IMPORTANT SECURITY UPDATES!

Take a look in post #1 for password.

 

Goodness me. I swear I'm blind AF when it comes to blue and pink. Thanks.

 

err what the password is guys?

 

It's in the first post. At the end of the longest paragraph ;-)

 

Saw it, iam blind AF xD

 

Welcome to the club of blue and pink blindness.

 

Yeah, I am sure everyone here has vision problems, that's probably what it is...

 

Finally good to go!

 

How long the update process usually takes?
I have it on for about 20 min and not much happens
I have P670RP6-G

 

I can confirm that the patch is working on my Clevo P950HP6, (BIOS Version 1.05.08). It takes a few seconds to install. Thanks, Prema!

 

Disable Monitoring and auto cleaning of CCleaner and I think the temp files are cleared automatically. Close all programs before continuing. Disable AVs too. If all else fails then try in safe mode w/ networking.

 

Thanks for advise! Disabling CCleaner fixed my issue. Why didn't I think of that?
Thanks Prema for your great job!

 

Worked on Clevo P650RE6, thank you!

Donation done, enjoy (49U38728KL722471K)

 

Glad this is working so well for everyone!

 

Yees, sir. A Hell lot better fix than the one from Dellienware Keep on Prema

 

Yeah, they would argue that he is very well protected now...
Dell shouldn't lock the PCH on GeForce gaming systems sold in single quantity to end-user & just keep that for their Quadro series and only upon request by the companies purchasing them in quantity for their staff.
Or just purchase a Clevo in the first place and be done with it.

 

Didn't get the MEI FW from Dell at all. Maybe I should try ME Cleaner to remove it.

 

just checked mine and it says I am fine, seems the laptop came patched, which is very nice.

 

p170em stock driver said SAFE (8.0)
updated with prema ME 8.x anways




tell me again why we need these fancy tools like TPM/IME?


wanted to highlight a useful forum note

https://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools.html

these show the Latest Versions.
i do not support or suggest downloading these. ^
i ran a comparison to Prema's to verify version

 

It's the Hardware manufacturers/ODM/OEM's + Micro$oft that say why we need these fancy tools. They don't ask you, if you want it... They prefer as always to force it on you More features. More they can charge Why+you+need+TPM -- Why+you+need+Intel+IME

 

Won't be long, looks like there's another Intel bug that will be announce soon that can potentially affect performance

https://www.reddit.com/r/sysadmin/comments/7nl8r0/intel_bug_incoming/

 

"The patches cannot be invoked on the firmware side of things, meaning it’s a software solution. And herein is a problem found, it has been reported that under specific workloads performance drops have been spotted ranging from 5 to even 30% on Intel processors. Patches for the Linux kernel are available and propagating, Microsoft will patch it’s OSes soon as well."

 

Seems not important to end users.

 

can this be used for MSI MS16L1, aka Tornado F5?

 

See post #15

 

That's not only Intel but AMD, ARM as well. Pretty much every 'out-of-order' chip made this Millennia is affected by Spectre.
What a welcome 'bug' to force people to upgrade to the next best thing...

 

see post #4

IMPORTANT SECURITY UPDATE!

 

upload NP9175 / Clevo P775TM1-G but getting this error..re-installed the chipset drivers but still the same

 

Completely uninstall Intel MEI driver using Revo and use inf method to install MEI. That'll get rid off the services.

 

@Prema Is there prerequisite for BIOS to be compatible with MEI FW 11.8?
Does the BIOS needed additional code fixes to be compatible with 11.8 on HM170 chipset?

 

thanks..uninstalled MEI drivers completely then reinstalled using INF but some components were still missing and got the same error.

There is an updated MEI driver on Sager website for Sager NP9175 / Clevo P775TM1-G which solved the error.

 

That's an important point and what I was just about to post myself. I haven't seen mass hysteria on nbr about this news, which is good in a way as it doesn't seem to have been picked up on as much by the more tech savvy of us, but for lots of other potential customers it's causing much confusion.

Intel have posted a press release, AMD hasn't which is why all the fuss is about Intel at the moment. Just one example - we had a customer ring up today and ask to change their CPU (on a €4k Intel workstation PC) because they saw an article about a completely unsubstantiated 30% performance decrease. Problem was, the customer didn't know what they wanted to change to and of course AMD wasn't a good alternative because they are also affected. Patch is already out and from what it seems like, only serious VM and related users will see a performance drop - which also isn't 30% and yet to be widely established in multiple scenarios.

 

We can only do so much to reduce the amount of people accessing our data, not stop them all.
For every disclosed vulnerability there are dozens kept to a small circle and used to walk in and out of our systems daily.

We have to stop being driven by fear into the illusion of false security. So much money is made by trying to sell that warm feeling. Be it technology, insurance policies, the walls around our properties or through new laws.

Suppressing the symptoms has never cured a disease.

As long as we don't take better care of educating our youth in values by installing love in their hearts and continue to ignore the suffering of the poor, there won't be any lasting change. After all, the warm feeling, that we are all searching for, doesn't come from outside, but from inside of us.

 

Depends how you see it http://forum.notebookreview.com/thr...cripples-performance-up-to-30-percent.812424/

 

In general the update tool will do it's job on all supported boards, regardless of the ODM. In the past I have seen side effects if the BIOS ME counter part wasn't updated as well, but nothing has been reported with this specific revision, yet.
Also since Intel dropped the ball on fixing v11.0-v11.7 there isn't really another way if your ODM no longer supports your hardware.

 

I will give it a go.

 

Fair enough, I hadn't seen that hysteria thread ;-) Point is that there's zero proof that there will be a 30% performance hit at the moment, it's just speculation driven by a single news article with no source or proof, which all other news media have latched on to and repeated. For VMs, yes there will be a performance hit but we don't know what it will be and will change case by case - for mainstream customers the difference is negligable - and the situation with AMD isn't exactly clear either.

 

This is a good article regarding performance hits on Linux:

https://access.redhat.com/articles/3307751

Here a more casual read for Windows:

http://www.guru3d.com/articles-pages/windows-vulnerability-cpu-meltdown-patch-benchmarked,1.html

Edit: This has nothing to do with the vulnerability patched by the OP!

 

Microsoft released a test for patches related to Meltdown.

https://support.microsoft.com/en-us...ive-execution-side-channel-vulnerabilities-in

It involves using PowerShell.

From this test is appears there is a microcode update that helps. I personally have a EVOC laptop that just recently got the Prema BIOS (Thank you Prema).

When HIDevolution updated the BIOS they also updated the ME firmware. So that got patched (Thanks again Prema). But the TPM and now the microcode needs updates too. I wish Clevo would release these updates themselves instead of having us rely on Prema for these.

Here is the results I got from PowerShell.

https://kigen.co/img/facepunch/spec-control.png

If I'm understanding things right then Windows patched Meltdown, but Spectre requires a microcode update to mitigate.

 

There's beta uCode for Intel CPU to fix Meltdown and Spectre acc. to Ubuntu launchpad.net
Changelog:
intel-microcode (3.20171215.1) unstable; urgency=high

* Add supplementary-ucode-CVE-2017-5715.d/: (closes: #886367)
New upstream microcodes to partially address CVE-2017-5715
+ Updated Microcodes:
sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
sig 0x000406f1, pf_mask 0xef, 2017-11-18, rev 0xb000025, size 27648
sig 0x00050654, pf_mask 0xb7, 2017-11-21, rev 0x200003a, size 27648
sig 0x000506c9, pf_mask 0x03, 2017-11-22, rev 0x002e, size 16384
sig 0x000806e9, pf_mask 0xc0, 2017-12-03, rev 0x007c, size 98304
sig 0x000906e9, pf_mask 0x2a, 2017-12-03, rev 0x007c, size 98304
* Implements IBRS and IBPB support via new MSR (Spectre variant 2
mitigation, indirect branches). Support is exposed through cpuid(7).EDX.
* LFENCE terminates all previous instructions (Spectre variant 2
mitigation, conditional branches).
Important keywords: Partial fix/addressed.

 

We have been testing the new Spectre microcodes (SKL, KBL, KBL-R) since the holidays in order to ensure that performance doesn't degrade without also deploying their OS counterparts...

This is with the new code but without OS patch:

http://forum.notebookreview.com/threads/clevo-overclockers-lounge.788975/page-1493#post-10658449

As for TPM fixes. The update procedure is a bit more complicated because if the end user doesn't manually clear existing keys before the update the old vulnerable keys will migrate to the new firmware and get stuck in the TPM for good:

https://twitter.com/PremaMod/status/934494571857190912

 

There are indeed uses where the performance hit's will be higher:

This is bad: performance hit from PTI on the du -s benchmark on an AMD EPYC 7601 is 49%.
https://twitter.com/grsecurity/status/947439275460702208

The more intense the % of use hits the PTI overhead, the worse the performance penalty of an operation overall.

Of course that Intel only bug won't affect AMD CPU's now that the PTI patch is turned off for Linux.

heads up: Fix for intel hardware bug will lead to performance regressions
7%-23% transaction performance penalties for Postgres with PTI patch.
https://www.postgresql.org/message-id/[email protected]

Initial Benchmarks Of The Performance Impact Resulting From Linux's x86 Security Changes
https://www.phoronix.com/scan.php?page=article&item=linux-415-x86pti&num=2

Further Analyzing The Intel CPU "x86 PTI Issue" On More Systems
https://www.phoronix.com/scan.php?page=article&item=linux-more-x86pti&num=1

Under real work loads, Guest VM's running PTI patches on top of Hosts running PTI patches with high syscall + interrupt - IO work loads will see greater hits to performance. On heavily subscribed VM servers this could require reducing resource allocations per VM and redistributing loads across more servers - costing $$$.

It should be interesting to see how this plays out as user VM's are restarted... coming soon. With many overloading Guest VM's / Host server playing on the edge of load, this will likely require pushing off VM's onto other (new) servers.

"Messing around" with benchmarks on gaming laptops isn't one of the use cases with much impact - interactive performance would be affected more than side by side benchmarks of single threaded non-IO-intensive benchmark or gaming comparisons, so there likely won't be much of a hit on what the typical NBR benchmarker / gamer comes across.

Update: It looks like performance hits against VM's are already been seen now that the instances have been restarted:

Degraded performance after forced reboot due to AWS instance maintenance
https://forums.aws.amazon.com/thread.jspa?threadID=269858

Re: Degraded performance after forced reboot due to AWS instance maintenance
Posted by: miljesse2 Posted on: Jan 4, 2018 1:58 PM in response to: ajnaware

It's was around 4 AM (UTC) last night that we started seeing problems. I have 2 c3.large (PV) instances behind an ELB, both of them were peaking at most 50% CPU usage (over 1 hour) at peak hours, now I'm having spikes of 83% (over 1 hour!) so they've been close to 100% many times. The load averages (from 'top') they are reporting have been past 10 multiple times!
Needles to say they're pretty sluggish to even access.

Is there going to be any relief? There's no larger instance type for these AMI:s.

I also have multiple m1.small instances (for development mostly), they're nearly unusable.

Re: Degraded performance after forced reboot due to AWS instance maintenance
Posted by: ramj Posted on: Jan 4, 2018 9:08 PM in response to: ajnaware

We were hit by this issue and saw a 50% spike in some of our i3 nodes. And we can almost see the spikes happen in waves across different AZ's. Maybe they correlate with when the patches we being applied.

Do we know if AWS is done patching all their nodes, or is there still more to come ?

Re: Degraded performance after forced reboot due to AWS instance maintenance
Posted on: Jan 4, 2018 9:30 PM in response to: ramj

I thought we were the only one to have this issue and trying to fix and re-look at our DB queries, etc.
Our CPU load has gone up 10 times and hovering at around 100% all the time.

We have r4.2xlarge - Instance ID : XXXX

Can Amazon team pls take a look and help us out ?"

Degraded performance on Amazon Linux instances
https://forums.aws.amazon.com/thread.jspa?threadID=270729&tstart=0

Instance high load and SSH console hanging - not created by user processes
https://forums.aws.amazon.com/thread.jspa?threadID=270635&tstart=0

r4.2xlarge - Very high CPU usage/load average
https://forums.aws.amazon.com/thread.jspa?threadID=270766&tstart=0

This is the catastrophe part for some beginning now...

Update 2: Ongoing update followups in this thread:
http://forum.notebookreview.com/thr...up-to-30-percent.812424/page-22#post-10658883

 

@hmscott PTI is worthless on AMD processors as they are not vulnerable to Meltdown. AMD recently pushed a microcode update that fixes one part of Spectre(it's two related issues).

 

Wish we have something like this for MSI owners.

 

http://forum.notebookreview.com/index.php?posts/10658623



@ All the people writing me PMs, DMs and Mails, please bare with me.
I'll reply as soon as I get a moment to breath in IRL...

 

I have a Clevo P650HS-G with original BIOS Version 1.05.01 (12/02/2016). I'm not receiving any new updates from Clevo anymore. So I was planing to update them using the drivers (no BIOS or unsupported internal components) from the P8xxTMxG.
I have ME updated to 11.7.0.1045 (03/10/2017) so I'm getting that I have a vulnerable system. Based on the first post, I should update that version to 11.7.0.1058 but there is a newer version already 11.7.0.1065 and I was doubting to which one go.
I just read in the previous page that your tool automatically check the system and then it should work successfully. But sincerely, I wanted to be sure before proceeding. I read that another user said your tool worked for the "Clevo P651HS-G" but it doesn't say anything about the version of the BIOS.
Besides, today I received the update from windows KB4056892, so I also i was doubting what to apply first from all the things.

Thanks for your help and time.

 

The ME driver version doesn't matter in order to update the ME firmware with the patch from the OP.

 

So... I understand I just run your tool. Or Did you mean that I'm completely unable to update?

 

Just run it!

 

Hi Prema, is there a way to update the new microcode (fixing variant 2 of spectre) to our clevos via ur bios?