
flaubert

macrumors 6502
Original poster
Jun 16, 2015
485
200
Portland, Oregon
So, I see some threads here in the forum about updating microcodes, and they quickly gather many posts from folks who are apparently more up to date on the benefits of updating such. I thought that perhaps the rest of us might benefit if those most knowledgeable would be able to enlighten us with some answers to basic questions!

So, here goes...

1. Microcodes define or change the instruction set of our Intel processors. Lately this has been occurring as a result of Intel updating microcode for their processors to mitigate the Meltdown and/or Spectre vulnerabilities. Specifically, Intel created some new instructions that define software regions where speculative execution is not performed - have I got that right?

2. On the Mac platform, microcode updates are delivered as part of a firmware update, which is itself usually delivered as part of an operating system install, or a security update. Have I got that right? What is the software tool for inspecting a package to see if it contains a microcode update?

3. Having updated microcode is useless unless the operating system supports using the new instructions supplied and/or changed by the microcode, right?

4. I'm guessing that Apple is probably only adding support for updated microcode in its latest version of MacOS, High Sierra (and presumably Mojave), right? Those of us running (currently supported) El Capitan and Sierra are probably not going to get any benefit from updated microcode, right?

5. Does updated microcode mainly add back in performance? That is, does it appear that systems running with older microcode, or systems still on El Capitan/Sierra will still be as secure as a system with latest microcode, but with a greater performance penalty? Or is it the case that if one wants to be as absolutely protected against Meltdown and Spectre as possible, one must run High Sierra and see that your microcode gets updated?

6. Intel originally issued a blanket statement that a great swath of their processor family would have updated microcode made available, but later they backed off and only issued updated microcode for a (still substantial) number of processors. In one particular example of interest to Mac Pro owners, the W3690 did not get a microcode update, while the similar dual processor version X5690 did. However, it appears from one Macrumors forum thread that the W3690 can be updated with microcode intended for another processor (presumably the X5690). Is this true, and reasonably safe?

7. If one has a processor that Intel has issued updated microcode for (like say an X5690 3.46GHz processor), are there recommended installation sequences or update sequences that are known to result in microcode getting updated to latest version without manual intervention like hex editors and dosdude1's tool? For instance, if one performs a completely clean install, is that sufficient? Is applying a combo update for the latest point release sufficient?

Thanks for helping enlighten the community if you are able to answer some of these questions!
 
I was answering your questions in detail, but something really bothered me: why open yet another thread if we have threads that already discuss all this in detail? Why spread the knowledge in multiple threads?
 
I was answering your questions in detail, but something really bothered me: why open yet another thread if we have threads that already discuss all this in detail? Why spread the knowledge in multiple threads?

That's a fair question, tsialex, especially given that you've apparently done a lot of the heavy lifting. The existing threads are great for how-I-did-it and what-hardware-applies but they seem (from my skimming through them) to skip over the bigger picture questions of what-is-the-benefit and under-what-scenario. From my point of view the security implications of why microcode updates are necessary justify a concise thread that gives the bigger picture without getting bogged down in the details of how exactly to do it. In the same way that processor compatibility information was probably scattered through a half dozen or more threads before ActionableMango pulled it into a sticky, I'd like to see a similar concise post for microcode information, just so that the useful knowledge isn't quite so diffuse. If nothing else, I'll go through the 700+ microcode posts myself to try and answer my own questions; there are some questions I've posed that I wonder if anybody outside of Apple knows.
 
Since I already wrote…

1)
You got that wrong. Intel did not create new instructions. They just updated the instruction sets to a new behaviour.

2)
You can inspect BootROM microcode versions with various tools like dosdude1's Apple Microcode Tool. But the tools only show the installed microcode version; you have to check with published Intel tables to know if the microcode is the current one or obsolete. Let's not forget that you need to know what's the microcode that your installed processor requires.

3 & 4)
No, if your firmware has the current microcode and the security flaw is resolved with just the new microcode, you're safe even with an obsolete OS. But it's more complex than just that.

The important fact is, to be secure you'll have to keep everything current: your Mac firmware and your macOS version need to be the current ones. Apple mitigated some of the recent Spectre and Meltdown vulnerabilities with Security Updates to El Capitan onwards, but not every flaw with every OS version, and the firmware updates for Mac Pros are only provided with the High Sierra 10.13.6 full installer app.

When you power on your Mac, one of the first firmware operations is to load the BootROM microcode into the processor, then the processor starts to use the new microcode until a newer version is provided by the kernel or it's shut down and the cycle restarts.

Recent macOS versions have a mechanism to update microcodes and Apple provides the full Intel microcode repository with Security Updates.

5)
It's a lot more complex than that. Some flaws have to be mitigated in the microcode, period.

Some of the penalty caused by various OS mitigations could be restored with the microcode updates. Not all mitigations imply reduced performance and not all flaws are mitigated with every OS release since El Capitan.

To be secure you have to keep current.

6)
W3690 can use the same microcode as the Westmere-EP ones. Maybe it's the reason that Intel stopped microcode updates to Gulftown processors.

7)
You have to upgrade your firmware and use the current macOS version. A good security measure is to update your firmware, then do a clean install of the current macOS.

Combo updates do not install firmware on Mac Pros 1,1 to 5,1, just on 6,1 ones. So, you need to update your firmware first.

The current firmware is MP51.0089.B00, released with the 10.13.6 full Mac App Store installer app. Mojave DP7 onwards has 138.0.0.0.0.
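
An added example, not part of the post above or any poster's own code: a check of a Mac Pro's reported Boot ROM version against the MP51.0089.B00 release named in the answer. It assumes the input is the text printed by `system_profiler SPHardwareDataType`, that the middle and build fields of the `MP51.xxxx.Byy` scheme are hexadecimal, and that the dotted scheme (138.0.0.0.0) is always newer; the function names and the sample text are constructed for illustration.

```python
import re

# Firmware release named in the post for the Mac Pro 5,1.
REFERENCE_BOOTROM = "MP51.0089.B00"

# Constructed sample of `system_profiler SPHardwareDataType` output
# (not captured from a real machine).
SAMPLE_PROFILER_OUTPUT = """\
Hardware:

    Hardware Overview:

      Model Name: Mac Pro
      Model Identifier: MacPro5,1
      Boot ROM Version: MP51.007F.B03
"""

def bootrom_from_profiler(text):
    """Return the Boot ROM Version string found in the text, or None."""
    m = re.search(r"^\s*Boot ROM Version:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None

def bootrom_key(version):
    """Sortable key for a version string; the model prefix is not compared.

    Assumption: legacy 'MP51.xxxx.Byy' fields are hex, and any dotted
    numeric version (e.g. 138.0.0.0.0) is newer than any legacy one.
    """
    legacy = re.fullmatch(r"[A-Z]+\d+\.([0-9A-F]{4})\.B([0-9A-F]{2})", version)
    if legacy:
        return (0, int(legacy.group(1), 16), int(legacy.group(2), 16))
    if re.fullmatch(r"\d+(\.\d+)+", version):
        return (1,) + tuple(int(part) for part in version.split("."))
    raise ValueError(f"unrecognised Boot ROM version: {version!r}")

def firmware_status(profiler_text, reference=REFERENCE_BOOTROM):
    """Classify the reported firmware as 'current', 'outdated' or 'unknown'."""
    installed = bootrom_from_profiler(profiler_text)
    if installed is None:
        return "unknown"
    if bootrom_key(installed) >= bootrom_key(reference):
        return "current"
    return "outdated"

if __name__ == "__main__":
    print(bootrom_from_profiler(SAMPLE_PROFILER_OUTPUT),
          firmware_status(SAMPLE_PROFILER_OUTPUT))
```

This only tells you which firmware release is installed; whether the microcode inside it is the right one for the fitted processor still has to be checked against Intel's published tables, as the answer says.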
 