MP51.0087.B00 10.13.5 BootROM update: Missing Microcode...

[Susurs]

Could someone please explain me in a “non-programmers/technical” language:

1) Is it safe to upgrade my 5,1 2x X5675 to MP51.0087.B00? Can there be any possible problems now/in future?

2) What is the difference with MP51.0085.B00? Are Spectre/Meltdown patches still in place?

3) How can missing microcode impact my 5,1 for now?

 

[thomasthegps]

Could someone please explain me in a “non-programmers/technical” language:

1) Is it safe to upgrade my 5,1 2x X5675 to MP51.0087.B00? Can there be any possible problems?

2) What is the difference with MP51.0085.B00?

3) How can missing microcpde impact my 5,1 for now?

If you want to expand your mac pro's lifespan, don't update the firmware.

 

[Squuiid]

The missing microcode in the 0087 firmware has got to be a mistake.
I’m personally holding off on updating my cMPs.

However, can’t microcode just be added at boot time at the OS level instead?
If so then perhaps this is what Apple have in mind. Remove all microcode from firmware and inject at boot from OS. This allows for much easier and safer microcode updates in future. Given the new and emerging Spectre/Meltdown variants this may be their approach going forward.

 

[bookemdano]

Could someone please explain me in a “non-programmers/technical” language:

1) Is it safe to upgrade my 5,1 2x X5675 to MP51.0087.B00? Can there be any possible problems now/in future?

2) What is the difference with MP51.0085.B00?

3) How can missing microcode impact my 5,1 for now?

None of that is known definitively. 0087.B00 just came out yesterday and Apple doesn't exactly provide details on changes. I'm not sure we even know what exactly changed between 0084 and 0085 much less 0085 to 0087 (aside from seemingly absent microcode in 0087 which could be a bug). This hack is in extremely early stages so just sit back and relax like I am and let the experts figure more of this out before you even consider modifying your own system.

 

[Susurs]

If you want to expand your mac pro's lifespan, don't update the firmware.

P.S. Any way to avoid FW upgrade when installing a clean system?

 

[bookemdano]

P.S. Any way to avoid FW upgrade when installing a clean system?

See here: #267

 

[thomasthegps]

P.S. Any way to avoid FW upgrade when installing a clean system?

Unless Apple has changed their firmware update process, as long a you don't have an apple efi gpu in your system you should be fine. If you maintain the key "c" after the boot chime it should boot from usb, you won't see anything on screen for a minute or two, wait until the installer appears

 

[handheldgames]

Microcode updates for Spector/Meltdiwn may have noticeable performance hit to PCIe SSD performance.

 

[MisterAndrew]

The missing microcode in the 0087 firmware has got to be a mistake.
I’m personally holding off on updating my cMPs.

However, can’t microcode just be added at boot time at the OS level instead?
If so then perhaps this is what Apple have in mind. Remove all microcode from firmware and inject at boot from OS. This allows for much easier and safer microcode updates in future. Given the new and emerging Spectre/Meltdown variants this may be their approach going forward.

How do we determine if Apple has done this for 10.13.5? (Added microcode at OS level.)

 

[star-affinity]

If you want to expand your mac pro's lifespan, don't update the firmware.

Sorry if I missed it, but why is it that the lifespan will be decreased if updating the firmware? Is it confirmed that's the case (if so – in what way?) or are we still speculating about what the new firmware does?

I was also thinking if it could just be that someone at Apple forgot to edit the machdep.cpu.microcode_version: part correctly like when a developer forgets to edit the ”Version” part seen when getting info on an app in the Finder. I guess what I'm trying to say is if it could be just a text string that's incorrect, or what is it that machdep.cpu.microcode_version: reads that gets the specific version number to show up after the colon?

 

[MisterAndrew]

Has anyone contacted Apple Support about this issue? What was their response?
[doublepost=1528048375][/doublepost]

Sorry if I missed it, but why is it that the lifespan will be decreased if updating the firmware? Is it confirmed that's the case (if so – in what way?) or are we still speculating about what the new firmware does?

I was also thinking if it could just be that someone at Apple forgot to edit the machdep.cpu.microcode_version: part correctly like when a developer forgets to edit the ”Version” part seen when getting info on an app in the Finder. I guess what I'm trying to say is if it could be just a text string that's incorrect, or what is it that machdep.cpu.microcode_version: reads that gets the specific version number to show up after the colon?

Besides the potential lack of microcode and that it appears to be resistant to hacking (injected NVMe driver doesn’t work) I see no reason not to update. I updated mine and I don’t plan to roll back unless the lack of microcode really is a serious security vulnerability.

 

[crjackson2134]

Besides the potential lack of microcode and that it appears to be resistant to hacking (injected NVMe driver doesn’t work) I see no reason not to update. I updated mine and I don’t plan to roll back unless the lack of microcode really is a serious security vulnerability.

Agreed... I'm not too worried about it, and my system is running very well on 10.13.5 including it's firmware flash.

 

[bookemdano]

Sorry if I missed it, but why is it that the lifespan will be decreased if updating the firmware? Is it confirmed that's the case (if so – in what way?) or are we still speculating about what the new firmware does?

I was also thinking if it could just be that someone at Apple forgot to edit the machdep.cpu.microcode_version: part correctly like when a developer forgets to edit the ”Version” part seen when getting info on an app in the Finder. I guess what I'm trying to say is if it could be just a text string that's incorrect, or what is it that machdep.cpu.microcode_version: reads that gets the specific version number to show up after the colon?

I'm not the person who said that but I assume what he meant by lifespan is the hacks this thread and the other one here that are working on adding compatibility with newer hardware that Apple long ago decided not to support on the cMPs. We have some degree of assurance they work on the 0085 bootrom (granted only a couple of reports). There was also a report of a potential issue with the NVMe hack on 0087. Maybe that issue can be resolved, maybe it can't. But I think the point was 0085 is sort of a known quantity while future firmwares are not. Apple might stick another firmware update in 10.13.6 that prevents the injection of EFI drivers or specifically prevents rolling back to older firmware (like they already do with iOS devices). It's unlikely I think because even the 2012 cMPs aren't going to be supported for too much longer and Apple is probably budgeting the bare minimum $ for firmware development on them.

But the larger point that we enthusiasts sometimes miss is that newer isn't always better. Perhaps because Apple doesn't care much about the cMP, the updates they release for it aren't rigorously tested and could introduce bugs while not adding anything of real benefit.

So flash it if you want to, but as of now no one can say for sure if there are or will be problems with it because it's so new. I think you can flash back to 0085 by changing the filename of the firmware file in the installer, but then again that's a PITA and we only have one confirmation of it working. It's better to stand pat and let's see if more information can be gleaned about what's changed in 0087, or if Apple ends up releasing a 0089 to fix the microcode issue.

 

[tsialex]

Seems the motive for MP51.0087.B00 firmware update is security related:

Firmware

Available for: macOS High Sierra 10.13.4

Impact: A malicious application with root privileges may be able to modify the EFI flash memory region

Description: A device configuration issue was addressed with an updated configuration.

CVE-2018-4251: Maxim Goryachy and Mark Ermolov​

 

[bookemdano]

Seems the motive for MP51.0087.B00 firmware update is security related:

Firmware

Available for: macOS High Sierra 10.13.4

Impact: A malicious application with root privileges may be able to modify the EFI flash memory region

Description: A device configuration issue was addressed with an updated configuration.

CVE-2018-4251: Maxim Goryachy and Mark Ermolov​

Thanks tsialex for that info. Is there a similar description for what changed in 0085? Edit: Looks like 0085 did not have any security updates in the firmware as nothing is listed here: https://support.apple.com/en-us/HT208692

It would be ironic if whatever Apple changed to fix that vulnerability also prevents the injection of additional drivers. I think it's probably unlikely, but not out of the realm of possibility.

Perhaps dosdude1's tool needs a modification to work with 0087. I assume he is enjoying a weekend away from this forum

 

[MisterAndrew]

Seems the motive for MP51.0087.B00 firmware update is security related:

Firmware

Available for: macOS High Sierra 10.13.4

Impact: A malicious application with root privileges may be able to modify the EFI flash memory region

Description: A device configuration issue was addressed with an updated configuration.

CVE-2018-4251: Maxim Goryachy and Mark Ermolov​

I just came across that as well. It looks like Apple fixed a serious vulnerability and the loss of our NVMe hack was a side effect of that.

 

[crjackson2134]

Perhaps modifying the EFI IS the security problem they are referring to.

 

[tsialex]

Perhaps modifying the EFI IS the security problem they are referring to.

I don't think so, the CVE creation date is 20180102, so months before romtool release.

Thanks tsialex for that info. Is there a similar description for what changed in 0085? Edit: Looks like 0085 did not have any security updates in the firmware as nothing is listed here: https://support.apple.com/en-us/HT208692

It would be ironic if whatever Apple changed to fix that vulnerability also prevents the injection of additional drivers. I think it's probably unlikely, but not out of the realm of possibility.

Perhaps dosdude1's tool needs a modification to work with 0087. I assume he is enjoying a weekend away from this forum

I hadn't found any info about MP51.0085.B00 yet, did you found something?

I have the same impression about MP51.0087.B00, maybe dosdude only needs to update his injection tool…

 

[bookemdano]

I don't think so, the CVE creation date is 20180102, so months before romtool release.

Exactly, and it would appear that all supported models (MacBook, Mac mini, nMP, MBP, etc.) received that firmware update fixing that same vulnerability. So it's extremely unlikely they were specifically targeting the NVMe hack (which, after all was only publicized in the last week or so). Maybe it killed it as a side effect, but it's way too early to assume that.

I hadn't found any info about MP51.0085.B00 yet, did you found something?

No, just my presumption... since 0085 was released with 10.13.4 and the 10.13.4 security notes didn't mention any security-related firmware fix. So I assume maybe 0085 was APFS-related, or some other non-security fix. I could be wrong of course.

 

[MisterAndrew]

10.13.5 updated the firmware on my MacBook Pro too with i7-3720QM CPU. From MBP91.00D9.B00 to MBP91.00DA.B00. The microcode version is 31. I forgot to see what it was before the update.

 

[tsialex]

10.13.5 updated the firmware on my MacBook Pro too with i7-3720QM CPU. From MBP91.00D9.B00 to MBP91.00DA.B00. The microcode version is 31. I forgot to see what it was before the update.

On my MBP10.1, still on 10.12.6 and with previous BootROM, the microcode is 21.

 

[h9826790]

Microcode updates for Spector/Meltdiwn may have noticeable performance hit to PCIe SSD performance.

Why only the PCIe SSD performance is affected but not other area?

 

[Surrat]

It seems that every supported mac got a microcode update with 10.13.5 except the mac pro towers.

On my 2010 macbook pro, the microcode went from 4 to 6.
Only the mac pro towers went from 15 to 0, meaning no added microcode and using the original one inside the cpu.

It has to be a mistake.

 

[tsialex]

It seems that every supported mac got a microcode update with 10.13.5 except the mac pro towers.

On my 2010 macbook pro, the microcode went from 4 to 6.
Only the mac pro towers went from 15 to 0, meaning no added microcode and using the original one inside the cpu.

It has to be a mistake.

Another more or less useless fact, almost all Macs got firmware updates on 10.13.5. The exception: Core2Duo Macs still supported by High Sierra.

Not one (MacBook Air 2010 / MacBook 2009 & 2010 / MacBook Pro 13" 2010 / mini 2010 / iMac 2009 10,1) received.

This page tracks firmwares: Which EFI firmware should your Mac be using?

Edit: forgot about MacBook Air 2010 and iMac 2009 10,1.

 

[MIKX]

Another more or less useless fact, almost all Macs got firmware updates on 10.13.5. The exception: Core2Duo Macs still supported by High Sierra.

Not one (MacBook 2009 & 2010 / MacBook Pro 13" 2010 / mini 2010) received.

This page tracks firmwares: Which EFI firmware should your Mac be using?

Mac Pro 5,1 MicroCode = "0". Intentional or a programmer mistake ?