What do I do with old PCs that are vulnerable to Meltdown?

OK so I’ve updated my personal PC and laptop to modern systems that have been patched against Meltdown and Spectre. But I also have an old Westmere Xeon tower, Athlon II X3, and i5-3570K that are sitting ducks for a Spectre attack. And they’re never going to get a BIOS patch, either. I also don’t want to put them on Craigslist and saddle some poor noob with a vulnerable system. So what should I do with them?

I thought at least that Ivy Bridge would get a microcode update.

What are you using them for? Just as regular workstations / desktops?

Well, the actual problem is the motherboard. It’s an Asus P8Z77-V LK, which the OEM apparently has no interest in updating. Are there any Z77 boards getting Meltdown updates?

1 Like

Non-internet facing NAS?

And yeah, whilst Intel may have put out patches for Ivy Bridge, etc., you need your motherboard vendor to update the BIOS.

My Haswell-based Gigabyte board hasn’t had a BIOS update since 2016, so I consider it abandoned.

If Intel has put out a microcode update for the CPU, Linux will include it whether or not your BIOS updates it, if I am not mistaken. Worth checking into.

If it’s just a workstation on the LAN, you’re more than likely fine.

Security starts at the network level.

2 Likes

Once Libreboot/Coreboot gets more traction, you can replace the BIOS on those boards with that and just have a decent-performance NAS system out of Meltdown parts using just a distro with the latest upstream kernel.

Pretty sure BIOS support for meltdown patch is irrelevant if you run Linux, as Linux distributes/includes the microcode update.

If you were SUPER paranoid though, Libreboot/Coreboot ensures the whole boot process contains publicly viewable code which can be scrutinized for backdoors. A few Lenovo laptops now have Libreboot support.

You give them to me :smiley:

You are aware that 97% of computers on the planet are vulnerable, right, and that worrying about it is relatively stupid?

1 Like

Just because 97% of people are vulnerable, doesn’t mean that attempting to not be like the 97% of sheep is stupid.

Plenty of people run publicly facing servers without firewalls in front of them, don’t change default credentials, etc. either.

I mean yeah, but that’s either Freescale PPC chips, Atom N250s and N270s, Ryzen, or POWER8 and up. By all means, go ahead, but it’s such a narrow market atm, and to be scared of something that still hasn’t been used or proven to be possible country to country without being next to the target computer on the LAN… I mean it’s just unrealistic.

1 Like

Do you have a source for this? I’d like to believe this, but I was pretty sure ANY platform required OS and BIOS patches.

I was sure I found a Coreboot image for the P8Z77-V Pro motherboard, but it seems to have vanished. Probably wouldn’t work on my board anyway.

From my work desktop PC’s dmesg (i7-6700):

[ 0.977083] microcode: sig=0x506e3, pf=0x2, revision=0xc2
[ 0.977374] microcode: Microcode Update Driver: v2.2.

Linux updates CPU microcode (as well as having OS patches). Microsoft distributed OS patches, but they did not distribute microcode updates for meltdown.

Additionally:

So yeah, if your motherboard vendor has not bothered to release a BIOS update for meltdown, you can still use the machine with Linux securely.

To clarify: microcode updates can be applied either from within the OS or via the BIOS. Microsoft chose not to ship the updates (no doubt because they don’t want the blame for any fallout from them), and that’s why you need BIOS updates to be secure with Windows. Microsoft do actually ship updated microcode for the Surface line in Windows, but that’s because the Surface line is their own hardware.

1 Like

Thanks, that’s frickin’ awesome news. It’s good to know I can use them for something. Now I just need to figure out what kind of home environment I want to set up. I had the Westmere running ESXi, but I think the latest version has dropped Westmere support. The 3570K was a gaming machine, and only has four threads, so I’m not sure how useful it would be for virtualization.

1 Like

I’m not sure this is correct. When the patch came through in CentOS, there was a message from RHEL saying you’d still need to get an update for the motherboard.

One special case is Apple who claimed they patched it, but from what I can tell, it didn’t involve any change to firmware, unless the firmware update process has become completely transparent to the user.

That said, I believe it is really only a concern for hypervisors. Maybe an issue with containers as well, but not something the average user needs to worry about. According to Netgate, it’s not something that concerns firewalls/gateways much either.

1 Like

Here’s info from the linked Intel microcode download page:

Microcode is best loaded from the BIOS. Certain microcode must only be applied from the BIOS. Such processor microcode updates are never packaged in this package since they are not appropriate for OS distribution. An OEM may receive microcode packages that might be a superset of what is contained in this package.

OS vendors may choose to also update microcode that the kernel can consume for early loading. For example, Linux can update processor microcode very early in the kernel boot sequence. In situations when the BIOS update isn’t available, early loading is the next best alternative to updating processor microcode. Microcode states are reset on a power reset, hence it is required to be updated every time during the boot process.

So it seems that a BIOS microcode update might be a superset of an OS-level microcode update, but it seems like it would be adequate protection (or the best alternative, as Intel puts it).

2 Likes

Basically you want the microcode update loaded as soon as possible in the boot process. BIOS/UEFI is best - so that way it applies if you do PXE boot, etc.

But if there is no BIOS update (as is the case with basically anything 2 years old or more), loading it from the OS kernel or early in boot is probably fine for most people as it will be loaded before the OS goes multi-user and loads the network.
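A way to check, on one of these Linux boxes, whether the OS-loaded microcode discussed above actually took and what the kernel itself reports for Meltdown/Spectre. This is an added example, not code from the thread; it reads dmesg, /proc/cpuinfo and /sys/devices/system/cpu/vulnerabilities (all real interfaces on current kernels), and each function accepts an alternative path so it can be exercised on constructed input.

```shell
#!/bin/sh
# Added example, not code from the thread: check on a Linux box whether a
# CPU microcode update has been loaded by the OS and what the kernel itself
# reports for Meltdown/Spectre. Default paths are the real ones; each
# function takes an optional override so it can be run on constructed input.

# Pull the latest "revision=0x..." out of dmesg-style microcode lines on stdin.
# Prints the revision (e.g. 0xc2) or "unknown" if no such line is present.
microcode_revision_from_dmesg() {
    sed -n 's/.*microcode: .*revision=\(0x[0-9a-fA-F]*\).*/\1/p' \
        | tail -n 1 | grep . || echo unknown
}

# Read the running microcode revision from /proc/cpuinfo (it survives dmesg
# ring-buffer wrap, unlike the boot message). Prints "unknown" if unreadable.
microcode_revision_from_cpuinfo() {
    file="${1:-/proc/cpuinfo}"
    [ -r "$file" ] || { echo unknown; return 0; }
    sed -n 's/^microcode[[:space:]]*:[[:space:]]*//p' "$file" \
        | head -n 1 | grep . || echo unknown
}

# Print one "name: status" line per entry in the kernel's vulnerabilities
# directory. Returns 0 if nothing reads "Vulnerable", 1 if something does,
# 2 if the directory is missing (kernel predates the sysfs interface).
report_vulnerabilities() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    [ -d "$dir" ] || { echo "no $dir (kernel too old to report?)"; return 2; }
    rc=0
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        status=$(cat "$f")
        echo "$(basename "$f"): $status"
        case "$status" in
            Vulnerable*) rc=1 ;;
        esac
    done
    return $rc
}

main() {
    echo "microcode revision (dmesg):   $(dmesg 2>/dev/null | microcode_revision_from_dmesg)"
    echo "microcode revision (cpuinfo): $(microcode_revision_from_cpuinfo)"
    echo "kernel mitigation status:"
    report_vulnerabilities
}

main || echo "at least one item is still Vulnerable (or the sysfs directory is missing)"
```

The dmesg revision must match the revision in /proc/cpuinfo; if dmesg shows an update but cpuinfo does not, the update was not applied to every core.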