01-22-2018 07:48 AM
We upgraded a bunch of T470s notebooks with the now withdrawn BIOS update (1.21) that included microcode updates to address the Spectre/Meltdown vulnerabilities. The devices (running Windows 10) now have intermittent hangs and are almost unbearably slow to work with, so we decided to roll back to 1.20. Turns out that the microcode updates cannot be reversed by downgrading the BIOS. So we are now stuck with almost unusable notebooks until there is a new update. What are we supposed to do now?
01-22-2018 08:42 AM - edited 01-22-2018 08:48 AM
How do you know microcode was not downgraded? Microcode is part of the FW so it should downgrade.
Did you load setup defaults after FW downgrade?
Did you try to downgrade to an older FW version 1.19 or 1.17 on one of your devices?
<1.19> UEFI: 1.19 / ECP: 1.17
- (New) Updated the CPU microcode.
<1.17> UEFI: 1.17 / ECP: 1.16
- [Important] Update includes some security fixes.
(Note) If the UEFI BIOS has been updated to version 1.17 or higher, it is no longer able to roll back to the version before 1.17 for security improvement.
What to learn from this fiasco:
1. Postpone flashing new FW until update is available on Lenovo System Update.
2. Upgrade one device only and do extensive tests for several days.
3. Upgrade remaining devices if tests did not show any issues.
01-22-2018 09:06 AM
There is info in the security advisory on the Lenovo webpage that, once updated, microcode cannot be reversed any other way than by replacing the motherboard. So the only solution is to wait for better microcode, which should arrive soon.
01-22-2018 09:50 AM
CPU microcode isn't downgraded, because it's not possible to do so. The only supported operation is to update to a newer version.
You can do one thing though. I've found that when I disabled the Meltdown fix, my devices started to work as before the update. No BSOD so far. I've used the guide below:
01-22-2018 10:10 AM - edited 01-22-2018 10:13 AM
The interesting thing here is: In theory, it should be possible to downgrade the microcode version. The reason for the blocked downgrade path seems to be the flashing program (WinFlash) used for the BIOS update procedure: The program has a special switch "/vcpu" that enables microcode updating.
According to the WinFlash documentation, the program evaluates three sources to determine the microcode version to be inserted into the BIOS:
WinFlash then chooses the most recent microcode version found in these sources. Since the EEPROM content itself is part of the evaluation, the system's microcode will never be downgraded.
Since microcode updates are not persistent across reboots anyway, I don't currently see a real technical reason for this behaviour, though. (It's not like there was a danger of "downgrading" your CPU into an unsupported state.) If I had to guess, I'd assume this was done for convenience reasons. Anyone with more knowledge on the matter is free to correct this assumption, though ...
[edited to fix formatting]
01-22-2018 12:38 PM
You can follow the steps listed here https://forums.lenovo.com/t5/ThinkPad-T400-T500-and-newer-T/KB4056892-multiple-problems-on-T440s/m-p... to disable the Microsoft patch for CVE-2017-5715. This is the one that can be partially fixed through a microcode update.
It has been observed by multiple people that disabling the Windows Update for 5715 restores system stability, albeit keeping you vulnerable to the flaw.
Hope this helps!
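For anyone who applies the workaround described above across a fleet, the following audit script (an added example, not part of the original thread and not Lenovo or Microsoft code) reports whether the mitigations are currently overridden on a machine and which microcode revision is loaded, so the override can be found and removed once stable firmware is installed. The registry value names and bit meanings are assumptions taken from Microsoft's public guidance for these CVEs, and the "Update Revision" byte layout is an assumption as well.

```powershell
# Added example: audit the speculative-execution mitigation override and the
# loaded CPU microcode revision on the local Windows machine.
# Assumptions (Microsoft public guidance, not stated in this thread):
#   FeatureSettingsOverride bit 0 set -> CVE-2017-5715 mitigation disabled
#   FeatureSettingsOverride bit 1 set -> CVE-2017-5754 mitigation disabled
#   A bit only takes effect if it is also set in FeatureSettingsOverrideMask.

function ConvertTo-MitigationState {
    param($Override, $Mask)   # pass $null when the registry value is absent
    if ($null -eq $Override -or $null -eq $Mask) {
        $effective = 0        # no override: OS defaults apply
    } else {
        $effective = [int]$Override -band [int]$Mask
    }
    [pscustomobject]@{
        OverridePresent   = ($null -ne $Override)
        SpectreV2Disabled = [bool]($effective -band 1)
        MeltdownDisabled  = [bool]($effective -band 2)
    }
}

function Get-MicrocodeRevision {
    param([string]$ValueName = 'Update Revision')
    # Assumption: REG_BINARY of 8 bytes, revision in the upper 4 (little-endian).
    $key = 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
    $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$ValueName
    if ($raw -is [byte[]] -and $raw.Length -ge 8) {
        '0x{0:X}' -f [BitConverter]::ToUInt32($raw, 4)
    } else {
        'unknown'
    }
}

$mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$mm    = Get-ItemProperty -Path $mmKey -ErrorAction SilentlyContinue
$state = ConvertTo-MitigationState $mm.FeatureSettingsOverride $mm.FeatureSettingsOverrideMask

[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    OverridePresent   = $state.OverridePresent
    SpectreV2Disabled = $state.SpectreV2Disabled
    MeltdownDisabled  = $state.MeltdownDisabled
    MicrocodeLoaded   = Get-MicrocodeRevision 'Update Revision'
    MicrocodeFromBios = Get-MicrocodeRevision 'Previous Update Revision'
}
```

Comparing MicrocodeLoaded before and after a BIOS downgrade also answers the question raised earlier in the thread of whether the microcode revision actually changed.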
02-26-2018 09:14 AM
My work T440p started BSODing after the BIOS update and patch too (I believe, was on vacation when it installed).
I also noticed the "WHEA parity errors" in the event log. I've disabled just the 5175 patch and they went away.
But I'm not sure if that patch is what was causing the BSODs or not. Time will tell.
02-27-2018 12:44 AM
There is a new microcode update for T440p.
I have checked it and according to InSpectre app, it does not have Spectre hotfixes. It seems this is a package that restores the previous, stable CPU microcode.