cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
treysis
Punch Card
Posts: 47
Registered: ‎03-01-2017
Location: DE
Views: 4,380
Message 1 of 54

Yoga 2 13 20344 Spectre vulnerability BIOS update

I know this isn't the newest model, but I just purchased it new (on offer) by mid 2015, so I just have it for a good 2 years!

 

I don't see it on the list of affected models, while it CLEARLY IS affected. Will we see a BIOS update to target the Spectre vulnerability? I have always taken Lenovo for giving good support for their hardware. Surely I will have to consider a different brand, if I cannot count on security updates for hardware just a little over 2 years old. (I'm taking suggestions as to which manufacturer is giving better support).

 

At least put all models affected on the list, and just admit that they will not receive an update. So at least we know what we can expect!

AndyU
Ctrl-Alt-Del
Posts: 8
Registered: ‎06-29-2014
Location: RU
Views: 4,316
Message 2 of 54

Re: Yoga 2 13 20344 Spectre vulnerability BIOS update

Could you please publish URL with the list of the vulnerable notebooks? I can't find it. Thank you in advance.
treysis
Punch Card
Posts: 47
Registered: ‎03-01-2017
Location: DE
Views: 4,304
Message 3 of 54

Re: Yoga 2 13 20344 Spectre vulnerability BIOS update

The list is here:

https://support.lenovo.com/de/en/solutions/len-18282

 

However, it only lists affected models that will receive an update, or models that are not affected. It doesn't list models that are affected and which won't receive an update or for which the status is unknown. It would be nice if they would at least tell customers that some models are still being reviewed or won't receive an update at all.

AndyU
Ctrl-Alt-Del
Posts: 8
Registered: ‎06-29-2014
Location: RU
Views: 4,291
Message 4 of 54

Re: Yoga 2 13 20344 Spectre vulnerability BIOS update

I agree. As I see, your laptop also has Haswell CPU. The updated Intel microcode already exists (but is still "unofficial") and if updated firmware will not be available, microcode can be: 1) added manually to existing BIOS/UEFFI, (https://www.win-raid.com/t154f16-Tool-Guide-News-quot-UEFI-BIOS-Updater-quot-UBU.html) 2) downloaded to CPU from Windows (http://forum.notebookreview.com/threads/how-to-update-microcode-from-windows.787152/) Of course, direct way, using official firmware update is preferable. And, I again agree, that the choice of the next laptop/PC motherboard/etc. brand will depend on the reaction of the current brand(s) technical support on this disaster.
treysis
Punch Card
Posts: 47
Registered: ‎03-01-2017
Location: DE
Views: 4,151
Message 5 of 54

Re: Yoga 2 13 20344 Spectre vulnerability BIOS update

Hi. The microcode exists, but it cannot be installed:

1) it is not possible to install a manipulated BIOS. The BIOS file needs a digital signature. Otherwise, it will not be accepted for installation.

2) Windows did offer microcode updates in the past. There are some workaround, but tests have shown that these workarounds are kicking in too late. Windows will not see the new microcode early enough, and will not activate Spectre mitigation.

 

So far, nothing new from Lenovo.

AndyU
Ctrl-Alt-Del
Posts: 8
Registered: ‎06-29-2014
Location: RU
Views: 4,147
Message 6 of 54

Re: Yoga 2 13 20344 Spectre vulnerability BIOS update

Hi, 1) Microcode exists, but still has problems. Please, see this page (mentioned in a closed some time ago similar thread): https://support.lenovo.com/ru/en/solutions/len-18282 2) Did you try to install modded BIOS to Lenovo laptop? Not from Windows, but from DOS, Linux, etc? For example, there are many different possibilities for ASUS motherboards. I modded 2 BIOS'es (added OEM slic blocks). 3) I started thinking about reverse engineering of the mcupdate_GenuineIntel.dll. May be microcode here is just a resource? At least, this dll is loaded at the very beginning of the boot process. Can not say nothing about digital signature of it...
treysis
Punch Card
Posts: 47
Registered: ‎03-01-2017
Location: DE
Views: 4,132
Message 7 of 54

Re: Yoga 2 13 20344 Spectre vulnerability BIOS update

Hi AndyU,

1) I know. Broadwell and Haswell CPUs have problems with current microcode, so it might not even be a good idea to update.

2) yes, I tried from DOS and Linux as well. It's not possible. The BIOS enforces the digital signature. The only way around it is to desolder the BIOS chip and use a EEPROM programmer to program a new BIOS into the chip.

3) This might work, but you would need to disable SecureBoot and other safety features of Windows. This is because the DLL is also digitally signed. And probably also the resources loaded by this DLL.

 

I hope Microsoft will change it's mind and start pushing out microcode updates with Windows again, like they did until mid 2015.

AndyU
Ctrl-Alt-Del
Posts: 8
Registered: ‎06-29-2014
Location: RU
Views: 4,120
Message 8 of 54

Re: Yoga 2 13 20344 Spectre vulnerability BIOS update

Hi, I just found some software, which can possibly help with signature of BIOS : https://github.com/ValdikSS/thinkpad-shahash Additional question, did you try modify BIOS using "novo" button https://support.lenovo.com/ru/en/solutions/ht062552 Similar variant (using "special" USB port at boot time) works for ASUS mbs.
treysis
Punch Card
Posts: 47
Registered: ‎03-01-2017
Location: DE
Views: 4,106
Message 9 of 54

Re: Yoga 2 13 20344 Spectre vulnerability BIOS update

Hi, I doubt this tool is helpfull. Also, my laptop has Ivy Bridge, not Sandy Bridge. So a newer model.

No, I don't have a novo button, the novo button is also only there to enter BIOS. It doesn't help with flashing. The signature verification is done by the previous BIOS, so it won't allow to be overwritten with an unsigned version. I modified BIOS with an InsydeH2O BIOS editor.

AndyU
Ctrl-Alt-Del
Posts: 8
Registered: ‎06-29-2014
Location: RU
Views: 4,049
Message 10 of 54

Re: Yoga 2 13 20344 Spectre vulnerability BIOS update

Hi, may be this reference will help you? https://www.bios-mods.com/forum/Thread-SUCCESS-BIOS-Lock-Disabled-Yoga-2-13-Pro P.S. I have Yoga 2 Pro, where this variant does not work, as I understand reading this thread.

Check out current deals!


Shop current deals