English Community

ThinkPad NotebooksThinkPad: P and W Series Mobile Workstations
All Forum Topics
Options

3 Posts

02-10-2021

United States of America

12 Signins

30 Page Views

  • Posts: 3
  • Registered: ‎02-10-2021
  • Location: United States of America
  • Views: 30
  • Message 1 of 11

Allow undervolting 10th gen Intel CPUs/processors (e.g. add UEFI/BIOS option) on P1 Gen 3 20TH i9

2021-02-10, 13:55 PM

Hi,

 

I would like to undervolt my i9-10885H (10th generation Intel) CPU, because I deliberately got the i9 processor instead of i7 (because I assume i9 chips are better selected chips than the same chips used for i7s). Yet, that is not possible because it is disabled.

 

Please develop an option, UEFI/BIOS would be okay for me, to allow undervolting. This is also a good approach to improve the longevity of the device/CPU. I know about the "vulnerability", yet I think it is not applicable to all computers and certainly not all usage scenarios. So an option for users to allow it would be good, also nice would be to allow it for non-affected models, such as this one.

 

Also to cite the Plundervolt suggestions: "

Should I now throw away my CPU or stop using SGX altogether?

No, definitely not. If you are not using SGX, no actions are required. If you are using SGX, it suffices to apply the microcode update provided by Intel to mitigate Plundervolt." => a desktop computer currently does not focus on using SGX a lot, does it. And also, allowing this undervolting interface to be enabled via UEFI/BIOS would place the user in charge and also would transfer the responsibility to him/her.

 

Thanks.

 

 

 

Reply
Options

560 Posts

01-08-2021

Philippines

43 Signins

2886 Page Views

  • Posts: 560
  • Registered: ‎01-08-2021
  • Location: Philippines
  • Views: 2886
  • Message 2 of 11

Re:Allow undervolting 10th gen Intel CPUs/processors (e.g. add UEFI/BIOS option) on P1 Gen 3 20TH i9

2021-02-10, 17:09 PM

Hello albertorogers,

 


Welcome to Lenovo Community

 

 

If the current OEM version from the support site do not provide this undervolt option, then it was intended to have it on defaults.

Let's see if other users who have the same model, were able to undervolt their machines.

You may check related topic here:
https://forums.lenovo.com/t5/ThinkPad-P-and-W-Series-Mobile-Workstations/Undervolting-ThinkPad-P-Series-list-your-config-settings/m-p/4320983?page=1#4359824

Hope this helps

 


Regards, 
Lorenzo_Lenovo



Did someone help you today? Press the star on the left to thank them with a Kudo!
If you find a post helpful and it answers your question, please mark it as an "Accepted Solution"! This will help the rest of the Community with similar issues identify the verified solution and benefit from it.

Follow us @LenovoSupport on Facebook and Twitter!

Reply
Options

3 Posts

02-10-2021

United States of America

12 Signins

30 Page Views

  • Posts: 3
  • Registered: ‎02-10-2021
  • Location: United States of America
  • Views: 30
  • Message 3 of 11

Re:Allow undervolting 10th gen Intel CPUs/processors (e.g. add UEFI/BIOS option) on P1 Gen 3 20TH i9

2021-02-11, 8:24 AM

@ Lorenzo_Lenovo wrote:

 

If the current OEM version from the support site do not provide this undervolt option, then it was intended to have it on defaults.

 

Let' see if other users who have the same model, were able to undervolt their machines.

You may check related topic here:
https://forums.lenovo.com/t5/ThinkPad-P-and-W-Series-Mobile-Workstations/Undervolting-ThinkPad-P-Series-list-your-config-settings/m-p/4320983?page=1#4359824

 

 

Thanks for the link, yet the problem is indeed, that it is intentional to disable the undervolting, as there appears to be a vulnerability related to this undervolting interface, that can be exploited. The relevance for desktop computers is not comparable to CPUs used in cloud environments and similar, where the SGX feature of the CPU is actually used to store cryptographic secrets for different environments. This is something usually not relevant for Laptops/Desktops.

 

Therefore it should not be disabled in general but it should be allowed for users to enable this undervolting interface again.

 

With my model it is not possible, see below screenshots of Intel XTU and Throttlestop, both show it as locked!:

 

 

Reply
Options

2 Posts

02-05-2021

Germany

2 Signins

15 Page Views

  • Posts: 2
  • Registered: ‎02-05-2021
  • Location: Germany
  • Views: 15
  • Message 4 of 11

Re:Allow undervolting 10th gen Intel CPUs/processors (e.g. add UEFI/BIOS option) on P1 Gen 3 20TH i9

2021-02-14, 0:18 AM
I agree completely. I need this option for my P1 gen 3 too! Please integrate that in the bios again
Reply
Options

1 Posts

02-15-2021

Croatia

2 Signins

5 Page Views

  • Posts: 1
  • Registered: ‎02-15-2021
  • Location: Croatia
  • Views: 5
  • Message 5 of 11

Re:Allow undervolting 10th gen Intel CPUs/processors (e.g. add UEFI/BIOS option) on P1 Gen 3 20TH i9

2021-02-15, 15:54 PM
Undervolt feature is a must for this kind of laptop, please allow the user to enable or disable it in BIOS for P1 gen 3 and other 10th generation Intel processors.

Since it is users choice (Opt in) no one can complain about the lack of security.
 
Thanks.
Reply
Options

3936 Posts

12-02-2007

United States of America

9067 Signins

191498 Page Views

  • Posts: 3936
  • Registered: ‎12-02-2007
  • Location: United States of America
  • Views: 191498
  • Message 6 of 11

Re:Allow undervolting 10th gen Intel CPUs/processors (e.g. add UEFI/BIOS option) on P1 Gen 3 20TH i9

2021-02-16, 7:45 AM

Hello,

I am not a Lenovo employee, just a volunteer here, but wanted to provide my own perspective on this.

 

From reading Intel's own advisory at https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00289.html, plus the Plundervolt website at https://plundervolt.com/, Intel's decision to disable undervolting in affected CPUs seems justifiable given the HIGH severity rating assigned due to the scope of the vulnerability.

 

While individual users (aka knowledgeable ThinkPad owners such as yourselves) are able to make decisions about the amount of risk allowed in your computing environments, computer manufacturers like Lenovo have to take a look at managing CPU vulnerabilities like this following the best practices and guidelines from the silicon vendor, along with the requirements and use cases from their corporate customers for the security, integrity and reliability of the devices they have (or are going to) purchase.

 

The problem with intentionally allowing a vulnerability to remain in a computing device because a subset of its users make use of that functionality is that it exposes all users of the devices to that vulnerability.  While it is easy to reply saying that's a risk-management concern (as mentioned above for individual users), at the end of the day that is not really a scenario every customer has the ability to assess or manage.  It also doesn't account well for things like supply-chain/in-transit tampering, or attacks on end-users with some kind of social engineering angle—which could something as simple as calling the victim, stating that you are from their IT department, and walking them through making BIOS (UEFI) firmware changes, downloading and running a script, and so forth.  While such actions are usually performed by support scammers and other "low-hanging fruit" type threat actors, there is no reason they cannot be used as a pretext by a more sophisticated attacker.  To paraphrase one of Murphy's Laws, "If it's dump but it works, it isn't dumb."

 

Anyways, I just wanted to provide some context here as to why it is often a good idea to disable vulnerable interfaces and settings.

 

Regards,

 

Aryeh Goretsky

 



I am a volunteer and neither a Lenovo nor a Microsoft employee.

L380 YogaP72 (20MB-*)P50 (20EN-*)S230u (3347-4HU)T23 (2648-LU7)T42 (2378-R4U)T43p (2678-H7U)T61p (6459-CTO)W510 (4318-CTO)W530 (2441-4R3)W530 (2441-4R3)X100e (3508-CTO)X120e (0596-CTO)X220 (4286-CTO)X250 (20CM-*)Yoga 370

  Communities:   English    Deutsche    Español    Português    Русскоязычное    Česká    Slovenská    Українська   Język Polski    Moto English


Need an answer, fast? Try using Browser Search to find it in the Lenovo and Moto Community
Reply
Options

3 Posts

02-10-2021

United States of America

12 Signins

30 Page Views

  • Posts: 3
  • Registered: ‎02-10-2021
  • Location: United States of America
  • Views: 30
  • Message 7 of 11

Re:Allow undervolting 10th gen Intel CPUs/processors (e.g. add UEFI/BIOS option) on P1 Gen 3 20TH i9

2021-02-16, 13:49 PM

@ goretsky wrote:

Hello,

I am not a Lenovo employee, just a volunteer here, but wanted to provide my own perspective on this.

 

From reading Intel' own advisory at https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00289.html, plus the Plundervolt website at https://plundervolt.com/, Intel' decision to disable undervolting in affected CPUs seems justifiable given the HIGH severity rating assigned due to the scope of the vulnerability.

 

While individual users (aka knowledgeable ThinkPad owners such as yourselves) are able to make decisions about the amount of risk allowed in your computing environments, computer manufacturers like Lenovo have to take a look at managing CPU vulnerabilities like this following the best practices and guidelines from the silicon vendor, along with the requirements and use cases from their corporate customers for the security, integrity and reliability of the devices they have (or are going to) purchase.

 

The problem with intentionally allowing a vulnerability to remain in a computing device because a subset of its users make use of that functionality is that it exposes all users of the devices to that vulnerability.  While it is easy to reply saying that' a risk-management concern (as mentioned above for individual users), at the end of the day that is not really a scenario every customer has the ability to assess or manage.  It also doesn' account well for things like supply-chain/in-transit tampering, or attacks on end-users with some kind of social engineering angle—which could something as simple as calling the victim, stating that you are from their IT department, and walking them through making BIOS (UEFI) firmware changes, downloading and running a script, and so forth.  While such actions are usually performed by support scammers and other "low-hanging fruit" type threat actors, there is no reason they cannot be used as a pretext by a more sophisticated attacker.  To paraphrase one of Murphy' Laws, "If it' dump but it works, it isn' dumb."

 

Anyways, I just wanted to provide some context here as to why it is often a good idea to disable vulnerable interfaces and settings.

 

Regards,

 

Aryeh Goretsky

 

Thank you for that insight and I agree almost; I really like that you step in here and bring up such important business decisions regarding security risks!

 

I think it is important to keep something like this scammer attacks in mind but I would go so far as to say then also the removal of the supervisor password to protect the bios or other security relevant features changeable in the UEFI/BIOS would be a good target.

 

If such an option would be made available in the UEFI/BIOS, to enable/disable that undervolting interface of the processor, it should include a security warning information (as other options in the UEFI/BIOS also have. With that I would think the responsibility of the OEM/Lenvo would have been taken care of.

 

I don't know how to factor in this supply chain attack, but I think that goes also along with other security relevant options available via UEFI.

 

Regarding this small user base, I think also the userbase affected by the vulnerability is small, but this is only an assumption.

I also like that Lenovo fixed the security vulnerability and provides secure products, yet I think it is also important to offer, especially in ThinkPad products, the full features of the components used in the product, in this case the undervolting interface.

 

 

 

Reply
Options

45 Posts

02-21-2017

Canada

115 Signins

514 Page Views

  • Posts: 45
  • Registered: ‎02-21-2017
  • Location: Canada
  • Views: 514
  • Message 8 of 11

Re:Allow undervolting 10th gen Intel CPUs/processors (e.g. add UEFI/BIOS option) on P1 Gen 3 20TH i9

2021-02-21, 5:42 AM

It is dead simple for manufacturers to include CPU voltage control in the BIOS. When a computer exits the BIOS, the lock bit is set on the CPU voltage control register and the Plundervolt problem is solved. Setting a single lock bit prevents any user software from changing the CPU voltage while in Windows. No more security vulnerability.

 

Instead, Lenovo and the majority of manufacturers took the easy way out by disabling all access to the CPU voltage register. 

 

Many MSI laptops allow users to access voltage control in the BIOS for 10th Gen CPUs. It can be done. 

 

I have been a long time Lenovo customer but I will be shopping elsewhere next time. 

Reply
Options

6 Posts

02-16-2018

United Kingdom of Great Britain and Northern Ireland

24 Signins

232 Page Views

  • Posts: 6
  • Registered: ‎02-16-2018
  • Location: United Kingdom of Great Britain and Northern Ireland
  • Views: 232
  • Message 9 of 11

Re:Allow undervolting 10th gen Intel CPUs/processors (e.g. add UEFI/BIOS option) on P1 Gen 3 20TH i9

2021-02-21, 14:29 PM

This is quite a serious decision/mistake.

Undervolting is/should be part of the configuration and optimizing of any system that has to efficiently do sustained work.

 

P series Thinkpads are obviously very much in this category.

 

* Plundervolt is ONLY a risk when Intel SGX is enabled.
* Undervolting should ONLY be locked out when SGX is enabled.
* Perhaps the option for enabling undervolting is presented when SGX is enabled.  This could be debatable, for sure.
* There is zero reason why there should even be an option for undervolting in the BIOS if SGX is disabled.  It should just be unlocked.


Right now, my Xeon E3-1505M v5 powered P51 has had it's undervolting locked out.  Where previously, i'd successfully undervolted it to a rock-solid -115mv, and used it like this for several years already.  
So now:
* My system is running hotter.
* My system fans have to run faster/louder.
* My system's lifespan is therefore being reduced.
* Replacing systems sooner = money
* Render/Encoding jobs now take longer.
* That eats into my time.
* Time = money.
* Longer, hotter, less efficient processing = higher carbon footprint.

Due to this clumsy overreaction and unnecessarily heavy-handed fix for this genuine exploit, most of our Thinkpads are now unnecessarily running hotter, slower, louder, costing us time and money:
The Plundervolt exploit has effectively won.

Reply
Options

366 Posts

01-23-2009

Finland

662 Signins

6840 Page Views

  • Posts: 366
  • Registered: ‎01-23-2009
  • Location: Finland
  • Views: 6840
  • Message 10 of 11

Re:Allow undervolting 10th gen Intel CPUs/processors (e.g. add UEFI/BIOS option) on P1 Gen 3 20TH i9

2021-02-22, 8:10 AM

@ topbanana wrote:


Right now, my Xeon E3-1505M v5 powered P51 has had it' undervolting locked out.  Where previously, i' successfully undervolted it to a rock-solid -115mv, and used it like this for several years already.  
So now:
* My system is running hotter.
* My system fans have to run faster/louder.
* My system' lifespan is therefore being reduced.
* Replacing systems sooner = money
* Render/Encoding jobs now take longer.
* That eats into my time.
* Time = money.
* Longer, hotter, less efficient processing = higher carbon footprint.

Due to this clumsy overreaction and unnecessarily heavy-handed fix for this genuine exploit, most of our Thinkpads are now unnecessarily running hotter, slower, louder, costing us time and money:
The Plundervolt exploit has effectively won.

 

Your response resonates with me very much! And I fully agree on your point that we should just be able to disable SGX and have undervolting then enabled. 

 

Unfortunately I have to say, that the percentage of people that use undervolting is miniscule compared to users who just use their computer as is, never knowing this is an option. Experimenting with the proper undervolt amount to get a stable system is just not something a regular user is prepared to do. So I understand that this is not a priority for Lenovo to support the undervolting scenario for that few users who would actually take advantage of it. 

 

Keeping my fingers crossed that we may see a change in this. 

 

(In the meantime, I repasted my P15 Gen1 with better thermal paste, and it also made a huge improvement. Previously I used undervolting on the P52 and I do miss that because of Plundervolt, because the computer got more performance and made less heat/fan noise). 

 

Lenard | (I am a Lenovo INsider - a volunteer and not a Lenovo employee) | @lenardg
ThinkPad P15 Gen1 | YOGA C630 WOS
Reply
Forum Home

Community Guidelines

Please review our Guidelines before posting.

Learn More

Check out current deals!

Go Shop
X

Save

X

Delete

X

No, I don’t want to share ideas Yes, I agree to these terms