Is there any downside to updating CPU microcode?

I have a Xeon x5675. I’m in the process of updating the microcode in light of the Spectre/Meltdown issues, but I’m wondering whether, in general, there are any downsides to updated microcode. Is updated microcode ever a bad/negative thing? Can it result in performance loss (setting aside any OS settings/patches)?

Which brings me to my second uncertainty: my understanding is that Spectre/Meltdown patches are entirely contingent on parameters set in Windows’ registry, which determine whether the patches are activated or not. So please clarify or correct me if I’m wrong, but if I update my x5675 microcode to the latest, do I still have the option of disabling the Spectre/Meltdown patches in Windows/registry, and if I were to disable the Windows registry patches, would I still have the full performance of my pre-microcode-update x5675?

The reason I ask is because I’m weighing whether to A.) update the microcode, and B.) whether to disable the patches, as I would really prefer not to have the performance loss. If there’s no downside to updating the microcode, and the performance loss is entirely whether the OS (Windows) activates the patches or not, then it makes sense to update the microcode no matter what. Then it’s a matter of whether to leave the patches activated or not.

I should probably test to determine how much performance loss there would be, but I’m unsure whether I should test with new updated microcode AND with old outdated microcode, and then with each of those test branches, test each with the Windows/registry patches activated AND then not activated. Which would be a lot of testing, and I’m not even sure yet what would be the best utility to properly test for whether there’d be a significant performance hit from them (and how much – any recommendations on best testing utility to determine this?).

Any thoughts/input would be much appreciated!
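As an added example (not from the thread), this read-only PowerShell function reports whether the registry override the question refers to is currently forcing the Spectre variant 2 or Meltdown mitigation off. The key path and the bit meanings are assumptions taken from Microsoft's published mitigation guidance, not from this page.

```powershell
# Added example: read-only report of the Windows speculative-execution
# mitigation override. Assumptions (from Microsoft's guidance, not this page):
#   - values live under HKLM\...\Session Manager\Memory Management
#   - FeatureSettingsOverride bit 0 = Spectre variant 2, bit 1 = Meltdown
#   - a bit set in BOTH Override and Mask means that mitigation is disabled;
#     a bit not set in Mask means the OS default applies.
$MitigationKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-MitigationOverrideReport {
    param([string]$Path = $MitigationKey)

    # Missing key or missing values both mean "no override" (OS default).
    $props    = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $override = $props.FeatureSettingsOverride
    $mask     = $props.FeatureSettingsOverrideMask
    if ($null -eq $override -or $null -eq $mask) {
        return [pscustomobject]@{
            OverridePresent = $false
            SpectreV2       = 'OS default (no registry override)'
            Meltdown        = 'OS default (no registry override)'
        }
    }

    # Only bits selected by the mask take effect.
    $effective = $override -band $mask
    $spectre  = if ($mask -band 1) { if ($effective -band 1) { 'DISABLED by override' } else { 'forced ON by override' } } else { 'OS default' }
    $meltdown = if ($mask -band 2) { if ($effective -band 2) { 'DISABLED by override' } else { 'forced ON by override' } } else { 'OS default' }

    [pscustomobject]@{
        OverridePresent = $true
        Override        = $override
        Mask            = $mask
        SpectreV2       = $spectre
        Meltdown        = $meltdown
    }
}

Get-MitigationOverrideReport | Format-List
```

The registry only expresses intent; whether a mitigation is actually active also depends on the loaded microcode and OS version, so confirm with Microsoft's SpeculationControl module (Get-SpeculationControlSettings) after any change.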

I am not professional at all, so correct me if it is needed.

As you said, there are the same microcode updates at the OS level that you can make by updating the BIOS uCodes. The only difference is that the BIOS-level uCodes are loaded a little bit sooner.

I am not sure about Windows. Linux has tried to fix the security issues with some kind of run-time check. If you have outdated uCode, the kernel runs security patches that have at least the same level of performance loss as updated uCodes, or greater.

The original security issues are easier to understand than the newer, more complex ones.

If you have ever done any coding, it is easy to understand here with the pseudo code:

string name = "Raun0"
string surname = "Example"   ## added in editing so the line below has a value to use
boolean check = True

if ( check == False ) {
    ## This line was run before the actual true/false check on the line above.
    ## This is "speculative operations": processors increase performance by running
    ## lines ahead of time. In this case we never needed this line to run, because
    ## check is True. But attackers can get access to this data, so in this case they
    ## could steal your name. That could be a password or anything.
    name = name + " " + surname
}

print name


So there will always be some degree of performance hit with these security patches! It depends on the load whether it is noticeable.