11 Replies Latest reply on Jan 11, 2018 8:15 PM by wpshooter

    what does SA-00086 Intel Detection Tool do ?

    wpshooter

      Can anyone tell me what the SA-00086 Intel Detection tool actually does ?

       

      Does it ?

       

      1) Only test the processor to see if it is one of the many processors on a long listing of processors which are vulnerable to the Meltdown and Spectre threats.

       

      2) Show the actual (fixed/mitigated or not fixed/not-mitigated) status of the detected processor to the Meltdown and Spectre threats.

       

      I have been unable to get a clear answer to this question from either my computer manufacturer, Dell, or from Intel.

       

      I have applied all currently available kernel updates to my operating system (Linux Mint) and the detection tool still says that my processor is VULNERABLE.

       

      Thanks.

        • 1. Re: what does SA-00086 Intel Detection Tool do ?
          Win7ine

          It does test for vulnerabilities found in the Intel Management Engine and is a different/additional security issue to the later published CPU architecture related Spectre or Meltdown vulnerabilities.

          • 2. Re: what does SA-00086 Intel Detection Tool do ?
            wpshooter

            Win7ine:

             

            Can you refer me to your source for the different/additional security issues.

             

            I read the bulletin related to SA-00086, and unless I missed it, I saw no references to anything other than Meltdown and Spectre.

             

            If it is for different/additional security issues, is there a detection test which is strictly for the Meltdown and Spectre issues ?

             

            Thanks.

            • 4. Re: what does SA-00086 Intel Detection Tool do ?
              Win7ine

              If you are running Windows, yes there is a MS Powershell Script which will test for Spectre and Meltdown.

               

              Temporarily set PowerShell script execution policy
              PS> Set-ExecutionPolicy Unrestricted -Scope Process -Force

               

              Install the PowerShell module
              PS> Install-Module SpeculationControl -Force

               

              Run the PowerShell module to validate protections are enabled
              PS> Get-SpeculationControlSettings

              • 5. Re: what does SA-00086 Intel Detection Tool do ?
                wpshooter

                I am NOT using MS windows.

                 

                I am using Linux Mint version 18.3.

                 

                Isn't the utility (Linux version) listed on the SA-00086 bulletin supposed to be used to test for the Meltdown and Spectre vulnerabilities ?

                 

                According to my best guess reading of the bulletin, what it is referring to are the Meltdown and Spectre vulnerabilities even though it does not specifically call them by name.

                 

                I just got thru applying today's Intel microcode update 3.20180108 thru Linux Mint update manager and after doing so and rebooting the SA-00086 Linux Intel Detection Tool STILL says that my processor is VULNERABLE.  I looked in Driver Manager and yes, the microcode is showing the 2018 version.

                 

                Thanks.

                • 6. Re: what does SA-00086 Intel Detection Tool do ?
                  N.Scott.Pearson

                  NO!

                   

                  The SA-00086 bulletin refers to the vulnerability identified in the Intel Management Engine. To address this vulnerability, you will need a BIOS update that provides the new Intel Management Engine firmware.

                   

                  It is the SA-00088 bulletin that refers to the Meltdown and Spectre vulnerabilities in the processors. To address these vulnerabilities, you need a BIOS update that provides the latest microcode for your processor as well as the latest OS updates for these vulnerabilities.

                   

                  BIOS updates come from your board manufacturer; they DO NOT come from Intel. Yes, it's true that Linux can also install the latest microcode, but the absolute best place for this to happen is during BIOS POST.

                  ...S

                  • 7. Re: what does SA-00086 Intel Detection Tool do ?
                    wpshooter

                    Is there an Intel processor detection tool for SA-00088 ?

                     

                    I have been to Intel's download site (also Googled it) and searched for SA-00088 processor detection tool and I find nothing - am I missing it ?

                     

                    So far, I have not been able to get an answer from Dell as to whether a BIOS will be offered to fix these problems, does that likely mean that I am going to be up-the-creek-without-a-paddle ?  I have the latest BIOS version A17 - June 2017 vintage already installed.  Yes, I know that these are more recently discovered problems.

                     

                    I have applied Linux Mint kernel updates, applied today's Intel microcode update, does this likely mean that I have the problems mitigated - but how to know for sure if there is no detection tool ?

                     

                    Thanks.

                    • 8. Re: what does SA-00086 Intel Detection Tool do ?
                      N.Scott.Pearson

                      If there is a tool, you will find it through here: Facts about The New Security Research Findings and Intel Products.

                       

                      As for BIOS updates, it may take the manufacturers some time to make the updates available. Patience Grasshopper!

                       

                      ...S

                      • 9. Re: what does SA-00086 Intel Detection Tool do ?
                        wpshooter

                        Thanks for the link but I had pretty much gone over that one and I can see no info regarding a detection tool there.

                         

                        And had already read the computer listing and particular Dell model's listing and if that is a comprehensive listing, then it is like I have suggested that I (and many others) are going to be SOL.

                         

                        It would really be nice if Intel could plainly post a detection tool for these problems so that one would not have to search all over creation to try to find it.

                         

                        Bad thing is that there is possibility that applying the Linux kernel updates and the microcode update MAY have fixed the problems but with no way to know for sure suppose I will just have to cross my fingers and hope that hackers are so busy with other things that they don't have time to fool with my little old computer.

                         

                        Dell has already sort of indicated to me that they have no real great concerns as to if, when or whether a BIOS is offered to fix this for a Dell Optiplex model 980, if you do not purchase a new computer from these companies every year or two, it is no skin off their teeth, quite to the contrary this may be just more money in their pockets a year or two from now when computer sales go up.  I know that MS$ users may need to purchase a new computer every year or so but that is not true for Linux users.

                         

                        I will keep looking for Intel detection tool but at this point I have very little confidence that I am going to find one.

                         

                        Thanks.

                        • 10. Re: what does SA-00086 Intel Detection Tool do ?
                          wpshooter

                          Well, I think I finally found it.  Boy, that was like hunting hen's teeth !!!

                           

                          However, it does not appear to me that it has much relationship to Intel.

                           

                          Found it at this link due to a post that someone made on Linux Mint forums:

                           

                          spectre-meltdown-checker/README.md at master · speed47/spectre-meltdown-checker · GitHub

                           

                          It says that my Meltdown has been mitigated but that the Spectre is still a problem.  Which is exactly what someone had suggested on Linux Mint forums earlier.

                           

                          Hope the other owners of old no longer under warranty systems might happen to find this post because both Intel and Dell were of zero help in finding this.

                           

                          Now to wait for a fix for Spectre.

                           

                          Thanks.
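The question running through this thread, how to tell on Linux whether the kernel and microcode updates actually took effect, can also be answered from the kernel's own status files. The script below is an added example, not part of any post here and not code from Intel or the spectre-meltdown-checker project; it assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise the kernel's own Meltdown/Spectre status report.
# Standard Linux sysfs location; absent on kernels that predate the interface.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status TEXT -> prints OK, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo OK ;;
        "Vulnerable"*)                  echo VULNERABLE ;;
        *)                              echo UNKNOWN ;;
    esac
}

# report_vulns [DIR] -> one "name<TAB>verdict<TAB>kernel text" line per issue.
# Returns 0 if every entry is OK, 1 if any is VULNERABLE or UNKNOWN,
# 2 if DIR is missing or empty (the kernel gives no answer either way).
report_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    [ -d "$dir" ] || { echo "no status directory: $dir" >&2; return 2; }
    n=0
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        n=$((n + 1))
        text=$(cat "$f")
        verdict=$(classify_status "$text")
        [ "$verdict" = OK ] || rc=1
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$verdict" "$text"
    done
    [ "$n" -gt 0 ] || return 2
    return "$rc"
}

# loaded_microcode [CPUINFO] -> microcode revision the running CPU reports,
# which is what counts, as opposed to the installed package version.
loaded_microcode() {
    awk -F': *' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# Usage on a live system: report_vulns; loaded_microcode
```

A return code of 2 means the kernel does not report status at all, which is different from reporting that the machine is vulnerable.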

                          • 11. Re: what does SA-00086 Intel Detection Tool do ?
                            wpshooter

                            Now back to work.

                             

                            Now that the Meltdown and Spectre are solved or at least partly so, need to find out what to do about vulnerability revealed by Intel detection tool for SA-00086 - Intel Management Engine.

                             

                            Is the problem with Intel Management Engine the fact that the version of this needs to be updated, i.e. a BIOS update or is it a problem with the way the IME is currently configured or is the problem that the IME just needs to be DISABLED instead of being enabled ?

                             

                            Also, am I understanding correctly that the purpose of this IME is used by system administrators to allow themselves to remotely control the client machines on the network ?

                             

                            Thanks.