Gentoo Forums
Do I need to apply a spectre/meltdown bios update?
Letharion
Veteran
Joined: 13 Jun 2005
Posts: 1344
Location: Sweden

Posted: Sat Dec 22, 2018 3:05 pm    Post subject: Do I need to apply a spectre/meltdown bios update?

When spectre/meltdown was revealed, there was talk about bios updates, and the risk that they slowed CPUs down.
Then I got the impression that someone came up with a clever workaround (retpoline?) that could be applied on the compiler level.

My motherboard has a "beta" bios update that addresses spectre/meltdown, but MSI says they won't take it past "beta" because they consider the MB too old.

I'm hesitant to apply the update given that they won't call it by anything other than beta, though I barely know what they mean by that.

Can I safely get away without it, because the problem is solved by the compiler, or should I take the plunge?

I run an up-to-date kernel, as per this page: https://wiki.gentoo.org/wiki/Project:Security/Vulnerabilities/Meltdown_and_Spectre
tholin
Apprentice
Joined: 04 Oct 2008
Posts: 203

Posted: Sat Dec 22, 2018 3:47 pm

The kernel has 5 different mitigations for the various speculation attacks.
  • spectre_v1 mitigation does not require any firmware update. Developers have to manually find and patch all vulnerable code.
  • spectre_v2 could in theory be mitigated with just retpoline but only if all code on the system is recompiled with retpoline (including UEFI firmware code). That is not going to happen so a firmware update is needed anyway.
  • meltdown is mitigated in software.
  • spec_store_bypass can only be mitigated by disabling the feature using the speculative store bypass disable flag and that requires firmware with support for that.
  • l1tf mitigation requires a firmware update if you use a virtual machine with Extended Page Table (EPT) enabled. You also need to disable hyper threading if your cpu supports it. Afaik the firmware update isn't needed if you don't use untrusted virtual machines.
The firmware that needs to be updated is the cpu's microcode. You can update that without flashing a new mobo bios.

https://wiki.gentoo.org/wiki/Microcode
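
The kernel reports the state of each of the five mitigations listed in the answer above under /sys/devices/system/cpu/vulnerabilities, so the effect of a microcode update can be checked before and after applying it. The script below is an added example, not part of either post; the verdict labels and the rule that an IBPB/IBRS mention in the spectre_v2 status means the microcode exposes those features are this example's assumptions.

```shell
#!/bin/sh
# Added example: classify the kernel's sysfs status for the five mitigations
# named in the answer. Verdict labels are this example's own, not kernel output.

# classify NAME STATUS -> ok | vulnerable | needs-microcode | check-smt | unknown
classify() {
    case "$2" in
        "Not affected"*) echo ok ;;
        Vulnerable*)
            # Per the answer, spec_store_bypass needs the SSBD flag, which
            # requires firmware support; other entries are simply unmitigated.
            if [ "$1" = spec_store_bypass ]; then echo needs-microcode
            else echo vulnerable; fi ;;
        Mitigation:*)
            case "$1:$2" in
                # Assumption: the status mentions IBPB/IBRS only when the
                # microcode exposes them; otherwise only retpoline is active.
                spectre_v2:*IBPB*|spectre_v2:*IBRS*) echo ok ;;
                spectre_v2:*) echo needs-microcode ;;
                # L1TF with hyper-threading still on: review if untrusted VMs run.
                l1tf:*"SMT vulnerable"*) echo check-smt ;;
                *) echo ok ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# report [DIR] -> one "name: verdict (raw status)" line per mitigation
report() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    for name in spectre_v1 spectre_v2 meltdown spec_store_bypass l1tf; do
        status=
        if [ -r "$dir/$name" ]; then status=$(cat "$dir/$name"); fi
        printf '%s: %s (%s)\n' "$name" "$(classify "$name" "$status")" \
            "${status:-no sysfs entry}"
    done
}

report "$@"
```

Run it once before and once after loading new microcode; a spectre_v2 or spec_store_bypass line that moves from needs-microcode to ok shows the update took effect without a BIOS flash.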