Enable Retpoline to mitigate Spectre variant 2 (CVE-2017-5715) Solved

  1.    #11

    Steve C said:
    I've modified my main two PCs. There is also discussion about retpoline on another thread which indicates drivers have to be updated to benefit from the retpoline fix - see post 315 onwards Cumulative Update KB4482887 Windows 10 v1809 Build 17763.348 - March 1
    Thanks Steve.
    Compiling the drivers with Retpoline is also mentioned in the conclusion of Microsoft's post. As they say, the improvement they noticed, in their lab, was with all drivers compiled with Retpoline, which is highly unlikely to happen in real-world systems....


  2.    #12

    Enabling Retpoline on an AMD machine might actually be somewhat important from a security standpoint since Indirect Branch Restricted Speculation (IBRS) is disabled by default on all AMD CPUs.


       #13

    I'm having an odd issue where BTIKernelRetpolineEnabled reports as true, but BTIKernelImportOptimizationEnabled reports as false, which I didn't even know was possible. I had nothing for the registry entries, and now both are set to 400.
    [attached image: RetpolineRegistry.PNG]
    I have the latest microcode patch installed for my processor as well:
    Code:
    CPU-Info Version 2.1  © 2019 Dimitri Delopoulos
    
    
    Computer Model               : MS-7885
    Computer Name                : Z
    Processor Type               : Central Processor
    Manufacturer                 : GenuineIntel
    CPU Family                   : Intel(R) Xeon(TM)
    CPU Architecture             : x64
    Name                         : Intel(R) Core(TM) i7-5820K CPU @ 3.30GHz
    Description                  : Intel64 Family 6 Model 63 Stepping 2
    Number of Cores              : 6
    Number of Logical Processors : 12
    Current Clock Speed          : 3301
    Socket Designation           : SOCKET 0
    Upgrade Method               : Socket LGA2011-3
    CPUID                        : 000306F2
    Display Family               : 06H
    Display Model                : 3FH
    
    Running microcode revision   : 0x3D (loaded by UEFI)
    UEFI CPU microcode revision  : 0x3D
    
    Boot Mode                    : UEFI
    UEFI Version                 : P.60
    UEFI Manufacturer            : American Megatrends Inc.
    UEFI Serial Number           : Default string
    UEFI Release Date            : 2018-06-14 (273 days ago)
    Here's the full output of Get-SpeculationControlSettings:
    Code:
    PS C:\WINDOWS\system32> Get-SpeculationControlSettings
    For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629
    
    Speculation control settings for CVE-2017-5715 [branch target injection]
    
    Hardware support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is enabled: True
    
    Speculation control settings for CVE-2017-5754 [rogue data cache load]
    
    Hardware requires kernel VA shadowing: True
    Windows OS support for kernel VA shadow is present: True
    Windows OS support for kernel VA shadow is enabled: True
    Windows OS support for PCID performance optimization is enabled: True [not required for security]
    
    Speculation control settings for CVE-2018-3639 [speculative store bypass]
    
    Hardware is vulnerable to speculative store bypass: True
    Hardware support for speculative store bypass disable is present: True
    Windows OS support for speculative store bypass disable is present: True
    Windows OS support for speculative store bypass disable is enabled system-wide: False
    
    Speculation control settings for CVE-2018-3620 [L1 terminal fault]
    
    Hardware is vulnerable to L1 terminal fault: True
    Windows OS support for L1 terminal fault mitigation is present: True
    Windows OS support for L1 terminal fault mitigation is enabled: True
    
    
    BTIHardwarePresent                  : True
    BTIWindowsSupportPresent            : True
    BTIWindowsSupportEnabled            : True
    BTIDisabledBySystemPolicy           : False
    BTIDisabledByNoHardwareSupport      : False
    BTIKernelRetpolineEnabled           : True
    BTIKernelImportOptimizationEnabled  : False
    KVAShadowRequired                   : True
    KVAShadowWindowsSupportPresent      : True
    KVAShadowWindowsSupportEnabled      : True
    KVAShadowPcidEnabled                : True
    SSBDWindowsSupportPresent           : True
    SSBDHardwareVulnerable              : True
    SSBDHardwarePresent                 : True
    SSBDWindowsSupportEnabledSystemWide : False
    L1TFHardwareVulnerable              : True
    L1TFWindowsSupportPresent           : True
    L1TFWindowsSupportEnabled           : True
    L1TFInvalidPteBit                   : 45
    L1DFlushSupported                   : True
    If anybody has any thoughts, I would appreciate it!


       #14

    Zzyzx said:
    I'm having an odd issue where BTIKernelRetpolineEnabled reports as true, but BTIKernelImportOptimizationEnabled reports as false, which I didn't even know was possible. I had nothing for the registry entries, and now both are set to 400.
    I found the issue. It was because I had Driver Verifier enabled. If anyone else has this issue, disable Driver Verifier.

  5.    #15

    Thanks for the answer, because I tried to find out why, to help you, and I couldn't.

  6.    #16

    @ddelo I found this:
    Does it have any meaning to you?

    [attached image: 1.jpg]


  7.    #17

    boombastik said:
    @ddelo I found this:
    Does it have any meaning to you?

    [attached image: 1.jpg]
    Nope, not really!
    And to be honest, I don't understand which one is the memory deduplication setting:
    0x800 or 0x400?
    Last edited by ddelo; 20 Mar 2019 at 20:10.

  8.    #18

    Retpoline requirements?


    I have a couple of pretty nice desktop PCs that are about 10 years old. They are running Windows 10 Pro 64-bit v1809 on Asus P5Q-Pro mobos. I got curious about the non-hardware fixes for Spectre and Meltdown and began looking for how to verify what "fix" I have installed and, if one is not installed, how I could install/enable either the microcode update (if one were available from Intel, but one is not available, nor does Intel/Asus plan on providing one) or the Google Retpoline software patch, which I understand is more efficient than the patch that MS has been providing.

    If it wasn't already before, my head is now filled with mush...

    According to Intel, my Q9550 (Yorkfield) CPU does not, and will not, have updated microcode to fix the vulnerability. Asus tech folks say they have no plans for it either but not to worry, just take the performance hit and use the software patch(es) from Microsoft.

    I don't find anything that lets me see if I even have the MS software patch -- MS or Google -- installed.

    My understanding is that MS is now going to use the Google Retpoline patch because it gives better performance -- with a vague commitment to providing their own more efficient patch later. Also they say the Retpoline patch is already installed and will be enabled "from the cloud" sometime in the future. I found many posts that give the same two Registry additions for enabling the Retpoline patch manually if you want to do it yourself now.

    After adding those two entries and rebooting, the PowerShell module Get-SpeculationControlSettings still shows "BTIKernelRetpolineEnabled : False".

    Several different threads on the subject make it sound like even Retpoline requires the updated Intel firmware, which is in conflict with most articles that say it's a software patch for older CPUs that will not get the updated firmware.

    Can anyone tell me if the MS-installed Google Retpoline sw patch requires new/updated firmware for the Yorkfield CPU? If not, if it indeed is a software-only patch for Spectre & Meltdown, what beyond the two new registry entries do I need to do to enable it?

    Thanks in advance,

    Howard
    ===================================================
    PS C:\WINDOWS\system32> get-speculationcontrolsettings
    For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629

    Speculation control settings for CVE-2017-5715 [branch target injection]

    Hardware support for branch target injection mitigation is present: False
    Windows OS support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is enabled: False
    Windows OS support for branch target injection mitigation is disabled by system policy: False
    Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

    Speculation control settings for CVE-2017-5754 [rogue data cache load]

    Hardware requires kernel VA shadowing: True
    Windows OS support for kernel VA shadow is present: True
    Windows OS support for kernel VA shadow is enabled: True
    Windows OS support for PCID performance optimization is enabled: False [not required for security]

    Speculation control settings for CVE-2018-3639 [speculative store bypass]

    Hardware is vulnerable to speculative store bypass: True
    Hardware support for speculative store bypass disable is present: False
    Windows OS support for speculative store bypass disable is present: True
    Windows OS support for speculative store bypass disable is enabled system-wide: False

    Speculation control settings for CVE-2018-3620 [L1 terminal fault]

    Hardware is vulnerable to L1 terminal fault: True
    Windows OS support for L1 terminal fault mitigation is present: True
    Windows OS support for L1 terminal fault mitigation is enabled: True

    Suggested actions * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.

    BTIHardwarePresent : False
    BTIWindowsSupportPresent : True
    BTIWindowsSupportEnabled : False
    BTIDisabledBySystemPolicy : False
    BTIDisabledByNoHardwareSupport : True
    BTIKernelRetpolineEnabled : False
    BTIKernelImportOptimizationEnabled : False
    KVAShadowRequired : True
    KVAShadowWindowsSupportPresent : True
    KVAShadowWindowsSupportEnabled : True
    KVAShadowPcidEnabled : False
    SSBDWindowsSupportPresent : True
    SSBDHardwareVulnerable : True
    SSBDHardwarePresent : False
    SSBDWindowsSupportEnabledSystemWide : False
    L1TFHardwareVulnerable : True
    L1TFWindowsSupportPresent : True
    L1TFWindowsSupportEnabled : True
    L1TFInvalidPteBit : 45
    L1DFlushSupported : False
    ==========================================================
    PS C:\users\xxxxx\desktop> .\cpu-info.ps1
    CPU-Info Version 2.2 © 2019 Dimitri Delopoulos

    Computer Model : System Product Name
    Computer Name : GARAGE-PC
    Processor Type : Central Processor
    Manufacturer : GenuineIntel
    CPU Family : Intel(R) Core(TM)2 Quad processor
    CPU Architecture : x64
    Name : Intel(R) Core(TM)2 Quad CPU Q9550 @ 2.83GHz
    Description : Intel64 Family 6 Model 23 Stepping 10
    Number of Cores : 4
    Number of Logical Processors : 4
    Current Clock Speed : 2833
    Socket Designation : LGA 775
    Upgrade Method : Other
    CPUID : 0001067A
    Display Family : 06H
    Display Model : 17H

    Running microcode revision : 0x79

    Boot Mode : Legacy BIOS
    Legacy BIOS Version : BIOS Date: 02/23/09 21:14:18 Ver: 08.00.14
    Legacy BIOS Manufacturer : American Megatrends Inc.
    Legacy BIOS Serial Number : System Serial Number
    Legacy BIOS Release Date : 2/22/2009 (3683 days ago)

  9.    #19

    HowardWoodard said:
    According to Intel, my Q9550 (Yorkfield) CPU does not, and will not, have updated microcode to fix the vulnerability. now.

    After adding those two entries and rebooting, the PowerShell module Get-SpeculationControlSettings still shows "BTIKernelRetpolineEnabled : False".

    Several different threads on the subject make it sound like even Retpoline requires the Intel updated firmware which is in conflict with most articles that say its a software patch for older CPUs that will not get the updated firmware.

    Can anyone tell me if the MS-installed Google Retpoline sw patch requires new/updated firmware for the Yorkfield CPU? If not, if it indeed is a software-only patch for Spectre & Meltdown, what beyound the two new registry entries do I need to do to enable it?

    Thanks in advance,

    Howard

    I'm afraid that since Intel is not planning to issue an updated microcode for your Q9550 (Yorkfield), the Microsoft KB4465065 cannot add an updated microcode because it doesn't have one.
    Now, regarding Retpoline, it will be applied on an updated microcode to make things a little better at the performance level.
    So to make a long story short, since there is no available microcode update for your CPU, Retpoline cannot be enabled.
    Without being an Intel or Microsoft security expert, that's my opinion.
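    A check script for the two situations in this thread (the registry override pair apparently not taking effect, and BTIKernelRetpolineEnabled and BTIKernelImportOptimizationEnabled disagreeing), added here as an example and not posted by anyone in the thread: it reads the override pair, runs Get-SpeculationControlSettings and reports the BTI fields, and looks for an active Driver Verifier. It assumes, from Microsoft's documentation rather than from this thread, that the two values are FeatureSettingsOverride and FeatureSettingsOverrideMask under the Memory Management key with Retpoline as bit 0x400, and that Driver Verifier records its target list in VerifyDrivers under the same key.

```powershell
# Added example, not from the thread. Assumed (Microsoft documentation, not this
# page): the override pair lives under Memory Management, Retpoline is bit 0x400,
# and Driver Verifier stores its driver list in VerifyDrivers under the same key.
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$RetpolineBit = 0x400

$props    = Get-ItemProperty -Path $mm -ErrorAction SilentlyContinue
$override = [int]($props.FeatureSettingsOverride)      # absent value -> 0
$mask     = [int]($props.FeatureSettingsOverrideMask)

"FeatureSettingsOverride     : 0x{0:X}" -f $override
"FeatureSettingsOverrideMask : 0x{0:X}" -f $mask

# The override bit only counts when it is set in both the value and the mask.
if (($override -band $RetpolineBit) -and ($mask -band $RetpolineBit)) {
    'Registry: Retpoline override (0x400) is requested in both values.'
} else {
    'Registry: Retpoline override (0x400) is NOT requested; set it in both values and reboot.'
}

# Driver Verifier keeps VerifyDrivers populated while it is active; post #14
# reports it forcing BTIKernelImportOptimizationEnabled to False.
if ($props.VerifyDrivers) {
    "Driver Verifier appears active (VerifyDrivers = '$($props.VerifyDrivers)')."
}

# Needs the SpeculationControl module the posters above are already using
# (Install-Module SpeculationControl). The cmdlet prints its report and also
# returns an object; only the BTI fields are summarised here.
$sc = Get-SpeculationControlSettings
"BTIHardwarePresent                 : $($sc.BTIHardwarePresent)"
"BTIDisabledByNoHardwareSupport     : $($sc.BTIDisabledByNoHardwareSupport)"
"BTIWindowsSupportEnabled           : $($sc.BTIWindowsSupportEnabled)"
"BTIKernelRetpolineEnabled          : $($sc.BTIKernelRetpolineEnabled)"
"BTIKernelImportOptimizationEnabled : $($sc.BTIKernelImportOptimizationEnabled)"

if ($sc.BTIKernelRetpolineEnabled -and -not $sc.BTIKernelImportOptimizationEnabled) {
    'Retpoline is on but import optimization is off: check whether Driver Verifier is enabled.'
}
if (-not $sc.BTIHardwarePresent) {
    'No hardware (microcode) BTI support reported; see post #19 for the resulting Retpoline state.'
}
```

    Run it from an elevated PowerShell so the Memory Management key and the cmdlet can both be read.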

  10.    #20

    @ddelo If you have time, I want you to make a test.
    I want you to download the timer resolution tool from here:
    -https://vvvv.org/contribution/windows-system-timer-tool
    And I want you to restart your machine 10 times. Every time you restart your machine, I want you to write down the current timer info, like in the photo, and tell me if it is always 15,625 or a few times 0,500 (and near it).

    [attached image: 1.jpg]

    My powercfg shows 15,625, but the timer resolution tool shows 0.5 many times after I restart my machine.


 