Enable Retpoline to mitigate Spectre variant 2 (CVE-2017-5715)
-
@
ddelo If u have time i want from you too make a test
I want u to download the timer resolution from here:
-https://vvvv.org/contribution/windows-system-timer-tool
And i want to restart you machine 10 times. Every time you restart your machine i i want from you to write down the
current timer info like the photo and tell me if is always 15,625 or a few times 0,500 (and near it).
My power cfg shows 15,625 but the timer resolution tool 0.5 many times after i restart my machine.
Hi Bampi,
Are you watching me?.....
I was playing around with the powercfg report in Powershell, last week, but to be honest I never saw the timer interrupt thingy...
I'll definitely test what you said, but I want some time, since I just got back my laptop from a repair and I need to set things back to normal!
I'll send you my results the soonest possible.
P.S. You had to put the image in Greek ehhh.....? With these damn translations that I don't understand.
Although born and raised in Athens, I studied Computer Science at UofT in Toronto and I have difficulty understanding the Greek translation of the computer jargon. But I'll manage. After all it's my mother tongue!
Take care man. I'll be back in a couple of days with the results.
Last edited by ddelo; 14 Apr 2019 at 04:01.
-
-
@boombastik
As requested, here are the results:
I run the test (as you described it) more than 15 times and the results were identical every time!
The image below is the outcome of the last test (the 15th), which is exactly the same with the other 14.
Please note that the tests were performed on Windows 10 Pro x64, v. 1809 17763.437
What I don't understand, after reading the tech blog of Bruce Dawson, is why powercfg reports current timer resolution of 15.625ms (every single time), whereas both Sysinternals clockres and TimerTool always report it as 0.499ms.
Hope you can shed some light on this...
-
@ddelo Open the CPUz latest version 1.88. In the section tools it have the timers options. Run it for 200 sec and post the results.
-
-
@
ddelo Open the CPUz latest version 1.88. In the section tools it have the timers options. Run it for 200 sec and post the results.
Here it its:
What does that tell us?
ACPI (Advanced Configuration and Power Interface) = QPC (QueryPerformanceCounter) = RTC (Real Time Clock)…. they're the same. And..?
What does that mean with regards to my question, for the difference in current timer resolution between powercfg and TimerTool/Clockres?
-
clockres detects kernel and non-kernel timer interrupts. powercfg only detects non-kernel timer interrupts. So a kernel driver built in Microsoft change it and forget to change it back. I dont know for sure but that seems a bug. U may use feedback option in Microsoft and tell about it. I have seen only in haswell and broadwell pcs. Send also your picture that posted here. I have already posted it in feedback but more are better And you may write it better as you know better english.
For the cpuz i asked because i wanted to see if u have rtc drifting it has nothing to do with timer resolution.
-
clockres detects kernel and non-kernel timer interrupts. powercfg only detects non-kernel timer interrupts. So a kernel driver built in Microsoft change it and forget to change it back. I dont know for sure but that seems a bug. U may use feedback option in Microsoft and tell about it. I have seen only in haswell and broadwell pcs. Send also your picture that posted here. I have already posted it in feedback but more are better And you may write it better as you know better english.
For the cpuz i asked because i wanted to see if u have rtc drifting it has nothing to do with timer resolution.
Thanks a lot for the explanation Bampi!
So the actual timer resolution is the one presented by Russinovich (clockres).
The good thing is that none of my installed apps and drivers changes the timer resolution!
On the other hand, MS either by mistake or in purpose change the kernel timer interval to 0.5ms...I will post it in feedback to see if we get any reaction (I seriously doubt it, but it won't hurt trying!)
Last edited by ddelo; 04 Jun 2019 at 04:41.
-
So stupid question. I have applied 1809 updates and Retpoline is enabled, but I notice when I run Get-SpeculationControlSettings the SSBDWindowsSupportEnabledSystemWide: is False. The only way for me to get this to True, is to change the below registry entries, which were the original fix. So if I am reading this right, with Retpoline enabled, this SHOULD be false?
To enable mitigations for CVE-2018-3639 (Speculative Store Bypass), default mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown):
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
-
@ddelo the timer resolution fixed in new windows? can u test?
-
-
@
ddelo the timer resolution fixed in new windows? can u test?
Fix what....?
Mine was ACPI (Advanced Configuration and Power Interface) = QPC (QueryPerformanceCounter) = RTC (Real Time Clock), in v1809
and still is in 1903.
-
So stupid question. I have applied 1809 updates and Retpoline is enabled, but I notice when I run Get-SpeculationControlSettings the SSBDWindowsSupportEnabledSystemWide: is False. The only way for me to get this to True, is to change the below registry entries, which were the original fix. So if I am reading this right, with Retpoline enabled, this SHOULD be false?
To enable mitigations for CVE-2018-3639 (Speculative Store Bypass), default mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown):
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Hi and welcome to TenForums
First things first... stupid question is only the one that hasn't been asked....
Second, Microsoft Cumulative Update KB4494441 (OS Build 17763.503), enables “Retpoline” by default if Spectre Variant 2 (CVE-2017-5715) is enabled. In other words, Retpoline is enabled by default, in Clent SKUs with a Retpoline capable CPU, without the need to alter the Registry in any way!
So if you want SSBDWindowsSupportEnabledSystemWide to be True, yes you need to add the two registry entries with the values 8 and 3.
You can read about it here
In my system, I haven't added the two registry entries which results to SSBDWindowsSupportEnabledSystemWide not enabled (=False). That's my choice though and I cannot suggest to anyone that it's the correct one!