New
#11
But it isn't response to my question; definitely I know what I am doing
So am I alone who refuse to tolerate serious performance drop (at the cost of implementing of new workflow to maintain security on home systems)?
PowerShell script for CPU information, incl. CPUID
-
-
New #12
That's why I answered the way I did.
Since you do face serious performance issues, it's up to you to evaluate the risks and decide what is best for you i.e performance VS security.
-
New #13
I never saw any performance drop (that I noticed - I didn't benchmark it). I run a lot of VM (mostly in fact).
If I had I'd have done the same as you as I don't really feel Spectre/Meldown is a big issue for me. As a home user I don't have unknown programs running (as far as I can tell obviously) so I don't really care.
I'm not really sure it is a big deal for anyone to be honest (it all seems theoretical) but perhaps I don't understand it well enough.
-
New #14
-
New #15
-
New #16
My answer is that it's your call. Personally, I would accept some (not major) performance degradation, to have peace of mind from these vulnerabilities. But I do not do SQL data processing, not at home at least. I leave that stuff for the Enterprise servers, in a closed, secure environment.
If you're alone? I don't know. Maybe for such heavy home use, if the slowdown is significant like yours, then you disable the mitigations, be extra careful and backup regularly.
-
New #17
As I already wrote above, I don't need neither advices nor opinions, they both have zero value for me. I already decided and I understand consequencies & responsibilities. So please don't continue this way if you can.
I'm only curious whether other people made the same decision as I did. This is my only one question, nothing more. So once again:
-
New #18
muchomurka, I have reverted to BIOS F22 (date of Aug 23 2017) for my Gigabyte GA-Z170X Designare board. I built my machine with top performing parts a couple years ago and had not had any crashes or BSOD, just a very stable, smoking fast computer. I was very disappointed that all of that changed when I flashed the BIOS to F23G, installed the microcode software update from Microsoft and installed the latest Intel Management software. I keep meticulous backups as the previous poster mentioned, but that's not really the main issue. A backup might contain your important data, but it won't help when your passwords and personal sensitive information is out in the wild for the highest bidder, and supposedly you won't even know your data was stolen.
-
-
New #19
Thank you @ddelo.
If they match like on your screenshot does that mean that the BIOS/UEFI uCode is working and in use even if OS patches are also at the 0x2B level? I did the PowerShell speculation script and posted it here b/c do not understand it at all even with the documentation. Sorry this is sort of a cross-post.
My guess is that something like this:
Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: True
Means what can be protected by my BIOS is the latest version and what can be protected by the OS is being protected by the latest version. But what confuses is why is the Windows OS support enabled if there is hardware mitigation present?
Also does CPU-info install any modules or scripts in a directory and if so where? Or is it just the one script on the desktop?
Last the "Set-ExecutionPolicy Bypass -Scope Process –force" just causes that policy for that PowerShell session? When I reopened and did GetList I got:
This is the proper default?Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Undefined
CurrentUser RemoteSigned
LocalMachine Undefined
-
New #20
You're most welcome, Andy!
If BIOS/UEFI microcode revision and Current microcode revision match, it means that the installed update at the BIOS/UEFI level is the same with the one currently running at the OS level. i.e. If you have applied any OS update, this OS update is the same or lower than the one of the BIOS/UEFI, in which case the OS update is discarded.
Hardware support for branch target injection mitigation is present: True
This line tells you if hardware features are present to support the branch target injection mitigation. The device OEM is responsible for providing the updated BIOS/firmware that contains the microcode provided by CPU manufacturers. If this line is True, the required hardware features are present.
Windows OS support for branch target injection mitigation is present: True
This line tells you if Windows operating system support is present for the branch target injection mitigation. If it is True, the operating system supports enabling the branch target injection mitigation (and therefore has installed the appropriate update). Again if the BIOS/UEFI update is later than the available OS update, then OS update is discarded, but at OS level you're protected.
Windows OS support for branch target injection mitigation is enabled: True
This line tells you if Windows operating system support is enabled (if it's present from the previous line) for the branch target injection mitigation. If it is True, hardware support and OS support for the branch target injection mitigation is enabled for the device, thus protecting against CVE-2017-5715.
It's just a script on your Desktop. Nothing is installed anywhere.
Yes, only for this session. (By the -Scope Process switch)
The default settings are the following:
My settings are:
I hope this helps. Cheers. Dimitri
Quote
Related Discussions
