Is there a complete, easy, detailed, step-by-step tutorial of "enable and verify Retpoline"?
Your output looks just fine.
If you want to install KB4465065, get it from Microsoft Update Catalog and install it.
Regarding "Windows OS support for speculative store bypass disable is enabled system-wide: False", if you haven't previously installed any Microsoft-provided microcode updates it's absolutely normal for it to be false. In any case there is a lot of discussion that this should stay false, as its enablement has serious performance impact. Unfortunately I can't verify it, as I have never installed MS microcode updates, since I was lucky enough to get the appropriate, Intel-suggested microcode through a BIOS update from HP, my laptop manufacturer.
I have the KB4465065 installed (2/6/2019) and all up to date 1809 with this retpoline patch, and my line "Windows OS support for speculative store bypass disable is enabled system-wide: False" is also false. I also enabled retpoline with reg values 400 for both FeatureSettingsOverride and FeatureSettingsOverrideMask.
I did some performance testing and the best is with retpoline on, at least with Cinebench 20.
Here is my output, FWIW.
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID performance optimization is enabled: False [not required for security]
Speculation control settings for CVE-2018-3639 [speculative store bypass]
Hardware is vulnerable to speculative store bypass: True
Hardware support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is enabled system-wide: False
Speculation control settings for CVE-2018-3620 [L1 terminal fault]
Hardware is vulnerable to L1 terminal fault: True
Windows OS support for L1 terminal fault mitigation is present: True
Windows OS support for L1 terminal fault mitigation is enabled: True
BTIHardwarePresent : True
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : True
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : False
BTIKernelRetpolineEnabled : True
BTIKernelImportOptimizationEnabled : True
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled : False
SSBDWindowsSupportPresent : True
SSBDHardwareVulnerable : True
SSBDHardwarePresent : True
SSBDWindowsSupportEnabledSystemWide : False
L1TFHardwareVulnerable : True
L1TFWindowsSupportPresent : True
L1TFWindowsSupportEnabled : True
L1TFInvalidPteBit : 45
L1DFlushSupported : True
I was very surprised by the results, as I had both Spectre/Meltdown disabled with InSpectre, but all patched up. So I wanted to see what the hit was with the new retpoline patch, so I enabled it and tested.
I ran CB20 three times and averaged the results in each of the 3 tests.
So I ran CB20, I got repeatable
1) Spectre/meltdown disabled 1387
2) Spectre/meltdown enabled 1390
3) Retpoline enabled 1393-98
So I got the best with Retpoline enabled.
I expected the first test to be best but it wasn't. Now, other BMs show nil difference; this was one popular one I happened to have, and I got an improvement along with repeatable results (a BM is no good if each run is like 5% delta).
Thank you for your test results. They don't show an overwhelming performance improvement, but it's better than before.
Of course your result beat the Microsoft statement about great performance improvement, as they conclude in their "Mitigating Spectre variant 2 with Retpoline on Windows" post. On the other hand they clearly state "When all relevant kernel-mode binaries are compiled with retpoline", which is practically impossible in the real world, as there will always be drivers not compiled with Retpoline… but well...
Conclusion
Retpoline has significantly improved the performance of the Spectre variant 2 mitigations on Windows. When all relevant kernel-mode binaries are compiled with retpoline, we’ve measured ~25% speedup in Office app launch times and up to 1.5-2x improved throughput in the Diskspd (storage) and NTttcp (networking) benchmarks on Broadwell CPUs in our lab. It is enabled by default in the latest Windows Client Insider Fast builds (for builds 18272 and higher on machines exposing compatible speculation control capabilities) and is targeted to ship with 19H1.
Last edited by ddelo; 13 Mar 2019 at 02:57.
The only thing that you might want to do, from your output from the Get-SpeculationControlSettings script, is to enable the following two entries:
Code:
BTIKernelRetpolineEnabled : False
BTIKernelImportOptimizationEnabled : False
From what I saw in your specs you have an Intel i7-8700.
According to Intel your CPU cannot use Retpoline.
So that leaves you to at least enable BTIKernelImportOptimizationEnabled.
If you want to do that, just make the two registry changes proposed in the Windows Kernel Internals blog post.
It has been reported previously in this thread that by doing that you do get some performance improvement.
Either way, what I understood from the Microsoft blog is that, even if you don't do it now, at some point in time it will be automatically done by a future Windows Update. Now the if's, when's and how's, as always, are up to Microsoft!
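A read-only way to check the state discussed in this thread, as an added example that is not part of any post: it interprets the BTI fields of the Get-SpeculationControlSettings object together with the two override values mentioned above. Assumptions: the SpeculationControl module is installed, the thread's "400" means hex 0x400, and the override values live under the Memory Management key named in Microsoft's guidance (the thread does not give the path); `Test-RetpolineState` is a hypothetical helper name.

```powershell
# Added example: read-only. Nothing here writes to the registry.
# Assumption: Get-SpeculationControlSettings returns the object whose
# properties (BTIKernelRetpolineEnabled, ...) are printed in the thread.
function Test-RetpolineState {
    param(
        [Parameter(Mandatory)] $Settings,  # Get-SpeculationControlSettings object
        $Override,                         # FeatureSettingsOverride, $null if absent
        $OverrideMask                      # FeatureSettingsOverrideMask, $null if absent
    )
    $bit = 0x400  # assumption: the thread's "400" means hex 0x400
    $regSet = (($Override -band $bit) -ne 0) -and (($OverrideMask -band $bit) -ne 0)
    $verdict = if (-not $Settings.BTIWindowsSupportEnabled) {
        'Spectre v2 mitigation is off, so Retpoline is not in use'
    } elseif ($Settings.BTIKernelRetpolineEnabled -and
              $Settings.BTIKernelImportOptimizationEnabled) {
        'Retpoline and import optimization are both active'
    } elseif ($Settings.BTIKernelImportOptimizationEnabled) {
        'Import optimization only; Retpoline itself is not active'
    } elseif ($regSet) {
        'Override bits set but not active: check reboot, CPU and build'
    } else {
        'Neither is active and the override bits are not set'
    }
    [pscustomobject]@{
        RetpolineEnabled          = [bool]$Settings.BTIKernelRetpolineEnabled
        ImportOptimizationEnabled = [bool]$Settings.BTIKernelImportOptimizationEnabled
        OverrideBitsSet           = $regSet
        SsbdSystemWide            = [bool]$Settings.SSBDWindowsSupportEnabledSystemWide
        Verdict                   = $verdict
    }
}

# Registry location of the two override values (read only here).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
$settings = if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-SpeculationControlSettings
} else {
    # Constructed sample mirroring the values posted above, for offline runs
    [pscustomobject]@{ BTIWindowsSupportEnabled = $true; BTIKernelRetpolineEnabled = $true
        BTIKernelImportOptimizationEnabled = $true; SSBDWindowsSupportEnabledSystemWide = $false }
}
Test-RetpolineState -Settings $settings -Override $reg.FeatureSettingsOverride `
    -OverrideMask $reg.FeatureSettingsOverrideMask | Format-List
```

Run it from an elevated PowerShell session after a reboot, since the kernel reads the override values at boot.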