New
#10
Last edited by Polo6RGTI; 06 Aug 2019 at 03:30.
So I applied the "big one" with all the mitigations including disabling HT and I have to say, I hardly notice a performance difference with HT disabled. But what I do notice is that lower priority processes don't eat into the responsiveness of my laptop any more, which is just a 2 core CPU. With HT, priorities didn't matter since windows would just put a low prio thread running on the other logical cpu pertaining to the physical core and cause contention. I'll be leaving HT off
I'm uncertain what to do here. I thought I had enabled most of these security options. Under the registry key Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, I have the following settings for an Intel CPU:
FeatureSettingsOverride = 400 hex
FeatureSettingsOverrideMask = 400 hex
My security report is below. Is there anything to fix?
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID performance optimization is enabled: False [not required for security]
Speculation control settings for CVE-2018-3639 [speculative store bypass]
Hardware is vulnerable to speculative store bypass: True
Hardware support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is enabled system-wide: False
Speculation control settings for CVE-2018-3620 [L1 terminal fault]
Hardware is vulnerable to L1 terminal fault: True
Windows OS support for L1 terminal fault mitigation is present: True
Windows OS support for L1 terminal fault mitigation is enabled: True
Speculation control settings for MDS [microarchitectural data sampling]
Windows OS support for MDS mitigation is present: True
Hardware is vulnerable to MDS: True
Windows OS support for MDS mitigation is enabled: False
Suggested actions
* Follow the guidance for enabling Windows Client support for speculation control mitigations described in https://support.microsoft.com/help/4073119
BTIHardwarePresent : True
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : True
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : False
BTIKernelRetpolineEnabled : True
BTIKernelImportOptimizationEnabled : True
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled : False
SSBDWindowsSupportPresent : True
SSBDHardwareVulnerable : True
SSBDHardwarePresent : True
SSBDWindowsSupportEnabledSystemWide : False
L1TFHardwareVulnerable : True
L1TFWindowsSupportPresent : True
L1TFWindowsSupportEnabled : True
L1TFInvalidPteBit : 45
L1DFlushSupported : True
MDSWindowsSupportPresent : True
MDSHardwareVulnerable : True
MDSWindowsSupportEnabled : False
It looks normal.
MDS mitigation requires a new microcode update from Intel, which Microsoft is currently only providing for Windows 10 v1903 and Enterprise users of some older versions of Windows 10.
System-wide mitigation against speculative store bypass (SSB) is disabled by default on most computers.
And I think PCID performance optimization is only for Haswell and newer processors.
Last edited by Ground Sloth; 27 May 2019 at 09:52.
Just out of curiosity, has anyone found a source that says which features each of the "Features Settings" bits represents?
; FeatureSettingsOverride values:
; 400+ =Retpoline enabled (Intel only; Broadwell and earlier) +bitwise OR with values 8 and lower
; 72 = Enable All (Speculative Store Bypass together with Spectre Variant 2)(AMD)
; 64 = Enable Spectre Variant 2 (AMD)
; 8 = Enable All (Speculative Store Bypass together with Spectre Variant 2 and Meltdown)
; 3 = Disable both Spectre Variant 2 and Meltdown
; 2 = Disable Meltdown (Kernel VA Shadow)
; 1 = Disable Spectre Variant 2 (Branch Target Injection)
; 0 = Enable Spectre Variant 2 and Meltdown
;
; FeatureSettingsOverrideMask value is always 3 (unless Retpoline enabled then is 400)