Windows 10 V1809: Enable Retpoline Spectre V2 Protection


Ceumar Franco

Jan 25, 2024, 5:52:11 PM
to ranphafullthrif

The Spectre and Meltdown vulnerabilities discovered in January 2018 showed that weaknesses in CPUs were a potential attack vector. They allow a rogue process to read memory without authorization. Patches were rolled out along with bios updates from the manufacturer, but they came with a costly side effect: They degraded performance, especially on systems with older CPUs. Microsoft enabled the protections by default on workstations, but not on server platforms.

You will then need to decide whether to enable the protections. Because of the performance hits, Microsoft has enabled the protection on workstations by default, but left the decision up to you on server platforms. To enable (or disable) these protections on workstations, follow the guidance provided by Microsoft in KB4073119. To enable these protections on Windows Server platforms, follow the guidance in KB4072698. You may want to review various tech sites for the tested performance hits after the patches have been installed.

Make the following registry settings to enable these MDS protections (CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130). You can also use these settings for Spectre (CVE-2017-5753 and CVE-2017-5715), Meltdown (CVE-2017-5754), and variants including Speculative Store Bypass Disable (SSBD) (CVE-2018-3639) and L1 Terminal Fault (L1TF) (CVE-2018-3615, CVE-2018-3620 and CVE-2018-3646) without disabling hyper-threading:

After about two hours of digging I found a somewhat simple solution to this problem; however, there is a caveat. The problem arises because Microsoft enabled something called "retpoline" by default via a recent cumulative update. Retpoline is a Spectre Variant 2 mitigation developed by Google which aims to provide Spectre V2 mitigation without performance degradation. I don't know the technical details of why this mitigation disallows installation of the AHCI virtual device driver. Here are the steps I took to get the Alcohol 120% virtual device working again on my fully updated (as of June 2019) Windows 10 v1809 system:

What does all this mean for performance though? Well, according to Microsoft and its internal testing, the company saw approximately 25% faster Microsoft Office application startup times and a 1.5- to 2-times increase in storage and networking performance, which is a notable improvement post-Spectre 2 patches. They also claimed that the performance impact has been "reduced to noise level for most situations." If you are running Windows Insider Preview 18272 or later on supporting hardware, the retpoline optimizations should already be turned on for you (you can double-check with the PowerShell cmdlet Get-SpeculationControlSettings), and if you are running Windows 10 1809 or later, the optimizations will be enabled within the first half of this year in a phased rollout.

To be honest I cannot tell if the performance issues will be gone as soon as the premium trial expires, because all machines tested have a premium subscription active. I could imagine that a certain module is causing the performance troubles - you'll certainly remember the Win7 incident some months ago.
At least in Premium (trial) the issues will be reproducible for me. On all machines there is full Spectre / Spectre NG protection enabled and Retpoline. This includes one setting that is not enabled in 1903 by default, such as SSBD.

UPDATED ON NOVEMBER 12, 2019 On November 12, 2019, Intel published a technical advisory around Intel Transactional Synchronization Extensions (Intel TSX) Transaction Asynchronous Abort vulnerability that is assigned CVE-2019-11135. Microsoft has released updates to help mitigate this vulnerability and the OS protections are enabled by default for Windows Server 2019 but disabled by default for Windows Server 2016 and earlier Windows Server OS editions.

By default, user-to-kernel protection for CVE-2017-5715 is disabled for AMD CPUs. Customers must enable the mitigation to receive additional protections for CVE-2017-5715. For more information, see FAQ #15 in ADV180002.

To help customers verify that protections are enabled, Microsoft has published a PowerShell script that customers can run on their systems. Install and run the script by running the following commands.

UPDATED ON NOVEMBER 12, 2019 On November 12, 2019, Intel published a technical advisory around Intel Transactional Synchronization Extensions (Intel TSX) Transaction Asynchronous Abort vulnerability that is assigned CVE-2019-11135. Microsoft has released updates to help mitigate this vulnerability and the OS protections are enabled by default for Windows Client OS Editions.

By default, user-to-kernel protection for CVE-2017-5715 is disabled for AMD and ARM CPUs. Customers must enable the mitigation to receive additional protections for CVE-2017-5715. For more information, see FAQ #15 in ADV180002 for AMD processors and FAQ #20 in ADV180002 for ARM processors.

Clearly, since it affected both a Fedora 29 VM and a CentOS 7 VM, this problem has nothing to do with the OSes themselves (i.e. it is unlikely to be vmtools-dependent). Given that the recent Windows updates have focused on Spectre/Meltdown/retpoline, I'm guessing some big glitch was introduced at a low level.

In addition, it provides protections against a subclass of speculative execution side-channel vulnerability known as Speculative Store Bypass (CVE-2018-3639) for AMD-based computers. These protections are not enabled by default in the update. To turn the protections on after installing the update, follow the instructions in KB4073119. For Windows Server guidance, follow the instructions in KB4072698. Additionally, IT staff should follow the mitigations that have already been released for Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754).

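The post above names the registry-based enablement (KB4073119) and the verification script (the SpeculationControl module) but shows neither. The following PowerShell is an added example, not code from the original post or from Microsoft: it writes the FeatureSettingsOverride / FeatureSettingsOverrideMask pair that KB4073119 documents for enabling the MDS, L1TF, SSBD, Spectre and Meltdown mitigations without disabling Hyper-Threading (72 and 3), confirms the write, then reads back the mitigation state with Get-SpeculationControlSettings. The helper names Get-MitigationOverride and Set-MitigationOverride are this example's own; the registry path, value names and the module's property names are the documented ones. Run it elevated; the new override only takes effect after a reboot.

```powershell
# Added example (not from the original post). Applies the KB4073119 values for
# "MDS ... without disabling Hyper-Threading" and verifies with SpeculationControl.
#Requires -RunAsAdministrator

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# Values documented in KB4073119 for enabling MDS/L1TF/SSBD/Spectre/Meltdown
# mitigations while keeping Hyper-Threading on.
$override = 72    # 0x48
$mask     = 3

function Get-MitigationOverride {
    # Helper (this example's own): current override/mask pair, 0 when absent.
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FeatureSettingsOverride     = [int]($p.FeatureSettingsOverride)
        FeatureSettingsOverrideMask = [int]($p.FeatureSettingsOverrideMask)
    }
}

function Set-MitigationOverride {
    # Helper (this example's own): write both DWORDs and confirm they persisted.
    param([int]$Override, [int]$Mask)
    $before = Get-MitigationOverride
    Write-Host ("Before: Override={0} Mask={1}" -f $before.FeatureSettingsOverride, $before.FeatureSettingsOverrideMask)
    New-ItemProperty -Path $key -Name FeatureSettingsOverride     -PropertyType DWord -Value $Override -Force | Out-Null
    New-ItemProperty -Path $key -Name FeatureSettingsOverrideMask -PropertyType DWord -Value $Mask     -Force | Out-Null
    $after = Get-MitigationOverride
    if ($after.FeatureSettingsOverride -ne $Override -or $after.FeatureSettingsOverrideMask -ne $Mask) {
        throw 'Registry write did not persist; mitigations will not change.'
    }
    Write-Host ("After:  Override={0} Mask={1} (reboot required to apply)" -f $Override, $Mask)
}

Set-MitigationOverride -Override $override -Mask $mask

# Verification with Microsoft's SpeculationControl module (PowerShell Gallery).
if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl
$s = Get-SpeculationControlSettings -Quiet

# Properties of interest as emitted by the module. Before the reboot these
# reflect the running kernel's state, not the value just written; afterwards
# the SSBD and MDS entries should read True on supported hardware/microcode,
# and BTIKernelRetpolineEnabled shows whether retpoline is active for V2.
$s | Select-Object BTIWindowsSupportEnabled, BTIKernelRetpolineEnabled,
                   KVAShadowWindowsSupportEnabled, SSBDWindowsSupportEnabledSystemWide,
                   L1TFWindowsSupportEnabled, MDSWindowsSupportEnabled | Format-List
```

To revert, write 3 / 3 (disable Spectre V2 and Meltdown mitigations) or 0 / 3 (the client default) to the same two values, as KB4073119 describes, and reboot; compare the Get-SpeculationControlSettings output before and after to confirm the change actually landed.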