Forum Discussion
Windows Update and security fixes.
Hello,
Thank you for your test and explanation.
I have done some tests on my own personal computer with a newly installed Windows 10 1909 build on an AMD CPU.
- CVE-2017-5715 (Spectre Variant 2) mitigation is now applied by default.
- CVE-2018-3639 (Speculative Store Bypass) mitigation is still not applied by default.
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: False
Speculation control settings for CVE-2018-3639 [speculative store bypass]
Hardware is vulnerable to speculative store bypass: True
Hardware support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is enabled system-wide: False
Speculation control settings for CVE-2018-3620 [L1 terminal fault]
Hardware is vulnerable to L1 terminal fault: False
Speculation control settings for MDS [microarchitectural data sampling]
Windows OS support for MDS mitigation is present: True
Hardware is vulnerable to MDS: False
BTIHardwarePresent : True
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : True
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : False
BTIKernelRetpolineEnabled : True
BTIKernelImportOptimizationEnabled : True
KVAShadowRequired : False
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False
SSBDWindowsSupportPresent : True
SSBDHardwareVulnerable : True
SSBDHardwarePresent : True
SSBDWindowsSupportEnabledSystemWide : False
L1TFHardwareVulnerable : False
L1TFWindowsSupportPresent : True
L1TFWindowsSupportEnabled : False
L1TFInvalidPteBit : 0
L1DFlushSupported : False
MDSWindowsSupportPresent : True
MDSHardwareVulnerable : False
MDSWindowsSupportEnabled : False
Same results as you.
The question is, for sensitive PCs that need to have “SSBDWindowsSupportEnabledSystemWide” activated, how do we do this? If VBS (virtualization-based security) is running, do we now have to understand that Hyper-V is installed for the 1909 build? I don’t think so, even if Windows Server has some specific additional lines for Hyper-V on AMD, but Windows 10 on an Intel-based CPU has to deal with this choice.
Link for Servers:
To my understanding, we just need to add these two lines for AMD:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
And for an Intel-based CPU with only VBS activated, do we have to take into account whether Hyper-V is installed or not?
If you are using VBS, with or without Hyper-V virtual machines, you can only mitigate L1TF/MDS fully if you disable hyper-threading (SMT). You have to do this either in firmware or via registry (firmware is preferable). There is no way around this. If you use VBS and have hyper-threading enabled, VBS secrets will be vulnerable to L1TF and MDS exploits.
Hyper-V itself does not need special attention on a client. If you have Windows Server 2016 Hyper-V, you should enable the core scheduler for Hyper-V.
If you have to enable all mitigations, with no regard for performance, use the following settings (they work the same for Intel and AMD CPUs, and need current microcode for the CPU):
Set the following registry keys:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
If you are using VBS and/or WDAG:
- Disable SMT/HT in firmware
- If you can't disable SMT/HT in firmware, use the following registry keys instead:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8264 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
If you are using Hyper-V on Windows Server 2016:
- Enable core scheduler and set all your VMs to utilize SMT:
bcdedit /set hypervisorschedulertype core
Set-VMProcessor -VMName <VMName> -HwThreadCountPerCore 2
- If you use VMs older than 8.0 (this is needed for WS2019 as well if you use old VM configurations):
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
Xavier_2020 (Copper Contributor), Feb 04, 2020
@dretzer Thank you, dretzer.
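The two questions in this thread (how to turn on SSBD system-wide, and how to confirm it afterwards) come down to writing the FeatureSettingsOverride / FeatureSettingsOverrideMask pair from dretzer's reply and re-checking with Get-SpeculationControlSettings after a reboot. The following script is an added example, not code from the original thread or from Microsoft: it reads the current pair, matches it against the value pairs quoted above (0/3, 8/3, 72/3, 8264/3; the profile names are an assumption of this example, not Microsoft's), writes a chosen pair the same way `reg add /f` does, and queries the SpeculationControl module if it is installed. It assumes an elevated PowerShell session and that the SpeculationControl module (`Install-Module SpeculationControl`) is available for the final check.

```powershell
# Added example (not from the original thread). Inspect and set the
# FeatureSettingsOverride / FeatureSettingsOverrideMask values used by the
# reg add commands above. Run elevated; reboot before re-checking.

$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# Value pairs as quoted in the thread / Microsoft guidance. Profile names are
# this example's own labels, not a Microsoft vocabulary.
$MitigationProfiles = [ordered]@{
    'spectre-meltdown' = @{ Override = 0;    Mask = 3 }  # BTI + KVA shadow mitigations only
    'plus-ssbd'        = @{ Override = 8;    Mask = 3 }  # adds Speculative Store Bypass Disable
    'all-keep-ht'      = @{ Override = 72;   Mask = 3 }  # adds L1TF/MDS mitigations, HT stays on
    'all-disable-ht'   = @{ Override = 8264; Mask = 3 }  # same, plus HT disabled by the OS
}

function Resolve-MitigationProfile([Nullable[int]]$Override, [Nullable[int]]$Mask) {
    # Map a value pair back to one of the known profiles; anything else is reported as custom.
    if ($null -eq $Override -or $null -eq $Mask) { return 'not set (OS default applies)' }
    foreach ($name in $MitigationProfiles.Keys) {
        $p = $MitigationProfiles[$name]
        if ($p.Override -eq $Override -and $p.Mask -eq $Mask) { return $name }
    }
    return "custom (Override=$Override Mask=$Mask)"
}

function Get-MitigationOverride {
    # Absent values come back as $null: the OS default for this edition is in effect.
    $props = Get-ItemProperty -Path $MemMgmtKey -ErrorAction Stop
    [pscustomobject]@{
        Override = $props.FeatureSettingsOverride
        Mask     = $props.FeatureSettingsOverrideMask
        Profile  = Resolve-MitigationProfile -Override $props.FeatureSettingsOverride `
                                             -Mask $props.FeatureSettingsOverrideMask
    }
}

function Set-MitigationProfile {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('spectre-meltdown', 'plus-ssbd', 'all-keep-ht', 'all-disable-ht')]
        [string]$Name
    )
    $p = $MitigationProfiles[$Name]
    # New-ItemProperty -Force creates or overwrites the DWORD, like `reg add ... /f`.
    New-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverride `
        -PropertyType DWord -Value $p.Override -Force | Out-Null
    New-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverrideMask `
        -PropertyType DWord -Value $p.Mask -Force | Out-Null
    Write-Warning 'Reboot required before Get-SpeculationControlSettings reflects the change.'
    Get-MitigationOverride
}

function Test-SpeculationControl {
    # Uses Microsoft's SpeculationControl module if present; -Quiet returns the object only.
    if (-not (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue)) {
        Write-Warning 'SpeculationControl module not found: Install-Module SpeculationControl'
        return $null
    }
    $s = Get-SpeculationControlSettings -Quiet
    [pscustomobject]@{
        SSBDEnabledSystemWide = $s.SSBDWindowsSupportEnabledSystemWide
        KVAShadowEnabled      = $s.KVAShadowWindowsSupportEnabled
        L1TFEnabled           = $s.L1TFWindowsSupportEnabled
        MDSEnabled            = $s.MDSWindowsSupportEnabled
    }
}

# Usage (elevated):
#   Get-MitigationOverride                        # what is set right now
#   Set-MitigationProfile -Name all-keep-ht       # the 72 / 3 pair from the reply above
#   Set-MitigationProfile -Name all-disable-ht    # the 8264 / 3 pair (VBS/WDAG, no firmware SMT control)
#   Restart-Computer; then Test-SpeculationControl
```

The profile table is a whole-value match on purpose: Microsoft publishes these registry settings as complete value pairs, so the script does not try to decode individual bits of FeatureSettingsOverride. Note that on a VBS host the 72 / 3 pair leaves hyper-threading on, which is exactly the case the reply above says leaves VBS secrets exposed to L1TF/MDS; use the 8264 / 3 pair or disable SMT in firmware for that host.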