Wednesday, 6 March 2019

Boost Windows 10 Performance with Retpoline Spectre Mitigation

If you are using an AMD processor, or an Intel processor from the Broadwell generation or earlier, you can recover some of the performance lost to Windows 10's Spectre mitigations by enabling the Retpoline mitigation that was recently backported to the Windows 10 October 2018 Update (build 1809).
To mitigate the Spectre vulnerabilities in Windows 10, Microsoft introduced fixes that cost performance, and the cost was most noticeable on older CPUs. To address this, Microsoft has been testing a new mitigation technique called Retpoline in Windows Insider Preview builds since build 18272.
This mitigation has now been backported to Windows 10 October 2018 Update build 1809, but it is being rolled out gradually while Microsoft measures its performance in large-scale public use. If you do not want to wait, you can use the instructions below to enable it immediately on supported processors.
AMD and Intel Broadwell and older CPUs supported
While a full explanation of Retpoline is outside the scope of this article, it is important to note that Retpoline only works when the CPU's Return Stack Buffer (RSB) behaves predictably: the mitigation replaces indirect branches with return instructions, so that the prediction comes from the RSB instead of from the indirect branch predictor that Spectre variant 2 poisons. On AMD processors and on Intel Broadwell and older processors the RSB behaves this way, so the mitigation can be used.
Unfortunately, Intel Skylake and later processors have different RSB behavior in certain situations (when the RSB underflows they fall back to the indirect branch predictor), so Windows will not use Retpoline on these CPUs.
According to Intel, the incompatible CPUs containing this different RSB behavior will have the following Family and Model IDs as part of their CPUID.
You can look up your processor's Family and Model IDs by searching for it in the CPU-World CPU database. If you are unsure what CPU your computer is using, you can check Device Manager or download CPU-Z to view your processor's Family and Model numbers.
For example, my processor is an Intel i7-8700K Coffee Lake processor and you can see that my Family is 6 and my Extended Model is 9E, which makes my processor incompatible with Retpoline in Windows 10.
Enabling Retpoline in Windows 10 Build 1809 and later
Please read this whole section before continuing.
For those who have compatible processors and do not want to wait for Retpoline to be enabled, Microsoft has released information on how to modify the Windows Registry so that you can enable this new mitigation feature.
On Windows 10 Client SKUs:
Open an elevated command prompt.
Execute this command: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0x400
Execute this command: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 0x400
Restart Windows 10.
Alternatively, you can download the retpoline-windows-10-client.reg Registry file and double-click on it to import these entries into the Registry. Then restart Windows 10 to put the new settings into effect.
On Windows 10 Server SKUs:
Open an elevated command prompt.
Execute this command: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0x400
Execute this command: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 0x401
Restart Windows 10 Server.
Alternatively, you can download the retpoline-windows-10-server.reg Registry file and double-click on it to import these entries into the Registry. Then restart Windows 10 Server to put the new settings into effect.
Microsoft has updated their article to indicate that the above Registry commands are for systems with the default mitigation configuration. By default, Microsoft does not enable the SSBD (speculative store bypass disable) mitigation system-wide.
If you have enabled SSBD system-wide, do not simply run the commands above, because they would overwrite the SSBD bit (0x8) in FeatureSettingsOverride. Instead, bitwise OR the Retpoline values above into your existing FeatureSettingsOverride and FeatureSettingsOverrideMask values, as in Microsoft's example below, so that SSBD stays enabled alongside Retpoline. If you have any questions, feel free to ask in the comments.
Below are the notes from Microsoft's article:
Note: The above registry configurations are for customers running with default mitigation settings. In particular, for Server SKUs, these settings will enable Spectre variant 2 mitigations (which are enabled by default on Client SKUs). If it's desirable to enable additional security mitigations on top of Retpoline, then the feature settings values for those features need to be bitwise OR'd into FeatureSettingsOverride and FeatureSettingsOverrideMask.
Example: Feature settings values for enabling SSBD (speculative store bypass) system wide:
FeatureSettingsOverride = 0x8 and FeatureSettingsOverrideMask = 0
To add Retpoline, feature settings value for Retpoline (0x400) should be bitwise OR'd:
FeatureSettingsOverride = 0x408 and FeatureSettingsOverrideMask = 0x400
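The whole procedure above (the CPU check from the previous section, the Client versus Server mask, and the bitwise OR that Microsoft's note calls for when SSBD or other bits are already set) can be done in one script. The following PowerShell is an added example written for this article; it is not Microsoft's code and not the .reg files linked above. It assumes that the Intel model list is only a starting point (0x9E from the example above plus the Skylake and Kaby Lake models 0x4E, 0x5E, 0x55 and 0x8E that I added) and must be completed from Intel's table, that a missing registry value counts as 0 bits, and that ProductType 1 in Win32_OperatingSystem identifies a Client SKU. It writes nothing unless run with -Apply, and -Revert deletes both values, which is what returns Windows to its default mitigation policy.

```powershell
<#
  Added example for this article (not Microsoft's script and not the article's .reg
  files). Checks the CPU, reads the current FeatureSettingsOverride and
  FeatureSettingsOverrideMask values, ORs in the Retpoline bits without clobbering
  bits that are already set (e.g. SSBD = 0x8), and writes them only with -Apply.
  -Revert deletes both values, which returns the OS to its default mitigation policy.
#>
#Requires -RunAsAdministrator
param(
    [switch]$Apply,    # write the computed values (default is a dry run)
    [switch]$Revert    # delete both values instead
)

$RegPath       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$RetpolineBit  = 0x400   # feature-settings bit for Retpoline (Microsoft's value)
$BtiDisableBit = 0x001   # bit 0 set in Override and Mask = Spectre v2 mitigation turned off

# Assumption: Intel Family 6 models with Skylake-style RSB behaviour. 0x9E is the
# article's own example; the others are Skylake/Kaby Lake models I added. Complete the
# list from Intel's table before relying on it.
$IntelIncompatibleModels = @(0x4E, 0x5E, 0x55, 0x8E, 0x9E)

function Get-DwordOrZero([string]$Name) {
    # A missing value means "OS default", which for the OR below is 0 bits set.
    $item = Get-ItemProperty -Path $RegPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { 0 } else { [int]$item.$Name }
}

if ($Revert) {
    foreach ($n in 'FeatureSettingsOverride', 'FeatureSettingsOverrideMask') {
        Remove-ItemProperty -Path $RegPath -Name $n -ErrorAction SilentlyContinue
    }
    'Both values removed; reboot to return to the default mitigation policy.'
    return
}

# 1. CPU check. Win32_Processor.Caption looks like
#    "Intel64 Family 6 Model 158 Stepping 10"; Model is decimal (158 = 0x9E).
$cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
if (-not ($cpu.Caption -match 'Family (\d+) Model (\d+)')) {
    throw "Cannot parse CPU caption: $($cpu.Caption)"
}
$family   = [int]$Matches[1]
$model    = [int]$Matches[2]
$modelHex = '{0:X}' -f $model
"CPU: $($cpu.Name) [$($cpu.Manufacturer) Family $family Model 0x$modelHex]"
if ($cpu.Manufacturer -eq 'GenuineIntel' -and $family -eq 6 -and
    $IntelIncompatibleModels -contains $model) {
    throw "Family 6 Model 0x$modelHex is Skylake or later: Windows will not use Retpoline on it."
}

# 2. SKU check: Server SKUs also need bit 0 in the mask so Spectre v2 is switched on
#    (it is off by default there); Client SKUs already have it on.
$isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1   # 1 = workstation
$maskBits = if ($isServer) { 0x401 } else { 0x400 }

# 3. Compute the new values by OR-ing, so an existing SSBD (0x8) or other bit survives.
$curOverride = Get-DwordOrZero 'FeatureSettingsOverride'
$curMask     = Get-DwordOrZero 'FeatureSettingsOverrideMask'
$newOverride = $curOverride -bor $RetpolineBit
$newMask     = $curMask     -bor $maskBits

if (($newOverride -band $BtiDisableBit) -and ($newMask -band $BtiDisableBit)) {
    Write-Warning 'Bit 0 is set in both values: Spectre v2 mitigation is explicitly disabled, so Retpoline will not be used.'
}

'{0,-28} current=0x{1:X3} new=0x{2:X3}' -f 'FeatureSettingsOverride',     $curOverride, $newOverride
'{0,-28} current=0x{1:X3} new=0x{2:X3}' -f 'FeatureSettingsOverrideMask', $curMask,     $newMask

# 4. Apply only when asked; then reboot and verify with Get-SpeculationControlSettings
#    (Install-Module SpeculationControl) that BTIKernelRetpolineEnabled is True.
if ($Apply) {
    New-ItemProperty -Path $RegPath -Name 'FeatureSettingsOverride'     -PropertyType DWord -Value $newOverride -Force | Out-Null
    New-ItemProperty -Path $RegPath -Name 'FeatureSettingsOverrideMask' -PropertyType DWord -Value $newMask     -Force | Out-Null
    'Values written. Reboot, then check Get-SpeculationControlSettings for BTIKernelRetpolineEnabled : True.'
} else {
    'Dry run only. Re-run with -Apply to write the values.'
}
```

Run it once without switches to see the current and proposed values (on a default Client system this prints 0x000 to 0x400 for both; with SSBD already set it prints 0x008 to 0x408 for FeatureSettingsOverride, matching Microsoft's example), then again with -Apply from an elevated PowerShell.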
Once you have made the appropriate changes and restarted Windows, you can use the Get-SpeculationControlSettings cmdlet from Microsoft's SpeculationControl PowerShell module (available from the PowerShell Gallery) to determine whether Retpoline has been enabled. If it is, the output should include the following lines:
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: True
...
BTIKernelRetpolineEnabled : True
BTIKernelImportOptimizationEnabled : True
...
A word of caution before reverting: FeatureSettingsOverride = 3 with FeatureSettingsOverrideMask = 3 is the value pair Microsoft documents for disabling the Spectre variant 2 and Meltdown mitigations. On a Client SKU, where both mitigations are on by default, these values do not restore the defaults; they switch both mitigations off. To return to the default configuration, delete the FeatureSettingsOverride and FeatureSettingsOverrideMask values from the same key (or put back the values you had before), then restart the computer. The commands below, run from an elevated command prompt followed by a restart, are the ones that disable both mitigations:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Update 3/5/19 8:00 PM EST:
The article was updated with new information Microsoft added about users who enabled SSBD (speculative store bypass) mitigations system wide.
