Massive security hole in CPU's incoming? Official Meltdown/Spectre Discussion Thread

Page 25 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.

LTC8K6

Lifer
Mar 10, 2004
28,520
1,575
126
Intel said the first chips with hardware mitigation will be released in 2018. They have already known about it for 7 months, so definitely possible.
I would guess that the new chips are simply a different architecture from all the previous chips, which were based off the same architecture? The lack of vulnerability is probably a coincidence of the new architecture.
 

LTC8K6

Lifer
Mar 10, 2004
28,520
1,575
126
Warning

Customers who only install the Windows January 2018 security updates will not receive the benefit of all known protections against the vulnerabilities. In addition to installing the January security updates, a processor microcode, or firmware, update is required. This should be available through your device manufacturer.


Note Surface customers will receive a microcode update via Windows update.

So where do we get the processor microcode update from? I doubt ASUS is going to provide an update for the prebuilt system on my desk that's a few years old.
 

jpiniero

Lifer
Oct 1, 2010
14,599
5,218
136
BTW, the Meltdown hit should be more severe on Intel chips that don't have PCID enabled, which appears to be added in Haswell. And at least on Windows for the time being you still have to enable it manually because it breaks Anti-Virus.
 

Despoiler

Golden Member
Nov 10, 2007
1,966
770
136
BTW, the Meltdown hit should be more severe on Intel chips that don't have PCID enabled, which appears to be added in Haswell. And at least on Windows for the time being you still have to enable it manually because it breaks Anti-Virus.

I posted a status list for AV compatibility several pages back.
https://docs.google.com/spreadsheet...tckQxYiuirADzf3cL42FQ/htmlview?sle=true#gid=0

BTW the megathread on r/sysadmin is really helpful.
https://www.reddit.com/r/sysadmin/comments/7o39et/meltdown_spectre_megathread/
 

coercitiv

Diamond Member
Jan 24, 2014
6,201
11,903
136
Intel said the first chips with hardware mitigation will be released in 2018. They have already known about it for 7 months, so definitely possible.
The only thing they can do in 6 months from discovery to silicon is physically disabling features. That's hardly better than software containment. Unless it's been significantly more than 6 months ;)
 

Genx87

Lifer
Apr 8, 2002
41,095
513
126
Sorry to post this here but I just don't know what I'm doing on this. How do I get the PowerShell commands to work? I basically get an Invalid Command when trying to execute them? This is on Windows 7 - 64 bit. I've never run PowerShell before. If I need to move this request to another post/ forum, please accept my apology.

Edit: Now I get a popup box asking me what I want to open "Install-Module" with. Something not right about this. What a disaster....

Edit #2: Nevermind - I'll just wait for something easier to be published that just works.


Go to this site to install module.
https://www.powershellgallery.com/packages/SpeculationControl/1.0.0

This site to install and run.
https://support.microsoft.com/en-us...ive-execution-side-channel-vulnerabilities-in
 

Engineer

Elite Member
Oct 9, 1999
39,234
701
126

IEC

Elite Member
Super Moderator
Jun 10, 2004
14,330
4,918
136
Don't forget you will need the corresponding Intel microcode update from your board manufacturer via BIOS/UEFI update as well, in addition to the OS patch(es). One that may not be coming any time soon on older boards, if ever.
 
Feb 4, 2009
34,576
15,789
136
This is what I'm most curious about: what CPUs will Intel be selling in 2019 that have been purposely built to avoid this vulnerability? Why would Intel's next gen arch be designed to be immune to this exploit path considering Intel has just become aware of it? :)

Given I'm a complete amateur I'd guess Intel will disable the pre-fetch thing and add clock speed or something that will make up the difference.
 

Mockingbird

Senior member
Feb 12, 2017
733
741
106
GREAT, no wonder our users complain about the slowdown, and maybe magnified because we use VM.

The problem with EPYC is the low frequency, we need that MHz, because our server is used for thin-client too.

Oh well, we will just wait a little while, just hope Intel can get their shit together, this slowdown is annoying.

Well, you are in luck.

The Gigabyte X399 DESIGNARE EX and Gigabyte X399 AORUS Gaming 7 are server class motherboards (with ECC support) for Ryzen Threadripper.
 

Engineer

Elite Member
Oct 9, 1999
39,234
701
126
Don't forget you will need the corresponding Intel microcode update from your board manufacturer via BIOS/UEFI update as well, in addition to the OS patch(es). One that may not be coming any time soon on older boards, if ever.

Yeah, that's going to be a problem for older boards or ones like mine that have a hacked BIOS (Microcode addition) to allow certain chips to run. I hacked my Biostar board from many years ago to allow a Xeon 1230V3 (IIRC) to run on it. Socket was right but didn't support the chip until I inserted the Microcode and flashed. I'm sure Biostar won't be fixing that, LOL.
 

LTC8K6

Lifer
Mar 10, 2004
28,520
1,575
126
Thanks. I'll look at it when I get home. Got frustrated and quit last night, lol!

Edit: It would appear that my PowerShell version is old, hence the issues I'm having. I'll update that to 5.1 tonight and try again. Thanks
I can't get the Powershell check to work no matter what I try, and I have 5.1.1 ?
 

Engineer

Elite Member
Oct 9, 1999
39,234
701
126
I can't get the Powershell check to work no matter what I try, and I have 5.1.1 ?

I'll check mine when I get home but it was opening the dialog box up when I did the "Install-Module" command asking me what I want to open "Install-Dialog" with (listed common programs like Notepad, Word, Internet Explorer, etc)?!? They need to come up with a simple utility to do this stuff for the masses.
 

LTC8K6

Lifer
Mar 10, 2004
28,520
1,575
126
I'll check mine when I get home but it was opening the dialog box up when I did the "Install-Module" command asking me what I want to open "Install-Dialog" with (listed common programs like Notepad, Word, Internet Explorer, etc)?!? They need to come up with a simple utility to do this stuff for the masses.

Yeah, I was getting that too.

It also said "Get" was unrecognized a few times?
 

Genx87

Lifer
Apr 8, 2002
41,095
513
126
I'll check mine when I get home but it was opening the dialog box up when I did the "Install-Module" command asking me what I want to open "Install-Dialog" with (listed common programs like Notepad, Word, Internet Explorer, etc)?!? They need to come up with a simple utility to do this stuff for the masses.

Sorry, easiest way is from the first site to save it to an easy path. Like C:\PS. Once in powershell navigate to that directory and run the command to install module. Also run powershell as admin.

You can navigate directories in PS like old DOS. If you save to C:\PS

To save to C:\PS
In powershell type Save-Module -Name SpeculationControl -Path c:\PS -RequiredVersion 1.0.0

Once in Powershell type cd.. until you get to the C: drive. It will look like this PS c:\>

Then type cd PS
You will be at the prompt in PS that shows PS C:\ps >

From there run Install-Module -Name SpeculationControl -RequiredVersion 1.0.0
 
May 11, 2008
19,560
1,195
126
I can't get the Powershell check to work no matter what I try, and I have 5.1.1 ?

Here they explain what to do :
https://www.bleepingcomputer.com/ne...stems-for-the-meltdown-and-spectre-cpu-flaws/

You have to adjust the policy for powershell, you also have to run it as administrator.
Search : powershell , Alternative mouse button : run as administrator.

Adjust security policy for powershell.
Set-ExecutionPolicy Bypass

Then do install.

Install-Module SpeculationControl

Get-SpeculationControlSettings


Set-ExecutionPolicy Restricted
to set the policy back to default which is restricted.

Test with Get-ExecutionPolicy that it is restricted again.
 

Thala

Golden Member
Nov 12, 2014
1,355
653
136
The only thing they can do in 6 months from discovery to silicon is physically disabling features. That's hardly better than software containment. Unless it's been significantly more than 6 months ;)

I do not agree at all. Protection against Meltdown can be relatively trivially added without modifying the underlying speculation behavior. If you look at the specifics of how Meltdown works, there are several mitigation options in the microarchitecture. As an example, even if you do not cancel speculation earlier or prevent the faulting load, it would be sufficient to just zero/modify the value returned by the faulting load to kernel address space. Then the second load will not be able to leak the secret value via cache sideband channels even if it is speculatively executed - problem solved.
 

LTC8K6

Lifer
Mar 10, 2004
28,520
1,575
126
Sorry, easiest way is from the first site to save it to an easy path. Like C:\PS. Once in powershell navigate to that directory and run the command to install module. Also run powershell as admin.

You can navigate directories in PS like old DOS.

It never installs the module, that's my problem.

Don't know what else to try, but I'm not really worried about it because I know I'm not getting any microcode or BIOS updates for this from ASUS, so I won't have the full protection in any case.
 

LTC8K6

Lifer
Mar 10, 2004
28,520
1,575
126
Here they explain what to do :
https://www.bleepingcomputer.com/ne...stems-for-the-meltdown-and-spectre-cpu-flaws/

You have to adjust the policy for powershell, you also have to run it as administrator.
Search : powershell , Alternative mouse button : run as administrator.

Adjust security policy for powershell.
Set-ExecutionPolicy Bypass

Then do install.

Install-Module SpeculationControl

Get-SpeculationControlSettings


Set-ExecutionPolicy Restricted
to set the policy back to default which is restricted.

Test with Get-ExecutionPolicy that it is restricted again.

I am in admin mode.
Setting and confirming the bypass setting on the execution policy did not change anything, unfortunately.
The module still does not install.
I will set the policy back to restricted.
 

LTC8K6

Lifer
Mar 10, 2004
28,520
1,575
126
"NuGet provider is required to continue
PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
'C:\Users\LFI1\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and import
the NuGet provider now?"

That was the problem. My Get function was old, I guess?
Results:

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID optimization is enabled: False

Suggested actions

* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
* Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support.microsoft.com/help/4072698


BTIHardwarePresent : False
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled : False
 
  • Like
Reactions: ZGR and Engineer
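
How the property list in the result above maps to remaining work, as an added example that is not part of the original post or of the SpeculationControl module. `Get-MitigationGap` is a hypothetical helper name; the sample object uses the values posted above.

```powershell
# Added example: turn Get-SpeculationControlSettings output into a list of gaps.
# Get-MitigationGap is a hypothetical helper, not a cmdlet shipped by the module.
function Get-MitigationGap {
    param([Parameter(Mandatory)] $Settings)
    $gaps = @()

    # CVE-2017-5715 (branch target injection): needs microcode AND OS support.
    if (-not $Settings.BTIHardwarePresent) {
        $gaps += 'CVE-2017-5715: no hardware support; BIOS/firmware (microcode) update from the OEM required'
    }
    if (-not $Settings.BTIWindowsSupportPresent) {
        $gaps += 'CVE-2017-5715: Windows update carrying the mitigation is not installed'
    }
    elseif (-not $Settings.BTIWindowsSupportEnabled) {
        if ($Settings.BTIDisabledBySystemPolicy) {
            $gaps += 'CVE-2017-5715: OS mitigation is disabled by system policy'
        }
        if ($Settings.BTIDisabledByNoHardwareSupport) {
            $gaps += 'CVE-2017-5715: OS mitigation installed but inactive until hardware support is present'
        }
    }

    # CVE-2017-5754 (rogue data cache load): handled by kernel VA shadowing.
    if ($Settings.KVAShadowRequired) {
        if (-not $Settings.KVAShadowWindowsSupportPresent) {
            $gaps += 'CVE-2017-5754: Windows update carrying kernel VA shadow is not installed'
        }
        elseif (-not $Settings.KVAShadowWindowsSupportEnabled) {
            $gaps += 'CVE-2017-5754: kernel VA shadow is installed but not enabled'
        }
        elseif (-not $Settings.KVAShadowPcidEnabled) {
            $gaps += 'CVE-2017-5754: mitigated, but PCID optimization is off (performance cost, not a security gap)'
        }
    }
    $gaps
}

# Sample input: the property values from the result posted above.
$posted = [pscustomobject]@{
    BTIHardwarePresent = $false; BTIWindowsSupportPresent = $true
    BTIWindowsSupportEnabled = $false; BTIDisabledBySystemPolicy = $false
    BTIDisabledByNoHardwareSupport = $true; KVAShadowRequired = $true
    KVAShadowWindowsSupportPresent = $true; KVAShadowWindowsSupportEnabled = $true
    KVAShadowPcidEnabled = $false
}
Get-MitigationGap -Settings $posted
```

On a live system, pass the output of `Get-SpeculationControlSettings` instead of `$posted`.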
May 11, 2008
19,560
1,195
126
I am in admin mode.
Setting and confirming the bypass setting on the execution policy did not change anything, unfortunately.
The module still does not install.
I will set the policy back to restricted.

Strange. Now that I remember, with me it would not install at first as well, I had to install something else as well before I could do
Install-Module SpeculationControl
I got this message at first:
NuGet provider is required to continue
I installed NuGet. (for general information: https://www.nuget.org/)
Then did the security policy to bypass.
and then:
Install-Module SpeculationControl

Maybe you can try this ?
https://www.ghacks.net/2018/01/05/f...affected-by-meltdown-spectre-vulnerabilities/

Here is what you need to do:
  1. Load an elevated PowerShell prompt. Tap on the Windows-key, type PowerShell, hold down the Shift-key and the Ctrl-key and select the PowerShell entry to load it.
  2. Type Install-Module SpeculationControl
  3. You may get a prompt stating that “NuGet provider is required to continue.” Select Y to accept that.
  4. You may get a prompt stating that you are installing an “untrusted repository.” Select Y to continue.
  5. Type Import-Module SpeculationControl.
  6. You may get an error stating that “running scripts” is disabled. If you do, type Set-ExecutionPolicy RemoteSigned. Repeat the command Import-Module SpeculationControl.
  7. Type Get-SpeculationControlSettings.
Tip: You can restore the default ExecutionPolicy setting by running the command Set-ExecutionPolicy Default.


edit:
I see you already found the solution. :)
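
The install-and-check steps from this thread collected into one script, as an added example that is not part of any post above. It differs from the posted commands in two ways: the execution policy is relaxed for the current process only, so there is nothing to set back afterwards, and the module is installed for the current user. The TLS 1.2 line is an assumption about what older Windows builds need to reach the PowerShell Gallery.

```powershell
# Added example: run in a PowerShell 5.x window.

# Install-Module comes from PowerShellGet, which ships with PowerShell 5.0 and later.
# Without it the command is not recognized, as seen on older installs in this thread.
if (-not (Get-Command Install-Module -ErrorAction SilentlyContinue)) {
    throw "PowerShellGet not found (PowerShell $($PSVersionTable.PSVersion)); update PowerShell first."
}

# Allow script modules to load in THIS process only. The machine-wide policy
# is left untouched, unlike a plain 'Set-ExecutionPolicy Bypass'.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

# Assumption: older builds default to TLS 1.0/1.1; add TLS 1.2 for the gallery.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# The NuGet provider is what the "NuGet provider is required to continue" prompt
# asks for; the minimum version is the one quoted in that prompt.
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Scope CurrentUser -Force

# The "untrusted repository" prompt is left in place on purpose; answer Y to proceed.
Install-Module -Name SpeculationControl -Scope CurrentUser

Import-Module SpeculationControl
Get-SpeculationControlSettings

# Confirm that only the Process scope was changed.
Get-ExecutionPolicy -List
```

Closing the window discards the Process-scope policy.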