I can’t enable the Meltdown/Spectre mitigations in Windows Server 2008 R2

Tags: update, vulnerabilities, windows-server-2008-r2

I have installed the patch released today as detailed here and then set the two registry keys as mentioned:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

However, when I run the provided PowerShell module to check, it is informing me the mitigations are still not enabled:

PS C:\Users\Administrator> get-speculationcontrolsettings
Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is enabled: False

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: False
Windows OS support for kernel VA shadow is enabled: False

Suggested actions

 * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
 * Install the latest available updates for Windows with support for speculation control mitigations.
 * Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support.microsoft.com/help/4072698


BTIHardwarePresent             : False
BTIWindowsSupportPresent       : False
BTIWindowsSupportEnabled       : False
BTIDisabledBySystemPolicy      : False
BTIDisabledByNoHardwareSupport : False
KVAShadowRequired              : True
KVAShadowWindowsSupportPresent : False
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled           : False

Why is this? What else do I have to do? I have rebooted the server for good measure with no improvement.

Update after answer from @Paul:

I've now installed the correct update (wally), and this is the output of the PowerShell cmdlet:

PS C:\Users\Administrator> get-speculationcontrolsettings
Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: True
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: False

Suggested actions

 * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
 * Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support.microsoft.com/help/4072698


BTIHardwarePresent             : False
BTIWindowsSupportPresent       : True
BTIWindowsSupportEnabled       : False
BTIDisabledBySystemPolicy      : True
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired              : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled           : False

Is this everything I can do pending a microcode update?

Best Answer

Firstly, the above output is saying that the required Windows patch has not been installed:

Speculation control settings for CVE-2017-5715 [branch target injection]

Windows OS support for branch target injection mitigation is present: False

and

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Windows OS support for kernel VA shadow is present: False

Is your AV preventing it? See here.

Secondly, CVE-2017-5715 will also require a CPU microcode update, which means a BIOS update when/if it becomes available. Intel have apparently released the code, but it's down to OEMs to provide updated BIOSes that incorporate it, and that may take a while.

All you can do right now is install the Windows patch. Once the correct patch is installed you should be covered for Meltdown but will still need a subsequent BIOS update to fully cover off Spectre.

FYI, here is the output for my (patched) Windows 10 system:

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: False

You will note that for CVE-2017-5715 it shows that the patch is installed but not enabled due to "absence of hardware support", i.e. the microcode update.

You will also note that for CVE-2017-5754 it simply says that it's not required; this is because I'm running on an AMD CPU.

As for your side note, I can't say for sure without testing, but if you look closely, for disabling, the FeatureSettingsOverride key is being set to 3, not 0 as is required to enable it, so I assume that you need the same mask for both but either a 0 (enable) or 3 (disable) for the FeatureSettingsOverride key.
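Added example (not from the question, the answer, or Microsoft's module): a PowerShell script that reads the two Memory Management registry values from the question, interprets them using the 0-enable / 3-disable rule stated in the answer, and then cross-checks the object returned by Get-SpeculationControlSettings to say which of the three things (Windows update, registry policy, firmware/microcode) is still missing. It assumes the SpeculationControl module is already installed and that the property names are the ones shown in the cmdlet output above; the function names and the "other combination" wording are mine.

```powershell
# Registry key from the question; only two values are of interest here.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-MitigationRegistryState {
    $props    = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    $override = $props.FeatureSettingsOverride
    $mask     = $props.FeatureSettingsOverrideMask

    # Interpretation taken from the answer: Override=0 with Mask=3 enables both
    # mitigations, Override=3 with Mask=3 disables both. Anything else is reported
    # as "other" and left for the reader to check against KB4072698.
    $state = if ($null -eq $override -or $null -eq $mask) { 'not set (OS defaults apply)' }
             elseif ($mask -eq 3 -and $override -eq 0)    { 'enabled by registry' }
             elseif ($mask -eq 3 -and $override -eq 3)    { 'disabled by registry' }
             else                                         { 'other combination; check KB4072698' }

    [pscustomobject]@{
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
        Interpretation              = $state
    }
}

function Enable-MitigationRegistryState {
    # Same effect as the two "reg add" lines in the question, done with the
    # PowerShell registry provider. A reboot is still required afterwards.
    Set-ItemProperty -Path $regPath -Name FeatureSettingsOverride     -Value 0 -Type DWord
    Set-ItemProperty -Path $regPath -Name FeatureSettingsOverrideMask -Value 3 -Type DWord
}

function Get-MitigationTriage {
    # Requires the SpeculationControl module used in the question.
    $s = Get-SpeculationControlSettings
    $findings = @()

    # "present: False" means the Windows update itself is missing (or blocked,
    # e.g. by the AV check the answer points at) - registry values cannot help yet.
    if (-not $s.BTIWindowsSupportPresent -or -not $s.KVAShadowWindowsSupportPresent) {
        $findings += 'OS support missing: install the Windows update first (check whether AV is blocking it).'
    }
    # Patch present but the registry policy is turning the BTI mitigation off.
    if ($s.BTIWindowsSupportPresent -and $s.BTIDisabledBySystemPolicy) {
        $findings += 'BTI mitigation disabled by system policy: re-check FeatureSettingsOverride/Mask and reboot.'
    }
    # Patch present but no microcode: only an OEM BIOS/firmware update fixes this.
    if ($s.BTIWindowsSupportPresent -and $s.BTIDisabledByNoHardwareSupport) {
        $findings += 'BTI mitigation needs a microcode (BIOS/firmware) update from the OEM.'
    }
    # KVA shadow (Meltdown) is required and supported by the OS but still off.
    if ($s.KVAShadowRequired -and $s.KVAShadowWindowsSupportPresent -and -not $s.KVAShadowWindowsSupportEnabled) {
        $findings += 'KVA shadow present but not enabled: check the registry values and reboot.'
    }
    if ($findings.Count -eq 0) { $findings += 'No gaps detected by this check.' }
    $findings
}

Get-MitigationRegistryState | Format-List
Get-MitigationTriage
```

Run it in an elevated PowerShell session. On the second output in the question (update installed, BTIDisabledBySystemPolicy True, KVAShadowWindowsSupportEnabled False) the triage would report the registry-policy and KVA-shadow items rather than a missing update, which narrows the next step to the registry values and a reboot.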
