Microsoft ADV190013 MDS vulnerabilities - Potential performance impacts

Discussion in 'Operating Systems' started by chr!s, May 15, 2019.

  1. chr!s

    chr!s Master Guru

    Messages:
    225
    Likes Received:
    52
    GPU:
    RTX™ 3080 TI
    Looks like there could be more performance implications with latest Security Advisory from Microsoft.

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190013

    Potential performance impacts
    Specific performance impact varies by hardware generation and implementation by the chip manufacturer. For most consumer devices, impact on performance may not be noticeable. Some customers may have to disable Hyper-Threading (SMT) to fully address the risk from MDS vulnerabilities. In testing Microsoft has seen some performance impact with these mitigations, in particular when hyperthreading is disabled. Microsoft values the security of its software and services and has made the decision to implement certain mitigation strategies in an effort to better secure our products. In some cases, mitigations are not enabled by default to allow users and administrators to evaluate the performance impact and risk exposure before deciding to enable the mitigations. We continue to work with hardware vendors to improve performance while maintaining a high level of security.​

    :(
     
    joe187 likes this.
  2. JonasBeckman

    JonasBeckman Ancient Guru

    Messages:
    17,564
    Likes Received:
    2,961
    GPU:
    XFX 7900XTX M'310
    There should be a registry switch for disabling it if you're not worried about it though it's performance or security when using a Intel CPU and it affects all of them from what I am reading though the severity and resulting performance impact can vary.
     
    chr!s likes this.
  3. EdKiefer

    EdKiefer Ancient Guru

    Messages:
    3,125
    Likes Received:
    394
    GPU:
    ASUS TUF 3060ti
    JonasBeckman likes this.
  4. fantaskarsef

    fantaskarsef Ancient Guru

    Messages:
    15,636
    Likes Received:
    9,512
    GPU:
    4090@H2O
    Can't wait for new benchmarks.
    At this point I'd pay @Hilbert Hagedoorn for his time if he could do a roundup of all Intel CPUs since Sandy bridge, but that's a lot of work and probably only shows what we already suspect.
     

  5. artina90

    artina90 Member Guru

    Messages:
    148
    Likes Received:
    58
    GPU:
    RTX 3080Ti
    In cmd the following disables all mitigations:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
     
    JonasBeckman and fantaskarsef like this.
  6. EdKiefer

    EdKiefer Ancient Guru

    Messages:
    3,125
    Likes Received:
    394
    GPU:
    ASUS TUF 3060ti
    here output with stock settings

    Speculation control settings for CVE-2017-5715 [branch target injection]

    Hardware support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is enabled: True

    Speculation control settings for CVE-2017-5754 [rogue data cache load]

    Hardware requires kernel VA shadowing: True
    Windows OS support for kernel VA shadow is present: True
    Windows OS support for kernel VA shadow is enabled: True
    Windows OS support for PCID performance optimization is enabled: False [not required for security]

    Speculation control settings for CVE-2018-3639 [speculative store bypass]

    Hardware is vulnerable to speculative store bypass: True
    Hardware support for speculative store bypass disable is present: True
    Windows OS support for speculative store bypass disable is present: True
    Windows OS support for speculative store bypass disable is enabled system-wide: False

    Speculation control settings for CVE-2018-3620 [L1 terminal fault]

    Hardware is vulnerable to L1 terminal fault: True
    Windows OS support for L1 terminal fault mitigation is present: True
    Windows OS support for L1 terminal fault mitigation is enabled: True


    BTIHardwarePresent : True
    BTIWindowsSupportPresent : True
    BTIWindowsSupportEnabled : True
    BTIDisabledBySystemPolicy : False
    BTIDisabledByNoHardwareSupport : False
    BTIKernelRetpolineEnabled : True
    BTIKernelImportOptimizationEnabled : True
    KVAShadowRequired : True
    KVAShadowWindowsSupportPresent : True
    KVAShadowWindowsSupportEnabled : True
    KVAShadowPcidEnabled : False
    SSBDWindowsSupportPresent : True
    SSBDHardwareVulnerable : True
    SSBDHardwarePresent : True
    SSBDWindowsSupportEnabledSystemWide : False
    L1TFHardwareVulnerable : True
    L1TFWindowsSupportPresent : True
    L1TFWindowsSupportEnabled : True
    L1TFInvalidPteBit : 45
    L1DFlushSupported : True


    this is with 0.12 version, I can't seem to get the newest 0.13 PS module to load as listed on this site https://support.microsoft.com/en-us...-of-get-speculationcontrolsettings-powershell

    The command " Install-Module SpeculationControl" gives me just a pop-up window, "what file do you want to open"
    I tried DL script as noted on that site but again when I run "Import-Module.\SpeculationControl.psd1 " I get a red error saying path, name is not right but it is.
     
    joe187, Jackalito and fantaskarsef like this.
  7. tsunami231

    tsunami231 Ancient Guru

    Messages:
    14,702
    Likes Received:
    1,843
    GPU:
    EVGA 1070Ti Black
    this is really getting ridiculous. by time things are done being patched performance will be less performance like ...
     
  8. EdKiefer

    EdKiefer Ancient Guru

    Messages:
    3,125
    Likes Received:
    394
    GPU:
    ASUS TUF 3060ti
  9. Astyanax

    Astyanax Ancient Guru

    Messages:
    16,996
    Likes Received:
    7,337
    GPU:
    GTX 1080ti
    Remove the existing module before trying to install the new one.
    You can do this with Uninstall-module command

    I see you got the same advice on tenforum but you didn't reply there yet.

    You also need to enable the installation of unsigned modules.
     
  10. EdKiefer

    EdKiefer Ancient Guru

    Messages:
    3,125
    Likes Received:
    394
    GPU:
    ASUS TUF 3060ti
    I did reply by saying thanks for the help but I disabled all those, I never wanted it enabled but wanted the script to work with the new version.
    So that is the reason I get the popup "open with what app" when I run PS> Install-Module SpeculationControl?

    I didn't want to try Uninstall-module command as if I still got that trouble afterward then I have no output.

    PS: I was using the "Set-ExecutionPolicy RemoteSigned -Scope Currentuser" with yes to all for signing stuff.

    Also, there was another guy at tenforum with 0.12 and wanted to upgrade to 0.14, he got it working with -force option, so he didn't have the same problem. I tried that too but doesn't seem to help and I don't see anyone else with this type of problem, at least with Google.

    With the popup, I was thinking might be a file association issue but seems ok when checking.
     
    Last edited: May 16, 2019

  11. Astyanax

    Astyanax Ancient Guru

    Messages:
    16,996
    Likes Received:
    7,337
    GPU:
    GTX 1080ti
    are you using native 10 powershell or did you install powershell core?

    might not work with powershell core.
     
  12. EdKiefer

    EdKiefer Ancient Guru

    Messages:
    3,125
    Likes Received:
    394
    GPU:
    ASUS TUF 3060ti
    I got it working with this post https://www.tenforums.com/windows-1...763-503-may-14-a-post1633893.html#post1633893
    you can see my reply.
    I am using native Win10 (1809) PS, haven't installed core or newer versions.
    So I now have C:\Program Files\WindowsPowerShell\Modules\SpeculationControl\1.0.14 with 1.0.12 to.
     
  13. joe187

    joe187 Master Guru

    Messages:
    494
    Likes Received:
    22
    GPU:
    EVGA RTX 3070ti FTW
    on i7-2600k, win10 pro 1809 build 503, all protection show as true as default now except these:

    SSBDWindowsSupportEnabledSystemWide : False <--- this one i CAN get to read as "True" with the MS reg key

    MDSWindowsSupportPresent : True
    MDSHardwareVulnerable : True
    MDSWindowsSupportEnabled : False <--- this one still reads as false when i use the recommended reg key.

    Am i correct that the MDS one is the newer issue, SSBD was earler but not enabled by default. And MDS i will have to wait for a new microcode (i currently have the latest from MS on their kb microcode ms-catalog)? Is the SSBD one not on by default because of perfomance issues?
     
  14. EdKiefer

    EdKiefer Ancient Guru

    Messages:
    3,125
    Likes Received:
    394
    GPU:
    ASUS TUF 3060ti
    I would say IMO yes to each of your questions for now until MS releases more info and patches.
     
    joe187 likes this.

Share This Page