12 Replies Latest reply on Apr 15, 2018 5:49 AM by Gorbush

    NUC6CAYH SA-00088

    RvdH

      I updated the NUC6CAYH to latest bios AYAPLCEL.86A 0047 that has new microcode to protect against INTEL-SA-00088 vulnerabilities

       

      Windows Registry Settings

      FeatureSettingsOverride = 0

      FeatureSettingsOverrideMask = 3

       

      Q4beG9m2.png

       

      Before the AYAPLCEL.86A 0047 bios update (0045 in my case) everything under CVE-2017-5754 [roque data cache load] was displayed in green using the Get-SpeculationControlSettings Powershell script provided by Microsoft.

      Does this mean that after the AYAPLCEL.86A 0047 bios update the "software" fix from Microsoft to protect against Meltdown is not needed anymore? Or can anyone explain me why this is now again displayed in red?

        • 1. Re: NUC6CAYH SA-00088
          Intel Corporation
          This message was posted on behalf of Intel Corporation

          Hi RvdH,

          Thank you for bringing this to our attention, let me help you on this matter. 3

          Since the latest Intel® NUC BIOS provides the fix for the Security Advisory-00088, the Microsoft* tool is no longer needed.
          I would recommend checking with Microsoft* to see if they have information on this "Windows OS support for Kernel VA shadow is enabled: False" message.
          https://support.microsoft.com/en-us/contactus/

          Regards,
          Allan J
           

          • 2. Re: NUC6CAYH SA-00088
            N.Scott.Pearson

            There are essentially three vulnerabilities, Meltdown, SpectreA and SpectreB. Only SpectreB can be addressed by microcode change. The other two vulnerabilities can only be addressed by changes in the processor's silicon - which can only occur in future processors - or by workarounds in the Operating System. Bottom line, the workarounds in Windows that Microsoft has implemented are still absolutely necessary.

             

            ...S

            1 of 1 people found this helpful
            • 3. Re: NUC6CAYH SA-00088
              RvdH

              Hi Scott,

               

              That is exactly why I am puzzled about the "Windows OS support for Kernel VA shadow is enabled: False" message after updating to BIOS version 0047

              Like i said before, without BIOS update 0047 (rolling back to 0045) everything under the "Speculation control settings for CVE-2017-5754 [rogue data cache load]" section is displayed in green, what (if i understand it right) indicated OS enabled Meltdown protection

               

              The registry settings are enabled as described in this document provided by Microsoft, eg:

              FeatureSettingsOverride = 0

              FeatureSettingsOverrideMask = 3

               

              BTW, the NUC6CAYH has Windows Server 2016 (build 1607) as OS installed (although not officially supported this runs smooth, hopefully bluetooth can be disabled from within bios in future as this is the only driver that can't be installed)

               

              I think something is off here...being it either the tool to check against the vulnerabilities or the BIOS microcode itself breaks something that enables the tool to properly identify the vulnerabilities as being 'fixed'

              1 of 1 people found this helpful
              • 4. Re: NUC6CAYH SA-00088
                N.Scott.Pearson

                I haven't looked at the Microsoft stuff, so I cannot comment on that.

                 

                The reason why the parameters for disabling Bluetooth are not present in the BIOS is because the wireless module is not permanently attached and could be replaced. I argued that, for the NUC6CAYS and NUC6CAYH systems, they receive this module with the system and thus it should be supported as if it was permanent. They are looking into it...

                 

                ...S

                • 5. Re: NUC6CAYH SA-00088
                  Intel Corporation
                  This message was posted on behalf of Intel Corporation

                  Hi RvdH,

                  I've recreated the behavior of the "Kernel VA Shadow is enabled" showing False after the BIOS update.  I will try to get an answer on whether this is the expected behavior.

                  1 of 1 people found this helpful
                  • 6. Re: NUC6CAYH SA-00088
                    RvdH

                    Thanks..really wasn't sure how to get a answer on this, felt a bit like being shuttled here from pillar to post. Microsoft said: Ask Intel and Intel said: ask Microsoft

                     

                    I've I read the Understanding Get-SpeculationControlSettings PowerShell script output and if understand that explanation right, that is not the expected behavior for the output...or the hardware is no longer believed to be vulnerable, but i was under the impression the microcode updates were aimed at Spectre and not for Meltdown

                     

                    Windows OS support for kernel VA shadow is enabled

                    Maps to KVAShadowWindowsSupportEnabled. This line tells you if the kernel VA shadow feature has been enabled. If it is True, the hardware is believed to be vulnerable to CVE-2017-5754, Windows operating system support is present, and the feature has been enabled. The Kernel VA shadow feature is currently enabled by default on client versions of Windows and is disabled by default on versions of Windows Server. If it is False, either Windows operating system support is not present, or the feature has not been enabled.

                     

                    I can confirm the behavior is exactly the same on Windows 10 (i wanted to make sure it was not Windows server 2016 related)

                    And also rolling back to BIOS version 0045  makes "Kernel VA Shadow is enabled" revert to "True"

                    • 7. Re: NUC6CAYH SA-00088
                      N.Scott.Pearson

                      That is correct; the microcode updates are for SpectreB. Until such time as processors are available that have the appropriate fixes in silicon, both SpectreA and Meltdown require the workarounds in the O/S.

                       

                      I do not know what is going on. I need an expert to fill me in on this stuff Microsoft has added. I will get back to you...

                      ...S

                      1 of 1 people found this helpful
                      • 8. Re: NUC6CAYH SA-00088
                        Intel Corporation
                        This message was posted on behalf of Intel Corporation

                        Our engineers are working with Microsoft on this.  The Get-SpeculationControlSettings script is incorrectly identifying that Kernel VA Shadowing is needed for this model of CPU.  That's why it says "Hardware requires kernel VA shadowing: True".  Our BIOS update is setting a MSR (model specific register) that should be telling the script that VA shadowing is not required.

                        The bottom line is that the CPU in the NUC6CAYH is not impacted by CVE-2017-5754 so your system has all the proper mitigations applied.

                        Let us know if you have additional questions.

                        1 of 1 people found this helpful
                        • 9. Re: NUC6CAYH SA-00088
                          RvdH

                          OK, i'll keep my eyes open for a updated Get-SpeculationControlSettings script 

                           

                          Thanks for your feedback!

                          • 10. Re: NUC6CAYH SA-00088
                            RvdH

                            FYI, Finally updated script is made available by Microsoft, PowerShell Gallery | SpeculationControl 1.0.6

                            All seems to be OK now

                            • 11. Re: NUC6CAYH SA-00088
                              Gorbush

                              wrote:

                              I think something is off here...being it either the tool to check against the vulnerabilities or the BIOS microcode itself breaks something that enables the tool to properly identify the vulnerabilities as being 'fixed'

                              I'm confused. There isn't any article which would indicate that Apollo Lake platform (especially Celleron J3455) isn't vulnerable to Meltdown threat (CVE-2017-5754). But Microsoft Windows 10 clearly detects this CPU inside NUC6CAYS(/H) (after BIOS update to version 47) as not requiring KVAShadow protection. What's going on?

                              1 of 1 people found this helpful
                              • 12. Re: NUC6CAYH SA-00088
                                Gorbush

                                wrote:

                                FYI, Finally updated script is made available by Microsoft, PowerShell Gallery | SpeculationControl 1.0.6

                                All seems to be OK now

                                "All OK" means that this CPU doesn't need KVAShadow protection enabled? Where is Intel documentation on this?

                                1 of 1 people found this helpful