Thank you for bringing this to our attention; let me help you on this matter.
Since the latest Intel® NUC BIOS provides the fix for the Security Advisory-00088, the Microsoft* tool is no longer needed.
I would recommend checking with Microsoft* to see if they have information on this "Windows OS support for Kernel VA shadow is enabled: False" message.
There are essentially three vulnerabilities, Meltdown, SpectreA and SpectreB. Only SpectreB can be addressed by microcode change. The other two vulnerabilities can only be addressed by changes in the processor's silicon - which can only occur in future processors - or by workarounds in the Operating System. Bottom line, the workarounds in Windows that Microsoft has implemented are still absolutely necessary.
That is exactly why I am puzzled about the "Windows OS support for Kernel VA shadow is enabled: False" message after updating to BIOS version 0047.
Like I said before, without BIOS update 0047 (rolling back to 0045) everything under the "Speculation control settings for CVE-2017-5754 [rogue data cache load]" section is displayed in green, which (if I understand it right) indicates OS-enabled Meltdown protection.
The registry settings are enabled as described in this document provided by Microsoft, e.g.:
FeatureSettingsOverride = 0
FeatureSettingsOverrideMask = 3
BTW, the NUC6CAYH has Windows Server 2016 (build 1607) installed as its OS (although not officially supported, this runs smoothly; hopefully Bluetooth can be disabled from within the BIOS in future, as this is the only driver that can't be installed).
I think something is off here... either the tool that checks against the vulnerabilities, or the BIOS microcode itself, breaks something that would let the tool properly identify the vulnerabilities as 'fixed'.
I haven't looked at the Microsoft stuff, so I cannot comment on that.
The reason why the parameters for disabling Bluetooth are not present in the BIOS is because the wireless module is not permanently attached and could be replaced. I argued that, for the NUC6CAYS and NUC6CAYH systems, they receive this module with the system and thus it should be supported as if it was permanent. They are looking into it...
I've recreated the behavior of the "Kernel VA Shadow is enabled" showing False after the BIOS update. I will try to get an answer on whether this is the expected behavior.
Thanks... I really wasn't sure how to get an answer on this; it felt a bit like being shuttled from pillar to post. Microsoft said: ask Intel, and Intel said: ask Microsoft.
I've read the "Understanding Get-SpeculationControlSettings PowerShell script output" and, if I understand that explanation right, that is not the expected behavior for the output... or the hardware is no longer believed to be vulnerable, but I was under the impression the microcode updates were aimed at Spectre and not at Meltdown:
Windows OS support for kernel VA shadow is enabled
Maps to KVAShadowWindowsSupportEnabled. This line tells you if the kernel VA shadow feature has been enabled. If it is True, the hardware is believed to be vulnerable to CVE-2017-5754, Windows operating system support is present, and the feature has been enabled. The Kernel VA shadow feature is currently enabled by default on client versions of Windows and is disabled by default on versions of Windows Server. If it is False, either Windows operating system support is not present, or the feature has not been enabled.
I can confirm the behavior is exactly the same on Windows 10 (I wanted to make sure it was not Windows Server 2016 related).
Also, rolling back to BIOS version 0045 makes "Kernel VA Shadow is enabled" revert to "True".
That is correct; the microcode updates are for SpectreB. Until such time as processors are available that have the appropriate fixes in silicon, both SpectreA and Meltdown require the workarounds in the O/S.
I do not know what is going on. I need an expert to fill me in on this stuff Microsoft has added. I will get back to you...
Our engineers are working with Microsoft on this. The Get-SpeculationControlSettings script is incorrectly identifying that Kernel VA Shadowing is needed for this model of CPU. That's why it says "Hardware requires kernel VA shadowing: True". Our BIOS update is setting an MSR (model specific register) that should be telling the script that VA shadowing is not required.
The bottom line is that the CPU in the NUC6CAYH is not impacted by CVE-2017-5754 so your system has all the proper mitigations applied.
Let us know if you have additional questions.
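An added PowerShell check (not from this thread or from Intel/Microsoft) that decodes the FeatureSettingsOverride / FeatureSettingsOverrideMask keys mentioned above and, if Microsoft's SpeculationControl module is installed, reads the KVAShadowRequired and KVAShadowWindowsSupportEnabled fields together, so that "enabled: False" is only flagged when the hardware actually reports that shadowing is required. The bit meanings of FeatureSettingsOverride follow Microsoft's speculative-execution registry guidance and are an assumption to verify against the current KB; the -Quiet switch is the script's own.

```powershell
# Added example: interpret the Windows speculation-control registry override
# and cross-check the kernel VA shadow state reported by Microsoft's script.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$props   = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue

function Get-MitigationOverride {
    param([Nullable[int]]$Override, [Nullable[int]]$Mask)
    if ($null -eq $Override -or $null -eq $Mask) {
        return 'No override keys present: Windows defaults apply (client: on, Server: KVA shadow off)'
    }
    # Assumed bit layout (per Microsoft guidance): a set bit in Override, where the
    # same bit is set in Mask, DISABLES that mitigation. Override=0/Mask=3 enables both.
    $bits = @(
        @{ Bit = 1; Name = 'CVE-2017-5715 (Spectre v2, branch target injection) mitigation' },
        @{ Bit = 2; Name = 'CVE-2017-5754 (Meltdown) kernel VA shadow' }
    )
    foreach ($b in $bits) {
        if (($Mask -band $b.Bit) -eq 0)          { "$($b.Name): not overridden, default applies" }
        elseif (($Override -band $b.Bit) -ne 0)  { "$($b.Name): explicitly DISABLED by registry" }
        else                                     { "$($b.Name): explicitly enabled by registry" }
    }
}

Get-MitigationOverride -Override $props.FeatureSettingsOverride -Mask $props.FeatureSettingsOverrideMask

# Cross-check with Microsoft's script (Install-Module SpeculationControl) when available.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    $s = Get-SpeculationControlSettings -Quiet
    if (-not $s.KVAShadowRequired) {
        'Hardware reports kernel VA shadow is NOT required: "support is enabled: False" is expected here'
    } elseif (-not $s.KVAShadowWindowsSupportEnabled) {
        'Hardware requires kernel VA shadow but it is not enabled: check OS patch level and the override keys above'
    } else {
        'Kernel VA shadow is required and enabled'
    }
}
```

On the NUC in this thread the interesting case is the first branch: once the BIOS exposes the "not required" indication, the script's KVAShadowRequired should read False, and only a True/False pair (required but not enabled) indicates a real gap.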
OK, I'll keep my eyes open for an updated Get-SpeculationControlSettings script.
Thanks for your feedback!