3 Replies Latest reply on Apr 13, 2018 12:31 PM by Intel Corporation

    NUC5i5RYH no longer reports as Meltdown/Spectre "compliant"?

    yoda-intelnuc

      Howdy.

       

      Long story short, since I installed April 2018 updates for my NUC5i5RYH (running Win10 1709 Enterprise edition), the Microsoft PowerShell cmdlet to check for Spectre/Meltdown mitigations no longer reports my machine as "protected" (or whatever you want to call it).

       

      Here's the cmdlet snippet:

      :

      :

       

      PS C:\Windows\system32> Get-SpeculationControlSettings

      Speculation control settings for CVE-2017-5715 [branch target injection]

      For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629

       

       

      Hardware support for branch target injection mitigation is present: False

      Windows OS support for branch target injection mitigation is present: True (I have the patches installed, but I've disabled the software mitigations via the registry keys.)

      Windows OS support for branch target injection mitigation is enabled: False (I have the patches installed, but I've disabled the software mitigations via the registry keys.)

      Windows OS support for branch target injection mitigation is disabled by system policy: True (I have the patches installed, but I've disabled the software mitigations via the registry keys.)

      Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

       

      Speculation control settings for CVE-2017-5754 [rogue data cache load]

       

      Hardware requires kernel VA shadowing: True

      Windows OS support for kernel VA shadow is present: True

      Windows OS support for kernel VA shadow is enabled: False

       

      Suggested actions

       

       

      * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.

      * Follow the guidance for enabling Windows Client support for speculation control mitigations described in https://support.microsoft.com/help/4073119

       

       

       

       

      BTIHardwarePresent             : False

      BTIWindowsSupportPresent       : True

      BTIWindowsSupportEnabled       : False

      BTIDisabledBySystemPolicy      : True

      BTIDisabledByNoHardwareSupport : True

      KVAShadowRequired              : True

      KVAShadowWindowsSupportPresent : True

      KVAShadowWindowsSupportEnabled : False

      KVAShadowPcidEnabled           : False

       

      :

      :

       

      My machine is running the 369 version of the BIOS as per the output of this:

      :

      :

      PS C:\Windows\system32> wmic bios get smbiosbiosversion

      SMBIOSBIOSVersion

      RYBDWi35.86A.0369.2018.0305.1050

      :

      :

       

      According to the release notes for this BIOS version here: https://downloadmirror.intel.com/27631/eng/RY_0369_ReleaseNotes.pdf , it should provide the hardware mitigation the cmdlet is looking for.

       

      I'd like to say that prior to the April 2018 updates the cmdlet reported that hardware mitigation was in place, but I can't be 100% certain since I didn't document it.

       

      (Just in case, here's the link to the get-speculationcontrol thing:

       

      https://support.microsoft.com/en-us/help/4074629/understanding-the-output-of-get-speculationcontrolsettings-powershell

       

      and here's the one to the aforementioned registry keys to disable mitigations at the client OS level:

       

      https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

       

      )

       

      Questions? Thoughts? Let me know if you need me to provide additional information on this.
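
The flags in the output above can be turned into a per-cause diagnosis; the following is an added example, not part of the original post and not Microsoft's code. The function name `Get-SpecCtrlDiagnosis`, the sample object, the override/mask values of 3, and the bit meanings (taken from Microsoft's KB4073119 guidance) are assumptions.

```powershell
# Added example (not from the original post). Explains why a result object from
# Get-SpeculationControlSettings shows a mitigation as off.
function Get-SpecCtrlDiagnosis {
    param(
        [Parameter(Mandatory)] $Settings,  # object returned by Get-SpeculationControlSettings
        [Nullable[int]] $Override,         # FeatureSettingsOverride, $null when the value is absent
        [Nullable[int]] $Mask              # FeatureSettingsOverrideMask, $null when the value is absent
    )
    $findings = @()
    if (-not $Settings.BTIWindowsSupportPresent) {
        $findings += 'BTI: the OS update carrying the mitigation is not installed.'
    }
    if (-not $Settings.BTIHardwarePresent) {
        $findings += 'BTI: the OS does not see hardware (microcode) support; confirm which BIOS/microcode actually loaded.'
    }
    if ($Settings.BTIDisabledBySystemPolicy) {
        $findings += 'BTI: switched off by system policy, regardless of hardware support.'
    }
    if ($Settings.KVAShadowRequired -and -not $Settings.KVAShadowWindowsSupportEnabled) {
        $findings += 'KVA shadow: required on this CPU but not enabled.'
    }
    if ($null -ne $Override -and $null -ne $Mask) {
        # Assumption: bit meanings taken from Microsoft's KB4073119 guidance
        # (bit 0 = CVE-2017-5715, bit 1 = CVE-2017-5754); check the current article.
        $effective = $Override -band $Mask
        if ($effective -band 1) { $findings += 'Registry: override disables the CVE-2017-5715 mitigation.' }
        if ($effective -band 2) { $findings += 'Registry: override disables the CVE-2017-5754 mitigation.' }
    }
    if ($findings.Count -eq 0) { $findings += 'No disabled mitigation found in these fields.' }
    $findings
}

# Constructed sample: property values copied from the output in the post.
$sample = [pscustomobject]@{
    BTIHardwarePresent             = $false
    BTIWindowsSupportPresent       = $true
    BTIWindowsSupportEnabled       = $false
    BTIDisabledBySystemPolicy      = $true
    BTIDisabledByNoHardwareSupport = $true
    KVAShadowRequired              = $true
    KVAShadowWindowsSupportPresent = $true
    KVAShadowWindowsSupportEnabled = $false
    KVAShadowPcidEnabled           = $false
}
# Override/mask of 3 are assumed values; the post does not say what was set.
Get-SpecCtrlDiagnosis -Settings $sample -Override 3 -Mask 3
```

On a live machine, pass the cmdlet's return value as `-Settings` and the two values read from `HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management` as `-Override` and `-Mask`.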