Mitigating Spectre Variant 2 with Retpoline on Windows
Microsoft patched the Spectre variant 2 vulnerability (CVE-2017-5753), a branch target injection microprocessor flaw, back in January 2018 along with two other processor bugs, CVE-2017-5753 and CVE-2017-5754. But the original Spectre v2 patch caused performance to drop by up to 30% under some load conditions. Microsoft distributed a fix for the performance issues at the beginning of March. Developed by Google and called Retpoline, the patch can be applied to CPUs that have predictable Return Stack Buffer (RSB) behavior. For Intel processors, that means that Retpoline can’t be used with Skylake and later generation CPUs, although Import Optimization can be enabled.
How to Enable Retpoline
The Retpoline update was part of the March 1st cumulative update for Windows 10 version 1809 and later (KB4482887), and it is disabled by default. But customers who wish to manually enable Retpoline on their systems can by manually editing the registry. Use the reg.exe command-line tool to add two keys to the registry and then reboot the system. The keys below are for client SKUs.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0x400 reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 0x400
If you want to enable Retpoline on server SKUs of Windows, use the following commands and reboot:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0x400 reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 0x401
The registry keys are for customers that have the default mitigation settings already enabled. Windows 10 client SKUs have the mitigations enabled by default. If you add the registry keys on server SKUs, default mitigations will be enabled. For more details, read Microsoft’s blog post carefully here.
Speculation Control Settings
To check the status of speculation control mitigations on your system, use the Get-SpeculationControlSettings PowerShell cmdlet. Install-Module downloads the SpeculationControl module from GitHub.
Install-Module -Name SpeculationControl Import-Module SpeculationControl Get-SpeculationControlSettings
Before running Get-SpeculationControlSettings, the PowerShell execution policy should be set to RemoteSigned. If Retpoline and Import Optimization are enabled on the system, you should see the following line in the output:
BTIKernelRetpolineEnabled : True
BTIKernelImportOptimizationEnabled : True
In the screenshot above, you can see that on my system Retpoline isn’t enabled.
$SaveExecutionPolicy = Get-ExecutionPolicy Set-ExecutionPolicy RemoteSigned -Scope Currentuser
To reset the execution policy, run:
Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser
Retpoline Arrives Early for Windows 10
The Retpoline patch for Windows 10 was originally slated to arrive in the Windows 10 May 2019 Update but Microsoft will enable the fix in Windows 10 version 1809 for some users. Most users won’t need to do anything, and Microsoft will automatically enable the patch at some point in the future if it is compatible with your system and it has tested to be stable.
According to Google, Retpoline has negligible impact on performance, as opposed to the mitigations most OS vendors put in place. So, customers who want to do their own testing or have specific cases where they would benefit from enabling the patch manually, like on server workloads, can do so using the registry keys provided.
More in Windows 10
IT Admins Report Issues With Microsoft Store Version of Quick Assist App
May 16, 2022 | Rabia Noureen
Microsoft Releases May 2022 Patch Tuesday Updates
May 11, 2022 | Laurent Giret
What’s New with Windows – April 2022
May 2, 2022 | Russell Smith
This Week in IT - Is Microsoft Killing Off Patch Tuesday?
Apr 22, 2022 | Russell Smith
Windows 10 November 2021 Update is Now Ready for Broad Deployment
Apr 18, 2022 | Rabia Noureen
This Week in IT - Windows 10 Gets Search Highlights and Is Microsoft in Hot Water Over Windows Cloud Pricing?
Apr 15, 2022 | Russell Smith
Most popular on petri