I have installed the patch released today, details here, and then set the two registry keys described there:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
However, when I run the provided PowerShell module to check, it tells me the mitigations are still not enabled:
PS C:\Users\Administrator> get-speculationcontrolsettings
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is enabled: False
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: False
Windows OS support for kernel VA shadow is enabled: False
Suggested actions
* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
* Install the latest available updates for Windows with support for speculation control mitigations.
* Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support.microsoft.com/help/4072698
BTIHardwarePresent : False
BTIWindowsSupportPresent : False
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : False
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : False
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False
Why is this? What else do I need to do? I have already rebooted the server, but nothing has improved.
Update following the answer from @Paul:
I have now installed the correct update (wally), and this is the output of the PowerShell cmdlet:
PS C:\Users\Administrator> get-speculationcontrolsettings
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: True
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: False
Suggested actions
* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
* Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support.microsoft.com/help/4072698
BTIHardwarePresent : False
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : True
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False
Is this all I can do while waiting for the microcode update?
Answer 1
First, the output above shows that the required Windows patch has not been installed:
Speculation control settings for CVE-2017-5715 [branch target injection]
Windows OS support for branch target injection mitigation is present: False
and
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Windows OS support for kernel VA shadow is present: False
Is your AV blocking it? - see here
Second, CVE-2017-5715 also requires a CPU microcode update, which means a BIOS update if one is available. Intel has apparently released the code, but the OEM needs to provide an updated BIOS containing it, which may take a while.
All you can do right now is install the Windows patch. Once the correct patch is installed, you should be covered for Meltdown, but you will still need the subsequent BIOS update to fully address Spectre.
FYI, this is the output from my (patched) Windows 10 system:
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: False
You will notice that for CVE-2017-5715 it shows the patch is installed but not enabled due to "absence of hardware support" (i.e. the microcode update).
You will also notice that for CVE-2017-5754 it simply says it is not required - this is because I am running on an AMD CPU.
As for your side note, I can't say for sure without testing, but if you look carefully, to disable it the FeatureSettingsOverride key is set to 3 rather than the 0 needed to enable it, so I assume you need the same mask for both, but for the FeatureSettingsOverride key either 0 (enable) or 3 (disable).
Answer 2
There are 3 registry keys, not 2. See here:
You missed this one:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
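The three registry values discussed in the question and in this answer, read back from PowerShell as an added example (not code from the question or the answers): it reports each value and interprets the FeatureSettingsOverride/FeatureSettingsOverrideMask pair the way Answer 1 does (0/3 enables, 3/3 disables). The function name Get-RegValue is an assumption of this example; Get-SpeculationControlSettings remains the authoritative check.

```powershell
# Added example: read the three registry values this thread discusses and
# report whether they match the "enable" (0/3) or "disable" (3/3) pattern.
# Run from an elevated PowerShell prompt.

$mm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$virt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Get-RegValue([string]$Path, [string]$Name) {
    # Hypothetical helper: returns $null when the key or value is missing instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$override = Get-RegValue $mm   'FeatureSettingsOverride'
$mask     = Get-RegValue $mm   'FeatureSettingsOverrideMask'
$minVm    = Get-RegValue $virt 'MinVmVersionForCpuBasedMitigations'

function Show-Value($v) { if ($null -eq $v) { '<absent>' } else { $v } }
"FeatureSettingsOverride           : $(Show-Value $override)"
"FeatureSettingsOverrideMask       : $(Show-Value $mask)"
"MinVmVersionForCpuBasedMitigations: $(Show-Value $minVm)"

# Interpret the pair as the thread does: 0/3 requests the mitigations, 3/3 disables them.
if ($mask -ne 3) {
    'Mask is not 3: the override value is not applied to the speculation-control bits.'
} elseif ($override -eq 0) {
    'Override 0 / Mask 3: mitigations requested ON (still needs the patched OS and, for CVE-2017-5715, microcode).'
} elseif ($override -eq 3) {
    'Override 3 / Mask 3: mitigations DISABLED by policy (matches "disabled by system policy: True").'
} else {
    "Override $override / Mask 3: not one of the two settings from the thread; re-check the reg add commands."
}

if ($null -eq $minVm) {
    'MinVmVersionForCpuBasedMitigations is absent; Answer 2 adds it as REG_SZ "1.0".'
}
```

A "disabled by system policy: True" line in the cmdlet output alongside Override 3 is the signature of the mix-up Answer 1 and Answer 3 describe.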
Answer 3
Without the firmware update, CVE-2017-5715 is correct for me, but CVE-2017-5754 now shows as installed but disabled. Have you checked the settings of the registry keys that enable it?
I have also just noticed that CVE-2017-5715 shows as disabled by system policy as well as by absence of hardware support, which also suggests the registry settings are wrong.
Answer 4
I had the same problem as Marco Vernaglione. Thanks to the VMware driver and the microcode downloaded from Intel, I now have hardware support and OS support, but the mitigation is still disabled.
So that is definitely the way to enable hardware support.
I tried reinstalling the kb4056892 Windows update, but nothing changed.