Finally it seems that Windows 10 systems with AMD CPUs can be protected against the Spectre V2 vulnerability with an update. However, there are a lot of hurdles to overcome in order to enjoy the Spectre V2 protection. Here is some information.
A German blog reader pointed me to the details – due to Microsoft’s patch day I haven’t had the time to sum things up.
Update KB4093112 for Windows 10 V1709
Blog reader Karl noticed, that cumulative update KB4093112 (mentioned within my blog post Patchday: Windows 10 Updates April 10, 2018) for Windows 10 Version 1709 (Fall Creators Update) also contains a fix for Spectre V2 on AMD CPUs:
Provides support to control usage of Indirect Branch Prediction Barrier (IBPB) within some AMD processors (CPUs) for mitigating CVE-2017-5715, Spectre Variant 2 when switching from user context to kernel context (See AMD Architecture Guidelines around Indirect Branch Control and AMD Security Updates for more details). Follow instructions outlined in KB4073119 for Windows Client (IT Pro) guidance to enable usage of IBPB within some AMD processors (CPUs) for mitigating Spectre Variant 2 when switching from user context to kernel context.
To obtain this Spectre V2 mitigation, microcode updates for AMD processors are required. These updates must be delivered as BIOS updates for the respective motherboards. The microcode updates provided by AMD go back to the AMD Bulldozer CPU generation introduced in 2011.
A combination of a BIOS update with the new microcode and the above-mentioned update KB4093112 mitigates Spectre V2 on systems with Windows 10 Version 1709 (Fall Creators Update).
The crux: theory and practice are two different things
To benefit from Spectre V2 protection, you would first need the microcode update for the motherboard in question. Karl wrote within an e-mail:
This topic is getting more and more abstruse. Of the 57 systems I support, only 11 are effectively protected against Spectre / Meltdown; for 4 more there are still BIOS updates available. 26 systems have not yet been tested. So 16 are still known to be without a patch.
In official whitepapers, for example, many HP systems are marked as BIOS update still pending. The HP tool Support Assist does not find BIOS updates, but there is actually one from the end of March for 2 laptop systems. So not a formerly withdrawn update.
In other words, the whitepapers are no longer maintained, especially the updater products.
Another game at Medion [a German vendor]. There you won’t find any BIOS updates in the DL of the support section, but via the official topic page (even maintained, different from HP).
It’s a little better at DELL. The BIOS updates also arrive in Dell Command Update and Support Assist.
Asus wrote to me that motherboards with Intel B,H,Z 6x / 7x / 8x chipsets “according to Taiwan” should get updates until the end of May.
That would be hurdle #1 that the user has to manage. Hurdle #2 is the fact that the mitigation is offered only in certain operating systems. Update KB4093112 currently supports only systems with Windows 10 Version 1709 (Fall Creators Update). And it works only if hurdle #1 has been managed and a BIOS update has been installed. If that update is available, what about Windows Server 2016? Karl wrote (Source):
Operating System Updates for GPZ Variant 2/Spectre
Microsoft is releasing an operating system update containing Variant 2 (Spectre) mitigations for AMD users running Windows 10 (version 1709) today. Support for these mitigations for AMD processors in Windows Server 2016 is expected to be available following final validation and testing.
AMD Microcode Updates for GPZ Variant 2/Spectre
In addition, microcode updates with our recommended mitigations addressing Variant 2 (Spectre) have been released to our customers and ecosystem partners for AMD processors dating back to the first “Bulldozer” core products introduced in 2011. AMD customers will be able to install the microcode by downloading BIOS updates provided by PC and server manufacturers and motherboard providers. Please check with your provider for the latest updates.
We will provide further updates as appropriate on this site as AMD and the industry continue our collaborative work to develop solutions to protect users from security threats.
Everything is on hold – so you have to wait until the OEMs deliver BIOS updates and until Microsoft provides Windows updates. But it gets even better, because there is a third hurdle. Microsoft’s document Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities states that the following keys must be set manually to enable usage of the Indirect Branch Prediction Barrier (IBPB) introduced by the microcode update and the patch, in order to protect against Spectre V2 on AMD CPUs:
To enable usage of Indirect Branch Prediction Barrier (IBPB) when switching from user context to kernel context:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 64 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
These values differ from the Intel registry settings for enabling protection against CVE-2017-5715 (Branch Target Injection). The whole thing can only be regarded as a ‘surreal’ or alibi event. ‘Yes, we have updates to mitigate Spectre V2. Uh, you don’t have Windows 10 V1709 and a BIOS update with new microcode? We are so sorry, then this update is not for you Sir …’. Well done.
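Since all three hurdles have to be cleared on every single machine, an administrator wants a repeatable check rather than two blind reg add calls. The following PowerShell script is an added example written for this post; it is not code from the blog, from Microsoft or from AMD. It checks the prerequisites named above (an AMD CPU, Windows 10 build 16299 for Version 1709, and KB4093112 installed), reads the two registry values, compares them with the 64 / 3 pair quoted from KB4073119, and can apply them from an elevated session. The function names, the parameter names and the build-number check are this example's own assumptions.

```powershell
# Added example, not from the original post: audit and optionally apply the AMD IBPB
# registry override quoted above (KB4073119). Values 64 / 3 come from that guidance;
# everything else (function names, prerequisite checks) is an assumption of this example.

$MemMgmtKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$ExpectedOverride = 64    # FeatureSettingsOverride for AMD IBPB on user->kernel switches
$ExpectedMask     = 3     # FeatureSettingsOverrideMask from the same guidance
$RequiredBuild    = '16299'   # Windows 10 Version 1709 (Fall Creators Update)
$RequiredHotfix   = 'KB4093112'

function Test-AmdIbpbPrerequisites {
    # Hurdle #2 (OS version + cumulative update) and the CPU vendor check.
    # Hurdle #1 (BIOS/microcode) cannot be read from the registry; see the usage note.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $hotfixPresent = $null -ne (Get-HotFix -Id $RequiredHotfix -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        IsAmdCpu        = ($cpu.Manufacturer -eq 'AuthenticAMD')
        OsBuild         = $os.BuildNumber
        IsVersion1709   = ($os.BuildNumber -eq $RequiredBuild)
        UpdateInstalled = $hotfixPresent
    }
}

function Get-AmdIbpbOverrideState {
    # Reads both DWORDs; a missing value shows up as $null, so "not configured" is visible.
    $props    = Get-ItemProperty -Path $MemMgmtKey -ErrorAction Stop
    $override = $props.FeatureSettingsOverride
    $mask     = $props.FeatureSettingsOverrideMask
    [pscustomobject]@{
        Override        = $override
        Mask            = $mask
        MatchesGuidance = (($override -eq $ExpectedOverride) -and ($mask -eq $ExpectedMask))
    }
}

function Set-AmdIbpbOverride {
    # Writes the documented pair; supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $pre = Test-AmdIbpbPrerequisites
    if (-not ($pre.IsAmdCpu -and $pre.IsVersion1709 -and $pre.UpdateInstalled)) {
        throw "Prerequisites not met: AMD CPU=$($pre.IsAmdCpu), build 16299=$($pre.IsVersion1709), $RequiredHotfix=$($pre.UpdateInstalled)"
    }

    $state = Get-AmdIbpbOverrideState
    if ($state.MatchesGuidance) {
        Write-Verbose 'Registry values already match KB4073119 guidance.'
        return $state
    }

    # HKLM\SYSTEM is writable only from an elevated session.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    $action = "Set FeatureSettingsOverride=$ExpectedOverride, FeatureSettingsOverrideMask=$ExpectedMask"
    if ($PSCmdlet.ShouldProcess($MemMgmtKey, $action)) {
        New-ItemProperty -Path $MemMgmtKey -Name 'FeatureSettingsOverride'     -PropertyType DWord -Value $ExpectedOverride -Force | Out-Null
        New-ItemProperty -Path $MemMgmtKey -Name 'FeatureSettingsOverrideMask' -PropertyType DWord -Value $ExpectedMask     -Force | Out-Null
    }
    Get-AmdIbpbOverrideState
}

# Usage:
#   Test-AmdIbpbPrerequisites | Format-List
#   Get-AmdIbpbOverrideState  | Format-List
#   Set-AmdIbpbOverride -WhatIf      # preview
#   Set-AmdIbpbOverride -Verbose     # apply, then reboot
```

The registry values only take effect after a reboot, and they say nothing about hurdle #1: whether the BIOS actually delivered the new microcode. For that, Microsoft's SpeculationControl module (Get-SpeculationControlSettings, installed with Install-Module SpeculationControl) reports whether hardware support for the branch target injection mitigation is present and whether Windows has enabled it, which is the check to run after the reboot before marking a machine as protected.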
Addendum: The German blog reader pointed out that the registry entry need