Windows 10 V1809: Enable Retpoline Spectre V2 protection

[German]Microsoft introduces Retpoline as protection against Spectre 2 attacks in Windows 10 (Version 1809 and later). So far, however, Retpoline is disabled on Windows 10 clients. Admins of Windows 10 V1809 can already activate the Retpoline Spectre 2 protection manually via registry settings.


Advertising

The background of Retpoline

Retpoline (Return Trampoline) is a compiler technology developed by Google to protect executable code against page channel attacks (Spectre) via branch-target-injection. As opposed to microcode updates, which lead to a loss of performance and can only be offered processor-specifically, Retpoline as compiler technology avoids these performance losses.

While the Linux developers quickly adopted this technology into the kernel, Microsoft relied on microcode updates. Only from Windows 10 19H1 is Retpoline used in the Windows kernel as protection against Spectre V2 attacks. In autumn 2018 I had reported about it in the article Windows 10 19H1 with Retpoline Spectre V2 Mitigation. There you can also read the confirmation of Microsoft's Mehmet Iyigun from the Windows/Azure Kernel Team.

Because Retpoline is a performance optimization for the Spectre Variant 2 vulnerability, it requires hardware and operating system support for Branch Target Injection to be present and enabled. Skylake and later generations of Intel processors are not compatible with Retpoline. Only import optimization is enabled on these processors, according to Microsoft. This is a special Microsoft technique designed to minimize overhead during kernel calls. Details about the requirements for Windows machines (e.g. processors) can be found in this document.

Retpoline Backport for Windows 10 V1809

Microsoft will port Retpoline technology back to older Windows 10 versions in the coming months. Microsoft started with the update KB44828887 for Windows 10 Version 1809, which was released on March 1, 2019. The blog post Windows 10 V1809: Update KB4482887 released (03/01/2019) contains the corresponding note:

Enables "Retpoline" for Windows on certain devices, which may improve performance of Spectre variant 2 mitigations (CVE-2017-5715).

In the blog post Mitigating Spectre variant 2 with Retpoline on Windows Microsoft had already published some information about Retpoline and Windows 10 at the beginning of December 2018 (see also my blog post New SplitSpectre-Attack; Windows Retpoline Spectre Mitigation). This Microsoft blog post has been updated with new information over the last few days.

On March 1, 2019, Microsoft announced that it had backported the operating system changes required to support Retpoline. This allows Retpoline to be used in the Windows 10 version 1809 kernel. These changes were introduced in update KB44828887 dated March 1, 2019. Due to the complexity of the implementation and the associated changes, Microsoft wants to activate Retpoline and the associated performance benefits only for Windows 10, version 1809 and later releases.


Advertising

In addition, according to Microsoft, Retpoline is currently deactivated by default on Windows 10 client devices anyway. Microsoft states that Retpoline will be activated in the coming months as part of a step-by-step rollout via the cloud configuration. Microsoft will determine when a Windows 10 client will receive Retpoline activation.

Manual Retpoline Release during Rollout phase

In an addendum to March 5, 2019, Microsoft's Mehmet Iyigun of the Windows/Azure Kernel Team now provides hints on how users can manually release Retpoline during the rollout phase. On Windows 10 V1809 clients, the following commands must be executed in an administrative prompt to activate Retpoline.

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0x400

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 0x400

The machine must then be restarted. On Windows Server 2019, on the other hand, the following commands must be entered:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0x400

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 0x401

Here, too, the machine must be restarted afterwards. Whether Retpoline is enabled can be determined with the PowerShell command:

Get-SpeculationControlSettings

The required background information can be found in this Microsoft article.

Similar articles:
Windows 10 19H1 with Retpoline Spectre V2 Mitigation
New SplitSpectre-Attack; Windows Retpoline Spectre Mitigation
Windows 10 V1809: Update KB4482887 released (03/01/2019)


Advertising

This entry was posted in Security, Windows and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).