windows-server-2008-r2 – I cannot enable the Meltdown / Spectre mitigations on Windows Server 2008 R2

I installed the patch released today following the details here, and then set the two registry values as described:
reg add "HKEY_LOCAL_MACHINE\SYstem\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYstem\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

But when I run the PowerShell module provided for checking, it tells me the mitigations are still not enabled:

PS C:\Users\Administrator> get-speculationcontrolsettings
Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is enabled: False

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: False
Windows OS support for kernel VA shadow is enabled: False

Suggested actions

 * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
 * Install the latest available updates for Windows with support for speculation control mitigations.
 * Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support.microsoft.com/help/4072698


BTIHardwarePresent             : False
BTIWindowsSupportPresent       : False
BTIWindowsSupportEnabled       : False
BTIdisabledBySystemPolicy      : False
BTIdisabledByNoHardwareSupport : False
KVAShadowrequired              : True
KVAShadowWindowsSupportPresent : False
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled           : False

Why is this? Is there anything else I need to do? I have rebooted the server, with no improvement.

Update after @Paul's answer:

I have now installed the correct update (finally); this is the output of the PowerShell cmdlet:

PS C:\Users\Administrator> get-speculationcontrolsettings
Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: True
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: False

Suggested actions

 * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
 * Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support.microsoft.com/help/4072698


BTIHardwarePresent             : False
BTIWindowsSupportPresent       : True
BTIWindowsSupportEnabled       : False
BTIdisabledBySystemPolicy      : True
BTIdisabledByNoHardwareSupport : True
KVAShadowrequired              : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled           : False

Is this all I can do until the microcode update arrives?

First, the output above says that the required Windows patch is not installed:
Speculation control settings for CVE-2017-5715 [branch target injection]

Windows OS support for branch target injection mitigation is present: False

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Windows OS support for kernel VA shadow is present: False

Is your AV blocking it? See here.

Secondly, CVE-2017-5715 also requires a CPU microcode update, which means updating the BIOS once one is available. Intel has apparently released the microcode, but it is up to the OEMs to ship an updated BIOS, and that may take a while.

All you can do right now is install the Windows patch. Once the correct patch is installed you should be protected against Meltdown, but you will still need the subsequent BIOS update for full coverage against Spectre.

Here is the output from my (patched) Windows 10 system:

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: False

You will notice that for CVE-2017-5715 it shows the patch is installed but not enabled because of "absence of hardware support" (i.e. the microcode update).

You will also notice that for CVE-2017-5754 it simply says it is not required; that is because I am running on an AMD CPU.

As for your side note, I can't be sure without testing, but if you look carefully, to disable the mitigation the FeatureSettingsOverride key is set to 3 rather than 0 for enabling it, so I assume you need the same mask for both, with the FeatureSettingsOverride key being either 0 (enable) or 3 (disable).
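Added example (not code from the question or the answer): a PowerShell helper that turns the object returned by Get-SpeculationControlSettings into the three states the answer distinguishes (patch missing, patched but waiting on microcode, disabled by policy / not required) and shows the registry override next to it. It assumes the SpeculationControl module is already loaded and that the property names are those printed in the outputs above; Get-SpeculationControlDiagnosis is a hypothetical name.

```powershell
function Get-SpeculationControlDiagnosis {
    param(
        # Object from Get-SpeculationControlSettings; if omitted, the cmdlet is called here.
        $Settings
    )
    if (-not $Settings) { $Settings = Get-SpeculationControlSettings }

    $findings = @()

    # CVE-2017-5715 (Spectre variant 2, branch target injection)
    if (-not $Settings.BTIWindowsSupportPresent) {
        $findings += 'BTI: Windows patch not installed (check whether AV is blocking the update).'
    } elseif ($Settings.BTIWindowsSupportEnabled) {
        $findings += 'BTI: mitigation enabled.'
    } else {
        if ($Settings.BTIdisabledByNoHardwareSupport) {
            $findings += 'BTI: patched, but waiting on CPU microcode (OEM BIOS/firmware update).'
        }
        if ($Settings.BTIdisabledBySystemPolicy) {
            $findings += 'BTI: disabled by system policy (FeatureSettingsOverride / FeatureSettingsOverrideMask).'
        }
    }

    # CVE-2017-5754 (Meltdown, rogue data cache load); property names are case-insensitive
    if (-not $Settings.KVAShadowRequired) {
        $findings += 'KVA shadow: not required on this CPU (e.g. AMD).'
    } elseif (-not $Settings.KVAShadowWindowsSupportPresent) {
        $findings += 'KVA shadow: Windows patch not installed.'
    } elseif ($Settings.KVAShadowWindowsSupportEnabled) {
        $pcid = if ($Settings.KVAShadowPcidEnabled) { ' (PCID in use)' } else { '' }
        $findings += "KVA shadow: enabled$pcid."
    } else {
        $findings += 'KVA shadow: patch present but not enabled; verify the registry override and reboot.'
    }

    # Report the raw override values so the policy state is visible beside the cmdlet result.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $findings += ('Registry: FeatureSettingsOverride={0} FeatureSettingsOverrideMask={1}' -f $reg.FeatureSettingsOverride, $reg.FeatureSettingsOverrideMask)

    return $findings
}

# Live run on the current machine; to evaluate a saved result instead, pass it as -Settings.
Get-SpeculationControlDiagnosis | ForEach-Object { Write-Output $_ }
```

Run against the second output in the question, it would report BTI as both waiting on microcode and disabled by policy, and KVA shadow as present but not enabled, which is exactly the combination the answer tells the asker to resolve with the registry override plus a later BIOS update.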
