Mike is correct.  For more details about the individual results see this Microsoft release:

https://support.microsoft.com/en-us/help/4074629/understanding-the-output-of-get-speculationcontrolsettings-powershell


hth

gt


On 2018-01-09 5:08 PM, Mike wrote:
For CVE-2017-5754 [rogue data cache load] you are good as the PCID line doesn't impact security. For CVE-2017-5715 [branch target injection] you need a microcode/BIOS/firmware update.

The Windows patch is installed....
/Windows OS support for branch target injection mitigation is present: True/

But the hardware isn't fixed...
/Hardware support for branch target injection mitigation is present: False/

Which is causing the patch to be disabled...
/Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True/

As shown here...
/Windows OS support for branch target injection mitigation is enabled: False/

Once the hardware gets its fix the last two should go True.

On Tue, Jan 9, 2018 at 4:23 PM, Michael Leone <oozerd...@gmail.com> wrote:

    I've already issued the registry entries, so it looks like this:

    Speculation control settings for CVE-2017-5715 [branch target injection]

    Hardware support for branch target injection mitigation is present: False
    Windows OS support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is enabled: False
    Windows OS support for branch target injection mitigation is disabled by system policy: False
    Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

    Speculation control settings for CVE-2017-5754 [rogue data cache load]

    Hardware requires kernel VA shadowing: True
    Windows OS support for kernel VA shadow is present: True
    Windows OS support for kernel VA shadow is enabled: True
    Windows OS support for PCID optimization is enabled: False

    Suggested actions

     * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
     * Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support.microsoft.com/help/4072698


    BTIHardwarePresent             : False
    BTIWindowsSupportPresent       : True
    BTIWindowsSupportEnabled       : False
    BTIDisabledBySystemPolicy      : False
    BTIDisabledByNoHardwareSupport : True
    KVAShadowRequired              : True
    KVAShadowWindowsSupportPresent : True
    KVAShadowWindowsSupportEnabled : True
    KVAShadowPcidEnabled           : False



    On Tue, Jan 9, 2018 at 3:58 PM, Mike <craigslist...@gmail.com> wrote:

        Interesting. Can you post the output of the
        Get-SpeculationControlSettings command?

        On Tue, Jan 9, 2018 at 3:12 PM, Michael Leone <oozerd...@gmail.com> wrote:

            On Tue, Jan 9, 2018 at 3:00 PM, Mike <craigslist...@gmail.com> wrote:

                You only need the Registry entries on Server versions.
                You do need hardware support to protect against
                CVE-2017-5715.

                Run the Get-SpeculationControlSettings PowerShell
                command to get the details.
                https://gallery.technet.microsoft.com/scriptcenter/Speculation-Control-e36f0050



            I have run it. It didn't answer my question. If you don't
            run the registry entries, some values are false. I take
            "false" to mean "not as fully protected as you should be".
            Which indicates to me that I need the registry entries,
            even if it's not a server.

            Hence my question ...






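Added example, not part of the original thread and not code from the SpeculationControl module: a small PowerShell helper that applies the reading of the flags given in the thread to the property block the command prints. The function name `Get-SpeculationDiagnosis` and its result strings are hypothetical; the property names and sample values are the ones posted above.

```powershell
# Hypothetical helper (not part of the SpeculationControl module): turns the
# property block from Get-SpeculationControlSettings into one finding per CVE.
function Get-SpeculationDiagnosis {
    param([Parameter(Mandatory)] [psobject] $Settings)

    # CVE-2017-5715: the OS mitigation only turns on once the hardware side exists.
    $bti = if ($Settings.BTIWindowsSupportEnabled) {
        'Mitigated'
    } elseif (-not $Settings.BTIWindowsSupportPresent) {
        'Windows update missing'
    } elseif ($Settings.BTIDisabledBySystemPolicy) {
        'Disabled by system policy'
    } elseif ($Settings.BTIDisabledByNoHardwareSupport -or -not $Settings.BTIHardwarePresent) {
        'Needs microcode/BIOS/firmware update'
    } else {
        'Present but not enabled'
    }

    # CVE-2017-5754: the PCID flag is ignored on purpose, since per the thread
    # it does not impact security.
    $kva = if (-not $Settings.KVAShadowRequired) {
        'Not required on this hardware'
    } elseif ($Settings.KVAShadowWindowsSupportEnabled) {
        'Mitigated'
    } elseif (-not $Settings.KVAShadowWindowsSupportPresent) {
        'Windows update missing'
    } else {
        'Present but not enabled'
    }

    [pscustomobject]@{ 'CVE-2017-5715' = $bti; 'CVE-2017-5754' = $kva }
}

# Values as posted in the thread, rebuilt as an object so this runs on any machine.
$posted = [pscustomobject]@{
    BTIHardwarePresent             = $false
    BTIWindowsSupportPresent       = $true
    BTIWindowsSupportEnabled       = $false
    BTIDisabledBySystemPolicy      = $false
    BTIDisabledByNoHardwareSupport = $true
    KVAShadowRequired              = $true
    KVAShadowWindowsSupportPresent = $true
    KVAShadowWindowsSupportEnabled = $true
    KVAShadowPcidEnabled           = $false
}
Get-SpeculationDiagnosis -Settings $posted
```

For the posted values this reports a pending microcode/BIOS/firmware update for CVE-2017-5715 and a working mitigation for CVE-2017-5754, matching Mike's reading. On a machine with the module installed, the object emitted by `Get-SpeculationControlSettings` can be passed in place of `$posted`.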