Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Community Manager
2,308 Views

NUC6CAYH SA-00088

I updated the NUC6CAYH to latest bios AYAPLCEL.86A 0047 that has new microcode to protect against INTEL-SA-00088 vulnerabilities

Windows Registry Settings

FeatureSettingsOverride = 0

FeatureSettingsOverrideMask = 3

Before the AYAPLCEL.86A 0047 bios update (0045 in my case) everything under CVE-2017-5754 [roque data cache load] was displayed in green using the Get-SpeculationControlSettings Powershell script provided by Microsoft.

Does this mean that after the AYAPLCEL.86A 0047 bios update the "software" fix from Microsoft to protect against Meltdown is not needed anymore? Or can anyone explain me why this is now again displayed in red?

14 Replies
Highlighted
Community Manager
26 Views

Hi RvdH,

 

 

Thank you for bringing this to our attention, let me help you on this matter. 3

 

 

Since the latest Intel® NUC BIOS provides the fix for the Security Advisory-00088, the Microsoft* tool is no longer needed.

 

I would recommend checking with Microsoft* to see if they have information on this "Windows OS support for Kernel VA shadow is enabled: False" message.

 

https://support.microsoft.com/en-us/contactus/ https://support.microsoft.com/en-us/contactus/

 

 

Regards,

 

Allan J

 

0 Kudos
Highlighted
Super User Retired Employee
26 Views

There are essentially three vulnerabilities, Meltdown, SpectreA and SpectreB. Only SpectreB can be addressed by microcode change. The other two vulnerabilities can only be addressed by changes in the processor's silicon - which can only occur in future processors - or by workarounds in the Operating System. Bottom line, the workarounds in Windows that Microsoft has implemented are still absolutely necessary.

...S

Highlighted
Community Manager
26 Views

Hi Scott,

That is exactly why I am puzzled about the "Windows OS support for Kernel VA shadow is enabled: False" message after updating to BIOS version 0047

Like i said before, without BIOS update 0047 (rolling back to 0045) everything under the "Speculation control settings for CVE-2017-5754 [rogue data cache load]" section is displayed in green, what (if i understand it right) indicated OS enabled Meltdown protection

The registry settings are enabled as described inhttps://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-spec... this document provided by Microsoft, eg:

FeatureSettingsOverride = 0

FeatureSettingsOverrideMask = 3

BTW, the NUC6CAYH has Windows Server 2016 (build 1607) as OS installed (although not officially supported this runs smooth, hopefully /thread/122254?q=bluetooth bluetooth can be disabled from within bios in future as this is the only driver that can't be installed)

I think something is off here...being it either the tool to check against the vulnerabilities or the BIOS microcode itself breaks something that enables the tool to properly identify the vulnerabilities as being 'fixed'

Highlighted
Super User Retired Employee
26 Views

I haven't looked at the Microsoft stuff, so I cannot comment on that.

The reason why the parameters for disabling Bluetooth are not present in the BIOS is because the wireless module is not permanently attached and could be replaced. I argued that, for the NUC6CAYS and NUC6CAYH systems, they receive this module with the system and thus it should be supported as if it was permanent. They are looking into it...

...S

0 Kudos
Highlighted
Community Manager
26 Views

Hi RvdH,

 

 

I've recreated the behavior of the "Kernel VA Shadow is enabled" showing False after the BIOS update. I will try to get an answer on whether this is the expected behavior.
Highlighted
Community Manager
26 Views

Thanks..really wasn't sure how to get a answer on this, felt a bit like being shuttled here from pillar to post. Microsoft said: Ask Intel and Intel said: ask Microsoft

I've I read the https://support.microsoft.com/en-za/help/4074629/understanding-the-output-of-get-speculationcontrols... Understanding Get-SpeculationControlSettings PowerShell script output and if understand that explanation right, that is not the expected behavior for the output...or the hardware is no longer believed to be vulnerable, but i was under the impression the microcode updates were aimed at Spectre and not for Meltdown

Windows OS support for kernel VA shadow is enabled

Maps to KVAShadowWindowsSupportEnabled. This line tells you if the kernel VA shadow feature has been enabled. If it is True, the hardware is believed to be vulnerable to http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-5754 CVE-2017-5754, Windows operating system support is present, and the feature has been enabled. The Kernel VA shadow feature is currently enabled by default on client versions of Windows and is disabled by default on versions of Windows Server. If it is False, either Windows operating system support is not present, or the feature has not been enabled.

I can confirm the behavior is exactly the same on Windows 10 (i wanted to make sure it was not Windows server 2016 related)

And also rolling back to BIOS version 0045 makes "Kernel VA Shadow is enabled" revert to "True"

0 Kudos
Highlighted
Super User Retired Employee
26 Views

That is correct; the microcode updates are for SpectreB. Until such time as processors are available that have the appropriate fixes in silicon, both SpectreA and Meltdown require the workarounds in the O/S.

I do not know what is going on. I need an expert to fill me in on this stuff Microsoft has added. I will get back to you...

...S

0 Kudos
Highlighted
Community Manager
26 Views

Our engineers are working with Microsoft on this. The Get-SpeculationControlSettings script is incorrectly identifying that Kernel VA Shadowing is needed for this model of CPU. That's why it says "Hardware requires kernel VA shadowing: True". Our BIOS update is setting a MSR (model specific register) that should be telling the script that VA shadowing is not required.

 

 

The bottom line is that the CPU in the NUC6CAYH is not impacted by CVE-2017-5754 so your system has all the proper mitigations applied.

 

 

Let us know if you have additional questions.
0 Kudos
Highlighted
Community Manager
26 Views

OK, i'll keep my eyes open for a updated Get-SpeculationControlSettings script

Thanks for your feedback!

0 Kudos
Highlighted
Community Manager
26 Views

FYI, Finally updated script is made available by Microsoft, https://www.powershellgallery.com/packages/SpeculationControl/1.0.6 PowerShell Gallery | SpeculationControl 1.0.6

All seems to be OK now

Highlighted
New Contributor I
26 Views

RvdH wrote:

I think something is off here...being it either the tool to check against the vulnerabilities or the BIOS microcode itself breaks something that enables the tool to properly identify the vulnerabilities as being 'fixed'

I'm confused. There isn't any article which would indicate that Apollo Lake platform (especially Celleron J3455) isn't vulnerable to Meltdown threat (CVE-2017-5754). But Microsoft Windows 10 clearly detects this CPU inside NUC6CAYS(/H) (after BIOS update to version 47) as not requiring KVAShadow protection. What's going on?

0 Kudos
Highlighted
New Contributor I
26 Views

RvdH wrote:

FYI, Finally updated script is made available by Microsoft, https://www.powershellgallery.com/packages/SpeculationControl/1.0.6 PowerShell Gallery | SpeculationControl 1.0.6

All seems to be OK now

"All OK" means that this CPU doesn't need KVAShadow protection enabled? Where is Intel documentation on this?

Highlighted
New Contributor I
26 Views

It seems that for some reason Goldmont CPU isn't vulnerable to Rouge Data Cache Load aka Meltdown (RDCL) as well as L1 Terminal Fault and Speculative Store Bypass (SSB). At least it reports that in MSR 0x10A.

Right now Speculative Control script version 1.0.9 reports:

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: True

Windows OS support for branch target injection mitigation is present: True

Windows OS support for branch target injection mitigation is enabled: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: False

Speculation control settings for CVE-2018-3639 [speculative store bypass]

Hardware is vulnerable to speculative store bypass: False

Speculation control settings for CVE-2018-3620 [L1 terminal fault]

Hardware is vulnerable to L1 terminal fault: False

Suggested actions

* Install the latest available updates for Windows with support for speculation control mitigations.

BTIHardwarePresent : True

BTIWindowsSupportPresent : True

BTIWindowsSupportEnabled : True

BTIDisabledBySystemPolicy : False

BTIDisabledByNoHardwareSupport : False

KVAShadowRequired : False

KVAShadowWindowsSupportPresent : True

KVAShadowWindowsSupportEnabled : False

KVAShadowPcidEnabled : False

SSBDWindowsSupportPresent : True

SSBDHardwareVulnerable : False

SSBDHardwarePresent : False

SSBDWindowsSupportEnabledSystemWide : False

L1TFHardwareVulnerable : False

L1TFWindowsSupportPresent : False

L1TFWindowsSupportEnabled : False

L1TFInvalidPteBit : 0

L1DFlushSupported : False

0 Kudos
Highlighted
New Contributor I
26 Views

After new wave of vulnerabilities (MDS) I must add that with new microcode version 0x38 Apollo Lake SoC's anounce that they are not vulnerable to these threats. They set bit 5 in MSR 0x10A called MDS_NO. Similar like SSBD_NO and RDCL_NO (Meltdown).

Only strange thing is that there is also bit 6 set and I don't know what it represent. Stay tuned.

0 Kudos