Dar*_*ren 4 update vulnerabilities windows-server-2008-r2
I have installed the patch released today as detailed here, and then set the two registry keys as mentioned:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
However, when I run the provided PowerShell module to check, it informs me that the mitigations are still not enabled:
PS C:\Users\Administrator> get-speculationcontrolsettings
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is enabled: False
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: False
Windows OS support for kernel VA shadow is enabled: False
Suggested actions
* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
* Install the latest available updates for Windows with support for speculation control mitigations.
* Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support.microsoft.com/help/4072698
BTIHardwarePresent : False
BTIWindowsSupportPresent : False
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : False
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : False
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False
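Why is this? What else do I need to do? I have rebooted the server, with no improvement.
Update after the answer from @Paul:
I have now installed the correct update (wally), and this is the output of the PowerShell cmdlet: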
PS C:\Users\Administrator> get-speculationcontrolsettings
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: True
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: False
Suggested actions
* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
* Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support.microsoft.com/help/4072698
BTIHardwarePresent : False
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : True
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False
Is this everything I can do while waiting for the microcode update?
小智 5
Firstly, the output above is saying that the required Windows patch has not been installed:
Speculation control settings for CVE-2017-5715 [branch target injection]
Windows OS support for branch target injection mitigation is present: False
and
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Windows OS support for kernel VA shadow is present: False
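Is your AV blocking it? - See here
Secondly, CVE-2017-5715 also requires a CPU microcode update, which means a BIOS update when/if one is made available. Intel have apparently released the code, but it is up to the OEMs to provide updated BIOSes containing it, and this may take a while.
All you can do right now is install the Windows patch. Once the correct patch is installed, you should be covered for Meltdown, but will still need the subsequent BIOS update to be fully covered for Spectre.
FYI, this is the output from my (patched) Windows 10 system: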
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: False
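You will note that for CVE-2017-5715 it shows that the patch is installed but not enabled due to "absence of hardware support" (i.e. the microcode update).
You will also note that for CVE-2017-5754 it simply says that it is not required - this is because I am running on an AMD CPU.
As for your side note, I can't say for certain without testing, but if you look closely, the FeatureSettingsOverride key for disabling is set to 3, rather than the 0 required to enable it, so I would assume that you need the same mask in both cases, and either 0 (enable) or 3 (disable) for the FeatureSettingsOverride key.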
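The triage the answer walks through, as an added PowerShell example that is not part of the original thread: it maps the properties shown in the Get-SpeculationControlSettings output above to the piece that is still missing (Windows patch, BIOS/microcode, or registry values). The function name Get-MitigationGap and the sample object are constructed for illustration; the 0 and 3 registry values are the pair set in the question.

```powershell
# Added example, not from the original thread. Property names are taken from the
# Get-SpeculationControlSettings output quoted on this page.
function Get-MitigationGap {
    param(
        [Parameter(Mandatory=$true)] $Settings,  # object returned by Get-SpeculationControlSettings
        $Override,                               # FeatureSettingsOverride, $null if absent
        $OverrideMask                            # FeatureSettingsOverrideMask, $null if absent
    )
    $gaps = @()
    # CVE-2017-5715 (branch target injection)
    if (-not $Settings.BTIWindowsSupportPresent) {
        $gaps += 'CVE-2017-5715: Windows patch not installed'
    } elseif (-not $Settings.BTIWindowsSupportEnabled) {
        if ($Settings.BTIDisabledByNoHardwareSupport -or -not $Settings.BTIHardwarePresent) {
            $gaps += 'CVE-2017-5715: waiting on BIOS/microcode update from the OEM'
        }
        if ($Settings.BTIDisabledBySystemPolicy) {
            $gaps += 'CVE-2017-5715: disabled by system policy, check registry values'
        }
    }
    # CVE-2017-5754 (rogue data cache load); only relevant when the CPU requires it
    if ($Settings.KVAShadowRequired) {
        if (-not $Settings.KVAShadowWindowsSupportPresent) {
            $gaps += 'CVE-2017-5754: Windows patch not installed'
        } elseif (-not $Settings.KVAShadowWindowsSupportEnabled) {
            $gaps += 'CVE-2017-5754: patch present but kernel VA shadow not enabled'
        }
    }
    # Registry values: the question sets FeatureSettingsOverride=0 with mask 3
    if ($null -eq $Override -or $null -eq $OverrideMask) {
        $gaps += 'Registry: FeatureSettingsOverride / FeatureSettingsOverrideMask not both set'
    } elseif ($Override -ne 0 -or $OverrideMask -ne 3) {
        $gaps += "Registry: Override=$Override Mask=$OverrideMask (question sets 0 and 3)"
    }
    return ,$gaps
}

# Constructed sample mirroring the second output in the question
$sample = New-Object PSObject -Property @{
    BTIHardwarePresent = $false; BTIWindowsSupportPresent = $true
    BTIWindowsSupportEnabled = $false; BTIDisabledBySystemPolicy = $true
    BTIDisabledByNoHardwareSupport = $true; KVAShadowRequired = $true
    KVAShadowWindowsSupportPresent = $true; KVAShadowWindowsSupportEnabled = $false
}
Get-MitigationGap -Settings $sample -Override 0 -OverrideMask 3

# On a live system (commented out so the example runs offline):
# $mm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
# Get-MitigationGap -Settings (Get-SpeculationControlSettings) -Override $mm.FeatureSettingsOverride -OverrideMask $mm.FeatureSettingsOverrideMask
```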