I have installed the patch released today as detailed here, and then set the two registry keys as mentioned:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
However, when I run the provided PowerShell module to check, it tells me that the mitigations are still not enabled:
    PS C:\Users\Administrator> get-speculationcontrolsettings
    Speculation control settings for CVE-2017-5715 [branch target injection]

    Hardware support for branch target injection mitigation is present: False
    Windows OS support for branch target injection mitigation is present: False
    Windows OS support for branch target injection mitigation is enabled: False

    Speculation control settings for CVE-2017-5754 [rogue data cache load]

    Hardware requires kernel VA shadowing: True
    Windows OS support for kernel VA shadow is present: False
    Windows OS support for kernel VA shadow is enabled: False

    Suggested actions

     * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
     * Install the latest available updates for Windows with support for speculation control mitigations.
     * Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support.microsoft.com/help/4072698

    BTIHardwarePresent             : False
    BTIWindowsSupportPresent       : False
    BTIWindowsSupportEnabled       : False
    BTIDisabledBySystemPolicy      : False
    BTIDisabledByNoHardwareSupport : False
    KVAShadowrequired              : True
    KVAShadowWindowsSupportPresent : False
    KVAShadowWindowsSupportEnabled : False
    KVAShadowPcidEnabled           : False
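Why is this? What else do I need to do? I have rebooted the server, with no improvement.
Update after the answer from @Paul:
I have now installed the correct update (wally), and this is the output of the PowerShell cmdlet: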
    PS C:\Users\Administrator> get-speculationcontrolsettings
    Speculation control settings for CVE-2017-5715 [branch target injection]

    Hardware support for branch target injection mitigation is present: False
    Windows OS support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is enabled: False
    Windows OS support for branch target injection mitigation is disabled by system policy: True
    Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

    Speculation control settings for CVE-2017-5754 [rogue data cache load]

    Hardware requires kernel VA shadowing: True
    Windows OS support for kernel VA shadow is present: True
    Windows OS support for kernel VA shadow is enabled: False

    Suggested actions

     * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
     * Follow the guidance for enabling Windows support for speculation control mitigations are described in https://support.microsoft.com/help/4072698

    BTIHardwarePresent             : False
    BTIWindowsSupportPresent       : True
    BTIWindowsSupportEnabled       : False
    BTIDisabledBySystemPolicy      : True
    BTIDisabledByNoHardwareSupport : True
    KVAShadowrequired              : True
    KVAShadowWindowsSupportPresent : True
    KVAShadowWindowsSupportEnabled : False
    KVAShadowPcidEnabled           : False
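Is this everything I can do until the microcode update?
First of all, the output above is saying that the required Windows patch has not been installed: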
    Speculation control settings for CVE-2017-5715 [branch target injection]
    Windows OS support for branch target injection mitigation is present: False
and
    Speculation control settings for CVE-2017-5754 [rogue data cache load]
    Windows OS support for kernel VA shadow is present: False
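Is your AV perhaps blocking it? – see here
Secondly, CVE-2017-5715 also requires a CPU microcode update, which means updating the BIOS when one becomes available. Intel have apparently released the code, but it is up to the OEMs to provide the updated BIOS, and that may take a while.
All you can do right now is install the Windows patch. Once the correct patch is installed you should be protected against Meltdown, but you will still need the subsequent BIOS update to be fully covered for Spectre.
Here is the output from my (patched) Windows 10 system: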
    Speculation control settings for CVE-2017-5715 [branch target injection]

    Hardware support for branch target injection mitigation is present: False
    Windows OS support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is enabled: False
    Windows OS support for branch target injection mitigation is disabled by system policy: False
    Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

    Speculation control settings for CVE-2017-5754 [rogue data cache load]

    Hardware requires kernel VA shadowing: False
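You will notice that for CVE-2017-5715 it shows that the patch is installed but not enabled due to "absence of hardware support" (i.e. the microcode update).
You will also notice that for CVE-2017-5754 it simply says that it is not required – this is because I am running on an AMD CPU.
As for your side note, I can't be sure without testing, but if you look closely, to disable it the FeatureSettingsOverride key is set to 3, not 0 as it is for enabling, so I assume you need the same mask for both and a FeatureSettingsOverride key of either 0 (enable) or 3 (disable).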
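The reading of the cmdlet output given in this answer, written as a triage function. This is an added example, not code from either post or from Microsoft's module: `Get-MitigationFinding` is a hypothetical helper name, and the three sample objects are constructed from the property values shown in the outputs on this page.

```powershell
# Added example. Get-MitigationFinding is a hypothetical helper, not part of
# the SpeculationControl module; it only reads properties shown on this page.
function Get-MitigationFinding {
    param([Parameter(Mandatory)] $Settings)
    $findings = @()

    # CVE-2017-5715 [branch target injection]
    if (-not $Settings.BTIWindowsSupportPresent) {
        $findings += 'CVE-2017-5715: Windows patch not installed'
    } elseif (-not $Settings.BTIWindowsSupportEnabled) {
        if ($Settings.BTIDisabledBySystemPolicy) {
            $findings += 'CVE-2017-5715: disabled by system policy, see support.microsoft.com/help/4072698'
        }
        if ($Settings.BTIDisabledByNoHardwareSupport) {
            $findings += 'CVE-2017-5715: no hardware support, needs BIOS/microcode update from the OEM'
        }
    }

    # CVE-2017-5754 [rogue data cache load]; skipped when the CPU does not require it
    if ($Settings.KVAShadowRequired) {
        if (-not $Settings.KVAShadowWindowsSupportPresent) {
            $findings += 'CVE-2017-5754: Windows patch not installed'
        } elseif (-not $Settings.KVAShadowWindowsSupportEnabled) {
            $findings += 'CVE-2017-5754: patch present but kernel VA shadow not enabled, see support.microsoft.com/help/4072698'
        }
    }
    $findings
}

# Constructed samples: values copied from the three outputs on this page.
$samples = [ordered]@{
    'question, first run' = [pscustomobject]@{
        BTIWindowsSupportPresent = $false; BTIWindowsSupportEnabled = $false
        BTIDisabledBySystemPolicy = $false; BTIDisabledByNoHardwareSupport = $false
        KVAShadowRequired = $true; KVAShadowWindowsSupportPresent = $false; KVAShadowWindowsSupportEnabled = $false }
    'question, after update' = [pscustomobject]@{
        BTIWindowsSupportPresent = $true; BTIWindowsSupportEnabled = $false
        BTIDisabledBySystemPolicy = $true; BTIDisabledByNoHardwareSupport = $true
        KVAShadowRequired = $true; KVAShadowWindowsSupportPresent = $true; KVAShadowWindowsSupportEnabled = $false }
    'answer, patched Windows 10 on AMD' = [pscustomobject]@{
        BTIWindowsSupportPresent = $true; BTIWindowsSupportEnabled = $false
        BTIDisabledBySystemPolicy = $false; BTIDisabledByNoHardwareSupport = $true
        KVAShadowRequired = $false }
}
foreach ($name in $samples.Keys) {
    $s = $samples[$name]
    "[$name]"
    @(Get-MitigationFinding -Settings $s) | ForEach-Object { "  $_" }
}
# On a live system: Get-MitigationFinding -Settings (Get-SpeculationControlSettings)
```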