Windows 10 Will Banish Spectre Slowdowns With Google's Retpoline Patch

Microsoft is including Google's mitigation for the Spectre Variant 2 speculative execution side-channel attack in the next release of Windows 10, currently codenamed 19H1. ZDNet reports: Google developed a software-based mitigation for Spectre Variant 2 called Retpoline that constrains speculative execution behavior sufficiently to mitigate an attack. Google's testing found its fix had a negligible effect on performance. Retpoline was implemented by Linux distributions such as Red Hat and SUSE, as well as by Oracle for Oracle Linux 6 and 7. And now, as MSPoweruser spotted, Microsoft's kernel engineers have confirmed that Retpoline will be part of the next version of Windows 10, 19H1, which is due out next year. Google's Retpoline plus Microsoft's own kernel modifications have reduced the performance impact to "noise level", according to Mehmet Iyigun of Microsoft's Windows and Azure kernel team. "Yes, we have enabled Retpoline by default in our 19H1 flights along with what we call 'import optimization' to further reduce perf impact due to indirect calls in kernel-mode. Combined, these reduce the perf impact of Spectre v2 mitigations to noise-level for most scenarios," wrote Iyigun.

"The bad news is that Microsoft didn't include the Retpoline fix in the latest Windows 10 October 2018 Update Redstone 5, or RS5, release, even though, according to CrowdStrike researcher Alex Ionescu, it could have," reports ZDNet.

Re: Use APK Hosts File Engine instead... apk

[emil]

It is unlikely that subscription charges to Windows 10 will ever be enforced. ChromeOS and Android have supplanted Windows as the main consumer OS, and Microsoft likely will not want to see their market share decay any more rapidly than necessary. It is more likely that adware will be introduced on systems that do not have corporate subscriptions.

What is taking them so long ?

[Alain Williams]

Linux vendors had patches out in March!

Re: What is taking them so long ?

[emil]

Big companies are slow. This is especially so with profound changes to the kernel compiler, which were likely reviewed by Dave Cutler himself.

Re: What is taking them so long ?

[Zero__Kelvin]

A lot more servers, routers, smartphones, home appliances and other systems are running Linux. What's your point? Mostly that it didn't occur to you that Linux isn't the niche OS you are trying to claim it is I suppose.

Re:

[Highdude702]

Correct for servers, Routers however the majority run broadcom or atheros chips, go look at lede hardware support list or dd-wrt support list.

Re:

[AmiMoJo]

Difference being that "Linux" isn't responsible for patching all those devices. Microsoft has taken on a maintenance contract for hundreds of millions of computers. The terms are pretty shitty, if they brick your machine you are on your own, but they do at least pretend to try to make the update process kinda robust.

So while the Linux kernel was patched in March, it takes time for distros to adopt the patch, and then even longer for admins to roll the patch out to devices. In fact many devices will never be

Re:

[arglebargle_xiv]

As such, they have a much larger user base with a wider variety of hardware and software to test.

Funny, just a few stories down there's this one [slashdot.org], which implies that testing for Windows 10 changes is more or less optional:

Either tests do not exist at all for this code (and I've been told that yes, it's permitted to integrate code without tests, though I would hope this isn't the norm), or test failures are being regarded as acceptable, non-blocking issues, and developers are being allowed to integrate code that they know doesn't work properly...

Re: What is taking them so long ?

[Zero__Kelvin]

So then ... the mitigations *weren't* all in then we're they? Thus this new one.

Re:

[Anonymous Coward]

Actually... the INVPCID version was the first version proposed for Linux... by Intel. 3rd party developers managed to hack PCID to do the same thing, yet the performance improvement (or rather reduction of mitigation's degradation) is not as big as using INVPCID. That's why Linux will now try to use INVPCID if available, then PCID if not or just suck up the mitigation cost.

Microsoft probably had the patches ready from Intel way before the PCID method was even conceived. Remember that Intel was notified a lo

Re: What is taking them so long ?

[Zero__Kelvin]

So you are saying Microsoft was way ahead of the pack but came in last anyway? Sounds about right.

Re:

[greenwow]

> didn't care to investigate any possible other mitigations

To be fair, I don't think Microsoft has the expertise on staff to do that. They got rid of most of their more experienced devs in order to save money. Several friends that are great devs got fired since they were so good at their jobs they couldn't be promoted, but Microsoft fires you if you don't get promoted enough. Their system gets rid of the people that are the best at their jobs.

Re:

[r1348]

Nonsense, the patches are already upstreamed in the kernel code, any distro can distribute them.

Re: What is taking them so long ?

[Anonymous Coward]

Windows 7 is why

To address it in win7 all systems need a BIOS newer than may 2018

Unfortunately only HP, Dell and Apple update their BIOS after 2 years due to enterprise demands. You are SOL if you have anything else and this have to rely on software to migitate the bugs.

Re:

[p0p0]

Microsoft has tried adding it in but when they test Windows Update, it just deletes the patch from the filesystem!

Great news!

[Zero__Kelvin]

The great news? The highly unlikely possibility that you will fall victim to a speculative execution based attack has been addressed. The horrible news? It was implemented by the same company that can't guarantee your files won't be randomly deleted by the greatest security threat known in modern times, to wit Microsoft. I'm sure it's been well tested and there will be no problems though. Even Microsoft has to get it right occasionally, amirite?

Microsoft management is becoming worse.

[Futurepower(R)]

"Microsoft again is late to the party in protecting its users with better security solutions and instead created its own performance robbing patches."

Microsoft: More than 10 years of poor management [slashdot.org]

Microsoft needs a new CEO and a re-organization of management.

Another case of Microsoft pushing Win10.

[SeaFox]

Oh, we gave you a patch that will slow down your machine because of Spectre.
Did we mention we're getting a much better patch now? You have to update to 10 to get it, though.

Retpoline does not "banish" slowdowns

[complete loony]

The retpoline hack is a deliberate stack smash, to execute an indirect jump that the CPU will not speculate. Since the CPU cannot speculate it, execution *must* be slower than code from before spectre was discovered. But it does mean you can turn off *really* slow CPU mitigations.

The real trick is avoiding the need for retpoline in the first place. Make sure that indirect jumps have shortcuts for commonly executed branches that aren't affected by Spectre.

BTW, I watched a great talk about spectre [youtube.com], for application developers, by a clang compiler engineer who was involved in the research on spectre.

MS: what about Server OSes? And why so slow?

[mattb47]

How about the patch where it really matters: on servers? Will this patch be available on Server 2016? Server 2019? 2012 R2? (OK, not really expecting it on 2012 R2 or earlier, but one can hope.)

Server 2016 and Windows 10 share (or at least used to share) a lot of the same codebase, so one would think Server 2016 could be patched here fairly easily.

And that this won't happen until the next Windows 10 release (probably April 2019)? Absolutely ridiculous. Get it out. NOW.

Re:

[sydbarrett74]

My guess is that it will be prioritised for inclusion in Server 2019, then back-ported to 2016.

Glad it wasn't included in 1809

[sydbarrett74]

[from TFS] "The bad news is that Microsoft didn't include the Retpoline fix in the latest Windows 10 October 2018 Update Redstone 5, or RS5, release, even though, according to CrowdStrike researcher Alex Ionescu, it could have," reports ZDNet.

Not such bad news in light of 1809's data-losing file system bugs. I'd like to see something like this much more thoroughly tested, given the grave security implications.