Windows 10 Will Banish Spectre Slowdowns With Google's Retpoline Patch (zdnet.com) 61
Microsoft is including Google's mitigation for the Spectre Variant 2 speculative execution side-channel attack in the next release of Windows 10, currently codenamed 19H1. ZDNet reports: Google developed a software-based mitigation for Spectre Variant 2 called Retpoline that constrains speculative execution behavior sufficiently to mitigate an attack. Google's testing found its fix had a negligible effect on performance. Retpoline was implemented by Linux distributions such as Red Hat and SUSE, as well as by Oracle for Oracle Linux 6 and 7. And now, as MSPoweruser spotted, Microsoft's kernel engineers have confirmed that Retpoline will be part of the next version of Windows 10, 19H1, which is due out next year. Google's Retpoline plus Microsoft's own kernel modifications have reduced the performance impact to "noise level", according to Mehmet Iyigun of Microsoft's Windows and Azure kernel team. "Yes, we have enabled Retpoline by default in our 19H1 flights along with what we call 'import optimization' to further reduce perf impact due to indirect calls in kernel-mode. Combined, these reduce the perf impact of Spectre v2 mitigations to noise-level for most scenarios," wrote Iyigun.
"The bad news is that Microsoft didn't include the Retpoline fix in the latest Windows 10 October 2018 Update Redstone 5, or RS5, release, even though, according to CrowdStrike researcher Alex Ionescu, it could have," reports ZDNet.
"The bad news is that Microsoft didn't include the Retpoline fix in the latest Windows 10 October 2018 Update Redstone 5, or RS5, release, even though, according to CrowdStrike researcher Alex Ionescu, it could have," reports ZDNet.
Re: Use APK Hosts File Engine instead... apk (Score:2)
What is taking them so long ? (Score:5, Interesting)
Linux vendors had patches out in March!
Re: What is taking them so long ? (Score:2)
Re: What is taking them so long ? (Score:3)
Re: (Score:2)
Correct for servers, Routers however the majority run broadcom or atheros chips, go look at lede hardware support list or dd-wrt support list.
Re: (Score:2)
Difference being that "Linux" isn't responsible for patching all those devices. Microsoft has taken on a maintenance contract for hundreds of millions of computers. The terms are pretty shitty, if they brick your machine you are on your own, but they do at least pretend to try to make the update process kinda robust.
So while the Linux kernel was patched in March, it takes time for distros to adopt the patch, and then even longer for admins to roll the patch out to devices. In fact many devices will never be
Re: (Score:2)
As such, they have a much larger user base with a wider variety of hardware and software to test.
Funny, just a few stories down there's this one [slashdot.org], which implies that testing for Windows 10 changes is more or less optional:
Either tests do not exist at all for this code (and I've been told that yes, it's permitted to integrate code without tests, though I would hope this isn't the norm), or test failures are being regarded as acceptable, non-blocking issues, and developers are being allowed to integrate code that they know doesn't work properly...
Re: What is taking them so long ? (Score:2)
Re: (Score:1)
Actually... the INVPCID version was the first version proposed for Linux... by Intel. 3rd party developers managed to hack PCID to do the same thing, yet the performance improvement (or rather reduction of mitigation's degradation) is not as big as using INVPCID. That's why Linux will now try to use INVPCID if available, then PCID if not or just suck up the mitigation cost.
Microsoft probably had the patches ready from Intel way before the PCID method was even conceived. Remember that Intel was notified a lo
Re: What is taking them so long ? (Score:5, Funny)
Re: (Score:2)
> didn't care to investigate any possible other mitigations
To be fair, I don't think Microsoft has the expertise on staff to do that. They got rid of most of their more experienced devs in order to save money. Several friends that are great devs got fired since they were so good at their jobs they couldn't be promoted, but Microsoft fires you if you don't get promoted enough. Their system gets rid of the people that are the best at their jobs.
Re: (Score:3)
Nonsense, the patches are already upstreamed in the kernel code, any distro can distribute them.
Re: What is taking them so long ? (Score:1)
Windows 7 is why
To address it in win7 all systems need a BIOS newer than may 2018
Unfortunately only HP, Dell and Apple update their BIOS after 2 years due to enterprise demands. You are SOL if you have anything else and this have to rely on software to migitate the bugs.
Re: (Score:2)
Great news! (Score:1)
Microsoft management is becoming worse. (Score:2)
Microsoft: More than 10 years of poor management [slashdot.org]
Microsoft needs a new CEO and a re-organization of management.
Another case of Microsoft pushing Win10. (Score:2)
Oh, we gave you a patch that will slow down your machine because of Spectre.
Did we mention we're getting a much better patch now? You have to update to 10 to get it, though.
Retpoline does not "banish" slowdowns (Score:5, Informative)
The retpoline hack is a deliberate stack smash, to execute an indirect jump that the CPU will not speculate. Since the CPU cannot speculate it, execution *must* be slower than code from before spectre was discovered. But it does mean you can turn off *really* slow CPU mitigations.
The real trick is avoiding the need for retpoline in the first place. Make sure that indirect jumps have shortcuts for commonly executed branches that aren't affected by Spectre.
BTW, I watched a great talk about spectre [youtube.com], for application developers, by a clang compiler engineer who was involved in the research on spectre.
MS: what about Server OSes? And why so slow? (Score:1)
How about the patch where it really matters: on servers? Will this patch be available on Server 2016? Server 2019? 2012 R2? (OK, not really expecting it on 2012 R2 or earlier, but one can hope.)
Server 2016 and Windows 10 share (or at least used to share) a lot of the same codebase, so one would think Server 2016 could be patched here fairly easily.
And that this won't happen until the next Windows 10 release (probably April 2019)? Absolutely ridiculous. Get it out. NOW.
Re: (Score:2)
Glad it wasn't included in 1809 (Score:2)
[from TFS] "The bad news is that Microsoft didn't include the Retpoline fix in the latest Windows 10 October 2018 Update Redstone 5, or RS5, release, even though, according to CrowdStrike researcher Alex Ionescu, it could have," reports ZDNet.
Not such bad news in light of 1809's data-losing file system bugs. I'd like to see something like this much more thoroughly tested, given the grave security implications.