The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Unable to enable Meltdown mitigation after installing updated Microcode

    Discussion in 'Windows OS and Software' started by Starlight5, May 8, 2019.

  1. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    Reputations:
    826
    Messages:
    3,230
    Likes Received:
    1,643
    Trophy Points:
    231
    meltdown-problem.png

    Could somebody please kindly explain what is going on? I tried messing with FeatureSettingsOverride, setting it to 0 or 8 and rebooting the machine afterwards - nothing changes, InSpectre still reports the machine vulnerable to Meltdown. It is running Windows 10 1809, with manually installed KB4465065 microcode update. Before applying KB4465065, InSpectre was reporting the machine mitigated against Meltdown and vulnerable to Spectre. I want it protected against both.
     
    Vasudev likes this.
  2. Vasudev

    Vasudev Notebook Nobel Laureate

    Reputations:
    12,035
    Messages:
    11,277
    Likes Received:
    8,814
    Trophy Points:
    931
    I've the same issue on my Ivy Bridge; Meltdown and Spectre updates can't be disabled or enabled at all.
     
    Starlight5 likes this.
  3. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    The machine in question is Apollo Lake. The PowerShell script reports that Meltdown protection is not needed:
    Code:
    KVAShadowRequired:False
    But what exactly does that mean? That Intel/Microsoft think the performance will be so abysmal if Meltdown in addition to Spectre is enabled? Or that they somehow patched Meltdown but InSpectre doesn't detect that?

    I would really appreciate feedback from other users of similar machines - Atoms and Atom-derived Celerons and Pentiums, Surface 3 users in particular.
     
    Vasudev likes this.
  4. Vasudev

    Vasudev Notebook Nobel Laureate

    Apollo Lake means 8th gen CPU, right? I think OS-level patching isn't needed!
     
    Starlight5 likes this.
  5. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    More like 7th Gen. InSpectre says it is vulnerable, though. It said it was patched against Meltdown but vulnerable to Spectre until I applied the Intel Microcode Windows update.
     
  6. Vasudev

    Vasudev Notebook Nobel Laureate

    Do you have Core isolation mode turned ON in Win defender?
     
    Starlight5 likes this.
  7. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    I have Windows Defender disabled, and rely on Avast Free only.
     
    Vasudev likes this.
  8. Vasudev

    Vasudev Notebook Nobel Laureate

    Try disabling the script scanning technique. I think 3rd parties use WD's superior script scanning and analysis to catch PS1 script drive-by attacks. I have a similar setting in Kaspersky Security Cloud.
     
    Starlight5 likes this.
  9. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    My WD is completely disabled by OOSU10, it shouldn't be used from my understanding. And I sadly don't understand how it helps with enabling both Spectre and Meltdown protections.
     
  10. Vasudev

    Vasudev Notebook Nobel Laureate

    It protects from malicious PS1 scripts.
    Try a Linux LiveCD and check using SpecuCheck or meltdown spectre checker on GitHub, and if you find Linux is using the KVAShadow thing then I suspect Windows did something.
     
    Starlight5 likes this.
  11. intruder16

    intruder16 Notebook Enthusiast

    Reputations:
    26
    Messages:
    16
    Likes Received:
    32
    Trophy Points:
    16
    You have the following setup in the registry, which means Meltdown disabled & Spectre enabled without the Retpoline patch:

    "FeatureSettingsOverride"=dword:00000002
    "FeatureSettingsOverrideMask"=dword:00000003

    With the Retpoline patch it becomes:

    "FeatureSettingsOverride"=dword:00000402
    "FeatureSettingsOverrideMask"=dword:00000403

    So if you want to enable both with the Retpoline patch:

    "FeatureSettingsOverride"=dword:00000400
    "FeatureSettingsOverrideMask"=dword:00000403

    If you want to enable both without the Retpoline patch:

    "FeatureSettingsOverride"=dword:00000000
    "FeatureSettingsOverrideMask"=dword:00000003

    This is what I get with everything enabled:

    "FeatureSettingsOverride"=dword:00000408
    "FeatureSettingsOverrideMask"=dword:00000403

    upload_2019-5-9_13-17-46.png

    When I game, I disable everything to mitigate performance issues (I have a simple bat script to disable and enable).

    (EDIT) PS. My CPU info is in my signature.
     
    Last edited: May 9, 2019
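
Added example, not part of the original posts: a PowerShell decoder for the FeatureSettingsOverride pairs quoted in the post above, useful for spotting hosts where a mitigation has been opted out of in the registry. The bit meanings (0x1 Spectre v2 opt-out, 0x2 Meltdown/KVA shadow opt-out, 0x8 SSBD, 0x400 Retpoline) and the registry path come from Microsoft's published guidance rather than from this thread, and the function name is hypothetical.

```powershell
# Added example: decode the FeatureSettingsOverride values quoted in this thread.
# Bit meanings are from Microsoft's published guidance, not from the thread itself.
function Get-OverrideMeaning {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Label,
        [Parameter(Mandatory)] [uint32] $Override,
        [Parameter(Mandatory)] [uint32] $Mask
    )
    [pscustomobject]@{
        Label              = $Label
        Override           = '0x{0:X3}' -f $Override
        Mask               = '0x{0:X3}' -f $Mask
        SpectreV2OptOut    = [bool]($Override -band 0x1)    # bit 0: BTI mitigation off
        MeltdownOptOut     = [bool]($Override -band 0x2)    # bit 1: KVA shadow off
        SsbdRequested      = [bool]($Override -band 0x8)    # bit 3: SSBD on
        RetpolineRequested = [bool]($Override -band 0x400)  # bit 10: Retpoline on
    }
}

# Value pairs exactly as quoted in the post above.
$samples = @(
    @{ Label = 'Meltdown off, Spectre on';      Override = 0x002; Mask = 0x003 },
    @{ Label = 'same, with Retpoline';          Override = 0x402; Mask = 0x403 },
    @{ Label = 'both on, with Retpoline';       Override = 0x400; Mask = 0x403 },
    @{ Label = 'both on, no Retpoline';         Override = 0x000; Mask = 0x003 },
    @{ Label = "poster's 'everything enabled'"; Override = 0x408; Mask = 0x403 }
)
$report = foreach ($s in $samples) { Get-OverrideMeaning @s }

# On a Windows host, append the live values (key path per Microsoft's guidance).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
if (Test-Path $key) {
    $live = Get-ItemProperty -Path $key
    if ($null -ne $live.FeatureSettingsOverride -and
        $null -ne $live.FeatureSettingsOverrideMask) {
        $report = @($report) + (Get-OverrideMeaning -Label 'this host' `
            -Override $live.FeatureSettingsOverride `
            -Mask $live.FeatureSettingsOverrideMask)
    }
}

$report | Format-Table -AutoSize

# Rows that opt out of a mitigation are the ones to review.
$report | Where-Object { $_.SpectreV2OptOut -or $_.MeltdownOptOut } |
    Format-Table Label, Override, Mask -AutoSize
```

The registry values only express what is requested; the Get-SpeculationControlSettings output discussed in this thread shows what the kernel actually enabled.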
  12. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    Thank you for the detailed explanation. Following these settings enables BTIKernelRetpolineEnabled and BTIKernelImportOptimizationEnabled, but KVAShadowRequired, KVAShadowWindowsSupportEnabled and KVAShadowPcidEnabled all stay False. Behavior is the same if setting FeatureSettingsOverride to 0 or 400, or deleting the key.
     
    Last edited: May 9, 2019
  13. intruder16

    intruder16 Notebook Enthusiast

    upload_2019-5-9_18-2-44.png

    Source: https://support.microsoft.com/en-in...-of-get-speculationcontrolsettings-powershell

    I think your version of "Get-SpeculationControlSettings" is outdated.
     
    Starlight5 and Vasudev like this.
  14. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    I'll give it a try, thank you.

    Installed SpeculationControlSettings a couple of days ago, and the output is identical to yours.

    I will rephrase my question then. Why is Celeron N3450 reporting KVAShadowRequired as False after applying updated Microcode? How can it become not vulnerable to Meltdown after a mere firmware update, justifying disabling Meltdown OS protection? I couldn't find any article explaining the situation with these particular CPUs. Is it really not vulnerable to Meltdown and thus safe to use, or did Intel/Microsoft disable protection because it would make these CPUs run prohibitively slow as a result? That is the question that drives me mad. If there was some article explaining hows and whys, I wouldn't bother at all.

    I like the machine, for what I typically use it for it performs quite well (otherwise it's a cheap pile of crap with a fantastic display). But now I'd like to sometimes access my NAS with it, and herein lies the problem, since it would greatly benefit from full access instead of a couple of read-only folders.
     
    Vasudev likes this.
  15. Vasudev

    Vasudev Notebook Nobel Laureate

    I think the script checked the BIOS uCode for a proper fix, since OS uCode updates are hot-patches which are removed once restarted or shut down.
     
    Starlight5 likes this.