Status verification for L1 terminal fault attack
Status verification for L1 terminal fault attack
Today we received information about another weakness in Intel CPUs, but Microsoft has already released a fix: https://support.microsoft.com/sl-si/help...-kb4343909. After applying the update, I found a site with guidance on testing for L1TF exposure: https://www.windowscentral.com/how-check...e-exploits. My output looked like this: PS C:\WINDOWS\system32> Get-SpeculationControlSettings For more details, see https://support.microsoft.com/en-in/help/4074629 Speculation control settings for CVE-2017-5715 [branch target injection] The system supports branch target injection protection: True Windows OS support for branch target injection mitigation is present: True. For L1TF, hardware can block speculative store bypass: Hardware requires kernel VA shadowing: True Windows OS support for kernel VA shadow is present: True. The update confirms your PC is protected against these threats.
This indicates a few things: first, Spectre 1-2 patches are applied along with OS and hardware fixes, which still provide solid performance thanks to INVPCID and the benefits of Coffee Lake. Second, your system lacks the SSB microcode update; while the OS is patched, it's insufficient. You'll need to install the BIOS update and manually turn on SSB, which adds only a minor performance hit—about 1% in games. Third, the issue with L1TF is more complex. The same microcode used for SSB should also cover L1TF, but it doesn’t. Something else must be addressed, though I’m not sure what yet. I haven’t enabled SSB myself, and it seems the problem might lie elsewhere. This is what I see on my 8700K—hopefully, someone can clarify this. But from the answers you received, I’m a bit doubtful.
Thanks for your interest in my post. I still have some old bios from April 26th. Since then, three new BIOS versions came out, but I didn’t feel the need to refresh everything again. Each update takes about an hour, and I end up resetting all settings manually. Sometimes saving backups doesn’t work after a BIOS change, so I have to reconfigure everything. I’m wondering if a newer BIOS is needed for the L1TF vulnerability—so I’ll wait a few more days to check if any motherboard partners will release updates. If not, I’ll upgrade my BIOS to the version from July 13th.
The BIOS containing the refreshed microcode for SSB is required. You need to verify the presence of the line: Hardware support for speculative store bypass disable is present: False. This suggests enabling it should be beneficial. For L1TF, this setting likely instructs the CPU to clear the L1 cache when needed—possibly preventing malware from deducing data. This adjustment could reduce risks in certain situations, though it might affect performance during gaming or web browsing. Running VMs may suffer more impact. You're also experiencing problems restoring older BIOS configurations after updates, so manual setup is necessary. Upgrading to the latest BIOS version would be advisable. The update should also include the new Intel RST EFI module v.16.5, which pairs well with 16.5 RST drivers. If this version offers improvements over 16.0, it might be worth considering. For full protection, you'll still need to enable SSB manually. I tested this and didn’t see any performance loss, though results can vary. In short: no need for new microcode beyond what’s released for SSB, and hardware remains flagged as vulnerable—just a mitigation measure.