Windows 10 Will Banish Spectre Slowdowns With Google's Retpoline Patch (zdnet.com)

← Back to Stories (view on slashdot.org)

Windows 10 Will Banish Spectre Slowdowns With Google's Retpoline Patch (zdnet.com)

Posted by BeauHD on Sunday October 21, 2018 @06:18AM from the performance-improvements dept.

Microsoft is including Google's mitigation for the Spectre Variant 2 speculative execution side-channel attack in the next release of Windows 10, currently codenamed 19H1. ZDNet reports: Google developed a software-based mitigation for Spectre Variant 2 called Retpoline that constrains speculative execution behavior sufficiently to mitigate an attack. Google's testing found its fix had a negligible effect on performance. Retpoline was implemented by Linux distributions such as Red Hat and SUSE, as well as by Oracle for Oracle Linux 6 and 7. And now, as MSPoweruser spotted, Microsoft's kernel engineers have confirmed that Retpoline will be part of the next version of Windows 10, 19H1, which is due out next year. Google's Retpoline plus Microsoft's own kernel modifications have reduced the performance impact to "noise level", according to Mehmet Iyigun of Microsoft's Windows and Azure kernel team. "Yes, we have enabled Retpoline by default in our 19H1 flights along with what we call 'import optimization' to further reduce perf impact due to indirect calls in kernel-mode. Combined, these reduce the perf impact of Spectre v2 mitigations to noise-level for most scenarios," wrote Iyigun.

"The bad news is that Microsoft didn't include the Retpoline fix in the latest Windows 10 October 2018 Update Redstone 5, or RS5, release, even though, according to CrowdStrike researcher Alex Ionescu, it could have," reports ZDNet.

20 of 61 comments (clear)

Min score:

Reason:

Sort:

What is taking them so long ? by Alain+Williams · 2018-10-21 06:33 · Score: 5, Interesting

Linux vendors had patches out in March!
1. Re:What is taking them so long ? by Anonymous Coward · 2018-10-21 07:26 · Score: 1
  
  Actually... the INVPCID version was the first version proposed for Linux... by Intel. 3rd party developers managed to hack PCID to do the same thing, yet the performance improvement (or rather reduction of mitigation's degradation) is not as big as using INVPCID. That's why Linux will now try to use INVPCID if available, then PCID if not or just suck up the mitigation cost.
  Microsoft probably had the patches ready from Intel way before the PCID method was even conceived. Remember that Intel was notified a long time before those vulnerabilities were made public, they even extended the deadlines for publication multiple times.
2. Re: What is taking them so long ? by Zero__Kelvin · 2018-10-21 07:36 · Score: 2
  
  A lot more servers, routers, smartphones, home appliances and other systems are running Linux. What's your point? Mostly that it didn't occur to you that Linux isn't the niche OS you are trying to claim it is I suppose.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
3. Re: What is taking them so long ? by Zero__Kelvin · 2018-10-21 07:38 · Score: 1
  
  So then ... the mitigations *weren't* all in then we're they? Thus this new one.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
4. Re: What is taking them so long ? by Zero__Kelvin · 2018-10-21 07:42 · Score: 4, Funny
  
  So you are saying Microsoft was way ahead of the pack but came in last anyway? Sounds about right.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
5. Re: What is taking them so long ? by Anonymous Coward · 2018-10-21 09:16 · Score: 1
  
  Windows 7 is why
  To address it in win7 all systems need a BIOS newer than may 2018
  Unfortunately only HP, Dell and Apple update their BIOS after 2 years due to enterprise demands. You are SOL if you have anything else and this have to rely on software to migitate the bugs.
6. Re:What is taking them so long ? by greenwow · 2018-10-21 09:58 · Score: 1
  
  > didn't care to investigate any possible other mitigations
  To be fair, I don't think Microsoft has the expertise on staff to do that. They got rid of most of their more experienced devs in order to save money. Several friends that are great devs got fired since they were so good at their jobs they couldn't be promoted, but Microsoft fires you if you don't get promoted enough. Their system gets rid of the people that are the best at their jobs.
7. Re:What is taking them so long ? by p0p0 · 2018-10-21 11:00 · Score: 1
  
  Microsoft has tried adding it in but when they test Windows Update, it just deletes the patch from the filesystem!
8. Re:What is taking them so long ? by arglebargle_xiv · 2018-10-21 11:07 · Score: 1
  
  As such, they have a much larger user base with a wider variety of hardware and software to test.
  Funny, just a few stories down there's this one, which implies that testing for Windows 10 changes is more or less optional:
  
  Either tests do not exist at all for this code (and I've been told that yes, it's permitted to integrate code without tests, though I would hope this isn't the norm), or test failures are being regarded as acceptable, non-blocking issues, and developers are being allowed to integrate code that they know doesn't work properly...
9. Re: What is taking them so long ? by emil · 2018-10-21 22:13 · Score: 1
  
  Big companies are slow. This is especially so with profound changes to the kernel compiler, which were likely reviewed by Dave Cutler himself.
10. Re: What is taking them so long ? by Highdude702 · 2018-10-21 22:23 · Score: 1
  
  Correct for servers, Routers however the majority run broadcom or atheros chips, go look at lede hardware support list or dd-wrt support list.
11. Re: What is taking them so long ? by AmiMoJo · 2018-10-22 02:02 · Score: 1
  
  Difference being that "Linux" isn't responsible for patching all those devices. Microsoft has taken on a maintenance contract for hundreds of millions of computers. The terms are pretty shitty, if they brick your machine you are on your own, but they do at least pretend to try to make the update process kinda robust.
  So while the Linux kernel was patched in March, it takes time for distros to adopt the patch, and then even longer for admins to roll the patch out to devices. In fact many devices will never be patched. One thing you can say about Windows 10 is that most machines do get patched, even if it bricks them.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Microsoft management is becoming worse. by Futurepower(R) · 2018-10-21 08:23 · Score: 1

"Microsoft again is late to the party in protecting its users with better security solutions and instead created its own performance robbing patches."

Microsoft: More than 10 years of poor management

Microsoft needs a new CEO and a re-organization of management.
Re:Seriously? by r1348 · 2018-10-21 08:51 · Score: 2

Nonsense, the patches are already upstreamed in the kernel code, any distro can distribute them.
Another case of Microsoft pushing Win10. by SeaFox · 2018-10-21 09:27 · Score: 1

Oh, we gave you a patch that will slow down your machine because of Spectre.
Did we mention we're getting a much better patch now? You have to update to 10 to get it, though.
Retpoline does not "banish" slowdowns by complete+loony · 2018-10-21 12:00 · Score: 4, Informative

The retpoline hack is a deliberate stack smash, to execute an indirect jump that the CPU will not speculate. Since the CPU cannot speculate it, execution *must* be slower than code from before spectre was discovered. But it does mean you can turn off *really* slow CPU mitigations.
The real trick is avoiding the need for retpoline in the first place. Make sure that indirect jumps have shortcuts for commonly executed branches that aren't affected by Spectre.
BTW, I watched a great talk about spectre, for application developers, by a clang compiler engineer who was involved in the research on spectre.

--
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
MS: what about Server OSes? And why so slow? by mattb47 · 2018-10-21 12:20 · Score: 1

How about the patch where it really matters: on servers? Will this patch be available on Server 2016? Server 2019? 2012 R2? (OK, not really expecting it on 2012 R2 or earlier, but one can hope.)
Server 2016 and Windows 10 share (or at least used to share) a lot of the same codebase, so one would think Server 2016 could be patched here fairly easily.
And that this won't happen until the next Windows 10 release (probably April 2019)? Absolutely ridiculous. Get it out. NOW.
Re: Use APK Hosts File Engine instead... apk by emil · 2018-10-21 22:10 · Score: 1

It is unlikely that subscription charges to Windows 10 will ever be enforced. ChromeOS and Android have supplanted Windows as the main consumer OS, and Microsoft likely will not want to see their market share decay any more rapidly than necessary. It is more likely that adware will be introduced on systems that do not have corporate subscriptions.
Glad it wasn't included in 1809 by sydbarrett74 · 2018-10-23 17:18 · Score: 1

[from TFS] "The bad news is that Microsoft didn't include the Retpoline fix in the latest Windows 10 October 2018 Update Redstone 5, or RS5, release, even though, according to CrowdStrike researcher Alex Ionescu, it could have," reports ZDNet.
Not such bad news in light of 1809's data-losing file system bugs. I'd like to see something like this much more thoroughly tested, given the grave security implications.

--
'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
Re:MS: what about Server OSes? And why so slow? by sydbarrett74 · 2018-10-23 17:20 · Score: 1

My guess is that it will be prioritised for inclusion in Server 2019, then back-ported to 2016.

--
'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman