Microsoft recently detailed its testing of retpoline optimizations present in Windows Insider Preview builds of its Windows 10 operating system (18272 and newer) and has announced that starting with Microsoft Update KB4482887 on March 1st the company will be rolling out and enabling the Google-developed Retpoline performance optimizations that reduce the performance impact of security mitigations put in place to combat Spectre Variant 2 (CVE-2017-5715). Windows 10 users running 64-bit versions of Windows 10 Build 1809 and newer will have the Retpoline optimizations installed with the KB4482887 and other updates turned on via cloud configuration in a phased rollout.
No retpoline fixups for me, at least not until Microsoft Update stops failing to install a newer build (heh). It may be time to nuke it from orbit and start fresh! If you get this error on a supported build you may have to run this PowerShell script from the Microsoft Support website to get it to work though when I tried I was not able to get PS to import the module…
As a refresher, Spectre Variant 2 is a security vulnerability related to speculative execution that requires CPU microcode as well as OS kernel updates to mitigate. Red Hat summarizes CVE-2017-5715 as “an indirect branching poisoning attack that can lead to data leakage. This attack allows for a virtualized guest to read memory from the host system.” Microsoft further clairifies:
“At a high level, the Spectre variant 2 attack exploits indirect branches to steal secrets located in higher privilege contexts (e.g. kernel-mode vs user-mode). Indirect branches are instructions where the target of the branch is not contained in the instruction itself, such as when the destination address is stored in a CPU register.”
Unfortunately, while Spectre Variant 1 was able to be patched at the OS kernel level, Spectre Variant 2 required processor microcode updates (or new hardware with different speculative execution methods) and the patches while necessary to improve security and mitigate potential attacks have an impact on performance. Last year, Google began work on “retpoline” to attempt to reduce the performance impact that these security measures have on systems. Retpoline ended up being much faster than IBRS (indirect branch restricted speculation) which is the default behavior post-mitigations but still slower than regular indirect calls / jumps (pre-mitigations). Retpoline replaces all indirect calls or jumps in kernel-mode binaries with indirect brand sequences that have safe speculation behavior, according to Microsoft. Retpoline applies to all AMD processors as well as Intel Broadwell and older architecture-based chips where the CPU RET (return from procedure) instructions do not speculate based on the contents of indirect call brand prediction. The retpoline methods allow for safe control transfers to target addresses by performing a function call, modifying the return address, and returning it. The optimizations are traditionally done at compile time with indirect calls being replaced with retpoline sequences. Microsoft stated that due to its need for legacy support and third-party driver code, such a compile-time optimization was simply not practical. Instead, Microsoft performs the retpoline optimizations at runtime. It extended the DVRT (Dynamic Value Relocation Table) format and NT Memory Manager to support the new retpoline metadata that can be added to the DVRT without breaking backwards compatibility. Speaking of backwards compatibility, the Redmond-based software giant plans to continue shipping Windows 10 as-is in a non-retpoline state to maintain wider compatibility and software support. Drivers and software that do support retpoline will be able to take advantage of the optimizations, however.
“As mentioned earlier, the Windows implementation needs to support mixed environments in which some drivers are not compiled with retpoline support. This means that we cannot simply replace every indirect call with a retpoline sequence like the example shown in the introduction. We need to ensure that the kernel gets the opportunity to inspect the target of the call or jump so that it can apply appropriate mitigations if the target does not support retpoline.” – Mehmet_Iyigun, Microsoft
DVRT metadata can store retpoline data for import calls/jumps, switchable jumps, and generic indirect calls/jumps, and then the extended NT Memory Manager infrastructure is used to understand that metadata and apply fixups / retpoline optimizations where applicable.
What does all this mean for performance though? Well, according to Microsoft and its internal testing, the company saw approximately 25% faster Microsoft Office application startup times and between a 1.5 to 2-times increase in storage and networking performance which is a notable improvement post-Spectre 2 patches. They also claimed that the performance impact has been "reduced to noise level for most situations." If you are running Windows Insider Preview 18272 or later on supporting hardware the retpoline optimizations should already be turned on for you (you can double check with PowerShell cmdlet Get-SpeculationControlSettings) and if you are running Windows 10 1809 or later the optimizations will be enabled within the first half of this year in a phased rollout.
Until we get new processors that are not affected by the various speculative execution attacks (which could be difficult if not impossible to totally eliminate just due to the nature of how those performance tricks work), optimizations like retpoline to reduce the performance impact of patches that improved security but limited full potential chip performance may well be our best bet.
Are you running one of the Windows Insider builds with retpoline enabled and noticed any increased application performance? You can check out Microsoft’s blog post with all the juicy programming details here. You can find the KB4482887 update information page here.
- Google's 'free' Spectre patch @ PC Perspective