PowerShell DSC for enabling Speculation Control fixes on Windows. Authored by Kieran Jacobsen
The Microsoft KB Windows Server guidance to protect against speculative execution side-channel vulnerabilities provides a number of options on what speculative controls you can implement, use the table below to map the titles of each mitgation in the KB with the mitigation names in the DSC module.
| Title in KB | Mitigation in DSC |
|---|---|
| Manage mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown) | SpectreVariant2Meltdown |
| Manage the mitigation for CVE-2017-5715 (Spectre Variant 2) | SpectreVariant2 |
| AMD processors only: Enable the full mitigation for CVE-2017-5715 (Spectre Variant 2) | AMDOnlySpectreVariant2 |
| Manage mitigations for CVE-2018-3639 (Speculative Store Bypass), CVE-2017-5715 (Spectre Variant 2), and CVE-2017-5754 (Meltdown) | SpeculativeStoreSpectreVariant2Meltdown |
| AMD processors only: Enable the full mitigation for CVE-2017-5715 (Spectre Variant 2) and CVE 2018-3639 (Speculative Store Bypass) | AMDOnlySpeculativeStoreSpectreVariant2 |
| Manage Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135) and Microarchitectural Data Sampling (CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130) along with Spectre [ CVE-2017-5753 & CVE-2017-5715 ] and Meltdown [ CVE-2017-5754 ] variants, including Speculative Store Bypass Disable (SSBD) [ CVE-2018-3639 ] as well as L1 Terminal Fault (L1TF) [ CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646 ] without disabling Hyper-Threading | IntelTSXDataSamplingSpectreMeltdownSpeculativeStoreL1TerminalFaultWithHT |
| Manage Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135) and Microarchitectural Data Sampling (CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130) along with Spectre [ CVE-2017-5753 & CVE-2017-5715 ] and Meltdown [ CVE-2017-5754 ] variants, including Speculative Store Bypass Disable (SSBD) [ CVE-2018-3639 ] as well as L1 Terminal Fault (L1TF) [ CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646 ] with Hyper-Threading disabled | IntelTSXDataSamplingSpectreMeltdownSpeculativeStoreL1TerminalFaultWithoutHT |
The easiest way to get cSpeculationControlFixes is using the PowerShell Gallery!
Best practice is that you inspect modules prior to installing them. You can do this by saving the module to a local path:
PS> Save-Module -Name cSpeculationControlFixes -Path <path>Once you trust a module, you can install it using:
PS> Install-Module -Name cSpeculationControlFixesOnce installed from the PowerShell Gallery, you can update it using:
PS> Update-Module -Name cSpeculationControlFixesTo remove cSpeculationControlFixes:
PS> Uninstall-Module -Name cSpeculationControlFixesInterested in contributing? Read how you can Contribute to cSpeculationControlFixes
This project is maintains a Code of Conduct that establishes how the project is governed and how everyone involved is expected to behave. You can report unacceptable behavior to code@poshsecurity.com.
A detailed release history is contained in the Change Log.
cSpeculationControlFixes is provided under the MIT license.