Last month, in August 2023, a broad range of modern Intel processors, from 6th Gen Skylake up through the 11th Gen Tiger Lake and Rocket Lake parts, were found to be susceptible to a new processor vulnerability. The flaw is codenamed “Downfall” and tracked as CVE-2022-40982; it is a transient (speculative) execution side-channel attack named Gather Data Sampling (GDS), in which the AVX gather instruction can transiently expose stale data from internal buffers shared with other software running on the same core.
Intel’s newest client parts, the 12th Gen Alder Lake and 13th Gen Raptor Lake CPUs, are not on Intel’s list of affected processors. For the affected CPUs, Microsoft and Intel coordinated the response, and the issue is mitigated via a firmware microcode update (MCU); the Windows-side setting discussed below only controls whether the operating system asks that microcode to keep the mitigation enabled.
Microsoft’s security advisory for the issue originally included a section that explained how to turn the Downfall mitigation off for users who decided GDS was not part of their threat model. Interestingly, Microsoft has since removed that section, and the instructions in it, from its website, and the updated changelog explains why with the following message: “Removed the content to disable the GDS mitigation as that option is no longer available.”
Disabling the mitigation was done by setting a single registry value. Here is the archived version of that section:
Disable the mitigation
If you do not consider GDS to be part of your threat model, you might choose to turn off (disable) the mitigation in a bare-metal environment.
Note: Disabling the mitigation when Hyper-V (Virtualization) is enabled is not in scope of this current implementation.
To disable the GDS mitigation in Windows, you must have the following installed, as appropriate for your environment:
- On supported Windows 10 and Windows 11 environments, you must have installed the Windows update dated on or after August 22, 2023.
- On supported Windows Server environments, you must have installed the Windows update dated on or after September 12, 2023.
After the appropriate Windows update is installed, you must set the following feature flag in the registry:
Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Value name: FeatureSettingsOverride
Value type: REG_DWORD
Value data: 0x2000000 (hex)
If this registry value does not already exist, run the following command to disable the GDS mitigation:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 33554432 /f
Microsoft’s security advisory for Intel’s Downfall (GDS) is support article KB5029778 on Microsoft’s official website.
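One practical caveat with the archived procedure: the reg add /f command overwrites the whole FeatureSettingsOverride DWORD, but that value is a bitmask that Windows also uses for other speculative-execution mitigation overrides, so a machine that already had a value there would silently lose those bits. The PowerShell below is an added example, not code from Microsoft’s KB or from the article’s source: it sets or clears only the 0x2000000 bit from the archived text, reads the result back, and refuses to run when Hyper-V is enabled, which the KB marks as out of scope. The function names, the Hyper-V check via the optional-feature name Microsoft-Hyper-V, and the decision to treat a missing value as 0 are my assumptions; the key path and bit value are the KB’s. Run it from an elevated PowerShell session and reboot afterwards.

```powershell
# Added example (not from Microsoft's KB5029778 text). Assumptions:
# - the key path and the 0x2000000 bit come from the archived KB section;
# - function names, the Hyper-V gate and "missing value == 0" are mine;
# - all override bits currently in use fit in a signed 32-bit DWORD.

$RegPath       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$ValueName     = 'FeatureSettingsOverride'
$GdsDisableBit = 0x2000000   # 33554432 decimal, exactly as in the KB command

function Get-FeatureSettingsOverride {
    # Registry DWORDs come back as signed Int32; normalise to an unsigned value.
    # A missing value is treated as 0 (no overrides set), matching the KB's
    # "if this registry value does not already exist" case.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [uint32]0 }
    return [uint32]($item.$ValueName -band 0xFFFFFFFF)
}

function Test-GdsMitigationDisabled {
    # True when the GDS override bit is present in the current mask.
    return ((Get-FeatureSettingsOverride) -band $GdsDisableBit) -ne 0
}

function Assert-HyperVNotEnabled {
    # The KB states the disable path is out of scope with Hyper-V enabled,
    # so refuse rather than write a setting whose effect is undefined there.
    $hv = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V' -ErrorAction SilentlyContinue
    if ($null -ne $hv -and $hv.State -eq 'Enabled') {
        throw 'Hyper-V is enabled; disabling the GDS mitigation is out of scope per the KB.'
    }
}

function Set-FeatureSettingsOverrideBits {
    param([uint32]$NewValue)
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    # Cast to Int32 for the DWord write; see the assumption above about bit width.
    Set-ItemProperty -Path $RegPath -Name $ValueName -Value ([int]$NewValue) -Type DWord
}

function Disable-GdsMitigation {
    Assert-HyperVNotEnabled
    $current = Get-FeatureSettingsOverride
    $new     = [uint32]($current -bor $GdsDisableBit)   # OR the bit in; keep other override bits
    Set-FeatureSettingsOverrideBits -NewValue $new
    Write-Host ('FeatureSettingsOverride: 0x{0:X8} -> 0x{1:X8} (reboot required)' -f $current, $new)
}

function Enable-GdsMitigation {
    # Reverse the change: clear only our bit, leaving any other overrides intact.
    $current = Get-FeatureSettingsOverride
    $new     = [uint32]($current -band (-bnot [int64]$GdsDisableBit) -band 0xFFFFFFFF)
    Set-FeatureSettingsOverrideBits -NewValue $new
    Write-Host ('FeatureSettingsOverride: 0x{0:X8} -> 0x{1:X8} (reboot required)' -f $current, $new)
}

# Usage (elevated session):
#   Disable-GdsMitigation          # sets the 0x2000000 bit, then reboot
#   Test-GdsMitigationDisabled     # read back: is the bit set in the registry?
#   Enable-GdsMitigation           # clears the bit again, then reboot
```

Test-GdsMitigationDisabled only tells you what the registry asks for, not what the microcode is doing: the bit is honoured only after a reboot, only on builds where Microsoft still wires it through, and Microsoft’s changelog now says the option is no longer available, so on a current build the write may succeed while the mitigation stays in force. Treat the registry state as the request and confirm the effective state through whatever speculation-control reporting your Windows build provides before relying on the performance gain.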