The Security Extensions Framework also provides platform-specific security extensions that protect Oracle Solaris from various speculative execution vulnerabilities. Some of these security extensions are always enabled, some can be enabled or disabled, and a few can be managed per process, similar to the extensions in the preceding section. You use the sxadm command to manage the extensions that can be configured. See the sxadm(8) man page.
All SPARC mitigations appear in the output of the sxadm status command, but only some of them are configurable. The following mitigations are configurable:
Hardware BTI Mitigation (HW_BTI) mitigates Branch Target Injection, Spectre Variant 2 (https://nvd.nist.gov/vuln/detail/CVE-2017-5715). HW_BTI is not enabled by default. After you enable or disable it, you must reboot for the change to take effect. Enabling it can reduce application performance.
Oracle Solaris provides several speculative execution mitigations for x86 systems. Use the sxadm command to configure them.
Indirect Branch Prediction Barrier (IBPB) mitigates Branch Target Injection, Spectre Variant 2 (https://nvd.nist.gov/vuln/detail/CVE-2017-5715). The kernel issues the barrier so that indirect branches executed before it cannot influence the prediction of indirect branches executed after it, which stops predictor state trained in one security domain from steering speculation in another. It is enabled by default on systems where it is required and supported. Enabling it can reduce application performance.
Indirect Branch Restricted Speculation (IBRS) mitigates Branch Target Injection, Spectre Variant 2 (https://nvd.nist.gov/vuln/detail/CVE-2017-5715). On every entry into the kernel, IBRS restricts the speculation of indirect branches so that predictions trained by less privileged code are not used by the kernel. It is enabled by default on systems where it is required and supported. Enabling it can reduce application performance.
Kernel Page Table Isolation (KPTI) is a software workaround for the Meltdown vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2017-5754). It keeps most kernel memory out of the page tables that are active while user code runs, so a Meltdown-style speculative read from userland has no kernel mapping to sample. It is enabled by default on systems where it is required and supported.
Level 1 Data Cache Flush (L1DF) mitigates L1 Terminal Fault (L1TF) in virtual machine monitors (https://nvd.nist.gov/vuln/detail/CVE-2018-3646). It flushes the L1 data cache every time the host enters a virtual machine (VM entry), so an untrusted guest cannot use the fault to infer data that the host or another guest left in the cache. L1DF is enabled by default on systems where it is required and supported.
MD_CLEAR mitigates the Microarchitectural Data Sampling (MDS) series of vulnerabilities in software by overwriting the store buffers and fill buffers of the affected logical processors, so stale data cannot be sampled from them. It is enabled by default on systems where MD_CLEAR is required and supported.
Microarchitectural Data Sampling Hardware Avoidance Mitigation (MDS_NO) is a read-only extension. It is reported as enabled only when the CPU itself is not vulnerable to MDS, in which case the MD_CLEAR software mitigation is not required.
Rogue Data Cache Avoidance Mitigation (RDCL_NO) is the read-only hardware indicator for Meltdown (https://nvd.nist.gov/vuln/detail/CVE-2017-5754?cpeVersion=2.2) and L1 Terminal Fault (https://nvd.nist.gov/vuln/detail/CVE-2018-3646), both of which let an attacker with local user access infer privileged data through side-channel analysis of the data cache. Like MDS_NO, it is reported as enabled only when the CPU is not vulnerable to these issues and therefore does not need the corresponding software mitigations.
Supervisor Mode Access Prevention (SMAP) prevents kernel (supervisor mode) code from reading or writing pages that are mapped in userland unless the kernel explicitly permits the access, so a kernel bug cannot be steered into consuming attacker-controlled user memory. It is enabled by default when the hardware supports it. Certain applications or drivers that rely on the kernel dereferencing user addresses directly can fail when SMAP is enabled.
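The following is an added example, not code from the Oracle Solaris documentation: a POSIX shell audit that reads the parsable output of sxadm status and reports every configurable mitigation listed above that is not active, distinguishing a mitigation that is simply disabled from HW_BTI configured on but still waiting for the reboot the page says it needs. The EXTENSION:STATUS:CONFIGURATION line format, the lowercase extension names and the sample output are assumptions constructed for the example, not captured from a real system; check the parsable format in sxadm(8) on your release before relying on the parser.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation): audit the
# speculative-execution mitigations that sxadm reports and flag any that are
# not active. Assumption: `sxadm status -p` prints one colon-separated line
# per extension, EXTENSION:STATUS:CONFIGURATION; confirm the parsable format
# in sxadm(8) on your release before relying on this.

# Constructed sample standing in for `sxadm status -p` output; not captured
# from a real system. hw_bti is shown configured enabled but not yet active,
# the state between enabling it and the reboot that activates it.
SAMPLE_STATUS='aslr:enabled.tagged-files:default (enabled.tagged-files)
nxstack:enabled.all:default (enabled.all)
hw_bti:disabled:enabled
ibpb:enabled:default (enabled)
ibrs:enabled:default (enabled)
kpti:enabled:default (enabled)
l1df:disabled:disabled
md_clear:enabled:default (enabled)
mds_no:not-supported:default (not-supported)
rdcl_no:not-supported:default (not-supported)
smap:enabled:default (enabled)'

# Configurable mitigations named on this page. Lowercase spelling is an
# assumption about how sxadm lists them; the page writes them in capitals.
SPEC_EXTS="hw_bti ibpb ibrs kpti l1df md_clear smap"
# Read-only hardware-avoidance indicators, reported for information only.
READONLY_EXTS="mds_no rdcl_no"

# field EXT N STATUS_TEXT: print field N of EXT's line, or nothing if absent.
field() {
  printf '%s\n' "$3" | grep "^$1:" | cut -d: -f"$2" || true
}

# spec_status EXT STATUS_TEXT: print EXT's STATUS field, or "missing".
spec_status() {
  st=$(field "$1" 2 "$2")
  if [ -z "$st" ]; then echo missing; else printf '%s\n' "$st"; fi
}

# audit STATUS_TEXT: print one line per configurable mitigation that is not
# active; return 0 when all are enabled or not-supported, 1 otherwise.
audit() {
  rc=0
  for ext in $SPEC_EXTS; do
    st=$(spec_status "$ext" "$1")
    cfg=$(field "$ext" 3 "$1")
    case "$st" in
      enabled*|not-supported) ;;   # active, or the hardware does not need it
      *)
        case "$cfg" in
          # Configured on but not running: the page says HW_BTI needs a reboot.
          *enabled*) echo "$ext: $st (configured enabled; reboot required to activate)" ;;
          *)         echo "$ext: $st" ;;
        esac
        rc=1 ;;
    esac
  done
  # Hardware indicators are reported but never counted as findings; when they
  # are absent, the software mitigations (MD_CLEAR, KPTI) are doing the work.
  for ext in $READONLY_EXTS; do
    echo "info: $ext = $(spec_status "$ext" "$1")"
  done
  return $rc
}

# Stand-alone run against the constructed sample. On a live system replace
# "$SAMPLE_STATUS" with "$(sxadm status -p)".
if audit "$SAMPLE_STATUS"; then
  echo "all configurable speculative-execution mitigations are active"
else
  echo "one or more mitigations are not active"
fi
```

Run against the sample, the audit reports l1df as disabled and hw_bti as configured but waiting for a reboot, and exits non-zero; a host whose configurable mitigations are all enabled or not-supported exits zero. Use it as a post-patch or post-reboot check rather than as a substitute for reading sxadm status directly, since the status vocabulary is an assumption here.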