
Securing Systems and Attached Devices in Oracle® Solaris 11.4

Updated: February 2020

Protecting Platforms Against Speculative Execution Attacks

The Security Extensions Framework also provides platform-specific security extensions that protect Oracle Solaris from various speculative execution vulnerabilities. Some of these security extensions are always enabled, some can be enabled or disabled, and a few can be managed per process, similar to the extensions in the preceding section. You use the sxadm command to manage the extensions that can be configured. See the sxadm(8) man page.


Note - If you enable or disable mitigations that are set at boot time, you must reboot the system for the changes to take effect.

SPARC: Security Extensions Protection on the SPARC Platform

All SPARC mitigations display in the output of the sxadm status command, but some are not configurable. The following mitigations are configurable:

HW_BTI

Hardware BTI Mitigation (HW_BTI) mitigates https://nvd.nist.gov/vuln/detail/CVE-2017-5715 (Branch Target Injection, Spectre Variant 2). HW_BTI is not enabled by default. You must reboot after enabling or disabling it for the changes to take effect. When it is enabled, application performance can slow.

SSBD

Speculative Store Bypass Disable (SSBD) mitigates https://nvd.nist.gov/vuln/detail/CVE-2018-3639. It restricts loads from speculating around older stores, which mostly affects interpreters such as the JVM and JavaScript engines. SSBD is enabled by default on systems where it is required and supported. When it is enabled, application performance can slow.


Note - The SSBD mitigation is implemented differently on the x86 platform. See SSBD in Security Extensions Protection on the x86 Platform.

Tip - Use the sxadm status command to display the current status of SPARC mitigations. To change the status, use the ILOM interface, as shown in Setting Host Control and Boot Properties on SPARC Host Server in Oracle ILOM Administrator's Guide for Configuration and Maintenance Firmware Release 4.0.x.

x86: Security Extensions Protection on the x86 Platform

Oracle Solaris provides several speculative execution mitigations for x86 systems. Use the sxadm command to configure them.


Note - If you enable or disable mitigations that are set at boot time, you must reboot the system for the changes to take effect.

IBPB

Indirect Branch Prediction Barrier (IBPB) mitigates Branch Target Injection, Spectre Variant 2 (https://nvd.nist.gov/vuln/detail/CVE-2017-5715). It is used in the kernel to guarantee that older indirect branches cannot influence predictions of indirect branches in the future. It is enabled by default on systems where it is required and supported. When it is enabled, application performance can slow.

IBRS

Indirect Branch Restricted Speculation (IBRS) mitigates Branch Target Injection, Spectre Variant 2 (https://nvd.nist.gov/vuln/detail/CVE-2017-5715). At every entry into the kernel, IBRS restricts the speculation of indirect branches. It is enabled by default on systems where it is required and supported. When it is enabled, application performance can slow.

KPTI

Kernel Page Table Isolation (KPTI) is a software workaround for the Meltdown vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2017-5754). It is enabled by default on systems where it is required and supported.

L1DF

Level 1 Data Cache Flush (L1DF) mitigates https://nvd.nist.gov/vuln/detail/CVE-2018-3646. It flushes sensitive data from the L1D cache to prevent an untrusted guest virtual machine from inferring data from other guest virtual machines. This flush is performed every time the host system enters a virtual machine (VM entry). L1DF is enabled by default on systems where it is required and supported.


Note - Although L1DF is needed only when running non-trusted kernel zones, full mitigation also requires disabling hyper-threading (HT).

MD_CLEAR

Microarchitectural Data Sampling Avoidance Mitigation (MD_CLEAR) mitigates the Microarchitectural Data Sampling (MDS) series of vulnerabilities. The vulnerabilities are:

MD_CLEAR overwrites the store and fill buffers on the logical processors that are affected by MDS. It is enabled by default on systems where MD_CLEAR is required and supported.


Note - Full mitigation of MD_CLEAR also requires disabling hyper-threading (HT).

MDS_NO

Microarchitectural Data Sampling Hardware Avoidance Mitigation (MDS_NO) is a read-only extension that is enabled only when the CPU is not vulnerable to the Microarchitectural Data Sampling (MDS) series of vulnerabilities that the MD_CLEAR extension mitigates in software.


Note - When MDS_NO is enabled, MD_CLEAR is enabled read-only.

RDCL_NO

Rogue Data Cache Avoidance Mitigation (RDCL_NO) mitigates https://nvd.nist.gov/vuln/detail/CVE-2017-5754?cpeVersion=2.2 and https://nvd.nist.gov/vuln/detail/CVE-2018-3646. It prevents unauthorized disclosure of information to an attacker with local user access through a side-channel analysis of the data cache. RDCL_NO is read-only and is enabled by default on systems where it is required and supported.


Note - When RDCL_NO is enabled, L1DF is also enabled read-only.

SMAP

Supervisor Mode Access Prevention (SMAP) prevents supervisor mode execution of text that is mapped in userland. It is enabled by default when it is supported by the hardware. Certain applications or drivers can fail when SMAP is enabled.

SSBD

Speculative Store Bypass Disable (SSBD) mitigates https://nvd.nist.gov/vuln/detail/CVE-2018-3639. It restricts loads from speculating around older stores, which mostly affects interpreters such as the JVM and JavaScript engines. SSBD is not enabled at boot time.

Similar to the ASLR and ADI security extensions, this extension can be enabled on individual binaries. Such configuration changes do not require a reboot. For examples of how to do this, see Example 3, Compiling an Application With adistack Enabled, Example 4, Illustrating Security Extension Inheritance, and the sxadm(8) man page.


Note - The SSBD mitigation is implemented differently on the SPARC platform. See SSBD in Security Extensions Protection on the SPARC Platform.
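The following shell script is an added example and is not part of this Oracle documentation. It audits the output of sxadm status for the x86 mitigations that this section says are enabled by default where required and supported (IBPB, IBRS, KPTI, L1DF, MD_CLEAR, SMAP), and reports any that are not enabled. The sxadm status text embedded in the script is constructed for offline use: the EXTENSION, STATUS and FLAGS column layout follows what sxadm prints, but the rows, status strings and flags on a real host will differ. The function names, the expected-mitigation list and the sample rows are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation): audit `sxadm status`
# output for x86 mitigations expected to be enabled by default.

# CONSTRUCTED sample of `sxadm status` output for offline use; real rows differ.
SAMPLE_SXADM_STATUS='EXTENSION           STATUS                         FLAGS
aslr                enabled.all                    u-c
nxstack             enabled.all                    u-c
nxheap              enabled.all                    u-c
ibpb                enabled.all                    --c
ibrs                enabled.all                    --c
kpti                enabled.all                    --c
l1df                disabled                       --c
md_clear            enabled.all                    --c
mds_no              enabled                        ---
rdcl_no             disabled                       ---
smap                enabled.all                    --c
ssbd                disabled                       u-c'

# Mitigations the x86 section describes as enabled by default where required and
# supported. SSBD is deliberately absent: it is off at boot and set per binary.
EXPECTED_X86="ibpb ibrs kpti l1df md_clear smap"

# mitigation_status NAME: print the STATUS column for NAME from sxadm status text
# on stdin. Prints "missing" and returns 1 if the row is absent (for example,
# an x86-only extension queried on a SPARC host).
mitigation_status() {
    awk -v want="$1" '
        NR > 1 && $1 == want { print $2; found = 1; exit }
        END { if (!found) { print "missing"; exit 1 } }'
}

# audit_mitigations: read sxadm status text on stdin and print one "name: status"
# line per expected mitigation whose STATUS does not begin with "enabled".
# Returns the number of findings, so 0 means every expected mitigation is on.
audit_mitigations() {
    status_text=$(cat)
    findings=0
    for ext in $EXPECTED_X86; do
        # "|| :" keeps the "missing" value even though mitigation_status returns 1
        st=$(printf '%s\n' "$status_text" | mitigation_status "$ext") || :
        case "$st" in
            enabled*) ;;
            *) printf '%s: %s\n' "$ext" "$st"; findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Stand-alone run against the constructed sample (l1df is disabled there).
# On a live host replace the printf with:  sxadm status | audit_mitigations
if printf '%s\n' "$SAMPLE_SXADM_STATUS" | audit_mitigations; then
    echo "all expected mitigations are enabled"
else
    echo "some expected mitigations are not enabled (listed above)"
fi
```

The audit checks only the boot-time, system-wide extensions. SSBD is left out of the expected list on purpose, because the section states it is not enabled at boot on x86 and is instead enabled per binary with the sxadm exec -s ssbd=enable form documented in sxadm(8), which does not change the global status shown by sxadm status. A non-zero return from audit_mitigations is the finding count, so the script can be dropped into a compliance check that treats any non-zero result as a failure.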