The Security Extensions Framework also provides platform-specific security extensions that protect Oracle Solaris from various speculative execution vulnerabilities. Some of these security extensions are always enabled, some can be enabled or disabled, and a few can be managed per process, similar to the extensions in the preceding section. You use the sxadm command to manage the extensions that can be configured. See the sxadm(8) man page.
All SPARC mitigations display in the output of the sxadm status command, but some are not configurable. The following mitigations are configurable:
Hardware BTI Mitigation (HW_BTI) mitigates https://nvd.nist.gov/vuln/detail/CVE-2017-5715 (Branch Target Injection, Spectre Variant 2). HW_BTI is not enabled by default. You must reboot after enabling or disabling it for the changes to take effect. When it is enabled, application performance can slow.
Oracle Solaris provides several speculative execution mitigations for x86 systems. Use the sxadm command to configure them.
Indirect Branch Prediction Barrier (IBPB) mitigates Branch Target Injection, Spectre Variant 2 (https://nvd.nist.gov/vuln/detail/CVE-2017-5715). It is used in the kernel to guarantee that older indirect branches cannot influence predictions of indirect branches in the future. It is enabled by default on systems where it is required and supported. When it is enabled, application performance can slow.
Indirect Branch Restricted Speculation (IBRS) mitigates Branch Target Injection, Spectre Variant 2 (https://nvd.nist.gov/vuln/detail/CVE-2017-5715). At every entry into the kernel, IBRS restricts the speculation of indirect branches. It is enabled by default on systems where it is required and supported. When it is enabled, application performance can slow.
Kernel Page Table Isolation (KPTI) is a software workaround for the Meltdown vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2017-5754). It is enabled by default on systems where it is required and supported.
Level 1 Data Cache Flush (L1DF) mitigates https://nvd.nist.gov/vuln/detail/CVE-2018-3646. It flushes sensitive data from the L1D cache to prevent an untrusted guest virtual machine from inferring data from other guest virtual machines. This flush is performed every time the host system enters a virtual machine (VM entry). L1DF is enabled by default on systems where it is required and supported.
Rogue Data Cache Avoidance Mitigation (RDCL_NO) mitigates https://nvd.nist.gov/vuln/detail/CVE-2017-5754?cpeVersion=2.2 and https://nvd.nist.gov/vuln/detail/CVE-2018-3646. It prevents unauthorized disclosure of information to an attacker with local user access through side-channel analysis of the data cache. RDCL_NO is read-only and is enabled by default on systems where it is required and supported.
Supervisor Mode Access Prevention (SMAP) prevents supervisor mode execution of text that is mapped in userland. It is enabled by default when it is supported by the hardware. Certain applications or drivers can fail when SMAP is enabled.
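Because several of the mitigations above are configurable and a disabled one is easy to overlook, a practitioner typically checks sxadm status against a required list as part of host hardening. The following script is an added example and is not part of the Oracle Solaris documentation or the sxadm tool. It assumes that sxadm status -p prints one extension per line in the parsable form EXTENSION:STATUS:CONFIGURATION; the lowercase extension names, the required-mitigation policy list, and the sample status lines are constructed for the example, so confirm the real names with sxadm status on your own system.

```shell
#!/bin/sh
# Added example: audit speculative-execution mitigations from sxadm output.
# Not part of the Oracle documentation. Assumes `sxadm status -p` prints
# one extension per line as EXTENSION:STATUS:CONFIGURATION (parsable form).
# Extension names, the policy list and the sample lines are constructed
# for this example; check the real names on your host with `sxadm status`.

# Mitigations this (constructed) policy requires to be enabled.
REQUIRED="ibpb ibrs kpti l1df smap"

# Constructed sample of `sxadm status -p` output for a hypothetical x86 host.
# It is not real output from any system; kpti is deliberately disabled
# so that the audit has something to report.
SAMPLE_STATUS='aslr:enabled(tagged-files):default (enabled)
nxstack:enabled(all):default (enabled)
ibpb:enabled(all):default (enabled)
ibrs:enabled(all):default (enabled)
kpti:disabled:disabled
l1df:enabled(all):default (enabled)
rdcl_no:not supported:default (disabled)
smap:enabled(all):default (enabled)'

# mitigation_state NAME STATUS_TEXT
# Prints the STATUS field for extension NAME, or "missing" if NAME does not
# appear in the status text at all (for example on the wrong architecture).
mitigation_state() {
    name=$1
    text=$2
    state=$(printf '%s\n' "$text" | awk -F: -v n="$name" '$1 == n { print $2; exit }')
    if [ -z "$state" ]; then
        echo missing
    else
        echo "$state"
    fi
}

# audit_mitigations STATUS_TEXT
# Prints one line per required mitigation that is not enabled, as
# "NAME STATE". Returns 0 when every required mitigation is enabled,
# 1 otherwise, so it can drive a hardening check or a monitoring alert.
audit_mitigations() {
    text=$1
    rc=0
    for m in $REQUIRED; do
        st=$(mitigation_state "$m" "$text")
        case "$st" in
            enabled*) ;;                 # "enabled", "enabled(all)", ... are fine
            *) echo "$m $st"; rc=1 ;;    # disabled, not supported, or missing
        esac
    done
    return $rc
}

# Stand-alone run against the constructed sample. On a Solaris host you would
# instead call: audit_mitigations "$(sxadm status -p)"
if audit_mitigations "$SAMPLE_STATUS"; then
    echo "all required mitigations are enabled"
else
    echo "some required mitigations are not enabled (listed above)"
fi
```

The audit treats "not supported" and a missing entry the same as "disabled", because from a risk standpoint all three mean the host is running without that mitigation; whether that is acceptable (for instance on hardware that does not need it) is a decision to record in the policy rather than to hide in the check.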