
Securing Systems and Attached Devices in Oracle® Solaris 11.4


Updated: July 2019

Protecting Platforms Against Speculative Execution Attacks

The Security Extensions Framework also provides platform-specific security extensions that protect Oracle Solaris from various speculative execution vulnerabilities. Some of these security extensions are always enabled, some can be enabled or disabled, and a few can be managed per process, similar to the extensions in the preceding section. You use the sxadm command to manage the extensions that can be configured. See the sxadm(8) man page.


Note -  If you enable or disable mitigations that are set at boot time, you must reboot the system for the changes to take effect.

SPARC: Security Extensions Protection on the SPARC Platform

All SPARC mitigations display in the output of the sxadm status command, but some are not configurable. The following mitigations are configurable:

HW_BTI

Hardware BTI Mitigation (HW_BTI) mitigates https://nvd.nist.gov/vuln/detail/CVE-2017-5715 (Branch Target Injection, Spectre Variant 2). HW_BTI is not enabled by default. You must reboot after enabling or disabling it for the changes to take effect. When it is enabled, application performance can slow.


Tip  -  Use the sxadm status command to display the current status of SPARC mitigations. To change the status, use the ILOM interface, as shown in Setting Host Control and Boot Properties on SPARC Host Server in Oracle ILOM Administrator's Guide for Configuration and Maintenance Firmware Release 4.0.x.

x86: Security Extensions Protection on the x86 Platform

Oracle Solaris provides several speculative execution mitigations for x86 systems. Use the sxadm command to configure them.


Note -  If you enable or disable mitigations that are set at boot time, you must reboot the system for the changes to take effect.

IBPB

Indirect Branch Prediction Barrier (IBPB) mitigates Branch Target Injection, Spectre Variant 2 (https://nvd.nist.gov/vuln/detail/CVE-2017-5715). It is used in the kernel to guarantee that older indirect branches cannot influence predictions of indirect branches in the future. It is enabled by default on systems where it is required and supported. When it is enabled, application performance can slow.

IBRS

Indirect Branch Restricted Speculation (IBRS) mitigates Branch Target Injection, Spectre Variant 2 (https://nvd.nist.gov/vuln/detail/CVE-2017-5715). At every entry into the kernel, IBRS restricts the speculation of indirect branches. It is enabled by default on systems where it is required and supported. When it is enabled, application performance can slow.

KPTI

Kernel Page Table Isolation (KPTI) is a software workaround for the Meltdown vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2017-5754). It is enabled by default on systems where it is required and supported.

L1DF

Level 1 Data Cache Flush (L1DF) mitigates https://nvd.nist.gov/vuln/detail/CVE-2018-3646. It flushes sensitive data from the L1D cache to prevent an untrusted guest virtual machine from inferring data from other guest virtual machines. This flush is performed every time the host system enters a virtual machine (VM entry). L1DF is enabled by default on systems where it is required and supported.


Note -  Although L1DF is needed only when running non-trusted kernel zones, full mitigation also requires disabling hyper-threading (HT).

RDCL_NO

Rogue Data Cache Avoidance Mitigation (RDCL_NO) mitigates https://nvd.nist.gov/vuln/detail/CVE-2017-5754?cpeVersion=2.2 and https://nvd.nist.gov/vuln/detail/CVE-2018-3646. It prevents unauthorized disclosure of information to an attacker with local user access through side-channel analysis of the data cache. RDCL_NO is read-only and is enabled by default on systems where it is required and supported.


Note -  When RDCL_NO is enabled, L1DF is also enabled read-only.

SMAP

Supervisor Mode Access Prevention (SMAP) prevents supervisor mode execution of text that is mapped in userland. It is enabled by default when it is supported by the hardware. Certain applications or drivers can fail when SMAP is enabled.
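The following shell script is an added example, not part of this Oracle document and not Oracle code, that audits the x86 mitigations named above (IBPB, IBRS, KPTI, L1DF, RDCL_NO, SMAP) from the output of sxadm status. The sample status text embedded in the script is constructed for illustration, and its column layout (EXTENSION, STATUS, FLAGS) and the presence of a parenthesised qualifier after "enabled" are assumptions about the command's output, not captured from a real system. The audit_live function runs the real sxadm only when it is installed and otherwise falls back to the constructed sample so the script runs offline.

```shell
#!/bin/sh
# Constructed sample of `sxadm status` output. The column layout is an
# assumption for this example; the values are made up (IBRS deliberately
# shown as disabled) and were not captured from a real Oracle Solaris host.
SAMPLE_STATUS='EXTENSION           STATUS                         FLAGS
aslr                enabled (tagged-files)         u-c
nxstack             enabled (all)                  u-c
ibpb                enabled (all)                  -k-
ibrs                disabled                       -k-
kpti                enabled (all)                  -k-
l1df                enabled (all)                  -k-
rdcl_no             enabled (all)                  -k-
smap                enabled (all)                  -k-'

# The x86 speculative execution mitigations described on this page,
# in the lowercase form sxadm uses for extension names.
SPEC_EXTENSIONS="ibpb ibrs kpti l1df rdcl_no smap"

# Print the STATUS word (enabled/disabled) for one extension, or "missing"
# when the extension does not appear in the status text at all.
#   $1 = status text, $2 = extension name
ext_state() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == name { print $2; found = 1; exit }
        END { if (!found) print "missing" }'
}

# List every mitigation from SPEC_EXTENSIONS that is not reported as enabled.
# Output: one "name state" pair per line; empty when everything is enabled.
#   $1 = status text
disabled_mitigations() {
    status_text="$1"
    for ext in $SPEC_EXTENSIONS; do
        state=$(ext_state "$status_text" "$ext")
        [ "$state" = "enabled" ] || printf '%s %s\n' "$ext" "$state"
    done
}

# Audit a live system when sxadm is available; otherwise use the sample so the
# script can be exercised on a non-Solaris machine.
audit_live() {
    if command -v sxadm >/dev/null 2>&1; then
        disabled_mitigations "$(sxadm status)"
    else
        disabled_mitigations "$SAMPLE_STATUS"
    fi
}

# Example run: prints "ibrs disabled" for the constructed sample.
audit_live
```

On a real host, a non-empty report identifies mitigations to review with sxadm(8); remember that extensions set at boot time require a reboot after you change them, and that RDCL_NO (and L1DF while RDCL_NO is enabled) is read-only and cannot be changed with sxadm.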