Security Extensions Protection on the SPARC Platform

All SPARC mitigations are displayed in the output of the sxadm status command, but some are not configurable. The following mitigations are configurable:

HW_BTI

Hardware BTI Mitigation (HW_BTI) mitigates Branch Target Injection, Spectre Variant 2 (https://nvd.nist.gov/vuln/detail/CVE-2017-5715). HW_BTI is not enabled by default. You must reboot after enabling or disabling it for the changes to take effect. When it is enabled, application performance can slow.

SSBD

Speculative Store Bypass Disable (SSBD) mitigates CVE-2018-3639 (https://nvd.nist.gov/vuln/detail/CVE-2018-3639). It restricts loads from speculating around older stores, which mostly affects interpreters such as the JVM and JavaScript engines. SSBD is enabled by default on systems where it is required and supported. When it is enabled, application performance can slow.

Note:

The SSBD mitigation is implemented differently on the x86 platform. See SSBD in Security Extensions Protection on the x86 Platform.

Tip:

Use the sxadm status command to display the current status of SPARC mitigations. To change the status, use the ILOM interface, as shown in Setting Host Control and Boot Properties on SPARC Host Server in Oracle ILOM Administrator's Guide for Configuration and Maintenance Firmware Release 4.0.x.