Security Extensions Protection on the x86 Platform
Oracle Solaris provides several speculative execution mitigations for x86 systems. Use the sxadm
command to configure them.
Note:
If you enable or disable mitigations that are set at boot time, you must reboot the system for the changes to take effect.
-
IBPB
-
Indirect Branch Prediction Barrier (
IBPB
) mitigates Branch Target Injection, Spectre Variant 2 (https://nvd.nist.gov/vuln/detail/CVE-2017-5715). It is used in the kernel to guarantee that older indirect branches cannot influence predictions of indirect branches in the future. It is enabled by default on systems where it is required and supported. When it is enabled, application performance can slow. -
IBRS
-
Indirect Branch Restricted Speculation (
IBRS
) mitigates Branch Target Injection, Spectre Variant 2 (https://nvd.nist.gov/vuln/detail/CVE-2017-5715). At every entry into the kernel,IBRS
restricts the speculation of indirect branches. It is enabled by default on systems where it is required and supported. When it is enabled, application performance can slow. -
IF_PSCHANGE_MC_NO
-
Machine Check Error on Page Size Change (
IF_PSCHANGE_MC_NO
) is a read-only extension that mitigates CVE-2018-12207 (https://nvid.nist.gov/vuln/detail/CVE-2018-12207). It is enabled by default on systems where it is supported. -
KPTI
-
Kernel Page Table Isolation (
KPTI
) is a software workaround for Meltdown vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2017-5754). It is enabled by default on systems where it is supported. -
L1DF
-
Level 1 Data Cache Flush (
L1DF
) mitigates CVE-2018-3646 (https://nvd.nist.gov/vuln/detail/CVE-2018-3646). It flushes sensitive data from the L1D cache to prevent an untrusted guest virtual machine from inferring data from other guest virtual machines. This flush is performed every time the host system enters a virtual machine (VM entry).L1DF
is enabled by default on systems where it is required and supported.Note:
Although
L1DF
is needed only when running non-trusted kernel zones, full mitigation also requires disabling hyper-threading (HT). -
MD_CLEAR
-
Microarchitectural Data Sampling Avoidance Mitigation (
MD_CLEAR
) mitigates the Microarchitectural Data Sampling (MDS) series of vulnerabilities. The vulnerabilities are:- Microarchitectural Data Sampling Uncacheable Memory (MDSUM) (https://nvd.nist.gov/vuln/detail/CVE-2019-11091)
- Microarchitectural Store Buffer Data Sampling (MSBDS) (https://nvd.nist.gov/vuln/detail/CVE-2018-12126)
- Microarchitectural Load Port Data Sampling (MLPDS) (https://nvd.nist.gov/vuln/detail/CVE-2018-12127)
- Microarchitectural Fill Buffer Data Sampling (MFBDS) (https://nvd.nist.gov/vuln/detail/CVE-2018-12130)
MD_CLEAR
overwrites the store and fill buffers on the logical processors that are affected by MDS. It is enabled by default on systems whereMD_CLEAR
is required and supported.Note:
Full mitigation of
MD_CLEAR
also requires disabling hyper-threading (HT). -
MDS_NO
-
Microarchitectural Data Sampling Hardware Avoidance Mitigation (
MDS_NO
) is a read-only extension that is only enabled if the CPU is not vulnerable to the Microarchitectural Data Sampling (MDS) series of vulnerabilities that theMD_CLEAR
extension mitigates in software.Note:
When
MDS_NO
is enabled,MD_CLEAR
is enabled read-only. -
RDCL_NO
-
Rogue Data Cache Avoidance Mitigation (
RDCL_NO
) mitigates CVE-2017-5754 Version 2.2 (https://nvd.nist.gov/vuln/detail/CVE-2017-5754?cpeVersion=2.2) and CVE-2018-3646 (https://nvd.nist.gov/vuln/detail/CVE-2018-3646). It prevents unauthorized disclosure of information to an attacker with local user access through a side-channel analysis of the data cache.RDCL_NO
is read-only, and enabled by default on systems where it is supported.Note:
When
RDCL_NO
is enabled,L1DF
is also enabled read-only. -
RSBS
-
Return Stack Buffer Speculation (
RSBS
) counters Spectre RSB (https://nvd.nist.gov/vuln/detail/CVE-2017-5715) by making several consecutive calls and returns for every context switch.RSBS
is enabled by default on systems where it is required and supported. -
SMAP
-
Supervisor Mode Access Prevention (
SMAP
) prevents supervisor mode execution of text that is mapped in userland. It is enabled by default when it is supported by the hardware. Certain applications or drivers can fail whenSMAP
is enabled. -
SSBD
-
Speculative Store Bypass Disable (
SSBD
) mitigates CVE-2018-3639 (https://nvd.nist.gov/vuln/detail/CVE-2018-3639). It restricts loads from speculating around older stores, which mostly affects interpreters such as the JVM and Javascript engines.SSBD
is not enabled at boot time.Similar to the ASLR and ADI security extensions, this extension can be enabled on individual binaries. Such configuration changes do not require a reboot. For examples of how to do this, see Compiling an Application With adistack Enabled, Illustrating Security Extension Inheritance, and the
sxadm
(8) man page.Note:
The
SSBD
mitigation is implemented differently on the SPARC platform. SeeSSBD
in Security Extensions Protection on the SPARC Platform. -
TAA_NO
-
TAA_NO
is a read-only extension that mitigates the TSX Asynchronous Abort (TAA) (https://nvid.nist.gov/vuln/detail/CVE-2019-11135) vulnerability. It is enabled by default only when the CPU supports the Intel TSX feature and is not vulnerable to the TAA vulnerability due to a hardware mitigation. Otherwise, the extension is in thenot supported
state. -
TSX_DISABLE
-
TSX_DISABLE
is a read-only extension that mitigates the TSX Asynchronous Abort (TAA) (https://nvid.nist.gov/vuln/detail/CVE-2019-11135) vulnerability by using a control register to disable TSX.If the
TAA_NO
,TSX_DISABLE
, andMDS_NO
extensions are in thenot supported
state, you might be able to mitigate TAA by enabling theMD_CLEAR
extension, if not enabled already, and then rebooting the system.If the
MDS_NO
extension is in theenabled
state, and if both theTAA_NO
andTSX_DISABLE
extensions are in thenot supported
state, you cannot mitigate the TAA vulnerability until after you perform a microcode update.The following table shows the minimum microcode version for each Intel Xeon CPU that contains the mitigation for the TAA vulnerability. Each table entry lists information about an Intel Xeon CPU including the CPU name and code name, its CPU identifier, and its minimum microcode version.
Intel CPU (Code Name) CPU Identifier Minimum Microcode Version E7 v3 (Haswell-EX)
306F4
0x00000016
E5 v4 (Broadwell-EP)
406F1
0x0B000038
Scalable Processor (Skylake-SP)
50654
0x02000065
Scalable Processor (Cascade Lake-SP)
50657
0x0500002C
See the following information about updating the system firmware on your x86 systems:
-
Update the microcode by updating the system firmware to the latest version. See Firmware Resources (https://www.oracle.com/servers/technologies/firmware-resources.html).
-
Install firmware updates on Oracle x86 systems. See Oracle x86 Servers Administration, Diagnostics, and Applications Documentation (https://docs.oracle.com/cd/E23161_01/).
-
Download the latest Oracle x86 system firmware version. See Welcome to the Server System Firmware Release Hub (https://www.oracle.com/servers/technologies/firmware.html).
-
Obtain information about updating system firmware on non-Oracle x86 systems by referring to your vendor's documentation.
-
-
UMIP
-
User-Mode Instruction Prevention (
UMIP
) is a mechanism on Intel CPUs that restricts the execution of specific instructions if the CPU is running outside of its highest privileged mode (e.g., running in user mode). This is a security feature to prevent potential manipulation of system software data structures by malicious userland applications.It is enabled by default when it is supported by the hardware. A reboot is required after enabling or disabling
UMIP
for the changes to take effect.