Security Extensions Protection on the x86 Platform

Oracle Solaris provides several speculative execution mitigations for x86 systems. Use the sxadm command to configure them.

Note:

If you enable or disable mitigations that are set at boot time, you must reboot the system for the changes to take effect.

IBPB

Indirect Branch Prediction Barrier (IBPB) mitigates Branch Target Injection, Spectre Variant 2 (https://nvd.nist.gov/vuln/detail/CVE-2017-5715). It is used in the kernel to guarantee that older indirect branches cannot influence predictions of indirect branches in the future. It is enabled by default on systems where it is required and supported. When it is enabled, application performance can slow.

IBRS

Indirect Branch Restricted Speculation (IBRS) mitigates Branch Target Injection, Spectre Variant 2 (https://nvd.nist.gov/vuln/detail/CVE-2017-5715). At every entry into the kernel, IBRS restricts the speculation of indirect branches. It is enabled by default on systems where it is required and supported. When it is enabled, application performance can slow.

IF_PSCHANGE_MC_NO

Machine Check Error on Page Size Change (IF_PSCHANGE_MC_NO) is a read-only extension that mitigates CVE-2018-12207 (https://nvid.nist.gov/vuln/detail/CVE-2018-12207). It is enabled by default on systems where it is supported.

KPTI

Kernel Page Table Isolation (KPTI) is a software workaround for Meltdown vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2017-5754). It is enabled by default on systems where it is supported.

L1DF

Level 1 Data Cache Flush (L1DF) mitigates CVE-2018-3646 (https://nvd.nist.gov/vuln/detail/CVE-2018-3646). It flushes sensitive data from the L1D cache to prevent an untrusted guest virtual machine from inferring data from other guest virtual machines. This flush is performed every time the host system enters a virtual machine (VM entry). L1DF is enabled by default on systems where it is required and supported.

Note:

Although L1DF is needed only when running non-trusted kernel zones, full mitigation also requires disabling hyper-threading (HT).

MD_CLEAR

Microarchitectural Data Sampling Avoidance Mitigation (MD_CLEAR) mitigates the Microarchitectural Data Sampling (MDS) series of vulnerabilities. The vulnerabilities are:

• Microarchitectural Data Sampling Uncacheable Memory (MDSUM) (https://nvd.nist.gov/vuln/detail/CVE-2019-11091)
• Microarchitectural Store Buffer Data Sampling (MSBDS) (https://nvd.nist.gov/vuln/detail/CVE-2018-12126)
• Microarchitectural Load Port Data Sampling (MLPDS) (https://nvd.nist.gov/vuln/detail/CVE-2018-12127)
• Microarchitectural Fill Buffer Data Sampling (MFBDS) (https://nvd.nist.gov/vuln/detail/CVE-2018-12130)

MD_CLEAR overwrites the store and fill buffers on the logical processors that are affected by MDS. It is enabled by default on systems where MD_CLEAR is required and supported.

Note:

Full mitigation of MD_CLEAR also requires disabling hyper-threading (HT).

MDS_NO

Microarchitectural Data Sampling Hardware Avoidance Mitigation (MDS_NO) is a read-only extension that is only enabled if the CPU is not vulnerable to the Microarchitectural Data Sampling (MDS) series of vulnerabilities that the MD_CLEAR extension mitigates in software.

Note:

When MDS_NO is enabled, MD_CLEAR is enabled read-only.

RDCL_NO

Rogue Data Cache Avoidance Mitigation (RDCL_NO) mitigates CVE-2017-5754 Version 2.2 (https://nvd.nist.gov/vuln/detail/CVE-2017-5754?cpeVersion=2.2) and CVE-2018-3646 (https://nvd.nist.gov/vuln/detail/CVE-2018-3646). It prevents unauthorized disclosure of information to an attacker with local user access through a side-channel analysis of the data cache. RDCL_NO is read-only, and enabled by default on systems where it is supported.

Note:

When RDCL_NO is enabled, L1DF is also enabled read-only.

RSBS

Return Stack Buffer Speculation (RSBS) counters Spectre RSB (https://nvd.nist.gov/vuln/detail/CVE-2017-5715) by making several consecutive calls and returns for every context switch. RSBS is enabled by default on systems where it is required and supported.

SMAP

Supervisor Mode Access Prevention (SMAP) prevents supervisor mode execution of text that is mapped in userland. It is enabled by default when it is supported by the hardware. Certain applications or drivers can fail when SMAP is enabled.

SSBD

Speculative Store Bypass Disable (SSBD) mitigates CVE-2018-3639 (https://nvd.nist.gov/vuln/detail/CVE-2018-3639). It restricts loads from speculating around older stores, which mostly affects interpreters such as the JVM and Javascript engines. SSBD is not enabled at boot time.

Similar to the ASLR and ADI security extensions, this extension can be enabled on individual binaries. Such configuration changes do not require a reboot. For examples of how to do this, see Compiling an Application With adistack Enabled, Illustrating Security Extension Inheritance, and the sxadm(8) man page.

Note:

The SSBD mitigation is implemented differently on the SPARC platform. See SSBD in Security Extensions Protection on the SPARC Platform.

TAA_NO

TAA_NO is a read-only extension that mitigates the TSX Asynchronous Abort (TAA) (https://nvid.nist.gov/vuln/detail/CVE-2019-11135) vulnerability. It is enabled by default only when the CPU supports the Intel TSX feature and is not vulnerable to the TAA vulnerability due to a hardware mitigation. Otherwise, the extension is in the not supported state.

TSX_DISABLE

TSX_DISABLE is a read-only extension that mitigates the TSX Asynchronous Abort (TAA) (https://nvid.nist.gov/vuln/detail/CVE-2019-11135) vulnerability by using a control register to disable TSX.

If the TAA_NO, TSX_DISABLE, and MDS_NO extensions are in the not supported state, you might be able to mitigate TAA by enabling the MD_CLEAR extension, if not enabled already, and then rebooting the system.

If the MDS_NO extension is in the enabled state, and if both the TAA_NO and TSX_DISABLE extensions are in the not supported state, you cannot mitigate the TAA vulnerability until after you perform a microcode update.

The following table shows the minimum microcode version for each Intel Xeon CPU that contains the mitigation for the TAA vulnerability. Each table entry lists information about an Intel Xeon CPU including the CPU name and code name, its CPU identifier, and its minimum microcode version.

Intel CPU (Code Name)	CPU Identifier	Minimum Microcode Version
E7 v3 (Haswell-EX)	306F4	0x00000016
E5 v4 (Broadwell-EP)	406F1	0x0B000038
Scalable Processor (Skylake-SP)	50654	0x02000065
Scalable Processor (Cascade Lake-SP)	50657	0x0500002C

See the following information about updating the system firmware on your x86 systems:

• Update the microcode by updating the system firmware to the latest version. See Firmware Resources (https://www.oracle.com/servers/technologies/firmware-resources.html).

• Install firmware updates on Oracle x86 systems. See Oracle x86 Servers Administration, Diagnostics, and Applications Documentation (https://docs.oracle.com/cd/E23161_01/).

• Download the latest Oracle x86 system firmware version. See Welcome to the Server System Firmware Release Hub (https://www.oracle.com/servers/technologies/firmware.html).

• Obtain information about updating system firmware on non-Oracle x86 systems by referring to your vendor's documentation.

UMIP

User-Mode Instruction Prevention (UMIP) is a mechanism on Intel CPUs that restricts the execution of specific instructions if the CPU is running outside of its highest privileged mode (e.g., running in user mode). This is a security feature to prevent potential manipulation of system software data structures by malicious userland applications.

It is enabled by default when it is supported by the hardware. A reboot is required after enabling or disabling UMIP for the changes to take effect.