Difference between revisions of "Configuring Spectre Protection Level"
(Indicate that the override is controlled by the BMC + add reference to IBM bulletin + improve formatting) |
Vmlinuz719 (talk | contribs) |
(4 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
− | The Spectre protections on [[POWER9]] can be partly or fully disengaged if desired. Note that disengaging the protections will leave you vulnerable to attack via Spectre variant 2, and could result in data leakage and/or system compromise. | + | The Spectre protections on [[POWER9]] can be partly or fully disengaged if desired. Note that disengaging the protections will leave you vulnerable to attack via Spectre variant 2, and could result in data leakage and/or system compromise. The override is controlled by the BMC and requires a reboot of the POWER9 to take effect.<ref>[ftp://170.225.15.34/ecc/sar/CMA/SFA/08h25/1/AC922_8335-GTH-GTX_OpenPowerReadme.op920.21.xhtml IBM POWER9 Systems LC Server Firmware]. Retrieved 2020-03-26.</ref> |
To override the protection level: | To override the protection level: | ||
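Review bot: the reference added at the end of the new sentence cites the IBM bulletin through a raw IP address over FTP (ftp://170.225.15.34/...). That is an unauthenticated, cleartext fetch, and the link breaks as soon as the host is renumbered. Cite the bulletin by its title and a stable IBM hostname instead, and keep the retrieval date.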
Line 16: | Line 16: | ||
* Init level 1 — Kernel protection only | * Init level 1 — Kernel protection only | ||
* Init level 2 — No protection | * Init level 2 — No protection | ||
+ | |||
+ | Note: Overriding the protection level in this manner may cause the POWER9 CPU to be detected by the operating system as an earlier revision than it should be - for instance, if your CPU is DD2.3, <code>/proc/cpuinfo</code> may report it as DD2.2. This can cause unexpected behavior or errors when running virtual machines. There is [[Speculative_Execution_Vulnerabilities_of_2018#Official_statement_from_Raptor_Computing_Systems_regarding_Talos.E2.84.A2_II|no performance benefit]] to disabling protections and in general, they should be left in place. | ||
== See also == | == See also == |
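Review bot: the added note warns that the override can make a DD2.3 part show up as DD2.2 in /proc/cpuinfo and break virtual machines, but it does not say how to undo the change. Add a sentence telling the reader how to return to init level 0, and that checking /proc/cpuinfo after the restart is the way to confirm the reported revision.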
Latest revision as of 18:32, 17 November 2021
The Spectre protections on POWER9 can be partly or fully disengaged if desired. Note that disengaging the protections will leave you vulnerable to attack via Spectre variant 2, and could result in data leakage and/or system compromise. The override is controlled by the BMC and requires a reboot of the POWER9 to take effect.[1]
To override the protection level:
- Create/edit the file /var/lib/obmc/cfam_overrides on the BMC.
- Add the following contents:

      # Control speculative execution mode
      0 0x283a 0x00000001 # bits 28:31 are used for init level -- in this case 1 (Kernel protection only)
      0 0x283F 0x20000000 # Indicate override register is valid

- Re-IPL (fully power off and restart the host system) to apply changes.
Key:
- Init level 0 — Kernel and User protection (safest, default)
- Init level 1 — Kernel protection only
- Init level 2 — No protection
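An added audit helper (not part of the original page or of any OpenBMC tooling) that reads the text of a cfam_overrides file and reports which init level it requests, so a fleet check can flag BMCs with weakened Spectre protection. It assumes each entry is three whitespace-separated numbers followed by an optional # comment, as in the listing above, and that bits 28:31 are the low four bits of the value, which is what level 1 being written as 0x00000001 implies.

```python
# Added example: audit the contents of a cfam_overrides file.
LEVELS = {
    0: "Kernel and User protection (safest, default)",
    1: "Kernel protection only",
    2: "No protection",
}
SPEC_MODE_REG = 0x283A    # from the page: speculative execution mode register
VALID_REG = 0x283F        # from the page: "override register is valid" indicator
VALID_VALUE = 0x20000000  # value the page writes to VALID_REG


def parse_overrides(text):
    """Return {register: value} from '<n> <address> <value>  # comment' lines."""
    regs = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        # The meaning of the leading field is not given on the page; it is ignored.
        _first, addr, value = (int(f, 0) for f in fields)
        regs[addr] = value
    return regs


def audit(text):
    """Summarise the requested Spectre init level and whether it weakens protection."""
    regs = parse_overrides(text)
    level = regs[SPEC_MODE_REG] & 0xF if SPEC_MODE_REG in regs else None
    valid = (regs.get(VALID_REG, 0) & VALID_VALUE) == VALID_VALUE
    meaning = "no override present" if level is None else LEVELS.get(level, "unknown level")
    # Conservative: any non-zero level is reported, whether or not the valid flag is set.
    return {"level": level, "meaning": meaning, "valid_flag": valid,
            "weakened": level is not None and level != 0}


# Constructed sample input: the override shown on this page.
SAMPLE = """\
# Control speculative execution mode
0 0x283a 0x00000001 # bits 28:31 are used for init level
0 0x283F 0x20000000 # Indicate override register is valid
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Feed it the file's contents as retrieved from each BMC; an entry with `weakened` set to true is a host that should be returned to init level 0.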
Note: Overriding the protection level in this manner may cause the POWER9 CPU to be detected by the operating system as an earlier revision than it should be - for instance, if your CPU is DD2.3, /proc/cpuinfo may report it as DD2.2. This can cause unexpected behavior or errors when running virtual machines. There is no performance benefit to disabling protections and in general, they should be left in place.
See also
References
- [1] IBM POWER9 Systems LC Server Firmware. Retrieved 2020-03-26.