Difference between revisions of "Configuring Spectre Protection Level"

From RCS Wiki
Jump to navigation Jump to search
(Created page with "The Spectre protections on POWER9 can be partly of fully disengaged if desired. Note that disengaging the protections will leave you vulnerable to attack via Spectre variant...")
 
Line 1: Line 1:
The Spectre protections on POWER9 can be partly of fully disengaged if desired. Note that disengaging the protections will leave you vulnerable to attack via Spectre variant 2, and could result in data leakage and/or system compromise.
+
The Spectre protections on [[POWER9]] can be partly or fully disengaged if desired. Note that disengaging the protections will leave you vulnerable to attack via Spectre variant 2, and could result in data leakage and/or system compromise.
  
 
To override the protection level:
 
To override the protection level:
  
* Create/edit the "/var/lib/obmc/cfam_overrides" on OpenBMC
+
* Create/edit the <tt>/var/lib/obmc/cfam_overrides</tt> on the BMC.
* Add the following contents
+
* Add the following contents:
<pre>
+
# Control speculative execution mode
# Control speculative execution mode
+
0 0x283a 0x00000001  # bits 28:31 are used for init level -- in this case 1
0 0x283a 0x00000001  # bits 28:31 are used for init level -- in this case 1
+
0 0x283F 0x20000000  # Indicate scratch 3 is valid
0 0x283F 0x20000000  # Indicate scratch 3 is valid
 
</pre>
 
 
*  Re-IPL to apply changes.
 
*  Re-IPL to apply changes.
  
 
Key:
 
Key:
* init level 0 == Kernel and User protection (safest, default)
+
* Init level 0 &mdash; Kernel and User protection (safest, default)
* init level 1 == Kernel protection only
+
* Init level 1 &mdash; Kernel protection only
* init level 2 == No protection
+
* Init level 2 &mdash; No protection
 +
 
 +
[[Category:Guides]]

Revision as of 18:11, 6 March 2019

The Spectre protections on POWER9 can be partly or fully disengaged if desired. Note that disengaging the protections will leave you vulnerable to attack via Spectre variant 2, and could result in data leakage and/or system compromise.

To override the protection level:

  • Create/edit the /var/lib/obmc/cfam_overrides on the BMC.
  • Add the following contents:
# Control speculative execution mode
0 0x283a 0x00000001  # bits 28:31 are used for init level -- in this case 1
0 0x283F 0x20000000  # Indicate scratch 3 is valid
  • Re-IPL to apply changes.

Key:

  • Init level 0 — Kernel and User protection (safest, default)
  • Init level 1 — Kernel protection only
  • Init level 2 — No protection