Difference between revisions of "Configuring Spectre Protection Level"

From RCS Wiki
Jump to navigation Jump to search
(Undo revision 3125 by Carlosedp (talk) Reason: Summary of the spectre vulnerabilities is off-topic here. I will re-add the useful parts (i.e. new information) in a future revision.)
Tag: Undo
(Indicate that the override is controlled by the BMC + add reference to IBM bulletin + improve formatting)
Line 1: Line 1:
The Spectre protections on [[POWER9]] can be partly or fully disengaged if desired. Note that disengaging the protections will leave you vulnerable to attack via Spectre variant 2, and could result in data leakage and/or system compromise.
+
The Spectre protections on [[POWER9]] can be partly or fully disengaged if desired. Note that disengaging the protections will leave you vulnerable to attack via Spectre variant 2, and could result in data leakage and/or system compromise. "The override is controlled by the BMC and requires a reboot of the POWER9 to take effect."<ref>[ftp://170.225.15.34/ecc/sar/CMA/SFA/08h25/1/AC922_8335-GTH-GTX_OpenPowerReadme.op920.21.xhtml IBM POWER9 Systems LC Server Firmware] 2020-03-26</ref>
  
 
To override the protection level:
 
To override the protection level:
  
* Create/edit the <tt>/var/lib/obmc/cfam_overrides</tt> on the BMC.
+
<ol>
* Add the following contents:
+
<li>Create/edit the file <code>/var/lib/obmc/cfam_overrides</code> on the BMC.</li>
# Control speculative execution mode
+
<li>Add the following contents:</li>
0 0x283a 0x00000001  # bits 28:31 are used for init level -- in this case 1
+
<pre># Control speculative execution mode
0 0x283F 0x20000000  # Indicate scratch 3 is valid
+
0 0x283a 0x00000001  # bits 28:31 are used for init level -- in this case 1 (Kernel protection only)
Re-[[IPL]] (fully power off and restart the host system) to apply changes.
+
0 0x283F 0x20000000  # Indicate override register is valid</pre>
 +
<li>Re-[[IPL]] (fully power off and restart the host system) to apply changes.</li>
 +
</ol>
  
 
Key:
 
Key:
Line 14: Line 16:
 
* Init level 1 &mdash; Kernel protection only
 
* Init level 1 &mdash; Kernel protection only
 
* Init level 2 &mdash; No protection
 
* Init level 2 &mdash; No protection
 +
 +
== See also ==
 +
 +
* [[Speculative Execution Vulnerabilities of 2018]]
 +
 +
== References ==
 +
 +
<references />
  
 
[[Category:Guides]]
 
[[Category:Guides]]

Revision as of 20:15, 25 March 2020

The Spectre protections on POWER9 can be partly or fully disengaged if desired. Note that disengaging the protections will leave you vulnerable to attack via Spectre variant 2, and could result in data leakage and/or system compromise. "The override is controlled by the BMC and requires a reboot of the POWER9 to take effect."[1]

To override the protection level:

  1. Create/edit the file /var/lib/obmc/cfam_overrides on the BMC.
  2. Add the following contents:
  3. # Control speculative execution mode
    0 0x283a 0x00000001  # bits 28:31 are used for init level -- in this case 1 (Kernel protection only)
    0 0x283F 0x20000000  # Indicate override register is valid
  4. Re-IPL (fully power off and restart the host system) to apply changes.

Key:

  • Init level 0 — Kernel and User protection (safest, default)
  • Init level 1 — Kernel protection only
  • Init level 2 — No protection

See also

References