Configuring Spectre Protection Level
The Spectre protections on POWER9 can be partly or fully disengaged if desired. Note that disengaging the protections will leave you vulnerable to attack via Spectre variant 2, and could result in data leakage and/or system compromise. "The override is controlled by the BMC and requires a reboot of the POWER9 to take effect."
To override the protection level:
- Create/edit the file /var/lib/obmc/cfam_overrides on the BMC.
- Add the following contents:

      # Control speculative execution mode
      0 0x283a 0x00000001  # bits 28:31 are used for init level -- in this case 1 (Kernel protection only)
      0 0x283F 0x20000000  # Indicate override register is valid

- Re-IPL (fully power off and restart the host system) to apply changes.

The available init levels are:
- Init level 0 — Kernel and User protection (safest, default)
- Init level 1 — Kernel protection only
- Init level 2 — No protection
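
A read-only check for the BMC shell, added here as an example and not part of the original page or of any firmware tooling: it parses a cfam_overrides file and reports which init level it requests. The function name `spectre_level` is hypothetical, and the script assumes that bits 28:31 are the low nibble of the 0x283a value (consistent with the page's 0x00000001 for level 1) and that the valid marker is exactly the 0x20000000 value shown for 0x283F.

```shell
#!/bin/sh
# Added example (not firmware tooling): report the init level a cfam_overrides
# file requests. Line format as on the page: "<field> <register> <value> # comment".

# spectre_level FILE -> prints one line describing the requested setting.
spectre_level() {
    level='' valid=no
    [ -r "$1" ] || { echo "no-override: firmware default (level 0)"; return 0; }
    while read -r first reg val rest || [ -n "$first" ]; do
        case $first in ''|'#'*) continue ;; esac       # blank or comment line
        reg=$(printf '%s' "$reg" | tr 'A-F' 'a-f')      # 0x283F == 0x283f
        val=$(printf '%s' "$val" | tr 'A-F' 'a-f')
        hex=${val#0x}
        case $hex in ''|*[!0-9a-f]*) continue ;; esac   # value is not hex: skip
        case $reg in
            # Assumption: bits 28:31 (bit 0 = MSB) are the low nibble, which
            # matches the page's 0x00000001 meaning init level 1.
            0x283a) level=$(( 0x$hex & 0xf )) ;;
            # Valid marker: the exact value shown on the page.
            0x283f) if [ "$val" = 0x20000000 ]; then valid=yes; fi ;;
        esac
    done < "$1"
    if [ -z "$level" ]; then
        echo "no-override: firmware default (level 0)"
    elif [ "$valid" != yes ]; then
        echo "incomplete: level $level requested, 0x283F valid marker missing"
    else
        case $level in
            0) echo "level 0: kernel and user protection" ;;
            1) echo "level 1: kernel protection only" ;;
            2) echo "level 2: no protection" ;;
            *) echo "level $level: not one of the levels listed on the page" ;;
        esac
    fi
}

# Constructed sample with the override contents from the page.
sample=$(mktemp)
printf '%s\n' '# Control speculative execution mode' \
    '0 0x283a 0x00000001  # init level 1' \
    '0 0x283F 0x20000000  # Indicate override register is valid' > "$sample"
spectre_level "$sample"
rm -f "$sample"
```

On the BMC, call `spectre_level /var/lib/obmc/cfam_overrides`; the file only describes what will apply after the next re-IPL.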
- IBM POWER9 Systems LC Server Firmware 2020-03-26