Protecting your 5105-22E, 9008-22L, 9009-22A, 9009-22G, 9009-41A, 9009-41G, 9009-42A, 9009-42G, 9223-22H, 9223-22S, 9223-42H, and 9223-42S servers against “Spectre” and “Meltdown”
Protect your 5105-22E, 9008-22L, 9009-22A, 9009-22G, 9009-41A, 9009-41G, 9009-42A, 9009-42G, 9223-22H, 9223-22S, 9223-42H, and 9223-42S servers from “Spectre” and “Meltdown” vulnerabilities.
Introduction
Three security vulnerabilities that allow unauthorized users to bypass the hardware barrier between applications and kernel memory are available public. These vulnerabilities use speculative execution to execute side-channel information disclosure attacks.
The first two vulnerabilities, CVE-2017-5753 and CVE-2017- 5715 (collectively known as Spectre) allow user-level code to infer data from unauthorized memory.
The third vulnerability, CVE-2017-5754 (known as Meltdown), allows user-level code to infer the contents of kernel memory. The vulnerabilities are all variants of the same class of attacks but differ in the way that speculative execution might be used.
While these vulnerabilities do not allow an external unauthorized party to gain access to a machine, they might allow a party with access to a system to access unauthorized data.
Since the customer-specific operating environments, including system (including use of Power® Hypervisor) application, and operating systems are varied, POWER9™ systems (5105-22E, 9008-22L, 9009-22A, 9009-22G, 9009-41A, 9009-41G, 9009-42A, 9009-42G, 9223-22H, 9223-22S, 9223-42H, and 9223-42S) provide the option for customers to control speculative execution at a system level, to meet their individual security standards.
- Speculative execution controls to mitigate user-to-kernel and user-to-user side-channel attacks
- Speculative execution controls to mitigate user-to-kernel side-channel attacks
- Speculative execution fully enabled
- Speculative execution controls to mitigate user-to-kernel and user-to-user side-channel attacks
- Speculative execution fully enabled
Speculative execution controls to mitigate user-to-kernel and user-to-user side-channel attacks
This mode is designed for systems that need to mitigate exposures of the hypervisor, operating systems, and user application data to untrusted code. For the 5105-22E, 9008-22L, 9009-22A, 9009-22G, 9009-41A, 9009-41G, 9009-42A, 9009-42G, 9223-22S and 9223-42S models this mode is set as the default.
Speculative execution controls to mitigate user-to-kernel side-channel attacks
Speculative execution fully enabled
Accessing speculative execution control options
Speculative execution control options can be accessed using the Advanced Systems Management Interface (ASMI) menu under System Configuration > Speculative Execution Control. This setting can be changed when the system is in powered off state.