How To
Summary
It is good to know you have the protection against the Spectre and Meltdown security issues.
Objective
Sleep easier at night.
Environment
AIX on a POWER7, POWER8 of POWER9 based Power System
Steps
To get protection from the Spectre and Meltdown security issues, you need a few items in place:
1) A systems firmware level that supports the protection
- All POWER9 systems firmware has protection
- You might need to upgrade your POWER7 or POWER8 firmware to a recent version - which is Best Practice anyway
2) The system firmware protection is switched on
- To check this use the HMC -> ASMI -> "System Configuration“ -> "Speculative Execution Control“
- To change the setting, first Power-Off the server (sorry) then change the setting plus Power Up the server, VIOS, and AIX
3) An AIX level that supports the protection
- An AIX version released in 2019 or later.
- As AIX starts, it detects the system firmware supports protection, and that protection is switched on - then it starts OS level protection
- As a result, if you switch off system firmware protection and reboot the servers, and AIX then AIX level protection is Off too
4) New AIX command details to check: lparstat -x but no detailed information can be found with:
- lparstat -?
- man lpar
stat - IBM Manuals website
For more information, see tech
Example:
$ lparstat -x LPAR Speculative Execution Mode: 2 $
What does the 2 mean?
Answer: Read the technote to find out, it covers the three modes with a full explanation and a link to the IBM web pages covering Spectre and Meltdown.
For POWER9-based servers the link is:
Hint: for full protection use mode 2
My Personal Best Practice recommendation:
Run ALL possible servers in Mode 2 to avoid unexpectedly lowering the security of your virtual machine (LPAR) - when you use Live Partition Migration (LPM).
You would not want to be accidentally run your production services without full protection and is important in a Cloud environment.
What is the effect of switching on the fixes on Performance?
I covered this content in during a session for the Power Virtual User Group session called the POWER9 Performance Review session 79.
You can find that here
Briefly:
- For POWER8-based servers we have the: "with and without protection" rPerf numbers in the systems performance report and shows across the rPerf "cocktail" of workloads the slowdown is only a factor of 5 to 6 %
- The POWER Sytems Performance Report is here
: - https://www.ibm.com/systems/power/hardware/reports/system_perf.html
- In the session, I also cover how POWER9 gets the extra performance boost over POWER8
- S924 +47%,
- E950 +42% and
- E980 +38%
I hope this article helps you to compute safely.
Additional Information
Other places to find content from Nigel Griffiths IBM (retired)
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
31 December 2023
UID
ibm11114071