IBM Support

How to disable/enable Spectre/Meltdown mitigation on POWER9 Systems

How To


Summary

IBM POWER9 systems have three different modes available for Spectre/Meltdown mitigation. To view or change the mode, use the "Speculative Execution Control" menu in ASMI.

Objective

The three "Speculative Execution Control" modes available on POWER9 Systems are as follows:

Speculative execution controls to mitigate user-to-kernel and user-to-user side-channel attacks

This mode is designed for systems that need to mitigate exposures of the hypervisor, operating systems, and user application data to untrusted code. For the system models 9008-22L, 9009-22A, 9009-41A, and 9009-42A, this mode is set as the default. In this mode, all the controls incorporated in the Spectre/Meltdown patches are active and control speculative execution to mitigate both user-to-kernel and user-to-user side-channel attacks. It provides the highest possible mitigation against side-channel attacks on both user-accessible data and system data, with some performance trade-off.

Speculative execution controls to mitigate user-to-kernel side-channel attacks

This mode is designed for systems that need to mitigate against the threat of lower-privileged code accessing operating system secrets, as described in CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754. For the system models 9223-22H and 9223-42H, this mode is set as the default. Enabling this mode provides mitigation against side-channel attacks on system/kernel data but not on user-accessible data. Enabling this option could expose any user-accessible data in the system to CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754. This includes any partitions that are migrated (using Live Partition Mobility) to this system. This option has less performance impact on the system than option 1, but at the cost of possible exposure of user-accessible data to untrusted application code, if there is any.

Speculative execution fully enabled

This optional mode is designed for systems where the hypervisor, operating system, and applications can be fully trusted. Enabling this option could expose the system to CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754. This includes any partitions that are migrated (using Live Partition Mobility) to this system. This option has the least possible impact on performance, at the cost of possible exposure of both user-accessible data and system data.

Environment

Any POWER9 system.

Steps

To view the current "Speculative Execution Control" mode setting on POWER9 Systems:

To view the current setting on the system using ASMI window menu:

1. Open an ASMI window to the FSP (either via HMC or direct IP)
2. Log in as an authorized user (for example, admin)
3. Expand "System Configuration"
4. Navigate to "Speculative Execution Control"
5. It has the following three modes:

     * Speculative execution controls to mitigate user-to-kernel and user-to-user side-channel attacks
     O Speculative execution controls to mitigate user-to-kernel side-channel attacks
     O Speculative execution fully enabled

The first mode is ON by default for the POWER9 models 9008-22L, 9009-22A, 9009-41A, and 9009-42A:

* Speculative execution controls to mitigate user-to-kernel and user-to-user side-channel attacks
O Speculative execution controls to mitigate user-to-kernel side-channel attacks
O Speculative execution fully enabled

The second mode is ON by default for the POWER9 models 9223-22H and 9223-42H:

O Speculative execution controls to mitigate user-to-kernel and user-to-user side-channel attacks
* Speculative execution controls to mitigate user-to-kernel side-channel attacks
O Speculative execution fully enabled

To Change or Set "Speculative Execution Control" mode to the desired setting on POWER9 Systems:

While the system is in a powered-on state (Operating/Standby), the "Speculative Execution Control" mode cannot be changed. The system must first be brought to the Power Off state.

And then:

1. Open an ASMI window to the FSP (either via HMC or direct IP)
2. Log in as an authorized user (for example, admin)
3. Expand "System Configuration"
4. Navigate to "Speculative Execution Control"
5. It will show the following three radio buttons:

     * Speculative execution controls to mitigate user-to-kernel and user-to-user side-channel attacks
     O Speculative execution controls to mitigate user-to-kernel side-channel attacks
     O Speculative execution fully enabled
6. Change the setting to the desired mode by selecting the appropriate radio button.

For example:
To switch from Security Enabled to Security Disabled (i.e., re-enabling speculative execution), choose radio button option 3, then press the "Save settings" text button.

O Speculative execution controls to mitigate user-to-kernel and user-to-user side-channel attacks
O Speculative execution controls to mitigate user-to-kernel side-channel attacks
* Speculative execution fully enabled

Then, this text is presented:
"Enabling this option could expose the system to CVE-2017-5753, CVE-2017- 5715 and CVE-2017-5754. This includes any partitions that are migrated (via LPM) to this system. Please acknowledge your understanding of the associated risks? Yes/No"
With two text buttons: "Yes" and "No"
Selecting "No" returns the user to the menu with the radio buttons.

Selecting "Yes" results in the message "Operation completed successfully", and the user has to click "Speculative Execution Control" again to view the newly set settings.

To activate the change, the user needs to power on the system.
While the system is in a powered-on state (Operating/Standby), the setting cannot be changed back to security enabled (just as when disabling); the system must be returned to the Power Off state to change it.

At power on with security disabled, this message is shown in ASMI:
"Current Security Settings : Speculative execution fully enabled
This feature is available only when the system is powered off. "

Additional Information

On POWER8 systems, there are two possible security controls, i.e., disable or enable Spectre/Meltdown mitigation.

On an LPAR, one can use lparstat -x to display the current mitigation mode:

  • 0 = Speculative execution fully enabled
  • 1 = Speculative execution controls to mitigate user-to-kernel side-channel attacks
  • 2 = Speculative execution controls to mitigate user-to-kernel and user-to-user side-channel attacks

# lparstat -x

LPAR Speculative Execution Mode            : 2

See above for explanation of these modes.
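
The following is an added example, not IBM's code: one way to turn the lparstat -x value into a scripted compliance check that fails when an LPAR reports a weaker mode than required. The function names and the default required mode of 2 are assumptions; the sample output line is constructed from the output shown above.

```shell
#!/bin/sh
# Added example: audit "LPAR Speculative Execution Mode" from lparstat -x.
# Function names and the default required mode (2) are assumptions.

# Read lparstat -x output on stdin and print the mode number.
# Returns 1 if the line is absent or the value is not 0, 1 or 2.
spec_mode_from_output() {
    mode=$(sed -n 's/^LPAR Speculative Execution Mode[[:space:]]*:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' | head -n 1)
    case "$mode" in
        0|1|2) printf '%s\n' "$mode" ;;
        *) return 1 ;;
    esac
}

# Map a mode number to the wording used in the ASMI menu.
spec_mode_describe() {
    case "$1" in
        0) echo "Speculative execution fully enabled" ;;
        1) echo "Speculative execution controls to mitigate user-to-kernel side-channel attacks" ;;
        2) echo "Speculative execution controls to mitigate user-to-kernel and user-to-user side-channel attacks" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# spec_mode_check OUTPUT [REQUIRED]: compare the reported mode with the
# minimum required one. Status: 0 compliant, 1 weaker, 2 mode not reported.
spec_mode_check() {
    required=${2:-2}
    current=$(printf '%s\n' "$1" | spec_mode_from_output) || {
        echo "UNKNOWN: no speculative execution mode in lparstat output"
        return 2
    }
    if [ "$current" -ge "$required" ]; then
        echo "OK: mode $current ($(spec_mode_describe "$current"))"
        return 0
    fi
    echo "WEAK: mode $current ($(spec_mode_describe "$current")), required >= $required"
    return 1
}

# On an AIX LPAR audit the live value; elsewhere use a constructed sample line.
if command -v lparstat >/dev/null 2>&1; then
    output=$(lparstat -x)
else
    output='LPAR Speculative Execution Mode            : 1'   # constructed sample
fi
spec_mode_check "$output" 2 || echo "check status: $?"
```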


Document Information

Modified date:
14 March 2019

UID

ibm10715841