IBM Support

How to disable/enable (switch) Spectre/Meltdown patches on POWER8 Systems via the ASMI menu

How To


Summary

POWER8 Systems running firmware SP 860.50 and above can disable or enable the installed Spectre/Meltdown patches via the ASMI menu. This Technote describes the procedure for switching between these states.

Environment

POWER Systems: POWER8 and POWER9 systems that have the Spectre/Meltdown patches installed.

Steps

1. Open an ASM window to the FSP (either via the HMC or direct IP).
2. Log in as an authorized user (e.g. admin).
3. Expand "System Configuration".
4. Navigate to "Speculative Execution Control".
5. Observe the panel and the message regarding "Current Security Settings".
6. "Speculative execution controls to mitigate user-to-kernel and user-to-user side-channel attacks" is the default, i.e. security = Enabled.
7. If a value change is desired (security = Disabled, i.e. allow Speculative Execution), the system needs to be brought to the Power Off state; the toggle is then present.

Additional Information

At Power Off, the "Speculative Execution Control" menu in ASM shows these radio buttons:

* Speculative execution controls to mitigate user-to-kernel and user-to-user side-channel attacks
O Speculative execution fully enabled

The first option is selected by default.
To switch from Security Enabled to Security Disabled (i.e. re-enabling Speculative Execution), choose that radio button option, then press the "Save settings" text button.
The following text is then presented:

"Enabling this option could expose the system to CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754. This includes any partitions that are migrated (via LPM) to this system. Please acknowledge your understanding of the associated risks? Yes/No"
Two text buttons are shown: "Yes" and "No".
Selecting "No" returns the user to the menu with the radio buttons.
Selecting "Yes" results in the message "Operating completed successfully", and the user has to click "Speculative Execution Control" again in order to view the newly set settings:

O Speculative execution controls to mitigate user-to-kernel and user-to-user side-channel attacks
* Speculative execution fully enabled

To activate the change, the user needs to power on the system.
While the system is in a powered-on state (Operating/Standby), the user is unable to change the settings back to security enabled (just as when disabling); the system must be returned to the Power Off state to toggle back.
At power on with security disabled, this message is shown in ASM:

"Current Security Settings : Speculative execution fully enabled
This feature is available only when the system is powered off. "


Document Information

Modified date:
25 June 2018

UID

ibm10713523