IBM Support

How-to disable/enable (switch) Spectre/Meltdown patches on POWER8 Systems via the ASMI menu

How To


Summary

POWER8 systems running firmware SP 860.50 or higher can disable or enable the installed Spectre/Meltdown patches via the ASMI menu. This technote describes the procedure for switching between these states.

Environment

Power systems, POWER8, and POWER9 systems that have Spectre/Meltdown patches installed.

Steps

  1. Open an ASMI window to the FSP (either via the HMC or by direct IP).
  2. Log in as an authorized user (e.g. admin).
  3. Expand "System Configuration".
  4. Navigate to "Speculative Execution Control".
  5. Observe the panel and the message regarding "Current Security Settings".
  6. "Speculative execution controls to mitigate user-to-kernel and user-to-user side-channel attacks" is the default (security = Enabled).
  7. If a change of value is wanted (security = Disabled, i.e. allow speculative execution), the system must first be brought to the power-off state (the toggle is present in that state).

Additional Information

At power off, the "Speculative Execution Control" menu in ASMI shows these radio buttons:

  • Speculative execution controls to mitigate user-to-kernel and user-to-user side-channel attacks.
  • Speculative execution fully enabled.

The first option is on by default.

  • To switch from security enabled to security disabled (i.e. re-enabling speculative execution), choose the "Speculative execution fully enabled" radio button and then press the 'Save settings' text button.
  • This text is then presented: "Enabling this option could expose the system to CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754. This includes any partitions that are migrated (via LPM) to this system. Please acknowledge your understanding of the associated risks? Yes/No"
    with two text buttons: "Yes" and "No".
  • Selecting "No" returns the user to the menu with the radio buttons.
  • Selecting "Yes" results in the message "Operating completed successfully".

The user has to click "Speculative Execution Control" again in order to view the newly set settings:

  • Speculative execution controls to mitigate user-to-kernel and user-to-user side-channel attacks.
  • Speculative execution fully enabled.

Notes on activating the change:

  • To officially activate the change, the user needs to power on the system.
  • While the system is in a powered-on state (operating or standby), the user is unable to change the setting back to security enabled (just as when disabling), and must return to the power-off state to toggle back.
  • At power-on with security disabled, this message is shown in ASMI: "Current Security Settings : Speculative execution fully enabled This feature is available only when the system is powered off."
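
The following is an added example, not part of the IBM technote: a partition-side check that maps the three CVEs named in the ASMI warning to the status files the Linux kernel reports and flags any that are not mitigated, which is useful after a toggle or after an LPM migration onto a system with security disabled. It assumes the partition runs Linux (the sysfs path is a Linux kernel interface, not an ASMI or AIX one); the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: map the three CVEs from the ASMI warning to the Linux
# kernel's per-vulnerability status files and flag unmitigated ones.
# Assumption: the partition runs Linux; this sysfs path is a Linux kernel
# interface, not part of ASMI, and has no AIX equivalent.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# cve_file <CVE id>: sysfs file name for that CVE
cve_file() {
  case "$1" in
    CVE-2017-5753) echo spectre_v1 ;;
    CVE-2017-5715) echo spectre_v2 ;;
    CVE-2017-5754) echo meltdown ;;
    *) return 1 ;;
  esac
}

# classify <status line>: reduce the kernel's text to one state
classify() {
  case "$1" in
    "Not affected"*) echo NOT_AFFECTED ;;
    Mitigation:*)    echo MITIGATED ;;
    Vulnerable*)     echo VULNERABLE ;;
    *)               echo UNKNOWN ;;
  esac
}

# audit_dir <dir>: print "<CVE> <state> <raw text>" per CVE;
# returns 1 if any CVE is VULNERABLE or UNKNOWN (missing or empty file)
audit_dir() {
  a_rc=0
  for a_cve in CVE-2017-5753 CVE-2017-5715 CVE-2017-5754; do
    a_file="$1/$(cve_file "$a_cve")"
    a_line=""
    [ -r "$a_file" ] && a_line=$(head -n 1 "$a_file")
    a_state=$(classify "$a_line")
    printf '%s %s %s\n' "$a_cve" "$a_state" "${a_line:-no status file}"
    case "$a_state" in VULNERABLE|UNKNOWN) a_rc=1 ;; esac
  done
  return "$a_rc"
}

# Constructed sample input (not captured from a real system).
demo=$(mktemp -d)
echo 'Mitigation: __user pointer sanitization' > "$demo/spectre_v1"
echo 'Vulnerable' > "$demo/spectre_v2"
echo 'Mitigation: RFI Flush' > "$demo/meltdown"
if audit_dir "$demo"; then echo "all mitigated"; else echo "review needed"; fi
rm -rf "$demo"
```

On a real Linux partition, call audit_dir "$VULN_DIR" instead of the constructed directory; a non-zero return means at least one of the three CVEs is reported as vulnerable or has no status file.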


Document Information

Modified date:
03 May 2021

UID

ibm10713523