Solaris 11.4 includes fixes for Meltdown and Spectre v2 (fixes for Spectre v1 were delivered a few months ago for 11.3 via an SRU and are also included in 11.4). What I really like about them is that you can turn them on or off via sxadm. The sxadm command will also report whether your hardware requires the fixes and whether they are enabled. Additionally, an FMA alert is generated if your hardware should have the fixes enabled but they cannot be enabled because of old microcode, so you also get alerting. Very nice integration indeed.
Example output with Solaris running in VirtualBox:

# sxadm status
EXTENSION           STATUS                       FLAGS
aslr                enabled (tagged-files)       u-c--
nxstack             enabled (all)                u-c--
nxheap              enabled (tagged-files)       u-c--
kpti                enabled                      -kcr-
ibpb                not supported                -----
ibrs                not supported                -----
smap                not supported                -----
kpti is the fix for Meltdown and it is active, while ibpb and ibrs are mitigations for Spectre v2 and are not enabled because they are not supported on this hardware.
Let's see how FMA is reporting an old version of microcode:
# fmadm faulty
--------------- ------------------------------------ -------------- ---------
TIME            EVENT-ID                             MSG-ID         SEVERITY
--------------- ------------------------------------ -------------- ---------
Oct 02 14:19:24 383538f1-9268-4a07-9ff8-86be48c02e72 SUNOS-8000-LG  Major

  Problem Status    : open
  Diag Engine       : software-diagnosis / 0.2
  System
     Manufacturer   : unknown
     Name           : unknown
     Part_Number    : unknown
     Serial_Number  : unknown

  System Component
     Manufacturer   : innotek GmbH
     Name           : VirtualBox
     Part_Number    :
     Serial_Number  : 0
     Firmware_Manufacturer : innotek GmbH
     Firmware_Version      : (BIOS)VirtualBox
     Firmware_Release      : (BIOS)12.01.2006
     Host_ID        : 00482293
     Server_Name    : solaris

----------------------------------------
Suspect 1 of 1 :
   Problem class : alert.oracle.solaris.cpu.firmware.security
   Certainty     : 100%

   FRU
     Status        : Active
     Location      : "/SYS/MB"
     Manufacturer  : unknown
     Name          : unknown
     Part_Number   : unknown
     Revision      : unknown
     Serial_Number : unknown
     Chassis
        Manufacturer  : Oracle Corporation
        Name          : VirtualBox
        Part_Number   :
        Serial_Number : 0

   Resource
     Status        : Active

Response : No automated response available

Impact   : Oracle Solaris is not running with Spectre Vulnerability Mitigation Enabled

Action   : Update the CPU with Spectre capable microcode.
           Please refer to the associated reference document at
           http://support.oracle.com/msg/SUNOS-8000-LG for the latest service
           procedures and policies regarding this diagnosis.
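As an added example (not code from the original post), here is a small POSIX shell check that parses the sxadm status and fmadm faulty output shown above and reports whether kpti, ibpb and ibrs are enabled and whether the microcode alert is present. The sample outputs embedded in it are constructed from the VirtualBox example on this page; the function names are my own.

```shell
# Read-only compliance check over `sxadm status` and `fmadm faulty` output.
# The samples below are constructed from the VirtualBox example on this page;
# on a live Solaris 11.4 host pass "$(sxadm status)" and "$(fmadm faulty)".
SAMPLE_SXADM='EXTENSION           STATUS                       FLAGS
aslr                enabled (tagged-files)       u-c--
nxstack             enabled (all)                u-c--
nxheap              enabled (tagged-files)       u-c--
kpti                enabled                      -kcr-
ibpb                not supported                -----
ibrs                not supported                -----
smap                not supported                -----'

SAMPLE_FMADM='Suspect 1 of 1 :
   Problem class : alert.oracle.solaris.cpu.firmware.security
   Certainty     : 100%'

# mitigation_state NAME OUTPUT: prints the STATUS column for one extension
# ("enabled", "disabled", "not supported"), with the "(tagged-files)"-style
# qualifier stripped, or "missing" if sxadm does not list it at all.
mitigation_state() {
    printf '%s\n' "$2" | awk -v e="$1" '
        $1 == e {
            $1 = ""; $NF = ""                 # drop EXTENSION and FLAGS columns
            sub(/^ +/, ""); sub(/ +$/, "")    # trim the rebuilt record
            sub(/ \(.*\)$/, "")               # "enabled (all)" -> "enabled"
            found = 1; print
        }
        END { if (!found) print "missing" }'
}
# check_mitigations OUTPUT: prints "<ext> <state>" for the Meltdown fix (kpti)
# and the Spectre v2 mitigations (ibpb, ibrs); returns 1 if any is not enabled.
check_mitigations() {
    rc=0
    for ext in kpti ibpb ibrs; do
        state=$(mitigation_state "$ext" "$1")
        printf '%s %s\n' "$ext" "$state"
        [ "$state" = "enabled" ] || rc=1
    done
    return $rc
}
# fma_microcode_alert OUTPUT: returns 0 when fmadm reports the alert class
# from this page, i.e. the CPU is running without Spectre-capable microcode.
fma_microcode_alert() {
    printf '%s\n' "$1" | grep -q 'alert\.oracle\.solaris\.cpu\.firmware\.security'
}

check_mitigations "$SAMPLE_SXADM" || echo "WARN: not all mitigations are enabled"
fma_microcode_alert "$SAMPLE_FMADM" && echo "WARN: CPU microcode needs updating"
```

With the sample data this prints both warnings; a monitoring job can key off the return codes instead of the text.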
To use IBRS or IBPB in a VirtualBox instance, you need to do two things:
1) Ensure the microcode update is installed in the CPU, either via a BIOS/firmware update or by having the host OS update it. (The BIOS/firmware update is most reliable, but availability depends on your hardware vendor and how far back they're willing to provide updates for.)
2) Tell VirtualBox to expose the new microcode routines to guests, as described in the Solaris 11.4 release notes under Spectre Mitigation Warning During VirtualBox Guest Installation (28441940).