Tuesday, October 02, 2018

Solaris: Spectre v2 & Meltdown fixes

Solaris 11.4 includes fixes for Meltdown and Spectre v2 (fixes for v1 were delievered few months ago for 11.3 via SRU and are also included in 111.4). What I really like about them is that you can turn them on or off via sxadm. The sxadm command will also report if your HW requires the fixes and if they are enabled or not. Additionally there is an FMA alert generated if you HW should have fixes enabled but due to old microcode it can't be done - so this way you also get alerting. Very nice intergration indeed.

Example output with Solaris running in Virtual Box:

# sxadm status
EXTENSION           STATUS                        FLAGS
aslr                enabled (tagged-files)        u-c--
nxstack             enabled (all)                 u-c--
nxheap              enabled (tagged-files)        u-c--
kpti                enabled                       -kcr-
ibpb                not supported                 -----
ibrs                not supported                 -----
smap                not supported                 -----

The kpti is fix for Meltdow and it is active, while ibpb and ibrs are mitigations for Spectre v2 and are not enabled as these are not supported on this HW. Let's see how FMA is reporting an old version of microcode: 

# fmadm faulty
--------------- ------------------------------------  -------------- ---------
TIME            EVENT-ID                              MSG-ID         SEVERITY
--------------- ------------------------------------  -------------- ---------
Oct 02 14:19:24 383538f1-9268-4a07-9ff8-86be48c02e72  SUNOS-8000-LG  Major    

Problem Status            : open
Diag Engine               : software-diagnosis / 0.2
System
    Manufacturer          : unknown
    Name                  : unknown
    Part_Number           : unknown
    Serial_Number         : unknown

System Component
    Manufacturer          : innotek GmbH
    Name                  : VirtualBox
    Part_Number           : 
    Serial_Number         : 0
    Firmware_Manufacturer : innotek GmbH
    Firmware_Version      : (BIOS)VirtualBox
    Firmware_Release      : (BIOS)12.01.2006
    Host_ID               : 00482293
    Server_Name           : solaris

----------------------------------------
Suspect 1 of 1 :
   Problem class : alert.oracle.solaris.cpu.firmware.security
   Certainty   : 100%

   FRU
     Status           : Active
     Location         : "/SYS/MB"
     Manufacturer     : unknown
     Name             : unknown
     Part_Number      : unknown
     Revision         : unknown
     Serial_Number    : unknown
     Chassis
        Manufacturer  : Oracle Corporation
        Name          : VirtualBox
        Part_Number   : 
        Serial_Number : 0
   Resource
     Status           : Active

Response    : No automated response available

Impact      : Oracle Solaris is not running with Spectre Vulnerability
              Mitigation Enabled

Action      : Update the CPU with Spectre capable microcode. Please refer to
              the associated reference document at
              http://support.oracle.com/msg/SUNOS-8000-LG for the latest
              service procedures and policies regarding this diagnosis.

1 comment:

  1. To use IBRS or IPBP in a VirtualBox instance, you need to do two things:

    1) Ensure the microcode update is installed in the CPU, either via a BIOS/firmware update or by having the host OS update it. (The BIOS/firmware update is most reliable, but availability depends on your hardware vendor and how far back they're willing to provide updates for.)

    2) Tell VirtualBox to expose the new microcode routines to guests, as described in the Solaris 11.4 release notes under Spectre Mitigation Warning During VirtualBox Guest Installation (28441940).

    ReplyDelete