IBM Support

Checking AIX Protection against Spectre and Meltdown Settings

How To


Summary

It is good to know that you have protection against the Spectre and Meltdown security issues in place.

Objective


Sleep easier at night.

Environment

AIX on a POWER7, POWER8 or POWER9 based Power System

Steps

To get protection from the Spectre and Meltdown security issues, you need a few items in place:

1) A systems firmware level that supports the protection

  • All POWER9 systems firmware has protection
  • You might need to upgrade your POWER7 or POWER8 firmware to a recent version - which is Best Practice anyway

2) The system firmware protection is switched on

  • To check this, use the HMC -> ASMI -> "System Configuration" -> "Speculative Execution Control"
  • To change the setting, first power off the server (sorry), then change the setting and power up the server, VIOS, and AIX

3) An AIX level that supports the protection

  • An AIX version released in 2019 or later.
  • As AIX starts, it detects the system firmware supports protection, and that protection is switched on - then it starts OS level protection
  • As a result, if you switch off system firmware protection and reboot the server and AIX, then AIX-level protection is Off too

4) A new AIX command option to check the setting: lparstat -x. No detailed information about it can be found with:

  • lparstat  -?
  • man lparstat 
  • IBM Manuals website

For more information, see the technote: https://www-01.ibm.com/support/docview.wss?uid=ibm10715841

Example:

  $ lparstat -x
  LPAR Speculative Execution Mode: 2
  $

What does the 2 mean?

Answer: Read the technote to find out. It covers the three modes with a full explanation and a link to the IBM web pages covering Spectre and Meltdown.

For POWER9-based servers the link is:

Hint: for full protection use mode 2

My Personal Best Practice recommendation:

Run ALL possible servers in Mode 2 to avoid unexpectedly lowering the security of your virtual machine (LPAR) - when you use Live Partition Migration (LPM).

You would not want to accidentally run your production services without full protection. This is especially important in a Cloud environment.
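
One way to check this recommendation across several LPARs before a migration, as an added example that is not part of the original article or of any IBM tooling. It parses the lparstat -x line shown in the example above and lists every LPAR that is not in mode 2. The hostnames, the "host: output" collection format and the function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the article): flag LPARs that are not in mode 2.

# Constructed sample: "host: <lparstat -x output>", one line per LPAR.
# Hostnames are made up; aix-old1 returned no mode line at all.
SAMPLE='aix-prod1: LPAR Speculative Execution Mode: 2
aix-prod2: LPAR Speculative Execution Mode: 0
aix-old1:
aix-dev1: LPAR Speculative Execution Mode: 1'

# Read `lparstat -x` output on stdin and print only the mode number.
# Prints nothing when the expected line is missing.
spec_mode() {
    sed -n 's/^[[:space:]]*LPAR Speculative Execution Mode:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' |
        head -n 1
}

# Read "host: output" lines on stdin, print every host that is not in
# mode 2, and return non-zero if any such host was found.
audit_modes() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue          # skip blank lines
        host=${line%%:*}                    # text before the first colon
        mode=$(printf '%s\n' "${line#*:}" | spec_mode)
        case "$mode" in
            2)  ;;                          # full protection, nothing to report
            '') printf '%s UNKNOWN\n' "$host"; bad=1 ;;
            *)  printf '%s MODE=%s\n' "$host" "$mode"; bad=1 ;;
        esac
    done
    return "$bad"
}

# On an AIX LPAR itself you would run:  lparstat -x | spec_mode
printf '%s\n' "$SAMPLE" | audit_modes || echo "Not every LPAR is in mode 2"
```

An LPAR reported as UNKNOWN produced no mode line, so treat it as unverified rather than as protected.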

What is the effect of switching on the fixes on Performance?

I covered this content during a session for the Power Virtual User Group called the POWER9 Performance Review, session 79.
You can find that here: https://www.ibm.com/support/pages/node/1110195

Briefly:

  • For POWER8-based servers, we have the "with and without protection" rPerf numbers in the systems performance report. Across the rPerf "cocktail" of workloads, the slowdown is only 5 to 6%
  • The POWER Systems Performance Report is here:
    • https://www.ibm.com/systems/power/hardware/reports/system_perf.html
  • In the session, I also cover how POWER9 gets the extra performance boost over POWER8
    • S924 +47%,
    • E950 +42% and
    • E980 +38% 

I hope this article helps you to compute safely.

Additional Information

Other places to find content from Nigel Griffiths IBM (retired)

Document Location

Worldwide


Document Information

Modified date:
31 December 2023

UID

ibm11114071