Reading time: 2 minutes
How you have grown ... sxadm
I remember i have first talked at a Solaris day in the Vienna Urania about
sxadm for security extension administration. At that time we had one security extension and having an own administration program looked a little bit over the top for it. The single existing extension was for
ASLR or “address space layout randomization”.
And this was it … in 2013. Well, things have grown significantly since and so sxadm makes a lot more sense. Now it’s a central place for checking the state and partly to control the state of a number of security mechanisms and mitigations inside of Solaris. This is the current output of the system on a x86 system.
The list looks differenly on a SPARC system because for example ADI isn’t available on x86. The job of
sxadm got a little bit different. For some extensions it’s more like a status report, not a mechanism to enable or disable them, as they are either always enabled, enabled or disabled elsewhere or just show the state of things. I will cite the public man page for the following list.
A first group of extensions manages Solaris feature (albeit they may use CPU features). Some of the features are quite old like nxheap and nxstack, which were managed by
/etc/system in the past.
ADIHEAP: ADI based protections for heap allocators
ADISTACK: ADI based protections for stacks
KADI: ADI based protections for kernel heap
ASLR: Address Space Layout Randomization
NXHEAP: Non-Executable Heap
A number of other extensions are meant to manage the mitigation against vulnerabilities of CPUs. Please consult the
sxadm man page for further information.
HW_BTI: Hardware BTI Mitigation
IBPB: Indirect Branch Prediction Barrier
IBRS: Indirect Branch Restricted Speculation
KPTI: Kernel Page Table Isolation
L1DF: Level 1 Data Cache Flush
MD_CLEAR: Microarchitectural Data Sampling Avoidance Mitigation
RSBS: Return Stack Buffer Speculation Mitigation
SMAP: Supervisor Mode Access Prevention
SSBD: Speculative Store Bypass Disable
TSX_DISABLE:Intel TSX Asynchronous Abort (TAA) Avoidance Mitigation by disabling TSX
UMIP: User-Mode Instruction Prevention
IF_PSCHANGE_MC_NO: Machine Check Error on Page Size Change Mitigation
There are a number of extensions that are meant to show you that some mitigations are not active because your CPU isn’t vulnerable.
MDS_NOMicroarchitectural Data Sampling Hardware Avoidance Mitigation. This one is enabled when you don’t need the mitigation mechanism provider by
MD_CLEARbecause you CPU isn’t vulnerable.
RDCL_NORogue Data Cache Avoidance Mitigation. This is as well only enabled when your CPU isn’t vulnerable.
TAA_NO>: Intel TSX Asynchronous Abort (TAA) Hardware Avoidance Mitigation. This is only enabled, when your CPU isn’t vulnerable and it supports TSX.