How you have grown ... sxadm

I remember i have first talked at a Solaris day in the Vienna Urania about sxadm for security extension administration. At that time we had one security extension and having an own administration program looked a little bit over the top for it. The single existing extension was for ASLR or “address space layout randomization”.

root@solaris:/# sxadm info
aslr                enabled (tagged-files)         system default (default)

And this was it … in 2013. Well, things have grown significantly since and so sxadm makes a lot more sense. Now it’s a central place for checking the state and partly to control the state of a number of security mechanisms and mitigations inside of Solaris. This is the current output of the system on a x86 system.

aslr                enabled (tagged-files)        u-c--
ibpb                not supported                 -----
ibrs                not supported                 -----
if_pschange_mc_no   not supported                 -----
kpti                enabled                       -kcr-
l1df                enabled                       -kcr-
md_clear            enabled                       -kcr-
mds_no              not supported                 -----
nxheap              enabled (tagged-files)        u-c--
nxstack             enabled (all)                 u-c--
rdcl_no             not supported                 -----
rsbs                enabled                       -kcr-
smap                not supported                 -----
ssbd                not supported                 -----
taa_no              not supported                 -----
tsx_disable         not supported                 -----
umip                not supported                 -----

The list looks differenly on a SPARC system because for example ADI isn’t available on x86. The job of sxadm got a little bit different. For some extensions it’s more like a status report, not a mechanism to enable or disable them, as they are either always enabled, enabled or disabled elsewhere or just show the state of things. I will cite the public man page for the following list.

A first group of extensions manages Solaris feature (albeit they may use CPU features). Some of the features are quite old like nxheap and nxstack, which were managed by /etc/system in the past.

A number of other extensions are meant to manage the mitigation against vulnerabilities of CPUs. Please consult the sxadm man page for further information.

There are a number of extensions that are meant to show you that some mitigations are not active because your CPU isn’t vulnerable.