sys smcvemgt command

Last Updated: Mar 25, 2021

The system layer smcvemgt command is used to manage the Linux kernel patches related to the following vulnerabilities:

  • Variant #2/Spectre (CVE-2017-5715)

  • Variant #3/Meltdown (CVE-2017-5754)

Note:

The kernel patch for the Variant #1/Spectre (CVE-2017-5753) vulnerability is permanently enabled on the system and cannot be disabled.

This command is only available for OVA-based deployments.

The choice to enable or disable these patches is a trade-off between performance and security impact:

  • If the patches are enabled, the system might experience noticeable performance losses.

  • If the patches are disabled, the system is not protected against the Variant #2/Spectre and Variant #3/Meltdown vulnerabilities.

By default, Linux patches for Variant #2/Spectre and Variant #3/Meltdown are enabled. The Variant #2/Spectre patch is enabled with Linux kernel defaults. In default operation mode, the Variant #2/Spectre Linux patch selects the mitigation method that is best suited for the processor architecture of the host machine.

Note:

To be fully functional, patches for the Variant #2/Spectre vulnerability require hardware support, which is provided by VMware and hardware vendors through microcode updates.

Changes made by the smcvemgt command to the Linux kernel tunables always cause a server reboot. The script does not manage the state of application services. To ensure that the application services are stopped before the reboot, run the svc csa stop command before using the smcvemgt command. After the reboot, manually start the application services using the svc csa start command.

For more information about Spectre and Meltdown kernel tunables that are affected by the smcvemgt command, see https://access.redhat.com/articles/3311301. For more information about the Spectre and Meltdown vulnerabilities, see https://access.redhat.com/security/vulnerabilities/speculativeexecution.
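As an added example (not part of this product's documentation or of the smcvemgt script itself), the following POSIX shell wrapper performs the documented stop-then-set sequence: it validates the requested v2-mode and v3-mode against the values listed in the syntax help, runs svc csa stop, and only then calls sys smcvemgt --set, which reboots the host. It assumes the svc and sys commands described on this page are on the PATH of the admin shell. The report_mitigations helper reads the Linux kernel's own status files under /sys/devices/system/cpu/vulnerabilities, a standard kernel interface independent of smcvemgt, which is a convenient way to confirm the effective state after the reboot and the manual svc csa start.

```shell
#!/bin/sh
# Added example: a wrapper around the documented stop-then-set sequence.
# Not part of the smcvemgt script or its documentation. Assumes the
# `svc` and `sys` commands described on this page are on the PATH.

# Accept only the v2-mode values listed in `sys smcvemgt --help`.
valid_v2_mode() {
    case "$1" in
        disabled|default|kernel|user|both|user+retp) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept only the v3-mode values listed in `sys smcvemgt --help`.
valid_v3_mode() {
    case "$1" in
        disabled|enabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the argument string for `sys smcvemgt --set` from an optional
# v2-mode ($1) and an optional v3-mode ($2). An omitted value is left out so
# the script retains the current system value, as the verbose help states.
# Fails (returns 1) on an unknown mode or when neither value is given.
build_set_args() {
    v2="$1"
    v3="$2"
    args=""
    if [ -n "$v2" ]; then
        valid_v2_mode "$v2" || return 1
        args="v2=$v2"
    fi
    if [ -n "$v3" ]; then
        valid_v3_mode "$v3" || return 1
        args="${args:+$args }v3=$v3"
    fi
    [ -n "$args" ] || return 1
    printf '%s' "$args"
}

# Report the kernel's own view of the two mitigations from the standard
# sysfs interface (a Linux kernel feature, not something smcvemgt provides).
# $1 overrides the directory so the function can be exercised on test data.
# Output: "spectre_v2=<status>;meltdown=<status>", "unknown" if unreadable.
report_mitigations() {
    base="${1:-/sys/devices/system/cpu/vulnerabilities}"
    out=""
    for v in spectre_v2 meltdown; do
        if [ -r "$base/$v" ]; then
            status=$(cat "$base/$v")
        else
            status="unknown"
        fi
        out="${out:+$out;}$v=$status"
    done
    printf '%s' "$out"
}

# The documented sequence: stop application services, then change the
# tunables. `sys smcvemgt --set` reboots the server immediately, so the
# matching `svc csa start` has to be run by hand after the reboot.
apply_with_services_stopped() {
    args=$(build_set_args "$1" "$2") || {
        echo "usage: apply_with_services_stopped [v2-mode] [v3-mode]" >&2
        return 1
    }
    echo "Before change: $(report_mitigations)"
    svc csa stop || return 1
    # shellcheck disable=SC2086  # word splitting of $args is intended
    sys smcvemgt --set $args
}

# Example invocation (commented out because it reboots the host):
# apply_with_services_stopped kernel enabled
```

Running report_mitigations with no argument on the rebooted host prints the kernel's status strings for spectre_v2 and meltdown; comparing them before and after the change is the quickest check that the requested mode actually took effect, independently of what the script's --query reports.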

Syntax help: sys smcvemgt --help

[admin@server-dev ~]$ sys smcvemgt --help

Version 1.2

Syntax:
    --help,    -h
    --hhelp,   -hh
    --query,   -q
    --set,     -s  enabled
    --set,     -s  disabled
    --set,     -s  [ v2=<v2-mode> ] [ v3=<v3-mode> ]
        (v2-mode: disabled | default | kernel | user | both | user+retp)
        (v3-mode: disabled | enabled)
    --history

Verbose help: sys smcvemgt --hhelp

[admin@srvr-dev ~]$ sys smcvemgt --hhelp

Version 1.2

This script manages the enablement status of the Linux kernel patches for the
following Spectre and Meltdown vulnerabilities:

    Variant #2/Spectre  (CVE-2017-5715)
    Variant #3/Meltdown (CVE-2017-5754)

The kernel patch for the following related vulnerability is permanently enabled
on the system (cannot be disabled):

    Variant #1/Spectre (CVE-2017-5753)

Note that hardware support is required for Variant #2/Spectre to be fully
functional. CPU microcode updates must be applied in order for this hardware
support to be provided. The "--query" argument includes an indication as to
whether or not hardware support is provided on this server.

For more information on Spectre/Meltdown kernel tunables, refer to:

    https://access.redhat.com/articles/3311301

For additional information on the Spectre/Meltdown vulnerabilities, refer
to:

    https://access.redhat.com/security/vulnerabilities/speculativeexecution

Syntax:

    --help,    -h
        Provide terse help.

    --hhelp,   -hh
        Provide verbose help (this text).

    --query,   -q
        Query the configuration of the Variant #2/Spectre and Variant #3/
        Meltdown tunables for system reboots, as well as on the running
        system.

    --set,  -s  enabled
    --set,  -s  disabled
    --set,  -s  [ v2=<v2-mode> ] [ v3=<v3-mode> ]
        Enables and disables Variant #2/Spectre ("v2") and/or Variant #3/
        Meltdown ("v3") patches.

        This immediately reboots the server. Applications on the server are
        not managed by this script. Ensure that any applications are
        disabled, as required, prior to changing kernel settings with this
        script.

        If "enabled" is specified, then both v2 and v3 are enabled,
        with v2 set to kernel default behavior. If "disabled" is specified,
        then both v2 and v3 are disabled. Otherwise, kernel patches
        are enabled or disbled as per the specified "v2" and/or "v3"
        arguments. If a "v2" or "v3" argument is not specified, the current
        system value for that item is retained.

        v2-mode:

            disabled
                Variant #2/Spectre is disabled.

            default
                The kernel decides how to set tunables for Variant #2/
                Spectre, based on the processor architecture. Note that for
                architectures prior to Skylake, the kernel selects
                retpoline ("return trampoline") over ibrs.

            kernel
                Use "ibrs" (i.e., kernel space only).

            user
                Use "ibrs_user" (i.e., userland only).

            both
                Use "ibrs_always" (i.e., kernel space and userland).

            user+retp
                Use "retpoline,ibrs_user".

        v3-mode:

            disabled
                Variant #3/Meltdown is disabled.

            enabled
                Variant #3/Meltdown is enabled.

        The following two commands are equivalent:

            sys smcvemgt enabled
            sys smcvemgt v2=default v3=enabled

        The following two commands are equivalent:

            sys smcvemgt disabled
            sys smcvemgt v2=disabled v3=disabled

    --history
        Show a history of changes made to the enablement status of the
        Spectre and Meltdown patches.