Enabling Security Mitigations for Meltdown and Spectre on NI Linux Real-Time Controllers

Publish Date: Jul 10, 2019

Overview

This document describes how to enable security mitigations for Meltdown and Spectre on NI Linux Real-Time targets. For more information on the vulnerabilities and what hardware is impacted, refer to Meltdown and Spectre – Processor Speculative Execution Vulnerabilities (NI Linux Real-Time). The process for enabling mitigations differs based on the architecture of the controller. Please refer to the Real-Time Controllers and Real-Time Operating System Compatibility to determine the architecture for a specific controller.

Table of Contents

  1. ARM-based Controller Mitigation Process
  2. Intel x64-based Controller Mitigation Process
  3. Related Resources

1. ARM-based Controller Mitigation Process

In order to enable mitigations, the following steps must be taken. 

  1. Install the 19.0 or later version of the specific controller’s device driver on the host computer.
  2. Upgrade the firmware of the controller to the 7.0 or later version by following Upgrading Firmware on my NI Linux Real-Time device.
  3. Format and re-install software to the controller.

For example, if using the cRIO-9068, you would need to install NI-CompactRIO 19.0 and upgrade the firmware to get the mitigations.

 


2. Intel x64-based Controller Mitigation Process


In order to enable all mitigations, the following steps must be taken:

  1. Install the 19.0 or later version of the specific controller’s device driver on the host computer.
  2. Upgrade the firmware of the controller to the 7.0 or later version by following Upgrading Firmware on my NI Linux Real-Time device.
    Note: PXI Linux RT controllers will not require a firmware update. Follow Installing Software on NI Linux Real-Time PXI Controllers to install software.
  3. Format and re-install software to the controller.
  4. Enable SSH from NI MAX and connect to the controller via SSH.
    1. Refer to Accessing the Shell on NI Linux RT Devices for help.
  5. (Optional) Confirm your target’s mitigations by viewing the vulnerability status files the kernel reports:
    grep . /sys/devices/system/cpu/vulnerabilities/*
  6. Enable mitigations for each vulnerability in the INI file, using the nirtcfg utility in the shell with the section, token and value from the table below. For example, to enable the mitigation for Meltdown:
    nirtcfg --set section=SYSTEMSETTINGS,token=meltdown.mitigations.disabled,value="False"

    Vulnerability      Status Name        Section         Token                            Value
    Spectre Variant 2  Spectre_v2         SYSTEMSETTINGS  spectre_v2.mitigations.disabled  False
    Spectre Variant 4  Spec_store_bypass  SYSTEMSETTINGS  spectre_v4.mitigations.disabled  False
    Meltdown           Meltdown           SYSTEMSETTINGS  meltdown.mitigations.disabled    False
    Foreshadow         L1tf               SYSTEMSETTINGS  l1tf.mitigations.disabled        False

  7. Reboot the controller for your changes to take effect.
  8. (Optional) Confirm your new mitigation status by repeating step 5.
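
The status check in step 5 combined with the token table in step 6, as an added example (this is not NI's attached mitigations.sh and not NI code). It reads each status file, classifies it, and prints the nirtcfg command from the table for every entry the kernel reports as Vulnerable; it changes no settings itself. It assumes the lowercase file names the Linux kernel uses (spectre_v2, spec_store_bypass, meltdown, l1tf) and status strings starting with "Not affected", "Mitigation:" or "Vulnerable"; the function names and the VULN_DIR variable are hypothetical.

```shell
#!/bin/sh
# Added example, not NI's mitigations.sh. Prints commands only; changes nothing.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Map a kernel status file name to its SYSTEMSETTINGS token (table in step 6).
token_for() {
    case "$1" in
        spectre_v2)        echo "spectre_v2.mitigations.disabled" ;;
        spec_store_bypass) echo "spectre_v4.mitigations.disabled" ;;
        meltdown)          echo "meltdown.mitigations.disabled" ;;
        l1tf)              echo "l1tf.mitigations.disabled" ;;
        *)                 return 1 ;;  # no token listed on this page
    esac
}

# Classify the one-line status string the kernel writes to each file.
classify() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Report every status file; for vulnerable entries that have a token in the
# table, print the nirtcfg command that enables the mitigation.
audit() {
    dir="${1:-$VULN_DIR}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f" 2>/dev/null) || status="unreadable"
        state=$(classify "$status")
        echo "$name: $state ($status)"
        if [ "$state" = "vulnerable" ] && tok=$(token_for "$name"); then
            echo "  nirtcfg --set section=SYSTEMSETTINGS,token=$tok,value=\"False\""
        fi
    done
}

# Run against the live sysfs directory when it exists (i.e. on the target).
if [ -d "$VULN_DIR" ]; then audit; fi
```

Entries reported as vulnerable that have no token in the table (for example spectre_v1) are listed without a command, since this page gives no INI setting for them.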


3. Related Resources

 

 


Downloads

Attachments:

mitigations.sh

