Enabling Security Mitigations for Meltdown and Spectre on NI Linux Real-Time Controllers

Overview

This document describes how to enable security mitigations for Meltdown and Spectre on NI Linux Real-Time targets. For more information on the vulnerabilities and what hardware is impacted, refer to Meltdown and Spectre – Processor Speculative Execution Vulnerabilities (NI Linux Real-Time). The process for enabling mitigations differs based on the architecture of the controller. Please refer to the Real-Time Controllers and Real-Time Operating System Compatibility to determine the architecture for a specific controller.

ARM-based Controller Mitigation Process

In order to enable mitigations, the following steps must be taken. 

  1. Install the 19.0 or later version of the specific controller’s device driver on the host computer.   
  2. Upgrade the firmware of the controller to the 7.0 or later version by following Upgrading Firmware on my NI Linux Real-Time device.
  3. Format and re-install software to the controller.

For example, if using the cRIO-9068, you would need to install NI-CompactRIO 19.0 and upgrade the firmware to get the mitigations.

Intel x64-based Controller Mitigation Process

In order to enable all mitigations, the following steps must be taken:

  1. Install the 19.0 or later version of the specific controller’s device driver on the host computer.
  2. Upgrade the Firmware of the controller to the 7.0 or later version by following Upgrading Firmware on my NI Linux Real-Time device.
    Note: PXI Linux RT controllers will not require a firmware update. Follow Installing Software on NI Linux Real-Time PXI Controllers to install software.
  3. Format and re-install software to the controller.
  4. Enable SSH from NI MAX and connect to the controller via SSH.
    1. Refer to Accessing the Shell on NI Linux RT Devices for help.
  5. (Optional) Confirm your target’s mitigations by observing the vulnerabilities files reported by running:
    grep . /sys/devices/system/cpu/vulnerabilities/*
  6. Enable mitigations for all vulnerabilities in the INI file. This can be done using the nirtcfg utility in the shell.
    nirtcfg --set section=SYSTEMSETTINGS,token=cpu.mitigations.disabled,value="False" 
    Vulnerability      Status Name        Section         Token                            Value
    For NI Linux Real-Time 2022Q4 and Later
    All                All                SYSTEMSETTINGS  cpu.mitigations.disabled         FALSE
    For NI Linux Real-Time 2022Q4 and Prior
    Spectre Variant 2  Spectre_v2         SYSTEMSETTINGS  spectre_v2.mitigations.disabled  FALSE
    Spectre Variant 4  Spec_store_bypass  SYSTEMSETTINGS  spectre_v4.mitigations.disabled  FALSE
    Meltdown           Meltdown           SYSTEMSETTINGS  meltdown.mitigations.disabled    FALSE
    Foreshadow         L1tf               SYSTEMSETTINGS  l1tf.mitigations.disabled        FALSE
  7. Reboot the controller for your changes to take effect.
  8. (Optional) Confirm your new mitigation status by repeating step 5.

Advanced Programming

If you need to enable or disable specific mitigations for NI Linux Real-Time 2022Q4 and later, directly edit “/boot/runmode/cpu-mitigations.cfg” on the NI Linux Real-Time target.

If the cpu-mitigations file is named “cpu-mitigations.cfg.disabled” on your NI Linux Real-Time target, first rename it to “cpu-mitigations.cfg”. Next, replace “mitigations=off” in “cpu-mitigations.cfg”. Note that replacing mitigations=off enables all mitigations by default, so you must then list the specific mitigations you want disabled in cpu-mitigations.cfg. For example, to enable all mitigations but specifically disable the spectre_v2 and meltdown mitigations, update “cpu-mitigations.cfg” to the following:

set otherbootargs="${otherbootargs} spectre_v2=off pti=off"  

Whenever you update “cpu-mitigations.cfg” you will need to reboot your NI Linux Real-Time target for the changes to take effect. For a complete list of mitigations please refer to the kernel parameter documentation for the kernel version you’re using on your NI Linux Real-Time target.
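
The optional confirmation in step 5 and the boot arguments from this section can be checked together after a reboot. The script below is an added example, not NI code: the function names, the script name and the --live flag are hypothetical, and it assumes the arguments set through cpu-mitigations.cfg appear on the running kernel's command line in /proc/cmdline.

```sh
#!/bin/sh
# Added example (not NI code). Paths default to the live system but can be
# overridden, so the functions also run against constructed sample data.

# audit_vulns [DIR]: classify each file the kernel exposes under
# /sys/devices/system/cpu/vulnerabilities by the leading word of its status.
# Returns 1 if any entry reports "Vulnerable".
audit_vulns() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        text=$(cat "$f")
        # Some entries prefix the status with "KVM: "; classify what follows.
        case ${text#"KVM: "} in
            "Not affected"*) class=NOT_AFFECTED ;;
            Mitigation:*)    class=MITIGATED ;;
            Vulnerable*)     class=VULNERABLE; rc=1 ;;
            *)               class=UNKNOWN ;;
        esac
        printf '%-13s %-20s %s\n' "$class" "$(basename "$f")" "$text"
    done
    return "$rc"
}

# check_bootargs "ARGS": report the mitigation-disabling arguments named on
# this page if they appear in ARGS. Returns 1 if any is present.
check_bootargs() {
    rc=0
    for p in mitigations=off spectre_v2=off pti=off; do
        case " $1 " in
            *" $p "*) echo "DISABLES $p"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Audit the running target only when asked: sh audit-mitigations.sh --live
if [ "${1:-}" = "--live" ]; then
    fail=0
    audit_vulns || fail=1
    check_bootargs "$(cat /proc/cmdline)" || fail=1
    exit "$fail"
fi
```

The classification uses only the leading word of each status line, so read the full text in the third column for details such as SMT or sub-feature state. A non-zero exit status means at least one entry reports Vulnerable or one of the listed disabling arguments is active.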
