Spectre - SPARC Solaris: The Safe Choice

Spectre - SPARC Solaris: The Safe Choice

Abstract:

As the industry continues to struggle with Meltdown, a second vulnerability family appeared referred to as Spectre. As of this article publication, there are 4 variants of Spectre, the latter two variants referred to as Spectre-NG. All SPARC systems are safe, if the most recent systems are on the most current firmware & OS releases. As of this publishing, the latest application/OS & firmware patches fixes the first two. The later 2 does not affect SPARC, as the rest of the Intel and other CPU communities are struggling with their cloud and local server infrastructures.
 

[Spectre logo, courtesy solaris.wtf]

Spectre 

Spectre comes in 4 variants, the first 2 and next 2 identified as of the publishing of this article.

Spectre v1

Upgrade firefox to 57.0.4 or greater for protection (i.e. bundled in recent Solaris 11.3 updates.

Unpatched super-scalar CPU's (i.e. SPARC T4, T5, M6, M7, S7, M8, M10, M12) could possibly be exploited by CVE-2017-5753.

Spectre  v2

 A quick summary on Stack Exchange on how Spectre works:

the attacker tricks the speculative execution to predictively execute instructions erroneously. In a nutshell, the predictor is coerced to predict a specific branch result (if -> true), that results in asking for an out-of-bound memory access that the victim process would not normally have requested, resulting in incorrect speculative execution. Then by the side-channel, retrieves the value of this memory. In this way, memory belonging to the victim process is leaked to the malicious process.

Unpatched super-scalar CPU's (i.e. SPARC T4, T5, M6, M7, S7, M8, M10, M12) may be exploited by CVE-2017-5715.

Spectre v3a

All 64 bit SPARC is immune to CVE-2018-3640 .

Spectre v4

All 64 bit SPARC is immune to CVE-2018-3639 .

[SPARC Logo, courtesy SPARC International]

SPARC

Modern 64 bit SPARC variants come in 2 classes: Scalar and Super-Scalar

[Sun Microsystems Logo, courtesy Sun Microsystems]

Sun UltraSPARC

Older Sun UltraSPARC 64 bit Servers do not have the CPU feature which could possibly be exploited and were not vulnerable... they did not issue speculative instructions. Oracle had purchased Sun, so their support channel can provide a definitive explanation. Performance was mostly driven on these servers leveraging SMP chassis, Multi-Core sockets, and large memory footprints.

[Oracle Logo, courtesy Oracle Corporation]

Oracle SPARC

Newer Oracle SPARC Solaris servers are possibly vulnerable, if you are running a modern CPU which initiates speculative instructions (i.e. T4 or newer) while older 64 bit CPU's are not vulnerable. It has been reported on Solaris WTF that "Spectre (CVE-2017-5753 and CVE-2017-5715)" has been fixed in firmware (i.e. T4: 8.9.10 or greater; T5, M5, M6: 9.6.22a or greater; M7, S7, M8: 9.8.5c or greater.)

The short story, a firmware patch for CPU's newer than T4 are required and the impact is very minor in performance, according to the previous blog. Stock Firefox as shipped with Solaris 10 is vulnerable to Spectre v1, Solaris 11 fixed Firefox vulnerability early 2018, so users should migrate to Solaris 11.

[Fujitsu Logo, courtesy Fujitsu corporation]

Fujitsu SPARC

Sun and Oracle are not the only 2 vendors, who have produced 64 bit SPARC platforms. Newer Fujitsu SPARC Servers are also super-scalar, possibly vulnerable to Spectre v2 (CVE-2017-5753), and have been been fixed in firmware (i.e. M10: XCP2351; M12: XCP3051.)

Conclusions:

If you are using an older Sun UltraSPARC server, you are OK. If you are running a newer Oracle SPARC (i.e. T4 or newer) server, you should update Firefox on Solaris 10 or get on the latest Solaris 11 release to be protected from Spectre v1. For the same class of hardware, apply firmware patches available today to protect from Spectre v2. SPARC is immune to Spectre v3 & v4. Get with your Oracle support for the first 2 variants (doc id 2349278.1) and second 2 variants.

SPARC T5 and M5 Tutorials

[Sun Microsystems Logo]

Abstract:
Sun Microsystems has been a leading provider of data center and internet hosting equipment for decades. Recently, Oracle corporation purchased Sun Microsystems. In 2013, Oracle released a new line of servers, as well as a refresh in video introductions, interactive tutorials, and white papers.


[Oracle Corporation Logo]

Oracle Hardware Introduction [html] video - Oracle Hardware: Automating Server Management
[html] video - Oracle Hardware: Simple Server Management at No Cost

Oracle's SPARC T5 and SPARC M5 Server Technical Insights

[html] tutorial - Oracle SPARC T5 and Oracle M5 Core

[SPARC T4 Processor, courtesy Oracle kick-off]

Oracle T5 Platforms

[html] tutorial - Oracle's SPARC T5 Servers External Features

[html] tutorial - SPARC T5-1B Server Module 3D Tour

[html] tutorial - SPARC T5-2 Server 3D Tour

[html] tutorial - SPARC T5-4 Server 3D Tour

[html] tutorial - SPARC T5-8 Server 3D Tour

[html] paper - Maximizing Application Reliability and Availability with SPARC T5 Servers

[html] paper - Oracle's SPARC T5-2, SPARC T5-4, SPARC T5-8, and SPARC T5-1B Server Architecture

[Oracle SPARC die, courtesy Oracle kick-off]

Oracle M5 Platforms

[html] tutorial - SPARC M5-32 Server 3D Tour

[html] tutorial - Oracle SPARC M5-32 External Features

[html] paper - SPARC M5-32 Server Architecture

[html] tutorial - Oracle's SPARC M5-32 Server Virtualization Options

[html] docs - Oracle's SPARC M5-32 Documentation

[html] paper - Maximizing Application Reliability and Availability with the SPARC M5-32 Server

Solaris: Massive Internet Scalability



[SPARC processor, courtesy Oracle SPARC T5/M5 Kick-Off]

 Solaris: Massive Internet Scalability
Abstract:
Computing systems started with single processors. As computer requirements increased, multiple processors were lashed together, using technology called SMP (Symmetric Multi-Processing) to add more computing power into a single system, breaking up tasks into processes and threads, but the transition to multi-threaded computing was a long process. The lack of scalability for some problems produced MPP (Massively Parallel Processing) platforms, lashing systems together using special software to load-balance jobs to be processed. MPP platforms were very difficult to program general purpose applications, so massively Multi-Core and Multi-Threaded processors started to appear. Oracle recently released the SPARC T5 processor and systems - producing an SMP platform scalable with massive sockets, cores, and threads into a single chassis - leveraging existing multi-threaded computing software, reducing the need for MPP in real-world applications, while placing tremendous pressure upon the Operating System layer.

[SPARC logo, courtesy SPARC.org]

SPARC Growth Rate:
The SPARC processors started a growth rate, with a movement to massively threaded software.

SPARC	Cores	GHz	Threads	Sockets	Total-Cores	Total-Threads
T1	8	1.4	32	1	8	32
T2	8	1.6	64	1	8	64
T2+	8	1.6	64	4	32	256
T3	16	1.6	128	4	64	512
T4	8	3	64	4	32	256
T5	16	3.6	128	8	128	1024
M5	6	3.6	48	32	192	1536

The movement to massively threaded processors meant that applications needed to be re-written to take advantage of the new higher throughput. Certain applications were already well suited for this workload (i.e. web servers) - but many were not.

[DTrace infrastructure and providers]

Application Challenges:
The movement to massively threaded software, to take advantage of the higher overall throughput offered by the new processor technology, was difficult for application programmers. Technologies such as DTrace were added to advanced operating systems such as Solaris to assist developers and systems administrators in pin-pointing their code hot-spots for later re-write.

When the SPARC T4 was released, there was a feature called "Critical Thread API" in the S3 core, to assist application programmers who could not resolve some single thread bottlenecks. The S3 core could automatically switch into a single-threaded mode (with the sacrifice of throughput) to address hot-spots. The T4 (and T5) faster S3 core was also clocked at a higher rate, providing an overall boost to single threaded workflows over previous processors - even at the same number of cores and threads. The ability to perform out-of-order instruction handling in the S3 also increased speed in the execution of single-threaded applications.

The SPARC T4 and T5 processors finally offered application developers a no-compromise processor. For heavy single-threaded workloads, the SPARC M5 processor was released from Oracle, driving inreasing scales of higher single-threaded workloads, without having to rely upon systems produced by long-time SPARC partner & competitor - Fujitsu.

[Solaris logo, courtesy Sun Microsystems]

Operating System Challenges:

A single system scaling to 192 cores and 1536 threads offers incredible challenges to Operating System designers. Steve Sistare from Oracle discusses some of these challenges in a Part 1 article and solutions in a  Part 2 article. Some of the challenges overcome by Solaris included:

CPU scaling issues include: •increased lock contention at higher thread counts
•O(NCPU) and worse algorithms

Memory scaling issues include:
•working sets that exceed VA translation caches
•unmapping translations in all CPUs that access a memory page
•O(memory) algorithms
•memory hotspots

Device scaling issues include:
•O(Ndevice) and worse algorithms
•system bandwidth limitations
•lock contention in interrupt threads and service threads

Clearly, the engineering team at Oracle were up for the tasks created for them by the Oracle SPARC engineering team. Innovation from Sun Microsystems continues under Oracle. It will take years for other Operating System vendors to "catch up".

Network Management Applications:

In the realm of Network Management, many polling applications used threads to scale, where network communication to edge devices was latency bottlenecked - making the SPARC "T" processors an excellent choice in the carrier based environment.
The data returned by the massively mult-threaded pollers needed to be placed in a database, in a consistent fashion. This offered a problem during the device "discovery" process. This is normally a single-threaded process, which experienced massive slow-downs under the "T" processors - until the T4 was released. With processors like the SPARC T4 and SPARC T5 - Network Management applications gain the proverbial "best of both worlds" with massive hardware thread scalability for pollers and excellent single-threaded throughput during discovery bottlenecks with the "Critical Thread API."

The latest SPARC platforms are optimal platforms for massive Network Management applications. There is no other platform on the planet which compares to SPARC for managing "The Internet".

Tab Update: Solaris - New T5 and M5 Platforms!

With the new Oracle T5 and Oracle M5 processors released from Oracle yesterday evening, two new white papers have hit Network Management blog, covering the architecture for solution integrations.

Solaris Reference Material
...
2013-03 [PDF] Oracle's SPARC T5-2, T5-4, T5-8, and T5-1B Server Architecture
2013-03 [PDF] Oracle's SPARC M5-32 Server Architecture