summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
-rw-r--r--runsc/mitigate/cpu.go34
-rw-r--r--runsc/mitigate/mitigate.go6
2 files changed, 8 insertions, 32 deletions
diff --git a/runsc/mitigate/cpu.go b/runsc/mitigate/cpu.go
index ae4ce9579..38f9b787a 100644
--- a/runsc/mitigate/cpu.go
+++ b/runsc/mitigate/cpu.go
@@ -23,15 +23,10 @@ import (
)
const (
- // constants of coomm
- meltdown = "cpu_meltdown"
- l1tf = "l1tf"
- mds = "mds"
- swapgs = "swapgs"
- taa = "taa"
-)
+ // mds is the only bug we care about.
+ mds = "mds"
-const (
+ // Constants for parsing /proc/cpuinfo.
processorKey = "processor"
vendorIDKey = "vendor_id"
cpuFamilyKey = "cpu family"
@@ -39,9 +34,8 @@ const (
physicalIDKey = "physical id"
coreIDKey = "core id"
bugsKey = "bugs"
-)
-const (
+ // Path to shutdown a CPU.
cpuOnlineTemplate = "/sys/devices/system/cpu/cpu%d/online"
)
@@ -249,24 +243,10 @@ func (t *thread) shutdown() error {
return ioutil.WriteFile(cpuPath, []byte{'0'}, 0644)
}
-// List of pertinent side channel vulnerablilites.
-// For mds, see: https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html.
-var vulnerabilities = []string{
- meltdown,
- l1tf,
- mds,
- swapgs,
- taa,
-}
-
-// isVulnerable checks if a CPU is vulnerable to pertinent bugs.
+// isVulnerable checks if a CPU is vulnerable to mds.
func (t *thread) isVulnerable() bool {
- for _, bug := range vulnerabilities {
- if _, ok := t.bugs[bug]; ok {
- return true
- }
- }
- return false
+ _, ok := t.bugs[mds]
+ return ok
}
// isActive checks if a CPU is active from /sys/devices/system/cpu/cpu{N}/online
diff --git a/runsc/mitigate/mitigate.go b/runsc/mitigate/mitigate.go
index 5be66f5f3..3ea58454f 100644
--- a/runsc/mitigate/mitigate.go
+++ b/runsc/mitigate/mitigate.go
@@ -36,11 +36,7 @@ type Mitigate struct {
func (m Mitigate) Usage() string {
usageString := `mitigate [flags]
-This command mitigates an underlying system against side channel attacks.
-The command checks /proc/cpuinfo for cpus having key vulnerablilities (meltdown,
-l1tf, mds, swapgs, taa). If cpus are found to have one of the vulnerabilities,
-all but one cpu is shutdown on each core via
-/sys/devices/system/cpu/cpu{N}/online.
+Mitigate mitigates a system to the "MDS" vulnerability by implementing a manual shutdown of SMT. The command checks /proc/cpuinfo for cpus having the MDS vulnerability, and if found, shutdown all but one CPU per hyperthread pair via /sys/devices/system/cpu/cpu{N}/online. CPUs can be restored by writing "2" to each file in /sys/devices/system/cpu/cpu{N}/online or performing a system reboot.
`
return usageString + m.other.usage()
}