-rw-r--r-- | runsc/mitigate/cpu.go | 34 | ||||
-rw-r--r-- | runsc/mitigate/mitigate.go | 6 |
2 files changed, 8 insertions, 32 deletions
diff --git a/runsc/mitigate/cpu.go b/runsc/mitigate/cpu.go
index ae4ce9579..38f9b787a 100644
--- a/runsc/mitigate/cpu.go
+++ b/runsc/mitigate/cpu.go
@@ -23,15 +23,10 @@ import (
 )

 const (
- // constants of coomm
- meltdown = "cpu_meltdown"
- l1tf = "l1tf"
- mds = "mds"
- swapgs = "swapgs"
- taa = "taa"
-)
+ // mds is the only bug we care about.
+ mds = "mds"

-const (
+ // Constants for parsing /proc/cpuinfo.
 processorKey = "processor"
 vendorIDKey = "vendor_id"
 cpuFamilyKey = "cpu family"
@@ -39,9 +34,8 @@ const (
 physicalIDKey = "physical id"
 coreIDKey = "core id"
 bugsKey = "bugs"
-)

-const (
+ // Path to shutdown a CPU.
 cpuOnlineTemplate = "/sys/devices/system/cpu/cpu%d/online"
 )

@@ -249,24 +243,10 @@ func (t *thread) shutdown() error {
 return ioutil.WriteFile(cpuPath, []byte{'0'}, 0644)
 }

-// List of pertinent side channel vulnerablilites.
-// For mds, see: https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html.
-var vulnerabilities = []string{
- meltdown,
- l1tf,
- mds,
- swapgs,
- taa,
-}
-
-// isVulnerable checks if a CPU is vulnerable to pertinent bugs.
+// isVulnerable checks if a CPU is vulnerable to mds.
 func (t *thread) isVulnerable() bool {
- for _, bug := range vulnerabilities {
- if _, ok := t.bugs[bug]; ok {
- return true
- }
- }
- return false
+ _, ok := t.bugs[mds]
+ return ok
 }

 // isActive checks if a CPU is active from /sys/devices/system/cpu/cpu{N}/online
diff --git a/runsc/mitigate/mitigate.go b/runsc/mitigate/mitigate.go
index 5be66f5f3..3ea58454f 100644
--- a/runsc/mitigate/mitigate.go
+++ b/runsc/mitigate/mitigate.go
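Review bot: The kernel reference for MDS that the removed `vulnerabilities` slice carried (https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html) disappears with it, and the new `mds` constant in the first hunk is documented only as "the only bug we care about", so a reader of isVulnerable no longer has a pointer to what the single map lookup actually decides. Keep the link on the constant, e.g. `// mds is the only bug we care about; see https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html.`. Narrowing the check to the one "mds" token also means a host whose /proc/cpuinfo bugs line lists only l1tf, taa or the other dropped names is now left untouched by this command; if that is the intended scope, stating it in the function comment makes the decision visible to whoever audits the mitigation later, e.g. `// isVulnerable reports whether this CPU's /proc/cpuinfo bugs line lists mds; other side-channel bugs are deliberately not considered.`. The same comment applies to the third hunk's isVulnerable body, which is otherwise a clean replacement for the loop.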
@@ -36,11 +36,7 @@ type Mitigate struct {
 func (m Mitigate) Usage() string {
 usageString := `mitigate [flags]
-This command mitigates an underlying system against side channel attacks.
-The command checks /proc/cpuinfo for cpus having key vulnerablilities (meltdown,
-l1tf, mds, swapgs, taa). If cpus are found to have one of the vulnerabilities,
-all but one cpu is shutdown on each core via
-/sys/devices/system/cpu/cpu{N}/online.
+Mitigate mitigates a system to the "MDS" vulnerability by implementing a manual shutdown of SMT. The command checks /proc/cpuinfo for cpus having the MDS vulnerability, and if found, shutdown all but one CPU per hyperthread pair via /sys/devices/system/cpu/cpu{N}/online. CPUs can be restored by writing "2" to each file in /sys/devices/system/cpu/cpu{N}/online or performing a system reboot.
 `
 return usageString + m.other.usage()
 } |
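Review bot: The new usage text tells operators to restore CPUs by writing "2" to /sys/devices/system/cpu/cpu{N}/online, while the shutdown path visible in cpu.go writes '0'; as far as I know the sysfs ABI for that file documents only 0 and 1, so please confirm the restore value against the command's own enable path before this instruction ships, since a wrong value leaves SMT siblings offline after an operator believes they have recovered them. The replacement paragraph is also a single unwrapped line where the old text wrapped at roughly 80 columns; this string is printed to a terminal, so breaking it at similar widths keeps the help readable. "Mitigate mitigates a system to the "MDS" vulnerability" reads awkwardly — `Mitigate protects a system against the "MDS" vulnerability by manually shutting down SMT.` says the same thing. The hunk header count suggests one context line (probably a blank line inside the raw string) was lost in this rendering, so check the exact line layout in the actual commit.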