Diffstat (limited to 'runsc/mitigate/cpu.go')
-rw-r--r--runsc/mitigate/cpu.go34
1 files changed, 7 insertions, 27 deletions
diff --git a/runsc/mitigate/cpu.go b/runsc/mitigate/cpu.go
index ae4ce9579..38f9b787a 100644
--- a/runsc/mitigate/cpu.go
+++ b/runsc/mitigate/cpu.go
@@ -23,15 +23,10 @@ import (
)
const (
- // constants of coomm
- meltdown = "cpu_meltdown"
- l1tf = "l1tf"
- mds = "mds"
- swapgs = "swapgs"
- taa = "taa"
-)
+ // mds is the only bug we care about.
+ mds = "mds"
-const (
+ // Constants for parsing /proc/cpuinfo.
processorKey = "processor"
vendorIDKey = "vendor_id"
cpuFamilyKey = "cpu family"
@@ -39,9 +34,8 @@ const (
physicalIDKey = "physical id"
coreIDKey = "core id"
bugsKey = "bugs"
-)
-const (
+ // Path to shutdown a CPU.
cpuOnlineTemplate = "/sys/devices/system/cpu/cpu%d/online"
)
@@ -249,24 +243,10 @@ func (t *thread) shutdown() error {
return ioutil.WriteFile(cpuPath, []byte{'0'}, 0644)
}
-// List of pertinent side channel vulnerablilites.
-// For mds, see: https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html.
-var vulnerabilities = []string{
- meltdown,
- l1tf,
- mds,
- swapgs,
- taa,
-}
-
-// isVulnerable checks if a CPU is vulnerable to pertinent bugs.
+// isVulnerable checks if a CPU is vulnerable to mds.
func (t *thread) isVulnerable() bool {
- for _, bug := range vulnerabilities {
- if _, ok := t.bugs[bug]; ok {
- return true
- }
- }
- return false
+ _, ok := t.bugs[mds]
+ return ok
}
// isActive checks if a CPU is active from /sys/devices/system/cpu/cpu{N}/online
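Review bot: isVulnerable now returns true only when `t.bugs` contains `mds`, so a CPU whose /proc/cpuinfo bugs line lists `l1tf` or `taa` without `mds` is treated as not vulnerable. Neither the new doc comment nor the `mds is the only bug we care about` comment in the first hunk says why that narrowing is safe. If the intent is that only MDS requires taking sibling threads offline, the comment should state it, for example `// isVulnerable reports whether the CPU lists mds in its bugs; other side-channel bugs are deliberately ignored because <reason>.` A unit test with a bugs line that contains `taa` but not `mds` would pin the intended result and make any later change to the list a visible decision.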