From 24ea8003a49dbbcdfbbf2e5969c4bf8002063b86 Mon Sep 17 00:00:00 2001 From: Zach Koopmans Date: Mon, 22 Feb 2021 16:00:33 -0800 Subject: Only detect mds for mitigate. Only detect and mitigate on mds for the mitigate command. PiperOrigin-RevId: 358924466 --- runsc/mitigate/cpu.go | 34 +++++++--------------------------- runsc/mitigate/mitigate.go | 6 +----- 2 files changed, 8 insertions(+), 32 deletions(-) diff --git a/runsc/mitigate/cpu.go b/runsc/mitigate/cpu.go index ae4ce9579..38f9b787a 100644 --- a/runsc/mitigate/cpu.go +++ b/runsc/mitigate/cpu.go @@ -23,15 +23,10 @@ import ( ) const ( - // constants of coomm - meltdown = "cpu_meltdown" - l1tf = "l1tf" - mds = "mds" - swapgs = "swapgs" - taa = "taa" -) + // mds is the only bug we care about. + mds = "mds" -const ( + // Constants for parsing /proc/cpuinfo. processorKey = "processor" vendorIDKey = "vendor_id" cpuFamilyKey = "cpu family" @@ -39,9 +34,8 @@ const ( physicalIDKey = "physical id" coreIDKey = "core id" bugsKey = "bugs" -) -const ( + // Path to shutdown a CPU. cpuOnlineTemplate = "/sys/devices/system/cpu/cpu%d/online" ) @@ -249,24 +243,10 @@ func (t *thread) shutdown() error { return ioutil.WriteFile(cpuPath, []byte{'0'}, 0644) } -// List of pertinent side channel vulnerablilites. -// For mds, see: https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html. -var vulnerabilities = []string{ - meltdown, - l1tf, - mds, - swapgs, - taa, -} - -// isVulnerable checks if a CPU is vulnerable to pertinent bugs. +// isVulnerable checks if a CPU is vulnerable to mds. func (t *thread) isVulnerable() bool { - for _, bug := range vulnerabilities { - if _, ok := t.bugs[bug]; ok { - return true - } - } - return false + _, ok := t.bugs[mds] + return ok } // isActive checks if a CPU is active from /sys/devices/system/cpu/cpu{N}/online diff --git a/runsc/mitigate/mitigate.go b/runsc/mitigate/mitigate.go index 5be66f5f3..3ea58454f 100644 --- a/runsc/mitigate/mitigate.go +++ b/runsc/mitigate/mitigate.go @@ -36,11 +36,7 @@ type Mitigate struct { func (m Mitigate) Usage() string { usageString := `mitigate [flags] -This command mitigates an underlying system against side channel attacks. -The command checks /proc/cpuinfo for cpus having key vulnerablilities (meltdown, -l1tf, mds, swapgs, taa). If cpus are found to have one of the vulnerabilities, -all but one cpu is shutdown on each core via -/sys/devices/system/cpu/cpu{N}/online. +Mitigate mitigates a system to the "MDS" vulnerability by implementing a manual shutdown of SMT. The command checks /proc/cpuinfo for cpus having the MDS vulnerability, and if found, shutdown all but one CPU per hyperthread pair via /sys/devices/system/cpu/cpu{N}/online. CPUs can be restored by writing "2" to each file in /sys/devices/system/cpu/cpu{N}/online or performing a system reboot. ` return usageString + m.other.usage() } -- cgit v1.2.3