// Copyright 2021 The gVisor Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package cmd
import (
"context"
"fmt"
"io/ioutil"
"runtime"
"github.com/google/subcommands"
"gvisor.dev/gvisor/pkg/log"
"gvisor.dev/gvisor/runsc/flag"
"gvisor.dev/gvisor/runsc/mitigate"
)
const (
	// cpuInfo is the file read in normal (mitigate) mode; its contents are
	// handed to mitigate.NewCPUSet to discover CPUs and their thread pairs.
	cpuInfo = "/proc/cpuinfo"
	// allPossibleCPUs is the file read in --reverse mode; its contents are
	// handed to mitigate.NewCPUSetFromPossible to enumerate every CPU that
	// should be brought back online.
	allPossibleCPUs = "/sys/devices/system/cpu/possible"
)
// Mitigate implements subcommands.Command for the "mitigate" command.
//
// The command reads a CPU description file (path), builds a mitigate.CPUSet
// from it and then either takes the sibling hyperthread of each pair offline
// (the MDS mitigation) or, with --reverse, brings every CPU back online.
type Mitigate struct {
	// dryRun, set by --dryrun, makes doMitigate/doReverse log the threads they
	// would touch without calling Disable/Enable on them.
	dryRun bool
	// reverse, set by --reverse, makes Execute read allPossibleCPUs instead of
	// cpuInfo and doExecute run doReverse (enable every CPU) instead of
	// doMitigate.
	reverse bool
	// path is the file doExecute reads to build the CPUSet. It is not a flag:
	// Execute picks cpuInfo or allPossibleCPUs depending on reverse.
	path string
	// data carries extra input for postMitigate. It is populated outside this
	// file (presumably by setFlags — verify); when empty, Execute skips
	// postMitigate entirely.
	data string
}
// Name implements subcommands.Command.Name; it is the token that selects this
// subcommand on the runsc command line.
func (*Mitigate) Name() string {
	const cmdName = "mitigate"
	return cmdName
}
// Synopsis implements subcommands.Command.Synopsis: the one-line summary shown
// in the subcommand listing.
func (*Mitigate) Synopsis() string {
	const summary = "mitigate mitigates the underlying system against side channel attacks"
	return summary
}
// Usage implements Usage for cmd.Mitigate.
//
// The format string below is the command's help text; m.usage() (defined
// elsewhere in the package) supplies the trailing, flag-specific part.
// NOTE(review): the help text says a CPU can be restored by writing "2" to its
// cpu{N}/online file; that sysfs attribute is commonly documented as taking
// 0 or 1 — confirm before relying on that sentence.
func (m Mitigate) Usage() string {
	const usageFmt = `mitigate [flags]

mitigate mitigates a system to the "MDS" vulnerability by implementing a manual shutdown of SMT. The command checks /proc/cpuinfo for cpus having the MDS vulnerability, and if found, shutdown all but one CPU per hyperthread pair via /sys/devices/system/cpu/cpu{N}/online. CPUs can be restored by writing "2" to each file in /sys/devices/system/cpu/cpu{N}/online or performing a system reboot.

The command can be reversed with --reverse, which reads the total CPUs from /sys/devices/system/cpu/possible and enables all with /sys/devices/system/cpu/cpu{N}/online.%s`
	return fmt.Sprintf(usageFmt, m.usage())
}
// SetFlags sets flags for the command Mitigate.
//
// Two boolean flags are owned here (--dryrun and --reverse); the remaining
// flags are registered by m.setFlags, which lives elsewhere in the package.
func (m *Mitigate) SetFlags(f *flag.FlagSet) {
	boolFlags := []struct {
		target *bool
		name   string
		help   string
	}{
		{&m.dryRun, "dryrun", "run the command without changing system"},
		{&m.reverse, "reverse", "reverse mitigate by enabling all CPUs"},
	}
	// Registration order is kept as listed above.
	for _, bf := range boolFlags {
		f.BoolVar(bf.target, bf.name, false, bf.help)
	}
	m.setFlags(f)
}
// Execute implements subcommands.Command.Execute.
//
// It refuses to run on ARM (not affected by MDS), rejects positional
// arguments, selects the input file according to --reverse, runs the
// mitigation (or its reversal) and finally runs postMitigate when extra data
// was supplied. subcommands.ExitSuccess is returned only when every step
// succeeded; the context argument is unused.
func (m *Mitigate) Execute(_ context.Context, f *flag.FlagSet, args ...interface{}) subcommands.ExitStatus {
	switch runtime.GOARCH {
	case "arm", "arm64":
		// MDS does not affect ARM; bail out early rather than touch sysfs on
		// an unaffected platform.
		log.Warningf("As ARM is not affected by MDS, mitigate does not support")
		return subcommands.ExitFailure
	}

	// mitigate takes flags only; any positional argument is a usage error.
	if f.NArg() > 0 {
		f.Usage()
		return subcommands.ExitUsageError
	}

	// The input file depends on the direction: cpuinfo to find vulnerable
	// thread pairs, the "possible" list to enumerate CPUs to re-enable.
	if m.reverse {
		m.path = allPossibleCPUs
	} else {
		m.path = cpuInfo
	}

	set, err := m.doExecute()
	if err != nil {
		return Errorf("Execute failed: %v", err)
	}

	// postMitigate only runs when the caller supplied extra data for it.
	if m.data != "" {
		if err := m.postMitigate(set); err != nil {
			return Errorf("Post Mitigate failed: %v", err)
		}
	}
	return subcommands.ExitSuccess
}
// doExecute reads m.path and runs either the mitigation (doMitigate) or its
// reversal (doReverse) on the file contents, depending on m.reverse. It
// returns the CPUSet that was acted on so Execute can hand it to
// postMitigate. In dry-run mode it only announces that nothing will change;
// the per-thread skipping happens inside doMitigate/doReverse.
func (m *Mitigate) doExecute() (mitigate.CPUSet, error) {
	if m.dryRun {
		log.Infof("Running with DryRun. No cpu settings will be changed.")
	}

	contents, err := ioutil.ReadFile(m.path)
	if err != nil {
		return nil, fmt.Errorf("failed to read %s: %w", m.path, err)
	}

	var set mitigate.CPUSet
	switch {
	case m.reverse:
		if set, err = m.doReverse(contents); err != nil {
			return nil, fmt.Errorf("reverse operation failed: %w", err)
		}
	default:
		if set, err = m.doMitigate(contents); err != nil {
			return nil, fmt.Errorf("mitigate operation failed: %w", err)
		}
	}
	return set, nil
}
// doMitigate applies the MDS mitigation described by data (normally the
// contents of /proc/cpuinfo): it builds a CPUSet, logs it, and takes every
// thread on the set's shutdown list offline through the thread's Disable
// method. With dryRun set the threads are only logged.
//
// The loop stops at the first Disable error and returns it, so on failure
// some threads may already be offline while others are still running.
// "Shutdown successful." is also logged in a dry run, since nothing was
// attempted and therefore nothing failed.
func (m *Mitigate) doMitigate(data []byte) (mitigate.CPUSet, error) {
	set, err := mitigate.NewCPUSet(data)
	if err != nil {
		return nil, err
	}

	log.Infof("Mitigate found the following CPUs...")
	log.Infof("%s", set)

	log.Infof("Disabling threads on thread pairs.")
	for _, thread := range set.GetShutdownList() {
		log.Infof("Disable thread: %s", thread)
		if !m.dryRun {
			if disableErr := thread.Disable(); disableErr != nil {
				return nil, fmt.Errorf("error disabling thread: %s err: %w", thread, disableErr)
			}
		}
	}
	log.Infof("Shutdown successful.")
	return set, nil
}
// doReverse undoes the mitigation: data (normally the contents of
// /sys/devices/system/cpu/possible) is turned into a CPUSet and every thread
// on the set's remaining list is brought back online through the thread's
// Enable method. With dryRun set the threads are only logged.
//
// As in doMitigate, the first Enable error aborts the loop, so a failure can
// leave the system partially re-enabled; "Enable successful." is logged in a
// dry run as well.
func (m *Mitigate) doReverse(data []byte) (mitigate.CPUSet, error) {
	set, err := mitigate.NewCPUSetFromPossible(data)
	if err != nil {
		return nil, err
	}

	log.Infof("Reverse mitigate found the following CPUs...")
	log.Infof("%s", set)

	log.Infof("Enabling all CPUs...")
	for _, thread := range set.GetRemainingList() {
		log.Infof("Enabling thread: %s", thread)
		if !m.dryRun {
			if enableErr := thread.Enable(); enableErr != nil {
				return nil, fmt.Errorf("error enabling thread: %s err: %w", thread, enableErr)
			}
		}
	}
	log.Infof("Enable successful.")
	return set, nil
}