config: Add DisableSpeculationMitigations

It disables speculative execution mitigations in the container. For more information about that, please refer to: opencontainers/runc#2430 Co-Authored-By: Aleksa Sarai <[email protected]> Signed-off-by: Kenta Tada <[email protected]>
KentaTada · Jul 21, 2020 · 7ce4d0a · 7ce4d0a
1 parent 3e4195d
commit 7ce4d0a
Show file tree

Hide file tree

Showing 4 changed files with 62 additions and 0 deletions.
diff --git a/config.md b/config.md
@@ -208,6 +208,23 @@ For Linux-based systems, the `process` object supports the following process-spe
  For more information on how these two settings work together, see [the memory cgroup documentation section 10. OOM Contol][cgroup-v1-memory_2].
 * **`selinuxLabel`** (string, OPTIONAL) specifies the SELinux label for the process.
  For more information about SELinux, see [SELinux documentation][selinux].
+* **`disableSpeculationMitigations`** (object, OPTIONAL) specifies whether CPU speculative execution mitigations should be disabled for the process. Several mitigations are auto-enabled under Linux, and can cause a noticeable performance impact (depending on your workload). Note that enabling this option may reduce the security properties of containers created with this configuration. See [the kernel documentation][speculative-control] for more information.
+ * **`defaultRule`** *(string, REQUIRED)* sets up the default rule to enable or disable the mitigations.
+ * `enable` - The mitigation of speculations without `exceptions` is disabled.
+ * `disable` - The mitigation of speculations without `exceptions` is enabled.
+ * `force-disable` - Same as disable, but it cannot be undone.
+ * `disable-noexec` - Same as disable, but the state will be cleared on execve(2).
+ * **`exceptions`** *(array of objects, OPTIONAL)* - the configuration of specific mitigations.
+ Each entry has the following structure:
+ * **`mitigation`** *(string, REQUIRED)* - the name of specific mitigation.
+ A valid list of mitigations.
+ * `store-bypass` - Speculative Store Bypass
+ * `indirect-branch` - Indirect Branch Speculation in User Processes
+ * **`rule`** *(string, REQUIRED)* - enables or disables the specific mitigation.
+ * `enable` - The mitigation of this particular speculation is disabled.
+ * `disable` - The mitigation of this particular speculation is enabled.
+ * `force-disable` - Same as disable, but it cannot be undone.
+ * `disable-noexec` - Same as disable, but the state will be cleared on execve(2).
 
 ### <a name="configUser" />User
 
@@ -973,3 +990,4 @@ Here is a full example `config.json` for reference.
 [stdin.3]: http://man7.org/linux/man-pages/man3/stdin.3.html
 [uts-namespace.7]: http://man7.org/linux/man-pages/man7/namespaces.7.html
 [zonecfg.1m]: http://docs.oracle.com/cd/E86824_01/html/E54764/zonecfg-1m.html
+[speculative-control]: https://www.kernel.org/doc/html/latest/userspace-api/spec_ctrl.html
diff --git a/schema/config-schema.json b/schema/config-schema.json
@@ -166,6 +166,21 @@
  }
  }
  }
+ },
+ "disableSpeculationMitigations": {
+ "type": "object",
+ "required": [
+ "defaultRule"
+ ],
+ "properties": {
+ "defaultRule": {
+ "type": "string"
+ },
+ "exceptions": {
+ "type": "array",
+ "$ref": "defs.json#/definitions/Exception"
+ }
+ }
  }
  }
  },

diff --git a/schema/defs.json b/schema/defs.json
@@ -153,6 +153,21 @@
  },
  "annotations": {
  "$ref": "#/definitions/mapStringString"
+ },
+ "Exception": {
+ "type": "object",
+ "properties": {
+ "mitigation": {
+ "type": "string"
+ },
+ "rule": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "mitigation",
+ "rule"
+ ]
  }
  }
 }
diff --git a/specs-go/config.go b/specs-go/config.go
@@ -58,6 +58,8 @@ type Process struct {
  OOMScoreAdj *int `json:"oomScoreAdj,omitempty" platform:"linux"`
  // SelinuxLabel specifies the selinux context that the container process is run as.
  SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
+ // DisableSpeculationMitigations disables speculative execution mitigations
+ DisableSpeculationMitigations *LinuxDisableSpeculationMitigations `json:"disableSpeculationMitigations,omitempty" platform:"linux"`
 }
 
 // LinuxCapabilities specifies the whitelist of capabilities that are kept for a process.
@@ -75,6 +77,18 @@ type LinuxCapabilities struct {
  Ambient []string `json:"ambient,omitempty" platform:"linux"`
 }
 
+// LinuxDisableSpeculationMitigations sets up the rule of speculative execution mitigations.
+type LinuxDisableSpeculationMitigations struct {
+ DefaultRule string `json:"defaultRule"`
+ Exceptions []SpecExceptions `json:"exceptions,omitempty"`
+}
+
+// SpecExceptions is used to specify the setting of speculative execution mitigations.
+type SpecExceptions struct {
+ Mitigation string `json:"mitigation"`
+ Rule string `json:"rule"`
+}
+
 // Box specifies dimensions of a rectangle. Used for specifying the size of a console.
 type Box struct {
  // Height is the vertical dimension of a box.