From ea44b36ee34c117ee6f4b4b33b21242fc77f6edd Mon Sep 17 00:00:00 2001 From: Kenta Tada Date: Thu, 28 May 2020 12:59:15 +0900 Subject: [PATCH] config: Add DisableSpeculationMitigations It disables speculative execution mitigations in the container. For more information about that, please refer to: https://github.com/opencontainers/runc/issues/2430 Co-Authored-By: Aleksa Sarai Signed-off-by: Kenta Tada
--- config.md | 18 ++++++++++++++++++ schema/config-schema.json | 15 +++++++++++++++ schema/defs.json | 15 +++++++++++++++ specs-go/config.go | 14 ++++++++++++++ 4 files changed, 62 insertions(+)
diff --git a/config.md b/config.md
index 667bbba58..b450a4856 100644
--- a/config.md
+++ b/config.md
@@ -208,6 +208,23 @@ For Linux-based systems, the `process` object supports the following process-spe
 For more information on how these two settings work together, see [the memory cgroup documentation section 10. OOM Contol][cgroup-v1-memory_2].
 * **`selinuxLabel`** (string, OPTIONAL) specifies the SELinux label for the process. For more information about SELinux, see [SELinux documentation][selinux].
+* **`disableSpeculationMitigations`** (object, OPTIONAL) specifies whether CPU speculative execution mitigations should be disabled for the process. Several mitigations are auto-enabled under Linux, and can cause a noticeable performance impact (depending on your workload). Note that enabling this option may reduce the security properties of containers created with this configuration. See [the kernel documentation][speculative-control] for more information.
+ * **`defaultRule`** *(string, REQUIRED)* sets up the default rule to enable or disable the mitigations.
+ * `enable` - The mitigation of speculations without `exceptions` is disabled.
+ * `disable` - The mitigation of speculations without `exceptions` is enabled.
+ * `force-disable` - Same as disable, but it cannot be undone.
+ * `disable-noexec` - Same as disable, but the state will be cleared on execve(2).
+ * **`exceptions`** *(array of objects, OPTIONAL)* - the configuration of specific mitigations.
+ Each entry has the following structure:
+ * **`mitigation`** *(string, REQUIRED)* - the name of specific mitigation.
+ A valid list of mitigations.
+ * `store-bypass` - Speculative Store Bypass
+ * `indirect-branch` - Indirect Branch Speculation in User Processes
+ * **`rule`** *(string, REQUIRED)* - enables or disables the specific mitigation.
+ * `enable` - The mitigation of this particular speculation is disabled.
+ * `disable` - The mitigation of this particular speculation is enabled.
+ * `force-disable` - Same as disable, but it cannot be undone.
+ * `disable-noexec` - Same as disable, but the state will be cleared on execve(2).
 ### User
@@ -973,3 +990,4 @@ Here is a full example `config.json` for reference.
 [stdin.3]: http://man7.org/linux/man-pages/man3/stdin.3.html
 [uts-namespace.7]: http://man7.org/linux/man-pages/man7/namespaces.7.html
 [zonecfg.1m]: http://docs.oracle.com/cd/E86824_01/html/E54764/zonecfg-1m.html
+[speculative-control]: https://www.kernel.org/doc/html/latest/userspace-api/spec_ctrl.html
diff --git a/schema/config-schema.json b/schema/config-schema.json
index 94923b35a..d19d57ba5 100644
--- a/schema/config-schema.json
+++ b/schema/config-schema.json
@@ -166,6 +166,21 @@
 }
 }
 }
+ },
+ "disableSpeculationMitigations": {
+ "type": "object",
+ "required": [
+ "defaultRule"
+ ],
+ "properties": {
+ "defaultRule": {
+ "type": "string"
+ },
+ "exceptions": {
+ "type": "array",
+ "$ref": "defs.json#/definitions/Exception"
+ }
+ }
 }
 }
 },
diff --git a/schema/defs.json b/schema/defs.json
index 58b07e656..5c5032744 100644
--- a/schema/defs.json
+++ b/schema/defs.json
@@ -153,6 +153,21 @@
 },
 "annotations": {
 "$ref": "#/definitions/mapStringString"
+ },
+ "Exception": {
+ "type": "object",
+ "properties": {
+ "mitigation": {
+ "type": "string"
+ },
+ "rule": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "mitigation",
+ "rule"
+ ]
 }
 }
 }
diff --git a/specs-go/config.go b/specs-go/config.go
index 08af67798..3b8ca89a5 100644
--- a/specs-go/config.go
+++ b/specs-go/config.go
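Review bot: In the config-schema.json hunk the `exceptions` property places `"$ref": "defs.json#/definitions/Exception"` beside `"type": "array"` instead of under `items`, so the reference describes the array itself as an object schema rather than each element. If the schema is draft-04/-07, where every sibling of `$ref` is ignored, the array type is dropped and a config carrying the documented array would be rejected; on validators that do merge siblings the individual entries are still never checked. The fix is `"items": { "$ref": "defs.json#/definitions/Exception" }` in place of the bare `$ref`. `defaultRule` is also only `"type": "string"` although config.md in this same patch enumerates exactly four accepted values; adding `"enum": ["enable", "disable", "force-disable", "disable-noexec"]` lets schema validation reject a misspelling before a runtime has to, which matters here because this field lowers the process's speculation mitigations.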
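Review bot: The new `Exception` definition in defs.json leaves `mitigation` and `rule` as unconstrained strings, while config.md in this patch lists exactly two mitigation names and four rule values; without an `enum` the schema accepts any spelling and the runtime becomes the only place a typo is caught, for a setting that weakens isolation. Proposed: `"mitigation": { "type": "string", "enum": ["store-bypass", "indirect-branch"] }` and `"rule": { "type": "string", "enum": ["enable", "disable", "force-disable", "disable-noexec"] }`. The name `Exception` is also very generic for a shared definitions file; a more specific name would read better, though that would need the `$ref` in config-schema.json updated as well.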
@@ -58,6 +58,8 @@ type Process struct {
 OOMScoreAdj *int `json:"oomScoreAdj,omitempty" platform:"linux"`
 // SelinuxLabel specifies the selinux context that the container process is run as.
 SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
+ // DisableSpeculationMitigations disables speculative execution mitigations
+ DisableSpeculationMitigations *LinuxDisableSpeculationMitigations `json:"disableSpeculationMitigations,omitempty" platform:"linux"`
 }
 // LinuxCapabilities specifies the whitelist of capabilities that are kept for a process.
@@ -75,6 +77,18 @@ type LinuxCapabilities struct {
 Ambient []string `json:"ambient,omitempty" platform:"linux"`
 }
+// LinuxDisableSpeculationMitigations sets up the rule of speculative execution mitigations.
+type LinuxDisableSpeculationMitigations struct {
+ DefaultRule string `json:"defaultRule"`
+ Exceptions []SpecExceptions `json:"exceptions,omitempty"`
+}
+
+// SpecExceptions is used to specify the setting of speculative execution mitigations.
+type SpecExceptions struct {
+ Mitigation string `json:"mitigation"`
+ Rule string `json:"rule"`
+}
+
 // Box specifies dimensions of a rectangle. Used for specifying the size of a console.
 type Box struct {
 // Height is the vertical dimension of a box.
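Review bot: The fields of `LinuxDisableSpeculationMitigations` and `SpecExceptions` in the second hunk carry no doc comment and no `platform:"linux"` tag, unlike `LinuxCapabilities.Ambient` and `Process.SelinuxLabel` in the same file, which document every field and tag it for Linux. The accepted values live only in config.md, and their meaning is easy to invert — per that text `enable` switches a mitigation off and `disable` switches it on — so a field comment that spells this out keeps a reader from taking `enable` for hardening. The type comment should also carry the warning config.md gives, since this option may reduce the security properties of the container. Rewritten structs below; `SpecExceptions` is additionally a plural name for a single element type, but renaming it would touch the `Process` field in the first hunk as well.
```go
// LinuxDisableSpeculationMitigations controls the CPU speculative-execution
// mitigations applied to the container process. Disabling mitigations may
// reduce the security properties of the container; see config.md and the
// kernel spec_ctrl documentation it links.
type LinuxDisableSpeculationMitigations struct {
	// DefaultRule applies to every mitigation not listed in Exceptions:
	// "enable", "disable", "force-disable" or "disable-noexec". Note that
	// "enable" re-enables speculation, i.e. turns the mitigation off.
	DefaultRule string `json:"defaultRule" platform:"linux"`
	// Exceptions override DefaultRule for the mitigations they name.
	Exceptions []SpecExceptions `json:"exceptions,omitempty" platform:"linux"`
}

// SpecExceptions is one per-mitigation override in
// LinuxDisableSpeculationMitigations.Exceptions.
type SpecExceptions struct {
	// Mitigation is the mitigation being overridden: "store-bypass" or "indirect-branch".
	Mitigation string `json:"mitigation" platform:"linux"`
	// Rule takes the same values as DefaultRule and applies only to Mitigation.
	Rule string `json:"rule" platform:"linux"`
}
```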