feat(init): enforce KSPP kernel parameters (#585)

Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
2025-08-19 21:51:12 +02:00 · 2019-04-28 13:12:07 -07:00 · 2019-04-28 13:12:07 -07:00 · 020d11d4ba
commit 020d11d4ba
parent ea99788ef1
2 changed files with 48 additions and 0 deletions
--- a/internal/app/init/internal/security/kspp/kspp.go
+++ b/internal/app/init/internal/security/kspp/kspp.go
@ -0,0 +1,42 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+package kspp
+
+import (
+	"github.com/hashicorp/go-multierror"
+	"github.com/pkg/errors"
+	"github.com/talos-systems/talos/internal/pkg/kernel"
+)
+
+// RequiredKSPPKernelParameters is the set of kernel parameters required to
+// satisfy the KSPP.
+// # TODO(andrewrynhard): Add slub_debug=P. See https://github.com/talos-systems/talos/pull/157.
+var RequiredKSPPKernelParameters = map[string]string{"page_poison": "1", "slab_nomerge": "", "pti": "on"}
+
+// EnforceKSPPKernelParameters verifies that all required KSPP kernel
+// parameters are present with the right value.
+func EnforceKSPPKernelParameters() error {
+	arguments, err := kernel.ParseProcCmdline()
+	if err != nil {
+		return err
+	}
+
+	var result *multierror.Error
+	for param, expected := range RequiredKSPPKernelParameters {
+		var (
+			ok  bool
+			val string
+		)
+		if val, ok = arguments[param]; !ok {
+			result = multierror.Append(result, errors.Errorf("KSPP kernel parameter %s is required", param))
+			continue
+		}
+		if val != expected {
+			result = multierror.Append(result, errors.Errorf("KSPP kernel parameter %s was found with value %s, expected %s", param, val, expected))
+		}
+	}
+
+	return result.ErrorOrNil()
+}
--- a/internal/app/init/main.go
+++ b/internal/app/init/main.go
@ -22,6 +22,7 @@ import (
 	"github.com/talos-systems/talos/internal/app/init/internal/reg"
 	"github.com/talos-systems/talos/internal/app/init/internal/rootfs"
 	"github.com/talos-systems/talos/internal/app/init/internal/rootfs/mount"
+	"github.com/talos-systems/talos/internal/app/init/internal/security/kspp"
 	"github.com/talos-systems/talos/internal/app/init/pkg/network"
 	"github.com/talos-systems/talos/internal/app/init/pkg/system"
 	ctrdrunner "github.com/talos-systems/talos/internal/app/init/pkg/system/runner/containerd"
@ -124,6 +125,11 @@ func initram() (err error) {
 	if err != nil {
 		return err
 	}
+	// Enforce KSPP kernel parameters.
+	log.Println("checking for KSPP kernel parameters")
+	if err = kspp.EnforceKSPPKernelParameters(); err != nil {
+		return err
+	}
 	// Discover the platform.
 	log.Println("discovering the platform")
 	var p platform.Platform