From 020d11d4ba29b0f1e8c1e133556c597421c20986 Mon Sep 17 00:00:00 2001
From: Andrew Rynhard
Date: Sun, 28 Apr 2019 13:12:07 -0700
Subject: [PATCH] feat(init): enforce KSPP kernel parameters (#585)

Signed-off-by: Andrew Rynhard
---
 .../app/init/internal/security/kspp/kspp.go | 42 +++++++++++++++++++
 internal/app/init/main.go | 6 +++
 2 files changed, 48 insertions(+)
 create mode 100644 internal/app/init/internal/security/kspp/kspp.go

diff --git a/internal/app/init/internal/security/kspp/kspp.go b/internal/app/init/internal/security/kspp/kspp.go
new file mode 100644
index 000000000..375db2205
--- /dev/null
+++ b/internal/app/init/internal/security/kspp/kspp.go
@@ -0,0 +1,42 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+package kspp
+
+import (
+ "github.com/hashicorp/go-multierror"
+ "github.com/pkg/errors"
+ "github.com/talos-systems/talos/internal/pkg/kernel"
+)
+
+// RequiredKSPPKernelParameters is the set of kernel parameters required to
+// satisfy the KSPP.
+// # TODO(andrewrynhard): Add slub_debug=P. See https://github.com/talos-systems/talos/pull/157.
+var RequiredKSPPKernelParameters = map[string]string{"page_poison": "1", "slab_nomerge": "", "pti": "on"}
+
+// EnforceKSPPKernelParameters verifies that all required KSPP kernel
+// parameters are present with the right value.
+func EnforceKSPPKernelParameters() error {
+ arguments, err := kernel.ParseProcCmdline()
+ if err != nil {
+ return err
+ }
+
+ var result *multierror.Error
+ for param, expected := range RequiredKSPPKernelParameters {
+ var (
+ ok bool
+ val string
+ )
+ if val, ok = arguments[param]; !ok {
+ result = multierror.Append(result, errors.Errorf("KSPP kernel parameter %s is required", param))
+ continue
+ }
+ if val != expected {
+ result = multierror.Append(result, errors.Errorf("KSPP kernel parameter %s was found with value %s, expected %s", param, val, expected))
+ }
+ }
+
+ return result.ErrorOrNil()
+}
diff --git a/internal/app/init/main.go b/internal/app/init/main.go
index 71eb8f000..798567031 100644
--- a/internal/app/init/main.go
+++ b/internal/app/init/main.go
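Review bot: The mismatch message in the `val != expected` branch formats both values with `%s`, so for `slab_nomerge`, whose expected value is the empty string, a wrong value would be reported as `expected ` with nothing after it; `%q` makes both ends of the message unambiguous: `errors.Errorf("KSPP kernel parameter %s was found with value %q, expected %q", param, val, expected)`. The presence check also depends on `kernel.ParseProcCmdline` mapping a bare `slab_nomerge` flag to `""` rather than dropping it, which is worth confirming against that helper since it is outside this diff. Because the loop ranges over a map, the order of the joined errors varies between runs; iterating over sorted keys would make the failure message stable for logs and tests. The pre-declared `ok`/`val` block can be replaced by `val, ok := arguments[param]` followed by `if !ok {`. A doc line such as `// Note: this verifies the boot command line only; it does not confirm the running kernel was built with the options these parameters control.` would tell readers what the check does and does not establish.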
@@ -22,6 +22,7 @@ import (
 "github.com/talos-systems/talos/internal/app/init/internal/reg"
 "github.com/talos-systems/talos/internal/app/init/internal/rootfs"
 "github.com/talos-systems/talos/internal/app/init/internal/rootfs/mount"
+ "github.com/talos-systems/talos/internal/app/init/internal/security/kspp"
 "github.com/talos-systems/talos/internal/app/init/pkg/network"
 "github.com/talos-systems/talos/internal/app/init/pkg/system"
 ctrdrunner "github.com/talos-systems/talos/internal/app/init/pkg/system/runner/containerd"
@@ -124,6 +125,11 @@ func initram() (err error) {
 if err != nil {
 return err
 }
+ // Enforce KSPP kernel parameters.
+ log.Println("checking for KSPP kernel parameters")
+ if err = kspp.EnforceKSPPKernelParameters(); err != nil {
+ return err
+ }
 // Discover the platform.
 log.Println("discovering the platform")
 var p platform.Platform
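Review bot: The new call in the second hunk presumably reads /proc/cmdline through `kernel.ParseProcCmdline`, so it is correct only if procfs is already mounted by the steps above it in `initram`, whose body starts and ends outside the hunk and which the diff does not show; worth confirming, since a missing /proc would surface as a read error rather than a clear "parameter absent" failure. Returning the error here appears to abort init before platform discovery, which looks intentional but is not stated; the comment could say so: `// Enforce KSPP kernel parameters; a missing or wrong parameter is fatal to init.`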