mirrors/talos
1
0
Fork 0
mirror of https://github.com/siderolabs/talos.git synced 2025-08-19 21:51:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

feat(init): enforce KSPP kernel parameters (#585)

Browse Source 
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This commit is contained in:
Andrew Rynhard 2019-04-28 13:12:07 -07:00 committed by GitHub
parent ea99788ef1
commit 020d11d4ba
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 48 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
internal/app/init/internal/security/kspp/kspp.go Normal file
View File

@ -0,0 +1,42 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
package kspp
import (
"github.com/hashicorp/go-multierror"
"github.com/pkg/errors"
"github.com/talos-systems/talos/internal/pkg/kernel"
)
// RequiredKSPPKernelParameters is the set of kernel parameters required to
// satisfy the KSPP.
// # TODO(andrewrynhard): Add slub_debug=P. See https://github.com/talos-systems/talos/pull/157.
var RequiredKSPPKernelParameters = map[string]string{"page_poison": "1", "slab_nomerge": "", "pti": "on"}
// EnforceKSPPKernelParameters verifies that all required KSPP kernel
// parameters are present with the right value.
func EnforceKSPPKernelParameters() error {
arguments, err := kernel.ParseProcCmdline()
if err != nil {
return err
}
var result *multierror.Error
for param, expected := range RequiredKSPPKernelParameters {
var (
ok bool
val string
)
if val, ok = arguments[param]; !ok {
result = multierror.Append(result, errors.Errorf("KSPP kernel parameter %s is required", param))
continue
}
if val != expected {
result = multierror.Append(result, errors.Errorf("KSPP kernel parameter %s was found with value %s, expected %s", param, val, expected))
}
}
return result.ErrorOrNil()
}

6
internal/app/init/main.go
View File

@ -22,6 +22,7 @@ import (
"github.com/talos-systems/talos/internal/app/init/internal/reg" "github.com/talos-systems/talos/internal/app/init/internal/reg"
"github.com/talos-systems/talos/internal/app/init/internal/rootfs" "github.com/talos-systems/talos/internal/app/init/internal/rootfs"
"github.com/talos-systems/talos/internal/app/init/internal/rootfs/mount" "github.com/talos-systems/talos/internal/app/init/internal/rootfs/mount"
"github.com/talos-systems/talos/internal/app/init/internal/security/kspp"
"github.com/talos-systems/talos/internal/app/init/pkg/network" "github.com/talos-systems/talos/internal/app/init/pkg/network"
"github.com/talos-systems/talos/internal/app/init/pkg/system" "github.com/talos-systems/talos/internal/app/init/pkg/system"
ctrdrunner "github.com/talos-systems/talos/internal/app/init/pkg/system/runner/containerd" ctrdrunner "github.com/talos-systems/talos/internal/app/init/pkg/system/runner/containerd"
@ -124,6 +125,11 @@ func initram() (err error) {
if err != nil { if err != nil {
return err return err
} }
// Enforce KSPP kernel parameters.
log.Println("checking for KSPP kernel parameters")
if err = kspp.EnforceKSPPKernelParameters(); err != nil {
return err
}
// Discover the platform. // Discover the platform.
log.Println("discovering the platform") log.Println("discovering the platform")
var p platform.Platform var p platform.Platform