commit | 91a54658e79d142c60999331197ab9ece80f3b97 | [log] [tgz] |
---|---|---|
author | Robert Kolchmeyer <rkolchmeyer@google.com> | Tue Aug 08 10:33:37 2023 -0700 |
committer | Robert Kolchmeyer <rkolchmeyer@google.com> | Tue Aug 08 18:51:52 2023 +0000 |
tree | 18cbbdeaf917300c5cd37fe713f0bb86b7c96a38 | |
parent | d954ff5bf7758f277020c4a7fd401f86a613b105 [diff] |
Add script to enable IBPB on COS VMs.

`retbleed=ibpb` will fully mitigate the Inception vulnerability in AMD processors after microcode updates are applied. Users can use this script to choose to apply this mitigation.

`retbleed=ibpb` has a substantial performance penalty; in our experience, it is by far the worst out of all speculative execution vulnerability mitigations (~50%, up to ~80% in one benchmark). There is still uncertainty in whether an alternative mitigation will be sent to Linux mailing lists or not.

References:
- https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7005.html
- https://comsec.ethz.ch/research/microarch/inception/

BUG=b/295020291
TEST=Create N2D VM with this script in startup-script metadata; ssh in and check /sys/devices/system/cpu/vulnerabilities/retbleed

Change-Id: Icf044c43c28a1222d0f511c475e85654dd3f794b
Reviewed-on: https://cos-review.googlesource.com/c/cos/tools/+/54167
Cloud-Build: GCB Service account <228075978874@cloudbuild.gserviceaccount.com>
Tested-by: Robert Kolchmeyer <rkolchmeyer@google.com>
Reviewed-by: Oleksandr Tymoshenko <ovt@google.com>
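The TEST line above verifies the mitigation by reading the retbleed sysfs entry by hand. The POSIX shell helper below is an added example, not the script this commit adds and not part of cos/tools: it classifies the status strings the kernel writes to that file, checks `/proc/cmdline` for the `retbleed=ibpb` token, and only reports success when the kernel actually applied IBPB (the parameter can be present while the kernel falls back or reports "Vulnerable", for instance when microcode lacks IBPB support). The status patterns follow the strings the upstream x86 kernel emits; the `--check-host` flag and function names are this example's own.

```shell
#!/bin/sh
# Added example (not the commit's script): inspect the retbleed mitigation
# state the kernel reports and whether retbleed=ibpb was passed at boot.

RETBLEED_SYSFS=/sys/devices/system/cpu/vulnerabilities/retbleed

# classify_retbleed STATUS
# Maps the one-line sysfs status to: not-affected, mitigated-ibpb,
# mitigated-other, vulnerable or unknown. Patterns follow the strings
# the upstream kernel (arch/x86/kernel/cpu/bugs.c) writes to the file.
classify_retbleed() {
    case "$1" in
        "Not affected")      echo "not-affected" ;;
        "Mitigation: IBPB")  echo "mitigated-ibpb" ;;
        Mitigation:*)        echo "mitigated-other" ;;
        Vulnerable*)         echo "vulnerable" ;;
        *)                   echo "unknown" ;;
    esac
}

# cmdline_has_ibpb CMDLINE
# Succeeds only if retbleed=ibpb is present as a whole token (so
# retbleed=ibpb_x or a substring inside another value does not match).
# Runs in a subshell with globbing off so tokens like '*' are not expanded.
cmdline_has_ibpb() (
    set -f
    for tok in $1; do
        if [ "$tok" = "retbleed=ibpb" ]; then
            exit 0
        fi
    done
    exit 1
)

# evaluate STATUS CMDLINE
# Prints one verdict line. Returns 0 when the kernel reports IBPB active
# or the CPU as not affected; returns 1 otherwise, including the case
# where retbleed=ibpb was requested but the kernel did not apply it.
evaluate() {
    status=$1
    cmdline=$2
    class=$(classify_retbleed "$status")
    if cmdline_has_ibpb "$cmdline"; then
        booted="retbleed=ibpb present on cmdline"
    else
        booted="retbleed=ibpb absent from cmdline"
    fi
    echo "retbleed: $status [$class]; $booted"
    case "$class" in
        mitigated-ibpb|not-affected) return 0 ;;
        *) return 1 ;;
    esac
}

# check_host: read the live sysfs entry and /proc/cmdline on this machine.
check_host() {
    if [ ! -r "$RETBLEED_SYSFS" ] || [ ! -r /proc/cmdline ]; then
        echo "cannot read $RETBLEED_SYSFS or /proc/cmdline (not an x86 Linux host?)" >&2
        return 2
    fi
    evaluate "$(cat "$RETBLEED_SYSFS")" "$(cat /proc/cmdline)"
}

# Only touch the live host when asked, so the file can also be sourced.
if [ "${1:-}" = "--check-host" ]; then
    check_host
fi
```

Run it on a VM as `sh retbleed-check.sh --check-host` (hypothetical file name); a non-zero exit means the full IBPB mitigation the commit describes is not in effect, which is the condition worth alerting on after applying the startup script.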
This is a repository of various tools developed for Container-Optimized OS. Examples include cos-gpu-installer, cos-toolbox, etc.
See CONTRIBUTING.md for how to contribute.