Add script to enable IBPB on COS VMs.

`retbleed=ibpb` will fully mitigate the Inception vulnerability in AMD
processors after microcode updates are applied. Users can use this
script to choose to apply this mitigation.

`retbleed=ibpb` has a substantial performance penalty; in our
experience, it is by far the worst out of all speculative execution
vulnerability mitigations (~50%, up to ~80% in one benchmark).

There is still uncertainty about whether an alternative mitigation will be
sent to Linux mailing lists or not.

References:
- https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7005.html
- https://comsec.ethz.ch/research/microarch/inception/

BUG=b/295020291
TEST=Create N2D VM with this script in startup-script metadata; ssh in
and check /sys/devices/system/cpu/vulnerabilities/retbleed

Change-Id: Icf044c43c28a1222d0f511c475e85654dd3f794b
Reviewed-on: https://cos-review.googlesource.com/c/cos/tools/+/54167
Cloud-Build: GCB Service account <228075978874@cloudbuild.gserviceaccount.com>
Tested-by: Robert Kolchmeyer <rkolchmeyer@google.com>
Reviewed-by: Oleksandr Tymoshenko <ovt@google.com>
1 file changed
tree: 18cbbdeaf917300c5cd37fe713f0bb86b7c96a38
  coverage/
  release/
  src/
  testing/
  .gitignore
  BUILD.bazel
  cloudbuild.yaml
  CONTRIBUTING.md
  deps.bzl
  go.mod
  go.sum
  LICENSE
  README.md
  run_tests.sh
  WORKSPACE
README.md

Tools for Container-Optimized OS

This is a repository of various tools developed for Container-Optimized OS. Examples include cos-gpu-installer, cos-toolbox, etc.

See CONTRIBUTING.md for how to contribute.