- Enable RETPOLINE by default. Note, however, this will
only be used if the compiler supports it.
- Enable sysfs interface for vulnerabilities
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The 4.4.14 has a number of important fixes/additions:
- New support for retpolines (enabled but requires newer gcc
to take advantage of). This provides mitigation for Spectre
style attacks.
- Various KPTI fixes including fixes for EFI booting
- More eBPF fixes around out-of-bounds and overflow of
maps. These were used for variant 1 of CVE-2017-5753.
- Several KVM related to CVE-2017-5753, CVE-2017-5715,
CVE-2017-17741.
- New sysfs interface listing vulnerabilities:
/sys/devices/system/cpu/vulnerabilities
The 4.9.77 kernel also has seems to have most/all of the above
back-ported.
See https://lwn.net/SubscriberLink/744287/1fc3c18173f732e7/
for more details on the Spectre mitigation.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This adds a namespace field to override the LinuxKit containerd
default namespace, in case you want to run a container in another
namespace.
Needs a patch in LinuxKit to implement this that I will open soon.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
If the flag is set on push, then the image will have the license
set to enabled the currently experimental netsted virtualisation
feature. The flag currently also needs to be set on run to make
sure the right CPU model (at least Haswell) is selected.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Annotations do not do anything by default but get passed through to the runtime,
which can be useful. I never metadata I didn't like...
Also fix sysctl to be a map in the validation, not an array. I can't see any
examples using this in LinuxKit, but this matches OCI so is correct.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This package is primarily for users of custom or foreign
kernels which may have drivers enabled for which the
'firmware' package does not contain the firmware blobs.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This new 'firmware' package contains the firmware blobs required
by the device drivers in a LinuxKit kernel. The list of required
blobs is determined by calling 'modinfo' on each module.
We also unconditionally include the AMD CPU microcode and the
licence files.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
go_vet (via https://goreportcard.com/report/github.com/linuxkit/linuxkit)
reported:
error: missing argument for Printf("%v"): format reads arg 2, have only 1 args (vet)
error: wrong number of args for format in Printf call: 2 needed but 3 args (vet)
Signed-off-by: Ian Campbell <ijc@docker.com>
This prepends 'ucode.cpio' to the initrd if present. Padding
should not be necessary as the ucode.cpio should be padded
to the right size.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
For now the backends for the different formats do not yet
use the extracted ucode cpio archive, but '// TODO' are
placed for the backends which should eventually handle it.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This extends the kernel filter to also look for the CPU microcode
file if specified in the YAML. If found, the ucode cpio archive
is placed into the intermediate tar file as '/boot/ucode.cpio'.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This optional option will allow users to specify a CPU
microcode cpio archive to be prepended to the initrd file.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
DOwnload and verify the Intel microcode package and convert it
to a cpio archive which can be prepended to the initrd.
It also adds the license file to the kernel package.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The iucode_tool is used to convert the Intel CPU microcode
binaries into a cpio archive. There is no alpine package
for it, so compile it from source.
This is for x86_64 only and on other archs we create a empty
file.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
