erichte-ibm / conga

A System Configuration Gatherer
Apache License 2.0

Rework collectors into single vs group, implement CPU vulnerability mitigations collector #29

Open erichte-ibm opened 2 years ago

erichte-ibm commented 2 years ago

While attempting to implement a collector for CPU vulnerability mitigations, it became clear that not all tags can be determined at runtime. For example, not all kernel versions have the same list of mitigations; the list will likely grow with each new kernel version. Updating conga to support each of these new mitigations is tedious and would require constant maintenance.

Instead, this PR introduces a new concept of SingleCollector versus GroupCollector.

A SingleCollector is exactly as it sounds: it collects a single resulting value, and it is up to the caller to associate the full tag with the resulting value. For example, the SingleCollector for fetching the number of CPU cores associates the tag "cpu.cores" with the result of the function cpu::get_cores() -> Result<CollectorValue, ...>. Note that the function returns a single value in its Result<..>.

A GroupCollector instead expects multiple results, and associates all of the results under one shared tag. The GroupCollector function instead returns a Result<Vec<(String, CollectorValue)>, ...>. The tuple contains a sub-tag, and the corresponding value.

So taking a look at the CPU vuln mitigations, here is the GroupCollector:

```rust
// As defined in the PLATFORM table
GroupCollector { tag: "security.vulnerability", func: security::get_vulnerabilities }

// Function signature
pub fn get_vulnerabilities(_col: &mut Collector) -> Result<Vec<(String, CollectorValue)>, CollectorErr>
```

and the output looks something like this:

```json
  "security.vulnerability.itlb_multihit": "KVM: Mitigation: VMX disabled",
  "security.vulnerability.l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
  "security.vulnerability.mds": "Mitigation: Clear CPU buffers; SMT vulnerable",
  "security.vulnerability.meltdown": "Mitigation: PTI",
  "security.vulnerability.spec_store_bypass": "Mitigation: Speculative Store Bypass disabled via prctl",
  "security.vulnerability.spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
  "security.vulnerability.spectre_v2": "Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling",
  "security.vulnerability.srbds": "Mitigation: Microcode",
  "security.vulnerability.tsx_async_abort": "Mitigation: TSX disabled",
```
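As an added example (not conga's own code, and not part of this PR) of the GroupCollector body described above: it reads one status file per vulnerability from a directory laid out like /sys/devices/system/cpu/vulnerabilities/, so the sub-tags are discovered at runtime rather than hard-coded, and the caller prefixes them with the group tag. CollectorValue, CollectorErr, get_vulnerabilities_from, expand_group, unmitigated and sample_dir are assumed names and stand-in types, not the project's; sample_dir builds a constructed directory so the code runs offline.

```rust
// Added example, not conga's own code. CollectorValue, CollectorErr and the function
// names are assumed stand-ins; sample_dir() builds a constructed copy of the sysfs layout.
use std::fs;
use std::path::{Path, PathBuf};
#[derive(Debug, Clone, PartialEq)]
pub enum CollectorValue { Str(String) }
pub type CollectorErr = std::io::Error;

/// GroupCollector body: each file under /sys/devices/system/cpu/vulnerabilities/ yields
/// (file name as sub-tag, trimmed contents as value); new kernel mitigations need no code change.
pub fn get_vulnerabilities_from(dir: &Path) -> Result<Vec<(String, CollectorValue)>, CollectorErr> {
    let mut out = Vec::new();
    for entry in fs::read_dir(dir)? {
        let entry = entry?;
        if !entry.file_type()?.is_file() { continue; }
        let sub_tag = entry.file_name().to_string_lossy().into_owned();
        let text = fs::read_to_string(entry.path())?.trim().to_string();
        out.push((sub_tag, CollectorValue::Str(text)));
    }
    out.sort_by(|a, b| a.0.cmp(&b.0)); // deterministic order for diffing across hosts
    Ok(out)
}

/// The caller's side of a GroupCollector: prefix every sub-tag with the group tag.
pub fn expand_group(tag: &str, results: &[(String, CollectorValue)]) -> Vec<(String, CollectorValue)> {
    results.iter().map(|(k, v)| (format!("{}.{}", tag, k), v.clone())).collect()
}

/// Sub-tags whose status the kernel reports as "Vulnerable" (no mitigation active).
pub fn unmitigated(results: &[(String, CollectorValue)]) -> Vec<String> {
    results.iter()
        .filter(|(_, v)| matches!(v, CollectorValue::Str(s) if s.starts_with("Vulnerable")))
        .map(|(k, _)| k.clone()).collect()
}

/// Constructed stand-in for the sysfs directory with three sample status files.
pub fn sample_dir() -> PathBuf {
    let dir = std::env::temp_dir().join(format!("conga_vulns_{}", std::process::id()));
    fs::create_dir_all(&dir).unwrap();
    fs::write(dir.join("meltdown"), "Mitigation: PTI\n").unwrap();
    fs::write(dir.join("mds"), "Vulnerable: Clear CPU buffers attempted, no microcode\n").unwrap();
    fs::write(dir.join("srbds"), "Mitigation: Microcode\n").unwrap();
    dir
}

fn main() {
    let group = get_vulnerabilities_from(&sample_dir()).unwrap();
    for (t, v) in expand_group("security.vulnerability", &group) { println!("{}: {:?}", t, v); }
    println!("unmitigated: {:?}", unmitigated(&group));
}
```

Pointing get_vulnerabilities_from at the real sysfs path gives the same shape of output as the listing above, and unmitigated() gives an inventory script a one-line "anything still exposed?" check.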
erichte-ibm commented 2 years ago

This is somewhat out of scope for the original intent of this pull request (which was to address CPU vuln mitigations), but the work started by this PR may also lead to addressing #20