bridge: use mlockall(2) to prevent pages from being swapped out

The extra capability is harmless and is, at worst, a DoS risk.

ghstack-source-id: d30b50dbca
Pull Request resolved: https://github.com/certusone/wormhole/pull/55

bridge/cmd/guardiand/main.go

@@ -7,10 +7,12 @@ import (
 	"net/http"
 	_ "net/http/pprof"
 	"os"
+	"syscall"
 
 	eth_common "github.com/ethereum/go-ethereum/common"
 	"github.com/libp2p/go-libp2p-core/peer"
 	"go.uber.org/zap"
+	"golang.org/x/sys/unix"
 
 	"github.com/certusone/wormhole/bridge/pkg/common"
 	"github.com/certusone/wormhole/bridge/pkg/devnet"
@@ -87,6 +89,15 @@ func main() {
 		fmt.Print(devwarning)
 	}
 
+	// Lock current and future pages in memory to protect secret keys from being swapped out to disk.
+	// It's possible (and strongly recommended) to deploy Wormhole such that keys are only ever
+	// stored in memory and never touch the disk. This is a privileged operation and requires CAP_IPC_LOCK.
+	err := unix.Mlockall(syscall.MCL_CURRENT | syscall.MCL_FUTURE)
+	if err != nil {
+		fmt.Printf("Failed to lock memory: %v (CAP_IPC_LOCK missing?)\n", err)
+		os.Exit(1)
+	}
+
 	// Set up logging. The go-log zap wrapper that libp2p uses is compatible with our
 	// usage of zap in supervisor, which is nice.
 	lvl, err := ipfslog.LevelFromString(*logLevel)

devnet/bridge.yaml

@@ -63,6 +63,11 @@ spec:
             - -unsafeDevMode
 #            - -logLevel
 #            - debug
+          securityContext:
+            capabilities:
+              add:
+                # required for syscall.Mlockall
+                - IPC_LOCK
           ports:
             - containerPort: 8999
               name: p2p