From 509d9c3d73204aab3b8df5babf54063371055bd3 Mon Sep 17 00:00:00 2001
From: Leo
Date: Thu, 22 Oct 2020 16:51:56 +0200
Subject: [PATCH] bridge: use mlockall(2) to prevent pages from being swapped out

The extra capability is harmless and is, at worst, a DoS risk.

ghstack-source-id: d30b50dbca5d75e8280b0394e400f99c1ec529de
Pull Request resolved: https://github.com/certusone/wormhole/pull/55
---
 bridge/cmd/guardiand/main.go | 11 +++++++++++
 devnet/bridge.yaml | 5 +++++
 2 files changed, 16 insertions(+)

diff --git a/bridge/cmd/guardiand/main.go b/bridge/cmd/guardiand/main.go
index 61befde76..478fd088e 100644
--- a/bridge/cmd/guardiand/main.go
+++ b/bridge/cmd/guardiand/main.go
@@ -7,10 +7,12 @@ import (
 "net/http"
 _ "net/http/pprof"
 "os"
+ "syscall"
 
 eth_common "github.com/ethereum/go-ethereum/common"
 "github.com/libp2p/go-libp2p-core/peer"
 "go.uber.org/zap"
+ "golang.org/x/sys/unix"
 
 "github.com/certusone/wormhole/bridge/pkg/common"
 "github.com/certusone/wormhole/bridge/pkg/devnet"
@@ -87,6 +89,15 @@ func main() {
 fmt.Print(devwarning)
 }
 
+ // Lock current and future pages in memory to protect secret keys from being swapped out to disk.
+ // It's possible (and strongly recommended) to deploy Wormhole such that keys are only ever
+ stored in memory and never touch the disk. This is a privileged operation and requires CAP_IPC_LOCK.
+ err := unix.Mlockall(syscall.MCL_CURRENT | syscall.MCL_FUTURE)
+ if err != nil {
+ fmt.Printf("Failed to lock memory: %v (CAP_IPC_LOCK missing?)\n", err)
+ os.Exit(1)
+ }
+
 // Set up logging. The go-log zap wrapper that libp2p uses is compatible with our
 // usage of zap in supervisor, which is nice.
 lvl, err := ipfslog.LevelFromString(*logLevel)
diff --git a/devnet/bridge.yaml b/devnet/bridge.yaml
index 6a5bab358..17a40e5dd 100644
--- a/devnet/bridge.yaml
+++ b/devnet/bridge.yaml
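Review bot: The new call `unix.Mlockall(syscall.MCL_CURRENT | syscall.MCL_FUTURE)` reaches into two packages for one operation; golang.org/x/sys/unix exports the same constants, so `err := unix.Mlockall(unix.MCL_CURRENT | unix.MCL_FUTURE)` does the same job and lets the new `"syscall"` import in the first hunk go away. Locking pages only closes the swap path — a core dump of guardiand would still write key material to disk — so the success path should also disable dumps, e.g. `if err := unix.Prctl(unix.PR_SET_DUMPABLE, 0, 0, 0, 0); err != nil { ... }` handled the same way, and the comment above the call should say which paths to disk it does and does not cover. The failure report uses `fmt.Printf`, i.e. stdout, while the zap logger is only configured further down; `fmt.Fprintf(os.Stderr, "Failed to lock memory: %v (CAP_IPC_LOCK missing?)\n", err)` keeps the diagnostic out of the program's normal output. Because MCL_FUTURE extends the lock to every mapping the runtime creates later, the locked footprint grows with the heap and RLIMIT_MEMLOCK has to stay bypassed for the process lifetime — the DoS trade-off the commit message mentions — which deserves one line in the comment for operators. The body of main continues outside the hunk.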
@@ -63,6 +63,11 @@ spec:
 - -unsafeDevMode
 # - -logLevel
 # - debug
+ securityContext:
+ capabilities:
+ add:
+ # required for syscall.Mlockall
+ - IPC_LOCK
 ports:
 - containerPort: 8999
 name: p2p
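Review bot: The comment `# required for syscall.Mlockall` names a Go wrapper rather than the operation, so it goes stale as soon as the call site switches packages; `# required by guardiand's mlockall(2) call (bridge/cmd/guardiand/main.go)` ties it to the syscall and to the file that needs the capability. IPC_LOCK also lets the process ignore RLIMIT_MEMLOCK, so with MCL_FUTURE the resident footprint is bounded only by the container's memory limit; if this manifest sets none (not visible in the hunk), the comment should say so for whoever copies it into a non-devnet deployment.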