Spectre/meltdown kernel options controllable by customer

Lets the customer configure the kernel boot options that control the
Spectre/Meltdown mitigations.  The default ("nopti nospectre_v2") can be
changed to "" using

system modify -S spectre_meltdown_all

Change-Id: I183a22fa681e6524415558c0009aa8786418cc07
Signed-off-by: Jack Ding <jack.ding@windriver.com>
jmckenna 2018-05-11 14:24:06 -04:00 committed by Jack Ding
parent c038b1a9a7
commit fba0ef3f7c
4 changed files with 40 additions and 7 deletions


@ -86,8 +86,16 @@ if [[ "$subfunction" =~ lowlatency ]]; then
KERN_OPTS="${KERN_OPTS} skew_tick=1"
fi
# spectre options
KERN_OPTS="${KERN_OPTS} nopti nospectre_v2"
# If the installer asked us to use security related kernel params, use
# them in the grub line as well (until they can be configured via puppet)
grep -q 'nopti' /proc/cmdline
if [ $? -eq 0 ]; then
KERN_OPTS="${KERN_OPTS} nopti"
fi
grep -q 'nospectre_v2' /proc/cmdline
if [ $? -eq 0 ]; then
KERN_OPTS="${KERN_OPTS} nospectre_v2"
fi
perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub
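Review bot: The two added `grep -q` checks match their words as substrings anywhere in /proc/cmdline, so any other boot parameter that happens to contain `nopti` or `nospectre_v2` would also cause the mitigation-disabling flags to be written into the installed system's grub line; `if grep -qw 'nopti' /proc/cmdline; then` (and likewise `if grep -qw 'nospectre_v2' /proc/cmdline; then`) restricts the match to a whole word and drops the separate `$?` test. The perl edit on the last line of the hunk then splices `$KERN_OPTS` unchanged into the replacement, which is only safe while every token in it is a literal from this script, as it is here — worth a comment so nobody later feeds it a user-supplied string. The script's earlier part, including whether `set -e` is in force, is outside the hunk.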


@ -26,8 +26,16 @@ fi
KERN_OPTS="${KERN_OPTS} cgroup_disable=memory"
# spectre options
KERN_OPTS="${KERN_OPTS} nopti nospectre_v2"
# If the installer asked us to use security related kernel params, use
# them in the grub line as well (until they can be configured via puppet)
grep -q 'nopti' /proc/cmdline
if [ $? -eq 0 ]; then
KERN_OPTS="${KERN_OPTS} nopti"
fi
grep -q 'nospectre_v2' /proc/cmdline
if [ $? -eq 0 ]; then
KERN_OPTS="${KERN_OPTS} nospectre_v2"
fi
perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub
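Review bot: The ten added lines are byte-for-byte the same block this commit adds to two other files, so the rule for when `nopti`/`nospectre_v2` are carried into the installed grub line now lives in three places and can drift independently. A small sourced helper (say `spectre_passthrough_opts` that echoes each of the two words found in /proc/cmdline) called from each file would keep the policy in one spot and make the "until they can be configured via puppet" note a single TODO to retire. Until then, the comment on the first added line should name that temporary status explicitly, e.g. `# TODO(puppet): temporary pass-through of installer boot flags; remove once sysinv/puppet own these options.` The rest of this script is outside the hunk.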


@ -20,8 +20,16 @@ fi
KERN_OPTS="${KERN_OPTS} cgroup_disable=memory"
# spectre options
KERN_OPTS="${KERN_OPTS} nopti nospectre_v2"
# If the installer asked us to use security related kernel params, use
# them in the grub line as well (until they can be configured via puppet)
grep -q 'nopti' /proc/cmdline
if [ $? -eq 0 ]; then
KERN_OPTS="${KERN_OPTS} nopti"
fi
grep -q 'nospectre_v2' /proc/cmdline
if [ $? -eq 0 ]; then
KERN_OPTS="${KERN_OPTS} nospectre_v2"
fi
perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub
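Review bot: The added block lowers the installed node's security posture whenever the installer itself was booted with `nopti` or `nospectre_v2`, yet the only comment says "the installer asked us", which does not tell a later reader that these two words switch off the kernel's Meltdown (page-table isolation) and Spectre v2 mitigations. A comment above the first `grep`, such as `# SECURITY: nopti and nospectre_v2 turn OFF the kernel's Meltdown (KPTI) and Spectre v2 mitigations. They are carried over only when the installer's own boot line set them, so anyone who can edit that boot line can leave this node unmitigated.`, would make the trade-off visible where the decision is made. The `# spectre options` line above the block reads as if the flags were still unconditional; if it survived the change it should be reworded to match. The rest of the script is outside the hunk.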


@ -30,6 +30,7 @@ Arguments:
-u <tisnotify url> : Base url for TIS install progress notification
-s <mode> : Specify Security Profile mode (optional)
-T <tboot value> : Specify whether or not to use tboot (optional)
-k <kernel args> : Specify any extra kernel boot arguments (optional)
EOF
}
@ -71,7 +72,7 @@ function generate_config()
parms=$@
logger -t $0 " $parms"
while getopts "i:o:tgc:b:r:u:s:T:h" opt
while getopts "i:o:tgc:b:r:u:s:T:k:h" opt
do
case $opt in
i)
@ -109,6 +110,9 @@ do
T)
tboot=$OPTARG
;;
k)
kernal_extra_args=$OPTARG
;;
h)
usage
exit 1
@ -158,6 +162,11 @@ then
APPEND_OPTIONS="$APPEND_OPTIONS security_profile=$security_profile"
fi
if [ -n "$kernal_extra_args" ]
then
APPEND_OPTIONS="$APPEND_OPTIONS $kernal_extra_args"
fi
generate_config $input_file $output_file
# for extended security profile UEFI boot only,
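Review bot: The new `-k` value is appended to `APPEND_OPTIONS` in the last hunk with no validation, so whatever string the caller passes — not only the Spectre/Meltdown toggles this commit is about — lands verbatim in the generated boot configuration (e.g. `init=/bin/sh`, `selinux=0`, or a quote or newline that breaks the append line). If the only intended values are the mitigation toggles, check them against an allow-list; at minimum reject characters that cannot belong to a sane boot argument, e.g. `case "$kernal_extra_args" in *[!A-Za-z0-9_=.,:/ -]*) echo "-k: invalid characters in kernel args" >&2; exit 1;; esac` placed right after the `k)` arm assigns the variable. The name `kernal_extra_args` (three places) is also misspelled; `kernel_extra_args` would match the `-k <kernel args>` usage text. Whether the caller already sanitizes the value is not visible here, and both the getopts loop and the surrounding `if` block begin outside the hunks.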