Spectre/meltdown kernel options controllable by customer
Implements customer configuration of the Spectre/Meltdown-related kernel options. The default (with the "nopti nospectre_v2" options) can be changed to "" using system modify -S spectre_meltdown_all Change-Id: I183a22fa681e6524415558c0009aa8786418cc07 Signed-off-by: Jack Ding <jack.ding@windriver.com>
parent
c038b1a9a7
commit
fba0ef3f7c
@ -86,8 +86,16 @@ if [[ "$subfunction" =~ lowlatency ]]; then
|
||||
KERN_OPTS="${KERN_OPTS} skew_tick=1"
|
||||
fi
|
||||
|
||||
# spectre options
|
||||
KERN_OPTS="${KERN_OPTS} nopti nospectre_v2"
|
||||
# If the installer asked us to use security related kernel params, use
|
||||
# them in the grub line as well (until they can be configured via puppet)
|
||||
grep -q 'nopti' /proc/cmdline
|
||||
if [ $? -eq 0 ]; then
|
||||
KERN_OPTS="${KERN_OPTS} nopti"
|
||||
fi
|
||||
grep -q 'nospectre_v2' /proc/cmdline
|
||||
if [ $? -eq 0 ]; then
|
||||
KERN_OPTS="${KERN_OPTS} nospectre_v2"
|
||||
fi
|
||||
|
||||
perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub
|
||||
|
||||
|
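Review bot: The new `grep -q 'nopti' /proc/cmdline` and `grep -q 'nospectre_v2' /proc/cmdline` checks match substrings, so an installer argument that merely contains one of those strings would cause the flag to be written to the persistent GRUB line. Matching whole words and testing the command directly is tighter, e.g. `if grep -qw nopti /proc/cmdline; then`. Because these two flags turn off the Meltdown (page-table isolation) and Spectre v2 mitigations, a `logger` line recording which of them were carried over would give operators an audit trail for hosts that boot unmitigated. The same block appears in the next two file sections (hunks `-26,8 +26,16` and `-20,8 +20,16`), and the point applies there as well.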
@ -26,8 +26,16 @@ fi
|
||||
|
||||
KERN_OPTS="${KERN_OPTS} cgroup_disable=memory"
|
||||
|
||||
# spectre options
|
||||
KERN_OPTS="${KERN_OPTS} nopti nospectre_v2"
|
||||
# If the installer asked us to use security related kernel params, use
|
||||
# them in the grub line as well (until they can be configured via puppet)
|
||||
grep -q 'nopti' /proc/cmdline
|
||||
if [ $? -eq 0 ]; then
|
||||
KERN_OPTS="${KERN_OPTS} nopti"
|
||||
fi
|
||||
grep -q 'nospectre_v2' /proc/cmdline
|
||||
if [ $? -eq 0 ]; then
|
||||
KERN_OPTS="${KERN_OPTS} nospectre_v2"
|
||||
fi
|
||||
|
||||
perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub
|
||||
|
||||
|
@ -20,8 +20,16 @@ fi
|
||||
|
||||
KERN_OPTS="${KERN_OPTS} cgroup_disable=memory"
|
||||
|
||||
# spectre options
|
||||
KERN_OPTS="${KERN_OPTS} nopti nospectre_v2"
|
||||
# If the installer asked us to use security related kernel params, use
|
||||
# them in the grub line as well (until they can be configured via puppet)
|
||||
grep -q 'nopti' /proc/cmdline
|
||||
if [ $? -eq 0 ]; then
|
||||
KERN_OPTS="${KERN_OPTS} nopti"
|
||||
fi
|
||||
grep -q 'nospectre_v2' /proc/cmdline
|
||||
if [ $? -eq 0 ]; then
|
||||
KERN_OPTS="${KERN_OPTS} nospectre_v2"
|
||||
fi
|
||||
|
||||
perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub
|
||||
|
||||
|
@ -30,6 +30,7 @@ Arguments:
|
||||
-u <tisnotify url> : Base url for TIS install progress notification
|
||||
-s <mode> : Specify Security Profile mode (optional)
|
||||
-T <tboot value> : Specify whether or not to use tboot (optional)
|
||||
-k <kernel args> : Specify any extra kernel boot arguments (optional)
|
||||
|
||||
EOF
|
||||
}
|
||||
@ -71,7 +72,7 @@ function generate_config()
|
||||
parms=$@
|
||||
logger -t $0 " $parms"
|
||||
|
||||
while getopts "i:o:tgc:b:r:u:s:T:h" opt
|
||||
while getopts "i:o:tgc:b:r:u:s:T:k:h" opt
|
||||
do
|
||||
case $opt in
|
||||
i)
|
||||
@ -109,6 +110,9 @@ do
|
||||
T)
|
||||
tboot=$OPTARG
|
||||
;;
|
||||
k)
|
||||
kernal_extra_args=$OPTARG
|
||||
;;
|
||||
h)
|
||||
usage
|
||||
exit 1
|
||||
@ -158,6 +162,11 @@ then
|
||||
APPEND_OPTIONS="$APPEND_OPTIONS security_profile=$security_profile"
|
||||
fi
|
||||
|
||||
if [ -n "$kernal_extra_args" ]
|
||||
then
|
||||
APPEND_OPTIONS="$APPEND_OPTIONS $kernal_extra_args"
|
||||
fi
|
||||
|
||||
generate_config $input_file $output_file
|
||||
|
||||
# for extended security profile UEFI boot only,
|
||||
|
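Review bot: The value of the new `-k` option is appended to `APPEND_OPTIONS` verbatim, so whatever string the caller supplies ends up on the kernel command line of the generated boot configuration. Going by the other files in this commit, `nopti` or `nospectre_v2` found there are later copied into the installed system's GRUB line. A check before the append would keep this to the intended use, for example rejecting control characters with `case "$kernal_extra_args" in *[![:print:]]*) usage; exit 1 ;; esac`, or accepting only an explicit list of permitted arguments. The variable is also spelled `kernal_extra_args`; `kernel_extra_args` would be easier to search for. The option-parsing loop and the code around the append start and end outside the visible hunks, so validation elsewhere cannot be ruled out.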