Security: Add nospectre_v1 to the default setting

Most of the v1 mitigation is baked into the kernel and not optional. The swapgs barriers are, however, optional. They have a negative performance impact so we disable them by using the nospectre_v1 kernel bootarg. Change-Id: Idd806e76f3204c6bce7aae9dfdcd455566fdc795 Partial-Bug: 1860193 Depends-On: https://review.opendev.org/#/c/704406 Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
2020-01-27 16:08:48 -05:00
parent ae1e45e00e
commit 792ea357e2
2 changed files with 2 additions and 2 deletions
--- a/playbookconfig/centos/build_srpm.data
+++ b/playbookconfig/centos/build_srpm.data
@@ -1,2 +1,2 @@
 SRC_DIR="src"
-TIS_PATCH_VER=8
+TIS_PATCH_VER=9
--- a/playbookconfig/src/playbooks/roles/bootstrap/persist-config/vars/main.yml
+++ b/playbookconfig/src/playbooks/roles/bootstrap/persist-config/vars/main.yml
@@ -2,7 +2,7 @@
 keyring_workdir: /tmp/python_keyring
 docker_proxy_conf: /etc/systemd/system/docker.service.d/http-proxy.conf
 minimum_root_disk_size: 240
-default_security_feature: "nopti nospectre_v2"
+default_security_feature: "nopti nospectre_v2 nospectre_v1"
 temp_ssl_ca: "/tmp/ca-cert.pem"
 ssl_ca_complete_flag: /etc/platform/.ssl_ca_complete
 region_config: no