Security: Allow disabling of spectre v1 swapgs mitigation
Most of the v1 mitigation is baked into the kernel and not
optional. The swapgs barriers are, however, optional.
They have a negative performance impact so we disable them
by using the nospectre_v1 kernel bootarg.
Closes-Bug: 1860193
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
(cherry picked from commit de23dcfd05
)
Conflicts:
sysinv/sysinv/centos/build_srpm.data
tsconfig/tsconfig/tsconfig/tests/test_basics.py
Change-Id: Id913d55ccf585098fa55c3754ebfbf1c7bd5d4e2
parent
19c5060234
commit
7529638659
@ -1,2 +1,2 @@
|
|||||||
SRC_DIR="cgts-client"
|
SRC_DIR="cgts-client"
|
||||||
TIS_PATCH_VER=73
|
TIS_PATCH_VER=74
|
||||||
|
@ -86,7 +86,9 @@ def do_show(cc, args):
|
|||||||
@utils.arg('-S', '--security_feature',
|
@utils.arg('-S', '--security_feature',
|
||||||
metavar='<security_feature>',
|
metavar='<security_feature>',
|
||||||
choices=['spectre_meltdown_v1', 'spectre_meltdown_all'],
|
choices=['spectre_meltdown_v1', 'spectre_meltdown_all'],
|
||||||
help='Use spectre_meltdown_v1 for spectre/meltdown v1 fixes, or spectre_meltdown_all to use all fixes')
|
help='Use spectre_meltdown_v1 to add linux bootargs "nopti '
|
||||||
|
'nospectre_v2 nospectre_v1", or spectre_meltdown_all to not '
|
||||||
|
'add any mitigation disabling bootargs')
|
||||||
def do_modify(cc, args):
|
def do_modify(cc, args):
|
||||||
"""Modify system attributes."""
|
"""Modify system attributes."""
|
||||||
isystems = cc.isystem.list()
|
isystems = cc.isystem.list()
|
||||||
|
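Review bot: The rewritten help for `-S/--security_feature` still leaves it to the reader to work out that `spectre_meltdown_v1` is the less protected choice, since the name reads like "v1 fixes enabled" while the value now also adds `nospectre_v1`. I would state the effect directly, for example `help='spectre_meltdown_v1 disables KPTI, Spectre v2 and the Spectre v1 swapgs barriers (bootargs "nopti nospectre_v2 nospectre_v1"); spectre_meltdown_all keeps all kernel mitigations enabled'`. The bootarg list is repeated here as a literal and also lives in the sysinv constant `SYSTEM_SECURITY_FEATURE_SPECTRE_MELTDOWN_V1_OPTS`, so the two strings can drift apart on the next change; a comment pointing at the constant would help. The body of `do_modify` continues outside this hunk.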
@ -1,2 +1,2 @@
|
|||||||
SRC_DIR="sysinv"
|
SRC_DIR="sysinv"
|
||||||
TIS_PATCH_VER=341
|
TIS_PATCH_VER=342
|
||||||
|
@ -1350,7 +1350,7 @@ GLANCE_REGISTRY_DATA_API = 'glance.db.registry.api'
|
|||||||
|
|
||||||
# kernel options for various security feature selections
|
# kernel options for various security feature selections
|
||||||
SYSTEM_SECURITY_FEATURE_SPECTRE_MELTDOWN_V1 = 'spectre_meltdown_v1'
|
SYSTEM_SECURITY_FEATURE_SPECTRE_MELTDOWN_V1 = 'spectre_meltdown_v1'
|
||||||
SYSTEM_SECURITY_FEATURE_SPECTRE_MELTDOWN_V1_OPTS = 'nopti nospectre_v2'
|
SYSTEM_SECURITY_FEATURE_SPECTRE_MELTDOWN_V1_OPTS = 'nopti nospectre_v2 nospectre_v1'
|
||||||
SYSTEM_SECURITY_FEATURE_SPECTRE_MELTDOWN_ALL = 'spectre_meltdown_all'
|
SYSTEM_SECURITY_FEATURE_SPECTRE_MELTDOWN_ALL = 'spectre_meltdown_all'
|
||||||
SYSTEM_SECURITY_FEATURE_SPECTRE_MELTDOWN_ALL_OPTS = ''
|
SYSTEM_SECURITY_FEATURE_SPECTRE_MELTDOWN_ALL_OPTS = ''
|
||||||
SYSTEM_SECURITY_FEATURE_SPECTRE_MELTDOWN_OPTS = {
|
SYSTEM_SECURITY_FEATURE_SPECTRE_MELTDOWN_OPTS = {
|
||||||
|
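Review bot: Editing `SYSTEM_SECURITY_FEATURE_SPECTRE_MELTDOWN_V1_OPTS` in place changes what the existing `spectre_meltdown_v1` setting means, so a system already configured with it would presumably lose the swapgs barriers the next time its boot arguments are regenerated, without the operator having chosen that. That deserves a release note or an upgrade-time check, because the tsconfig fixtures in this commit suggest the literal bootarg string is what ends up in the platform configuration. The comment above the constants should also say that these options turn mitigations off, e.g. `# bootargs that DISABLE kernel mitigations; an empty string keeps all of them on`. After a reboot, `/sys/devices/system/cpu/vulnerabilities/spectre_v1` can be read to confirm which state the host ended up in. The dict `SYSTEM_SECURITY_FEATURE_SPECTRE_MELTDOWN_OPTS` opens on the last line of the hunk and continues outside it.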
@ -1,2 +1,2 @@
|
|||||||
SRC_DIR="tsconfig"
|
SRC_DIR="tsconfig"
|
||||||
TIS_PATCH_VER=10
|
TIS_PATCH_VER=11
|
||||||
|
@ -60,7 +60,7 @@ sdn_enabled=no
|
|||||||
region_config=no
|
region_config=no
|
||||||
system_mode=duplex
|
system_mode=duplex
|
||||||
sw_version=19.12
|
sw_version=19.12
|
||||||
security_feature="nopti nospectre_v2"
|
security_feature="nopti nospectre_v2 nospectre_v1"
|
||||||
vswitch_type=ovs-dpdk
|
vswitch_type=ovs-dpdk
|
||||||
"""
|
"""
|
||||||
|
|
||||||
@ -82,7 +82,7 @@ region_2_name=Region2
|
|||||||
distributed_cloud_role=CloudRole
|
distributed_cloud_role=CloudRole
|
||||||
system_mode=duplex
|
system_mode=duplex
|
||||||
sw_version=19.12
|
sw_version=19.12
|
||||||
security_feature="nopti nospectre_v2"
|
security_feature="nopti nospectre_v2 nospectre_v1"
|
||||||
vswitch_type=ovs-dpdk
|
vswitch_type=ovs-dpdk
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|