Security: Allow disabling of spectre v1 swapgs mitigation

Most of the v1 mitigation is baked into the kernel and not optional. The swapgs barriers are, however, optional. They have a negative performance impact so we disable them by using the nospectre_v1 kernel bootarg. Closes-Bug: 1860193 Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com> (cherry picked from commit de23dcfd05) (cherry picked from commit 950670ac1f0bfaa43e29eeb3ffda71a94de66520 in upstream stx-puppet repo) Conflicts: sysinv/cgts-client/centos/build_srpm.data sysinv/sysinv/centos/build_srpm.data tsconfig/centos/build_srpm.data tsconfig/tsconfig/tsconfig/tests/test_basics.py puppet-manifests/centos/build_srpm.data Change-Id: Ic77ffbdeb8dd65464a777673c5d7e49b894feedc
2020-01-27 14:25:14 -05:00 · 2020-01-27 14:25:14 -05:00 · a6ec8d3f7e
parent 26dd7e8daa
commit a6ec8d3f7e
7 changed files with 9 additions and 7 deletions
--- a/puppet-manifests/centos/build_srpm.data
+++ b/puppet-manifests/centos/build_srpm.data
@ -1,2 +1,2 @@
 SRC_DIR="src"
-TIS_PATCH_VER=92
+TIS_PATCH_VER=93
--- a/puppet-manifests/src/hieradata/global.yaml
+++ b/puppet-manifests/src/hieradata/global.yaml
@ -7,7 +7,7 @@ platform::params::controller_hostname: controller
 platform::params::controller_0_hostname: controller-0
 platform::params::controller_1_hostname: controller-1
 platform::params::pxeboot_hostname: pxecontroller
-platform::params::security_feature: nopti nospectre_v2
+platform::params::security_feature: nopti nospectre_v2 nospectre_v1
 platform::amqp::auth_user: guest
 platform::users::params::sysadmin_password_max_age: 45

--- a/puppet-manifests/src/modules/platform/manifests/grub.pp
+++ b/puppet-manifests/src/modules/platform/manifests/grub.pp
@ -1,7 +1,7 @@
 class platform::grub
 {
  include ::platform::params
-  $managed_security_params = 'nopti nospectre_v2'
+  $managed_security_params = 'nopti nospectre_v2 nospectre_v1'

  # Run grubby to update params
  # First, remove all the parameters we manage, then we add back in the ones
--- a/sysinv/cgts-client/centos/build_srpm.data
+++ b/sysinv/cgts-client/centos/build_srpm.data
@ -1,2 +1,2 @@
 SRC_DIR="cgts-client"
-TIS_PATCH_VER=69
+TIS_PATCH_VER=70
--- a/sysinv/cgts-client/cgts-client/cgtsclient/v1/isystem_shell.py
+++ b/sysinv/cgts-client/cgts-client/cgtsclient/v1/isystem_shell.py
@ -87,7 +87,9 @@ def do_show(cc, args):
@utils.arg('-S', '--security_feature',
           metavar='<security_feature>',
           choices=['spectre_meltdown_v1', 'spectre_meltdown_all'],
-           help='Use spectre_meltdown_v1 for spectre/meltdown v1 fixes, or spectre_meltdown_all to use all fixes')
+           help='Use spectre_meltdown_v1 to add linux bootargs "nopti '
+                'nospectre_v2 nospectre_v1", or spectre_meltdown_all to not '
+                'add any mitigation disabling bootargs')
 def do_modify(cc, args):
    """Modify system attributes."""
    isystems = cc.isystem.list()
--- a/sysinv/sysinv/centos/build_srpm.data
+++ b/sysinv/sysinv/centos/build_srpm.data
@ -1,2 +1,2 @@
 SRC_DIR="sysinv"
-TIS_PATCH_VER=330
+TIS_PATCH_VER=331
--- a/sysinv/sysinv/sysinv/sysinv/common/constants.py
+++ b/sysinv/sysinv/sysinv/sysinv/common/constants.py
@ -1326,7 +1326,7 @@ GLANCE_REGISTRY_DATA_API = 'glance.db.registry.api'

 # kernel options for various security feature selections
 SYSTEM_SECURITY_FEATURE_SPECTRE_MELTDOWN_V1 = 'spectre_meltdown_v1'
-SYSTEM_SECURITY_FEATURE_SPECTRE_MELTDOWN_V1_OPTS = 'nopti nospectre_v2'
+SYSTEM_SECURITY_FEATURE_SPECTRE_MELTDOWN_V1_OPTS = 'nopti nospectre_v2 nospectre_v1'
 SYSTEM_SECURITY_FEATURE_SPECTRE_MELTDOWN_ALL = 'spectre_meltdown_all'
 SYSTEM_SECURITY_FEATURE_SPECTRE_MELTDOWN_ALL_OPTS = ''
 SYSTEM_SECURITY_FEATURE_SPECTRE_MELTDOWN_OPTS = {