
Security: Handle nospectre_v1 in the bootargs

Most of the v1 mitigation is baked into the kernel and not
optional.  The swapgs barriers are, however, optional.
They have a negative performance impact, so we disable them
by using the nospectre_v1 kernel bootarg.

Partial-Bug: 1860193
Depends-On: https://review.opendev.org/#/c/704406
Change-Id: Id11232fe113293ed04b2802aaf038e2eedf9d797
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
Ref: changes/50/704450/2
Author: Jim Somerville, 1 year ago
Parent commit: 91f488af02
5 changed files with 14 additions and 2 deletions:
  1. bsp-files/kickstarts/post_kernel_aio_and_worker.cfg (+4, -0)
  2. bsp-files/kickstarts/post_kernel_controller.cfg (+4, -0)
  3. bsp-files/kickstarts/post_kernel_storage.cfg (+4, -0)
  4. devstack/files/platform.conf (+1, -1)
  5. kickstart/centos/build_srpm.data (+1, -1)

bsp-files/kickstarts/post_kernel_aio_and_worker.cfg (+4, -0)

@ -91,6 +91,10 @@ grep -q 'nospectre_v2' /proc/cmdline
if [ $? -eq 0 ]; then
KERN_OPTS="${KERN_OPTS} nospectre_v2"
fi
grep -q 'nospectre_v1' /proc/cmdline
if [ $? -eq 0 ]; then
KERN_OPTS="${KERN_OPTS} nospectre_v1"
fi
perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub
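Review bot: the nospectre_v1 block is a verbatim copy of the nospectre_v2 block directly above it, and the same four lines are added again in post_kernel_controller.cfg and post_kernel_storage.cfg in this change. Consider a single loop over the option list in each kickstart, e.g. `for opt in nospectre_v2 nospectre_v1; do grep -qw "$opt" /proc/cmdline && KERN_OPTS="${KERN_OPTS} ${opt}"; done`, so that adding the next option is a one-token change rather than four more lines per file.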


bsp-files/kickstarts/post_kernel_controller.cfg (+4, -0)

@ -38,6 +38,10 @@ grep -q 'nospectre_v2' /proc/cmdline
if [ $? -eq 0 ]; then
KERN_OPTS="${KERN_OPTS} nospectre_v2"
fi
grep -q 'nospectre_v1' /proc/cmdline
if [ $? -eq 0 ]; then
KERN_OPTS="${KERN_OPTS} nospectre_v1"
fi
perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub
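Review bot: nothing in this hunk records that the swapgs barriers were switched off on the installed controller; the option is copied from the installer's /proc/cmdline into /etc/default/grub with no log line, so the only trace afterwards is the grub entry itself. Suggest echoing an explicit message when nospectre_v1 is appended to KERN_OPTS, and stating in the commit message that the option carries over to the installed node and not only the installer kernel, so the decision to run without the swapgs barriers is auditable after install.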


bsp-files/kickstarts/post_kernel_storage.cfg (+4, -0)

@ -32,6 +32,10 @@ grep -q 'nospectre_v2' /proc/cmdline
if [ $? -eq 0 ]; then
KERN_OPTS="${KERN_OPTS} nospectre_v2"
fi
grep -q 'nospectre_v1' /proc/cmdline
if [ $? -eq 0 ]; then
KERN_OPTS="${KERN_OPTS} nospectre_v1"
fi
perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub
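Review bot: `grep -q 'nospectre_v1'` matches the string anywhere in /proc/cmdline, not only as a whole boot parameter, the same looseness as the nospectre_v2 check it was copied from; `grep -qw 'nospectre_v1'` restricts the match to a whole word. As a style point, `if grep -qw 'nospectre_v1' /proc/cmdline; then` avoids testing `$?` on the following line.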


devstack/files/platform.conf (+1, -1)

@ -10,5 +10,5 @@ sdn_enabled=no
region_config=no
system_mode=@SYS_MODE@
sw_version=@SW_VERSION@
security_feature="nopti nospectre_v2"
security_feature="nopti nospectre_v2 nospectre_v1"
vswitch_type=ovs-dpdk
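Review bot: security_feature now stacks three mitigation opt-outs ("nopti nospectre_v2 nospectre_v1") with nothing in platform.conf saying what each one disables or that they are chosen for performance, which the commit message gives as the reason for nospectre_v1. A comment next to the setting, or a note in the devstack documentation, listing the three options and that nospectre_v1 drops the swapgs barriers would let someone reading the devstack defaults see what protection they are giving up.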

kickstart/centos/build_srpm.data (+1, -1)

@ -1,3 +1,3 @@
SRC_DIR="${GIT_BASE}/bsp-files"
COPY_LIST="$PKG_BASE/LICENSE"
TIS_PATCH_VER=3
TIS_PATCH_VER=4

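The three kickstart hunks above all do the same thing: read the installer's /proc/cmdline, collect the mitigation-disabling options found there, and append them to GRUB_CMDLINE_LINUX in /etc/default/grub. The script below is an added example, not StarlingX code, that shows that propagation as one loop over the option list, applies it to a constructed /etc/default/grub (sed is used in place of the kickstart's perl one-liner), and adds a check of the spectre_v1 status line as the kernel reports it in /sys/devices/system/cpu/vulnerabilities/spectre_v1, so an operator can confirm on a booted node whether the swapgs barriers the commit message refers to are actually off. The cmdline, grub file and status strings are constructed inputs; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not StarlingX code): propagate mitigation opt-outs from a
# kernel command line into a grub defaults file, then verify the result.

# Collect the opt-out options present in a kernel command line.
# $1: cmdline text (on a real node, the content of /proc/cmdline).
# Prints the options found, each with a leading space, matching the
# KERN_OPTS convention used by the kickstarts.
collect_kern_opts() {
    cmdline="$1"
    opts=""
    for opt in nopti nospectre_v2 nospectre_v1; do
        # -w: match the whole token, not a substring of another parameter
        if printf '%s\n' "$cmdline" | grep -qw "$opt"; then
            opts="${opts} ${opt}"
        fi
    done
    printf '%s' "$opts"
}

# Append the collected options inside the quotes of GRUB_CMDLINE_LINUX.
# $1: path to a grub defaults file, $2: options string from collect_kern_opts.
append_to_grub_default() {
    file="$1"
    opts="$2"
    [ -n "$opts" ] || return 0
    # greedy .* runs to the closing quote, so the options land at the end
    sed "s/\(GRUB_CMDLINE_LINUX=.*\)\"/\1${opts}\"/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Print the value of GRUB_CMDLINE_LINUX without its quotes.
grub_cmdline_value() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1"
}

# Classify a spectre_v1 sysfs status line.
# Returns 0 when swapgs barriers are reported active, 1 when the kernel
# reports them disabled, 2 for an unrecognised line.
swapgs_barriers_active() {
    case "$1" in
        *"no swapgs barriers"*) return 1 ;;
        *"swapgs barriers"*)    return 0 ;;
        *)                      return 2 ;;
    esac
}

# Demonstration on constructed input (not taken from a real node).
# Prints the resulting GRUB_CMDLINE_LINUX value.
demo() {
    tmp=$(mktemp -d)
    printf 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet"\n' > "$tmp/grub"
    cmdline='BOOT_IMAGE=/vmlinuz ro nopti nospectre_v2 nospectre_v1 console=ttyS0'
    opts=$(collect_kern_opts "$cmdline")
    append_to_grub_default "$tmp/grub" "$opts"
    grub_cmdline_value "$tmp/grub"
    rm -rf "$tmp"
}
```

On a booted node the same check is `swapgs_barriers_active "$(cat /sys/devices/system/cpu/vulnerabilities/spectre_v1)"`: a status beginning "Mitigation: usercopy/swapgs barriers ..." means the barriers are in place, while a status ending "no swapgs barriers" means nospectre_v1 took effect.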