starlingx/metal
Code Issues Proposed changes

Merge "Spectre/meltdown kernel options controllable by customer"

Browse Source
This commit is contained in:
Zuul 2018-07-03 17:19:18 +00:00 committed by Gerrit Code Review
commit db4063233b
4 changed files with 40 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
bsp-files/kickstarts/post_kernel_aio_and_compute.cfg
View File

@ -86,8 +86,16 @@ if [[ "$subfunction" =~ lowlatency ]]; then
KERN_OPTS="${KERN_OPTS} skew_tick=1" KERN_OPTS="${KERN_OPTS} skew_tick=1"
fi fi
# spectre options # If the installer asked us to use security related kernel params, use
KERN_OPTS="${KERN_OPTS} nopti nospectre_v2" # them in the grub line as well (until they can be configured via puppet)
grep -q 'nopti' /proc/cmdline
if [ $? -eq 0 ]; then
KERN_OPTS="${KERN_OPTS} nopti"
fi
grep -q 'nospectre_v2' /proc/cmdline
if [ $? -eq 0 ]; then
KERN_OPTS="${KERN_OPTS} nospectre_v2"
fi
perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub

12
bsp-files/kickstarts/post_kernel_controller.cfg
View File

@ -26,8 +26,16 @@ fi
KERN_OPTS="${KERN_OPTS} cgroup_disable=memory" KERN_OPTS="${KERN_OPTS} cgroup_disable=memory"
# spectre options # If the installer asked us to use security related kernel params, use
KERN_OPTS="${KERN_OPTS} nopti nospectre_v2" # them in the grub line as well (until they can be configured via puppet)
grep -q 'nopti' /proc/cmdline
if [ $? -eq 0 ]; then
KERN_OPTS="${KERN_OPTS} nopti"
fi
grep -q 'nospectre_v2' /proc/cmdline
if [ $? -eq 0 ]; then
KERN_OPTS="${KERN_OPTS} nospectre_v2"
fi
perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub

12
bsp-files/kickstarts/post_kernel_storage.cfg
View File

@ -20,8 +20,16 @@ fi
KERN_OPTS="${KERN_OPTS} cgroup_disable=memory" KERN_OPTS="${KERN_OPTS} cgroup_disable=memory"
# spectre options # If the installer asked us to use security related kernel params, use
KERN_OPTS="${KERN_OPTS} nopti nospectre_v2" # them in the grub line as well (until they can be configured via puppet)
grep -q 'nopti' /proc/cmdline
if [ $? -eq 0 ]; then
KERN_OPTS="${KERN_OPTS} nopti"
fi
grep -q 'nospectre_v2' /proc/cmdline
if [ $? -eq 0 ]; then
KERN_OPTS="${KERN_OPTS} nospectre_v2"
fi
perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub

11
installer/pxe-network-installer/pxe-network-installer/pxeboot-update.sh
View File

@ -30,6 +30,7 @@ Arguments:
-u <tisnotify url> : Base url for TIS install progress notification -u <tisnotify url> : Base url for TIS install progress notification
-s <mode> : Specify Security Profile mode (optional) -s <mode> : Specify Security Profile mode (optional)
-T <tboot value> : Specify whether or not to use tboot (optional) -T <tboot value> : Specify whether or not to use tboot (optional)
-k <kernel args> : Specify any extra kernel boot arguments (optional)
EOF EOF
} }
@ -71,7 +72,7 @@ function generate_config()
parms=$@ parms=$@
logger -t $0 " $parms" logger -t $0 " $parms"
while getopts "i:o:tgc:b:r:u:s:T:h" opt while getopts "i:o:tgc:b:r:u:s:T:k:h" opt
do do
case $opt in case $opt in
i) i)
@ -109,6 +110,9 @@ do
T) T)
tboot=$OPTARG tboot=$OPTARG
;; ;;
k)
kernal_extra_args=$OPTARG
;;
h) h)
usage usage
exit 1 exit 1
@ -158,6 +162,11 @@ then
APPEND_OPTIONS="$APPEND_OPTIONS security_profile=$security_profile" APPEND_OPTIONS="$APPEND_OPTIONS security_profile=$security_profile"
fi fi
if [ -n "$kernal_extra_args" ]
then
APPEND_OPTIONS="$APPEND_OPTIONS $kernal_extra_args"
fi
generate_config $input_file $output_file generate_config $input_file $output_file
# for extended security profile UEFI boot only, # for extended security profile UEFI boot only,