Security: Add nospectre_v1 to the security params

Most of the v1 mitigation is baked into the kernel and not optional. The swapgs barriers are, however, optional. They have a negative performance impact so we disable them by using the nospectre_v1 kernel bootarg. Partial-Bug: 1860193 Depends-On: https://review.opendev.org/#/c/705300 Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com> (cherry picked from commit 950670ac1f) Change-Id: I8472e7fc4fbf5b3e01b56b79eba7feda315d29cf
2020-01-27 17:09:52 -05:00 · 2020-01-27 17:09:52 -05:00 · 0c13c06b02
parent 17ed77faf5
commit 0c13c06b02
3 changed files with 3 additions and 3 deletions
--- a/puppet-manifests/centos/build_srpm.data
+++ b/puppet-manifests/centos/build_srpm.data
@ -1,2 +1,2 @@
 SRC_DIR="src"
-TIS_PATCH_VER=95
+TIS_PATCH_VER=96
--- a/puppet-manifests/src/hieradata/global.yaml
+++ b/puppet-manifests/src/hieradata/global.yaml
@ -7,7 +7,7 @@ platform::params::controller_hostname: controller
 platform::params::controller_0_hostname: controller-0
 platform::params::controller_1_hostname: controller-1
 platform::params::pxeboot_hostname: pxecontroller
-platform::params::security_feature: nopti nospectre_v2
+platform::params::security_feature: nopti nospectre_v2 nospectre_v1
 platform::amqp::auth_user: guest
 platform::users::params::sysadmin_password_max_age: 45

--- a/puppet-manifests/src/modules/platform/manifests/grub.pp
+++ b/puppet-manifests/src/modules/platform/manifests/grub.pp
@ -1,7 +1,7 @@
 class platform::grub
 {
  include ::platform::params
-  $managed_security_params = 'nopti nospectre_v2'
+  $managed_security_params = 'nopti nospectre_v2 nospectre_v1'

  # Run grubby to update params
  # First, remove all the parameters we manage, then we add back in the ones