From 0c13c06b029375473b92a3277fb7e9a26949c5f0 Mon Sep 17 00:00:00 2001 From: Jim Somerville Date: Mon, 27 Jan 2020 17:09:52 -0500 Subject: [PATCH] Security: Add nospectre_v1 to the security params Most of the v1 mitigation is baked into the kernel and not optional. The swapgs barriers are, however, optional. They have a negative performance impact so we disable them by using the nospectre_v1 kernel bootarg. Partial-Bug: 1860193 Depends-On: https://review.opendev.org/#/c/705300 Signed-off-by: Jim Somerville (cherry picked from commit 950670ac1f0bfaa43e29eeb3ffda71a94de66520) Change-Id: I8472e7fc4fbf5b3e01b56b79eba7feda315d29cf --- puppet-manifests/centos/build_srpm.data | 2 +- puppet-manifests/src/hieradata/global.yaml | 2 +- puppet-manifests/src/modules/platform/manifests/grub.pp | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/puppet-manifests/centos/build_srpm.data b/puppet-manifests/centos/build_srpm.data
index 22af5e82..7d32ce1e 100644
--- a/puppet-manifests/centos/build_srpm.data
+++ b/puppet-manifests/centos/build_srpm.data
@@ -1,2 +1,2 @@
 SRC_DIR="src"
-TIS_PATCH_VER=95
+TIS_PATCH_VER=96
diff --git a/puppet-manifests/src/hieradata/global.yaml b/puppet-manifests/src/hieradata/global.yaml
index 7647db40..563d7d49 100644
--- a/puppet-manifests/src/hieradata/global.yaml
+++ b/puppet-manifests/src/hieradata/global.yaml
@@ -7,7 +7,7 @@ platform::params::controller_hostname: controller
 platform::params::controller_0_hostname: controller-0
 platform::params::controller_1_hostname: controller-1
 platform::params::pxeboot_hostname: pxecontroller
-platform::params::security_feature: nopti nospectre_v2
+platform::params::security_feature: nopti nospectre_v2 nospectre_v1
 platform::amqp::auth_user: guest
 platform::users::params::sysadmin_password_max_age: 45
diff --git a/puppet-manifests/src/modules/platform/manifests/grub.pp b/puppet-manifests/src/modules/platform/manifests/grub.pp
index df6ea185..36fc6f42 100644
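Review bot: In puppet-manifests/src/hieradata/global.yaml, the `platform::params::security_feature` default now switches off a third kernel speculative-execution mitigation for every host, yet the file itself gives no hint of that; the rationale exists only in the commit message. A comment above the key would keep the trade-off visible to whoever edits the default next, for example `# Performance-first default: nopti, nospectre_v2 and nospectre_v1 each disable a kernel CPU side-channel mitigation; override on hosts that run untrusted workloads`. Whether operators have a supported way to override this value is not visible in the hunk, so it is worth confirming and naming in that comment.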
--- a/puppet-manifests/src/modules/platform/manifests/grub.pp
+++ b/puppet-manifests/src/modules/platform/manifests/grub.pp
@@ -1,7 +1,7 @@
 class platform::grub {
 include ::platform::params
- $managed_security_params = 'nopti nospectre_v2'
+ $managed_security_params = 'nopti nospectre_v2 nospectre_v1'
 # Run grubby to update params
 # First, remove all the parameters we manage, then we add back in the ones
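Review bot: `$managed_security_params` in grub.pp repeats the flag list that global.yaml carries in `platform::params::security_feature`, so the two string literals have to be edited together by hand, as this commit does. Going by the context comment (remove every managed parameter, then add back the selected ones), a flag that appears in hieradata but is missing from this list would presumably never be stripped from the kernel command line when the setting changes. A comment on the assignment would record that invariant, e.g. `# Must list every flag security_feature can ever contain; a flag omitted here is never removed from the kernel args`. The class body continues past the end of the hunk, so the grubby invocation itself is not visible here.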