fba0ef3f7c
Implements customer configuration of kernel options to control spectre/meltdown related kernel options. Default (with "nopti nospectre_v2" options) can be changed to "" using system modify -S spectre_meltdown_all Change-Id: I183a22fa681e6524415558c0009aa8786418cc07 Signed-off-by: Jack Ding <jack.ding@windriver.com>
50 lines
1.4 KiB
INI
50 lines
1.4 KiB
INI
%post --erroronfail
|
|
|
|
# Source common functions
|
|
. /tmp/ks-functions.sh
|
|
|
|
## Custom kernel options
|
|
KERN_OPTS=" intel_iommu=off usbcore.autosuspend=-1"
|
|
|
|
## Setup the loop module to support up to 15 partitions so that we can enable the
|
|
## customer to manually resize images if needed.
|
|
##
|
|
KERN_OPTS="${KERN_OPTS} loop.max_part=15"
|
|
|
|
## Add kernel options to ensure an selinux is disabled
|
|
KERN_OPTS="${KERN_OPTS} selinux=0 enforcing=0"
|
|
|
|
# Add kernel options to ensure NMI watchdog is enabled, if supported
|
|
KERN_OPTS="${KERN_OPTS} nmi_watchdog=panic,1 softlockup_panic=1"
|
|
|
|
# Add kernel option to disable biosdevname if enabled
|
|
# As this may already be in GRUB_CMDLINE_LINUX, only add if it is not already present
|
|
grep -q '^GRUB_CMDLINE_LINUX=.*biosdevname=0' /etc/default/grub
|
|
if [ $? -ne 0 ]; then
|
|
KERN_OPTS="${KERN_OPTS} biosdevname=0"
|
|
fi
|
|
|
|
KERN_OPTS="${KERN_OPTS} cgroup_disable=memory"
|
|
|
|
# If the installer asked us to use security related kernel params, use
|
|
# them in the grub line as well (until they can be configured via puppet)
|
|
grep -q 'nopti' /proc/cmdline
|
|
if [ $? -eq 0 ]; then
|
|
KERN_OPTS="${KERN_OPTS} nopti"
|
|
fi
|
|
grep -q 'nospectre_v2' /proc/cmdline
|
|
if [ $? -eq 0 ]; then
|
|
KERN_OPTS="${KERN_OPTS} nospectre_v2"
|
|
fi
|
|
|
|
perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub
|
|
|
|
if [ -d /sys/firmware/efi ] ; then
|
|
grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg
|
|
else
|
|
grub2-mkconfig -o /boot/grub2/grub.cfg
|
|
fi
|
|
|
|
%end
|
|
|