From 2a7cb246a11add07851b85cca23ac72d9790d5da Mon Sep 17 00:00:00 2001
From: Jim Somerville <Jim.Somerville@windriver.com>
Date: Mon, 27 Jan 2020 17:18:47 -0500
Subject: [PATCH] Security: Handle nospectre_v1 in the bootargs

Most of the v1 mitigation is baked into the kernel and not
optional.  The swapgs barriers are, however, optional.
They have a negative performance impact so we disable them
by using the nospectre_v1 kernel bootarg.

Partial-Bug: 1860193
Depends-On: https://review.opendev.org/#/c/705300
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
(cherry picked from commit 91f488af02e2bc27007690450a3ee63826e67c86)

Change-Id: I88c8fafe558c5f03a9d0af7c42a668decef18f5a
---
 bsp-files/kickstarts/post_kernel_aio_and_worker.cfg | 4 ++++
 bsp-files/kickstarts/post_kernel_controller.cfg     | 4 ++++
 bsp-files/kickstarts/post_kernel_storage.cfg        | 4 ++++
 devstack/files/platform.conf                        | 2 +-
 kickstart/centos/build_srpm.data                    | 2 +-
 5 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/bsp-files/kickstarts/post_kernel_aio_and_worker.cfg b/bsp-files/kickstarts/post_kernel_aio_and_worker.cfg
index f2281101..ae76d301 100644
--- a/bsp-files/kickstarts/post_kernel_aio_and_worker.cfg
+++ b/bsp-files/kickstarts/post_kernel_aio_and_worker.cfg
@@ -91,6 +91,10 @@ grep -q 'nospectre_v2' /proc/cmdline
 if [ $? -eq 0 ]; then
     KERN_OPTS="${KERN_OPTS} nospectre_v2"
 fi
+grep -q 'nospectre_v1' /proc/cmdline
+if [ $? -eq 0 ]; then
+    KERN_OPTS="${KERN_OPTS} nospectre_v1"
+fi
 
 perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub
 
diff --git a/bsp-files/kickstarts/post_kernel_controller.cfg b/bsp-files/kickstarts/post_kernel_controller.cfg
index a49f835a..e07540c0 100644
--- a/bsp-files/kickstarts/post_kernel_controller.cfg
+++ b/bsp-files/kickstarts/post_kernel_controller.cfg
@@ -38,6 +38,10 @@ grep -q 'nospectre_v2' /proc/cmdline
 if [ $? -eq 0 ]; then
     KERN_OPTS="${KERN_OPTS} nospectre_v2"
 fi
+grep -q 'nospectre_v1' /proc/cmdline
+if [ $? -eq 0 ]; then
+    KERN_OPTS="${KERN_OPTS} nospectre_v1"
+fi
 
 perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub
 
diff --git a/bsp-files/kickstarts/post_kernel_storage.cfg b/bsp-files/kickstarts/post_kernel_storage.cfg
index 53bff1b2..ccc4a435 100644
--- a/bsp-files/kickstarts/post_kernel_storage.cfg
+++ b/bsp-files/kickstarts/post_kernel_storage.cfg
@@ -32,6 +32,10 @@ grep -q 'nospectre_v2' /proc/cmdline
 if [ $? -eq 0 ]; then
     KERN_OPTS="${KERN_OPTS} nospectre_v2"
 fi
+grep -q 'nospectre_v1' /proc/cmdline
+if [ $? -eq 0 ]; then
+    KERN_OPTS="${KERN_OPTS} nospectre_v1"
+fi
 
 perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub
 
diff --git a/devstack/files/platform.conf b/devstack/files/platform.conf
index 2961910c..cd328fd7 100644
--- a/devstack/files/platform.conf
+++ b/devstack/files/platform.conf
@@ -10,5 +10,5 @@ sdn_enabled=no
 region_config=no
 system_mode=@SYS_MODE@
 sw_version=@SW_VERSION@
-security_feature="nopti nospectre_v2"
+security_feature="nopti nospectre_v2 nospectre_v1"
 vswitch_type=ovs-dpdk
diff --git a/kickstart/centos/build_srpm.data b/kickstart/centos/build_srpm.data
index 1eb8a789..9e433cbc 100644
--- a/kickstart/centos/build_srpm.data
+++ b/kickstart/centos/build_srpm.data
@@ -1,3 +1,3 @@
 SRC_DIR="${GIT_BASE}/bsp-files"
 COPY_LIST="$PKG_BASE/LICENSE"
-TIS_PATCH_VER=3
+TIS_PATCH_VER=4