diff --git a/bsp-files/kickstarts/post_kernel_aio_and_compute.cfg b/bsp-files/kickstarts/post_kernel_aio_and_compute.cfg
index ef485211..629b8ffe 100644
--- a/bsp-files/kickstarts/post_kernel_aio_and_compute.cfg
+++ b/bsp-files/kickstarts/post_kernel_aio_and_compute.cfg
@@ -86,8 +86,16 @@ if [[ "$subfunction" =~ lowlatency ]]; then KERN_OPTS="${KERN_OPTS} skew_tick=1" fi
-# spectre options
-KERN_OPTS="${KERN_OPTS} nopti nospectre_v2"
+# If the installer asked us to use security related kernel params, use
+# them in the grub line as well (until they can be configured via puppet)
+grep -q 'nopti' /proc/cmdline
+if [ $? -eq 0 ]; then
+ KERN_OPTS="${KERN_OPTS} nopti"
+fi
+grep -q 'nospectre_v2' /proc/cmdline
+if [ $? -eq 0 ]; then
+ KERN_OPTS="${KERN_OPTS} nospectre_v2"
+fi
 perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub
diff --git a/bsp-files/kickstarts/post_kernel_controller.cfg b/bsp-files/kickstarts/post_kernel_controller.cfg
index 5b85fc49..684398de 100644
--- a/bsp-files/kickstarts/post_kernel_controller.cfg
+++ b/bsp-files/kickstarts/post_kernel_controller.cfg
@@ -26,8 +26,16 @@ fi KERN_OPTS="${KERN_OPTS} cgroup_disable=memory"
-# spectre options
-KERN_OPTS="${KERN_OPTS} nopti nospectre_v2"
+# If the installer asked us to use security related kernel params, use
+# them in the grub line as well (until they can be configured via puppet)
+grep -q 'nopti' /proc/cmdline
+if [ $? -eq 0 ]; then
+ KERN_OPTS="${KERN_OPTS} nopti"
+fi
+grep -q 'nospectre_v2' /proc/cmdline
+if [ $? -eq 0 ]; then
+ KERN_OPTS="${KERN_OPTS} nospectre_v2"
+fi
 perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub
diff --git a/bsp-files/kickstarts/post_kernel_storage.cfg b/bsp-files/kickstarts/post_kernel_storage.cfg
index e6ce726d..894c2e89 100644
--- a/bsp-files/kickstarts/post_kernel_storage.cfg
+++ b/bsp-files/kickstarts/post_kernel_storage.cfg
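Review bot: `grep -q 'nopti' /proc/cmdline` and `grep -q 'nospectre_v2' /proc/cmdline` match substrings, so any boot argument that merely contains one of those strings would cause the corresponding CPU side-channel mitigation to be switched off persistently in /etc/default/grub. Matching whole parameters is safer and also removes the separate `$?` test, e.g. `if grep -qE '(^|[[:space:]])nopti([[:space:]]|$)' /proc/cmdline; then`. The same two checks are repeated in the post_kernel_controller.cfg and post_kernel_storage.cfg hunks, so the change applies to all three. Because the outcome is a lasting reduction in hardening, I would also extend the comment above the block, for example `# nopti/nospectre_v2 disable Meltdown/Spectre v2 mitigations; carried over only when the installer itself was booted with them`.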
@@ -20,8 +20,16 @@ fi KERN_OPTS="${KERN_OPTS} cgroup_disable=memory"
-# spectre options
-KERN_OPTS="${KERN_OPTS} nopti nospectre_v2"
+# If the installer asked us to use security related kernel params, use
+# them in the grub line as well (until they can be configured via puppet)
+grep -q 'nopti' /proc/cmdline
+if [ $? -eq 0 ]; then
+ KERN_OPTS="${KERN_OPTS} nopti"
+fi
+grep -q 'nospectre_v2' /proc/cmdline
+if [ $? -eq 0 ]; then
+ KERN_OPTS="${KERN_OPTS} nospectre_v2"
+fi
 perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub
diff --git a/installer/pxe-network-installer/pxe-network-installer/pxeboot-update.sh b/installer/pxe-network-installer/pxe-network-installer/pxeboot-update.sh
index 5664af2d..222eda4d 100755
--- a/installer/pxe-network-installer/pxe-network-installer/pxeboot-update.sh
+++ b/installer/pxe-network-installer/pxe-network-installer/pxeboot-update.sh
@@ -30,6 +30,7 @@ Arguments: -u : Base url for TIS install progress notification -s : Specify Security Profile mode (optional) -T : Specify whether or not to use tboot (optional)
+ -k : Specify any extra kernel boot arguments (optional)
 EOF }
@@ -71,7 +72,7 @@ function generate_config() parms=$@ logger -t $0 " $parms"
-while getopts "i:o:tgc:b:r:u:s:T:h" opt
+while getopts "i:o:tgc:b:r:u:s:T:k:h" opt
 do case $opt in i)
@@ -109,6 +110,9 @@ do T) tboot=$OPTARG ;;
+ k)
+ kernal_extra_args=$OPTARG
+ ;;
 h) usage exit 1
@@ -158,6 +162,11 @@ then APPEND_OPTIONS="$APPEND_OPTIONS security_profile=$security_profile" fi
+if [ -n "$kernal_extra_args" ]
+then
+ APPEND_OPTIONS="$APPEND_OPTIONS $kernal_extra_args"
+fi
+
 generate_config $input_file $output_file # for extended security profile UEFI boot only,
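Review bot: The value of `-k` is appended to `APPEND_OPTIONS` unchecked in the last hunk, and from there it presumably reaches the generated PXE boot entry through generate_config, whose body is outside this hunk. Whoever can set this argument therefore controls the installer's kernel command line, including the `nopti`/`nospectre_v2` switches that the kickstart post scripts in this commit copy into grub; a value containing a newline or other control character could presumably also add lines to the generated config. I would reject such input before the append, e.g. `case "$kernal_extra_args" in *[[:cntrl:]]*) echo "invalid -k value" >&2; exit 1 ;; esac`, and quote the variable wherever it is consumed. The variable is also misspelled: `kernal_extra_args` should be `kernel_extra_args` here and in the `k)` arm of the getopts hunk.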