From fba0ef3f7cd8cf451cb3548ff1947f67370aaa53 Mon Sep 17 00:00:00 2001
From: jmckenna
Date: Fri, 11 May 2018 14:24:06 -0400
Subject: [PATCH] Spectre/meltdown kernel options controllable by customer

Implements customer configuration of kernel options to control
spectre/meltdown related kernel options.
Default (with "nopti nospectre_v2" options) can be changed to ""
using system modify -S spectre_meltdown_all

Change-Id: I183a22fa681e6524415558c0009aa8786418cc07
Signed-off-by: Jack Ding
---
 bsp-files/kickstarts/post_kernel_aio_and_compute.cfg | 12 ++++++++++--
 bsp-files/kickstarts/post_kernel_controller.cfg | 12 ++++++++++--
 bsp-files/kickstarts/post_kernel_storage.cfg | 12 ++++++++++--
 .../pxe-network-installer/pxeboot-update.sh | 11 ++++++++++-
 4 files changed, 40 insertions(+), 7 deletions(-)

diff --git a/bsp-files/kickstarts/post_kernel_aio_and_compute.cfg b/bsp-files/kickstarts/post_kernel_aio_and_compute.cfg
index ef485211..629b8ffe 100644
--- a/bsp-files/kickstarts/post_kernel_aio_and_compute.cfg
+++ b/bsp-files/kickstarts/post_kernel_aio_and_compute.cfg
@@ -86,8 +86,16 @@ if [[ "$subfunction" =~ lowlatency ]]; then
 KERN_OPTS="${KERN_OPTS} skew_tick=1"
 fi
 
-# spectre options
-KERN_OPTS="${KERN_OPTS} nopti nospectre_v2"
+# If the installer asked us to use security related kernel params, use
+# them in the grub line as well (until they can be configured via puppet)
+grep -q 'nopti' /proc/cmdline
+if [ $? -eq 0 ]; then
+ KERN_OPTS="${KERN_OPTS} nopti"
+fi
+grep -q 'nospectre_v2' /proc/cmdline
+if [ $? -eq 0 ]; then
+ KERN_OPTS="${KERN_OPTS} nospectre_v2"
+fi
 
 perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub
 
diff --git a/bsp-files/kickstarts/post_kernel_controller.cfg b/bsp-files/kickstarts/post_kernel_controller.cfg
index 5b85fc49..684398de 100644
--- a/bsp-files/kickstarts/post_kernel_controller.cfg
+++ b/bsp-files/kickstarts/post_kernel_controller.cfg
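Review bot: `grep -q 'nopti' /proc/cmdline` is a substring match, so any other boot parameter that happens to contain that text would also carry `nopti` into the persistent grub line; because these two lines decide whether a CPU mitigation stays disabled on every later boot, the test should be a whole-word match (`grep -qw`) and the separate `$?` check folded into the `if`. The identical ten lines are added in post_kernel_controller.cfg and post_kernel_storage.cfg, so the same change applies to those hunks. A short loop over the two options also keeps the three copies from drifting. The `if … skew_tick` block closed by the `fi` at the top of this hunk starts before it.
```shell
# If the installer asked us to use security related kernel params, use
# them in the grub line as well (until they can be configured via puppet).
# Whole-word match: these options disable CPU mitigations, so only copy
# one when it appears as a standalone token on the installer cmdline.
for opt in nopti nospectre_v2; do
  if grep -qw -- "$opt" /proc/cmdline; then
    KERN_OPTS="${KERN_OPTS} ${opt}"
  fi
done
# … unchanged: perl edit of GRUB_CMDLINE_LINUX in /etc/default/grub …
```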
@@ -26,8 +26,16 @@ fi
 
 KERN_OPTS="${KERN_OPTS} cgroup_disable=memory"
 
-# spectre options
-KERN_OPTS="${KERN_OPTS} nopti nospectre_v2"
+# If the installer asked us to use security related kernel params, use
+# them in the grub line as well (until they can be configured via puppet)
+grep -q 'nopti' /proc/cmdline
+if [ $? -eq 0 ]; then
+ KERN_OPTS="${KERN_OPTS} nopti"
+fi
+grep -q 'nospectre_v2' /proc/cmdline
+if [ $? -eq 0 ]; then
+ KERN_OPTS="${KERN_OPTS} nospectre_v2"
+fi
 
 perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub
 
diff --git a/bsp-files/kickstarts/post_kernel_storage.cfg b/bsp-files/kickstarts/post_kernel_storage.cfg
index e6ce726d..894c2e89 100644
--- a/bsp-files/kickstarts/post_kernel_storage.cfg
+++ b/bsp-files/kickstarts/post_kernel_storage.cfg
@@ -20,8 +20,16 @@ fi
 
 KERN_OPTS="${KERN_OPTS} cgroup_disable=memory"
 
-# spectre options
-KERN_OPTS="${KERN_OPTS} nopti nospectre_v2"
+# If the installer asked us to use security related kernel params, use
+# them in the grub line as well (until they can be configured via puppet)
+grep -q 'nopti' /proc/cmdline
+if [ $? -eq 0 ]; then
+ KERN_OPTS="${KERN_OPTS} nopti"
+fi
+grep -q 'nospectre_v2' /proc/cmdline
+if [ $? -eq 0 ]; then
+ KERN_OPTS="${KERN_OPTS} nospectre_v2"
+fi
 
 perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub
 
diff --git a/installer/pxe-network-installer/pxe-network-installer/pxeboot-update.sh b/installer/pxe-network-installer/pxe-network-installer/pxeboot-update.sh
index 5664af2d..222eda4d 100755
--- a/installer/pxe-network-installer/pxe-network-installer/pxeboot-update.sh
+++ b/installer/pxe-network-installer/pxe-network-installer/pxeboot-update.sh
@@ -30,6 +30,7 @@ Arguments:
 -u : Base url for TIS install progress notification
 -s : Specify Security Profile mode (optional)
 -T : Specify whether or not to use tboot (optional)
+ -k : Specify any extra kernel boot arguments (optional)
 EOF
 }
 
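Review bot: The new `-k` usage line in pxeboot-update.sh does not say where the value ends up; the later hunk in this commit splices it verbatim into the pxelinux APPEND line with no further parsing, so the help text should state that, e.g. `-k : Extra kernel boot arguments, appended verbatim to the kernel command line (optional)`. The usage heredoc and the function around it begin before this hunk.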
@@ -71,7 +72,7 @@ function generate_config()
 parms=$@
 logger -t $0 " $parms"
 
-while getopts "i:o:tgc:b:r:u:s:T:h" opt
+while getopts "i:o:tgc:b:r:u:s:T:k:h" opt
 do
 case $opt in
 i)
@@ -109,6 +110,9 @@ do
 T)
 tboot=$OPTARG
 ;;
+ k)
+ kernal_extra_args=$OPTARG
+ ;;
 h)
 usage
 exit 1
@@ -158,6 +162,11 @@ then
 APPEND_OPTIONS="$APPEND_OPTIONS security_profile=$security_profile"
 fi
 
+if [ -n "$kernal_extra_args" ]
+then
+ APPEND_OPTIONS="$APPEND_OPTIONS $kernal_extra_args"
+fi
+
 generate_config $input_file $output_file
 
 # for extended security profile UEFI boot only,
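Review bot: `kernal_extra_args` is only ever assigned inside the `k)` arm, so when `-k` is not passed the `[ -n "$kernal_extra_args" ]` test in the last hunk reads whatever the caller's environment exports under that name and appends it to the kernel command line; initialise it with `kernal_extra_args=""` alongside the other option defaults (those defaults are outside the hunk, so the exact spot cannot be checked here). The name is also misspelled in both the `k)` arm and this block — `kernel_extra_args` — and is worth correcting before other callers start relying on it. Because the value is inserted unchanged into APPEND, a comment on the new block such as `# -k is trusted input (set via 'system modify', see commit message); it goes into APPEND unchanged` would make the trust boundary explicit.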