diff options
| author | Simon Rettberg | 2019-12-10 15:08:50 +0100 |
|---|---|---|
| committer | Simon Rettberg | 2019-12-10 15:08:50 +0100 |
| commit | 282215ddeece1b1504d4efc842f880fd95f6ba6c (patch) | |
| tree | 561f447292570e3bac7c0a15fd31bc84286f42cd /modules-available | |
| parent | [sysconfig] Display error if deleting config from database failed (diff) | |
| download | slx-admin-282215ddeece1b1504d4efc842f880fd95f6ba6c.tar.gz slx-admin-282215ddeece1b1504d4efc842f880fd95f6ba6c.tar.xz slx-admin-282215ddeece1b1504d4efc842f880fd95f6ba6c.zip | |
[minilinux] Make Linux fast again
Add boot option that adds all the KCL options to disable CPU security
flaw mitigations.
Diffstat (limited to 'modules-available')
| -rw-r--r-- | modules-available/minilinux/inc/linuxbootentryhook.inc.php | 12 | ||||
| -rw-r--r-- | modules-available/minilinux/lang/de/module.json | 1 |
2 files changed, 11 insertions, 2 deletions
diff --git a/modules-available/minilinux/inc/linuxbootentryhook.inc.php b/modules-available/minilinux/inc/linuxbootentryhook.inc.php index 56f66502..41d70b17 100644 --- a/modules-available/minilinux/inc/linuxbootentryhook.inc.php +++ b/modules-available/minilinux/inc/linuxbootentryhook.inc.php @@ -20,10 +20,12 @@ class LinuxBootEntryHook extends BootEntryHook /* For translate module: * Dictionary::translate('ipxe-kcl-extra'); * Dictionary::translate('ipxe-debug'); + * Dictionary::translate('ipxe-insecure-cpu'); */ return [ new HookExtraField('kcl-extra', 'string', ''), new HookExtraField('debug', 'bool', false), + new HookExtraField('insecure-cpu', 'bool', false), ]; } @@ -123,14 +125,20 @@ class LinuxBootEntryHook extends BootEntryHook } } // KCL hacks - if (isset($localData['debug']) && $localData['debug']) { + if (!empty($localData['debug'])) { + // Debug boot enabled $exec->commandLine = IPxe::modifyCommandLine($exec->commandLine, isset($remoteData['debugCommandLineModifier']) ? $remoteData['debugCommandLineModifier'] : '-vga -quiet -splash -loglevel loglevel=7' ); } - if (isset($localData['kcl-extra'])) { + // disable all CPU sidechannel attack mitigations etc. + if (!empty($localData['insecure-cpu'])) { + $exec->commandLine = IPxe::modifyCommandLine($exec->commandLine, + 'noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off mitigations=off'); + } + if (!empty($localData['kcl-extra'])) { $exec->commandLine = IPxe::modifyCommandLine($exec->commandLine, $localData['kcl-extra']); } $exec->commandLine = str_replace('%ID%', $effectiveId, $exec->commandLine); diff --git a/modules-available/minilinux/lang/de/module.json b/modules-available/minilinux/lang/de/module.json index 3e5ed495..133e428f 100644 --- a/modules-available/minilinux/lang/de/module.json +++ b/modules-available/minilinux/lang/de/module.json @@ -6,6 +6,7 @@ "file-ok": "OK", "file-size-mismatch": "Dateigr\u00f6\u00dfe stimmt nicht", "ipxe-debug": "Debug-Ausgaben statt Bootlogo", + "ipxe-insecure-cpu": "Alle Mitigations for CPU-Sicherheitsl\u00fccken deaktivieren", "ipxe-kcl-extra": "Modifikation der Kernel-Command-Line", "menu-sources": "Update-Quellen", "menu-versions": "Verf\u00fcgbare Versionen", |