Diffstat (limited to 'modules-available/minilinux')
-rw-r--r-- | modules-available/minilinux/inc/linuxbootentryhook.inc.php | 14 | ||||
-rw-r--r-- | modules-available/minilinux/inc/minilinux.inc.php | 1 | ||||
-rw-r--r-- | modules-available/minilinux/lang/de/module.json | 1 |
3 files changed, 13 insertions, 3 deletions
diff --git a/modules-available/minilinux/inc/linuxbootentryhook.inc.php b/modules-available/minilinux/inc/linuxbootentryhook.inc.php
index 56f66502..324ffc7e 100644
--- a/modules-available/minilinux/inc/linuxbootentryhook.inc.php
+++ b/modules-available/minilinux/inc/linuxbootentryhook.inc.php
@@ -20,10 +20,12 @@ class LinuxBootEntryHook extends BootEntryHook
 /* For translate module:
 * Dictionary::translate('ipxe-kcl-extra');
 * Dictionary::translate('ipxe-debug');
+ * Dictionary::translate('ipxe-insecure-cpu');
 */
 return [
 new HookExtraField('kcl-extra', 'string', ''),
 new HookExtraField('debug', 'bool', false),
+ new HookExtraField('insecure-cpu', 'bool', false),
 ];
 }
@@ -123,14 +125,20 @@ class LinuxBootEntryHook extends BootEntryHook
 }
 }
 // KCL hacks
- if (isset($localData['debug']) && $localData['debug']) {
+ if (!empty($localData['debug'])) {
+ // Debug boot enabled
 $exec->commandLine = IPxe::modifyCommandLine($exec->commandLine,
 isset($remoteData['debugCommandLineModifier'])
 ? $remoteData['debugCommandLineModifier']
 : '-vga -quiet -splash -loglevel loglevel=7'
 );
 }
- if (isset($localData['kcl-extra'])) {
+ // disable all CPU sidechannel attack mitigations etc.
+ if (!empty($localData['insecure-cpu'])) {
+ $exec->commandLine = IPxe::modifyCommandLine($exec->commandLine,
+ 'noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off mitigations=off');
+ }
+ if (!empty($localData['kcl-extra'])) {
 $exec->commandLine = IPxe::modifyCommandLine($exec->commandLine, $localData['kcl-extra']);
 }
 $exec->commandLine = str_replace('%ID%', $effectiveId, $exec->commandLine);
@@ -146,6 +154,8 @@ class LinuxBootEntryHook extends BootEntryHook
 public function isValidId($id)
 {
+ if ($id === 'default')
+ return true; // Meta-version that links to whatever the default is set to
 $res = Database::queryFirst('SELECT installed FROM minilinux_version WHERE versionid = :id', ['id' => $id]);
 return $res !== false && $res['installed'];
 }
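Review bot: The new `insecure-cpu` branch in the KCL hacks block switches off every speculative-execution mitigation on the booted client, yet its only documentation is `// disable all CPU sidechannel attack mitigations etc.`. I would expand the comment to state the consequence and the intended use, for example `// Turns off Spectre/Meltdown/L1TF/MDS mitigations on the client; only for machines that run no untrusted code next to data worth protecting`, and add that the per-feature flags are presumably kept for kernels that do not know `mitigations=off`. Because `kcl-extra` is applied after this block, its free-form value can still add or alter the same parameters, so the checkbox alone does not describe the effective state; how `IPxe::modifyCommandLine` resolves duplicates is not visible here. Nothing in the hunk records that an entry was saved or booted with mitigations off, so an admin-side log line or a visible marker on such entries would help later review. The enclosing method starts and ends outside the hunk.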
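Review bot: `isValidId('default')` now returns true without consulting `minilinux_version`, so a valid id no longer implies that an installed version stands behind it. If no default is configured, or the configured default is not installed, the entry still validates and the failure moves to wherever `default` is resolved, which is outside this hunk and should handle that case explicitly. A short docblock on `isValidId` stating that `default` is accepted unconditionally and resolved later would make that contract visible to callers.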
diff --git a/modules-available/minilinux/inc/minilinux.inc.php b/modules-available/minilinux/inc/minilinux.inc.php
index ca81eafa..005b81fa 100644
--- a/modules-available/minilinux/inc/minilinux.inc.php
+++ b/modules-available/minilinux/inc/minilinux.inc.php
@@ -23,7 +23,6 @@ class MiniLinux
 {
 $stamp = time();
 $last = Property::get(self::PROPERTY_KEY_FETCHTIME);
- error_log('Last: ' . $last);
 if ($last !== false && $last + 10 > $stamp)
 return 0; // In progress...
 Property::set(self::PROPERTY_KEY_FETCHTIME, $stamp, 1);
diff --git a/modules-available/minilinux/lang/de/module.json b/modules-available/minilinux/lang/de/module.json
index 3e5ed495..133e428f 100644
--- a/modules-available/minilinux/lang/de/module.json
+++ b/modules-available/minilinux/lang/de/module.json
@@ -6,6 +6,7 @@
 "file-ok": "OK",
 "file-size-mismatch": "Dateigr\u00f6\u00dfe stimmt nicht",
 "ipxe-debug": "Debug-Ausgaben statt Bootlogo",
+ "ipxe-insecure-cpu": "Alle Mitigations for CPU-Sicherheitsl\u00fccken deaktivieren",
 "ipxe-kcl-extra": "Modifikation der Kernel-Command-Line",
 "menu-sources": "Update-Quellen",
 "menu-versions": "Verf\u00fcgbare Versionen", |