From 282215ddeece1b1504d4efc842f880fd95f6ba6c Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Tue, 10 Dec 2019 15:08:50 +0100 Subject: [minilinux] Make Linux fast again Add boot option that adds all the KCL options to disable CPU security flaw mitigations. --- modules-available/minilinux/inc/linuxbootentryhook.inc.php | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'modules-available/minilinux/inc/linuxbootentryhook.inc.php') diff --git a/modules-available/minilinux/inc/linuxbootentryhook.inc.php b/modules-available/minilinux/inc/linuxbootentryhook.inc.php index 56f66502..41d70b17 100644 --- a/modules-available/minilinux/inc/linuxbootentryhook.inc.php +++ b/modules-available/minilinux/inc/linuxbootentryhook.inc.php @@ -20,10 +20,12 @@ class LinuxBootEntryHook extends BootEntryHook /* For translate module: * Dictionary::translate('ipxe-kcl-extra'); * Dictionary::translate('ipxe-debug'); + * Dictionary::translate('ipxe-insecure-cpu'); */ return [ new HookExtraField('kcl-extra', 'string', ''), new HookExtraField('debug', 'bool', false), + new HookExtraField('insecure-cpu', 'bool', false), ]; } @@ -123,14 +125,20 @@ class LinuxBootEntryHook extends BootEntryHook } } // KCL hacks - if (isset($localData['debug']) && $localData['debug']) { + if (!empty($localData['debug'])) { + // Debug boot enabled $exec->commandLine = IPxe::modifyCommandLine($exec->commandLine, isset($remoteData['debugCommandLineModifier']) ? $remoteData['debugCommandLineModifier'] : '-vga -quiet -splash -loglevel loglevel=7' ); } - if (isset($localData['kcl-extra'])) { + // disable all CPU sidechannel attack mitigations etc. + if (!empty($localData['insecure-cpu'])) { + $exec->commandLine = IPxe::modifyCommandLine($exec->commandLine, + 'noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off mitigations=off'); + } + if (!empty($localData['kcl-extra'])) { $exec->commandLine = IPxe::modifyCommandLine($exec->commandLine, $localData['kcl-extra']); } $exec->commandLine = str_replace('%ID%', $effectiveId, $exec->commandLine); -- cgit v1.2.3-55-g7522