From 435ae1504d5e40cc037c7e97aa74baff2bd32bf5 Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Thu, 11 Apr 2019 10:48:52 +0200 Subject: [PATCH 01/17] cpu_mitigations --- src/autoyast-rnc/bootloader.rnc | 4 +- src/lib/bootloader/autoyast_converter.rb | 7 ++- src/lib/bootloader/grub2_widgets.rb | 31 +++++++--- src/lib/bootloader/grub2base.rb | 74 +++++++++++++++--------- src/modules/BootArch.rb | 42 +++++++------- test/autoyast_converter_test.rb | 14 ++--- test/boot_arch_test.rb | 18 ++++-- test/grub2_efi_test.rb | 6 ++ test/grub2_test.rb | 6 ++ test/grub2base_test.rb | 5 ++ 10 files changed, 136 insertions(+), 71 deletions(-) diff --git a/src/autoyast-rnc/bootloader.rnc b/src/autoyast-rnc/bootloader.rnc index 2c2ecf238..4b62d1cab 100644 --- a/src/autoyast-rnc/bootloader.rnc +++ b/src/autoyast-rnc/bootloader.rnc @@ -71,7 +71,7 @@ bl_global = boot_extended? & boot_mbr? & stage1_dev? & - smt? & + cpu_mitigations? & element vgamode { text }? } @@ -86,7 +86,7 @@ boot_root = element boot_root { "true" | "false" } boot_boot = element boot_boot { "true" | "false" } boot_extended = element boot_extended { "true" | "false" } boot_mbr = element boot_mbr { "true" | "false" } -smt = element smt { "true" | "false" } +cpu_mitigations = element cpu_mitigations { "nosmt", "auto", "off", "manual" } sections = element sections { diff --git a/src/lib/bootloader/autoyast_converter.rb b/src/lib/bootloader/autoyast_converter.rb index d0c8a4c1b..178705ccd 100644 --- a/src/lib/bootloader/autoyast_converter.rb +++ b/src/lib/bootloader/autoyast_converter.rb 
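Review bot: The new `cpu_mitigations` element in the second bootloader.rnc hunk separates its allowed values with commas, which in RELAX NG compact syntax denotes a sequence rather than a choice, so as far as I can tell a profile carrying a single value such as `auto` will not validate against it. The neighbouring `boot_mbr = element boot_mbr { "true" | "false" }` shows the intended form; write `cpu_mitigations = element cpu_mitigations { "nosmt" | "auto" | "off" | "manual" }`. This is also the place where an out-of-range profile value should be rejected, before the converter reaches its own `raise`.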
@@ -37,7 +37,8 @@ def import(data) # always nil pmbr as autoyast does not support it yet, # so use nil to always use proposed value (bsc#1081967) bootloader.pmbr_action = nil - bootloader.smt = data["global"]["smt"] == "true" unless data["global"]["smt"].nil? + cpu_mitigations = data["global"]["cpu_mitigations"] + bootloader.cpu_mitigations = cpu_mitigations unless cpu_mitigations.nil? # TODO: import Initrd log.warn "autoyast profile contain sections which won't be processed" if data["sections"] @@ -57,7 +58,7 @@ def export(config) global = res["global"] export_grub2(global, config) if config.name == "grub2" export_default(global, config.grub_default) - res["global"]["smt"] = config.smt ? "true" : "false" + res["global"]["cpu_mitigations"] = config.cpu_mitigations.to_s # Do not export device map as device name are very unpredictable and is used only as # work-around when automatic ones do not work for what-ever reasons ( it can really safe # your day in L3 ) @@ -79,7 +80,7 @@ def import_grub2(data, bootloader) end def import_default(data, default) - # import first kernel params as smt can later modify it + # import first kernel params as cpu_mitigations can later modify it DEFAULT_KERNEL_PARAMS_MAPPING.each do |key, method| val = data["global"][key] next unless val diff --git a/src/lib/bootloader/grub2_widgets.rb b/src/lib/bootloader/grub2_widgets.rb index 45a42870c..9dc35f056 100644 --- a/src/lib/bootloader/grub2_widgets.rb +++ b/src/lib/bootloader/grub2_widgets.rb @@ -113,7 +113,7 @@ def store end # Represents decision if smt is enabled - class Smt < CWM::CheckBox + class CpuMitigations < CWM::ComboBox include Grub2Widget def initialize @@ -121,22 +121,38 @@ def initialize end def label - _("Disable Simultaneous &Multithreading") + _("CPU Mitigations") + end + + def items + [ + [:nosmt, _("Auto + No SMT")], + [:auto, _("Auto")], + [:off, _("Off")], + [:manual, _("Manually")] + ] end def help + # TODO: adapt _( - "
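Review bot: In the import hunk the value read from `data["global"]["cpu_mitigations"]` is the profile's String (for example `"auto"`), but `cpu_mitigations=` in grub2base (the `@@ -75` hunk of this same patch) looks it up in the symbol-keyed `CPU_MITIGATIONS_MAPPING` and raises `Invalid value` for anything it does not find, so every non-nil profile value appears to fail. The export hunk writes `config.cpu_mitigations.to_s`, so an exported profile does not import again either. Validate on the string form and convert before assigning, e.g. `bootloader.cpu_mitigations = cpu_mitigations.to_sym if cpu_mitigations`, with the membership check against the mapping keys done before `to_sym`. `import` begins before this hunk.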

Disable Simultaneous Multithreading
\n" \ - "To disable sharing physical cores by more virtual ones." + "

CPU Speculation
\n" \ + "Controls CPU speculative execution. Secure is the most secure option " \ + "that enable all mitigations for known security issues for speculative execution " \ + "including complete disable of SMT. Keep SMT enables all mitigations for " \ + "known security issues for speculative execution, but keep SMT enabled, even if " \ + "it is vulnerable. Performance disables all mitigations to use speculative " \ + "execution for the best performance. Manually lets user to specify mitigations " \ + "himself on kernel command line." ) end def init - self.value = !grub2.smt + self.value = grub2.cpu_mitigations end def store - grub2.smt = !value + grub2.cpu_mitigations = value end end @@ -872,11 +888,10 @@ def label def contents console_widget = Yast::Arch.s390 ? CWM::Empty.new("console") : ConsoleWidget.new - smt_widget = Yast::Arch.x86_64 ? MarginBox(1, 0.5, Smt.new) : CWM::Empty.new("smt") VBox( VSpacing(1), MarginBox(1, 0.5, KernelAppendWidget.new), - Left(smt_widget), + MarginBox(1, 0.5, Left(CpuMitigations.new)), MarginBox(1, 0.5, console_widget), VStretch() ) diff --git a/src/lib/bootloader/grub2base.rb b/src/lib/bootloader/grub2base.rb index e9beadd02..6ac4409ff 100644 --- a/src/lib/bootloader/grub2base.rb +++ b/src/lib/bootloader/grub2base.rb @@ -28,6 +28,7 @@ module Bootloader # Common base for GRUB2 specialized classes + # rubocop:disable Metrics/ClassLength class Grub2Base < BootloaderBase include Yast::Logger include Yast::I18n @@ -54,7 +55,7 @@ def initialize @grub_default = ::CFA::Grub2::Default.new @sections = ::Bootloader::Sections.new @pmbr_action = :nothing - @smt = nil # nil means not set explicitly, otherwise boolean + @explicit_cpu_speculation = false end # general functions 
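Review bot: The help text in the grub2_widgets `@@ -121` hunk describes options called Secure, Keep SMT, Performance and Manually, while `items` in the same hunk offers "Auto + No SMT", "Auto", "Off" and "Manually", so the help does not match what the user sees (the `TODO: adapt` acknowledges it, but it ships to translators as is). The comment above the renamed class in the preceding `@@ -113` hunk, `# Represents decision if smt is enabled`, is also stale; `# Combo box choosing the CPU side-channel mitigation level, stored as the mitigations= kernel parameter` would describe it. The enclosing `initialize` at the top of the hunk starts before it.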
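Review bot: `initialize` in the grub2base `@@ -54` hunk sets `@explicit_cpu_speculation = false`, but `explicit_cpu_mitigations` and `cpu_mitigations=` in the following hunk read and write `@explicit_cpu_mitigations`. It only works because an unassigned instance variable is nil, and the assigned flag is dead state; change it to `@explicit_cpu_mitigations = false`. `initialize` begins before this hunk.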
@@ -75,23 +76,37 @@ def pmbr_setup(*devices) end end - def smt - !grub_default.kernel_params.parameter("nosmt") + CPU_MITIGATIONS_MAPPING = { + off: "off", + auto: "auto", + nosmt: "auto,nosmt", + manual: nil + }.freeze + + def cpu_mitigations + value = grub_default.kernel_params.parameter("mitigations") + value = nil if value == false + reverse_mapping = CPU_MITIGATIONS_MAPPING.invert + raise "Unknown mitigations value #{value.inspect}" if !reverse_mapping.key?(value) + + reverse_mapping[value] end - def explicit_smt - @smt + def explicit_cpu_mitigations + @explicit_cpu_mitigations ? cpu_mitigations : nil end - def smt=(value) - log.info "setting smt to #{value}" - @smt = value + def cpu_mitigations=(value) + log.info "setting mitigations to #{value}" + @explicit_cpu_mitigations = true + matcher = CFA::Matcher.new(key: "mitigations") - if value - matcher = CFA::Matcher.new(key: "nosmt") + if value == :manual grub_default.kernel_params.remove_parameter(matcher) - elsif !grub_default.kernel_params.parameter("nosmt") - grub_default.kernel_params.add_parameter("nosmt", true) + else + text = CPU_MITIGATIONS_MAPPING[value] or raise "Invalid value #{value.inspect}" + placer = CFA::ReplacePlacer.new(matcher) + grub_default.kernel_params.add_parameter("mitigations", text, placer) end end 
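Review bot: `cpu_mitigations` raises a bare RuntimeError for any `mitigations=` value outside the three mapped strings, and this reader is called from the widget's `init`, from AutoYaST export and from `merge_grub_default`, so a hand-edited value with a different ordering or spelling aborts the whole dialog or export instead of being reported. Consider logging and degrading, e.g. `log.warn "unrecognised mitigations value #{value.inspect}"` followed by `return :manual unless reverse_mapping.key?(value)`, or raising one of the module's own error classes that the dialog already rescues (the config_dialog hunk in patch 02 shows `BrokenConfiguration` and `UnsupportedOption`). Since `cpu_mitigations=(:manual)` removes the parameter, whether such a custom value survives a store then depends on which widget stores last; that deserves a test.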
@@ -219,28 +234,34 @@ def merge_grub_default(other) log.info "before merge other #{other_default.inspect}" KERNEL_FLAVORS_METHODS.each do |method| - other_params = other_default.public_send(method) - default_params = default.public_send(method) - next if other_params.empty? - - default_serialize = default_params.serialize - # handle specially noresume as it should lead to remove all other resume - default_serialize.gsub!(/resume=\S+/, "") if other_params.parameter("noresume") - - new_kernel_params = default_serialize + " " + other_params.serialize - - default_params.replace(new_kernel_params) + merge_kernel_params(method, other_default) end merge_attributes(default, other_default) - # explicitly set smt - self.smt = other.explicit_smt unless other.explicit_smt.nil? - log.info "smt after merge #{smt}" + # explicitly set mitigations + if !other.explicit_cpu_mitigations.nil? + self.cpu_mitigations = other.explicit_cpu_mitigations + end + log.info "mitigations after merge #{cpu_mitigations}" log.info "after merge default #{default.inspect}" end + def merge_kernel_params(method, other_default) + other_params = other_default.public_send(method) + default_params = grub_default.public_send(method) + return if other_params.empty? + + default_serialize = default_params.serialize + # handle specially noresume as it should lead to remove all other resume + default_serialize.gsub!(/resume=\S+/, "") if other_params.parameter("noresume") + + new_kernel_params = default_serialize + " " + other_params.serialize + + default_params.replace(new_kernel_params) + end + def merge_attributes(default, other) # string attributes [:serial_console, :timeout, :hidden_timeout, :distributor, @@ -338,4 +359,5 @@ def propose_encrypted grub_default.cryptodisk.value = !!Yast::BootStorage.encrypted_boot? end end + # rubocop:enable Metrics/ClassLength end diff --git a/src/modules/BootArch.rb b/src/modules/BootArch.rb index 3a236dbc5..5fc37e36d 100644 --- a/src/modules/BootArch.rb 
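Review bot: `merge_kernel_params` builds the merged line as `default_serialize + " " + other_params.serialize` and only strips `resume=` from the default side, so when both sides carry `mitigations=` the result contains the parameter twice; the kernel typically honours the last occurrence, so the outcome is silent rather than an error. Mirror the noresume handling with `default_serialize.gsub!(/mitigations=\S+/, "") if other_params.parameter("mitigations")`. The helper reads `grub_default` directly while `merge_grub_default` still passes `default` around, which is fine but worth a one-line comment. The enclosing `merge_grub_default` starts before the hunk.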
+++ b/src/modules/BootArch.rb @@ -37,7 +37,8 @@ def main # from installation to running kernel on s390 (bsc#1086665) S390_WHITELIST = [ /net\.ifnames=\S*/, - /fips=\S*/ + /fips=\S*/, + /mitigations=\S*/ ].freeze # Get parameters for the default kernel @@ -54,8 +55,8 @@ def DefaultKernelParams(resume) if Arch.i386 || Arch.x86_64 || Arch.aarch64 || Arch.ppc ret = kernel_cmdline ret << " resume=#{resume}" unless resume.empty? - ret << propose_smt if Arch.x86_64 ret << " #{features}" unless features.empty? + ret << propose_cpu_mitigations ret << " quiet" return ret elsif Arch.s390 @@ -70,11 +71,12 @@ def DefaultKernelParams(resume) parameters << " #{Regexp.last_match(0)}" if kernel_cmdline =~ pattern end + parameters << propose_cpu_mitigations parameters << " resume=#{resume}" unless resume.empty? return parameters else log.warn "Default kernel parameters not defined" - return kernel_cmdline + return kernel_cmdline + propose_cpu_mitigations end end 
@@ -84,28 +86,26 @@ def ResumeAvailable Arch.i386 || Arch.x86_64 || Arch.s390 end - SMT_DEFAULT = true - def smt_settings - linuxrc_value = Yast::Linuxrc.value_for("disablesmt") - product_value = ProductFeatures.GetBooleanFeatureWithFallback("globals", "smt", SMT_DEFAULT) - log.info "smt settings: linuxrc #{linuxrc_value.inspect} product #{product_value.inspect}" - # linuxrc cmdline - return linuxrc_value == "0" if !linuxrc_value.nil? - - # product features - product_value + DEFAULT_CPU_MITIGATIONS = :auto + def propose_cpu_mitigations + linuxrc_value = Yast::Linuxrc.value_for("mitigations") + log.info "linuxrc mitigations #{linuxrc_value.inspect}" + return "" unless linuxrc_value.nil? # linuxrc already has mitigations + product_value = ProductFeatures.GetStringFeature("globals", "cpu_mitigations") + log.info "cpu mitigations in product: #{product_value.inspect}" + product_value = DEFAULT_CPU_MITIGATIONS if product_value.empty? + + # lazy load grub2 base which defines cpu mitigation mapping + # TODO: own class for cpu mitigations + require "bootloader/grub2base" + text = ::Bootloader::Grub2Base::CPU_MITIGATIONS_MAPPING[product_value] or + raise "Invalid value #{product_value.inspect}" + # no value for manual mitigations + text.nil? ? "" : " mitigations=#{text}" end publish :function => :DefaultKernelParams, :type => "string (string)" publish :function => :ResumeAvailable, :type => "boolean ()" - - private - - DISABLE_SMT = " nosmt".freeze - - def propose_smt - smt_settings ? "" : DISABLE_SMT - end end BootArch = BootArchClass.new diff --git a/test/autoyast_converter_test.rb b/test/autoyast_converter_test.rb index cd40f70a9..dda354c4b 100644 --- a/test/autoyast_converter_test.rb +++ b/test/autoyast_converter_test.rb 
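Review bot: `propose_cpu_mitigations` looks `product_value` up in `CPU_MITIGATIONS_MAPPING`, but the mapping is keyed by symbols while `GetStringFeature` returns a String, so any non-empty product setting reaches `raise "Invalid value"`; only the empty-string path via `DEFAULT_CPU_MITIGATIONS` works. The `... or raise` form also fires for `:manual`, whose mapped value is nil, so `manual` cannot be proposed even once the type is fixed. Convert and use `fetch`: `product_value = product_value.empty? ? DEFAULT_CPU_MITIGATIONS : product_value.to_sym` and `text = ::Bootloader::Grub2Base::CPU_MITIGATIONS_MAPPING.fetch(product_value) { raise "Invalid value #{product_value.inspect}" }`, keeping the existing `text.nil? ? "" : " mitigations=#{text}"`. The `require "bootloader/grub2base"` inside the method is flagged as a TODO; moving the mapping into its own file, as that TODO says, removes the lazy load.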
@@ -116,13 +116,13 @@ bootloader.trusted_boot = true expected_export = { - "append" => "verbose nomodeset", - "terminal" => "gfxterm", - "os_prober" => "true", - "hiddenmenu" => "true", - "timeout" => 10, - "trusted_grub" => "true", - "smt" => "true" + "append" => "verbose nomodeset", + "terminal" => "gfxterm", + "os_prober" => "true", + "hiddenmenu" => "true", + "timeout" => 10, + "trusted_grub" => "true", + "cpu_mitigations" => "manual" } expect(subject.export(bootloader)["global"]).to eq expected_export diff --git a/test/boot_arch_test.rb b/test/boot_arch_test.rb index 66aa51be5..7f218912b 100644 --- a/test/boot_arch_test.rb +++ b/test/boot_arch_test.rb @@ -5,6 +5,11 @@ describe Yast::BootArch do subject { Yast::BootArch } + before do + allow(Yast::ProductFeatures).to receive(:GetStringFeature) + .and_return("") + end + def stub_arch(arch) Yast.import "Arch" @@ -50,7 +55,8 @@ def stub_arch(arch) end it "adds additional parameters from Product file" do - allow(Yast::ProductFeatures).to receive(:GetStringFeature).and_return("console=ttyS0") + allow(Yast::ProductFeatures).to receive(:GetStringFeature) + .with("globals", "additional_kernel_parameters").and_return("console=ttyS0") expect(subject.DefaultKernelParams("/dev/sda2")).to include("console=ttyS0") end @@ -74,7 +80,8 @@ def stub_arch(arch) end it "adds additional parameters from Product file" do - allow(Yast::ProductFeatures).to receive(:GetStringFeature).and_return("console=ttyS0") + allow(Yast::ProductFeatures).to receive(:GetStringFeature) + .with("globals", "additional_kernel_parameters").and_return("console=ttyS0") expect(subject.DefaultKernelParams("/dev/sda2")).to include("console=ttyS0") end 
@@ -122,9 +129,12 @@ def stub_arch(arch) it "returns parameters from current command line" do allow(Yast::Kernel).to receive(:GetCmdLine).and_return("console=ttyS0") # just to test that it do not add product features - allow(Yast::ProductFeatures).to receive(:GetStringFeature).and_return("console=ttyS1") + allow(Yast::ProductFeatures).to receive(:GetStringFeature) + .with("globals", "additional_kernel_parameters").and_return("console=ttyS1") - expect(subject.DefaultKernelParams("/dev/sda2")).to eq "console=ttyS0 resume=/dev/sda2 console=ttyS1 quiet" + expect(subject.DefaultKernelParams("/dev/sda2")).to eq( + "console=ttyS0 resume=/dev/sda2 console=ttyS1 mitigations=auto quiet" + ) end it "adds \"quiet\" parameter" do diff --git a/test/grub2_efi_test.rb b/test/grub2_efi_test.rb index b6c6c889e..f796bd7de 100644 --- a/test/grub2_efi_test.rb +++ b/test/grub2_efi_test.rb @@ -3,6 +3,12 @@ require "bootloader/grub2efi" describe Bootloader::Grub2EFI do + subject do + sub = described_class.new + allow(sub).to receive(:cpu_mitigations).and_return(:manual) + sub + end + before do allow(::CFA::Grub2::Default).to receive(:new).and_return(double("GrubDefault").as_null_object) allow(::CFA::Grub2::GrubCfg).to receive(:new).and_return(double("GrubCfg").as_null_object) diff --git a/test/grub2_test.rb b/test/grub2_test.rb index a3e2b1937..a3424cc66 100644 --- a/test/grub2_test.rb +++ b/test/grub2_test.rb @@ -3,6 +3,12 @@ require "bootloader/grub2" describe Bootloader::Grub2 do + subject do + sub = described_class.new + allow(sub).to receive(:cpu_mitigations).and_return(:manual) + sub + end + before do allow(::CFA::Grub2::Default).to receive(:new).and_return(double("GrubDefault").as_null_object) allow(::CFA::Grub2::GrubCfg).to receive(:new).and_return(double("GrubCfg").as_null_object) diff --git a/test/grub2base_test.rb b/test/grub2base_test.rb index 2f0c502db..6dd1f7785 100644 --- a/test/grub2base_test.rb +++ b/test/grub2base_test.rb 
@@ -3,6 +3,11 @@ require "bootloader/grub2base" describe Bootloader::Grub2Base do + before do + allow(Yast::ProductFeatures).to receive(:GetStringFeature) + .and_return("") + end + describe "#read" do before do allow(::CFA::Grub2::Default).to receive(:new).and_return(double("GrubDefault", loaded?: false, load: nil, save: nil)) From fa3109f4690e709df6f55677685567419a694e22 Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Thu, 18 Apr 2019 16:16:51 +0200 Subject: [PATCH 02/17] allow different initial page --- src/lib/bootloader/config_dialog.rb | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/src/lib/bootloader/config_dialog.rb b/src/lib/bootloader/config_dialog.rb index 45c78bcf1..f22400144 100644 --- a/src/lib/bootloader/config_dialog.rb +++ b/src/lib/bootloader/config_dialog.rb @@ -17,6 +17,11 @@ class ConfigDialog include Yast::I18n include Yast::UIShortcuts + # param initial_tab [:boot_code|:kernel|:bootloader] initial tab when dialog open + def initialize(initial_tab: :boot_code) + @initial_tab = initial_tab + end + def run guarded_run rescue ::Bootloader::BrokenConfiguration, ::Bootloader::UnsupportedOption => e @@ -63,13 +68,6 @@ def guarded_run end # F#300779: end - if BootloaderFactory.current.is_a?(NoneBootloader) - contents = VBox(LoaderTypeWidget.new) - else - tabs = CWM::Tabs.new(BootCodeTab.new, KernelTab.new, BootloaderTab.new) - contents = VBox(tabs) - end - Yast::CWM.show( contents, caption: _("Boot Loader Settings"), 
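Review bot: The new constructor comment `# param initial_tab [:boot_code|:kernel|:bootloader] initial tab when dialog open` is not valid YARD and will not render as a parameter; write it as `# @param initial_tab [Symbol] tab shown first: :boot_code, :kernel or :bootloader`. Since `ConfigDialog` previously had no `initialize`, a short note that `ConfigDialog.new` with no arguments keeps the old behaviour would help callers.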
@@ -79,5 +77,22 @@ def guarded_run skip_store_for: [:redraw] ) end + + def contents + return VBox(LoaderTypeWidget.new) if BootloaderFactory.current.is_a?(NoneBootloader) + + boot_code_tab = BootCodeTab.new + kernel_tab = KernelTab.new + bootloader_tab = BootloaderTab.new + case @initial_tab + when :boot_code then boot_code_tab.initial = true + when :kernel then kernel_tab.initial = true + when :bootloader then bootloader_tab.initial = true + else + raise "unknown initial tab #{@initial_tab.inspect}" + end + + VBox(CWM::Tabs.new(boot_code_tab, kernel_tab, bootloader_tab)) + end end end From 5cc03bb5d12db781c84a4dd5c75c4cd5c8be4f86 Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Tue, 23 Apr 2019 16:02:47 +0200 Subject: [PATCH 03/17] move cpu mitigations to own class --- src/lib/bootloader/autoyast_converter.rb | 5 +- src/lib/bootloader/cpu_mitigations.rb | 71 ++++++++++++++++++++++++ src/lib/bootloader/grub2_widgets.rb | 45 +++++++++------ src/lib/bootloader/grub2base.rb | 30 ++-------- src/modules/BootArch.rb | 16 +++--- 5 files changed, 114 insertions(+), 53 deletions(-) create mode 100644 src/lib/bootloader/cpu_mitigations.rb diff --git a/src/lib/bootloader/autoyast_converter.rb b/src/lib/bootloader/autoyast_converter.rb index 178705ccd..97acb3576 100644 --- a/src/lib/bootloader/autoyast_converter.rb +++ b/src/lib/bootloader/autoyast_converter.rb @@ -1,6 +1,7 @@ require "yast" require "bootloader/bootloader_factory" +require "bootloader/cpu_mitigations" Yast.import "BootStorage" Yast.import "Arch" @@ -38,7 +39,7 @@ def import(data) # so use nil to always use proposed value (bsc#1081967) bootloader.pmbr_action = nil cpu_mitigations = data["global"]["cpu_mitigations"] - bootloader.cpu_mitigations = cpu_mitigations unless cpu_mitigations.nil? + bootloader.cpu_mitigations = CpuMitigations.from_string(cpu_mitigations) unless cpu_mitigations.nil? # TODO: import Initrd log.warn "autoyast profile contain sections which won't be processed" if data["sections"] 
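Review bot: `contents` raises a bare RuntimeError for an unknown `@initial_tab`, and `run` only rescues `BrokenConfiguration` and `UnsupportedOption` (previous hunk), so a caller typo surfaces as a crash inside `Yast::CWM.show` rather than at construction. Validate in `initialize` instead: `raise ArgumentError, "unknown initial tab #{initial_tab.inspect}" unless %i[boot_code kernel bootloader].include?(initial_tab)`, which also lets the `case` drop its `else` branch. The three `initial = true` assignments assume no tab marks itself initial; as of this patch `BootCodeTab#initialize` still sets `self.initial = true` (it is removed later in the series), so requesting `:kernel` or `:bootloader` would flag two tabs.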
@@ -58,7 +59,7 @@ def export(config) global = res["global"] export_grub2(global, config) if config.name == "grub2" export_default(global, config.grub_default) - res["global"]["cpu_mitigations"] = config.cpu_mitigations.to_s + res["global"]["cpu_mitigations"] = config.cpu_mitigations.value.to_s # Do not export device map as device name are very unpredictable and is used only as # work-around when automatic ones do not work for what-ever reasons ( it can really safe # your day in L3 ) diff --git a/src/lib/bootloader/cpu_mitigations.rb b/src/lib/bootloader/cpu_mitigations.rb new file mode 100644 index 000000000..f04149f48 --- /dev/null +++ b/src/lib/bootloader/cpu_mitigations.rb 
@@ -0,0 +1,71 @@ +require "yast" + +require "cfa/matcher" +require "cfa/placer" + +module Bootloader + class CpuMitigations + include Yast::I18n + extend Yast::I18n + KERNEL_MAPPING = { + off: "off", + auto: "auto", + nosmt: "auto,nosmt", + manual: nil + }.freeze + + HUMAN_MAPPING = { + nosmt: N_("Auto + No SMT"), + auto: N_("Auto"), + off: N_("Off"), + manual: N_("Manually") + } + + + attr_reader :value + + def initialize(value) + textdomain "bootloader" + + @value = value + end + + ALL = KERNEL_MAPPING.keys.map { |k| CpuMitigations.new(k) } + DEFAULT = CpuMitigations.new(:auto) + + def self.from_kernel_params(kernel_params) + param = kernel_params.parameter("mitigations") + param = nil if param == false + reverse_mapping = KERNEL_MAPPING.invert + raise "Unknown mitigations value #{param.inspect}" if !reverse_mapping.key?(param) + + new(reverse_mapping[param]) + end + + def self.from_string(string) + raise "Unknown mitigations value #{string.inspect}" if KERNEL_MAPPING.key?(string.to_sym) + + new(string.to_sym) + end + + def to_human_string + _(HUMAN_MAPPING[value]) + end + + def kernel_value + KERNEL_MAPPING[value] or raise "Invalid value #{value.inspect}" + end + + def modify_kernel_params(kernel_params) + matcher = CFA::Matcher.new(key: "mitigations") + + if value == :manual + kernel_params.remove_parameter(matcher) + else + placer = CFA::ReplacePlacer.new(matcher) + kernel_params.add_parameter("mitigations", text, placer) + end + + end + end +end diff --git a/src/lib/bootloader/grub2_widgets.rb b/src/lib/bootloader/grub2_widgets.rb index 9dc35f056..fb084a09d 100644 --- a/src/lib/bootloader/grub2_widgets.rb +++ b/src/lib/bootloader/grub2_widgets.rb @@ -3,6 +3,7 @@ require "bootloader/generic_widgets" require "bootloader/device_map_dialog" require "bootloader/serial_console" +require "bootloader/cpu_mitigations" require "cfa/matcher" Yast.import "BootStorage" 
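Review bot: `kernel_value` is written as `KERNEL_MAPPING[value] or raise ...`, but `:manual` maps to nil, so a perfectly valid `:manual` object raises `Invalid value :manual`; `propose_cpu_mitigations` in BootArch (same patch) calls `mitigations.kernel_value` unguarded and would therefore fail for a product setting of `manual`. Use `KERNEL_MAPPING.fetch(value) { raise "Invalid value #{value.inspect}" }` so that nil is a legitimate result. Two further problems in this file as committed: `from_string` raises when the key IS known (the condition needs `unless`), and `modify_kernel_params` references an undefined `text` instead of `kernel_value`. `from_string` also interns the profile string with `to_sym` before validating it; checking `KERNEL_MAPPING.keys.map(&:to_s).include?(string)` first keeps untrusted input from being converted before it is accepted.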
@@ -113,7 +114,7 @@ def store end # Represents decision if smt is enabled - class CpuMitigations < CWM::ComboBox + class CpuMitigationsWidget < CWM::ComboBox include Grub2Widget def initialize @@ -125,34 +126,42 @@ def label end def items - [ - [:nosmt, _("Auto + No SMT")], - [:auto, _("Auto")], - [:off, _("Off")], - [:manual, _("Manually")] - ] + ::Bootloader::CpuMitigations::ALL.map do |m| + [m.value, m.to_human_string] + end end def help # TODO: adapt _( - "
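Review bot: The comment above the renamed `CpuMitigationsWidget`, `# Represents decision if smt is enabled`, still describes the old checkbox. Replace it with `# Combo box choosing the CPU side-channel mitigation level, stored as the mitigations= kernel parameter`.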

CPU Speculation
\n" \ - "Controls CPU speculative execution. Secure is the most secure option " \ - "that enable all mitigations for known security issues for speculative execution " \ - "including complete disable of SMT. Keep SMT enables all mitigations for " \ - "known security issues for speculative execution, but keep SMT enabled, even if " \ - "it is vulnerable. Performance disables all mitigations to use speculative " \ - "execution for the best performance. Manually lets user to specify mitigations " \ - "himself on kernel command line." + "

CPU Mitigations
\n" \ + "The option selects which default settings should be used for CPU " \ + "side channels mitigations. A highlevel description is on our Technical Information " \ + "Document TID xxxxx. Following options are available:

" ) end def init - self.value = grub2.cpu_mitigations + self.value = grub2.cpu_mitigations.value end def store - grub2.cpu_mitigations = value + grub2.cpu_mitigations = ::Bootloader::CpuMitigations.new(value) end end @@ -891,7 +900,7 @@ def contents VBox( VSpacing(1), MarginBox(1, 0.5, KernelAppendWidget.new), - MarginBox(1, 0.5, Left(CpuMitigations.new)), + MarginBox(1, 0.5, Left(CpuMitigationsWidget.new)), MarginBox(1, 0.5, console_widget), VStretch() ) diff --git a/src/lib/bootloader/grub2base.rb b/src/lib/bootloader/grub2base.rb index 6ac4409ff..727b33785 100644 --- a/src/lib/bootloader/grub2base.rb +++ b/src/lib/bootloader/grub2base.rb @@ -76,20 +76,8 @@ def pmbr_setup(*devices) end end - CPU_MITIGATIONS_MAPPING = { - off: "off", - auto: "auto", - nosmt: "auto,nosmt", - manual: nil - }.freeze - def cpu_mitigations - value = grub_default.kernel_params.parameter("mitigations") - value = nil if value == false - reverse_mapping = CPU_MITIGATIONS_MAPPING.invert - raise "Unknown mitigations value #{value.inspect}" if !reverse_mapping.key?(value) - - reverse_mapping[value] + CpuMitigations.from_kernel_params(grub_default.kernel_params) end def explicit_cpu_mitigations @@ -99,15 +87,7 @@ def explicit_cpu_mitigations def cpu_mitigations=(value) log.info "setting mitigations to #{value}" @explicit_cpu_mitigations = true - matcher = CFA::Matcher.new(key: "mitigations") - - if value == :manual - grub_default.kernel_params.remove_parameter(matcher) - else - text = CPU_MITIGATIONS_MAPPING[value] or raise "Invalid value #{value.inspect}" - placer = CFA::ReplacePlacer.new(matcher) - grub_default.kernel_params.add_parameter("mitigations", text, placer) - end + value.modify_kernel_params(grub_default.kernel_params) end def read 
@@ -239,9 +219,9 @@ def merge_grub_default(other) merge_attributes(default, other_default) - # explicitly set mitigations - if !other.explicit_cpu_mitigations.nil? - self.cpu_mitigations = other.explicit_cpu_mitigations + # explicitly set mitigations means overwrite of our + if other.explicit_cpu_mitigations + self.cpu_mitigations = other.cpu_mitigations end log.info "mitigations after merge #{cpu_mitigations}" diff --git a/src/modules/BootArch.rb b/src/modules/BootArch.rb index 5fc37e36d..bbea366dc 100644 --- a/src/modules/BootArch.rb +++ b/src/modules/BootArch.rb @@ -19,6 +19,8 @@ # require "yast" +require "bootloader/cpu_mitigations" + module Yast class BootArchClass < Module include Yast::Logger @@ -86,22 +88,20 @@ def ResumeAvailable Arch.i386 || Arch.x86_64 || Arch.s390 end - DEFAULT_CPU_MITIGATIONS = :auto def propose_cpu_mitigations linuxrc_value = Yast::Linuxrc.value_for("mitigations") log.info "linuxrc mitigations #{linuxrc_value.inspect}" return "" unless linuxrc_value.nil? # linuxrc already has mitigations product_value = ProductFeatures.GetStringFeature("globals", "cpu_mitigations") log.info "cpu mitigations in product: #{product_value.inspect}" - product_value = DEFAULT_CPU_MITIGATIONS if product_value.empty? - # lazy load grub2 base which defines cpu mitigation mapping - # TODO: own class for cpu mitigations - require "bootloader/grub2base" - text = ::Bootloader::Grub2Base::CPU_MITIGATIONS_MAPPING[product_value] or - raise "Invalid value #{product_value.inspect}" + if product_value.empty? + mitigations = ::Bootloader::CpuMitigations::DEFAULT + else + mitigations = ::Bootloader::CpuMitigations.from_string(product_value) + end # no value for manual mitigations - text.nil? ? "" : " mitigations=#{text}" + mitigations.kernel_value ? " mitigations=#{mitigations.kernel_value}" : "" end publish :function => :DefaultKernelParams, :type => "string (string)" From beeeaf119f26854f8660710d27ef5e9e78955bd4 Mon Sep 17 00:00:00 2001 
From: Josef Reidinger Date: Wed, 24 Apr 2019 11:40:46 +0200 Subject: [PATCH 04/17] use proper order for correct display --- src/lib/bootloader/cpu_mitigations.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/lib/bootloader/cpu_mitigations.rb b/src/lib/bootloader/cpu_mitigations.rb index f04149f48..d7c82a624 100644 --- a/src/lib/bootloader/cpu_mitigations.rb +++ b/src/lib/bootloader/cpu_mitigations.rb @@ -8,9 +8,9 @@ class CpuMitigations include Yast::I18n extend Yast::I18n KERNEL_MAPPING = { - off: "off", - auto: "auto", nosmt: "auto,nosmt", + auto: "auto", + off: "off", manual: nil }.freeze From fc7db75c8fe5727fb1770b24bea51777239abce3 Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Wed, 24 Apr 2019 13:57:17 +0200 Subject: [PATCH 05/17] fix initial tab initialization --- src/lib/bootloader/grub2_widgets.rb | 4 ---- 1 file changed, 4 deletions(-) diff --git a/src/lib/bootloader/grub2_widgets.rb b/src/lib/bootloader/grub2_widgets.rb index fb084a09d..88e34e552 100644 --- a/src/lib/bootloader/grub2_widgets.rb +++ b/src/lib/bootloader/grub2_widgets.rb @@ -911,10 +911,6 @@ def contents class BootCodeTab < CWM::Tab include Grub2Widget - def initialize - self.initial = true - end - def label textdomain "bootloader" From 4ba9b3625d63b832b0304d53cd2428a186710bd4 Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Wed, 24 Apr 2019 14:50:42 +0200 Subject: [PATCH 06/17] fix writting kernel params --- src/lib/bootloader/cpu_mitigations.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/lib/bootloader/cpu_mitigations.rb b/src/lib/bootloader/cpu_mitigations.rb index d7c82a624..899266f46 100644 --- a/src/lib/bootloader/cpu_mitigations.rb +++ b/src/lib/bootloader/cpu_mitigations.rb 
@@ -63,9 +63,8 @@ def modify_kernel_params(kernel_params) kernel_params.remove_parameter(matcher) else placer = CFA::ReplacePlacer.new(matcher) - kernel_params.add_parameter("mitigations", text, placer) + kernel_params.add_parameter("mitigations", kernel_value, placer) end - end end end From 102298dbb32b662ca58b90e9fb3c598f52441fd0 Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Thu, 25 Apr 2019 09:31:25 +0200 Subject: [PATCH 07/17] update removal of mitigations from widget --- src/lib/bootloader/grub2_widgets.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/bootloader/grub2_widgets.rb b/src/lib/bootloader/grub2_widgets.rb index 88e34e552..97169cd8b 100644 --- a/src/lib/bootloader/grub2_widgets.rb +++ b/src/lib/bootloader/grub2_widgets.rb @@ -265,7 +265,7 @@ def help end def init - self.value = grub_default.kernel_params.serialize.gsub(/nosmt/, "") + self.value = grub_default.kernel_params.serialize.gsub(/mitigations=\S+/, "") end def store From 142acc2313683c00ce7b749b9b153d637364bbe6 Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Thu, 25 Apr 2019 10:09:27 +0200 Subject: [PATCH 08/17] Add TID for detailed info --- src/lib/bootloader/cpu_mitigations.rb | 1 + src/lib/bootloader/grub2_widgets.rb | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/lib/bootloader/cpu_mitigations.rb b/src/lib/bootloader/cpu_mitigations.rb index 899266f46..eb6f41072 100644 --- a/src/lib/bootloader/cpu_mitigations.rb +++ b/src/lib/bootloader/cpu_mitigations.rb @@ -30,6 +30,7 @@ def initialize(value) @value = value end + # Note: order of ALL is used also in UI as order of combobox. ALL = KERNEL_MAPPING.keys.map { |k| CpuMitigations.new(k) } DEFAULT = CpuMitigations.new(:auto) diff --git a/src/lib/bootloader/grub2_widgets.rb b/src/lib/bootloader/grub2_widgets.rb index 97169cd8b..dabb54bf1 100644 --- a/src/lib/bootloader/grub2_widgets.rb +++ b/src/lib/bootloader/grub2_widgets.rb @@ -137,7 +137,7 @@ def help "
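Review bot: The regex `/mitigations=\S+/` in the patch 07 `init` hunk removes the value but not the space around it, so the append line shown to the user keeps a doubled space, and the match is unanchored, so it would also eat the tail of any parameter whose name ends in `mitigations=` (none is known to me, so this is a precision point rather than a live bug). `gsub(/(?<!\S)mitigations=\S+\s*/, "")` covers both. The same unanchored pattern appears in the `S390_WHITELIST` entry from patch 01 and again in `merge_kernel_params` in patch 11.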

CPU Mitigations
\n" \ "The option selects which default settings should be used for CPU " \ "side channels mitigations. A highlevel description is on our Technical Information " \ - "Document TID xxxxx. Following options are available:

    " \ + "Document TID 7023836. Following options are available:
      " \ "
    • Auto: This option enables all the mitigations needed for your CPU model. " \ "This setting can impact performance to some degree, depending on CPU model and " \ "workload. It provides all security mitigations, but it does not protect against " \ From 6e4a54887d84da7fb1794cb769af991dc1ae6757 Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Thu, 25 Apr 2019 10:29:54 +0200 Subject: [PATCH 09/17] fix typo --- src/lib/bootloader/cpu_mitigations.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/bootloader/cpu_mitigations.rb b/src/lib/bootloader/cpu_mitigations.rb index eb6f41072..12a47114c 100644 --- a/src/lib/bootloader/cpu_mitigations.rb +++ b/src/lib/bootloader/cpu_mitigations.rb @@ -44,7 +44,7 @@ def self.from_kernel_params(kernel_params) end def self.from_string(string) - raise "Unknown mitigations value #{string.inspect}" if KERNEL_MAPPING.key?(string.to_sym) + raise "Unknown mitigations value #{string.inspect}" unless KERNEL_MAPPING.key?(string.to_sym) new(string.to_sym) end From 95a7cdb0baaf95a9b8a72b93063a815137ff8fd9 Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Thu, 25 Apr 2019 12:11:54 +0200 Subject: [PATCH 10/17] make rubocop happy --- src/lib/bootloader/autoyast_converter.rb | 2 +- src/lib/bootloader/cpu_mitigations.rb | 12 ++++++------ src/lib/bootloader/grub2base.rb | 1 - src/modules/BootArch.rb | 6 +++--- 4 files changed, 10 insertions(+), 11 deletions(-) diff --git a/src/lib/bootloader/autoyast_converter.rb b/src/lib/bootloader/autoyast_converter.rb index 97acb3576..e02ca69d8 100644 --- a/src/lib/bootloader/autoyast_converter.rb +++ b/src/lib/bootloader/autoyast_converter.rb 
@@ -39,7 +39,7 @@ def import(data) # so use nil to always use proposed value (bsc#1081967) bootloader.pmbr_action = nil cpu_mitigations = data["global"]["cpu_mitigations"] - bootloader.cpu_mitigations = CpuMitigations.from_string(cpu_mitigations) unless cpu_mitigations.nil? + bootloader.cpu_mitigations = CpuMitigations.from_string(cpu_mitigations) if cpu_mitigations # TODO: import Initrd log.warn "autoyast profile contain sections which won't be processed" if data["sections"] diff --git a/src/lib/bootloader/cpu_mitigations.rb b/src/lib/bootloader/cpu_mitigations.rb index 12a47114c..572290c8c 100644 --- a/src/lib/bootloader/cpu_mitigations.rb +++ b/src/lib/bootloader/cpu_mitigations.rb @@ -4,6 +4,7 @@ require "cfa/placer" module Bootloader + # Specialized class to handle cpu mittigation settings. class CpuMitigations include Yast::I18n extend Yast::I18n @@ -15,12 +16,11 @@ class CpuMitigations }.freeze HUMAN_MAPPING = { - nosmt: N_("Auto + No SMT"), - auto: N_("Auto"), - off: N_("Off"), - manual: N_("Manually") - } - + nosmt: N_("Auto + No SMT"), + auto: N_("Auto"), + off: N_("Off"), + manual: N_("Manually") + }.freeze attr_reader :value diff --git a/src/lib/bootloader/grub2base.rb b/src/lib/bootloader/grub2base.rb index 727b33785..7259d8cf7 100644 --- a/src/lib/bootloader/grub2base.rb +++ b/src/lib/bootloader/grub2base.rb @@ -28,7 +28,6 @@ module Bootloader # Common base for GRUB2 specialized classes - # rubocop:disable Metrics/ClassLength class Grub2Base < BootloaderBase include Yast::Logger include Yast::I18n diff --git a/src/modules/BootArch.rb b/src/modules/BootArch.rb index bbea366dc..60d71133d 100644 --- a/src/modules/BootArch.rb +++ b/src/modules/BootArch.rb 
@@ -95,10 +95,10 @@ def propose_cpu_mitigations
product_value = ProductFeatures.GetStringFeature("globals", "cpu_mitigations")
log.info "cpu mitigations in product: #{product_value.inspect}"
- if product_value.empty?
- mitigations = ::Bootloader::CpuMitigations::DEFAULT
+ mitigations = if product_value.empty?
+ ::Bootloader::CpuMitigations::DEFAULT
else
- mitigations = ::Bootloader::CpuMitigations.from_string(product_value)
+ ::Bootloader::CpuMitigations.from_string(product_value)
end
# no value for manual mitigations
mitigations.kernel_value ? " mitigations=#{mitigations.kernel_value}" : ""
From 07105a0bfc3346850aa57d7d802a6cf5092f6e5d Mon Sep 17 00:00:00 2001
From: Josef Reidinger
Date: Thu, 25 Apr 2019 12:20:50 +0200
Subject: [PATCH 11/17] debug logs
---
 src/lib/bootloader/cpu_mitigations.rb | 13 ++++++++-----
 src/lib/bootloader/grub2base.rb | 3 +++
 test/grub2_efi_test.rb | 2 +-
 test/grub2_test.rb | 2 +-
 4 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/src/lib/bootloader/cpu_mitigations.rb b/src/lib/bootloader/cpu_mitigations.rb
index 572290c8c..7d907b5ad 100644
--- a/src/lib/bootloader/cpu_mitigations.rb
+++ b/src/lib/bootloader/cpu_mitigations.rb
@@ -6,6 +6,7 @@ module Bootloader
# Specialized class to handle cpu mittigation settings.
class CpuMitigations
+ include Yast::Logger
include Yast::I18n
extend Yast::I18n
KERNEL_MAPPING = {
@@ -35,7 +36,9 @@ def initialize(value)
DEFAULT = CpuMitigations.new(:auto)
def self.from_kernel_params(kernel_params)
+ log.info "kernel params #{kernel_params.inspect}"
param = kernel_params.parameter("mitigations")
+ log.info "mitigation param #{param.inspect}"
param = nil if param == false
reverse_mapping = KERNEL_MAPPING.invert
raise "Unknown mitigations value #{param.inspect}" if !reverse_mapping.key?(param)
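Review bot: In `from_kernel_params` the `raise` on the last line of the hunk turns every `mitigations=` value that is not in `KERNEL_MAPPING` — a spelling a newer kernel accepts, or a bare `mitigations` flag if `parameter` reports that as `true`, as the `== false` check suggests it uses booleans — into a `RuntimeError` while an existing configuration is being read, so a hand-edited kernel command line presumably surfaces as a failure to load the settings rather than as the manual variant. Treating unrecognised values as `:manual`, which this series defines as "leave it to the kernel command line", is the safer reading of a file the user already has: `return new(:manual) unless reverse_mapping.key?(param)`, preceded by a `log.warn` of the unknown value so it is not silently swallowed; this only helps if the `:manual` write path then leaves the parameter in place. The two added `log.info` lines dump the complete kernel command line on every read, which is fine as diagnostics but belongs at `log.debug` if the default log should stay quiet. The method continues past the end of the hunk.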
@@ -60,11 +63,11 @@ def kernel_value
def modify_kernel_params(kernel_params)
matcher = CFA::Matcher.new(key: "mitigations")
- if value == :manual
- kernel_params.remove_parameter(matcher)
- else
- placer = CFA::ReplacePlacer.new(matcher)
- kernel_params.add_parameter("mitigations", kernel_value, placer)
+ kernel_params.remove_parameter(matcher)
+ if value != :manual
+ # TODO: fix cfa_grub2 with replace placer
+ kernel_params.add_parameter("mitigations", kernel_value)
+ log.info "replacing old config with #{kernel_value}: #{kernel_params.inspect}"
end
end
end
diff --git a/src/lib/bootloader/grub2base.rb b/src/lib/bootloader/grub2base.rb
index 7259d8cf7..809cde05f 100644
--- a/src/lib/bootloader/grub2base.rb
+++ b/src/lib/bootloader/grub2base.rb
@@ -220,6 +220,7 @@ def merge_grub_default(other)
# explicitly set mitigations means overwrite of our
if other.explicit_cpu_mitigations
+ log.info "merging cpu_mitigations"
self.cpu_mitigations = other.cpu_mitigations
end
log.info "mitigations after merge #{cpu_mitigations}"
@@ -235,6 +236,8 @@ def merge_kernel_params(method, other_default)
default_serialize = default_params.serialize
# handle specially noresume as it should lead to remove all other resume
default_serialize.gsub!(/resume=\S+/, "") if other_params.parameter("noresume")
+ # prevent double cpu_mitigations params
+ default_serialize.gsub!(/mitigations=\S+/, "") if other_params.parameter("mitigations")
new_kernel_params = default_serialize + " " + other_params.serialize
diff --git a/test/grub2_efi_test.rb b/test/grub2_efi_test.rb
index f796bd7de..a16aee0b6 100644
--- a/test/grub2_efi_test.rb
+++ b/test/grub2_efi_test.rb
@@ -5,7 +5,7 @@ describe Bootloader::Grub2EFI do
subject do
sub = described_class.new
- allow(sub).to receive(:cpu_mitigations).and_return(:manual)
+ allow(sub).to receive(:cpu_mitigations).and_return(::Bootloader::CpuMitigations.new(:manual))
sub
end
diff --git a/test/grub2_test.rb b/test/grub2_test.rb
index a3424cc66..1e1cbb91b 100644
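Review bot: `modify_kernel_params` now removes an existing `mitigations=` before the `if`, so it is stripped for `:manual` as well (the removed branch did the same), yet the help text in this series describes Manual as leaving the level to the kernel default and to whatever the administrator adds in the kernel command line widget; if this method runs on every save — its callers are not in the hunk — a `mitigations=` value typed into that widget is silently dropped and the machine boots with a different mitigation state than the administrator configured. Moving the removal under the condition keeps Manual hands-off: `unless value == :manual` / `kernel_params.remove_parameter(matcher)` / `kernel_params.add_parameter("mitigations", kernel_value)`. The `# TODO: fix cfa_grub2 with replace placer` should say what is broken and when it can go, e.g. `# TODO: CFA::ReplacePlacer does not replace in place with cfa_grub2 here, so remove the old value and append a new one instead`. `if value != :manual` reads more idiomatically as `unless value == :manual`.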
--- a/test/grub2_test.rb
+++ b/test/grub2_test.rb
@@ -5,7 +5,7 @@ describe Bootloader::Grub2 do
subject do
sub = described_class.new
- allow(sub).to receive(:cpu_mitigations).and_return(:manual)
+ allow(sub).to receive(:cpu_mitigations).and_return(::Bootloader::CpuMitigations.new(:manual))
sub
end
From 9fa4c6c470ec41d6a59f2d73757db7f8dc704ed6 Mon Sep 17 00:00:00 2001
From: Josef Reidinger
Date: Fri, 26 Apr 2019 14:28:41 +0200
Subject: [PATCH 12/17] changes
---
 package/yast2-bootloader.changes | 7 +++++++
 package/yast2-bootloader.spec | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/package/yast2-bootloader.changes b/package/yast2-bootloader.changes
index 67d55d0e2..625153c8f 100644
--- a/package/yast2-bootloader.changes
+++ b/package/yast2-bootloader.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Apr 26 12:27:34 UTC 2019 - jreidinger
+
+- adapt to new name mitigations and improve naming and help
+ (bsc#1128707)
+- 4.1.24
+
-------------------------------------------------------------------
Mon Mar 25 15:45:54 CET 2019 - schubi@suse.de
diff --git a/package/yast2-bootloader.spec b/package/yast2-bootloader.spec
index d08ae954c..928168732 100644
--- a/package/yast2-bootloader.spec
+++ b/package/yast2-bootloader.spec
@@ -17,7 +17,7 @@ Name: yast2-bootloader
-Version: 4.1.23
+Version: 4.1.24
Release: 0
BuildRoot: %{_tmppath}/%{name}-%{version}-build
From f86f95a97b066de14fd743e1e79c6092fd1b472b Mon Sep 17 00:00:00 2001
From: Martin Vidner
Date: Fri, 26 Apr 2019 16:29:46 +0200
Subject: [PATCH 13/17] Apply suggestions from code review
Co-Authored-By: jreidinger
---
 package/yast2-bootloader.changes | 4 ++--
 src/lib/bootloader/cpu_mitigations.rb | 2 +-
 src/lib/bootloader/grub2base.rb | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/yast2-bootloader.changes b/package/yast2-bootloader.changes
index 625153c8f..3ffbe393d 100644
--- a/package/yast2-bootloader.changes
+++ b/package/yast2-bootloader.changes
@@ -1,8 +1,8 @@
-------------------------------------------------------------------
Fri Apr 26 12:27:34 UTC 2019 - jreidinger
-- adapt to new name mitigations and improve naming and help
- (bsc#1128707)
+- renamed "smt" to "cpu_mitigations", improved naming and help
+ (bsc#1098559)
- 4.1.24
-------------------------------------------------------------------
diff --git a/src/lib/bootloader/cpu_mitigations.rb b/src/lib/bootloader/cpu_mitigations.rb
index 7d907b5ad..0a5074e59 100644
--- a/src/lib/bootloader/cpu_mitigations.rb
+++ b/src/lib/bootloader/cpu_mitigations.rb
@@ -4,7 +4,7 @@ require "cfa/placer"
module Bootloader
- # Specialized class to handle cpu mittigation settings.
+ # Specialized class to handle CPU mitigation settings.
class CpuMitigations
include Yast::Logger
include Yast::I18n
diff --git a/src/lib/bootloader/grub2base.rb b/src/lib/bootloader/grub2base.rb
index 809cde05f..888d5cdbb 100644
--- a/src/lib/bootloader/grub2base.rb
+++ b/src/lib/bootloader/grub2base.rb
@@ -54,7 +54,7 @@ def initialize
@grub_default = ::CFA::Grub2::Default.new
@sections = ::Bootloader::Sections.new
@pmbr_action = :nothing
- @explicit_cpu_speculation = false
+ @explicit_cpu_mitigations = false
end
# general functions
From 1cea68e5921510f306f61655b25bb3fc3f30ed88 Mon Sep 17 00:00:00 2001
From: Josef Reidinger
Date: Fri, 26 Apr 2019 16:33:40 +0200
Subject: [PATCH 14/17] changes from review
---
 src/lib/bootloader/cpu_mitigations.rb | 1 +
 src/lib/bootloader/grub2_widgets.rb | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/bootloader/cpu_mitigations.rb b/src/lib/bootloader/cpu_mitigations.rb
index 0a5074e59..05f1aaf69 100644
--- a/src/lib/bootloader/cpu_mitigations.rb
+++ b/src/lib/bootloader/cpu_mitigations.rb
@@ -5,6 +5,7 @@ module Bootloader
# Specialized class to handle CPU mitigation settings.
+ # @see https://www.suse.com/support/kb/doc/?id=7023836
class CpuMitigations
include Yast::Logger
include Yast::I18n
diff --git a/src/lib/bootloader/grub2_widgets.rb b/src/lib/bootloader/grub2_widgets.rb index dabb54bf1..faeb5f8fc 100644 --- a/src/lib/bootloader/grub2_widgets.rb +++ b/src/lib/bootloader/grub2_widgets.rb @@ -132,7 +132,6 @@ def items end def help - # TODO: adapt _( "

      CPU Mitigations
      \n" \ "The option selects which default settings should be used for CPU " \ From a31fb06709e8911b41edaa841262f90b5bc7f8bc Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Mon, 29 Apr 2019 08:41:09 +0200 Subject: [PATCH 15/17] add to help also newlines --- src/lib/bootloader/grub2_widgets.rb | 34 ++++++++++++++--------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/src/lib/bootloader/grub2_widgets.rb b/src/lib/bootloader/grub2_widgets.rb index faeb5f8fc..56d918ba3 100644 --- a/src/lib/bootloader/grub2_widgets.rb +++ b/src/lib/bootloader/grub2_widgets.rb @@ -134,23 +134,23 @@ def items def help _( "

      CPU Mitigations
      \n" \ - "The option selects which default settings should be used for CPU " \ - "side channels mitigations. A highlevel description is on our Technical Information " \ - "Document TID 7023836. Following options are available:

        " \ - "
      • Auto: This option enables all the mitigations needed for your CPU model. " \ - "This setting can impact performance to some degree, depending on CPU model and " \ - "workload. It provides all security mitigations, but it does not protect against " \ - "cross-CPU thread attacks.
      • " \ - "
      • Auto + No SMT: This option enables all the above mitigations in \"Auto\", " \ - "and also disables Simultaneous Multithreading to avoid side channel attacks across " \ - "multiple CPU threads. This setting can further impact performance, depending on your " \ - "workload. This setting provides the full set of available security mitigations.
      • " \ - "
      • Off: All CPU Mitigations are disabled. This setting has no performance " \ - "impact, but side channel attacks against your CPU are possible, depending on CPU " \ - "model.
      • " \ - "
      • Manual: This setting does not specify a mitigation level and leaves " \ - "this to be the kernel default. The administrator can add other mitigations options " \ - "in the kernel command line widget." \ + "The option selects which default settings should be used for CPU \n" \ + "side channels mitigations. A highlevel description is on our Technical Information \n" \ + "Document TID 7023836. Following options are available:
          \n" \ + "
        • Auto: This option enables all the mitigations needed for your CPU model. \n" \ + "This setting can impact performance to some degree, depending on CPU model and \n" \ + "workload. It provides all security mitigations, but it does not protect against \n" \ + "cross-CPU thread attacks.
        • \n" \ + "
        • Auto + No SMT: This option enables all the above mitigations in \"Auto\", \n" \ + "and also disables Simultaneous Multithreading to avoid side channel attacks across \n" \ + "multiple CPU threads. This setting can further impact performance, depending on your \n" \ + "workload. This setting provides the full set of available security mitigations.
        • \n" \ + "
        • Off: All CPU Mitigations are disabled. This setting has no performance \n" \ + "impact, but side channel attacks against your CPU are possible, depending on CPU \n" \ + "model.
        • \n" \ + "
        • Manual: This setting does not specify a mitigation level and leaves \n" \ + "this to be the kernel default. The administrator can add other mitigations options \n" \ + "in the kernel command line widget.\n" \ "All CPU mitigation specific options can be set manually.

        " ) end From 06c6abc6aa27fe1d4af4ec65493c61a578a969da Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Mon, 29 Apr 2019 10:00:42 +0200 Subject: [PATCH 16/17] make rubocop happy --- src/lib/bootloader/grub2_widgets.rb | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/lib/bootloader/grub2_widgets.rb b/src/lib/bootloader/grub2_widgets.rb index 56d918ba3..d8a78cd15 100644 --- a/src/lib/bootloader/grub2_widgets.rb +++ b/src/lib/bootloader/grub2_widgets.rb @@ -141,9 +141,10 @@ def help "This setting can impact performance to some degree, depending on CPU model and \n" \ "workload. It provides all security mitigations, but it does not protect against \n" \ "cross-CPU thread attacks.
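Review bot: The user-visible help string rewritten in `help` carries wording defects that translators will now pick up verbatim: "CPU side channels mitigations" should read "CPU side-channel mitigations", "A highlevel description" should read "A high-level description", and "Following options are available" should read "The following options are available". The bullet names in the help also do not match the combo box labels defined in `HUMAN_MAPPING` earlier in this series — the help says "Manual" while the item is labelled "Manually" — so one of the two should be renamed, otherwise the reader cannot map the help entries to the widget. Inserting `\n` into the `_()` string changes every msgid, so any existing translation of this help is lost; that is unavoidable with the rewording, but it deserves a sentence in the commit message.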
      • \n" \ - "
      • Auto + No SMT: This option enables all the above mitigations in \"Auto\", \n" \ - "and also disables Simultaneous Multithreading to avoid side channel attacks across \n" \ - "multiple CPU threads. This setting can further impact performance, depending on your \n" \ + "
      • Auto + No SMT: This option enables all the above mitigations in \n" \ + "\"Auto\", and also disables Simultaneous Multithreading to avoid \n" \ + "side channel attacks across multiple CPU threads. This setting can \n" \ + "further impact performance, depending on your \n" \ "workload. This setting provides the full set of available security mitigations.
      • \n" \ "
      • Off: All CPU Mitigations are disabled. This setting has no performance \n" \ "impact, but side channel attacks against your CPU are possible, depending on CPU \n" \ From 29d86783b30b3d29dfa747a4f653e5338399b044 Mon Sep 17 00:00:00 2001 From: Josef Reidinger Date: Mon, 29 Apr 2019 10:52:07 +0200 Subject: [PATCH 17/17] fix schema --- src/autoyast-rnc/bootloader.rnc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/autoyast-rnc/bootloader.rnc b/src/autoyast-rnc/bootloader.rnc index 4b62d1cab..4704480ce 100644 --- a/src/autoyast-rnc/bootloader.rnc +++ b/src/autoyast-rnc/bootloader.rnc @@ -86,7 +86,7 @@ boot_root = element boot_root { "true" | "false" } boot_boot = element boot_boot { "true" | "false" } boot_extended = element boot_extended { "true" | "false" } boot_mbr = element boot_mbr { "true" | "false" } -cpu_mitigations = element cpu_mitigations { "nosmt", "auto", "off", "manual" } +cpu_mitigations = element cpu_mitigations { "nosmt" | "auto" | "off" | "manual" } sections = element sections {