#!/bin/bash
# Copyright 2015 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# All kernel command line changes must update the security baselines in
# the signer. It rejects any settings it does not recognize and breaks the
# build. So any change to the modify_kernel_command_line() function here needs
# to be reflected in ensure_secure_kernelparams.config.
# See crrev.com/i/216896 as an example.
# Arguments:
# $1 - Configuration file containing boot args.
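modify_kernel_command_line() {
  local config_file="$1"

  # Decide module.sig_enforce *before* touching the config file. The previous
  # shape of this function ran the USE query inside the `if` condition, so a
  # failing/missing portageq (or an unset FLAGS_board) was indistinguishable
  # from "module_sign not set" and silently produced module.sig_enforce=0.
  # Module signature enforcement is a security control, so fail closed: abort
  # the build rather than emit a command line that disables it by accident.
  local use_flags
  use_flags="$("portageq-${FLAGS_board}" envvar USE)" || {
    echo "modify_kernel_command_line: unable to query USE flags for board" \
      "'${FLAGS_board}'; refusing to default module.sig_enforce to 0" >&2
    return 1
  }
  local sig_enforce=0
  if has "module_sign" "${use_flags}"; then
    sig_enforce=1
  fi

  # Lakitu boards currently use GRUB2 with BIOS. In the ChromeOS tree, GRUB2 is
  # almost always associated with EFI, so we trick everyone into believing that
  # Lakitu uses EFI. Specifically, the image signers (at image build time) and
  # the post-installer (during auto-updates) rely on the presence of 'cros_efi'
  # in the kernel command line to infer the bootloader type.
  # See
  # https://www.chromium.org/chromium-os/chromiumos-design-docs/disk-format#TOC-Which-kernel-
  sed -i -e 's/cros_secure/cros_efi/g' "${config_file}"
  sed -i -e 's/noswap//g' "${config_file}"

  # Everything below is appended as one line per parameter. A single grouped
  # redirect opens the file once; printf is used instead of echo so the
  # parameter text is never interpreted as echo options.
  {
    # Enable AppArmor by default.
    printf '%s\n' "security=apparmor"
    # Turn on tx napi for the virtio_net driver.
    printf '%s\n' "virtio_net.napi_tx=1"
    # Disable NMI watchdog to avoid performance regression.
    printf '%s\n' "nmi_watchdog=0"
    # Disable Container Security Monitor by default.
    printf '%s\n' "csm.disabled=1"
    # Exclude kernel modules and firmware from LoadPin pinning.
    printf '%s\n' "loadpin.exclude=kernel-module,firmware"
    # Load the loadpin-trigger kernel module automatically on boot.
    printf '%s\n' "modules-load=loadpin_trigger"
    # Add firmware search paths for NVIDIA GPU drivers.
    # NOTE(review): this points firmware lookup at a path under /var while the
    # loadpin.exclude line above removes firmware from LoadPin's pinning.
    # Confirm that firmware loaded from this path is verified by some other
    # mechanism; nothing in this file establishes that.
    printf '%s\n' "firmware_class.path=/var/lib/nvidia/firmware"
    # Kernel module signature verification: enforced (1) only when the board
    # has the module_sign USE flag; otherwise explicitly set to 0.
    printf '%s\n' "module.sig_enforce=${sig_enforce}"
  } >> "${config_file}"
}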