| #!/bin/bash |
| |
| # Copyright 2015 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| # All kernel command line changes must update the security baselines in |
| # the signer. The signer rejects any setting it does not recognize and breaks |
| # the build, so any change to modify_kernel_command_line() here needs to be |
| # reflected in ensure_secure_kernelparams.config. |
| |
| # See crrev.com/i/216896 as an example. |
| |
# Keep the COS implementation reachable under a new name before this file
# redefines modify_kernel_command_line(): emit the new function header, then
# the definition printed by `declare -f` with its first (name) line dropped,
# and evaluate the result as a function definition.
# The eval input is built only from a function already loaded in this shell,
# not from external data. modify_kernel_command_line must already be defined
# when this statement runs; otherwise the wrapper defined later in this file
# has nothing to call.
eval "$(
  printf '%s\n' "cos_modify_kernel_command_line()"
  declare -f modify_kernel_command_line | sed '1d'
)"
| |
# Extends the COS kernel command line with this overlay's boot arguments.
# The preserved COS implementation runs first; the settings below are then
# appended to the same file, one per line.
# Every argument listed here is a kernel command line change, so it must also
# be reflected in the signer baseline (ensure_secure_kernelparams.config).
# Arguments:
#   $1 - Configuration file containing boot args.
modify_kernel_command_line() {
  local boot_args_file="$1"
  cos_modify_kernel_command_line "${boot_args_file}"

  local -a overlay_args=(
    # Default to cgroupsv1.
    # NOTE(review): systemd documents legacy_systemd_cgroup_controller=false
    # as selecting the "hybrid" hierarchy rather than pure legacy - confirm
    # this is the intended layout.
    "systemd.unified_cgroup_hierarchy=false"
    "systemd.legacy_systemd_cgroup_controller=false"

    # Enable MSR writing from userspace.
    # MSR writes change CPU state underneath the kernel, so this relaxes a
    # kernel guard: keep access to the msr device limited to trusted,
    # privileged processes and treat unexpected writers as worth alerting on.
    "msr.allow_writes=on"

    # Chromeos kernel defaults to vsyscall=none, but Lakitu users can run
    # containers with old glibc which has dependency on vsyscall.
    # emulate keeps the legacy fixed-address vsyscall page usable, which is a
    # hardening trade-off made for compatibility.
    # NOTE(review): kernels that support vsyscall=xonly may cover the same
    # need with less exposure - confirm before changing anything here.
    "vsyscall=emulate"

    # Enable IOMMU for SRIOV.
    # NOTE(review): iommu=pt is passthrough mode; presumably devices driven by
    # the host keep identity-mapped DMA, so the IOMMU mainly confines devices
    # assigned to guests - confirm that matches the threat model.
    "intel_iommu=on iommu=pt"
  )

  # Single append, same line order as the individual settings above.
  printf '%s\n' "${overlay_args[@]}" >> "${boot_args_file}"
}