| #!/bin/bash |
| |
| # Copyright 2021 Google LLC |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # https://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| |
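#######################################
# Rewrite a Lakitu kernel command-line config file in place.
# Arguments:
#   $1 - Path to an existing configuration file containing boot args.
# Outputs:
#   Edits $1 in place: swaps 'cros_secure' for 'cros_efi' and appends the
#   Lakitu-specific boot parameters listed below, one per line.
# Returns:
#   0 on success; 1 if no path was given, the file does not exist, or the
#   sed rewrite fails. Nothing is appended in the failure cases, so a missing
#   file is never silently created without its original boot args.
#######################################
modify_kernel_command_line() {
  local config_file="$1"

  # Refuse to operate on a missing file. '>>' would otherwise create a fresh
  # file that lacks the original boot args and never received the cros_efi
  # swap (sed -i fails on a non-existent path but the function would carry on),
  # and the image build would continue with a silently broken command line.
  if [[ -z "${config_file}" || ! -f "${config_file}" ]]; then
    printf 'modify_kernel_command_line: config file not found: %s\n' \
      "${config_file}" >&2
    return 1
  fi

  # Lakitu boards currently use GRUB2 with BIOS. In ChromeOS tree, GRUB2 is
  # almost always associated with EFI, so we trick everyone into believing that
  # Lakitu uses EFI. Specifically, the image signers (at image build time) and
  # the post-installer (during auto-updates) rely on presence of 'cros_efi' in
  # the kernel commandline to infer the bootloader type.
  # See
  # https://www.chromium.org/chromium-os/chromiumos-design-docs/disk-format#TOC-Which-kernel-
  sed -i -e 's/cros_secure/cros_efi/g' -- "${config_file}" || return 1

  # Every parameter appended below, one per line. Security-relevant choices
  # are annotated so a reviewer sees the whole posture in one place.
  local -a extra_args=(
    # Enable AppArmor by default.
    "security=apparmor"

    # Turn on tx napi for the virtio_net driver.
    "virtio_net.napi_tx=1"

    # Enable cgroup-v2 hybrid mode.
    "systemd.unified_cgroup_hierarchy=false"
    "systemd.legacy_systemd_cgroup_controller=false"

    # Disable Container Security Monitor by default.
    "csm.disabled=1"

    # Exclude kernel modules from LoadPin pinning. This relaxes LoadPin for
    # modules, so the module.sig_enforce=1 entry below appears to be the
    # compensating control -- do not drop one without reconsidering the other.
    "loadpin.exclude=kernel-module"

    # Load loadpin-trigger kernel module automatically on boot.
    "modules-load=loadpin_trigger"

    # Enforce kernel module signature verification.
    "module.sig_enforce=1"

    # Chromeos kernel defaults to vsyscall=none, but Lakitu users can run
    # containers with old glibc which has dependency on vsyscall. NOTE: this
    # re-enables the legacy fixed-address vsyscall page (in emulated mode),
    # a deliberate compatibility trade-off against the kernel's hardening
    # default.
    "vsyscall=emulate"

    # Enable IOMMU for SRIOV.
    "intel_iommu=on iommu=pt"
  )

  printf '%s\n' "${extra_args[@]}" >> "${config_file}"
}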