#!/bin/bash

# Copyright 2015 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Every kernel command line change made here must also be reflected in the
# signer's security baseline: the signer rejects any parameter it does not
# recognize and fails the build. So any change to modify_kernel_command_line()
# below needs a matching update to ensure_secure_kernelparams.config.

# See crrev.com/i/216896 as an example.

# Arguments:
# $1 - Configuration file containing boot args.
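#######################################
# Rewrite the board's kernel command line for Lakitu.
# Globals:   FLAGS_board (read) - board name used to locate portageq-<board>.
# Arguments: $1 - boot-args file to edit in place.
# Outputs:   diagnostics to stderr on failure.
# Returns:   0 on success; 1 if the boot-args file is missing or the USE-flag
#            query fails (the file is left untouched in that case).
#######################################
modify_kernel_command_line() {
  local config_file="$1"

  if [[ ! -f "${config_file}" ]]; then
    printf '%s\n' "modify_kernel_command_line: boot-args file '${config_file}' not found" >&2
    return 1
  fi

  # Module signature enforcement is keyed off the board's USE flags. A failed
  # portageq query must not silently fall through to sig_enforce=0 (the
  # original fail-open path): that would ship an image that accepts unsigned
  # kernel modules. Query first, and fail the build if the query fails, so a
  # failure leaves the boot-args file unmodified.
  local use_flags
  if ! use_flags="$("portageq-${FLAGS_board}" envvar USE)"; then
    printf '%s\n' "modify_kernel_command_line: failed to query USE flags via portageq-${FLAGS_board}" >&2
    return 1
  fi
  local sig_enforce=0
  if has "module_sign" "${use_flags}"; then
    sig_enforce=1
  fi

  # Lakitu boards boot GRUB2 from legacy BIOS, but in the ChromeOS tree GRUB2
  # is almost always paired with EFI, and both the image signer (at build
  # time) and the post-installer (during auto-update) infer the bootloader
  # type from the presence of 'cros_efi' on the kernel command line. Rewrite
  # 'cros_secure' to 'cros_efi' so they treat Lakitu as an EFI board, and
  # drop the default 'noswap'. See
  # https://www.chromium.org/chromium-os/chromiumos-design-docs/disk-format#TOC-Which-kernel-
  sed -i -e 's/cros_secure/cros_efi/g' -e 's/noswap//g' "${config_file}"

  # Parameters appended one per line, in the order the original emitted them.
  local -a params=(
    # Select AppArmor as the major LSM.
    "security=apparmor"
    # Turn on tx napi for the virtio_net driver.
    "virtio_net.napi_tx=1"
    # Disable the NMI watchdog to avoid a performance regression.
    "nmi_watchdog=0"
    # Container Security Monitor is off by default.
    "csm.disabled=1"
    # LoadPin pins loaded files to the first filesystem it sees; kernel
    # modules and firmware are excluded from pinning here, so module loading
    # is gated only by module.sig_enforce below -- when the module_sign USE
    # flag is off, unsigned modules from any path are accepted.
    "loadpin.exclude=kernel-module,firmware"
    # Load the loadpin-trigger module automatically at boot.
    "modules-load=loadpin_trigger"
    # Extra firmware search path for NVIDIA GPU drivers. Firmware is excluded
    # from LoadPin above, so files under this path (presumably on the writable
    # stateful partition -- confirm) are loaded without pinning.
    "firmware_class.path=/var/lib/nvidia/firmware"
    # Enforce kernel module signature verification when the board signs them.
    "module.sig_enforce=${sig_enforce}"
  )
  printf '%s\n' "${params[@]}" >> "${config_file}"
}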