blob: de584a37695303a5dba4950f0ec444de3e6d713d [file] [log] [blame]
# Copyright 2015 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# All kernel command line changes must update the security base lines in
# the signer. It rejects any settings it does not recognize and breaks the
# build. So any modify_kernel_command_line() function change here needs to be
# reflected in ensure_secure_kernelparams.config.
# See as an example.
# Arguments:
# $1 - Configuration file containing boot args.
modify_kernel_command_line() {
local config_file="$1"
# Lakitu boards currently use GRUB2 with BIOS. In ChromeOS tree, GRUB2 is
# almost always associated with EFI, so we trick everyone into believing that
# Lakitu uses EFI. Specifically, the image signers (at image build time) and
# the post-installer (during auto-updates) rely on presence of 'cros_efi' in
# the kernel commandline to infer the bootloader type.
# See
sed -i -e 's/cros_secure/cros_efi/g' "${config_file}"
sed -i -e 's/noswap//g' "${config_file}"
# Enable AppArmor by default.
echo "security=apparmor" >> "${config_file}"
# Turn on tx napi for the virtio_net driver.
echo "virtio_net.napi_tx=1" >> "${config_file}"
# Disable Container Security Monitor by default.
echo "csm.disabled=1" >> "${config_file}"
# Exclude pinning kernel modules.
echo "loadpin.exclude=kernel-module" >> "${config_file}"
# Load loadpin-trigger kernel module automatically on boot.
echo "modules-load=loadpin_trigger" >> "${config_file}"
local sig_enforce=0
if has "module_sign" "$("portageq-${FLAGS_board}" envvar USE)"; then
# Enforce kernel module signature verification.
echo "module.sig_enforce=${sig_enforce}" >> "${config_file}"