#!/bin/bash
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
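#######################################
# Edits a Lakitu boot-args file in place: rewrites cros_secure to cros_efi and
# appends the kernel command-line parameters Lakitu images need.
# Globals:   none
# Arguments:
#   $1 - Configuration file containing boot args; modified in place.
# Outputs:   a diagnostic on stderr when the file cannot be edited.
# Returns:   0 on success; 1 if $1 is empty or not an existing regular file;
#            sed's status if the in-place rewrite fails. Nothing is appended
#            unless the rewrite succeeded, so a failed run does not leave a
#            file holding only the appended arguments.
#######################################
modify_kernel_command_line() {
  local config_file="$1"

  # Fail early on an empty name or a missing file. Previously sed would error
  # out and the appends below would still run, silently creating a brand-new
  # file that contains only the extra arguments.
  if [[ -z "${config_file}" || ! -f "${config_file}" ]]; then
    printf 'modify_kernel_command_line: not an editable boot-args file: %s\n' \
      "${config_file:-<unset>}" >&2
    return 1
  fi

  # Lakitu boards currently use GRUB2 with BIOS. In ChromeOS tree, GRUB2 is
  # almost always associated with EFI, so we trick everyone into believing that
  # Lakitu uses EFI. Specifically, the image signers (at image build time) and
  # the post-installer (during auto-updates) rely on presence of 'cros_efi' in
  # the kernel commandline to infer the bootloader type.
  # See
  # https://www.chromium.org/chromium-os/chromiumos-design-docs/disk-format#TOC-Which-kernel-
  # '--' keeps a file name starting with '-' from being read as an option.
  sed -i -e 's/cros_secure/cros_efi/g' -- "${config_file}" || return

  # The remaining arguments are appended in one redirection so the file is
  # opened once; each argument still lands on its own line.
  {
    # Enable AppArmor by default.
    printf '%s\n' "security=apparmor"
    # Turn on tx napi for the virtio_net driver.
    printf '%s\n' "virtio_net.napi_tx=1"
    # Enable cgroup-v2 hybrid mode.
    printf '%s\n' "systemd.unified_cgroup_hierarchy=false"
    printf '%s\n' "systemd.legacy_systemd_cgroup_controller=false"
    # Disable Container Security Monitor by default.
    printf '%s\n' "csm.disabled=1"
    # Exclude pinning kernel modules. NOTE(review): with LoadPin not covering
    # modules, the next setting is what keeps module loading restricted —
    # keep the two together.
    printf '%s\n' "loadpin.exclude=kernel-module"
    # Load loadpin-trigger kernel module automatically on boot.
    printf '%s\n' "modules-load=loadpin_trigger"
    # Enforce kernel module signature verification.
    printf '%s\n' "module.sig_enforce=1"
    # Add vsyscall=emulate to command-line. Chromeos kernel defaults to
    # vsyscall=none, but Lakitu users can run containers with old glibc which
    # has dependency on vsyscall. NOTE(review): emulate mode keeps the legacy
    # fixed-address vsyscall page mapped, a known ASLR weakening; this is a
    # deliberate compatibility trade-off, not an oversight.
    printf '%s\n' "vsyscall=emulate"
    # Enable IOMMU for SRIOV.
    printf '%s\n' "intel_iommu=on iommu=pt"
  } >> "${config_file}"
}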