#!/bin/bash
# Copyright 2015 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# All kernel command line changes must also update the security baselines in
# the signer. The signer rejects any setting it does not recognize and breaks
# the build, so any change to the modify_kernel_command_line() function here
# needs to be reflected in ensure_secure_kernelparams.config.
# See crrev.com/i/216896 as an example.
# We want to preserve what COS is doing, so keep the modify_kernel_command_line()
# that is expected to be defined already at this point by re-creating it under
# the name cos_modify_kernel_command_line(); the override defined below calls it.
# "declare -f" prints the current definition, "tail -n +2" drops its first
# (name) line, and the echo supplies the new name in its place.
# The text handed to eval is the shell's own printout of that function plus a
# fixed string; nothing is read from a file or from an argument here.
# NOTE(review): if modify_kernel_command_line is not defined when this line
# runs, "declare -f" prints nothing, the eval sees only a function header and
# fails, and cos_modify_kernel_command_line stays undefined. Presumably the COS
# definition is always sourced first -- confirm.
eval "$(echo "cos_modify_kernel_command_line()"; declare -f modify_kernel_command_line | tail -n +2)"
# Appends the board-specific kernel parameters to the boot-args file, after
# the preserved COS implementation has written its own.
# Every parameter listed here also has to be accepted by the signer's
# ensure_secure_kernelparams.config (see the note at the top of this file).
# Arguments:
#   $1 - Configuration file containing boot args.
# Returns:
#   Status of the last append.
modify_kernel_command_line() {
  local config_file="$1"

  # Let the original COS function contribute its parameters first.
  cos_modify_kernel_command_line "${config_file}"

  # Declared after the call above so these locals are not visible to it.
  local -a board_params=(
    # Default to cgroupsv1.
    "systemd.unified_cgroup_hierarchy=false"
    "systemd.legacy_systemd_cgroup_controller=false"

    # Enable MSR writing from userspace.
    # Security note: MSRs control low-level CPU behaviour, so with writes
    # allowed the msr device should stay reachable only by trusted,
    # privileged tooling.
    "msr.allow_writes=on"

    # Chromeos kernel defaults to vsyscall=none, but Lakitu users can run
    # containers with old glibc which has a dependency on vsyscall.
    # Security note: this is a compatibility trade-off, since the legacy
    # vsyscall page lives at a fixed address; revisit once old-glibc
    # containers no longer need it.
    "vsyscall=emulate"

    # Enable IOMMU for SRIOV.
    # NOTE(review): iommu=pt selects passthrough DMA mapping for host-owned
    # devices, so the IOMMU is not translating their DMA -- confirm this is
    # acceptable for the deployment's threat model.
    "intel_iommu=on iommu=pt"
  )

  # One append per entry, in order, each entry on its own line.
  local param
  for param in "${board_params[@]}"; do
    printf '%s\n' "${param}" >> "${config_file}"
  done
}