From 88877ed3cd20fc1ee32e1b4f0c1bacc44754b7e0 Mon Sep 17 00:00:00 2001
From: jmckenna
Date: Fri, 11 May 2018 14:24:06 -0400
Subject: [PATCH] Spectre/meltdown kernel options controllable by customer Add spectre-meltdown-checker package. Implements customer configuration of kernel options to control spectre/meltdown related kernel options. Default (with "nopti nospectre_v2" options) can be changed to "" using system modify -S spectre_meltdown_all
Change-Id: Id86c4bbe9063cf6c47fe4128d641ef2983622481
Signed-off-by: Jack Ding
---
 centos_pkg_dirs | 1 +
 .../centos/build_srpm.data | 2 ++
 .../centos/spectre-meltdown-checker.spec | 35 +++++++++++++++++++
 3 files changed, 38 insertions(+)
 create mode 100644 security/spectre-meltdown-checker/centos/build_srpm.data
 create mode 100644 security/spectre-meltdown-checker/centos/spectre-meltdown-checker.spec
diff --git a/centos_pkg_dirs b/centos_pkg_dirs
index f51a9423e..5bd726e22 100644
--- a/centos_pkg_dirs
+++ b/centos_pkg_dirs
@@ -54,6 +54,7 @@ security/tpm2-openssl-engine
 security/libtpms
 security/swtpm
 security/audit
+security/spectre-meltdown-checker
 kernel-std
 devtools/puppet-4.8.2
 devtools/puppet-modules/puppet-boolean-1.0.2
diff --git a/security/spectre-meltdown-checker/centos/build_srpm.data b/security/spectre-meltdown-checker/centos/build_srpm.data
new file mode 100644
index 000000000..444e0ec5a
--- /dev/null
+++ b/security/spectre-meltdown-checker/centos/build_srpm.data
@@ -0,0 +1,2 @@
+COPY_LIST="$CGCS_BASE/downloads/spectre-meltdown-checker-0.37+-5cc77741.tar.bz2"
+TIS_PATCH_VER=0
diff --git a/security/spectre-meltdown-checker/centos/spectre-meltdown-checker.spec b/security/spectre-meltdown-checker/centos/spectre-meltdown-checker.spec
new file mode 100644
index 000000000..0881118ba
--- /dev/null
+++ b/security/spectre-meltdown-checker/centos/spectre-meltdown-checker.spec
@@ -0,0 +1,35 @@
+Name: spectre-meltdown-checker
+Version: 0.37+
+Release: %{tis_patch_ver}%{?_tis_dist}
+Summary: Checker script for spectre/meltdown
+
+Group: base
+License: GPLv3
+URL: https://github.com/speed47/spectre-meltdown-checker.git
+Source0: spectre-meltdown-checker-0.37+-5cc77741.tar.bz2
+
+BuildArch: noarch
+Requires: bash
+
+%description
+Script to check whether kernel is susceptible to spectre/meltdown vulnerabilities.
+
+
+%prep
+tar xjf %{SOURCE0}
+
+%build
+
+
+%install
+install -d -m 755 %{buildroot}/usr/sbin/
+install -m 744 spectre-meltdown-checker/spectre-meltdown-checker.sh %{buildroot}/usr/sbin/spectre-meltdown-checker.sh
+
+
+%files
+%license %{name}/LICENSE
+/usr/sbin/*
+
+
+%changelog
+
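Review bot: `Source0` is a snapshot tarball whose name carries the suffix `5cc77741`, presumably the upstream commit, but `Version: 0.37+` drops that id and neither this spec nor `COPY_LIST` in build_srpm.data records a digest, so an installed RPM cannot be mapped back to the exact script that was reviewed. Whether the download layer verifies a checksum is not visible in this patch. The script lands in `/usr/sbin` with owner-only execute and is presumably run as root, so I would record the snapshot in the package metadata, for example a `# upstream snapshot 5cc77741` comment above `Source0`, and pin the tarball digest wherever downloads are declared. Separately, `%files` claims `/usr/sbin/*` although `%install` places a single file there; listing `/usr/sbin/spectre-meltdown-checker.sh` explicitly keeps stray buildroot files out of the package. The `-m 744` mode leaves the script readable but not executable for non-root users, so if root-only use is intended `%attr(0700,root,root)` states that directly, and otherwise `755` is the conventional mode.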