Always enable page table isolation on stretch/amd64

[mirror/dsa-puppet.git] / modules / grub / manifests / init.pp

diff --git a/modules/grub/manifests/init.pp b/modules/grub/manifests/init.pp
index f0fa84a..51f3f87 100644 (file)
--- a/modules/grub/manifests/init.pp
+++ b/modules/grub/manifests/init.pp
@@ -29,6 +29,8 @@ class grub {
                # hp-health requires nopat on linux 4.9
                $grub_do_nopat = ($::systemproductname and $::systemproductname =~ /^ProLiant/ and versioncmp($::kernelversion, '4.9') >= 0)
 
+               $grub_do_pti_on = ($::debarchitecture == 'amd64' and versioncmp($::lsbmajdistrelease, '9') >= 0)
+
                $grub_do_extra = $::hostname in [fasolo,grnet-node01,grnet-node02]
 
                file { '/etc/default/grub':
@@ -75,6 +77,12 @@ class grub {
                        content  => template('grub/puppet-kernel-extra.cfg.erb'),
                        notify  => Exec['update-grub']
                }
+
+               file { '/etc/default/grub.d/puppet-kernel-pti-on.cfg':
+                       ensure => $grub_do_pti_on ? { true  => 'present', default => 'absent' },
+                       content  => template('grub/puppet-kernel-pti-on.cfg.erb'),
+                       notify  => Exec['update-grub']
+               }
        }
 
        exec { 'update-grub':