From: Aurelien Jarno
Date: Sun, 7 Jan 2018 19:19:11 +0000 (+0100)
Subject: Always enable page table isolation on stretch/amd64
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=0c990ed9c41fc8f011f15200cba00216ccd2ac77;p=mirror%2Fdsa-puppet.git

Always enable page table isolation on stretch/amd64

It is disabled by default on AMD, however enabling it provide more hardening.

Signed-off-by: Aurelien Jarno
---

diff --git a/modules/grub/manifests/init.pp b/modules/grub/manifests/init.pp
index f0fa84ac7..51f3f877b 100644
--- a/modules/grub/manifests/init.pp
+++ b/modules/grub/manifests/init.pp
@@ -29,6 +29,8 @@ class grub {
 # hp-health requires nopat on linux 4.9
 $grub_do_nopat = ($::systemproductname and $::systemproductname =~ /^ProLiant/ and versioncmp($::kernelversion, '4.9') >= 0)
+ $grub_do_pti_on = ($::debarchitecture == 'amd64' and versioncmp($::lsbmajdistrelease, '9') >= 0)
+
 
 $grub_do_extra = $::hostname in [fasolo,grnet-node01,grnet-node02]
 
 file { '/etc/default/grub':
@@ -75,6 +77,12 @@ class grub {
 content => template('grub/puppet-kernel-extra.cfg.erb'),
 notify => Exec['update-grub']
 }
+
+ file { '/etc/default/grub.d/puppet-kernel-pti-on.cfg':
+ ensure => $grub_do_pti_on ? { true => 'present', default => 'absent' },
+ content => template('grub/puppet-kernel-pti-on.cfg.erb'),
+ notify => Exec['update-grub']
+ }
 }
 
 exec { 'update-grub':
diff --git a/modules/grub/templates/puppet-kernel-pti-on.cfg.erb b/modules/grub/templates/puppet-kernel-pti-on.cfg.erb
new file mode 100644
index 000000000..469d835af
--- /dev/null
+++ b/modules/grub/templates/puppet-kernel-pti-on.cfg.erb
@@ -0,0 +1 @@
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=one"
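Review bot: `$grub_do_pti_on` has no comment explaining why it exists, while the neighbouring `$grub_do_nopat` does; since the condition is `versioncmp($::lsbmajdistrelease, '9') >= 0` it covers stretch and every later release on amd64, not only stretch as the subject says, and the intent (forcing KPTI on AMD CPUs, where the kernel leaves it off by default) is not visible from the code. A line like `# force KPTI on amd64 stretch and later, the kernel leaves it off on AMD CPUs by default` above the assignment would document both points. Unlike the nopat condition it does not look at `$::kernelversion`; on a kernel without PTI support the parameter is presumably just ignored, so the fragment is harmless there, but that is worth stating in the comment. The enclosing `class grub` body starts and ends outside the hunk.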
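Review bot: The template writes `pti=one`, but the kernel parameter that forces page table isolation is `pti=on`; the kernel only recognises `on`, `off` and `auto`, and any other value leaves the default in place, so on the AMD hosts this commit targets KPTI stays disabled and the new fragment is a silent no-op. The line should be `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"`. After the fix it is worth confirming on one rebooted AMD host that the kernel log reports `Kernel/User page tables isolation: enabled`, since a typo here produces no error at boot.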