From 0c990ed9c41fc8f011f15200cba00216ccd2ac77 Mon Sep 17 00:00:00 2001 From: Aurelien Jarno Date: Sun, 7 Jan 2018 20:19:11 +0100 Subject: [PATCH] Always enable page table isolation on stretch/amd64 It is disabled by default on AMD, however enabling it provide more hardening. Signed-off-by: Aurelien Jarno
---
 modules/grub/manifests/init.pp | 8 ++++++++
 modules/grub/templates/puppet-kernel-pti-on.cfg.erb | 1 +
 2 files changed, 9 insertions(+)
 create mode 100644 modules/grub/templates/puppet-kernel-pti-on.cfg.erb
diff --git a/modules/grub/manifests/init.pp b/modules/grub/manifests/init.pp
index f0fa84ac7..51f3f877b 100644
--- a/modules/grub/manifests/init.pp
+++ b/modules/grub/manifests/init.pp
@@ -29,6 +29,8 @@ class grub {
 # hp-health requires nopat on linux 4.9
 $grub_do_nopat = ($::systemproductname and $::systemproductname =~ /^ProLiant/ and versioncmp($::kernelversion, '4.9') >= 0)
+ $grub_do_pti_on = ($::debarchitecture == 'amd64' and versioncmp($::lsbmajdistrelease, '9') >= 0)
+
 $grub_do_extra = $::hostname in [fasolo,grnet-node01,grnet-node02]
 file { '/etc/default/grub':
@@ -75,6 +77,12 @@ class grub {
 content => template('grub/puppet-kernel-extra.cfg.erb'),
 notify => Exec['update-grub']
 }
+
+ file { '/etc/default/grub.d/puppet-kernel-pti-on.cfg':
+ ensure => $grub_do_pti_on ? { true => 'present', default => 'absent' },
+ content => template('grub/puppet-kernel-pti-on.cfg.erb'),
+ notify => Exec['update-grub']
+ }
 }
 exec { 'update-grub':
diff --git a/modules/grub/templates/puppet-kernel-pti-on.cfg.erb b/modules/grub/templates/puppet-kernel-pti-on.cfg.erb
new file mode 100644
index 000000000..469d835af
--- /dev/null
+++ b/modules/grub/templates/puppet-kernel-pti-on.cfg.erb
@@ -0,0 +1 @@
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=one"
-- 2.20.1
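Review bot: The new `$grub_do_pti_on` condition is keyed on the distro release (`$::lsbmajdistrelease` >= 9) rather than on the running kernel, unlike the `$grub_do_nopat` test directly above it, and nothing in the manifest records why. A kernel without the PTI backport should simply ignore an unknown `pti=` option, so this is probably harmless, but the reasoning belongs next to the fact test; I would add `# Force PTI on stretch+/amd64: the kernel leaves it off by default on AMD CPUs, but enabling it still provides additional hardening` above the assignment. It is also worth confirming what `$::lsbmajdistrelease` yields on testing/sid hosts, since `versioncmp` against a non-numeric string may not evaluate the way this condition intends. The enclosing `class grub` starts before and ends after this hunk.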
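Review bot: `pti=one` on the added `GRUB_CMDLINE_LINUX` line looks like a typo for `pti=on`; as far as I know the kernel's `pti=` parser only recognises `on`, `off` and `auto`, so any other value falls through to the default, which on AMD hosts leaves page table isolation disabled and the commit's stated goal unmet. The fix is the one-line change `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"`. After the next `update-grub` and reboot it is worth confirming with `dmesg | grep -i 'page table isolation'` (or `/sys/devices/system/cpu/vulnerabilities/meltdown` on kernels that expose it) that PTI is actually active, since a silently ignored option would otherwise go unnoticed.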