kvm: adhere to Debian's grub layout

This adopts our anti-CPU-mitigation configuration to use Debian's expected grub paths and programs.
2 years ago · fec4008d0e
parent 627f79ff8d
commit fec4008d0e
3 changed files with 4 additions and 10 deletions
--- a/roles/kvm/files/cpu-mitigations.cfg
+++ b/roles/kvm/files/cpu-mitigations.cfg
@ -0,0 +1 @@
+GRUB_CMDLINE_LINUX="noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off tsx=on tsx_async_abort=off mitigations=off"
--- a/roles/kvm/files/grub-mitigations.conf
+++ b/roles/kvm/files/grub-mitigations.conf
@ -1 +0,0 @@
-noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off mitigations=off
--- a/roles/kvm/tasks/main.yml
+++ b/roles/kvm/tasks/main.yml
@ -76,22 +76,16 @@
  shell: grep -c Intel /proc/cpuinfo
  register: intel_check

- name: Create sysconfig directory
-  file:
-    path: /etc/sysconfig
-    state: directory
-  when: intel_check.stdout != "0"
-
 - name: Install grub config to disable CPU mitigations
  copy:
-    src: grub-mitigations.conf
-    dest: /etc/sysconfig/grub
+    src: cpu-mitigations.cfg
+    dest: /etc/default/grub.d/cpu-mitigations.cfg
    mode: 0644
  register: grub-mitigations
  when: intel_check.stdout != "0"

 - name: Regenerate grub's config file
-  shell: grub-mkconfig
+  shell: update-grub
  notify:
    - reboot
  when: grub-mitigations.changed
				`@ -0,0 +1 @@`
				`GRUB_CMDLINE_LINUX="noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off tsx=on tsx_async_abort=off mitigations=off"`
				`@ -1 +0,0 @@`
				`noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off mitigations=off`