intel / ccc-linux-guest-hardening

Linux Security Hardening for Confidential Compute
https://intel.github.io/ccc-linux-guest-hardening-docs
MIT License

bkc: set KVM module parameters for ccc #107

Closed Wenzel closed 1 year ago

Wenzel commented 1 year ago

This PR should fix https://github.com/intel/ccc-linux-guest-hardening/issues/81

It adds a task in the bkc role to append the following block to /etc/modprobe.d/kvm-intel.conf if not found:

```
# BEGIN ANSIBLE MANAGED BLOCK - ccc-linux-guest-hardening
options kvm-intel nested=1 ve_injection=1 halt_on_triple_fault=1
# END ANSIBLE MANAGED BLOCK - ccc-linux-guest-hardening
```

ereshetova commented 1 year ago

Tested this one, works properly, thank you, merging!
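
An added check, not part of the PR or the project's code: it audits modprobe configuration files for the three kvm-intel options in the managed block quoted in the PR description. The function name `kvm_intel_missing`, the sample file and the rule that a later assignment of the same key overrides an earlier one are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the PR): audit modprobe config for the kvm-intel
# options listed in the managed block quoted in the PR description.

# Expected settings, copied from that block.
EXPECTED="nested=1 ve_injection=1 halt_on_triple_fault=1"

# kvm_intel_missing FILE...   (hypothetical helper name)
# Prints every expected key=value that the files do not set (one per line)
# and returns non-zero if anything is missing or set to another value.
kvm_intel_missing() {
    awk -v expected="$EXPECTED" '
        /^[ \t]*#/ { next }                  # ignore comment lines
        $1 == "options" {
            mod = $2
            gsub(/-/, "_", mod)              # modprobe treats - and _ alike
            if (mod != "kvm_intel") next
            for (i = 3; i <= NF; i++) {
                eq = index($i, "=")
                # Assumption: a later assignment of the same key overrides.
                if (eq > 1) seen[substr($i, 1, eq - 1)] = substr($i, eq + 1)
            }
        }
        END {
            bad = 0
            n = split(expected, want, " ")
            for (j = 1; j <= n; j++) {
                split(want[j], kv, "=")
                if (!(kv[1] in seen) || seen[kv[1]] != kv[2]) {
                    print want[j]
                    bad = 1
                }
            }
            exit bad
        }' "$@"
}

# Constructed sample: underscore spelling of the module, one option absent.
sample=$(mktemp)
printf '%s\n' '# constructed sample' \
    'options kvm_intel nested=1 ve_injection=1' > "$sample"
if missing=$(kvm_intel_missing "$sample"); then
    echo "all expected kvm-intel options present"
else
    echo "missing or different: $missing"
fi
rm -f "$sample"
```

On a provisioned host the function can be pointed at `/etc/modprobe.d/kvm-intel.conf`, the file named in the PR description.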