#!/bin/bash
# SPDX-License-Identifier: BSD-3-Clause
# Authors: Hugo Lefeuvre <[email protected]>
# Abort on the first unhandled command failure.
set -e

# GRUB defaults file whose kernel command line this script inspects and rewrites.
GRUB_FILE='/etc/default/grub'
# Print all arguments as a single message on stderr, then terminate the
# script with exit status 1.
die() {
  echo "$*" >&2
  exit 1
}
# Print the experimental-use disclaimer on stdout, followed by one blank line.
disclaimer() {
  printf '%s\n' \
    "[I] Disclaimer:" \
    "[I] This script is experimental. It is known to work on the official" \
    "[I] AE setup for the FlexOS paper, but might not be entirely generic." \
    "[I] Use at your own risk!" \
    ""
}
# Pre-flight gate run by both toggles: show the disclaimer, then refuse to
# continue when who(1) lists more than one login or when the GRUB defaults
# file is missing.
checks() {
  disclaimer

  # who(1) prints one line per login session, so this is a session count:
  # one person with two terminals is counted twice.
  local session_count
  session_count=$(who | wc -l)
  if (( session_count > 1 )); then
    die "[E] Cannot toggle KPTI: there are $session_count logged in; please coordinate on machine use."
  fi

  [[ -f "$GRUB_FILE" ]] \
    || die "[E] This machine does not seem to use GRUB, but this script only supports GRUB."
}
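#######################################
# Ask the operator for an explicit yes/no confirmation before continuing.
# Arguments: $1 - text shown in front of "Proceed? [y/n] " (may be empty)
# Returns:   0 once an answer starting with y/Y has been read
# Exits:     status 1 on an answer starting with n/N, or when the answer
#            cannot be read (end-of-file, closed stdin), so a missing
#            answer is never treated as consent
#######################################
function prompt {
  local yn
  while true; do
    # -r keeps backslashes in the answer literal. A failed read aborts here
    # explicitly instead of depending on the caller having `set -e` active;
    # without that, end-of-file would make this loop spin forever.
    read -r -p "${1}Proceed? [y/n] " yn || exit 1
    case "$yn" in
      [Yy]*) break ;;
      [Nn]*) exit 1 ;;
      *) echo "Please answer yes or no." ;;
    esac
  done
}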
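#######################################
# Disable KPTI (kernel page-table isolation) by adding "pti=off" to
# GRUB_CMDLINE_LINUX, regenerating the GRUB configuration and rebooting.
#
# KPTI is the kernel's mitigation against Meltdown-style user-to-kernel
# memory disclosure. The setting written here is persistent: it stays in
# $GRUB_FILE across reboots until `on` is run.
#
# Globals:   GRUB_FILE (read and overwritten)
# Arguments: none
# Outputs:   progress messages on stdout, errors on stderr
# Exits:     status 1 if a pre-flight check fails, KPTI already looks
#            disabled, the operator declines, or the edit did not apply
#######################################
function off {
  checks

  # Either spelling on the kernel command line turns KPTI off.
  # NOTE(review): both greps match anywhere in the file, comment lines
  # included, so a commented-out example also counts as "already disabled".
  if grep -q "pti=off" "$GRUB_FILE"; then
    die "[E] KPTI is already disabled."
  fi
  if grep -q "nopti" "$GRUB_FILE"; then
    die "[E] KPTI is already disabled."
  fi

  prompt "This script is going disable KPTI on this machine, which requires a reboot. "

  # Stage the edit in a private file from mktemp. A fixed name under /tmp
  # can be pre-created or swapped by another local user, and the staged
  # content is copied back over $GRUB_FILE with whatever privileges this
  # script runs under (writing $GRUB_FILE normally needs root).
  local tmp_grub
  tmp_grub=$(mktemp) || die "[E] Failed to create a temporary file."
  # The path is expanded (shell-quoted) now on purpose: the local variable
  # no longer exists when the EXIT trap fires after this function returns.
  trap "rm -f -- $(printf '%q' "$tmp_grub")" EXIT

  echo -n "[I] Command line before changes: "
  printf '%s\n' "$(sed -n 's/.*GRUB_CMDLINE_LINUX=//p' "$GRUB_FILE")"

  cp -- "$GRUB_FILE" "$tmp_grub"

  echo -n "[I] Editing kernel command line..."
  sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"pti=off /g" "$tmp_grub"
  # Confirm the substitution actually matched before touching the real file.
  if grep -q "pti=off" "$tmp_grub"; then
    echo " done."
  else
    echo ""
    die "[E] Failed to edit kernel command line."
  fi

  echo -n "[I] Command line after changes: "
  printf '%s\n' "$(sed -n 's/.*GRUB_CMDLINE_LINUX=//p' "$tmp_grub")"

  # Second confirmation, now that the operator has seen the resulting line.
  prompt ""

  cp -- "$tmp_grub" "$GRUB_FILE"
  echo "[I] Reconfiguring GRUB..."
  update-grub
  echo "[W] Rebooting in 3s..."
  sleep 3
  reboot
}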
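#######################################
# Re-enable KPTI (kernel page-table isolation) by removing "pti=off" and
# "nopti" from the GRUB defaults file, regenerating the GRUB configuration
# and rebooting.
#
# Globals:   GRUB_FILE (read and overwritten)
# Arguments: none
# Outputs:   progress messages on stdout, errors on stderr
# Exits:     status 1 if a pre-flight check fails, KPTI already looks
#            enabled, the operator declines, or the edit did not apply
#######################################
function on {
  checks

  if grep -q "pti=on" "$GRUB_FILE"; then
    die "[E] KPTI is already enabled."
  fi
  # Nothing to do when neither "disable" spelling is present.
  if ! grep -q "nopti" "$GRUB_FILE" && ! grep -q "pti=off" "$GRUB_FILE"; then
    die "[E] KPTI is already enabled."
  fi

  prompt "This script is going enable KPTI on this machine, which requires a reboot. "

  # Stage the edit in a private file from mktemp. A fixed name under /tmp
  # can be pre-created or swapped by another local user, and the staged
  # content is copied back over $GRUB_FILE with whatever privileges this
  # script runs under (writing $GRUB_FILE normally needs root).
  local tmp_grub
  tmp_grub=$(mktemp) || die "[E] Failed to create a temporary file."
  # The path is expanded (shell-quoted) now on purpose: the local variable
  # no longer exists when the EXIT trap fires after this function returns.
  trap "rm -f -- $(printf '%q' "$tmp_grub")" EXIT

  echo -n "[I] Command line before changes: "
  printf '%s\n' "$(sed -n 's/.*GRUB_CMDLINE_LINUX=//p' "$GRUB_FILE")"

  cp -- "$GRUB_FILE" "$tmp_grub"

  echo "[I] Editing kernel command line..."
  # NOTE(review): both patterns are removed wherever they occur in the
  # file, not only inside GRUB_CMDLINE_LINUX.
  sed -i -e "s/pti=off//g" -e "s/nopti//g" "$tmp_grub"
  # Same safeguard as in `off`: do not install a file in which a
  # KPTI-disabling token is still present.
  if grep -q -e "pti=off" -e "nopti" "$tmp_grub"; then
    die "[E] Failed to edit kernel command line."
  fi

  echo -n "[I] Command line after changes: "
  printf '%s\n' "$(sed -n 's/.*GRUB_CMDLINE_LINUX=//p' "$tmp_grub")"

  # Second confirmation, now that the operator has seen the resulting line.
  prompt ""

  cp -- "$tmp_grub" "$GRUB_FILE"
  echo "[I] Reconfiguring GRUB..."
  update-grub
  echo "[W] Rebooting in 3s..."
  sleep 3
  reboot
}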
# Entry point: the first argument selects the action; anything else is
# reported as a usage error through die.
if [[ "$1" == "on" ]]; then
  on
elif [[ "$1" == "off" ]]; then
  off
else
  die "'$1': unsupported argument. Usage: $0 {on, off}"
fi