From 33fe6d6f877ed7245d78a151619a55916701ae9b Mon Sep 17 00:00:00 2001
From: akrzos
Date: Mon, 2 Apr 2018 14:36:48 -0400
Subject: [PATCH] Add retp_enabled to adjust-security.yaml playbook
Corrects behavior of adjust-security playbook to match what should be expected.
Security On: pti_enabled: 1 retp_enabled: 1
Security Off: pti_enabled: 0 retp_enabled: 0
Change-Id: I643aca84391f78ea9b32c929f64e5a132bed9585
---
ansible/browbeat/adjust-security.yml | 22 +++++++++++----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/ansible/browbeat/adjust-security.yml b/ansible/browbeat/adjust-security.yml
index af070f2ce..5d975772c 100644
--- a/ansible/browbeat/adjust-security.yml
+++ b/ansible/browbeat/adjust-security.yml
@@ -6,26 +6,26 @@
#
# Examples:
#
-# Turn off security on entire overcloud
+# Turn off security on the entire overcloud
# ansible-playbook -i hosts browbeat/adjust-security.yml -e 'security=false'
#
-# Turn on security on entire overcloud
+# Turn on security on the entire overcloud
# ansible-playbook -i hosts browbeat/adjust-security.yml
#
# Turn off security on just compute nodes
# ansible-playbook -i hosts browbeat/adjust-security.yml -e 'target=compute security=false'
#
# "target" can be any of the typical groups or a specific host in the hosts file
-# Also you can force any of the three flags to 0 or 1 (Ex. ibpb_enabled=0 etc)
-#
+# Also you can force any of the three flags* to 0 or 1 (Ex. retp_enabled=0 etc)
+# * Subject to them being writable
- hosts: "{{target|default('overcloud')}}"
gather_facts: true
remote_user: "{{ host_remote_user }}"
vars:
- ibpb_enabled: 1
- ibrs_enabled: 1
+ ibrs_enabled: 0
pti_enabled: 1
+ retp_enabled: 1
security: true
vars_files:
- ../install/group_vars/all.yml
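Review bot: With the default `security: true`, the vars block now carries `ibrs_enabled: 0`, so a plain "turn on security" run writes 0 to /sys/kernel/debug/x86/ibrs_enabled and switches IBRS off on any host where the kernel had it on. The commit message lists only pti_enabled and retp_enabled for Security On, and the header comment says nothing about ibrs_enabled staying at 0 in both modes. On kernels that select IBRS rather than retpoline for some CPU models, this would leave the host in a different Spectre v2 configuration than its boot default; that is worth confirming against the vendor documentation for the target kernels. Either leave ibrs_enabled out of the unconditional write, or document it in the header, e.g. `# ibrs_enabled is forced to 0 in both modes; pass -e ibrs_enabled=1 on hosts that rely on IBRS`. The play continues past the end of this hunk.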
@@ -39,21 +39,21 @@
- name: Check to turn off security
set_fact:
- ibpb_enabled: 0
ibrs_enabled: 0
pti_enabled: 0
+ retp_enabled: 0
when: not security|bool
- name: Debug print the new values for security
debug:
- msg: "Setting these: ibpb_enabled- {{ibpb_enabled}} ibrs_enabled- {{ibrs_enabled}} pti_enabled- {{pti_enabled}}"
+ msg: "Setting these: ibrs_enabled- {{ibrs_enabled}} pti_enabled- {{pti_enabled}} retp_enabled - {{retp_enabled}}"
- name: Check /sys/kernel for security performance affecting features
become: true
shell: |
- echo "/sys/kernel/debug/x86/ibpb_enabled: $(cat /sys/kernel/debug/x86/ibpb_enabled)"
echo "/sys/kernel/debug/x86/ibrs_enabled: $(cat /sys/kernel/debug/x86/ibrs_enabled)"
echo "/sys/kernel/debug/x86/pti_enabled: $(cat /sys/kernel/debug/x86/pti_enabled)"
+ echo "/sys/kernel/debug/x86/retp_enabled: $(cat /sys/kernel/debug/x86/retp_enabled)"
register: security_vars
- name: Debug print the security_vars before setting
@@ -63,16 +63,16 @@
- name: Turn on/off security
become: true
shell: |
- echo {{ibpb_enabled}} > /sys/kernel/debug/x86/ibpb_enabled
echo {{ibrs_enabled}} > /sys/kernel/debug/x86/ibrs_enabled
echo {{pti_enabled}} > /sys/kernel/debug/x86/pti_enabled
+ echo {{retp_enabled}} > /sys/kernel/debug/x86/retp_enabled
- name: Check /sys/kernel for security performance affecting features
become: true
shell: |
- echo "/sys/kernel/debug/x86/ibpb_enabled: $(cat /sys/kernel/debug/x86/ibpb_enabled)"
echo "/sys/kernel/debug/x86/ibrs_enabled: $(cat /sys/kernel/debug/x86/ibrs_enabled)"
echo "/sys/kernel/debug/x86/pti_enabled: $(cat /sys/kernel/debug/x86/pti_enabled)"
+ echo "/sys/kernel/debug/x86/retp_enabled: $(cat /sys/kernel/debug/x86/retp_enabled)"
register: security_vars
- name: Debug print the security_vars after setting
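Review bot: The "Turn on/off security" task in the second hunk reports only the exit status of its last line, now `echo {{retp_enabled}} > /sys/kernel/debug/x86/retp_enabled`, so a rejected write to ibrs_enabled or pti_enabled passes silently, and the read-back task after it only prints. A run with security on can therefore finish green while a mitigation is still off. I would add an assertion after the read-back that the requested pti_enabled and retp_enabled values appear in `security_vars.stdout`; ibrs_enabled is left out below because the header says flags may not be writable. The values also reach a root shell unquoted from `-e`, so a check that each is 0 or 1 before the write would keep a mistyped value out of the command. The final debug task's body lies outside the hunk, so the placement and indentation below are a guess.

```yaml
    # … unchanged: write task and read-back task registering security_vars …

    - name: Fail if a requested flag value did not take effect
      assert:
        that:
          - "('pti_enabled: ' ~ pti_enabled) in security_vars.stdout"
          - "('retp_enabled: ' ~ retp_enabled) in security_vars.stdout"
        msg: "pti_enabled/retp_enabled do not match the requested values"
```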