From fbcd3e42106b95efd8a63914a558c04c76487783 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 21 Sep 2020 10:26:53 +0200
Subject: [PATCH] Remove zIPL rule for PTI bootloader option

This setting mitigates a problem specific to Intel architectures.
Also returns the CCE to the pool.
---
 .../zipl_pti_argument/rule.yml                | 38 -------------------
 rhel8/profiles/ospp.profile                   |  1 -
 rhel8/profiles/stig.profile                   |  1 -
 .../data/profile_stability/rhel8/ospp.profile |  1 -
 4 files changed, 41 deletions(-)
 delete mode 100644 linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
deleted file mode 100644
index 96170e6d85..0000000000
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-documentation_complete: true
-
-prodtype: rhel8
-
-title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL'
-
-description: |-
-    To enable Kernel page-table isolation,
-    check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
-    included in its options.<br />
-    To ensure that new kernels and boot entries continue to enable page-table isolation,
-    add <tt>pti=on</tt> to <tt>/etc/kernel/cmdline</tt>.
-
-rationale: |-
-    Kernel page-table isolation is a kernel feature that mitigates
-    the Meltdown security vulnerability and hardens the kernel
-    against attempts to bypass kernel address space layout
-    randomization (KASLR).
-
-severity: medium
-
-identifiers:
-    cce@rhel8: 83361-6
-
-ocil_clause: 'Kernel page-table isolation is not enabled'
-
-ocil: |-
-  To check that page-table isolation is enabled at boot time, check all boot entries with following command:
-  <pre>sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf</pre>
-  No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
-
-platform: machine
-
-template:
-  name: zipl_bls_entries_option
-  vars:
-    arg_name: pti
-    arg_value: 'on'
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 5e81e4a92a..46f00c89f1 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -426,4 +426,3 @@ selections:
     - zipl_vsyscall_argument
     - zipl_vsyscall_argument.role=unscored
     - zipl_vsyscall_argument.severity=info
-    - zipl_pti_argument
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 53647475aa..817d5dbadd 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -52,7 +52,6 @@ selections:
     - "!zipl_audit_argument"
     - "!zipl_audit_backlog_limit_argument"
     - "!zipl_page_poison_argument"
-    - "!zipl_pti_argument"
     - "!zipl_slub_debug_argument"
     - "!zipl_vsyscall_argument"
     - "!zipl_vsyscall_argument.role=unscored"
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 7b7307cba8..223b1423cd 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -219,7 +219,6 @@ selections:
 - zipl_bls_entries_only
 - zipl_bootmap_is_up_to_date
 - zipl_page_poison_argument
-- zipl_pti_argument
 - zipl_slub_debug_argument
 - zipl_vsyscall_argument
 - var_sshd_set_keepalive=0