author | Joachim F <joachifm@users.noreply.github.com> | 2019-07-30 10:35:31 +0000 |
committer | GitHub <noreply@github.com> | 2019-07-30 10:35:31 +0000 |
commit | a7d71da84db0a84a4b07b05ebd25fe9da943be52 (patch) | |
tree | 8000ba010f5b4dbed5d4b02465f58c90a7b73594 | |
parent | 70503758fb4b37107953dfb03ad7c0cf36ad0435 (diff) | |
parent | 67b7e70865896433f01ca173eda8f5217eae4d49 (diff) | |
Merge pull request #65585 from delroth/hardened-pti
nixos/hardened: make pti=on overridable
-rw-r--r-- | nixos/modules/profiles/hardened.nix | 5 | ||||
-rw-r--r-- | nixos/modules/security/misc.nix | 16 |
2 files changed, 18 insertions, 3 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 29c3f2f8bbf8..9e9ddd4f3788 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -26,6 +26,8 @@ with lib;
 security.allowSimultaneousMultithreading = mkDefault false;
+ security.forcePageTableIsolation = mkDefault true;
+
 security.virtualisation.flushL1DataCache = mkDefault "always";
 security.apparmor.enable = mkDefault true;
@@ -42,9 +44,6 @@ with lib;
 # Disable legacy virtual syscalls
 "vsyscall=none"
-
- # Enable PTI even if CPU claims to be safe from meltdown
- "pti=on"
 ];
 boot.blacklistedKernelModules = [
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix
index 2a7f07ef6dbe..16e3bfb14199 100644
--- a/nixos/modules/security/misc.nix
+++ b/nixos/modules/security/misc.nix
@@ -54,6 +54,18 @@ with lib;
 '';
 };
+ security.forcePageTableIsolation = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to force-enable the Page Table Isolation (PTI) Linux kernel
+ feature even on CPU models that claim to be safe from Meltdown.
+
+ This hardening feature is most beneficial to systems that run untrusted
+ workloads that rely on address space isolation for security.
+ '';
+ };
+
 security.virtualisation.flushL1DataCache = mkOption {
 type = types.nullOr (types.enum [ "never" "cond" "always" ]);
 default = null;
@@ -114,6 +126,10 @@ with lib;
 boot.kernelParams = [ "nosmt" ];
 })
+ (mkIf config.security.forcePageTableIsolation {
+ boot.kernelParams = [ "pti=on" ];
+ })
+
 (mkIf (config.security.virtualisation.flushL1DataCache != null) {
 boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualisation.flushL1DataCache}" ];
 }) |
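Review bot: The description of the new security.forcePageTableIsolation option in the misc.nix hunk at -54,6 does not say what the default false means, which is what an operator deciding whether to flip it needs to know: with the option off, nothing is passed on the kernel command line and the kernel's own vulnerability detection still enables PTI on CPUs it reports as affected by Meltdown, so the option only changes behaviour on hardware reported as unaffected. I would append a third paragraph to the description along the lines of `When disabled, the kernel's own detection decides whether PTI is active. Forcing it on adds the PTI syscall and context-switch overhead even on CPUs that do not need it.` The option attribute set is complete within the hunk, but the enclosing options block begins and ends outside it.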
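Review bot: The `pti=on` kernel parameter is an x86-64 control, yet the mkIf added in the misc.nix hunk at -114,6 appends it for every target architecture, so on other platforms the option silently has no effect while the profile (now setting it with mkDefault true) suggests PTI is enforced. Either state the x86-64 scope in the option description or gate the mkIf on the host platform, e.g. `(mkIf (config.security.forcePageTableIsolation && pkgs.stdenv.hostPlatform.isx86_64) {` if `pkgs` is among the module's arguments, which the hunk does not show. Because boot.kernelParams is a merged list, a configuration that also sets `pti=off` elsewhere ends up passing both values with an order that is not specified here; an assertion, or at least a note in the description, would make that conflict visible. The mkMerge-style list this entry sits in starts and ends outside the hunk.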