path: root/nixos/modules/security/misc.nix
authorPierre Bourdon <delroth@gmail.com>2019-07-30 02:24:56 +0200
committerPierre Bourdon <delroth@gmail.com>2019-07-30 02:24:56 +0200
commit67b7e70865896433f01ca173eda8f5217eae4d49 (patch)
tree677e7ac0afa58bcf87726c0bcee39fc2704aac11 /nixos/modules/security/misc.nix
parentfd2b2b5cd56a5be788fa88dcd9605a3a5bb5ecc7 (diff)
nixos/hardened: make pti=on overridable
Introduces a new security.forcePageTableIsolation option (default false on non-hardened systems, true when the hardened profile is used) that forces pti=on.
Diffstat (limited to 'nixos/modules/security/misc.nix')
-rw-r--r--nixos/modules/security/misc.nix16
1 files changed, 16 insertions, 0 deletions
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix
index 2a7f07ef6dbe..16e3bfb14199 100644
--- a/nixos/modules/security/misc.nix
+++ b/nixos/modules/security/misc.nix
@@ -54,6 +54,18 @@ with lib;
'';
};
+ security.forcePageTableIsolation = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to force-enable the Page Table Isolation (PTI) Linux kernel
+ feature even on CPU models that claim to be safe from Meltdown.
+
+ This hardening feature is most beneficial to systems that run untrusted
+ workloads that rely on address space isolation for security.
+ '';
+ };
+
security.virtualisation.flushL1DataCache = mkOption {
type = types.nullOr (types.enum [ "never" "cond" "always" ]);
default = null;
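Review bot: The option description leaves out two things a user toggling it needs to know: that the hardened profile overrides the `false` default (stated in the commit message but not visible in this file), and that the option's only effect is appending `pti=on` to `boot.kernelParams`, a parameter the kernel honours only on x86 builds with PTI support, so it is presumably a no-op elsewhere. I would extend the description with a short paragraph along the lines of "The hardened profile enables this option by default. The option only adds `pti=on` to the kernel command line; on kernels without PTI support the parameter has no effect." The enclosing module body continues outside this hunk.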
@@ -114,6 +126,10 @@ with lib;
boot.kernelParams = [ "nosmt" ];
})
+ (mkIf config.security.forcePageTableIsolation {
+ boot.kernelParams = [ "pti=on" ];
+ })
+
(mkIf (config.security.virtualisation.flushL1DataCache != null) {
boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualisation.flushL1DataCache}" ];
})
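Review bot: Nothing here prevents another module from also contributing `pti=off` to `boot.kernelParams`; list merging keeps both, and the kernel's handling of duplicate `pti=` parameters would then decide the outcome, so the "force" in the option name is only as strong as the command-line order, which I believe the module system does not guarantee. If that guarantee matters, consider an `assertions` entry that rejects `pti=off` in `config.boot.kernelParams` when `config.security.forcePageTableIsolation` is set, or a comment on the `mkIf` noting the limitation, e.g. `# Appends pti=on; a conflicting pti=off from another module is not detected.` The surrounding `mkMerge` list begins before this hunk.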