author | Pierre Bourdon <delroth@gmail.com> | 2019-07-30 02:24:56 +0200 |
---|---|---|
committer | Pierre Bourdon <delroth@gmail.com> | 2019-07-30 02:24:56 +0200 |
commit | 67b7e70865896433f01ca173eda8f5217eae4d49 (patch) | |
tree | 677e7ac0afa58bcf87726c0bcee39fc2704aac11 /nixos/modules/security/misc.nix | |
parent | fd2b2b5cd56a5be788fa88dcd9605a3a5bb5ecc7 (diff) | |
nixos/hardened: make pti=on overridable
Introduces a new security.forcePageTableIsolation option (default false on !hardened, true on hardened) that forces pti=on.
Diffstat (limited to 'nixos/modules/security/misc.nix')
-rw-r--r-- | nixos/modules/security/misc.nix | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix index 2a7f07ef6dbe..16e3bfb14199 100644 --- a/nixos/modules/security/misc.nix +++ b/nixos/modules/security/misc.nix @@ -54,6 +54,18 @@ with lib; ''; }; + security.forcePageTableIsolation = mkOption { + type = types.bool; + default = false; + description = '' + Whether to force-enable the Page Table Isolation (PTI) Linux kernel + feature even on CPU models that claim to be safe from Meltdown. + + This hardening feature is most beneficial to systems that run untrusted + workloads that rely on address space isolation for security. + ''; + }; + security.virtualisation.flushL1DataCache = mkOption { type = types.nullOr (types.enum [ "never" "cond" "always" ]); default = null; @@ -114,6 +126,10 @@ with lib; boot.kernelParams = [ "nosmt" ]; }) + (mkIf config.security.forcePageTableIsolation { + boot.kernelParams = [ "pti=on" ]; + }) + (mkIf (config.security.virtualisation.flushL1DataCache != null) { boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualisation.flushL1DataCache}" ]; }) |
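Review bot: In the first hunk (the `security.forcePageTableIsolation` option), the description does not say that the hardened profile flips the default to true, which the commit message states; since the visible `default = false;` is what a reader of the option documentation sees, add a sentence such as "The hardened profile enables this by default." so the two defaults are not surprising. The description would also benefit from stating the trade-off the option name implies: forcing `pti=on` on CPUs the kernel considers unaffected costs performance on every syscall and context switch, which is the reason to keep it opt-in outside the hardened profile.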
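Review bot: In the second hunk, `boot.kernelParams = [ "pti=on" ];` is list-merged with every other contributor to `boot.kernelParams` (the neighbouring `nosmt` and `kvm-intel.vmentry_l1d_flush=...` blocks show the pattern), so nothing prevents a user or another module from also adding `pti=off` or `pti=auto`, leaving both on the command line with no guarantee which the kernel honours. Consider either documenting in the option description that conflicting `pti=` values must not be set elsewhere, or adding an `assertions` entry that rejects a `boot.kernelParams` list containing another `pti=` value when this option is enabled.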