authorJoachim F <joachifm@users.noreply.github.com>2016-08-03 10:48:25 +0200
committerGitHub <noreply@github.com>2016-08-03 10:48:25 +0200
commit772a7bb49bdc7c0ee90fbbb2196cba9c8f242cef (patch)
tree3261a320cff38e2343132b61b754b1b364223f41 /nixos
parent4ba0912a9298667b7f40e199b9648897b5e7237a (diff)
parent43fc394a5cd06c38ed43e857ed14496cafdde0b5 (diff)
Merge pull request #17425 from joachifm/grsec-efi
grsecurity module: disable EFI runtime services by default
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/configuration/grsecurity.xml5
-rw-r--r--nixos/modules/security/grsecurity.nix14
2 files changed, 19 insertions, 0 deletions
diff --git a/nixos/doc/manual/configuration/grsecurity.xml b/nixos/doc/manual/configuration/grsecurity.xml
index 06e7617d58eb..3c17fc19397f 100644
--- a/nixos/doc/manual/configuration/grsecurity.xml
+++ b/nixos/doc/manual/configuration/grsecurity.xml
@@ -265,6 +265,11 @@
   <sect1 xml:id="sec-grsec-issues"><title>Issues and work-arounds</title>
 
   <itemizedlist>
+    <listitem><para>Access to EFI runtime services is disabled by default:
+    this plugs a potential code injection attack vector; use
+    <option>security.grsecurity.disableEfiRuntimeServices</option> to override
+    this behavior.</para></listitem>
+
     <listitem><para>Virtualization: KVM is the preferred virtualization
     solution. Xen, Virtualbox, and VMWare are
     <emphasis>unsupported</emphasis> and most likely require a custom kernel.
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index 6b4dbe8e11f8..60e9058dd69e 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -37,6 +37,18 @@ in
       '';
     };
 
+    disableEfiRuntimeServices = mkOption {
+      type = types.bool;
+      example = false;
+      default = true;
+      description = ''
+        Whether to disable access to EFI runtime services.  Enabling EFI runtime
+        services creates a venue for code injection attacks on the kernel and
+        should be disabled if at all possible.  Changing this option enters into
+        effect upon reboot.
+      '';
+    };
+
   };
 
   config = mkIf cfg.enable {
@@ -45,6 +57,8 @@ in
     # required kernel config
     boot.kernelPackages = mkDefault pkgs.linuxPackages_grsec_nixos;
 
+    boot.kernelParams = optional cfg.disableEfiRuntimeServices "noefi";
+
     system.requiredKernelConfig = with config.lib.kernelConfig;
       [ (isEnabled "GRKERNSEC")
         (isEnabled "PAX")
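Review bot: The `noefi` parameter introduced at `boot.kernelParams` also takes away the kernel's EFI variable access (efivarfs), so a host configured with `boot.loader.efi.canTouchEfiVariables = true` will most likely fail at bootloader installation when it tries to write boot entries, and neither this hunk nor the option description in the previous hunk warns about that. Because the new option defaults to true, this conflict is the out-of-the-box case for EFI systems that enable grsecurity. I would add an assertion next to the new line so the mismatch surfaces at evaluation time instead of as an installer error, and extend the description with `Note that this also prevents the kernel from accessing EFI variables; on EFI systems set boot.loader.efi.canTouchEfiVariables to false.` The enclosing `config = mkIf cfg.enable { ... }` set begins in the previous hunk and continues past this one.
```nix
    boot.kernelParams = optional cfg.disableEfiRuntimeServices "noefi";

    # noefi removes efivarfs, which the EFI bootloader installer needs to write boot entries
    assertions = [
      { assertion = cfg.disableEfiRuntimeServices -> !config.boot.loader.efi.canTouchEfiVariables;
        message = "security.grsecurity.disableEfiRuntimeServices requires boot.loader.efi.canTouchEfiVariables = false";
      }
    ];
    # … unchanged: system.requiredKernelConfig …
```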