author | Frederik Rietdijk <fridh@fridh.nl> | 2018-12-27 18:11:34 +0100 |
---|---|---|
committer | Frederik Rietdijk <fridh@fridh.nl> | 2018-12-27 18:11:34 +0100 |
commit | 10afccf1455167972b559f32b3b1495a07593cf1 (patch) | |
tree | b0f0d3e167586472e629f336337a1e15f750a318 /nixos | |
parent | e039310f9673d8e4d4975c0aa97e7b294536e4b5 (diff) | |
parent | 22d2b84f0f76acc11c57c71ded207e2653bbef33 (diff) | |
Merge staging-next into staging
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/hardware/video/nvidia.nix | 2 | ||||
-rw-r--r-- | nixos/modules/installer/cd-dvd/sd-image-aarch64-new-kernel.nix | 7 | ||||
-rw-r--r-- | nixos/modules/installer/cd-dvd/sd-image-aarch64.nix | 1 | ||||
-rw-r--r-- | nixos/modules/profiles/hardened.nix | 12 | ||||
-rw-r--r-- | nixos/modules/security/misc.nix | 110 | ||||
-rw-r--r-- | nixos/release.nix | 8 | ||||
-rw-r--r-- | nixos/tests/hardened.nix | 6 |
7 files changed, 127 insertions, 19 deletions
diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix
index b680c3c1ccb5..6ba8130af71f 100644
--- a/nixos/modules/hardware/video/nvidia.nix
+++ b/nixos/modules/hardware/video/nvidia.nix
@@ -20,6 +20,8 @@ let kernelPackages.nvidia_x11_legacy304 else if elem "nvidiaLegacy340" drivers then kernelPackages.nvidia_x11_legacy340 + else if elem "nvidiaLegacy390" drivers then + kernelPackages.nvidia_x11_legacy390 else null; nvidia_x11 = nvidiaForKernel config.boot.kernelPackages;
diff --git a/nixos/modules/installer/cd-dvd/sd-image-aarch64-new-kernel.nix b/nixos/modules/installer/cd-dvd/sd-image-aarch64-new-kernel.nix
new file mode 100644
index 000000000000..2882fbcc7305
--- /dev/null
+++ b/nixos/modules/installer/cd-dvd/sd-image-aarch64-new-kernel.nix
@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+
+{
+ imports = [ ./sd-image-aarch64.nix ];
+
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+}
diff --git a/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix b/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix
index 86e19f3da562..2db71eb20c5d 100644
--- a/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix
+++ b/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix
@@ -26,7 +26,6 @@ in boot.loader.generic-extlinux-compatible.enable = true; boot.consoleLogLevel = lib.mkDefault 7; - boot.kernelPackages = pkgs.linuxPackages_latest; # The serial ports listed here are: # - ttyS0: for Tegra (Jetson TX1)
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 61e871bcaca5..a588943fe710 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -20,6 +20,12 @@ with lib; security.allowUserNamespaces = mkDefault false; + security.protectKernelImage = mkDefault true; + + security.allowSimultaneousMultithreading = mkDefault false; + + security.virtualization.flushL1DataCache = mkDefault "always"; + security.apparmor.enable = mkDefault true; boot.kernelParams = [
@@ -28,9 +34,6 @@ with lib; # Disable legacy virtual syscalls "vsyscall=none" - - # Disable hibernation (allows replacing the running kernel) - "nohibernate" ]; boot.blacklistedKernelModules = [
@@ -44,9 +47,6 @@ with lib; # (e.g., parent/child) boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1; - # Prevent replacing the running kernel image w/o reboot - boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true; - # Restrict access to kernel ring buffer (information leaks) boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true;
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix
index 42f872b7b088..4506a67487d4 100644
--- a/nixos/modules/security/misc.nix
+++ b/nixos/modules/security/misc.nix
@@ -22,18 +22,104 @@ with lib; a user namespace fails with "no space left on device" (ENOSPC). ''; }; - }; - config = mkIf (!config.security.allowUserNamespaces) { - # Setting the number of allowed user namespaces to 0 effectively disables - # the feature at runtime. Note that root may raise the limit again - # at any time. - boot.kernel.sysctl."user.max_user_namespaces" = 0; - - assertions = [ - { assertion = config.nix.useSandbox -> config.security.allowUserNamespaces; - message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`."; - } - ]; + security.protectKernelImage = mkOption { + type = types.bool; + default = false; + description = '' + Whether to prevent replacing the running kernel image. + ''; + }; + + security.allowSimultaneousMultithreading = mkOption { + type = types.bool; + default = true; + description = '' + Whether to allow SMT/hyperthreading. Disabling SMT means that only + physical CPU cores will be usable at runtime, potentially at + significant performance cost. + </para> + + <para> + The primary motivation for disabling SMT is to mitigate the risk of + leaking data between threads running on the same CPU core (due to + e.g., shared caches). This attack vector is unproven. + </para> + + <para> + Disabling SMT is a supplement to the L1 data cache flushing mitigation + (see <xref linkend="opt-security.virtualization.flushL1DataCache"/>) + versus malicious VM guests (SMT could "bring back" previously flushed + data). + </para> + <para> + ''; + }; + + security.virtualization.flushL1DataCache = mkOption { + type = types.nullOr (types.enum [ "never" "cond" "always" ]); + default = null; + description = '' + Whether the hypervisor should flush the L1 data cache before + entering guests. + See also <xref linkend="opt-security.allowSimultaneousMultithreading"/>. 
+ </para> + + <para> + <variablelist> + <varlistentry> + <term><literal>null</literal></term> + <listitem><para>uses the kernel default</para></listitem> + </varlistentry> + <varlistentry> + <term><literal>"never"</literal></term> + <listitem><para>disables L1 data cache flushing entirely. + May be appropriate if all guests are trusted.</para></listitem> + </varlistentry> + <varlistentry> + <term><literal>"cond"</literal></term> + <listitem><para>flushes L1 data cache only for pre-determined + code paths. May leak information about the host address space + layout.</para></listitem> + </varlistentry> + <varlistentry> + <term><literal>"always"</literal></term> + <listitem><para>flushes L1 data cache every time the hypervisor + enters the guest. May incur significant performance cost. + </para></listitem> + </varlistentry> + </variablelist> + ''; + }; }; + + config = mkMerge [ + (mkIf (!config.security.allowUserNamespaces) { + # Setting the number of allowed user namespaces to 0 effectively disables + # the feature at runtime. Note that root may raise the limit again + # at any time. + boot.kernel.sysctl."user.max_user_namespaces" = 0; + + assertions = [ + { assertion = config.nix.useSandbox -> config.security.allowUserNamespaces; + message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`."; + } + ]; + }) + + (mkIf config.security.protectKernelImage { + # Disable hibernation (allows replacing the running kernel) + boot.kernelParams = [ "nohibernate" ]; + # Prevent replacing the running kernel image w/o reboot + boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true; + }) + + (mkIf (!config.security.allowSimultaneousMultithreading) { + boot.kernelParams = [ "nosmt" ]; + }) + + (mkIf (config.security.virtualization.flushL1DataCache != null) { + boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualization.flushL1DataCache}" ]; + }) + ]; } 
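Review bot: The description of `security.protectKernelImage` does not tell users that enabling it also turns off hibernation, although the option's config block adds `nohibernate` to `boot.kernelParams` alongside the `kernel.kexec_load_disabled` sysctl; a sentence such as `This also disables hibernation, since resuming from a hibernation image would replace the running kernel.` belongs in the description. Likewise `security.virtualization.flushL1DataCache` only ever sets `kvm-intel.vmentry_l1d_flush=…`, so on a host that uses the kvm-amd module (or runs no KVM guests) the option is silently a no-op, and the hardened profile's `mkDefault "always"` inherits that limitation; the description should state that it applies to KVM on Intel CPUs only. The lone `<para>` just before the closing `''` of the SMT description appears to open a paragraph that is never filled — if the documentation generator wraps each description in `<para>` as the surrounding `</para>`/`<para>` pairs suggest, this produces an empty paragraph, and dropping it would match the other two descriptions. The `options` attribute set these definitions live in starts before the hunk.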
diff --git a/nixos/release.nix b/nixos/release.nix
index e7952b33de6b..df2c52ccd0b6 100644
--- a/nixos/release.nix
+++ b/nixos/release.nix
@@ -172,6 +172,14 @@ in rec { inherit system; }); + sd_image_new_kernel = forMatchingSystems [ "aarch64-linux" ] (system: makeSdImage { + module = { + aarch64-linux = ./modules/installer/cd-dvd/sd-image-aarch64-new-kernel.nix; + }.${system}; + type = "minimal-new-kernel"; + inherit system; + }); + # A bootable VirtualBox virtual appliance as an OVA file (i.e. packaged OVF). ova = forMatchingSystems [ "x86_64-linux" ] (system:
diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix
index e10a6363164a..683f56c45af4 100644
--- a/nixos/tests/hardened.nix
+++ b/nixos/tests/hardened.nix
@@ -70,5 +70,11 @@ import ./make-test.nix ({ pkgs, ...} : { $machine->fail("su -l nobody -s /bin/sh -c 'nix ping-store'"); $machine->succeed("su -l alice -c 'nix ping-store'") =~ "OK"; }; + + # Test kernel image protection + subtest "kernelimage", sub { + $machine->fail("systemctl hibernate"); + $machine->fail("systemctl kexec"); + }; ''; }) |
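Review bot: The new `kernelimage` subtest only asserts that `systemctl hibernate` and `systemctl kexec` fail, and both may fail for reasons unrelated to `security.protectKernelImage` — for example when the test VM has no swap to hibernate to, or when no kernel has been loaded for kexec — so the subtest can pass without the protection being in effect. It would be stronger to assert the mechanism the option actually configures: `$machine->succeed("sysctl -n kernel.kexec_load_disabled") =~ /^1$/;` for the sysctl, and `$machine->fail("grep -q disk /sys/power/state");` to confirm the hibernation power state is gone under `nohibernate`. The added lines sit inside the `testScript` string, and the enclosing `import ./make-test.nix` expression starts outside the hunk.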