authorFrederik Rietdijk <fridh@fridh.nl>2018-12-27 18:11:34 +0100
committerFrederik Rietdijk <fridh@fridh.nl>2018-12-27 18:11:34 +0100
commit10afccf1455167972b559f32b3b1495a07593cf1 (patch)
treeb0f0d3e167586472e629f336337a1e15f750a318 /nixos
parente039310f9673d8e4d4975c0aa97e7b294536e4b5 (diff)
parent22d2b84f0f76acc11c57c71ded207e2653bbef33 (diff)
Merge staging-next into staging
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/hardware/video/nvidia.nix2
-rw-r--r--nixos/modules/installer/cd-dvd/sd-image-aarch64-new-kernel.nix7
-rw-r--r--nixos/modules/installer/cd-dvd/sd-image-aarch64.nix1
-rw-r--r--nixos/modules/profiles/hardened.nix12
-rw-r--r--nixos/modules/security/misc.nix110
-rw-r--r--nixos/release.nix8
-rw-r--r--nixos/tests/hardened.nix6
7 files changed, 127 insertions, 19 deletions
diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix
index b680c3c1ccb5..6ba8130af71f 100644
--- a/nixos/modules/hardware/video/nvidia.nix
+++ b/nixos/modules/hardware/video/nvidia.nix
@@ -20,6 +20,8 @@ let
       kernelPackages.nvidia_x11_legacy304
     else if elem "nvidiaLegacy340" drivers then
       kernelPackages.nvidia_x11_legacy340
+    else if elem "nvidiaLegacy390" drivers then
+      kernelPackages.nvidia_x11_legacy390
     else null;
 
   nvidia_x11 = nvidiaForKernel config.boot.kernelPackages;
diff --git a/nixos/modules/installer/cd-dvd/sd-image-aarch64-new-kernel.nix b/nixos/modules/installer/cd-dvd/sd-image-aarch64-new-kernel.nix
new file mode 100644
index 000000000000..2882fbcc7305
--- /dev/null
+++ b/nixos/modules/installer/cd-dvd/sd-image-aarch64-new-kernel.nix
@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+
+{
+  imports = [ ./sd-image-aarch64.nix ];
+
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+}
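Review bot: The new module carries no comment stating why it exists, and its relationship to `sd-image-aarch64.nix` is only visible from the sibling hunk that removes `linuxPackages_latest` from that file. A one-line header such as `# Variant of sd-image-aarch64.nix that builds with the latest kernel (pkgs.linuxPackages_latest) instead of the default kernelPackages.` would make the intent self-contained for someone reading only this file.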
diff --git a/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix b/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix
index 86e19f3da562..2db71eb20c5d 100644
--- a/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix
+++ b/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix
@@ -26,7 +26,6 @@ in
   boot.loader.generic-extlinux-compatible.enable = true;
 
   boot.consoleLogLevel = lib.mkDefault 7;
-  boot.kernelPackages = pkgs.linuxPackages_latest;
 
   # The serial ports listed here are:
   # - ttyS0: for Tegra (Jetson TX1)
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 61e871bcaca5..a588943fe710 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -20,6 +20,12 @@ with lib;
 
   security.allowUserNamespaces = mkDefault false;
 
+  security.protectKernelImage = mkDefault true;
+
+  security.allowSimultaneousMultithreading = mkDefault false;
+
+  security.virtualization.flushL1DataCache = mkDefault "always";
+
   security.apparmor.enable = mkDefault true;
 
   boot.kernelParams = [
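Review bot: The three new settings on L76–L80 have no why-comments, unlike the sysctl lines later in this file, which each explain their purpose (e.g. the dmesg_restrict comment). Since `allowSimultaneousMultithreading = false` and `flushL1DataCache = "always"` carry noticeable performance costs, a short comment on each would help an operator deciding whether to override the default, e.g. `# Disable SMT: closes cross-thread side channels on a shared core, at the cost of fewer usable logical CPUs` and `# Flush L1D on every VM entry: protects the host from untrusted guests, at a performance cost`. The remaining hunks of this file only move the kexec/hibernate settings behind `protectKernelImage` and need nothing further.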
@@ -28,9 +34,6 @@ with lib;
 
     # Disable legacy virtual syscalls
     "vsyscall=none"
-
-    # Disable hibernation (allows replacing the running kernel)
-    "nohibernate"
   ];
 
   boot.blacklistedKernelModules = [
@@ -44,9 +47,6 @@ with lib;
   # (e.g., parent/child)
   boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;
 
-  # Prevent replacing the running kernel image w/o reboot
-  boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
-
   # Restrict access to kernel ring buffer (information leaks)
   boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true;
 
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix
index 42f872b7b088..4506a67487d4 100644
--- a/nixos/modules/security/misc.nix
+++ b/nixos/modules/security/misc.nix
@@ -22,18 +22,104 @@ with lib;
         a user namespace fails with "no space left on device" (ENOSPC).
       '';
     };
-  };
 
-  config = mkIf (!config.security.allowUserNamespaces) {
-    # Setting the number of allowed user namespaces to 0 effectively disables
-    # the feature at runtime.  Note that root may raise the limit again
-    # at any time.
-    boot.kernel.sysctl."user.max_user_namespaces" = 0;
-
-    assertions = [
-      { assertion = config.nix.useSandbox -> config.security.allowUserNamespaces;
-        message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`.";
-      }
-    ];
+    security.protectKernelImage = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to prevent replacing the running kernel image.
+      '';
+    };
+
+    security.allowSimultaneousMultithreading = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Whether to allow SMT/hyperthreading.  Disabling SMT means that only
+        physical CPU cores will be usable at runtime, potentially at
+        significant performance cost.
+        </para>
+
+        <para>
+        The primary motivation for disabling SMT is to mitigate the risk of
+        leaking data between threads running on the same CPU core (due to
+        e.g., shared caches).  This attack vector is unproven.
+        </para>
+
+        <para>
+        Disabling SMT is a supplement to the L1 data cache flushing mitigation
+        (see <xref linkend="opt-security.virtualization.flushL1DataCache"/>)
+        versus malicious VM guests (SMT could "bring back" previously flushed
+        data).
+        </para>
+        <para>
+      '';
+    };
+
+    security.virtualization.flushL1DataCache = mkOption {
+      type = types.nullOr (types.enum [ "never" "cond" "always" ]);
+      default = null;
+      description = ''
+        Whether the hypervisor should flush the L1 data cache before
+        entering guests.
+        See also <xref linkend="opt-security.allowSimultaneousMultithreading"/>.
+        </para>
+
+        <para>
+          <variablelist>
+          <varlistentry>
+            <term><literal>null</literal></term>
+            <listitem><para>uses the kernel default</para></listitem>
+          </varlistentry>
+          <varlistentry>
+            <term><literal>"never"</literal></term>
+            <listitem><para>disables L1 data cache flushing entirely.
+            May be appropriate if all guests are trusted.</para></listitem>
+          </varlistentry>
+          <varlistentry>
+            <term><literal>"cond"</literal></term>
+            <listitem><para>flushes L1 data cache only for pre-determined
+            code paths.  May leak information about the host address space
+            layout.</para></listitem>
+          </varlistentry>
+          <varlistentry>
+            <term><literal>"always"</literal></term>
+            <listitem><para>flushes L1 data cache every time the hypervisor
+            enters the guest.  May incur significant performance cost.
+            </para></listitem>
+          </varlistentry>
+          </variablelist>
+      '';
+    };
   };
+
+  config = mkMerge [
+    (mkIf (!config.security.allowUserNamespaces) {
+      # Setting the number of allowed user namespaces to 0 effectively disables
+      # the feature at runtime.  Note that root may raise the limit again
+      # at any time.
+      boot.kernel.sysctl."user.max_user_namespaces" = 0;
+
+      assertions = [
+        { assertion = config.nix.useSandbox -> config.security.allowUserNamespaces;
+          message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`.";
+        }
+      ];
+    })
+
+    (mkIf config.security.protectKernelImage {
+      # Disable hibernation (allows replacing the running kernel)
+      boot.kernelParams = [ "nohibernate" ];
+      # Prevent replacing the running kernel image w/o reboot
+      boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
+    })
+
+    (mkIf (!config.security.allowSimultaneousMultithreading) {
+      boot.kernelParams = [ "nosmt" ];
+    })
+
+    (mkIf (config.security.virtualization.flushL1DataCache != null) {
+      boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualization.flushL1DataCache}" ];
+    })
+  ];
 }
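Review bot: The `kvm-intel.vmentry_l1d_flush` parameter emitted on L222 is read only by the kvm-intel module, so `security.virtualization.flushL1DataCache` has no effect on non-Intel hosts (or hosts that never load KVM), while the option name and description are vendor-neutral; the description should say so, e.g. `This setting only applies to KVM on Intel hosts (kvm-intel); on other hardware it is a no-op.` Similarly, the plain `nosmt` parameter on L218 can be reverted at runtime by root through the sysfs SMT control file (/sys/devices/system/cpu/smt/control), whereas `nosmt=force` cannot; the `allowSimultaneousMultithreading` description should state which guarantee is intended, or the parameter should become `nosmt=force` if the hardening is meant to be irreversible without a reboot. The `allowSimultaneousMultithreading` description also ends with a stray opening `<para>` on L155, which will render as an empty paragraph once the option wrapper closes it; drop that line. The scoping of the flush parameter is inferred from its `kvm-intel.` module prefix; the `nosmt` runtime behaviour is from the kernel's parameter documentation rather than anything on this page.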
diff --git a/nixos/release.nix b/nixos/release.nix
index e7952b33de6b..df2c52ccd0b6 100644
--- a/nixos/release.nix
+++ b/nixos/release.nix
@@ -172,6 +172,14 @@ in rec {
     inherit system;
   });
 
+  sd_image_new_kernel = forMatchingSystems [ "aarch64-linux" ] (system: makeSdImage {
+    module = {
+        aarch64-linux = ./modules/installer/cd-dvd/sd-image-aarch64-new-kernel.nix;
+      }.${system};
+    type = "minimal-new-kernel";
+    inherit system;
+  });
+
   # A bootable VirtualBox virtual appliance as an OVA file (i.e. packaged OVF).
   ova = forMatchingSystems [ "x86_64-linux" ] (system:
 
diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix
index e10a6363164a..683f56c45af4 100644
--- a/nixos/tests/hardened.nix
+++ b/nixos/tests/hardened.nix
@@ -70,5 +70,11 @@ import ./make-test.nix ({ pkgs, ...} : {
         $machine->fail("su -l nobody -s /bin/sh -c 'nix ping-store'");
         $machine->succeed("su -l alice -c 'nix ping-store'") =~ "OK";
       };
+
+      # Test kernel image protection
+      subtest "kernelimage", sub {
+        $machine->fail("systemctl hibernate");
+        $machine->fail("systemctl kexec");
+      };
     '';
 })
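Review bot: Both assertions in the new `kernelimage` subtest can pass for reasons unrelated to `protectKernelImage`: `systemctl hibernate` fails in a test VM that has no swap/resume device configured, and `systemctl kexec` refuses to run when no kexec kernel has been loaded, so the subtest would not catch a regression that drops `nohibernate` or `kernel.kexec_load_disabled`. Check the effective state directly as well, e.g. `$machine->succeed("grep -q nohibernate /proc/cmdline");` and `$machine->succeed("sysctl -n kernel.kexec_load_disabled | grep -qx 1");`. The systemd refusal behaviour is stated from memory of systemctl's checks rather than from anything visible on this page.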