about summary refs log tree commit diff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--nixos/modules/profiles/hardened.nix2
-rw-r--r--nixos/modules/security/misc.nix30
2 files changed, 32 insertions, 0 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 53aa4bae2624..a588943fe710 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -22,6 +22,8 @@ with lib;
 
   security.protectKernelImage = mkDefault true;
 
+  security.allowSimultaneousMultithreading = mkDefault false;
+
   security.virtualization.flushL1DataCache = mkDefault "always";
 
   security.apparmor.enable = mkDefault true;
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix
index 735362729bfd..4506a67487d4 100644
--- a/nixos/modules/security/misc.nix
+++ b/nixos/modules/security/misc.nix
@@ -31,12 +31,38 @@ with lib;
       '';
     };
 
+    security.allowSimultaneousMultithreading = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Whether to allow SMT/hyperthreading.  Disabling SMT means that only
+        physical CPU cores will be usable at runtime, potentially at
+        significant performance cost.
+        </para>
+
+        <para>
+        The primary motivation for disabling SMT is to mitigate the risk of
+        leaking data between threads running on the same CPU core (due to
+        e.g., shared caches).  This attack vector is unproven.
+        </para>
+
+        <para>
+        Disabling SMT is a supplement to the L1 data cache flushing mitigation
+        (see <xref linkend="opt-security.virtualization.flushL1DataCache"/>)
+        versus malicious VM guests (SMT could "bring back" previously flushed
+        data).
+        </para>
+        <para>
+      '';
+    };
+
     security.virtualization.flushL1DataCache = mkOption {
       type = types.nullOr (types.enum [ "never" "cond" "always" ]);
       default = null;
       description = ''
         Whether the hypervisor should flush the L1 data cache before
         entering guests.
+        See also <xref linkend="opt-security.allowSimultaneousMultithreading"/>.
         </para>
 
         <para>
@@ -88,6 +114,10 @@ with lib;
       boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
     })
 
+    (mkIf (!config.security.allowSimultaneousMultithreading) {
+      boot.kernelParams = [ "nosmt" ];
+    })
+
     (mkIf (config.security.virtualization.flushL1DataCache != null) {
       boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualization.flushL1DataCache}" ];
     })
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-07-30 15:30:30 +0000