From ea1be31262c93155c03c953078fa50f27de14de5 Mon Sep 17 00:00:00 2001 From: Edmund Wu Date: Fri, 30 Nov 2018 13:50:47 -0500 Subject: nvidia: expose nvidia_x11_legacy390 --- nixos/modules/hardware/video/nvidia.nix | 2 ++ 1 file changed, 2 insertions(+) (limited to 'nixos') diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix index 21e12395498c..c37392841c47 100644 --- a/nixos/modules/hardware/video/nvidia.nix +++ b/nixos/modules/hardware/video/nvidia.nix @@ -20,6 +20,8 @@ let kernelPackages.nvidia_x11_legacy304 else if elem "nvidiaLegacy340" drivers then kernelPackages.nvidia_x11_legacy340 + else if elem "nvidiaLegacy390" drivers then + kernelPackages.nvidia_x11_legacy390 else null; nvidia_x11 = nvidiaForKernel config.boot.kernelPackages; -- cgit 1.4.1 From 207210660f2a8f178fa0dfb3fd3c35371bf9406d Mon Sep 17 00:00:00 2001 From: Samuel Dionne-Riel Date: Tue, 25 Dec 2018 18:55:42 -0500 Subject: nixos/sd-image-aarch64: Configures it to use the default kernel --- nixos/modules/installer/cd-dvd/sd-image-aarch64.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix b/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix index 86e19f3da562..2db71eb20c5d 100644 --- a/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix +++ b/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix @@ -26,7 +26,6 @@ in boot.loader.generic-extlinux-compatible.enable = true; boot.consoleLogLevel = lib.mkDefault 7; - boot.kernelPackages = pkgs.linuxPackages_latest; # The serial ports listed here are: # - ttyS0: for Tegra (Jetson TX1) -- cgit 1.4.1 From 302d53df2b79f48ea6e9f42e47dd17e561ff6433 Mon Sep 17 00:00:00 2001 
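Review bot: The new `nvidiaLegacy390` branch extends an if-chain in which the first branch in source order wins, so a `drivers` list naming more than one nvidia variant selects whichever branch appears earliest here, and nothing in the hunk says so. A one-line comment above the chain, `# First matching branch wins; the order of names in drivers does not matter`, would spare the next person adding a legacy branch from working this out. The chain also ends in `else null`, so an unrecognised name silently yields no driver; that is pre-existing, but the same comment could mention it. The enclosing `let` binding starts and ends outside the hunk.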
From: Samuel Dionne-Riel Date: Tue, 25 Dec 2018 18:58:04 -0500 Subject: nixos/sd-image-aarch64-new-kernel: Added to release This, paired with the previous commit, ensures the channel won't be held back from a kernel upgrade and a non-building sd image, while still having a new-kernel variant available. --- nixos/modules/installer/cd-dvd/sd-image-aarch64-new-kernel.nix | 7 +++++++ nixos/release.nix | 8 ++++++++ 2 files changed, 15 insertions(+) create mode 100644 nixos/modules/installer/cd-dvd/sd-image-aarch64-new-kernel.nix (limited to 'nixos') diff --git a/nixos/modules/installer/cd-dvd/sd-image-aarch64-new-kernel.nix b/nixos/modules/installer/cd-dvd/sd-image-aarch64-new-kernel.nix new file mode 100644 index 000000000000..2882fbcc7305 --- /dev/null +++ b/nixos/modules/installer/cd-dvd/sd-image-aarch64-new-kernel.nix @@ -0,0 +1,7 @@ +{ pkgs, ... }: + +{ + imports = [ ./sd-image-aarch64.nix ]; + + boot.kernelPackages = pkgs.linuxPackages_latest; +} diff --git a/nixos/release.nix b/nixos/release.nix index e7952b33de6b..df2c52ccd0b6 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -172,6 +172,14 @@ in rec { inherit system; }); + sd_image_new_kernel = forMatchingSystems [ "aarch64-linux" ] (system: makeSdImage { + module = { + aarch64-linux = ./modules/installer/cd-dvd/sd-image-aarch64-new-kernel.nix; + }.${system}; + type = "minimal-new-kernel"; + inherit system; + }); + # A bootable VirtualBox virtual appliance as an OVA file (i.e. packaged OVF). ova = forMatchingSystems [ "x86_64-linux" ] (system: -- cgit 1.4.1 From 9db84f6fcdb2616471abb6a427a2b21fe8a8255f Mon Sep 17 00:00:00 2001 From: Joachim Fasting Date: Sat, 24 Nov 2018 18:37:46 +0100 Subject: nixos/security/misc: use mkMerge for easier extension --- nixos/modules/security/misc.nix | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix index 42f872b7b088..f3fc6db22ead 100644 
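Review bot: Neither the new `sd-image-aarch64-new-kernel.nix` module nor the `sd_image_new_kernel` job in `release.nix` carries a comment saying why a second image exists, while the sibling `ova` job directly below it is documented; the reasoning lives only in the commit message. A header comment in the new module such as `# Variant of sd-image-aarch64 built against linuxPackages_latest, kept separate so a non-building kernel cannot hold back the channel` and a matching one-liner above `sd_image_new_kernel` would cover both hunks. The `type = "minimal-new-kernel"` string is presumably consumed by `makeSdImage` for the image name; that function is not in the hunk, so it is worth confirming the value is accepted.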
--- a/nixos/modules/security/misc.nix +++ b/nixos/modules/security/misc.nix @@ -24,16 +24,18 @@ with lib; }; }; - config = mkIf (!config.security.allowUserNamespaces) { - # Setting the number of allowed user namespaces to 0 effectively disables - # the feature at runtime. Note that root may raise the limit again - # at any time. - boot.kernel.sysctl."user.max_user_namespaces" = 0; + config = mkMerge [ + (mkIf (!config.security.allowUserNamespaces) { + # Setting the number of allowed user namespaces to 0 effectively disables + # the feature at runtime. Note that root may raise the limit again + # at any time. + boot.kernel.sysctl."user.max_user_namespaces" = 0; - assertions = [ - { assertion = config.nix.useSandbox -> config.security.allowUserNamespaces; - message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`."; - } - ]; - }; + assertions = [ + { assertion = config.nix.useSandbox -> config.security.allowUserNamespaces; + message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`."; + } + ]; + }) + ]; } -- cgit 1.4.1 From 84fb8820db6226a6e5333813d47da6d876243064 Mon Sep 17 00:00:00 2001 From: Joachim Fasting Date: Sun, 16 Dec 2018 10:37:36 +0100 Subject: nixos/security/misc: factor out protectKernelImage Introduces the option security.protectKernelImage that is intended to control various mitigations to protect the integrity of the running kernel image (i.e., prevent replacing it without rebooting). This makes sense as a dedicated module as it is otherwise somewhat difficult to override for hardened profile users who want e.g., hibernation to work. --- nixos/modules/profiles/hardened.nix | 8 ++------ nixos/modules/security/misc.nix | 15 +++++++++++++++ nixos/tests/hardened.nix | 6 ++++++ 3 files changed, 23 insertions(+), 6 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 61e871bcaca5..bad4cb81639d 100644 
--- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -20,6 +20,8 @@ with lib; security.allowUserNamespaces = mkDefault false; + security.protectKernelImage = mkDefault true; + security.apparmor.enable = mkDefault true; boot.kernelParams = [ @@ -28,9 +30,6 @@ with lib; # Disable legacy virtual syscalls "vsyscall=none" - - # Disable hibernation (allows replacing the running kernel) - "nohibernate" ]; boot.blacklistedKernelModules = [ @@ -44,9 +43,6 @@ with lib; # (e.g., parent/child) boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1; - # Prevent replacing the running kernel image w/o reboot - boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true; - # Restrict access to kernel ring buffer (information leaks) boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true; diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix index f3fc6db22ead..b1db0bc8da85 100644 --- a/nixos/modules/security/misc.nix +++ b/nixos/modules/security/misc.nix @@ -22,6 +22,14 @@ with lib; a user namespace fails with "no space left on device" (ENOSPC). ''; }; + + security.protectKernelImage = mkOption { + type = types.bool; + default = false; + description = '' + Whether to prevent replacing the running kernel image. + ''; + }; }; config = mkMerge [ @@ -37,5 +45,12 @@ with lib; } ]; }) + + (mkIf config.security.protectKernelImage { + # Disable hibernation (allows replacing the running kernel) + boot.kernelParams = [ "nohibernate" ]; + # Prevent replacing the running kernel image w/o reboot + boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true; + }) ]; } diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix index e10a6363164a..683f56c45af4 100644 --- a/nixos/tests/hardened.nix +++ b/nixos/tests/hardened.nix 
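Review bot: The description of `security.protectKernelImage`, `Whether to prevent replacing the running kernel image.`, does not tell the user what the option actually changes, and both effects are user-visible: the `nohibernate` kernel parameter disables suspend-to-disk, and `kernel.kexec_load_disabled` disables kexec and is, per the kernel's sysctl documentation, a one-way switch that cannot be cleared again without a reboot. I would extend the description to say that enabling the option adds `nohibernate` to `boot.kernelParams` and sets `kernel.kexec_load_disabled`, that hibernation therefore stops working, and that the kexec lock persists until the next boot even if the option is later turned off. The hardened.nix hunks in this commit only relocate these two settings into the module, so the same description serves profile users who want to override it.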
@@ -70,5 +70,11 @@ import ./make-test.nix ({ pkgs, ...} : { $machine->fail("su -l nobody -s /bin/sh -c 'nix ping-store'"); $machine->succeed("su -l alice -c 'nix ping-store'") =~ "OK"; }; + + # Test kernel image protection + subtest "kernelimage", sub { + $machine->fail("systemctl hibernate"); + $machine->fail("systemctl kexec"); + }; ''; }) -- cgit 1.4.1 From e9761fa3270c5182b488e483be1d97ed7e8a0fee Mon Sep 17 00:00:00 2001 From: Joachim Fasting Date: Wed, 26 Dec 2018 22:22:55 +0100 Subject: nixos/security/misc: expose l1tf mitigation option For the hardened profile enable flushing whenever the hypervisor enters the guest, but otherwise leave at kernel default (conditional flushing as of writing). --- nixos/modules/profiles/hardened.nix | 2 ++ nixos/modules/security/misc.nix | 39 +++++++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+) (limited to 'nixos') diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index bad4cb81639d..53aa4bae2624 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -22,6 +22,8 @@ with lib; security.protectKernelImage = mkDefault true; + security.virtualization.flushL1DataCache = mkDefault "always"; + security.apparmor.enable = mkDefault true; boot.kernelParams = [ diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix index b1db0bc8da85..735362729bfd 100644 --- a/nixos/modules/security/misc.nix +++ b/nixos/modules/security/misc.nix 
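Review bot: Both assertions in the new `kernelimage` subtest can pass for reasons unrelated to the mitigation: `systemctl hibernate` presumably also fails because the test VM has no swap device, and `systemctl kexec` may fail simply because no kernel has been loaded for kexec, so the subtest would keep passing if `protectKernelImage` stopped having any effect. Pinning the mechanism directly is cheap: `$machine->succeed("grep -qw nohibernate /proc/cmdline");` and `$machine->succeed("grep -qx 1 /proc/sys/kernel/kexec_load_disabled");`, kept alongside the two `fail` checks. The test script's outer block starts outside the hunk.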
@@ -30,6 +30,41 @@ with lib; Whether to prevent replacing the running kernel image. ''; }; + + security.virtualization.flushL1DataCache = mkOption { + type = types.nullOr (types.enum [ "never" "cond" "always" ]); + default = null; + description = '' + Whether the hypervisor should flush the L1 data cache before + entering guests. + + + + + + null + uses the kernel default + + + "never" + disables L1 data cache flushing entirely. + May be appropriate if all guests are trusted. + + + "cond" + flushes L1 data cache only for pre-determined + code paths. May leak information about the host address space + layout. + + + "always" + flushes L1 data cache every time the hypervisor + enters the guest. May incur significant performance cost. + + + + ''; + }; }; config = mkMerge [ @@ -52,5 +87,9 @@ with lib; # Prevent replacing the running kernel image w/o reboot boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true; }) + + (mkIf (config.security.virtualization.flushL1DataCache != null) { + boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualization.flushL1DataCache}" ]; + }) ]; } -- cgit 1.4.1 From ea4f37162767280bbed460dc7293b6738cb43bd5 Mon Sep 17 00:00:00 2001 From: Joachim Fasting Date: Wed, 26 Dec 2018 22:24:04 +0100 Subject: nixos/security/misc: expose SMT control option For the hardened profile disable symmetric multi threading. There seems to be no *proven* method of exploiting cache sharing between threads on the same CPU core, so this may be considered quite paranoid, considering the perf cost. SMT can be controlled at runtime, however. This is in keeping with OpenBSD defaults. TODO: since SMT is left to be controlled at runtime, changing the option definition should take effect on system activation. Write to /sys/devices/system/cpu/smt/control --- nixos/modules/profiles/hardened.nix | 2 ++ nixos/modules/security/misc.nix | 30 ++++++++++++++++++++++++++++++ 2 files changed, 32 insertions(+) (limited to 'nixos') 
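Review bot: The option is named generically (`security.virtualization.flushL1DataCache`), but the only thing the new `mkIf` block sets is `kvm-intel.vmentry_l1d_flush`, the Intel VMX backend's module parameter, so on an AMD host or under a hypervisor other than KVM the setting is silently ignored and the description does not say so. I would add to the description: `This option sets the kvm-intel.vmentry_l1d_flush kernel parameter and therefore only affects KVM guests on Intel hosts.` The value is drawn from a closed `types.enum`, so interpolating it into `boot.kernelParams` cannot smuggle in extra parameters; a short comment on the `mkIf` block saying the enum is what keeps that interpolation safe would discourage anyone from later widening the type to `types.str`.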
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 53aa4bae2624..a588943fe710 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -22,6 +22,8 @@ with lib; security.protectKernelImage = mkDefault true; + security.allowSimultaneousMultithreading = mkDefault false; + security.virtualization.flushL1DataCache = mkDefault "always"; security.apparmor.enable = mkDefault true; diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix index 735362729bfd..4506a67487d4 100644 --- a/nixos/modules/security/misc.nix +++ b/nixos/modules/security/misc.nix @@ -31,12 +31,38 @@ with lib; ''; }; + security.allowSimultaneousMultithreading = mkOption { + type = types.bool; + default = true; + description = '' + Whether to allow SMT/hyperthreading. Disabling SMT means that only + physical CPU cores will be usable at runtime, potentially at + significant performance cost. + + + + The primary motivation for disabling SMT is to mitigate the risk of + leaking data between threads running on the same CPU core (due to + e.g., shared caches). This attack vector is unproven. + + + + Disabling SMT is a supplement to the L1 data cache flushing mitigation + (see ) + versus malicious VM guests (SMT could "bring back" previously flushed + data). + + + ''; + }; + security.virtualization.flushL1DataCache = mkOption { type = types.nullOr (types.enum [ "never" "cond" "always" ]); default = null; description = '' Whether the hypervisor should flush the L1 data cache before entering guests. + See also . @@ -88,6 +114,10 @@ with lib; boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true; }) + (mkIf (!config.security.allowSimultaneousMultithreading) { + boot.kernelParams = [ "nosmt" ]; + }) + (mkIf (config.security.virtualization.flushL1DataCache != null) { boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualization.flushL1DataCache}" ]; }) -- cgit 1.4.1
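Review bot: `security.allowSimultaneousMultithreading = false` takes effect only through the `nosmt` kernel parameter, so flipping the option is a no-op until the next reboot, and the commit message's TODO about writing `/sys/devices/system/cpu/smt/control` at activation is not reflected in the option description. Users who expect `nixos-rebuild switch` to apply it will keep running with SMT enabled; the description should state `Changing this option takes effect at boot; SMT is not toggled at runtime.` The new `mkIf` block is the natural place for a `# TODO: apply via /sys/devices/system/cpu/smt/control on activation` comment so the gap is visible in the module rather than only in git history.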