nixpkgs/nixos/modules/security/misc.nix

{ config, lib, ... }:

with lib;

{
  meta = {
    maintainers = [ maintainers.joachifm ];
  };

  options = {
    security.allowUserNamespaces = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Whether to allow creation of user namespaces.

        The motivation for disabling user namespaces is the potential
        presence of code paths where the kernel's permission checking
        logic fails to account for namespacing, instead permitting a
        namespaced process to act outside the namespace with the same
        privileges as it would have inside it.  This is particularly
        damaging in the common case of running as root within the namespace.

        When user namespace creation is disallowed, attempting to create a
        user namespace fails with "no space left on device" (ENOSPC).
        root may re-enable user namespace creation at runtime.
      '';
    };

    security.protectKernelImage = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to prevent replacing the running kernel image.
      '';
    };

    security.allowSimultaneousMultithreading = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Whether to allow SMT/hyperthreading.  Disabling SMT means that only
        physical CPU cores will be usable at runtime, potentially at
        significant performance cost.

        The primary motivation for disabling SMT is to mitigate the risk of
        leaking data between threads running on the same CPU core (due to
        e.g., shared caches).  This attack vector is unproven.

        Disabling SMT is a supplement to the L1 data cache flushing mitigation
        (see <xref linkend="opt-security.virtualisation.flushL1DataCache"/>)
        versus malicious VM guests (SMT could "bring back" previously flushed
        data).
      '';
    };

    security.forcePageTableIsolation = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to force-enable the Page Table Isolation (PTI) Linux kernel
        feature even on CPU models that claim to be safe from Meltdown.

        This hardening feature is most beneficial to systems that run untrusted
        workloads that rely on address space isolation for security.
      '';
    };

    security.virtualisation.flushL1DataCache = mkOption {
      type = types.nullOr (types.enum [ "never" "cond" "always" ]);
      default = null;
      description = ''
        Whether the hypervisor should flush the L1 data cache before
        entering guests.
        See also <xref linkend="opt-security.allowSimultaneousMultithreading"/>.

        <variablelist>
          <varlistentry>
            <term><literal>null</literal></term>
            <listitem><para>uses the kernel default</para></listitem>
          </varlistentry>
          <varlistentry>
            <term><literal>"never"</literal></term>
            <listitem><para>disables L1 data cache flushing entirely.
            May be appropriate if all guests are trusted.</para></listitem>
          </varlistentry>
          <varlistentry>
            <term><literal>"cond"</literal></term>
            <listitem><para>flushes L1 data cache only for pre-determined
            code paths.  May leak information about the host address space
            layout.</para></listitem>
          </varlistentry>
          <varlistentry>
            <term><literal>"always"</literal></term>
            <listitem><para>flushes L1 data cache every time the hypervisor
            enters the guest.  May incur significant performance cost.
            </para></listitem>
          </varlistentry>
        </variablelist>
      '';
    };
  };

  config = mkMerge [
    (mkIf (!config.security.allowUserNamespaces) {
      # Setting the number of allowed user namespaces to 0 effectively disables
      # the feature at runtime.  Note that root may raise the limit again
      # at any time.
      boot.kernel.sysctl."user.max_user_namespaces" = 0;

      assertions = [
        { assertion = config.nix.useSandbox -> config.security.allowUserNamespaces;
          message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`.";
        }
      ];
    })

    (mkIf config.security.protectKernelImage {
      # Disable hibernation (allows replacing the running kernel)
      boot.kernelParams = [ "nohibernate" ];
      # Prevent replacing the running kernel image w/o reboot
      boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
    })

    (mkIf (!config.security.allowSimultaneousMultithreading) {
      boot.kernelParams = [ "nosmt" ];
    })

    (mkIf config.security.forcePageTableIsolation {
      boot.kernelParams = [ "pti=on" ];
    })

    (mkIf (config.security.virtualisation.flushL1DataCache != null) {
      boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualisation.flushL1DataCache}" ];
    })
  ];
}
nixos/security/misc: init A module for security options that are too small to warrant their own module. The impetus for adding this module is to make it more convenient to override the behavior of the hardened profile wrt user namespaces. Without a dedicated option for user namespaces, the user needs to 1) know which sysctl knob controls userns 2) know how large a value the sysctl knob needs to allow e.g., Nix sandbox builds to work In the future, other mitigations currently enabled by the hardened profile may be promoted to options in this module. 2018-10-15 00:39:26 +02:00			`{ config, lib, ... }:`

			`with lib;`

			`{`
			`meta = {`
			`maintainers = [ maintainers.joachifm ];`
			`};`

			`options = {`
			`security.allowUserNamespaces = mkOption {`
			`type = types.bool;`
			`default = true;`
			`description = ''`
nixos/hardened: split description of allowUserNamespaces into paras 2019-04-21 11:50:52 +02:00			`Whether to allow creation of user namespaces.`

			`The motivation for disabling user namespaces is the potential`
			`presence of code paths where the kernel's permission checking`
			`logic fails to account for namespacing, instead permitting a`
			`namespaced process to act outside the namespace with the same`
			`privileges as it would have inside it. This is particularly`
nixos/security/misc: init A module for security options that are too small to warrant their own module. The impetus for adding this module is to make it more convenient to override the behavior of the hardened profile wrt user namespaces. Without a dedicated option for user namespaces, the user needs to 1) know which sysctl knob controls userns 2) know how large a value the sysctl knob needs to allow e.g., Nix sandbox builds to work In the future, other mitigations currently enabled by the hardened profile may be promoted to options in this module. 2018-10-15 00:39:26 +02:00			`damaging in the common case of running as root within the namespace.`
nixos/hardened: split description of allowUserNamespaces into paras 2019-04-21 11:50:52 +02:00
			`When user namespace creation is disallowed, attempting to create a`
			`user namespace fails with "no space left on device" (ENOSPC).`
			`root may re-enable user namespace creation at runtime.`
nixos/security/misc: init A module for security options that are too small to warrant their own module. The impetus for adding this module is to make it more convenient to override the behavior of the hardened profile wrt user namespaces. Without a dedicated option for user namespaces, the user needs to 1) know which sysctl knob controls userns 2) know how large a value the sysctl knob needs to allow e.g., Nix sandbox builds to work In the future, other mitigations currently enabled by the hardened profile may be promoted to options in this module. 2018-10-15 00:39:26 +02:00			`'';`
			`};`
nixos/security/misc: factor out protectKernelImage Introduces the option security.protectKernelImage that is intended to control various mitigations to protect the integrity of the running kernel image (i.e., prevent replacing it without rebooting). This makes sense as a dedicated module as it is otherwise somewhat difficult to override for hardened profile users who want e.g., hibernation to work. 2018-12-16 10:37:36 +01:00
			`security.protectKernelImage = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = ''`
			`Whether to prevent replacing the running kernel image.`
			`'';`
			`};`
nixos/security/misc: expose l1tf mitigation option For the hardened profile enable flushing whenever the hypervisor enters the guest, but otherwise leave at kernel default (conditional flushing as of writing). 2018-12-26 22:22:55 +01:00
nixos/security/misc: expose SMT control option For the hardened profile disable symmetric multi threading. There seems to be no proven method of exploiting cache sharing between threads on the same CPU core, so this may be considered quite paranoid, considering the perf cost. SMT can be controlled at runtime, however. This is in keeping with OpenBSD defaults. TODO: since SMT is left to be controlled at runtime, changing the option definition should take effect on system activation. Write to /sys/devices/system/cpu/smt/control 2018-12-26 22:24:04 +01:00			`security.allowSimultaneousMultithreading = mkOption {`
			`type = types.bool;`
			`default = true;`
			`description = ''`
			`Whether to allow SMT/hyperthreading. Disabling SMT means that only`
			`physical CPU cores will be usable at runtime, potentially at`
			`significant performance cost.`

			`The primary motivation for disabling SMT is to mitigate the risk of`
			`leaking data between threads running on the same CPU core (due to`
			`e.g., shared caches). This attack vector is unproven.`

			`Disabling SMT is a supplement to the L1 data cache flushing mitigation`
Renaming security.virtualization.flushL1DataCache to virtualisation Fixes #65044 2019-07-19 15:49:37 +02:00			`(see <xref linkend="opt-security.virtualisation.flushL1DataCache"/>)`
nixos/security/misc: expose SMT control option For the hardened profile disable symmetric multi threading. There seems to be no proven method of exploiting cache sharing between threads on the same CPU core, so this may be considered quite paranoid, considering the perf cost. SMT can be controlled at runtime, however. This is in keeping with OpenBSD defaults. TODO: since SMT is left to be controlled at runtime, changing the option definition should take effect on system activation. Write to /sys/devices/system/cpu/smt/control 2018-12-26 22:24:04 +01:00			`versus malicious VM guests (SMT could "bring back" previously flushed`
			`data).`
			`'';`
			`};`

nixos/hardened: make pti=on overridable Introduces a new security.forcePageTableIsolation option (default false on !hardened, true on hardened) that forces pti=on. 2019-07-30 02:24:56 +02:00			`security.forcePageTableIsolation = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = ''`
			`Whether to force-enable the Page Table Isolation (PTI) Linux kernel`
			`feature even on CPU models that claim to be safe from Meltdown.`

			`This hardening feature is most beneficial to systems that run untrusted`
			`workloads that rely on address space isolation for security.`
			`'';`
			`};`

Renaming security.virtualization.flushL1DataCache to virtualisation Fixes #65044 2019-07-19 15:49:37 +02:00			`security.virtualisation.flushL1DataCache = mkOption {`
nixos/security/misc: expose l1tf mitigation option For the hardened profile enable flushing whenever the hypervisor enters the guest, but otherwise leave at kernel default (conditional flushing as of writing). 2018-12-26 22:22:55 +01:00			`type = types.nullOr (types.enum [ "never" "cond" "always" ]);`
			`default = null;`
			`description = ''`
			`Whether the hypervisor should flush the L1 data cache before`
			`entering guests.`
nixos/security/misc: expose SMT control option For the hardened profile disable symmetric multi threading. There seems to be no proven method of exploiting cache sharing between threads on the same CPU core, so this may be considered quite paranoid, considering the perf cost. SMT can be controlled at runtime, however. This is in keeping with OpenBSD defaults. TODO: since SMT is left to be controlled at runtime, changing the option definition should take effect on system activation. Write to /sys/devices/system/cpu/smt/control 2018-12-26 22:24:04 +01:00			`See also <xref linkend="opt-security.allowSimultaneousMultithreading"/>.`
nixos/security/misc: expose l1tf mitigation option For the hardened profile enable flushing whenever the hypervisor enters the guest, but otherwise leave at kernel default (conditional flushing as of writing). 2018-12-26 22:22:55 +01:00
FIx some malformed XML in option descriptions E.g. these were using "<para>" at the end of a description. The real WTF is that this is possible at all... 2019-05-13 09:15:17 +02:00			`<variablelist>`
nixos/security/misc: expose l1tf mitigation option For the hardened profile enable flushing whenever the hypervisor enters the guest, but otherwise leave at kernel default (conditional flushing as of writing). 2018-12-26 22:22:55 +01:00			`<varlistentry>`
			`<term><literal>null</literal></term>`
			`<listitem><para>uses the kernel default</para></listitem>`
			`</varlistentry>`
			`<varlistentry>`
			`<term><literal>"never"</literal></term>`
			`<listitem><para>disables L1 data cache flushing entirely.`
			`May be appropriate if all guests are trusted.</para></listitem>`
			`</varlistentry>`
			`<varlistentry>`
			`<term><literal>"cond"</literal></term>`
			`<listitem><para>flushes L1 data cache only for pre-determined`
			`code paths. May leak information about the host address space`
			`layout.</para></listitem>`
			`</varlistentry>`
			`<varlistentry>`
			`<term><literal>"always"</literal></term>`
			`<listitem><para>flushes L1 data cache every time the hypervisor`
			`enters the guest. May incur significant performance cost.`
			`</para></listitem>`
			`</varlistentry>`
FIx some malformed XML in option descriptions E.g. these were using "<para>" at the end of a description. The real WTF is that this is possible at all... 2019-05-13 09:15:17 +02:00			`</variablelist>`
nixos/security/misc: expose l1tf mitigation option For the hardened profile enable flushing whenever the hypervisor enters the guest, but otherwise leave at kernel default (conditional flushing as of writing). 2018-12-26 22:22:55 +01:00			`'';`
			`};`
nixos/security/misc: init A module for security options that are too small to warrant their own module. The impetus for adding this module is to make it more convenient to override the behavior of the hardened profile wrt user namespaces. Without a dedicated option for user namespaces, the user needs to 1) know which sysctl knob controls userns 2) know how large a value the sysctl knob needs to allow e.g., Nix sandbox builds to work In the future, other mitigations currently enabled by the hardened profile may be promoted to options in this module. 2018-10-15 00:39:26 +02:00			`};`

nixos/security/misc: use mkMerge for easier extension 2018-11-24 18:37:46 +01:00			`config = mkMerge [`
			`(mkIf (!config.security.allowUserNamespaces) {`
			`# Setting the number of allowed user namespaces to 0 effectively disables`
			`# the feature at runtime. Note that root may raise the limit again`
			`# at any time.`
			`boot.kernel.sysctl."user.max_user_namespaces" = 0;`
nixos/security/misc: init A module for security options that are too small to warrant their own module. The impetus for adding this module is to make it more convenient to override the behavior of the hardened profile wrt user namespaces. Without a dedicated option for user namespaces, the user needs to 1) know which sysctl knob controls userns 2) know how large a value the sysctl knob needs to allow e.g., Nix sandbox builds to work In the future, other mitigations currently enabled by the hardened profile may be promoted to options in this module. 2018-10-15 00:39:26 +02:00
nixos/security/misc: use mkMerge for easier extension 2018-11-24 18:37:46 +01:00			`assertions = [`
			`{ assertion = config.nix.useSandbox -> config.security.allowUserNamespaces;`
			message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`.";
			`}`
			`];`
			`})`
nixos/security/misc: factor out protectKernelImage Introduces the option security.protectKernelImage that is intended to control various mitigations to protect the integrity of the running kernel image (i.e., prevent replacing it without rebooting). This makes sense as a dedicated module as it is otherwise somewhat difficult to override for hardened profile users who want e.g., hibernation to work. 2018-12-16 10:37:36 +01:00
			`(mkIf config.security.protectKernelImage {`
			`# Disable hibernation (allows replacing the running kernel)`
			`boot.kernelParams = [ "nohibernate" ];`
			`# Prevent replacing the running kernel image w/o reboot`
			`boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;`
			`})`
nixos/security/misc: expose l1tf mitigation option For the hardened profile enable flushing whenever the hypervisor enters the guest, but otherwise leave at kernel default (conditional flushing as of writing). 2018-12-26 22:22:55 +01:00
nixos/security/misc: expose SMT control option For the hardened profile disable symmetric multi threading. There seems to be no proven method of exploiting cache sharing between threads on the same CPU core, so this may be considered quite paranoid, considering the perf cost. SMT can be controlled at runtime, however. This is in keeping with OpenBSD defaults. TODO: since SMT is left to be controlled at runtime, changing the option definition should take effect on system activation. Write to /sys/devices/system/cpu/smt/control 2018-12-26 22:24:04 +01:00			`(mkIf (!config.security.allowSimultaneousMultithreading) {`
			`boot.kernelParams = [ "nosmt" ];`
			`})`

nixos/hardened: make pti=on overridable Introduces a new security.forcePageTableIsolation option (default false on !hardened, true on hardened) that forces pti=on. 2019-07-30 02:24:56 +02:00			`(mkIf config.security.forcePageTableIsolation {`
			`boot.kernelParams = [ "pti=on" ];`
			`})`

Renaming security.virtualization.flushL1DataCache to virtualisation Fixes #65044 2019-07-19 15:49:37 +02:00			`(mkIf (config.security.virtualisation.flushL1DataCache != null) {`
			`boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualisation.flushL1DataCache}" ];`
nixos/security/misc: expose l1tf mitigation option For the hardened profile enable flushing whenever the hypervisor enters the guest, but otherwise leave at kernel default (conditional flushing as of writing). 2018-12-26 22:22:55 +01:00			`})`
nixos/security/misc: use mkMerge for easier extension 2018-11-24 18:37:46 +01:00			`];`
nixos/security/misc: init A module for security options that are too small to warrant their own module. The impetus for adding this module is to make it more convenient to override the behavior of the hardened profile wrt user namespaces. Without a dedicated option for user namespaces, the user needs to 1) know which sysctl knob controls userns 2) know how large a value the sysctl knob needs to allow e.g., Nix sandbox builds to work In the future, other mitigations currently enabled by the hardened profile may be promoted to options in this module. 2018-10-15 00:39:26 +02:00			`}`