nixos/hardened profile: always enable pti

2019-01-05 13:50:36 +01:00
parent 3f1f443125
commit 167578163a
1 changed files with 3 additions and 0 deletions
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -40,6 +40,9 @@ with lib;

    # Disable legacy virtual syscalls
    "vsyscall=none"
+
+    # Enable PTI even if CPU claims to be safe from meltdown
+    "pti=on"
  ];

  boot.blacklistedKernelModules = [