nixos/hardened: make pti=on overridable
Introduces a new security.forcePageTableIsolation option (default false on !hardened, true on hardened) that forces pti=on.
This commit is contained in:
parent
fd2b2b5cd5
commit
67b7e70865
|
@ -26,6 +26,8 @@ with lib;
|
|||
|
||||
security.allowSimultaneousMultithreading = mkDefault false;
|
||||
|
||||
security.forcePageTableIsolation = mkDefault true;
|
||||
|
||||
security.virtualisation.flushL1DataCache = mkDefault "always";
|
||||
|
||||
security.apparmor.enable = mkDefault true;
|
||||
|
@ -42,9 +44,6 @@ with lib;
|
|||
|
||||
# Disable legacy virtual syscalls
|
||||
"vsyscall=none"
|
||||
|
||||
# Enable PTI even if CPU claims to be safe from meltdown
|
||||
"pti=on"
|
||||
];
|
||||
|
||||
boot.blacklistedKernelModules = [
|
||||
|
|
|
@ -54,6 +54,18 @@ with lib;
|
|||
'';
|
||||
};
|
||||
|
||||
security.forcePageTableIsolation = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to force-enable the Page Table Isolation (PTI) Linux kernel
|
||||
feature even on CPU models that claim to be safe from Meltdown.
|
||||
|
||||
This hardening feature is most beneficial to systems that run untrusted
|
||||
workloads that rely on address space isolation for security.
|
||||
'';
|
||||
};
|
||||
|
||||
security.virtualisation.flushL1DataCache = mkOption {
|
||||
type = types.nullOr (types.enum [ "never" "cond" "always" ]);
|
||||
default = null;
|
||||
|
@ -114,6 +126,10 @@ with lib;
|
|||
boot.kernelParams = [ "nosmt" ];
|
||||
})
|
||||
|
||||
(mkIf config.security.forcePageTableIsolation {
|
||||
boot.kernelParams = [ "pti=on" ];
|
||||
})
|
||||
|
||||
(mkIf (config.security.virtualisation.flushL1DataCache != null) {
|
||||
boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualisation.flushL1DataCache}" ];
|
||||
})
|
||||
|
|
Loading…
Reference in New Issue