public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Renaming security.virtualization.flushL1DataCache to virtualisation

Browse Source 
Fixes #65044
This commit is contained in:
Marek Mahut 2019-07-19 15:49:37 +02:00
parent 663542ad04
commit e72f25673d
3 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nixos/modules/profiles/hardened.nix
View File

@ -26,7 +26,7 @@ with lib;
security.allowSimultaneousMultithreading = mkDefault false; security.allowSimultaneousMultithreading = mkDefault false;
security.virtualization.flushL1DataCache = mkDefault "always"; security.virtualisation.flushL1DataCache = mkDefault "always";
security.apparmor.enable = mkDefault true; security.apparmor.enable = mkDefault true;

2
nixos/modules/rename.nix
View File

@ -63,6 +63,8 @@ with lib;
(mkRemovedOptionModule [ "security" "setuidOwners" ] "Use security.wrappers instead") (mkRemovedOptionModule [ "security" "setuidOwners" ] "Use security.wrappers instead")
(mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead") (mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead")
(mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ])
# PAM # PAM
(mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ]) (mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ])

8
nixos/modules/security/misc.nix
View File

@ -48,13 +48,13 @@ with lib;
e.g., shared caches). This attack vector is unproven. e.g., shared caches). This attack vector is unproven.
Disabling SMT is a supplement to the L1 data cache flushing mitigation Disabling SMT is a supplement to the L1 data cache flushing mitigation
(see <xref linkend="opt-security.virtualization.flushL1DataCache"/>) (see <xref linkend="opt-security.virtualisation.flushL1DataCache"/>)
versus malicious VM guests (SMT could "bring back" previously flushed versus malicious VM guests (SMT could "bring back" previously flushed
data). data).
''; '';
}; };
security.virtualization.flushL1DataCache = mkOption { security.virtualisation.flushL1DataCache = mkOption {
type = types.nullOr (types.enum [ "never" "cond" "always" ]); type = types.nullOr (types.enum [ "never" "cond" "always" ]);
default = null; default = null;
description = '' description = ''
@ -114,8 +114,8 @@ with lib;
boot.kernelParams = [ "nosmt" ]; boot.kernelParams = [ "nosmt" ];
}) })
(mkIf (config.security.virtualization.flushL1DataCache != null) { (mkIf (config.security.virtualisation.flushL1DataCache != null) {
boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualization.flushL1DataCache}" ]; boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualisation.flushL1DataCache}" ];
}) })
]; ];
} }