diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index bad4cb81639..53aa4bae262 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -22,6 +22,8 @@ with lib;
 security.protectKernelImage = mkDefault true;
+ security.virtualization.flushL1DataCache = mkDefault "always";
+
 security.apparmor.enable = mkDefault true;
 boot.kernelParams = [
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix
index b1db0bc8da8..735362729bf 100644
--- a/nixos/modules/security/misc.nix
+++ b/nixos/modules/security/misc.nix
@@ -30,6 +30,41 @@ with lib;
 Whether to prevent replacing the running kernel image.
 '';
 };
+
+ security.virtualization.flushL1DataCache = mkOption {
+ type = types.nullOr (types.enum [ "never" "cond" "always" ]);
+ default = null;
+ description = ''
+ Whether the hypervisor should flush the L1 data cache before
+ entering guests.
+
+
+
+
+
+ null
+ uses the kernel default
+
+
+ "never"
+ disables L1 data cache flushing entirely.
+ May be appropriate if all guests are trusted.
+
+
+ "cond"
+ flushes L1 data cache only for pre-determined
+ code paths. May leak information about the host address space
+ layout.
+
+
+ "always"
+ flushes L1 data cache every time the hypervisor
+ enters the guest. May incur significant performance cost.
+
+
+
+ '';
+ };
 };
 config = mkMerge [
@@ -52,5 +87,9 @@ with lib;
 # Prevent replacing the running kernel image w/o reboot
 boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
 })
+
+ (mkIf (config.security.virtualization.flushL1DataCache != null) {
+ boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualization.flushL1DataCache}" ];
+ })
 ];
 }
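Review bot: The hardened profile forces `flushL1DataCache = "always"` without a comment on what it costs or where it takes effect, and the reader has to open misc.nix to learn that it only emits a `kvm-intel` kernel parameter. On hosts without Intel KVM the setting is therefore a silent no-op, while on Intel KVM hosts every VM entry pays a full L1D flush, which is the right default for a hardened profile but worth stating at the point of use. A one-line comment above the new line would do, e.g. `# L1TF mitigation: flush L1D on every VM entry (kvm-intel only; noticeable VM entry/exit cost)`. Since mkDefault is used, users who accept the "cond" trade-off can still override it.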
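Review bot: The option is named `security.virtualization.*` while the existing NixOS namespace for this area is spelled `virtualisation.*` (British spelling), so the new name will be hard to discover and inconsistent with the rest of the option tree; the same spelling is used in the hardened.nix hunk and in the `mkIf` hunk below, so a rename would touch all three. The description also promises a generic "hypervisor" behaviour, but the implementation in the later hunk only sets a `kvm-intel` module parameter, so the text should say that the option currently affects Intel KVM hosts only and is ignored elsewhere; a sentence such as "Currently only affects the kvm-intel module; other hypervisors and AMD hosts ignore this option." after "entering guests." would close that gap. The description's value list lost its markup in this view, so I cannot judge its formatting. The surrounding `options` attribute set starts outside the hunk.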
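Review bot: The `mkIf` block translates a generically named option into an Intel-specific kernel parameter with no comment explaining the mapping or how an operator can confirm it took effect. I would add above the `boot.kernelParams` line: `# Only honoured by kvm-intel; the effective mode is visible in /sys/module/kvm_intel/parameters/vmentry_l1d_flush and the overall L1TF status in /sys/devices/system/cpu/vulnerabilities/l1tf`. The string interpolation is safe as written because the enum type bounds the value to `never`/`cond`/`always`, so no escaping is needed. If a user also sets an `l1tf=` parameter in `boot.kernelParams`, the two presumably interact (the kernel documents `l1tf=full,force` as locking the flush mode), which is worth a sentence in the option description. The enclosing `config = mkMerge [` list begins outside this hunk.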