nixos/security/misc: expose l1tf mitigation option

For the hardened profile, enable flushing whenever the hypervisor enters the
guest; otherwise leave the setting at the kernel default (conditional flushing
as of writing).
Joachim Fasting 2018-12-26 22:22:55 +01:00
parent 84fb8820db
commit e9761fa327
No known key found for this signature in database
GPG key ID: 5C204DF675C90294
2 changed files with 41 additions and 0 deletions


@ -22,6 +22,8 @@ with lib;
security.protectKernelImage = mkDefault true;
security.virtualization.flushL1DataCache = mkDefault "always";
security.apparmor.enable = mkDefault true;
boot.kernelParams = [


@ -30,6 +30,41 @@ with lib;
Whether to prevent replacing the running kernel image.
'';
};
security.virtualization.flushL1DataCache = mkOption {
type = types.nullOr (types.enum [ "never" "cond" "always" ]);
default = null;
description = ''
Whether the hypervisor should flush the L1 data cache before
entering guests.
</para>
<para>
<variablelist>
<varlistentry>
<term><literal>null</literal></term>
<listitem><para>uses the kernel default</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>"never"</literal></term>
<listitem><para>disables L1 data cache flushing entirely.
May be appropriate if all guests are trusted.</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>"cond"</literal></term>
<listitem><para>flushes L1 data cache only for pre-determined
code paths. May leak information about the host address space
layout.</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>"always"</literal></term>
<listitem><para>flushes L1 data cache every time the hypervisor
enters the guest. May incur significant performance cost.
</para></listitem>
</varlistentry>
</variablelist>
'';
};
};
config = mkMerge [
@ -52,5 +87,9 @@ with lib;
# Prevent replacing the running kernel image w/o reboot
boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
})
(mkIf (config.security.virtualization.flushL1DataCache != null) {
boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualization.flushL1DataCache}" ];
})
];
}
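Review bot: The option description says "the hypervisor" in general, but the only thing the config hunk does is append `kvm-intel.vmentry_l1d_flush=...` to boot.kernelParams, so the setting is silent on any host that is not running the Intel KVM module (AMD hosts, Xen, or a system where KVM is never used), and a user reading only the description may believe they have changed something they have not. I would add to the description, right after the first sentence, `This only affects the Intel KVM module: it sets the kvm-intel.vmentry_l1d_flush kernel parameter and has no effect on other hypervisors.` It may also be worth a sentence noting that the kernel-wide l1tf mitigation parameter, when set to a forcing mode, can presumably override or lock this per-module value — worth confirming against the kernel documentation before stating it. Since the `null` case is documented as "uses the kernel default", a hedged pointer that the default is itself version-dependent would keep the commit message's "as of writing" caveat visible to users as well.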