nixos/security/misc: expose l1tf mitigation option
For the hardened profile enable flushing whenever the hypervisor enters the guest, but otherwise leave at kernel default (conditional flushing as of writing).
This commit is contained in:
parent
84fb8820db
commit
e9761fa327
2 changed files with 41 additions and 0 deletions
|
@ -22,6 +22,8 @@ with lib;
|
|||
|
||||
security.protectKernelImage = mkDefault true;
|
||||
|
||||
security.virtualization.flushL1DataCache = mkDefault "always";
|
||||
|
||||
security.apparmor.enable = mkDefault true;
|
||||
|
||||
boot.kernelParams = [
|
||||
|
|
|
@ -30,6 +30,41 @@ with lib;
|
|||
Whether to prevent replacing the running kernel image.
|
||||
'';
|
||||
};
|
||||
|
||||
security.virtualization.flushL1DataCache = mkOption {
|
||||
type = types.nullOr (types.enum [ "never" "cond" "always" ]);
|
||||
default = null;
|
||||
description = ''
|
||||
Whether the hypervisor should flush the L1 data cache before
|
||||
entering guests.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><literal>null</literal></term>
|
||||
<listitem><para>uses the kernel default</para></listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term><literal>"never"</literal></term>
|
||||
<listitem><para>disables L1 data cache flushing entirely.
|
||||
May be appropriate if all guests are trusted.</para></listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term><literal>"cond"</literal></term>
|
||||
<listitem><para>flushes L1 data cache only for pre-determined
|
||||
code paths. May leak information about the host address space
|
||||
layout.</para></listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term><literal>"always"</literal></term>
|
||||
<listitem><para>flushes L1 data cache every time the hypervisor
|
||||
enters the guest. May incur significant performance cost.
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = mkMerge [
|
||||
|
@ -52,5 +87,9 @@ with lib;
|
|||
# Prevent replacing the running kernel image w/o reboot
|
||||
boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
|
||||
})
|
||||
|
||||
(mkIf (config.security.virtualization.flushL1DataCache != null) {
|
||||
boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualization.flushL1DataCache}" ];
|
||||
})
|
||||
];
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue