From e9761fa3270c5182b488e483be1d97ed7e8a0fee Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Wed, 26 Dec 2018 22:22:55 +0100
Subject: [PATCH] nixos/security/misc: expose l1tf mitigation option

For the hardened profile enable flushing whenever the hypervisor enters the guest, but otherwise leave at kernel default (conditional flushing as of writing).
---
nixos/modules/profiles/hardened.nix | 2 ++
nixos/modules/security/misc.nix | 39 +++++++++++++++++++++++++++++
2 files changed, 41 insertions(+)

diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index bad4cb81639d..53aa4bae2624 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -22,6 +22,8 @@ with lib;
security.protectKernelImage = mkDefault true;
+ security.virtualization.flushL1DataCache = mkDefault "always";
+
security.apparmor.enable = mkDefault true;
boot.kernelParams = [
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix
index b1db0bc8da85..735362729bfd 100644
--- a/nixos/modules/security/misc.nix
+++ b/nixos/modules/security/misc.nix
@@ -30,6 +30,41 @@ with lib;
Whether to prevent replacing the running kernel image.
'';
};
+ security.virtualization.flushL1DataCache = mkOption {
type = types.nullOr (types.enum [ "never" "cond" "always" ]);
default = null;
description = ''
Whether the hypervisor should flush the L1 data cache before entering guests.
null uses the kernel default
"never" disables L1 data cache flushing entirely. May be appropriate if all guests are trusted.
"cond" flushes L1 data cache only for pre-determined code paths. May leak information about the host address space layout.
"always" flushes L1 data cache every time the hypervisor enters the guest. May incur significant performance cost.
'';
};
};
config = mkMerge [
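Review bot: Setting `security.virtualization.flushL1DataCache = mkDefault "always"` in the hardened profile only closes the VMENTER window of L1TF; with SMT enabled a guest vCPU on the sibling hyperthread can still sample the host's L1D while the other thread runs host code, which the kernel's L1TF admin guide treats as a separate mitigation (disabling SMT). If the profile is meant to give a complete L1TF mitigation for untrusted guests, consider also passing `l1tf=full,force` (or at least `nosmt`) in the profile's `boot.kernelParams`, which the hunk's last line shows is already set by this profile. Otherwise a comment next to the new line would keep users from over-trusting it: `# Full L1TF protection with untrusted guests also needs SMT off; see l1tf= in the kernel admin guide.` The enclosing attribute set starts before this hunk and its `boot.kernelParams` list continues past it.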
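Review bot: The description of the new `security.virtualization.flushL1DataCache` option never says which hypervisor or CPU it applies to, although the second hunk of this file shows it is forwarded verbatim to the `kvm-intel.vmentry_l1d_flush` module parameter. A user enabling it on an AMD host, or with a hypervisor other than KVM, gets no effect and no warning, so the first paragraph should say so: `This sets the kvm-intel.vmentry_l1d_flush module parameter and therefore only affects KVM guests on Intel CPUs; it has no effect on other hosts.` The `"never"` entry would also benefit from naming the threat it removes, e.g. `Leaves the host kernel's L1 data cache readable by guests via L1TF (CVE-2018-3646).`, so "all guests are trusted" is not read as merely a performance hint. I believe the kernel's global `l1tf=` command-line setting can also drive this parameter, so the `null` entry's "uses the kernel default" is worth qualifying as "whatever the kernel derives from its `l1tf=` setting" once that is confirmed against the admin guide. The enclosing `options` set starts before this hunk.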
@@ -52,5 +87,9 @@ with lib;
# Prevent replacing the running kernel image w/o reboot
boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
})
+
+ (mkIf (config.security.virtualization.flushL1DataCache != null) {
boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualization.flushL1DataCache}" ];
})
];
}
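Review bot: The new `mkIf` block appends `kvm-intel.vmentry_l1d_flush=…` to `boot.kernelParams` but nothing tells the operator how to confirm the setting actually took hold, which matters because the parameter is silently ignored on non-Intel hosts and, as far as I recall, can be overridden by a user-supplied `l1tf=` on the same command line since `boot.kernelParams` is a plain list that concatenates both. A comment above the `boot.kernelParams` line would make this checkable: `# Verify with /sys/module/kvm_intel/parameters/vmentry_l1d_flush and /sys/devices/system/cpu/vulnerabilities/l1tf; a user-set l1tf= kernel parameter may take precedence.` The interpolation itself is safe because the option is an enum, so no quoting issue arises here. The `config = mkMerge [` list that this block belongs to begins in the previous hunk.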