diff options
| author | Pierre Bourdon <delroth@gmail.com> | 2019-07-30 02:24:56 +0200 |
|---|---|---|
| committer | Pierre Bourdon <delroth@gmail.com> | 2019-07-30 02:24:56 +0200 |
| commit | 67b7e70865896433f01ca173eda8f5217eae4d49 (patch) | |
| tree | 677e7ac0afa58bcf87726c0bcee39fc2704aac11 /nixos/modules/profiles | |
| parent | fd2b2b5cd56a5be788fa88dcd9605a3a5bb5ecc7 (diff) | |
nixos/hardened: make pti=on overridable
Introduces a new security.forcePageTableIsolation option (default false
on !hardened, true on hardened) that forces pti=on.
Diffstat (limited to 'nixos/modules/profiles')
| -rw-r--r-- | nixos/modules/profiles/hardened.nix | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 29c3f2f8bbf8..9e9ddd4f3788 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -26,6 +26,8 @@ with lib; security.allowSimultaneousMultithreading = mkDefault false; + security.forcePageTableIsolation = mkDefault true; + security.virtualisation.flushL1DataCache = mkDefault "always"; security.apparmor.enable = mkDefault true; @@ -42,9 +44,6 @@ with lib; # Disable legacy virtual syscalls "vsyscall=none" - - # Enable PTI even if CPU claims to be safe from meltdown - "pti=on" ]; boot.blacklistedKernelModules = [ |