author | Joachim Fasting <joachifm@fastmail.fm> | 2018-12-26 22:22:55 +0100
---|---|---
committer | Joachim Fasting <joachifm@fastmail.fm> | 2018-12-27 15:00:48 +0100
commit | e9761fa3270c5182b488e483be1d97ed7e8a0fee |
tree | c8c05bcb285adaa499aede7c65b82c2c524a0767 /nixos/modules/profiles |
parent | 84fb8820db6226a6e5333813d47da6d876243064 |
nixos/security/misc: expose l1tf mitigation option
For the hardened profile enable flushing whenever the hypervisor enters the
guest, but otherwise leave at kernel default (conditional flushing as of
writing).
Diffstat (limited to 'nixos/modules/profiles')
-rw-r--r-- | nixos/modules/profiles/hardened.nix | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index bad4cb81639d..53aa4bae2624 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -22,6 +22,8 @@ with lib; security.protectKernelImage = mkDefault true; + security.virtualization.flushL1DataCache = mkDefault "always"; + security.apparmor.enable = mkDefault true; boot.kernelParams = [ |
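Review bot: The added `security.virtualization.flushL1DataCache = mkDefault "always";` line in hardened.nix, placed between `security.protectKernelImage` and `security.apparmor.enable`, has no comment saying what it mitigates or what "always" changes. The commit message explains that this flushes whenever the hypervisor enters the guest, while the kernel default is conditional flushing; a one-line comment to that effect, naming L1TF, would tell users who run virtual machines under the hardened profile why the value is set and that `mkDefault` leaves them free to override it. This view is limited to nixos/modules/profiles, so the option's declaration is not visible here: worth confirming in the rest of the commit that "always" is one of the values the option accepts and that its description documents the alternatives.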