nixos/security/misc: expose l1tf mitigation option

For the hardened profile enable flushing whenever the hypervisor enters the guest, but otherwise leave at kernel default (conditional flushing as of writing).
author: Joachim Fasting <joachifm@fastmail.fm> 2018-12-26 22:22:55 +0100
committer: Joachim Fasting <joachifm@fastmail.fm> 2018-12-27 15:00:48 +0100
commit: e9761fa3270c5182b488e483be1d97ed7e8a0fee (patch)
tree: c8c05bcb285adaa499aede7c65b82c2c524a0767 /nixos/modules/profiles
parent: 84fb8820db6226a6e5333813d47da6d876243064 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index bad4cb81639d..53aa4bae2624 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -22,6 +22,8 @@ with lib;
 
   security.protectKernelImage = mkDefault true;
 
+  security.virtualization.flushL1DataCache = mkDefault "always";
+
   security.apparmor.enable = mkDefault true;
 
   boot.kernelParams = [
author	Joachim Fasting <joachifm@fastmail.fm>	2018-12-26 22:22:55 +0100
committer	Joachim Fasting <joachifm@fastmail.fm>	2018-12-27 15:00:48 +0100
commit	e9761fa3270c5182b488e483be1d97ed7e8a0fee (patch)
tree	c8c05bcb285adaa499aede7c65b82c2c524a0767 /nixos/modules/profiles
parent	84fb8820db6226a6e5333813d47da6d876243064 (diff)