diff options
author | Joachim Fasting <joachifm@fastmail.fm> | 2018-12-26 22:24:04 +0100 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2018-12-27 15:00:49 +0100 |
commit | ea4f37162767280bbed460dc7293b6738cb43bd5 (patch) | |
tree | 8c3eeee0192429af81dfa93ea84d465765edaa65 /nixos/modules/profiles | |
parent | e9761fa3270c5182b488e483be1d97ed7e8a0fee (diff) |
nixos/security/misc: expose SMT control option
For the hardened profile disable symmetric multi threading. There seems to be
no *proven* method of exploiting cache sharing between threads on the same CPU
core, so this may be considered quite paranoid, considering the perf cost.
SMT can be controlled at runtime, however. This is in keeping with OpenBSD
defaults.
TODO: since SMT is left to be controlled at runtime, changing the option
definition should take effect on system activation. Write to
/sys/devices/system/cpu/smt/control
Diffstat (limited to 'nixos/modules/profiles')
-rw-r--r-- | nixos/modules/profiles/hardened.nix | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 53aa4bae2624..a588943fe710 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -22,6 +22,8 @@ with lib; security.protectKernelImage = mkDefault true; + security.allowSimultaneousMultithreading = mkDefault false; + security.virtualization.flushL1DataCache = mkDefault "always"; security.apparmor.enable = mkDefault true; |