path: root/nixos/modules/profiles
author    Joachim Fasting <joachifm@fastmail.fm>  2018-12-26 22:24:04 +0100
committer Joachim Fasting <joachifm@fastmail.fm>  2018-12-27 15:00:49 +0100
commit    ea4f37162767280bbed460dc7293b6738cb43bd5 (patch)
tree      8c3eeee0192429af81dfa93ea84d465765edaa65 /nixos/modules/profiles
parent    e9761fa3270c5182b488e483be1d97ed7e8a0fee (diff)
nixos/security/misc: expose SMT control option
For the hardened profile disable symmetric multi threading. There seems to be no *proven* method of exploiting cache sharing between threads on the same CPU core, so this may be considered quite paranoid, considering the perf cost. SMT can be controlled at runtime, however. This is in keeping with OpenBSD defaults.

TODO: since SMT is left to be controlled at runtime, changing the option definition should take effect on system activation. Write to /sys/devices/system/cpu/smt/control
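The runtime control the commit message's TODO points at is the Linux sysfs SMT interface. The following is an added example, not code from this commit or from NixOS: POSIX shell functions that read the kernel's SMT control state, flip it, and verify the result, which is the check a practitioner would run after switching the profile's default (and roughly what an activation script would have to do). It assumes a kernel that exposes `/sys/devices/system/cpu/smt/{control,active}` (the interface that shipped with the 2018 L1TF mitigations), where `control` reads back one of `on`, `off`, `forceoff`, `notsupported` or `notimplemented` and accepts `on`, `off` or `forceoff` on write. The `SMT_SYSFS` variable, the function names and the `smt_enforce_off` helper are this example's own choices; the path is overridable so the logic can be exercised against a constructed fake tree without root.

```shell
#!/usr/bin/env sh
# Added example: inspect and change SMT state through the Linux sysfs
# control file (/sys/devices/system/cpu/smt/control). Not part of the
# NixOS commit. SMT_SYSFS is overridable so the functions can be tested
# against a constructed directory instead of the live kernel interface.
SMT_SYSFS="${SMT_SYSFS:-/sys/devices/system/cpu/smt}"

# smt_control: print the kernel's SMT control state, or "unavailable"
# when the kernel does not expose the interface at all.
smt_control() {
    if [ -r "$SMT_SYSFS/control" ]; then
        cat "$SMT_SYSFS/control"
    else
        echo unavailable
    fi
}

# smt_active: succeed (0) if sibling threads are currently online.
smt_active() {
    [ -r "$SMT_SYSFS/active" ] && [ "$(cat "$SMT_SYSFS/active")" = 1 ]
}

# smt_set on|off|forceoff: write the requested state and read it back.
# Fails when the interface is missing, the kernel reports the state as
# unchangeable (notsupported/notimplemented, or forceoff, which sticks
# until reboot like the nosmt=force boot parameter), the write is refused
# (typically: not root), or the read-back does not match.
smt_set() {
    want="$1"
    case "$want" in
        on|off|forceoff) ;;
        *) echo "smt_set: invalid state '$want'" >&2; return 2 ;;
    esac
    cur="$(smt_control)"
    case "$cur" in
        notsupported|notimplemented|unavailable|forceoff)
            echo "smt_set: cannot change SMT (state: $cur)" >&2
            return 1 ;;
    esac
    if ! printf '%s\n' "$want" > "$SMT_SYSFS/control" 2>/dev/null; then
        echo "smt_set: write to $SMT_SYSFS/control failed (need root?)" >&2
        return 1
    fi
    [ "$(smt_control)" = "$want" ]
}

# smt_enforce_off: what an activation step for allowSimultaneousMultithreading
# = false would do: turn SMT off only if it is currently on, treat an
# already-off (or forced-off) system as done, and fail on anything else.
smt_enforce_off() {
    case "$(smt_control)" in
        on) smt_set off ;;
        off|forceoff) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run `smt_control` before and after a `nixos-rebuild switch` to see whether the new default actually reached the kernel; `forceoff` is the stricter choice for a hardened host because it cannot be undone from userspace, but it also cannot be undone by a later rebuild without a reboot.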
Diffstat (limited to 'nixos/modules/profiles')
-rw-r--r--  nixos/modules/profiles/hardened.nix  2
1 files changed, 2 insertions, 0 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 53aa4bae2624..a588943fe710 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -22,6 +22,8 @@ with lib;
security.protectKernelImage = mkDefault true;
+ security.allowSimultaneousMultithreading = mkDefault false;
+
security.virtualization.flushL1DataCache = mkDefault "always";
security.apparmor.enable = mkDefault true;
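Review bot: The option set on the added line is `security.allowSimultaneousMultithreading`, but the commit message describes the feature as "symmetric multi threading"; the option name is the correct expansion of SMT, so the message and any option description should say "simultaneous multithreading" to match. Two further points for this hunk: the definition of the option is not in this diff (the title places it in nixos/security/misc, and the diffstat is limited to nixos/modules/profiles), so how `false` is actually enforced cannot be reviewed from the profile change alone; and the message's own TODO states that a changed value does not yet take effect on activation, so until `/sys/devices/system/cpu/smt/control` is written during activation this new hardened default only applies after a reboot, which should be noted in a comment beside `security.allowSimultaneousMultithreading = mkDefault false;` or in the option's description. Using `mkDefault` is consistent with the neighbouring settings and keeps the setting overridable for users who decide the perf cost the message acknowledges is not worth it.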