authorJoachim Fasting <joachifm@fastmail.fm>2018-12-26 22:22:55 +0100
committerJoachim Fasting <joachifm@fastmail.fm>2018-12-27 15:00:48 +0100
commite9761fa3270c5182b488e483be1d97ed7e8a0fee (patch)
treec8c05bcb285adaa499aede7c65b82c2c524a0767 /nixos/modules/security
parent84fb8820db6226a6e5333813d47da6d876243064 (diff)
nixos/security/misc: expose l1tf mitigation option
For the hardened profile, enable flushing whenever the hypervisor enters the guest; otherwise leave it at the kernel default (conditional flushing as of writing).
Diffstat (limited to 'nixos/modules/security')
-rw-r--r--nixos/modules/security/misc.nix39
1 files changed, 39 insertions, 0 deletions
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix
index b1db0bc8da85..735362729bfd 100644
--- a/nixos/modules/security/misc.nix
+++ b/nixos/modules/security/misc.nix
@@ -30,6 +30,41 @@ with lib;
Whether to prevent replacing the running kernel image.
'';
};
+
+ security.virtualization.flushL1DataCache = mkOption {
+ type = types.nullOr (types.enum [ "never" "cond" "always" ]);
+ default = null;
+ description = ''
+ Whether the hypervisor should flush the L1 data cache before
+ entering guests.
+ </para>
+
+ <para>
+ <variablelist>
+ <varlistentry>
+ <term><literal>null</literal></term>
+ <listitem><para>uses the kernel default</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><literal>"never"</literal></term>
+ <listitem><para>disables L1 data cache flushing entirely.
+ May be appropriate if all guests are trusted.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><literal>"cond"</literal></term>
+ <listitem><para>flushes L1 data cache only for pre-determined
+ code paths. May leak information about the host address space
+ layout.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><literal>"always"</literal></term>
+ <listitem><para>flushes L1 data cache every time the hypervisor
+ enters the guest. May incur significant performance cost.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+ '';
+ };
};
config = mkMerge [
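Review bot: The description of `security.virtualization.flushL1DataCache` never says which mitigation or which hypervisor it controls, although the second hunk shows it is implemented purely as the `kvm-intel.vmentry_l1d_flush` kernel parameter, so an operator reading the option docs cannot tell that it is the L1TF (Foreshadow) mitigation and that it has no effect on non-KVM hypervisors or on non-Intel hosts. I would open the description with something like `This controls the L1TF mitigation of the Intel KVM module via the kvm-intel.vmentry_l1d_flush kernel parameter; it has no effect for other hypervisors or CPU vendors.` The wording of the "cond" entry ("may leak information about the host address space layout") should also be checked against the kernel's own l1tf documentation, which describes the conditional mode in terms of code paths that can leak host memory rather than layout specifically; presumably that is what was meant. The enclosing `options` attribute set starts before this hunk.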
@@ -52,5 +87,9 @@ with lib;
# Prevent replacing the running kernel image w/o reboot
boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
})
+
+ (mkIf (config.security.virtualization.flushL1DataCache != null) {
+ boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualization.flushL1DataCache}" ];
+ })
];
}
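Review bot: The new `mkIf` block passes `kvm-intel.vmentry_l1d_flush` without noting that the kernel's global `l1tf=` command-line parameter (which another module or the user may also add to `boot.kernelParams`) can override the per-module setting, so a user who sets this option to "never" or "cond" may still get unconditional flushing, and the mismatch is only visible at runtime. A short comment above the block would save that confusion, e.g. `# Implements the L1TF mitigation; a global l1tf= kernel parameter may override this value, and the effective mode can be read from /sys/module/kvm_intel/parameters/vmentry_l1d_flush at runtime.` The `config = mkMerge [` list this block belongs to starts in the previous hunk.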