-rw-r--r--nixos/modules/profiles/hardened.nix2
-rw-r--r--nixos/modules/security/misc.nix39
2 files changed, 41 insertions, 0 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index bad4cb81639d..53aa4bae2624 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -22,6 +22,8 @@ with lib;
security.protectKernelImage = mkDefault true;
+ security.virtualization.flushL1DataCache = mkDefault "always";
+
security.apparmor.enable = mkDefault true;
boot.kernelParams = [
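Review bot: The added `security.virtualization.flushL1DataCache = mkDefault "always";` line carries no comment explaining why the hardened profile departs from the kernel default, while the neighbouring setting on the previous line is documented in misc.nix with a why-comment. A one-line comment above it would make the trade-off visible at the point of choice, e.g. `# Flush the L1 data cache on every VM entry; the conditional default may leak host address space layout (see security/misc.nix).` The attribute set this line belongs to starts and ends outside the hunk.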
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix
index b1db0bc8da85..735362729bfd 100644
--- a/nixos/modules/security/misc.nix
+++ b/nixos/modules/security/misc.nix
@@ -30,6 +30,41 @@ with lib;
Whether to prevent replacing the running kernel image.
'';
};
+
+ security.virtualization.flushL1DataCache = mkOption {
+ type = types.nullOr (types.enum [ "never" "cond" "always" ]);
+ default = null;
+ description = ''
+ Whether the hypervisor should flush the L1 data cache before
+ entering guests.
+ </para>
+
+ <para>
+ <variablelist>
+ <varlistentry>
+ <term><literal>null</literal></term>
+ <listitem><para>uses the kernel default</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><literal>"never"</literal></term>
+ <listitem><para>disables L1 data cache flushing entirely.
+ May be appropriate if all guests are trusted.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><literal>"cond"</literal></term>
+ <listitem><para>flushes L1 data cache only for pre-determined
+ code paths. May leak information about the host address space
+ layout.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><literal>"always"</literal></term>
+ <listitem><para>flushes L1 data cache every time the hypervisor
+ enters the guest. May incur significant performance cost.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+ '';
+ };
};
config = mkMerge [
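Review bot: The option description never states which hosts the setting affects or which vulnerability class it mitigates, although the implementation later in this commit translates it to the Intel-specific `kvm-intel.vmentry_l1d_flush` kernel parameter. A reader picking "never" on a non-Intel host, or expecting it to cover anything beyond the KVM L1D flush, has no way to tell from the text. I would extend the opening paragraph to read `Whether the hypervisor should flush the L1 data cache before entering guests. This maps to the kernel parameter kvm-intel.vmentry_l1d_flush and therefore only takes effect on Intel hosts using KVM.`, and leave the per-value variablelist as is. The `options` attribute set this hunk extends starts outside the hunk.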
@@ -52,5 +87,9 @@ with lib;
# Prevent replacing the running kernel image w/o reboot
boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
})
+
+ (mkIf (config.security.virtualization.flushL1DataCache != null) {
+ boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualization.flushL1DataCache}" ];
+ })
];
}
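Review bot: The new `mkIf` block interpolates the option value straight into a kernel command-line entry with no comment tying it back to the enum; the safety of that interpolation rests entirely on the `types.enum` declared in the earlier hunk, which is not visible here. A short comment above the `boot.kernelParams` line would record that dependency, e.g. `# Value is constrained to never/cond/always by the option's enum type; the parameter is read by the kvm-intel module only.` The surrounding `mkMerge` list begins before this hunk.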