From 84fb8820db6226a6e5333813d47da6d876243064 Mon Sep 17 00:00:00 2001 From: Joachim Fasting Date: Sun, 16 Dec 2018 10:37:36 +0100 Subject: nixos/security/misc: factor out protectKernelImage Introduces the option security.protectKernelImage that is intended to control various mitigations to protect the integrity of the running kernel image (i.e., prevent replacing it without rebooting). This makes sense as a dedicated module as it is otherwise somewhat difficult to override for hardened profile users who want e.g., hibernation to work.
---
 nixos/modules/security/misc.nix | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'nixos/modules/security')
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix
index f3fc6db22ead..b1db0bc8da85 100644
--- a/nixos/modules/security/misc.nix
+++ b/nixos/modules/security/misc.nix
@@ -22,6 +22,14 @@ with lib;
 a user namespace fails with "no space left on device" (ENOSPC).
 '';
 };
+
+ security.protectKernelImage = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to prevent replacing the running kernel image.
+ '';
+ };
 };
 
 config = mkMerge [
@@ -37,5 +45,12 @@ with lib;
 }
 ];
 })
+
+ (mkIf config.security.protectKernelImage {
+ # Disable hibernation (allows replacing the running kernel)
+ boot.kernelParams = [ "nohibernate" ];
+ # Prevent replacing the running kernel image w/o reboot
+ boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
+ })
 ];
 }
-- cgit v1.2.3
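Review bot: The `description` of `security.protectKernelImage` in the first hunk does not say what enabling the option costs or covers. Going by the config block this patch adds, it passes `nohibernate` and sets `kernel.kexec_load_disabled`, so hibernation and kexec stop working, and those are the only two mechanisms it touches. A user reading only the option documentation would learn neither, and could take "protect" to mean more than it does. Suggest extending the text, e.g. `Whether to prevent replacing the running kernel image. Enabling this disables hibernation and kexec; it does not by itself restrict other ways of modifying the running kernel.`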
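Review bot: In the second hunk `kernel.kexec_load_disabled` is set with `mkDefault`, so a plain assignment of that sysctl anywhere else in a configuration wins silently while `security.protectKernelImage` still reads as enabled. The `nohibernate` entry has no such escape, so the two mitigations behave differently under override. Since the commit message presents the new option itself as the override point, consider `boot.kernel.sysctl."kernel.kexec_load_disabled" = true;` so that a contradictory setting should surface as a conflict at evaluation instead of quietly weakening the guarantee. If the lower priority is deliberate, a comment such as `# mkDefault: allow re-enabling kexec while keeping nohibernate` would record the intent.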