b12f/os
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Merge pull request #7 from nrdxp/enhance/mitigations

Browse source 
security#mitigations: init module
This commit is contained in:
Timothy DeHerrera 2020-01-08 13:33:08 -07:00 committed by GitHub
parent 86a1974010 413a6c75f6
commit fd50518214
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 53 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
modules/default.nix
View file

@ -1 +1 @@
[ ./services/torrent/qbittorrent.nix ]
[ ./services/torrent/qbittorrent.nix ./security/mitigations.nix ]

50
modules/security/mitigations.nix Normal file
View file

@ -0,0 +1,50 @@
{ config, lib, options, ... }:
with lib;
let
inherit (builtins) readFile fetchurl;
cfg = config.security.mitigations;
cmdline = readFile (fetchurl {
url = "https://make-linux-fast-again.com";
sha256 = "sha256:10diw5xn5jjx79nvyjqcpdpcqihnr3y0756fsgiv1nq7w28ph9w6";
});
in {
options = {
security.mitigations.disable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to disable spectre and meltdown mitigations in the kernel. Do
not use this in mission critical deployments, or on any machine you do
not have physical access to.
'';
};
security.mitigations.acceptRisk = mkOption {
type = types.bool;
default = false;
description = ''
To ensure users know what they are doing, they must explicitly accept
the risk of turning off mitigations by enabling this.
'';
};
};
config = mkIf cfg.disable {
assertions = [{
assertion = cfg.acceptRisk;
message = ''
You have enabled 'security.mitigations.disable' without accepting the
risk of disabling mitigations.
You must explicitly accept the risk of running the kernel without
Spectre or Meltdown mitigations. Set 'security.mitigations.acceptRisk'
to 'true' only if you know what your doing!
'';
}];
boot.kernelParams = splitString " " cmdline;
};
}

4
profiles/misc/default.nix
View file

@ -1,3 +1 @@
{ ... }: {
imports = [ ./stubby.nix ./adblocking.nix ./make-linux-fast-again.nix ];
}
{ ... }: { imports = [ ./stubby.nix ./adblocking.nix ]; }

1
profiles/misc/disable-mitigations.nix Normal file
View file

@ -0,0 +1 @@
{ ... }: { security.mitigations.disable = true; }

9
profiles/misc/make-linux-fast-again.nix
View file

@ -1,9 +0,0 @@
# file: make-linux-fast-again.nix
{ pkgs, config, ... }:
let
inherit (builtins) readFile fetchurl;
cmdline = readFile (fetchurl {
url = "https://make-linux-fast-again.com";
sha256 = "sha256:10diw5xn5jjx79nvyjqcpdpcqihnr3y0756fsgiv1nq7w28ph9w6";
});
in { boot.kernelParams = pkgs.lib.splitString " " cmdline; }