From 413a6c75f6b1ae1f6650035fe8da8a84753ced92 Mon Sep 17 00:00:00 2001
From: Timothy DeHerrera
Date: Wed, 8 Jan 2020 13:28:49 -0700
Subject: [PATCH] security#mitigations: init module

Resolves #6 by breaking out the disabling of mitigations into it's own module. Now users must explicitly accept the risk of disabling Spectre and Meltdown mitigations with `security.mitigations.acceptRisk` in addition to actually disabling them with `security.mitigations.disable`.
---
 modules/default.nix | 2 +-
 modules/security/mitigations.nix | 50 +++++++++++++++++++++++++
 profiles/misc/default.nix | 4 +-
 profiles/misc/disable-mitigations.nix | 1 +
 profiles/misc/make-linux-fast-again.nix | 9 -----
 5 files changed, 53 insertions(+), 13 deletions(-)
 create mode 100644 modules/security/mitigations.nix
 create mode 100644 profiles/misc/disable-mitigations.nix
 delete mode 100644 profiles/misc/make-linux-fast-again.nix

diff --git a/modules/default.nix b/modules/default.nix
index 7146630b..ee8934a9 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1 +1 @@
-[ ./services/torrent/qbittorrent.nix ]
+[ ./services/torrent/qbittorrent.nix ./security/mitigations.nix ]
diff --git a/modules/security/mitigations.nix b/modules/security/mitigations.nix
new file mode 100644
index 00000000..9cd45729
--- /dev/null
+++ b/modules/security/mitigations.nix
@@ -0,0 +1,50 @@
+{ config, lib, options, ... }:
+with lib;
+let
+ inherit (builtins) readFile fetchurl;
+
+ cfg = config.security.mitigations;
+
+ cmdline = readFile (fetchurl {
+ url = "https://make-linux-fast-again.com";
+ sha256 = "sha256:10diw5xn5jjx79nvyjqcpdpcqihnr3y0756fsgiv1nq7w28ph9w6";
+ });
+in {
+ options = {
+ security.mitigations.disable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to disable spectre and meltdown mitigations in the kernel. Do
+ not use this in mission critical deployments, or on any machine you do
+ not have physical access to.
+ '';
+ };
+
+ security.mitigations.acceptRisk = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ To ensure users know what they are doing, they must explicitly accept
+ the risk of turning off mitigations by enabling this.
+ '';
+ };
+ };
+
+ config = mkIf cfg.disable {
+ assertions = [{
+ assertion = cfg.acceptRisk;
+ message = ''
+ You have enabled 'security.mitigations.disable' without accepting the
+ risk of disabling mitigations.
+
+ You must explicitly accept the risk of running the kernel without
+ Spectre or Meltdown mitigations. Set 'security.mitigations.acceptRisk'
+ to 'true' only if you know what your doing!
+ '';
+ }];
+
+ boot.kernelParams = splitString " " cmdline;
+
+ };
+}
diff --git a/profiles/misc/default.nix b/profiles/misc/default.nix
index 0a1d4cbe..ae3f2515 100644
--- a/profiles/misc/default.nix
+++ b/profiles/misc/default.nix
@@ -1,3 +1 @@
-{ ... }: {
- imports = [ ./stubby.nix ./adblocking.nix ./make-linux-fast-again.nix ];
-}
+{ ... }: { imports = [ ./stubby.nix ./adblocking.nix ]; }
diff --git a/profiles/misc/disable-mitigations.nix b/profiles/misc/disable-mitigations.nix
new file mode 100644
index 00000000..63105b13
--- /dev/null
+++ b/profiles/misc/disable-mitigations.nix
@@ -0,0 +1 @@
+{ ... }: { security.mitigations.disable = true; }
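Review bot: The kernel command line that becomes `boot.kernelParams` is still pulled from a third-party site at evaluation time (`cmdline = readFile (fetchurl { url = "https://make-linux-fast-again.com"; ... })`), so the parameters this module hands to the kernel are not visible in the repository, and evaluating a configuration with `security.mitigations.disable = true` needs network access unless that fetch is already in the store. The sha256 pin prevents silent substitution, but a reviewer of this file cannot see which mitigations are being switched off; consider dropping the `cmdline` binding and writing a literal `boot.kernelParams = [ /* <pinned parameter list from make-linux-fast-again.com> */ ];` (or at least recording the pinned content in a comment) so the change is auditable and evaluates offline. If the fetched file ends with a newline, `splitString " " cmdline` would also leave that newline on the last parameter — hedged, since the file body is not shown here. Minor: the `options` module argument is unused, and the assertion message should read "you know what you're doing".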
diff --git a/profiles/misc/make-linux-fast-again.nix b/profiles/misc/make-linux-fast-again.nix
deleted file mode 100644
index 58cf17f7..00000000
--- a/profiles/misc/make-linux-fast-again.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-# file: make-linux-fast-again.nix
-{ pkgs, config, ... }:
-let
- inherit (builtins) readFile fetchurl;
- cmdline = readFile (fetchurl {
- url = "https://make-linux-fast-again.com";
- sha256 = "sha256:10diw5xn5jjx79nvyjqcpdpcqihnr3y0756fsgiv1nq7w28ph9w6";
- });
-in { boot.kernelParams = pkgs.lib.splitString " " cmdline; }