security#mitigations: init module
Resolves #6 by breaking out the disabling of mitigations into its own module. Now users must explicitly accept the risk of disabling Spectre and Meltdown mitigations with `security.mitigations.acceptRisk` in addition to actually disabling them with `security.mitigations.disable`.
This commit is contained in:
parent
86a1974010
commit
413a6c75f6
|
@ -1 +1 @@
|
|||
[ ./services/torrent/qbittorrent.nix ]
|
||||
[ ./services/torrent/qbittorrent.nix ./security/mitigations.nix ]
|
||||
|
|
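--- a/modules/security/mitigations.nix
+++ b/modules/security/mitigations.nix
@@ -0,0 +1,50 @@
+{ config, lib, options, ... }:
+with lib;
+let
+inherit (builtins) readFile fetchurl;
+
+cfg = config.security.mitigations;
+
+cmdline = readFile (fetchurl {
+url = "https://make-linux-fast-again.com";
+sha256 = "sha256:10diw5xn5jjx79nvyjqcpdpcqihnr3y0756fsgiv1nq7w28ph9w6";
+});
+in {
+options = {
+security.mitigations.disable = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Whether to disable spectre and meltdown mitigations in the kernel. Do
+not use this in mission critical deployments, or on any machine you do
+not have physical access to.
+'';
+};
+
+security.mitigations.acceptRisk = mkOption {
+type = types.bool;
+default = false;
+description = ''
+To ensure users know what they are doing, they must explicitly accept
+the risk of turning off mitigations by enabling this.
+'';
+};
+};
+
+config = mkIf cfg.disable {
+assertions = [{
+assertion = cfg.acceptRisk;
+message = ''
+You have enabled 'security.mitigations.disable' without accepting the
+risk of disabling mitigations.
+
+You must explicitly accept the risk of running the kernel without
+Spectre or Meltdown mitigations. Set 'security.mitigations.acceptRisk'
+to 'true' only if you know what your doing!
+'';
+}];
+
+boot.kernelParams = splitString " " cmdline;
+
+};
+}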
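Review bot: The kernel parameters applied by this module are whatever `readFile (fetchurl { url = "https://make-linux-fast-again.com"; ... })` returned when the sha256 was recorded, and neither the module nor the `disable` option description tells the reader which parameters those are; the hash pins the content, but a future hash bump silently re-accepts a new list from a third-party page. Consider a comment above `cmdline` such as `# Kernel params fetched from a third-party page and pinned by hash; re-review the fetched list before changing the sha256.` and naming the resulting parameters in the `disable` description so the risk being accepted is concrete. If the fetched text ends with a newline, `splitString " " cmdline` leaves it on the last parameter; `boot.kernelParams = splitString " " (removeSuffix "\n" cmdline);` would be safer, though this is inferred and should be confirmed against the fetched content. The `options` module argument is unused and can be dropped, and the assertion message should read `to 'true' only if you know what you're doing!`.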
|
@ -1,3 +1 @@
|
|||
{ ... }: {
|
||||
imports = [ ./stubby.nix ./adblocking.nix ./make-linux-fast-again.nix ];
|
||||
}
|
||||
{ ... }: { imports = [ ./stubby.nix ./adblocking.nix ]; }
|
||||
|
|
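--- a/profiles/misc/disable-mitigations.nix
+++ b/profiles/misc/disable-mitigations.nix
@@ -0,0 +1 @@
+{ ... }: { security.mitigations.disable = true; }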
|
@ -1,9 +0,0 @@
|
|||
# file: make-linux-fast-again.nix
|
||||
{ pkgs, config, ... }:
|
||||
let
|
||||
inherit (builtins) readFile fetchurl;
|
||||
cmdline = readFile (fetchurl {
|
||||
url = "https://make-linux-fast-again.com";
|
||||
sha256 = "sha256:10diw5xn5jjx79nvyjqcpdpcqihnr3y0756fsgiv1nq7w28ph9w6";
|
||||
});
|
||||
in { boot.kernelParams = pkgs.lib.splitString " " cmdline; }
|