Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: NixOS/nixpkgs
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: 2534dddaa96a
Choose a base ref
...
head repository: NixOS/nixpkgs
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: ea4f37162767
Choose a head ref
  • 4 commits
  • 3 files changed
  • 1 contributor

Commits on Dec 27, 2018

  1. nixos/security/misc: use mkMerge for easier extension

    @joachifm
    joachifm committed Dec 27, 2018
    Copy the full SHA
    9db84f6 View commit details

  2. nixos/security/misc: factor out protectKernelImage 

    Introduces the option security.protectKernelImage that is intended to control
various mitigations to protect the integrity of the running kernel
image (i.e., prevent replacing it without rebooting).

This makes sense as a dedicated module as it is otherwise somewhat difficult
to override for hardened profile users who want e.g., hibernation to work.
    @joachifm
    joachifm committed Dec 27, 2018
    Copy the full SHA
    84fb882 View commit details

  3. nixos/security/misc: expose l1tf mitigation option 

    For the hardened profile enable flushing whenever the hypervisor enters the
guest, but otherwise leave at kernel default (conditional flushing as of
writing).
    @joachifm
    joachifm committed Dec 27, 2018
    Copy the full SHA
    e9761fa View commit details

  4. nixos/security/misc: expose SMT control option 

    For the hardened profile disable symmetric multi threading.  There seems to be
no *proven* method of exploiting cache sharing between threads on the same CPU
core, so this may be considered quite paranoid, considering the perf cost.
SMT can be controlled at runtime, however.  This is in keeping with OpenBSD
defaults.

TODO: since SMT is left to be controlled at runtime, changing the option
definition should take effect on system activation.  Write to
/sys/devices/system/cpu/smt/control
    @joachifm
    joachifm committed Dec 27, 2018
    Copy the full SHA
    ea4f371 View commit details
Showing with 110 additions and 18 deletions.
  1. +6 −6 nixos/modules/profiles/hardened.nix
  2. +98 −12 nixos/modules/security/misc.nix
  3. +6 −0 nixos/tests/hardened.nix
12 changes: 6 additions & 6 deletions nixos/modules/profiles/hardened.nix
View file
Original file line number Diff line number Diff line change
@@ -20,6 +20,12 @@ with lib;

security.allowUserNamespaces = mkDefault false;

security.protectKernelImage = mkDefault true;

security.allowSimultaneousMultithreading = mkDefault false;

security.virtualization.flushL1DataCache = mkDefault "always";

security.apparmor.enable = mkDefault true;

boot.kernelParams = [
@@ -28,9 +34,6 @@ with lib;

# Disable legacy virtual syscalls
"vsyscall=none"

# Disable hibernation (allows replacing the running kernel)
"nohibernate"
];

boot.blacklistedKernelModules = [
@@ -44,9 +47,6 @@ with lib;
# (e.g., parent/child)
boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;

# Prevent replacing the running kernel image w/o reboot
boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;

# Restrict access to kernel ring buffer (information leaks)
boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true;

110 changes: 98 additions & 12 deletions nixos/modules/security/misc.nix
View file
Original file line number Diff line number Diff line change
@@ -22,18 +22,104 @@ with lib;
a user namespace fails with "no space left on device" (ENOSPC).
'';
};
};

config = mkIf (!config.security.allowUserNamespaces) {
# Setting the number of allowed user namespaces to 0 effectively disables
# the feature at runtime. Note that root may raise the limit again
# at any time.
boot.kernel.sysctl."user.max_user_namespaces" = 0;

assertions = [
{ assertion = config.nix.useSandbox -> config.security.allowUserNamespaces;
message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`.";
}
];
security.protectKernelImage = mkOption {
type = types.bool;
default = false;
description = ''
Whether to prevent replacing the running kernel image.
'';
};

security.allowSimultaneousMultithreading = mkOption {
type = types.bool;
default = true;
description = ''
Whether to allow SMT/hyperthreading. Disabling SMT means that only
physical CPU cores will be usable at runtime, potentially at
significant performance cost.
</para>
<para>
The primary motivation for disabling SMT is to mitigate the risk of
leaking data between threads running on the same CPU core (due to
e.g., shared caches). This attack vector is unproven.
</para>
<para>
Disabling SMT is a supplement to the L1 data cache flushing mitigation
(see <xref linkend="opt-security.virtualization.flushL1DataCache"/>)
versus malicious VM guests (SMT could "bring back" previously flushed
data).
</para>
<para>
'';
};

security.virtualization.flushL1DataCache = mkOption {
type = types.nullOr (types.enum [ "never" "cond" "always" ]);
default = null;
description = ''
Whether the hypervisor should flush the L1 data cache before
entering guests.
See also <xref linkend="opt-security.allowSimultaneousMultithreading"/>.
</para>
<para>
<variablelist>
<varlistentry>
<term><literal>null</literal></term>
<listitem><para>uses the kernel default</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>"never"</literal></term>
<listitem><para>disables L1 data cache flushing entirely.
May be appropriate if all guests are trusted.</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>"cond"</literal></term>
<listitem><para>flushes L1 data cache only for pre-determined
code paths. May leak information about the host address space
layout.</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>"always"</literal></term>
<listitem><para>flushes L1 data cache every time the hypervisor
enters the guest. May incur significant performance cost.
</para></listitem>
</varlistentry>
</variablelist>
'';
};
};

config = mkMerge [
(mkIf (!config.security.allowUserNamespaces) {
# Setting the number of allowed user namespaces to 0 effectively disables
# the feature at runtime. Note that root may raise the limit again
# at any time.
boot.kernel.sysctl."user.max_user_namespaces" = 0;

assertions = [
{ assertion = config.nix.useSandbox -> config.security.allowUserNamespaces;
message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`.";
}
];
})

(mkIf config.security.protectKernelImage {
# Disable hibernation (allows replacing the running kernel)
boot.kernelParams = [ "nohibernate" ];
# Prevent replacing the running kernel image w/o reboot
boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
})

(mkIf (!config.security.allowSimultaneousMultithreading) {
boot.kernelParams = [ "nosmt" ];
})

(mkIf (config.security.virtualization.flushL1DataCache != null) {
boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualization.flushL1DataCache}" ];
})
];
}
6 changes: 6 additions & 0 deletions nixos/tests/hardened.nix
View file
Original file line number Diff line number Diff line change
@@ -70,5 +70,11 @@ import ./make-test.nix ({ pkgs, ...} : {
$machine->fail("su -l nobody -s /bin/sh -c 'nix ping-store'");
$machine->succeed("su -l alice -c 'nix ping-store'") =~ "OK";
};
# Test kernel image protection
subtest "kernelimage", sub {
$machine->fail("systemctl hibernate");
$machine->fail("systemctl kexec");
};
'';
})