nixos/hardened: make pti=on overridable

Introduces a new security.forcePageTableIsolation option (default false
on !hardened, true on hardened) that forces pti=on.

nixos/modules/profiles/hardened.nix

@@ -26,6 +26,8 @@ with lib;
 
   security.allowSimultaneousMultithreading = mkDefault false;
 
+  security.forcePageTableIsolation = mkDefault true;
+
   security.virtualisation.flushL1DataCache = mkDefault "always";
 
   security.apparmor.enable = mkDefault true;
@@ -42,9 +44,6 @@ with lib;
 
     # Disable legacy virtual syscalls
     "vsyscall=none"
-
-    # Enable PTI even if CPU claims to be safe from meltdown
-    "pti=on"
   ];
 
   boot.blacklistedKernelModules = [

nixos/modules/security/misc.nix

@@ -54,6 +54,18 @@ with lib;
       '';
     };
 
+    security.forcePageTableIsolation = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to force-enable the Page Table Isolation (PTI) Linux kernel
+        feature even on CPU models that claim to be safe from Meltdown.
+
+        This hardening feature is most beneficial to systems that run untrusted
+        workloads that rely on address space isolation for security.
+      '';
+    };
+
     security.virtualisation.flushL1DataCache = mkOption {
       type = types.nullOr (types.enum [ "never" "cond" "always" ]);
       default = null;
@@ -114,6 +126,10 @@ with lib;
       boot.kernelParams = [ "nosmt" ];
     })
 
+    (mkIf config.security.forcePageTableIsolation {
+      boot.kernelParams = [ "pti=on" ];
+    })
+
     (mkIf (config.security.virtualisation.flushL1DataCache != null) {
       boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualisation.flushL1DataCache}" ];
     })