From 67b7e70865896433f01ca173eda8f5217eae4d49 Mon Sep 17 00:00:00 2001
From: Pierre Bourdon
Date: Tue, 30 Jul 2019 02:24:56 +0200
Subject: [PATCH] nixos/hardened: make pti=on overridable
Introduces a new security.forcePageTableIsolation option (default false on !hardened, true on hardened) that forces pti=on.
---
 nixos/modules/profiles/hardened.nix | 5 ++---
 nixos/modules/security/misc.nix | 16 ++++++++++++++++
 2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 29c3f2f8bbf8..9e9ddd4f3788 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -26,6 +26,8 @@ with lib;
 security.allowSimultaneousMultithreading = mkDefault false;
+ security.forcePageTableIsolation = mkDefault true;
+
 security.virtualisation.flushL1DataCache = mkDefault "always";
 security.apparmor.enable = mkDefault true;
@@ -42,9 +44,6 @@ with lib;
 # Disable legacy virtual syscalls
 "vsyscall=none"
-
- # Enable PTI even if CPU claims to be safe from meltdown
- "pti=on"
 ];
 boot.blacklistedKernelModules = [
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix
index 2a7f07ef6dbe..16e3bfb14199 100644
--- a/nixos/modules/security/misc.nix
+++ b/nixos/modules/security/misc.nix
@@ -54,6 +54,18 @@ with lib;
 '';
 };
+ security.forcePageTableIsolation = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to force-enable the Page Table Isolation (PTI) Linux kernel
+ feature even on CPU models that claim to be safe from Meltdown.
+
+ This hardening feature is most beneficial to systems that run untrusted
+ workloads that rely on address space isolation for security.
+ '';
+ };
+
 security.virtualisation.flushL1DataCache = mkOption {
 type = types.nullOr (types.enum [ "never" "cond" "always" ]);
 default = null;
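Review bot: The description of `security.forcePageTableIsolation` in the misc.nix hunk does not say what leaving it at `false` means in practice, nor that the hardened profile (first hardened.nix hunk) flips it to `true` via `mkDefault`. A reader choosing a value needs to know that `false` does not disable PTI but merely passes no `pti=` parameter, leaving the decision to the kernel, and that the profile's default can be overridden by setting the option explicitly. I would append two sentences to the description: `When left at false no pti= parameter is passed and the kernel's own detection decides whether PTI is enabled.` and `The hardened profile enables this option by default.` The first sentence describes the kernel's documented `pti=` handling rather than anything in this patch, so it should be kept general.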
@@ -114,6 +126,10 @@ with lib;
 boot.kernelParams = [ "nosmt" ];
 })
+ (mkIf config.security.forcePageTableIsolation {
+ boot.kernelParams = [ "pti=on" ];
+ })
+
 (mkIf (config.security.virtualisation.flushL1DataCache != null) {
 boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualisation.flushL1DataCache}" ];
 })
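Review bot: The new `mkIf` block can only ever emit `pti=on`; a user who adds `pti=off` to `boot.kernelParams` by hand while the hardened profile still leaves `forcePageTableIsolation` at true will get both values on the command line, and which one wins is then decided by the kernel's parsing rather than by this module. The module has no way to detect that, so a short comment on the block would make the contract explicit, e.g. `# Only "pti=on" is ever emitted; to run without PTI set this option to false and leave pti= to the kernel.` The same interaction already exists for the `nosmt` entry just above, so this follows the existing pattern rather than introducing a regression.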