unexplrd/nixos-blueprint
2
2
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

hosts/dunamis/hardware.nix: some security kernel opts

Browse Source 
Signed-off-by: unexplrd <unexplrd@linerds.us>
This commit is contained in:
unexplrd
2025-03-27 01:46:01 +02:00
parent 81e293df91
commit 228fda644b
1 changed files with 19 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
hosts/dunamis/hardware.nix
View File

@ -28,25 +28,29 @@
}; };
}; };
boot.kernelParams = [ boot.kernelParams = [
"mitigations=auto" # "mitigations=auto"
"spectre_v2=on" # "spectre_v2=on"
"spectre_bhi=on" # "spectre_v2_user=on"
"spec_store_bypass_disable=on" # "spectre_bhi=on"
"tsx=off" # "spec_store_bypass_disable=on"
"kvm.nx_huge_pages=force" # "tsx=off"
"nosmt=force" # "kvm.nx_huge_pages=force"
"l1d_flush=on" # "l1d_flush=on"
"spec_rstack_overflow=safe-ret"
"gather_data_sampling=force"
"reg_file_data_sampling=on"
"module.sig_enforce=1"
"lockdown=confidentiality"
"intel_iommu=on"
"amd_iommu=force_isolation" "amd_iommu=force_isolation"
"debugfs=off"
"efi=disable_early_pci_dma" "efi=disable_early_pci_dma"
"iommu=force" "gather_data_sampling=force"
# "ia32_emulation=0"
"intel_iommu=on"
"iommu.passthrough=0" "iommu.passthrough=0"
"iommu.strict=1" "iommu.strict=1"
"iommu=force"
"lockdown=confidentiality"
"module.sig_enforce=1"
"page_alloc.shuffle=1"
"reg_file_data_sampling=on"
"spec_rstack_overflow=safe-ret"
"vsyscall=none"
]; ];
hardware.graphics = { hardware.graphics = {