unexplrd/nixos-blueprint
2
2
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

hosts/sarien/boot.nix: add security kernel params

Browse Source 
Signed-off-by: unexplrd <unexplrd@linerds.us>
This commit is contained in:
unexplrd
2025-04-02 15:10:09 +03:00
parent 201db59fce
commit a0037fdb0f
1 changed files with 15 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
hosts/sarien/boot.nix
View File

@ -11,6 +11,21 @@
# kernelPackages = pkgs.linuxPackages_latest; # kernelPackages = pkgs.linuxPackages_latest;
kernelPackages = pkgs.linuxPackages_cachyos; kernelPackages = pkgs.linuxPackages_cachyos;
kernelModules = ["kvm-intel"]; kernelModules = ["kvm-intel"];
kernelParams = [
"debugfs=off"
"efi=disable_early_pci_dma"
# "gather_data_sampling=force"
"intel_iommu=on"
"iommu.passthrough=0"
"iommu.strict=1"
"iommu=force"
# "lockdown=confidentiality"
# "module.sig_enforce=1"
"page_alloc.shuffle=1"
# "reg_file_data_sampling=on"
# "spec_rstack_overflow=safe-ret"
"vsyscall=none"
];
loader.efi.canTouchEfiVariables = true; loader.efi.canTouchEfiVariables = true;
loader.systemd-boot = { loader.systemd-boot = {
enable = true; enable = true;