ark/modules/security/mitigations.nix

{ config, lib, ... }:
with lib;
let
  inherit (builtins) readFile fetchurl;

  cfg = config.security.mitigations;

  cmdline = ''
    ibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off tsx=on tsx_async_abort=off mitigations=off'';
in
{
  options = {
    security.mitigations.disable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to disable spectre and meltdown mitigations in the kernel. Do
        not use this in mission critical deployments, or on any machine you do
        not have physical access to.
      '';
    };
  };

  config = mkIf cfg.disable {
    boot.kernelParams = splitString " " cmdline;
  };
}
refactor: seperate into modules 2021-05-03 09:19:54 +03:00			`{ config, lib, ... }:`
			`with lib;`
			`let`
			`inherit (builtins) readFile fetchurl;`

			`cfg = config.security.mitigations;`

			`cmdline = ''`
			`ibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off tsx=on tsx_async_abort=off mitigations=off'';`
			`in`
			`{`
			`options = {`
			`security.mitigations.disable = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = ''`
			`Whether to disable spectre and meltdown mitigations in the kernel. Do`
			`not use this in mission critical deployments, or on any machine you do`
			`not have physical access to.`
			`'';`
			`};`
			`};`

			`config = mkIf cfg.disable {`
			`boot.kernelParams = splitString " " cmdline;`
			`};`
			`}`