ark/modules/security/mitigations.nix

{
  config,
  lib,
  ...
}:
with lib; let
  inherit (builtins) readFile fetchurl;
  cfg = config.security.mitigations;
  cmdline = ''
    ibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off tsx=on tsx_async_abort=off mitigations=off'';
in {
  options = {
    security.mitigations.disable =
      mkOption
      {
        type = types.bool;
        default = false;
        description = ''
          Whether to disable spectre and meltdown mitigations in the kernel. Do
          not use this in mission critical deployments, or on any machine you do
          not have physical access to.
        '';
      };
  };
  config = mkIf cfg.disable {boot.kernelParams = splitString " " cmdline;};
}
stuff 2022-02-18 20:31:01 +03:00			`{`
			`config,`
			`lib,`
			`...`
			`}:`
			`with lib; let`
refactor: seperate into modules 2021-05-03 09:19:54 +03:00			`inherit (builtins) readFile fetchurl;`
			`cfg = config.security.mitigations;`
ayo 2022-03-09 23:55:02 +03:00			`cmdline = ''`
			`ibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off tsx=on tsx_async_abort=off mitigations=off'';`
stuff 2022-02-18 20:31:01 +03:00			`in {`
refactor: seperate into modules 2021-05-03 09:19:54 +03:00			`options = {`
stuff 2022-02-18 20:31:01 +03:00			`security.mitigations.disable =`
			`mkOption`
			`{`
			`type = types.bool;`
			`default = false;`
ayo 2022-03-09 23:55:02 +03:00			`description = ''`
			`Whether to disable spectre and meltdown mitigations in the kernel. Do`
			`not use this in mission critical deployments, or on any machine you do`
			`not have physical access to.`
			`'';`
stuff 2022-02-18 20:31:01 +03:00			`};`
refactor: seperate into modules 2021-05-03 09:19:54 +03:00			`};`
ayo 2022-03-09 23:55:02 +03:00			`config = mkIf cfg.disable {boot.kernelParams = splitString " " cmdline;};`
refactor: seperate into modules 2021-05-03 09:19:54 +03:00			`}`