diff --git a/nixos/doc/manual/configuration/grsecurity.xml b/nixos/doc/manual/configuration/grsecurity.xml index 06e7617d58eb..3c17fc19397f 100644 --- a/nixos/doc/manual/configuration/grsecurity.xml +++ b/nixos/doc/manual/configuration/grsecurity.xml @@ -265,6 +265,11 @@ <sect1 xml:id="sec-grsec-issues"><title>Issues and work-arounds</title> <itemizedlist> + <listitem><para>Access to EFI runtime services is disabled by default: + this plugs a potential code injection attack vector; use + <option>security.grsecurity.disableEfiRuntimeServices</option> to override + this behavior.</para></listitem> + <listitem><para>Virtualization: KVM is the preferred virtualization solution. Xen, Virtualbox, and VMWare are <emphasis>unsupported</emphasis> and most likely require a custom kernel. diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix index 6b4dbe8e11f8..60e9058dd69e 100644 --- a/nixos/modules/security/grsecurity.nix +++ b/nixos/modules/security/grsecurity.nix @@ -37,6 +37,18 @@ in ''; }; + disableEfiRuntimeServices = mkOption { + type = types.bool; + example = false; + default = true; + description = '' + Whether to disable access to EFI runtime services. Enabling EFI runtime + services creates a venue for code injection attacks on the kernel and + should be disabled if at all possible. Changing this option enters into + effect upon reboot. + ''; + }; + }; config = mkIf cfg.enable { @@ -45,6 +57,8 @@ in # required kernel config boot.kernelPackages = mkDefault pkgs.linuxPackages_grsec_nixos; + boot.kernelParams = optional cfg.disableEfiRuntimeServices "noefi"; + system.requiredKernelConfig = with config.lib.kernelConfig; [ (isEnabled "GRKERNSEC") (isEnabled "PAX")