diff options
Diffstat (limited to 'nixos/modules/security')
| -rw-r--r-- | nixos/modules/security/misc.nix | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix index f3fc6db22ea..b1db0bc8da8 100644 --- a/nixos/modules/security/misc.nix +++ b/nixos/modules/security/misc.nix @@ -22,6 +22,14 @@ with lib; a user namespace fails with "no space left on device" (ENOSPC). ''; }; + + security.protectKernelImage = mkOption { + type = types.bool; + default = false; + description = '' + Whether to prevent replacing the running kernel image. + ''; + }; }; config = mkMerge [ @@ -37,5 +45,12 @@ with lib; } ]; }) + + (mkIf config.security.protectKernelImage { + # Disable hibernation (allows replacing the running kernel) + boot.kernelParams = [ "nohibernate" ]; + # Prevent replacing the running kernel image w/o reboot + boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true; + }) ]; } |