Merge pull request #17425 from joachifm/grsec-efi

grsecurity module: disable EFI runtime services by default

nixos/doc/manual/configuration/grsecurity.xml

@@ -265,6 +265,11 @@
   <sect1 xml:id="sec-grsec-issues"><title>Issues and work-arounds</title>
 
   <itemizedlist>
+    <listitem><para>Access to EFI runtime services is disabled by default:
+    this plugs a potential code injection attack vector; use
+    <option>security.grsecurity.disableEfiRuntimeServices</option> to override
+    this behavior.</para></listitem>
+
     <listitem><para>Virtualization: KVM is the preferred virtualization
     solution. Xen, Virtualbox, and VMWare are
     <emphasis>unsupported</emphasis> and most likely require a custom kernel.

nixos/modules/security/grsecurity.nix

@@ -37,6 +37,18 @@ in
       '';
     };
 
+    disableEfiRuntimeServices = mkOption {
+      type = types.bool;
+      example = false;
+      default = true;
+      description = ''
+        Whether to disable access to EFI runtime services.  Enabling EFI runtime
+        services creates a venue for code injection attacks on the kernel and
+        should be disabled if at all possible.  Changing this option enters into
+        effect upon reboot.
+      '';
+    };
+
   };
 
   config = mkIf cfg.enable {
@@ -45,6 +57,8 @@ in
     # required kernel config
     boot.kernelPackages = mkDefault pkgs.linuxPackages_grsec_nixos;
 
+    boot.kernelParams = optional cfg.disableEfiRuntimeServices "noefi";
+
     system.requiredKernelConfig = with config.lib.kernelConfig;
       [ (isEnabled "GRKERNSEC")
         (isEnabled "PAX")