TO RESEARCH:

nix-mineral vs Current Configuration Comparison

Overview

  • Your config: Performance-focused tuning for a high-end desktop (128GB RAM, 1 Gbps network, audio production)
  • nix-mineral: Security-focused hardening module (may break desktop functionality)

Key Conflicts

1. CPU Mitigations (CRITICAL CONFLICT)

  • Your config: mitigations=off (performance priority)
  • nix-mineral: mitigations=auto,nosmt (security priority)
  • Impact: nix-mineral disables SMT (hyperthreading), reducing performance by ~30% on Ryzen CPUs
  • Recommendation: Keep your setting for desktop use

2. Network Forwarding

  • Your config: Not explicitly disabled (may be needed for VMs/containers)
  • nix-mineral: net.ipv4.ip_forward = 0 (security)
  • Impact: Breaks VM networking, Docker, containers
  • Recommendation: Keep current (don't disable if using virtualization)

3. TCP Timestamps

  • Your config: net.ipv4.tcp_timestamps = 1 (performance)
  • nix-mineral: net.ipv4.tcp_timestamps = 1 (same, but notes privacy concern)
  • Status: ✅ Compatible

4. TCP SACK

  • Your config: net.ipv4.tcp_sack = 1 (performance)
  • nix-mineral: net.ipv4.tcp_sack = 0 (security - prevents some attacks)
  • Impact: Reduces network performance on high-latency links
  • Recommendation: Keep your setting for performance

Security Settings Missing from Your Config

Low-Risk Additions (Recommended)

Kernel Security

```nix
boot.kernel.sysctl = {
  # Restrict ptrace (Yama): 1 = only descendants may be traced
  "kernel.yama.ptrace_scope" = "1"; # You may want "2" (CAP_SYS_PTRACE only) for stricter

  # Disable magic sysrq (security)
  "kernel.sysrq" = "0";

  # Disable binfmt_misc (breaks Rosetta/Wine, but more secure)
  "fs.binfmt_misc.status" = "0"; # ⚠️ May break some apps

  # Disable io_uring (many vulnerabilities); the knob exists from Linux 6.6 on
  "kernel.io_uring_disabled" = "2"; # ⚠️ May break some apps

  # Restrict dmesg access
  "kernel.dmesg_restrict" = "1";

  # Restrict kernel pointer access
  "kernel.kptr_restrict" = "2";

  # Restrict perf subsystem
  "kernel.perf_event_paranoid" = "3";
  "kernel.perf_cpu_time_max_percent" = "1";
  "kernel.perf_event_max_sample_rate" = "1";

  # Disable unprivileged BPF
  "kernel.unprivileged_bpf_disabled" = "1";

  # Harden BPF JIT
  "net.core.bpf_jit_harden" = "2";

  # Disable kexec (prevent kernel replacement attacks)
  "kernel.kexec_load_disabled" = "1";

  # Restrict printk
  "kernel.printk" = "3 3 3 3";

  # Disable core dumps
  "kernel.core_pattern" = "|/bin/false";
  "fs.suid_dumpable" = "0";

  # ASLR
  "kernel.randomize_va_space" = "2";

  # Memory protection
  "vm.mmap_min_addr" = "65536";
  "vm.mmap_rnd_bits" = "32";
  "vm.mmap_rnd_compat_bits" = "16";
  "vm.unprivileged_userfaultfd" = "0";

  # Filesystem protection
  "fs.protected_fifos" = "2";
  "fs.protected_hardlinks" = "1";
  "fs.protected_regular" = "2";
  "fs.protected_symlinks" = "1";

  # Disable TTY line discipline autoload
  "dev.tty.ldisc_autoload" = "0";
};
```

Network Security (Already Partially Configured)

```nix
boot.kernel.sysctl = {
  # You already have these ✅:
  # - net.ipv4.conf.all.rp_filter = 1
  # - net.ipv4.conf.all.accept_source_route = 0
  # - net.ipv4.conf.all.accept_redirects = 0
  # - net.ipv4.conf.all.send_redirects = 0
  # - net.ipv4.conf.all.log_martians = 1

  # Additional IPv6 security (you're missing):
  "net.ipv6.conf.all.accept_redirects" = "0";
  "net.ipv6.conf.default.accept_redirects" = "0";
  "net.ipv6.conf.all.accept_source_route" = "0";
  "net.ipv6.conf.default.accept_source_route" = "0";
  "net.ipv6.conf.all.accept_ra" = "0";
  "net.ipv6.conf.default.accept_ra" = "0";
  "net.ipv6.conf.all.router_solicitations" = "0";
  "net.ipv6.conf.all.accept_ra_rtr_pref" = "0";
  "net.ipv6.conf.all.accept_ra_pinfo" = "0";
  "net.ipv6.conf.all.accept_ra_defrtr" = "0";
  "net.ipv6.conf.all.autoconf" = "0";
  "net.ipv6.conf.all.dad_transmits" = "0";
  "net.ipv6.conf.all.max_addresses" = "1";
  "net.ipv6.icmp.echo_ignore_all" = "1";
  "net.ipv6.icmp.echo_ignore_anycast" = "1";
  "net.ipv6.icmp.echo_ignore_multicast" = "1";

  # ICMP security
  "net.ipv4.icmp_echo_ignore_all" = "1"; # You have ignore_broadcasts, but not all; the host stops answering ping, which also hinders your own diagnostics
  "net.ipv4.icmp_ignore_bogus_error_responses" = "1";

  # ARP security
  "net.ipv4.conf.all.arp_announce" = "2";
  "net.ipv4.conf.default.arp_announce" = "2";
  "net.ipv4.conf.all.arp_ignore" = "1";
  "net.ipv4.conf.default.arp_ignore" = "1";
  "net.ipv4.conf.all.drop_gratuitous_arp" = "1";
  "net.ipv4.conf.default.drop_gratuitous_arp" = "1";
  "net.ipv4.conf.all.shared_media" = "0";
  "net.ipv4.conf.default.shared_media" = "0";

  # TCP security (some conflict with your performance settings)
  "net.ipv4.tcp_dsack" = "0"; # ⚠️ Conflicts with your performance tuning
  "net.ipv4.tcp_fack" = "0"; # ⚠️ Conflicts with your performance tuning; FACK was retired in Linux 4.15 and the sysctl remains only for compatibility
  "net.ipv4.tcp_rfc1337" = "1";
  "net.ipv4.tcp_syncookies" = "1"; # ✅ Good, doesn't hurt performance
};
```

Medium-Risk Additions (May Break Functionality)

Filesystem Hardening

```nix
# These mount options are VERY restrictive and may break desktop apps:
fileSystems."/home" = {
  options = [ "bind" "nosuid" "noexec" "nodev" ]; # ⚠️ noexec breaks many apps
};

fileSystems."/tmp" = {
  options = [ "bind" "nosuid" "noexec" "nodev" ]; # ⚠️ Breaks many apps
};

fileSystems."/var" = {
  options = [ "bind" "nosuid" "noexec" "nodev" ]; # ⚠️ May break some services
};

boot.specialFileSystems."/dev/shm" = {
  options = [ "noexec" ]; # ⚠️ Breaks some applications
};

boot.specialFileSystems."/proc" = {
  options = [ "hidepid=2" "gid=..." ]; # ⚠️ Breaks many desktop tools
};
```

Recommendation: ❌ Don't add these - too restrictive for desktop use

High-Risk Additions (Will Break Functionality)

Kernel Parameters

```nix
boot.kernelParams = [
  "module.sig_enforce=1" # ⚠️ Breaks out-of-tree modules (NVIDIA, etc.)
  "lockdown=confidentiality" # ⚠️ Very restrictive, breaks many things
  "efi=disable_early_pci_dma" # ⚠️ May prevent boot on some systems
  "iommu.passthrough=0" # ⚠️ Breaks GPU passthrough
  "mitigations=auto,nosmt" # ⚠️ Disables SMT (30% performance loss)
  "pti=on" # ⚠️ Performance impact
  "slab_nomerge" # ⚠️ May cause issues
  "init_on_alloc=1" # ⚠️ Performance impact
  "init_on_free=1" # ⚠️ Performance impact
  "vsyscall=none" # ⚠️ Breaks some old binaries
  "debugfs=off" # ⚠️ Breaks debugging tools
  "oops=panic" # ⚠️ System will panic on kernel errors
  "quiet" "loglevel=0" # ⚠️ Hides all boot messages
  "random.trust_cpu=off" # ⚠️ Slower entropy
  "random.trust_bootloader=off" # ⚠️ Slower entropy
];
```

Recommendation: ❌ Don't add these - conflicts with your performance goals

Summary Recommendations

✅ Safe to Add (Security without breaking functionality)

  1. Kernel security restrictions (ptrace, dmesg, perf, BPF)
  2. IPv6 security hardening (you're missing these)
  3. ICMP security improvements
  4. ARP security settings
  5. Filesystem protection flags (protected_fifos, protected_symlinks, etc.)
  6. Memory protection settings (mmap_min_addr, etc.)
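Once the safe additions are in a NixOS module, a rebuild applies them silently, so it is worth verifying what the running kernel actually exposes. The script below is an added example, not part of nix-mineral or the author's config: it reads a subset of the low-risk sysctl set, compares each key with the value under /proc/sys, and reports knobs that are wrong or absent (a missing knob, such as Yama not being built in, is as much a gap as a wrong value). The tree layout and values in `demo_fixture` are constructed for offline testing.

```sh
# Audit the "safe to add" sysctl set against what a kernel exposes under
# /proc/sys. Added example, not part of nix-mineral. ROOT defaults to
# /proc/sys (live host); demo_fixture builds a constructed tree for offline use.
# Desired state, copied from the low-risk section (key = value).
desired_hardening() {
  cat <<'EOF'
kernel.yama.ptrace_scope = 1
kernel.kptr_restrict = 2
kernel.unprivileged_bpf_disabled = 1
fs.protected_symlinks = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_ra = 0
EOF
}

# read_sysctl KEY ROOT: live value, or <unset> when the kernel lacks the knob
# (e.g. Yama not built in), so a silently missing control is still reported.
read_sysctl() {
  path="$2/$(printf '%s' "$1" | tr . /)"
  if [ -r "$path" ]; then tr -s '[:space:]' ' ' < "$path" | sed 's/ $//'
  else printf '<unset>'; fi
}

# audit_sysctl ROOT: one MISMATCH line per knob that differs; exit status = count.
audit_sysctl() {
  root=${1:-/proc/sys}; n=0
  while IFS='=' read -r key want; do
    key=$(printf '%s' "$key" | tr -d ' '); want=$(printf '%s' "$want" | tr -d ' ')
    [ -n "$key" ] || continue
    have=$(read_sysctl "$key" "$root")
    if [ "$have" != "$want" ]; then
      printf 'MISMATCH %-34s want=%s have=%s\n' "$key" "$want" "$have"; n=$((n + 1))
    fi
  done <<EOF
$(desired_hardening)
EOF
  return $n
}

# demo_fixture: constructed /proc/sys look-alike with two weak values
# (kptr_restrict=0, accept_ra=1) and one absent knob (unprivileged_bpf_disabled).
demo_fixture() {
  d=$(mktemp -d); mkdir -p "$d/kernel/yama" "$d/fs" "$d/net/ipv4" "$d/net/ipv6/conf/all"
  echo 1 > "$d/kernel/yama/ptrace_scope"; echo 0 > "$d/kernel/kptr_restrict"
  echo 1 > "$d/fs/protected_symlinks";    echo 1 > "$d/net/ipv4/tcp_syncookies"
  echo 1 > "$d/net/ipv6/conf/all/accept_ra"; printf '%s' "$d"
}

# Runs against the fixture here; on the NixOS host use: audit_sysctl /proc/sys
audit_sysctl "$(demo_fixture)" || echo "$? knob(s) differ from the hardening set"
```

Extend `desired_hardening` with the rest of the block above to audit the whole set; the non-zero exit status lets it double as a post-rebuild check in a script.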

⚠️ Consider Carefully

  1. fs.binfmt_misc.status = 0 - Breaks Wine/Rosetta
  2. kernel.io_uring_disabled = 2 - Breaks some modern apps
  3. TCP security settings that conflict with your performance tuning

❌ Don't Add (Conflicts with Performance Goals)

  1. CPU mitigations (you have mitigations=off)
  2. Filesystem mount restrictions (noexec on /home, /tmp, etc.)
  3. /proc hiding (hidepid=2)
  4. Kernel lockdown mode
  5. Module signature enforcement (if using proprietary drivers)
  6. Network forwarding restrictions (if using VMs/containers)

Next Steps

Would you like me to:

  1. Create a new security module with the safe additions?
  2. Add security settings directly to your existing sysctl.nix?
  3. Create a separate security module that can be optionally enabled?