diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 97279a78a57b..29c3f2f8bbf8 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -26,7 +26,7 @@ with lib;
security.allowSimultaneousMultithreading = mkDefault false;
- security.virtualization.flushL1DataCache = mkDefault "always";
+ security.virtualisation.flushL1DataCache = mkDefault "always";
security.apparmor.enable = mkDefault true;
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix
index f611a3992ed4..4ae642222740 100644
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -63,6 +63,8 @@ with lib;
(mkRemovedOptionModule [ "security" "setuidOwners" ] "Use security.wrappers instead")
(mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead")
+ (mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ])
+
# PAM
(mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ])
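Review bot: The alias added on the `mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ]` line sits between the setuid removals and the `# PAM` group with no heading of its own, unlike the entries below it. This alias is what keeps an existing `security.virtualization.flushL1DataCache` setting feeding `kvm-intel.vmentry_l1d_flush` after the respelling, so I would label it, e.g. `# L1D cache flush mitigation: option moved to the security.virtualisation spelling`. No release-notes entry is visible in this diff; if none exists elsewhere in the commit, adding one would help operators of hardened hosts understand the rename warning they will see on evaluation.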
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix
index bf474ac0a546..2a7f07ef6dbe 100644
--- a/nixos/modules/security/misc.nix
+++ b/nixos/modules/security/misc.nix
@@ -48,13 +48,13 @@ with lib;
e.g., shared caches). This attack vector is unproven.
Disabling SMT is a supplement to the L1 data cache flushing mitigation
- (see )
+ (see )
versus malicious VM guests (SMT could "bring back" previously flushed
data).
'';
};
- security.virtualization.flushL1DataCache = mkOption {
+ security.virtualisation.flushL1DataCache = mkOption {
type = types.nullOr (types.enum [ "never" "cond" "always" ]);
default = null;
description = ''
@@ -114,8 +114,8 @@ with lib;
boot.kernelParams = [ "nosmt" ];
})
- (mkIf (config.security.virtualization.flushL1DataCache != null) {
- boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualization.flushL1DataCache}" ];
+ (mkIf (config.security.virtualisation.flushL1DataCache != null) {
+ boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualisation.flushL1DataCache}" ];
})
];
}