From ddd7a296df7aa9eb4426594f09d88873dc3603d0 Mon Sep 17 00:00:00 2001 From: admin Date: Tue, 17 Feb 2026 08:29:48 -0500 Subject: [PATCH] Update nix os Info --- nix-os-Info.md | 48 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 47 insertions(+), 1 deletion(-) diff --git a/nix-os-Info.md b/nix-os-Info.md index e546ff7..a74654d 100644 --- a/nix-os-Info.md +++ b/nix-os-Info.md 
@@ -27,4 +27,50 @@ How to Mitigate Risks - Sandboxing: Utilize containerization or sandboxing (like bubblewrap) to limit the impact of a compromised application. - Update Regularly: Since updates are atomic, regular system rebuilds ensure you are using the latest, patched versions of software. -In summary, the immutability in NixOS protects against traditional file-tampering malware, but it is not a silver bullet against application-level vulnerabilities or privilege escalation. \ No newline at end of file +In summary, the immutability in NixOS protects against traditional file-tampering malware, but it is not a silver bullet against application-level vulnerabilities or privilege escalation. + +# Concerning ASLR +Address Space Layout Randomization (ASLR) is active on NixOS, just like in other modern Linux distributions. It is a system-level security feature enabled by default to mitigate exploits by randomizing memory locations for stacks, libraries, and executables. NixOS relies on the Linux kernel’s implementation of ASLR. + +- Default Behavior: ASLR is enabled by default to protect memory from unauthorized access. +- Requirements: For full ASLR protection, binaries must be compiled as Position-Independent Executables (PIE). +- Debugging Note: Using tools like gdb may automatically disable ASLR while debugging, which might cause memory addresses to appear consistent. +- Verification: You can verify the status by checking cat /proc/sys/kernel/randomize_va_space (values of 1 or 2 indicate enabled). + + +# Concerning IOMMU +NixOS can take full advantage of IOMMU (Input-Output Memory Management Unit) to enable hardware-accelerated virtualization, commonly used for GPU passthrough (VFIO). +NixOS's declarative configuration model actually makes setting up complex IOMMU scenarios, such as passing a GPU to a Windows VM for gaming, quite manageable compared to imperative distributions. 
+How to Enable IOMMU in NixOS +To activate IOMMU, you must modify your /etc/nixos/configuration.nix to include necessary kernel parameters for your CPU. + + Enable in BIOS: First, ensure VT-d (Intel) or AMD-Vi (AMD) is enabled in your motherboard BIOS. + Configure configuration.nix: Add the following to your configuration: + nix + + boot.kernelParams = [ + "intel_iommu=on" # Use "amd_iommu=on" if you have an AMD CPU + "iommu=pt" # Optional: Often helps with performance/stability + ]; + + Reboot: Rebuild your system (nixos-rebuild switch) and reboot to activate the IOMMU. + Verify: Check if IOMMU is active by running: + journalctl -b | grep -i -e iommu -e dmar. + +Key IOMMU Use Cases in NixOS + + GPU Passthrough (VFIO): You can pass a dedicated PCIe graphics card to a virtual machine (e.g., via QEMU/KVM) to get near-native gaming performance, allowing you to run Windows inside NixOS with high-performance graphics. + PCIe Device Isolation: IOMMU groups are essential for security and stability when passing devices (NICs, GPUs, USB controllers) directly to VMs. + VFIO Drivers: You can configure NixOS to load the vfio-pci drivers early in the boot process to grab a GPU before the host X11/Wayland desktop does. + +Relevant NixOS Configurations + + Modules: You need to load the VFIO kernel modules: + nix + + boot.kernelModules = [ "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ]; + + Device Blacklisting: Often, you need to blacklist GPU drivers (like nvidia or amdgpu) for the guest GPU to prevent the host from using it. + Libvirt/Virt-manager: NixOS has excellent support for virt-manager and QEMU, making it easy to manage VMs. + +For detailed, step-by-step instructions, the official [NixOS Wiki PCI Passthrough page](https://wiki.nixos.org/wiki/PCI_passthrough) is the best resource. \ No newline at end of file
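Review bot: the `boot.kernelModules = [ "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ];` line under "Relevant NixOS Configurations" does not deliver what the "VFIO Drivers" bullet promises. `boot.kernelModules` is loaded in stage 2, after the initrd, by which point the host driver (nvidia, amdgpu, nouveau) has normally already bound the guest GPU; to claim the card early, the modules belong in `boot.initrd.kernelModules`, paired with a `vfio-pci.ids=<vendor:device>` entry in `boot.kernelParams` (or an `options vfio-pci ids=...` line via `boot.extraModprobeConfig`) so vfio-pci knows which device to take. The "Device Blacklisting" bullet should likewise name the mechanism, `boot.blacklistedKernelModules`, instead of leaving the reader to guess. Separately, `vfio_virqfd` was folded into the `vfio` module in Linux 6.2, so on the kernels current NixOS releases ship it is no longer a separate module and the boot-time module load will log a failure for it; drop it or state the kernel range it applies to. Formatting: both code samples are introduced by a bare word `nix` rather than a ```nix fence, and the steps "Enable in BIOS", "Configure configuration.nix", "Reboot", "Verify" plus the bullets under "Key IOMMU Use Cases" and "Relevant NixOS Configurations" have lost their list markers, so they will render as run-on paragraphs; the trailing period in `journalctl -b | grep -i -e iommu -e dmar.` will also be copied into the command. In the ASLR section, "values of 1 or 2 indicate enabled" is true but should be qualified: 1 randomizes stack, mmap and VDSO only, while 2 (the kernel default) additionally randomizes the heap (brk), so 2 is the value that matches the "full ASLR protection" the section describes.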