admin/gg
1
0
Code Issues Packages Projects Wiki

Update nix os Info

admin
2026-02-17 08:29:48 -05:00
parent 8d7f5211c3
commit ddd7a296df
1 changed files with 47 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
nix-os-Info.md

@@ -28,3 +28,49 @@ How to Mitigate Risks
- Update Regularly: Since updates are atomic, regular system rebuilds ensure you are using the latest, patched versions of software. - Update Regularly: Since updates are atomic, regular system rebuilds ensure you are using the latest, patched versions of software.
In summary, the immutability in NixOS protects against traditional file-tampering malware, but it is not a silver bullet against application-level vulnerabilities or privilege escalation. In summary, the immutability in NixOS protects against traditional file-tampering malware, but it is not a silver bullet against application-level vulnerabilities or privilege escalation.
# Concerning ASLR
Address Space Layout Randomization (ASLR) is active on NixOS, just like in other modern Linux distributions. It is a system-level security feature enabled by default to mitigate exploits by randomizing memory locations for stacks, libraries, and executables. NixOS relies on the Linux kernels implementation of ASLR.
- Default Behavior: ASLR is enabled by default to protect memory from unauthorized access.
- Requirements: For full ASLR protection, binaries must be compiled as Position-Independent Executables (PIE).
- Debugging Note: Using tools like gdb may automatically disable ASLR while debugging, which might cause memory addresses to appear consistent.
- Verification: You can verify the status by checking cat /proc/sys/kernel/randomize_va_space (values of 1 or 2 indicate enabled).
# Concerning IOMMU
NixOS can take full advantage of IOMMU (Input-Output Memory Management Unit) to enable hardware-accelerated virtualization, commonly used for GPU passthrough (VFIO).
NixOS's declarative configuration model actually makes setting up complex IOMMU scenarios, such as passing a GPU to a Windows VM for gaming, quite manageable compared to imperative distributions.
How to Enable IOMMU in NixOS
To activate IOMMU, you must modify your /etc/nixos/configuration.nix to include necessary kernel parameters for your CPU.
Enable in BIOS: First, ensure VT-d (Intel) or AMD-Vi (AMD) is enabled in your motherboard BIOS.
Configure configuration.nix: Add the following to your configuration:
nix
boot.kernelParams = [
"intel_iommu=on" # Use "amd_iommu=on" if you have an AMD CPU
"iommu=pt" # Optional: Often helps with performance/stability
];
Reboot: Rebuild your system (nixos-rebuild switch) and reboot to activate the IOMMU.
Verify: Check if IOMMU is active by running:
journalctl -b | grep -i -e iommu -e dmar.
Key IOMMU Use Cases in NixOS
GPU Passthrough (VFIO): You can pass a dedicated PCIe graphics card to a virtual machine (e.g., via QEMU/KVM) to get near-native gaming performance, allowing you to run Windows inside NixOS with high-performance graphics.
PCIe Device Isolation: IOMMU groups are essential for security and stability when passing devices (NICs, GPUs, USB controllers) directly to VMs.
VFIO Drivers: You can configure NixOS to load the vfio-pci drivers early in the boot process to grab a GPU before the host X11/Wayland desktop does.
Relevant NixOS Configurations
Modules: You need to load the VFIO kernel modules:
nix
boot.kernelModules = [ "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ];
Device Blacklisting: Often, you need to blacklist GPU drivers (like nvidia or amdgpu) for the guest GPU to prevent the host from using it.
Libvirt/Virt-manager: NixOS has excellent support for virt-manager and QEMU, making it easy to manage VMs.
For detailed, step-by-step instructions, the official [NixOS Wiki PCI Passthrough page](https://wiki.nixos.org/wiki/PCI_passthrough) is the best resource.