MDS

hosts/yodaHedgehog/configuration.nix

@@ -43,7 +43,11 @@
   # Note: dualstack lite -> No A record for that subdomain!
   yoda.netcup-dns = ../../secrets/netcup-dns-hedgehog.json;
 
-  boot.kernelParams = [];
+  boot.kernelParams = [
+    # If the CPU is vulnerable, enable all available mitigations
+    # except `nosmt` as we don't run any VMs on this machine.
+    "mds=full"
+  ];
   boot.kernelPackages = pkgs.linuxPackages;
 
   # Most users should never change this value after the initial install, for any reason, even if you've upgraded your system to a new NixOS release.

hosts/yodaNas/configuration.nix

@@ -48,6 +48,8 @@
   yoda.netcup-dns = ../../secrets/netcup-dns-nas.json;
 
   boot.kernelParams = [
+    # If the CPU is vulnerable, enable all available mitigations.
+    #
     # Microarchitectural Data Sampling (MDS), see https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html#mitigation-control-on-the-kernel-command-line
     "mds=full,nosmt"
   ];

hosts/yodaTab/configuration.nix

@@ -35,7 +35,7 @@
       ../../modules/uni-vpn.nix
       #../../modules/epa.nix
 
-      ../../modules/autostart.nix
+      #../../modules/autostart.nix
 
       #
       # Development
@@ -50,11 +50,6 @@
       #../../modules/vscodium.nix
       #../../modules/android.nix
       #../../modules/pmbootstrap.nix
-
-      #../../modules/boxes.nix
-      #../../modules/virtualbox.nix
-      ../../modules/docker.nix
-      #../../modules/docker-pushrm.nix
     ];
 
   networking.hostName = "yodaTab";
@@ -73,6 +68,11 @@
   # Motivation behind bare bones systemd-based initrd: https://github.com/NixOS/nixpkgs/pull/164943
   #boot.initrd.systemd.enable = true;
 
+  boot.kernelParams = [
+    # If the CPU is vulnerable, enable all available mitigations
+    # except `nosmt` as we don't run any VMs on this machine.
+    "mds=full"
+  ];
   boot.kernelPackages = pkgs.linuxPackages_latest;
 
   # Most users should never change this value after the initial install, for any reason, even if you've upgraded your system to a new NixOS release.

hosts/yodaTux/host-specific.nix

@@ -5,9 +5,16 @@
   yoda.btrfsFileSystems = ["/"];
   #yoda.btrfsMounts = yoda.btrfsFileSystems;
 
-  # Systemd Journal entry:
+  boot.kernelParams = [
-  # S Sat Sep 23 16:11:52 2023 p4 kernel: TSC found unstable after boot, most likely due to broken BIOS. Use 'tsc=unstable'.
+    # If the CPU is vulnerable, enable all available mitigations.
-  boot.kernelParams = [ "tsc=unstable" ];
+    #
+    # Microarchitectural Data Sampling (MDS), see https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html#mitigation-control-on-the-kernel-command-line
+    "mds=full,nosmt"
+
+    # Systemd Journal entry:
+    # TSC found unstable after boot, most likely due to broken BIOS. Use 'tsc=unstable'.
+    #"tsc=unstable"
+  ];
 
   # Most users should never change this value after the initial install, for any reason, even if you've upgraded your system to a new NixOS release.
   system.stateVersion = "23.05";

hosts/yodaTuxHeadless/configuration.nix

@@ -1,8 +1,8 @@
 { config, pkgs, lib, ... }:
 {
   imports = [
-    ./hardware-configuration.nix
+    ../yodaTux/hardware-configuration.nix
-    ./host-specific.nix
+    ../yodaTux/host-specific.nix
     #../../modules/tuxedo-rs.nix
     #../../modules/gpu-amd.nix
 

hosts/yodaTuxHeadless/hardware-configuration.nix

@@ -1 +0,0 @@
-../yodaTux/hardware-configuration.nix

hosts/yodaTuxHeadless/host-specific.nix

@@ -1 +0,0 @@
-../yodaTux/host-specific.nix

hosts/yodaYoga/configuration.nix

@@ -26,8 +26,9 @@
   #yoda.btrfsMounts = yoda.btrfsFileSystems;
 
   boot.kernelParams = [
-    # Microarchitectural Data Sampling (MDS), see https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html#mitigation-control-on-the-kernel-command-line
+    # If the CPU is vulnerable, enable all available mitigations
-    "mds=full,nosmt"
+    # except `nosmt` as we don't run any VMs on this machine.
+    "mds=full"
   ];
   boot.kernelPackages = pkgs.linuxPackages;