From 167578163a5031e8d7519b010824499db73fa62f Mon Sep 17 00:00:00 2001 From: Joachim Fasting Date: Sat, 5 Jan 2019 13:50:36 +0100 Subject: [PATCH] nixos/hardened profile: always enable pti --- nixos/modules/profiles/hardened.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index aa9ea2c9a357..9ab2ee87a19e 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -40,6 +40,9 @@ with lib; # Disable legacy virtual syscalls "vsyscall=none" + + # Enable PTI even if CPU claims to be safe from meltdown + "pti=on" ]; boot.blacklistedKernelModules = [
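Review bot: The comment on the new "pti=on" entry, added after "vsyscall=none" in hardened.nix, says the CPU's own claim of being safe is overridden but not why that claim is distrusted or what the override costs. Because this forces page table isolation on hardware where the kernel would otherwise leave it off, the comment or the commit message (which has no body) should state the rationale and mention the extra kernel entry/exit overhead that users of the hardened profile will now pay unconditionally. Minor style point: capitalise "Meltdown" in the comment.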