Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 0 additions & 23 deletions charts/cozystack/templates/_helpers.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -165,29 +165,6 @@ machine:
{{- end }}
{{- (include "talm.discovered.disks_info" .) | nindent 4 }}
disk: {{ include "talm.discovered.system_disk_name" . | quote }}
{{- /* CVE-2026-53359: disable KVM nested virtualization (guest-to-host
escape mitigation). kvm_intel/kvm_amd are built into the Talos
kernel, so the nested= parameter takes effect only from the
kernel command line — a modprobe.d drop-in or a runtime /sys
write cannot set it (the sysfs knob is read-only post-boot).
Both modules are listed so one config works on Intel and AMD;
the non-matching module silently ignores its arg.

On Talos >1.11 the generated base config defaults
machine.install.grubUseUKICmdline to true (UKI cmdline), and
Talos rejects extraKernelArgs alongside it ("install.extraKernelArgs
and install.grubUseUKICmdline can't be used together"). Pin it
false so the args land on the Talos-built cmdline. The guard
matches the base default exactly: emit the field only where the
base bundle would set it true, so we never surface a key on a
node whose schema predates grubUseUKICmdline. */ -}}
{{- if or (not .TalosVersion) (not (semverCompare "<1.12.0-0" .TalosVersion)) }}
grubUseUKICmdline: false
{{- end }}
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
{{- end }}

{{- /* Shared cluster section */ -}}
Expand Down
23 changes: 0 additions & 23 deletions charts/generic/templates/_helpers.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -58,29 +58,6 @@ machine:
install:
{{- (include "talm.discovered.disks_info" .) | nindent 4 }}
disk: {{ include "talm.discovered.system_disk_name" . | quote }}
{{- /* CVE-2026-53359: disable KVM nested virtualization (guest-to-host
escape mitigation). kvm_intel/kvm_amd are built into the Talos
kernel, so the nested= parameter takes effect only from the
kernel command line — a modprobe.d drop-in or a runtime /sys
write cannot set it (the sysfs knob is read-only post-boot).
Both modules are listed so one config works on Intel and AMD;
the non-matching module silently ignores its arg.

On Talos >1.11 the generated base config defaults
machine.install.grubUseUKICmdline to true (UKI cmdline), and
Talos rejects extraKernelArgs alongside it ("install.extraKernelArgs
and install.grubUseUKICmdline can't be used together"). Pin it
false so the args land on the Talos-built cmdline. The guard
matches the base default exactly: emit the field only where the
base bundle would set it true, so we never surface a key on a
node whose schema predates grubUseUKICmdline. */ -}}
{{- if or (not .TalosVersion) (not (semverCompare "<1.12.0-0" .TalosVersion)) }}
grubUseUKICmdline: false
{{- end }}
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
{{- end }}

{{- /* Shared cluster section */ -}}
Expand Down
160 changes: 0 additions & 160 deletions pkg/engine/contract_machine_kvmnested_test.go

This file was deleted.

Loading