fix(charts): disable KVM nested virtualization in Talos presets (CVE-2026-53359)#224
fix(charts): disable KVM nested virtualization in Talos presets (CVE-2026-53359)#224Andrei Kvapil (kvaps) wants to merge 2 commits into
Conversation
…2026-53359) Add kvm_intel.nested=0 and kvm_amd.nested=0 to machine.install.extraKernelArgs in the cozystack and generic presets to mitigate CVE-2026-53359 (Januscape), a KVM guest-to-host escape reachable only when nested virtualization is exposed to the guest. Both args are set so one config covers Intel and AMD hosts. Signed-off-by: Andrei Kvapil <kvapss@gmail.com> Assisted-By: Claude <noreply@anthropic.com>
📝 WalkthroughWalkthroughHelm machine templates now emit nested-virtualization kernel arguments and conditionally disable ChangesNested virtualization mitigation
Estimated code review effort: 3 (Moderate) | ~25 minutes Sequence Diagram(s)sequenceDiagram
participant GoTest
participant HelmEngine
participant ConfigLoader
participant TalosValidator
GoTest->>HelmEngine: render template output
GoTest->>ConfigLoader: load merged machine config
ConfigLoader->>TalosValidator: validate install config
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Code Review
This pull request adds extra kernel arguments to disable KVM nested virtualization (kvm_intel.nested=0 and kvm_amd.nested=0) in both cozystack and generic Helm charts to mitigate CVE-2026-53359. The feedback suggests improving flexibility by allowing operators to customize or override these kernel arguments through .Values.extraKernelArgs.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
To maintain consistency with other customizable fields (such as extraKernelModules, extraSysctls, etc.) and to allow operators to customize kernel arguments or override this mitigation if needed, consider adding support for an optional extraKernelArgs list in .Values.
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
{{- with .Values.extraKernelArgs }}
{{- toYaml . | nindent 4 }}
{{- end }}
| extraKernelArgs: | ||
| # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation) | ||
| - kvm_intel.nested=0 | ||
| - kvm_amd.nested=0 |
There was a problem hiding this comment.
To maintain consistency with other customizable fields (such as extraKernelModules, extraSysctls, etc.) and to allow operators to customize kernel arguments or override this mitigation if needed, consider adding support for an optional extraKernelArgs list in .Values.
extraKernelArgs:
# CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation)
- kvm_intel.nested=0
- kvm_amd.nested=0
{{- with .Values.extraKernelArgs }}
{{- toYaml . | nindent 4 }}
{{- end }}
… v1.12+
Talos >1.11 defaults machine.install.grubUseUKICmdline to true (UKI
cmdline) and rejects machine.install.extraKernelArgs alongside it
("install.extraKernelArgs and install.grubUseUKICmdline can't be used
together"). The generated base config carries that default, so the
kvm_intel/kvm_amd nested-virt args on their own rendered a config Talos
refused on apply for every v1.12+ node.
Pin grubUseUKICmdline=false in both presets wherever the base bundle
would set it true (no --talos-version, or >=1.12), so the args land on
the Talos-built kernel command line. The kvm modules are built into the
Talos kernel, so the nested= parameter is settable only via the command
line -- a modprobe.d drop-in or a read-only /sys write cannot set it.
Add contract tests that render the full apply config (base bundle +
preset patch) and run Talos validation, pinning the mitigation and
guarding against the UKI conflict regressing.
Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
There was a problem hiding this comment.
🧹 Nitpick comments (1)
pkg/engine/contract_machine_kvmnested_test.go (1)
105-110: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winRestore
helmEngine.LookupFuncafter the test.The package-level
helmEngine.LookupFuncis reassigned but never restored. Other contract tests in this package share the same global; leaving it mutated risks order-dependent flakiness. Prefer capturing and restoring viat.Cleanup.♻️ Restore the hook after the test
- helmEngine.LookupFunc = func(string, string, string) (map[string]any, error) { - return map[string]any{}, nil - } + prevLookup := helmEngine.LookupFunc + t.Cleanup(func() { helmEngine.LookupFunc = prevLookup }) + helmEngine.LookupFunc = func(string, string, string) (map[string]any, error) { + return map[string]any{}, nil + }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@pkg/engine/contract_machine_kvmnested_test.go` around lines 105 - 110, The test mutates the package-level helmEngine.LookupFunc and leaves it changed, which can affect other contract tests in this package. In TestContract_Machine_Install_FullConfigValidates_NoUKIConflict, capture the current LookupFunc before overriding it and restore it with t.Cleanup so the shared global is returned to its original state after the test finishes.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@pkg/engine/contract_machine_kvmnested_test.go`:
- Around line 105-110: The test mutates the package-level helmEngine.LookupFunc
and leaves it changed, which can affect other contract tests in this package. In
TestContract_Machine_Install_FullConfigValidates_NoUKIConflict, capture the
current LookupFunc before overriding it and restore it with t.Cleanup so the
shared global is returned to its original state after the test finishes.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 21089072-340b-4bbb-afdc-23b7cea75384
📒 Files selected for processing (3)
charts/cozystack/templates/_helpers.tplcharts/generic/templates/_helpers.tplpkg/engine/contract_machine_kvmnested_test.go
|
Heads up — I pushed a fix commit ( Why it failed: talm's apply path serializes the generated base config merged with the preset. On Talos >1.11 the base defaults So the kvm args on their own made every v1.12+ apply fail. Confirmed against a live v1.12.6 node — The fix: pin Two things worth calling out:
kvm_intel/kvm_amd are built into the Talos kernel, so the cmdline is the only way to set |
|
Thanks Aleksei Sviridkin (@lexfrei) — good catch, and the fix is right. Confirmed the same conflict: Propagated the same pin to the coordinated PRs, and corrected the rollout wording to "applies on
Also confirms your point that kvm_intel/kvm_amd are built into the Talos kernel — so the cmdline is the only lever; the ansible-cozystack PR stays on modprobe.d, since on generic distros those are loadable modules. One open point: the older docs versions (v0–v1.2) pin Talos v1.10.3, where |
Summary
Disables KVM nested virtualization in the Talos machine config produced by the
cozystackandgenericpresets, to mitigate CVE-2026-53359 ("Januscape"), a guest-to-host escape in the Linux KVM/x86 shadow MMU (a use-after-free inkvm_mmu_get_child_sp()from shadow-page role confusion).The vulnerable code path is only reachable when a guest is allowed to use nested virtualization; disabling it on the host removes the attack surface regardless of the node kernel patch level. Fixed upstream in
81ccda30b4e8/ stable 6.12.95, 6.6.144, 6.1.177, 6.18.38, 7.1.3 (2026-07-04); no released Talos ships the fixed kernel yet.Change
Adds
kvm_intel.nested=0andkvm_amd.nested=0tomachine.install.extraKernelArgsin both presets. Both args are set so a single config works on Intel and AMD hosts (the non-matching one is silently ignored).Notes
Part of a coordinated set of PRs (see Related PRs below).
Related PRs
Coordinated CVE-2026-53359 (Januscape) nested-virtualization mitigation across Cozystack repos:
cozystack/genericpresets (canonical source)Summary by CodeRabbit