fix(charts): stop disabling KVM nested virtualization in Talos presets#225
Conversation
The cozystack and generic presets pinned kvm_intel.nested=0 and kvm_amd.nested=0 through machine.install.extraKernelArgs to mitigate CVE-2026-53359 and its companion CVE-2026-46113, a KVM x86 shadow-paging guest-to-host escape. Talos rejects extraKernelArgs alongside the UKI command line, so the presets also had to pin machine.install.grubUseUKICmdline=false on v1.12 and newer. Both effects are unwanted. Nested virtualization is a feature operators may legitimately need, and a preset is the wrong place to take it away from every node it installs. The grubUseUKICmdline pin has no security purpose of its own: it exists only so the kernel args can be delivered, and as a side effect moves v1.12+ nodes off the UKI command line onto the Talos-built one. Both kernel bugs are fixed upstream, and the stable trees are cumulative: Linux 6.18.38 carries the escape fix together with the frame-number fix that must accompany it. Upgrading the kernel closes the vulnerability at its root, keeps nested virtualization available, and leaves the boot path untouched. Assisted-By: Claude <noreply@anthropic.com> Signed-off-by: Aleksei Sviridkin <f@lex.la>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
💤 Files with no reviewable changes (3)
📝 WalkthroughWalkthroughThis PR removes the CVE-2026-53359 KVM nested-virtualization mitigation from the ChangesKVM mitigation removal
Estimated code review effort: 2 (Simple) | ~10 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Code Review
This pull request removes the mitigation for CVE-2026-53359 (disabling KVM nested virtualization) from both the cozystack and generic Helm charts. This includes removing the grubUseUKICmdline and extraKernelArgs configurations from the templates, as well as deleting the associated Go contract tests that validated these configurations. I have no feedback to provide as there are no review comments to evaluate.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
The
cozystackandgenericpresets pinkvm_intel.nested=0/kvm_amd.nested=0throughmachine.install.extraKernelArgsto mitigate CVE-2026-53359 and its companion CVE-2026-46113, a KVM x86 shadow-paging guest-to-host escape. Because Talos rejectsextraKernelArgsalongside the UKI command line, the presets also pinmachine.install.grubUseUKICmdline=falseon v1.12 and newer. This drops both, along with the contract tests that asserted them.Nested virtualization is a feature operators may legitimately need. A preset that installs it off takes it away from every node it touches, and that is not a decision a preset should make on the operator's behalf.
The
grubUseUKICmdline=falsepin has no security purpose of its own. It exists only so the kernel args can be delivered, and as a side effect moves v1.12+ nodes off the UKI command line onto the Talos-built one — a boot-path change with no bearing on the vulnerability.Both kernel bugs are fixed upstream, and the stable trees are cumulative: Linux 6.18.38 carries the escape fix together with the frame-number fix that must accompany it, and Talos v1.13.6 ships that kernel. Upgrading closes the vulnerability at its root, keeps nested virtualization available, and leaves the boot path untouched — strictly better than disabling the feature.
The mitigation shipped in v0.33.0, so this goes out as a v0.33.1 patch release.
golangci-lint runreports 0 issues;go test ./...is green.Summary by CodeRabbit