Skip to content

fix(charts): stop disabling KVM nested virtualization in Talos presets#225

Merged
Aleksei Sviridkin (lexfrei) merged 1 commit into
mainfrom
fix/restore-nested-virt
Jul 9, 2026
Merged

fix(charts): stop disabling KVM nested virtualization in Talos presets#225
Aleksei Sviridkin (lexfrei) merged 1 commit into
mainfrom
fix/restore-nested-virt

Conversation

@lexfrei

@lexfrei Aleksei Sviridkin (lexfrei) commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

The cozystack and generic presets pin kvm_intel.nested=0 / kvm_amd.nested=0 through machine.install.extraKernelArgs to mitigate CVE-2026-53359 and its companion CVE-2026-46113, a KVM x86 shadow-paging guest-to-host escape. Because Talos rejects extraKernelArgs alongside the UKI command line, the presets also pin machine.install.grubUseUKICmdline=false on v1.12 and newer. This drops both, along with the contract tests that asserted them.

Nested virtualization is a feature operators may legitimately need. A preset that installs it off takes it away from every node it touches, and that is not a decision a preset should make on the operator's behalf.

The grubUseUKICmdline=false pin has no security purpose of its own. It exists only so the kernel args can be delivered, and as a side effect moves v1.12+ nodes off the UKI command line onto the Talos-built one — a boot-path change with no bearing on the vulnerability.

Both kernel bugs are fixed upstream, and the stable trees are cumulative: Linux 6.18.38 carries the escape fix together with the frame-number fix that must accompany it, and Talos v1.13.6 ships that kernel. Upgrading closes the vulnerability at its root, keeps nested virtualization available, and leaves the boot path untouched — strictly better than disabling the feature.

The mitigation shipped in v0.33.0, so this goes out as a v0.33.1 patch release.

golangci-lint run reports 0 issues; go test ./... is green.

Summary by CodeRabbit

  • Bug Fixes
    • Simplified Talos install configuration by removing outdated installation options that could conflict with newer releases.
    • Reduced the chance of invalid or unsupported machine install settings being generated during cluster setup.

The cozystack and generic presets pinned kvm_intel.nested=0 and
kvm_amd.nested=0 through machine.install.extraKernelArgs to mitigate
CVE-2026-53359 and its companion CVE-2026-46113, a KVM x86
shadow-paging guest-to-host escape. Talos rejects extraKernelArgs
alongside the UKI command line, so the presets also had to pin
machine.install.grubUseUKICmdline=false on v1.12 and newer.

Both effects are unwanted. Nested virtualization is a feature operators
may legitimately need, and a preset is the wrong place to take it away
from every node it installs. The grubUseUKICmdline pin has no security
purpose of its own: it exists only so the kernel args can be delivered,
and as a side effect moves v1.12+ nodes off the UKI command line onto
the Talos-built one.

Both kernel bugs are fixed upstream, and the stable trees are
cumulative: Linux 6.18.38 carries the escape fix together with the
frame-number fix that must accompany it. Upgrading the kernel closes
the vulnerability at its root, keeps nested virtualization available,
and leaves the boot path untouched.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 02280f6f-2191-43a6-8090-4f26ad4ec1f1

📥 Commits

Reviewing files that changed from the base of the PR and between 6a38060 and 42bd818.

📒 Files selected for processing (3)
  • charts/cozystack/templates/_helpers.tpl
  • charts/generic/templates/_helpers.tpl
  • pkg/engine/contract_machine_kvmnested_test.go
💤 Files with no reviewable changes (3)
  • pkg/engine/contract_machine_kvmnested_test.go
  • charts/generic/templates/_helpers.tpl
  • charts/cozystack/templates/_helpers.tpl

📝 Walkthrough

Walkthrough

This PR removes the CVE-2026-53359 KVM nested-virtualization mitigation from the talos.config.machine.common template in both the cozystack and generic charts, eliminating the conditional grubUseUKICmdline: false setting and the extraKernelArgs entries disabling kvm_intel.nested and kvm_amd.nested. The corresponding contract test file is deleted.

Changes

KVM mitigation removal

Layer / File(s) Summary
Template mitigation removal
charts/cozystack/templates/_helpers.tpl, charts/generic/templates/_helpers.tpl
Removes the conditional grubUseUKICmdline: false field and the extraKernelArgs block disabling KVM nested virtualization from machine.install in both charts.
Contract test removal
pkg/engine/contract_machine_kvmnested_test.go
Deletes the test file verifying KVM nested-virtualization mitigation config, including tests for extraKernelArgs, the UKI cmdline gate, and full-pipeline validation.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

Suggested reviewers: IvanHunters

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: removing Talos preset settings that disabled KVM nested virtualization.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/restore-nested-virt

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request removes the mitigation for CVE-2026-53359 (disabling KVM nested virtualization) from both the cozystack and generic Helm charts. This includes removing the grubUseUKICmdline and extraKernelArgs configurations from the templates, as well as deleting the associated Go contract tests that validated these configurations. I have no feedback to provide as there are no review comments to evaluate.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@lexfrei Aleksei Sviridkin (lexfrei) merged commit e14fe35 into main Jul 9, 2026
7 of 8 checks passed
@lexfrei Aleksei Sviridkin (lexfrei) deleted the fix/restore-nested-virt branch July 9, 2026 12:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant