From e905157331cfb2b4244492c51d426ceb804b5329 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Tue, 7 Jul 2026 16:11:34 +0200 Subject: [PATCH 1/3] feat(cozystack): disable KVM nested virtualization in Talos skills (CVE-2026-53359) Prescribe kvm_intel.nested=0 and kvm_amd.nested=0 via machine.install.extraKernelArgs in the talos-bootstrap node overlay, add a Phase 7 review check and a post-upgrade verification, to mitigate CVE-2026-53359 (Januscape). Placing the args under machine.install makes talm re-apply them on every upgrade so the mitigation survives OS bumps. Signed-off-by: Andrei Kvapil Assisted-By: Claude --- .../cluster-upgrade/references/post-upgrade-checks.md | 4 ++++ plugins/cozystack/skills/talos-bootstrap/SKILL.md | 8 ++++++++ .../skills/talos-bootstrap/references/manual-steps.md | 5 +++++ 3 files changed, 17 insertions(+) diff --git a/plugins/cozystack/skills/cluster-upgrade/references/post-upgrade-checks.md b/plugins/cozystack/skills/cluster-upgrade/references/post-upgrade-checks.md index 896fe53..b5d727f 100644 --- a/plugins/cozystack/skills/cluster-upgrade/references/post-upgrade-checks.md +++ b/plugins/cozystack/skills/cluster-upgrade/references/post-upgrade-checks.md @@ -28,6 +28,10 @@ kubectl --context $CTX get tenantcontrolplane -A alias linstor='kubectl exec -n cozy-linstor deploy/linstor-controller -ti -- linstor' linstor node list linstor resource list --faulty + +# 6. CVE-2026-53359 mitigation survived the OS upgrade (nested virtualization still off). +# machine.install.extraKernelArgs is re-applied by `talm upgrade`; confirm per node: +talm -n read /proc/cmdline | grep -o 'kvm_intel.nested=[01]' # expect kvm_intel.nested=0 ``` ## Targeted checks (map from change-risk summary) diff --git a/plugins/cozystack/skills/talos-bootstrap/SKILL.md b/plugins/cozystack/skills/talos-bootstrap/SKILL.md index b09fe66..a4ded75 100644 --- a/plugins/cozystack/skills/talos-bootstrap/SKILL.md +++ b/plugins/cozystack/skills/talos-bootstrap/SKILL.md @@ -296,6 +296,13 @@ for node_idx in "${!INVENTORY_NODE_NAMES[@]}"; do cat > "$f" <.yaml` for review. Things to spot before apply: - `machine.install.image` should be `ghcr.io/cozystack/cozystack/talos:`. The cozystack preset sets this; surface if missing. +- `machine.install.extraKernelArgs` should include `kvm_intel.nested=0` and `kvm_amd.nested=0` — the CVE-2026-53359 (Januscape) nested-virtualization guest-to-host escape mitigation. The Phase 6.5 overlay and the cozystack preset set these; surface if missing (e.g. an older preset). - `machine.kernel.modules` should list drbd / zfs / spl / openvswitch / vfio_pci / vfio_iommu_type1. - For CP nodes: `machine.type: controlplane`, optional `machine.network.interfaces[].vip` for HA. - `machine.install.disk` defaults to a heuristic — confirm it picks the right system disk on multi-disk nodes (operator can edit nodes/.yaml before apply). diff --git a/plugins/cozystack/skills/talos-bootstrap/references/manual-steps.md b/plugins/cozystack/skills/talos-bootstrap/references/manual-steps.md index c77b5fc..d2058ee 100644 --- a/plugins/cozystack/skills/talos-bootstrap/references/manual-steps.md +++ b/plugins/cozystack/skills/talos-bootstrap/references/manual-steps.md @@ -131,6 +131,11 @@ machine: # Required: which interface to install Talos to. install: disk: /dev/sda + # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation). + # Under machine.install so talm re-applies it on every `talm upgrade`. + extraKernelArgs: + - kvm_intel.nested=0 + - kvm_amd.nested=0 --- apiVersion: v1alpha1 kind: HostnameConfig From 3b4c8b87abf6279786c94915f3ac56431a7729ac Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Tue, 7 Jul 2026 20:25:59 +0200 Subject: [PATCH 2/3] fix(cozystack): pin grubUseUKICmdline=false and note upgrade-only rollout (CVE-2026-53359) kvm_intel/kvm_amd are built into the Talos kernel, so nested= is settable only from the kernel command line. Pin grubUseUKICmdline=false (Talos >=1.12) so extraKernelArgs land on the built cmdline, and note the args take effect via talm upgrade, not a plain apply. Signed-off-by: Andrei Kvapil Assisted-By: Claude --- plugins/cozystack/skills/talos-bootstrap/SKILL.md | 7 ++++++- .../skills/talos-bootstrap/references/manual-steps.md | 4 +++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/plugins/cozystack/skills/talos-bootstrap/SKILL.md b/plugins/cozystack/skills/talos-bootstrap/SKILL.md index a4ded75..99880b4 100644 --- a/plugins/cozystack/skills/talos-bootstrap/SKILL.md +++ b/plugins/cozystack/skills/talos-bootstrap/SKILL.md @@ -299,7 +299,12 @@ for node_idx in "${!INVENTORY_NODE_NAMES[@]}"; do machine: install: # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation). - # Lives under machine.install so talm re-applies it on every talm upgrade. + # kvm_intel/kvm_amd are built into the Talos kernel, so nested= is settable + # only from the kernel command line. On Talos >=1.12 pin grubUseUKICmdline + # false so the args land on the Talos-built cmdline (Talos rejects/ignores + # extraKernelArgs under the UKI cmdline). Applied by the installer, so it + # takes effect on "talm upgrade", not a plain "talm apply". + grubUseUKICmdline: false extraKernelArgs: - kvm_intel.nested=0 - kvm_amd.nested=0 diff --git a/plugins/cozystack/skills/talos-bootstrap/references/manual-steps.md b/plugins/cozystack/skills/talos-bootstrap/references/manual-steps.md index d2058ee..d584158 100644 --- a/plugins/cozystack/skills/talos-bootstrap/references/manual-steps.md +++ b/plugins/cozystack/skills/talos-bootstrap/references/manual-steps.md @@ -132,7 +132,9 @@ machine: install: disk: /dev/sda # CVE-2026-53359: disable KVM nested virtualization (guest-to-host escape mitigation). - # Under machine.install so talm re-applies it on every `talm upgrade`. + # On Talos >=1.12 pin grubUseUKICmdline false so the args land on the built + # cmdline. Takes effect on `talm upgrade` (installer re-run), not `talm apply`. + grubUseUKICmdline: false extraKernelArgs: - kvm_intel.nested=0 - kvm_amd.nested=0 From 5f61d784299d1886604f88a6aed5aa7fceb1d9e2 Mon Sep 17 00:00:00 2001 From: Aleksei Sviridkin Date: Wed, 8 Jul 2026 10:44:37 +0300 Subject: [PATCH 3/3] fix(cozystack): correct talm flag in post-upgrade nested-virt check talm rejects the -n shorthand (unknown shorthand flag: 'n'); non-config subcommands need explicit --nodes and --endpoints. Use the long flags so the documented verification command actually runs. Assisted-By: Claude Signed-off-by: Aleksei Sviridkin --- .../skills/cluster-upgrade/references/post-upgrade-checks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/cozystack/skills/cluster-upgrade/references/post-upgrade-checks.md b/plugins/cozystack/skills/cluster-upgrade/references/post-upgrade-checks.md index b5d727f..28ace81 100644 --- a/plugins/cozystack/skills/cluster-upgrade/references/post-upgrade-checks.md +++ b/plugins/cozystack/skills/cluster-upgrade/references/post-upgrade-checks.md @@ -31,7 +31,7 @@ linstor resource list --faulty # 6. CVE-2026-53359 mitigation survived the OS upgrade (nested virtualization still off). # machine.install.extraKernelArgs is re-applied by `talm upgrade`; confirm per node: -talm -n read /proc/cmdline | grep -o 'kvm_intel.nested=[01]' # expect kvm_intel.nested=0 +talm --nodes --endpoints read /proc/cmdline | grep -o 'kvm_intel.nested=[01]' # expect kvm_intel.nested=0 ``` ## Targeted checks (map from change-risk summary)