pyrox.dev
1{
2 config,
3 lib,
4 pkgs,
5 ...
6}:
7
8with lib;
9
10let
11
12 inherit (config.boot) kernelPatches;
13 inherit (config.boot.kernel) features randstructSeed;
14 inherit (config.boot.kernelPackages) kernel;
15
16 kernelModulesConf = pkgs.writeText "nixos.conf" ''
17 ${concatStringsSep "\n" config.boot.kernelModules}
18 '';
19
20in
21
22{
23
24 ###### interface
25
26 options = {
27 boot.kernel.enable =
28 mkEnableOption "the Linux kernel. This is useful for systemd-like containers which do not require a kernel"
29 // {
30 default = true;
31 };
32
33 boot.kernel.features = mkOption {
34 default = { };
35 example = literalExpression "{ debug = true; }";
36 internal = true;
37 description = ''
38 This option allows to enable or disable certain kernel features.
39 It's not API, because it's about kernel feature sets, that
40 make sense for specific use cases. Mostly along with programs,
41 which would have separate nixos options.
42 `grep features pkgs/os-specific/linux/kernel/common-config.nix`
43 '';
44 };
45
46 boot.kernelPackages = mkOption {
47 default = pkgs.linuxPackages;
48 type = types.raw;
49 apply =
50 kernelPackages:
51 kernelPackages.extend (
52 self: super: {
53 kernel = super.kernel.override (originalArgs: {
54 inherit randstructSeed;
55 kernelPatches = (originalArgs.kernelPatches or [ ]) ++ kernelPatches;
56 features = lib.recursiveUpdate super.kernel.features features;
57 });
58 }
59 );
60 # We don't want to evaluate all of linuxPackages for the manual
61 # - some of it might not even evaluate correctly.
62 defaultText = literalExpression "pkgs.linuxPackages";
63 example = literalExpression "pkgs.linuxKernel.packages.linux_5_10";
64 description = ''
65 This option allows you to override the Linux kernel used by
66 NixOS. Since things like external kernel module packages are
67 tied to the kernel you're using, it also overrides those.
68 This option is a function that takes Nixpkgs as an argument
69 (as a convenience), and returns an attribute set containing at
70 the very least an attribute {var}`kernel`.
71 Additional attributes may be needed depending on your
72 configuration. For instance, if you use the NVIDIA X driver,
73 then it also needs to contain an attribute
74 {var}`nvidia_x11`.
75
76 Please note that we strictly support kernel versions that are
77 maintained by the Linux developers only. More information on the
78 availability of kernel versions is documented
79 [in the Linux section of the manual](https://nixos.org/manual/nixos/unstable/index.html#sec-kernel-config).
80 '';
81 };
82
83 boot.kernelPatches = mkOption {
84 type = types.listOf types.attrs;
85 default = [ ];
86 example = literalExpression ''
87 [
88 {
89 name = "foo";
90 patch = ./foo.patch;
91 extraStructuredConfig.FOO = lib.kernel.yes;
92 features.foo = true;
93 }
94 {
95 name = "foo-ml-mbox";
96 patch = (fetchurl {
97 url = "https://lore.kernel.org/lkml/19700205182810.58382-1-email@domain/t.mbox.gz";
98 hash = "sha256-...";
99 });
100 }
101 ]
102 '';
103 description = ''
104 A list of additional patches to apply to the kernel.
105
106 Every item should be an attribute set with the following attributes:
107
108 ```nix
109 {
110 name = "foo"; # descriptive name, required
111
112 patch = ./foo.patch; # path or derivation that contains the patch source
113 # (required, but can be null if only config changes
114 # are needed)
115
116 extraStructuredConfig = { # attrset of extra configuration parameters without the CONFIG_ prefix
117 FOO = lib.kernel.yes; # (optional)
118 }; # values should generally be lib.kernel.yes,
119 # lib.kernel.no or lib.kernel.module
120
121 features = { # attrset of extra "features" the kernel is considered to have
122 foo = true; # (may be checked by other NixOS modules, optional)
123 };
124
125 extraConfig = "FOO y"; # extra configuration options in string form without the CONFIG_ prefix
126 # (optional, multiple lines allowed to specify multiple options)
127 # (deprecated, use extraStructuredConfig instead)
128 }
129 ```
130
131 There's a small set of existing kernel patches in Nixpkgs, available as `pkgs.kernelPatches`,
132 that follow this format and can be used directly.
133 '';
134 };
135
136 boot.kernel.randstructSeed = mkOption {
137 type = types.str;
138 default = "";
139 example = "my secret seed";
140 description = ''
141 Provides a custom seed for the {var}`RANDSTRUCT` security
142 option of the Linux kernel. Note that {var}`RANDSTRUCT` is
143 only enabled in NixOS hardened kernels. Using a custom seed requires
144 building the kernel and dependent packages locally, since this
145 customization happens at build time.
146 '';
147 };
148
149 boot.kernelParams = mkOption {
150 type = types.listOf (
151 types.strMatching ''([^"[:space:]]|"[^"]*")+''
152 // {
153 name = "kernelParam";
154 description = "string, with spaces inside double quotes";
155 }
156 );
157 default = [ ];
158 description = "Parameters added to the kernel command line.";
159 };
160
161 boot.consoleLogLevel = mkOption {
162 type = types.int;
163 default = 4;
164 description = ''
165 The kernel console `loglevel`. All Kernel Messages with a log level smaller
166 than this setting will be printed to the console.
167 '';
168 };
169
170 boot.vesa = mkOption {
171 type = types.bool;
172 default = false;
173 description = ''
174 (Deprecated) This option, if set, activates the VESA 800x600 video
175 mode on boot and disables kernel modesetting. It is equivalent to
176 specifying `[ "vga=0x317" "nomodeset" ]` in the
177 {option}`boot.kernelParams` option. This option is
178 deprecated as of 2020: Xorg now works better with modesetting, and
179 you might want a different VESA vga setting, anyway.
180 '';
181 };
182
183 boot.extraModulePackages = mkOption {
184 type = types.listOf types.package;
185 default = [ ];
186 example = literalExpression "[ config.boot.kernelPackages.nvidia_x11 ]";
187 description = "A list of additional packages supplying kernel modules.";
188 };
189
190 boot.kernelModules = mkOption {
191 type = types.listOf types.str;
192 default = [ ];
193 description = ''
194 The set of kernel modules to be loaded in the second stage of
195 the boot process. Note that modules that are needed to
196 mount the root file system should be added to
197 {option}`boot.initrd.availableKernelModules` or
198 {option}`boot.initrd.kernelModules`.
199 '';
200 };
201
202 boot.initrd.availableKernelModules = mkOption {
203 type = types.listOf types.str;
204 default = [ ];
205 example = [
206 "sata_nv"
207 "ext3"
208 ];
209 description = ''
210 The set of kernel modules in the initial ramdisk used during the
211 boot process. This set must include all modules necessary for
212 mounting the root device. That is, it should include modules
213 for the physical device (e.g., SCSI drivers) and for the file
214 system (e.g., ext3). The set specified here is automatically
215 closed under the module dependency relation, i.e., all
216 dependencies of the modules list here are included
217 automatically. The modules listed here are available in the
218 initrd, but are only loaded on demand (e.g., the ext3 module is
219 loaded automatically when an ext3 filesystem is mounted, and
220 modules for PCI devices are loaded when they match the PCI ID
221 of a device in your system). To force a module to be loaded,
222 include it in {option}`boot.initrd.kernelModules`.
223 '';
224 };
225
226 boot.initrd.kernelModules = mkOption {
227 type = types.listOf types.str;
228 default = [ ];
229 description = "List of modules that are always loaded by the initrd.";
230 };
231
232 boot.initrd.includeDefaultModules = mkOption {
233 type = types.bool;
234 default = true;
235 description = ''
236 This option, if set, adds a collection of default kernel modules
237 to {option}`boot.initrd.availableKernelModules` and
238 {option}`boot.initrd.kernelModules`.
239 '';
240 };
241
242 system.modulesTree = mkOption {
243 type = types.listOf types.path;
244 internal = true;
245 default = [ ];
246 description = ''
247 Tree of kernel modules. This includes the kernel, plus modules
248 built outside of the kernel. Combine these into a single tree of
249 symlinks because modprobe only supports one directory.
250 '';
251 # Convert the list of path to only one path.
252 apply =
253 let
254 kernel-name = config.boot.kernelPackages.kernel.name or "kernel";
255 in
256 modules: (pkgs.aggregateModules modules).override { name = kernel-name + "-modules"; };
257 };
258
259 system.requiredKernelConfig = mkOption {
260 default = [ ];
261 example = literalExpression ''
262 with config.lib.kernelConfig; [
263 (isYes "MODULES")
264 (isEnabled "FB_CON_DECOR")
265 (isEnabled "BLK_DEV_INITRD")
266 ]
267 '';
268 internal = true;
269 type = types.listOf types.attrs;
270 description = ''
271 This option allows modules to specify the kernel config options that
272 must be set (or unset) for the module to work. Please use the
273 lib.kernelConfig functions to build list elements.
274 '';
275 };
276
277 };
278
279 ###### implementation
280
281 config = mkMerge [
282 (mkIf config.boot.initrd.enable {
283 boot.initrd.availableKernelModules = optionals config.boot.initrd.includeDefaultModules (
284 [
285 # Note: most of these (especially the SATA/PATA modules)
286 # shouldn't be included by default since nixos-generate-config
287 # detects them, but I'm keeping them for now for backwards
288 # compatibility.
289
290 # Some SATA/PATA stuff.
291 "ahci"
292 "sata_nv"
293 "sata_via"
294 "sata_sis"
295 "sata_uli"
296 "ata_piix"
297 "pata_marvell"
298
299 # NVMe
300 "nvme"
301
302 # Standard SCSI stuff.
303 "sd_mod"
304 "sr_mod"
305
306 # SD cards and internal eMMC drives.
307 "mmc_block"
308
309 # Support USB keyboards, in case the boot fails and we only have
310 # a USB keyboard, or for LUKS passphrase prompt.
311 "uhci_hcd"
312 "ehci_hcd"
313 "ehci_pci"
314 "ohci_hcd"
315 "ohci_pci"
316 "xhci_hcd"
317 "xhci_pci"
318 "usbhid"
319 "hid_generic"
320 "hid_lenovo"
321 "hid_apple"
322 "hid_roccat"
323 "hid_logitech_hidpp"
324 "hid_logitech_dj"
325 "hid_microsoft"
326 "hid_cherry"
327 "hid_corsair"
328
329 ]
330 ++ optionals pkgs.stdenv.hostPlatform.isx86 [
331 # Misc. x86 keyboard stuff.
332 "pcips2"
333 "atkbd"
334 "i8042"
335 ]
336 );
337
338 boot.initrd.kernelModules = optionals config.boot.initrd.includeDefaultModules [
339 # For LVM.
340 "dm_mod"
341 ];
342 })
343
344 (mkIf config.boot.kernel.enable {
345 system.build = { inherit kernel; };
346
347 system.modulesTree = [ kernel ] ++ config.boot.extraModulePackages;
348
349 # Not required for, e.g., containers as they don't have their own kernel or initrd.
350 # They boot directly into stage 2.
351 system.systemBuilderArgs.kernelParams = config.boot.kernelParams;
352 system.systemBuilderCommands =
353 let
354 kernelPath = "${config.boot.kernelPackages.kernel}/" + "${config.system.boot.loader.kernelFile}";
355 initrdPath = "${config.system.build.initialRamdisk}/" + "${config.system.boot.loader.initrdFile}";
356 in
357 ''
358 if [ ! -f ${kernelPath} ]; then
359 echo "The bootloader cannot find the proper kernel image."
360 echo "(Expecting ${kernelPath})"
361 false
362 fi
363
364 ln -s ${kernelPath} $out/kernel
365 ln -s ${config.system.modulesTree} $out/kernel-modules
366 ${optionalString (config.hardware.deviceTree.package != null) ''
367 ln -s ${config.hardware.deviceTree.package} $out/dtbs
368 ''}
369
370 echo -n "$kernelParams" > $out/kernel-params
371
372 ln -s ${initrdPath} $out/initrd
373
374 ln -s ${config.system.build.initialRamdiskSecretAppender}/bin/append-initrd-secrets $out
375
376 ln -s ${config.hardware.firmware}/lib/firmware $out/firmware
377 '';
378
379 # Implement consoleLogLevel both in early boot and using sysctl
380 # (so you don't need to reboot to have changes take effect).
381 boot.kernelParams =
382 [ "loglevel=${toString config.boot.consoleLogLevel}" ]
383 ++ optionals config.boot.vesa [
384 "vga=0x317"
385 "nomodeset"
386 ];
387
388 boot.kernel.sysctl."kernel.printk" = mkDefault config.boot.consoleLogLevel;
389
390 boot.kernelModules = [
391 "loop"
392 "atkbd"
393 ];
394
395 # Create /etc/modules-load.d/nixos.conf, which is read by
396 # systemd-modules-load.service to load required kernel modules.
397 environment.etc = {
398 "modules-load.d/nixos.conf".source = kernelModulesConf;
399 };
400
401 systemd.services.systemd-modules-load = {
402 wantedBy = [ "multi-user.target" ];
403 restartTriggers = [ kernelModulesConf ];
404 serviceConfig = {
405 # Ignore failed module loads. Typically some of the
406 # modules in ‘boot.kernelModules’ are "nice to have but
407 # not required" (e.g. acpi-cpufreq), so we don't want to
408 # barf on those.
409 SuccessExitStatus = "0 1";
410 };
411 };
412
413 lib.kernelConfig = {
414 isYes = option: {
415 assertion = config: config.isYes option;
416 message = "CONFIG_${option} is not yes!";
417 configLine = "CONFIG_${option}=y";
418 };
419
420 isNo = option: {
421 assertion = config: config.isNo option;
422 message = "CONFIG_${option} is not no!";
423 configLine = "CONFIG_${option}=n";
424 };
425
426 isModule = option: {
427 assertion = config: config.isModule option;
428 message = "CONFIG_${option} is not built as a module!";
429 configLine = "CONFIG_${option}=m";
430 };
431
432 ### Usually you will just want to use these two
433 # True if yes or module
434 isEnabled = option: {
435 assertion = config: config.isEnabled option;
436 message = "CONFIG_${option} is not enabled!";
437 configLine = "CONFIG_${option}=y";
438 };
439
440 # True if no or omitted
441 isDisabled = option: {
442 assertion = config: config.isDisabled option;
443 message = "CONFIG_${option} is not disabled!";
444 configLine = "CONFIG_${option}=n";
445 };
446 };
447
448 # The config options that all modules can depend upon
449 system.requiredKernelConfig =
450 with config.lib.kernelConfig;
451 [
452 # !!! Should this really be needed?
453 (isYes "MODULES")
454 (isYes "BINFMT_ELF")
455 ]
456 ++ (optional (randstructSeed != "") (isYes "GCC_PLUGIN_RANDSTRUCT"));
457
458 # nixpkgs kernels are assumed to have all required features
459 assertions =
460 if config.boot.kernelPackages.kernel ? features then
461 [ ]
462 else
463 let
464 cfg = config.boot.kernelPackages.kernel.config;
465 in
466 map (attrs: {
467 assertion = attrs.assertion cfg;
468 inherit (attrs) message;
469 }) config.system.requiredKernelConfig;
470
471 })
472
473 ];
474
475}