commit b2ec74836b916e545dc7dd4b6a47c6ea8bec31ea · pyrox.dev/nixpkgs

+1

nixos/tests/kernel-generic.nix

···

       30
       30
        
             linux_5_4_hardened

     

       31
       31
        
             linux_5_10_hardened

     

       32
       32
        
             linux_5_15_hardened

     

       33
       33
       +
             linux_5_19_hardened

     

       33
       34
        
       

     

       34
       35
        
             linux_testing;

     

       35
       36
        
         };

+6 -2

pkgs/os-specific/linux/kernel/hardened/config.nix

···

       72
       72
        
         GCC_PLUGIN_STRUCTLEAK = whenAtLeast "4.11" yes; # A port of the PaX structleak plugin

     

       73
       73
        
         GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = whenAtLeast "4.14" yes; # Also cover structs passed by address

     

       74
       74
        
         GCC_PLUGIN_STACKLEAK = whenAtLeast "4.20" yes; # A port of the PaX stackleak plugin

     

       75
       75
       -
         GCC_PLUGIN_RANDSTRUCT = whenAtLeast "4.13" yes; # A port of the PaX randstruct plugin

     

       76
       76
       -
         GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenAtLeast "4.13" yes;

     

       75
       75
       +
         GCC_PLUGIN_RANDSTRUCT = whenBetween "4.13" "5.19" yes; # A port of the PaX randstruct plugin

     

       76
       76
       +
         GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenBetween "4.13" "5.19" yes;

     

       77
       77
       +
       

     

       78
       78
       +
         # Same as GCC_PLUGIN_RANDSTRUCT*, but has been renamed to `RANDSTRUCT*` in 5.19.

     

       79
       79
       +
         RANDSTRUCT = whenAtLeast "5.19" yes;

     

       80
       80
       +
         RANDSTRUCT_PERFORMANCE = whenAtLeast "5.19" yes;

     

       77
       81
        
       

     

       78
       82
        
         # Disable various dangerous settings

     

       79
       83
        
         ACPI_CUSTOM_METHOD = no; # Allows writing directly to physical memory

+4 -4

pkgs/os-specific/linux/kernel/hardened/patches.json

···

       41
       41
        
           },

     

       42
       42
        
           "5.19": {

     

       43
       43
        
               "patch": {

     

       44
       44
       -
                   "extra": "-hardened1",

     

       45
       45
       -
                   "name": "linux-hardened-5.19.8-hardened1.patch",

     

       46
       46
       -
                   "sha256": "1j7wg4hq06drxr42jl89za1f7x52d4ck5i38p4njz4j415ihsiys",

     

       47
       47
       -
                   "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.19.8-hardened1/linux-hardened-5.19.8-hardened1.patch"

     

       44
       44
       +
                   "extra": "-hardened2",

     

       45
       45
       +
                   "name": "linux-hardened-5.19.8-hardened2.patch",

     

       46
       46
       +
                   "sha256": "1dfgnx2yr5d5kh2d8r7ywqkyjq1rfni2b5sdpqly0w986rlkw48k",

     

       47
       47
       +
                   "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.19.8-hardened2/linux-hardened-5.19.8-hardened2.patch"

     

       48
       48
        
               },

     

       49
       49
        
               "sha256": "1kl7fifsa6vsm34xg3kd2svhx18n771hfj67nhwnlalmb9whhqv1",

     

       50
       50
        
               "version": "5.19.8"

+1 -1

pkgs/os-specific/linux/kernel/hardened/update.py

···

       138
       138
        
           if not sig_ok:

     

       139
       139
        
               return None

     

       140
       140
        
       

     

       141
       141
       -
           kernel_ver = release_info.release.tag_name.replace("-hardened1", "")

     

       141
       141
       +
           kernel_ver = re.sub(r"(.*)(-hardened[\d]+)$", r'\1', release_info.release.tag_name)

     

       142
       142
        
           major = kernel_ver.split('.')[0]

     

       143
       143
        
           sha256_kernel, _ = nix_prefetch_url(f"mirror://kernel/linux/kernel/v{major}.x/linux-{kernel_ver}.tar.xz")

     

       144
       144

+2 -2

pkgs/os-specific/linux/kernel/linux-libre.nix

···

       1
       1
        
       { stdenv, lib, fetchsvn, linux

     

       2
       2
        
       , scripts ? fetchsvn {

     

       3
       3
        
           url = "https://www.fsfla.org/svn/fsfla/software/linux-libre/releases/branches/";

     

       4
       4
       -
           rev = "18911";

     

       5
       5
       -
           sha256 = "1f5b936a7ayva2kyly3n71sg6cqdvcavcxbj3cy3imaj9247bx72";

     

       4
       4
       +
           rev = "18916";

     

       5
       5
       +
           sha256 = "0axjbr1zbj7izkvvz2nv4ij1xjjnbxpch43cpl169cr8rqdl6n6i";

     

       6
       6
        
         }

     

       7
       7
        
       , ...

     

       8
       8
        
       }:

+8 -5

pkgs/os-specific/linux/kernel/manual-config.nix

···

       131
       131
        
               # the buildFlags, but that would require also patching the kernel's

     

       132
       132
        
               # toplevel Makefile to add a variable export. This would be likely to

     

       133
       133
        
               # cause future patch conflicts.

     

       134
       134
       -
               if [ -f scripts/gcc-plugins/gen-random-seed.sh ]; then

     

       135
       135
       -
                 substituteInPlace scripts/gcc-plugins/gen-random-seed.sh \

     

       136
       136
       -
                   --replace NIXOS_RANDSTRUCT_SEED \

     

       137
       137
       -
                   $(echo ${randstructSeed}${src} ${configfile} | sha256sum | cut -d ' ' -f 1 | tr -d '\n')

     

       138
       138
       -
               fi

     

       134
       134
       +
               for file in scripts/gen-randstruct-seed.sh scripts/gcc-plugins/gen-random-seed.sh; do

     

       135
       135
       +
                 if [ -f "$file" ]; then

     

       136
       136
       +
                   substituteInPlace "$file" \

     

       137
       137
       +
                     --replace NIXOS_RANDSTRUCT_SEED \

     

       138
       138
       +
                     $(echo ${randstructSeed}${src} ${configfile} | sha256sum | cut -d ' ' -f 1 | tr -d '\n')

     

       139
       139
       +
                   break

     

       140
       140
       +
                 fi

     

       141
       141
       +
               done

     

       139
       142
        
       

     

       140
       143
        
               patchShebangs scripts

     

       141
       144

+2

pkgs/top-level/linux-kernels.nix

···

       244
       244
        
           linux_5_10_hardened = hardenedKernelFor kernels.linux_5_10 { };

     

       245
       245
        
           linux_5_15_hardened = hardenedKernelFor kernels.linux_5_15 { };

     

       246
       246
        
           linux_5_18_hardened = throw "linux 5.18 was removed because it has reached its end of life upstream";

     

       247
       247
       +
           linux_5_19_hardened = hardenedKernelFor kernels.linux_5_19 { };

     

       247
       248
        
       

     

       248
       249
        
         }));

     

       249
       250
        
         /*  Linux kernel modules are inherently tied to a specific kernel.  So

     
···

       569
       570
        
           linux_5_10_hardened = recurseIntoAttrs (hardenedPackagesFor kernels.linux_5_10 { });

     

       570
       571
        
           linux_5_15_hardened = recurseIntoAttrs (hardenedPackagesFor kernels.linux_5_15 { });

     

       571
       572
        
           linux_5_18_hardened = throw "linux 5.18 was removed because it has reached its end of life upstream";

     

       573
       573
       +
           linux_5_19_hardened = recurseIntoAttrs (hardenedPackagesFor kernels.linux_5_19 { });

     

       572
       574
        
       

     

       573
       575
        
           linux_zen = recurseIntoAttrs (packagesFor kernels.linux_zen);

     

       574
       576
        
           linux_lqx = recurseIntoAttrs (packagesFor kernels.linux_lqx);