···

       
8
       
8
       
 
       
  option = x:

     

       
9
       
9
       
 
       
      x // { optional = true; };

     

       
10
       
10
       
 
       


     

       
11
       
11
       
-
       
  yes      = { tristate    = "y"; };

     

       
12
       
12
       
-
       
  no       = { tristate    = "n"; };

     

       
13
       
13
       
-
       
  module   = { tristate    = "m"; };

     

       
14
       
14
       
-
       
  freeform = x: { freeform = x; };

     

       
11
       
11
       
+
       
  yes      = { tristate    = "y"; optional = false; };

     

       
12
       
12
       
+
       
  no       = { tristate    = "n"; optional = false; };

     

       
13
       
13
       
+
       
  module   = { tristate    = "m"; optional = false; };

     

       
14
       
14
       
+
       
  freeform = x: { freeform = x; optional = false; };

     

       
15
       
15
       
 
       


     

       
16
       
16
       
 
       
  /*

     

       
17
       
17
       
 
       
    Common patterns/legacy used in common-config/hardened/config.nix

     

···

       
22
       
22
       
 
       


     

       
23
       
23
       
 
       
  mergeFalseByDefault = locs: defs:

     

       
24
       
24
       
 
       
    if defs == [] then abort "This case should never happen."

     

       
25
       
25
       
-
       
    else if any (x: x == false) defs then false

     

       
25
       
25
       
+
       
    else if any (x: x == false) (getValues defs) then false

     

       
26
       
26
       
 
       
    else true;

     

       
27
       
27
       
 
       


     

       
28
       
28
       
 
       
  kernelItem = types.submodule {

     
···

       
55
       
55
       
 
       
        default = false;

     

       
56
       
56
       
 
       
        description = ''

     

       
57
       
57
       
 
       
          Wether option should generate a failure when unused.

     

       
58
       
58
       
+
       
          Upon merging values, mandatory wins over optional.

     

       
58
       
59
       
 
       
        '';

     

       
59
       
60
       
 
       
      };

     

       
60
       
61
       
 
       
    };

     
···

       
121
       
122
       
 
       
      type = types.attrsOf kernelItem;

     

       
122
       
123
       
 
       
      example = literalExample '' with lib.kernel; {

     

       
123
       
124
       
 
       
        "9P_NET" = yes;

     

       
124
       
124
       
-
       
        USB = optional yes;

     

       
125
       
125
       
+
       
        USB = option yes;

     

       
125
       
126
       
 
       
        MMC_BLOCK_MINORS = freeform "32";

     

       
126
       
127
       
 
       
      }'';

     

       
127
       
128
       
 
       
      description = ''

     

···

       
42
       
42
       
 
       
      TIMER_STATS               = whenOlder "4.11" yes;

     

       
43
       
43
       
 
       
      DEBUG_NX_TEST             = whenOlder "4.11" no;

     

       
44
       
44
       
 
       
      DEBUG_STACK_USAGE         = no;

     

       
45
       
45
       
-
       
      DEBUG_STACKOVERFLOW       = mkIf (!features.grsecurity) no;

     

       
45
       
45
       
+
       
      DEBUG_STACKOVERFLOW       = mkIf (!features.grsecurity) (option no);

     

       
46
       
46
       
 
       
      RCU_TORTURE_TEST          = no;

     

       
47
       
47
       
 
       
      SCHEDSTATS                = no;

     

       
48
       
48
       
 
       
      DETECT_HUNG_TASK          = yes;

     
···

       
184
       
184
       
 
       


     

       
185
       
185
       
 
       
      # needed for ss

     

       
186
       
186
       
 
       
      INET_DIAG         = yes;

     

       
187
       
187
       
-
       
      INET_TCP_DIAG     = module;

     

       
188
       
187
       
 
       
      INET_UDP_DIAG     = module;

     

       
189
       
188
       
 
       
      INET_RAW_DIAG     = whenAtLeast "4.14" module;

     

       
190
       
189
       
 
       
      INET_DIAG_DESTROY = whenAtLeast "4.9" yes;

     
···

       
365
       
364
       
 
       
      CIFS_STATS        = whenOlder "4.19" yes;

     

       
366
       
365
       
 
       
      CIFS_WEAK_PW_HASH = yes;

     

       
367
       
366
       
 
       
      CIFS_UPCALL       = yes;

     

       
368
       
368
       
-
       
      CIFS_ACL          = yes;

     

       
367
       
367
       
+
       
      CIFS_ACL          = option yes;

     

       
369
       
368
       
 
       
      CIFS_DFS_UPCALL   = yes;

     

       
370
       
369
       
 
       
      CIFS_SMB2         = whenOlder "4.13" yes;

     

       
371
       
370
       
 
       


     
···

       
396
       
395
       
 
       
      DEBUG_SET_MODULE_RONX            = { optional = true; tristate = whenOlder "4.11" "y"; };

     

       
397
       
396
       
 
       
      RANDOMIZE_BASE                   = option yes;

     

       
398
       
397
       
 
       
      STRICT_DEVMEM                    = option yes; # Filter access to /dev/mem

     

       
399
       
399
       
-
       
      SECURITY_SELINUX_BOOTPARAM_VALUE = freeform "0"; # Disable SELinux by default

     

       
398
       
398
       
+
       
      SECURITY_SELINUX_BOOTPARAM_VALUE = option (freeform "0"); # Disable SELinux by default

     

       
400
       
399
       
 
       
      # Prevent processes from ptracing non-children processes

     

       
401
       
400
       
 
       
      SECURITY_YAMA                    = option yes;

     

       
402
       
401
       
 
       
      DEVKMEM                          = mkIf (!features.grsecurity) no; # Disable /dev/kmem

     
···

       
709
       
708
       
 
       
      KEXEC_JUMP      = option yes;

     

       
710
       
709
       
 
       


     

       
711
       
710
       
 
       
      # Windows Logical Disk Manager (Dynamic Disk) support

     

       
712
       
712
       
-
       
      LDM_PARTITION         = yes;

     

       
711
       
711
       
+
       
      LDM_PARTITION         = option yes;

     

       
713
       
712
       
 
       
      LOGIRUMBLEPAD2_FF     = yes; # Logitech Rumblepad 2 force feedback

     

       
714
       
713
       
 
       
      LOGO                  = no; # not needed

     

       
715
       
714
       
 
       
      MEDIA_ATTACH          = yes;

     

···

       
158
       
158
       
 
       
        ;

     

       
159
       
159
       
 
       
      }).config;

     

       
160
       
160
       
 
       


     

       
161
       
161
       
-
       
      #

     

       
162
       
161
       
 
       
      structuredConfig = moduleStructuredConfig.settings;

     

       
163
       
162
       
 
       
    };

     

       
164
       
164
       
-
       


     

       
165
       
165
       
-
       


     

       
166
       
163
       
 
       
  }; # end of configfile derivation

     

       
167
       
164
       
 
       


     

       
168
       
165
       
 
       
  kernel = (callPackage ./manual-config.nix {}) {

     

···

       
1
       
1
       
+
       
# to run these tests:

     

       
2
       
2
       
+
       
# nix-instantiate --eval --strict . -A tests.kernel-config

     

       
3
       
3
       
+
       
#

     

       
4
       
4
       
+
       
# make sure to use NON EXISTING kernel settings else they may conflict with

     

       
5
       
5
       
+
       
# common-config.nix

     

       
1
       
6
       
 
       
{ lib, pkgs }:

     

       
2
       
7
       
 
       


     

       
3
       
3
       
-
       
with lib.kernel;

     

       
4
       
4
       
-
       
with lib.asserts;

     

       
5
       
5
       
-
       
with lib.modules;

     

       
8
       
8
       
+
       
with lib;

     

       
9
       
9
       
+
       
with kernel;

     

       
6
       
10
       
 
       


     

       
7
       
7
       
-
       
# To test nixos/modules/system/boot/kernel_config.nix;

     

       
8
       
11
       
 
       
let

     

       
9
       
9
       
-
       
  # copied from release-lib.nix

     

       
10
       
10
       
-
       
  assertTrue = bool:

     

       
11
       
11
       
-
       
    if bool

     

       
12
       
12
       
-
       
    then pkgs.runCommand "evaluated-to-true" {} "touch $out"

     

       
13
       
13
       
-
       
    else pkgs.runCommand "evaluated-to-false" {} "false";

     

       
14
       
14
       
-
       


     

       
15
       
12
       
 
       
  lts_kernel = pkgs.linuxPackages.kernel;

     

       
16
       
13
       
 
       


     

       
17
       
17
       
-
       
  kernelTestConfig = structuredConfig: (lts_kernel.override {

     

       
18
       
18
       
-
       
    structuredExtraConfig = structuredConfig;

     

       
19
       
19
       
-
       
  }).configfile.structuredConfig;

     

       
14
       
14
       
+
       
  # to see the result once the module transformed the lose structured config

     

       
15
       
15
       
+
       
  getConfig = structuredConfig:

     

       
16
       
16
       
+
       
    (lts_kernel.override {

     

       
17
       
17
       
+
       
      structuredExtraConfig = structuredConfig;

     

       
18
       
18
       
+
       
    }).configfile.structuredConfig;

     

       
20
       
19
       
 
       


     

       
21
       
20
       
 
       
  mandatoryVsOptionalConfig = mkMerge [

     

       
22
       
22
       
-
       
    { USB_DEBUG = option yes;}

     

       
23
       
23
       
-
       
    { USB_DEBUG = yes;}

     

       
21
       
21
       
+
       
    { NIXOS_FAKE_USB_DEBUG = yes;}

     

       
22
       
22
       
+
       
    { NIXOS_FAKE_USB_DEBUG = option yes; }

     

       
24
       
23
       
 
       
  ];

     

       
25
       
24
       
 
       


     

       
26
       
25
       
 
       
  freeformConfig = mkMerge [

     

       
27
       
27
       
-
       
    { MMC_BLOCK_MINORS = freeform "32"; } # same as default, won't trigger any error

     

       
28
       
28
       
-
       
    { MMC_BLOCK_MINORS = freeform "64"; } # will trigger an error but the message is not great:

     

       
26
       
26
       
+
       
    { NIXOS_FAKE_MMC_BLOCK_MINORS = freeform "32"; } # same as default, won't trigger any error

     

       
27
       
27
       
+
       
    { NIXOS_FAKE_MMC_BLOCK_MINORS = freeform "64"; } # will trigger an error but the message is not great:

     

       
29
       
28
       
 
       
  ];

     

       
30
       
29
       
 
       


     

       
31
       
30
       
 
       
  yesWinsOverNoConfig = mkMerge [

     

       
32
       
32
       
-
       
    # default for "8139TOO_PIO" is no

     

       
33
       
33
       
-
       
    { "8139TOO_PIO"  = yes; } # yes wins over no by default

     

       
34
       
34
       
-
       
    { "8139TOO_PIO"  = no; }

     

       
31
       
31
       
+
       
    # default for "NIXOS_TEST_BOOLEAN" is no

     

       
32
       
32
       
+
       
    { "NIXOS_TEST_BOOLEAN"  = yes; } # yes wins over no by default

     

       
33
       
33
       
+
       
    { "NIXOS_TEST_BOOLEAN"  = no; }

     

       
34
       
34
       
+
       
  ];

     

       
35
       
35
       
+
       


     

       
36
       
36
       
+
       
  optionalNoWins = mkMerge [

     

       
37
       
37
       
+
       
    { NIXOS_FAKE_USB_DEBUG = option yes;}

     

       
38
       
38
       
+
       
    { NIXOS_FAKE_USB_DEBUG = yes;}

     

       
35
       
39
       
 
       
  ];

     

       
40
       
40
       
+
       


     

       
41
       
41
       
+
       
  allOptionalRemainOptional = mkMerge [

     

       
42
       
42
       
+
       
    { NIXOS_FAKE_USB_DEBUG = option yes;}

     

       
43
       
43
       
+
       
    { NIXOS_FAKE_USB_DEBUG = option yes;}

     

       
44
       
44
       
+
       
  ];

     

       
45
       
45
       
+
       


     

       
36
       
46
       
 
       
in

     

       
37
       
37
       
-
       
{

     

       
47
       
47
       
+
       
runTests {

     

       
48
       
48
       
+
       
  testEasy = {

     

       
49
       
49
       
+
       
    expr = (getConfig { NIXOS_FAKE_USB_DEBUG = yes;}).NIXOS_FAKE_USB_DEBUG;

     

       
50
       
50
       
+
       
    expected = { tristate = "y"; optional = false; freeform = null; };

     

       
51
       
51
       
+
       
  };

     

       
52
       
52
       
+
       


     

       
38
       
53
       
 
       
  # mandatory flag should win over optional

     

       
39
       
39
       
-
       
  mandatoryCheck = (kernelTestConfig mandatoryVsOptionalConfig);

     

       
54
       
54
       
+
       
  testMandatoryCheck = {

     

       
55
       
55
       
+
       
    expr = (getConfig mandatoryVsOptionalConfig).NIXOS_FAKE_USB_DEBUG.optional;

     

       
56
       
56
       
+
       
    expected = false;

     

       
57
       
57
       
+
       
  };

     

       
58
       
58
       
+
       


     

       
59
       
59
       
+
       
  testYesWinsOverNo = {

     

       
60
       
60
       
+
       
    expr = (getConfig yesWinsOverNoConfig)."NIXOS_TEST_BOOLEAN".tristate;

     

       
61
       
61
       
+
       
    expected = "y";

     

       
62
       
62
       
+
       
  };

     

       
63
       
63
       
+
       


     

       
64
       
64
       
+
       
  testAllOptionalRemainOptional = {

     

       
65
       
65
       
+
       
    expr = (getConfig allOptionalRemainOptional)."NIXOS_FAKE_USB_DEBUG".optional;

     

       
66
       
66
       
+
       
    expected = true;

     

       
67
       
67
       
+
       
  };

     

       
40
       
68
       
 
       


     

       
41
       
69
       
 
       
  # check that freeform options are unique

     

       
42
       
70
       
 
       
  # Should trigger

     

       
43
       
43
       
-
       
  # > The option `settings.MMC_BLOCK_MINORS.freeform' has conflicting definitions, in `<unknown-file>' and `<unknown-file>'

     

       
44
       
44
       
-
       
  freeformCheck = let

     

       
45
       
45
       
-
       
    res = builtins.tryEval ( (kernelTestConfig freeformConfig).MMC_BLOCK_MINORS.freeform);

     

       
46
       
46
       
-
       
  in

     

       
47
       
47
       
-
       
    assertTrue (res.success == false);

     

       
71
       
71
       
+
       
  # > The option `settings.NIXOS_FAKE_MMC_BLOCK_MINORS.freeform' has conflicting definitions, in `<unknown-file>' and `<unknown-file>'

     

       
72
       
72
       
+
       
  testTreeform = let

     

       
73
       
73
       
+
       
    res = builtins.tryEval ( (getConfig freeformConfig).NIXOS_FAKE_MMC_BLOCK_MINORS.freeform);

     

       
74
       
74
       
+
       
  in {

     

       
75
       
75
       
+
       
    expr = res.success;

     

       
76
       
76
       
+
       
    expected = false;

     

       
77
       
77
       
+
       
  };

     

       
48
       
78
       
 
       


     

       
49
       
49
       
-
       
  yesVsNoCheck = let

     

       
50
       
50
       
-
       
    res = kernelTestConfig yesWinsOverNoConfig;

     

       
51
       
51
       
-
       
  in

     

       
52
       
52
       
-
       
    assertTrue (res."8139TOO_PIO".tristate == "y");

     

       
53
       
79
       
 
       
}