diff --git a/flake.lock b/flake.lock index b098f53..0327c2f 100644 --- a/flake.lock +++ b/flake.lock @@ -344,6 +344,24 @@ "type": "github" } }, + "linux-hardened": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1730844490, + "narHash": "sha256-g2cZqD4KwnFsM6dhXzfrdOUMf0GgTlZhQdtBtUa/b1U=", + "ref": "refs/heads/main", + "rev": "f402bb1d4d81fc92d89f325d0aee4002560a93f6", + "revCount": 1, + "type": "git", + "url": "https://woof.rip/mikael/linux-hardened.git" + }, + "original": { + "type": "git", + "url": "https://woof.rip/mikael/linux-hardened.git" + } + }, "lix": { "flake": false, "locked": { @@ -477,11 +495,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1730272153, - "narHash": "sha256-B5WRZYsRlJgwVHIV6DvidFN7VX7Fg9uuwkRW9Ha8z+w=", + "lastModified": 1730768919, + "narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2d2a9ddbe3f2c00747398f3dc9b05f7f2ebb0f53", + "rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc", "type": "github" }, "original": { @@ -551,6 +569,22 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1730272153, + "narHash": "sha256-B5WRZYsRlJgwVHIV6DvidFN7VX7Fg9uuwkRW9Ha8z+w=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "2d2a9ddbe3f2c00747398f3dc9b05f7f2ebb0f53", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nur": { "locked": { "lastModified": 1730720916, @@ -651,12 +685,13 @@ "colmena": "colmena", "home-manager": "home-manager", "lanzaboote": "lanzaboote", + "linux-hardened": "linux-hardened", "lix": "lix", "lix-module": "lix-module", "niri": "niri", "nix-index-database": "nix-index-database", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "nur": "nur", "ripgrep-all": "ripgrep-all", "rust-overlay": "rust-overlay" diff --git a/flake.nix b/flake.nix index 87a3097..61818e3 100644 --- a/flake.nix 
+++ b/flake.nix @@ -39,6 +39,8 @@ flake = false; }; + linux-hardened.url = "git+https://woof.rip/mikael/linux-hardened.git"; + nix-index-database = { url = "github:illdefined/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/nixos/config/muon.nix b/nixos/config/muon.nix index cea57ea..9e487a8 100644 --- a/nixos/config/muon.nix +++ b/nixos/config/muon.nix @@ -1,4 +1,4 @@ -{ self, nixos-hardware, ... }: { lib, config, pkgs, ... }: { +{ self, nixos-hardware, linux-hardened, ... }: { lib, config, pkgs, ... }: { imports = [ nixos-hardware.nixosModules.lenovo-thinkpad-x1-extreme-gen4 ] ++ (with self.nixosModules; [ @@ -27,8 +27,8 @@ imports = [ ]; boot.kernelPackages = let - inherit (self.packages.x86_64-linux) linux-hardened; - in pkgs.linuxPackagesFor (linux-hardened.override { + inherit (linux-hardened.packages.x86_64-linux) default; + in pkgs.linuxPackagesFor (default.override { instSetArch = "alderlake"; extraFirmware = [ "i915/adlp_dmc.bin" 
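Review bot: The new `linux-hardened` input has no `inputs.nixpkgs.follows = "nixpkgs";` line, unlike `nix-index-database` directly below it, and the lock in this same commit shows the consequence: the input carries its own `nixpkgs` node (rev a04d33c0…) while the root's `nixpkgs` now resolves to `nixpkgs_2` (rev 2d2a9ddb…), so the kernel is built with a different nixpkgs (stdenv, LLVM) than the system that runs it and every `nix flake update` pulls two trees. The URL is also `git+https://woof.rip/mikael/linux-hardened.git` with no `ref`/`rev` query, so the lock is tracking `refs/heads/main` on a third-party host; the narHash pins today's revision, but future updates take whatever that HEAD is with no signature check. Since this input now supplies the kernel for every host in the repo, I would write it as `linux-hardened = { url = "git+https://woof.rip/mikael/linux-hardened.git"; inputs.nixpkgs.follows = "nixpkgs"; };` and, if that host is not under your control, add `?rev=` as well. The enclosing `inputs` attribute set starts outside the hunk.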
@@ -63,143 +63,149 @@ imports = [ "rtl_nic/rtl8153b-2.fw" ]; - extraConfig = - (with linux-hardened.profile; physical // portable // dm-crypt // wireless // audio) - // (with self.lib.kernel; { - X86_INTEL_LPSS = true; + profiles = { + physical = true; + portable = true; + dm-crypt = true; + wireless = true; + audio = true; + }; - CPU_SUP_INTEL = true; - CPU_SUP_AMD = false; - NR_CPUS = 20; - X86_MCE_INTEL = true; + extraConfig = with linux-hardened.lib.kernel; { + X86_INTEL_LPSS = true; - ACPI_DPTF = true; - DPTF_POWER = true; - DPTF_PCH_FIVR = true; - INTEL_IDLE = true; + CPU_SUP_INTEL = true; + CPU_SUP_AMD = false; + NR_CPUS = 20; + X86_MCE_INTEL = true; - VIRTUALIZATION = true; - KVM = true; - KVM_INTEL = true; - KVM_SMM = true; + ACPI_DPTF = true; + DPTF_POWER = true; + DPTF_PCH_FIVR = true; + INTEL_IDLE = true; - IP_MULTICAST = true; + VIRTUALIZATION = true; + KVM = true; + KVM_INTEL = true; + KVM_SMM = true; - IPV6_ROUTER_PREF = true; - IPV6_ROUTE_INFO = true; - IPV6_OPTIMISTIC_DAD = true; + IP_MULTICAST = true; - BT_INTEL = true; - BT_HCIBTUSB = true; + IPV6_ROUTER_PREF = true; + IPV6_ROUTE_INFO = true; + IPV6_OPTIMISTIC_DAD = true; - EISA = true; - EISA_PCI_EISA = true; - EISA_VIRTUAL_ROOT = false; - EISA_NAMES = true; + BT_INTEL = true; + BT_HCIBTUSB = true; - NVME_CORE = true; - BLK_DEV_NVME = true; - NVME_VERBOSE_ERRORS = true; - NVME_HWMON = true; + EISA = true; + EISA_PCI_EISA = true; + EISA_VIRTUAL_ROOT = false; + EISA_NAMES = true; - MISC_RTSX = true; - INTEL_MEI = true; - MISC_RTSX_PCI = true; + NVME_CORE = true; + BLK_DEV_NVME = true; + NVME_VERBOSE_ERRORS = true; + NVME_HWMON = true; - ETHERNET = true; - AQTION = true; + MISC_RTSX = true; + INTEL_MEI = true; + MISC_RTSX_PCI = true; - WLAN = true; - IWLWIFI = true; - IWLMVM = true; + ETHERNET = true; + AQTION = true; - INPUT_MOUSEDEV = true; - INPUT_JOYDEV = true; + WLAN = true; + IWLWIFI = true; + IWLMVM = true; - KEYBOARD_ATKBD = true; + INPUT_MOUSEDEV = true; + INPUT_JOYDEV = true; - 
INPUT_MOUSE = true; - MOUSE_PS2 = true; - MOUSE_PS2_TRACKPOINT = true; + KEYBOARD_ATKBD = true; - INPUT_JOYSTICK = true; + INPUT_MOUSE = true; + MOUSE_PS2 = true; + MOUSE_PS2_TRACKPOINT = true; - INTEL_PCH_THERMAL = true; + INPUT_JOYSTICK = true; - MFD_CORE = true; - MFD_INTEL_LPSS_PCI = true; + INTEL_PCH_THERMAL = true; - I2C = true; - I2C_I801 = true; + MFD_CORE = true; + MFD_INTEL_LPSS_PCI = true; - SPI = true; - SPI_MEM = true; - SPI_INTEL_PCI = true; + I2C = true; + I2C_I801 = true; - INT340X_THERMAL = true; + SPI = true; + SPI_MEM = true; + SPI_INTEL_PCI = true; - VIDEO = true; - VGA_SWITCHEROO = true; - DRM = true; - DRM_FBDEV_EMULATION = true; - DRM_NOUVEAU = true; - DRM_NOUVEAU_SVM = true; - DRM_NOUVEAU_GSP_DEFAULT = true; - DRM_I915 = true; + INT340X_THERMAL = true; - BACKLIGHT_CLASS_DEVICE = true; + VIDEO = true; + VGA_SWITCHEROO = true; + DRM = true; + DRM_FBDEV_EMULATION = true; + DRM_NOUVEAU = true; + DRM_NOUVEAU_SVM = true; + DRM_NOUVEAU_GSP_DEFAULT = true; + DRM_I915 = true; - HDMI = true; + BACKLIGHT_CLASS_DEVICE = true; - SND_HDA_INTEL = true; - SND_HDA_HWDEP = true; - SND_HDA_CODEC_REALTEK = true; - SND_HDA_CODEC_HDMI = true; - SND_HDA_POWER_SAVE_DEFAULT = 2; + HDMI = true; - SND_SOC = true; - SND_SOC_SOF_TOPLEVEL = true; - SND_SOC_SOF_PCI = true; - SND_SOC_SOF_INTEL_TOPLEVEL = true; - SND_SOC_SOF_TIGERLAKE = true; - SND_SOC_SOF_HDA_LINK = true; - SND_SOC_SOF_HDA_AUDIO_CODEC = true; - SND_SOC_DMIC = true; + SND_HDA_INTEL = true; + SND_HDA_HWDEP = true; + SND_HDA_CODEC_REALTEK = true; + SND_HDA_CODEC_HDMI = true; + SND_HDA_POWER_SAVE_DEFAULT = 2; - HID_LENOVO = true; - HID_LOGITECH = true; + SND_SOC = true; + SND_SOC_SOF_TOPLEVEL = true; + SND_SOC_SOF_PCI = true; + SND_SOC_SOF_INTEL_TOPLEVEL = true; + SND_SOC_SOF_TIGERLAKE = true; + SND_SOC_SOF_HDA_LINK = true; + SND_SOC_SOF_HDA_AUDIO_CODEC = true; + SND_SOC_DMIC = true; - USB_ACM = true; + HID_LENOVO = true; + HID_LOGITECH = true; - USB_SERIAL = true; - USB_SERIAL_PL2303 = true; + USB_ACM = true; 
- EDAC_IGEN6 = true; + USB_SERIAL = true; + USB_SERIAL_PL2303 = true; - ACPI_WMI = true; - MXM_WMI = true; - THINKPAD_ACPI = true; - THINKPAD_ACPI_ALSA_SUPPORT = true; - THINKPAD_ACPI_VIDEO = true; + EDAC_IGEN6 = true; - INTEL_TURBO_MAX_3 = true; - INTEL_VSEC = true; + ACPI_WMI = true; + MXM_WMI = true; + THINKPAD_ACPI = true; + THINKPAD_ACPI_ALSA_SUPPORT = true; + THINKPAD_ACPI_VIDEO = true; - INTEL_IOMMU = true; - INTEL_IOMMU_DEFAULT_ON = true; + INTEL_TURBO_MAX_3 = true; + INTEL_VSEC = true; - SOUNDWIRE = true; - SOUNDWIRE_INTEL = true; + INTEL_IOMMU = true; + INTEL_IOMMU_DEFAULT_ON = true; - INTEL_IDMA64 = true; + SOUNDWIRE = true; + SOUNDWIRE_INTEL = true; - INTEL_RAPL = true; + INTEL_IDMA64 = true; - BTRFS_FS = true; - BTRFS_FS_POSIX_ACL = true; - FUSE_FS = true; - EXFAT_FS = true; - }); + INTEL_RAPL = true; + + BTRFS_FS = true; + BTRFS_FS_POSIX_ACL = true; + FUSE_FS = true; + EXFAT_FS = true; + }; }); hardware.cpu.clusters.performance = lib.range 0 11; diff --git a/nixos/config/solitary/configuration.nix b/nixos/config/solitary/configuration.nix index 17bc403..1a48b12 100644 --- a/nixos/config/solitary/configuration.nix +++ b/nixos/config/solitary/configuration.nix @@ -1,4 +1,4 @@ -{ self, ... }: { lib, config, pkgs, ... }: +{ self, linux-hardened, ... }: { lib, config, pkgs, ... }: with lib; let ports = { @@ -40,15 +40,16 @@ in { ]; boot.kernelPackages = let - inherit (self.packages.x86_64-linux) linux-hardened; - in pkgs.linuxPackagesFor (linux-hardened.override { + inherit (linux-hardened.packages.x86_64-linux) default; + in pkgs.linuxPackagesFor (default.override { instSetArch = "x86-64-v3"; - extraConfig = linux-hardened.profile.paravirt // (with self.lib.kernel; { + profiles = { paravirt = true; }; + extraConfig = with linux-hardened.lib.kernel; { NR_CPUS = 8; BTRFS_FS = true; BTRFS_FS_POSIX_ACL = true; - }); + }; }); environment.etc."machine-id".text = "1c97ae368741530de77aad42b5a6ae42"; 
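Review bot: `profiles = { physical = true; portable = true; dm-crypt = true; ... }` is a new override argument whose acceptance is now decided by the external flake, and the package it replaces took its override set with a trailing `...` (see the deleted `package/linux-hardened/package.nix`), so an unknown or renamed key is silently dropped rather than failing evaluation; if the new package kept that signature, a typo here would quietly produce a kernel without `DM_CRYPT`, `CFG80211` and the rest of those profiles, and the host would not boot its encrypted root. The old code made the same dependency explicit by merging `linux-hardened.profile.*` attrsets, which failed loudly on a missing name. I would add a NixOS assertion that the resulting kernel actually carries the profile, e.g. `assertions = [ { assertion = config.boot.kernelPackages.kernel.config.isEnabled "DM_CRYPT"; message = "linux-hardened: dm-crypt profile not applied"; } ];`, using the `kernel.config.isEnabled` passthru the old package exposed and which the new flake presumably still provides. The `boot.kernelPackages` let-binding starts in the previous hunk.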
diff --git a/nixos/module/magi.nix b/nixos/module/magi.nix
index bfa1ecb..537c684 100644
--- a/nixos/module/magi.nix
+++ b/nixos/module/magi.nix
@@ -1,4 +1,4 @@
-{ self, ... }: { lib, config, pkgs, ... }: {
+{ self, linux-hardened, ... }: { lib, config, pkgs, ... }: {
 imports = with self.nixosModules; [
 default
 headless
@@ -16,92 +16,95 @@ ]; boot.kernelPackages = let - inherit (self.packages.x86_64-linux) linux-hardened; - in pkgs.linuxPackagesFor (linux-hardened.override { + inherit (linux-hardened.packages.x86_64-linux) default; + in pkgs.linuxPackagesFor (default.override { instSetArch = "znver2"; - extraConfig = - (with linux-hardened.profile; physical // dm-crypt) - // (with self.lib.kernel; { - CPU_SUP_INTEL = false; - CPU_SUP_AMD = true; - NR_CPUS = 96; - AMD_MEM_ENCRYPT = true; + profiles = { + physical = true; + dm-crypt = true; + }; - ACPI_IPMI = true; - ACPI_HMAT = true; + extraConfig = with linux-hardened.lib.kernel; { + CPU_SUP_INTEL = false; + CPU_SUP_AMD = true; + NR_CPUS = 96; + AMD_MEM_ENCRYPT = true; - VIRTUALIZATION = true; - KVM = true; - KVM_AMD = true; - KVM_SMM = true; + ACPI_IPMI = true; + ACPI_HMAT = true; - NVME_CORE = true; - BLK_DEV_NVME = true; - NVME_VERBOSE_ERRORS = true; - NVME_HWMON = true; + VIRTUALIZATION = true; + KVM = true; + KVM_AMD = true; + KVM_SMM = true; - ATA = true; - ATA_VERBOSE_ERROR = true; - ATA_ACPI = true; - SATA_PMP = true; - SATA_AHCI = true; - SATA_MOBILE_LPM_POLICY = 1; - ATA_SFF = false; + NVME_CORE = true; + BLK_DEV_NVME = true; + NVME_VERBOSE_ERRORS = true; + NVME_HWMON = true; - BLK_DEV_MD = true; - MD_AUTODETECT = true; - MD_RAID1 = true; - DM_RAID = true; + ATA = true; + ATA_VERBOSE_ERROR = true; + ATA_ACPI = true; + SATA_PMP = true; + SATA_AHCI = true; + SATA_MOBILE_LPM_POLICY = 1; + ATA_SFF = false; - BNXT = true; - BNXT_FLOWER_OFFLOAD = true; - BNXT_HWMON = true; - MLX4_EN = true; - MLX4_CORE_GEN2 = false; + BLK_DEV_MD = true; + MD_AUTODETECT = true; + MD_RAID1 = true; + DM_RAID = true; - IPMI_HANDLER = true; - IPMI_PANIC_EVENT = true; - IPMI_PANIC_STRING = true; - IPMI_DEVICE_INTERFACE = true; - IPMI_SI = true; - IPMI_SSIF = true; + BNXT = true; + BNXT_FLOWER_OFFLOAD = true; + BNXT_HWMON = true; + MLX4_EN = true; + MLX4_CORE_GEN2 = false; - I2C_PIIX4 = true; + IPMI_HANDLER = true; + IPMI_PANIC_EVENT = true; + 
IPMI_PANIC_STRING = true; + IPMI_DEVICE_INTERFACE = true; + IPMI_SI = true; + IPMI_SSIF = true; - HWMON = true; - SENSORS_K10TEMP = true; + I2C_PIIX4 = true; - WATCHDOG = true; - WATCHDOG_HANDLE_BOOT_ENABLED = true; - WATCHDOG_OPEN_TIMEOUT = 0; - WATCHDOG_SYSFS = true; - SP5100_TCO = true; + HWMON = true; + SENSORS_K10TEMP = true; - VIDEO = true; - DRM = true; - DRM_FBDEV_EMULATION = true; - DRM_AST = true; + WATCHDOG = true; + WATCHDOG_HANDLE_BOOT_ENABLED = true; + WATCHDOG_OPEN_TIMEOUT = 0; + WATCHDOG_SYSFS = true; + SP5100_TCO = true; - EDAC_DECODE_MCE = true; - EDAC_AMD64 = true; + VIDEO = true; + DRM = true; + DRM_FBDEV_EMULATION = true; + DRM_AST = true; - AMD_PTDMA = true; - AMD_IOMMU = true; + EDAC_DECODE_MCE = true; + EDAC_AMD64 = true; - INTEL_RAPL = true; + AMD_PTDMA = true; + AMD_IOMMU = true; - BTRFS_FS = true; - BTRFS_FS_POSIX_ACL = true; + INTEL_RAPL = true; - CEPH_FS = true; - CEPH_FS_POSIX_ACL = true; + BTRFS_FS = true; + BTRFS_FS_POSIX_ACL = true; - CRYPTO_DEV_CCP = true; - CRYPTO_DEV_CCP_DD = true; - CRYPTO_DEV_SP_CCP = true; - CRYPTO_DEV_CCP_CRYPTO = true; - CRYPTO_DEV_SP_PSP = true; - }); + CEPH_FS = true; + CEPH_FS_POSIX_ACL = true; + + CRYPTO_DEV_CCP = true; + CRYPTO_DEV_CCP_DD = true; + CRYPTO_DEV_SP_CCP = true; + CRYPTO_DEV_CCP_CRYPTO = true; + CRYPTO_DEV_SP_PSP = true; + }; }); hardware.nitrokey.enable = true; diff --git a/package/linux-hardened/config.nix b/package/linux-hardened/config.nix deleted file mode 100644 index 776de06..0000000 --- a/package/linux-hardened/config.nix +++ /dev/null 
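Review bot: `MD_AUTODETECT = true;` in the new extraConfig enables the kernel's boot-time RAID autodetection, which scans every attached disk for 0xfd partitions and assembles arrays from whatever it finds before userspace runs; as far as I recall upstream's Kconfig help discourages it in favour of mdadm/udev assembly, and on a hardened kernel it is one more in-kernel parser of on-disk metadata from any plugged-in device. The same block enables `DM_RAID`, so the in-kernel path is presumably not what actually assembles storage on this host. I would set `MD_AUTODETECT = false;` and let the initrd assemble the `MD_RAID1` arrays, unless this box really boots from a 0.90-metadata array. The `boot.kernelPackages` binding starts in the previous hunk and this hunk mostly re-indents existing lines.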
@@ -1,650 +0,0 @@ -{ kernel, lib, hostPlatform, systemd }: with kernel; { - meta = { - EXPERT = true; - STAGING = true; - } // lib.optionalAttrs hostPlatform.isx86_64 { - PROCESSOR_SELECT = true; - }; - - build = { - COMPILE_TEST = false; - WERROR = true; - - STANDALONE = true; - PREVENT_FIRMWARE_BUILD = true; - - JUMP_LABEL = true; - - LTO_CLANG_FULL = true; - }; - - boot = { - KERNEL_ZSTD = true; - BLK_DEV_INITRD = true; - RD_GZIP = false; - RD_BZIP2 = false; - RD_LZMA = false; - RD_XZ = false; - RD_LZO = false; - RD_LZ4 = false; - RD_ZSTD = true; - - BOOT_CONFIG = true; - - EFI = true; - EFI_STUB = true; - EFI_ZBOOT = option true; - - DEVTMPFS = true; - DEVTMPFS_MOUNT = true; - DEVTMPFS_SAFE = true; - - FW_LOADER = true; - FW_LOADER_COMPRESS = true; - FW_LOADER_COMPRESS_XZ = false; - FW_LOADER_COMPRESS_ZSTD = true; - FW_CACHE = true; - } // lib.optionalAttrs hostPlatform.isx86_64 { - EFI_HANDOVER_PROTOCOL = false; - }; - - debug = { - KALLSYMS = true; - KALLSYMS_ALL = false; - - SYMBOLIC_ERRNAME = true; - DEBUG_BUGVERBOSE = true; - DEBUG_INFO_DWARF5 = true; - DEBUG_INFO_SPLIT = true; - STRIP_ASM_SYMS = true; - - MAGIC_SYSRQ = true; - MAGIC_SYSRQ_DEFAULT_ENABLE = "0x1f4"; - - SLUB_DEBUG = false; - - DEBUG_WX = true; - WARN_ALL_UNSEEDED_RANDOM = true; - - RCU_TRACE = false; - - } // lib.optionalAttrs hostPlatform.isx86_64 { - X86_VERBOSE_BOOTUP = false; - EARLY_PRINTK = false; - X86_DEBUG_FPU = false; - - UNWINDER_ORC = true; - }; - - firmware = { - EFI_BOOTLOADER_CONTROL = true; - RESET_ATTACK_MITIGATION = true; - EFI_DISABLE_PCI_DMA = true; - - EFIVAR_FS = true; - - # pstore - PSTORE = true; - PSTORE_COMPRESS = true; - EFI_VARS_PSTORE = true; - }; - - platform = { - "64BIT" = true; - } // lib.optionalAttrs hostPlatform.isx86_64 { - X86_MPPARSE = false; - X86_FRED = true; - X86_EXTENDED_PLATFORM = false; - - CPU_SUP_HYGON = false; - CPU_SUP_CENTAUR = false; - CPU_SUP_ZHAOXIN = false; - } // lib.optionalAttrs hostPlatform.isAarch64 { - ARM64_VA_BITS_48 = true; - 
ARM64_PAN = true; - ARM64_USE_LSE_ATOMICS = true; - ARM64_CNP = true; - ARM64_PTR_AUTH = true; - ARM64_EPAN = true; - } // lib.optionalAttrs hostPlatform.isRiscV64 { - ARCH_RV64I = true; - COMPAT = false; - }; - - security = { - SECCOMP = true; - - # Kernel memory base - RELOCATABLE = true; - RANDOMIZE_BASE = true; - - # Stack protection - STACKPROTECTOR = true; - STACKPROTECTOR_STRONG = true; - VMAP_STACK = true; - RANDOMIZE_KSTACK_OFFSET = true; - RANDOMIZE_KSTACK_OFFSET_DEFAULT = true; - INIT_STACK_ALL_ZERO = true; - - STRICT_KERNEL_RWX = true; - CFI_CLANG = true; - - # Slab allocator - SLAB_MERGE_DEFAULT = false; - SLAB_FREELIST_RANDOM = true; - SLAB_FREELIST_HARDENED = true; - SLAB_CANARY = true; - SLUB_CPU_PARTIAL = true; - RANDOM_KMALLOC_CACHES = true; - - # Page allocator - SHUFFLE_PAGE_ALLOCATOR = true; - COMPAT_BRK = false; - INIT_ON_FREE_DEFAULT_ON = true; - - # False positives in combination with panic on BUG() - PAGE_SANITIZE_VERIFY = false; - SLAB_SANITIZE_VERIFY = false; - - MODULES = false; - - LDISC_AUTOLOAD = false; - - DEVMEM = false; - DEVPORT = false; - - DEBUG_FS = false; - - # Bounds checking - # False positives in iwlwifi - #UBSAN = true; - #UBSAN_BOUNDS = true; - #UBSAN_SIGNED_WRAP = false; - #UBSAN_BOOL = false; - #UBSAN_ENUM = false; - - # Memory safety error detection - KFENCE = true; - KFENCE_DEFERRABLE = true; - KFENCE_BUG_ON_DATA_CORRUPTION = true; - - PANIC_ON_OOPS = true; - PANIC_TIMEOUT = (-1); - - HARDENED_USERCOPY = true; - FORTIFY_SOURCE = true; - - SECURITY_DMESG_RESTRICT = true; - SECURITY_PERF_EVENTS_RESTRICT = true; - SECURITY_TIOCSTI_RESTRICT = true; - SECURITY = true; - SECURITY_NETWORK = true; - SECURITY_SELINUX = false; - SECURITY_YAMA = true; - SECURITY_LOCKDOWN_LSM = true; - SECURITY_LOCKDOWN_LSM_EARLY = true; - LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY = true; - SECURITY_LANDLOCK = true; - - LIST_HARDENED = true; - BUG_ON_DATA_CORRUPTION = true; - - } // lib.optionalAttrs hostPlatform.isx86_64 { - X86_UMIP = true; - 
X86_USER_SHADOW_STACK = true; - - RANDOMIZE_MEMORY = true; - - STRICT_SIGALTSTACK_SIZE = true; - }; - - timer = { - NO_HZ_FULL = true; - HIGH_RES_TIMERS = true; - HZ_1000 = true; - - RTC_CLASS = true; - RTC_HCTOSYS = true; - RTC_SYSTOHC = true; - } // lib.optionalAttrs hostPlatform.isx86_64 { - X86_PM_TIMER = true; - RTC_DRV_CMOS = true; - }; - - interfaces = { - SYSVIPC = true; - POSIX_MQUEUE = true; - USELIB = false; - - UID16 = false; - SGETMASK_SYSCALL = false; - SYSFS_SYSCALL = false; - POSIX_TIMERS = true; - PCSPKR_PLATFORM = false; - FUTEX = true; - EPOLL = true; - AIO = false; - IO_URING = true; - ADVISE_SYSCALLS = true; - - COMPAT_VDSO = false; - COMPAT_32BIT_TIME = false; - - # Required for BPF LSM instrumentation - PERF_EVENTS = true; - - DNOTIFY = false; - - bpf = { - BPF_SYSCALL = true; - BPF_JIT = true; - BPF_JIT_ALWAYS_ON = true; - BPF_UNPRIV_DEFAULT_OFF = true; - BPF_LSM = true; - }; - - namespaces = { - NAMESPACES = true; - UTS_NS = true; - TIME_NS = true; - USER_NS = true; - USER_NS_UNPRIVILEGED = false; - PID_NS = true; - NET_NS = true; - }; - } // lib.optionalAttrs hostPlatform.isx86_64 { - X86_VSYSCALL_EMULATION = false; - X86_IOPL_IOPERM = false; - LEGACY_VSYSCALL_NONE = true; - MODIFY_LDT_SYSCALL = false; - IA32_EMULATION = false; - }; - - scheduler = { - SMP = true; - PREEMPT_DYNAMIC = false; - - SCHED_MC = true; - SCHED_CLUSTER = true; - SCHED_SMT = option true; - SCHED_CORE = option true; - SCHED_AUTOGROUP = true; - - RCU_NOCB_CPU_DEFAULT_ALL = true; - RCU_LAZY = true; - - CGROUPS = true; - BLK_CGROUP = true; - CGROUP_SCHED = true; - - } // lib.optionalAttrs hostPlatform.isx86_64 { - SCHED_OMIT_FRAME_POINTER = true; - - SCHED_MC_PRIO = true; - }; - - memory = { - NUMA = true; - NUMA_BALANCING = true; - NUMA_BALANCING_DEFAULT_ENABLED = true; - - SPARSEMEM_VMEMMAP = true; - MEMORY_HOTPLUG = true; - MEMORY_HOTREMOVE = true; - - COMPACTION = true; - MIGRATION = true; - - KSM = true; - - TRANSPARENT_HUGEPAGE = true; - 
TRANSPARENT_HUGEPAGE_ALWAYS = true; - READ_ONLY_THP_FOR_FS = true; - HUGETLBFS = true; - HUGETLB_PAGE_OPTIMIZE_VMEMMAP = option true; - HUGETLB_PAGE_OPTIMIZE_VMEMMAP_DEFAULT_ON = option true; - - DEFERRED_STRUCT_PAGE_INIT = true; - - ZONE_DEVICE = true; - DEVICE_PRIVATE = true; - - LRU_GEN = true; - LRU_GEN_ENABLED = true; - - DMADEVICES = true; - ASYNC_TX_DMA = option true; - - zram = { - SWAP = true; - ZSMALLOC = true; - ZRAM = true; - ZRAM_DEF_COMP_ZSTD = true; - ZRAM_WRITEBACK = true; - CRYPTO_ZSTD = true; - }; - } // lib.optionalAttrs hostPlatform.isx86_64 { - AMD_NUMA = option false; - X86_64_ACPI_NUMA = true; - - X86_INTEL_TSX_MODE_AUTO = option true; - - ADDRESS_MASKING = false; - }; - - block = { - BLOCK = true; - BLOCK_LEGACY_AUTOLOAD = false; - BLK_DEV = true; - BLK_DEV_WRITE_MOUNTED = true; - BLK_WBT = true; - BLK_WBT_MQ = true; - - PARTITION_ADVANCED = true; - MSDOS_PARTITION = false; - EFI_PARTITION = true; - - MQ_IOSCHED_DEADLINE = true; - MQ_IOSCHED_KYBER = true; - IOSCHED_BFQ = true; - BFQ_GROUP_IOSCHED = true; - - BLK_DEV_LOOP = true; - BLK_DEV_LOOP_MIN_COUNT = 0; - }; - - binfmt = { - BINFMT_ELF = true; - CORE_DUMP_DEFAULT_ELF_HEADERS = true; - BINFMT_SCRIPT = true; - BINFMT_MISC = true; - COREDUMP = true; - }; - - io = { - IOMMU_SUPPORT = true; - IOMMU_DEFAULT_DMA_STRICT = true; - SWIOTLB_DYNAMIC = true; - } // lib.optionalAttrs hostPlatform.isx86_64 { - X86_X2APIC = true; - - AMD_IOMMU = option true; - INTEL_IOMMU = option true; - INTEL_IOMMU_SVM = option true; - INTEL_IOMMU_DEFAULT_ON = option true; - INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON = option true; - IRQ_REMAP = true; - - IO_DELAY_NONE = true; - } // lib.optionalAttrs hostPlatform.isAarch64 { - ARM_SMMU_V3 = true; - }; - - bus = { - PCI = true; - PCIEPORTBUS = true; - PCI_MSI = true; - PCIE_BUS_PERFORMANCE = true; - - HID_SUPPORT = true; - HID = true; - HIDRAW = true; - UHID = true; - HID_GENERIC = true; - USB_HID = true; - USB_HIDDEV = true; - - USB_SUPPORT = true; - USB = true; - USB_PCI 
= true; - USB_ANNOUNCE_NEW_DEVICES = true; - USB_DEFAULT_PERSIST = true; - USB_DYNAMIC_MINORS = true; - USB_XHCI_HCD = true; - USB_XHCI_PCI = true; - }; - - power = { - PM = true; - ENERGY_MODEL = true; - ACPI = true; - ACPI_APEI = true; - ACPI_NUMA = true; - - CPU_FREQ = true; - CPU_FREQ_STAT = true; - CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = true; - CPU_FREQ_GOV_SCHEDUTIL = true; - - CPU_IDLE = true; - CPU_IDLE_GOV_MENU = false; - CPU_IDLE_GOV_TEO = true; - - PCIEASPM = true; - PCIEASPM_POWER_SUPERSAVE = true; - - } // lib.optionalAttrs hostPlatform.isx86_64 { - X86_ACPI_CPUFREQ = true; - X86_ACPI_CPUFREQ_CPB = false; - } // lib.optionalAttrs (hostPlatform.isAarch64 || hostPlatform.isRiscV64) { - ACPI_CPPC_CPUFREQ = true; - }; - - framebuffer = { - DRM_SIMPLE_DRM = option true; - FB = true; - FB_EFI = true; - FB_SIMPLE = option true; - FB_DEVICE = false; - VGA_CONSOLE = false; - FRAMEBUFFER_CONSOLE = true; - FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = true; - SYSFB_SIMPLEFB = true; - }; - - network = { - NET = true; - PACKET = true; - PACKET_DIAG = true; - UNIX = true; - UNIX_DIAG = true; - XDP_SOCKETS = true; - XDP_SOCKETS_DIAG = true; - INET = true; - SYN_COOKIES = true; - INET_AH = true; - INET_ESP = true; - - INET_DIAG = true; - INET_UDP_DIAG = true; - INET_RAW_DIAG = true; - - TCP_CONG_ADVANCED = true; - TCP_CONG_BIC = false; - TCP_CONG_CUBIC = false; - TCP_CONG_WESTWOOD = false; - TCP_CONG_HTCP = false; - TCP_CONG_BBR = true; - DEFAULT_BBR = true; - - IPV6 = true; - INET6_AH = true; - INET6_ESP = true; - - NETFILTER = true; - NETFILTER_ADVANCED = true; - NETFILTER_INGRESS = true; - NETFILTER_EGRESS = true; - - NETFILTER_NETLINK_LOG = true; - NF_LOG_SYSLOG = true; - - NF_CONNTRACK = true; - NF_NAT = true; - NF_TABLES = true; - NF_TABLES_INET = true; - NFT_CT = true; - NFT_CONNLIMIT = true; - NFT_LIMIT = true; - NFT_LOG = true; - NFT_NAT = true; - NFT_REJECT = true; - NFT_FIB_INET = true; - NF_TABLES_IPV4 = true; - NFT_FIB_IPV4 = true; - NF_TABLES_IPV6 = true; - 
NFT_FIB_IPV6 = true; - - NET_SCH_CAKE = true; - NET_SCH_FQ = true; - NET_SCH_DEFAULT = true; - DEFAULT_FQ = true; - DEFAULT_NET_SCH = "fq"; - - NETLINK_DIAG = true; - ETHTOOL_NETLINK = true; - - NETDEVICES = true; - ETHERNET = true; - }; - - chardev = { - TTY = true; - VT = true; - CONSOLE_TRANSLATIONS = true; - VT_CONSOLE = true; - UNIX98_PTYS = true; - - SERIAL_DEV_BUS = true; - SERIAL_DEV_CTRL_TTYPORT = true; - - HW_RANDOM = true; - HW_RANDOM_INTEL = false; - HW_RANDOM_AMD = false; - HW_RANDOM_VIA = false; - - TCG_TPM = true; - TCG_TPM2_HMAC = true; - HW_RANDOM_TPM = true; - TCG_TIS = true; - TCG_CRB = true; - }; - - input = { - INPUT = true; - INPUT_SPARSEKMAP = true; - INPUT_EVDEV = true; - INPUT_KEYBOARD = true; - }; - - filesystem = { - EXT4_FS = true; - EXT4_USE_FOR_EXT2 = true; - EXT4_FS_POSIX_ACL = true; - - OVERLAY_FS = true; - OVERLAY_FS_REDIRECT_DIR = true; - OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW = false; - OVERLAY_FS_XINO_AUTO = true; - OVERLAY_FS_METACOPY = true; - - MSDOS_FS = true; - VFAT_FS = true; - FAT_DEFAULT_UTF8 = true; - - PROC_FS = true; - PROC_KCORE = false; - PROC_SYSCTL = true; - PROC_PAGE_MONITOR = true; - SYSFS = true; - TMPFS = true; - TMPFS_POSIX_ACL = true; - EFIVAR_FS = true; - - EROFS_FS = true; - EROFS_FS_XATTR = true; - EROFS_FS_POSIX_ACL = true; - EROFS_FS_SECURITY = false; - EROFS_FS_ZIP = true; - EROFS_FS_ZIP_ZSTD = true; - - NLS = true; - NLS_CODEPAGE_437 = true; - NLS_ISO8859_1 = true; - UNICODE = true; - }; - - fonts = { - FONTS = true; - FONT_TER16x32 = true; - }; - - systemd = lib.optionalAttrs (lib.meta.availableOn hostPlatform systemd) { - # Base requirements - DEVTMPFS = true; - CGROUPS = true; - INOTIFY_USER = true; - SIGNALFD = true; - TIMERFD = true; - EPOLL = true; - UNIX = true; - PROC_FS = true; - FHANDLE = true; - - # Legacy interfaces - UEVENT_HELPER = false; - FW_LOADER_USER_HELPER = false; - - # udev & virtualisation - DMIID = true; - - # SCSI device serial number retrieval - BLK_DEV_BSG = option true; - - # 
PrivateNetwork - NET_NS = true; - - # PrivateUser - USER_NS = true; - - # Optional but recommended - IPV6 = true; - AUTOFS_FS = true; - TMPFS_XATTR = true; - TMPFS_POSIX_ACL = true; - SECCOMP = true; - SECCOMP_FILTER = true; - KCMP = true; - NET_SCHED = true; - - # CPUShares - CGROUP_SCHED = true; - FAIR_GROUP_SCHED = true; - - # CPUQuota - CFS_BANDWIDTH = true; - - # IPaddress{Allow,Deny}, SocketBind{Allow,Deny}, RestrictNetworkInterfaces - BPF = true; - BPF_SYSCALL = true; - BPF_JIT = true; - CGROUP_BPF = true; - - # EFI - EFIVAR_FS = true; - EFI_PARTITION = true; - - # SMBIOS credentials - DMI = true; - DMI_SYSFS = true; - - # Realā€time scheduling - RT_GROUP_SCHED = false; - - # systemd-oomd - PSI = true; - MEMCG = true; - - AUDIT = false; - }; -} diff --git a/package/linux-hardened/package.nix b/package/linux-hardened/package.nix deleted file mode 100644 index edddaa0..0000000 --- a/package/linux-hardened/package.nix +++ /dev/null 
@@ -1,255 +0,0 @@ -{ self, ... }: { - lib, - stdenv, - buildPackages, - llvmPackages_19, - hostPlatform, - fetchFromGitHub, - buildEnv, - callPackage, - - linux-firmware, - sof-firmware, - wireless-regdb, - - systemd, - - jq, - python3, - perl, - flex, - bison, - bc, - openssl, - zstd, - hexdump, - - elfutils, - kmod, - ... -}@args: - -lib.makeOverridable ({ - llvmPackages ? llvmPackages_19, - instSetArch ? hostPlatform.gccarch or null, - extraConfig ? { }, - firmwarePackages ? [ - linux-firmware - sof-firmware - wireless-regdb - ], - extraFirmware ? [ ], - ... -}: - -let - inherit (self.lib) kernel; - - inherit (lib.attrsets) - filterAttrs - mapAttrsToList - mergeAttrsList; - - inherit (lib.strings) - concatStringsSep; - - firmwareEnv = buildEnv { - name = "linux-firmware"; - pathsToLink = [ "/lib/firmware" ]; - paths = firmwarePackages; - } + "/lib/firmware"; - - config = lib.mergeAttrsList (map kernel.flattenAttrs [ - (import ./config.nix { inherit kernel lib hostPlatform systemd; }) - extraConfig - { - EXTRA_FIRMWARE = extraFirmware; - EXTRA_FIRMWARE_DIR = kernel.option firmwareEnv; - } - ]); -in stdenv.mkDerivation (finalAttrs: { - __structuredAttrs = true; - - pname = "linux-hardened"; - version = "6.10.13-hardened1"; - - modDirVersion = lib.versions.pad 3 finalAttrs.version; - - src = fetchFromGitHub { - owner = "anthraxx"; - repo = finalAttrs.pname; - rev = "v${finalAttrs.version}"; - hash = "sha256-XWrX1jlUv1cwGzCz8Qqaa1mbetvPWY2ivPLyw6Fx54c="; - }; - - depsBuildBuild = [ - jq - - flex - bison - bc - python3 - perl - openssl - hexdump - - zstd - ]; - - nativeBuildInputs = [ - elfutils - kmod - ]; - - makeFlags = [ - "ARCH:=${hostPlatform.linuxArch}" - - "HOSTCC:=${buildPackages.stdenv.cc}/bin/${buildPackages.stdenv.cc.targetPrefix}cc" - "HOSTCXX:=${buildPackages.stdenv.cc}/bin/${buildPackages.stdenv.cc.targetPrefix}c++" - "HOSTLD:=${buildPackages.stdenv.cc}/bin/${buildPackages.stdenv.cc.targetPrefix}ld" - 
"HOSTAR:=${buildPackages.stdenv.cc}/bin/${buildPackages.stdenv.cc.targetPrefix}ar" - - "CC:=${llvmPackages.clang-unwrapped}/bin/clang" - "LD:=${llvmPackages.lld}/bin/ld.lld" - "AR:=${llvmPackages.llvm}/bin/llvm-ar" - "NM:=${llvmPackages.llvm}/bin/llvm-nm" - "OBJCOPY:=${llvmPackages.llvm}/bin/llvm-objcopy" - "OBJDUMP:=${llvmPackages.llvm}/bin/llvm-objdump" - "READELF:=${llvmPackages.llvm}/bin/llvm-readelf" - "STRIP:=${llvmPackages.llvm}/bin/llvm-strip" - ]; - - configfile = config |> kernel.mkConfig; - - requiredPresent = config - |> filterAttrs (n: v: !kernel.isOptional v && kernel.getValue v != false) - |> mapAttrsToList kernel.mkKeyValue; - - optionalPresent = config - |> filterAttrs (n: v: kernel.isOptional v && kernel.getValue v != false) - |> mapAttrsToList kernel.mkKeyValue; - - requiredAbsent = config - |> filterAttrs (n: v: !kernel.isOptional v && kernel.getValue v == false) - |> mapAttrsToList (n: v: kernel.mkKey n); - - optionalAbsent = config - |> filterAttrs (n: v: kernel.isOptional v && kernel.getValue v == false) - |> mapAttrsToList (n: v: kernel.mkKey n); - - postPatch = '' - patchShebangs scripts/ - - sed -i '/select BLOCK_LEGACY_AUTOLOAD/d' drivers/md/Kconfig - ''; - - preConfigure = '' - mkdir build - - export KBUILD_BUILD_TIMESTAMP="$(date -u -d @$SOURCE_DATE_EPOCH)" - export KBUILD_OUTPUT="$(pwd)/build" - - makeFlags+=( "-j $NIX_BUILD_CORES" ) - '' + lib.optionalString (hostPlatform ? linux-kernel.target) '' - export KBUILD_IMAGE=${lib.escapeShellArg hostPlatform.linux-kernel.target} - '' + lib.optionalString (instSetArch != null) '' - export KCFLAGS="-march=${lib.escapeShellArg instSetArch}" - ''; - - configurePhase = '' - runHook preConfigure - - cat >build/.config <<<"$configfile" - make "''${makeFlags[@]}" olddefconfig - - runHook postConfigure - ''; - - postConfigure = '' - # Verify configuration - for keyValue in "''${requiredPresent[@]}"; do - if ! 
grep -F -x -q "$keyValue" build/.config; then - printf 'Required: %s\nActual: %s\n\n' "$keyValue" \ - "$(grep -E "''${keyValue%%=*}[ =]" build/.config || echo "(absent)")" >&2 - exit 1 - fi - done - - for key in "''${requiredAbsent[@]}"; do - if grep -E -q "^$key=" build/.config; then - printf 'Required: %s unset or absent.\n Actual: %s\n\n' "$key" \ - "$(grep -E -q "^key=" build/.config)" >&2 - exit 1 - fi - done - - for keyValue in "''${optionalPresent[@]}"; do - if ! grep -F -x -q "$keyValue" build/.config; then - printf 'Suggested: %s\nActual: %s\n\n' "$keyValue" \ - "$(grep -E "''${keyValue%%=*}[ =]" build/.config || echo "(absent)")" >&2 - fi - done - - for key in "''${optionalAbsent[@]}"; do - if grep -E -q "^$key=" build/.config; then - printf 'Suggested: %s unset or absent.\nActual: %s\n\n' "$key" \ - "$(grep -E "^$key=" build/.config)" >&2 - fi - done - ''; - - preInstall = let - installkernel = buildPackages.writeShellScriptBin "installkernel" '' - cp "$2" "$4" - cp "$3" "$4" - ''; - in '' - export HOME=${installkernel} - ''; - - installFlags = [ - "INSTALL_PATH=$(out)" - "INSTALL_MOD_PATH=$(out)" - ]; - - installTargets = [ - "install" - "modules_install" - ]; - - postInstall = '' - depmod -b "$out" ${finalAttrs.modDirVersion} - touch "$out/lib/modules/${finalAttrs.modDirVersion}/modules.order" - ''; - - passthru = { - profile = import ./profile.nix { inherit kernel lib hostPlatform; }; - - config = with kernel; { - isYes = option: getValue config.${option} or false == true; - isNo = option: getValue config.${option} or false == false; - isModule = option: false; - - isEnabled = option: getValue config.${option} or false == true; - isDisabled = option: getValue config.${option} or false == false; - }; - - isHardened = true; - isLibre = false; - isZen = false; - - features = { - efiBootStub = true; - }; - - kernelOlder = lib.versionOlder finalAttrs.version; - kernelAtLeast = lib.versionAtLeast finalAttrs.version; - }; - - meta = { - homepage = 
"https://github.com/anthraxx/linux-hardened"; - license = lib.licenses.gpl2Only; - maintainers = with lib.maintainers; [ mvs ]; - platforms = [ "x86_64-linux" "aarch64-linux" "riscv64-linux" ]; - }; -})) args diff --git a/package/linux-hardened/profile.nix b/package/linux-hardened/profile.nix deleted file mode 100644 index 378afd3..0000000 --- a/package/linux-hardened/profile.nix +++ /dev/null 
@@ -1,232 +0,0 @@
-{ kernel, lib, hostPlatform }: with kernel; {
- paravirt = {
- HYPERVISOR_GUEST = true;
- PARAVIRT = true;
- PARAVIRT_SPINLOCKS = true;
- KVM_GUEST = true;
- ARCH_CPUIDLE_HALTPOLL = true;
- PARAVIRT_CLOCK = true;
-
- HALTPOLL_CPUIDLE = true;
-
- FW_CFG_SYSFS = true;
-
- BLK_MQ_VIRTIO = true;
- VIRTIO_BLK = true;
- VIRTIO_NET = true;
- VIRTIO_CONSOLE = true;
-
- HW_RANDOM_VIRTIO = true;
-
- DRM = true;
- DRM_FBDEV_EMULATION = true;
- DRM_VIRTIO_GPU = true;
- DRM_VIRTIO_GPU_KMS = true;
- DRM_BOCHS = true;
- DRM_SIMPLEDRM = true;
-
- VIRT_DRIVERS = true;
- VMGENID = true;
-
- VIRTIO_MENU = true;
- VIRTIO = true;
- VIRTIO_PCI = true;
- VIRTIO_PCI_LEGACY = false;
- VIRTIO_BALLOON = true;
- VIRTIO_INPUT = true;
-
- VIRTIO_IOMMU = true;
-
- FUSE_FS = true;
- VIRTIO_FS = true;
- };
-
- physical = {
- ACPI_BUTTON = true;
- ACPI_FAN = true;
- ACPI_TAD = true;
- ACPI_PROCESSOR_AGGREGATOR = true;
- ACPI_THERMAL = true;
- ACPI_PCI_SLOT = true;
-
- SCSI = true;
- BLK_DEV_SD = true;
- CHR_DEV_SG = true;
- SCSI_CONSTANTS = true;
- SCSI_SCAN_ASYNC = true;
-
- USB_STORAGE = true;
- USB_UAS = true;
-
- NEW_LEDS = true;
- LEDS_CLASS = true;
- LEDS_TRIGGERS = true;
- LEDS_TRIGGER_PANIC = true;
- LEDS_TRIGGER_NETDEV = true;
-
- EDAC = true;
-
- THERMAL = true;
- THERMAL_NETLINK = true;
- THERMAL_DEFAULT_GOV_FAIR_SHARE = true;
- THERMAL_GOV_FAIR_SHARE = true;
-
- POWERCAP = true;
-
- RAS = true;
- };
-
- portable = {
- PREEMPT_VOLUNTARY = true;
-
- SUSPEND = true;
- WQ_POWER_EFFICIENT_DEFAULT = true;
- ACPI_BATTERY = true;
- ACPI_VIDEO = true;
-
- HOTPLUG_PCI_PCIE = true;
- HOTPLUG_PCI = true;
-
- MEDIA_SUPPORT = true;
- MEDIA_SUPPORT_FILTER = true;
- MEDIA_SUBDRV_AUTOSELECT = true;
- MEDIA_CAMERA_SUPPORT = true;
- MEDIA_USB_SUPPORT = true;
- USB_VIDEO_CLASS = true;
- USB_VIDEO_CLASS_INPUT_EVDEV = true;
-
- HID_BATTERY_STRENGTH = true;
-
- USB_NET_DRIVERS = true;
- USB_RTL8152 = true;
- USB_USBNET = true;
- USB_NET_AX88179_178A = true;
- USB_NET_CDCETHER = true;
- USB_NET_CDC_SUBSET = true;
-
- BACKLIGHT_CLASS_DEVICE = true;
-
- TYPEC = true;
- TYPEC_TCPM = true;
- TYPEC_TCPCI = true;
- TYPEC_UCSI = true;
- UCSI_ACPI = true;
- TYPEC_DP_ALTMODE = true;
-
- MMC = true;
- MMC_BLOCK = true;
-
- USB4 = true;
-
- KFENCE_SAMPLE_INTERVAL = "500";
- };
-
- dm-crypt = {
- MD = true;
- MD_BITMAP_FILE = false;
- BLK_DEV_DM = true;
- DM_CRYPT = true;
- DM_UEVENT = true;
- DM_INTEGRITY = true;
-
- CRYPTO_AES = true;
- CRYPTO_XTS = true;
- CRYPTO_AEGIS128 = true;
- CRYPTO_SHA256 = true;
-
- CRYPTO_USER_API_HASH = true;
- CRYPTO_USER_API_SKCIPHER = true;
- } // lib.optionalAttrs hostPlatform.isx86_64 {
- CRYPTO_AES_NI_INTEL = true;
- CRYPTO_AEGIS128_AESNI_SSE2 = true;
- CRYPTO_SHA256_SSSE3 = true;
- } // lib.optionalAttrs hostPlatform.isRiscV64 {
- CRYPTO_AES_RISCV64 = true;
- CRYPTO_SHA256_RISCV64 = true;
- } // lib.optionalAttrs hostPlatform.isAarch64 {
- CRYPTO_AES_ARM64 = true;
- CRYPTO_AES_ARM64_CE = true;
- CRYPTO_AES_ARM64_CE_BLK = true;
- CRYPTO_AES_ARM64_NEON_BLK = true;
- CRYPTO_AES_ARM64_BS = true;
- CRYPTO_AEGIS128_SIMD = true;
- CRYPTO_SHA256_ARM64 = true;
- };
-
- wireless = {
- WIRELESS = true;
- CFG80211 = true;
- CFG80211_DEFAULT_PS = true;
- CFG80211_CRDA_SUPPORT = true;
- MAC80211 = true;
- MAC80211_RC_MINSTREL = true;
- MAC80211_RC_DEFAULT_MINSTREL = true;
- MAC80211_LEDS = true;
-
- BT = true;
- BT_BREDR = true;
- BT_RFCOMM = true;
- BT_HIDP = true;
- BT_LE = true;
- BT_LEDS = true;
-
- BT_HCIBTUSB_AUTOSUSPEND = option true;
- BT_HCIBTUSB_BCM = option false;
- BT_HCIBTUSB_RTL = option false;
-
- RFKILL = true;
- RFKILL_INPUT = true;
-
- # iwd
- KEYS = true;
- CRYPTO_USER_API_SKCIPHER = true;
- CRYPTO_USER_API_HASH = true;
- CRYPTO_HMAC = true;
- CRYPTO_CMAC = true;
- CRYPTO_MD4 = true;
- CRYPTO_MD5 = true;
- CRYPTO_SHA1 = true;
- CRYPTO_SHA256 = true;
- CRYPTO_SHA512 = true;
- CRYPTO_AES = true;
- CRYPTO_ECB = true;
- CRYPTO_DES = true;
- CRYPTO_CBC = true;
-
- ASYMMETRIC_KEY_TYPE = option true;
- ASYMMETRIC_PUBLIC_KEY_SUBTYPE = option true;
- X509_CERTIFICATE_PARSER = option true;
- PKCS7_MESSAGE_PARSER = option true;
- PKCS8_PRIVATE_KEY_PARSER = option true;
- } // lib.optionalAttrs hostPlatform.isx86_64 {
- CRYPTO_AES_NI_INTEL = option true;
- CRYPTO_DES3_EDE_X86_64 = option true;
- CRYPTO_SHA1_SSSE3 = option true;
- CRYPTO_SHA256_SSSE3 = option true;
- CRYPTO_SHA512_SSSE3 = option true;
- } // lib.optionalAttrs hostPlatform.isRiscV64 {
- CRYPTO_AES_RISCV64 = option true;
- CRYPTO_SHA256_RISCV64 = option true;
- CRYPTO_SHA512_RISCV64 = option true;
- } // lib.optionalAttrs hostPlatform.isAarch64 {
- CRYPTO_AES_ARM64_CE = option true;
- CRYPTO_AES_ARM64_CE_BLK = option true;
- CRYPTO_SHA1_ARM64_CE = option true;
- CRYPTO_SHA256_ARM64 = option true;
- CRYPTO_SHA2_ARM64_CE = option true;
- CRYPTO_SHA512_ARM64 = option true;
- CRYPTO_SHA512_ARM64_CE = option true;
- };
-
- audio = {
- SOUND = true;
- SND = true;
- SND_PCM_TIMER = true;
- SND_DYNAMIC_MINORS = true;
- SND_SUPPORT_OLD_API = false;
- SND_PCI = true;
-
- SND_USB = true;
- SND_USB_AUDIO = true;
- };
-}