linux-hardened/linux-hardened.nix

pkgs: { arch, config, firmware }:
let
  inherit (pkgs)
    lib
    buildEnv
    buildLinux
    buildPackages
    fetchFromGitHub
    overrideCC
    runCommand;

  kernel = let
    inherit (pkgs.llvmPackages_19)
      llvm clang-unwrapped lld
      clang bintools;

    args = {
      inherit (pkgs) lib hostPlatform;
    };

    firmwareEnv = buildEnv {
      name = "linux-firmware";
      pathsToLink = [ "/lib/firmware" ];
      paths = with pkgs; [
        linux-firmware
        sof-firmware
        wireless-regdb
      ];
    };
  in buildLinux rec {
    pname = "linux-hardened";
    version = "6.10.4-hardened1";

    src = fetchFromGitHub {
      owner = "anthraxx";
      repo = pname;
      rev = "v${version}";
      hash = "sha256-qq2vmrUIYUuXEwuZoXrXbZY/li+ReFNuqhsy1R0yx0s=";
    };

    defconfig = "allnoconfig";
    enableCommonConfig = false;

    extraMakeFlags = [
      "LLVM=1"

      "HOSTCC=${clang}/bin/clang"
      "HOSTCXX=${clang}/bin/clang++"
      "HOSTLD=${bintools}/bin/ld.lld"
      "HOSTAR=${bintools}/bin/ar"

      "CC=${clang-unwrapped}/bin/clang"
      "LD=${lld}/bin/ld.lld"
      "AR=${llvm}/bin/llvm-ar"
      "NM=${llvm}/bin/llvm-nm"
      "OBJCOPY=${llvm}/bin/llvm-objcopy"
      "OBJDUMP=${llvm}/bin/llvm-objdump"
      "READELF=${llvm}/bin/llvm-readelf"
      "STRIP=${llvm}/bin/llvm-strip"

      "KCFLAGS=-march=${arch}"
    ];

    structuredExtraConfig =
      (import ./base.nix args) //
      (import config args) //
      lib.optionalAttrs (firmware != [ ]) {
        EXTRA_FIRMWARE = lib.kernel.freeform (toString firmware);
        EXTRA_FIRMWARE_DIR = lib.kernel.freeform "${firmwareEnv}/lib/firmware";
      };

    features = {
      efiBootStub = true;
    };

    isHardened = true;
  };
in kernel.overrideAttrs (base: {
  installFlags = base.installFlags or [ ] ++ [ "INSTALL_MOD_PATH=$(out)" ];

  postInstall = ''
    if [ -z "''${dontStrip-}" ]; then
      installFlagsArray+=( "INSTALL_MOD_STRIP=1" )
    fi

    make modules_install $makeFlags "''${makeFlagsArray[@]}" \
      $installFlags "''${installFlagsArray[@]}"

    depmod -b $out ${base.version}
    touch $out/lib/modules/${base.version}/modules.order
  '';
})
Reformat code for compactness 2024-08-12 21:12:18 +02:00			`pkgs: { arch, config, firmware }:`
Initial import 2024-07-31 11:00:49 +02:00			`let`
Re‐format code 2024-08-03 10:28:48 +02:00			`inherit (pkgs)`
			`lib`
Collect firmware files using buildEnv 2024-08-06 22:55:23 +02:00			`buildEnv`
Re‐format code 2024-08-03 10:28:48 +02:00			`buildLinux`
Compile with Clang / LLVM 2024-08-12 22:52:12 +02:00			`buildPackages`
Re‐format code 2024-08-03 10:28:48 +02:00			`fetchFromGitHub`
Compile with Clang / LLVM 2024-08-12 22:52:12 +02:00			`overrideCC`
Reformat code for compactness 2024-08-12 21:12:18 +02:00			`runCommand;`
Initial import 2024-07-31 11:00:49 +02:00
Reformat code for compactness 2024-08-12 21:12:18 +02:00			`kernel = let`
Switch to LLVM 19 2024-08-13 21:54:11 +02:00			`inherit (pkgs.llvmPackages_19)`
Compile with Clang / LLVM 2024-08-12 22:52:12 +02:00			`llvm clang-unwrapped lld`
			`clang bintools;`

Reformat code for compactness 2024-08-12 21:12:18 +02:00			`args = {`
			`inherit (pkgs) lib hostPlatform;`
			`};`
Modularise kernel configuration 2024-08-02 22:14:55 +02:00
Reformat code for compactness 2024-08-12 21:12:18 +02:00			`firmwareEnv = buildEnv {`
			`name = "linux-firmware";`
			`pathsToLink = [ "/lib/firmware" ];`
			`paths = with pkgs; [`
			`linux-firmware`
			`sof-firmware`
			`wireless-regdb`
			`];`
			`};`
			`in buildLinux rec {`
Compile with Clang / LLVM 2024-08-12 22:52:12 +02:00			`pname = "linux-hardened";`
			`version = "6.10.4-hardened1";`
Modularise kernel configuration 2024-08-02 22:14:55 +02:00
Compile with Clang / LLVM 2024-08-12 22:52:12 +02:00			`src = fetchFromGitHub {`
			`owner = "anthraxx";`
			`repo = pname;`
			`rev = "v${version}";`
			`hash = "sha256-qq2vmrUIYUuXEwuZoXrXbZY/li+ReFNuqhsy1R0yx0s=";`
			`};`

			`defconfig = "allnoconfig";`
			`enableCommonConfig = false;`
Modularise kernel configuration 2024-08-02 22:14:55 +02:00
Compile with Clang / LLVM 2024-08-12 22:52:12 +02:00			`extraMakeFlags = [`
			`"LLVM=1"`
Modularise kernel configuration 2024-08-02 22:14:55 +02:00
Compile with Clang / LLVM 2024-08-12 22:52:12 +02:00			`"HOSTCC=${clang}/bin/clang"`
			`"HOSTCXX=${clang}/bin/clang++"`
			`"HOSTLD=${bintools}/bin/ld.lld"`
			`"HOSTAR=${bintools}/bin/ar"`
Modularise kernel configuration 2024-08-02 22:14:55 +02:00
Compile with Clang / LLVM 2024-08-12 22:52:12 +02:00			`"CC=${clang-unwrapped}/bin/clang"`
			`"LD=${lld}/bin/ld.lld"`
			`"AR=${llvm}/bin/llvm-ar"`
			`"NM=${llvm}/bin/llvm-nm"`
			`"OBJCOPY=${llvm}/bin/llvm-objcopy"`
			`"OBJDUMP=${llvm}/bin/llvm-objdump"`
			`"READELF=${llvm}/bin/llvm-readelf"`
			`"STRIP=${llvm}/bin/llvm-strip"`

			`"KCFLAGS=-march=${arch}"`
			`];`

			`structuredExtraConfig =`
			`(import ./base.nix args) //`
			`(import config args) //`
			`lib.optionalAttrs (firmware != [ ]) {`
			`EXTRA_FIRMWARE = lib.kernel.freeform (toString firmware);`
			`EXTRA_FIRMWARE_DIR = lib.kernel.freeform "${firmwareEnv}/lib/firmware";`
Re‐format code 2024-08-03 10:28:48 +02:00			`};`
Reformat code for compactness 2024-08-12 21:12:18 +02:00
Compile with Clang / LLVM 2024-08-12 22:52:12 +02:00			`features = {`
			`efiBootStub = true;`
Re‐format code 2024-08-03 10:28:48 +02:00			`};`
Compile with Clang / LLVM 2024-08-12 22:52:12 +02:00
			`isHardened = true;`
			`};`
Reformat code for compactness 2024-08-12 21:12:18 +02:00			`in kernel.overrideAttrs (base: {`
Re‐format code 2024-08-03 10:28:48 +02:00			`installFlags = base.installFlags or [ ] ++ [ "INSTALL_MOD_PATH=$(out)" ];`
Initial import 2024-07-31 11:00:49 +02:00
			`postInstall = ''`
			`if [ -z "''${dontStrip-}" ]; then`
			`installFlagsArray+=( "INSTALL_MOD_STRIP=1" )`
			`fi`

			`make modules_install $makeFlags "''${makeFlagsArray[@]}" \`
			`$installFlags "''${installFlagsArray[@]}"`

			`depmod -b $out ${base.version}`
			`touch $out/lib/modules/${base.version}/modules.order`
			`'';`
			`})`