2024-11-05 21:11:29 +01:00
|
|
|
{
|
|
|
|
lib,
|
|
|
|
stdenv,
|
|
|
|
buildPackages,
|
|
|
|
llvmPackages_19,
|
|
|
|
hostPlatform,
|
|
|
|
fetchFromGitHub,
|
|
|
|
buildEnv,
|
|
|
|
callPackage,
|
|
|
|
|
|
|
|
linux-firmware,
|
|
|
|
sof-firmware,
|
|
|
|
wireless-regdb,
|
|
|
|
|
|
|
|
jq,
|
|
|
|
python3,
|
|
|
|
perl,
|
|
|
|
flex,
|
|
|
|
bison,
|
|
|
|
bc,
|
|
|
|
openssl,
|
|
|
|
zstd,
|
|
|
|
hexdump,
|
|
|
|
|
|
|
|
elfutils,
|
|
|
|
kmod,
|
|
|
|
...
|
|
|
|
}@args:
|
|
|
|
|
|
|
|
lib.makeOverridable ({
|
|
|
|
llvmPackages ? llvmPackages_19,
|
|
|
|
instSetArch ? hostPlatform.gccarch or null,
|
|
|
|
platformConfig ? { },
|
|
|
|
extraConfig ? { },
|
|
|
|
firmwarePackages ? [
|
|
|
|
linux-firmware
|
|
|
|
sof-firmware
|
|
|
|
wireless-regdb
|
|
|
|
],
|
2024-11-05 23:22:20 +01:00
|
|
|
platformFirmware ? [ ],
|
2024-11-05 21:11:29 +01:00
|
|
|
extraFirmware ? [ ],
|
2024-11-13 17:20:50 +01:00
|
|
|
platformProfiles ? { },
|
|
|
|
extraProfiles ? { },
|
2024-11-05 21:11:29 +01:00
|
|
|
...
|
|
|
|
}:
|
|
|
|
|
|
|
|
let
|
|
|
|
kernel = import ./lib.nix { inherit lib; };
|
|
|
|
|
|
|
|
inherit (lib.attrsets)
|
|
|
|
filterAttrs
|
|
|
|
mapAttrsToList
|
|
|
|
mergeAttrsList;
|
|
|
|
|
|
|
|
inherit (lib.strings)
|
|
|
|
concatStringsSep;
|
|
|
|
|
|
|
|
firmwareEnv = buildEnv {
|
|
|
|
name = "linux-firmware";
|
|
|
|
pathsToLink = [ "/lib/firmware" ];
|
|
|
|
paths = firmwarePackages;
|
|
|
|
} + "/lib/firmware";
|
|
|
|
|
|
|
|
config = let
|
2024-11-13 17:20:50 +01:00
|
|
|
profileConfigs = let
|
|
|
|
profiles = platformProfiles // extraProfiles;
|
|
|
|
in builtins.readDir ./profile
|
2024-11-05 21:11:29 +01:00
|
|
|
|> lib.filterAttrs (name: type: type == "regular")
|
|
|
|
|> builtins.attrNames
|
|
|
|
|> map (lib.removeSuffix ".nix")
|
|
|
|
|> builtins.filter (profile: profiles.${profile} or false)
|
|
|
|
|> map (profile: ./profile/${profile}.nix);
|
|
|
|
|
|
|
|
forceConfig = {
|
|
|
|
MODULES = false;
|
2024-11-05 23:22:20 +01:00
|
|
|
EXTRA_FIRMWARE = platformFirmware ++ extraFirmware |> lib.unique;
|
2024-11-05 21:11:29 +01:00
|
|
|
EXTRA_FIRMWARE_DIR = kernel.option firmwareEnv;
|
|
|
|
};
|
|
|
|
|
|
|
|
args = {
|
|
|
|
inherit (kernel) option;
|
|
|
|
inherit lib hostPlatform;
|
|
|
|
};
|
|
|
|
in [ ./config.nix platformConfig ] ++ profileConfigs ++ [ extraConfig forceConfig ]
|
|
|
|
|> map (cfg: if builtins.isPath cfg then import cfg else cfg)
|
|
|
|
|> map (cfg: if builtins.isFunction cfg then cfg args else cfg)
|
|
|
|
|> kernel.mergeConfig;
|
|
|
|
in stdenv.mkDerivation (finalAttrs: {
|
|
|
|
__structuredAttrs = true;
|
|
|
|
|
|
|
|
pname = "linux-hardened";
|
2024-11-09 19:46:07 +01:00
|
|
|
version = "6.11.6-hardened1";
|
2024-11-05 21:11:29 +01:00
|
|
|
|
|
|
|
modDirVersion = lib.versions.pad 3 finalAttrs.version;
|
|
|
|
|
|
|
|
src = fetchFromGitHub {
|
|
|
|
owner = "anthraxx";
|
|
|
|
repo = finalAttrs.pname;
|
|
|
|
rev = "v${finalAttrs.version}";
|
2024-11-09 19:46:07 +01:00
|
|
|
hash = "sha256-PEaavtKBjAZevsyVvTVXD9E8meMcM/343UKL2P14+D4=";
|
2024-11-05 21:11:29 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
depsBuildBuild = [
|
|
|
|
jq
|
|
|
|
|
|
|
|
flex
|
|
|
|
bison
|
|
|
|
bc
|
|
|
|
python3
|
|
|
|
perl
|
|
|
|
openssl
|
|
|
|
hexdump
|
|
|
|
|
|
|
|
zstd
|
|
|
|
];
|
|
|
|
|
|
|
|
nativeBuildInputs = [
|
|
|
|
elfutils
|
|
|
|
kmod
|
|
|
|
];
|
|
|
|
|
|
|
|
makeFlags = [
|
|
|
|
"ARCH:=${hostPlatform.linuxArch}"
|
|
|
|
|
|
|
|
"HOSTCC:=${buildPackages.stdenv.cc}/bin/${buildPackages.stdenv.cc.targetPrefix}cc"
|
|
|
|
"HOSTCXX:=${buildPackages.stdenv.cc}/bin/${buildPackages.stdenv.cc.targetPrefix}c++"
|
|
|
|
"HOSTLD:=${buildPackages.stdenv.cc}/bin/${buildPackages.stdenv.cc.targetPrefix}ld"
|
|
|
|
"HOSTAR:=${buildPackages.stdenv.cc}/bin/${buildPackages.stdenv.cc.targetPrefix}ar"
|
|
|
|
|
|
|
|
"CC:=${llvmPackages.clang-unwrapped}/bin/clang"
|
|
|
|
"LD:=${llvmPackages.lld}/bin/ld.lld"
|
|
|
|
"AR:=${llvmPackages.llvm}/bin/llvm-ar"
|
|
|
|
"NM:=${llvmPackages.llvm}/bin/llvm-nm"
|
|
|
|
"OBJCOPY:=${llvmPackages.llvm}/bin/llvm-objcopy"
|
|
|
|
"OBJDUMP:=${llvmPackages.llvm}/bin/llvm-objdump"
|
|
|
|
"READELF:=${llvmPackages.llvm}/bin/llvm-readelf"
|
|
|
|
"STRIP:=${llvmPackages.llvm}/bin/llvm-strip"
|
|
|
|
];
|
|
|
|
|
|
|
|
configfile = config |> kernel.mkConfig;
|
|
|
|
|
|
|
|
requiredPresent = config
|
|
|
|
|> filterAttrs (n: v: !kernel.isOptional v && kernel.getValue v != false)
|
|
|
|
|> mapAttrsToList kernel.mkKeyValue;
|
|
|
|
|
|
|
|
optionalPresent = config
|
|
|
|
|> filterAttrs (n: v: kernel.isOptional v && kernel.getValue v != false)
|
|
|
|
|> mapAttrsToList kernel.mkKeyValue;
|
|
|
|
|
|
|
|
requiredAbsent = config
|
|
|
|
|> filterAttrs (n: v: !kernel.isOptional v && kernel.getValue v == false)
|
|
|
|
|> mapAttrsToList (n: v: kernel.mkKey n);
|
|
|
|
|
|
|
|
optionalAbsent = config
|
|
|
|
|> filterAttrs (n: v: kernel.isOptional v && kernel.getValue v == false)
|
|
|
|
|> mapAttrsToList (n: v: kernel.mkKey n);
|
|
|
|
|
|
|
|
postPatch = ''
|
|
|
|
patchShebangs scripts/
|
|
|
|
|
|
|
|
sed -i '/select BLOCK_LEGACY_AUTOLOAD/d' drivers/md/Kconfig
|
|
|
|
'';
|
|
|
|
|
|
|
|
preConfigure = ''
|
|
|
|
mkdir build
|
|
|
|
|
|
|
|
export KBUILD_BUILD_TIMESTAMP="$(date -u -d @$SOURCE_DATE_EPOCH)"
|
|
|
|
export KBUILD_OUTPUT="$(pwd)/build"
|
|
|
|
|
|
|
|
makeFlags+=( "-j $NIX_BUILD_CORES" )
|
|
|
|
'' + lib.optionalString (hostPlatform ? linux-kernel.target) ''
|
|
|
|
export KBUILD_IMAGE=${lib.escapeShellArg hostPlatform.linux-kernel.target}
|
|
|
|
'' + lib.optionalString (instSetArch != null) ''
|
|
|
|
export KCFLAGS="-march=${lib.escapeShellArg instSetArch}"
|
|
|
|
'';
|
|
|
|
|
|
|
|
configurePhase = ''
|
|
|
|
runHook preConfigure
|
|
|
|
|
|
|
|
cat >build/.config <<<"$configfile"
|
|
|
|
make "''${makeFlags[@]}" olddefconfig
|
|
|
|
|
|
|
|
runHook postConfigure
|
|
|
|
'';
|
|
|
|
|
|
|
|
postConfigure = ''
|
|
|
|
# Verify configuration
|
|
|
|
for keyValue in "''${requiredPresent[@]}"; do
|
|
|
|
if ! grep -F -x -q "$keyValue" build/.config; then
|
|
|
|
printf 'Required: %s\nActual: %s\n\n' "$keyValue" \
|
|
|
|
"$(grep -E "''${keyValue%%=*}[ =]" build/.config || echo "(absent)")" >&2
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
|
|
|
|
for key in "''${requiredAbsent[@]}"; do
|
|
|
|
if grep -E -q "^$key=" build/.config; then
|
|
|
|
printf 'Required: %s unset or absent.\n Actual: %s\n\n' "$key" \
|
|
|
|
"$(grep -E -q "^key=" build/.config)" >&2
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
|
|
|
|
for keyValue in "''${optionalPresent[@]}"; do
|
|
|
|
if ! grep -F -x -q "$keyValue" build/.config; then
|
|
|
|
printf 'Suggested: %s\nActual: %s\n\n' "$keyValue" \
|
|
|
|
"$(grep -E "''${keyValue%%=*}[ =]" build/.config || echo "(absent)")" >&2
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
|
|
|
|
for key in "''${optionalAbsent[@]}"; do
|
|
|
|
if grep -E -q "^$key=" build/.config; then
|
|
|
|
printf 'Suggested: %s unset or absent.\nActual: %s\n\n' "$key" \
|
|
|
|
"$(grep -E "^$key=" build/.config)" >&2
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
'';
|
|
|
|
|
|
|
|
preInstall = let
|
|
|
|
installkernel = buildPackages.writeShellScriptBin "installkernel" ''
|
|
|
|
cp "$2" "$4"
|
|
|
|
cp "$3" "$4"
|
|
|
|
'';
|
|
|
|
in ''
|
|
|
|
export HOME=${installkernel}
|
|
|
|
'';
|
|
|
|
|
|
|
|
installFlags = [
|
|
|
|
"INSTALL_PATH=$(out)"
|
|
|
|
"INSTALL_MOD_PATH=$(out)"
|
|
|
|
];
|
|
|
|
|
|
|
|
installTargets = [
|
|
|
|
"install"
|
|
|
|
"modules_install"
|
|
|
|
];
|
|
|
|
|
|
|
|
postInstall = ''
|
|
|
|
depmod -b "$out" ${finalAttrs.modDirVersion}
|
|
|
|
touch "$out/lib/modules/${finalAttrs.modDirVersion}/modules.order"
|
|
|
|
'';
|
|
|
|
|
|
|
|
passthru = {
|
|
|
|
config = with kernel; {
|
|
|
|
isYes = option: getValue config.${option} or false == true;
|
|
|
|
isNo = option: getValue config.${option} or false == false;
|
|
|
|
isModule = option: false;
|
|
|
|
|
|
|
|
isEnabled = option: getValue config.${option} or false == true;
|
|
|
|
isDisabled = option: getValue config.${option} or false == false;
|
|
|
|
};
|
|
|
|
|
|
|
|
isHardened = true;
|
|
|
|
isLibre = false;
|
|
|
|
isZen = false;
|
|
|
|
|
|
|
|
features = {
|
|
|
|
efiBootStub = true;
|
|
|
|
};
|
|
|
|
|
|
|
|
kernelOlder = lib.versionOlder finalAttrs.version;
|
|
|
|
kernelAtLeast = lib.versionAtLeast finalAttrs.version;
|
|
|
|
};
|
|
|
|
|
|
|
|
meta = {
|
|
|
|
homepage = "https://github.com/anthraxx/linux-hardened";
|
|
|
|
license = lib.licenses.gpl2Only;
|
|
|
|
maintainers = with lib.maintainers; [ mvs ];
|
|
|
|
platforms = [ "riscv64-linux" "aarch64-linux" "x86_64-linux" ];
|
|
|
|
};
|
|
|
|
})) args
|