linux-hardened/flake.nix

{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
  };

  nixConfig = {
    extra-substituters = [ "https://cache.kyouma.net" ];
    extra-trusted-public-keys = [ "cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg=" ];
  };

  outputs = { self, nixpkgs, ... }:
  let
    inherit (nixpkgs) lib;
    eachSystem = lib.genAttrs [ "x86_64-linux" ];
    legacyPackages = eachSystem (system: import nixpkgs { inherit system; });

    linux-hardened = pkgs: arch: configfile:
    let
      inherit (pkgs) linuxKernel fetchFromGitHub gccStdenv;

      kernel = linuxKernel.manualConfig rec {
        pname = "linux-hardened";
        version = "6.10.2-hardened1";

        src = fetchFromGitHub {
          owner = "anthraxx";
          repo = pname;
          rev = "v${version}";
          hash = "sha256-a9kxt09pQjUJUsdqaIMyA7Us6sxueaacetWKv59Xy3s=";
        };

        stdenv = gccStdenv;

        extraMakeFlags = [ "KCFLAGS=-march=${arch}" ];

        isHardened = true;
        inherit configfile features;
      };

      features = { efiBootStub = true; };
    in kernel.overrideAttrs (base: {
      passthru = base.passthru // { inherit features; };
    });
  in {
    packages.x86_64-linux =
    let
      pkgs = legacyPackages.x86_64-linux;
    in {
      qemu-virtio =
        linux-hardened pkgs "x86-64-v3" ./x86-64/qemu-virtio;
      thinkpad-x1-extreme-gen5 =
        linux-hardened pkgs "alderlake" ./x86-64/thinkpad-x1-extreme-gen5;
    };

    devShells.x86_64-linux =
    let
      pkgs = legacyPackages.x86_64-linux;
      mkShell = packages: pkgs.mkShell {
        inherit packages;
        shellHook = ''
          exec $SHELL
        '';
      };
    in {
      default = mkShell
        (with pkgs; self.packages.x86_64-linux.qemu-virtio.nativeBuildInputs ++ [ ncurses pkg-config ]);
    };

    hydraJobs = {
      kernel = self.packages;
      shell = self.devShells;
    };
  };
}
Initial import 2024-07-31 11:00:49 +02:00			`{`
			`inputs = {`
Properly capitalise nixpkgs URL 2024-07-31 13:21:20 +02:00			`nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";`
Initial import 2024-07-31 11:00:49 +02:00			`};`

			`nixConfig = {`
			`extra-substituters = [ "https://cache.kyouma.net" ];`
			`extra-trusted-public-keys = [ "cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg=" ];`
			`};`

			`outputs = { self, nixpkgs, ... }:`
			`let`
			`inherit (nixpkgs) lib;`
			`eachSystem = lib.genAttrs [ "x86_64-linux" ];`
Optimise for pre‐defined ISA 2024-07-31 13:27:34 +02:00			`legacyPackages = eachSystem (system: import nixpkgs { inherit system; });`
Initial import 2024-07-31 11:00:49 +02:00
Optimise for pre‐defined ISA 2024-07-31 13:27:34 +02:00			`linux-hardened = pkgs: arch: configfile:`
Initial import 2024-07-31 11:00:49 +02:00			`let`
Build with GCC 2024-07-31 17:31:35 +02:00			`inherit (pkgs) linuxKernel fetchFromGitHub gccStdenv;`
Initial import 2024-07-31 11:00:49 +02:00
Optimise for pre‐defined ISA 2024-07-31 13:27:34 +02:00			`kernel = linuxKernel.manualConfig rec {`
Initial import 2024-07-31 11:00:49 +02:00			`pname = "linux-hardened";`
linux-hardened: 6.9.10 → 6.10.2 2024-07-31 11:07:12 +02:00			`version = "6.10.2-hardened1";`
Initial import 2024-07-31 11:00:49 +02:00
Optimise for pre‐defined ISA 2024-07-31 13:27:34 +02:00			`src = fetchFromGitHub {`
Initial import 2024-07-31 11:00:49 +02:00			`owner = "anthraxx";`
			`repo = pname;`
			`rev = "v${version}";`
linux-hardened: 6.9.10 → 6.10.2 2024-07-31 11:07:12 +02:00			`hash = "sha256-a9kxt09pQjUJUsdqaIMyA7Us6sxueaacetWKv59Xy3s=";`
Initial import 2024-07-31 11:00:49 +02:00			`};`

Build with GCC 2024-07-31 17:31:35 +02:00			`stdenv = gccStdenv;`
Initial import 2024-07-31 11:00:49 +02:00
Build with GCC 2024-07-31 17:31:35 +02:00			`extraMakeFlags = [ "KCFLAGS=-march=${arch}" ];`
Initial import 2024-07-31 11:00:49 +02:00
			`isHardened = true;`
			`inherit configfile features;`
			`};`

			`features = { efiBootStub = true; };`
			`in kernel.overrideAttrs (base: {`
Optimise for pre‐defined ISA 2024-07-31 13:27:34 +02:00			`passthru = base.passthru // { inherit features; };`
Initial import 2024-07-31 11:00:49 +02:00			`});`
			`in {`
Optimise for pre‐defined ISA 2024-07-31 13:27:34 +02:00			`packages.x86_64-linux =`
			`let`
			`pkgs = legacyPackages.x86_64-linux;`
			`in {`
			`qemu-virtio =`
			`linux-hardened pkgs "x86-64-v3" ./x86-64/qemu-virtio;`
			`thinkpad-x1-extreme-gen5 =`
			`linux-hardened pkgs "alderlake" ./x86-64/thinkpad-x1-extreme-gen5;`
			`};`
Initial import 2024-07-31 11:00:49 +02:00
Optimise for pre‐defined ISA 2024-07-31 13:27:34 +02:00			`devShells.x86_64-linux =`
Initial import 2024-07-31 11:00:49 +02:00			`let`
Optimise for pre‐defined ISA 2024-07-31 13:27:34 +02:00			`pkgs = legacyPackages.x86_64-linux;`
			`mkShell = packages: pkgs.mkShell {`
			`inherit packages;`
			`shellHook = ''`
			`exec $SHELL`
			`'';`
			`};`
			`in {`
			`default = mkShell`
			`(with pkgs; self.packages.x86_64-linux.qemu-virtio.nativeBuildInputs ++ [ ncurses pkg-config ]);`
			`};`
Initial import 2024-07-31 11:00:49 +02:00
Optimise for pre‐defined ISA 2024-07-31 13:27:34 +02:00			`hydraJobs = {`
			`kernel = self.packages;`
			`shell = self.devShells;`
			`};`
Initial import 2024-07-31 11:00:49 +02:00			`};`
			`}`