Reformat code for compactness

Mikael Voss 2024-08-12 21:12:18 +02:00
parent 00adf2b257
commit 2b34fc4f3f
No known key found for this signature in database
16 changed files with 76 additions and 132 deletions


@ -1,6 +1,4 @@
{ lib, ... }: { lib, ... }: with lib.kernel; {
with lib.kernel;
{
ARM64_VA_BITS_48 = yes; ARM64_VA_BITS_48 = yes;
ARM64_PAN = yes; ARM64_PAN = yes;
ARM64_USE_LSE_ATOMICS = yes; ARM64_USE_LSE_ATOMICS = yes;


@ -1,6 +1,4 @@
{ lib, ... }: { lib, ... }: with lib.kernel; {
with lib.kernel;
{
SOUND = yes; SOUND = yes;
SND = yes; SND = yes;
SND_PCM_TIMER = yes; SND_PCM_TIMER = yes;


@ -1,9 +1,7 @@
{ lib, hostPlatform, ... }@args: { lib, hostPlatform, ... }@args: with lib.kernel;
with lib.kernel;
(import ./disable.nix args) (import ./disable.nix args) //
// (import ./systemd.nix args) (import ./systemd.nix args) // {
// {
KERNEL_ZSTD = yes; KERNEL_ZSTD = yes;
SYSVIPC = yes; SYSVIPC = yes;


@ -1,6 +1,4 @@
{ lib, ... }: { lib, ... }: with lib.kernel; {
with lib.kernel;
{
X86_MPPARSE = option no; X86_MPPARSE = option no;
AMD_NUMA = option no; AMD_NUMA = option no;


@ -1,6 +1,4 @@
{ lib, hostPlatform, ... }: { lib, hostPlatform, ... }: with lib.kernel; {
with lib.kernel;
{
MD = yes; MD = yes;
MD_BITMAP_FILE = no; MD_BITMAP_FILE = no;
BLK_DEV_DM = yes; BLK_DEV_DM = yes;
@ -15,17 +13,14 @@ with lib.kernel;
CRYPTO_USER_API_HASH = yes; CRYPTO_USER_API_HASH = yes;
CRYPTO_USER_API_SKCIPHER = yes; CRYPTO_USER_API_SKCIPHER = yes;
} } // lib.optionalAttrs hostPlatform.isx86_64 {
// lib.optionalAttrs hostPlatform.isx86_64 {
CRYPTO_AES_NI_INTEL = yes; CRYPTO_AES_NI_INTEL = yes;
CRYPTO_AEGIS128_AESNI_SSE2 = yes; CRYPTO_AEGIS128_AESNI_SSE2 = yes;
CRYPTO_SHA256_SSSE3 = yes; CRYPTO_SHA256_SSSE3 = yes;
} } // lib.optionalAttrs hostPlatform.isRiscV64 {
// lib.optionalAttrs hostPlatform.isRiscV64 {
CRYPTO_AES_RISCV64 = yes; CRYPTO_AES_RISCV64 = yes;
CRYPTO_SHA256_RISCV64 = yes; CRYPTO_SHA256_RISCV64 = yes;
} } // lib.optionalAttrs hostPlatform.isAarch64 {
// lib.optionalAttrs hostPlatform.isAarch64 {
CRYPTO_AES_ARM64 = yes; CRYPTO_AES_ARM64 = yes;
CRYPTO_AES_ARM64_CE = yes; CRYPTO_AES_ARM64_CE = yes;
CRYPTO_AES_ARM64_CE_BLK = yes; CRYPTO_AES_ARM64_CE_BLK = yes;


@ -8,52 +8,36 @@
extra-trusted-public-keys = [ "cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg=" ]; extra-trusted-public-keys = [ "cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg=" ];
}; };
outputs = outputs = { self, nixpkgs, ... }:
{ self, nixpkgs, ... }:
let let
inherit (nixpkgs) lib; inherit (nixpkgs) lib;
inherit (lib) mapAttrs; inherit (lib) mapAttrs;
profiles = import ./profiles.nix; profiles = import ./profiles.nix;
legacyPackages = mapAttrs (system: profile: import nixpkgs { inherit system; }) profiles; legacyPackages = mapAttrs (system: profile: import nixpkgs { inherit system; }) profiles;
linux-hardened = import ./linux-hardened.nix; linux-hardened = import ./linux-hardened.nix;
in in {
{ packages = mapAttrs
packages = mapAttrs ( (system: profiles: mapAttrs
system: profiles: mapAttrs (name: profile: linux-hardened legacyPackages.${system} profile) profiles (name: profile: linux-hardened legacyPackages.${system} profile)
) profiles; profiles) profiles;
devShells = mapAttrs ( devShells = mapAttrs (system: profile:
system: profile:
let let
pkgs = legacyPackages.${system}; pkgs = legacyPackages.${system};
dummy = linux-hardened pkgs { dummy = linux-hardened pkgs { arch = ""; config = ./dummy.nix; firmware = [ ]; };
arch = "";
config = ./dummy.nix;
firmware = [ ];
};
mkShell = mkShell = packages:
packages:
pkgs.mkShell { pkgs.mkShell {
inherit packages; inherit packages;
shellHook = '' shellHook = ''
exec $SHELL exec $SHELL
''; '';
}; };
in in {
{ default = mkShell
default = mkShell ( (with pkgs; dummy.nativeBuildInputs ++ [ ncurses pkg-config ]);
with pkgs; }) profiles;
dummy.nativeBuildInputs
++ [
ncurses
pkg-config
]
);
}
) profiles;
hydraJobs = { hydraJobs = {
kernel = self.packages; kernel = self.packages;
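Review bot: In the compacted `packages` expression the lambda parameter `profiles` shadows the let-bound `profiles`, so the closing `profiles) profiles;` repeats one name for two different values: the first is the per-system set, the second the whole table. `legacyPackages` and `devShells` name that same argument `profile`, so the three `mapAttrs` callbacks are inconsistent with each other. Renaming the parameter keeps the one-line form readable, e.g. `(system: systemProfiles: mapAttrs (name: profile: linux-hardened legacyPackages.${system} profile) systemProfiles) profiles;`. The `outputs` function continues past the end of this hunk.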


@ -1,9 +1,4 @@
pkgs: pkgs: { arch, config, firmware }:
{
arch,
config,
firmware,
}:
let let
inherit (pkgs) inherit (pkgs)
lib lib
@ -11,11 +6,9 @@ let
buildLinux buildLinux
fetchFromGitHub fetchFromGitHub
gccStdenv gccStdenv
runCommand runCommand;
;
kernel = kernel = let
let
args = { args = {
inherit (pkgs) lib hostPlatform; inherit (pkgs) lib hostPlatform;
}; };
@ -29,8 +22,7 @@ let
wireless-regdb wireless-regdb
]; ];
}; };
in in buildLinux rec {
buildLinux rec {
pname = "linux-hardened"; pname = "linux-hardened";
version = "6.10.4-hardened1"; version = "6.10.4-hardened1";
@ -46,9 +38,9 @@ let
enableCommonConfig = false; enableCommonConfig = false;
structuredExtraConfig = structuredExtraConfig =
(import ./base.nix args) (import ./base.nix args) //
// (import config args) (import config args) //
// lib.optionalAttrs (firmware != [ ]) { lib.optionalAttrs (firmware != [ ]) {
EXTRA_FIRMWARE = lib.kernel.freeform (toString firmware); EXTRA_FIRMWARE = lib.kernel.freeform (toString firmware);
EXTRA_FIRMWARE_DIR = lib.kernel.freeform "${firmwareEnv}/lib/firmware"; EXTRA_FIRMWARE_DIR = lib.kernel.freeform "${firmwareEnv}/lib/firmware";
}; };
@ -56,11 +48,11 @@ let
features = { features = {
efiBootStub = true; efiBootStub = true;
}; };
isHardened = true; isHardened = true;
stdenv = gccStdenv; stdenv = gccStdenv;
}; };
in in kernel.overrideAttrs (base: {
kernel.overrideAttrs (base: {
installFlags = base.installFlags or [ ] ++ [ "INSTALL_MOD_PATH=$(out)" ]; installFlags = base.installFlags or [ ] ++ [ "INSTALL_MOD_PATH=$(out)" ];
postInstall = '' postInstall = ''
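Review bot: The `structuredExtraConfig` chain has no comment stating its precedence: `//` is a shallow, right-biased merge, so any key set by `import config args` silently replaces the same key from `./base.nix`, and the firmware attributes replace both. For a hardened kernel this means a profile fragment can switch off an option the base set without any evaluation error; whether that is intended is not visible here. A one-line comment above the expression would record the intent, e.g. `# Right-biased merge: profile config overrides base.nix, firmware options override both.` The enclosing `buildLinux rec { … }` set opens in an earlier hunk of this file.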


@ -1,6 +1,4 @@
{ lib, ... }: { lib, ... }: with lib.kernel; {
with lib.kernel;
{
MICROCODE = yes; MICROCODE = yes;
ENERGY_MODEL = yes; ENERGY_MODEL = yes;


@ -1,6 +1,4 @@
{ lib, ... }: { lib, ... }: with lib.kernel; {
with lib.kernel;
{
PREEMPT_VOLUNTARY = yes; PREEMPT_VOLUNTARY = yes;
SUSPEND = yes; SUSPEND = yes;


@ -44,6 +44,7 @@
firmware = [ ]; firmware = [ ];
}; };
}; };
riscv64-linux = { riscv64-linux = {
qemu-virtio = { qemu-virtio = {
arch = "rv64gc"; arch = "rv64gc";
@ -51,6 +52,7 @@
firmware = [ ]; firmware = [ ];
}; };
}; };
aarch64-linux = { aarch64-linux = {
qemu-virtio = { qemu-virtio = {
arch = "armv8.2-a"; arch = "armv8.2-a";


@ -1,7 +1,4 @@
{ lib, ... }: { lib, ... }: with lib.kernel; {
with lib.kernel;
{
NR_CPUS = freeform "8"; NR_CPUS = freeform "8";
HYPERVISOR_GUEST = yes; HYPERVISOR_GUEST = yes;


@ -1,6 +1,4 @@
{ lib, ... }: { lib, ... }: with lib.kernel; {
with lib.kernel;
{
ARCH_RV64I = yes; ARCH_RV64I = yes;
COMPAT = no; COMPAT = no;


@ -1,7 +1,4 @@
{ lib, ... }: { lib, ... }: with lib.kernel; {
with lib.kernel;
{
IP_ADVANCED_ROUTER = yes; IP_ADVANCED_ROUTER = yes;
IP_MULTIPLE_TABLES = yes; IP_MULTIPLE_TABLES = yes;
IP_ROUTE_MULTIPATH = yes; IP_ROUTE_MULTIPATH = yes;


@ -1,6 +1,4 @@
{ lib, ... }: { lib, ... }: with lib.kernel; {
with lib.kernel;
{
# Base requirements # Base requirements
DEVTMPFS = yes; DEVTMPFS = yes;
CGROUPS = yes; CGROUPS = yes;


@ -1,6 +1,4 @@
{ lib, hostPlatform, ... }: { lib, hostPlatform, ... }: with lib.kernel; {
with lib.kernel;
{
WIRELESS = yes; WIRELESS = yes;
CFG80211 = yes; CFG80211 = yes;
CFG80211_DEFAULT_PS = yes; CFG80211_DEFAULT_PS = yes;
@ -45,20 +43,17 @@ with lib.kernel;
X509_CERTIFICATE_PARSER = option yes; X509_CERTIFICATE_PARSER = option yes;
PKCS7_MESSAGE_PARSER = option yes; PKCS7_MESSAGE_PARSER = option yes;
PKCS8_PRIVATE_KEY_PARSER = option yes; PKCS8_PRIVATE_KEY_PARSER = option yes;
} } // lib.optionalAttrs hostPlatform.isx86_64 {
// lib.optionalAttrs hostPlatform.isx86_64 {
CRYPTO_AES_NI_INTEL = option yes; CRYPTO_AES_NI_INTEL = option yes;
CRYPTO_DES3_EDE_X86_64 = option yes; CRYPTO_DES3_EDE_X86_64 = option yes;
CRYPTO_SHA1_SSSE3 = option yes; CRYPTO_SHA1_SSSE3 = option yes;
CRYPTO_SHA256_SSSE3 = option yes; CRYPTO_SHA256_SSSE3 = option yes;
CRYPTO_SHA512_SSSE3 = option yes; CRYPTO_SHA512_SSSE3 = option yes;
} } // lib.optionalAttrs hostPlatform.isRiscV64 {
// lib.optionalAttrs hostPlatform.isRiscV64 {
CRYPTO_AES_RISCV64 = option yes; CRYPTO_AES_RISCV64 = option yes;
CRYPTO_SHA256_RISCV64 = option yes; CRYPTO_SHA256_RISCV64 = option yes;
CRYPTO_SHA512_RISCV64 = option yes; CRYPTO_SHA512_RISCV64 = option yes;
} } // lib.optionalAttrs hostPlatform.isAarch64 {
// lib.optionalAttrs hostPlatform.isAarch64 {
CRYPTO_AES_ARM64_CE = option yes; CRYPTO_AES_ARM64_CE = option yes;
CRYPTO_AES_ARM64_CE_BLK = option yes; CRYPTO_AES_ARM64_CE_BLK = option yes;
CRYPTO_SHA1_ARM64_CE = option yes; CRYPTO_SHA1_ARM64_CE = option yes;


@ -1,6 +1,4 @@
{ lib, hostPlatform, ... }: { lib, hostPlatform, ... }: with lib.kernel; {
with lib.kernel;
{
SCHED_OMIT_FRAME_POINTER = yes; SCHED_OMIT_FRAME_POINTER = yes;
X86_FRED = yes; X86_FRED = yes;