Reformat code for compactness

Mikael Voss 2024-08-12 21:12:18 +02:00
parent 00adf2b257
commit 2b34fc4f3f
No known key found for this signature in database
16 changed files with 76 additions and 132 deletions


@ -1,6 +1,4 @@
{ lib, ... }: { lib, ... }: with lib.kernel; {
with lib.kernel;
{
ARM64_VA_BITS_48 = yes; ARM64_VA_BITS_48 = yes;
ARM64_PAN = yes; ARM64_PAN = yes;
ARM64_USE_LSE_ATOMICS = yes; ARM64_USE_LSE_ATOMICS = yes;


@ -1,6 +1,4 @@
{ lib, ... }: { lib, ... }: with lib.kernel; {
with lib.kernel;
{
SOUND = yes; SOUND = yes;
SND = yes; SND = yes;
SND_PCM_TIMER = yes; SND_PCM_TIMER = yes;


@ -1,9 +1,7 @@
{ lib, hostPlatform, ... }@args: { lib, hostPlatform, ... }@args: with lib.kernel;
with lib.kernel;
(import ./disable.nix args) (import ./disable.nix args) //
// (import ./systemd.nix args) (import ./systemd.nix args) // {
// {
KERNEL_ZSTD = yes; KERNEL_ZSTD = yes;
SYSVIPC = yes; SYSVIPC = yes;


@ -1,6 +1,4 @@
{ lib, ... }: { lib, ... }: with lib.kernel; {
with lib.kernel;
{
X86_MPPARSE = option no; X86_MPPARSE = option no;
AMD_NUMA = option no; AMD_NUMA = option no;


@ -1,6 +1,4 @@
{ lib, hostPlatform, ... }: { lib, hostPlatform, ... }: with lib.kernel; {
with lib.kernel;
{
MD = yes; MD = yes;
MD_BITMAP_FILE = no; MD_BITMAP_FILE = no;
BLK_DEV_DM = yes; BLK_DEV_DM = yes;
@ -15,17 +13,14 @@ with lib.kernel;
CRYPTO_USER_API_HASH = yes; CRYPTO_USER_API_HASH = yes;
CRYPTO_USER_API_SKCIPHER = yes; CRYPTO_USER_API_SKCIPHER = yes;
} } // lib.optionalAttrs hostPlatform.isx86_64 {
// lib.optionalAttrs hostPlatform.isx86_64 {
CRYPTO_AES_NI_INTEL = yes; CRYPTO_AES_NI_INTEL = yes;
CRYPTO_AEGIS128_AESNI_SSE2 = yes; CRYPTO_AEGIS128_AESNI_SSE2 = yes;
CRYPTO_SHA256_SSSE3 = yes; CRYPTO_SHA256_SSSE3 = yes;
} } // lib.optionalAttrs hostPlatform.isRiscV64 {
// lib.optionalAttrs hostPlatform.isRiscV64 {
CRYPTO_AES_RISCV64 = yes; CRYPTO_AES_RISCV64 = yes;
CRYPTO_SHA256_RISCV64 = yes; CRYPTO_SHA256_RISCV64 = yes;
} } // lib.optionalAttrs hostPlatform.isAarch64 {
// lib.optionalAttrs hostPlatform.isAarch64 {
CRYPTO_AES_ARM64 = yes; CRYPTO_AES_ARM64 = yes;
CRYPTO_AES_ARM64_CE = yes; CRYPTO_AES_ARM64_CE = yes;
CRYPTO_AES_ARM64_CE_BLK = yes; CRYPTO_AES_ARM64_CE_BLK = yes;


@ -8,56 +8,40 @@
extra-trusted-public-keys = [ "cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg=" ]; extra-trusted-public-keys = [ "cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg=" ];
}; };
outputs = outputs = { self, nixpkgs, ... }:
{ self, nixpkgs, ... }: let
inherit (nixpkgs) lib;
inherit (lib) mapAttrs;
profiles = import ./profiles.nix;
legacyPackages = mapAttrs (system: profile: import nixpkgs { inherit system; }) profiles;
linux-hardened = import ./linux-hardened.nix;
in {
packages = mapAttrs
(system: profiles: mapAttrs
(name: profile: linux-hardened legacyPackages.${system} profile)
profiles) profiles;
devShells = mapAttrs (system: profile:
let let
inherit (nixpkgs) lib; pkgs = legacyPackages.${system};
inherit (lib) mapAttrs; dummy = linux-hardened pkgs { arch = ""; config = ./dummy.nix; firmware = [ ]; };
profiles = import ./profiles.nix;
legacyPackages = mapAttrs (system: profile: import nixpkgs { inherit system; }) profiles; mkShell = packages:
pkgs.mkShell {
inherit packages;
shellHook = ''
exec $SHELL
'';
};
in {
default = mkShell
(with pkgs; dummy.nativeBuildInputs ++ [ ncurses pkg-config ]);
}) profiles;
linux-hardened = import ./linux-hardened.nix; hydraJobs = {
in kernel = self.packages;
{ shell = self.devShells;
packages = mapAttrs (
system: profiles: mapAttrs (name: profile: linux-hardened legacyPackages.${system} profile) profiles
) profiles;
devShells = mapAttrs (
system: profile:
let
pkgs = legacyPackages.${system};
dummy = linux-hardened pkgs {
arch = "";
config = ./dummy.nix;
firmware = [ ];
};
mkShell =
packages:
pkgs.mkShell {
inherit packages;
shellHook = ''
exec $SHELL
'';
};
in
{
default = mkShell (
with pkgs;
dummy.nativeBuildInputs
++ [
ncurses
pkg-config
]
);
}
) profiles;
hydraJobs = {
kernel = self.packages;
shell = self.devShells;
};
}; };
};
} }
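Review bot: The compacted `packages` expression in this section now ends in `profiles) profiles;`, where the first `profiles` is the inner lambda's parameter (one system's profile set) and the second is the `let`-bound import of `./profiles.nix`; the shadowing predates this commit, but with both names on one line it is easy to misread. Renaming the parameter keeps them apart: `(system: systemProfiles: mapAttrs (name: profile: linux-hardened legacyPackages.${system} profile) systemProfiles) profiles;`. The `profile` argument of the `legacyPackages` and `devShells` lambdas is not used in the visible lines and could be written `_`. Which column is the new side is read from the split view here, so confirm against the file before applying.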


@ -1,9 +1,4 @@
pkgs: pkgs: { arch, config, firmware }:
{
arch,
config,
firmware,
}:
let let
inherit (pkgs) inherit (pkgs)
lib lib
@ -11,26 +6,23 @@ let
buildLinux buildLinux
fetchFromGitHub fetchFromGitHub
gccStdenv gccStdenv
runCommand runCommand;
;
kernel = kernel = let
let args = {
args = { inherit (pkgs) lib hostPlatform;
inherit (pkgs) lib hostPlatform; };
};
firmwareEnv = buildEnv { firmwareEnv = buildEnv {
name = "linux-firmware"; name = "linux-firmware";
pathsToLink = [ "/lib/firmware" ]; pathsToLink = [ "/lib/firmware" ];
paths = with pkgs; [ paths = with pkgs; [
linux-firmware linux-firmware
sof-firmware sof-firmware
wireless-regdb wireless-regdb
]; ];
}; };
in in buildLinux rec {
buildLinux rec {
pname = "linux-hardened"; pname = "linux-hardened";
version = "6.10.4-hardened1"; version = "6.10.4-hardened1";
@ -46,9 +38,9 @@ let
enableCommonConfig = false; enableCommonConfig = false;
structuredExtraConfig = structuredExtraConfig =
(import ./base.nix args) (import ./base.nix args) //
// (import config args) (import config args) //
// lib.optionalAttrs (firmware != [ ]) { lib.optionalAttrs (firmware != [ ]) {
EXTRA_FIRMWARE = lib.kernel.freeform (toString firmware); EXTRA_FIRMWARE = lib.kernel.freeform (toString firmware);
EXTRA_FIRMWARE_DIR = lib.kernel.freeform "${firmwareEnv}/lib/firmware"; EXTRA_FIRMWARE_DIR = lib.kernel.freeform "${firmwareEnv}/lib/firmware";
}; };
@ -56,11 +48,11 @@ let
features = { features = {
efiBootStub = true; efiBootStub = true;
}; };
isHardened = true; isHardened = true;
stdenv = gccStdenv; stdenv = gccStdenv;
}; };
in in kernel.overrideAttrs (base: {
kernel.overrideAttrs (base: {
installFlags = base.installFlags or [ ] ++ [ "INSTALL_MOD_PATH=$(out)" ]; installFlags = base.installFlags or [ ] ++ [ "INSTALL_MOD_PATH=$(out)" ];
postInstall = '' postInstall = ''


@ -1,6 +1,4 @@
{ lib, ... }: { lib, ... }: with lib.kernel; {
with lib.kernel;
{
MICROCODE = yes; MICROCODE = yes;
ENERGY_MODEL = yes; ENERGY_MODEL = yes;


@ -1,6 +1,4 @@
{ lib, ... }: { lib, ... }: with lib.kernel; {
with lib.kernel;
{
PREEMPT_VOLUNTARY = yes; PREEMPT_VOLUNTARY = yes;
SUSPEND = yes; SUSPEND = yes;


@ -44,6 +44,7 @@
firmware = [ ]; firmware = [ ];
}; };
}; };
riscv64-linux = { riscv64-linux = {
qemu-virtio = { qemu-virtio = {
arch = "rv64gc"; arch = "rv64gc";
@ -51,6 +52,7 @@
firmware = [ ]; firmware = [ ];
}; };
}; };
aarch64-linux = { aarch64-linux = {
qemu-virtio = { qemu-virtio = {
arch = "armv8.2-a"; arch = "armv8.2-a";


@ -1,7 +1,4 @@
{ lib, ... }: { lib, ... }: with lib.kernel; {
with lib.kernel;
{
NR_CPUS = freeform "8"; NR_CPUS = freeform "8";
HYPERVISOR_GUEST = yes; HYPERVISOR_GUEST = yes;


@ -1,6 +1,4 @@
{ lib, ... }: { lib, ... }: with lib.kernel; {
with lib.kernel;
{
ARCH_RV64I = yes; ARCH_RV64I = yes;
COMPAT = no; COMPAT = no;


@ -1,7 +1,4 @@
{ lib, ... }: { lib, ... }: with lib.kernel; {
with lib.kernel;
{
IP_ADVANCED_ROUTER = yes; IP_ADVANCED_ROUTER = yes;
IP_MULTIPLE_TABLES = yes; IP_MULTIPLE_TABLES = yes;
IP_ROUTE_MULTIPATH = yes; IP_ROUTE_MULTIPATH = yes;


@ -1,6 +1,4 @@
{ lib, ... }: { lib, ... }: with lib.kernel; {
with lib.kernel;
{
# Base requirements # Base requirements
DEVTMPFS = yes; DEVTMPFS = yes;
CGROUPS = yes; CGROUPS = yes;


@ -1,6 +1,4 @@
{ lib, hostPlatform, ... }: { lib, hostPlatform, ... }: with lib.kernel; {
with lib.kernel;
{
WIRELESS = yes; WIRELESS = yes;
CFG80211 = yes; CFG80211 = yes;
CFG80211_DEFAULT_PS = yes; CFG80211_DEFAULT_PS = yes;
@ -45,20 +43,17 @@ with lib.kernel;
X509_CERTIFICATE_PARSER = option yes; X509_CERTIFICATE_PARSER = option yes;
PKCS7_MESSAGE_PARSER = option yes; PKCS7_MESSAGE_PARSER = option yes;
PKCS8_PRIVATE_KEY_PARSER = option yes; PKCS8_PRIVATE_KEY_PARSER = option yes;
} } // lib.optionalAttrs hostPlatform.isx86_64 {
// lib.optionalAttrs hostPlatform.isx86_64 {
CRYPTO_AES_NI_INTEL = option yes; CRYPTO_AES_NI_INTEL = option yes;
CRYPTO_DES3_EDE_X86_64 = option yes; CRYPTO_DES3_EDE_X86_64 = option yes;
CRYPTO_SHA1_SSSE3 = option yes; CRYPTO_SHA1_SSSE3 = option yes;
CRYPTO_SHA256_SSSE3 = option yes; CRYPTO_SHA256_SSSE3 = option yes;
CRYPTO_SHA512_SSSE3 = option yes; CRYPTO_SHA512_SSSE3 = option yes;
} } // lib.optionalAttrs hostPlatform.isRiscV64 {
// lib.optionalAttrs hostPlatform.isRiscV64 {
CRYPTO_AES_RISCV64 = option yes; CRYPTO_AES_RISCV64 = option yes;
CRYPTO_SHA256_RISCV64 = option yes; CRYPTO_SHA256_RISCV64 = option yes;
CRYPTO_SHA512_RISCV64 = option yes; CRYPTO_SHA512_RISCV64 = option yes;
} } // lib.optionalAttrs hostPlatform.isAarch64 {
// lib.optionalAttrs hostPlatform.isAarch64 {
CRYPTO_AES_ARM64_CE = option yes; CRYPTO_AES_ARM64_CE = option yes;
CRYPTO_AES_ARM64_CE_BLK = option yes; CRYPTO_AES_ARM64_CE_BLK = option yes;
CRYPTO_SHA1_ARM64_CE = option yes; CRYPTO_SHA1_ARM64_CE = option yes;


@ -1,6 +1,4 @@
{ lib, hostPlatform, ... }: { lib, hostPlatform, ... }: with lib.kernel; {
with lib.kernel;
{
SCHED_OMIT_FRAME_POINTER = yes; SCHED_OMIT_FRAME_POINTER = yes;
X86_FRED = yes; X86_FRED = yes;