Initial import

2024-07-31 11:00:49 +02:00 · 2024-07-31 11:00:49 +02:00 · 47278bc6f0
commit 47278bc6f0
7 changed files with 10597 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,7 @@
 # Hidden files
 .*
 !.git*
 # Nix
 /result
 /result-*
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,27 @@
 {
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1722415718,
        "narHash": "sha256-5US0/pgxbMksF92k1+eOa8arJTJiPvsdZj9Dl+vJkM4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "c3392ad349a5227f4a3464dce87bcc5046692fce",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,49 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
  };
  nixConfig = {
    extra-substituters = [ "https://cache.kyouma.net" ];
    extra-trusted-public-keys = [ "cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg=" ];
  };
  outputs = { self, nixpkgs, ... }:
  let
    inherit (nixpkgs) lib;
    inherit (lib) mapAttrs;
    profiles = import ./profiles.nix;
    legacyPackages = mapAttrs
      (system: profile: import nixpkgs { inherit system; }) profiles;
    linux-hardened = import ./linux-hardened.nix;
  in {
    packages = mapAttrs (system: profiles:
      mapAttrs (name: profile:
        linux-hardened legacyPackages.${system} profile) profiles)
      profiles;
    devShells = mapAttrs (system: profile:
    let
      pkgs = legacyPackages.${system};
      dummy = linux-hardened pkgs
        { arch = ""; config = "/dev/null"; firmware = [ ]; };
      mkShell = packages: pkgs.mkShell {
        inherit packages;
        shellHook = ''
          exec $SHELL
        '';
      };
    in {
      default = mkShell
        (with pkgs; dummy.nativeBuildInputs ++ [ ncurses pkg-config ]);
    }) profiles;
    hydraJobs = {
      kernel = self.packages;
      shell = self.devShells;
    };
  };
 }
--- a/linux-hardened.nix
+++ b/linux-hardened.nix
@ -0,0 +1,71 @@
 pkgs: { arch, config, firmware }:
 let
  inherit (pkgs) lib linuxKernel fetchFromGitHub gccStdenv runCommand;
  kernel = linuxKernel.manualConfig rec {
    inherit configfile;
    pname = "linux-hardened";
    version = "6.10.2-hardened1";
    src = fetchFromGitHub {
      owner = "anthraxx";
      repo = pname;
      rev = "v${version}";
      hash = "sha256-a9kxt09pQjUJUsdqaIMyA7Us6sxueaacetWKv59Xy3s=";
    };
    stdenv = gccStdenv;
    extraMakeFlags = [ "KCFLAGS=-march=${arch}" ];
    isHardened = true;
  };
  configfile =
  let
    firmwareCollection = runCommand "linux-firmware" {
      inherit firmware;
      firmwarePackages = with pkgs; [ linux-firmware sof-firmware wireless-regdb ];
    } ''
      for dir in ''${firmwarePackages[@]}; do
        pushd "$dir/lib/firmware"
        for fw in ''${firmware}; do
          if [ -e "$fw" ]; then
            local base="$(dirname "$fw")"
            mkdir -p "$out/lib/firmware/$base"
            ln -s "$dir/lib/firmware/$fw" "$out/lib/firmware/$base"
          fi
        done
        popd
      done
    '';
  in runCommand "linux-config" {
    env = {
      extra_firmware = lib.concatStringsSep " " firmware;
      extra_firmware_dir = "${firmwareCollection}/lib/firmware";
    };
  } ''
    substituteAll ${config} $out
  '';
 in kernel.overrideAttrs (base: {
  passthru = base.passthru or { } // {
    features = { efiBootStub = true; };
  };
  installFlags = base.installFlags or [ ] ++
    [ "INSTALL_MOD_PATH=$(out)" ];
  postInstall = ''
    if [ -z "''${dontStrip-}" ]; then
      installFlagsArray+=( "INSTALL_MOD_STRIP=1" )
    fi
    make modules_install $makeFlags "''${makeFlagsArray[@]}" \
      $installFlags "''${installFlagsArray[@]}"
    depmod -b $out ${base.version}
    touch $out/lib/modules/${base.version}/modules.order
  '';
 })
--- a/profiles.nix
+++ b/profiles.nix
@ -0,0 +1,30 @@
 {
  x86_64-linux = {
    qemu-virtio = {
      arch = "x86-64-v3";
      config = ./x86-64/qemu-virtio;
      firmware = [ ];
    };
    thinkpad-x1-extreme-gen5 = {
      arch = "alderlake";
      config = ./x86-64/thinkpad-x1-extreme-gen5;
      firmware = [
        "i915/adlp_dmc.bin" "i915/adlp_dmc_ver2_16.bin"
        "i915/adlp_guc_70.bin" "i915/tgl_huc.bin"
        "intel/ibt-0040-0041.sfi" "intel/ibt-0040-0041.ddc"
        "intel/sof/sof-adl.ri" "intel/sof-tplg/sof-hda-generic-2ch.tplg"
        "iwlwifi-so-a0-gf-a0-89.ucode" "iwlwifi-so-a0-gf-a0.pnvm"
        "nvidia/ga107/acr/ucode_unload.bin"
        "nvidia/ga107/acr/ucode_asb.bin" "nvidia/ga107/acr/ucode_ahesasc.bin"
        "nvidia/ga107/gr/fecs_bl.bin" "nvidia/ga107/gr/fecs_sig.bin"
        "nvidia/ga107/gr/gpccs_bl.bin" "nvidia/ga107/gr/gpccs_sig.bin"
        "nvidia/ga107/gr/NET_img.bin"
        "nvidia/ga107/sec2/desc.bin" "nvidia/ga107/sec2/image.bin"
        "nvidia/ga107/sec2/sig.bin" "nvidia/ga107/sec2/hs_bl_sig.bin"
        "nvidia/ga107/nvdec/scrubber.bin"
        "regulatory.db" "regulatory.db.p7s"
      ];
    };
  };
 }
--- a/x86-64/qemu-virtio
+++ b/x86-64/qemu-virtio
--- a/x86-64/thinkpad-x1-extreme-gen5
+++ b/x86-64/thinkpad-x1-extreme-gen5