Modularise kernel configuration
This commit is contained in:
parent
abf2307259
commit
d1e1a5af7b
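--- a/audio.nix
+++ b/audio.nix
@@ -0,0 +1,11 @@
+{ lib, ... }: with lib.kernel; {
+SOUND = yes;
+SND = yes;
+SND_PCM_TIMER = yes;
+SND_DYNAMIC_MINORS = yes;
+SND_SUPPORT_OLD_API = no;
+SND_PCI = yes;
+
+SND_USB = yes;
+SND_USB_AUDIO = yes;
+}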
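--- a/base.nix
+++ b/base.nix
@@ -0,0 +1,345 @@
+{ lib, hostPlatform, ... }@args: with lib.kernel;
+
+(import ./disable.nix args) //
+(import ./systemd.nix args) // {
+KERNEL_ZSTD = yes;
+
+SYSVIPC = yes;
+POSIX_MQUEUE = yes;
+AUDIT = no;
+
+NO_HZ_IDLE = yes;
+HIGH_RES_TIMERS = yes;
+
+BPF_SYSCALL = yes;
+BPF_JIT = yes;
+BPF_JIT_ALWAYS_ON = yes;
+
+SCHED_CORE = yes;
+CPU_ISOLATION = yes;
+
+UTS_NS = yes;
+TIME_NS = yes;
+USER_NS = yes;
+PID_NS = yes;
+
+SCHED_AUTOGROUP = yes;
+
+BLK_DEV_INITRD = yes;
+RD_GZIP = no;
+RD_BZIP2 = no;
+RD_LZMA = no;
+RD_XZ = no;
+RD_LZO = no;
+RD_LZ4 = no;
+RD_ZSTD = yes;
+BOOT_CONFIG = yes;
+
+EXPERT = yes;
+SGETMASK_SYSCALL = no;
+SYSFS_SYSCALL = no;
+PCSPKR_PLATFORM = no;
+
+KALLSYMS = yes;
+KALLSYMS_ALL = no;
+
+SMP = yes;
+SCHED_MC = yes;
+SCHED_CLUSTER = option yes;
+SCHED_SMT = option yes;
+NUMA = yes;
+
+EFI = yes;
+EFI_STUB = yes;
+
+HZ_1000 = yes;
+
+RELOCATABLE = yes;
+RANDOMIZE_BASE = yes;
+RANDOMIZE_MEMORY = yes;
+
+PM = yes;
+ENERGY_MODEL = yes;
+ACPI = yes;
+ACPI_APEI = yes;
+ACPI_NUMA = yes;
+
+CPU_FREQ = yes;
+CPU_FREQ_STAT = yes;
+CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = yes;
+CPU_FREQ_GOV_SCHEDUTIL = yes;
+
+CPU_IDLE = yes;
+CPU_IDLE_GOV_MENU = no;
+CPU_IDLE_GOV_TEO = yes;
+
+JUMP_LABEL = yes;
+SECCOMP = yes;
+
+STACKPROTECTOR = yes;
+STACKPROTECTOR_STRONG = yes;
+
+LTO_CLANG_FULL = option yes;
+
+VMAP_STACK = yes;
+RANDOMIZE_KSTACK_OFFSET_DEFAULT = yes;
+
+GCC_PLUGINS = yes;
+
+BLK_DEV_WRITE_MOUNTED = yes;
+BLK_WBT = yes;
+BLK_WBT_MQ = yes;
+
+PARTITION_ADVANCED = yes;
+MSDOS_PARTITION = no;
+EFI_PARTITION = yes;
+
+MQ_IOSCHED_DEADLINE = yes;
+MQ_IOSCHED_KYBER = yes;
+IOSCHED_BFQ = yes;
+
+BINFMT_ELF = yes;
+CORE_DUMP_DEFAULT_ELF_HEADERS = yes;
+BINFMT_SCRIPT = yes;
+BINFMT_MISC = yes;
+COREDUMP = yes;
+
+SWAP = yes;
+
+SLAB_FREELIST_RANDOM = yes;
+SLAB_FREELIST_HARDENED = yes;
+SLAB_CANARY = yes;
+SLUB_CPU_PARTIAL = yes;
+RANDOM_KMALLOC_CACHES = yes;
+
+SHUFFLE_PAGE_ALLOCATOR = yes;
+COMPAT_BRK = no;
+SPARSEMEM_VMEMMAP = yes;
+MEMORY_HOTPLUG = yes;
+MEMORY_HOTREMOVE = yes;
+
+COMPACTION = yes;
+MIGRATION = yes;
+KSM = yes;
+
+TRANSPARENT_HUGEPAGE = yes;
+TRANSPARENT_HUGEPAGE_ALWAYS = yes;
+READ_ONLY_THP_FOR_FS = yes;
+DEFERRED_STRUCT_PAGE_INIT = yes;
+
+ZONE_DEVICE = yes;
+DEVICE_PRIVATE = yes;
+
+LRU_GEN = option yes;
+LRU_GEN_ENABLED = option yes;
+
+NET = yes;
+PACKET = yes;
+PACKET_DIAG = yes;
+UNIX = yes;
+UNIX_DIAG = yes;
+XDP_SOCKETS = yes;
+XDP_SOCKETS_DIAG = yes;
+INET = yes;
+SYN_COOKIES = yes;
+INET_DIAG = yes;
+INET_UDP_DIAG = yes;
+INET_RAW_DIAG = yes;
+
+TCP_CONG_ADVANCED = yes;
+TCP_CONG_BIC = no;
+TCP_CONG_CUBIC = no;
+TCP_CONG_WESTWOOD = no;
+TCP_CONG_HTCP = no;
+TCP_CONG_BBR = yes;
+DEFAULT_BBR = yes;
+
+IPV6 = yes;
+
+NETFILTER = yes;
+NETFILTER_ADVANCED = yes;
+NETFILTER_INGRESS = yes;
+NETFILTER_EGRESS = yes;
+
+NF_CONNTRACK = yes;
+NF_TABLES = yes;
+NF_TABLES_INET = yes;
+NFT_CT = yes;
+NFT_CONNLIMIT = yes;
+NFT_LIMIT = yes;
+NFT_LOG = yes;
+NFT_REJECT = yes;
+NFT_FIB_INET = yes;
+NF_TABLES_IPV4 = yes;
+NFT_FIB_IPV4 = yes;
+NF_TABLES_IPV6 = yes;
+NFT_FIB_IPV6 = yes;
+
+NET_SCH_CAKE = yes;
+NET_SCH_FQ = yes;
+NET_SCH_DEFAULT = yes;
+DEFAULT_FQ = yes;
+DEFAULT_NET_SCH = freeform "fq";
+
+NETLINK_DIAG = yes;
+ETHTOOL_NETLINK = yes;
+
+PCI = yes;
+PCI_MSI = yes;
+PCIE_BUS_PERFORMANCE = option yes;
+
+DEVTMPFS = yes;
+DEVTMPFS_MOUNT = yes;
+DEVTMPFS_SAFE = yes;
+
+STANDALONE = yes;
+PREVENT_FIRMWARE_BUILD = yes;
+
+FW_LOADER_COMPRESS = yes;
+FW_LOADER_COMPRESS_XZ = no;
+FW_LOADER_COMPRESS_ZSTD = yes;
+ALLOW_DEV_COREDUMP = yes;
+
+SYSFB_SIMPLEFB = yes;
+
+EFI_VARS_PSTORE = yes;
+RESET_ATTACK_MITIGATION = yes;
+EFI_DISABLE_PCI_DMA = yes;
+
+BLK_DEV = yes;
+ZRAM = yes;
+ZRAM_DEF_COMP_ZSTD = yes;
+ZRAM_WRITEBACK = yes;
+BLK_DEV_LOOP = yes;
+
+NETDEVICES = yes;
+NET_CORE = yes;
+
+INPUT = yes;
+INPUT_SPARSEKMAP = yes;
+INPUT_EVDEV = yes;
+INPUT_KEYBOARD = yes;
+
+TTY = yes;
+VT = yes;
+CONSOLE_TRANSLATIONS = yes;
+VT_CONSOLE = yes;
+UNIX98_PTYS = yes;
+
+TCG_TPM = yes;
+TCG_TPM2_HMAC = yes;
+TCG_TIS = yes;
+
+WATCHDOG = yes;
+WATCHDOG_HANDLE_BOOT_ENABLED = yes;
+
+FB = yes;
+FB_EFI = yes;
+FB_SIMPLE = yes;
+FB_DEVICE = no;
+VGA_CONSOLE = no;
+FRAMEBUFFER_CONSOLE = yes;
+FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = yes;
+
+HID_SUPPORT = yes;
+HID = yes;
+HIDRAW = yes;
+UHID = yes;
+HID_GENERIC = yes;
+USB_HID = yes;
+USB_HIDDEV = yes;
+
+USB_SUPPORT = yes;
+USB = yes;
+USB_PCI = yes;
+USB_PCI_AMD = no;
+USB_ANNOUNCE_NEW_DEVICES = yes;
+USB_DEFAULT_PERSIST = yes;
+USB_DYNAMIC_MINORS = yes;
+USB_XHCI_HCD = yes;
+USB_XHCI_PCI = yes;
+
+RTC_CLASS = yes;
+
+DMADEVICES = yes;
+ASYNC_TX_DMA = option yes;
+
+STAGING = yes;
+
+IOMMU_SUPPORT = yes;
+IOMMU_DEFAULT_DMA_STRICT = yes;
+IRQ_REMAP = yes;
+
+MSDOS_FS = yes;
+VFAT_FS = yes;
+FAT_DEFAULT_UTF8 = yes;
+
+PROC_FS = yes;
+PROC_KCORE = no;
+PROC_SYSCTL = yes;
+PROC_PAGE_MONITOR = yes;
+SYSFS = yes;
+TMPFS = yes;
+TMPFS_POSIX_ACL = yes;
+HUGETLBFS = yes;
+HUGETLB_PAGE_OPTIMIZE_VMEMMAP = yes;
+HUGETLB_PAGE_OPTIMIZE_VMEMMAP_DEFAULT_ON = yes;
+EFIVAR_FS = yes;
+
+UNICODE = yes;
+
+SECURITY_DMESG_RESTRICT = yes;
+SECURITY_PERF_EVENTS_RESTRICT = yes;
+SECURITY_TIOCSTI_RESTRICT = yes;
+SECURITY = yes;
+SECURITY_NETWORK = yes;
+SECURITY_YAMA = yes;
+SECURITY_LOCKDOWN_LSM = yes;
+SECURITY_LOCKDOWN_LSM_EARLY = yes;
+LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY = yes;
+SECURITY_LANDLOCK = yes;
+
+HARDENED_USERCOPY = yes;
+FORTIFY_SOURCE = yes;
+
+INIT_STACK_ALL_ZERO = yes;
+GCC_PLUGIN_STACKLEAK = option yes;
+INIT_ON_FREE_DEFAULT_ON = yes;
+ZERO_CALL_USED_REGS = yes;
+
+BUG_ON_DATA_CORRUPTION = yes;
+
+RANDSTRUCT_PERFORMANCE = option yes;
+
+CRYPTO_ZSTD = yes;
+
+SWIOTLB_DYNAMIC = yes;
+
+FONTS = yes;
+FONT_TER16x32 = yes;
+
+DEBUG_BUGVERBOSE = yes;
+DEBUG_INFO_DWARF5 = yes;
+DEBUG_INFO_SPLIT = yes;
+STRIP_ASM_SYMS = yes;
+
+UBSAN = yes;
+UBSAN_BOUNDS = yes;
+UBSAN_SIGNED_WRAP = no;
+UBSAN_BOOL = no;
+UBSAN_ENUM = no;
+
+WARN_ALL_UNSEEDED_RANDOM = yes;
+DEBUG_WX = yes;
+
+KFENCE = yes;
+KFENCE_DEFERRABLE = yes;
+KFENCE_BUG_ON_DATA_CORRUPTION = yes;
+
+PANIC_ON_OOPS = yes;
+PANIC_TIMEOUT = freeform "-1";
+
+EARLY_PRINTK = option no;
+} // lib.optionalAttrs hostPlatform.is64bit {
+"64BIT" = option yes;
+} // lib.optionalAttrs hostPlatform.isx86 (import ./x86.nix args)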
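Review bot: `EFI_VARS_PSTORE = yes;` is the only crash-capture backend configured here, but nothing in this file enables `PSTORE`, which it depends on; with `defconfig = "allnoconfig"` in the builder that dependency presumably stays off, so confirm the generated .config actually contains `CONFIG_PSTORE=y` and `CONFIG_EFI_VARS_PSTORE=y`. This matters because `PANIC_ON_OOPS = yes;` together with `PANIC_TIMEOUT = freeform "-1";` reboots immediately on any oops, leaving pstore as the only record of the event for later incident analysis. Separately, `BPF_SYSCALL`, `BPF_JIT_ALWAYS_ON` and `USER_NS` are all enabled without pinning the unprivileged-BPF posture; adding `BPF_UNPRIV_DEFAULT_OFF = yes;` next to `BPF_JIT_ALWAYS_ON = yes;` makes that explicit instead of inherited from whatever the base defconfig resolves.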
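--- a/disable.nix
+++ b/disable.nix
@@ -0,0 +1,48 @@
+{ lib, ... }: with lib.kernel; {
+X86_MPPARSE = option no;
+AMD_NUMA = option no;
+
+ACPI_BATTERY = option no;
+ACPI_FAN = option no;
+
+KVM_HYPERV = option no;
+
+ATA_SFF = option no;
+
+USB_NET_AX8817X = option no;
+USB_NET_CDC_NCM = option no;
+USB_NET_NET1080 = option no;
+USB_BELKIN = option no;
+USB_ARMLINUX = option no;
+USB_NET_ZAURUS = option no;
+
+MOUSE_PS2_ALPS = option no;
+MOUSE_PS2_BYD = option no;
+MOUSE_PS2_LOGIPS2PP = option no;
+MOUSE_PS2_SYNAPTICS = option no;
+MOUSE_PS2_CYPRESS = option no;
+MOUSE_PS2_LIFEBOOK = option no;
+MOUSE_PS2_TRACKPOINT = option no;
+MOUSE_PS2_FOCALTECH = option no;
+
+I2C_COMPAT = option no;
+
+SND_SOC_INTEL_ATOM_HIFI2_PLATFORM_ACPI = option no;
+
+SND_SOC_SOF_MERRIFIELD = option no;
+SND_SOC_SOF_SKYLAKE = option no;
+SND_SOC_SOF_KABYLAKE = option no;
+SND_SOC_SOF_APOLLOLAKE = option no;
+SND_SOC_SOF_GEMINILAKE = option no;
+SND_SOC_SOF_CANNONLAKE = option no;
+SND_SOC_SOF_COFFEELAKE = option no;
+SND_SOC_SOF_COMETLAKE = option no;
+SND_SOC_SOF_ICELAKE = option no;
+SND_SOC_SOF_JASPERLAKE = option no;
+SND_SOC_SOF_ELKHARTLAKE = option no;
+SND_SOC_SOF_ALDERLAKE = option no;
+SND_SOC_SOF_METEORLAKE = option no;
+SND_SOC_SOF_LUNARLAKE = option no;
+
+SECURITY_SELINUX = option no;
+}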
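--- a/dm-crypt.nix
+++ b/dm-crypt.nix
@@ -0,0 +1,27 @@
+{ lib, hostPlatform, ... }: with lib.kernel; {
+MD = yes;
+MD_BITMAP_FILE = no;
+BLK_DEV_DM = yes;
+DM_CRYPT = yes;
+DM_UEVENT = yes;
+DM_INTEGRITY = yes;
+
+CRYPTO_AES = yes;
+CRYPTO_XTS = yes;
+CRYPTO_AEGIS128 = yes;
+CRYPTO_SHA256 = yes;
+
+CRYPTO_USER_API_HASH = yes;
+CRYPTO_USER_API_SKCIPHER = yes;
+} // lib.optionalAttrs hostPlatform.isx86_64 {
+CRYPTO_AES_NI_INTEL = yes;
+CRYPTO_AEGIS128_AESNI_SSE2 = yes;
+CRYPTO_SHA256_SSSE3 = yes;
+} // lib.optionalAttrs hostPlatform.isRiscV64 {
+CRYPTO_AES_RISCV64 = yes;
+CRYPTO_SHA256_RISCV64 = yes;
+} // lib.optionalAttrs hostPlatform.isAarch64 {
+CRYPTO_AES_ARM64_CE = yes;
+CRYPTO_AES_ARM64_CE_BLK = yes;
+CRYPTO_AEGIS128_SIMD = yes;
+}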
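Review bot: The integrity side of this module looks incomplete: `DM_INTEGRITY = yes;` is enabled, but the only hash built here is `CRYPTO_SHA256 = yes;` with no `CRYPTO_HMAC`, so a LUKS2 volume that uses the usual hmac(sha256) integrity tag would presumably fail to activate on a machine that imports dm-crypt.nix without also importing wireless.nix, which is where `CRYPTO_HMAC = yes;` currently lives. If HMAC-based integrity is the intended mode, add `CRYPTO_HMAC = yes;` next to `CRYPTO_SHA256 = yes;` here rather than relying on the wireless module being present. A one-line comment naming the cipher and integrity specs this set is meant to support (for example `# aes-xts-plain64 and aegis128 with dm-integrity`) would make such gaps visible at review time.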
|
@ -28,7 +28,7 @@
|
|||
let
|
||||
pkgs = legacyPackages.${system};
|
||||
dummy = linux-hardened pkgs
|
||||
{ arch = ""; config = "/dev/null"; firmware = [ ]; };
|
||||
{ arch = ""; config = ./dummy.nix; firmware = [ ]; };
|
||||
|
||||
mkShell = packages: pkgs.mkShell {
|
||||
inherit packages;
|
||||
|
|
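Review bot: Taking `config = ./dummy.nix;` as the new side of this hunk, the builder now evaluates `import config args`, so the dev-shell dummy kernel needs a Nix module at ./dummy.nix; no such file appears in the visible file list of this commit, so unless it already exists in the tree the `dummy` derivation will fail at evaluation time rather than at build time. A minimal module such as `{ ... }: { }`, or pointing at an existing one like ./x86-64/qemu-virtio.nix, would keep the dev shell evaluating. The enclosing `let` block starts before this hunk.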
|
@ -1,34 +1,15 @@
|
|||
pkgs: { arch, config, firmware }:
|
||||
let
|
||||
inherit (pkgs) lib linuxKernel fetchFromGitHub gccStdenv runCommand;
|
||||
inherit (pkgs) lib buildLinux fetchFromGitHub gccStdenv runCommand;
|
||||
|
||||
kernel = linuxKernel.manualConfig rec {
|
||||
inherit configfile;
|
||||
|
||||
pname = "linux-hardened";
|
||||
version = "6.10.2-hardened1";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "anthraxx";
|
||||
repo = pname;
|
||||
rev = "v${version}";
|
||||
hash = "sha256-a9kxt09pQjUJUsdqaIMyA7Us6sxueaacetWKv59Xy3s=";
|
||||
};
|
||||
|
||||
stdenv = gccStdenv;
|
||||
|
||||
extraMakeFlags = [ "KCFLAGS=-march=${arch}" ];
|
||||
isHardened = true;
|
||||
};
|
||||
|
||||
configfile =
|
||||
kernel =
|
||||
let
|
||||
args = { inherit (pkgs) lib hostPlatform; };
|
||||
|
||||
firmwareCollection = runCommand "linux-firmware" {
|
||||
inherit firmware;
|
||||
firmwarePackages = with pkgs; [ linux-firmware sof-firmware wireless-regdb ];
|
||||
} ''
|
||||
mkdir -p "$out/lib/firmware"
|
||||
|
||||
for dir in ''${firmwarePackages[@]}; do
|
||||
pushd "$dir/lib/firmware"
|
||||
|
||||
|
@ -43,19 +24,31 @@ let
|
|||
popd
|
||||
done
|
||||
'';
|
||||
in runCommand "linux-config" {
|
||||
env = {
|
||||
extra_firmware = lib.concatStringsSep " " firmware;
|
||||
extra_firmware_dir = "${firmwareCollection}/lib/firmware";
|
||||
};
|
||||
} ''
|
||||
substituteAll ${config} $out
|
||||
'';
|
||||
in kernel.overrideAttrs (base: {
|
||||
passthru = base.passthru or { } // {
|
||||
features = { efiBootStub = true; };
|
||||
in buildLinux rec {
|
||||
pname = "linux-hardened";
|
||||
version = "6.10.2-hardened1";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "anthraxx";
|
||||
repo = pname;
|
||||
rev = "v${version}";
|
||||
hash = "sha256-a9kxt09pQjUJUsdqaIMyA7Us6sxueaacetWKv59Xy3s=";
|
||||
};
|
||||
|
||||
defconfig = "allnoconfig";
|
||||
extraMakeFlags = [ "KCFLAGS=-march=${arch}" ];
|
||||
enableCommonConfig = false;
|
||||
|
||||
structuredExtraConfig = (import ./base.nix args) // (import config args) // {
|
||||
EXTRA_FIRMWARE = lib.kernel.freeform (toString firmware);
|
||||
EXTRA_FIRMWARE_DIR = lib.kernel.freeform "${firmwareCollection}/lib/firmware";
|
||||
};
|
||||
|
||||
features = { efiBootStub = true; };
|
||||
isHardened = true;
|
||||
stdenv = gccStdenv;
|
||||
};
|
||||
in kernel.overrideAttrs (base: {
|
||||
installFlags = base.installFlags or [ ] ++
|
||||
[ "INSTALL_MOD_PATH=$(out)" ];
|
||||
|
||||
|
|
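Review bot: `structuredExtraConfig = (import ./base.nix args) // (import config args) // { ... }` is a right-biased merge, so any per-machine module silently overrides hardening settings made in base.nix (and base.nix itself merges ./disable.nix first, so machine files override those too), and nothing flags such an override; a short comment stating the precedence, e.g. `# machine config wins over base.nix; keep overrides of hardening options deliberate`, would make that contract explicit to the next author of a machine file. With `defconfig = "allnoconfig";` and `enableCommonConfig = false;`, every option not listed in these modules presumably lands at its allnoconfig value, which is worth a comment as well since it is the opposite of what a nixpkgs kernel build normally does. The `kernel = let` binding this hunk continues starts in the previous hunk, and the file's header is not visible on this page.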
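--- a/physical.nix
+++ b/physical.nix
@@ -0,0 +1,35 @@
+{ lib, ... }: with lib.kernel; {
+MICROCODE = yes;
+
+ENERGY_MODEL = yes;
+ACPI_BUTTON = yes;
+ACPI_VIDEO = yes;
+ACPI_FAN = yes;
+ACPI_TAD = yes;
+ACPI_PROCESSOR_AGGREGATOR = yes;
+ACPI_THERMAL = yes;
+ACPI_PCI_SLOT = yes;
+
+SCSI = yes;
+BLK_DEV_SD = yes;
+CHR_DEV_SG = yes;
+SCSI_CONSTANTS = yes;
+SCSI_SCAN_ASYNC = yes;
+
+USB_STORAGE = yes;
+USB_UAS = yes;
+
+LEDS_CLASS = yes;
+LEDS_TRIGGERS = yes;
+LEDS_TRIGGER_PANIC = yes;
+LEDS_TRIGGER_NETDEV = yes;
+
+THERMAL = yes;
+THERMAL_NETLINK = yes;
+THERMAL_DEFAULT_GOV_FAIR_SHARE = yes;
+THERMAL_GOV_FAIR_SHARE = yes;
+
+WDAT_WDT = yes;
+
+POWERCAP = yes;
+}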
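--- a/portable.nix
+++ b/portable.nix
@@ -0,0 +1,44 @@
+{ lib, ... }: with lib.kernel; {
+PREEMPT_VOLUNTARY = yes;
+
+SUSPEND = yes;
+PM_AUTOSLEEP = yes;
+WQ_POWER_EFFICIENT_DEFAULT = yes;
+ACPI_BATTERY = yes;
+
+PCIEASPM_POWER_SUPERSAVE = option yes;
+PCIEPORTBUS = yes;
+HOTPLUG_PCI_PCIE = yes;
+HOTPLUG_PCI = yes;
+
+MEDIA_SUPPORT = yes;
+MEDIA_SUPPORT_FILTER = yes;
+MEDIA_SUBDRV_AUTOSELECT = yes;
+MEDIA_CAMERA_SUPPORT = yes;
+MEDIA_USB_SUPPORT = yes;
+USB_VIDEO_CLASS = yes;
+USB_VIDEO_CLASS_INPUT_EVDEV = yes;
+
+HID_BATTERY_STRENGTH = yes;
+
+USB_NET_DRIVERS = yes;
+USB_RTL8152 = yes;
+USB_USBNET = yes;
+USB_NET_AX88179_178A = yes;
+USB_NET_CDCETHER = yes;
+USB_NET_CDC_SUBSET = yes;
+
+BACKLIGHT_CLASS_DEVICE = yes;
+
+TYPEC = yes;
+TYPEC_UCSI = yes;
+UCSI_ACPI = yes;
+TYPEC_DP_ALTMODE = yes;
+
+MMC = yes;
+MMC_BLOCK = yes;
+
+USB4 = yes;
+
+KFENCE_SAMPLE_INTERVAL = freeform "500";
+}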
|
@ -2,13 +2,13 @@
|
|||
x86_64-linux = {
|
||||
qemu-virtio = {
|
||||
arch = "x86-64-v3";
|
||||
config = ./x86-64/qemu-virtio;
|
||||
config = ./x86-64/qemu-virtio.nix;
|
||||
firmware = [ ];
|
||||
};
|
||||
|
||||
thinkpad-x1-extreme-gen5 = {
|
||||
arch = "alderlake";
|
||||
config = ./x86-64/thinkpad-x1-extreme-gen5;
|
||||
config = ./x86-64/thinkpad-x1-extreme-gen5.nix;
|
||||
firmware = [
|
||||
"i915/adlp_dmc.bin" "i915/adlp_dmc_ver2_16.bin"
|
||||
"i915/adlp_guc_70.bin" "i915/tgl_huc.bin"
|
||||
|
@ -29,7 +29,7 @@
|
|||
|
||||
zen3-stub = {
|
||||
arch = "znver3";
|
||||
config = ./x86-64/zen3-stub;
|
||||
config = ./x86-64/zen3-stub.nix;
|
||||
firmware = [ ];
|
||||
};
|
||||
};
|
||||
|
|
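--- a/router.nix
+++ b/router.nix
@@ -0,0 +1,11 @@
+{ lib, ... }:
+
+with lib.kernel; {
+IP_ADVANCED_ROUTER = yes;
+IP_MULTIPLE_TABLES = yes;
+IP_ROUTE_MULTIPATH = yes;
+IP_ROUTE_VERBOSE = yes;
+
+IPV6_MULTIPLE_TABLES = yes;
+IPV6_SUBTREES = yes;
+}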
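Review bot: The module header is split as `{ lib, ... }:` / blank line / `with lib.kernel; {`, whereas every other module in this commit writes it on one line as `{ lib, ... }: with lib.kernel; {`; x86-64/qemu-virtio.nix uses the same two-line form. Folding both onto the single-line form keeps the modules uniform and makes grep-based audits of which modules pull in `lib.kernel` reliable.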
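--- a/systemd.nix
+++ b/systemd.nix
@@ -0,0 +1,66 @@
+{ lib, ... }: with lib.kernel; {
+# Base requirements
+DEVTMPFS = yes;
+CGROUPS = yes;
+INOTIFY_USER = yes;
+SIGNALFD = yes;
+TIMERFD = yes;
+EPOLL = yes;
+UNIX = yes;
+PROC_FS = yes;
+FHANDLE = yes;
+
+# Legacy interfaces
+UEVENT_HELPER = no;
+FW_LOADER_USER_HELPER = no;
+
+# udev & virtualisation
+DMIID = yes;
+
+# SCSI device serial number retrieval
+BLK_DEV_BSG = option yes;
+
+# PrivateNetwork
+NET_NS = yes;
+
+# PrivateUser
+USER_NS = yes;
+
+# Optional but recommended
+IPV6 = yes;
+AUTOFS_FS = yes;
+TMPFS_XATTR = yes;
+TMPFS_POSIX_ACL = yes;
+SECCOMP = yes;
+SECCOMP_FILTER = yes;
+KCMP = yes;
+NET_SCHED = yes;
+
+# CPUShares
+CGROUP_SCHED = yes;
+FAIR_GROUP_SCHED = yes;
+
+# CPUQuota
+CFS_BANDWIDTH = yes;
+
+# IPaddress{Allow,Deny}, SocketBind{Allow,Deny}, RestrictNetworkInterfaces
+BPF = yes;
+BPF_SYSCALL = yes;
+BPF_JIT = yes;
+CGROUP_BPF = yes;
+
+# EFI
+EFIVAR_FS = option yes;
+EFI_PARTITION = option yes;
+
+# SMBIOS credentials
+DMI = yes;
+DMI_SYSFS = yes;
+
+# Real‐time scheduling
+RT_GROUP_SCHED = no;
+
+# systemd-oomd
+PSI = yes;
+MEMCG = yes;
+}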
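--- a/wireless.nix
+++ b/wireless.nix
@@ -0,0 +1,62 @@
+{ lib, hostPlatform, ... }: with lib.kernel; {
+WIRELESS = yes;
+CFG80211 = yes;
+CFG80211_DEFAULT_PS = yes;
+CFG80211_CRDA_SUPPORT = yes;
+MAC80211 = yes;
+MAC80211_RC_MINSTREL = yes;
+MAC80211_RC_DEFAULT_MINSTREL = yes;
+MAC80211_LEDS = yes;
+
+BT = yes;
+BT_BREDR = yes;
+BT_RFCOMM = yes;
+BT_HIDP = yes;
+BT_LE = yes;
+BT_LEDS = yes;
+
+BT_HCIBTUSB_AUTOSUSPEND = option yes;
+BT_HCIBTUSB_BCM = option no;
+BT_HCIBTUSB_RTL = option no;
+
+RFKILL = yes;
+RFKILL_INPUT = yes;
+
+# iwd
+KEYS = yes;
+CRYPTO_USER_API_SKCIPHER = yes;
+CRYPTO_USER_API_HASH = yes;
+CRYPTO_HMAC = yes;
+CRYPTO_CMAC = yes;
+CRYPTO_MD4 = yes;
+CRYPTO_MD5 = yes;
+CRYPTO_SHA1 = yes;
+CRYPTO_SHA256 = yes;
+CRYPTO_SHA512 = yes;
+CRYPTO_AES = yes;
+CRYPTO_ECB = yes;
+CRYPTO_DES = yes;
+CRYPTO_CBC = yes;
+
+ASYMMETRIC_KEY_TYPE = option yes;
+ASYMMETRIC_PUBLIC_KEY_SUBTYPE = option yes;
+X509_CERTIFICATE_PARSER = option yes;
+PKCS7_MESSAGE_PARSER = option yes;
+PKCS8_PRIVATE_KEY_PARSER = option yes;
+} // lib.optionalAttrs hostPlatform.isx86_64 {
+CRYPTO_AES_NI_INTEL = option yes;
+CRYPTO_DES3_EDE_X86_64 = option yes;
+CRYPTO_SHA1_SSSE3 = option yes;
+CRYPTO_SHA256_SSSE3 = option yes;
+CRYPTO_SHA512_SSSE3 = option yes;
+} // lib.optionalAttrs hostPlatform.isRiscV64 {
+CRYPTO_AES_RISCV64 = option yes;
+CRYPTO_SHA256_RISCV64 = option yes;
+CRYPTO_SHA512_RISCV64 = option yes;
+} // lib.optionalAttrs hostPlatform.isAarch64 {
+CRYPTO_AES_ARM64_CE = option yes;
+CRYPTO_AES_ARM64_CE_BLK = option yes;
+CRYPTO_SHA1_ARM64_CE = option yes;
+CRYPTO_SHA2_ARM64_CE = option yes;
+CRYPTO_SHA512_ARM64_CE = option yes;
+}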
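Review bot: `CFG80211_CRDA_SUPPORT = yes;` keeps the legacy userspace CRDA path, while the builder's firmware collection ships `wireless-regdb`, which the kernel loads as regulatory.db through the firmware loader; nothing here sets `CFG80211_REQUIRE_SIGNED_REGDB` or `CFG80211_USE_KERNEL_REGDB_KEYS`, and how they come out on top of the allnoconfig base is not visible from this file, so the regulatory database may end up loaded without signature verification — confirm in the generated .config. If the built-in regdb is the intended path, set `CFG80211_REQUIRE_SIGNED_REGDB = yes;` and `CFG80211_USE_KERNEL_REGDB_KEYS = yes;` next to `CFG80211 = yes;` and drop the CRDA line. The `# iwd` comment would also carry more weight if it said which iwd features the legacy `CRYPTO_MD4`, `CRYPTO_DES` and `CRYPTO_ECB` entries exist for (presumably the older EAP inner methods), so they can be removed on hosts that never use them.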
4028
x86-64/qemu-virtio
4028
x86-64/qemu-virtio
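--- a/x86-64/qemu-virtio.nix
+++ b/x86-64/qemu-virtio.nix
@@ -0,0 +1,49 @@
+{ lib, ... }:
+
+with lib.kernel; {
+NR_CPUS = freeform "8";
+
+HYPERVISOR_GUEST = yes;
+PARAVIRT = yes;
+PARAVIRT_SPINLOCKS = yes;
+KVM_GUEST = yes;
+ARCH_CPUIDLE_HALTPOLL = yes;
+PARAVIRT_CLOCK = yes;
+
+HALTPOLL_CPUIDLE = yes;
+
+FW_CFG_SYSFS = yes;
+
+BLK_MQ_VIRTIO = yes;
+VIRTIO_BLK = yes;
+VIRTIO_NET = yes;
+VIRTIO_CONSOLE = yes;
+
+HW_RANDOM = yes;
+HW_RANDOM_VIRTIO = yes;
+
+I6300ESB_WDT = yes;
+
+DRM = yes;
+DRM_FBDEV_EMULATION = yes;
+DRM_BOCHS = yes;
+DRM_SIMPLEDRM = yes;
+
+VIRT_DRIVERS = yes;
+VMGENID = yes;
+VIRTIO = yes;
+VIRTIO_PCI = yes;
+VIRTIO_BALLOON = yes;
+
+VIRTIO_IOMMU = yes;
+
+EXT4_FS = yes;
+EXT4_USE_FOR_EXT2 = yes;
+EXT4_FS_POSIX_ACL = yes;
+BTRFS_FS = yes;
+BTRFS_FS_POSIX_ACL = yes;
+VIRTIO_FS = yes;
+
+CRYPTO_HW = yes;
+CRYPTO_DEV_VIRTIO = yes;
+}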
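--- a/x86-64/thinkpad-x1-extreme-gen5.nix
+++ b/x86-64/thinkpad-x1-extreme-gen5.nix
@@ -0,0 +1,141 @@
+{ lib, ... }@args: with lib.kernel;
+
+(import ../physical.nix args) //
+(import ../portable.nix args) //
+(import ../dm-crypt.nix args) //
+(import ../audio.nix args) //
+(import ../wireless.nix args) // {
+X86_INTEL_LPSS = yes;
+
+CPU_SUP_INTEL = yes;
+CPU_SUP_AMD = no;
+NR_CPUS = freeform "20";
+X86_MCE_INTEL = yes;
+
+INTEL_IDLE = yes;
+
+VIRTUALIZATION = yes;
+KVM = yes;
+KVM_INTEL = yes;
+KVM_SMM = yes;
+
+IP_MULTICAST = yes;
+
+IPV6_ROUTER_PREF = yes;
+IPV6_ROUTE_INFO = yes;
+IPV6_OPTIMISTIC_DAD = yes;
+
+BT_INTEL = yes;
+BT_HCIBTUSB = yes;
+
+EISA = yes;
+EISA_PCI_EISA = yes;
+EISA_VIRTUAL_ROOT = no;
+EISA_NAMES = yes;
+
+NVME_CORE = yes;
+BLK_DEV_NVME = yes;
+NVME_VERBOSE_ERRORS = yes;
+NVME_HWMON = yes;
+
+MISC_RTSX = yes;
+INTEL_MEI = yes;
+MISC_RTSX_PCI = yes;
+
+ETHERNET = yes;
+AQTION = yes;
+
+WLAN = yes;
+IWLWIFI = yes;
+IWLMVM = yes;
+
+INPUT_MOUSEDEV = yes;
+INPUT_JOYDEV = yes;
+
+KEYBOARD_ATKBD = yes;
+
+INPUT_MOUSE = yes;
+MOUSE_PS2 = yes;
+MOUSE_PS2_TRACKPOINT = yes;
+
+INPUT_JOYSTICK = yes;
+
+INTEL_PCH_THERMAL = yes;
+
+MFD_CORE = yes;
+MFD_INTEL_LPSS_PCI = yes;
+
+I2C = yes;
+I2C_I801 = yes;
+
+SPI = yes;
+SPI_MEM = yes;
+SPI_INTEL_PCI = yes;
+
+INT340X_THERMAL = yes;
+
+VIDEO = yes;
+VGA_SWITCHEROO = yes;
+DRM = yes;
+DRM_FBDEV_EMULATION = yes;
+DRM_NOUVEAU = yes;
+DRM_NOUVEAU_SVM = yes;
+DRM_NOUVEAU_GSP_DEFAULT = yes;
+DRM_I915 = yes;
+
+BACKLIGHT_CLASS_DEVICE = yes;
+
+HDMI = yes;
+
+SND_HDA_INTEL = yes;
+SND_HDA_HWDEP = yes;
+SND_HDA_CODEC_REALTEK = yes;
+SND_HDA_CODEC_HDMI = yes;
+SND_HDA_POWER_SAVE_DEFAULT = freeform "2";
+
+SND_SOC = yes;
+SND_SOC_SOF_TOPLEVEL = yes;
+SND_SOC_SOF_PCI = yes;
+SND_SOC_SOF_INTEL_TOPLEVEL = yes;
+SND_SOC_SOF_TIGERLAKE = yes;
+SND_SOC_SOF_HDA_LINK = yes;
+SND_SOC_SOF_HDA_AUDIO_CODEC = yes;
+SND_SOC_DMIC = yes;
+
+HID_LENOVO = yes;
+HID_LOGITECH = yes;
+
+USB_ACM = yes;
+
+USB_SERIAL = yes;
+USB_SERIAL_PL2303 = yes;
+
+ACPI_WMI = yes;
+MXM_WMI = yes;
+THINKPAD_ACPI = yes;
+THINKPAD_ACPI_ALSA_SUPPORT = yes;
+THINKPAD_ACPI_VIDEO = yes;
+
+INTEL_TURBO_MAX_3 = yes;
+
+INTEL_IOMMU = yes;
+INTEL_IOMMU_DEFAULT_ON = yes;
+
+SOUNDWIRE = yes;
+SOUNDWIRE_INTEL = yes;
+
+INTEL_IDMA64 = yes;
+
+INTEL_RAPL = yes;
+
+EXT4_FS = yes;
+EXT4_USE_FOR_EXT2 = yes;
+EXT4_FS_POSIX_ACL = yes;
+BTRFS_FS = yes;
+BTRFS_FS_POSIX_ACL = yes;
+FUSE_FS = yes;
+ISO9660_FS = yes;
+JOLIET = yes;
+UDF_FS = yes;
+EXFAT_FS = yes;
+}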
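Review bot: `EISA = yes;` together with `EISA_PCI_EISA`, `EISA_VIRTUAL_ROOT` and `EISA_NAMES` builds support for an expansion bus that a laptop of this generation almost certainly does not carry; it reads as carried over from a generated config rather than chosen, and dropping the four lines removes bus-probing code from a kernel that is otherwise built minimal from allnoconfig — confirm nothing on this machine depends on it. `MOUSE_PS2_TRACKPOINT = yes;` deliberately reverses the `option no` in ../disable.nix and only works because the machine file is merged after base.nix; a comment such as `# overrides disable.nix: this model has a TrackPoint` would make that intent explicit. `X86_MCE_INTEL = yes;` duplicates the same setting already made for every x86 host in x86.nix, so one of the two can go.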
4277
x86-64/zen3-stub
4277
x86-64/zen3-stub
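--- a/x86-64/zen3-stub.nix
+++ b/x86-64/zen3-stub.nix
@@ -0,0 +1,47 @@
+{ lib, ... }@args: with lib.kernel;
+
+(import ../physical.nix args) //
+(import ../router.nix args) // {
+CPU_SUP_INTEL = no;
+NR_CPUS = freeform "256";
+PERF_EVENTS_AMD_BRS = yes;
+X86_MCE_AMD = yes;
+AMD_MEM_ENCRYPT = yes;
+
+MEMORY_FAILURE = yes;
+
+VIRTUALIZATION = yes;
+KVM = yes;
+KVM_AMD = yes;
+KVM_SMM = yes;
+
+NVME_CORE = yes;
+BLK_DEV_NVME = yes;
+NVME_VERBOSE_ERRORS = yes;
+NVME_HWMON = yes;
+
+ATA = yes;
+ATA_VERBOSE_ERROR = yes;
+ATA_ACPI = yes;
+SATA_AHCI = yes;
+ATA_SFF = no;
+
+IXGBE = yes;
+
+IPMI_HANDLER = yes;
+IMPI_PANIC_EVENT = yes;
+IMPI_PANIC_STRING = yes;
+IPMI_WATCHDOG = yes;
+
+BCACHEFS_FS = yes;
+BCACHEFS_POSIX_ACL = yes;
+FUSE_FS = yes;
+
+CRYPTO_CHACHA20_X86_64 = yes;
+CONFIG_POLY1305_X86_64 = yes;
+
+CRYPTO_DEV_CCP = yes;
+CRYPTO_DEV_CCP_DD = yes;
+CRYPTO_DEV_SP_CCP = yes;
+CRYPTO_DEV_CCP_CRYPTO = yes;
+}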
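Review bot: Two option names in this file look mistyped, and because they are written with `yes` rather than `option yes` they would presumably make the NixOS config generator reject the build as unused options: `IMPI_PANIC_EVENT` and `IMPI_PANIC_STRING` should read `IPMI_PANIC_EVENT = yes;` and `IPMI_PANIC_STRING = yes;` (matching `IPMI_HANDLER` and `IPMI_WATCHDOG` around them), and `CONFIG_POLY1305_X86_64 = yes;` carries a `CONFIG_` prefix the structured-config layer adds itself, so it should be `CRYPTO_POLY1305_X86_64 = yes;` like the `CRYPTO_CHACHA20_X86_64` line above it. Separately, this AMD machine enables `AMD_MEM_ENCRYPT` and `KVM_AMD` but never `AMD_IOMMU`, whereas the Intel machine sets `INTEL_IOMMU` and `INTEL_IOMMU_DEFAULT_ON`; on the allnoconfig base the AMD IOMMU driver presumably stays off, leaving `IOMMU_DEFAULT_DMA_STRICT` and `IRQ_REMAP` from base.nix with no driver to act on. Confirm in the generated .config and add `AMD_IOMMU = yes;` if DMA protection is intended on this host.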
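--- a/x86.nix
+++ b/x86.nix
@@ -0,0 +1,45 @@
+{ lib, hostPlatform, ... }: with lib.kernel; {
+SCHED_OMIT_FRAME_POINTER = yes;
+
+X86_FRED = yes;
+
+PROCESSOR_SELECT = yes;
+CPU_SUP_HYGON = no;
+CPU_SUP_CENTAUR = no;
+CPU_SUP_ZHAOXIN = no;
+
+SCHED_CLUSTER = yes;
+SCHED_MC_PRIO = yes;
+
+X86_MCE = yes;
+X86_MCE_INTEL = yes;
+
+X86_5LEVEL = option no;
+
+X86_VSYSCALL_EMULATION = no;
+LEGACY_VSYSCALL_NONE = yes;
+
+X86_INTEL_TSX_MODE_AUTO = yes;
+X86_USER_SHADOW_STACK = yes;
+
+EFI_HANDOVER_PROTOCOL = no;
+
+STRICT_SIGALTSTACK_SIZE = yes;
+
+CPU_MITIGATIONS = yes;
+MITIGATION_SLS = yes;
+
+X86_ACPI_CPUFREQ = yes;
+X86_ACPI_CPUFREQ_CPB = option no;
+
+HPET = yes;
+HPET_MMAP = yes;
+HPET_MMAP_DEFAULT = yes;
+
+X86_PLATFORM_DEVICES = yes;
+
+IO_DELAY_NONE = yes;
+
+X86_DEBUG_FPU = option no;
+UNWINDER_ORC = yes;
+}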
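Review bot: `HPET_MMAP = yes;` together with `HPET_MMAP_DEFAULT = yes;` lets unprivileged processes map the HPET register page by default, which sits oddly next to the rest of this hardened base; as I recall its Kconfig help, on some platforms that page also holds other hardware registers that should not be exposed to userspace. Unless a workload is known to need it, `HPET_MMAP_DEFAULT = no;` keeps the feature available behind the `hpet_mmap=1` boot parameter while defaulting to off. `X86_MCE_INTEL = yes;` here is applied to every x86 host, including x86-64/zen3-stub.nix which sets `CPU_SUP_INTEL = no;`; if it builds it is harmless, but it reads as if it belongs in the Intel machine file, which already sets it.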