Compile with Clang / LLVM

Mikael Voss 2024-08-12 22:52:12 +02:00
parent f8f6adeccd
commit d5cba52ab2
No known key found for this signature in database
2 changed files with 53 additions and 33 deletions


@ -79,13 +79,12 @@
STACKPROTECTOR = yes; STACKPROTECTOR = yes;
STACKPROTECTOR_STRONG = yes; STACKPROTECTOR_STRONG = yes;
LTO_CLANG_FULL = option yes; LTO_CLANG_FULL = yes;
CFI_CLANG = yes;
VMAP_STACK = yes; VMAP_STACK = yes;
RANDOMIZE_KSTACK_OFFSET_DEFAULT = yes; RANDOMIZE_KSTACK_OFFSET_DEFAULT = yes;
GCC_PLUGINS = yes;
BLK_DEV_WRITE_MOUNTED = yes; BLK_DEV_WRITE_MOUNTED = yes;
BLK_WBT = yes; BLK_WBT = yes;
BLK_WBT_MQ = yes; BLK_WBT_MQ = yes;
@ -325,8 +324,6 @@
BUG_ON_DATA_CORRUPTION = yes; BUG_ON_DATA_CORRUPTION = yes;
RANDSTRUCT_PERFORMANCE = option yes;
CRYPTO_ZSTD = yes; CRYPTO_ZSTD = yes;
SWIOTLB_DYNAMIC = yes; SWIOTLB_DYNAMIC = yes;
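Review bot: Structure-layout randomization appears to be lost entirely in the second hunk: `RANDSTRUCT_PERFORMANCE = option yes;` is shown on one side only and the hunk header shrinks from 8 to 6 lines, so it reads as a removal with no replacement. The performance mode depends on the GCC plugin infrastructure and cannot stay once `GCC_PLUGINS` is dropped, but the full mode is available with recent Clang, so `RANDSTRUCT_FULL = yes;` would retain the hardening (at some performance cost) if the toolchain in use supports it. If leaving it out is deliberate, a short comment such as `# RANDSTRUCT: performance mode is GCC-plugin only; full mode not enabled because …` would record the decision. Next to `CFI_CLANG = yes;` in the first hunk, a comment that `CFI_PERMISSIVE` must remain unset would also help, since permissive mode only warns on a violation.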


@ -4,11 +4,16 @@ let
lib lib
buildEnv buildEnv
buildLinux buildLinux
buildPackages
fetchFromGitHub fetchFromGitHub
gccStdenv overrideCC
runCommand; runCommand;
kernel = let kernel = let
inherit (pkgs.llvmPackages_latest)
llvm clang-unwrapped lld
clang bintools;
args = { args = {
inherit (pkgs) lib hostPlatform; inherit (pkgs) lib hostPlatform;
}; };
@ -23,35 +28,53 @@ let
]; ];
}; };
in buildLinux rec { in buildLinux rec {
pname = "linux-hardened"; pname = "linux-hardened";
version = "6.10.4-hardened1"; version = "6.10.4-hardened1";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "anthraxx"; owner = "anthraxx";
repo = pname; repo = pname;
rev = "v${version}"; rev = "v${version}";
hash = "sha256-qq2vmrUIYUuXEwuZoXrXbZY/li+ReFNuqhsy1R0yx0s="; hash = "sha256-qq2vmrUIYUuXEwuZoXrXbZY/li+ReFNuqhsy1R0yx0s=";
};
defconfig = "allnoconfig";
extraMakeFlags = [ "KCFLAGS=-march=${arch}" ];
enableCommonConfig = false;
structuredExtraConfig =
(import ./base.nix args) //
(import config args) //
lib.optionalAttrs (firmware != [ ]) {
EXTRA_FIRMWARE = lib.kernel.freeform (toString firmware);
EXTRA_FIRMWARE_DIR = lib.kernel.freeform "${firmwareEnv}/lib/firmware";
};
features = {
efiBootStub = true;
};
isHardened = true;
stdenv = gccStdenv;
}; };
defconfig = "allnoconfig";
enableCommonConfig = false;
extraMakeFlags = [
"LLVM=1"
"HOSTCC=${clang}/bin/clang"
"HOSTCXX=${clang}/bin/clang++"
"HOSTLD=${bintools}/bin/ld.lld"
"HOSTAR=${bintools}/bin/ar"
"CC=${clang-unwrapped}/bin/clang"
"LD=${lld}/bin/ld.lld"
"AR=${llvm}/bin/llvm-ar"
"NM=${llvm}/bin/llvm-nm"
"OBJCOPY=${llvm}/bin/llvm-objcopy"
"OBJDUMP=${llvm}/bin/llvm-objdump"
"READELF=${llvm}/bin/llvm-readelf"
"STRIP=${llvm}/bin/llvm-strip"
"KCFLAGS=-march=${arch}"
];
structuredExtraConfig =
(import ./base.nix args) //
(import config args) //
lib.optionalAttrs (firmware != [ ]) {
EXTRA_FIRMWARE = lib.kernel.freeform (toString firmware);
EXTRA_FIRMWARE_DIR = lib.kernel.freeform "${firmwareEnv}/lib/firmware";
};
features = {
efiBootStub = true;
};
isHardened = true;
};
in kernel.overrideAttrs (base: { in kernel.overrideAttrs (base: {
installFlags = base.installFlags or [ ] ++ [ "INSTALL_MOD_PATH=$(out)" ]; installFlags = base.installFlags or [ ] ++ [ "INSTALL_MOD_PATH=$(out)" ];
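Review bot: The toolchain in the first hunk is taken from `pkgs.llvmPackages_latest` although `buildPackages` is inherited just above it, so every path in `extraMakeFlags` (`CC=`, `LD=`, `HOSTCC=` and the rest) appears to point at host-platform packages. That is equivalent for a native build but would be wrong when cross-compiling, where `inherit (buildPackages.llvmPackages_latest)` is the usual form. `_latest` also lets the compiler that implements CFI and LTO change with each nixpkgs update while the kernel source is pinned by hash; a specific LLVM package set would keep the two in step, if that matters for this configuration. A one-line comment on why `CC` uses `clang-unwrapped` while `HOSTCC` uses the wrapped `clang` would help the next reader. The `let` block and the `overrideAttrs` body both continue outside the hunks.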