Re‐format code
parent
5c54a9b2cb
commit
ed9c1b76d6
|
@ -1,4 +1,6 @@
|
|||
{ lib, ... }: with lib.kernel; {
|
||||
{ lib, ... }:
|
||||
with lib.kernel;
|
||||
{
|
||||
ARM64_VA_BITS_48 = yes;
|
||||
ARM64_PAN = yes;
|
||||
ARM64_USE_LSE_ATOMICS = yes;
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
{ lib, ... }: with lib.kernel; {
|
||||
{ lib, ... }:
|
||||
with lib.kernel;
|
||||
{
|
||||
SOUND = yes;
|
||||
SND = yes;
|
||||
SND_PCM_TIMER = yes;
|
||||
|
|
16
base.nix
16
base.nix
|
@ -1,7 +1,9 @@
|
|||
{ lib, hostPlatform, ... }@args: with lib.kernel;
|
||||
{ lib, hostPlatform, ... }@args:
|
||||
with lib.kernel;
|
||||
|
||||
(import ./disable.nix args) //
|
||||
(import ./systemd.nix args) // {
|
||||
(import ./disable.nix args)
|
||||
// (import ./systemd.nix args)
|
||||
// {
|
||||
KERNEL_ZSTD = yes;
|
||||
|
||||
SYSVIPC = yes;
|
||||
|
@ -263,7 +265,7 @@
|
|||
USB_XHCI_HCD = yes;
|
||||
USB_XHCI_PCI = yes;
|
||||
|
||||
RTC_CLASS = yes;
|
||||
RTC_CLASS = yes;
|
||||
|
||||
DMADEVICES = yes;
|
||||
ASYNC_TX_DMA = option yes;
|
||||
|
@ -344,8 +346,8 @@
|
|||
PANIC_TIMEOUT = freeform "-1";
|
||||
|
||||
EARLY_PRINTK = option no;
|
||||
} // lib.optionalAttrs hostPlatform.is64bit {
|
||||
"64BIT" = option yes;
|
||||
} // lib.optionalAttrs hostPlatform.isx86 (import ./x86.nix args)
|
||||
}
|
||||
// lib.optionalAttrs hostPlatform.is64bit { "64BIT" = option yes; }
|
||||
// lib.optionalAttrs hostPlatform.isx86 (import ./x86.nix args)
|
||||
// lib.optionalAttrs hostPlatform.isRiscV (import ./riscv.nix args)
|
||||
// lib.optionalAttrs hostPlatform.isAarch64 (import ./arm64.nix args)
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
{ lib, ... }: with lib.kernel; {
|
||||
{ lib, ... }:
|
||||
with lib.kernel;
|
||||
{
|
||||
X86_MPPARSE = option no;
|
||||
AMD_NUMA = option no;
|
||||
|
||||
|
|
13
dm-crypt.nix
13
dm-crypt.nix
|
@ -1,4 +1,6 @@
|
|||
{ lib, hostPlatform, ... }: with lib.kernel; {
|
||||
{ lib, hostPlatform, ... }:
|
||||
with lib.kernel;
|
||||
{
|
||||
MD = yes;
|
||||
MD_BITMAP_FILE = no;
|
||||
BLK_DEV_DM = yes;
|
||||
|
@ -13,14 +15,17 @@
|
|||
|
||||
CRYPTO_USER_API_HASH = yes;
|
||||
CRYPTO_USER_API_SKCIPHER = yes;
|
||||
} // lib.optionalAttrs hostPlatform.isx86_64 {
|
||||
}
|
||||
// lib.optionalAttrs hostPlatform.isx86_64 {
|
||||
CRYPTO_AES_NI_INTEL = yes;
|
||||
CRYPTO_AEGIS128_AESNI_SSE2 = yes;
|
||||
CRYPTO_SHA256_SSSE3 = yes;
|
||||
} // lib.optionalAttrs hostPlatform.isRiscV64 {
|
||||
}
|
||||
// lib.optionalAttrs hostPlatform.isRiscV64 {
|
||||
CRYPTO_AES_RISCV64 = yes;
|
||||
CRYPTO_SHA256_RISCV64 = yes;
|
||||
} // lib.optionalAttrs hostPlatform.isAarch64 {
|
||||
}
|
||||
// lib.optionalAttrs hostPlatform.isAarch64 {
|
||||
CRYPTO_AES_ARM64 = yes;
|
||||
CRYPTO_AES_ARM64_CE = yes;
|
||||
CRYPTO_AES_ARM64_CE_BLK = yes;
|
||||
|
|
82
flake.nix
82
flake.nix
|
@ -8,42 +8,56 @@
|
|||
extra-trusted-public-keys = [ "cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg=" ];
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, ... }:
|
||||
let
|
||||
inherit (nixpkgs) lib;
|
||||
inherit (lib) mapAttrs;
|
||||
profiles = import ./profiles.nix;
|
||||
|
||||
legacyPackages = mapAttrs
|
||||
(system: profile: import nixpkgs { inherit system; }) profiles;
|
||||
|
||||
linux-hardened = import ./linux-hardened.nix;
|
||||
in {
|
||||
packages = mapAttrs (system: profiles:
|
||||
mapAttrs (name: profile:
|
||||
linux-hardened legacyPackages.${system} profile) profiles)
|
||||
profiles;
|
||||
|
||||
devShells = mapAttrs (system: profile:
|
||||
outputs =
|
||||
{ self, nixpkgs, ... }:
|
||||
let
|
||||
pkgs = legacyPackages.${system};
|
||||
dummy = linux-hardened pkgs
|
||||
{ arch = ""; config = ./dummy.nix; firmware = [ ]; };
|
||||
inherit (nixpkgs) lib;
|
||||
inherit (lib) mapAttrs;
|
||||
profiles = import ./profiles.nix;
|
||||
|
||||
mkShell = packages: pkgs.mkShell {
|
||||
inherit packages;
|
||||
shellHook = ''
|
||||
exec $SHELL
|
||||
'';
|
||||
legacyPackages = mapAttrs (system: profile: import nixpkgs { inherit system; }) profiles;
|
||||
|
||||
linux-hardened = import ./linux-hardened.nix;
|
||||
in
|
||||
{
|
||||
packages = mapAttrs (
|
||||
system: profiles: mapAttrs (name: profile: linux-hardened legacyPackages.${system} profile) profiles
|
||||
) profiles;
|
||||
|
||||
devShells = mapAttrs (
|
||||
system: profile:
|
||||
let
|
||||
pkgs = legacyPackages.${system};
|
||||
dummy = linux-hardened pkgs {
|
||||
arch = "";
|
||||
config = ./dummy.nix;
|
||||
firmware = [ ];
|
||||
};
|
||||
|
||||
mkShell =
|
||||
packages:
|
||||
pkgs.mkShell {
|
||||
inherit packages;
|
||||
shellHook = ''
|
||||
exec $SHELL
|
||||
'';
|
||||
};
|
||||
in
|
||||
{
|
||||
default = mkShell (
|
||||
with pkgs;
|
||||
dummy.nativeBuildInputs
|
||||
++ [
|
||||
ncurses
|
||||
pkg-config
|
||||
]
|
||||
);
|
||||
}
|
||||
) profiles;
|
||||
|
||||
hydraJobs = {
|
||||
kernel = self.packages;
|
||||
shell = self.devShells;
|
||||
};
|
||||
in {
|
||||
default = mkShell
|
||||
(with pkgs; dummy.nativeBuildInputs ++ [ ncurses pkg-config ]);
|
||||
}) profiles;
|
||||
|
||||
hydraJobs = {
|
||||
kernel = self.packages;
|
||||
shell = self.devShells;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,56 +1,82 @@
|
|||
pkgs: { arch, config, firmware }:
|
||||
pkgs:
|
||||
{
|
||||
arch,
|
||||
config,
|
||||
firmware,
|
||||
}:
|
||||
let
|
||||
inherit (pkgs) lib buildLinux fetchFromGitHub gccStdenv runCommand;
|
||||
inherit (pkgs)
|
||||
lib
|
||||
buildLinux
|
||||
fetchFromGitHub
|
||||
gccStdenv
|
||||
runCommand
|
||||
;
|
||||
|
||||
kernel =
|
||||
let
|
||||
args = { inherit (pkgs) lib hostPlatform; };
|
||||
let
|
||||
args = {
|
||||
inherit (pkgs) lib hostPlatform;
|
||||
};
|
||||
|
||||
firmwareCollection = runCommand "linux-firmware" {
|
||||
inherit firmware;
|
||||
firmwarePackages = with pkgs; [ linux-firmware sof-firmware wireless-regdb ];
|
||||
} ''
|
||||
for dir in ''${firmwarePackages[@]}; do
|
||||
pushd "$dir/lib/firmware"
|
||||
firmwareCollection =
|
||||
runCommand "linux-firmware"
|
||||
{
|
||||
inherit firmware;
|
||||
firmwarePackages = with pkgs; [
|
||||
linux-firmware
|
||||
sof-firmware
|
||||
wireless-regdb
|
||||
];
|
||||
}
|
||||
''
|
||||
for dir in ''${firmwarePackages[@]}; do
|
||||
pushd "$dir/lib/firmware"
|
||||
|
||||
for fw in ''${firmware}; do
|
||||
if [ -e "$fw" ]; then
|
||||
local base="$(dirname "$fw")"
|
||||
mkdir -p "$out/lib/firmware/$base"
|
||||
ln -s "$dir/lib/firmware/$fw" "$out/lib/firmware/$base"
|
||||
fi
|
||||
done
|
||||
for fw in ''${firmware}; do
|
||||
if [ -e "$fw" ]; then
|
||||
local base="$(dirname "$fw")"
|
||||
mkdir -p "$out/lib/firmware/$base"
|
||||
ln -s "$dir/lib/firmware/$fw" "$out/lib/firmware/$base"
|
||||
fi
|
||||
done
|
||||
|
||||
popd
|
||||
done
|
||||
'';
|
||||
in buildLinux rec {
|
||||
pname = "linux-hardened";
|
||||
version = "6.10.2-hardened1";
|
||||
popd
|
||||
done
|
||||
'';
|
||||
in
|
||||
buildLinux rec {
|
||||
pname = "linux-hardened";
|
||||
version = "6.10.2-hardened1";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "anthraxx";
|
||||
repo = pname;
|
||||
rev = "v${version}";
|
||||
hash = "sha256-a9kxt09pQjUJUsdqaIMyA7Us6sxueaacetWKv59Xy3s=";
|
||||
src = fetchFromGitHub {
|
||||
owner = "anthraxx";
|
||||
repo = pname;
|
||||
rev = "v${version}";
|
||||
hash = "sha256-a9kxt09pQjUJUsdqaIMyA7Us6sxueaacetWKv59Xy3s=";
|
||||
};
|
||||
|
||||
defconfig = "allnoconfig";
|
||||
extraMakeFlags = [ "KCFLAGS=-march=${arch}" ];
|
||||
enableCommonConfig = false;
|
||||
|
||||
structuredExtraConfig =
|
||||
(import ./base.nix args)
|
||||
// (import config args)
|
||||
// {
|
||||
EXTRA_FIRMWARE = lib.kernel.freeform (toString firmware);
|
||||
EXTRA_FIRMWARE_DIR = lib.kernel.freeform "${firmwareCollection}/lib/firmware";
|
||||
};
|
||||
|
||||
features = {
|
||||
efiBootStub = true;
|
||||
};
|
||||
isHardened = true;
|
||||
stdenv = gccStdenv;
|
||||
};
|
||||
|
||||
defconfig = "allnoconfig";
|
||||
extraMakeFlags = [ "KCFLAGS=-march=${arch}" ];
|
||||
enableCommonConfig = false;
|
||||
|
||||
structuredExtraConfig = (import ./base.nix args) // (import config args) // {
|
||||
EXTRA_FIRMWARE = lib.kernel.freeform (toString firmware);
|
||||
EXTRA_FIRMWARE_DIR = lib.kernel.freeform "${firmwareCollection}/lib/firmware";
|
||||
};
|
||||
|
||||
features = { efiBootStub = true; };
|
||||
isHardened = true;
|
||||
stdenv = gccStdenv;
|
||||
};
|
||||
in kernel.overrideAttrs (base: {
|
||||
installFlags = base.installFlags or [ ] ++
|
||||
[ "INSTALL_MOD_PATH=$(out)" ];
|
||||
in
|
||||
kernel.overrideAttrs (base: {
|
||||
installFlags = base.installFlags or [ ] ++ [ "INSTALL_MOD_PATH=$(out)" ];
|
||||
|
||||
postInstall = ''
|
||||
if [ -z "''${dontStrip-}" ]; then
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
{ lib, ... }: with lib.kernel; {
|
||||
{ lib, ... }:
|
||||
with lib.kernel;
|
||||
{
|
||||
MICROCODE = yes;
|
||||
|
||||
ENERGY_MODEL = yes;
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
{ lib, ... }: with lib.kernel; {
|
||||
{ lib, ... }:
|
||||
with lib.kernel;
|
||||
{
|
||||
PREEMPT_VOLUNTARY = yes;
|
||||
|
||||
SUSPEND = yes;
|
||||
|
|
33
profiles.nix
33
profiles.nix
|
@ -10,20 +10,31 @@
|
|||
arch = "alderlake";
|
||||
config = ./x86-64/thinkpad-x1-extreme-gen5.nix;
|
||||
firmware = [
|
||||
"i915/adlp_dmc.bin" "i915/adlp_dmc_ver2_16.bin"
|
||||
"i915/adlp_guc_70.bin" "i915/tgl_huc.bin"
|
||||
"intel/ibt-0040-0041.sfi" "intel/ibt-0040-0041.ddc"
|
||||
"intel/sof/sof-adl.ri" "intel/sof-tplg/sof-hda-generic-2ch.tplg"
|
||||
"iwlwifi-so-a0-gf-a0-89.ucode" "iwlwifi-so-a0-gf-a0.pnvm"
|
||||
"i915/adlp_dmc.bin"
|
||||
"i915/adlp_dmc_ver2_16.bin"
|
||||
"i915/adlp_guc_70.bin"
|
||||
"i915/tgl_huc.bin"
|
||||
"intel/ibt-0040-0041.sfi"
|
||||
"intel/ibt-0040-0041.ddc"
|
||||
"intel/sof/sof-adl.ri"
|
||||
"intel/sof-tplg/sof-hda-generic-2ch.tplg"
|
||||
"iwlwifi-so-a0-gf-a0-89.ucode"
|
||||
"iwlwifi-so-a0-gf-a0.pnvm"
|
||||
"nvidia/ga107/acr/ucode_unload.bin"
|
||||
"nvidia/ga107/acr/ucode_asb.bin" "nvidia/ga107/acr/ucode_ahesasc.bin"
|
||||
"nvidia/ga107/gr/fecs_bl.bin" "nvidia/ga107/gr/fecs_sig.bin"
|
||||
"nvidia/ga107/gr/gpccs_bl.bin" "nvidia/ga107/gr/gpccs_sig.bin"
|
||||
"nvidia/ga107/acr/ucode_asb.bin"
|
||||
"nvidia/ga107/acr/ucode_ahesasc.bin"
|
||||
"nvidia/ga107/gr/fecs_bl.bin"
|
||||
"nvidia/ga107/gr/fecs_sig.bin"
|
||||
"nvidia/ga107/gr/gpccs_bl.bin"
|
||||
"nvidia/ga107/gr/gpccs_sig.bin"
|
||||
"nvidia/ga107/gr/NET_img.bin"
|
||||
"nvidia/ga107/sec2/desc.bin" "nvidia/ga107/sec2/image.bin"
|
||||
"nvidia/ga107/sec2/sig.bin" "nvidia/ga107/sec2/hs_bl_sig.bin"
|
||||
"nvidia/ga107/sec2/desc.bin"
|
||||
"nvidia/ga107/sec2/image.bin"
|
||||
"nvidia/ga107/sec2/sig.bin"
|
||||
"nvidia/ga107/sec2/hs_bl_sig.bin"
|
||||
"nvidia/ga107/nvdec/scrubber.bin"
|
||||
"regulatory.db" "regulatory.db.p7s"
|
||||
"regulatory.db"
|
||||
"regulatory.db.p7s"
|
||||
];
|
||||
};
|
||||
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
{ lib, ... }:
|
||||
|
||||
with lib.kernel; {
|
||||
with lib.kernel;
|
||||
{
|
||||
NR_CPUS = freeform "8";
|
||||
|
||||
HYPERVISOR_GUEST = yes;
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
{ lib, ... }: with lib.kernel; {
|
||||
{ lib, ... }:
|
||||
with lib.kernel;
|
||||
{
|
||||
ARCH_RV64I = yes;
|
||||
COMPAT = no;
|
||||
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
{ lib, ... }:
|
||||
|
||||
with lib.kernel; {
|
||||
with lib.kernel;
|
||||
{
|
||||
IP_ADVANCED_ROUTER = yes;
|
||||
IP_MULTIPLE_TABLES = yes;
|
||||
IP_ROUTE_MULTIPATH = yes;
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
{ lib, ... }: with lib.kernel; {
|
||||
{ lib, ... }:
|
||||
with lib.kernel;
|
||||
{
|
||||
# Base requirements
|
||||
DEVTMPFS = yes;
|
||||
CGROUPS = yes;
|
||||
|
|
13
wireless.nix
13
wireless.nix
|
@ -1,4 +1,6 @@
|
|||
{ lib, hostPlatform, ... }: with lib.kernel; {
|
||||
{ lib, hostPlatform, ... }:
|
||||
with lib.kernel;
|
||||
{
|
||||
WIRELESS = yes;
|
||||
CFG80211 = yes;
|
||||
CFG80211_DEFAULT_PS = yes;
|
||||
|
@ -43,17 +45,20 @@
|
|||
X509_CERTIFICATE_PARSER = option yes;
|
||||
PKCS7_MESSAGE_PARSER = option yes;
|
||||
PKCS8_PRIVATE_KEY_PARSER = option yes;
|
||||
} // lib.optionalAttrs hostPlatform.isx86_64 {
|
||||
}
|
||||
// lib.optionalAttrs hostPlatform.isx86_64 {
|
||||
CRYPTO_AES_NI_INTEL = option yes;
|
||||
CRYPTO_DES3_EDE_X86_64 = option yes;
|
||||
CRYPTO_SHA1_SSSE3 = option yes;
|
||||
CRYPTO_SHA256_SSSE3 = option yes;
|
||||
CRYPTO_SHA512_SSSE3 = option yes;
|
||||
} // lib.optionalAttrs hostPlatform.isRiscV64 {
|
||||
}
|
||||
// lib.optionalAttrs hostPlatform.isRiscV64 {
|
||||
CRYPTO_AES_RISCV64 = option yes;
|
||||
CRYPTO_SHA256_RISCV64 = option yes;
|
||||
CRYPTO_SHA512_RISCV64 = option yes;
|
||||
} // lib.optionalAttrs hostPlatform.isAarch64 {
|
||||
}
|
||||
// lib.optionalAttrs hostPlatform.isAarch64 {
|
||||
CRYPTO_AES_ARM64_CE = option yes;
|
||||
CRYPTO_AES_ARM64_CE_BLK = option yes;
|
||||
CRYPTO_SHA1_ARM64_CE = option yes;
|
||||
|
|