commit f402bb1d4d81fc92d89f325d0aee4002560a93f6
Author: Mikael Voss
Date: Tue Nov 5 21:11:29 2024 +0100
Initial import
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a3d6222
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,7 @@
+# Hidden files
+.*
+!.git*
+
+# Nix
+/result
+/result-*
diff --git a/config.nix b/config.nix
new file mode 100644
index 0000000..1f92ce3
--- /dev/null
+++ b/config.nix
@@ -0,0 +1,650 @@ +{ option, lib, hostPlatform }: { + meta = { + EXPERT = true; + STAGING = true; + } // lib.optionalAttrs hostPlatform.isx86_64 { + PROCESSOR_SELECT = true; + }; + + build = { + COMPILE_TEST = false; + WERROR = true; + + STANDALONE = true; + PREVENT_FIRMWARE_BUILD = true; + + JUMP_LABEL = true; + + LTO_CLANG_FULL = true; + }; + + boot = { + KERNEL_ZSTD = true; + BLK_DEV_INITRD = true; + RD_GZIP = false; + RD_BZIP2 = false; + RD_LZMA = false; + RD_XZ = false; + RD_LZO = false; + RD_LZ4 = false; + RD_ZSTD = true; + + BOOT_CONFIG = true; + + EFI = true; + EFI_STUB = true; + EFI_ZBOOT = option true; + + DEVTMPFS = true; + DEVTMPFS_MOUNT = true; + DEVTMPFS_SAFE = true; + + FW_LOADER = true; + FW_LOADER_COMPRESS = true; + FW_LOADER_COMPRESS_XZ = false; + FW_LOADER_COMPRESS_ZSTD = true; + FW_CACHE = true; + } // lib.optionalAttrs hostPlatform.isx86_64 { + EFI_HANDOVER_PROTOCOL = false; + }; + + debug = { + KALLSYMS = true; + KALLSYMS_ALL = false; + + SYMBOLIC_ERRNAME = true; + DEBUG_BUGVERBOSE = true; + DEBUG_INFO_DWARF5 = true; + DEBUG_INFO_SPLIT = true; + STRIP_ASM_SYMS = true; + + MAGIC_SYSRQ = true; + MAGIC_SYSRQ_DEFAULT_ENABLE = "0x1f4"; + + SLUB_DEBUG = false; + + DEBUG_WX = true; + WARN_ALL_UNSEEDED_RANDOM = true; + + RCU_TRACE = false; + + } // lib.optionalAttrs hostPlatform.isx86_64 { + X86_VERBOSE_BOOTUP = false; + EARLY_PRINTK = false; + X86_DEBUG_FPU = false; + + UNWINDER_ORC = true; + }; + + firmware = { + EFI_BOOTLOADER_CONTROL = true; + RESET_ATTACK_MITIGATION = true; + EFI_DISABLE_PCI_DMA = true; + + EFIVAR_FS = true; + + # pstore + PSTORE = true; + PSTORE_COMPRESS = true; + EFI_VARS_PSTORE = true; + }; + + platform = { + "64BIT" = true; + } // lib.optionalAttrs hostPlatform.isx86_64 { + X86_MPPARSE = false; + X86_FRED = true; + X86_EXTENDED_PLATFORM = false; + + CPU_SUP_HYGON = false; + CPU_SUP_CENTAUR = false; + CPU_SUP_ZHAOXIN = false; + } // lib.optionalAttrs hostPlatform.isAarch64 { + ARM64_VA_BITS_48 = true; + ARM64_PAN = true; + 
ARM64_USE_LSE_ATOMICS = true; + ARM64_CNP = true; + ARM64_PTR_AUTH = true; + ARM64_EPAN = true; + } // lib.optionalAttrs hostPlatform.isRiscV64 { + ARCH_RV64I = true; + COMPAT = false; + }; + + security = { + SECCOMP = true; + + # Kernel memory base + RELOCATABLE = true; + RANDOMIZE_BASE = true; + + # Stack protection + STACKPROTECTOR = true; + STACKPROTECTOR_STRONG = true; + VMAP_STACK = true; + RANDOMIZE_KSTACK_OFFSET = true; + RANDOMIZE_KSTACK_OFFSET_DEFAULT = true; + INIT_STACK_ALL_ZERO = true; + + STRICT_KERNEL_RWX = true; + CFI_CLANG = true; + + # Slab allocator + SLAB_MERGE_DEFAULT = false; + SLAB_FREELIST_RANDOM = true; + SLAB_FREELIST_HARDENED = true; + SLAB_CANARY = true; + SLUB_CPU_PARTIAL = true; + RANDOM_KMALLOC_CACHES = true; + + # Page allocator + SHUFFLE_PAGE_ALLOCATOR = true; + COMPAT_BRK = false; + INIT_ON_FREE_DEFAULT_ON = true; + + # False positives in combination with panic on BUG() + PAGE_SANITIZE_VERIFY = false; + SLAB_SANITIZE_VERIFY = false; + + MODULES = false; + + LDISC_AUTOLOAD = false; + + DEVMEM = false; + DEVPORT = false; + + DEBUG_FS = false; + + # Bounds checking + # False positives in iwlwifi + #UBSAN = true; + #UBSAN_BOUNDS = true; + #UBSAN_SIGNED_WRAP = false; + #UBSAN_BOOL = false; + #UBSAN_ENUM = false; + + # Memory safety error detection + KFENCE = true; + KFENCE_DEFERRABLE = true; + KFENCE_BUG_ON_DATA_CORRUPTION = true; + + PANIC_ON_OOPS = true; + PANIC_TIMEOUT = (-1); + + HARDENED_USERCOPY = true; + FORTIFY_SOURCE = true; + + SECURITY_DMESG_RESTRICT = true; + SECURITY_PERF_EVENTS_RESTRICT = true; + SECURITY_TIOCSTI_RESTRICT = true; + SECURITY = true; + SECURITY_NETWORK = true; + SECURITY_SELINUX = false; + SECURITY_YAMA = true; + SECURITY_LOCKDOWN_LSM = true; + SECURITY_LOCKDOWN_LSM_EARLY = true; + LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY = true; + SECURITY_LANDLOCK = true; + + LIST_HARDENED = true; + BUG_ON_DATA_CORRUPTION = true; + + } // lib.optionalAttrs hostPlatform.isx86_64 { + X86_UMIP = true; + X86_USER_SHADOW_STACK = 
true; + + RANDOMIZE_MEMORY = true; + + STRICT_SIGALTSTACK_SIZE = true; + }; + + timer = { + NO_HZ_FULL = true; + HIGH_RES_TIMERS = true; + HZ_1000 = true; + + RTC_CLASS = true; + RTC_HCTOSYS = true; + RTC_SYSTOHC = true; + } // lib.optionalAttrs hostPlatform.isx86_64 { + X86_PM_TIMER = true; + RTC_DRV_CMOS = true; + }; + + interfaces = { + SYSVIPC = true; + POSIX_MQUEUE = true; + USELIB = false; + + UID16 = false; + SGETMASK_SYSCALL = false; + SYSFS_SYSCALL = false; + POSIX_TIMERS = true; + PCSPKR_PLATFORM = false; + FUTEX = true; + EPOLL = true; + AIO = false; + IO_URING = true; + ADVISE_SYSCALLS = true; + + COMPAT_VDSO = false; + COMPAT_32BIT_TIME = false; + + # Required for BPF LSM instrumentation + PERF_EVENTS = true; + + DNOTIFY = false; + + bpf = { + BPF_SYSCALL = true; + BPF_JIT = true; + BPF_JIT_ALWAYS_ON = true; + BPF_UNPRIV_DEFAULT_OFF = true; + BPF_LSM = true; + }; + + namespaces = { + NAMESPACES = true; + UTS_NS = true; + TIME_NS = true; + USER_NS = true; + USER_NS_UNPRIVILEGED = false; + PID_NS = true; + NET_NS = true; + }; + } // lib.optionalAttrs hostPlatform.isx86_64 { + X86_VSYSCALL_EMULATION = false; + X86_IOPL_IOPERM = false; + LEGACY_VSYSCALL_NONE = true; + MODIFY_LDT_SYSCALL = false; + IA32_EMULATION = false; + }; + + scheduler = { + SMP = true; + PREEMPT_DYNAMIC = false; + + SCHED_MC = true; + SCHED_CLUSTER = true; + SCHED_SMT = option true; + SCHED_CORE = option true; + SCHED_AUTOGROUP = true; + + RCU_NOCB_CPU_DEFAULT_ALL = true; + RCU_LAZY = true; + + CGROUPS = true; + BLK_CGROUP = true; + CGROUP_SCHED = true; + + } // lib.optionalAttrs hostPlatform.isx86_64 { + SCHED_OMIT_FRAME_POINTER = true; + + SCHED_MC_PRIO = true; + }; + + memory = { + NUMA = true; + NUMA_BALANCING = true; + NUMA_BALANCING_DEFAULT_ENABLED = true; + + SPARSEMEM_VMEMMAP = true; + MEMORY_HOTPLUG = true; + MEMORY_HOTREMOVE = true; + + COMPACTION = true; + MIGRATION = true; + + KSM = true; + + TRANSPARENT_HUGEPAGE = true; + TRANSPARENT_HUGEPAGE_ALWAYS = true; + 
READ_ONLY_THP_FOR_FS = true; + HUGETLBFS = true; + HUGETLB_PAGE_OPTIMIZE_VMEMMAP = option true; + HUGETLB_PAGE_OPTIMIZE_VMEMMAP_DEFAULT_ON = option true; + + DEFERRED_STRUCT_PAGE_INIT = true; + + ZONE_DEVICE = true; + DEVICE_PRIVATE = true; + + LRU_GEN = true; + LRU_GEN_ENABLED = true; + + DMADEVICES = true; + ASYNC_TX_DMA = option true; + + zram = { + SWAP = true; + ZSMALLOC = true; + ZRAM = true; + ZRAM_DEF_COMP_ZSTD = true; + ZRAM_WRITEBACK = true; + CRYPTO_ZSTD = true; + }; + } // lib.optionalAttrs hostPlatform.isx86_64 { + AMD_NUMA = option false; + X86_64_ACPI_NUMA = true; + + X86_INTEL_TSX_MODE_AUTO = option true; + + ADDRESS_MASKING = false; + }; + + block = { + BLOCK = true; + BLOCK_LEGACY_AUTOLOAD = false; + BLK_DEV = true; + BLK_DEV_WRITE_MOUNTED = true; + BLK_WBT = true; + BLK_WBT_MQ = true; + + PARTITION_ADVANCED = true; + MSDOS_PARTITION = false; + EFI_PARTITION = true; + + MQ_IOSCHED_DEADLINE = true; + MQ_IOSCHED_KYBER = true; + IOSCHED_BFQ = true; + BFQ_GROUP_IOSCHED = true; + + BLK_DEV_LOOP = true; + BLK_DEV_LOOP_MIN_COUNT = 0; + }; + + binfmt = { + BINFMT_ELF = true; + CORE_DUMP_DEFAULT_ELF_HEADERS = true; + BINFMT_SCRIPT = true; + BINFMT_MISC = true; + COREDUMP = true; + }; + + io = { + IOMMU_SUPPORT = true; + IOMMU_DEFAULT_DMA_STRICT = true; + SWIOTLB_DYNAMIC = true; + } // lib.optionalAttrs hostPlatform.isx86_64 { + X86_X2APIC = true; + + AMD_IOMMU = option true; + INTEL_IOMMU = option true; + INTEL_IOMMU_SVM = option true; + INTEL_IOMMU_DEFAULT_ON = option true; + INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON = option true; + IRQ_REMAP = true; + + IO_DELAY_NONE = true; + } // lib.optionalAttrs hostPlatform.isAarch64 { + ARM_SMMU_V3 = true; + }; + + bus = { + PCI = true; + PCIEPORTBUS = true; + PCI_MSI = true; + PCIE_BUS_PERFORMANCE = true; + + HID_SUPPORT = true; + HID = true; + HIDRAW = true; + UHID = true; + HID_GENERIC = true; + USB_HID = true; + USB_HIDDEV = true; + + USB_SUPPORT = true; + USB = true; + USB_PCI = true; + USB_ANNOUNCE_NEW_DEVICES = 
true; + USB_DEFAULT_PERSIST = true; + USB_DYNAMIC_MINORS = true; + USB_XHCI_HCD = true; + USB_XHCI_PCI = true; + }; + + power = { + PM = true; + ENERGY_MODEL = true; + ACPI = true; + ACPI_APEI = true; + ACPI_NUMA = true; + + CPU_FREQ = true; + CPU_FREQ_STAT = true; + CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = true; + CPU_FREQ_GOV_SCHEDUTIL = true; + + CPU_IDLE = true; + CPU_IDLE_GOV_MENU = false; + CPU_IDLE_GOV_TEO = true; + + PCIEASPM = true; + PCIEASPM_POWER_SUPERSAVE = true; + + } // lib.optionalAttrs hostPlatform.isx86_64 { + X86_ACPI_CPUFREQ = true; + X86_ACPI_CPUFREQ_CPB = false; + } // lib.optionalAttrs (hostPlatform.isAarch64 || hostPlatform.isRiscV64) { + ACPI_CPPC_CPUFREQ = true; + }; + + framebuffer = { + DRM_SIMPLE_DRM = option true; + FB = true; + FB_EFI = true; + FB_SIMPLE = option true; + FB_DEVICE = false; + VGA_CONSOLE = false; + FRAMEBUFFER_CONSOLE = true; + FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = true; + SYSFB_SIMPLEFB = true; + }; + + network = { + NET = true; + PACKET = true; + PACKET_DIAG = true; + UNIX = true; + UNIX_DIAG = true; + XDP_SOCKETS = true; + XDP_SOCKETS_DIAG = true; + INET = true; + SYN_COOKIES = true; + INET_AH = true; + INET_ESP = true; + + INET_DIAG = true; + INET_UDP_DIAG = true; + INET_RAW_DIAG = true; + + TCP_CONG_ADVANCED = true; + TCP_CONG_BIC = false; + TCP_CONG_CUBIC = false; + TCP_CONG_WESTWOOD = false; + TCP_CONG_HTCP = false; + TCP_CONG_BBR = true; + DEFAULT_BBR = true; + + IPV6 = true; + INET6_AH = true; + INET6_ESP = true; + + NETFILTER = true; + NETFILTER_ADVANCED = true; + NETFILTER_INGRESS = true; + NETFILTER_EGRESS = true; + + NETFILTER_NETLINK_LOG = true; + NF_LOG_SYSLOG = true; + + NF_CONNTRACK = true; + NF_NAT = true; + NF_TABLES = true; + NF_TABLES_INET = true; + NFT_CT = true; + NFT_CONNLIMIT = true; + NFT_LIMIT = true; + NFT_LOG = true; + NFT_NAT = true; + NFT_REJECT = true; + NFT_FIB_INET = true; + NF_TABLES_IPV4 = true; + NFT_FIB_IPV4 = true; + NF_TABLES_IPV6 = true; + NFT_FIB_IPV6 = true; + + NET_SCH_CAKE = true; 
+ NET_SCH_FQ = true; + NET_SCH_DEFAULT = true; + DEFAULT_FQ = true; + DEFAULT_NET_SCH = "fq"; + + NETLINK_DIAG = true; + ETHTOOL_NETLINK = true; + + NETDEVICES = true; + ETHERNET = true; + }; + + chardev = { + TTY = true; + VT = true; + CONSOLE_TRANSLATIONS = true; + VT_CONSOLE = true; + UNIX98_PTYS = true; + + SERIAL_DEV_BUS = true; + SERIAL_DEV_CTRL_TTYPORT = true; + + HW_RANDOM = true; + HW_RANDOM_INTEL = false; + HW_RANDOM_AMD = false; + HW_RANDOM_VIA = false; + + TCG_TPM = true; + TCG_TPM2_HMAC = true; + HW_RANDOM_TPM = true; + TCG_TIS = true; + TCG_CRB = true; + }; + + input = { + INPUT = true; + INPUT_SPARSEKMAP = true; + INPUT_EVDEV = true; + INPUT_KEYBOARD = true; + }; + + filesystem = { + EXT4_FS = true; + EXT4_USE_FOR_EXT2 = true; + EXT4_FS_POSIX_ACL = true; + + OVERLAY_FS = true; + OVERLAY_FS_REDIRECT_DIR = true; + OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW = false; + OVERLAY_FS_XINO_AUTO = true; + OVERLAY_FS_METACOPY = true; + + MSDOS_FS = true; + VFAT_FS = true; + FAT_DEFAULT_UTF8 = true; + + PROC_FS = true; + PROC_KCORE = false; + PROC_SYSCTL = true; + PROC_PAGE_MONITOR = true; + SYSFS = true; + TMPFS = true; + TMPFS_POSIX_ACL = true; + EFIVAR_FS = true; + + EROFS_FS = true; + EROFS_FS_XATTR = true; + EROFS_FS_POSIX_ACL = true; + EROFS_FS_SECURITY = false; + EROFS_FS_ZIP = true; + EROFS_FS_ZIP_ZSTD = true; + + NLS = true; + NLS_CODEPAGE_437 = true; + NLS_ISO8859_1 = true; + UNICODE = true; + }; + + fonts = { + FONTS = true; + FONT_TER16x32 = true; + }; + + systemd = { + # Base requirements + DEVTMPFS = true; + CGROUPS = true; + INOTIFY_USER = true; + SIGNALFD = true; + TIMERFD = true; + EPOLL = true; + UNIX = true; + PROC_FS = true; + FHANDLE = true; + + # Legacy interfaces + UEVENT_HELPER = false; + FW_LOADER_USER_HELPER = false; + + # udev & virtualisation + DMIID = true; + + # SCSI device serial number retrieval + BLK_DEV_BSG = option true; + + # PrivateNetwork + NET_NS = true; + + # PrivateUser + USER_NS = true; + + # Optional but recommended + IPV6 = 
true; + AUTOFS_FS = true; + TMPFS_XATTR = true; + TMPFS_POSIX_ACL = true; + SECCOMP = true; + SECCOMP_FILTER = true; + KCMP = true; + NET_SCHED = true; + + # CPUShares + CGROUP_SCHED = true; + FAIR_GROUP_SCHED = true; + + # CPUQuota + CFS_BANDWIDTH = true; + + # IPaddress{Allow,Deny}, SocketBind{Allow,Deny}, RestrictNetworkInterfaces + BPF = true; + BPF_SYSCALL = true; + BPF_JIT = true; + CGROUP_BPF = true; + + # EFI + EFIVAR_FS = true; + EFI_PARTITION = true; + + # SMBIOS credentials + DMI = true; + DMI_SYSFS = true; + + # Realā€time scheduling + RT_GROUP_SCHED = false; + + # systemd-oomd + PSI = true; + MEMCG = true; + + AUDIT = false; + }; +} diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..bf45d63 --- /dev/null +++ b/flake.lock @@ -0,0 +1,27 @@ +{ + "nodes": { + "nixpkgs": { + "locked": { + "lastModified": 1730768919, + "narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..66cde64 --- /dev/null +++ b/flake.nix 
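Review bot: `IO_URING = true` in the `interfaces` section is the one large kernel attack surface this profile leaves fully enabled while it switches off `AIO`, `USELIB`, `DEVMEM`, unprivileged BPF (`BPF_UNPRIV_DEFAULT_OFF`) and unprivileged user namespaces; io_uring has been a steady source of privilege-escalation fixes and several hardened deployments disable it outright. Since later entries in the merged config list override earlier ones, `IO_URING = false;` here would give a hardened default that a host running io_uring-dependent software can still flip back on from `extraConfig`; if it is meant to stay on, a comment recording why would help. `MAGIC_SYSRQ_DEFAULT_ENABLE = "0x1f4"` is an undocumented bitmask; a comment such as `# SAK/unraw, sync, remount-ro, signal, reboot/poweroff, nice RT; no loglevel or debug dumps` saves the next reader a trip to admin-guide/sysrq. The commented-out `#UBSAN*` block under `# Bounds checking` should either be dropped or carry an issue reference for the iwlwifi false positives so it can be revisited. The comment `# Realā€time scheduling` in the `systemd` section has a mis-encoded hyphen and should read `# Real-time scheduling`.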
@@ -0,0 +1,42 @@ +{ + description = "Hardened Linux kernel"; + + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; + }; + + nixConfig = { + extra-experimental-features = [ "pipe-operator" "pipe-operators" ]; + extra-substituters = [ "https://cache.kyouma.net" ]; + extra-trusted-public-keys = [ "cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg=" ]; + }; + + outputs = { self, nixpkgs, ... }@inputs: let + inherit (nixpkgs) lib; + packageWith = pkgs: lib.callPackageWith pkgs ./package.nix; + in { + lib.kernel = import ./lib.nix { inherit lib; }; + packages = { + riscv64-linux = let + package = packageWith nixpkgs.legacyPackages.riscv64-linux; + in { + default = package { }; + }; + + aarch64-linux = let + package = packageWith nixpkgs.legacyPackages.aarch64-linux; + in { + default = package { }; + }; + + x86_64-linux = let + package = packageWith nixpkgs.legacyPackages.x86_64-linux; + in { + default = package { }; + }; + }; + + hydraJobs = self.packages |> lib.foldlAttrs (jobs: system: packages: lib.recursiveUpdate jobs + (lib.mapAttrs (name: package: { ${system} = package; }) packages)) { }; + }; +} diff --git a/lib.nix b/lib.nix new file mode 100644 index 0000000..e1c2cab --- /dev/null +++ b/lib.nix 
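Review bot: `nixConfig.extra-substituters` and `extra-trusted-public-keys` add a third-party binary cache (`cache.kyouma.net`) whose signing key every consumer of this flake is prompted to trust on first use; for a hardened kernel that is a supply-chain decision, and the file says nothing about who operates the cache or where the key is published. A one-line comment above `nixConfig` naming the operator and the key's publication point (or a README note) would let users answer that accept/decline prompt from an informed position. `hydraJobs` uses the experimental `|>` operator in flake.nix itself, so the file must be parsed with `pipe-operators` already enabled; if the `extra-experimental-features` entry in `nixConfig` cannot take effect before parsing (worth confirming), the description should state that consumers need the feature in their own nix.conf.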
@@ -0,0 +1,59 @@ +{ lib }: +let + inherit (builtins) + isAttrs + isInt + length + match + toString; + + inherit (lib.asserts) + assertMsg; + + inherit (lib.attrsets) + isDerivation + mapAttrsToList + mergeAttrsList; + + inherit (lib.lists) + flatten; + + inherit (lib.strings) + concatStrings + concatStringsSep + escape; + + isKey = str: match "[0-9A-Z][0-9A-Zx_]*" str != null; + isNum = str: match "(0x[0-9A-Fa-f]+|[1-9][0-9]*)" str != null; + + mkValueString = v: let + v' = toString v; + in if v == true then "y" + else if isInt v || isNum v' then v' + else "\"${escape [ "\"" ] v'}\""; + +in rec { + flattenAttrs = let + compose = p: n: if isKey n then p ++ [ n ] else p; + recurse = p: v: + if isValue v then { ${concatStringsSep "_" p} = v; } + else mapAttrsToList (n: v: recurse (compose p n) v) v; + in attrs: recurse [ ] attrs |> flatten |> mergeAttrsList; + mergeConfig = list: map flattenAttrs list |> mergeAttrsList; + + option = v: { _option = v; }; + isValue = x: isAttrs x -> !isDerivation x -> x ? _option; + isOptional = x: isAttrs x && !isDerivation x && x ? _option; + getValue = x: if isOptional x then x._option else x; + + mkKey = n: assert isKey n; "CONFIG_${n}"; + + mkKeyValue = n: v: let + v' = getValue v; + in if (v' == false || v' == null) + then "# ${mkKey n} is not set" + else "${mkKey n}=${mkValueString v'}"; + + mkConfig = attrs: mapAttrsToList (k: v: mkKeyValue k v + "\n") attrs + |> concatStrings; +} diff --git a/package.nix b/package.nix new file mode 100644 index 0000000..b6bb5c7 --- /dev/null +++ b/package.nix 
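Review bot: `mkKey = n: assert isKey n; "CONFIG_${n}";` fails with a bare assertion error that does not name the offending symbol, even though `assertMsg` is imported at the top of the file and never used; `mkKey = n: assert assertMsg (isKey n) "invalid Kconfig symbol name: ${toString n}"; "CONFIG_${n}";` would make a mistyped option in a profile diagnosable. This matters because `flattenAttrs` drops every path component that is not a key, so a scalar placed under a lowercase attribute collapses to the symbol name `""` and the assertion fires far from the typo. `mergeConfig` is a last-wins `mergeAttrsList`, so a profile or `extraConfig` entry that flips a hardening default from config.nix is merged silently; a `lib.warnIf` on a differing value during the fold, or at minimum a comment stating that later list entries override earlier ones, would make such overrides visible. `length` is also imported and unused.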
@@ -0,0 +1,267 @@ +{ + lib, + stdenv, + buildPackages, + llvmPackages_19, + hostPlatform, + fetchFromGitHub, + buildEnv, + callPackage, + + linux-firmware, + sof-firmware, + wireless-regdb, + + jq, + python3, + perl, + flex, + bison, + bc, + openssl, + zstd, + hexdump, + + elfutils, + kmod, + ... +}@args: + +lib.makeOverridable ({ + llvmPackages ? llvmPackages_19, + instSetArch ? hostPlatform.gccarch or null, + platformConfig ? { }, + extraConfig ? { }, + firmwarePackages ? [ + linux-firmware + sof-firmware + wireless-regdb + ], + extraFirmware ? [ ], + profiles ? { }, + ... +}: + +let + kernel = import ./lib.nix { inherit lib; }; + + inherit (lib.attrsets) + filterAttrs + mapAttrsToList + mergeAttrsList; + + inherit (lib.strings) + concatStringsSep; + + firmwareEnv = buildEnv { + name = "linux-firmware"; + pathsToLink = [ "/lib/firmware" ]; + paths = firmwarePackages; + } + "/lib/firmware"; + + config = let + profileConfigs = builtins.readDir ./profile + |> lib.filterAttrs (name: type: type == "regular") + |> builtins.attrNames + |> map (lib.removeSuffix ".nix") + |> builtins.filter (profile: profiles.${profile} or false) + |> map (profile: ./profile/${profile}.nix); + + forceConfig = { + MODULES = false; + EXTRA_FIRMWARE = extraFirmware; + EXTRA_FIRMWARE_DIR = kernel.option firmwareEnv; + }; + + args = { + inherit (kernel) option; + inherit lib hostPlatform; + }; + in [ ./config.nix platformConfig ] ++ profileConfigs ++ [ extraConfig forceConfig ] + |> map (cfg: if builtins.isPath cfg then import cfg else cfg) + |> map (cfg: if builtins.isFunction cfg then cfg args else cfg) + |> kernel.mergeConfig; +in stdenv.mkDerivation (finalAttrs: { + __structuredAttrs = true; + + pname = "linux-hardened"; + version = "6.10.13-hardened1"; + + modDirVersion = lib.versions.pad 3 finalAttrs.version; + + src = fetchFromGitHub { + owner = "anthraxx"; + repo = finalAttrs.pname; + rev = "v${finalAttrs.version}"; + hash = "sha256-XWrX1jlUv1cwGzCz8Qqaa1mbetvPWY2ivPLyw6Fx54c="; + }; + 
+ depsBuildBuild = [ + jq + + flex + bison + bc + python3 + perl + openssl + hexdump + + zstd + ]; + + nativeBuildInputs = [ + elfutils + kmod + ]; + + makeFlags = [ + "ARCH:=${hostPlatform.linuxArch}" + + "HOSTCC:=${buildPackages.stdenv.cc}/bin/${buildPackages.stdenv.cc.targetPrefix}cc" + "HOSTCXX:=${buildPackages.stdenv.cc}/bin/${buildPackages.stdenv.cc.targetPrefix}c++" + "HOSTLD:=${buildPackages.stdenv.cc}/bin/${buildPackages.stdenv.cc.targetPrefix}ld" + "HOSTAR:=${buildPackages.stdenv.cc}/bin/${buildPackages.stdenv.cc.targetPrefix}ar" + + "CC:=${llvmPackages.clang-unwrapped}/bin/clang" + "LD:=${llvmPackages.lld}/bin/ld.lld" + "AR:=${llvmPackages.llvm}/bin/llvm-ar" + "NM:=${llvmPackages.llvm}/bin/llvm-nm" + "OBJCOPY:=${llvmPackages.llvm}/bin/llvm-objcopy" + "OBJDUMP:=${llvmPackages.llvm}/bin/llvm-objdump" + "READELF:=${llvmPackages.llvm}/bin/llvm-readelf" + "STRIP:=${llvmPackages.llvm}/bin/llvm-strip" + ]; + + configfile = config |> kernel.mkConfig; + + requiredPresent = config + |> filterAttrs (n: v: !kernel.isOptional v && kernel.getValue v != false) + |> mapAttrsToList kernel.mkKeyValue; + + optionalPresent = config + |> filterAttrs (n: v: kernel.isOptional v && kernel.getValue v != false) + |> mapAttrsToList kernel.mkKeyValue; + + requiredAbsent = config + |> filterAttrs (n: v: !kernel.isOptional v && kernel.getValue v == false) + |> mapAttrsToList (n: v: kernel.mkKey n); + + optionalAbsent = config + |> filterAttrs (n: v: kernel.isOptional v && kernel.getValue v == false) + |> mapAttrsToList (n: v: kernel.mkKey n); + + postPatch = '' + patchShebangs scripts/ + + sed -i '/select BLOCK_LEGACY_AUTOLOAD/d' drivers/md/Kconfig + ''; + + preConfigure = '' + mkdir build + + export KBUILD_BUILD_TIMESTAMP="$(date -u -d @$SOURCE_DATE_EPOCH)" + export KBUILD_OUTPUT="$(pwd)/build" + + makeFlags+=( "-j $NIX_BUILD_CORES" ) + '' + lib.optionalString (hostPlatform ? 
linux-kernel.target) '' + export KBUILD_IMAGE=${lib.escapeShellArg hostPlatform.linux-kernel.target} + '' + lib.optionalString (instSetArch != null) '' + export KCFLAGS="-march=${lib.escapeShellArg instSetArch}" + ''; + + configurePhase = '' + runHook preConfigure + + cat >build/.config <<<"$configfile" + make "''${makeFlags[@]}" olddefconfig + + runHook postConfigure + ''; + + postConfigure = '' + # Verify configuration + for keyValue in "''${requiredPresent[@]}"; do + if ! grep -F -x -q "$keyValue" build/.config; then + printf 'Required: %s\nActual: %s\n\n' "$keyValue" \ + "$(grep -E "''${keyValue%%=*}[ =]" build/.config || echo "(absent)")" >&2 + exit 1 + fi + done + + for key in "''${requiredAbsent[@]}"; do + if grep -E -q "^$key=" build/.config; then + printf 'Required: %s unset or absent.\n Actual: %s\n\n' "$key" \ + "$(grep -E -q "^key=" build/.config)" >&2 + exit 1 + fi + done + + for keyValue in "''${optionalPresent[@]}"; do + if ! grep -F -x -q "$keyValue" build/.config; then + printf 'Suggested: %s\nActual: %s\n\n' "$keyValue" \ + "$(grep -E "''${keyValue%%=*}[ =]" build/.config || echo "(absent)")" >&2 + fi + done + + for key in "''${optionalAbsent[@]}"; do + if grep -E -q "^$key=" build/.config; then + printf 'Suggested: %s unset or absent.\nActual: %s\n\n' "$key" \ + "$(grep -E "^$key=" build/.config)" >&2 + fi + done + ''; + + preInstall = let + installkernel = buildPackages.writeShellScriptBin "installkernel" '' + cp "$2" "$4" + cp "$3" "$4" + ''; + in '' + export HOME=${installkernel} + ''; + + installFlags = [ + "INSTALL_PATH=$(out)" + "INSTALL_MOD_PATH=$(out)" + ]; + + installTargets = [ + "install" + "modules_install" + ]; + + postInstall = '' + depmod -b "$out" ${finalAttrs.modDirVersion} + touch "$out/lib/modules/${finalAttrs.modDirVersion}/modules.order" + ''; + + passthru = { + config = with kernel; { + isYes = option: getValue config.${option} or false == true; + isNo = option: getValue config.${option} or false == false; + isModule = 
option: false;
+
+ isEnabled = option: getValue config.${option} or false == true;
+ isDisabled = option: getValue config.${option} or false == false;
+ };
+
+ isHardened = true;
+ isLibre = false;
+ isZen = false;
+
+ features = {
+ efiBootStub = true;
+ };
+
+ kernelOlder = lib.versionOlder finalAttrs.version;
+ kernelAtLeast = lib.versionAtLeast finalAttrs.version;
+ };
+
+ meta = {
+ homepage = "https://github.com/anthraxx/linux-hardened";
+ license = lib.licenses.gpl2Only;
+ maintainers = with lib.maintainers; [ mvs ];
+ platforms = [ "riscv64-linux" "aarch64-linux" "x86_64-linux" ];
+ };
+})) args
diff --git a/profile/audio.nix b/profile/audio.nix
new file mode 100644
index 0000000..dd65b06
--- /dev/null
+++ b/profile/audio.nix
@@ -0,0 +1,11 @@
+{ option, lib, hostPlatform }: {
+ SOUND = true;
+ SND = true;
+ SND_PCM_TIMER = true;
+ SND_DYNAMIC_MINORS = true;
+ SND_SUPPORT_OLD_API = false;
+ SND_PCI = true;
+
+ SND_USB = true;
+ SND_USB_AUDIO = true;
+}
diff --git a/profile/dm-crypt.nix b/profile/dm-crypt.nix
new file mode 100644
index 0000000..cd549b8
--- /dev/null
+++ b/profile/dm-crypt.nix
@@ -0,0 +1,31 @@
+{ option, lib, hostPlatform }: {
+ MD = true;
+ MD_BITMAP_FILE = false;
+ BLK_DEV_DM = true;
+ DM_CRYPT = true;
+ DM_UEVENT = true;
+ DM_INTEGRITY = true;
+
+ CRYPTO_AES = true;
+ CRYPTO_XTS = true;
+ CRYPTO_AEGIS128 = true;
+ CRYPTO_SHA256 = true;
+
+ CRYPTO_USER_API_HASH = true;
+ CRYPTO_USER_API_SKCIPHER = true;
+} // lib.optionalAttrs hostPlatform.isx86_64 {
+ CRYPTO_AES_NI_INTEL = true;
+ CRYPTO_AEGIS128_AESNI_SSE2 = true;
+ CRYPTO_SHA256_SSSE3 = true;
+} // lib.optionalAttrs hostPlatform.isRiscV64 {
+ CRYPTO_AES_RISCV64 = true;
+ CRYPTO_SHA256_RISCV64 = true;
+} // lib.optionalAttrs hostPlatform.isAarch64 {
+ CRYPTO_AES_ARM64 = true;
+ CRYPTO_AES_ARM64_CE = true;
+ CRYPTO_AES_ARM64_CE_BLK = true;
+ CRYPTO_AES_ARM64_NEON_BLK = true;
+ CRYPTO_AES_ARM64_BS = true;
+ CRYPTO_AEGIS128_SIMD = true;
+ CRYPTO_SHA256_ARM64 = true;
+}
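Review bot: In the `requiredAbsent` loop of `postConfigure`, the "Actual:" value is computed with `"$(grep -E -q "^key=" build/.config)"`, where `-q` suppresses all output and `key` is a literal rather than `$key`, so the diagnostic always prints an empty line; it should match the `optionalAbsent` loop below it, `"$(grep -E "^$key=" build/.config)"`. `sed -i '/select BLOCK_LEGACY_AUTOLOAD/d' drivers/md/Kconfig` in `postPatch` edits the kernel's Kconfig without a comment; it presumably exists so `BLK_DEV_DM` can coexist with `BLOCK_LEGACY_AUTOLOAD = false` from config.nix, and a one-line comment saying so (and which kernel version it was checked against) would keep it from being dropped or kept blindly on the next rebase. `export HOME=${installkernel}` in `preInstall` works only because the kernel's install script looks for `~/bin/installkernel`; a comment naming that dependency would explain an otherwise puzzling `HOME` override. `passthru.config.isNo` returns true for symbols that are simply absent from the merged config (`config.${option} or false`), not only for ones explicitly set to false; a comment on that lookup would stop callers from reading it as "explicitly disabled".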
diff --git a/profile/paravirt.nix b/profile/paravirt.nix
new file mode 100644
index 0000000..e75aecf
--- /dev/null
+++ b/profile/paravirt.nix
@@ -0,0 +1,41 @@
+{ option, lib, hostPlatform }: {
+ HYPERVISOR_GUEST = true;
+ PARAVIRT = true;
+ PARAVIRT_SPINLOCKS = true;
+ KVM_GUEST = true;
+ ARCH_CPUIDLE_HALTPOLL = true;
+ PARAVIRT_CLOCK = true;
+
+ HALTPOLL_CPUIDLE = true;
+
+ FW_CFG_SYSFS = true;
+
+ BLK_MQ_VIRTIO = true;
+ VIRTIO_BLK = true;
+ VIRTIO_NET = true;
+ VIRTIO_CONSOLE = true;
+
+ HW_RANDOM_VIRTIO = true;
+
+ DRM = true;
+ DRM_FBDEV_EMULATION = true;
+ DRM_VIRTIO_GPU = true;
+ DRM_VIRTIO_GPU_KMS = true;
+ DRM_BOCHS = true;
+ DRM_SIMPLEDRM = true;
+
+ VIRT_DRIVERS = true;
+ VMGENID = true;
+
+ VIRTIO_MENU = true;
+ VIRTIO = true;
+ VIRTIO_PCI = true;
+ VIRTIO_PCI_LEGACY = false;
+ VIRTIO_BALLOON = true;
+ VIRTIO_INPUT = true;
+
+ VIRTIO_IOMMU = true;
+
+ FUSE_FS = true;
+ VIRTIO_FS = true;
+}
diff --git a/profile/physical.nix b/profile/physical.nix
new file mode 100644
index 0000000..ad2c74f
--- /dev/null
+++ b/profile/physical.nix
@@ -0,0 +1,34 @@
+{ option, lib, hostPlatform }: {
+ ACPI_BUTTON = true;
+ ACPI_FAN = true;
+ ACPI_TAD = true;
+ ACPI_PROCESSOR_AGGREGATOR = true;
+ ACPI_THERMAL = true;
+ ACPI_PCI_SLOT = true;
+
+ SCSI = true;
+ BLK_DEV_SD = true;
+ CHR_DEV_SG = true;
+ SCSI_CONSTANTS = true;
+ SCSI_SCAN_ASYNC = true;
+
+ USB_STORAGE = true;
+ USB_UAS = true;
+
+ NEW_LEDS = true;
+ LEDS_CLASS = true;
+ LEDS_TRIGGERS = true;
+ LEDS_TRIGGER_PANIC = true;
+ LEDS_TRIGGER_NETDEV = true;
+
+ EDAC = true;
+
+ THERMAL = true;
+ THERMAL_NETLINK = true;
+ THERMAL_DEFAULT_GOV_FAIR_SHARE = true;
+ THERMAL_GOV_FAIR_SHARE = true;
+
+ POWERCAP = true;
+
+ RAS = true;
+}
diff --git a/profile/portable.nix b/profile/portable.nix
new file mode 100644
index 0000000..72641a6
--- /dev/null
+++ b/profile/portable.nix
@@ -0,0 +1,44 @@
+{ option, lib, hostPlatform }: {
+ PREEMPT_VOLUNTARY = true;
+
+ SUSPEND = true;
+ WQ_POWER_EFFICIENT_DEFAULT = true;
+ ACPI_BATTERY = true;
+ ACPI_VIDEO = true;
+
+ HOTPLUG_PCI_PCIE = true;
+ HOTPLUG_PCI = true;
+
+ MEDIA_SUPPORT = true;
+ MEDIA_SUPPORT_FILTER = true;
+ MEDIA_SUBDRV_AUTOSELECT = true;
+ MEDIA_CAMERA_SUPPORT = true;
+ MEDIA_USB_SUPPORT = true;
+ USB_VIDEO_CLASS = true;
+ USB_VIDEO_CLASS_INPUT_EVDEV = true;
+
+ HID_BATTERY_STRENGTH = true;
+
+ USB_NET_DRIVERS = true;
+ USB_RTL8152 = true;
+ USB_USBNET = true;
+ USB_NET_AX88179_178A = true;
+ USB_NET_CDCETHER = true;
+ USB_NET_CDC_SUBSET = true;
+
+ BACKLIGHT_CLASS_DEVICE = true;
+
+ TYPEC = true;
+ TYPEC_TCPM = true;
+ TYPEC_TCPCI = true;
+ TYPEC_UCSI = true;
+ UCSI_ACPI = true;
+ TYPEC_DP_ALTMODE = true;
+
+ MMC = true;
+ MMC_BLOCK = true;
+
+ USB4 = true;
+
+ KFENCE_SAMPLE_INTERVAL = "500";
+}
diff --git a/profile/wireless.nix b/profile/wireless.nix
new file mode 100644
index 0000000..42ae906
--- /dev/null
+++ b/profile/wireless.nix
@@ -0,0 +1,64 @@
+{ option, lib, hostPlatform }: {
+ WIRELESS = true;
+ CFG80211 = true;
+ CFG80211_DEFAULT_PS = true;
+ CFG80211_CRDA_SUPPORT = true;
+ MAC80211 = true;
+ MAC80211_RC_MINSTREL = true;
+ MAC80211_RC_DEFAULT_MINSTREL = true;
+ MAC80211_LEDS = true;
+
+ BT = true;
+ BT_BREDR = true;
+ BT_RFCOMM = true;
+ BT_HIDP = true;
+ BT_LE = true;
+ BT_LEDS = true;
+
+ BT_HCIBTUSB_AUTOSUSPEND = option true;
+ BT_HCIBTUSB_BCM = option false;
+ BT_HCIBTUSB_RTL = option false;
+
+ RFKILL = true;
+ RFKILL_INPUT = true;
+
+ # iwd
+ KEYS = true;
+ CRYPTO_USER_API_SKCIPHER = true;
+ CRYPTO_USER_API_HASH = true;
+ CRYPTO_HMAC = true;
+ CRYPTO_CMAC = true;
+ CRYPTO_MD4 = true;
+ CRYPTO_MD5 = true;
+ CRYPTO_SHA1 = true;
+ CRYPTO_SHA256 = true;
+ CRYPTO_SHA512 = true;
+ CRYPTO_AES = true;
+ CRYPTO_ECB = true;
+ CRYPTO_DES = true;
+ CRYPTO_CBC = true;
+
+ ASYMMETRIC_KEY_TYPE = option true;
+ ASYMMETRIC_PUBLIC_KEY_SUBTYPE = option true;
+ X509_CERTIFICATE_PARSER = option true;
+ PKCS7_MESSAGE_PARSER = option true;
+ PKCS8_PRIVATE_KEY_PARSER = option true;
+} // lib.optionalAttrs hostPlatform.isx86_64 {
+ CRYPTO_AES_NI_INTEL = option true;
+ CRYPTO_DES3_EDE_X86_64 = option true;
+ CRYPTO_SHA1_SSSE3 = option true;
+ CRYPTO_SHA256_SSSE3 = option true;
+ CRYPTO_SHA512_SSSE3 = option true;
+} // lib.optionalAttrs hostPlatform.isRiscV64 {
+ CRYPTO_AES_RISCV64 = option true;
+ CRYPTO_SHA256_RISCV64 = option true;
+ CRYPTO_SHA512_RISCV64 = option true;
+} // lib.optionalAttrs hostPlatform.isAarch64 {
+ CRYPTO_AES_ARM64_CE = option true;
+ CRYPTO_AES_ARM64_CE_BLK = option true;
+ CRYPTO_SHA1_ARM64_CE = option true;
+ CRYPTO_SHA256_ARM64 = option true;
+ CRYPTO_SHA2_ARM64_CE = option true;
+ CRYPTO_SHA512_ARM64 = option true;
+ CRYPTO_SHA512_ARM64_CE = option true;
+}
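Review bot: `BT_HCIBTUSB_AUTOSUSPEND`, `BT_HCIBTUSB_BCM` and `BT_HCIBTUSB_RTL` are set, but `BT_HCIBTUSB` itself appears nowhere in this profile, so with `olddefconfig` and `MODULES = false` the USB Bluetooth driver is not built and those three sub-options never exist in the resulting .config (the `optionalPresent` check will report `(absent)` for the first one); if USB Bluetooth is intended, add `BT_HCIBTUSB = true;` explicitly above them. The `# iwd` block enables `CRYPTO_MD4`, `CRYPTO_DES` and `CRYPTO_MD5` unconditionally in a hardened kernel; as far as iwd's documented requirements go these serve legacy EAP methods (MSCHAPv2 and TLS 1.0/1.1 PRF) rather than WPA2/WPA3-Personal, so marking them `option true` or adding `# Legacy algorithms needed only for EAP-MSCHAPv2 / old EAP-TLS; drop if no enterprise Wi-Fi` lets deployments without enterprise networks leave them out. iwd's kernel requirements also list `KEY_DH_OPERATIONS` alongside `KEYS`; it is missing here, worth confirming whether the OWE/SAE paths this profile expects depend on it.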