linux-hardened/base.nix

{ lib, hostPlatform, ... }@args: with lib.kernel;
# Architecture-independent Kconfig for the hardened kernel profile.
#
# Everything below is merged with `//`, which is right-biased: a key set in a
# later attribute set overrides the same key in an earlier one.  The sibling
# files (./disable.nix, ./systemd.nix) come first, so anything in this file
# takes precedence over them, and the per-architecture files come last.
let
  # Core kernel: compression, IPC, timers, BPF, scheduler, namespaces, initrd.
  coreCfg = {
    KERNEL_ZSTD = yes;
    SYSVIPC = yes;
    POSIX_MQUEUE = yes;
    # No kernel audit subsystem: syscall auditing (auditd) is unavailable on
    # this kernel.  Presumably deliberate for this profile - confirm.
    AUDIT = no;
    NO_HZ_FULL = yes;
    HIGH_RES_TIMERS = yes;
    BPF_SYSCALL = yes;
    BPF_JIT = yes;
    # The BPF interpreter is compiled out; only JIT-compiled programs run.
    # NOTE(review): BPF_UNPRIV_DEFAULT_OFF is not set in this file - confirm
    # unprivileged BPF is restricted in ./disable.nix or via sysctl.
    BPF_JIT_ALWAYS_ON = yes;
    SCHED_CORE = yes;
    CPU_ISOLATION = yes;
    UTS_NS = yes;
    TIME_NS = yes;
    # User namespaces stay available (sandboxes and containers rely on them).
    # Whether unprivileged creation is restricted is not decided here.
    USER_NS = yes;
    PID_NS = yes;
    SCHED_AUTOGROUP = yes;
    # Initrd support with zstd as the only accepted compressor.
    BLK_DEV_INITRD = yes;
    RD_GZIP = no;
    RD_BZIP2 = no;
    RD_LZMA = no;
    RD_XZ = no;
    RD_LZO = no;
    RD_LZ4 = no;
    RD_ZSTD = yes;
    BOOT_CONFIG = yes;
    EXPERT = yes;
    # Legacy syscalls nobody needs on a modern userland.
    SGETMASK_SYSCALL = no;
    SYSFS_SYSCALL = no;
    PCSPKR_PLATFORM = no;
    # Function symbols only; KALLSYMS_ALL would also expose data symbols.
    KALLSYMS = yes;
    KALLSYMS_ALL = no;
  };

  # Platform: SMP topology, firmware interface, relocation/KASLR, power.
  platformCfg = {
    SMP = yes;
    SCHED_MC = yes;
    SCHED_CLUSTER = option yes;
    SCHED_SMT = option yes;
    NUMA = yes;
    EFI = yes;
    EFI_STUB = yes;
    HZ_1000 = yes;
    # Relocatable image plus randomised text and memory layout (KASLR).
    RELOCATABLE = yes;
    RANDOMIZE_BASE = yes;
    RANDOMIZE_MEMORY = yes;
    PM = yes;
    ENERGY_MODEL = yes;
    ACPI = yes;
    ACPI_APEI = yes;
    ACPI_NUMA = yes;
    CPU_FREQ = yes;
    CPU_FREQ_STAT = yes;
    CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = yes;
    CPU_FREQ_GOV_SCHEDUTIL = yes;
    CPU_IDLE = yes;
    CPU_IDLE_GOV_MENU = no;
    CPU_IDLE_GOV_TEO = yes;
    JUMP_LABEL = yes;
  };

  # Compile-time and runtime exploit mitigations that are not LSM-related.
  mitigationCfg = {
    SECCOMP = yes;
    STACKPROTECTOR = yes;
    STACKPROTECTOR_STRONG = yes;
    # Full LTO and kernel CFI require a clang toolchain.
    LTO_CLANG_FULL = yes;
    CFI_CLANG = yes;
    # Virtually mapped stacks with guard pages; per-syscall stack offset
    # randomisation enabled by default.
    VMAP_STACK = yes;
    RANDOMIZE_KSTACK_OFFSET_DEFAULT = yes;
  };

  # Block layer and partition tables.
  blockCfg = {
    # NOTE(review): `no` makes the kernel reject writes to a block device
    # that is currently mounted; `yes` keeps the upstream default.  Confirm
    # this is intentional (some imaging/partitioning tooling needs it).
    BLK_DEV_WRITE_MOUNTED = yes;
    BLK_WBT = yes;
    BLK_WBT_MQ = yes;
    # GPT only; no legacy MBR partition support.
    PARTITION_ADVANCED = yes;
    MSDOS_PARTITION = no;
    EFI_PARTITION = yes;
    MQ_IOSCHED_DEADLINE = yes;
    MQ_IOSCHED_KYBER = yes;
    IOSCHED_BFQ = yes;
  };

  # Executable formats and core dumps.
  binfmtCfg = {
    BINFMT_ELF = yes;
    CORE_DUMP_DEFAULT_ELF_HEADERS = yes;
    BINFMT_SCRIPT = yes;
    BINFMT_MISC = yes;
    COREDUMP = yes;
  };

  # Memory management, including allocator hardening.
  memoryCfg = {
    SWAP = yes;
    # Randomised and hardened SLUB freelists; SLAB_CANARY comes from the
    # linux-hardened patch set.
    SLAB_FREELIST_RANDOM = yes;
    SLAB_FREELIST_HARDENED = yes;
    SLAB_CANARY = yes;
    SLUB_CPU_PARTIAL = yes;
    # Spread kmalloc allocations over multiple randomly chosen caches.
    RANDOM_KMALLOC_CACHES = yes;
    SHUFFLE_PAGE_ALLOCATOR = yes;
    # No legacy brk() randomisation opt-out.
    COMPAT_BRK = no;
    SPARSEMEM_VMEMMAP = yes;
    MEMORY_HOTPLUG = yes;
    MEMORY_HOTREMOVE = yes;
    COMPACTION = yes;
    MIGRATION = yes;
    # KSM is built in but only merges pages once enabled via sysfs at runtime.
    KSM = yes;
    TRANSPARENT_HUGEPAGE = yes;
    TRANSPARENT_HUGEPAGE_ALWAYS = yes;
    READ_ONLY_THP_FOR_FS = yes;
    DEFERRED_STRUCT_PAGE_INIT = yes;
    ZONE_DEVICE = yes;
    DEVICE_PRIVATE = yes;
    LRU_GEN = option yes;
    LRU_GEN_ENABLED = option yes;
  };

  # Networking core, TCP, netfilter/nftables and queueing.
  networkCfg = {
    NET = yes;
    PACKET = yes;
    PACKET_DIAG = yes;
    UNIX = yes;
    UNIX_DIAG = yes;
    XDP_SOCKETS = yes;
    XDP_SOCKETS_DIAG = yes;
    INET = yes;
    SYN_COOKIES = yes;
    INET_DIAG = yes;
    INET_UDP_DIAG = yes;
    INET_RAW_DIAG = yes;
    # BBR is the only congestion control compiled in and is the default.
    TCP_CONG_ADVANCED = yes;
    TCP_CONG_BIC = no;
    TCP_CONG_CUBIC = no;
    TCP_CONG_WESTWOOD = no;
    TCP_CONG_HTCP = no;
    TCP_CONG_BBR = yes;
    DEFAULT_BBR = yes;
    IPV6 = yes;
    # nftables with conntrack, logging, rate limiting and reverse-path (fib)
    # checks for both address families.
    NETFILTER = yes;
    NETFILTER_ADVANCED = yes;
    NETFILTER_INGRESS = yes;
    NETFILTER_EGRESS = yes;
    NETFILTER_NETLINK_LOG = yes;
    NF_LOG_SYSLOG = yes;
    NF_CONNTRACK = yes;
    NF_TABLES = yes;
    NF_TABLES_INET = yes;
    NFT_CT = yes;
    NFT_CONNLIMIT = yes;
    NFT_LIMIT = yes;
    NFT_LOG = yes;
    NFT_REJECT = yes;
    NFT_FIB_INET = yes;
    NF_TABLES_IPV4 = yes;
    NFT_FIB_IPV4 = yes;
    NF_TABLES_IPV6 = yes;
    NFT_FIB_IPV6 = yes;
    # fq is the default qdisc; cake is available as well.
    NET_SCH_CAKE = yes;
    NET_SCH_FQ = yes;
    NET_SCH_DEFAULT = yes;
    DEFAULT_FQ = yes;
    DEFAULT_NET_SCH = freeform "fq";
    NETLINK_DIAG = yes;
    ETHTOOL_NETLINK = yes;
  };

  # Buses, firmware loading and EFI runtime services.
  busFirmwareCfg = {
    PCI = yes;
    PCI_MSI = yes;
    PCI_HOST_GENERIC = option yes;
    DEVTMPFS = yes;
    DEVTMPFS_MOUNT = yes;
    # devtmpfs is mounted nosuid,noexec.
    DEVTMPFS_SAFE = yes;
    STANDALONE = yes;
    PREVENT_FIRMWARE_BUILD = yes;
    # Firmware blobs may be zstd-compressed; xz is not accepted.
    FW_LOADER_COMPRESS = yes;
    FW_LOADER_COMPRESS_XZ = no;
    FW_LOADER_COMPRESS_ZSTD = yes;
    ALLOW_DEV_COREDUMP = yes;
    SYSFB_SIMPLEFB = yes;
    EFI_VARS_PSTORE = yes;
    # Ask firmware to scrub RAM on a cold-boot attack (MemoryOverwriteRequest).
    RESET_ATTACK_MITIGATION = yes;
    # Disable PCI bus mastering at ExitBootServices so devices cannot DMA
    # before the IOMMU is set up.
    EFI_DISABLE_PCI_DMA = yes;
  };

  # Block devices: zram (zstd) and loop, with no pre-created loop devices.
  blockDevCfg = {
    BLK_DEV = yes;
    ZRAM = yes;
    ZRAM_DEF_COMP_ZSTD = yes;
    ZRAM_WRITEBACK = yes;
    BLK_DEV_LOOP = yes;
    BLK_DEV_LOOP_MIN_COUNT = freeform "0";
  };

  # Network devices, input, and TTY/console.
  inputTtyCfg = {
    NETDEVICES = yes;
    NET_CORE = yes;
    INPUT = yes;
    INPUT_SPARSEKMAP = yes;
    INPUT_EVDEV = yes;
    INPUT_KEYBOARD = yes;
    TTY = yes;
    VT = yes;
    CONSOLE_TRANSLATIONS = yes;
    VT_CONSOLE = yes;
    UNIX98_PTYS = yes;
    SERIAL_DEV_BUS = yes;
    SERIAL_DEV_CTRL_TTYPORT = yes;
  };

  # Entropy sources, TPM, watchdog and framebuffer console.
  hwSecurityDisplayCfg = {
    HW_RANDOM = yes;
    # TPM 2.0 over TIS and CRB, with HMAC-protected sessions and the TPM
    # usable as a hardware RNG.
    TCG_TPM = yes;
    TCG_TPM2_HMAC = yes;
    HW_RANDOM_TPM = yes;
    TCG_TIS = yes;
    TCG_CRB = yes;
    WATCHDOG = yes;
    WATCHDOG_HANDLE_BOOT_ENABLED = yes;
    DRM_SIMPLE_DRM = option yes;
    FB = yes;
    FB_EFI = yes;
    FB_SIMPLE = option yes;
    # No legacy /dev/fb device nodes and no VGA text console.
    FB_DEVICE = no;
    VGA_CONSOLE = no;
    FRAMEBUFFER_CONSOLE = yes;
    FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = yes;
  };

  # HID and USB (xHCI only).
  hidUsbCfg = {
    HID_SUPPORT = yes;
    HID = yes;
    HIDRAW = yes;
    UHID = yes;
    HID_GENERIC = yes;
    USB_HID = yes;
    USB_HIDDEV = yes;
    USB_SUPPORT = yes;
    USB = yes;
    USB_PCI = yes;
    USB_PCI_AMD = no;
    USB_ANNOUNCE_NEW_DEVICES = yes;
    USB_DEFAULT_PERSIST = yes;
    USB_DYNAMIC_MINORS = yes;
    USB_LEDS_TRIGGER_USBPORT = yes;
    USB_XHCI_HCD = yes;
    USB_XHCI_PCI = yes;
  };

  # RTC, DMA engines, staging and IOMMU.
  miscDeviceCfg = {
    RTC_CLASS = yes;
    DMADEVICES = yes;
    ASYNC_TX_DMA = option yes;
    # NOTE(review): staging drivers are lower-quality code and widen the
    # attack surface; confirm which staging driver this profile needs,
    # otherwise `no` is the safer choice for a hardened kernel.
    STAGING = yes;
    # IOMMU on, with strict IOTLB invalidation and interrupt remapping, so
    # DMA from devices is confined as early as possible.
    IOMMU_SUPPORT = yes;
    IOMMU_DEFAULT_DMA_STRICT = yes;
    IRQ_REMAP = yes;
  };

  # Filesystems and character sets.
  fsCfg = {
    MSDOS_FS = yes;
    VFAT_FS = yes;
    FAT_DEFAULT_UTF8 = yes;
    PROC_FS = yes;
    # /proc/kcore would expose kernel memory; keep it out.
    PROC_KCORE = no;
    PROC_SYSCTL = yes;
    PROC_PAGE_MONITOR = yes;
    SYSFS = yes;
    TMPFS = yes;
    TMPFS_POSIX_ACL = yes;
    HUGETLBFS = yes;
    HUGETLB_PAGE_OPTIMIZE_VMEMMAP = yes;
    HUGETLB_PAGE_OPTIMIZE_VMEMMAP_DEFAULT_ON = yes;
    EFIVAR_FS = yes;
    NLS = yes;
    NLS_CODEPAGE_437 = yes;
    NLS_ISO8859_1 = yes;
    UNICODE = yes;
  };

  # Security subsystem: information-exposure restrictions, LSMs, memory
  # hardening.
  securityCfg = {
    # dmesg restricted to CAP_SYSLOG; the perf and TIOCSTI restrictions come
    # from the linux-hardened patch set.
    SECURITY_DMESG_RESTRICT = yes;
    SECURITY_PERF_EVENTS_RESTRICT = yes;
    SECURITY_TIOCSTI_RESTRICT = yes;
    SECURITY = yes;
    SECURITY_NETWORK = yes;
    SECURITY_YAMA = yes;
    # Lockdown is built in, active early, and forced to the confidentiality
    # level - it cannot be relaxed from the kernel command line.
    SECURITY_LOCKDOWN_LSM = yes;
    SECURITY_LOCKDOWN_LSM_EARLY = yes;
    LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY = yes;
    SECURITY_LANDLOCK = yes;
    HARDENED_USERCOPY = yes;
    FORTIFY_SOURCE = yes;
    # Zero-initialise stack variables and freed heap memory; STACKLEAK is a
    # GCC plugin, so it is optional for clang builds.
    # NOTE(review): INIT_ON_ALLOC_DEFAULT_ON is not set in this file.
    INIT_STACK_ALL_ZERO = yes;
    GCC_PLUGIN_STACKLEAK = option yes;
    INIT_ON_FREE_DEFAULT_ON = yes;
    ZERO_CALL_USED_REGS = yes;
    BUG_ON_DATA_CORRUPTION = yes;
  };

  # Crypto, misc, and debug/diagnostics.
  debugCfg = {
    CRYPTO_ZSTD = yes;
    SWIOTLB_DYNAMIC = yes;
    FONTS = yes;
    FONT_TER16x32 = yes;
    DEBUG_BUGVERBOSE = yes;
    DEBUG_INFO_DWARF5 = yes;
    DEBUG_INFO_SPLIT = yes;
    STRIP_ASM_SYMS = yes;
    # UBSAN limited to bounds checking; the other checkers are off.
    UBSAN = yes;
    UBSAN_BOUNDS = yes;
    UBSAN_SIGNED_WRAP = no;
    UBSAN_BOOL = no;
    UBSAN_ENUM = no;
    WARN_ALL_UNSEEDED_RANDOM = yes;
    # Warn at boot about any writable+executable kernel mappings.
    DEBUG_WX = yes;
    KFENCE = yes;
    KFENCE_DEFERRABLE = yes;
    KFENCE_BUG_ON_DATA_CORRUPTION = yes;
    # Fail closed: every oops panics, and a timeout of -1 reboots at once
    # instead of leaving a compromised kernel running.
    PANIC_ON_OOPS = yes;
    PANIC_TIMEOUT = freeform "-1";
    EARLY_PRINTK = option no;
  };

  # Per-architecture additions, merged last so they win over everything above.
  archCfg =
    lib.optionalAttrs hostPlatform.is64bit { "64BIT" = option yes; }
    // lib.optionalAttrs hostPlatform.isx86 (import ./x86.nix args)
    // lib.optionalAttrs hostPlatform.isRiscV (import ./riscv.nix args)
    // lib.optionalAttrs hostPlatform.isAarch64 (import ./arm64.nix args);
in
(import ./disable.nix args)
// (import ./systemd.nix args)
// coreCfg
// platformCfg
// mitigationCfg
// blockCfg
// binfmtCfg
// memoryCfg
// networkCfg
// busFirmwareCfg
// blockDevCfg
// inputTtyCfg
// hwSecurityDisplayCfg
// hidUsbCfg
// miscDeviceCfg
// fsCfg
// securityCfg
// debugCfg
// archCfg