1# WARNING/NOTE: whenever you want to add an option here you need to either 2# * mark it as an optional one with `option`, 3# * or make sure it works for all the versions in nixpkgs, 4# * or check for which kernel versions it will work (using kernel 5# changelog, google or whatever) and mark it with `whenOlder` or 6# `whenAtLeast`. 7# Then do test your change by building all the kernels (or at least 8# their configs) in Nixpkgs or else you will guarantee lots and lots 9# of pain to users trying to switch to an older kernel because of some 10# hardware problems with a new one. 11 12# Configuration 13{ 14 lib, 15 stdenv, 16 version, 17 rustAvailable, 18 19 features ? { }, 20}: 21 22with lib.kernel; 23with (lib.kernel.whenHelpers version); 24 25let 26 # configuration items have to be part of a subattrs 27 flattenKConf = 28 nested: 29 lib.mapAttrs ( 30 name: values: 31 if lib.length values == 1 then 32 lib.head values 33 else 34 throw "duplicate kernel configuration option: ${name}" 35 ) (lib.zipAttrs (lib.attrValues nested)); 36 37 whenPlatformHasEBPFJit = lib.mkIf ( 38 stdenv.hostPlatform.isAarch32 39 || stdenv.hostPlatform.isAarch64 40 || stdenv.hostPlatform.isx86_64 41 || (stdenv.hostPlatform.isPower && stdenv.hostPlatform.is64bit) 42 || (stdenv.hostPlatform.isMips && stdenv.hostPlatform.is64bit) 43 ); 44 45 forceRust = features.rust or false; 46 # Architecture support collected from HAVE_RUST Kconfig definitions and the following table: 47 # https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/rust/arch-support.rst 48 rustByDefault = ( 49 lib.versionAtLeast version "6.12" 50 && ( 51 stdenv.hostPlatform.isx86_64 52 || stdenv.hostPlatform.isLoongArch64 53 || stdenv.hostPlatform.isAarch64 54 || (stdenv.hostPlatform.isRiscV64 && !stdenv.cc.isGNU) 55 ) 56 ); 57 58 withRust = 59 lib.warnIfNot (forceRust -> rustAvailable) 60 "force-enabling Rust for Linux without an available rustc" 61 lib.warnIfNot 62 (forceRust -> rustByDefault) 63 
"force-enabling Rust for Linux on an unsupported kernel version, host platform or compiler" 64 (forceRust || (rustAvailable && rustByDefault)); 65 66 options = { 67 68 debug = { 69 # Necessary for BTF and crashkernel 70 DEBUG_INFO = yes; 71 DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT = whenAtLeast "5.18" yes; 72 # Reduced debug info conflict with BTF and have been enabled in 73 # aarch64 defconfig since 5.13 74 DEBUG_INFO_REDUCED = whenAtLeast "5.13" (option no); 75 DEBUG_INFO_BTF = option yes; 76 # Allow loading modules with mismatched BTFs 77 # FIXME: figure out how to actually make BTFs reproducible instead 78 # See https://github.com/NixOS/nixpkgs/pull/181456 for details. 79 MODULE_ALLOW_BTF_MISMATCH = whenAtLeast "5.18" (option yes); 80 BPF_LSM = whenAtLeast "5.7" (option yes); 81 DEBUG_KERNEL = yes; 82 DEBUG_DEVRES = no; 83 DYNAMIC_DEBUG = yes; 84 DEBUG_STACK_USAGE = no; 85 RCU_TORTURE_TEST = no; 86 SCHEDSTATS = yes; 87 DETECT_HUNG_TASK = yes; 88 CRASH_DUMP = yes; 89 # Easier debugging of NFS issues. 90 SUNRPC_DEBUG = yes; 91 # Provide access to tunables like sched_migration_cost_ns 92 SCHED_DEBUG = whenOlder "6.15" yes; 93 94 # Count IRQ and steal CPU time separately 95 IRQ_TIME_ACCOUNTING = yes; 96 PARAVIRT_TIME_ACCOUNTING = yes; 97 98 # Enable CPU lockup detection 99 LOCKUP_DETECTOR = yes; 100 SOFTLOCKUP_DETECTOR = yes; 101 HARDLOCKUP_DETECTOR = lib.mkIf ( 102 with stdenv.hostPlatform; isPower || isx86 || lib.versionAtLeast version "6.5" 103 ) yes; 104 105 # Enable streaming logs to a remote device over a network 106 NETCONSOLE = module; 107 NETCONSOLE_DYNAMIC = yes; 108 109 # Export known printks in debugfs 110 PRINTK_INDEX = whenAtLeast "5.15" yes; 111 112 # Enable crashkernel support 113 PROC_VMCORE = yes; 114 115 # Track memory leaks and performance issues related to allocations. 
116 MEM_ALLOC_PROFILING = whenAtLeast "6.10" yes; 117 MEM_ALLOC_PROFILING_ENABLED_BY_DEFAULT = whenAtLeast "6.10" yes; 118 }; 119 120 power-management = 121 { 122 CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = yes; 123 CPU_FREQ_GOV_SCHEDUTIL = yes; 124 PM_DEBUG = yes; 125 PM_ADVANCED_DEBUG = yes; 126 PM_WAKELOCKS = yes; 127 POWERCAP = yes; 128 # ACPI Firmware Performance Data Table Support 129 ACPI_FPDT = whenAtLeast "5.12" (option yes); 130 # ACPI Heterogeneous Memory Attribute Table Support 131 ACPI_HMAT = option yes; 132 # ACPI Platform Error Interface 133 ACPI_APEI = (option yes); 134 # APEI Generic Hardware Error Source 135 ACPI_APEI_GHES = (option yes); 136 137 # Enable lazy RCUs for power savings: 138 # https://lore.kernel.org/rcu/20221019225138.GA2499943@paulmck-ThinkPad-P17-Gen-1/ 139 # RCU_LAZY depends on RCU_NOCB_CPU depends on NO_HZ_FULL 140 # depends on HAVE_VIRT_CPU_ACCOUNTING_GEN depends on 64BIT, 141 # so we can't force-enable this 142 RCU_LAZY = whenAtLeast "6.2" (option yes); 143 144 # Auto suspend Bluetooth devices at idle 145 BT_HCIBTUSB_AUTOSUSPEND = yes; 146 147 # Expose cpufreq stats in sysfs 148 CPU_FREQ_STAT = yes; 149 150 # Enable CPU energy model for scheduling 151 ENERGY_MODEL = whenAtLeast "5.0" yes; 152 153 # Enable thermal interface netlink API 154 THERMAL_NETLINK = whenAtLeast "5.9" yes; 155 156 # Prefer power-efficient workqueue implementation to per-CPU workqueues, 157 # which is slightly slower, but improves battery life. 158 # This is opt-in per workqueue, and can be disabled globally with a kernel command line option. 159 WQ_POWER_EFFICIENT_DEFAULT = yes; 160 161 # Default SATA link power management to "medium with device initiated PM" 162 # for some extra power savings. 163 SATA_MOBILE_LPM_POLICY = whenAtLeast "5.18" (freeform "3"); 164 165 # GPIO power management 166 POWER_RESET_GPIO = option yes; 167 POWER_RESET_GPIO_RESTART = option yes; 168 169 # Enable Pulse-Width-Modulation support, commonly used for fan and backlight. 
170 PWM = yes; 171 } 172 // lib.optionalAttrs (stdenv.hostPlatform.isx86) { 173 INTEL_IDLE = yes; 174 INTEL_RAPL = module; 175 X86_INTEL_LPSS = yes; 176 X86_INTEL_PSTATE = yes; 177 X86_AMD_PSTATE = whenAtLeast "5.17" yes; 178 # Intel DPTF (Dynamic Platform and Thermal Framework) Support 179 ACPI_DPTF = whenAtLeast "5.10" yes; 180 181 # Required to bring up some Bay Trail devices properly 182 I2C = yes; 183 I2C_DESIGNWARE_CORE = yes; 184 I2C_DESIGNWARE_PLATFORM = yes; 185 PMIC_OPREGION = whenAtLeast "5.10" yes; 186 INTEL_SOC_PMIC = whenAtLeast "5.10" yes; 187 BYTCRC_PMIC_OPREGION = whenAtLeast "5.10" yes; 188 CHTCRC_PMIC_OPREGION = whenAtLeast "5.10" yes; 189 XPOWER_PMIC_OPREGION = whenAtLeast "5.10" yes; 190 BXT_WC_PMIC_OPREGION = whenAtLeast "5.10" yes; 191 INTEL_SOC_PMIC_CHTWC = whenAtLeast "5.10" yes; 192 CHT_WC_PMIC_OPREGION = whenAtLeast "5.10" yes; 193 INTEL_SOC_PMIC_CHTDC_TI = whenAtLeast "5.10" yes; 194 CHT_DC_TI_PMIC_OPREGION = whenAtLeast "5.10" yes; 195 MFD_TPS68470 = whenBetween "5.10" "5.13" yes; 196 TPS68470_PMIC_OPREGION = whenAtLeast "5.10" yes; 197 198 # Enable Intel thermal hardware feedback 199 INTEL_HFI_THERMAL = whenAtLeast "5.18" yes; 200 }; 201 202 external-firmware = { 203 # Support drivers that need external firmware. 204 STANDALONE = no; 205 }; 206 207 proc-config-gz = { 208 # Make /proc/config.gz available 209 IKCONFIG = yes; 210 IKCONFIG_PROC = yes; 211 }; 212 213 optimization = { 214 X86_GENERIC = lib.mkIf (stdenv.hostPlatform.system == "i686-linux") yes; 215 # Optimize with -O2, not -Os 216 CC_OPTIMIZE_FOR_SIZE = no; 217 }; 218 219 memory = 220 { 221 DAMON = whenAtLeast "5.15" yes; 222 DAMON_VADDR = whenAtLeast "5.15" yes; 223 DAMON_PADDR = whenAtLeast "5.16" yes; 224 DAMON_SYSFS = whenAtLeast "5.18" yes; 225 DAMON_DBGFS = whenBetween "5.15" "6.9" yes; 226 DAMON_RECLAIM = whenAtLeast "5.16" yes; 227 DAMON_LRU_SORT = whenAtLeast "6.0" yes; 228 # Support recovering from memory failures on systems with ECC and MCA recovery. 
229 MEMORY_FAILURE = yes; 230 231 # Collect ECC errors and retire pages that fail too often 232 RAS_CEC = lib.mkIf stdenv.hostPlatform.isx86 yes; 233 } 234 // lib.optionalAttrs (stdenv.hostPlatform.is32bit) { 235 # Enable access to the full memory range (aka PAE) on 32-bit architectures 236 # This check isn't super accurate but it's close enough 237 HIGHMEM = option yes; 238 BOUNCE = option yes; 239 }; 240 241 memtest = { 242 MEMTEST = yes; 243 }; 244 245 # Include the CFQ I/O scheduler in the kernel, rather than as a 246 # module, so that the initrd gets a good I/O scheduler. 247 scheduler = { 248 IOSCHED_CFQ = whenOlder "5.0" yes; # Removed in 5.0-RC1 249 BLK_CGROUP = yes; # required by CFQ" 250 BLK_CGROUP_IOLATENCY = yes; 251 BLK_CGROUP_IOCOST = yes; 252 IOSCHED_DEADLINE = whenOlder "5.0" yes; # Removed in 5.0-RC1 253 MQ_IOSCHED_DEADLINE = yes; 254 BFQ_GROUP_IOSCHED = yes; 255 MQ_IOSCHED_KYBER = yes; 256 IOSCHED_BFQ = module; 257 # Enable CPU utilization clamping for RT tasks 258 UCLAMP_TASK = yes; 259 UCLAMP_TASK_GROUP = yes; 260 }; 261 262 timer = { 263 # Enable Full Dynticks System. 264 # NO_HZ_FULL depends on HAVE_VIRT_CPU_ACCOUNTING_GEN depends on 64BIT 265 NO_HZ_FULL = lib.mkIf stdenv.hostPlatform.is64bit yes; 266 }; 267 268 # Enable NUMA. 
269 numa = { 270 NUMA = option yes; 271 NUMA_BALANCING = option yes; 272 }; 273 274 networking = 275 { 276 NET = yes; 277 IP_ADVANCED_ROUTER = yes; 278 IP_PNP = no; 279 IP_ROUTE_MULTIPATH = yes; 280 IP_VS_PROTO_TCP = yes; 281 IP_VS_PROTO_UDP = yes; 282 IP_VS_PROTO_ESP = yes; 283 IP_VS_PROTO_AH = yes; 284 IP_VS_IPV6 = yes; 285 IP_DCCP_CCID3 = no; # experimental 286 CLS_U32_PERF = yes; 287 CLS_U32_MARK = yes; 288 BPF_JIT = whenPlatformHasEBPFJit yes; 289 BPF_JIT_ALWAYS_ON = whenPlatformHasEBPFJit no; # whenPlatformHasEBPFJit yes; # see https://github.com/NixOS/nixpkgs/issues/79304 290 HAVE_EBPF_JIT = whenPlatformHasEBPFJit yes; 291 BPF_STREAM_PARSER = yes; 292 XDP_SOCKETS = yes; 293 XDP_SOCKETS_DIAG = yes; 294 WAN = yes; 295 TCP_CONG_ADVANCED = yes; 296 TCP_CONG_CUBIC = yes; # This is the default congestion control algorithm since 2.6.19 297 # Required by systemd per-cgroup firewalling 298 CGROUP_BPF = option yes; 299 CGROUP_NET_PRIO = yes; # Required by systemd 300 IP_ROUTE_VERBOSE = yes; 301 IP_MROUTE = yes; 302 IP_MROUTE_MULTIPLE_TABLES = yes; 303 IP_MULTICAST = yes; 304 IP_MULTIPLE_TABLES = yes; 305 IPV6 = yes; 306 IPV6_ROUTER_PREF = yes; 307 IPV6_ROUTE_INFO = yes; 308 IPV6_OPTIMISTIC_DAD = yes; 309 IPV6_MULTIPLE_TABLES = yes; 310 IPV6_SUBTREES = yes; 311 IPV6_MROUTE = yes; 312 IPV6_MROUTE_MULTIPLE_TABLES = yes; 313 IPV6_PIMSM_V2 = yes; 314 IPV6_FOU_TUNNEL = module; 315 IPV6_SEG6_LWTUNNEL = yes; 316 IPV6_SEG6_HMAC = yes; 317 IPV6_SEG6_BPF = yes; 318 NET_CLS_BPF = module; 319 NET_ACT_BPF = module; 320 NET_SCHED = yes; 321 L2TP_V3 = yes; 322 L2TP_IP = module; 323 L2TP_ETH = module; 324 BRIDGE_VLAN_FILTERING = yes; 325 BONDING = module; 326 NET_L3_MASTER_DEV = option yes; 327 NET_FOU_IP_TUNNELS = option yes; 328 IP_NF_TARGET_REDIRECT = module; 329 NETKIT = whenAtLeast "6.7" yes; 330 331 PPP_MULTILINK = yes; # PPP multilink support 332 PPP_FILTER = yes; 333 334 # needed for iwd WPS support (wpa_supplicant replacement) 335 KEY_DH_OPERATIONS = yes; 336 337 # needed for 
nftables 338 # Networking Options 339 NETFILTER = yes; 340 NETFILTER_ADVANCED = yes; 341 # Core Netfilter Configuration 342 NF_CONNTRACK_ZONES = yes; 343 NF_CONNTRACK_EVENTS = yes; 344 NF_CONNTRACK_TIMEOUT = yes; 345 NF_CONNTRACK_TIMESTAMP = yes; 346 NETFILTER_NETLINK_GLUE_CT = yes; 347 NF_TABLES_INET = yes; 348 NF_TABLES_NETDEV = yes; 349 NFT_REJECT_NETDEV = whenAtLeast "5.11" module; 350 351 # IP: Netfilter Configuration 352 NF_TABLES_IPV4 = yes; 353 NF_TABLES_ARP = yes; 354 # IPv6: Netfilter Configuration 355 NF_TABLES_IPV6 = yes; 356 # Bridge Netfilter Configuration 357 NF_TABLES_BRIDGE = module; 358 # Expose some debug info 359 NF_CONNTRACK_PROCFS = yes; 360 NF_FLOW_TABLE_PROCFS = whenAtLeast "6.0" yes; 361 362 # needed for `dropwatch` 363 # Builtin-only since https://github.com/torvalds/linux/commit/f4b6bcc7002f0e3a3428bac33cf1945abff95450 364 NET_DROP_MONITOR = yes; 365 366 # needed for ss 367 # Use a lower priority to allow these options to be overridden in hardened/config.nix 368 INET_DIAG = lib.mkDefault module; 369 INET_TCP_DIAG = lib.mkDefault module; 370 INET_UDP_DIAG = lib.mkDefault module; 371 INET_RAW_DIAG = lib.mkDefault module; 372 INET_DIAG_DESTROY = lib.mkDefault yes; 373 374 # IPsec over TCP 375 INET_ESPINTCP = whenAtLeast "5.8" yes; 376 INET6_ESPINTCP = whenAtLeast "5.8" yes; 377 378 # enable multipath-tcp 379 MPTCP = whenAtLeast "5.6" yes; 380 MPTCP_IPV6 = whenAtLeast "5.6" yes; 381 INET_MPTCP_DIAG = whenAtLeast "5.9" (lib.mkDefault module); 382 383 # Kernel TLS 384 TLS = module; 385 TLS_DEVICE = yes; 386 387 # infiniband 388 INFINIBAND = module; 389 INFINIBAND_IPOIB = module; 390 INFINIBAND_IPOIB_CM = yes; 391 392 # Enable debugfs for wireless drivers 393 CFG80211_DEBUGFS = yes; 394 MAC80211_DEBUGFS = yes; 395 } 396 // lib.optionalAttrs (stdenv.hostPlatform.system == "aarch64-linux") { 397 # Not enabled by default, hides modules behind it 398 NET_VENDOR_MEDIATEK = yes; 399 # Enable SoC interface for MT7915 module, required for MT798X. 
400 MT7986_WMAC = whenBetween "5.18" "6.6" yes; 401 MT798X_WMAC = whenAtLeast "6.6" yes; 402 }; 403 404 wireless = { 405 CFG80211_WEXT = option yes; # Without it, ipw2200 drivers don't build 406 IPW2100_MONITOR = option yes; # support promiscuous mode 407 IPW2200_MONITOR = option yes; # support promiscuous mode 408 HOSTAP_FIRMWARE = whenOlder "6.8" (option yes); # Support downloading firmware images with Host AP driver 409 HOSTAP_FIRMWARE_NVRAM = whenOlder "6.8" (option yes); 410 MAC80211_MESH = option yes; # Enable 802.11s (mesh networking) support 411 ATH9K_PCI = option yes; # Detect Atheros AR9xxx cards on PCI(e) bus 412 ATH9K_AHB = option yes; # Ditto, AHB bus 413 # The description of this option makes it sound dangerous or even illegal 414 # But OpenWRT enables it by default: https://github.com/openwrt/openwrt/blob/master/package/kernel/mac80211/Makefile#L55 415 # At the time of writing (25-06-2023): this is only used in a "correct" way by ath drivers for initiating DFS radiation 416 # for "certified devices" 417 EXPERT = option yes; # this is needed for offering the certification option 418 RFKILL_INPUT = option yes; # counteract an undesired effect of setting EXPERT 419 CFG80211_CERTIFICATION_ONUS = option yes; 420 # DFS: "Dynamic Frequency Selection" is a spectrum-sharing mechanism that allows 421 # you to use certain interesting frequency when your local regulatory domain mandates it. 422 # ATH drivers hides the feature behind this option and makes hostapd works with DFS frequencies. 
423 # OpenWRT enables it too: https://github.com/openwrt/openwrt/blob/master/package/kernel/mac80211/ath.mk#L42 424 ATH9K_DFS_CERTIFIED = option yes; 425 ATH10K_DFS_CERTIFIED = option yes; 426 B43_PHY_HT = option yes; 427 BCMA_HOST_PCI = option yes; 428 RTW88 = module; 429 RTW88_8822BE = lib.mkMerge [ 430 (whenOlder "5.8" yes) 431 (whenAtLeast "5.8" module) 432 ]; 433 RTW88_8822CE = lib.mkMerge [ 434 (whenOlder "5.8" yes) 435 (whenAtLeast "5.8" module) 436 ]; 437 }; 438 439 fb = { 440 FB = yes; 441 FB_EFI = yes; 442 FB_NVIDIA_I2C = yes; # Enable DDC Support 443 FB_RIVA_I2C = yes; 444 FB_ATY_CT = yes; # Mach64 CT/VT/GT/LT (incl. 3D RAGE) support 445 FB_ATY_GX = yes; # Mach64 GX support 446 FB_SAVAGE_I2C = yes; 447 FB_SAVAGE_ACCEL = yes; 448 FB_SIS_300 = yes; 449 FB_SIS_315 = yes; 450 FB_3DFX_ACCEL = yes; 451 FB_VESA = lib.mkIf stdenv.hostPlatform.isx86 yes; 452 FRAMEBUFFER_CONSOLE = yes; 453 FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = yes; 454 FRAMEBUFFER_CONSOLE_ROTATION = yes; 455 FRAMEBUFFER_CONSOLE_DETECT_PRIMARY = yes; 456 FB_GEODE = lib.mkIf (stdenv.hostPlatform.system == "i686-linux") yes; 457 # Use simplefb on older kernels where we don't have simpledrm (enabled below) 458 FB_SIMPLE = whenOlder "5.15" yes; 459 DRM_FBDEV_EMULATION = yes; 460 }; 461 462 fonts = { 463 FONTS = yes; 464 # Default fonts enabled if FONTS is not set 465 FONT_8x8 = yes; 466 FONT_8x16 = yes; 467 # High DPI font 468 FONT_TER16x32 = whenAtLeast "5.0" yes; 469 }; 470 471 video = 472 let 473 whenHasDevicePrivate = lib.mkIf (!stdenv.hostPlatform.isx86_32); 474 in 475 { 476 # compile in DRM so simpledrm can load before initrd if necessary 477 AGP = lib.mkIf (with stdenv.hostPlatform; isPower || isx86) yes; 478 DRM = yes; 479 480 DRM_LEGACY = whenOlder "6.8" no; 481 482 # Must be the same as CONFIG_DRM 483 BACKLIGHT_CLASS_DEVICE = yes; 484 485 NOUVEAU_LEGACY_CTX_SUPPORT = whenOlder "6.3" no; 486 487 # Enable simpledrm and use it for generic framebuffer 488 # Technically added in 5.14, but adding 
more complex configuration is not worth it 489 DRM_SIMPLEDRM = whenAtLeast "5.15" yes; 490 SYSFB_SIMPLEFB = whenAtLeast "5.15" yes; 491 492 # Allow specifying custom EDID on the kernel command line 493 DRM_LOAD_EDID_FIRMWARE = yes; 494 VGA_SWITCHEROO = lib.mkIf stdenv.hostPlatform.isx86 yes; # Hybrid graphics support 495 DRM_GMA500 = lib.mkIf stdenv.hostPlatform.isx86 (whenAtLeast "5.12" module); 496 DRM_GMA600 = lib.mkIf stdenv.hostPlatform.isx86 (whenOlder "5.13" yes); 497 DRM_GMA3600 = lib.mkIf stdenv.hostPlatform.isx86 (whenOlder "5.12" yes); 498 DRM_VMWGFX_FBCON = lib.mkIf stdenv.hostPlatform.isx86 (whenOlder "6.1" yes); 499 # (experimental) amdgpu support for verde and newer chipsets 500 DRM_AMDGPU_SI = yes; 501 # (stable) amdgpu support for bonaire and newer chipsets 502 DRM_AMDGPU_CIK = yes; 503 # Allow device firmware updates 504 DRM_DP_AUX_CHARDEV = whenOlder "6.10" yes; 505 DRM_DISPLAY_DP_AUX_CHARDEV = whenAtLeast "6.10" yes; 506 # amdgpu display core (DC) support 507 DRM_AMD_DC_DCN1_0 = whenOlder "5.6" yes; 508 DRM_AMD_DC_DCN2_0 = whenOlder "5.6" yes; 509 DRM_AMD_DC_DCN2_1 = whenOlder "5.6" yes; 510 DRM_AMD_DC_DCN3_0 = lib.mkIf (with stdenv.hostPlatform; isx86) (whenBetween "5.9" "5.11" yes); 511 DRM_AMD_DC_DCN = lib.mkIf (with stdenv.hostPlatform; isx86 || isPower64) ( 512 whenBetween "5.11" "6.4" yes 513 ); 514 DRM_AMD_DC_FP = whenAtLeast "6.4" yes; 515 DRM_AMD_DC_HDCP = whenBetween "5.5" "6.4" yes; 516 DRM_AMD_DC_SI = whenAtLeast "5.10" yes; 517 518 # Enable AMD Audio Coprocessor support for HDMI outputs 519 DRM_AMD_ACP = yes; 520 521 # Enable AMD secure display when available 522 DRM_AMD_SECURE_DISPLAY = lib.mkIf ( 523 with stdenv.hostPlatform; 524 (lib.versionAtLeast version "5.13" && (isx86 || isPower64)) 525 || (lib.versionAtLeast version "6.2" && isAarch64 && !stdenv.cc.isClang) 526 || (lib.versionAtLeast version "6.5" && isLoongArch64 && !stdenv.cc.isClang) 527 || (lib.versionAtLeast version "6.10" && isRiscV64 && !stdenv.cc.isClang) 528 ) yes; 
529 530 # Enable AMD image signal processor 531 DRM_AMD_ISP = whenAtLeast "6.11" yes; 532 533 # Enable new firmware (and by extension NVK) for compatible hardware on Nouveau 534 DRM_NOUVEAU_GSP_DEFAULT = whenAtLeast "6.8" yes; 535 536 # Enable Nouveau shared virtual memory (used by OpenCL) 537 DEVICE_PRIVATE = whenHasDevicePrivate yes; 538 DRM_NOUVEAU_SVM = whenHasDevicePrivate yes; 539 540 # Enable HDMI-CEC receiver support 541 RC_CORE = yes; 542 MEDIA_CEC_RC = whenAtLeast "5.10" yes; 543 544 # Enable CEC over DisplayPort 545 DRM_DP_CEC = whenOlder "6.10" yes; 546 DRM_DISPLAY_DP_AUX_CEC = whenAtLeast "6.10" yes; 547 } 548 // lib.optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") { 549 # Intel GVT-g graphics virtualization supports 64-bit only 550 DRM_I915_GVT = yes; 551 DRM_I915_GVT_KVMGT = module; 552 # Enable Hyper-V Synthetic DRM Driver 553 DRM_HYPERV = whenAtLeast "5.14" module; 554 # And disable the legacy framebuffer driver when we have the new one 555 FB_HYPERV = whenAtLeast "5.14" no; 556 } 557 // lib.optionalAttrs (stdenv.hostPlatform.system == "aarch64-linux") { 558 # enable HDMI-CEC on RPi boards 559 DRM_VC4_HDMI_CEC = yes; 560 # Enable HDMI out on platforms using the RK3588 lineup of SoCs. 561 ROCKCHIP_DW_HDMI_QP = whenAtLeast "6.13" yes; 562 }; 563 564 # Enable Rust and features that depend on it 565 # Use a lower priority to allow these options to be overridden in hardened/config.nix 566 rust = lib.optionalAttrs withRust { 567 RUST = yes; 568 569 # These don't technically require Rust but we probably want to get some more testing 570 # on the whole DRM panic setup before shipping it by default. 571 DRM_PANIC = whenAtLeast "6.12" yes; 572 DRM_PANIC_SCREEN = whenAtLeast "6.12" (freeform "kmsg"); 573 574 DRM_PANIC_SCREEN_QR_CODE = whenAtLeast "6.12" yes; 575 }; 576 577 sound = 578 { 579 SND_DYNAMIC_MINORS = yes; 580 SND_AC97_POWER_SAVE = yes; # AC97 Power-Saving Mode 581 # 10s for the idle timeout, Fedora does 1, Arch does 10. 
582 # The kernel says we should do 10. 583 # Read: https://docs.kernel.org/sound/designs/powersave.html 584 SND_AC97_POWER_SAVE_DEFAULT = freeform "10"; 585 SND_HDA_POWER_SAVE_DEFAULT = freeform "10"; 586 SND_HDA_INPUT_BEEP = yes; # Support digital beep via input layer 587 SND_HDA_RECONFIG = yes; # Support reconfiguration of jack functions 588 # Support configuring jack functions via fw mechanism at boot 589 SND_HDA_PATCH_LOADER = yes; 590 SND_HDA_CODEC_CA0132_DSP = whenOlder "5.7" yes; # Enable DSP firmware loading on Creative Soundblaster Z/Zx/ZxR/Recon 591 SND_HDA_CODEC_CS8409 = whenAtLeast "6.6" module; # Cirrus Logic HDA Bridge CS8409 592 SND_OSSEMUL = yes; 593 SND_USB_CAIAQ_INPUT = yes; 594 SND_USB_AUDIO_MIDI_V2 = whenAtLeast "6.5" yes; 595 # Enable Sound Open Firmware support 596 } 597 // lib.optionalAttrs 598 (stdenv.hostPlatform.system == "x86_64-linux" && lib.versionAtLeast version "5.5") 599 { 600 SND_SOC_INTEL_SOUNDWIRE_SOF_MACH = whenAtLeast "5.10" module; 601 SND_SOC_INTEL_USER_FRIENDLY_LONG_NAMES = whenAtLeast "5.10" yes; # dep of SOF_MACH 602 SND_SOC_SOF_INTEL_SOUNDWIRE_LINK = whenBetween "5.10" "5.11" yes; # dep of SOF_MACH 603 SND_SOC_SOF_TOPLEVEL = yes; 604 SND_SOC_SOF_ACPI = module; 605 SND_SOC_SOF_PCI = module; 606 SND_SOC_SOF_APOLLOLAKE = whenAtLeast "5.12" module; 607 SND_SOC_SOF_APOLLOLAKE_SUPPORT = whenOlder "5.12" yes; 608 SND_SOC_SOF_CANNONLAKE = whenAtLeast "5.12" module; 609 SND_SOC_SOF_CANNONLAKE_SUPPORT = whenOlder "5.12" yes; 610 SND_SOC_SOF_COFFEELAKE = whenAtLeast "5.12" module; 611 SND_SOC_SOF_COFFEELAKE_SUPPORT = whenOlder "5.12" yes; 612 SND_SOC_SOF_COMETLAKE = whenAtLeast "5.12" module; 613 SND_SOC_SOF_COMETLAKE_H_SUPPORT = whenOlder "5.8" yes; 614 SND_SOC_SOF_COMETLAKE_LP_SUPPORT = whenOlder "5.12" yes; 615 SND_SOC_SOF_ELKHARTLAKE = whenAtLeast "5.12" module; 616 SND_SOC_SOF_ELKHARTLAKE_SUPPORT = whenOlder "5.12" yes; 617 SND_SOC_SOF_GEMINILAKE = whenAtLeast "5.12" module; 618 SND_SOC_SOF_GEMINILAKE_SUPPORT = whenOlder "5.12" 
yes; 619 SND_SOC_SOF_HDA_AUDIO_CODEC = yes; 620 SND_SOC_SOF_HDA_COMMON_HDMI_CODEC = whenOlder "5.7" yes; 621 SND_SOC_SOF_HDA_LINK = yes; 622 SND_SOC_SOF_ICELAKE = whenAtLeast "5.12" module; 623 SND_SOC_SOF_ICELAKE_SUPPORT = whenOlder "5.12" yes; 624 SND_SOC_SOF_INTEL_TOPLEVEL = yes; 625 SND_SOC_SOF_JASPERLAKE = whenAtLeast "5.12" module; 626 SND_SOC_SOF_JASPERLAKE_SUPPORT = whenOlder "5.12" yes; 627 SND_SOC_SOF_MERRIFIELD = whenAtLeast "5.12" module; 628 SND_SOC_SOF_MERRIFIELD_SUPPORT = whenOlder "5.12" yes; 629 SND_SOC_SOF_TIGERLAKE = whenAtLeast "5.12" module; 630 SND_SOC_SOF_TIGERLAKE_SUPPORT = whenOlder "5.12" yes; 631 }; 632 633 usb = { 634 USB = yes; # compile USB core into kernel, so we can use USB_SERIAL_CONSOLE before modules 635 636 USB_EHCI_ROOT_HUB_TT = yes; # Root Hub Transaction Translators 637 USB_EHCI_TT_NEWSCHED = yes; # Improved transaction translator scheduling 638 USB_HIDDEV = yes; # USB Raw HID Devices (like monitor controls and Uninterruptable Power Supplies) 639 640 # default to dual role mode 641 USB_DWC2_DUAL_ROLE = yes; 642 USB_DWC3_DUAL_ROLE = yes; 643 }; 644 645 usb-serial = { 646 USB_SERIAL = yes; 647 USB_SERIAL_GENERIC = yes; # USB Generic Serial Driver 648 USB_SERIAL_CONSOLE = yes; # Allow using USB serial adapter as console 649 U_SERIAL_CONSOLE = whenAtLeast "5.10" yes; # Allow using USB gadget as console 650 }; 651 652 # Filesystem options - in particular, enable extended attributes and 653 # ACLs for all filesystems that support them. 
654 filesystem = { 655 FANOTIFY = yes; 656 FANOTIFY_ACCESS_PERMISSIONS = yes; 657 658 TMPFS = yes; 659 TMPFS_POSIX_ACL = yes; 660 FS_ENCRYPTION = yes; 661 662 EXT2_FS_XATTR = yes; 663 EXT2_FS_POSIX_ACL = yes; 664 EXT2_FS_SECURITY = yes; 665 666 EXT3_FS_POSIX_ACL = yes; 667 EXT3_FS_SECURITY = yes; 668 669 EXT4_FS_POSIX_ACL = yes; 670 EXT4_FS_SECURITY = yes; 671 672 NTFS_FS = whenBetween "5.15" "6.9" no; 673 NTFS3_LZX_XPRESS = whenAtLeast "5.15" yes; 674 NTFS3_FS_POSIX_ACL = whenAtLeast "5.15" yes; 675 676 REISERFS_FS_XATTR = option yes; 677 REISERFS_FS_POSIX_ACL = option yes; 678 REISERFS_FS_SECURITY = option yes; 679 680 JFS_POSIX_ACL = option yes; 681 JFS_SECURITY = option yes; 682 683 XFS_QUOTA = option yes; 684 XFS_POSIX_ACL = option yes; 685 XFS_RT = option yes; # XFS Realtime subvolume support 686 XFS_ONLINE_SCRUB = option yes; 687 688 OCFS2_DEBUG_MASKLOG = option no; 689 690 BTRFS_FS_POSIX_ACL = yes; 691 692 BCACHEFS_QUOTA = whenAtLeast "6.7" (option yes); 693 BCACHEFS_POSIX_ACL = whenAtLeast "6.7" (option yes); 694 695 UBIFS_FS_ADVANCED_COMPR = option yes; 696 697 F2FS_FS = module; 698 F2FS_FS_SECURITY = option yes; 699 F2FS_FS_COMPRESSION = whenAtLeast "5.6" yes; 700 UDF_FS = module; 701 702 NFSD_V2_ACL = whenOlder "5.10" yes; 703 NFSD_V3 = whenOlder "5.10" yes; 704 NFSD_V3_ACL = yes; 705 NFSD_V4 = yes; 706 NFSD_V4_SECURITY_LABEL = yes; 707 708 NFS_FS = module; 709 NFS_FSCACHE = yes; 710 NFS_SWAP = yes; 711 NFS_V3_ACL = yes; 712 NFS_V4_1 = yes; # NFSv4.1 client support 713 NFS_V4_2 = yes; 714 NFS_V4_SECURITY_LABEL = yes; 715 NFS_LOCALIO = whenAtLeast "6.12" yes; 716 717 CIFS_XATTR = yes; 718 CIFS_POSIX = option yes; 719 CIFS_FSCACHE = yes; 720 CIFS_WEAK_PW_HASH = whenOlder "5.15" yes; 721 CIFS_UPCALL = yes; 722 CIFS_DFS_UPCALL = yes; 723 724 CEPH_FSCACHE = yes; 725 CEPH_FS_POSIX_ACL = yes; 726 727 SQUASHFS_FILE_DIRECT = yes; 728 SQUASHFS_DECOMP_MULTI_PERCPU = whenOlder "6.2" yes; 729 SQUASHFS_CHOICE_DECOMP_BY_MOUNT = whenAtLeast "6.2" yes; 730 
SQUASHFS_XATTR = yes; 731 SQUASHFS_ZLIB = yes; 732 SQUASHFS_LZO = yes; 733 SQUASHFS_XZ = yes; 734 SQUASHFS_LZ4 = yes; 735 SQUASHFS_ZSTD = yes; 736 737 # Native Language Support modules, needed by some filesystems 738 NLS = yes; 739 NLS_DEFAULT = freeform "utf8"; 740 NLS_UTF8 = module; 741 NLS_CODEPAGE_437 = module; # VFAT default for the codepage= mount option 742 NLS_ISO8859_1 = module; # VFAT default for the iocharset= mount option 743 744 # Needed to use the installation iso image. Not included in all defconfigs (e.g. arm64) 745 ISO9660_FS = module; 746 747 DEVTMPFS = yes; 748 749 UNICODE = yes; # Casefolding support for filesystems 750 }; 751 752 security = 753 { 754 # Report BUG() conditions and kill the offending process. 755 BUG = yes; 756 BUG_ON_DATA_CORRUPTION = yes; 757 758 FORTIFY_SOURCE = option yes; 759 760 # Linked-list sanity checks, see https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html 761 DEBUG_LIST = yes; 762 763 HARDENED_USERCOPY = yes; 764 RANDOMIZE_BASE = option yes; 765 STRICT_KERNEL_RWX = yes; 766 STRICT_MODULE_RWX = yes; 767 STRICT_DEVMEM = lib.mkDefault yes; # Filter access to /dev/mem 768 IO_STRICT_DEVMEM = lib.mkDefault yes; 769 770 # Prevent processes from ptracing non-child processes 771 SECURITY_YAMA = option yes; 772 # The goal of Landlock is to make it possible to restrict ambient rights (e.g. global filesystem access) for a set of processes.
773 # This does not have any effect if a program does not support it 774 SECURITY_LANDLOCK = whenAtLeast "5.13" yes; 775 776 DEVKMEM = lib.mkIf (!stdenv.hostPlatform.isAarch64) (whenOlder "5.13" no); # Disable /dev/kmem 777 778 USER_NS = yes; # Support for user namespaces 779 780 SECURITY_APPARMOR = yes; 781 DEFAULT_SECURITY_APPARMOR = yes; 782 783 SECURITY_DMESG_RESTRICT = yes; 784 785 RANDOM_TRUST_CPU = whenOlder "6.2" yes; # allow RDRAND to seed the RNG 786 RANDOM_TRUST_BOOTLOADER = whenOlder "6.2" yes; # allow the bootloader to seed the RNG 787 788 MODULE_SIG = no; # off for reproducibility (r13y): signing generates a random key during build and bakes it in 789 # Depends on MODULE_SIG and only really helps when you sign your modules 790 # and enforce signatures, which we don't do by default. 791 SECURITY_LOCKDOWN_LSM = no; 792 793 # provides a register of persistent per-UID keyrings, useful for encrypting storage pools in stratis 794 PERSISTENT_KEYRINGS = yes; 795 # enable temporary caching of the last request_key() result 796 KEYS_REQUEST_CACHE = yes; 797 # randomized slab caches 798 RANDOM_KMALLOC_CACHES = whenAtLeast "6.6" yes; 799 800 # NIST SP800-90A DRBG modes - enabled by most distributions 801 # and required by some out-of-tree modules (ShuffleCake) 802 # This does not include the NSA-backdoored Dual-EC mode from the same NIST publication. 803 CRYPTO_DRBG_HASH = yes; 804 CRYPTO_DRBG_CTR = yes; 805 806 # Enable KFENCE 807 # See: https://docs.kernel.org/dev-tools/kfence.html 808 KFENCE = whenAtLeast "5.12" yes; 809 810 # Enable support for page poisoning. Still needs to be enabled on the command line to actually work. 
811 PAGE_POISONING = yes; 812 # Randomize page allocator when page_alloc.shuffle=1 813 SHUFFLE_PAGE_ALLOCATOR = yes; 814 815 INIT_ON_ALLOC_DEFAULT_ON = yes; 816 817 # Enable stack smashing protections in schedule() 818 # See: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v4.8&id=0d9e26329b0c9263d4d9e0422d80a0e73268c52f 819 SCHED_STACK_END_CHECK = yes; 820 821 # Enable separate slab buckets for user-controlled allocations 822 # See: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=67f2df3b82d091ed095d0e47e1f3a9d3e18e4e41 823 SLAB_BUCKETS = whenAtLeast "6.11" yes; 824 } 825 // lib.optionalAttrs stdenv.hostPlatform.isx86_64 { 826 # Enable Intel SGX 827 X86_SGX = whenAtLeast "5.11" yes; 828 # Allow KVM guests to load SGX enclaves 829 X86_SGX_KVM = whenAtLeast "5.13" yes; 830 831 # AMD Cryptographic Coprocessor (CCP) 832 CRYPTO_DEV_CCP = yes; 833 # AMD SME 834 AMD_MEM_ENCRYPT = yes; 835 # AMD SEV and AMD SEV-ES 836 KVM_AMD_SEV = yes; 837 # AMD SEV-SNP 838 SEV_GUEST = whenAtLeast "5.19" module; 839 # Shadow stacks 840 X86_USER_SHADOW_STACK = whenAtLeast "6.6" yes; 841 842 # Enable support for Intel Trust Domain Extensions (TDX) 843 INTEL_TDX_GUEST = whenAtLeast "5.19" yes; 844 TDX_GUEST_DRIVER = whenAtLeast "6.2" module; 845 846 # Mitigate straight-line speculation at the cost of some file size 847 SLS = whenBetween "5.17" "6.9" yes; 848 MITIGATION_SLS = whenAtLeast "6.9" yes; 849 850 DEFAULT_MMAP_MIN_ADDR = freeform "65536"; 851 } 852 // lib.optionalAttrs stdenv.hostPlatform.isAarch64 { 853 DEFAULT_MMAP_MIN_ADDR = freeform "32768"; 854 }; 855 856 microcode = { 857 MICROCODE = lib.mkIf stdenv.hostPlatform.isx86 yes; 858 MICROCODE_INTEL = lib.mkIf stdenv.hostPlatform.isx86 (whenOlder "6.6" yes); 859 MICROCODE_AMD = lib.mkIf stdenv.hostPlatform.isx86 (whenOlder "6.6" yes); 860 # Write Back Throttling 861 # https://lwn.net/Articles/682582/ 862 # https://bugzilla.kernel.org/show_bug.cgi?id=12309#c655 863 BLK_WBT = 
yes; 864 BLK_WBT_SQ = whenOlder "5.0" yes; # Removed in 5.0-RC1 865 BLK_WBT_MQ = yes; 866 }; 867 868 container = { 869 NAMESPACES = yes; # Required by 'unshare' used by 'nixos-install' 870 RT_GROUP_SCHED = no; 871 CGROUP_DEVICE = yes; 872 CGROUP_HUGETLB = yes; 873 CGROUP_PERF = yes; 874 CGROUP_RDMA = yes; 875 CGROUP_DMEM = whenAtLeast "6.14" yes; 876 877 MEMCG = yes; 878 MEMCG_SWAP = whenOlder "6.1" yes; 879 880 BLK_DEV_THROTTLING = yes; 881 CFQ_GROUP_IOSCHED = whenOlder "5.0" yes; # Removed in 5.0-RC1 882 CGROUP_PIDS = yes; 883 }; 884 885 staging = { 886 # Enable staging drivers. These are somewhat experimental, but 887 # they generally don't hurt. 888 STAGING = yes; 889 }; 890 891 proc-events = { 892 # PROC_EVENTS requires that the netlink connector is not built 893 # as a module. This is required by libcgroup's cgrulesengd. 894 CONNECTOR = yes; 895 PROC_EVENTS = yes; 896 }; 897 898 tracing = { 899 FTRACE = yes; 900 KPROBES = yes; 901 FUNCTION_TRACER = yes; 902 FTRACE_SYSCALLS = yes; 903 SCHED_TRACER = yes; 904 STACK_TRACER = yes; 905 UPROBE_EVENTS = option yes; 906 BPF_SYSCALL = yes; 907 BPF_UNPRIV_DEFAULT_OFF = whenBetween "5.10" "5.16" yes; 908 BPF_EVENTS = yes; 909 FUNCTION_PROFILER = yes; 910 RING_BUFFER_BENCHMARK = no; 911 }; 912 913 perf = { 914 # enable AMD Zen branch sampling if available 915 PERF_EVENTS_AMD_BRS = whenAtLeast "5.19" (option yes); 916 }; 917 918 virtualisation = { 919 PARAVIRT = option yes; 920 921 HYPERVISOR_GUEST = lib.mkIf stdenv.hostPlatform.isx86 yes; 922 PARAVIRT_SPINLOCKS = option yes; 923 924 KVM_ASYNC_PF = lib.mkIf (with stdenv.hostPlatform; isS390 || isx86) yes; 925 KVM_GENERIC_DIRTYLOG_READ_PROTECT = yes; 926 KVM_GUEST = lib.mkIf (with stdenv.hostPlatform; isPower || isx86) yes; 927 KVM_MMIO = yes; 928 KVM_VFIO = yes; 929 KSM = yes; 930 VIRT_DRIVERS = yes; 931 # We need 64 GB (PAE) support for Xen guest support 932 HIGHMEM64G = { 933 optional = true; 934 tristate = lib.mkIf (!stdenv.hostPlatform.is64bit) "y"; 935 }; 936 937 
VFIO_PCI_VGA = lib.mkIf stdenv.hostPlatform.isx86_64 yes; 938 939 UDMABUF = yes; 940 941 # VirtualBox guest drivers in the kernel conflict with the ones in the 942 # official additions package and prevent the vboxsf module from loading, 943 # so disable them for now. 944 VBOXGUEST = option no; 945 DRM_VBOXVIDEO = option no; 946 947 XEN = option yes; 948 XEN_DOM0 = option yes; 949 PCI_XEN = option yes; 950 HVC_XEN = option yes; 951 HVC_XEN_FRONTEND = option yes; 952 XEN_SYS_HYPERVISOR = option yes; 953 SWIOTLB_XEN = option yes; 954 XEN_BACKEND = option yes; 955 XEN_BALLOON = option yes; 956 XEN_BALLOON_MEMORY_HOTPLUG = option yes; 957 XEN_EFI = option yes; 958 XEN_HAVE_PVMMU = option yes; 959 XEN_MCE_LOG = option yes; 960 XEN_PVH = option yes; 961 XEN_PVHVM = option yes; 962 XEN_SAVE_RESTORE = option yes; 963 964 # Enable device detection on virtio-mmio hypervisors 965 VIRTIO_MMIO_CMDLINE_DEVICES = yes; 966 }; 967 968 media = { 969 MEDIA_DIGITAL_TV_SUPPORT = yes; 970 MEDIA_CAMERA_SUPPORT = yes; 971 MEDIA_CONTROLLER = yes; 972 MEDIA_PCI_SUPPORT = yes; 973 MEDIA_USB_SUPPORT = yes; 974 MEDIA_ANALOG_TV_SUPPORT = yes; 975 VIDEO_STK1160_COMMON = whenOlder "6.5" module; 976 }; 977 978 "9p" = { 979 # Enable the 9P cache to speed up NixOS VM tests. 
980 "9P_FSCACHE" = option yes; 981 "9P_FS_POSIX_ACL" = option yes; 982 }; 983 984 huge-page = { 985 TRANSPARENT_HUGEPAGE = option yes; 986 TRANSPARENT_HUGEPAGE_ALWAYS = option no; 987 TRANSPARENT_HUGEPAGE_MADVISE = option yes; 988 }; 989 990 zram = { 991 ZRAM = module; 992 ZRAM_WRITEBACK = option yes; 993 ZRAM_MULTI_COMP = whenAtLeast "6.2" yes; 994 ZRAM_BACKEND_842 = whenAtLeast "6.12" yes; 995 ZRAM_BACKEND_DEFLATE = whenAtLeast "6.12" yes; 996 ZRAM_BACKEND_LZ4 = whenAtLeast "6.12" yes; 997 ZRAM_BACKEND_LZ4HC = whenAtLeast "6.12" yes; 998 ZRAM_BACKEND_LZO = whenAtLeast "6.12" yes; 999 ZRAM_BACKEND_ZSTD = whenAtLeast "6.12" yes; 1000 ZRAM_DEF_COMP_ZSTD = whenAtLeast "5.11" yes; 1001 ZSWAP = option yes; 1002 ZSWAP_COMPRESSOR_DEFAULT_ZSTD = whenAtLeast "5.7" (lib.mkOptionDefault yes); 1003 ZPOOL = yes; 1004 ZSMALLOC = option yes; 1005 }; 1006 1007 brcmfmac = { 1008 # Enable PCIe and USB for the brcmfmac driver 1009 BRCMFMAC_USB = option yes; 1010 BRCMFMAC_PCIE = option yes; 1011 }; 1012 1013 # Support x2APIC (which requires IRQ remapping) 1014 x2apic = lib.optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") { 1015 X86_X2APIC = yes; 1016 IRQ_REMAP = yes; 1017 }; 1018 1019 # Disable various self-test modules that have no use in a production system 1020 tests = 1021 { 1022 # This menu disables all/most of them on >= 4.16 1023 RUNTIME_TESTING_MENU = option no; 1024 } 1025 // { 1026 CRC32_SELFTEST = option no; 1027 CRYPTO_TEST = option no; 1028 EFI_TEST = option no; 1029 GLOB_SELFTEST = option no; 1030 LOCK_TORTURE_TEST = option no; 1031 MTD_TESTS = option no; 1032 NOTIFIER_ERROR_INJECTION = option no; 1033 RCU_PERF_TEST = whenOlder "5.9" no; 1034 RCU_SCALE_TEST = whenAtLeast "5.10" no; 1035 TEST_ASYNC_DRIVER_PROBE = option no; 1036 WW_MUTEX_SELFTEST = option no; 1037 XZ_DEC_TEST = option no; 1038 }; 1039 1040 criu = { 1041 # Unconditionally enabled, because it is required for CRIU and 1042 # it provides the kcmp() system call that Mesa depends on. 
1043 CHECKPOINT_RESTORE = yes; 1044 1045 # Allows soft-dirty tracking on pages, used by CRIU. 1046 # See https://docs.kernel.org/admin-guide/mm/soft-dirty.html 1047 MEM_SOFT_DIRTY = lib.mkIf (with stdenv.hostPlatform; isS390 || isPower64 || isx86_64) yes; 1048 }; 1049 1050 misc = 1051 let 1052 # Use zstd for kernel compression if 64-bit and newer than 5.9, otherwise xz. 1053 # i686 issues: https://github.com/NixOS/nixpkgs/pull/117961#issuecomment-812106375 1054 useZstd = stdenv.buildPlatform.is64bit && lib.versionAtLeast version "5.9"; 1055 in 1056 { 1057 # stdenv.hostPlatform.linux-kernel.target assumes uncompressed on RISC-V. 1058 KERNEL_UNCOMPRESSED = lib.mkIf stdenv.hostPlatform.isRiscV yes; 1059 KERNEL_XZ = lib.mkIf (!stdenv.hostPlatform.isRiscV && !useZstd) yes; 1060 KERNEL_ZSTD = lib.mkIf ( 1061 with stdenv.hostPlatform; 1062 (isMips || isS390 || isx86 || (lib.versionAtLeast version "6.1" && isAarch64 || isLoongArch64)) 1063 && useZstd 1064 ) yes; 1065 1066 HID_BATTERY_STRENGTH = yes; 1067 # enabled by default in x86_64 but not arm64, so we do that here 1068 HIDRAW = yes; 1069 1070 # Enable loading HID fixups as eBPF from userspace 1071 HID_BPF = whenAtLeast "6.3" (whenPlatformHasEBPFJit yes); 1072 1073 HID_ACRUX_FF = yes; 1074 DRAGONRISE_FF = yes; 1075 GREENASIA_FF = yes; 1076 HOLTEK_FF = yes; 1077 INPUT_JOYSTICK = yes; 1078 JOYSTICK_PSXPAD_SPI_FF = yes; 1079 LOGIG940_FF = yes; 1080 NINTENDO_FF = whenAtLeast "5.16" yes; 1081 NVIDIA_SHIELD_FF = whenAtLeast "6.5" yes; 1082 PLAYSTATION_FF = whenAtLeast "5.12" yes; 1083 SONY_FF = yes; 1084 SMARTJOYPLUS_FF = yes; 1085 THRUSTMASTER_FF = yes; 1086 ZEROPLUS_FF = yes; 1087 1088 MODULE_COMPRESS = lib.mkMerge [ 1089 (whenOlder "5.13" yes) 1090 (whenAtLeast "6.12" yes) 1091 ]; 1092 MODULE_COMPRESS_ALL = whenAtLeast "6.12" yes; 1093 MODULE_COMPRESS_XZ = yes; 1094 1095 SYSVIPC = yes; # System-V IPC 1096 1097 AIO = yes; # POSIX asynchronous I/O 1098 1099 UNIX = yes; # Unix domain sockets. 
1100 1101 MD = yes; # Device mapper (RAID, LVM, etc.) 1102 1103 # enable support for device trees and overlays 1104 OF = option yes; 1105 OF_OVERLAY = option yes; 1106 1107 # Enable initrd support. 1108 BLK_DEV_INITRD = yes; 1109 1110 # Allows debugging systems that get stuck during suspend/resume 1111 PM_TRACE_RTC = lib.mkIf stdenv.hostPlatform.isx86 yes; 1112 1113 ACCESSIBILITY = yes; # Accessibility support 1114 AUXDISPLAY = yes; # Auxiliary Display support 1115 HIPPI = yes; 1116 MTD_COMPLEX_MAPPINGS = yes; # needed for many devices 1117 1118 SCSI_LOWLEVEL = yes; # enable lots of SCSI devices 1119 SCSI_LOWLEVEL_PCMCIA = yes; 1120 SCSI_SAS_ATA = yes; # added to enable detection of hard drive 1121 1122 SPI = yes; # needed for many devices 1123 SPI_MASTER = yes; 1124 1125 "8139TOO_8129" = yes; 1126 "8139TOO_PIO" = no; # PIO is slower 1127 1128 AIC79XX_DEBUG_ENABLE = no; 1129 AIC7XXX_DEBUG_ENABLE = no; 1130 AIC94XX_DEBUG = no; 1131 1132 BLK_DEV_INTEGRITY = yes; 1133 BLK_DEV_ZONED = yes; 1134 1135 BLK_SED_OPAL = yes; 1136 1137 # Enable support for block layer inline encryption 1138 BLK_INLINE_ENCRYPTION = whenAtLeast "5.8" yes; 1139 # ...but fall back to CPU encryption if unavailable 1140 BLK_INLINE_ENCRYPTION_FALLBACK = whenAtLeast "5.8" yes; 1141 1142 BSD_PROCESS_ACCT_V3 = yes; 1143 1144 SERIAL_DEV_BUS = yes; # enables support for serial devices 1145 SERIAL_DEV_CTRL_TTYPORT = yes; # enables support for TTY serial devices 1146 1147 BT_HCIBTUSB_MTK = yes; # MediaTek protocol support 1148 1149 BT_HCIUART = module; # required for BT devices with serial port interface (QCA6390) 1150 BT_HCIUART_BCM = option yes; # Broadcom Bluetooth support 1151 BT_HCIUART_BCSP = option yes; # CSR BlueCore support 1152 BT_HCIUART_H4 = option yes; # UART (H4) protocol support 1153 BT_HCIUART_LL = option yes; # Texas Instruments BRF 1154 BT_HCIUART_QCA = yes; # Qualcomm Atheros support 1155 BT_HCIUART_SERDEV = yes; # required by BT_HCIUART_QCA 1156 1157 BT_RFCOMM_TTY = option yes; # RFCOMM 
TTY support 1158 BT_QCA = module; # enables QCA6390 bluetooth 1159 1160 # Removed on 5.17 as it was unused 1161 # upstream: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0a4ee518185e902758191d968600399f3bc2be31 1162 CLEANCACHE = whenOlder "5.17" (option yes); 1163 1164 FSCACHE_STATS = yes; 1165 1166 DVB_DYNAMIC_MINORS = option yes; # we use udev 1167 1168 EFI_STUB = yes; # EFI bootloader in the bzImage itself 1169 EFI_GENERIC_STUB_INITRD_CMDLINE_LOADER = whenOlder "6.2" (whenAtLeast "5.8" yes); # initrd kernel parameter for EFI 1170 1171 # Generic compression support for EFI payloads 1172 # Add new platforms only after they have been verified to build and boot. 1173 # This is unsupported on x86 due to a custom decompression mechanism. 1174 EFI_ZBOOT = lib.mkIf stdenv.hostPlatform.isAarch64 (whenAtLeast "6.1" yes); 1175 1176 CGROUPS = yes; # used by systemd 1177 FHANDLE = yes; # used by systemd 1178 SECCOMP = yes; # used by systemd >= 231 1179 SECCOMP_FILTER = yes; # ditto 1180 POSIX_MQUEUE = yes; 1181 FRONTSWAP = whenOlder "6.6" yes; 1182 FUSION = yes; # Fusion MPT device support 1183 IDE = lib.mkIf (with stdenv.hostPlatform; isAarch32 || isM68k || isMips || isPower || isx86) ( 1184 whenOlder "5.14" no 1185 ); # deprecated IDE support, removed in 5.14 1186 IDLE_PAGE_TRACKING = yes; 1187 1188 JOYSTICK_XPAD_FF = option yes; # X-Box gamepad rumble support 1189 JOYSTICK_XPAD_LEDS = option yes; # LED Support for Xbox360 controller 'BigX' LED 1190 1191 KEYBOARD_APPLESPI = lib.mkIf stdenv.hostPlatform.isx86 module; 1192 1193 KEXEC_FILE = option yes; 1194 KEXEC_JUMP = option yes; 1195 1196 PARTITION_ADVANCED = yes; # Needed for LDM_PARTITION 1197 # Windows Logical Disk Manager (Dynamic Disk) support 1198 LDM_PARTITION = yes; 1199 LOGIRUMBLEPAD2_FF = yes; # Logitech Rumblepad 2 force feedback 1200 LOGO = no; # not needed 1201 MEDIA_ATTACH = yes; 1202 MEGARAID_NEWGEN = yes; 1203 1204 MLX5_CORE_EN = option yes; 1205 1206 NVME_MULTIPATH = yes; 
1207 1208 NVME_AUTH = lib.mkMerge [ 1209 (whenBetween "6.0" "6.7" yes) 1210 (whenAtLeast "6.7" module) 1211 ]; 1212 1213 NVME_HOST_AUTH = whenAtLeast "6.7" yes; 1214 NVME_TCP_TLS = whenAtLeast "6.7" yes; 1215 1216 NVME_TARGET = module; 1217 NVME_TARGET_PASSTHRU = whenAtLeast "5.9" yes; 1218 NVME_TARGET_AUTH = whenAtLeast "6.0" yes; 1219 NVME_TARGET_TCP_TLS = whenAtLeast "6.7" yes; 1220 1221 PCI_P2PDMA = lib.mkIf (stdenv.hostPlatform.is64bit) yes; 1222 1223 PSI = yes; 1224 1225 MOUSE_ELAN_I2C_SMBUS = yes; 1226 MOUSE_PS2_ELANTECH = yes; # Elantech PS/2 protocol extension 1227 MOUSE_PS2_VMMOUSE = lib.mkIf stdenv.hostPlatform.isx86 yes; 1228 MTRR_SANITIZER = lib.mkIf stdenv.hostPlatform.isx86 yes; 1229 NET_FC = yes; # Fibre Channel driver support 1230 # Needed for touchpads to work on some AMD laptops 1231 PINCTRL_AMD = whenAtLeast "5.19" yes; 1232 # GPIO on Intel Bay Trail, for some Chromebook internal eMMC disks 1233 PINCTRL_BAYTRAIL = lib.mkIf stdenv.hostPlatform.isx86 yes; 1234 # GPIO for Braswell and Cherryview devices 1235 # Needs to be built-in to for integrated keyboards to function properly 1236 PINCTRL_CHERRYVIEW = lib.mkIf stdenv.hostPlatform.isx86 yes; 1237 # 8 is default. Modern gpt tables on eMMC may go far beyond 8. 
1238 MMC_BLOCK_MINORS = freeform "32"; 1239 1240 REGULATOR = yes; # Voltage and Current Regulator Support 1241 RC_DEVICES = option yes; # Enable IR devices 1242 RC_DECODERS = option yes; # Required for IR devices to work 1243 1244 RT2800USB_RT53XX = yes; 1245 RT2800USB_RT55XX = yes; 1246 1247 SCHED_AUTOGROUP = yes; 1248 CFS_BANDWIDTH = yes; 1249 1250 SCSI_LOGGING = yes; # SCSI logging facility 1251 SERIAL_8250 = yes; # 8250/16550 and compatible serial support 1252 1253 SLAB_FREELIST_HARDENED = yes; 1254 SLAB_FREELIST_RANDOM = yes; 1255 1256 SLIP_COMPRESSED = yes; # CSLIP compressed headers 1257 SLIP_SMART = yes; 1258 1259 HWMON = yes; 1260 THERMAL_HWMON = yes; # Hardware monitoring support 1261 NVME_HWMON = whenAtLeast "5.5" yes; # NVMe drives temperature reporting 1262 UEVENT_HELPER = no; 1263 1264 USERFAULTFD = yes; 1265 X86_CHECK_BIOS_CORRUPTION = lib.mkIf stdenv.hostPlatform.isx86 yes; 1266 X86_MCE = lib.mkIf stdenv.hostPlatform.isx86 yes; 1267 1268 RAS = yes; # Needed for EDAC support 1269 1270 # Our initrd init uses shebang scripts, so can't be modular. 
1271 BINFMT_SCRIPT = yes; 1272 # For systemd-binfmt 1273 BINFMT_MISC = option yes; 1274 1275 # Required for EDID overriding 1276 FW_LOADER = yes; 1277 # Disable the firmware helper fallback, udev doesn't implement it any more 1278 FW_LOADER_USER_HELPER_FALLBACK = option no; 1279 1280 FW_LOADER_COMPRESS = yes; 1281 FW_LOADER_COMPRESS_ZSTD = whenAtLeast "5.19" yes; 1282 1283 HOTPLUG_PCI_ACPI = yes; # PCI hotplug using ACPI 1284 HOTPLUG_PCI_PCIE = yes; # PCI-Expresscard hotplug support 1285 1286 # Enable AMD's ROCm GPU compute stack 1287 HSA_AMD = lib.mkIf stdenv.hostPlatform.is64bit (yes); 1288 ZONE_DEVICE = lib.mkIf stdenv.hostPlatform.is64bit (yes); 1289 HMM_MIRROR = yes; 1290 DRM_AMDGPU_USERPTR = yes; 1291 1292 PREEMPT = no; 1293 PREEMPT_VOLUNTARY = yes; 1294 1295 X86_AMD_PLATFORM_DEVICE = lib.mkIf stdenv.hostPlatform.isx86 yes; 1296 X86_PLATFORM_DRIVERS_DELL = lib.mkIf stdenv.hostPlatform.isx86 (whenAtLeast "5.12" yes); 1297 X86_PLATFORM_DRIVERS_HP = lib.mkIf stdenv.hostPlatform.isx86 (whenAtLeast "6.1" yes); 1298 1299 LIRC = yes; 1300 1301 SCHED_CORE = whenAtLeast "5.14" yes; 1302 SCHED_CLASS_EXT = whenAtLeast "6.12" (whenPlatformHasEBPFJit yes); 1303 1304 LRU_GEN = whenAtLeast "6.1" yes; 1305 LRU_GEN_ENABLED = whenAtLeast "6.1" yes; 1306 1307 FSL_MC_UAPI_SUPPORT = lib.mkIf (stdenv.hostPlatform.system == "aarch64-linux") ( 1308 whenAtLeast "5.12" yes 1309 ); 1310 1311 ASHMEM = { 1312 optional = true; 1313 tristate = whenBetween "5.0" "5.18" "y"; 1314 }; 1315 ANDROID = { 1316 optional = true; 1317 tristate = whenBetween "5.0" "5.19" "y"; 1318 }; 1319 ANDROID_BINDER_IPC = { 1320 optional = true; 1321 tristate = whenAtLeast "5.0" "y"; 1322 }; 1323 ANDROID_BINDERFS = { 1324 optional = true; 1325 tristate = whenAtLeast "5.0" "y"; 1326 }; 1327 ANDROID_BINDER_DEVICES = { 1328 optional = true; 1329 freeform = whenAtLeast "5.0" "binder,hwbinder,vndbinder"; 1330 }; 1331 1332 TASKSTATS = yes; 1333 TASK_DELAY_ACCT = yes; 1334 TASK_XACCT = yes; 1335 TASK_IO_ACCOUNTING = yes; 
1336 1337 # Fresh toolchains frequently break -Werror build for minor issues. 1338 WERROR = whenAtLeast "5.15" no; 1339 1340 # > CONFIG_KUNIT should not be enabled in a production environment. Enabling KUnit disables Kernel Address-Space Layout Randomization (KASLR), and tests may affect the state of the kernel in ways not suitable for production. 1341 # https://www.kernel.org/doc/html/latest/dev-tools/kunit/start.html 1342 KUNIT = whenAtLeast "5.5" no; 1343 1344 # Set system time from RTC on startup and resume 1345 RTC_HCTOSYS = option yes; 1346 1347 # Expose watchdog information in sysfs 1348 WATCHDOG_SYSFS = yes; 1349 1350 # Enable generic kernel watch queues 1351 # See https://docs.kernel.org/core-api/watch_queue.html 1352 WATCH_QUEUE = whenAtLeast "5.8" yes; 1353 } 1354 // 1355 lib.optionalAttrs 1356 (stdenv.hostPlatform.system == "x86_64-linux" || stdenv.hostPlatform.system == "aarch64-linux") 1357 { 1358 # Enable CPU/memory hotplug support 1359 # Allows you to dynamically add & remove CPUs/memory to a VM client running NixOS without requiring a reboot 1360 ACPI_HOTPLUG_CPU = yes; 1361 ACPI_HOTPLUG_MEMORY = yes; 1362 MEMORY_HOTPLUG = yes; 1363 MEMORY_HOTPLUG_DEFAULT_ONLINE = whenOlder "6.14" yes; 1364 MHP_DEFAULT_ONLINE_TYPE_ONLINE_AUTO = whenAtLeast "6.14" yes; 1365 MEMORY_HOTREMOVE = yes; 1366 HOTPLUG_CPU = yes; 1367 MIGRATION = yes; 1368 SPARSEMEM = yes; 1369 1370 # Bump the maximum number of CPUs to support systems like EC2 x1.* 1371 # instances and Xeon Phi. 1372 NR_CPUS = freeform "384"; 1373 1374 # Enable LEDS to display link-state status of PHY devices (i.e. 
eth lan/wan interfaces) 1375 LED_TRIGGER_PHY = yes; 1376 1377 # Required for various hardware features on Chrome OS devices 1378 CHROME_PLATFORMS = yes; 1379 CHROMEOS_TBMC = module; 1380 CROS_EC = module; 1381 CROS_EC_I2C = module; 1382 CROS_EC_SPI = module; 1383 CROS_KBD_LED_BACKLIGHT = module; 1384 TCG_TIS_SPI_CR50 = whenAtLeast "5.5" yes; 1385 } 1386 // 1387 lib.optionalAttrs 1388 (stdenv.hostPlatform.system == "armv7l-linux" || stdenv.hostPlatform.system == "aarch64-linux") 1389 { 1390 # Enables support for the Allwinner Display Engine 2.0 1391 SUN8I_DE2_CCU = yes; 1392 1393 # See comments on https://github.com/NixOS/nixpkgs/commit/9b67ea9106102d882f53d62890468071900b9647 1394 CRYPTO_AEGIS128_SIMD = no; 1395 1396 # Distros should configure the default as a kernel option. 1397 # We previously defined it on the kernel command line as cma= 1398 # The kernel command line will override a platform-specific configuration from its device tree. 1399 # https://github.com/torvalds/linux/blob/856deb866d16e29bd65952e0289066f6078af773/kernel/dma/contiguous.c#L35-L44 1400 CMA_SIZE_MBYTES = freeform "32"; 1401 1402 # Add debug interfaces for CMA 1403 CMA_DEBUGFS = yes; 1404 CMA_SYSFS = whenAtLeast "5.13" yes; 1405 1406 # https://docs.kernel.org/arch/arm/mem_alignment.html 1407 # tldr: 1408 # when buggy userspace code emits illegal misaligned LDM, STM, 1409 # LDRD and STRDs, the instructions trap, are caught, and then 1410 # are emulated by the kernel. 1411 # 1412 # This is the default on armv7l, anyway, but it is explicitly 1413 # enabled here for the sake of providing context for the 1414 # aarch64 compat option which follows. 
1415 ALIGNMENT_TRAP = lib.mkIf (stdenv.hostPlatform.system == "armv7l-linux") yes; 1416 1417 # https://patchwork.kernel.org/project/linux-arm-kernel/patch/20220701135322.3025321-1-ardb@kernel.org/ 1418 # tldr: 1419 # when encountering alignment faults under aarch64, this option 1420 # makes the kernel attempt to handle the fault by doing the 1421 # same style of misaligned emulation that is performed under 1422 # armv7l (see above option). 1423 # 1424 # This minimizes the potential for aarch32 userspace to behave 1425 # differently when run under aarch64 kernels compared to when 1426 # it is run under an aarch32 kernel. 1427 COMPAT_ALIGNMENT_FIXUPS = lib.mkIf (stdenv.hostPlatform.system == "aarch64-linux") ( 1428 whenAtLeast "6.1" yes 1429 ); 1430 1431 # requirement for CP15_BARRIER_EMULATION 1432 ARMV8_DEPRECATED = lib.mkIf (stdenv.hostPlatform.system == "aarch64-linux") yes; 1433 # emulate a specific armv7 instruction that was removed from armv8 1434 # this instruction is required to build a native armv7 nodejs on an 1435 # aarch64-linux builder, for example 1436 CP15_BARRIER_EMULATION = lib.mkIf (stdenv.hostPlatform.system == "aarch64-linux") yes; 1437 } 1438 // lib.optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") { 1439 CROS_EC_LPC = module; 1440 CROS_EC_ISHTP = module; 1441 1442 CHROMEOS_LAPTOP = module; 1443 CHROMEOS_PSTORE = module; 1444 1445 # Enable x86 resource control 1446 X86_CPU_RESCTRL = whenAtLeast "5.0" yes; 1447 1448 # Enable TSX on CPUs where it's not vulnerable 1449 X86_INTEL_TSX_MODE_AUTO = yes; 1450 1451 # Enable AMD Wi-Fi RF band mitigations 1452 # See https://cateee.net/lkddb/web-lkddb/AMD_WBRF.html 1453 AMD_WBRF = whenAtLeast "6.8" yes; 1454 1455 # Enable Intel Turbo Boost Max 3.0 1456 INTEL_TURBO_MAX_3 = yes; 1457 }; 1458 1459 accel = { 1460 # Build DRM accelerator devices 1461 DRM_ACCEL = whenAtLeast "6.2" yes; 1462 }; 1463 }; 1464in 1465flattenKConf options