linux: drop `*_latest_hardened`-attributes in favor of versioned attributes

The problem behind this is that the hardened patchset[1]. Quite recently
this led to a weird problem when Linux 5.12 was dropped (and thus had to
be removed from `nixpkgs`): there were no patches for 5.13, so
`linuxPackages_hardened_latest` had to be downgraded to 5.10 as base[2],
which may be rather unintuitive and unexpected.

To avoid this kind of "silent downgrade" in the future, it makes sense
to drop the attribute entirely. If somebody wants to use a hardened
kernel, it's better to explicitly pin it using the newly introduced
versioned attributes, e.g. `linuxPackages_4_14_hardened`.

[1] https://github.com/anthraxx/linux-hardened/
[2] https://github.com/NixOS/nixpkgs/pull/133587

+47 -7
+10
nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
··· 717 717 option was removed and HTTPS is always used. 718 718 </para> 719 719 </listitem> 720 + <listitem> 721 + <para> 722 + The attribute <literal>linuxPackages_latest_hardened</literal> 723 + was dropped because the hardened patches lag behind the 724 + upstream kernel which made version bumps harder. If you want 725 + to use a hardened kernel, please pin it explicitly with a 726 + versioned attribute such as 727 + <literal>linuxPackages_5_10_hardened</literal>. 728 + </para> 729 + </listitem> 720 730 </itemizedlist> 721 731 </section> 722 732 <section xml:id="sec-release-21.11-notable-changes">
+5
nixos/doc/manual/release-notes/rl-2111.section.md
··· 183 183 184 184 - The `kubernetes` package was upgraded to 1.22. The `kubernetes.apiserver.kubeletHttps` option was removed and HTTPS is always used. 185 185 186 + - The attribute `linuxPackages_latest_hardened` was dropped because the hardened patches 187 + lag behind the upstream kernel which made version bumps harder. If you want to use 188 + a hardened kernel, please pin it explicitly with a versioned attribute such as 189 + `linuxPackages_5_10_hardened`. 190 + 186 191 ## Other Notable Changes {#sec-release-21.11-notable-changes} 187 192 188 193 - The setting [`services.openssh.logLevel`](options.html#opt-services.openssh.logLevel) `"VERBOSE"` `"INFO"`. This brings NixOS in line with upstream and other Linux distributions, and reduces log spam on servers due to bruteforcing botnets.
+5
nixos/tests/kernel-generic.nix
··· 33 33 linux_5_10 = makeKernelTest "5.10" linuxPackages_5_10; 34 34 linux_5_13 = makeKernelTest "5.13" linuxPackages_5_13; 35 35 36 + linux_hardened_4_14 = makeKernelTest "4.14" linuxPackages_4_14_hardened; 37 + linux_hardened_4_19 = makeKernelTest "4.19" linuxPackages_4_19_hardened; 38 + linux_hardened_5_4 = makeKernelTest "5.4" linuxPackages_5_4_hardened; 39 + linux_hardened_5_10 = makeKernelTest "5.10" linuxPackages_5_10_hardened; 40 + 36 41 linux_testing = makeKernelTest "testing" linuxPackages_testing; 37 42 }
+14
pkgs/top-level/aliases.nix
··· 448 448 linuxPackages_xen_dom0_hardened = linuxPackages_hardened; 449 449 linuxPackages_latest_xen_dom0_hardened = linuxPackages_latest_hardened; 450 450 451 + # added 2021-08-16 452 + linuxPackages_latest_hardened = throw '' 453 + The attribute `linuxPackages_hardened_latest' was dropped because the hardened patches 454 + frequently lag behind the upstream kernel. In some cases this meant that this attribute 455 + had to refer to an older kernel[1] because the latest hardened kernel was EOL and 456 + the latest supported kernel didn't have patches. 457 + 458 + If you want to use a hardened kernel, please check which kernel minors are supported 459 + and use a versioned attribute, e.g. `linuxPackages_5_10_hardened'. 460 + 461 + [1] for more context: https://github.com/NixOS/nixpkgs/pull/133587 462 + ''; 463 + linux_latest_hardened = linuxPackages_latest_hardened; 464 + 451 465 linux-steam-integration = throw "linux-steam-integration has been removed, as the upstream project has been abandoned"; # added 2020-05-22 452 466 loadcaffe = throw "loadcaffe has been removed, as the upstream project has been abandoned"; # added 2020-03-28 453 467 lobster-two = google-fonts; # added 2021-07-22
+13 -7
pkgs/top-level/all-packages.nix
··· 21553 21553 linuxPackages_testing_bcachefs = recurseIntoAttrs (linuxPackagesFor pkgs.linux_testing_bcachefs); 21554 21554 21555 21555 # Hardened Linux 21556 - hardenedLinuxPackagesFor = kernel': overrides: 21557 - let # Note: We use this hack since the hardened patches can lag behind and we don't want to delay updates: 21558 - linux_latest_for_hardened = pkgs.linux_5_10; 21559 - kernel = (if kernel' == pkgs.linux_latest then linux_latest_for_hardened else kernel').override overrides; 21560 - in linuxPackagesFor (kernel.override { 21556 + hardenedLinuxPackagesFor = kernel: overrides: 21557 + linuxPackagesFor (kernel.override { 21561 21558 structuredExtraConfig = import ../os-specific/linux/kernel/hardened/config.nix { 21562 21559 inherit lib; 21563 21560 inherit (kernel) version; ··· 21572 21569 linuxPackages_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux { }); 21573 21570 linux_hardened = linuxPackages_hardened.kernel; 21574 21571 21575 - linuxPackages_latest_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux_latest { }); 21576 - linux_latest_hardened = linuxPackages_latest_hardened.kernel; 21572 + linuxPackages_4_14_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux_4_14 { }); 21573 + linux_4_14_hardened = linuxPackages_4_14_hardened.kernel; 21574 + 21575 + linuxPackages_4_19_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux_4_19 { }); 21576 + linux_4_19_hardened = linuxPackages_4_19_hardened.kernel; 21577 + 21578 + linuxPackages_5_4_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux_5_4 { }); 21579 + linux_5_4_hardened = linuxPackages_5_4_hardened.kernel; 21580 + 21581 + linuxPackages_5_10_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux_5_10 { }); 21582 + linux_5_10_hardened = linuxPackages_5_10_hardened.kernel; 21577 21583 21578 21584 # Hardkernel (Odroid) kernels. 
21579 21585 linuxPackages_hardkernel_4_14 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_hardkernel_4_14);
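Review bot: The release-note entry in nixos/doc/manual/release-notes/rl-2111.section.md names only `linuxPackages_latest_hardened`, but the commit also removes `linux_latest_hardened` (it becomes a throwing alias in aliases.nix and its definition is deleted from all-packages.nix), so users of the bare kernel attribute get no hint from the notes; list both names in the bullet. Since from_md/release-notes/rl-2111.section.xml is generated from the markdown, regenerate it after that change rather than editing the XML by hand, so the two hunks stay in sync.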
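Review bot: In nixos/tests/kernel-generic.nix the new test names (`linux_hardened_4_14`, ...) do not mirror the attributes they exercise (`linuxPackages_4_14_hardened`) or the neighbouring `linux_5_10` / `linux_5_13` entries; naming them `linux_4_14_hardened` etc. keeps test name and attribute name grep-compatible. The four series are also a second copy of the list introduced in all-packages.nix, so retiring a series means touching both places; a shared list (or deriving the tests from the `linuxPackages_*_hardened` attributes) would avoid the two drifting apart.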
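Review bot: In pkgs/top-level/aliases.nix the thrown message says "The attribute `linuxPackages_hardened_latest' was dropped", but the attribute actually being removed (the alias key on the line above, and the name used in the release note) is `linuxPackages_latest_hardened`; someone grepping their configuration for the name in the error will not find it. Fix the name, and since `linux_latest_hardened = linuxPackages_latest_hardened;` reuses the same throw, either mention both names in the text or give `linux_latest_hardened` its own throw so its error does not talk about a different attribute. The message also tells the user to "check which kernel minors are supported" without saying where; naming the `linuxPackages_<minor>_hardened` attribute set as the place to look would make it actionable.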
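Review bot: In pkgs/top-level/all-packages.nix, removing the `linux_latest_for_hardened` hack from `hardenedLinuxPackagesFor` addresses the latest attribute, but `linuxPackages_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux { });` keeps the same implicit coupling the commit message describes: when `pkgs.linux` is bumped to a series that has no hardened patches yet, this attribute will break at evaluation or build time instead of silently downgrading. Either state that trade-off in the commit message and release note, or define `linuxPackages_hardened` as an explicit alias of the newest `linuxPackages_<minor>_hardened` so the choice is visible in one place. The four new `linuxPackages_X_Y_hardened` / `linux_X_Y_hardened` pairs are boilerplate that could be generated from a single list of supported series (e.g. with `lib.genAttrs`), which would also keep them in step with the list added to kernel-generic.nix.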