LInux Hardened Kernel Updates for 2024-12-25 (#368235)

authored by Fabián Heredia Montiel and committed by GitHub dc1d7543 162b4bf7

+33 -44
+3 -3
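--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -533,14 +533,14 @@
     # Enable Rust and features that depend on it
     # Use a lower priority to allow these options to be overridden in hardened/config.nix
     rust = lib.optionalAttrs withRust {
-      RUST = lib.mkDefault yes;
+      RUST = yes;
 
       # These don't technically require Rust but we probably want to get some more testing
       # on the whole DRM panic setup before shipping it by default.
       DRM_PANIC = whenAtLeast "6.12" yes;
       DRM_PANIC_SCREEN = whenAtLeast "6.12" (freeform "kmsg");
 
-      DRM_PANIC_SCREEN_QR_CODE = lib.mkDefault (whenAtLeast "6.12" yes);
+      DRM_PANIC_SCREEN_QR_CODE = whenAtLeast "6.12" yes;
     };
 
     sound =
@@ -1256,7 +1256,7 @@
       LIRC = yes;
 
       SCHED_CORE = whenAtLeast "5.14" yes;
-      SCHED_CLASS_EXT = lib.mkDefault (whenAtLeast "6.12" yes);
+      SCHED_CLASS_EXT = whenAtLeast "6.12" yes;
 
       LRU_GEN = whenAtLeast "6.1" yes;
       LRU_GEN_ENABLED = whenAtLeast "6.1" yes;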
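Review bot: The comment kept two lines above the changed `RUST` line, `# Use a lower priority to allow these options to be overridden in hardened/config.nix`, is now stale: with `lib.mkDefault` dropped from `RUST`, `DRM_PANIC_SCREEN_QR_CODE` and (second hunk) `SCHED_CLASS_EXT`, these become ordinary assignments that hardened/config.nix can only override with `lib.mkForce`, which is presumably not the intent the comment describes. Either reword it, e.g. `# These values are fixed here; hardened/config.nix no longer overrides them`, or keep `lib.mkDefault` on the options an override is still wanted for. Both hunks sit inside attribute sets whose start and end are outside the hunk.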
-11
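--- a/pkgs/os-specific/linux/kernel/hardened/config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened/config.nix
@@ -38,8 +38,6 @@
   DEBUG_PLIST = whenAtLeast "5.2" yes;
   DEBUG_SG = yes;
   DEBUG_VIRTUAL = yes;
-  # Set in common config as whenAtLeast "6.12" yes; Currently errors during config
-  SCHED_CLASS_EXT = whenAtLeast "6.12" (option yes);
   SCHED_STACK_END_CHECK = yes;
 
   REFCOUNT_FULL = whenOlder "5.4.208" yes;
@@ -68,8 +66,6 @@
   PANIC_TIMEOUT = freeform "-1";
 
   GCC_PLUGINS = yes; # Enable gcc plugin options
-  # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
-  GCC_PLUGIN_LATENT_ENTROPY = yes;
 
   GCC_PLUGIN_STRUCTLEAK = option yes; # A port of the PaX structleak plugin
   GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = option yes; # Also cover structs passed by address
@@ -87,10 +83,6 @@
   UBSAN_LOCAL_BOUNDS = option yes; # clang only
   CFI_CLANG = option yes; # clang only Control Flow Integrity since 6.1
 
-  # Same as GCC_PLUGIN_RANDSTRUCT*, but has been renamed to `RANDSTRUCT*` in 5.19.
-  RANDSTRUCT = whenAtLeast "5.19" yes;
-  RANDSTRUCT_PERFORMANCE = whenAtLeast "5.19" yes;
-
   # Disable various dangerous settings
   ACPI_CUSTOM_METHOD = whenOlder "6.9" no; # Allows writing directly to physical memory
   PROC_KCORE = no; # Exposes kernel text image layout
@@ -118,7 +110,4 @@
 
   # not needed for less than a decade old glibc versions
   LEGACY_VSYSCALL_NONE = yes;
-
-  RUST = option yes; # Yes currently erros on 6.12
-  DRM_PANIC_SCREEN_QR_CODE = whenAtLeast "6.12" (option yes);
 }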
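Review bot: The second and third hunks delete `GCC_PLUGIN_LATENT_ENTROPY`, `RANDSTRUCT` and `RANDSTRUCT_PERFORMANCE` from the hardened profile without setting them anywhere else in this commit and without a comment, so the profile loses structure-layout randomization and the boot-time latent-entropy plugin and a reader of the file cannot tell whether that is deliberate. If the motivation is that `RUST`, now an unconditional `yes` in common-config.nix, has a Kconfig dependency on `!RANDSTRUCT`, that trade-off belongs in the file, e.g. `# RANDSTRUCT* intentionally unset: CONFIG_RUST depends on !RANDSTRUCT (revisit if Rust becomes optional here)`, and the latent-entropy removal needs its own stated reason or should be restored, since I see nothing on this page that ties it to Rust. Alternatively, if a `withRust`-style flag is reachable from this file, the three options could stay behind a condition on it rather than be dropped for every hardened build. The enclosing attribute set begins outside the hunks.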
+30 -30
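--- a/pkgs/os-specific/linux/kernel/hardened/patches.json
+++ b/pkgs/os-specific/linux/kernel/hardened/patches.json
@@ -2,42 +2,42 @@
   "5.10": {
     "patch": {
       "extra": "-hardened1",
-      "name": "linux-hardened-v5.10.231-hardened1.patch",
-      "sha256": "1hjk2scmks3z78i4lzkjm7lcv2m94cv8mmpixw8ylxjfhq1hksv4",
-      "url": "https://github.com/anthraxx/linux-hardened/releases/download/v5.10.231-hardened1/linux-hardened-v5.10.231-hardened1.patch"
+      "name": "linux-hardened-v5.10.232-hardened1.patch",
+      "sha256": "1bfhnj6k65q6kjlxbxqfzq2l81dvbfdc4khn7n0zp6vm37a34c74",
+      "url": "https://github.com/anthraxx/linux-hardened/releases/download/v5.10.232-hardened1/linux-hardened-v5.10.232-hardened1.patch"
     },
-    "sha256": "0xcnlz5ib4b368z5cyp4qwys3jsbm18wlvwn73rzj2j6rj1lhnjn",
-    "version": "5.10.231"
+    "sha256": "1w5ycdh24j4gsjc2zk7nhbmya59vhi49lbh8333ziprqlj4lb97x",
+    "version": "5.10.232"
   },
   "5.15": {
     "patch": {
       "extra": "-hardened1",
-      "name": "linux-hardened-v5.15.174-hardened1.patch",
-      "sha256": "1583qbknmqf8fhm95jdpr4qw8i7nq2103ba5wsrn87w43m14s2z8",
-      "url": "https://github.com/anthraxx/linux-hardened/releases/download/v5.15.174-hardened1/linux-hardened-v5.15.174-hardened1.patch"
+      "name": "linux-hardened-v5.15.175-hardened1.patch",
+      "sha256": "1j7z487n26jd8npylddflpdksrwk7b7xck2gblsd1rp1zgpd0q4g",
+      "url": "https://github.com/anthraxx/linux-hardened/releases/download/v5.15.175-hardened1/linux-hardened-v5.15.175-hardened1.patch"
     },
-    "sha256": "02kn9nvaa36s070k235lk9x6n40l2zlwj4v6i2y6nnx0cjw3rrn3",
-    "version": "5.15.174"
+    "sha256": "1l59x1f1b29mayhzxxkh9vlba41h51mmfh1vram31bks1v4bpn4g",
+    "version": "5.15.175"
   },
   "5.4": {
     "patch": {
       "extra": "-hardened1",
-      "name": "linux-hardened-v5.4.287-hardened1.patch",
-      "sha256": "08abr58k2ha29x72mpz49ivzmm5bhv6fflxwm0lhmijwqly2p05d",
-      "url": "https://github.com/anthraxx/linux-hardened/releases/download/v5.4.287-hardened1/linux-hardened-v5.4.287-hardened1.patch"
+      "name": "linux-hardened-v5.4.288-hardened1.patch",
+      "sha256": "0zqc0xblfy2rj1n8mr2q07apcq1rmqshsi15881df4ml5lkq4y62",
+      "url": "https://github.com/anthraxx/linux-hardened/releases/download/v5.4.288-hardened1/linux-hardened-v5.4.288-hardened1.patch"
     },
-    "sha256": "082bq26bwi8jxfbk840wf9awm5l65aya4bg43im9qvqfpzjzl3qd",
-    "version": "5.4.287"
+    "sha256": "1zhsb6gwhb6cvijzh7s8rnm4b06klyhb2mxb06gcyfvj0givlvw7",
+    "version": "5.4.288"
   },
   "6.1": {
     "patch": {
       "extra": "-hardened1",
-      "name": "linux-hardened-v6.1.120-hardened1.patch",
-      "sha256": "1x9nl76186ij447x2xrrrls9xaj97rdw4b6v4dnsyg9qjx846lp6",
-      "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.1.120-hardened1/linux-hardened-v6.1.120-hardened1.patch"
+      "name": "linux-hardened-v6.1.121-hardened1.patch",
+      "sha256": "0m8gdp8jsv5nd5xpdcxq5jd88gcfajacm5v0fz1f5vlsgs4gazcg",
+      "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.1.121-hardened1/linux-hardened-v6.1.121-hardened1.patch"
     },
-    "sha256": "06gp5fdq0bc39hd8mf9mrdrygdybdr3nzsb58lcapf5vmjw9gjb1",
-    "version": "6.1.120"
+    "sha256": "0hrv9l2m4yqhh6cwr8xj9jvx8y3sfwmd394g0f2iawrgc3d1dg6x",
+    "version": "6.1.121"
   },
   "6.11": {
     "patch": {
@@ -52,21 +52,21 @@
   "6.12": {
     "patch": {
       "extra": "-hardened1",
-      "name": "linux-hardened-v6.12.5-hardened1.patch",
-      "sha256": "07rb0wf647qjdkir2p0bxf625bhbjlqhdv5wrjfc5c0dhrlikihr",
-      "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.12.5-hardened1/linux-hardened-v6.12.5-hardened1.patch"
+      "name": "linux-hardened-v6.12.6-hardened1.patch",
+      "sha256": "02c723gcbdzlgladhw3mpvavz8zy5aq4ncqljrxipia419giw7g7",
+      "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.12.6-hardened1/linux-hardened-v6.12.6-hardened1.patch"
     },
-    "sha256": "1k9bc0lpgg29bh7zqz3pm91hhjnfyl5aw6r6hph3ha743k77y81r",
-    "version": "6.12.5"
+    "sha256": "17lwn89903ffyi2b29j59c1gsczsc1kj3x70hnxziqg4blhsnl6l",
+    "version": "6.12.6"
   },
   "6.6": {
     "patch": {
       "extra": "-hardened1",
-      "name": "linux-hardened-v6.6.66-hardened1.patch",
-      "sha256": "04m65bfmahjq29qy9lbzhyqz7a0yahgfjq8d1ck5z4y0x3yvpggp",
-      "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.6.66-hardened1/linux-hardened-v6.6.66-hardened1.patch"
+      "name": "linux-hardened-v6.6.67-hardened1.patch",
+      "sha256": "0p6vilg82pcsqmy336157b06v1fbyx8mkzpgccpmgk77wprzd438",
+      "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.6.67-hardened1/linux-hardened-v6.6.67-hardened1.patch"
     },
-    "sha256": "0lhy5waj330hmaxbqpfw2fxzkvvlxxs1nr325i8jy736qhvpjxcx",
-    "version": "6.6.66"
+    "sha256": "06iy243l7c2nldamq0nzbkwxrqr7sg0p89gdp3ib18s2xj1a87g4",
+    "version": "6.6.67"
   }
 }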