pyrox.dev / nixpkgs
lol
fork atom

LInux Hardened Kernel Updates for 2024-12-25 (#368235)

authored by Fabián Heredia Montiel and committed by GitHub dc1d7543 162b4bf7

+33 -44
unified split
+3 -3
pkgs/os-specific/linux/kernel/common-config.nix
··· 533 # Enable Rust and features that depend on it 534 # Use a lower priority to allow these options to be overridden in hardened/config.nix 535 rust = lib.optionalAttrs withRust { 536 - RUST = lib.mkDefault yes; 537 538 # These don't technically require Rust but we probably want to get some more testing 539 # on the whole DRM panic setup before shipping it by default. 540 DRM_PANIC = whenAtLeast "6.12" yes; 541 DRM_PANIC_SCREEN = whenAtLeast "6.12" (freeform "kmsg"); 542 543 - DRM_PANIC_SCREEN_QR_CODE = lib.mkDefault (whenAtLeast "6.12" yes); 544 }; 545 546 sound = ··· 1256 LIRC = yes; 1257 1258 SCHED_CORE = whenAtLeast "5.14" yes; 1259 - SCHED_CLASS_EXT = lib.mkDefault (whenAtLeast "6.12" yes); 1260 1261 LRU_GEN = whenAtLeast "6.1" yes; 1262 LRU_GEN_ENABLED = whenAtLeast "6.1" yes;
··· 533 # Enable Rust and features that depend on it 534 # Use a lower priority to allow these options to be overridden in hardened/config.nix 535 rust = lib.optionalAttrs withRust { 536 + RUST = yes; 537 538 # These don't technically require Rust but we probably want to get some more testing 539 # on the whole DRM panic setup before shipping it by default. 540 DRM_PANIC = whenAtLeast "6.12" yes; 541 DRM_PANIC_SCREEN = whenAtLeast "6.12" (freeform "kmsg"); 542 543 + DRM_PANIC_SCREEN_QR_CODE = whenAtLeast "6.12" yes; 544 }; 545 546 sound = ··· 1256 LIRC = yes; 1257 1258 SCHED_CORE = whenAtLeast "5.14" yes; 1259 + SCHED_CLASS_EXT = whenAtLeast "6.12" yes; 1260 1261 LRU_GEN = whenAtLeast "6.1" yes; 1262 LRU_GEN_ENABLED = whenAtLeast "6.1" yes;
-11
pkgs/os-specific/linux/kernel/hardened/config.nix
··· 38 DEBUG_PLIST = whenAtLeast "5.2" yes; 39 DEBUG_SG = yes; 40 DEBUG_VIRTUAL = yes; 41 - # Set in common config as whenAtLeast "6.12" yes; Currently errors during config 42 - SCHED_CLASS_EXT = whenAtLeast "6.12" (option yes); 43 SCHED_STACK_END_CHECK = yes; 44 45 REFCOUNT_FULL = whenOlder "5.4.208" yes; ··· 68 PANIC_TIMEOUT = freeform "-1"; 69 70 GCC_PLUGINS = yes; # Enable gcc plugin options 71 - # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. 72 - GCC_PLUGIN_LATENT_ENTROPY = yes; 73 74 GCC_PLUGIN_STRUCTLEAK = option yes; # A port of the PaX structleak plugin 75 GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = option yes; # Also cover structs passed by address ··· 87 UBSAN_LOCAL_BOUNDS = option yes; # clang only 88 CFI_CLANG = option yes; # clang only Control Flow Integrity since 6.1 89 90 - # Same as GCC_PLUGIN_RANDSTRUCT*, but has been renamed to `RANDSTRUCT*` in 5.19. 91 - RANDSTRUCT = whenAtLeast "5.19" yes; 92 - RANDSTRUCT_PERFORMANCE = whenAtLeast "5.19" yes; 93 - 94 # Disable various dangerous settings 95 ACPI_CUSTOM_METHOD = whenOlder "6.9" no; # Allows writing directly to physical memory 96 PROC_KCORE = no; # Exposes kernel text image layout ··· 118 119 # not needed for less than a decade old glibc versions 120 LEGACY_VSYSCALL_NONE = yes; 121 - 122 - RUST = option yes; # Yes currently erros on 6.12 123 - DRM_PANIC_SCREEN_QR_CODE = whenAtLeast "6.12" (option yes); 124 }
··· 38 DEBUG_PLIST = whenAtLeast "5.2" yes; 39 DEBUG_SG = yes; 40 DEBUG_VIRTUAL = yes; 41 SCHED_STACK_END_CHECK = yes; 42 43 REFCOUNT_FULL = whenOlder "5.4.208" yes; ··· 66 PANIC_TIMEOUT = freeform "-1"; 67 68 GCC_PLUGINS = yes; # Enable gcc plugin options 69 70 GCC_PLUGIN_STRUCTLEAK = option yes; # A port of the PaX structleak plugin 71 GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = option yes; # Also cover structs passed by address ··· 83 UBSAN_LOCAL_BOUNDS = option yes; # clang only 84 CFI_CLANG = option yes; # clang only Control Flow Integrity since 6.1 85 86 # Disable various dangerous settings 87 ACPI_CUSTOM_METHOD = whenOlder "6.9" no; # Allows writing directly to physical memory 88 PROC_KCORE = no; # Exposes kernel text image layout ··· 110 111 # not needed for less than a decade old glibc versions 112 LEGACY_VSYSCALL_NONE = yes; 113 }
+30 -30
pkgs/os-specific/linux/kernel/hardened/patches.json
··· 2 "5.10": { 3 "patch": { 4 "extra": "-hardened1", 5 - "name": "linux-hardened-v5.10.231-hardened1.patch", 6 - "sha256": "1hjk2scmks3z78i4lzkjm7lcv2m94cv8mmpixw8ylxjfhq1hksv4", 7 - "url": "https://github.com/anthraxx/linux-hardened/releases/download/v5.10.231-hardened1/linux-hardened-v5.10.231-hardened1.patch" 8 }, 9 - "sha256": "0xcnlz5ib4b368z5cyp4qwys3jsbm18wlvwn73rzj2j6rj1lhnjn", 10 - "version": "5.10.231" 11 }, 12 "5.15": { 13 "patch": { 14 "extra": "-hardened1", 15 - "name": "linux-hardened-v5.15.174-hardened1.patch", 16 - "sha256": "1583qbknmqf8fhm95jdpr4qw8i7nq2103ba5wsrn87w43m14s2z8", 17 - "url": "https://github.com/anthraxx/linux-hardened/releases/download/v5.15.174-hardened1/linux-hardened-v5.15.174-hardened1.patch" 18 }, 19 - "sha256": "02kn9nvaa36s070k235lk9x6n40l2zlwj4v6i2y6nnx0cjw3rrn3", 20 - "version": "5.15.174" 21 }, 22 "5.4": { 23 "patch": { 24 "extra": "-hardened1", 25 - "name": "linux-hardened-v5.4.287-hardened1.patch", 26 - "sha256": "08abr58k2ha29x72mpz49ivzmm5bhv6fflxwm0lhmijwqly2p05d", 27 - "url": "https://github.com/anthraxx/linux-hardened/releases/download/v5.4.287-hardened1/linux-hardened-v5.4.287-hardened1.patch" 28 }, 29 - "sha256": "082bq26bwi8jxfbk840wf9awm5l65aya4bg43im9qvqfpzjzl3qd", 30 - "version": "5.4.287" 31 }, 32 "6.1": { 33 "patch": { 34 "extra": "-hardened1", 35 - "name": "linux-hardened-v6.1.120-hardened1.patch", 36 - "sha256": "1x9nl76186ij447x2xrrrls9xaj97rdw4b6v4dnsyg9qjx846lp6", 37 - "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.1.120-hardened1/linux-hardened-v6.1.120-hardened1.patch" 38 }, 39 - "sha256": "06gp5fdq0bc39hd8mf9mrdrygdybdr3nzsb58lcapf5vmjw9gjb1", 40 - "version": "6.1.120" 41 }, 42 "6.11": { 43 "patch": { ··· 52 "6.12": { 53 "patch": { 54 "extra": "-hardened1", 55 - "name": "linux-hardened-v6.12.5-hardened1.patch", 56 - "sha256": "07rb0wf647qjdkir2p0bxf625bhbjlqhdv5wrjfc5c0dhrlikihr", 57 - "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.12.5-hardened1/linux-hardened-v6.12.5-hardened1.patch" 58 }, 59 - "sha256": "1k9bc0lpgg29bh7zqz3pm91hhjnfyl5aw6r6hph3ha743k77y81r", 60 - "version": "6.12.5" 61 }, 62 "6.6": { 63 "patch": { 64 "extra": "-hardened1", 65 - "name": "linux-hardened-v6.6.66-hardened1.patch", 66 - "sha256": "04m65bfmahjq29qy9lbzhyqz7a0yahgfjq8d1ck5z4y0x3yvpggp", 67 - "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.6.66-hardened1/linux-hardened-v6.6.66-hardened1.patch" 68 }, 69 - "sha256": "0lhy5waj330hmaxbqpfw2fxzkvvlxxs1nr325i8jy736qhvpjxcx", 70 - "version": "6.6.66" 71 } 72 }
··· 2 "5.10": { 3 "patch": { 4 "extra": "-hardened1", 5 + "name": "linux-hardened-v5.10.232-hardened1.patch", 6 + "sha256": "1bfhnj6k65q6kjlxbxqfzq2l81dvbfdc4khn7n0zp6vm37a34c74", 7 + "url": "https://github.com/anthraxx/linux-hardened/releases/download/v5.10.232-hardened1/linux-hardened-v5.10.232-hardened1.patch" 8 }, 9 + "sha256": "1w5ycdh24j4gsjc2zk7nhbmya59vhi49lbh8333ziprqlj4lb97x", 10 + "version": "5.10.232" 11 }, 12 "5.15": { 13 "patch": { 14 "extra": "-hardened1", 15 + "name": "linux-hardened-v5.15.175-hardened1.patch", 16 + "sha256": "1j7z487n26jd8npylddflpdksrwk7b7xck2gblsd1rp1zgpd0q4g", 17 + "url": "https://github.com/anthraxx/linux-hardened/releases/download/v5.15.175-hardened1/linux-hardened-v5.15.175-hardened1.patch" 18 }, 19 + "sha256": "1l59x1f1b29mayhzxxkh9vlba41h51mmfh1vram31bks1v4bpn4g", 20 + "version": "5.15.175" 21 }, 22 "5.4": { 23 "patch": { 24 "extra": "-hardened1", 25 + "name": "linux-hardened-v5.4.288-hardened1.patch", 26 + "sha256": "0zqc0xblfy2rj1n8mr2q07apcq1rmqshsi15881df4ml5lkq4y62", 27 + "url": "https://github.com/anthraxx/linux-hardened/releases/download/v5.4.288-hardened1/linux-hardened-v5.4.288-hardened1.patch" 28 }, 29 + "sha256": "1zhsb6gwhb6cvijzh7s8rnm4b06klyhb2mxb06gcyfvj0givlvw7", 30 + "version": "5.4.288" 31 }, 32 "6.1": { 33 "patch": { 34 "extra": "-hardened1", 35 + "name": "linux-hardened-v6.1.121-hardened1.patch", 36 + "sha256": "0m8gdp8jsv5nd5xpdcxq5jd88gcfajacm5v0fz1f5vlsgs4gazcg", 37 + "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.1.121-hardened1/linux-hardened-v6.1.121-hardened1.patch" 38 }, 39 + "sha256": "0hrv9l2m4yqhh6cwr8xj9jvx8y3sfwmd394g0f2iawrgc3d1dg6x", 40 + "version": "6.1.121" 41 }, 42 "6.11": { 43 "patch": { ··· 52 "6.12": { 53 "patch": { 54 "extra": "-hardened1", 55 + "name": "linux-hardened-v6.12.6-hardened1.patch", 56 + "sha256": "02c723gcbdzlgladhw3mpvavz8zy5aq4ncqljrxipia419giw7g7", 57 + "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.12.6-hardened1/linux-hardened-v6.12.6-hardened1.patch" 58 }, 59 + "sha256": "17lwn89903ffyi2b29j59c1gsczsc1kj3x70hnxziqg4blhsnl6l", 60 + "version": "6.12.6" 61 }, 62 "6.6": { 63 "patch": { 64 "extra": "-hardened1", 65 + "name": "linux-hardened-v6.6.67-hardened1.patch", 66 + "sha256": "0p6vilg82pcsqmy336157b06v1fbyx8mkzpgccpmgk77wprzd438", 67 + "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.6.67-hardened1/linux-hardened-v6.6.67-hardened1.patch" 68 }, 69 + "sha256": "06iy243l7c2nldamq0nzbkwxrqr7sg0p89gdp3ib18s2xj1a87g4", 70 + "version": "6.6.67" 71 } 72 }