# WARNING/NOTE: whenever you want to add an option here you need to either
# * mark it as an optional one with `option`,
# * or make sure it works for all the versions in nixpkgs,
# * or check for which kernel versions it will work (using kernel
#   changelog, google or whatever) and mark it with `whenOlder` or
#   `whenAtLeast`.
# Then do test your change by building all the kernels (or at least
# their configs) in Nixpkgs or else you will guarantee lots and lots
# of pain to users trying to switch to an older kernel because of some
# hardware problems with a new one.

# Configuration
#
# Arguments as used below: `version` is the kernel version that the
# when* helpers and lib.versionAtLeast compare against, `rustAvailable`
# and `features.rust` feed the `withRust` decision, and `stdenv` supplies
# the host platform / compiler predicates.
{
  lib,
  stdenv,
  version,
  rustAvailable,

  features ? { },
}:

with lib.kernel;
with (lib.kernel.whenHelpers version);

let
  # configuration items have to be part of a subattrs
  #
  # Merges the per-topic groups into one flat set: lib.zipAttrs collects,
  # for every option name, the list of values found across all groups.
  # An option that appears in more than one group is rejected with a
  # `throw` instead of letting one definition silently win.
  flattenKConf =
    nested:
    lib.mapAttrs (
      name: values:
      if lib.length values == 1 then
        lib.head values
      else
        throw "duplicate kernel configuration option: ${name}"
    ) (lib.zipAttrs (lib.attrValues nested));

  # lib.mkIf wrapper that is true only on the host platforms listed here
  # (used below to gate the BPF JIT options).
  whenPlatformHasEBPFJit = lib.mkIf (
    stdenv.hostPlatform.isAarch32
    || stdenv.hostPlatform.isAarch64
    || stdenv.hostPlatform.isx86_64
    || (stdenv.hostPlatform.isPower && stdenv.hostPlatform.is64bit)
    || (stdenv.hostPlatform.isMips && stdenv.hostPlatform.is64bit)
  );

  # `features.rust = true` force-enables Rust; defaults to false when unset.
  forceRust = features.rust or false;
  # Architecture support collected from HAVE_RUST Kconfig definitions and the following table:
  # https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/rust/arch-support.rst
  rustByDefault = (
    lib.versionAtLeast version "6.12"
    && (
      stdenv.hostPlatform.isx86_64
      || stdenv.hostPlatform.isLoongArch64
      || stdenv.hostPlatform.isAarch64
      || (stdenv.hostPlatform.isRiscV64 && !stdenv.cc.isGNU)
    )
  );

  # Final Rust decision: forced, or available and supported by default.
  # `a -> b` is logical implication, so each warning can only fire when
  # Rust is forced while the right-hand condition is false.
  # NOTE(review): the two lib.warnIfNot calls are chained by plain function
  # application (the first one is handed the second `lib.warnIfNot` as its
  # value); this relies on warnIfNot returning that value unchanged - confirm
  # against lib before reformatting.
  withRust =
    lib.warnIfNot (forceRust -> rustAvailable)
      "force-enabling Rust for Linux without an available rustc"
      lib.warnIfNot
      (forceRust -> rustByDefault)
      "force-enabling Rust for Linux on an unsupported kernel version, host platform or compiler"
      (forceRust || (rustAvailable && rustByDefault));

  # Option groups, keyed by topic. The group names are only for
  # organisation; every option name must be unique across groups
  # (see flattenKConf above).
  options = {

    debug = {
      # Necessary for BTF and crashkernel
      DEBUG_INFO = yes;
      DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT = whenAtLeast "5.18" yes;
      # Reduced debug info conflicts with BTF and has been enabled in
      # aarch64 defconfig since 5.13
      DEBUG_INFO_REDUCED = whenAtLeast "5.13" (option no);
      DEBUG_INFO_BTF = option yes;
      # Allow loading modules with mismatched BTFs
      # FIXME: figure out how to actually make BTFs reproducible instead
      # See https://github.com/NixOS/nixpkgs/pull/181456 for details.
      MODULE_ALLOW_BTF_MISMATCH = whenAtLeast "5.18" (option yes);
      BPF_LSM = whenAtLeast "5.7" (option yes);
      DEBUG_KERNEL = yes;
      DEBUG_DEVRES = no;
      DYNAMIC_DEBUG = yes;
      DEBUG_STACK_USAGE = no;
      RCU_TORTURE_TEST = no;
      SCHEDSTATS = yes;
      DETECT_HUNG_TASK = yes;
      CRASH_DUMP = yes;
      # Easier debugging of NFS issues.
      SUNRPC_DEBUG = yes;
      # Provide access to tunables like sched_migration_cost_ns
      SCHED_DEBUG = whenOlder "6.15" yes;

      # Count IRQ and steal CPU time separately
      IRQ_TIME_ACCOUNTING = yes;
      PARAVIRT_TIME_ACCOUNTING = yes;

      # Enable CPU lockup detection
      LOCKUP_DETECTOR = yes;
      SOFTLOCKUP_DETECTOR = yes;
      HARDLOCKUP_DETECTOR = lib.mkIf (
        with stdenv.hostPlatform; isPower || isx86 || lib.versionAtLeast version "6.5"
      ) yes;

      # Enable streaming logs to a remote device over a network
      # NOTE(review): netconsole sends kernel log lines as plain UDP; it is
      # built as a module here, so it only matters once loaded and pointed
      # at a target. Treat the receiving network as sensitive.
      NETCONSOLE = module;
      NETCONSOLE_DYNAMIC = yes;

      # Export known printks in debugfs
      PRINTK_INDEX = whenAtLeast "5.15" yes;

      # Enable crashkernel support
      PROC_VMCORE = yes;

      # Track memory leaks and performance issues related to allocations.
      MEM_ALLOC_PROFILING = whenAtLeast "6.10" yes;
      MEM_ALLOC_PROFILING_ENABLED_BY_DEFAULT = whenAtLeast "6.10" yes;
    };

    power-management = {
      CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = yes;
      CPU_FREQ_GOV_SCHEDUTIL = yes;
      PM_DEBUG = yes;
      PM_ADVANCED_DEBUG = yes;
      PM_WAKELOCKS = yes;
      POWERCAP = yes;
      # ACPI Firmware Performance Data Table Support
      ACPI_FPDT = whenAtLeast "5.12" (option yes);
      # ACPI Heterogeneous Memory Attribute Table Support
      ACPI_HMAT = option yes;
      # ACPI Platform Error Interface
      ACPI_APEI = (option yes);
      # APEI Generic Hardware Error Source
      ACPI_APEI_GHES = (option yes);

      # Without this, on some hardware the kernel fails at some
      # point after the EFI stub has executed but before a console
      # is set up. Regardless, it's good to have the extra debug
      # anyway.
      ACPI_DEBUG = yes;

      # Enable lazy RCUs for power savings:
      # https://lore.kernel.org/rcu/20221019225138.GA2499943@paulmck-ThinkPad-P17-Gen-1/
      # RCU_LAZY depends on RCU_NOCB_CPU depends on NO_HZ_FULL
      # depends on HAVE_VIRT_CPU_ACCOUNTING_GEN depends on 64BIT,
      # so we can't force-enable this
      RCU_LAZY = whenAtLeast "6.2" (option yes);

      # Auto suspend Bluetooth devices at idle
      BT_HCIBTUSB_AUTOSUSPEND = yes;

      # Expose cpufreq stats in sysfs
      CPU_FREQ_STAT = yes;

      # Enable CPU energy model for scheduling
      ENERGY_MODEL = whenAtLeast "5.0" yes;

      # Enable thermal interface netlink API
      THERMAL_NETLINK = whenAtLeast "5.9" yes;

      # Prefer power-efficient workqueue implementation to per-CPU workqueues,
      # which is slightly slower, but improves battery life.
      # This is opt-in per workqueue, and can be disabled globally with a kernel command line option.
      WQ_POWER_EFFICIENT_DEFAULT = yes;

      # Default SATA link power management to "medium with device initiated PM"
      # for some extra power savings.
      SATA_MOBILE_LPM_POLICY = whenAtLeast "5.18" (freeform "3");

      # GPIO power management
      POWER_RESET_GPIO = option yes;
      POWER_RESET_GPIO_RESTART = option yes;

      # Enable Pulse-Width-Modulation support, commonly used for fan and backlight.
      PWM = yes;
    }
    // lib.optionalAttrs (stdenv.hostPlatform.isx86) {
      INTEL_IDLE = yes;
      INTEL_RAPL = module;
      X86_INTEL_LPSS = yes;
      X86_INTEL_PSTATE = yes;
      X86_AMD_PSTATE = whenAtLeast "5.17" yes;
      # Intel DPTF (Dynamic Platform and Thermal Framework) Support
      ACPI_DPTF = whenAtLeast "5.10" yes;

      # Required to bring up some Bay Trail devices properly
      I2C = yes;
      I2C_DESIGNWARE_CORE = yes;
      I2C_DESIGNWARE_PLATFORM = yes;
      PMIC_OPREGION = whenAtLeast "5.10" yes;
      INTEL_SOC_PMIC = whenAtLeast "5.10" yes;
      BYTCRC_PMIC_OPREGION = whenAtLeast "5.10" yes;
      CHTCRC_PMIC_OPREGION = whenAtLeast "5.10" yes;
      XPOWER_PMIC_OPREGION = whenAtLeast "5.10" yes;
      BXT_WC_PMIC_OPREGION = whenAtLeast "5.10" yes;
      INTEL_SOC_PMIC_CHTWC = whenAtLeast "5.10" yes;
      CHT_WC_PMIC_OPREGION = whenAtLeast "5.10" yes;
      INTEL_SOC_PMIC_CHTDC_TI = whenAtLeast "5.10" yes;
      CHT_DC_TI_PMIC_OPREGION = whenAtLeast "5.10" yes;
      MFD_TPS68470 = whenBetween "5.10" "5.13" yes;
      TPS68470_PMIC_OPREGION = whenAtLeast "5.10" yes;

      # Enable Intel thermal hardware feedback
      INTEL_HFI_THERMAL = whenAtLeast "5.18" yes;
    };

    external-firmware = {
      # Support drivers that need external firmware.
      STANDALONE = no;
    };

    proc-config-gz = {
      # Make /proc/config.gz available
      # NOTE(review): this lets local users read the exact build
      # configuration, including which hardening options are set.
      IKCONFIG = yes;
      IKCONFIG_PROC = yes;
    };

    optimization = {
      X86_GENERIC = lib.mkIf (stdenv.hostPlatform.system == "i686-linux") yes;
      # Optimize with -O2, not -Os
      CC_OPTIMIZE_FOR_SIZE = no;
    };

    memory = {
      DAMON = whenAtLeast "5.15" yes;
      DAMON_VADDR = whenAtLeast "5.15" yes;
      DAMON_PADDR = whenAtLeast "5.16" yes;
      DAMON_SYSFS = whenAtLeast "5.18" yes;
      DAMON_DBGFS = whenBetween "5.15" "6.9" yes;
      DAMON_RECLAIM = whenAtLeast "5.16" yes;
      DAMON_LRU_SORT = whenAtLeast "6.0" yes;
      # Support recovering from memory failures on systems with ECC and MCA recovery.
      MEMORY_FAILURE = yes;

      # Collect ECC errors and retire pages that fail too often
      RAS_CEC = lib.mkIf stdenv.hostPlatform.isx86 yes;
    }
    // lib.optionalAttrs (stdenv.hostPlatform.is32bit) {
      # Enable access to the full memory range (aka PAE) on 32-bit architectures
      # This check isn't super accurate but it's close enough
      HIGHMEM = option yes;
      BOUNCE = option yes;
    };

    memtest = {
      MEMTEST = yes;
    };

    # Include the CFQ I/O scheduler in the kernel, rather than as a
    # module, so that the initrd gets a good I/O scheduler.
    scheduler = {
      IOSCHED_CFQ = whenOlder "5.0" yes; # Removed in 5.0-RC1
      BLK_CGROUP = yes; # required by CFQ
      BLK_CGROUP_IOLATENCY = yes;
      BLK_CGROUP_IOCOST = yes;
      IOSCHED_DEADLINE = whenOlder "5.0" yes; # Removed in 5.0-RC1
      MQ_IOSCHED_DEADLINE = yes;
      BFQ_GROUP_IOSCHED = yes;
      MQ_IOSCHED_KYBER = yes;
      IOSCHED_BFQ = module;
      # Enable CPU utilization clamping for RT tasks
      UCLAMP_TASK = yes;
      UCLAMP_TASK_GROUP = yes;
    };

    timer = {
      # Enable Full Dynticks System.
      # NO_HZ_FULL depends on HAVE_VIRT_CPU_ACCOUNTING_GEN depends on 64BIT
      NO_HZ_FULL = lib.mkIf stdenv.hostPlatform.is64bit yes;
    };

    # Enable NUMA.
numa = {
  NUMA = option yes;
  NUMA_BALANCING = option yes;
};

networking = {
  NET = yes;
  IP_ADVANCED_ROUTER = yes;
  IP_PNP = no;
  IP_ROUTE_MULTIPATH = yes;
  IP_VS_PROTO_TCP = yes;
  IP_VS_PROTO_UDP = yes;
  IP_VS_PROTO_ESP = yes;
  IP_VS_PROTO_AH = yes;
  IP_VS_IPV6 = yes;
  IP_DCCP_CCID3 = whenOlder "6.16" no; # experimental
  CLS_U32_PERF = yes;
  CLS_U32_MARK = yes;
  BPF_JIT = whenPlatformHasEBPFJit yes;
  # NOTE(review): explicitly left off (the commented-out `yes` and the
  # linked issue record why). With this off the BPF interpreter stays
  # available next to the JIT; upstream describes ALWAYS_ON as a
  # hardening measure, so revisit once the linked issue allows it.
  BPF_JIT_ALWAYS_ON = whenPlatformHasEBPFJit no; # whenPlatformHasEBPFJit yes; # see https://github.com/NixOS/nixpkgs/issues/79304
  HAVE_EBPF_JIT = whenPlatformHasEBPFJit yes;
  BPF_STREAM_PARSER = yes;
  XDP_SOCKETS = yes;
  XDP_SOCKETS_DIAG = yes;
  WAN = yes;
  TCP_CONG_ADVANCED = yes;
  TCP_CONG_CUBIC = yes; # This is the default congestion control algorithm since 2.6.19
  # Required by systemd per-cgroup firewalling
  CGROUP_BPF = option yes;
  CGROUP_NET_PRIO = yes; # Required by systemd
  IP_ROUTE_VERBOSE = yes;
  IP_MROUTE = yes;
  IP_MROUTE_MULTIPLE_TABLES = yes;
  IP_MULTICAST = yes;
  IP_MULTIPLE_TABLES = yes;
  IPV6 = yes;
  IPV6_ROUTER_PREF = yes;
  IPV6_ROUTE_INFO = yes;
  IPV6_OPTIMISTIC_DAD = yes;
  IPV6_MULTIPLE_TABLES = yes;
  IPV6_SUBTREES = yes;
  IPV6_MROUTE = yes;
  IPV6_MROUTE_MULTIPLE_TABLES = yes;
  IPV6_PIMSM_V2 = yes;
  IPV6_FOU_TUNNEL = module;
  IPV6_SEG6_LWTUNNEL = yes;
  IPV6_SEG6_HMAC = yes;
  IPV6_SEG6_BPF = yes;
  NET_CLS_BPF = module;
  NET_ACT_BPF = module;
  NET_SCHED = yes;
  NET_SCH_BPF = whenAtLeast "6.16" yes;
  L2TP_V3 = yes;
  L2TP_IP = module;
  L2TP_ETH = module;
  BRIDGE_VLAN_FILTERING = yes;
  BONDING = module;
  NET_L3_MASTER_DEV = option yes;
  NET_FOU_IP_TUNNELS = option yes;
  IP_NF_TARGET_REDIRECT = module;
  NETKIT = whenAtLeast "6.7" yes;

  PPP_MULTILINK = yes; # PPP multilink support
  PPP_FILTER = yes;

  # needed for iwd WPS support (wpa_supplicant replacement)
  KEY_DH_OPERATIONS = yes;

  # needed for nftables
  # Networking Options
  NETFILTER = yes;
  NETFILTER_ADVANCED = yes;
  # Core Netfilter Configuration
  NF_CONNTRACK_ZONES = yes;
  NF_CONNTRACK_EVENTS = yes;
  NF_CONNTRACK_TIMEOUT = yes;
  NF_CONNTRACK_TIMESTAMP = yes;
  NETFILTER_NETLINK_GLUE_CT = yes;
  NF_TABLES_INET = yes;
  NF_TABLES_NETDEV = yes;
  NFT_REJECT_NETDEV = whenAtLeast "5.11" module;

  # IP: Netfilter Configuration
  NF_TABLES_IPV4 = yes;
  NF_TABLES_ARP = yes;
  # IPv6: Netfilter Configuration
  NF_TABLES_IPV6 = yes;
  # Bridge Netfilter Configuration
  NF_TABLES_BRIDGE = module;
  # Expose some debug info
  NF_CONNTRACK_PROCFS = yes;
  NF_FLOW_TABLE_PROCFS = whenAtLeast "6.0" yes;

  # needed for `dropwatch`
  # Builtin-only since https://github.com/torvalds/linux/commit/f4b6bcc7002f0e3a3428bac33cf1945abff95450
  NET_DROP_MONITOR = yes;

  # needed for ss
  # Use a lower priority to allow these options to be overridden in hardened/config.nix
  INET_DIAG = lib.mkDefault module;
  INET_TCP_DIAG = lib.mkDefault module;
  INET_UDP_DIAG = lib.mkDefault module;
  INET_RAW_DIAG = lib.mkDefault module;
  INET_DIAG_DESTROY = lib.mkDefault yes;

  # IPsec over TCP
  INET_ESPINTCP = whenAtLeast "5.8" yes;
  INET6_ESPINTCP = whenAtLeast "5.8" yes;

  # enable multipath-tcp
  MPTCP = whenAtLeast "5.6" yes;
  MPTCP_IPV6 = whenAtLeast "5.6" yes;
  INET_MPTCP_DIAG = whenAtLeast "5.9" (lib.mkDefault module);

  # Kernel TLS
  TLS = module;
  TLS_DEVICE = yes;

  # infiniband
  INFINIBAND = module;
  INFINIBAND_IPOIB = module;
  INFINIBAND_IPOIB_CM = yes;

  # Enable debugfs for wireless drivers
  CFG80211_DEBUGFS = yes;
  MAC80211_DEBUGFS = yes;

  # HAM radio
  HAMRADIO = yes;
  AX25 = module;
}
// lib.optionalAttrs (stdenv.hostPlatform.system == "aarch64-linux") {
  # Not enabled by default, hides modules behind it
  NET_VENDOR_MEDIATEK = yes;
  # Enable SoC interface for MT7915 module, required for MT798X.
  MT7986_WMAC = whenBetween "5.18" "6.6" yes;
  MT798X_WMAC = whenAtLeast "6.6" yes;
};

wireless = {
  CFG80211_WEXT = option yes; # Without it, ipw2200 drivers don't build
  IPW2100_MONITOR = option yes; # support promiscuous mode
  IPW2200_MONITOR = option yes; # support promiscuous mode
  HOSTAP_FIRMWARE = whenOlder "6.8" (option yes); # Support downloading firmware images with Host AP driver
  HOSTAP_FIRMWARE_NVRAM = whenOlder "6.8" (option yes);
  MAC80211_MESH = option yes; # Enable 802.11s (mesh networking) support
  ATH9K_PCI = option yes; # Detect Atheros AR9xxx cards on PCI(e) bus
  ATH9K_AHB = option yes; # Ditto, AHB bus
  # The description of this option makes it sound dangerous or even illegal
  # But OpenWRT enables it by default: https://github.com/openwrt/openwrt/blob/master/package/kernel/mac80211/Makefile#L55
  # At the time of writing (25-06-2023): this is only used in a "correct" way by ath drivers for initiating DFS radiation
  # for "certified devices"
  # NOTE(review): EXPERT is switched on only as a prerequisite for the
  # certification option; RFKILL_INPUT below undoes one side effect of it.
  # Other side effects of EXPERT are not visible here - confirm.
  EXPERT = option yes; # this is needed for offering the certification option
  RFKILL_INPUT = option yes; # counteract an undesired effect of setting EXPERT
  CFG80211_CERTIFICATION_ONUS = option yes;
  # DFS: "Dynamic Frequency Selection" is a spectrum-sharing mechanism that allows
  # you to use certain interesting frequencies when your local regulatory domain mandates it.
  # ATH drivers hide the feature behind this option, which makes hostapd work with DFS frequencies.
  # OpenWRT enables it too: https://github.com/openwrt/openwrt/blob/master/package/kernel/mac80211/ath.mk#L42
  ATH9K_DFS_CERTIFIED = option yes;
  ATH10K_DFS_CERTIFIED = option yes;
  B43_PHY_HT = option yes;
  BCMA_HOST_PCI = option yes;

  # Enable "untested" hardware support for RTL8xxxU.
  # There's a bunch of those still floating around,
  # and given how old the hardware is, we're unlikely
  # to kill any, so let's enable all known device IDs.
  RTL8XXXU_UNTESTED = option yes;

  RTW88 = module;
  # Built in before 5.8, modular from 5.8 on; lib.mkMerge combines the two
  # version-gated definitions so only the matching one applies.
  RTW88_8822BE = lib.mkMerge [
    (whenOlder "5.8" yes)
    (whenAtLeast "5.8" module)
  ];
  RTW88_8822CE = lib.mkMerge [
    (whenOlder "5.8" yes)
    (whenAtLeast "5.8" module)
  ];
};

fb = {
  FB = yes;
  FB_EFI = yes;
  FB_NVIDIA_I2C = yes; # Enable DDC Support
  FB_RIVA_I2C = yes;
  FB_ATY_CT = yes; # Mach64 CT/VT/GT/LT (incl. 3D RAGE) support
  FB_ATY_GX = yes; # Mach64 GX support
  FB_SAVAGE_I2C = yes;
  FB_SAVAGE_ACCEL = yes;
  FB_SIS_300 = yes;
  FB_SIS_315 = yes;
  FB_3DFX_ACCEL = yes;
  FB_VESA = lib.mkIf stdenv.hostPlatform.isx86 yes;
  FRAMEBUFFER_CONSOLE = yes;
  FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = yes;
  FRAMEBUFFER_CONSOLE_ROTATION = yes;
  FRAMEBUFFER_CONSOLE_DETECT_PRIMARY = yes;
  FB_GEODE = lib.mkIf (stdenv.hostPlatform.system == "i686-linux") yes;
  # Use simplefb on older kernels where we don't have simpledrm (enabled below)
  FB_SIMPLE = whenOlder "5.15" yes;
  DRM_FBDEV_EMULATION = yes;
};

fonts = {
  FONTS = yes;
  # Default fonts enabled if FONTS is not set
  FONT_8x8 = yes;
  FONT_8x16 = yes;
  # High DPI font
  FONT_TER16x32 = whenAtLeast "5.0" yes;
};

video =
  let
    # lib.mkIf wrapper: true on every host platform except 32-bit x86.
    whenHasDevicePrivate = lib.mkIf (!stdenv.hostPlatform.isx86_32);
  in
  {
    # compile in DRM so simpledrm can load before initrd if necessary
    AGP = lib.mkIf (with stdenv.hostPlatform; isPower || isx86) yes;
    DRM = yes;

    DRM_LEGACY = whenOlder "6.8" no;

    # Must be the same as CONFIG_DRM
    BACKLIGHT_CLASS_DEVICE = yes;

    NOUVEAU_LEGACY_CTX_SUPPORT = whenOlder "6.3" no;

    # Enable simpledrm and use it for generic framebuffer
    # Technically added in 5.14, but adding more complex configuration is not worth it
    DRM_SIMPLEDRM = whenAtLeast "5.15" yes;
    SYSFB_SIMPLEFB = whenAtLeast "5.15" yes;

    # Allow specifying custom EDID on the kernel command line
    DRM_LOAD_EDID_FIRMWARE = yes;
    VGA_SWITCHEROO = lib.mkIf stdenv.hostPlatform.isx86 yes; # Hybrid graphics support
    DRM_GMA500 = lib.mkIf stdenv.hostPlatform.isx86 (whenAtLeast "5.12" module);
    DRM_GMA600 = lib.mkIf stdenv.hostPlatform.isx86 (whenOlder "5.13" yes);
    DRM_GMA3600 = lib.mkIf stdenv.hostPlatform.isx86 (whenOlder "5.12" yes);
    DRM_VMWGFX_FBCON = lib.mkIf stdenv.hostPlatform.isx86 (whenOlder "6.1" yes);
    # (experimental) amdgpu support for verde and newer chipsets
    DRM_AMDGPU_SI = yes;
    # (stable) amdgpu support for bonaire and newer chipsets
    DRM_AMDGPU_CIK = yes;
    # Allow device firmware updates
    DRM_DP_AUX_CHARDEV = whenOlder "6.10" yes;
    DRM_DISPLAY_DP_AUX_CHARDEV = whenAtLeast "6.10" yes;
    # amdgpu display core (DC) support
    DRM_AMD_DC_DCN1_0 = whenOlder "5.6" yes;
    DRM_AMD_DC_DCN2_0 = whenOlder "5.6" yes;
    DRM_AMD_DC_DCN2_1 = whenOlder "5.6" yes;
    DRM_AMD_DC_DCN3_0 = lib.mkIf (with stdenv.hostPlatform; isx86) (whenBetween "5.9" "5.11" yes);
    DRM_AMD_DC_DCN = lib.mkIf (with stdenv.hostPlatform; isx86 || isPower64) (
      whenBetween "5.11" "6.4" yes
    );
    DRM_AMD_DC_FP = whenAtLeast "6.4" yes;
    DRM_AMD_DC_HDCP = whenBetween "5.5" "6.4" yes;
    DRM_AMD_DC_SI = whenAtLeast "5.10" yes;

    # Enable AMD Audio Coprocessor support for HDMI outputs
    DRM_AMD_ACP = yes;

    # Enable AMD secure display when available
    # (gated per architecture on a minimum kernel version; the non-x86,
    # non-Power cases additionally require a compiler other than Clang)
    DRM_AMD_SECURE_DISPLAY = lib.mkIf (
      with stdenv.hostPlatform;
      (lib.versionAtLeast version "5.13" && (isx86 || isPower64))
      || (lib.versionAtLeast version "6.2" && isAarch64 && !stdenv.cc.isClang)
      || (lib.versionAtLeast version "6.5" && isLoongArch64 && !stdenv.cc.isClang)
      || (lib.versionAtLeast version "6.10" && isRiscV64 && !stdenv.cc.isClang)
    ) yes;

    # Enable AMD image signal processor
    DRM_AMD_ISP = whenAtLeast "6.11" yes;

    # Enable new firmware (and by extension NVK) for compatible hardware on Nouveau
    DRM_NOUVEAU_GSP_DEFAULT = whenAtLeast "6.8" yes;

    # Enable Nouveau shared virtual memory (used by OpenCL)
    DEVICE_PRIVATE = whenHasDevicePrivate yes;
    DRM_NOUVEAU_SVM = whenHasDevicePrivate yes;

    # Enable HDMI-CEC receiver support
    RC_CORE = yes;
    MEDIA_CEC_RC = whenAtLeast "5.10" yes;

    # Enable CEC over DisplayPort
    DRM_DP_CEC = whenOlder "6.10" yes;
    DRM_DISPLAY_DP_AUX_CEC = whenAtLeast "6.10" yes;
  }
  // lib.optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") {
    # Intel GVT-g graphics virtualization supports 64-bit only
    DRM_I915_GVT = yes;
    DRM_I915_GVT_KVMGT = module;
    # Enable Hyper-V Synthetic DRM Driver
    DRM_HYPERV = whenAtLeast "5.14" module;
    # And disable the legacy framebuffer driver when we have the new one
    FB_HYPERV = whenAtLeast "5.14" no;
  }
  // lib.optionalAttrs (stdenv.hostPlatform.system == "aarch64-linux") {
    # enable HDMI-CEC on RPi boards
    DRM_VC4_HDMI_CEC = yes;
    # Enable HDMI out on platforms using the RK3588 lineup of SoCs.
    ROCKCHIP_DW_HDMI_QP = whenAtLeast "6.13" yes;
  };

# Enable Rust and features that depend on it
# Use a lower priority to allow these options to be overridden in hardened/config.nix
# NOTE(review): none of the values in this set are wrapped in
# lib.mkDefault, so the "lower priority" remark does not match the lines
# shown here - confirm whether it is stale.
rust = lib.optionalAttrs withRust {
  RUST = yes;

  # These don't technically require Rust but we probably want to get some more testing
  # on the whole DRM panic setup before shipping it by default.
  DRM_PANIC = whenAtLeast "6.12" yes;
  DRM_PANIC_SCREEN = whenAtLeast "6.12" (freeform "kmsg");

  DRM_PANIC_SCREEN_QR_CODE = whenAtLeast "6.12" yes;
};

sound = {
  SND_DYNAMIC_MINORS = yes;
  SND_AC97_POWER_SAVE = yes; # AC97 Power-Saving Mode
  # 10s for the idle timeout, Fedora does 1, Arch does 10.
  # The kernel says we should do 10.
  # Read: https://docs.kernel.org/sound/designs/powersave.html
  SND_AC97_POWER_SAVE_DEFAULT = freeform "10";
  SND_HDA_POWER_SAVE_DEFAULT = freeform "10";
  SND_HDA_INPUT_BEEP = yes; # Support digital beep via input layer
  SND_HDA_RECONFIG = yes; # Support reconfiguration of jack functions
  # Support configuring jack functions via fw mechanism at boot
  SND_HDA_PATCH_LOADER = yes;
  SND_HDA_CODEC_CA0132_DSP = whenOlder "5.7" yes; # Enable DSP firmware loading on Creative Soundblaster Z/Zx/ZxR/Recon
  SND_HDA_CODEC_CS8409 = whenAtLeast "6.6" module; # Cirrus Logic HDA Bridge CS8409
  SND_OSSEMUL = yes;
  SND_USB_CAIAQ_INPUT = yes;
  SND_USB_AUDIO_MIDI_V2 = whenAtLeast "6.5" yes;
  # Enable Sound Open Firmware support
  # (the SOF options follow in the x86_64-only set merged in below)
}
//
  lib.optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux" && lib.versionAtLeast version "5.5")
    {
      SND_SOC_INTEL_SOUNDWIRE_SOF_MACH = whenAtLeast "5.10" module;
      SND_SOC_INTEL_USER_FRIENDLY_LONG_NAMES = whenAtLeast "5.10" yes; # dep of SOF_MACH
      SND_SOC_SOF_INTEL_SOUNDWIRE_LINK = whenBetween "5.10" "5.11" yes; # dep of SOF_MACH
      SND_SOC_SOF_TOPLEVEL = yes;
      SND_SOC_SOF_ACPI = module;
      SND_SOC_SOF_PCI = module;
      SND_SOC_SOF_APOLLOLAKE = whenAtLeast "5.12" module;
      SND_SOC_SOF_APOLLOLAKE_SUPPORT = whenOlder "5.12" yes;
      SND_SOC_SOF_CANNONLAKE = whenAtLeast "5.12" module;
      SND_SOC_SOF_CANNONLAKE_SUPPORT = whenOlder "5.12" yes;
      SND_SOC_SOF_COFFEELAKE = whenAtLeast "5.12" module;
      SND_SOC_SOF_COFFEELAKE_SUPPORT = whenOlder "5.12" yes;
      SND_SOC_SOF_COMETLAKE = whenAtLeast "5.12" module;
      SND_SOC_SOF_COMETLAKE_H_SUPPORT = whenOlder "5.8" yes;
      SND_SOC_SOF_COMETLAKE_LP_SUPPORT = whenOlder "5.12" yes;
      SND_SOC_SOF_ELKHARTLAKE = whenAtLeast "5.12" module;
      SND_SOC_SOF_ELKHARTLAKE_SUPPORT = whenOlder "5.12" yes;
      SND_SOC_SOF_GEMINILAKE = whenAtLeast "5.12" module;
      SND_SOC_SOF_GEMINILAKE_SUPPORT = whenOlder "5.12" yes;
      SND_SOC_SOF_HDA_AUDIO_CODEC = yes;
      SND_SOC_SOF_HDA_COMMON_HDMI_CODEC = whenOlder "5.7" yes;
      SND_SOC_SOF_HDA_LINK = yes;
      SND_SOC_SOF_ICELAKE = whenAtLeast "5.12" module;
      SND_SOC_SOF_ICELAKE_SUPPORT = whenOlder "5.12" yes;
      SND_SOC_SOF_INTEL_TOPLEVEL = yes;
      SND_SOC_SOF_JASPERLAKE = whenAtLeast "5.12" module;
      SND_SOC_SOF_JASPERLAKE_SUPPORT = whenOlder "5.12" yes;
      SND_SOC_SOF_MERRIFIELD = whenAtLeast "5.12" module;
      SND_SOC_SOF_MERRIFIELD_SUPPORT = whenOlder "5.12" yes;
      SND_SOC_SOF_TIGERLAKE = whenAtLeast "5.12" module;
      SND_SOC_SOF_TIGERLAKE_SUPPORT = whenOlder "5.12" yes;
    };

usb = {
  USB = yes; # compile USB core into kernel, so we can use USB_SERIAL_CONSOLE before modules

  USB_EHCI_ROOT_HUB_TT = yes; # Root Hub Transaction Translators
  USB_EHCI_TT_NEWSCHED = yes; # Improved transaction translator scheduling
  USB_HIDDEV = yes; # USB Raw HID Devices (like monitor controls and Uninterruptible Power Supplies)

  # default to dual role mode
  USB_DWC2_DUAL_ROLE = yes;
  USB_DWC3_DUAL_ROLE = yes;

  USB_XHCI_SIDEBAND = whenAtLeast "6.16" yes; # needed for audio offload
};

usb-serial = {
  USB_SERIAL = yes;
  USB_SERIAL_GENERIC = yes; # USB Generic Serial Driver
  USB_SERIAL_CONSOLE = yes; # Allow using USB serial adapter as console
  U_SERIAL_CONSOLE = whenAtLeast "5.10" yes; # Allow using USB gadget as console
};

# Filesystem options - in particular, enable extended attributes and
# ACLs for all filesystems that support them.
filesystem = {
  FANOTIFY = yes;
  FANOTIFY_ACCESS_PERMISSIONS = yes;

  TMPFS = yes;
  TMPFS_POSIX_ACL = yes;
  FS_ENCRYPTION = yes;

  EXT2_FS_XATTR = yes;
  EXT2_FS_POSIX_ACL = yes;
  EXT2_FS_SECURITY = yes;

  EXT3_FS_POSIX_ACL = yes;
  EXT3_FS_SECURITY = yes;

  EXT4_FS_POSIX_ACL = yes;
  EXT4_FS_SECURITY = yes;

  NTFS_FS = whenBetween "5.15" "6.9" no;
  NTFS3_LZX_XPRESS = whenAtLeast "5.15" yes;
  NTFS3_FS_POSIX_ACL = whenAtLeast "5.15" yes;

  REISERFS_FS_XATTR = option yes;
  REISERFS_FS_POSIX_ACL = option yes;
  REISERFS_FS_SECURITY = option yes;

  JFS_POSIX_ACL = option yes;
  JFS_SECURITY = option yes;

  XFS_QUOTA = option yes;
  XFS_POSIX_ACL = option yes;
  XFS_RT = option yes; # XFS Realtime subvolume support
  XFS_ONLINE_SCRUB = option yes;

  OCFS2_DEBUG_MASKLOG = option no;

  BTRFS_FS_POSIX_ACL = yes;

  BCACHEFS_QUOTA = whenAtLeast "6.7" (option yes);
  BCACHEFS_POSIX_ACL = whenAtLeast "6.7" (option yes);

  UBIFS_FS_ADVANCED_COMPR = option yes;

  F2FS_FS = module;
  F2FS_FS_SECURITY = option yes;
  F2FS_FS_COMPRESSION = whenAtLeast "5.6" yes;
  UDF_FS = module;

  NFSD_V2_ACL = whenOlder "5.10" yes;
  NFSD_V3 = whenOlder "5.10" yes;
  NFSD_V3_ACL = yes;
  NFSD_V4 = yes;
  NFSD_V4_SECURITY_LABEL = yes;

  NFS_FS = module;
  NFS_FSCACHE = yes;
  NFS_SWAP = yes;
  NFS_V3_ACL = yes;
  NFS_V4_1 = yes; # NFSv4.1 client support
  NFS_V4_2 = yes;
  NFS_V4_SECURITY_LABEL = yes;
  NFS_LOCALIO = whenAtLeast "6.12" yes;

  CIFS_XATTR = yes;
  CIFS_POSIX = option yes;
  CIFS_FSCACHE = yes;
  # NOTE(review): only set for kernels older than 5.15. As the name says,
  # this turns on the weaker legacy password hashes in the CIFS client;
  # confirm it is still wanted for the old kernels that carry it.
  CIFS_WEAK_PW_HASH = whenOlder "5.15" yes;
  CIFS_UPCALL = yes;
  CIFS_DFS_UPCALL = yes;

  CEPH_FSCACHE = yes;
  CEPH_FS_POSIX_ACL = yes;

  SQUASHFS_FILE_DIRECT = yes;
  SQUASHFS_DECOMP_MULTI_PERCPU = whenOlder "6.2" yes;
  SQUASHFS_CHOICE_DECOMP_BY_MOUNT = whenAtLeast "6.2" yes;
  SQUASHFS_XATTR = yes;
  SQUASHFS_ZLIB = yes;
  SQUASHFS_LZO = yes;
  SQUASHFS_XZ = yes;
  SQUASHFS_LZ4 = yes;
  SQUASHFS_ZSTD = yes;

  # Native Language Support modules, needed by some filesystems
  NLS = yes;
  NLS_DEFAULT = freeform "utf8";
  NLS_UTF8 = module;
  NLS_CODEPAGE_437 = module; # VFAT default for the codepage= mount option
  NLS_ISO8859_1 = module; # VFAT default for the iocharset= mount option

  # Needed to use the installation iso image. Not included in all defconfigs (e.g. arm64)
  ISO9660_FS = module;

  DEVTMPFS = yes;

  UNICODE = yes; # Casefolding support for filesystems
};

# Baseline hardening for the default kernel. Values wrapped in
# lib.mkDefault are set at a lower priority so another config can
# override them.
security = {
  # Report BUG() conditions and kill the offending process.
  BUG = yes;
  BUG_ON_DATA_CORRUPTION = yes;

  FORTIFY_SOURCE = option yes;

  # Linked-list corruption checks; the write-up below is presumably the
  # motivation for turning them on.
  # https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html
  DEBUG_LIST = yes;

  HARDENED_USERCOPY = yes;
  RANDOMIZE_BASE = option yes;
  STRICT_KERNEL_RWX = yes;
  STRICT_MODULE_RWX = yes;
  STRICT_DEVMEM = lib.mkDefault yes; # Filter access to /dev/mem
  IO_STRICT_DEVMEM = lib.mkDefault yes;

  # Prevent processes from ptracing non-children processes
  # NOTE(review): this only builds Yama in; how strict the ptrace
  # restriction is gets decided at runtime, not in this file.
  SECURITY_YAMA = option yes;
  # The goal of Landlock is to make it possible to restrict ambient rights (e.g. global filesystem access) for a set of processes.
  # This does not have any effect if a program does not support it
  SECURITY_LANDLOCK = whenAtLeast "5.13" yes;

  DEVKMEM = lib.mkIf (!stdenv.hostPlatform.isAarch64) (whenOlder "5.13" no); # Disable /dev/kmem

  # NOTE(review): user namespaces are needed by sandboxing tools but also
  # widen the kernel surface reachable without privileges; whether
  # unprivileged users may create them is a runtime policy - confirm.
  USER_NS = yes; # Support for user namespaces

  SECURITY_APPARMOR = yes;
  DEFAULT_SECURITY_APPARMOR = yes;

  SECURITY_DMESG_RESTRICT = yes;

  RANDOM_TRUST_CPU = whenOlder "6.2" yes; # allow RDRAND to seed the RNG
  RANDOM_TRUST_BOOTLOADER = whenOlder "6.2" yes; # allow the bootloader to seed the RNG

  # NOTE(review): with module signing off and the lockdown LSM not built,
  # this kernel cannot enforce signed modules or lockdown at runtime;
  # deployments that need either must override both options.
  MODULE_SIG = no; # r13y (reproducibility), generates a random key during build and bakes it in
  # Depends on MODULE_SIG and only really helps when you sign your modules
  # and enforce signatures which we don't do by default.
  SECURITY_LOCKDOWN_LSM = no;

  # provides a register of persistent per-UID keyrings, useful for encrypting storage pools in stratis
  PERSISTENT_KEYRINGS = yes;
  # enable temporary caching of the last request_key() result
  KEYS_REQUEST_CACHE = yes;
  # randomized slab caches
  RANDOM_KMALLOC_CACHES = whenAtLeast "6.6" yes;

  # NIST SP800-90A DRBG modes - enabled by most distributions
  # and required by some out-of-tree modules (ShuffleCake)
  # This does not include the NSA-backdoored Dual-EC mode from the same NIST publication.
  CRYPTO_DRBG_HASH = yes;
  CRYPTO_DRBG_CTR = yes;

  # Enable KFENCE
  # See: https://docs.kernel.org/dev-tools/kfence.html
  KFENCE = whenAtLeast "5.12" yes;

  # Enable support for page poisoning. Still needs to be enabled on the command line to actually work.
  PAGE_POISONING = yes;
  # Randomize page allocator when page_alloc.shuffle=1
  SHUFFLE_PAGE_ALLOCATOR = yes;

  INIT_ON_ALLOC_DEFAULT_ON = yes;

  # Enable stack smashing protections in schedule()
  # See: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v4.8&id=0d9e26329b0c9263d4d9e0422d80a0e73268c52f
  SCHED_STACK_END_CHECK = yes;

  # Enable separate slab buckets for user controlled allocations
  # See: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=67f2df3b82d091ed095d0e47e1f3a9d3e18e4e41
  SLAB_BUCKETS = whenAtLeast "6.11" yes;
}
// lib.optionalAttrs stdenv.hostPlatform.isx86_64 {
  # Enable Intel SGX
  X86_SGX = whenAtLeast "5.11" yes;
  # Allow KVM guests to load SGX enclaves
  X86_SGX_KVM = whenAtLeast "5.13" yes;

  # AMD Cryptographic Coprocessor (CCP)
  CRYPTO_DEV_CCP = yes;
  # AMD SME
  AMD_MEM_ENCRYPT = yes;
  # AMD SEV and AMD SEV-ES
  KVM_AMD_SEV = yes;
  # AMD SEV-SNP
  SEV_GUEST = whenAtLeast "5.19" module;
  # Shadow stacks
  X86_USER_SHADOW_STACK = whenAtLeast "6.6" yes;

  # Enable support for Intel Trust Domain Extensions (TDX)
  INTEL_TDX_GUEST = whenAtLeast "5.19" yes;
  TDX_GUEST_DRIVER = whenAtLeast "6.2" module;

  # Mitigate straight line speculation at the cost of some file size
  # (the option was renamed; each name is gated to the versions that have it)
  SLS = whenBetween "5.17" "6.9" yes;
  MITIGATION_SLS = whenAtLeast "6.9" yes;

  # Lowest address user space may map by default (value differs per
  # architecture, see the aarch64 set below).
  DEFAULT_MMAP_MIN_ADDR = freeform "65536";
}
// lib.optionalAttrs stdenv.hostPlatform.isAarch64 {
  DEFAULT_MMAP_MIN_ADDR = freeform "32768";
};

microcode = {
  MICROCODE = lib.mkIf stdenv.hostPlatform.isx86 yes;
  MICROCODE_INTEL = lib.mkIf stdenv.hostPlatform.isx86 (whenOlder "6.6" yes);
  MICROCODE_AMD = lib.mkIf stdenv.hostPlatform.isx86 (whenOlder "6.6" yes);
  # Write Back Throttling
  # https://lwn.net/Articles/682582/
  # https://bugzilla.kernel.org/show_bug.cgi?id=12309#c655
  BLK_WBT = yes;
  BLK_WBT_SQ = whenOlder "5.0" yes; # Removed in 5.0-RC1
  BLK_WBT_MQ = yes;
};

container = {
  NAMESPACES = yes; # Required by 'unshare' used by 'nixos-install'
  RT_GROUP_SCHED = no;
  CGROUP_DEVICE = yes;
  CGROUP_HUGETLB = yes;
  CGROUP_PERF = yes;
  CGROUP_RDMA = yes;
  CGROUP_DMEM = whenAtLeast "6.14" yes;

  MEMCG = yes;
  MEMCG_SWAP = whenOlder "6.1" yes;

  BLK_DEV_THROTTLING = yes;
  CFQ_GROUP_IOSCHED = whenOlder "5.0" yes; # Removed in 5.0-RC1
  CGROUP_PIDS = yes;
};

staging = {
  # Enable staging drivers. These are somewhat experimental, but
  # they generally don't hurt.
  STAGING = yes;
};

proc-events = {
  # PROC_EVENTS requires that the netlink connector is not built
  # as a module. This is required by libcgroup's cgrulesengd.
  CONNECTOR = yes;
  PROC_EVENTS = yes;
};

tracing = {
  FTRACE = yes;
  KPROBES = yes;
  FUNCTION_TRACER = yes;
  FTRACE_SYSCALLS = yes;
  SCHED_TRACER = yes;
  STACK_TRACER = yes;
  UPROBE_EVENTS = option yes;
  BPF_SYSCALL = yes;
  # NOTE(review): set only for the 5.10-5.16 range; on other versions this
  # file leaves the option at whatever the kernel's own default is
  # (presumably already "off by default" on newer kernels - confirm).
  BPF_UNPRIV_DEFAULT_OFF = whenBetween "5.10" "5.16" yes;
  BPF_EVENTS = yes;
  FUNCTION_PROFILER = yes;
  RING_BUFFER_BENCHMARK = no;
};

perf = {
  # enable AMD Zen branch sampling if available
  PERF_EVENTS_AMD_BRS = whenAtLeast "5.19" (option yes);
};

virtualisation = {
  PARAVIRT = option yes;

  HYPERVISOR_GUEST = lib.mkIf stdenv.hostPlatform.isx86 yes;
  PARAVIRT_SPINLOCKS = option yes;

  KVM_ASYNC_PF = lib.mkIf (with stdenv.hostPlatform; isS390 || isx86) yes;
  KVM_GENERIC_DIRTYLOG_READ_PROTECT = yes;
  KVM_GUEST = lib.mkIf (with stdenv.hostPlatform; isPower || isx86) yes;
  KVM_MMIO = yes;
  KVM_VFIO = yes;
  KSM = yes;
  VIRT_DRIVERS = yes;
  # We need 64 GB (PAE) support for Xen guest support
  # (written out as a raw option record: optional, and "y" only on
  # platforms that are not 64-bit)
  HIGHMEM64G = {
    optional = true;
    tristate = lib.mkIf (!stdenv.hostPlatform.is64bit) "y";
  };

  VFIO_PCI_VGA = lib.mkIf stdenv.hostPlatform.isx86_64 yes;

  UDMABUF = yes;

  # VirtualBox guest drivers in the kernel conflict with the ones in the
  # official additions package and prevent the vboxsf module from loading,
  # so disable them for now.
  VBOXGUEST = option no;
  DRM_VBOXVIDEO = option no;

  XEN = option yes;
  XEN_DOM0 = option yes;
  PCI_XEN = option yes;
  HVC_XEN = option yes;
  HVC_XEN_FRONTEND = option yes;
  XEN_SYS_HYPERVISOR = option yes;
  SWIOTLB_XEN = option yes;
  XEN_BACKEND = option yes;
  XEN_BALLOON = option yes;
  XEN_BALLOON_MEMORY_HOTPLUG = option yes;
  XEN_EFI = option yes;
  XEN_HAVE_PVMMU = option yes;
  XEN_MCE_LOG = option yes;
  XEN_PVH = option yes;
  XEN_PVHVM = option yes;
  XEN_SAVE_RESTORE = option yes;

  # Enable device detection on virtio-mmio hypervisors
  VIRTIO_MMIO_CMDLINE_DEVICES = yes;
};

media = {
  MEDIA_DIGITAL_TV_SUPPORT = yes;
  MEDIA_CAMERA_SUPPORT = yes;
  MEDIA_CONTROLLER = yes;
  MEDIA_PCI_SUPPORT = yes;
  MEDIA_USB_SUPPORT = yes;
  MEDIA_ANALOG_TV_SUPPORT = yes;
  VIDEO_STK1160_COMMON = whenOlder "6.5" module;
};

"9p" = {
  # Enable the 9P cache to speed up NixOS VM tests.
  "9P_FSCACHE" = option yes;
  "9P_FS_POSIX_ACL" = option yes;
};

huge-page = {
  TRANSPARENT_HUGEPAGE = option yes;
  TRANSPARENT_HUGEPAGE_ALWAYS = option no;
  TRANSPARENT_HUGEPAGE_MADVISE = option yes;
};

zram = {
  ZRAM = module;
  ZRAM_WRITEBACK = option yes;
  ZRAM_MULTI_COMP = whenAtLeast "6.2" yes;
  ZRAM_BACKEND_842 = whenAtLeast "6.12" yes;
  ZRAM_BACKEND_DEFLATE = whenAtLeast "6.12" yes;
  ZRAM_BACKEND_LZ4 = whenAtLeast "6.12" yes;
  ZRAM_BACKEND_LZ4HC = whenAtLeast "6.12" yes;
  ZRAM_BACKEND_LZO = whenAtLeast "6.12" yes;
  ZRAM_BACKEND_ZSTD = whenAtLeast "6.12" yes;
  ZRAM_DEF_COMP_ZSTD = whenAtLeast "5.11" yes;
  ZSWAP = option yes;
  ZSWAP_COMPRESSOR_DEFAULT_ZSTD = whenAtLeast "5.7" (lib.mkOptionDefault yes);
  ZPOOL = yes;
  ZSMALLOC = option yes;
};

brcmfmac = {
  # Enable PCIe and USB for the brcmfmac driver
  BRCMFMAC_USB = option yes;
  BRCMFMAC_PCIE = option yes;
};

# Support x2APIC (which requires IRQ remapping)
x2apic = lib.optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") {
  X86_X2APIC = yes;
  IRQ_REMAP = yes;
};

# Disable various self-test modules that have no use in a production system
tests = {
  # This menu disables all/most of them on >= 4.16
  RUNTIME_TESTING_MENU = option no;
}
// {
  CRC32_SELFTEST = option no;
  CRYPTO_TEST = option no;
  EFI_TEST = option no;
  GLOB_SELFTEST = option no;
  LOCK_TORTURE_TEST = option no;
  MTD_TESTS = option no;
  NOTIFIER_ERROR_INJECTION = option no;
  RCU_PERF_TEST = whenOlder "5.9" no;
  RCU_SCALE_TEST = whenAtLeast "5.10" no;
  TEST_ASYNC_DRIVER_PROBE = option no;
  WW_MUTEX_SELFTEST = option no;
  XZ_DEC_TEST = option no;
};

criu = {
  # Unconditionally enabled, because it is required for CRIU and
  # it provides the kcmp() system call that Mesa depends on.
1057 CHECKPOINT_RESTORE = yes; 1058 1059 # Allows soft-dirty tracking on pages, used by CRIU. 1060 # See https://docs.kernel.org/admin-guide/mm/soft-dirty.html 1061 MEM_SOFT_DIRTY = lib.mkIf (with stdenv.hostPlatform; isS390 || isPower64 || isx86_64) yes; 1062 }; 1063 1064 misc = 1065 let 1066 # Use zstd for kernel compression if 64-bit and newer than 5.9, otherwise xz. 1067 # i686 issues: https://github.com/NixOS/nixpkgs/pull/117961#issuecomment-812106375 1068 useZstd = stdenv.buildPlatform.is64bit && lib.versionAtLeast version "5.9"; 1069 in 1070 { 1071 # stdenv.hostPlatform.linux-kernel.target assumes uncompressed on RISC-V. 1072 KERNEL_UNCOMPRESSED = lib.mkIf stdenv.hostPlatform.isRiscV yes; 1073 KERNEL_XZ = lib.mkIf (!stdenv.hostPlatform.isRiscV && !useZstd) yes; 1074 KERNEL_ZSTD = lib.mkIf ( 1075 with stdenv.hostPlatform; 1076 (isMips || isS390 || isx86 || (lib.versionAtLeast version "6.1" && isAarch64 || isLoongArch64)) 1077 && useZstd 1078 ) yes; 1079 1080 HID_BATTERY_STRENGTH = yes; 1081 # enabled by default in x86_64 but not arm64, so we do that here 1082 HIDRAW = yes; 1083 1084 # Enable loading HID fixups as eBPF from userspace 1085 HID_BPF = whenAtLeast "6.3" (whenPlatformHasEBPFJit yes); 1086 1087 HID_ACRUX_FF = yes; 1088 DRAGONRISE_FF = yes; 1089 GREENASIA_FF = yes; 1090 HOLTEK_FF = yes; 1091 INPUT_JOYSTICK = yes; 1092 JOYSTICK_PSXPAD_SPI_FF = yes; 1093 LOGIG940_FF = yes; 1094 NINTENDO_FF = whenAtLeast "5.16" yes; 1095 NVIDIA_SHIELD_FF = whenAtLeast "6.5" yes; 1096 PLAYSTATION_FF = whenAtLeast "5.12" yes; 1097 SONY_FF = yes; 1098 SMARTJOYPLUS_FF = yes; 1099 THRUSTMASTER_FF = yes; 1100 ZEROPLUS_FF = yes; 1101 1102 MODULE_COMPRESS = lib.mkMerge [ 1103 (whenOlder "5.13" yes) 1104 (whenAtLeast "6.12" yes) 1105 ]; 1106 MODULE_COMPRESS_ALL = whenAtLeast "6.12" yes; 1107 MODULE_COMPRESS_XZ = yes; 1108 1109 SYSVIPC = yes; # System-V IPC 1110 1111 AIO = yes; # POSIX asynchronous I/O 1112 1113 UNIX = yes; # Unix domain sockets. 
1114 1115 MD = yes; # Device mapper (RAID, LVM, etc.) 1116 1117 # enable support for device trees and overlays 1118 OF = option yes; 1119 # OF_OVERLAY breaks v5.10 on x86_64, see https://github.com/NixOS/nixpkgs/issues/403985 1120 OF_OVERLAY = lib.mkIf (!(lib.versionOlder version "5.15" && stdenv.hostPlatform.isx86_64)) ( 1121 option yes 1122 ); 1123 1124 # Enable initrd support. 1125 BLK_DEV_INITRD = yes; 1126 1127 # Allows debugging systems that get stuck during suspend/resume 1128 PM_TRACE_RTC = lib.mkIf stdenv.hostPlatform.isx86 yes; 1129 1130 ACCESSIBILITY = yes; # Accessibility support 1131 AUXDISPLAY = yes; # Auxiliary Display support 1132 HIPPI = yes; 1133 MTD_COMPLEX_MAPPINGS = yes; # needed for many devices 1134 1135 SCSI_LOWLEVEL = yes; # enable lots of SCSI devices 1136 SCSI_LOWLEVEL_PCMCIA = yes; 1137 SCSI_SAS_ATA = yes; # added to enable detection of hard drive 1138 1139 SPI = yes; # needed for many devices 1140 SPI_MASTER = yes; 1141 1142 "8139TOO_8129" = yes; 1143 "8139TOO_PIO" = no; # PIO is slower 1144 1145 AIC79XX_DEBUG_ENABLE = no; 1146 AIC7XXX_DEBUG_ENABLE = no; 1147 AIC94XX_DEBUG = no; 1148 1149 BLK_DEV_INTEGRITY = yes; 1150 BLK_DEV_ZONED = yes; 1151 1152 BLK_SED_OPAL = yes; 1153 1154 # Enable support for block layer inline encryption 1155 BLK_INLINE_ENCRYPTION = whenAtLeast "5.8" yes; 1156 # ...but fall back to CPU encryption if unavailable 1157 BLK_INLINE_ENCRYPTION_FALLBACK = whenAtLeast "5.8" yes; 1158 1159 BSD_PROCESS_ACCT_V3 = yes; 1160 1161 SERIAL_DEV_BUS = yes; # enables support for serial devices 1162 SERIAL_DEV_CTRL_TTYPORT = yes; # enables support for TTY serial devices 1163 1164 BT_HCIBTUSB_MTK = yes; # MediaTek protocol support 1165 1166 BT_HCIUART = module; # required for BT devices with serial port interface (QCA6390) 1167 BT_HCIUART_BCM = option yes; # Broadcom Bluetooth support 1168 BT_HCIUART_BCSP = option yes; # CSR BlueCore support 1169 BT_HCIUART_H4 = option yes; # UART (H4) protocol support 1170 BT_HCIUART_LL = option 
yes; # Texas Instruments BRF 1171 BT_HCIUART_QCA = yes; # Qualcomm Atheros support 1172 BT_HCIUART_SERDEV = yes; # required by BT_HCIUART_QCA 1173 1174 BT_RFCOMM_TTY = option yes; # RFCOMM TTY support 1175 BT_QCA = module; # enables QCA6390 bluetooth 1176 1177 # Removed on 5.17 as it was unused 1178 # upstream: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0a4ee518185e902758191d968600399f3bc2be31 1179 CLEANCACHE = whenOlder "5.17" (option yes); 1180 1181 FSCACHE_STATS = yes; 1182 1183 DVB_DYNAMIC_MINORS = option yes; # we use udev 1184 1185 EFI = lib.mkIf stdenv.hostPlatform.isEfi yes; 1186 EFI_STUB = yes; # EFI bootloader in the bzImage itself 1187 EFI_GENERIC_STUB_INITRD_CMDLINE_LOADER = whenOlder "6.2" (whenAtLeast "5.8" yes); # initrd kernel parameter for EFI 1188 1189 # Generic compression support for EFI payloads 1190 # Add new platforms only after they have been verified to build and boot. 1191 # This is unsupported on x86 due to a custom decompression mechanism. 
1192 EFI_ZBOOT = lib.mkIf stdenv.hostPlatform.isAarch64 (whenAtLeast "6.1" yes); 1193 1194 CGROUPS = yes; # used by systemd 1195 FHANDLE = yes; # used by systemd 1196 SECCOMP = yes; # used by systemd >= 231 1197 SECCOMP_FILTER = yes; # ditto 1198 POSIX_MQUEUE = yes; 1199 FRONTSWAP = whenOlder "6.6" yes; 1200 FUSION = yes; # Fusion MPT device support 1201 IDE = lib.mkIf (with stdenv.hostPlatform; isAarch32 || isM68k || isMips || isPower || isx86) ( 1202 whenOlder "5.14" no 1203 ); # deprecated IDE support, removed in 5.14 1204 IDLE_PAGE_TRACKING = yes; 1205 1206 JOYSTICK_XPAD_FF = option yes; # X-Box gamepad rumble support 1207 JOYSTICK_XPAD_LEDS = option yes; # LED Support for Xbox360 controller 'BigX' LED 1208 1209 KEYBOARD_APPLESPI = lib.mkIf stdenv.hostPlatform.isx86 module; 1210 1211 KEXEC_FILE = option yes; 1212 KEXEC_JUMP = option yes; 1213 1214 PARTITION_ADVANCED = yes; # Needed for LDM_PARTITION 1215 # Windows Logical Disk Manager (Dynamic Disk) support 1216 LDM_PARTITION = yes; 1217 LOGIRUMBLEPAD2_FF = yes; # Logitech Rumblepad 2 force feedback 1218 LOGO = no; # not needed 1219 MEDIA_ATTACH = yes; 1220 MEGARAID_NEWGEN = yes; 1221 1222 MLX5_CORE_EN = option yes; 1223 1224 NVME_MULTIPATH = yes; 1225 1226 NVME_AUTH = lib.mkMerge [ 1227 (whenBetween "6.0" "6.7" yes) 1228 (whenAtLeast "6.7" module) 1229 ]; 1230 1231 NVME_HOST_AUTH = whenAtLeast "6.7" yes; 1232 NVME_TCP_TLS = whenAtLeast "6.7" yes; 1233 1234 NVME_TARGET = module; 1235 NVME_TARGET_PASSTHRU = whenAtLeast "5.9" yes; 1236 NVME_TARGET_AUTH = whenAtLeast "6.0" yes; 1237 NVME_TARGET_TCP_TLS = whenAtLeast "6.7" yes; 1238 1239 PCI_P2PDMA = lib.mkIf (stdenv.hostPlatform.is64bit) yes; 1240 1241 PSI = yes; 1242 1243 MOUSE_ELAN_I2C_SMBUS = yes; 1244 MOUSE_PS2_ELANTECH = yes; # Elantech PS/2 protocol extension 1245 MOUSE_PS2_VMMOUSE = lib.mkIf stdenv.hostPlatform.isx86 yes; 1246 MTRR_SANITIZER = lib.mkIf stdenv.hostPlatform.isx86 yes; 1247 NET_FC = yes; # Fibre Channel driver support 1248 # Needed for 
touchpads to work on some AMD laptops 1249 PINCTRL_AMD = whenAtLeast "5.19" yes; 1250 # GPIO on Intel Bay Trail, for some Chromebook internal eMMC disks 1251 PINCTRL_BAYTRAIL = lib.mkIf stdenv.hostPlatform.isx86 yes; 1252 # GPIO for Braswell and Cherryview devices 1253 # Needs to be built-in to for integrated keyboards to function properly 1254 PINCTRL_CHERRYVIEW = lib.mkIf stdenv.hostPlatform.isx86 yes; 1255 # 8 is default. Modern gpt tables on eMMC may go far beyond 8. 1256 MMC_BLOCK_MINORS = freeform "32"; 1257 1258 REGULATOR = yes; # Voltage and Current Regulator Support 1259 RC_DEVICES = option yes; # Enable IR devices 1260 RC_DECODERS = option yes; # Required for IR devices to work 1261 1262 RT2800USB_RT53XX = yes; 1263 RT2800USB_RT55XX = yes; 1264 1265 SCHED_AUTOGROUP = yes; 1266 CFS_BANDWIDTH = yes; 1267 1268 SCSI_LOGGING = yes; # SCSI logging facility 1269 SERIAL_8250 = yes; # 8250/16550 and compatible serial support 1270 1271 SLAB_FREELIST_HARDENED = yes; 1272 SLAB_FREELIST_RANDOM = yes; 1273 1274 SLIP_COMPRESSED = yes; # CSLIP compressed headers 1275 SLIP_SMART = yes; 1276 1277 HWMON = yes; 1278 THERMAL_HWMON = yes; # Hardware monitoring support 1279 NVME_HWMON = whenAtLeast "5.5" yes; # NVMe drives temperature reporting 1280 UEVENT_HELPER = no; 1281 1282 USERFAULTFD = yes; 1283 X86_CHECK_BIOS_CORRUPTION = lib.mkIf stdenv.hostPlatform.isx86 yes; 1284 X86_MCE = lib.mkIf stdenv.hostPlatform.isx86 yes; 1285 1286 RAS = yes; # Needed for EDAC support 1287 1288 # Our initrd init uses shebang scripts, so can't be modular. 
1289 BINFMT_SCRIPT = yes; 1290 # For systemd-binfmt 1291 BINFMT_MISC = option yes; 1292 1293 # Required for EDID overriding 1294 FW_LOADER = yes; 1295 # Disable the firmware helper fallback, udev doesn't implement it any more 1296 FW_LOADER_USER_HELPER_FALLBACK = option no; 1297 1298 FW_LOADER_COMPRESS = yes; 1299 FW_LOADER_COMPRESS_ZSTD = whenAtLeast "5.19" yes; 1300 1301 HOTPLUG_PCI_ACPI = yes; # PCI hotplug using ACPI 1302 HOTPLUG_PCI_PCIE = yes; # PCI-Expresscard hotplug support 1303 1304 # Enable AMD's ROCm GPU compute stack 1305 HSA_AMD = lib.mkIf stdenv.hostPlatform.is64bit (yes); 1306 ZONE_DEVICE = lib.mkIf stdenv.hostPlatform.is64bit (yes); 1307 HMM_MIRROR = yes; 1308 DRM_AMDGPU_USERPTR = yes; 1309 1310 PREEMPT = no; 1311 PREEMPT_VOLUNTARY = yes; 1312 1313 X86_AMD_PLATFORM_DEVICE = lib.mkIf stdenv.hostPlatform.isx86 yes; 1314 X86_PLATFORM_DRIVERS_DELL = lib.mkIf stdenv.hostPlatform.isx86 (whenAtLeast "5.12" yes); 1315 X86_PLATFORM_DRIVERS_HP = lib.mkIf stdenv.hostPlatform.isx86 (whenAtLeast "6.1" yes); 1316 1317 LIRC = yes; 1318 1319 SCHED_CORE = whenAtLeast "5.14" yes; 1320 SCHED_CLASS_EXT = whenAtLeast "6.12" (whenPlatformHasEBPFJit yes); 1321 1322 LRU_GEN = whenAtLeast "6.1" yes; 1323 LRU_GEN_ENABLED = whenAtLeast "6.1" yes; 1324 1325 FSL_MC_UAPI_SUPPORT = lib.mkIf (stdenv.hostPlatform.system == "aarch64-linux") ( 1326 whenAtLeast "5.12" yes 1327 ); 1328 1329 ASHMEM = { 1330 optional = true; 1331 tristate = whenBetween "5.0" "5.18" "y"; 1332 }; 1333 ANDROID = { 1334 optional = true; 1335 tristate = whenBetween "5.0" "5.19" "y"; 1336 }; 1337 ANDROID_BINDER_IPC = { 1338 optional = true; 1339 tristate = whenAtLeast "5.0" "y"; 1340 }; 1341 ANDROID_BINDERFS = { 1342 optional = true; 1343 tristate = whenAtLeast "5.0" "y"; 1344 }; 1345 ANDROID_BINDER_DEVICES = { 1346 optional = true; 1347 freeform = whenAtLeast "5.0" "binder,hwbinder,vndbinder"; 1348 }; 1349 1350 TASKSTATS = yes; 1351 TASK_DELAY_ACCT = yes; 1352 TASK_XACCT = yes; 1353 TASK_IO_ACCOUNTING = yes; 
1354 1355 # Fresh toolchains frequently break -Werror build for minor issues. 1356 WERROR = whenAtLeast "5.15" no; 1357 1358 # > CONFIG_KUNIT should not be enabled in a production environment. Enabling KUnit disables Kernel Address-Space Layout Randomization (KASLR), and tests may affect the state of the kernel in ways not suitable for production. 1359 # https://www.kernel.org/doc/html/latest/dev-tools/kunit/start.html 1360 KUNIT = whenAtLeast "5.5" no; 1361 1362 # Set system time from RTC on startup and resume 1363 RTC_HCTOSYS = option yes; 1364 1365 # Expose watchdog information in sysfs 1366 WATCHDOG_SYSFS = yes; 1367 1368 # Enable generic kernel watch queues 1369 # See https://docs.kernel.org/core-api/watch_queue.html 1370 WATCH_QUEUE = whenAtLeast "5.8" yes; 1371 } 1372 // 1373 lib.optionalAttrs 1374 (stdenv.hostPlatform.system == "x86_64-linux" || stdenv.hostPlatform.system == "aarch64-linux") 1375 { 1376 # Enable CPU/memory hotplug support 1377 # Allows you to dynamically add & remove CPUs/memory to a VM client running NixOS without requiring a reboot 1378 ACPI_HOTPLUG_CPU = yes; 1379 ACPI_HOTPLUG_MEMORY = yes; 1380 MEMORY_HOTPLUG = yes; 1381 MEMORY_HOTPLUG_DEFAULT_ONLINE = whenOlder "6.14" yes; 1382 MHP_DEFAULT_ONLINE_TYPE_ONLINE_AUTO = whenAtLeast "6.14" yes; 1383 MEMORY_HOTREMOVE = yes; 1384 HOTPLUG_CPU = yes; 1385 MIGRATION = yes; 1386 SPARSEMEM = yes; 1387 1388 # Bump the maximum number of CPUs to support systems like EC2 x1.* 1389 # instances and Xeon Phi. 1390 NR_CPUS = freeform "384"; 1391 1392 # Enable LEDS to display link-state status of PHY devices (i.e. 
eth lan/wan interfaces) 1393 LED_TRIGGER_PHY = yes; 1394 1395 # Required for various hardware features on Chrome OS devices 1396 CHROME_PLATFORMS = yes; 1397 CHROMEOS_TBMC = module; 1398 CROS_EC = module; 1399 CROS_EC_I2C = module; 1400 CROS_EC_SPI = module; 1401 CROS_KBD_LED_BACKLIGHT = module; 1402 TCG_TIS_SPI_CR50 = whenAtLeast "5.5" yes; 1403 } 1404 // 1405 lib.optionalAttrs 1406 (stdenv.hostPlatform.system == "armv7l-linux" || stdenv.hostPlatform.system == "aarch64-linux") 1407 { 1408 # Enables support for the Allwinner Display Engine 2.0 1409 SUN8I_DE2_CCU = yes; 1410 1411 # See comments on https://github.com/NixOS/nixpkgs/commit/9b67ea9106102d882f53d62890468071900b9647 1412 CRYPTO_AEGIS128_SIMD = no; 1413 1414 # Distros should configure the default as a kernel option. 1415 # We previously defined it on the kernel command line as cma= 1416 # The kernel command line will override a platform-specific configuration from its device tree. 1417 # https://github.com/torvalds/linux/blob/856deb866d16e29bd65952e0289066f6078af773/kernel/dma/contiguous.c#L35-L44 1418 CMA_SIZE_MBYTES = freeform "32"; 1419 1420 # Add debug interfaces for CMA 1421 CMA_DEBUGFS = yes; 1422 CMA_SYSFS = whenAtLeast "5.13" yes; 1423 1424 # https://docs.kernel.org/arch/arm/mem_alignment.html 1425 # tldr: 1426 # when buggy userspace code emits illegal misaligned LDM, STM, 1427 # LDRD and STRDs, the instructions trap, are caught, and then 1428 # are emulated by the kernel. 1429 # 1430 # This is the default on armv7l, anyway, but it is explicitly 1431 # enabled here for the sake of providing context for the 1432 # aarch64 compat option which follows. 
1433 ALIGNMENT_TRAP = lib.mkIf (stdenv.hostPlatform.system == "armv7l-linux") yes; 1434 1435 # https://patchwork.kernel.org/project/linux-arm-kernel/patch/20220701135322.3025321-1-ardb@kernel.org/ 1436 # tldr: 1437 # when encountering alignment faults under aarch64, this option 1438 # makes the kernel attempt to handle the fault by doing the 1439 # same style of misaligned emulation that is performed under 1440 # armv7l (see above option). 1441 # 1442 # This minimizes the potential for aarch32 userspace to behave 1443 # differently when run under aarch64 kernels compared to when 1444 # it is run under an aarch32 kernel. 1445 COMPAT_ALIGNMENT_FIXUPS = lib.mkIf (stdenv.hostPlatform.system == "aarch64-linux") ( 1446 whenAtLeast "6.1" yes 1447 ); 1448 1449 # requirement for CP15_BARRIER_EMULATION 1450 ARMV8_DEPRECATED = lib.mkIf (stdenv.hostPlatform.system == "aarch64-linux") yes; 1451 # emulate a specific armv7 instruction that was removed from armv8 1452 # this instruction is required to build a native armv7 nodejs on an 1453 # aarch64-linux builder, for example 1454 CP15_BARRIER_EMULATION = lib.mkIf (stdenv.hostPlatform.system == "aarch64-linux") yes; 1455 } 1456 // lib.optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") { 1457 CROS_EC_LPC = module; 1458 CROS_EC_ISHTP = module; 1459 1460 CHROMEOS_LAPTOP = module; 1461 CHROMEOS_PSTORE = module; 1462 1463 # Enable x86 resource control 1464 X86_CPU_RESCTRL = whenAtLeast "5.0" yes; 1465 1466 # Enable TSX on CPUs where it's not vulnerable 1467 X86_INTEL_TSX_MODE_AUTO = yes; 1468 1469 # Enable AMD Wi-Fi RF band mitigations 1470 # See https://cateee.net/lkddb/web-lkddb/AMD_WBRF.html 1471 AMD_WBRF = whenAtLeast "6.8" yes; 1472 1473 # Enable Intel Turbo Boost Max 3.0 1474 INTEL_TURBO_MAX_3 = yes; 1475 }; 1476 1477 accel = { 1478 # Build DRM accelerator devices 1479 DRM_ACCEL = whenAtLeast "6.2" yes; 1480 }; 1481 }; 1482in 1483flattenKConf options