Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)
1# WARNING/NOTE: whenever you want to add an option here you need to either 2# * mark it as an optional one with `option`, 3# * or make sure it works for all the versions in nixpkgs, 4# * or check for which kernel versions it will work (using kernel 5# changelog, google or whatever) and mark it with `whenOlder` or 6# `whenAtLeast`. 7# Then do test your change by building all the kernels (or at least 8# their configs) in Nixpkgs or else you will guarantee lots and lots 9# of pain to users trying to switch to an older kernel because of some 10# hardware problems with a new one. 11 12# Configuration 13{ lib, stdenv, version 14 15, features ? {} 16}: 17 18with lib; 19with lib.kernel; 20with (lib.kernel.whenHelpers version); 21 22let 23 24 25 # configuration items have to be part of a subattrs 26 flattenKConf = nested: mapAttrs (name: values: if length values == 1 then head values else throw "duplicate kernel configuration option: ${name}") (zipAttrs (attrValues nested)); 27 28 whenPlatformHasEBPFJit = 29 mkIf (stdenv.hostPlatform.isAarch32 || 30 stdenv.hostPlatform.isAarch64 || 31 stdenv.hostPlatform.isx86_64 || 32 (stdenv.hostPlatform.isPower && stdenv.hostPlatform.is64bit) || 33 (stdenv.hostPlatform.isMips && stdenv.hostPlatform.is64bit)); 34 35 options = { 36 37 debug = { 38 # Necessary for BTF 39 DEBUG_INFO = mkMerge [ 40 (whenOlder "5.2" (if (features.debug or false) then yes else no)) 41 (whenBetween "5.2" "5.18" yes) 42 ]; 43 DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT = whenAtLeast "5.18" yes; 44 # Reduced debug info conflict with BTF and have been enabled in 45 # aarch64 defconfig since 5.13 46 DEBUG_INFO_REDUCED = whenAtLeast "5.13" (option no); 47 DEBUG_INFO_BTF = whenAtLeast "5.2" (option yes); 48 # Allow loading modules with mismatched BTFs 49 # FIXME: figure out how to actually make BTFs reproducible instead 50 # See https://github.com/NixOS/nixpkgs/pull/181456 for details. 
51 MODULE_ALLOW_BTF_MISMATCH = whenAtLeast "5.18" (option yes); 52 BPF_LSM = whenAtLeast "5.7" (option yes); 53 DEBUG_KERNEL = yes; 54 DEBUG_DEVRES = no; 55 DYNAMIC_DEBUG = yes; 56 DEBUG_STACK_USAGE = no; 57 RCU_TORTURE_TEST = no; 58 SCHEDSTATS = yes; 59 DETECT_HUNG_TASK = yes; 60 CRASH_DUMP = option no; 61 # Easier debugging of NFS issues. 62 SUNRPC_DEBUG = yes; 63 # Provide access to tunables like sched_migration_cost_ns 64 SCHED_DEBUG = yes; 65 66 # Count IRQ and steal CPU time separately 67 IRQ_TIME_ACCOUNTING = yes; 68 PARAVIRT_TIME_ACCOUNTING = yes; 69 70 # Enable CPU lockup detection 71 LOCKUP_DETECTOR = yes; 72 SOFTLOCKUP_DETECTOR = yes; 73 HARDLOCKUP_DETECTOR = yes; 74 75 # Enable streaming logs to a remote device over a network 76 NETCONSOLE = module; 77 NETCONSOLE_DYNAMIC = yes; 78 79 # Export known printks in debugfs 80 PRINTK_INDEX = whenAtLeast "5.15" yes; 81 }; 82 83 power-management = { 84 CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = yes; 85 CPU_FREQ_GOV_SCHEDUTIL = yes; 86 PM_ADVANCED_DEBUG = yes; 87 PM_WAKELOCKS = yes; 88 POWERCAP = yes; 89 # ACPI Firmware Performance Data Table Support 90 ACPI_FPDT = whenAtLeast "5.12" (option yes); 91 # ACPI Heterogeneous Memory Attribute Table Support 92 ACPI_HMAT = whenAtLeast "5.2" (option yes); 93 # ACPI Platform Error Interface 94 ACPI_APEI = (option yes); 95 # APEI Generic Hardware Error Source 96 ACPI_APEI_GHES = (option yes); 97 98 # Enable lazy RCUs for power savings: 99 # https://lore.kernel.org/rcu/20221019225138.GA2499943@paulmck-ThinkPad-P17-Gen-1/ 100 # RCU_LAZY depends on RCU_NOCB_CPU depends on NO_HZ_FULL 101 # depends on HAVE_VIRT_CPU_ACCOUNTING_GEN depends on 64BIT, 102 # so we can't force-enable this 103 RCU_LAZY = whenAtLeast "6.2" (option yes); 104 105 # Auto suspend Bluetooth devices at idle 106 BT_HCIBTUSB_AUTOSUSPEND = yes; 107 108 # Expose cpufreq stats in sysfs 109 CPU_FREQ_STAT = yes; 110 111 # Enable CPU energy model for scheduling 112 ENERGY_MODEL = whenAtLeast "5.0" yes; 113 114 # Enable 
thermal interface netlink API 115 THERMAL_NETLINK = whenAtLeast "5.9" yes; 116 117 # Prefer power-efficient workqueue implementation to per-CPU workqueues, 118 # which is slightly slower, but improves battery life. 119 # This is opt-in per workqueue, and can be disabled globally with a kernel command line option. 120 WQ_POWER_EFFICIENT_DEFAULT = yes; 121 122 # Default SATA link power management to "medium with device initiated PM" 123 # for some extra power savings. 124 SATA_MOBILE_LPM_POLICY = whenAtLeast "5.18" (freeform "3"); 125 126 # GPIO power management 127 POWER_RESET_GPIO = option yes; 128 POWER_RESET_GPIO_RESTART = option yes; 129 130 # Enable Pulse-Width-Modulation support, commonly used for fan and backlight. 131 PWM = yes; 132 } // optionalAttrs (stdenv.hostPlatform.isx86) { 133 INTEL_IDLE = yes; 134 INTEL_RAPL = whenAtLeast "5.3" module; 135 X86_INTEL_LPSS = yes; 136 X86_INTEL_PSTATE = yes; 137 X86_AMD_PSTATE = whenAtLeast "5.17" yes; 138 # Intel DPTF (Dynamic Platform and Thermal Framework) Support 139 ACPI_DPTF = whenAtLeast "5.10" yes; 140 141 # Required to bring up some Bay Trail devices properly 142 I2C = yes; 143 I2C_DESIGNWARE_PLATFORM = yes; 144 PMIC_OPREGION = whenAtLeast "5.10" yes; 145 INTEL_SOC_PMIC = whenAtLeast "5.10" yes; 146 BYTCRC_PMIC_OPREGION = whenAtLeast "5.10" yes; 147 CHTCRC_PMIC_OPREGION = whenAtLeast "5.10" yes; 148 XPOWER_PMIC_OPREGION = whenAtLeast "5.10" yes; 149 BXT_WC_PMIC_OPREGION = whenAtLeast "5.10" yes; 150 INTEL_SOC_PMIC_CHTWC = whenAtLeast "5.10" yes; 151 CHT_WC_PMIC_OPREGION = whenAtLeast "5.10" yes; 152 INTEL_SOC_PMIC_CHTDC_TI = whenAtLeast "5.10" yes; 153 CHT_DC_TI_PMIC_OPREGION = whenAtLeast "5.10" yes; 154 MFD_TPS68470 = whenBetween "5.10" "5.13" yes; 155 TPS68470_PMIC_OPREGION = whenAtLeast "5.10" yes; 156 157 # Enable Intel thermal hardware feedback 158 INTEL_HFI_THERMAL = whenAtLeast "5.18" yes; 159 }; 160 161 external-firmware = { 162 # Support drivers that need external firmware. 
163 STANDALONE = no; 164 }; 165 166 proc-config-gz = { 167 # Make /proc/config.gz available 168 IKCONFIG = yes; 169 IKCONFIG_PROC = yes; 170 }; 171 172 optimization = { 173 X86_GENERIC = mkIf (stdenv.hostPlatform.system == "i686-linux") yes; 174 # Optimize with -O2, not -Os 175 CC_OPTIMIZE_FOR_SIZE = no; 176 }; 177 178 memory = { 179 DAMON = whenAtLeast "5.15" yes; 180 DAMON_VADDR = whenAtLeast "5.15" yes; 181 DAMON_PADDR = whenAtLeast "5.16" yes; 182 DAMON_SYSFS = whenAtLeast "5.18" yes; 183 DAMON_DBGFS = whenBetween "5.15" "6.9" yes; 184 DAMON_RECLAIM = whenAtLeast "5.16" yes; 185 DAMON_LRU_SORT = whenAtLeast "6.0" yes; 186 # Support recovering from memory failures on systems with ECC and MCA recovery. 187 MEMORY_FAILURE = yes; 188 189 # Collect ECC errors and retire pages that fail too often 190 RAS_CEC = yes; 191 } // optionalAttrs (stdenv.is32bit) { 192 # Enable access to the full memory range (aka PAE) on 32-bit architectures 193 # This check isn't super accurate but it's close enough 194 HIGHMEM = option yes; 195 BOUNCE = option yes; 196 }; 197 198 memtest = { 199 MEMTEST = yes; 200 }; 201 202 # Include the CFQ I/O scheduler in the kernel, rather than as a 203 # module, so that the initrd gets a good I/O scheduler. 204 scheduler = { 205 IOSCHED_CFQ = whenOlder "5.0" yes; # Removed in 5.0-RC1 206 BLK_CGROUP = yes; # required by CFQ" 207 BLK_CGROUP_IOLATENCY = yes; 208 BLK_CGROUP_IOCOST = whenAtLeast "5.4" yes; 209 IOSCHED_DEADLINE = whenOlder "5.0" yes; # Removed in 5.0-RC1 210 MQ_IOSCHED_DEADLINE = yes; 211 BFQ_GROUP_IOSCHED = yes; 212 MQ_IOSCHED_KYBER = yes; 213 IOSCHED_BFQ = module; 214 # Enable CPU utilization clamping for RT tasks 215 UCLAMP_TASK = whenAtLeast "5.3" yes; 216 UCLAMP_TASK_GROUP = whenAtLeast "5.4" yes; 217 }; 218 219 220 timer = { 221 # Enable Full Dynticks System. 222 # NO_HZ_FULL depends on HAVE_VIRT_CPU_ACCOUNTING_GEN depends on 64BIT 223 NO_HZ_FULL = mkIf stdenv.is64bit yes; 224 }; 225 226 # Enable NUMA. 
227 numa = { 228 NUMA = option yes; 229 NUMA_BALANCING = option yes; 230 }; 231 232 networking = { 233 NET = yes; 234 IP_ADVANCED_ROUTER = yes; 235 IP_PNP = no; 236 IP_ROUTE_MULTIPATH = yes; 237 IP_VS_PROTO_TCP = yes; 238 IP_VS_PROTO_UDP = yes; 239 IP_VS_PROTO_ESP = yes; 240 IP_VS_PROTO_AH = yes; 241 IP_VS_IPV6 = yes; 242 IP_DCCP_CCID3 = no; # experimental 243 CLS_U32_PERF = yes; 244 CLS_U32_MARK = yes; 245 BPF_JIT = whenPlatformHasEBPFJit yes; 246 BPF_JIT_ALWAYS_ON = whenPlatformHasEBPFJit no; # whenPlatformHasEBPFJit yes; # see https://github.com/NixOS/nixpkgs/issues/79304 247 HAVE_EBPF_JIT = whenPlatformHasEBPFJit yes; 248 BPF_STREAM_PARSER = yes; 249 XDP_SOCKETS = yes; 250 XDP_SOCKETS_DIAG = whenAtLeast "5.1" yes; 251 WAN = yes; 252 TCP_CONG_ADVANCED = yes; 253 TCP_CONG_CUBIC = yes; # This is the default congestion control algorithm since 2.6.19 254 # Required by systemd per-cgroup firewalling 255 CGROUP_BPF = option yes; 256 CGROUP_NET_PRIO = yes; # Required by systemd 257 IP_ROUTE_VERBOSE = yes; 258 IP_MROUTE_MULTIPLE_TABLES = yes; 259 IP_MULTICAST = yes; 260 IP_MULTIPLE_TABLES = yes; 261 IPV6 = yes; 262 IPV6_ROUTER_PREF = yes; 263 IPV6_ROUTE_INFO = yes; 264 IPV6_OPTIMISTIC_DAD = yes; 265 IPV6_MULTIPLE_TABLES = yes; 266 IPV6_SUBTREES = yes; 267 IPV6_MROUTE = yes; 268 IPV6_MROUTE_MULTIPLE_TABLES = yes; 269 IPV6_PIMSM_V2 = yes; 270 IPV6_FOU_TUNNEL = module; 271 IPV6_SEG6_LWTUNNEL = yes; 272 IPV6_SEG6_HMAC = yes; 273 IPV6_SEG6_BPF = yes; 274 NET_CLS_BPF = module; 275 NET_ACT_BPF = module; 276 NET_SCHED = yes; 277 L2TP_V3 = yes; 278 L2TP_IP = module; 279 L2TP_ETH = module; 280 BRIDGE_VLAN_FILTERING = yes; 281 BONDING = module; 282 NET_L3_MASTER_DEV = option yes; 283 NET_FOU_IP_TUNNELS = option yes; 284 IP_NF_TARGET_REDIRECT = module; 285 286 PPP_MULTILINK = yes; # PPP multilink support 287 PPP_FILTER = yes; 288 289 # needed for iwd WPS support (wpa_supplicant replacement) 290 KEY_DH_OPERATIONS = yes; 291 292 # needed for nftables 293 # Networking Options 294 
NETFILTER = yes; 295 NETFILTER_ADVANCED = yes; 296 # Core Netfilter Configuration 297 NF_CONNTRACK_ZONES = yes; 298 NF_CONNTRACK_EVENTS = yes; 299 NF_CONNTRACK_TIMEOUT = yes; 300 NF_CONNTRACK_TIMESTAMP = yes; 301 NETFILTER_NETLINK_GLUE_CT = yes; 302 NF_TABLES_INET = yes; 303 NF_TABLES_NETDEV = yes; 304 NFT_REJECT_NETDEV = whenAtLeast "5.11" module; 305 306 # IP: Netfilter Configuration 307 NF_TABLES_IPV4 = yes; 308 NF_TABLES_ARP = yes; 309 # IPv6: Netfilter Configuration 310 NF_TABLES_IPV6 = yes; 311 # Bridge Netfilter Configuration 312 NF_TABLES_BRIDGE = mkMerge [ (whenOlder "5.3" yes) 313 (whenAtLeast "5.3" module) ]; 314 # Expose some debug info 315 NF_CONNTRACK_PROCFS = yes; 316 NF_FLOW_TABLE_PROCFS = whenAtLeast "6.0" yes; 317 318 # needed for `dropwatch` 319 # Builtin-only since https://github.com/torvalds/linux/commit/f4b6bcc7002f0e3a3428bac33cf1945abff95450 320 NET_DROP_MONITOR = yes; 321 322 # needed for ss 323 # Use a lower priority to allow these options to be overridden in hardened/config.nix 324 INET_DIAG = mkDefault module; 325 INET_TCP_DIAG = mkDefault module; 326 INET_UDP_DIAG = mkDefault module; 327 INET_RAW_DIAG = mkDefault module; 328 INET_DIAG_DESTROY = mkDefault yes; 329 330 # IPsec over TCP 331 INET_ESPINTCP = whenAtLeast "5.8" yes; 332 INET6_ESPINTCP = whenAtLeast "5.8" yes; 333 334 # enable multipath-tcp 335 MPTCP = whenAtLeast "5.6" yes; 336 MPTCP_IPV6 = whenAtLeast "5.6" yes; 337 INET_MPTCP_DIAG = whenAtLeast "5.9" (mkDefault module); 338 339 # Kernel TLS 340 TLS = module; 341 TLS_DEVICE = yes; 342 343 # infiniband 344 INFINIBAND = module; 345 INFINIBAND_IPOIB = module; 346 INFINIBAND_IPOIB_CM = yes; 347 348 # Enable debugfs for wireless drivers 349 CFG80211_DEBUGFS = yes; 350 MAC80211_DEBUGFS = yes; 351 } // optionalAttrs (stdenv.hostPlatform.system == "aarch64-linux") { 352 # Not enabled by default, hides modules behind it 353 NET_VENDOR_MEDIATEK = yes; 354 # Enable SoC interface for MT7915 module, required for MT798X. 
355 MT7986_WMAC = whenBetween "5.18" "6.6" yes; 356 MT798X_WMAC = whenAtLeast "6.6" yes; 357 }; 358 359 wireless = { 360 CFG80211_WEXT = option yes; # Without it, ipw2200 drivers don't build 361 IPW2100_MONITOR = option yes; # support promiscuous mode 362 IPW2200_MONITOR = option yes; # support promiscuous mode 363 HOSTAP_FIRMWARE = whenOlder "6.8" (option yes); # Support downloading firmware images with Host AP driver 364 HOSTAP_FIRMWARE_NVRAM = whenOlder "6.8" (option yes); 365 MAC80211_MESH = option yes; # Enable 802.11s (mesh networking) support 366 ATH9K_PCI = option yes; # Detect Atheros AR9xxx cards on PCI(e) bus 367 ATH9K_AHB = option yes; # Ditto, AHB bus 368 # The description of this option makes it sound dangerous or even illegal 369 # But OpenWRT enables it by default: https://github.com/openwrt/openwrt/blob/master/package/kernel/mac80211/Makefile#L55 370 # At the time of writing (25-06-2023): this is only used in a "correct" way by ath drivers for initiating DFS radiation 371 # for "certified devices" 372 EXPERT = option yes; # this is needed for offering the certification option 373 RFKILL_INPUT = option yes; # counteract an undesired effect of setting EXPERT 374 CFG80211_CERTIFICATION_ONUS = option yes; 375 # DFS: "Dynamic Frequency Selection" is a spectrum-sharing mechanism that allows 376 # you to use certain interesting frequency when your local regulatory domain mandates it. 377 # ATH drivers hides the feature behind this option and makes hostapd works with DFS frequencies. 
378 # OpenWRT enables it too: https://github.com/openwrt/openwrt/blob/master/package/kernel/mac80211/ath.mk#L42 379 ATH9K_DFS_CERTIFIED = option yes; 380 ATH10K_DFS_CERTIFIED = option yes; 381 B43_PHY_HT = option yes; 382 BCMA_HOST_PCI = option yes; 383 RTW88 = whenAtLeast "5.2" module; 384 RTW88_8822BE = mkMerge [ (whenBetween "5.2" "5.8" yes) (whenAtLeast "5.8" module) ]; 385 RTW88_8822CE = mkMerge [ (whenBetween "5.2" "5.8" yes) (whenAtLeast "5.8" module) ]; 386 }; 387 388 fb = { 389 FB = yes; 390 FB_EFI = yes; 391 FB_NVIDIA_I2C = yes; # Enable DDC Support 392 FB_RIVA_I2C = yes; 393 FB_ATY_CT = yes; # Mach64 CT/VT/GT/LT (incl. 3D RAGE) support 394 FB_ATY_GX = yes; # Mach64 GX support 395 FB_SAVAGE_I2C = yes; 396 FB_SAVAGE_ACCEL = yes; 397 FB_SIS_300 = yes; 398 FB_SIS_315 = yes; 399 FB_3DFX_ACCEL = yes; 400 FB_VESA = yes; 401 FRAMEBUFFER_CONSOLE = yes; 402 FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = yes; 403 FRAMEBUFFER_CONSOLE_ROTATION = yes; 404 FRAMEBUFFER_CONSOLE_DETECT_PRIMARY = yes; 405 FB_GEODE = mkIf (stdenv.hostPlatform.system == "i686-linux") yes; 406 # Use simplefb on older kernels where we don't have simpledrm (enabled below) 407 FB_SIMPLE = whenOlder "5.15" yes; 408 DRM_FBDEV_EMULATION = yes; 409 }; 410 411 fonts = { 412 FONTS = yes; 413 # Default fonts enabled if FONTS is not set 414 FONT_8x8 = yes; 415 FONT_8x16 = yes; 416 # High DPI font 417 FONT_TER16x32 = whenAtLeast "5.0" yes; 418 }; 419 420 video = let 421 whenHasDevicePrivate = mkIf (!stdenv.isx86_32 && versionAtLeast version "5.1"); 422 in { 423 # compile in DRM so simpledrm can load before initrd if necessary 424 AGP = yes; 425 DRM = yes; 426 427 DRM_LEGACY = whenOlder "6.8" no; 428 429 NOUVEAU_LEGACY_CTX_SUPPORT = whenBetween "5.2" "6.3" no; 430 431 # Enable simpledrm and use it for generic framebuffer 432 # Technically added in 5.14, but adding more complex configuration is not worth it 433 DRM_SIMPLEDRM = whenAtLeast "5.15" yes; 434 SYSFB_SIMPLEFB = whenAtLeast "5.15" yes; 435 436 # Allow 
specifying custom EDID on the kernel command line 437 DRM_LOAD_EDID_FIRMWARE = yes; 438 VGA_SWITCHEROO = yes; # Hybrid graphics support 439 DRM_GMA500 = whenAtLeast "5.12" module; 440 DRM_GMA600 = whenOlder "5.13" yes; 441 DRM_GMA3600 = whenOlder "5.12" yes; 442 DRM_VMWGFX_FBCON = whenOlder "6.1" yes; 443 # (experimental) amdgpu support for verde and newer chipsets 444 DRM_AMDGPU_SI = yes; 445 # (stable) amdgpu support for bonaire and newer chipsets 446 DRM_AMDGPU_CIK = yes; 447 # Allow device firmware updates 448 DRM_DP_AUX_CHARDEV = whenOlder "6.10" yes; 449 DRM_DISPLAY_DP_AUX_CHARDEV = whenAtLeast "6.10" yes; 450 # amdgpu display core (DC) support 451 DRM_AMD_DC_DCN1_0 = whenOlder "5.6" yes; 452 DRM_AMD_DC_DCN2_0 = whenBetween "5.3" "5.6" yes; 453 DRM_AMD_DC_DCN2_1 = whenBetween "5.4" "5.6" yes; 454 DRM_AMD_DC_DCN3_0 = whenBetween "5.9" "5.11" yes; 455 DRM_AMD_DC_DCN = whenBetween "5.11" "6.4" yes; 456 DRM_AMD_DC_FP = whenAtLeast "6.4" yes; 457 DRM_AMD_DC_HDCP = whenBetween "5.5" "6.4" yes; 458 DRM_AMD_DC_SI = whenAtLeast "5.10" yes; 459 460 # Enable AMD Audio Coprocessor support for HDMI outputs 461 DRM_AMD_ACP = yes; 462 463 # Enable AMD secure display when available 464 DRM_AMD_SECURE_DISPLAY = whenAtLeast "5.13" yes; 465 466 # Enable new firmware (and by extension NVK) for compatible hardware on Nouveau 467 DRM_NOUVEAU_GSP_DEFAULT = whenAtLeast "6.8" yes; 468 469 # Enable Nouveau shared virtual memory (used by OpenCL) 470 DEVICE_PRIVATE = whenHasDevicePrivate yes; 471 DRM_NOUVEAU_SVM = whenHasDevicePrivate yes; 472 473 # Enable HDMI-CEC receiver support 474 RC_CORE = yes; 475 MEDIA_CEC_RC = whenAtLeast "5.10" yes; 476 477 # Enable CEC over DisplayPort 478 DRM_DP_CEC = whenOlder "6.10" yes; 479 DRM_DISPLAY_DP_AUX_CEC = whenAtLeast "6.10" yes; 480 } // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") { 481 # Intel GVT-g graphics virtualization supports 64-bit only 482 DRM_I915_GVT = yes; 483 DRM_I915_GVT_KVMGT = module; 484 # Enable Hyper-V 
Synthetic DRM Driver 485 DRM_HYPERV = whenAtLeast "5.14" module; 486 } // optionalAttrs (stdenv.hostPlatform.system == "aarch64-linux") { 487 # enable HDMI-CEC on RPi boards 488 DRM_VC4_HDMI_CEC = yes; 489 }; 490 491 # Enables Rust support in the Linux kernel. This is currently not enabled by default, because it occasionally requires 492 # patching the Linux kernel for the specific Rust toolchain in nixpkgs. These patches usually take a bit 493 # of time to appear and this would hold up Linux kernel and Rust toolchain updates. 494 # 495 # Once Rust in the kernel has more users, we can reconsider enabling it by default. 496 rust = optionalAttrs ((features.rust or false) && versionAtLeast version "6.7") { 497 RUST = yes; 498 GCC_PLUGINS = no; 499 }; 500 501 sound = { 502 SND_DYNAMIC_MINORS = yes; 503 SND_AC97_POWER_SAVE = yes; # AC97 Power-Saving Mode 504 # 10s for the idle timeout, Fedora does 1, Arch does 10. 505 # The kernel says we should do 10. 506 # Read: https://docs.kernel.org/sound/designs/powersave.html 507 SND_AC97_POWER_SAVE_DEFAULT = freeform "10"; 508 SND_HDA_POWER_SAVE_DEFAULT = freeform "10"; 509 SND_HDA_INPUT_BEEP = yes; # Support digital beep via input layer 510 SND_HDA_RECONFIG = yes; # Support reconfiguration of jack functions 511 # Support configuring jack functions via fw mechanism at boot 512 SND_HDA_PATCH_LOADER = yes; 513 SND_HDA_CODEC_CA0132_DSP = whenOlder "5.7" yes; # Enable DSP firmware loading on Creative Soundblaster Z/Zx/ZxR/Recon 514 SND_HDA_CODEC_CS8409 = whenAtLeast "6.6" module; # Cirrus Logic HDA Bridge CS8409 515 SND_OSSEMUL = yes; 516 SND_USB_CAIAQ_INPUT = yes; 517 SND_USB_AUDIO_MIDI_V2 = whenAtLeast "6.5" yes; 518 # Enable Sound Open Firmware support 519 } // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux" && 520 versionAtLeast version "5.5") { 521 SND_SOC_INTEL_SOUNDWIRE_SOF_MACH = whenAtLeast "5.10" module; 522 SND_SOC_INTEL_USER_FRIENDLY_LONG_NAMES = whenAtLeast "5.10" yes; # dep of SOF_MACH 523 
SND_SOC_SOF_INTEL_SOUNDWIRE_LINK = whenBetween "5.10" "5.11" yes; # dep of SOF_MACH 524 SND_SOC_SOF_TOPLEVEL = yes; 525 SND_SOC_SOF_ACPI = module; 526 SND_SOC_SOF_PCI = module; 527 SND_SOC_SOF_APOLLOLAKE = whenAtLeast "5.12" module; 528 SND_SOC_SOF_APOLLOLAKE_SUPPORT = whenOlder "5.12" yes; 529 SND_SOC_SOF_CANNONLAKE = whenAtLeast "5.12" module; 530 SND_SOC_SOF_CANNONLAKE_SUPPORT = whenOlder "5.12" yes; 531 SND_SOC_SOF_COFFEELAKE = whenAtLeast "5.12" module; 532 SND_SOC_SOF_COFFEELAKE_SUPPORT = whenOlder "5.12" yes; 533 SND_SOC_SOF_COMETLAKE = whenAtLeast "5.12" module; 534 SND_SOC_SOF_COMETLAKE_H_SUPPORT = whenOlder "5.8" yes; 535 SND_SOC_SOF_COMETLAKE_LP_SUPPORT = whenOlder "5.12" yes; 536 SND_SOC_SOF_ELKHARTLAKE = whenAtLeast "5.12" module; 537 SND_SOC_SOF_ELKHARTLAKE_SUPPORT = whenOlder "5.12" yes; 538 SND_SOC_SOF_GEMINILAKE = whenAtLeast "5.12" module; 539 SND_SOC_SOF_GEMINILAKE_SUPPORT = whenOlder "5.12" yes; 540 SND_SOC_SOF_HDA_AUDIO_CODEC = yes; 541 SND_SOC_SOF_HDA_COMMON_HDMI_CODEC = whenOlder "5.7" yes; 542 SND_SOC_SOF_HDA_LINK = yes; 543 SND_SOC_SOF_ICELAKE = whenAtLeast "5.12" module; 544 SND_SOC_SOF_ICELAKE_SUPPORT = whenOlder "5.12" yes; 545 SND_SOC_SOF_INTEL_TOPLEVEL = yes; 546 SND_SOC_SOF_JASPERLAKE = whenAtLeast "5.12" module; 547 SND_SOC_SOF_JASPERLAKE_SUPPORT = whenOlder "5.12" yes; 548 SND_SOC_SOF_MERRIFIELD = whenAtLeast "5.12" module; 549 SND_SOC_SOF_MERRIFIELD_SUPPORT = whenOlder "5.12" yes; 550 SND_SOC_SOF_TIGERLAKE = whenAtLeast "5.12" module; 551 SND_SOC_SOF_TIGERLAKE_SUPPORT = whenOlder "5.12" yes; 552 }; 553 554 usb = { 555 USB = yes; # compile USB core into kernel, so we can use USB_SERIAL_CONSOLE before modules 556 557 USB_EHCI_ROOT_HUB_TT = yes; # Root Hub Transaction Translators 558 USB_EHCI_TT_NEWSCHED = yes; # Improved transaction translator scheduling 559 USB_HIDDEV = yes; # USB Raw HID Devices (like monitor controls and Uninterruptable Power Supplies) 560 561 # default to dual role mode 562 USB_DWC2_DUAL_ROLE = yes; 563 
USB_DWC3_DUAL_ROLE = yes; 564 }; 565 566 usb-serial = { 567 USB_SERIAL = yes; 568 USB_SERIAL_GENERIC = yes; # USB Generic Serial Driver 569 USB_SERIAL_CONSOLE = yes; # Allow using USB serial adapter as console 570 U_SERIAL_CONSOLE = whenAtLeast "5.10" yes; # Allow using USB gadget as console 571 }; 572 573 # Filesystem options - in particular, enable extended attributes and 574 # ACLs for all filesystems that support them. 575 filesystem = { 576 FANOTIFY = yes; 577 FANOTIFY_ACCESS_PERMISSIONS = yes; 578 579 TMPFS = yes; 580 TMPFS_POSIX_ACL = yes; 581 FS_ENCRYPTION = if (versionAtLeast version "5.1") then yes else option module; 582 583 EXT2_FS_XATTR = yes; 584 EXT2_FS_POSIX_ACL = yes; 585 EXT2_FS_SECURITY = yes; 586 587 EXT3_FS_POSIX_ACL = yes; 588 EXT3_FS_SECURITY = yes; 589 590 EXT4_FS_POSIX_ACL = yes; 591 EXT4_FS_SECURITY = yes; 592 EXT4_ENCRYPTION = whenOlder "5.1" yes; 593 594 NTFS_FS = whenBetween "5.15" "6.9" no; 595 NTFS3_LZX_XPRESS = whenAtLeast "5.15" yes; 596 NTFS3_FS_POSIX_ACL = whenAtLeast "5.15" yes; 597 598 REISERFS_FS_XATTR = option yes; 599 REISERFS_FS_POSIX_ACL = option yes; 600 REISERFS_FS_SECURITY = option yes; 601 602 JFS_POSIX_ACL = option yes; 603 JFS_SECURITY = option yes; 604 605 XFS_QUOTA = option yes; 606 XFS_POSIX_ACL = option yes; 607 XFS_RT = option yes; # XFS Realtime subvolume support 608 XFS_ONLINE_SCRUB = option yes; 609 610 OCFS2_DEBUG_MASKLOG = option no; 611 612 BTRFS_FS_POSIX_ACL = yes; 613 614 BCACHEFS_QUOTA = whenAtLeast "6.7" (option yes); 615 BCACHEFS_POSIX_ACL = whenAtLeast "6.7" (option yes); 616 617 UBIFS_FS_ADVANCED_COMPR = option yes; 618 619 F2FS_FS = module; 620 F2FS_FS_SECURITY = option yes; 621 F2FS_FS_ENCRYPTION = whenOlder "5.1" yes; 622 F2FS_FS_COMPRESSION = whenAtLeast "5.6" yes; 623 UDF_FS = module; 624 625 NFSD_V2_ACL = whenOlder "5.10" yes; 626 NFSD_V3 = whenOlder "5.10" yes; 627 NFSD_V3_ACL = yes; 628 NFSD_V4 = yes; 629 NFSD_V4_SECURITY_LABEL = yes; 630 631 NFS_FSCACHE = yes; 632 NFS_SWAP = yes; 633 
NFS_V3_ACL = yes; 634 NFS_V4_1 = yes; # NFSv4.1 client support 635 NFS_V4_2 = yes; 636 NFS_V4_SECURITY_LABEL = yes; 637 638 CIFS_XATTR = yes; 639 CIFS_POSIX = option yes; 640 CIFS_FSCACHE = yes; 641 CIFS_WEAK_PW_HASH = whenOlder "5.15" yes; 642 CIFS_UPCALL = yes; 643 CIFS_ACL = whenOlder "5.3" yes; 644 CIFS_DFS_UPCALL = yes; 645 646 CEPH_FSCACHE = yes; 647 CEPH_FS_POSIX_ACL = yes; 648 649 SQUASHFS_FILE_DIRECT = yes; 650 SQUASHFS_DECOMP_MULTI_PERCPU = whenOlder "6.2" yes; 651 SQUASHFS_CHOICE_DECOMP_BY_MOUNT = whenAtLeast "6.2" yes; 652 SQUASHFS_XATTR = yes; 653 SQUASHFS_ZLIB = yes; 654 SQUASHFS_LZO = yes; 655 SQUASHFS_XZ = yes; 656 SQUASHFS_LZ4 = yes; 657 SQUASHFS_ZSTD = yes; 658 659 # Native Language Support modules, needed by some filesystems 660 NLS = yes; 661 NLS_DEFAULT = freeform "utf8"; 662 NLS_UTF8 = module; 663 NLS_CODEPAGE_437 = module; # VFAT default for the codepage= mount option 664 NLS_ISO8859_1 = module; # VFAT default for the iocharset= mount option 665 666 # Needed to use the installation iso image. Not included in all defconfigs (e.g. arm64) 667 ISO9660_FS = module; 668 669 DEVTMPFS = yes; 670 671 UNICODE = whenAtLeast "5.2" yes; # Casefolding support for filesystems 672 }; 673 674 security = { 675 # Report BUG() conditions and kill the offending process. 676 BUG = yes; 677 BUG_ON_DATA_CORRUPTION = yes; 678 679 FORTIFY_SOURCE = option yes; 680 681 # https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html 682 DEBUG_LIST = yes; 683 684 HARDENED_USERCOPY = yes; 685 RANDOMIZE_BASE = option yes; 686 STRICT_KERNEL_RWX = yes; 687 STRICT_MODULE_RWX = yes; 688 STRICT_DEVMEM = mkDefault yes; # Filter access to /dev/mem 689 IO_STRICT_DEVMEM = mkDefault yes; 690 SECURITY_SELINUX_BOOTPARAM_VALUE = whenOlder "5.1" (freeform "0"); # Disable SELinux by default 691 692 # Prevent processes from ptracing non-children processes 693 SECURITY_YAMA = option yes; 694 # The goal of Landlock is to enable to restrict ambient rights (e.g. 
global filesystem access) for a set of processes. 695 # This does not have any effect if a program does not support it 696 SECURITY_LANDLOCK = whenAtLeast "5.13" yes; 697 698 DEVKMEM = whenOlder "5.13" no; # Disable /dev/kmem 699 700 USER_NS = yes; # Support for user namespaces 701 702 SECURITY_APPARMOR = yes; 703 DEFAULT_SECURITY_APPARMOR = yes; 704 705 RANDOM_TRUST_CPU = whenOlder "6.2" yes; # allow RDRAND to seed the RNG 706 RANDOM_TRUST_BOOTLOADER = whenOlder "6.2" (whenAtLeast "5.4" yes); # allow the bootloader to seed the RNG 707 708 MODULE_SIG = no; # r13y, generates a random key during build and bakes it in 709 # Depends on MODULE_SIG and only really helps when you sign your modules 710 # and enforce signatures which we don't do by default. 711 SECURITY_LOCKDOWN_LSM = whenAtLeast "5.4" no; 712 713 # provides a register of persistent per-UID keyrings, useful for encrypting storage pools in stratis 714 PERSISTENT_KEYRINGS = yes; 715 # enable temporary caching of the last request_key() result 716 KEYS_REQUEST_CACHE = whenAtLeast "5.3" yes; 717 # randomized slab caches 718 RANDOM_KMALLOC_CACHES = whenAtLeast "6.6" yes; 719 720 # NIST SP800-90A DRBG modes - enabled by most distributions 721 # and required by some out-of-tree modules (ShuffleCake) 722 # This does not include the NSA-backdoored Dual-EC mode from the same NIST publication. 723 CRYPTO_DRBG_HASH = yes; 724 CRYPTO_DRBG_CTR = yes; 725 726 # Enable KFENCE 727 # See: https://docs.kernel.org/dev-tools/kfence.html 728 KFENCE = whenAtLeast "5.12" yes; 729 730 # Enable support for page poisoning. Still needs to be enabled on the command line to actually work. 
731 PAGE_POISONING = yes; 732 # Randomize page allocator when page_alloc.shuffle=1 733 SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes; 734 735 INIT_ON_ALLOC_DEFAULT_ON = whenAtLeast "5.3" yes; 736 737 # Enable stack smashing protections in schedule() 738 # See: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v4.8&id=0d9e26329b0c9263d4d9e0422d80a0e73268c52f 739 SCHED_STACK_END_CHECK = yes; 740 } // optionalAttrs stdenv.hostPlatform.isx86_64 { 741 # Enable Intel SGX 742 X86_SGX = whenAtLeast "5.11" yes; 743 # Allow KVM guests to load SGX enclaves 744 X86_SGX_KVM = whenAtLeast "5.13" yes; 745 746 # AMD Cryptographic Coprocessor (CCP) 747 CRYPTO_DEV_CCP = yes; 748 # AMD SME 749 AMD_MEM_ENCRYPT = yes; 750 # AMD SEV and AMD SEV-ES 751 KVM_AMD_SEV = yes; 752 # AMD SEV-SNP 753 SEV_GUEST = whenAtLeast "5.19" module; 754 # Shadow stacks 755 X86_USER_SHADOW_STACK = whenAtLeast "6.6" yes; 756 757 # Mitigate straight line speculation at the cost of some file size 758 SLS = whenBetween "5.17" "6.9" yes; 759 MITIGATION_SLS = whenAtLeast "6.9" yes; 760 761 DEFAULT_MMAP_MIN_ADDR = freeform "65536"; 762 } // optionalAttrs stdenv.hostPlatform.isAarch64 { 763 DEFAULT_MMAP_MIN_ADDR = freeform "32768"; 764 }; 765 766 microcode = { 767 MICROCODE = yes; 768 MICROCODE_INTEL = whenOlder "6.6" yes; 769 MICROCODE_AMD = whenOlder "6.6" yes; 770 # Write Back Throttling 771 # https://lwn.net/Articles/682582/ 772 # https://bugzilla.kernel.org/show_bug.cgi?id=12309#c655 773 BLK_WBT = yes; 774 BLK_WBT_SQ = whenOlder "5.0" yes; # Removed in 5.0-RC1 775 BLK_WBT_MQ = yes; 776 }; 777 778 container = { 779 NAMESPACES = yes; # Required by 'unshare' used by 'nixos-install' 780 RT_GROUP_SCHED = no; 781 CGROUP_DEVICE = yes; 782 CGROUP_HUGETLB = yes; 783 CGROUP_PERF = yes; 784 CGROUP_RDMA = yes; 785 786 MEMCG = yes; 787 MEMCG_SWAP = whenOlder "6.1" yes; 788 789 BLK_DEV_THROTTLING = yes; 790 CFQ_GROUP_IOSCHED = whenOlder "5.0" yes; # Removed in 5.0-RC1 791 CGROUP_PIDS = yes; 792 
}; 793 794 staging = { 795 # Enable staging drivers. These are somewhat experimental, but 796 # they generally don't hurt. 797 STAGING = yes; 798 }; 799 800 proc-events = { 801 # PROC_EVENTS requires that the netlink connector is not built 802 # as a module. This is required by libcgroup's cgrulesengd. 803 CONNECTOR = yes; 804 PROC_EVENTS = yes; 805 }; 806 807 tracing = { 808 FTRACE = yes; 809 KPROBES = yes; 810 FUNCTION_TRACER = yes; 811 FTRACE_SYSCALLS = yes; 812 SCHED_TRACER = yes; 813 STACK_TRACER = yes; 814 UPROBE_EVENTS = option yes; 815 BPF_SYSCALL = yes; 816 BPF_UNPRIV_DEFAULT_OFF = whenBetween "5.10" "5.16" yes; 817 BPF_EVENTS = yes; 818 FUNCTION_PROFILER = yes; 819 RING_BUFFER_BENCHMARK = no; 820 }; 821 822 perf = { 823 # enable AMD Zen branch sampling if available 824 PERF_EVENTS_AMD_BRS = whenAtLeast "5.19" (option yes); 825 }; 826 827 virtualisation = { 828 PARAVIRT = option yes; 829 830 HYPERVISOR_GUEST = yes; 831 PARAVIRT_SPINLOCKS = option yes; 832 833 KVM_ASYNC_PF = yes; 834 KVM_GENERIC_DIRTYLOG_READ_PROTECT = yes; 835 KVM_GUEST = yes; 836 KVM_MMIO = yes; 837 KVM_VFIO = yes; 838 KSM = yes; 839 VIRT_DRIVERS = yes; 840 # We need 64 GB (PAE) support for Xen guest support 841 HIGHMEM64G = { optional = true; tristate = mkIf (!stdenv.is64bit) "y";}; 842 843 VFIO_PCI_VGA = mkIf stdenv.is64bit yes; 844 845 UDMABUF = whenAtLeast "4.20" yes; 846 847 # VirtualBox guest drivers in the kernel conflict with the ones in the 848 # official additions package and prevent the vboxsf module from loading, 849 # so disable them for now. 
# Value helpers used below: `option X` marks X as optional, and
# `whenOlder` / `whenAtLeast` gate an entry on the kernel version
# (see the note at the top of the file).

# In-tree VirtualBox guest and video drivers are switched off.
# NOTE(review): presumably in favour of out-of-tree guest additions; confirm.
VBOXGUEST = option no;
DRM_VBOXVIDEO = option no;

# Xen support, including dom0 (XEN_DOM0) and the backend drivers (XEN_BACKEND).
XEN = option yes;
XEN_DOM0 = option yes;
PCI_XEN = option yes;
HVC_XEN = option yes;
HVC_XEN_FRONTEND = option yes;
XEN_SYS_HYPERVISOR = option yes;
SWIOTLB_XEN = option yes;
XEN_BACKEND = option yes;
XEN_BALLOON = option yes;
XEN_BALLOON_MEMORY_HOTPLUG = option yes;
XEN_EFI = option yes;
XEN_HAVE_PVMMU = option yes;
XEN_MCE_LOG = option yes;
XEN_PVH = option yes;
XEN_PVHVM = option yes;
XEN_SAVE_RESTORE = option yes;
XEN_SELFBALLOONING = whenOlder "5.3" yes; # only set for kernels older than 5.3

# Enable device detection on virtio-mmio hypervisors
# (devices are described on the kernel command line or via module parameters)
VIRTIO_MMIO_CMDLINE_DEVICES = yes;
};

media = {
  MEDIA_DIGITAL_TV_SUPPORT = yes;
  MEDIA_CAMERA_SUPPORT = yes;
  MEDIA_CONTROLLER = yes;
  MEDIA_PCI_SUPPORT = yes;
  MEDIA_USB_SUPPORT = yes;
  MEDIA_ANALOG_TV_SUPPORT = yes;
  VIDEO_STK1160_COMMON = whenOlder "6.5" module;
};

"9p" = {
  # Enable the 9P cache to speed up NixOS VM tests.
  "9P_FSCACHE" = option yes;
  "9P_FS_POSIX_ACL" = option yes;
};

huge-page = {
  # Transparent huge pages are available, but only for regions that ask for
  # them (MADVISE); the system-wide ALWAYS mode is turned off.
  TRANSPARENT_HUGEPAGE = option yes;
  TRANSPARENT_HUGEPAGE_ALWAYS = option no;
  TRANSPARENT_HUGEPAGE_MADVISE = option yes;
};

zram = {
  ZRAM = module;
  ZRAM_WRITEBACK = option yes;
  ZRAM_MULTI_COMP = whenAtLeast "6.2" yes;
  ZRAM_DEF_COMP_ZSTD = whenAtLeast "5.11" yes;
  ZSWAP = option yes;
  ZSWAP_COMPRESSOR_DEFAULT_ZSTD = whenAtLeast "5.7" (mkOptionDefault yes);
  ZPOOL = yes;
  ZSMALLOC = option yes;
};

brcmfmac = {
  # Enable PCIe and USB for the brcmfmac driver
  BRCMFMAC_USB = option yes;
  BRCMFMAC_PCIE = option yes;
};

# Support x2APIC (which requires IRQ remapping); x86_64-linux only
x2apic = optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") {
  X86_X2APIC = yes;
  IRQ_REMAP = yes;
};

# Disable various self-test modules that have no use in a production system
# NOTE: the two halves are joined with `//`, which is right-biased: a key
# repeated in the second set would silently replace the one in the first.
tests = {
  # This menu disables all/most of them on >= 4.16
  RUNTIME_TESTING_MENU = option no;
} // {
  CRC32_SELFTEST = option no;
  CRYPTO_TEST = option no;
  EFI_TEST = option no;
  GLOB_SELFTEST = option no;
  LOCK_TORTURE_TEST = option no;
  MTD_TESTS = option no;
  NOTIFIER_ERROR_INJECTION = option no;
  RCU_PERF_TEST = whenOlder "5.9" no;
  RCU_SCALE_TEST = whenAtLeast "5.10" no;
  TEST_ASYNC_DRIVER_PROBE = option no;
  WW_MUTEX_SELFTEST = option no;
  XZ_DEC_TEST = option no;
};

criu = {
  # Unconditionally enabled, because it is required for CRIU and
  # it provides the kcmp() system call that Mesa depends on.
  CHECKPOINT_RESTORE = yes;

  # Allows soft-dirty tracking on pages, used by CRIU.
  # See https://docs.kernel.org/admin-guide/mm/soft-dirty.html
  # Not set when stdenv.isx86_32 is true.
  MEM_SOFT_DIRTY = mkIf (!stdenv.isx86_32) yes;
};

misc = let
  # Use zstd for kernel compression if the build platform is 64-bit and the
  # kernel is at least 5.9, otherwise xz.
  # i686 issues: https://github.com/NixOS/nixpkgs/pull/117961#issuecomment-812106375
  # NOTE: this checks the word size of the *build* platform, not the host.
  useZstd = stdenv.buildPlatform.is64bit && versionAtLeast version "5.9";
in {
  # stdenv.hostPlatform.linux-kernel.target assumes uncompressed on RISC-V.
  # Exactly one of the three settings below applies to a given platform/version.
  KERNEL_UNCOMPRESSED = mkIf stdenv.hostPlatform.isRiscV yes;
  KERNEL_XZ = mkIf (!stdenv.hostPlatform.isRiscV && !useZstd) yes;
  KERNEL_ZSTD = mkIf (!stdenv.hostPlatform.isRiscV && useZstd) yes;

  HID_BATTERY_STRENGTH = yes;
  # enabled by default in x86_64 but not arm64, so we do that here
  HIDRAW = yes;

  # Enable loading HID fixups as eBPF from userspace
  HID_BPF = whenAtLeast "6.3" yes;

  # Force-feedback support for HID game controllers
  HID_ACRUX_FF = yes;
  DRAGONRISE_FF = yes;
  GREENASIA_FF = yes;
  HOLTEK_FF = yes;
  JOYSTICK_PSXPAD_SPI_FF = yes;
  LOGIG940_FF = yes;
  NINTENDO_FF = whenAtLeast "5.16" yes;
  PLAYSTATION_FF = whenAtLeast "5.12" yes;
  SONY_FF = yes;
  SMARTJOYPLUS_FF = yes;
  THRUSTMASTER_FF = yes;
  ZEROPLUS_FF = yes;

  # MODULE_COMPRESS is only set for kernels older than 5.13;
  # MODULE_COMPRESS_XZ is set for every version.
  MODULE_COMPRESS = whenOlder "5.13" yes;
  MODULE_COMPRESS_XZ = yes;

  SYSVIPC = yes; # System-V IPC

  AIO = yes; # POSIX asynchronous I/O

  UNIX = yes; # Unix domain sockets.

  MD = yes; # Device mapper (RAID, LVM, etc.)

  # Enable initrd support.
BLK_DEV_INITRD = yes;

# Allows debugging systems that get stuck during suspend/resume
# NOTE(review): as far as I know the tracing itself is switched on at runtime
# through /sys/power/pm_trace and overwrites the RTC while active; confirm.
PM_TRACE = yes;
PM_TRACE_RTC = yes;

ACCESSIBILITY = yes; # Accessibility support
AUXDISPLAY = yes; # Auxiliary Display support
HIPPI = yes;
MTD_COMPLEX_MAPPINGS = yes; # needed for many devices

SCSI_LOWLEVEL = yes; # enable lots of SCSI devices
SCSI_LOWLEVEL_PCMCIA = yes;
SCSI_SAS_ATA = yes; # added to enable detection of hard drive

SPI = yes; # needed for many devices
SPI_MASTER = yes;

"8139TOO_8129" = yes;
"8139TOO_PIO" = no; # PIO is slower

# Driver debug output stays off
AIC79XX_DEBUG_ENABLE = no;
AIC7XXX_DEBUG_ENABLE = no;
AIC94XX_DEBUG = no;

BLK_DEV_INTEGRITY = yes;
BLK_DEV_ZONED = yes;

BLK_SED_OPAL = yes; # self-encrypting drive (TCG Opal) support

# Enable support for block layer inline encryption
BLK_INLINE_ENCRYPTION = whenAtLeast "5.8" yes;
# ...but fall back to CPU encryption if unavailable
BLK_INLINE_ENCRYPTION_FALLBACK = whenAtLeast "5.8" yes;

BSD_PROCESS_ACCT_V3 = yes;

SERIAL_DEV_BUS = yes; # enables support for serial devices
SERIAL_DEV_CTRL_TTYPORT = yes; # enables support for TTY serial devices

BT_HCIBTUSB_MTK = whenAtLeast "5.3" yes; # MediaTek protocol support

BT_HCIUART = module; # required for BT devices with serial port interface (QCA6390)
BT_HCIUART_BCM = option yes; # Broadcom Bluetooth support
BT_HCIUART_BCSP = option yes; # CSR BlueCore support
BT_HCIUART_H4 = option yes; # UART (H4) protocol support
BT_HCIUART_LL = option yes; # Texas Instruments BRF
BT_HCIUART_QCA = yes; # Qualcomm Atheros support
BT_HCIUART_SERDEV = yes; # required by BT_HCIUART_QCA

BT_RFCOMM_TTY = option yes; # RFCOMM TTY support
BT_QCA = module; # enables QCA6390 bluetooth

# Removed on 5.17 as it was unused
# upstream: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0a4ee518185e902758191d968600399f3bc2be31
CLEANCACHE = whenOlder "5.17" (option yes);

FSCACHE_STATS = yes;

DVB_DYNAMIC_MINORS = option yes; # we use udev

EFI_STUB = yes; # EFI bootloader in the bzImage itself
# Only set for kernels from 5.8 up to, but not including, 6.2
EFI_GENERIC_STUB_INITRD_CMDLINE_LOADER =
  whenOlder "6.2" (whenAtLeast "5.8" yes); # initrd kernel parameter for EFI

# Generic compression support for EFI payloads
# Add new platforms only after they have been verified to build and boot.
# This is unsupported on x86 due to a custom decompression mechanism.
EFI_ZBOOT = mkIf stdenv.hostPlatform.isAarch64 (whenAtLeast "6.1" yes);

CGROUPS = yes; # used by systemd
FHANDLE = yes; # used by systemd
SECCOMP = yes; # used by systemd >= 231
SECCOMP_FILTER = yes; # ditto (seccomp syscall filters)
POSIX_MQUEUE = yes;
FRONTSWAP = whenOlder "6.6" yes;
FUSION = yes; # Fusion MPT device support
IDE = whenOlder "5.14" no; # deprecated IDE support, removed in 5.14
IDLE_PAGE_TRACKING = yes;

# These two spell out the option record by hand instead of using `option`.
JOYSTICK_IFORCE_232 = { optional = true; tristate = whenOlder "5.3" "y"; }; # I-Force Serial joysticks and wheels
JOYSTICK_IFORCE_USB = { optional = true; tristate = whenOlder "5.3" "y"; }; # I-Force USB joysticks and wheels
JOYSTICK_XPAD_FF = option yes; # X-Box gamepad rumble support
JOYSTICK_XPAD_LEDS = option yes; # LED Support for Xbox360 controller 'BigX' LED

KEYBOARD_APPLESPI = whenAtLeast "5.3" module;

# kexec_file_load() and kexec jump support.
# NOTE(review): no KEXEC_SIG setting is visible in this part of the file;
# confirm whether signature verification of kexec images is configured elsewhere.
KEXEC_FILE = option yes;
KEXEC_JUMP = option yes;

PARTITION_ADVANCED = yes; # Needed for LDM_PARTITION
# Windows Logical Disk Manager (Dynamic Disk) support
LDM_PARTITION = yes;
LOGIRUMBLEPAD2_FF = yes; # Logitech Rumblepad 2 force feedback
LOGO = no; # not needed
MEDIA_ATTACH = yes;
MEGARAID_NEWGEN = yes;

MLX5_CORE_EN = option yes;

NVME_MULTIPATH = yes;

# NVMe authentication support: built in for 6.0 up to 6.7, a module from 6.7 on.
# NOTE(review): presumably whenBetween excludes its upper bound, otherwise a
# 6.7 kernel would receive two different values here; confirm in lib.kernel.
NVME_AUTH = mkMerge [
  (whenBetween "6.0" "6.7" yes)
  (whenAtLeast "6.7" module)
];

# Host side: in-band authentication and TLS for NVMe over TCP (6.7 and later)
NVME_HOST_AUTH = whenAtLeast "6.7" yes;
NVME_TCP_TLS = whenAtLeast "6.7" yes;

# Target side: the same authentication/TLS features, plus passthrough
NVME_TARGET = module;
NVME_TARGET_PASSTHRU = whenAtLeast "5.9" yes;
NVME_TARGET_AUTH = whenAtLeast "6.0" yes;
NVME_TARGET_TCP_TLS = whenAtLeast "6.7" yes;

# Only on 64-bit hosts and kernels >= 4.20
PCI_P2PDMA = mkIf (stdenv.hostPlatform.is64bit && versionAtLeast version "4.20") yes;

PSI = whenAtLeast "4.20" yes;

MOUSE_ELAN_I2C_SMBUS = yes;
MOUSE_PS2_ELANTECH = yes; # Elantech PS/2 protocol extension
MOUSE_PS2_VMMOUSE = yes;
MTRR_SANITIZER = yes;
NET_FC = yes; # Fibre Channel driver support
# Needed for touchpads to work on some AMD laptops
PINCTRL_AMD = whenAtLeast "5.19" yes;
# GPIO on Intel Bay Trail, for some Chromebook internal eMMC disks
PINCTRL_BAYTRAIL = yes;
# GPIO for Braswell and Cherryview devices
# Needs to be built-in for integrated keyboards to function properly
PINCTRL_CHERRYVIEW = yes;
# 8 is default. Modern gpt tables on eMMC may go far beyond 8.
MMC_BLOCK_MINORS = freeform "32"; # free-form value, passed as the string "32"

REGULATOR = yes; # Voltage and Current Regulator Support
RC_DEVICES = option yes; # Enable IR devices
RC_DECODERS = option yes; # Required for IR devices to work

RT2800USB_RT53XX = yes;
RT2800USB_RT55XX = yes;

SCHED_AUTOGROUP = yes;
CFS_BANDWIDTH = yes;

SCSI_LOGGING = yes; # SCSI logging facility
SERIAL_8250 = yes; # 8250/16550 and compatible serial support

# Heap hardening: integrity checks on the slab freelist metadata and a
# randomised freelist order.
SLAB_FREELIST_HARDENED = yes;
SLAB_FREELIST_RANDOM = yes;

SLIP_COMPRESSED = yes; # CSLIP compressed headers
SLIP_SMART = yes;

HWMON = yes;
THERMAL_HWMON = yes; # Hardware monitoring support
NVME_HWMON = whenAtLeast "5.5" yes; # NVMe drives temperature reporting
UEVENT_HELPER = no; # legacy uevent helper support is switched off

# userfaultfd() system call.
# NOTE(review): whether unprivileged processes may use it is decided at runtime
# by the vm.unprivileged_userfaultfd sysctl, not by this file; confirm the
# value the deployed system ends up with.
USERFAULTFD = yes;
X86_CHECK_BIOS_CORRUPTION = yes;
X86_MCE = yes;

RAS = yes; # Needed for EDAC support

# Our initrd init uses shebang scripts, so can't be modular.
BINFMT_SCRIPT = yes;
# For systemd-binfmt
BINFMT_MISC = option yes;

# Required for EDID overriding
FW_LOADER = yes;
# Disable the firmware helper fallback, udev doesn't implement it any more
FW_LOADER_USER_HELPER_FALLBACK = option no;

FW_LOADER_COMPRESS = whenAtLeast "5.3" yes;
FW_LOADER_COMPRESS_ZSTD = whenAtLeast "5.19" yes;

HOTPLUG_PCI_ACPI = yes; # PCI hotplug using ACPI
HOTPLUG_PCI_PCIE = yes; # PCI-Expresscard hotplug support

# Enable AMD's ROCm GPU compute stack
# (the first two entries are additionally limited to 64-bit hosts)
HSA_AMD = mkIf stdenv.hostPlatform.is64bit (whenAtLeast "4.20" yes);
ZONE_DEVICE = mkIf stdenv.hostPlatform.is64bit (whenAtLeast "5.3" yes);
HMM_MIRROR = whenAtLeast "5.3" yes;
DRM_AMDGPU_USERPTR = whenAtLeast "5.3" yes;

# Voluntary preemption is selected; full preemption is off
PREEMPT = no;
PREEMPT_VOLUNTARY = yes;

X86_AMD_PLATFORM_DEVICE = yes;
X86_PLATFORM_DRIVERS_DELL = whenAtLeast "5.12" yes;
X86_PLATFORM_DRIVERS_HP = whenAtLeast "6.1" yes;

LIRC = yes;

SCHED_CORE = whenAtLeast "5.14" yes;

LRU_GEN = whenAtLeast "6.1" yes;
LRU_GEN_ENABLED = whenAtLeast "6.1" yes;

FSL_MC_UAPI_SUPPORT = mkIf (stdenv.hostPlatform.system == "aarch64-linux") (whenAtLeast "5.12" yes);

# Android support, all marked optional. The records are written out by hand
# (`optional`, plus `tristate` or `freeform`) instead of using `option`.
# ASHMEM and ANDROID are limited to a version window; the binder entries
# apply from 5.0 on.
ASHMEM = { optional = true; tristate = whenBetween "5.0" "5.18" "y";};
ANDROID = { optional = true; tristate = whenBetween "5.0" "5.19" "y";};
ANDROID_BINDER_IPC = { optional = true; tristate = whenAtLeast "5.0" "y";};
ANDROID_BINDERFS = { optional = true; tristate = whenAtLeast "5.0" "y";};
ANDROID_BINDER_DEVICES = { optional = true; freeform = whenAtLeast "5.0" "binder,hwbinder,vndbinder";};

TASKSTATS = yes;
TASK_DELAY_ACCT = yes;
TASK_XACCT = yes;
TASK_IO_ACCOUNTING = yes;

# Fresh toolchains frequently break -Werror build for minor issues.
WERROR = whenAtLeast "5.15" no;

# > CONFIG_KUNIT should not be enabled in a production environment. Enabling KUnit disables Kernel Address-Space Layout Randomization (KASLR), and tests may affect the state of the kernel in ways not suitable for production.
# https://www.kernel.org/doc/html/latest/dev-tools/kunit/start.html
KUNIT = whenAtLeast "5.5" no;

# Set system time from RTC on startup and resume
RTC_HCTOSYS = option yes;

# Expose watchdog information in sysfs
WATCHDOG_SYSFS = yes;

# Enable generic kernel watch queues
# See https://docs.kernel.org/core-api/watch_queue.html
WATCH_QUEUE = whenAtLeast "5.8" yes;
} // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux" || stdenv.hostPlatform.system == "aarch64-linux") {
  # NOTE: each `// optionalAttrs …` set from here on is merged into the set
  # above. `//` is right-biased, so a key repeated in a later set silently
  # replaces the earlier value; flattenKConf's duplicate check only compares
  # the already-merged topic sets with each other.

  # Enable CPU/memory hotplug support
  # Allows you to dynamically add & remove CPUs/memory to a VM client running NixOS without requiring a reboot
  ACPI_HOTPLUG_CPU = yes;
  ACPI_HOTPLUG_MEMORY = yes;
  MEMORY_HOTPLUG = yes;
  MEMORY_HOTREMOVE = yes;
  HOTPLUG_CPU = yes;
  MIGRATION = yes;
  SPARSEMEM = yes;

  # Bump the maximum number of CPUs to support systems like EC2 x1.*
  # instances and Xeon Phi.
  NR_CPUS = freeform "384";

  # Enable LEDS to display link-state status of PHY devices (i.e. eth lan/wan interfaces)
  LED_TRIGGER_PHY = whenAtLeast "4.10" yes;
} // optionalAttrs (stdenv.hostPlatform.system == "armv7l-linux" || stdenv.hostPlatform.system == "aarch64-linux") {
  # Enables support for the Allwinner Display Engine 2.0
  SUN8I_DE2_CCU = yes;

  # See comments on https://github.com/NixOS/nixpkgs/commit/9b67ea9106102d882f53d62890468071900b9647
  CRYPTO_AEGIS128_SIMD = whenAtLeast "5.4" no;

  # Distros should configure the default as a kernel option.
  # We previously defined it on the kernel command line as cma=
  # The kernel command line will override a platform-specific configuration from its device tree.
  # https://github.com/torvalds/linux/blob/856deb866d16e29bd65952e0289066f6078af773/kernel/dma/contiguous.c#L35-L44
  CMA_SIZE_MBYTES = freeform "32";

  # Add debug interfaces for CMA
  CMA_DEBUGFS = yes;
  CMA_SYSFS = yes;

  # https://docs.kernel.org/arch/arm/mem_alignment.html
  # tldr:
  # when buggy userspace code emits illegal misaligned LDM, STM,
  # LDRD and STRDs, the instructions trap, are caught, and then
  # are emulated by the kernel.
  #
  # This is the default on armv7l, anyway, but it is explicitly
  # enabled here for the sake of providing context for the
  # aarch64 compat option which follows.
  ALIGNMENT_TRAP = mkIf (stdenv.hostPlatform.system == "armv7l-linux") yes;

  # https://patchwork.kernel.org/project/linux-arm-kernel/patch/20220701135322.3025321-1-ardb@kernel.org/
  # tldr:
  # when encountering alignment faults under aarch64, this option
  # makes the kernel attempt to handle the fault by doing the
  # same style of misaligned emulation that is performed under
  # armv7l (see above option).
  #
  # This minimizes the potential for aarch32 userspace to behave
  # differently when run under aarch64 kernels compared to when
  # it is run under an aarch32 kernel.
  COMPAT_ALIGNMENT_FIXUPS = mkIf (stdenv.hostPlatform.system == "aarch64-linux") (whenAtLeast "6.1" yes);
} // optionalAttrs (versionAtLeast version "5.4" && (stdenv.hostPlatform.system == "x86_64-linux" || stdenv.hostPlatform.system == "aarch64-linux")) {
  # Required for various hardware features on Chrome OS devices
  CHROME_PLATFORMS = yes;
  CHROMEOS_TBMC = module;

  CROS_EC = module;

  CROS_EC_I2C = module;
  CROS_EC_SPI = module;
  CROS_EC_LPC = module;
  CROS_EC_ISHTP = module;

  CROS_KBD_LED_BACKLIGHT = module;

  # NOTE(review): presumably the TPM interface driver for the Cr50 chip on SPI; confirm.
  TCG_TIS_SPI_CR50 = whenAtLeast "5.5" yes;
} // optionalAttrs (versionAtLeast version "5.4" && stdenv.hostPlatform.system == "x86_64-linux") {
  CHROMEOS_LAPTOP = module;
  CHROMEOS_PSTORE = module;
} // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") {
  # Enable x86 resource control
  X86_CPU_RESCTRL = whenAtLeast "5.0" yes;

  # Enable TSX only on CPUs where it is not known to be vulnerable
  # (the same policy as the tsx=auto boot parameter)
  X86_INTEL_TSX_MODE_AUTO = yes;

  # Enable AMD Wi-Fi RF band mitigations
  # See https://cateee.net/lkddb/web-lkddb/AMD_WBRF.html
  AMD_WBRF = whenAtLeast "6.8" yes;

  # Enable Intel Turbo Boost Max 3.0
  INTEL_TURBO_MAX_3 = yes;
};

accel = {
  # Build DRM accelerator devices
  DRM_ACCEL = whenAtLeast "6.2" yes;
};
};
in
  # Collapse the per-topic sets into a single attribute set; flattenKConf
  # throws if the same option name appears in more than one topic.
  flattenKConf options