nixpkgs/pkgs/os-specific/linux/kernel
Tamara Schmitz b80c3284d5
nixos/hardened: update hardened profile to new recommendations
Borrowing from here to match hardened profile with more recent kernels:
* https://madaidans-insecurities.github.io/guides/linux-hardening.html?#boot-parameters
* https://github.com/a13xp0p0v/kernel-hardening-checker/

Removed "slub_debug" as that option disables kernel memory address
hashing. You also see a big warning about this in the dmesg:
"This system shows unhashed kernel memory addresses via the console, logs, and other interfaces."

"init_on_alloc=1" and "init_on_free=1" zeroes all SLAB and SLUB allocations. Introduced in 6471384af2a6530696fc0203bafe4de41a23c9ef. Also the default for the Android Google kernel btw. It is on by default through the KConfig.

"slab_nomerge" prevents the merging of slab/slub caches. These are
effectively slab/slub pools.

"LEGACY_VSYSCALL_NONE" disables the older vsyscall mechanic that relies on
a static address. It got superseded by vDSOs a decade ago. Read some
LWN.net to learn more ;)

"debugfs=off" I'm sure there are some few userspace programs that rely on
debugfs, but they shouldn't.

Most other things mentioned on the blog were already the default on a
running machine or may not be applicable.

Most other Kconfig changes come from the kernel hardening checker and
were added when they were not applied to the kernel already.

Unsure about CONFIG_STATIC_USERMODEHELPER. Would need testing.
2024-01-27 20:43:58 +00:00
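As an added example (not part of this commit or of nixpkgs), a POSIX shell audit that checks a kernel command line for the boot parameters discussed in the commit message and flags any remaining `slub_debug`; the parameter list and the two sample command lines are constructed here.

```shell
# Added example, not part of this commit or of nixpkgs: audit a kernel command
# line for the boot parameters discussed above. Takes the line as an argument so
# it runs offline; on a live machine pass "$(cat /proc/cmdline)".

# Parameters the commit adds; the list itself is an assumption made here.
WANTED="init_on_alloc=1 init_on_free=1 slab_nomerge debugfs=off"

# has_param CMDLINE PARAM: true when PARAM appears as a whole word in CMDLINE.
has_param() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_cmdline CMDLINE: print one finding per line; return 0 if nothing to fix.
audit_cmdline() {
    _rc=0
    for p in $WANTED; do
        if ! has_param "$1" "$p"; then
            echo "MISSING: $p"
            _rc=1
        fi
    done
    # slub_debug in any form disables kernel address hashing, which the commit
    # warns about, so report it whether bare or with a flag string.
    for word in $1; do
        case $word in
            slub_debug|slub_debug=*)
                echo "REMOVE: $word (disables kernel address hashing)"
                _rc=1 ;;
        esac
    done
    return $_rc
}

# Constructed sample command lines: one hardened, one still carrying slub_debug.
GOOD="BOOT_IMAGE=/kernel init=/init init_on_alloc=1 init_on_free=1 slab_nomerge debugfs=off"
BAD="BOOT_IMAGE=/kernel init=/init slub_debug=FZ init_on_alloc=1"

audit_cmdline "$GOOD" && echo "hardened line: OK"
audit_cmdline "$BAD" || echo "second line needs changes"
```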
hardened nixos/hardened: update hardened profile to new recommendations 2024-01-27 20:43:58 +00:00
perf perf: enable perf stat evens supported by libpfm 2023-08-19 13:09:17 +01:00
bridge-stp-helper.patch
common-config.nix Merge master into staging-next 2024-01-23 00:02:30 +00:00
export-rt-sched-migrate.patch
generate-config.pl
generic.nix Merge master into staging-next 2024-01-22 18:00:55 +00:00
gpio-utils.nix
htmldocs.nix
kernels-org.json linux_6_1: 6.1.74 -> 6.1.75 2024-01-26 01:43:12 +01:00
linux-libre.nix linux_latest-libre: 19459 -> 19473 2024-01-09 13:42:19 +01:00
linux-rpi.nix linux-rpi: 6.1.21-1.20230405 -> 6.1.63-stable_20231123 2023-12-30 19:37:08 +07:00
linux-rt-5.4.nix linux-rt_5_4: 5.4.257-rt87 -> 5.4.264-rt88 2024-01-05 21:23:34 +03:00
linux-rt-5.10.nix linux-rt_5_10: 5.10.201-rt98 -> 5.10.204-rt100 2023-12-28 21:40:47 +01:00
linux-rt-5.15.nix linux-rt_5_15: 5.15.141-rt72 -> 5.15.145-rt73 2024-01-05 21:23:02 +03:00
linux-rt-6.1.nix linux-rt_6_1: 6.1.70-rt21 -> 6.1.73-rt22 2024-01-20 14:59:30 +03:00
mainline.nix linux: more update-script cleanups/fixes 2023-09-22 16:09:59 +03:00
manual-config.nix linux_latest: optionally build Linux 6.7 and onwards with rust support 2024-01-12 20:28:46 +01:00
modinst-arg-list-too-long.patch
mptcp-config.nix
patches.nix linux/patches: remove cpu-cgroup-v2 2023-10-15 01:19:36 +02:00
randstruct-provide-seed-5.19.patch
randstruct-provide-seed.patch
README.md doc: update the kernel config documentation to use nix-shell (#265057) 2024-01-08 12:10:41 +01:00
request-key-helper-updated.patch
request-key-helper.patch
rtl8761b-support.patch
update-libre.sh
update-mainline.py linux: ignore kernel branches older than min supported branch 2024-01-02 18:43:41 +01:00
update-rt.sh
update-zen.py
update.sh linux: rewrite updater-script, make data-driven 2023-09-22 10:38:44 +03:00
xanmod-kernels.nix linux_xanmod_latest: 6.6.10 -> 6.6.13 2024-01-21 17:08:45 +08:00
zen-kernels.nix linuxKernel.kernels.linux_lqx: 6.7.1-lqx1 -> 6.7.2-lqx1 2024-01-26 22:17:51 +01:00

How to add a new (major) version of the Linux kernel to Nixpkgs:

  1. Copy the old Nix expression (e.g., linux-2.6.21.nix) to the new one (e.g., linux-2.6.22.nix) and update it.

  2. Add the new kernel to the kernels attribute set in linux-kernels.nix (e.g., create an attribute kernel_2_6_22).

  3. Update the kernel configuration:

    1. While in the Nixpkgs repository, enter the development shell for that kernel:

      $ nix-shell -A linuxKernel.kernels.linux_2_6_22
      
    2. Unpack the kernel:

      [nix-shell]$ pushd $(mktemp -d)
      [nix-shell]$ unpackPhase
      
    3. For each supported platform (i686, x86_64, uml) do the following:

      1. Make a copy from the old config (e.g., config-2.6.21-i686-smp) to the new one (e.g., config-2.6.22-i686-smp).

      2. Copy the config file for this platform (e.g., config-2.6.22-i686-smp) to .config in the unpacked kernel source tree.

      3. Run make oldconfig ARCH={i386,x86_64,um} and answer all questions. (For the uml configuration, also add SHELL=bash.) Make sure to keep the configuration consistent between platforms (i.e., don't enable some feature on i686 and disable it on x86_64).

      4. If needed, you can also run make menuconfig:

        $ nix-shell -p ncurses pkg-config
        $ make menuconfig ARCH=arch
        
      5. Copy .config over the new config file (e.g., config-2.6.22-i686-smp).

  4. Test building the kernel:

      nix-build -A linuxKernel.kernels.kernel_2_6_22

    If it compiles, ship it! For extra credit, try booting NixOS with it.

  5. It may be that the new kernel requires updating the external kernel modules and kernel-dependent packages listed in the linuxPackagesFor function in linux-kernels.nix (such as the NVIDIA drivers, AUFS, etc.). If the updated packages aren't backwards compatible with older kernels, you may need to keep the older versions around.
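As an added example (not nixpkgs' own tooling), a POSIX shell helper for the consistency check in step 3.3.3: it normalizes two kernel .config files and lists every option whose value differs between platforms, so a feature enabled on one and disabled on the other stands out before the configs are committed. The two sample config files are constructed here.

```shell
# Added example, not nixpkgs code: compare two kernel .config files and list
# the options that differ, so per-platform configs can be kept consistent.
LC_ALL=C; export LC_ALL
TAB=$(printf '\t')

# normalize FILE: emit "NAME<TAB>VALUE" per option, with "# CONFIG_X is not set"
# rendered as value "n", sorted by name so the two sides can be joined.
normalize() {
    awk '
        /^# CONFIG_[A-Za-z0-9_]+ is not set$/ { print $2 "\tn"; next }
        /^CONFIG_[A-Za-z0-9_]+=/ {
            # split at the first "=" only; values like CONFIG_CMDLINE may contain "="
            eq = index($0, "=")
            print substr($0, 1, eq - 1) "\t" substr($0, eq + 1)
        }' "$1" | sort -t "$TAB" -k1,1
}

# kconfig_diff A B: print "NAME: valueA | valueB" for each option that differs;
# an option absent on one side is shown as "-".
kconfig_diff() {
    a=$(mktemp); b=$(mktemp)
    normalize "$1" > "$a"
    normalize "$2" > "$b"
    join -t "$TAB" -a1 -a2 -e - -o 0,1.2,2.2 "$a" "$b" \
        | awk -F "$TAB" '$2 != $3 { printf "%s: %s | %s\n", $1, $2, $3 }'
    rm -f "$a" "$b"
}

# Constructed sample configs standing in for the i686 and x86_64 config files.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/config-i686" <<'EOF'
CONFIG_SMP=y
CONFIG_STACKPROTECTOR_STRONG=y
# CONFIG_DEBUG_FS is not set
CONFIG_CMDLINE="init_on_alloc=1"
CONFIG_NR_CPUS=8
EOF
cat > "$SAMPLE_DIR/config-x86_64" <<'EOF'
CONFIG_SMP=y
# CONFIG_STACKPROTECTOR_STRONG is not set
# CONFIG_DEBUG_FS is not set
CONFIG_CMDLINE="init_on_alloc=1"
CONFIG_NR_CPUS=64
CONFIG_X86_64=y
EOF

kconfig_diff "$SAMPLE_DIR/config-i686" "$SAMPLE_DIR/config-x86_64"
```

Options that legitimately differ per platform (such as CONFIG_NR_CPUS above) are listed too; the operator decides which differences are intentional.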