b80c3284d5
Borrowing from here to match hardened profile with more recent kernels: * https://madaidans-insecurities.github.io/guides/linux-hardening.html?#boot-parameters * https://github.com/a13xp0p0v/kernel-hardening-checker/ Removed "slub_debug" as that option disables kernel memory address hashing. You also see a big warning about this in the dmesg: "This system shows unhashed kernel memory addresses via the console, logs, and other interfaces." "init_on_alloc=1" and "init_on_free=1" zeroes all SLAB and SLUB allocations. Introduced in 6471384af2a6530696fc0203bafe4de41a23c9ef. Also the default for the Android Google kernel btw. It is on by default through the KConfig. "slab_nomerge" prevents the merging of slab/slub caches. These are effectively slab/slub pools. "LEGACY_VSYSCALL_NONE" disables the older vsyscall mechanic that relies on static address. It got superseeded by vdsos a decade ago. Read some LWN.net to learn more ;) "debugfs=off" I'm sure there are some few userspace programs that rely on debugfs, but they shouldn't. Most other things mentioned on the blog where already the default on a running machine or may not be applicable. Most other Kconfigs changes come from the kernel hardening checker and were added, when they were not applied to the kernel already. Unsure about CONFIG_STATIC_USERMODEHELPER. Would need testing. |
||
---|---|---|
.. | ||
hardened | ||
perf | ||
bridge-stp-helper.patch | ||
common-config.nix | ||
export-rt-sched-migrate.patch | ||
generate-config.pl | ||
generic.nix | ||
gpio-utils.nix | ||
htmldocs.nix | ||
kernels-org.json | ||
linux-libre.nix | ||
linux-rpi.nix | ||
linux-rt-5.4.nix | ||
linux-rt-5.10.nix | ||
linux-rt-5.15.nix | ||
linux-rt-6.1.nix | ||
mainline.nix | ||
manual-config.nix | ||
modinst-arg-list-too-long.patch | ||
mptcp-config.nix | ||
patches.nix | ||
randstruct-provide-seed-5.19.patch | ||
randstruct-provide-seed.patch | ||
README.md | ||
request-key-helper-updated.patch | ||
request-key-helper.patch | ||
rtl8761b-support.patch | ||
update-libre.sh | ||
update-mainline.py | ||
update-rt.sh | ||
update-zen.py | ||
update.sh | ||
xanmod-kernels.nix | ||
zen-kernels.nix |
How to add a new (major) version of the Linux kernel to Nixpkgs:
-
Copy the old Nix expression (e.g.,
linux-2.6.21.nix
) to the new one (e.g.,linux-2.6.22.nix
) and update it. -
Add the new kernel to the
kernels
attribute set inlinux-kernels.nix
(e.g., create an attributekernel_2_6_22
). -
Update the kernel configuration:
-
While in the Nixpkgs repository, enter the development shell for that kernel:
$ nix-shell -A linuxKernel.kernels.linux_2_6_22
-
Unpack the kernel:
[nix-shell]$ pushd $(mktemp -d) [nix-shell]$ unpackPhase
-
For each supported platform (
i686
,x86_64
,uml
) do the following:-
Make a copy from the old config (e.g.,
config-2.6.21-i686-smp
) to the new one (e.g.,config-2.6.22-i686-smp
). -
Copy the config file for this platform (e.g.,
config-2.6.22-i686-smp
) to.config
in the unpacked kernel source tree. -
Run
make oldconfig ARCH={i386,x86_64,um}
and answer all questions. (For the uml configuration, also addSHELL=bash
.) Make sure to keep the configuration consistent between platforms (i.e., don’t enable some feature oni686
and disable it onx86_64
). -
If needed, you can also run
make menuconfig
:$ nix-shell -p ncurses pkg-config $ make menuconfig ARCH=arch
-
Copy
.config
over the new config file (e.g.,config-2.6.22-i686-smp
).
-
-
-
Test building the kernel:
nix-build -A linuxKernel.kernels.kernel_2_6_22
If it compiles, ship it! For extra credit, try booting NixOS with it.
- It may be that the new kernel requires updating the external kernel modules and kernel-dependent packages listed in the
linuxPackagesFor
function inlinux-kernels.nix
(such as the NVIDIA drivers, AUFS, etc.). If the updated packages aren’t backwards compatible with older kernels, you may need to keep the older versions around.