linux: further cleanup config after drop of 4.9

pkgs/os-specific/linux/kernel/common-config.nix

@@ -390,7 +390,7 @@ let
 
       TMPFS           = yes;
       TMPFS_POSIX_ACL = yes;
-      FS_ENCRYPTION   = if (versionAtLeast version "5.1") then yes else whenAtLeast "4.9" (option module);
+      FS_ENCRYPTION   = if (versionAtLeast version "5.1") then yes else option module;
 
       EXT2_FS_XATTR     = yes;
       EXT2_FS_POSIX_ACL = yes;
@@ -628,7 +628,6 @@ let
     media = {
       MEDIA_DIGITAL_TV_SUPPORT = yes;
       MEDIA_CAMERA_SUPPORT     = yes;
-      MEDIA_RC_SUPPORT         = whenOlder "4.14" yes;
       MEDIA_CONTROLLER         = yes;
       MEDIA_PCI_SUPPORT        = yes;
       MEDIA_USB_SUPPORT        = yes;
@@ -708,7 +707,7 @@ let
       LOCK_TORTURE_TEST        = option no;
       MTD_TESTS                = option no;
       NOTIFIER_ERROR_INJECTION = option no;
-      RCU_PERF_TEST            = whenBetween "4.13" "5.9" no;
+      RCU_PERF_TEST            = whenOlder "5.9" no;
       RCU_SCALE_TEST           = whenAtLeast "5.10" no;
       RCU_TORTURE_TEST         = option no;
       TEST_ASYNC_DRIVER_PROBE  = option no;

pkgs/os-specific/linux/kernel/hardened/config.nix

@@ -21,10 +21,6 @@ assert (stdenv.hostPlatform.isx86_64 -> versions.majorMinor version != "5.4");
   # Report BUG() conditions and kill the offending process.
   BUG = yes;
 
-  # Safer page access permissions (wrt. code injection).  Default on >=4.11.
-  DEBUG_RODATA          = whenOlder "4.11" yes;
-  DEBUG_SET_MODULE_RONX = whenOlder "4.11" yes;
-
   # Mark LSM hooks read-only after init.  SECURITY_WRITABLE_HOOKS n
   # conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
   # implicitly marks LSM hooks read-only after init.
@@ -33,10 +29,10 @@ assert (stdenv.hostPlatform.isx86_64 -> versions.majorMinor version != "5.4");
   #
   # We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the
   # config builder fails to detect that it has indeed been unset.
-  SECURITY_SELINUX_DISABLE = whenAtLeast "4.12" no;
-  SECURITY_WRITABLE_HOOKS  = whenAtLeast "4.12" (option no);
+  SECURITY_SELINUX_DISABLE = no;
+  SECURITY_WRITABLE_HOOKS  = option no;
 
-  STRICT_KERNEL_RWX = whenAtLeast "4.11" yes;
+  STRICT_KERNEL_RWX = yes;
 
   # Perform additional validation of commonly targeted structures.
   DEBUG_CREDENTIALS     = yes;
@@ -46,7 +42,7 @@ assert (stdenv.hostPlatform.isx86_64 -> versions.majorMinor version != "5.4");
   DEBUG_SG              = yes;
   SCHED_STACK_END_CHECK = yes;
 
-  REFCOUNT_FULL = whenBetween "4.13" "5.5" yes;
+  REFCOUNT_FULL = whenOlder "5.5" yes;
 
   # Randomize page allocator when page_alloc.shuffle=1
   SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;
@@ -69,11 +65,11 @@ assert (stdenv.hostPlatform.isx86_64 -> versions.majorMinor version != "5.4");
   # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
   GCC_PLUGIN_LATENT_ENTROPY = yes;
 
-  GCC_PLUGIN_STRUCTLEAK = whenAtLeast "4.11" yes; # A port of the PaX structleak plugin
-  GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = whenAtLeast "4.14" yes; # Also cover structs passed by address
+  GCC_PLUGIN_STRUCTLEAK = yes; # A port of the PaX structleak plugin
+  GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = yes; # Also cover structs passed by address
   GCC_PLUGIN_STACKLEAK = whenAtLeast "4.20" yes; # A port of the PaX stackleak plugin
-  GCC_PLUGIN_RANDSTRUCT = whenBetween "4.13" "5.19" yes; # A port of the PaX randstruct plugin
-  GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenBetween "4.13" "5.19" yes;
+  GCC_PLUGIN_RANDSTRUCT = whenOlder "5.19" yes; # A port of the PaX randstruct plugin
+  GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenOlder "5.19" yes;
 
   # Same as GCC_PLUGIN_RANDSTRUCT*, but has been renamed to `RANDSTRUCT*` in 5.19.
   RANDSTRUCT = whenAtLeast "5.19" yes;

pkgs/os-specific/linux/kernel/manual-config.nix

@@ -55,8 +55,7 @@ let
     hasAttr getAttr optional optionals optionalString optionalAttrs maintainers platforms;
 
   # Dependencies that are required to build kernel modules
-  moduleBuildDependencies = [ perl ]
-    ++ optional (lib.versionAtLeast version "4.14") libelf
+  moduleBuildDependencies = [ perl libelf ]
     ++ optional (lib.versionAtLeast version "5.13") zstd;
 
   drvAttrs = config_: kernelConf: kernelPatches: configfile:
@@ -100,7 +99,7 @@ let
       patches =
         map (p: p.patch) kernelPatches
         # Required for deterministic builds along with some postPatch magic.
-        ++ optional (lib.versionAtLeast version "4.13" && lib.versionOlder version "5.19") ./randstruct-provide-seed.patch
+        ++ optional (lib.versionOlder version "5.19") ./randstruct-provide-seed.patch
         ++ optional (lib.versionAtLeast version "5.19") ./randstruct-provide-seed-5.19.patch
         # Fixes determinism by normalizing metadata for the archive of kheaders
         ++ optional (lib.versionAtLeast version "5.2" && lib.versionOlder version "5.4") ./gen-kheaders-metadata.patch;
@@ -353,7 +352,7 @@ let
     };
 in
 
-assert (lib.versionAtLeast version "4.14" && lib.versionOlder version "5.8") -> libelf != null;
+assert lib.versionOlder version "5.8" -> libelf != null;
 assert lib.versionAtLeast version "5.8" -> elfutils != null;
 
 stdenv.mkDerivation ((drvAttrs config stdenv.hostPlatform.linux-kernel kernelPatches configfile) // {
@@ -365,7 +364,7 @@ stdenv.mkDerivation ((drvAttrs config stdenv.hostPlatform.linux-kernel kernelPat
   depsBuildBuild = [ buildPackages.stdenv.cc ];
   nativeBuildInputs = [ perl bc nettools openssl rsync gmp libmpc mpfr zstd python3Minimal ]
       ++ optional  (stdenv.hostPlatform.linux-kernel.target == "uImage") buildPackages.ubootTools
-      ++ optional  (lib.versionAtLeast version "4.14" && lib.versionOlder version "5.8") libelf
+      ++ optional  (lib.versionOlder version "5.8") libelf
       # Removed util-linuxMinimal since it should not be a dependency.
       ++ optionals (lib.versionAtLeast version "4.16") [ bison flex ]
       ++ optionals (lib.versionAtLeast version "5.2")  [ cpio pahole zlib ]