nixos kernel.nix: add an option to customize the kernel RANDSTRUCT seed
This commit is contained in:
parent
a258015d3a
commit
8769d2d58c
1 changed files with 16 additions and 2 deletions
|
@ -5,7 +5,7 @@ with lib;
|
|||
let
|
||||
|
||||
inherit (config.boot) kernelPatches;
|
||||
inherit (config.boot.kernel) features;
|
||||
inherit (config.boot.kernel) features randstructSeed;
|
||||
inherit (config.boot.kernelPackages) kernel;
|
||||
|
||||
kernelModulesConf = pkgs.writeText "nixos.conf"
|
||||
|
@ -38,6 +38,7 @@ in
|
|||
default = pkgs.linuxPackages;
|
||||
apply = kernelPackages: kernelPackages.extend (self: super: {
|
||||
kernel = super.kernel.override {
|
||||
inherit randstructSeed;
|
||||
kernelPatches = super.kernel.kernelPatches ++ kernelPatches;
|
||||
features = lib.recursiveUpdate super.kernel.features features;
|
||||
};
|
||||
|
@ -67,6 +68,19 @@ in
|
|||
description = "A list of additional patches to apply to the kernel.";
|
||||
};
|
||||
|
||||
boot.kernel.randstructSeed = mkOption {
|
||||
type = types.str;
|
||||
default = "";
|
||||
example = "my secret seed";
|
||||
description = ''
|
||||
Provides a custom seed for the <varname>RANDSTRUCT</varname> security
|
||||
option of the Linux kernel. Note that <varname>RANDSTRUCT</varname> is
|
||||
only enabled in NixOS hardened kernels. Using a custom seed requires
|
||||
building the kernel and dependent packages locally, since this
|
||||
customization happens at build time.
|
||||
'';
|
||||
};
|
||||
|
||||
boot.kernelParams = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ ];
|
||||
|
@ -298,7 +312,7 @@ in
|
|||
# !!! Should this really be needed?
|
||||
(isYes "MODULES")
|
||||
(isYes "BINFMT_ELF")
|
||||
];
|
||||
] ++ (optional (randstructSeed != "") (isYes "GCC_PLUGIN_RANDSTRUCT"));
|
||||
|
||||
# nixpkgs kernels are assumed to have all required features
|
||||
assertions = if config.boot.kernelPackages.kernel ? features then [] else
|
||||
|
|
Loading…
Reference in a new issue