nixos kernel.nix: add an option to customize the kernel RANDSTRUCT seed
This commit is contained in:
parent
a258015d3a
commit
8769d2d58c
1 changed files with 16 additions and 2 deletions
|
@ -5,7 +5,7 @@ with lib;
|
||||||
let
|
let
|
||||||
|
|
||||||
inherit (config.boot) kernelPatches;
|
inherit (config.boot) kernelPatches;
|
||||||
inherit (config.boot.kernel) features;
|
inherit (config.boot.kernel) features randstructSeed;
|
||||||
inherit (config.boot.kernelPackages) kernel;
|
inherit (config.boot.kernelPackages) kernel;
|
||||||
|
|
||||||
kernelModulesConf = pkgs.writeText "nixos.conf"
|
kernelModulesConf = pkgs.writeText "nixos.conf"
|
||||||
|
@ -38,6 +38,7 @@ in
|
||||||
default = pkgs.linuxPackages;
|
default = pkgs.linuxPackages;
|
||||||
apply = kernelPackages: kernelPackages.extend (self: super: {
|
apply = kernelPackages: kernelPackages.extend (self: super: {
|
||||||
kernel = super.kernel.override {
|
kernel = super.kernel.override {
|
||||||
|
inherit randstructSeed;
|
||||||
kernelPatches = super.kernel.kernelPatches ++ kernelPatches;
|
kernelPatches = super.kernel.kernelPatches ++ kernelPatches;
|
||||||
features = lib.recursiveUpdate super.kernel.features features;
|
features = lib.recursiveUpdate super.kernel.features features;
|
||||||
};
|
};
|
||||||
|
@ -67,6 +68,19 @@ in
|
||||||
description = "A list of additional patches to apply to the kernel.";
|
description = "A list of additional patches to apply to the kernel.";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
boot.kernel.randstructSeed = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "";
|
||||||
|
example = "my secret seed";
|
||||||
|
description = ''
|
||||||
|
Provides a custom seed for the <varname>RANDSTRUCT</varname> security
|
||||||
|
option of the Linux kernel. Note that <varname>RANDSTRUCT</varname> is
|
||||||
|
only enabled in NixOS hardened kernels. Using a custom seed requires
|
||||||
|
building the kernel and dependent packages locally, since this
|
||||||
|
customization happens at build time.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
boot.kernelParams = mkOption {
|
boot.kernelParams = mkOption {
|
||||||
type = types.listOf types.str;
|
type = types.listOf types.str;
|
||||||
default = [ ];
|
default = [ ];
|
||||||
|
@ -298,7 +312,7 @@ in
|
||||||
# !!! Should this really be needed?
|
# !!! Should this really be needed?
|
||||||
(isYes "MODULES")
|
(isYes "MODULES")
|
||||||
(isYes "BINFMT_ELF")
|
(isYes "BINFMT_ELF")
|
||||||
];
|
] ++ (optional (randstructSeed != "") (isYes "GCC_PLUGIN_RANDSTRUCT"));
|
||||||
|
|
||||||
# nixpkgs kernels are assumed to have all required features
|
# nixpkgs kernels are assumed to have all required features
|
||||||
assertions = if config.boot.kernelPackages.kernel ? features then [] else
|
assertions = if config.boot.kernelPackages.kernel ? features then [] else
|
||||||
|
|
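Review bot: The description of the new `boot.kernel.randstructSeed` option (third hunk) should state that the seed is not confidential once used: it is handed to `super.kernel.override` via `inherit randstructSeed;` in the second hunk, so it presumably becomes a derivation input recorded in the kernel's `.drv` and build environment in the world-readable Nix store, and travels with the result to any binary cache it is pushed to. The line `example = "my secret seed";` reinforces the opposite reading; I would change it to `example = "my custom seed";` and append to the description `The seed is stored in the Nix store as part of the kernel derivation and should not be treated as secret from users of that store or of a binary cache it is pushed to.` Readers who rely on struct-layout randomization for defence in depth need this to decide where such a kernel may be built and distributed.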