From b3dc6e35e018328a654f8669767e064f9fd7d00d Mon Sep 17 00:00:00 2001
From: Maximilian Bosch <maximilian@mbosch.me>
Date: Sat, 17 Sep 2022 15:24:40 +0200
Subject: [PATCH 1/5] linux_latest-libre: 18911 -> 18916
---
 pkgs/os-specific/linux/kernel/linux-libre.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/os-specific/linux/kernel/linux-libre.nix b/pkgs/os-specific/linux/kernel/linux-libre.nix
index f760c033683d..18f91ae78d01 100644
--- a/pkgs/os-specific/linux/kernel/linux-libre.nix
+++ b/pkgs/os-specific/linux/kernel/linux-libre.nix
@@ -1,8 +1,8 @@
 { stdenv, lib, fetchsvn, linux
 , scripts ? fetchsvn {
 url = "https://www.fsfla.org/svn/fsfla/software/linux-libre/releases/branches/";
- rev = "18911";
- sha256 = "1f5b936a7ayva2kyly3n71sg6cqdvcavcxbj3cy3imaj9247bx72";
+ rev = "18916";
+ sha256 = "0axjbr1zbj7izkvvz2nv4ij1xjjnbxpch43cpl169cr8rqdl6n6i";
 }
 , ...
 }:
From c2d301f7af8c9dd1cca195540a2132c0693687ea Mon Sep 17 00:00:00 2001
From: Maximilian Bosch <maximilian@mbosch.me>
Date: Sat, 17 Sep 2022 15:25:02 +0200
Subject: [PATCH 2/5] linux/hardened/patches/5.19: 5.19.8-hardened1 -> 5.19.8-hardened2
---
 pkgs/os-specific/linux/kernel/hardened/patches.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pkgs/os-specific/linux/kernel/hardened/patches.json b/pkgs/os-specific/linux/kernel/hardened/patches.json
index a27edf5260ec..141797bc7146 100644
--- a/pkgs/os-specific/linux/kernel/hardened/patches.json
+++ b/pkgs/os-specific/linux/kernel/hardened/patches.json
@@ -41,10 +41,10 @@
 },
 "5.19": {
 "patch": {
- "extra": "-hardened1",
- "name": "linux-hardened-5.19.8-hardened1.patch",
- "sha256": "1j7wg4hq06drxr42jl89za1f7x52d4ck5i38p4njz4j415ihsiys",
- "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.19.8-hardened1/linux-hardened-5.19.8-hardened1.patch"
+ "extra": "-hardened2",
+ "name": "linux-hardened-5.19.8-hardened2.patch",
+ "sha256": "1dfgnx2yr5d5kh2d8r7ywqkyjq1rfni2b5sdpqly0w986rlkw48k",
+ "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.19.8-hardened2/linux-hardened-5.19.8-hardened2.patch"
 },
 "sha256": "1kl7fifsa6vsm34xg3kd2svhx18n771hfj67nhwnlalmb9whhqv1",
 "version": "5.19.8"
From 80228b73e9cf9f8dd266ae58c2eeb7b554a2ddd2 Mon Sep 17 00:00:00 2001
From: Maximilian Bosch <maximilian@mbosch.me>
Date: Sat, 17 Sep 2022 15:27:58 +0200
Subject: [PATCH 3/5] linux-hardened: fix update script
We now have releases called `v5.19.x-hardened2` so make sure that the update script doesn't stumble upon this.
---
 pkgs/os-specific/linux/kernel/hardened/update.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkgs/os-specific/linux/kernel/hardened/update.py b/pkgs/os-specific/linux/kernel/hardened/update.py
index 8b40088756e1..e289a97c56ff 100755
--- a/pkgs/os-specific/linux/kernel/hardened/update.py
+++ b/pkgs/os-specific/linux/kernel/hardened/update.py
@@ -138,7 +138,7 @@ def fetch_patch(*, name: str, release_info: ReleaseInfo) -> Optional[Patch]:
 if not sig_ok:
 return None
- kernel_ver = release_info.release.tag_name.replace("-hardened1", "")
+ kernel_ver = re.sub(r"(.*)(-hardened[\d]+)$", r'\1', release_info.release.tag_name)
 major = kernel_ver.split('.')[0]
 sha256_kernel, _ = nix_prefetch_url(f"mirror://kernel/linux/kernel/v{major}.x/linux-{kernel_ver}.tar.xz")
From 073f7b179c18ec771d3a3bd06aba16a8de70dfcc Mon Sep 17 00:00:00 2001
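Review bot: The new `re.sub` on the added line leaves `kernel_ver` equal to the whole tag whenever the tag does not end in `-hardened<N>`, and that value then goes straight into the `mirror://kernel/...` fetch URL on the last context line; since `tag_name` is read from the upstream release listing, it is worth pinning the expected shape and bailing out the way the `sig_ok` check above does instead of guessing. The unused second capture group and `[\d]+` can go at the same time: `m = re.fullmatch(r"v?(\d+(?:\.\d+)*)-hardened\d+", release_info.release.tag_name)`, `if m is None: return None`, `kernel_ver = m.group(1)`. The optional `v` is there only because the commit message spells the tags `v5.19.x-hardened2`; drop it if real tags never carry it. This assumes `re` is already imported at the top of update.py, which is outside the hunk, as is the rest of `fetch_patch`.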
From: Maximilian Bosch <maximilian@mbosch.me>
Date: Sat, 17 Sep 2022 15:29:13 +0200
Subject: [PATCH 4/5] nixos/kernel-generic: build linux_5_19_hardened
---
 nixos/tests/kernel-generic.nix | 1 +
 pkgs/top-level/linux-kernels.nix | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/nixos/tests/kernel-generic.nix b/nixos/tests/kernel-generic.nix
index f34d5d607940..452c15a3a058 100644
--- a/nixos/tests/kernel-generic.nix
+++ b/nixos/tests/kernel-generic.nix
@@ -30,6 +30,7 @@ let
 linux_5_4_hardened
 linux_5_10_hardened
 linux_5_15_hardened
+ linux_5_19_hardened
 linux_testing;
 };
diff --git a/pkgs/top-level/linux-kernels.nix b/pkgs/top-level/linux-kernels.nix
index d27bda851cbd..139848b4fe97 100644
--- a/pkgs/top-level/linux-kernels.nix
+++ b/pkgs/top-level/linux-kernels.nix
@@ -244,6 +244,7 @@ in {
 linux_5_10_hardened = hardenedKernelFor kernels.linux_5_10 { };
 linux_5_15_hardened = hardenedKernelFor kernels.linux_5_15 { };
 linux_5_18_hardened = throw "linux 5.18 was removed because it has reached its end of life upstream";
+ linux_5_19_hardened = hardenedKernelFor kernels.linux_5_19 { };
 }));
 /* Linux kernel modules are inherently tied to a specific kernel. So
@@ -569,6 +570,7 @@ in {
 linux_5_10_hardened = recurseIntoAttrs (hardenedPackagesFor kernels.linux_5_10 { });
 linux_5_15_hardened = recurseIntoAttrs (hardenedPackagesFor kernels.linux_5_15 { });
 linux_5_18_hardened = throw "linux 5.18 was removed because it has reached its end of life upstream";
+ linux_5_19_hardened = recurseIntoAttrs (hardenedPackagesFor kernels.linux_5_19 { });
 linux_zen = recurseIntoAttrs (packagesFor kernels.linux_zen);
 linux_lqx = recurseIntoAttrs (packagesFor kernels.linux_lqx);
From dd6727e7b8a346f573770b5f9916914ccf919068 Mon Sep 17 00:00:00 2001
From: Maximilian Bosch <maximilian@mbosch.me>
Date: Sat, 17 Sep 2022 16:19:08 +0200
Subject: [PATCH 5/5] linux/hardened/5.19: fix build
The options GCC_PLUGIN_RANDSTRUCT{,_PERFORMANCE} have been renamed to `RANDSTRUCT_*` in 595b893e2087de306d0781795fb8ec47873596a6 since CLang is about to support this as well and thus the options had to be generalized.
Also, the file that is used to generate the seed has changed, only the reference to the file in the patch was changed on adding Linux 5.19[1]
[1] b4d0cb44975e069e926a2c8963aded9557040541
---
 pkgs/os-specific/linux/kernel/hardened/config.nix | 8 ++++++--
 pkgs/os-specific/linux/kernel/manual-config.nix | 13 ++++++++-----
 2 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix
index 0beab0725f6a..c90027f3eb14 100644
--- a/pkgs/os-specific/linux/kernel/hardened/config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened/config.nix
@@ -72,8 +72,12 @@ assert (stdenv.hostPlatform.isx86_64 -> versions.majorMinor version != "5.4");
 GCC_PLUGIN_STRUCTLEAK = whenAtLeast "4.11" yes; # A port of the PaX structleak plugin
 GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = whenAtLeast "4.14" yes; # Also cover structs passed by address
 GCC_PLUGIN_STACKLEAK = whenAtLeast "4.20" yes; # A port of the PaX stackleak plugin
- GCC_PLUGIN_RANDSTRUCT = whenAtLeast "4.13" yes; # A port of the PaX randstruct plugin
- GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenAtLeast "4.13" yes;
+ GCC_PLUGIN_RANDSTRUCT = whenBetween "4.13" "5.19" yes; # A port of the PaX randstruct plugin
+ GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenBetween "4.13" "5.19" yes;
+
+ # Same as GCC_PLUGIN_RANDSTRUCT*, but has been renamed to `RANDSTRUCT*` in 5.19.
+ RANDSTRUCT = whenAtLeast "5.19" yes;
+ RANDSTRUCT_PERFORMANCE = whenAtLeast "5.19" yes;
 # Disable various dangerous settings
 ACPI_CUSTOM_METHOD = no; # Allows writing directly to physical memory
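Review bot: The hand-off between `whenBetween "4.13" "5.19"` and `whenAtLeast "5.19"` on the changed lines is only gap- and overlap-free if `whenBetween`'s upper bound is exclusive, which the hunk does not show; a reader has to look that up in the helper, so the new comment should say it, and it could also name the upstream commit the description already cites so the rename is verifiable: `# Renamed upstream from GCC_PLUGIN_RANDSTRUCT* to RANDSTRUCT* in 5.19 (kernel commit 595b893e2087); whenBetween's upper bound is exclusive, so exactly one of the two sets applies.` Upstream 5.19 appears to model randstruct as a choice (none/full/performance) with `RANDSTRUCT` itself derived from the selected mode; if that is right, `RANDSTRUCT_PERFORMANCE = yes` is the knob that actually selects the mode and the generated .config is worth checking for it, but I have not confirmed that from these lines. The enclosing attribute set starts and ends outside the hunk.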
diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix
index 4780c959315d..1049d1c62a9f 100644
--- a/pkgs/os-specific/linux/kernel/manual-config.nix
+++ b/pkgs/os-specific/linux/kernel/manual-config.nix
@@ -131,11 +131,14 @@ let
 # the buildFlags, but that would require also patching the kernel's
 # toplevel Makefile to add a variable export. This would be likely to
 # cause future patch conflicts.
- if [ -f scripts/gcc-plugins/gen-random-seed.sh ]; then
- substituteInPlace scripts/gcc-plugins/gen-random-seed.sh \
- --replace NIXOS_RANDSTRUCT_SEED \
- $(echo ${randstructSeed}${src} ${configfile} | sha256sum | cut -d ' ' -f 1 | tr -d '\n')
- fi
+ for file in scripts/gen-randstruct-seed.sh scripts/gcc-plugins/gen-random-seed.sh; do
+ if [ -f "$file" ]; then
+ substituteInPlace "$file" \
+ --replace NIXOS_RANDSTRUCT_SEED \
+ $(echo ${randstructSeed}${src} ${configfile} | sha256sum | cut -d ' ' -f 1 | tr -d '\n')
+ break
+ fi
+ done
 patchShebangs scripts
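Review bot: When neither candidate script exists the new `for` loop falls through silently, exactly as the old `if` did, so the next time the kernel moves its seed generator a RANDSTRUCT-enabled build would quietly use whatever seed the kernel's own script produces (upstream draws it from /dev/urandom, as far as I know), making the struct layout non-reproducible with no hint in the build log; a one-line check before the loop makes that visible: `[ -f scripts/gen-randstruct-seed.sh ] || [ -f scripts/gcc-plugins/gen-random-seed.sh ] || echo "warning: no randstruct seed script found, NIXOS_RANDSTRUCT_SEED not applied"`. The two paths also deserve a comment saying why there are two, e.g. `# 5.19 moved the seed generator to scripts/gen-randstruct-seed.sh; older kernels use scripts/gcc-plugins/gen-random-seed.sh`. The enclosing preConfigure string starts before the hunk, and its trailing context may extend past this chunk.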