Merge staging-next into staging

2021-01-08 06:29:07 +00:00
parent 4a580eb51b 67bbf2c845
commit 18280919d6
68 changed files with 1101 additions and 942 deletions
--- a/pkgs/os-specific/linux/kernel/hardened/patches.json
+++ b/pkgs/os-specific/linux/kernel/hardened/patches.json
@@ -1,25 +1,30 @@
 {
    "4.14": {
+        "extra": "",
        "name": "linux-hardened-4.14.213.a.patch",
        "sha256": "0lkjgg6cbsaiypxij7p00q3y094qf0h172hc2p7wgy39777b45a7",
        "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.213.a/linux-hardened-4.14.213.a.patch"
    },
    "4.19": {
+        "extra": ".a",
        "name": "linux-hardened-4.19.165.a.patch",
        "sha256": "06v34jaj4jg6f3v05wbkkfnr69ahxqyyq0gam4ma3wgm74x6cf3s",
        "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.165.a/linux-hardened-4.19.165.a.patch"
    },
    "5.10": {
+        "extra": ".a",
        "name": "linux-hardened-5.10.5.a.patch",
        "sha256": "1fq2n60brhi6wjazkdgj2aqc4maskvlymbznl03hvj0x5kahjxvx",
        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.5.a/linux-hardened-5.10.5.a.patch"
    },
    "5.4": {
+        "extra": ".a",
        "name": "linux-hardened-5.4.87.a.patch",
        "sha256": "01hpww6lm00iry8z4z86hh86x66h3xbmxknxhmmhh2zwz6ahkmfd",
        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.87.a/linux-hardened-5.4.87.a.patch"
    },
    "5.9": {
+        "extra": "",
        "name": "linux-hardened-5.9.16.a.patch",
        "sha256": "024wdzc9bwgr4nd4z0l6bazcl35jczhsmdl2lb26bvffjwg207rw",
        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.9.16.a/linux-hardened-5.9.16.a.patch"
--- a/pkgs/os-specific/linux/kernel/hardened/update.py
+++ b/pkgs/os-specific/linux/kernel/hardened/update.py
@@ -31,7 +31,7 @@ VersionComponent = Union[int, str]
 Version = List[VersionComponent]


-Patch = TypedDict("Patch", {"name": str, "url": str, "sha256": str})
+Patch = TypedDict("Patch", {"name": str, "url": str, "sha256": str, "extra": str})


@dataclass
@@ -99,7 +99,10 @@ def verify_openpgp_signature(
            return False


-def fetch_patch(*, name: str, release: GitRelease) -> Optional[Patch]:
+def fetch_patch(*, name: str, release_info: ReleaseInfo) -> Optional[Patch]:
+    release = release_info.release
+    extra = f'.{release_info.version[-1]}'
+
    def find_asset(filename: str) -> str:
        try:
            it: Iterator[str] = (
@@ -130,7 +133,7 @@ def fetch_patch(*, name: str, release: GitRelease) -> Optional[Patch]:
    if not sig_ok:
        return None

-    return Patch(name=patch_filename, url=patch_url, sha256=sha256)
+    return Patch(name=patch_filename, url=patch_url, sha256=sha256, extra=extra)


 def parse_version(version_str: str) -> Version:
@@ -252,7 +255,7 @@ for kernel_key in sorted(releases.keys()):
        update = True

    if update:
-        patch = fetch_patch(name=name, release=release)
+        patch = fetch_patch(name=name, release_info=release_info)
        if patch is None:
            failures = True
        else:
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -41,7 +41,8 @@
  hardened = let
    mkPatch = kernelVersion: src: {
      name = lib.removeSuffix ".patch" src.name;
-      patch = fetchurl src;
+      patch = fetchurl (lib.filterAttrs (k: v: k != "extra") src);
+      extra = src.extra;
    };
    patches = builtins.fromJSON (builtins.readFile ./hardened/patches.json);
  in lib.mapAttrs mkPatch patches;