public
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #53369 from delroth/kernel-hardening 

Re-add security features based on GCC plugins in 4.18+ hardened kernels
This commit is contained in:
Joachim F 2019-01-04 21:49:53 +00:00 committed by GitHub
parent 125befe16c 0f7ca26a48
commit 893c51bda8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 19 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
pkgs/os-specific/linux/kernel/generic.nix
View File

@ -4,6 +4,9 @@
, perl
, bison ? null
, flex ? null
, gmp ? null
, libmpc ? null
, mpfr ? null
, stdenv
, # The kernel source tarball.
@ -89,7 +92,7 @@ let
passAsFile = [ "kernelConfig" ];
depsBuildBuild = [ buildPackages.stdenv.cc ];
nativeBuildInputs = [ perl ]
nativeBuildInputs = [ perl gmp libmpc mpfr ]
++ lib.optionals (stdenv.lib.versionAtLeast version "4.16") [ bison flex ];
platformName = stdenv.hostPlatform.platform.name;
@ -112,7 +115,10 @@ let
export buildRoot="''${buildRoot:-build}"
# Get a basic config file for later refinement with $generateConfig.
make HOSTCC=${buildPackages.stdenv.cc.targetPrefix}gcc -C . O="$buildRoot" $kernelBaseConfig ARCH=$kernelArch
make -C . O="$buildRoot" $kernelBaseConfig \
ARCH=$kernelArch \
HOSTCC=${buildPackages.stdenv.cc.targetPrefix}gcc \
HOSTCXX=${buildPackages.stdenv.cc.targetPrefix}g++
# Create the config file.
echo "generating kernel configuration..."

21
pkgs/os-specific/linux/kernel/hardened-config.nix
View File

@ -103,17 +103,18 @@ PAGE_POISONING_ZERO y
PANIC_ON_OOPS y
PANIC_TIMEOUT -1
${optionalString (versionOlder version "4.18") ''
GCC_PLUGINS y # Enable gcc plugin options
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
GCC_PLUGIN_LATENT_ENTROPY y
GCC_PLUGINS y # Enable gcc plugin options
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
GCC_PLUGIN_LATENT_ENTROPY y
${optionalString (versionAtLeast version "4.11") ''
GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
''}
${optionalString (versionAtLeast version "4.14") ''
GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y # Also cover structs passed by address
''}
${optionalString (versionAtLeast version "4.11") ''
GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
''}
${optionalString (versionAtLeast version "4.14") ''
GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y # Also cover structs passed by address
''}
${optionalString (versionAtLeast version "4.20") ''
GCC_PLUGIN_STACKLEAK y # A port of the PaX stackleak plugin
''}
# Disable various dangerous settings