Merge pull request #53369 from delroth/kernel-hardening

Re-add security features based on GCC plugins in 4.18+ hardened kernels

pkgs/os-specific/linux/kernel/generic.nix

@@ -4,6 +4,9 @@
 , perl
 , bison ? null
 , flex ? null
+, gmp ? null
+, libmpc ? null
+, mpfr ? null
 , stdenv
 
 , # The kernel source tarball.
@@ -89,7 +92,7 @@ let
     passAsFile = [ "kernelConfig" ];
 
     depsBuildBuild = [ buildPackages.stdenv.cc ];
-    nativeBuildInputs = [ perl ]
+    nativeBuildInputs = [ perl gmp libmpc mpfr ]
       ++ lib.optionals (stdenv.lib.versionAtLeast version "4.16") [ bison flex ];
 
     platformName = stdenv.hostPlatform.platform.name;
@@ -112,7 +115,10 @@ let
       export buildRoot="''${buildRoot:-build}"
 
       # Get a basic config file for later refinement with $generateConfig.
-      make HOSTCC=${buildPackages.stdenv.cc.targetPrefix}gcc -C . O="$buildRoot" $kernelBaseConfig ARCH=$kernelArch
+      make -C .  O="$buildRoot" $kernelBaseConfig \
+          ARCH=$kernelArch \
+          HOSTCC=${buildPackages.stdenv.cc.targetPrefix}gcc \
+          HOSTCXX=${buildPackages.stdenv.cc.targetPrefix}g++
 
       # Create the config file.
       echo "generating kernel configuration..."

pkgs/os-specific/linux/kernel/hardened-config.nix

@@ -103,7 +103,6 @@ PAGE_POISONING_ZERO y
 PANIC_ON_OOPS y
 PANIC_TIMEOUT -1
 
-${optionalString (versionOlder version "4.18") ''
 GCC_PLUGINS y # Enable gcc plugin options
 # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
 GCC_PLUGIN_LATENT_ENTROPY y
@@ -114,6 +113,8 @@ ${optionalString (versionOlder version "4.18") ''
 ${optionalString (versionAtLeast version "4.14") ''
   GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y # Also cover structs passed by address
 ''}
+${optionalString (versionAtLeast version "4.20") ''
+  GCC_PLUGIN_STACKLEAK y # A port of the PaX stackleak plugin
 ''}
 
 # Disable various dangerous settings