diff --git a/nixos/modules/system/boot/kernel.nix b/nixos/modules/system/boot/kernel.nix
index 8ea05ed1468..ab919099d11 100644
--- a/nixos/modules/system/boot/kernel.nix
+++ b/nixos/modules/system/boot/kernel.nix
@@ -5,7 +5,7 @@ with lib;
 let
 inherit (config.boot) kernelPatches;
- inherit (config.boot.kernel) features;
+ inherit (config.boot.kernel) features randstructSeed;
 inherit (config.boot.kernelPackages) kernel;
 kernelModulesConf = pkgs.writeText "nixos.conf"
@@ -38,6 +38,7 @@ in
 default = pkgs.linuxPackages;
 apply = kernelPackages: kernelPackages.extend (self: super: {
 kernel = super.kernel.override {
+ inherit randstructSeed;
 kernelPatches = super.kernel.kernelPatches ++ kernelPatches;
 features = lib.recursiveUpdate super.kernel.features features;
 };
@@ -67,6 +68,19 @@ in
 description = "A list of additional patches to apply to the kernel.";
 };
+ boot.kernel.randstructSeed = mkOption {
+ type = types.str;
+ default = "";
+ example = "my secret seed";
+ description = ''
+ Provides a custom seed for the RANDSTRUCT security
+ option of the Linux kernel. Note that RANDSTRUCT is
+ only enabled in NixOS hardened kernels. Using a custom seed requires
+ building the kernel and dependent packages locally, since this
+ customization happens at build time.
+ '';
+ };
+
 boot.kernelParams = mkOption {
 type = types.listOf types.str;
 default = [ ];
@@ -298,7 +312,7 @@ in
 # !!! Should this really be needed?
 (isYes "MODULES")
 (isYes "BINFMT_ELF")
- ];
+ ] ++ (optional (randstructSeed != "") (isYes "GCC_PLUGIN_RANDSTRUCT"));
 # nixpkgs kernels are assumed to have all required features
 assertions = if config.boot.kernelPackages.kernel ? features then [] else
diff --git a/pkgs/os-specific/linux/kernel/generic.nix b/pkgs/os-specific/linux/kernel/generic.nix
index df9a628f83d..5a086612925 100644
--- a/pkgs/os-specific/linux/kernel/generic.nix
+++ b/pkgs/os-specific/linux/kernel/generic.nix
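Review bot: The description added for `boot.kernel.randstructSeed` does not tell users where the seed ends up: the value is passed through `kernel.override` into the kernel build script, so it is recorded in the kernel derivation and is readable by anyone who can read the Nix store or a binary cache the build is pushed to. RANDSTRUCT's layout randomization only helps while the seed is unknown to an attacker, so the `example = "my secret seed"` implies a secrecy that the build alone cannot guarantee. I would add to the description: `The seed is embedded in the kernel derivation, so it is visible to anyone who can read the Nix store or any binary cache the resulting build is uploaded to; keep such builds private if the seed is meant to stay secret.`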
@@ -33,6 +33,10 @@
 # NixOS to implement kernel-specific behaviour.
 features ? {}
+, # Custom seed used for CONFIG_GCC_PLUGIN_RANDSTRUCT if enabled. This is
+ # automatically extended with extra per-version and per-config values.
+ randstructSeed ? ""
+
 , # A list of patches to apply to the kernel. Each element of this list
 # should be an attribute set {name, patch} where `name' is a
 # symbolic name and `patch' is the actual patch. The patch may
@@ -162,7 +166,7 @@ let
 }; # end of configfile derivation
 kernel = (callPackage ./manual-config.nix {}) {
- inherit version modDirVersion src kernelPatches stdenv extraMeta configfile;
+ inherit version modDirVersion src kernelPatches randstructSeed stdenv extraMeta configfile;
 config = { CONFIG_MODULES = "y"; CONFIG_FW_LOADER = "m"; };
 };
diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix
index 4b570c1fe94..1512f47ade4 100644
--- a/pkgs/os-specific/linux/kernel/manual-config.nix
+++ b/pkgs/os-specific/linux/kernel/manual-config.nix
@@ -30,6 +30,9 @@ in {
 # Manually specified nixexpr representing the config
 # If unspecified, this will be autodetected from the .config
 config ? stdenv.lib.optionalAttrs allowImportFromDerivation (readConfig configfile),
+ # Custom seed used for CONFIG_GCC_PLUGIN_RANDSTRUCT if enabled. This is
+ # automatically extended with extra per-version and per-config values.
+ randstructSeed ? "",
 # Use defaultMeta // extraMeta
 extraMeta ? {},
 # Whether to utilize the controversial import-from-derivation feature to parse the config
@@ -111,7 +114,7 @@ let
 if [ -f scripts/gcc-plugins/gen-random-seed.sh ]; then
 substituteInPlace scripts/gcc-plugins/gen-random-seed.sh \
 --replace NIXOS_RANDSTRUCT_SEED \
- $(echo ${src} ${configfile} | sha256sum | cut -d ' ' -f 1 | tr -d '\n')
+ $(echo ${randstructSeed}${src} ${configfile} | sha256sum | cut -d ' ' -f 1 | tr -d '\n')
 fi
 '';
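Review bot: In the manual-config.nix `@@ -111,7` hunk, `randstructSeed` is interpolated unquoted into the builder's shell command on the `+ $(echo ${randstructSeed}${src} ...)` line, so a seed containing quotes, `$(`, backticks, a newline or runs of whitespace is mangled or interpreted by the build shell instead of being hashed verbatim; the user-facing type is a free-form `types.str`, so nothing upstream prevents such values. `stdenv.lib` is already used in this file, so the value can be escaped once at the point of use: `$(echo ${stdenv.lib.escapeShellArg randstructSeed}${src} ${configfile} | sha256sum | cut -d ' ' -f 1 | tr -d '\n')`, which leaves the hash for the default `""` unchanged. Note that only the sha256 is substituted into `gen-random-seed.sh`, but the raw seed still appears in the derivation's build script and therefore in the Nix store, which the parameter comment in the `@@ -30,6` hunk could mention. The shell snippet containing this line begins outside the hunk.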