From 19b2efbc3921c967d8260bf246391a93aed30874 Mon Sep 17 00:00:00 2001 From: Michael Weiss Date: Mon, 8 Jun 2020 17:01:58 +0200 Subject: [PATCH 1/2] linux_5_7: init at 5.7.1 Changes: - Copied linux-5.7.nix from linux-5.6.nix - Add linux_5_7 and linuxPackages_5_7 - Update linux_latest to 5.7 Note: The kernel patch 'kernelPatches.export_kernel_fpu_functions."5.3"' is still applied as I copied the list from linux_5_7 (vs. linux_testing). This patch is probably still required for the ZFS performance. --- pkgs/os-specific/linux/kernel/linux-5.7.nix | 18 ++++++++++++++++++ pkgs/top-level/all-packages.nix | 11 ++++++++++- 2 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 pkgs/os-specific/linux/kernel/linux-5.7.nix
diff --git a/pkgs/os-specific/linux/kernel/linux-5.7.nix b/pkgs/os-specific/linux/kernel/linux-5.7.nix
new file mode 100644
index 00000000000..81f4d4b3553
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/linux-5.7.nix
@@ -0,0 +1,18 @@
+{ stdenv, buildPackages, fetchurl, perl, buildLinux, modDirVersionArg ? null, ... } @ args:
+
+with stdenv.lib;
+
+buildLinux (args // rec {
+ version = "5.7.1";
+
+ # modDirVersion needs to be x.y.z, will automatically add .0 if needed
+ modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
+
+ # branchVersion needs to be x.y
+ extraMeta.branch = versions.majorMinor version;
+
+ src = fetchurl {
+ url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
+ sha256 = "1vcxrrb2i4366iciw0mfahwbdrzmhrrsr7gi4vdkzznfv2niils0";
+ };
+} // (args.argsOverride or {}))
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 6d3741cae39..6558f59ef63 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -16906,6 +16906,14 @@ in ]; }; + linux_5_7 = callPackage ../os-specific/linux/kernel/linux-5.7.nix { + kernelPatches = [ + kernelPatches.bridge_stp_helper + kernelPatches.request_key_helper + kernelPatches.export_kernel_fpu_functions."5.3" + ]; + }; + linux_testing = callPackage ../os-specific/linux/kernel/linux-testing.nix { kernelPatches = [ kernelPatches.bridge_stp_helper @@ -17118,7 +17126,7 @@ in linux = linuxPackages.kernel; # Update this when adding the newest kernel major version! - linuxPackages_latest = linuxPackages_5_6; + linuxPackages_latest = linuxPackages_5_7; linux_latest = linuxPackages_latest.kernel; # Build the kernel modules for the some of the kernels. @@ -17133,6 +17141,7 @@ in linuxPackages_4_19 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_4_19); linuxPackages_5_4 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_5_4); linuxPackages_5_6 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_5_6); + linuxPackages_5_7 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_5_7); # When adding to this list: # - Update linuxPackages_latest to the latest version From 551a9887e2852f0908adcc3a4cc8b15c290af0c0 Mon Sep 17 00:00:00 2001 
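Review bot: The new `linux_5_7` entry carries `kernelPatches.export_kernel_fpu_functions."5.3"` over from the 5.6 patch list with nothing in the tree recording that it is unverified for 5.7; the commit message only calls it "probably still required", and a reader of all-packages.nix never sees that message. I would put the caveat next to the entry, e.g. `# TODO: confirm export_kernel_fpu_functions."5.3" still applies to and is needed on 5.7 (ZFS performance)`, so the next major bump does not inherit it blindly and the patch gets re-evaluated rather than copied again. The `linuxPackages_latest` bump and the `linuxPackages_5_7` addition in the other two hunks on this line are mechanical. The enclosing attribute set starts and ends outside the hunk.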
From: Michael Weiss Date: Tue, 9 Jun 2020 15:39:32 +0200 Subject: [PATCH 2/2] hardenedLinuxPackagesFor: Make it possible to delay major updates This adds an abstraction/hack to update the latest hardened kernel independent of linux_latest, which is required as the hardened patches aren't immediately available ([0] currently doesn't exist). Currently the Linux hardened patches aren't even available for 5.7 which was released on 2020-05-31 (already 9 days ago!). Therefore it is required to keep both linuxPackages_latest_hardened and linuxPackages_latest_xen_dom0_hardened at 5.6 until the patches for 5.7 are released. This abstraction makes that task more manageable but we should aim for a better solution to resolve this or at least a cleaner and more robust implementation (in the sense of better error messages). [0]: https://github.com/anthraxx/linux-hardened/releases/tag/5.7.1.a --- pkgs/top-level/all-packages.nix | 35 +++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 15 deletions(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 6558f59ef63..4a022868fde 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -17126,6 +17126,7 @@ in linux = linuxPackages.kernel; # Update this when adding the newest kernel major version! + # And update linux_latest_for_hardened below if the patches are already available linuxPackages_latest = linuxPackages_5_7; linux_latest = linuxPackages_latest.kernel; 
@@ -17176,28 +17177,32 @@ in linuxPackages_latest_xen_dom0 = recurseIntoAttrs (linuxPackagesFor (pkgs.linux_latest.override { features.xen_dom0=true; })); - # Hardened linux - hardenedLinuxPackagesFor = kernel: linuxPackagesFor (kernel.override { - structuredExtraConfig = import ../os-specific/linux/kernel/hardened/config.nix { - inherit stdenv; - inherit (kernel) version; - }; - kernelPatches = kernel.kernelPatches ++ [ - kernelPatches.tag_hardened - kernelPatches.hardened.${kernel.meta.branch} - ]; - modDirVersionArg = kernel.modDirVersion + "-hardened"; + # Hardened Linux + hardenedLinuxPackagesFor = kernel': overrides: + let # Note: We use this hack since the hardened patches can lag behind and we don't want to delay updates: + linux_latest_for_hardened = pkgs.linux_5_6; # TODO: Update to linux_latest + kernel = (if kernel' == pkgs.linux_latest then linux_latest_for_hardened else kernel').override overrides; + in linuxPackagesFor (kernel.override { + structuredExtraConfig = import ../os-specific/linux/kernel/hardened/config.nix { + inherit stdenv; + inherit (kernel) version; + }; + kernelPatches = kernel.kernelPatches ++ [ + kernelPatches.tag_hardened + kernelPatches.hardened.${kernel.meta.branch} + ]; + modDirVersionArg = kernel.modDirVersion + "-hardened"; }); - linuxPackages_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux); + linuxPackages_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux { }); linux_hardened = linuxPackages_hardened.kernel; - linuxPackages_latest_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux_latest); + linuxPackages_latest_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux_latest { }); linux_latest_hardened = linuxPackages_latest_hardened.kernel; - linuxPackages_xen_dom0_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor (pkgs.linux.override { features.xen_dom0=true; })); + linuxPackages_xen_dom0_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux { 
features.xen_dom0=true; }); - linuxPackages_latest_xen_dom0_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor (pkgs.linux_latest.override { features.xen_dom0=true; })); + linuxPackages_latest_xen_dom0_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux_latest { features.xen_dom0=true; }); # Hardkernel (Odroid) kernels. linuxPackages_hardkernel_4_14 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_hardkernel_4_14);
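Review bot: The pin `linux_latest_for_hardened = pkgs.linux_5_6` has no expiry, so once `kernelPatches.hardened."5.7"` is added nothing in evaluation flags that linuxPackages_latest_hardened is still built from the older branch; the `# TODO` comment is the only reminder. Because the hardened patches are already keyed by `kernel.meta.branch` a few lines below, the pin can be made self-expiring with an assertion in the same `let`, e.g. `kernel = assert linux_latest_for_hardened == pkgs.linux_latest || !(builtins.hasAttr pkgs.linux_latest.meta.branch kernelPatches.hardened); (if kernel' == pkgs.linux_latest then linux_latest_for_hardened else kernel').override overrides;`, so evaluation fails at exactly the commit that makes the hack unnecessary (this assumes kernelPatches.hardened is a plain attrset keyed by branch, as its use in this hunk suggests). The `kernel' == pkgs.linux_latest` test also deserves a comment: as far as I know Nix compares derivations by output path, so only the unmodified linux_latest hits the pin, and a caller passing an already-`.override`d variant directly would get the unpatched major and then fail on the missing `kernelPatches.hardened."5.7"` attribute — which is presumably why the new `overrides` parameter exists, and the `let # Note:` comment should say that the kernel must be passed unmodified. The enclosing attribute set continues outside the hunk.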