From f48b51e12ea086b1ee5517ecd8e1d991f3b48207 Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Fri, 8 Oct 2021 23:17:40 +0200 Subject: [PATCH 1/2] linux: create maintainer team Now there are a few more folks who should get pinged on kernel changes: $ nix-instantiate -E 'with import ./. {}; (map (x: x.github) linux.meta.maintainers)' --eval --strict [ "TredwellGit" "mweinelt" "ma27" "nequissimus" "alyssais" "thoughtpolice" ] Refs #140281 (cherry picked from commit 65930caffe78ccd3c0e4f00bfd79123fcba9e444) --- maintainers/team-list.nix | 10 ++++++++++ pkgs/os-specific/linux/kernel/manual-config.nix | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/maintainers/team-list.nix b/maintainers/team-list.nix index a0bbc4d4383..fb17cb6490c 100644 --- a/maintainers/team-list.nix +++ b/maintainers/team-list.nix @@ -142,6 +142,16 @@ with lib.maintainers; { scope = "Maintain Kodi and related packages."; }; + linux-kernel = { + members = [ + TredwellGit + ma27 + nequissimus + qyliss + ]; + scope = "Maintain the Linux kernel."; + }; + matrix = { members = [ ma27 diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix index f874762267a..03a11bdf97d 100644 --- a/pkgs/os-specific/linux/kernel/manual-config.nix +++ b/pkgs/os-specific/linux/kernel/manual-config.nix @@ -288,7 +288,7 @@ let license = lib.licenses.gpl2Only; homepage = "https://www.kernel.org/"; repositories.git = "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git"; - maintainers = [ + maintainers = lib.teams.linux-kernel.members ++ [ maintainers.thoughtpolice ]; platforms = platforms.linux; From f47c57802ec32d28f4e524faa86bbf6905a6347b Mon Sep 17 00:00:00 2001 
From: Maximilian Bosch Date: Sat, 9 Oct 2021 14:48:27 +0200 Subject: [PATCH 2/2] linux: build hardened kernel with matching releases Until now we merged kernel updates even if no hardened versions were available yet. On one hand we don't want to delay patch-level updates, on the other hand users of hardened kernels have frequent breakage now[1]. This change aims to provide a solution to this issue: * The hardened patchset now references the kernel version it's released for (including a sha256 hash for the fixed-output path of the source tarball). * The `hardenedKernelFor`-function doesn't just append hardened patches now, but also overrides version & src to match the kernel version the patch was built & tested for. Refs #140281 [1] https://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.linuxPackages_hardened.kernel.x86_64-linux/all (cherry picked from commit bb5aa0109b6db98a2e0a7ba88f5e0287e2374384) --- .../linux/kernel/hardened/patches.json | 60 ++++++++++++------- .../linux/kernel/hardened/update.py | 19 +++++- pkgs/os-specific/linux/kernel/patches.nix | 3 +- pkgs/top-level/all-packages.nix | 21 +++++-- 4 files changed, 73 insertions(+), 30 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/hardened/patches.json b/pkgs/os-specific/linux/kernel/hardened/patches.json index 3ff41c8aa87..c0f9882cc14 100644 --- a/pkgs/os-specific/linux/kernel/hardened/patches.json +++ b/pkgs/os-specific/linux/kernel/hardened/patches.json 
@@ -1,32 +1,52 @@ { "4.14": { - "extra": "-hardened1", - "name": "linux-hardened-4.14.251-hardened1.patch", - "sha256": "1yv4b10w1psaj4m4r9jicf6c3wkyvb040p7gbdf1455nrcxnxr06", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.251-hardened1/linux-hardened-4.14.251-hardened1.patch" + "patch": { + "extra": "-hardened1", + "name": "linux-hardened-4.14.252-hardened1.patch", + "sha256": "1isqlqg4diz0i3f77rigvb07fs2p1v9w2h5165l0rnkb6h26i1gn", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.252-hardened1/linux-hardened-4.14.252-hardened1.patch" + }, + "sha256": "022rw51s8fzz6wcxa9xq6h60fglfx0hq7bmqgs5dlrci6plv4fwk", + "version": "4.14.252" }, "4.19": { - "extra": "-hardened1", - "name": "linux-hardened-4.19.212-hardened1.patch", - "sha256": "1ildbzxzvkaziqiqlvw92pjmkd64hxdd9sn3fdq88q1pdw5x2jb3", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.212-hardened1/linux-hardened-4.19.212-hardened1.patch" + "patch": { + "extra": "-hardened1", + "name": "linux-hardened-4.19.213-hardened1.patch", + "sha256": "03lk4m6sm3545s0xxx0w4sqgrsvrxqm8qg7swn05s36jj20viprm", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.213-hardened1/linux-hardened-4.19.213-hardened1.patch" + }, + "sha256": "162f5y3jplql3ca5xy889mq6izjinryx2kx16zp582yvsqf8rwiq", + "version": "4.19.213" }, "5.10": { - "extra": "-hardened1", - "name": "linux-hardened-5.10.74-hardened1.patch", - "sha256": "0prcrifz1zmjxv492dgd78h8bdsx4bh92dsbnp01nn1wmwbajp8p", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.74-hardened1/linux-hardened-5.10.74-hardened1.patch" + "patch": { + "extra": "-hardened1", + "name": "linux-hardened-5.10.75-hardened1.patch", + "sha256": "17gm50aislxihfnmr4vi0p0gpg13m2pbldjpi81clnx93a7rrfw2", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.75-hardened1/linux-hardened-5.10.75-hardened1.patch" + }, + "sha256": 
"0jrhhk89587caw54nhnwms93kq33qdm75x5f18cp61xrxxgjyaqa", + "version": "5.10.75" }, "5.14": { - "extra": "-hardened1", - "name": "linux-hardened-5.14.13-hardened1.patch", - "sha256": "01kxjn1sndby3fjfq3g7z0ydrk8nv62bvpvprddqqc3bypk9q7m2", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.14.13-hardened1/linux-hardened-5.14.13-hardened1.patch" + "patch": { + "extra": "-hardened1", + "name": "linux-hardened-5.14.14-hardened1.patch", + "sha256": "1hx5yal8jqnxr9c9ikvc6d0xp99kqjarj67720v9d4wvlmgsfabj", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.14.14-hardened1/linux-hardened-5.14.14-hardened1.patch" + }, + "sha256": "0snh17ah49wmfmazy6x42rhvl484h657y0iq4l09a885sjb4xzsd", + "version": "5.14.14" }, "5.4": { - "extra": "-hardened1", - "name": "linux-hardened-5.4.154-hardened1.patch", - "sha256": "0d7w27n3wq9jaq0wbf3iv2f0jb1y2v4k0c87rb6sakivwajxn1aw", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.154-hardened1/linux-hardened-5.4.154-hardened1.patch" + "patch": { + "extra": "-hardened1", + "name": "linux-hardened-5.4.155-hardened1.patch", + "sha256": "0l8h9i6asiypgbxl90370kzfsyyc3f4vwl2r191arvrsgw863bid", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.155-hardened1/linux-hardened-5.4.155-hardened1.patch" + }, + "sha256": "0f2hfz76rnhmv99zhbh7n1z48316ilxrxrnh4b5m3lj84y80y36c", + "version": "5.4.155" } } diff --git a/pkgs/os-specific/linux/kernel/hardened/update.py b/pkgs/os-specific/linux/kernel/hardened/update.py index 8ff65107926..6133f3aad41 100755 --- a/pkgs/os-specific/linux/kernel/hardened/update.py +++ b/pkgs/os-specific/linux/kernel/hardened/update.py 
@@ -31,7 +31,12 @@ VersionComponent = Union[int, str] Version = List[VersionComponent] -Patch = TypedDict("Patch", {"name": str, "url": str, "sha256": str, "extra": str}) +PatchData = TypedDict("PatchData", {"name": str, "url": str, "sha256": str, "extra": str}) +Patch = TypedDict("Patch", { + "patch": PatchData, + "version": str, + "sha256": str, +}) @dataclass @@ -133,7 +138,15 @@ def fetch_patch(*, name: str, release_info: ReleaseInfo) -> Optional[Patch]: if not sig_ok: return None - return Patch(name=patch_filename, url=patch_url, sha256=sha256, extra=extra) + kernel_ver = release_info.release.tag_name.replace("-hardened1", "") + major = kernel_ver.split('.')[0] + sha256_kernel, _ = nix_prefetch_url(f"mirror://kernel/linux/kernel/v{major}.x/linux-{kernel_ver}.tar.xz") + + return Patch( + patch=PatchData(name=patch_filename, url=patch_url, sha256=sha256, extra=extra), + version=kernel_ver, + sha256=sha256_kernel + ) def parse_version(version_str: str) -> Version: @@ -245,7 +258,7 @@ for kernel_key in sorted(releases.keys()): old_version_str: Optional[str] = None update: bool try: - old_filename = patches[kernel_key]["name"] + old_filename = patches[kernel_key]["patch"]["name"] old_version_str = old_filename.replace("linux-hardened-", "").replace( ".patch", "" ) diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix index f41cedca0f6..b818ddc5f2a 100644 --- a/pkgs/os-specific/linux/kernel/patches.nix +++ b/pkgs/os-specific/linux/kernel/patches.nix @@ -47,10 +47,11 @@ cpu-cgroup-v2 = import ./cpu-cgroup-v2-patches; hardened = let - mkPatch = kernelVersion: src: { + mkPatch = kernelVersion: { version, sha256, patch }: let src = patch; in { name = lib.removeSuffix ".patch" src.name; patch = fetchurl (lib.filterAttrs (k: v: k != "extra") src); extra = src.extra; + inherit version sha256; }; patches = builtins.fromJSON (builtins.readFile ./hardened/patches.json); in lib.mapAttrs mkPatch patches; 
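Review bot: `kernel_ver = release_info.release.tag_name.replace("-hardened1", "")` hardcodes the patch revision suffix, so a re-release tag such as `5.14.14-hardened2` would keep its suffix in `kernel_ver` and the prefetch URL would point at a tarball that does not exist; the same return statement already passes `extra`, which appears to hold that suffix (its derivation is above the hunk), so strip it instead: `kernel_ver = release_info.release.tag_name.replace(extra, "")`. The tarball hash is also a weaker trust anchor than the patch hash: `sig_ok` verifies the hardened patch's signature, but `sha256_kernel` is whatever `nix_prefetch_url` received from `mirror://kernel` at update time, with no check against kernel.org's `.tar.sign`, and that value is then pinned into patches.json for every downstream build; at minimum add `# NOTE: tarball hash is pinned from the mirror as served; only the hardened patch is signature-verified here`. If the mirror does not yet carry `linux-{kernel_ver}.tar.xz`, `nix_prefetch_url` presumably raises rather than returning `None` the way the signature path does, so consider catching that and returning `None` so one branch cannot abort the whole update run. `fetch_patch` begins outside the hunk.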
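Review bot: In `mkPatch`, `let src = patch; in` only aliases the destructured `patch` argument, and the new top-level `version`/`sha256` attributes sit undocumented next to the patch's own `sha256`, so a reader can easily take the outer `sha256` for the patch hash. Drop the alias and read `patch.name` / `patch.extra` directly, and annotate the inherit with `# version/sha256 describe the upstream kernel tarball this patch was built against, not the patch itself` above `inherit version sha256;`.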
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index d171a800f60..683acfa23fe 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -20830,18 +20830,27 @@ in # Hardened Linux hardenedLinuxPackagesFor = kernel': overrides: - let # Note: We use this hack since the hardened patches can lag behind and we don't want to delay updates: - linux_latest_for_hardened = pkgs.linux_5_10; - kernel = (if kernel' == pkgs.linux_latest then linux_latest_for_hardened else kernel').override overrides; + let + kernel = kernel'.override overrides; + version = kernelPatches.hardened.${kernel.meta.branch}.version; + major = lib.versions.major version; + sha256 = kernelPatches.hardened.${kernel.meta.branch}.sha256; + modDirVersion' = builtins.replaceStrings [ kernel.version ] [ version ] kernel.modDirVersion; in linuxPackagesFor (kernel.override { structuredExtraConfig = import ../os-specific/linux/kernel/hardened/config.nix { - inherit lib; - inherit (kernel) version; + inherit lib version; + }; + argsOverride = { + inherit version; + src = fetchurl { + url = "mirror://kernel/linux/kernel/v${major}.x/linux-${version}.tar.xz"; + inherit sha256; + }; }; kernelPatches = kernel.kernelPatches ++ [ kernelPatches.hardened.${kernel.meta.branch} ]; - modDirVersionArg = kernel.modDirVersion + (kernelPatches.hardened.${kernel.meta.branch}).extra; + modDirVersionArg = modDirVersion' + (kernelPatches.hardened.${kernel.meta.branch}).extra; isHardened = true; });