linux: build hardened kernel with matching releases
Until now we merged kernel updates even if no hardened versions were available yet. On one hand we don't want to delay patch-level updates, on the other hand users of hardened kernels have frequent breakage now[1]. This change aims to provide a solution to this issue: * The hardened patchset now references the kernel version it's released for (including a sha256 hash for the fixed-output path of the source tarball). * The `hardenedKernelFor`-function doesn't just append hardened patches now, but also overrides version & src to match the kernel version the patch was built & tested for. Refs #140281 [1] https://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.linuxPackages_hardened.kernel.x86_64-linux/all (cherry picked from commit bb5aa0109b6db98a2e0a7ba88f5e0287e2374384)
parent
f48b51e12e
commit
f47c57802e
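--- a/pkgs/os-specific/linux/kernel/hardened/patches.json
+++ b/pkgs/os-specific/linux/kernel/hardened/patches.json
@@ -1,32 +1,52 @@
 {
 "4.14": {
-"extra": "-hardened1",
-"name": "linux-hardened-4.14.251-hardened1.patch",
-"sha256": "1yv4b10w1psaj4m4r9jicf6c3wkyvb040p7gbdf1455nrcxnxr06",
-"url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.251-hardened1/linux-hardened-4.14.251-hardened1.patch"
+"patch": {
+"extra": "-hardened1",
+"name": "linux-hardened-4.14.252-hardened1.patch",
+"sha256": "1isqlqg4diz0i3f77rigvb07fs2p1v9w2h5165l0rnkb6h26i1gn",
+"url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.252-hardened1/linux-hardened-4.14.252-hardened1.patch"
+},
+"sha256": "022rw51s8fzz6wcxa9xq6h60fglfx0hq7bmqgs5dlrci6plv4fwk",
+"version": "4.14.252"
 },
 "4.19": {
-"extra": "-hardened1",
-"name": "linux-hardened-4.19.212-hardened1.patch",
-"sha256": "1ildbzxzvkaziqiqlvw92pjmkd64hxdd9sn3fdq88q1pdw5x2jb3",
-"url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.212-hardened1/linux-hardened-4.19.212-hardened1.patch"
+"patch": {
+"extra": "-hardened1",
+"name": "linux-hardened-4.19.213-hardened1.patch",
+"sha256": "03lk4m6sm3545s0xxx0w4sqgrsvrxqm8qg7swn05s36jj20viprm",
+"url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.213-hardened1/linux-hardened-4.19.213-hardened1.patch"
+},
+"sha256": "162f5y3jplql3ca5xy889mq6izjinryx2kx16zp582yvsqf8rwiq",
+"version": "4.19.213"
 },
 "5.10": {
-"extra": "-hardened1",
-"name": "linux-hardened-5.10.74-hardened1.patch",
-"sha256": "0prcrifz1zmjxv492dgd78h8bdsx4bh92dsbnp01nn1wmwbajp8p",
-"url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.74-hardened1/linux-hardened-5.10.74-hardened1.patch"
+"patch": {
+"extra": "-hardened1",
+"name": "linux-hardened-5.10.75-hardened1.patch",
+"sha256": "17gm50aislxihfnmr4vi0p0gpg13m2pbldjpi81clnx93a7rrfw2",
+"url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.75-hardened1/linux-hardened-5.10.75-hardened1.patch"
+},
+"sha256": "0jrhhk89587caw54nhnwms93kq33qdm75x5f18cp61xrxxgjyaqa",
+"version": "5.10.75"
 },
 "5.14": {
-"extra": "-hardened1",
-"name": "linux-hardened-5.14.13-hardened1.patch",
-"sha256": "01kxjn1sndby3fjfq3g7z0ydrk8nv62bvpvprddqqc3bypk9q7m2",
-"url": "https://github.com/anthraxx/linux-hardened/releases/download/5.14.13-hardened1/linux-hardened-5.14.13-hardened1.patch"
+"patch": {
+"extra": "-hardened1",
+"name": "linux-hardened-5.14.14-hardened1.patch",
+"sha256": "1hx5yal8jqnxr9c9ikvc6d0xp99kqjarj67720v9d4wvlmgsfabj",
+"url": "https://github.com/anthraxx/linux-hardened/releases/download/5.14.14-hardened1/linux-hardened-5.14.14-hardened1.patch"
+},
+"sha256": "0snh17ah49wmfmazy6x42rhvl484h657y0iq4l09a885sjb4xzsd",
+"version": "5.14.14"
 },
 "5.4": {
-"extra": "-hardened1",
-"name": "linux-hardened-5.4.154-hardened1.patch",
-"sha256": "0d7w27n3wq9jaq0wbf3iv2f0jb1y2v4k0c87rb6sakivwajxn1aw",
-"url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.154-hardened1/linux-hardened-5.4.154-hardened1.patch"
+"patch": {
+"extra": "-hardened1",
+"name": "linux-hardened-5.4.155-hardened1.patch",
+"sha256": "0l8h9i6asiypgbxl90370kzfsyyc3f4vwl2r191arvrsgw863bid",
+"url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.155-hardened1/linux-hardened-5.4.155-hardened1.patch"
+},
+"sha256": "0f2hfz76rnhmv99zhbh7n1z48316ilxrxrnh4b5m3lj84y80y36c",
+"version": "5.4.155"
 }
 }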
@ -31,7 +31,12 @@ VersionComponent = Union[int, str]
|
||||||
Version = List[VersionComponent]
|
Version = List[VersionComponent]
|
||||||
|
|
||||||
|
|
||||||
Patch = TypedDict("Patch", {"name": str, "url": str, "sha256": str, "extra": str})
|
PatchData = TypedDict("PatchData", {"name": str, "url": str, "sha256": str, "extra": str})
|
||||||
|
Patch = TypedDict("Patch", {
|
||||||
|
"patch": PatchData,
|
||||||
|
"version": str,
|
||||||
|
"sha256": str,
|
||||||
|
})
|
||||||
|
|
||||||
|
|
||||||
@dataclass
|
@dataclass
|
||||||
|
@ -133,7 +138,15 @@ def fetch_patch(*, name: str, release_info: ReleaseInfo) -> Optional[Patch]:
|
||||||
if not sig_ok:
|
if not sig_ok:
|
||||||
return None
|
return None
|
||||||
|
|
||||||
return Patch(name=patch_filename, url=patch_url, sha256=sha256, extra=extra)
|
kernel_ver = release_info.release.tag_name.replace("-hardened1", "")
|
||||||
|
major = kernel_ver.split('.')[0]
|
||||||
|
sha256_kernel, _ = nix_prefetch_url(f"mirror://kernel/linux/kernel/v{major}.x/linux-{kernel_ver}.tar.xz")
|
||||||
|
|
||||||
|
return Patch(
|
||||||
|
patch=PatchData(name=patch_filename, url=patch_url, sha256=sha256, extra=extra),
|
||||||
|
version=kernel_ver,
|
||||||
|
sha256=sha256_kernel
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
def parse_version(version_str: str) -> Version:
|
def parse_version(version_str: str) -> Version:
|
||||||
|
@ -245,7 +258,7 @@ for kernel_key in sorted(releases.keys()):
|
||||||
old_version_str: Optional[str] = None
|
old_version_str: Optional[str] = None
|
||||||
update: bool
|
update: bool
|
||||||
try:
|
try:
|
||||||
old_filename = patches[kernel_key]["name"]
|
old_filename = patches[kernel_key]["patch"]["name"]
|
||||||
old_version_str = old_filename.replace("linux-hardened-", "").replace(
|
old_version_str = old_filename.replace("linux-hardened-", "").replace(
|
||||||
".patch", ""
|
".patch", ""
|
||||||
)
|
)
|
||||||
|
|
|
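Review bot: `kernel_ver` is derived by stripping the literal `"-hardened1"` from the release tag, while the same code path already carries the suffix in `extra` (the JSON entries suggest `extra` is exactly that `-hardenedN` string); a future `-hardened2` release would leave the suffix in `kernel_ver` and produce a tarball URL that does not exist, so derive it from the suffix instead, e.g. `kernel_ver = release_info.release.tag_name.replace(extra, "")`. The kernel tarball hash pinned by `nix_prefetch_url` is also taken from a single mirror fetch with no authenticity check, whereas the patch in the same function is only accepted once `sig_ok` holds; before writing `sha256_kernel` into patches.json it is worth cross-checking it against the hash the tree already records for that kernel version, or verifying the upstream tarball signature, so a bad mirror at update time cannot become the pinned source. fetch_patch starts outside this hunk, so where `extra` is assigned is not visible here.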
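--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -47,10 +47,11 @@
 cpu-cgroup-v2 = import ./cpu-cgroup-v2-patches;
 
 hardened = let
-mkPatch = kernelVersion: src: {
+mkPatch = kernelVersion: { version, sha256, patch }: let src = patch; in {
 name = lib.removeSuffix ".patch" src.name;
 patch = fetchurl (lib.filterAttrs (k: v: k != "extra") src);
 extra = src.extra;
+inherit version sha256;
 };
 patches = builtins.fromJSON (builtins.readFile ./hardened/patches.json);
 in lib.mapAttrs mkPatch patches;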
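Review bot: The new `version` and `sha256` attributes that `mkPatch` now inherits describe the upstream kernel tarball the patch was built for, while `src.sha256` (passed to `fetchurl`) is the hash of the patch file itself; two hashes now sit side by side in one attribute set and nothing in the code says which is which. A one-line comment above the inherit would stop the next reader from conflating them, e.g. `# version/sha256: the upstream kernel release this patch targets, not the patch file`. The `let src = patch; in` alias only preserves the old `src.*` references, which is fine, but the comment is what keeps the two hashes apart.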
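--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -20830,18 +20830,27 @@ in
 
 # Hardened Linux
 hardenedLinuxPackagesFor = kernel': overrides:
-let # Note: We use this hack since the hardened patches can lag behind and we don't want to delay updates:
-linux_latest_for_hardened = pkgs.linux_5_10;
-kernel = (if kernel' == pkgs.linux_latest then linux_latest_for_hardened else kernel').override overrides;
+let
+kernel = kernel'.override overrides;
+version = kernelPatches.hardened.${kernel.meta.branch}.version;
+major = lib.versions.major version;
+sha256 = kernelPatches.hardened.${kernel.meta.branch}.sha256;
+modDirVersion' = builtins.replaceStrings [ kernel.version ] [ version ] kernel.modDirVersion;
 in linuxPackagesFor (kernel.override {
 structuredExtraConfig = import ../os-specific/linux/kernel/hardened/config.nix {
-inherit lib;
-inherit (kernel) version;
+inherit lib version;
+};
+argsOverride = {
+inherit version;
+src = fetchurl {
+url = "mirror://kernel/linux/kernel/v${major}.x/linux-${version}.tar.xz";
+inherit sha256;
+};
 };
 kernelPatches = kernel.kernelPatches ++ [
 kernelPatches.hardened.${kernel.meta.branch}
 ];
-modDirVersionArg = kernel.modDirVersion + (kernelPatches.hardened.${kernel.meta.branch}).extra;
+modDirVersionArg = modDirVersion' + (kernelPatches.hardened.${kernel.meta.branch}).extra;
 isHardened = true;
 });
 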
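Review bot: Nothing in the new `let` block signals when the pinned `version` is older than `kernel.version`, which is exactly the lag case the commit describes, so users of the hardened package set silently build a kernel behind the branch they asked for, and `kernelPatches.hardened.${kernel.meta.branch}` is looked up four separate times (version, sha256, the patch list and `.extra`). Binding the entry once and making the downgrade visible at evaluation time would address both, roughly `hardened = kernelPatches.hardened.${kernel.meta.branch};` followed by `version = lib.warnIf (lib.versionOlder hardened.version kernel.version) "hardened kernel ${hardened.version} lags ${kernel.version}" hardened.version;`, with `sha256`, the patch list and `.extra` taken from `hardened`. The `modDirVersion'` line also relies on `kernel.modDirVersion` containing `kernel.version` verbatim; if it does not, `replaceStrings` leaves the old value in place without any error, which deserves a comment on that line such as `# assumes modDirVersion embeds kernel.version; otherwise this is a no-op`.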