authorMaximilian Bosch <maximilian@mbosch.me>2021-10-09 14:48:27 +0200
committerMaximilian Bosch <maximilian@mbosch.me>2021-10-20 23:51:52 +0200
commitbb5aa0109b6db98a2e0a7ba88f5e0287e2374384 (patch)
tree8bb659d09c25fcc0654ae73fd99460e1e6635fcb
parent65930caffe78ccd3c0e4f00bfd79123fcba9e444 (diff)
linux: build hardened kernel with matching releases
Until now we merged kernel updates even if no hardened versions were
available yet. On one hand we don't want to delay patch-level updates,
on the other hand users of hardened kernels have frequent breakage now[1].

This change aims to provide a solution to this issue:

* The hardened patchset now references the kernel version it's released
  for (including a sha256 hash for the fixed-output path of the source
  tarball).
* The `hardenedKernelFor`-function doesn't just append hardened patches
  now, but also overrides version & src to match the kernel version the
  patch was built & tested for.

Refs #140281

[1] https://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.linuxPackages_hardened.kernel.x86_64-linux/all
-rw-r--r--pkgs/os-specific/linux/kernel/hardened/patches.json60
-rwxr-xr-xpkgs/os-specific/linux/kernel/hardened/update.py19
-rw-r--r--pkgs/os-specific/linux/kernel/patches.nix3
-rw-r--r--pkgs/top-level/linux-kernels.nix20
4 files changed, 74 insertions, 28 deletions
diff --git a/pkgs/os-specific/linux/kernel/hardened/patches.json b/pkgs/os-specific/linux/kernel/hardened/patches.json
index 3ff41c8aa87..c0f9882cc14 100644
--- a/pkgs/os-specific/linux/kernel/hardened/patches.json
+++ b/pkgs/os-specific/linux/kernel/hardened/patches.json
@@ -1,32 +1,52 @@
 {
     "4.14": {
-        "extra": "-hardened1",
-        "name": "linux-hardened-4.14.251-hardened1.patch",
-        "sha256": "1yv4b10w1psaj4m4r9jicf6c3wkyvb040p7gbdf1455nrcxnxr06",
-        "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.251-hardened1/linux-hardened-4.14.251-hardened1.patch"
+        "patch": {
+            "extra": "-hardened1",
+            "name": "linux-hardened-4.14.252-hardened1.patch",
+            "sha256": "1isqlqg4diz0i3f77rigvb07fs2p1v9w2h5165l0rnkb6h26i1gn",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.252-hardened1/linux-hardened-4.14.252-hardened1.patch"
+        },
+        "sha256": "022rw51s8fzz6wcxa9xq6h60fglfx0hq7bmqgs5dlrci6plv4fwk",
+        "version": "4.14.252"
     },
     "4.19": {
-        "extra": "-hardened1",
-        "name": "linux-hardened-4.19.212-hardened1.patch",
-        "sha256": "1ildbzxzvkaziqiqlvw92pjmkd64hxdd9sn3fdq88q1pdw5x2jb3",
-        "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.212-hardened1/linux-hardened-4.19.212-hardened1.patch"
+        "patch": {
+            "extra": "-hardened1",
+            "name": "linux-hardened-4.19.213-hardened1.patch",
+            "sha256": "03lk4m6sm3545s0xxx0w4sqgrsvrxqm8qg7swn05s36jj20viprm",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.213-hardened1/linux-hardened-4.19.213-hardened1.patch"
+        },
+        "sha256": "162f5y3jplql3ca5xy889mq6izjinryx2kx16zp582yvsqf8rwiq",
+        "version": "4.19.213"
     },
     "5.10": {
-        "extra": "-hardened1",
-        "name": "linux-hardened-5.10.74-hardened1.patch",
-        "sha256": "0prcrifz1zmjxv492dgd78h8bdsx4bh92dsbnp01nn1wmwbajp8p",
-        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.74-hardened1/linux-hardened-5.10.74-hardened1.patch"
+        "patch": {
+            "extra": "-hardened1",
+            "name": "linux-hardened-5.10.75-hardened1.patch",
+            "sha256": "17gm50aislxihfnmr4vi0p0gpg13m2pbldjpi81clnx93a7rrfw2",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.75-hardened1/linux-hardened-5.10.75-hardened1.patch"
+        },
+        "sha256": "0jrhhk89587caw54nhnwms93kq33qdm75x5f18cp61xrxxgjyaqa",
+        "version": "5.10.75"
     },
     "5.14": {
-        "extra": "-hardened1",
-        "name": "linux-hardened-5.14.13-hardened1.patch",
-        "sha256": "01kxjn1sndby3fjfq3g7z0ydrk8nv62bvpvprddqqc3bypk9q7m2",
-        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.14.13-hardened1/linux-hardened-5.14.13-hardened1.patch"
+        "patch": {
+            "extra": "-hardened1",
+            "name": "linux-hardened-5.14.14-hardened1.patch",
+            "sha256": "1hx5yal8jqnxr9c9ikvc6d0xp99kqjarj67720v9d4wvlmgsfabj",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.14.14-hardened1/linux-hardened-5.14.14-hardened1.patch"
+        },
+        "sha256": "0snh17ah49wmfmazy6x42rhvl484h657y0iq4l09a885sjb4xzsd",
+        "version": "5.14.14"
     },
     "5.4": {
-        "extra": "-hardened1",
-        "name": "linux-hardened-5.4.154-hardened1.patch",
-        "sha256": "0d7w27n3wq9jaq0wbf3iv2f0jb1y2v4k0c87rb6sakivwajxn1aw",
-        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.154-hardened1/linux-hardened-5.4.154-hardened1.patch"
+        "patch": {
+            "extra": "-hardened1",
+            "name": "linux-hardened-5.4.155-hardened1.patch",
+            "sha256": "0l8h9i6asiypgbxl90370kzfsyyc3f4vwl2r191arvrsgw863bid",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.155-hardened1/linux-hardened-5.4.155-hardened1.patch"
+        },
+        "sha256": "0f2hfz76rnhmv99zhbh7n1z48316ilxrxrnh4b5m3lj84y80y36c",
+        "version": "5.4.155"
     }
 }
diff --git a/pkgs/os-specific/linux/kernel/hardened/update.py b/pkgs/os-specific/linux/kernel/hardened/update.py
index f278b518c02..48567b68dc3 100755
--- a/pkgs/os-specific/linux/kernel/hardened/update.py
+++ b/pkgs/os-specific/linux/kernel/hardened/update.py
@@ -31,7 +31,12 @@ VersionComponent = Union[int, str]
 Version = List[VersionComponent]
 
 
-Patch = TypedDict("Patch", {"name": str, "url": str, "sha256": str, "extra": str})
+PatchData = TypedDict("PatchData", {"name": str, "url": str, "sha256": str, "extra": str})
+Patch = TypedDict("Patch", {
+    "patch": PatchData,
+    "version": str,
+    "sha256": str,
+})
 
 
 @dataclass
@@ -133,7 +138,15 @@ def fetch_patch(*, name: str, release_info: ReleaseInfo) -> Optional[Patch]:
     if not sig_ok:
         return None
 
-    return Patch(name=patch_filename, url=patch_url, sha256=sha256, extra=extra)
+    kernel_ver = release_info.release.tag_name.replace("-hardened1", "")
+    major = kernel_ver.split('.')[0]
+    sha256_kernel, _ = nix_prefetch_url(f"mirror://kernel/linux/kernel/v{major}.x/linux-{kernel_ver}.tar.xz")
+
+    return Patch(
+        patch=PatchData(name=patch_filename, url=patch_url, sha256=sha256, extra=extra),
+        version=kernel_ver,
+        sha256=sha256_kernel
+    )
 
 
 def parse_version(version_str: str) -> Version:
@@ -249,7 +262,7 @@ for kernel_key in sorted(releases.keys()):
     old_version_str: Optional[str] = None
     update: bool
     try:
-        old_filename = patches[kernel_key]["name"]
+        old_filename = patches[kernel_key]["patch"]["name"]
         old_version_str = old_filename.replace("linux-hardened-", "").replace(
             ".patch", ""
         )
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index f41cedca0f6..b818ddc5f2a 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -47,10 +47,11 @@
   cpu-cgroup-v2 = import ./cpu-cgroup-v2-patches;
 
   hardened = let
-    mkPatch = kernelVersion: src: {
+    mkPatch = kernelVersion: { version, sha256, patch }: let src = patch; in {
       name = lib.removeSuffix ".patch" src.name;
       patch = fetchurl (lib.filterAttrs (k: v: k != "extra") src);
       extra = src.extra;
+      inherit version sha256;
     };
     patches = builtins.fromJSON (builtins.readFile ./hardened/patches.json);
   in lib.mapAttrs mkPatch patches;
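Review bot: The attrset now carries two different `sha256` values with nothing telling them apart — the one inherited at top level is the hash of the upstream kernel tarball, while the patch's own hash is folded into `patch` via `fetchurl` — and `version` likewise refers to the kernel, not the hardened patch; a reader of the resulting `kernelPatches.hardened.<branch>` entry will likely misread them. Add a comment above `inherit version sha256;`, e.g. `# version/sha256 describe the upstream kernel tarball this patch was released against, not the patch itself (that hash lives inside `patch`)`. The `let src = patch; in` alias also looks like a leftover from the old `kernelVersion: src:` signature and could be dropped by referring to `patch` directly.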
diff --git a/pkgs/top-level/linux-kernels.nix b/pkgs/top-level/linux-kernels.nix
index d1afd342280..da6bd08e567 100644
--- a/pkgs/top-level/linux-kernels.nix
+++ b/pkgs/top-level/linux-kernels.nix
@@ -10,6 +10,7 @@
 , stdenvNoCC
 , newScope
 , lib
+, fetchurl
 }:
 
 # When adding a kernel:
@@ -26,16 +27,27 @@ let
 
   # Hardened Linux
   hardenedKernelFor = kernel': overrides:
-    let kernel = kernel'.override overrides;
+    let
+      kernel = kernel'.override overrides;
+      version = kernelPatches.hardened.${kernel.meta.branch}.version;
+      major = lib.versions.major version;
+      sha256 = kernelPatches.hardened.${kernel.meta.branch}.sha256;
+      modDirVersion' = builtins.replaceStrings [ kernel.version ] [ version ] kernel.modDirVersion;
     in kernel.override {
       structuredExtraConfig = import ../os-specific/linux/kernel/hardened/config.nix {
-        inherit lib;
-        inherit (kernel) version;
+        inherit lib version;
+      };
+      argsOverride = {
+        inherit version;
+        src = fetchurl {
+          url = "mirror://kernel/linux/kernel/v${major}.x/linux-${version}.tar.xz";
+          inherit sha256;
+        };
       };
       kernelPatches = kernel.kernelPatches ++ [
         kernelPatches.hardened.${kernel.meta.branch}
       ];
-      modDirVersionArg = kernel.modDirVersion + (kernelPatches.hardened.${kernel.meta.branch}).extra;
+      modDirVersionArg = modDirVersion' + (kernelPatches.hardened.${kernel.meta.branch}).extra;
       isHardened = true;
   };
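Review bot: The new `argsOverride` attribute is passed to `kernel.override` as a whole, so if the caller-supplied `overrides` already carried an `argsOverride` (the `kernel'.override overrides` on the line above) it is, as far as `override` only merges at the top level, replaced rather than merged and those caller settings are silently lost; merging it explicitly — `argsOverride = (overrides.argsOverride or {}) // { inherit version; src = fetchurl { ... }; };` — keeps them. Two further caveats deserve a comment in `hardenedKernelFor`: `builtins.replaceStrings [ kernel.version ] [ version ] kernel.modDirVersion` is a silent no-op when `kernel.modDirVersion` does not contain `kernel.version`, which would leave `modDirVersionArg` pointing at the old release's module directory, so an `assert lib.hasInfix kernel.version kernel.modDirVersion;` would make that failure visible; and since the hardened variant is now pinned to the release the patch was built for, it can lag behind `kernel'` and miss fixes shipped in the newer stable release until the patch is rebased — worth stating next to the `inherit version;` so users of `linuxPackages_hardened` know the tradeoff.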
 in {