diff options
| author | Pierre Bourdon <delroth@gmail.com> | 2019-01-12 01:35:18 +0100 |
|---|---|---|
| committer | Pierre Bourdon <delroth@gmail.com> | 2019-01-24 01:42:17 +0100 |
| commit | 8769d2d58cb3ae0c0b66f5de6a4423109a2613e2 (patch) | |
| tree | f309fe22a78f1383651f11214a801309d6813ffe /nixos/modules/system/boot/kernel.nix | |
| parent | a258015d3a0eece5cb8b17aef66d650be112de71 (diff) | |
| download | nixpkgs-8769d2d58cb3ae0c0b66f5de6a4423109a2613e2.tar nixpkgs-8769d2d58cb3ae0c0b66f5de6a4423109a2613e2.tar.gz nixpkgs-8769d2d58cb3ae0c0b66f5de6a4423109a2613e2.tar.bz2 nixpkgs-8769d2d58cb3ae0c0b66f5de6a4423109a2613e2.tar.lz nixpkgs-8769d2d58cb3ae0c0b66f5de6a4423109a2613e2.tar.xz nixpkgs-8769d2d58cb3ae0c0b66f5de6a4423109a2613e2.tar.zst nixpkgs-8769d2d58cb3ae0c0b66f5de6a4423109a2613e2.zip | |
nixos kernel.nix: add an option to customize the kernel RANDSTRUCT seed
Diffstat (limited to 'nixos/modules/system/boot/kernel.nix')
| -rw-r--r-- | nixos/modules/system/boot/kernel.nix | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/nixos/modules/system/boot/kernel.nix b/nixos/modules/system/boot/kernel.nix index 8ea05ed1468..ab919099d11 100644 --- a/nixos/modules/system/boot/kernel.nix +++ b/nixos/modules/system/boot/kernel.nix @@ -5,7 +5,7 @@ with lib; let inherit (config.boot) kernelPatches; - inherit (config.boot.kernel) features; + inherit (config.boot.kernel) features randstructSeed; inherit (config.boot.kernelPackages) kernel; kernelModulesConf = pkgs.writeText "nixos.conf" @@ -38,6 +38,7 @@ in default = pkgs.linuxPackages; apply = kernelPackages: kernelPackages.extend (self: super: { kernel = super.kernel.override { + inherit randstructSeed; kernelPatches = super.kernel.kernelPatches ++ kernelPatches; features = lib.recursiveUpdate super.kernel.features features; }; @@ -67,6 +68,19 @@ in description = "A list of additional patches to apply to the kernel."; }; + boot.kernel.randstructSeed = mkOption { + type = types.str; + default = ""; + example = "my secret seed"; + description = '' + Provides a custom seed for the <varname>RANDSTRUCT</varname> security + option of the Linux kernel. Note that <varname>RANDSTRUCT</varname> is + only enabled in NixOS hardened kernels. Using a custom seed requires + building the kernel and dependent packages locally, since this + customization happens at build time. + ''; + }; + boot.kernelParams = mkOption { type = types.listOf types.str; default = [ ]; @@ -298,7 +312,7 @@ in # !!! Should this really be needed? (isYes "MODULES") (isYes "BINFMT_ELF") - ]; + ] ++ (optional (randstructSeed != "") (isYes "GCC_PLUGIN_RANDSTRUCT")); # nixpkgs kernels are assumed to have all required features assertions = if config.boot.kernelPackages.kernel ? features then [] else |