diff options
author | Maximilian Bosch <maximilian@mbosch.me> | 2021-10-09 14:48:27 +0200 |
---|---|---|
committer | Maximilian Bosch <maximilian@mbosch.me> | 2021-10-20 23:51:52 +0200 |
commit | bb5aa0109b6db98a2e0a7ba88f5e0287e2374384 (patch) | |
tree | 8bb659d09c25fcc0654ae73fd99460e1e6635fcb /pkgs/os-specific/linux/kernel/hardened/update.py | |
parent | 65930caffe78ccd3c0e4f00bfd79123fcba9e444 (diff) | |
download | nixpkgs-bb5aa0109b6db98a2e0a7ba88f5e0287e2374384.tar nixpkgs-bb5aa0109b6db98a2e0a7ba88f5e0287e2374384.tar.gz nixpkgs-bb5aa0109b6db98a2e0a7ba88f5e0287e2374384.tar.bz2 nixpkgs-bb5aa0109b6db98a2e0a7ba88f5e0287e2374384.tar.lz nixpkgs-bb5aa0109b6db98a2e0a7ba88f5e0287e2374384.tar.xz nixpkgs-bb5aa0109b6db98a2e0a7ba88f5e0287e2374384.tar.zst nixpkgs-bb5aa0109b6db98a2e0a7ba88f5e0287e2374384.zip |
linux: build hardened kernel with matching releases
Until now we merged kernel updates even if no hardened versions were available yet. On one hand we don't want to delay patch-level updates, on the other hand users of hardened kernels have frequent breakage now[1]. This change aims to provide a solution this issue: * The hardened patchset now references the kernel version it's released for (including a sha256 hash for the fixed-output path of the source tarball). * The `hardenedKernelFor`-function doesn't just append hardened patches now, but also overrides version & src to match the kernel version the patch was built & tested for. Refs #140281 [1] https://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.linuxPackages_hardened.kernel.x86_64-linux/all
Diffstat (limited to 'pkgs/os-specific/linux/kernel/hardened/update.py')
-rwxr-xr-x | pkgs/os-specific/linux/kernel/hardened/update.py | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/pkgs/os-specific/linux/kernel/hardened/update.py b/pkgs/os-specific/linux/kernel/hardened/update.py index f278b518c02..48567b68dc3 100755 --- a/pkgs/os-specific/linux/kernel/hardened/update.py +++ b/pkgs/os-specific/linux/kernel/hardened/update.py @@ -31,7 +31,12 @@ VersionComponent = Union[int, str] Version = List[VersionComponent] -Patch = TypedDict("Patch", {"name": str, "url": str, "sha256": str, "extra": str}) +PatchData = TypedDict("PatchData", {"name": str, "url": str, "sha256": str, "extra": str}) +Patch = TypedDict("Patch", { + "patch": PatchData, + "version": str, + "sha256": str, +}) @dataclass @@ -133,7 +138,15 @@ def fetch_patch(*, name: str, release_info: ReleaseInfo) -> Optional[Patch]: if not sig_ok: return None - return Patch(name=patch_filename, url=patch_url, sha256=sha256, extra=extra) + kernel_ver = release_info.release.tag_name.replace("-hardened1", "") + major = kernel_ver.split('.')[0] + sha256_kernel, _ = nix_prefetch_url(f"mirror://kernel/linux/kernel/v{major}.x/linux-{kernel_ver}.tar.xz") + + return Patch( + patch=PatchData(name=patch_filename, url=patch_url, sha256=sha256, extra=extra), + version=kernel_ver, + sha256=sha256_kernel + ) def parse_version(version_str: str) -> Version: @@ -249,7 +262,7 @@ for kernel_key in sorted(releases.keys()): old_version_str: Optional[str] = None update: bool try: - old_filename = patches[kernel_key]["name"] + old_filename = patches[kernel_key]["patch"]["name"] old_version_str = old_filename.replace("linux-hardened-", "").replace( ".patch", "" ) |