diff options
author | Maximilian Bosch <maximilian@mbosch.me> | 2021-10-09 14:48:27 +0200 |
---|---|---|
committer | Maximilian Bosch <maximilian@mbosch.me> | 2021-10-20 23:51:52 +0200 |
commit | bb5aa0109b6db98a2e0a7ba88f5e0287e2374384 (patch) | |
tree | 8bb659d09c25fcc0654ae73fd99460e1e6635fcb /pkgs/os-specific/linux/kernel/patches.nix | |
parent | 65930caffe78ccd3c0e4f00bfd79123fcba9e444 (diff) | |
download | nixpkgs-bb5aa0109b6db98a2e0a7ba88f5e0287e2374384.tar nixpkgs-bb5aa0109b6db98a2e0a7ba88f5e0287e2374384.tar.gz nixpkgs-bb5aa0109b6db98a2e0a7ba88f5e0287e2374384.tar.bz2 nixpkgs-bb5aa0109b6db98a2e0a7ba88f5e0287e2374384.tar.lz nixpkgs-bb5aa0109b6db98a2e0a7ba88f5e0287e2374384.tar.xz nixpkgs-bb5aa0109b6db98a2e0a7ba88f5e0287e2374384.tar.zst nixpkgs-bb5aa0109b6db98a2e0a7ba88f5e0287e2374384.zip |
linux: build hardened kernel with matching releases
Until now we merged kernel updates even if no hardened versions were available yet. On one hand we don't want to delay patch-level updates, on the other hand users of hardened kernels have frequent breakage now[1]. This change aims to provide a solution this issue: * The hardened patchset now references the kernel version it's released for (including a sha256 hash for the fixed-output path of the source tarball). * The `hardenedKernelFor`-function doesn't just append hardened patches now, but also overrides version & src to match the kernel version the patch was built & tested for. Refs #140281 [1] https://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.linuxPackages_hardened.kernel.x86_64-linux/all
Diffstat (limited to 'pkgs/os-specific/linux/kernel/patches.nix')
-rw-r--r-- | pkgs/os-specific/linux/kernel/patches.nix | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix index f41cedca0f6..b818ddc5f2a 100644 --- a/pkgs/os-specific/linux/kernel/patches.nix +++ b/pkgs/os-specific/linux/kernel/patches.nix @@ -47,10 +47,11 @@ cpu-cgroup-v2 = import ./cpu-cgroup-v2-patches; hardened = let - mkPatch = kernelVersion: src: { + mkPatch = kernelVersion: { version, sha256, patch }: let src = patch; in { name = lib.removeSuffix ".patch" src.name; patch = fetchurl (lib.filterAttrs (k: v: k != "extra") src); extra = src.extra; + inherit version sha256; }; patches = builtins.fromJSON (builtins.readFile ./hardened/patches.json); in lib.mapAttrs mkPatch patches; |