Diffstat (limited to 'pkgs/os-specific/linux/kernel/common-config.nix')
-rw-r--r-- | pkgs/os-specific/linux/kernel/common-config.nix | 139 |
1 files changed, 105 insertions, 34 deletions
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix index c0da19dd391..355e653c8ea 100644 --- a/pkgs/os-specific/linux/kernel/common-config.nix +++ b/pkgs/os-specific/linux/kernel/common-config.nix @@ -10,14 +10,14 @@ # hardware problems with a new one. # Configuration -{ stdenv, version +{ lib, stdenv, version -, features ? { grsecurity = false; } +, features ? {} }: -with stdenv.lib; -with stdenv.lib.kernel; -with (stdenv.lib.kernel.whenHelpers version); +with lib; +with lib.kernel; +with (lib.kernel.whenHelpers version); let @@ -42,7 +42,7 @@ let TIMER_STATS = whenOlder "4.11" yes; DEBUG_NX_TEST = whenOlder "4.11" no; DEBUG_STACK_USAGE = no; - DEBUG_STACKOVERFLOW = mkIf (!features.grsecurity) (option no); + DEBUG_STACKOVERFLOW = option no; RCU_TORTURE_TEST = no; SCHEDSTATS = no; DETECT_HUNG_TASK = yes; @@ -132,6 +132,7 @@ let IP_MROUTE_MULTIPLE_TABLES = yes; IP_MULTICAST = yes; IP_MULTIPLE_TABLES = yes; + IPV6 = yes; IPV6_ROUTER_PREF = yes; IPV6_ROUTE_INFO = yes; IPV6_OPTIMISTIC_DAD = yes; @@ -141,6 +142,9 @@ let IPV6_MROUTE_MULTIPLE_TABLES = yes; IPV6_PIMSM_V2 = yes; IPV6_FOU_TUNNEL = whenAtLeast "4.7" module; + IPV6_SEG6_LWTUNNEL = whenAtLeast "4.10" yes; + IPV6_SEG6_HMAC = whenAtLeast "4.10" yes; + IPV6_SEG6_BPF = whenAtLeast "4.18" yes; NET_CLS_BPF = whenAtLeast "4.4" module; NET_ACT_BPF = whenAtLeast "4.4" module; NET_SCHED = yes; @@ -173,6 +177,8 @@ let (whenAtLeast "4.17" yes) ]; NF_TABLES_NETDEV = mkMerge [ (whenOlder "4.17" module) (whenAtLeast "4.17" yes) ]; + NFT_REJECT_NETDEV = whenAtLeast "5.11" module; + # IP: Netfilter Configuration NF_TABLES_IPV4 = mkMerge [ (whenOlder "4.17" module) (whenAtLeast "4.17" yes) ]; 
@@ -190,11 +196,17 @@ let
 NET_DROP_MONITOR = yes;
 # needed for ss
- INET_DIAG = module;
- INET_TCP_DIAG = module;
- INET_UDP_DIAG = module;
- INET_RAW_DIAG = whenAtLeast "4.14" module;
- INET_DIAG_DESTROY = whenAtLeast "4.9" yes;
+ # Use a lower priority to allow these options to be overridden in hardened/config.nix
+ INET_DIAG = mkDefault module;
+ INET_TCP_DIAG = mkDefault module;
+ INET_UDP_DIAG = mkDefault module;
+ INET_RAW_DIAG = whenAtLeast "4.14" (mkDefault module);
+ INET_DIAG_DESTROY = whenAtLeast "4.9" (mkDefault yes);
+
+ # enable multipath-tcp
+ MPTCP = whenAtLeast "5.6" yes;
+ MPTCP_IPV6 = whenAtLeast "5.6" yes;
+ INET_MPTCP_DIAG = whenAtLeast "5.9" (mkDefault module);
 };
 wireless = {
@@ -235,8 +247,9 @@ let
 # Allow specifying custom EDID on the kernel command line
 DRM_LOAD_EDID_FIRMWARE = yes;
 VGA_SWITCHEROO = yes; # Hybrid graphics support
- DRM_GMA600 = yes;
- DRM_GMA3600 = yes;
+ DRM_GMA500 = whenAtLeast "5.12" module;
+ DRM_GMA600 = whenOlder "5.13" yes;
+ DRM_GMA3600 = whenOlder "5.12" yes;
 DRM_VMWGFX_FBCON = yes;
 # necessary for amdgpu polaris support
 DRM_AMD_POWERPLAY = whenBetween "4.5" "4.9" yes;
@@ -244,6 +257,17 @@ let
 DRM_AMDGPU_SI = whenAtLeast "4.9" yes;
 # (stable) amdgpu support for bonaire and newer chipsets
 DRM_AMDGPU_CIK = whenAtLeast "4.9" yes;
+ # Allow device firmware updates
+ DRM_DP_AUX_CHARDEV = whenAtLeast "4.6" yes;
+ # amdgpu display core (DC) support
+ DRM_AMD_DC_DCN1_0 = whenBetween "4.15" "5.6" yes;
+ DRM_AMD_DC_PRE_VEGA = whenBetween "4.15" "4.18" yes;
+ DRM_AMD_DC_DCN2_0 = whenBetween "5.3" "5.6" yes;
+ DRM_AMD_DC_DCN2_1 = whenBetween "5.4" "5.6" yes;
+ DRM_AMD_DC_DCN3_0 = whenBetween "5.9" "5.11" yes;
+ DRM_AMD_DC_DCN = whenAtLeast "5.11" yes;
+ DRM_AMD_DC_HDCP = whenAtLeast "5.5" yes;
+ DRM_AMD_DC_SI = whenAtLeast "5.10" yes;
 } // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") {
 # Intel GVT-g graphics virtualization supports 64-bit only
 DRM_I915_GVT = whenAtLeast "4.16" yes;
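Review bot: In the `@@ -190,11 +196,17 @@` hunk the three new MPTCP entries are enabled at normal priority, while the INET_DIAG lines directly above them are lowered to `mkDefault` in the same hunk precisely so hardened/config.nix can override them; multipath TCP is an additional receive-side code path in the network stack that a hardened profile may well want to keep off, and as written it would need `mkForce` to do so. Consider `MPTCP = whenAtLeast "5.6" (mkDefault yes);` and likewise for `MPTCP_IPV6`, plus a comment noting that the feature remains switchable at runtime through the `net.mptcp.enabled` sysctl. `MPTCP_IPV6` also relies on `IPV6 = yes`, which this commit only makes explicit in an earlier hunk. The enclosing `networking` set begins before this hunk.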
@@ -268,21 +292,31 @@ let
 SND_SOC_SOF_TOPLEVEL = yes;
 SND_SOC_SOF_ACPI = module;
 SND_SOC_SOF_PCI = module;
- SND_SOC_SOF_APOLLOLAKE_SUPPORT = yes;
- SND_SOC_SOF_CANNONLAKE_SUPPORT = yes;
- SND_SOC_SOF_COFFEELAKE_SUPPORT = yes;
+ SND_SOC_SOF_APOLLOLAKE = whenAtLeast "5.12" module;
+ SND_SOC_SOF_APOLLOLAKE_SUPPORT = whenOlder "5.12" yes;
+ SND_SOC_SOF_CANNONLAKE = whenAtLeast "5.12" module;
+ SND_SOC_SOF_CANNONLAKE_SUPPORT = whenOlder "5.12" yes;
+ SND_SOC_SOF_COFFEELAKE = whenAtLeast "5.12" module;
+ SND_SOC_SOF_COFFEELAKE_SUPPORT = whenOlder "5.12" yes;
+ SND_SOC_SOF_COMETLAKE = whenAtLeast "5.12" module;
 SND_SOC_SOF_COMETLAKE_H_SUPPORT = whenOlder "5.8" yes;
- SND_SOC_SOF_COMETLAKE_LP_SUPPORT = yes;
- SND_SOC_SOF_ELKHARTLAKE_SUPPORT = yes;
- SND_SOC_SOF_GEMINILAKE_SUPPORT = yes;
+ SND_SOC_SOF_COMETLAKE_LP_SUPPORT = whenOlder "5.12" yes;
+ SND_SOC_SOF_ELKHARTLAKE = whenAtLeast "5.12" module;
+ SND_SOC_SOF_ELKHARTLAKE_SUPPORT = whenOlder "5.12" yes;
+ SND_SOC_SOF_GEMINILAKE = whenAtLeast "5.12" module;
+ SND_SOC_SOF_GEMINILAKE_SUPPORT = whenOlder "5.12" yes;
 SND_SOC_SOF_HDA_AUDIO_CODEC = yes;
 SND_SOC_SOF_HDA_COMMON_HDMI_CODEC = whenOlder "5.7" yes;
 SND_SOC_SOF_HDA_LINK = yes;
- SND_SOC_SOF_ICELAKE_SUPPORT = yes;
+ SND_SOC_SOF_ICELAKE = whenAtLeast "5.12" module;
+ SND_SOC_SOF_ICELAKE_SUPPORT = whenOlder "5.12" yes;
 SND_SOC_SOF_INTEL_TOPLEVEL = yes;
- SND_SOC_SOF_JASPERLAKE_SUPPORT = yes;
- SND_SOC_SOF_MERRIFIELD_SUPPORT = yes;
- SND_SOC_SOF_TIGERLAKE_SUPPORT = yes;
+ SND_SOC_SOF_JASPERLAKE = whenAtLeast "5.12" module;
+ SND_SOC_SOF_JASPERLAKE_SUPPORT = whenOlder "5.12" yes;
+ SND_SOC_SOF_MERRIFIELD = whenAtLeast "5.12" module;
+ SND_SOC_SOF_MERRIFIELD_SUPPORT = whenOlder "5.12" yes;
+ SND_SOC_SOF_TIGERLAKE = whenAtLeast "5.12" module;
+ SND_SOC_SOF_TIGERLAKE_SUPPORT = whenOlder "5.12" yes;
 };
 usb-serial = {
@@ -350,6 +384,7 @@ let
 F2FS_FS = module;
 F2FS_FS_SECURITY = option yes;
 F2FS_FS_ENCRYPTION = option yes;
+ F2FS_FS_COMPRESSION = whenAtLeast "5.6" yes;
 UDF_FS = module;
 NFSD_PNFS = whenBetween "4.0" "4.6" yes;
@@ -396,6 +431,8 @@ let
 NLS_ISO8859_1 = module; # VFAT default for the iocharset= mount option
 DEVTMPFS = yes;
+
+ UNICODE = whenAtLeast "5.2" yes; # Casefolding support for filesystems
 };
 security = {
@@ -406,14 +443,19 @@ let
 SECURITY_SELINUX_BOOTPARAM_VALUE = whenOlder "5.1" (freeform "0"); # Disable SELinux by default
 # Prevent processes from ptracing non-children processes
 SECURITY_YAMA = option yes;
- DEVKMEM = mkIf (!features.grsecurity) no; # Disable /dev/kmem
+ DEVKMEM = whenOlder "5.13" no; # Disable /dev/kmem
 USER_NS = yes; # Support for user namespaces
 SECURITY_APPARMOR = yes;
 DEFAULT_SECURITY_APPARMOR = yes;
- SECURITY_LOCKDOWN_LSM = whenAtLeast "5.4" yes;
+ RANDOM_TRUST_CPU = whenAtLeast "4.19" yes; # allow RDRAND to seed the RNG
+
+ MODULE_SIG = no; # r13y, generates a random key during build and bakes it in
+ # Depends on MODULE_SIG and only really helps when you sign your modules
+ # and enforce signatures which we don't do by default.
+ SECURITY_LOCKDOWN_LSM = option no;
 } // optionalAttrs (!stdenv.hostPlatform.isAarch32) {
 # Detect buffer overflows on the stack
@@ -481,7 +523,7 @@ let
 virtualisation = {
 PARAVIRT = option yes;
- HYPERVISOR_GUEST = mkIf (!features.grsecurity) yes;
+ HYPERVISOR_GUEST = yes;
 PARAVIRT_SPINLOCKS = option yes;
 KVM_APIC_ARCHITECTURE = whenOlder "4.8" yes;
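Review bot: In the `@@ -406,14 +443,19 @@` hunk, `MODULE_SIG = no` and `SECURITY_LOCKDOWN_LSM = option no` are set at normal priority, whereas the INET_DIAG entries this same commit touches are deliberately wrapped in `mkDefault` so that hardened/config.nix can override them; a hardened profile that wants module signature enforcement (and with it a meaningful lockdown) back would have to `mkForce` both. If that override is intended, `MODULE_SIG = mkDefault no;` and `SECURITY_LOCKDOWN_LSM = mkDefault (option no);` follow the `whenAtLeast "4.14" (mkDefault module)` pattern already used above. The `RANDOM_TRUST_CPU` comment could also record the trade-off being made, e.g. `# allow RDRAND to seed the RNG; trusts the CPU vendor's RNG for early seeding, overridable at boot with random.trust_cpu=off`. The enclosing `security` set starts before this hunk.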
@@ -489,12 +531,12 @@ let
 KVM_COMPAT = { optional = true; tristate = whenBetween "4.0" "4.12" "y"; };
 KVM_DEVICE_ASSIGNMENT = { optional = true; tristate = whenBetween "3.10" "4.12" "y"; };
 KVM_GENERIC_DIRTYLOG_READ_PROTECT = whenAtLeast "4.0" yes;
- KVM_GUEST = mkIf (!features.grsecurity) yes;
+ KVM_GUEST = yes;
 KVM_MMIO = yes;
 KVM_VFIO = yes;
 KSM = yes;
 VIRT_DRIVERS = yes;
- # We nneed 64 GB (PAE) support for Xen guest support
+ # We need 64 GB (PAE) support for Xen guest support
 HIGHMEM64G = { optional = true; tristate = mkIf (!stdenv.is64bit) "y";};
 VFIO_PCI_VGA = mkIf stdenv.is64bit yes;
@@ -618,7 +660,12 @@ let
 XZ_DEC_TEST = option no;
 };
- criu = optionalAttrs (features.criu or false) ({
+ criu = if (versionAtLeast version "4.19") then {
+ # Unconditionally enabled, because it is required for CRIU and
+ # it provides the kcmp() system call that Mesa depends on.
+ CHECKPOINT_RESTORE = yes;
+ } else optionalAttrs (features.criu or false) ({
+ # For older kernels, CHECKPOINT_RESTORE is hidden behind EXPERT.
 EXPERT = yes;
 CHECKPOINT_RESTORE = yes;
 } // optionalAttrs (features.criu_revert_expert or true) {
@@ -631,7 +678,14 @@ let
 DEBUG_MEMORY_INIT = option yes;
 });
- misc = {
+ misc = let
+ # Use zstd for kernel compression if 64-bit and newer than 5.9, otherwise xz.
+ # i686 issues: https://github.com/NixOS/nixpkgs/pull/117961#issuecomment-812106375
+ useZstd = stdenv.buildPlatform.is64bit && versionAtLeast version "5.9";
+ in {
+ KERNEL_XZ = mkIf (!useZstd) yes;
+ KERNEL_ZSTD = mkIf useZstd yes;
+
 HID_BATTERY_STRENGTH = yes;
 # enabled by default in x86_64 but not arm64, so we do that here
 HIDRAW = yes;
@@ -644,9 +698,8 @@ let
 THRUSTMASTER_FF = yes;
 ZEROPLUS_FF = yes;
- MODULE_COMPRESS = yes;
+ MODULE_COMPRESS = whenOlder "5.13" yes;
 MODULE_COMPRESS_XZ = yes;
- KERNEL_XZ = yes;
 SYSVIPC = yes; # System-V IPC
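Review bot: In the `@@ -631,7 +678,14 @@` hunk, `useZstd` is keyed on `stdenv.buildPlatform.is64bit`, but every other platform decision in this file refers to the machine the kernel will run on (`stdenv.is64bit` for `HIGHMEM64G` in the `@@ -489,12` hunk, `stdenv.hostPlatform.system` elsewhere), so a 32-bit kernel cross-built on a 64-bit builder would get `KERNEL_ZSTD` while a native i686 build would not. If the linked i686 problem lies in the target kernel's decompressor rather than in the build machine's tooling, this should read `useZstd = stdenv.hostPlatform.is64bit && versionAtLeast version "5.9";`; if it really is a build-machine limitation, the comment should say so, since the current wording ("if 64-bit") does not distinguish the two. Separately, the new comment on `CHECKPOINT_RESTORE` in the `@@ -618,7` hunk could note that the option also exposes the other checkpoint/restore interfaces (for instance `prctl(PR_SET_MM)`), which the kernel gates behind CAP_SYS_ADMIN / CAP_CHECKPOINT_RESTORE, so that the security review of enabling it unconditionally is on record.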
@@ -657,7 +710,6 @@ let
 MD = yes; # Device mapper (RAID, LVM, etc.)
 # Enable initrd support.
- BLK_DEV_RAM = yes;
 BLK_DEV_INITRD = yes;
 PM_TRACE_RTC = no; # Disable some expensive (?) features.
@@ -731,6 +783,8 @@ let
 MLX4_EN_VXLAN = whenOlder "4.8" yes;
 MLX5_CORE_EN = option yes;
+ NVME_MULTIPATH = whenAtLeast "4.15" yes;
+ PSI = whenAtLeast "4.20" yes;
 MODVERSIONS = whenOlder "4.9" yes;
@@ -767,6 +821,8 @@ let
 X86_CHECK_BIOS_CORRUPTION = yes;
 X86_MCE = yes;
+ RAS = yes; # Needed for EDAC support
+
 # Our initrd init uses shebang scripts, so can't be modular.
 BINFMT_SCRIPT = yes; # For systemd-binfmt
@@ -788,6 +844,7 @@ let
 PREEMPT_VOLUNTARY = yes;
 X86_AMD_PLATFORM_DEVICE = yes;
+ X86_PLATFORM_DRIVERS_DELL = whenAtLeast "5.12" yes;
 } // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux" || stdenv.hostPlatform.system == "aarch64-linux") {
 # Enable CPU/memory hotplug support
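Review bot: In the `@@ -731,6 +783,8 @@` hunk, `NVME_MULTIPATH` and `PSI` are added without the one-line rationale that neighbouring entries carry (the `RAS = yes; # Needed for EDAC support` line in the next hunk shows the convention), so a later reader cannot tell whether they may be dropped. Suggest `NVME_MULTIPATH = whenAtLeast "4.15" yes; # native NVMe multipath support` and `PSI = whenAtLeast "4.20" yes; # pressure stall information, consumed by systemd-oomd and similar tooling`. The `misc` set these belong to starts before this hunk.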
@@ -803,12 +860,26 @@ let
 # Bump the maximum number of CPUs to support systems like EC2 x1.*
 # instances and Xeon Phi.
 NR_CPUS = freeform "384";
- } // optionalAttrs (stdenv.hostPlatform.system == "aarch64-linux") {
+ } // optionalAttrs (stdenv.hostPlatform.system == "armv7l-linux" || stdenv.hostPlatform.system == "aarch64-linux") {
 # Enables support for the Allwinner Display Engine 2.0
 SUN8I_DE2_CCU = whenAtLeast "4.13" yes;
 # See comments on https://github.com/NixOS/nixpkgs/commit/9b67ea9106102d882f53d62890468071900b9647
 CRYPTO_AEGIS128_SIMD = whenAtLeast "5.4" no;
+
+ # Distros should configure the default as a kernel option.
+ # We previously defined it on the kernel command line as cma=
+ # The kernel command line will override a platform-specific configuration from its device tree.
+ # https://github.com/torvalds/linux/blob/856deb866d16e29bd65952e0289066f6078af773/kernel/dma/contiguous.c#L35-L44
+ CMA_SIZE_MBYTES = freeform "32";
+
+ # Many ARM SBCs hand off a pre-configured framebuffer.
+ # This always can can be replaced by the actual native driver.
+ # Keeping it a built-in ensures it will be used if possible.
+ FB_SIMPLE = yes;
+
+ } // optionalAttrs (stdenv.hostPlatform.system == "armv7l-linux") {
+ ARM_LPAE = yes;
 };
 };
 in |
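Review bot: The new comment above `FB_SIMPLE` in the `@@ -803,12 +860,26 @@` hunk has a duplicated word, `# This always can can be replaced by the actual native driver.`; suggest `# This can always be replaced by the actual native driver.`. The armv7l-only `ARM_LPAE = yes;` added at the end of the hunk has no rationale comment, unlike the CMA and framebuffer entries next to it; something like `ARM_LPAE = yes; # long-descriptor page tables, required for >4 GiB physical addressing on ARMv7` would record why it was switched on. Extending the aarch64 block to armv7l also applies `CRYPTO_AEGIS128_SIMD = no` and the `SUN8I_DE2_CCU` line to 32-bit ARM, which the commit message should presumably mention as a deliberate choice.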