Diffstat (limited to 'pkgs/os-specific/linux/kernel/hardened')
4 files changed, 50 insertions, 34 deletions
diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix
index c817f104427..20f9f5aaa14 100644
--- a/pkgs/os-specific/linux/kernel/hardened/config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened/config.nix
@@ -8,11 +8,11 @@
 #
 # See also <nixos/modules/profiles/hardened.nix>
-{ stdenv, version }:
+{ lib, version }:
-with stdenv.lib;
-with stdenv.lib.kernel;
-with (stdenv.lib.kernel.whenHelpers version);
+with lib;
+with lib.kernel;
+with (lib.kernel.whenHelpers version);
 assert (versionAtLeast version "4.9");
@@ -55,8 +55,8 @@ assert (versionAtLeast version "4.9");
 # Wipe higher-level memory allocations on free() with page_poison=1
 PAGE_POISONING = yes;
- PAGE_POISONING_NO_SANITY = yes;
- PAGE_POISONING_ZERO = yes;
+ PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;
+ PAGE_POISONING_ZERO = whenOlder "5.11" yes;
 # Enable the SafeSetId LSM
 SECURITY_SAFESETID = whenAtLeast "5.1" yes;
@@ -65,7 +65,7 @@ assert (versionAtLeast version "4.9");
 PANIC_TIMEOUT = freeform "-1";
 GCC_PLUGINS = yes; # Enable gcc plugin options
- # Gather additional entropy at boot time for systems that may = no;ot have appropriate entropy sources.
+ # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
 GCC_PLUGIN_LATENT_ENTROPY = yes;
 GCC_PLUGIN_STRUCTLEAK = whenAtLeast "4.11" yes; # A port of the PaX structleak plugin
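Review bot: The `whenOlder "5.11"` gates on PAGE_POISONING_NO_SANITY and PAGE_POISONING_ZERO in the second hunk drop both options on newer kernels without saying why, so a reader of the hardened profile cannot tell whether poisoning was deliberately weakened there or the symbols simply stopped existing. As far as I recall both Kconfig symbols were removed upstream in 5.11 and zero-on-free is expected to come from init_on_free instead, which this hunk does not touch; a one-line comment next to the gates would stop someone from re-adding them or assuming zeroing still happens, e.g. `# Both symbols were removed upstream in 5.11; PAGE_POISONING alone applies there`. The attribute set these lines belong to starts and ends outside the hunk.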
@@ -79,8 +79,18 @@ assert (versionAtLeast version "4.9");
 PROC_KCORE = no; # Exposes kernel text image layout
 INET_DIAG = no; # Has been used for heap based attacks in the past
+ # INET_DIAG=n causes the following options to not exist anymore, but since they are defined in common-config.nix,
+ # make them optional
+ INET_DIAG_DESTROY = option no;
+ INET_RAW_DIAG = option no;
+ INET_TCP_DIAG = option no;
+ INET_UDP_DIAG = option no;
+ INET_MPTCP_DIAG = option no;
+
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CC_STACKPROTECTOR_REGULAR = whenOlder "4.18" no;
 CC_STACKPROTECTOR_STRONG = whenOlder "4.18" yes;
+ # Detect out-of-bound reads/writes and use-after-free
+ KFENCE = whenAtLeast "5.12" yes;
 }
diff --git a/pkgs/os-specific/linux/kernel/hardened/patches.json b/pkgs/os-specific/linux/kernel/hardened/patches.json
index 824eb1a6966..412e5041500 100644
--- a/pkgs/os-specific/linux/kernel/hardened/patches.json
+++ b/pkgs/os-specific/linux/kernel/hardened/patches.json
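Review bot: The comment above `KFENCE = whenAtLeast "5.12" yes;` reads as if KFENCE were a mitigation, but it is a low-overhead sampling detector: it guards only a sampled subset of heap allocations and reports the bug when one is hit, it does not prevent the corruption, so the profile gains error reporting rather than protection. Suggest rewording it to `# KFENCE: sampling-based detector that reports (not prevents) heap out-of-bounds and use-after-free; sampling rate is CONFIG_KFENCE_SAMPLE_INTERVAL` so nobody reads it as a substitute for the other hardening options. The attribute set this hunk closes starts outside the hunk.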
@@ -1,22 +1,32 @@
 {
 "4.14": {
- "name": "linux-hardened-4.14.194.a.patch",
- "sha256": "07z3lr3mbm6c95d7fra2qp071n1c45f9241cl19zs63g00avi11p",
- "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.194.a/linux-hardened-4.14.194.a.patch"
+ "extra": "-hardened1",
+ "name": "linux-hardened-4.14.240-hardened1.patch",
+ "sha256": "0j5zp0f8s4w3f60yam2spg3bx56bdjvv0mh632zlhchz8rdk5zs4",
+ "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.240-hardened1/linux-hardened-4.14.240-hardened1.patch"
 },
 "4.19": {
- "name": "linux-hardened-4.19.141.a.patch",
- "sha256": "0yiqkkp17pf9r6nakpnqhvmf8awpzp5n27cmh15ril7vn1y71sxw",
- "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.141.a/linux-hardened-4.19.141.a.patch"
+ "extra": "-hardened1",
+ "name": "linux-hardened-4.19.198-hardened1.patch",
+ "sha256": "18c5j00xiwc0xn5klcrwazk6wvjiy3cixbfbrw4xj7zal9r5p6q9",
+ "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.198-hardened1/linux-hardened-4.19.198-hardened1.patch"
 },
- "5.4": {
- "name": "linux-hardened-5.4.60.a.patch",
- "sha256": "138kms73rlj5zmsb2ivjzz1jr5aa8y8pmwzx02c7j1qk08v82823",
- "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.60.a/linux-hardened-5.4.60.a.patch"
+ "5.10": {
+ "extra": "-hardened1",
+ "name": "linux-hardened-5.10.52-hardened1.patch",
+ "sha256": "062a32rb1g5xk1npiz9fa114k7g4x9pmygycn3alc0phngjmvr98",
+ "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.52-hardened1/linux-hardened-5.10.52-hardened1.patch"
+ },
+ "5.12": {
+ "extra": "-hardened1",
+ "name": "linux-hardened-5.12.19-hardened1.patch",
+ "sha256": "1nr3922gd6il69k5cpp9g3knpy6yjb6jsmpi9k4v02bkvypg86dc",
+ "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.12.19-hardened1/linux-hardened-5.12.19-hardened1.patch"
 },
- "5.7": {
- "name": "linux-hardened-5.7.17.a.patch",
- "sha256": "181b473y0hkw076hsndw6nfynr2yhcaypj48iqnk25hzcj40nnaz",
- "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.7.17.a/linux-hardened-5.7.17.a.patch"
+ "5.4": {
+ "extra": "-hardened1",
+ "name": "linux-hardened-5.4.134-hardened1.patch",
+ "sha256": "0iay6dxwd1vqj02ljf0ghncrqpr6b0gby90xiza8kkk8wnh3r9hh",
+ "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.134-hardened1/linux-hardened-5.4.134-hardened1.patch"
 }
 }
diff --git a/pkgs/os-specific/linux/kernel/hardened/tag-hardened.patch b/pkgs/os-specific/linux/kernel/hardened/tag-hardened.patch
deleted file mode 100644
index ff8a3a12797..00000000000
--- a/pkgs/os-specific/linux/kernel/hardened/tag-hardened.patch
+++ /dev/null
@@ -1,7 +0,0 @@
-diff --git a/localversion-hardened b/localversion-hardened
-new file mode 100644
-index 0000000000..e578045860
---- /dev/null
-+++ b/localversion-hardened
-@@ -0,0 +1 @@
-+-hardened
diff --git a/pkgs/os-specific/linux/kernel/hardened/update.py b/pkgs/os-specific/linux/kernel/hardened/update.py
index d6443d2e751..e96ac9ca855 100755
--- a/pkgs/os-specific/linux/kernel/hardened/update.py
+++ b/pkgs/os-specific/linux/kernel/hardened/update.py
@@ -31,7 +31,7 @@ VersionComponent = Union[int, str]
 Version = List[VersionComponent]
-Patch = TypedDict("Patch", {"name": str, "url": str, "sha256": str})
+Patch = TypedDict("Patch", {"name": str, "url": str, "sha256": str, "extra": str})
 @dataclass
@@ -99,7 +99,10 @@ def verify_openpgp_signature(
 return False
-def fetch_patch(*, name: str, release: GitRelease) -> Optional[Patch]:
+def fetch_patch(*, name: str, release_info: ReleaseInfo) -> Optional[Patch]:
+ release = release_info.release
+ extra = f'-{release_info.version[-1]}'
+
 def find_asset(filename: str) -> str:
 try:
 it: Iterator[str] = (
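Review bot: `extra = f'-{release_info.version[-1]}'` in the fetch_patch hunk rebuilds the tag suffix from the last parsed version component and silently assumes that component is the `hardenedN` string and that the separator was `-`; for a tag that parses to numeric parts only it would produce something like `-52` and write that into patches.json. That appears to hold only because the caller discards tags with fewer than four components (the `len(version) < 4` check visible in a later hunk), which is a distant invariant worth recording where it is relied on, e.g. `# tag is <major>.<minor>.<patch>-<suffix>; callers only pass tags with a suffix, so version[-1] is that suffix`. The signature change to `release_info: ReleaseInfo` is fine as long as every other caller was updated; only the one in the last hunk is visible here. The body of fetch_patch continues outside the hunk.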
@@ -130,12 +133,12 @@ def fetch_patch(*, name: str, release: GitRelease) -> Optional[Patch]:
 if not sig_ok:
 return None
- return Patch(name=patch_filename, url=patch_url, sha256=sha256)
+ return Patch(name=patch_filename, url=patch_url, sha256=sha256, extra=extra)
 def parse_version(version_str: str) -> Version:
 version: Version = []
- for component in version_str.split("."):
+ for component in re.split('\.|\-', version_str):
 try:
 version.append(int(component))
 except ValueError:
@@ -205,7 +208,7 @@ failures = False
 releases = {}
 for release in repo.get_releases():
 version = parse_version(release.tag_name)
- # needs to look like e.g. 5.6.3.a
+ # needs to look like e.g. 5.6.3-hardened1
 if len(version) < 4:
 continue
@@ -252,7 +255,7 @@ for kernel_key in sorted(releases.keys()):
 update = True
 if update:
- patch = fetch_patch(name=name, release=release)
+ patch = fetch_patch(name=name, release_info=release_info)
 if patch is None:
 failures = True
 else: |
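Review bot: `re.split('\.|\-', version_str)` in parse_version uses a non-raw string, so `'\.'` and `'\-'` are invalid escape sequences (a DeprecationWarning on current Python 3, a SyntaxWarning from 3.12) and the intent is buried under two layers of escaping; `re.split(r"[.-]", version_str)` matches the same two separators and is the idiomatic form. The hunk also adds no `import re`, so it relies on `re` already being imported at the top of update.py, which is outside this diff and worth confirming before merging. The hunk covers parse_version in full but only the tail of fetch_patch.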