path: root/pkgs/os-specific/linux/kernel/common-config.nix
Commit message (Author, Age)
...
* | linux: fix-build on i686 (QuantMint, 2023-02-19)
| |
* | Merge pull request #209667 from QuantMint/linux (Sergei Trofimovich, 2023-02-18)
|\ \
| | |   linux: enable ACPI_FPDT, ACPI_HMAT, ACPI_APEI, ACPI_APEI_GHES, ACPI_DPTF
| * | linux: enable ACPI_FPDT, ACPI_HMAT, ACPI_APEI, ACPI_APEI_GHES, ACPI_DPTF (QuantMint, 2023-01-08)
| |/
* / linuxPackages_testing: remove unused options for 6.2 (Tyler Slabinski, 2023-02-02)
|/
* linux: enable Multi-Gen LRU by default (Dominik Xaver Hörl, 2022-12-19)
|
* linux: build with support for Multi-Gen LRU (Dominik Xaver Hörl, 2022-12-19)
|
* Merge branch 'staging-next' into staging (Vladimír Čunát, 2022-12-09)
|\
| * linux: further cleanup config after drop of 4.9 (Fabián Heredia Montiel, 2022-12-03)
| |
* | Merge remote-tracking branch 'origin/staging-next' into staging (Martin Weinelt, 2022-12-03)
|\|
| * Merge #204169: Linux Kernel updates for 2022-12-02 (Vladimír Čunát, 2022-12-03)
| |\
| | * linux: set X86_AMD_PSTATE=y instead of =m (K900, 2022-12-02)
| | |
* | | Merge remote-tracking branch 'origin/staging-next' into staging (Martin Weinelt, 2022-12-03)
|\| |
| * | linux: kernel: enable DRM_HYPERV (Cole Mickens, 2022-11-28)
| |/
* / linux: enable AMD SME, SEV, SEV-SE, SEV-SNP on x86_64 (Vincent Haupert, 2022-12-02)
|/
|   Enables the following kernel config options for AMD CPUs on x86_64:
|
|   - `CRYPTO_DEV_CCP`: Enables offloading of crypto operations to AMD's Cryptographic Coprocessor (CCP). Also required by `KVM_AMD_SEV`.
|   - `AMD_MEM_ENCRYPT`: Enables support for Secure Memory Encryption (SME). Please note that `AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT` is not enabled; yet, you can enable memory encryption by passing `mem_encrypt=on` as a kernel command line option.
|   - `KVM_AMD_SEV`: Enables launching Encrypted VMs (SEV) and Secure VMs with Encrypted State (SEV-ES).
|   - `SEV_GUEST`: Enables support for AMD Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP). Built as module.
|
|   Enabling these options is in line with other distros, e.g., Debian, Fedora or Arch Linux.
* linux: fix unused option warnings on 5.x kernels (Brandon Weeks, 2022-11-22)
|
* Merge pull request #201845 from LibreCybernetics/cleanup-linux-common-config (Bernardo Meurer, 2022-11-22)
|\
| * linux: cleanup common-config after drop of 4.9 (Fabián Heredia Montiel, 2022-11-18)
| |
| |   linux-4.9 was dropped on 8d9133c67d25c15348ec12720ee2ce90762d4d4c next lowest version in nixpkgs is 4.14 so cleaning up options
* | Merge pull request #164296 from duxovni/fanotify_access_permissions (Bernardo Meurer, 2022-11-21)
|\ \
| |/
|/|
| * kernel: common-config.nix: enable FANOTIFY_ACCESS_PERMISSIONS (Faye Duxovni, 2022-03-15)
| |
| |   Required for, eg, ClamAV's OnAccessPrevention feature.
* | linux: avoid NO_HZ_FULL on i686-linux (Vladimír Čunát, 2022-11-02)
| |
| |   This is just a stop-gap; seemed better than a real revert. The issue is from commit 8d3fe232e (PR #198666).
* | Merge master into staging-next (github-actions[bot], 2022-11-01)
|\ \
| * \ Merge pull request #198783 from aacebedo/linux-testing_6.1_rc3 (Bernardo Meurer, 2022-11-01)
| |\ \
| | * | linuxKernel.kernels.linux_testing: 6.0-rc5 -> 6.1-rc3 (Alexandre Acebedo, 2022-11-01)
| | | |
* | | | Merge master into staging-next (github-actions[bot], 2022-11-01)
|\| | |
| * | | linux: Set CONFIG_NO_HZ_FULL=y. (Adrian Pistol, 2022-10-30)
| |/ /
| | |   CONFIG_NO_HZ_FULL=y should be set to enable the `nohz_full=` and `rcu_nocbs=` options. These carry no additional performance penalty compared to CONFIG_NO_HZ_IDLE and behave like it by default, but allows disabling the tick interrupts on cores for power or performance reasons.
| | |
| | |   [Debian][1] also applied the change to all their kernels.
| | |
| | |   Like the Kernel says: "If you're a distro say Y."
| | |
| | |   [1]: https://salsa.debian.org/kernel-team/linux/-/commit/f6aad27f05c007d6f30b34ff77bc7ea47844f117
* / / linux: enable amd_pstate (Mihai Fufezan, 2022-10-23)
|/ /
* | Merge master into staging-next (github-actions[bot], 2022-10-14)
|\ \
| * \ Merge pull request #184770 from NickCao/kernel-keyring (Bernardo Meurer, 2022-10-14)
| |\ \
| | * | linux: enable PERSISTENT_KEYRINGS and KEYS_REQUEST_CACHE (Nick Cao, 2022-09-16)
| | | |
| | | |   PERSISTENT_KEYRINGS provides a register of persistent per-UID keyrings, useful for encrypting storage pools in stratis.
| | | |
| | | |   KEYS_REQUEST_CACHE enables temporary caching of the last request_key() result.
* | | | linux: XFS_ONLINE_SCRUB=y (#195266) (Yureka, 2022-10-12)
|/ / /
* / / linux: Enable HARDENED_USERCOPY (Andrew Marshall, 2022-09-27)
|/ /
| |   Enabled in [Arch][1], [Debian][2], [Fedora][3]. Recommended by [Kernel Self Protection Project][4].
| |
| |   Originally [reported to have no noticeable performance impact][5].
| |
| |   [1]: https://github.com/archlinux/svntogit-packages/blob/66d72ee54afc604391b618fc3eecc43f29e479e8/trunk/config#L10252
| |   [2]: https://salsa.debian.org/kernel-team/linux/-/blob/07731f5956cf29876a7abc13f4ecbdf4d9459592/debian/config/config#L7710
| |   [3]: https://src.fedoraproject.org/rpms/kernel/blob/6d6ad72f0ccfe72146f2876f90fe609548caa349/f/kernel-x86_64-fedora.config#_2202
| |   [4]: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
| |   [5]: https://lwn.net/Articles/695991/
* | linux: Disable DRM_LEGACY, NOUVEAU_LEGACY_CTX_SUPPORT (Andrew Marshall, 2022-08-27)
| |
| |   This currently gets enabled as generate-config.pl will enable all the drivers below it as modules.
| |
| |   Is “not set” in [Arch][1], [Debian][2], [Fedora][3]. See also [summary of setting from various distros in April 2020][4].
| |
| |   Recommended disabled by [CLIP OS][5] and per current [Kernel config description][6]:
| |
| |   > bool "Enable legacy drivers (DANGEROUS)"
| |   > Enable legacy DRI1 drivers. Those drivers expose unsafe and dangerous
| |   > APIs to user-space, which can be used to circumvent access
| |   > restrictions and other security measures. For backwards compatibility
| |   > those drivers are still available, but their use is highly
| |   > inadvisable and might harm your system.
| |   >
| |   > You are recommended to use the safe modeset-only drivers instead, and
| |   > perform 3D emulation in user-space.
| |   >
| |   > Unless you have strong reasons to go rogue, say "N".
| |
| |   Also disable NOUVEAU_LEGACY_CTX_SUPPORT, as this does `select DRM_LEGACY`. Per Kernel config docs:
| |
| |   > There was a version of the nouveau DDX that relied on legacy
| |   > ctx ioctls not erroring out. But that was back in time a long
| |   > ways, so offer a way to disable it now. For uapi compat with
| |   > old nouveau ddx this should be on by default, but modern distros
| |   > should consider turning it off.
| |
| |   and the [commit][7]:
| |
| |   > These driver functions contain several bugs and security holes. This
| |   > change makes these functions optional can be turned on by a setting,
| |   > they are turned off by default for modeset driver with the exception of
| |   > the nouvea driver that may require them with an old version of libdrm.
| |
| |   Referenced earlier commit elaborates that
| |
| |   > libdrm_nouveau before 2.4.33 used contexts
| |
| |   Since nixpkgs here has a much newer version (2.4.33 is from March 2012), should not be a concern.
| |
| |   NOUVEAU_LEGACY_CTX_SUPPORT is also “not set” in the linked Arch, Debian, & Fedora configs.
| |
| |   [1]: https://github.com/archlinux/svntogit-packages/blob/66d72ee54afc604391b618fc3eecc43f29e479e8/trunk/config#L6637
| |   [2]: https://salsa.debian.org/kernel-team/linux/-/blob/07731f5956cf29876a7abc13f4ecbdf4d9459592/debian/config/config#L713
| |   [3]: https://src.fedoraproject.org/rpms/kernel/blob/rawhide/f/kernel-x86_64-fedora.config#_1528
| |   [4]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/38#issuecomment-608639217
| |   [5]: https://docs.clip-os.org/clipos/kernel.html#configuration
| |   [6]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/gpu/drm/Kconfig#n421
| |   [7]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b30a43ac7132cdda833ac4b13dd1ebd35ace14b7
* | linux: Enable SLAB_FREELIST_HARDENED, SLAB_FREELIST_RANDOM (Andrew Marshall, 2022-08-27)
| |
| |   Enabled in [Arch][1], [Debian][2], [Fedora][3]; no others checked. Recommended by [Kernel Self Protection Project][4].
| |
| |   This should also implicitly enable SHUFFLE_PAGE_ALLOCATOR.
| |
| |   Performance impact per upstream:
| |
| |   For _HARDENED:
| |
| |   > The difference gets lost in the noise, but if the above is to be taken
| |   > literally, using CONFIG_FREELIST_HARDENED is 0.07% slower.
| |
| |   For _RANDOM:
| |
| |   > Performance results highlighted no major changes
| |
| |   [1]: https://github.com/archlinux/svntogit-packages/blob/66d72ee54afc604391b618fc3eecc43f29e479e8/trunk/config#L1037-L1038
| |   [2]: https://salsa.debian.org/kernel-team/linux/-/blob/07731f5956cf29876a7abc13f4ecbdf4d9459592/debian/config/config#L6742-6743
| |   [3]: https://src.fedoraproject.org/rpms/kernel/blob/6d6ad72f0ccfe72146f2876f90fe609548caa349/f/kernel-x86_64-fedora.config#_6079
| |   [4]: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
* | linux: disable NTFS_FS, enable NTFS3_LZX_XPRESS and NTFS3_FS_POSIX_ACL (Martino Fontana, 2022-08-26)
| |
* | kernel: only enable PINCTRL_AMD on 5.19+ (Bernardo Meurer, 2022-08-08)
| |
* | kernel: fix touchpads on AMD laptops (Peter Hoeg, 2022-08-08)
| |
* | Merge staging-next into staging (github-actions[bot], 2022-07-17)
|\ \
| * | linux: enable MODULE_ALLOW_BTF_MISMATCH (K900, 2022-07-14)
| | |
| | |   Right now it looks like the BTFs are not reproducible between different builds of the same kernel, and the kernel will refuse to load modules if the BTF doesn't match. This can cause some interesting side effects when Nix uses different substituters for different parts of the kernel.
| | |
| | |   This is far from ideal, and we _really_ should figure out how to actually make the BTF building consistently reproducible, but that seems more complicated, so maybe we should do this to get affected systems booting.
| | |
| | |   See also: https://lore.kernel.org/bpf/YfK18x%2FXrYL4Vw8o@syu-laptop/ , where the openSUSE people ran into similar issues.
* | | Merge pull request #180516 from Atemu/kernel-disable-ashmem (Martin Weinelt, 2022-07-14)
|\ \ \
| |/ /
|/| |
| | |   linux: disable ASHMEM on >= 5.18
| * | linux: disable ASHMEM on >= 5.18 (Atemu, 2022-07-07)
| | |
| | |   Dropped by upstream, see https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=721412ed3d819e767cac2b06646bf03aa158aaec
| | |
| | |   It was marked as optional, so it didn't break our builds but resulted in:
| | |
| | |       warning: unused option: ASHMEM
| | |
| | |   Explicitly disable ASHMEM on kernels >=5.18 for clarity and fewer warnings
* | | Revert "linux-kernel: disable BTF on 32-bit platforms on kernels 5.15+" (Dominique Martinet, 2022-07-11)
| | |
| | |   This reverts commit 79e05fb16b1af292e50cc0c479809cc66b47b087.
| | |
| | |   broken 32bit BTF builds got fixed in #175467 by switching libbpf from libelf to elfutils, as a side-product of the upgrade, so we don't need this anymore.
* | | linux-kernel config: disable DEBUG_INFO_REDUCED (Dominique Martinet, 2022-07-09)
|/ /
| |   Linux's aarch64 defconfig has been updated in 5.13 to enable "reduced" debug infos (upstream commit ed938a4bfc58 ("arm64: defconfig: Use DEBUG_INFO_REDUCED"), but that commit locks DEBUG_INFO_BTF as noticed in #175467
| |
| |   This disables it back which should fix bpftrace usage of BTF not working on newer kernels.
* | Merge pull request #178256 from misuzu/btf-32bit (Rick van Schijndel, 2022-06-21)
|\ \
| | |   linuxPackages: unbreak new kernels on 32-bit platforms
| * | linux-kernel: disable BTF on 32-bit platforms on kernels 5.15+ (misuzu, 2022-06-21)
| | |
| | |   It fails to build with `Failed to parse base BTF 'vmlinux': -22`
* | | Merge staging-next into staging (github-actions[bot], 2022-06-10)
|\| |
| * | linux: enable vc4 HDMI-CEC by default (#176762) (K900, 2022-06-10)
| | |
* | | linux: disable WERROR by default (Sergei Trofimovich, 2022-05-30)
|/ /
| |   gcc update frequently breaks most recent kernel releases due to blanket -Werror flag. Let's avoid -Werror in a default build to ease kernel and gcc maintenance.
* | Merge pull request #168113 from a-m-joseph/ispowerpc-becomes-ispower32 (sternenseemann, 2022-05-26)
|\ \
| | |   lib/systems/inspect.nix: replace isPowerPC with isPower32BigEndian
| * | lib/systems/inspect.nix: remove isPowerPC (Adam Joseph, 2022-05-25)
| | |
| | |   Very confusingly, the `isPowerPC` predicate in `lib/systems/inspect.nix` does *not* match `powerpc64le`! This is because `isPowerPC` is defined as
| | |
| | |       isPowerPC = { cpu = cpuTypes.powerpc; };
| | |
| | |   Where `cpuTypes.powerpc` is:
| | |
| | |       { bits = 32; significantByte = bigEndian; family = "power"; };
| | |
| | |   This means that the `isPowerPC` predicate actually only matches the subset of machines marketed under this name which happen to be 32-bit and running in big-endian mode which is equivalent to:
| | |
| | |       with stdenv.hostPlatform; isPower && isBigEndian && is32bit
| | |
| | |   This seems like a sharp edge that people could easily cut themselves on. In fact, that has already happened: in `linux/kernel/common-config.nix` there is a test which will always fail:
| | |
| | |       (stdenv.hostPlatform.isPowerPC && stdenv.hostPlatform.is64bit)
| | |
| | |   A more subtle case of the strict isPowerPC being used instead of the more general isPower accidentally are the GHC expressions:
| | |
| | |       Update pkgs/development/compilers/ghc/8.10.7.nix
| | |       Update pkgs/development/compilers/ghc/8.8.4.nix
| | |       Update pkgs/development/compilers/ghc/9.2.2.nix
| | |       Update pkgs/development/compilers/ghc/9.0.2.nix
| | |       Update pkgs/development/compilers/ghc/head.nix
| | |
| | |   Since the remaining legitimate use sites of isPowerPC are so few, remove the isPowerPC predicate completely. The alternative expression above is noted in the release notes as an alternative.
| | |
| | |   Co-authored-by: sternenseemann <sternenseemann@systemli.org>
* | | linux_latest: 5.17.9 -> 5.18 (Alyssa Ross, 2022-05-23)
|/ /
| |   NSFD_V3 is now always enabled, and enabling debug info now requires selecting a DWARF version instead of just setting DEBUG_INFO=y.