From bcd41f289122c4a182f892ee740b37e436daf89e Mon Sep 17 00:00:00 2001 
From: Andrew Marshall
Date: Sat, 27 Aug 2022 17:10:06 -0400
Subject: linux: Disable DRM_LEGACY, NOUVEAU_LEGACY_CTX_SUPPORT
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This currently gets enabled as generate-config.pl will enable all the
drivers below it as modules.

Is “not set” in [Arch][1], [Debian][2], [Fedora][3]. See also [summary of
setting from various distros in April 2020][4].

Recommended disabled by [CLIP OS][5] and per current [Kernel config
description][6]:

> bool "Enable legacy drivers (DANGEROUS)"
> Enable legacy DRI1 drivers. Those drivers expose unsafe and dangerous
> APIs to user-space, which can be used to circumvent access
> restrictions and other security measures. For backwards compatibility
> those drivers are still available, but their use is highly
> inadvisable and might harm your system.
>
> You are recommended to use the safe modeset-only drivers instead, and
> perform 3D emulation in user-space.
>
> Unless you have strong reasons to go rogue, say "N".

Also disable NOUVEAU_LEGACY_CTX_SUPPORT, as this does `select DRM_LEGACY`.
Per Kernel config docs:

> There was a version of the nouveau DDX that relied on legacy
> ctx ioctls not erroring out. But that was back in time a long
> ways, so offer a way to disable it now. For uapi compat with
> old nouveau ddx this should be on by default, but modern distros
> should consider turning it off.

and the [commit][7]:

> These driver functions contain several bugs and security holes. This
> change makes these functions optional can be turned on by a setting,
> they are turned off by default for modeset driver with the exception of
> the nouvea driver that may require them with an old version of libdrm.

Referenced earlier commit elaborates that

> libdrm_nouveau before 2.4.33 used contexts

Since nixpkgs here has a much newer version (2.4.33 is from March 2012),
should not be a concern.
NOUVEAU_LEGACY_CTX_SUPPORT is also “not set” in the linked Arch, Debian, &
Fedora configs.

[1]: https://github.com/archlinux/svntogit-packages/blob/66d72ee54afc604391b618fc3eecc43f29e479e8/trunk/config#L6637
[2]: https://salsa.debian.org/kernel-team/linux/-/blob/07731f5956cf29876a7abc13f4ecbdf4d9459592/debian/config/config#L713
[3]: https://src.fedoraproject.org/rpms/kernel/blob/rawhide/f/kernel-x86_64-fedora.config#_1528
[4]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/38#issuecomment-608639217
[5]: https://docs.clip-os.org/clipos/kernel.html#configuration
[6]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/gpu/drm/Kconfig#n421
[7]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b30a43ac7132cdda833ac4b13dd1ebd35ace14b7
---
 pkgs/os-specific/linux/kernel/common-config.nix | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'pkgs/os-specific/linux/kernel/common-config.nix')

diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix index 8211860b62f..97bf388d46a 100644 --- a/pkgs/os-specific/linux/kernel/common-config.nix +++ b/pkgs/os-specific/linux/kernel/common-config.nix @@ -270,6 +270,9 @@ let }; video = { + DRM_LEGACY = no; + NOUVEAU_LEGACY_CTX_SUPPORT = whenAtLeast "5.2" no; + # Allow specifying custom EDID on the kernel command line DRM_LOAD_EDID_FIRMWARE = yes; VGA_SWITCHEROO = yes; # Hybrid graphics support -- cgit 1.4.1
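Review bot: the two new lines at the top of the `video` block carry no comment explaining why they are forced off, while the neighbouring `DRM_LOAD_EDID_FIRMWARE` and `VGA_SWITCHEROO` entries each have one; the rationale (legacy DRI1 ioctls, and `NOUVEAU_LEGACY_CTX_SUPPORT` doing `select DRM_LEGACY`, so the two must stay off together) lives only in the commit message. Suggest something like `DRM_LEGACY = no; # legacy DRI1 drivers, marked DANGEROUS in Kconfig` and `NOUVEAU_LEGACY_CTX_SUPPORT = whenAtLeast "5.2" no; # selects DRM_LEGACY` so a later edit does not re-enable one of them in isolation.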
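As an added example, not part of this commit or of nixpkgs: a POSIX shell check that reads a kernel `.config` and reports whether the two options the commit turns off, `CONFIG_DRM_LEGACY` and `CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT`, are built in, disabled, or absent from that kernel. The function name `check_legacy_drm`, the helper `write_samples` and the sample config contents are assumptions constructed for the demonstration, not taken from any distro config.

```shell
#!/bin/sh
# Added example, not part of the nixpkgs commit above.
# check_legacy_drm <path-to-.config>
#   Reports the state of CONFIG_DRM_LEGACY and CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT.
#   Exit status 0 if neither is =y/=m, 1 if either is enabled.
#   Typical inputs: /boot/config-$(uname -r), or a file written with
#   `zcat /proc/config.gz > k.config`.
check_legacy_drm() {
    config="$1"
    rc=0
    for opt in CONFIG_DRM_LEGACY CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT; do
        if grep -q "^${opt}=[ym]$" "$config"; then
            # =y or =m: the legacy DRI1 ioctls are reachable from user space.
            printf '%s: ENABLED (%s)\n' "$opt" "$(grep "^${opt}=" "$config")"
            rc=1
        elif grep -q "^# ${opt} is not set$" "$config"; then
            printf '%s: disabled\n' "$opt"
        else
            # Symbol not present in this .config at all: the kernel predates the
            # option (the commit guards NOUVEAU_LEGACY_CTX_SUPPORT with
            # whenAtLeast "5.2") or a dependency is off. Not a failure by itself.
            printf '%s: absent\n' "$opt"
        fi
    done
    return "$rc"
}

# Constructed sample configs so the check runs offline (assumed content,
# not from Arch/Debian/Fedora): one hardened, one with both options on.
write_samples() {
    dir="$1"
    printf '%s\n' \
        '# CONFIG_DRM_LEGACY is not set' \
        '# CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT is not set' \
        'CONFIG_DRM_LOAD_EDID_FIRMWARE=y' > "$dir/hardened.config"
    printf '%s\n' \
        'CONFIG_DRM_LEGACY=y' \
        'CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT=y' \
        'CONFIG_DRM_LOAD_EDID_FIRMWARE=y' > "$dir/legacy.config"
}

# Demo: run the check over both samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_legacy_drm "$demo_dir/hardened.config"
check_legacy_drm "$demo_dir/legacy.config" || echo "legacy DRM enabled in $demo_dir/legacy.config"
rm -rf "$demo_dir"
```

An `absent` result is worth a second look rather than an automatic pass: on a kernel older than 5.2 it is expected for `CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT`, but on a current kernel it usually means the whole DRM subsystem was not configured, so the check is reporting on a config that never offered the option.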