author | Alyssa Ross <hi@alyssa.is> | 2024-02-13 12:25:07 +0100 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2024-02-13 12:25:07 +0100 |
commit | a5e1520e4538e29ecfbd4b168306f890566d7bfd (patch) | |
tree | 28099c268b5d4b1e33c2b29f0714c45f0b961382 /nixpkgs/pkgs/os-specific/linux/kernel/hardened | |
parent | 822f7c15c04567fbdc27020e862ea2b70cfbf8eb (diff) | |
parent | 3560d1c8269d0091b9aae10731b5e85274b7bbc1 (diff) | |
Merge branch 'nixos-unstable-small' of https://github.com/NixOS/nixpkgs
Conflicts: nixpkgs/nixos/modules/services/mail/rss2email.nix nixpkgs/pkgs/build-support/go/module.nix
Diffstat (limited to 'nixpkgs/pkgs/os-specific/linux/kernel/hardened')
-rw-r--r-- | nixpkgs/pkgs/os-specific/linux/kernel/hardened/config.nix | 39 | ||||
-rw-r--r-- | nixpkgs/pkgs/os-specific/linux/kernel/hardened/patches.json | 70 |
2 files changed, 76 insertions, 33 deletions
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/hardened/config.nix b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/config.nix index 7aa9c5117352..dec6a757c529 100644 --- a/nixpkgs/pkgs/os-specific/linux/kernel/hardened/config.nix +++ b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/config.nix @@ -39,21 +39,33 @@ assert (versionAtLeast version "4.9"); DEBUG_PI_LIST = whenOlder "5.2" yes; # doesn't BUG() DEBUG_PLIST = whenAtLeast "5.2" yes; DEBUG_SG = yes; + DEBUG_VIRTUAL = yes; SCHED_STACK_END_CHECK = yes; REFCOUNT_FULL = whenOlder "5.4.208" yes; + # tell EFI to wipe memory during reset + # https://lwn.net/Articles/730006/ + RESET_ATTACK_MITIGATION = yes; + + # restricts loading of line disciplines via TIOCSETD ioctl to CAP_SYS_MODULE + CONFIG_LDISC_AUTOLOAD = option no; + # Randomize page allocator when page_alloc.shuffle=1 SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes; - # Allow enabling slub/slab free poisoning with slub_debug=P - SLUB_DEBUG = yes; - # Wipe higher-level memory allocations on free() with page_poison=1 PAGE_POISONING = yes; PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes; PAGE_POISONING_ZERO = whenOlder "5.11" yes; + # Enable init_on_alloc and init_on_free by default + INIT_ON_ALLOC_DEFAULT_ON = whenAtLeast "5.3" yes; + INIT_ON_FREE_DEFAULT_ON = whenAtLeast "5.3" yes; + + # Wipe all caller-used registers on exit from a function + ZERO_CALL_USED_REGS = whenAtLeast "5.15" yes; + # Enable the SafeSetId LSM SECURITY_SAFESETID = whenAtLeast "5.1" yes; 
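Review bot: The new `CONFIG_LDISC_AUTOLOAD = option no;` line is the only key in this hunk written with a `CONFIG_` prefix; every neighbouring entry (`DEBUG_VIRTUAL`, `RESET_ATTACK_MITIGATION`, `INIT_ON_ALLOC_DEFAULT_ON`, …) uses the bare symbol name. If the config generator prepends `CONFIG_` itself, as those keys assume, this entry is looked up as `CONFIG_CONFIG_LDISC_AUTOLOAD`, and because it is marked `option` the unknown symbol is dropped silently rather than failing the build, so the TIOCSETD line-discipline restriction the comment promises would never reach the resulting .config. I would change it to `LDISC_AUTOLOAD = option no;` and verify the generated config actually contains `CONFIG_LDISC_AUTOLOAD=n`. The enclosing attribute set starts before this hunk.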
@@ -70,6 +82,16 @@ assert (versionAtLeast version "4.9"); GCC_PLUGIN_RANDSTRUCT = whenOlder "5.19" yes; # A port of the PaX randstruct plugin GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenOlder "5.19" yes; + # Runtime undefined behaviour checks + # https://www.kernel.org/doc/html/latest/dev-tools/ubsan.html + # https://developers.redhat.com/blog/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan + UBSAN = yes; + UBSAN_TRAP = whenAtLeast "5.7" yes; + UBSAN_BOUNDS = whenAtLeast "5.7" yes; + UBSAN_SANITIZE_ALL = yes; + UBSAN_LOCAL_BOUNDS = option yes; # clang only + CFI_CLANG = option yes; # clang only Control Flow Integrity since 6.1 + # Same as GCC_PLUGIN_RANDSTRUCT*, but has been renamed to `RANDSTRUCT*` in 5.19. RANDSTRUCT = whenAtLeast "5.19" yes; RANDSTRUCT_PERFORMANCE = whenAtLeast "5.19" yes; @@ -97,4 +119,15 @@ assert (versionAtLeast version "4.9"); # CONFIG_DEVMEM=n causes these to not exist anymore. STRICT_DEVMEM = option no; IO_STRICT_DEVMEM = option no; + + # stricter IOMMU TLB invalidation + IOMMU_DEFAULT_DMA_STRICT = option yes; + IOMMU_DEFAULT_DMA_LAZY = option no; + + # not needed for less than a decade old glibc versions + LEGACY_VSYSCALL_NONE = yes; + + # Straight-Line-Speculation + # https://lwn.net/Articles/877845/ + SLS = option yes; } diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/hardened/patches.json b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/patches.json index 345d25e6e4c4..8d92d9cae355 100644 --- a/nixpkgs/pkgs/os-specific/linux/kernel/hardened/patches.json +++ b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/patches.json 
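Review bot: The UBSAN block enables `UBSAN_TRAP` together with `UBSAN_SANITIZE_ALL` but the header comment only says "Runtime undefined behaviour checks", which understates the operational effect: with `UBSAN_TRAP` every detected UB becomes a trap that kills the running kernel code path instead of a recoverable WARN, and the detailed sanitizer report is not printed, so an otherwise harmless finding in any sanitized driver takes the machine down. That is a deliberate fail-closed trade-off for a hardened kernel, but operators picking this kernel should see it stated where the options live. I would extend the comment with `# UBSAN_TRAP turns each detected UB into a trap (oops/panic) instead of a WARN and drops the report; expect crashes rather than log lines`. The enclosing attribute set starts before this hunk.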
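Review bot: `LEGACY_VSYSCALL_NONE = yes;` in the last hunk is a mandatory setting for a symbol that, as far as I know, only exists in the x86 Kconfig, while the other additions in the same hunk (`IOMMU_DEFAULT_DMA_STRICT`, `IOMMU_DEFAULT_DMA_LAZY`, `SLS`) are wrapped in `option`. If the config generator rejects mandatory options the target architecture's Kconfig does not offer, this would break the hardened kernel on non-x86 targets such as aarch64; if it does not, the inconsistency still makes the intent unclear. Either mark it `LEGACY_VSYSCALL_NONE = option yes;` like its neighbours, or guard it on the x86 host platform and say so in the comment. The comment `# not needed for less than a decade old glibc versions` would also read better as `# vsyscall emulation is only needed by glibc older than ~2.14 (2011)` or similar, as its current wording is hard to parse. The enclosing attribute set starts before this hunk.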
@@ -2,52 +2,52 @@
 "4.19": {
 "patch": {
 "extra": "-hardened1",
- "name": "linux-hardened-4.19.304-hardened1.patch",
- "sha256": "0bv6abcx8sknhsnijs176yq7q2mgrlyrv5xysnxa0l6wqpl2gqif",
- "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.304-hardened1/linux-hardened-4.19.304-hardened1.patch"
+ "name": "linux-hardened-4.19.306-hardened1.patch",
+ "sha256": "0g38iy5vw9glqmqhmj5y8nnx8gbdj312yb14qnwcl21m78k63mxk",
+ "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.306-hardened1/linux-hardened-4.19.306-hardened1.patch"
 },
- "sha256": "165mljr8v1cf4vf4a4b44hx089rprkssvi2azq5wbxxg3basbind",
- "version": "4.19.304"
+ "sha256": "06dy270xw4frnrc9p2qjh8chgp02fr5ll5g2b0lx9xqzlq7y86xr",
+ "version": "4.19.306"
 },
 "5.10": {
 "patch": {
 "extra": "-hardened1",
- "name": "linux-hardened-5.10.206-hardened1.patch",
- "sha256": "14xmp28grpwpgrsg88bnv164kk54k6akw5jydrs8447mqfyw7sqr",
- "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.206-hardened1/linux-hardened-5.10.206-hardened1.patch"
+ "name": "linux-hardened-5.10.209-hardened1.patch",
+ "sha256": "1vccxrwi8a8fz3fcjxxqbkdbfjjhzwqpcibfg0nrydcix79ixgyw",
+ "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.209-hardened1/linux-hardened-5.10.209-hardened1.patch"
 },
- "sha256": "0ns8qxcrxj9i76b93xcghl002l8vbkg7ksd435sikig62qr62gf4",
- "version": "5.10.206"
+ "sha256": "1mc8rssk5aypgb58jz6i2bbflfr6qh1kgqpam0k8fqvwcjnjzqj4",
+ "version": "5.10.209"
 },
 "5.15": {
 "patch": {
 "extra": "-hardened1",
- "name": "linux-hardened-5.15.146-hardened1.patch",
- "sha256": "0cd8gzixkc89n647g108f9r9dn8a3vw9ajdh4g7w7bq6vq71gglj",
- "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.146-hardened1/linux-hardened-5.15.146-hardened1.patch"
+ "name": "linux-hardened-5.15.148-hardened1.patch",
+ "sha256": "0pryxvr058fisns01w52xsfbx4aqx2ssfk9n1r575lgywp6q03fj",
+ "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.148-hardened1/linux-hardened-5.15.148-hardened1.patch"
 },
- "sha256": "14nijbspmzd4r38l8cpl4vn9dhawzcfnhyc0gnaxl2m8l9gpm02s",
- "version": "5.15.146"
+ "sha256": "1n75lrck581mppx84cds1a1l5vj05cdkp8ahpry7dx6rgz4pb1f4",
+ "version": "5.15.148"
 },
 "5.4": {
 "patch": {
 "extra": "-hardened1",
- "name": "linux-hardened-5.4.266-hardened1.patch",
- "sha256": "1gbyxz788j5lirjc62b56didnwq5s69cfindzndsj1r5wm0hknp4",
- "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.266-hardened1/linux-hardened-5.4.266-hardened1.patch"
+ "name": "linux-hardened-5.4.268-hardened1.patch",
+ "sha256": "1lz9i5iaa6pchnk1bw9dg85n82j9hvjdh8pb7vxjg05fxvwgn7jh",
+ "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.268-hardened1/linux-hardened-5.4.268-hardened1.patch"
 },
- "sha256": "1dmcn9i3nvf1gldm1a32gnl5ybwbk2lizb3wa4gc06g7dxz2y1ys",
- "version": "5.4.266"
+ "sha256": "081695lgkdwlrp6gpp6pyflgh76zax1w52shys4s9zjnrfkarj5g",
+ "version": "5.4.268"
 },
 "6.1": {
 "patch": {
 "extra": "-hardened1",
- "name": "linux-hardened-6.1.72-hardened1.patch",
- "sha256": "0zp6i44y3fi2xsk4jbwhk8w688ci34p5ymmk3kkb8s1cvhqzgddy",
- "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.1.72-hardened1/linux-hardened-6.1.72-hardened1.patch"
+ "name": "linux-hardened-6.1.76-hardened1.patch",
+ "sha256": "1hybya6kxcy90cnc7m1gzykbbarqmbybmgrsbanb3gvlbvjghizx",
+ "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.1.76-hardened1/linux-hardened-6.1.76-hardened1.patch"
 },
- "sha256": "09h9kzv2xfrn369ynl09dfnjl9025b9vpkcxg75gyp63fy8fdp4q",
- "version": "6.1.72"
+ "sha256": "1zdi4xbk7zyiab7x8z12xqg72zaw3j61slvrbwjfx6pzh47cr005",
+ "version": "6.1.76"
 },
 "6.5": {
 "patch": {
@@ -62,11 +62,21 @@
 "6.6": {
 "patch": {
 "extra": "-hardened1",
- "name": "linux-hardened-6.6.11-hardened1.patch",
- "sha256": "07l4fvc115iqiwbaq916g1l1jpmcg8injr5z5dx6jp2h635w72n3",
- "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.6.11-hardened1/linux-hardened-6.6.11-hardened1.patch"
+ "name": "linux-hardened-6.6.15-hardened1.patch",
+ "sha256": "0yj821zaqxhk4yk1fgv1l5kcqsl05nvq8l6djbvhs0nnlmfd85yf",
+ "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.6.15-hardened1/linux-hardened-6.6.15-hardened1.patch"
 },
- "sha256": "0lhyczcj1fhh52fjf06ikp5yh7kxc1qymsw44rv6v25vc6kfbqmg",
- "version": "6.6.11"
+ "sha256": "1ajzby6isqji1xlp660m4qj2i2xs003vsjp1jspziwl7hrzhqadb",
+ "version": "6.6.15"
+ },
+ "6.7": {
+ "patch": {
+ "extra": "-hardened1",
+ "name": "linux-hardened-6.7.3-hardened1.patch",
+ "sha256": "03jdch5fx6ly0haa2jrbjzyjnfv66dh1gkbhy1y79v3ylr4x29x4",
+ "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.7.3-hardened1/linux-hardened-6.7.3-hardened1.patch"
+ },
+ "sha256": "0i1bfkawyp917d9v3qa5nqzspzr3ixx7scbfl8x4lms74xjqrw5p",
+ "version": "6.7.3"
 }
 }