Diffstat (limited to 'pkgs/os-specific/linux')
-rw-r--r-- | pkgs/os-specific/linux/kernel/hardened-patches.json | 38 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-4.19.nix | 4 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-5.4.nix | 4 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-5.5.nix | 4 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-5.6.nix | 4 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-libre.nix | 4 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-testing.nix | 6 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/patches.nix | 13 | ||||
-rwxr-xr-x | pkgs/os-specific/linux/kernel/update-hardened.py | 151 | ||||
-rw-r--r-- | pkgs/os-specific/linux/nvme-cli/default.nix | 18 | ||||
-rw-r--r-- | pkgs/os-specific/linux/zenstates/default.nix | 54 |
11 files changed, 192 insertions, 108 deletions
diff --git a/pkgs/os-specific/linux/kernel/hardened-patches.json b/pkgs/os-specific/linux/kernel/hardened-patches.json
index 97fbbb405e3e..eecb27cdb669 100644
--- a/pkgs/os-specific/linux/kernel/hardened-patches.json
+++ b/pkgs/os-specific/linux/kernel/hardened-patches.json
@@ -1,27 +1,27 @@
 {
- "4.14.176": {
+ "4.14": {
+ "name": "linux-hardened-4.14.176.a.patch",
 "sha256": "0pr3m2j63mc746fcbzg1hlwv85im9f87qkl6r4033gwnpa9brcgk",
- "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.176.a/linux-hardened-4.14.176.a.patch",
- "version_suffix": "a"
+ "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.176.a/linux-hardened-4.14.176.a.patch"
 },
- "4.19.116": {
- "sha256": "00y4i905gzs9w9kckrn1frh2vw32fsndz03g2psl1gk17snc3q7c",
- "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.116.a/linux-hardened-4.19.116.a.patch",
- "version_suffix": "a"
+ "4.19": {
+ "name": "linux-hardened-4.19.117.a.patch",
+ "sha256": "0c8dvh49nzypxwvsls10i896smvpdrk40x8ybljb3qk3r8j7niaw",
+ "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.117.a/linux-hardened-4.19.117.a.patch"
 },
- "5.4.33": {
- "sha256": "1hjfvhyvz5kyvx25809brhsvfv9mjv9q1mw6ydb71gfwhw6q8d8b",
- "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.33.a/linux-hardened-5.4.33.a.patch",
- "version_suffix": "a"
+ "5.4": {
+ "name": "linux-hardened-5.4.34.a.patch",
+ "sha256": "1xwpqr9nzpjg837b3wnzb8fmrl2g9rz8gz5yb55vnnllbzbz36v6",
+ "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.34.a/linux-hardened-5.4.34.a.patch"
 },
- "5.5.18": {
- "sha256": "0v7vla784sf1fk6d8qa5x8hkyhjb1jkw4lxxcgvvlqbmxl8md8ld",
- "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.5.18.a/linux-hardened-5.5.18.a.patch",
- "version_suffix": "a"
+ "5.5": {
+ "name": "linux-hardened-5.5.19.a.patch",
+ "sha256": "1ya5nsfhr3nwz6qiz4pdhvm6k9mx1kr0prhdvhx3p40f1vk281sc",
+ "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.5.19.a/linux-hardened-5.5.19.a.patch"
 },
- "5.6.5": {
- "sha256": "19cdpygm5zx3szxl456lfjg5sffqcmn18470wv7prm8rf6liqdj3",
- "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.6.5.a/linux-hardened-5.6.5.a.patch",
- "version_suffix": "a"
+ "5.6": {
+ "name": "linux-hardened-5.6.6.a.patch",
+ "sha256": "0jiqh0frxirjbccgfdk007fca6r6n36n0pkqq4jszkckn59ayl7r",
+ "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.6.6.a/linux-hardened-5.6.6.a.patch"
 }
 }
diff --git a/pkgs/os-specific/linux/kernel/linux-4.19.nix b/pkgs/os-specific/linux/kernel/linux-4.19.nix
index cdb19fd54ab7..ab3d1b1a7196 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.19.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.19.nix
@@ -3,7 +3,7 @@
 with stdenv.lib;
 buildLinux (args // rec {
- version = "4.19.116";
+ version = "4.19.118";
 # modDirVersion needs to be x.y.z, will automatically add .0 if needed
 modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 src = fetchurl {
 url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
- sha256 = "0r3vdc3npl1bn06w9v6wsq7d5mm7bnhm9wsz36pb9ar3xhimvrlf";
+ sha256 = "15lcq3xky59v88vb8vvnmgcsmm1fadz0m4jyrii6rynsz5jr6x49";
 };
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-5.4.nix b/pkgs/os-specific/linux/kernel/linux-5.4.nix
index b2de6ea86899..08b28bc98dcd 100644
--- a/pkgs/os-specific/linux/kernel/linux-5.4.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.4.nix
@@ -3,7 +3,7 @@
 with stdenv.lib;
 buildLinux (args // rec {
- version = "5.4.33";
+ version = "5.4.35";
 # modDirVersion needs to be x.y.z, will automatically add .0 if needed
 modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 src = fetchurl {
 url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
- sha256 = "0q9q48ij6vppfcrdf7fr24pvpwsd13pxjkdni6rnjq9a60hrcmxm";
+ sha256 = "1m06k19pbb3wz8z2dgf03jvzbbdh6q8jwwdz509s902a53vxasz1";
 };
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-5.5.nix b/pkgs/os-specific/linux/kernel/linux-5.5.nix
index ecb92b5bfe7d..96a349d985c9 100644
--- a/pkgs/os-specific/linux/kernel/linux-5.5.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.5.nix
@@ -3,7 +3,7 @@
 with stdenv.lib;
 buildLinux (args // rec {
- version = "5.5.18";
+ version = "5.5.19";
 # modDirVersion needs to be x.y.z, will automatically add .0 if needed
 modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 src = fetchurl {
 url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
- sha256 = "01iiiq4dsyyc5y6b52wax9as6dzhdi172vd1423sc1yp4rrk8178";
+ sha256 = "1sqiw9d25sqqzdh04dd722i7ff6kchj869jp4l8zalpvf51k6j0l";
 };
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-5.6.nix b/pkgs/os-specific/linux/kernel/linux-5.6.nix
index d3334293dc19..a31e6e26d3f6 100644
--- a/pkgs/os-specific/linux/kernel/linux-5.6.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.6.nix
@@ -3,7 +3,7 @@
 with stdenv.lib;
 buildLinux (args // rec {
- version = "5.6.5";
+ version = "5.6.7";
 # modDirVersion needs to be x.y.z, will automatically add .0 if needed
 modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 src = fetchurl {
 url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
- sha256 = "1rjjkcmzsj9azggh960qnk2x44ns475b8nbd4nxazrz1rgdx76zp";
+ sha256 = "1jljcva3gxg1yc2kw3jjgmhzzdm16nylzxl63zbndjza547l5813";
 };
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-libre.nix b/pkgs/os-specific/linux/kernel/linux-libre.nix
index d167a89ea830..b13791ccb99b 100644
--- a/pkgs/os-specific/linux/kernel/linux-libre.nix
+++ b/pkgs/os-specific/linux/kernel/linux-libre.nix
@@ -1,8 +1,8 @@
 { stdenv, lib, fetchsvn, linux
 , scripts ? fetchsvn {
 url = "https://www.fsfla.org/svn/fsfla/software/linux-libre/releases/branches/";
- rev = "17402";
- sha256 = "1g151h6hdiwpvpip1r2rhbma8j13xghcyxddh0ppg9h548wwwack";
+ rev = "17445";
+ sha256 = "0d2gd2w4pbb728a7mw9dnq3aicwpjzg8zahg80ismvc9l1sym50a";
 }
 , ...
 }:
diff --git a/pkgs/os-specific/linux/kernel/linux-testing.nix b/pkgs/os-specific/linux/kernel/linux-testing.nix
index e63fe96be6b9..9e2ccaeae2b2 100644
--- a/pkgs/os-specific/linux/kernel/linux-testing.nix
+++ b/pkgs/os-specific/linux/kernel/linux-testing.nix
@@ -3,15 +3,15 @@
 with stdenv.lib;
 buildLinux (args // rec {
- version = "5.6-rc7";
- extraMeta.branch = "5.6";
+ version = "5.7-rc2";
+ extraMeta.branch = "5.7";
 # modDirVersion needs to be x.y.z, will always add .0
 modDirVersion = if (modDirVersionArg == null) then builtins.replaceStrings ["-"] [".0-"] version else modDirVersionArg;
 src = fetchurl {
 url = "https://git.kernel.org/torvalds/t/linux-${version}.tar.gz";
- sha256 = "0wv3ipfm970y2pyadwn5g7hd9bj117qk8jl8sdhrasbsy1p8936i";
+ sha256 = "06h7lrif84gyzblrdgg4cirsr2v69sdbymwkk89nr3gc87hnjlvs";
 };
 # Should the testing kernels ever be built on Hydra?
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index 69b0197d4e68..1c4af8c32a6f 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -39,16 +39,9 @@
 };
 hardened = let
- mkPatch = kernelVersion: patch: let
- fullVersion = "${kernelVersion}.${patch.version_suffix}";
- name = "linux-hardened-${fullVersion}";
- in {
- inherit name;
- patch = fetchurl {
- name = "${name}.patch";
- inherit (patch) url sha256;
- meta.maintainers = with lib.maintainers; [ emily ];
- };
+ mkPatch = kernelVersion: src: {
+ name = lib.removeSuffix ".patch" src.name;
+ patch = fetchurl src;
 };
 patches = builtins.fromJSON (builtins.readFile ./hardened-patches.json);
 in lib.mapAttrs mkPatch patches;
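Review bot: In the patches.nix hunk, `patch = fetchurl src;` hands the whole JSON entry to fetchurl, so the set of fetcher arguments is now defined by whatever keys the generated hardened-patches.json happens to carry rather than by this file, and it drops the `meta.maintainers` the old mkPatch attached to each fetched patch. Naming the fields keeps the contract explicit and restores the metadata: `patch = fetchurl { inherit (src) name url sha256; meta.maintainers = with lib.maintainers; [ emily ]; };`. The sha256 pin still guards the fetched content, so this is a hygiene point rather than an integrity one; `kernelVersion` was already unused before this change.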
diff --git a/pkgs/os-specific/linux/kernel/update-hardened.py b/pkgs/os-specific/linux/kernel/update-hardened.py index 089e991d06bc..7f6949653afc 100755 --- a/pkgs/os-specific/linux/kernel/update-hardened.py +++ b/pkgs/os-specific/linux/kernel/update-hardened.py @@ -17,17 +17,7 @@ HERE = os.path.dirname(os.path.realpath(__file__)) HARDENED_GITHUB_REPO = 'anthraxx/linux-hardened' HARDENED_TRUSTED_KEY = os.path.join(HERE, 'anthraxx.asc') HARDENED_PATCHES_PATH = os.path.join(HERE, 'hardened-patches.json') -MIN_KERNEL = (4, 14) - -HARDENED_VERSION_RE = re.compile(r''' - (?P<kernel_version> [\d.]+) \. - (?P<version_suffix> [a-z]+) -''', re.VERBOSE) - -def parse_version(version): - match = HARDENED_VERSION_RE.fullmatch(version) - if match: - return match.groups() +MIN_KERNEL_VERSION = [4, 14] def run(*args, **kwargs): try: @@ -78,11 +68,12 @@ def fetch_patch(*, name, release): except StopIteration: raise KeyError(filename) + patch_filename = f'{name}.patch' try: - patch_url = find_asset(f'{name}.patch') - sig_url = find_asset(f'{name}.patch.sig') + patch_url = find_asset(patch_filename) + sig_url = find_asset(patch_filename + '.sig') except KeyError: - print(f'error: {name}.patch{{,sig}} not present', file=sys.stderr) + print(f'error: {patch_filename}{{,.sig}} not present', file=sys.stderr) return None sha256, patch_path = nix_prefetch_url(patch_url) 
@@ -97,16 +88,32 @@ def fetch_patch(*, name, release): return None return { + 'name': patch_filename, 'url': patch_url, 'sha256': sha256, } -def commit_patches(*, kernel_version, message): +def parse_version(version_str): + version = [] + for component in version_str.split('.'): + try: + version.append(int(component)) + except ValueError: + version.append(component) + return version + +def version_string(version): + return '.'.join(str(component) for component in version) + +def major_kernel_version_key(kernel_version): + return version_string(kernel_version[:-1]) + +def commit_patches(*, kernel_key, message): with open(HARDENED_PATCHES_PATH + '.new', 'w') as new_patches_file: json.dump(patches, new_patches_file, indent=4, sort_keys=True) new_patches_file.write('\n') os.rename(HARDENED_PATCHES_PATH + '.new', HARDENED_PATCHES_PATH) - message = f'linux/hardened-patches/{kernel_version}: {message}' + message = f'linux/hardened-patches/{kernel_key}: {message}' print(message) if os.environ.get('COMMIT'): run( 
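Review bot: The new `parse_version` returns a list that mixes ints and strings, and the rest of the script relies on plain list ordering over such lists (`old_version < version`, `kernel_version < MIN_KERNEL_VERSION`); that comparison raises TypeError the moment an int meets a str at the same index, e.g. for a tag whose kernel part is not purely numeric, so the assumption deserves a docstring rather than being implicit. Something like `"""Split 'x.y.z.suffix' into [x, y, z, 'suffix']; numeric parts become ints so lists order numerically. Assumes non-numeric parts only ever follow the numeric ones."""` on `parse_version`, and `"""Key for a kernel's stable series, e.g. [4, 19, 118] -> '4.19' (expects at least three components)."""` on `major_kernel_version_key`. `version_string` and the renamed `commit_patches` would benefit from one-line docstrings too; the `fetch_patch` body this hunk edits starts outside the hunk.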
@@ -125,74 +132,96 @@ NIX_VERSION_RE = re.compile(r''' ''', re.VERBOSE) # Get the set of currently packaged kernel versions. -kernel_versions = set() +kernel_versions = {} for filename in os.listdir(HERE): filename_match = re.fullmatch(r'linux-(\d+)\.(\d+)\.nix', filename) if filename_match: - if tuple(int(v) for v in filename_match.groups()) < MIN_KERNEL: - continue with open(os.path.join(HERE, filename)) as nix_file: for nix_line in nix_file: match = NIX_VERSION_RE.fullmatch(nix_line) if match: - kernel_versions.add(match.group('version')) + kernel_version = parse_version(match.group('version')) + if kernel_version < MIN_KERNEL_VERSION: + continue + kernel_key = major_kernel_version_key(kernel_version) + kernel_versions[kernel_key] = kernel_version -# Remove patches for old kernel versions. -for kernel_version in patches.keys() - kernel_versions: - del patches[kernel_version] - commit_patches(kernel_version=kernel_version, message='remove') +# Remove patches for unpackaged kernel versions. +for kernel_key in sorted(patches.keys() - kernel_versions.keys()): + commit_patches(kernel_key=kernel_key, message='remove') g = Github(os.environ.get('GITHUB_TOKEN')) repo = g.get_repo(HARDENED_GITHUB_REPO) -releases = repo.get_releases() -found_kernel_versions = set() failures = False -for release in releases: - remaining_kernel_versions = kernel_versions - found_kernel_versions - - if not remaining_kernel_versions: - break +# Match each kernel version with the best patch version. +releases = {} +for release in repo.get_releases(): + version = parse_version(release.tag_name) + # needs to look like e.g. 
5.6.3.a + if len(version) < 4: + continue - version = release.tag_name - name = f'linux-hardened-{version}' - version_info = parse_version(version) - if not version_info: + kernel_version = version[:-1] + kernel_key = major_kernel_version_key(kernel_version) + try: + packaged_kernel_version = kernel_versions[kernel_key] + except KeyError: continue - kernel_version, version_suffix = version_info - if kernel_version in remaining_kernel_versions: - found_kernel_versions.add(kernel_version) - try: - old_version_suffix = patches[kernel_version]['version_suffix'] - old_version = f'{kernel_version}.{old_version_suffix}' - update = old_version_suffix < version_suffix - except KeyError: - update = True - old_version = None - - if update: - patch = fetch_patch(name=name, release=release) - if patch is None: - failures = True + release_info = { + 'version': version, + 'release': release, + } + + if kernel_version == packaged_kernel_version: + releases[kernel_key] = release_info + else: + # Fall back to the latest patch for this major kernel version, + # skipping patches for kernels newer than the packaged one. + if kernel_version > packaged_kernel_version: + continue + elif (kernel_key not in releases or + releases[kernel_key]['version'] < version): + releases[kernel_key] = release_info + +# Update hardened-patches.json for each release. 
+for kernel_key, release_info in releases.items(): + release = release_info['release'] + version = release_info['version'] + version_str = release.tag_name + name = f'linux-hardened-{version_str}' + + try: + old_filename = patches[kernel_key]['name'] + old_version_str = (old_filename + .replace('linux-hardened-', '') + .replace('.patch', '')) + old_version = parse_version(old_version_str) + update = old_version < version + except KeyError: + update = True + old_version = None + + if update: + patch = fetch_patch(name=name, release=release) + if patch is None: + failures = True + else: + patches[kernel_key] = patch + if old_version: + message = f'{old_version_str} -> {version_str}' else: - patch['version_suffix'] = version_suffix - patches[kernel_version] = patch - if old_version: - message = f'{old_version} -> {version}' - else: - message = f'init at {version}' - commit_patches(kernel_version=kernel_version, message=message) + message = f'init at {version_str}' + commit_patches(kernel_key=kernel_key, message=message) -missing_kernel_versions = kernel_versions - patches.keys() +missing_kernel_versions = kernel_versions.keys() - patches.keys() if missing_kernel_versions: print( f'warning: no patches for kernel versions ' + - ', '.join(missing_kernel_versions) + - '\nwarning: consider manually backporting older patches (bump ' - 'JSON key, set version_suffix to "NixOS-a")', + ', '.join(missing_kernel_versions), file=sys.stderr, ) diff --git a/pkgs/os-specific/linux/nvme-cli/default.nix b/pkgs/os-specific/linux/nvme-cli/default.nix index d0aca3bbc827..616ad9c67647 100644 --- a/pkgs/os-specific/linux/nvme-cli/default.nix +++ b/pkgs/os-specific/linux/nvme-cli/default.nix 
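Review bot: The exact-match branch of the release-matching loop, `if kernel_version == packaged_kernel_version: releases[kernel_key] = release_info`, stores unconditionally, so if upstream publishes two patches for one kernel point release (say `5.4.35.a` and `5.4.35.b`) the survivor is whichever `repo.get_releases()` yields last rather than the highest, while the fallback branch does compare versions. Because an exact match always outranks any fallback (its kernel part is larger), the two branches collapse into one ordered comparison, shown below. Separately, the fallback silently pairs an older patch with a newer kernel — this commit itself builds linux 4.19.118, 5.4.35 and 5.6.7 against 4.19.117.a, 5.4.34.a and 5.6.6.a per the JSON hunk — and the only signal is a possible apply failure at build time; in the update loop, a `if version[:-1] != kernel_versions[kernel_key]: print(f'warning: {kernel_key}: using {version_str} for kernel {version_string(kernel_versions[kernel_key])}', file=sys.stderr)` would surface the mismatch to whoever runs the script. The `if len(version) < 4: continue` filter also discards a tag like `5.7.a` should a series ever be packaged as `version = "5.7"`, where `major_kernel_version_key` would return `'5'` as well; worth a comment if that case is deliberately out of scope.
```python
    # … unchanged: tag parsing and kernel_key lookup …
    # An exact match is always the highest version that is not newer than the
    # packaged kernel, so one ordered comparison covers both the exact and the
    # fallback case and also keeps the highest suffix when upstream ships
    # several patches for the same kernel version.
    if kernel_version > packaged_kernel_version:
        continue
    if (kernel_key not in releases or
            releases[kernel_key]['version'] < version):
        releases[kernel_key] = release_info
```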
@@ -1,17 +1,17 @@
-{ lib, stdenv, fetchFromGitHub, pkgconfig }:
+{ lib, stdenv, fetchFromGitHub, pkg-config }:
 stdenv.mkDerivation rec {
 pname = "nvme-cli";
- version = "1.10.1";
+ version = "1.11.1";
 src = fetchFromGitHub {
 owner = "linux-nvme";
 repo = "nvme-cli";
 rev = "v${version}";
- sha256 = "12wp2wxmsw2v8m9bhvwvdbhdgx1md8iilhbl19sfzz2araiwi2x8";
+ sha256 = "06cxs41biqx230grvpk7zid3apcaajjywrccag50krb6h2wqafdl";
 };
- nativeBuildInputs = [ pkgconfig ];
+ nativeBuildInputs = [ pkg-config ];
 makeFlags = [ "DESTDIR=$(out)" "PREFIX=" ];
@@ -20,8 +20,16 @@ stdenv.mkDerivation rec {
 installTargets = [ "install-spec" ];
 meta = with lib; {
- inherit (src.meta) homepage;
+ inherit (src.meta) homepage; # https://nvmexpress.org/
 description = "NVM-Express user space tooling for Linux";
+ longDescription = ''
+ NVM-Express is a fast, scalable host controller interface designed to
+ address the needs for not only PCI Express based solid state drives, but
+ also NVMe-oF(over fabrics).
+ This nvme program is a user space utility to provide standards compliant
+ tooling for NVM-Express drives. It was made specifically for Linux as it
+ relies on the IOCTLs defined by the mainline kernel driver.
+ '';
 license = licenses.gpl2Plus;
 platforms = platforms.linux;
 maintainers = with maintainers; [ primeos tavyc ];
diff --git a/pkgs/os-specific/linux/zenstates/default.nix b/pkgs/os-specific/linux/zenstates/default.nix
new file mode 100644
index 000000000000..4ac77c00aa3b
--- /dev/null
+++ b/pkgs/os-specific/linux/zenstates/default.nix
@@ -0,0 +1,54 @@
+# Zenstates provides access to a variety of CPU tunables no Ryzen processors.
+#
+# In particular, I am adding Zenstates because I need it to disable the C6
+# sleep state to stabilize wake from sleep on my Lenovo x395 system. After
+# installing Zenstates, I need a before-sleep script like so:
+#
+# before-sleep = pkgs.writeScript "before-sleep" ''
+# #!${pkgs.bash}/bin/bash
+# ${pkgs.zenstates}/bin/zenstates --c6-disable
+# '';
+#
+# ...
+#
+# systemd.services.before-sleep = {
+# description = "Jobs to run before going to sleep";
+# serviceConfig = {
+# Type = "oneshot";
+# ExecStart = "${before-sleep}";
+# };
+# wantedBy = [ "sleep.target" ];
+# before = [ "sleep.target" ];
+# };
+
+{ stdenv, fetchFromGitHub, python3 }:
+stdenv.mkDerivation rec {
+ pname = "zenstates";
+ version = "0.0.1";
+
+ src = fetchFromGitHub {
+ owner = "r4m0n";
+ repo = "ZenStates-Linux";
+ rev = "0bc27f4740e382f2a2896dc1dabfec1d0ac96818";
+ sha256 = "1h1h2n50d2cwcyw3zp4lamfvrdjy1gjghffvl3qrp6arfsfa615y";
+ };
+
+ buildInputs = [ python3 ];
+
+ phases = [ "installPhase" ];
+
+ installPhase = ''
+ mkdir -p $out/bin
+ cp $src/zenstates.py $out/bin/zenstates
+ chmod +x $out/bin/zenstates
+ patchShebangs --build $out/bin/zenstates
+ '';
+
+ meta = with stdenv.lib; {
+ description = "Linux utility for Ryzen processors and motherboards";
+ homepage = "https://github.com/r4m0n/ZenStates-Linux";
+ license = licenses.mit;
+ maintainers = with maintainers; [ savannidgerinel ];
+ platforms = platforms.linux;
+ };
+}
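Review bot: `version = "0.0.1";` does not correspond to anything upstream — `src` pins the bare commit `0bc27f4740e382f2a2896dc1dabfec1d0ac96818` with no tag — so the nixpkgs convention for untagged sources, `version = "unstable-<date of that commit>";`, would make the package version reflect what is actually fetched. `phases = [ "installPhase" ];` is the discouraged way to skip phases: it also drops fixupPhase, so `dontUnpack = true; dontBuild = true;` with the default phase list is preferable, and the manual `patchShebangs --build` is the wrong side for a script that runs on the host (under cross-compilation it would point at the build platform's python3); the stock fixup, or `patchShebangs --host $out/bin`, resolves it against `buildInputs` correctly. The 22-line header comment documents one maintainer's laptop setup rather than the package (and reads "tunables no Ryzen" for "on Ryzen"); a one-line note on what the tool does, with the before-sleep example moved to the commit message or a NixOS module doc, would suit the derivation better.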