diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix index 08b8456bf6e6..96b1e0afb324 100644 --- a/pkgs/os-specific/linux/kernel/common-config.nix +++ b/pkgs/os-specific/linux/kernel/common-config.nix @@ -533,14 +533,14 @@ let # Enable Rust and features that depend on it # Use a lower priority to allow these options to be overridden in hardened/config.nix rust = lib.optionalAttrs withRust { - RUST = lib.mkDefault yes; + RUST = yes; # These don't technically require Rust but we probably want to get some more testing # on the whole DRM panic setup before shipping it by default. DRM_PANIC = whenAtLeast "6.12" yes; DRM_PANIC_SCREEN = whenAtLeast "6.12" (freeform "kmsg"); - DRM_PANIC_SCREEN_QR_CODE = lib.mkDefault (whenAtLeast "6.12" yes); + DRM_PANIC_SCREEN_QR_CODE = whenAtLeast "6.12" yes; }; sound = @@ -1256,7 +1256,7 @@ let LIRC = yes; SCHED_CORE = whenAtLeast "5.14" yes; - SCHED_CLASS_EXT = lib.mkDefault (whenAtLeast "6.12" yes); + SCHED_CLASS_EXT = whenAtLeast "6.12" yes; LRU_GEN = whenAtLeast "6.1" yes; LRU_GEN_ENABLED = whenAtLeast "6.1" yes; diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix index f098cf375c9d..e04b6d878993 100644 --- a/pkgs/os-specific/linux/kernel/hardened/config.nix +++ b/pkgs/os-specific/linux/kernel/hardened/config.nix @@ -38,8 +38,6 @@ assert (lib.versionAtLeast version "4.9"); DEBUG_PLIST = whenAtLeast "5.2" yes; DEBUG_SG = yes; DEBUG_VIRTUAL = yes; - # Set in common config as whenAtLeast "6.12" yes; Currently errors during config - SCHED_CLASS_EXT = whenAtLeast "6.12" (option yes); SCHED_STACK_END_CHECK = yes; REFCOUNT_FULL = whenOlder "5.4.208" yes; 
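Review bot: The context comment `# Use a lower priority to allow these options to be overridden in hardened/config.nix` in the `rust` attrset (hunk at -533) no longer matches the code, because this commit removes `lib.mkDefault` from `RUST` and `DRM_PANIC_SCREEN_QR_CODE`, and from `SCHED_CLASS_EXT` in the -1256 hunk. The hardened/config.nix hunks of the same commit delete `GCC_PLUGIN_LATENT_ENTROPY`, `RANDSTRUCT` and `RANDSTRUCT_PERFORMANCE` with no added line saying why; presumably they were dropped so that `RUST = yes` can resolve, but nothing on the page states it. I would replace the stale comment with the actual rationale, e.g. `# No mkDefault here: hardened/config.nix drops RANDSTRUCT* and GCC_PLUGIN_LATENT_ENTROPY instead of overriding RUST (TODO: confirm reason)`, so that the loss of those mitigations in the hardened kernel is a recorded decision. The `let` block that holds this attrset starts and ends outside the hunk.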
@@ -68,8 +66,6 @@ assert (lib.versionAtLeast version "4.9"); PANIC_TIMEOUT = freeform "-1"; GCC_PLUGINS = yes; # Enable gcc plugin options - # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. - GCC_PLUGIN_LATENT_ENTROPY = yes; GCC_PLUGIN_STRUCTLEAK = option yes; # A port of the PaX structleak plugin GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = option yes; # Also cover structs passed by address @@ -87,10 +83,6 @@ assert (lib.versionAtLeast version "4.9"); UBSAN_LOCAL_BOUNDS = option yes; # clang only CFI_CLANG = option yes; # clang only Control Flow Integrity since 6.1 - # Same as GCC_PLUGIN_RANDSTRUCT*, but has been renamed to `RANDSTRUCT*` in 5.19. - RANDSTRUCT = whenAtLeast "5.19" yes; - RANDSTRUCT_PERFORMANCE = whenAtLeast "5.19" yes; - # Disable various dangerous settings ACPI_CUSTOM_METHOD = whenOlder "6.9" no; # Allows writing directly to physical memory PROC_KCORE = no; # Exposes kernel text image layout @@ -118,7 +110,4 @@ assert (lib.versionAtLeast version "4.9"); # not needed for less than a decade old glibc versions LEGACY_VSYSCALL_NONE = yes; - - RUST = option yes; # Yes currently erros on 6.12 - DRM_PANIC_SCREEN_QR_CODE = whenAtLeast "6.12" (option yes); } diff --git a/pkgs/os-specific/linux/kernel/hardened/patches.json b/pkgs/os-specific/linux/kernel/hardened/patches.json index 4ba723afe279..b088f24fa79b 100644 --- a/pkgs/os-specific/linux/kernel/hardened/patches.json +++ b/pkgs/os-specific/linux/kernel/hardened/patches.json 
@@ -2,42 +2,42 @@ "5.10": { "patch": { "extra": "-hardened1", - "name": "linux-hardened-v5.10.231-hardened1.patch", - "sha256": "1hjk2scmks3z78i4lzkjm7lcv2m94cv8mmpixw8ylxjfhq1hksv4", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/v5.10.231-hardened1/linux-hardened-v5.10.231-hardened1.patch" + "name": "linux-hardened-v5.10.232-hardened1.patch", + "sha256": "1bfhnj6k65q6kjlxbxqfzq2l81dvbfdc4khn7n0zp6vm37a34c74", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/v5.10.232-hardened1/linux-hardened-v5.10.232-hardened1.patch" }, - "sha256": "0xcnlz5ib4b368z5cyp4qwys3jsbm18wlvwn73rzj2j6rj1lhnjn", - "version": "5.10.231" + "sha256": "1w5ycdh24j4gsjc2zk7nhbmya59vhi49lbh8333ziprqlj4lb97x", + "version": "5.10.232" }, "5.15": { "patch": { "extra": "-hardened1", - "name": "linux-hardened-v5.15.174-hardened1.patch", - "sha256": "1583qbknmqf8fhm95jdpr4qw8i7nq2103ba5wsrn87w43m14s2z8", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/v5.15.174-hardened1/linux-hardened-v5.15.174-hardened1.patch" + "name": "linux-hardened-v5.15.175-hardened1.patch", + "sha256": "1j7z487n26jd8npylddflpdksrwk7b7xck2gblsd1rp1zgpd0q4g", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/v5.15.175-hardened1/linux-hardened-v5.15.175-hardened1.patch" }, - "sha256": "02kn9nvaa36s070k235lk9x6n40l2zlwj4v6i2y6nnx0cjw3rrn3", - "version": "5.15.174" + "sha256": "1l59x1f1b29mayhzxxkh9vlba41h51mmfh1vram31bks1v4bpn4g", + "version": "5.15.175" }, "5.4": { "patch": { "extra": "-hardened1", - "name": "linux-hardened-v5.4.287-hardened1.patch", - "sha256": "08abr58k2ha29x72mpz49ivzmm5bhv6fflxwm0lhmijwqly2p05d", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/v5.4.287-hardened1/linux-hardened-v5.4.287-hardened1.patch" + "name": "linux-hardened-v5.4.288-hardened1.patch", + "sha256": "0zqc0xblfy2rj1n8mr2q07apcq1rmqshsi15881df4ml5lkq4y62", + "url": 
"https://github.com/anthraxx/linux-hardened/releases/download/v5.4.288-hardened1/linux-hardened-v5.4.288-hardened1.patch" }, - "sha256": "082bq26bwi8jxfbk840wf9awm5l65aya4bg43im9qvqfpzjzl3qd", - "version": "5.4.287" + "sha256": "1zhsb6gwhb6cvijzh7s8rnm4b06klyhb2mxb06gcyfvj0givlvw7", + "version": "5.4.288" }, "6.1": { "patch": { "extra": "-hardened1", - "name": "linux-hardened-v6.1.120-hardened1.patch", - "sha256": "1x9nl76186ij447x2xrrrls9xaj97rdw4b6v4dnsyg9qjx846lp6", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.1.120-hardened1/linux-hardened-v6.1.120-hardened1.patch" + "name": "linux-hardened-v6.1.121-hardened1.patch", + "sha256": "0m8gdp8jsv5nd5xpdcxq5jd88gcfajacm5v0fz1f5vlsgs4gazcg", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.1.121-hardened1/linux-hardened-v6.1.121-hardened1.patch" }, - "sha256": "06gp5fdq0bc39hd8mf9mrdrygdybdr3nzsb58lcapf5vmjw9gjb1", - "version": "6.1.120" + "sha256": "0hrv9l2m4yqhh6cwr8xj9jvx8y3sfwmd394g0f2iawrgc3d1dg6x", + "version": "6.1.121" }, "6.11": { "patch": { 
@@ -52,21 +52,21 @@ "6.12": { "patch": { "extra": "-hardened1", - "name": "linux-hardened-v6.12.5-hardened1.patch", - "sha256": "07rb0wf647qjdkir2p0bxf625bhbjlqhdv5wrjfc5c0dhrlikihr", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.12.5-hardened1/linux-hardened-v6.12.5-hardened1.patch" + "name": "linux-hardened-v6.12.6-hardened1.patch", + "sha256": "02c723gcbdzlgladhw3mpvavz8zy5aq4ncqljrxipia419giw7g7", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.12.6-hardened1/linux-hardened-v6.12.6-hardened1.patch" }, - "sha256": "1k9bc0lpgg29bh7zqz3pm91hhjnfyl5aw6r6hph3ha743k77y81r", - "version": "6.12.5" + "sha256": "17lwn89903ffyi2b29j59c1gsczsc1kj3x70hnxziqg4blhsnl6l", + "version": "6.12.6" }, "6.6": { "patch": { "extra": "-hardened1", - "name": "linux-hardened-v6.6.66-hardened1.patch", - "sha256": "04m65bfmahjq29qy9lbzhyqz7a0yahgfjq8d1ck5z4y0x3yvpggp", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.6.66-hardened1/linux-hardened-v6.6.66-hardened1.patch" + "name": "linux-hardened-v6.6.67-hardened1.patch", + "sha256": "0p6vilg82pcsqmy336157b06v1fbyx8mkzpgccpmgk77wprzd438", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.6.67-hardened1/linux-hardened-v6.6.67-hardened1.patch" }, - "sha256": "0lhy5waj330hmaxbqpfw2fxzkvvlxxs1nr325i8jy736qhvpjxcx", - "version": "6.6.66" + "sha256": "06iy243l7c2nldamq0nzbkwxrqr7sg0p89gdp3ib18s2xj1a87g4", + "version": "6.6.67" } }