Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

linux/hardened/patches: Update again #102974

Merged
merged 5 commits into from Nov 6, 2020
Merged

linux/hardened/patches: Update again #102974

merged 5 commits into from Nov 6, 2020

Conversation

andersk
Copy link
Contributor

@andersk andersk commented Nov 6, 2020
edited

Motivation for this change

Reprise of #100769. 7e9c623 “linux: 5.8.17 -> 5.8.18” updated the kernel without updating the corresponding linux-hardened patch. The old one no longer applies, which broke the channel-blocking test nixos.tests.latestKernel.hardened.

Update the linux-hardened patches using pkgs/os-specific/linux/kernel/update.sh.

Cc @NeQuissimus. Is there a process improvement to be made so this doesn’t happen or doesn’t block channels? It doesn’t do much good to update the kernel if the failure to apply hardening patches blocks the channel and prevents users from actually getting the kernel update.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@NeQuissimus
Copy link
Member

Yeah, I've been waiting for these patches to come out... I have a feeling we may want to remove the hardened kernel from the channel blocking tests... It never used to be much of an issue but there have been patch conflicts recently...

@NeQuissimus NeQuissimus merged commit 7c125d1 into NixOS:master Nov 6, 2020
@NeQuissimus
Copy link
Member

I cherry-picked these into 20.09

@NeQuissimus NeQuissimus mentioned this pull request Nov 6, 2020
Merged
10 tasks
@andersk andersk deleted the linux-hardened branch December 26, 2022 21:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@NeQuissimus NeQuissimus Awaiting requested review from NeQuissimus

Assignees
No one assigned
Labels
1.severity: channel blocker Blocks a channel 8.has: package (update) 10.rebuild-darwin: 0 10.rebuild-linux: 101-500 11.by: nixpkgs-member
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@andersk @NeQuissimus