[20.03] Backport all kernel updates #91225
Closed
bjornfor
wants to merge
123
commits into
NixOS:release-20.03
from
bjornfor:backport-all-kernel-updates-20.03
Conversation
(cherry picked from commit 25f706b)
(cherry picked from commit 3f448f0)
(cherry picked from commit 1e41aa8)
CONFIG_IP_MULTIPLE_TABLES is part of the default x86 kernel config but absent from the Aarch64 one. Adding explicitly this flag together with its dependency IP_ADVANCED_ROUTER. Both of these config flags are needed to use the routing policy facilities. (cherry picked from commit 6896b1c)
(cherry picked from commit cd167a0)
Remove the "version" parameter in order to make it more widely available. Starts making some kernel configuration helpers available. The intent is to be able to better build and check the linux kernel configuration. (cherry picked from commit afa0e02)
whenAtLeast/whenBetween are made available in lib/kernel.nix but are now scoped under whenXXX. (cherry picked from commit a4fe469)
Per discussion in NixOS#81943. Resolves NixOS#79798. (cherry picked from commit b628400)
(cherry picked from commit c76bad0)
Since we select everything as a module, snd_hda_codec_ca0132 is built as well. DSP loading is not enabled by default, but without it the soundcard produces timeouts within ALSA and does not emit sound. Explicitly enable the firmware loading to ensure Soundblaster Z/Zx/ZxR/Recon devices can be used with NixOS. The patch to enable this by default in the kernel is staged for 5.8. (cherry picked from commit 62cdbd6)
This will switch the default TCP congestion control algorithm from new Reno to CUBIC. CUBIC is the default since Linux kernel 2.6.19 (see 597811ec167fa) and most (all?) distributions keep this default (e.g. Debian and Ubuntu). On NixOS the default was still new Reno because generate-config.pl changes TCP_CONG_CUBIC from y to m (since we try to build everything as a module by default). To check the active and available algorithms:

```
$ sysctl net.ipv4.tcp_congestion_control
net.ipv4.tcp_congestion_control = cubic
$ sysctl net.ipv4.tcp_available_congestion_control
net.ipv4.tcp_available_congestion_control = cubic reno
```

Note: E.g. x86_64_defconfig sets TCP_CONG_CUBIC=y indirectly via CONFIG_TCP_CONG_ADVANCED=y (but CUBIC is also the default if set to no, see net/ipv4/Kconfig). (cherry picked from commit 60f4345)
(cherry picked from commit 00e7a67)
(cherry picked from commit 04a5e5a)
Needed for subscribing to dropped packets (e.g. via `dropwatch`). (cherry picked from commit f16ae2d)
The linux-hardened patch set removes this default, probably because of its original focus on Android kernel hardening. (cherry picked from commit 3d01e80)
This is an updated version of the former upstream, https://github.com/AndroidHardeningArchive/linux-hardened, and provides a minimal set of additional hardening patches on top of upstream. The patch already incorporates many of our hardened profile defaults, and releases are timely (Linux 5.5.15 and 5.6.2 were released on 2020-04-02; linux-hardened patches for them came out on 2020-04-03 and 2020-04-04 respectively). (cherry picked from commit 0d4f35e)
As far as I can tell, this has never defaulted to on upstream, and our common kernel configuration doesn't turn it on, so the attack surface reduction here is somewhat homeopathic. (cherry picked from commit 7d5352d)
This has been on by default upstream for as long as it's been an option. (cherry picked from commit 3d4c8ae)
Upstreamed in anthraxx/linux-hardened@f1fe0a6. (cherry picked from commit 8efe83c)
Upstreamed in anthraxx/linux-hardened@0564487. (cherry picked from commit 8c68055)
These are on by default for x86 in upstream linux-5.6.2, and turned on for arm64 by anthraxx/linux-hardened@90f9670. (cherry picked from commit 130f681)
Upstreamed in anthraxx/linux-hardened@d300b0f. (cherry picked from commit db6b327)
Upstreamed in anthraxx/linux-hardened@3fcd150. (cherry picked from commit 33b94e5)
Upstreamed in anthraxx/linux-hardened@55ee741. (cherry picked from commit 303bb60)
STRICT_DEVMEM is on by default in upstream 5.6.2; IO_STRICT_DEVMEM is turned on by anthraxx/linux-hardened@103d23c. Note that anthraxx/linux-hardened@db1d27e disables DEVMEM by default, so this is only relevant if that default is overridden to turn it back on. (cherry picked from commit 0611462)
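The two commit messages above describe the same class of problem from opposite sides: an option that must be built in (`TCP_CONG_CUBIC`) silently demoted to `=m` by the everything-as-a-module default, and an option (`IO_STRICT_DEVMEM`) that only matters when another one (`DEVMEM`) is enabled. The following added example, written for this review and not part of the PR or of nixpkgs, is a small `.config` auditor that encodes both kinds of rule; the sample config and the rule table are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample .config fragment (not taken from the PR). It reproduces the
# situation the CUBIC commit describes: the option exists but was demoted to =m.
SAMPLE_CONFIG = """\
CONFIG_TCP_CONG_ADVANCED=y
CONFIG_TCP_CONG_CUBIC=m
CONFIG_DEFAULT_TCP_CONG="cubic"
CONFIG_IP_ADVANCED_ROUTER=y
# CONFIG_IP_MULTIPLE_TABLES is not set
CONFIG_DEVMEM=y
CONFIG_STRICT_DEVMEM=y
# CONFIG_IO_STRICT_DEVMEM is not set
"""

_SET = re.compile(r"^CONFIG_([A-Za-z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# CONFIG_([A-Za-z0-9_]+) is not set$")


def parse_kconfig(text: str) -> Dict[str, str]:
    """Map option name (without the CONFIG_ prefix) to its value.
    Options recorded as '# CONFIG_X is not set' are mapped to 'n'."""
    opts: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


# (option, required value, option that must be 'y' for the rule to apply, or None)
RULES: List[Tuple[str, str, Optional[str]]] = [
    ("TCP_CONG_CUBIC", "y", None),        # as =m the kernel falls back to reno
    ("IP_ADVANCED_ROUTER", "y", None),    # dependency of IP_MULTIPLE_TABLES
    ("IP_MULTIPLE_TABLES", "y", None),    # policy routing
    ("STRICT_DEVMEM", "y", "DEVMEM"),     # moot when /dev/mem is compiled out
    ("IO_STRICT_DEVMEM", "y", "DEVMEM"),
]


def audit(opts: Dict[str, str]) -> List[str]:
    """Return one finding per rule that applies and is not satisfied."""
    findings = []
    for name, want, only_if in RULES:
        if only_if is not None and opts.get(only_if, "n") != "y":
            continue  # the gating option is off, so this rule does not apply
        got = opts.get(name, "n")
        if got != want:
            findings.append(f"{name}: expected {want}, found {got}")
    return findings
```

Run it against the output of `zcat /proc/config.gz` or a build's `.config` to catch the y-to-m demotion before the kernel is shipped.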
Upstreamed in anthraxx/linux-hardened@6b20124. (cherry picked from commit 3eeb524)
Upstreamed in anthraxx/linux-hardened@c1fe7a6, anthraxx/linux-hardened@2c553a2. (cherry picked from commit 4fb796e)
Upstreamed in anthraxx/linux-hardened@786126f, anthraxx/linux-hardened@44822eb. (cherry picked from commit 0d5f169)
Upstreamed in anthraxx/linux-hardened@366e021. (cherry picked from commit ed89b5b)
Upstreamed in anthraxx/linux-hardened@d12c0d5. (cherry picked from commit 7fdfe53)
Some of the options didn't have correct kernel version constraints, others had been removed or made optional unnecessarily in NixOS#84032. (cherry picked from commit 9dd9bc7)
(cherry picked from commit bbe7161)
Signed-off-by: Anders Kaseorg <andersk@mit.edu> (cherry picked from commit 0f2e569)
Fix config options for linux_hardened and linux_latest_hardened due to NixOS#84302. This is a continuation of NixOS#88946. (cherry picked from commit 8417052)
(cherry picked from commit fa736e1)
(cherry picked from commit 909cdaf)
(cherry picked from commit 0d1be0c)
(cherry picked from commit 7296aae)
Even the default pkgsi686Linux.linux was broken. (cherry picked from commit b23c1ab)
(cherry picked from commit 098aae8)
(cherry picked from commit 7049657)
(cherry picked from commit 9132965)
(cherry picked from commit 4392b44)
(cherry picked from commit 5953625)
(cherry picked from commit 893b1a3)
This is disabled by default in the linux-hardened patchset, but is required by e.g. LVM. Fixes NixOS#87260. (cherry picked from commit 4688ec0)
(cherry picked from commit 5af8ad3)
(cherry picked from commit 0d0b504)
(cherry picked from commit 4f7e011)
(cherry picked from commit 9181f79)
(cherry picked from commit 41bd44e)
bjornfor
requested review from
edolstra,
infinisil,
joachifm and
nbp
as code owners
June 21, 2020 12:16
There is an ofborg eval issue, I opened up a smaller version of this, containing only updates to |
Motivation for this change
My new laptop needs linux >= 5.7 for graphics support and release-20.03 only has linux <= 5.6. Initially I wanted to only backport `linuxPackages_latest` and `linuxPackages_testing` but found some patch dependencies in there and decided to look at the full history difference between master and release-20.03. The result is this PR which backports everything. I figure backporting everything is good for:
Things done
- `sandbox` in `nix.conf` (on non-NixOS linux)
- `nix-shell -p nixpkgs-review --run "nixpkgs-review wip"`
- `./result/bin/`
- `nix path-info -S` (before and after)