linux: fix kernel config options #88946
One fix is in staging https://github.com/NixOS/nixpkgs/pull/84032/files. I haven't adjusted the config though because I had not the power to compile all the kernels, so that part of the PR may be relevant.
Oh, great, I hadn't noticed that.
cc @teto Done, let me know if I should do anything else. Note: I've mostly used https://cateee.net/lkddb/web-lkddb/ to figure out kernel version constraints.
The issues I have mainly just come from how What I use locally
@eadwu Assuming I understood you correctly, that sounds like something that should be fixed (probably in another PR), i.e., that config options passed in as It would probably be good to reuse the existing option overriding mechanism (with priorities) and to make sure all options defined with the highest priority have the same value.
You just made me realize that a few kernel config options that I had explicitly disabled were being silently enabled by
You can use mkForce etc. to override with your settings. I was planning to write some documentation on the mechanism after fixing the merge config issue (that is in staging). Would like to update some kernel-related PRs too.
I think the current merge strategy can silently lead to undesired results. For example, Furthermore, even if we fix this instance, there's nothing guaranteeing that if in the future someone adds another config option to I would be in favor of removing the We can further recommend that the user always uses
Or if possible, in addition to removing
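One check a maintainer could run after a change like this, as an added example that is not part of the PR or of nixpkgs: parse the built kernel .config and compare the options the diff in this thread touches against the values and version ranges its hunks intend, so an option that was silently overridden during the merge shows up instead of going unnoticed. The expectation table is read off that diff; the .config excerpt is constructed.

```python
import re
# Intended values for options this PR touches, with the hunk's version ranges
# (low bound inclusive, high bound exclusive, None = unbounded).
EXPECTED = {
    "INET_DIAG": ("n", None, None),
    "INET_TCP_DIAG": ("n", None, None),
    "STRICT_DEVMEM": ("y", None, None),
    "IO_STRICT_DEVMEM": ("y", None, None),
    "DEBUG_PI_LIST": ("y", None, "5.2"),
    "DEBUG_PLIST": ("y", "5.2", None),
    "REFCOUNT_FULL": ("y", "4.13", "5.5"),
}

def vtuple(version):
    return tuple(int(p) for p in version.split("."))  # '5.10' -> (5, 10)

def applies(version, low, high):
    v = vtuple(version)
    return (low is None or v >= vtuple(low)) and (high is None or v < vtuple(high))

def parse_config(text):
    """Map a kernel .config to {OPTION: value}; '# CONFIG_X is not set' -> 'n'."""
    cfg = {}
    for line in text.splitlines():
        if m := re.match(r"^CONFIG_(\w+)=(.*)$", line):
            cfg[m.group(1)] = m.group(2)
        elif m := re.match(r"^# CONFIG_(\w+) is not set$", line):
            cfg[m.group(1)] = "n"
    return cfg

def check(config_text, version):
    """Return (option, wanted, actual) for each expectation the .config misses."""
    cfg = parse_config(config_text)
    bad = []
    for opt, (wanted, low, high) in EXPECTED.items():
        if applies(version, low, high):
            actual = cfg.get(opt, "n")  # absent from .config means not set
            if actual != wanted:
                bad.append((opt, wanted, actual))
    return bad

# Constructed .config excerpt: INET_DIAG came back as a module, the case from
# the discussion where an explicitly disabled option is silently enabled.
SAMPLE_CONFIG = """\
CONFIG_INET_DIAG=m
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
CONFIG_DEBUG_PLIST=y
"""
```

Running check(SAMPLE_CONFIG, "5.7") reports only INET_DIAG; the same .config checked as a 5.0 kernel additionally reports DEBUG_PI_LIST and REFCOUNT_FULL, which that version is expected to carry.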
Just to note that merging linux config is non trivial (even with the merge scripts), hopefully it can be solved outside of nix (SAT solvers are WIP). It is also why I proposed #69013 . I think it's ok to have a merge strategy except:
Here are some of the changes I found (that should be wrong in the default configuration):
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index b3f01b2b207..32eedbd7330 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -269,7 +269,7 @@ let
SND_SOC_SOF_ELKHARTLAKE_SUPPORT = yes;
SND_SOC_SOF_GEMINILAKE_SUPPORT = yes;
SND_SOC_SOF_HDA_AUDIO_CODEC = yes;
- SND_SOC_SOF_HDA_COMMON_HDMI_CODEC = yes;
+ SND_SOC_SOF_HDA_COMMON_HDMI_CODEC = whenOlder "5.7" yes;
SND_SOC_SOF_HDA_LINK = yes;
SND_SOC_SOF_ICELAKE_SUPPORT = yes;
SND_SOC_SOF_INTEL_TOPLEVEL = yes;
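Review bot: the new whenOlder "5.7" guard on SND_SOC_SOF_HDA_COMMON_HDMI_CODEC carries no pointer to the kernel change that removed the option, while the DEBUG_PLIST line in the hardened config cites 8e18fae. Since the bounds were derived from lkddb per the comment above, a short comment naming the removing commit (or the option that replaced it) would let a later reader verify the boundary without repeating that lookup, and it is worth confirming that whenOlder excludes 5.7 itself, because the option must not be emitted for a kernel that no longer has it.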
diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix
index 95510fe218e..d0e0a89635f 100644
--- a/pkgs/os-specific/linux/kernel/hardened/config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened/config.nix
@@ -40,11 +40,12 @@ assert (versionAtLeast version "4.9");
# Perform additional validation of commonly targeted structures.
DEBUG_CREDENTIALS = yes;
DEBUG_NOTIFIERS = yes;
- DEBUG_PI_LIST = yes; # doesn't BUG()
+ DEBUG_PI_LIST = whenOlder "5.2" yes; # doesn't BUG()
+ DEBUG_PLIST = whenAtLeast "5.2" yes; # DEBUG_PI_LIST as of v5.2, 8e18fae
DEBUG_SG = yes;
SCHED_STACK_END_CHECK = yes;
- REFCOUNT_FULL = whenAtLeast "4.13" yes;
+ REFCOUNT_FULL = whenBetween "4.13" "5.5" yes;
# Randomize page allocator when page_alloc.shuffle=1
SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;
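Review bot: REFCOUNT_FULL = whenBetween "4.13" "5.5" yes needs a comment on the upper bound: why full refcount checking is no longer requested from 5.5 on (otherwise this reads as dropping a hardening), and whether whenBetween treats "5.5" as inclusive, since the option must not be set on the first kernel that lacks it. The DEBUG_PI_LIST / DEBUG_PLIST split is done the right way, with 8e18fae cited; giving REFCOUNT_FULL the same treatment would make the intent clear.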
@@ -76,10 +77,19 @@ assert (versionAtLeast version "4.9");
# Disable various dangerous settings
ACPI_CUSTOM_METHOD = no; # Allows writing directly to physical memory
PROC_KCORE = no; # Exposes kernel text image layout
- INET_DIAG = no; # Has been used for heap based attacks in the past
+ INET_DIAG = mkForce no; # Has been used for heap based attacks in the past
+ INET_TCP_DIAG = mkForce (option no);
+ INET_UDP_DIAG = mkForce (option no);
+ INET_RAW_DIAG = mkForce (option no);
+ INET_DIAG_DESTROY = mkForce (option no);
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
CC_STACKPROTECTOR_REGULAR = whenOlder "4.18" no;
CC_STACKPROTECTOR_STRONG = whenOlder "4.18" yes;
+ # Satisfy configfile build
+ DEVMEM = yes; # needed for STRICT_DEVMEM to show, oh well to disabled DEVMEM
+ STRICT_DEVMEM = yes; # somehow wants this, probably because something we enabled needs it
+ IO_STRICT_DEVMEM = yes; # enabled from patchset, but for the sake of completion of the DEVMEM
+
}
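Review bot: DEVMEM = yes in the hardened config re-enables /dev/mem, and the comments on the three DEVMEM lines ("somehow wants this", "oh well") say the dependency is not understood. Before merging, identify which enabled option pulls DEVMEM in; if it really is required, keep STRICT_DEVMEM and IO_STRICT_DEVMEM = yes as here and replace the comments with the actual reason, so nobody later drops them as leftovers. The INET_DIAG change, mkForce no plus (option no) on the sub-options, is the right shape given the silent-override problem discussed above, but the rest of this file guards kernel-specific options with whenAtLeast/whenOlder; confirm the four new INET_*_DIAG lines resolve on every kernel this file targets (versionAtLeast 4.9 per the hunk header).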
Motivation for this change
Some of the options didn't have correct kernel version constraints, others had been removed or made optional unnecessarily in #84032.
cc @teto
Things done
- Tested using sandboxing (option sandbox in nix.conf on non-NixOS linux)
- Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
- Tested execution of all binary files (usually in ./result/bin/)
- Determined the impact on package closure size (by running nix path-info -S before and after)