Commit 79081fda authored by Fabián Heredia Montiel

linux/hardened/patches/6.9: init at 6.9.1-hardened1

- ACPI_CUSTOM_METHOD: dropped in 0cc46f1a52b4220ec11d98a01575909ca820a7b4
- UBSAN_SANITIZE_ALL: dropped in 918327e9b7ffb45321cbb4b9b86b58ec555fe6b3
parent 2da64127
+1 −0
@@ -32,6 +32,7 @@ let
      linux_6_1_hardened
      linux_6_6_hardened
      linux_6_8_hardened
      linux_6_9_hardened
      linux_rt_5_4
      linux_rt_5_10
      linux_rt_5_15
+2 −2
@@ -88,7 +88,7 @@ assert (versionAtLeast version "4.9");
  UBSAN      = yes;
  UBSAN_TRAP = whenAtLeast "5.7" yes;
  UBSAN_BOUNDS = whenAtLeast "5.7" yes;
  UBSAN_SANITIZE_ALL = yes;
  UBSAN_SANITIZE_ALL = whenOlder "6.9" yes;
  UBSAN_LOCAL_BOUNDS = option yes; # clang only
  CFI_CLANG = option yes; # clang only Control Flow Integrity since 6.1

@@ -97,7 +97,7 @@ assert (versionAtLeast version "4.9");
  RANDSTRUCT_PERFORMANCE = whenAtLeast "5.19" yes;

  # Disable various dangerous settings
  ACPI_CUSTOM_METHOD = no; # Allows writing directly to physical memory
  ACPI_CUSTOM_METHOD = whenOlder "6.9" no; # Allows writing directly to physical memory
  PROC_KCORE         = no; # Exposes kernel text image layout
  INET_DIAG          = no; # Has been used for heap based attacks in the past
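Review bot: The two `whenOlder "6.9"` gates have no comment saying why the setting stops at 6.9, so a later reader could take the `ACPI_CUSTOM_METHOD` line as a hardening control that was relaxed for newer kernels. The commit message records that both symbols were dropped upstream (0cc46f1a52b4 and 918327e9b7ff), and that rationale belongs next to the settings, e.g. `ACPI_CUSTOM_METHOD = whenOlder "6.9" no; # Allows writing directly to physical memory; symbol removed upstream in 6.9`. For `UBSAN_SANITIZE_ALL`, upstream appears to have made all-object instrumentation the default when it removed the symbol, but that is not visible on this page. It is worth confirming against the generated 6.9 config that UBSAN coverage is unchanged, then noting it on the line, e.g. `# removed in 6.9, instrumentation of all objects is implied by UBSAN`.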

+10 −0
@@ -68,5 +68,15 @@
        },
        "sha256": "0xjirg2w5fc2w2q6wr702akszq32m31lk4q5nbjq10zqhbcr5fxh",
        "version": "6.8.10"
    },
    "6.9": {
        "patch": {
            "extra": "-hardened1",
            "name": "linux-hardened-6.9.1-hardened1.patch",
            "sha256": "1zp0qwri43v4h234x1vqbwcbd50hryshi7i717xandzkpxvq72l2",
            "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.9.1-hardened1/linux-hardened-6.9.1-hardened1.patch"
        },
        "sha256": "0jn0qp22vx7xf2mgaj7cwf8agqhahvrwlda4ak6rw67xk2x19d01",
        "version": "6.9.1"
    }
}
+2 −0
@@ -27330,6 +27330,8 @@ with pkgs;
  linux_6_6_hardened = linuxKernel.kernels.linux_6_6_hardened;
  linuxPackages_6_8_hardened = linuxKernel.packages.linux_6_8_hardened;
  linux_6_8_hardened = linuxKernel.kernels.linux_6_8_hardened;
  linuxPackages_6_9_hardened = linuxKernel.packages.linux_6_9_hardened;
  linux_6_9_hardened = linuxKernel.kernels.linux_6_9_hardened;
  # GNU Linux-libre kernels
  linuxPackages-libre = linuxKernel.packages.linux_libre;
+2 −0
@@ -270,6 +270,7 @@ in {
    linux_6_1_hardened = hardenedKernelFor kernels.linux_6_1 { };
    linux_6_6_hardened = hardenedKernelFor kernels.linux_6_6 { };
    linux_6_8_hardened = hardenedKernelFor kernels.linux_6_8 { };
    linux_6_9_hardened = hardenedKernelFor kernels.linux_6_9 { };

  } // lib.optionalAttrs config.allowAliases {
    linux_4_9 = throw "linux 4.9 was removed because it will reach its end of life within 22.11";
@@ -659,6 +660,7 @@ in {
    linux_6_1_hardened = recurseIntoAttrs (packagesFor kernels.linux_6_1_hardened);
    linux_6_6_hardened = recurseIntoAttrs (packagesFor kernels.linux_6_6_hardened);
    linux_6_8_hardened = recurseIntoAttrs (packagesFor kernels.linux_6_8_hardened);
    linux_6_9_hardened = recurseIntoAttrs (packagesFor kernels.linux_6_9_hardened);

    linux_zen = recurseIntoAttrs (packagesFor kernels.linux_zen);
    linux_lqx = recurseIntoAttrs (packagesFor kernels.linux_lqx);