I can't submit this in smaller units because the various components all
depend on one another during the stdenv bootstrap, so I think this is
the smallest sensible change I can make.
I also removed the symbol-hiding shenanigans in Libsystem. It might mess
up compatibility with 10.9 but I don't really want to support the added
complexity and I see little evidence of anyone else wanting to support
it. If someone cares, we might be able to revive compatibility, but for
now it'll stay like this.
For instance, the current 3.10 kernel build fails at the end with:
unused option: BRCMFMAC_PCIE
unused option: FW_LOADER_USER_HELPER_FALLBACK
unused option: KEXEC_FILE
unused option: RANDOMIZE_BASE
However, it's not obvious that only the _last_ one is actually fatal to
the build. After this change it's at least somewhat better:
warning: unused option: BRCMFMAC_PCIE
warning: unused option: FW_LOADER_USER_HELPER_FALLBACK
warning: unused option: KEXEC_FILE
error: unused option: RANDOMIZE_BASE
Adds basic support for Intel GMA3600/3650 (Intel Cedar Trail) platforms
and support for GMA600 (Intel Moorestown/Oaktrail) platforms with LVDS
ports via the gma500_gfx module.
Resolves#14727Closes#17519
The patch is from the following Gentoo bug:
https://bugs.gentoo.org/show_bug.cgi?id=523326#c24
Built successfully against Linux 3.18.36, 4.4.16 and 4.7.0.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @phreedom, @vcunat
The patch for kernel version 3.18 is already applied upstream, so we
don't need it any longer.
Without i686-build-failure.patch, the build for i686-linux fails because
it references rdtscl(), which is no longer available in Linux 4.3.0.
Patch for missing rdtscl() is from Arch Linux:
https://aur.archlinux.org/cgit/aur.git/tree/002-rdtscl.patch?h=broadcom-wl-ck
I've tested building against 32 and 64 bit Linux versions 3.18.36,
4.4.16 and 4.7.0.
The hashes were verified using the ones from the AUR (using the 16 bit
hashes of course):
$ nix-hash --type sha256 --to-base16 1kaqa2dw3nb8k23ffvx46g8jj3wdhz8xa6jp1v3wb35cjfr712sg
4f8b70b293ac8cc5c70e571ad5d1878d0f29d133a46fe7869868d9c19b5058cd
$ nix-hash --type sha256 --to-base16 1gj485qqr190idilacpxwgqyw21il03zph2rddizgj7fbd6pfyaz
5f79774d5beec8f7636b59c0fb07a03108eef1e3fd3245638b20858c714144be
AUR hashes can be found at:
https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=broadcom-wl&id=9d6f10b1b7745fbf5d140ac749e2253caf70daa8#n26
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @phreedom, @vcunat
While useless for binaries within the Nix store, user xattrs are a convenient
alternative for setting PaX flags to executables outside of the store.
To use disable secure memory protections for a non-store file foo, do
$ setfattr -n user.pax.flags -v em foo
Fixed for all available 4.x series kernels.
From CVE-2016-5829:
Multiple heap-based buffer overflows in the hiddev_ioctl_usage function
in drivers/hid/usbhid/hiddev.c in the Linux kernel through 4.6.3 allow
local users to cause a denial of service or possibly have unspecified
other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl
call.
This enables a few features that should be useful and safe (they're
all used by the default Ubuntu kernel config), in particular zswap,
wakelocks, kernel load address randomization, userfaultfd (useful for
QEMU), paravirtualized spinlocks and automatic process group
scheduling.
Also removes some configuration conditional on kernel versions that we
no longer support.
- Add a patch to unset CONFIG_LOCALVERSION in the v7 build.
- Copy all the device trees to match the upstream names so U-Boot can
find them. (This is a hack.)
The config option DEVPTS_MULTIPLE_INSTANCES now no longer exists since
torvalds/linux@eedf265aa0.
Built successfully on my Hydra instance:
https://headcounter.org/hydra/log/r4n6sv0zld0aj65r7l494757s2r8w8sr-linux-4.7-rc6.drv
Verified unpacked tarball with GnuPG:
ABAF 11C6 5A29 70B1 30AB E3C4 79BE 3E43 0041 1886
gpg: Signature made Mon 04 Jul 2016 08:13:05 AM CEST
gpg: using RSA key 79BE3E4300411886
gpg: Good signature from "Linus Torvalds <torvalds@linux-foundation.org>"
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
- Use fetchFromGitHub
- Some files in bin/ are now shell scripts, so skip patchelf on any
non-ELF files.
With this U-Boot can be successfully launched on a RPi 3.
Without these patches, specifically the
0001-Do-not-assume-fixed-line-lengths-for-proc-acpi-wakeu.patch (wakeu
patch typo from upstream,) acpitool will consume 100% CPU when reading
long lines (>40 characters) like:
ADP1 S4 *disabled platform:ACPI0003:00
In line with the Nixpkgs manual.
A mechanical change, done with this command:
find pkgs -name "*.nix" | \
while read f; do \
sed -e 's/description\s*=\s*"\([a-z]\)/description = "\u\1/' -i "$f"; \
done
I manually skipped some:
* Descriptions starting with an abbreviation, a user name or package name
* Frequently generated expressions (haskell-packages.nix)
This patch replaces the old grsecurity kernels with a single NixOS
specific grsecurity kernel. This kernel is intended as a general
purpose kernel, tuned for casual desktop use.
Providing only a single kernel may seem like a regression compared to
offering a multitude of flavors. It is impossible, however, to
effectively test and support that many options. This is amplified by
the reality that very few seem to actually use grsecurity on NixOS,
meaning that bugs go unnoticed for long periods of time, simply because
those code paths end up never being exercised. More generally, it is
hopeless to anticipate imagined needs. It is better to start from a
solid foundation and possibly add more flavours on demand.
While the generic kernel is intended to cover a wide range of use cases,
it cannot cover everything. For some, the configuration will be either
too restrictive or too lenient. In those cases, the recommended
solution is to build a custom kernel --- this is *strongly* recommended
for security sensitive deployments.
Building a custom grsec kernel should be as simple as
```nix
linux_grsec_nixos.override {
extraConfig = ''
GRKERNSEC y
PAX y
# and so on ...
'';
}
```
The generic kernel should be usable both as a KVM guest and host. When
running as a host, the kernel assumes hardware virtualisation support.
Virtualisation systems other than KVM are *unsupported*: users of
non-KVM systems are better served by compiling a custom kernel.
Unlike previous Grsecurity kernels, this configuration disables `/proc`
restrictions in favor of `security.hideProcessInformation`.
Known incompatibilities:
- ZFS: can't load spl and zfs kernel modules; claims incompatibility
with KERNEXEC method `or` and RAP; changing to `bts` does not fix the
problem, which implies we'd have to disable RAP as well for ZFS to
work
- `kexec()`: likely incompatible with KERNEXEC (unverified)
- Xen: likely incompatible with KERNEXEC and UDEREF (unverified)
- Virtualbox: likely incompatible with UDEREF (unverified)
Per my own testing, the NixOS grsecurity kernel works both as a
KVM-based virtualisation host and guest; there appears to be no good
reason to making these conditional on `features.grsecurity`.
More generally, it's unclear what `features.grsecurity` *means*. If
someone configures a grsecurity kernel in such a fashion that it breaks
KVM support, they should know to disable KVM themselves.
This was presumably set for grsecurity compatibility, but now appears
redundant. Grsecurity does not expect nor require /dev/kmem to be
present and so it makes little sense to continue making its inclusion in
the standard kernel dependent on grsecurity.
More generally, given the large number of possible grsecurity
configurations, it is unclear what `features.grsecurity` even
*means* and its use should be discouraged.
