hardenedLinuxPackagesFor: Make it possible to delay major updates

This adds an abstraction/hack to update the latest hardened kernel independent of linux_latest, which is required as the hardened patches aren't immediately available ([0] currently doesn't exist). Currently the Linux hardened patches aren't even available for 5.7 which was released on 2020-05-31 (already 9 days ago!). Therefore it is required to keep both linuxPackages_latest_hardened and linuxPackages_latest_xen_dom0_hardened at 5.6 until the patches for 5.7 are released. This abstraction makes that task more manageable but we should aim for a better solution to resolve this or at least a cleaner and more robust implementation (in the sense of better error messages). [0]: https://github.com/anthraxx/linux-hardened/releases/tag/5.7.1.a
2024-10-01 01:20:17 +02:00 · 2020-06-09 15:39:32 +02:00 · 2020-06-09 15:39:32 +02:00 · 551a9887e2
parent 19b2efbc39
commit 551a9887e2
1 changed files with 20 additions and 15 deletions
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -17126,6 +17126,7 @@ in
  linux = linuxPackages.kernel;

  # Update this when adding the newest kernel major version!
+  # And update linux_latest_for_hardened below if the patches are already available
  linuxPackages_latest = linuxPackages_5_7;
  linux_latest = linuxPackages_latest.kernel;

@ -17176,28 +17177,32 @@ in

  linuxPackages_latest_xen_dom0 = recurseIntoAttrs (linuxPackagesFor (pkgs.linux_latest.override { features.xen_dom0=true; }));

-  # Hardened linux
-  hardenedLinuxPackagesFor = kernel: linuxPackagesFor (kernel.override {
-    structuredExtraConfig = import ../os-specific/linux/kernel/hardened/config.nix {
-      inherit stdenv;
-      inherit (kernel) version;
-    };
-    kernelPatches = kernel.kernelPatches ++ [
-      kernelPatches.tag_hardened
-      kernelPatches.hardened.${kernel.meta.branch}
-    ];
-    modDirVersionArg = kernel.modDirVersion + "-hardened";
+  # Hardened Linux
+  hardenedLinuxPackagesFor = kernel': overrides:
+    let # Note: We use this hack since the hardened patches can lag behind and we don't want to delay updates:
+      linux_latest_for_hardened = pkgs.linux_5_6; # TODO: Update to linux_latest
+      kernel = (if kernel' == pkgs.linux_latest then linux_latest_for_hardened else kernel').override overrides;
+    in linuxPackagesFor (kernel.override {
+      structuredExtraConfig = import ../os-specific/linux/kernel/hardened/config.nix {
+        inherit stdenv;
+        inherit (kernel) version;
+      };
+      kernelPatches = kernel.kernelPatches ++ [
+        kernelPatches.tag_hardened
+        kernelPatches.hardened.${kernel.meta.branch}
+      ];
+      modDirVersionArg = kernel.modDirVersion + "-hardened";
  });

-  linuxPackages_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux);
+  linuxPackages_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux { });
  linux_hardened = linuxPackages_hardened.kernel;

-  linuxPackages_latest_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux_latest);
+  linuxPackages_latest_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux_latest { });
  linux_latest_hardened = linuxPackages_latest_hardened.kernel;

-  linuxPackages_xen_dom0_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor (pkgs.linux.override { features.xen_dom0=true; }));
+  linuxPackages_xen_dom0_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux { features.xen_dom0=true; });

-  linuxPackages_latest_xen_dom0_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor (pkgs.linux_latest.override { features.xen_dom0=true; }));
+  linuxPackages_latest_xen_dom0_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux_latest { features.xen_dom0=true; });

  # Hardkernel (Odroid) kernels.
  linuxPackages_hardkernel_4_14 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_hardkernel_4_14);