diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
index f88be3918795c..20c64f2a67106 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
@@ -717,6 +717,16 @@ option was removed and HTTPS is always used. + + + The attribute linuxPackages_latest_hardened + was dropped because the hardened patches lag behind the + upstream kernel which made version bumps harder. If you want + to use a hardened kernel, please pin it explicitly with a + versioned attribute such as + linuxPackages_5_10_hardened. + +
diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md
index b7cb31883f674..87747e0fc1baa 100644
--- a/nixos/doc/manual/release-notes/rl-2111.section.md
+++ b/nixos/doc/manual/release-notes/rl-2111.section.md
@@ -183,6 +183,11 @@ To be able to access the web UI this port needs to be opened in the firewall. - The `kubernetes` package was upgraded to 1.22. The `kubernetes.apiserver.kubeletHttps` option was removed and HTTPS is always used. +- The attribute `linuxPackages_latest_hardened` was dropped because the hardened patches + lag behind the upstream kernel which made version bumps harder. If you want to use + a hardened kernel, please pin it explicitly with a versioned attribute such as + `linuxPackages_5_10_hardened`. + ## Other Notable Changes {#sec-release-21.11-notable-changes} - The setting [`services.openssh.logLevel`](options.html#opt-services.openssh.logLevel) `"VERBOSE"` `"INFO"`. This brings NixOS in line with upstream and other Linux distributions, and reduces log spam on servers due to bruteforcing botnets.
diff --git a/nixos/tests/kernel-generic.nix b/nixos/tests/kernel-generic.nix
index 62d80db2915b1..5993d0e6ab784 100644
--- a/nixos/tests/kernel-generic.nix
+++ b/nixos/tests/kernel-generic.nix
@@ -33,5 +33,10 @@ with pkgs; {
 linux_5_10 = makeKernelTest "5.10" linuxPackages_5_10;
 linux_5_13 = makeKernelTest "5.13" linuxPackages_5_13;
+ linux_hardened_4_14 = makeKernelTest "4.14" linuxPackages_4_14_hardened;
+ linux_hardened_4_19 = makeKernelTest "4.19" linuxPackages_4_19_hardened;
+ linux_hardened_5_4 = makeKernelTest "5.4" linuxPackages_5_4_hardened;
+ linux_hardened_5_10 = makeKernelTest "5.10" linuxPackages_5_10_hardened;
+
 linux_testing = makeKernelTest "testing" linuxPackages_testing;
 }
diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix
index 20f9f5aaa147b..973e6d50adfe5 100644
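Review bot: The new test attributes in the kernel-generic.nix hunk put the variant before the version (`linux_hardened_4_14`) while the packages they exercise put it after (`linuxPackages_4_14_hardened`), so a reader mapping a failing test to its package has to flip the order; `linux_4_14_hardened = makeKernelTest "4.14" linuxPackages_4_14_hardened;` (and likewise for 4.19, 5.4, 5.10) would match the package naming and the removed `linux_latest_hardened` convention. The default `linuxPackages_hardened`, which tracks whatever `pkgs.linux` currently is, gets no entry in this hunk; if it is not covered elsewhere in the file it is the hardened attribute most likely to break silently when `pkgs.linux` moves to a branch whose hardened patches are not yet available. The enclosing `with pkgs; {` attribute set begins and ends outside the hunk.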
--- a/pkgs/os-specific/linux/kernel/hardened/config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened/config.nix
@@ -88,7 +88,7 @@ assert (versionAtLeast version "4.9");
 INET_MPTCP_DIAG = option no;
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
- CC_STACKPROTECTOR_REGULAR = whenOlder "4.18" no;
+ CC_STACKPROTECTOR_REGULAR = lib.mkForce (whenOlder "4.18" no);
 CC_STACKPROTECTOR_STRONG = whenOlder "4.18" yes;
 # Detect out-of-bound reads/writes and use-after-free
diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix
index 7387d71883846..eaeff814e13bb 100644
--- a/pkgs/top-level/aliases.nix
+++ b/pkgs/top-level/aliases.nix
@@ -448,6 +448,20 @@ mapAliases ({
 linuxPackages_xen_dom0_hardened = linuxPackages_hardened;
 linuxPackages_latest_xen_dom0_hardened = linuxPackages_latest_hardened;
+ # added 2021-08-16
+ linuxPackages_latest_hardened = throw ''
+ The attribute `linuxPackages_hardened_latest' was dropped because the hardened patches
+ frequently lag behind the upstream kernel. In some cases this meant that this attribute
+ had to refer to an older kernel[1] because the latest hardened kernel was EOL and
+ the latest supported kernel didn't have patches.
+
+ If you want to use a hardened kernel, please check which kernel minors are supported
+ and use a versioned attribute, e.g. `linuxPackages_5_10_hardened'.
+
+ [1] for more context: https://github.com/NixOS/nixpkgs/pull/133587
+ '';
+ linux_latest_hardened = linuxPackages_latest_hardened;
+
 linux-steam-integration = throw "linux-steam-integration has been removed, as the upstream project has been abandoned"; # added 2020-05-22
 loadcaffe = throw "loadcaffe has been removed, as the upstream project has been abandoned"; # added 2020-03-28
 lobster-two = google-fonts; # added 2021-07-22
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index e81649f864fb6..8d6d2b4248eea 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
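Review bot: The `lib.mkForce` added on `CC_STACKPROTECTOR_REGULAR` carries no comment saying what it is overriding, and its sibling `CC_STACKPROTECTOR_STRONG` two lines below is not forced, so a later reader cannot tell whether the asymmetry is deliberate or whether the strong setting can still lose a merge conflict. Presumably the generic kernel config also defines `CC_STACKPROTECTOR_REGULAR` for pre-4.18 kernels and this only became a conflict now that 4.14 and 4.19 get the hardened profile in this series; if so, say it: `# mkForce: the generic config may also set REGULAR on pre-4.18 kernels; the hardened profile must win so the weaker protector is never selected.` The attribute set this line belongs to starts and ends outside the hunk.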
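Review bot: The error text of the new `linuxPackages_latest_hardened` throw in the aliases.nix hunk names an attribute that never existed: it says `linuxPackages_hardened_latest' while the attribute being removed (and the one the release notes name) is `linuxPackages_latest_hardened`, so a user who hits the message and searches their configuration for the quoted name finds nothing. Change the quoted name on the first line of the message from `linuxPackages_hardened_latest` to `linuxPackages_latest_hardened`. The surviving `linuxPackages_latest_xen_dom0_hardened` alias two context lines above now resolves to this same throw, so its users get a message about an attribute they never referenced; either mention that alias in the message or give it its own throw.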
@@ -21553,11 +21553,8 @@ with pkgs;
 linuxPackages_testing_bcachefs = recurseIntoAttrs (linuxPackagesFor pkgs.linux_testing_bcachefs);
 # Hardened Linux
- hardenedLinuxPackagesFor = kernel': overrides:
- let # Note: We use this hack since the hardened patches can lag behind and we don't want to delay updates:
- linux_latest_for_hardened = pkgs.linux_5_10;
- kernel = (if kernel' == pkgs.linux_latest then linux_latest_for_hardened else kernel').override overrides;
- in linuxPackagesFor (kernel.override {
+ hardenedLinuxPackagesFor = kernel: overrides:
+ linuxPackagesFor (kernel.override {
 structuredExtraConfig = import ../os-specific/linux/kernel/hardened/config.nix {
 inherit lib;
 inherit (kernel) version;
@@ -21572,8 +21569,17 @@ with pkgs;
 linuxPackages_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux { });
 linux_hardened = linuxPackages_hardened.kernel;
- linuxPackages_latest_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux_latest { });
- linux_latest_hardened = linuxPackages_latest_hardened.kernel;
+ linuxPackages_4_14_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux_4_14 { });
+ linux_4_14_hardened = linuxPackages_4_14_hardened.kernel;
+
+ linuxPackages_4_19_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux_4_19 { });
+ linux_4_19_hardened = linuxPackages_4_19_hardened.kernel;
+
+ linuxPackages_5_4_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux_5_4 { });
+ linux_5_4_hardened = linuxPackages_5_4_hardened.kernel;
+
+ linuxPackages_5_10_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux_5_10 { });
+ linux_5_10_hardened = linuxPackages_5_10_hardened.kernel;
 # Hardkernel (Odroid) kernels.
 linuxPackages_hardkernel_4_14 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_hardkernel_4_14);
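Review bot: `hardenedLinuxPackagesFor` still takes `overrides`, but the rewritten head no longer applies it: the removed `kernel = (...).override overrides;` was the only visible use, and the new `linuxPackagesFor (kernel.override {` passes `kernel` straight through. Unless the part of the `kernel.override { ... }` body outside the hunk merges `overrides` in, every caller's overrides are silently dropped, and the four `hardenedLinuxPackagesFor pkgs.linux_X { }` call sites in the next hunk would never expose it because they pass `{ }`. If the body does merge it, the precedence has changed — overrides used to be applied before the hardened config, so hardened settings won — and a one-line comment on the parameter stating which side wins would settle it for the next reader, e.g. `# overrides: extra kernel.override args; hardened settings below take precedence`. The function body continues outside the hunk.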
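Review bot: The four versioned hardened attribute pairs in the second hunk form a list that must be kept in step with two other places this commit touches — the tests in `nixos/tests/kernel-generic.nix` and the versioned attribute recommended in the `aliases.nix` error message — yet nothing at the site says so. Add a short comment above `linuxPackages_4_14_hardened`, e.g. `# Versioned hardened kernels: only branches with current hardened patches; add a matching test in nixos/tests/kernel-generic.nix when adding one.` The comment would also explain why `linux_5_13`, which the test file already covers, has no hardened sibling here (presumably because its hardened patch set is not available yet, per the release note); without it the omission reads like an oversight.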