This should make the composability of kernel configurations more straightforward.
- now distinguish freeform options from tristate ones
- will look for a structured config in kernelPatches too
one can now access the structuredConfig from a kernel via linux_test.configfile.structuredConfig
in order to reinject it into another kernel, no need to rewrite the config from scratch
The following merge strategies are used in case of conflict:
-- freeform items must be equal or they conflict (mergeEqualOption)
-- for tristate (y/m/n) entries, I use the mergeAnswer strategy which takes the best available value, "best" being defined by the user (by default "y" > "m" > "n", e.g. if one entry is both marked "y" and "n", "y" wins)
-- if one item is both marked optional/mandatory, mandatory wins (mergeFalseByDefault)
Instead of using a string to describe kernel config, use a nix
attribute set, then converted to a string.
- allows one to override the config, aka convert 'yes' into 'modules' or
vice-versa
- while for now merging different configs is still crude (last spec wins),
at least there should be only one CONFIG_XYZ value compared to the current string
config where the first defined would be used and others ignored.
[initial idea by copumpkin in 2016, a major rebase to 2018 by teto]
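The two commit messages above describe a structured (attribute-set) kernel config with three merge strategies: freeform options must be equal (mergeEqualOption), tristate options take the best-ranked value with a user-definable ranking (mergeAnswer), and optional/mandatory entries resolve to mandatory (mergeFalseByDefault), before the set is rendered to .config text. The Python below is an added illustration of those semantics written for this page; it is not the nixpkgs Nix implementation, and the `Entry` shape, function names and the sample `BASE`/`OVERRIDE` sets are assumptions made for the example.

```python
# Added example: a Python model of the merge rules for structured kernel
# config described in the commits above. Not nixpkgs code; Entry, the
# function names and the sample configs are assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, Mapping

# Default preference for tristate answers: "y" beats "m" beats "n".
TRISTATE_RANK = {"y": 2, "m": 1, "n": 0}


@dataclass(frozen=True)
class Entry:
    value: str               # "y"/"m"/"n" for tristate; any string when freeform
    optional: bool = False   # optional entries may be dropped if the kernel lacks them
    freeform: bool = False   # True for string/int options such as CMDLINE="..."


class ConfigConflict(ValueError):
    """Raised when two config fragments cannot be merged."""


def merge_entry(name: str, a: Entry, b: Entry,
                rank: Mapping[str, int] = TRISTATE_RANK) -> Entry:
    """Merge two entries for the same option according to the page's rules."""
    freeform = a.freeform or b.freeform
    if freeform:
        # mergeEqualOption: freeform values must be identical or they conflict
        if a.value != b.value:
            raise ConfigConflict(f"{name}: {a.value!r} != {b.value!r}")
        value = a.value
    else:
        # mergeAnswer: take the best available tristate value per the ranking
        for e in (a, b):
            if e.value not in rank:
                raise ConfigConflict(f"{name}: {e.value!r} is not a tristate value")
        value = max(a.value, b.value, key=rank.__getitem__)
    # mergeFalseByDefault: the entry is optional only if every source says so
    optional = a.optional and b.optional
    return Entry(value, optional, freeform)


def merge_configs(*configs: Mapping[str, Entry],
                  rank: Mapping[str, int] = TRISTATE_RANK) -> Dict[str, Entry]:
    """Fold any number of config fragments into one attribute set."""
    merged: Dict[str, Entry] = {}
    for cfg in configs:
        for name, entry in cfg.items():
            merged[name] = (merge_entry(name, merged[name], entry, rank)
                            if name in merged else entry)
    return merged


def render_config(cfg: Mapping[str, Entry]) -> str:
    """Render the attribute set as Kconfig .config text, one CONFIG_X per option."""
    lines = []
    for name in sorted(cfg):
        e = cfg[name]
        if not e.freeform and e.value == "n":
            lines.append(f"# CONFIG_{name} is not set")
        else:
            lines.append(f"CONFIG_{name}={e.value}")
    return "\n".join(lines) + "\n"


# Constructed sample fragments: a base config and a user override.
BASE = {
    "YAMA": Entry("y"),
    "EXT4_ENCRYPTION": Entry("m", optional=True),
    "DEBUG_INFO": Entry("y"),
    "CMDLINE": Entry('"console=ttyS0"', freeform=True),
}
OVERRIDE = {
    "EXT4_ENCRYPTION": Entry("y"),          # mandatory "y" beats optional "m"
    "DEBUG_INFO": Entry("n"),               # "y" still wins under the default ranking
    "BPF_SYSCALL": Entry("y"),
}


def merged_default() -> Dict[str, Entry]:
    return merge_configs(BASE, OVERRIDE)


def merged_prefer_n() -> Dict[str, Entry]:
    # A user-defined ranking where "n" is "best": lets an override switch things off.
    return merge_configs(BASE, OVERRIDE, rank={"n": 2, "m": 1, "y": 0})


if __name__ == "__main__":
    print(render_config(merged_default()))
```

Under the default ranking an entry that is both "y" and "n" stays "y", which is why the example also shows a ranking that prefers "n"; a real fragment that needs an option switched off must therefore either control the ranking or avoid contradicting a mandatory "y" elsewhere.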
Following legacy packaging conventions, `isArm` was defined just for
32-bit ARM instruction set. This is confusing to non packagers though,
because Aarch64 is an ARM instruction set.
The official ARM overview for ARMv8[1] is surprisingly not confusing,
given the overall state of affairs for ARM naming conventions, and
offers us a solution. It divides the nomenclature into three levels:
```
ISA:        ARMv8 {-A, -R, -M}
                 /         \
Mode:       Aarch32       Aarch64
             /    \          |
Encoding:   A32   T32       A64
```
At the top is the overall v8 instruction set architecture. Second are the
two modes, defined by bitwidth but differing in other semantics too, and
bottom are the encodings, (hopefully?) isomorphic if they encode the
same mode.
The 32 bit encodings are mostly backwards compatible with previous
non-Thumb and Thumb encodings, and if so we can pun the mode names to
instead mean "sets of compatible or isomorphic encodings", and then
voilà we have nice names for 32-bit and 64-bit arm instruction sets
which do not use the word ARM so as to not confuse either laymen or
experienced ARM packagers.
[1]: https://developer.arm.com/products/architecture/a-profile
Avoids the following warning:
File /.../systemd-journald.service:35 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
They got removed:
commit 003948c54e5b5034a9bbb4923336f5aba125eae6
Author: Benjamin Gilbert <benjamin.gilbert@coreos.com>
Date: Tue Jan 23 18:06:30 2018 -0800
USB: serial: keyspan: Drop firmware Kconfig options
The USB_SERIAL_KEYSPAN_* firmware options no longer do anything.
No reason to have complex version-dependent conditionals when the
question mark already handles this just as well.
Also add RUNTIME_TESTING_MENU setting which nicely disables all of this
on >= 4.16.
- defined buildLinux as generic.nix instead of manual-config.nix. This
makes kernel derivations a tad more similar to your typical derivations.
- moved $buildRoot to within the source folder, this way it doesn't have to be created before the unpackPhase
and makes it easier to work on kernel source without running the unpackPhase
With this disabled, cameras would not get a `/dev/mediaX` entry matching
the `/dev/videoX` which broke any application (e.g. `uvcdynctrl -l`,
`media-ctl -p`) depending on this interface.
Since we don't have a split debug info output yet, don't waste time
writing several gigabytes of debug info that's all going to be stripped
out at the end.
This change only affects Aarch64 (where some joker has enabled it in the
architecture defconfig) and is a no-op on the others.
There is no maintainer for this package, probably not many users.
It requires effort to fix all third-party modules for these old kernel
versions. It might contain unpatched security holes.
For Pixel chromebooks, we have the samus-kernel.
Apart from that https://github.com/GalliumOS/linux might be a good choice.
There's an upstream build failure on ARM (not directly related to Xen
but rather some other config options it enables). The xen package is
x86_64-only anyways.
Linux 4.9 includes experimental amdgpu support for AMD Southern Islands
chipsets. (By default, only Sea Islands and newer chipsets are supported.)
Southern Islands chips will still use radeon by default, but daring users may
set `services.xserver.videoDrivers = [ "amdgpu" ];` to try the experimental
driver.
The plan is to fix mounting DFS shares on NixOS (for which some of these
options are needed), but I figured it might be a good idea to enable all
CONFIG_CIFS_* like Fedora 24 and Ubuntu 16.04 while at it. Ubuntu even
has CONFIG_CIFS_SMB311, but as Fedora does not, I left it out.
Mounting DFS shares still doesn't work; need to configure cifs.upcall
and /etc/request-key.conf. Until then, using GVFS as a workaround.
Enable encryption support for both F2FS and ext4. For ext4 this is a bit
tricky, since pre-4.8 the way to enable it as a module was just
"EXT4_ENCRYPTION=m" but after that it changed to "FS_ENCRYPTION=m &&
EXT4_ENCRYPTION=y".
Also make sure UDF is enabled.
The Yama Linux Security Module restricts the use of ptrace so that
processes cannot ptrace processes that are not their children. This
prevents attackers from compromising one user-level process and
snooping on the memory and runtime state of other processes owned
by the same user.
List of what to enable taken from https://lwn.net/Articles/672587/.
This doesn't change the resulting x86 configs, but is more useful for
other architectures. For instance, POSIX_MQUEUE is currently missing
on ARM.
Adds basic support for Intel GMA3600/3650 (Intel Cedar Trail) platforms
and support for GMA600 (Intel Moorestown/Oaktrail) platforms with LVDS
ports via the gma500_gfx module.
Resolves #14727
Closes #17519
This enables a few features that should be useful and safe (they're
all used by the default Ubuntu kernel config), in particular zswap,
wakelocks, kernel load address randomization, userfaultfd (useful for
QEMU), paravirtualized spinlocks and automatic process group
scheduling.
Also removes some configuration conditional on kernel versions that we
no longer support.
The config option DEVPTS_MULTIPLE_INSTANCES now no longer exists since
torvalds/linux@eedf265aa0.
Built successfully on my Hydra instance:
https://headcounter.org/hydra/log/r4n6sv0zld0aj65r7l494757s2r8w8sr-linux-4.7-rc6.drv
Verified unpacked tarball with GnuPG:
ABAF 11C6 5A29 70B1 30AB E3C4 79BE 3E43 0041 1886
gpg: Signature made Mon 04 Jul 2016 08:13:05 AM CEST
gpg: using RSA key 79BE3E4300411886
gpg: Good signature from "Linus Torvalds <torvalds@linux-foundation.org>"
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Per my own testing, the NixOS grsecurity kernel works both as a
KVM-based virtualisation host and guest; there appears to be no good
reason to make these conditional on `features.grsecurity`.
More generally, it's unclear what `features.grsecurity` *means*. If
someone configures a grsecurity kernel in such a fashion that it breaks
KVM support, they should know to disable KVM themselves.
This was presumably set for grsecurity compatibility, but now appears
redundant. Grsecurity does not expect nor require /dev/kmem to be
present and so it makes little sense to continue making its inclusion in
the standard kernel dependent on grsecurity.
More generally, given the large number of possible grsecurity
configurations, it is unclear what `features.grsecurity` even
*means* and its use should be discouraged.
- Enable BPF_SYSCALL and BPF_EVENTS
- Build modules for NET_CLS_BPF and NET_ACT_BPF
With these config options we can leverage the full potential of BPF for
tracing and instrumenting Linux systems, for example using
libraries/tools like those provided by the bcc project.
This hopefully fixes intermittent initrd failures where udevd cannot
create a Unix domain socket:
machine# running udev...
machine# error getting socket: Address family not supported by protocol
machine# error initializing udev control socket
machine# error getting socket: Address family not supported by protocol
The "unix" kernel module is supposed to be loaded automatically, and
clearly that works most of the time, but maybe there is a race
somewhere. In any case, no sane person would run a kernel without Unix
domain sockets, so we may as well make it builtin.
http://hydra.nixos.org/build/30001448
Systemd dropped support in 207 (would be nice if configure failed with a bad flag),
so all this does is add an annoying delay if firmware can't be found by the kernel
Namespace support is required by the `unshare` tool used in
`nixos-install`. It's enabled by the x86 defconfig, but not by
e.g. multi_v7_defconfig. So enable it here so that `nixos-install`
can work on ARM.
KVM_COMPAT apparently enables 32-bit compatibility syscalls for KVM, and
as such can be enabled only on a 64-bit system.
Resolves error http://hydra.nixos.org/build/23014132/nixlog/1/raw:
GOT: #
GOT: # configuration written to .config
GOT: #
GOT: make[1]: Leaving directory '/tmp/nix-build-linux-config-4.0.5.drv-0/build'
GOT: make: Leaving directory '/tmp/nix-build-linux-config-4.0.5.drv-0/linux-4.0.5'
unused option: KVM_COMPAT
builder for ‘/nix/store/7kskdvmzs116f1fm55ghm0crjniw9q0a-linux-config-4.0.5.drv’ failed with exit code 255
IKCONFIG must be enabled so IKCONFIG_PROC can be set. On x86 IKCONFIG
gets implicitly enabled by kernelAutoModules in platforms.nix. But ARM
doesn't use kernelAutoModules, so IKCONFIG_PROC won't get enabled
without this patch.
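The Yama commit above enables the ptrace-restricting LSM, the BPF commit enables tracing support, and this one makes IKCONFIG_PROC available so the running kernel's configuration can be read from /proc/config.gz. The following Python is an added example for this page, not nixpkgs code: it parses Kconfig `.config` text, compares the options these commits mention against the values they set, and can audit the live kernel through /proc/config.gz and /proc/sys/kernel/yama/ptrace_scope when those files exist. The `EXPECTED` table and the sample `.config` are constructed for the example; the Kconfig symbol names are the real ones (Yama's is `SECURITY_YAMA`).

```python
# Added example (not nixpkgs code): audit a Kconfig .config for the options
# discussed in the commits above. The EXPECTED table and SAMPLE_CONFIG are
# constructed for this illustration.
import gzip
import os
import re
from typing import Dict, List, Optional, Tuple

SET_RE = re.compile(r"^CONFIG_([A-Za-z0-9_]+)=(.*)$")
UNSET_RE = re.compile(r"^# CONFIG_([A-Za-z0-9_]+) is not set$")


def parse_kconfig(text: str) -> Dict[str, str]:
    """Parse .config text into {SYMBOL: value}; '# ... is not set' becomes 'n'."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SET_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = UNSET_RE.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


# Values the commit messages on this page set for these symbols.
EXPECTED = {
    "SECURITY_YAMA": "y",   # Yama LSM: ptrace only of descendants
    "BPF_SYSCALL": "y",     # bpf(2) available for tracing tools (bcc etc.)
    "BPF_EVENTS": "y",
    "NET_CLS_BPF": "m",
    "NET_ACT_BPF": "m",
    "IKCONFIG_PROC": "y",   # exposes /proc/config.gz for exactly this kind of audit
    "UNIX": "y",            # Unix domain sockets built in, not a module
    "DEBUG_INFO": "n",      # no unsplit debug info to be stripped later
}


def check_expected(opts: Dict[str, str],
                   expected: Dict[str, str] = EXPECTED) -> List[Tuple[str, str, str]]:
    """Return [(symbol, wanted, actual)] for every option that deviates.

    An absent symbol is treated as "n", and a built-in "y" satisfies a "m"
    expectation because the functionality is present either way.
    """
    mismatches = []
    for name, want in expected.items():
        got = opts.get(name, "n")
        if got == want or (want == "m" and got == "y"):
            continue
        mismatches.append((name, want, got))
    return mismatches


def load_running_config(path: str = "/proc/config.gz") -> Optional[Dict[str, str]]:
    """Read the live kernel's config; None when IKCONFIG_PROC is not enabled."""
    if not os.path.exists(path):
        return None
    with gzip.open(path, "rt") as fh:
        return parse_kconfig(fh.read())


def yama_ptrace_scope(path: str = "/proc/sys/kernel/yama/ptrace_scope") -> Optional[int]:
    """Current Yama ptrace scope (0-3), or None when Yama is not loaded."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return int(fh.read().strip())


# Constructed sample .config (not from a real kernel build) with two deviations.
SAMPLE_CONFIG = """\
CONFIG_SECURITY_YAMA=y
CONFIG_BPF_SYSCALL=y
# CONFIG_BPF_EVENTS is not set
CONFIG_NET_CLS_BPF=y
CONFIG_NET_ACT_BPF=m
CONFIG_IKCONFIG=y
CONFIG_IKCONFIG_PROC=y
CONFIG_UNIX=y
CONFIG_DEBUG_INFO=y
CONFIG_CMDLINE="console=ttyS0"
"""


def audit_sample() -> List[Tuple[str, str, str]]:
    return check_expected(parse_kconfig(SAMPLE_CONFIG))


if __name__ == "__main__":
    live = load_running_config()
    report = check_expected(live) if live is not None else audit_sample()
    for name, want, got in report:
        print(f"CONFIG_{name}: expected {want}, found {got}")
    print("yama ptrace_scope:", yama_ptrace_scope())
```

Running it on a NixOS host with IKCONFIG_PROC reports the live kernel; elsewhere it falls back to the constructed sample, which deliberately leaves BPF_EVENTS unset and DEBUG_INFO enabled so the mismatch output is not empty.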
Commit 159fed47bc (nixos/grub: Fix video display on efi) changed BIOS
systems to start in non-text mode as well. Enable FB_VESA to get a
framebuffer console on BIOS systems. Change FRAMEBUFFER_CONSOLE to 'y'
instead of the default 'm' so the user doesn't need to manually load
the fbcon module anymore.
Other distros have similar defaults, at least on Arch:
CONFIG_FB_VESA=y
CONFIG_FRAMEBUFFER_CONSOLE=y
and on Ubuntu (12.04):
CONFIG_FB_VESA=m
CONFIG_FRAMEBUFFER_CONSOLE=y
Fixes #8139
Also build the performance governor into the kernel so there is a sane
default. Note that cpufreq.service will still load "ondemand" on
non-pstate systems.
The option has been removed in torvalds/linux@6cd176a and thus we
shouldn't try to set it for kernel version 4.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Using linux-testing for a bunch of machines, I'd actually expect it to
be more recent than the latest stable, but until now it actually was
behind.
Since torvalds/linux@464ed18ebd, the option
PM_RUNTIME doesn't exist anymore, so we need to remove it from our
common config.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We don't really need this anymore, except that our docs say that you
can put firmware in /root/test-firmware, which doesn't work via
/sys/module/firmware_class/parameters/path.
This should only be temporary, but there's a bug in the 3.17 rc1 and rc2 that leads to cyclic module dependencies and a segfault during the build process.
I'm only enabling for kernels >= 3.11 to be conservative, because clients and
servers automatically negotiate and use the highest mutually supported version
by default, but only in kernel 3.11 server NFSv4.1 support actually became RFC
compliant.
I'm also adding support for swap on NFS, which is enabled by default on
Ubuntu kernels.
This now provides a handful of different grsecurity kernels for slightly
different 'flavors' of packages. This doesn't change the grsecurity
module to use them just yet, however.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
AppArmor only requires a few patches to the 3.2 and 3.4 kernels in order
to work properly (with the minor catch that grsecurity -stable includes the
3.2 patches.) This adds them to the kernel builds by default, removes
features.apparmor (since it's always true) and makes it the default MAC
system.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
Realistically, common-config is useful, but there are a lot of things in
there that are non-optionally specified that aren't always useful. For
example, when deploying grsecurity, I don't want the bluetooth,
wireless, or input joystick/extra filesystem stack (XFS, etc), nor the
staging drivers tree.
The problem is that if you specify this in your own kernel config in the
grsecurity module, by saying 'BT n' to turn off bluetooth,
common-config turns on 'BT_HCIUART_BCSP y', which then becomes unused
and errors out.
This is really just an arbitrary picking at the moment, but it should be
OK.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
Although this is a release candidate version of kernel 3.12, there are
reasons for merging this anyway, as discussed in #1010 and #1006.
Thanks to @offlinehacker for this and the initial pull request.
It's bad to have the kernel config scattered across two places. (This
should also be done for the other architectures.)
Also, restore Xen and KVM guest support in Linux 3.10.
Having N different copies of the NixOS kernel configuration is bad
because these copies tend to diverge. For instance, our 3.10 config
lacked some modules that were enabled in older configs, probably
because the 3.10 config had been copied off an earlier version of some
older kernel config.
So now there is a single kernel config in common-config.nix. It has a
few conditionals to deal with new/removed kernel options, but
otherwise it's pretty straightforward.
Also, a lot of cut&paste boilerplate between the kernel Nix
expressions is gone (such as preConfigure).