author | Joachim F <joachifm@users.noreply.github.com> | 2019-04-16 17:49:19 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-04-16 17:49:19 +0000 |
commit | d7da5e2af2ddcde1aee2030f0264c4b596bd200f (patch) | |
tree | ab080d5d99a156c4e4b9984374816c2358a07bc6 /nixos/modules | |
parent | a165e6c672cab0049959914e9bad94834c2bda23 (diff) | |
parent | 8769d2d58cb3ae0c0b66f5de6a4423109a2613e2 (diff) |
Merge pull request #53826 from delroth/randstruct-custom-seed
nixos: allow customizing the kernel RANDSTRUCT seed
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/system/boot/kernel.nix | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/nixos/modules/system/boot/kernel.nix b/nixos/modules/system/boot/kernel.nix
index 8ea05ed14687..ab919099d112 100644
--- a/nixos/modules/system/boot/kernel.nix
+++ b/nixos/modules/system/boot/kernel.nix
@@ -5,7 +5,7 @@ with lib;
 let
 inherit (config.boot) kernelPatches;
- inherit (config.boot.kernel) features;
+ inherit (config.boot.kernel) features randstructSeed;
 inherit (config.boot.kernelPackages) kernel;
 kernelModulesConf = pkgs.writeText "nixos.conf"
@@ -38,6 +38,7 @@ in
 default = pkgs.linuxPackages;
 apply = kernelPackages: kernelPackages.extend (self: super: {
 kernel = super.kernel.override {
+ inherit randstructSeed;
 kernelPatches = super.kernel.kernelPatches ++ kernelPatches;
 features = lib.recursiveUpdate super.kernel.features features;
 };
@@ -67,6 +68,19 @@ in
 description = "A list of additional patches to apply to the kernel.";
 };
+ boot.kernel.randstructSeed = mkOption {
+ type = types.str;
+ default = "";
+ example = "my secret seed";
+ description = ''
+ Provides a custom seed for the <varname>RANDSTRUCT</varname> security
+ option of the Linux kernel. Note that <varname>RANDSTRUCT</varname> is
+ only enabled in NixOS hardened kernels. Using a custom seed requires
+ building the kernel and dependent packages locally, since this
+ customization happens at build time.
+ '';
+ };
+
 boot.kernelParams = mkOption {
 type = types.listOf types.str;
 default = [ ];
@@ -298,7 +312,7 @@ in
 # !!! Should this really be needed?
 (isYes "MODULES")
 (isYes "BINFMT_ELF")
- ];
+ ] ++ (optional (randstructSeed != "") (isYes "GCC_PLUGIN_RANDSTRUCT"));
 # nixpkgs kernels are assumed to have all required features
 assertions = if config.boot.kernelPackages.kernel ? features then [] else |
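Review bot: The `example = "my secret seed"` and the new option description imply the seed stays confidential, but nothing in this hunk keeps it out of the Nix store: it is handed to `super.kernel.override` as a plain derivation argument (second hunk), so it is recorded in the kernel's .drv, where it is readable by any local user on a normally world-readable store, and it travels with the closure if the build is ever pushed to a binary cache. Since RANDSTRUCT only helps while the seed is unknown to an attacker, the description should say so, e.g. append `The seed becomes part of the kernel derivation and is therefore readable from the Nix store of the build and target machines; do not publish the resulting store paths or binary cache.` It would also help to state what a hardened kernel does when the seed is left at the default `""` (presumably the kernel package's own seed handling applies), since the option text does not cover that case. The enclosing `options` attribute set starts and ends outside the hunk.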
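Review bot: A non-empty `randstructSeed` on a kernel that lacks `GCC_PLUGIN_RANDSTRUCT` is now rejected through the generic required-config list, so the user presumably only sees the kernel-config assertion for that symbol and no hint that `boot.kernel.randstructSeed` is what triggered it. A comment on the added line would at least tell the next reader why the entry is conditional, e.g. `# A custom seed only has an effect when the kernel is built with the RANDSTRUCT plugin (hardened kernels only); fail early otherwise.` The definition this list belongs to, and the `assertions` that consume it, start and end outside the hunk, so how the failure is actually reported cannot be confirmed from here.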