fix: minimal kernel config compiles after rebase to 23.11

* addresses missing kernel configuration options * tested in kernel devshell: $ nix develop .#devShells.x86_64-linux.kernel-x86 $ make -j$(nproc) <accept defaults missing from migration to 6.6.2> * adds checkPhase * updates documentation Signed-off-by: Ville Ilvonen <[email protected]>
tiiuae · Dec 4, 2023 · 378b6f6 · 378b6f6
1 parent d66ba54
commit 378b6f6
Show file tree

Hide file tree

Showing 3 changed files with 68 additions and 43 deletions.
diff --git a/docs/src/architecture/hardening.md b/docs/src/architecture/hardening.md
@@ -21,27 +21,28 @@ NixOS provides several mechanisms to customize kernel. The main methods are:
   * [Usage in Ghaf](https://github.com/tiiuae/ghaf/blob/main/modules/host/kernel.nix)
   * Example of entering the kernel development shell to customize the `.config` and build it:
   ```
-  ~/ghaf $ nix develop .#devShells.x86_64-linux.kernel
+  ~/ghaf $ nix develop .#devShells.x86_64-linux.kernel-x86
   ...
-  [ghaf-kernel-devshell:~/ghaf/linux-6.5.5]$ make menuconfig
+  [ghaf-kernel-devshell:~/ghaf/linux-6.6.2]$ cp ../modules/host/ghaf_host_hardened_baseline .config
+  [ghaf-kernel-devshell:~/ghaf/linux-6.6.2]$ make menuconfig
   ...
-  [ghaf-kernel-devshell:~/ghaf/linux-6.5.5]$ make -j16
+  [ghaf-kernel-devshell:~/ghaf/linux-6.6.2]$ make -j$(nproc)
   ...
   Kernel: arch/x86/boot/bzImage
   ```
 * Boot the built kernel with QEMU
   ```
-  [ghaf-kernel-devshell:~/ghaf/linux-6.5.5]$ qemu-system-x86_64 -kernel arch/x86/boot/bzImage
+  [ghaf-kernel-devshell:~/ghaf/linux-6.6.2]$ qemu-system-x86_64 -kernel arch/x86/boot/bzImage
   ```
 * [validating with kernel hardening checker](https://github.com/a13xp0p0v/kernel-hardening-checker)
   ```
-  [ghaf-kernel-devshell:~/ghaf/linux-6.5.5]$ kernel-hardening-checker -c ../modules/host/ghaf_host_hardened_baseline
+  [ghaf-kernel-devshell:~/ghaf/linux-6.6.2]$ kernel-hardening-checker -c ../modules/host/ghaf_host_hardened_baseline
   [+] Kconfig file to check: ../modules/host/ghaf_host_hardened_baseline
-  [+] Detected microarchitecture: X86_32
-  [+] Detected kernel version: 6.5
+  [+] Detected microarchitecture: X86_64
+  [+] Detected kernel version: 6.6
   [+] Detected compiler: GCC 120200
   ...
-  [+] Config check is finished: 'OK' - 100 / 'FAIL' - 80
+  [+] Config check is finished: 'OK' - 103 / 'FAIL' - 84
   ```
 
 ### Host kernel

diff --git a/modules/host/ghaf_host_hardened_baseline b/modules/host/ghaf_host_hardened_baseline
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 6.5.5 Kernel Configuration
+# Linux/x86 6.6.2 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 12.2.0"
 CONFIG_CC_IS_GCC=y
@@ -215,7 +215,6 @@ CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y
 # CONFIG_KCMP is not set
 # CONFIG_RSEQ is not set
 # CONFIG_CACHESTAT_SYSCALL is not set
-CONFIG_EMBEDDED=y
 CONFIG_HAVE_PERF_EVENTS=y
 # CONFIG_PC104 is not set
 
@@ -227,6 +226,14 @@ CONFIG_PERF_EVENTS=y
 # end of Kernel Performance Events And Counters
 
 # CONFIG_PROFILING is not set
+
+#
+# Kexec and crash features
+#
+# CONFIG_KEXEC is not set
+# CONFIG_KEXEC_FILE is not set
+# CONFIG_CRASH_DUMP is not set
+# end of Kexec and crash features
 # end of General setup
 
 CONFIG_64BIT=y
@@ -318,7 +325,8 @@ CONFIG_PERF_EVENTS_INTEL_CSTATE=y
 
 CONFIG_X86_VSYSCALL_EMULATION=y
 # CONFIG_X86_IOPL_IOPERM is not set
-# CONFIG_MICROCODE is not set
+CONFIG_MICROCODE=y
+# CONFIG_MICROCODE_LATE_LOADING is not set
 # CONFIG_X86_MSR is not set
 # CONFIG_X86_CPUID is not set
 CONFIG_X86_5LEVEL=y
@@ -333,11 +341,13 @@ CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
 # CONFIG_MTRR is not set
 # CONFIG_X86_UMIP is not set
 CONFIG_CC_HAS_IBT=y
+CONFIG_X86_CET=y
 CONFIG_X86_KERNEL_IBT=y
 CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
 CONFIG_X86_INTEL_TSX_MODE_OFF=y
 # CONFIG_X86_INTEL_TSX_MODE_ON is not set
 # CONFIG_X86_INTEL_TSX_MODE_AUTO is not set
+# CONFIG_X86_USER_SHADOW_STACK is not set
 CONFIG_EFI=y
 CONFIG_EFI_STUB=y
 CONFIG_EFI_HANDOVER_PROTOCOL=y
@@ -349,9 +359,14 @@ CONFIG_HZ_250=y
 # CONFIG_HZ_300 is not set
 # CONFIG_HZ_1000 is not set
 CONFIG_HZ=250
-# CONFIG_KEXEC is not set
-# CONFIG_KEXEC_FILE is not set
-# CONFIG_CRASH_DUMP is not set
+CONFIG_ARCH_SUPPORTS_KEXEC=y
+CONFIG_ARCH_SUPPORTS_KEXEC_FILE=y
+CONFIG_ARCH_SUPPORTS_KEXEC_SIG=y
+CONFIG_ARCH_SUPPORTS_KEXEC_SIG_FORCE=y
+CONFIG_ARCH_SUPPORTS_KEXEC_BZIMAGE_VERIFY_SIG=y
+CONFIG_ARCH_SUPPORTS_KEXEC_JUMP=y
+CONFIG_ARCH_SUPPORTS_CRASH_DUMP=y
+CONFIG_ARCH_SUPPORTS_CRASH_HOTPLUG=y
 CONFIG_PHYSICAL_START=0x1000000
 CONFIG_RELOCATABLE=y
 CONFIG_RANDOMIZE_BASE=y
@@ -377,7 +392,6 @@ CONFIG_FUNCTION_PADDING_CFI=11
 CONFIG_FUNCTION_PADDING_BYTES=16
 # CONFIG_SPECULATION_MITIGATIONS is not set
 CONFIG_ARCH_HAS_ADD_PAGES=y
-CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y
 
 #
 # Power management and ACPI options
@@ -505,6 +519,7 @@ CONFIG_AS_SHA1_NI=y
 CONFIG_AS_SHA256_NI=y
 CONFIG_AS_TPAUSE=y
 CONFIG_AS_GFNI=y
+CONFIG_AS_WRUSS=y
 
 #
 # General architecture-dependent options
@@ -664,7 +679,6 @@ CONFIG_BLK_DEV_BSG_COMMON=m
 # CONFIG_BLK_DEV_INTEGRITY is not set
 # CONFIG_BLK_DEV_ZONED is not set
 # CONFIG_BLK_WBT is not set
-# CONFIG_BLK_SED_OPAL is not set
 # CONFIG_BLK_INLINE_ENCRYPTION is not set
 
 #
@@ -733,11 +747,13 @@ CONFIG_SPARSEMEM=y
 CONFIG_SPARSEMEM_EXTREME=y
 CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
 CONFIG_SPARSEMEM_VMEMMAP=y
-CONFIG_ARCH_WANT_OPTIMIZE_VMEMMAP=y
+CONFIG_ARCH_WANT_OPTIMIZE_DAX_VMEMMAP=y
+CONFIG_ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP=y
 CONFIG_HAVE_FAST_GUP=y
 CONFIG_EXCLUSIVE_SYSTEM_RAM=y
 CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
 # CONFIG_MEMORY_HOTPLUG is not set
+CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y
 CONFIG_SPLIT_PTLOCK_CPUS=4
 CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
 # CONFIG_COMPACTION is not set
@@ -771,6 +787,7 @@ CONFIG_ARCH_HAS_PKEYS=y
 #
 # CONFIG_DMAPOOL_TEST is not set
 CONFIG_ARCH_HAS_PTE_SPECIAL=y
+CONFIG_MEMFD_CREATE=y
 # CONFIG_SECRETMEM is not set
 # CONFIG_USERFAULTFD is not set
 # CONFIG_LRU_GEN is not set
@@ -958,6 +975,11 @@ CONFIG_GENERIC_CPU_VULNERABILITIES=y
 # CONFIG_MHI_BUS_EP is not set
 # end of Bus devices
 
+#
+# Cache Drivers
+#
+# end of Cache Drivers
+
 # CONFIG_CONNECTOR is not set
 
 #
@@ -1425,34 +1447,17 @@ CONFIG_BCMA_POSSIBLE=y
 #
 CONFIG_APERTURE_HELPERS=y
 CONFIG_VIDEO_CMDLINE=y
+# CONFIG_AUXDISPLAY is not set
 # CONFIG_AGP is not set
 # CONFIG_VGA_SWITCHEROO is not set
 # CONFIG_DRM is not set
 # CONFIG_DRM_DEBUG_MODESET_LOCK is not set
-
-#
-# ARM devices
-#
-# end of ARM devices
-
 CONFIG_DRM_PANEL_ORIENTATION_QUIRKS=y
 
 #
 # Frame buffer Devices
 #
-CONFIG_FB_NOTIFY=y
 CONFIG_FB=y
-# CONFIG_FIRMWARE_EDID is not set
-CONFIG_FB_CFB_FILLRECT=y
-CONFIG_FB_CFB_COPYAREA=y
-CONFIG_FB_CFB_IMAGEBLIT=y
-# CONFIG_FB_FOREIGN_ENDIAN is not set
-# CONFIG_FB_MODE_HELPERS is not set
-# CONFIG_FB_TILEBLITTING is not set
-
-#
-# Frame buffer hardware drivers
-#
 # CONFIG_FB_CIRRUS is not set
 # CONFIG_FB_PM2 is not set
 # CONFIG_FB_CYBER2000 is not set
@@ -1480,20 +1485,29 @@ CONFIG_FB_EFI=y
 # CONFIG_FB_NEOMAGIC is not set
 # CONFIG_FB_KYRO is not set
 # CONFIG_FB_3DFX is not set
-# CONFIG_FB_VOODOO1 is not set
 # CONFIG_FB_VT8623 is not set
 # CONFIG_FB_TRIDENT is not set
 # CONFIG_FB_ARK is not set
 # CONFIG_FB_PM3 is not set
 # CONFIG_FB_CARMINE is not set
 # CONFIG_FB_SMSCUFX is not set
-# CONFIG_FB_UDL is not set
 # CONFIG_FB_IBM_GXT4500 is not set
 # CONFIG_FB_VIRTUAL is not set
 # CONFIG_FB_METRONOME is not set
 # CONFIG_FB_MB862XX is not set
 # CONFIG_FB_SIMPLE is not set
 # CONFIG_FB_SM712 is not set
+CONFIG_FB_CORE=y
+CONFIG_FB_NOTIFY=y
+# CONFIG_FIRMWARE_EDID is not set
+# CONFIG_FB_DEVICE is not set
+CONFIG_FB_CFB_FILLRECT=y
+CONFIG_FB_CFB_COPYAREA=y
+CONFIG_FB_CFB_IMAGEBLIT=y
+# CONFIG_FB_FOREIGN_ENDIAN is not set
+CONFIG_FB_IOMEM_HELPERS=y
+# CONFIG_FB_MODE_HELPERS is not set
+# CONFIG_FB_TILEBLITTING is not set
 # end of Frame buffer Devices
 
 #
@@ -1555,6 +1569,7 @@ CONFIG_HID_GENERIC=y
 # CONFIG_HID_GFRM is not set
 # CONFIG_HID_GLORIOUS is not set
 # CONFIG_HID_HOLTEK is not set
+# CONFIG_HID_GOOGLE_STADIA_FF is not set
 # CONFIG_HID_VIVALDI is not set
 # CONFIG_HID_KEYTOUCH is not set
 # CONFIG_HID_KYE is not set
@@ -1792,7 +1807,6 @@ CONFIG_RTC_MC146818_LIB=y
 # CONFIG_DMABUF_HEAPS is not set
 # end of DMABUF options
 
-# CONFIG_AUXDISPLAY is not set
 # CONFIG_UIO is not set
 # CONFIG_VFIO is not set
 # CONFIG_VIRT_DRIVERS is not set
@@ -1812,7 +1826,6 @@ CONFIG_RTC_MC146818_LIB=y
 # CONFIG_MELLANOX_PLATFORM is not set
 # CONFIG_SURFACE_PLATFORMS is not set
 # CONFIG_X86_PLATFORM_DEVICES is not set
-# CONFIG_P2SB is not set
 # CONFIG_COMMON_CLK is not set
 # CONFIG_HWSPINLOCK is not set
 
@@ -1969,6 +1982,7 @@ CONFIG_PCC=y
 CONFIG_DCACHE_WORD_ACCESS=y
 # CONFIG_VALIDATE_FS_PARSER is not set
 CONFIG_FS_IOMAP=y
+CONFIG_BUFFER_HEAD=y
 CONFIG_LEGACY_DIRECT_IO=y
 # CONFIG_EXT2_FS is not set
 # CONFIG_EXT3_FS is not set
@@ -1999,7 +2013,6 @@ CONFIG_INOTIFY_USER=y
 # CONFIG_FANOTIFY is not set
 # CONFIG_QUOTA is not set
 CONFIG_AUTOFS_FS=y
-CONFIG_AUTOFS4_FS=y
 # CONFIG_FUSE_FS is not set
 # CONFIG_OVERLAY_FS is not set
 
@@ -2045,8 +2058,8 @@ CONFIG_TMPFS=y
 CONFIG_TMPFS_POSIX_ACL=y
 CONFIG_TMPFS_XATTR=y
 # CONFIG_TMPFS_INODE64 is not set
+# CONFIG_TMPFS_QUOTA is not set
 # CONFIG_HUGETLBFS is not set
-CONFIG_MEMFD_CREATE=y
 CONFIG_ARCH_HAS_GIGANTIC_PAGE=y
 # CONFIG_CONFIGFS_FS is not set
 CONFIG_EFIVAR_FS=m
@@ -2141,6 +2154,13 @@ CONFIG_CC_HAS_ZERO_CALL_USED_REGS=y
 # CONFIG_ZERO_CALL_USED_REGS is not set
 # end of Memory initialization
 
+#
+# Hardening of kernel data structures
+#
+# CONFIG_LIST_HARDENED is not set
+# CONFIG_BUG_ON_DATA_CORRUPTION is not set
+# end of Hardening of kernel data structures
+
 CONFIG_RANDSTRUCT_NONE=y
 # end of Kernel hardening options
 # end of Security options
@@ -2434,6 +2454,7 @@ CONFIG_NEED_SG_DMA_LENGTH=y
 CONFIG_NEED_DMA_MAP_STATE=y
 CONFIG_ARCH_DMA_ADDR_T_64BIT=y
 CONFIG_SWIOTLB=y
+# CONFIG_SWIOTLB_DYNAMIC is not set
 # CONFIG_DMA_API_DEBUG is not set
 CONFIG_SGL_ALLOC=y
 # CONFIG_FORCE_NR_CPUS is not set
@@ -2611,7 +2632,6 @@ CONFIG_LOCK_DEBUGGING_SUPPORT=y
 # CONFIG_DEBUG_PLIST is not set
 # CONFIG_DEBUG_SG is not set
 # CONFIG_DEBUG_NOTIFIERS is not set
-# CONFIG_BUG_ON_DATA_CORRUPTION is not set
 # CONFIG_DEBUG_MAPLE_TREE is not set
 # end of Debug kernel data structures
 

diff --git a/nix/devshell.nix b/nix/devshell.nix
@@ -39,11 +39,15 @@
         # install kernel-hardening-checker via pip under "linux-<version" for
         # easy clean-up with directory removal - if not already installed
         if [ ! -f "_build/pip_packages/bin/kernel-hardening-checker" ]; then
-          python3 -m pip install git+https://github.com/a13xp0p0v/kernel-hardening-checker
+          python3 -m pip --disable-pip-version-check \
+            install git+https://github.com/a13xp0p0v/kernel-hardening-checker
         fi
 
         export PS1="[ghaf-kernel-devshell:\w]$ "
       '';
+      # use "eval $checkPhase" - see https://discourse.nixos.org/t/nix-develop-and-checkphase/25707
+      checkPhase = "cp ../modules/host/ghaf_host_hardened_baseline ./.config && make -j$(nproc)";
+
     };
 
     devShells.default = let