Commit Graph

514 Commits

Author SHA1 Message Date
QuantMint
fb49d81b25 linux: enable ACPI_FPDT, ACPI_HMAT, ACPI_APEI, ACPI_APEI_GHES, ACPI_DPTF 2023-01-08 11:18:48 +01:00
Dominik Xaver Hörl
95c27f5975 linux: enable Multi-Gen LRU by default 2022-12-19 15:18:05 +01:00
Dominik Xaver Hörl
6486611984 linux: build with support for Multi-Gen LRU 2022-12-19 15:18:05 +01:00
Vladimír Čunát
9c497bb8d6
Merge branch 'staging-next' into staging 2022-12-09 10:27:46 +01:00
Fabián Heredia Montiel
13f89aee64 linux: further cleanup config after drop of 4.9 2022-12-03 10:22:06 -06:00
Martin Weinelt
ca98db29b3 Merge remote-tracking branch 'origin/staging-next' into staging 2022-12-03 13:56:22 +01:00
Vladimír Čunát
3dc3a628fd
Merge #204169: Linux Kernel updates for 2022-12-02 2022-12-03 09:13:56 +01:00
Martin Weinelt
e3da5a807b Merge remote-tracking branch 'origin/staging-next' into staging 2022-12-03 01:28:01 +01:00
K900
b9a4991020 linux: set X86_AMD_PSTATE=y instead of =m 2022-12-02 23:37:00 +03:00
Vincent Haupert
c0ae481757 linux: enable AMD SME, SEV, SEV-ES, SEV-SNP on x86_64
Enables the following kernel config options for AMD CPUs on x86_64:

- `CRYPTO_DEV_CCP`: Enables offloading of crypto operations to AMD's
  Cryptographic Coprocessor (CCP). Also required by `KVM_AMD_SEV`.
- `AMD_MEM_ENCRYPT`: Enables support for Secure Memory Encryption (SME).
  Please note that `AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT` is not enabled;
  yet, you can enable memory encryption by passing `mem_encrypt=on`
  as a kernel command line option.
- `KVM_AMD_SEV`: Enables launching Encrypted VMs (SEV) and Secure VMs
  with Encrypted State (SEV-ES).
- `SEV_GUEST`: Enables support for AMD Secure Encrypted Virtualization
  with Secure Nested Paging (SEV-SNP). Built as module.

Enabling these options is in line with other distros, e.g., Debian,
Fedora or Arch Linux.
2022-12-02 08:33:06 +01:00
Cole Mickens
9c3dc3cfeb
linux: kernel: enable DRM_HYPERV 2022-11-28 13:14:10 -08:00
Brandon Weeks
4cfd354182 linux: fix unused option warnings on 5.x kernels 2022-11-22 19:17:51 -06:00
Bernardo Meurer
8951a71323
Merge pull request #201845 from LibreCybernetics/cleanup-linux-common-config 2022-11-22 12:12:43 -05:00
Bernardo Meurer
b21694b324
Merge pull request #164296 from duxovni/fanotify_access_permissions 2022-11-21 09:58:04 -05:00
Fabián Heredia Montiel
31531c747a linux: cleanup common-config after drop of 4.9
linux-4.9 was dropped in 8d9133c67d

The next lowest version in nixpkgs is 4.14, so cleaning up options.
2022-11-18 20:50:01 -06:00
Vladimír Čunát
636051e353
linux: avoid NO_HZ_FULL on i686-linux
This is just a stop-gap; it seemed better than a real revert.
The issue is from commit 8d3fe232e (PR #198666).
2022-11-02 23:04:00 +01:00
github-actions[bot]
ef41cdba6c
Merge master into staging-next 2022-11-01 18:01:10 +00:00
Bernardo Meurer
c3033dafb0
Merge pull request #198783 from aacebedo/linux-testing_6.1_rc3 2022-11-01 15:07:19 +00:00
Alexandre Acebedo
cce5b62739 linuxKernel.kernels.linux_testing: 6.0-rc5 -> 6.1-rc3 2022-11-01 15:39:38 +01:00
github-actions[bot]
0ada81696d
Merge master into staging-next 2022-11-01 12:01:32 +00:00
Adrian Pistol
8d3fe232e3 linux: Set CONFIG_NO_HZ_FULL=y.
CONFIG_NO_HZ_FULL=y should be set to enable the `nohz_full=` and
`rcu_nocbs=` options. These carry no additional performance penalty
compared to CONFIG_NO_HZ_IDLE and behave like it by default,
but allow disabling the tick interrupts on cores for power or
performance reasons.

[Debian][1] also applied the change to all their kernels.
Like the Kernel says: "If you're a distro say Y."

[1]: f6aad27f05
2022-10-30 17:20:22 +01:00
Mihai Fufezan
7520ab8e66
linux: enable amd_pstate 2022-10-23 03:06:26 +03:00
github-actions[bot]
14fe809072
Merge master into staging-next 2022-10-14 18:02:25 +00:00
Bernardo Meurer
71f2836fba
Merge pull request #184770 from NickCao/kernel-keyring 2022-10-14 09:46:01 -03:00
Yureka
9d24c1f09e
linux: XFS_ONLINE_SCRUB=y (#195266) 2022-10-12 20:10:07 +02:00
Andrew Marshall
7c49efdd2a linux: Enable HARDENED_USERCOPY
Enabled in [Arch][1], [Debian][2], [Fedora][3]. Recommended by [Kernel
Self Protection Project][4]. Originally [reported to have no noticeable
performance impact][5].

[1]: 66d72ee54a/trunk/config (L10252)
[2]: 07731f5956/debian/config/config (L7710)
[3]: 6d6ad72f0c/f/kernel-x86_64-fedora.config (_2202)
[4]: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
[5]: https://lwn.net/Articles/695991/
2022-09-27 09:21:48 -04:00
Nick Cao
8db1ad7850
linux: enable PERSISTENT_KEYRINGS and KEYS_REQUEST_CACHE
PERSISTENT_KEYRINGS provides a register of persistent per-UID keyrings, useful for encrypting storage pools in stratis.
KEYS_REQUEST_CACHE enables temporary caching of the last request_key() result.
2022-09-16 19:45:56 +08:00
Andrew Marshall
bcd41f2891 linux: Disable DRM_LEGACY, NOUVEAU_LEGACY_CTX_SUPPORT
This currently gets enabled as generate-config.pl will enable all the
drivers below it as modules.

Is “not set” in [Arch][1], [Debian][2], [Fedora][3]. See also [summary
of setting from various distros in April 2020][4].

Recommended disabled by [CLIP OS][5] and per current [Kernel config
description][6]:

> bool "Enable legacy drivers (DANGEROUS)"
> Enable legacy DRI1 drivers. Those drivers expose unsafe and dangerous
> APIs to user-space, which can be used to circumvent access
> restrictions and other security measures. For backwards compatibility
> those drivers are still available, but their use is highly
> inadvisable and might harm your system.
>
> You are recommended to use the safe modeset-only drivers instead, and
> perform 3D emulation in user-space.
>
> Unless you have strong reasons to go rogue, say "N".

Also disable NOUVEAU_LEGACY_CTX_SUPPORT, as this does `select
DRM_LEGACY`. Per Kernel config docs:

> There was a version of the nouveau DDX that relied on legacy
> ctx ioctls not erroring out. But that was back in time a long
> ways, so offer a way to disable it now. For uapi compat with
> old nouveau ddx this should be on by default, but modern distros
> should consider turning it off.

and the [commit][7]:

> These driver functions contain several bugs and security holes. This
> change makes these functions optional can be turned on by a setting,
> they are turned off by default for modeset driver with the exception of
> the nouvea driver that may require them with an old version of libdrm.

The referenced earlier commit elaborates that

> libdrm_nouveau before 2.4.33 used contexts

Since nixpkgs here has a much newer version (2.4.33 is from March 2012),
this should not be a concern.

NOUVEAU_LEGACY_CTX_SUPPORT is also “not set” in the linked Arch, Debian,
& Fedora configs.

[1]: 66d72ee54a/trunk/config (L6637)
[2]: 07731f5956/debian/config/config (L713)
[3]: https://src.fedoraproject.org/rpms/kernel/blob/rawhide/f/kernel-x86_64-fedora.config#_1528
[4]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/38#issuecomment-608639217
[5]: https://docs.clip-os.org/clipos/kernel.html#configuration
[6]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/gpu/drm/Kconfig#n421
[7]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b30a43ac7132cdda833ac4b13dd1ebd35ace14b7
2022-08-27 18:40:32 -04:00
Andrew Marshall
00a45bc41b linux: Enable SLAB_FREELIST_HARDENED, SLAB_FREELIST_RANDOM
Enabled in [Arch][1], [Debian][2], [Fedora][3]; no others checked.
Recommended by [Kernel Self Protection Project][4]. This should also
implicitly enable SHUFFLE_PAGE_ALLOCATOR.

Performance impact per upstream:

For _HARDENED:
> The difference gets lost in the noise, but if the above is to be taken
> literally, using CONFIG_FREELIST_HARDENED is 0.07% slower.

For _RANDOM:
> Performance results highlighted no major changes

[1]: 66d72ee54a/trunk/config (L1037-L1038)
[2]: 07731f5956/debian/config/config (L6742-6743)
[3]: 6d6ad72f0c/f/kernel-x86_64-fedora.config (_6079)
[4]: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
2022-08-27 15:05:35 -04:00
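
The KSPP-style settings in the three commits above (HARDENED_USERCOPY, SLAB_FREELIST_HARDENED and SLAB_FREELIST_RANDOM enabled; DRM_LEGACY and NOUVEAU_LEGACY_CTX_SUPPORT disabled) are worth verifying on the kernel actually booted rather than trusted from the build recipe. The following Python audit is an added example in the spirit of the kconfig-hardened-check tool linked from the DRM_LEGACY message; it is not nixpkgs code and not part of any commit in this log. It parses `.config` syntax, including `/proc/config.gz` when the kernel was built with CONFIG_IKCONFIG_PROC; the EXPECTED table is my reading of the commit messages, and SAMPLE_CONFIG is a constructed input.

```python
"""Audit a Linux kernel .config for the hardening options discussed above."""
from __future__ import annotations

import gzip
import re
import sys
from pathlib import Path

# Expected values, taken from the commit messages on this page. "n" means the
# option must be disabled ("# CONFIG_X is not set") or absent altogether.
EXPECTED = {
    "HARDENED_USERCOPY": "y",
    "SLAB_FREELIST_HARDENED": "y",
    "SLAB_FREELIST_RANDOM": "y",
    "SHUFFLE_PAGE_ALLOCATOR": "y",   # pulled in by SLAB_FREELIST_RANDOM per the commit
    "DRM_LEGACY": "n",
    "NOUVEAU_LEGACY_CTX_SUPPORT": "n",
}

_SET = re.compile(r"^CONFIG_([A-Za-z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# CONFIG_([A-Za-z0-9_]+) is not set$")

# Constructed sample (not a real nixpkgs config): yields three findings,
# one of which is a symbol that is missing rather than explicitly unset.
SAMPLE_CONFIG = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_LOCALVERSION=""
CONFIG_HARDENED_USERCOPY=y
CONFIG_SLAB_FREELIST_HARDENED=y
# CONFIG_SLAB_FREELIST_RANDOM is not set
CONFIG_DRM=m
CONFIG_DRM_LEGACY=y
# CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT is not set
"""


def parse_kconfig(text: str) -> dict[str, str]:
    """Map CONFIG symbols to their value; '# CONFIG_X is not set' lines become 'n'."""
    opts: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _SET.match(line):
            opts[m.group(1)] = m.group(2).strip()      # y, m, a number or a "string"
        elif m := _UNSET.match(line):
            opts[m.group(1)] = "n"
    return opts


def load_kconfig(path: str = "/proc/config.gz") -> dict[str, str]:
    """Load a plain .config or the running kernel's config (needs CONFIG_IKCONFIG_PROC)."""
    raw = Path(path).read_bytes()
    if raw[:2] == b"\x1f\x8b":                        # gzip magic
        raw = gzip.decompress(raw)
    return parse_kconfig(raw.decode("utf-8", errors="replace"))


def audit(opts: dict[str, str], expected: dict[str, str] = EXPECTED) -> list[tuple[str, str, str]]:
    """Return (symbol, wanted, actual) for each expectation the config fails.

    An absent symbol is not built at all, so it satisfies an "n" expectation.
    For a "y"/"m" expectation it is reported as "absent": usually the kernel is
    too old to know the option, so check the version before calling it a regression.
    """
    findings: list[tuple[str, str, str]] = []
    for name, want in expected.items():
        have = opts.get(name)
        if have is None:
            if want != "n":
                findings.append((name, want, "absent"))
        elif have != want:
            findings.append((name, want, have))
    return findings


if __name__ == "__main__":
    source = sys.argv[1] if len(sys.argv) > 1 else "/proc/config.gz"
    problems = audit(load_kconfig(source))
    for name, want, have in problems:
        print(f"CONFIG_{name}: want {want}, have {have}")
    sys.exit(1 if problems else 0)
```

Absent symbols are deliberately reported separately from `# CONFIG_X is not set`: a kernel that predates an option (several commits further down this log are conditional on a minimum version for exactly that reason) is a different situation from a build that turned it off.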
Martino Fontana
014f12b87e linux: disable NTFS_FS, enable NTFS3_LZX_XPRESS and NTFS3_FS_POSIX_ACL 2022-08-26 20:32:37 +02:00
Bernardo Meurer
7e901eeae0
kernel: only enable PINCTRL_AMD on 5.19+ 2022-08-08 20:42:45 -04:00
Peter Hoeg
f7c980599e kernel: fix touchpads on AMD laptops 2022-08-08 22:28:05 +08:00
github-actions[bot]
97f117148f
Merge staging-next into staging 2022-07-17 00:02:54 +00:00
Martin Weinelt
b2d57db6c2
Merge pull request #180516 from Atemu/kernel-disable-ashmem
linux: disable ASHMEM on >= 5.18
2022-07-14 23:20:26 +02:00
K900
4e02bb4922 linux: enable MODULE_ALLOW_BTF_MISMATCH
Right now it looks like the BTFs are not reproducible between different builds
of the same kernel, and the kernel will refuse to load modules if the BTF
doesn't match. This can cause some interesting side effects when Nix
uses different substituters for different parts of the kernel.

This is far from ideal, and we _really_ should figure out how to actually
make the BTF building consistently reproducible, but that seems more
complicated, so maybe we should do this to get affected systems booting.

See also: https://lore.kernel.org/bpf/YfK18x%2FXrYL4Vw8o@syu-laptop/ ,
where the openSUSE people ran into similar issues.
2022-07-14 12:18:44 +03:00
Dominique Martinet
4b4576faf9 Revert "linux-kernel: disable BTF on 32-bit platforms on kernels 5.15+"
This reverts commit 79e05fb16b.

Broken 32-bit BTF builds got fixed in #175467 by switching libbpf from
libelf to elfutils, as a side-product of the upgrade, so we don't need
this anymore.
2022-07-11 10:32:23 +09:00
Dominique Martinet
47f9f04788 linux-kernel config: disable DEBUG_INFO_REDUCED
Linux's aarch64 defconfig was updated in 5.13 to enable "reduced"
debug info (upstream commit ed938a4bfc58 ("arm64: defconfig: Use
DEBUG_INFO_REDUCED")), but that commit locks DEBUG_INFO_BTF, as noticed
in #175467.

This disables it again, which should fix bpftrace usage of BTF not working
on newer kernels.
2022-07-09 10:29:40 +09:00
Atemu
b5ee4eca8e linux: disable ASHMEM on >= 5.18
Dropped by upstream, see
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=721412ed3d819e767cac2b06646bf03aa158aaec

It was marked as optional, so it didn't break our builds but resulted in:

    warning: unused option: ASHMEM

Explicitly disable ASHMEM on kernels >=5.18 for clarity and fewer warnings
2022-07-07 14:40:17 +02:00
Rick van Schijndel
a1e3a1dfc0
Merge pull request #178256 from misuzu/btf-32bit
linuxPackages: unbreak new kernels on 32-bit platforms
2022-06-21 22:09:41 +02:00
misuzu
79e05fb16b linux-kernel: disable BTF on 32-bit platforms on kernels 5.15+
It fails to build with `Failed to parse base BTF 'vmlinux': -22`
2022-06-21 19:05:52 +03:00
github-actions[bot]
ef1a40da01
Merge staging-next into staging 2022-06-10 12:02:21 +00:00
K900
d9b980c98e
linux: enable vc4 HDMI-CEC by default (#176762) 2022-06-10 11:20:50 +02:00
Sergei Trofimovich
fea73bfd63 linux: disable WERROR by default
gcc updates frequently break the most recent kernel releases due to the blanket -Werror
flag. Let's avoid -Werror in a default build to ease kernel and gcc maintenance.
2022-05-30 07:22:49 +01:00
sternenseemann
8b5e372c97
Merge pull request #168113 from a-m-joseph/ispowerpc-becomes-ispower32
lib/systems/inspect.nix: replace isPowerPC with isPower32BigEndian
2022-05-26 11:44:39 +02:00
Adam Joseph
c0085404bd lib/systems/inspect.nix: remove isPowerPC
Very confusingly, the `isPowerPC` predicate in
`lib/systems/inspect.nix` does *not* match `powerpc64le`!

This is because `isPowerPC` is defined as

  isPowerPC      = { cpu = cpuTypes.powerpc; };

Where `cpuTypes.powerpc` is:

  { bits = 32; significantByte = bigEndian; family = "power"; };

This means that the `isPowerPC` predicate actually only matches the
subset of machines marketed under this name which happen to be 32-bit
and running in big-endian mode which is equivalent to:

  with stdenv.hostPlatform; isPower && isBigEndian && is32bit

This seems like a sharp edge that people could easily cut themselves
on.  In fact, that has already happened: in
`linux/kernel/common-config.nix` there is a test which will always
fail:

  (stdenv.hostPlatform.isPowerPC && stdenv.hostPlatform.is64bit)

A more subtle case of the strict isPowerPC being used instead of the
more general isPower accidentally are the GHC expressions:

  Update pkgs/development/compilers/ghc/8.10.7.nix
  Update pkgs/development/compilers/ghc/8.8.4.nix
  Update pkgs/development/compilers/ghc/9.2.2.nix
  Update pkgs/development/compilers/ghc/9.0.2.nix
  Update pkgs/development/compilers/ghc/head.nix

Since the remaining legitimate use sites of isPowerPC are so few, remove
the isPowerPC predicate completely. The alternative expression above is
noted in the release notes as an alternative.

Co-authored-by: sternenseemann <sternenseemann@systemli.org>
2022-05-25 09:45:42 +02:00
Alyssa Ross
fa7ae8876f
linux_latest: 5.17.9 -> 5.18
NFSD_V3 is now always enabled, and enabling debug info now requires
selecting a DWARF version instead of just setting DEBUG_INFO=y.
2022-05-23 09:19:42 +00:00
Alyssa Ross
9488086746
linux: support loading compressed firmware
Supported since Linux 5.3.
2022-05-12 15:29:17 +00:00
github-actions[bot]
c6dd9fd65d
Merge master into staging-next 2022-03-25 18:01:14 +00:00
Kevin Cox
974af50601
Merge pull request #165547 from LibreCybernetics/kernel-options
Kernel options cleanup
2022-03-25 11:01:29 -04:00
Vladimír Čunát
0a8b4eddd2
Merge branch 'master' into staging-next 2022-03-25 10:16:56 +01:00
Fabián Heredia Montiel
1b0e116b14 linux: condition CLEANCACHE to before 5.17 when it was removed 2022-03-23 21:23:14 -06:00
Fabián Heredia Montiel
11e697c3d7 linux: common-config cleanup older options 2022-03-23 21:23:14 -06:00
Fabián Heredia Montiel
cc8456effe linux: common-config condition power-management to required platform 2022-03-23 16:24:32 -06:00
Graham Christensen
a5c28278f9 kernel: enable RANDOM_TRUST_BOOTLOADER on >= 5.4
> Some bootloaders can provide entropy to increase the kernel's initial device randomness.

This allows, for example, EFI to provide 64 bytes. In general, my opinion is that an attacker
who can manipulate the random seed sufficiently to cause problems likely has other,
more direct approaches at their disposal as well.
2022-03-22 22:05:10 -04:00
github-actions[bot]
6ae26bb3c8
Merge staging-next into staging 2022-03-21 18:07:51 +00:00
Robin Townsend
3132fcfec3 linux: Enable BPF_UNPRIV_DEFAULT_OFF in 5.15 2022-03-20 21:19:07 -04:00
Sandro
c377a6f7f5
Merge pull request #164566 from jian-lin/linux-enable-TASKSTATS-and-TASK_DELAY_ACCT 2022-03-18 15:53:27 +01:00
linj
8d7d5fdbdc linux: enable TASKSTATS, TASK_XACCT, TASK_DELAY_ACCT and TASK_IO_ACCOUNTING
iotop needs TASKSTATS, TASK_DELAY_ACCT, TASK_XACCT and
TASK_IO_ACCOUNTING to work. For x86_64, all these options are enabled
by upstream[1]. For aarch64, however, only TASK_XACCT and
TASK_IO_ACCOUNTING are enabled by upstream[2].

This patch enables all these four options for aarch64, which have been
enabled by many other distributions, e.g. debian[3], fedora[4],
rhel[5] and gentoo[6].

I tried to only enable TASKSTATS and TASK_DELAY_ACCT since the other
two options are enabled by upstream, but it turns out that it's
necessary to explicitly enable all four options. I have not figured out
the reason, though.

Additionally, given that debian enables these four options for all
architectures[3], I think it's safe for us to do the same thing.

[1]: 56e337f2cf/arch/x86/configs/x86_64_defconfig (L8-L11)
[2]: 56e337f2cf/arch/arm64/configs/defconfig (L10-L11)
[3]: da6ddc7d8f/debian/config/config (L6356-6359)
[4]: https://src.fedoraproject.org/rpms/kernel/blob/rawhide/f/kernel-aarch64-fedora.config#_7398
[5]: https://src.fedoraproject.org/rpms/kernel/blob/rawhide/f/kernel-aarch64-rhel.config#_5885
[6]: b839fccce2/sys-kernel/gentoo-kernel/gentoo-kernel-5.15.29.ebuild (L27)
2022-03-17 21:45:56 +08:00
Faye Duxovni
e1642afb01 kernel: common-config.nix: enable FANOTIFY_ACCESS_PERMISSIONS
Required for, e.g., ClamAV's OnAccessPrevention feature.
2022-03-15 13:43:54 -04:00
github-actions[bot]
137a689db1
Merge staging-next into staging 2022-03-07 00:02:59 +00:00
github-actions[bot]
b4b1ce4d4f
Merge master into staging-next 2022-03-07 00:02:12 +00:00
Artturi
ef67e135e9
Merge pull request #160539 from danielfullmer/kernel-iso9660
linux: enable ISO9660_FS module
2022-03-06 11:13:45 +02:00
Vladimír Čunát
f57be3c72a
linux: restrict option JOYSTICK_PSXPAD_SPI_FF
This broke older kernels in PR #155613 (commit 8aae7afa3e).
I only checked the kernel versions that we maintain,
so (>= 4.14) might be an imprecise condition.
2022-02-24 07:53:06 +01:00
Bernardo Meurer
c05bf8a9ce
Merge pull request #130615 from zhaofengli/ipoib-cm
kernel: Enable IPoIB Connected Mode
2022-02-21 10:55:24 -08:00
ajs124
5177d2aeef kernel/common-config: clean up after 4.4 removal 2022-02-21 17:32:05 +01:00
Daniel Fullmer
21babd5d52 linux: enable ISO9660_FS module 2022-02-17 17:26:55 -08:00
Sandro
f61999ec62
Merge pull request #155613 from SuperSamus/hid_ff 2022-02-16 17:16:28 +01:00
Bernardo Meurer
4c13b31801
linux/kernel/common-config.nix: mark FORTIFY_SOURCE as optional
You cannot use it on clang-built kernels due to some LLVM bugs, namely:

* https://bugs.llvm.org/show_bug.cgi?id=50322
* https://bugs.llvm.org/show_bug.cgi?id=41459

so Kconfig forces it off, causing generate-config.pl to explode since it
is not marked optional.
2022-02-01 09:18:17 -08:00
Maximilian Bosch
f74a2e4840
Merge pull request #154370 from brandonweeks/kspp
linux: enable FORTIFY_SOURCE
2022-01-30 23:34:45 +01:00
Martino Fontana
8aae7afa3e linux: enable FF for many gamepads 2022-01-24 11:46:57 +01:00
nullrequest
eff260aaf2
linux config: enable Landlock LSM 2022-01-19 12:12:03 +01:00
Martin Weinelt
3ee206291a
linux: enable BPF_UNPRIV_DEFAULT_OFF between 5.10 and 5.15
Disable unprivileged access to BPF syscalls to prevent denial of service
and privilege escalation via

a) potential speculative execution side-channel-attacks on unmitigated
hardware[0]

or

b) unvalidated memory access in ringbuffer helper functions[1].

Fixes: CVE-2021-4204, CVE-2022-23222

[0] https://ebpf.io/summit-2021-slides/eBPF_Summit_2021-Keynote-Daniel_Borkmann-BPF_and_Spectre.pdf
[1] https://www.openwall.com/lists/oss-security/2022/01/13/1
2022-01-15 23:44:19 +01:00
Brandon Weeks
fbad6464be linux: enable FORTIFY_SOURCE 2022-01-10 17:00:08 -08:00
Bernardo Meurer
5f36161ae1
linuxKernel.kernels: mark {IO_,}STRICT_DEVMEM optional to unbreak hardened kernels 2022-01-10 17:49:30 -03:00
Bernardo Meurer
c1376aedd7
linuxKernel.kernels: also enable SND_SOC_SOF_INTEL_SOUNDWIRE_LINK between 5.10-5.11 2022-01-10 11:15:24 -03:00
Brandon Weeks
8f200e0e38 linux: enable IO_STRICT_DEVMEM 2022-01-09 21:34:42 -08:00
Bernardo Meurer
501a2c13cc
Merge pull request #154181 from brandonweeks/debug_list 2022-01-10 04:48:21 +00:00
Nelson Jeppesen
935303fd36 linux config: SND_SOC_INTEL_SOUNDWIRE_SOF_MACH >= 5.10
Enable the SND_SOC_INTEL_SOUNDWIRE_SOF_MACH kernel module. This is used
on some 10/11th gen Intel laptops such as the XPS 17 97[00|10].

Enable SND_SOC_INTEL_USER_FRIENDLY_LONG_NAMES as well; this is a required dep.
2022-01-09 19:28:24 -08:00
Brandon Weeks
b39c01b69c linux: enable DEBUG_LIST 2022-01-09 11:46:32 -08:00
github-actions[bot]
0d3fe41724
Merge master into staging-next 2022-01-05 18:01:06 +00:00
Vincent Haupert
8bedcacaf1 linux: enable X86_SGX{_KVM} on x86_64 only
The config option X86_SGX is available on x86_64-linux only; i686-linux
is not supported.

https://github.com/torvalds/linux/blob/55a677b/arch/x86/Kconfig#L1914
2022-01-05 00:36:55 +01:00
Dmitry Kalinkin
2ddda43924
Merge branch 'staging' into staging-next
Conflicts:
	pkgs/os-specific/linux/kernel/common-config.nix
2021-12-25 17:16:26 -05:00
github-actions[bot]
b7f2d2da61
Merge master into staging-next 2021-12-24 00:01:44 +00:00
Linus Heckemann
588db2a720 linux: enable FSL_MC_UAPI_SUPPORT 2021-12-18 00:05:49 +01:00
Maciej Krüger
0c287b011e
Merge pull request #145768 from mkg20001/anbox-waydroid-modules 2021-12-03 13:00:58 +01:00
Zhaofeng Li
5f3b85f618 kernel: Enable IPoIB Connected Mode
`INFINIBAND` and `INFINIBAND_IPOIB` are here for clarity; they, along
with the other required flags, are already enabled in the default config.
2021-12-01 10:20:10 -08:00
Vincent Haupert
1f65b4c416 linux: enable X86_SGX and X86_SGX_KVM on x86
Enable Intel Software Guard eXtensions (SGX) on x86 when using Linux
5.11.0 or later. Also enable KVM guests to create SGX enclaves if
running Linux 5.13.0 or later.
2021-11-29 08:03:26 +01:00
Jonathan Ringer
4b73049ccc
Merge remote-tracking branch 'origin/staging' into staging-next
Conflicts:
	nixos/tests/custom-ca.nix
2021-11-22 21:33:23 -08:00
Izorkin
8bcc413092 linux: enable kTLS 2021-11-22 21:01:01 +00:00
Artturi
f57a2a6cf1
Merge pull request #144227 from humancalico/bpf-lsm 2021-11-18 03:00:28 +02:00
Matt Votava
c2e142d8ae
linux: CONFIG_ASHMEM=y, CONFIG_ANDROID=y
This enables ashmem and binder so that waydroid/anbox work with
the provided linux kernel.

Cherry-picked from https://github.com/NixOS/nixpkgs/pull/102341
2021-11-17 23:00:13 +01:00
Maximilian Bosch
61870bd811
Merge pull request #144409 from mitchmindtree/xps-9310-kernel-config
linux: Add kernel config required for QCA6390 bluetooth (XPS 9310)
2021-11-17 18:30:35 +01:00
github-actions[bot]
bc35dc4f3b
Merge master into staging-next 2021-11-14 12:01:23 +00:00
Jörg Thalheim
13dc25bd67
Merge branch 'master' into xps-9310-kernel-config 2021-11-14 11:33:38 +00:00
Jörg Thalheim
2a909594f1
Merge pull request #145827 from ncfavier/mediatek-bluetooth
linux: add BT_HCIBTUSB_MTK to common kernel config
2021-11-14 11:31:33 +00:00
Naïm Favier
3c2c3df181
linux: add BT_HCIBTUSB_MTK to common kernel config
> The MediaTek protocol support enables firmware download support and chip initialization for MediaTek Bluetooth USB controllers.

Necessary to make Bluetooth work on some MediaTek controllers.
2021-11-14 01:13:34 +01:00
github-actions[bot]
9b5a105856
Merge master into staging-next 2021-11-14 00:01:47 +00:00
Austin Seipp
3df74bdd3f kernel: enable core scheduling on 5.14+ kernels
Core scheduling is a recent innovation in newer kernels to help run
certain untrusted compute workloads more safely in the face of
vulnerabilities like Spectre. In short: it lets processes assign a
unique "cookie" to some group of processes to indicate they are allowed
to be scheduled together on the same SMT-capable core. This helps
mitigate attacks that rely on observing usage of CPU execution units by
cohabitated threads.

Some extra details are available via Linux Weekly News:

  "Core scheduling lands in 5.14", https://lwn.net/Articles/861251/

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2021-11-13 17:02:34 -06:00
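
The user-space side of the cookie mechanism described above, as an added example that is mine rather than the commit's or nixpkgs' code: core scheduling is driven through prctl(2) with the PR_SCHED_CORE commands, so a process can give itself a fresh cookie and anything it forks inherits it. The constants are from include/uapi/linux/prctl.h; the wrapper assumes glibc's prctl() and a 64-bit Linux, needs CONFIG_SCHED_CORE=y (5.14+) and at least one online SMT sibling pair, and reports rather than fails where either is missing.

```python
"""Core scheduling from user space: give a process its own cookie via prctl(2)."""
import ctypes
import errno
import os

# include/uapi/linux/prctl.h (Linux 5.14+)
PR_SCHED_CORE = 62
PR_SCHED_CORE_GET = 0
PR_SCHED_CORE_CREATE = 1
PR_SCHED_CORE_SHARE_TO = 2
PR_SCHED_CORE_SHARE_FROM = 3
PIDTYPE_PID = 0          # include/linux/pid.h: the pid names a single task

_libc = ctypes.CDLL(None, use_errno=True)
_libc.prctl.restype = ctypes.c_int
_libc.prctl.argtypes = [ctypes.c_int] + [ctypes.c_ulong] * 4


def _prctl(*args: int) -> None:
    if _libc.prctl(*args) == -1:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))


def get_cookie(pid: int = 0) -> int:
    """Return the cookie id of `pid` (0 = caller). 0 means the task has no cookie."""
    cookie = ctypes.c_uint64(0)     # the kernel writes a u64; address must be 8-byte aligned
    _prctl(PR_SCHED_CORE, PR_SCHED_CORE_GET, pid, PIDTYPE_PID, ctypes.addressof(cookie))
    return cookie.value


def create_cookie(pid: int = 0) -> int:
    """Allocate a fresh cookie for `pid` (uaddr must be 0 for anything but GET) and return its id."""
    _prctl(PR_SCHED_CORE, PR_SCHED_CORE_CREATE, pid, PIDTYPE_PID, 0)
    return get_cookie(pid)


def isolate_self() -> dict:
    """Put the calling process in its own core-scheduling group and check that a
    forked child inherits the cookie (so a sandboxed workload's helpers stay in
    the group). Returns a report instead of raising where the kernel cannot do it."""
    try:
        cookie = create_cookie()
    except OSError as e:
        reason = {
            errno.EINVAL: "PR_SCHED_CORE unknown: kernel < 5.14 or CONFIG_SCHED_CORE=n",
            errno.ENODEV: "no SMT siblings online, so there is nothing to isolate from",
        }.get(e.errno, e.strerror)
        return {"supported": False, "errno": e.errno, "reason": reason}

    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                                   # child: report its own cookie
        os.close(rfd)
        os.write(wfd, get_cookie().to_bytes(8, "little"))
        os._exit(0)
    os.close(wfd)
    child_cookie = int.from_bytes(os.read(rfd, 8), "little")
    os.close(rfd)
    os.waitpid(pid, 0)
    return {"supported": True, "cookie": cookie, "child_inherits": child_cookie == cookie}


if __name__ == "__main__":
    print(isolate_self())
```

PR_SCHED_CORE_SHARE_TO and PR_SCHED_CORE_SHARE_FROM are the other half of the interface: a supervisor can push its cookie onto an already running task (subject to the usual ptrace access check) rather than relying on fork inheritance.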
Akshat Agarwal
972d7e74f6 linux-kernel: enable BPF_LSM
Enables instrumentation of the security hooks with BPF programs for
implementing dynamic MAC and Audit Policies.

The BPF LSM was merged into the Linux kernel in 5.7.

This has already been enabled in Fedora (version 33 onwards), Ubuntu
(Hirsute Hippo), Flatcar Linux, Arch Linux.

Distros like Ubuntu don't enable bpf in CONFIG_LSM by default to avoid
any performance penalty, so, similar to that, this commit enables
CONFIG_BPF_LSM but doesn't add bpf to the default list in CONFIG_LSM;
users willing to use this feature can boot with the lsm=...bpf
kernel parameter.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=641cd7b06c911c5935c34f24850ea18690649917
https://outflux.net/blog/archives/2020/09/21/security-things-in-linux-v5-7/
https://lwn.net/Articles/813057/
https://github.com/flatcar-linux/Flatcar/issues/343
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1905975
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983329
2021-11-09 16:29:40 +05:30
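
Whether unprivileged BPF is actually off (the BPF_UNPRIV_DEFAULT_OFF commit above) and whether the BPF LSM is actually active (this commit) are runtime questions the build config alone does not answer: the sysctl has three states, and `lsm=` on the command line replaces CONFIG_LSM instead of extending it. The following is an added example, mine rather than nixpkgs code or either commit's. The sysctl meanings follow Documentation/admin-guide/sysctl/kernel.rst, the CONFIG_LSM string used under `__main__` is a constructed placeholder (the real one comes from the kernel config), and `read_runtime` assumes procfs and securityfs are mounted at their usual paths.

```python
"""Runtime view of unprivileged-BPF state and of the LSM order that decides
whether the BPF LSM is active."""
from __future__ import annotations

import shlex
from pathlib import Path

# kernel.unprivileged_bpf_disabled. BPF_UNPRIV_DEFAULT_OFF=y boots the kernel
# with 2, not 1: root can still write 0 to re-enable unprivileged bpf(),
# whereas 1 is a one-way switch until reboot.
UNPRIV_BPF_STATES = {
    "0": "unprivileged bpf() allowed",
    "1": "unprivileged bpf() disabled permanently (until reboot)",
    "2": "unprivileged bpf() disabled, can be re-enabled by root (BPF_UNPRIV_DEFAULT_OFF default)",
}


def bpf_unpriv_state(sysctl_value: str) -> str:
    """Translate the raw contents of /proc/sys/kernel/unprivileged_bpf_disabled."""
    value = sysctl_value.strip()
    return UNPRIV_BPF_STATES.get(value, f"unknown value {value!r}")


def lsm_order(cmdline: str, config_lsm: str) -> list[str]:
    """Return the LSM initialisation order the kernel will use.

    `lsm=` on the command line REPLACES the CONFIG_LSM list rather than adding
    to it, which is why enabling CONFIG_BPF_LSM alone is not enough: "bpf" must
    be in whichever list wins. If lsm= is given more than once, the last wins.
    """
    order = config_lsm.strip().strip('"')
    for token in shlex.split(cmdline):
        if token.startswith("lsm="):
            order = token[len("lsm="):]
    return [name.strip() for name in order.split(",") if name.strip()]


def bpf_lsm_fix(cmdline: str, config_lsm: str) -> str | None:
    """Return the lsm= parameter that adds the BPF LSM, or None if it is already listed."""
    order = lsm_order(cmdline, config_lsm)
    if "bpf" in order:
        return None
    return "lsm=" + ",".join(order + ["bpf"])


def read_runtime() -> dict[str, str]:
    """Collect the live values; /sys/kernel/security/lsm needs securityfs mounted."""
    files = {
        "unprivileged_bpf_disabled": "/proc/sys/kernel/unprivileged_bpf_disabled",
        "cmdline": "/proc/cmdline",
        "active_lsms": "/sys/kernel/security/lsm",
    }
    return {k: Path(p).read_text().strip() for k, p in files.items() if Path(p).exists()}


if __name__ == "__main__":
    live = read_runtime()
    print("unprivileged bpf :", bpf_unpriv_state(live.get("unprivileged_bpf_disabled", "")))
    print("active LSMs      :", live.get("active_lsms", "unavailable"))
    # CONFIG_LSM must come from the kernel config (zcat /proc/config.gz | grep ^CONFIG_LSM=);
    # the value below is a constructed placeholder, not read from this machine.
    fix = bpf_lsm_fix(live.get("cmdline", ""), '"landlock,lockdown,yama,integrity"')
    print("to enable bpf LSM:", fix or "already in LSM order")
```

The authoritative answer for what is loaded is `/sys/kernel/security/lsm`; `lsm_order` is for reasoning about a boot entry before rebooting into it. The legacy `security=` parameter is not modelled here: it only selects the major LSM and does not replace the whole list the way `lsm=` does.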
Bernardo Meurer
9a96e0ec8c
Merge pull request #144641 from jian-lin/enable-TCP_CONG_ADVANCED-on-aarch64
linux: enable TCP_CONG_ADVANCED
2021-11-04 23:31:16 -07:00