Linux Hardened Kernel Updates 2024-12-14 (NixOS#365214)

Author: fabianhjr

nixos/tests/kernel-generic.nix

@@ -41,6 +41,7 @@ let
       linux_6_1_hardened
       linux_6_6_hardened
       linux_6_11_hardened
+      linux_6_12_hardened
       linux_rt_5_4
       linux_rt_5_10
       linux_rt_5_15

pkgs/os-specific/linux/kernel/common-config.nix

@@ -531,15 +531,16 @@ let
       };
 
     # Enable Rust and features that depend on it
+    # Use a lower priority to allow these options to be overridden in hardened/config.nix
     rust = lib.optionalAttrs withRust {
-      RUST = yes;
+      RUST = lib.mkDefault yes;
 
       # These don't technically require Rust but we probably want to get some more testing
       # on the whole DRM panic setup before shipping it by default.
       DRM_PANIC = whenAtLeast "6.12" yes;
       DRM_PANIC_SCREEN = whenAtLeast "6.12" (freeform "kmsg");
 
-      DRM_PANIC_SCREEN_QR_CODE = whenAtLeast "6.12" yes;
+      DRM_PANIC_SCREEN_QR_CODE = lib.mkDefault (whenAtLeast "6.12" yes);
     };
 
     sound =
@@ -1255,7 +1256,7 @@ let
         LIRC = yes;
 
         SCHED_CORE = whenAtLeast "5.14" yes;
-        SCHED_CLASS_EXT = whenAtLeast "6.12" yes;
+        SCHED_CLASS_EXT = lib.mkDefault (whenAtLeast "6.12" yes);
 
         LRU_GEN = whenAtLeast "6.1" yes;
         LRU_GEN_ENABLED = whenAtLeast "6.1" yes;

pkgs/os-specific/linux/kernel/hardened/config.nix

@@ -38,6 +38,8 @@ assert (lib.versionAtLeast version "4.9");
   DEBUG_PLIST = whenAtLeast "5.2" yes;
   DEBUG_SG = yes;
   DEBUG_VIRTUAL = yes;
+  # Set in common config as whenAtLeast "6.12" yes; Currently errors during config
+  SCHED_CLASS_EXT = whenAtLeast "6.12" (option yes);
   SCHED_STACK_END_CHECK = yes;
 
   REFCOUNT_FULL = whenOlder "5.4.208" yes;
@@ -116,4 +118,7 @@ assert (lib.versionAtLeast version "4.9");
 
   # not needed for less than a decade old glibc versions
   LEGACY_VSYSCALL_NONE = yes;
+
+  RUST = option yes; # Yes currently erros on 6.12
+  DRM_PANIC_SCREEN_QR_CODE = whenAtLeast "6.12" (option yes);
 }

pkgs/os-specific/linux/kernel/hardened/patches.json

@@ -42,21 +42,31 @@
     "6.11": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-v6.11.10-hardened1.patch",
-            "sha256": "10m3xkanix9yhj95p1qr5dk3gydq1hbnbnibrlp4ag9yqd5ki7d4",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.11.10-hardened1/linux-hardened-v6.11.10-hardened1.patch"
+            "name": "linux-hardened-v6.11.11-hardened1.patch",
+            "sha256": "09y9bglln7br53pwzb3yqafkaklfwn1hx5qpwp6x1s817bj7bhxx",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.11.11-hardened1/linux-hardened-v6.11.11-hardened1.patch"
         },
-        "sha256": "0xzynjyyr16my0wrla4ggpjbh4g7nsqixaimz5hrsqlhaa8q9hab",
-        "version": "6.11.10"
+        "sha256": "1z2913y38clnlmhvwj49h7p4pic24s4d8np7nmd4lk7m2xz8w532",
+        "version": "6.11.11"
+    },
+    "6.12": {
+        "patch": {
+            "extra": "-hardened1",
+            "name": "linux-hardened-v6.12.4-hardened1.patch",
+            "sha256": "0807n36inzq82m8m279q6sfnh7cn2nwkqnf6hi5kw9k9z0x20a8l",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.12.4-hardened1/linux-hardened-v6.12.4-hardened1.patch"
+        },
+        "sha256": "0lhisw9sy0b38j1nifcgjm8w9864qx3hg6b7f6z2311x8chzhdbg",
+        "version": "6.12.4"
     },
     "6.6": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-v6.6.63-hardened1.patch",
-            "sha256": "1nsg9f6fgh1yfa95gwrdh8g8kwywbczl2rv8j06qsk0y6b79kmw1",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.6.63-hardened1/linux-hardened-v6.6.63-hardened1.patch"
+            "name": "linux-hardened-v6.6.64-hardened1.patch",
+            "sha256": "12zm0irxdl9iqihpnk9vwxqrraak3mf894s5pa7y62qan3xghc57",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.6.64-hardened1/linux-hardened-v6.6.64-hardened1.patch"
         },
-        "sha256": "0d8q0vwv3lcix3wiq2n53rir3h298flg2l0ghpify4rlh2s4l1fi",
-        "version": "6.6.63"
+        "sha256": "1cbag4wzv5fpjdcl0rpp158ch1q17rfz2qxm1xjjyhnblqzxjpq6",
+        "version": "6.6.64"
     }
 }

pkgs/top-level/all-packages.nix

@@ -12422,6 +12422,8 @@ with pkgs;
   linux_6_6_hardened = linuxKernel.kernels.linux_6_6_hardened;
   linuxPackages_6_11_hardened = linuxKernel.packages.linux_6_11_hardened;
   linux_6_11_hardened = linuxKernel.kernels.linux_6_11_hardened;
+  linuxPackages_6_12_hardened = linuxKernel.packages.linux_6_12_hardened;
+  linux_6_12_hardened = linuxKernel.kernels.linux_6_12_hardened;
 
   # GNU Linux-libre kernels
   linuxPackages-libre = linuxKernel.packages.linux_libre;

pkgs/top-level/linux-kernels.nix

@@ -276,6 +276,7 @@ in {
     linux_6_1_hardened = hardenedKernelFor kernels.linux_6_1 { };
     linux_6_6_hardened = hardenedKernelFor kernels.linux_6_6 { };
     linux_6_11_hardened = hardenedKernelFor kernels.linux_6_11 { };
+    linux_6_12_hardened = hardenedKernelFor kernels.linux_6_12 { };
 
   } // lib.optionalAttrs config.allowAliases {
     linux_4_14 = throw "linux 4.14 was removed because it will reach its end of life within 23.11";
@@ -675,6 +676,7 @@ in {
     linux_6_1_hardened = recurseIntoAttrs (packagesFor kernels.linux_6_1_hardened);
     linux_6_6_hardened = recurseIntoAttrs (packagesFor kernels.linux_6_6_hardened);
     linux_6_11_hardened = recurseIntoAttrs (packagesFor kernels.linux_6_11_hardened);
+    linux_6_12_hardened = recurseIntoAttrs (packagesFor kernels.linux_6_12_hardened);
 
     linux_zen = recurseIntoAttrs (packagesFor kernels.linux_zen);
     linux_lqx = recurseIntoAttrs (packagesFor kernels.linux_lqx);