dotfiles/nixos/boxes/foureighty/custom-kernel.nix

{ config, pkgs, ... }:
{
  boot.kernelPackages = pkgs.linuxPackages_latest_hardened;
  nixpkgs.overlays = [ (self: super: { buildLinux = x: super.buildLinux ({
    ignoreConfigErrors = true;
    enableParallelBuilding = true;
  } // x); } ) ];
  boot.kernelPatches = [ {
    name = "foureighty";
    patch = null;
    extraConfig = ''
      WATCH_QUEUE y
      MCORE2 y
      ENERGY_MODEL y
      INTEL_TXT y
      LOCKUP_DETECTOR y
      HARDLOCKUP_DETECTOR y
      BUG y

      DEBUG_RODATA        y
      DEBUG_SET_MODULE_RONX y
      SECURITY_SELINUX_DISABLE  n
      SECURITY_WRITABLE_HOOKS  n

      STRICT_KERNEL_RWX  y

      DEVMEM y
      STRICT_DEVMEM y
      DEBUG_CREDENTIALS     y
      DEBUG_NOTIFIERS       y
      DEBUG_PI_LIST         y
      DEBUG_PLIST           y
      DEBUG_SG              y
      SCHED_STACK_END_CHECK  y

      SHUFFLE_PAGE_ALLOCATOR  y
      SLUB_DEBUG y

      PAGE_POISONING            y
      PAGE_POISONING_NO_SANITY  y
      PAGE_POISONING_ZERO       y

      SECURITY_SAFESETID  y

      PANIC_TIMEOUT  -1

      GCC_PLUGINS  y
      GCC_PLUGIN_LATENT_ENTROPY  y

      GCC_PLUGIN_STRUCTLEAK  y
      GCC_PLUGIN_STRUCTLEAK_BYREF_ALL  y
      GCC_PLUGIN_STACKLEAK  y
      GCC_PLUGIN_RANDSTRUCT y
      GCC_PLUGIN_RANDSTRUCT_PERFORMANCE  y

      ACPI_CUSTOM_METHOD  n
      PROC_KCORE          n
      INET_DIAG           n

      INET_DIAG_DESTROY  option no
      INET_RAW_DIAG      option no
      INET_TCP_DIAG      option no
      INET_UDP_DIAG      option no
      INET_MPTCP_DIAG    option no


      CC_STACKPROTECTOR_STRONG y

      KFENCE y
    '';
  } ];
}
custom kernel for foureighty, fix vscode 2020-09-17 20:01:52 +01:00			`{ config, pkgs, ... }:`
			`{`
fix throttled on T480 hardened 2021-07-18 18:53:01 +01:00			`boot.kernelPackages = pkgs.linuxPackages_latest_hardened;`
			`nixpkgs.overlays = [ (self: super: { buildLinux = x: super.buildLinux ({`
			`ignoreConfigErrors = true;`
			`enableParallelBuilding = true;`
			`} // x); } ) ];`
custom kernel for foureighty, fix vscode 2020-09-17 20:01:52 +01:00			`boot.kernelPatches = [ {`
			`name = "foureighty";`
			`patch = null;`
			`extraConfig = ''`
			`WATCH_QUEUE y`
			`MCORE2 y`
			`ENERGY_MODEL y`
			`INTEL_TXT y`
kernel 2021-05-21 19:39:21 +01:00			`LOCKUP_DETECTOR y`
			`HARDLOCKUP_DETECTOR y`
			`BUG y`

tor browser 2021-05-22 22:31:54 +01:00			`DEBUG_RODATA y`
			`DEBUG_SET_MODULE_RONX y`
kernel 2021-05-21 19:39:21 +01:00			`SECURITY_SELINUX_DISABLE n`
tor browser 2021-05-22 22:31:54 +01:00			`SECURITY_WRITABLE_HOOKS n`
kernel 2021-05-21 19:39:21 +01:00
			`STRICT_KERNEL_RWX y`

fix throttled on T480 hardened 2021-07-18 18:53:01 +01:00			`DEVMEM y`
tor browser 2021-05-22 22:31:54 +01:00			`STRICT_DEVMEM y`
			`DEBUG_CREDENTIALS y`
			`DEBUG_NOTIFIERS y`
			`DEBUG_PI_LIST y`
			`DEBUG_PLIST y`
			`DEBUG_SG y`
kernel 2021-05-21 19:39:21 +01:00			`SCHED_STACK_END_CHECK y`

			`SHUFFLE_PAGE_ALLOCATOR y`
tor browser 2021-05-22 22:31:54 +01:00			`SLUB_DEBUG y`
kernel 2021-05-21 19:39:21 +01:00
			`PAGE_POISONING y`
			`PAGE_POISONING_NO_SANITY y`
			`PAGE_POISONING_ZERO y`

			`SECURITY_SAFESETID y`

			`PANIC_TIMEOUT -1`

			`GCC_PLUGINS y`
			`GCC_PLUGIN_LATENT_ENTROPY y`

			`GCC_PLUGIN_STRUCTLEAK y`
			`GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y`
			`GCC_PLUGIN_STACKLEAK y`
			`GCC_PLUGIN_RANDSTRUCT y`
			`GCC_PLUGIN_RANDSTRUCT_PERFORMANCE y`

			`ACPI_CUSTOM_METHOD n`
			`PROC_KCORE n`
			`INET_DIAG n`
tor browser 2021-05-22 22:31:54 +01:00
			`INET_DIAG_DESTROY option no`
			`INET_RAW_DIAG option no`
			`INET_TCP_DIAG option no`
			`INET_UDP_DIAG option no`
			`INET_MPTCP_DIAG option no`


			`CC_STACKPROTECTOR_STRONG y`

			`KFENCE y`
custom kernel for foureighty, fix vscode 2020-09-17 20:01:52 +01:00			`'';`
			`} ];`
			`}`