From accb36acfdf5b34053e03a59bd0c5cd9ebef829b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cyryl=20P=C5=82otnicki?= Date: Wed, 17 Nov 2021 19:05:59 +0000 Subject: [PATCH] more power saving & security in foureighty kernel config
---
 nixos/boxes/foureighty/custom-kernel.nix | 133 +++++++++++++----
 1 file changed, 75 insertions(+), 58 deletions(-)
diff --git a/nixos/boxes/foureighty/custom-kernel.nix b/nixos/boxes/foureighty/custom-kernel.nix
index a4aaa58a..9f437c71 100644
--- a/nixos/boxes/foureighty/custom-kernel.nix
+++ b/nixos/boxes/foureighty/custom-kernel.nix
@@ -9,64 +9,81 @@ name = "foureighty"; patch = null; extraConfig = ''
- WATCH_QUEUE y
- MCORE2 y
- ENERGY_MODEL y
- INTEL_TXT y
- LOCKUP_DETECTOR y
- HARDLOCKUP_DETECTOR y
- BUG y
-
- DEBUG_RODATA y
- DEBUG_SET_MODULE_RONX y
- SECURITY_SELINUX_DISABLE n
- SECURITY_WRITABLE_HOOKS n
-
- STRICT_KERNEL_RWX y
-
- DEVMEM y
- STRICT_DEVMEM y
- DEBUG_CREDENTIALS y
- DEBUG_NOTIFIERS y
- DEBUG_PI_LIST y
- DEBUG_PLIST y
- DEBUG_SG y
- SCHED_STACK_END_CHECK y
-
- SHUFFLE_PAGE_ALLOCATOR y
- SLUB_DEBUG y
-
- PAGE_POISONING y
- PAGE_POISONING_NO_SANITY y
- PAGE_POISONING_ZERO y
-
- SECURITY_SAFESETID y
-
- PANIC_TIMEOUT -1
-
- GCC_PLUGINS y
- GCC_PLUGIN_LATENT_ENTROPY y
-
- GCC_PLUGIN_STRUCTLEAK y
- GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y
- GCC_PLUGIN_STACKLEAK y
- GCC_PLUGIN_RANDSTRUCT y
- GCC_PLUGIN_RANDSTRUCT_PERFORMANCE y
-
- ACPI_CUSTOM_METHOD n
- PROC_KCORE n
- INET_DIAG n
-
- INET_DIAG_DESTROY option no
- INET_RAW_DIAG option no
- INET_TCP_DIAG option no
- INET_UDP_DIAG option no
- INET_MPTCP_DIAG option no
-
-
- CC_STACKPROTECTOR_STRONG y
-
- KFENCE y
+ ACPI_CUSTOM_METHOD n
+ ACPI_DPTF y
+ BUG y
+ CC_STACKPROTECTOR_STRONG y
+ CPU_IDLE_GOV_HALTPOLL y
+ CPU_IDLE_GOV_TEO y
+ DEBUG_CREDENTIALS y
+ DEBUG_NOTIFIERS y
+ DEBUG_PI_LIST y
+ DEBUG_PLIST y
+ DEBUG_RODATA y
+ DEBUG_SET_MODULE_RONX y
+ DEBUG_SG y
+ DEVMEM y
+ DPTF_PCH_FIVR m
+ DPTF_POWER m
+ ENERGY_MODEL y
+ FORTIFY_SOURCE y
+ GCC_PLUGINS y
+ GCC_PLUGIN_LATENT_ENTROPY y
+ GCC_PLUGIN_RANDSTRUCT y
+ GCC_PLUGIN_RANDSTRUCT_PERFORMANCE y
+ GCC_PLUGIN_STACKLEAK y
+ GCC_PLUGIN_STRUCTLEAK y
+ GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y
+ HARDENED_USERCOPY y
+ HARDENED_USERCOPY_FALLBACK y
+ HARDLOCKUP_DETECTOR y
+ HZ_300 y
+ INET_DIAG n
+ INET_DIAG_DESTROY option no
+ INET_MPTCP_DIAG option no
+ INET_RAW_DIAG option no
+ INET_TCP_DIAG option no
+ INET_UDP_DIAG option no
+ INIT_ON_ALLOC_DEFAULT_ON y
+ INIT_ON_FREE_DEFAULT_ON y
+ INTEL_TXT y
+ KEXEC n
+ KFENCE y
+ LEGACY_VSYSCALL_NONE y
+ LOCKUP_DETECTOR y
+ MCORE2 y
+ NR_CPUS 16
+ NUMA_BALANCING y
+ NUMA_BALANCING_DEFAULT_ENABLED y
+ PAGE_POISONING y
+ PAGE_POISONING_NO_SANITY y
+ PAGE_POISONING_ZERO y
+ PANIC_TIMEOUT -1
+ PM_AUTOSLEEP y
+ POWER_EFFICIENT_DEFAULT y
+ PREEMPT y
+ PREEMPTION y
+ PREEMPT_COUNT y
+ PREEMPT_DYNAMIC y
+ PREEMPT_RCU y
+ PROC_KCORE n
+ RANDOMIZE_KSTACK_OFFSET_DEFAULT y
+ SCHED_CORE y
+ SCHED_STACK_END_CHECK y
+ SECURITY_SAFESETID y
+ SECURITY_SELINUX_DISABLE n
+ SECURITY_WRITABLE_HOOKS n
+ SHUFFLE_PAGE_ALLOCATOR y
+ SLAB_FREELIST_HARDENED y
+ SLAB_FREELIST_RANDOM y
+ SLUB_DEBUG y
+ STRICT_DEVMEM y
+ STRICT_KERNEL_RWX y
+ UNINLINE_SPIN_UNLOCK y
+ WATCH_QUEUE y
+ X86_INTEL_TSX_MODE_AUTO y
+ X86_SGX y
+ X86_SGX_KVM y
 ''; } ]; }
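Review bot: `HARDENED_USERCOPY_FALLBACK y` weakens the `HARDENED_USERCOPY y` added right before it: with the fallback on, a copy that misses a slab usercopy whitelist is only WARN()ed and then checked against the whole allocation size rather than rejected, which is why upstream describes it as a temporary whitelist-discovery aid and hardening guidance (KSPP) leaves it unset; the intended pairing is `HARDENED_USERCOPY_FALLBACK n`, and since the symbol has since been removed upstream, the `option` form used for the `INET_*_DIAG` lines is presumably the way to keep a newer kernel from rejecting it. `DEVMEM y` is also carried into the sorted list; `STRICT_DEVMEM y` only keeps /dev/mem away from system RAM, so a config whose subject is "more security" would normally set `DEVMEM n`, or at minimum add `IO_STRICT_DEVMEM y` so driver-claimed MMIO is excluded as well. `INIT_ON_FREE_DEFAULT_ON y` and `PAGE_POISONING y` both scrub every freed page, so one of them is redundant work that also cuts against the power-saving aim of the commit. The `extraConfig` string begins and the enclosing attribute set closes inside this hunk, but the surrounding file structure is only partly visible here.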