Merge pull request #53826 from delroth/randstruct-custom-seed

nixos: allow customizing the kernel RANDSTRUCT seed
Joachim F 2019-04-16 17:49:19 +00:00 committed by GitHub
commit d7da5e2af2
3 changed files with 25 additions and 4 deletions


@ -5,7 +5,7 @@ with lib;
let
inherit (config.boot) kernelPatches;
inherit (config.boot.kernel) features;
inherit (config.boot.kernel) features randstructSeed;
inherit (config.boot.kernelPackages) kernel;
kernelModulesConf = pkgs.writeText "nixos.conf"
@ -38,6 +38,7 @@ in
default = pkgs.linuxPackages;
apply = kernelPackages: kernelPackages.extend (self: super: {
kernel = super.kernel.override {
inherit randstructSeed;
kernelPatches = super.kernel.kernelPatches ++ kernelPatches;
features = lib.recursiveUpdate super.kernel.features features;
};
@ -67,6 +68,19 @@ in
description = "A list of additional patches to apply to the kernel.";
};
boot.kernel.randstructSeed = mkOption {
type = types.str;
default = "";
example = "my secret seed";
description = ''
Provides a custom seed for the <varname>RANDSTRUCT</varname> security
option of the Linux kernel. Note that <varname>RANDSTRUCT</varname> is
only enabled in NixOS hardened kernels. Using a custom seed requires
building the kernel and dependent packages locally, since this
customization happens at build time.
'';
};
boot.kernelParams = mkOption {
type = types.listOf types.str;
default = [ ];
@ -298,7 +312,7 @@ in
# !!! Should this really be needed?
(isYes "MODULES")
(isYes "BINFMT_ELF")
];
] ++ (optional (randstructSeed != "") (isYes "GCC_PLUGIN_RANDSTRUCT"));
# nixpkgs kernels are assumed to have all required features
assertions = if config.boot.kernelPackages.kernel ? features then [] else
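Review bot: The new `boot.kernel.randstructSeed` option (the `@ -67,6 +68,19 @@` hunk) uses the example `my secret seed` and never says where the value ends up, which reads as if the seed were confidential. It is interpolated into the kernel derivation's build script (see the manual-config.nix hunk), so it is written in plain text into the derivation in the Nix store and into any binary cache or remote builder the derivation reaches; anyone who can read the store can read the seed. The description should state this so users do not treat the option as a secret input, e.g. append `The seed is a plain build input of the kernel derivation and is visible in the Nix store; it must not be considered secret.` and change the example to something like `example = "nixos-custom-seed";`. The assertion hunk at `@ -298,7 +312,7 @@` correctly requires `GCC_PLUGIN_RANDSTRUCT` only when the seed is non-empty, so a seed on a non-hardened kernel fails early rather than silently doing nothing.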


@ -33,6 +33,10 @@
# NixOS to implement kernel-specific behaviour.
features ? {}
, # Custom seed used for CONFIG_GCC_PLUGIN_RANDSTRUCT if enabled. This is
# automatically extended with extra per-version and per-config values.
randstructSeed ? ""
, # A list of patches to apply to the kernel. Each element of this list
# should be an attribute set {name, patch} where `name' is a
# symbolic name and `patch' is the actual patch. The patch may
@ -162,7 +166,7 @@ let
}; # end of configfile derivation
kernel = (callPackage ./manual-config.nix {}) {
inherit version modDirVersion src kernelPatches stdenv extraMeta configfile;
inherit version modDirVersion src kernelPatches randstructSeed stdenv extraMeta configfile;
config = { CONFIG_MODULES = "y"; CONFIG_FW_LOADER = "m"; };
};


@ -30,6 +30,9 @@ in {
# Manually specified nixexpr representing the config
# If unspecified, this will be autodetected from the .config
config ? stdenv.lib.optionalAttrs allowImportFromDerivation (readConfig configfile),
# Custom seed used for CONFIG_GCC_PLUGIN_RANDSTRUCT if enabled. This is
# automatically extended with extra per-version and per-config values.
randstructSeed ? "",
# Use defaultMeta // extraMeta
extraMeta ? {},
# Whether to utilize the controversial import-from-derivation feature to parse the config
@ -111,7 +114,7 @@ let
if [ -f scripts/gcc-plugins/gen-random-seed.sh ]; then
substituteInPlace scripts/gcc-plugins/gen-random-seed.sh \
--replace NIXOS_RANDSTRUCT_SEED \
$(echo ${src} ${configfile} | sha256sum | cut -d ' ' -f 1 | tr -d '\n')
$(echo ${randstructSeed}${src} ${configfile} | sha256sum | cut -d ' ' -f 1 | tr -d '\n')
fi
'';
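Review bot: On the new line `$(echo ${randstructSeed}${src} ${configfile} | sha256sum ...)` the seed is spliced verbatim into a shell command, so a value containing `$`, backticks, quotes, `;` or `|` is parsed by the builder's shell rather than hashed, and runs of whitespace are collapsed by word splitting, giving different seeds the same hash. `stdenv.lib` is already in scope in this file (`stdenv.lib.optionalAttrs` two hunks up), so the value should be escaped: `$(echo ${stdenv.lib.escapeShellArg randstructSeed}${src} ${configfile} | sha256sum | cut -d ' ' -f 1 | tr -d '\n')`. It would also help readers to state in the `randstructSeed ? ""` parameter comment that the seed is only mixed in when `scripts/gcc-plugins/gen-random-seed.sh` exists and that, since it is a derivation input, it is recorded in the Nix store rather than kept private. The `postPatch`/configure snippet this substitution lives in starts outside the hunk.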