diff --git a/nixos/modules/services/desktop-managers/plasma6.nix b/nixos/modules/services/desktop-managers/plasma6.nix index 1cb7a7ea778b..611998768824 100644 --- a/nixos/modules/services/desktop-managers/plasma6.nix +++ b/nixos/modules/services/desktop-managers/plasma6.nix @@ -252,6 +252,7 @@ in { services.xserver.displayManager.sddm = { package = kdePackages.sddm; theme = mkDefault "breeze"; + wayland.compositor = "kwin"; extraPackages = with kdePackages; [ breeze-icons kirigami diff --git a/nixos/modules/services/x11/display-managers/sddm.nix b/nixos/modules/services/x11/display-managers/sddm.nix index 5b7f4bc58d80..a315a3ebf322 100644 --- a/nixos/modules/services/x11/display-managers/sddm.nix +++ b/nixos/modules/services/x11/display-managers/sddm.nix @@ -1,19 +1,24 @@ { config, lib, pkgs, ... }: -with lib; let xcfg = config.services.xserver; dmcfg = xcfg.displayManager; cfg = dmcfg.sddm; xEnv = config.systemd.services.display-manager.environment; - sddm = cfg.package.override(old: { + sddm = cfg.package.override (old: { withWayland = cfg.wayland.enable; - extraPackages = old.extraPackages or [] ++ cfg.extraPackages; + extraPackages = old.extraPackages or [ ] ++ cfg.extraPackages; }); iniFmt = pkgs.formats.ini { }; + inherit (lib) + concatMapStrings concatStringsSep getExe + attrNames getAttr optionalAttrs optionalString + mkRemovedOptionModule mkRenamedOptionModule mkIf mkEnableOption mkOption mkPackageOption types + ; + xserverWrapper = pkgs.writeShellScript "xserver-wrapper" '' ${concatMapStrings (n: "export ${n}=\"${getAttr n xEnv}\"\n") (attrNames xEnv)} exec systemd-cat -t xserver-wrapper ${dmcfg.xserverBin} ${toString dmcfg.xserverArgs} "$@" 
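Review bot: `wayland.compositor = "kwin";` in the plasma6 module is set unconditionally, while the neighbouring `theme = mkDefault "breeze";` stays overridable, so a user who prefers the weston greeter compositor from the sddm module now needs mkForce. Consider `wayland.compositor = mkDefault "kwin";` so the module's pick remains a default like the theme. Note that the sddm module keys greeter settings on this value without consulting `wayland.enable` (see the `optionalAttrs (cfg.wayland.compositor == "kwin")` block in the next hunk), so the plasma6 value also shapes the X11 greeter configuration.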
@@ -38,12 +43,21 @@ let DefaultSession = optionalString (dmcfg.defaultSession != null) "${dmcfg.defaultSession}.desktop"; DisplayServer = if cfg.wayland.enable then "wayland" else "x11"; + } // optionalAttrs (cfg.wayland.compositor == "kwin") { + GreeterEnvironment = concatStringsSep " " [ + "LANG=C.UTF-8" + "QT_WAYLAND_SHELL_INTEGRATION=layer-shell" + ]; + InputMethod = ""; # needed if we are using --inputmethod with kwin }; Theme = { Current = cfg.theme; ThemeDir = "/run/current-system/sw/share/sddm/themes"; FacesDir = "/run/current-system/sw/share/sddm/faces"; + } // optionalAttrs (cfg.theme == "breeze") { + CursorTheme = "breeze_cursors"; + CursorSize = 24; }; Users = { @@ -69,7 +83,7 @@ let SessionDir = "${dmcfg.sessionData.desktops}/share/wayland-sessions"; CompositorCommand = lib.optionalString cfg.wayland.enable cfg.wayland.compositorCommand; }; - } // lib.optionalAttrs dmcfg.autoLogin.enable { + } // optionalAttrs dmcfg.autoLogin.enable { Autologin = { User = dmcfg.autoLogin.user; Session = autoLoginSessionName; @@ -83,6 +97,34 @@ let autoLoginSessionName = "${dmcfg.sessionData.autologinSession}.desktop"; + compositorCmds = { + kwin = concatStringsSep " " [ + "${lib.getBin pkgs.kdePackages.kwin}/bin/kwin_wayland" + "--no-global-shortcuts" + "--no-kactivities" + "--no-lockscreen" + "--locale1" + ]; + # This is basically the upstream default, but with Weston referenced by full path + # and the configuration generated from NixOS options. + weston = + let + westonIni = (pkgs.formats.ini { }).generate "weston.ini" { + libinput = { + enable-tap = xcfg.libinput.mouse.tapping; + left-handed = xcfg.libinput.mouse.leftHanded; + }; + keyboard = { + keymap_model = xcfg.xkb.model; + keymap_layout = xcfg.xkb.layout; + keymap_variant = xcfg.xkb.variant; + keymap_options = xcfg.xkb.options; + }; + }; + in + "${getExe pkgs.weston} --shell=kiosk -c ${westonIni}"; + }; + in { imports = [ 
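Review bot: The `GreeterEnvironment`/`InputMethod` block is merged in whenever `cfg.wayland.compositor == "kwin"` with no check of `cfg.wayland.enable`, so a system that keeps the X11 greeter but has the compositor set to kwin (as the plasma6 module now does) still gets `InputMethod = ""` and the layer-shell environment written into sddm.conf. The `CompositorCommand` line a few lines further down already guards on `cfg.wayland.enable`; the same guard belongs here: `} // optionalAttrs (cfg.wayland.enable && cfg.wayland.compositor == "kwin") {`. Separately, the comment `# needed if we are using --inputmethod with kwin` refers to a flag that the kwin command in the `compositorCmds` hunk below does not pass; either pass it or reword the comment to state why an empty InputMethod is wanted for the kwin greeter.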
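Review bot: This hunk drops the `lib.` prefix on `optionalAttrs` but leaves `lib.optionalString` on the `CompositorCommand` line directly above it, and the `compositorCmds` hunk uses `lib.getBin` while the new `compositor` option in the `@@ -206` hunk uses `lib.concatStringsSep` and `lib.mdDoc` although `concatStringsSep` is now in the `inherit (lib)` list. Pick one style: either extend the inherit list (`getBin mdDoc`) and drop the prefixes throughout, or keep `lib.` everywhere.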
@@ -111,7 +153,7 @@ in ''; }; - package = mkPackageOption pkgs [ "plasma5Packages" "sddm" ] {}; + package = mkPackageOption pkgs [ "plasma5Packages" "sddm" ] { }; enableHidpi = mkOption { type = types.bool; @@ -145,7 +187,7 @@ in extraPackages = mkOption { type = types.listOf types.package; - default = []; + default = [ ]; defaultText = "[]"; description = lib.mdDoc '' Extra Qt plugins / QML libraries to add to the environment. @@ -206,24 +248,16 @@ in wayland = { enable = mkEnableOption "experimental Wayland support"; + compositor = mkOption { + description = lib.mdDoc "The compositor to use: ${lib.concatStringsSep ", " (builtins.attrNames compositorCmds)}"; + type = types.enum (builtins.attrNames compositorCmds); + default = "weston"; + }; + compositorCommand = mkOption { type = types.str; internal = true; - - # This is basically the upstream default, but with Weston referenced by full path - # and the configuration generated from NixOS options. - default = let westonIni = (pkgs.formats.ini {}).generate "weston.ini" { - libinput = { - enable-tap = xcfg.libinput.mouse.tapping; - left-handed = xcfg.libinput.mouse.leftHanded; - }; - keyboard = { - keymap_model = xcfg.xkb.model; - keymap_layout = xcfg.xkb.layout; - keymap_variant = xcfg.xkb.variant; - keymap_options = xcfg.xkb.options; - }; - }; in "${pkgs.weston}/bin/weston --shell=kiosk -c ${westonIni}"; + default = compositorCmds.${cfg.wayland.compositor}; description = lib.mdDoc "Command used to start the selected compositor"; }; }; @@ -247,8 +281,6 @@ in } ]; - services.xserver.displayManager.job.execCmd = "exec /run/current-system/sw/bin/sddm"; - security.pam.services = { sddm.text = '' auth substack login 
@@ -293,30 +325,41 @@ in uid = config.ids.uids.sddm; }; - environment.etc."sddm.conf".source = cfgFile; - environment.pathsToLink = [ - "/share/sddm" - ]; + environment = { + etc."sddm.conf".source = cfgFile; + pathsToLink = [ + "/share/sddm" + ]; + systemPackages = [ sddm ]; + }; users.groups.sddm.gid = config.ids.gids.sddm; - environment.systemPackages = [ sddm ]; - services.dbus.packages = [ sddm ]; - systemd.tmpfiles.packages = [ sddm ]; + services = { + dbus.packages = [ sddm ]; + xserver = { + displayManager.job.execCmd = "exec /run/current-system/sw/bin/sddm"; + # To enable user switching, allow sddm to allocate TTYs/displays dynamically. + tty = null; + display = null; + }; + }; - # We're not using the upstream unit, so copy these: https://github.com/sddm/sddm/blob/develop/services/sddm.service.in - systemd.services.display-manager.after = [ - "systemd-user-sessions.service" - "getty@tty7.service" - "plymouth-quit.service" - "systemd-logind.service" - ]; - systemd.services.display-manager.conflicts = [ - "getty@tty7.service" - ]; + systemd = { + tmpfiles.packages = [ sddm ]; - # To enable user switching, allow sddm to allocate TTYs/displays dynamically. - services.xserver.tty = null; - services.xserver.display = null; + # We're not using the upstream unit, so copy these: https://github.com/sddm/sddm/blob/develop/services/sddm.service.in + services.display-manager = { + after = [ + "systemd-user-sessions.service" + "getty@tty7.service" + "plymouth-quit.service" + "systemd-logind.service" + ]; + conflicts = [ + "getty@tty7.service" + ]; + }; + }; }; } diff --git a/pkgs/applications/video/vdr/markad/default.nix b/pkgs/applications/video/vdr/markad/default.nix index db273ba4ff04..28dad0200270 100644 --- a/pkgs/applications/video/vdr/markad/default.nix +++ b/pkgs/applications/video/vdr/markad/default.nix 
@@ -19,12 +19,12 @@ }: stdenv.mkDerivation rec { pname = "vdr-markad"; - version = "3.4.12"; + version = "3.4.13"; src = fetchFromGitHub { repo = "vdr-plugin-markad"; owner = "kfb77"; - sha256 = "sha256-yc/zWMGzsfZl3n+Qt5Se2duo3jwntCWaYq1yACsrPzM="; + sha256 = "sha256-pDnziIWX6deBXuVIN7w6F6TdYDCcEO6MSaUIMB63uAg="; rev = "V${version}"; }; diff --git a/pkgs/development/ocaml-modules/eliom/default.nix b/pkgs/development/ocaml-modules/eliom/default.nix index 48b9a153f5b3..73f7c0aaccd2 100644 --- a/pkgs/development/ocaml-modules/eliom/default.nix +++ b/pkgs/development/ocaml-modules/eliom/default.nix @@ -1,6 +1,7 @@ { buildDunePackage , lib , fetchFromGitHub +, fetchpatch , which , ocsigen_server , lwt_react @@ -26,6 +27,12 @@ buildDunePackage rec { hash = "sha256-REOyxwnQqWOKywVYwN/WP22cNKZv5Nv0OpFVbNBPJN8="; }; + # Compatibility with tyxml 4.6.x + patches = fetchpatch { + url = "https://github.com/ocsigen/eliom/commit/9a6adcce3959a37b971890999331335d07f4f732.patch"; + hash = "sha256-rgsqohSAHHljvag3c+HNGEgW9qwmqPq8qfTpX6vVKtg="; + }; + nativeBuildInputs = [ which ]; diff --git a/pkgs/development/ocaml-modules/lwd/tyxml-lwd.nix b/pkgs/development/ocaml-modules/lwd/tyxml-lwd.nix index 0832847be3d6..0aad68fa5a0b 100644 --- a/pkgs/development/ocaml-modules/lwd/tyxml-lwd.nix +++ b/pkgs/development/ocaml-modules/lwd/tyxml-lwd.nix @@ -1,12 +1,17 @@ -{ lib, fetchurl, buildDunePackage, js_of_ocaml, js_of_ocaml-ppx, lwd, tyxml }: +{ lib, fetchurl, fetchpatch, buildDunePackage, js_of_ocaml, js_of_ocaml-ppx, lwd, tyxml }: buildDunePackage { pname = "tyxml-lwd"; inherit (lwd) version src; + # Compatibility with latest Tyxml (4.6.x) + patches = fetchpatch { + url = "https://github.com/let-def/lwd/commit/7f3364ec593b5ccf0d0294b97bcd1e28e4164691.patch"; + hash = "sha256-W1HjExZxDKRwsrB9ZTkvHTMKO0K5iZl+FrNqPs6BPGU="; + }; + minimalOCamlVersion = "4.08"; - duneVersion = "3"; buildInputs = [ js_of_ocaml-ppx ]; propagatedBuildInputs = [ js_of_ocaml lwd tyxml ]; 
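Review bot: `patches = fetchpatch { … };` in the eliom hunk assigns a single derivation instead of a list, and the tyxml-lwd hunk below does the same; stdenv tolerates it because the value is stringified, but any downstream `overrideAttrs (old: { patches = old.patches ++ [ … ]; })` fails with a type error. Wrap it as `patches = [ (fetchpatch { … }) ];`, as the ocsigen-start hunk already does. Pinning the commit patch by hash is the right way to bring in the tyxml 4.6 compatibility fix.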
diff --git a/pkgs/development/ocaml-modules/ocsigen-start/default.nix b/pkgs/development/ocaml-modules/ocsigen-start/default.nix index 3b26c28f5341..e9af3a27a756 100644 --- a/pkgs/development/ocaml-modules/ocsigen-start/default.nix +++ b/pkgs/development/ocaml-modules/ocsigen-start/default.nix @@ -1,4 +1,4 @@ -{ stdenv, lib, fetchFromGitHub, ocaml, findlib, ocsigen-toolkit, pgocaml_ppx, safepass, yojson +{ stdenv, lib, fetchFromGitHub, fetchpatch, ocaml, findlib, ocsigen-toolkit, pgocaml_ppx, safepass, yojson , cohttp-lwt-unix, eliom , resource-pooling , ocsigen-ppx-rpc @@ -14,7 +14,13 @@ stdenv.mkDerivation rec { strictDeps = true; - patches = [ ./templates-dir.patch ]; + patches = [ ./templates-dir.patch + # Compatibility with tyxml 4.6.x + (fetchpatch { + url = "https://github.com/ocsigen/ocsigen-start/commit/0b70506f94fcb2e06cb65ce0d6a28b9b84c695f3.patch"; + hash = "sha256-p/VvIu9reI8lc9lxWiTrjZvn46vuF00QInYuWPtRVyk="; + }) + ]; src = fetchFromGitHub { owner = "ocsigen"; diff --git a/pkgs/development/ocaml-modules/tyxml/default.nix b/pkgs/development/ocaml-modules/tyxml/default.nix index c49327d7d338..4cc5aa4cc42d 100644 --- a/pkgs/development/ocaml-modules/tyxml/default.nix +++ b/pkgs/development/ocaml-modules/tyxml/default.nix @@ -2,13 +2,11 @@ buildDunePackage rec { pname = "tyxml"; - version = "4.5.0"; - - useDune2 = true; + version = "4.6.0"; src = fetchurl { url = "https://github.com/ocsigen/tyxml/releases/download/${version}/tyxml-${version}.tbz"; - sha256 = "0s30f72m457c3gbdmdwbx7ls9zg806nvm83aiz9qkpglbppwr6n6"; + hash = "sha256-v+tnPGtOEgpOykxIRIrdR9w/jQLCtA9j/9zMTpHJAt0="; }; propagatedBuildInputs = [ uutf re ]; diff --git a/pkgs/development/python-modules/datadog/default.nix b/pkgs/development/python-modules/datadog/default.nix index c700bdd82b39..8b0b0956b89d 100644 --- a/pkgs/development/python-modules/datadog/default.nix +++ b/pkgs/development/python-modules/datadog/default.nix 
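Review bot: Style: in `patches = [ ./templates-dir.patch` the first element sits on the bracket line while the fetchpatch entry gets its own lines, which nixfmt would reflow; put `./templates-dir.patch` on its own line under `patches = [` so both entries are formatted alike.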
@@ -16,14 +16,14 @@ buildPythonPackage rec { pname = "datadog"; - version = "0.49.0"; + version = "0.49.1"; pyproject = true; disabled = pythonOlder "3.7"; src = fetchPypi { inherit pname version; - hash = "sha256-rcHH/a6ntmQZvyDqsg2eWcMQbKouauHsUvJtECQPsiw="; + hash = "sha256-TLenmRr2ytuGj+RQzUVkc+ZfEfxni3189hBE/xxgdNg="; }; nativeBuildInputs = [ diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix index e19f33c7c6af..1e50fc3dfa15 100644 --- a/pkgs/os-specific/linux/kernel/common-config.nix +++ b/pkgs/os-specific/linux/kernel/common-config.nix @@ -62,10 +62,26 @@ let SUNRPC_DEBUG = yes; # Provide access to tunables like sched_migration_cost_ns SCHED_DEBUG = yes; + + # Count IRQ and steal CPU time separately + IRQ_TIME_ACCOUNTING = yes; + PARAVIRT_TIME_ACCOUNTING = yes; + + # Enable CPU lockup detection + LOCKUP_DETECTOR = yes; + SOFTLOCKUP_DETECTOR = yes; + HARDLOCKUP_DETECTOR = yes; + + # Enable streaming logs to a remote device over a network + NETCONSOLE = module; + NETCONSOLE_DYNAMIC = yes; + + # Export known printks in debugfs + PRINTK_INDEX = whenAtLeast "5.15" yes; }; power-management = { - CPU_FREQ_DEFAULT_GOV_PERFORMANCE = yes; + CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = yes; CPU_FREQ_GOV_SCHEDUTIL = yes; PM_ADVANCED_DEBUG = yes; PM_WAKELOCKS = yes; 
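Review bot: `HARDLOCKUP_DETECTOR = yes;` is only offered by Kconfig when the architecture provides a backend (the perf NMI watchdog on x86; arm64 only gained a generic one in later releases, as far as I recall), so on a target where the question is never asked the config generator reports an unused option; `HARDLOCKUP_DETECTOR = option yes;` matches how `RCU_LAZY` in the next hunk handles the same situation. The same concern applies to `RAS_CEC = yes;` in the `@@ -136` hunk, which depends on X86_MCE in drivers/ras/Kconfig and therefore cannot be answered on non-x86 targets. For `NETCONSOLE = module;` the comment should say what the feature implies operationally: logs leave the machine as unauthenticated plaintext UDP, and nothing is sent unless the module is loaded and configured, e.g. `# Stream kernel logs to a remote host over UDP (plaintext; opt-in via netconsole= or configfs)`.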
@@ -85,6 +101,30 @@ let # depends on HAVE_VIRT_CPU_ACCOUNTING_GEN depends on 64BIT, # so we can't force-enable this RCU_LAZY = whenAtLeast "6.2" (option yes); + + # Auto suspend Bluetooth devices at idle + BT_HCIBTUSB_AUTOSUSPEND = yes; + + # Expose cpufreq stats in sysfs + CPU_FREQ_STAT = yes; + + # Enable CPU energy model for scheduling + ENERGY_MODEL = whenAtLeast "5.0" yes; + + # Enable scheduling stats collection + SCHEDSTATS = yes; + + # Enable thermal interface netlink API + THERMAL_NETLINK = whenAtLeast "5.9" yes; + + # Prefer power-efficient workqueue implementation to per-CPU workqueues, + # which is slightly slower, but improves battery life. + # This is opt-in per workqueue, and can be disabled globally with a kernel command line option. + WQ_POWER_EFFICIENT_DEFAULT = yes; + + # Default SATA link power management to "medium with device initiated PM" + # for some extra power savings. + SATA_MOBILE_LPM_POLICY = whenAtLeast "5.18" (freeform "3"); } // optionalAttrs (stdenv.hostPlatform.isx86) { INTEL_IDLE = yes; INTEL_RAPL = whenAtLeast "5.3" module; @@ -109,6 +149,9 @@ let CHT_DC_TI_PMIC_OPREGION = whenAtLeast "5.10" yes; MFD_TPS68470 = whenBetween "5.10" "5.13" yes; TPS68470_PMIC_OPREGION = whenAtLeast "5.10" yes; + + # Enable Intel thermal hardware feedback + INTEL_HFI_THERMAL = whenAtLeast "5.18" yes; }; external-firmware = { @@ -136,6 +179,16 @@ let DAMON_DBGFS = whenAtLeast "5.15" yes; DAMON_RECLAIM = whenAtLeast "5.16" yes; DAMON_LRU_SORT = whenAtLeast "6.0" yes; + # Support recovering from memory failures on systems with ECC and MCA recovery. + MEMORY_FAILURE = yes; + + # Collect ECC errors and retire pages that fail too often + RAS_CEC = yes; + } // optionalAttrs (stdenv.is32bit) { + # Enable access to the full memory range (aka PAE) on 32-bit architectures + # This check isn't super accurate but it's close enough + HIGHMEM = option yes; + BOUNCE = option yes; }; memtest = { 
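Review bot: `SATA_MOBILE_LPM_POLICY = whenAtLeast "5.18" (freeform "3");` changes a user-visible storage default that has a history of drive-specific link power management problems which the kernel addresses through per-device quirks (ATA_HORKAGE_NOLPM, as far as I recall); the comment should note that the value can be overridden at boot with the `ahci.mobile_lpm_policy=` module parameter. Together with the governor switch to `CPU_FREQ_DEFAULT_GOV_SCHEDUTIL` in the previous hunk this deserves a release-notes entry, since both alter runtime behaviour for every NixOS kernel user.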
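Review bot: The comment `# Enable access to the full memory range (aka PAE) on 32-bit architectures` is inaccurate: HIGHMEM lets the kernel map physical pages above the direct-mapped low-memory region, whereas PAE (36-bit physical addressing) is the separate X86_PAE option, which this hunk does not set. Suggest `# Let the kernel use physical memory above the low-memory direct map on 32-bit targets (PAE itself is X86_PAE)`. The `isn't super accurate` remark presumably means that not every 32-bit architecture offers HIGHMEM, which `option yes` already covers; saying so explicitly would help the next reader.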
@@ -154,6 +207,9 @@ let BFQ_GROUP_IOSCHED = yes; MQ_IOSCHED_KYBER = yes; IOSCHED_BFQ = module; + # Enable CPU utilization clamping for RT tasks + UCLAMP_TASK = whenAtLeast "5.3" yes; + UCLAMP_TASK_GROUP = whenAtLeast "5.4" yes; }; @@ -166,6 +222,7 @@ let # Enable NUMA. numa = { NUMA = option yes; + NUMA_BALANCING = option yes; }; networking = { @@ -250,6 +307,9 @@ let # Bridge Netfilter Configuration NF_TABLES_BRIDGE = mkMerge [ (whenOlder "5.3" yes) (whenAtLeast "5.3" module) ]; + # Expose some debug info + NF_CONNTRACK_PROCFS = yes; + NF_FLOW_TABLE_PROCFS = whenAtLeast "6.0" yes; # needed for `dropwatch` # Builtin-only since https://github.com/torvalds/linux/commit/f4b6bcc7002f0e3a3428bac33cf1945abff95450 @@ -276,6 +336,10 @@ let INFINIBAND = module; INFINIBAND_IPOIB = module; INFINIBAND_IPOIB_CM = yes; + + # Enable debugfs for wireless drivers + CFG80211_DEBUGFS = yes; + MAC80211_DEBUGFS = yes; } // optionalAttrs (stdenv.hostPlatform.system == "aarch64-linux") { # Not enabled by default, hides modules behind it NET_VENDOR_MEDIATEK = yes; @@ -288,8 +352,8 @@ let CFG80211_WEXT = option yes; # Without it, ipw2200 drivers don't build IPW2100_MONITOR = option yes; # support promiscuous mode IPW2200_MONITOR = option yes; # support promiscuous mode - HOSTAP_FIRMWARE = option yes; # Support downloading firmware images with Host AP driver - HOSTAP_FIRMWARE_NVRAM = option yes; + HOSTAP_FIRMWARE = whenOlder "6.8" (option yes); # Support downloading firmware images with Host AP driver + HOSTAP_FIRMWARE_NVRAM = whenOlder "6.8" (option yes); MAC80211_MESH = option yes; # Enable 802.11s (mesh networking) support ATH9K_PCI = option yes; # Detect Atheros AR9xxx cards on PCI(e) bus ATH9K_AHB = option yes; # Ditto, AHB bus 
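Review bot: `# Expose some debug info` above `NF_CONNTRACK_PROCFS = yes;` does not say what is exposed or to whom: it registers `/proc/net/nf_conntrack` and related stat files, which the kernel creates root-readable only (mode 0440, as far as I recall), and Kconfig marks the interface obsolete in favour of the conntrack(8) netlink tool. Suggest `# Expose the conntrack table as /proc/net/nf_conntrack (root-only; obsolete upstream, kept for tooling that still reads it)` so the exposure and its status are clear.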
@@ -345,8 +409,12 @@ let FONT_TER16x32 = whenAtLeast "5.0" yes; }; - video = { + video = let + whenHasDevicePrivate = mkIf (!stdenv.isx86_32 && versionAtLeast version "5.1"); + in { DRM_LEGACY = whenOlder "6.8" no; + DRM_SIMPLEDRM = yes; + NOUVEAU_LEGACY_CTX_SUPPORT = whenBetween "5.2" "6.3" no; # Allow specifying custom EDID on the kernel command line @@ -371,8 +439,25 @@ let DRM_AMD_DC_FP = whenAtLeast "6.4" yes; DRM_AMD_DC_HDCP = whenBetween "5.5" "6.4" yes; DRM_AMD_DC_SI = whenAtLeast "5.10" yes; + + # Enable AMD Audio Coprocessor support for HDMI outputs + DRM_AMD_ACP = yes; + + # Enable AMD secure display when available + DRM_AMD_SECURE_DISPLAY = whenAtLeast "5.13" yes; + # Enable new firmware (and by extension NVK) for compatible hardware on Nouveau DRM_NOUVEAU_GSP_DEFAULT = whenAtLeast "6.8" yes; + + # Enable Nouveau shared virtual memory (used by OpenCL) + DEVICE_PRIVATE = whenHasDevicePrivate yes; + DRM_NOUVEAU_SVM = whenHasDevicePrivate yes; + + # Enable HDMI-CEC receiver support + MEDIA_CEC_RC = whenAtLeast "5.10" yes; + + # Enable CEC over DisplayPort + DRM_DP_CEC = yes; } // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") { # Intel GVT-g graphics virtualization supports 64-bit only DRM_I915_GVT = yes; @@ -409,6 +494,7 @@ let SND_HDA_CODEC_CA0132_DSP = whenOlder "5.7" yes; # Enable DSP firmware loading on Creative Soundblaster Z/Zx/ZxR/Recon SND_OSSEMUL = yes; SND_USB_CAIAQ_INPUT = yes; + SND_USB_AUDIO_MIDI_V2 = whenAtLeast "6.5" yes; # Enable Sound Open Firmware support } // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux" && versionAtLeast version "5.5") { 
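Review bot: `whenHasDevicePrivate = mkIf (!stdenv.isx86_32 && versionAtLeast version "5.1")` uses `isx86_32` as a stand-in for "not 32-bit", but DEVICE_PRIVATE requires ZONE_DEVICE, which in practice only 64-bit architectures provide (via ARCH_HAS_PTE_DEVMAP), so armv7l would still be asked for an option it cannot have; the `@@ -136` hunk already uses `stdenv.is32bit`, so `mkIf (!stdenv.is32bit && versionAtLeast version "5.1")` is both more correct and consistent. The same proxy appears in the `@@ -791` hunk as `MEM_SOFT_DIRTY = mkIf (!stdenv.isx86_32) yes;`, where the real gate is HAVE_ARCH_SOFT_DIRTY, which I believe arm64 does not select; that one is safer as `option yes` or under an explicit x86_64 guard.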
@@ -445,14 +531,23 @@ let SND_SOC_SOF_TIGERLAKE_SUPPORT = whenOlder "5.12" yes; }; - usb-serial = { - USB_SERIAL_GENERIC = yes; # USB Generic Serial Driver - }; - usb = { + USB = yes; # compile USB core into kernel, so we can use USB_SERIAL_CONSOLE before modules + USB_EHCI_ROOT_HUB_TT = yes; # Root Hub Transaction Translators USB_EHCI_TT_NEWSCHED = yes; # Improved transaction translator scheduling USB_HIDDEV = yes; # USB Raw HID Devices (like monitor controls and Uninterruptable Power Supplies) + + # default to dual role mode + USB_DWC2_DUAL_ROLE = yes; + USB_DWC3_DUAL_ROLE = yes; + }; + + usb-serial = { + USB_SERIAL = yes; + USB_SERIAL_GENERIC = yes; # USB Generic Serial Driver + USB_SERIAL_CONSOLE = yes; # Allow using USB serial adapter as console + U_SERIAL_CONSOLE = whenAtLeast "5.10" yes; # Allow using USB gadget as console }; # Filesystem options - in particular, enable extended attributes and @@ -533,6 +628,7 @@ let SQUASHFS_FILE_DIRECT = yes; SQUASHFS_DECOMP_MULTI_PERCPU = whenOlder "6.2" yes; + SQUASHFS_CHOICE_DECOMP_BY_MOUNT = whenAtLeast "6.2" yes; SQUASHFS_XATTR = yes; SQUASHFS_ZLIB = yes; SQUASHFS_LZO = yes; @@ -598,6 +694,16 @@ let CRYPTO_DRBG_HASH = yes; CRYPTO_DRBG_CTR = yes; + # Enable KFENCE + # See: https://docs.kernel.org/dev-tools/kfence.html + KFENCE = whenAtLeast "5.12" yes; + + # Enable support for page poisoning. Still needs to be enabled on the command line to actually work. + PAGE_POISONING = yes; + + # Enable stack smashing protections in schedule() + # See: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v4.8&id=0d9e26329b0c9263d4d9e0422d80a0e73268c52f + SCHED_STACK_END_CHECK = yes; } // optionalAttrs stdenv.hostPlatform.isx86_64 { # Enable Intel SGX X86_SGX = whenAtLeast "5.11" yes; 
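Review bot: `USB_SERIAL_CONSOLE = yes;` and `U_SERIAL_CONSOLE = whenAtLeast "5.10" yes;` make a USB serial adapter or a gadget port usable as the kernel console, and `USB_DWC2_DUAL_ROLE`/`USB_DWC3_DUAL_ROLE` let those controllers act as a device; the comments should state that, as far as I can tell, neither console is active without an explicit `console=` parameter and (for the gadget) a configured serial function, otherwise a reader auditing attack surface on a board with a dual-role port will assume a console is exposed by default. E.g. `U_SERIAL_CONSOLE = whenAtLeast "5.10" yes; # Allow a USB gadget port as console (only with console=ttyGS0 and a configured serial gadget)`.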
@@ -614,6 +720,9 @@ let SEV_GUEST = whenAtLeast "5.19" module; # Shadow stacks X86_USER_SHADOW_STACK = whenAtLeast "6.6" yes; + + # Mitigate straight line speculation at the cost of some file size + SLS = whenAtLeast "5.17" yes; }; microcode = { @@ -791,6 +900,10 @@ let # Unconditionally enabled, because it is required for CRIU and # it provides the kcmp() system call that Mesa depends on. CHECKPOINT_RESTORE = yes; + + # Allows soft-dirty tracking on pages, used by CRIU. + # See https://docs.kernel.org/admin-guide/mm/soft-dirty.html + MEM_SOFT_DIRTY = mkIf (!stdenv.isx86_32) yes; }; misc = let @@ -805,6 +918,9 @@ let # enabled by default in x86_64 but not arm64, so we do that here HIDRAW = yes; + # Enable loading HID fixups as eBPF from userspace + HID_BPF = whenAtLeast "6.3" yes; + HID_ACRUX_FF = yes; DRAGONRISE_FF = yes; GREENASIA_FF = yes; @@ -832,7 +948,10 @@ let # Enable initrd support. BLK_DEV_INITRD = yes; - PM_TRACE_RTC = no; # Disable some expensive (?) features. + # Allows debugging systems that get stuck during suspend/resume + PM_TRACE = yes; + PM_TRACE_RTC = yes; + ACCESSIBILITY = yes; # Accessibility support AUXDISPLAY = yes; # Auxiliary Display support HIPPI = yes; @@ -857,6 +976,11 @@ let BLK_SED_OPAL = yes; + # Enable support for block layer inline encryption + BLK_INLINE_ENCRYPTION = whenAtLeast "5.8" yes; + # ...but fall back to CPU encryption if unavailable + BLK_INLINE_ENCRYPTION_FALLBACK = whenAtLeast "5.8" yes; + BSD_PROCESS_ACCT_V3 = yes; SERIAL_DEV_BUS = yes; # enables support for serial devices @@ -971,7 +1095,7 @@ let # Disable the firmware helper fallback, udev doesn't implement it any more FW_LOADER_USER_HELPER_FALLBACK = option no; - FW_LOADER_COMPRESS = option yes; + FW_LOADER_COMPRESS = whenAtLeast "5.3" yes; HOTPLUG_PCI_ACPI = yes; # PCI hotplug using ACPI HOTPLUG_PCI_PCIE = yes; # PCI-Expresscard hotplug support 
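Review bot: `SLS = whenAtLeast "5.17" yes;` depends on CC_HAS_SLS, i.e. on the compiler supporting `-mharden-sls`, so with a toolchain that lacks it the option is never offered and the unused-option check fails; `SLS = whenAtLeast "5.17" (option yes);` tolerates that while still enabling the mitigation wherever it can be built. The comment could also name the cost precisely: the mitigation inserts an INT3 after every RET and indirect jump, which is where the size increase comes from.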
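Review bot: `HID_BPF = whenAtLeast "6.3" yes;` depends on DYNAMIC_FTRACE_WITH_DIRECT_CALLS in addition to BPF_SYSCALL/BPF_JIT, and I believe arm64 only gained that in 6.4, so an aarch64 6.3 kernel would be asked for an option it cannot have; `whenAtLeast "6.3" (option yes)` avoids the unused-option failure. The comment `# Enable loading HID fixups as eBPF from userspace` would benefit from noting that attaching such programs is a privileged operation (CAP_BPF/CAP_SYS_ADMIN), so this adds no unprivileged surface.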
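Review bot: `PM_TRACE_RTC = yes;` replaces an explicit `no` and the old comment calling it expensive, but Kconfig's own help for this option warns that, once armed through `/sys/power/pm_trace`, it deliberately overwrites the real-time clock with a hash so the system clock is wrong after resume; the new comment should carry that caveat so nobody enables pm_trace on a production machine expecting a harmless trace. E.g. `# Debug systems that hang in suspend/resume; only armed via /sys/power/pm_trace, and then it clobbers the RTC time across resumes`.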
@@ -1018,6 +1142,13 @@ let # Set system time from RTC on startup and resume RTC_HCTOSYS = option yes; + + # Expose watchdog information in sysfs + WATCHDOG_SYSFS = yes; + + # Enable generic kernel watch queues + # See https://docs.kernel.org/core-api/watch_queue.html + WATCH_QUEUE = whenAtLeast "5.8" yes; } // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux" || stdenv.hostPlatform.system == "aarch64-linux") { # Enable CPU/memory hotplug support # Allows you to dynamically add & remove CPUs/memory to a VM client running NixOS without requiring a reboot @@ -1048,6 +1179,10 @@ let # https://github.com/torvalds/linux/blob/856deb866d16e29bd65952e0289066f6078af773/kernel/dma/contiguous.c#L35-L44 CMA_SIZE_MBYTES = freeform "32"; + # Add debug interfaces for CMA + CMA_DEBUGFS = yes; + CMA_SYSFS = yes; + # Many ARM SBCs hand off a pre-configured framebuffer. # This always can can be replaced by the actual native driver. # Keeping it a built-in ensures it will be used if possible. @@ -1093,6 +1228,24 @@ let } // optionalAttrs (versionAtLeast version "5.4" && stdenv.hostPlatform.system == "x86_64-linux") { CHROMEOS_LAPTOP = module; CHROMEOS_PSTORE = module; + } // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") { + # Enable x86 resource control + X86_CPU_RESCTRL = whenAtLeast "5.0" yes; + + # Enable TSX on CPUs where it's not vulnerable + X86_INTEL_TSX_MODE_AUTO = yes; + + # Enable AMD Wi-Fi RF band mitigations + # See https://cateee.net/lkddb/web-lkddb/AMD_WBRF.html + AMD_WBRF = whenAtLeast "6.8" yes; + + # Enable Intel Turbo Boost Max 3.0 + INTEL_TURBO_MAX_3 = yes; + }; + + accel = { + # Build DRM accelerator devices + DRM_ACCEL = whenAtLeast "6.2" yes; }; }; in
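Review bot: `X86_INTEL_TSX_MODE_AUTO = yes;` flips a Kconfig choice whose upstream default is X86_INTEL_TSX_MODE_OFF, so TSX is re-enabled on CPUs the kernel does not consider TAA-vulnerable; since TSX has been the vehicle for several side-channel issues, the comment should tell administrators that `tsx=off` on the command line still forces it off and that AUTO follows the upstream tsx_async_abort guidance. E.g. `# Leave TSX on only where the CPU is not TAA-vulnerable (upstream recommendation); override with tsx=off at boot`.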