1bfe0f3c08
Previously, when a kernel configuration option was defined multiple times (in different sections), only the first value was honored and all subsequent ones were silently ignored. Remove this footgun by throwing in this situation instead. In addition, fix all instances where an option was in fact defined multiple times. In two cases (`RCU_TORTURE_TEST` and `CRASH_DUMP`), the value was effectively the same both times. In the other two cases (`SCHEDSTATS` and `DRM_SIMPLEDRM`) the value was in fact different; the one that was actually applied was kept here to prevent a rebuild.
# WARNING/NOTE: whenever you want to add an option here you need to either
#  * mark it as an optional one with `option`,
#  * or make sure it works for all the versions in nixpkgs,
#  * or check for which kernel versions it will work (using kernel
#    changelog, google or whatever) and mark it with `whenOlder` or
#    `whenAtLeast`.
# Then do test your change by building all the kernels (or at least
# their configs) in Nixpkgs or else you will guarantee lots and lots
# of pain to users trying to switch to an older kernel because of some
# hardware problems with a new one.
|
||
|
||
# Configuration
|
||
{ lib, stdenv, version
|
||
|
||
, features ? {}
|
||
}:
|
||
|
||
with lib;
|
||
with lib.kernel;
|
||
with (lib.kernel.whenHelpers version);
|
||
|
||
let
|
||
|
||
|
||
# configuration items have to be part of a subattrs
|
||
# Collapse the per-section option sets in `nested` into one flat attribute set.
# An option name that shows up in more than one section aborts evaluation, so a
# second, conflicting definition can never be dropped silently.
flattenKConf = nested:
  let
    # option name -> list of every value given for it across all sections
    valuesByName = zipAttrs (attrValues nested);
    # exactly one definition is accepted; anything else is an error
    pickUnique = name: values:
      if length values != 1
      then throw "duplicate kernel configuration option: ${name}"
      else head values;
  in
    mapAttrs pickUnique valuesByName;
# Guard for options that are only set on the platforms this file treats as
# having an eBPF JIT: 32/64-bit ARM, x86_64, and 64-bit POWER and MIPS.
whenPlatformHasEBPFJit =
  let
    platform = stdenv.hostPlatform;
    is64bitPowerOrMips = platform.is64bit && (platform.isPower || platform.isMips);
  in
    mkIf (platform.isAarch32 || platform.isAarch64 || platform.isx86_64 || is64bitPowerOrMips);
options = {
# Debugging and diagnostics options.
# RCU_TORTURE_TEST, SCHEDSTATS and CRASH_DUMP must be defined in one section
# only: flattenKConf throws when an option name appears in more than one.
debug = {
  # Necessary for BTF.
  # Below 5.2 this follows features.debug; from 5.2 up to 5.18 it is always on.
  DEBUG_INFO = mkMerge [
    (whenOlder "5.2" (if (features.debug or false) then yes else no))
    (whenBetween "5.2" "5.18" yes)
  ];
  DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT = whenAtLeast "5.18" yes;
  # Reduced debug info conflicts with BTF and has been enabled in the
  # aarch64 defconfig since 5.13
  DEBUG_INFO_REDUCED = whenAtLeast "5.13" (option no);
  DEBUG_INFO_BTF = whenAtLeast "5.2" (option yes);
  # Allow loading modules with mismatched BTFs
  # FIXME: figure out how to actually make BTFs reproducible instead
  # See https://github.com/NixOS/nixpkgs/pull/181456 for details.
  # NOTE(review): this relaxes a consistency check between a module and the
  # running kernel; drop it once BTF output is reproducible.
  MODULE_ALLOW_BTF_MISMATCH = whenAtLeast "5.18" (option yes);
  # NOTE(review): this builds the BPF LSM; whether it is active at runtime
  # presumably still depends on the configured LSM list — confirm.
  BPF_LSM = whenAtLeast "5.7" (option yes);
  DEBUG_KERNEL = yes;
  DEBUG_DEVRES = no;
  DYNAMIC_DEBUG = yes;
  DEBUG_STACK_USAGE = no;
  RCU_TORTURE_TEST = no;
  SCHEDSTATS = no;
  DETECT_HUNG_TASK = yes;
  CRASH_DUMP = option no;
  # Easier debugging of NFS issues.
  SUNRPC_DEBUG = yes;
  # Provide access to tunables like sched_migration_cost_ns
  SCHED_DEBUG = yes;

  # Count IRQ and steal CPU time separately
  IRQ_TIME_ACCOUNTING = yes;
  PARAVIRT_TIME_ACCOUNTING = yes;

  # Enable CPU lockup detection
  LOCKUP_DETECTOR = yes;
  SOFTLOCKUP_DETECTOR = yes;
  HARDLOCKUP_DETECTOR = yes;

  # Enable streaming logs to a remote device over a network.
  # netconsole sends kernel messages as plain UDP, so whatever the kernel logs
  # is readable on the path to the receiver. It is built as a module here and
  # needs a target configured before it sends anything.
  NETCONSOLE = module;
  NETCONSOLE_DYNAMIC = yes;

  # Export known printks in debugfs
  PRINTK_INDEX = whenAtLeast "5.15" yes;
};
# Power management: cpufreq governors, ACPI tables, and (on x86 only) the
# Intel/AMD drivers merged in by the optionalAttrs block below.
power-management = {
  CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = yes;
  CPU_FREQ_GOV_SCHEDUTIL = yes;
  PM_ADVANCED_DEBUG = yes;
  PM_WAKELOCKS = yes;
  POWERCAP = yes;
  # ACPI Firmware Performance Data Table Support
  ACPI_FPDT = whenAtLeast "5.12" (option yes);
  # ACPI Heterogeneous Memory Attribute Table Support
  ACPI_HMAT = whenAtLeast "5.2" (option yes);
  # ACPI Platform Error Interface
  ACPI_APEI = (option yes);
  # APEI Generic Hardware Error Source
  ACPI_APEI_GHES = (option yes);

  # Enable lazy RCUs for power savings:
  # https://lore.kernel.org/rcu/20221019225138.GA2499943@paulmck-ThinkPad-P17-Gen-1/
  # RCU_LAZY depends on RCU_NOCB_CPU depends on NO_HZ_FULL
  # depends on HAVE_VIRT_CPU_ACCOUNTING_GEN depends on 64BIT,
  # so we can't force-enable this
  RCU_LAZY = whenAtLeast "6.2" (option yes);

  # Auto suspend Bluetooth devices at idle
  BT_HCIBTUSB_AUTOSUSPEND = yes;

  # Expose cpufreq stats in sysfs
  CPU_FREQ_STAT = yes;

  # Enable CPU energy model for scheduling
  ENERGY_MODEL = whenAtLeast "5.0" yes;

  # Enable thermal interface netlink API
  THERMAL_NETLINK = whenAtLeast "5.9" yes;

  # Prefer power-efficient workqueue implementation to per-CPU workqueues,
  # which is slightly slower, but improves battery life.
  # This is opt-in per workqueue, and can be disabled globally with a kernel command line option.
  WQ_POWER_EFFICIENT_DEFAULT = yes;

  # Default SATA link power management to "medium with device initiated PM"
  # for some extra power savings.
  SATA_MOBILE_LPM_POLICY = whenAtLeast "5.18" (freeform "3");
} // optionalAttrs (stdenv.hostPlatform.isx86) {
  INTEL_IDLE = yes;
  INTEL_RAPL = whenAtLeast "5.3" module;
  X86_INTEL_LPSS = yes;
  X86_INTEL_PSTATE = yes;
  X86_AMD_PSTATE = whenAtLeast "5.17" yes;
  # Intel DPTF (Dynamic Platform and Thermal Framework) Support
  ACPI_DPTF = whenAtLeast "5.10" yes;

  # Required to bring up some Bay Trail devices properly
  I2C = yes;
  I2C_DESIGNWARE_PLATFORM = yes;
  PMIC_OPREGION = whenAtLeast "5.10" yes;
  INTEL_SOC_PMIC = whenAtLeast "5.10" yes;
  BYTCRC_PMIC_OPREGION = whenAtLeast "5.10" yes;
  CHTCRC_PMIC_OPREGION = whenAtLeast "5.10" yes;
  XPOWER_PMIC_OPREGION = whenAtLeast "5.10" yes;
  BXT_WC_PMIC_OPREGION = whenAtLeast "5.10" yes;
  INTEL_SOC_PMIC_CHTWC = whenAtLeast "5.10" yes;
  CHT_WC_PMIC_OPREGION = whenAtLeast "5.10" yes;
  INTEL_SOC_PMIC_CHTDC_TI = whenAtLeast "5.10" yes;
  CHT_DC_TI_PMIC_OPREGION = whenAtLeast "5.10" yes;
  MFD_TPS68470 = whenBetween "5.10" "5.13" yes;
  TPS68470_PMIC_OPREGION = whenAtLeast "5.10" yes;

  # Enable Intel thermal hardware feedback
  INTEL_HFI_THERMAL = whenAtLeast "5.18" yes;
};
# Firmware loading for drivers whose firmware is shipped outside the kernel tree.
external-firmware = {
  # Support drivers that need external firmware.
  STANDALONE = no;
};
# Embed the build configuration in the kernel image and expose it at runtime.
# This lets audit tooling check which hardening options the running kernel was
# actually built with.
proc-config-gz = {
  # Make /proc/config.gz available
  IKCONFIG = yes;
  IKCONFIG_PROC = yes;
};
# Compiler optimisation choices.
optimization = {
  # Only set when building for i686-linux.
  X86_GENERIC = mkIf (stdenv.hostPlatform.system == "i686-linux") yes;
  # Optimize with -O2, not -Os
  CC_OPTIMIZE_FOR_SIZE = no;
};
# Memory management: DAMON monitoring, memory-failure handling, and high-memory
# support on 32-bit builds (second attribute set).
memory = {
  DAMON = whenAtLeast "5.15" yes;
  DAMON_VADDR = whenAtLeast "5.15" yes;
  DAMON_PADDR = whenAtLeast "5.16" yes;
  DAMON_SYSFS = whenAtLeast "5.18" yes;
  DAMON_DBGFS = whenAtLeast "5.15" yes;
  DAMON_RECLAIM = whenAtLeast "5.16" yes;
  DAMON_LRU_SORT = whenAtLeast "6.0" yes;
  # Support recovering from memory failures on systems with ECC and MCA recovery.
  MEMORY_FAILURE = yes;

  # Collect ECC errors and retire pages that fail too often
  RAS_CEC = yes;
} // optionalAttrs (stdenv.is32bit) {
  # Enable access to the full memory range (aka PAE) on 32-bit architectures
  # This check isn't super accurate but it's close enough
  HIGHMEM = option yes;
  BOUNCE = option yes;
};
# Build the boot-time memory tester into the kernel.
memtest = {
  MEMTEST = yes;
};
# Include the CFQ I/O scheduler in the kernel, rather than as a
# module, so that the initrd gets a good I/O scheduler.
# CFQ and the legacy deadline scheduler are only set for kernels older than
# 5.0; the multi-queue schedulers cover newer kernels.
scheduler = {
  IOSCHED_CFQ = whenOlder "5.0" yes; # Removed in 5.0-RC1
  BLK_CGROUP = yes; # required by CFQ
  BLK_CGROUP_IOLATENCY = yes;
  BLK_CGROUP_IOCOST = whenAtLeast "5.4" yes;
  IOSCHED_DEADLINE = whenOlder "5.0" yes; # Removed in 5.0-RC1
  MQ_IOSCHED_DEADLINE = yes;
  BFQ_GROUP_IOSCHED = yes;
  MQ_IOSCHED_KYBER = yes;
  IOSCHED_BFQ = module;
  # Enable CPU utilization clamping for RT tasks
  UCLAMP_TASK = whenAtLeast "5.3" yes;
  UCLAMP_TASK_GROUP = whenAtLeast "5.4" yes;
};
# Timer tick behaviour.
timer = {
  # Enable Full Dynticks System.
  # NO_HZ_FULL depends on HAVE_VIRT_CPU_ACCOUNTING_GEN depends on 64BIT,
  # hence the 64-bit guard.
  NO_HZ_FULL = mkIf stdenv.is64bit yes;
};
# Enable NUMA. Both entries are marked `option`, i.e. optional.
numa = {
  NUMA = option yes;
  NUMA_BALANCING = option yes;
};
# Core networking: routing, IPVS, BPF/XDP, netfilter/nftables, socket
# diagnostics, MPTCP, kTLS and InfiniBand. The second attribute set adds
# MediaTek options on aarch64-linux only.
networking = {
  NET = yes;
  IP_ADVANCED_ROUTER = yes;
  IP_PNP = no;
  IP_ROUTE_MULTIPATH = yes;
  IP_VS_PROTO_TCP = yes;
  IP_VS_PROTO_UDP = yes;
  IP_VS_PROTO_ESP = yes;
  IP_VS_PROTO_AH = yes;
  IP_VS_IPV6 = yes;
  IP_DCCP_CCID3 = no; # experimental
  CLS_U32_PERF = yes;
  CLS_U32_MARK = yes;
  BPF_JIT = whenPlatformHasEBPFJit yes;
  # With BPF_JIT_ALWAYS_ON off, the in-kernel BPF interpreter stays compiled in
  # next to the JIT. NOTE(review): kernel hardening guidance generally prefers
  # this option on; the linked issue records why it is off here — re-check
  # whether that reason still applies.
  BPF_JIT_ALWAYS_ON = whenPlatformHasEBPFJit no; # whenPlatformHasEBPFJit yes; # see https://github.com/NixOS/nixpkgs/issues/79304
  HAVE_EBPF_JIT = whenPlatformHasEBPFJit yes;
  BPF_STREAM_PARSER = yes;
  XDP_SOCKETS = yes;
  XDP_SOCKETS_DIAG = whenAtLeast "5.1" yes;
  WAN = yes;
  TCP_CONG_ADVANCED = yes;
  TCP_CONG_CUBIC = yes; # This is the default congestion control algorithm since 2.6.19
  # Required by systemd per-cgroup firewalling
  CGROUP_BPF = option yes;
  CGROUP_NET_PRIO = yes; # Required by systemd
  IP_ROUTE_VERBOSE = yes;
  IP_MROUTE_MULTIPLE_TABLES = yes;
  IP_MULTICAST = yes;
  IP_MULTIPLE_TABLES = yes;
  IPV6 = yes;
  IPV6_ROUTER_PREF = yes;
  IPV6_ROUTE_INFO = yes;
  IPV6_OPTIMISTIC_DAD = yes;
  IPV6_MULTIPLE_TABLES = yes;
  IPV6_SUBTREES = yes;
  IPV6_MROUTE = yes;
  IPV6_MROUTE_MULTIPLE_TABLES = yes;
  IPV6_PIMSM_V2 = yes;
  IPV6_FOU_TUNNEL = module;
  IPV6_SEG6_LWTUNNEL = yes;
  IPV6_SEG6_HMAC = yes;
  IPV6_SEG6_BPF = yes;
  NET_CLS_BPF = module;
  NET_ACT_BPF = module;
  NET_SCHED = yes;
  L2TP_V3 = yes;
  L2TP_IP = module;
  L2TP_ETH = module;
  BRIDGE_VLAN_FILTERING = yes;
  BONDING = module;
  NET_L3_MASTER_DEV = option yes;
  NET_FOU_IP_TUNNELS = option yes;
  IP_NF_TARGET_REDIRECT = module;

  PPP_MULTILINK = yes; # PPP multilink support
  PPP_FILTER = yes;

  # needed for iwd WPS support (wpa_supplicant replacement)
  KEY_DH_OPERATIONS = yes;

  # needed for nftables
  # Networking Options
  NETFILTER = yes;
  NETFILTER_ADVANCED = yes;
  # Core Netfilter Configuration
  NF_CONNTRACK_ZONES = yes;
  NF_CONNTRACK_EVENTS = yes;
  NF_CONNTRACK_TIMEOUT = yes;
  NF_CONNTRACK_TIMESTAMP = yes;
  NETFILTER_NETLINK_GLUE_CT = yes;
  NF_TABLES_INET = yes;
  NF_TABLES_NETDEV = yes;
  NFT_REJECT_NETDEV = whenAtLeast "5.11" module;

  # IP: Netfilter Configuration
  NF_TABLES_IPV4 = yes;
  NF_TABLES_ARP = yes;
  # IPv6: Netfilter Configuration
  NF_TABLES_IPV6 = yes;
  # Bridge Netfilter Configuration
  # Built in below 5.3, a module from 5.3 on.
  NF_TABLES_BRIDGE = mkMerge [ (whenOlder "5.3" yes)
                               (whenAtLeast "5.3" module) ];
  # Expose some debug info
  NF_CONNTRACK_PROCFS = yes;
  NF_FLOW_TABLE_PROCFS = whenAtLeast "6.0" yes;

  # needed for `dropwatch`
  # Builtin-only since https://github.com/torvalds/linux/commit/f4b6bcc7002f0e3a3428bac33cf1945abff95450
  NET_DROP_MONITOR = yes;

  # needed for ss
  # Use a lower priority to allow these options to be overridden in hardened/config.nix
  INET_DIAG = mkDefault module;
  INET_TCP_DIAG = mkDefault module;
  INET_UDP_DIAG = mkDefault module;
  INET_RAW_DIAG = mkDefault module;
  INET_DIAG_DESTROY = mkDefault yes;

  # enable multipath-tcp
  MPTCP = whenAtLeast "5.6" yes;
  MPTCP_IPV6 = whenAtLeast "5.6" yes;
  INET_MPTCP_DIAG = whenAtLeast "5.9" (mkDefault module);

  # Kernel TLS
  TLS = module;
  TLS_DEVICE = yes;

  # infiniband
  INFINIBAND = module;
  INFINIBAND_IPOIB = module;
  INFINIBAND_IPOIB_CM = yes;

  # Enable debugfs for wireless drivers
  CFG80211_DEBUGFS = yes;
  MAC80211_DEBUGFS = yes;
} // optionalAttrs (stdenv.hostPlatform.system == "aarch64-linux") {
  # Not enabled by default, hides modules behind it
  NET_VENDOR_MEDIATEK = yes;
  # Enable SoC interface for MT7915 module, required for MT798X.
  # The two names cover disjoint version ranges (5.18 up to 6.6, then 6.6 on).
  MT7986_WMAC = whenBetween "5.18" "6.6" yes;
  MT798X_WMAC = whenAtLeast "6.6" yes;
};
# Wireless drivers and cfg80211/mac80211 features. Most entries are marked
# `option`, i.e. optional.
wireless = {
  CFG80211_WEXT = option yes; # Without it, ipw2200 drivers don't build
  IPW2100_MONITOR = option yes; # support promiscuous mode
  IPW2200_MONITOR = option yes; # support promiscuous mode
  HOSTAP_FIRMWARE = whenOlder "6.8" (option yes); # Support downloading firmware images with Host AP driver
  HOSTAP_FIRMWARE_NVRAM = whenOlder "6.8" (option yes);
  MAC80211_MESH = option yes; # Enable 802.11s (mesh networking) support
  ATH9K_PCI = option yes; # Detect Atheros AR9xxx cards on PCI(e) bus
  ATH9K_AHB = option yes; # Ditto, AHB bus
  # The description of this option makes it sound dangerous or even illegal
  # But OpenWRT enables it by default: https://github.com/openwrt/openwrt/blob/master/package/kernel/mac80211/Makefile#L55
  # At the time of writing (25-06-2023): this is only used in a "correct" way by ath drivers for initiating DFS radiation
  # for "certified devices"
  # NOTE(review): EXPERT is set only so that the certification option can be
  # selected, and RFKILL_INPUT is pinned to undo one side effect of that.
  # EXPERT may change other defaults as well — worth re-checking the generated
  # configs when this block is touched.
  EXPERT = option yes; # this is needed for offering the certification option
  RFKILL_INPUT = option yes; # counteract an undesired effect of setting EXPERT
  CFG80211_CERTIFICATION_ONUS = option yes;
  # DFS: "Dynamic Frequency Selection" is a spectrum-sharing mechanism that allows
  # you to use certain interesting frequencies when your local regulatory domain mandates it.
  # ATH drivers hide the feature behind this option, and enabling it makes hostapd work with DFS frequencies.
  # OpenWRT enables it too: https://github.com/openwrt/openwrt/blob/master/package/kernel/mac80211/ath.mk#L42
  ATH9K_DFS_CERTIFIED = option yes;
  ATH10K_DFS_CERTIFIED = option yes;
  B43_PHY_HT = option yes;
  BCMA_HOST_PCI = option yes;
  RTW88 = whenAtLeast "5.2" module;
  # Built in from 5.2 up to 5.8, a module from 5.8 on.
  RTW88_8822BE = mkMerge [ (whenBetween "5.2" "5.8" yes) (whenAtLeast "5.8" module) ];
  RTW88_8822CE = mkMerge [ (whenBetween "5.2" "5.8" yes) (whenAtLeast "5.8" module) ];
};
# Framebuffer drivers and the framebuffer console.
fb = {
  FB = yes;
  FB_EFI = yes;
  FB_NVIDIA_I2C = yes; # Enable DDC Support
  FB_RIVA_I2C = yes;
  FB_ATY_CT = yes; # Mach64 CT/VT/GT/LT (incl. 3D RAGE) support
  FB_ATY_GX = yes; # Mach64 GX support
  FB_SAVAGE_I2C = yes;
  FB_SAVAGE_ACCEL = yes;
  FB_SIS_300 = yes;
  FB_SIS_315 = yes;
  FB_3DFX_ACCEL = yes;
  FB_VESA = yes;
  FRAMEBUFFER_CONSOLE = yes;
  FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = yes;
  FRAMEBUFFER_CONSOLE_ROTATION = yes;
  FRAMEBUFFER_CONSOLE_DETECT_PRIMARY = yes;
  # Only set when building for i686-linux.
  FB_GEODE = mkIf (stdenv.hostPlatform.system == "i686-linux") yes;
  # On 5.14 this conflicts with FB_SIMPLE.
  # Must be defined in this section only: flattenKConf throws when an option
  # name appears in more than one section.
  DRM_SIMPLEDRM = whenAtLeast "5.14" no;
  DRM_FBDEV_EMULATION = yes;
};
# Console fonts built into the kernel.
fonts = {
  FONTS = yes;
  # Default fonts enabled if FONTS is not set
  FONT_8x8 = yes;
  FONT_8x16 = yes;
  # High DPI font
  FONT_TER16x32 = whenAtLeast "5.0" yes;
};
# DRM/GPU drivers. Platform-specific sets for x86_64-linux and aarch64-linux
# are merged in at the end.
video = let
  # Guard for the two device-private-memory options below: skipped on 32-bit
  # x86 and on kernels older than 5.1.
  whenHasDevicePrivate = mkIf (!stdenv.isx86_32 && versionAtLeast version "5.1");
in {
  DRM_LEGACY = whenOlder "6.8" no;

  NOUVEAU_LEGACY_CTX_SUPPORT = whenBetween "5.2" "6.3" no;

  # Allow specifying custom EDID on the kernel command line
  DRM_LOAD_EDID_FIRMWARE = yes;
  VGA_SWITCHEROO = yes; # Hybrid graphics support
  DRM_GMA500 = whenAtLeast "5.12" module;
  DRM_GMA600 = whenOlder "5.13" yes;
  DRM_GMA3600 = whenOlder "5.12" yes;
  DRM_VMWGFX_FBCON = whenOlder "6.2" yes;
  # (experimental) amdgpu support for verde and newer chipsets
  DRM_AMDGPU_SI = yes;
  # (stable) amdgpu support for bonaire and newer chipsets
  DRM_AMDGPU_CIK = yes;
  # Allow device firmware updates
  DRM_DP_AUX_CHARDEV = yes;
  # amdgpu display core (DC) support
  DRM_AMD_DC_DCN1_0 = whenOlder "5.6" yes;
  DRM_AMD_DC_DCN2_0 = whenBetween "5.3" "5.6" yes;
  DRM_AMD_DC_DCN2_1 = whenBetween "5.4" "5.6" yes;
  DRM_AMD_DC_DCN3_0 = whenBetween "5.9" "5.11" yes;
  DRM_AMD_DC_DCN = whenBetween "5.11" "6.4" yes;
  DRM_AMD_DC_FP = whenAtLeast "6.4" yes;
  DRM_AMD_DC_HDCP = whenBetween "5.5" "6.4" yes;
  DRM_AMD_DC_SI = whenAtLeast "5.10" yes;

  # Enable AMD Audio Coprocessor support for HDMI outputs
  DRM_AMD_ACP = yes;

  # Enable AMD secure display when available
  DRM_AMD_SECURE_DISPLAY = whenAtLeast "5.13" yes;

  # Enable new firmware (and by extension NVK) for compatible hardware on Nouveau
  DRM_NOUVEAU_GSP_DEFAULT = whenAtLeast "6.8" yes;

  # Enable Nouveau shared virtual memory (used by OpenCL)
  DEVICE_PRIVATE = whenHasDevicePrivate yes;
  DRM_NOUVEAU_SVM = whenHasDevicePrivate yes;

  # Enable HDMI-CEC receiver support
  MEDIA_CEC_RC = whenAtLeast "5.10" yes;

  # Enable CEC over DisplayPort
  DRM_DP_CEC = yes;
} // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") {
  # Intel GVT-g graphics virtualization supports 64-bit only
  DRM_I915_GVT = yes;
  DRM_I915_GVT_KVMGT = module;
  # Enable Hyper-V Synthetic DRM Driver
  DRM_HYPERV = whenAtLeast "5.14" module;
} // optionalAttrs (stdenv.hostPlatform.system == "aarch64-linux") {
  # enable HDMI-CEC on RPi boards
  DRM_VC4_HDMI_CEC = yes;
};
# Enables Rust support in the Linux kernel. This is currently not enabled by default, because it occasionally requires
# patching the Linux kernel for the specific Rust toolchain in nixpkgs. These patches usually take a bit
# of time to appear and this would hold up Linux kernel and Rust toolchain updates.
#
# Once Rust in the kernel has more users, we can reconsider enabling it by default.
#
# The set is empty unless features.rust is true and the kernel is at least 6.7.
rust = optionalAttrs ((features.rust or false) && versionAtLeast version "6.7") {
  RUST = yes;
  # NOTE(review): presumably off because RUST cannot be selected together with
  # GCC plugins. This also switches off any GCC-plugin-based hardening in a
  # Rust-enabled build — confirm against hardened/config.nix.
  GCC_PLUGINS = no;
};
# ALSA options. The second attribute set (x86_64-linux, kernel >= 5.5) holds
# the Sound Open Firmware (SOF) options.
sound = {
  SND_DYNAMIC_MINORS = yes;
  SND_AC97_POWER_SAVE = yes; # AC97 Power-Saving Mode
  # 10s for the idle timeout, Fedora does 1, Arch does 10.
  # The kernel says we should do 10.
  # Read: https://docs.kernel.org/sound/designs/powersave.html
  SND_AC97_POWER_SAVE_DEFAULT = freeform "10";
  SND_HDA_POWER_SAVE_DEFAULT = freeform "10";
  SND_HDA_INPUT_BEEP = yes; # Support digital beep via input layer
  SND_HDA_RECONFIG = yes; # Support reconfiguration of jack functions
  # Support configuring jack functions via fw mechanism at boot
  SND_HDA_PATCH_LOADER = yes;
  SND_HDA_CODEC_CA0132_DSP = whenOlder "5.7" yes; # Enable DSP firmware loading on Creative Soundblaster Z/Zx/ZxR/Recon
  SND_OSSEMUL = yes;
  SND_USB_CAIAQ_INPUT = yes;
  SND_USB_AUDIO_MIDI_V2 = whenAtLeast "6.5" yes;
  # Enable Sound Open Firmware support (the options in the set below)
} // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux" &&
                    versionAtLeast version "5.5") {
  SND_SOC_INTEL_SOUNDWIRE_SOF_MACH = whenAtLeast "5.10" module;
  SND_SOC_INTEL_USER_FRIENDLY_LONG_NAMES = whenAtLeast "5.10" yes; # dep of SOF_MACH
  SND_SOC_SOF_INTEL_SOUNDWIRE_LINK = whenBetween "5.10" "5.11" yes; # dep of SOF_MACH
  SND_SOC_SOF_TOPLEVEL = yes;
  SND_SOC_SOF_ACPI = module;
  SND_SOC_SOF_PCI = module;
  # From here on each platform has two names: `<PLATFORM>` (module) from 5.12
  # on and `<PLATFORM>_SUPPORT` (yes) on older kernels.
  SND_SOC_SOF_APOLLOLAKE = whenAtLeast "5.12" module;
  SND_SOC_SOF_APOLLOLAKE_SUPPORT = whenOlder "5.12" yes;
  SND_SOC_SOF_CANNONLAKE = whenAtLeast "5.12" module;
  SND_SOC_SOF_CANNONLAKE_SUPPORT = whenOlder "5.12" yes;
  SND_SOC_SOF_COFFEELAKE = whenAtLeast "5.12" module;
  SND_SOC_SOF_COFFEELAKE_SUPPORT = whenOlder "5.12" yes;
  SND_SOC_SOF_COMETLAKE = whenAtLeast "5.12" module;
  SND_SOC_SOF_COMETLAKE_H_SUPPORT = whenOlder "5.8" yes;
  SND_SOC_SOF_COMETLAKE_LP_SUPPORT = whenOlder "5.12" yes;
  SND_SOC_SOF_ELKHARTLAKE = whenAtLeast "5.12" module;
  SND_SOC_SOF_ELKHARTLAKE_SUPPORT = whenOlder "5.12" yes;
  SND_SOC_SOF_GEMINILAKE = whenAtLeast "5.12" module;
  SND_SOC_SOF_GEMINILAKE_SUPPORT = whenOlder "5.12" yes;
  SND_SOC_SOF_HDA_AUDIO_CODEC = yes;
  SND_SOC_SOF_HDA_COMMON_HDMI_CODEC = whenOlder "5.7" yes;
  SND_SOC_SOF_HDA_LINK = yes;
  SND_SOC_SOF_ICELAKE = whenAtLeast "5.12" module;
  SND_SOC_SOF_ICELAKE_SUPPORT = whenOlder "5.12" yes;
  SND_SOC_SOF_INTEL_TOPLEVEL = yes;
  SND_SOC_SOF_JASPERLAKE = whenAtLeast "5.12" module;
  SND_SOC_SOF_JASPERLAKE_SUPPORT = whenOlder "5.12" yes;
  SND_SOC_SOF_MERRIFIELD = whenAtLeast "5.12" module;
  SND_SOC_SOF_MERRIFIELD_SUPPORT = whenOlder "5.12" yes;
  SND_SOC_SOF_TIGERLAKE = whenAtLeast "5.12" module;
  SND_SOC_SOF_TIGERLAKE_SUPPORT = whenOlder "5.12" yes;
};
# USB core and host-controller options.
usb = {
  USB = yes; # compile USB core into kernel, so we can use USB_SERIAL_CONSOLE before modules

  USB_EHCI_ROOT_HUB_TT = yes; # Root Hub Transaction Translators
  USB_EHCI_TT_NEWSCHED = yes; # Improved transaction translator scheduling
  USB_HIDDEV = yes; # USB Raw HID Devices (like monitor controls and Uninterruptible Power Supplies)

  # default to dual role mode
  USB_DWC2_DUAL_ROLE = yes;
  USB_DWC3_DUAL_ROLE = yes;
};
# USB serial support, built in so that a USB serial adapter or USB gadget can
# act as the system console.
# NOTE(review): a console reachable over USB is a physical-access interface;
# it presumably still has to be selected on the kernel command line — confirm.
usb-serial = {
  USB_SERIAL = yes;
  USB_SERIAL_GENERIC = yes; # USB Generic Serial Driver
  USB_SERIAL_CONSOLE = yes; # Allow using USB serial adapter as console
  U_SERIAL_CONSOLE = whenAtLeast "5.10" yes; # Allow using USB gadget as console
};
# Filesystem options - in particular, enable extended attributes and
# ACLs for all filesystems that support them.
# The *_SECURITY / *_SECURITY_LABEL entries add security-label support per
# filesystem, which label-based LSMs rely on.
filesystem = {
  FANOTIFY = yes;
  FANOTIFY_ACCESS_PERMISSIONS = yes;

  TMPFS = yes;
  TMPFS_POSIX_ACL = yes;
  # Built in from 5.1 on; on older kernels an optional module.
  FS_ENCRYPTION = if (versionAtLeast version "5.1") then yes else option module;

  EXT2_FS_XATTR = yes;
  EXT2_FS_POSIX_ACL = yes;
  EXT2_FS_SECURITY = yes;

  EXT3_FS_POSIX_ACL = yes;
  EXT3_FS_SECURITY = yes;

  EXT4_FS_POSIX_ACL = yes;
  EXT4_FS_SECURITY = yes;
  EXT4_ENCRYPTION = whenOlder "5.1" yes;

  # From 5.15 on, NTFS_FS is turned off and the NTFS3 options are set.
  NTFS_FS = whenAtLeast "5.15" no;
  NTFS3_LZX_XPRESS = whenAtLeast "5.15" yes;
  NTFS3_FS_POSIX_ACL = whenAtLeast "5.15" yes;

  REISERFS_FS_XATTR = option yes;
  REISERFS_FS_POSIX_ACL = option yes;
  REISERFS_FS_SECURITY = option yes;

  JFS_POSIX_ACL = option yes;
  JFS_SECURITY = option yes;

  XFS_QUOTA = option yes;
  XFS_POSIX_ACL = option yes;
  XFS_RT = option yes; # XFS Realtime subvolume support
  XFS_ONLINE_SCRUB = option yes;

  OCFS2_DEBUG_MASKLOG = option no;

  BTRFS_FS_POSIX_ACL = yes;

  BCACHEFS_QUOTA = whenAtLeast "6.7" (option yes);
  BCACHEFS_POSIX_ACL = whenAtLeast "6.7" (option yes);

  UBIFS_FS_ADVANCED_COMPR = option yes;

  F2FS_FS = module;
  F2FS_FS_SECURITY = option yes;
  F2FS_FS_ENCRYPTION = whenOlder "5.1" yes;
  F2FS_FS_COMPRESSION = whenAtLeast "5.6" yes;
  UDF_FS = module;

  NFSD_V2_ACL = whenOlder "6.1" yes;
  NFSD_V3 = whenOlder "5.18" yes;
  NFSD_V3_ACL = yes;
  NFSD_V4 = yes;
  NFSD_V4_SECURITY_LABEL = yes;

  NFS_FSCACHE = yes;
  NFS_SWAP = yes;
  NFS_V3_ACL = yes;
  NFS_V4_1 = yes; # NFSv4.1 client support
  NFS_V4_2 = yes;
  NFS_V4_SECURITY_LABEL = yes;

  CIFS_XATTR = yes;
  CIFS_POSIX = option yes;
  CIFS_FSCACHE = yes;
  # Only set on kernels older than 5.15. It builds CIFS support for weak
  # legacy password hashes (LANMAN-era servers).
  # NOTE(review): consider whether those older kernels still need it.
  CIFS_WEAK_PW_HASH = whenOlder "5.15" yes;
  CIFS_UPCALL = yes;
  CIFS_ACL = whenOlder "5.3" yes;
  CIFS_DFS_UPCALL = yes;

  CEPH_FSCACHE = yes;
  CEPH_FS_POSIX_ACL = yes;

  SQUASHFS_FILE_DIRECT = yes;
  SQUASHFS_DECOMP_MULTI_PERCPU = whenOlder "6.2" yes;
  SQUASHFS_CHOICE_DECOMP_BY_MOUNT = whenAtLeast "6.2" yes;
  SQUASHFS_XATTR = yes;
  SQUASHFS_ZLIB = yes;
  SQUASHFS_LZO = yes;
  SQUASHFS_XZ = yes;
  SQUASHFS_LZ4 = yes;
  SQUASHFS_ZSTD = yes;

  # Native Language Support modules, needed by some filesystems
  NLS = yes;
  NLS_DEFAULT = freeform "utf8";
  NLS_UTF8 = module;
  NLS_CODEPAGE_437 = module; # VFAT default for the codepage= mount option
  NLS_ISO8859_1 = module; # VFAT default for the iocharset= mount option

  # Needed to use the installation iso image. Not included in all defconfigs (e.g. arm64)
  ISO9660_FS = module;

  DEVTMPFS = yes;

  UNICODE = whenAtLeast "5.2" yes; # Casefolding support for filesystems
};
# Security-related defaults of the generic kernel. Entries wrapped in
# `mkDefault` are set at a lower priority so another configuration (such as a
# hardened profile) can override them. The second attribute set applies to
# x86_64 only.
security = {
  # Bounds checking for common string/memory functions.
  FORTIFY_SOURCE = option yes;

  # Linked-list integrity checks; see
  # https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html
  DEBUG_LIST = yes;
  # Bounds checks on copies between kernel and user space.
  HARDENED_USERCOPY = yes;
  # Kernel address space layout randomization.
  RANDOMIZE_BASE = option yes;
  STRICT_DEVMEM = mkDefault yes; # Filter access to /dev/mem
  IO_STRICT_DEVMEM = mkDefault yes;
  SECURITY_SELINUX_BOOTPARAM_VALUE = whenOlder "5.1" (freeform "0"); # Disable SELinux by default
  # Prevent processes from ptracing non-children processes
  SECURITY_YAMA = option yes;
  # The goal of Landlock is to enable restricting ambient rights (e.g. global filesystem access) for a set of processes.
  # This does not have any effect if a program does not support it
  SECURITY_LANDLOCK = whenAtLeast "5.13" yes;
  DEVKMEM = whenOlder "5.13" no; # Disable /dev/kmem

  # NOTE(review): this only builds user-namespace support. Namespaces expose
  # additional kernel interfaces to the processes inside them, so whether
  # unprivileged users may create them is a runtime policy decision to review
  # separately.
  USER_NS = yes; # Support for user namespaces

  SECURITY_APPARMOR = yes;
  DEFAULT_SECURITY_APPARMOR = yes;

  # Both options are only set on kernels older than 6.2, and the second one
  # additionally only from 5.4 on. They let CPU- or bootloader-provided
  # randomness be credited when seeding the kernel RNG, which places trust in
  # those sources.
  RANDOM_TRUST_CPU = whenOlder "6.2" yes; # allow RDRAND to seed the RNG
  RANDOM_TRUST_BOOTLOADER = whenOlder "6.2" (whenAtLeast "5.4" yes); # allow the bootloader to seed the RNG

  # Module signing is off for reproducibility ("r13y"). Consequence: this
  # kernel does not verify module signatures, so it cannot reject unsigned or
  # modified modules at load time.
  MODULE_SIG = no; # r13y, generates a random key during build and bakes it in
  # Depends on MODULE_SIG and only really helps when you sign your modules
  # and enforce signatures which we don't do by default.
  SECURITY_LOCKDOWN_LSM = whenAtLeast "5.4" no;

  # provides a register of persistent per-UID keyrings, useful for encrypting storage pools in stratis
  PERSISTENT_KEYRINGS = yes;
  # enable temporary caching of the last request_key() result
  KEYS_REQUEST_CACHE = whenAtLeast "5.3" yes;
  # randomized slab caches
  RANDOM_KMALLOC_CACHES = whenAtLeast "6.6" yes;

  # NIST SP800-90A DRBG modes - enabled by most distributions
  # and required by some out-of-tree modules (ShuffleCake)
  # This does not include the NSA-backdoored Dual-EC mode from the same NIST publication.
  CRYPTO_DRBG_HASH = yes;
  CRYPTO_DRBG_CTR = yes;

  # Enable KFENCE
  # See: https://docs.kernel.org/dev-tools/kfence.html
  KFENCE = whenAtLeast "5.12" yes;

  # Enable support for page poisoning. Still needs to be enabled on the command line to actually work.
  PAGE_POISONING = yes;

  # Enable stack smashing protections in schedule()
  # See: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v4.8&id=0d9e26329b0c9263d4d9e0422d80a0e73268c52f
  SCHED_STACK_END_CHECK = yes;
} // optionalAttrs stdenv.hostPlatform.isx86_64 {
  # Enable Intel SGX
  X86_SGX = whenAtLeast "5.11" yes;
  # Allow KVM guests to load SGX enclaves
  X86_SGX_KVM = whenAtLeast "5.13" yes;

  # AMD Cryptographic Coprocessor (CCP)
  CRYPTO_DEV_CCP = yes;
  # AMD SME
  AMD_MEM_ENCRYPT = yes;
  # AMD SEV and AMD SEV-ES
  KVM_AMD_SEV = yes;
  # AMD SEV-SNP
  SEV_GUEST = whenAtLeast "5.19" module;
  # Shadow stacks
  X86_USER_SHADOW_STACK = whenAtLeast "6.6" yes;

  # Mitigate straight line speculation at the cost of some file size
  SLS = whenAtLeast "5.17" yes;
};
# CPU microcode loading, which is how vendor microcode updates get applied
# at boot. The vendor-specific options are only set on kernels older than 6.6.
# The BLK_WBT entries below are not microcode-related; they live in this
# section, and each option name may appear in only one section (flattenKConf
# throws on duplicates).
microcode = {
  MICROCODE = yes;
  MICROCODE_INTEL = whenOlder "6.6" yes;
  MICROCODE_AMD = whenOlder "6.6" yes;
  # Write Back Throttling
  # https://lwn.net/Articles/682582/
  # https://bugzilla.kernel.org/show_bug.cgi?id=12309#c655
  BLK_WBT = yes;
  BLK_WBT_SQ = whenOlder "5.0" yes; # Removed in 5.0-RC1
  BLK_WBT_MQ = yes;
};
# Namespaces and cgroup controllers used for containers and resource limits.
container = {
  NAMESPACES = yes; # Required by 'unshare' used by 'nixos-install'
  RT_GROUP_SCHED = no;
  CGROUP_DEVICE = yes;
  CGROUP_HUGETLB = yes;
  CGROUP_PERF = yes;
  CGROUP_RDMA = yes;

  MEMCG = yes;
  MEMCG_SWAP = whenOlder "6.1" yes;

  BLK_DEV_THROTTLING = yes;
  CFQ_GROUP_IOSCHED = whenOlder "5.0" yes; # Removed in 5.0-RC1
  CGROUP_PIDS = yes;
};
# Staging drivers.
staging = {
  # Enable staging drivers. These are somewhat experimental, but
  # they generally don't hurt.
  # NOTE(review): staging code has not yet met the quality bar of the main
  # tree, so enabling it adds less-reviewed driver code to the build. This
  # line only opens the menu; which staging drivers actually get built is
  # decided elsewhere.
  STAGING = yes;
};
# Process event notifications over the netlink connector.
proc-events = {
  # PROC_EVENTS requires that the netlink connector is not built
  # as a module. This is required by libcgroup's cgrulesengd.
  CONNECTOR = yes;
  PROC_EVENTS = yes;
};
# Tracing and BPF infrastructure (ftrace, kprobes/uprobes, the bpf() syscall).
tracing = {
  FTRACE = yes;
  KPROBES = yes;
  FUNCTION_TRACER = yes;
  FTRACE_SYSCALLS = yes;
  SCHED_TRACER = yes;
  STACK_TRACER = yes;
  UPROBE_EVENTS = option yes;
  BPF_SYSCALL = yes;
  # Makes unprivileged use of bpf() start out disabled.
  # NOTE(review): this is only set for kernels from 5.10 up to 5.16. Presumably
  # newer kernels already default to it and older ones lack the option —
  # confirm by checking the generated config of each supported kernel, since a
  # kernel outside the range gets whatever its own default is.
  BPF_UNPRIV_DEFAULT_OFF = whenBetween "5.10" "5.16" yes;
  BPF_EVENTS = yes;
  FUNCTION_PROFILER = yes;
  RING_BUFFER_BENCHMARK = no;
};
# Performance-monitoring extras.
perf = {
  # enable AMD Zen branch sampling if available
  PERF_EVENTS_AMD_BRS = whenAtLeast "5.19" (option yes);
};
# Guest and host virtualisation support: paravirt, KVM, VFIO, Xen, virtio.
virtualisation = {
  PARAVIRT = option yes;

  HYPERVISOR_GUEST = yes;
  PARAVIRT_SPINLOCKS = option yes;

  KVM_ASYNC_PF = yes;
  KVM_GENERIC_DIRTYLOG_READ_PROTECT = yes;
  KVM_GUEST = yes;
  KVM_MMIO = yes;
  KVM_VFIO = yes;
  # Kernel same-page merging.
  # NOTE(review): page deduplication is a known source of cross-process and
  # cross-VM timing side channels; this only builds the feature, whether it
  # runs is a runtime setting.
  KSM = yes;
  VIRT_DRIVERS = yes;
  # We need 64 GB (PAE) support for Xen guest support
  # Written out as a raw option record: optional, and only "y" on non-64-bit
  # platforms.
  HIGHMEM64G = { optional = true; tristate = mkIf (!stdenv.is64bit) "y";};

  VFIO_PCI_VGA = mkIf stdenv.is64bit yes;

  UDMABUF = whenAtLeast "4.20" yes;

  # VirtualBox guest drivers in the kernel conflict with the ones in the
  # official additions package and prevent the vboxsf module from loading,
  # so disable them for now.
  VBOXGUEST = option no;
  DRM_VBOXVIDEO = option no;

  XEN = option yes;
  XEN_DOM0 = option yes;
  PCI_XEN = option yes;
  HVC_XEN = option yes;
  HVC_XEN_FRONTEND = option yes;
  XEN_SYS_HYPERVISOR = option yes;
  SWIOTLB_XEN = option yes;
  XEN_BACKEND = option yes;
  XEN_BALLOON = option yes;
  XEN_BALLOON_MEMORY_HOTPLUG = option yes;
  XEN_EFI = option yes;
  XEN_HAVE_PVMMU = option yes;
  XEN_MCE_LOG = option yes;
  XEN_PVH = option yes;
  XEN_PVHVM = option yes;
  XEN_SAVE_RESTORE = option yes;
  XEN_SELFBALLOONING = whenOlder "5.3" yes;

  # Enable device detection on virtio-mmio hypervisors
  VIRTIO_MMIO_CMDLINE_DEVICES = yes;
};
# Media subsystem: which classes of capture/TV hardware are supported.
media = {
  MEDIA_DIGITAL_TV_SUPPORT = yes;
  MEDIA_CAMERA_SUPPORT = yes;
  MEDIA_CONTROLLER = yes;
  MEDIA_PCI_SUPPORT = yes;
  MEDIA_USB_SUPPORT = yes;
  MEDIA_ANALOG_TV_SUPPORT = yes;
  VIDEO_STK1160_COMMON = whenOlder "6.5" module;
};
# 9P filesystem extras. The names are quoted because a Nix identifier cannot
# start with a digit.
"9p" = {
  # Enable the 9P cache to speed up NixOS VM tests.
  "9P_FSCACHE" = option yes;
  "9P_FS_POSIX_ACL" = option yes;
};
# Transparent huge pages: built in, with "madvise" rather than "always"
# selected as the mode.
huge-page = {
  TRANSPARENT_HUGEPAGE = option yes;
  TRANSPARENT_HUGEPAGE_ALWAYS = option no;
  TRANSPARENT_HUGEPAGE_MADVISE = option yes;
};
# Compressed memory: the zram block device and zswap.
zram = {
  ZRAM = module;
  ZRAM_WRITEBACK = option yes;
  ZSWAP = option yes;
  ZPOOL = yes;
  ZBUD = option yes;
};
# Bus support for the Broadcom brcmfmac Wi-Fi driver. Both entries are
# optional.
brcmfmac = {
  # Enable PCIe and USB for the brcmfmac driver
  BRCMFMAC_USB = option yes;
  BRCMFMAC_PCIE = option yes;
};
|
||
|
||
# Support x2APIC (which requires IRQ remapping).
# Only applied when the host system is x86_64-linux; on every other system
# optionalAttrs contributes an empty set.
x2apic = optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") {
  X86_X2APIC = yes;
  IRQ_REMAP = yes;
};
|
||
|
||
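# Disable various self-test modules that have no use in a production system.
#
# All entries live in ONE attribute set literal. The previous form merged two
# unconditional literals with `//`, where an option repeated on both sides
# would have been resolved silently in favour of the right-hand side. The
# duplicate check in flattenKConf only sees the merged result of a section,
# so it could not catch that. With a single literal, a repeated name is
# rejected by Nix itself. The resulting option set is unchanged.
tests = {
  # This menu disables all/most of them on >= 4.16
  RUNTIME_TESTING_MENU = option no;

  # Individual self-tests, still listed one by one.
  CRC32_SELFTEST = option no;
  CRYPTO_TEST = option no;
  EFI_TEST = option no;
  GLOB_SELFTEST = option no;
  LOCK_TORTURE_TEST = option no;
  MTD_TESTS = option no;
  NOTIFIER_ERROR_INJECTION = option no;
  # The RCU test is keyed under a different name depending on the kernel
  # version: RCU_PERF_TEST below 5.9, RCU_SCALE_TEST from 5.10 on.
  RCU_PERF_TEST = whenOlder "5.9" no;
  RCU_SCALE_TEST = whenAtLeast "5.10" no;
  TEST_ASYNC_DRIVER_PROBE = option no;
  WW_MUTEX_SELFTEST = option no;
  XZ_DEC_TEST = option no;
};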
|
||
|
||
# Checkpoint/restore support, as used by CRIU.
criu = {
  # Unconditionally enabled, because it is required for CRIU and
  # it provides the kcmp() system call that Mesa depends on.
  CHECKPOINT_RESTORE = yes;

  # Allows soft-dirty tracking on pages, used by CRIU.
  # See https://docs.kernel.org/admin-guide/mm/soft-dirty.html
  # Not set on 32-bit x86.
  MEM_SOFT_DIRTY = mkIf (!stdenv.isx86_32) yes;
};
|
||
|
||
# Miscellaneous options. The first attribute set applies to every platform;
# the `// optionalAttrs …` sets after it are merged in only for the named
# host systems and kernel versions.
# NOTE(review): `//` lets the right-hand set win without an error, and
# flattenKConf only sees the merged result of this section, so an option
# repeated across these sets would not trip its duplicate check. No such
# repeat is present below; keep it that way when adding options.
misc = let
  # Use zstd for kernel compression if 64-bit and newer than 5.9, otherwise xz.
  # i686 issues: https://github.com/NixOS/nixpkgs/pull/117961#issuecomment-812106375
  # NOTE(review): this is keyed on the *build* platform, not the host
  # platform; presumably deliberate given the linked issue, but confirm.
  useZstd = stdenv.buildPlatform.is64bit && versionAtLeast version "5.9";
in {
  # Exactly one of the two compression options is set, depending on useZstd.
  KERNEL_XZ = mkIf (!useZstd) yes;
  KERNEL_ZSTD = mkIf useZstd yes;

  HID_BATTERY_STRENGTH = yes;
  # enabled by default in x86_64 but not arm64, so we do that here
  HIDRAW = yes;

  # Enable loading HID fixups as eBPF from userspace
  HID_BPF = whenAtLeast "6.3" yes;

  # Force-feedback (rumble) support for various HID controllers.
  HID_ACRUX_FF = yes;
  DRAGONRISE_FF = yes;
  GREENASIA_FF = yes;
  HOLTEK_FF = yes;
  JOYSTICK_PSXPAD_SPI_FF = yes;
  LOGIG940_FF = yes;
  NINTENDO_FF = whenAtLeast "5.16" yes;
  PLAYSTATION_FF = whenAtLeast "5.12" yes;
  SONY_FF = yes;
  SMARTJOYPLUS_FF = yes;
  THRUSTMASTER_FF = yes;
  ZEROPLUS_FF = yes;

  # Compress kernel modules with xz. MODULE_COMPRESS itself is only set on
  # kernels older than 5.13.
  MODULE_COMPRESS = whenOlder "5.13" yes;
  MODULE_COMPRESS_XZ = yes;

  SYSVIPC = yes; # System-V IPC

  AIO = yes; # POSIX asynchronous I/O

  UNIX = yes; # Unix domain sockets.

  MD = yes; # Device mapper (RAID, LVM, etc.)

  # Enable initrd support.
  BLK_DEV_INITRD = yes;

  # Allows debugging systems that get stuck during suspend/resume
  PM_TRACE = yes;
  PM_TRACE_RTC = yes;

  ACCESSIBILITY = yes; # Accessibility support
  AUXDISPLAY = yes; # Auxiliary Display support
  HIPPI = yes;
  MTD_COMPLEX_MAPPINGS = yes; # needed for many devices

  SCSI_LOWLEVEL = yes; # enable lots of SCSI devices
  SCSI_LOWLEVEL_PCMCIA = yes;
  SCSI_SAS_ATA = yes; # added to enable detection of hard drive

  SPI = yes; # needed for many devices
  SPI_MASTER = yes;

  "8139TOO_8129" = yes;
  "8139TOO_PIO" = no; # PIO is slower

  # Driver debug code stays out of the build.
  AIC79XX_DEBUG_ENABLE = no;
  AIC7XXX_DEBUG_ENABLE = no;
  AIC94XX_DEBUG = no;

  BLK_DEV_INTEGRITY = yes;
  BLK_DEV_ZONED = yes;

  # TCG Opal self-encrypting drive support
  BLK_SED_OPAL = yes;

  # Enable support for block layer inline encryption
  BLK_INLINE_ENCRYPTION = whenAtLeast "5.8" yes;
  # ...but fall back to CPU encryption if unavailable
  BLK_INLINE_ENCRYPTION_FALLBACK = whenAtLeast "5.8" yes;

  BSD_PROCESS_ACCT_V3 = yes;

  SERIAL_DEV_BUS = yes; # enables support for serial devices
  SERIAL_DEV_CTRL_TTYPORT = yes; # enables support for TTY serial devices

  BT_HCIBTUSB_MTK = whenAtLeast "5.3" yes; # MediaTek protocol support
  BT_HCIUART_QCA = yes; # Qualcomm Atheros protocol support
  BT_HCIUART_SERDEV = yes; # required by BT_HCIUART_QCA
  BT_HCIUART = module; # required for BT devices with serial port interface (QCA6390)
  BT_HCIUART_BCSP = option yes;
  BT_HCIUART_H4 = option yes; # UART (H4) protocol support
  BT_HCIUART_LL = option yes;
  BT_RFCOMM_TTY = option yes; # RFCOMM TTY support
  BT_QCA = module; # enables QCA6390 bluetooth

  # Removed on 5.17 as it was unused
  # upstream: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0a4ee518185e902758191d968600399f3bc2be31
  CLEANCACHE = whenOlder "5.17" (option yes);

  FSCACHE_STATS = yes;

  DVB_DYNAMIC_MINORS = option yes; # we use udev

  EFI_STUB = yes; # EFI bootloader in the bzImage itself
  # Only set on kernels from 5.8 up to, but not including, 6.2.
  EFI_GENERIC_STUB_INITRD_CMDLINE_LOADER =
    whenOlder "6.2" (whenAtLeast "5.8" yes); # initrd kernel parameter for EFI
  CGROUPS = yes; # used by systemd
  FHANDLE = yes; # used by systemd
  SECCOMP = yes; # used by systemd >= 231
  SECCOMP_FILTER = yes; # ditto
  POSIX_MQUEUE = yes;
  FRONTSWAP = whenOlder "6.6" yes;
  FUSION = yes; # Fusion MPT device support
  IDE = whenOlder "5.14" no; # deprecated IDE support, removed in 5.14
  IDLE_PAGE_TRACKING = yes;

  JOYSTICK_IFORCE_232 = { optional = true; tristate = whenOlder "5.3" "y"; }; # I-Force Serial joysticks and wheels
  JOYSTICK_IFORCE_USB = { optional = true; tristate = whenOlder "5.3" "y"; }; # I-Force USB joysticks and wheels
  JOYSTICK_XPAD_FF = option yes; # X-Box gamepad rumble support
  JOYSTICK_XPAD_LEDS = option yes; # LED Support for Xbox360 controller 'BigX' LED

  KEYBOARD_APPLESPI = whenAtLeast "5.3" module;

  # kexec_file_load() system call and kexec jump; both optional.
  KEXEC_FILE = option yes;
  KEXEC_JUMP = option yes;

  PARTITION_ADVANCED = yes; # Needed for LDM_PARTITION
  # Windows Logical Disk Manager (Dynamic Disk) support
  LDM_PARTITION = yes;
  LOGIRUMBLEPAD2_FF = yes; # Logitech Rumblepad 2 force feedback
  LOGO = no; # not needed
  MEDIA_ATTACH = yes;
  MEGARAID_NEWGEN = yes;

  MLX5_CORE_EN = option yes;

  NVME_MULTIPATH = yes;

  PSI = whenAtLeast "4.20" yes;

  MOUSE_ELAN_I2C_SMBUS = yes;
  MOUSE_PS2_ELANTECH = yes; # Elantech PS/2 protocol extension
  MOUSE_PS2_VMMOUSE = yes;
  MTRR_SANITIZER = yes;
  NET_FC = yes; # Fibre Channel driver support
  # Needed for touchpads to work on some AMD laptops
  PINCTRL_AMD = whenAtLeast "5.19" yes;
  # GPIO on Intel Bay Trail, for some Chromebook internal eMMC disks
  PINCTRL_BAYTRAIL = yes;
  # GPIO for Braswell and Cherryview devices
  # Needs to be built-in for integrated keyboards to function properly
  PINCTRL_CHERRYVIEW = yes;
  # 8 is default. Modern gpt tables on eMMC may go far beyond 8.
  MMC_BLOCK_MINORS = freeform "32";

  REGULATOR = yes; # Voltage and Current Regulator Support
  RC_DEVICES = option yes; # Enable IR devices
  RC_DECODERS = option yes; # Required for IR devices to work

  RT2800USB_RT53XX = yes;
  RT2800USB_RT55XX = yes;

  SCHED_AUTOGROUP = yes;
  CFS_BANDWIDTH = yes;

  SCSI_LOGGING = yes; # SCSI logging facility
  SERIAL_8250 = yes; # 8250/16550 and compatible serial support

  # Slab allocator hardening: freelist metadata hardening and randomized
  # freelist order.
  SLAB_FREELIST_HARDENED = yes;
  SLAB_FREELIST_RANDOM = yes;

  SLIP_COMPRESSED = yes; # CSLIP compressed headers
  SLIP_SMART = yes;

  HWMON = yes;
  THERMAL_HWMON = yes; # Hardware monitoring support
  NVME_HWMON = whenAtLeast "5.5" yes; # NVMe drives temperature reporting
  # Do not build the legacy uevent helper (a program the kernel forks for
  # every uevent).
  UEVENT_HELPER = no;

  # userfaultfd() system call. Where the kernel provides the
  # vm.unprivileged_userfaultfd sysctl, that setting governs unprivileged
  # use at runtime.
  USERFAULTFD = yes;
  X86_CHECK_BIOS_CORRUPTION = yes;
  X86_MCE = yes;

  RAS = yes; # Needed for EDAC support

  # Our initrd init uses shebang scripts, so can't be modular.
  BINFMT_SCRIPT = yes;
  # For systemd-binfmt
  BINFMT_MISC = option yes;

  # Disable the firmware helper fallback, udev doesn't implement it any more
  FW_LOADER_USER_HELPER_FALLBACK = option no;

  # Allow loading compressed firmware files (5.3 and newer).
  FW_LOADER_COMPRESS = whenAtLeast "5.3" yes;

  HOTPLUG_PCI_ACPI = yes; # PCI hotplug using ACPI
  HOTPLUG_PCI_PCIE = yes; # PCI-Expresscard hotplug support

  # Enable AMD's ROCm GPU compute stack
  # HSA_AMD and ZONE_DEVICE are additionally restricted to 64-bit hosts;
  # the two options after them are gated on the kernel version only.
  HSA_AMD = mkIf stdenv.hostPlatform.is64bit (whenAtLeast "4.20" yes);
  ZONE_DEVICE = mkIf stdenv.hostPlatform.is64bit (whenAtLeast "5.3" yes);
  HMM_MIRROR = whenAtLeast "5.3" yes;
  DRM_AMDGPU_USERPTR = whenAtLeast "5.3" yes;

  # Voluntary preemption rather than full preemption.
  PREEMPT = no;
  PREEMPT_VOLUNTARY = yes;

  X86_AMD_PLATFORM_DEVICE = yes;
  X86_PLATFORM_DRIVERS_DELL = whenAtLeast "5.12" yes;
  X86_PLATFORM_DRIVERS_HP = whenAtLeast "6.1" yes;

  LIRC = yes;

  SCHED_CORE = whenAtLeast "5.14" yes;

  LRU_GEN = whenAtLeast "6.1" yes;
  LRU_GEN_ENABLED = whenAtLeast "6.1" yes;

  FSL_MC_UAPI_SUPPORT = mkIf (stdenv.hostPlatform.system == "aarch64-linux") (whenAtLeast "5.12" yes);

  # Android ashmem/binder support. Every entry is optional and gated on the
  # kernel version.
  ASHMEM = { optional = true; tristate = whenBetween "5.0" "5.18" "y";};
  ANDROID = { optional = true; tristate = whenBetween "5.0" "5.19" "y";};
  ANDROID_BINDER_IPC = { optional = true; tristate = whenAtLeast "5.0" "y";};
  ANDROID_BINDERFS = { optional = true; tristate = whenAtLeast "5.0" "y";};
  ANDROID_BINDER_DEVICES = { optional = true; freeform = whenAtLeast "5.0" "binder,hwbinder,vndbinder";};

  # Per-task statistics and accounting.
  TASKSTATS = yes;
  TASK_DELAY_ACCT = yes;
  TASK_XACCT = yes;
  TASK_IO_ACCOUNTING = yes;

  # Fresh toolchains frequently break -Werror build for minor issues.
  WERROR = whenAtLeast "5.15" no;

  # > CONFIG_KUNIT should not be enabled in a production environment. Enabling KUnit disables Kernel Address-Space Layout Randomization (KASLR), and tests may affect the state of the kernel in ways not suitable for production.
  # https://www.kernel.org/doc/html/latest/dev-tools/kunit/start.html
  KUNIT = whenAtLeast "5.5" no;

  # Set system time from RTC on startup and resume
  RTC_HCTOSYS = option yes;

  # Expose watchdog information in sysfs
  WATCHDOG_SYSFS = yes;

  # Enable generic kernel watch queues
  # See https://docs.kernel.org/core-api/watch_queue.html
  WATCH_QUEUE = whenAtLeast "5.8" yes;
} // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux" || stdenv.hostPlatform.system == "aarch64-linux") {
  # Enable CPU/memory hotplug support
  # Allows you to dynamically add & remove CPUs/memory to a VM client running NixOS without requiring a reboot
  ACPI_HOTPLUG_CPU = yes;
  ACPI_HOTPLUG_MEMORY = yes;
  MEMORY_HOTPLUG = yes;
  MEMORY_HOTREMOVE = yes;
  HOTPLUG_CPU = yes;
  MIGRATION = yes;
  SPARSEMEM = yes;

  # Bump the maximum number of CPUs to support systems like EC2 x1.*
  # instances and Xeon Phi.
  NR_CPUS = freeform "384";

  # Enable LEDS to display link-state status of PHY devices (i.e. eth lan/wan interfaces)
  LED_TRIGGER_PHY = whenAtLeast "4.10" yes;
} // optionalAttrs (stdenv.hostPlatform.system == "armv7l-linux" || stdenv.hostPlatform.system == "aarch64-linux") {
  # Enables support for the Allwinner Display Engine 2.0
  SUN8I_DE2_CCU = yes;

  # See comments on https://github.com/NixOS/nixpkgs/commit/9b67ea9106102d882f53d62890468071900b9647
  CRYPTO_AEGIS128_SIMD = whenAtLeast "5.4" no;

  # Distros should configure the default as a kernel option.
  # We previously defined it on the kernel command line as cma=
  # The kernel command line will override a platform-specific configuration from its device tree.
  # https://github.com/torvalds/linux/blob/856deb866d16e29bd65952e0289066f6078af773/kernel/dma/contiguous.c#L35-L44
  CMA_SIZE_MBYTES = freeform "32";

  # Add debug interfaces for CMA
  CMA_DEBUGFS = yes;
  CMA_SYSFS = yes;

  # Many ARM SBCs hand off a pre-configured framebuffer.
  # This can always be replaced by the actual native driver.
  # Keeping it a built-in ensures it will be used if possible.
  FB_SIMPLE = yes;

  # https://docs.kernel.org/arch/arm/mem_alignment.html
  # tldr:
  # when buggy userspace code emits illegal misaligned LDM, STM,
  # LDRD and STRDs, the instructions trap, are caught, and then
  # are emulated by the kernel.
  #
  # This is the default on armv7l, anyway, but it is explicitly
  # enabled here for the sake of providing context for the
  # aarch64 compat option which follows.
  ALIGNMENT_TRAP = mkIf (stdenv.hostPlatform.system == "armv7l-linux") yes;

  # https://patchwork.kernel.org/project/linux-arm-kernel/patch/20220701135322.3025321-1-ardb@kernel.org/
  # tldr:
  # when encountering alignment faults under aarch64, this option
  # makes the kernel attempt to handle the fault by doing the
  # same style of misaligned emulation that is performed under
  # armv7l (see above option).
  #
  # This minimizes the potential for aarch32 userspace to behave
  # differently when run under aarch64 kernels compared to when
  # it is run under an aarch32 kernel.
  COMPAT_ALIGNMENT_FIXUPS = mkIf (stdenv.hostPlatform.system == "aarch64-linux") (whenAtLeast "6.1" yes);
} // optionalAttrs (versionAtLeast version "5.4" && (stdenv.hostPlatform.system == "x86_64-linux" || stdenv.hostPlatform.system == "aarch64-linux")) {
  # Required for various hardware features on Chrome OS devices
  CHROME_PLATFORMS = yes;
  CHROMEOS_TBMC = module;

  CROS_EC = module;

  CROS_EC_I2C = module;
  CROS_EC_SPI = module;
  CROS_EC_LPC = module;
  CROS_EC_ISHTP = module;

  CROS_KBD_LED_BACKLIGHT = module;

  # TPM (Cr50) attached over SPI
  TCG_TIS_SPI_CR50 = whenAtLeast "5.5" yes;
} // optionalAttrs (versionAtLeast version "5.4" && stdenv.hostPlatform.system == "x86_64-linux") {
  # Chrome OS options that are only applied on x86_64-linux.
  CHROMEOS_LAPTOP = module;
  CHROMEOS_PSTORE = module;
} // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") {
  # Enable x86 resource control
  X86_CPU_RESCTRL = whenAtLeast "5.0" yes;

  # Enable TSX on CPUs where it's not vulnerable
  X86_INTEL_TSX_MODE_AUTO = yes;

  # Enable AMD Wi-Fi RF band mitigations
  # See https://cateee.net/lkddb/web-lkddb/AMD_WBRF.html
  AMD_WBRF = whenAtLeast "6.8" yes;

  # Enable Intel Turbo Boost Max 3.0
  INTEL_TURBO_MAX_3 = yes;
};
|
||
|
||
# Compute accelerator (accel) devices.
accel = {
  # Build DRM accelerator devices
  # Only set on kernels 6.2 and newer.
  DRM_ACCEL = whenAtLeast "6.2" yes;
};
|
||
};
|
||
in
|
||
flattenKConf options
|