From 9ce46e61eb67e9f30e6f1035cfee382f3a13c33f Mon Sep 17 00:00:00 2001
From: Sergei Trofimovich
Date: Fri, 9 Feb 2024 23:26:29 +0000
Subject: [PATCH] nixos/hardened: fix lower bounds of hardened options
Without the change build of `linux-config-4.19.306` fails as https://cache.nixos.org/log/994zy6g5fsb4p6c8jdwham8sp0mqh1w4-linux-config-4.19.306.drv: error: unused option: INIT_ON_ALLOC_DEFAULT_ON error: unused option: INIT_ON_FREE_DEFAULT_ON error: unused option: UBSAN_TRAP error: unused option: ZERO_CALL_USED_REGS
---
 pkgs/os-specific/linux/kernel/hardened/config.nix | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix
index ea49966f46dd..dec6a757c529 100644
--- a/pkgs/os-specific/linux/kernel/hardened/config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened/config.nix
@@ -60,11 +60,11 @@ assert (versionAtLeast version "4.9");
 PAGE_POISONING_ZERO = whenOlder "5.11" yes;
 # Enable init_on_alloc and init_on_free by default
- INIT_ON_ALLOC_DEFAULT_ON = yes;
- INIT_ON_FREE_DEFAULT_ON = yes;
+ INIT_ON_ALLOC_DEFAULT_ON = whenAtLeast "5.3" yes;
+ INIT_ON_FREE_DEFAULT_ON = whenAtLeast "5.3" yes;
 # Wipe all caller-used registers on exit from a function
- ZERO_CALL_USED_REGS = yes;
+ ZERO_CALL_USED_REGS = whenAtLeast "5.15" yes;
 # Enable the SafeSetId LSM
 SECURITY_SAFESETID = whenAtLeast "5.1" yes;
@@ -86,8 +86,8 @@ assert (versionAtLeast version "4.9");
 # https://www.kernel.org/doc/html/latest/dev-tools/ubsan.html
 # https://developers.redhat.com/blog/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan
 UBSAN = yes;
- UBSAN_TRAP = yes;
- UBSAN_BOUNDS = yes;
+ UBSAN_TRAP = whenAtLeast "5.7" yes;
+ UBSAN_BOUNDS = whenAtLeast "5.7" yes;
 UBSAN_SANITIZE_ALL = yes;
 UBSAN_LOCAL_BOUNDS = option yes; # clang only
 CFI_CLANG = option yes; # clang only Control Flow Integrity since 6.1
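Review bot: The comment above the `INIT_ON_*` lines still reads as if heap zeroing is always on, but with the `whenAtLeast "5.3"` and `whenAtLeast "5.15"` guards a hardened kernel below those versions is now built without init_on_alloc/init_on_free and without register wiping, and nothing in the file records that gap. I would state the bound and the fallback next to each option, for example `# init_on_alloc/init_on_free exist since 5.3; older kernels only get page poisoning (see PAGE_POISONING_ZERO above)` and `# ZERO_CALL_USED_REGS exists since 5.15; no equivalent on older kernels`. Whether page poisoning itself is enabled for those kernels is decided outside this hunk, so the first comment should be checked against the lines above it. The attribute set starts and ends outside the hunk.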
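Review bot: `UBSAN = yes;` and `UBSAN_SANITIZE_ALL = yes;` stay unconditional around the two gated lines, so a kernel older than 5.7 is now built with the sanitizer enabled but without `UBSAN_TRAP`; presumably it then only reports undefined behaviour and keeps running, which is a diagnostic rather than a hardening measure. If that is intended, say so in a comment such as `# UBSAN_TRAP/UBSAN_BOUNDS exist since 5.7; older kernels run UBSAN in report-only mode`; otherwise gate the whole UBSAN group with the same `whenAtLeast "5.7"`. The error list in the commit message does not mention `UBSAN_BOUNDS`, so the description should say why that option is gated as well. The attribute set continues outside the hunk.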