Add hardened hypervisor option for lenovo X1 carbon
Set linux kernel version to 6.1.55 + apply pkvm intel X86 patch

Signed-off-by: Kalle Marjamaki <[email protected]>
Kalle Marjamaki authored and mikatammi committed Dec 4, 2023
1 parent 378b6f6 commit 6bc8288
Showing 3 changed files with 21,606 additions and 5 deletions.
45 changes: 40 additions & 5 deletions modules/host/kernel.nix
Expand Up @@ -6,10 +6,22 @@
pkgs,
...
}: let
baseKernel = pkgs.linux_latest;

baseKernel =
if hyp_cfg.enable
then
pkgs.linux_6_1.override {
argsOverride = rec {
src = pkgs.fetchurl {
url = "mirror://kernel/linux/kernel/v6.x/linux-${version}.tar.xz";
hash = "sha256-qH4kHsFdU0UsTv4hlxOjdp2IzENrW5jPbvsmLEr/FcA=";
};
version = "6.1.55";
modDirVersion = "6.1.55";
};
}
else pkgs.linux_latest;
hardened_kernel = pkgs.linuxManualConfig rec {
inherit (baseKernel) src modDirVersion;
inherit (baseKernel) src modDirVersion kernelPatches;
version = "${baseKernel.version}-ghaf-hardened";
/*
baseline "make tinyconfig"
Expand Down Expand Up @@ -55,19 +67,42 @@
- also see https://github.com/NixOS/nixpkgs/issues/109280
for the context >
*/

configfile = ./ghaf_host_hardened_baseline;
allowImportFromDerivation = true;
};

cfg = config.ghaf.host.kernel_hardening;
pkvm_patch = lib.mkIf config.ghaf.hardware.x86_64.common.enable [
{
name = "pkvm-patch";
patch = ../virtualization/pkvm/0001-pkvm-enable-pkvm-on-intel-x86-6.1-lts.patch;
structuredExtraConfig = with lib.kernel; {
KVM_INTEL = yes;
KSM = no;
PKVM_INTEL = yes;
PKVM_INTEL_DEBUG = yes;
PKVM_GUEST = yes;
EARLY_PRINTK_USB_XDBC = yes;
RETPOLINE = yes;
};
}
];

kern_cfg = config.ghaf.host.kernel_hardening;
hyp_cfg = config.ghaf.host.hypervisor_hardening;
in
with lib; {
options.ghaf.host.kernel_hardening = {
enable = mkEnableOption "Host kernel hardening";
};

config = mkIf cfg.enable {
options.ghaf.host.hypervisor_hardening = {
enable = mkEnableOption "Hypervisor hardening";
};

config = mkIf kern_cfg.enable {
boot.kernelPackages = pkgs.linuxPackagesFor hardened_kernel;
boot.kernelPatches = mkIf (hyp_cfg.enable && "${baseKernel.version}" == "6.1.55") pkvm_patch;
# https://github.com/NixOS/nixpkgs/issues/109280#issuecomment-973636212
nixpkgs.overlays = [
(_final: prev: {
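Review bot: The guard on line 86, `mkIf (hyp_cfg.enable && "${baseKernel.version}" == "6.1.55") pkvm_patch`, turns a version mismatch into a silent no-op: if the pin at `version = "6.1.55"` is later bumped without the patch being reworked, `hypervisor_hardening` still evaluates as enabled but the pKVM patch is quietly dropped, which is the wrong failure mode for a hardening feature (and, because the whole `config` block is gated on `kern_cfg.enable`, enabling `hypervisor_hardening` alone does nothing either). Make the mismatch loud instead, e.g. `assertions = [ { assertion = hyp_cfg.enable -> baseKernel.version == "6.1.55"; message = "ghaf.host.hypervisor_hardening requires the 6.1.55 base kernel the pKVM patch targets"; } ];` together with `boot.kernelPatches = mkIf hyp_cfg.enable pkvm_patch;` (the string interpolation around `baseKernel.version` is also redundant). Separately, the `structuredExtraConfig` on the patch entry may not take effect at all, since `hardened_kernel` is built with `linuxManualConfig` from the fixed `./ghaf_host_hardened_baseline` config file rather than a generated config; worth confirming that the produced `.config` really has `PKVM_INTEL` set, otherwise the option yields a kernel without pKVM. Within that list, `PKVM_INTEL_DEBUG = yes` and `EARLY_PRINTK_USB_XDBC = yes` are debug facilities that enlarge what the host exposes and sit oddly in a profile named hardening; if they are deliberate, a comment on those two lines stating why would help the next reader. The `config = mkIf kern_cfg.enable { … }` block continues past the end of the hunk.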