diff --git a/pkgs/os-specific/linux/kernel/hardened/patches.json b/pkgs/os-specific/linux/kernel/hardened/patches.json
index 62f1fcdda20c6..c159ead188fc4 100644
--- a/pkgs/os-specific/linux/kernel/hardened/patches.json
+++ b/pkgs/os-specific/linux/kernel/hardened/patches.json
@@ -12,71 +12,61 @@ "5.10": { "patch": { "extra": "-hardened1", - "name": "linux-hardened-5.10.218-hardened1.patch", - "sha256": "1ah4pznha17ngg3w7l0j74h4910gjv8qj503adrap7plvapf82m4", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.218-hardened1/linux-hardened-5.10.218-hardened1.patch" + "name": "linux-hardened-v5.10.226-hardened1.patch", + "sha256": "1vxcr0f3ikkg10wcvq76djxzmhlc6h5fv34xf8vm48wfi7ryajbk", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/v5.10.226-hardened1/linux-hardened-v5.10.226-hardened1.patch" }, - "sha256": "1mmj5hwm5i16gc1y4nzr1cs882vi6vrihrincdcivv63x11v4dlw", - "version": "5.10.218" + "sha256": "19hwwl5sbya65mch7fwmji2cli9b8796zjqbmkybjrarg1j9m8gn", + "version": "5.10.226" }, "5.15": { "patch": { "extra": "-hardened1", - "name": "linux-hardened-5.15.160-hardened1.patch", - "sha256": "1r10ylx886rslsmrixlijjm4crhwzkl3wj6kpyn2344qik1gxpqr", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.160-hardened1/linux-hardened-5.15.160-hardened1.patch" + "name": "linux-hardened-v5.15.167-hardened1.patch", + "sha256": "1mwww490bf5i1njzyprnamfn8n471r94klgn7wghwi2f5vsn6j9g", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/v5.15.167-hardened1/linux-hardened-v5.15.167-hardened1.patch" }, - "sha256": "018v19a7rhzc4szybzzn86jlnk42x7jm6xkadfd2d3xq6f7727pl", - "version": "5.15.160" + "sha256": "0c6s6l5sz9ibws7bymb393ww0z9i3amsk1yx0bahipz3xhc1yxdi", + "version": "5.15.167" }, "5.4": { "patch": { "extra": "-hardened1", - "name": "linux-hardened-5.4.277-hardened1.patch", - "sha256": "1zjw5wl8lj69j402qm8dg3m4dxgq3ppx2jyz8jks976vyhh8fsg4", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.277-hardened1/linux-hardened-5.4.277-hardened1.patch" + "name": "linux-hardened-v5.4.284-hardened1.patch", + "sha256": "1skqaq90bigrxg0w075nssqbdq868ii62r8asx0m6wcvd5cl50af", + "url": 
"https://github.com/anthraxx/linux-hardened/releases/download/v5.4.284-hardened1/linux-hardened-v5.4.284-hardened1.patch" }, - "sha256": "0l8zq3k07hdprfpvw69ykkf2pdg8wiv28xz733yxsjcfb0l5n7vy", - "version": "5.4.277" + "sha256": "0axkwfhvq3w2072xjqww476qa3rjglxyqmf72mlp9b5ymswil8kp", + "version": "5.4.284" }, "6.1": { "patch": { "extra": "-hardened1", - "name": "linux-hardened-6.1.92-hardened1.patch", - "sha256": "0cw87ygmisi823y3f7xrck12b6zh3mq1qmb7lcmr3hg6w3xskmn3", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.1.92-hardened1/linux-hardened-6.1.92-hardened1.patch" + "name": "linux-hardened-v6.1.112-hardened1.patch", + "sha256": "1kna12dhs1csg2cd9ixm261pgnc44v7q67njd0z1mnjrk9q1y7n6", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.1.112-hardened1/linux-hardened-v6.1.112-hardened1.patch" }, - "sha256": "1j9n8gk76nn4gw42iba5zgghr360gb9n1mslr5dyv76wpwkz86ch", - "version": "6.1.92" + "sha256": "094z3wfcxqx2rbi072i5frshpy6rdvk39aahwm9nc07vc8sxxn4b", + "version": "6.1.112" }, - "6.6": { - "patch": { - "extra": "-hardened1", - "name": "linux-hardened-6.6.32-hardened1.patch", - "sha256": "19362a6lxs3cnaw19jvda7n791y95lfgn9ki4wmaxnw2qbpi0bgg", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.6.32-hardened1/linux-hardened-6.6.32-hardened1.patch" - }, - "sha256": "1qbc8dqmk2xs1cz968rysw5xvhq3lj8g0pxp48fr2qbzy3m29a5a", - "version": "6.6.32" - }, - "6.8": { + "6.10": { "patch": { "extra": "-hardened1", - "name": "linux-hardened-6.8.11-hardened1.patch", - "sha256": "08i03dmri9h6jxcjd9g6s7pv0spqi3f4fgch1ars68cgngikvbpq", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.8.11-hardened1/linux-hardened-6.8.11-hardened1.patch" + "name": "linux-hardened-v6.10.12-hardened1.patch", + "sha256": "07z35f4nqj9vgj2ynq7spgckb770a0w0906m7l28i1x0kch2kr3j", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.10.12-hardened1/linux-hardened-v6.10.12-hardened1.patch" }, - 
"sha256": "1di8kr596sf68sm61kp5rz6bn3sb0q5ag1qc5hm8f9dpyq4wv3dp", - "version": "6.8.11" + "sha256": "1kvkwgnq5gsdqarrdg32qjrbq1dggxp1x2yy2zpsjsaq5y2mhj2j", + "version": "6.10.12" }, - "6.9": { + "6.6": { "patch": { "extra": "-hardened1", - "name": "linux-hardened-6.9.2-hardened1.patch", - "sha256": "0ph1m0pnlqrhvddz2mjgcwvs0ddcpzigz8kgi9zi063qinlfbm3q", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.9.2-hardened1/linux-hardened-6.9.2-hardened1.patch" + "name": "linux-hardened-v6.6.53-hardened1.patch", + "sha256": "09i25qrn18psyrzr8srav4zcbyqmn2z8ycfk9fix2pdfxsaxl8h9", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.6.53-hardened1/linux-hardened-v6.6.53-hardened1.patch" }, - "sha256": "1yg5j284y1gz7zwxjz2abvlnas259m1y1vzd9lmcqqar5kgmnv6l", - "version": "6.9.2" + "sha256": "0yfpyiz57wz9rkwif6n3k2n87waw46ad0h7h0pwhnar53cfihp98", + "version": "6.6.53" } } diff --git a/pkgs/os-specific/linux/kernel/hardened/update.py b/pkgs/os-specific/linux/kernel/hardened/update.py index 8b46137afb37b..0603812124bea 100755 --- a/pkgs/os-specific/linux/kernel/hardened/update.py +++ b/pkgs/os-specific/linux/kernel/hardened/update.py @@ -145,7 +145,7 @@ def find_asset(filename: str) -> str: if not sig_ok: return None - kernel_ver = re.sub(r"(.*)(-hardened[\d]+)$", r'\1', release_info.release.tag_name) + kernel_ver = re.sub(r"v?(.*)(-hardened[\d]+)$", r'\1', release_info.release.tag_name) major = kernel_ver.split('.')[0] sha256_kernel, _ = nix_prefetch_url(f"mirror://kernel/linux/kernel/v{major}.x/linux-{kernel_ver}.tar.xz") 
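Review bot: The rewritten `kernel_ver = re.sub(...)` line still passes a release tag through unchanged when it does not end in `-hardenedN`, so an unexpected tag would flow straight into the `mirror://kernel/.../linux-{kernel_ver}.tar.xz` URL two lines later. Because the tag name comes from the upstream release feed, a strict match is the safer shape: `m = re.fullmatch(r"v?(\d+(?:\.\d+)*)-hardened\d+", release_info.release.tag_name)`, then `if m is None: return None` and `kernel_ver = m.group(1)`, mirroring the existing `if not sig_ok: return None` path. The enclosing function starts and ends outside the hunk, so how callers treat a `None` result should be confirmed.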
@@ -157,8 +157,11 @@ def find_asset(filename: str) -> str: def parse_version(version_str: str) -> Version: + # There have been two variants v6.10[..] and 6.10[..], drop the v + version_str_without_v = version_str[1:] if not version_str[0].isdigit() else version_str version: Version = [] - for component in re.split(r'\.|\-', version_str): + + for component in re.split(r'\.|\-', version_str_without_v): try: version.append(int(component)) except ValueError: @@ -227,7 +230,7 @@ def commit_patches(*, kernel_key: str, message: str) -> None: # It's not reliable to exit earlier because not every kernel minor may # have hardened patches, hence the naive search below. i += 1 - if i > 500: + if i > 100: break version = parse_version(release.tag_name) diff --git a/pkgs/os-specific/linux/kernel/kernels-org.json b/pkgs/os-specific/linux/kernel/kernels-org.json index 8ba27041edc8b..d9666903b4cb8 100644 --- a/pkgs/os-specific/linux/kernel/kernels-org.json +++ b/pkgs/os-specific/linux/kernel/kernels-org.json @@ -24,8 +24,8 @@ "hash": "sha256:0qj106lj554y1kdqj8kwyf7pk9bvrrpgz6s8zyh7d61mk7wws9sf" }, "6.6": { - "version": "6.6.53", - "hash": "sha256:0yfpyiz57wz9rkwif6n3k2n87waw46ad0h7h0pwhnar53cfihp98" + "version": "6.6.54", + "hash": "sha256:186ggr0yz7fgp05qav6k6j72aazvwdljdnf2zwb5q194dafqdbjz" }, "6.8": { "version": "6.8.12", @@ -36,11 +36,11 @@ "hash": "sha256:08ngskni7d9wi93vlwcmbdg7sb2jl1drhhzn62k9nsrg1r7crrss" }, "6.10": { - "version": "6.10.12", - "hash": "sha256:1kvkwgnq5gsdqarrdg32qjrbq1dggxp1x2yy2zpsjsaq5y2mhj2j" + "version": "6.10.13", + "hash": "sha256:0smimvnivdswiggplz9x65d03vdysgr3v9iijbk4f5fva0iypz2z" }, "6.11": { - "version": "6.11.1", - "hash": "sha256:0ggfg3f8nkcgs2pg7y5ccfrcjzj7j7x4n41g59gzbsp1nirj6dra" + "version": "6.11.2", + "hash": "sha256:0hlwsfq6brdkdcwdq6d1aq2b210hkqgpmy0y1sa5bfyfp6hgg7pc" } } diff --git a/pkgs/os-specific/linux/kernel/linux-rt-5.15.nix b/pkgs/os-specific/linux/kernel/linux-rt-5.15.nix index 05134b759fa4c..8878775e5e118 100644 
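Review bot: In `parse_version`, the added `version_str[0]` lookup raises `IndexError` on an empty tag and drops any non-digit first character, not only the `v` that the new comment describes. `version_str_without_v = version_str[1:] if version_str.startswith("v") else version_str` accepts the empty string and leaves other unexpected prefixes to the existing `except ValueError` handling. The rest of the function body lies outside the hunk.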
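Review bot: The lowered cap in `if i > 100: break` ends the release search silently, although the comment directly above says an early exit is not reliable because not every kernel minor has hardened patches. If the newest release for an older branch sits beyond the first 100 entries, that branch would apparently be skipped without any signal and stay on a stale hardened patch. Naming the limit, e.g. `MAX_RELEASES_SCANNED = 100`, and printing a warning before the `break` would make a truncated scan visible in the updater output. The loop itself starts outside the hunk.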
--- a/pkgs/os-specific/linux/kernel/linux-rt-5.15.nix +++ b/pkgs/os-specific/linux/kernel/linux-rt-5.15.nix @@ -6,7 +6,7 @@ , ... } @ args: let - version = "5.15.163-rt78"; # updated by ./update-rt.sh + version = "5.15.167-rt79"; # updated by ./update-rt.sh branch = lib.versions.majorMinor version; kversion = builtins.elemAt (lib.splitString "-" version) 0; in buildLinux (args // { @@ -18,14 +18,14 @@ in buildLinux (args // { src = fetchurl { url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz"; - sha256 = "00mkipkhz0i5xld7kyaxcj8cj8faw4gmjl5fribg832nn7ccfpq2"; + sha256 = "0c6s6l5sz9ibws7bymb393ww0z9i3amsk1yx0bahipz3xhc1yxdi"; }; kernelPatches = let rt-patch = { name = "rt"; patch = fetchurl { url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz"; - sha256 = "030aycnrcnjhylkqj0wrfi992v2l26v17rgvxl16514zpdjmiv1x"; + sha256 = "0z9yhg0vxzrqn2vyg973pd8qy5iq30jkza8c0mrjjpjzyc8jvm57"; }; }; in [ rt-patch ] ++ kernelPatches; diff --git a/pkgs/top-level/linux-kernels.nix b/pkgs/top-level/linux-kernels.nix index 6813d430a4694..d64a3a3240c45 100644 --- a/pkgs/top-level/linux-kernels.nix +++ b/pkgs/top-level/linux-kernels.nix @@ -26,6 +26,10 @@ let linux = kernel; }; + markBroken = drv: drv.overrideAttrs ({ meta ? {}, ... }: { + meta = meta // { broken = true; }; + }); + # Hardened Linux hardenedKernelFor = kernel': overrides: let @@ -256,10 +260,10 @@ in { stdenv = gcc10Stdenv; buildPackages = buildPackages // { stdenv = buildPackages.gcc10Stdenv; }; }; - linux_5_4_hardened = hardenedKernelFor kernels.linux_5_4 { + linux_5_4_hardened = markBroken (hardenedKernelFor kernels.linux_5_4 { stdenv = gcc10Stdenv; buildPackages = buildPackages // { stdenv = buildPackages.gcc10Stdenv; }; - }; + }); linux_5_10_hardened = hardenedKernelFor kernels.linux_5_10 { }; linux_5_15_hardened = hardenedKernelFor kernels.linux_5_15 { }; linux_6_1_hardened = hardenedKernelFor kernels.linux_6_1 { };
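Review bot: The `linux_5_4_hardened = markBroken (hardenedKernelFor kernels.linux_5_4 { ... })` wrapping records no reason. The same commit still refreshes the 5.4 entry in `hardened/patches.json`, so a reader cannot tell whether the patch no longer applies, the build fails, or the branch is being retired. A comment above the attribute such as `# Marked broken: <reason>; see <issue link>` would document it. The `markBroken` helper added in the `@@ -26,6 +26,10 @@` hunk of this file could likewise carry a one-line comment saying it sets `meta.broken = true` on the derivation it is given.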