Make custom kernel build with custom configuration

Hi,

I have a configuration that builds a hardened kernel using nixos-generator, that looks like:

{ config, lib, pkgs, ... }:
{
  services.sshd.enable = true;
  services.nginx.enable = true;

  networking.firewall.allowedTCPPorts = [ 80 ];

  users.users.root.password = "nixos";
  services.openssh.permitRootLogin = lib.mkDefault "yes";
  services.getty.autologinUser = lib.mkDefault "root";

  boot.kernelPackages = let
      linux_hardened_pkg = { fetchurl, buildLinux, ... } @ args:

        buildLinux (args // rec {
          version = "5.10.32-hardened1";
          modDirVersion = version;

          src = fetchurl {
            url = "https://github.com/anthraxx/linux-hardened/archive/refs/tags/5.10.32-hardened1.tar.gz";
            sha256 = "6a2fa5c8c151735a2eed59b5c93c0cb57c495588b4e1406a1fe4d066f52c4d37";
          };
          kernelPatches = lib.singleton {
            name = "prune";
            patch = null;
            extraStructuredConfig = with lib.kernel; { };
          };

          extraMeta.branch = "5.10";
        } // (args.argsOverride or {}));
      linux_hardened = pkgs.callPackage linux_hardened_pkg {};
    in
      pkgs.recurseIntoAttrs (pkgs.linuxPackagesFor linux_hardened);
}

I’d like to add my own .config according to this documentation. Can anyone
give some insight into how the configuration.nix should look to do so?

Thanks!

Same question here. Stuck there as well: Are they steps missing integrating usbip support in NixOS-WSL ? · nix-community/NixOS-WSL · Discussion #110 · GitHub

How would I build this file?

@pekkari in your case, did you already try sudo nixos-rebuild test -I nixos-config=./your_hardened_kernel.nix? For extraStructuredConfig see The *correct* way to override the latest kernel config - #9 by julm and Linux kernel - NixOS Wiki (called structuredExtraConfig there).

I’d highly recommend you use extraStructuredConfig like this:

{
  boot.kernelPackages = let
      linux_hardened_pkg = { fetchurl, buildLinux, ... } @ args:

        buildLinux (args // rec {
          version = "5.10.32-hardened1";
          modDirVersion = version;

          src = fetchurl {
            url = "https://github.com/anthraxx/linux-hardened/archive/refs/tags/5.10.32-hardened1.tar.gz";
            sha256 = "6a2fa5c8c151735a2eed59b5c93c0cb57c495588b4e1406a1fe4d066f52c4d37";
          };
          kernelPatches = lib.singleton {
            name = "prune";
            patch = null;
          };

          extraStructuredConfig = with lib.kernel; {
            FOO = yes; # CONFIG_FOO
            BAR = option no; # CONFIG_BAR
          };

          extraMeta.branch = "5.10";
        } // (args.argsOverride or {}));
      linux_hardened = pkgs.callPackage linux_hardened_pkg {};
    in
      pkgs.recurseIntoAttrs (pkgs.linuxPackagesFor linux_hardened);
}

(Untested.)

Regarding

extraStructuredConfig is what it is called only inside the kernelPatches closure. For all other occasions use structuredExtraConfig please. I myself needed two days to spot this difference in detail.
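A worked example, added here and not taken from any post in this thread, of the naming rule the reply above describes: the original post's hardened kernel with build-level options under structuredExtraConfig (the buildLinux argument) and a boot.kernelPatches entry using extraStructuredConfig (the kernelPatches name). The symbols are real kernel config options; which ones to switch off is my own choice for a host that should never load a replacement kernel, and lib.mkForce is assumed to be the way to override a value nixpkgs' common config already defines.

```nix
{ config, lib, pkgs, ... }:
{
  boot.kernelPackages = let
    linux_hardened_pkg = { fetchurl, buildLinux, ... } @ args:
      buildLinux (args // rec {
        version = "5.10.32-hardened1";
        modDirVersion = version;
        src = fetchurl {
          url = "https://github.com/anthraxx/linux-hardened/archive/refs/tags/5.10.32-hardened1.tar.gz";
          sha256 = "6a2fa5c8c151735a2eed59b5c93c0cb57c495588b4e1406a1fe4d066f52c4d37";
        };
        # As a direct buildLinux argument the attribute is structuredExtraConfig.
        structuredExtraConfig = with lib.kernel; {
          DEVMEM = no;                    # CONFIG_DEVMEM: no raw physical-memory device node
          PANIC_ON_OOPS = yes;            # CONFIG_PANIC_ON_OOPS: an oops is a kernel bug, halt rather than limp on
          PANIC_TIMEOUT = freeform "10";  # CONFIG_PANIC_TIMEOUT: int-valued symbol, reboot 10 s after a panic
          # `option` marks a value as optional: the build does not fail if the
          # final .config ends up differing (e.g. the symbol is not selectable).
          STACKPROTECTOR_STRONG = option yes;  # CONFIG_STACKPROTECTOR_STRONG
          # mkForce wins over any definition nixpkgs' common kernel config already
          # carries for this symbol; two differing plain definitions are an error.
          DEVKMEM = lib.mkForce no;       # CONFIG_DEVKMEM: no /dev/kmem
        };
        extraMeta.branch = "5.10";
      } // (args.argsOverride or {}));
    linux_hardened = pkgs.callPackage linux_hardened_pkg {};
  in
    pkgs.recurseIntoAttrs (pkgs.linuxPackagesFor linux_hardened);

  # Inside a kernelPatches entry the same thing is called extraStructuredConfig.
  # patch = null means "no source patch, config changes only"; NixOS merges these
  # entries into the kernel selected by boot.kernelPackages.
  boot.kernelPatches = [
    {
      name = "no-runtime-kernel-swap";
      patch = null;
      extraStructuredConfig = with lib.kernel; {
        KEXEC = lib.mkForce no;        # CONFIG_KEXEC: no replacing the running kernel
        HIBERNATION = lib.mkForce no;  # CONFIG_HIBERNATION: no image of kernel memory on disk
      };
    }
  ];
}
```

Build it with the nixos-rebuild invocation given earlier in the thread; a symbol whose value the kernel cannot honour fails the build unless it is marked with `option`, which is the check that tells you a setting silently did not take.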
