Why does pkgs.linux_hardened lag behind pkgs.linux?

eity · June 3, 2024, 4:20pm

As of now, for release-23.11, hardened is at 6.1.81 while linux is at 6.1.92.

For release-24.05, hardened is 6.6.31 which is behind linux at 6.6.32.

From quick glance at pkgs/top-level/linux-kernels.nix, it seems to be generated functionally using the same sources for linux.

I’ve been using NixOS since during 23.05 and this gap seems unpredictable. What’s causing this?

doronbehar · June 3, 2024, 7:24pm

This may help:

nix eval --json -L --impure \
  --expr 'with (builtins.getFlake "nixpkgs").legacyPackages.${builtins.currentSystem};
  builtins.map
    (k: builtins.unsafeGetAttrPos "src" k)
    [ linux linux_hardened ]
  ' | \
  jq .

When I read the files the above command prints, I suspect the version gap is related to:

github.com

NixOS/nixpkgs/blob/c046b651e5d7cdb0c30627defd7131cd4858b478/pkgs/os-specific/linux/kernel/hardened/patches.json

{
    "4.19": {
        "patch": {
            "extra": "-hardened1",
            "name": "linux-hardened-4.19.314-hardened1.patch",
            "sha256": "18k8rvcfqjdrjv4a8lbfxdi5nipn0widarncxgmbaykc2x37q4vr",
            "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.314-hardened1/linux-hardened-4.19.314-hardened1.patch"
        },
        "sha256": "0nvrpg5aj2q4h2drmczprqaprcc2zhcrijfri77b830ms8rg4y2a",
        "version": "4.19.314"
    },
    "5.10": {
        "patch": {
            "extra": "-hardened1",
            "name": "linux-hardened-5.10.217-hardened1.patch",
            "sha256": "1isql7dsky91kp856gcwczzd4vwyfi0xxdgv7s0987v4p6ih3gbz",
            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.217-hardened1/linux-hardened-5.10.217-hardened1.patch"
        },
        "sha256": "0qhzqrjci45vcbzjch7vq75i6hpyap6yb7jw6g71phcnqgzw2ay5",
        "version": "5.10.217"

This file has been truncated. show original

Which specifies for each major version X.Y of a kernel a more specific and full version and a sha256 that are used eventually here:

github.com

NixOS/nixpkgs/blob/c046b651e5d7cdb0c30627defd7131cd4858b478/pkgs/top-level/linux-kernels.nix#L44-L47


      
          src = fetchurl {
            url = "mirror://kernel/linux/kernel/v${major}.x/linux-${version}.tar.xz";
            inherit sha256;
          };

If this small gap within the same major version bothers you, perhaps this is due to the hardened kernel patches maintainer, or perhaps you should run one of the supplied update scripts to fix this:

github.com

NixOS/nixpkgs/blob/c046b651e5d7cdb0c30627defd7131cd4858b478/pkgs/os-specific/linux/kernel/update.sh#L13-L14


      
          echo "Update linux-hardened"
          COMMIT=1 ./hardened/update.py || echo "update-hardened failed with exit code $?"

You mean to say you are afraid that the version bump between the nixos releases will cause you issues? I wouldn’t be afraid of that.

eity · June 4, 2024, 7:18am

Thanks for your detailed reply and apologies for my late response.

If this small gap within the same major version bothers you, perhaps this is due to the hardened kernel patches maintainer

Since I’m talking about the kernel packaged in nixpkgs, patches.json not being updated regularly seems to be the cause. For nixos-23.11, this was last updated 3 months ago.

perhaps you should run one of the supplied update scripts to fix this

I guess I’ll need to maintain my own version of nixpkgs?! It’ll be convenient if I didn’t have to manually update it everytime and sync with upstream. I’ll try using github-actions.

You mean to say you are afraid that the version bump between the nixos releases will cause you issues?

No, I am talking during the same release here. I just took example of nixos-23.11 as I think that’s a huge gap between 6.1.81-hardened and 6.1.92.

vcunat · June 10, 2024, 6:00pm

Why don’t you make pull requests?

doronbehar · June 12, 2024, 7:12pm

BTW this might be of interest to anyone reading this:

github.com

NixOS/nixpkgs/blob/4dae540dc9c46b6709b3ab66ffa210468570547e/pkgs/top-level/aliases.nix#L757-L769


      
          # Added 2021-08-16
          linuxPackages_latest_hardened = throw ''
            The attribute `linuxPackages_hardened_latest' was dropped because the hardened patches
            frequently lag behind the upstream kernel. In some cases this meant that this attribute
            had to refer to an older kernel[1] because the latest hardened kernel was EOL and
            the latest supported kernel didn't have patches.
          
          
  If you want to use a hardened kernel, please check which kernel minors are supported
            and use a versioned attribute, e.g. `linuxPackages_5_10_hardened'.
          
          
  [1] for more context: https://github.com/NixOS/nixpkgs/pull/133587
          '';
          linux_latest_hardened = linuxPackages_latest_hardened;