linux_hardened: remove
It isn't maintained to the standards people expect of kernels in nixpkgs.
@@ -294,9 +294,6 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
|
||||
/nixos/modules/services/databases/mysql.nix @6543
|
||||
/nixos/modules/services/backup/mysql-backup.nix @6543
|
||||
|
||||
# Hardened profile & related modules
|
||||
/pkgs/os-specific/linux/kernel/hardened/ @fabianhjr
|
||||
|
||||
# Home Automation
|
||||
/nixos/modules/services/home-automation/home-assistant.nix @mweinelt
|
||||
/nixos/modules/services/home-automation/zigbee2mqtt.nix @mweinelt
|
||||
|
||||
@@ -149,15 +149,6 @@ The change gets submitted like this:
|
||||
```
|
||||
* Update `linux_latest` to the new attribute.
|
||||
* __SQUASH__ the changes into the `linux: init at …` commit.
|
||||
* If a new hardened is available:
|
||||
* Instantiate a `linux_X_Y_hardened = hardenedKernelsFor kernels.linux_X_Y { };` in `kernels` and
|
||||
`linux_X_Y_hardened = hardenedKernelFor kernels.linux_X_Y { };` in the `packages`-section.
|
||||
* Make sure to remove the hardened variant of the previous kernel version unless it's LTS.
|
||||
We only support the latest and latest LTS version of hardened.
|
||||
* If no new hardened kernel is available:
|
||||
* Keep the previously latest kernel until its mainline counterpart gets removed.
|
||||
After that `linux_hardened` points to the latest LTS supported by hardened.
|
||||
* __SQUASH__ the changes into the `linux_X_Y_hardened: init at …` commit.
|
||||
|
||||
### Policy for accepting new kernel flavours {#sec-linux-new-kernels}
|
||||
|
||||
|
||||
@@ -133,6 +133,8 @@
|
||||
|
||||
- `services.pyload` has been removed because the package it relies on does not exist anymore in nixpkgs due to vulnerabilities and being unmaintained.
|
||||
|
||||
- `linux_hardened` kernel has been removed due to a lack of maintenance.
|
||||
|
||||
- `services.tandoor-recipes` now uses a sub-directory for media files by default starting with `26.05`. Existing setups should move media files out of the data directory and adjust `services.tandoor-recipes.extraConfig.MEDIA_ROOT` accordingly. See [Migrating media files for pre 26.05 installations](#module-services-tandoor-recipes-migrating-media).
|
||||
|
||||
- `linux-rt` kernel has been removed due to a lack of maintenance.
|
||||
|
||||
@@ -79,7 +79,6 @@ let
|
||||
) args);
|
||||
kernels = patchedPkgs.linuxKernel.vanillaPackages // {
|
||||
inherit (patchedPkgs.linuxKernel.packages)
|
||||
linux_6_12_hardened
|
||||
|
||||
linux_testing
|
||||
;
|
||||
|
||||
@@ -86,8 +86,6 @@ python3.pkgs.buildPythonApplication (finalAttrs: {
|
||||
staslyakhov
|
||||
];
|
||||
platforms = if withDriver then [ "x86_64-linux" ] else with lib.platforms; linux ++ darwin;
|
||||
# https://github.com/chipsec/chipsec/issues/1793
|
||||
broken = withDriver && kernel.kernelOlder "5.4" && kernel.isHardened;
|
||||
mainProgram = "chipsec_main";
|
||||
};
|
||||
})
|
||||
|
||||
@@ -45,7 +45,5 @@ stdenv.mkDerivation (finalAttrs: {
|
||||
"aarch64-linux"
|
||||
];
|
||||
description = "AJA video driver";
|
||||
# FTB for hardened 5.10/5.15 kernels
|
||||
broken = kernel.kernelOlder "6" && kernel.isHardened;
|
||||
};
|
||||
})
|
||||
|
||||
@@ -77,7 +77,6 @@ lib.makeOverridable (
|
||||
|
||||
# for module compatibility
|
||||
isZen ? false,
|
||||
isHardened ? false,
|
||||
|
||||
# Whether to utilize the controversial import-from-derivation feature to parse the config
|
||||
allowImportFromDerivation ? false,
|
||||
@@ -530,7 +529,6 @@ lib.makeOverridable (
|
||||
;
|
||||
inherit
|
||||
isZen
|
||||
isHardened
|
||||
withRust
|
||||
;
|
||||
baseVersion = lib.head (lib.splitString "-rc" version);
|
||||
|
||||
@@ -75,7 +75,6 @@ lib.makeOverridable (
|
||||
|
||||
isLTS ? false,
|
||||
isZen ? false,
|
||||
isHardened ? false,
|
||||
|
||||
# easy overrides to stdenv.hostPlatform.linux-kernel members
|
||||
autoModules ? stdenv.hostPlatform.linux-kernel.autoModules or true,
|
||||
@@ -315,7 +314,6 @@ lib.makeOverridable (
|
||||
extraMakeFlags
|
||||
isLTS
|
||||
isZen
|
||||
isHardened
|
||||
;
|
||||
|
||||
# Adds dependencies needed to edit the config:
|
||||
|
||||
@@ -1,325 +0,0 @@
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
Version: GnuPG v2
|
||||
|
||||
mQINBE64OEUBEADPS1v+zoCdKA6zyfUtVIaBoIwMhCibqurXi30tVoC9LgM6W1ve
|
||||
HwPFukWq7DAS0mZUPE3mSV63JFLaTy0bY/6GO1D4wLdWZx4ppH7XKNCvKCbsi70k
|
||||
UozFykNVf+83WEskuF1oYzXlF3aB5suz2IWJl7ey1EXgIpehwQaTJUA5JIWYFp9A
|
||||
566LRNJefYMzUR33xc4dRKj6Etg0xdLVq7/vZoo8HpLCBGNWiP0AKqFWEwTg0xQL
|
||||
7nsJA5tfJJdwAJvrzjpFsvb63PKG6waAtdHhON4q7E2Udak9fz2tRjxA5l9l2zXk
|
||||
aqsysUzkxPhNjwMENoQ04KZg4aT+ZhhBzTowSWLp3KV2uaZ66kdPUO3s+/1bPp5/
|
||||
N/IlykaUwyL773iYOZ5dOY/9hIuX/zssihcrGEMW6yIyZR5uKhzYdaM9ExTXP637
|
||||
UccgNS9/pskPGPx/xK23NDCfeHzL9YHS5KokA2wb/b9hqpwvLaeblbMl2pt79F1R
|
||||
ac+rZlrRyX3NvlTQP4hqM9Ei2YBAU7QFDJEjH8pVIceL7grxi1Ju1iD5QiSK+je5
|
||||
Jj5EAikfwSeAttSzsqNvaXJHfABrv5mkkVt1z3icP3HIHTYnG+uj+t8kvW+o9/1i
|
||||
pD6e6LUh4w5v1aY9kaK/M3+eBH59yNYI99crPUKUBVfW4gv4DBUJAQTWRQARAQAB
|
||||
tDVMZXZlbnRlIFBvbHlhayAoYW50aHJheHgpIDxsZXZlbnRlQGxldmVudGVwb2x5
|
||||
YWsubmV0PokCQQQTAQIAKwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4ACGQEF
|
||||
AlSXU9QFCQfATw8ACgkQ/BtUfI2BcsjPbxAAs+UR/bJz/HeYTpPy+HnKwDJgI9GP
|
||||
AZlNvp+QSIhOTtKCYkQ/Iu+5scY5J0Qyv0pcJW5Rxjx+l7KGovw84jzVznnYsJoy
|
||||
UQ5H3Ev9T2xW1nrZT3abJ7j6ZIck+Q+WFHu5Plsq6doSXOXmJNoehvT3BVolvc6w
|
||||
S1+CAoyA5Wm1yfocZgVOvWPWQaa1T4XA7OwxFWrvNWEZwAzTSjkGHkwmji+DxdBd
|
||||
RPam9+qm/rcN1IJTu6xJPr38a9LydWonsUpTR2Qn7Bo4EJp8yHJLaiLEMV/Nmgrr
|
||||
1orBYw/OzDzhbdMl+2zzwEBLUMPABdgnPM6ZCZ5PWyWnCU4jsBGyVd0IC5xEu3Eg
|
||||
a0EtIdvx2lXiLfh2dulpMn52uJY5iNwaTleO+z9CENQVhh5R4FuN9H0BLiyAxf1+
|
||||
MkD3jLT+DGl02hQghtxz18iTkRk7KOw/NFn4z0is+TRl4/ocNt1LiWQXt8dr7qdx
|
||||
zvUpDnxCSYZkeutzopo1TA4lKpnsS2mHabx6CbrUmF+wOIr8gHUfpBFeEQ8BHebU
|
||||
5X0JrFF5mjeNl4uK9l9lD9ng74rsSpKPr15DU41jIuQDHJYd6H3TXQ4K1z7Ciivy
|
||||
r4vgsruAFX/GduKseOx1obWW3GfIQzLAIuVdjldgREl61GWoLiGFqlcveiAIkN5p
|
||||
Bxc20hSrHgZP9ZyIRgQQEQIABgUCTrg/KAAKCRC+dA9BPyK7GTK7AKC8Sd1ndNvc
|
||||
1ispBaECbHT/JPfGrQCgvkfGBsFn/KBrgC5hTm0mSxdy942JAkEEEwECACsCGwMF
|
||||
CQIchwAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJOuD2qAhkBAAoJEPwbVHyN
|
||||
gXLIXL4QAJtbs62EpOIFld0N+tTEFn1qQPPaExAXmH/RF5Epf+0rSS6B0OXEZBXz
|
||||
cWtMPbHxoLjN1iY8o0QC1ex7/KDfYq8Ho18M9P+Lf6XfW0sJ9d021U5MJWGPs4zA
|
||||
lNFXJqeMgfJZAno2N6dO/azcYHq1wmSgUbTb9Oyi1PHfn3g0UAW59dfkB8d2jEvY
|
||||
Yed1X0mBPPXcbgnYNZ514JQtm9wuDdVWrh/Si9EhKg6+MPcbv18G4lpPGR+yNq9y
|
||||
3Jze4vmmWen0ceDJEp06IAeTfJzzD80Oui2WXtLfaQxgf9uuZtGjrMX5l+mq7rBS
|
||||
VH/dsHP1VYI0efKIs7qbmiLcMRVWYIGix9I1C3UYr3ImYiCGlBG/uQ929xbjWAHa
|
||||
hy4W6rzruUWjyi/Kz7QRnyBgtHfhDO7hYziTr5hoGhd4VeUpcbxL+MegXFZsWJlE
|
||||
kz8TOOsZ/4XxXHVoalg8fYOcA7j/aoszsPMQUOL/5jsVRhyP3evtVxb3m1EwvYDK
|
||||
Lii4IkVxGztlBOIgeT4kwXgoJEASSZHgcd6tDv9q7o33n2I1DGL8X3axcHES2/C7
|
||||
cP+li3KL3Hc9vjgaJ9HfcQLuMcHqfoHn+YzVfbG5XeFcxhgQpwpYsZv3MTbXAQwI
|
||||
fRHXRuIfOiFwqUXahi5N1WSIXNBGSyI7pu9ht5I7gIIOINE+VS7FiQJBBBMBAgAr
|
||||
AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAIZAQUCUNol8QUJA/yTqwAKCRD8
|
||||
G1R8jYFyyIqUD/9yWw7WBQiWyIMpVuX9c2Ov1fAkDya43fDm0gqIgNsdaxCt5ATh
|
||||
XaXZ/p2jglWwon5jDLDNsVR0/Q/t8ugdcP3bcwRtW2YYQ2F1PaNjfr5WsuPEadyc
|
||||
J62DIobY4IzqBpDuqGLYdbzZeKr49VwbRRvIJpphrk3+CekFvdIs1ofEpA2Kn2oA
|
||||
DXfYuaWoVBF7fTwAZmc3hYPOI1jK7nrFZbCnAT4WZPzZ4IY9lsaNTF/4mQ8vV1xF
|
||||
De6HjfslHURlZWsWtQIKhIPBKoZC1nP5VRK3IHYgKw8toq780kalLH8ofv9BkSrs
|
||||
t98JOoJX4etdmE8Ta/+Wg5C9EzR+909tQfdWdkaRbhvbtl/x7X76HU4ItefLR5pW
|
||||
d0OSo488QZMQjCUWlzgPMsmnYMQm6ckNOp0B/RtMfbJV7t5H+JE3PLfFG55jcz3w
|
||||
uNGhfZyl/ZhV9fvGLU/sPyhIW7ewuIwd+7i12fH9r4NAGB/mkSKK+tHGcTZvXxux
|
||||
5QMKE+a9u6NMJRrbsIiTFwhrCLMgzLYL0mtX8FZXNFFZzGFYkiXymBR0ze4LKzRo
|
||||
dMFpyP/w/IIjYBhVpgboT2EMMIgJHSsMJDCdDjI+9cAykVF6ccSiUQ11devHL6Pv
|
||||
WwlT2Ub4TP4yCScHDPyfWq+tfdQlWFVRZMRJ7kmq0VagqomdRHgLPyPgDYkCHAQQ
|
||||
AQIABgUCUtgrXgAKCRBH1QFsQv98LACcEACFq3Oz8nHAa6KsyspIWo0+HjzCtTv0
|
||||
G6TB+svf3fl24C93IfFhpSyxNf8XVa9h9kCU5ZImYN+LaoUGiz3lcYxjdOeFYDc4
|
||||
GU5TFrJwY9eOYYCsr+z+NLn7wlLZEO772lGUDPJMWxSGqR9yOGhQCTIADLLcp6mt
|
||||
07zdejESYxMT6IjYR+rX6miWG5Hr9/lBdh/X4XhGpHEY64IL8vVB3C+FQfG3hiMB
|
||||
bHbvJ4/S/cjfNM1T9oKiA0H6jklRHIdstj+2eeWA7lS+GE3Mpkra+8KmkEjV4O03
|
||||
izcRpMm1yTGoTjp9UddTNYErb/sha5YigYAqK8bj3gh6tTFNJHbN4RWgtPDyc5Va
|
||||
1u+sH2ob6JS5tez8/Z6pMarGpTQujIGAlntP4igi0Q4hxyLof6Vtc6XF80uSwTvN
|
||||
RRmQrcq+kLPwX0NbyZCBCI+kjBPu2b932JDTfVBKwJCLF3e1zvQqN0C7EZnIzveX
|
||||
r7VtJ4WHIfSyi/HQP7xm5L0uQj+KRr+/LMaxkCDgrlqoWTgAoxCAPYH1XCvBoJRc
|
||||
DHjNikyEAS8WUGl9ZHQyAoFngi/jqH6WoDAmfBUKRoBMR2hXLOKUBmObw0DHgauM
|
||||
kk4kD6CW4UEy0SM/i9JD7sk9KiKoHMip1jguKRJkHJ1WSkNl7nZpeo+KG0WbGHXN
|
||||
b7hnrQsNyqJkUokCQQQTAQIAKwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AC
|
||||
GQEFAlLV0QIFCQXdHmsACgkQ/BtUfI2Bcsj8DA//b8wZrFY/Fj/iR5ZaO0AjmMV1
|
||||
hM7lAFWLfDiLyYofuiGLUg9rqFWj+Ks2kedVN7+22Bjgi5fvpXv3Uy4trZKKw8Xs
|
||||
FJ/s8HQ6jzIv6pFdIYPLFQBqS2tEgfsanPZWIqJI9fbhOrRGN7WV5tXiksCaRO+u
|
||||
rLjIhAYmsDb//BD2xqsY54ouRdrz5nRG3qG2odq2Lw8XquW6srouGaSm+BI3sow6
|
||||
l2eAW8UjbxwICQg2ZPZYCBc9ArbgLS1ha+yPhp65nGpVbqDA8rUKC11op1ArAbY3
|
||||
Yt6xzLg+RCuCHBa1gNPpDoYV9V8Zve03mEIcsK10X0RhJQ+z4INvrjtelPRCOLpN
|
||||
179JmsyxwOzwAPg773SK1Z31jSirsiEke/q8j13PGNDBCb4ZKpm/KOht+4d0jJLK
|
||||
GLqD85cv3/uAeSh2zWkoKcVW6uVZpiz3KA3i4YMWnteOlrlZH28nIrDXevPzkOxo
|
||||
pZlhuLboCD6g6yuZI4Wm9fEiga8xmRDw4RrOIuDXWjNW6IVaeFGvnYaNf0wnmBD+
|
||||
FE1SMWwcmqgB1yIylmKqH0lYce8SVAMLkkOlaijhWrfCO5iS7zjWaVz98HCqFfwR
|
||||
gHuJTxOwwlf9Qb6cyC3bGsfILBUuE0L5vUAZUAc61H+6Sv88CDDUO1EOKaqAAYhR
|
||||
plvoyYZ3xiSMgzYKGZ+0OkxldmVudGUgUG9seWFrIChKYWJiZXIvWE1QUCBvbmx5
|
||||
KSA8YW50aHJheHhAamFiYmVyLmNjYy5kZT6JAj4EEwECACgCGwMGCwkIBwMCBhUI
|
||||
AgkKCwQWAgMBAh4BAheABQJUl1PaBQkHwE8PAAoJEPwbVHyNgXLIQokQAKxJB9/F
|
||||
TfBae6eqcT+izxGSnsvbc2bcrtsmKkhu9HwpsJ4IDutphXFB0wFalI40BL0o1k54
|
||||
Wlfv5GHbq7Ju3kW2dmTMP0WpfFytV7rr2yqSmik+skJw27BDk74rP0v4TNOHaTrP
|
||||
nokfTnlaKuv1bqlwbIwV7rJ5jbAtw5hueeN4jghGU8SGlCOEZ/xGxYYsvtyPhZhn
|
||||
kmsAzcPr/BpW4NkSb2SnRIO8KzcPnzxz7JDdeIusq/YW7P5OlhDx4ejdh0Wg6ISl
|
||||
zxB5VoqFqNuKTBQNz4HHpqDVQqEDE4JngMerDr+4qAiDYI4w6kN3Ce2LqciRyMVh
|
||||
YYnTqyyjXYY3C1WwXIa1tZb2Cw2DorshNFdACr7wKQMOoJtAFpdd3d/DRKQWCc3x
|
||||
jkBERqZ+55unTY0/0uyNPoK0noAcGydiU8WGh6wyi+Do+Zxq4QJEcqL/FHrhlaiw
|
||||
LTmgDS+XDl7zRtQia7ykpi/xqe74ujOHcJO8tpY0ZCdR2A13xiOi+11wndbOkBFv
|
||||
dQ0vgih9ROzwe3hBbBQQOdF4hkA9vEd2Ks4gF8IR+5ixWAIyZAVbnDiLelWgQgnE
|
||||
aeEwTtfcXRNAxuj+MgMPQhXQ2/cK0dPD4z51DchVRIf9G3hAuBT/CEhTqNkkm5F0
|
||||
og7azwd75+vh5RxwVld3ES6CMXKaiV4csQkdiEYEEBECAAYFAk64PygACgkQvnQP
|
||||
QT8iuxlligCeNgfNE4w1AQuOC4ef3HNNY0GXgVMAnjmtCVIUJv/w6PDimvf20rgF
|
||||
GVHxiQI+BBMBAgAoBQJOuD0KAhsDBQkCHIcABgsJCAcDAgYVCAIJCgsEFgIDAQIe
|
||||
AQIXgAAKCRD8G1R8jYFyyPv3D/wJ+sYXqSxoo8OriGMUzG5LXs2Hf1YULdlysGa8
|
||||
mxWTwCIEMSSx8AoOKf/FyXglDVl9msfOgv6jRiN+UyNCQEv+6a5ZCL7BlAVU0Q4W
|
||||
w2/UUlOUlLMC1QAodGcC3kiPSy41jnDVswKYRrICuiW1Pqgad3h7u7caqvqG1D/A
|
||||
YOR2Q8JjY15j6Qf62Xx+YANx2tPWKeDyPUAN/x1W6RrEDbN5F+1qOpPFuTnpPmqH
|
||||
q4zxm4Dz4szypmAKsN+5/q8T6DJtSnP7COtsY467oX2XtNTTuCIsU79lBVo/yan9
|
||||
ofB6hu12KyXwJIl1OK34g9VEP5suU3hcEw7uVAvxyMYJQlxORUCG0DAFc/oPm3d0
|
||||
ypRdbxXJMjoS3pmCf7kwnEA9PIAjZDYuVHGZkAdmYYInTIH6ipjkVxDHEF1en0h2
|
||||
zHJEZC7NIYgPyzHXmH7Xy3VZVhhKKKM12VDOuIOOecQPuFIw3hG7dymjn5e9dMzv
|
||||
+DMkbEZzoFahLYkbVGG1FGzhE6Uvb/IG0UJCC4nDz0pzZpV++QHvgEvbY/HLbHJ4
|
||||
o3CT5aVE0YIhTP+zqXNFMOao8yZy+AzdMzdX+Y3ADZfY0oiZ+JH1Zo++rdrgXUhg
|
||||
Y98QgMwVwESbwaBKjsC0JnlmWyNivhIOS6NRyqR75E7j7JSvgJdxhvpQXXkQ/BzL
|
||||
FM1Ej4kCPgQTAQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAlDaJfoF
|
||||
CQP8k6sACgkQ/BtUfI2BcsiEahAArZfD1yJK385eqgCZ5LryVLRXrocuF1zlHl/6
|
||||
ugRy2TEe43ex4eTOY+mv4ZJVSxbDzUqMbBv0m3IETbM0CSESjGD+i5I7K3IToZO9
|
||||
ZgIXDbpoy9x2KWjU+R5oaxCTmZ9jk1p+f4zHxc8lJdgOXPwcIIT5Euwk4LAFN+wn
|
||||
CUHkO/D0xzP2ivTrM+VHNWqSUcNInAGRx+R0NvdSryIAsdA/5E3ql786WQhPy6L6
|
||||
1d7cmxaLsfAKIOf8ydNyoiqmJkT62omLLnqyERfLZRa9RKt5EgnxX6kR2BA+h/Gn
|
||||
KVV18bCIJjF3Gjnh3qjJehKRaw9nmzrB9KtGQAHdIp8ivNvjMitc1ijRIECfidWd
|
||||
lGxgmuI/gX58eaV3scjbs5YUFmGhcZIgjCxWWxFSwmzJTUVT5XqBpXFQB4dokj9m
|
||||
NNMpM3YH8T9QaaS/m9j7cmCJ4gxp7i1bJsqsVG5BjRLiZv701eVKVmU6vqhubR0R
|
||||
eSZghqho9e44ZMbn4rJ5kTQhGc7ZGNsIyChMSaYVreB8IBLDC7rg8dB/umg1OYOp
|
||||
8EqRLJyXdtpa4DN3X0e4WcWb0Toj4QuyCh/es1CtBldhdqHr0aLZYCX4i/KuGTXI
|
||||
kA8LTOJmZsE+K+/NCux1VHK9DADKcNjhSV0QTf+8ntGlNW6i2Mlt34thZK5eeB6W
|
||||
Bbo1zl6JAhwEEAECAAYFAlLYK14ACgkQR9UBbEL/fCyyQBAA0931q8dBD/6COmat
|
||||
8S+JSgcuIpylukFxU2vySBWSGRHFmFzwbokUE4bbNyutwNO2cNBa9zcxRPrkIg+7
|
||||
d65QjdZNDV2zWTjv5GwzEMjWxhP7VpTwTouYgx9j2d2KpFo2jfhTtZ7OU7DDF9YT
|
||||
FsaRiZHHZT+W/JHuB9Lxc55HkSagu00yTaZURc0olBui5c/hqBte1b3OWTjCmysG
|
||||
mwDL2FwdmFi9mbEm77sdD8PSVfkZaBv5rIaet+Xe/JMZoz0WUkZRCFXMr6B7aOdS
|
||||
WeB7kUsPh2J5dhf4x4YaxKLOHod9JQF/DGJsdexKqMTqM/xOMSQ1FTUMCQ5SBWJc
|
||||
3PywqMB/0eqlteHydlk7bb9HLCT3M6vVxTkpj834wGRsoVXPqWKzAHPpO2kjxXtc
|
||||
4DBh7T88YGE2k5rxdJHb3MjWVJQzHGhrO5Ji8CQaHjUJ4BTyim++RDisDi4C/QJ4
|
||||
qPOrafw/+KyJoWyfmAUpxplPvY/LKJlvKaKxmpwlildYjH7HjoYvCjagbSCUOnzo
|
||||
uM//YIJ8/o8QdxEDdYiTd7cwskYWphrAlV8+vCl/Y0lepRf+hsUS+uZi/NX4qYMx
|
||||
CTsewnnqJQduuehQl9/RnoBX9T04kS64cWNaPZ4dxZUYJm3us5QFcQJMysZ4tT1Y
|
||||
A0oEUX1KUTDzTQXT/kFi8MtmXauJAj4EEwECACgCGwMGCwkIBwMCBhUIAgkKCwQW
|
||||
AgMBAh4BAheABQJS1dELBQkF3R5rAAoJEPwbVHyNgXLIV98P/jcu/DiP/muH2Qsy
|
||||
FtjscyLu1NzBbSFB9q1jMVfx3VbaIT22Ly6BIQNHF7L2fpjf36EWpdJzpfR+Glp5
|
||||
1+KqZgIMAW5CGguSy8v7iHs6Rh5hzChiF48wCqxUmMdQ0ITTrnAXIYq6H6s8ytKF
|
||||
Y31znXmne1XYBg8e4yb3pcBhkzIPeVU7rMz9PjPB0+Q2jWCpqPA4eUSV8rL2TxFR
|
||||
KbEt8XlkZ6yuCLnkN84aLZFxfZA1tIGifi0PpeaO2z/IwOmftbQRiljMdnsPye49
|
||||
j4wlJS7yRIpnH3nH9Zku/MrDV/M0z7BVwKfF2F95/2QX4Tdyd/UESTdLqGtXpX4c
|
||||
axahZKrOhNr+k60qSBxoBqKauZkSbZunRnbYmVa3nA2kQuIPF9/QmoZgDUfdkKZJ
|
||||
u1RjwcRUGKd1XV19QjUvBMD3oHA4G6Jbi5vWKQZ40KVcL78YIL7C8dUOiPIasA45
|
||||
olaGpCSsGsfrMp5ngegxM+uh9Tc2kTFC9bTqp17VYI96cAqGrEBUQrmLmZLk0HUm
|
||||
a6MNZO/+vKN4UTlgjpjxZon+/yK8bsmT/VNie5hzqZim6tfztl3rpJ9jPUeLgr5x
|
||||
oGePYV02inapzNHdWFHk0L9zR/3KKfJ3IRJwUXp00Eya28hEepIvdxgLYcN1UqVn
|
||||
VuFuMY8zYSl/VXtPxySCLENJHxvdtClMZXZlbnRlIFBvbHlhayA8bGV2ZW50ZUBs
|
||||
ZXZlbnRlcG9seWFrLmRlPokCPgQTAQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwEC
|
||||
HgECF4AFAlSXU9oFCQfATw8ACgkQ/BtUfI2BcsiPxw//X2xUctIrd1O7UOk7LHBX
|
||||
/xI7xXoWQcA7l/1XMuZhM8yC8yIoAgvFrWBP1a29I0P3/yigkQXs+eTDTdvb0QP2
|
||||
q72q7Azt852v5u8+dHzoOXDpbo+4lfX+0OBDWimwJuChD8LQH7b7jO0oqWIV0AzM
|
||||
vegFJVp3cDbyqw08lBz3xZ79A9JtBeewf6PLpXKjEVS8bEAZjZKjsjAY+5ShtJAf
|
||||
PsD8r353dmkaHgC5Aji74ijZeY3PUCvGVVCGeN9isLnRpTEn7qUvN2DfHJU4w6aw
|
||||
sXu7m7zidISo6dQLUzo54dHKWPGFy6INNkzXPOgrlbYnjt7v0Ou21/R6HrhdmsSw
|
||||
lt7GALJcgAUxrcT/ljB3SZhSB0BdH0DXPcUziEdfhgMhhrXYpMjwH2XFBD1MLusW
|
||||
GaVDbpPrSoEnmPVePcDUonDHePcuLjfOl13mOER1Kf6WFapOCa+4HCLakfKcPnGY
|
||||
eyfD7Dbz3/046MmfQ8/Iyf8ipFXN6tI2WkRKj8uq9IFYrX3yoCBxZJN837DM3Grq
|
||||
h48/T3pYU1f9LiekxbsgXmcHoGNdXX5+EsuO+QILZPttlG5QLuqFdJHei77uvW+B
|
||||
4u8mgzi1Zhh0hRLm4K6UaJ/fBJ87BZSHShPKI9PI073U1O/CcYXnb8cdPLu3UgSQ
|
||||
FM/bxT70TSYKI01Dt4KXRfWIRgQQEQIABgUCTrg/KAAKCRC+dA9BPyK7GT9FAJ47
|
||||
X5+0dQaOFkfy3WnMgX3AmIXJYQCfR4XL47rZ9a66jWaD0IbcXMK4oE2JAj4EEwEC
|
||||
ACgFAk64PJ4CGwMFCQIchwAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEPwb
|
||||
VHyNgXLI2U8QAJGKPv1gWLn7P1KeHVsKkfRf+zgdsoY4mF3bUjX/03z1h1OKp+S7
|
||||
gZD/ZI80ckw/ElgFt9sr8J+pOgHk+aGHW+V0cZNgDHXCINb17s+Ra7SA/SWeJOrr
|
||||
d4IpvTnjGc88C/j+bzRFagfnGXU601PeJdXIe6H75xVGIb0DgQBfPB9m+7p3sq/R
|
||||
6UigzLwwhIQRW/l77hq79v5Rm77e0GTfcYHSuKu2Itim8p5OYCNchr4ZpBzrv5cF
|
||||
/nH+HyD0AnM1q4a3mT9y4abNgtxJMGJBoIUEDT5vaTRpPowVHIGg9QroHkrYkMWA
|
||||
ffIBzoq38WLnPjvjNtTncyP7sjbP8KS7NfjxZ6RAcNO6m6BTDYG/lM9jwCcOma90
|
||||
RZDVYD8hy+z1hXWFfB7zB+5TYuuKV5SXZpS9/JUR1BuI44WkY0hLHUa7inpqLlqc
|
||||
b9O7KYikgyaeUKAN5LkF8A7rMVzuhrSItNzJVOs7WLnNAe9+Frzqx/jZ9aU04avS
|
||||
r5OlWLdL7k9JNDnsLFqNtG/XQ7Hc8CPl0HvY3YXYGD3xwW6Ua6+ykxZGmQGPB68W
|
||||
6a7G5EX+MEWKZgMQYsl1HgU49/sOD6QnCG3m2IB7bRAf5Kd527BnSgAaYHjVug8G
|
||||
+X9opDwUW1b73Ut5tWfZJqQ4XBjl0Hc7Zi7OtlqdBeKGu/65QU+N9x33iQI+BBMB
|
||||
AgAoAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCUNol+gUJA/yTqwAKCRD8
|
||||
G1R8jYFyyPv+D/9lA9yMXPBROLaCRab8Ca2QJBEtpT6lGVlkQ5Am2C8xdoLGiuJF
|
||||
E7Cn/lS1j4RSVDK6DELeaBMXaY2g1eun8g2ERJIUGC98zrPjZXs/ZtCZtX8vYr1X
|
||||
Bf9U8Ty6N3rKgt1XHc1oMgzkKLUc72RC+P/fkDsiAg62nVcmOFFykyTXnpM/5Ux/
|
||||
9kaahjf4LwGeRqkDIoLrXdZ7FHPjei8VlKSiHTkl4F+UCzEySxiInV+BWAhL5Lvb
|
||||
zHxHaNDCquOb2zbgafVKON3oa8nCZoUw3iwpjrEy/JT+1BG6vxyT/LX7wPG3SKEw
|
||||
8QTl8YBF8wvHS0JHW4KTc4grCMNWDwfkrlXnp6ZzTpy4JXZfYs/ltR4FH3atDG2C
|
||||
xRCSAWXkGyTPMZkougdDbJ3jjViYcWO6B//LE1qDjeC05O9G3MXVxu16M5U8nVA2
|
||||
B3bo5cVv7+ECBTKaAvG3ZV6eOaeJ63gHRY8qI7y5OgzuNfxUXMTIAjHfO2mvSy5M
|
||||
qFgDI10F8rYevGOKxvPVE1F8aiD1uRAOMCcLTy3oUKHIdaskSytL1D/bT9WqWzii
|
||||
OXhLhSjMzkdPSUWVABeC6KM+Jcll0A0sHTkKWS3mavx3dUacB+O4efuTKNhSvo7n
|
||||
XhUvSOOikRityipE5Ma5WlXBiu54DdIMGFzANHFdb5GmC7da9F1aALkshokCHAQQ
|
||||
AQIABgUCUtgrXgAKCRBH1QFsQv98LMmaD/9W2qJyFlZAsjOWgNQPwUU4vV9/Ursj
|
||||
kt4RI/oS0Gzovw2bmL0a+Q/dp6wM4PBMuYQXCepF8V+o4uKzL2OjVZDVtU/KqGCY
|
||||
rEigiAhG0gHxgF1ukc9JQzhShFeq7/wkY+FQ4MOhuhuUsSMlvFzAd1hY+xlvckol
|
||||
DEeS54loDspUh4EwxsWlopaA1rs5dzVXrYcinz9iDzLj6ujb6uJzCQVogk9w3dv8
|
||||
smKn81TVhtR4RFecqL9mURZcGnj7NV3n2Lrl2Pe0u/DiTtpavCkzVx7v9qiB/2Di
|
||||
dqWR7OtYcywUr6lZeZsNabNwntPxSP7V6EcNXF3Qpi2IkAcwdJKb+aIG1v7/Wx77
|
||||
GhpBhbtdgKEebttzO4EVVeE8a2kmgqc8VXeAeqI89egU53dUdAinejFVDyemxHnJ
|
||||
L4L6uVnSxbk/vRzu+fr6EaPyBsqORGXj2OuwxlWcnWs/N9XzNaiq6funedUSYtbP
|
||||
trdpt7ogvzrQew7wetcwfxSB3IWcVwA9QvGDIBHTWPrb87jKV153w9I+cSfz9jg8
|
||||
qTIOw4qad7VOC4L1oaoRsLq6VFgnoW5DLsuhaVd6fgdY/byL6H5q2FPYJ+F8ovhR
|
||||
2yPlQm8UYIFwmnwzpnuGBaPtU0bP7C+SNMK+G/9+b5q4psh1MnK8sg1RfSr1w7sw
|
||||
b+Tur045QrUDu4kCPgQTAQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AF
|
||||
AlLV0QsFCQXdHmsACgkQ/BtUfI2BcsitRA/7BbFuuAXPJMA4XtPhlYbfhNkYQ7+v
|
||||
vx9HIZ1SgJfhpYwt/vbNTVclO79XD65v5JSWx+0gVJfHNolP5umB0++giIw9NCIx
|
||||
uVa5eh3kS5NFfJ0YHrYgpFDdZPHRA9wI+oZgJBC/Cm40kafgTUoPFqXb0Sdlcz3R
|
||||
hciLZBgYXV/uYubczfmAaJpmrVI1UuUWYrdPnmUkgitp9e6IePYiKVDeIGhBW8Bc
|
||||
7Nbs2hc9yH1zwv3Affs8m+4tQQiwQHsB29WEZcmBuFllTbA5g5bvTvhfCRmYVgWC
|
||||
Ti4SW+uA0B05a/aVP8fDXk82qCQ4cRB1BOwVNn+1/Aqcw+Zh8KKzH8gpPcsKGGP6
|
||||
uNg9uinuxYDneEY8cG7FSpm3XsXu4q4N6j5R63U6hz39pY/5Ib8mzYMEoLEZOLPu
|
||||
CkVH9OOQc8zuiRL/wGc0pbMiGPEp13rAI0WbIFahrWS60bwtM1YEM5Ep8vD3TLl1
|
||||
pTWlF/zWpM/uJ6n/4nDXGQsGzKQn5D5Nsu7+55C0du0d1VRvYd8oG3AaNqhtM46V
|
||||
C4eOqxH8XZtkJ3WMxhsHnV9acuDTpn5E5JKL7vEq0btN2UQ69lpKv7PmV/TgOJhf
|
||||
KKvHZ0dh6KYY7iKW7NUCouLGibBoxDa+K4reh0i0M5UcsNiPkCqDIHUAIxW6FrvQ
|
||||
xBr7NgCls+B9Kwu0JExldmVudGUgUG9seWFrIDxaM3IwLjB4MDBAZ21haWwuY29t
|
||||
PokCPgQTAQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAlSXU9oFCQfA
|
||||
Tw8ACgkQ/BtUfI2Bcsg4cw/5Af5/cxr5s8qiPvcGDglJyzFj8VBk0d7hpgdxcOi3
|
||||
VCOJY4YRoliu8WKThwxt7sD03fSZurFDDx+X27y3zPtgH/qBohmcr51jbSNom4mH
|
||||
Gf8gpViFqbQlFh7tYz4kSQExgmpFx/FIaxmwFoEqiVrp6VpM2DZ6kg//4M+Ka2Mt
|
||||
nuzV3C631A0eoMCJhPWPTgkGGknURvzhw6m2aGFWC/HE1yzf7Ej7fQeaqIxIG4Wy
|
||||
Fk3lMV9rxMxGuUZTqIhvcU85JSriHowfX1VsAI2LXJYQ9c0jI737FcLwHv8VCa5s
|
||||
NKDkLkb5S83/4Ep8e9M+a7u4WvkAqzmPfSna7bLxdsTS5gKGqEtMvMP2YGWWQxSR
|
||||
GRSttiMmIC8Cnd45S8cASA2mR/ebNcrYOpa48cjYpBKDG2BIYU7oSLNulsM1qbxL
|
||||
WJ0QM/g7iKHcrXhyIBaI22GS9hvmYcS960cox9oPCvNZcOKA6FBklnUg/ReJ3JTj
|
||||
6D6v9SUxOOfXPQIon8EzB7BNKGedHxCFgniZnl10k+pP34YGyphMZTYGdhtAm6zq
|
||||
T7PlraHQaFgQ3ba78lJcn3cWVZYpbCNJiH+Nna/Akm3/qQKTst3eW1lqopffCs1m
|
||||
F6G6wjiHCw2bio5uX1c/gDr4Peh0E28heAqKopjultPXPZbSZL4D3fJIGP2j6e1B
|
||||
wvmIRgQQEQIABgUCTrg/KAAKCRC+dA9BPyK7GcYrAKCgKW+qFwbMNeh4ikFg9fJx
|
||||
4/lH9wCdGevT7dwBzPe6L+aWZxipEXYmjx6JAj4EEwECACgFAk64PN0CGwMFCQIc
|
||||
hwAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEPwbVHyNgXLIThYP/AnoLpQl
|
||||
whEEKaIhOSOKXegfdUHK6cL4cHRACzRIbBk/S4G2Vg/bnUW8tvWZDQLZ3CGL8Z0F
|
||||
tNQ6GusUxt7mcYdSj7xynbi7bZiurgYp7B7hh1hVG3pAXEwlDnJgfoc0YZHrHZwt
|
||||
HnNVYOfGEQF4zyplmUUxDyp/ZMYcXMr3PVJkYBJhYKCHOkMUtzzNjSSginaqZY1p
|
||||
fgbP+Gou/9qgotkYiH84oUG9yTSKLIO5x0WzQYuoPNJyOdSHaLPfEqCC435vCYT5
|
||||
YLZB1YI5xzQiGsAL//cUCe267oiFmO9Ioky/azeX1Ouy2DH8uEDQPQFTJYXt3CbL
|
||||
i10HkoBWdmncPC6+b0IJjDUo8Iv4yk0xFt2/DGkGK3h6jJxJ9pzx5KBT46iLfU50
|
||||
iTWMTguXn9ud/UJV0MpKgKjvO9hB4fae60n2UootknzEw6Y5W55PfGkT14WcrGGo
|
||||
WHLSbpR6+gA9apU1cdoOC8nXlf3Eb2No6LP3X7RJXqiRsdP0s6QXkZGfR/qyNXI9
|
||||
S5j6wIyqNFU0cX21UgI9oJSKEKIKEFacgyD9za0gswEI+DZr8/p3cJE89ZX8ySgO
|
||||
FG148wgaakTNGyGwR6aogGZ8IAHc83bnwGCgTeK6ZPSKNLSE/sImcTOrxIN1/x39
|
||||
r8o0TxuZjqFH+zKWfpdHX+sJLyi8Gs29CsUhiQI+BBMBAgAoAhsDBgsJCAcDAgYV
|
||||
CAIJCgsEFgIDAQIeAQIXgAUCUNol+gUJA/yTqwAKCRD8G1R8jYFyyLl/EACG6QRV
|
||||
kKVBoI2Ycr4UISk2+gCD2r4xSK/QLEhDFcZRgMctvPVnhod3uJOsMGJCk3aPGu91
|
||||
Jtwuj0CkeURa/cVzOjC+f7baveTuWQaAqW+r70m6F4gYHU0aDD/uQ75rTCcrsmt2
|
||||
pnZCyA9jLJxQGG11AvbOcV+7K7BuIvXs4iAactZ0hRvDVuGXuup2LnUbxyBU2oj7
|
||||
OWCXKTpZcJ0KGTWapMf8ClYYsEgS0wvMWotJzAov7ijkoP2DyEQVOPTnGWcfjsTk
|
||||
QgbyqiFeBl+3IT4+xSzkPsd75dCYhsHBvCoT8cfUH4wvDXzU2CwpC1CDfHit6Hw5
|
||||
UigvZ8HXyn00Bm0UjLHGW+haS3kyOoz+z09gVFYd33cpjSnFr5is8ZMBPW31PE15
|
||||
q9/l6G/o6OGJCtOax3Yi6ttqn+KbDXIooZoRPZlayOSghyjoD40+ErevmqZPfJ3E
|
||||
o1kHz62B1YpoXmhUm2Ihf2SbjWJRaW9Hp2nd81kAAXjr+8k4yvOuHxwYPFnpBjfV
|
||||
cfYNQ3Zf5xF4nfszFuZMc5JYrIR3EYVgEk+n8VpulAqd0rXUEODwGy7rPjdxLY7w
|
||||
DhUEZMQN3xweIb4vjPDBb0Ax3ACyfWKIdT0kC3rGOy9xyCzxWO2CjHMjrbxy4jL7
|
||||
B0WIQ5fpRcV2+wozs2WYgJKVKJgJZGYsW8dDLYkCHAQQAQIABgUCUtgrXgAKCRBH
|
||||
1QFsQv98LIX0EADVefJUEMGKiTFLwUmWNF2X4oCzEZEMsQ6NliiQFvtNkKrT+OzZ
|
||||
zggxfINUr0XEKgjjoGZ03Hmm7xAFc1Y51QZEr25H18PuSixz2YSHPqYwwVgLUh0v
|
||||
u2AqaP0mQckssK+ZAQVvoZ7ZOI22ZXIZ6CPEPY6aJawHov8Strlm8oTbFgLfZ5Wo
|
||||
3NCxMkkq3NFNHuwesccelNPefgnFZWhwr1mkUeX+rCAbQF/QHYEAi7KjfKyY+XKs
|
||||
ccjYS+RWxpte21ejngp7pRYli3M8cZoaWKCzLTrD8gKztlo3op9Zc2+hjOY9gZtG
|
||||
CaXkN8lchJ1yMyWju61ZO++AJq6S2OdBVxgsj9xPm+x91RbZRHQmUuq8mefUzaEm
|
||||
NHE29udVFfuV//Fpabi04IrOuabkrSvP27eX9FT1y25tKFHuJdL5fDUFGnNnTvcR
|
||||
X51lJmvnuIKJQ+Lthup7npS0L06+dPIDoqyxF8hmdu3RtwEsvkboPaxx5XTB5d8y
|
||||
3wzBFWd4ePwBIumrY1YHSzdJCvyyLRXZbSOsHXgZfhfQ1LVgxxebP7E+stWqGLLC
|
||||
Fry0WGG8f/UUgVr1QpluT6NjioUnuI/ZmKR/aKewqVYWAnr54fF+np4VdxPfYwci
|
||||
lpbXpkamORZqPfq/nyoWgnp+y4AptDdDkSWnFxfcJ1wnFFcrHVUSFQ1wBYkCPgQT
|
||||
AQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAlLV0QsFCQXdHmsACgkQ
|
||||
/BtUfI2BcsjV6w/9Fe1+3Mc6wG3R9VbxiYo13/JV4t+tA9/tcJ1R/Y96eAqVajoK
|
||||
c2ZQ7FrimmlzvLIvxpH4Z76h3NmPWfOQ6qEumZQ5BM3QwBfQQ3Tmj10gfiL5vOZJ
|
||||
6dUaJjwXgjz0Qyk1G3gw7K1xmtnXgBPyGT9T9q3OAhHHdV2b6xS9dWoNKhUV8GUn
|
||||
HfIKwq+87aZqexjFE7ubZdOAe+5nrqnlMEfJKgDjXbazES9IYvPQiSjwR3xaIPOa
|
||||
ma5WfQV0SHg3Vkhtv2PjuoYWNfNy17N7u+dfg7nAtKLIQCPht45uKk66BYWYBoDI
|
||||
VQfg6zcFLpdNcFzzwmgrYRZvEvBf5aSG3KFD7UReT0695/lHheRxEAA3thsx8gaM
|
||||
CCavtVxbVUluEfYZ7TgXLMuIO9OBKhi7MwB3iL5qacrNShMB+1J5FxieJBmWXdla
|
||||
+kCdCdS+9kIZH+mnQ8daGEJ5R9mNcVwcWasI0o9NObqIZwhKw4obrC5Q7m2NfXL6
|
||||
FUScfA7yn7+/icdQB9fH2ZXGJVuNm1b8OBN6Nbz0QauaCystWzKXKwpVb/5M623v
|
||||
Vw75RfnqCFiAf4tX58nL/QalJc4C0E+TvQ2pXC47VQvHmiAB31vKvU0nbo+lzi64
|
||||
hAPWJnhr2pmTvglquTFzLwEsWfO4zDtUwFo8KM1XFsonaoX5UzGTXPmIN5+0J0xl
|
||||
dmVudGUgUG9seWFrIDxhbnRocmF4eEBhcmNobGludXgub3JnPokCPwQTAQIAKQIb
|
||||
AwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheABQJUl1PbBQkHwE8PAAoJEPwbVHyN
|
||||
gXLIdGAP/0ch1NeFyXWszqA5ow+itBn6iyUaplXB5I56Q77cTIFB6LqJ5+2kdUuO
|
||||
UqPvOilGS3dxbyDsSdWDLs+bHRFG4uqZyGUDhmu2mvS+uDqPFwcKJUNDlgdccxph
|
||||
sA5HJFGg1ca0TWWg8vjwANdU4sL9Ujbaw93v0Mx/1+aSIxyEJBNxc6DJWEfCjpSy
|
||||
R9JB8WTHgvxEAImVNsT1OGNTvd2DN+17WBhxBktLHDocIGJ/fttzFgKkv6NTPwt+
|
||||
y4QyP3UgeYRZR21B6MVckk2/UuCuCY7gAGruTFVoINa/Wqn2YPPZhJYrTX7ysDaV
|
||||
QLObxlepeo0UWC7wFEiuqu5OM75MWLUX8j/1OAIE6my85vrlcWSf0Z3jOAgPTjJw
|
||||
VT5h7T/7NPP2azoIlOE2bh5UcKXFkT0xDYPcMr2hV2Ih+jU+Ygiyg/1yIIxearmm
|
||||
PFjfIHMLepa+7RPtTlHwu4fpNPXzL13W6PXSoCTTi/suGlYmSyLtOwxq15GGT3vg
|
||||
1Xh8wfkuWwbWJnBKXtt8HkteQRgDngDnRSJwsO2nnQ7+sr+F8J3rQDdlVdVcolic
|
||||
ekup8ZgSjJYinfcpF+H+qy2kK2jOYyyHI/+zHQtwy1R7MbLwPJe7WNWrBmEvmazB
|
||||
2//Iu5EVIfFX3flPjeRQbKX4B/SuXF48uo0/8WfdgaMW8glRWJnbiQI/BBMBAgAp
|
||||
BQJUSwOnAhsDBQkF3R5rBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQ/BtU
|
||||
fI2Bcsj5ihAAg0d0A8OUsNWG7TiPQTuC/D4e/5JTkJARmQ5xO6gMPxTpjSZCyWEl
|
||||
7gQOg/liU8nz5HZGaJgg4HuBwTs6euqdnVi6zhW1c1wye2thGTQ7DeSPJnhju3Qe
|
||||
mPS1jEdC34lXCo6eGjdKnGb7TV7hkptHKHh7XCU9n6qcXQ2cNQQbdqSCRsfVm1XD
|
||||
+p+mM/FGOz8uFOrhERAUl99WkVZ4NKTdws8U6FXulbdWrWwI4eRggIdwI/Tl7zuy
|
||||
ja7KxBCCeJ/gFY6g+iOYmIo6//bJITgmAG60hFHJ9JigcN6xglYFI28TCdNqM0+C
|
||||
hgbZUner0vLmaxRNoXqV9Xw8ihNMQa7fUFYkX8VrXOdLdVvee7OaeLuWWE8x6usQ
|
||||
NzgLDQQx9fmxtrQY+dC6Y25IPMm094z0nrbM1wtfG2+8Vw4mQ2U099fT5t3Yl7fE
|
||||
PlanhgQxRZE78PxezyYxms4HV+wqvrhlBzFnWAd6H27uDPfUfO9cLgbmFTUlwFhg
|
||||
gsDeIFRFx8+h4/0xAIPqUODmTiN0mj5sLRW7zvqZW6zhsGIMdPd+IkhHiGjeJqme
|
||||
Ai0iOjpV3tRteoW51/+/ajPmyUBbvOxiFJNADHH2NvqoBMU1pkTvpc7Wy+2J9VcF
|
||||
4TFdWBbwjU8BoC3ZgixTrT0zCSwabnKriglOhA5Ik/n5HsR7S76V13y0KExldmVu
|
||||
dGUgUG9seWFrIDxhbnRocmF4eEBoYW1idXJnLmNjYy5kZT6JAj0EEwEIACcFAlSX
|
||||
VHICGwMFCQfATw8FCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQ/BtUfI2Bcsia
|
||||
Wg//SKLFNUTEBQG11cV/AljxmI2s8y+cPKs3VqlwEjiuRMu4DRkFVaZNEuPq0b8q
|
||||
8pwcHIJ5/nZvOticm9M/g7TrTp3pOxmSYf7WG31vVrprig22dz8WxQAy76srNn1z
|
||||
stg0TFO7nKNVjZOFz5D0RpWazwnXyDed3l2/7RZ1CMv7ue/rZez8FnDHN7Di3daX
|
||||
AJ5XkvDAsD6AITYQd+4XEbh2rt9p8G6qUUjwzoVU/aGVgo1CGZydYMJQVccNL7kv
|
||||
fumnwkAED8u9j0ZI+xfaD3c1rP98bnqk9u8rJPCAeIkA4ppisDb7noz0NaO7dDyM
|
||||
ywBK4OR478fw5h7GfiIwZdVAHkCoEHNvF1ON8JnYgyplLvZvxZ0dtYGDYDiFdORN
|
||||
gVgGMU12kemPws4hEx3WMgUu/BBkF58XyQyqcwt7q+WGI2lQ88UzZ/FAsu8i8r/J
|
||||
jkV8FsiCJ2rSHEMddmOHoaTM+6oB2i9kZo7KmToSZu7DxuemlHpuOO3kG/iRga2y
|
||||
NeancRJwbxgZhNGBbhrA/7k5UOcXkmfW74oBkbCci0ncVhHu12dsJXhk+eprkOXv
|
||||
nD1vEIeuzL4V/SMDar3SxFlfLFwQk4cn9+pdeP3LxwHKBn74pABsbEBhEY4IjUEL
|
||||
YOTEVoP6s+Ou1NcLxFl3elmniwL2+GV5rDM8pctkKNemtZa5Ag0ETrg4RQEQALfu
|
||||
qEihKS+DTVlWUujzSq5zK/5oQ1ZL8AiTUTZuVtrRWCq0HE8tWaVxEP3Vt9FCo7yF
|
||||
afXigokChzHOgzczg80tctrlv+vbFyaZnjGQH20Nlz8EnZP102zudx/RdFXG/up8
|
||||
PX50Eck2lH+IvvosMLdvrZTkFJ4SgqMGSoAgMhJHZdZB5N0y8yPPAjcEnSXp8L2A
|
||||
mo9e0egCrEuqBrCZld00nIoipyDlYNZkLjPf0JRgFPO/AWWgBZLvLlteLu0emq8N
|
||||
96bT3QTdXpRVPM0qeX94+2gIj+0V1uQ9+k5Xkslbbii9TnOzMnLRO6dBAONVTTb3
|
||||
ajzdXK71iv2a8Y9lKShxhYWP9JNOFlXkAp+ZoD7EZex4dgu6giV3PrTDJLyWSu41
|
||||
WfqOz6cJGpJSTacrenC542ynAaSVKXH+1plqB9kq/M7HtE/P4GveQXIVT9Sho394
|
||||
4hwkuETo20KwCgFPMmiNaBysnOykIcDsDutBOyygdovzdGEyHVsM8/kz007QFgJf
|
||||
hKy91H6O/Cg7VH+yaUKllRZ+kFsoSy8/E0IqLzqBHG3sUGM6lJ0Q9fgSnpzIZsdE
|
||||
jRhczNCvlovGLa/kBHcEUWQ2zrjnfjsLkxvamKJ8N6LLIXIDRv5dE2smpdi3oiVg
|
||||
XdOKshyXB+obhRFlWtirK4udX5yYzUpcB0zBoo1hABEBAAGJAiUEGAECAA8CGwwF
|
||||
AlSXVAEFCQfATzwACgkQ/BtUfI2Bcsj0Tw//dyDYwcnh0BIb+nDCXFC91KiPUILa
|
||||
f+wI5w6c9YYEo6TR89q6Wsq8EDiqcqSJcztuNvw3MZGHWA25nNB/0046CGM/tUBd
|
||||
Jyudd3TxQBi6XMMSTbG1EMtSN1UMV4guuUfYcAGW38oZ+YJACCBFFz/Kt0aa/hhi
|
||||
/hBNyvI73vZfQ/fsScFDewkxikUEspRsLVmX6gaEmumOxOhJP3HBoxeBCM4Z3IXo
|
||||
dON2SiiMxt9BPIPJOyKNkFQGQ3dqJIag3GnsZ1s0CEoi8iqF7uS4RjC7uOJtvn74
|
||||
CODxg1Ibl1IweyAuBEA80wUh9DGLAdRJpxWy1B2fDhIROvpcg0R5p6j9UX0b0esc
|
||||
jKLQEiE1wRswjXhWpZhe7Pjl38KhwqMyaeR3OnDtP7JXazIG6HiBIp4cx4k5A2TT
|
||||
X+LhvG3NHCeuxIyjLTRTWgv241kf7uAu+qgjHDSKXQqpjvo+cUYQgSxQZZXnmlz0
|
||||
sz/tEeiWl+i8kW/RNKQvNNR8ghWDW3YRak/zS+WFNoLZchecIzMj+je1vSg411o4
|
||||
Xd3LHDur6boCetaq7ZkqoS+NcX9n8MnKhHKYJblvXyc1h67s90+wSwhlumA8WqlM
|
||||
yqn99m13aF8GuGZbw5B2/x/Cd7WW5wZV6ioola/yqDXB1XtDFBy2Hxr/VMRlE3Cu
|
||||
kekzzVjVTZxOgZE=
|
||||
=yRuG
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
@@ -1,112 +0,0 @@
|
||||
# Based on recommendations from:
|
||||
# https://kspp.github.io/Recommended_Settings
|
||||
# https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project
|
||||
#
|
||||
# Dangerous features that can be permanently (for the boot session) disabled at
|
||||
# boot via sysctl or kernel cmdline are left enabled here, for improved
|
||||
# flexibility.
|
||||
#
|
||||
{
|
||||
stdenv,
|
||||
lib,
|
||||
version,
|
||||
}:
|
||||
|
||||
with lib.kernel;
|
||||
with (lib.kernel.whenHelpers version);
|
||||
|
||||
assert (lib.versionAtLeast version "4.9");
|
||||
|
||||
{
|
||||
# Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n
|
||||
# conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
|
||||
# implicitly marks LSM hooks read-only after init.
|
||||
#
|
||||
# SELinux can only be disabled at boot via selinux=0
|
||||
#
|
||||
# We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the
|
||||
# config builder fails to detect that it has indeed been unset.
|
||||
SECURITY_SELINUX_DISABLE = whenOlder "6.4" no; # On 6.4: error: unused option: SECURITY_SELINUX_DISABLE
|
||||
SECURITY_WRITABLE_HOOKS = whenOlder "6.4" no;
|
||||
|
||||
# Perform additional validation of commonly targeted structures.
|
||||
DEBUG_CREDENTIALS = whenOlder "6.6" yes;
|
||||
DEBUG_NOTIFIERS = yes;
|
||||
DEBUG_PI_LIST = whenOlder "5.2" yes; # doesn't BUG()
|
||||
DEBUG_PLIST = whenAtLeast "5.2" yes;
|
||||
DEBUG_SG = yes;
|
||||
DEBUG_VIRTUAL = yes;
|
||||
SCHED_STACK_END_CHECK = yes;
|
||||
|
||||
REFCOUNT_FULL = whenOlder "5.4.208" yes;
|
||||
|
||||
# tell EFI to wipe memory during reset
|
||||
# https://lwn.net/Articles/730006/
|
||||
RESET_ATTACK_MITIGATION = yes;
|
||||
|
||||
# restricts loading of line disciplines via TIOCSETD ioctl to CAP_SYS_MODULE
|
||||
CONFIG_LDISC_AUTOLOAD = option no;
|
||||
|
||||
# Wipe higher-level memory allocations on free() with page_poison=1
|
||||
PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;
|
||||
PAGE_POISONING_ZERO = whenOlder "5.11" yes;
|
||||
|
||||
# Enable init_on_free by default
|
||||
INIT_ON_FREE_DEFAULT_ON = whenAtLeast "5.3" yes;
|
||||
|
||||
# Initialize all stack variables on function entry
|
||||
INIT_STACK_ALL_ZERO = yes;
|
||||
|
||||
# Wipe all caller-used registers on exit from a function
|
||||
ZERO_CALL_USED_REGS = whenAtLeast "5.15" yes;
|
||||
|
||||
# Enable the SafeSetId LSM
|
||||
SECURITY_SAFESETID = whenAtLeast "5.1" yes;
|
||||
|
||||
# Reboot devices immediately if kernel experiences an Oops.
|
||||
PANIC_TIMEOUT = freeform "-1";
|
||||
|
||||
GCC_PLUGINS = yes; # Enable gcc plugin options
|
||||
|
||||
GCC_PLUGIN_STACKLEAK = whenAtLeast "4.20" yes; # A port of the PaX stackleak plugin
|
||||
GCC_PLUGIN_RANDSTRUCT = whenOlder "5.19" yes; # A port of the PaX randstruct plugin
|
||||
GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenOlder "5.19" yes;
|
||||
|
||||
# Runtime undefined behaviour checks
|
||||
# https://www.kernel.org/doc/html/latest/dev-tools/ubsan.html
|
||||
# https://developers.redhat.com/blog/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan
|
||||
UBSAN = yes;
|
||||
UBSAN_TRAP = whenAtLeast "5.7" yes;
|
||||
UBSAN_BOUNDS = whenAtLeast "5.7" yes;
|
||||
UBSAN_SANITIZE_ALL = whenOlder "6.9" yes;
|
||||
UBSAN_LOCAL_BOUNDS = option yes; # clang only
|
||||
CFI_CLANG = option yes; # clang only Control Flow Integrity since 6.1
|
||||
|
||||
# Disable various dangerous settings
|
||||
ACPI_CUSTOM_METHOD = whenOlder "6.9" no; # Allows writing directly to physical memory
|
||||
PROC_KCORE = no; # Exposes kernel text image layout
|
||||
INET_DIAG = no; # Has been used for heap based attacks in the past
|
||||
|
||||
# INET_DIAG=n causes the following options to not exist anymore, but since they are defined in common-config.nix,
|
||||
# make them optional
|
||||
INET_DIAG_DESTROY = option no;
|
||||
INET_RAW_DIAG = option no;
|
||||
INET_TCP_DIAG = option no;
|
||||
INET_UDP_DIAG = option no;
|
||||
INET_MPTCP_DIAG = option no;
|
||||
|
||||
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
|
||||
CC_STACKPROTECTOR_REGULAR = lib.mkForce (whenOlder "4.18" no);
|
||||
CC_STACKPROTECTOR_STRONG = whenOlder "4.18" yes;
|
||||
|
||||
# CONFIG_DEVMEM=n causes these to not exist anymore.
|
||||
STRICT_DEVMEM = option no;
|
||||
IO_STRICT_DEVMEM = option no;
|
||||
|
||||
# stricter IOMMU TLB invalidation
|
||||
IOMMU_DEFAULT_DMA_STRICT = option yes;
|
||||
IOMMU_DEFAULT_DMA_LAZY = option no;
|
||||
|
||||
# not needed for less than a decade old glibc versions
|
||||
LEGACY_VSYSCALL_NONE = lib.mkIf stdenv.hostPlatform.isx86 yes;
|
||||
}
|
||||
@@ -1,12 +0,0 @@
|
||||
{
|
||||
"6.12": {
|
||||
"patch": {
|
||||
"extra": "-hardened1",
|
||||
"name": "linux-hardened-v6.12.69-hardened1.patch",
|
||||
"sha256": "15zgha5qvn8a6ibx4b8mn5bwsm9z4xnpx3kz49ncpnk3iagcr2vw",
|
||||
"url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.12.69-hardened1/linux-hardened-v6.12.69-hardened1.patch"
|
||||
},
|
||||
"sha256": "0rbnbynhm7w4ig8snq97px4ljr5k4zq1a97jqhwk4w0qy9bkcjab",
|
||||
"version": "6.12.69"
|
||||
}
|
||||
}
|
||||
@@ -1,301 +0,0 @@
|
||||
#! /usr/bin/env nix-shell
|
||||
#! nix-shell -i python -p "python3.withPackages (ps: [ps.pygithub ps.packaging])" git gnupg
|
||||
|
||||
# This is automatically called by ../update.sh.
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import json
|
||||
import os
|
||||
import re
|
||||
import subprocess
|
||||
import sys
|
||||
from dataclasses import dataclass
|
||||
from pathlib import Path
|
||||
from tempfile import TemporaryDirectory
|
||||
from typing import (
|
||||
Dict,
|
||||
Iterator,
|
||||
List,
|
||||
Optional,
|
||||
Sequence,
|
||||
Tuple,
|
||||
TypedDict,
|
||||
Union,
|
||||
)
|
||||
|
||||
from github import Github
|
||||
from github.GitRelease import GitRelease
|
||||
|
||||
from packaging.version import parse as parse_version, Version
|
||||
|
||||
VersionComponent = Union[int, str]
|
||||
Version = List[VersionComponent]
|
||||
|
||||
|
||||
PatchData = TypedDict("PatchData", {"name": str, "url": str, "sha256": str, "extra": str})
|
||||
Patch = TypedDict("Patch", {
|
||||
"patch": PatchData,
|
||||
"version": str,
|
||||
"sha256": str,
|
||||
})
|
||||
|
||||
|
||||
def read_min_kernel_branch() -> List[str]:
|
||||
with open(NIXPKGS_KERNEL_PATH / "kernels-org.json") as f:
|
||||
return list(parse_version(sorted(json.load(f).keys())[0]).release)
|
||||
|
||||
|
||||
@dataclass
|
||||
class ReleaseInfo:
|
||||
version: Version
|
||||
release: GitRelease
|
||||
|
||||
|
||||
HERE = Path(__file__).resolve().parent
|
||||
NIXPKGS_KERNEL_PATH = HERE.parent
|
||||
NIXPKGS_PATH = HERE.parents[4]
|
||||
HARDENED_GITHUB_REPO = "anthraxx/linux-hardened"
|
||||
HARDENED_TRUSTED_KEY = HERE / "anthraxx.asc"
|
||||
HARDENED_PATCHES_PATH = HERE / "patches.json"
|
||||
MIN_KERNEL_VERSION: Version = read_min_kernel_branch()
|
||||
|
||||
|
||||
def run(*args: Union[str, Path]) -> subprocess.CompletedProcess[bytes]:
|
||||
try:
|
||||
return subprocess.run(
|
||||
args,
|
||||
check=True,
|
||||
stdout=subprocess.PIPE,
|
||||
stderr=subprocess.PIPE,
|
||||
encoding="utf-8",
|
||||
)
|
||||
except subprocess.CalledProcessError as err:
|
||||
print(
|
||||
f"error: `{err.cmd}` failed unexpectedly\n"
|
||||
f"status code: {err.returncode}\n"
|
||||
f"stdout:\n{err.stdout.strip()}\n"
|
||||
f"stderr:\n{err.stderr.strip()}",
|
||||
file=sys.stderr,
|
||||
)
|
||||
sys.exit(1)
|
||||
|
||||
|
||||
def nix_prefetch_url(url: str) -> Tuple[str, Path]:
|
||||
output = run("nix-prefetch-url", "--print-path", url).stdout
|
||||
sha256, path = output.strip().split("\n")
|
||||
return sha256, Path(path)
|
||||
|
||||
|
||||
def verify_openpgp_signature(
|
||||
*, name: str, trusted_key: Path, sig_path: Path, data_path: Path,
|
||||
) -> bool:
|
||||
with TemporaryDirectory(suffix=".nixpkgs-gnupg-home") as gnupg_home_str:
|
||||
gnupg_home = Path(gnupg_home_str)
|
||||
run("gpg", "--homedir", gnupg_home, "--import", trusted_key)
|
||||
keyring = gnupg_home / "pubring.kbx"
|
||||
try:
|
||||
subprocess.run(
|
||||
("gpgv", "--keyring", keyring, sig_path, data_path),
|
||||
check=True,
|
||||
stderr=subprocess.PIPE,
|
||||
encoding="utf-8",
|
||||
)
|
||||
return True
|
||||
except subprocess.CalledProcessError as err:
|
||||
print(
|
||||
f"error: signature for {name} failed to verify!",
|
||||
file=sys.stderr,
|
||||
)
|
||||
print(err.stderr, file=sys.stderr, end="")
|
||||
return False
|
||||
|
||||
|
||||
def fetch_patch(*, name: str, release_info: ReleaseInfo) -> Optional[Patch]:
|
||||
release = release_info.release
|
||||
extra = f'-{release_info.version[-1]}'
|
||||
|
||||
def find_asset(filename: str) -> str:
|
||||
try:
|
||||
it: Iterator[str] = (
|
||||
asset.browser_download_url
|
||||
for asset in release.get_assets()
|
||||
if asset.name == filename
|
||||
)
|
||||
return next(it)
|
||||
except StopIteration:
|
||||
raise KeyError(filename)
|
||||
|
||||
patch_filename = f"{name}.patch"
|
||||
try:
|
||||
patch_url = find_asset(patch_filename)
|
||||
sig_url = find_asset(patch_filename + ".sig")
|
||||
except KeyError:
|
||||
print(f"error: {patch_filename}{{,.sig}} not present", file=sys.stderr)
|
||||
return None
|
||||
|
||||
sha256, patch_path = nix_prefetch_url(patch_url)
|
||||
_, sig_path = nix_prefetch_url(sig_url)
|
||||
sig_ok = verify_openpgp_signature(
|
||||
name=name,
|
||||
trusted_key=HARDENED_TRUSTED_KEY,
|
||||
sig_path=sig_path,
|
||||
data_path=patch_path,
|
||||
)
|
||||
if not sig_ok:
|
||||
return None
|
||||
|
||||
kernel_ver = re.sub(r"v?(.*)(-hardened[\d]+)$", r'\1', release_info.release.tag_name)
|
||||
major = kernel_ver.split('.')[0]
|
||||
sha256_kernel, _ = nix_prefetch_url(f"mirror://kernel/linux/kernel/v{major}.x/linux-{kernel_ver}.tar.xz")
|
||||
|
||||
return Patch(
|
||||
patch=PatchData(name=patch_filename, url=patch_url, sha256=sha256, extra=extra),
|
||||
version=kernel_ver,
|
||||
sha256=sha256_kernel
|
||||
)
|
||||
|
||||
|
||||
def normalize_kernel_version(version_str: str) -> list[str|int]:
|
||||
# There have been two variants v6.10[..] and 6.10[..], drop the v
|
||||
version_str_without_v = version_str[1:] if not version_str[0].isdigit() else version_str
|
||||
|
||||
version: list[str|int] = []
|
||||
|
||||
for component in re.split(r'\.|\-', version_str_without_v):
|
||||
try:
|
||||
version.append(int(component))
|
||||
except ValueError:
|
||||
version.append(component)
|
||||
return version
|
||||
|
||||
|
||||
def version_string(version: Version) -> str:
|
||||
return ".".join(str(component) for component in version)
|
||||
|
||||
|
||||
def major_kernel_version_key(kernel_version: list[int|str]) -> str:
|
||||
return version_string(kernel_version[:-1])
|
||||
|
||||
|
||||
def commit_patches(*, kernel_key: Version, message: str) -> None:
|
||||
new_patches_path = HARDENED_PATCHES_PATH.with_suffix(".new")
|
||||
with open(new_patches_path, "w") as new_patches_file:
|
||||
json.dump(patch_json, new_patches_file, indent=4, sort_keys=True)
|
||||
new_patches_file.write("\n")
|
||||
os.rename(new_patches_path, HARDENED_PATCHES_PATH)
|
||||
message = f"linux/hardened/patches/{kernel_key}: {message}"
|
||||
print(message)
|
||||
if os.environ.get("COMMIT"):
|
||||
run(
|
||||
"git",
|
||||
"-C",
|
||||
NIXPKGS_PATH,
|
||||
"commit",
|
||||
f"--message={message}",
|
||||
HARDENED_PATCHES_PATH,
|
||||
)
|
||||
|
||||
|
||||
# Load the existing patches.
|
||||
with open(HARDENED_PATCHES_PATH) as patches_file:
|
||||
patch_json = json.load(patches_file)
|
||||
patch_versions = set([parse_version(k) for k in patch_json.keys()])
|
||||
|
||||
with open(NIXPKGS_KERNEL_PATH / "kernels-org.json") as kernel_versions_json:
|
||||
kernel_versions = json.load(kernel_versions_json)
|
||||
|
||||
kernels = {
|
||||
parse_version(version): meta
|
||||
for version, meta in kernel_versions.items()
|
||||
if version != "testing"
|
||||
}
|
||||
|
||||
latest_lts = sorted(ver for ver, meta in kernels.items() if meta.get("lts", False))[-1]
|
||||
keys = sorted(kernels.keys())
|
||||
latest_release = keys[-1]
|
||||
fallback = keys[-2]
|
||||
|
||||
g = Github(os.environ.get("GITHUB_TOKEN"))
|
||||
repo = g.get_repo(HARDENED_GITHUB_REPO)
|
||||
failures = False
|
||||
|
||||
all_candidates = set([latest_lts, latest_release, fallback])
|
||||
kernels_to_package = {}
|
||||
for release in repo.get_releases()[:30]:
|
||||
version = normalize_kernel_version(release.tag_name)
|
||||
# needs to look like e.g. 5.6.3-hardened1
|
||||
if len(version) < 4:
|
||||
continue
|
||||
|
||||
if not (isinstance(version[-2], int)):
|
||||
continue
|
||||
|
||||
kernel_version = version[:-1]
|
||||
kernel_key = parse_version(major_kernel_version_key(kernel_version))
|
||||
|
||||
if kernel_key not in all_candidates:
|
||||
continue
|
||||
|
||||
try:
|
||||
found = kernels_to_package[kernel_key]
|
||||
if found.version > version:
|
||||
continue
|
||||
except KeyError:
|
||||
pass
|
||||
|
||||
kernels_to_package[kernel_key] = ReleaseInfo(version=version, release=release)
|
||||
|
||||
if latest_release in kernels_to_package:
|
||||
if fallback != latest_lts:
|
||||
del kernels_to_package[fallback]
|
||||
kernel_versions = set([latest_lts, latest_release])
|
||||
else:
|
||||
kernel_versions = set([latest_lts, fallback])
|
||||
|
||||
# Remove patches for unpackaged kernel versions.
|
||||
removals = False
|
||||
for kernel_key in sorted(patch_versions - kernels_to_package.keys()):
|
||||
del patch_json[str(kernel_key)]
|
||||
removals = True
|
||||
commit_patches(kernel_key=kernel_key, message="remove")
|
||||
|
||||
# Update hardened-patches.json for each release.
|
||||
for kernel_key in sorted(kernels_to_package.keys()):
|
||||
release_info = kernels_to_package[kernel_key]
|
||||
release = release_info.release
|
||||
version = release_info.version
|
||||
version_str = release.tag_name
|
||||
name = f"linux-hardened-{version_str}"
|
||||
|
||||
old_version: Optional[list[int|str]] = None
|
||||
old_version_str: Optional[str] = None
|
||||
update: bool
|
||||
try:
|
||||
old_filename = patch_json[str(kernel_key)]["patch"]["name"]
|
||||
old_version_str = old_filename.replace("linux-hardened-", "").replace(
|
||||
".patch", ""
|
||||
)
|
||||
old_version = normalize_kernel_version(old_version_str)
|
||||
update = old_version < version
|
||||
except KeyError:
|
||||
update = True
|
||||
|
||||
if update:
|
||||
patch = fetch_patch(name=name, release_info=release_info)
|
||||
if patch is None:
|
||||
failures = True
|
||||
else:
|
||||
if str(kernel_key) in patch_json:
|
||||
message = f"{old_version_str} -> {version_str}"
|
||||
else:
|
||||
message = f"init at {version_str}"
|
||||
patch_json[str(kernel_key)] = patch
|
||||
|
||||
commit_patches(kernel_key=kernel_key, message=message)
|
||||
|
||||
if removals:
|
||||
print("Hardened kernels were removed. Don't forget to remove their attributes!")
|
||||
|
||||
if failures:
|
||||
sys.exit(1)
|
||||
@@ -27,26 +27,4 @@
|
||||
name = "request-key-helper";
|
||||
patch = ./request-key-helper.patch;
|
||||
};
|
||||
|
||||
hardened =
|
||||
let
|
||||
mkPatch =
|
||||
kernelVersion:
|
||||
{
|
||||
version,
|
||||
sha256,
|
||||
patch,
|
||||
}:
|
||||
let
|
||||
src = patch;
|
||||
in
|
||||
{
|
||||
name = lib.removeSuffix ".patch" src.name;
|
||||
patch = fetchurl (lib.removeAttrs src [ "extra" ]);
|
||||
extra = src.extra;
|
||||
inherit version sha256;
|
||||
};
|
||||
patches = lib.importJSON ./hardened/patches.json;
|
||||
in
|
||||
lib.mapAttrs mkPatch patches;
|
||||
}
|
||||
|
||||
@@ -3,6 +3,3 @@ cd "$(dirname "$(readlink -f "$0")")" || exit
|
||||
|
||||
echo "Update linux (mainline)"
|
||||
COMMIT=1 ./update-mainline.py || echo "update-mainline failed with exit code $?"
|
||||
|
||||
echo "Update linux-hardened"
|
||||
COMMIT=1 ./hardened/update.py || echo "update-hardened failed with exit code $?"
|
||||
|
||||
@@ -39,8 +39,6 @@ stdenv.mkDerivation {
|
||||
homepage = "https://github.com/aircrack-ng/rtl8188eus";
|
||||
license = lib.licenses.gpl2Only;
|
||||
maintainers = with lib.maintainers; [ moni ];
|
||||
broken =
|
||||
((lib.versions.majorMinor kernel.version) == "5.4" && kernel.isHardened)
|
||||
|| kernel.kernelAtLeast "6.17";
|
||||
broken = kernel.kernelAtLeast "6.17";
|
||||
};
|
||||
}
|
||||
|
||||
@@ -45,8 +45,6 @@ stdenv.mkDerivation (finalAttrs: {
|
||||
license = lib.licenses.gpl2Only;
|
||||
platforms = lib.platforms.linux;
|
||||
maintainers = with lib.maintainers; [ defelo ];
|
||||
broken =
|
||||
stdenv.hostPlatform.isAarch64
|
||||
|| ((lib.versions.majorMinor kernel.version) == "5.4" && kernel.isHardened);
|
||||
broken = stdenv.hostPlatform.isAarch64;
|
||||
};
|
||||
})
|
||||
|
||||
@@ -71,7 +71,7 @@ stdenv.mkDerivation (finalAttrs: {
|
||||
license = lib.licenses.gpl2Only;
|
||||
platforms = [ "x86_64-linux" ];
|
||||
# FIX: error: invalid initializer
|
||||
broken = (kernel.kernelOlder "6" && kernel.isHardened) || kernel.kernelAtLeast "6.17";
|
||||
broken = kernel.kernelAtLeast "6.17";
|
||||
maintainers = with lib.maintainers; [ lonyelon ];
|
||||
};
|
||||
})
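Review bot: The comment `# FIX: error: invalid initializer` stays above the rewritten `broken` line, but it is no longer clear which condition it documents: the removed hardened-kernel clause or the remaining `kernel.kernelAtLeast "6.17"` one. If it described the hardened case it is now stale and should be dropped. If it describes the 6.17 build failure, say so, for example `# FIX: error: invalid initializer (kernel >= 6.17)`.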
|
||||
|
||||
@@ -66,7 +66,7 @@ stdenv.mkDerivation (finalAttrs: {
|
||||
homepage = "https://github.com/morrownr/rtl8852bu-20240418";
|
||||
license = lib.licenses.gpl2Only;
|
||||
platforms = [ "x86_64-linux" ];
|
||||
broken = (kernel.kernelOlder "6" && kernel.isHardened) || kernel.kernelAtLeast "6.18"; # Similar to 79c1cf6
|
||||
broken = kernel.kernelAtLeast "6.18"; # Similar to 79c1cf6
|
||||
maintainers = with lib.maintainers; [
|
||||
lonyelon
|
||||
thtrf
|
||||
|
||||
@@ -187,8 +187,7 @@ stdenv.mkDerivation {
|
||||
];
|
||||
maintainers = with lib.maintainers; [ raskin ];
|
||||
platforms = lib.platforms.linux ++ lib.platforms.darwin;
|
||||
broken =
|
||||
kernel != null && ((lib.versionOlder kernel.version "4.14") || kernel.isHardened || kernel.isZen);
|
||||
broken = kernel != null && ((lib.versionOlder kernel.version "4.14") || kernel.isZen);
|
||||
homepage = "https://sysdig.com/opensource/";
|
||||
downloadPage = "https://github.com/draios/sysdig/releases";
|
||||
};
|
||||
|
||||
@@ -46,7 +46,6 @@ stdenv.mkDerivation {
|
||||
homepage = "https://github.com/mkubecek/vmware-host-modules";
|
||||
license = lib.licenses.gpl2Only;
|
||||
platforms = [ "x86_64-linux" ];
|
||||
broken = (kernel.kernelOlder "5.5" && kernel.isHardened);
|
||||
maintainers = with lib.maintainers; [
|
||||
deinferno
|
||||
vifino
|
||||
|
||||
@@ -146,6 +146,5 @@ stdenv.mkDerivation {
|
||||
andersk
|
||||
spacefrogg
|
||||
];
|
||||
broken = kernel.isHardened;
|
||||
};
|
||||
}
|
||||
|
||||
@@ -1157,7 +1157,7 @@ mapAliases {
|
||||
linux_6_6 = linuxKernel.kernels.linux_6_6;
|
||||
linux_6_6_hardened = throw "linux_hardened on nixpkgs only contains latest stable and latest LTS"; # Added 2025-08-10
|
||||
linux_6_12 = linuxKernel.kernels.linux_6_12;
|
||||
linux_6_12_hardened = linuxKernel.kernels.linux_6_12_hardened;
|
||||
linux_6_12_hardened = throw "linux_6_12_hardened has been removed due to lack of maintenance"; # Added 2026-03-18
|
||||
linux_6_13 = throw "linux 6.13 was removed because it has reached its end of life upstream"; # Added 2025-06-29
|
||||
linux_6_13_hardened = throw "linux 6.13 was removed because it has reached its end of life upstream"; # Added 2025-06-29
|
||||
linux_6_14 = throw "linux 6.14 was removed because it has reached its end of life upstream"; # Added 2025-06-29
|
||||
@@ -1168,7 +1168,7 @@ mapAliases {
|
||||
linux_6_18 = linuxKernel.kernels.linux_6_18;
|
||||
linux_6_19 = linuxKernel.kernels.linux_6_19;
|
||||
linux_ham = throw "linux_ham has been removed in favour of the standard kernel packages"; # Added 2025-06-24
|
||||
linux_hardened = linuxPackages_hardened.kernel; # Added 2025-08-10
|
||||
linux_hardened = throw "linux_hardened has been removed due to lack of maintenance"; # Added 2026-03-18
|
||||
linux_latest-libre = throw "linux_latest_libre has been removed due to lack of maintenance"; # Added 2025-10-01
|
||||
linux_lqx = throw "linux_lqx has been removed due to lack of maintenance"; # Added 2026-03-13
|
||||
linux_rpi0 = linuxKernel.kernels.linux_rpi1;
|
||||
@@ -1191,7 +1191,7 @@ mapAliases {
|
||||
linuxPackages_6_6 = linuxKernel.packages.linux_6_6;
|
||||
linuxPackages_6_6_hardened = throw "linux_hardened on nixpkgs only contains latest stable and latest LTS"; # Added 2025-08-10
|
||||
linuxPackages_6_12 = linuxKernel.packages.linux_6_12;
|
||||
linuxPackages_6_12_hardened = linuxKernel.packages.linux_6_12_hardened; # Added 2025-08-10
|
||||
linuxPackages_6_12_hardened = throw "linuxPackages_6_12_hardened has been removed due to lack of maintenance"; # Added 2026-03-18
|
||||
linuxPackages_6_13 = throw "linux 6.13 was removed because it has reached its end of life upstream"; # Added 2025-06-29
|
||||
linuxPackages_6_13_hardened = throw "linux 6.13 was removed because it has reached its end of life upstream"; # Added 2025-06-29
|
||||
linuxPackages_6_14 = throw "linux 6.14 was removed because it has reached its end of life upstream"; # Added 2025-06-29
|
||||
@@ -1202,7 +1202,7 @@ mapAliases {
|
||||
linuxPackages_6_18 = linuxKernel.packages.linux_6_18;
|
||||
linuxPackages_6_19 = linuxKernel.packages.linux_6_19;
|
||||
linuxPackages_ham = throw "linux_ham has been removed in favour of the standard kernel packages"; # Added 2025-06-24
|
||||
linuxPackages_hardened = linuxKernel.packages.linux_hardened; # Added 2025-08-10
|
||||
linuxPackages_hardened = throw "linuxPackages_hardened has been removed due to lack of maintenance"; # Added 2026-03-18
|
||||
linuxPackages_latest-libre = throw "linux_latest_libre has been removed due to lack of maintenance"; # Added 2025-10-01
|
||||
linuxPackages_latest_xen_dom0 = throw "'linuxPackages_latest_xen_dom0' has been renamed to/replaced by 'linuxPackages_latest'"; # Converted to throw 2025-10-27
|
||||
linuxPackages_lqx = throw "linuxPackages_lqx has been removed due to lack of maintenance"; # Added 2026-03-13
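Review bot: The new `throw` messages for `linux_hardened`, `linux_6_12_hardened`, `linuxPackages_hardened` and `linuxPackages_6_12_hardened` say only that the attribute was removed, so a configuration that pinned one of them fails evaluation with no hint about what it loses. As far as this commit shows, the linux-hardened patch and the hardened config overrides were applied only through these attributes, so switching to another kernel to clear the error drops that hardening without any notice. I would state the consequence in the message, for example `throw "linux_hardened has been removed due to lack of maintenance; other kernels do not apply the linux-hardened patch or its config, see the release notes"`, and use the same wording in the three sibling aliases. The matching throws added to the kernel and package sets later in this commit would benefit from the same text.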
|
||||
|
||||
@@ -8655,8 +8655,6 @@ with pkgs;
|
||||
|
||||
linuxPackagesFor = linuxKernel.packagesFor;
|
||||
|
||||
hardenedLinuxPackagesFor = linuxKernel.hardenedPackagesFor;
|
||||
|
||||
linuxManualConfig = linuxKernel.manualConfig;
|
||||
|
||||
linuxPackages_custom = linuxKernel.customPackage;
|
||||
|
||||
@@ -14,7 +14,6 @@
|
||||
|
||||
# When adding a kernel:
|
||||
# - Update packageAliases.linux_latest to the latest version
|
||||
# - Update linux_latest_hardened when the patches become available
|
||||
|
||||
let
|
||||
inherit (lib) recurseIntoAttrs dontRecurseIntoAttrs;
|
||||
@@ -42,38 +41,6 @@ let
|
||||
};
|
||||
}
|
||||
);
|
||||
|
||||
# Hardened Linux
|
||||
hardenedKernelFor =
|
||||
kernel': overrides:
|
||||
let
|
||||
kernel = kernel'.override overrides;
|
||||
version = kernelPatches.hardened.${kernel.meta.branch}.version;
|
||||
major = lib.versions.major version;
|
||||
sha256 = kernelPatches.hardened.${kernel.meta.branch}.sha256;
|
||||
modDirVersion' = builtins.replaceStrings [ kernel.version ] [ version ] kernel.modDirVersion;
|
||||
in
|
||||
kernel.override {
|
||||
structuredExtraConfig = import ../os-specific/linux/kernel/hardened/config.nix {
|
||||
inherit stdenv lib version;
|
||||
};
|
||||
argsOverride = {
|
||||
inherit version;
|
||||
pname = "linux-hardened";
|
||||
modDirVersion = modDirVersion' + kernelPatches.hardened.${kernel.meta.branch}.extra;
|
||||
src = fetchurl {
|
||||
url = "mirror://kernel/linux/kernel/v${major}.x/linux-${version}.tar.xz";
|
||||
inherit sha256;
|
||||
};
|
||||
extraMeta = {
|
||||
broken = kernel.meta.broken;
|
||||
};
|
||||
};
|
||||
kernelPatches = kernel.kernelPatches ++ [
|
||||
kernelPatches.hardened.${kernel.meta.branch}
|
||||
];
|
||||
isHardened = true;
|
||||
};
|
||||
in
|
||||
{
|
||||
kernelPatches = callPackage ../os-specific/linux/kernel/patches.nix { };
|
||||
@@ -197,10 +164,6 @@ in
|
||||
kernelPatches.request_key_helper
|
||||
];
|
||||
};
|
||||
|
||||
linux_6_12_hardened = hardenedKernelFor kernels.linux_6_12 { };
|
||||
|
||||
linux_hardened = linux_6_12_hardened;
|
||||
}
|
||||
// lib.optionalAttrs config.allowAliases {
|
||||
linux_lqx = throw "linux_lqx has been removed due to lack of maintenance";
|
||||
@@ -228,9 +191,11 @@ in
|
||||
linux_6_9_hardened = throw "linux 6.9 was removed because it has reached its end of life upstream";
|
||||
linux_6_10_hardened = throw "linux 6.10 was removed because it has reached its end of life upstream";
|
||||
linux_6_11_hardened = throw "linux 6.11 was removed because it has reached its end of life upstream";
|
||||
linux_6_12_hardened = throw "linux_6_12_hardened has been removed due to lack of maintenance";
|
||||
linux_6_13_hardened = throw "linux 6.13 was removed because it has reached its end of life upstream";
|
||||
linux_6_14_hardened = throw "linux 6.14 was removed because it has reached its end of life upstream";
|
||||
linux_6_15_hardened = throw "linux 6.15 was removed because it has reached its end of life upstream";
|
||||
linux_hardened = throw "linux_hardened has been removed due to lack of maintenance";
|
||||
|
||||
linux_rt_5_4 = throw "linux_rt 5.4 has been removed because it will reach its end of life within 25.11";
|
||||
linux_rt_5_10 = throw "linux_rt_5_10 has been removed due to lack of maintenance";
|
||||
@@ -317,7 +282,6 @@ in
|
||||
inherit (kernel)
|
||||
isLTS
|
||||
isZen
|
||||
isHardened
|
||||
;
|
||||
inherit (kernel) kernelOlder kernelAtLeast;
|
||||
kernelModuleMakeFlags = self.kernel.commonMakeFlags ++ [
|
||||
@@ -704,8 +668,6 @@ in
|
||||
)).extend
|
||||
(lib.fixedPoints.composeManyExtensions kernelPackagesExtensions);
|
||||
|
||||
hardenedPackagesFor = kernel: overrides: packagesFor (hardenedKernelFor kernel overrides);
|
||||
|
||||
vanillaPackages = {
|
||||
# recurse to build modules for the kernels
|
||||
linux_5_10 = recurseIntoAttrs (packagesFor kernels.linux_5_10);
|
||||
@@ -744,10 +706,6 @@ in
|
||||
# Intentionally lacks recurseIntoAttrs, as -rc kernels will quite likely break out-of-tree modules and cause failed Hydra builds.
|
||||
linux_testing = packagesFor kernels.linux_testing;
|
||||
|
||||
linux_hardened = recurseIntoAttrs (packagesFor kernels.linux_hardened);
|
||||
|
||||
linux_6_12_hardened = recurseIntoAttrs (packagesFor kernels.linux_6_12_hardened);
|
||||
|
||||
linux_zen = recurseIntoAttrs (packagesFor kernels.linux_zen);
|
||||
linux_xanmod = recurseIntoAttrs (packagesFor kernels.linux_xanmod);
|
||||
linux_xanmod_stable = recurseIntoAttrs (packagesFor kernels.linux_xanmod_stable);
|
||||
@@ -768,9 +726,11 @@ in
|
||||
linux_6_9_hardened = throw "linux 6.9 was removed because it has reached its end of life upstream";
|
||||
linux_6_10_hardened = throw "linux 6.10 was removed because it has reached its end of life upstream";
|
||||
linux_6_11_hardened = throw "linux 6.11 was removed because it has reached its end of life upstream";
|
||||
linux_6_12_hardened = throw "linux_6_12_hardened has been removed due to lack of maintenance";
|
||||
linux_6_13_hardened = throw "linux 6.13 was removed because it has reached its end of life upstream";
|
||||
linux_6_14_hardened = throw "linux 6.14 was removed because it has reached its end of life upstream";
|
||||
linux_6_15_hardened = throw "linux 6.15 was removed because it has reached its end of life upstream";
|
||||
linux_hardened = throw "linux_hardened has been removed due to lack of maintenance";
|
||||
linux_ham = throw "linux_ham has been removed in favour of the standard kernel packages";
|
||||
|
||||
linux_rt_5_4 = throw "linux_rt 5.4 was removed because it will reach its end of life within 25.11"; # Added 2025-10-22
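Review bot: Dropping `isHardened` from the `inherit (kernel)` list in the `@@ -317,7 +282,6 @@` hunk makes any downstream expression that still reads `kernelPackages.isHardened` fail with a bare missing-attribute error. The removed kernel attributes in this file get a `throw` with a reason, but this one disappears without explanation. Several in-tree modules tested `kernel.isHardened` in `meta.broken` until this commit, so out-of-tree modules and overlays probably do the same; whether the kernel derivation still exposes the attribute is not visible in this section. If it does not, a release-note line would save users the search, for example `kernel.isHardened has been removed together with linux_hardened; drop it from meta.broken conditions`.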
|
||||
|
||||