From 2879caafcf3fe36048fe25f99f32b91002128ca6 Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Thu, 19 Mar 2026 10:00:08 +1000
Subject: [PATCH] linux_hardened: remove

isn't maintained to the standards people expect of kernels in nixpkgs
---
 ci/OWNERS | 3 -
 doc/packages/linux.section.md | 9 -
 .../manual/release-notes/rl-2605.section.md | 2 +
 nixos/tests/kernel-generic/default.nix | 1 -
 pkgs/by-name/ch/chipsec/package.nix | 2 -
 pkgs/os-specific/linux/ajantv2/default.nix | 2 -
 pkgs/os-specific/linux/kernel/build.nix | 2 -
 pkgs/os-specific/linux/kernel/generic.nix | 2 -
 .../linux/kernel/hardened/anthraxx.asc | 325 ------------------
 .../linux/kernel/hardened/config.nix | 112 ------
 .../linux/kernel/hardened/patches.json | 12 -
 .../linux/kernel/hardened/update.py | 301 ----------------
 pkgs/os-specific/linux/kernel/patches.nix | 22 --
 pkgs/os-specific/linux/kernel/update.sh | 3 -
 .../linux/rtl8188eus-aircrack/default.nix | 4 +-
 pkgs/os-specific/linux/rtl8821ce/default.nix | 4 +-
 pkgs/os-specific/linux/rtl8852au/default.nix | 2 +-
 pkgs/os-specific/linux/rtl8852bu/default.nix | 2 +-
 pkgs/os-specific/linux/sysdig/default.nix | 3 +-
 pkgs/os-specific/linux/vmware/default.nix | 1 -
 pkgs/servers/openafs/1.8/module.nix | 1 -
 pkgs/top-level/aliases.nix | 8 +-
 pkgs/top-level/all-packages.nix | 2 -
 pkgs/top-level/linux-kernels.nix | 48 +--
 24 files changed, 15 insertions(+), 858 deletions(-)
 delete mode 100644 pkgs/os-specific/linux/kernel/hardened/anthraxx.asc
 delete mode 100644 pkgs/os-specific/linux/kernel/hardened/config.nix
 delete mode 100644 pkgs/os-specific/linux/kernel/hardened/patches.json
 delete mode 100755 pkgs/os-specific/linux/kernel/hardened/update.py

diff --git a/ci/OWNERS b/ci/OWNERS
index 15f639120bba..528c6d45622b 100644
--- a/ci/OWNERS
+++ b/ci/OWNERS
@@ -294,9 +294,6 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /nixos/modules/services/databases/mysql.nix @6543
 /nixos/modules/services/backup/mysql-backup.nix @6543
-# Hardened profile & related modules
-/pkgs/os-specific/linux/kernel/hardened/ @fabianhjr
-
 # Home Automation
 /nixos/modules/services/home-automation/home-assistant.nix @mweinelt
 /nixos/modules/services/home-automation/zigbee2mqtt.nix @mweinelt
diff --git a/doc/packages/linux.section.md b/doc/packages/linux.section.md
index 4c2ec2fb63c0..eb3d1fa7afac 100644
--- a/doc/packages/linux.section.md
+++ b/doc/packages/linux.section.md
@@ -149,15 +149,6 @@ The change gets submitted like this:
 ```
 * Update `linux_latest` to the new attribute.
 * __SQUASH__ the changes into the `linux: init at …` commit.
-* If a new hardened is available:
- * Instantiate a `linux_X_Y_hardened = hardenedKernelsFor kernels.linux_X_Y { };` in `kernels` and
- `linux_X_Y_hardened = hardenedKernelFor kernels.linux_X_Y { };` in the `packages`-section.
- * Make sure to remove the hardened variant of the previous kernel version unless it's LTS.
- We only support the latest and latest LTS version of hardened.
-* If no new hardened kernel is available:
- * Keep the previously latest kernel until its mainline counterpart gets removed.
- After that `linux_hardened` points to the latest LTS supported by hardened.
-* __SQUASH__ the changes into the `linux_X_Y_hardened: init at …` commit.
 ### Policy for accepting new kernel flavours {#sec-linux-new-kernels}
diff --git a/nixos/doc/manual/release-notes/rl-2605.section.md b/nixos/doc/manual/release-notes/rl-2605.section.md
index 81863438b4e7..9053a81954bc 100644
--- a/nixos/doc/manual/release-notes/rl-2605.section.md
+++ b/nixos/doc/manual/release-notes/rl-2605.section.md
@@ -133,6 +133,8 @@
 - `services.pyload` has been removed because the package it relies on does not exist anymore in nixpkgs due to vulnerabilities and being unmaintained.
+- `linux_hardened` kernel has been removed due to a lack of maintenance.
+
 - `services.tandoor-recipes` now uses a sub-directory for media files by default starting with `26.05`. Existing setups should move media files out of the data directory and adjust `services.tandoor-recipes.extraConfig.MEDIA_ROOT` accordingly. See [Migrating media files for pre 26.05 installations](#module-services-tandoor-recipes-migrating-media).
 - `linux-rt` kernel has been removed due to a lack of maintenance.
diff --git a/nixos/tests/kernel-generic/default.nix b/nixos/tests/kernel-generic/default.nix
index e2883115b6f2..615b9c33abb0 100644
--- a/nixos/tests/kernel-generic/default.nix
+++ b/nixos/tests/kernel-generic/default.nix
@@ -79,7 +79,6 @@ let
 ) args);
 kernels = patchedPkgs.linuxKernel.vanillaPackages // {
 inherit (patchedPkgs.linuxKernel.packages)
- linux_6_12_hardened
 linux_testing
 ;
diff --git a/pkgs/by-name/ch/chipsec/package.nix b/pkgs/by-name/ch/chipsec/package.nix
index bd9f6db867ff..fbfbdfbf1a6f 100644
--- a/pkgs/by-name/ch/chipsec/package.nix
+++ b/pkgs/by-name/ch/chipsec/package.nix
@@ -86,8 +86,6 @@ python3.pkgs.buildPythonApplication (finalAttrs: {
 staslyakhov
 ];
 platforms = if withDriver then [ "x86_64-linux" ] else with lib.platforms; linux ++ darwin;
- # https://github.com/chipsec/chipsec/issues/1793
- broken = withDriver && kernel.kernelOlder "5.4" && kernel.isHardened;
 mainProgram = "chipsec_main";
 };
 })
diff --git a/pkgs/os-specific/linux/ajantv2/default.nix b/pkgs/os-specific/linux/ajantv2/default.nix
index ffaa13efbce5..eaaecb9eb0fc 100644
--- a/pkgs/os-specific/linux/ajantv2/default.nix
+++ b/pkgs/os-specific/linux/ajantv2/default.nix
@@ -45,7 +45,5 @@ stdenv.mkDerivation (finalAttrs: {
 "aarch64-linux"
 ];
 description = "AJA video driver";
- # FTB for hardened 5.10/5.15 kernels
- broken = kernel.kernelOlder "6" && kernel.isHardened;
 };
 })
diff --git a/pkgs/os-specific/linux/kernel/build.nix b/pkgs/os-specific/linux/kernel/build.nix
index 9635c9c0d7f5..ac191a3ba149 100644
--- a/pkgs/os-specific/linux/kernel/build.nix
+++ b/pkgs/os-specific/linux/kernel/build.nix
@@ -77,7 +77,6 @@ lib.makeOverridable (
 # for module compatibility
 isZen ? false,
- isHardened ? false,
 # Whether to utilize the controversial import-from-derivation feature to parse the config
 allowImportFromDerivation ? false,
@@ -530,7 +529,6 @@ lib.makeOverridable (
 ;
 inherit
 isZen
- isHardened
 withRust
 ;
 baseVersion = lib.head (lib.splitString "-rc" version);
diff --git a/pkgs/os-specific/linux/kernel/generic.nix b/pkgs/os-specific/linux/kernel/generic.nix
index 32f8fd8f5e9b..336c70e2e29e 100644
--- a/pkgs/os-specific/linux/kernel/generic.nix
+++ b/pkgs/os-specific/linux/kernel/generic.nix
@@ -75,7 +75,6 @@ lib.makeOverridable (
 isLTS ? false,
 isZen ? false,
- isHardened ? false,
 # easy overrides to stdenv.hostPlatform.linux-kernel members
 autoModules ? stdenv.hostPlatform.linux-kernel.autoModules or true,
@@ -315,7 +314,6 @@ lib.makeOverridable (
 extraMakeFlags
 isLTS
 isZen
- isHardened
 ;
 # Adds dependencies needed to edit the config:
diff --git a/pkgs/os-specific/linux/kernel/hardened/anthraxx.asc b/pkgs/os-specific/linux/kernel/hardened/anthraxx.asc
deleted file mode 100644
index 101ccfbf0f2b..000000000000
--- a/pkgs/os-specific/linux/kernel/hardened/anthraxx.asc
+++ /dev/null
@@ -1,325 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v2 - -mQINBE64OEUBEADPS1v+zoCdKA6zyfUtVIaBoIwMhCibqurXi30tVoC9LgM6W1ve -HwPFukWq7DAS0mZUPE3mSV63JFLaTy0bY/6GO1D4wLdWZx4ppH7XKNCvKCbsi70k -UozFykNVf+83WEskuF1oYzXlF3aB5suz2IWJl7ey1EXgIpehwQaTJUA5JIWYFp9A -566LRNJefYMzUR33xc4dRKj6Etg0xdLVq7/vZoo8HpLCBGNWiP0AKqFWEwTg0xQL -7nsJA5tfJJdwAJvrzjpFsvb63PKG6waAtdHhON4q7E2Udak9fz2tRjxA5l9l2zXk -aqsysUzkxPhNjwMENoQ04KZg4aT+ZhhBzTowSWLp3KV2uaZ66kdPUO3s+/1bPp5/ -N/IlykaUwyL773iYOZ5dOY/9hIuX/zssihcrGEMW6yIyZR5uKhzYdaM9ExTXP637 -UccgNS9/pskPGPx/xK23NDCfeHzL9YHS5KokA2wb/b9hqpwvLaeblbMl2pt79F1R -ac+rZlrRyX3NvlTQP4hqM9Ei2YBAU7QFDJEjH8pVIceL7grxi1Ju1iD5QiSK+je5 -Jj5EAikfwSeAttSzsqNvaXJHfABrv5mkkVt1z3icP3HIHTYnG+uj+t8kvW+o9/1i -pD6e6LUh4w5v1aY9kaK/M3+eBH59yNYI99crPUKUBVfW4gv4DBUJAQTWRQARAQAB -tDVMZXZlbnRlIFBvbHlhayAoYW50aHJheHgpIDxsZXZlbnRlQGxldmVudGVwb2x5 -YWsubmV0PokCQQQTAQIAKwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4ACGQEF -AlSXU9QFCQfATw8ACgkQ/BtUfI2BcsjPbxAAs+UR/bJz/HeYTpPy+HnKwDJgI9GP -AZlNvp+QSIhOTtKCYkQ/Iu+5scY5J0Qyv0pcJW5Rxjx+l7KGovw84jzVznnYsJoy -UQ5H3Ev9T2xW1nrZT3abJ7j6ZIck+Q+WFHu5Plsq6doSXOXmJNoehvT3BVolvc6w -S1+CAoyA5Wm1yfocZgVOvWPWQaa1T4XA7OwxFWrvNWEZwAzTSjkGHkwmji+DxdBd -RPam9+qm/rcN1IJTu6xJPr38a9LydWonsUpTR2Qn7Bo4EJp8yHJLaiLEMV/Nmgrr -1orBYw/OzDzhbdMl+2zzwEBLUMPABdgnPM6ZCZ5PWyWnCU4jsBGyVd0IC5xEu3Eg -a0EtIdvx2lXiLfh2dulpMn52uJY5iNwaTleO+z9CENQVhh5R4FuN9H0BLiyAxf1+ -MkD3jLT+DGl02hQghtxz18iTkRk7KOw/NFn4z0is+TRl4/ocNt1LiWQXt8dr7qdx -zvUpDnxCSYZkeutzopo1TA4lKpnsS2mHabx6CbrUmF+wOIr8gHUfpBFeEQ8BHebU -5X0JrFF5mjeNl4uK9l9lD9ng74rsSpKPr15DU41jIuQDHJYd6H3TXQ4K1z7Ciivy -r4vgsruAFX/GduKseOx1obWW3GfIQzLAIuVdjldgREl61GWoLiGFqlcveiAIkN5p -Bxc20hSrHgZP9ZyIRgQQEQIABgUCTrg/KAAKCRC+dA9BPyK7GTK7AKC8Sd1ndNvc -1ispBaECbHT/JPfGrQCgvkfGBsFn/KBrgC5hTm0mSxdy942JAkEEEwECACsCGwMF -CQIchwAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJOuD2qAhkBAAoJEPwbVHyN -gXLIXL4QAJtbs62EpOIFld0N+tTEFn1qQPPaExAXmH/RF5Epf+0rSS6B0OXEZBXz -cWtMPbHxoLjN1iY8o0QC1ex7/KDfYq8Ho18M9P+Lf6XfW0sJ9d021U5MJWGPs4zA 
-lNFXJqeMgfJZAno2N6dO/azcYHq1wmSgUbTb9Oyi1PHfn3g0UAW59dfkB8d2jEvY -Yed1X0mBPPXcbgnYNZ514JQtm9wuDdVWrh/Si9EhKg6+MPcbv18G4lpPGR+yNq9y -3Jze4vmmWen0ceDJEp06IAeTfJzzD80Oui2WXtLfaQxgf9uuZtGjrMX5l+mq7rBS -VH/dsHP1VYI0efKIs7qbmiLcMRVWYIGix9I1C3UYr3ImYiCGlBG/uQ929xbjWAHa -hy4W6rzruUWjyi/Kz7QRnyBgtHfhDO7hYziTr5hoGhd4VeUpcbxL+MegXFZsWJlE -kz8TOOsZ/4XxXHVoalg8fYOcA7j/aoszsPMQUOL/5jsVRhyP3evtVxb3m1EwvYDK -Lii4IkVxGztlBOIgeT4kwXgoJEASSZHgcd6tDv9q7o33n2I1DGL8X3axcHES2/C7 -cP+li3KL3Hc9vjgaJ9HfcQLuMcHqfoHn+YzVfbG5XeFcxhgQpwpYsZv3MTbXAQwI -fRHXRuIfOiFwqUXahi5N1WSIXNBGSyI7pu9ht5I7gIIOINE+VS7FiQJBBBMBAgAr -AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAIZAQUCUNol8QUJA/yTqwAKCRD8 -G1R8jYFyyIqUD/9yWw7WBQiWyIMpVuX9c2Ov1fAkDya43fDm0gqIgNsdaxCt5ATh -XaXZ/p2jglWwon5jDLDNsVR0/Q/t8ugdcP3bcwRtW2YYQ2F1PaNjfr5WsuPEadyc -J62DIobY4IzqBpDuqGLYdbzZeKr49VwbRRvIJpphrk3+CekFvdIs1ofEpA2Kn2oA -DXfYuaWoVBF7fTwAZmc3hYPOI1jK7nrFZbCnAT4WZPzZ4IY9lsaNTF/4mQ8vV1xF -De6HjfslHURlZWsWtQIKhIPBKoZC1nP5VRK3IHYgKw8toq780kalLH8ofv9BkSrs -t98JOoJX4etdmE8Ta/+Wg5C9EzR+909tQfdWdkaRbhvbtl/x7X76HU4ItefLR5pW -d0OSo488QZMQjCUWlzgPMsmnYMQm6ckNOp0B/RtMfbJV7t5H+JE3PLfFG55jcz3w -uNGhfZyl/ZhV9fvGLU/sPyhIW7ewuIwd+7i12fH9r4NAGB/mkSKK+tHGcTZvXxux -5QMKE+a9u6NMJRrbsIiTFwhrCLMgzLYL0mtX8FZXNFFZzGFYkiXymBR0ze4LKzRo -dMFpyP/w/IIjYBhVpgboT2EMMIgJHSsMJDCdDjI+9cAykVF6ccSiUQ11devHL6Pv -WwlT2Ub4TP4yCScHDPyfWq+tfdQlWFVRZMRJ7kmq0VagqomdRHgLPyPgDYkCHAQQ -AQIABgUCUtgrXgAKCRBH1QFsQv98LACcEACFq3Oz8nHAa6KsyspIWo0+HjzCtTv0 -G6TB+svf3fl24C93IfFhpSyxNf8XVa9h9kCU5ZImYN+LaoUGiz3lcYxjdOeFYDc4 -GU5TFrJwY9eOYYCsr+z+NLn7wlLZEO772lGUDPJMWxSGqR9yOGhQCTIADLLcp6mt -07zdejESYxMT6IjYR+rX6miWG5Hr9/lBdh/X4XhGpHEY64IL8vVB3C+FQfG3hiMB -bHbvJ4/S/cjfNM1T9oKiA0H6jklRHIdstj+2eeWA7lS+GE3Mpkra+8KmkEjV4O03 -izcRpMm1yTGoTjp9UddTNYErb/sha5YigYAqK8bj3gh6tTFNJHbN4RWgtPDyc5Va -1u+sH2ob6JS5tez8/Z6pMarGpTQujIGAlntP4igi0Q4hxyLof6Vtc6XF80uSwTvN -RRmQrcq+kLPwX0NbyZCBCI+kjBPu2b932JDTfVBKwJCLF3e1zvQqN0C7EZnIzveX -r7VtJ4WHIfSyi/HQP7xm5L0uQj+KRr+/LMaxkCDgrlqoWTgAoxCAPYH1XCvBoJRc 
-DHjNikyEAS8WUGl9ZHQyAoFngi/jqH6WoDAmfBUKRoBMR2hXLOKUBmObw0DHgauM -kk4kD6CW4UEy0SM/i9JD7sk9KiKoHMip1jguKRJkHJ1WSkNl7nZpeo+KG0WbGHXN -b7hnrQsNyqJkUokCQQQTAQIAKwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AC -GQEFAlLV0QIFCQXdHmsACgkQ/BtUfI2Bcsj8DA//b8wZrFY/Fj/iR5ZaO0AjmMV1 -hM7lAFWLfDiLyYofuiGLUg9rqFWj+Ks2kedVN7+22Bjgi5fvpXv3Uy4trZKKw8Xs -FJ/s8HQ6jzIv6pFdIYPLFQBqS2tEgfsanPZWIqJI9fbhOrRGN7WV5tXiksCaRO+u -rLjIhAYmsDb//BD2xqsY54ouRdrz5nRG3qG2odq2Lw8XquW6srouGaSm+BI3sow6 -l2eAW8UjbxwICQg2ZPZYCBc9ArbgLS1ha+yPhp65nGpVbqDA8rUKC11op1ArAbY3 -Yt6xzLg+RCuCHBa1gNPpDoYV9V8Zve03mEIcsK10X0RhJQ+z4INvrjtelPRCOLpN -179JmsyxwOzwAPg773SK1Z31jSirsiEke/q8j13PGNDBCb4ZKpm/KOht+4d0jJLK -GLqD85cv3/uAeSh2zWkoKcVW6uVZpiz3KA3i4YMWnteOlrlZH28nIrDXevPzkOxo -pZlhuLboCD6g6yuZI4Wm9fEiga8xmRDw4RrOIuDXWjNW6IVaeFGvnYaNf0wnmBD+ -FE1SMWwcmqgB1yIylmKqH0lYce8SVAMLkkOlaijhWrfCO5iS7zjWaVz98HCqFfwR -gHuJTxOwwlf9Qb6cyC3bGsfILBUuE0L5vUAZUAc61H+6Sv88CDDUO1EOKaqAAYhR -plvoyYZ3xiSMgzYKGZ+0OkxldmVudGUgUG9seWFrIChKYWJiZXIvWE1QUCBvbmx5 -KSA8YW50aHJheHhAamFiYmVyLmNjYy5kZT6JAj4EEwECACgCGwMGCwkIBwMCBhUI -AgkKCwQWAgMBAh4BAheABQJUl1PaBQkHwE8PAAoJEPwbVHyNgXLIQokQAKxJB9/F -TfBae6eqcT+izxGSnsvbc2bcrtsmKkhu9HwpsJ4IDutphXFB0wFalI40BL0o1k54 -Wlfv5GHbq7Ju3kW2dmTMP0WpfFytV7rr2yqSmik+skJw27BDk74rP0v4TNOHaTrP -nokfTnlaKuv1bqlwbIwV7rJ5jbAtw5hueeN4jghGU8SGlCOEZ/xGxYYsvtyPhZhn -kmsAzcPr/BpW4NkSb2SnRIO8KzcPnzxz7JDdeIusq/YW7P5OlhDx4ejdh0Wg6ISl -zxB5VoqFqNuKTBQNz4HHpqDVQqEDE4JngMerDr+4qAiDYI4w6kN3Ce2LqciRyMVh -YYnTqyyjXYY3C1WwXIa1tZb2Cw2DorshNFdACr7wKQMOoJtAFpdd3d/DRKQWCc3x -jkBERqZ+55unTY0/0uyNPoK0noAcGydiU8WGh6wyi+Do+Zxq4QJEcqL/FHrhlaiw -LTmgDS+XDl7zRtQia7ykpi/xqe74ujOHcJO8tpY0ZCdR2A13xiOi+11wndbOkBFv -dQ0vgih9ROzwe3hBbBQQOdF4hkA9vEd2Ks4gF8IR+5ixWAIyZAVbnDiLelWgQgnE -aeEwTtfcXRNAxuj+MgMPQhXQ2/cK0dPD4z51DchVRIf9G3hAuBT/CEhTqNkkm5F0 -og7azwd75+vh5RxwVld3ES6CMXKaiV4csQkdiEYEEBECAAYFAk64PygACgkQvnQP -QT8iuxlligCeNgfNE4w1AQuOC4ef3HNNY0GXgVMAnjmtCVIUJv/w6PDimvf20rgF -GVHxiQI+BBMBAgAoBQJOuD0KAhsDBQkCHIcABgsJCAcDAgYVCAIJCgsEFgIDAQIe 
-AQIXgAAKCRD8G1R8jYFyyPv3D/wJ+sYXqSxoo8OriGMUzG5LXs2Hf1YULdlysGa8 -mxWTwCIEMSSx8AoOKf/FyXglDVl9msfOgv6jRiN+UyNCQEv+6a5ZCL7BlAVU0Q4W -w2/UUlOUlLMC1QAodGcC3kiPSy41jnDVswKYRrICuiW1Pqgad3h7u7caqvqG1D/A -YOR2Q8JjY15j6Qf62Xx+YANx2tPWKeDyPUAN/x1W6RrEDbN5F+1qOpPFuTnpPmqH -q4zxm4Dz4szypmAKsN+5/q8T6DJtSnP7COtsY467oX2XtNTTuCIsU79lBVo/yan9 -ofB6hu12KyXwJIl1OK34g9VEP5suU3hcEw7uVAvxyMYJQlxORUCG0DAFc/oPm3d0 -ypRdbxXJMjoS3pmCf7kwnEA9PIAjZDYuVHGZkAdmYYInTIH6ipjkVxDHEF1en0h2 -zHJEZC7NIYgPyzHXmH7Xy3VZVhhKKKM12VDOuIOOecQPuFIw3hG7dymjn5e9dMzv -+DMkbEZzoFahLYkbVGG1FGzhE6Uvb/IG0UJCC4nDz0pzZpV++QHvgEvbY/HLbHJ4 -o3CT5aVE0YIhTP+zqXNFMOao8yZy+AzdMzdX+Y3ADZfY0oiZ+JH1Zo++rdrgXUhg -Y98QgMwVwESbwaBKjsC0JnlmWyNivhIOS6NRyqR75E7j7JSvgJdxhvpQXXkQ/BzL -FM1Ej4kCPgQTAQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAlDaJfoF -CQP8k6sACgkQ/BtUfI2BcsiEahAArZfD1yJK385eqgCZ5LryVLRXrocuF1zlHl/6 -ugRy2TEe43ex4eTOY+mv4ZJVSxbDzUqMbBv0m3IETbM0CSESjGD+i5I7K3IToZO9 -ZgIXDbpoy9x2KWjU+R5oaxCTmZ9jk1p+f4zHxc8lJdgOXPwcIIT5Euwk4LAFN+wn -CUHkO/D0xzP2ivTrM+VHNWqSUcNInAGRx+R0NvdSryIAsdA/5E3ql786WQhPy6L6 -1d7cmxaLsfAKIOf8ydNyoiqmJkT62omLLnqyERfLZRa9RKt5EgnxX6kR2BA+h/Gn -KVV18bCIJjF3Gjnh3qjJehKRaw9nmzrB9KtGQAHdIp8ivNvjMitc1ijRIECfidWd -lGxgmuI/gX58eaV3scjbs5YUFmGhcZIgjCxWWxFSwmzJTUVT5XqBpXFQB4dokj9m -NNMpM3YH8T9QaaS/m9j7cmCJ4gxp7i1bJsqsVG5BjRLiZv701eVKVmU6vqhubR0R -eSZghqho9e44ZMbn4rJ5kTQhGc7ZGNsIyChMSaYVreB8IBLDC7rg8dB/umg1OYOp -8EqRLJyXdtpa4DN3X0e4WcWb0Toj4QuyCh/es1CtBldhdqHr0aLZYCX4i/KuGTXI -kA8LTOJmZsE+K+/NCux1VHK9DADKcNjhSV0QTf+8ntGlNW6i2Mlt34thZK5eeB6W -Bbo1zl6JAhwEEAECAAYFAlLYK14ACgkQR9UBbEL/fCyyQBAA0931q8dBD/6COmat -8S+JSgcuIpylukFxU2vySBWSGRHFmFzwbokUE4bbNyutwNO2cNBa9zcxRPrkIg+7 -d65QjdZNDV2zWTjv5GwzEMjWxhP7VpTwTouYgx9j2d2KpFo2jfhTtZ7OU7DDF9YT -FsaRiZHHZT+W/JHuB9Lxc55HkSagu00yTaZURc0olBui5c/hqBte1b3OWTjCmysG -mwDL2FwdmFi9mbEm77sdD8PSVfkZaBv5rIaet+Xe/JMZoz0WUkZRCFXMr6B7aOdS -WeB7kUsPh2J5dhf4x4YaxKLOHod9JQF/DGJsdexKqMTqM/xOMSQ1FTUMCQ5SBWJc -3PywqMB/0eqlteHydlk7bb9HLCT3M6vVxTkpj834wGRsoVXPqWKzAHPpO2kjxXtc 
-4DBh7T88YGE2k5rxdJHb3MjWVJQzHGhrO5Ji8CQaHjUJ4BTyim++RDisDi4C/QJ4 -qPOrafw/+KyJoWyfmAUpxplPvY/LKJlvKaKxmpwlildYjH7HjoYvCjagbSCUOnzo -uM//YIJ8/o8QdxEDdYiTd7cwskYWphrAlV8+vCl/Y0lepRf+hsUS+uZi/NX4qYMx -CTsewnnqJQduuehQl9/RnoBX9T04kS64cWNaPZ4dxZUYJm3us5QFcQJMysZ4tT1Y -A0oEUX1KUTDzTQXT/kFi8MtmXauJAj4EEwECACgCGwMGCwkIBwMCBhUIAgkKCwQW -AgMBAh4BAheABQJS1dELBQkF3R5rAAoJEPwbVHyNgXLIV98P/jcu/DiP/muH2Qsy -FtjscyLu1NzBbSFB9q1jMVfx3VbaIT22Ly6BIQNHF7L2fpjf36EWpdJzpfR+Glp5 -1+KqZgIMAW5CGguSy8v7iHs6Rh5hzChiF48wCqxUmMdQ0ITTrnAXIYq6H6s8ytKF -Y31znXmne1XYBg8e4yb3pcBhkzIPeVU7rMz9PjPB0+Q2jWCpqPA4eUSV8rL2TxFR -KbEt8XlkZ6yuCLnkN84aLZFxfZA1tIGifi0PpeaO2z/IwOmftbQRiljMdnsPye49 -j4wlJS7yRIpnH3nH9Zku/MrDV/M0z7BVwKfF2F95/2QX4Tdyd/UESTdLqGtXpX4c -axahZKrOhNr+k60qSBxoBqKauZkSbZunRnbYmVa3nA2kQuIPF9/QmoZgDUfdkKZJ -u1RjwcRUGKd1XV19QjUvBMD3oHA4G6Jbi5vWKQZ40KVcL78YIL7C8dUOiPIasA45 -olaGpCSsGsfrMp5ngegxM+uh9Tc2kTFC9bTqp17VYI96cAqGrEBUQrmLmZLk0HUm -a6MNZO/+vKN4UTlgjpjxZon+/yK8bsmT/VNie5hzqZim6tfztl3rpJ9jPUeLgr5x -oGePYV02inapzNHdWFHk0L9zR/3KKfJ3IRJwUXp00Eya28hEepIvdxgLYcN1UqVn -VuFuMY8zYSl/VXtPxySCLENJHxvdtClMZXZlbnRlIFBvbHlhayA8bGV2ZW50ZUBs -ZXZlbnRlcG9seWFrLmRlPokCPgQTAQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwEC -HgECF4AFAlSXU9oFCQfATw8ACgkQ/BtUfI2BcsiPxw//X2xUctIrd1O7UOk7LHBX -/xI7xXoWQcA7l/1XMuZhM8yC8yIoAgvFrWBP1a29I0P3/yigkQXs+eTDTdvb0QP2 -q72q7Azt852v5u8+dHzoOXDpbo+4lfX+0OBDWimwJuChD8LQH7b7jO0oqWIV0AzM -vegFJVp3cDbyqw08lBz3xZ79A9JtBeewf6PLpXKjEVS8bEAZjZKjsjAY+5ShtJAf -PsD8r353dmkaHgC5Aji74ijZeY3PUCvGVVCGeN9isLnRpTEn7qUvN2DfHJU4w6aw -sXu7m7zidISo6dQLUzo54dHKWPGFy6INNkzXPOgrlbYnjt7v0Ou21/R6HrhdmsSw -lt7GALJcgAUxrcT/ljB3SZhSB0BdH0DXPcUziEdfhgMhhrXYpMjwH2XFBD1MLusW -GaVDbpPrSoEnmPVePcDUonDHePcuLjfOl13mOER1Kf6WFapOCa+4HCLakfKcPnGY -eyfD7Dbz3/046MmfQ8/Iyf8ipFXN6tI2WkRKj8uq9IFYrX3yoCBxZJN837DM3Grq -h48/T3pYU1f9LiekxbsgXmcHoGNdXX5+EsuO+QILZPttlG5QLuqFdJHei77uvW+B -4u8mgzi1Zhh0hRLm4K6UaJ/fBJ87BZSHShPKI9PI073U1O/CcYXnb8cdPLu3UgSQ -FM/bxT70TSYKI01Dt4KXRfWIRgQQEQIABgUCTrg/KAAKCRC+dA9BPyK7GT9FAJ47 
-X5+0dQaOFkfy3WnMgX3AmIXJYQCfR4XL47rZ9a66jWaD0IbcXMK4oE2JAj4EEwEC -ACgFAk64PJ4CGwMFCQIchwAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEPwb -VHyNgXLI2U8QAJGKPv1gWLn7P1KeHVsKkfRf+zgdsoY4mF3bUjX/03z1h1OKp+S7 -gZD/ZI80ckw/ElgFt9sr8J+pOgHk+aGHW+V0cZNgDHXCINb17s+Ra7SA/SWeJOrr -d4IpvTnjGc88C/j+bzRFagfnGXU601PeJdXIe6H75xVGIb0DgQBfPB9m+7p3sq/R -6UigzLwwhIQRW/l77hq79v5Rm77e0GTfcYHSuKu2Itim8p5OYCNchr4ZpBzrv5cF -/nH+HyD0AnM1q4a3mT9y4abNgtxJMGJBoIUEDT5vaTRpPowVHIGg9QroHkrYkMWA -ffIBzoq38WLnPjvjNtTncyP7sjbP8KS7NfjxZ6RAcNO6m6BTDYG/lM9jwCcOma90 -RZDVYD8hy+z1hXWFfB7zB+5TYuuKV5SXZpS9/JUR1BuI44WkY0hLHUa7inpqLlqc -b9O7KYikgyaeUKAN5LkF8A7rMVzuhrSItNzJVOs7WLnNAe9+Frzqx/jZ9aU04avS -r5OlWLdL7k9JNDnsLFqNtG/XQ7Hc8CPl0HvY3YXYGD3xwW6Ua6+ykxZGmQGPB68W -6a7G5EX+MEWKZgMQYsl1HgU49/sOD6QnCG3m2IB7bRAf5Kd527BnSgAaYHjVug8G -+X9opDwUW1b73Ut5tWfZJqQ4XBjl0Hc7Zi7OtlqdBeKGu/65QU+N9x33iQI+BBMB -AgAoAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCUNol+gUJA/yTqwAKCRD8 -G1R8jYFyyPv+D/9lA9yMXPBROLaCRab8Ca2QJBEtpT6lGVlkQ5Am2C8xdoLGiuJF -E7Cn/lS1j4RSVDK6DELeaBMXaY2g1eun8g2ERJIUGC98zrPjZXs/ZtCZtX8vYr1X -Bf9U8Ty6N3rKgt1XHc1oMgzkKLUc72RC+P/fkDsiAg62nVcmOFFykyTXnpM/5Ux/ -9kaahjf4LwGeRqkDIoLrXdZ7FHPjei8VlKSiHTkl4F+UCzEySxiInV+BWAhL5Lvb -zHxHaNDCquOb2zbgafVKON3oa8nCZoUw3iwpjrEy/JT+1BG6vxyT/LX7wPG3SKEw -8QTl8YBF8wvHS0JHW4KTc4grCMNWDwfkrlXnp6ZzTpy4JXZfYs/ltR4FH3atDG2C -xRCSAWXkGyTPMZkougdDbJ3jjViYcWO6B//LE1qDjeC05O9G3MXVxu16M5U8nVA2 -B3bo5cVv7+ECBTKaAvG3ZV6eOaeJ63gHRY8qI7y5OgzuNfxUXMTIAjHfO2mvSy5M -qFgDI10F8rYevGOKxvPVE1F8aiD1uRAOMCcLTy3oUKHIdaskSytL1D/bT9WqWzii -OXhLhSjMzkdPSUWVABeC6KM+Jcll0A0sHTkKWS3mavx3dUacB+O4efuTKNhSvo7n -XhUvSOOikRityipE5Ma5WlXBiu54DdIMGFzANHFdb5GmC7da9F1aALkshokCHAQQ -AQIABgUCUtgrXgAKCRBH1QFsQv98LMmaD/9W2qJyFlZAsjOWgNQPwUU4vV9/Ursj -kt4RI/oS0Gzovw2bmL0a+Q/dp6wM4PBMuYQXCepF8V+o4uKzL2OjVZDVtU/KqGCY -rEigiAhG0gHxgF1ukc9JQzhShFeq7/wkY+FQ4MOhuhuUsSMlvFzAd1hY+xlvckol -DEeS54loDspUh4EwxsWlopaA1rs5dzVXrYcinz9iDzLj6ujb6uJzCQVogk9w3dv8 -smKn81TVhtR4RFecqL9mURZcGnj7NV3n2Lrl2Pe0u/DiTtpavCkzVx7v9qiB/2Di 
-dqWR7OtYcywUr6lZeZsNabNwntPxSP7V6EcNXF3Qpi2IkAcwdJKb+aIG1v7/Wx77 -GhpBhbtdgKEebttzO4EVVeE8a2kmgqc8VXeAeqI89egU53dUdAinejFVDyemxHnJ -L4L6uVnSxbk/vRzu+fr6EaPyBsqORGXj2OuwxlWcnWs/N9XzNaiq6funedUSYtbP -trdpt7ogvzrQew7wetcwfxSB3IWcVwA9QvGDIBHTWPrb87jKV153w9I+cSfz9jg8 -qTIOw4qad7VOC4L1oaoRsLq6VFgnoW5DLsuhaVd6fgdY/byL6H5q2FPYJ+F8ovhR -2yPlQm8UYIFwmnwzpnuGBaPtU0bP7C+SNMK+G/9+b5q4psh1MnK8sg1RfSr1w7sw -b+Tur045QrUDu4kCPgQTAQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AF -AlLV0QsFCQXdHmsACgkQ/BtUfI2BcsitRA/7BbFuuAXPJMA4XtPhlYbfhNkYQ7+v -vx9HIZ1SgJfhpYwt/vbNTVclO79XD65v5JSWx+0gVJfHNolP5umB0++giIw9NCIx -uVa5eh3kS5NFfJ0YHrYgpFDdZPHRA9wI+oZgJBC/Cm40kafgTUoPFqXb0Sdlcz3R -hciLZBgYXV/uYubczfmAaJpmrVI1UuUWYrdPnmUkgitp9e6IePYiKVDeIGhBW8Bc -7Nbs2hc9yH1zwv3Affs8m+4tQQiwQHsB29WEZcmBuFllTbA5g5bvTvhfCRmYVgWC -Ti4SW+uA0B05a/aVP8fDXk82qCQ4cRB1BOwVNn+1/Aqcw+Zh8KKzH8gpPcsKGGP6 -uNg9uinuxYDneEY8cG7FSpm3XsXu4q4N6j5R63U6hz39pY/5Ib8mzYMEoLEZOLPu -CkVH9OOQc8zuiRL/wGc0pbMiGPEp13rAI0WbIFahrWS60bwtM1YEM5Ep8vD3TLl1 -pTWlF/zWpM/uJ6n/4nDXGQsGzKQn5D5Nsu7+55C0du0d1VRvYd8oG3AaNqhtM46V -C4eOqxH8XZtkJ3WMxhsHnV9acuDTpn5E5JKL7vEq0btN2UQ69lpKv7PmV/TgOJhf -KKvHZ0dh6KYY7iKW7NUCouLGibBoxDa+K4reh0i0M5UcsNiPkCqDIHUAIxW6FrvQ -xBr7NgCls+B9Kwu0JExldmVudGUgUG9seWFrIDxaM3IwLjB4MDBAZ21haWwuY29t -PokCPgQTAQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAlSXU9oFCQfA -Tw8ACgkQ/BtUfI2Bcsg4cw/5Af5/cxr5s8qiPvcGDglJyzFj8VBk0d7hpgdxcOi3 -VCOJY4YRoliu8WKThwxt7sD03fSZurFDDx+X27y3zPtgH/qBohmcr51jbSNom4mH -Gf8gpViFqbQlFh7tYz4kSQExgmpFx/FIaxmwFoEqiVrp6VpM2DZ6kg//4M+Ka2Mt -nuzV3C631A0eoMCJhPWPTgkGGknURvzhw6m2aGFWC/HE1yzf7Ej7fQeaqIxIG4Wy -Fk3lMV9rxMxGuUZTqIhvcU85JSriHowfX1VsAI2LXJYQ9c0jI737FcLwHv8VCa5s -NKDkLkb5S83/4Ep8e9M+a7u4WvkAqzmPfSna7bLxdsTS5gKGqEtMvMP2YGWWQxSR -GRSttiMmIC8Cnd45S8cASA2mR/ebNcrYOpa48cjYpBKDG2BIYU7oSLNulsM1qbxL -WJ0QM/g7iKHcrXhyIBaI22GS9hvmYcS960cox9oPCvNZcOKA6FBklnUg/ReJ3JTj -6D6v9SUxOOfXPQIon8EzB7BNKGedHxCFgniZnl10k+pP34YGyphMZTYGdhtAm6zq -T7PlraHQaFgQ3ba78lJcn3cWVZYpbCNJiH+Nna/Akm3/qQKTst3eW1lqopffCs1m 
-F6G6wjiHCw2bio5uX1c/gDr4Peh0E28heAqKopjultPXPZbSZL4D3fJIGP2j6e1B -wvmIRgQQEQIABgUCTrg/KAAKCRC+dA9BPyK7GcYrAKCgKW+qFwbMNeh4ikFg9fJx -4/lH9wCdGevT7dwBzPe6L+aWZxipEXYmjx6JAj4EEwECACgFAk64PN0CGwMFCQIc -hwAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEPwbVHyNgXLIThYP/AnoLpQl -whEEKaIhOSOKXegfdUHK6cL4cHRACzRIbBk/S4G2Vg/bnUW8tvWZDQLZ3CGL8Z0F -tNQ6GusUxt7mcYdSj7xynbi7bZiurgYp7B7hh1hVG3pAXEwlDnJgfoc0YZHrHZwt -HnNVYOfGEQF4zyplmUUxDyp/ZMYcXMr3PVJkYBJhYKCHOkMUtzzNjSSginaqZY1p -fgbP+Gou/9qgotkYiH84oUG9yTSKLIO5x0WzQYuoPNJyOdSHaLPfEqCC435vCYT5 -YLZB1YI5xzQiGsAL//cUCe267oiFmO9Ioky/azeX1Ouy2DH8uEDQPQFTJYXt3CbL -i10HkoBWdmncPC6+b0IJjDUo8Iv4yk0xFt2/DGkGK3h6jJxJ9pzx5KBT46iLfU50 -iTWMTguXn9ud/UJV0MpKgKjvO9hB4fae60n2UootknzEw6Y5W55PfGkT14WcrGGo -WHLSbpR6+gA9apU1cdoOC8nXlf3Eb2No6LP3X7RJXqiRsdP0s6QXkZGfR/qyNXI9 -S5j6wIyqNFU0cX21UgI9oJSKEKIKEFacgyD9za0gswEI+DZr8/p3cJE89ZX8ySgO -FG148wgaakTNGyGwR6aogGZ8IAHc83bnwGCgTeK6ZPSKNLSE/sImcTOrxIN1/x39 -r8o0TxuZjqFH+zKWfpdHX+sJLyi8Gs29CsUhiQI+BBMBAgAoAhsDBgsJCAcDAgYV -CAIJCgsEFgIDAQIeAQIXgAUCUNol+gUJA/yTqwAKCRD8G1R8jYFyyLl/EACG6QRV -kKVBoI2Ycr4UISk2+gCD2r4xSK/QLEhDFcZRgMctvPVnhod3uJOsMGJCk3aPGu91 -Jtwuj0CkeURa/cVzOjC+f7baveTuWQaAqW+r70m6F4gYHU0aDD/uQ75rTCcrsmt2 -pnZCyA9jLJxQGG11AvbOcV+7K7BuIvXs4iAactZ0hRvDVuGXuup2LnUbxyBU2oj7 -OWCXKTpZcJ0KGTWapMf8ClYYsEgS0wvMWotJzAov7ijkoP2DyEQVOPTnGWcfjsTk -QgbyqiFeBl+3IT4+xSzkPsd75dCYhsHBvCoT8cfUH4wvDXzU2CwpC1CDfHit6Hw5 -UigvZ8HXyn00Bm0UjLHGW+haS3kyOoz+z09gVFYd33cpjSnFr5is8ZMBPW31PE15 -q9/l6G/o6OGJCtOax3Yi6ttqn+KbDXIooZoRPZlayOSghyjoD40+ErevmqZPfJ3E -o1kHz62B1YpoXmhUm2Ihf2SbjWJRaW9Hp2nd81kAAXjr+8k4yvOuHxwYPFnpBjfV -cfYNQ3Zf5xF4nfszFuZMc5JYrIR3EYVgEk+n8VpulAqd0rXUEODwGy7rPjdxLY7w -DhUEZMQN3xweIb4vjPDBb0Ax3ACyfWKIdT0kC3rGOy9xyCzxWO2CjHMjrbxy4jL7 -B0WIQ5fpRcV2+wozs2WYgJKVKJgJZGYsW8dDLYkCHAQQAQIABgUCUtgrXgAKCRBH -1QFsQv98LIX0EADVefJUEMGKiTFLwUmWNF2X4oCzEZEMsQ6NliiQFvtNkKrT+OzZ -zggxfINUr0XEKgjjoGZ03Hmm7xAFc1Y51QZEr25H18PuSixz2YSHPqYwwVgLUh0v -u2AqaP0mQckssK+ZAQVvoZ7ZOI22ZXIZ6CPEPY6aJawHov8Strlm8oTbFgLfZ5Wo 
-3NCxMkkq3NFNHuwesccelNPefgnFZWhwr1mkUeX+rCAbQF/QHYEAi7KjfKyY+XKs -ccjYS+RWxpte21ejngp7pRYli3M8cZoaWKCzLTrD8gKztlo3op9Zc2+hjOY9gZtG -CaXkN8lchJ1yMyWju61ZO++AJq6S2OdBVxgsj9xPm+x91RbZRHQmUuq8mefUzaEm -NHE29udVFfuV//Fpabi04IrOuabkrSvP27eX9FT1y25tKFHuJdL5fDUFGnNnTvcR -X51lJmvnuIKJQ+Lthup7npS0L06+dPIDoqyxF8hmdu3RtwEsvkboPaxx5XTB5d8y -3wzBFWd4ePwBIumrY1YHSzdJCvyyLRXZbSOsHXgZfhfQ1LVgxxebP7E+stWqGLLC -Fry0WGG8f/UUgVr1QpluT6NjioUnuI/ZmKR/aKewqVYWAnr54fF+np4VdxPfYwci -lpbXpkamORZqPfq/nyoWgnp+y4AptDdDkSWnFxfcJ1wnFFcrHVUSFQ1wBYkCPgQT -AQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAlLV0QsFCQXdHmsACgkQ -/BtUfI2BcsjV6w/9Fe1+3Mc6wG3R9VbxiYo13/JV4t+tA9/tcJ1R/Y96eAqVajoK -c2ZQ7FrimmlzvLIvxpH4Z76h3NmPWfOQ6qEumZQ5BM3QwBfQQ3Tmj10gfiL5vOZJ -6dUaJjwXgjz0Qyk1G3gw7K1xmtnXgBPyGT9T9q3OAhHHdV2b6xS9dWoNKhUV8GUn -HfIKwq+87aZqexjFE7ubZdOAe+5nrqnlMEfJKgDjXbazES9IYvPQiSjwR3xaIPOa -ma5WfQV0SHg3Vkhtv2PjuoYWNfNy17N7u+dfg7nAtKLIQCPht45uKk66BYWYBoDI -VQfg6zcFLpdNcFzzwmgrYRZvEvBf5aSG3KFD7UReT0695/lHheRxEAA3thsx8gaM -CCavtVxbVUluEfYZ7TgXLMuIO9OBKhi7MwB3iL5qacrNShMB+1J5FxieJBmWXdla -+kCdCdS+9kIZH+mnQ8daGEJ5R9mNcVwcWasI0o9NObqIZwhKw4obrC5Q7m2NfXL6 -FUScfA7yn7+/icdQB9fH2ZXGJVuNm1b8OBN6Nbz0QauaCystWzKXKwpVb/5M623v -Vw75RfnqCFiAf4tX58nL/QalJc4C0E+TvQ2pXC47VQvHmiAB31vKvU0nbo+lzi64 -hAPWJnhr2pmTvglquTFzLwEsWfO4zDtUwFo8KM1XFsonaoX5UzGTXPmIN5+0J0xl -dmVudGUgUG9seWFrIDxhbnRocmF4eEBhcmNobGludXgub3JnPokCPwQTAQIAKQIb -AwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheABQJUl1PbBQkHwE8PAAoJEPwbVHyN -gXLIdGAP/0ch1NeFyXWszqA5ow+itBn6iyUaplXB5I56Q77cTIFB6LqJ5+2kdUuO -UqPvOilGS3dxbyDsSdWDLs+bHRFG4uqZyGUDhmu2mvS+uDqPFwcKJUNDlgdccxph -sA5HJFGg1ca0TWWg8vjwANdU4sL9Ujbaw93v0Mx/1+aSIxyEJBNxc6DJWEfCjpSy -R9JB8WTHgvxEAImVNsT1OGNTvd2DN+17WBhxBktLHDocIGJ/fttzFgKkv6NTPwt+ -y4QyP3UgeYRZR21B6MVckk2/UuCuCY7gAGruTFVoINa/Wqn2YPPZhJYrTX7ysDaV -QLObxlepeo0UWC7wFEiuqu5OM75MWLUX8j/1OAIE6my85vrlcWSf0Z3jOAgPTjJw -VT5h7T/7NPP2azoIlOE2bh5UcKXFkT0xDYPcMr2hV2Ih+jU+Ygiyg/1yIIxearmm -PFjfIHMLepa+7RPtTlHwu4fpNPXzL13W6PXSoCTTi/suGlYmSyLtOwxq15GGT3vg 
-1Xh8wfkuWwbWJnBKXtt8HkteQRgDngDnRSJwsO2nnQ7+sr+F8J3rQDdlVdVcolic -ekup8ZgSjJYinfcpF+H+qy2kK2jOYyyHI/+zHQtwy1R7MbLwPJe7WNWrBmEvmazB -2//Iu5EVIfFX3flPjeRQbKX4B/SuXF48uo0/8WfdgaMW8glRWJnbiQI/BBMBAgAp -BQJUSwOnAhsDBQkF3R5rBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQ/BtU -fI2Bcsj5ihAAg0d0A8OUsNWG7TiPQTuC/D4e/5JTkJARmQ5xO6gMPxTpjSZCyWEl -7gQOg/liU8nz5HZGaJgg4HuBwTs6euqdnVi6zhW1c1wye2thGTQ7DeSPJnhju3Qe -mPS1jEdC34lXCo6eGjdKnGb7TV7hkptHKHh7XCU9n6qcXQ2cNQQbdqSCRsfVm1XD -+p+mM/FGOz8uFOrhERAUl99WkVZ4NKTdws8U6FXulbdWrWwI4eRggIdwI/Tl7zuy -ja7KxBCCeJ/gFY6g+iOYmIo6//bJITgmAG60hFHJ9JigcN6xglYFI28TCdNqM0+C -hgbZUner0vLmaxRNoXqV9Xw8ihNMQa7fUFYkX8VrXOdLdVvee7OaeLuWWE8x6usQ -NzgLDQQx9fmxtrQY+dC6Y25IPMm094z0nrbM1wtfG2+8Vw4mQ2U099fT5t3Yl7fE -PlanhgQxRZE78PxezyYxms4HV+wqvrhlBzFnWAd6H27uDPfUfO9cLgbmFTUlwFhg -gsDeIFRFx8+h4/0xAIPqUODmTiN0mj5sLRW7zvqZW6zhsGIMdPd+IkhHiGjeJqme -Ai0iOjpV3tRteoW51/+/ajPmyUBbvOxiFJNADHH2NvqoBMU1pkTvpc7Wy+2J9VcF -4TFdWBbwjU8BoC3ZgixTrT0zCSwabnKriglOhA5Ik/n5HsR7S76V13y0KExldmVu -dGUgUG9seWFrIDxhbnRocmF4eEBoYW1idXJnLmNjYy5kZT6JAj0EEwEIACcFAlSX -VHICGwMFCQfATw8FCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQ/BtUfI2Bcsia -Wg//SKLFNUTEBQG11cV/AljxmI2s8y+cPKs3VqlwEjiuRMu4DRkFVaZNEuPq0b8q -8pwcHIJ5/nZvOticm9M/g7TrTp3pOxmSYf7WG31vVrprig22dz8WxQAy76srNn1z -stg0TFO7nKNVjZOFz5D0RpWazwnXyDed3l2/7RZ1CMv7ue/rZez8FnDHN7Di3daX -AJ5XkvDAsD6AITYQd+4XEbh2rt9p8G6qUUjwzoVU/aGVgo1CGZydYMJQVccNL7kv -fumnwkAED8u9j0ZI+xfaD3c1rP98bnqk9u8rJPCAeIkA4ppisDb7noz0NaO7dDyM -ywBK4OR478fw5h7GfiIwZdVAHkCoEHNvF1ON8JnYgyplLvZvxZ0dtYGDYDiFdORN -gVgGMU12kemPws4hEx3WMgUu/BBkF58XyQyqcwt7q+WGI2lQ88UzZ/FAsu8i8r/J -jkV8FsiCJ2rSHEMddmOHoaTM+6oB2i9kZo7KmToSZu7DxuemlHpuOO3kG/iRga2y -NeancRJwbxgZhNGBbhrA/7k5UOcXkmfW74oBkbCci0ncVhHu12dsJXhk+eprkOXv -nD1vEIeuzL4V/SMDar3SxFlfLFwQk4cn9+pdeP3LxwHKBn74pABsbEBhEY4IjUEL -YOTEVoP6s+Ou1NcLxFl3elmniwL2+GV5rDM8pctkKNemtZa5Ag0ETrg4RQEQALfu -qEihKS+DTVlWUujzSq5zK/5oQ1ZL8AiTUTZuVtrRWCq0HE8tWaVxEP3Vt9FCo7yF -afXigokChzHOgzczg80tctrlv+vbFyaZnjGQH20Nlz8EnZP102zudx/RdFXG/up8 
-PX50Eck2lH+IvvosMLdvrZTkFJ4SgqMGSoAgMhJHZdZB5N0y8yPPAjcEnSXp8L2A -mo9e0egCrEuqBrCZld00nIoipyDlYNZkLjPf0JRgFPO/AWWgBZLvLlteLu0emq8N -96bT3QTdXpRVPM0qeX94+2gIj+0V1uQ9+k5Xkslbbii9TnOzMnLRO6dBAONVTTb3 -ajzdXK71iv2a8Y9lKShxhYWP9JNOFlXkAp+ZoD7EZex4dgu6giV3PrTDJLyWSu41 -WfqOz6cJGpJSTacrenC542ynAaSVKXH+1plqB9kq/M7HtE/P4GveQXIVT9Sho394 -4hwkuETo20KwCgFPMmiNaBysnOykIcDsDutBOyygdovzdGEyHVsM8/kz007QFgJf -hKy91H6O/Cg7VH+yaUKllRZ+kFsoSy8/E0IqLzqBHG3sUGM6lJ0Q9fgSnpzIZsdE -jRhczNCvlovGLa/kBHcEUWQ2zrjnfjsLkxvamKJ8N6LLIXIDRv5dE2smpdi3oiVg -XdOKshyXB+obhRFlWtirK4udX5yYzUpcB0zBoo1hABEBAAGJAiUEGAECAA8CGwwF -AlSXVAEFCQfATzwACgkQ/BtUfI2Bcsj0Tw//dyDYwcnh0BIb+nDCXFC91KiPUILa -f+wI5w6c9YYEo6TR89q6Wsq8EDiqcqSJcztuNvw3MZGHWA25nNB/0046CGM/tUBd -Jyudd3TxQBi6XMMSTbG1EMtSN1UMV4guuUfYcAGW38oZ+YJACCBFFz/Kt0aa/hhi -/hBNyvI73vZfQ/fsScFDewkxikUEspRsLVmX6gaEmumOxOhJP3HBoxeBCM4Z3IXo -dON2SiiMxt9BPIPJOyKNkFQGQ3dqJIag3GnsZ1s0CEoi8iqF7uS4RjC7uOJtvn74 -CODxg1Ibl1IweyAuBEA80wUh9DGLAdRJpxWy1B2fDhIROvpcg0R5p6j9UX0b0esc -jKLQEiE1wRswjXhWpZhe7Pjl38KhwqMyaeR3OnDtP7JXazIG6HiBIp4cx4k5A2TT -X+LhvG3NHCeuxIyjLTRTWgv241kf7uAu+qgjHDSKXQqpjvo+cUYQgSxQZZXnmlz0 -sz/tEeiWl+i8kW/RNKQvNNR8ghWDW3YRak/zS+WFNoLZchecIzMj+je1vSg411o4 -Xd3LHDur6boCetaq7ZkqoS+NcX9n8MnKhHKYJblvXyc1h67s90+wSwhlumA8WqlM -yqn99m13aF8GuGZbw5B2/x/Cd7WW5wZV6ioola/yqDXB1XtDFBy2Hxr/VMRlE3Cu -kekzzVjVTZxOgZE= -=yRuG ------END PGP PUBLIC KEY BLOCK----- diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix deleted file mode 100644 index dacbf3bc9ab9..000000000000 --- a/pkgs/os-specific/linux/kernel/hardened/config.nix +++ /dev/null 
@@ -1,112 +0,0 @@
-# Based on recommendations from:
-# https://kspp.github.io/Recommended_Settings
-# https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project
-#
-# Dangerous features that can be permanently (for the boot session) disabled at
-# boot via sysctl or kernel cmdline are left enabled here, for improved
-# flexibility.
-#
-{
- stdenv,
- lib,
- version,
-}:
-
-with lib.kernel;
-with (lib.kernel.whenHelpers version);
-
-assert (lib.versionAtLeast version "4.9");
-
-{
- # Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n
- # conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
- # implicitly marks LSM hooks read-only after init.
- #
- # SELinux can only be disabled at boot via selinux=0
- #
- # We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the
- # config builder fails to detect that it has indeed been unset.
- SECURITY_SELINUX_DISABLE = whenOlder "6.4" no; # On 6.4: error: unused option: SECURITY_SELINUX_DISABLE
- SECURITY_WRITABLE_HOOKS = whenOlder "6.4" no;
-
- # Perform additional validation of commonly targeted structures.
- DEBUG_CREDENTIALS = whenOlder "6.6" yes;
- DEBUG_NOTIFIERS = yes;
- DEBUG_PI_LIST = whenOlder "5.2" yes; # doesn't BUG()
- DEBUG_PLIST = whenAtLeast "5.2" yes;
- DEBUG_SG = yes;
- DEBUG_VIRTUAL = yes;
- SCHED_STACK_END_CHECK = yes;
-
- REFCOUNT_FULL = whenOlder "5.4.208" yes;
-
- # tell EFI to wipe memory during reset
- # https://lwn.net/Articles/730006/
- RESET_ATTACK_MITIGATION = yes;
-
- # restricts loading of line disciplines via TIOCSETD ioctl to CAP_SYS_MODULE
- CONFIG_LDISC_AUTOLOAD = option no;
-
- # Wipe higher-level memory allocations on free() with page_poison=1
- PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;
- PAGE_POISONING_ZERO = whenOlder "5.11" yes;
-
- # Enable init_on_free by default
- INIT_ON_FREE_DEFAULT_ON = whenAtLeast "5.3" yes;
-
- # Initialize all stack variables on function entry
- INIT_STACK_ALL_ZERO = yes;
-
- # Wipe all caller-used registers on exit from a function
- ZERO_CALL_USED_REGS = whenAtLeast "5.15" yes;
-
- # Enable the SafeSetId LSM
- SECURITY_SAFESETID = whenAtLeast "5.1" yes;
-
- # Reboot devices immediately if kernel experiences an Oops.
- PANIC_TIMEOUT = freeform "-1";
-
- GCC_PLUGINS = yes; # Enable gcc plugin options
-
- GCC_PLUGIN_STACKLEAK = whenAtLeast "4.20" yes; # A port of the PaX stackleak plugin
- GCC_PLUGIN_RANDSTRUCT = whenOlder "5.19" yes; # A port of the PaX randstruct plugin
- GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenOlder "5.19" yes;
-
- # Runtime undefined behaviour checks
- # https://www.kernel.org/doc/html/latest/dev-tools/ubsan.html
- # https://developers.redhat.com/blog/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan
- UBSAN = yes;
- UBSAN_TRAP = whenAtLeast "5.7" yes;
- UBSAN_BOUNDS = whenAtLeast "5.7" yes;
- UBSAN_SANITIZE_ALL = whenOlder "6.9" yes;
- UBSAN_LOCAL_BOUNDS = option yes; # clang only
- CFI_CLANG = option yes; # clang only Control Flow Integrity since 6.1
-
- # Disable various dangerous settings
- ACPI_CUSTOM_METHOD = whenOlder "6.9" no; # Allows writing directly to physical memory
- PROC_KCORE = no; # Exposes kernel text image layout
- INET_DIAG = no; # Has been used for heap based attacks in the past
-
- # INET_DIAG=n causes the following options to not exist anymore, but since they are defined in common-config.nix,
- # make them optional
- INET_DIAG_DESTROY = option no;
- INET_RAW_DIAG = option no;
- INET_TCP_DIAG = option no;
- INET_UDP_DIAG = option no;
- INET_MPTCP_DIAG = option no;
-
- # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
- CC_STACKPROTECTOR_REGULAR = lib.mkForce (whenOlder "4.18" no);
- CC_STACKPROTECTOR_STRONG = whenOlder "4.18" yes;
-
- # CONFIG_DEVMEM=n causes these to not exist anymore.
- STRICT_DEVMEM = option no;
- IO_STRICT_DEVMEM = option no;
-
- # stricter IOMMU TLB invalidation
- IOMMU_DEFAULT_DMA_STRICT = option yes;
- IOMMU_DEFAULT_DMA_LAZY = option no;
-
- # not needed for less than a decade old glibc versions
- LEGACY_VSYSCALL_NONE = lib.mkIf stdenv.hostPlatform.isx86 yes;
-}
diff --git a/pkgs/os-specific/linux/kernel/hardened/patches.json b/pkgs/os-specific/linux/kernel/hardened/patches.json
deleted file mode 100644
index bcda85c9fcc3..000000000000
--- a/pkgs/os-specific/linux/kernel/hardened/patches.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "6.12": {
- "patch": {
- "extra": "-hardened1",
- "name": "linux-hardened-v6.12.69-hardened1.patch",
- "sha256": "15zgha5qvn8a6ibx4b8mn5bwsm9z4xnpx3kz49ncpnk3iagcr2vw",
- "url": "https://github.com/anthraxx/linux-hardened/releases/download/v6.12.69-hardened1/linux-hardened-v6.12.69-hardened1.patch"
- },
- "sha256": "0rbnbynhm7w4ig8snq97px4ljr5k4zq1a97jqhwk4w0qy9bkcjab",
- "version": "6.12.69"
- }
-}
diff --git a/pkgs/os-specific/linux/kernel/hardened/update.py b/pkgs/os-specific/linux/kernel/hardened/update.py
deleted file mode 100755
index 3e12a0e2dd5d..000000000000
--- a/pkgs/os-specific/linux/kernel/hardened/update.py
+++ /dev/null
@@ -1,301 +0,0 @@
-#! /usr/bin/env nix-shell
-#! nix-shell -i python -p "python3.withPackages (ps: [ps.pygithub ps.packaging])" git gnupg
-
-# This is automatically called by ../update.sh.
-
-from __future__ import annotations
-
-import json
-import os
-import re
-import subprocess
-import sys
-from dataclasses import dataclass
-from pathlib import Path
-from tempfile import TemporaryDirectory
-from typing import (
- Dict,
- Iterator,
- List,
- Optional,
- Sequence,
- Tuple,
- TypedDict,
- Union,
-)
-
-from github import Github
-from github.GitRelease import GitRelease
-
-from packaging.version import parse as parse_version, Version
-
-VersionComponent = Union[int, str]
-Version = List[VersionComponent]
-
-
-PatchData = TypedDict("PatchData", {"name": str, "url": str, "sha256": str, "extra": str})
-Patch = TypedDict("Patch", {
- "patch": PatchData,
- "version": str,
- "sha256": str,
-})
-
-
-def read_min_kernel_branch() -> List[str]:
- with open(NIXPKGS_KERNEL_PATH / "kernels-org.json") as f:
- return list(parse_version(sorted(json.load(f).keys())[0]).release)
-
-
-@dataclass
-class ReleaseInfo:
- version: Version
- release: GitRelease
-
-
-HERE = Path(__file__).resolve().parent
-NIXPKGS_KERNEL_PATH = HERE.parent
-NIXPKGS_PATH = HERE.parents[4]
-HARDENED_GITHUB_REPO = "anthraxx/linux-hardened"
-HARDENED_TRUSTED_KEY = HERE / "anthraxx.asc"
-HARDENED_PATCHES_PATH = HERE / "patches.json"
-MIN_KERNEL_VERSION: Version = read_min_kernel_branch()
-
-
-def run(*args: Union[str, Path]) -> subprocess.CompletedProcess[bytes]:
- try:
- return subprocess.run(
- args,
- check=True,
- stdout=subprocess.PIPE,
- stderr=subprocess.PIPE,
- encoding="utf-8",
- )
- except subprocess.CalledProcessError as err:
- print(
- f"error: `{err.cmd}` failed unexpectedly\n"
- f"status code: {err.returncode}\n"
- f"stdout:\n{err.stdout.strip()}\n"
- f"stderr:\n{err.stderr.strip()}",
- file=sys.stderr,
- )
- sys.exit(1)
-
-
-def nix_prefetch_url(url: str) -> Tuple[str, Path]:
- output = run("nix-prefetch-url", "--print-path", url).stdout
- sha256, path = output.strip().split("\n")
- return sha256, Path(path)
-
-
-def verify_openpgp_signature(
- *, name: str, trusted_key: Path, sig_path: Path, data_path: Path,
-) -> bool:
- with TemporaryDirectory(suffix=".nixpkgs-gnupg-home") as gnupg_home_str:
- gnupg_home = Path(gnupg_home_str)
- run("gpg", "--homedir", gnupg_home, "--import", trusted_key)
- keyring = gnupg_home / "pubring.kbx"
- try:
- subprocess.run(
- ("gpgv", "--keyring", keyring, sig_path, data_path),
- check=True,
- stderr=subprocess.PIPE,
- encoding="utf-8",
- )
- return True
- except subprocess.CalledProcessError as err:
- print(
- f"error: signature for {name} failed to verify!",
- file=sys.stderr,
- )
- print(err.stderr, file=sys.stderr, end="")
- return False
-
-
-def fetch_patch(*, name: str, release_info: ReleaseInfo) -> Optional[Patch]:
- release = release_info.release
- extra = f'-{release_info.version[-1]}'
-
- def find_asset(filename: str) -> str:
- try:
- it: Iterator[str] = (
- asset.browser_download_url
- for asset in release.get_assets()
- if asset.name == filename
- )
- return next(it)
- except StopIteration:
- raise KeyError(filename)
-
- patch_filename = f"{name}.patch"
- try:
- patch_url = find_asset(patch_filename)
- sig_url = find_asset(patch_filename + ".sig")
- except KeyError:
- print(f"error: {patch_filename}{{,.sig}} not present", file=sys.stderr)
- return None
-
- sha256, patch_path = nix_prefetch_url(patch_url)
- _, sig_path = nix_prefetch_url(sig_url)
- sig_ok = verify_openpgp_signature(
- name=name,
- trusted_key=HARDENED_TRUSTED_KEY,
- sig_path=sig_path,
- data_path=patch_path,
- )
- if not sig_ok:
- return None
-
- kernel_ver = re.sub(r"v?(.*)(-hardened[\d]+)$", r'\1', release_info.release.tag_name)
- major = kernel_ver.split('.')[0]
- sha256_kernel, _ = nix_prefetch_url(f"mirror://kernel/linux/kernel/v{major}.x/linux-{kernel_ver}.tar.xz")
-
- return Patch(
- patch=PatchData(name=patch_filename, url=patch_url, sha256=sha256, extra=extra),
- version=kernel_ver,
- sha256=sha256_kernel
- )
-
-
-def normalize_kernel_version(version_str: str) -> list[str|int]:
- # There have been two variants v6.10[..] and 6.10[..], drop the v
- version_str_without_v = version_str[1:] if not version_str[0].isdigit() else version_str
-
- version: list[str|int] = []
-
- for component in re.split(r'\.|\-', version_str_without_v):
- try:
- version.append(int(component))
- except ValueError:
- version.append(component)
- return version
-
-
-def version_string(version: Version) -> str:
- return ".".join(str(component) for component in version)
-
-
-def major_kernel_version_key(kernel_version: list[int|str]) -> str:
- return version_string(kernel_version[:-1])
-
-
-def commit_patches(*, kernel_key: Version, message: str) -> None:
- new_patches_path = HARDENED_PATCHES_PATH.with_suffix(".new")
- with open(new_patches_path, "w") as new_patches_file:
- json.dump(patch_json, new_patches_file, indent=4, sort_keys=True)
- new_patches_file.write("\n")
- os.rename(new_patches_path, HARDENED_PATCHES_PATH)
- message = f"linux/hardened/patches/{kernel_key}: {message}"
- print(message)
- if os.environ.get("COMMIT"):
- run(
- "git",
- "-C",
- NIXPKGS_PATH,
- "commit",
- f"--message={message}",
- HARDENED_PATCHES_PATH,
- )
-
-
-# Load the existing patches.
-with open(HARDENED_PATCHES_PATH) as patches_file:
- patch_json = json.load(patches_file)
- patch_versions = set([parse_version(k) for k in patch_json.keys()])
-
-with open(NIXPKGS_KERNEL_PATH / "kernels-org.json") as kernel_versions_json:
- kernel_versions = json.load(kernel_versions_json)
-
- kernels = {
- parse_version(version): meta
- for version, meta in kernel_versions.items()
- if version != "testing"
- }
-
- latest_lts = sorted(ver for ver, meta in kernels.items() if meta.get("lts", False))[-1]
- keys = sorted(kernels.keys())
- latest_release = keys[-1]
- fallback = keys[-2]
-
-g = Github(os.environ.get("GITHUB_TOKEN"))
-repo = g.get_repo(HARDENED_GITHUB_REPO)
-failures = False
-
-all_candidates = set([latest_lts, latest_release, fallback])
-kernels_to_package = {}
-for release in repo.get_releases()[:30]:
- version = normalize_kernel_version(release.tag_name)
- # needs to look like e.g. 5.6.3-hardened1
- if len(version) < 4:
- continue
-
- if not (isinstance(version[-2], int)):
- continue
-
- kernel_version = version[:-1]
- kernel_key = parse_version(major_kernel_version_key(kernel_version))
-
- if kernel_key not in all_candidates:
- continue
-
- try:
- found = kernels_to_package[kernel_key]
- if found.version > version:
- continue
- except KeyError:
- pass
-
- kernels_to_package[kernel_key] = ReleaseInfo(version=version, release=release)
-
-if latest_release in kernels_to_package:
- if fallback != latest_lts:
- del kernels_to_package[fallback]
- kernel_versions = set([latest_lts, latest_release])
-else:
- kernel_versions = set([latest_lts, fallback])
-
-# Remove patches for unpackaged kernel versions.
-removals = False
-for kernel_key in sorted(patch_versions - kernels_to_package.keys()):
- del patch_json[str(kernel_key)]
- removals = True
- commit_patches(kernel_key=kernel_key, message="remove")
-
-# Update hardened-patches.json for each release.
-for kernel_key in sorted(kernels_to_package.keys()):
- release_info = kernels_to_package[kernel_key]
- release = release_info.release
- version = release_info.version
- version_str = release.tag_name
- name = f"linux-hardened-{version_str}"
-
- old_version: Optional[list[int|str]] = None
- old_version_str: Optional[str] = None
- update: bool
- try:
- old_filename = patch_json[str(kernel_key)]["patch"]["name"]
- old_version_str = old_filename.replace("linux-hardened-", "").replace(
- ".patch", ""
- )
- old_version = normalize_kernel_version(old_version_str)
- update = old_version < version
- except KeyError:
- update = True
-
- if update:
- patch = fetch_patch(name=name, release_info=release_info)
- if patch is None:
- failures = True
- else:
- if str(kernel_key) in patch_json:
- message = f"{old_version_str} -> {version_str}"
- else:
- message = f"init at {version_str}"
- patch_json[str(kernel_key)] = patch
-
- commit_patches(kernel_key=kernel_key, message=message)
-
-if removals:
- print("Hardened kernels were removed. Don't forget to remove their attributes!")
-
-if failures:
- sys.exit(1)
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index 2b20f994eef1..db617c867064 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -27,26 +27,4 @@
 name = "request-key-helper";
 patch = ./request-key-helper.patch;
 };
-
- hardened =
- let
- mkPatch =
- kernelVersion:
- {
- version,
- sha256,
- patch,
- }:
- let
- src = patch;
- in
- {
- name = lib.removeSuffix ".patch" src.name;
- patch = fetchurl (lib.removeAttrs src [ "extra" ]);
- extra = src.extra;
- inherit version sha256;
- };
- patches = lib.importJSON ./hardened/patches.json;
- in
- lib.mapAttrs mkPatch patches;
 }
diff --git a/pkgs/os-specific/linux/kernel/update.sh b/pkgs/os-specific/linux/kernel/update.sh
index 862c6c74ac5c..95894ff8ad65 100755
--- a/pkgs/os-specific/linux/kernel/update.sh
+++ b/pkgs/os-specific/linux/kernel/update.sh @@ -3,6 +3,3 @@ cd "$(dirname "$(readlink -f "$0")")" || exit echo "Update linux (mainline)" COMMIT=1 ./update-mainline.py || echo "update-mainline failed with exit code $?" - -echo "Update linux-hardened" -COMMIT=1 ./hardened/update.py || echo "update-hardened failed with exit code $?" diff --git a/pkgs/os-specific/linux/rtl8188eus-aircrack/default.nix b/pkgs/os-specific/linux/rtl8188eus-aircrack/default.nix index 547b489f66e7..c1f1cbcf6454 100644 --- a/pkgs/os-specific/linux/rtl8188eus-aircrack/default.nix +++ b/pkgs/os-specific/linux/rtl8188eus-aircrack/default.nix @@ -39,8 +39,6 @@ stdenv.mkDerivation { homepage = "https://github.com/aircrack-ng/rtl8188eus"; license = lib.licenses.gpl2Only; maintainers = with lib.maintainers; [ moni ]; - broken = - ((lib.versions.majorMinor kernel.version) == "5.4" && kernel.isHardened) - || kernel.kernelAtLeast "6.17"; + broken = kernel.kernelAtLeast "6.17"; }; } diff --git a/pkgs/os-specific/linux/rtl8821ce/default.nix b/pkgs/os-specific/linux/rtl8821ce/default.nix index 45f4f3f89cd8..e7768683ed7e 100644 --- a/pkgs/os-specific/linux/rtl8821ce/default.nix +++ b/pkgs/os-specific/linux/rtl8821ce/default.nix @@ -45,8 +45,6 @@ stdenv.mkDerivation (finalAttrs: { license = lib.licenses.gpl2Only; platforms = lib.platforms.linux; maintainers = with lib.maintainers; [ defelo ]; - broken = - stdenv.hostPlatform.isAarch64 - || ((lib.versions.majorMinor kernel.version) == "5.4" && kernel.isHardened); + broken = stdenv.hostPlatform.isAarch64; }; }) diff --git a/pkgs/os-specific/linux/rtl8852au/default.nix b/pkgs/os-specific/linux/rtl8852au/default.nix index dc8e1df64408..20016d185c75 100644 --- a/pkgs/os-specific/linux/rtl8852au/default.nix +++ b/pkgs/os-specific/linux/rtl8852au/default.nix 
@@ -71,7 +71,7 @@ stdenv.mkDerivation (finalAttrs: {
 license = lib.licenses.gpl2Only;
 platforms = [ "x86_64-linux" ];
 # FIX: error: invalid initializer
- broken = (kernel.kernelOlder "6" && kernel.isHardened) || kernel.kernelAtLeast "6.17";
+ broken = kernel.kernelAtLeast "6.17";
 maintainers = with lib.maintainers; [ lonyelon ];
 };
 })
diff --git a/pkgs/os-specific/linux/rtl8852bu/default.nix b/pkgs/os-specific/linux/rtl8852bu/default.nix
index 4c0b9030d797..6cf50b73f149 100644
--- a/pkgs/os-specific/linux/rtl8852bu/default.nix
+++ b/pkgs/os-specific/linux/rtl8852bu/default.nix
@@ -66,7 +66,7 @@ stdenv.mkDerivation (finalAttrs: {
 homepage = "https://github.com/morrownr/rtl8852bu-20240418";
 license = lib.licenses.gpl2Only;
 platforms = [ "x86_64-linux" ];
- broken = (kernel.kernelOlder "6" && kernel.isHardened) || kernel.kernelAtLeast "6.18"; # Similar to 79c1cf6
+ broken = kernel.kernelAtLeast "6.18"; # Similar to 79c1cf6
 maintainers = with lib.maintainers; [
 lonyelon
 thtrf
diff --git a/pkgs/os-specific/linux/sysdig/default.nix b/pkgs/os-specific/linux/sysdig/default.nix
index 27f1b741ec20..676aca2ee11f 100644
--- a/pkgs/os-specific/linux/sysdig/default.nix
+++ b/pkgs/os-specific/linux/sysdig/default.nix
@@ -187,8 +187,7 @@ stdenv.mkDerivation {
 ];
 maintainers = with lib.maintainers; [ raskin ];
 platforms = lib.platforms.linux ++ lib.platforms.darwin;
- broken =
- kernel != null && ((lib.versionOlder kernel.version "4.14") || kernel.isHardened || kernel.isZen);
+ broken = kernel != null && ((lib.versionOlder kernel.version "4.14") || kernel.isZen);
 homepage = "https://sysdig.com/opensource/";
 downloadPage = "https://github.com/draios/sysdig/releases";
 };
diff --git a/pkgs/os-specific/linux/vmware/default.nix b/pkgs/os-specific/linux/vmware/default.nix
index 12cf51154135..37d7f43fc931 100644
--- a/pkgs/os-specific/linux/vmware/default.nix
+++ b/pkgs/os-specific/linux/vmware/default.nix
@@ -46,7 +46,6 @@ stdenv.mkDerivation {
 homepage = "https://github.com/mkubecek/vmware-host-modules";
 license = lib.licenses.gpl2Only;
 platforms = [ "x86_64-linux" ];
- broken = (kernel.kernelOlder "5.5" && kernel.isHardened);
 maintainers = with lib.maintainers; [
 deinferno
 vifino
diff --git a/pkgs/servers/openafs/1.8/module.nix b/pkgs/servers/openafs/1.8/module.nix
index b03f06246b0c..8c88b291b7bd 100644
--- a/pkgs/servers/openafs/1.8/module.nix
+++ b/pkgs/servers/openafs/1.8/module.nix
@@ -146,6 +146,5 @@ stdenv.mkDerivation {
 andersk
 spacefrogg
 ];
- broken = kernel.isHardened;
 };
 }
diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix
index 50f722a18c42..a5a4c14da001 100644
--- a/pkgs/top-level/aliases.nix
+++ b/pkgs/top-level/aliases.nix
@@ -1157,7 +1157,7 @@ mapAliases {
 linux_6_6 = linuxKernel.kernels.linux_6_6;
 linux_6_6_hardened = throw "linux_hardened on nixpkgs only contains latest stable and latest LTS"; # Added 2025-08-10
 linux_6_12 = linuxKernel.kernels.linux_6_12;
- linux_6_12_hardened = linuxKernel.kernels.linux_6_12_hardened;
+ linux_6_12_hardened = throw "linux_6_12_hardened has been removed due to lack of maintenance"; # Added 2026-03-18
 linux_6_13 = throw "linux 6.13 was removed because it has reached its end of life upstream"; # Added 2025-06-29
 linux_6_13_hardened = throw "linux 6.13 was removed because it has reached its end of life upstream"; # Added 2025-06-29
 linux_6_14 = throw "linux 6.14 was removed because it has reached its end of life upstream"; # Added 2025-06-29
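Review bot: The new `linux_6_12_hardened` throw in the aliases.nix hunk says only that the attribute is gone, so a configuration that selected this kernel for its hardening patch set and config gets no pointer to what to use instead. Failing evaluation is the right outcome, since it prevents a silent fall-back to an unhardened kernel, but the message could name the release-notes entry (this commit touches rl-2605.section.md), e.g. `throw "linux_6_12_hardened has been removed due to lack of maintenance; see the 26.05 release notes"`. The same applies to the `linux_hardened`, `linuxPackages_6_12_hardened` and `linuxPackages_hardened` throws in the later aliases.nix hunks and to the matching throws added in linux-kernels.nix.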
@@ -1168,7 +1168,7 @@ mapAliases {
 linux_6_18 = linuxKernel.kernels.linux_6_18;
 linux_6_19 = linuxKernel.kernels.linux_6_19;
 linux_ham = throw "linux_ham has been removed in favour of the standard kernel packages"; # Added 2025-06-24
- linux_hardened = linuxPackages_hardened.kernel; # Added 2025-08-10
+ linux_hardened = throw "linux_hardened has been removed due to lack of maintenance"; # Added 2026-03-18
 linux_latest-libre = throw "linux_latest_libre has been removed due to lack of maintenance"; # Added 2025-10-01
 linux_lqx = throw "linux_lqx has been removed due to lack of maintenance"; # Added 2026-03-13
 linux_rpi0 = linuxKernel.kernels.linux_rpi1;
@@ -1191,7 +1191,7 @@ mapAliases {
 linuxPackages_6_6 = linuxKernel.packages.linux_6_6;
 linuxPackages_6_6_hardened = throw "linux_hardened on nixpkgs only contains latest stable and latest LTS"; # Added 2025-08-10
 linuxPackages_6_12 = linuxKernel.packages.linux_6_12;
- linuxPackages_6_12_hardened = linuxKernel.packages.linux_6_12_hardened; # Added 2025-08-10
+ linuxPackages_6_12_hardened = throw "linuxPackages_6_12_hardened has been removed due to lack of maintenance"; # Added 2026-03-18
 linuxPackages_6_13 = throw "linux 6.13 was removed because it has reached its end of life upstream"; # Added 2025-06-29
 linuxPackages_6_13_hardened = throw "linux 6.13 was removed because it has reached its end of life upstream"; # Added 2025-06-29
 linuxPackages_6_14 = throw "linux 6.14 was removed because it has reached its end of life upstream"; # Added 2025-06-29
@@ -1202,7 +1202,7 @@ mapAliases { linuxPackages_6_18 = linuxKernel.packages.linux_6_18; linuxPackages_6_19 = linuxKernel.packages.linux_6_19; linuxPackages_ham = throw "linux_ham has been removed in favour of the standard kernel packages"; # Added 2025-06-24 - linuxPackages_hardened = linuxKernel.packages.linux_hardened; # Added 2025-08-10 + linuxPackages_hardened = throw "linuxPackages_hardened has been removed due to lack of maintenance"; # Added 2026-03-18 linuxPackages_latest-libre = throw "linux_latest_libre has been removed due to lack of maintenance"; # Added 2025-10-01 linuxPackages_latest_xen_dom0 = throw "'linuxPackages_latest_xen_dom0' has been renamed to/replaced by 'linuxPackages_latest'"; # Converted to throw 2025-10-27 linuxPackages_lqx = throw "linuxPackages_lqx has been removed due to lack of maintenance"; # Added 2026-03-13 diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 3437155eedce..10e58b8c0268 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -8655,8 +8655,6 @@ with pkgs; linuxPackagesFor = linuxKernel.packagesFor; - hardenedLinuxPackagesFor = linuxKernel.hardenedPackagesFor; - linuxManualConfig = linuxKernel.manualConfig; linuxPackages_custom = linuxKernel.customPackage; diff --git a/pkgs/top-level/linux-kernels.nix b/pkgs/top-level/linux-kernels.nix index 35510ecfad6f..1c65a10f26ef 100644 --- a/pkgs/top-level/linux-kernels.nix +++ b/pkgs/top-level/linux-kernels.nix @@ -14,7 +14,6 @@ # When adding a kernel: # - Update packageAliases.linux_latest to the latest version -# - Update linux_latest_hardened when the patches become available let inherit (lib) recurseIntoAttrs dontRecurseIntoAttrs; 
@@ -42,38 +41,6 @@ let }; } ); - - # Hardened Linux - hardenedKernelFor = - kernel': overrides: - let - kernel = kernel'.override overrides; - version = kernelPatches.hardened.${kernel.meta.branch}.version; - major = lib.versions.major version; - sha256 = kernelPatches.hardened.${kernel.meta.branch}.sha256; - modDirVersion' = builtins.replaceStrings [ kernel.version ] [ version ] kernel.modDirVersion; - in - kernel.override { - structuredExtraConfig = import ../os-specific/linux/kernel/hardened/config.nix { - inherit stdenv lib version; - }; - argsOverride = { - inherit version; - pname = "linux-hardened"; - modDirVersion = modDirVersion' + kernelPatches.hardened.${kernel.meta.branch}.extra; - src = fetchurl { - url = "mirror://kernel/linux/kernel/v${major}.x/linux-${version}.tar.xz"; - inherit sha256; - }; - extraMeta = { - broken = kernel.meta.broken; - }; - }; - kernelPatches = kernel.kernelPatches ++ [ - kernelPatches.hardened.${kernel.meta.branch} - ]; - isHardened = true; - }; in { kernelPatches = callPackage ../os-specific/linux/kernel/patches.nix { }; @@ -197,10 +164,6 @@ in kernelPatches.request_key_helper ]; }; - - linux_6_12_hardened = hardenedKernelFor kernels.linux_6_12 { }; - - linux_hardened = linux_6_12_hardened; } // lib.optionalAttrs config.allowAliases { linux_lqx = throw "linux_lqx has been removed due to lack of maintenance"; 
@@ -228,9 +191,11 @@ in linux_6_9_hardened = throw "linux 6.9 was removed because it has reached its end of life upstream"; linux_6_10_hardened = throw "linux 6.10 was removed because it has reached its end of life upstream"; linux_6_11_hardened = throw "linux 6.11 was removed because it has reached its end of life upstream"; + linux_6_12_hardened = throw "linux_6_12_hardened has been removed due to lack of maintenance"; linux_6_13_hardened = throw "linux 6.13 was removed because it has reached its end of life upstream"; linux_6_14_hardened = throw "linux 6.14 was removed because it has reached its end of life upstream"; linux_6_15_hardened = throw "linux 6.15 was removed because it has reached its end of life upstream"; + linux_hardened = throw "linux_hardened has been removed due to lack of maintenance"; linux_rt_5_4 = throw "linux_rt 5.4 has been removed because it will reach its end of life within 25.11"; linux_rt_5_10 = throw "linux_rt_5_10 has been removed due to lack of maintenance"; @@ -317,7 +282,6 @@ in inherit (kernel) isLTS isZen - isHardened ; inherit (kernel) kernelOlder kernelAtLeast; kernelModuleMakeFlags = self.kernel.commonMakeFlags ++ [ @@ -704,8 +668,6 @@ in )).extend (lib.fixedPoints.composeManyExtensions kernelPackagesExtensions); - hardenedPackagesFor = kernel: overrides: packagesFor (hardenedKernelFor kernel overrides); - vanillaPackages = { # recurse to build modules for the kernels linux_5_10 = recurseIntoAttrs (packagesFor kernels.linux_5_10); 
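Review bot: Dropping `isHardened` from the `inherit (kernel)` list in the `@@ -317,7 +282,6 @@` hunk removes the attribute from the kernel package set outright, so an out-of-tree module expression that still tests it would fail with a missing-attribute error rather than evaluate to `false`. This commit deletes exactly that pattern from sysdig, openafs, vmware and the rtl88xx drivers, which suggests it is in common use. The kernel derivation's own definition lives in build.nix/generic.nix, outside this view, so the breakage is inferred; if the attribute is gone there too, either keep a constant `isHardened = false;` for one release or state the removal in the release notes. The enclosing attribute set starts and ends outside the hunk.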
@@ -744,10 +706,6 @@ in # Intentionally lacks recurseIntoAttrs, as -rc kernels will quite likely break out-of-tree modules and cause failed Hydra builds. linux_testing = packagesFor kernels.linux_testing; - linux_hardened = recurseIntoAttrs (packagesFor kernels.linux_hardened); - - linux_6_12_hardened = recurseIntoAttrs (packagesFor kernels.linux_6_12_hardened); - linux_zen = recurseIntoAttrs (packagesFor kernels.linux_zen); linux_xanmod = recurseIntoAttrs (packagesFor kernels.linux_xanmod); linux_xanmod_stable = recurseIntoAttrs (packagesFor kernels.linux_xanmod_stable); @@ -768,9 +726,11 @@ in linux_6_9_hardened = throw "linux 6.9 was removed because it has reached its end of life upstream"; linux_6_10_hardened = throw "linux 6.10 was removed because it has reached its end of life upstream"; linux_6_11_hardened = throw "linux 6.11 was removed because it has reached its end of life upstream"; + linux_6_12_hardened = throw "linux_6_12_hardened has been removed due to lack of maintenance"; linux_6_13_hardened = throw "linux 6.13 was removed because it has reached its end of life upstream"; linux_6_14_hardened = throw "linux 6.14 was removed because it has reached its end of life upstream"; linux_6_15_hardened = throw "linux 6.15 was removed because it has reached its end of life upstream"; + linux_hardened = throw "linux_hardened has been removed due to lack of maintenance"; linux_ham = throw "linux_ham has been removed in favour of the standard kernel packages"; linux_rt_5_4 = throw "linux_rt 5.4 was removed because it will reach its end of life within 25.11"; # Added 2025-10-22