From df44527b5adb5d847accd2e7741efd3374b84540 Mon Sep 17 00:00:00 2001 From: Ville Ilvonen Date: Tue, 7 Nov 2023 10:35:45 +0200 Subject: [PATCH] devshell: for kernel development * Sets up dependencies for kernel configuration, compilation and kernel-hardening-checker for the dev shell. * Extracts and patches linux_latest kernel sources to current directory under ghaf if the directory is not already there. Enters the source directory. * Sets shell prompt to indicate ghaf kernel devshell. Signed-off-by: Ville Ilvonen --- docs/src/architecture/hardening.md | 35 +++++++++++++----------------- flake.nix | 31 ++++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 20 deletions(-) diff --git a/docs/src/architecture/hardening.md b/docs/src/architecture/hardening.md index 5f3801e9e..ed9a389e4 100644 --- a/docs/src/architecture/hardening.md +++ b/docs/src/architecture/hardening.md 
@@ -19,35 +19,30 @@ NixOS provides several mechanisms to customize kernel. The main methods are: * [Usage in Ghaf](https://github.com/search?q=repo%3Atiiuae%2Fghaf%20kernelparams&type=code) * [declaring kernel custom configuration](https://nixos.org/manual/nixos/stable/#sec-linux-config-customizing) * [Usage in Ghaf](https://github.com/tiiuae/ghaf/blob/main/modules/host/kernel.nix) - * Example of entering the kernel menuconfig to customize the `.config`: + * Example of entering the kernel development shell to customize the `.config` and build it: ``` - ❯ nix-shell '' -p pkgs.ncurses pkgs.pkg-config - these 4 paths will be fetched (0.66 MiB download, 1.66 MiB unpacked): + ~/ghaf $ nix develop .#devShells.x86_64-linux.kernel ... - - ~ via ❄️ impure (shell) - ❯ nix-shell '' -A pkgs.linux_latest.configfile - - ~ via ❄️ impure (shell) - ❯ unpackPhase - - ~ via ❄️ impure (linux-config-6.5.7) - ❯ cd linux-6.5.7/ - - ~/linux-6.5.7 via ❄️ impure (linux-config-6.5.7) - ❯ make menuconfig -* Enter the kernel build environment - ``` - nix-shell -E 'with import {}; linux.overrideAttrs (o: {nativeBuildInputs=o.nativeBuildInputs ++ [ pkg-config ncurses ];})' - make -j16 + [ghaf-kernel-devshell:~/ghaf/linux-6.5.5]$ make menuconfig + ... + [ghaf-kernel-devshell:~/ghaf/linux-6.5.5]$ make -j16 ... Kernel: arch/x86/boot/bzImage ``` * Boot the built kernel with QEMU ``` - qemu-system-x86_64 -kernel arch/x86/boot/bzImage + [ghaf-kernel-devshell:~/ghaf/linux-6.5.5]$ qemu-system-x86_64 -kernel arch/x86/boot/bzImage ``` * [validating with kernel hardening checker](https://github.com/a13xp0p0v/kernel-hardening-checker) + ``` + [ghaf-kernel-devshell:~/ghaf/linux-6.5.5]$ kernel-hardening-checker -c ../modules/host/ghaf_host_hardened_baseline + [+] Kconfig file to check: ../modules/host/ghaf_host_hardened_baseline + [+] Detected microarchitecture: X86_32 + [+] Detected kernel version: 6.5 + [+] Detected compiler: GCC 120200 + ... 
+ [+] Config check is finished: 'OK' - 100 / 'FAIL' - 80 + ``` ### Host kernel diff --git a/flake.nix b/flake.nix index a1e029aaf..c9af02515 100644 --- a/flake.nix +++ b/flake.nix @@ -77,6 +77,37 @@ }; formatter = pkgs.alejandra; + + devShells.kernel = pkgs.mkShell { + packages = [ + pkgs.ncurses + pkgs.pkg-config + pkgs.python3 + pkgs.python3Packages.pip + ]; + inputsFrom = [pkgs.linux_latest]; + shellHook = '' + export src=${pkgs.linux_latest.src} + if [ ! -d "linux-${pkgs.linux_latest.version}" ]; then + unpackPhase + patchPhase + fi + cd linux-${pkgs.linux_latest.version} + + # python3+pip for kernel-hardening-checker + export PIP_PREFIX=$(pwd)/_build/pip_packages + export PYTHONPATH="$PIP_PREFIX/${pkgs.python3.sitePackages}:$PYTHONPATH" + export PATH="$PIP_PREFIX/bin:$PATH" + + # install kernel-hardening-checker via pip under "linux-
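Review bot: In the hardening.md hunk the sample checker output says `[+] Detected microarchitecture: X86_32` while the shell shown is `devShells.x86_64-linux.kernel`; either the `ghaf_host_hardened_baseline` passed with `-c` is not a 64-bit config or the output was captured from another run, so please verify the detected architecture matches the host target before publishing, otherwise readers will tune against the wrong recommendation set. The closing line `'OK' - 100 / 'FAIL' - 80` also needs one sentence stating whether 80 failing checks is the accepted state of the baseline or an open to-do; as written it reads as if the hardened baseline is broken. Note that the `../modules/host/...` path only resolves because the devshell `cd`s into the unpacked kernel tree, which is worth saying next to the command.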
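Review bot: In the flake.nix hunk the shellHook exports only `src` before calling `unpackPhase` and `patchPhase`; `patchPhase` applies whatever is listed in the `patches` variable, which is never set here, so the commit message's "extracts and patches" does not hold unless `patches` is exported from `pkgs.linux_latest` as well. `unpackPhase` also leaves the shell inside the unpacked tree, so on first entry the subsequent `cd linux-${pkgs.linux_latest.version}` runs from inside that directory and fails (harmless on later entries when the `if` is skipped, but it prints an error the first time); running the unpack/patch steps in a subshell, or moving the `cd` into the `else` path, fixes it. Two smaller points: `export PYTHONPATH="$PIP_PREFIX/${pkgs.python3.sitePackages}:$PYTHONPATH"` leaves a trailing empty entry when PYTHONPATH was unset, which Python resolves to the current directory, here the kernel source tree, so prefer `${PYTHONPATH:+:$PYTHONPATH}`; and the `pip install` introduced by the truncated last line runs against PyPI every time the shell is entered, so pin the kernel-hardening-checker version (or package it through nix) and document that entering the devshell needs network access.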