kernel mitigation

2024-03-29 22:02:47 +00:00 · 2024-03-29 22:02:47 +00:00 · 4ce363374e
commit 4ce363374e
parent a13cd3a690
4 changed files with 36 additions and 1 deletions
--- a/backports/default.nix
+++ b/backports/default.nix
@ -3,6 +3,9 @@ let
  inherit (prev) callPackage fetchFromGitHub;
  inherit (prev.lib) recurseIntoAttrs optionalAttrs;

+  xz-hold = nixfiles.inputs.nixpkgs-unstable.legacyPackages.${prev.system}.xz.version == "5.6.1";
+  xz-fixed = (nixfiles.inputs.nixpkgs-staging-next.legacyPackages.${prev.system}.xz);
+
  # if you can't do version based just make it time based and deal with it in a
  # month if it's not fixed
  # 2024-04-10T08:11:11
@ -15,4 +18,5 @@ let
      hash="sha256-oat4TwOorFevUMZdBFgaQHx/UKqGW7CGMoOHVgQxVdM="; 
    };
  in recurseIntoAttrs (callPackage "${src}/pkgs/applications/graphics/gimp/plugins" {});
-in (optionalAttrs gap-hold { gimpPlugins = gimpPlugins-gap; })
+in (optionalAttrs gap-hold { gimpPlugins = gimpPlugins-gap; }) //
+  (optionalAttrs xz-hold { xz=xz-fixed; })
--- a/flake.lock
+++ b/flake.lock
@ -417,6 +417,22 @@
        "type": "github"
      }
    },
+    "nixpkgs-staging-next": {
+      "locked": {
+        "lastModified": 1711735267,
+        "narHash": "sha256-Zj44dQ38cqN3NddIE/eA8t36eAKv0SVoMZPK8FF1pQ0=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "1149e1edb772e5f8e87d1a9be91bc34795fdafe8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "staging-next",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixpkgs-unstable": {
      "locked": {
        "lastModified": 1711593151,
@ -477,6 +493,7 @@
        "nix-wsl": "nix-wsl",
        "nixfiles-assets": "nixfiles-assets",
        "nixpkgs": "nixpkgs_2",
+        "nixpkgs-staging-next": "nixpkgs-staging-next",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "pkg-android-tools": "pkg-android-tools",
        "rust-overlay": "rust-overlay",
--- a/flake.nix
+++ b/flake.nix
@ -6,6 +6,8 @@
                 # ^^^^^^^^^^^^^ this part is optional
    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";

+    nixpkgs-staging-next.url = "github:NixOS/nixpkgs/staging-next";
+
    # this seems to be a popular way to declare systems
    systems.url = "github:nix-systems/default";

--- a/system/mitigations.nix
+++ b/system/mitigations.nix
@ -2,8 +2,20 @@
 let
  p5 = config.services.xserver.desktopManager.plasma5.enable;
  p6 = config.services.desktopManager.plasma6.enable;
+
+  isNewer = ref: ver: ((builtins.compareVersions ver ref) == 1);
+
+  # kernel update
+  newKernelPackages = inputs.nixpkgs-staging-next.legacyPackages.${pkgs.system}.linuxPackages_latest;
 in
 {
  config = lib.mkMerge [
+    {
+      boot.kernelPackages = newKernelPackages;
+      assertions = [
+        { assertion = (!(isNewer "6.8" nixpkgs.legacyPackages.${pkgs.system}.linuxPackages.kernel.version));
+          message = "Kernel is no longer outdated. Please remove this."; }
+      ];
+    }
  ];
 }