diff --git a/LICENSES/BSD-2-Clause-Patent.txt b/LICENSES/BSD-2-Clause-Patent.txt
new file mode 100644
index 000000000..31de6e498
--- /dev/null
+++ b/LICENSES/BSD-2-Clause-Patent.txt
@@ -0,0 +1,19 @@
+Copyright (c)
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+
+Subject to the terms and conditions of this license, each copyright holder and contributor hereby grants to those receiving rights under this license a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except for failure to satisfy the conditions of this license) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer this software, where such license applies only to those patent claims, already acquired or hereafter acquired, licensable by such copyright holder or contributor that are necessarily infringed by:
+
+(a) their Contribution(s) (the licensed copyrights of copyright holders and non-copyrightable additions of contributors, in source or binary form) alone; or
+
+(b) combination of their Contribution(s) with the work of authorship to which such Contribution(s) was added by such copyright holder or contributor, if, at the time the Contribution is added, such addition causes such combination to be necessarily infringed. The patent license shall not apply to any other combinations which include the Contribution.
+
+Except as expressly stated above, no rights or licenses from any copyright holder or contributor is granted under this license, whether expressly, by implication, estoppel or otherwise.
+
+DISCLAIMER
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/LICENSES/GPL-2.0-only.txt b/LICENSES/GPL-2.0-only.txt
new file mode 100644
index 000000000..17cb28643
--- /dev/null
+++ b/LICENSES/GPL-2.0-only.txt
@@ -0,0 +1,117 @@ +GNU GENERAL PUBLIC LICENSE +Version 2, June 1991 + +Copyright (C) 1989, 1991 Free Software Foundation, Inc. +51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + +Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. + +Preamble + +The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too. + +When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. + +To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. + +For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. 
+ +We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. + +Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. + +Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. + +The precise terms and conditions for copying, distribution and modification follow. + +TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + +0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. 
The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. + +1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. + +You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. + +2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. + + c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. 
(Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. + +3. 
You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. + +4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. + +5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. + +6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. + +7. 
If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. + +It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. + +This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. + +8. 
If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. + +9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. + +Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. + +10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. + +NO WARRANTY + +11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + +12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. + +END OF TERMS AND CONDITIONS + +How to Apply These Terms to Your New Programs + +If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. + +To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. + + one line to give the program's name and an idea of what it does. 
Copyright (C) yyyy name of author + + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. + +signature of Ty Coon, 1 April 1989 Ty Coon, President of Vice diff --git a/LICENSES/GPL-2.0-or-later.txt b/LICENSES/GPL-2.0-or-later.txt new file mode 100644 index 000000000..17cb28643 --- /dev/null 
+++ b/LICENSES/GPL-2.0-or-later.txt 
@@ -0,0 +1,117 @@ +GNU GENERAL PUBLIC LICENSE +Version 2, June 1991 + +Copyright (C) 1989, 1991 Free Software Foundation, Inc. +51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + +Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. + +Preamble + +The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too. + +When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. + +To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. + +For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. 
+ +We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. + +Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. + +Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. + +The precise terms and conditions for copying, distribution and modification follow. + +TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + +0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. 
The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. + +1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. + +You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. + +2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. + + c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. 
(Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. + +3. 
You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. + +4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. + +5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. + +6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. + +7. 
If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. + +It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. + +This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. + +8. 
If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. + +9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. + +Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. + +10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. + +NO WARRANTY + +11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + +12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. + +END OF TERMS AND CONDITIONS + +How to Apply These Terms to Your New Programs + +If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. + +To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. + + one line to give the program's name and an idea of what it does. 
Copyright (C) yyyy name of author + + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. + +signature of Ty Coon, 1 April 1989 Ty Coon, President of Vice diff --git a/LICENSES/GPL-3.0-only.txt b/LICENSES/GPL-3.0-only.txt new file mode 100644 index 000000000..f6cdd22a6 --- /dev/null 
+++ b/LICENSES/GPL-3.0-only.txt 
@@ -0,0 +1,232 @@ +GNU GENERAL PUBLIC LICENSE +Version 3, 29 June 2007 + +Copyright © 2007 Free Software Foundation, Inc. + +Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. + +Preamble + +The GNU General Public License is a free, copyleft license for software and other kinds of works. + +The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too. + +When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things. + +To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others. + +For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. 
+ +Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it. + +For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions. + +Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users. + +Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free. + +The precise terms and conditions for copying, distribution and modification follow. + +TERMS AND CONDITIONS + +0. Definitions. + +“This License” refers to version 3 of the GNU General Public License. + +“Copyright” also means copyright-like laws that apply to other kinds of works, such as semiconductor masks. + +“The Program” refers to any copyrightable work licensed under this License. 
Each licensee is addressed as “you”. “Licensees” and “recipients” may be individuals or organizations. + +To “modify” a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a “modified version” of the earlier work or a work “based on” the earlier work. + +A “covered work” means either the unmodified Program or a work based on the Program. + +To “propagate” a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well. + +To “convey” a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying. + +An interactive user interface displays “Appropriate Legal Notices” to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion. + +1. Source Code. +The “source code” for a work means the preferred form of the work for making modifications to it. “Object code” means any non-source form of a work. 
+ +A “Standard Interface” means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language. + +The “System Libraries” of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A “Major Component”, in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it. + +The “Corresponding Source” for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work. + +The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source. + +The Corresponding Source for a work in source code form is that same work. + +2. Basic Permissions. 
+All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law. + +You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you. + +Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary. + +3. Protecting Users' Legal Rights From Anti-Circumvention Law. +No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures. 
+ +When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures. + +4. Conveying Verbatim Copies. +You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program. + +You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee. + +5. Conveying Modified Source Versions. +You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to “keep intact all notices”. + + c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. 
This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so. + +A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an “aggregate” if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate. + +6. Conveying Non-Source Forms. +You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways: + + a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange. 
+ + b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b. + + d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d. 
+ +A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work. + +A “User Product” is either (1) a “consumer product”, which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, “normally used” refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product. + +“Installation Information” for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made. + +If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. 
But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM). + +The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network. + +Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying. + +7. Additional Terms. +“Additional permissions” are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions. + +When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission. 
+ +Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or authors of the material; or + + e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors. + +All other non-permissive additional terms are considered “further restrictions” within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying. 
+ +If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms. + +Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way. + +8. Termination. +You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11). + +However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation. + +Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice. + +Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10. + +9. Acceptance Not Required for Having Copies. +You are not required to accept this License in order to receive or run a copy of the Program. 
Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so. + +10. Automatic Licensing of Downstream Recipients. +Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License. + +An “entity transaction” is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts. + +You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it. + +11. Patents. +A “contributor” is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. 
The work thus licensed is called the contributor's “contributor version”. + +A contributor's “essential patent claims” are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, “control” includes the right to grant patent sublicenses in a manner consistent with the requirements of this License. + +Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version. + +In the following three paragraphs, a “patent license” is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To “grant” such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party. + +If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. 
“Knowingly relying” means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid. + +If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it. + +A patent license is “discriminatory” if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007. + +Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law. + +12. No Surrender of Others' Freedom. 
+If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program.
+
+13. Use with the GNU Affero General Public License.
+Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such.
+
+14. Revised Versions of this License.
+The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License “or any later version” applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation.
+
+If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program.
+
+Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version.
+
+15. Disclaimer of Warranty.
+THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+16. Limitation of Liability.
+IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+17. Interpretation of Sections 15 and 16.
+If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee.
+
+END OF TERMS AND CONDITIONS
+
+How to Apply These Terms to Your New Programs
+
+If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.
+
+To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the “copyright” line and a pointer to where the full notice is found.
+
+
+ Copyright (C)
+
+ This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along with this program. If not, see .
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program does terminal interaction, make it output a short notice like this when it starts in an interactive mode:
+
+ Copyright (C)
+ This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, your program's commands might be different; for a GUI interface, you would use an “about box”.
+
+You should also get your employer (if you work as a programmer) or school, if any, to sign a “copyright disclaimer” for the program, if necessary. For more information on this, and how to apply and follow the GNU GPL, see .
+
+The GNU General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. But first, please read .
diff --git a/LICENSES/LGPL-2.1-or-later.txt b/LICENSES/LGPL-2.1-or-later.txt
new file mode 100644
index 000000000..c6487f4fd
--- /dev/null
+++ b/LICENSES/LGPL-2.1-or-later.txt
@@ -0,0 +1,176 @@
+GNU LESSER GENERAL PUBLIC LICENSE
+
+Version 2.1, February 1999
+
+Copyright (C) 1991, 1999 Free Software Foundation, Inc.
+51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
+
+[This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.]
+
+Preamble
+
+The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.
+
+This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below.
+
+When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things.
+
+To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it.
+
+For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights.
+
+We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library.
+
+To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others.
+
+Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license.
+
+Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.
+
+When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library.
The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library.
+
+We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances.
+
+For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License.
+
+In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system.
+
+Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library.
+
+The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library".
The former contains code derived from the library, whereas the latter must be combined with the library in order to run.
+
+GNU LESSER GENERAL PUBLIC LICENSE
+TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you".
+
+A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables.
+
+The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)
+
+"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library.
+
+Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does.
+
+1.
You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library.
+
+You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
+
+2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
+
+ a) The modified work must itself be a software library.
+
+ b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.
+
+ c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.
+
+ d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.
+
+(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.)
+
+These requirements apply to the modified work as a whole.
If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library.
+
+In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
+
+3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices.
+
+Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.
+
+This option is useful when you wish to copy part of the code of the Library into a program that is not a library.
+
+4.
You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.
+
+If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.
+
+5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.
+
+However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.
+
+When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law.
+
+If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.)
+
+Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.
+
+6. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.
+
+You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:
+
+ a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library.
(It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)
+
+ b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with.
+
+ c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.
+
+ d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.
+
+ e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy.
+
+For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
+
+It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.
+
+7.
You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:
+
+ a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.
+
+ b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.
+
+8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
+
+9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.
+
+10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions.
You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License.
+
+11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library.
+
+If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances.
+
+It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.
+
+This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
+
+12.
If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.
+
+13. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation.
+
+14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
+
+NO WARRANTY
+
+15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+END OF TERMS AND CONDITIONS
+
+How to Apply These Terms to Your New Libraries
+
+If you develop a new library, and you want it to be of the greatest possible use to the public, we recommend making it free software that everyone can redistribute and change. You can do so by permitting redistribution under these terms (or, alternatively, under the terms of the ordinary General Public License).
+
+To apply these terms, attach the following notices to the library. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.
+
+ one line to give the library's name and an idea of what it does.
+ Copyright (C) year name of author
+
+ This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Also add information on how to contact you by electronic and paper mail.
+
+You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the library, if necessary. Here is a sample; alter the names:
+
+Yoyodyne, Inc., hereby disclaims all copyright interest in
+the library `Frob' (a library for tweaking knobs) written
+by James Random Hacker.
+
+signature of Ty Coon, 1 April 1990
+Ty Coon, President of Vice
+That's all there is to it!
diff --git a/LICENSES/LicenseRef-NvidiaProprietary.txt b/LICENSES/LicenseRef-NvidiaProprietary.txt
new file mode 100644
index 000000000..63ac26db7
--- /dev/null
+++ b/LICENSES/LicenseRef-NvidiaProprietary.txt
@@ -0,0 +1,265 @@ +/* + * Copyright (c) 2013-2021, NVIDIA CORPORATION. All rights reserved. + * + * NVIDIA CORPORATION and its licensors retain all intellectual property + * and proprietary rights in and to this software, related documentation + * and any modifications thereto. Any use, reproduction, disclosure or + * distribution of this software and related documentation without an express + * license agreement from NVIDIA CORPORATION is strictly prohibited. + * + * This product incorporates software provided under the following terms: + * + * --------------------------------------------------------------------------- + * + * Copyright (c) 2008-2015 Travis Geiselbrecht + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files + * (the "Software"), to deal in the Software without restriction, + * including without limitation the rights to use, copy, modify, merge, + * publish, distribute, sublicense, and/or sell copies of the Software, + * and to permit persons to whom the Software is furnished to do so, + * subject to the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. + * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY + * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, + * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + * + * --------------------------------------------------------------------------- + * + * libfdt - Flat Device Tree manipulation + * Copyright (C) 2006 David Gibson, IBM Corporation. 
+ * + * Used under the BSD license: + * + * Redistribution and use in source and binary forms, with or + * without modification, are permitted provided that the following + * conditions are met: + * + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND + * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, + * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * --------------------------------------------------------------------------- + * + * The LLVM Project is under the Apache License v2.0 with LLVM Exceptions: + * + * Apache License + * Version 2.0, January 2004 + * http://www.apache.org/licenses/ + * + * TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + * + * 1. Definitions. + * + * "License" shall mean the terms and conditions for use, reproduction, + * and distribution as defined by Sections 1 through 9 of this document. + * + * "Licensor" shall mean the copyright owner or entity authorized by + * the copyright owner that is granting the License. 
+ * + * "Legal Entity" shall mean the union of the acting entity and all + * other entities that control, are controlled by, or are under common + * control with that entity. For the purposes of this definition, + * "control" means (i) the power, direct or indirect, to cause the + * direction or management of such entity, whether by contract or + * otherwise, or (ii) ownership of fifty percent (50%) or more of the + * outstanding shares, or (iii) beneficial ownership of such entity. + * + * "You" (or "Your") shall mean an individual or Legal Entity + * exercising permissions granted by this License. + * + * "Source" form shall mean the preferred form for making modifications, + * including but not limited to software source code, documentation + * source, and configuration files. + * + * "Object" form shall mean any form resulting from mechanical + * transformation or translation of a Source form, including but + * not limited to compiled object code, generated documentation, + * and conversions to other media types. + * + * "Work" shall mean the work of authorship, whether in Source or + * Object form, made available under the License, as indicated by a + * copyright notice that is included in or attached to the work + * (an example is provided in the Appendix below). + * + * "Derivative Works" shall mean any work, whether in Source or Object + * form, that is based on (or derived from) the Work and for which the + * editorial revisions, annotations, elaborations, or other modifications + * represent, as a whole, an original work of authorship. For the purposes + * of this License, Derivative Works shall not include works that remain + * separable from, or merely link (or bind by name) to the interfaces of, + * the Work and Derivative Works thereof. 
+ * + * "Contribution" shall mean any work of authorship, including + * the original version of the Work and any modifications or additions + * to that Work or Derivative Works thereof, that is intentionally + * submitted to Licensor for inclusion in the Work by the copyright owner + * or by an individual or Legal Entity authorized to submit on behalf of + * the copyright owner. For the purposes of this definition, "submitted" + * means any form of electronic, verbal, or written communication sent + * to the Licensor or its representatives, including but not limited to + * communication on electronic mailing lists, source code control systems, + * and issue tracking systems that are managed by, or on behalf of, the + * Licensor for the purpose of discussing and improving the Work, but + * excluding communication that is conspicuously marked or otherwise + * designated in writing by the copyright owner as "Not a Contribution." + * + * "Contributor" shall mean Licensor and any individual or Legal Entity + * on behalf of whom a Contribution has been received by Licensor and + * subsequently incorporated within the Work. + * + * 2. Grant of Copyright License. Subject to the terms and conditions of + * this License, each Contributor hereby grants to You a perpetual, + * worldwide, non-exclusive, no-charge, royalty-free, irrevocable + * copyright license to reproduce, prepare Derivative Works of, + * publicly display, publicly perform, sublicense, and distribute the + * Work and such Derivative Works in Source or Object form. + * + * 3. Grant of Patent License. 
Subject to the terms and conditions of + * this License, each Contributor hereby grants to You a perpetual, + * worldwide, non-exclusive, no-charge, royalty-free, irrevocable + * (except as stated in this section) patent license to make, have made, + * use, offer to sell, sell, import, and otherwise transfer the Work, + * where such license applies only to those patent claims licensable + * by such Contributor that are necessarily infringed by their + * Contribution(s) alone or by combination of their Contribution(s) + * with the Work to which such Contribution(s) was submitted. If You + * institute patent litigation against any entity (including a + * cross-claim or counterclaim in a lawsuit) alleging that the Work + * or a Contribution incorporated within the Work constitutes direct + * or contributory patent infringement, then any patent licenses + * granted to You under this License for that Work shall terminate + * as of the date such litigation is filed. + * + * 4. Redistribution. 
You may reproduce and distribute copies of the + * Work or Derivative Works thereof in any medium, with or without + * modifications, and in Source or Object form, provided that You + * meet the following conditions: + * + * (a) You must give any other recipients of the Work or + * Derivative Works a copy of this License; and + * + * (b) You must cause any modified files to carry prominent notices + * stating that You changed the files; and + * + * (c) You must retain, in the Source form of any Derivative Works + * that You distribute, all copyright, patent, trademark, and + * attribution notices from the Source form of the Work, + * excluding those notices that do not pertain to any part of + * the Derivative Works; and + * + * (d) If the Work includes a "NOTICE" text file as part of its + * distribution, then any Derivative Works that You distribute must + * include a readable copy of the attribution notices contained + * within such NOTICE file, excluding those notices that do not + * pertain to any part of the Derivative Works, in at least one + * of the following places: within a NOTICE text file distributed + * as part of the Derivative Works; within the Source form or + * documentation, if provided along with the Derivative Works; or, + * within a display generated by the Derivative Works, if and + * wherever such third-party notices normally appear. The contents + * of the NOTICE file are for informational purposes only and + * do not modify the License. You may add Your own attribution + * notices within Derivative Works that You distribute, alongside + * or as an addendum to the NOTICE text from the Work, provided + * that such additional attribution notices cannot be construed + * as modifying the License. 
+ * + * You may add Your own copyright statement to Your modifications and + * may provide additional or different license terms and conditions + * for use, reproduction, or distribution of Your modifications, or + * for any such Derivative Works as a whole, provided Your use, + * reproduction, and distribution of the Work otherwise complies with + * the conditions stated in this License. + * + * 5. Submission of Contributions. Unless You explicitly state otherwise, + * any Contribution intentionally submitted for inclusion in the Work + * by You to the Licensor shall be under the terms and conditions of + * this License, without any additional terms or conditions. + * Notwithstanding the above, nothing herein shall supersede or modify + * the terms of any separate license agreement you may have executed + * with Licensor regarding such Contributions. + * + * 6. Trademarks. This License does not grant permission to use the trade + * names, trademarks, service marks, or product names of the Licensor, + * except as required for reasonable and customary use in describing the + * origin of the Work and reproducing the content of the NOTICE file. + * + * 7. Disclaimer of Warranty. Unless required by applicable law or + * agreed to in writing, Licensor provides the Work (and each + * Contributor provides its Contributions) on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied, including, without limitation, any warranties or conditions + * of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + * PARTICULAR PURPOSE. You are solely responsible for determining the + * appropriateness of using or redistributing the Work and assume any + * risks associated with Your exercise of permissions under this License. + * + * 8. Limitation of Liability. 
In no event and under no legal theory, + * whether in tort (including negligence), contract, or otherwise, + * unless required by applicable law (such as deliberate and grossly + * negligent acts) or agreed to in writing, shall any Contributor be + * liable to You for damages, including any direct, indirect, special, + * incidental, or consequential damages of any character arising as a + * result of this License or out of the use or inability to use the + * Work (including but not limited to damages for loss of goodwill, + * work stoppage, computer failure or malfunction, or any and all + * other commercial damages or losses), even if such Contributor + * has been advised of the possibility of such damages. + * + * 9. Accepting Warranty or Additional Liability. While redistributing + * the Work or Derivative Works thereof, You may choose to offer, + * and charge a fee for, acceptance of support, warranty, indemnity, + * or other liability obligations and/or rights consistent with this + * License. However, in accepting such obligations, You may act only + * on Your own behalf and on Your sole responsibility, not on behalf + * of any other Contributor, and only if You agree to indemnify, + * defend, and hold each Contributor harmless for any liability + * incurred by, or claims asserted against, such Contributor by reason + * of your accepting any such warranty or additional liability. + * + * LLVM Exceptions to the Apache 2.0 License: + * + * As an exception, if, as a result of your compiling your source code, + * portions of this Software are embedded into an Object form of such source + * code, you may redistribute such embedded portions in such Object form + * without complying with the conditions of Sections 4(a), 4(b) and 4(d) of + * the License. 
+ * + * In addition, if you combine or link compiled forms of this Software with + * software that is licensed under the GPLv2 ("Combined Software") and if a + * court of competent jurisdiction determines that the patent provision + * (Section 3), the indemnity provision (Section 9) or other Section of the + * License conflicts with the conditions of the GPLv2, you may retroactively + * and prospectively choose to deem waived or otherwise exclude such + * Section(s) of the License, but only in their entirety and only with + * respect to the Combined Software. + * + * --------------------------------------------------------------------------- + */ diff --git a/LICENSES/WTFPL.txt b/LICENSES/WTFPL.txt new file mode 100644 index 000000000..8b1a9d818 --- /dev/null +++ b/LICENSES/WTFPL.txt @@ -0,0 +1,13 @@ + DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE + Version 2, December 2004 + +Copyright (C) 2004 Sam Hocevar + +Everyone is permitted to copy and distribute verbatim or modified +copies of this license document, and changing it is allowed as long +as the name is changed. + + DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. You just DO WHAT THE FUCK YOU WANT TO. diff --git a/README.md b/README.md index 64d228f63..e4e29a696 100644 --- a/README.md +++ b/README.md 
@@ -36,18 +36,13 @@ See the documentation overview under [README-docs.md](./docs/README-docs.md). Other repositories that are a part of the Ghaf project: * [sbomnix](https://github.com/tiiuae/sbomnix): a utility that generates SBOMs given Nix derivations or out paths -* [ghaf-infra](https://github.com/tiiuae/ghaf-infra), [ci-public](https://github.com/tiiuae/ci-public), [ci-test-automation](https://github.com/tiiuae/ci-test-automation), [ghafscan](https://github.com/tiiuae/ghafscan): CI/CD related files +* [ghaf-infra](https://github.com/tiiuae/ghaf-infra), [ci-test-automation](https://github.com/tiiuae/ci-test-automation), [ghafscan](https://github.com/tiiuae/ghafscan): CI/CD related files * [ghaf-installation-wizard](https://github.com/tiiuae/ghaf-installation-wizard): helps you install Ghaf for the first time ## Build System -Ghaf images are built and tested by our continuous integration system. For more information on a general process, see [Continuous Integration and Distribution](./docs/src/scs/ci-cd-system.md). - -Targets: -Hydra builders on x86 servers: -Disk images successfully built with Hydra are published to . -Build results: +Ghaf images are built and tested by our continuous integration system. For more information on a general process, see [Continuous Integration and Distribution](https://tiiuae.github.io/ghaf/scs/ci-cd-system.html). ## Contributing diff --git a/REUSE.toml b/REUSE.toml new file mode 100644 index 000000000..bc599fa34 --- /dev/null +++ b/REUSE.toml 
@@ -0,0 +1,127 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+
+version = 1
+
+SPDX-PackageName = "ghaf"
+SPDX-PackageSupplier = "Technology Innovation Institute "
+SPDX-PackageDownloadLocation = "https://github.com/tiiuae/ghaf"
+
+[[annotations]]
+SPDX-License-Identifier = "Apache-2.0"
+SPDX-FileCopyrightText = "2022-2024 TII (SSRC) and the Ghaf contributors"
+precedence = "closest"
+path = [
+ "flake.lock", ".version",
+ "assets/**/*.png", "assets/**/*.svg",
+ "modules/common/development/audio_test/test_file1.mp3",
+ "modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86",
+ "modules/jetpack/ghaf_host_hardened_baseline-jetson-orin",
+ "modules/lanzaboote/demo-secure-boot-keys/**/*",
+ "modules/microvm/virtualization/microvm/idsvm/mitmproxy/mitmproxy-ca/*",
+]
+
+[[annotations]]
+SPDX-License-Identifier = "CC-BY-SA-4.0"
+SPDX-FileCopyrightText = "2022-2024 TII (SSRC) and the Ghaf contributors"
+precedence = "closest"
+path = [
+ "docs/**/*.svg", "docs/**/*.png",
+]
+
+# External code
+
+[[annotations]]
+# See https://github.com/qemu/qemu/blob/master/LICENSE
+# Our changes affects the GPL-2.0+ parts only.
+SPDX-License-Identifier = "GPL-2.0-or-later"
+SPDX-FileCopyrightText = [
+ "Fabrice Bellard and the QEMU team",
+ "Copyright (c) 2021-2022 Canokeys.org ",
+ "Written by Hongren (Zenithal) Zheng ",
+ "Copyright (c) 2019 Janus Technologies, Inc. (http://janustech.com)",
+ "Copyright (C) 2008-2010 Kevin O'Connor ",
+ "Copyright (C) 2006 Fabrice Bellard",
+ "Copyright (C) 2013 Red Hat Inc",
+]
+path = [
+ "overlays/custom-packages/qemu/*.patch",
+ "modules/jetpack/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/overlays/qemu/patches/0001-qemu-v8.1.3_bpmp-virt.patch"
+]
+
+[[annotations]]
+SPDX-License-Identifier = "GPL-2.0-only"
+SPDX-FileCopyrightText = "labwc contributors"
+path = "overlays/custom-packages/labwc/*.patch"
+
+[[annotations]]
+# gtklock doesn't specify if later versions is allowed
+SPDX-License-Identifier = "GPL-3.0-only"
+SPDX-FileCopyrightText = [
+ "Copyright (c) 2022 Kenny Levinsen, Jovan Lanik, Erik Reider, Melih Darcan, Bhaskar Khoraja",
+ "Copyright (c) 2022 Zephyr Lykos"
+]
+path = "overlays/custom-packages/gtklock/*.patch"
+
+[[annotations]]
+SPDX-License-Identifier = "LGPL-2.1-or-later"
+SPDX-FileCopyrightText = "systemd contributors"
+path = "modules/common/systemd/systemd-boot-double-dtb-buffer-size.patch"
+
+[[annotations]]
+SPDX-License-Identifier = "MIT"
+SPDX-FileCopyrightText = "Copyright © 2019 Manuel Stoeckl"
+path = "overlays/custom-packages/waypipe/waypipe-window-borders.patch"
+
+[[annotations]]
+SPDX-License-Identifier = "Apache-2.0"
+SPDX-FileCopyrightText = "Copyright 2023 The Matrix.org Foundation C.I.C."
+path = "packages/element-web/*.patch"
+
+[[annotations]]
+SPDX-License-Identifier = "Apache-2.0"
+SPDX-FileCopyrightText = [
+ "Copyright 2016 Aviral Dasgupta",
+ "Copyright 2016 OpenMarket Ltd",
+ "Copyright 2017, 2019 Michael Telatynski <7t3chguy@gmail.com>",
+ "Copyright 2018 - 2021 New Vector Ltd",
+]
+path = "overlays/custom-packages/element-desktop/element-main.patch"
+
+[[annotations]]
+SPDX-License-Identifier = "GPL-2.0-only"
+SPDX-FileCopyrightText = [
+ "Copyright (C) 2013 - Virtual Open Systems",
+ "Copyright (c) 2016, NVIDIA CORPORATION. All rights reserved.",
+ "Copyright (c) 2018, NVIDIA CORPORATION.",
+ "Copyright (C) 2006 Qumranet, Inc.",
+ "Copyright 2010 Red Hat, Inc. and/or its affiliates.",
+ "2022-2024 TII (SSRC) and the Ghaf contributors",
+]
+path = [
+ "modules/jetpack/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/patches/*.patch",
+ "modules/jetpack/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/patches/*.patch",
+ "modules/jetpack-microvm/*.patch",
+ "modules/jetpack/nvidia-jetson-orin/virtualization/passthrough/uarti-net-vm/patches/net_vm_dtb_with_uarti.patch",
+ "modules/common/virtualization/pkvm/0001-pkvm-enable-pkvm-on-intel-x86-6.1-lts.patch",
+]
+
+[[annotations]]
+SPDX-License-Identifier = "BSD-2-Clause-Patent"
+SPDX-FileCopyrightText = "Copyright (c) 2021-2023, NVIDIA CORPORATION & AFFILIATES. All rights reserved."
+path = "modules/jetpack/nvidia-jetson-orin/edk2-nvidia-always-reset-display.patch"
+
+[[annotations]]
+SPDX-License-Identifier = "LicenseRef-NvidiaProprietary"
+SPDX-FileCopyrightText = "Copyright (c) 2023-2024, NVIDIA CORPORATION & AFFILIATES. All rights reserved."
+path = [
+ "modules/jetpack/nvidia-jetson-orin/tegra2-mb2-bct-scr.patch",
+]
+
+
+[[annotations]]
+SPDX-License-Identifier = "MIT"
+SPDX-FileCopyrightText = "Copyright 2019-2021 Microchip Corporation."
+path = [
+ "packages/hart-software-services/0001-Workaround-for-a-compilation-issue.patch",
+]
diff --git a/assets/ghaf-logo.png b/assets/ghaf-logo.png
deleted file mode 100644
index f36f50389..000000000
Binary files a/assets/ghaf-logo.png and /dev/null differ
diff --git a/assets/icons/png/app.png b/assets/icons/png/app.png
deleted file mode 100644
index 86e64c069..000000000
Binary files a/assets/icons/png/app.png and /dev/null differ
diff --git a/assets/icons/png/browser.png b/assets/icons/png/browser.png
deleted file mode 100644
index 2061e36df..000000000
Binary files a/assets/icons/png/browser.png and /dev/null differ
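Review bot: The first Apache-2.0 annotation licenses `modules/lanzaboote/demo-secure-boot-keys/**/*` and `modules/microvm/virtualization/microvm/idsvm/mitmproxy/mitmproxy-ca/*`, which from their names appear to be committed key material (demo Secure Boot signing keys and an interception-proxy CA). Nothing in the file warns that these are test artefacts, and a license annotation reads like an invitation to reuse them; add a comment above those two paths such as `# Demo/test key material only: never enroll or trust these keys in a production image`. If the keys are actually generated at build time rather than checked in, narrow the glob or say so in the same comment. Separately, the qemu annotation comment `# Our changes affects the GPL-2.0+ parts only.` should read `# Our changes affect the GPL-2.0+ parts only.`.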
diff --git a/assets/icons/png/pdf.png b/assets/icons/png/pdf.png deleted file mode 100644 index 9cf456f3f..000000000 Binary files a/assets/icons/png/pdf.png and /dev/null differ diff --git a/assets/icons/png/settings.png b/assets/icons/png/settings.png deleted file mode 100644 index aa2707b4c..000000000 Binary files a/assets/icons/png/settings.png and /dev/null differ diff --git a/assets/icons/png/windows.png b/assets/icons/png/windows.png deleted file mode 100644 index 78442b82d..000000000 Binary files a/assets/icons/png/windows.png and /dev/null differ diff --git a/assets/icons/svg/app.svg b/assets/icons/svg/app.svg deleted file mode 100644 index 56f137698..000000000 --- a/assets/icons/svg/app.svg +++ /dev/null @@ -1,27 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/assets/icons/svg/browser.svg b/assets/icons/svg/browser.svg deleted file mode 100644 index d69e35433..000000000 --- a/assets/icons/svg/browser.svg +++ /dev/null @@ -1,11 +0,0 @@ - - - - - - - - - - - diff --git a/assets/icons/svg/pdf.svg b/assets/icons/svg/pdf.svg deleted file mode 100644 index ec974128c..000000000 --- a/assets/icons/svg/pdf.svg +++ /dev/null @@ -1,27 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/assets/icons/svg/settings.svg b/assets/icons/svg/settings.svg deleted file mode 100644 index 362ba2f3e..000000000 --- a/assets/icons/svg/settings.svg +++ /dev/null @@ -1,9 +0,0 @@ - - - - - - - - - diff --git a/assets/icons/svg/windows.svg b/assets/icons/svg/windows.svg deleted file mode 100644 index 16a385c0a..000000000 --- a/assets/icons/svg/windows.svg +++ /dev/null @@ -1,6 +0,0 @@ - - - - - - diff --git a/assets/wallpaper.png b/assets/wallpaper.png deleted file mode 100644 index 4bd7b6069..000000000 Binary files a/assets/wallpaper.png and /dev/null differ diff --git a/default.nix b/default.nix index 59dcb3cd4..4f8ffb1a0 100644 --- a/default.nix +++ b/default.nix 
@@ -5,10 +5,18 @@
 # This file originates from:
 # https://github.com/nix-community/flake-compat
 # This file provides backward compatibility to nix < 2.4 clients
-{system ? builtins.currentSystem}: let
+{
+ system ? builtins.currentSystem,
+}:
+let
 lock = builtins.fromJSON (builtins.readFile ./flake.lock);
- inherit (lock.nodes.flake-compat.locked) owner repo rev narHash;
+ inherit (lock.nodes.flake-compat.locked)
+ owner
+ repo
+ rev
+ narHash
+ ;
 flake-compat = fetchTarball {
 url = "https://github.com/${owner}/${repo}/archive/${rev}.tar.gz";
@@ -20,4 +28,4 @@
 src = ./.;
 };
 in
- flake.defaultNix
+flake.defaultNix
diff --git a/docs/book.toml b/docs/book.toml
index f2dbda7d4..c1e3068c7 100644
--- a/docs/book.toml
+++ b/docs/book.toml
@@ -14,5 +14,8 @@ src = "src"
 default-theme = "light"
 git-repository-url = "https://github.com/tiiuae/ghaf"
 git-repository-icon = "fa-github"
+additional-css = ["theme/pagetoc.css"]
+additional-js = ["theme/pagetoc.js"]
 [preprocessor.footnote]
+[preprocessor.alerts]
diff --git a/docs/default.nix b/docs/default.nix
index 92f8bc682..a7d2d9fbc 100644
--- a/docs/default.nix
+++ b/docs/default.nix
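Review bot: `additional-js = ["theme/pagetoc.js"]` injects a script into every rendered documentation page, but the script itself is not part of this diff, so its origin and integrity cannot be checked here. If `pagetoc.js`/`pagetoc.css` are vendored from an upstream mdBook theme, record where they came from and under which license (in the files' own headers or a REUSE annotation) so the docs build stays auditable; a one-line comment above the two settings, e.g. `# pagetoc.{css,js}: in-page table of contents (vendored; origin and license in file headers)`, would make that explicit in book.toml. `[preprocessor.alerts]` presumably pairs with the new `mdbook-alerts` build input in docs/default.nix; a comment noting that the two must be kept in sync would spare the next person a confusing build failure.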
@@ -3,26 +3,26 @@ # TODO should this be refactored { lib, - callPackage, runCommandLocal, nixosOptionsDoc, mdbook, + mdbook-alerts, + mdbook-footnote, revision ? "", - options ? {}, -}: let + options ? { }, +}: +let optionsDocMd = (nixosOptionsDoc { inherit revision options; - transformOptions = x: - # TODO this hides the other modules (e.g. microvm.nix) - # But they are stilled passed as options modules ??? - if lib.strings.hasPrefix "ghaf" x.name - then x - else x // {visible = false;}; + transformOptions = + x: + # TODO this hides the other modules (e.g. microvm.nix) + # But they are stilled passed as options modules ??? + if lib.strings.hasPrefix "ghaf" x.name then x else x // { visible = false; }; markdownByDefault = true; - }) - .optionsCommonMark; - combinedSrc = runCommandLocal "ghaf-doc-src" {} '' + }).optionsCommonMark; + combinedSrc = runCommandLocal "ghaf-doc-src" { } '' mkdir $out cp -r ${./.}/* $out chmod +w $out/src/ref_impl/modules_options.md @@ -31,16 +31,18 @@ sed 's/\(file:\/\/\)\?\/nix\/store\/[^/]*-source/https:\/\/github.com\/tiiuae\/ghaf\/blob\/main/g' ${optionsDocMd} >> $out/src/ref_impl/modules_options.md ''; in - # TODO Change this, runCommandLocal is not intended for longer running processes - runCommandLocal "ghaf-doc" +# TODO Change this, runCommandLocal is not intended for longer running processes +runCommandLocal "ghaf-doc" { - nativeBuildInputs = let - footnote = callPackage ./plugins/mdbook-footnote.nix {}; - in [mdbook footnote]; + nativeBuildInputs = [ + mdbook + mdbook-footnote + mdbook-alerts + ]; src = combinedSrc; # set the package Meta info - meta = with lib; { + meta = { description = "Ghaf Documentation"; # TODO should we Only push docs from one Architecture? platforms = [ @@ -48,6 +50,7 @@ in "aarch64-linux" ]; }; - } '' + } + '' ${mdbook}/bin/mdbook build -d $out $src '' diff --git a/docs/plugins/mdbook-footnote.nix b/docs/plugins/mdbook-footnote.nix deleted file mode 100644 index 6e27b3729..000000000 
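Review bot: `nativeBuildInputs` now takes `mdbook-footnote` and `mdbook-alerts` from the package set instead of the deleted `plugins/mdbook-footnote.nix`, which pinned v0.1.1 by tag with an explicit source and cargo hash; reproducibility of the doc build now rests entirely on the pinned nixpkgs input, which is reasonable but worth recording with a comment above the list, `# mdbook preprocessors come from the pinned nixpkgs input (replaces the hash-pinned local derivation)`. In the unchanged context of `combinedSrc`, the `sed` that rewrites `/nix/store/*-source` paths still hard-codes `blob/main`, so generated option links point at whatever `main` is at view time rather than at the revision being documented; since `revision ? ""` is already an argument, substituting it when non-empty would keep links and docs consistent. Both hunks are fully visible; the surrounding `let`/`in` structure is unchanged.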
--- a/docs/plugins/mdbook-footnote.nix +++ /dev/null @@ -1,21 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: CC-BY-SA-4.0 -{ - fetchFromGitHub, - rustPlatform, -}: -rustPlatform.buildRustPackage rec { - pname = "mdbook-footnote"; - version = "0.1.1"; - - src = fetchFromGitHub { - owner = "daviddrysdale"; - repo = "mdbook-footnote"; - rev = "refs/tags/v${version}"; - sha256 = "sha256-WUMgm1hwsU9BeheLfb8Di0AfvVQ6j92kXxH2SyG3ses="; - }; - - cargoHash = "sha256-Ig+uVCO5oHIkkvFsKiBiUFzjUgH/Pydn4MVJHb2wKGc="; -} -# TODO upstream this to nixpkgs - diff --git a/docs/src/SUMMARY.md b/docs/src/SUMMARY.md index 09712b350..ef596c0ad 100644 --- a/docs/src/SUMMARY.md +++ b/docs/src/SUMMARY.md @@ -14,6 +14,7 @@ - [Architecture Decision Records](architecture/adr.md) - [Minimal Host](architecture/adr/minimal-host.md) - [Networking VM](architecture/adr/netvm.md) + - [Intrusion Detection System VM](architecture/adr/idsvm.md) - [Platform Bus for Rust VMM](architecture/adr/platform-bus-passthrough-support.md) - [Hardening](architecture/hardening.md) - [Secure Boot](architecture/secureboot.md) @@ -29,7 +30,11 @@ - [Installer](ref_impl/installer.md) - [Cross-Compilation](ref_impl/cross_compilation.md) - [Creating Application VM](ref_impl/creating_appvm.md) - - [labWC Desktop Environment](ref_impl/labwc.md) + - [Hardware Configuration](ref_impl/hw-config.md) + - [Profiles Configuration](ref_impl/profiles-config.md) + - [labwc Desktop Environment](ref_impl/labwc.md) + - [IDS VM Further Development](ref_impl/idsvm-development.md) + - [systemd Service Hardening](ref_impl/systemd-service-config.md) - [Ghaf as Library: Templates](ref_impl/ghaf-based-project.md) - [Example Project](ref_impl/example_project.md) - [Modules Options](ref_impl/modules_options.md) 
@@ -55,6 +60,7 @@ - [Public Key Infrastructure](scs/pki.md) - [Security Fix Automation](scs/ghaf-security-fix-automation.md) - [Release Notes](release_notes/release_notes.md) + - [Release ghaf-24.06](release_notes/ghaf-24.06.md) - [Release ghaf-24.03](release_notes/ghaf-24.03.md) - [Release ghaf-23.12](release_notes/ghaf-23.12.md) - [Release ghaf-23.09](release_notes/ghaf-23.09.md) @@ -66,7 +72,6 @@ - [Showcases](scenarios/showcases.md) - [Running Windows VM on Ghaf](scenarios/run_win_vm.md) - [Running Cuttlefish on Ghaf](scenarios/run_cuttlefish.md) -- [Build Your Environment]() ----------- diff --git a/docs/src/appendices/glossary.md b/docs/src/appendices/glossary.md index a50fd266d..9b48d7d9b 100644 --- a/docs/src/appendices/glossary.md +++ b/docs/src/appendices/glossary.md @@ -56,6 +56,7 @@ Source: ### CI/CD _Continuous Integration and Continuous Delivery is a Ghaf software development lifecycle. Continuous Integration refers to regularly integrating code changes into a shared repository, where they are automatically tested and verified. Continuous Delivery—software is released in short iterations._ +> [!NOTE] > Currently, Continuous Deployment is not set up. Continuous Deployment—code is deployed to customers automatically. ### SSRC @@ -86,6 +87,10 @@ Source: [NVIDIA Orin Series System-on-Chip, Technical Reference Manual, Version: _A board support package is a collection of software used to boot and run the embedded system._ +### CA + +_A certificate authority or certification authority is an entity that stores, signs, issues digital certificates, and bind them to cryptographic keys._ + ### DHCP _The Dynamic Host Configuration Protocol is a network protocol that automatically sets IP addresses and other attributes to enable information transfer between network nodes._ 
@@ -194,6 +199,10 @@ _A stock keeping unit, is a unique code used by sellers to identify and track pr
 _A system on chip, a microchip that contains the necessary electronic circuits for a fully functional system on a single integrated circuit (IC)._
+### SPKI
+
+_simple public-key infrastructure_
+
 ### SSD
 _solid-state drive_
@@ -301,3 +310,6 @@ Source:
 _Supply chain Levels for Software Artifacts is a security framework, a check-list of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises._
 Source:
+
+[Back to Top ⏫](./glossary.md#glossary)
+---
diff --git a/docs/src/architecture/adr.md b/docs/src/architecture/adr.md
index cfd762442..559ac7bbf 100644
--- a/docs/src/architecture/adr.md
+++ b/docs/src/architecture/adr.md
@@ -12,8 +12,9 @@ The Ghaf platform decision log:
 | Decision Record | Status |
 | -------- | ----------- |
 | [Minimal Host](../architecture/adr/minimal-host.md) | Proposed. |
-| [netvm—Networking Virtual Machine](../architecture/adr/netvm.md) | Proposed, partially implemented for development and testing. |
-| [Platform Bus for RustVMM](../architecture/adr/platform-bus-passthrough-support.md) | Proposed, WIP. |
+| [Networking VM](../architecture/adr/netvm.md) | Proposed, partially implemented for development and testing. |
+| [IDS VM](../architecture/adr/idsvm.md) | Proposed, partially implemented for development and testing. |
+| [Platform Bus for Rust VMM](../architecture/adr/platform-bus-passthrough-support.md) | Proposed, WIP. |
 To create an architectural decision proposal, open [a pull request](https://github.com/tiiuae/ghaf/blob/main/CONTRIBUTING.md#contributing-documentation) and use the [decision record template](https://github.com/tiiuae/ghaf/blob/main/docs/src/architecture/adr/template.md). Contributions to the Ghaf architecture decisions are welcome.
diff --git a/docs/src/architecture/adr/idsvm.md b/docs/src/architecture/adr/idsvm.md
new file mode 100644
index 000000000..754acd9ae
--- /dev/null
+++ b/docs/src/architecture/adr/idsvm.md
@@ -0,0 +1,37 @@
+
+
# Intrusion Detection System Virtual Machine
+
+
## Status
+
+Proposed, partially implemented for development and testing.
+
+Intrusion Detection VM (IDS VM) reference declaration will be available at [microvm/idsvm.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/virtualization/microvm/idsvm/idsvm.nix).
+
+
## Context
+
+Ghaf's high-level design target is to secure a monolithic OS by modularizing the OS to networked VMs. The key security target is to detect intrusions by analyzing the network traffic in the internal network of the OS.
+
+
## Decision
+
+The main goal is to have a networking entity in Ghaf's internal network so that all network traffic goes through that entity. Traffic then can be analyzed to detect possible intrusions in inter VM communication and outgoing network traffic (from VM to the Internet). This goal is achieved by introducing a dedicated VM and routing all networking from other VMs to go through it. Then it is possible to use various IDS software solutions in IDS VM to detect possible suspicious network activities.
+
+![Scope!](../../img/idsvm.drawio.png "IDS VM Solution")
+
+
## Consequences
+
+A dedicated IDS VM provides a single checkpoint to detect intrusions and anomalies in the internal network of the OS and to initiate required countermeasures.
+
+Routing and analyzing the network traffic in a separate VM will reduce network performance.
+
+
## References
+
+[IDS VM Further Development](../../ref_impl/idsvm-development.md)
diff --git a/docs/src/architecture/adr/minimal-host.md b/docs/src/architecture/adr/minimal-host.md
index d5645b5ec..eba393962 100644
--- a/docs/src/architecture/adr/minimal-host.md
+++ b/docs/src/architecture/adr/minimal-host.md
@@ -85,8 +85,8 @@ No networking may have impact on how the guest-to-guest inter virtual machine co
 ### No graphics (MH04)
-Ghaf minimal host profile for release target has no graphics. Graphics will be compartmentalized to GUIVM.
-All graphics and display output related components and dependencies, including kernel drivers, must be removed from kernel configuration. Those are to be passed through to GUIVM.
+Ghaf minimal host profile for release target has no graphics. Graphics will be compartmentalized to GUI VM.
+All graphics and display output related components and dependencies, including kernel drivers, must be removed from kernel configuration. Those are to be passed through to GUI VM.
 ### No getty (MH05)
diff --git a/docs/src/architecture/adr/netvm.md b/docs/src/architecture/adr/netvm.md
index fecc29959..573f5e0a6 100644
--- a/docs/src/architecture/adr/netvm.md
+++ b/docs/src/architecture/adr/netvm.md
@@ -3,45 +3,50 @@
 SPDX-License-Identifier: CC-BY-SA-4.0
 -->
-# netvm—Networking Virtual Machine
+# Networking Virtual Machine
+
 ## Status
 Proposed, partially implemented for development and testing.
-*netvm* reference declaration is available at [netvm/default.nix](https://github.com/tiiuae/ghaf/blob/main/microvmConfigurations/netvm/default.nix).
+Networking VM (Net VM) reference declaration is available at [microvm/netvm.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/virtualization/microvm/netvm.nix).
+
 ## Context
-Ghaf high-level design target is to secure a monolithic OS by modularizing the OS to networked VMs. The key security target is to not expose the trusted host directly to the Internet. This isolates the attack surface from the Internet to *netvm*.
+Ghaf's high-level design target is to secure a monolithic OS by modularizing the OS to networked VMs. The key security target is to not expose the trusted host directly to the Internet. This isolates the attack surface from the Internet to Net VM.
 The following context diagram illustrates development and secure scenarios:
-![Scope!](../../img/netvm.drawio.png "netvm Context")
+![Scope!](../../img/netvm.drawio.png "Net VM Context")
 **Left**: An insecure development scenario. The host is directly connected to the Internet, and the network is bridged from the host to other parts of the system.
-**Right**: A secure scenario. The network is passed through to *netvm* and routed to other parts of the system.
+**Right**: A secure scenario. The network is passed through to Net VM and routed to other parts of the system.
+
 ## Decision
-The development scenario simplifies the target system network access and configuration. This ADR proposes the development *netvm* configuration is maintained to support system development.
+The development scenario simplifies the target system network access and configuration.
This ADR proposes the development Net VM configuration is maintained to support system development.
-The secure scenario is proposed to be implemented with the use of passthrough to DMA and remap the host physical network interface card (PHY NIC) to *netvm*. This cannot be generalized for all hardware targets as it requires:
-- Low-level device tree configuration for bootloader and host (at least on platform NIC).
-- VMM host user space NIC bus mapping from the host to *netvm*.
-- Native network interface driver (not virtual) in *netvm*. Native driver is bound the vendor BSP supported kernel version.
+The secure scenario is proposed to be implemented with the use of passthrough to DMA and remap the host physical network interface card (PHY NIC) to Net VM. This cannot be generalized for all hardware targets as it requires:
+
+* Low-level device tree configuration for bootloader and host (at least on platform NIC).
+* VMM host user space NIC bus mapping from the host to Net VM.
+* Native network interface driver (not virtual) in Net VM. Native driver is bound the vendor BSP supported kernel version.
 These depend on the hardware setup. The proposed target setup is that the passthrough network device(s) are implemented as declarative nix-modules for easier user hardware-specific configuration. In practice, a user may configure the declaration of a PCI or USB network card that is available to the available hardware setup.
-*netvm* will provide:
-- dynamic network configuration:
- - A DHCP server for *netvm* to provide IP addresses for the other parts of the system, both static and dynamic.
- - Routing from *netvm* to the Internet and/or inter VM.
+Net VM will provide a dynamic network configuration:
+
+* A DHCP server for Net VM to provide IP addresses for the other parts of the system, both static and dynamic.
+* Routing from Net VM to the Internet and/or Inter VM.
For common reference hardware with platform NIC, the configured modules for network interface passthrough are provided. For more information, see [i.MX 8QM Ethernet Passthrough](https://tiiuae.github.io/ghaf/research/passthrough/ethernet.html).
-Details of other network components, such as default firewall rules, DHCP (static and dynamic client addresses), routing, reverse proxies and security monitoring are to be described in their respective architecture decision records. In this context, these are illustrated in the context diagram on the right side of the *netvm* network interface driver.
+Details of other network components, such as default firewall rules, DHCP (static and dynamic client addresses), routing, reverse proxies and security monitoring are to be described in their respective architecture decision records. In this context, these are illustrated in the context diagram on the right side of the Net VM network interface driver.
+
 ## Consequences
diff --git a/docs/src/architecture/adr/platform-bus-passthrough-support.md b/docs/src/architecture/adr/platform-bus-passthrough-support.md
index 15b032704..45f411d9e 100644
--- a/docs/src/architecture/adr/platform-bus-passthrough-support.md
+++ b/docs/src/architecture/adr/platform-bus-passthrough-support.md
@@ -14,6 +14,7 @@ Proposed, work in progress.
 This ADR is a work-in-progress note for Ghaf bus passthrough implementation that will support rust-vmm-based hypervisors.
+> [!NOTE]
 > *rust-vmm* is an open-source project that empowers the community to build custom Virtual Machine Monitors (VMMs) and hypervisors. For more information, see .
 It is crucial to have bus devices passthrough support for ARM-based hardware as the bus is mainly used to connect the peripherals. Nowadays, the only hypervisor with some support for Platform bus is QEMU but the code is dated 2013 and not frequently used.
diff --git a/docs/src/architecture/adr/template.md b/docs/src/architecture/adr/template.md
index a53fd0207..0630d1e09 100644
--- a/docs/src/architecture/adr/template.md
+++ b/docs/src/architecture/adr/template.md
@@ -3,19 +3,17 @@
 SPDX-License-Identifier: CC-BY-SA-4.0
 -->
-# Decision record template
-
+# Decision Record Template
-This is the template for managing the ADR files.
-
-In each ADR file, write these sections:
+This is the template[^note1] for managing the ADR files. Use the following sections in each ADR file:
 # Title
+
 ## Status
-What is the status: proposed, accepted, rejected, deprecated, superseded, etc.?
+What is the status? *Proposed*, *Accepted*, *Rejected*, *Deprecated*, *Superseded*, etc.
 ## Context
@@ -31,3 +29,6 @@ What is the change that we are proposing and/or doing?
 ## Consequences
 What becomes easier or more difficult to do because of this change?
+
+
+[^note1]: This template is based on a [template by Michael Nygard](https://github.com/joelparkerhenderson/architecture-decision-record/tree/main/locales/en/templates/decision-record-template-by-michael-nygard). For more suggestions on writing good ADRs, see the [Architecture decision record (ADR)](https://github.com/joelparkerhenderson/architecture-decision-record/tree/main?tab=readme-ov-file#suggestions-for-writing-good-adrs) public repository.
diff --git a/docs/src/architecture/architecture.md b/docs/src/architecture/architecture.md
index 727ad34f6..7ab41220d 100644
--- a/docs/src/architecture/architecture.md
+++ b/docs/src/architecture/architecture.md
@@ -22,5 +22,8 @@ The Ghaf Platform components are used in reference configurations to build image
 - [Architecture Decision Records](./adr.md)
 - [Minimal Host](./adr/minimal-host.md)
 - [Networking VM](./adr/netvm.md)
+ - [Intrusion Detection System VM](./adr/idsvm.md)
 - [Platform Bus for Rust VMM](./adr/platform-bus-passthrough-support.md)
+- [Hardening](./hardening.md)
+- [Secure Boot](./secureboot.md)
 - [Stack](./stack.md)
\ No newline at end of file
diff --git a/docs/src/architecture/hardening.md b/docs/src/architecture/hardening.md
index 198e81335..75243a855 100644
--- a/docs/src/architecture/hardening.md
+++ b/docs/src/architecture/hardening.md
@@ -19,13 +19,13 @@ NixOS provides several mechanisms to customize the kernel. The main methods are:
 * [Declaring kernel command line parameters](https://nixos.wiki/wiki/Linux_kernel#Custom_kernel_commandline): [usage in Ghaf](https://github.com/search?q=repo%3Atiiuae%2Fghaf%20kernelparams&type=code).
 * [Declaring kernel custom configuration](https://nixos.org/manual/nixos/stable/#sec-linux-config-customizing): [usage in Ghaf](https://github.com/tiiuae/ghaf/blob/main/modules/host/kernel.nix).
-
+
 Example of entering the kernel development shell to customize the `.config` and build it:
 ```
 ~/ghaf $ nix develop .#devShells.x86_64-linux.kernel-x86
 ...
- [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ cp ../modules/common/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline .config
+ [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ cp ../modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline .config
 [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ make menuconfig
 ...
 [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ make -j$(nproc)
@@ -42,8 +42,8 @@ NixOS provides several mechanisms to customize the kernel. The main methods are:
 * [Validating with kernel hardening checker](https://github.com/a13xp0p0v/kernel-hardening-checker):
 ```
- [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ cp ../modules/common/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline .config
- [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ HS=../modules/common/hardware/x86_64-generic/kernel/host/configs GS=../modules/common/hardware/x86_64-generic/kernel/guest/configs
+ [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ cp ../modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline .config
+ [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ HS=../modules/hardware/x86_64-generic/kernel/host/configs GS=../modules/hardware/x86_64-generic/kernel/guest/configs
 [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ ./scripts/kconfig/merge_config.sh .config $HS/virtualization.config $HS/networking.config $HS/usb.config $HS/user-input-devices.config $HS/debug.config $GS/guest.config $GS/display-gpu.config
 [ghaf-kernel-devshell:~/ghaf/linux-6.6.7]$ kernel-hardening-checker -c .config
 [+] Kconfig file to check: .config
@@ -74,7 +74,7 @@ The host kernel runs on bare metal. The kernel is provided either with Linux ups
 The host kernel hardening is based on Linux `make tinyconfig`. The default `tinyconfig` fails to assertions on NixOS without modifications. Assertions are fixed in the `ghaf_host_hardened_baseline` Linux configuration under Ghaf
-`modules/common/hardware/x86_64-generic/kernel/configs`. Resulting baseline
+`modules/hardware/x86_64-generic/kernel/configs`. Resulting baseline
 kernel configuration is generic for x86_64 hardware architecture devices. In addition, NixOS (Ghaf baseline dependency) requires several kernel modules that are added to the config or ignored with `allowMissing = true`. As of now, the kernel builds and early boots on Lenovo X1.
diff --git a/docs/src/architecture/variants.md b/docs/src/architecture/variants.md
index 3b9e50146..e3c44b0e6 100644
--- a/docs/src/architecture/variants.md
+++ b/docs/src/architecture/variants.md
@@ -8,10 +8,10 @@ The main scope of the Ghaf platform is edge virtualization. However, to support
 modular development and testing of the platform, variants are supported with the following definitions:
 * `Default`
- A default variant. Supports [minimal host](./adr/minimal-host.md), GUI VM[^note] and [netvm](./adr/netvm.md). May host other VMs. For more information, see [Stack](./stack.md).
+ A default variant. Supports [minimal host](./adr/minimal-host.md), GUI VM[^note1] and [netvm](./adr/netvm.md). May host other VMs. For more information, see [Stack](./stack.md).
 * `Headless`
- A variant with [minimal host](./adr/minimal-host.md) and [netvm](./adr/netvm.md). May host other VMs but does not have GUI VM or graphics stack on a host.
+ A variant with [minimal host](./adr/minimal-host.md) and [netvm](./adr/netvm.md). May host other VMs but does not have a GUI VM or graphics stack on a host.
 * `Host only`
 A variant with [minimal host](./adr/minimal-host.md) *only*. A user can manually install software to a host, including VMs (if supported by hardware).
@@ -22,9 +22,9 @@ The main scope of the Ghaf platform is edge virtualization. However, to support
 | Variant Name | Headless | Graphics | VMs | Devices |
 |--- |--- |--- | --- | --- |
-| `Default` | No | GUI VM [^note] | Supported | Jetson, generic x86 |
+| `Default` | No | GUI VM | Supported | Jetson, generic x86 |
 | `Headless` | Yes | No | Supported | Jetson, generic x86 |
 | `Host Only` | Yes | No | May be supported but not included | Jetson, generic x86 |
 | `No Virtualization`| Yes or no | Native on host | Not supported | Raspberry Pi, RISC-V |
-[^note] As of early 2023, the graphics stack is deployed on a host to support application development. Work is ongoing to define the GUI VM and isolate graphics with GPU passthrough.
+[^note1]: As of early 2023, the graphics stack is deployed on a host to support application development. Work is ongoing to define the GUI VM and isolate graphics with GPU passthrough.
diff --git a/docs/src/features/features.md b/docs/src/features/features.md
index a22924b73..1a01b645c 100644
--- a/docs/src/features/features.md
+++ b/docs/src/features/features.md
@@ -26,7 +26,7 @@ Ghaf demo desktop and applications are illustrated in the screen capture below:
 - `aarch64`—generic AArch64; tested on an ARM server, laptop (e.g. Apple MacBook's), or NVIDIA Jetson AGX Orin.
 - `All variants`—supported devices from [Architectural Variants](https://tiiuae.github.io/ghaf/architecture/variants.html).
-The following tables show the status of Ghaf Platform features:
+The following tables show the status of the Ghaf Platform features:
 ## Release Builds and Hardware Architecture Support
@@ -35,7 +35,7 @@ The following tables show the status of Ghaf Platform features:
 |-------------------|-------------|------------------|-------------------------------------|
 | Ghaf in virtual machine | ✅ | `x86` | `nix run .#packages.x86_64-linux.vm-debug` |
 | `aarch64` reference image | ✅ | `Orin` | Based on [Jetson Linux](https://developer.nvidia.com/embedded/jetson-linux), [OE4T](https://github.com/OE4T) and [jetpack-nixos](https://github.com/anduril/jetpack-nixos). |
-| `aarch64` reference image | ✅ | `imx8qm` | Based on NXP BSP, implemented as [nixos-hardware module](https://github.com/NixOS/nixos-hardware/tree/master/nxp)|
+| `aarch64` reference image | ✅ | `imx8mp` | Based on NXP BSP, implemented as [nixos-hardware module](https://github.com/NixOS/nixos-hardware/tree/master/nxp)|
 | `x86` generic image | ✅ | `x86` | Generic x86 computer, based on generic [NixOS](https://nixos.org/). NOTE: requires device specific configuration.|
 | `Lenovo X1` reference image | ✅ | `Lenovo X1` | x86_64 laptop computer, supports basic compartmentalized environment |
 | Native build | ✅ | `aarch64, x86` | Remote `aarc64` nixos builders recommended |
@@ -50,28 +50,28 @@ The following tables show the status of Ghaf Platform features:
 |-------------------|-------------|------------------|----------------------------------------------|
 | Quick target update | ✅ | `all` | `nixos-rebuild --flake .#nvidia-jetson-orin-debug --target-host root@ghaf-host --fast switch` |
 | `aarch64` device flashing | ✅ | `Orin` | [Full device software flashing using `x86` machine](https://tiiuae.github.io/ghaf/ref_impl/build_and_run.html#flashing-nvidia-jetson-orin-agx) |
-| root filesystem flashing | ✅ | `x86, imx8qm` | `dd` image to bootable media - [see](https://tiiuae.github.io/ghaf/ref_impl/build_and_run.html#running-ghaf-image-for-x86-computer) |
+| root filesystem flashing | ✅ | `x86, imx8mp` | `dd` image to bootable media - [see](https://tiiuae.github.io/ghaf/ref_impl/build_and_run.html#running-ghaf-image-for-x86-computer) |
 | Debug: SSH | ✅ | `Orin`, `x86` | Host access only in `-debug`-target, see [authentication.nix](https://github.com/tiiuae/ghaf/blob/main/modules/development/authentication.nix) |
 | Debug: Serial | ✅ | `all` | Host access only in `-debug`-target - e.g. `screen /dev/ttyACM0 115200` |
-| Compartmentalized environment | 🚧 | `Lenovo X1` | NetVM, GUI VM (with GPU passthrough) plus some Application VMs |
+| Compartmentalized environment | 🚧 | `Lenovo X1` | Net VM, GUI VM (with GPU passthrough) plus some App VMs |
 ## Target Architecture
 | Feature | Status | Reference Device | Details |
 |-------------------|-------------|------------------|----------------------------------------------|
-| `minimal host` | 🚧 | [`all`](https://tiiuae.github.io/ghaf/architecture/variants.html) | See [Minimal Host](https://tiiuae.github.io/ghaf/architecture/adr/minimal-host.html) and [PR #140](https://github.com/tiiuae/ghaf/pull/140). |
-| `netvm` | ✅ | `Orin` | See [netvm](https://tiiuae.github.io/ghaf/architecture/adr/netvm.html).
Passthrough with Wifi works but requires SSID/password configuration |
-| `idsvm` | ✅ | `Orin` | [Defensive security VM placeholder PR open](https://github.com/tiiuae/ghaf/pull/146) |
-| `guivm` | 🚧 | `All`, `Lenovo X1`| Implemented for Lenovo X1 reference device, other devices have Wayland compositor running on the host.|
-| `appvm` | 🚧 | `All`, `Lenovo X1`| Implemented for Lenovo X1 reference device: chromium, GALA and zathura VMs. Requires `guivm` in place |
-| `adminvm` | ✅ | `All` | Not started |
-| Inter VM comms - IP-based | 🚧 | `All` |`-debug`-targets have network bridges to access VMs from host |
+| Minimal host | 🚧 | [`all`](https://tiiuae.github.io/ghaf/architecture/variants.html) | See [Minimal Host](https://tiiuae.github.io/ghaf/architecture/adr/minimal-host.html) and [PR #140](https://github.com/tiiuae/ghaf/pull/140). |
+| Net VM | ✅ | `Orin` | See [Net VM](https://tiiuae.github.io/ghaf/architecture/adr/netvm.html). Passthrough with Wi-Fi works but requires SSID/password configuration. |
+| IDS VM | ✅ | `Orin`, `Lenovo X1` | [Defensive networking mechanism](/docs/src/architecture/adr/idsvm.md). |
+| GUI VM | 🚧 | `All`, `Lenovo X1`| Implemented for Lenovo X1 reference device, other devices have Wayland compositor running on the host.|
+| App VM | 🚧 | `All`, `Lenovo X1`| Implemented for Lenovo X1 reference device: Chromium, GALA and Zathura VMs. Requires GUI VM in place. |
+| Admin VM | ✅ | `All` | Not started |
+| Inter VM comms - IP-based | 🚧 | `All` |`-debug`-targets have network bridges to access VMs from host.
| | Inter VM comms - shared memory | 🚧 | `All` | |
-| Inter VM Wayland | 🚧 | `All` | Currently it is `waypipe` over SSH, for test and demo purpose only |
-| SW update | 🚧 | `All` | A/B update tooling being evaluated |
-| USB passthrough | 🚧 | `Orin` | No reference implementation integrated yet |
-| PCI passthrough | ✅ | `All` | Used for reference in `netvm` on `Orin` |
+| Inter VM Wayland | 🚧 | `All` | Currently it is `waypipe` over SSH, for test and demo purpose only. |
+| SW update | 🚧 | `All` | A/B update tooling being evaluated. |
+| USB passthrough | 🚧 | `Orin` | No reference implementation integrated yet. |
+| PCI passthrough | ✅ | `All` | Used for reference in Net VM on `Orin`. |
 | UART passthrough | 🚧 | `Orin` | See [NVIDIA Jetson AGX Orin: UART Passthrough](https://tiiuae.github.io/ghaf/build_config/passthrough/nvidia_agx_pt_uart.html). Not integrated to any VM. |
 | ARM platform bus devices passthrough | 🚧 | `Orin` | NVIDIA BPMP virtualization being developed |
diff --git a/docs/src/img/idsvm.drawio.png b/docs/src/img/idsvm.drawio.png
new file mode 100644
index 000000000..0f890d297
Binary files /dev/null and b/docs/src/img/idsvm.drawio.png differ
diff --git a/docs/src/ref_impl/build_and_run.md b/docs/src/ref_impl/build_and_run.md
index 0a8cca43a..e5acdc2ed 100644
--- a/docs/src/ref_impl/build_and_run.md
+++ b/docs/src/ref_impl/build_and_run.md
@@ -9,7 +9,8 @@ This tutorial assumes that you already have basic [git](https://git-scm.com/) ex
 The canonical URL for the upstream Ghaf git repository is . To try Ghaf, you can build it from the source.
->[Cross-compilation](../ref_impl/cross_compilation.md) support is currently under development and not available for the building process.
+> [!WARNING]
+> [Cross-compilation](../ref_impl/cross_compilation.md) support is currently under development and not available for the building process.
 ## Prerequisites
@@ -32,10 +33,9 @@ Then you can use one of the following instructions for the supported targets:
 | Generic x86 Сomputer | x86_64 | [Running Ghaf Image for x86 Computer](./build_and_run.md#running-ghaf-image-for-x86-computer) |
 | Lenovo X1 Carbon Gen 11 | x86_64 | [Running Ghaf Image for Lenovo X1](./build_and_run.md#running-ghaf-image-for-lenovo-x1) |
 | NVIDIA Jetson AGX Orin | AArch64 | [Ghaf Image for NVIDIA Jetson Orin AGX](./build_and_run.md#ghaf-image-for-nvidia-jetson-orin-agx) |
-| NXP i.MX 8QM-MEK | AArch64 | [Building Ghaf Image for NXP i.MX 8QM-MEK](./build_and_run.md#building-ghaf-image-for-nxp-imx-8qm-mek) |
+| NXP i.MX 8MP-EVK | AArch64 | [Building Ghaf Image for NXP i.MX 8MP-EVK](./build_and_run.md#building-ghaf-image-for-nxp-imx-8mp-evk) |
 | MICROCHIP icicle-kit | RISCV64 | [Building Ghaf Image for Microchip Icicle Kit](./build_and_run.md#building-ghaf-image-for-microchip-icicle-kit) |
-
 ---
 ## Running Ghaf Image for x86 VM (ghaf-host)
@@ -57,9 +57,9 @@ Do the following:
 ```
 nix build github:tiiuae/ghaf#generic-x86_64-debug
 ```
-2. After the build is completed, prepare a USB boot media with the target image you built:
+2. After the build is completed, prepare a USB boot media with the target image you built using the `flash.sh` script:
 ```
- dd if=./result/nixos.img of=/dev/ bs=32M status=progress oflag=direct
+ ./packages/flash/flash.sh -d /dev/ -i result/
 ```
 3. Boot the computer from the USB media.
@@ -74,9 +74,9 @@ Do the following:
 ```
 nix build github:tiiuae/ghaf#lenovo-x1-carbon-gen11-debug
 ```
-2. After the build is completed, prepare a USB boot media with the target image you built:
+2. After the build is completed, prepare a USB boot media with the target image you built using the `flash.sh` script:
 ```
- dd if=./result/nixos.img of=/dev/ bs=32M status=progress oflag=direct
+ ./packages/flash/flash.sh -d /dev/ -i result/
 ```
 3. Boot the computer from the USB media.
@@ -103,6 +103,7 @@ Before you begin:
 2. Connect a Linux laptop to the board with the USB-C cable.
 3. Connect the Linux laptop to the board with a Micro-USB cable to use [serial interface](https://developer.ridgerun.com/wiki/index.php/NVIDIA_Jetson_Orin/In_Board/Getting_in_Board/Serial_Console).
+ > [!NOTE]
 > For more information on the board's connections details, see the [Hardware Layout](https://developer.nvidia.com/embedded/learn/jetson-agx-orin-devkit-user-guide/developer_kit_layout.html) section of the Jetson AGX Orin Developer Kit User Guide.
 3. After the build is completed, put the board in recovery mode. For more information, see the [Force Recovery](https://developer.nvidia.com/embedded/learn/jetson-agx-orin-devkit-user-guide/howto.html#force-recovery-mode) Mode section in the Jetson AGX Orin Developer Kit User Guide.
@@ -127,9 +128,9 @@ After the latest firmware is [flashed](./build_and_run.md#flashing-nvidia-jetson
 ```
 nix build github:tiiuae/ghaf#nvidia-jetson-orin-agx-debug
 ```
-2. After the build is completed, prepare a USB boot media with the target image you built:
+2. After the build is completed, prepare a USB boot media with the target image you built using the `flash.sh` script:
 ```
- dd if=./result/nixos.img of=/dev/ bs=32M status=progress oflag=direct
+ ./packages/flash/flash.sh -d /dev/ -i result/sd-image/
 ```
 3. Boot the hardware from the USB media.
@@ -159,25 +160,17 @@ In the current state of Ghaf, it is a bit tricky to make NVIDIA Jetson Orin AGX
 ---
-## Building Ghaf Image for NXP i.MX 8QM-MEK
+## Building Ghaf Image for NXP i.MX 8MP-EVK
 Before you begin, check device-independent [prerequisites](./build_and_run.md#prerequisites).
-In the case of i.MX8, Ghaf deployment consists of creating a bootable SD card with a first-stage bootloader (Tow-Boot) and USB media with the Ghaf image:
-
-1. To build and flash [**Tow-Boot**](https://github.com/tiiuae/Tow-Boot) bootloader:
-
- ```
- $ git clone https://github.com/tiiuae/Tow-Boot.git && cd Tow-Boot
- $ nix-build -A imx8qm-mek
- $ sudo dd if=result/ shared.disk-image.img of=/dev/
- ```
+In the case of i.MX8, Ghaf deployment consists of creating a bootable SD card and USB media with the Ghaf image:
-2. To build and flash the Ghaf image:
- 1. Run the `nix build .#packages.aarch64-linux.imx8qm-mek-release` command.
- 2. Prepare the USB boot media with the target HW image you built: `dd if=./result/nixos.img of=/dev/ bs=32M status=progress oflag=direct`.
+1. To build and flash the Ghaf image:
+ 1. Run the `nix build .#packages.aarch64-linux.imx8mp-evk-release` command.
+ 2. Prepare the USB boot media with the target HW image you built: `./packages/flash/flash.sh -d /dev/ -i result/`.
-3. Insert an SD card and USB boot media into the board and switch the power on.
+2. Insert an SD card and USB boot media into the board and switch the power on.
 ---
@@ -199,11 +192,11 @@ In the case of the Icicle Kit, Ghaf deployment consists of creating an SD image
 2. Flash the Ghaf SD image:
 * If you want to use a SD card:
- * Prepare the SD card with the target HW image you built: `dd if=./result/nixos.img of=/dev/ bs=32M status=progress oflag=direct`.
+ * Prepare the SD card with the target HW image you built: `./packages/flash/flash.sh -d /dev/ -i result/`.
 * Insert an SD card into the board and switch the power on.
 * If you want to use the onboard MMC:
- * You can directly flash a NixOS image to onboard an MMC card: `dd if=./result/nixos.img of=/dev/ bs=32M status=progress oflag=direct`.
+ * You can directly flash a NixOS image to an onboard MMC card: `./packages/flash/flash.sh -d /dev/ -i result/`.
 For more information on how to access the MMC card as a USB disk, see [MPFS Icicle Kit User Guide](https://tinyurl.com/48wycdka).
diff --git a/docs/src/ref_impl/creating_appvm.md b/docs/src/ref_impl/creating_appvm.md
index e394a7fea..9517408d2 100644
--- a/docs/src/ref_impl/creating_appvm.md
+++ b/docs/src/ref_impl/creating_appvm.md
@@ -5,69 +5,60 @@ # Creating Application VM -Application VM (AppVM) is a VM that improves trust in system components by isolating applications from the host OS and other applications. Virtualization with hardware-backed mechanisms provides better resource protection than traditional OS. This lets users use applications of different trust levels within the same system without compromising system security. While the VMs have overhead, it is acceptable as a result of improved security and usability that makes the application seem like it is running inside an ordinary OS. +Application VM (App VM) is a VM that improves trust in system components by isolating applications from the host OS and other applications. Virtualization with hardware-backed mechanisms provides better resource protection than traditional OS. This lets users use applications of different trust levels within the same system without compromising system security. While the VMs have overhead, it is acceptable as a result of improved security and usability that makes the application seem like it is running inside an ordinary OS. -As a result, both highly trusted applications and untrusted applications can be hosted in the same secure system when the concerns are separated in their own AppVMs. +As a result, both highly trusted applications and untrusted applications can be hosted in the same secure system when the concerns are separated in their own App VM. -To create an AppVM: -1. Add AppVM description. -2. Add an app launcher in GUI VM. +To create an App VM, do the following: +1. Create the new configuration file for your VM in the [modules/reference/appvms](https://github.com/tiiuae/ghaf/tree/main/modules/reference/appvms) directory. + You can use an already existing VM file as a reference, for example: `modules/reference/appvms/business.nix`. -## Adding AppVM Description + Each VM has the following properties: -Add the VM description in the target configuration. 
+ | **Property** | **Type** | **Unique** | **Description** | **Example** | + | -------------- | --------------------------- | ------------ | --------------------------------------------------------------------------------------------------------------- | --------------------- | + | name | str | yes | This name is postfixed with `-vm` and will be shown in microvm list. The name, for example, `chromium-vm` will be also the VM hostname. The length of the name must be 8 characters or less. | “chromium” | + | packages | list of types.package | no | Packages to include in a VM. It is possible to make it empty or add several packages. | [chromium top] | + | macAddress | str | yes | Needed for network configuration. | "02:00:00:03:03:05" | + | ramMb | int, [1, …, host memory] | no | Memory in MB. | 3072 | + | cores | int, [1, …, host cores] | no | Virtual CPU cores. -[lenovo-x1-carbon.nix](https://github.com/tiiuae/ghaf/blob/main/targets/lenovo-x1-carbon.nix) already has AppVMs inside for Chromium, Gala, and Zathura applications. - - -#### AppVMs Example +2. Create a new option for your VM in [modules/reference/appvms/default.nix](https://github.com/tiiuae/ghaf/blob/main/modules/reference/appvms/default.nix). 
For example: ``` -vms = with pkgs; [ - { - name = "chromium"; - packages = [chromium]; - macAddress = "02:00:00:03:03:05"; - ramMb = 3072; - cores = 4; - } - { - name = "gala"; - packages = [(pkgs.callPackage ../packages/gala {})]; - macAddress = "02:00:00:03:03:06"; - ramMb = 1536; - cores = 2; - } - { - name = "zathura"; - packages = [zathura]; - macAddress = "02:00:00:03:03:07"; - ramMb = 512; - cores = 1; - } -]; + business-vm = lib.mkEnableOption "Enable the Business appvm"; + new-vm = lib.mkEnableOption "Enable the New appvm"; # your new vm here ``` -Each VM has the following properties: - - -| **Property** | **Type** | **Unique** | **Description** | **Example** | -| -------------- | --------------------------- | ------------ | --------------------------------------------------------------------------------------------------------------- | --------------------- | -| name | str | yes | This name is postfixed with `-vm` and will be shown in microvm list. The name - e.g. `chromium-vm` will be also the VM hostname. The lenght of the name must be 8 characters or less. | “chromium” | -| packages | list of types.package | no | Packages to include in a VM. It is possible to make it empty or add several packages. | [chromium top] | -| macAddress | str | yes | Needed for network configuration. | "02:00:00:03:03:05" | -| ramMb | int, [1, …, host memory] | no | Memory in MB. | 3072 | -| cores | int, [1, …, host cores] | no | Virtual CPU cores. | 4 | +``` + ++ (lib.optionals cfg.business-vm [(import ./business.nix {inherit pkgs lib config;})]) + ++ (lib.optionals cfg.new-vm [(import ./new_vm_name.nix {inherit pkgs lib config;})]); # your new vm here +``` +3. 
Add your new VM to the profile file, for example [mvp-user-trial.nix](https://github.com/tiiuae/ghaf/blob/main/modules/profiles/mvp-user-trial.nix): -## Adding Application Launcher in GUI VM +``` + business-vm = true; + new-vm = true; # your new vm here +``` -To add an application launcher, add an element in the [guivm.nix](https://github.com/tiiuae/ghaf/blob/main/modules/virtualization/microvm/guivm.nix) file to the **graphics.weston.launchers** list. +> [!NOTE] +> For more information on creating new profiles, see [Profiles Configuration](./profiles-config.md). -A launcher element has two properties: +4. Add an IP and the VM name in [modules/common/networking/hosts.nix](https://github.com/tiiuae/ghaf/blob/main/modules/common/networking/hosts.nix). For example: + +``` + { + ip = 105; + name = "business-vm"; + } +``` -* **path**–path to the executable you want to run, like a graphical application; -* **icon**–path to an icon to show. +5. Add an application launcher in [modules/common/services/desktop.nix](https://github.com/tiiuae/ghaf/blob/main/modules/common/services/desktop.nix). + + A launcher element has the following properties: -Check the example launchers at [guivm.nix](https://github.com/tiiuae/ghaf/blob/main/modules/virtualization/microvm/guivm.nix). + * **name**: the name of the launcher; + * **path**: path to the executable you want to run, like a graphical application; + * **icon**: path to an icon to show. If you have an icon package for your launcher, add it here as well: [packages/icon-pack/default.nix](https://github.com/tiiuae/ghaf/blob/main/packages/icon-pack/default.nix). \ No newline at end of file diff --git a/docs/src/ref_impl/cross_compilation.md b/docs/src/ref_impl/cross_compilation.md index 416a3b511..404dca0e1 100644 --- a/docs/src/ref_impl/cross_compilation.md +++ b/docs/src/ref_impl/cross_compilation.md 
@@ -5,6 +5,7 @@ # Cross-Compilation +> [!WARNING] > Cross-compilation is currently under development and cannot be used properly on all the supported device configurations. Ghaf is targeted at a range of devices and form factors that support different instruction set architectures (ISA). Many small form-factor edge devices are not powerful enough to compile the needed applications or OSs that run on them. As the most common ISA used in desktops and servers is ``x_86``, this will generally require that the code is cross-compiled for target ISA e.g. ``AArch64`` or ``RISC-V``. diff --git a/docs/src/ref_impl/development.md b/docs/src/ref_impl/development.md index 88845c3c7..d46820587 100644 --- a/docs/src/ref_impl/development.md +++ b/docs/src/ref_impl/development.md 
@@ -14,17 +14,22 @@ The scope of target support is updated with development progress: * [Installer](./installer.md) * [Cross-Compilation](./cross_compilation.md) * [Creating Application VM](./creating_appvm.md) +* [Hardware Configuration](ref_impl/hw-config.md) +* [Profiles Configuration](ref_impl/profiles-config.md) * [labwc Desktop Environment](./labwc.md) +* [IDS VM Further Development](./idsvm-development.md) +* [systemd Service Hardening](./systemd-service-config.md) -Once you are up and running, you can participate in the collaborative development process by building a development build with additional options. For example, with the development username and password that are defined in [accounts.nix](https://github.com/tiiuae/ghaf/blob/main/modules/users/accounts.nix). +Once you are up and running, you can participate in the collaborative development process by building a development build with additional options. For example, with the development username and password that are defined in [accounts.nix](https://github.com/tiiuae/ghaf/blob/main/modules/common/users/accounts.nix). -If you authorize your development SSH keys in the [ssh.nix](https://github.com/tiiuae/ghaf/blob/main/modules/development/ssh.nix#L10-L23) module and rebuild Ghaf for your target device, you can use `nixos-rebuild switch` to quickly deploy your configuration changes to the target device over the network using SSH. For example: +If you authorize your development SSH keys in the [ssh.nix](https://github.com/tiiuae/ghaf/blob/main/modules/common/development/authorized_ssh_keys.nix#L4-L21) module and rebuild Ghaf for your target device, you can use `nixos-rebuild switch` to quickly deploy your configuration changes to the target device over the network using SSH. For example: nixos-rebuild --flake .#nvidia-jetson-orin-agx-debug --target-host root@ --fast switch ... nixos-rebuild --flake .#lenovo-x1-carbon-gen11-debug --target-host root@ --fast switch ... 
+> [!TIP] > With the `-debug` targets, the debug ethernet is enabled on host. With Lenovo X1 Carbon, you can connect USB-Ethernet adapter for the debug and development access. Pull requests are the way for contributors to submit code to the Ghaf project. For more information, see [Contribution Guidelines](../appendices/contributing_general.md). diff --git a/docs/src/ref_impl/example_project.md b/docs/src/ref_impl/example_project.md index ab90a47e6..85e745f1c 100644 --- a/docs/src/ref_impl/example_project.md +++ b/docs/src/ref_impl/example_project.md @@ -11,7 +11,7 @@ The best way to do the Ghaf customization is by using Ghaf templates: 1. Create a template project as described in the [Ghaf as Library](../ref_impl/ghaf-based-project.md) section. 2. Adjust your system configuration in accordance with your HW specification. Determine all VIDs and PIDs of the devices that are passed to the VMs. -3. Add GUIVM configuration, NetworkVM configuration, and optionally some AppVMs. +3. Add GUI VM configuration, NetworkVM configuration, and optionally some AppVMs. 4. Set up Weston panel shortcuts. You can refer to the existing [project example for Lenovo T14 and Lenovo X1 laptops](https://github.com/unbel13ver/ghaf-lib). 
@@ -49,13 +49,14 @@ If after booting you see a black screen, try the following to detect the issue: 3. Identify an IP address by a MAC address with the `arp` command. If a MAC address is unknown, you can boot into the NixOS image or any other OS to find it, or try the latest addresses that `arp` returns. 4. Connect using SSH (login/password ghaf/ghaf). Then connect from netvm to the host using `ssh 192.168.101.2` (login/password ghaf/ghaf). 5. Check running VMs with `microvm -l`. -6. Check a GUIVM log using `journalctl -u microvm@guivm`. -7. If GUIVM does not start, you can try to start it manually with `/var/lib/microvms/guivm/current/bin/microvm-run`. +6. Check a GUI VM log using `journalctl -u microvm@guivm`. +7. If GUI VM does not start, you can try to start it manually with `/var/lib/microvms/guivm/current/bin/microvm-run`. -In case when GUIVM did not start with the error message that the device /dev/mouse or /dev/touchpad was not found, it means that the model of the touchpad in the laptop is different since it was bought in another country and has a different SKU (stock keeping unit). To add support for a new touchpad, do the following: +In case when GUI VM did not start with the error message that the device /dev/mouse or /dev/touchpad was not found, it means that the model of the touchpad in the laptop is different since it was bought in another country and has a different SKU (stock keeping unit). To add support for a new touchpad, do the following: 1. On the ghaf host, check the devices in `/dev/input/by-path` that contain “-event-” in the name. Use the command like `udevadm info -q all -a /dev/input/by-path/pci-0000:00:15.0-platform-i2c_designware.0-event-mouse | grep name` for the name of each of these devices. + > [!TIP] > By name you can understand which devices belong to the touchpad. 
For example, on laptops in Finland they look like “SYNA8016:00 06CB:CEB3 Mouse” and “SYNA8016:00 06CB:CEB3 Touchpad”, and in the UAE they are “ELAN067C:00 04F3:31F9 Mouse” and “ELAN067C:00 04F3:31F9 Touchpad.” 2. If there are no such devices in `/dev/input/by-path`, then you can check the devices /dev/input/event* with a similar command. diff --git a/docs/src/ref_impl/hw-config.md b/docs/src/ref_impl/hw-config.md new file mode 100644 index 000000000..d62f00af0 --- /dev/null +++ b/docs/src/ref_impl/hw-config.md @@ -0,0 +1,26 @@ + + +# Hardware Configuration + +All configuration files for reference target devices are in [modules/hardware](https://github.com/tiiuae/ghaf/tree/main/modules/hardware). + +The ghaf-24.06 release supports the following target hardware: + +* NVIDIA Jetson AGX Orin +* NVIDIA Jetson Orin NX +* Generic x86 (PC) +* Polarfire Icicle Kit +* Lenovo ThinkPad X1 Carbon Gen 11 +* Lenovo ThinkPad X1 Carbon Gen 10 +* NXP i.MX 8M Plus + +To add a new hardware configuration file, do the following: + +1. Create a separate folder for the device in [modules/hardware](https://github.com/tiiuae/ghaf/tree/main/modules/hardware). +2. Create the new configuration file with hardware-dependent parameters like host information, input and output device parameters, and others. + + > [!TIP] + > You can use an already existing file as a reference, for example [modules/hardware/lenovo-x1/definitions/x1-gen11.nix](https://github.com/tiiuae/ghaf/blob/main/modules/hardware/lenovo-x1/definitions/x1-gen11.nix). diff --git a/docs/src/ref_impl/idsvm-development.md b/docs/src/ref_impl/idsvm-development.md new file mode 100644 index 000000000..605df602e --- /dev/null +++ b/docs/src/ref_impl/idsvm-development.md 
@@ -0,0 +1,36 @@ + + +# IDS VM Further Development + + +## Implementation + +The [IDS VM](../architecture/adr/idsvm.md) is implemented as a regular Micro VM with static IP. + +The [mitmproxy](https://mitmproxy.org/) is included in the demonstrative interactive proxy to enable analysis of TLS-protected data on the fly. Also, [Snort](https://snort.org/) network intrusion detection and prevention system package is included but no dedicated UI nor proper utilization is provided. + +Enforcing network traffic to go through IDS VM is crucial to the IDS VM functionality. It is achieved by setting the IDS VM to be the gateway of other VMs in [dnsmasq](https://thekelleys.org.uk/dnsmasq/doc.html) configuration of Net VM. There is a risk that one could change the gateway settings of the VM to bypass the IDS VM. This however requires root (sudo) rights and it is assumed here that these rights are enabled only in the debug build. + + +## mitmproxy + +[**mitmproxy**](https://mitmproxy.org/) is a free and open-source interactive HTTPS proxy. It is your Swiss Army Knife for debugging, testing, privacy measurements, and penetration testing. It can be used to intercept, inspect, modify and replay web traffic such as HTTP/1, HTTP/2, WebSockets, or any other SSL/TLS-protected protocols. + +In IDS VM, we use **mitmweb**[^note1] tool to demonstrate mitmproxy's capabilities. It provides a web-based user interface that allows interactive examination and modification of HTTP(s) traffic. The mtmproxy package also includes a console tool that provides the same functionalities in a text-based interface and a command-line tool **mitmdump** to view, record, and programmatically transform HTTP(s) traffic. + +The mitmweb tool is run in *ids-vm* as a systemd service. It starts automatically when *ids-vm* boots up. The UI it provides is accessible at , so it is available from *ids-vm* only. However, with SSH port forwarding it is possible to access the UI from other VMs. 
To that purpose, GUI VM has a script *mitmweb-ui* that creates an SSH tunnel between *ids-vm* and *chromium-vm*, launches Chromium, and connects to the UI address. + + +## Certificates + +mitmproxy can decrypt encrypted traffic on the fly, as long as the client trusts mitmproxy's built-in certificate authority (CA). CA certificates are the same for all *ids-vm* instances, as they are hardcoded to the IDS VM implementation. In the release version, these should be randomly generated and stored securely. + +By default, any of the clients should not trust mitmproxy's CA. These CA certificates should be installed in the OS's CA storage. However, many client applications (web browsers, for example) use their own CA bundles, and importing custom certificates there can be complicated or require manual user interaction. In our case, this difficulty is circumvented in *chromium-vm* by disabling certificate verification errors, if the certificate chain contains a certificate which SPKI fingerprint matches that of mitmproxy's CA certificate fingerprint. This does not degrade server verification security since mitmproxy validates upstream certificates using a certified Python package which provides Mozilla's CA Bundle. + +Some applications use certificate pinning to prevent man-in-the-middle attacks. As a consequence mitmproxy's certificates will not be accepted by these applications without patching applications manually. Other option is to set mitmproxy to use ignore_hosts option to prevent mitmproxy from intercepting traffic to these specific domains. + + +[^note1]: **mitmproxy** is an interactive, SSL/TLS-capable intercepting proxy with a console interface for HTTP/1, HTTP/2, and WebSockets. **mitmweb** is a web-based interface for mitmproxy. **mitmdump** is the command-line version of mitmproxy. Source: [mitmproxy docs](https://docs.mitmproxy.org/stable/#3-powerful-core-tools). 
diff --git a/docs/src/ref_impl/installer.md b/docs/src/ref_impl/installer.md index 1ddb233b6..e7e4f4a5b 100644 --- a/docs/src/ref_impl/installer.md +++ b/docs/src/ref_impl/installer.md @@ -5,22 +5,23 @@ # Installer + ## Configuring and Building Installer for Ghaf You can obtain the installation image for your Ghaf configuration. -In addition to the live USB image that Ghaf provides it is also possible -to install Ghaf. This can either be achieved by downloading the desired image -or by building it as described below. +In addition to the live USB image that Ghaf provides it is also possible to install Ghaf. This can either be achieved by downloading the desired image or by building it as described below. + +Currently, only x86_64-linux systems are supported by the standalone installer. -Currently only x86_64-linux systems are supported by the standalone installer. So to build e.g. the debug image -for the Lenovo x1 follow the following steps +To build, for example, the debug image for the Lenovo x1, use the following command: ```sh nix build .#lenovo-x1-carbon-gen11-debug-installer ``` -## Flashing the installer + +## Flashing Installer Once built you must transfer it to the desired installation media. It requires at least a 4GB SSD, at the time of writing. 
@@ -28,24 +29,25 @@ Once built you must transfer it to the desired installation media. It requires a sudo dd if=./result/iso/ghaf--x86_64-linux.iso of=/dev/ bs=32M status=progress; sync ``` -## Installing the image -**Warning this is a destructive operation and will overwrite your system** +## Installing Image + +> [!CAUTION] +> This operation is destructive and will overwrite your system. Insert the SSD into the laptop, boot, and select the option to install. -When presented with the terminal run: +Then use the following command: ```nix sudo ghaf-install.sh ``` -Check the available options shown in the prompt for the install target -remember that the `/dev/sdX` is likely the install medium. +Check the available options shown in the prompt for the install target. Mind that the `/dev/sdX` is likely the install medium. -Once entered, remembering to include `/dev`, press ENTER to complete the process. +Once entered, include `/dev` and press [Enter] on the keyboard to complete the process. ```nix sudo reboot ``` -And remember to remove the installer drive +Remove the installer drive. diff --git a/docs/src/ref_impl/labwc.md b/docs/src/ref_impl/labwc.md index 117c0001c..398d8c43f 100644 --- a/docs/src/ref_impl/labwc.md +++ b/docs/src/ref_impl/labwc.md @@ -12,7 +12,7 @@ To use labwc as your default desktop environment, add it as a module to Ghaf: * change the configuration option `profiles.graphics.compositor = "labwc"` or -* uncomment the corresponding line in the [guivm.nix](https://github.com/tiiuae/ghaf/blob/main/modules/virtualization/microvm/guivm.nix) file. +* uncomment the corresponding line in the [guivm.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/virtualization/microvm/guivm.nix) file. The basis of the labwc configuration is the set of following files: `rc.xml`, `menu.xml`, `autostart`, and `environment`. These files can be edited by substituting in the labwc overlay `overlays/custom-packages/labwc/default.nix`. 
@@ -24,7 +24,8 @@ The border color concept illustrates the application trustworthiness in a user-f Ghaf uses patched labwc which makes it possible to change the border color for the chosen application. The implementation is based on window rules by substituting the server decoration colors (`serverDecoration` = `yes`). The `borderColor` property is responsible for the frame color. -> **TIP:** According to the labwc specification, the **identifier** parameter is case-sensitive and relates to app_id for native Wayland windows and WM_CLASS for XWayland clients. +> [!IMPORTANT] +> According to the labwc specification, the **identifier** parameter is case-sensitive and relates to app_id for native Wayland windows and WM_CLASS for XWayland clients. For example, the foot terminal with Aqua colored frame: ``` diff --git a/docs/src/ref_impl/profiles-config.md b/docs/src/ref_impl/profiles-config.md new file mode 100644 index 000000000..30f9f71b3 --- /dev/null +++ b/docs/src/ref_impl/profiles-config.md 
@@ -0,0 +1,48 @@ + + +# Profiles Configuration + +A profile is a set of software needed for a particular use case. All profiles configuration files are in [modules/profiles](https://github.com/tiiuae/ghaf/tree/main/modules/profiles). + +To add a new profile, do the following: + +1. Create your own configuration file using [modules/profiles/mvp-user-trial.nix](https://github.com/tiiuae/ghaf/blob/main/modules/profiles/mvp-user-trial.nix) as a reference. +2. Depending on the location of your reference appvms, services, or programs change the includes to point to them. +3. Create a new enable option to enable the profile, for example, `new-cool-profile`. +4. In the lower section, under the correct area appvms, services, programs, make sure to describe additional definitions you need. + + +For example, a `safe-and-unsave-browsing.nix` file with a simple setup that includes business-vm and chrome-vm could look like this: + +``` + config = lib.mkIf cfg.enable { + ghaf = { + reference = { + appvms = { + enable = true; + chromium-vm = true; + business-vm = true; + }; + + services = { + enable = true; + }; + + programs = { + }; + }; + + profiles = { + laptop-x86 = { + enable = true; + netvmExtraModules = [../reference/services]; + guivmExtraModules = [../reference/programs]; + inherit (config.ghaf.reference.appvms) enabled-app-vms; + }; + }; + }; + }; +``` \ No newline at end of file diff --git a/docs/src/ref_impl/reference_implementations.md b/docs/src/ref_impl/reference_implementations.md index e90d40adc..83c713c79 100644 --- a/docs/src/ref_impl/reference_implementations.md +++ b/docs/src/ref_impl/reference_implementations.md 
@@ -26,6 +26,7 @@ NixOS, a Linux OS distribution packaged with Nix, provides us with: Even when unmodified upstream is often preferred, even ideal, to ensure timely security updates from upstream—customizations are sometimes required. + ### Example To support a reference board without a vendor board support package (BSP)—bootloader, kernel, device drivers—is often not feasible. With this approach, we can overlay the generic NixOS Linux kernel with the vendor kernel and add a vendor bootloader to build a target image. @@ -39,9 +40,15 @@ The same goes with the architectural variants as headless devices or end-user de - [Development](./development.md) - [Build and Run](./build_and_run.md) + - [Running Remote Build on NixOS](./remote_build_setup.md) - [Installer](./installer.md) - [Cross-Compilation](./cross_compilation.md) - [Creating Application VM](./creating_appvm.md) + - [Hardware Configuration](ref_impl/hw-config.md) + - [Profiles Configuration](ref_impl/profiles-config.md) + - [labwc Desktop Environment](./labwc.md) + - [IDS VM Further Development](./idsvm-development.md) + - [systemd Service Hardening](./systemd-service-config.md) - [Ghaf as Library: Templates](./ghaf-based-project.md) - [Example Project](./example_project.md) - [Modules Options](./modules_options.md) diff --git a/docs/src/ref_impl/remote_build_setup.md b/docs/src/ref_impl/remote_build_setup.md index 0a7652710..42b98b919 100644 --- a/docs/src/ref_impl/remote_build_setup.md +++ b/docs/src/ref_impl/remote_build_setup.md 
@@ -15,6 +15,7 @@ If you hit an issue, check [Troubleshooting](./remote_build_setup.md#troubleshoo ### 1. Configuring SSH Keys +> [!IMPORTANT] > This step assumes that public SSH keys were generated and copied (*ssh-copy-id*) both for normal and root users. For more information, see [Setting up public key authentication](https://www.ssh.com/academy/ssh/copy-id#setting-up-public-key-authentication). Before you begin, make sure an SSH connection is established to the remote host for both normal and root users: @@ -57,7 +58,8 @@ Do the following on a local machine: ``` cd .ssh ``` - > **TIP**:`.ssh` is a user-level access and `/etc/ssh` is system-wide. + > [!TIP] + > `.ssh` is a user-level access and `/etc/ssh` is system-wide. #### 1.2. Accessing Remote Machine Using SSH diff --git a/docs/src/ref_impl/systemd-service-config.md b/docs/src/ref_impl/systemd-service-config.md new file mode 100644 index 000000000..c3cb12682 --- /dev/null +++ b/docs/src/ref_impl/systemd-service-config.md @@ -0,0 +1,614 @@ + + +# systemd Service Hardening + +This document outlines systemd service configurations that significantly impact a service's exposure. The following configurations can be utilized to enhance the security of a systemd service: + + + + + + + + +
+ +1. Networking + - [PrivateNetwork](./systemd-service-config.md#11-privatenetwork) + - [IPAccounting](./systemd-service-config.md#12-ipaccounting) + - [IPAddressAllow, IPAddressDeny](./systemd-service-config.md#13-ipaddressallow-ipaddressdeny) + - [RestrictNetworkInterfaces](./systemd-service-config.md#14-restrictnetworkinterfaces) + - [RestrictAddressFamilies](./systemd-service-config.md#15-restrictaddressfamilies) +2. File system + - [ProtectHome](./systemd-service-config.md#21-protecthome) + - [ProtectSystem](./systemd-service-config.md#22-protectsystem) + - [ProtectProc](./systemd-service-config.md#23-protectproc) + - [ReadWritePaths, ReadOnlyPaths, InaccessiblePaths, ExecPaths, NoExecPaths](./systemd-service-config.md#24-readwritepaths-readonlypaths-inaccessiblepaths-execpaths-noexecpaths) + - [PrivateTmp](./systemd-service-config.md#25-privatetmp) + - [PrivateMounts](./systemd-service-config.md#26-privatemounts) + - [ProcSubset](./systemd-service-config.md#27-procsubset) +3. User separation + - [PrivateUsers](./systemd-service-config.md#31-privateusers) + - [DynamicUser](./systemd-service-config.md#32-dynamicuser) +4. Devices + - [PrivateDevices](./systemd-service-config.md#41-privatedevices) + - [DeviceAllow](./systemd-service-config.md#42-deviceallow) +5. Kernel + - [ProtectKernelTunables](./systemd-service-config.md#51-protectkerneltunables) + - [ProtectKernelModules](./systemd-service-config.md#52-protectkernelmodules) + - [ProtectKernelLogs](./systemd-service-config.md#53-protectkernellogs) + + + +6. 
Misc + - [Delegate](./systemd-service-config.md#61-delegate) + - [KeyringMode](./systemd-service-config.md#62-keyringmode) + - [NoNewPrivileges](./systemd-service-config.md#63-nonewprivileges) + - [UMask](./systemd-service-config.md#64-umask) + - [ProtectHostname](./systemd-service-config.md#65-protecthostname) + - [ProtectClock](./systemd-service-config.md#66-protectclock) + - [ProtectControlGroups](./systemd-service-config.md#67-protectcontrolgroups) + - [RestrictNamespaces](./systemd-service-config.md#68-restrictnamespaces) + - [LockPersonality](./systemd-service-config.md#69-lockpersonality) + - [MemoryDenyWriteExecute](./systemd-service-config.md#610-memorydenywriteexecute) + - [RestrictRealtime](./systemd-service-config.md#611-restrictrealtime) + - [RestrictSUIDSGID](./systemd-service-config.md#612-restrictsuidsgid) + - [RemoveIPC](./systemd-service-config.md#613-removeipc) + - [SystemCallArchitectures](./systemd-service-config.md#614-systemcallarchitectures) + - [NotifyAccess](./systemd-service-config.md#615-notifyaccess) +7. Capabilities + - [AmbientCapabilities](./systemd-service-config.md#71-ambientcapabilities) + - [CapabilityBoundingSet](./systemd-service-config.md#72-capabilityboundingset) +8. System calls + - [SystemCallFilter](./systemd-service-config.md#81-systemcallfilter) + +
+ +--- + +## 1. Networking + + +### 1.1. PrivateNetwork + +[PrivateNetwork](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateNetwork=) is useful for preventing the service from accessing the network. + +**Type**: *Boolean.* +**Default**: `false` +**Options**: +* `true` : Creates a new network namespace for the service. Only the loopback device "lo" is available in this namespace, other network devices are not accessible. +* `false` : The service will use the host's network namespace, it can access all the network devices available on the host. It can communicate over the network like any other process running on a host. + + +### 1.2. IPAccounting + +[IPAccounting](https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#IPAccounting=) helps in detecting unusual or unexpected network activity by a service. + +**Type**: *Boolean.* +**Default**: `false` +**Options**: +* `true`: Enables accounting for all IPv4 and IPv6 sockets created by the service: keeps track of the data sent and received by each socket in the service. +* `false`: Disables tracking of the sockets created by the service. + + +### 1.3. IPAddressAllow, IPAddressDeny + +[IPAddressAllow](https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#IPAddressAllow=)=ADDRESS[/PREFIXLENGTH]…, IPAddressDeny=ADDRESS[/PREFIXLENGTH]… + +Enables packet filtering on all IPv4 and IPv6 sockets created by the service. Useful for restricting/preventing a service from communicating only with certain IP addresses or networks. + +**Type**: *Space separated list of ip addresses and/or a symbolic name.* +**Default**: All IP addresses are allowed and no IP addresses are explicitly denied. +**Options**: +- *List of addresses*: Specify list of addresses allowed/denied. For example, `['192.168.1.8' '192.168.1.0/24']`. Any IP not explicitly allowed will be denied. +- *Symbolic Names*: Following symbolic names can also be used. 
+ `any` : Any host (i.e., '0.0.0.0/0 ::/0'). + `localhost`: All addresses on the local loopback (i.e., '127.0.0.0/8 ::1/128'). + `link-local`: All link-local IP addresses(i.e., '169.254.0.0/16 fe80::/64'). + `multicast`: All IP multicasting addresses (i.e., 224.0.0.0/4 ff00::/8). + + +### 1.4. RestrictNetworkInterfaces + +[RestrictNetworkInterfaces](https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#RestrictNetworkInterfaces=) is used to control which network interfaces a service has access to. This helps isolate services from the network or restrict them to specific network interfaces, enhancing security and reducing potential risk. + +**Type**: *Space-separated list of network interface names.* +**Default**: The service can access to all available network interfaces unless other network restrictions are in place. +**Options**: +* Specify individual network interface names to restrict the service to using only those interfaces. +* Prefix an interface name with '~' to invert the restriction, i.e. denying access to that specific interface while allowing all others. + + +### 1.5. RestrictAddressFamilies + +[RestrictAddressFamilies](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictAddressFamilies=) is used to control which address families a service can use. This setting restricts the service's ability to open sockets using specific address families, such as `'AF_INET'` for IPv4, `'AF_INET6'` for IPv6, or others. It is a security feature that helps limit the service's network capabilities and reduces its exposure to network-related vulnerabilities. + +**Type**: List of address family names. +**Default**: If not configured, the service is allowed to use all available address families. +**Options**: +* **`none`**: Apply no restriction. +* **Specific Address Families**: Specify one or more address families that the service is allowed to use, for example, `'AF_INET'`, `'AF_INET6'`, `'AF_UNIX'`. 
+* **Inverted Restriction**: Prepend character '~' to an address family name to deny access to it while allowing all others, for example, `'~AF_INET'` would block IPv4 access.
+
+[Back to Top ⏫](./systemd-service-config.md#systemd-service-hardening)
+---
+
+
+## 2. File System
+
+### 2.1 ProtectHome
+
+[ProtectHome](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=) is used to restrict a service's access to home directories. This security feature can be used either completely to block access to `/home`, `/root`, and `/run/user` or make them appear empty to the service, thereby protecting user data from unauthorized access by system services.
+
+**Type**: *Boolean or String.*
+**Default**: `false` i.e. the service has full access to home directories unless restricted by some other mean.
+**Options**:
+* **`true`**: The service is completely denied access to home directories.
+* **`false`**: The service has unrestricted access to home directories.
+* **`read-only`**: The service can view the contents of home directories but cannot modify them.
+* **`tmpfs`**: Mounts a temporary filesystem in place of home directories, ensuring the service cannot access or modify the actual user data. Adding the tmpfs option provides a flexible approach by creating a volatile in-memory filesystem where the service believes it has access to home but any changes it makes do not affect the actual data and are lost when the service stops. This is particularly useful for services that require a temporary space in a home.
+
+
+### 2.2. ProtectSystem
+
+[ProtectSystem](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=) controls access to the system's root directory (`/`) and other essential system directories. This setting enhances security by restricting a service's ability to modify or access critical system files and directories.
+
+**Type**: *Boolean or String.*
+**Default**: `full` (Equivalent to `true`).
The service is restricted from modifying or accessing critical system directories.
+**Options**:
+* **`true`**: Mounts the directories `/usr/`, `/boot`, and `/efi` read-only for processes.
+* **`full`**: Additionally mounts the `/etc/` directory read-only.
+* **`strict`**: Mounts the entire file system hierarchy read-only, except for essential API file system subtrees like `/dev/`, `/proc/`, and `/sys/`.
+* **`false`**: Allows the service unrestricted access to system directories.
+
+Using `true` or `full` is recommended for services that do not require access to system directories to enhance security and stability.
+
+
+### 2.3. ProtectProc
+
+[ProtectProc](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectProc=) controls access to the `/proc` filesystem for a service. This setting enhances security by restricting a service's ability to view or manipulate processes and kernel information in the `/proc` directory.
+
+**Type**: *Boolean or String.*
+**Default**: `default`. No restriction is imposed from viewing or manipulating processes and kernel information in `/proc`.
+**Options**:
+* **`noaccess`**: Restricts access to most process metadata of other users in `/proc`.
+* **`invisible`**: Hides processes owned by other users from view in `/proc`.
+* **`ptraceable`**: Hides processes that cannot be traced (`ptrace()`) by other processes.
+* **`default`**: Imposes no restrictions on access or visibility to `/proc`.
+
+
+### 2.4. ReadWritePaths, ReadOnlyPaths, InaccessiblePaths, ExecPaths, NoExecPaths
+
+[ReadWritePaths](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=) creates a new file system namespace for executed processes, enabling fine-grained control over file system access.
+
+* **ReadWritePaths=**: Paths listed here are accessible with the same access modes from within the namespace as from outside it.
+* **ReadOnlyPaths=**: Allows reading from listed paths only; write attempts are refused even if file access controls would otherwise permit it.
+* **InaccessiblePaths=**: Makes listed paths and everything below them in the file system hierarchy inaccessible to processes within the namespace.
+* **NoExecPaths=**: Prevents execution of files from listed paths, overriding usual file access controls. Nest `ExecPaths=` within `NoExecPaths=` to selectively allow execution within directories otherwise marked non-executable.
+
+**Type**: *Space-separated list of paths.*
+**Default**: No restriction to file system access until unless restricted by some other mechanism.
+**Options**:
+**Space separated list of paths** : Space-separated list of paths relative to the host's root directory. Symlinks are resolved relative to the root directory specified by `RootDirectory=` or `RootImage=`.
+
+
+### 2.5. PrivateTmp
+
+[PrivateTmp](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp=) uses a private, isolated `/tmp` directory for the service, enhancing security by preventing access to other processes' temporary files and ensuring data isolation.
+
+**Type**: *Boolean.*
+**Default**: `false`. If not specified, the service shares the system `/tmp` directory with other processes.
+**Options**:
+* **`true`**: Enables private `/tmp` for the service, isolating its temporary files from other processes.
+* **`false`**: The service shares the system `/tmp` directory with other processes.
+
+Additionally, when enabled, all temporary files created by a service in these directories will be automatically removed after the service is stopped.
+
+
+### 2.6. PrivateMounts
+
+[PrivateMounts](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateMounts=) controls whether the service should have its mount namespace, isolating its mounts from the rest of the system.
This setup ensures that any file system mount points created or removed by the unit's processes remain private to them and are not visible to the host.
+
+**Type**: *Boolean.*
+**Default**: `false`. If not specified, the service shares the same mount namespace as other processes.
+**Options**:
+* **`true`**: Enables private mount namespace for the service, isolating its mounts from the rest of the system.
+* **`false`**: The service shares the same mount namespace as other processes.
+
+
+### 2.7. ProcSubset
+
+[ProcSubset](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProcSubset=) restricts the set of `/proc` entries visible to the service, enhancing security by limiting access to specific process information in the `/proc` filesystem.
+
+**Type**: *String.*
+**Default**: `all`. If not specified, the service has access to all `/proc` entries.
+**Options**:
+* **`all`**: Allows the service access to all `/proc` entries.
+* **`pid`**: Restricts the service to only its own process information (`/proc/self`, `/proc/thread-self/`).
+
+[Back to Top ⏫](./systemd-service-config.md#systemd-service-hardening)
+---
+
+
+## 3. User Separation
+
+> **IMPORTANT:** Not applicable for the service runs as root.
+
+
+### 3.1. PrivateUsers
+
+[PrivateUsers=](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateUsers=) controls whether the service should run with a private set of UIDs and GIDs, isolating the user and group databases used by the unit from the rest of the system, and creating a secure sandbox environment. The isolation reduces the privilege escalation potential of services.
+
+**Type**: *Boolean.*
+**Default**: `false`. If not specified, the service runs with the same user and group IDs as other processes.
+**Options**:
+* **`true`**: Enables private user and group IDs for the service by creating a new user namespace, isolating them from the rest of the system.
+* **`false`**: The service runs with the same user and group IDs as other processes.
+
+
+### 3.2. DynamicUser
+
+[DynamicUser](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#DynamicUser=) enables systemd to dynamically allocate a unique user and group ID (UID/GID) for the service at runtime, enhancing security and resource isolation. These user and group entries are managed transiently during runtime and are not added to `/etc/passwd` or `/etc/group`.
+
+**Type**: *Boolean.*
+**Default**: `false`. If not specified, the service uses a static user and group ID defined in the service unit file or defaults to `root`.
+**Options**:
+* **`true`**: A UNIX user and group pair are dynamically allocated when the unit is started and released as soon as it is stopped.
+* **`false`**: The service uses a static UID/GID defined in the service unit file or defaults to `root`.
+
+[Back to Top ⏫](./systemd-service-config.md#systemd-service-hardening)
+---
+
+
+## 4. Devices
+
+
+### 4.1. PrivateDevices
+
+[PrivateDevices](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateDevices=) controls whether the service should have access to device nodes in `/dev`.
+
+**Type**: *Boolean.*
+**Default**: `false`. If not specified, the service has access to device nodes in `/dev`.
+**Options**:
+* **`true`**: Restricts the service's access to device nodes in `/dev` by creating a new `/dev/` mount for the executed processes and includes only pseudo devices such as `/dev/null`, `/dev/zero`, or `/dev/random`. Physical devices are not added to this mount. This setup is useful for disabling physical device access by the service.
+* **`false`**: The service has access to device nodes in `/dev`.
+
+
+### 4.2. DeviceAllow
+
+[DeviceAllow](https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#DeviceAllow=) specifies individual device access rules for the service, allowing fine-grained control over device permissions.
+
+**Type**: *Space-separated list of device access rules.*
+**Default**: None. If not specified, the service does not have specific device access rules defined.
+**Options**:
+* Specify device access rules in the format: ` ` where `` can be `r` (read), `w` (write), or `m` (mknod, allowing creation of devices).
+
+[Back to Top ⏫](./systemd-service-config.md#systemd-service-hardening)
+---
+
+
+## 5. Kernel
+
+
+### 5.1. ProtectKernelTunables
+
+[ProtectKernelTunables](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelTunables=) controls whether the service is allowed to modify tunable kernel variables in `/proc/sys`, enhancing security by restricting access to critical kernel parameters.
+
+**Type**: *Boolean.*
+**Default**: `true`. If not specified, the service is restricted from modifying kernel variables.
+**Options**:
+* **`true`**: Restricts the service from modifying the kernel variables accessible through paths like `/proc/sys/`, `/sys/`, `/proc/sysrq-trigger`, `/proc/latency_stats`, `/proc/acpi`, `/proc/timer_stats`, `/proc/fs`, and `/proc/irq`. These paths are made read-only to all processes of the unit.
+* **`false`**: Allows the service to modify tunable kernel variables.
+
+
+### 5.2. ProtectKernelModules
+
+[ProtectKernelModules](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelModules=) controls whether the service is allowed to load or unload kernel modules, enhancing security by restricting module management capabilities.
+
+**Type**: *Boolean.*
+**Default**: `true`. If not specified, the service is restricted from loading or unloading kernel modules.
+**Options**:
+* **`true`**: Restricts the service from loading or unloading kernel modules. It removes `CAP_SYS_MODULE` from the capability bounding set for the unit and installs a system call filter to block module system calls. `/usr/lib/modules` is also made inaccessible.
+* **`false`**: Allows the service to load or unload kernel modules in a modular kernel.
+
+
+### 5.3. ProtectKernelLogs
+
+[ProtectKernelLogs](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelLogs=) controls whether the service is allowed to access kernel log messages, enhancing security by restricting access to kernel logs.
+
+**Type**: *Boolean.*
+**Default**: `false`. If not specified, the service is allowed to access kernel logs.
+**Options**:
+* **`trues`**: Restricts the service from accessing kernel logs from `/proc/kmsg` and `/dev/kmsg`. Enabling this option removes `CAP_SYSLOG` from the capability bounding set for the unit and installs a system call filter to block the syslog(2) system call.
+* **`no`**: Allows the service to access kernel logs.
+
+[Back to Top ⏫](./systemd-service-config.md#systemd-service-hardening)
+---
+
+
+## 6. Misc
+
+### 6.1. Delegate
+
+[Delegate](https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#Delegate=) controls whether systemd should delegate further control of resource management to the service's own resource management settings.
+
+**Type**: *Boolean.*
+**Default**: `true`. If not specified, systemd delegates control to the service's resource management settings.
+**Options**:
+* **`true`**: Enables delegation and activates all supported controllers for the unit, allowing its processes to manage them.
+* **`false`**: Disables delegation entirely. Systemd retains control over resource management, potentially overriding the service's settings.
+
+
+### 6.2. KeyringMode
+
+[KeyringMode](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#KeyringMode=) specifies the handling mode for session keyrings by the service, controlling how it manages encryption keys and credentials.
+
+**Type**: *String.*
+**Default**: `private`. If not specified, the service manages its session keyrings privately.
+**Options**:
+* **`private`**: The service manages its session keyrings privately.
+* **`shared`**: The service shares its session keyrings with other services and processes.
+* **`inherit`**: The service inherits session keyrings from its parent process or environment.
+
+
+### 6.3. NoNewPrivileges
+
+[NoNewPrivileges](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#NoNewPrivileges=) controls whether the service and its children processes are allowed to gain new privileges (capabilities).
+
+**Type**: *Boolean.*
+**Default**: `false`. If not specified, the service and its children's processes can gain new privileges.
+**Options**:
+- **`true`**: Prevents the service and its children processes from gaining new privileges.
+- **`false`**: Allows the service and its children processes to gain new privileges.
+
+> [!IMPORTANT]
+> Some configurations may override this setting and ignore its value.
+
+### 6.4. UMask
+
+[UMask](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#UMask=)
+ sets the file mode creation mask (umask) for the service, controlling the default permissions applied to newly created files and directories.
+
+**Type**: *Octal numeric value.*
+**Default**: If not specified, inherits the default umask of the systemd service manager(0022).
+**Example**: `UMask=027`.
+
+
+### 6.5. ProtectHostname
+
+[ProtectHostname](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHostname=) controls whether the service can modify its own hostname.
+
+**Type**: *Boolean.*
+**Default**: `false`.
+**Options**:
+* **`true`**: Sets up a new UTS namespace for the executed processes. It prevents changes to the hostname or domainname.
+* **`false`**: Allows the service to modify its own hostname.
+
+
+### 6.6. ProtectClock
+
+[ProtectClock](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectClock=) controls whether the service is allowed to manipulate the system clock.
+
+**Type**: *Boolean.*
+**Default**: `false`.
+**Options**:
+* **`true`**: Prevents the service from manipulating the system clock. It removes `CAP_SYS_TIME` and `CAP_WAKE_ALARM` from the capability bounding set for this unit. Also creates a system call filter to block calls that can manipulate the system clock.
+* **`false`**: Allows the service to manipulate the system clock.
+
+
+### 6.7. ProtectControlGroups
+
+[ProtectControlGroups](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectControlGroups=) controls whether the service is allowed to modify control groups (cgroups) settings.
+
+**Type**: *Boolean.*
+**Default**: `false`.
+**Options**:
+* **`true`**: Prevents the service from modifying cgroups settings. Makes the Linux Control Groups (cgroups(7)) hierarchies accessible through `/sys/fs/cgroup/` read-only to all processes of the unit.
+* **`false`**: Allows the service to modify cgroups settings.
+
+
+### 6.8. RestrictNamespaces
+
+[RestrictNamespaces](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=) controls the namespace isolation settings for the service, restricting or allowing namespace access.
+
+**Type**: *Boolean* or *space-separated list of namespace type identifiers*.
+**Default**: `false`.
+**Options**:
+* `false`: No restrictions on namespace creation and switching are imposed.
+* `true`: Prohibits access to any kind of namespacing.
+* Otherwise: Specifies a space-separated list of namespace type identifiers, which can include `cgroup`, `ipc`, `net`, `mnt`, `pid`, `user`, and `uts`. When the namespace identifier is prefixed with '~', it inverts the action.
+
+
+### 6.9. LockPersonality
+
+[LockPersonality](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LockPersonality=) applies restriction on the service's ability to change its execution personality.
+
+**Type**: *Boolean.*
+**Default**: `false`.
+**Options**:
+* **`true`**: Prevents the service from changing its execution personality. If the service runs in user mode or in system mode without the `CAP_SYS_ADMIN` capability (e.g., setting `User=`), enabling this option implies `NoNewPrivileges=yes`.
+* **`false`**: Allows the service to change its execution personality.
+
+
+### 6.10. MemoryDenyWriteExecute
+
+[MemoryDenyWriteExecute](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#MemoryDenyWriteExecute=) controls whether the service is allowed to execute code from writable memory pages.
+
+**Type**: *Boolean.*
+**Default**: `false`.
+**Options**:
+* **`true`**: Prohibits attempts to create memory mappings that are writable and executable simultaneously, change existing memory mappings to become executable, or map shared memory segments as executable. This restriction is implemented by adding an appropriate system call filter.
+* **`false`**: Allows the service to execute code from writable memory pages.
+
+
+### 6.11. RestrictRealtime
+
+[RestrictRealtime](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictRealtime=) controls whether the service is allowed to utilize real-time scheduling policies.
+
+**Type**: *Boolean.*
+**Default**: `false`.
+**Options**:
+* **`true`**: Prevents the service from utilizing real-time scheduling policies. Refuses any attempts to enable realtime scheduling in processes of the unit. This restriction prevents access to realtime task scheduling policies such as `SCHED_FIFO`, `SCHED_RR`, or `SCHED_DEADLINE`.
+* **`false`**: Allows the service to utilize real-time scheduling policies.
+
+
+### 6.12. RestrictSUIDSGID
+
+[RestrictSUIDSGID](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictSUIDSGID=) controls whether the service is allowed to execute processes with SUID and SGID privileges.
+
+**Type**: *Boolean.*
+**Default**: `false`.
+**Options**:
+* **`true`**: Prevents the service from executing processes with SUID and SGID privileges. Denies any attempts to set the set-user-ID (SUID) or set-group-ID (SGID) bits on files or directories. These bits are used to elevate privileges and allow users to acquire the identity of other users.
+* **`false`**: Allows the service to execute processes with SUID and SGID privileges.
+
+
+### 6.13. RemoveIPC
+
+[RemoveIPC](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RemoveIPC=) controls whether to remove inter-process communication (IPC) resources associated with the service upon its termination.
+
+**Type**: *Boolean.*
+**Default**: `false`.
+**Options**:
+* **`true`**: Removes IPC resources (**System V** and **POSIX IPC** objects) associated with the service upon its termination. This includes IPC objects such as message queues, semaphore sets, and shared memory segments.
+* **`false`**: Retains IPC resources associated with the service after its termination.
+
+
+### 6.14. SystemCallArchitectures
+
+[SystemCallArchitectures](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallArchitectures=) specifies the allowed system call architectures for the service to include in system call filter.
+
+**Type**: *Space-separated list of architecture identifiers.*
+**Default**: Empty list. No filtering is applied.
+**Options**:
+* *List of architectures*: Processes of this unit will only be allowed to call native system calls and system calls specific to the architectures specified in the list. e.g. `native`, `x86`, `x86-64` or `arm64` etc.
+
+
+### 6.15. NotifyAccess
+
+[NotifyAccess](https://www.freedesktop.org/software/systemd/man/latest/systemd.service.html#NotifyAccess=) specifies how the service can send service readiness notification signals.
+
+**Type**: *Access specifier string.*
+**Default**: `none`.
+**Options**:
+* `none` (default): No daemon status updates are accepted from the service processes; all status update messages are ignored.
+* `main`: Allows sending signals using the main process identifier (PID).
+* `exec`: Only service updates sent from any main or control processes originating from one of the `Exec*=` commands are accepted.
+* `all`: Allows sending signals using any process identifier (PID).
+
+[Back to Top ⏫](./systemd-service-config.md#systemd-service-hardening)
+---
+
+
+## 7. Capabilities
+
+
+### 7.1. AmbientCapabilities
+
+[AmbientCapabilities](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#AmbientCapabilities=) specifies which capabilities to include in the ambient capability set for the service, which are inherited by all processes within the service.
+
+**Type**: *Space-separated list of capabilities.*
+**Default**: Processes inherit ambient capabilities from their parent process or the systemd service manager unless explicitly set.
+**Options**:
+* *List of capabilities*: Specifies the capabilities that are set as ambient for all processes within the service.
+
+This option can be specified multiple times to merge capability sets:
+* If capabilities are listed without a prefix, those capabilities are included in the ambient capability set.
+* If capabilities are prefixed with "~", all capabilities except those listed are included (inverted effect).
+* Assigning the empty string (`""`) resets the ambient capability set to empty, overriding all prior settings.
+
+
+### 7.2. CapabilityBoundingSet
+
+[CapabilityBoundingSet](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=) specifies the bounding set of capabilities for the service, limiting the capabilities available to processes within the service.
+
+**Type**: *Space-separated list of capabilities.*
+**Default**: If not explicitly specified, the bounding set of capabilities is determined by systemd defaults or the system configuration.
+**Options**:
+* *List of capabilities*: Specifies the capabilities that are allowed for processes within the service. If capabilities are prefixed with "~", all capabilities except those listed are included (inverted effect).
+
+
+**Capability** | **Description**
+--- | --
+**CAP_AUDIT_CONTROL** | Allows processes to control kernel auditing behavior, including enabling and disabling auditing, and changing audit rules.
+**CAP_AUDIT_READ** | Allows processes to read audit log via unicast netlink socket.
+**CAP_AUDIT_WRITE** | Allows processes to write records to kernel auditing log.
+**CAP_BLOCK_SUSPEND** | Allows processes to prevent the system from entering suspend mode.
+**CAP_CHOWN** | Allows processes to change the ownership of files.
+**CAP_DAC_OVERRIDE** | Allows processes to bypass file read, write, and execute permission checks.
+**CAP_DAC_READ_SEARCH** | Allows processes to bypass file read permission checks and directory read and execute permission checks.
+**CAP_FOWNER** | Allows processes to bypass permission checks on operations that normally require the filesystem UID of the file to match the calling process's UID.
+**CAP_FSETID** | Allows processes to set arbitrary process and file capabilities.
+**CAP_IPC_LOCK** | Allows processes to lock memory segments into RAM.
+**CAP_IPC_OWNER** | Allows processes to perform various System V IPC operations, such as message queue management and shared memory management.
+**CAP_KILL** | Allows processes to send signals to arbitrary processes.
+**CAP_LEASE** | Allows processes to establish leases on open files.
+**CAP_LINUX_IMMUTABLE** | Allows processes to modify the immutable and append-only flags of files.
+**CAP_MAC_ADMIN** | Allows processes to perform MAC configuration changes.
+**CAP_MAC_OVERRIDE** | Bypasses Mandatory Access Control (MAC) policies.
+**CAP_MKNOD** | Allows processes to create special files using mknod().
+**CAP_NET_ADMIN** | Allows processes to perform network administration tasks, such as configuring network interfaces, setting routing tables, etc.
+**CAP_NET_BIND_SERVICE** | Allows processes to bind to privileged ports (ports below 1024).
+**CAP_NET_BROADCAST** | Allows processes to transmit packets to broadcast addresses.
+**CAP_NET_RAW** | Allows processes to use raw and packet sockets.
+**CAP_SETGID** | Allows processes to change their GID to any value.
+**CAP_SETFCAP** | Allows processes to set any file capabilities.
+**CAP_SETPCAP** | Allows processes to set the capabilities of other processes.
+**CAP_SETUID** | Allows processes to change their UID to any value.
+**CAP_SYS_ADMIN** | Allows processes to perform a range of system administration tasks, such as mounting filesystems, configuring network interfaces, loading kernel modules, etc.
+**CAP_SYS_BOOT** | Allows processes to reboot or shut down the system.
+**CAP_SYS_CHROOT** | Allows processes to use chroot().
+**CAP_SYS_MODULE** | Allows processes to load and unload kernel modules.
+**CAP_SYS_NICE** | Allows processes to increase their scheduling priority.
+**CAP_SYS_PACCT** | Allows processes to configure process accounting.
+**CAP_SYS_PTRACE** | Allows processes to trace arbitrary processes using ptrace().
+**CAP_SYS_RAWIO** | Allows processes to perform I/O operations directly to hardware devices.
+**CAP_SYS_RESOURCE** | Allows processes to override resource limits.
+**CAP_SYS_TIME** | Allows processes to set system time and timers.
+**CAP_SYS_TTY_CONFIG** | Allows processes to configure tty devices.
+**CAP_WAKE_ALARM** | Allows processes to use the RTC wakeup alarm.
+
+[Back to Top ⏫](./systemd-service-config.md#systemd-service-hardening)
+---
+
+
+## 8. System Calls
+
+
+### 8.1.
SystemCallFilter
+
+[SystemCallFilter](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=) specifies a system call filter for the service, restricting the types of system calls that processes within the service can make.
+
+**Type**: *Space-separated list of system calls.*
+**Default**: If not explicitly specified, there are no restrictions imposed by systemd on system calls.
+**Options**:
+* *List of system calls*: Specifies the allowed system calls for processes within the service. If the list begins with "~", the effect is inverted, meaning only the listed system calls will result in termination.
+
+> [!TIP]
+> Predefined sets of system calls are available, starting with "@" followed by the name of the set.
+
+
+**Filter Set** | **Description**
+--- | ---
+**@clock** | Allows clock and timer-related system calls, such as clock_gettime, nanosleep, etc. This is essential for time-related operations.
+**@cpu-emulation** | Allows CPU emulation-related system calls, typically used by virtualization software.
+**@debug** | Allows debug-related system calls, which are often used for debugging purposes and may not be necessary for regular operations.
+**@keyring** | Allows keyring-related system calls, which are used for managing security-related keys and keyrings.
+**@module** | Allows module-related system calls, which are used for loading and unloading kernel modules. This can be restricted to prevent module loading for security purposes.
+**@mount** | Allows mount-related system calls, which are essential for mounting and unmounting filesystems.
+**@network** | Allows network-related system calls, which are crucial for networking operations such as socket creation, packet transmission, etc.
+**@obsolete** | Allows obsolete system calls, which are no longer in common use and are often deprecated.
+**@privileged** | Allows privileged system calls, which typically require elevated privileges or are potentially risky if misused.
+**@raw-io** | Allows raw I/O-related system calls, which provide direct access to hardware devices. This can be restricted to prevent unauthorized access to hardware.
+**@reboot** | Allows reboot-related system calls, which are necessary for initiating system reboots or shutdowns.
+**@swap** | Allows swap-related system calls, which are used for managing swap space.
+**@syslog** | Allows syslog-related system calls, which are used for system logging.
+**@system-service** | Allows system service-related system calls, which are used for managing system services.
+**@timer** | Allows timer-related system calls, which are essential for setting and managing timers.
+
+
+[Back to Top ⏫](./systemd-service-config.md#systemd-service-hardening)
+---
\ No newline at end of file
diff --git a/docs/src/release_notes/ghaf-23.05.md b/docs/src/release_notes/ghaf-23.05.md
index a2480a55e..f0b66e0da 100644
--- a/docs/src/release_notes/ghaf-23.05.md
+++ b/docs/src/release_notes/ghaf-23.05.md
@@ -30,6 +30,7 @@ This is the first release of Ghaf including support for:
 * Element, a Matrix-based chat client (on the host)
 * the Google Android look-alike (GALA) application
+> [!WARNING]
 > Ghaf Framework is under active development, some of the features may not be stable.
diff --git a/docs/src/release_notes/ghaf-23.06.md b/docs/src/release_notes/ghaf-23.06.md
index fb6b3f8a7..9cb916870 100644
--- a/docs/src/release_notes/ghaf-23.06.md
+++ b/docs/src/release_notes/ghaf-23.06.md
@@ -27,7 +27,7 @@ The following target hardware is supported by this release:
 * the development status: .
 * SLSA v1.0 level provenance file included.
 * Ghaf version information (query).
-* NixOS is updated to 23.05: [NixOS 23.05 released!](https://discourse.nixos.org/t/nixos-23-05-released/28649)
+* NixOS is updated to NixOS 23.05: [NixOS 23.05 released!](https://discourse.nixos.org/t/nixos-23-05-released/28649)
 ## Bug Fixes
diff --git a/docs/src/release_notes/ghaf-23.09.md b/docs/src/release_notes/ghaf-23.09.md
index 96fd18414..91edadf68 100644
--- a/docs/src/release_notes/ghaf-23.09.md
+++ b/docs/src/release_notes/ghaf-23.09.md
@@ -31,8 +31,8 @@ The following target hardware is supported by this release:
 * Modularization of the Ghaf framework: [Ghaf as Library: Templates](../ref_impl/ghaf-based-project.md).
 * NVIDIA Jetson Orin NX Ethernet passthrough.
 * Lenovo X1 Carbon Gen 11:
- * Graphics passthrough to GUIVM.
- * Launching Application VMs through GUIVM (Chromium, Gala, and Zathura).
+ * Graphics passthrough to GUI VM.
+ * Launching Application VMs through GUI VM (Chromium, Gala, and Zathura).
 * Paravirtualized audio.
 * Webcam passthrough.
 * Touchpad passthrough.
@@ -52,7 +52,7 @@ Fixed bugs that were in the ghaf-23.06 release:
 | Issue | Status | Comments |
 |-----------------|-------------|--------------------------------------|
-| Chromium AppVM does not boot up on X1 | In Progress | Intermittent timing issue, under investigation. |
+| Chromium App VM does not boot up on X1 | In Progress | Intermittent timing issue, under investigation. |
 | The GALA app does not work | In Progress | Will be fixed in the next release. |
 | Shutdown or reboot of Lenovo X1 takes a lot of time (7 minutes) | In Progress | Advice: be patient or, if in hurry, press power key for 15 sec. |
 | Copy and paste text from or to Chromium AppVM does not work | In Progress | |
diff --git a/docs/src/release_notes/ghaf-23.12.md b/docs/src/release_notes/ghaf-23.12.md
index 46b375e3b..8cfdce420 100644
--- a/docs/src/release_notes/ghaf-23.12.md
+++ b/docs/src/release_notes/ghaf-23.12.md
@@ -29,7 +29,7 @@ The following target hardware is supported by this release: * CLI-based installer. * Lenovo X1 Carbon Gen 11: * Configurable PCI and USB devices passthrough. - * Network Manager: support from GUIVM to NETVM. + * Network Manager: support from GUI VM to Net VM. * Windows VM support. * Added Ghaf icons and the background image. * Secure Boot is disabled by default. @@ -66,7 +66,7 @@ Fixed bugs that were in the ghaf-23.09 release: | Time synchronization between host and VMs does not work in all scenarios | In Progress | Under investigation. | | The taskbar disappears after the external display is disconnected from Lenovo X1 | In Progress | Under investigation. | | Closing and re-opening a deck lid of a X1 laptop with running Ghaf causes instability | In Progress | Workaround: keep a deck lid of a laptop open while working with Ghaf. | -| Applications do not open from icons when netvm is restarted | In Progress | Workaround: Restart AppVMs. | +| Applications do not open from icons when net-vm is restarted | In Progress | Workaround: Restart App VMs. | ## Environment Requirements diff --git a/docs/src/release_notes/ghaf-24.03.md b/docs/src/release_notes/ghaf-24.03.md index 6438ac613..fb597a3fc 100644 --- a/docs/src/release_notes/ghaf-24.03.md +++ b/docs/src/release_notes/ghaf-24.03.md @@ -6,9 +6,9 @@ # Release ghaf-24.03 -## Release Branch +## Release Tag - + ## Supported Hardware 
@@ -58,9 +58,9 @@ Fixed bugs that were in the ghaf-23.12 release: | Cannot log in to the Element chat with a Google account | In Progress | Workaround for x86: create a user specifically for Element. | | Windows launcher application does not work on AGX | In Progress | Workaround: launch a Windows VM from the command line. | | Time synchronization between host and VMs does not work in all scenarios | In Progress | Under investigation. | -| Closing and re-opening a deck lid of a X1 laptop with running Ghaf causes instability | In Progress | Workaround: keep a deck lid of a laptop open while working with Ghaf. | +| Closing and reopening a deck lid of a Lenovo ThinkPad X1 laptop with Ghaf running causes instability | In Progress | Workaround: keep a deck lid of a laptop open while working with Ghaf. | | Applications do not open from icons when netvm is restarted | In Progress | Workaround: restart AppVMs. | -| Cannot connect to a hidden Wi-Fi network from GUI | In Progress | Workaround: connect with SSH to netvm and run the command `nmcli dev wifi connect SSID password PASSWORD hidden yes`. | +| Cannot connect to a hidden Wi-Fi network from GUI | In Progress | Workaround: connect with SSH to a netvm and run the command: `nmcli dev wifi connect SSID password PASSWORD hidden yes`. | ## Environment Requirements 
@@ -79,7 +79,7 @@ Download the required image and use the following instructions: | ghaf-24.03_Generic_x86.tar.xz | [Running Ghaf Image for x86 Computer](../ref_impl/build_and_run.md#running-ghaf-image-for-x86-computer) | | ghaf-24.03_Lenovo_X1_Carbon_Gen11.tar.xz | [Running Ghaf Image for Lenovo X1](../ref_impl/build_and_run.md#running-ghaf-image-for-lenovo-x1) | | ghaf-24.03_Nvidia_Orin_AGX_cross-compiled-no-demoapps.tar.xz[^note], ghaf-24.03_Nvidia_Orin_AGX_cross-compiled.tar.xz, ghaf-24.03_Nvidia_Orin_AGX_native-build.tar.xz | [Ghaf Image for NVIDIA Jetson Orin AGX](../ref_impl/build_and_run.md#ghaf-image-for-nvidia-jetson-orin-agx) | -| ghaf-24.03_Nvidia_Orin_NX_cross-compiled-no-demoapps[^note].tar.xz, ghaf-24.03_Nvidia_Orin_NX_cross-compiled.tar.xz, ghaf-24.03_Nvidia_Orin_NX_native-build.tar.xz | [Ghaf Image for NVIDIA Jetson Orin AGX](../ref_impl/build_and_run.md#ghaf-image-for-nvidia-jetson-orin-agx) | +| ghaf-24.03_Nvidia_Orin_NX_cross-compiled-no-demoapps[^note1].tar.xz, ghaf-24.03_Nvidia_Orin_NX_cross-compiled.tar.xz, ghaf-24.03_Nvidia_Orin_NX_native-build.tar.xz | [Ghaf Image for NVIDIA Jetson Orin AGX](../ref_impl/build_and_run.md#ghaf-image-for-nvidia-jetson-orin-agx) | | ghaf-24.03_PolarFire_RISC-V.tar.xz | [Building Ghaf Image for Microchip Icicle Kit](../ref_impl/build_and_run.md#building-ghaf-image-for-microchip-icicle-kit) | -[^note] no-demoapps images do not include Chromium, Zathura, and GALA applications. \ No newline at end of file +[^note1] no-demoapps images do not include Chromium, Zathura, and GALA applications. \ No newline at end of file diff --git a/docs/src/release_notes/ghaf-24.06.md b/docs/src/release_notes/ghaf-24.06.md new file mode 100644 index 000000000..059c839cf --- /dev/null +++ b/docs/src/release_notes/ghaf-24.06.md 
@@ -0,0 +1,93 @@
+
+
+# Release ghaf-24.06
+
+
+## Release Tag
+
+
+
+
+## Supported Hardware
+
+The following target hardware is supported by this release:
+
+* NVIDIA Jetson AGX Orin
+* NVIDIA Jetson Orin NX
+* Generic x86 (PC)
+* Polarfire Icicle Kit
+* Lenovo ThinkPad X1 Carbon Gen 11
+* Lenovo ThinkPad X1 Carbon Gen 10
+* NXP i.MX 8M Plus
+
+
+## What is New in ghaf-24.06
+
+* Added support for NXP i.MX 8M Plus.
+* NixOS is updated to [NixOS 24.05](https://nixos.org/blog/announcements/2024/nixos-2405/) further to nixos-unstable.
+* labwc is used as a default compositor on all platforms. Weston is no longer supported.
+* Static networking with external DNS server support only. Internal DHCP and DNS are removed.
+ * This affects all new guest VM networking.
+ * Windows VM must be configured with static IP and DNS.
+* Lenovo X1 Carbon Gen 10/11:
+ * Image compression uses the [Zstandard (zstd)](https://github.com/facebook/zstd) algorithm.
+ * Initial vTPM implementation for Application VMs is added.
+ * Audio VM with [PipeWire](https://gitlab.freedesktop.org/pipewire/pipewire) backend and [PulseAudio](https://www.freedesktop.org/wiki/Software/PulseAudio/) TCP remote communications layer.
+ * Multimedia function key passthrough.
+ * Initial implementation of [IDS VM](../architecture/adr/idsvm.md) as a defensive network mechanism.
+ * Support for [Element](https://element.io/) chat application.
+ * GPS location sharing through the Element application.
+ * [AppFlowy](https://github.com/AppFlowy-IO/AppFlowy) uses the [Flutter](https://github.com/flutter) application framework.
+* NVIDIA Jetson Orin NX:
+ * UARTI passthrough.
+ * The Jetpack baseline software updates and fixes.
+* Further refactoring and modularization of Ghaf Framework.
+* Development, testing, and performance tooling improvements.
+
+
+## Bug Fixes
+
+Fixed bugs that were in the ghaf-24.03 release:
+
+* Icons do not launch applications when a netvm is restarted.
+* Closing and reopening a deck lid of a Lenovo ThinkPad X1 laptop with Ghaf running causes instability.
+
+
+## Known Issues and Limitations
+
+| Issue | Status | Comments |
+|-----------------|-------------|--------------------------------------|
+| Cannot log in to the Element chat with a Google account | In Progress | Workaround for x86: create a user specifically for Element. |
+| Windows launcher application does not work on AGX | In Progress | Workaround: launch a Windows VM from the command line. |
+| Time synchronization between host and VMs does not work in all scenarios | In Progress | Under investigation. |
+| Applications do not open from icons when netvm is restarted | In Progress | Workaround: restart AppVMs. |
+| Cannot connect to a hidden Wi-Fi network from GUI | In Progress | Workaround: connect with SSH to a netvm and run the command: `nmcli dev wifi connect SSID password PASSWORD hidden yes`. |
+| NVIDIA Jetson AGX Orin and NVIDIA Jetson Orin NX: cannot make voice calls using the Element application | In Progress | Under investigation. |
+| The Element application cannot find a camera | In Progress | Under investigation. |
+
+
+## Environment Requirements
+
+There are no specific requirements for the environment with this release.
+
+
+## Installation Instructions
+
+Released images are available at [vedenemo.dev/files/releases/ghaf_24.06/](https://vedenemo.dev/files/releases/ghaf_24.06/).
+ +Download the required image and use the following instructions: + +| Release Image | Build and Run | +|-------------------------|--------------------| +| ghaf-24.06_Generic_x86.tar.xz | [Running Ghaf Image for x86 Computer](../ref_impl/build_and_run.md#running-ghaf-image-for-x86-computer) | +| ghaf-24.06_Lenovo_X1_Carbon_Gen11.tar.xz | [Running Ghaf Image for Lenovo X1](../ref_impl/build_and_run.md#running-ghaf-image-for-lenovo-x1) | +| ghaf-24.06_Nvidia_Orin_AGX_cross-compiled.tar.xz, ghaf-24.06_Nvidia_Orin_AGX_native-build.tar.xz, ghaf-24.06_Nvidia_Orin_NX_cross-compiled.tar.xz, ghaf-24.06_Nvidia_Orin_NX_native-build.tar.xz | [Ghaf Image for NVIDIA Jetson Orin AGX](../ref_impl/build_and_run.md#ghaf-image-for-nvidia-jetson-orin-agx) | +| ghaf-24.06_PolarFire_RISC-V.tar.xz | [Building Ghaf Image for Microchip Icicle Kit](../ref_impl/build_and_run.md#building-ghaf-image-for-microchip-icicle-kit) | + + + diff --git a/docs/src/release_notes/release_notes.md b/docs/src/release_notes/release_notes.md index bd273a255..0d400d658 100644 --- a/docs/src/release_notes/release_notes.md +++ b/docs/src/release_notes/release_notes.md @@ -12,6 +12,7 @@ Release numbering scheme: *ghaf-yy.mm*. ## In This Chapter +- [Release ghaf-24.06](../release_notes/ghaf-24.06.md) - [Release ghaf-24.03](../release_notes/ghaf-24.03.md) - [Release ghaf-23.12](../release_notes/ghaf-23.12.md) - [Release ghaf-23.09](../release_notes/ghaf-23.09.md) diff --git a/docs/src/scenarios/run_cuttlefish.md b/docs/src/scenarios/run_cuttlefish.md index f69ddc73f..2d48aebf6 100644 --- a/docs/src/scenarios/run_cuttlefish.md +++ b/docs/src/scenarios/run_cuttlefish.md 
@@ -17,6 +17,7 @@ You can run Android as a VM on Ghaf for testing and development purposes using N * For NVIDIA Jetson Orin AGX (ARM64): [cvd-host_package.tar.gz](https://ci.android.com/builds/submitted/9970479/aosp_cf_arm64_phone-userdebug/latest/cvd-host_package.tar.gz) and [aosp_cf_arm64_phone-img-9970479.zip](https://ci.android.com/builds/submitted/9970479/aosp_cf_arm64_phone-userdebug/latest/aosp_cf_arm64_phone-img-9970479.zip) * For Generic x86: [cvd-host_package.tar.gz](https://ci.android.com/builds/submitted/9970479/aosp_cf_x86_64_phone-userdebug/latest/cvd-host_package.tar.gz) and [aosp_cf_x86_64_phone-img-9970479.zip](https://ci.android.com/builds/submitted/9970479/aosp_cf_x86_64_phone-userdebug/latest/aosp_cf_x86_64_phone-img-9970479.zip) + > [!NOTE] > Download a host package from the same build as the image. 2. Make sure Internet connection is working in Ghaf. If the system gets an IP address but the DNS server is not responding, set the correct date and time. diff --git a/docs/src/scenarios/run_win_vm.md b/docs/src/scenarios/run_win_vm.md index 9ffe3a643..c1909f2f0 100644 --- a/docs/src/scenarios/run_win_vm.md +++ b/docs/src/scenarios/run_win_vm.md @@ -22,7 +22,8 @@ You can run Windows 11 in a VM on Ghaf with NVIDIA Jetson Orin AGX (ARM64) or Ge sudo mkdir /mnt sudo mount /dev/sda /mnt ``` - > **WARNING:** [For NVIDIA Jetson Orin AGX] Make sure to use a fresh VHDX image file that was not booted in another environment before. + > [!WARNING] + > [For NVIDIA Jetson Orin AGX] Make sure to use a fresh VHDX image file that was not booted in another environment before. ## Running Windows 11 in VM 
@@ -38,7 +39,8 @@ You can run Windows 11 in a VM on Ghaf with NVIDIA Jetson Orin AGX (ARM64) or Ge 2. Windows 11 requires Internet access to finish the setup. To boot the VM without an Internet connection, open cmd with Shift+F10 and type `OOBE\BYPASSNRO`. After the configuration restart click “I don’t have internet“ to skip the Internet connection step and continue the installation. - > TIP: If after pressing Shift+F10 the command window is not displayed, try to switch between opened windows by using Alt+Tab. + > [!TIP] + > If after pressing Shift+F10 the command window is not displayed, try to switch between opened windows by using Alt+Tab. #### Running Windows 11 in VM on Generic x86 Device @@ -63,7 +65,8 @@ Do the following: * Name: `BypassTPMCheck`, value `1`. * Name: `BypassSecureBootCheck`, value `1`. - > TIP: [For Ghaf running on a laptop] If after pressing Shift+F10 the command window is not displayed, try again with the Fn key (Shift+Fn+F10) or switch between opened windows by using Alt+Tab. + > [!TIP] + > [For Ghaf running on a laptop] If after pressing Shift+F10 the command window is not displayed, try again with the Fn key (Shift+Fn+F10) or switch between opened windows by using Alt+Tab. 4. Install Windows 11 in the VM. 5. Windows 11 requires Internet access to finish the setup. To boot the VM without an Internet connection, open cmd with Shift+F10 and type `OOBE\BYPASSNRO`. After the configuration restart click “I don’t have internet“ to skip the Internet connection step and continue the installation. diff --git a/docs/src/scs/ci-cd-system.md b/docs/src/scs/ci-cd-system.md index 72a52d3b2..75e427bfb 100644 --- a/docs/src/scs/ci-cd-system.md +++ b/docs/src/scs/ci-cd-system.md 
@@ -9,6 +9,7 @@ Ghaf Framework uses a CI/CD (Continuous Integration and Continuous Delivery) app Our goal is to have the ability to deploy code quickly and safely: once a build is deployed, the next build undergoes testing, while the latest build is being coded. +> [!IMPORTANT] > Currently, Continuous Deployment is not set up. diff --git a/docs/src/scs/pki.md b/docs/src/scs/pki.md index a04659cba..82023175c 100644 --- a/docs/src/scs/pki.md +++ b/docs/src/scs/pki.md @@ -44,7 +44,8 @@ The following HSM solutions are considered for the Ghaf project: The following table provides feature comparison of the proposed solutions: ->Since the feature list is quite extensive, the table is limited to the features that are either planned to be used in Ghaf or might benefit the project in the future. +> [!IMPORTANT] +> Since the feature list is quite extensive, the table is limited to the features that are either planned to be used in Ghaf or might benefit the project in the future. | Feature | YubiHSM 2 | NitrokeyHSM2 | SoftHSMv2 | BreadboardHSM | |------------------------------|--------------|--------------|--------------|---------------| diff --git a/docs/src/technologies/hypervisor_options.md b/docs/src/technologies/hypervisor_options.md index 985e37025..3d83076ec 100644 --- a/docs/src/technologies/hypervisor_options.md +++ b/docs/src/technologies/hypervisor_options.md 
@@ -91,7 +91,12 @@ microvm.qemu.extraArgs = [ "--option 1 --option 2" ]; microvm may not supply parameters for all possible options as adding specific devices. Processing of all microvm configuration options is done in the mentioned above hypervisor’s runner .nix file. -The runners support the ``extraArgs`` parameter. It allows setting any option in QEMU command line invocation. Its value is a list of strings. In this example the following ``extraArgs`` definition: +The runners support the ``extraArgs`` parameter. It allows setting any option in QEMU command line invocation. Its value is a list of strings. + +> [!IMPORTANT] +> Support for the crosvm’s ``extraArgs`` parameter was added on April 7, 2023. Make sure to verify that your ``flakes.lock`` file refers to the proper version. + +In this example the following ``extraArgs`` definition: ``` microvm.qemu.extraArgs = [ @@ -106,5 +111,3 @@ results in the generated command line parameters: '-object memory-backend-file,id=mem1,mem-path=/dev/shm/virtio_pmem.img' '-device v irtio-pmem-pci,memdev=mem1,id=nv1' ``` - -> Support for the crosvm’s ``extraArgs`` parameter was added on April 7, 2023. Make sure to verify that your ``flakes.lock`` file refers to the proper version. diff --git a/docs/src/technologies/nvidia_agx_pt_pcie.md b/docs/src/technologies/nvidia_agx_pt_pcie.md index fbc7b3f5a..7c0731a3f 100644 --- a/docs/src/technologies/nvidia_agx_pt_pcie.md +++ b/docs/src/technologies/nvidia_agx_pt_pcie.md 
@@ -16,7 +16,7 @@ There are two (or actually three) PCIe slots in the Jetson AGX Orin board: * The other slot is a [smaller M.2 slot](#pcie-m2-slot) that is located at the bottom of the board. By default, the slot is in use of the included Wi-Fi and Bluetooth module. * The third slot is actually an [NVMe slot](#pcie-m2-nvme-2247-for-ssd) which can be used to add an NVMe SSD to the board. -> For more information on the board's connections details, see the [Hardware Layout](https://developer.nvidia.com/embedded/learn/jetson-agx-orin-devkit-user-guide/developer_kit_layout.html) section of the Jetson AGX Orin Developer Kit User Guide. +For more information on the board's connections details, see the [Hardware Layout](https://developer.nvidia.com/embedded/learn/jetson-agx-orin-devkit-user-guide/developer_kit_layout.html) section of the Jetson AGX Orin Developer Kit User Guide. When using one of the slots: 
@@ -28,11 +28,13 @@ When using one of the slots: The full-size PCIe connector is under the black plastic cover on one of the sides of the device. The cover is held in place with a fairly strong magnet. There is a small connector ribbon and a few delicate wires going from the board internals to a Wi-Fi antenna on the cover. -> **TIP:** Make sure to remove the cover carefully for not ripping the whole cover off along with the antenna cables. +> [!IMPORTANT] +> Make sure to remove the cover carefully for not ripping the whole cover off along with the antenna cables. The PCIe slot is simular to one inside a desktop computer. One key difference: the Jetson AGX Orin board has limited 12V power output capabilities and can only output a maximum of 40W power to its PCIe slot. Regular desktop PCIe slot can output 75W at 12V so some more power-hungry PCIe cards [^note1] may not work with the Jetson AGX Orin board. There may also be a risk of damaging the board if a card tries to pull too much power from the PCIe socket. -> **TIP:** We recommend to check carefully the power requirements of a device before turning the device on. +> [!IMPORTANT] +> We recommend to check carefully the power requirements of a device before turning the device on. A good rule of thumb might be if the device has a cooler to actively cool it down then some care should be taken before starting to use the card. Some trials have been done with GPU devices that use at maximum 30-34W power. The devices seem to work well in Jetson AGX Orin, but it is difficult to say how much power the card actually pulls from the slot at any given time. No real performance or stress tests have been done but under usual GUI and simple 3d application usage the cards (NVIDIA Quadro P1000 and NVIDIA Quadro T600) seem to work fine. 
@@ -114,6 +116,7 @@ You can also check the kernel logs to know which device belongs to which VFIO IO After binding a device to VFIO, you can access the device in a VM. To do so, use a command line argument (as in the example) for the PCI device to pass through to QEMU. +> [!NOTE] > It does not matter which VFIO node ID was assigned to the device earlier, as long as all the devices with the same VFIO node are passed through, and none of the devices in the same group is left behind. The QEMU command line argument for passthrough uses the PCIe device ID as identifier for the devices. Each diff --git a/docs/src/technologies/nvidia_agx_pt_uart.md b/docs/src/technologies/nvidia_agx_pt_uart.md index 6c7c30adb..459241248 100644 --- a/docs/src/technologies/nvidia_agx_pt_uart.md +++ b/docs/src/technologies/nvidia_agx_pt_uart.md @@ -31,11 +31,12 @@ The following table describes the UART units mapping and connections: | uarti: serial@31d0000 | UART5 | UART2 | USB Debug ttyACM1 | | uartj: serial@c270000 | Not mapped | | | -Notes: +In this table: * The first column shows how the UART units are defined in the UART device tree file *tegra234-soc-uart.dtsi* [^note1]. * The second and third columns show the CPU and SoC pin connections. Note that for UART2 and UART5 these are swapped. The pin mapping configuration is described in the file *tegra234-mb1-bct-pinmux-p3701-0000.dtsi* [^note2]. This device tree file is automatically generated by the macro Excel file *Jetson_AGX_Orin_Series_Pinmux_Config_Template_1.5.xlsm* which is available at the official Jetson Download Center as the *Jetson AGX Orin Series Pinmux*. * The last column describes where the UART units are connected to the exterior. +> [!NOTE] > Only two UART units are connected to the micro USB debug interface. The UART7 is not connected by default but it can be connected to the debug interface ttyACM1 by swapping the fuse resistors (see Debug MCU page 7 on P3737_A04_Concept_schematics.pdf [^note3]). 
@@ -110,7 +111,7 @@ Add the passthrough devices inside the platform node to this device tree: }; ``` -> In this example, the *uarti* node was added to the platform node. For this node the interrupt number was replaced to 0x70 and reg address to the one that was obtained from the QEMU monitor command: *info mtree -f*. +In this example, the *uarti* node was added to the platform node. For this node the interrupt number was replaced to 0x70 and the reg address to the one that was obtained from the QEMU monitor command: *info mtree -f*. ## Starting Guest VM diff --git a/docs/src/technologies/nvidia_virtualization_bpmp.md b/docs/src/technologies/nvidia_virtualization_bpmp.md index 235b1f313..bc8e537e8 100644 --- a/docs/src/technologies/nvidia_virtualization_bpmp.md +++ b/docs/src/technologies/nvidia_virtualization_bpmp.md @@ -28,14 +28,15 @@ The current implementation includes a host configuration for the UARTA passthrou 1. Enable NVIDIA BPMP virtualization on a Ghaf host for an NVIDIA Jetson-target using the following configuration options: -```nix - hardware.nvidia = { - virtualization.enable = true; - passthroughs.uarta.enable = true; -}; -``` + ```nix + hardware.nvidia = { + virtualization.enable = true; + passthroughs.uarta.enable = true; + }; + ``` -> **IMPORTANT:** These options are integrated to [NVIDIA Jetson Orin targets](https://github.com/tiiuae/ghaf/blob/main/targets/nvidia-jetson-orin/default.nix) but disabled by default until the implementation is finished. + > [!IMPORTANT] + > These options are integrated to [NVIDIA Jetson Orin targets](https://github.com/tiiuae/ghaf/blob/main/targets/nvidia-jetson-orin/default.nix) but disabled by default until the implementation is finished. 2. Build the target and boot the image. You can write the image to an SSD for testing with a recent NVIDIA UEFI FW. 
@@ -47,56 +48,58 @@ The current implementation includes a host configuration for the UARTA passthrou 1. Check the `bpmp-host` device: -``` -[ghaf@ghaf-host:~]$ ls /dev | grep bpmp-host -bpmp-host -``` + ``` + [ghaf@ghaf-host:~]$ ls /dev | grep bpmp-host + bpmp-host + ``` 2. Check that `vfio-platform` binding is successful: -``` -ghaf@ghaf-host:~]$ ls -l /sys/bus/platform/drivers/vfio-platform/3100000.serial -lrwxrwxrwx 1 root root 0 Dec 8 08:26 /sys/bus/platform/drivers/vfio-platform/3100000.serial -> ../../../../devices/platform/3100000.serial -``` + ``` + ghaf@ghaf-host:~]$ ls -l /sys/bus/platform/drivers/vfio-platform/3100000.serial + lrwxrwxrwx 1 root root 0 Dec 8 08:26 /sys/bus/platform/drivers/vfio-platform/3100000.serial -> ../../../../devices/platform/3100000.serial + ``` ### Guest for UARTA Testing +> [!TIP] > UARTA is an UART unit with a port A connection. For more information, see [UART Connections](nvidia_agx_pt_uart.md#uart-connections). -1. Build a guest kernel according to [UARTA passthrough instructions](https://github.com/jpruiz84/bpmp-virt)[^note] and use the following script to start the VM: - -> **TIP:** IMG is the kernel image and FS the rootfs. - -``` -IMG=$1 -FS=$2 - -qemu-system-aarch64 \ - -nographic \ - -machine virt,accel=kvm \ - -cpu host \ - -m 1G \ - -no-reboot \ - -kernel $IMG \ - -drive file=$FS,if=virtio,format=qcow2 \ - -net user,hostfwd=tcp::2222-:22 -net nic \ - -device vfio-platform,host=3100000.serial \ - -dtb virt.dtb \ - -append "rootwait root=/dev/vda console=ttyAMA0" -``` +1. Build a guest kernel according to [UARTA passthrough instructions](https://github.com/jpruiz84/bpmp-virt)[^note1] and use the following script to start the VM: + + > [!IMPORTANT] + > IMG is the kernel image and FS the rootfs. 
+ + ``` + IMG=$1 + FS=$2 + + qemu-system-aarch64 \ + -nographic \ + -machine virt,accel=kvm \ + -cpu host \ + -m 1G \ + -no-reboot \ + -kernel $IMG \ + -drive file=$FS,if=virtio,format=qcow2 \ + -net user,hostfwd=tcp::2222-:22 -net nic \ + -device vfio-platform,host=3100000.serial \ + -dtb virt.dtb \ + -append "rootwait root=/dev/vda console=ttyAMA0" + ``` 2. With UARTA connected start Minicom on the working machine: -``` -minicom -b 9600 -D /dev/ttyUSB0 -``` + ``` + minicom -b 9600 -D /dev/ttyUSB0 + ``` 3. Test UARTA by echoing a string to the correct `tty` in the VM: -``` -echo 123 > /dev/ttyTHS0 -``` + ``` + echo 123 > /dev/ttyTHS0 + ``` ## Related Topics @@ -105,4 +108,4 @@ echo 123 > /dev/ttyTHS0 -[^note] That documentation is in the [bpmp-virt](https://github.com/jpruiz84/bpmp-virt) side repository, as that approach does not use microvm. +[^note1]: That documentation is in the [bpmp-virt](https://github.com/jpruiz84/bpmp-virt) side repository, as that approach does not use microvm. diff --git a/docs/src/technologies/technologies.md b/docs/src/technologies/technologies.md index 174911ed1..adfe7bd4b 100644 --- a/docs/src/technologies/technologies.md +++ b/docs/src/technologies/technologies.md @@ -36,5 +36,7 @@ In addition, we have also experimental, Aarch64 demonstrated support for a KVM v - [NVIDIA Jetson AGX Orin: UART Passthrough](./nvidia_agx_pt_uart.md) - [NVIDIA Jetson AGX Orin: PCIe Passthrough](./nvidia_agx_pt_pcie.md) - [Generic x86: PCIe Passthrough on crosvm](./x86_pcie_crosvm.md) + - [NVIDIA Jetson: UARTI Passthrough to netvm](./nvidia_uarti_net_vm.md) + - [Device Tree Overlays for Passthrough](./device_tree_overlays_pt.md) - [NVIDIA Jetson AGX Orin: Boot and Power Management Processor Virtualization](./nvidia_virtualization_bpmp.md) - [Hypervisor Options](./hypervisor_options.md) diff --git a/docs/src/technologies/x86_pcie_crosvm.md b/docs/src/technologies/x86_pcie_crosvm.md index 134a7e081..4bbfea067 100644 
--- a/docs/src/technologies/x86_pcie_crosvm.md +++ b/docs/src/technologies/x86_pcie_crosvm.md @@ -11,6 +11,7 @@ As with other passthroughs, first, we need to set the target device to use VFIO driver. This can be done manually or by using the [driverctl](https://gitlab.com/driverctl/driverctl) tool as below. +> [!IMPORTANT] > Running driverctl requires root permissions. ``` diff --git a/docs/src/troubleshooting/README.md b/docs/src/troubleshooting/README.md new file mode 100644 index 000000000..90b729dd9 --- /dev/null +++ b/docs/src/troubleshooting/README.md @@ -0,0 +1,8 @@ + + +# GhafOS Troubleshooting Guide + +### 1. [systemd troubleshooting](systemd/index.md) diff --git a/docs/src/troubleshooting/systemd/early-shell.md b/docs/src/troubleshooting/systemd/early-shell.md new file mode 100644 index 000000000..636903537 --- /dev/null +++ b/docs/src/troubleshooting/systemd/early-shell.md @@ -0,0 +1,20 @@ + + +# Early shell access + +In some cases, the system may fail to boot due to the failure of a critical service. If this happens, you can follow these steps to diagnose the issue with systemd services: + +1. Increase the systemd log level using the previously mentioned option, and load the image. +2. Reboot the system. As expected, you will encounter a boot failure. +3. Force reboot the machine. When the machine starts again, interrupt the bootloader and add the following to the bootloader command line: + + ``` + rescue systemd.setenv=SYSTEMD_SULOGIN_FORCE=1 + ``` + + To modify the bootloader command, select the boot option and then press the 'e' key. + +4. You will now enter an early shell environment. Here, you can access the logs from the previous boot using `journalctl`. The logs will help you identify any service failures. diff --git a/docs/src/troubleshooting/systemd/index.md b/docs/src/troubleshooting/systemd/index.md new file mode 100644 index 000000000..fe92d295d --- /dev/null +++ b/docs/src/troubleshooting/systemd/index.md 
@@ -0,0 +1,14 @@
+
+
+# GhafOS: systemd troubleshooting guide
+
+Ghaf OS uses systemd and systemctl to manage services. Since security is the utmost priority, every service has restricted access to resources, which is achieved through hardened service configurations. While these restrictions enhance security, they may also limit the functionality of certain services. If a service fails, it may be necessary to adjust its configuration to restore functionality. This document focuses on troubleshooting common issues with systemd services on Ghaf OS.
+
+1. [Analyze system log](system-log.md)
+2. [Use 'systemctl'](systemctl.md)
+3. [Use systemd analyzer](systemd-analyzer.md)
+4. [Use 'strace' to debug sys call and capability restrictions](strace.md)
+5. [Early Shell access](early-shell.md)
diff --git a/docs/src/troubleshooting/systemd/strace.md b/docs/src/troubleshooting/systemd/strace.md
new file mode 100644
index 000000000..9cedb8a3a
--- /dev/null
+++ b/docs/src/troubleshooting/systemd/strace.md
@@ -0,0 +1,26 @@
+
+
+# Use `strace` to debug initialization sequence
+
+`strace` can give detailed insight about system calls made by a service. This is very helpfull in debugging restrictions applied on system calls and capability of any service. Though we can attach `strace` with PID of a running process, but some time we may need to debug service initialization sequence also.
+
+To debug initialization sequence we need to attach `strace` with the service binary in `ExecStart` . To attach strace find out existing `ExecStart` of the service using command:
+
+```bash
+$> systemctl cat .service | grep ExecStart
+```
+
+It will give command line options used with service binary. Now we need to override `ExecStart` of the service, in order to attach `strace`. We'll use same options with `strace`too to replicate same scenario. For example to attach `strace` with `auditd` service we'll use following configuration at a suitable location:
+
+```Nix
+systemd.services."auditd".serviceConfig.ExecStart = lib.mkForce "${pkgs.strace}/bin/strace -o /etc/auditd_trace.log ${pkgs.audit}/bin/auditd -l -n -s nochange";
+```
+
+Command`${pkgs.audit}/bin/auditd -l -n -s nochange`is used in regular `ExecStart`of `auditd`service. In above command we have attached `strace` with the command, which will generate system call traces in file `/etc/auditd_trace.log`
+
+After modifying above configuration you need to rebuild and load Ghaf image.
+
+The log may give you information about the system call restriction which caused the service failure. You can tune your service config accordingly.
diff --git a/docs/src/troubleshooting/systemd/system-log.md b/docs/src/troubleshooting/systemd/system-log.md
new file mode 100644
index 000000000..976c8556b
--- /dev/null
+++ b/docs/src/troubleshooting/systemd/system-log.md
@@ -0,0 +1,74 @@
+
+
+# Analyze system log
+
+`systemd` has centralized logging mechanism which collects logs from all user processes in the system and kernel as well. This is called `journal`. systemd runs a journal daemon `journald`, which collects messages from the kernel, initrd, services, etc.
+
+Analyzing logs is the most effective way to diagnose issues with any systemd service. In Ghaf OS, the default systemd log level is set to `info`. To gain deeper insights into the service state, the log level can be elevated to `debug`using the following option:
+
+```
+ghaf.systemd.logLevel = "debug";
+```
+
+While it is possible to elevate the log level on a live system using `systemctl`, this option is particularly useful when you need to inspect the startup sequence of critical services that cannot be restarted in a live environment.
+
+To change the log level to `debug`, you can run the following `systemctl` command:
+
+```bash
+$> sudo systemctl log-level debug
+```
+
+This command will change the log level for the systemd daemon and all systemd-managed services.
+
+After adjusting the log level, it is recommended to reload the systemd daemon and restart the service you are debugging.
+
+## `journalctl`
+
+When `journalctl` command is run without any option, it will show all the messages, which can be pretty long.
+
+1. You can see logs of specific boot using -b option for example:
+
+```bash
+$> journalctl -b #Log from current boot
+$> journalctl -b -1 #Log from previous boo
+```
+
+2. To list available boots, use the following command.
+
+```
+$> journalctl --list-boots
+```
+
+3. To view the logs generated by any systemd unit, use the `-u` option. For example, the command below displays all logs recorded by the logind service. You can specify multiple units by using the -u` switch more than once.
+
+```bash
+$> journalctl -u logind.service
+```
+
+4. `You can see log messages in real-time, similar to the `tail`command in Linux. To do this, use the`-f` option:
+
+```bash
+$> journalctl -f
+```
+
+5. Similar to the `tail`command, the`-n` option allows you to display a specific number of the most recent log entries. The following command shows the last 50 messages logged.
+
+```bash
+$> journalctl -n 50
+```
+
+6. Log messages can be filtered based on their priority using -p option, for example follwing command will show only error message from service logind
+
+ ```bash
+ $> journalctl -p error -u logind.service
+ ```
+7. To see kernel message use following options:
+
+ ```bash
+ $> journalctl -k
+ $> journalctl -t kernel
+ ```
+8. The `-r` option displays log entries in reverse chronological order, with the latest messages shown first.
diff --git a/docs/src/troubleshooting/systemd/systemctl.md b/docs/src/troubleshooting/systemd/systemctl.md
new file mode 100644
index 000000000..b88234c8f
--- /dev/null
+++ b/docs/src/troubleshooting/systemd/systemctl.md
@@ -0,0 +1,79 @@ + + +# Debuuging systemd using`systemctl` + +To debug failed services using `systemctl` follow below given steps: + +1) List failed services in the system: + + ```bash + $> sudo systemctl --failed + ``` + + Above command will give you list of failed services. You can see list of all the services in the system using the command: + + ``` + $> sudo systemctl list-unit-files --type=service + ``` + +2. Check status of the failed service, it will you give little more detailed information. + + ```bash + $> sudo systemctl status .service + ``` +3. See the service logs to get more insight: + + ``` + $> sudo journalctl -b -u .service + ``` +4. You can further increase log level to get debug level information: + + ```bash + $> sudo systemctl log-level debug + ``` + + Reload the systemd daemon and restart service: + + ```bash + $> sudo systemctl daemon-reload + $> sudo systemctl restart .service + ``` + + Now you can see debug level information in the service log. +5. You can also attach `strace` with the service daemon to see system call and signal status. + + - Get the PID of main process from service status. It is listed as `Main PID:` + - Attach strace with the PID: + + ```bash + $> sudo strace -f -s 100 -p + ``` +6. Retune the service configuration in runtime: + + ```bash + $> systemctl edit --runtime .service + ``` + + - Uncomment the `[Service]`section and also uncomment the configuration you want to enable or disable. You can add any new configuration. This basically overrides your base configuration. + - Save the configuration as `/run/systemd/system/.d/override.conf` + - Reload the systemd daemon and restart the service as mentioned in step 4. + - You can check if your service is using the new configuration using command: + + ``` + $> sudo systemctl show .service + ``` + - You see base configuration also: + + ```bash + $> sudo systemctl cat .service + ``` +7. 
If the new configuration works for you, you can check the exposure level of the service using command: + + ```bash + $> systemd-analyze security + $> systemd-analyze security .service #For detailed information + ``` +8. Update the configuration in Ghaf repo and build it. Hardened service configs are available in directory `ghaf/modules/common/systemd/hardened-configs` diff --git a/docs/src/troubleshooting/systemd/systemd-analyzer.md b/docs/src/troubleshooting/systemd/systemd-analyzer.md new file mode 100644 index 000000000..ee1c267f7 --- /dev/null +++ b/docs/src/troubleshooting/systemd/systemd-analyzer.md 
@@ -0,0 +1,88 @@ + + +# `systemd-analyze` Tool + +`systemd-analyze` is a powerful tool that helps diagnose and troubleshoot issues related to systemd services. It provides various commands to analyze the performance and dependencies of services, as well as to pinpoint issues during the boot process. + +### Steps to Analyze Systemd Services + +#### 1. **Analyze Boot Performance** + +`systemd-analyze` can help you understand how long each service takes to start during boot. This is useful for identifying services that are slowing down the boot process. + + +* To get a summary of the boot time: + + ```bash + $> systemd-analyze + ``` + + This command shows the overall time taken to boot, including the kernel, initrd, and userspace times. +* To see a detailed breakdown of how long each service took to start: + + ```bash + $> systemd-analyze blame + ``` + + This lists all services in order of their startup time, with the slowest services listed first. +* For a graphical representation of the boot process, you can use: + + ```bash + $> system-analyze plot > boot-time.svg + ``` + + This command generates an SVG file that visually represents the startup times of all services. You can view this file in any web browser. + +#### 2. View Service Dependencies + +To troubleshoot issues related to service dependencies, you can visualize the dependency tree of a specific service. To display the dependency tree of a service: + +```bash +systemd-analyze critical-chain .service +``` + +This command shows the critical path that affects the startup time of the service, highlighting any dependencies that may delay its startup. + + +#### 3. Verify Unit Files + +To verify the configuration of a service's unit file: + +- ```bash + $> systemd-analyze verify .service + ``` + + This command checks the syntax and can help identify configuration issues. + +#### 4. Check for Cyclic Dependencies + +Cyclic dependencies can cause services to fail or hang during boot. 
systemd-analyze can check for these issues: + +- To check for any cyclic dependencies: + + ``` + $> systemd-analyze verify --man=your-service-name.service + ``` + + This will warn you about any loops or issues within the unit's dependency tree. + + + +#### 5. Analyze Security Settings + +`systemd-analyze` can also assess the security of your service’s configuration: + +- To evaluate the overall threat exposure of systemd services, use: + + ```bash + $> systemd-analyze security + ``` +- To evaluate the security of a specific service: + + ```bash + $> systemd-analyze security .service + ``` + This command provides a security assessment, scoring the service based on various hardening options and highlighting potential weaknesses. diff --git a/docs/style_guide.md b/docs/style_guide.md index 824a7a5bc..7475f95ab 100644 --- a/docs/style_guide.md +++ b/docs/style_guide.md 
@@ -99,27 +99,41 @@ To make our Markdown files maintainable over time and across teams, follow the r * Notes with quoting - Use an angle bracket (>) for annotations. For example: - ``` - > This is a note. - ``` - To draw more attention, you can create note blocks simply by surrounding the content with two horizontal lines. For example: + Use an angle bracket (>) for annotations. + + Our mdBook is extended with the [mdbook-alerts](https://github.com/lambdalisue/rs-mdbook-alerts) third-party plugin[^note1] which adds usage of [GitHub Flavored Markdown's Alerts](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#alerts). To emphasize critical information, please use the following syntax: + ``` - --- - **IMPORTANT** + > [!NOTE] + > Useful information that users should know, even when skimming content. + + > [!TIP] + > Helpful advice for doing things better or more easily. - Very importamt information. + > [!IMPORTANT] + > Key information users need to know to achieve their goal. - --- + > [!WARNING] + > Urgent info that needs immediate user attention to avoid problems. + + > [!CAUTION] + > Advises about risks or negative outcomes of certain actions. ``` +* Footnotes + + For footnote references, use an identifier inside brackets. For example: + in a text: `... this template[^note1] ...` + at the end of the file: `[^note1]: This template is based on...` + * Markdown shields (badges) In [README.md](../README.md) and [README-docs.md](./README-docs.md), we used those emblems so that the user can see the needed information at first glance. In fact, it is just a reference link. To make your own shield, use [shields.io](https://shields.io/). * Unicode characters - For GitHub .md files (not for GitHub Pages), emojis are welcome :octocat:. [Supported GitHub emojis](https://github-emoji-picker.vercel.app/). + For GitHub .md files (not for GitHub Pages), emojis are welcome :octocat:. 
+ Check [Supported GitHub emojis](https://github-emoji-picker.vercel.app/) for more inspiration. @@ -222,3 +236,6 @@ Congratulations! You found the Room of Requirement that adjusts itself to its se Happy writing! + + +[^note1]: For the full list of available community-developed plugins for extending mdBook, see [Third party plugins](https://github.com/rust-lang/mdBook/wiki/Third-party-plugins). diff --git a/docs/theme/index.hbs b/docs/theme/index.hbs new file mode 100644 index 000000000..420e89c83 --- /dev/null +++ b/docs/theme/index.hbs @@ -0,0 +1,478 @@ + + + + + + + {{ title }} + {{#if is_print }} + + {{/if}} {{#if base_url}} + + {{/if}} + + + {{> head}} + + + + + + {{#if favicon_svg}} + + {{/if}} {{#if favicon_png}} + + {{/if}} + + + + {{#if print_enable}} + + {{/if}} + + + + {{#if copy_fonts}} + + {{/if}} + + + + + + + + {{#each additional_css}} + + {{/each}} {{#if mathjax_support}} + + + {{/if}} + + +
+ + + + + + + + + + + + + + + + + + + +
+
+ {{> header}} + + + + {{#if search_enabled}} + + {{/if}} + + + + +
+
+
{{{ content }}}
+
+ +
+
+ + +
+
+ + +
+ + {{#if live_reload_endpoint}} + + + {{/if}} {{#if google_analytics}} + + + {{/if}} {{#if playground_line_numbers}} + + {{/if}} {{#if playground_copyable}} + + {{/if}} {{#if playground_js}} + + + + + + {{/if}} {{#if search_js}} + + + + {{/if}} + + + + + + + {{#each additional_js}} + + {{/each}} {{#if is_print}} {{#if mathjax_support}} + + {{else}} + + {{/if}} {{/if}} +
+ + diff --git a/docs/theme/pagetoc.css b/docs/theme/pagetoc.css new file mode 100644 index 000000000..40fc81fbd --- /dev/null +++ b/docs/theme/pagetoc.css 
@@ -0,0 +1,107 @@ +/* +Copyright 2020 Jorel Ali +Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +SPDX-License-Identifier: WTFPL +*/ + +:root { + --toc-width: 270px; + --center-content-toc-shift: calc(-1 * var(--toc-width) / 2); +} + +.nav-chapters { + /* adjust width of buttons that bring to the previous or the next page */ + min-width: 50px; +} + +.previous { + /* + adjust the space between the left sidebar or the left side of the screen + and the button that leads to the previous page + */ + margin-left: var(--page-padding); +} + +@media only screen { + main { + display: flex; + } + + @media (max-width: 1179px) { + .sidebar-hidden .sidetoc { + display: none; + } + } + + @media (max-width: 1439px) { + .sidebar-visible .sidetoc { + display: none; + } + } + + @media (1180px <= width <= 1439px) { + .sidebar-hidden main { + position: relative; + left: var(--center-content-toc-shift); + } + } + + @media (1440px <= width <= 1700px) { + .sidebar-visible main { + position: relative; + left: var(--center-content-toc-shift); + } + } + + .content-wrap { + overflow-y: auto; + width: 100%; + } + + .sidetoc { + margin-top: 20px; + margin-left: 10px; + margin-right: auto; + } + .pagetoc { + position: fixed; + /* adjust TOC width */ + width: var(--toc-width); + height: calc(100vh - var(--menu-bar-height) - 0.67em * 4); + overflow: auto; + } + .pagetoc a { + border-left: 1px solid var(--sidebar-bg); + color: var(--fg) !important; + display: block; + padding-bottom: 5px; + padding-top: 5px; + padding-left: 10px; + text-align: left; + text-decoration: none; + } + .pagetoc a:hover, + .pagetoc a.active { + background: var(--sidebar-bg); + color: var(--sidebar-fg) !important; + } + .pagetoc .active { + background: var(--sidebar-bg); + color: var(--sidebar-fg); + } + .pagetoc .pagetoc-H2 { + padding-left: 20px; + } + .pagetoc .pagetoc-H3 { + padding-left: 40px; + } + .pagetoc .pagetoc-H4 { + padding-left: 60px; + } +} + +@media print { + .sidetoc { + display: none; + } +} 
diff --git a/docs/theme/pagetoc.js b/docs/theme/pagetoc.js new file mode 100644 index 000000000..9fdd878b2 --- /dev/null +++ b/docs/theme/pagetoc.js 
@@ -0,0 +1,120 @@ +/* +Copyright 2020 Jorel Ali +Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +SPDX-License-Identifier: WTFPL +*/ + +function forEach(elems, fun) { + Array.prototype.forEach.call(elems, fun); +} + +function getPagetoc() { + return document.getElementsByClassName("pagetoc")[0]; +} + +function getPagetocElems() { + return getPagetoc().children; +} + +function getHeaders() { + return document.getElementsByClassName("header"); +} + +// Un-active everything when you click it +function forPagetocElem(fun) { + forEach(getPagetocElems(), fun); +} + +function getRect(element) { + return element.getBoundingClientRect(); +} + +function overflowTop(container, element) { + return getRect(container).top - getRect(element).top; +} + +function overflowBottom(container, element) { + return getRect(container).bottom - getRect(element).bottom; +} + +var activeHref = location.href; + +var updateFunction = function (elem = undefined) { + var id = elem; + + if (!id && location.href != activeHref) { + activeHref = location.href; + forPagetocElem(function (el) { + if (el.href === activeHref) { + id = el; + } + }); + } + + if (!id) { + var elements = getHeaders(); + let margin = window.innerHeight / 3; + + forEach(elements, function (el, i, arr) { + if (!id && getRect(el).top >= 0) { + if (getRect(el).top < margin) { + id = el; + } else { + id = arr[Math.max(0, i - 1)]; + } + } + // a very long last section + // its heading is over the screen + if (!id && i == arr.length - 1) { + id = el; + } + }); + } + + forPagetocElem(function (el) { + el.classList.remove("active"); + }); + + if (!id) return; + + forPagetocElem(function (el) { + if (id.href.localeCompare(el.href) == 0) { + el.classList.add("active"); + let pagetoc = getPagetoc(); + if (overflowTop(pagetoc, el) > 0) { + pagetoc.scrollTop = el.offsetTop; + } + if (overflowBottom(pagetoc, el) < 0) { + pagetoc.scrollTop -= overflowBottom(pagetoc, el); + } + } + }); +}; + +let elements = getHeaders(); + +if 
(elements.length > 1) { + // Populate sidebar on load + window.addEventListener("load", function () { + var pagetoc = getPagetoc(); + var elements = getHeaders(); + forEach(elements, function (el) { + var link = document.createElement("a"); + link.appendChild(document.createTextNode(el.text)); + link.href = el.hash; + link.classList.add("pagetoc-" + el.parentElement.tagName); + pagetoc.appendChild(link); + link.onclick = function () { + updateFunction(link); + }; + }); + updateFunction(); + }); + + // Handle active elements on scroll + window.addEventListener("scroll", function () { + updateFunction(); + }); +} else { + document.getElementsByClassName("sidetoc")[0].remove(); +} diff --git a/flake.lock b/flake.lock index 76569b6c8..ed7792cee 100644 --- a/flake.lock +++ b/flake.lock @@ -2,29 +2,38 @@ "nodes": { "crane": { "inputs": { - "flake-compat": [ - "lanzaboote", - "flake-compat" - ], - "flake-utils": [ - "lanzaboote", - "flake-utils" - ], "nixpkgs": [ - "lanzaboote", + "givc", "nixpkgs" - ], - "rust-overlay": [ + ] + }, + "locked": { + "lastModified": 1720975002, + "narHash": "sha256-1i521ecK2MFg+lxSk9oRx/C0SsdlI6GS6eYT79nA6TA=", + "owner": "ipetkov", + "repo": "crane", + "rev": "1791a5b98d2c1bf143ad85469abcfa2426f3f087", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "crane_2": { + "inputs": { + "nixpkgs": [ "lanzaboote", - "rust-overlay" + "nixpkgs" ] }, "locked": { - "lastModified": 1681177078, - "narHash": "sha256-ZNIjBDou2GOabcpctiQykEQVkI8BDwk7TyvlWlI4myE=", + "lastModified": 1717535930, + "narHash": "sha256-1hZ/txnbd/RmiBPNUs7i8UQw2N89uAK3UzrGAWdnFfU=", "owner": "ipetkov", "repo": "crane", - "rev": "0c9f468ff00576577d83f5019a66c557ede5acf6", + "rev": "55e7754ec31dac78980c8be45f8a28e80e370946", "type": "github" }, "original": { 
@@ -35,17 +44,16 @@ }, "devshell": { "inputs": { - "flake-utils": "flake-utils", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1705332421, - "narHash": "sha256-USpGLPme1IuqG78JNqSaRabilwkCyHmVWY0M9vYyqEA=", + "lastModified": 1722113426, + "narHash": "sha256-Yo/3loq572A8Su6aY5GP56knpuKYRvM2a1meP9oJZCw=", "owner": "numtide", "repo": "devshell", - "rev": "83cb93d6d063ad290beee669f4badf9914cc16ec", + "rev": "67cce7359e4cd3c45296fb4aaf6a19e2a9c757ae", "type": "github" }, "original": { @@ -61,28 +69,49 @@ ] }, "locked": { - "lastModified": 1712612224, - "narHash": "sha256-Tv4C8OSPVmm4LbpJGLFSODyvJy6DqrisEGPCQdNVOeY=", + "lastModified": 1723080788, + "narHash": "sha256-C5LbM5VMdcolt9zHeLQ0bYMRjUL+N+AL5pK7/tVTdes=", "owner": "nix-community", "repo": "disko", - "rev": "79eab0e82cb126bf4ac170f44af82479f0895ab5", + "rev": "ffc1f95f6c28e1c6d1e587b51a2147027a3e45ed", "type": "github" }, "original": { "owner": "nix-community", - "ref": "master", "repo": "disko", "type": "github" } }, + "fenix": { + "inputs": { + "nixpkgs": [ + "microvm", + "nixpkgs" + ], + "rust-analyzer-src": "rust-analyzer-src" + }, + "locked": { + "lastModified": 1722580276, + "narHash": "sha256-VaNcSh7n8OaFW/DJsR6Fm23V+EGpSei0DyF71RKB+90=", + "owner": "nix-community", + "repo": "fenix", + "rev": "286f371b3cfeaa5c856c8e6dfb893018e86cc947", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "fenix", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { - "lastModified": 1688025799, - "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=", + "lastModified": 1717312683, + "narHash": "sha256-FrlieJH50AuvagamEvWMIE6D2OAnERuDboFDYAED/dE=", "owner": "nix-community", "repo": "flake-compat", - "rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c", + "rev": "38fd3954cf65ce6faf3d0d45cd26059e059f07ea", "type": "github" }, "original": { 
@@ -98,11 +127,11 @@ ] }, "locked": { - "lastModified": 1706830856, - "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=", + "lastModified": 1722555600, + "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f", + "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", "type": "github" }, "original": { @@ -113,11 +142,11 @@ }, "flake-root": { "locked": { - "lastModified": 1692742795, - "narHash": "sha256-f+Y0YhVCIJ06LemO+3Xx00lIcqQxSKJHXT/yk1RTKxw=", + "lastModified": 1713493429, + "narHash": "sha256-ztz8JQkI08tjKnsTpfLqzWoKFQF4JGu2LRz8bkdnYUk=", "owner": "srid", "repo": "flake-root", - "rev": "d9a70d9c7a5fd7f3258ccf48da9335e9b47c3937", + "rev": "bc748b93b86ee76e2032eecda33440ceb2532fcd", "type": "github" }, "original": { @@ -126,25 +155,22 @@ "type": "github" } }, - "flake-utils": { - "inputs": { - "systems": "systems" - }, + "flake-root_2": { "locked": { - "lastModified": 1701680307, - "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "lastModified": 1723604017, + "narHash": "sha256-rBtQ8gg+Dn4Sx/s+pvjdq3CB2wQNzx9XGFq/JVGCB6k=", + "owner": "srid", + "repo": "flake-root", + "rev": "b759a56851e10cb13f6b8e5698af7b59c44be26e", "type": "github" }, "original": { - "owner": "numtide", - "repo": "flake-utils", + "owner": "srid", + "repo": "flake-root", "type": "github" } }, - "flake-utils_2": { + "flake-utils": { "inputs": { "systems": [ "systems" 
@@ -164,6 +190,39 @@ "type": "github" } }, + "ghafpkgs": { + "inputs": { + "flake-compat": [ + "flake-compat" + ], + "flake-parts": [ + "flake-parts" + ], + "flake-root": "flake-root_2", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": [ + "pre-commit-hooks-nix" + ], + "treefmt-nix": [ + "treefmt-nix" + ] + }, + "locked": { + "lastModified": 1724328564, + "narHash": "sha256-dx3lpB8YRPtbFSKNAx2ngYXrfPciYxLNBzhnssdWoxg=", + "owner": "tiiuae", + "repo": "ghafpkgs", + "rev": "e41e2306eed51f0bdb915b2120006466456a87db", + "type": "github" + }, + "original": { + "owner": "tiiuae", + "repo": "ghafpkgs", + "type": "github" + } + }, "gitignore": { "inputs": { "nixpkgs": [ @@ -185,6 +244,57 @@ "type": "github" } }, + "givc": { + "inputs": { + "crane": "crane", + "devshell": [ + "devshell" + ], + "flake-parts": [ + "flake-parts" + ], + "flake-root": [ + "flake-root" + ], + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": [ + "pre-commit-hooks-nix" + ], + "treefmt-nix": [ + "treefmt-nix" + ] + }, + "locked": { + "lastModified": 1724752104, + "narHash": "sha256-wNYN6dSsLPGLWkrb27/YswsE0kqkw29m6UCbMBDR600=", + "owner": "tiiuae", + "repo": "ghaf-givc", + "rev": "ff9f60e3059f940fad610c27393b4d101bf6693d", + "type": "github" + }, + "original": { + "owner": "tiiuae", + "repo": "ghaf-givc", + "type": "github" + } + }, + "impermanence": { + "locked": { + "lastModified": 1717932370, + "narHash": "sha256-7C5lCpiWiyPoIACOcu2mukn/1JRtz6HC/1aEMhUdcw0=", + "owner": "nix-community", + "repo": "impermanence", + "rev": "27979f1c3a0d3b9617a3563e2839114ba7d48d3f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "impermanence", + "type": "github" + } + }, "jetpack-nixos": { "inputs": { "nixpkgs": [ 
@@ -192,22 +302,23 @@ ] }, "locked": { - "lastModified": 1707323143, - "narHash": "sha256-Mfj2l2aE+3Vu/u1M1PtQTvIoOZfCkINgtCQagSZFU6Q=", + "lastModified": 1718600161, + "narHash": "sha256-f51gOZCrmNNOFTyfYxPSDxYZPALGydjWsSPVz6skY0o=", "owner": "anduril", "repo": "jetpack-nixos", - "rev": "6ae4ce1d368fb56235a8b15ef926db28c4643eb8", + "rev": "793716c1ca29a1be6d9bea84296a933c4acdddc1", "type": "github" }, "original": { "owner": "anduril", "repo": "jetpack-nixos", + "rev": "793716c1ca29a1be6d9bea84296a933c4acdddc1", "type": "github" } }, "lanzaboote": { "inputs": { - "crane": "crane", + "crane": "crane_2", "flake-compat": [ "flake-compat" ], @@ -226,22 +337,23 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1682802423, - "narHash": "sha256-Fb5TeRTdvUlo/5Yi2d+FC8a6KoRLk2h1VE0/peMhWPs=", + "lastModified": 1718178907, + "narHash": "sha256-eSZyrQ9uoPB9iPQ8Y5H7gAmAgAvCw3InStmU3oEjqsE=", "owner": "nix-community", "repo": "lanzaboote", - "rev": "64b903ca87d18cef2752c19c098af275c6e51d63", + "rev": "b627ccd97d0159214cee5c7db1412b75e4be6086", "type": "github" }, "original": { "owner": "nix-community", - "ref": "v0.3.0", + "ref": "v0.4.1", "repo": "lanzaboote", "type": "github" } }, "microvm": { "inputs": { + "fenix": "fenix", "flake-utils": [ "flake-utils" ], @@ -251,11 +363,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1707953231, - "narHash": "sha256-xdhJQH4ER3lqaNJ+ZxhmNhjFn47HIsWdSpzWhl6dRAY=", + "lastModified": 1723407630, + "narHash": "sha256-iBvdy5KAYWew4sAIVbrqrNL7jCMWFoB5hObocCXkHiY=", "owner": "astro", "repo": "microvm.nix", - "rev": "d350318cb7f40a300b4b4674acf9bee26933ecca", + "rev": "802ef1704f6a050f272bed5e226d0e86fa3e8c39", "type": "github" }, "original": { 
@@ -277,11 +389,11 @@ ] }, "locked": { - "lastModified": 1703607026, - "narHash": "sha256-Emh0BPoqlS4ntp2UJrwydXfIP4qIMF0VBB2FUE3/M/E=", + "lastModified": 1719475157, + "narHash": "sha256-8zW6eWvE9T03cMpo/hY8RRZIsSCfs1zmsJOkEZzuYwM=", "owner": "Mic92", "repo": "nix-fast-build", - "rev": "4376b8a33b217ee2f78ba3dcff01a3e464d13a46", + "rev": "030e586195c97424844965d2ce680140f6565c02", "type": "github" }, "original": { @@ -292,11 +404,11 @@ }, "nixlib": { "locked": { - "lastModified": 1693701915, - "narHash": "sha256-waHPLdDYUOHSEtMKKabcKIMhlUOHPOOPQ9UyFeEoovs=", + "lastModified": 1722732880, + "narHash": "sha256-do2Mfm3T6SR7a5A804RhjQ+JTsF5hk4JTPGjCTRM/m8=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "f5af57d3ef9947a70ac86e42695231ac1ad00c25", + "rev": "8bebd4c74f368aacb047f0141db09ec6b339733c", "type": "github" }, "original": { @@ -313,11 +425,11 @@ ] }, "locked": { - "lastModified": 1707873059, - "narHash": "sha256-simzllUEmzVqmQogcGCorfIbJpodAhgGSr6vuFtd4XQ=", + "lastModified": 1723078345, + "narHash": "sha256-HSxOQEKNZXiJe9aWnckTTCThOhcRCabwHa32IduDKLk=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "0aa24e93f75370454f0e03747b6836ac2a2c9fca", + "rev": "d6c5d29f58acc10ea82afff1de2b28f038f572bd", "type": "github" }, "original": { @@ -328,11 +440,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1707842204, - "narHash": "sha256-M+HAq1qWQBi/gywaMZwX0odU+Qb/XeqVeANGKRBDOwU=", + "lastModified": 1723149858, + "narHash": "sha256-3u51s7jdhavmEL1ggtd8wqrTH2clTy5yaZmhLvAXTqc=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "f1b2f71c86a5b1941d20608db0b1e88a07d31303", + "rev": "107bb46eef1f05e86fc485ee8af9b637e5157988", "type": "github" }, "original": { 
@@ -343,16 +455,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1707786466, - "narHash": "sha256-yLPfrmW87M2qt+8bAmwopJawa+MJLh3M9rUbXtpUc1o=", - "owner": "NixOS", + "lastModified": 1722593986, + "narHash": "sha256-JeH0R7hlzEWCFkQLnUxFm8hfcQMsXzdl4jCIejU6vzs=", + "owner": "tiiuae", "repo": "nixpkgs", - "rev": "01885a071465e223f8f68971f864b15829988504", + "rev": "c488d21b64527c6f4fb4a6ce686112b238791ec6", "type": "github" }, "original": { - "owner": "NixOS", - "ref": "nixos-23.11", + "owner": "tiiuae", + "ref": "nixos-unstable-texinfo", "repo": "nixpkgs", "type": "github" } @@ -362,9 +474,6 @@ "flake-compat": [ "flake-compat" ], - "flake-utils": [ - "flake-utils" - ], "gitignore": "gitignore", "nixpkgs": [ "nixpkgs" @@ -374,11 +483,11 @@ ] }, "locked": { - "lastModified": 1707297608, - "narHash": "sha256-ADjo/5VySGlvtCW3qR+vdFF4xM9kJFlRDqcC9ZGI8EA=", + "lastModified": 1723056346, + "narHash": "sha256-YpzywjTAUHRRHcO8zz9x2gYqJ0JmZlcB9+RaUvD89qM=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "0db2e67ee49910adfa13010e7f012149660af7f0", + "rev": "3c977f1c9930f54066c085305b4b2291385e7a73", "type": "github" }, "original": { @@ -394,7 +503,10 @@ "flake-compat": "flake-compat", "flake-parts": "flake-parts", "flake-root": "flake-root", - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils", + "ghafpkgs": "ghafpkgs", + "givc": "givc", + "impermanence": "impermanence", "jetpack-nixos": "jetpack-nixos", "lanzaboote": "lanzaboote", "microvm": "microvm", 
@@ -403,10 +515,27 @@ "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", "pre-commit-hooks-nix": "pre-commit-hooks-nix", - "systems": "systems_2", + "systems": "systems", "treefmt-nix": "treefmt-nix" } }, + "rust-analyzer-src": { + "flake": false, + "locked": { + "lastModified": 1722521768, + "narHash": "sha256-FvJ4FaMy1kJbZ3Iw1RyvuiUAsbHJXoU2HwylzaFzj1o=", + "owner": "rust-lang", + "repo": "rust-analyzer", + "rev": "f149dc5029d8406fae8b2c541603bcac06e30deb", + "type": "github" + }, + "original": { + "owner": "rust-lang", + "ref": "nightly", + "repo": "rust-analyzer", + "type": "github" + } + }, "rust-overlay": { "inputs": { "flake-utils": [ @@ -419,11 +548,11 @@ ] }, "locked": { - "lastModified": 1682129965, - "narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=", + "lastModified": 1717813066, + "narHash": "sha256-wqbRwq3i7g5EHIui0bIi84mdqZ/It1AXBSLJ5tafD28=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "2c417c0460b788328220120c698630947547ee83", + "rev": "6dc3e45fe4aee36efeed24d64fc68b1f989d5465", "type": "github" }, "original": { @@ -435,11 +564,11 @@ "spectrum": { "flake": false, "locked": { - "lastModified": 1703273931, - "narHash": "sha256-CJ1Crdi5fXHkCiemovsp20/RC4vpDaZl1R6V273FecI=", + "lastModified": 1720264467, + "narHash": "sha256-xzM92n3Q9L90faJIJrkrTtTx+JqCGRHMkHWztkV4PuY=", "ref": "refs/heads/main", - "rev": "97e2f3429ee61dc37664b4d096b2fec48a57b691", - "revCount": 597, + "rev": "fb59d42542049f586c84b0f8bb86ff3be338e9d3", + "revCount": 674, "type": "git", "url": "https://spectrum-os.org/git/spectrum" }, @@ -463,21 +592,6 @@ "type": "github" } }, - "systems_2": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "treefmt-nix": { "inputs": { "nixpkgs": [ 
@@ -485,11 +599,11 @@ ] }, "locked": { - "lastModified": 1707300477, - "narHash": "sha256-qQF0fEkHlnxHcrKIMRzOETnRBksUK048MXkX0SOmxvA=", + "lastModified": 1722330636, + "narHash": "sha256-uru7JzOa33YlSRwf9sfXpJG+UAV+bnBEYMjrzKrQZFw=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "ac599dab59a66304eb511af07b3883114f061b9d", + "rev": "768acdb06968e53aa1ee8de207fd955335c754b7", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 1d1d73605..8d005ef24 100644 --- a/flake.nix +++ b/flake.nix @@ -1,22 +1,25 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 { - description = "Ghaf - Documentation and implementation for TII SSRC Secure Technologies Ghaf Framework"; + description = "Ghaf Framework: Documentation and implementation for TII SSRC Secure Technologies"; nixConfig = { substituters = [ + "https://dev-cache.vedenemo.dev" "https://cache.vedenemo.dev" "https://cache.ssrcdevops.tii.ae" "https://ghaf-dev.cachix.org" "https://cache.nixos.org/" ]; extra-trusted-substituters = [ + "https://dev-cache.vedenemo.dev" "https://cache.vedenemo.dev" "https://cache.ssrcdevops.tii.ae" "https://ghaf-dev.cachix.org" "https://cache.nixos.org/" ]; extra-trusted-public-keys = [ + "ghaf-infra-dev:EdgcUJsErufZitluMOYmoJDMQE+HFyveI/D270Cr84I=" "cache.vedenemo.dev:8NhplARANhClUSWJyLVk4WMyy1Wb4rhmWW2u8AejH9E=" "cache.ssrcdevops.tii.ae:oOrzj9iCppf+me5/3sN/BxEkp5SaFkHfKTPPZ97xXQk=" "ghaf-dev.cachix.org-1:S3M8x3no8LFQPBfHw1jl6nmP8A7cVWKntoMKN3IsEQY=" 
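Review bot: Adding `https://dev-cache.vedenemo.dev` to `extra-trusted-substituters` and `ghaf-infra-dev:EdgcUJsErufZitluMOYmoJDMQE+HFyveI/D270Cr84I=` to `extra-trusted-public-keys` widens the flake's binary trust root: anyone who accepts this flake's `nixConfig` will install store paths signed by the dev key exactly as they would paths from the release caches, and because the dev cache is listed first it is the cache consulted first for every path. A development cache is presumably populated by less gated CI jobs and its signing key held by more principals than the production key; if so, a leaked or loosely controlled dev key becomes a supply-chain compromise path for every Ghaf image, not just developer builds. Please either keep the dev cache out of the committed `nixConfig` (developers can add it locally via `--extra-substituters`/`--extra-trusted-public-keys` or their own `nix.conf`), or document the trust decision next to the entry, e.g. `# dev-cache: populated by <pipeline>, key held by <owner>, rotated <policy>` so the exposure is explicit. At minimum, listing it after the production caches would avoid the dev cache shadowing release-signed paths for derivations both hold.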
@@ -25,7 +28,20 @@ }; inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11"; + #TODO: clean this up before merging to main + nixpkgs.url = "github:tiiuae/nixpkgs/nixos-unstable-texinfo"; # "flake:mylocalnixpkgs"; # + #nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + + ghafpkgs = { + url = "github:tiiuae/ghafpkgs"; + inputs = { + nixpkgs.follows = "nixpkgs"; + flake-parts.follows = "flake-parts"; + treefmt-nix.follows = "treefmt-nix"; + pre-commit-hooks-nix.follows = "pre-commit-hooks-nix"; + flake-compat.follows = "flake-compat"; + }; + }; # # Flake and repo structuring configurations @@ -50,7 +66,6 @@ inputs = { nixpkgs.follows = "nixpkgs"; nixpkgs-stable.follows = "nixpkgs"; - flake-utils.follows = "flake-utils"; flake-compat.follows = "flake-compat"; }; }; @@ -102,12 +117,12 @@ nixos-hardware.url = "github:NixOS/nixos-hardware"; jetpack-nixos = { - url = "github:anduril/jetpack-nixos"; + url = "github:anduril/jetpack-nixos/793716c1ca29a1be6d9bea84296a933c4acdddc1"; inputs.nixpkgs.follows = "nixpkgs"; }; disko = { - url = "github:nix-community/disko/master"; + url = "github:nix-community/disko"; inputs.nixpkgs.follows = "nixpkgs"; }; @@ -115,7 +130,7 @@ # Security # lanzaboote = { - url = "github:nix-community/lanzaboote/v0.3.0"; + url = "github:nix-community/lanzaboote/v0.4.1"; inputs = { nixpkgs.follows = "nixpkgs"; flake-utils.follows = "flake-utils"; 
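Review bot: `nixpkgs.url` switches from the `nixos-23.11` release branch to a fork branch, `github:tiiuae/nixpkgs/nixos-unstable-texinfo`, and the `#TODO: clean this up before merging to main` comment in the same hunk says this is not meant to land as-is, yet it arrives together with the unrelated cache, lanzaboote and pin changes. Every other input in this file `follows` nixpkgs (lanzaboote, ghafpkgs, givc, disko, jetpack-nixos), so the fork becomes the package source for the whole image including the security-critical components, and a mutable branch name on a fork is pinned only by flake.lock, with no indication of how far it has drifted from upstream or who may push to it. If the fork exists only to carry a texinfo fix, pinning upstream `nixos-unstable` by rev and applying the fix as an overlay or patch would keep the trust anchor on upstream; if the fork must stay, replace the TODO with a trackable note such as `# TEMP: tiiuae/nixpkgs fork carrying <upstream PR> until merged; remove when it reaches nixos-unstable`. Pinning `jetpack-nixos` to an explicit commit in the same hunk series is the right direction — the same treatment for the nixpkgs fork would make the deviation reviewable.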
@@ -124,15 +139,30 @@ flake-compat.follows = "flake-compat"; }; }; + + impermanence = { + url = "github:nix-community/impermanence"; + }; + + givc = { + url = "github:tiiuae/ghaf-givc"; + inputs = { + nixpkgs.follows = "nixpkgs"; + flake-parts.follows = "flake-parts"; + flake-root.follows = "flake-root"; + treefmt-nix.follows = "treefmt-nix"; + devshell.follows = "devshell"; + pre-commit-hooks-nix.follows = "pre-commit-hooks-nix"; + }; + }; }; - outputs = inputs @ {flake-parts, ...}: let - lib = import ./lib.nix {inherit inputs;}; - in - flake-parts.lib.mkFlake - { - inherit inputs; - } { + outputs = + inputs@{ flake-parts, ... }: + let + lib = import ./lib.nix { inherit inputs; }; + in + flake-parts.lib.mkFlake { inherit inputs; } { # Toggle this to allow debugging in the repl # see:https://flake.parts/debug debug = false; @@ -156,11 +186,6 @@ ./templates/flake-module.nix ]; - #TODO Fix this - #flake.nixosModules = with lib; - # mapAttrs (_: import) - # (flattenTree (rakeLeaves ./modules)); - flake.lib = lib; }; } diff --git a/hydrajobs/flake-module.nix b/hydrajobs/flake-module.nix index 3d76a62ae..a7c7fa1ea 100644 --- a/hydrajobs/flake-module.nix +++ b/hydrajobs/flake-module.nix 
@@ -1,37 +1,48 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{self, ...}: let - mkBpmpEnabled = cfg: let - bpmpEnableModule = {lib, ...}: { - ghaf.hardware.nvidia = { - virtualization.enable = lib.mkForce true; - virtualization.host.bpmp.enable = lib.mkForce true; - passthroughs.host.uarta.enable = lib.mkForce true; - }; - }; - newCfg = cfg.extendModules {modules = [bpmpEnableModule];}; - package = newCfg.config.system.build.${newCfg.config.formatAttr}; - in +{ self, ... }: +let + mkBpmpEnabled = + cfg: + let + bpmpEnableModule = + { lib, ... }: + { + ghaf.hardware.nvidia = { + virtualization.enable = lib.mkForce true; + virtualization.host.bpmp.enable = lib.mkForce true; + passthroughs.host.uarta.enable = lib.mkForce true; + }; + }; + newCfg = cfg.extendModules { modules = [ bpmpEnableModule ]; }; + package = newCfg.config.system.build.${newCfg.config.formatAttr}; + in package; -in { +in +{ flake.hydraJobs = { generic-x86_64-debug.x86_64-linux = self.packages.x86_64-linux.generic-x86_64-debug; lenovo-x1-carbon-gen11-debug.x86_64-linux = self.packages.x86_64-linux.lenovo-x1-carbon-gen11-debug; - nvidia-jetson-orin-agx-debug.aarch64-linux = self.packages.aarch64-linux.nvidia-jetson-orin-agx-debug; + nvidia-jetson-orin-agx-debug.aarch64-linux = + self.packages.aarch64-linux.nvidia-jetson-orin-agx-debug; nvidia-jetson-orin-nx-debug.aarch64-linux = self.packages.aarch64-linux.nvidia-jetson-orin-nx-debug; intel-vm-debug.x86_64-linux = self.packages.x86_64-linux.vm-debug; - imx8qm-mek-debug.aarch64-linux = self.packages.aarch64-linux.imx8qm-mek-debug; + nxp-imx8mp-evk-debug.x86_64-linux = self.packages.aarch64-linux.nxp-imx8mp-evk-debug; docs.x86_64-linux = self.packages.x86_64-linux.doc; docs.aarch64-linux = self.packages.aarch64-linux.doc; - microchip-icicle-kit-debug.x86_64-linux = self.packages.riscv64-linux.microchip-icicle-kit-debug; - - # Build cross-copmiled images - 
nvidia-jetson-orin-agx-debug-from-x86_64.x86_64-linux = self.packages.x86_64-linux.nvidia-jetson-orin-agx-debug-from-x86_64; - nvidia-jetson-orin-nx-debug-from-x86_64.x86_64-linux = self.packages.x86_64-linux.nvidia-jetson-orin-nx-debug-from-x86_64; + # Build cross-compiled images + nvidia-jetson-orin-agx-debug-from-x86_64.x86_64-linux = + self.packages.x86_64-linux.nvidia-jetson-orin-agx-debug-from-x86_64; + nvidia-jetson-orin-nx-debug-from-x86_64.x86_64-linux = + self.packages.x86_64-linux.nvidia-jetson-orin-nx-debug-from-x86_64; + microchip-icicle-kit-debug-from-x86_64.x86_64-linux = + self.packages.x86_64-linux.microchip-icicle-kit-debug-from-x86_64; # Build also cross-compiled images without demo apps - nvidia-jetson-orin-agx-debug-nodemoapps-from-x86_64.x86_64-linux = self.packages.x86_64-linux.nvidia-jetson-orin-agx-debug-nodemoapps-from-x86_64; - nvidia-jetson-orin-nx-debug-nodemoapps-from-x86_64.x86_64-linux = self.packages.x86_64-linux.nvidia-jetson-orin-nx-debug-nodemoapps-from-x86_64; + nvidia-jetson-orin-agx-debug-nodemoapps-from-x86_64.x86_64-linux = + self.packages.x86_64-linux.nvidia-jetson-orin-agx-debug-nodemoapps-from-x86_64; + nvidia-jetson-orin-nx-debug-nodemoapps-from-x86_64.x86_64-linux = + self.packages.x86_64-linux.nvidia-jetson-orin-nx-debug-nodemoapps-from-x86_64; # BPMP virt enabled versions nvidia-jetson-orin-agx-debug-bpmp.aarch64-linux = mkBpmpEnabled self.nixosConfigurations.nvidia-jetson-orin-agx-debug; diff --git a/lib.nix b/lib.nix index 744f05ba7..174337f0d 100644 --- a/lib.nix +++ b/lib.nix 
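Review bot: `nxp-imx8mp-evk-debug.x86_64-linux` is keyed under `x86_64-linux` but resolves `self.packages.aarch64-linux.nxp-imx8mp-evk-debug`, which matches neither the line it replaces (`imx8qm-mek-debug.aarch64-linux = self.packages.aarch64-linux.…`) nor the cross-built jobs below, which are taken from `self.packages.x86_64-linux` and carry a `-from-x86_64` suffix. If the job is a native build it should read `nxp-imx8mp-evk-debug.aarch64-linux = self.packages.aarch64-linux.nxp-imx8mp-evk-debug;`; if it is meant as a cross build, the naming convention used for the Orin and Icicle Kit jobs applies. A one-line comment stating which it is would prevent the next reader from asking the same question.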
@@ -4,13 +4,15 @@ # SPDX-License-Identifier: MIT # FlattenTree and rakeLeaves originate from # https://github.com/divnix/digga -{inputs, ...}: let +{ inputs, ... }: +let inherit (inputs) nixpkgs; in - nixpkgs.lib.extend (lib: _: - # some utils for importing trees - rec { - /* +nixpkgs.lib.extend ( + lib: _: + # some utils for importing trees + rec { + /* * Filters Nix packages based on the target system platform. Returns a filtered attribute set of Nix packages compatible with the target system. @@ -35,15 +37,21 @@ in - [system] Target system platform (e.g., "x86_64-linux"). - [pkgsSet] a set of Nix packages. - */ - platformPkgs = system: - lib.filterAttrs - (_: value: let - platforms = lib.attrByPath ["meta" "platforms"] [] value; + */ + platformPkgs = + system: + lib.filterAttrs ( + _: value: + let + platforms = lib.attrByPath [ + "meta" + "platforms" + ] [ ] value; in - lib.elem system platforms); + lib.elem system platforms + ); - /* + /* * Flattens a _tree_ of the shape that is produced by rakeLeaves. An attrset with names in the spirit of the Reverse DNS Notation form @@ -61,20 +69,19 @@ in } => { "a.b.c" = ; } ``` - */ - flattenTree = tree: let - op = sum: path: val: let - pathStr = builtins.concatStringsSep "." path; # dot-based reverse DNS notation - in - if builtins.isPath val - then + */ + flattenTree = + tree: + let + op = + sum: path: val: + let + pathStr = builtins.concatStringsSep "." path; # dot-based reverse DNS notation + in + if builtins.isPath val then # builtins.trace "${toString val} is a path" - (sum - // { - "${pathStr}" = val; - }) - else if builtins.isAttrs val - then + (sum // { "${pathStr}" = val; }) + else if builtins.isAttrs val then # builtins.trace "${builtins.toJSON val} is an attrset" # recurse into that attribute set (recurse sum path val) 
@@ -83,15 +90,13 @@ in # builtins.trace "${toString path} is something else" sum; - recurse = sum: path: val: - builtins.foldl' - (sum: key: op sum (path ++ [key]) val.${key}) - sum - (builtins.attrNames val); + recurse = + sum: path: val: + builtins.foldl' (sum: key: op sum (path ++ [ key ]) val.${key}) sum (builtins.attrNames val); in - recurse {} [] tree; + recurse { } [ ] tree; - /* + /* * Recursively collect the nix files of _path_ into attrs. Return an attribute set where all `.nix` files and directories with `default.nix` in them 
@@ -120,34 +125,38 @@ in }; } ``` - */ - - rakeLeaves = dirPath: let - seive = file: type: - # Only rake `.nix` files or directories + */ + + rakeLeaves = + dirPath: + let + seive = + file: type: + # Only rake `.nix` files or directories (type == "regular" && lib.hasSuffix ".nix" file) || (type == "directory"); collect = file: type: { name = lib.removeSuffix ".nix" file; - value = let - path = dirPath + "/${file}"; - in - if - (type == "regular") - || (type == "directory" && builtins.pathExists (path + "/default.nix")) - then path + value = + let + path = dirPath + "/${file}"; + in + if (type == "regular") || (type == "directory" && builtins.pathExists (path + "/default.nix")) then + path # recurse on directories that don't contain a `default.nix` - else rakeLeaves path; + else + rakeLeaves path; }; files = lib.filterAttrs seive (builtins.readDir dirPath); in - lib.filterAttrs (_n: v: v != {}) (lib.mapAttrs' collect files); - - importLeaves = - # - # Create an import stanza by recursing a directory to find all default.nix and - # files beneath withough manually having to list all the subsequent files. - # - path: builtins.attrValues (lib.mapAttrs (_: import) (rakeLeaves path)); - }) + lib.filterAttrs (_n: v: v != { }) (lib.mapAttrs' collect files); + + importLeaves = + # + # Create an import stanza by recursing a directory to find all default.nix and + # files beneath withough manually having to list all the subsequent files. + # + path: builtins.attrValues (lib.mapAttrs (_: import) (rakeLeaves path)); + } +) diff --git a/lib/ghaf-modules.nix b/lib/ghaf-modules.nix index 992a7da8a..c594e6098 100644 --- a/lib/ghaf-modules.nix +++ b/lib/ghaf-modules.nix 
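Review bot: the re-indented comment on `importLeaves` still reads `files beneath withough manually having to list all the subsequent files`. Since the commit touches those lines anyway, `without` can be corrected in the same pass.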
@@ -2,11 +2,12 @@ # SPDX-FileCopyrightText: 2023 TII (SSRC) and the Ghaf contributors # # SPDX-License-Identifier: Apache-2.0 -{lib}: let +{ lib }: +let inherit (builtins) readFile filter; inherit (lib) filesystem hasInfix hasSuffix; isDesiredFile = path: hasSuffix ".nix" path && hasInfix "options" (readFile path); modulesDirectoryFiles = filesystem.listFilesRecursive ../modules; in - filter isDesiredFile modulesDirectoryFiles +filter isDesiredFile modulesDirectoryFiles diff --git a/lib/icons.nix b/lib/icons.nix new file mode 100644 index 000000000..96aeb6a7a --- /dev/null +++ b/lib/icons.nix 
@@ -0,0 +1,101 @@ +# Copyright 2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ pkgs, ... }: +{ + /* + * + Resizes a PNG to fit the given size. + + # Inputs + + `name` + + : Name of the file, this will be included in the output filename. + + `path` + + : Path of the original PNG file to be resized. + + `size` + + : The new size for the image (x). + + # Type + + ``` + resizePNG :: [String] -> [String] -> [String] -> [String] + ``` + + # Example + :::{.example} + ## Simple example + + ```nix + resizePNG "my-icon" ./my-icon-hi-res.png "24x24"; + ``` + + ::: + */ + resizePNG = + name: path: size: + let + out = + pkgs.runCommand "${name}-${size}" { nativeBuildInputs = with pkgs; [ buildPackages.imagemagick ]; } + '' + mkdir -p $out + convert \ + ${path} \ + -resize ${size} \ + $out/${name}.png + ''; + in + "${out}/${name}.png"; + + /* + * + Converts an SVG file to a PNG of a specific size. + + # Inputs + + `name` + + : Name of the file, this will be included in the output filename. + + `path` + + : Path of the original SVG file to be converted. + + `size` + + : The size of the PNG image to be rendered. + + # Type + + ``` + svgToPNG :: [String] -> [String] -> [String] -> [String] + ``` + + # Example + :::{.example} + ## Simple example + + ```nix + svgToPNG "my-icon" ./my-icon.svg "24x24"; + ``` + + ::: + */ + svgToPNG = + name: path: size: + let + sizes = builtins.split "x" size; + width = builtins.head sizes; + height = builtins.elemAt sizes 2; + out = pkgs.runCommand "${name}-${size}" { nativeBuildInputs = with pkgs; [ librsvg ]; } '' + mkdir -p $out + rsvg-convert ${path} -o $out/${name}.png \ + --width=${width} --height=${height} --keep-aspect-ratio + ''; + in + "${out}/${name}.png"; +} diff --git a/lib/launcher.nix b/lib/launcher.nix new file mode 100644 index 000000000..a4f1742a2 --- /dev/null +++ b/lib/launcher.nix 
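Review bot: `svgToPNG` reads `builtins.elemAt sizes 2` from the result of `builtins.split "x" size`, so a `size` without an `x` (e.g. `"24"`) fails inside `elemAt` with an index error rather than a message about the expected `WxH` form; a guard such as `assert pkgs.lib.assertMsg (builtins.length sizes == 3) "svgToPNG: size must be WxH";` before the `let` body makes the contract explicit. The `# Type` sections also state `[String] -> [String] -> [String] -> [String]`, but each argument is a single value and `path` is a path, so `resizePNG :: String -> Path -> String -> String` (and the same for `svgToPNG`) describes what the code takes. The resulting string points into a `runCommand` output, which is worth one line in the docstring since callers interpolate it into further derivations.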
@@ -0,0 +1,18 @@ +# Copyright 2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +_: { + rmDesktopEntries = + pkgs: + map ( + pkg: + pkg.overrideAttrs ( + old: + let + pInst = if (old ? postInstall) then old.postInstall else ""; + in + { + postInstall = pInst + "rm -rf \"$out/share/applications\""; + } + ) + ) pkgs; +} diff --git a/lib/mk-flash-script/default.nix b/lib/mk-flash-script/default.nix index d93586991..fba8966ae 100644 --- a/lib/mk-flash-script/default.nix +++ b/lib/mk-flash-script/default.nix @@ -7,7 +7,8 @@ hostConfiguration, jetpack-nixos, flash-tools-system, -}: let +}: +let cfg = hostConfiguration.config.hardware.nvidia-jetpack; inherit (jetpack-nixos.legacyPackages.${flash-tools-system}) flash-tools; @@ -19,18 +20,23 @@ isCross = hostConfiguration.config.nixpkgs.buildPlatform.system != hostConfiguration.config.nixpkgs.hostPlatform.system; - devicePkgsSystem = - if isCross - then "x86_64-linux" - else "aarch64-linux"; - devicePkgs = jetpack-nixos.legacyPackages.${devicePkgsSystem}.devicePkgsFromNixosConfig hostConfiguration.config; + devicePkgsSystem = if isCross then "x86_64-linux" else "aarch64-linux"; + devicePkgs = + jetpack-nixos.legacyPackages.${devicePkgsSystem}.devicePkgsFromNixosConfig + hostConfiguration.config; inherit (jetpack-nixos.legacyPackages.${devicePkgsSystem}) l4tVersion; flashScript = devicePkgs.mkFlashScript { - flash-tools = flash-tools.overrideAttrs ({postPatch ? "", ...}: { - postPatch = postPatch + cfg.flashScriptOverrides.postPatch; - }); + flash-tools = flash-tools.overrideAttrs ( + { + postPatch ? "", + ... + }: + { + postPatch = postPatch + cfg.flashScriptOverrides.postPatch; + } + ); preFlashCommands = nixpkgs.lib.optionalString (flash-tools-system == "aarch64-linux") '' echo "WARNING! WARNING! WARNING!" 
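Review bot: `postInstall = pInst + "rm -rf \"$out/share/applications\""` appends the command directly to the existing hook text, so if a package's `postInstall` does not end in a newline the `rm` lands on the same line as its last command. Joining with a newline, `postInstall = pInst + "\nrm -rf \"$out/share/applications\"\n";`, keeps both hooks intact regardless of how the original ends. The file ignores its argument set (`_:`) while the caller in debug-tools.nix passes `{ inherit pkgs lib; }`; harmless, but a short comment such as `# takes no arguments; callers may pass any attrset` would explain it.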
@@ -45,26 +51,22 @@ patchFlashScript = builtins.replaceStrings - [ - "@pzstd@" - "@sed@" - "@patch@" - "@l4tVersion@" - "@isCross@" - ] - [ - "${nixpkgs.legacyPackages.${flash-tools-system}.zstd}/bin/pzstd" - "${nixpkgs.legacyPackages.${flash-tools-system}.gnused}/bin/sed" - "${nixpkgs.legacyPackages.${flash-tools-system}.patch}/bin/patch" - "${l4tVersion}" - "${ - if isCross - then "true" - else "false" - }" - ]; + [ + "@pzstd@" + "@sed@" + "@patch@" + "@l4tVersion@" + "@isCross@" + ] + [ + "${nixpkgs.legacyPackages.${flash-tools-system}.zstd}/bin/pzstd" + "${nixpkgs.legacyPackages.${flash-tools-system}.gnused}/bin/sed" + "${nixpkgs.legacyPackages.${flash-tools-system}.patch}/bin/patch" + "${l4tVersion}" + "${if isCross then "true" else "false"}" + ]; in - nixpkgs.legacyPackages.${flash-tools-system}.writeShellApplication { - name = "flash-ghaf"; - text = patchFlashScript flashScript; - } +nixpkgs.legacyPackages.${flash-tools-system}.writeShellApplication { + name = "flash-ghaf"; + text = patchFlashScript flashScript; +} diff --git a/mk_patches.sh b/mk_patches.sh index cc641cec1..a927d2c05 100755 --- a/mk_patches.sh +++ b/mk_patches.sh @@ -74,11 +74,11 @@ mv /tmp/original_Makefile gpio-virt/drivers/Makefile # ------ # 0003-gpio-virt-kernel.patch # exclude /drive/Kconfig and drive/Makefile -git -C kernel-5.10/ diff basepoint -- drivers/gpio/ \ +git -C kernel-5.10/ diff jetson_35.4.1 -- drivers/gpio/ \ >${patchdir}/0003-gpio-virt-kernel.patch -git -C kernel-5.10/ diff basepoint -- drivers/pinctrl/ \ +git -C kernel-5.10/ diff jetson_35.4.1 -- drivers/pinctrl/ \ >>${patchdir}/0003-gpio-virt-kernel.patch -git -C kernel-5.10/ diff basepoint -- include/ \ +git -C kernel-5.10/ diff jetson_35.4.1 -- include/ \ >>${patchdir}/0003-gpio-virt-kernel.patch # ------ 
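Review bot: the base ref `jetson_35.4.1` is now written out in every `git -C kernel-5.10/ diff` call — three times in this hunk and twice more in the next one — where `basepoint` used to be a single name. A variable near the top of the script, e.g. `baseref="jetson_35.4.1"` used as `git -C kernel-5.10/ diff "$baseref" -- drivers/gpio/ \`, keeps the next L4T bump to one edit. The top of the script, where such a variable belongs, is outside the hunk.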
@@ -99,13 +99,13 @@ rm ${ghaf}/raw_MK_drivers.patch ${ghaf}/raw_u0_MK_drivers.patch # ------ # 0005-gpio-overlay.patch # included in raw-kernel.patch -- not needed because we do not use overlay -git -C kernel-5.10/ diff basepoint -- "kernel*overlays.txt" \ +git -C kernel-5.10/ diff jetson_35.4.1 -- "kernel*overlays.txt" \ >${patchdir}/0005-gpio-overlay.patch # ------ # 0006-defconfig-kernel.patch # included in raw-kernel.patch -git -C kernel-5.10/ diff basepoint -- "arch/arm64/configs/defconfig" \ +git -C kernel-5.10/ diff jetson_35.4.1 -- "arch/arm64/configs/defconfig" \ >${patchdir}/0006-defconfig-kernel.patch # ------ diff --git a/modules/common/boot/systemd-boot-dtb.nix b/modules/common/boot/systemd-boot-dtb.nix index 0bb47f1d7..a7e32ec55 100644 --- a/modules/common/boot/systemd-boot-dtb.nix +++ b/modules/common/boot/systemd-boot-dtb.nix 
@@ -11,25 +11,27 @@ lib, pkgs, ... -}: let +}: +let cfg = config.ghaf.boot.loader.systemd-boot-dtb; + inherit (lib) mkEnableOption mkIf; in - with lib; { - options.ghaf.boot.loader.systemd-boot-dtb = { - enable = mkEnableOption "systemd-boot-dtb"; - }; +{ + options.ghaf.boot.loader.systemd-boot-dtb = { + enable = mkEnableOption "systemd-boot-dtb"; + }; - config = mkIf cfg.enable { - boot.loader.systemd-boot = { - extraFiles."dtbs/${config.hardware.deviceTree.name}" = "${config.hardware.deviceTree.package}/${config.hardware.deviceTree.name}"; - extraInstallCommands = '' - # Find out the latest generation from loader.conf - default_cfg=$(${pkgs.coreutils}/bin/cat /boot/loader/loader.conf | ${pkgs.gnugrep}/bin/grep default | ${pkgs.gawk}/bin/awk '{print $2}') - FILEHASH=$(${pkgs.coreutils}/bin/sha256sum "${config.hardware.deviceTree.package}/${config.hardware.deviceTree.name}" | ${pkgs.coreutils}/bin/cut -d ' ' -f 1) - FILENAME="/dtbs/$FILEHASH.dtb" - ${pkgs.coreutils}/bin/cp -fv "${config.hardware.deviceTree.package}/${config.hardware.deviceTree.name}" "/boot$FILENAME" - echo "devicetree $FILENAME" >> /boot/loader/entries/$default_cfg - ''; - }; + config = mkIf cfg.enable { + boot.loader.systemd-boot = { + extraFiles."dtbs/${config.hardware.deviceTree.name}" = "${config.hardware.deviceTree.package}/${config.hardware.deviceTree.name}"; + extraInstallCommands = '' + # Find out the latest generation from loader.conf + default_cfg=$(${pkgs.coreutils}/bin/cat /boot/loader/loader.conf | ${pkgs.gnugrep}/bin/grep default | ${pkgs.gawk}/bin/awk '{print $2}') + FILEHASH=$(${pkgs.coreutils}/bin/sha256sum "${config.hardware.deviceTree.package}/${config.hardware.deviceTree.name}" | ${pkgs.coreutils}/bin/cut -d ' ' -f 1) + FILENAME="/dtbs/$FILEHASH.dtb" + ${pkgs.coreutils}/bin/cp -fv "${config.hardware.deviceTree.package}/${config.hardware.deviceTree.name}" "/boot$FILENAME" + echo "devicetree $FILENAME" >> /boot/loader/entries/$default_cfg + ''; }; - } + }; +} 
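Review bot: the re-indented `extraInstallCommands` still leaves `$default_cfg` unquoted in `>> /boot/loader/entries/$default_cfg` and appends a `devicetree` line unconditionally, so repeated activations of the same generation accumulate duplicate lines in that entry file. Quoting the path and guarding the append, `grep -q "^devicetree " "/boot/loader/entries/$default_cfg" || echo "devicetree $FILENAME" >> "/boot/loader/entries/$default_cfg"`, keeps the entry well-formed. This is pre-existing behaviour that the commit only reformats, so it can be a follow-up.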
diff --git a/modules/common/common.nix b/modules/common/common.nix index b86989e7d..d9b62d875 100644 --- a/modules/common/common.nix +++ b/modules/common/common.nix @@ -3,7 +3,8 @@ # # TODO: Refactor even more. # This is the old "host/default.nix" file. -{lib, ...}: { +{ lib, ... }: +{ imports = [ # TODO remove this when the minimal config is defined # Replace with the baseModules definition diff --git a/modules/common/default.nix b/modules/common/default.nix index 1656acd6c..86777a710 100644 --- a/modules/common/default.nix +++ b/modules/common/default.nix @@ -9,12 +9,15 @@ ./common.nix ./development ./firewall - ./hardware ./profiles - ./tpm2 + ./security ./users/accounts.nix ./version ./virtualization/docker.nix ./systemd + ./services + ./networking + ../hardware/definition.nix + ./logging ]; } diff --git a/modules/common/development/audio_test/test_file1.mp3 b/modules/common/development/audio_test/test_file1.mp3 new file mode 100644 index 000000000..95d345bae Binary files /dev/null and b/modules/common/development/audio_test/test_file1.mp3 differ diff --git a/modules/common/development/debug-tools.nix b/modules/common/development/debug-tools.nix index 02250108e..61152eb25 100644 --- a/modules/common/development/debug-tools.nix +++ b/modules/common/development/debug-tools.nix 
@@ -5,45 +5,88 @@ lib, pkgs, ... -}: let +}: +let cfg = config.ghaf.development.debug.tools; + + rm-linux-bootmgrs = pkgs.callPackage ./scripts/rm_linux_bootmgr_entries.nix { }; + perf-test-script-icicle = pkgs.callPackage ./scripts/perf_test_icicle_kit.nix { }; + sysbench-test-script = pkgs.callPackage ./scripts/sysbench_test.nix { }; + sysbench-fileio-test-script = pkgs.callPackage ./scripts/sysbench_fileio_test.nix { }; + nvpmodel-check = pkgs.callPackage ./scripts/nvpmodel_check.nix { }; + + inherit (lib) mkEnableOption mkIf; + inherit (import ../../../lib/launcher.nix { inherit pkgs lib; }) rmDesktopEntries; in - with lib; { - options.ghaf.development.debug.tools = { - enable = mkEnableOption "Debug Tools"; - }; +{ + options.ghaf.development.debug.tools = { + enable = mkEnableOption "Debug Tools"; + }; - config = mkIf cfg.enable { - environment.systemPackages = with pkgs; - [ + config = mkIf cfg.enable { + environment.etc = { + audio_test.source = ./audio_test; + }; + environment.systemPackages = + builtins.attrValues { + inherit (pkgs) # For lspci: - pciutils + pciutils # For lsusb: - usbutils + usbutils # Useful in NetVM - ethtool + ethtool # Basic monitors - htop + iftop iotop - traceroute dig evtest + # For deleting Linux Boot Manager entries in automated testing + efibootmgr # Performance testing + speedtest-cli iperf - # Match perf version with kernel. - config.boot.kernelPackages.perf + tree + file + # to build ghaf on target + + git + + # Grpc testing + + grpcurl + ; + } + ++ + # Match perf version with kernel. + [ + #(config.boot.kernelPackages.perf.override {python3 = pkgs.python311;}) + sysbench-test-script + sysbench-fileio-test-script + nvpmodel-check + rm-linux-bootmgrs ] - # TODO Can this be changed to platformPkgs to filter ? 
- # LuaJIT (which is sysbench dependency) not available on RISC-V - ++ lib.optional (config.nixpkgs.hostPlatform.system != "riscv64-linux") sysbench - # runtimeShell (unixbench dependency) not available on RISC-V nor on cross-compiled Orin AGX/NX - ++ lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) unixbench; - }; - } + ++ rmDesktopEntries [ pkgs.htop ] + #TODO tmp disable perf as it is broken in cross-compiled Orin AGX/NX + ++ lib.optional ( + config.nixpkgs.hostPlatform.system != "aarch64-linux" + ) config.boot.kernelPackages.perf + # LuaJIT (which is sysbench dependency) not available on RISC-V + ++ lib.optional (config.nixpkgs.hostPlatform.system != "riscv64-linux") pkgs.sysbench + # Icicle Kit performance test script available on RISC-V + ++ lib.optional (config.nixpkgs.hostPlatform.system == "riscv64-linux") perf-test-script-icicle + # runtimeShell (unixbench dependency) not available on RISC-V nor on cross-compiled Orin AGX/NX + ++ lib.optional (pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) pkgs.unixbench + # Build VLC only on x86 + ++ lib.optionals (config.nixpkgs.hostPlatform.system == "x86_64-linux") (rmDesktopEntries [ + pkgs.vlc + ]); + }; +} diff --git a/modules/common/development/nix.nix b/modules/common/development/nix.nix index 868919555..7b7f45ffe 100644 --- a/modules/common/development/nix.nix +++ b/modules/common/development/nix.nix 
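Review bot: `environment.etc = { audio_test.source = ./audio_test; };` installs the new binary `test_file1.mp3` under `/etc/audio_test` on every host that enables the debug tools, and `#(config.boot.kernelPackages.perf.override {python3 = pkgs.python311;})` is left as commented-out code next to the `lib.optional` that now adds `perf`. A comment on the etc entry naming what consumes the file, e.g. `# sample audio used by <test placeholder>; only present with debug tools enabled`, and removal of the dead override line would make the hunk self-explanatory. The `#TODO tmp disable perf as it is broken in cross-compiled Orin AGX/NX` comment sits above a condition that also excludes native aarch64 builds, which may be wider than the TODO intends; the enclosing function started before this hunk.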
@@ -1,39 +1,54 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - config, - lib, - ... -}: let +{ config, lib, ... }: +let cfg = config.ghaf.development.nix-setup; + inherit (lib) + mkEnableOption + mkOption + mkIf + types + ; in - with lib; { - options.ghaf.development.nix-setup = { - enable = mkEnableOption "Target Nix config options"; - nixpkgs = mkOption { - type = types.nullOr types.path; - default = null; - description = "Path to the nixpkgs repository"; - }; +{ + options.ghaf.development.nix-setup = { + enable = mkEnableOption "Target Nix config options"; + nixpkgs = mkOption { + type = types.nullOr types.path; + default = null; + description = "Path to the nixpkgs repository"; }; + }; - config = mkIf cfg.enable { - nix = { - settings = { - experimental-features = ["nix-command" "flakes"]; - keep-outputs = true; - keep-derivations = true; - }; + config = mkIf cfg.enable { + nix = { + settings = { + experimental-features = [ + "nix-command" + "flakes" + ]; + keep-outputs = true; + keep-derivations = true; + }; + + # avoid scenario where the host rootfs gets filled + # with nixos-rebuild ... switch generated excess + # generations and becomes unbootable + gc = { + automatic = true; + dates = "daily"; + options = "--delete-older-than 3d"; + }; - # Set the path and registry so that e.g. nix-shell and repl work - nixPath = lib.mkIf (cfg.nixpkgs != null) ["nixpkgs=${cfg.nixpkgs}"]; + # Set the path and registry so that e.g. nix-shell and repl work + nixPath = lib.mkIf (cfg.nixpkgs != null) [ "nixpkgs=${cfg.nixpkgs}" ]; - registry = lib.mkIf (cfg.nixpkgs != null) { - nixpkgs.to = { - type = "path"; - path = cfg.nixpkgs; - }; + registry = lib.mkIf (cfg.nixpkgs != null) { + nixpkgs.to = { + type = "path"; + path = cfg.nixpkgs; }; }; }; - } + }; +} 
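Review bot: the new `gc` block runs `--delete-older-than 3d` daily with no way to tune it, while the module's options expose only `enable` and `nixpkgs`; after three days the older generations that `nixos-rebuild switch` leaves as rollback targets are gone. The comment explains the motivation but not the trade-off, so either a retention option (a `mkOption` with default `"--delete-older-than 3d"` fed into `options`) or a comment such as `# NOTE: rollback beyond 3 days is deliberately given up on development targets` records it. `keep-outputs = true` and `keep-derivations = true` in the same block keep build-time closures alive, so the space reclaimed by the GC may be smaller than expected.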
diff --git a/modules/common/development/scripts/nvpmodel_check.nix b/modules/common/development/scripts/nvpmodel_check.nix
new file mode 100644
index 000000000..8dbe82552
--- /dev/null
+++ b/modules/common/development/scripts/nvpmodel_check.nix
@@ -0,0 +1,37 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{ writeShellApplication, lib, ... }:
+writeShellApplication {
+ name = "nvpmodel-check";
+ text = ''
+ # Since performance depends heavily on power mode it should be checked before performance testing.
+
+ # This integer is given with the command, e.g. 'nvpmodel-check 3'
+ ExpectedPowerModeNo="''$1"
+
+ if hostname | grep -qw "ghaf-host"; then
+ if nvpmodel | grep -q "command not found"; then
+ echo -e "nvpmodel not available\ŋ"
+ else
+ echo -e "''$(nvpmodel -q)\n"
+ ModeNo=''$(nvpmodel -q | awk -F: 'NR==2 {print ''$1}')
+ if [ "''$ModeNo" -eq "''$ExpectedPowerModeNo" ]; then
+ echo "Power mode check ok: ''${ModeNo}"
+ exit 0
+ else
+ echo "Unexpected power mode detected: ''${ModeNo}"
+ fi
+ fi
+ else
+ echo -e "\nVirtual environment detected. Power mode cannot be checked."
+ fi
+ exit 1
+ '';
+ meta = with lib; {
+ description = "
+ Script for checking power mode of an Orin AGX/NX target.
+ If executed in correct environment (ghaf-host) it gives return code 0 when the power mode number is as expected.
+ Otherwise the return code is 1.
+ ";
+ };
+}
diff --git a/modules/common/development/scripts/perf_test_icicle_kit.nix b/modules/common/development/scripts/perf_test_icicle_kit.nix
new file mode 100644
index 000000000..595206dd8
--- /dev/null
+++ b/modules/common/development/scripts/perf_test_icicle_kit.nix
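Review bot: `if nvpmodel | grep -q "command not found"; then` cannot detect a missing binary: the shell's "command not found" message goes to stderr, so grep never sees it, and because `writeShellApplication` enables `errexit`, `nounset` and `pipefail`, the later `ModeNo=''$(nvpmodel -q | awk …)` assignment aborts the script instead of reaching the `nvpmodel not available` branch. `if ! command -v nvpmodel >/dev/null; then` is the test that matches the intent. The message on that branch also has `\ŋ` where `\n` was meant, and `ExpectedPowerModeNo="''$1"` trips `nounset` when the script is run without an argument, so a usage check before it would help.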
@@ -0,0 +1,25 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{ writeShellApplication, lib, ... }:
+writeShellApplication {
+ name = "perf-test-icicle-kit";
+ text = ''
+ time {
+ perf bench sched messaging;
+ perf bench sched pipe -l 50000;
+ perf bench syscall basic;
+ perf bench mem memcpy;
+ perf bench mem memset;
+ perf bench mem find_bit -i 5 -j 1000;
+ perf bench numa mem -p 1 -t 1 -P 1024 -C 0 -M 0 -s 5 -zZq --thp 1 --no-data_rand_walk;
+ perf bench futex all;
+ perf bench epoll wait;
+ perf bench epoll ctl;
+ perf bench internals synthesize -i 1000;
+ perf bench internals kallsyms-parse -i 10;
+ } | tee -a perf_results_YYYY-MM-DD_BUILDER-BuildID_SDorEMMC
+ '';
+ meta = with lib; {
+ description = "Perf test script customized for measuring ghaf performance on Microchip Icicle Kit target";
+ };
+}
diff --git a/modules/common/development/scripts/rm_linux_bootmgr_entries.nix b/modules/common/development/scripts/rm_linux_bootmgr_entries.nix
new file mode 100644
index 000000000..8aab934fb
--- /dev/null
+++ b/modules/common/development/scripts/rm_linux_bootmgr_entries.nix
@@ -0,0 +1,15 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{ writeShellApplication, lib, ... }:
+writeShellApplication {
+ name = "rm-linux-bootmgrs";
+ text = ''
+ for id in ''$(efibootmgr | grep Linux | awk 'NR > 0 {print ''$1}' | cut -c 5-8)
+ do
+ sudo efibootmgr -q -b "''${id}" -B
+ done
+ '';
+ meta = with lib; {
+ description = "Helper script for removing all Linux Boot Manager entries from UEFI Boot order list";
+ };
+}
diff --git a/modules/common/development/scripts/sysbench_fileio_test.nix b/modules/common/development/scripts/sysbench_fileio_test.nix
new file mode 100755
index 000000000..805b3ee54
--- /dev/null
+++ b/modules/common/development/scripts/sysbench_fileio_test.nix
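Review bot: `tee -a perf_results_YYYY-MM-DD_BUILDER-BuildID_SDorEMMC` writes to a literal placeholder name in the current directory, so every run appends to the same file and the date and builder fields in the name are never filled in. Deriving at least the date, `} | tee -a "perf_results_$(date +%F)"`, and documenting the remaining fields as something the caller renames afterwards would make the results traceable. If the placeholder is intentional, a comment saying so above the `time {` block avoids the question.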
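Review bot: `efibootmgr | grep Linux` matches any boot entry whose label contains that word anywhere, and `cut -c 5-8` assumes the `BootXXXX*` prefix layout, so the `-B` loop can remove more than the "Linux Boot Manager entries" the description promises. Matching the exact label, `efibootmgr | grep -w "Linux Boot Manager" | cut -c 5-8`, limits deletions to what the script documents, and `awk 'NR > 0 {print ''$1}'` is equivalent to `awk '{print ''$1}'` since `NR` starts at 1. Given the script is destructive, a comment stating it is meant for automated test hosts only (as the debug-tools hunk says) belongs at the top of `text`.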
@@ -0,0 +1,49 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{ writeShellApplication, lib, ... }:
+writeShellApplication {
+ name = "sysbench-fileio-test";
+ text = ''
+ # Test set to be run with sysbench
+
+ # These variable needs to be given on the command line. For example: sysbench-fileio-test 20
+ THREADS="''$1"
+
+ # Create a directory for the results
+ RESULT_DIR="sysbench_results"
+ echo -e "\nCreating directory for test results:\n./''$RESULT_DIR"
+ mkdir -p ''$RESULT_DIR
+
+ # Create test_info file with system information
+ echo -e "\nSaving information about test environment to ./''$RESULT_DIR/test_info\n"
+ echo -e "''$(lscpu)" "\n\n" "''$(free)" "\n\n" "''$(df)" "\n\n" >> ./''$RESULT_DIR/test_info
+ echo -e "\nHost: ''$(hostname)\n" | tee -a ./''$RESULT_DIR/test_info
+
+ # Calculate total memory in kB and set FILE_TOTAL_SIZE 4GB higher than the total memory
+ TOTAL_MEM_kB=''$(free | awk -F: 'NR==2 {print ''$2}' | awk '{print ''$1}')
+ FILE_TOTAL_SIZE_kB=''$((TOTAL_MEM_kB + 4000000))
+
+ # Read available disk space in kB and check for sufficient disk space
+ AVAILABLE_DISK_SPACE_kB=''$(df | grep -w "/" | awk '{print ''$4}')
+ if [ ''$((FILE_TOTAL_SIZE_kB + FILE_TOTAL_SIZE_kB / 10)) -gt "''$AVAILABLE_DISK_SPACE_kB" ]; then
+ echo -e "\nInsufficient disk space for fileio test." | tee -a ./''$RESULT_DIR/test_info
+ exit 1
+ fi
+
+ echo -e "\nDetected available total memory ''${TOTAL_MEM_kB} kB." | tee -a ./''$RESULT_DIR/test_info
+ echo -e "\nDetected available disk space ''${AVAILABLE_DISK_SPACE_kB} kB." | tee -a ./''$RESULT_DIR/test_info
+ echo -e "\nStarting fileio test with FILE_TOTAL_SIZE=''${FILE_TOTAL_SIZE_kB} kB." | tee -a ./''$RESULT_DIR/test_info
+
+ # Execute sysbench fileio tests if the checks passed
+ sysbench fileio --file-total-size=''${FILE_TOTAL_SIZE_kB}K --threads="''${THREADS}" --file-test-mode=seqrd prepare
+ sysbench fileio --file-total-size=''${FILE_TOTAL_SIZE_kB}K --threads="''${THREADS}" --file-test-mode=seqrd --time=30 run | tee ./''$RESULT_DIR/fileio_rd_report
+ sysbench fileio cleanup
+ sysbench fileio --file-total-size=''${FILE_TOTAL_SIZE_kB}K --threads="''${THREADS}" --file-test-mode=seqwr --time=30 run | tee ./''$RESULT_DIR/fileio_wr_report
+ sysbench fileio cleanup
+
+ echo -e "\nTest finished.\n"
+ '';
+ meta = with lib; {
+ description = "Script for sysbench fileio tests";
+ };
+}
diff --git a/modules/common/development/scripts/sysbench_test.nix b/modules/common/development/scripts/sysbench_test.nix
new file mode 100755
index 000000000..e28401d34
--- /dev/null
+++ b/modules/common/development/scripts/sysbench_test.nix
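Review bot: `AVAILABLE_DISK_SPACE_kB=''$(df | grep -w "/" | awk '{print ''$4}')` relies on the root line of unfiltered `df` output surviving `grep -w "/"` and on the default column order; `df -k --output=avail / | tail -n 1` asks for the root filesystem's available kB directly and is robust to both. `mkdir -p ''$RESULT_DIR` and the `./''$RESULT_DIR/...` redirections are unquoted, which is harmless for the fixed name but inconsistent with the quoting of `"''${THREADS}"` in the same text. The comment `# These variable needs to be given on the command line` should read `# This variable needs to be given on the command line`.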
@@ -0,0 +1,46 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ writeShellApplication, lib, ... }: +writeShellApplication { + name = "sysbench-test"; + text = '' + # Threads variable needs to be given on the command line. + # For example: ./sysbench_simplified_test 20 + THREADS="''$1" + + # Create a directory for the results with a timestamp + RESULT_DIR="sysbench_results" + echo -e "\nCreating directory for test results:" + echo "./''$RESULT_DIR" + mkdir -p ''$RESULT_DIR + + # Create test_info file with information about the run environment: lscpu, free, df + echo -e "\nSaving information about test environment to ./''$RESULT_DIR/test_info\n" + echo -e "''$(lscpu)" "\n\n" "''$(free)" "\n\n" "''$(df)" "\n\n" >> ./''$RESULT_DIR/test_info + + echo -e "\nHost: ''$(hostname)\n" | tee -a ./''$RESULT_DIR/test_info + + # cpu tests + echo -e "\nRunning CPU tests...\n" + sysbench cpu --time=10 --threads=1 --cpu-max-prime=20000 run | tee ./''$RESULT_DIR/cpu_1thread_report + if [ "''$THREADS" -gt 1 ] + then + sysbench cpu --time=10 --threads="''${THREADS}" --cpu-max-prime=20000 run | tee ./''$RESULT_DIR/cpu_report + fi + + # memory tests + echo -e "\nRunning memory tests...\n" + sysbench memory --time=60 --memory-oper=read --threads=1 run | tee ./''$RESULT_DIR/memory_read_1thread_report + sysbench memory --time=60 --memory-oper=write --threads=1 run | tee ./''$RESULT_DIR/memory_write_1thread_report + if [ "''$THREADS" -gt 1 ] + then + sysbench memory --time=15 --memory-oper=read --threads="''${THREADS}" run | tee ./''$RESULT_DIR/memory_read_report + sysbench memory --time=30 --memory-oper=write --threads="''${THREADS}" run | tee ./''$RESULT_DIR/memory_write_report + fi + + echo -e "\nTest finished.\n" + ''; + meta = with lib; { + description = "Script for sysbench tests (excluding fileio)"; + }; +} diff --git a/modules/common/development/ssh.nix b/modules/common/development/ssh.nix index 3bb921f00..923e27897 100644 
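Review bot: The header comment `# For example: ./sysbench_simplified_test 20` names a script that does not exist; the application is `sysbench-test`, so the example should read `sysbench-test 20`. `# Create a directory for the results with a timestamp` is also stale: `RESULT_DIR="sysbench_results"` is a fixed name, and `>> ./''$RESULT_DIR/test_info` appends, so repeated runs pile into one `test_info` while the `tee ./''$RESULT_DIR/*_report` files are silently overwritten; either add the timestamp the comment promises or reword the comment. The unvalidated `''$1` is the same issue raised on sysbench_fileio_test.nix above, and here it additionally feeds `[ "''$THREADS" -gt 1 ]`, which errors out on a non-integer.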
--- a/modules/common/development/ssh.nix +++ b/modules/common/development/ssh.nix @@ -1,24 +1,19 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - config, - lib, - ... -}: let +{ config, lib, ... }: +let cfg = config.ghaf.development.ssh.daemon; - inherit ((import ./authorized_ssh_keys.nix)) authorizedKeys; + inherit (lib) mkEnableOption mkIf; in - with lib; { - options.ghaf.development.ssh.daemon = { - enable = mkEnableOption "ssh daemon"; - }; +{ + options.ghaf.development.ssh.daemon = { + enable = mkEnableOption "ssh daemon"; + }; - config = mkIf cfg.enable { - services.openssh = { - enable = true; - settings.X11Forwarding = true; - }; - users.users.root.openssh.authorizedKeys.keys = authorizedKeys; - users.users.${config.ghaf.users.accounts.user}.openssh.authorizedKeys.keys = authorizedKeys; - }; - } + config = mkIf cfg.enable { + services.openssh = { + enable = true; + settings.X11Forwarding = true; + }; + }; +} diff --git a/modules/common/development/usb-serial.nix b/modules/common/development/usb-serial.nix index 6be47c754..c19db3a70 100644 --- a/modules/common/development/usb-serial.nix +++ b/modules/common/development/usb-serial.nix 
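Review bot: With the authorizedKeys lines gone, how a login to this daemon is authenticated now rests entirely on NixOS' sshd defaults, which the remaining `services.openssh` block does not spell out; setting `settings.PermitRootLogin = "no";` and stating `settings.PasswordAuthentication` explicitly makes the remote-access posture reviewable in this file instead of inherited. `settings.X11Forwarding = true;` is kept without a comment saying what a development SSH daemon needs it for; add a one-line why-comment, or drop it if nothing uses it. This module is switched on by profiles/debug.nix later in this diff, so whatever defaults are chosen here apply to every debug build.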
@@ -1,25 +1,23 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - config, - lib, - ... -}: let +{ config, lib, ... }: +let cfg = config.ghaf.development.usb-serial; + inherit (lib) mkEnableOption mkIf; in - with lib; { - options.ghaf.development.usb-serial = { - enable = mkEnableOption "Usb-Serial"; - }; +{ + options.ghaf.development.usb-serial = { + enable = mkEnableOption "Usb-Serial"; + }; - #TODO Should this be alos bound to only x86? - config = mkIf cfg.enable { - services.getty.extraArgs = ["115200"]; - systemd.services."autovt@ttyUSB0".enable = true; + #TODO Should this be alos bound to only x86? + config = mkIf cfg.enable { + services.getty.extraArgs = [ "115200" ]; + systemd.services."autovt@ttyUSB0".enable = true; - # ttyUSB0 service is active as soon as corresponding device appears - services.udev.extraRules = '' - SUBSYSTEM=="tty", KERNEL=="ttyUSB0", TAG+="systemd", ENV{SYSTEMD_WANTS}+="autovt@ttyUSB0.service" - ''; - }; - } + # ttyUSB0 service is active as soon as corresponding device appears + services.udev.extraRules = '' + SUBSYSTEM=="tty", KERNEL=="ttyUSB0", TAG+="systemd", ENV{SYSTEMD_WANTS}+="autovt@ttyUSB0.service" + ''; + }; +} diff --git a/modules/common/firewall/default.nix b/modules/common/firewall/default.nix index d13e33b8f..9d28c039a 100644 --- a/modules/common/firewall/default.nix +++ b/modules/common/firewall/default.nix @@ -3,8 +3,4 @@ # # Firewall related modules # -{ - imports = [ - ./kernel-modules.nix - ]; -} +{ imports = [ ./kernel-modules.nix ]; } diff --git a/modules/common/firewall/kernel-modules.nix b/modules/common/firewall/kernel-modules.nix index 2a72d8078..79aafe0b7 100644 --- a/modules/common/firewall/kernel-modules.nix +++ b/modules/common/firewall/kernel-modules.nix 
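Review bot: The udev rule and the `autovt@ttyUSB0` unit start a getty (autovt@ is getty@ under systemd's default aliasing) on whatever the kernel names ttyUSB0, i.e. any USB serial adapter, not one specific piece of hardware; now that profiles/debug.nix enables this module, the header should say so, e.g. `# Debug-only: any USB serial adapter enumerating as ttyUSB0 gets a login console.`. The retained TODO also keeps the typo `alos` (`also`).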
@@ -6,13 +6,11 @@ # Adds bunch of modules to the kernel, so firewall can start, as our custom # kernels don't seem to always have all necessary modules enabled. # -{ - config, - lib, - ... -}: let +{ config, lib, ... }: +let cfg = config.ghaf.firewall.kernel-modules; -in { +in +{ options.ghaf.firewall.kernel-modules = { enable = lib.mkEnableOption "kernel modules required for firewall"; }; diff --git a/modules/common/hardware/ax88179_178a.nix b/modules/common/hardware/ax88179_178a.nix deleted file mode 100644 index 3e0f686b5..000000000 --- a/modules/common/hardware/ax88179_178a.nix +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright 2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -# -# Fix for ax88179_178a USB network card kernel driver MAC-address issue. -{ - lib, - pkgs, - config, - ... -}: let - cfg = config.ghaf.hardware.ax88179_178a; -in { - options.ghaf.hardware.ax88179_178a = { - enable = lib.mkEnableOption "fix for ax88179_178a USB network card kernel driver MAC-address"; - }; - - config = lib.mkIf cfg.enable { - boot.kernelPatches = [ - # Fix MAC-address randomized on USB network cards because of kernel bug. - # This specifically affects network cards used in testing. - { - patch = pkgs.fetchpatch2 { - url = "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/patch/?id=2e91bb99b9d4f756e92e83c4453f894dda220f09"; - hash = "sha256-fX7yBsXW1oFt1Nfns42oZnCXf36qehXijvCNEmqBGsE="; - }; - } - ]; - }; -} diff --git a/modules/common/hardware/definition.nix b/modules/common/hardware/definition.nix deleted file mode 100644 index 2e99fdfb5..000000000 --- a/modules/common/hardware/definition.nix +++ /dev/null 
@@ -1,143 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -# -# Module for Hardware Definitions -# -# The point of this module is to only store information about the hardware -# configuration, and the logic that uses this information should be elsewhere. -{lib, ...}: { - options.ghaf.hardware.definition = with lib; let - pciDevSubmodule = types.submodule { - options = { - path = mkOption { - type = types.str; - description = '' - PCI device path - ''; - }; - vendorId = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - PCI Vendor ID (optional) - ''; - }; - productId = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - PCI Product ID (optional) - ''; - }; - name = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - PCI device name (optional) - ''; - }; - }; - }; - in { - name = mkOption { - description = "Name of the hardware"; - type = types.str; - default = ""; - }; - - mouse = mkOption { - description = "Name of the mouse device(s)"; - type = types.listOf types.str; - default = []; - }; - - touchpad = mkOption { - description = "Name of the touchpad device(s)"; - type = types.listOf types.str; - default = []; - }; - - network = { - # TODO? Should add NetVM enabler here? - # netvm.enable = mkEnableOption = "NetVM"; - - pciDevices = mkOption { - description = "PCI Devices to passthrough to NetVM"; - type = types.listOf pciDevSubmodule; - default = []; - example = literalExpression '' - [{ - path = "0000:00:14.3"; - vendorId = "8086"; - productId = "51f1"; - }] - ''; - }; - }; - - disks = mkOption { - description = "Disks to format and mount"; - type = types.attrsOf (types.submodule { - options.device = mkOption { - type = types.str; - description = '' - Path to the disk - ''; - }; - }); - default = {}; - example = literalExpression '' - { - disk1.device = "/dev/nvme0n1"; - } - ''; - }; - - gpu = { - # TODO? 
Should add GuiVM enabler here? - # guivm.enable = mkEnableOption = "NetVM"; - - pciDevices = mkOption { - description = "PCI Devices to passthrough to GuiVM"; - type = types.listOf pciDevSubmodule; - default = []; - example = literalExpression '' - [{ - path = "0000:00:02.0"; - vendorId = "8086"; - productId = "a7a1"; - }] - ''; - }; - }; - - virtioInputHostEvdevs = mkOption { - description = '' - List of input device files to passthrough to GuiVM using - "-device virtio-input-host-pci,evdev=" QEMU command line argument. - ''; - type = types.listOf types.str; - default = []; - example = literalExpression '' - [ - "evdev=/dev/input/by-path/platform-i8042-serio-0-event-kbd" - "evdev=/dev/mouse" - "evdev=/dev/touchpad" - "evdev=/dev/input/by-path/platform-i8042-serio-1-event-mouse" - ] - ''; - }; - - udevRules = mkOption { - description = '' - Definition of required udev rules. - ''; - type = types.str; - default = ""; - example = literalExpression '' - # Laptop keyboard - SUBSYSTEM=="input",ATTRS{name}=="AT Translated Set 2 keyboard",GROUP="kvm" - ''; - }; - }; -} diff --git a/modules/common/hardware/lenovo-x1/definitions/default.nix b/modules/common/hardware/lenovo-x1/definitions/default.nix deleted file mode 100644 index 8b28c75aa..000000000 --- a/modules/common/hardware/lenovo-x1/definitions/default.nix +++ /dev/null 
@@ -1,50 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -# -{ - generation, - lib, -}: let - hwDefinition = import (./. + "/x1-${generation}.nix"); -in { - inherit (hwDefinition) mouse; - inherit (hwDefinition) touchpad; - inherit (hwDefinition) disks; - inherit (hwDefinition) network; - inherit (hwDefinition) gpu; - - # Notes: - # 1. This assembles udev rules for different hw configurations (i.e., different mice/touchpads) by adding - # all of them to the configuration. This was chosen for simplicity to not have to provide hw identifier at build, - # but is not ideal and should be changed. - # 2. USB camera "passthrough" is handled by qemu and thus available on host. If peripheral VM is implemented, - # the entire host controller should be passthrough'd using the PCI bus (14.0). In x1, bluetooth and fingerprint - # reader are on this bus. - udevRules = let - mapMouseRules = - builtins.map (d: '' SUBSYSTEM=="input", ATTRS{name}=="${d}", KERNEL=="event*", GROUP="kvm", SYMLINK+="mouse" - ''); - mapTouchpadRules = - builtins.map (d: '' SUBSYSTEM=="input", ATTRS{name}=="${d}", KERNEL=="event*", GROUP="kvm", SYMLINK+="touchpad" - ''); - in '' - # Laptop keyboard - SUBSYSTEM=="input", ATTRS{name}=="AT Translated Set 2 keyboard", GROUP="kvm" - # Laptop TrackPoint - SUBSYSTEM=="input", ATTRS{name}=="TPPS/2 Elan TrackPoint", GROUP="kvm" - # Lenovo X1 integrated webcam - KERNEL=="3-8", SUBSYSTEM=="usb", ATTR{busnum}=="3", ATTR{devnum}=="3", GROUP="kvm" - # Mouse and Touchpad - ${lib.strings.concatStrings (mapMouseRules hwDefinition.mouse)} - ${lib.strings.concatStrings (mapTouchpadRules hwDefinition.touchpad)} - ''; - - virtioInputHostEvdevs = [ - # Lenovo X1 touchpad and keyboard - "/dev/input/by-path/platform-i8042-serio-0-event-kbd" - "/dev/mouse" - "/dev/touchpad" - # Lenovo X1 trackpoint (red button/joystick) - "/dev/input/by-path/platform-i8042-serio-1-event-mouse" - ]; -} 
diff --git a/modules/common/hardware/lenovo-x1/definitions/x1-gen10.nix b/modules/common/hardware/lenovo-x1/definitions/x1-gen10.nix deleted file mode 100644 index 8cfc01b10..000000000 --- a/modules/common/hardware/lenovo-x1/definitions/x1-gen10.nix +++ /dev/null @@ -1,32 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -# -{ - name = "Lenovo X1 Carbon Gen 10"; - - mouse = ["ELAN067B:00 04F3:31F8 Mouse" "SYNA8016:00 06CB:CEB3 Mouse"]; - touchpad = ["ELAN067B:00 04F3:31F8 Touchpad" "SYNA8016:00 06CB:CEB3 Touchpad"]; - - disks = { - disk1.device = "/dev/nvme0n1"; - }; - - network.pciDevices = [ - { - # Passthrough Intel WiFi card - path = "0000:00:14.3"; - vendorId = "8086"; - productId = "51f0"; - name = "wlp0s5f0"; - } - ]; - - gpu.pciDevices = [ - { - # Passthrough Intel Iris GPU - path = "0000:00:02.0"; - vendorId = "8086"; - productId = "46a6"; - } - ]; -} diff --git a/modules/common/hardware/lenovo-x1/definitions/x1-gen11.nix b/modules/common/hardware/lenovo-x1/definitions/x1-gen11.nix deleted file mode 100644 index 72818febd..000000000 --- a/modules/common/hardware/lenovo-x1/definitions/x1-gen11.nix +++ /dev/null @@ -1,41 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -# -{ - name = "Lenovo X1 Carbon Gen 11"; - - mouse = [ - "ELAN067C:00 04F3:31F9 Mouse" - "SYNA8016:00 06CB:CEB3 Mouse" - "ELAN067B:00 04F3:31F8 Mouse" - ]; - - touchpad = [ - "ELAN067C:00 04F3:31F9 Touchpad" - "SYNA8016:00 06CB:CEB3 Touchpad" - "ELAN067B:00 04F3:31F8 Touchpad" - ]; - - disks = { - disk1.device = "/dev/nvme0n1"; - }; - - network.pciDevices = [ - { - # Passthrough Intel WiFi card - path = "0000:00:14.3"; - vendorId = "8086"; - productId = "51f1"; - name = "wlp0s5f0"; - } - ]; - - gpu.pciDevices = [ - { - # Passthrough Intel Iris GPU - path = "0000:00:02.0"; - vendorId = "8086"; - productId = "a7a1"; - } - ]; -} 
diff --git a/modules/common/hardware/lenovo-x1/kernel/guest/test/default.nix b/modules/common/hardware/lenovo-x1/kernel/guest/test/default.nix deleted file mode 100644 index 288fd2e55..000000000 --- a/modules/common/hardware/lenovo-x1/kernel/guest/test/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -{pkgs, ...}: let - config = pkgs.nixos [./test-configuration.nix]; -in - config.config.system.build.toplevel diff --git a/modules/common/hardware/lenovo-x1/kernel/guest/test/test-configuration.nix b/modules/common/hardware/lenovo-x1/kernel/guest/test/test-configuration.nix deleted file mode 100644 index cbb6e4694..000000000 --- a/modules/common/hardware/lenovo-x1/kernel/guest/test/test-configuration.nix +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -{ - config, - lib, - ... -}: { - imports = [ - ../../../../x86_64-generic/kernel/host/default.nix - ../../../../x86_64-generic/kernel/guest/default.nix - ]; - - # baseline, virtualization and network hardening are - # generic to all x86_64 devices - config.ghaf.host.kernel.hardening.enable = true; - config.ghaf.host.kernel.hardening.virtualization.enable = true; - config.ghaf.host.kernel.hardening.networking.enable = true; - config.ghaf.host.kernel.hardening.inputdevices.enable = true; - # usb/debug hardening is host optional but required for -debug builds - config.ghaf.host.kernel.hardening.usb.enable = true; - config.ghaf.host.kernel.hardening.debug.enable = true; - - # guest VM kernel specific options - config.ghaf.guest.kernel.hardening.enable = true; - config.ghaf.guest.kernel.hardening.graphics.enable = true; - - # required to module test a module via top level configuration - config.boot.loader.systemd-boot.enable = true; - config.fileSystems."/" = { - device = "/dev/disk/by-uuid/00000000-0000-0000-0000-000000000000"; - fsType = "ext4"; - }; - config.system.stateVersion = lib.trivial.release; -} diff --git a/modules/common/hardware/x86_64-generic/kernel/guest/default.nix b/modules/common/hardware/x86_64-generic/kernel/guest/default.nix deleted file mode 100644 index 9d11d5288..000000000 --- a/modules/common/hardware/x86_64-generic/kernel/guest/default.nix +++ /dev/null @@ -1,15 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -{lib, ...}: -with lib; { - options.ghaf.guest.kernel.hardening.enable = mkOption { - description = "Enable Ghaf Guest hardening feature"; - type = types.bool; - default = false; - }; - options.ghaf.guest.kernel.hardening.graphics.enable = mkOption { - description = "Enable support for Graphics in the Ghaf Guest"; - type = types.bool; - default = false; - }; -} 
diff --git a/modules/common/hardware/x86_64-generic/kernel/hardening.nix b/modules/common/hardware/x86_64-generic/kernel/hardening.nix deleted file mode 100644 index d1d61b1b9..000000000 --- a/modules/common/hardware/x86_64-generic/kernel/hardening.nix +++ /dev/null @@ -1,26 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -{...}: { - imports = [ - ./host - ./guest - ./host/pkvm - # other host hardening modules - to be defined later - ]; - - config = { - # host kernel hardening - ghaf.host.kernel.hardening.enable = false; - ghaf.host.kernel.hardening.virtualization.enable = false; - ghaf.host.kernel.hardening.networking.enable = false; - ghaf.host.kernel.hardening.usb.enable = false; - ghaf.host.kernel.hardening.inputdevices.enable = false; - ghaf.host.kernel.hardening.debug.enable = false; - # host kernel hypervisor (KVM) hardening - ghaf.host.kernel.hardening.hypervisor.enable = false; - # guest kernel hardening - ghaf.guest.kernel.hardening.enable = false; - ghaf.guest.kernel.hardening.graphics.enable = false; - # other host hardening options - user space, etc. - to be defined later - }; -} diff --git a/modules/common/hardware/x86_64-generic/kernel/host/pkvm/test/default.nix b/modules/common/hardware/x86_64-generic/kernel/host/pkvm/test/default.nix deleted file mode 100644 index 288fd2e55..000000000 --- a/modules/common/hardware/x86_64-generic/kernel/host/pkvm/test/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -{pkgs, ...}: let - config = pkgs.nixos [./test-configuration.nix]; -in - config.config.system.build.toplevel diff --git a/modules/common/hardware/x86_64-generic/kernel/host/pkvm/test/test-configuration.nix b/modules/common/hardware/x86_64-generic/kernel/host/pkvm/test/test-configuration.nix deleted file mode 100644 index 6dfb78431..000000000 
--- a/modules/common/hardware/x86_64-generic/kernel/host/pkvm/test/test-configuration.nix +++ /dev/null @@ -1,22 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -{ - config, - lib, - ... -}: { - imports = [ - ../default.nix - ]; - - # pkvm hardening is generic to all x86_64 devices - config.ghaf.host.kernel.hardening.hypervisor.enable = true; - - # required to module test a module via top level configuration - config.boot.loader.systemd-boot.enable = true; - config.fileSystems."/" = { - device = "/dev/disk/by-uuid/00000000-0000-0000-0000-000000000000"; - fsType = "ext4"; - }; - config.system.stateVersion = lib.trivial.release; -} diff --git a/modules/common/hardware/x86_64-generic/kernel/host/test/default.nix b/modules/common/hardware/x86_64-generic/kernel/host/test/default.nix deleted file mode 100644 index 288fd2e55..000000000 --- a/modules/common/hardware/x86_64-generic/kernel/host/test/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -{pkgs, ...}: let - config = pkgs.nixos [./test-configuration.nix]; -in - config.config.system.build.toplevel diff --git a/modules/common/hardware/x86_64-generic/kernel/host/test/test-configuration.nix b/modules/common/hardware/x86_64-generic/kernel/host/test/test-configuration.nix deleted file mode 100644 index 7b0688dfe..000000000 --- a/modules/common/hardware/x86_64-generic/kernel/host/test/test-configuration.nix +++ /dev/null 
@@ -1,31 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -{ - config, - lib, - ... -}: { - imports = [ - ../default.nix - # import guest also to bring the defaults (false) to scope - ../../guest/default.nix - ]; - - # baseline, virtualization and network hardening are - # generic to all x86_64 devices - config.ghaf.host.kernel.hardening.enable = true; - config.ghaf.host.kernel.hardening.virtualization.enable = true; - config.ghaf.host.kernel.hardening.networking.enable = true; - config.ghaf.host.kernel.hardening.inputdevices.enable = true; - # usb/debug hardening is host optional but required for -debug builds - config.ghaf.host.kernel.hardening.usb.enable = true; - config.ghaf.host.kernel.hardening.debug.enable = true; - - # required to module test a module via top level configuration - config.boot.loader.systemd-boot.enable = true; - config.fileSystems."/" = { - device = "/dev/disk/by-uuid/00000000-0000-0000-0000-000000000000"; - fsType = "ext4"; - }; - config.system.stateVersion = lib.trivial.release; -} diff --git a/modules/common/hardware/x86_64-linux.nix b/modules/common/hardware/x86_64-linux.nix deleted file mode 100644 index 28c356f60..000000000 --- a/modules/common/hardware/x86_64-linux.nix +++ /dev/null 
@@ -1,43 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -{ - config, - lib, - ... -}: let - cfg = config.ghaf.hardware.x86_64.common; -in - with lib; { - options.ghaf.hardware.x86_64.common = { - enable = mkEnableOption "Common x86 configs"; - }; - - config = mkIf cfg.enable { - nixpkgs.hostPlatform.system = "x86_64-linux"; - - # Increase the support for different devices by allowing the use - # of proprietary drivers from the respective vendors - nixpkgs.config.allowUnfree = true; - - # Add this for x86_64 hosts to be able to more generically support hardware. - # For example Intel NUC 11's graphics card needs this in order to be able to - # properly provide acceleration. - hardware.enableRedistributableFirmware = true; - hardware.enableAllFirmware = true; - - boot = { - # Enable normal Linux console on the display - kernelParams = ["console=tty0"]; - - # To enable installation of ghaf into NVMe drives - initrd.availableKernelModules = [ - "nvme" - "uas" - ]; - loader = { - efi.canTouchEfiVariables = true; - systemd-boot.enable = true; - }; - }; - }; - } diff --git a/modules/common/logging/client.nix b/modules/common/logging/client.nix new file mode 100644 index 000000000..184d2ebed --- /dev/null +++ b/modules/common/logging/client.nix 
@@ -0,0 +1,51 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ config, lib, ... }: +let + cfg = config.ghaf.logging.client; + endpointUrl = config.ghaf.logging.client.endpoint; +in +{ + options.ghaf.logging.client.endpoint = lib.mkOption { + description = '' + Assign endpoint url value to the alloy.service running in + different log producers. This endpoint URL will include + protocol, upstream, address along with port value. + ''; + type = lib.types.str; + }; + + config = lib.mkIf cfg.enable { + environment.etc."alloy/client.alloy" = { + text = '' + discovery.relabel "journal" { + targets = [] + rule { + source_labels = ["__journal__hostname"] + target_label = "nodename" + } + } + + loki.source.journal "journal" { + path = "/var/log/journal" + relabel_rules = discovery.relabel.journal.rules + forward_to = [loki.write.adminvm.receiver] + } + + loki.write "adminvm" { + endpoint { + url = "${endpointUrl}" + } + } + ''; + # The UNIX file mode bits + mode = "0644"; + }; + + services.alloy.enable = true; + # Once alloy.service in admin-vm stopped this service will + # still keep on retrying to send logs batch, so we need to + # stop it forcefully. + systemd.services.alloy.serviceConfig.TimeoutStopSec = 4; + }; +} diff --git a/modules/common/logging/default.nix b/modules/common/logging/default.nix new file mode 100644 index 000000000..4cab0fca7 --- /dev/null +++ b/modules/common/logging/default.nix 
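Review bot: `ghaf.logging.client.endpoint` is a bare `types.str` with no `example`, and it is spliced into the Alloy config as `url = "${endpointUrl}"` without escaping, so a value containing a `"` produces a broken Alloy file rather than an evaluation error; an `example` (constructed: `http://admin-vm:9999/loki/api/v1/push`, using the 9999 default from default.nix) plus a description sentence saying the value must be the full push URL would help. The `loki.write "adminvm"` endpoint carries no TLS or auth settings, so each VM's journal leaves it with whatever protection the URL scheme gives — presumably plain HTTP on the guest-to-guest network; a comment on that block stating the trust assumption makes the choice explicit. `cfg.enable` refers to an option declared in default.nix, not here; a short comment at `cfg = config.ghaf.logging.client;` pointing there saves the next reader a search.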
@@ -0,0 +1,40 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ lib, ... }: +let + inherit (lib) mkOption types; +in +{ + # Creating logging configuration options needed across the host and vms + options.ghaf.logging = { + client.enable = mkOption { + description = '' + Enable logging client service. Currently we have grafana alloy + running as client which will upload system journal logs to + grafana alloy running in admin-vm. + ''; + type = types.bool; + default = false; + }; + + listener.address = mkOption { + description = '' + Listener address will be used where log producers will + push logs and where admin-vm alloy.service will be + keep on listening or receiving logs. + ''; + type = types.str; + }; + + listener.port = mkOption { + description = '' + Listener port for the logproto endpoint which will be + used to receive logs from different log producers. + Also this port value will be used to open the port in + the admin-vm firewall. + ''; + type = types.port; + default = 9999; + }; + }; +} diff --git a/modules/common/logging/hw-mac-retrieve.nix b/modules/common/logging/hw-mac-retrieve.nix new file mode 100644 index 000000000..82cc8863c --- /dev/null +++ b/modules/common/logging/hw-mac-retrieve.nix 
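Review bot: The `listener.address` description reads `where admin-vm alloy.service will be keep on listening or receiving logs`; `where the admin-vm alloy.service keeps listening for logs` is what is meant. The `listener.port` description says the value `will be used to open the port in the admin-vm firewall`, but nothing in this module or in logs-aggregator.nix later in this diff opens a firewall port, so the sentence either describes code elsewhere or is aspirational; name where that happens, or drop the sentence, so the option doc stays accurate.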
@@ -0,0 +1,46 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + config, + lib, + pkgs, + ... +}: +let + # TODO: replace sshCommand and MacCommand with givc rpc to retrieve Mac Address + sshCommand = "${pkgs.sshpass}/bin/sshpass -p ghaf ${pkgs.openssh}/bin/ssh -o StrictHostKeyChecking=no ghaf@net-vm"; + macCommand = "${pkgs.hwinfo}/bin/hwinfo --network --only /class/net/wlp0s5f0 | ${pkgs.gawk}/bin/awk '/Permanent HW Address/ {print $4}'"; + macAddressPath = config.ghaf.logging.identifierFilePath; +in +{ + options.ghaf.logging.identifierFilePath = lib.mkOption { + description = '' + This configuration option used to specify the identifier file path. + The identifier file will be text file which have unique identification + value per machine so that when logs will be uploaded to cloud + we can identify its origin. + ''; + type = lib.types.path; + example = "/tmp/MACAddress"; + }; + + config = lib.mkIf config.ghaf.logging.client.enable { + # TODO: Remove hw-mac.service and replace with givc rpc later + systemd.services."hw-mac" = { + description = "Retrieve MAC address from net-vm"; + wantedBy = [ "alloy.service" ]; + requires = [ "network-online.target" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + # Make sure we can ssh before we retrieve mac address + ExecStartPre = "${sshCommand} ls"; + ExecStart = '' + ${pkgs.bash}/bin/bash -c "echo -n $(${sshCommand} ${macCommand}) > ${macAddressPath}" + ''; + Restart = "on-failure"; + RestartSec = "1"; + }; + }; + }; +} diff --git a/modules/common/logging/logs-aggregator.nix b/modules/common/logging/logs-aggregator.nix new file mode 100644 index 000000000..37874cb23 --- /dev/null +++ b/modules/common/logging/logs-aggregator.nix 
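Review bot: `sshCommand` passes the password on the command line (`sshpass -p ghaf`), which exposes it to every local process through /proc and to anyone with read access to the Nix store, and `-o StrictHostKeyChecking=no` means the MAC address — later used as the log identity label in logs-aggregator.nix — is accepted from whatever answers as `net-vm` without host verification; until the givc rpc replacement in the TODO lands, at least pin the host key with `-o UserKnownHostsFile=<path-to-provisioned-known-hosts>` (placeholder) and read the password with `sshpass -f`. The `bash -c "echo -n $(…) > …"` form word-splits the unquoted substitution and writes an empty file when ssh fails, after which `RemainAfterExit` marks the unit successful; moving the body into a `pkgs.writeShellScript` with `mac="$(${sshCommand} ${macCommand})" && [ -n "$mac" ] && printf '%s' "$mac" > ${macAddressPath}` fails the unit instead, so `Restart = "on-failure"` can actually retry. `requires = [ "network-online.target" ]` without a matching `after` does not order the unit behind the target, and the example `/tmp/MACAddress` puts a file another service trusts as an identity in a world-writable directory — a poor example value.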
@@ -0,0 +1,85 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ config, lib, ... }: +let + endpointUrl = config.ghaf.logging.server.endpoint; + listenerAddress = config.ghaf.logging.listener.address; + listenerPort = toString config.ghaf.logging.listener.port; + macAddressPath = config.ghaf.logging.identifierFilePath; +in +{ + options.ghaf.logging.server.endpoint = lib.mkOption { + description = '' + Assign endpoint url value to the alloy.service running in + admin-vm. This endpoint URL will include protocol, upstream + address along with port value. + ''; + type = lib.types.str; + }; + + config = lib.mkIf config.ghaf.logging.client.enable { + environment.etc."loki/pass" = { + text = "ghaf"; + }; + environment.etc."alloy/logs-aggregator.alloy" = { + text = '' + local.file "macAddress" { + // Alloy service can read file in this specific location + filename = "${macAddressPath}" + } + discovery.relabel "adminJournal" { + targets = [] + rule { + source_labels = ["__journal__hostname"] + target_label = "nodename" + } + } + + loki.source.journal "journal" { + path = "/var/log/journal" + relabel_rules = discovery.relabel.adminJournal.rules + forward_to = [loki.write.remote.receiver] + } + + loki.write "remote" { + endpoint { + url = "${endpointUrl}" + // TODO: To be replaced with stronger authentication method + basic_auth { + username = "ghaf" + password_file = "/etc/loki/pass" + } + } + // Write Ahead Log records incoming data and stores it on the local file + // system in order to guarantee persistence of acknowledged data. 
+ wal { + enabled = true + max_segment_age = "240h" + drain_timeout = "4s" + } + external_labels = {systemdJournalLogs = local.file.macAddress.content } + } + + loki.source.api "listener" { + http { + listen_address = "${listenerAddress}" + listen_port = ${listenerPort} + } + + forward_to = [ + loki.write.remote.receiver, + ] + } + ''; + # The UNIX file mode bits + mode = "0644"; + }; + + services.alloy.enable = true; + systemd.services.alloy.serviceConfig.after = [ "hw-mac.service" ]; + # If there is no internet connection , shutdown/reboot will take around 100sec + # So, to fix that problem we need to add stop timeout + # https://github.com/grafana/loki/issues/6533 + systemd.services.alloy.serviceConfig.TimeoutStopSec = 4; + }; +} diff --git a/targets/lenovo-x1/releaseModules.nix b/modules/common/networking/default.nix similarity index 63% rename from targets/lenovo-x1/releaseModules.nix rename to modules/common/networking/default.nix index c2ee28a71..d488e28fb 100644 --- a/targets/lenovo-x1/releaseModules.nix +++ b/modules/common/networking/default.nix @@ -1,8 +1,3 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -# -[ - { - ghaf.profiles.release.enable = true; - } -] +{ imports = [ ./hosts.nix ]; } diff --git a/modules/common/networking/hosts.nix b/modules/common/networking/hosts.nix new file mode 100644 index 000000000..5b62e6d9e --- /dev/null +++ b/modules/common/networking/hosts.nix 
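Review bot: `systemd.services.alloy.serviceConfig.after = [ "hw-mac.service" ]` emits an `after=` key into the `[Service]` section, where systemd does not recognise it, so the intended ordering is not enforced and alloy can start before the MAC file exists (`local.file "macAddress"` then reads a missing path); the NixOS option is `systemd.services.alloy.after = [ "hw-mac.service" ];`, plus `wants` or `requires` if the dependency should also be pulled in. `environment.etc."loki/pass" = { text = "ghaf"; }` makes the basic-auth password world-readable under /etc with the default mode and, being a `text` attribute, also part of the world-readable Nix store; the TODO on `basic_auth` flags the method, but even as a stopgap the file should carry `mode = "0400"` and be provisioned at runtime rather than built into the closure. `wal { max_segment_age = "240h" }` keeps up to ten days of journal data on local disk while the upstream is unreachable; that retention choice deserves a comment next to the block.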
@@ -0,0 +1,133 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ config, lib, ... }: +let + cfg = config.ghaf.networking.hosts; + inherit (lib) + mkIf + types + mkOption + optionals + ; + + hostsEntrySubmodule = types.submodule { + options = { + name = mkOption { + type = types.str; + description = '' + Host name as string. + ''; + }; + ip = mkOption { + type = types.str; + description = '' + Host IPv4 address as string. + ''; + }; + }; + }; + + # please note that .100. network is not + # reachable from ghaf-host. It's only reachable + # guest-to-guest. + # Use to .101. (debug) to access guests from host. + # debug network hosts are post-fixed: -debug + ipBase = "192.168.100"; + debugBase = "192.168.101"; + hostsEntries = [ + { + ip = 1; + name = "net-vm"; + } + { + ip = 2; + name = "ghaf-host"; + } + { + ip = 3; + name = "gui-vm"; + } + { + ip = 4; + name = "ids-vm"; + } + { + ip = 5; + name = "audio-vm"; + } + { + ip = 10; + name = "admin-vm"; + } + { + ip = 100; + name = "chromium-vm"; + } + { + ip = 101; + name = "gala-vm"; + } + { + ip = 102; + name = "zathura-vm"; + } + { + ip = 103; + name = "comms-vm"; + } + { + ip = 104; + name = "appflowy-vm"; + } + { + ip = 105; + name = "business-vm"; + } + ]; + + mkHostEntryTxt = + { ip, name }: + "${ipBase}.${toString ip}\t${name}\n" + + lib.optionalString config.ghaf.profiles.debug.enable "${debugBase}.${toString ip}\t${name}-debug\n"; + entriesTxt = map mkHostEntryTxt hostsEntries; + + mkHostEntry = + { ip, name }: + { + name = "${name}"; + ip = "${ipBase}.${toString ip}"; + }; + mkHostEntryDebug = + { ip, name }: + { + name = "${name}-debug"; + ip = "${debugBase}.${toString ip}"; + }; + entries = + (map mkHostEntry hostsEntries) + ++ optionals config.ghaf.profiles.debug.enable (map mkHostEntryDebug hostsEntries); +in +{ + options.ghaf.networking.hosts = { + enable = mkOption { + type = types.bool; + default = true; + }; + entries = mkOption { + type = 
types.listOf hostsEntrySubmodule; + default = null; + }; + }; + + config = mkIf cfg.enable { + ghaf.networking.hosts = { + inherit entries; + }; + + # Generate hosts file + environment.etc.hosts = lib.mkForce { + text = lib.foldl' (acc: x: acc + x) "127.0.0.1 localhost\n" entriesTxt; + mode = "0444"; + }; + }; +} diff --git a/modules/common/profiles/debug.nix b/modules/common/profiles/debug.nix index f17fd9830..5c8d50358 100644 --- a/modules/common/profiles/debug.nix +++ b/modules/common/profiles/debug.nix @@ -1,30 +1,28 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 # -{ - config, - lib, - ... -}: let +{ config, lib, ... }: +let cfg = config.ghaf.profiles.debug; in - with lib; { - options.ghaf.profiles.debug = { - enable = mkEnableOption "debug profile"; - }; +{ + options.ghaf.profiles.debug = { + enable = lib.mkEnableOption "debug profile"; + }; - config = mkIf cfg.enable { - # Enable default accounts and passwords - ghaf = { - users.accounts.enable = true; - # Enable development on target - development = { - nix-setup.enable = true; - # Enable some basic monitoring and debug tools - debug.tools.enable = true; - # Let us in. - ssh.daemon.enable = true; - }; + config = lib.mkIf cfg.enable { + # Enable default accounts and passwords + ghaf = { + users.accounts.enable = true; + # Enable development on target + development = { + nix-setup.enable = true; + # Enable some basic monitoring and debug tools + debug.tools.enable = true; + # Let us in. + ssh.daemon.enable = true; + usb-serial.enable = true; }; }; - } + }; +} diff --git a/modules/common/profiles/default.nix b/modules/common/profiles/default.nix index dd8f95441..9dfc34788 100644 --- a/modules/common/profiles/default.nix +++ b/modules/common/profiles/default.nix @@ -4,5 +4,6 @@ imports = [ ./debug.nix ./release.nix + ./host-hardening.nix ]; } 
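Review bot: In the `entries` option declaration, `default = null` does not satisfy `types.listOf hostsEntrySubmodule`; the module system type-checks defaults, so any reader of `config.ghaf.networking.hosts.entries` fails evaluation whenever `ghaf.networking.hosts.enable` is false. Use `default = [ ];`, and give `enable` a `description` like the other options in this commit. Note also that `environment.etc.hosts = lib.mkForce { … }` discards what NixOS generates from `networking.hosts`/`networking.extraHosts` (including the `::1 localhost` line), so entries declared elsewhere are silently lost; a comment stating that this module is the sole source of /etc/hosts would avoid surprises.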
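Review bot: The new `usb-serial.enable = true;` widens the debug profile to a USB serial console but sits under the `# Let us in.` comment written for the ssh daemon, so the reason for this extra access path is not recorded. A comment of its own, `# Serial console access for development; debug profile only`, keeps the list of surfaces the profile opens readable.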
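Review bot: The import list gains `./host-hardening.nix` but not `./kernel-hardening.nix`, which this commit also adds to the same directory, so unless it is imported elsewhere the `ghaf.profiles.kernel-hardening` option never exists; add `./kernel-hardening.nix` to the list.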
diff --git a/modules/common/profiles/host-hardening.nix b/modules/common/profiles/host-hardening.nix new file mode 100644 index 000000000..b02308b2f --- /dev/null +++ b/modules/common/profiles/host-hardening.nix @@ -0,0 +1,25 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ config, lib, ... }: +let + cfg = config.ghaf.profiles.host-hardening; + has_host = builtins.hasAttr "host" config.ghaf; + has_secureBoot = builtins.hasAttr "secureboot" config.ghaf.host; +in +{ + options.ghaf.profiles.host-hardening = { + enable = lib.mkEnableOption "Host hardening profile"; + }; + + config = lib.mkIf cfg.enable { + ghaf = + { } + // lib.optionalAttrs (has_host && has_secureBoot) { + host = { + # Enable secure boot in the host configuration + secureboot.enable = true; + }; + }; + }; +} diff --git a/modules/common/profiles/kernel-hardening.nix b/modules/common/profiles/kernel-hardening.nix new file mode 100644 index 000000000..f4c4bac06 --- /dev/null +++ b/modules/common/profiles/kernel-hardening.nix @@ -0,0 +1,37 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ config, lib, ... }: +let + cfg = config.ghaf.profiles.hardening; +in +{ + options.ghaf.profiles.kernel-hardening = { + enable = lib.mkEnableOption "hardened profile"; + }; + + config = lib.mkIf cfg.enable { + ghaf = { + host = { + # Kernel hardening + kernel.hardening = { + enable = true; + usb.enable = true; + debug.enable = true; + virtualization.enable = true; + networking.enable = true; + inputdevices.enable = true; + hypervisor.enable = true; + }; + }; + + guest = { + # Kernel hardening + kernel.hardening = { + enable = true; + graphics.enable = true; + }; + }; + }; + }; +} diff --git a/modules/common/profiles/release.nix b/modules/common/profiles/release.nix index 190720bd4..f443cb7da 100644 --- a/modules/common/profiles/release.nix +++ b/modules/common/profiles/release.nix 
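Review bot: When `config.ghaf.host.secureboot` is not declared, enabling `ghaf.profiles.host-hardening` evaluates to an empty `ghaf = { }` and the profile silently hardens nothing, which is easy to miss on a target lacking that option; surface it with `warnings = lib.optional (!(has_host && has_secureBoot)) "ghaf.profiles.host-hardening: no secureboot option on this host, nothing applied";` next to the `ghaf` attribute. The `{ } //` prefix before `lib.optionalAttrs` is redundant and can be dropped.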
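Review bot: `cfg = config.ghaf.profiles.hardening;` in the let block does not match the option declared as `options.ghaf.profiles.kernel-hardening`, so `cfg.enable` refers to an undeclared attribute and evaluation fails as soon as this module is imported; it should read `cfg = config.ghaf.profiles.kernel-hardening;`. The `mkEnableOption "hardened profile"` text is also generic; `"kernel hardening profile"` would match the option name and the sibling host-hardening description.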
@@ -1,25 +1,22 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 # -{ - config, - lib, - ... -}: let +{ config, lib, ... }: +let cfg = config.ghaf.profiles.release; + inherit (lib) mkEnableOption mkIf; in - with lib; { - options.ghaf.profiles.release = { - enable = mkEnableOption "release profile"; - }; - - options.ghaf.time.timeZone = "Europe/Helsinki"; +{ + options.ghaf.profiles.release = { + enable = mkEnableOption "release profile"; + }; - config = mkIf cfg.enable { - # Enable default accounts and passwords - # TODO this needs to be refined when we define a policy for the - # processes and the UID/groups that should be enabled by default - # if not already covered by systemd - ghaf.users.accounts.enable = true; - }; - } + options.ghaf.time.timeZone = "Europe/Helsinki"; + config = mkIf cfg.enable { + # Enable default accounts and passwords + # TODO this needs to be refined when we define a policy for the + # processes and the UID/groups that should be enabled by default + # if not already covered by systemd + ghaf.users.accounts.enable = true; + }; +} diff --git a/modules/common/security/default.nix b/modules/common/security/default.nix new file mode 100644 index 000000000..e3c4b07a0 --- /dev/null +++ b/modules/common/security/default.nix @@ -0,0 +1,3 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ imports = [ ./sshkeys.nix ]; } diff --git a/targets/lenovo-x1/sshkeys.nix b/modules/common/security/sshkeys.nix similarity index 93% rename from targets/lenovo-x1/sshkeys.nix rename to modules/common/security/sshkeys.nix index 55a36eb94..12abe80e0 100644 --- a/targets/lenovo-x1/sshkeys.nix +++ b/modules/common/security/sshkeys.nix 
@@ -1,7 +1,11 @@ # Copyright 2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{lib, ...}: { - options.ghaf.security.sshKeys = with lib; { +{ lib, ... }: +let + inherit (lib) mkOption types; +in +{ + options.ghaf.security.sshKeys = { getAuthKeysFileName = mkOption { type = types.str; default = "get-auth-keys"; diff --git a/modules/common/services/audio.nix b/modules/common/services/audio.nix new file mode 100644 index 000000000..fa7a88401 --- /dev/null +++ b/modules/common/services/audio.nix 
@@ -0,0 +1,104 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + config, + pkgs, + lib, + ... +}: +let + cfg = config.ghaf.services.audio; + inherit (lib) + mkIf + mkEnableOption + mkOption + types + ; +in +{ + options.ghaf.services.audio = { + enable = mkEnableOption "Enable audio service for audio VM"; + pulseaudioTcpPort = mkOption { + type = types.int; + default = 4713; + description = "TCP port used by Pipewire-pulseaudio service"; + }; + }; + + config = mkIf cfg.enable { + # Enable pipewire service for audioVM with pulseaudio support + security.rtkit.enable = true; + hardware.firmware = [ pkgs.sof-firmware ]; + services.pipewire = { + enable = true; + pulse.enable = true; + systemWide = true; + extraConfig = { + pipewire."10-remote-simple" = { + "context.modules" = [ + { + name = "libpipewire-module-protocol-pulse"; + args = { + # Enable TCP socket for VMs pulseaudio clients + "server.address" = [ + { + address = "tcp:4713"; + "client.access" = "unrestricted"; + } + ]; + "pulse.min.req" = "128/48000"; # 2.7ms + "pulse.default.req" = "960/48000"; # 20 milliseconds + "pulse.min.frag" = "128/48000"; # 2.7ms + "pulse.default.frag" = "512/48000"; # ~10 ms + "pulse.default.tlength" = "512/48000"; # ~10 ms + "pulse.min.quantum" = "128/48000"; # 2.7ms + }; + } + ]; + }; + }; + }; + + hardware.pulseaudio.extraConfig = '' + # Set sink and source default max volume to about 75% (0-65536) + set-sink-volume @DEFAULT_SINK@ 48000 + set-source-volume @DEFAULT_SOURCE@ 48000 + ''; + + # Allow ghaf user to access pulseaudio and pipewire + users.extraUsers.ghaf.extraGroups = [ + "audio" + "video" + "pulse-access" + "pipewire" + ]; + + # Dummy service to get pipewire and pulseaudio services started at boot + # Normally Pipewire and pulseaudio are started when they are needed by user, + # We don't have users in audiovm so we need to give PW/PA a slight kick.. 
+ # This calls pulseaudios pa-info binary to get information about pulseaudio current + # state which starts pipewire-pulseaudio service in the process. + systemd.services.pulseaudio-starter = { + after = [ + "pipewire.service" + "network-online.target" + ]; + requires = [ + "pipewire.service" + "network-online.target" + ]; + wantedBy = [ "default.target" ]; + path = [ pkgs.coreutils ]; + enable = true; + serviceConfig = { + User = "ghaf"; + Group = "ghaf"; + }; + script = ''${pkgs.pulseaudio}/bin/pa-info > /dev/null 2>&1''; + }; + + # Open TCP port for the PDF XDG socket + networking.firewall.allowedTCPPorts = [ cfg.pulseaudioTcpPort ]; + }; +} diff --git a/modules/common/services/default.nix b/modules/common/services/default.nix new file mode 100644 index 000000000..73795c0ac --- /dev/null +++ b/modules/common/services/default.nix @@ -0,0 +1,14 @@ +# Copyright 2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + imports = [ + ./fprint.nix + ./audio.nix + ./wifi.nix + ./firmware.nix + ./desktop.nix + ./pdfopen.nix + ./namespaces.nix + ./yubikey.nix + ]; +} diff --git a/modules/common/services/desktop.nix b/modules/common/services/desktop.nix new file mode 100644 index 000000000..30f953659 --- /dev/null +++ b/modules/common/services/desktop.nix 
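Review bot: The pulse protocol listener is configured with a hard-coded `address = "tcp:4713"` while the firewall opens `cfg.pulseaudioTcpPort`, so changing the option leaves the server on 4713 behind a firewall hole on a different port; use `address = "tcp:${toString cfg.pulseaudioTcpPort}";`. That listener also binds every interface with `"client.access" = "unrestricted"`, which gives any peer that can reach the port full control of the audio server; a comment stating the trust assumption (reachable only from the internal VM network, I presume) or an explicit bind address would document the intent. The trailing `# Open TCP port for the PDF XDG socket` comment is copied from pdfopen.nix and should say `# Open TCP port for pulseaudio clients in other VMs`.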
@@ -0,0 +1,149 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + config, + lib, + pkgs, + ... +}: +let + inherit (builtins) hasAttr replaceStrings; + inherit (lib) + mkIf + mkEnableOption + optionals + optionalAttrs + optionalString + ; + + cfg = config.ghaf.services.desktop; + + winConfig = + if (hasAttr "reference" config.ghaf) then + if (hasAttr "programs" config.ghaf.reference) then + config.ghaf.reference.programs.windows-launcher + else + { } + else + { }; +in +# TODO: The desktop configuration needs to be re-worked. +# TODO it needs to be moved out of common and the launchers have to be set bu the reference programs NOT here +{ + options.ghaf.services.desktop = { + enable = mkEnableOption "Enable the desktop configuration"; + }; + + config = mkIf (cfg.enable && config.ghaf.givc.enable) { + ghaf = optionalAttrs (hasAttr "graphics" config.ghaf) { + profiles.graphics.compositor = "labwc"; + graphics = { + launchers = + let + cliArgs = replaceStrings [ "\n" ] [ " " ] '' + --name ${config.ghaf.givc.adminConfig.name} + --addr ${config.ghaf.givc.adminConfig.addr} + --port ${config.ghaf.givc.adminConfig.port} + ${optionalString config.ghaf.givc.enableTls "--cacert /run/givc/ca-cert.pem"} + ${optionalString config.ghaf.givc.enableTls "--cert /run/givc/gui-vm-cert.pem"} + ${optionalString config.ghaf.givc.enableTls "--key /run/givc/gui-vm-key.pem"} + ${optionalString (!config.ghaf.givc.enableTls) "--notls"} + ''; + in + [ + { + # The SPKI fingerprint is calculated like this: + # $ openssl x509 -noout -in mitmproxy-ca-cert.pem -pubkey | openssl asn1parse -noout -inform pem -out public.key + # $ openssl dgst -sha256 -binary public.key | openssl enc -base64 + name = "Chromium"; + path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start chromium"; + icon = "${pkgs.icon-pack}/chromium.svg"; + } + + { + name = "Trusted Browser"; + path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm business-vm chromium"; + icon 
= "${pkgs.icon-pack}/thorium-browser.svg"; + } + # TODO must enable the waypipe to support more than one app in a VM + { + name = "VPN"; + path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm business-vm gpclient"; + icon = "${pkgs.icon-pack}/yast-vpn.svg"; + } + + { + name = "Microsoft Outlook"; + path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm business-vm outlook"; + icon = "${pkgs.icon-pack}/ms-outlook.svg"; + } + { + name = "Microsoft 365"; + path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm business-vm office"; + icon = "${pkgs.icon-pack}/microsoft-365.svg"; + } + { + name = "Teams"; + path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm business-vm teams"; + icon = "${pkgs.icon-pack}/teams-for-linux.svg"; + } + + { + name = "GALA"; + path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start gala"; + icon = "${pkgs.icon-pack}/distributor-logo-android.svg"; + } + + { + name = "PDF Viewer"; + path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start zathura"; + icon = "${pkgs.icon-pack}/document-viewer.svg"; + } + + { + name = "Element"; + path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm comms-vm element"; + icon = "${pkgs.icon-pack}/element-desktop.svg"; + } + + { + name = "Slack"; + path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm comms-vm slack"; + icon = "${pkgs.icon-pack}/slack.svg"; + } + + { + name = "AppFlowy"; + path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start appflowy"; + icon = "${pkgs.appflowy}/opt/data/flutter_assets/assets/images/flowy_logo.svg"; + } + + { + name = "Network Settings"; + path = "${pkgs.nm-launcher}/bin/nm-launcher"; + icon = "${pkgs.icon-pack}/preferences-system-network.svg"; + } + + { + name = "Shutdown"; + path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} poweroff"; + icon = "${pkgs.icon-pack}/system-shutdown.svg"; + } + + { + name = "Reboot"; + path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} reboot"; + icon = "${pkgs.icon-pack}/system-reboot.svg"; + } + ] + ++ optionals 
config.ghaf.reference.programs.windows-launcher.enable [ + { + name = "Windows"; + path = "${pkgs.virt-viewer}/bin/remote-viewer -f spice://${winConfig.spice-host}:${toString winConfig.spice-port}"; + icon = "${pkgs.icon-pack}/distributor-logo-windows.svg"; + } + ]; + }; + }; + }; +} diff --git a/modules/common/services/firmware.nix b/modules/common/services/firmware.nix new file mode 100644 index 000000000..1bfa9d8f5 --- /dev/null +++ b/modules/common/services/firmware.nix @@ -0,0 +1,18 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ config, lib, ... }: +let + cfg = config.ghaf.services.firmware; + inherit (lib) mkIf mkEnableOption; +in +{ + options.ghaf.services.firmware = { + enable = mkEnableOption "PLaceholder for firmware handling"; + }; + config = mkIf cfg.enable { + hardware = { + enableRedistributableFirmware = true; + enableAllFirmware = true; + }; + }; +} diff --git a/modules/common/services/fprint.nix b/modules/common/services/fprint.nix new file mode 100644 index 000000000..8c136b548 --- /dev/null +++ b/modules/common/services/fprint.nix 
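Review bot: The trailing `++ optionals config.ghaf.reference.programs.windows-launcher.enable [ … ]` dereferences `config.ghaf.reference.programs` directly, which defeats the `hasAttr` guards used to compute `winConfig` above and fails evaluation on a configuration without the reference programs; `++ optionals (winConfig.enable or false) [` keeps the guard consistent. The `# The SPKI fingerprint is calculated like this:` comment on the Chromium launcher describes a fingerprint that nothing in this block uses; it should move to wherever the fingerprint is consumed, or be dropped.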
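Review bot: `hardware.enableAllFirmware = true;` also pulls in unfree and non-redistributable firmware beyond what `enableRedistributableFirmware` already covers, widening the supply-chain footprint of every host that enables this module without saying why; a comment naming the devices that need it, or dropping the line if redistributable firmware suffices, would make the intent explicit. The option description also has a typo: `"Placeholder for firmware handling"`.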
@@ -0,0 +1,68 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + config, + lib, + pkgs, + ... +}: +let + inherit (lib) mkEnableOption mkIf; + cfg = config.ghaf.services.fprint; +in +{ + options.ghaf.services.fprint = { + enable = mkEnableOption "Enable fingerprint reader support"; + }; + + config = mkIf cfg.enable { + # Enable service and package for fingerprint reader + services.fprintd.enable = true; + environment.systemPackages = [ pkgs.fprintd ]; + + # Enable polkit and add rules + ghaf.systemd.withPolkit = true; + security = { + polkit = { + enable = true; + debug = true; + # Polkit rules for fingerprint reader + extraConfig = '' + // Allow user to verify fingerprints + polkit.addRule(function(action, subject) { + if (action.id == "net.reactivated.fprint.device.verify" && + subject.user == "ghaf") { + return polkit.Result.YES; + } + }); + // Allow user to enroll fingerprints + polkit.addRule(function(action, subject) { + if (action.id == "net.reactivated.fprint.device.enroll" && + subject.user == "ghaf") { + return polkit.Result.YES; + } + }); + ''; + }; + # PAM rules for swaylock fingerprint reader + pam.services = { + swaylock.text = '' + # Account management. + account required pam_unix.so + + # Authentication management. + auth sufficient pam_unix.so likeauth try_first_pass + auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so + auth required pam_deny.so + + # Password management. + password sufficient pam_unix.so nullok sha512 + + # Session management. + session required pam_env.so conffile=/etc/pam/environment readenv=0 + session required pam_unix.so + ''; + }; + }; + }; +} diff --git a/modules/common/services/namespaces.nix b/modules/common/services/namespaces.nix new file mode 100644 index 000000000..c654fdf9f --- /dev/null +++ b/modules/common/services/namespaces.nix 
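Review bot: `security.polkit.debug = true;` is set unconditionally, so every authorization decision on a release image is logged verbosely; tie it to the debug profile, `debug = config.ghaf.profiles.debug.enable;`, as other modules in this commit do for debug-only behaviour. The swaylock PAM stack makes `pam_fprintd.so` `sufficient` on its own, so a fingerprint alone unlocks the session; that is a deliberate single-factor choice and deserves a comment saying so, e.g. `# Fingerprint OR password unlocks; there is no second factor`.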
@@ -0,0 +1,21 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ config, lib, ... }: +let + inherit (builtins) attrNames hasAttr; + inherit (lib) mkOption types optionalAttrs; +in +{ + options.ghaf.namespaces = { + vms = mkOption { + type = types.listOf types.str; + default = [ ]; + description = "List of VMs currently enabled."; + }; + }; + config = { + ghaf = optionalAttrs (hasAttr "microvm" config) { + namespaces = optionalAttrs (hasAttr "vms" config.microvm) { vms = attrNames config.microvm.vms; }; + }; + }; +} diff --git a/modules/common/services/pdfopen.nix b/modules/common/services/pdfopen.nix new file mode 100644 index 000000000..6012db915 --- /dev/null +++ b/modules/common/services/pdfopen.nix 
@@ -0,0 +1,65 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + config, + lib, + pkgs, + ... +}: +let + inherit (builtins) toString; + inherit (lib) + mkEnableOption + mkOption + mkIf + types + ; + cfg = config.ghaf.services.pdfopener; + + # TODO: Fix the path to get the sshKeyPath so that + # openPdf can be exported as a normal package from + # packaged/flake-module.nix and hence easily imported + # into all targets + openPdf = pkgs.callPackage ../../../packages/openPdf { + inherit (config.ghaf.security.sshKeys) sshKeyPath; + }; +in +{ + options.ghaf.services.pdfopener = { + enable = mkEnableOption "Enable the pdf opening service"; + xdgPdfPort = mkOption { + type = types.int; + default = 1200; + description = "TCP port for the PDF XDG socket"; + }; + }; + + config = mkIf cfg.enable { + # PDF XDG handler service receives a PDF file path from the chromium-vm and executes the openpdf script + systemd.user = { + sockets."pdf" = { + unitConfig = { + Description = "PDF socket"; + }; + socketConfig = { + ListenStream = "${toString cfg.xdgPdfPort}"; + Accept = "yes"; + }; + wantedBy = [ "sockets.target" ]; + }; + + services."pdf@" = { + description = "PDF opener"; + serviceConfig = { + ExecStart = "${openPdf}/bin/openPdf"; + StandardInput = "socket"; + StandardOutput = "journal"; + StandardError = "journal"; + }; + }; + }; + + # Open TCP port for the PDF XDG socket. + networking.firewall.allowedTCPPorts = [ cfg.xdgPdfPort ]; + }; +} diff --git a/modules/common/services/wifi.nix b/modules/common/services/wifi.nix new file mode 100644 index 000000000..5685b929b --- /dev/null +++ b/modules/common/services/wifi.nix 
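Review bot: `ListenStream = "${toString cfg.xdgPdfPort}"` with a bare port binds the socket on all addresses, and the matching `networking.firewall.allowedTCPPorts` entry exposes it, so any host that can reach this VM can hand a path to `openPdf`; the comment says the peer is chromium-vm, so restrict the socket accordingly, e.g. `ListenStream = "<vm-internal address>:${toString cfg.xdgPdfPort}";` (address is a placeholder) or an `IPAddressAllow`/`IPAddressDeny` pair in `socketConfig`. `Accept = "yes"` spawns one `pdf@` instance per connection without a `MaxConnections` bound, which is worth either a limit or a comment on the expected rate.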
@@ -0,0 +1,54 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + config, + lib, + pkgs, + ... +}: +let + cfg = config.ghaf.services.wifi; + inherit (lib) mkIf mkForce mkEnableOption; +in +{ + options.ghaf.services.wifi = { + enable = mkEnableOption "Wifi configuration for the net-vm"; + }; + config = mkIf cfg.enable { + networking = { + # wireless is disabled because we use NetworkManager for wireless + wireless.enable = mkForce false; + networkmanager = { + enable = true; + unmanaged = [ "ethint0" ]; + }; + }; + + environment = { + # noXlibs=false; needed for NetworkManager stuff + noXlibs = false; + + etc."NetworkManager/system-connections/Wifi-1.nmconnection" = { + text = '' + [connection] + id=Wifi-1 + uuid=33679db6-4cde-11ee-be56-0242ac120002 + type=wifi + [wifi] + mode=infrastructure + ssid=SSID_OF_NETWORK + [wifi-security] + key-mgmt=wpa-psk + psk=WPA_PASSWORD + [ipv4] + method=auto + [ipv6] + method=disabled + [proxy] + ''; + mode = "0600"; + }; + systemPackages = mkIf config.ghaf.profiles.debug.enable [ pkgs.tcpdump ]; + }; + }; +} diff --git a/modules/common/services/yubikey.nix b/modules/common/services/yubikey.nix new file mode 100644 index 000000000..1a240ab85 --- /dev/null +++ b/modules/common/services/yubikey.nix 
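Review bot: The `Wifi-1.nmconnection` file is written through `environment.etc.<name>.text`, so its contents end up in the world-readable Nix store regardless of `mode = "0600"`; the `SSID_OF_NETWORK`/`WPA_PASSWORD` placeholders are harmless, but if they are ever substituted with real values the PSK is readable by every user and baked into the image. A comment should say so and point to the intended path, e.g. `# Placeholder only: real credentials must be provided via environment.etc.<name>.source from outside the store`. The fixed `uuid=` is fine for a single profile but will collide if a second profile copies this block; worth a short note.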
@@ -0,0 +1,60 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + config, + lib, + pkgs, + ... +}: +let + inherit (lib) + mkEnableOption + mkIf + mkOption + types + concatStrings + ; + cfg = config.ghaf.services.yubikey; + u2f_file = pkgs.writeText "u2f_mapping" config.ghaf.services.yubikey.u2fKeys; +in +{ + options.ghaf.services.yubikey = { + enable = mkEnableOption "Enable yubikey support which provide 2FA"; + + u2fKeys = mkOption { + type = types.str; + default = [ ]; + example = concatStrings [ + ## Key should in following format :,,,:,,,:... + "ghaf:SZ2CwN7EAE4Ujfxhm+CediUaT9ngoaMOqsKRDrOC+wUkTriKlc1cVtsxkOSav2r9ztaNKn/OwoHiN3BmsBYdZA==,oIdGgoGmkVrVis1kdzpvX3kXrOmBe2noFrpHqh4VKlq/WxrFk+Du670BL7DzLas+GxIPNjgdDCHo9daVzthIwQ==,es256,+presence" + ":9CEdjOg0YGpvNeisK5OW1hjjg0nRvJDBpr7X8Q4QPtxJP4iC5C6dShTxEpxmLAkqAi8x/jKCDwpt146AYAXfFg==,q8ddSEI2tIyRwB2MhRlrGZRv6ZDkEC2RYn/n33fdmK1KjBkcMy6ELUMQQDVGtsvsiQFbRS3v4qxjsgXF5BVD0A==,es256,+presence+pin" + ]; + description = "It will contain U2F Keys / public keys reterived from Yubikey hardware"; + }; + }; + + config = mkIf cfg.enable { + # Enable service and package for Yubikey + services.pcscd.enable = true; + environment.systemPackages = [ pkgs.pam_u2f ]; + + security.pam.services = { + sudo.u2fAuth = true; + gtklock.u2fAuth = true; + }; + + security.pam.u2f = { + settings = { + authfile = "${u2f_file}"; + cue = true; + }; + control = "sufficient"; + }; + + # Below rules are needed for screen locker (gtklock) to work + services.udev.extraRules = '' + KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", TAG+="uaccess", GROUP="kvm", MODE="0666" + ACTION=="remove", ENV{ID_BUS}=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0407", RUN+="${pkgs.systemd}/bin/loginctl lock-sessions" + ''; + }; +} diff --git a/modules/common/systemd/base.nix b/modules/common/systemd/base.nix index 22ad7dbe4..219134909 100644 
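Review bot: The `u2fKeys` option declares `type = types.str` with `default = [ ]`, a list; the module system type-checks defaults, so enabling the service without setting `u2fKeys` fails evaluation instead of producing an empty mapping — use `default = "";`. In the udev rules, `MODE="0666"` makes the YubiKey hidraw node readable and writable by every local user even though `TAG+="uaccess"` already grants the active seat access; drop `MODE="0666"` (and `GROUP="kvm"`) unless a specific consumer needs them, and say which in the comment. The description also has a typo, `retrieved`.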
--- a/modules/common/systemd/base.nix +++ b/modules/common/systemd/base.nix @@ -5,13 +5,23 @@ lib, pkgs, ... -}: let +}: +let # Ghaf systemd config cfg = config.ghaf.systemd; + inherit (lib) + mkEnableOption + mkOption + mkIf + mkForce + types + ; + # Override minimal systemd package configuration package = - (pkgs.systemdMinimal.override { + (pkgs.systemdMinimal.override ( + { pname = cfg.withName; withAcl = true; withAnalyze = cfg.withDebug; @@ -31,7 +41,7 @@ withLibseccomp = true; inherit (cfg) withLocaled; inherit (cfg) withLogind; - withMachined = cfg.withMachines; + withMachined = cfg.withMachines || cfg.withNss; # Required for NSS in nixos inherit (cfg) withNetworkd; inherit (cfg) withNss; withOomd = true; @@ -44,17 +54,15 @@ inherit (cfg) withTimesyncd; inherit (cfg) withTpm2Tss; withUtmp = cfg.withJournal || cfg.withAudit; - } # To be removed, current systemd version 254.6 < 255 - // lib.optionalAttrs (lib.hasAttr "withVmspawn" (lib.functionArgs pkgs.systemd.override)) { + } + // lib.optionalAttrs (lib.strings.versionAtLeast pkgs.systemdMinimal.version "255.0") { withVmspawn = cfg.withMachines; - }) - .overrideAttrs (prevAttrs: { - patches = - prevAttrs.patches - ++ [ - ./systemd-boot-double-dtb-buffer-size.patch - ]; - }); + withQrencode = true; # Required for systemd-bsod (currently hardcoded in nixos) + } + )).overrideAttrs + (prevAttrs: { + patches = prevAttrs.patches ++ [ ./systemd-boot-double-dtb-buffer-size.patch ]; + }); # Definition of suppressed system units in systemd configuration. This removes the units and has priority. # Required to avoid build failures compared to only disabling units for some options. Note that errors will be silently ignored. 
@@ -109,9 +117,7 @@ "auditd.service" "systemd-journald-audit.socket" ]) - ++ (lib.optionals ((!cfg.withDebug) && (!cfg.withMachines)) [ - "systemd-coredump.socket" - ]) + ++ (lib.optionals ((!cfg.withDebug) && (!cfg.withMachines)) [ "systemd-coredump.socket" ]) ++ (lib.optionals (!cfg.withLogind) [ "systemd-logind.service" "dbus-org.freedesktop.login1.service" @@ -125,12 +131,8 @@ "nss-lookup.target.requires" "nss-user-lookup.target.requires" ]) - ++ (lib.optionals (!cfg.withTimesyncd) [ - "systemd-timesyncd.service" - ]) - ++ (lib.optionals (!cfg.withResolved) [ - "systemd-resolved.service" - ]) + ++ (lib.optionals (!cfg.withTimesyncd) [ "systemd-timesyncd.service" ]) + ++ (lib.optionals (!cfg.withResolved) [ "systemd-resolved.service" ]) ++ (lib.optionals (!cfg.withNetworkd) [ "network.target" "network-pre.target" 
@@ -170,140 +172,144 @@ "prepare-kexec.target" ]); in - with lib; { - options.ghaf.systemd = { - enable = mkEnableOption "Enable minimal systemd configuration."; +{ + options.ghaf.systemd = { + enable = mkEnableOption "Enable minimal systemd configuration."; - withName = mkOption { - description = "Set systemd name."; - type = types.str; - default = "base-systemd"; - }; + withName = mkOption { + description = "Set systemd name."; + type = types.str; + default = "base-systemd"; + }; - withLogind = mkOption { - description = "Enable systemd login daemon."; - type = types.bool; - default = true; - }; + withLogind = mkOption { + description = "Enable systemd login daemon."; + type = types.bool; + default = true; + }; - withJournal = mkOption { - description = "Enable systemd journal daemon."; - type = types.bool; - default = true; - }; + withJournal = mkOption { + description = "Enable systemd journal daemon."; + type = types.bool; + default = true; + }; - withNetworkd = mkOption { - description = "Enable systemd networking daemon."; - type = types.bool; - default = true; - }; + withNetworkd = mkOption { + description = "Enable systemd networking daemon."; + type = types.bool; + default = true; + }; - withTimesyncd = mkOption { - description = "Enable systemd timesync daemon."; - type = types.bool; - default = false; - }; + withTimesyncd = mkOption { + description = "Enable systemd timesync daemon."; + type = types.bool; + default = false; + }; - withResolved = mkOption { - description = "Enable systemd resolve daemon."; - type = types.bool; - default = false; - }; + withResolved = mkOption { + description = "Enable systemd resolve daemon."; + type = types.bool; + default = false; + }; - withRepart = mkOption { - description = "Enable systemd repart functionality."; - type = types.bool; - default = false; - }; + withRepart = mkOption { + description = "Enable systemd repart functionality."; + type = types.bool; + default = false; + }; - withHostnamed = mkOption { - 
description = "Enable systemd hostname daemon."; - type = types.bool; - default = false; - }; + withHostnamed = mkOption { + description = "Enable systemd hostname daemon."; + type = types.bool; + default = false; + }; - withNss = mkOption { - description = "Enable systemd Name Service Switch (NSS) functionality."; - type = types.bool; - default = false; - }; + withNss = mkOption { + description = "Enable systemd Name Service Switch (NSS) functionality."; + type = types.bool; + default = false; + }; - withEfi = mkOption { - description = "Enable systemd EFI+bootloader functionality."; - type = types.bool; - default = pkgs.stdenv.hostPlatform.isEfi; - }; + withEfi = mkOption { + description = "Enable systemd EFI+bootloader functionality."; + type = types.bool; + default = pkgs.stdenv.hostPlatform.isEfi; + }; - withApparmor = mkOption { - description = "Enable systemd apparmor functionality."; - type = types.bool; - default = false; - }; + withApparmor = mkOption { + description = "Enable systemd apparmor functionality."; + type = types.bool; + default = false; + }; - withMachines = mkOption { - description = "Enable systemd container and VM functionality."; - type = types.bool; - default = false; - }; + withMachines = mkOption { + description = "Enable systemd container and VM functionality."; + type = types.bool; + default = false; + }; - withAudit = mkOption { - description = "Enable systemd audit functionality."; - type = types.bool; - default = false; - }; + withAudit = mkOption { + description = "Enable systemd audit functionality."; + type = types.bool; + default = false; + }; - withCryptsetup = mkOption { - description = "Enable systemd LUKS2 functionality."; - type = types.bool; - default = false; - }; + withCryptsetup = mkOption { + description = "Enable systemd LUKS2 functionality."; + type = types.bool; + default = false; + }; - withFido2 = mkOption { - description = "Enable systemd Fido2 token functionality."; - type = types.bool; - default = false; - }; 
+ withFido2 = mkOption { + description = "Enable systemd Fido2 token functionality."; + type = types.bool; + default = false; + }; - withTpm2Tss = mkOption { - description = "Enable systemd TPM functionality."; - type = types.bool; - default = false; - }; + withTpm2Tss = mkOption { + description = "Enable systemd TPM functionality."; + type = types.bool; + default = false; + }; - withPolkit = mkOption { - description = "Enable systemd polkit functionality."; - type = types.bool; - default = false; - }; + withPolkit = mkOption { + description = "Enable systemd polkit functionality."; + type = types.bool; + default = false; + }; - withSerial = mkOption { - description = "Enable systemd serial console."; - type = types.bool; - default = false; - }; + withSerial = mkOption { + description = "Enable systemd serial console."; + type = types.bool; + default = false; + }; - withLocaled = mkOption { - description = "Enable systemd locale daemon."; - type = types.bool; - default = false; - }; + withLocaled = mkOption { + description = "Enable systemd locale daemon."; + type = types.bool; + default = false; + }; - withDebug = mkOption { - description = "Enable systemd debug functionality."; - type = types.bool; - default = false; - }; + withDebug = mkOption { + description = "Enable systemd debug functionality."; + type = types.bool; + default = false; }; + }; + + config = mkIf cfg.enable { + security.auditd.enable = cfg.withAudit; + systemd = { + # Package and unit configuration + inherit package; + inherit suppressedSystemUnits; - config = mkIf cfg.enable { - systemd = { - # Package and unit configuration - inherit package; - inherit suppressedSystemUnits; + # Misc. configurations + enableEmergencyMode = cfg.withDebug; + coredump.enable = cfg.withDebug || cfg.withMachines; - # Misc. 
configurations - enableEmergencyMode = cfg.withDebug; - coredump.enable = cfg.withDebug || cfg.withMachines; - }; + # Service startup optimization + services.systemd-networkd-wait-online.enable = mkForce false; }; - } + }; +} diff --git a/modules/common/systemd/boot.nix b/modules/common/systemd/boot.nix index 78aea7800..a73ca3b13 100644 --- a/modules/common/systemd/boot.nix +++ b/modules/common/systemd/boot.nix @@ -5,27 +5,33 @@ lib, pkgs, ... -}: let +}: +let # Ghaf configuration flags cfg = config.ghaf.systemd.boot; cfgBase = config.ghaf.systemd; + inherit (lib) mkEnableOption mkIf optionals; + # Package configuration - package = pkgs.systemdMinimal.override { - pname = "stage1-systemd"; - inherit (cfgBase) withAudit; - inherit (cfgBase) withCryptsetup; - inherit (cfgBase) withEfi; - inherit (cfgBase) withFido2; - inherit (cfgBase) withRepart; - inherit (cfgBase) withTpm2Tss; - }; + package = pkgs.systemdMinimal.override ( + { + pname = "stage1-systemd"; + inherit (cfgBase) withAudit; + inherit (cfgBase) withCryptsetup; + inherit (cfgBase) withEfi; + inherit (cfgBase) withFido2; + inherit (cfgBase) withRepart; + inherit (cfgBase) withTpm2Tss; + } + // lib.optionalAttrs (lib.strings.versionAtLeast pkgs.systemdMinimal.version "255.0") { + withQrencode = true; # Required for systemd-bsod, which is currently hardcoded in nixos + } + ); # Suppressed initrd systemd units suppressedUnits = - [ - "multi-user.target" - ] + [ "multi-user.target" ] ++ (lib.optionals ((!cfgBase.withDebug) && (!cfgBase.withJournal)) [ "systemd-journald.service" "systemd-journald.socket" 
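Review bot: `services.systemd-networkd-wait-online.enable = mkForce false;` under `# Service startup optimization` means `network-online.target` is reached without waiting for networkd, so units in this commit that order on it — audio.nix's `pulseaudio-starter` with `requires = [ "network-online.target" ]` — no longer get the guarantee they ask for. Either the comment should say `# network-online.target no longer implies connectivity; services must tolerate a late network` or the override should be limited to hosts where that is acceptable. `security.auditd.enable = cfg.withAudit;` is new and undocumented; a one-line comment on the coupling between `withAudit` and the audit daemon would help.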
@@ -44,23 +50,26 @@ "rpcbind.target" ]); in - with lib; { - options.ghaf.systemd.boot = { - enable = mkEnableOption "Enable systemd in stage 1 of the boot (initrd)."; - }; +{ + options.ghaf.systemd.boot = { + enable = mkEnableOption "Enable systemd in stage 1 of the boot (initrd)."; + }; - config = mkIf cfg.enable { - boot.initrd = { - verbose = config.ghaf.profiles.debug.enable; - services.lvm.enable = true; - systemd = { - enable = true; - inherit package; - inherit suppressedUnits; - emergencyAccess = config.ghaf.profiles.debug.enable; - enableTpm2 = cfgBase.withTpm2Tss; - initrdBin = optionals config.ghaf.profiles.debug.enable [pkgs.lvm2 pkgs.util-linux]; - }; + config = mkIf cfg.enable { + boot.initrd = { + verbose = config.ghaf.profiles.debug.enable; + services.lvm.enable = true; + systemd = { + enable = true; + inherit package; + inherit suppressedUnits; + emergencyAccess = config.ghaf.profiles.debug.enable; + enableTpm2 = cfgBase.withTpm2Tss; + initrdBin = optionals config.ghaf.profiles.debug.enable [ + pkgs.lvm2 + pkgs.util-linux + ]; }; }; - } + }; +} diff --git a/modules/common/systemd/default.nix b/modules/common/systemd/default.nix index fc9d3b06c..6b14912e0 100644 --- a/modules/common/systemd/default.nix +++ b/modules/common/systemd/default.nix @@ -4,6 +4,6 @@ imports = [ ./base.nix ./boot.nix - # TODO hardened configs + ./harden.nix ]; } diff --git a/modules/common/systemd/harden.nix b/modules/common/systemd/harden.nix new file mode 100644 index 000000000..083864b8a --- /dev/null +++ b/modules/common/systemd/harden.nix 
@@ -0,0 +1,63 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ config, lib, ... }: +let + # Ghaf systemd config + cfg = config.ghaf.systemd; + apply-service-configs = configs-dir: { + services = lib.foldl' ( + services: s: + let + svc = builtins.replaceStrings [ ".nix" ] [ "" ] s; + in + services + // lib.optionalAttrs (!builtins.elem "${svc}.service" cfg.excludedHardenedConfigs) { + ${svc}.serviceConfig = import "${configs-dir}/${svc}.nix"; + } + ) { } (builtins.attrNames (builtins.readDir configs-dir)); + }; +in +{ + options.ghaf.systemd = { + withHardenedConfigs = lib.mkOption { + description = "Enable common hardened configs."; + type = lib.types.bool; + default = false; + }; + + excludedHardenedConfigs = lib.mkOption { + default = [ ]; + type = lib.types.listOf lib.types.str; + example = [ "sshd.service" ]; + description = '' + A list of units to skip when applying hardened systemd service configurations. + The main purpose of this is to provide a mechanism to exclude specific hardened + configurations for fast debugging and problem resolution. + ''; + }; + + logLevel = lib.mkOption { + description = '' + Log Level for systemd services. + Available options: "emerg", "alert", "crit", "err", "warning", "info", "debug" + ''; + type = lib.types.str; + default = "info"; + }; + }; + + config = { + systemd = lib.mkMerge [ + # Apply hardened systemd service configurations + (lib.mkIf cfg.withHardenedConfigs (apply-service-configs ./hardened-configs/common)) + + # Apply release only service configurations + (lib.mkIf ( + !cfg.withDebug && cfg.withHardenedConfigs + ) (apply-service-configs ./hardened-configs/release)) + + # Set systemd log level + { services."_global_".environment.SYSTEMD_LOG_LEVEL = cfg.logLevel; } + ]; + }; +} 
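Review bot: `logLevel` is typed `lib.types.str` although its description enumerates the seven valid values, so a typo such as "warn" passes evaluation and only shows up as an invalid `SYSTEMD_LOG_LEVEL` at runtime; `type = lib.types.enum [ "emerg" "alert" "crit" "err" "warning" "info" "debug" ];` rejects it at eval time. In `apply-service-configs`, `builtins.attrNames (builtins.readDir configs-dir)` is folded without filtering, so any non-`.nix` entry in a hardened-configs directory (a README, an editor backup, a subdirectory) is left untouched by `replaceStrings` and then breaks evaluation on `import "${configs-dir}/${svc}.nix"`; wrapping the name list in `lib.filter (lib.hasSuffix ".nix")` and using `lib.removeSuffix ".nix"` instead of `replaceStrings` (which also strips a `.nix` in the middle of a name) keeps the scan robust. Because `excludedHardenedConfigs` is described as a debugging aid, it would be worth documenting, or asserting, that release images are expected to leave it empty so that an exclusion does not silently ship.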
diff --git a/modules/common/systemd/hardened-configs/common/NetworkManager-dispatcher.nix b/modules/common/systemd/hardened-configs/common/NetworkManager-dispatcher.nix new file mode 100644 index 000000000..69c9b835a --- /dev/null +++ b/modules/common/systemd/hardened-configs/common/NetworkManager-dispatcher.nix 
@@ -0,0 +1,151 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + ############## + # Networking # + ############## + + # PrivateNetwork=true; + # IPAccounting=yes + IPAddressDeny = "any"; + RestrictAddressFamilies = [ + "AF_PACKET" + "AF_NETLINK" + "AF_UNIX" + "AF_INET" + "AF_INET6" + ]; + + ############### + # File system # + ############### + + # ProtectHome=true; + # ProtectSystem="full"; + ProtectProc = "noaccess"; + # ReadWritePaths=[ "/etc"]; + PrivateTmp = true; + + # Not applicable for the service runs as root + # PrivateMounts=true; + # ProcSubset="all"; + + ################### + # User separation # + ################### + + # Not applicable for the service runs as root + PrivateUsers = true; + # DynamicUser=true; + + ########### + # Devices # + ########### + + # PrivateDevices=false; + # DeviceAllow=/dev/null + + ########## + # Kernel # + ########## + + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + + ######## + # Misc # + ######## + + Delegate = false; + # KeyringMode="private"; + # NoNewPrivileges=true; + UMask = 77; + ProtectHostname = true; + ProtectClock = true; + ProtectControlGroups = true; + RestrictNamespaces = true; + /* + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; + */ + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + # RemoveIPC=true + SystemCallArchitectures = "native"; + # NotifyAccess=false; + + ################ + # Capabilities # + ################ + + #AmbientCapabilities= + CapabilityBoundingSet = [ + "~CAP_SYS_PACCT" + "~CAP_KILL" + # "~CAP_WAKE_ALARM" + # "~CAP_DAC_* + "~CAP_FOWNER" + # "~CAP_IPC_OWNER" + # "~CAP_BPF" + "~CAP_LINUX_IMMUTABLE" + # "~CAP_IPC_LOCK" + "~CAP_SYS_MODULE" + "~CAP_SYS_TTY_CONFIG" + "~CAP_SYS_BOOT" + "~CAP_SYS_CHROOT" + # "~CAP_BLOCK_SUSPEND" + "~CAP_LEASE" + "~CAP_MKNOD" + # "~CAP_CHOWN" + 
# "~CAP_FSETID" + # "~CAP_SETFCAP" + # "~CAP_SETUID" + # "~CAP_SETGID" + # "~CAP_SETPCAP" + # "~CAP_MAC_ADMIN" + # "~CAP_MAC_OVERRIDE" + "~CAP_SYS_RAWIO" + "~CAP_SYS_PTRACE" + # "~CAP_SYS_NICE" + # "~CAP_SYS_RESOURCE" + "~CAP_NET_ADMIN" + "~CAP_NET_BIND_SERVICE" + "~CAP_NET_BROADCAST" + "~CAP_NET_RAW" + # "~CAP_AUDIT_CONTROL" + # "~CAP_AUDIT_READ" + # "~CAP_AUDIT_WRITE" + "~CAP_SYS_ADMIN" + # "~CAP_SYSLOG" + # "~CAP_SYS_TIME + ]; + + ################ + # System calls # + ################ + + SystemCallFilter = [ + "~@clock" + # "~@cpu-emulation" + "~@debug" + "~@module" + "~@mount" + "~@obsolete" + "~@privileged" + # "~@raw-io" + "~@reboot" + "~@resources" + "~@swap" + ]; +} diff --git a/modules/common/systemd/hardened-configs/common/dbus.nix b/modules/common/systemd/hardened-configs/common/dbus.nix new file mode 100644 index 000000000..a0de4971a --- /dev/null +++ b/modules/common/systemd/hardened-configs/common/dbus.nix 
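Review bot: `PrivateUsers = true;` sits directly under the comment `# Not applicable for the service runs as root`, which now says the opposite of what the line does; the same comment-then-enabled pair appears in generate-shutdown-ramfs.nix, ghaf-session.nix, kmod-static-nodes.nix and logrotate-checkconf.nix, and the comment should be reworded or removed wherever the option is actually on. `UMask = 77;` is a decimal Nix integer that serialises as `UMask=77`, which systemd parses as octal (0077), so the effect matches the `# UMask=077;` spelling used in dnsmasq.nix and enable-ksm.nix, but writing `UMask = "077";` would make that explicit in every hardened config in this commit that sets it. The bounding set drops CAP_NET_ADMIN and the filter removes `@privileged` for a unit whose job is presumably to run network dispatcher scripts; whether the scripts Ghaf ships still work under that set should be confirmed and recorded in a comment.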
@@ -0,0 +1,181 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + ############## + # Networking # + ############## + + # PrivateNetwork=true; + IPAccounting = true; + IPAddressDeny = "any"; + RestrictAddressFamilies = [ + #"~AF_PACKET" + #"~AF_NETLINK" + "AF_UNIX" + #"~AF_INET" + #"~AF_INET6" + ]; + + ############### + # File system # + ############### + + ProtectHome = true; + ProtectSystem = "full"; + # ProtectProc="noaccess"; + # ReadWritePaths=[ "/etc"]; + ReadOnlyPaths = [ "/" ]; + PrivateTmp = true; + + # Not applicable for the service runs as root + # PrivateMounts=true; + # ProcSubset="all"; + + ################### + # User separation # + ################### + + # Not applicable for the service runs as root + # PrivateUsers=true; + # DynamicUser=true; + + ########### + # Devices # + ########### + + PrivateDevices = true; + DeviceAllow = [ + "/dev/null rw" + "/dev/urandom r" + ]; + + ########## + # Kernel # + ########## + + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + + ######## + # Misc # + ######## + + # Delegate=false; + # KeyringMode="private"; + NoNewPrivileges = true; + UMask = 77; + ProtectHostname = true; + ProtectClock = true; + ProtectControlGroups = true; + RestrictNamespaces = true; + /* + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; + */ + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + # RemoveIPC=true + SystemCallArchitectures = "native"; + # NotifyAccess=false; + LimitMEMLOCK = 0; + + ################ + # Capabilities # + ################ + + AmbientCapabilities = [ + "CAP_BPF" + "CAP_PERFMON" + ]; + CapabilityBoundingSet = [ + "CAP_SETGID" + "CAP_SETUID" + "CAP_SETPCAP" + "CAP_SYS_RESOURCE" + "CAP_AUDIT_WRITE" + # "~CAP_SYS_PACCT" + # "~CAP_KILL" + # "~CAP_WAKE_ALARM" + # "~CAP_DAC_* + # "~CAP_FOWNER" + # 
"~CAP_IPC_OWNER" + # "~CAP_BPF" + # "~CAP_LINUX_IMMUTABLE" + # "~CAP_IPC_LOCK" + # "~CAP_SYS_MODULE" + # "~CAP_SYS_TTY_CONFIG" + # "~CAP_SYS_BOOT" + # "~CAP_SYS_CHROOT" + # "~CAP_BLOCK_SUSPEND" + # "~CAP_LEASE" + # "~CAP_MKNOD" + # "~CAP_CHOWN" + # "~CAP_FSETID" + # "~CAP_SETFCAP" + # "~CAP_SETUID" + # "~CAP_SETGID" + # "~CAP_SETPCAP" + # "~CAP_MAC_ADMIN" + # "~CAP_MAC_OVERRIDE" + # "~CAP_SYS_RAWIO" + # "~CAP_SYS_PTRACE" + # "~CAP_SYS_NICE" + # "~CAP_SYS_RESOURCE" + # "~CAP_NET_ADMIN" + # "~CAP_NET_BIND_SERVICE" + # "~CAP_NET_BROADCAST" + # "~CAP_NET_RAW" + # "~CAP_AUDIT_CONTROL" + # "~CAP_AUDIT_READ" + # "~CAP_AUDIT_WRITE" + # "~CAP_SYS_ADMIN" + # "~CAP_SYSLOG" + # "~CAP_SYS_TIME + ]; + + ################ + # System calls # + ################ + + SystemCallFilter = [ + "@system-service" + "~@chown" + "@clock" + "@cpu-emulation" + "@debug" + "@module" + "@mount" + "@obsolete" + "@raw-io" + "@reboot" + "@resources" + "@swap" + "memfd_create" + "mincore" + "mlock" + "mlockall" + "personality" + # "~@clock" + # "~@cpu-emulation" + # "~@debug" + # "~@module" + # "~@mount" + # "~@obsolete" + # "~@privileged" + # "~@raw-io" + # "~@reboot" + # "~@resources" + # "~@swap" + ]; +} diff --git a/modules/common/systemd/hardened-configs/common/dnsmasq.nix b/modules/common/systemd/hardened-configs/common/dnsmasq.nix new file mode 100644 index 000000000..ec96f2718 --- /dev/null +++ b/modules/common/systemd/hardened-configs/common/dnsmasq.nix 
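Review bot: `SystemCallFilter` opens with the allow-list entry `@system-service` and then lists `@clock`, `@cpu-emulation`, `@debug`, `@module`, `@mount`, `@obsolete`, `@raw-io`, `@reboot`, `@resources` and `@swap` without the `~` prefix, which in an allow-list adds those groups, so the bus broker is permitted module loading, mounts, reboot and raw I/O — exactly the groups the commented tail (`# "~@clock"` …) and every sibling file deny. Each of those entries should carry `~`, after which the duplicated commented block can be deleted. Separately, `AmbientCapabilities = [ "CAP_BPF" "CAP_PERFMON" ]` grants the bus two capabilities that are absent from its `CapabilityBoundingSet` and that a message bus does not obviously need; if there is a reason it deserves a comment, otherwise the entry should go.
```nix
  SystemCallFilter = [
    "@system-service"
    "~@chown"
    "~@clock"
    "~@cpu-emulation"
    "~@debug"
    "~@module"
    "~@mount"
    "~@obsolete"
    "~@raw-io"
    "~@reboot"
    "~@resources"
    "~@swap"
    # … unchanged: memfd_create / mincore / mlock / mlockall / personality entries …
  ];
```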
@@ -0,0 +1,151 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + ############## + # Networking # + ############## + + # PrivateNetwork=true; + # IPAccounting=yes + # IPAddressDeny="any"; + RestrictAddressFamilies = [ + "AF_PACKET" + "AF_NETLINK" + "AF_UNIX" + "AF_INET" + "AF_INET6" + ]; + + ############### + # File system # + ############### + + ProtectHome = true; + ProtectSystem = true; + ProtectProc = "invisible"; + # ReadWritePaths=[ "/etc"]; + PrivateTmp = true; + + # Not applicable for the service runs as root + # PrivateMounts=true; + # ProcSubset="all"; + + ################### + # User separation # + ################### + + # Not applicable for the service runs as root + # PrivateUsers=true; + # DynamicUser=true; + + ########### + # Devices # + ########### + + PrivateDevices = true; + # DeviceAllow=/dev/null + + ########## + # Kernel # + ########## + + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + + ######## + # Misc # + ######## + + # Delegate=false; + # KeyringMode="private"; + NoNewPrivileges = true; + # UMask=077; + ProtectHostname = true; + ProtectClock = true; + # ProtectControlGroups=true; + # RestrictNamespaces=true; + /* + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; + */ + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + # RemoveIPC=true + SystemCallArchitectures = "native"; + # NotifyAccess=false; + + ################ + # Capabilities # + ################ + + #AmbientCapabilities= + CapabilityBoundingSet = [ + "~CAP_SYS_PACCT" + "~CAP_KILL" + # "~CAP_WAKE_ALARM" + # "~CAP_DAC_* + "~CAP_FOWNER" + # "~CAP_IPC_OWNER" + # "~CAP_BPF" + "~CAP_LINUX_IMMUTABLE" + # "~CAP_IPC_LOCK" + "~CAP_SYS_MODULE" + "~CAP_SYS_TTY_CONFIG" + "~CAP_SYS_BOOT" + "~CAP_SYS_CHROOT" + # "~CAP_BLOCK_SUSPEND" + "~CAP_LEASE" + "~CAP_MKNOD" + # "~CAP_CHOWN" + 
# "~CAP_FSETID" + # "~CAP_SETFCAP" + # "~CAP_SETUID" + # "~CAP_SETGID" + # "~CAP_SETPCAP" + # "~CAP_MAC_ADMIN" + # "~CAP_MAC_OVERRIDE" + "~CAP_SYS_RAWIO" + "~CAP_SYS_PTRACE" + # "~CAP_SYS_NICE" + # "~CAP_SYS_RESOURCE" + # "~CAP_NET_ADMIN" + # "~CAP_NET_BIND_SERVICE" + # "~CAP_NET_BROADCAST" + # "~CAP_NET_RAW" + # "~CAP_AUDIT_CONTROL" + # "~CAP_AUDIT_READ" + # "~CAP_AUDIT_WRITE" + # "~CAP_SYS_ADMIN" + # "~CAP_SYSLOG" + # "~CAP_SYS_TIME + ]; + + ################ + # System calls # + ################ + + SystemCallFilter = [ + "~@clock" + # "~@cpu-emulation" + "~@debug" + "~@module" + "~@mount" + "~@obsolete" + # "~@privileged" + # "~@raw-io" + "~@reboot" + "~@resources" + "~@swap" + ]; +} diff --git a/modules/common/systemd/hardened-configs/common/enable-ksm.nix b/modules/common/systemd/hardened-configs/common/enable-ksm.nix new file mode 100644 index 000000000..2f097646e --- /dev/null +++ b/modules/common/systemd/hardened-configs/common/enable-ksm.nix 
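Review bot: `ProtectSystem = true;` is a boolean where the sibling files use the string level `"full"`; systemd accepts the boolean but it only covers /usr and the boot loader directories, whereas `"full"` also makes /etc read-only, so unless dnsmasq must write under /etc this should be `ProtectSystem = "full";` to match the rest of the set. The retained privileges — `# IPAddressDeny="any";`, `# "~@privileged"`, `# "~@raw-io"` and the kept `CAP_NET_*` entries — carry no justification, so a later reviewer cannot tell an intentional exception from an oversight; a one-line comment above each, such as `# @privileged kept: dnsmasq drops to its own user after binding port 53 (TODO confirm)`, would make the exceptions reviewable.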
@@ -0,0 +1,151 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + ############## + # Networking # + ############## + + PrivateNetwork = true; + # IPAccounting=yes + IPAddressDeny = "any"; + RestrictAddressFamilies = [ + "~AF_PACKET" + "~AF_NETLINK" + #"~AF_UNIX" + "~AF_INET" + "~AF_INET6" + ]; + + ############### + # File system # + ############### + + # ProtectHome=true; + # ProtectSystem="full"; + # ProtectProc="noaccess"; + # ReadWritePaths=[ "/etc"]; + # PrivateTmp=true; + + # Not applicable for the service runs as root + # PrivateMounts=true; + # ProcSubset="all"; + + ################### + # User separation # + ################### + + # Not applicable for the service runs as root + # PrivateUsers=true; + # DynamicUser=true; + + ########### + # Devices # + ########### + + # PrivateDevices=false; + # DeviceAllow=/dev/null + + ########## + # Kernel # + ########## + + # ProtectKernelTunables=true; + # ProtectKernelModules=true; + # ProtectKernelLogs=true; + + ######## + # Misc # + ######## + + Delegate = false; + # KeyringMode="private"; + NoNewPrivileges = true; + # UMask=077; + ProtectHostname = true; + ProtectClock = true; + # ProtectControlGroups=true; + RestrictNamespaces = true; + /* + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; + */ + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + # RestrictSUIDSGID=true; + # RemoveIPC=true + SystemCallArchitectures = "native"; + # NotifyAccess=false; + + ################ + # Capabilities # + ################ + + #AmbientCapabilities= + CapabilityBoundingSet = [ + "~CAP_SYS_PACCT" + "~CAP_KILL" + "~CAP_WAKE_ALARM" + # "~CAP_DAC_* + # "~CAP_FOWNER" + # "~CAP_IPC_OWNER" + # "~CAP_BPF" + "~CAP_LINUX_IMMUTABLE" + # "~CAP_IPC_LOCK" + # "~CAP_SYS_MODULE" + "~CAP_SYS_TTY_CONFIG" + "~CAP_SYS_BOOT" + "~CAP_SYS_CHROOT" + # "~CAP_BLOCK_SUSPEND" + "~CAP_LEASE" + "~CAP_MKNOD" + # 
"~CAP_CHOWN" + # "~CAP_FSETID" + # "~CAP_SETFCAP" + # "~CAP_SETUID" + # "~CAP_SETGID" + # "~CAP_SETPCAP" + # "~CAP_MAC_ADMIN" + # "~CAP_MAC_OVERRIDE" + "~CAP_SYS_RAWIO" + "~CAP_SYS_PTRACE" + "~CAP_SYS_NICE" + # "~CAP_SYS_RESOURCE" + "~CAP_NET_ADMIN" + "~CAP_NET_BIND_SERVICE" + "~CAP_NET_BROADCAST" + "~CAP_NET_RAW" + "~CAP_AUDIT_CONTROL" + # "~CAP_AUDIT_READ" + # "~CAP_AUDIT_WRITE" + # "~CAP_SYS_ADMIN" + # "~CAP_SYSLOG" + # "~CAP_SYS_TIME + ]; + + ################ + # System calls # + ################ + + SystemCallFilter = [ + # "~@clock" + "~@cpu-emulation" + "~@debug" + # "~@module" + # "~@mount" + "~@obsolete" + "~@privileged" + "~@raw-io" + "~@reboot" + "~@resources" + "~@swap" + ]; +} diff --git a/modules/common/systemd/hardened-configs/common/firewall.nix b/modules/common/systemd/hardened-configs/common/firewall.nix new file mode 100644 index 000000000..56bffddbe --- /dev/null +++ b/modules/common/systemd/hardened-configs/common/firewall.nix 
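Review bot: All three `ProtectKernel*` settings, `RestrictSUIDSGID`, `~CAP_SYS_MODULE` and `~@module` are left commented out here although they are active in every sibling, and nothing says why. If the unit only needs to write a sysfs knob (the name suggests /sys/kernel/mm/ksm, to be confirmed), then only `ProtectKernelTunables` has to stay off; a comment such as `# ProtectKernelTunables off: this unit writes /sys/kernel/mm/ksm/* — TODO confirm` would let `ProtectKernelModules = true;`, `ProtectKernelLogs = true;`, `"~CAP_SYS_MODULE"` and `"~@module"` be re-enabled, since leaving module loading open to a oneshot that toggles a sysfs flag widens it beyond its job.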
@@ -0,0 +1,151 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + ############## + # Networking # + ############## + + # PrivateNetwork=true; + # IPAccounting=yes + IPAddressDeny = "any"; + RestrictAddressFamilies = [ + #"~AF_PACKET" + #"~AF_NETLINK" + #"~AF_UNIX" + #"~AF_INET" + #"~AF_INET6" + ]; + + ############### + # File system # + ############### + + # ProtectHome=true; + ProtectSystem = "full"; + ProtectProc = "noaccess"; + # ReadWritePaths=[ "/etc"]; + # PrivateTmp=true; + + # Not applicable for the service runs as root + # PrivateMounts=true; + # ProcSubset="all"; + + ################### + # User separation # + ################### + + # Not applicable for the service runs as root + # PrivateUsers=true; + # DynamicUser=true; + + ########### + # Devices # + ########### + + PrivateDevices = true; + # DeviceAllow=/dev/null + + ########## + # Kernel # + ########## + + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + + ######## + # Misc # + ######## + + Delegate = false; + # KeyringMode="private"; + NoNewPrivileges = true; + UMask = 77; + ProtectHostname = true; + ProtectClock = true; + ProtectControlGroups = true; + RestrictNamespaces = true; + /* + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; + */ + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + # RemoveIPC=true + SystemCallArchitectures = "native"; + # NotifyAccess=false; + + ################ + # Capabilities # + ################ + + #AmbientCapabilities= + CapabilityBoundingSet = [ + "~CAP_SYS_PACCT" + "~CAP_KILL" + # "~CAP_WAKE_ALARM" + # "~CAP_DAC_* + "~CAP_FOWNER" + # "~CAP_IPC_OWNER" + # "~CAP_BPF" + "~CAP_LINUX_IMMUTABLE" + # "~CAP_IPC_LOCK" + "~CAP_SYS_MODULE" + "~CAP_SYS_TTY_CONFIG" + "~CAP_SYS_BOOT" + "~CAP_SYS_CHROOT" + # "~CAP_BLOCK_SUSPEND" + "~CAP_LEASE" + "~CAP_MKNOD" + # 
"~CAP_CHOWN" + # "~CAP_FSETID" + # "~CAP_SETFCAP" + # "~CAP_SETUID" + # "~CAP_SETGID" + # "~CAP_SETPCAP" + # "~CAP_MAC_ADMIN" + # "~CAP_MAC_OVERRIDE" + "~CAP_SYS_RAWIO" + "~CAP_SYS_PTRACE" + # "~CAP_SYS_NICE" + # "~CAP_SYS_RESOURCE" + # "~CAP_NET_ADMIN" + # "~CAP_NET_BIND_SERVICE" + # "~CAP_NET_BROADCAST" + # "~CAP_NET_RAW" + # "~CAP_AUDIT_CONTROL" + # "~CAP_AUDIT_READ" + # "~CAP_AUDIT_WRITE" + "~CAP_SYS_ADMIN" + # "~CAP_SYSLOG" + # "~CAP_SYS_TIME + ]; + + ################ + # System calls # + ################ + + SystemCallFilter = [ + "~@clock" + "~@cpu-emulation" + "~@debug" + "~@module" + "~@mount" + "~@obsolete" + "~@privileged" + # "~@raw-io" + "~@reboot" + "~@resources" + "~@swap" + ]; +} diff --git a/modules/common/systemd/hardened-configs/common/generate-shutdown-ramfs.nix b/modules/common/systemd/hardened-configs/common/generate-shutdown-ramfs.nix new file mode 100644 index 000000000..e29e9fece --- /dev/null +++ b/modules/common/systemd/hardened-configs/common/generate-shutdown-ramfs.nix 
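Review bot: `RestrictAddressFamilies = [ ];` is an empty list, which as far as I can tell NixOS renders as no directive at all, so address families are left unrestricted rather than restricted; either list what the firewall script actually opens (likely `AF_NETLINK` and `AF_UNIX`, to be confirmed against the nftables/iptables invocation) or drop the entry and note in a comment that families are intentionally unrestricted. The same empty list appears in ghaf-session.nix, install-microvm-netvm.nix, kmod-static-nodes.nix and logrotate-checkconf.nix and is equally inert there. `IPAddressDeny = "any"` together with `~@privileged` and `~CAP_SYS_ADMIN` looks right for a netfilter loader, but a comment stating that `CAP_NET_ADMIN` is kept on purpose would stop a later pass from "fixing" the commented `# "~CAP_NET_ADMIN"` line.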
@@ -0,0 +1,151 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + ############## + # Networking # + ############## + + PrivateNetwork = true; + # IPAccounting=yes + IPAddressDeny = "any"; + RestrictAddressFamilies = [ + "~AF_PACKET" + "~AF_NETLINK" + "~AF_UNIX" + "~AF_INET" + "~AF_INET6" + ]; + + ############### + # File system # + ############### + + # ProtectHome=true; + # ProtectSystem="full"; + ProtectProc = "noaccess"; + # ReadWritePaths=[ "/etc"]; + PrivateTmp = true; + + # Not applicable for the service runs as root + # PrivateMounts=true; + # ProcSubset="all"; + + ################### + # User separation # + ################### + + # Not applicable for the service runs as root + PrivateUsers = true; + # DynamicUser=true; + + ########### + # Devices # + ########### + + # PrivateDevices=false; + # DeviceAllow=/dev/null + + ########## + # Kernel # + ########## + + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + + ######## + # Misc # + ######## + + Delegate = false; + # KeyringMode="private"; + NoNewPrivileges = true; + UMask = 77; + ProtectHostname = true; + ProtectClock = true; + ProtectControlGroups = true; + RestrictNamespaces = true; + /* + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; + */ + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + # RemoveIPC=true + SystemCallArchitectures = "native"; + # NotifyAccess=false; + + ################ + # Capabilities # + ################ + + #AmbientCapabilities= + CapabilityBoundingSet = [ + "~CAP_SYS_PACCT" + "~CAP_KILL" + # "~CAP_WAKE_ALARM" + # "~CAP_DAC_* + "~CAP_FOWNER" + # "~CAP_IPC_OWNER" + # "~CAP_BPF" + "~CAP_LINUX_IMMUTABLE" + "~CAP_IPC_LOCK" + "~CAP_SYS_MODULE" + "~CAP_SYS_TTY_CONFIG" + "~CAP_SYS_BOOT" + "~CAP_SYS_CHROOT" + "~CAP_BLOCK_SUSPEND" + "~CAP_LEASE" + "~CAP_MKNOD" + # "~CAP_CHOWN" 
+ # "~CAP_FSETID" + # "~CAP_SETFCAP" + # "~CAP_SETUID" + # "~CAP_SETGID" + # "~CAP_SETPCAP" + # "~CAP_MAC_ADMIN" + # "~CAP_MAC_OVERRIDE" + "~CAP_SYS_RAWIO" + "~CAP_SYS_PTRACE" + # "~CAP_SYS_NICE" + # "~CAP_SYS_RESOURCE" + "~CAP_NET_ADMIN" + "~CAP_NET_BIND_SERVICE" + "~CAP_NET_BROADCAST" + "~CAP_NET_RAW" + # "~CAP_AUDIT_CONTROL" + # "~CAP_AUDIT_READ" + # "~CAP_AUDIT_WRITE" + "~CAP_SYS_ADMIN" + # "~CAP_SYSLOG" + # "~CAP_SYS_TIME + ]; + + ################ + # System calls # + ################ + + SystemCallFilter = [ + "~@clock" + "~@cpu-emulation" + "~@debug" + "~@module" + "~@mount" + "~@obsolete" + "~@privileged" + # "~@raw-io" + "~@reboot" + "~@resources" + "~@swap" + ]; +} diff --git a/modules/common/systemd/hardened-configs/common/ghaf-session.nix b/modules/common/systemd/hardened-configs/common/ghaf-session.nix new file mode 100644 index 000000000..e8246a625 --- /dev/null +++ b/modules/common/systemd/hardened-configs/common/ghaf-session.nix 
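Review bot: The unit drops `CAP_SYS_ADMIN` and filters `~@mount`, while the NixOS definition of generate-shutdown-ramfs has, in past releases, populated /run/initramfs by mounting a tmpfs there before copying the shutdown initrd in (to be confirmed against the current module); if that is still the case this profile makes the ramfs setup fail and shutdown silently falls back to the non-ramfs path, so the unit should be exercised through a real shutdown and the outcome recorded in a comment. `PrivateUsers = true;` combined with `~AF_UNIX` in `RestrictAddressFamilies` is the strictest pairing in this commit; it is fine for a oneshot that only copies files, but a comment saying exactly that would explain why this file is tighter than its siblings.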
@@ -0,0 +1,151 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + ############## + # Networking # + ############## + + PrivateNetwork = true; + # IPAccounting=yes + IPAddressDeny = "any"; + RestrictAddressFamilies = [ + #"~AF_PACKET" + #"~AF_NETLINK" + #"~AF_UNIX" + #"~AF_INET" + #"~AF_INET6" + ]; + + ############### + # File system # + ############### + + # ProtectHome=true; + ProtectSystem = "full"; + ProtectProc = "noaccess"; + # ReadWritePaths=[ "/etc"]; + PrivateTmp = true; + + # Not applicable for the service runs as root + # PrivateMounts=true; + ProcSubset = "pid"; + + ################### + # User separation # + ################### + + # Not applicable for the service runs as root + PrivateUsers = true; + # DynamicUser=true; + + ########### + # Devices # + ########### + + # PrivateDevices=false; + # DeviceAllow=/dev/null + + ########## + # Kernel # + ########## + + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + + ######## + # Misc # + ######## + + Delegate = false; + # KeyringMode="private"; + NoNewPrivileges = true; + UMask = 77; + ProtectHostname = true; + ProtectClock = true; + ProtectControlGroups = true; + RestrictNamespaces = true; + /* + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; + */ + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + # RemoveIPC=true + SystemCallArchitectures = "native"; + # NotifyAccess=false; + + ################ + # Capabilities # + ################ + + #AmbientCapabilities= + CapabilityBoundingSet = [ + "~CAP_SYS_PACCT" + "~CAP_KILL" + # "~CAP_WAKE_ALARM" + # "~CAP_DAC_* + "~CAP_FOWNER" + # "~CAP_IPC_OWNER" + # "~CAP_BPF" + "~CAP_LINUX_IMMUTABLE" + # "~CAP_IPC_LOCK" + "~CAP_SYS_MODULE" + "~CAP_SYS_TTY_CONFIG" + "~CAP_SYS_BOOT" + "~CAP_SYS_CHROOT" + # "~CAP_BLOCK_SUSPEND" + "~CAP_LEASE" + "~CAP_MKNOD" + # 
"~CAP_CHOWN" + # "~CAP_FSETID" + # "~CAP_SETFCAP" + # "~CAP_SETUID" + # "~CAP_SETGID" + # "~CAP_SETPCAP" + # "~CAP_MAC_ADMIN" + # "~CAP_MAC_OVERRIDE" + "~CAP_SYS_RAWIO" + "~CAP_SYS_PTRACE" + # "~CAP_SYS_NICE" + # "~CAP_SYS_RESOURCE" + "~CAP_NET_ADMIN" + "~CAP_NET_BIND_SERVICE" + "~CAP_NET_BROADCAST" + "~CAP_NET_RAW" + # "~CAP_AUDIT_CONTROL" + # "~CAP_AUDIT_READ" + # "~CAP_AUDIT_WRITE" + "~CAP_SYS_ADMIN" + # "~CAP_SYSLOG" + # "~CAP_SYS_TIME + ]; + + ################ + # System calls # + ################ + + SystemCallFilter = [ + "~@clock" + # "~@cpu-emulation" + "~@debug" + "~@module" + # "~@mount" + "~@obsolete" + "~@privileged" + # "~@raw-io" + # "~@reboot" + "~@resources" + "~@swap" + ]; +} diff --git a/modules/common/systemd/hardened-configs/common/install-microvm-netvm.nix b/modules/common/systemd/hardened-configs/common/install-microvm-netvm.nix new file mode 100644 index 000000000..d6880a9c9 --- /dev/null +++ b/modules/common/systemd/hardened-configs/common/install-microvm-netvm.nix 
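Review bot: `PrivateNetwork = true` and `MemoryDenyWriteExecute = true` are inherited by every process the session launches, not just the unit itself; if the session starts a compositor or clients that JIT or need networking beyond what a fresh network namespace provides, this surfaces as hard-to-diagnose failures, so a comment recording what was verified to work under this profile would help (AF_VSOCK, if that is the transport, is not network-namespaced, but that should be stated rather than assumed). `ProcSubset = "pid"` is placed right under `# Not applicable for the service runs as root`, which reads as the opposite of what the line does.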
@@ -0,0 +1,151 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + ############## + # Networking # + ############## + + # PrivateNetwork=true; + # IPAccounting=yes + IPAddressDeny = "any"; + RestrictAddressFamilies = [ + #"~AF_PACKET" + #"~AF_NETLINK" + #"~AF_UNIX" + #"~AF_INET" + #"~AF_INET6" + ]; + + ############### + # File system # + ############### + + # ProtectHome=true; + ProtectSystem = "full"; + ProtectProc = "noaccess"; + # ReadWritePaths=[ "/etc"]; + # PrivateTmp=true; + + # Not applicable for the service runs as root + # PrivateMounts=true; + # ProcSubset="all"; + + ################### + # User separation # + ################### + + # Not applicable for the service runs as root + # PrivateUsers=true; + # DynamicUser=true; + + ########### + # Devices # + ########### + + # PrivateDevices=false; + # DeviceAllow=/dev/null + + ########## + # Kernel # + ########## + + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + + ######## + # Misc # + ######## + + Delegate = false; + # KeyringMode="private"; + NoNewPrivileges = true; + UMask = 77; + ProtectHostname = true; + ProtectClock = true; + ProtectControlGroups = true; + RestrictNamespaces = true; + /* + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; + */ + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + # RemoveIPC=true + SystemCallArchitectures = "native"; + # NotifyAccess=false; + + ################ + # Capabilities # + ################ + + #AmbientCapabilities= + CapabilityBoundingSet = [ + "~CAP_SYS_PACCT" + "~CAP_KILL" + # "~CAP_WAKE_ALARM" + # "~CAP_DAC_* + "~CAP_FOWNER" + # "~CAP_IPC_OWNER" + # "~CAP_BPF" + "~CAP_LINUX_IMMUTABLE" + "~CAP_IPC_LOCK" + "~CAP_SYS_MODULE" + "~CAP_SYS_TTY_CONFIG" + "~CAP_SYS_BOOT" + "~CAP_SYS_CHROOT" + "~CAP_BLOCK_SUSPEND" + "~CAP_LEASE" + # "~CAP_MKNOD" + # 
"~CAP_CHOWN" + # "~CAP_FSETID" + # "~CAP_SETFCAP" + # "~CAP_SETUID" + # "~CAP_SETGID" + # "~CAP_SETPCAP" + # "~CAP_MAC_ADMIN" + # "~CAP_MAC_OVERRIDE" + "~CAP_SYS_RAWIO" + "~CAP_SYS_PTRACE" + # "~CAP_SYS_NICE" + # "~CAP_SYS_RESOURCE" + "~CAP_NET_ADMIN" + "~CAP_NET_BIND_SERVICE" + "~CAP_NET_BROADCAST" + "~CAP_NET_RAW" + # "~CAP_AUDIT_CONTROL" + # "~CAP_AUDIT_READ" + # "~CAP_AUDIT_WRITE" + "~CAP_SYS_ADMIN" + # "~CAP_SYSLOG" + # "~CAP_SYS_TIME + ]; + + ################ + # System calls # + ################ + + SystemCallFilter = [ + "~@clock" + "~@cpu-emulation" + "~@debug" + "~@module" + "~@mount" + "~@obsolete" + # "~@privileged" + # "~@raw-io" + "~@reboot" + "~@resources" + "~@swap" + ]; +} diff --git a/modules/common/systemd/hardened-configs/common/kmod-static-nodes.nix b/modules/common/systemd/hardened-configs/common/kmod-static-nodes.nix new file mode 100644 index 000000000..dc5bf3997 --- /dev/null +++ b/modules/common/systemd/hardened-configs/common/kmod-static-nodes.nix 
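Review bot: This file retains `CAP_MKNOD` (`# "~CAP_MKNOD"` commented out) and leaves `~@privileged` and `~@raw-io` unfiltered, unlike NetworkManager-dispatcher.nix and most other siblings, but gives no reason; since each per-unit file is the only place a reader can learn what the unit needs, a short header such as `# install-microvm-netvm: keeps mknod/@privileged for <reason> — TODO confirm` would make the exceptions reviewable. The rest of the file duplicates the common template verbatim, so any future tightening of the template has to be hand-applied here as well; a shared base attrset with per-unit overrides would reduce that drift.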
@@ -0,0 +1,151 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + ############## + # Networking # + ############## + + PrivateNetwork = true; + # IPAccounting=yes + IPAddressDeny = "any"; + RestrictAddressFamilies = [ + #"~AF_PACKET" + #"~AF_NETLINK" + #"~AF_UNIX" + #"~AF_INET" + #"~AF_INET6" + ]; + + ############### + # File system # + ############### + + # ProtectHome=true; + ProtectSystem = "full"; + ProtectProc = "noaccess"; + # ReadWritePaths=[ "/etc"]; + # PrivateTmp=true; + + # Not applicable for the service runs as root + # PrivateMounts=true; + # ProcSubset="all"; + + ################### + # User separation # + ################### + + # Not applicable for the service runs as root + PrivateUsers = true; + # DynamicUser=true; + + ########### + # Devices # + ########### + + # PrivateDevices=false; + # DeviceAllow=/dev/null + + ########## + # Kernel # + ########## + + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + + ######## + # Misc # + ######## + + Delegate = false; + # KeyringMode="private"; + NoNewPrivileges = true; + UMask = 77; + ProtectHostname = true; + ProtectClock = true; + ProtectControlGroups = true; + RestrictNamespaces = true; + /* + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; + */ + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + # RemoveIPC=true + SystemCallArchitectures = "native"; + # NotifyAccess=false; + + ################ + # Capabilities # + ################ + + #AmbientCapabilities= + CapabilityBoundingSet = [ + "~CAP_SYS_PACCT" + "~CAP_KILL" + # "~CAP_WAKE_ALARM" + # "~CAP_DAC_* + "~CAP_FOWNER" + # "~CAP_IPC_OWNER" + # "~CAP_BPF" + "~CAP_LINUX_IMMUTABLE" + # "~CAP_IPC_LOCK" + "~CAP_SYS_MODULE" + "~CAP_SYS_TTY_CONFIG" + "~CAP_SYS_BOOT" + "~CAP_SYS_CHROOT" + # "~CAP_BLOCK_SUSPEND" + "~CAP_LEASE" + "~CAP_MKNOD" + # 
"~CAP_CHOWN" + # "~CAP_FSETID" + # "~CAP_SETFCAP" + # "~CAP_SETUID" + # "~CAP_SETGID" + # "~CAP_SETPCAP" + # "~CAP_MAC_ADMIN" + # "~CAP_MAC_OVERRIDE" + "~CAP_SYS_RAWIO" + "~CAP_SYS_PTRACE" + # "~CAP_SYS_NICE" + # "~CAP_SYS_RESOURCE" + "~CAP_NET_ADMIN" + "~CAP_NET_BIND_SERVICE" + "~CAP_NET_BROADCAST" + "~CAP_NET_RAW" + # "~CAP_AUDIT_CONTROL" + # "~CAP_AUDIT_READ" + # "~CAP_AUDIT_WRITE" + "~CAP_SYS_ADMIN" + # "~CAP_SYSLOG" + # "~CAP_SYS_TIME + ]; + + ################ + # System calls # + ################ + + SystemCallFilter = [ + "~@clock" + # "~@cpu-emulation" + "~@debug" + "~@module" + "~@mount" + "~@obsolete" + # "~@privileged" + # "~@raw-io" + "~@reboot" + "~@resources" + "~@swap" + ]; +} diff --git a/modules/common/systemd/hardened-configs/common/logrotate-checkconf.nix b/modules/common/systemd/hardened-configs/common/logrotate-checkconf.nix new file mode 100644 index 000000000..b7d1399a4 --- /dev/null +++ b/modules/common/systemd/hardened-configs/common/logrotate-checkconf.nix 
@@ -0,0 +1,151 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ ##############
+ # Networking #
+ ##############
+
+ # PrivateNetwork=true;
+ # IPAccounting=yes
+ # IPAddressDeny="any";
+ RestrictAddressFamilies = [
+ #"~AF_PACKET"
+ #"~AF_NETLINK"
+ #"~AF_UNIX"
+ #"~AF_INET"
+ #"~AF_INET6"
+ ];
+
+ ###############
+ # File system #
+ ###############
+
+ # ProtectHome=true;
+ ProtectSystem = "full";
+ ProtectProc = "noaccess";
+ # ReadWritePaths=[ "/etc"];
+ PrivateTmp = true;
+
+ # Not applicable for the service runs as root
+ # PrivateMounts=true;
+ # ProcSubset="all";
+
+ ###################
+ # User separation #
+ ###################
+
+ # Not applicable for the service runs as root
+ PrivateUsers = true;
+ # DynamicUser=true;
+
+ ###########
+ # Devices #
+ ###########
+
+ # PrivateDevices=false;
+ # DeviceAllow=/dev/null
+
+ ##########
+ # Kernel #
+ ##########
+
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+
+ ########
+ # Misc #
+ ########
+
+ Delegate = false;
+ # KeyringMode="private";
+ NoNewPrivileges = true;
+ UMask = 77;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ /*
+ RestrictNamespaces=[
+ #"~user"
+ #"~pid"
+ #"~net"
+ #"~uts"
+ #"~mnt"
+ #"~cgroup"
+ #"~ipc"
+ ];
+ */
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ # RemoveIPC=true
+ SystemCallArchitectures = "native";
+ # NotifyAccess=false;
+
+ ################
+ # Capabilities #
+ ################
+
+ #AmbientCapabilities=
+ CapabilityBoundingSet = [
+ "~CAP_SYS_PACCT"
+ "~CAP_KILL"
+ # "~CAP_WAKE_ALARM"
+ # "~CAP_DAC_*
+ "~CAP_FOWNER"
+ # "~CAP_IPC_OWNER"
+ # "~CAP_BPF"
+ "~CAP_LINUX_IMMUTABLE"
+ # "~CAP_IPC_LOCK"
+ "~CAP_SYS_MODULE"
+ "~CAP_SYS_TTY_CONFIG"
+ "~CAP_SYS_BOOT"
+ "~CAP_SYS_CHROOT"
+ # "~CAP_BLOCK_SUSPEND"
+ "~CAP_LEASE"
+ "~CAP_MKNOD"
+ # "~CAP_CHOWN"
+ # "~CAP_FSETID"
+ # "~CAP_SETFCAP"
+ # "~CAP_SETUID"
+ # "~CAP_SETGID"
+ # "~CAP_SETPCAP"
+ # "~CAP_MAC_ADMIN"
+ # "~CAP_MAC_OVERRIDE"
+ "~CAP_SYS_RAWIO"
+ "~CAP_SYS_PTRACE"
+ # "~CAP_SYS_NICE"
+ # "~CAP_SYS_RESOURCE"
+ # "~CAP_NET_ADMIN"
+ # "~CAP_NET_BIND_SERVICE"
+ # "~CAP_NET_BROADCAST"
+ # "~CAP_NET_RAW"
+ # "~CAP_AUDIT_CONTROL"
+ # "~CAP_AUDIT_READ"
+ # "~CAP_AUDIT_WRITE"
+ "~CAP_SYS_ADMIN"
+ # "~CAP_SYSLOG"
+ # "~CAP_SYS_TIME
+ ];
+
+ ################
+ # System calls #
+ ################
+
+ SystemCallFilter = [
+ "~@clock"
+ "~@cpu-emulation"
+ "~@debug"
+ "~@module"
+ "~@mount"
+ "~@obsolete"
+ "~@privileged"
+ "~@raw-io"
+ "~@reboot"
+ # "~@resources"
+ "~@swap"
+ ];
+}
diff --git a/modules/common/systemd/hardened-configs/common/logrotate.nix b/modules/common/systemd/hardened-configs/common/logrotate.nix
new file mode 100644
index 000000000..b7d1399a4
--- /dev/null
+++ b/modules/common/systemd/hardened-configs/common/logrotate.nix
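Review bot: logrotate-checkconf.nix is byte-identical to logrotate.nix (both index lines name the same blob, b7d1399a4), so the two profiles will drift apart the first time one is edited; if the same profile is intended, make this file `import ./logrotate.nix` rather than a copy. If, as the name suggests, this unit only validates the configuration and never rotates anything, it also needs less than the real rotation unit (no write access under /var, no `@privileged` syscalls), so a tighter profile would be more natural than an identical one.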
@@ -0,0 +1,151 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ ##############
+ # Networking #
+ ##############
+
+ # PrivateNetwork=true;
+ # IPAccounting=yes
+ # IPAddressDeny="any";
+ RestrictAddressFamilies = [
+ #"~AF_PACKET"
+ #"~AF_NETLINK"
+ #"~AF_UNIX"
+ #"~AF_INET"
+ #"~AF_INET6"
+ ];
+
+ ###############
+ # File system #
+ ###############
+
+ # ProtectHome=true;
+ ProtectSystem = "full";
+ ProtectProc = "noaccess";
+ # ReadWritePaths=[ "/etc"];
+ PrivateTmp = true;
+
+ # Not applicable for the service runs as root
+ # PrivateMounts=true;
+ # ProcSubset="all";
+
+ ###################
+ # User separation #
+ ###################
+
+ # Not applicable for the service runs as root
+ PrivateUsers = true;
+ # DynamicUser=true;
+
+ ###########
+ # Devices #
+ ###########
+
+ # PrivateDevices=false;
+ # DeviceAllow=/dev/null
+
+ ##########
+ # Kernel #
+ ##########
+
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+
+ ########
+ # Misc #
+ ########
+
+ Delegate = false;
+ # KeyringMode="private";
+ NoNewPrivileges = true;
+ UMask = 77;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ /*
+ RestrictNamespaces=[
+ #"~user"
+ #"~pid"
+ #"~net"
+ #"~uts"
+ #"~mnt"
+ #"~cgroup"
+ #"~ipc"
+ ];
+ */
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ # RemoveIPC=true
+ SystemCallArchitectures = "native";
+ # NotifyAccess=false;
+
+ ################
+ # Capabilities #
+ ################
+
+ #AmbientCapabilities=
+ CapabilityBoundingSet = [
+ "~CAP_SYS_PACCT"
+ "~CAP_KILL"
+ # "~CAP_WAKE_ALARM"
+ # "~CAP_DAC_*
+ "~CAP_FOWNER"
+ # "~CAP_IPC_OWNER"
+ # "~CAP_BPF"
+ "~CAP_LINUX_IMMUTABLE"
+ # "~CAP_IPC_LOCK"
+ "~CAP_SYS_MODULE"
+ "~CAP_SYS_TTY_CONFIG"
+ "~CAP_SYS_BOOT"
+ "~CAP_SYS_CHROOT"
+ # "~CAP_BLOCK_SUSPEND"
+ "~CAP_LEASE"
+ "~CAP_MKNOD"
+ # "~CAP_CHOWN"
+ # "~CAP_FSETID"
+ # "~CAP_SETFCAP"
+ # "~CAP_SETUID"
+ # "~CAP_SETGID"
+ # "~CAP_SETPCAP"
+ # "~CAP_MAC_ADMIN"
+ # "~CAP_MAC_OVERRIDE"
+ "~CAP_SYS_RAWIO"
+ "~CAP_SYS_PTRACE"
+ # "~CAP_SYS_NICE"
+ # "~CAP_SYS_RESOURCE"
+ # "~CAP_NET_ADMIN"
+ # "~CAP_NET_BIND_SERVICE"
+ # "~CAP_NET_BROADCAST"
+ # "~CAP_NET_RAW"
+ # "~CAP_AUDIT_CONTROL"
+ # "~CAP_AUDIT_READ"
+ # "~CAP_AUDIT_WRITE"
+ "~CAP_SYS_ADMIN"
+ # "~CAP_SYSLOG"
+ # "~CAP_SYS_TIME
+ ];
+
+ ################
+ # System calls #
+ ################
+
+ SystemCallFilter = [
+ "~@clock"
+ "~@cpu-emulation"
+ "~@debug"
+ "~@module"
+ "~@mount"
+ "~@obsolete"
+ "~@privileged"
+ "~@raw-io"
+ "~@reboot"
+ # "~@resources"
+ "~@swap"
+ ];
+}
diff --git a/modules/common/systemd/hardened-configs/common/microvm-tap-interfaces@.nix b/modules/common/systemd/hardened-configs/common/microvm-tap-interfaces@.nix
new file mode 100644
index 000000000..36420e297
--- /dev/null
+++ b/modules/common/systemd/hardened-configs/common/microvm-tap-interfaces@.nix
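Review bot: `"~@privileged"` is live in SystemCallFilter next to `"~CAP_FOWNER"` and `PrivateUsers = true;`, yet logrotate runs as root precisely so it can chown()/chmod() rotated files to other owners (`create mode owner group` rules), and chown is part of @privileged; with the default filter action the process is killed by SIGSYS on the first such rule, and under PrivateUsers the target uid is unmapped in any case. If Ghaf's logrotate configuration has no owner/group rules this is moot, but the comment block should then say so; otherwise keep `# "~@privileged"` and `# "~CAP_FOWNER"` as in the previous hunk's unit, or at least set `SystemCallErrorNumber = "EPERM";` so a violation surfaces as a logged error rather than a silent kill.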
@@ -0,0 +1,151 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ ##############
+ # Networking #
+ ##############
+
+ # PrivateNetwork=true;
+ # IPAccounting=yes
+ IPAddressDeny = "any";
+ RestrictAddressFamilies = [
+ #"~AF_PACKET"
+ #"~AF_NETLINK"
+ #"~AF_UNIX"
+ #"~AF_INET"
+ #"~AF_INET6"
+ ];
+
+ ###############
+ # File system #
+ ###############
+
+ ProtectHome = true;
+ ProtectSystem = "full";
+ ProtectProc = "noaccess";
+ # ReadWritePaths=[ "/etc"];
+ # PrivateTmp=true;
+
+ # Not applicable for the service runs as root
+ # PrivateMounts=true;
+ # ProcSubset="all";
+
+ ###################
+ # User separation #
+ ###################
+
+ # Not applicable for the service runs as root
+ # PrivateUsers=true;
+ # DynamicUser=true;
+
+ ###########
+ # Devices #
+ ###########
+
+ # PrivateDevices=false;
+ # DeviceAllow=/dev/null
+
+ ##########
+ # Kernel #
+ ##########
+
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+
+ ########
+ # Misc #
+ ########
+
+ Delegate = false;
+ # KeyringMode="private";
+ NoNewPrivileges = true;
+ UMask = 77;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ /*
+ RestrictNamespaces=[
+ #"~user"
+ #"~pid"
+ #"~net"
+ #"~uts"
+ #"~mnt"
+ #"~cgroup"
+ #"~ipc"
+ ];
+ */
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ # RemoveIPC=true
+ SystemCallArchitectures = "native";
+ # NotifyAccess=false;
+
+ ################
+ # Capabilities #
+ ################
+
+ #AmbientCapabilities=
+ CapabilityBoundingSet = [
+ "~CAP_SYS_PACCT"
+ "~CAP_KILL"
+ # "~CAP_WAKE_ALARM"
+ # "~CAP_DAC_*
+ "~CAP_FOWNER"
+ # "~CAP_IPC_OWNER"
+ # "~CAP_BPF"
+ "~CAP_LINUX_IMMUTABLE"
+ "~CAP_IPC_LOCK"
+ "~CAP_SYS_MODULE"
+ "~CAP_SYS_TTY_CONFIG"
+ "~CAP_SYS_BOOT"
+ "~CAP_SYS_CHROOT"
+ "~CAP_BLOCK_SUSPEND"
+ "~CAP_LEASE"
+ "~CAP_MKNOD"
+ # "~CAP_CHOWN"
+ # "~CAP_FSETID"
+ # "~CAP_SETFCAP"
+ # "~CAP_SETUID"
+ # "~CAP_SETGID"
+ # "~CAP_SETPCAP"
+ # "~CAP_MAC_ADMIN"
+ # "~CAP_MAC_OVERRIDE"
+ "~CAP_SYS_RAWIO"
+ "~CAP_SYS_PTRACE"
+ # "~CAP_SYS_NICE"
+ # "~CAP_SYS_RESOURCE"
+ # "~CAP_NET_ADMIN"
+ "~CAP_NET_BIND_SERVICE"
+ "~CAP_NET_BROADCAST"
+ "~CAP_NET_RAW"
+ # "~CAP_AUDIT_CONTROL"
+ # "~CAP_AUDIT_READ"
+ # "~CAP_AUDIT_WRITE"
+ "~CAP_SYS_ADMIN"
+ # "~CAP_SYSLOG"
+ # "~CAP_SYS_TIME
+ ];
+
+ ################
+ # System calls #
+ ################
+
+ SystemCallFilter = [
+ "~@clock"
+ "~@cpu-emulation"
+ "~@debug"
+ "~@module"
+ "~@mount"
+ "~@obsolete"
+ "~@privileged"
+ # "~@raw-io"
+ "~@reboot"
+ "~@resources"
+ "~@swap"
+ ];
+}
diff --git a/modules/common/systemd/hardened-configs/common/microvm-virtiofsd@.nix b/modules/common/systemd/hardened-configs/common/microvm-virtiofsd@.nix
new file mode 100644
index 000000000..38f638906
--- /dev/null
+++ b/modules/common/systemd/hardened-configs/common/microvm-virtiofsd@.nix
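Review bot: This is the one unit that deliberately stays in the host network namespace and keeps CAP_NET_ADMIN (`# PrivateNetwork=true;`, `# "~CAP_NET_ADMIN"`), so the fully commented `RestrictAddressFamilies` list is the restriction that would actually fit it: creating and configuring TAP devices is netlink and ioctl work, and an explicit allow-list such as `RestrictAddressFamilies = [ "AF_NETLINK" "AF_UNIX" ];` would document exactly that while blocking any IP socket the script has no reason to open (confirm against the template's ExecStart before applying). `IPAddressDeny = "any";` only filters IP traffic and does not touch netlink, so it is harmless here but adds no protection on its own.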
@@ -0,0 +1,152 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ ##############
+ # Networking #
+ ##############
+
+ PrivateNetwork = true;
+ # IPAccounting=yes
+ IPAddressAllow = "localhost";
+ IPAddressDeny = "any";
+ RestrictAddressFamilies = [
+ #"~AF_PACKET"
+ #"~AF_NETLINK"
+ #"~AF_UNIX"
+ #"~AF_INET"
+ #"~AF_INET6"
+ ];
+
+ ###############
+ # File system #
+ ###############
+
+ # ProtectHome=true;
+ ProtectSystem = "full";
+ ProtectProc = "noaccess";
+ # ReadWritePaths=[ "/etc"];
+ # TODO: change back to true when microvm catches up.
+ PrivateTmp = "yes";
+
+ # Not applicable for the service runs as root
+ # PrivateMounts=true;
+ # ProcSubset="all";
+
+ ###################
+ # User separation #
+ ###################
+
+ # Not applicable for the service runs as root
+ # PrivateUsers = true;
+ # DynamicUser=true;
+
+ ###########
+ # Devices #
+ ###########
+
+ # PrivateDevices=false;
+ # DeviceAllow=/dev/null
+
+ ##########
+ # Kernel #
+ ##########
+
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+
+ ########
+ # Misc #
+ ########
+
+ Delegate = false;
+ # KeyringMode="private";
+ NoNewPrivileges = true;
+ UMask = 77;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ # RestrictNamespaces = true;
+ RestrictNamespaces = [
+ #"~user"
+ #"~pid"
+ #"~net"
+ "~uts"
+ #"~mnt"
+ #"~cgroup"
+ "~ipc"
+ ];
+
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ # RemoveIPC=true
+ SystemCallArchitectures = "native";
+ # NotifyAccess=false;
+
+ ################
+ # Capabilities #
+ ################
+
+ #AmbientCapabilities=
+ CapabilityBoundingSet = [
+ "~CAP_SYS_PACCT"
+ "~CAP_KILL"
+ # "~CAP_WAKE_ALARM"
+ # "~CAP_DAC_*"
+ # "~CAP_FOWNER"
+ # "~CAP_IPC_OWNER"
+ # "~CAP_BPF"
+ "~CAP_LINUX_IMMUTABLE"
+ # "~CAP_IPC_LOCK"
+ "~CAP_SYS_MODULE"
+ "~CAP_SYS_TTY_CONFIG"
+ "~CAP_SYS_BOOT"
+ "~CAP_SYS_CHROOT"
+ "~CAP_BLOCK_SUSPEND"
+ "~CAP_LEASE"
+ # "~CAP_MKNOD"
+ # "~CAP_CHOWN"
+ # "~CAP_FSETID"
+ # "~CAP_SETFCAP"
+ # "~CAP_SETUID"
+ # "~CAP_SETGID"
+ # "~CAP_SETPCAP"
+ # "~CAP_MAC_ADMIN"
+ # "~CAP_MAC_OVERRIDE"
+ "~CAP_SYS_RAWIO"
+ "~CAP_SYS_PTRACE"
+ # "~CAP_SYS_NICE"
+ # "~CAP_SYS_RESOURCE"
+ "~CAP_NET_ADMIN"
+ "~CAP_NET_BIND_SERVICE"
+ "~CAP_NET_BROADCAST"
+ "~CAP_NET_RAW"
+ # "~CAP_AUDIT_CONTROL"
+ # "~CAP_AUDIT_READ"
+ # "~CAP_AUDIT_WRITE"
+ # "~CAP_SYS_ADMIN"
+ # "~CAP_SYSLOG"
+ # "~CAP_SYS_TIME
+ ];
+
+ ################
+ # System calls #
+ ################
+
+ SystemCallFilter = [
+ "~@clock"
+ "~@cpu-emulation"
+ "~@debug"
+ "~@module"
+ # "~@mount"
+ "~@obsolete"
+ # "~@privileged"
+ "~@raw-io"
+ "~@reboot"
+ "~@resources"
+ "~@swap"
+ ];
+}
diff --git a/modules/common/systemd/hardened-configs/common/microvm@.nix b/modules/common/systemd/hardened-configs/common/microvm@.nix
new file mode 100644
index 000000000..47715ae7f
--- /dev/null
+++ b/modules/common/systemd/hardened-configs/common/microvm@.nix
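Review bot: `IPAddressAllow = "localhost";` is dead under `PrivateNetwork = true;`: the unit only ever sees a fresh namespace with a loopback device, so the allow-list never matches anything outside it and the pair reads as if some host traffic were permitted; drop the IPAddressAllow/IPAddressDeny lines or the PrivateNetwork line so the intent is unambiguous. The `# TODO: change back to true when microvm catches up.` above `PrivateTmp = "yes";` implies the string form is weaker, but for systemd `yes` and `true` are the same setting; if the string is there to dodge a Nix type merge conflict with another module's boolean definition, say that in the comment instead. The deny-list `RestrictNamespaces = [ "~uts" "~ipc" ]` leaves user, pid, net and mnt namespaces available — presumably because virtiofsd's own sandbox needs them, in which case a one-line comment saying so would stop the next reader from re-enabling the commented `# RestrictNamespaces = true;`.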
@@ -0,0 +1,151 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ ##############
+ # Networking #
+ ##############
+
+ # PrivateNetwork=true;
+ # IPAccounting=yes
+ # IPAddressDeny="any";
+ RestrictAddressFamilies = [
+ #"~AF_PACKET"
+ #"~AF_NETLINK"
+ #"~AF_UNIX"
+ #"~AF_INET"
+ #"~AF_INET6"
+ ];
+
+ ###############
+ # File system #
+ ###############
+
+ # ProtectHome=true;
+ ProtectSystem = "full";
+ ProtectProc = "noaccess";
+ # ReadWritePaths=[ "/etc"];
+ PrivateTmp = true;
+
+ # Not applicable for the service runs as root
+ # PrivateMounts=true;
+ # ProcSubset="all";
+
+ ###################
+ # User separation #
+ ###################
+
+ # Not applicable for the service runs as root
+ PrivateUsers = true;
+ # DynamicUser=true;
+
+ ###########
+ # Devices #
+ ###########
+
+ # PrivateDevices=false;
+ # DeviceAllow=/dev/null
+
+ ##########
+ # Kernel #
+ ##########
+
+ # ProtectKernelTunables=true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+
+ ########
+ # Misc #
+ ########
+
+ Delegate = false;
+ # KeyringMode="private";
+ NoNewPrivileges = true;
+ UMask = 77;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ /*
+ RestrictNamespaces=[
+ #"~user"
+ #"~pid"
+ #"~net"
+ #"~uts"
+ #"~mnt"
+ #"~cgroup"
+ #"~ipc"
+ ];
+ */
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ # RemoveIPC=true
+ SystemCallArchitectures = "native";
+ # NotifyAccess=false;
+
+ ################
+ # Capabilities #
+ ################
+
+ #AmbientCapabilities=
+ CapabilityBoundingSet = [
+ "~CAP_SYS_PACCT"
+ "~CAP_KILL"
+ # "~CAP_WAKE_ALARM"
+ # "~CAP_DAC_*
+ "~CAP_FOWNER"
+ # "~CAP_IPC_OWNER"
+ # "~CAP_BPF"
+ "~CAP_LINUX_IMMUTABLE"
+ # "~CAP_IPC_LOCK"
+ "~CAP_SYS_MODULE"
+ "~CAP_SYS_TTY_CONFIG"
+ "~CAP_SYS_BOOT"
+ "~CAP_SYS_CHROOT"
+ # "~CAP_BLOCK_SUSPEND"
+ "~CAP_LEASE"
+ "~CAP_MKNOD"
+ # "~CAP_CHOWN"
+ # "~CAP_FSETID"
+ # "~CAP_SETFCAP"
+ # "~CAP_SETUID"
+ # "~CAP_SETGID"
+ # "~CAP_SETPCAP"
+ # "~CAP_MAC_ADMIN"
+ # "~CAP_MAC_OVERRIDE"
+ "~CAP_SYS_RAWIO"
+ "~CAP_SYS_PTRACE"
+ # "~CAP_SYS_NICE"
+ # "~CAP_SYS_RESOURCE"
+ # "~CAP_NET_ADMIN"
+ # "~CAP_NET_BIND_SERVICE"
+ # "~CAP_NET_BROADCAST"
+ # "~CAP_NET_RAW"
+ # "~CAP_AUDIT_CONTROL"
+ # "~CAP_AUDIT_READ"
+ # "~CAP_AUDIT_WRITE"
+ "~CAP_SYS_ADMIN"
+ # "~CAP_SYSLOG"
+ # "~CAP_SYS_TIME
+ ];
+
+ ################
+ # System calls #
+ ################
+
+ SystemCallFilter = [
+ "~@clock"
+ # "~@cpu-emulation"
+ "~@debug"
+ "~@module"
+ "~@mount"
+ "~@obsolete"
+ # "~@privileged"
+ # "~@raw-io"
+ "~@reboot"
+ # "~@resources"
+ "~@swap"
+ ];
+}
diff --git a/modules/common/systemd/hardened-configs/common/network-local-commands.nix b/modules/common/systemd/hardened-configs/common/network-local-commands.nix
new file mode 100644
index 000000000..69e19684e
--- /dev/null
+++ b/modules/common/systemd/hardened-configs/common/network-local-commands.nix
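Review bot: `# ProtectKernelTunables=true;` is disabled only in this unit, with no comment explaining which /proc/sys or /sys path the VMM needs to write; without that the next cleanup pass will either re-enable it and break VM start-up or keep it off everywhere out of caution, so record the reason inline, e.g. `# ProtectKernelTunables off: <path the VMM writes> — TODO confirm`. The same goes for `# "~@cpu-emulation"`, `# "~@raw-io"` and `# "~@resources"` being left open here but closed in most sibling units; a VMM using KVM with a hypervisor such as cloud-hypervisor or QEMU should not need these, so if they were opened because of an observed failure the failing call is worth naming in the comment. `MemoryDenyWriteExecute = true;` is fine with KVM acceleration but would kill a JIT/TCG fallback, which is worth a comment too.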
@@ -0,0 +1,151 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ ##############
+ # Networking #
+ ##############
+
+ PrivateNetwork = true;
+ # IPAccounting=yes
+ IPAddressDeny = "any";
+ RestrictAddressFamilies = [
+ #"~AF_PACKET"
+ #"~AF_NETLINK"
+ #"~AF_UNIX"
+ #"~AF_INET"
+ #"~AF_INET6"
+ ];
+
+ ###############
+ # File system #
+ ###############
+
+ # ProtectHome=true;
+ # ProtectSystem="full";
+ ProtectProc = "noaccess";
+ # ReadWritePaths=[ "/etc"];
+ PrivateTmp = true;
+
+ # Not applicable for the service runs as root
+ # PrivateMounts=true;
+ # ProcSubset="all";
+
+ ###################
+ # User separation #
+ ###################
+
+ # Not applicable for the service runs as root
+ PrivateUsers = true;
+ # DynamicUser=true;
+
+ ###########
+ # Devices #
+ ###########
+
+ # PrivateDevices=false;
+ # DeviceAllow=/dev/null
+
+ ##########
+ # Kernel #
+ ##########
+
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+
+ ########
+ # Misc #
+ ########
+
+ Delegate = false;
+ # KeyringMode="private";
+ NoNewPrivileges = true;
+ UMask = 77;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ /*
+ RestrictNamespaces=[
+ #"~user"
+ #"~pid"
+ #"~net"
+ #"~uts"
+ #"~mnt"
+ #"~cgroup"
+ #"~ipc"
+ ];
+ */
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ # RemoveIPC=true
+ SystemCallArchitectures = "native";
+ # NotifyAccess=false;
+
+ ################
+ # Capabilities #
+ ################
+
+ #AmbientCapabilities=
+ CapabilityBoundingSet = [
+ "~CAP_SYS_PACCT"
+ "~CAP_KILL"
+ # "~CAP_WAKE_ALARM"
+ # "~CAP_DAC_*
+ "~CAP_FOWNER"
+ # "~CAP_IPC_OWNER"
+ # "~CAP_BPF"
+ "~CAP_LINUX_IMMUTABLE"
+ "~CAP_IPC_LOCK"
+ "~CAP_SYS_MODULE"
+ "~CAP_SYS_TTY_CONFIG"
+ "~CAP_SYS_BOOT"
+ "~CAP_SYS_CHROOT"
+ "~CAP_BLOCK_SUSPEND"
+ "~CAP_LEASE"
+ "~CAP_MKNOD"
+ # "~CAP_CHOWN"
+ # "~CAP_FSETID"
+ # "~CAP_SETFCAP"
+ # "~CAP_SETUID"
+ # "~CAP_SETGID"
+ # "~CAP_SETPCAP"
+ # "~CAP_MAC_ADMIN"
+ # "~CAP_MAC_OVERRIDE"
+ "~CAP_SYS_RAWIO"
+ "~CAP_SYS_PTRACE"
+ # "~CAP_SYS_NICE"
+ # "~CAP_SYS_RESOURCE"
+ "~CAP_NET_ADMIN"
+ "~CAP_NET_BIND_SERVICE"
+ "~CAP_NET_BROADCAST"
+ "~CAP_NET_RAW"
+ # "~CAP_AUDIT_CONTROL"
+ # "~CAP_AUDIT_READ"
+ # "~CAP_AUDIT_WRITE"
+ "~CAP_SYS_ADMIN"
+ # "~CAP_SYSLOG"
+ # "~CAP_SYS_TIME
+ ];
+
+ ################
+ # System calls #
+ ################
+
+ SystemCallFilter = [
+ "~@clock"
+ "~@cpu-emulation"
+ "~@debug"
+ "~@module"
+ "~@mount"
+ "~@obsolete"
+ "~@privileged"
+ # "~@raw-io"
+ "~@reboot"
+ "~@resources"
+ "~@swap"
+ ];
+}
diff --git a/modules/common/systemd/hardened-configs/common/nscd.nix b/modules/common/systemd/hardened-configs/common/nscd.nix
new file mode 100644
index 000000000..bd5c5b61d
--- /dev/null
+++ b/modules/common/systemd/hardened-configs/common/nscd.nix
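Review bot: `PrivateNetwork = true;` together with the live `"~CAP_NET_ADMIN"` (and `"~CAP_NET_RAW"`) puts this unit in an empty loopback-only namespace with no right to configure interfaces, but in NixOS network-local-commands.service exists to run the administrator's `networking.localCommands`, which are almost always `ip`/firewall commands against the host. If Ghaf sets no localCommands the unit is an empty shell and the profile is moot, which is worth stating in a comment; if it does, these two lines defeat the service's purpose and should be commented out as in microvm-tap-interfaces@.nix, keeping the rest of the profile. `# ProtectSystem="full";` is also disabled here without a stated reason, although the unit has nothing to write under /usr, /boot or /etc.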
@@ -0,0 +1,151 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ ##############
+ # Networking #
+ ##############
+
+ # PrivateNetwork=true;
+ # IPAccounting=yes
+ # IPAddressDeny="any";
+ RestrictAddressFamilies = [
+ #"~AF_PACKET"
+ #"~AF_NETLINK"
+ #"~AF_UNIX"
+ #"~AF_INET"
+ #"~AF_INET6"
+ ];
+
+ ###############
+ # File system #
+ ###############
+
+ # ProtectHome=true;
+ # ProtectSystem="full";
+ ProtectProc = "noaccess";
+ # ReadWritePaths=[ "/etc"];
+ PrivateTmp = true;
+
+ # Not applicable for the service runs as root
+ # PrivateMounts=true;
+ # ProcSubset="all";
+
+ ###################
+ # User separation #
+ ###################
+
+ # Not applicable for the service runs as root
+ PrivateUsers = true;
+ # DynamicUser=true;
+
+ ###########
+ # Devices #
+ ###########
+
+ # PrivateDevices=false;
+ # DeviceAllow=/dev/null
+
+ ##########
+ # Kernel #
+ ##########
+
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+
+ ########
+ # Misc #
+ ########
+
+ Delegate = false;
+ # KeyringMode="private";
+ NoNewPrivileges = true;
+ UMask = 77;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ /*
+ RestrictNamespaces=[
+ #"~user"
+ #"~pid"
+ #"~net"
+ #"~uts"
+ #"~mnt"
+ #"~cgroup"
+ #"~ipc"
+ ];
+ */
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ # RemoveIPC=true
+ SystemCallArchitectures = "native";
+ # NotifyAccess=false;
+
+ ################
+ # Capabilities #
+ ################
+
+ #AmbientCapabilities=
+ CapabilityBoundingSet = [
+ "~CAP_SYS_PACCT"
+ "~CAP_KILL"
+ # "~CAP_WAKE_ALARM"
+ # "~CAP_DAC_*
+ "~CAP_FOWNER"
+ # "~CAP_IPC_OWNER"
+ # "~CAP_BPF"
+ "~CAP_LINUX_IMMUTABLE"
+ # "~CAP_IPC_LOCK"
+ "~CAP_SYS_MODULE"
+ "~CAP_SYS_TTY_CONFIG"
+ "~CAP_SYS_BOOT"
+ "~CAP_SYS_CHROOT"
+ # "~CAP_BLOCK_SUSPEND"
+ "~CAP_LEASE"
+ "~CAP_MKNOD"
+ # "~CAP_CHOWN"
+ # "~CAP_FSETID"
+ # "~CAP_SETFCAP"
+ # "~CAP_SETUID"
+ # "~CAP_SETGID"
+ # "~CAP_SETPCAP"
+ # "~CAP_MAC_ADMIN"
+ # "~CAP_MAC_OVERRIDE"
+ "~CAP_SYS_RAWIO"
+ "~CAP_SYS_PTRACE"
+ # "~CAP_SYS_NICE"
+ # "~CAP_SYS_RESOURCE"
+ "~CAP_NET_ADMIN"
+ "~CAP_NET_BIND_SERVICE"
+ "~CAP_NET_BROADCAST"
+ "~CAP_NET_RAW"
+ # "~CAP_AUDIT_CONTROL"
+ # "~CAP_AUDIT_READ"
+ # "~CAP_AUDIT_WRITE"
+ "~CAP_SYS_ADMIN"
+ # "~CAP_SYSLOG"
+ # "~CAP_SYS_TIME
+ ];
+
+ ################
+ # System calls #
+ ################
+
+ SystemCallFilter = [
+ "~@clock"
+ # "~@cpu-emulation"
+ "~@debug"
+ "~@module"
+ "~@mount"
+ "~@obsolete"
+ "~@privileged"
+ # "~@raw-io"
+ "~@reboot"
+ "~@resources"
+ "~@swap"
+ ];
+}
diff --git a/modules/common/systemd/hardened-configs/common/pulseaudio.nix b/modules/common/systemd/hardened-configs/common/pulseaudio.nix
new file mode 100644
index 000000000..3a3b5c97a
--- /dev/null
+++ b/modules/common/systemd/hardened-configs/common/pulseaudio.nix
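Review bot: `# ProtectSystem="full";` is switched off for nscd without a recorded reason, while the unit keeps `ProtectProc = "noaccess"` and the full syscall/capability profile; `full` only makes /usr, /boot and /etc read-only, and a name-service cache has nothing to write there, so either it was disabled because of a concrete failure (name it in the comment) or it should match the sibling units. Leaving `# "~@cpu-emulation"` and `# "~@raw-io"` open here is equally unexplained; if they are intentional, a short comment on each would keep later passes from guessing.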
@@ -0,0 +1,154 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ ##############
+ # Networking #
+ ##############
+
+ # PrivateNetwork=true;
+ # IPAccounting=yes
+ # IPAddressDeny="any";
+ RestrictAddressFamilies = [
+ "~AF_PACKET"
+ #"~AF_NETLINK"
+ #"~AF_UNIX"
+ #"~AF_INET"
+ #"~AF_INET6"
+ ];
+
+ ###############
+ # File system #
+ ###############
+
+ ProtectHome = true;
+ ProtectSystem = "strict";
+ ProtectProc = "invisible";
+ ReadWritePaths = [
+ "/var/run/"
+ "/var/lib/"
+ ];
+ PrivateTmp = true;
+
+ # Not applicable for the service runs as root
+ # PrivateMounts=true;
+ # ProcSubset="all";
+
+ ###################
+ # User separation #
+ ###################
+
+ # Not applicable for the service runs as root
+ # PrivateUsers=true;
+ # DynamicUser=true;
+
+ ###########
+ # Devices #
+ ###########
+
+ # PrivateDevices=false;
+ # DeviceAllow=/dev/null
+
+ ##########
+ # Kernel #
+ ##########
+
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+
+ ########
+ # Misc #
+ ########
+
+ # Delegate=false;
+ # KeyringMode="private";
+ NoNewPrivileges = true;
+ # UMask=077;
+ ProtectHostname = true;
+ ProtectClock = true;
+ # ProtectControlGroups=true;
+ # RestrictNamespaces=true;
+ /*
+ RestrictNamespaces=[
+ #"~user"
+ #"~pid"
+ #"~net"
+ #"~uts"
+ #"~mnt"
+ #"~cgroup"
+ #"~ipc"
+ ];
+ */
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ # RemoveIPC=true
+ SystemCallArchitectures = "native";
+ # NotifyAccess=false;
+
+ ################
+ # Capabilities #
+ ################
+
+ #AmbientCapabilities=
+ CapabilityBoundingSet = [
+ "~CAP_SYS_PACCT"
+ "~CAP_KILL"
+ # "~CAP_WAKE_ALARM"
+ # "~CAP_DAC_*
+ # "~CAP_FOWNER"
+ # "~CAP_IPC_OWNER"
+ # "~CAP_BPF"
+ "~CAP_LINUX_IMMUTABLE"
+ # "~CAP_IPC_LOCK"
+ "~CAP_SYS_MODULE"
+ "~CAP_SYS_TTY_CONFIG"
+ "~CAP_SYS_BOOT"
+ "~CAP_SYS_CHROOT"
+ "~CAP_BLOCK_SUSPEND"
+ "~CAP_LEASE"
+ "~CAP_MKNOD"
+ # "~CAP_CHOWN"
+ # "~CAP_FSETID"
+ # "~CAP_SETFCAP"
+ # "~CAP_SETUID"
+ # "~CAP_SETGID"
+ # "~CAP_SETPCAP"
+ # "~CAP_MAC_ADMIN"
+ # "~CAP_MAC_OVERRIDE"
+ "~CAP_SYS_RAWIO"
+ "~CAP_SYS_PTRACE"
+ # "~CAP_SYS_NICE"
+ # "~CAP_SYS_RESOURCE"
+ # "~CAP_NET_ADMIN"
+ # "~CAP_NET_BIND_SERVICE"
+ # "~CAP_NET_BROADCAST"
+ # "~CAP_NET_RAW"
+ # "~CAP_AUDIT_CONTROL"
+ # "~CAP_AUDIT_READ"
+ # "~CAP_AUDIT_WRITE"
+ # "~CAP_SYS_ADMIN"
+ # "~CAP_SYSLOG"
+ # "~CAP_SYS_TIME
+ ];
+
+ ################
+ # System calls #
+ ################
+
+ SystemCallFilter = [
+ "~@clock"
+ "~@cpu-emulation"
+ "~@debug"
+ "~@module"
+ "~@mount"
+ "~@obsolete"
+ # "~@privileged"
+ "~@raw-io"
+ "~@reboot"
+ # "~@resources"
+ "~@swap"
+ ];
+}
diff --git a/modules/common/systemd/hardened-configs/common/rtkit-daemon.nix b/modules/common/systemd/hardened-configs/common/rtkit-daemon.nix
new file mode 100644
index 000000000..7f152cd20
--- /dev/null
+++ b/modules/common/systemd/hardened-configs/common/rtkit-daemon.nix
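Review bot: `ReadWritePaths = [ "/var/run/" "/var/lib/" ];` grants the unit write access to every service's runtime and state directory, which largely cancels the `ProtectSystem = "strict";` on the line above it; a compromised audio daemon could then tamper with other units' state. Narrow it to the daemon's own directories, preferably with `RuntimeDirectory =` and `StateDirectory =` so systemd creates and scopes them, and keep ReadWritePaths only for whatever is genuinely left over. With `# "~CAP_SYS_ADMIN"`, `# "~CAP_NET_*"` and `# "~@privileged"` all open, a one-line comment per opened entry naming what the system-wide daemon needs it for would make the profile reviewable.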
@@ -0,0 +1,151 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ ##############
+ # Networking #
+ ##############
+
+ # PrivateNetwork=true;
+ # IPAccounting=yes
+ # IPAddressDeny="any";
+ RestrictAddressFamilies = [
+ "~AF_PACKET"
+ #"~AF_NETLINK"
+ #"~AF_UNIX"
+ #"~AF_INET"
+ #"~AF_INET6"
+ ];
+
+ ###############
+ # File system #
+ ###############
+
+ ProtectHome = true;
+ ProtectSystem = "strict";
+ ProtectProc = "invisible";
+ # ReadWritePaths=[ "/etc"];
+ PrivateTmp = true;
+
+ # Not applicable for the service runs as root
+ # PrivateMounts=true;
+ # ProcSubset="all";
+
+ ###################
+ # User separation #
+ ###################
+
+ # Not applicable for the service runs as root
+ # PrivateUsers=true;
+ # DynamicUser=true;
+
+ ###########
+ # Devices #
+ ###########
+
+ # PrivateDevices=false;
+ # DeviceAllow=/dev/null
+
+ ##########
+ # Kernel #
+ ##########
+
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+
+ ########
+ # Misc #
+ ########
+
+ # Delegate=false;
+ # KeyringMode="private";
+ NoNewPrivileges = true;
+ # UMask=077;
+ ProtectHostname = true;
+ ProtectClock = true;
+ # ProtectControlGroups=true;
+ # RestrictNamespaces=true;
+ /*
+ RestrictNamespaces=[
+ #"~user"
+ #"~pid"
+ #"~net"
+ #"~uts"
+ #"~mnt"
+ #"~cgroup"
+ #"~ipc"
+ ];
+ */
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ # RestrictRealtime=true;
+ RestrictSUIDSGID = true;
+ # RemoveIPC=true
+ SystemCallArchitectures = "native";
+ # NotifyAccess=false;
+
+ ################
+ # Capabilities #
+ ################
+
+ #AmbientCapabilities=
+ CapabilityBoundingSet = [
+ "~CAP_SYS_PACCT"
+ "~CAP_KILL"
+ # "~CAP_WAKE_ALARM"
+ # "~CAP_DAC_*
+ # "~CAP_FOWNER"
+ # "~CAP_IPC_OWNER"
+ # "~CAP_BPF"
+ "~CAP_LINUX_IMMUTABLE"
+ # "~CAP_IPC_LOCK"
+ "~CAP_SYS_MODULE"
+ "~CAP_SYS_TTY_CONFIG"
+ "~CAP_SYS_BOOT"
+ # "~CAP_SYS_CHROOT"
+ "~CAP_BLOCK_SUSPEND"
+ "~CAP_LEASE"
+ "~CAP_MKNOD"
+ # "~CAP_CHOWN"
+ # "~CAP_FSETID"
+ # "~CAP_SETFCAP"
+ # "~CAP_SETUID"
+ # "~CAP_SETGID"
+ # "~CAP_SETPCAP"
+ # "~CAP_MAC_ADMIN"
+ # "~CAP_MAC_OVERRIDE"
+ "~CAP_SYS_RAWIO"
+ "~CAP_SYS_PTRACE"
+ # "~CAP_SYS_NICE"
+ # "~CAP_SYS_RESOURCE"
+ # "~CAP_NET_ADMIN"
+ # "~CAP_NET_BIND_SERVICE"
+ # "~CAP_NET_BROADCAST"
+ # "~CAP_NET_RAW"
+ # "~CAP_AUDIT_CONTROL"
+ # "~CAP_AUDIT_READ"
+ # "~CAP_AUDIT_WRITE"
+ # "~CAP_SYS_ADMIN"
+ # "~CAP_SYSLOG"
+ # "~CAP_SYS_TIME
+ ];
+
+ ################
+ # System calls #
+ ################
+
+ SystemCallFilter = [
+ "~@clock"
+ "~@cpu-emulation"
+ "~@debug"
+ "~@module"
+ # "~@mount"
+ "~@obsolete"
+ # "~@privileged"
+ "~@raw-io"
+ "~@reboot"
+ # "~@resources"
+ "~@swap"
+ ];
+}
diff --git a/modules/common/systemd/hardened-configs/common/seatd.nix b/modules/common/systemd/hardened-configs/common/seatd.nix
new file mode 100644
index 000000000..8134aef04
--- /dev/null
+++ b/modules/common/systemd/hardened-configs/common/seatd.nix
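Review bot: `ProtectProc = "invisible";` combined with the live `"~CAP_SYS_PTRACE"` may blind rtkit-daemon to its own clients: invisible mode hides other users' /proc/<pid> entries from anything that cannot pass a ptrace access check, and as far as I recall rtkit validates each request by reading the requesting thread's entries under /proc before changing its scheduling class. Verify that a realtime request from a non-root session still succeeds with this profile; if it does not, `ProtectProc = "default";` (or "noaccess" as in the other units) with the ptrace drop kept is the smaller relaxation. The opened `# "~CAP_SYS_CHROOT"`, `# "~CAP_SYS_NICE"`, `# "~@privileged"`, `# "~@mount"` and `# RestrictRealtime=true;` entries are consistent with what rtkit-daemon does itself, but a one-line comment on each would save the next reader that analysis.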
@@ -0,0 +1,151 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ ##############
+ # Networking #
+ ##############
+
+ # PrivateNetwork=true;
+ # IPAccounting=yes
+ # IPAddressDeny="any";
+ RestrictAddressFamilies = [
+ #"~AF_PACKET"
+ #"~AF_NETLINK"
+ #"~AF_UNIX"
+ #"~AF_INET"
+ #"~AF_INET6"
+ ];
+
+ ###############
+ # File system #
+ ###############
+
+ # ProtectHome=true;
+ ProtectSystem = "full";
+ ProtectProc = "noaccess";
+ # ReadWritePaths=[ "/etc"];
+ PrivateTmp = true;
+
+ # Not applicable for the service runs as root
+ # PrivateMounts=true;
+ # ProcSubset="all";
+
+ ###################
+ # User separation #
+ ###################
+
+ # Not applicable for the service runs as root
+ # PrivateUsers=true;
+ # DynamicUser=true;
+
+ ###########
+ # Devices #
+ ###########
+
+ # PrivateDevices=false;
+ # DeviceAllow=/dev/null
+
+ ##########
+ # Kernel #
+ ##########
+
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+
+ ########
+ # Misc #
+ ########
+
+ Delegate = false;
+ # KeyringMode="private";
+ NoNewPrivileges = true;
+ UMask = 77;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ /*
+ RestrictNamespaces=[
+ #"~user"
+ #"~pid"
+ #"~net"
+ #"~uts"
+ #"~mnt"
+ #"~cgroup"
+ #"~ipc"
+ ];
+ */
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ # RemoveIPC=true
+ SystemCallArchitectures = "native";
+ # NotifyAccess=false;
+
+ ################
+ # Capabilities #
+ ################
+
+ #AmbientCapabilities=
+ CapabilityBoundingSet = [
+ "~CAP_SYS_PACCT"
+ "~CAP_KILL"
+ # "~CAP_WAKE_ALARM"
+ # "~CAP_DAC_*
+ "~CAP_FOWNER"
+ # "~CAP_IPC_OWNER"
+ # "~CAP_BPF"
+ "~CAP_LINUX_IMMUTABLE"
+ # "~CAP_IPC_LOCK"
+ "~CAP_SYS_MODULE"
+ # "~CAP_SYS_TTY_CONFIG"
+ "~CAP_SYS_BOOT"
+ "~CAP_SYS_CHROOT"
+ # "~CAP_BLOCK_SUSPEND"
+ "~CAP_LEASE"
+ "~CAP_MKNOD"
+ # "~CAP_CHOWN"
+ # "~CAP_FSETID"
+ # "~CAP_SETFCAP"
+ # "~CAP_SETUID"
+ # "~CAP_SETGID"
+ # "~CAP_SETPCAP"
+ # "~CAP_MAC_ADMIN"
+ # "~CAP_MAC_OVERRIDE"
+ "~CAP_SYS_RAWIO"
+ "~CAP_SYS_PTRACE"
+ # "~CAP_SYS_NICE"
+ # "~CAP_SYS_RESOURCE"
+ # "~CAP_NET_ADMIN"
+ # "~CAP_NET_BIND_SERVICE"
+ # "~CAP_NET_BROADCAST"
+ # "~CAP_NET_RAW"
+ # "~CAP_AUDIT_CONTROL"
+ # "~CAP_AUDIT_READ"
+ # "~CAP_AUDIT_WRITE"
+ "~CAP_SYS_ADMIN"
+ # "~CAP_SYSLOG"
+ # "~CAP_SYS_TIME
+ ];
+
+ ################
+ # System calls #
+ ################
+
+ SystemCallFilter = [
+ "~@clock"
+ "~@cpu-emulation"
+ "~@debug"
+ "~@module"
+ "~@mount"
+ "~@obsolete"
+ # "~@privileged"
+ "~@raw-io"
+ "~@reboot"
+ # "~@resources"
+ "~@swap"
+ ];
+}
diff --git a/modules/common/systemd/hardened-configs/common/systemd-fsck-root.nix b/modules/common/systemd/hardened-configs/common/systemd-fsck-root.nix
new file mode 100644
index 000000000..efda36ea6
--- /dev/null
+++ b/modules/common/systemd/hardened-configs/common/systemd-fsck-root.nix
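Review bot: Dropping CAP_SYS_ADMIN (`"~CAP_SYS_ADMIN"` is live) is likely to break seatd's VT switching: the DRM master ioctl can be reacquired by a process that is not currently master only with CAP_SYS_ADMIN, and seatd drops and re-takes master on every session switch on behalf of the compositor. Test a VT switch and back with this profile before merging; if it fails, `# "~CAP_SYS_ADMIN"` with a comment such as `# kept: DRM set-master after VT switch` is the precise relaxation, and `DeviceAllow =` rules for the DRM and input device classes would recover some of the lost containment. Keeping `# "~CAP_SYS_TTY_CONFIG"` open is consistent with seatd's VT ioctls and deserves the same one-line comment.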
@@ -0,0 +1,151 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ ##############
+ # Networking #
+ ##############
+
+ PrivateNetwork = true;
+ # IPAccounting=yes
+ IPAddressDeny = "any";
+ RestrictAddressFamilies = [
+ "~AF_PACKET"
+ "~AF_NETLINK"
+ "~AF_UNIX"
+ "~AF_INET"
+ "~AF_INET6"
+ ];
+
+ ###############
+ # File system #
+ ###############
+
+ # ProtectHome=true;
+ ProtectSystem = "full";
+ ProtectProc = "noaccess";
+ # ReadWritePaths=[ "/etc"];
+ # PrivateTmp=true;
+
+ # Not applicable for the service runs as root
+ # PrivateMounts=true;
+ # ProcSubset="all";
+
+ ###################
+ # User separation #
+ ###################
+
+ # Not applicable for the service runs as root
+ # PrivateUsers=true;
+ # DynamicUser=true;
+
+ ###########
+ # Devices #
+ ###########
+
+ PrivateDevices = true;
+ # DeviceAllow=/dev/null
+
+ ##########
+ # Kernel #
+ ##########
+
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+
+ ########
+ # Misc #
+ ########
+
+ Delegate = false;
+ # KeyringMode="private";
+ NoNewPrivileges = true;
+ UMask = 77;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ /*
+ RestrictNamespaces=[
+ #"~user"
+ #"~pid"
+ #"~net"
+ #"~uts"
+ #"~mnt"
+ #"~cgroup"
+ #"~ipc"
+ ];
+ */
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ # RemoveIPC=true
+ SystemCallArchitectures = "native";
+ # NotifyAccess=false;
+
+ ################
+ # Capabilities #
+ ################
+
+ #AmbientCapabilities=
+ CapabilityBoundingSet = [
+ "~CAP_SYS_PACCT"
+ "~CAP_KILL"
+ # "~CAP_WAKE_ALARM"
+ # "~CAP_DAC_*
+ "~CAP_FOWNER"
+ # "~CAP_IPC_OWNER"
+ # "~CAP_BPF"
+ "~CAP_LINUX_IMMUTABLE"
+ "~CAP_IPC_LOCK"
+ "~CAP_SYS_MODULE"
+ "~CAP_SYS_TTY_CONFIG"
+ "~CAP_SYS_BOOT"
+ "~CAP_SYS_CHROOT"
+ "~CAP_BLOCK_SUSPEND"
+ "~CAP_LEASE"
+ "~CAP_MKNOD"
+ # "~CAP_CHOWN"
+ # "~CAP_FSETID"
+ # "~CAP_SETFCAP"
+ # "~CAP_SETUID"
+ # "~CAP_SETGID"
+ # "~CAP_SETPCAP"
+ # "~CAP_MAC_ADMIN"
+ # "~CAP_MAC_OVERRIDE"
+ "~CAP_SYS_RAWIO"
+ "~CAP_SYS_PTRACE"
+ # "~CAP_SYS_NICE"
+ # "~CAP_SYS_RESOURCE"
+ "~CAP_NET_ADMIN"
+ "~CAP_NET_BIND_SERVICE"
+ "~CAP_NET_BROADCAST"
+ "~CAP_NET_RAW"
+ # "~CAP_AUDIT_CONTROL"
+ # "~CAP_AUDIT_READ"
+ # "~CAP_AUDIT_WRITE"
+ # "~CAP_SYS_ADMIN"
+ # "~CAP_SYSLOG"
+ # "~CAP_SYS_TIME
+ ];
+
+ ################
+ # System calls #
+ ################
+
+ SystemCallFilter = [
+ "~@clock"
+ "~@cpu-emulation"
+ "~@debug"
+ "~@module"
+ # "~@mount"
+ "~@obsolete"
+ # "~@privileged"
+ # "~@raw-io"
+ "~@reboot"
+ "~@resources"
+ "~@swap"
+ ];
+}
diff --git a/modules/common/systemd/hardened-configs/common/systemd-journal-catalog-update.nix b/modules/common/systemd/hardened-configs/common/systemd-journal-catalog-update.nix
new file mode 100644
index 000000000..700f57cda
--- /dev/null
+++ b/modules/common/systemd/hardened-configs/common/systemd-journal-catalog-update.nix
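Review bot: `PrivateDevices = true;` gives the unit a private /dev containing only pseudo-devices, so the root block device that systemd-fsck-root exists to check is not visible to it and fsck would fail to open its target the moment the unit actually runs. On NixOS this unit is, as far as I recall, skipped whenever the root filesystem is already read-write after stage 1, which would make the profile moot today rather than harmful, but a profile that only works because its unit never runs is a trap; replace the line with `# PrivateDevices=false;` as in the sibling units, or keep it with a `DeviceAllow =` rule for the root device and a comment explaining the condition. The all-live `RestrictAddressFamilies` deny-list is the right shape for a unit with `PrivateNetwork = true;` and is a good template for the sibling units whose lists are entirely commented out.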
@@ -0,0 +1,151 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ ##############
+ # Networking #
+ ##############
+
+ # PrivateNetwork=true;
+ # IPAccounting=yes
+ # IPAddressDeny="any";
+ RestrictAddressFamilies = [
+ #"~AF_PACKET"
+ #"~AF_NETLINK"
+ #"~AF_UNIX"
+ #"~AF_INET"
+ #"~AF_INET6"
+ ];
+
+ ###############
+ # File system #
+ ###############
+
+ # ProtectHome=true;
+ ProtectSystem = "full";
+ ProtectProc = "noaccess";
+ # ReadWritePaths=[ "/etc"];
+ PrivateTmp = true;
+
+ # Not applicable for the service runs as root
+ # PrivateMounts=true;
+ # ProcSubset="all";
+
+ ###################
+ # User separation #
+ ###################
+
+ # Not applicable for the service runs as root
+ PrivateUsers = true;
+ # DynamicUser=true;
+
+ ###########
+ # Devices #
+ ###########
+
+ # PrivateDevices=false;
+ # DeviceAllow=/dev/null
+
+ ##########
+ # Kernel #
+ ##########
+
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+
+ ########
+ # Misc #
+ ########
+
+ Delegate = false;
+ # KeyringMode="private";
+ NoNewPrivileges = true;
+ UMask = 77;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ /*
+ RestrictNamespaces=[
+ #"~user"
+ #"~pid"
+ #"~net"
+ #"~uts"
+ #"~mnt"
+ #"~cgroup"
+ #"~ipc"
+ ];
+ */
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ # RemoveIPC=true
+ SystemCallArchitectures = "native";
+ # NotifyAccess=false;
+
+ ################
+ # Capabilities #
+ ################
+
+ #AmbientCapabilities=
+ CapabilityBoundingSet = [
+ "~CAP_SYS_PACCT"
+ "~CAP_KILL"
+ # "~CAP_WAKE_ALARM"
+ # "~CAP_DAC_*
+ "~CAP_FOWNER"
+ # "~CAP_IPC_OWNER"
+ # "~CAP_BPF"
+ "~CAP_LINUX_IMMUTABLE"
+ # "~CAP_IPC_LOCK"
+ "~CAP_SYS_MODULE"
+ "~CAP_SYS_TTY_CONFIG"
+ "~CAP_SYS_BOOT"
+ "~CAP_SYS_CHROOT"
+ # "~CAP_BLOCK_SUSPEND"
+ "~CAP_LEASE"
+ "~CAP_MKNOD"
+ # "~CAP_CHOWN"
+ # "~CAP_FSETID"
+ # "~CAP_SETFCAP"
+ # "~CAP_SETUID"
+ # "~CAP_SETGID"
+ # "~CAP_SETPCAP"
+ # "~CAP_MAC_ADMIN"
+ # "~CAP_MAC_OVERRIDE"
+ "~CAP_SYS_RAWIO"
+ "~CAP_SYS_PTRACE"
+ # "~CAP_SYS_NICE"
+ # "~CAP_SYS_RESOURCE"
+ # "~CAP_NET_ADMIN"
+ # "~CAP_NET_BIND_SERVICE"
+ # "~CAP_NET_BROADCAST"
+ # "~CAP_NET_RAW"
+ # "~CAP_AUDIT_CONTROL"
+ # "~CAP_AUDIT_READ"
+ # "~CAP_AUDIT_WRITE"
+ "~CAP_SYS_ADMIN"
+ # "~CAP_SYSLOG"
+ "~CAP_SYS_TIME"
+ ];
+
+ ################
+ # System calls #
+ ################
+
+ SystemCallFilter = [
+ "~@clock"
+ "~@cpu-emulation"
+ "~@debug"
+ "~@module"
+ "~@mount"
+ "~@obsolete"
+ "~@privileged"
+ "~@raw-io"
+ "~@reboot"
+ "~@resources"
+ "~@swap"
+ ];
+}
diff --git a/modules/common/systemd/hardened-configs/common/systemd-journal-flush.nix b/modules/common/systemd/hardened-configs/common/systemd-journal-flush.nix
new file mode 100644
index 000000000..4174778d4
--- /dev/null
+++ b/modules/common/systemd/hardened-configs/common/systemd-journal-flush.nix
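Review bot: The comment `# Not applicable for the service runs as root` is kept directly above an enabled `PrivateUsers = true;`, so the note contradicts the directive it heads; either drop the comment or replace it with the actual reason, e.g. `# PrivateUsers: the catalog update needs no host uids beyond root`. The same contradiction is in the journal-flush, networkd-wait-online and tmpfiles-clean hunks. Separately, `RestrictAddressFamilies = [ ];` with every entry commented out is inert — as far as NixOS's unit serialiser goes, an empty list produces no directive — so either remove the block or state the intended families, probably `RestrictAddressFamilies = [ "AF_UNIX" ];` for a unit that only rewrites a local database (to be verified); the same empty list is in the journal-flush, networkd-wait-online, rfkill, tmpfiles-setup-dev and udevd hunks.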
@@ -0,0 +1,151 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ ##############
+ # Networking #
+ ##############
+
+ # PrivateNetwork=true;
+ # IPAccounting=yes
+ # IPAddressDeny="any";
+ RestrictAddressFamilies = [
+ #"~AF_PACKET"
+ #"~AF_NETLINK"
+ #"~AF_UNIX"
+ #"~AF_INET"
+ #"~AF_INET6"
+ ];
+
+ ###############
+ # File system #
+ ###############
+
+ # ProtectHome=true;
+ ProtectSystem = "full";
+ ProtectProc = "noaccess";
+ # ReadWritePaths=[ "/etc"];
+ # PrivateTmp=true;
+
+ # Not applicable for the service runs as root
+ # PrivateMounts=true;
+ # ProcSubset="all";
+
+ ###################
+ # User separation #
+ ###################
+
+ # Not applicable for the service runs as root
+ PrivateUsers = true;
+ # DynamicUser=true;
+
+ ###########
+ # Devices #
+ ###########
+
+ # PrivateDevices=false;
+ # DeviceAllow=/dev/null
+
+ ##########
+ # Kernel #
+ ##########
+
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+
+ ########
+ # Misc #
+ ########
+
+ Delegate = false;
+ # KeyringMode="private";
+ NoNewPrivileges = true;
+ UMask = 77;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ /*
+ RestrictNamespaces=[
+ #"~user"
+ #"~pid"
+ #"~net"
+ #"~uts"
+ #"~mnt"
+ #"~cgroup"
+ #"~ipc"
+ ];
+ */
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ # RemoveIPC=true
+ SystemCallArchitectures = "native";
+ # NotifyAccess=false;
+
+ ################
+ # Capabilities #
+ ################
+
+ #AmbientCapabilities=
+ CapabilityBoundingSet = [
+ "~CAP_SYS_PACCT"
+ "~CAP_KILL"
+ # "~CAP_WAKE_ALARM"
+ # "~CAP_DAC_*
+ "~CAP_FOWNER"
+ # "~CAP_IPC_OWNER"
+ # "~CAP_BPF"
+ "~CAP_LINUX_IMMUTABLE"
+ # "~CAP_IPC_LOCK"
+ "~CAP_SYS_MODULE"
+ "~CAP_SYS_TTY_CONFIG"
+ "~CAP_SYS_BOOT"
+ "~CAP_SYS_CHROOT"
+ # "~CAP_BLOCK_SUSPEND"
+ "~CAP_LEASE"
+ "~CAP_MKNOD"
+ # "~CAP_CHOWN"
+ # "~CAP_FSETID"
+ # "~CAP_SETFCAP"
+ # "~CAP_SETUID"
+ # "~CAP_SETGID"
+ # "~CAP_SETPCAP"
+ # "~CAP_MAC_ADMIN"
+ # "~CAP_MAC_OVERRIDE"
+ "~CAP_SYS_RAWIO"
+ "~CAP_SYS_PTRACE"
+ # "~CAP_SYS_NICE"
+ # "~CAP_SYS_RESOURCE"
+ # "~CAP_NET_ADMIN"
+ # "~CAP_NET_BIND_SERVICE"
+ # "~CAP_NET_BROADCAST"
+ # "~CAP_NET_RAW"
+ # "~CAP_AUDIT_CONTROL"
+ # "~CAP_AUDIT_READ"
+ # "~CAP_AUDIT_WRITE"
+ "~CAP_SYS_ADMIN"
+ # "~CAP_SYSLOG"
+ "~CAP_SYS_TIME"
+ ];
+
+ ################
+ # System calls #
+ ################
+
+ SystemCallFilter = [
+ "~@clock"
+ "~@cpu-emulation"
+ "~@debug"
+ "~@module"
+ "~@mount"
+ "~@obsolete"
+ # "~@privileged"
+ "~@raw-io"
+ "~@reboot"
+ "~@resources"
+ "~@swap"
+ ];
+}
diff --git a/modules/common/systemd/hardened-configs/common/systemd-networkd-wait-online.nix b/modules/common/systemd/hardened-configs/common/systemd-networkd-wait-online.nix
new file mode 100644
index 000000000..c4450d066
--- /dev/null
+++ b/modules/common/systemd/hardened-configs/common/systemd-networkd-wait-online.nix
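Review bot: `# PrivateNetwork=true;` and `# IPAddressDeny="any";` stay disabled although this unit's job — asking journald to move /run/log/journal into /var/log/journal — involves no network traffic, so `PrivateNetwork = true;` and `IPAddressDeny = "any";` as in the first hunk of this chunk look applicable. The request journalctl sends for the flush travels, as far as I know, over a path-based AF_UNIX socket, which a private network namespace does not affect, but that should be confirmed on a boot test before the lines are switched on. Also `# "~@privileged"` is left allowed here while the otherwise near-identical journal-catalog-update hunk filters it; if the difference is intentional, a one-line comment saying why would keep the two files from drifting further apart.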
@@ -0,0 +1,151 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ ##############
+ # Networking #
+ ##############
+
+ # PrivateNetwork=true;
+ # IPAccounting=yes
+ IPAddressDeny = "any";
+ RestrictAddressFamilies = [
+ #"~AF_PACKET"
+ #"~AF_NETLINK"
+ #"~AF_UNIX"
+ #"~AF_INET"
+ #"~AF_INET6"
+ ];
+
+ ###############
+ # File system #
+ ###############
+
+ # ProtectHome=true;
+ ProtectSystem = "full";
+ ProtectProc = "noaccess";
+ # ReadWritePaths=[ "/etc"];
+ PrivateTmp = true;
+
+ # Not applicable for the service runs as root
+ # PrivateMounts=true;
+ # ProcSubset="all";
+
+ ###################
+ # User separation #
+ ###################
+
+ # Not applicable for the service runs as root
+ PrivateUsers = true;
+ # DynamicUser=true;
+
+ ###########
+ # Devices #
+ ###########
+
+ # PrivateDevices=false;
+ # DeviceAllow=/dev/null
+
+ ##########
+ # Kernel #
+ ##########
+
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+
+ ########
+ # Misc #
+ ########
+
+ Delegate = false;
+ # KeyringMode="private";
+ NoNewPrivileges = true;
+ UMask = 77;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ /*
+ RestrictNamespaces=[
+ #"~user"
+ #"~pid"
+ #"~net"
+ #"~uts"
+ #"~mnt"
+ #"~cgroup"
+ #"~ipc"
+ ];
+ */
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ # RemoveIPC=true
+ SystemCallArchitectures = "native";
+ # NotifyAccess=false;
+
+ ################
+ # Capabilities #
+ ################
+
+ #AmbientCapabilities=
+ CapabilityBoundingSet = [
+ "~CAP_SYS_PACCT"
+ "~CAP_KILL"
+ # "~CAP_WAKE_ALARM"
+ # "~CAP_DAC_*
+ "~CAP_FOWNER"
+ # "~CAP_IPC_OWNER"
+ # "~CAP_BPF"
+ "~CAP_LINUX_IMMUTABLE"
+ # "~CAP_IPC_LOCK"
+ "~CAP_SYS_MODULE"
+ "~CAP_SYS_TTY_CONFIG"
+ "~CAP_SYS_BOOT"
+ "~CAP_SYS_CHROOT"
+ # "~CAP_BLOCK_SUSPEND"
+ "~CAP_LEASE"
+ "~CAP_MKNOD"
+ # "~CAP_CHOWN"
+ # "~CAP_FSETID"
+ # "~CAP_SETFCAP"
+ # "~CAP_SETUID"
+ # "~CAP_SETGID"
+ # "~CAP_SETPCAP"
+ # "~CAP_MAC_ADMIN"
+ # "~CAP_MAC_OVERRIDE"
+ "~CAP_SYS_RAWIO"
+ "~CAP_SYS_PTRACE"
+ # "~CAP_SYS_NICE"
+ # "~CAP_SYS_RESOURCE"
+ "~CAP_NET_ADMIN"
+ "~CAP_NET_BIND_SERVICE"
+ "~CAP_NET_BROADCAST"
+ "~CAP_NET_RAW"
+ # "~CAP_AUDIT_CONTROL"
+ # "~CAP_AUDIT_READ"
+ # "~CAP_AUDIT_WRITE"
+ "~CAP_SYS_ADMIN"
+ # "~CAP_SYSLOG"
+ # "~CAP_SYS_TIME
+ ];
+
+ ################
+ # System calls #
+ ################
+
+ SystemCallFilter = [
+ "~@clock"
+ # "~@cpu-emulation"
+ "~@debug"
+ "~@module"
+ "~@mount"
+ "~@obsolete"
+ "~@privileged"
+ # "~@raw-io"
+ "~@reboot"
+ "~@resources"
+ "~@swap"
+ ];
+}
diff --git a/modules/common/systemd/hardened-configs/common/systemd-random-seed.nix b/modules/common/systemd/hardened-configs/common/systemd-random-seed.nix
new file mode 100644
index 000000000..4bfd967a3
--- /dev/null
+++ b/modules/common/systemd/hardened-configs/common/systemd-random-seed.nix
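Review bot: `RestrictAddressFamilies` is left fully open (every entry commented out) although wait-online only needs to talk to networkd and watch link state, which presumably means AF_UNIX and AF_NETLINK; an allow-list `RestrictAddressFamilies = [ "AF_UNIX" "AF_NETLINK" ];` would be the meaningful restriction next to the `IPAddressDeny = "any";` already set, and should be confirmed with a boot that actually waits on an interface. The `SystemCallFilter` list here is also the only one in this chunk that leaves `# "~@cpu-emulation"` allowed; if that is accidental it should be uncommented as in the sibling files, and if deliberate a short comment should say why.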
@@ -0,0 +1,151 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ ##############
+ # Networking #
+ ##############
+
+ PrivateNetwork = true;
+ # IPAccounting=yes
+ IPAddressDeny = "any";
+ RestrictAddressFamilies = [
+ "~AF_PACKET"
+ "~AF_NETLINK"
+ "~AF_UNIX"
+ "~AF_INET"
+ "~AF_INET6"
+ ];
+
+ ###############
+ # File system #
+ ###############
+
+ # ProtectHome=true;
+ ProtectSystem = "full";
+ ProtectProc = "noaccess";
+ # ReadWritePaths=[ "/etc"];
+ # PrivateTmp=true;
+
+ # Not applicable for the service runs as root
+ # PrivateMounts=true;
+ # ProcSubset="all";
+
+ ###################
+ # User separation #
+ ###################
+
+ # Not applicable for the service runs as root
+ # PrivateUsers=true;
+ # DynamicUser=true;
+
+ ###########
+ # Devices #
+ ###########
+
+ PrivateDevices = true;
+ DeviceAllow = [ "/dev/null rw" ];
+
+ ##########
+ # Kernel #
+ ##########
+
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+
+ ########
+ # Misc #
+ ########
+
+ Delegate = false;
+ # KeyringMode="private";
+ NoNewPrivileges = true;
+ UMask = 77;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ /*
+ RestrictNamespaces=[
+ #"~user"
+ #"~pid"
+ #"~net"
+ #"~uts"
+ #"~mnt"
+ #"~cgroup"
+ #"~ipc"
+ ];
+ */
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ # RemoveIPC=true
+ SystemCallArchitectures = "native";
+ # NotifyAccess=false;
+
+ ################
+ # Capabilities #
+ ################
+
+ #AmbientCapabilities=
+ CapabilityBoundingSet = [
+ "~CAP_SYS_PACCT"
+ "~CAP_KILL"
+ # "~CAP_WAKE_ALARM"
+ # "~CAP_DAC_*
+ "~CAP_FOWNER"
+ # "~CAP_IPC_OWNER"
+ # "~CAP_BPF"
+ "~CAP_LINUX_IMMUTABLE"
+ "~CAP_IPC_LOCK"
+ "~CAP_SYS_MODULE"
+ "~CAP_SYS_TTY_CONFIG"
+ "~CAP_SYS_BOOT"
+ "~CAP_SYS_CHROOT"
+ "~CAP_BLOCK_SUSPEND"
+ "~CAP_LEASE"
+ "~CAP_MKNOD"
+ # "~CAP_CHOWN"
+ # "~CAP_FSETID"
+ # "~CAP_SETFCAP"
+ # "~CAP_SETUID"
+ # "~CAP_SETGID"
+ # "~CAP_SETPCAP"
+ # "~CAP_MAC_ADMIN"
+ # "~CAP_MAC_OVERRIDE"
+ "~CAP_SYS_RAWIO"
+ "~CAP_SYS_PTRACE"
+ # "~CAP_SYS_NICE"
+ # "~CAP_SYS_RESOURCE"
+ "~CAP_NET_ADMIN"
+ "~CAP_NET_BIND_SERVICE"
+ "~CAP_NET_BROADCAST"
+ "~CAP_NET_RAW"
+ # "~CAP_AUDIT_CONTROL"
+ # "~CAP_AUDIT_READ"
+ # "~CAP_AUDIT_WRITE"
+ "~CAP_SYS_ADMIN"
+ # "~CAP_SYSLOG"
+ # "~CAP_SYS_TIME
+ ];
+
+ ################
+ # System calls #
+ ################
+
+ SystemCallFilter = [
+ "~@clock"
+ "~@cpu-emulation"
+ "~@debug"
+ "~@module"
+ "~@mount"
+ "~@obsolete"
+ "~@privileged"
+ # "~@raw-io"
+ "~@reboot"
+ "~@resources"
+ "~@swap"
+ ];
+}
diff --git a/modules/common/systemd/hardened-configs/common/systemd-remount-fs.nix b/modules/common/systemd/hardened-configs/common/systemd-remount-fs.nix
new file mode 100644
index 000000000..d6b241892
--- /dev/null
+++ b/modules/common/systemd/hardened-configs/common/systemd-remount-fs.nix
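Review bot: `"~CAP_SYS_ADMIN"` removes the capability the RNDADDENTROPY ioctl requires, so if this deployment relies on systemd-random-seed crediting the saved seed to the kernel pool (via the creditable-seed xattr or the SYSTEMD_RANDOM_SEED_CREDIT setting), that step will fail under this unit; either keep the capability as `# "~CAP_SYS_ADMIN"` or record in a comment that crediting is not used here. `DeviceAllow = [ "/dev/null rw" ];` is redundant under `PrivateDevices = true;`, which already populates the private /dev with /dev/null (and with /dev/urandom, which this service does need); the same pair appears in the rfkill and udev-trigger hunks.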
@@ -0,0 +1,151 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ ##############
+ # Networking #
+ ##############
+
+ PrivateNetwork = true;
+ # IPAccounting=yes
+ IPAddressDeny = "any";
+ RestrictAddressFamilies = [
+ "~AF_PACKET"
+ "~AF_NETLINK"
+ "~AF_UNIX"
+ "~AF_INET"
+ "~AF_INET6"
+ ];
+
+ ###############
+ # File system #
+ ###############
+
+ # ProtectHome=true;
+ ProtectSystem = "full";
+ ProtectProc = "noaccess";
+ # ReadWritePaths=[ "/etc"];
+ # PrivateTmp=true;
+
+ # Not applicable for the service runs as root
+ # PrivateMounts=true;
+ # ProcSubset="all";
+
+ ###################
+ # User separation #
+ ###################
+
+ # Not applicable for the service runs as root
+ # PrivateUsers=true;
+ # DynamicUser=true;
+
+ ###########
+ # Devices #
+ ###########
+
+ # PrivateDevices = true;
+ # DeviceAllow=/dev/null
+
+ ##########
+ # Kernel #
+ ##########
+
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+
+ ########
+ # Misc #
+ ########
+
+ Delegate = false;
+ # KeyringMode="private";
+ NoNewPrivileges = true;
+ UMask = 77;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ /*
+ RestrictNamespaces=[
+ #"~user"
+ #"~pid"
+ #"~net"
+ #"~uts"
+ #"~mnt"
+ #"~cgroup"
+ #"~ipc"
+ ];
+ */
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ # RemoveIPC=true
+ SystemCallArchitectures = "native";
+ # NotifyAccess=false;
+
+ ################
+ # Capabilities #
+ ################
+
+ #AmbientCapabilities=
+ CapabilityBoundingSet = [
+ "~CAP_SYS_PACCT"
+ "~CAP_KILL"
+ # "~CAP_WAKE_ALARM"
+ # "~CAP_DAC_*
+ "~CAP_FOWNER"
+ # "~CAP_IPC_OWNER"
+ # "~CAP_BPF"
+ "~CAP_LINUX_IMMUTABLE"
+ "~CAP_IPC_LOCK"
+ "~CAP_SYS_MODULE"
+ "~CAP_SYS_TTY_CONFIG"
+ "~CAP_SYS_BOOT"
+ "~CAP_SYS_CHROOT"
+ "~CAP_BLOCK_SUSPEND"
+ "~CAP_LEASE"
+ "~CAP_MKNOD"
+ # "~CAP_CHOWN"
+ # "~CAP_FSETID"
+ # "~CAP_SETFCAP"
+ # "~CAP_SETUID"
+ # "~CAP_SETGID"
+ # "~CAP_SETPCAP"
+ # "~CAP_MAC_ADMIN"
+ # "~CAP_MAC_OVERRIDE"
+ "~CAP_SYS_RAWIO"
+ "~CAP_SYS_PTRACE"
+ # "~CAP_SYS_NICE"
+ # "~CAP_SYS_RESOURCE"
+ "~CAP_NET_ADMIN"
+ "~CAP_NET_BIND_SERVICE"
+ "~CAP_NET_BROADCAST"
+ "~CAP_NET_RAW"
+ # "~CAP_AUDIT_CONTROL"
+ # "~CAP_AUDIT_READ"
+ # "~CAP_AUDIT_WRITE"
+ # "~CAP_SYS_ADMIN"
+ # "~CAP_SYSLOG"
+ # "~CAP_SYS_TIME
+ ];
+
+ ################
+ # System calls #
+ ################
+
+ SystemCallFilter = [
+ "~@clock"
+ "~@cpu-emulation"
+ "~@debug"
+ "~@module"
+ # "~@mount"
+ "~@obsolete"
+ # "~@privileged"
+ # "~@raw-io"
+ "~@reboot"
+ "~@resources"
+ "~@swap"
+ ];
+}
diff --git a/modules/common/systemd/hardened-configs/common/systemd-rfkill.nix b/modules/common/systemd/hardened-configs/common/systemd-rfkill.nix
new file mode 100644
index 000000000..471c0af31
--- /dev/null
+++ b/modules/common/systemd/hardened-configs/common/systemd-rfkill.nix
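Review bot: The directives deliberately left off for remount-fs — `# PrivateDevices = true;`, `# "~CAP_SYS_ADMIN"`, `# "~@mount"` and `# "~@privileged"` — carry no rationale, unlike the `# Not applicable …` notes used elsewhere in the file, so the next hardening pass is likely to re-enable one of them; a line such as `# remount(2) of fstab entries needs CAP_SYS_ADMIN, the @mount/@privileged groups and access to the block devices` above the capability list would record why. Beyond that, `ProtectSystem = "full";`, `ProtectProc = "noaccess";` and `ProtectKernelTunables = true;` each place this unit in its own mount namespace; a superblock-level remount should still take effect for the host, but since the whole purpose of this unit is to change mount flags on the real root and /usr, that assumption deserves a boot test before the file is merged.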
@@ -0,0 +1,151 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ ##############
+ # Networking #
+ ##############
+
+ PrivateNetwork = true;
+ # IPAccounting=yes
+ IPAddressDeny = "any";
+ RestrictAddressFamilies = [
+ #"~AF_PACKET"
+ #"~AF_NETLINK"
+ #"~AF_UNIX"
+ #"~AF_INET"
+ #"~AF_INET6"
+ ];
+
+ ###############
+ # File system #
+ ###############
+
+ # ProtectHome=true;
+ ProtectSystem = "full";
+ ProtectProc = "noaccess";
+ # ReadWritePaths=[ "/etc"];
+ # PrivateTmp=true;
+
+ # Not applicable for the service runs as root
+ # PrivateMounts=true;
+ # ProcSubset="all";
+
+ ###################
+ # User separation #
+ ###################
+
+ # Not applicable for the service runs as root
+ # PrivateUsers=true;
+ # DynamicUser=true;
+
+ ###########
+ # Devices #
+ ###########
+
+ PrivateDevices = true;
+ DeviceAllow = [ "/dev/null rw" ];
+
+ ##########
+ # Kernel #
+ ##########
+
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+
+ ########
+ # Misc #
+ ########
+
+ Delegate = false;
+ # KeyringMode="private";
+ NoNewPrivileges = true;
+ UMask = 77;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ /*
+ RestrictNamespaces=[
+ #"~user"
+ #"~pid"
+ #"~net"
+ #"~uts"
+ #"~mnt"
+ #"~cgroup"
+ #"~ipc"
+ ];
+ */
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ # RemoveIPC=true
+ SystemCallArchitectures = "native";
+ # NotifyAccess=false;
+
+ ################
+ # Capabilities #
+ ################
+
+ #AmbientCapabilities=
+ CapabilityBoundingSet = [
+ "~CAP_SYS_PACCT"
+ "~CAP_KILL"
+ # "~CAP_WAKE_ALARM"
+ # "~CAP_DAC_*
+ "~CAP_FOWNER"
+ # "~CAP_IPC_OWNER"
+ # "~CAP_BPF"
+ "~CAP_LINUX_IMMUTABLE"
+ # "~CAP_IPC_LOCK"
+ "~CAP_SYS_MODULE"
+ "~CAP_SYS_TTY_CONFIG"
+ "~CAP_SYS_BOOT"
+ "~CAP_SYS_CHROOT"
+ # "~CAP_BLOCK_SUSPEND"
+ "~CAP_LEASE"
+ "~CAP_MKNOD"
+ # "~CAP_CHOWN"
+ # "~CAP_FSETID"
+ # "~CAP_SETFCAP"
+ # "~CAP_SETUID"
+ # "~CAP_SETGID"
+ # "~CAP_SETPCAP"
+ # "~CAP_MAC_ADMIN"
+ # "~CAP_MAC_OVERRIDE"
+ "~CAP_SYS_RAWIO"
+ "~CAP_SYS_PTRACE"
+ # "~CAP_SYS_NICE"
+ # "~CAP_SYS_RESOURCE"
+ # "~CAP_NET_ADMIN"
+ # "~CAP_NET_BIND_SERVICE"
+ # "~CAP_NET_BROADCAST"
+ # "~CAP_NET_RAW"
+ # "~CAP_AUDIT_CONTROL"
+ # "~CAP_AUDIT_READ"
+ # "~CAP_AUDIT_WRITE"
+ "~CAP_SYS_ADMIN"
+ # "~CAP_SYSLOG"
+ # "~CAP_SYS_TIME
+ ];
+
+ ################
+ # System calls #
+ ################
+
+ SystemCallFilter = [
+ "~@clock"
+ "~@cpu-emulation"
+ "~@debug"
+ "~@module"
+ "~@mount"
+ "~@obsolete"
+ "~@privileged"
+ # "~@raw-io"
+ "~@reboot"
+ "~@resources"
+ "~@swap"
+ ];
+}
diff --git a/modules/common/systemd/hardened-configs/common/systemd-tmpfiles-clean.nix b/modules/common/systemd/hardened-configs/common/systemd-tmpfiles-clean.nix
new file mode 100644
index 000000000..0aec328d1
--- /dev/null
+++ b/modules/common/systemd/hardened-configs/common/systemd-tmpfiles-clean.nix
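Review bot: `PrivateDevices = true;` gives this unit a private /dev holding only the API pseudo-devices, so `/dev/rfkill` — the node systemd-rfkill reads and writes to save and restore radio state — is absent and the service will fail to open it; `DeviceAllow = [ "/dev/null rw" ];` does not bring it back, because DeviceAllow is a cgroup access policy, not a list of nodes to populate. The working and still tight alternative is to keep the real /dev and limit access by policy: `PrivateDevices = false;` together with `DeviceAllow = [ "/dev/rfkill rw" ];` (under the default DevicePolicy=auto, a DeviceAllow= line restricts the unit to the listed nodes plus the standard pseudo-devices), to be confirmed on hardware that has an rfkill switch.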
@@ -0,0 +1,151 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ ##############
+ # Networking #
+ ##############
+
+ PrivateNetwork = true;
+ # IPAccounting=yes
+ IPAddressDeny = "any";
+ RestrictAddressFamilies = [
+ "~AF_PACKET"
+ "~AF_NETLINK"
+ "~AF_UNIX"
+ "~AF_INET"
+ "~AF_INET6"
+ ];
+
+ ###############
+ # File system #
+ ###############
+
+ ProtectHome = true;
+ ProtectSystem = "full";
+ ProtectProc = "noaccess";
+ # ReadWritePaths=[ "/etc"];
+ PrivateTmp = true;
+
+ # Not applicable for the service runs as root
+ # PrivateMounts=true;
+ # ProcSubset="all";
+
+ ###################
+ # User separation #
+ ###################
+
+ # Not applicable for the service runs as root
+ PrivateUsers = true;
+ # DynamicUser=true;
+
+ ###########
+ # Devices #
+ ###########
+
+ # PrivateDevices=false;
+ # DeviceAllow=/dev/null
+
+ ##########
+ # Kernel #
+ ##########
+
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ # ProtectKernelLogs=true;
+
+ ########
+ # Misc #
+ ########
+
+ Delegate = false;
+ # KeyringMode="private";
+ NoNewPrivileges = true;
+ UMask = 77;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ /*
+ RestrictNamespaces=[
+ #"~user"
+ #"~pid"
+ #"~net"
+ #"~uts"
+ #"~mnt"
+ #"~cgroup"
+ #"~ipc"
+ ];
+ */
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ # RestrictSUIDSGID=true;
+ # RemoveIPC=true
+ SystemCallArchitectures = "native";
+ # NotifyAccess=false;
+
+ ################
+ # Capabilities #
+ ################
+
+ #AmbientCapabilities=
+ CapabilityBoundingSet = [
+ "~CAP_SYS_PACCT"
+ "~CAP_KILL"
+ # "~CAP_WAKE_ALARM"
+ # "~CAP_DAC_*
+ "~CAP_FOWNER"
+ # "~CAP_IPC_OWNER"
+ # "~CAP_BPF"
+ "~CAP_LINUX_IMMUTABLE"
+ "~CAP_IPC_LOCK"
+ "~CAP_SYS_MODULE"
+ "~CAP_SYS_TTY_CONFIG"
+ "~CAP_SYS_BOOT"
+ "~CAP_SYS_CHROOT"
+ "~CAP_BLOCK_SUSPEND"
+ "~CAP_LEASE"
+ "~CAP_MKNOD"
+ # "~CAP_CHOWN"
+ # "~CAP_FSETID"
+ # "~CAP_SETFCAP"
+ # "~CAP_SETUID"
+ # "~CAP_SETGID"
+ # "~CAP_SETPCAP"
+ # "~CAP_MAC_ADMIN"
+ # "~CAP_MAC_OVERRIDE"
+ "~CAP_SYS_RAWIO"
+ "~CAP_SYS_PTRACE"
+ # "~CAP_SYS_NICE"
+ # "~CAP_SYS_RESOURCE"
+ "~CAP_NET_ADMIN"
+ "~CAP_NET_BIND_SERVICE"
+ "~CAP_NET_BROADCAST"
+ "~CAP_NET_RAW"
+ # "~CAP_AUDIT_CONTROL"
+ # "~CAP_AUDIT_READ"
+ # "~CAP_AUDIT_WRITE"
+ "~CAP_SYS_ADMIN"
+ # "~CAP_SYSLOG"
+ # "~CAP_SYS_TIME
+ ];
+
+ ################
+ # System calls #
+ ################
+
+ SystemCallFilter = [
+ "~@clock"
+ "~@cpu-emulation"
+ "~@debug"
+ "~@module"
+ "~@mount"
+ "~@obsolete"
+ # "~@privileged"
+ # "~@raw-io"
+ "~@reboot"
+ "~@resources"
+ "~@swap"
+ ];
+}
diff --git a/modules/common/systemd/hardened-configs/common/systemd-tmpfiles-setup-dev.nix b/modules/common/systemd/hardened-configs/common/systemd-tmpfiles-setup-dev.nix
new file mode 100644
index 000000000..d6880a9c9
--- /dev/null
+++ b/modules/common/systemd/hardened-configs/common/systemd-tmpfiles-setup-dev.nix
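Review bot: `PrivateTmp = true;` gives this unit its own empty /tmp and /var/tmp, yet ageing out the host's /tmp and /var/tmp is exactly what `systemd-tmpfiles --clean` runs for, so with this setting the cleaner inspects a private empty directory and the real ones are never cleaned; it should stay `# PrivateTmp=true;` as in the sibling hunks. In the same vein, `PrivateUsers = true;` combined with dropping `"~CAP_FOWNER"` leaves the service unable to remove other users' files from sticky directories — in a user namespace root's override capabilities do not apply to inodes owned by unmapped uids, and unlinking from a sticky /tmp requires ownership or CAP_FOWNER — so `# PrivateUsers=true;` and `# "~CAP_FOWNER"` are the likely-correct lines here. Confirm by checking that a stale file owned by a non-root user actually disappears after the clean timer fires.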
@@ -0,0 +1,151 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ ##############
+ # Networking #
+ ##############
+
+ # PrivateNetwork=true;
+ # IPAccounting=yes
+ IPAddressDeny = "any";
+ RestrictAddressFamilies = [
+ #"~AF_PACKET"
+ #"~AF_NETLINK"
+ #"~AF_UNIX"
+ #"~AF_INET"
+ #"~AF_INET6"
+ ];
+
+ ###############
+ # File system #
+ ###############
+
+ # ProtectHome=true;
+ ProtectSystem = "full";
+ ProtectProc = "noaccess";
+ # ReadWritePaths=[ "/etc"];
+ # PrivateTmp=true;
+
+ # Not applicable for the service runs as root
+ # PrivateMounts=true;
+ # ProcSubset="all";
+
+ ###################
+ # User separation #
+ ###################
+
+ # Not applicable for the service runs as root
+ # PrivateUsers=true;
+ # DynamicUser=true;
+
+ ###########
+ # Devices #
+ ###########
+
+ # PrivateDevices=false;
+ # DeviceAllow=/dev/null
+
+ ##########
+ # Kernel #
+ ##########
+
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+
+ ########
+ # Misc #
+ ########
+
+ Delegate = false;
+ # KeyringMode="private";
+ NoNewPrivileges = true;
+ UMask = 77;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ /*
+ RestrictNamespaces=[
+ #"~user"
+ #"~pid"
+ #"~net"
+ #"~uts"
+ #"~mnt"
+ #"~cgroup"
+ #"~ipc"
+ ];
+ */
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ # RemoveIPC=true
+ SystemCallArchitectures = "native";
+ # NotifyAccess=false;
+
+ ################
+ # Capabilities #
+ ################
+
+ #AmbientCapabilities=
+ CapabilityBoundingSet = [
+ "~CAP_SYS_PACCT"
+ "~CAP_KILL"
+ # "~CAP_WAKE_ALARM"
+ # "~CAP_DAC_*
+ "~CAP_FOWNER"
+ # "~CAP_IPC_OWNER"
+ # "~CAP_BPF"
+ "~CAP_LINUX_IMMUTABLE"
+ "~CAP_IPC_LOCK"
+ "~CAP_SYS_MODULE"
+ "~CAP_SYS_TTY_CONFIG"
+ "~CAP_SYS_BOOT"
+ "~CAP_SYS_CHROOT"
+ "~CAP_BLOCK_SUSPEND"
+ "~CAP_LEASE"
+ # "~CAP_MKNOD"
+ # "~CAP_CHOWN"
+ # "~CAP_FSETID"
+ # "~CAP_SETFCAP"
+ # "~CAP_SETUID"
+ # "~CAP_SETGID"
+ # "~CAP_SETPCAP"
+ # "~CAP_MAC_ADMIN"
+ # "~CAP_MAC_OVERRIDE"
+ "~CAP_SYS_RAWIO"
+ "~CAP_SYS_PTRACE"
+ # "~CAP_SYS_NICE"
+ # "~CAP_SYS_RESOURCE"
+ "~CAP_NET_ADMIN"
+ "~CAP_NET_BIND_SERVICE"
+ "~CAP_NET_BROADCAST"
+ "~CAP_NET_RAW"
+ # "~CAP_AUDIT_CONTROL"
+ # "~CAP_AUDIT_READ"
+ # "~CAP_AUDIT_WRITE"
+ "~CAP_SYS_ADMIN"
+ # "~CAP_SYSLOG"
+ # "~CAP_SYS_TIME
+ ];
+
+ ################
+ # System calls #
+ ################
+
+ SystemCallFilter = [
+ "~@clock"
+ "~@cpu-emulation"
+ "~@debug"
+ "~@module"
+ "~@mount"
+ "~@obsolete"
+ # "~@privileged"
+ # "~@raw-io"
+ "~@reboot"
+ "~@resources"
+ "~@swap"
+ ];
+}
diff --git a/modules/common/systemd/hardened-configs/common/systemd-tmpfiles-setup.nix b/modules/common/systemd/hardened-configs/common/systemd-tmpfiles-setup.nix
new file mode 100644
index 000000000..cf6d109f4
--- /dev/null
+++ b/modules/common/systemd/hardened-configs/common/systemd-tmpfiles-setup.nix
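Review bot: `# "~CAP_MKNOD"` is the one capability row where this file departs from its tmpfiles siblings, and the reason — creating static device nodes needs CAP_MKNOD — is not written down; a comment such as `# static /dev nodes are created with mknod(2), keep CAP_MKNOD` above that line would stop it from being "fixed" later. The networking block is also looser than it needs to be: `# PrivateNetwork=true;` is off although populating /dev involves no networking, so `PrivateNetwork = true;` next to the existing `IPAddressDeny = "any";` looks safe here, subject to a boot test.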
@@ -0,0 +1,151 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ ##############
+ # Networking #
+ ##############
+
+ # PrivateNetwork=true;
+ # IPAccounting=yes
+ IPAddressDeny = "any";
+ RestrictAddressFamilies = [
+ "~AF_PACKET"
+ "~AF_NETLINK"
+ "~AF_UNIX"
+ "~AF_INET"
+ "~AF_INET6"
+ ];
+
+ ###############
+ # File system #
+ ###############
+
+ # ProtectHome=true;
+ # ProtectSystem="full";
+ ProtectProc = "noaccess";
+ # ReadWritePaths=[ "/etc"];
+ # PrivateTmp=true;
+
+ # Not applicable for the service runs as root
+ # PrivateMounts=true;
+ # ProcSubset="all";
+
+ ###################
+ # User separation #
+ ###################
+
+ # Not applicable for the service runs as root
+ # PrivateUsers=true;
+ # DynamicUser=true;
+
+ ###########
+ # Devices #
+ ###########
+
+ # PrivateDevices=false;
+ # DeviceAllow=/dev/null
+
+ ##########
+ # Kernel #
+ ##########
+
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ # ProtectKernelLogs=true;
+
+ ########
+ # Misc #
+ ########
+
+ Delegate = false;
+ # KeyringMode="private";
+ NoNewPrivileges = true;
+ UMask = 77;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ /*
+ RestrictNamespaces=[
+ #"~user"
+ #"~pid"
+ #"~net"
+ #"~uts"
+ #"~mnt"
+ #"~cgroup"
+ #"~ipc"
+ ];
+ */
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ # RestrictSUIDSGID=true;
+ # RemoveIPC=true
+ SystemCallArchitectures = "native";
+ # NotifyAccess=false;
+
+ ################
+ # Capabilities #
+ ################
+
+ #AmbientCapabilities=
+ CapabilityBoundingSet = [
+ "~CAP_SYS_PACCT"
+ "~CAP_KILL"
+ # "~CAP_WAKE_ALARM"
+ # "~CAP_DAC_*
+ "~CAP_FOWNER"
+ # "~CAP_IPC_OWNER"
+ # "~CAP_BPF"
+ # "~CAP_LINUX_IMMUTABLE"
+ "~CAP_IPC_LOCK"
+ "~CAP_SYS_MODULE"
+ "~CAP_SYS_TTY_CONFIG"
+ "~CAP_SYS_BOOT"
+ "~CAP_SYS_CHROOT"
+ "~CAP_BLOCK_SUSPEND"
+ "~CAP_LEASE"
+ "~CAP_MKNOD"
+ # "~CAP_CHOWN"
+ # "~CAP_FSETID"
+ # "~CAP_SETFCAP"
+ # "~CAP_SETUID"
+ # "~CAP_SETGID"
+ # "~CAP_SETPCAP"
+ # "~CAP_MAC_ADMIN"
+ # "~CAP_MAC_OVERRIDE"
+ "~CAP_SYS_RAWIO"
+ "~CAP_SYS_PTRACE"
+ # "~CAP_SYS_NICE"
+ # "~CAP_SYS_RESOURCE"
+ "~CAP_NET_ADMIN"
+ "~CAP_NET_BIND_SERVICE"
+ "~CAP_NET_BROADCAST"
+ "~CAP_NET_RAW"
+ # "~CAP_AUDIT_CONTROL"
+ # "~CAP_AUDIT_READ"
+ # "~CAP_AUDIT_WRITE"
+ "~CAP_SYS_ADMIN"
+ # "~CAP_SYSLOG"
+ # "~CAP_SYS_TIME
+ ];
+
+ ################
+ # System calls #
+ ################
+
+ SystemCallFilter = [
+ "~@clock"
+ "~@cpu-emulation"
+ "~@debug"
+ "~@module"
+ "~@mount"
+ "~@obsolete"
+ # "~@privileged"
+ # "~@raw-io"
+ "~@reboot"
+ "~@resources"
+ "~@swap"
+ ];
+}
diff --git a/modules/common/systemd/hardened-configs/common/systemd-udev-trigger.nix b/modules/common/systemd/hardened-configs/common/systemd-udev-trigger.nix
new file mode 100644
index 000000000..33b1c52b1
--- /dev/null
+++ b/modules/common/systemd/hardened-configs/common/systemd-udev-trigger.nix
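Review bot: `"~CAP_FOWNER"` is dropped although this unit applies mode and ownership from tmpfiles rules, and systemd-tmpfiles, as far as I recall, applies the mode after the ownership change (a chown clears setuid/setgid bits), so a rule like `d /var/lib/example 0750 example example` plausibly ends with a chmod on a directory root no longer owns, which requires CAP_FOWNER; keep it as `# "~CAP_FOWNER"` unless a boot with such rules confirms otherwise. The lines switched off specifically for this unit — `# ProtectSystem="full";`, `# RestrictSUIDSGID=true;`, `# ProtectKernelLogs=true;` and the kept `# "~CAP_LINUX_IMMUTABLE"` — have no rationale comment; a line naming the rules that need them (setgid directories for RestrictSUIDSGID, `h` attribute lines for CAP_LINUX_IMMUTABLE, and whichever paths under /etc or /usr make ProtectSystem unworkable) would document the trade-off.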
@@ -0,0 +1,151 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ ##############
+ # Networking #
+ ##############
+
+ # PrivateNetwork = true;
+ # IPAccounting=yes
+ IPAddressDeny = "any";
+ RestrictAddressFamilies = [
+ "~AF_PACKET"
+ "~AF_NETLINK"
+ "~AF_UNIX"
+ "~AF_INET"
+ "~AF_INET6"
+ ];
+
+ ###############
+ # File system #
+ ###############
+
+ # ProtectHome=true;
+ ProtectSystem = "full";
+ ProtectProc = "noaccess";
+ # ReadWritePaths=[ "/etc"];
+ # PrivateTmp=true;
+
+ # Not applicable for the service runs as root
+ # PrivateMounts=true;
+ # ProcSubset="all";
+
+ ###################
+ # User separation #
+ ###################
+
+ # Not applicable for the service runs as root
+ # PrivateUsers=true;
+ # DynamicUser=true;
+
+ ###########
+ # Devices #
+ ###########
+
+ PrivateDevices = true;
+ DeviceAllow = [ "/dev/null rw" ];
+
+ ##########
+ # Kernel #
+ ##########
+
+ # ProtectKernelTunables=true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+
+ ########
+ # Misc #
+ ########
+
+ Delegate = false;
+ # KeyringMode="private";
+ NoNewPrivileges = true;
+ UMask = 77;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ /*
+ RestrictNamespaces=[
+ #"~user"
+ #"~pid"
+ #"~net"
+ #"~uts"
+ #"~mnt"
+ #"~cgroup"
+ #"~ipc"
+ ];
+ */
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ # RemoveIPC=true
+ SystemCallArchitectures = "native";
+ # NotifyAccess=false;
+
+ ################
+ # Capabilities #
+ ################
+
+ #AmbientCapabilities=
+ CapabilityBoundingSet = [
+ "~CAP_SYS_PACCT"
+ "~CAP_KILL"
+ # "~CAP_WAKE_ALARM"
+ # "~CAP_DAC_*
+ "~CAP_FOWNER"
+ # "~CAP_IPC_OWNER"
+ # "~CAP_BPF"
+ "~CAP_LINUX_IMMUTABLE"
+ "~CAP_IPC_LOCK"
+ "~CAP_SYS_MODULE"
+ "~CAP_SYS_TTY_CONFIG"
+ "~CAP_SYS_BOOT"
+ "~CAP_SYS_CHROOT"
+ "~CAP_BLOCK_SUSPEND"
+ "~CAP_LEASE"
+ "~CAP_MKNOD"
+ # "~CAP_CHOWN"
+ # "~CAP_FSETID"
+ # "~CAP_SETFCAP"
+ # "~CAP_SETUID"
+ # "~CAP_SETGID"
+ # "~CAP_SETPCAP"
+ # "~CAP_MAC_ADMIN"
+ # "~CAP_MAC_OVERRIDE"
+ "~CAP_SYS_RAWIO"
+ "~CAP_SYS_PTRACE"
+ # "~CAP_SYS_NICE"
+ # "~CAP_SYS_RESOURCE"
+ "~CAP_NET_ADMIN"
+ "~CAP_NET_BIND_SERVICE"
+ "~CAP_NET_BROADCAST"
+ "~CAP_NET_RAW"
+ # "~CAP_AUDIT_CONTROL"
+ # "~CAP_AUDIT_READ"
+ # "~CAP_AUDIT_WRITE"
+ "~CAP_SYS_ADMIN"
+ # "~CAP_SYSLOG"
+ # "~CAP_SYS_TIME
+ ];
+
+ ################
+ # System calls #
+ ################
+
+ SystemCallFilter = [
+ "~@clock"
+ "~@cpu-emulation"
+ "~@debug"
+ "~@module"
+ "~@mount"
+ "~@obsolete"
+ # "~@privileged"
+ # "~@raw-io"
+ "~@reboot"
+ "~@resources"
+ "~@swap"
+ ];
+}
diff --git a/modules/common/systemd/hardened-configs/common/systemd-udevd.nix b/modules/common/systemd/hardened-configs/common/systemd-udevd.nix
new file mode 100644
index 000000000..35a5837f4
--- /dev/null
+++ b/modules/common/systemd/hardened-configs/common/systemd-udevd.nix
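Review bot: `# ProtectKernelTunables=true;` is disabled without a stated reason; since `udevadm trigger` works by writing to the `uevent` attributes under /sys, which ProtectKernelTunables would mount read-only, a comment `# udevadm trigger writes /sys/**/uevent; ProtectKernelTunables would make /sys read-only` would record the constraint for the next hardening pass. Worth confirming at the same time is `RestrictAddressFamilies` denying every family including AF_NETLINK and AF_UNIX: a plain `udevadm trigger` invocation needs no socket, but any `--settle` or `--wait-daemon` variant used by this project's unit would, so check the ExecStart actually in use.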
@@ -0,0 +1,151 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ ##############
+ # Networking #
+ ##############
+
+ # PrivateNetwork=true;
+ # IPAccounting=yes
+ # IPAddressDeny="any";
+ RestrictAddressFamilies = [
+ #"~AF_PACKET"
+ #"~AF_NETLINK"
+ #"~AF_UNIX"
+ #"~AF_INET"
+ #"~AF_INET6"
+ ];
+
+ ###############
+ # File system #
+ ###############
+
+ # ProtectHome=true;
+ # ProtectSystem="full";
+ ProtectProc = "noaccess";
+ # ReadWritePaths=[ "/etc"];
+ # PrivateTmp=true;
+
+ # Not applicable for the service runs as root
+ # PrivateMounts=true;
+ # ProcSubset="all";
+
+ ###################
+ # User separation #
+ ###################
+
+ # Not applicable for the service runs as root
+ # PrivateUsers=true;
+ # DynamicUser=true;
+
+ ###########
+ # Devices #
+ ###########
+
+ # PrivateDevices=false;
+ # DeviceAllow=/dev/null
+
+ ##########
+ # Kernel #
+ ##########
+
+ # ProtectKernelTunables=true;
+ # ProtectKernelModules=true;
+ ProtectKernelLogs = true;
+
+ ########
+ # Misc #
+ ########
+
+ Delegate = false;
+ # KeyringMode="private";
+ NoNewPrivileges = true;
+ UMask = 77;
+ # ProtectHostname=true;
+ ProtectClock = true;
+ # ProtectControlGroups=true;
+ RestrictNamespaces = true;
+ /*
+ RestrictNamespaces=[
+ #"~user"
+ #"~pid"
+ #"~net"
+ #"~uts"
+ #"~mnt"
+ #"~cgroup"
+ #"~ipc"
+ ];
+ */
+ # LockPersonality=true;
+ # MemoryDenyWriteExecute=true;
+ # RestrictRealtime=true;
+ # RestrictSUIDSGID=true;
+ # RemoveIPC=true
+ # SystemCallArchitectures="native";
+ # NotifyAccess=false;
+
+ ################
+ # Capabilities #
+ ################
+
+ #AmbientCapabilities=
+ CapabilityBoundingSet = [
+ # "~CAP_SYS_PACCT"
+ "~CAP_KILL"
+ # "~CAP_WAKE_ALARM"
+ # "~CAP_DAC_*
+ # "~CAP_FOWNER"
+ # "~CAP_IPC_OWNER"
+ # "~CAP_BPF"
+ # "~CAP_LINUX_IMMUTABLE"
+ # "~CAP_IPC_LOCK"
+ # "~CAP_SYS_MODULE"
+ # "~CAP_SYS_TTY_CONFIG"
+ # "~CAP_SYS_BOOT"
+ # "~CAP_SYS_CHROOT"
+ # "~CAP_BLOCK_SUSPEND"
+ "~CAP_LEASE"
+ # "~CAP_MKNOD"
+ # "~CAP_CHOWN"
+ # "~CAP_FSETID"
+ # "~CAP_SETFCAP"
+ # "~CAP_SETUID"
+ # "~CAP_SETGID"
+ # "~CAP_SETPCAP"
+ # "~CAP_MAC_ADMIN"
+ # "~CAP_MAC_OVERRIDE"
+ "~CAP_SYS_RAWIO"
+ "~CAP_SYS_PTRACE"
+ # "~CAP_SYS_NICE"
+ # "~CAP_SYS_RESOURCE"
+ # "~CAP_NET_ADMIN"
+ # "~CAP_NET_BIND_SERVICE"
+ # "~CAP_NET_BROADCAST"
+ # "~CAP_NET_RAW"
+ # "~CAP_AUDIT_CONTROL"
+ # "~CAP_AUDIT_READ"
+ # "~CAP_AUDIT_WRITE"
+ "~CAP_SYS_ADMIN"
+ # "~CAP_SYSLOG"
+ # "~CAP_SYS_TIME
+ ];
+
+ ################
+ # System calls #
+ ################
+
+ SystemCallFilter = [
+ # "~@clock"
+ # "~@cpu-emulation"
+ # "~@debug"
+ # "~@module"
+ # "~@mount"
+ "~@obsolete"
+ # "~@privileged"
+ # "~@raw-io"
+ # "~@reboot"
+ # "~@resources"
+ # "~@swap"
+ ];
+}
diff --git a/modules/common/systemd/hardened-configs/common/systemd-user-sessions.nix b/modules/common/systemd/hardened-configs/common/systemd-user-sessions.nix
new file mode 100644
index 000000000..e29e9fece
--- /dev/null
+++ b/modules/common/systemd/hardened-configs/common/systemd-user-sessions.nix
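Review bot: Several directives commented out here — `# ProtectHostname=true;`, `# LockPersonality=true;`, `# MemoryDenyWriteExecute=true;`, `# RestrictRealtime=true;`, `# RestrictSUIDSGID=true;` and `# SystemCallArchitectures="native";` — are, as far as I recall, all enabled in upstream systemd's own systemd-udevd.service, so switching them off in a file whose purpose is hardening ends up looser than the stock unit; compare against the unit shipped by the systemd version in use and re-enable the ones upstream sets. Where a line genuinely must stay off for udevd, the reason is worth recording next to it, e.g. `# udev rules write sysfs attributes (ATTR{}=), so ProtectKernelTunables must stay off`. The empty `RestrictAddressFamilies = [ ];` list is the same inert block noted on the journal-catalog-update hunk; upstream's udevd unit names the families it needs instead, which would be the model to follow here.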
@@ -0,0 +1,151 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + ############## + # Networking # + ############## + + PrivateNetwork = true; + # IPAccounting=yes + IPAddressDeny = "any"; + RestrictAddressFamilies = [ + "~AF_PACKET" + "~AF_NETLINK" + "~AF_UNIX" + "~AF_INET" + "~AF_INET6" + ]; + + ############### + # File system # + ############### + + # ProtectHome=true; + # ProtectSystem="full"; + ProtectProc = "noaccess"; + # ReadWritePaths=[ "/etc"]; + PrivateTmp = true; + + # Not applicable for the service runs as root + # PrivateMounts=true; + # ProcSubset="all"; + + ################### + # User separation # + ################### + + # Not applicable for the service runs as root + PrivateUsers = true; + # DynamicUser=true; + + ########### + # Devices # + ########### + + # PrivateDevices=false; + # DeviceAllow=/dev/null + + ########## + # Kernel # + ########## + + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + + ######## + # Misc # + ######## + + Delegate = false; + # KeyringMode="private"; + NoNewPrivileges = true; + UMask = 77; + ProtectHostname = true; + ProtectClock = true; + ProtectControlGroups = true; + RestrictNamespaces = true; + /* + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; + */ + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + # RemoveIPC=true + SystemCallArchitectures = "native"; + # NotifyAccess=false; + + ################ + # Capabilities # + ################ + + #AmbientCapabilities= + CapabilityBoundingSet = [ + "~CAP_SYS_PACCT" + "~CAP_KILL" + # "~CAP_WAKE_ALARM" + # "~CAP_DAC_* + "~CAP_FOWNER" + # "~CAP_IPC_OWNER" + # "~CAP_BPF" + "~CAP_LINUX_IMMUTABLE" + "~CAP_IPC_LOCK" + "~CAP_SYS_MODULE" + "~CAP_SYS_TTY_CONFIG" + "~CAP_SYS_BOOT" + "~CAP_SYS_CHROOT" + "~CAP_BLOCK_SUSPEND" + "~CAP_LEASE" + "~CAP_MKNOD" + # "~CAP_CHOWN" 
+ # "~CAP_FSETID" + # "~CAP_SETFCAP" + # "~CAP_SETUID" + # "~CAP_SETGID" + # "~CAP_SETPCAP" + # "~CAP_MAC_ADMIN" + # "~CAP_MAC_OVERRIDE" + "~CAP_SYS_RAWIO" + "~CAP_SYS_PTRACE" + # "~CAP_SYS_NICE" + # "~CAP_SYS_RESOURCE" + "~CAP_NET_ADMIN" + "~CAP_NET_BIND_SERVICE" + "~CAP_NET_BROADCAST" + "~CAP_NET_RAW" + # "~CAP_AUDIT_CONTROL" + # "~CAP_AUDIT_READ" + # "~CAP_AUDIT_WRITE" + "~CAP_SYS_ADMIN" + # "~CAP_SYSLOG" + # "~CAP_SYS_TIME + ]; + + ################ + # System calls # + ################ + + SystemCallFilter = [ + "~@clock" + "~@cpu-emulation" + "~@debug" + "~@module" + "~@mount" + "~@obsolete" + "~@privileged" + # "~@raw-io" + "~@reboot" + "~@resources" + "~@swap" + ]; +} diff --git a/modules/common/systemd/hardened-configs/common/tpm2-abrmd.nix b/modules/common/systemd/hardened-configs/common/tpm2-abrmd.nix new file mode 100644 index 000000000..7f152cd20 --- /dev/null +++ b/modules/common/systemd/hardened-configs/common/tpm2-abrmd.nix 
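Review bot: `PrivateUsers = true;` sits directly under the comment `# Not applicable for the service runs as root`, so either the comment or the directive is wrong; the same contradiction appears in release/user@.nix. PrivateUsers= on a root unit moves it into its own user namespace where it holds capabilities only inside that namespace and none in the host namespace, which is a significant change for user@.service in particular, since that unit manages the whole per-user service tree — confirm that logins and user services still start with it. If it is intentional, replace the comment with the reason, e.g. `# PrivateUsers is enabled on purpose: <reason>`; otherwise comment the directive back out as the template does.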
@@ -0,0 +1,151 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + ############## + # Networking # + ############## + + # PrivateNetwork=true; + # IPAccounting=yes + # IPAddressDeny="any"; + RestrictAddressFamilies = [ + "~AF_PACKET" + #"~AF_NETLINK" + #"~AF_UNIX" + #"~AF_INET" + #"~AF_INET6" + ]; + + ############### + # File system # + ############### + + ProtectHome = true; + ProtectSystem = "strict"; + ProtectProc = "invisible"; + # ReadWritePaths=[ "/etc"]; + PrivateTmp = true; + + # Not applicable for the service runs as root + # PrivateMounts=true; + # ProcSubset="all"; + + ################### + # User separation # + ################### + + # Not applicable for the service runs as root + # PrivateUsers=true; + # DynamicUser=true; + + ########### + # Devices # + ########### + + # PrivateDevices=false; + # DeviceAllow=/dev/null + + ########## + # Kernel # + ########## + + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + + ######## + # Misc # + ######## + + # Delegate=false; + # KeyringMode="private"; + NoNewPrivileges = true; + # UMask=077; + ProtectHostname = true; + ProtectClock = true; + # ProtectControlGroups=true; + # RestrictNamespaces=true; + /* + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; + */ + LockPersonality = true; + MemoryDenyWriteExecute = true; + # RestrictRealtime=true; + RestrictSUIDSGID = true; + # RemoveIPC=true + SystemCallArchitectures = "native"; + # NotifyAccess=false; + + ################ + # Capabilities # + ################ + + #AmbientCapabilities= + CapabilityBoundingSet = [ + "~CAP_SYS_PACCT" + "~CAP_KILL" + # "~CAP_WAKE_ALARM" + # "~CAP_DAC_* + # "~CAP_FOWNER" + # "~CAP_IPC_OWNER" + # "~CAP_BPF" + "~CAP_LINUX_IMMUTABLE" + # "~CAP_IPC_LOCK" + "~CAP_SYS_MODULE" + "~CAP_SYS_TTY_CONFIG" + "~CAP_SYS_BOOT" + # "~CAP_SYS_CHROOT" + "~CAP_BLOCK_SUSPEND" + "~CAP_LEASE" + "~CAP_MKNOD" + # 
"~CAP_CHOWN" + # "~CAP_FSETID" + # "~CAP_SETFCAP" + # "~CAP_SETUID" + # "~CAP_SETGID" + # "~CAP_SETPCAP" + # "~CAP_MAC_ADMIN" + # "~CAP_MAC_OVERRIDE" + "~CAP_SYS_RAWIO" + "~CAP_SYS_PTRACE" + # "~CAP_SYS_NICE" + # "~CAP_SYS_RESOURCE" + # "~CAP_NET_ADMIN" + # "~CAP_NET_BIND_SERVICE" + # "~CAP_NET_BROADCAST" + # "~CAP_NET_RAW" + # "~CAP_AUDIT_CONTROL" + # "~CAP_AUDIT_READ" + # "~CAP_AUDIT_WRITE" + # "~CAP_SYS_ADMIN" + # "~CAP_SYSLOG" + # "~CAP_SYS_TIME + ]; + + ################ + # System calls # + ################ + + SystemCallFilter = [ + "~@clock" + "~@cpu-emulation" + "~@debug" + "~@module" + # "~@mount" + "~@obsolete" + # "~@privileged" + "~@raw-io" + "~@reboot" + # "~@resources" + "~@swap" + ]; +} diff --git a/modules/common/systemd/hardened-configs/common/user-runtime-dir@.nix b/modules/common/systemd/hardened-configs/common/user-runtime-dir@.nix new file mode 100644 index 000000000..d14ee7e79 --- /dev/null +++ b/modules/common/systemd/hardened-configs/common/user-runtime-dir@.nix 
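Review bot: This profile is byte-identical to vsockproxy.nix (both file headers carry blob 7f152cd20), which suggests it was copied rather than tailored to the TPM resource manager. Concretely, `~CAP_SYS_ADMIN`, `~CAP_SETUID`/`~CAP_SETGID`, all `~CAP_NET_*` entries and `~@privileged` are left commented out and no `DeviceAllow=` is set, so a broker whose only privileged need, as far as I can tell, is the TPM character device keeps far more than that. If tpm2-abrmd already runs as an unprivileged user (I believe the NixOS module does that), most of the bounding-set entries are moot and a comment saying so would spare the next reader the analysis; if it runs as root, tightening the list and adding a `DeviceAllow` for the TPM device is the natural next step.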
@@ -0,0 +1,151 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + ############## + # Networking # + ############## + + # PrivateNetwork=true; + # IPAccounting=yes + IPAddressDeny = "any"; + RestrictAddressFamilies = [ + "~AF_PACKET" + "~AF_NETLINK" + #"~AF_UNIX" + "~AF_INET" + "~AF_INET6" + ]; + + ############### + # File system # + ############### + + # ProtectHome=true; + # ProtectSystem="full"; + # ProtectProc="noaccess"; + # ReadWritePaths=[ "/etc"]; + # PrivateTmp=true; + + # Not applicable for the service runs as root + # PrivateMounts=true; + # ProcSubset="all"; + + ################### + # User separation # + ################### + + # Not applicable for the service runs as root + # PrivateUsers=true; + # DynamicUser=true; + + ########### + # Devices # + ########### + + # PrivateDevices=false; + # DeviceAllow=/dev/null + + ########## + # Kernel # + ########## + + # ProtectKernelTunables=true; + # ProtectKernelModules=true; + # ProtectKernelLogs=true; + + ######## + # Misc # + ######## + + Delegate = false; + # KeyringMode="private"; + NoNewPrivileges = true; + # UMask=077; + ProtectHostname = true; + ProtectClock = true; + # ProtectControlGroups=true; + RestrictNamespaces = true; + /* + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; + */ + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + # RestrictSUIDSGID=true; + # RemoveIPC=true + SystemCallArchitectures = "native"; + # NotifyAccess=false; + + ################ + # Capabilities # + ################ + + #AmbientCapabilities= + CapabilityBoundingSet = [ + "~CAP_SYS_PACCT" + "~CAP_KILL" + "~CAP_WAKE_ALARM" + # "~CAP_DAC_* + # "~CAP_FOWNER" + # "~CAP_IPC_OWNER" + # "~CAP_BPF" + "~CAP_LINUX_IMMUTABLE" + # "~CAP_IPC_LOCK" + # "~CAP_SYS_MODULE" + "~CAP_SYS_TTY_CONFIG" + "~CAP_SYS_BOOT" + "~CAP_SYS_CHROOT" + # "~CAP_BLOCK_SUSPEND" + "~CAP_LEASE" + "~CAP_MKNOD" + # 
"~CAP_CHOWN" + # "~CAP_FSETID" + # "~CAP_SETFCAP" + # "~CAP_SETUID" + # "~CAP_SETGID" + # "~CAP_SETPCAP" + # "~CAP_MAC_ADMIN" + # "~CAP_MAC_OVERRIDE" + "~CAP_SYS_RAWIO" + "~CAP_SYS_PTRACE" + "~CAP_SYS_NICE" + # "~CAP_SYS_RESOURCE" + "~CAP_NET_ADMIN" + "~CAP_NET_BIND_SERVICE" + "~CAP_NET_BROADCAST" + "~CAP_NET_RAW" + "~CAP_AUDIT_CONTROL" + # "~CAP_AUDIT_READ" + # "~CAP_AUDIT_WRITE" + # "~CAP_SYS_ADMIN" + # "~CAP_SYSLOG" + # "~CAP_SYS_TIME + ]; + + ################ + # System calls # + ################ + + SystemCallFilter = [ + # "~@clock" + "~@cpu-emulation" + "~@debug" + # "~@module" + # "~@mount" + "~@obsolete" + "~@privileged" + "~@raw-io" + "~@reboot" + "~@resources" + "~@swap" + ]; +} diff --git a/modules/common/systemd/hardened-configs/common/vsockproxy.nix b/modules/common/systemd/hardened-configs/common/vsockproxy.nix new file mode 100644 index 000000000..7f152cd20 --- /dev/null +++ b/modules/common/systemd/hardened-configs/common/vsockproxy.nix 
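Review bot: The SystemCallFilter denies `~@privileged` while `~@clock` and `~@module` stay commented out, yet `@privileged` already contains `@clock`, `@module`, `@raw-io`, `@reboot` and `@swap`, so the per-group toggles under it have no effect and obscure the intent. More importantly `@privileged` also contains `@chown` and the setuid/setgid family; a unit whose job is to create and hand over a per-user runtime directory presumably chowns it (its name suggests so — please verify), and with no SystemCallErrorNumber= set a denied call terminates the process rather than returning an error. Either drop `~@privileged` here and deny only the narrower groups you actually mean, or add `SystemCallErrorNumber = "EPERM";` together with a comment naming which privileged calls were tested.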
@@ -0,0 +1,151 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + ############## + # Networking # + ############## + + # PrivateNetwork=true; + # IPAccounting=yes + # IPAddressDeny="any"; + RestrictAddressFamilies = [ + "~AF_PACKET" + #"~AF_NETLINK" + #"~AF_UNIX" + #"~AF_INET" + #"~AF_INET6" + ]; + + ############### + # File system # + ############### + + ProtectHome = true; + ProtectSystem = "strict"; + ProtectProc = "invisible"; + # ReadWritePaths=[ "/etc"]; + PrivateTmp = true; + + # Not applicable for the service runs as root + # PrivateMounts=true; + # ProcSubset="all"; + + ################### + # User separation # + ################### + + # Not applicable for the service runs as root + # PrivateUsers=true; + # DynamicUser=true; + + ########### + # Devices # + ########### + + # PrivateDevices=false; + # DeviceAllow=/dev/null + + ########## + # Kernel # + ########## + + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + + ######## + # Misc # + ######## + + # Delegate=false; + # KeyringMode="private"; + NoNewPrivileges = true; + # UMask=077; + ProtectHostname = true; + ProtectClock = true; + # ProtectControlGroups=true; + # RestrictNamespaces=true; + /* + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; + */ + LockPersonality = true; + MemoryDenyWriteExecute = true; + # RestrictRealtime=true; + RestrictSUIDSGID = true; + # RemoveIPC=true + SystemCallArchitectures = "native"; + # NotifyAccess=false; + + ################ + # Capabilities # + ################ + + #AmbientCapabilities= + CapabilityBoundingSet = [ + "~CAP_SYS_PACCT" + "~CAP_KILL" + # "~CAP_WAKE_ALARM" + # "~CAP_DAC_* + # "~CAP_FOWNER" + # "~CAP_IPC_OWNER" + # "~CAP_BPF" + "~CAP_LINUX_IMMUTABLE" + # "~CAP_IPC_LOCK" + "~CAP_SYS_MODULE" + "~CAP_SYS_TTY_CONFIG" + "~CAP_SYS_BOOT" + # "~CAP_SYS_CHROOT" + "~CAP_BLOCK_SUSPEND" + "~CAP_LEASE" + "~CAP_MKNOD" + # 
"~CAP_CHOWN" + # "~CAP_FSETID" + # "~CAP_SETFCAP" + # "~CAP_SETUID" + # "~CAP_SETGID" + # "~CAP_SETPCAP" + # "~CAP_MAC_ADMIN" + # "~CAP_MAC_OVERRIDE" + "~CAP_SYS_RAWIO" + "~CAP_SYS_PTRACE" + # "~CAP_SYS_NICE" + # "~CAP_SYS_RESOURCE" + # "~CAP_NET_ADMIN" + # "~CAP_NET_BIND_SERVICE" + # "~CAP_NET_BROADCAST" + # "~CAP_NET_RAW" + # "~CAP_AUDIT_CONTROL" + # "~CAP_AUDIT_READ" + # "~CAP_AUDIT_WRITE" + # "~CAP_SYS_ADMIN" + # "~CAP_SYSLOG" + # "~CAP_SYS_TIME + ]; + + ################ + # System calls # + ################ + + SystemCallFilter = [ + "~@clock" + "~@cpu-emulation" + "~@debug" + "~@module" + # "~@mount" + "~@obsolete" + # "~@privileged" + "~@raw-io" + "~@reboot" + # "~@resources" + "~@swap" + ]; +} diff --git a/modules/common/systemd/hardened-configs/common/wpa_supplicant.nix b/modules/common/systemd/hardened-configs/common/wpa_supplicant.nix new file mode 100644 index 000000000..7938b9d20 --- /dev/null +++ b/modules/common/systemd/hardened-configs/common/wpa_supplicant.nix 
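Review bot: `RestrictAddressFamilies` here denies only `~AF_PACKET`, leaving every other family (AF_NETLINK, AF_INET6, AF_VSOCK and so on) open for a proxy that, judging by its name, needs AF_VSOCK plus one IP family. An allow-list naming just those families would be tighter and self-documenting, and it would also separate this file from tpm2-abrmd.nix, whose content it currently duplicates. Something like `RestrictAddressFamilies = [ "AF_VSOCK" "AF_INET" "AF_UNIX" ]; # allow-list: only what the proxy opens — confirm against the binary` would do, with the families adjusted to what the proxy really uses.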
@@ -0,0 +1,151 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + ############## + # Networking # + ############## + + # PrivateNetwork=true; + # IPAccounting=yes + # IPAddressDeny="any"; + RestrictAddressFamilies = [ + "AF_PACKET" + "AF_NETLINK" + "AF_UNIX" + "AF_INET" + "AF_INET6" + ]; + + ############### + # File system # + ############### + + ProtectHome = true; + ProtectSystem = "strict"; + ProtectProc = "invisible"; + # ReadWritePaths=[ "/etc"]; + PrivateTmp = true; + + # Not applicable for the service runs as root + # PrivateMounts=true; + # ProcSubset="all"; + + ################### + # User separation # + ################### + + # Not applicable for the service runs as root + # PrivateUsers=true; + # DynamicUser=true; + + ########### + # Devices # + ########### + + PrivateDevices = true; + # DeviceAllow=/dev/null + + ########## + # Kernel # + ########## + + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + + ######## + # Misc # + ######## + + # Delegate=false; + # KeyringMode="private"; + NoNewPrivileges = true; + # UMask=077; + ProtectHostname = true; + ProtectClock = true; + # ProtectControlGroups=true; + # RestrictNamespaces=true; + /* + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; + */ + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + # RemoveIPC=true + SystemCallArchitectures = "native"; + # NotifyAccess=false; + + ################ + # Capabilities # + ################ + + #AmbientCapabilities= + CapabilityBoundingSet = [ + "~CAP_SYS_PACCT" + "~CAP_KILL" + # "~CAP_WAKE_ALARM" + # "~CAP_DAC_* + "~CAP_FOWNER" + # "~CAP_IPC_OWNER" + # "~CAP_BPF" + "~CAP_LINUX_IMMUTABLE" + # "~CAP_IPC_LOCK" + "~CAP_SYS_MODULE" + "~CAP_SYS_TTY_CONFIG" + "~CAP_SYS_BOOT" + "~CAP_SYS_CHROOT" + # "~CAP_BLOCK_SUSPEND" + "~CAP_LEASE" + "~CAP_MKNOD" + # 
"~CAP_CHOWN" + # "~CAP_FSETID" + # "~CAP_SETFCAP" + # "~CAP_SETUID" + # "~CAP_SETGID" + # "~CAP_SETPCAP" + # "~CAP_MAC_ADMIN" + # "~CAP_MAC_OVERRIDE" + "~CAP_SYS_RAWIO" + "~CAP_SYS_PTRACE" + # "~CAP_SYS_NICE" + # "~CAP_SYS_RESOURCE" + # "~CAP_NET_ADMIN" + # "~CAP_NET_BIND_SERVICE" + # "~CAP_NET_BROADCAST" + # "~CAP_NET_RAW" + # "~CAP_AUDIT_CONTROL" + # "~CAP_AUDIT_READ" + # "~CAP_AUDIT_WRITE" + # "~CAP_SYS_ADMIN" + # "~CAP_SYSLOG" + # "~CAP_SYS_TIME + ]; + + ################ + # System calls # + ################ + + SystemCallFilter = [ + "~@clock" + # "~@cpu-emulation" + "~@debug" + "~@module" + "~@mount" + "~@obsolete" + # "~@privileged" + # "~@raw-io" + "~@reboot" + "~@resources" + "~@swap" + ]; +} diff --git a/modules/common/systemd/hardened-configs/release/NetworkManager.nix b/modules/common/systemd/hardened-configs/release/NetworkManager.nix new file mode 100644 index 000000000..8512d9a51 --- /dev/null +++ b/modules/common/systemd/hardened-configs/release/NetworkManager.nix 
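Review bot: `RestrictAddressFamilies` in this file is an allow-list (entries without the `~` prefix), whereas the sibling profiles in this commit are deny-lists; both forms are valid and the allow-list is the stricter one, but nothing in the file says the missing `~` is deliberate, so a later "fix" adding the tilde would silently turn it into a deny-everything list. Add `# allow-list: only these families may be opened (no "~" on purpose)` above the list; release/NetworkManager.nix uses the same form and needs the same comment. Separately, `PrivateDevices = true;` hides all device nodes from wpa_supplicant, which I believe also consults the rfkill device node for radio state — worth a quick check that radio toggling still behaves under this profile.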
@@ -0,0 +1,153 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + ############## + # Networking # + ############## + + # PrivateNetwork=true; + # IPAccounting=yes + # IPAddressDeny="any"; + RestrictAddressFamilies = [ + "AF_PACKET" + "AF_NETLINK" + "AF_UNIX" + "AF_INET" + "AF_INET6" + ]; + + ############### + # File system # + ############### + + ProtectHome = true; + ProtectSystem = "strict"; + ProtectProc = "invisible"; + # ReadWritePaths=[ "/etc"]; + PrivateTmp = true; + + # Not applicable for the service runs as root + # PrivateMounts=true; + # ProcSubset="all"; + + ################### + # User separation # + ################### + + # Not applicable for the service runs as root + # PrivateUsers=true; + # DynamicUser=true; + + ########### + # Devices # + ########### + + PrivateDevices = true; + # DeviceAllow=/dev/null + + ########## + # Kernel # + ########## + + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + + ######## + # Misc # + ######## + + # Delegate=false; + # KeyringMode="private"; + NoNewPrivileges = true; + # UMask=077; + ProtectHostname = true; + ProtectClock = true; + # ProtectControlGroups=true; + # RestrictNamespaces=true; + /* + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; + */ + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + # RemoveIPC=true + SystemCallArchitectures = "native"; + # NotifyAccess=false; + + ################ + # Capabilities # + ################ + + #AmbientCapabilities= + CapabilityBoundingSet = [ + # "~CAP_SYS_PACCT" + # "~CAP_KILL" + # "~CAP_WAKE_ALARM" + # "~CAP_DAC_* + # "~CAP_FOWNER" + # "~CAP_IPC_OWNER" + # "~CAP_BPF" + # "~CAP_LINUX_IMMUTABLE" + # "~CAP_IPC_LOCK" + # "~CAP_SYS_MODULE" + # "~CAP_SYS_TTY_CONFIG" + # "~CAP_SYS_BOOT" + "CAP_SYS_CHROOT" + # "~CAP_BLOCK_SUSPEND" + # "~CAP_LEASE" + # 
"~CAP_MKNOD" + # "~CAP_CHOWN" + # "~CAP_FSETID" + # "~CAP_SETFCAP" + "CAP_SETUID" + "CAP_SETGID" + # "~CAP_SETPCAP" + # "~CAP_MAC_ADMIN" + # "~CAP_MAC_OVERRIDE" + # "~CAP_SYS_RAWIO" + # "~CAP_SYS_PTRACE" + # "~CAP_SYS_NICE" + # "~CAP_SYS_RESOURCE" + # "~CAP_NET_ADMIN" + # "~CAP_NET_BIND_SERVICE" + # "~CAP_NET_BROADCAST" + # "~CAP_NET_RAW" + # "~CAP_AUDIT_CONTROL" + # "~CAP_AUDIT_READ" + # "~CAP_AUDIT_WRITE" + "~CAP_SYS_ADMIN" + # "~CAP_SYSLOG" + # "~CAP_SYS_TIME + ]; + + ################ + # System calls # + ################ + + SystemCallFilter = [ + "@system-service" + "@privileged" + # "~@clock" + # "~@cpu-emulation" + # "~@debug" + # "~@module" + # "~@mount" + # "~@obsolete" + # "~@privileged" + # "~@raw-io" + # "~@reboot" + # "~@resources" + # "~@swap" + ]; +} diff --git a/modules/common/systemd/hardened-configs/release/audit.nix b/modules/common/systemd/hardened-configs/release/audit.nix new file mode 100644 index 000000000..5d7051b13 --- /dev/null +++ b/modules/common/systemd/hardened-configs/release/audit.nix 
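Review bot: The CapabilityBoundingSet mixes allow-list entries (`"CAP_SYS_CHROOT"`, `"CAP_SETUID"`, `"CAP_SETGID"`) with a deny entry (`"~CAP_SYS_ADMIN"`) in one list, and every other profile in the commit uses pure deny-lists. NixOS renders the list as one `CapabilityBoundingSet=` line per element, and systemd merges positive lines by OR and `~` lines by AND on top of whatever the upstream NetworkManager unit already sets (as far as I recall it ships its own positive set including CAP_NET_ADMIN), so the effective set cannot be read from this file and it is unclear whether CAP_NET_ADMIN/CAP_NET_RAW are meant to survive. Pick one form, and if it is an allow-list, enumerate the complete set with a comment such as `# allow-list (no "~"): full set granted to NetworkManager; merged by OR with the upstream unit's CapabilityBoundingSet=`. The SystemCallFilter allow-list `[ "@system-service" "@privileged" ]` has the same documentation gap — `@privileged` is broad (it covers `@module`, `@reboot`, `@swap`, `@raw-io`) and a note on which of its members NetworkManager needs would justify keeping it whole.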
@@ -0,0 +1,151 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + ######## + # Networking # + ############## + + PrivateNetwork = true; + # IPAccounting=yes + IPAddressDeny = "any"; + RestrictAddressFamilies = [ + #"~AF_PACKET" + #"~AF_NETLINK" + #"~AF_UNIX" + #"~AF_INET" + #"~AF_INET6" + ]; + + ############### + # File system # + ############### + + ProtectHome = true; + ProtectSystem = "full"; + ProtectProc = "noaccess"; + # ReadWritePaths=[ "/etc"]; + PrivateTmp = true; + + # Not applicable for the service runs as root + # PrivateMounts=true; + # ProcSubset="all"; + + ################ + # User separation # + ################### + + # Not applicable for the service runs as root + # PrivateUsers= service runs as root + # DynamicUser= service runs as root + + ########### + # Devices # + ########### + + # PrivateDevices=false; + # DeviceAllow=/dev/exampledevice + + ########## + # Kernel # + ########## + + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + + ######## + # Misc # + ######## + + Delegate = false; + # KeyringMode="private"; + NoNewPrivileges = true; + UMask = 77; + ProtectHostname = true; + ProtectClock = true; + ProtectControlGroups = true; + RestrictNamespaces = true; + /* + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; + */ + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + # RemoveIPC= service runs as root + SystemCallArchitectures = "native"; + # NotifyAccess=false; + + ################ + # Capabilities # + ################ + + #AmbientCapabilities= + CapabilityBoundingSet = [ + "~CAP_SYS_PACCT" + "~CAP_KILL" + # "~CAP_WAKE_ALARM" + # "~CAP_DAC_* + "~CAP_FOWNER" + # "~CAP_IPC_OWNER" + # "~CAP_BPF" + "~CAP_LINUX_IMMUTABLE" + # "~CAP_IPC_LOCK" + "~CAP_SYS_MODULE" + "~CAP_SYS_TTY_CONFIG" + "~CAP_SYS_BOOT" + "~CAP_SYS_CHROOT" + # 
"~CAP_BLOCK_SUSPEND" + "~CAP_LEASE" + "~CAP_MKNOD" + # "~CAP_CHOWN" + # "~CAP_FSETID" + # "~CAP_SETFCAP" + # "~CAP_SETUID" + # "~CAP_SETGID" + # "~CAP_SETPCAP" + # "~CAP_MAC_ADMIN" + # "~CAP_MAC_OVERRIDE" + "~CAP_SYS_RAWIO" + "~CAP_SYS_PTRACE" + # "~CAP_SYS_NICE" + # "~CAP_SYS_RESOURCE" + "~CAP_NET_ADMIN" + "~CAP_NET_BIND_SERVICE" + "~CAP_NET_BROADCAST" + "~CAP_NET_RAW" + # "~CAP_AUDIT_CONTROL" + # "~CAP_AUDIT_READ" + # "~CAP_AUDIT_WRITE" + "~CAP_SYS_ADMIN" + # "~CAP_SYSLOG" + # "~CAP_SYS_TIME + ]; + + ################ + # System calls # + ################ + + SystemCallFilter = [ + "~@clock" + # "~@cpu-emulation" + "~@debug" + "~@module" + "~@mount" + "~@obsolete" + "~@privileged" + # "~@raw-io" + "~@reboot" + "~@resources" + "~@swap" + ]; +} diff --git a/modules/common/systemd/hardened-configs/release/sshd.nix b/modules/common/systemd/hardened-configs/release/sshd.nix new file mode 100644 index 000000000..58b850821 --- /dev/null +++ b/modules/common/systemd/hardened-configs/release/sshd.nix 
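Review bot: `PrivateNetwork = true;` and `IPAddressDeny = "any";` are set while every `RestrictAddressFamilies` entry stays commented out, which reads as an oversight even though it is probably the only workable choice here: auditd talks to the kernel over a NETLINK_AUDIT socket, so AF_NETLINK must remain permitted. State that in the file, e.g. `# AF_NETLINK stays allowed on purpose: auditd receives records over NETLINK_AUDIT` above the list, and verify once that auditd still registers with the kernel from inside the private network namespace. The section banners in this file are also broken (`########`/`##############` and `################`/`###################`) and the `# PrivateUsers= service runs as root` lines differ from the template wording, so the file looks hand-edited from an older copy rather than derived from template.nix.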
@@ -0,0 +1,161 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + ############## + # Networking # + ############## + + # PrivateNetwork=true; + # IPAccounting=yes; + # IPAddressDeny="any"; + RestrictAddressFamilies = [ + "~AF_PACKET" + #"~AF_NETLINK" + #"~AF_UNIX" + #"~AF_INET" + #"~AF_INET6" + ]; + + ############### + # File system # + ############### + + # ProtectHome=true; + # ProtectSystem="full"; + ProtectProc = "invisible"; + # ReadWritePaths=[ "/etc"]; + PrivateTmp = true; + + # Not applicable for the service runs as root + # PrivateMounts=true; + # ProcSubset="all"; + + ################### + # User separation # + ################### + + # Not applicable for the service runs as root + # PrivateUsers=true; + # DynamicUser=true; + + ########### + # Devices # + ########### + + # PrivateDevices=false; + DeviceAllow = [ + "/dev/video0" + "/dev/video1" + "/dev/video2" + "/dev/video3" + "/dev/media0" + "/dev/media1" + ]; + + ########## + # Kernel # + ########## + + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + + ######## + # Misc # + ######## + + # Delegate=false; + # KeyringMode="private"; + NoNewPrivileges = true; + UMask = 77; + ProtectHostname = true; + ProtectClock = true; + ProtectControlGroups = true; + RestrictNamespaces = [ + "~cgroup" + "~uts" + ]; + /* + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; + */ + LockPersonality = true; + # MemoryDenyWriteExecute=true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + # RemoveIPC=true + SystemCallArchitectures = "native"; + # NotifyAccess=false; + + ################ + # Capabilities # + ################ + + #AmbientCapabilities= + CapabilityBoundingSet = [ + "~CAP_SYS_PACCT" + "~CAP_KILL" + # "~CAP_WAKE_ALARM" + # "~CAP_DAC_* + "~CAP_FOWNER" + # "~CAP_IPC_OWNER" + # "~CAP_BPF" + "~CAP_LINUX_IMMUTABLE" + # "~CAP_IPC_LOCK" + "~CAP_SYS_MODULE" + 
"~CAP_SYS_TTY_CONFIG" + # "~CAP_SYS_BOOT" + # "~CAP_SYS_CHROOT" + "~CAP_BLOCK_SUSPEND" + "~CAP_LEASE" + "~CAP_MKNOD" + # "~CAP_CHOWN" + # "~CAP_FSETID" + # "~CAP_SETFCAP" + # "~CAP_SETUID" + # "~CAP_SETGID" + # "~CAP_SETPCAP" + # "~CAP_MAC_ADMIN" + # "~CAP_MAC_OVERRIDE" + "~CAP_SYS_RAWIO" + "~CAP_SYS_PTRACE" + # "~CAP_SYS_NICE" + # "~CAP_SYS_RESOURCE" + # "~CAP_NET_ADMIN" + # "~CAP_NET_BIND_SERVICE" + # "~CAP_NET_BROADCAST" + # "~CAP_NET_RAW" + # "~CAP_AUDIT_CONTROL" + # "~CAP_AUDIT_READ" + # "~CAP_AUDIT_WRITE" + # "~CAP_SYS_ADMIN" + # "~CAP_SYSLOG" + # "~CAP_SYS_TIME + ]; + + ################ + # System calls # + ################ + + SystemCallFilter = [ + "~@clock" + "~@cpu-emulation" + "~@debug" + "~@module" + # "~@mount" + "~@obsolete" + # "~@privileged" + "~@raw-io" + # "~@reboot" + # "~@resources" + "~@swap" + ]; +} diff --git a/modules/common/systemd/hardened-configs/release/user@.nix b/modules/common/systemd/hardened-configs/release/user@.nix new file mode 100644 index 000000000..47d72c29c --- /dev/null +++ b/modules/common/systemd/hardened-configs/release/user@.nix 
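Review bot: `DeviceAllow = [ "/dev/video0" … "/dev/media1" ];` grants sshd access to camera and media capture devices, which has no place in an SSH daemon's profile and looks pasted from a video-related unit. Worse, as soon as any `DeviceAllow=` is present the device policy admits only the listed nodes plus the basic pseudo-devices (null, zero, full, random, urandom), so I would expect pty allocation for interactive sessions to fail because the pseudo-terminal devices are no longer reachable from sshd's cgroup. Remove the list, or replace it with what sshd actually needs, e.g. `DeviceAllow = [ "/dev/ptmx" "char-pts" ];` (to be confirmed on a real login), and leave a comment stating why no other device appears. `MemoryDenyWriteExecute` and `~@privileged` are left commented, which is consistent with sshd's privilege-separation needs, but a one-line note would stop a later pass from "tightening" them.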
@@ -0,0 +1,151 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + ############## + # Networking # + ############## + + # PrivateNetwork=true; + # IPAccounting=yes + # IPAddressDeny="any"; + RestrictAddressFamilies = [ + #"~AF_PACKET" + #"~AF_NETLINK" + #"~AF_UNIX" + #"~AF_INET" + #"~AF_INET6" + ]; + + ############### + # File system # + ############### + + # ProtectHome=true; + # ProtectSystem="full"; + # ProtectProc="noaccess"; + # ReadWritePaths=[ "/etc"]; + PrivateTmp = true; + + # Not applicable for the service runs as root + # PrivateMounts=true; + # ProcSubset="all"; + + ################### + # User separation # + ################### + + # Not applicable for the service runs as root + PrivateUsers = true; + # DynamicUser=true; + + ########### + # Devices # + ########### + + # PrivateDevices=false; + # DeviceAllow=/dev/null + + ########## + # Kernel # + ########## + + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + + ######## + # Misc # + ######## + + # Delegate=false; + # KeyringMode="private"; + NoNewPrivileges = true; + UMask = 77; + ProtectHostname = true; + ProtectClock = true; + # ProtectControlGroups=true; + RestrictNamespaces = true; + /* + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; + */ + # LockPersonality=true; + # MemoryDenyWriteExecute=true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + # RemoveIPC=true + SystemCallArchitectures = "native"; + # NotifyAccess=false; + + ################ + # Capabilities # + ################ + + #AmbientCapabilities= + CapabilityBoundingSet = [ + "~CAP_SYS_PACCT" + # "~CAP_KILL" + "~CAP_WAKE_ALARM" + # "~CAP_DAC_* + # "~CAP_FOWNER" + # "~CAP_IPC_OWNER" + # "~CAP_BPF" + "~CAP_LINUX_IMMUTABLE" + # "~CAP_IPC_LOCK" + # "~CAP_SYS_MODULE" + "~CAP_SYS_TTY_CONFIG" + "~CAP_SYS_BOOT" + "~CAP_SYS_CHROOT" + # "~CAP_BLOCK_SUSPEND" + "~CAP_LEASE" + "~CAP_MKNOD" + # 
"~CAP_CHOWN" + # "~CAP_FSETID" + # "~CAP_SETFCAP" + # "~CAP_SETUID" + # "~CAP_SETGID" + # "~CAP_SETPCAP" + # "~CAP_MAC_ADMIN" + # "~CAP_MAC_OVERRIDE" + # "~CAP_SYS_RAWIO" + "~CAP_SYS_PTRACE" + "~CAP_SYS_NICE" + # "~CAP_SYS_RESOURCE" + "~CAP_NET_ADMIN" + # "~CAP_NET_BIND_SERVICE" + # "~CAP_NET_BROADCAST" + # "~CAP_NET_RAW" + "~CAP_AUDIT_CONTROL" + # "~CAP_AUDIT_READ" + # "~CAP_AUDIT_WRITE" + # "~CAP_SYS_ADMIN" + # "~CAP_SYSLOG" + # "~CAP_SYS_TIME + ]; + + ################ + # System calls # + ################ + + SystemCallFilter = [ + "~@clock" + # "~@cpu-emulation" + "~@debug" + "~@module" + # "~@mount" + "~@obsolete" + # "~@privileged" + # "~@raw-io" + # "~@reboot" + # "~@resources" + "~@swap" + ]; +} diff --git a/modules/common/systemd/hardened-configs/template.nix b/modules/common/systemd/hardened-configs/template.nix new file mode 100644 index 000000000..88e304ae5 --- /dev/null +++ b/modules/common/systemd/hardened-configs/template.nix 
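Review bot: The `SystemCallFilter` and `CapabilityBoundingSet` applied to user@.service are inherited by every user service and session process the per-user manager spawns, since seccomp filters and the bounding set survive fork and exec. Denying `~@debug` there therefore removes ptrace from all user-level services on the device, and `~CAP_SYS_PTRACE` does the same on the capability side; that may be exactly the intent for a release profile, but it should be documented in the file because the effect reaches well beyond the manager process itself. Add `# NOTE: these filters are inherited by every user service started by this manager` above the filter block.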
@@ -0,0 +1,151 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + ############## + # Networking # + ############## + + # PrivateNetwork=true; + # IPAccounting=yes + # IPAddressDeny="any"; + RestrictAddressFamilies = [ + #"~AF_PACKET" + #"~AF_NETLINK" + #"~AF_UNIX" + #"~AF_INET" + #"~AF_INET6" + ]; + + ############### + # File system # + ############### + + # ProtectHome=true; + # ProtectSystem="full"; + # ProtectProc="noaccess"; + # ReadWritePaths=[ "/etc"]; + # PrivateTmp=true; + + # Not applicable for the service runs as root + # PrivateMounts=true; + # ProcSubset="all"; + + ################### + # User separation # + ################### + + # Not applicable for the service runs as root + # PrivateUsers=true; + # DynamicUser=true; + + ########### + # Devices # + ########### + + # PrivateDevices=false; + # DeviceAllow=/dev/null + + ########## + # Kernel # + ########## + + # ProtectKernelTunables=true; + # ProtectKernelModules=true; + # ProtectKernelLogs=true; + + ######## + # Misc # + ######## + + # Delegate=false; + # KeyringMode="private"; + # NoNewPrivileges=true; + # UMask=077; + # ProtectHostname=true; + # ProtectClock=true; + # ProtectControlGroups=true; + # RestrictNamespaces=true; + /* + RestrictNamespaces=[ + #"~user" + #"~pid" + #"~net" + #"~uts" + #"~mnt" + #"~cgroup" + #"~ipc" + ]; + */ + # LockPersonality=true; + # MemoryDenyWriteExecute=true; + # RestrictRealtime=true; + # RestrictSUIDSGID=true; + # RemoveIPC=true + # SystemCallArchitectures="native"; + # NotifyAccess=false; + + ################ + # Capabilities # + ################ + + #AmbientCapabilities= + CapabilityBoundingSet = [ + # "~CAP_SYS_PACCT" + # "~CAP_KILL" + # "~CAP_WAKE_ALARM" + # "~CAP_DAC_* + # "~CAP_FOWNER" + # "~CAP_IPC_OWNER" + # "~CAP_BPF" + # "~CAP_LINUX_IMMUTABLE" + # "~CAP_IPC_LOCK" + # "~CAP_SYS_MODULE" + # "~CAP_SYS_TTY_CONFIG" + # "~CAP_SYS_BOOT" + # "~CAP_SYS_CHROOT" + # "~CAP_BLOCK_SUSPEND" + # "~CAP_LEASE" + # 
"~CAP_MKNOD" + # "~CAP_CHOWN" + # "~CAP_FSETID" + # "~CAP_SETFCAP" + # "~CAP_SETUID" + # "~CAP_SETGID" + # "~CAP_SETPCAP" + # "~CAP_MAC_ADMIN" + # "~CAP_MAC_OVERRIDE" + # "~CAP_SYS_RAWIO" + # "~CAP_SYS_PTRACE" + # "~CAP_SYS_NICE" + # "~CAP_SYS_RESOURCE" + # "~CAP_NET_ADMIN" + # "~CAP_NET_BIND_SERVICE" + # "~CAP_NET_BROADCAST" + # "~CAP_NET_RAW" + # "~CAP_AUDIT_CONTROL" + # "~CAP_AUDIT_READ" + # "~CAP_AUDIT_WRITE" + # "~CAP_SYS_ADMIN" + # "~CAP_SYSLOG" + # "~CAP_SYS_TIME + ]; + + ################ + # System calls # + ################ + + SystemCallFilter = [ + # "~@clock" + # "~@cpu-emulation" + # "~@debug" + # "~@module" + # "~@mount" + # "~@obsolete" + # "~@privileged" + # "~@raw-io" + # "~@reboot" + # "~@resources" + # "~@swap" + ]; +} diff --git a/modules/common/tpm2/default.nix b/modules/common/tpm2/default.nix deleted file mode 100644 index feed3224c..000000000 --- a/modules/common/tpm2/default.nix +++ /dev/null @@ -1,35 +0,0 @@ -# Copyright 2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -{ - config, - lib, - pkgs, - ... -}: let - cfg = config.ghaf.security.tpm2; -in - with lib; { - options.ghaf.security.tpm2 = { - enable = mkEnableOption "TPM2 PKCS#11 interface"; - }; - - config = mkIf cfg.enable { - security.tpm2 = { - enable = true; - pkcs11.enable = true; - abrmd.enable = true; - }; - - environment.systemPackages = mkIf config.ghaf.profiles.debug.enable [ - pkgs.opensc - pkgs.tpm2-tools - ]; - - assertions = [ - { - assertion = pkgs.stdenv.isx86_64; - message = "TPM2 is only supported on x86_64"; - } - ]; - }; - } diff --git a/modules/common/users/accounts.nix b/modules/common/users/accounts.nix index b44293022..e3822f8d7 100644 --- a/modules/common/users/accounts.nix +++ b/modules/common/users/accounts.nix 
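Review bot: The template carries no header explaining how it is meant to be used, so readers must infer the conventions from the per-service copies: that a directive is activated by uncommenting it, that a `~` prefix turns a list entry into a denial while no prefix makes the whole list an allow-list, and that the `# Not applicable for the service runs as root` lines are to be deleted (not left in) once the unit's user is known. A three-to-four line comment under the SPDX header stating those three conventions, plus a pointer to the systemd.exec and systemd.resource-control manual pages the directive names come from, would make every derived profile reviewable on its own. It would also be the right place to say that `systemd-analyze security <unit>` is the expected way to check a derived profile, if that is indeed the workflow.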
@@ -1,51 +1,56 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
- config,
- lib,
- options,
- ...
-}:
+{ config, lib, ... }:
 # account for the development time login with sudo rights
 let
 cfg = config.ghaf.users.accounts;
+ inherit (lib)
+ mkEnableOption
+ mkOption
+ optionals
+ mkIf
+ types
+ ;
 in
- with lib; {
- #TODO Extend this to allow definition of multiple users
- options.ghaf.users.accounts = {
- enable = mkEnableOption "Default account Setup";
- user = mkOption {
- default = "ghaf";
- type = with types; str;
- description = ''
- A default user to create in the system.
- '';
- };
- password = mkOption {
- default = "ghaf";
- type = with types; str;
- description = ''
- A default password for the user.
- '';
- };
+{
+ #TODO Extend this to allow definition of multiple users
+ options.ghaf.users.accounts = {
+ enable = mkEnableOption "Default account Setup";
+ user = mkOption {
+ default = "ghaf";
+ type = with types; str;
+ description = ''
+ A default user to create in the system.
+ '';
+ };
+ password = mkOption {
+ default = "ghaf";
+ type = with types; str;
+ description = ''
+ A default password for the user.
+ '';
 };
+ };
- config = mkIf cfg.enable {
- users = {
- mutableUsers = true;
- users."${cfg.user}" = {
- isNormalUser = true;
- inherit (cfg) password;
- #TODO add "docker" use "lib.optionals"
- extraGroups =
- ["wheel" "video" "networkmanager"]
- ++ optionals
- config.ghaf.security.tpm2.enable ["tss"];
- };
- groups."${cfg.user}" = {
- name = cfg.user;
- members = [cfg.user];
- };
+ config = mkIf cfg.enable {
+ users = {
+ mutableUsers = true;
+ users."${cfg.user}" = {
+ isNormalUser = true;
+ inherit (cfg) password;
+ #TODO add "docker" use "lib.optionals"
+ extraGroups = [
+ "wheel"
+ "video"
+ "networkmanager"
+ ] ++ optionals config.security.tpm2.enable [ "tss" ];
+ };
+ groups."${cfg.user}" = {
+ name = cfg.user;
+ members = [ cfg.user ];
 };
 };
- }
+ # to build ghaf as ghaf-user with caches
+ nix.settings.trusted-users = mkIf config.ghaf.profiles.debug.enable [ cfg.user ];
+ };
+}
diff --git a/modules/common/version/default.nix b/modules/common/version/default.nix
index 531bd8292..04b6e254e 100644
--- a/modules/common/version/default.nix
+++ b/modules/common/version/default.nix
@@ -8,11 +8,13 @@
 lib,
 config,
 ...
-}: let
+}:
+let
 ghafVersion = pkgs.writeShellScriptBin "ghaf-version" ''
 echo "${config.ghaf.version}"
 '';
-in {
+in
+{
 options = {
 ghaf.version = lib.mkOption {
 type = lib.types.str;
@@ -23,8 +25,6 @@ in {
 };
 };
 config = {
- environment.systemPackages = [
- ghafVersion
- ];
+ environment.systemPackages = [ ghafVersion ];
 };
 }
diff --git a/modules/common/virtualization/docker.nix b/modules/common/virtualization/docker.nix
index 44b8bf1c0..6b9fa77e2 100644
--- a/modules/common/virtualization/docker.nix
+++ b/modules/common/virtualization/docker.nix
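Review bot: `nix.settings.trusted-users = mkIf config.ghaf.profiles.debug.enable [ cfg.user ];` makes the default account a trusted Nix user, and a trusted user can hand the daemon arbitrary substituters and trusted public keys, which on a NixOS host is effectively root-equivalent; the debug gate is right, but the comment `# to build ghaf as ghaf-user with caches` does not convey that, so the gate could be loosened later without anyone seeing the stakes. Replace it with `# Trusted Nix users can add substituters and signing keys (root-equivalent): debug profile only, never release`. The `config.security.tpm2.enable` rename in the same hunk only follows the deletion of the ghaf tpm2 module and needs no further comment.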
@@ -1,22 +1,20 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - lib, - config, - ... -}: let +{ lib, config, ... }: +let cfg = config.ghaf.virtualization.docker.daemon; + inherit (lib) mkEnableOption mkIf; in - with lib; { - options.ghaf.virtualization.docker.daemon = { - enable = mkEnableOption "Docker Daemon"; - }; +{ + options.ghaf.virtualization.docker.daemon = { + enable = mkEnableOption "Docker Daemon"; + }; - config = mkIf cfg.enable { - virtualisation.docker.enable = true; - virtualisation.docker.rootless = { - enable = true; - setSocketVariable = true; - }; + config = mkIf cfg.enable { + virtualisation.docker.enable = true; + virtualisation.docker.rootless = { + enable = true; + setSocketVariable = true; }; - } + }; +} diff --git a/modules/desktop/default.nix b/modules/desktop/default.nix index a0b4e68e1..c6aa68ab5 100644 --- a/modules/desktop/default.nix +++ b/modules/desktop/default.nix @@ -7,6 +7,5 @@ imports = [ ./graphics ./profiles - ./windows-launcher ]; } diff --git a/modules/desktop/graphics/boot.nix b/modules/desktop/graphics/boot.nix index 40599207d..bcf46262d 100644 --- a/modules/desktop/graphics/boot.nix +++ b/modules/desktop/graphics/boot.nix 
@@ -3,31 +3,36 @@ { config, lib, + pkgs, ... -}: let +}: +let cfg = config.ghaf.graphics.boot; in - with lib; { - options.ghaf.graphics.boot = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Enables graphical boot with plymouth. - ''; - }; +{ + options.ghaf.graphics.boot = { + enable = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Enables graphical boot with plymouth. + ''; }; + }; - config = mkIf cfg.enable { - boot = { - plymouth = { - enable = true; - logo = ../../../assets/ghaf-logo.png; - }; - # Hide boot log from user completely - kernelParams = ["quiet" "udev.log_priority=3"]; - consoleLogLevel = 0; - initrd.verbose = false; + config = lib.mkIf cfg.enable { + boot = { + plymouth = { + enable = true; + logo = "${pkgs.ghaf-artwork}/ghaf-logo.png"; }; + # Hide boot log from user completely + kernelParams = [ + "quiet" + "udev.log_priority=3" + ]; + consoleLogLevel = 0; + initrd.verbose = false; }; - } + }; +} diff --git a/modules/desktop/graphics/default.nix b/modules/desktop/graphics/default.nix index 037f40502..ee8f20ddd 100644 --- a/modules/desktop/graphics/default.nix +++ b/modules/desktop/graphics/default.nix @@ -2,14 +2,12 @@ # SPDX-License-Identifier: Apache-2.0 { imports = [ - ./weston.nix ./labwc.nix - ./weston.ini.nix + ./labwc.config.nix ./waybar.config.nix ./demo-apps.nix ./fonts.nix - ./gnome.nix - ./window-manager.nix + ./login-manager.nix ./boot.nix ]; } diff --git a/modules/desktop/graphics/demo-apps.nix b/modules/desktop/graphics/demo-apps.nix index 5c10fc072..963259bcc 100644 --- a/modules/desktop/graphics/demo-apps.nix +++ b/modules/desktop/graphics/demo-apps.nix 
@@ -5,74 +5,64 @@ lib, config, ... -}: let +}: +let cfg = config.ghaf.graphics.demo-apps; /* - Scaled down firefox icon - */ - firefox-icon = pkgs.runCommand "firefox-icon-24x24" {} '' - mkdir -p $out/share/icons/hicolor/24x24/apps - ${pkgs.buildPackages.imagemagick}/bin/convert \ - ${pkgs.firefox}/share/icons/hicolor/128x128/apps/firefox.png \ - -resize 24x24 \ - $out/share/icons/hicolor/24x24/apps/firefox.png - ''; - - /* - Generate launchers to be used in weston.ini - - Type: mkProgramOption :: string -> bool -> option + Generate launchers to be used in the application drawer + Type: mkProgramOption :: string -> bool -> option */ - mkProgramOption = name: default: - with lib; - mkOption { - inherit default; - type = types.bool; - description = "Include package ${name} to menu and system environment"; - }; -in { - options.ghaf.graphics.demo-apps = with lib; { + mkProgramOption = + name: default: + lib.mkOption { + inherit default; + type = lib.types.bool; + description = "Include package ${name} to menu and system environment"; + }; +in +{ + options.ghaf.graphics.demo-apps = { chromium = mkProgramOption "Chromium browser" false; firefox = mkProgramOption "Firefox browser" config.ghaf.graphics.enableDemoApplications; gala-app = mkProgramOption "Gala App" false; element-desktop = mkProgramOption "Element desktop" config.ghaf.graphics.enableDemoApplications; zathura = mkProgramOption "zathura" config.ghaf.graphics.enableDemoApplications; + appflowy = mkProgramOption "Appflowy" config.ghaf.graphics.enableDemoApplications; }; config = lib.mkIf config.ghaf.profiles.graphics.enable { ghaf.graphics.launchers = lib.optional cfg.chromium { - name = "chromium"; + name = "Chromium"; path = "${pkgs.chromium}/bin/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland"; - icon = "${pkgs.chromium}/share/icons/hicolor/24x24/apps/chromium.png"; + icon = "${pkgs.icon-pack}/chromium.svg"; } ++ lib.optional cfg.firefox { - name = "firefox"; + name = "Firefox"; path = 
"${pkgs.firefox}/bin/firefox"; - icon = "${firefox-icon}/share/icons/hicolor/24x24/apps/firefox.png"; + icon = "${pkgs.icon-pack}/firefox.svg"; } ++ lib.optional cfg.element-desktop { - name = "element"; + name = "Element"; path = "${pkgs.element-desktop}/bin/element-desktop --enable-features=UseOzonePlatform --ozone-platform=wayland"; - icon = "${pkgs.element-desktop}/share/icons/hicolor/24x24/apps/element.png"; + icon = "${pkgs.icon-pack}/element-desktop.svg"; } ++ lib.optional cfg.gala-app { - name = "gala"; + name = "GALA"; path = "${pkgs.gala-app}/bin/gala --enable-features=UseOzonePlatform --ozone-platform=wayland"; - icon = "${pkgs.gala-app}/gala/resources/icon-24x24.png"; + icon = "${pkgs.icon-pack}/distributor-logo-android.svg"; } ++ lib.optional cfg.zathura { - name = "zathura"; + name = "PDF Viewer"; path = "${pkgs.zathura}/bin/zathura"; - icon = "${pkgs.zathura}/share/icons/hicolor/32x32/apps/org.pwmt.zathura.png"; + icon = "${pkgs.icon-pack}/document-viewer.svg"; + } + ++ lib.optional (cfg.appflowy && pkgs.stdenv.isx86_64) { + name = "AppFlowy"; + path = "${pkgs.appflowy}/bin/appflowy"; + icon = "${pkgs.appflowy}/opt/data/flutter_assets/assets/images/flowy_logo.svg"; }; - environment.systemPackages = - lib.optional cfg.chromium pkgs.chromium - ++ lib.optional cfg.element-desktop pkgs.element-desktop - ++ lib.optional cfg.firefox pkgs.firefox - ++ lib.optional cfg.gala-app pkgs.gala-app - ++ lib.optional cfg.zathura pkgs.zathura; }; } diff --git a/modules/desktop/graphics/fonts.nix b/modules/desktop/graphics/fonts.nix index 8db6814d8..fda3967d2 100644 --- a/modules/desktop/graphics/fonts.nix +++ b/modules/desktop/graphics/fonts.nix 
@@ -5,13 +5,12 @@ lib, config, ... -}: let - inherit (config.ghaf.graphics) weston labwc; -in { - config = lib.mkIf (weston.enable || labwc.enable) { - fonts.packages = with pkgs; [ - fira-code-nerdfont - hack-font - ]; +}: +let + inherit (config.ghaf.graphics) labwc; +in +{ + config = lib.mkIf labwc.enable { + fonts.packages = builtins.attrValues { inherit (pkgs) inter fira-code-nerdfont hack-font; }; }; } diff --git a/modules/desktop/graphics/ghaf-launcher.nix b/modules/desktop/graphics/ghaf-launcher.nix index c79b05b4c..c54996896 100644 --- a/modules/desktop/graphics/ghaf-launcher.nix +++ b/modules/desktop/graphics/ghaf-launcher.nix @@ -1,31 +1,35 @@ # Copyright 2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - writeShellScriptBin, - writeTextDir, - coreutils, - nwg-drawer, - ... -}: let - drawerCSS = writeTextDir "nwg-drawer/drawer.css" '' +{ pkgs, ... }: +let + drawerCSS = pkgs.writeTextDir "nwg-drawer/drawer.css" '' /* Example configuration from: https://github.com/nwg-piotr/nwg-drawer/blob/main/drawer.css */ window { - background-color: rgba (43, 48, 59, 0.95); - color: #eeeeee + background-color: rgba(32, 32, 32, 0.9); + color: #eeeeee; + border-radius: 7px; + border: 1px solid rgba(21, 36, 24, 0.3); + box-shadow: rgba(100, 100, 111, 0.2) 0px 7px 29px 0px; } /* search entry */ entry { - background-color: rgba (0, 0, 0, 0.2) + background-color: rgba (43, 43, 43, 1); + border: 1px solid rgba(46, 46, 46, 1); + } + entry:focus { + box-shadow: none; + border: 1px solid rgba(223, 92, 55, 1); } button, image { background: none; - border: none + border: none; + box-shadow: none; } button:hover { - background-color: rgba (255, 255, 255, 0.1) + background-color: rgba (255, 255, 255, 0.06) } /* in case you wanted to give category buttons a different look */ 
@@ -45,11 +49,22 @@ } ''; in - writeShellScriptBin - "ghaf-launcher" - '' - export XDG_CONFIG_HOME=${drawerCSS} - export XDG_CACHE_HOME=$HOME/.cache - ${coreutils}/bin/mkdir -p $XDG_CACHE_HOME - ${nwg-drawer}/bin/nwg-drawer - '' +pkgs.writeShellApplication { + name = "ghaf-launcher"; + runtimeInputs = [ + pkgs.coreutils + pkgs.nwg-drawer + ]; + bashOptions = [ ]; + text = '' + export XDG_CONFIG_HOME="$HOME/.config" + export XDG_CACHE_HOME="$HOME/.cache" + + # Temporary workaround + mkdir -p "$XDG_CACHE_HOME" "$XDG_CONFIG_HOME" + rm -rf "$HOME/.config/nwg-drawer" + ln -s "${drawerCSS}/nwg-drawer" "$HOME/.config/" + + nwg-drawer -r -c 5 -mb 60 -ml 440 -mr 440 -mt 420 -nofs -nocats -ovl + ''; +} diff --git a/modules/desktop/graphics/gnome.nix b/modules/desktop/graphics/gnome.nix deleted file mode 100644 index 0d564aee6..000000000 --- a/modules/desktop/graphics/gnome.nix +++ /dev/null @@ -1,45 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -# -# GNOME Desktop support -# -{ - lib, - pkgs, - config, - ... -}: let - cfg = config.ghaf.graphics.gnome; -in { - options.ghaf.graphics.gnome = { - enable = lib.mkEnableOption "gnome"; - }; - - config = lib.mkIf cfg.enable { - hardware.opengl = { - enable = true; - driSupport = true; - }; - - environment.noXlibs = false; - - services.xserver.enable = true; - services.xserver.displayManager.gdm = { - enable = true; - wayland = true; - }; - services.xserver.desktopManager.gnome.enable = true; - - environment.gnome.excludePackages = with pkgs; [ - gnome-tour - epiphany - evolution - evolutionWithPlugins - evolution-data-server - gnome.geary - gnome.gnome-music - gnome.gnome-contacts - gnome.cheese - ]; - }; -} diff --git a/modules/desktop/graphics/labwc.config.nix b/modules/desktop/graphics/labwc.config.nix new file mode 100644 index 000000000..df7cdf00c --- /dev/null +++ b/modules/desktop/graphics/labwc.config.nix 
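Review bot: `bashOptions = [ ]` switches off the `errexit`/`nounset`/`pipefail` defaults of `writeShellApplication`, so with `HOME` unset the script quietly runs `rm -rf "/.config/nwg-drawer"` and `ln -s … "/.config/"` instead of aborting, and a failed `mkdir` or `ln` is ignored before `nwg-drawer` starts. Since this is the `ExecStart` of a `Restart = "always"` user service, keep at least `bashOptions = [ "nounset" ];`, or guard the expansions with `: "''${HOME:?}"` ahead of the `rm -rf` if some later command is known to exit non-zero. The `# Temporary workaround` comment explains only the symlink dance; a second line saying why the shell defaults were dropped would save the next reader from re-enabling them blindly.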
@@ -0,0 +1,296 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + pkgs, + lib, + config, + ... +}: +let + cfg = config.ghaf.graphics.labwc; + + audio-ctrl = pkgs.callPackage ../../../packages/audio-ctrl { }; + gtklockStyle = pkgs.writeText "gtklock.css" '' + window { + background: rgba(29, 29, 29, 1); + color: #eee; + } + button { + box-shadow: none; + border-radius: 5px; + border: 1px solid rgba(255, 255, 255, 0.09); + background: rgba(255, 255, 255, 0.06); + } + entry { + background-color: rgba (43, 43, 43, 1); + border: 1px solid rgba(46, 46, 46, 1); + color: #eee; + } + entry:focus { + box-shadow: none; + border: 1px solid rgba(223, 92, 55, 1); + } + ''; + lockCmd = "${pkgs.gtklock}/bin/gtklock -s ${gtklockStyle}"; + + ghaf-launcher = pkgs.callPackage ./ghaf-launcher.nix { inherit config pkgs; }; + autostart = pkgs.writeShellApplication { + name = "labwc-autostart"; + + runtimeInputs = [ + pkgs.systemd + pkgs.dbus + ]; + + text = + '' + # Import environment variables to ensure it is available to user + # services + systemctl --user import-environment WAYLAND_DISPLAY + dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY XDG_CURRENT_DESKTOP + sleep 0.3 # make sure variables are set + systemctl --user reset-failed + systemctl --user stop ghaf-session.target + systemctl --user start ghaf-session.target + '' + + cfg.extraAutostart; + }; + rcXml = '' + + + 5 + + Ghaf + yes + + Inter + 12 + normal + bold + + + Inter + 12 + normal + bold + + + + + true + + + + + + + + + ${lib.optionalString config.ghaf.profiles.debug.enable '' + + + + ''} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ${ + lib.optionalString (!config.ghaf.profiles.debug.enable) '' + + '' + } + + + + ${ + lib.concatStringsSep "\n" ( + map (rule: '' + + '') cfg.frameColouring + ) + } + + + yes + + + ''; + + menuXml = '' + + + + + + + + + + + + + + + + + + ${lib.optionalString config.ghaf.profiles.debug.enable '' 
+ + + + ''} + + + ''; + + makoConfig = '' + font=Inter 12 + background-color=#202020e6 + progress-color=source #3D8252e6 + border-radius=5 + border-size=0 + padding=10 + default-timeout=10000 + ''; + + environment = '' + XCURSOR_THEME=breeze_cursors + + # Wayland compatibility + MOZ_ENABLE_WAYLAND=1 + ''; + + labwc-session = pkgs.writeShellApplication { + name = "labwc-session"; + + runtimeInputs = [ + pkgs.labwc + autostart + ]; + + text = "labwc -C /etc/labwc -s labwc-autostart"; + }; +in +{ + config = lib.mkIf cfg.enable { + environment.etc = { + "labwc/rc.xml".text = rcXml; + "labwc/menu.xml".text = menuXml; + "labwc/environment".text = environment; + + "mako/config".text = makoConfig; + + "greetd/environments".text = lib.mkAfter "${labwc-session}/bin/labwc-session\n"; + }; + + services.greetd.settings = { + initial_session = lib.mkIf (cfg.autologinUser != null) { + user = "ghaf"; + command = "${labwc-session}/bin/labwc-session"; + }; + }; + + systemd.user.services.ghaf-launcher = { + enable = true; + description = "Ghaf launcher daemon"; + serviceConfig = { + Type = "simple"; + ExecStart = "${ghaf-launcher}/bin/ghaf-launcher"; + Restart = "always"; + RestartSec = "1"; + }; + partOf = [ "ghaf-session.target" ]; + wantedBy = [ "ghaf-session.target" ]; + }; + + systemd.user.services.swaybg = { + enable = true; + description = "Wallpaper daemon"; + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.swaybg}/bin/swaybg -m fill -i ${cfg.wallpaper}"; + }; + partOf = [ "ghaf-session.target" ]; + wantedBy = [ "ghaf-session.target" ]; + }; + + systemd.user.services.mako = { + enable = true; + description = "Notification daemon"; + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.mako}/bin/mako -c /etc/mako/config"; + }; + partOf = [ "ghaf-session.target" ]; + wantedBy = [ "ghaf-session.target" ]; + }; + + systemd.user.services.lock-event = { + enable = true; + description = "Lock Event Handler"; + serviceConfig = { + Type = "simple"; + ExecStart = 
"${pkgs.swayidle}/bin/swayidle lock \"${lockCmd}\""; + }; + partOf = [ "ghaf-session.target" ]; + wantedBy = [ "ghaf-session.target" ]; + }; + + systemd.user.services.autolock = lib.mkIf cfg.autolock.enable { + enable = true; + description = "System autolock"; + serviceConfig = { + Type = "simple"; + ExecStart = '' + ${pkgs.swayidle}/bin/swayidle -w timeout ${builtins.toString cfg.autolock.duration} \ + '${pkgs.chayang}/bin/chayang && ${lockCmd}' + ''; + }; + partOf = [ "ghaf-session.target" ]; + wantedBy = [ "ghaf-session.target" ]; + }; + + ghaf.graphics.launchers = [ + { + name = "Lock"; + path = "${lockCmd}"; + icon = "${pkgs.icon-pack}/system-lock-screen.svg"; + } + { + name = "Log Out"; + path = "${pkgs.labwc}/bin/labwc --exit"; + icon = "${pkgs.icon-pack}/system-log-out.svg"; + } + ]; + }; +} diff --git a/modules/desktop/graphics/labwc.nix b/modules/desktop/graphics/labwc.nix index cd8d087d2..0876f9606 100644 --- a/modules/desktop/graphics/labwc.nix +++ b/modules/desktop/graphics/labwc.nix 
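Review bot: `initial_session` hard-codes `user = "ghaf";` while its guard is `cfg.autologinUser != null`, so a deployment that points `ghaf.graphics.labwc.autologinUser` at another account still auto-logs-in as `ghaf` (or fails if that account does not exist); it should read `user = cfg.autologinUser;`. Because `autologinUser` defaults to the default account, the gtkgreet screen is bypassed out of the box and the gtklock idle lock is the only credential check left on the desktop, which is worth stating at the `initial_session` line, e.g. `# Autologin skips gtkgreet entirely; set autologinUser = null to require a login.` The XML bodies of `rcXml` and `menuXml` are not readable in this view, so the keybindings and menu entries were not reviewed.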
@@ -5,101 +5,82 @@ pkgs, config, ... -}: let +}: +let cfg = config.ghaf.graphics.labwc; - autostart = - pkgs.writeScriptBin "labwc-autostart" '' - # Import WAYLAND_DISPLAY variable to make it available to waypipe and other systemd services - ${pkgs.systemd}/bin/systemctl --user import-environment WAYLAND_DISPLAY 2>&1 & - - # Set the wallpaper. - ${pkgs.swaybg}/bin/swaybg -m fill -i ${cfg.wallpaper} >/dev/null 2>&1 & - - # Configure output directives such as mode, position, scale and transform. - ${pkgs.kanshi}/bin/kanshi >/dev/null 2>&1 & - - # Launch the top task bar. - ${pkgs.waybar}/bin/waybar -s /etc/waybar/style.css -c /etc/waybar/config >/dev/null 2>&1 & - - # Enable notifications. - ${pkgs.mako}/bin/mako >/dev/null 2>&1 & - - ${lib.optionalString cfg.lock.enable '' - # Lock screen after 5 minutes - ${pkgs.swayidle}/bin/swayidle -w timeout 300 \ - '${pkgs.swaylock-effects}/bin/swaylock -f -c 000000 \ - --clock --indicator --indicator-radius 150 --inside-ver-color 5ac379' & - ''} - '' - + cfg.extraAutostart; - rcXml = '' - - - 10 - - - - - - ${lib.concatStringsSep "\n" (map (rule: '' - - '') - cfg.frameColouring)} - - - ''; - - menuXml = '' - - - - - - - - - - - - - - - - - - - - - ''; - launchers = pkgs.callPackage ./launchers.nix {inherit config;}; -in { +in +{ options.ghaf.graphics.labwc = { enable = lib.mkEnableOption "labwc"; - lock.enable = lib.mkEnableOption "labwc screen locking"; + autolock = { + enable = lib.mkOption { + type = lib.types.bool; + default = true; + description = "Whether to enable screen autolocking."; + }; + duration = lib.mkOption { + type = lib.types.int; + default = 300; + description = "Timeout for screen autolock in seconds."; + }; + }; + autologinUser = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = config.ghaf.users.accounts.user; + description = '' + Username of the account that will be automatically logged in to the desktop. + If unspecified, the login manager is shown as usual. 
+ ''; + }; wallpaper = lib.mkOption { type = lib.types.path; - default = ../../../assets/wallpaper.png; + default = "${pkgs.ghaf-artwork}/ghaf-wallpaper.png"; description = "Path to the wallpaper image"; }; frameColouring = lib.mkOption { - type = lib.types.listOf (lib.types.submodule { - options = { - identifier = lib.mkOption { - type = lib.types.str; - example = "foot"; - description = "Identifier of the application"; - }; - colour = lib.mkOption { - type = lib.types.str; - example = "#00ffff"; - description = "Colour of the window frame"; + type = lib.types.listOf ( + lib.types.submodule { + options = { + identifier = lib.mkOption { + type = lib.types.str; + example = "foot"; + description = "Identifier of the application"; + }; + colour = lib.mkOption { + type = lib.types.str; + example = "#006305"; + description = "Colour of the window frame"; + }; }; - }; - }); + } + ); default = [ { identifier = "foot"; - colour = "#00ffff"; + colour = "#006305"; + } + # TODO these should reference the VM and not the application that is + # relayed through waypipe. Ideally this would match using metadata + # through Wayland security context. + { + identifier = "dev.scpp.saca.gala"; + colour = "#027d7b"; + } + { + identifier = "chromium-browser"; + colour = "#630505"; + } + { + identifier = "org.pwmt.zathura"; + colour = "#122263"; + } + { + identifier = "Element"; + colour = "#337aff"; + } + { + identifier = "AppFlowy"; + colour = "#4c3f7a"; } ]; description = "List of applications and their frame colours"; 
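Review bot: The `autologinUser` description says "If unspecified, the login manager is shown as usual", but the option defaults to `config.ghaf.users.accounts.user`, so leaving it unspecified enables autologin and the login manager only appears when the option is explicitly set to `null`; reword it to `Set to null to disable autologin and show the login manager.` The `frameColouring` defaults match on Wayland app IDs relayed through waypipe, and as the TODO in the same list notes any VM can present any app ID, so the coloured frame is a usability hint rather than a trust indicator until the Wayland security context is wired in — say that in the option description, e.g. `Frame colours are matched on client-supplied app IDs and must not be relied on as a security boundary.`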
@@ -112,63 +93,41 @@ in { }; config = lib.mkIf cfg.enable { - ghaf.graphics.window-manager-common.enable = true; + ghaf.graphics.login-manager.enable = true; - environment.systemPackages = with pkgs; - [labwc launchers] - # Below sway packages needed for screen locking - ++ lib.optionals config.ghaf.graphics.labwc.lock.enable [swaylock-effects swayidle] - # Grim screenshot tool is used for labwc debug-builds - ++ lib.optionals config.ghaf.profiles.debug.enable [grim]; + environment.systemPackages = + [ + pkgs.labwc + pkgs.ghaf-theme + pkgs.adwaita-icon-theme - # It will create /etc/pam.d/swaylock file for authentication - security.pam.services = lib.mkIf config.ghaf.graphics.labwc.lock.enable {swaylock = {};}; + (import ./launchers.nix { inherit pkgs config; }) + ] + # Grim screenshot tool is used for labwc debug-builds + ++ lib.optionals config.ghaf.profiles.debug.enable [ pkgs.grim ]; - environment.etc = { - "labwc/rc.xml".text = rcXml; - "labwc/menu.xml".text = menuXml; - "labwc/themerc".source = "${pkgs.labwc}/share/doc/labwc/themerc"; - }; + # It will create a /etc/pam.d/ file for authentication + security.pam.services.gtklock = { }; - # Next 2 services/targets are taken from official weston documentation - # and adjusted for labwc - # https://wayland.pages.freedesktop.org/weston/toc/running-weston.html - systemd.user.services."labwc" = { + systemd.user.targets.ghaf-session = { enable = true; - description = "labwc, a Wayland compositor, as a user service TEST"; - documentation = ["man:labwc(1)"]; - after = ["ghaf-session.service"]; - serviceConfig = { - # Previously there was "notify" type, but for some reason - # systemd kills labwc.service because of timeout (even if it is disabled). - # "simple" works pretty well, so let's leave it. 
- Type = "simple"; - #TimeoutStartSec = "60"; - #WatchdogSec = "20"; - # Defaults to journal - StandardOutput = "journal"; - StandardError = "journal"; - ExecStart = "${pkgs.labwc}/bin/labwc -C /etc/labwc -s ${autostart}/bin/labwc-autostart"; - #GPU pt needs some time to start - labwc fails to restart 3 times in avg. - ExecStartPre = "${pkgs.coreutils}/bin/sleep 3"; - Restart = "on-failure"; - RestartSec = "1"; - - # Ivan N: adding openssh into the PATH since it is needed for waypipe to work - Environment = "PATH=${pkgs.openssh}/bin:$PATH"; + description = "Ghaf labwc session"; + unitConfig = { + BindsTo = [ "graphical-session.target" ]; + After = [ "graphical-session-pre.target" ]; + Wants = [ "graphical-session-pre.target" ]; }; - environment = { - WLR_RENDERER = "pixman"; - # See: https://github.com/labwc/labwc/blob/0.6.5/docs/environment - XKB_DEFAULT_LAYOUT = "us,fi"; - XKB_DEFAULT_OPTIONS = "XKB_DEFAULT_OPTIONS=grp:alt_shift_toggle"; - XDG_CURRENT_DESKTOP = "wlroots"; - MOZ_ENABLE_WAYLAND = "1"; - XCURSOR_THEME = "breeze_cursors"; - WLR_NO_HARDWARE_CURSORS = "1"; - _JAVA_AWT_WM_NONREPARENTING = "1"; - }; - wantedBy = ["default.target"]; }; + + services.upower.enable = true; + fonts.fontconfig.defaultFonts.sansSerif = [ "Inter" ]; + + ghaf.graphics.launchers = lib.mkIf config.ghaf.profiles.debug.enable [ + { + name = "Terminal"; + path = "${pkgs.foot}/bin/foot"; + icon = "${pkgs.icon-pack}/utilities-terminal.svg"; + } + ]; }; } diff --git a/modules/desktop/graphics/launchers.nix b/modules/desktop/graphics/launchers.nix index 29133918c..dd61d8423 100644 --- a/modules/desktop/graphics/launchers.nix +++ b/modules/desktop/graphics/launchers.nix 
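Review bot: The `Terminal` launcher added under `lib.mkIf config.ghaf.profiles.debug.enable` does not actually gate anything, because `waybar.config.nix` (unchanged context elsewhere in this patch) pushes an identical `Terminal`/`${pkgs.foot}/bin/foot` entry into `ghaf.graphics.launchers` unconditionally whenever labwc is enabled, so release images still get a host terminal in the drawer and debug builds get it twice. If the intent is debug-only, the unconditional entry in waybar.config.nix is the one to delete and this one should carry a comment such as `# Host terminal: debug builds only`. Separately, the removed labwc user service exported `PATH=${pkgs.openssh}/bin:$PATH` for waypipe and set `WLR_RENDERER`, `WLR_NO_HARDWARE_CURSORS` and `XKB_DEFAULT_LAYOUT`; the new `/etc/labwc/environment` file in this patch only sets `XCURSOR_THEME` and `MOZ_ENABLE_WAYLAND`, so unless these moved somewhere not visible here they are lost.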
@@ -1,30 +1,27 @@ # Copyright 2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - pkgs, - config, - makeDesktopItem, - ... -}: let - toDesktop = elem: - (makeDesktopItem { +{ pkgs, config, ... }: +let + toDesktop = + elem: + (pkgs.makeDesktopItem { inherit (elem) name icon; genericName = elem.name; desktopName = elem.name; comment = "Secured Ghaf Application"; exec = elem.path; - }) - .overrideAttrs (prevAttrs: { - checkPhase = - prevAttrs.checkPhase - + '' + }).overrideAttrs + (prevAttrs: { + checkPhase = + prevAttrs.checkPhase + + '' - # Check that the icon's path exists - [[ -f "${elem.icon}" ]] || (echo "The icon's path ${elem.icon} doesn't exist" && exit 1) - ''; - }); + # Check that the icon's path exists + [[ -f "${elem.icon}" ]] || (echo "The icon's path ${elem.icon} doesn't exist" && exit 1) + ''; + }); in - pkgs.symlinkJoin { - name = "ghaf-desktop-entries"; - paths = map toDesktop config.ghaf.graphics.launchers; - } +pkgs.symlinkJoin { + name = "ghaf-desktop-entries"; + paths = map toDesktop config.ghaf.graphics.launchers; +} diff --git a/modules/desktop/graphics/login-manager.nix b/modules/desktop/graphics/login-manager.nix new file mode 100644 index 000000000..3b885ff7a --- /dev/null +++ b/modules/desktop/graphics/login-manager.nix 
@@ -0,0 +1,74 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + lib, + pkgs, + config, + ... +}: +let + cfg = config.ghaf.graphics.login-manager; + gtkgreetStyle = pkgs.writeText "gtkgreet.css" '' + window { + background: rgba(29, 29, 29, 1); + color: #eee; + } + button { + box-shadow: none; + border-radius: 5px; + border: 1px solid rgba(255, 255, 255, 0.09); + background: rgba(255, 255, 255, 0.06); + } + entry { + background-color: rgba (43, 43, 43, 1); + border: 1px solid rgba(46, 46, 46, 1); + color: #eee; + } + entry:focus { + box-shadow: none; + border: 1px solid rgba(223, 92, 55, 1); + } + ''; +in +{ + options.ghaf.graphics.login-manager = { + enable = lib.mkEnableOption "login manager using greetd"; + }; + + config = lib.mkIf cfg.enable { + services.greetd = { + enable = true; + settings = { + default_session = + let + greeter-autostart = pkgs.writeShellApplication { + name = "greeter-autostart"; + runtimeInputs = [ + pkgs.greetd.gtkgreet + pkgs.wayland-logout + ]; + text = '' + gtkgreet -l -s ${gtkgreetStyle} + wayland-logout + ''; + }; + in + { + command = "${pkgs.labwc}/bin/labwc -C /etc/labwc -s ${greeter-autostart}/bin/greeter-autostart"; + }; + }; + }; + + services.seatd = { + enable = true; + group = "video"; + }; + + users.users.greeter.extraGroups = [ "video" ]; + + #Allow video group to change brightness + services.udev.extraRules = '' + ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video $sys$devpath/brightness", RUN+="${pkgs.coreutils}/bin/chmod a+w $sys$devpath/brightness" + ''; + }; +} diff --git a/modules/desktop/graphics/waybar.config.nix b/modules/desktop/graphics/waybar.config.nix index 16e7117c9..d9e9e33ad 100644 --- a/modules/desktop/graphics/waybar.config.nix +++ b/modules/desktop/graphics/waybar.config.nix 
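Review bot: The udev rule ends with `chmod a+w $sys$devpath/brightness`, which makes the backlight control world-writable and contradicts both the comment `#Allow video group to change brightness` and the preceding `chgrp video`; `chmod g+w` is what the comment describes, i.e. `RUN+="${pkgs.coreutils}/bin/chmod g+w $sys$devpath/brightness"`. If some component outside the `video` group genuinely needs brightness control, that should be stated in the comment and solved by group membership rather than by `a+w`. The greeter user is also added to `video` via `users.users.greeter.extraGroups`, so the greeter session already has the access the rule is meant to grant.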
@@ -5,32 +5,29 @@ lib, config, ... -}: let +}: +let cfg = config.ghaf.graphics.labwc; - networkDevice = config.ghaf.hardware.definition.network.pciDevices; + inherit (config.ghaf.hardware.definition.network) pciDevices; + inherit (import ../../../lib/icons.nix { inherit pkgs lib; }) svgToPNG; - ghaf-icon = pkgs.runCommand "ghaf-icon-24x24" {} '' - mkdir -p $out/share/icons/hicolor/24x24/apps - ${pkgs.buildPackages.imagemagick}/bin/convert \ - ${../../../assets/ghaf-logo.png} \ - -resize 24x24 \ - $out/share/icons/hicolor/24x24/apps/ghaf-icon-24x24.png - ''; + launchpad-icon = svgToPNG "launchpad" "${pkgs.ghaf-artwork}/icons/launchpad.svg" "38x38"; + admin-icon = svgToPNG "admin" "${pkgs.ghaf-artwork}/icons/admin-cog.svg" "24x24"; + ghaf-icon = svgToPNG "ghaf-white" "${pkgs.ghaf-artwork}/icons/ghaf-white.svg" "24x24"; - wifiDevice = lib.lists.findFirst (d: d.name != null) null networkDevice; - wifi-signal-strength = pkgs.callPackage ../../../packages/wifi-signal-strength {wifiDevice = wifiDevice.name;}; - ghaf-launcher = pkgs.callPackage ./ghaf-launcher.nix {inherit config pkgs;}; - timeZone = - if config.time.timeZone != null - then config.time.timeZone - else "UTC"; -in { + wifiDevice = lib.lists.findFirst (d: d.name != null) null pciDevices; + wifi-signal-strength = pkgs.callPackage ../../../packages/wifi-signal-strength { + wifiDevice = wifiDevice.name; + }; + timeZone = if config.time.timeZone != null then config.time.timeZone else "UTC"; +in +{ config = lib.mkIf cfg.enable { ghaf.graphics.launchers = [ { name = "Terminal"; path = "${pkgs.foot}/bin/foot"; - icon = "${pkgs.foot}/share/icons/hicolor/48x48/apps/foot.png"; + icon = "${pkgs.icon-pack}/utilities-terminal.svg"; } ]; environment.etc."waybar/config" = { 
@@ -38,11 +35,18 @@ in { # Modified from default waybar configuration file https://github.com/Alexays/Waybar/blob/master/resources/config '' { - "height": 30, // Waybar height (to be removed for auto height) + "height": 48, // Waybar height "spacing": 4, // Gaps between modules (4px) - "modules-left": ["custom/launcher"], + "modules-left": ["custom/launchpad", "custom/ghaf-settings"], "modules-center": ["sway/window"], - "modules-right": ["pulseaudio", "custom/network1", "backlight", "battery", "clock", "tray"], + "position": "bottom", + "mode": "dock", + "spacing": 4, + "margin-top": 3, + "margin-bottom": 5, + "margin-left": 200, + "margin-right": 200, + "modules-right": ["pulseaudio", "custom/network1", "battery", "custom/admin", "clock", "tray"], "keyboard-state": { "numlock": true, "capslock": true, @@ -59,9 +63,7 @@ in { "clock": { "timezone": "${timeZone}", "tooltip-format": "{:%d %b %Y}\n{calendar}", - // should be "{:%a %-d %b %-I:%M %#p}" - // see github.com/Alexays/Waybar/issues/1469 - "format": "{:%a %d %b %I:%M %p}" + "format": "{:%a %d %b %H:%M}" }, "backlight": { // "device": "acpi_video1", @@ -91,9 +93,20 @@ in { }, '' + '' - "custom/launcher": { + "custom/launchpad": { + "format": " ", + "on-click": "${pkgs.procps}/bin/pkill -USR1 nwg-drawer", + "tooltip": false + }, + "custom/ghaf-settings": { + "format": " ", + // Placeholder for the actual Ghaf settings app + "on-click": "${pkgs.libnotify}/bin/notify-send 'Ghaf Platform ${lib.strings.fileContents ../../../.version}'", + "tooltip": false + }, + "custom/admin": { "format": " ", - "on-click": "${ghaf-launcher}/bin/ghaf-launcher", + "on-click": "${pkgs.nm-launcher}/bin/nm-launcher", "tooltip": false }, "pulseaudio": { 
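Review bot: In the `custom/ghaf-settings` module, `"on-click": "${pkgs.libnotify}/bin/notify-send 'Ghaf Platform ${lib.strings.fileContents ../../../.version}'"` splices the raw contents of `.version` into a shell command embedded in a JSON string at build time, so a single quote, backslash or double quote in that file breaks the quoting (and waybar's config parse) instead of being treated as data. Bind the value once and pass it through `lib.escapeShellArg`, e.g. `notify-send ${lib.escapeShellArg "Ghaf Platform ${lib.strings.fileContents ../../../.version}"}`, bearing in mind the result still has to be JSON-escaped because it sits inside the waybar config. The `custom/admin` module launches `${pkgs.nm-launcher}/bin/nm-launcher` for every desktop user unconditionally; if network settings are meant to be an admin-only surface, as the module name suggests, that entry should be gated like the other debug/admin items rather than always present.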
@@ -119,13 +132,14 @@ in { # Modified from default waybar style file https://github.com/Alexays/Waybar/blob/master/resources/style.css '' * { - font-family: FontAwesome, Inter, Roboto, sans-serif; - font-size: 14px; + font-family: FontAwesome, Inter, sans-serif; + font-size: 16px; + border: none; + border-radius: 5px; } window#waybar { - background-color: rgba(43, 48, 59, 0.5); - border-bottom: 3px solid rgba(100, 114, 125, 0.5); + background-color: rgba(32, 32, 32, 0.9); color: #ffffff; transition-property: background-color; transition-duration: .5s; @@ -166,24 +180,22 @@ in { } #workspaces button.focused { - background-color: #64727D; box-shadow: inset 0 -3px #ffffff; } - #workspaces button.urgent { - background-color: #eb4d4b; - } #clock, #battery, #backlight, #custom-network1, - #custom-launcher, + #custom-launchpad, + #custom-ghaf-settings, + #custom-admin, #pulseaudio, #tray, #window, #workspaces { - margin: 0 4px; + padding: 0 20px; } .modules-left > widget:first-child > #workspaces { 
@@ -194,112 +206,43 @@ in { margin-right: 0; } + #pulseaudio, + #custom-network1, + #backlight, + #battery, #clock { - background-color: #64727D; - padding-left: 10; - padding-right: 10; - } - - #battery { - background-color: #ffffff; - color: #000000; padding-left: 10; padding-right: 10; } - #battery.charging, #battery.plugged { - color: #ffffff; - background-color: #26A65B; - } - - @keyframes blink { - to { - background-color: #ffffff; - color: #000000; - } - } - - #battery.critical:not(.charging) { - background-color: #f53c3c; - color: #ffffff; - animation-name: blink; - animation-duration: 0.5s; - animation-timing-function: linear; - animation-iteration-count: infinite; - animation-direction: alternate; - } - label:focus { background-color: #000000; } - #backlight { - background-color: #90b1b1; - padding-left: 10; - padding-right: 10; - } - - #custom-network1 { - background-color: #2980b9; - min-width: 16px; - padding-left: 10; - padding-right: 10; - } - - #custom-network1.disconnected { - background-color: #f53c3c; - } - - #pulseaudio { - background-color: #f1c40f; - color: #000000; - padding-left: 10; - padding-right: 10; - } - - #pulseaudio.muted { - background-color: #90b1b1; - color: #2a5c45; - } - - #tray { - background-color: #2980b9; - } - #tray > .passive { -gtk-icon-effect: dim; } - #tray > .needs-attention { - -gtk-icon-effect: highlight; - background-color: #eb4d4b; - } - - #language { - background: #00b093; - color: #740864; - padding: 0 5px; - margin: 0 5px; - min-width: 16px; - } - - #keyboard-state { - background: #97e1ad; - color: #000000; - padding: 0 0px; - margin: 0 5px; - min-width: 16px; + #custom-launchpad { + font-size: 20px; + background-image: url("${launchpad-icon}"); + background-position: center; + background-repeat: no-repeat; + margin-left: 13px; } - #keyboard-state > label { - padding: 0 5px; + #custom-ghaf-settings { + font-size: 20px; + background-image: url("${ghaf-icon}"); + background-position: center; + background-repeat: 
no-repeat; + padding-left: 10; + padding-right: 10; } - #keyboard-state > label.locked { - background: rgba(0, 0, 0, 0.2); - } - #custom-launcher { - font-size: 20px; background-image: url("${ghaf-icon}/share/icons/hicolor/24x24/apps/ghaf-icon-24x24.png"); + #custom-admin { + font-size: 20px; + background-image: url("${admin-icon}"); background-position: center; background-repeat: no-repeat; padding-left: 10; @@ -310,5 +253,16 @@ in { # The UNIX file mode bits mode = "0644"; }; + + systemd.user.services.waybar = { + enable = true; + description = "waybar menu"; + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.waybar}/bin/waybar -s /etc/waybar/style.css -c /etc/waybar/config"; + }; + partOf = [ "ghaf-session.target" ]; + wantedBy = [ "ghaf-session.target" ]; + }; }; } diff --git a/modules/desktop/graphics/weston.ini.nix b/modules/desktop/graphics/weston.ini.nix deleted file mode 100644 index 144752c92..000000000 --- a/modules/desktop/graphics/weston.ini.nix +++ /dev/null 
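Review bot: The new `systemd.user.services.waybar` unit sets no `Restart=`, while the sibling `ghaf-launcher` unit in labwc.config.nix uses `Restart = "always"`, and the panel is now the only path to the drawer (its `custom/launchpad` module sends `pkill -USR1 nwg-drawer`), so a waybar crash leaves the user without a launcher until re-login. Adding `Restart = "on-failure"; RestartSec = "1";` under `serviceConfig` would match the neighbouring units and keep the session usable.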
@@ -1,72 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -{ - pkgs, - lib, - config, - ... -}: let - cfg = config.ghaf.graphics.weston; - mkLauncher = { - # Add the name field to unify with Labwc launchers - name, - path, - icon, - }: '' - [launcher] - name=${name} - path=${path} - icon=${icon} - - ''; - - /* - Generate launchers to be used in weston.ini - - Type: mkLaunchers :: [{path, icon}] -> string - - */ - mkLaunchers = lib.concatMapStrings mkLauncher; - - defaultLauncher = [ - # Keep weston-terminal launcher always enabled explicitly since if someone adds - # a launcher on the panel, the launcher will replace weston-terminal launcher. - { - name = "terminal"; - path = "${pkgs.weston}/bin/weston-terminal"; - icon = "${pkgs.weston}/share/weston/icon_terminal.png"; - } - ]; -in { - config = lib.mkIf cfg.enable { - ghaf.graphics.launchers = defaultLauncher; - environment.etc."xdg/weston/weston.ini" = { - text = - '' - # Disable screen locking - [core] - idle-time=0 - - [shell] - locking=false - background-image=${../../../assets/wallpaper.png} - background-type=scale-crop - num-workspaces=2 - - # Set the keyboard layout for weston to US by default - [keyboard] - keymap_layout=us,fi - - # Enable Hack font for weston-terminal - [terminal] - font=Hack - font-size=16 - - '' - + mkLaunchers config.ghaf.graphics.launchers; - - # The UNIX file mode bits - mode = "0644"; - }; - }; -} diff --git a/modules/desktop/graphics/weston.nix b/modules/desktop/graphics/weston.nix deleted file mode 100644 index 85a95bab8..000000000 --- a/modules/desktop/graphics/weston.nix +++ /dev/null 
@@ -1,73 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -{ - lib, - pkgs, - config, - ... -}: let - cfg = config.ghaf.graphics.weston; - waylandSocket = "wayland-1"; -in { - options.ghaf.graphics.weston = { - enable = lib.mkEnableOption "weston"; - }; - - config = lib.mkIf cfg.enable { - ghaf.graphics.window-manager-common.enable = true; - - environment.systemPackages = with pkgs; [ - weston - ]; - - # Next 2 services/targets are taken from official weston documentation: - # https://wayland.pages.freedesktop.org/weston/toc/running-weston.html - - # Weston socket - systemd.user.sockets."weston" = { - unitConfig = { - Description = "Weston, a Wayland compositor"; - Documentation = "man:weston(1) man:weston.ini(5)"; - }; - socketConfig = { - ListenStream = "%t/${waylandSocket}"; - }; - wantedBy = ["weston.service"]; - }; - - # Weston service - systemd.user.services."weston" = { - enable = true; - description = "Weston, a Wayland compositor, as a user service TEST"; - documentation = ["man:weston(1) man:weston.ini(5)" "https://wayland.freedesktop.org/"]; - requires = ["weston.socket"]; - after = ["weston.socket" "ghaf-session.service"]; - serviceConfig = { - Type = "notify"; - #TimeoutStartSec = "60"; - #WatchdogSec = "20"; - # Defaults to journal - StandardOutput = "journal"; - StandardError = "journal"; - ExecStart = "${pkgs.weston}/bin/weston --modules=systemd-notify.so"; - #GPU pt needs some time to start - weston fails to restart 3 times in avg. 
- ExecStartPre = "${pkgs.coreutils}/bin/sleep 3"; - # Set WAYLAND_DISPLAY variable to make it available to waypipe and other systemd services - ExecStartPost = "${pkgs.systemd}/bin/systemctl --user set-environment WAYLAND_DISPLAY=${waylandSocket}"; - Restart = "on-failure"; - RestartSec = "1"; - # Ivan N: I do not know if this is bug or feature of NixOS, but - # when I add weston.ini file to environment.etc, the file ends up in - # /etc/xdg directory on the filesystem, while NixOS uses - # /run/current-system/sw/etc/xdg directory and goes into same directory - # searching for weston.ini even if /etc/xdg is already in XDG_CONFIG_DIRS - # The solution is to add /etc/xdg one more time for weston service. - # It does not affect on system-wide XDG_CONFIG_DIRS variable. - # - # Ivan N: adding openssh into the PATH since it is needed for waypipe to work - Environment = "XDG_CONFIG_DIRS=$XDG_CONFIG_DIRS:/etc/xdg PATH=${pkgs.openssh}/bin:$PATH"; - }; - wantedBy = ["default.target"]; - }; - }; -} diff --git a/modules/desktop/graphics/window-manager.nix b/modules/desktop/graphics/window-manager.nix deleted file mode 100644 index 3249b553f..000000000 --- a/modules/desktop/graphics/window-manager.nix +++ /dev/null 
@@ -1,100 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -{ - lib, - pkgs, - config, - ... -}: let - cfg = config.ghaf.graphics.window-manager-common; -in { - options.ghaf.graphics.window-manager-common = with lib; { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Common parts for every wlroots-based window manager/compositor. - ''; - }; - }; - - config = lib.mkIf cfg.enable { - hardware.opengl = { - enable = true; - driSupport = true; - }; - - environment.noXlibs = false; - - environment.systemPackages = with pkgs; [ - # Seatd is needed to manage log-in process for wayland sessions - seatd - ]; - - # Next services/targets are taken from official weston documentation: - # https://wayland.pages.freedesktop.org/weston/toc/running-weston.html - - systemd.user.targets."ghaf-session" = { - description = "Ghaf graphical session"; - bindsTo = ["ghaf-session.target"]; - before = ["ghaf-session.target"]; - }; - - systemd.services."ghaf-session" = { - description = "Ghaf graphical session"; - - # Make sure we are started after logins are permitted. - after = ["systemd-user-sessions.service"]; - - # if you want you can make it part of the graphical session - #Before=graphical.target - - # not necessary but just in case - #ConditionPathExists=/dev/tty7 - - serviceConfig = { - Type = "simple"; - Environment = "XDG_SESSION_TYPE=wayland"; - ExecStart = "${pkgs.systemd}/bin/systemctl --wait --user start ghaf-session.target"; - - # The user to run the session as. Pick one! - User = config.ghaf.users.accounts.user; - Group = config.ghaf.users.accounts.user; - - # Set up a full user session for the user, required by desktop environment. - PAMName = "${pkgs.shadow}/bin/login"; - - # A virtual terminal is needed. - TTYPath = "/dev/tty7"; - TTYReset = "yes"; - TTYVHangup = "yes"; - TTYVTDisallocate = "yes"; - - # Try to grab tty . 
- StandardInput = "tty-force"; - - # Defaults to journal, in case it doesn't adjust it accordingly - #StandardOutput=journal - StandardError = "journal"; - - # Log this user with utmp, letting it show up with commands 'w' and 'who'. - UtmpIdentifier = "tty7"; - UtmpMode = "user"; - }; - wantedBy = ["multi-user.target"]; - }; - - # systemd service for seatd - systemd.services."seatd" = { - description = "Seat management daemon"; - documentation = ["man:seatd(1)"]; - serviceConfig = { - Type = "simple"; - ExecStart = "${pkgs.seatd}/bin/seatd -g video"; - Restart = "always"; - RestartSec = "1"; - }; - wantedBy = ["multi-user.target"]; - }; - }; -} diff --git a/modules/desktop/profiles/applications.nix b/modules/desktop/profiles/applications.nix index c891708cc..4bd6628c0 100644 --- a/modules/desktop/profiles/applications.nix +++ b/modules/desktop/profiles/applications.nix @@ -1,26 +1,22 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 # -{ - config, - lib, - ... -}: let +{ config, lib, ... }: +let cfg = config.ghaf.profiles.applications; in - with lib; { - options.ghaf.profiles.applications = { - enable = mkEnableOption "Some sample applications"; - #TODO Create options to allow enabling individual apps - #weston.ini.nix mods needed - }; +{ + options.ghaf.profiles.applications = { + enable = lib.mkEnableOption "Some sample applications"; + #TODO Create options to allow enabling individual apps + }; - config = mkIf cfg.enable { - # TODO: Needs more generic support for defining application launchers - # across different window managers. - ghaf = { - profiles.graphics.enable = true; - graphics.enableDemoApplications = true; - }; + config = lib.mkIf cfg.enable { + # TODO: Needs more generic support for defining application launchers + # across different window managers. + ghaf = { + profiles.graphics.enable = true; + graphics.enableDemoApplications = true; }; - } + }; +} 
diff --git a/modules/desktop/profiles/graphics.nix b/modules/desktop/profiles/graphics.nix index afbdb9929..426a908b7 100644 --- a/modules/desktop/profiles/graphics.nix +++ b/modules/desktop/profiles/graphics.nix 
@@ -4,52 +4,93 @@ { config, lib, + pkgs, ... -}: let +}: +let cfg = config.ghaf.profiles.graphics; - compositors = ["weston" "gnome" "labwc"]; + compositors = [ "labwc" ]; + renderers = [ + "vulkan" + "pixman" + "gles2" + ]; + ghaf-open = pkgs.callPackage ../../../packages/ghaf-open { }; + + inherit (lib) + mkEnableOption + mkOption + types + mkIf + ; in - with lib; { - options.ghaf.profiles.graphics = { - enable = mkEnableOption "Graphics profile"; - compositor = mkOption { - type = types.enum compositors; - default = "weston"; - description = '' - Which Wayland compositor to use. +{ + options.ghaf.profiles.graphics = { + enable = mkEnableOption "Graphics profile"; + compositor = mkOption { + type = types.enum compositors; + default = "labwc"; + description = '' + Which Wayland compositor to use. + + Choose one of: ${lib.concatStringsSep "," compositors} + ''; + }; + renderer = lib.mkOption { + type = lib.types.enum renderers; + default = "pixman"; + description = '' + Which wlroots renderer to use. 
- Choose one of: ${lib.concatStringsSep "," compositors} - ''; - }; + Choose one of: ${lib.concatStringsSep "," renderers} + ''; }; + }; - options.ghaf.graphics = with lib; { - launchers = mkOption { - description = "Labwc application launchers to show in launch bar"; - default = []; - type = with types; - listOf - (submodule { - options.name = mkOption { + options.ghaf.graphics = { + launchers = mkOption { + description = "Labwc application launchers to show in launch bar"; + default = [ ]; + type = types.listOf ( + types.submodule { + options = { + name = mkOption { description = "Name of the application"; - type = str; + type = types.str; }; - options.path = mkOption { + path = mkOption { description = "Path to the executable to be launched"; - type = path; + type = types.path; }; - options.icon = mkOption { + icon = mkOption { description = "Path of the icon"; - type = path; + type = types.path; }; - }); - }; - enableDemoApplications = mkEnableOption "some applications for demoing"; + }; + } + ); }; + enableDemoApplications = mkEnableOption "some applications for demoing"; + }; + + config = mkIf cfg.enable { + hardware.graphics.enable = true; + environment.noXlibs = false; + environment.sessionVariables = { + WLR_RENDERER = cfg.renderer; + XDG_SESSION_TYPE = "wayland"; + WLR_NO_HARDWARE_CURSORS = 1; + XKB_DEFAULT_LAYOUT = "us,ara,fi"; + XKB_DEFAULT_OPTIONS = "grp:alt_shift_toggle"; + # Set by default in labwc, but possibly not in other compositors + XDG_CURRENT_DESKTOP = "wlroots"; + _JAVA_AWT_WM_NONREPARENTING = 1; + }; + + environment.systemPackages = lib.optionals config.ghaf.profiles.debug.enable [ ghaf-open ]; - config = mkIf cfg.enable { - ghaf.graphics.weston.enable = cfg.compositor == "weston"; - ghaf.graphics.gnome.enable = cfg.compositor == "gnome"; - ghaf.graphics.labwc.enable = cfg.compositor == "labwc"; + ghaf.graphics = { + labwc.enable = cfg.compositor == "labwc"; }; - } + }; +} 
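Review bot: The new `renderer` option is written as `lib.mkOption { type = lib.types.enum renderers; … }` while the sibling `compositor` option right above it uses the `mkOption`/`types` names this hunk newly inherits from `lib`; pick one form for both, e.g. `renderer = mkOption { type = types.enum renderers; …`. The session variables block also bakes in `XKB_DEFAULT_LAYOUT = "us,ara,fi"` and `XKB_DEFAULT_OPTIONS = "grp:alt_shift_toggle"`, which are deployment preferences rather than graphics-profile invariants; a comment such as `# Keyboard layouts are fixed here; candidate for a ghaf option` would at least mark that as intentional. `ghaf-open` is only added to `systemPackages` under `ghaf.profiles.debug.enable`, which is worth a one-line comment since nothing else in the file says why it is debug-only.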
diff --git a/modules/desktop/windows-launcher/default.nix b/modules/desktop/windows-launcher/default.nix deleted file mode 100644 index 4f113aa5d..000000000 --- a/modules/desktop/windows-launcher/default.nix +++ /dev/null @@ -1,42 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -{ - lib, - pkgs, - config, - ... -}: let - cfg = config.ghaf.windows-launcher; - windows-launcher = pkgs.callPackage ../../../packages/windows-launcher {enableSpice = cfg.spice;}; -in { - options.ghaf.windows-launcher = { - enable = lib.mkEnableOption "Windows launcher"; - }; - - options.ghaf.windows-launcher.spice = lib.mkEnableOption "remote access to the virtual machine using spice"; - - options.ghaf.windows-launcher.spice-port = lib.mkOption { - description = "Spice port"; - type = lib.types.int; - default = 5900; - }; - - options.ghaf.windows-launcher.spice-host = lib.mkOption { - description = "Spice host"; - type = lib.types.str; - default = "192.168.101.2"; - }; - - config = lib.mkIf cfg.enable { - ghaf.graphics.launchers = lib.mkIf (!cfg.spice) [ - { - name = "windows"; - path = "${windows-launcher}/bin/windows-launcher-ui"; - icon = "${pkgs.gnome.adwaita-icon-theme}/share/icons/Adwaita/16x16/mimetypes/application-x-executable.png"; - } - ]; - - networking.firewall.allowedTCPPorts = lib.mkIf cfg.spice [cfg.spice-port]; - environment.systemPackages = [windows-launcher]; - }; -} diff --git a/modules/disko/disko-ab-partitions.nix b/modules/disko/disko-ab-partitions.nix new file mode 100644 index 000000000..34bfc12a9 --- /dev/null +++ b/modules/disko/disko-ab-partitions.nix 
@@ -0,0 +1,168 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +# This partition scheme contains three common partitions and ZFS pool. +# Some partitions are duplicated for the future AB SWupdate implementation. +# +# First three partitions are related to the boot process: +# - boot : Bootloader partition +# - ESP-A : (500M) Kernel and initrd +# - ESP-B : (500M) +# +# ZFS datasets do not necessary need to have specified size and can be +# allocated dynamically. Quotas only restrict the maximum size of +# datasets, but do not reserve the space in the pool. +# The ZFS pool contains next datasets: +# - root-A : (30G) Root FS +# - root-B : (30G) +# - vm-storage-A : (30G) Possible standalone pre-built VM images are stored here +# - vm-storage-B : (30G) +# - reserved-A : (10G) Reserved dataset, no use +# - reserved-B : (10G) +# - gp-storage : (50G) General purpose storage for some common insecure cases +# - recovery : (no quota) Recovery factory image is stored here +# - storagevm: (no quota) Dataset is meant to be used for StorageVM +{ pkgs, ... }: +{ + # TODO Keep ZFS-related parts of the configuration here for now. + # This allows to have all config dependencies in one place and cleans + # other targets' configs from unnecessary components. + networking.hostId = "8425e349"; + boot = { + initrd.availableKernelModules = [ "zfs" ]; + supportedFilesystems = [ "zfs" ]; + }; + disko = { + # 8GB is the recommeneded minimum for ZFS, so we are using this for VMs to avoid `cp` oom errors. 
+ memSize = 8192; + extraPostVM = '' + ${pkgs.zstd}/bin/zstd --compress $out/*raw + rm $out/*raw + ''; + extraRootModules = [ "zfs" ]; + devices = { + disk.disk1 = { + type = "disk"; + imageSize = "15G"; + content = { + type = "gpt"; + partitions = { + boot = { + name = "boot"; + size = "1M"; + type = "EF02"; + priority = 1; # Needs to be first partition + }; + esp_a = { + name = "ESP_A"; + size = "500M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ + "umask=0077" + "nofail" + ]; + }; + }; + esp_b = { + name = "ESP_B"; + size = "500M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountOptions = [ + "umask=0077" + "nofail" + ]; + }; + }; + zfs_1 = { + size = "100%"; + content = { + type = "zfs"; + pool = "zfspool"; + }; + }; + }; + }; + }; + zpool = { + zfspool = { + type = "zpool"; + rootFsOptions = { + mountpoint = "none"; + acltype = "posixacl"; + }; + datasets = { + "root_a" = { + type = "zfs_fs"; + mountpoint = "/"; + options = { + mountpoint = "/"; + quota = "30G"; + }; + }; + "vm_storage_a" = { + type = "zfs_fs"; + options = { + mountpoint = "/vm_storage"; + quota = "30G"; + }; + }; + "reserved_a" = { + type = "zfs_fs"; + options = { + mountpoint = "none"; + quota = "10G"; + }; + }; + "root_b" = { + type = "zfs_fs"; + options = { + mountpoint = "none"; + quota = "30G"; + }; + }; + "vm_storage_b" = { + type = "zfs_fs"; + options = { + mountpoint = "none"; + quota = "30G"; + }; + }; + "reserved_b" = { + type = "zfs_fs"; + options = { + mountpoint = "none"; + quota = "10G"; + }; + }; + "gp_storage" = { + type = "zfs_fs"; + options = { + mountpoint = "/gp_storage"; + quota = "50G"; + }; + }; + "recovery" = { + type = "zfs_fs"; + options = { + mountpoint = "none"; + }; + }; + "storagevm" = { + type = "zfs_fs"; + options = { + mountpoint = "/storagevm"; + }; + }; + }; + }; + }; + }; + }; +} 
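Review bot: The data datasets mounted at `/vm_storage`, `/gp_storage` and `/storagevm` get only `mountpoint` and `quota`; since the header describes `gp-storage` as storage for "insecure cases" and `storagevm` as VM-backed data, the ZFS dataset properties `setuid = "off";` and `devices = "off";` (and `exec = "off"` where binaries are never run from them) would keep those mounts from being usable as a privilege-escalation staging area. `networking.hostId = "8425e349"` is a fixed value shared by every image built from this module; ZFS uses the host id to detect pools imported on another machine, so a comment such as `# Fixed hostId: every image from this module shares it, so ZFS import checks between installs are not meaningful` would save the next reader from treating it as per-device. The ESP partitions correctly carry `umask=0077`; `esp_b` has no mountpoint, which matches the A/B plan but deserves a comment since `root_b`/`vm_storage_b` use `mountpoint = "none"` explicitly while `esp_b` simply omits it.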
diff --git a/modules/disko/lenovo-x1-disko-basic.nix b/modules/disko/disko-basic-partition-v1.nix similarity index 83% rename from modules/disko/lenovo-x1-disko-basic.nix rename to modules/disko/disko-basic-partition-v1.nix index 229f7a97a..527e44929 100644 --- a/modules/disko/lenovo-x1-disko-basic.nix +++ b/modules/disko/disko-basic-partition-v1.nix @@ -3,13 +3,14 @@ # Example to create a bios compatible gpt partition # To use this example, you will need to specify a device i.e. # { disko.devices.disk1.device = "/dev/sda"; } +{ pkgs, ... }: { disko.devices = { disk.disk1 = { type = "disk"; #TODO: hardcoding the size for now until 544 is merged #https://github.com/nix-community/disko/pull/544 - imageSize = "10G"; + imageSize = "15G"; content = { type = "gpt"; partitions = { @@ -26,7 +27,7 @@ type = "filesystem"; format = "vfat"; mountpoint = "/boot"; - mountOptions = ["umask=0077"]; + mountOptions = [ "umask=0077" ]; }; }; root = { @@ -50,14 +51,18 @@ type = "filesystem"; format = "ext4"; mountpoint = "/"; - mountOptions = [ - "defaults" - ]; + mountOptions = [ "defaults" ]; }; }; }; }; }; }; - disko.memSize = 2048; + disko = { + memSize = 4096; + extraPostVM = '' + ${pkgs.zstd}/bin/zstd --compress $out/*raw + rm $out/*raw + ''; + }; } diff --git a/modules/disko/disko-basic-postboot.nix b/modules/disko/disko-basic-postboot.nix index c0b48f731..cb601b9d3 100644 --- a/modules/disko/disko-basic-postboot.nix +++ b/modules/disko/disko-basic-postboot.nix @@ -1,6 +1,7 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{pkgs, ...}: let +{ pkgs, ... }: +let postBootCmds = '' set -xeuo pipefail @@ -57,6 +58,7 @@ # Finally resize the filesystem inside the logical volume ${pkgs.e2fsprogs}/bin/resize2fs "$DEVPATH" ''; -in { +in +{ boot.postBootCommands = postBootCmds; } diff --git a/modules/disko/disko-zfs-postboot.nix b/modules/disko/disko-zfs-postboot.nix new file mode 100644 index 000000000..3c28cdac8 --- /dev/null 
+++ b/modules/disko/disko-zfs-postboot.nix @@ -0,0 +1,38 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ pkgs, ... }: +let + postBootCmds = '' + set -xeuo pipefail + + # Check which physical disk is used by ZFS + ZFS_POOLNAME=$(${pkgs.zfs}/bin/zpool list | ${pkgs.gnugrep}/bin/grep -v NAME | ${pkgs.gawk}/bin/awk '{print $1}') + ZFS_LOCATION=$(${pkgs.zfs}/bin/zpool status -P | ${pkgs.gnugrep}/bin/grep dev | ${pkgs.gawk}/bin/awk '{print $1}') + + # Get the actual device path + P_DEVPATH=$(readlink -f "$ZFS_LOCATION") + + # Extract the partition number using regex + if [[ "$P_DEVPATH" =~ [0-9]+$ ]]; then + PARTNUM=$(echo "$P_DEVPATH" | ${pkgs.gnugrep}/bin/grep -o '[0-9]*$') + PARENT_DISK=$(echo "$P_DEVPATH" | ${pkgs.gnused}/bin/sed 's/[0-9]*$//') + else + echo "No partition number found in device path: $P_DEVPATH" + fi + + # Fix GPT first + ${pkgs.gptfdisk}/bin/sgdisk "$PARENT_DISK" -e + + # Call partprobe to update kernel's partitions + ${pkgs.parted}/bin/partprobe + + # Extend the partition to use unallocated space + ${pkgs.parted}/bin/parted -s -a opt "$PARENT_DISK" "resizepart $PARTNUM 100%" + + # Extend ZFS pool to use newly allocated space + ${pkgs.zfs}/bin/zpool online -e "$ZFS_POOLNAME" "$ZFS_LOCATION" + ''; +in +{ + boot.postBootCommands = postBootCmds; +} diff --git a/modules/disko/flake-module.nix b/modules/disko/flake-module.nix index 34353f96a..1b94ecdf5 100644 --- a/modules/disko/flake-module.nix +++ b/modules/disko/flake-module.nix 
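Review bot: Under `set -xeuo pipefail` the `else` branch only prints a message and falls through, so the next line `sgdisk "$PARENT_DISK" -e` aborts the script with an unbound-variable error instead of the intended diagnostic, and the `zpool online -e` step is skipped without a clear reason in the log. The resize steps should run only inside the `if` branch, with the message sent to stderr; the pool/vdev discovery via `zpool list | grep -v NAME` and `zpool status -P | grep dev` also assumes exactly one pool with one `/dev` vdev, which is worth stating in a comment such as `# Assumes a single pool on a single partition vdev`. Because this runs as root on every boot against a device path derived from command output, failing closed (skip the resize) is the safer behaviour than continuing with an empty disk argument.
```nix
      # Extract the partition number using regex
      if [[ "$P_DEVPATH" =~ [0-9]+$ ]]; then
        PARTNUM=$(echo "$P_DEVPATH" | ${pkgs.gnugrep}/bin/grep -o '[0-9]*$')
        PARENT_DISK=$(echo "$P_DEVPATH" | ${pkgs.gnused}/bin/sed 's/[0-9]*$//')

        # … unchanged: sgdisk -e, partprobe, parted resizepart, zpool online -e …
      else
        echo "No partition number found in device path: $P_DEVPATH, skipping resize" >&2
      fi
```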
@@ -1,13 +1,18 @@ # Copyright 2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{inputs, ...}: { +{ inputs, ... }: +{ flake.nixosModules = { - # TODO: rename this module to what it actually does rather than what model it's for. - # We version the disko partitiong module so that we can update it without breaking existing systems - disko-lenovo-x1-basic-v1.imports = [ + disko-basic-partition-v1.imports = [ inputs.disko.nixosModules.disko - ./lenovo-x1-disko-basic.nix + ./disko-basic-partition-v1.nix ./disko-basic-postboot.nix ]; + + disko-ab-partitions-v1.imports = [ + inputs.disko.nixosModules.disko + ./disko-ab-partitions.nix + ./disko-zfs-postboot.nix + ]; }; } diff --git a/modules/flake-module.nix b/modules/flake-module.nix index cdbe92292..fe22ac7e8 100644 --- a/modules/flake-module.nix +++ b/modules/flake-module.nix 
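Review bot: The rename from `disko-lenovo-x1-basic-v1` to `disko-basic-partition-v1` drops the comment explaining that the partitioning modules are versioned so they can change without breaking installed systems, yet the new name still carries the `-v1` suffix and a second versioned module `disko-ab-partitions-v1` is added right below; keep that rationale, e.g. `# Partitioning modules are versioned (-vN): changing an existing one can break already-installed systems, add a new version instead.`. If any downstream flake still imports the old attribute name the rename is a breaking change; I cannot see callers from this hunk.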
@@ -3,20 +3,35 @@ # # Modules to be exported from Flake # -{inputs, ...}: { - imports = [./disko/flake-module.nix]; +{ inputs, ... }: +{ + imports = [ + ./disko/flake-module.nix + ./hardware/flake-module.nix + ./microvm/flake-module.nix + ./givc/flake-module.nix + ]; flake.nixosModules = { common.imports = [ ./common - {ghaf.development.nix-setup.nixpkgs = inputs.nixpkgs;} + { + ghaf.development.nix-setup.nixpkgs = inputs.nixpkgs; + nixpkgs.overlays = [ inputs.ghafpkgs.overlays.default ]; + } ]; - desktop.imports = [./desktop]; - host.imports = [./host]; - jetpack.imports = [./jetpack]; - jetpack-microvm.imports = [./jetpack-microvm]; - lanzaboote.imports = [./lanzaboote]; - microvm.imports = [./microvm]; - polarfire.imports = [./polarfire]; + desktop.imports = [ ./desktop ]; + host.imports = [ ./host ]; + imx8.imports = [ ./imx8 ]; + jetpack.imports = [ ./jetpack ]; + jetpack-microvm.imports = [ ./jetpack-microvm ]; + lanzaboote.imports = [ ./lanzaboote ]; + microvm.imports = [ ./microvm ]; + polarfire.imports = [ ./polarfire ]; + reference-appvms.imports = [ ./reference/appvms ]; + reference-personalize.imports = [ ./reference/personalize ]; + reference-profiles.imports = [ ./reference/profiles ]; + reference-programs.imports = [ ./reference/programs ]; + reference-services.imports = [ ./reference/services ]; }; } diff --git a/modules/givc/adminvm.nix b/modules/givc/adminvm.nix new file mode 100644 index 000000000..e501ea145 --- /dev/null +++ b/modules/givc/adminvm.nix 
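Review bot: `nixpkgs.overlays = [ inputs.ghafpkgs.overlays.default ];` is now applied to every host that imports `common`, which changes the provenance of whatever packages that overlay overrides for the whole fleet; a comment naming why it is global and that its content is pinned through the flake input would make that supply-chain choice visible, e.g. `# ghafpkgs overlay applies to all hosts importing common; its contents are pinned via the ghafpkgs flake input`. The rest of the hunk is import-list reformatting plus new reference/imx8/givc module names, which I cannot verify exist from this hunk.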
@@ -0,0 +1,30 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ config, lib, ... }: +let + cfg = config.ghaf.givc.adminvm; + inherit (lib) mkEnableOption mkIf; +in +{ + options.ghaf.givc.adminvm = { + enable = mkEnableOption "Enable adminvm givc module."; + }; + + config = mkIf (cfg.enable && config.ghaf.givc.enable) { + # Configure admin service + givc.admin = { + enable = true; + inherit (config.ghaf.givc.adminConfig) name; + inherit (config.ghaf.givc.adminConfig) addr; + inherit (config.ghaf.givc.adminConfig) port; + inherit (config.ghaf.givc.adminConfig) protocol; + services = [ + "givc-ghaf-host-debug.service" + "givc-net-vm.service" + "givc-gui-vm.service" + "givc-audio-vm.service" + ]; + tls.enable = config.ghaf.givc.enableTls; + }; + }; +} diff --git a/modules/givc/appvm.nix b/modules/givc/appvm.nix new file mode 100644 index 000000000..6fe698785 --- /dev/null +++ b/modules/givc/appvm.nix 
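Review bot: The `services` list hard-codes `givc-ghaf-host-debug.service`, `givc-net-vm.service`, `givc-gui-vm.service` and `givc-audio-vm.service`, while the per-VM modules in this commit (host.nix, netvm.nix, guivm.nix, audiovm.nix) each define their own `hostName`; with two sources of truth a rename on one side silently drops that VM from the admin's managed set, and gpiovm is already missing from this list although `modules/givc/gpiovm.nix` is added. Deriving the list from the same host names (or one shared option) would keep them in step; at minimum a comment `# Must match hostName in the per-VM givc modules` should sit above `services`. The four `inherit (config.ghaf.givc.adminConfig) …` lines can be one `inherit (config.ghaf.givc.adminConfig) name addr port protocol;`.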
@@ -0,0 +1,50 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + config, + lib, + givc, + ... +}: +let + cfg = config.ghaf.givc.appvm; + inherit (lib) + mkOption + mkEnableOption + mkIf + types + ; + vmEntry = vm: builtins.filter (x: x.name == vm) config.ghaf.networking.hosts.entries; + address = vm: lib.head (builtins.map (x: x.ip) (vmEntry vm)); +in +{ + options.ghaf.givc.appvm = { + enable = mkEnableOption "Enable appvm givc module."; + name = mkOption { + type = types.str; + default = "appvm"; + description = "Name of the appvm."; + }; + applications = mkOption { + type = types.str; + default = "{}"; + description = "Applications to run in the appvm."; + }; + }; + + config = mkIf (cfg.enable && config.ghaf.givc.enable) { + # Configure appvm service + givc.appvm = { + enable = true; + inherit (cfg) name; + inherit (cfg) applications; + addr = address cfg.name; + port = "9000"; + tls.enable = config.ghaf.givc.enableTls; + admin = config.ghaf.givc.adminConfig; + }; + + # Quick fix to allow linger (linger option in user def. currently doesn't work, e.g., bc mutable) + systemd.tmpfiles.rules = [ "f /var/lib/systemd/linger/${config.ghaf.users.accounts.user}" ]; + }; +} diff --git a/modules/givc/audiovm.nix b/modules/givc/audiovm.nix new file mode 100644 index 000000000..1ef30a751 --- /dev/null +++ b/modules/givc/audiovm.nix 
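Review bot: `address cfg.name` applies `lib.head` to the result of a `filter`, so a VM name that is absent from `ghaf.networking.hosts.entries` fails with Nix's generic empty-list error rather than naming the missing host; the same `filter`/`head` lookup is repeated in audiovm.nix, common.nix, gpiovm.nix, guivm.nix and netvm.nix, while host.nix defines its own `getIp` helper. A single helper in common.nix with an explicit check, e.g. `getIp = name: let e = filter (x: x.name == name) entries; in if e == [ ] then throw "givc: no network entry for ${name}" else (head e).ip;`, would remove the duplication and give an actionable error. The `applications` option is typed `types.str` with default `"{}"`, which looks like serialized structured data; if the givc module accepts an attribute set, typing it as such (or documenting the expected format in the option description) would prevent malformed strings from reaching the service. The `givc` module argument is unused here and in gpiovm.nix, host.nix and netvm.nix.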
@@ -0,0 +1,30 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ config, lib, ... }: +let + cfg = config.ghaf.givc.audiovm; + inherit (lib) mkEnableOption mkIf; + hostName = "audio-vm"; +in +{ + options.ghaf.givc.audiovm = { + enable = mkEnableOption "Enable audiovm givc module."; + }; + + config = mkIf (cfg.enable && config.ghaf.givc.enable) { + # Configure audiovm service + givc.sysvm = + let + audiovmEntry = builtins.filter (x: x.name == hostName) config.ghaf.networking.hosts.entries; + addr = lib.head (builtins.map (x: x.ip) audiovmEntry); + in + { + enable = true; + name = hostName; + inherit addr; + port = "9000"; + tls.enable = config.ghaf.givc.enableTls; + admin = config.ghaf.givc.adminConfig; + }; + }; +} diff --git a/modules/givc/common.nix b/modules/givc/common.nix new file mode 100644 index 000000000..6306376ec --- /dev/null +++ b/modules/givc/common.nix 
@@ -0,0 +1,73 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ config, lib, ... }: +let + cfg = config.ghaf.givc; + inherit (lib) + mkOption + mkEnableOption + mkIf + types + ; + mitmEnabled = + config.ghaf.virtualization.microvm.idsvm.enable + && config.ghaf.virtualization.microvm.idsvm.mitmproxy.enable; + mitmExtraArgs = lib.optionalString mitmEnabled "--user-data-dir=/home/${config.ghaf.users.accounts.user}/.config/chromium/Default --test-type --ignore-certificate-errors-spki-list=Bq49YmAq1CG6FuBzp8nsyRXumW7Dmkp7QQ/F82azxGU="; +in +{ + options.ghaf.givc = { + enable = mkEnableOption "Enable gRPC inter-vm communication"; + enableTls = mkOption { + description = "Enable TLS for gRPC communication globally, or disable for debugging."; + type = types.bool; + default = false; + }; + idsExtraArgs = mkOption { + description = "Extra arguments for applications when IDS/MITM is enabled."; + type = types.str; + default = mitmExtraArgs; + }; + appPrefix = mkOption { + description = "Common application path prefix."; + type = types.str; + default = "/run/current-system/sw/bin"; + }; + adminConfig = mkOption { + description = "Admin server configuration."; + type = types.submodule { + options = { + name = mkOption { + description = "Host name of admin server"; + type = types.str; + }; + addr = mkOption { + description = "Address of admin server"; + type = types.str; + }; + port = mkOption { + description = "Port of admin server"; + type = types.str; + }; + protocol = mkOption { + description = "Protocol of admin server"; + type = types.str; + }; + }; + }; + }; + }; + config = mkIf cfg.enable { + # Givc admin server configuration + ghaf.givc.adminConfig = + let + adminvmEntry = builtins.filter (x: x.name == "admin-vm-debug") config.ghaf.networking.hosts.entries; + addr = lib.head (builtins.map (x: x.ip) adminvmEntry); + in + { + name = "admin-vm-debug"; + inherit addr; + port = "9001"; + protocol = "tcp"; + }; + }; +} 
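Review bot: `enableTls` defaults to `false`, so every gRPC endpoint wired up in this commit (adminvm.nix, host.nix, guivm.nix, netvm.nix, audiovm.nix, gpiovm.nix, appvm.nix via `tls.enable = config.ghaf.givc.enableTls`) runs in plaintext unless a profile opts in, and host.nix exposes `reboot.target`, `poweroff.target` and every `microvm@*.service` over that channel. Since the description itself frames disabling TLS as a debugging aid, the safer default is `true` with debug profiles turning it off, or at least a comment `# Plaintext control plane by default; production profiles must set enableTls = true` so the choice is visible at the definition site. `mitmExtraArgs` embeds a Chromium `--ignore-certificate-errors-spki-list` pin for the IDS proxy; a comment stating which certificate the hash belongs to and how it is rotated would help whoever has to regenerate it. The admin host name `"admin-vm-debug"` appears twice in this file and again in adminvm.nix's service list; one constant would avoid drift.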
diff --git a/modules/givc/flake-module.nix b/modules/givc/flake-module.nix new file mode 100644 index 000000000..8118eb941 --- /dev/null +++ b/modules/givc/flake-module.nix @@ -0,0 +1,46 @@ +# Copyright 2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ inputs, ... }: +{ + flake.nixosModules = { + givc-adminvm.imports = [ + inputs.givc.nixosModules.admin + ./common.nix + ./adminvm.nix + ]; + givc-host.imports = [ + inputs.givc.nixosModules.host + ./common.nix + ./host.nix + ]; + givc-guivm.imports = [ + inputs.givc.nixosModules.sysvm + ./common.nix + ./guivm.nix + { + # Include givc overlay to import app + nixpkgs.overlays = [ inputs.givc.overlays.default ]; + } + ]; + givc-netvm.imports = [ + inputs.givc.nixosModules.sysvm + ./common.nix + ./netvm.nix + ]; + givc-audiovm.imports = [ + inputs.givc.nixosModules.sysvm + ./common.nix + ./audiovm.nix + ]; + givc-appvm.imports = [ + inputs.givc.nixosModules.appvm + ./common.nix + ./appvm.nix + ]; + givc-gpiovm.imports = [ + inputs.givc.nixosModules.sysvm + ./common.nix + ./gpiovm.nix + ]; + }; +} diff --git a/modules/givc/gpiovm.nix b/modules/givc/gpiovm.nix new file mode 100644 index 000000000..adf960fff --- /dev/null +++ b/modules/givc/gpiovm.nix 
@@ -0,0 +1,37 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + config, + lib, + givc, + ... +}: +let + cfg = config.ghaf.givc.gpiovm; + inherit (lib) mkEnableOption mkIf; + hostName = "gpio-vm"; +in +{ + options.ghaf.givc.gpiovm = { + enable = mkEnableOption "Enable gpiovm givc module."; + }; + + config = mkIf (cfg.enable && config.ghaf.givc.enable) { + # Configure gpiovm service + givc.sysvm = + let + gpiovmEntry = builtins.filter (x: x.name == hostName) config.ghaf.networking.hosts.entries; + addr = lib.head (builtins.map (x: x.ip) gpiovmEntry); + in + { + enable = true; + name = hostName; + inherit addr; + port = "9000"; + wifiManager = true; + hwidService = true; + tls.enable = config.ghaf.givc.enableTls; + admin = config.ghaf.givc.adminConfig; + }; + }; +} diff --git a/modules/givc/guivm.nix b/modules/givc/guivm.nix new file mode 100644 index 000000000..4a7e8d737 --- /dev/null +++ b/modules/givc/guivm.nix @@ -0,0 +1,30 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ config, lib, ... }: +let + cfg = config.ghaf.givc.guivm; + inherit (lib) mkEnableOption mkIf; + hostName = "gui-vm"; +in +{ + options.ghaf.givc.guivm = { + enable = mkEnableOption "Enable guivm givc module."; + }; + + config = mkIf (cfg.enable && config.ghaf.givc.enable) { + # Configure guivm service + givc.sysvm = + let + guivmEntry = builtins.filter (x: x.name == hostName) config.ghaf.networking.hosts.entries; + addr = lib.head (builtins.map (x: x.ip) guivmEntry); + in + { + enable = true; + name = hostName; + inherit addr; + port = "9000"; + tls.enable = config.ghaf.givc.enableTls; + admin = config.ghaf.givc.adminConfig; + }; + }; +} diff --git a/modules/givc/host.nix b/modules/givc/host.nix new file mode 100644 index 000000000..6849accc9 --- /dev/null +++ b/modules/givc/host.nix 
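Review bot: gpiovm.nix sets `wifiManager = true;` and `hwidService = true;` on the gpio-vm's `givc.sysvm`, which are the same two flags netvm.nix enables and which read as network-VM capabilities; this looks like a copy of the netvm block, and enabling a Wi-Fi management surface on a VM whose role is GPIO widens that VM's exposed interface for no stated reason. If gpio-vm really needs them, a comment explaining why should accompany the flags; otherwise drop both lines. The adjacent guivm.nix hunk is the plain sysvm form and has no such flags.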
@@ -0,0 +1,41 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + config, + lib, + givc, + ... +}: +let + cfg = config.ghaf.givc.host; + inherit (builtins) map filter attrNames; + inherit (lib) mkEnableOption mkIf head; + hostName = "ghaf-host-debug"; +in +{ + options.ghaf.givc.host = { + enable = mkEnableOption "Enable host givc module."; + }; + + config = mkIf (cfg.enable && config.ghaf.givc.enable) { + # Configure host service + givc.host = + let + getIp = + name: head (map (x: x.ip) (filter (x: x.name == name) config.ghaf.networking.hosts.entries)); + addr = getIp hostName; + in + { + enable = true; + name = hostName; + inherit addr; + port = "9000"; + services = [ + "reboot.target" + "poweroff.target" + ] ++ map (vmName: "microvm@${vmName}.service") (attrNames config.microvm.vms); + tls.enable = config.ghaf.givc.enableTls; + admin = config.ghaf.givc.adminConfig; + }; + }; +} diff --git a/modules/givc/netvm.nix b/modules/givc/netvm.nix new file mode 100644 index 000000000..aa22d3b0f --- /dev/null +++ b/modules/givc/netvm.nix @@ -0,0 +1,37 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + config, + lib, + givc, + ... +}: +let + cfg = config.ghaf.givc.netvm; + inherit (lib) mkEnableOption mkIf; + hostName = "net-vm"; +in +{ + options.ghaf.givc.netvm = { + enable = mkEnableOption "Enable netvm givc module."; + }; + + config = mkIf (cfg.enable && config.ghaf.givc.enable) { + # Configure netvm service + givc.sysvm = + let + netvmEntry = builtins.filter (x: x.name == hostName) config.ghaf.networking.hosts.entries; + addr = lib.head (builtins.map (x: x.ip) netvmEntry); + in + { + enable = true; + name = hostName; + inherit addr; + port = "9000"; + wifiManager = true; + hwidService = true; + tls.enable = config.ghaf.givc.enableTls; + admin = config.ghaf.givc.adminConfig; + }; + }; +} 
diff --git a/modules/hardware/common/default.nix b/modules/hardware/common/default.nix
new file mode 100644
index 000000000..4ba3c653b
--- /dev/null
+++ b/modules/hardware/common/default.nix
@@ -0,0 +1,12 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+ imports = [
+ ./usb/internal.nix
+ ./usb/external.nix
+ ./usb/vhotplug.nix
+ ./devices.nix
+ ./kernel.nix
+ ./qemu.nix
+ ];
+}
diff --git a/modules/hardware/common/devices.nix b/modules/hardware/common/devices.nix
new file mode 100644
index 000000000..6e47345f8
--- /dev/null
+++ b/modules/hardware/common/devices.nix
@@ -0,0 +1,90 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ config, lib, ... }: +let + inherit (lib) mkOption types mkForce; +in +{ + options.ghaf.hardware.devices = { + netvmPCIPassthroughModule = mkOption { + type = types.attrsOf types.anything; + default = { }; + description = '' + PCI devices to passthrough to the netvm. + ''; + }; + guivmPCIPassthroughModule = mkOption { + type = types.attrsOf types.anything; + default = { }; + description = '' + PCI devices to passthrough to the guivm. + ''; + }; + audiovmPCIPassthroughModule = mkOption { + type = types.attrsOf types.anything; + default = { }; + description = '' + PCI devices to passthrough to the audiovm. + ''; + }; + guivmVirtioInputHostEvdevModule = mkOption { + type = types.attrsOf types.anything; + default = { }; + description = '' + Virtio evdev paths' to passthrough to the guivm. + ''; + }; + }; + + config = { + ghaf.hardware.devices = { + netvmPCIPassthroughModule = { + microvm.devices = mkForce ( + builtins.map (d: { + bus = "pci"; + inherit (d) path; + }) config.ghaf.hardware.definition.network.pciDevices + ); + ghaf.hardware.definition.network.pciDevices = config.ghaf.hardware.definition.network.pciDevices; + }; + + guivmPCIPassthroughModule = { + microvm.devices = mkForce ( + builtins.map (d: { + bus = "pci"; + inherit (d) path; + }) config.ghaf.hardware.definition.gpu.pciDevices + ); + ghaf.hardware.definition.gpu.pciDevices = config.ghaf.hardware.definition.gpu.pciDevices; + }; + + audiovmPCIPassthroughModule = { + microvm.devices = mkForce ( + builtins.map (d: { + bus = "pci"; + inherit (d) path; + }) config.ghaf.hardware.definition.audio.pciDevices + ); + ghaf.hardware.definition.audio.pciDevices = config.ghaf.hardware.definition.audio.pciDevices; + }; + + guivmVirtioInputHostEvdevModule = { + microvm.qemu.extraArgs = + builtins.concatMap + (d: [ + "-device" + "virtio-input-host-pci,evdev=${d}" + ]) + ( + 
config.ghaf.hardware.definition.input.keyboard.evdev + ++ config.ghaf.hardware.definition.input.mouse.evdev + ++ config.ghaf.hardware.definition.input.touchpad.evdev + ++ config.ghaf.hardware.definition.input.misc.evdev + ); + + # TODO: Remove this once wifi-signal-strength is changed + ghaf.hardware.definition.network.pciDevices = config.ghaf.hardware.definition.network.pciDevices; + }; + }; + }; +} diff --git a/modules/hardware/common/kernel.nix b/modules/hardware/common/kernel.nix new file mode 100644 index 000000000..e13202295 --- /dev/null +++ b/modules/hardware/common/kernel.nix 
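Review bot: `microvm.devices = mkForce (...)` in all three PCI passthrough modules silently discards any other `microvm.devices` definition merged into the same VM, so a module that adds, say, a USB device to netvm loses it without an evaluation conflict; unless the override is deliberate, drop `mkForce` and let the list definitions merge, or add a comment stating which definition it is meant to win over. The evdev module's copy of `network.pciDevices` under the `# TODO` comment ties input passthrough to the network definition; the comment should name the tracking issue or the consumer (`wifi-signal-strength`) so the coupling can be removed later. The option description `Virtio evdev paths' to passthrough to the guivm.` has a stray apostrophe.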
@@ -0,0 +1,90 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +# Module for Kernel Configuration Definitions +# +{ + config, + lib, + pkgs, + ... +}: +let + inherit (lib) mkOption types optionalAttrs; + inherit (builtins) + concatStringsSep + filter + map + hasAttr + ; + + # Only x86 targets with hw definition supported at the moment + inherit (pkgs.stdenv.hostPlatform) isx86; + fullVirtualization = isx86 && (hasAttr "hardware" config.ghaf); +in +{ + options.ghaf.kernel = { + host = mkOption { + type = types.attrs; + default = { }; + description = "Host kernel configuration"; + }; + guivm = mkOption { + type = types.attrs; + default = { }; + description = "GuiVM kernel configuration"; + }; + audiovm = mkOption { + type = types.attrs; + default = { }; + description = "AudioVM kernel configuration"; + }; + }; + + config = { + # Host kernel configuration + boot = optionalAttrs fullVirtualization { + initrd = { + inherit (config.ghaf.hardware.definition.host.kernelConfig.stage1) kernelModules; + }; + inherit (config.ghaf.hardware.definition.host.kernelConfig.stage2) kernelModules; + kernelParams = + let + # PCI device passthroughs for vfio + filterDevices = filter (d: d.vendorId != null && d.productId != null); + mapPciIdsToString = map (d: "${d.vendorId}:${d.productId}"); + vfioPciIds = mapPciIdsToString ( + filterDevices ( + config.ghaf.hardware.definition.network.pciDevices + ++ config.ghaf.hardware.definition.gpu.pciDevices + ++ config.ghaf.hardware.definition.audio.pciDevices + ) + ); + in + config.ghaf.hardware.definition.host.kernelConfig.kernelParams + ++ [ "vfio-pci.ids=${concatStringsSep "," vfioPciIds}" ]; + }; + + # Guest kernel configurations + ghaf.kernel = optionalAttrs fullVirtualization { + guivm = { + boot = { + initrd = { + inherit (config.ghaf.hardware.definition.gpu.kernelConfig.stage1) kernelModules; + }; + inherit (config.ghaf.hardware.definition.gpu.kernelConfig.stage2) kernelModules; + 
inherit (config.ghaf.hardware.definition.gpu.kernelConfig) kernelParams; + }; + }; + audiovm = { + boot = { + initrd = { + inherit (config.ghaf.hardware.definition.audio.kernelConfig.stage1) kernelModules; + }; + inherit (config.ghaf.hardware.definition.audio.kernelConfig.stage2) kernelModules; + inherit (config.ghaf.hardware.definition.audio.kernelConfig) kernelParams; + }; + }; + }; + }; +} diff --git a/modules/hardware/common/qemu.nix b/modules/hardware/common/qemu.nix new file mode 100644 index 000000000..d9a02c018 --- /dev/null +++ b/modules/hardware/common/qemu.nix @@ -0,0 +1,45 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ config, lib, ... }: +let + inherit (builtins) hasAttr; + inherit (lib) + mkOption + types + optionals + optionalAttrs + ; +in +{ + options.ghaf.qemu = { + guivm = mkOption { + type = types.attrs; + default = { }; + description = "Extra qemu arguments for GuiVM"; + }; + }; + + config = { + ghaf.qemu.guivm = optionalAttrs (hasAttr "hardware" config.ghaf) { + microvm.qemu.extraArgs = + [ + # Button + "-device" + "button" + # Battery + "-device" + "battery" + # AC adapter + "-device" + "acad" + ] + ++ optionals (hasAttr "yubikey" config.ghaf.hardware.usb.external.qemuExtraArgs) config.ghaf.hardware.usb.external.qemuExtraArgs.yubikey + ++ optionals (hasAttr "fpr0" config.ghaf.hardware.usb.internal.qemuExtraArgs) config.ghaf.hardware.usb.internal.qemuExtraArgs.fpr0 + ++ optionals config.ghaf.hardware.usb.vhotplug.enableEvdevPassthrough builtins.concatMap (n: [ + "-device" + "pcie-root-port,bus=pcie.0,id=${config.ghaf.hardware.usb.vhotplug.pcieBusPrefix}${toString n},chassis=${toString n}" + ]) (lib.range 1 config.ghaf.hardware.usb.vhotplug.pciePortCount); + }; + }; +} diff --git a/modules/hardware/common/usb/external.nix b/modules/hardware/common/usb/external.nix new file mode 100644 index 000000000..167c1aca4 --- /dev/null +++ b/modules/hardware/common/usb/external.nix 
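Review bot: `filterDevices` in the host `kernelParams` drops any passthrough device whose `vendorId` or `productId` is `null`, so such a device is still handed to the VM by devices.nix but never bound through `vfio-pci.ids=`, which may leave the host driver free to claim it; an assertion (or at least a `lib.warn`) when a listed device lacks IDs would make the gap visible instead of relying on per-board `module_blacklist` entries. When every device is filtered out the parameter degenerates to `vfio-pci.ids=` with an empty value, so the append should be `++ lib.optional (vfioPciIds != [ ]) "vfio-pci.ids=${concatStringsSep "," vfioPciIds}"`. `fullVirtualization` is true whenever definition.nix is imported, even with all device lists empty; a comment stating that this is the intended meaning of the flag would help.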
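Review bot: The last element of `microvm.qemu.extraArgs` in qemu.nix parses as `(optionals cond builtins.concatMap) (n: ...) (lib.range ...)`, because function application binds tighter than the list you intended to pass; with `enableEvdevPassthrough = true` (the default) this happens to yield the right list, but with `false` `optionals` returns `[ ]` and evaluation then fails trying to call a list as a function. Wrap the whole `concatMap` expression in parentheses: `++ optionals config.ghaf.hardware.usb.vhotplug.enableEvdevPassthrough (builtins.concatMap (n: [ "-device" "pcie-root-port,bus=pcie.0,id=${config.ghaf.hardware.usb.vhotplug.pcieBusPrefix}${toString n},chassis=${toString n}" ]) (lib.range 1 config.ghaf.hardware.usb.vhotplug.pciePortCount))`. A `let hotplug = config.ghaf.hardware.usb.vhotplug; in` binding would also shorten the three repeated option paths.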
@@ -0,0 +1,76 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ config, lib, ... }: +let + cfg = config.ghaf.hardware.usb.external; + inherit (lib) + mkEnableOption + mkOption + types + mkIf + literalExpression + ; + + # Create USB argument strings for Qemu + qemuExtraArgs = + let + generateArg = + dev: + if ((dev.name != null) && (dev.vendorId != null) && (dev.productId != null)) then + { + name = "${dev.name}"; + value = [ + "-device" + "qemu-xhci" + "-device" + "usb-host,vendorid=0x${dev.vendorId},productid=0x${dev.productId}" + ]; + } + else + builtins.throw "The external USB device is configured incorrectly. Please provide name, vendorId and productId."; + in + builtins.listToAttrs (builtins.map generateArg config.ghaf.hardware.definition.usb.external); + + # Create udev argument strings + extraRules = + let + generateRule = + dev: + if ((dev.vendorId != null) && (dev.productId != null)) then + ''SUBSYSTEM=="usb", ATTR{idVendor}=="${dev.vendorId}", ATTR{idProduct}=="${dev.productId}", GROUP="kvm"'' + else + builtins.throw "The external USB device is configured incorrectly. Please provide name, vendorId and productId."; + in + lib.strings.concatMapStringsSep "\n" generateRule config.ghaf.hardware.definition.usb.external; +in +{ + options.ghaf.hardware.usb.external = { + enable = mkEnableOption "Enable external USB device(s) passthrough support"; + qemuExtraArgs = mkOption { + type = types.attrsOf types.anything; + default = { }; + description = '' + Extra arguments to pass to qemu when enabling the external USB device(s). + Since there can be several devices that may need to be passed to different + machines, the device names are used as keys to access the qemu arguments. 
+ ''; + example = literalExpression '' + { + "device1" = ["-device" "qemu-xhci" "-device" "usb-host,vendorid=0x1234,productid=0x1234"]; + "device2" = ["-device" "qemu-xhci" "-device" "usb-host,vendorid=0x0001,productid=0x0001"]; + } + ''; + }; + }; + + config = mkIf cfg.enable { + ghaf.hardware.usb.external = { + inherit qemuExtraArgs; + }; + + # Host udev rules for external USB devices + services.udev = { + inherit extraRules; + }; + }; +} diff --git a/modules/hardware/common/usb/internal.nix b/modules/hardware/common/usb/internal.nix new file mode 100644 index 000000000..280fc814f --- /dev/null +++ b/modules/hardware/common/usb/internal.nix 
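Review bot: In `extraRules`, `generateRule` only checks `vendorId` and `productId` but its error text says `Please provide name, vendorId and productId`, while `generateArg` above requires all three; a single `isComplete = dev: dev.name != null && dev.vendorId != null && dev.productId != null;` used by both keeps the two validations and their messages in step (internal.nix has the same split between its two generators). Each device also emits its own `"qemu-xhci"` controller, so a VM receiving two external devices gets two xHCI controllers; if that is intended a comment should say so. The IDs are spliced verbatim into `usb-host,vendorid=0x…` and into the udev `ATTR{idVendor}==` match, so any format check belongs on the option types in definition.nix rather than in these generators.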
@@ -0,0 +1,93 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ config, lib, ... }: +let + cfg = config.ghaf.hardware.usb.internal; + inherit (lib) + mkOption + mkEnableOption + types + mkIf + literalExpression + ; + + # Create USB argument strings for Qemu + qemuExtraArgs = + let + generateArg = + dev: + if ((dev.name != null) && (dev.vendorId != null) && (dev.productId != null)) then + { + name = "${dev.name}"; + value = [ + "-device" + "qemu-xhci" + "-device" + "usb-host,vendorid=0x${dev.vendorId},productid=0x${dev.productId}" + ]; + } + else if ((dev.name != null) && (dev.hostbus != null) && (dev.hostport != null)) then + { + name = "${dev.name}"; + value = [ + "-device" + "qemu-xhci" + "-device" + "usb-host,hostbus=${dev.hostbus},hostport=${dev.hostport}" + ]; + } + else + builtins.throw '' + The internal USB device is configured incorrectly. + Please provide name, and either vendorId and productId or hostbus and hostport.''; + in + builtins.listToAttrs (builtins.map generateArg config.ghaf.hardware.definition.usb.internal); + + # Create udev argument strings + extraRules = + let + generateRule = + dev: + if ((dev.vendorId != null) && (dev.productId != null)) then + ''SUBSYSTEM=="usb", ATTR{idVendor}=="${dev.vendorId}", ATTR{idProduct}=="${dev.productId}", GROUP="kvm"'' + else if ((dev.hostbus != null) && (dev.hostport != null)) then + ''KERNEL=="${dev.hostbus}-${dev.hostport}", SUBSYSTEM=="usb", ATTR{busnum}=="${dev.hostbus}", GROUP="kvm"'' + else + builtins.throw '' + The internal USB device is configured incorrectly. 
+ Please provide name, and either vendorId and productId or hostbus and hostport.''; + in + lib.strings.concatMapStringsSep "\n" generateRule config.ghaf.hardware.definition.usb.internal; +in +{ + options.ghaf.hardware.usb.internal = { + enable = mkEnableOption "Enable internal USB device(s) passthrough support"; + qemuExtraArgs = mkOption { + type = types.attrsOf types.anything; + default = { }; + description = '' + Extra arguments to pass to qemu when enabling the internal USB device(s). + Since there could be several devices that may need to be passed to different + machines, the device names are used as keys to access the qemu arguments. + Note that some devices require special names to be used correctly. + ''; + example = literalExpression '' + { + "device1" = ["-device" "qemu-xhci" "-device" "usb-host,vendorid=0x1234,productid=0x1234"]; + "device2" = ["-device" "qemu-xhci" "-device" "usb-host,vendorid=0x0001,productid=0x0001"]; + } + ''; + }; + }; + + config = mkIf cfg.enable { + # Qemu arguments for internal USB devices + ghaf.hardware.usb.internal = { + inherit qemuExtraArgs; + }; + # Host udev rules for internal USB devices + services.udev = { + inherit extraRules; + }; + }; +} diff --git a/modules/hardware/common/usb/vhotplug.nix b/modules/hardware/common/usb/vhotplug.nix new file mode 100644 index 000000000..d67cc0498 --- /dev/null +++ b/modules/hardware/common/usb/vhotplug.nix 
@@ -0,0 +1,192 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + config, + lib, + pkgs, + ... +}: +let + cfg = config.ghaf.hardware.usb.vhotplug; + inherit (lib) + mkEnableOption + mkOption + types + mkIf + literalExpression + ; + + vhotplug = pkgs.callPackage ../../../../packages/vhotplug { }; + defaultRules = [ + { + name = "GUIVM"; + qmpSocket = "/var/lib/microvms/gui-vm/gui-vm.sock"; + usbPassthrough = [ + { + class = 3; + protocol = 1; + description = "HID Keyboard"; + } + { + class = 3; + protocol = 2; + description = "HID Mouse"; + } + { + class = 11; + description = "Chip/SmartCard (e.g. YubiKey)"; + } + { + class = 224; + subclass = 1; + protocol = 1; + description = "Bluetooth"; + disable = true; + } + { + # Currently disabled to leave USB drives connected to the host + class = 8; + sublass = 6; + description = "Mass Storage - SCSI (USB drives)"; + disable = true; + } + ]; + evdevPassthrough = { + enable = cfg.enableEvdevPassthrough; + inherit (cfg) pcieBusPrefix; + }; + } + { + name = "NetVM"; + qmpSocket = "/var/lib/microvms/net-vm/net-vm.sock"; + usbPassthrough = [ + { + # Currently disabled to avoid breaking remote nixos-rebuild, + # which requires an Ethernet adapter connected to the host + class = 2; + sublass = 6; + description = "Communications - Ethernet Networking"; + disable = true; + } + ]; + } + { + name = "ChromiumVM"; + qmpSocket = "/var/lib/microvms/chromium-vm/chromium-vm.sock"; + usbPassthrough = [ + { + class = 14; + description = "Video (USB Webcams)"; + } + ]; + } + { + name = "AudioVM"; + qmpSocket = "/var/lib/microvms/audio-vm/audio-vm.sock"; + usbPassthrough = [ + { + class = 1; + description = "Audio"; + } + ]; + } + ]; +in +{ + options.ghaf.hardware.usb.vhotplug = { + enable = mkEnableOption "Enable hot plugging of USB devices"; + + rules = mkOption { + type = types.listOf types.attrs; + default = defaultRules; + description = '' + List of virtual machines with USB hot 
plugging rules. + ''; + example = literalExpression '' + [ + { + name = "GUIVM"; + qmpSocket = "/var/lib/microvms/gui-vm/gui-vm.sock"; + usbPassthrough = [ + { + class = 3; + protocol = 1; + description = "HID Keyboard"; + ignore = [ + { + vendorId = "046d"; + productId = "c52b"; + description = "Logitech, Inc. Unifying Receiver"; + } + ]; + } + { + vendorId = "067b"; + productId = "23a3"; + description = "Prolific Technology, Inc. USB-Serial Controller"; + disable = true; + } + ]; + } + { + name = "NetVM"; + qmpSocket = "/var/lib/microvms/net-vm/net-vm.sock"; + usbPassthrough = [ + { + productName = ".*ethernet.*"; + description = "Ethernet devices"; + } + ]; + } + ]; + ''; + }; + + enableEvdevPassthrough = mkOption { + description = '' + Enable passthrough of non-USB input devices on startup using QEMU virtio-input-host-pci device. + ''; + type = types.bool; + default = true; + }; + + pcieBusPrefix = mkOption { + type = types.nullOr types.str; + default = "rp"; + description = '' + PCIe bus prefix used for the pcie-root-port QEMU device when evdev passthrough is enabled. + ''; + }; + + pciePortCount = lib.mkOption { + type = lib.types.int; + default = 5; + description = '' + The number of PCIe ports used for hot-plugging virtio-input-host-pci devices. + ''; + }; + }; + + config = mkIf cfg.enable { + services.udev.extraRules = '' + SUBSYSTEM=="usb", GROUP="kvm" + KERNEL=="event*", GROUP="kvm" + ''; + + environment.etc."vhotplug.conf".text = builtins.toJSON { vms = cfg.rules; }; + + systemd.services.vhotplug = { + enable = true; + description = "vhotplug"; + wantedBy = [ "microvms.target" ]; + after = [ "microvms.target" ]; + serviceConfig = { + Type = "simple"; + Restart = "always"; + RestartSec = "1"; + ExecStart = "${vhotplug}/bin/vhotplug -a -c /etc/vhotplug.conf"; + }; + startLimitIntervalSec = 0; + }; + }; +} diff --git a/modules/hardware/definition.nix b/modules/hardware/definition.nix new file mode 100644 index 000000000..642f912ba --- /dev/null 
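Review bot: `sublass = 6;` in the GUIVM Mass Storage rule and again in the NetVM Ethernet rule is a typo for `subclass` (the Bluetooth entry spells it `subclass = 1;`); both rules are `disable = true` today, but as soon as either is enabled the unknown key is presumably ignored and the rule matches on `class` alone, i.e. every mass-storage or every communications-class device. Because `rules` is typed `types.listOf types.attrs`, such typos cannot be caught at evaluation; a submodule type listing the keys the examples use (`class`, `subclass`, `protocol`, `vendorId`, `productId`, `productName`, `description`, `disable`, `ignore`) would reject them. The `services.udev.extraRules` here grant group `kvm` access to every USB device node and every `event*` input node on the host, far broader than the per-device rules in usb/internal.nix and usb/external.nix; a comment stating that this breadth is required for arbitrary hot-plug, and that `kvm` membership is therefore a host trust boundary, would help reviewers of later changes. `pcieBusPrefix` is `types.nullOr types.str` but is interpolated into a string in qemu.nix, so `null` fails at evaluation; `types.str` looks like the intended type.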
+++ b/modules/hardware/definition.nix 
@@ -0,0 +1,360 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +# Module for Hardware Definitions +# +# The point of this module is to only store information about the hardware +# configuration, and the logic that uses this information should be elsewhere. +{ lib, ... }: +let + inherit (lib) mkOption types literalExpression; +in +{ + options.ghaf.hardware.definition = + let + pciDevSubmodule = types.submodule { + options = { + path = mkOption { + type = types.str; + description = '' + PCI device path + ''; + }; + vendorId = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + PCI Vendor ID (optional) + ''; + }; + productId = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + PCI Product ID (optional) + ''; + }; + name = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + PCI device name (optional) + ''; + }; + }; + }; + + # USB device submodule, defined either by product ID and vendor ID, or by bus and port number + usbDevSubmodule = types.submodule { + options = { + name = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + USB device name. NOT optional for external devices, in which case it must not contain spaces + or extravagant characters. + ''; + }; + vendorId = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + USB Vendor ID (optional). If this is set, the productId must also be set. + ''; + }; + productId = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + USB Product ID (optional). If this is set, the vendorId must also be set. + ''; + }; + hostbus = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + USB device bus number (optional). If this is set, the hostport must also be set. 
+ ''; + }; + hostport = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + USB device device number (optional). If this is set, the hostbus must also be set. + ''; + }; + }; + }; + + # Input devices submodule + inputDevSubmodule = types.submodule { + options = { + name = mkOption { + type = types.listOf types.any; + default = [ ]; + description = '' + List of input device names. Can either be a string, or a list of strings. + The list option allows to bind several input device names to the same evdev. + This allows to create one generic hardware definition for multiple SKUs. + ''; + }; + evdev = mkOption { + type = types.listOf types.str; + default = [ ]; + description = '' + List of event devices. + ''; + }; + }; + }; + + # Kernel configuration submodule + kernelConfig = types.submodule { + options = { + stage1 = { + kernelModules = mkOption { + description = "Hardware specific kernel modules"; + type = types.listOf types.str; + default = [ ]; + example = literalExpression '' + [ + "i915" + ] + ''; + }; + }; + stage2 = { + kernelModules = mkOption { + description = "Hardware specific kernel modules"; + type = types.listOf types.str; + default = [ ]; + example = literalExpression '' + [ + "i915" + ] + ''; + }; + }; + kernelParams = mkOption { + description = "Hardware specific kernel parameters"; + type = types.listOf types.str; + default = [ ]; + example = literalExpression '' + [ + "intel_iommu=on,sm_on" + "iommu=pt" + "module_blacklist=i915" + "acpi_backlight=vendor" + "acpi_osi=linux" + ] + ''; + }; + }; + }; + in + { + name = mkOption { + description = "Name of the hardware"; + type = types.str; + default = ""; + }; + + skus = mkOption { + description = "List of hardware SKUs (Stock Keeping Unit) covered with this definition"; + type = types.listOf types.str; + default = [ ]; + }; + + host = { + kernelConfig = mkOption { + description = "Host kernel configuration"; + type = kernelConfig; + default = { }; + }; + }; + + input = { 
+ keyboard = mkOption { + description = "Name of the keyboard device(s)"; + type = inputDevSubmodule; + default = { }; + }; + + mouse = mkOption { + description = "Name of the mouse device(s)"; + type = inputDevSubmodule; + default = { }; + }; + + touchpad = mkOption { + description = "Name of the touchpad device(s)"; + type = inputDevSubmodule; + default = { }; + }; + + misc = mkOption { + description = "Name of the misc device(s)"; + type = inputDevSubmodule; + default = { }; + }; + }; + + disks = mkOption { + description = "Disks to format and mount"; + type = types.attrsOf ( + types.submodule { + options.device = mkOption { + type = types.str; + description = '' + Path to the disk + ''; + }; + } + ); + default = { }; + example = literalExpression '' + { + disk1.device = "/dev/nvme0n1"; + } + ''; + }; + + network = { + # TODO? Should add NetVM enabler here? + # netvm.enable = mkEnableOption = "NetVM"; + + pciDevices = mkOption { + description = "PCI Devices to passthrough to NetVM"; + type = types.listOf pciDevSubmodule; + default = [ ]; + example = literalExpression '' + [{ + path = "0000:00:14.3"; + vendorId = "8086"; + productId = "51f1"; + }] + ''; + }; + kernelConfig = mkOption { + description = "Hardware specific kernel configuration for network devices"; + type = kernelConfig; + default = { }; + }; + }; + + gpu = { + # TODO? Should add GuiVM enabler here? 
+ # guivm.enable = mkEnableOption = "NetVM"; + + pciDevices = mkOption { + description = "PCI Devices to passthrough to GuiVM"; + type = types.listOf pciDevSubmodule; + default = [ ]; + example = literalExpression '' + [{ + path = "0000:00:02.0"; + vendorId = "8086"; + productId = "a7a1"; + }] + ''; + }; + kernelConfig = mkOption { + description = "Hardware specific kernel configuration for gpu devices"; + type = kernelConfig; + default = { }; + }; + }; + + audio = { + # With the current implementation, the whole PCI IOMMU group 14: + # 00:1f.x in the example from Lenovo X1 Carbon + # must be defined for passthrough to AudioVM + pciDevices = mkOption { + description = "PCI Devices to passthrough to AudioVM"; + type = types.listOf pciDevSubmodule; + default = [ ]; + example = literalExpression '' + [ + { + path = "0000:00:1f.0"; + vendorId = "8086"; + productId = "519d"; + } + { + path = "0000:00:1f.3"; + vendorId = "8086"; + productId = "51ca"; + } + { + path = "0000:00:1f.4"; + vendorId = "8086"; + productId = "51a3"; + } + { + path = "0000:00:1f.5"; + vendorId = "8086"; + productId = "51a4"; + } + ] + ''; + }; + kernelConfig = mkOption { + description = "Hardware specific kernel configuration for audio devices"; + type = kernelConfig; + default = { }; + }; + }; + + usb = { + internal = mkOption { + description = '' + Internal USB device(s) to passthrough. + + Each device definition requires a name, and either vendorId and productId, or hostbus and hostport. + The latter is useful for addressing devices that may have different vendor and product IDs in the + same hardware generation. + + Note that internal devices must follow the naming convention to be correctly identified + and subsequently used. 
Current special names are: + - 'cam0' for the internal cam0 device + - 'fpr0' for the internal fingerprint reader device + ''; + type = types.listOf usbDevSubmodule; + default = [ ]; + example = literalExpression '' + [ + { + name = "cam0"; + vendorId = "0123"; + productId = "0123"; + } + { + name = "fpr0"; + hostbus = "3"; + hostport = "3"; + } + ] + ''; + }; + external = mkOption { + description = "External USB device(s) to passthrough. Requires name, vendorId, and productId."; + type = types.listOf usbDevSubmodule; + default = [ ]; + example = literalExpression '' + [ + { + name = "external-device-1"; + vendorId = "0123"; + productId = "0123"; + } + { + name = "external-device-2"; + vendorId = "0123"; + productId = "0123"; + } + ] + ''; + }; + }; + }; +} diff --git a/modules/hardware/definitions/dell-latitude/dell-latitude-7230.nix b/modules/hardware/definitions/dell-latitude/dell-latitude-7230.nix new file mode 100644 index 000000000..e4ec45561 --- /dev/null +++ b/modules/hardware/definitions/dell-latitude/dell-latitude-7230.nix 
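Review bot: `vendorId`, `productId`, `hostbus` and `hostport` in `pciDevSubmodule` and `usbDevSubmodule` are plain `types.nullOr types.str`, yet the consumers in this commit splice them unchecked into `vfio-pci.ids=` kernel parameters, `usb-host,vendorid=0x…` QEMU arguments and udev `ATTR{idVendor}==` rules; `types.nullOr (types.strMatching "[0-9a-fA-F]{4}")` for the IDs and `types.nullOr (types.strMatching "[0-9]+")` for bus/port would turn a malformed definition into an evaluation error rather than a malformed boot parameter or udev rule. `inputDevSubmodule.name` is `types.listOf types.any` while its description promises "either a string, or a list of strings"; `types.listOf (types.either types.str (types.listOf types.str))` matches the description. The `hostport` description reads `USB device device number`; it should say port number. The commented enabler under `gpu` says `"NetVM"` where `"GuiVM"` was presumably meant.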
@@ -0,0 +1,172 @@ +# Copyright 2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + # System name + name = "Dell Latitude 7230 Rugged"; + + # List of system SKUs covered by this configuration + skus = [ "0BB7 Latitude 7230 Rugged Extreme Tablet" ]; + + # Host configuration + host = { + kernelConfig.kernelParams = [ + "intel_iommu=on,sm_on" + "iommu=pt" + "acpi_backlight=vendor" + "acpi_osi=linux" + "module_blacklist=i915,iwlwifi,snd_hda_intel,snd_sof_pci_intel_tgl" + ]; + }; + + # Input devices + input = { + keyboard = { + name = [ "AT Translated Set 2 keyboard" ]; + evdev = [ "/dev/keyboard0" ]; + }; + + mouse = { + name = [ + "PS/2 Generic Mouse" + "SYNAPTICS Synaptics HIDUSB TouchPad V1.05 Mouse" + ]; + evdev = [ + "/dev/mouse0" + "/dev/mouse1" + ]; + }; + + touchpad = { + name = [ + "SYNAPTICS Synaptics HIDUSB TouchPad V1.05 Touchpad" + "EETI8082:00 0EEF:C004" + "EETI8082:00 0EEF:C004 Stylus" + ]; + evdev = [ + "/dev/touchpad0" + "/dev/touchpad1" + "/dev/touchpad2" + ]; + }; + + misc = { + name = [ + # "Intel HID events" "Dell WMI hotkeys" "Video Bus" "HDA Intel PCH Headphone Mic" "HDA Intel PCH HDMI/DP,pcm=3" "HDA Intel PCH HDMI/DP,pcm=7" "HDA Intel PCH HDMI/DP,pcm=8" "HDA Intel PCH HDMI/DP,pcm=9" "Intel HID 5 button array" "Lid Switch" "Power Button" "Sleep Button" + ]; + evdev = [ + # /dev/input/by-path/platform-INTC1070:00-event /dev/input/by-path/platform-PNP0C14:02-event + ]; + }; + }; + + # Main disk device + disks = { + disk1.device = "/dev/nvme0n1"; + }; + + # Network devices for passthrough to netvm + network = { + pciDevices = [ + { + # Network controller: Intel Corporation Alder Lake-P PCH CNVi WiFi (rev 01) + name = "wlp0s5f0"; + path = "0000:00:14.3"; + vendorId = "8086"; + productId = "51f0"; + # Detected kernel driver: iwlwifi + # Detected kernel modules: iwlwifi + } + ]; + kernelConfig = { + stage1.kernelModules = [ ]; + stage2.kernelModules = [ "iwlwifi" ]; + kernelParams = [ ]; + }; + }; + + # GPU devices for 
passthrough to guivm + gpu = { + pciDevices = [ + { + # VGA compatible controller: Intel Corporation Alder Lake-UP4 GT2 [Iris Xe Graphics] (rev 0c) + name = "gpu0"; + path = "0000:00:02.0"; + vendorId = "8086"; + productId = "46aa"; + # Detected kernel driver: i915 + # Detected kernel modules: i915 + } + ]; + kernelConfig = { + stage1.kernelModules = [ "i915" ]; + stage2.kernelModules = [ ]; + kernelParams = [ "earlykms" ]; + }; + }; + + # Audio device for passthrough to audiovm + audio = { + pciDevices = [ + { + # ISA bridge: Intel Corporation Alder Lake LPC Controller (rev 01) + name = "snd0-0"; + path = "0000:00:1f.0"; + vendorId = "8086"; + productId = "5187"; + # Detected kernel driver: + # Detected kernel modules: + } + { + # Serial bus controller: Intel Corporation Alder Lake-P PCH SPI Controller (rev 01) + name = "snd0-1"; + path = "0000:00:1f.5"; + vendorId = "8086"; + productId = "51a4"; + # Detected kernel driver: intel-spi + # Detected kernel modules: spi_intel_pci + } + { + # Audio device: Intel Corporation Alder Lake Smart Sound Technology Audio Controller (rev 01) + name = "snd0-2"; + path = "0000:00:1f.3"; + vendorId = "8086"; + productId = "51cc"; + # Detected kernel driver: snd_hda_intel + # Detected kernel modules: snd_hda_intel,snd_sof_pci_intel_tgl + } + { + # SMBus: Intel Corporation Alder Lake PCH-P SMBus Host Controller (rev 01) + name = "snd0-3"; + path = "0000:00:1f.4"; + vendorId = "8086"; + productId = "51a3"; + # Detected kernel driver: i801_smbus + # Detected kernel modules: i2c_i801 + } + ]; + kernelConfig = { + stage1.kernelModules = [ ]; + stage2.kernelModules = [ + "i2c_i801" + "snd_hda_intel" + "snd_sof_pci_intel_tgl" + "spi_intel_pci" + ]; + kernelParams = [ ]; + }; + }; + + # USB devices for passthrough + usb = { + internal = [ + { + name = "gps0"; + hostbus = "3"; + hostport = "7"; + } + ]; + external = [ + # Add external USB devices here + ]; + }; +} 
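Review bot: `usb.internal` declares `gps0` by `hostbus`/`hostport`, but definition.nix documents only `cam0` and `fpr0` as recognised internal names and qemu.nix only consumes `qemuExtraArgs.fpr0`, so as far as this commit shows the device gets a host udev `GROUP="kvm"` rule and is otherwise unused; either add `gps0` to the documented special names and wire it to a VM, or leave it out until a consumer exists. The host `module_blacklist=` covers `i915,iwlwifi,snd_hda_intel,snd_sof_pci_intel_tgl` but not `spi_intel_pci` or `i2c_i801`, which the audio block itself lists as the drivers for `snd0-1` and `snd0-3`; if the `vfio-pci.ids=` binding from kernel.nix is what is relied on for those two, a comment saying so would stop the next reader from treating the list as incomplete.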
diff --git a/modules/hardware/definitions/dell-latitude/dell-latitude-7330.nix b/modules/hardware/definitions/dell-latitude/dell-latitude-7330.nix
new file mode 100644
index 000000000..fe294a679
--- /dev/null
+++ b/modules/hardware/definitions/dell-latitude/dell-latitude-7330.nix
@@ -0,0 +1,185 @@ +# Copyright 2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + # System name + name = "Dell Inc. Not Specified"; + + # List of system SKUs covered by this configuration + skus = [ "0A9E Latitude 7330 Rugged Extreme" ]; + + # Host configuration + host = { + kernelConfig.kernelParams = [ + "intel_iommu=on,sm_on" + "iommu=pt" + "acpi_backlight=vendor" + "acpi_osi=linux" + #"module_blacklist=e1000e,i2c_i801,i915,iwlwifi,snd_hda_intel,snd_sof_pci_intel_tgl,spi_intel_pci" + ]; + }; + + # Input devices + input = { + keyboard = { + name = [ + "AT Translated Set 2 keyboard" + "DELL0A9E:00 214A:0028 Keyboard" + ]; + evdev = [ + "/dev/keyboard0" + "/dev/keyboard1" + ]; + }; + + mouse = { + name = [ + "DELL0A9E:00 214A:0028 Mouse" + "PS/2 Generic Mouse" + ]; + evdev = [ + "/dev/mouse0" + "/dev/mouse1" + ]; + }; + + touchpad = { + name = [ "CUST0000:00 0EEF:C003" ]; + evdev = [ "/dev/touchpad0" ]; + }; + + misc = { + name = [ + # "Lid Switch" "Video Bus" "HDA Intel PCH Headphone Mic" "HDA Intel PCH HDMI/DP,pcm=3" "HDA Intel PCH HDMI/DP,pcm=7" "HDA Intel PCH HDMI/DP,pcm=8" "HDA Intel PCH HDMI/DP,pcm=9" "Power Button" "Sleep Button" "Intel HID events" "Intel HID 5 button array" "Dell WMI hotkeys" + ]; + evdev = [ + # /dev/input/by-path/platform-INTC1051:00-event /dev/input/by-path/platform-PNP0C14:02-event + ]; + }; + }; + + # Main disk device + disks = { + disk1.device = "/dev/nvme0n1"; + }; + + # Network devices for passthrough to netvm + network = { + #TODO Add the Ethernet device + pciDevices = [ + { + # Network controller: Intel Corporation Wi-Fi 6E(802.11ax) AX210/AX1675* 2x2 [Typhoon Peak] (rev 1a) + name = "wlp0s5f0"; + path = "0000:72:00.0"; + vendorId = "8086"; + productId = "2725"; + # Detected kernel driver: iwlwifi + # Detected kernel modules: iwlwifi + } + ]; + kernelConfig = { + # Kernel modules are indicative only, please investigate with lsmod/modinfo + stage1.kernelModules = [ ]; + stage2.kernelModules = [ 
"iwlwifi" ]; + kernelParams = [ ]; + }; + }; + + # GPU devices for passthrough to guivm + gpu = { + pciDevices = [ + { + # VGA compatible controller: Intel Corporation TigerLake-LP GT2 [Iris Xe Graphics] (rev 01) + name = "gpu0"; + path = "0000:00:02.0"; + vendorId = "8086"; + productId = "9a49"; + # Detected kernel driver: i915 + # Detected kernel modules: i915 + } + ]; + kernelConfig = { + # Kernel modules are indicative only, please investigate with lsmod/modinfo + stage1.kernelModules = [ "i915" ]; + stage2.kernelModules = [ ]; + kernelParams = [ "earlykms" ]; + }; + }; + + # Audio device for passthrough to audiovm + audio = { + #TODO: Fix splitting the Ethernet from the Audio iommu + pciDevices = [ + { + # ISA bridge: Intel Corporation Tiger Lake-LP LPC Controller (rev 20) + name = "snd0-0"; + path = "0000:00:1f.0"; + vendorId = "8086"; + productId = "a082"; + # Detected kernel driver: + # Detected kernel modules: + } + { + # Serial bus controller: Intel Corporation Tiger Lake-LP SPI Controller (rev 20) + name = "snd0-1"; + path = "0000:00:1f.5"; + vendorId = "8086"; + productId = "a0a4"; + # Detected kernel driver: intel-spi + # Detected kernel modules: spi_intel_pci + } + { + # Audio device: Intel Corporation Tiger Lake-LP Smart Sound Technology Audio Controller (rev 20) + name = "snd0-2"; + path = "0000:00:1f.3"; + vendorId = "8086"; + productId = "a0c8"; + # Detected kernel driver: snd_hda_intel + # Detected kernel modules: snd_hda_intel,snd_sof_pci_intel_tgl + } + { + # Ethernet controller: Intel Corporation Ethernet Connection (13) I219-LM (rev 20) + name = "snd0-3"; + path = "0000:00:1f.6"; + vendorId = "8086"; + productId = "15fb"; + # Detected kernel driver: e1000e + # Detected kernel modules: e1000e + } + { + # SMBus: Intel Corporation Tiger Lake-LP SMBus Controller (rev 20) + name = "snd0-4"; + path = "0000:00:1f.4"; + vendorId = "8086"; + productId = "a0a3"; + # Detected kernel driver: i801_smbus + # Detected kernel modules: i2c_i801 + } + ]; + 
kernelConfig = { + # Kernel modules are indicative only, please investigate with lsmod/modinfo + stage1.kernelModules = [ ]; + stage2.kernelModules = [ + "e1000e" + "i2c_i801" + "snd_hda_intel" + "snd_sof_pci_intel_tgl" + "spi_intel_pci" + ]; + kernelParams = [ ]; + }; + }; + + # USB devices for passthrough + usb = { + internal = [ + { + name = "cam0"; + hostbus = "3"; + hostport = "6"; + } + ]; + external = [ + # Add external USB devices here + ]; + }; +} diff --git a/modules/hardware/flake-module.nix b/modules/hardware/flake-module.nix new file mode 100644 index 000000000..5dd2742bf --- /dev/null +++ b/modules/hardware/flake-module.nix @@ -0,0 +1,18 @@ +# Copyright 2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ inputs, ... }: +{ + flake.nixosModules = { + laptop.imports = [ + ./definition.nix + ./x86_64-generic + ./laptop.nix + ./common + { nixpkgs.overlays = [ inputs.ghafpkgs.overlays.default ]; } + ]; + hw-x86_64-generic.imports = [ + ./definition.nix + ./x86_64-generic + ]; + }; +} diff --git a/modules/hardware/laptop.nix b/modules/hardware/laptop.nix new file mode 100644 index 000000000..bf538fe9a --- /dev/null +++ b/modules/hardware/laptop.nix 
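Review bot: The `audio.pciDevices` list in dell-latitude-7330.nix includes the I219-LM Ethernet controller (`0000:00:1f.6`, driver e1000e) as `snd0-3` and loads `e1000e` in the audio VM's stage-2 modules, so for as long as the `#TODO: Fix splitting the Ethernet from the Audio iommu` stands, the audio VM owns a physical NIC that is outside netvm's control; if the grouping cannot be split on this platform, the TODO should say that the audio VM must not configure that interface, and the `#TODO Add the Ethernet device` under `network` should cross-reference it so the two are not resolved independently. The same group hands the PCH SPI controller (`0000:00:1f.5`, driver intel-spi, the controller that on these Intel platforms fronts the SPI flash holding the system firmware) to the audio VM; a one-line comment on that entry noting that platform flash write-protection is relied upon would make the assumption visible — the preceding Dell definition in this diff and the x1-gen10/x1-gen11 definitions pass the same 00:1f.5 device. `name = "Dell Inc. Not Specified";` looks like an unpopulated DMI string rather than a system name; the SKU entry already names the Latitude 7330 Rugged Extreme.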
@@ -0,0 +1,71 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{ config, lib, ... }:
+let
+ inherit (builtins) toString typeOf;
+ inherit (lib)
+ mkOption
+ types
+ concatImapStrings
+ concatMapStringsSep
+ ;
+
+ cfg = config.ghaf.hardware.definition;
+ hwDefinition = import (./. + cfg.configFile);
+
+ # Helper function to create udev rules for input devices
+ generateUdevRules =
+ devlink: deviceList:
+ concatImapStrings (
+ i: d:
+ if (typeOf d) == "list" then
+ ''${
+ concatMapStringsSep "\n" (
+ sd:
+ ''SUBSYSTEM=="input", ATTRS{name}=="${sd}", KERNEL=="event*", GROUP="kvm", SYMLINK+="${devlink}${toString (i - 1)}"''
+ ) d
+ }''\n''
+ else
+ ''SUBSYSTEM=="input", ATTRS{name}=="${d}", KERNEL=="event*", GROUP="kvm", SYMLINK+="${devlink}${toString (i - 1)}"''\n''
+ ) deviceList;
+in
+{
+ imports = [ ./definition.nix ];
+
+ options.ghaf.hardware.definition.configFile = mkOption {
+ description = "Path to the hardware configuration file.";
+ type = types.str;
+ default = "";
+ };
+
+ config = {
+ # Hardware definition
+ ghaf.hardware.definition = {
+ inherit (hwDefinition) host;
+ inherit (hwDefinition) input;
+ inherit (hwDefinition) disks;
+ inherit (hwDefinition) network;
+ inherit (hwDefinition) gpu;
+ inherit (hwDefinition) audio;
+ inherit (hwDefinition) usb;
+ };
+
+ # Disk configuration
+ disko.devices.disk = hwDefinition.disks;
+
+ # Host udev rules for input devices
+ services.udev.extraRules = ''
+ # Keyboard
+ ${generateUdevRules "keyboard" hwDefinition.input.keyboard.name}
+ # Mouse
+ ${generateUdevRules "mouse" hwDefinition.input.mouse.name}
+ # Touchpad
+ ${generateUdevRules "touchpad" hwDefinition.input.touchpad.name}
+ # Misc
+ ${lib.strings.concatMapStringsSep "\n" (
+ d: ''SUBSYSTEM=="input", ATTRS{name}=="${d}", GROUP="kvm"''
+ ) hwDefinition.input.misc.name}
+ '';
+ };
+}
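Review bot: `hwDefinition = import (./. + cfg.configFile);` turns `configFile` into a path fragment appended to this module's directory rather than the file path the option description promises: a value without a leading `/` or an absolute path lands in the wrong place, and the default `""` imports the module directory itself (its default.nix, if one exists) with an unhelpful error. Either declare the option as `types.path` with no default and `import cfg.configFile` directly, or keep the string and document it, e.g. `description = "Hardware definition file, relative to modules/hardware (must start with '/').";`, plus an assertion that `cfg.configFile != ""` so an unset option fails with a clear message. The generated rules give every matched input event node `GROUP="kvm"`, which is what lets the VMs read raw keyboard and mouse events; a one-line comment above `generateUdevRules` stating that membership in `kvm` therefore grants access to all host input events would help later reviewers. The `# Misc` rule omits the `KERNEL=="event*"` match the other three use, so it also hits the non-node parent input device — harmless, but inconsistent.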
diff --git a/modules/hardware/lenovo-x1/definitions/x1-gen10.nix b/modules/hardware/lenovo-x1/definitions/x1-gen10.nix new file mode 100644 index 000000000..82f3139c7 --- /dev/null +++ b/modules/hardware/lenovo-x1/definitions/x1-gen10.nix 
@@ -0,0 +1,150 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + # System name + name = "Lenovo X1 Carbon Gen 10"; + + # List of system SKUs covered by this configuration + skus = [ + # TODO Add SKUs + ]; + + host = { + kernelConfig.kernelParams = [ + "intel_iommu=on,sm_on" + "iommu=pt" + "module_blacklist=i915" # Prevent i915 module from being accidentally used by host + "acpi_backlight=vendor" + "acpi_osi=linux" + ]; + }; + + input = { + keyboard = { + name = [ "AT Translated Set 2 keyboard" ]; + evdev = [ "/dev/input/by-path/platform-i8042-serio-0-event-kbd" ]; + }; + + mouse = { + name = [ + [ + "ELAN067B:00 04F3:31F8 Mouse" + "SYNA8016:00 06CB:CEB3 Mouse" + ] + "TPPS/2 Elan TrackPoint" + ]; + evdev = [ + "/dev/mouse0" + "/dev/mouse1" + ]; + }; + + touchpad = { + name = [ + [ + "ELAN067B:00 04F3:31F8 Touchpad" + "SYNA8016:00 06CB:CEB3 Touchpad" + ] + ]; + evdev = [ "/dev/touchpad0" ]; + }; + + misc = { + name = [ "ThinkPad Extra Buttons" ]; + evdev = [ "/dev/input/by-path/platform-thinkpad_acpi-event" ]; + }; + }; + + disks = { + disk1.device = "/dev/nvme0n1"; + }; + + network.pciDevices = [ + { + # Passthrough Intel WiFi card + path = "0000:00:14.3"; + vendorId = "8086"; + productId = "51f0"; + name = "wlp0s5f0"; + } + ]; + + gpu = { + pciDevices = [ + { + # Passthrough Intel Iris GPU + path = "0000:00:02.0"; + vendorId = "8086"; + productId = "46a6"; + } + ]; + kernelConfig = { + stage1.kernelModules = [ "i915" ]; + kernelParams = [ "earlykms" ]; + }; + }; + + # With the current implementation, the whole PCI IOMMU group 13: + # 00:1f.x in the Lenovo X1 Carbon 10 gen + # must be defined for passthrough to AudioVM + audio = { + pciDevices = [ + { + # ISA bridge: Intel Corporation Alder Lake PCH eSPI Controller(rev 01) + path = "0000:00:1f.0"; + vendorId = "8086"; + productId = "5182"; + } + { + # Audio device: Intel Corporation Alder Lake PCH-P High Definition Audio Controller (rev 01) + path = 
"0000:00:1f.3"; + vendorId = "8086"; + productId = "51c8"; + } + { + # SMBus: Intel Corporation Alder Lake PCH-P SMBus Host Controller (rev 01) + path = "0000:00:1f.4"; + vendorId = "8086"; + productId = "51a3"; + } + { + # Serial bus controller: Intel Corporation Alder Lake-P PCH SPI Controller (rev 01) + path = "0000:00:1f.5"; + vendorId = "8086"; + productId = "51a4"; + } + ]; + kernelConfig.kernelParams = [ + "snd_intel_dspcfg.dsp_driver=3" + "snd_sof_intel_hda_common.dmic_num=4" + ]; + }; + + usb = { + internal = [ + { + name = "cam0"; + hostbus = "3"; + hostport = "8"; + } + { + name = "fpr0"; + hostbus = "3"; + hostport = "6"; + } + ]; + external = [ + { + name = "gps0"; + vendorId = "067b"; + productId = "23a3"; + } + { + name = "yubikey"; + vendorId = "1050"; + productId = "0407"; + } + ]; + }; +} diff --git a/modules/hardware/lenovo-x1/definitions/x1-gen11.nix b/modules/hardware/lenovo-x1/definitions/x1-gen11.nix new file mode 100644 index 000000000..ea9e01323 --- /dev/null +++ b/modules/hardware/lenovo-x1/definitions/x1-gen11.nix 
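Review bot: The `gpu` and `audio` `pciDevices` entries in x1-gen10.nix have no `name` field while the `network` entry and every entry in the Dell definitions do, and `audio.kernelConfig` declares only `kernelParams` where the Dell files also give `stage1`/`stage2.kernelModules`; whether that evaluates depends on the defaults declared in `definition.nix`, which is not in this diff, so either those option declarations should carry defaults or these entries should be completed in the same shape as the others. `skus = [ # TODO Add SKUs ];` is empty, so if the SKU list is what selects a definition at build time this file can never be picked; the TODO should say how the file is meant to be selected meanwhile. x1-gen11.nix has the same missing `name` fields and module lists (its SKU list is populated).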
@@ -0,0 +1,153 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + # System name + name = "Lenovo X1 Carbon Gen 11"; + + # List of system SKUs covered by this configuration + skus = [ + "LENOVO_MT_21HM_BU_Think_FM_ThinkPad X1 Carbon Gen 11 21HM006EGR" + # TODO Add more SKUs + ]; + + host = { + kernelConfig.kernelParams = [ + "intel_iommu=on,sm_on" + "iommu=pt" + "module_blacklist=i915" # Prevent i915 module from being accidentally used by host + "acpi_backlight=vendor" + "acpi_osi=linux" + ]; + }; + + input = { + keyboard = { + name = [ "AT Translated Set 2 keyboard" ]; + evdev = [ "/dev/input/by-path/platform-i8042-serio-0-event-kbd" ]; + }; + + mouse = { + name = [ + [ + "ELAN067C:00 04F3:31F9 Mouse" + "SYNA8016:00 06CB:CEB3 Mouse" + "ELAN067B:00 04F3:31F8 Mouse" + ] + "TPPS/2 Elan TrackPoint" + ]; + evdev = [ + "/dev/mouse0" + "/dev/mouse1" + ]; + }; + + touchpad = { + name = [ + [ + "ELAN067C:00 04F3:31F9 Touchpad" + "SYNA8016:00 06CB:CEB3 Touchpad" + "ELAN067B:00 04F3:31F8 Touchpad" + ] + ]; + evdev = [ "/dev/touchpad0" ]; + }; + + misc = { + name = [ "ThinkPad Extra Buttons" ]; + evdev = [ "/dev/input/by-path/platform-thinkpad_acpi-event" ]; + }; + }; + + disks = { + disk1.device = "/dev/nvme0n1"; + }; + + network.pciDevices = [ + { + # Passthrough Intel WiFi card + path = "0000:00:14.3"; + vendorId = "8086"; + productId = "51f1"; + name = "wlp0s5f0"; + } + ]; + + gpu = { + pciDevices = [ + { + # Passthrough Intel Iris GPU + path = "0000:00:02.0"; + vendorId = "8086"; + productId = "a7a1"; + } + ]; + kernelConfig = { + stage1.kernelModules = [ "i915" ]; + kernelParams = [ "earlykms" ]; + }; + }; + + # With the current implementation, the whole PCI IOMMU group 14: + # 00:1f.x in the example from Lenovo X1 Carbon + # must be defined for passthrough to AudioVM + audio = { + pciDevices = [ + { + # ISA bridge: Intel Corporation Raptor Lake LPC/eSPI Controller (rev 01) + path = "0000:00:1f.0"; + vendorId = 
"8086"; + productId = "519d"; + } + { + # Audio device: Intel Corporation Raptor Lake-P/U/H cAVS (rev 01) + path = "0000:00:1f.3"; + vendorId = "8086"; + productId = "51ca"; + } + { + # SMBus: Intel Corporation Alder Lake PCH-P SMBus Host Controller (rev 01) + path = "0000:00:1f.4"; + vendorId = "8086"; + productId = "51a3"; + } + { + # Serial bus controller: Intel Corporation Alder Lake-P PCH SPI Controller (rev 01) + path = "0000:00:1f.5"; + vendorId = "8086"; + productId = "51a4"; + } + ]; + kernelConfig.kernelParams = [ + "snd_intel_dspcfg.dsp_driver=3" + "snd_sof_intel_hda_common.dmic_num=4" + ]; + }; + + usb = { + internal = [ + { + name = "cam0"; + hostbus = "3"; + hostport = "8"; + } + { + name = "fpr0"; + hostbus = "3"; + hostport = "6"; + } + ]; + external = [ + { + name = "gps0"; + vendorId = "067b"; + productId = "23a3"; + } + { + name = "yubikey"; + vendorId = "1050"; + productId = "0407"; + } + ]; + }; +} diff --git a/modules/hardware/lenovo-x1/kernel/guest/test/default.nix b/modules/hardware/lenovo-x1/kernel/guest/test/default.nix new file mode 100644 index 000000000..5e747d15b --- /dev/null +++ b/modules/hardware/lenovo-x1/kernel/guest/test/default.nix @@ -0,0 +1,7 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ pkgs, ... }: +let + config = pkgs.nixos [ ./test-configuration.nix ]; +in +config.config.system.build.toplevel diff --git a/modules/hardware/lenovo-x1/kernel/guest/test/test-configuration.nix b/modules/hardware/lenovo-x1/kernel/guest/test/test-configuration.nix new file mode 100644 index 000000000..b91f68595 --- /dev/null +++ b/modules/hardware/lenovo-x1/kernel/guest/test/test-configuration.nix 
@@ -0,0 +1,40 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ lib, ... }: +{ + imports = [ + ../../../../x86_64-generic/kernel/host/default.nix + ../../../../x86_64-generic/kernel/guest/default.nix + ]; + + config = { + # baseline, virtualization and network hardening are + # generic to all x86_64 devices + ghaf = { + host.kernel.hardening = { + enable = true; + virtualization.enable = true; + networking.enable = true; + inputdevices.enable = true; + # usb/debug hardening is host optional but required for -debug builds + usb.enable = true; + debug.enable = true; + }; + # guest VM kernel specific options + guest.kernel.hardening = { + enable = true; + graphics.enable = true; + }; + }; + + # required to module test a module via top level configuration + boot.loader.systemd-boot.enable = true; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/00000000-0000-0000-0000-000000000000"; + fsType = "ext4"; + }; + + system.stateVersion = lib.trivial.release; + }; +} diff --git a/modules/common/hardware/x86_64-generic/default.nix b/modules/hardware/x86_64-generic/default.nix similarity index 81% rename from modules/common/hardware/x86_64-generic/default.nix rename to modules/hardware/x86_64-generic/default.nix index 6ce0c0f5a..c09c4496b 100644 --- a/modules/common/hardware/x86_64-generic/default.nix +++ b/modules/hardware/x86_64-generic/default.nix @@ -6,5 +6,7 @@ ./kernel/hardening.nix ./kernel/host ./kernel/host/pkvm + ./x86_64-linux.nix + ./modules/tpm2.nix ]; } diff --git a/modules/common/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86 b/modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86 similarity index 100% rename from modules/common/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86 rename to modules/hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86 
diff --git a/modules/common/hardware/x86_64-generic/kernel/guest/configs/display-gpu.config b/modules/hardware/x86_64-generic/kernel/guest/configs/display-gpu.config similarity index 100% rename from modules/common/hardware/x86_64-generic/kernel/guest/configs/display-gpu.config rename to modules/hardware/x86_64-generic/kernel/guest/configs/display-gpu.config diff --git a/modules/common/hardware/x86_64-generic/kernel/guest/configs/guest.config b/modules/hardware/x86_64-generic/kernel/guest/configs/guest.config similarity index 100% rename from modules/common/hardware/x86_64-generic/kernel/guest/configs/guest.config rename to modules/hardware/x86_64-generic/kernel/guest/configs/guest.config diff --git a/modules/hardware/x86_64-generic/kernel/guest/default.nix b/modules/hardware/x86_64-generic/kernel/guest/default.nix new file mode 100644 index 000000000..9d46dfde3 --- /dev/null +++ b/modules/hardware/x86_64-generic/kernel/guest/default.nix @@ -0,0 +1,18 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ lib, ... }: +{ + options.ghaf.guest.kernel.hardening = { + enable = lib.mkOption { + description = "Enable Ghaf Guest hardening feature"; + type = lib.types.bool; + default = false; + }; + + graphics.enable = lib.mkOption { + description = "Enable support for Graphics in the Ghaf Guest"; + type = lib.types.bool; + default = false; + }; + }; +} diff --git a/modules/hardware/x86_64-generic/kernel/hardening.nix b/modules/hardware/x86_64-generic/kernel/hardening.nix new file mode 100644 index 000000000..f15623a00 --- /dev/null +++ b/modules/hardware/x86_64-generic/kernel/hardening.nix 
@@ -0,0 +1,37 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{ ... }:
+{
+ imports = [
+ ./host
+ ./guest
+ ./host/pkvm
+ # other host hardening modules - to be defined later
+ ];
+
+ config = {
+ # host kernel hardening
+ ghaf = {
+ host = {
+ kernel.hardening = {
+ enable = false;
+ virtualization.enable = false;
+ networking.enable = false;
+ usb.enable = false;
+ inputdevices.enable = false;
+ debug.enable = false;
+ # host kernel hypervisor (KVM) hardening
+ hypervisor.enable = false;
+ };
+ };
+ # guest kernel hardening
+ guest = {
+ kernel.hardening = {
+ enable = false;
+ graphics.enable = false;
+ };
+ };
+ # other host hardening options - user space, etc. - to be defined later
+ };
+ };
+}
diff --git a/modules/common/hardware/x86_64-generic/kernel/host/configs/debug.config b/modules/hardware/x86_64-generic/kernel/host/configs/debug.config
similarity index 100%
rename from modules/common/hardware/x86_64-generic/kernel/host/configs/debug.config
rename to modules/hardware/x86_64-generic/kernel/host/configs/debug.config
diff --git a/modules/common/hardware/x86_64-generic/kernel/host/configs/networking.config b/modules/hardware/x86_64-generic/kernel/host/configs/networking.config
similarity index 100%
rename from modules/common/hardware/x86_64-generic/kernel/host/configs/networking.config
rename to modules/hardware/x86_64-generic/kernel/host/configs/networking.config
diff --git a/modules/common/hardware/x86_64-generic/kernel/host/configs/usb.config b/modules/hardware/x86_64-generic/kernel/host/configs/usb.config
similarity index 100%
rename from modules/common/hardware/x86_64-generic/kernel/host/configs/usb.config
rename to modules/hardware/x86_64-generic/kernel/host/configs/usb.config
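Review bot: The `config` block in hardening.nix assigns a plain `false` to every `ghaf.host.kernel.hardening.*` and `ghaf.guest.kernel.hardening.*` option; those options already default to `false` where they are declared (host/default.nix, guest/default.nix, pkvm/default.nix), so the assignments add nothing, and because they carry normal priority any other module that sets one of them to `true` — a hardened profile, or the test configurations in this commit if they are ever combined with this file — will fail with a conflicting-definitions error unless it uses `lib.mkForce`. Either drop the block and keep only the imports, or take `lib` in the module arguments (`{ lib, ... }:`) and wrap each value as `lib.mkDefault false` so the file documents the baseline without pinning it.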
diff --git a/modules/common/hardware/x86_64-generic/kernel/host/configs/user-input-devices.config b/modules/hardware/x86_64-generic/kernel/host/configs/user-input-devices.config similarity index 100% rename from modules/common/hardware/x86_64-generic/kernel/host/configs/user-input-devices.config rename to modules/hardware/x86_64-generic/kernel/host/configs/user-input-devices.config diff --git a/modules/common/hardware/x86_64-generic/kernel/host/configs/virtualization.config b/modules/hardware/x86_64-generic/kernel/host/configs/virtualization.config similarity index 100% rename from modules/common/hardware/x86_64-generic/kernel/host/configs/virtualization.config rename to modules/hardware/x86_64-generic/kernel/host/configs/virtualization.config diff --git a/modules/common/hardware/x86_64-generic/kernel/host/default.nix b/modules/hardware/x86_64-generic/kernel/host/default.nix similarity index 54% rename from modules/common/hardware/x86_64-generic/kernel/host/default.nix rename to modules/hardware/x86_64-generic/kernel/host/default.nix index 1a2cc2cb9..ba3fd004c 100644 --- a/modules/common/hardware/x86_64-generic/kernel/host/default.nix +++ b/modules/hardware/x86_64-generic/kernel/host/default.nix 
@@ -5,62 +5,64 @@ lib, pkgs, ... -}: let +}: +let + inherit (lib) types mkOption mkIf; + # Importing kernel builder function from packages and checking hardening options - buildKernel = import ../../../../../../packages/kernel {inherit config pkgs lib;}; + buildKernel = import ../../../../../packages/kernel { inherit config pkgs lib; }; config_baseline = ../configs/ghaf_host_hardened_baseline-x86; host_hardened_kernel = buildKernel { inherit config_baseline; host_build = true; }; - enable_kernel_hardening = config.ghaf.host.kernel.hardening.enable; + cfg = config.ghaf.host.kernel.hardening; in - with lib; { - options.ghaf.host.kernel.hardening.enable = mkOption { +{ + options.ghaf.host.kernel.hardening = { + enable = mkOption { description = "Enable Ghaf Host hardening feature"; type = types.bool; default = false; }; - options.ghaf.host.kernel.hardening.virtualization.enable = mkOption { + virtualization.enable = mkOption { description = "Enable support for virtualization in the Ghaf Host"; type = types.bool; default = false; }; - options.ghaf.host.kernel.hardening.networking.enable = mkOption { + networking.enable = mkOption { description = "Enable support for networking in the Ghaf Host"; type = types.bool; default = false; }; - options.ghaf.host.kernel.hardening.usb.enable = mkOption { + usb.enable = mkOption { description = "Enable support for USB in the Ghaf Host"; type = types.bool; default = false; }; - options.ghaf.host.kernel.hardening.inputdevices.enable = mkOption { + inputdevices.enable = mkOption { description = "Enable support for input devices in the Ghaf Host"; type = types.bool; default = false; }; - options.ghaf.host.kernel.hardening.debug.enable = mkOption { + debug.enable = mkOption { description = "Enable support for debug features in the Ghaf Host"; type = types.bool; default = false; }; + }; - config = mkIf enable_kernel_hardening { - boot.kernelPackages = pkgs.linuxPackagesFor host_hardened_kernel; - # 
https://github.com/NixOS/nixpkgs/issues/109280#issuecomment-973636212 - nixpkgs.overlays = [ - (_final: prev: { - makeModulesClosure = x: - prev.makeModulesClosure (x // {allowMissing = true;}); - }) - ]; - }; - } + config = mkIf cfg.enable { + boot.kernelPackages = pkgs.linuxPackagesFor host_hardened_kernel; + # https://github.com/NixOS/nixpkgs/issues/109280#issuecomment-973636212 + nixpkgs.overlays = [ + (_final: prev: { makeModulesClosure = x: prev.makeModulesClosure (x // { allowMissing = true; }); }) + ]; + }; +} diff --git a/modules/common/hardware/x86_64-generic/kernel/host/pkvm/default.nix b/modules/hardware/x86_64-generic/kernel/host/pkvm/default.nix similarity index 64% rename from modules/common/hardware/x86_64-generic/kernel/host/pkvm/default.nix rename to modules/hardware/x86_64-generic/kernel/host/pkvm/default.nix index f47651f59..9ccf91bc5 100644 --- a/modules/common/hardware/x86_64-generic/kernel/host/pkvm/default.nix +++ b/modules/hardware/x86_64-generic/kernel/host/pkvm/default.nix @@ -5,7 +5,8 @@ lib, pkgs, ... -}: let +}: +let pkvmKernel = pkgs.linux_6_1.override { argsOverride = rec { src = pkgs.fetchurl { @@ -20,7 +21,7 @@ pkvm_patch = [ { name = "pkvm-patch"; - patch = ../../../../../virtualization/pkvm/0001-pkvm-enable-pkvm-on-intel-x86-6.1-lts.patch; + patch = ../../../../../common/virtualization/pkvm/0001-pkvm-enable-pkvm-on-intel-x86-6.1-lts.patch; structuredExtraConfig = with lib.kernel; { KVM_INTEL = yes; KSM = no; 
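Review bot: `boot.kernelPackages = pkgs.linuxPackagesFor host_hardened_kernel;` in the new `config = mkIf cfg.enable` block is one of three equal-priority definitions of `boot.kernelPackages` in this commit — pkvm/default.nix sets the pKVM kernel under `hypervisor.enable` and x86_64-linux.nix sets the ZFS-compatible kernel under `ghaf.hardware.x86_64.common.enable` — and x86_64-generic/default.nix imports all three modules together, so as far as I can tell enabling the hardened kernel on a common x86_64 host produces a "defined multiple times" error rather than the hardened kernel (`boot.kernelPackages` does not merge). Making the generic one `lib.mkDefault` and adding an assertion here, `{ assertion = !(cfg.enable && cfg.hypervisor.enable); message = "hardened and pKVM host kernels are mutually exclusive"; }`, would make the precedence explicit. The retained `makeModulesClosure` override with `allowMissing = true` silently omits any module the hardened config does not build instead of failing the build, which matters now that x86_64-linux.nix requests `nvme`/`uas` in the initrd; a comment above it such as `# allowMissing: modules absent from the hardened config (e.g. initrd.availableKernelModules) are dropped silently — verify the initrd still boots` would record that trade-off. The enclosing `let` starts outside the hunk.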
@@ -35,14 +36,14 @@ hyp_cfg = config.ghaf.host.kernel.hardening.hypervisor; in - with lib; { - options.ghaf.host.kernel.hardening.hypervisor.enable = mkOption { - description = "Enable Hypervisor hardening feature"; - type = types.bool; - default = false; - }; - config = mkIf hyp_cfg.enable { - boot.kernelPackages = pkgs.linuxPackagesFor pkvmKernel; - boot.kernelPatches = pkvm_patch; - }; - } +{ + options.ghaf.host.kernel.hardening.hypervisor.enable = lib.mkOption { + description = "Enable Hypervisor hardening feature"; + type = lib.types.bool; + default = false; + }; + config = lib.mkIf hyp_cfg.enable { + boot.kernelPackages = pkgs.linuxPackagesFor pkvmKernel; + boot.kernelPatches = pkvm_patch; + }; +} diff --git a/modules/hardware/x86_64-generic/kernel/host/pkvm/test/default.nix b/modules/hardware/x86_64-generic/kernel/host/pkvm/test/default.nix new file mode 100644 index 000000000..5e747d15b --- /dev/null +++ b/modules/hardware/x86_64-generic/kernel/host/pkvm/test/default.nix @@ -0,0 +1,7 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ pkgs, ... }: +let + config = pkgs.nixos [ ./test-configuration.nix ]; +in +config.config.system.build.toplevel diff --git a/modules/hardware/x86_64-generic/kernel/host/pkvm/test/test-configuration.nix b/modules/hardware/x86_64-generic/kernel/host/pkvm/test/test-configuration.nix new file mode 100644 index 000000000..fbc6d75f4 --- /dev/null +++ b/modules/hardware/x86_64-generic/kernel/host/pkvm/test/test-configuration.nix 
@@ -0,0 +1,19 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{ lib, ... }:
+{
+ imports = [ ../default.nix ];
+
+ # pkvm hardening is generic to all x86_64 devices
+ config = {
+ ghaf.host.kernel.hardening.hypervisor.enable = true;
+
+ # required to module test a module via top level configuration
+ boot.loader.systemd-boot.enable = true;
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/00000000-0000-0000-0000-000000000000";
+ fsType = "ext4";
+ };
+ system.stateVersion = lib.trivial.release;
+ };
+}
diff --git a/modules/hardware/x86_64-generic/kernel/host/test/default.nix b/modules/hardware/x86_64-generic/kernel/host/test/default.nix
new file mode 100644
index 000000000..5e747d15b
--- /dev/null
+++ b/modules/hardware/x86_64-generic/kernel/host/test/default.nix
@@ -0,0 +1,7 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{ pkgs, ... }:
+let
+ config = pkgs.nixos [ ./test-configuration.nix ];
+in
+config.config.system.build.toplevel
diff --git a/modules/hardware/x86_64-generic/kernel/host/test/test-configuration.nix b/modules/hardware/x86_64-generic/kernel/host/test/test-configuration.nix
new file mode 100644
index 000000000..ff8005f0e
--- /dev/null
+++ b/modules/hardware/x86_64-generic/kernel/host/test/test-configuration.nix
@@ -0,0 +1,31 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{ lib, ... }:
+{
+ imports = [
+ ../default.nix
+ # import guest also to bring the defaults (false) to scope
+ ../../guest/default.nix
+ ];
+
+ # baseline, virtualization and network hardening are
+ # generic to all x86_64 devices
+ config = {
+ ghaf.host.kernel.hardening = {
+ enable = true;
+ virtualization.enable = true;
+ networking.enable = true;
+ inputdevices.enable = true;
+ # usb/debug hardening is host optional but required for -debug builds
+ usb.enable = true;
+ debug.enable = true;
+ };
+ # required to module test a module via top level configuration
+ boot.loader.systemd-boot.enable = true;
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/00000000-0000-0000-0000-000000000000";
+ fsType = "ext4";
+ };
+ system.stateVersion = lib.trivial.release;
+ };
+}
diff --git a/modules/hardware/x86_64-generic/modules/tpm2.nix b/modules/hardware/x86_64-generic/modules/tpm2.nix
new file mode 100644
index 000000000..4b6368a62
--- /dev/null
+++ b/modules/hardware/x86_64-generic/modules/tpm2.nix
@@ -0,0 +1,36 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.ghaf.hardware.tpm2;
+in
+{
+ options.ghaf.hardware.tpm2 = {
+ enable = lib.mkEnableOption "TPM2 PKCS#11 interface";
+ };
+
+ config = lib.mkIf cfg.enable {
+ security.tpm2 = {
+ enable = true;
+ pkcs11.enable = true;
+ abrmd.enable = true;
+ };
+
+ environment.systemPackages = lib.mkIf config.ghaf.profiles.debug.enable [
+ pkgs.opensc
+ pkgs.tpm2-tools
+ ];
+
+ assertions = [
+ {
+ assertion = pkgs.stdenv.isx86_64;
+ message = "TPM2 is only supported on x86_64";
+ }
+ ];
+ };
+}
diff --git a/modules/hardware/x86_64-generic/x86_64-linux.nix b/modules/hardware/x86_64-generic/x86_64-linux.nix
new file mode 100644
index 000000000..8b80b3739
--- /dev/null
+++ b/modules/hardware/x86_64-generic/x86_64-linux.nix
@@ -0,0 +1,44 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{ config, lib, ... }:
+let
+ cfg = config.ghaf.hardware.x86_64.common;
+in
+{
+ options.ghaf.hardware.x86_64.common = {
+ enable = lib.mkEnableOption "Common x86 configs";
+ };
+
+ config = lib.mkIf cfg.enable {
+ nixpkgs.hostPlatform.system = "x86_64-linux";
+
+ # Increase the support for different devices by allowing the use
+ # of proprietary drivers from the respective vendors
+ nixpkgs.config.allowUnfree = true;
+
+ # Add this for x86_64 hosts to be able to more generically support hardware.
+ # For example Intel NUC 11's graphics card needs this in order to be able to
+ # properly provide acceleration.
+ hardware.enableRedistributableFirmware = true;
+ hardware.enableAllFirmware = true;
+
+ boot = {
+ # Enable normal Linux console on the display
+ kernelParams = [ "console=tty0" ];
+
+ # To enable installation of ghaf into NVMe drives
+ initrd.availableKernelModules = [
+ "nvme"
+ "uas"
+ ];
+ loader = {
+ efi.canTouchEfiVariables = true;
+ systemd-boot.enable = true;
+ };
+ # ZFS-compatible kernel is used for every applicable target since for certain
+ # targets ZFS support is required, and having the same kernel version for
+ # different targets simplifies and hardens the resulting configuration.
+ kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+ };
+ };
+}
diff --git a/modules/host/default.nix b/modules/host/default.nix
index 802a37a08..5d2413b27 100644
--- a/modules/host/default.nix
+++ b/modules/host/default.nix
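Review bot: `hardware.enableRedistributableFirmware = true;` immediately followed by `hardware.enableAllFirmware = true;` is redundant and the comment above them argues only for the redistributable set: as I understand the nixpkgs module, enableAllFirmware implies the redistributable firmware and additionally pulls in the non-redistributable packages (which is the reason `allowUnfree` is required), so either keep only the redistributable line or reword the comment to say that non-redistributable vendor firmware is wanted too. `kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;` relies on an attribute that I believe is deprecated in nixpkgs 24.05 and newer, so depending on the flake pin this will warn or stop evaluating; a comment noting the intended replacement kernel selection would help whoever hits that. The comment block above it says the shared ZFS kernel "hardens the resulting configuration" — it unifies versions, but it does not harden anything by itself, so "simplifies and keeps the resulting configurations consistent" would be the accurate wording.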
@@ -3,13 +3,16 @@ # # Modules that should be only imported to host # -{lib, ...}: { +{ lib, ... }: +{ networking.hostName = lib.mkDefault "ghaf-host"; # Overlays should be only defined for host, because microvm.nix uses the # pkgs that already has overlays in place. Otherwise the overlay will be # applied twice. - nixpkgs.overlays = [ - (import ../../overlays/custom-packages) + nixpkgs.overlays = [ (import ../../overlays/custom-packages) ]; + imports = [ + # To push logs to central location + ../common/logging/client.nix ]; } diff --git a/modules/imx8/default.nix b/modules/imx8/default.nix new file mode 100644 index 000000000..bfa01f956 --- /dev/null +++ b/modules/imx8/default.nix @@ -0,0 +1,6 @@ +# Copyright 2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +# Support for Microchip Polarfire Icicle-Kit +# +{ imports = [ ./imx8mp-sdimage.nix ]; } diff --git a/modules/imx8/imx8mp-sdimage.nix b/modules/imx8/imx8mp-sdimage.nix new file mode 100644 index 000000000..c1977c446 --- /dev/null +++ b/modules/imx8/imx8mp-sdimage.nix 
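Review bot: The new `imports = [ ../common/logging/client.nix ]` pulls the log-forwarding client into every host build unconditionally, and the comment `# To push logs to central location` does not say whether client.nix gates itself behind an option or where and over what transport the logs go; if it is not gated, every host starts shipping logs off-box as a side effect of this refactor. A comment naming the gate, e.g. `# Log forwarding client; no-op unless <its enable option> is set`, or placing the import behind that option, would make this explicit — client.nix is not in this diff, so it may already be gated. Note also that `imports` is now declared after the `nixpkgs.overlays` attribute it sits next to; moving it to the top of the attribute set is the usual convention and makes the module's dependencies visible at a glance.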
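Review bot: The header comment in modules/imx8/default.nix reads `# Support for Microchip Polarfire Icicle-Kit`, but the module lives under imx8 and imports `./imx8mp-sdimage.nix`; the comment appears to have been copied from another board module and should describe this one, e.g. `# Support for i.MX8MP boards (SD card image)`.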
@@ -0,0 +1,55 @@
+# SPDX-FileCopyrightText: 2023-2024 TII (SSRC) and the Ghaf contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+{
+ config,
+ pkgs,
+ modulesPath,
+ ...
+}:
+{
+ imports = [ (modulesPath + "/installer/sd-card/sd-image.nix") ];
+
+ disabledModules = [ (modulesPath + "/profiles/all-hardware.nix") ];
+ sdImage = {
+ compressImage = false;
+
+ populateFirmwareCommands = ''
+ cp ${pkgs.imx8m-boot}/image/flash.bin firmware/
+ '';
+
+ populateRootCommands = ''
+ mkdir -p ./files/boot
+ ${config.boot.loader.generic-extlinux-compatible.populateCmd} -c ${config.system.build.toplevel} -d ./files/boot
+ '';
+
+ postBuildCommands = ''
+ sdimage="$out/nixos.img"
+ fwoffset=64
+ blocksize=512
+ fwsize=20400
+ rootoffset=20800
+
+ sfdisk --list $img | grep Linux
+ rootstart=$(sfdisk --list $img | grep Linux | awk '{print $3}')
+ rootsize=$(sfdisk --list $img | grep Linux | awk '{print $5}')
+ imagesize=$(((rootoffset + rootsize)*blocksize))
+ touch $sdimage
+ truncate -s $imagesize $sdimage
+ echo -e "
+ label: dos
+ label-id: 0x2178694e
+ unit: sectors
+ sector-size: 512
+
+ start=$fwoffset, size=$fwsize, type=60
+ start=$rootoffset, size=$rootsize, type=83, bootable" > "$out/partition.txt"
+ sfdisk -d $img
+ sfdisk $sdimage < "$out/partition.txt"
+ dd conv=notrunc if=${pkgs.imx8m-boot}/image/flash.bin of=$sdimage seek=$fwoffset
+ dd conv=notrunc if=$img of=$sdimage seek=$rootoffset skip=$rootstart count=$rootsize
+ sfdisk --list $sdimage
+ rm -rf $out/sd-image
+ '';
+ };
+}
diff --git a/modules/jetpack-microvm/agx-gpiovm-passthrough.nix b/modules/jetpack-microvm/agx-gpiovm-passthrough.nix
index 33a409c88..94e795d8b 100644
--- a/modules/jetpack-microvm/agx-gpiovm-passthrough.nix
+++ b/modules/jetpack-microvm/agx-gpiovm-passthrough.nix
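Review bot: `postBuildCommands` takes `rootstart` and `rootsize` from `awk '{print $3}'` and `'{print $5}'` over `sfdisk --list $img | grep Linux`, which only lines up when the matched row carries the boot `*` column (the Boot column shifts every field by one) and when exactly one row matches "Linux"; presumably the sd-image root partition is marked bootable today, but parsing `sfdisk -d $img` — already invoked a few lines later with its output discarded — for the partition's `start=`/`size=` values would not depend on either. `$img`, `$sdimage` and `$imagesize` are unquoted throughout, and an empty `$rootsize` (grep matching nothing) currently yields a zero-length image and a `dd` with `count=` empty rather than a build failure; quoting the variables and adding `[ -n "$rootstart" ] && [ -n "$rootsize" ] || exit 1` after the two assignments would surface the problem at build time instead of at first boot. The first `sfdisk --list $img | grep Linux` looks like a leftover diagnostic and the fixed `label-id: 0x2178694e` deserves a comment saying whether anything (e.g. the boot firmware) depends on that exact disk identifier.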
@@ -56,13 +56,5 @@ in { */ } ]; - - /* tmp note: further kernel settings for nvidia in: - ../jetpack/nvidia-jetson-orin/virtualization/default.nix - ../jetpack/nvidia-jetson-orin/virtualization/common/gpio-virt-common/default.nix - ../jetpack/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/default.nix - ../jetpack/nvidia-jetson-orin/virtualization/host/gpio-virt-host/default.nix - ../jetpack/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/default.nix - */ }; } diff --git a/modules/jetpack-microvm/agx-netvm-wlan-pci-passthrough.nix b/modules/jetpack-microvm/agx-netvm-wlan-pci-passthrough.nix index 6c2ff08bc..c34dc858b 100644 --- a/modules/jetpack-microvm/agx-netvm-wlan-pci-passthrough.nix +++ b/modules/jetpack-microvm/agx-netvm-wlan-pci-passthrough.nix @@ -1,15 +1,11 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - lib, - config, - ... -}: let +{ lib, config, ... }: +let cfg = config.ghaf.hardware.nvidia.orin.agx; -in { - options.ghaf.hardware.nvidia.orin.agx.enableNetvmWlanPCIPassthrough = - lib.mkEnableOption - "WLAN card PCI passthrough to NetVM"; +in +{ + options.ghaf.hardware.nvidia.orin.agx.enableNetvmWlanPCIPassthrough = lib.mkEnableOption "WLAN card PCI passthrough to NetVM"; config = lib.mkIf cfg.enableNetvmWlanPCIPassthrough { # Orin AGX WLAN card PCI passthrough ghaf.hardware.nvidia.orin.enablePCIPassthroughCommon = true; diff --git a/modules/jetpack-microvm/nx-netvm-ethernet-pci-passthrough.nix b/modules/jetpack-microvm/nx-netvm-ethernet-pci-passthrough.nix index 5ff7e906a..6869654ab 100644 --- a/modules/jetpack-microvm/nx-netvm-ethernet-pci-passthrough.nix +++ b/modules/jetpack-microvm/nx-netvm-ethernet-pci-passthrough.nix 
@@ -1,15 +1,11 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - lib, - config, - ... -}: let +{ lib, config, ... }: +let cfg = config.ghaf.hardware.nvidia.orin.nx; -in { - options.ghaf.hardware.nvidia.orin.nx.enableNetvmEthernetPCIPassthrough = - lib.mkEnableOption - "Ethernet card PCI passthrough to NetVM"; +in +{ + options.ghaf.hardware.nvidia.orin.nx.enableNetvmEthernetPCIPassthrough = lib.mkEnableOption "Ethernet card PCI passthrough to NetVM"; config = lib.mkIf cfg.enableNetvmEthernetPCIPassthrough { # Orin NX Ethernet card PCI Passthrough ghaf.hardware.nvidia.orin.enablePCIPassthroughCommon = true; diff --git a/modules/jetpack/nvidia-jetson-orin/format-module.nix b/modules/jetpack/nvidia-jetson-orin/format-module.nix index 182dd68fd..ca707decb 100644 --- a/modules/jetpack/nvidia-jetson-orin/format-module.nix +++ b/modules/jetpack/nvidia-jetson-orin/format-module.nix @@ -5,9 +5,7 @@ # nixos-generators flake input as an argument. # { - imports = [ - ./sdimage.nix - ]; + imports = [ ./sdimage.nix ]; formatAttr = "sdImage"; } diff --git a/modules/jetpack/nvidia-jetson-orin/jetson-orin.nix b/modules/jetpack/nvidia-jetson-orin/jetson-orin.nix index 98cf604a1..b378a15af 100644 --- a/modules/jetpack/nvidia-jetson-orin/jetson-orin.nix +++ b/modules/jetpack/nvidia-jetson-orin/jetson-orin.nix 
@@ -2,77 +2,85 @@ # SPDX-License-Identifier: Apache-2.0 # # Configuration for NVIDIA Jetson Orin AGX/NX reference boards -{ - lib, - config, - ... -}: let +{ lib, config, ... }: +let cfg = config.ghaf.hardware.nvidia.orin; + inherit (lib) + mkEnableOption + mkOption + mkIf + types + ; in - with lib; { - options.ghaf.hardware.nvidia.orin = { - # Enable the Orin boards - enable = mkEnableOption "Orin hardware"; +{ + options.ghaf.hardware.nvidia.orin = { + # Enable the Orin boards + enable = mkEnableOption "Orin hardware"; - flashScriptOverrides.onlyQSPI = - mkEnableOption - "to only flash QSPI partitions, i.e. disable flashing of boot and root partitions to eMMC"; + flashScriptOverrides.onlyQSPI = mkEnableOption "to only flash QSPI partitions, i.e. disable flashing of boot and root partitions to eMMC"; - flashScriptOverrides.preFlashCommands = mkOption { - description = "Commands to run before the actual flashing"; - type = types.str; - default = ""; - }; + flashScriptOverrides.preFlashCommands = mkOption { + description = "Commands to run before the actual flashing"; + type = types.str; + default = ""; + }; - somType = mkOption { - description = "SoM config Type (NX|AGX|Nano)"; - type = types.str; - default = "agx"; - }; + somType = mkOption { + description = "SoM config Type (NX|AGX|Nano)"; + type = types.str; + default = "agx"; + }; - carrierBoard = mkOption { - description = "Board Type"; - type = types.str; - default = "devkit"; - }; + carrierBoard = mkOption { + description = "Board Type"; + type = types.str; + default = "devkit"; }; + }; - config = mkIf cfg.enable { - hardware.nvidia-jetpack = { - enable = true; - som = "orin-${cfg.somType}"; - carrierBoard = "${cfg.carrierBoard}"; - modesetting.enable = true; + config = mkIf cfg.enable { + hardware.nvidia-jetpack = { + enable = true; + som = "orin-${cfg.somType}"; + carrierBoard = "${cfg.carrierBoard}"; + modesetting.enable = true; - flashScriptOverrides = lib.optionalAttrs (cfg.somType == "agx") { - 
flashArgs = lib.mkForce ["-r" config.hardware.nvidia-jetpack.flashScriptOverrides.targetBoard "mmcblk0p1"]; - }; + flashScriptOverrides = lib.optionalAttrs (cfg.somType == "agx") { + flashArgs = lib.mkForce [ + "-r" + config.hardware.nvidia-jetpack.flashScriptOverrides.targetBoard + "mmcblk0p1" + ]; + }; - firmware.uefi = { - logo = ../../../docs/src/img/1600px-Ghaf_logo.svg; - edk2NvidiaPatches = [ - # This effectively disables EFI FB Simple Framebuffer, which does - # not work properly but causes kernel panic during the boot if the - # HDMI cable is connected during boot time. - # - # The patch reverts back to old behavior, which is to always reset - # the display when exiting UEFI, instead of doing handoff, when - # means not to reset anything. - ./edk2-nvidia-always-reset-display.patch - ]; - }; + firmware.uefi = { + logo = ../../../docs/src/img/1600px-Ghaf_logo.svg; + edk2NvidiaPatches = [ + # This effectively disables EFI FB Simple Framebuffer, which does + # not work properly but causes kernel panic during the boot if the + # HDMI cable is connected during boot time. + # + # The patch reverts back to old behavior, which is to always reset + # the display when exiting UEFI, instead of doing handoff, when + # means not to reset anything. + ./edk2-nvidia-always-reset-display.patch + ]; }; + }; - nixpkgs.hostPlatform.system = "aarch64-linux"; + nixpkgs.hostPlatform.system = "aarch64-linux"; - ghaf.boot.loader.systemd-boot-dtb.enable = true; + ghaf.boot.loader.systemd-boot-dtb.enable = true; - boot.loader = { + boot = { + loader = { efi.canTouchEfiVariables = true; systemd-boot.enable = true; }; - boot.modprobeConfig.enable = true; - boot.kernelPatches = [ + + modprobeConfig.enable = true; + + kernelPatches = [ { name = "vsock-config"; patch = null; 
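Review bot: `somType` stays a free-form `types.str` although everything downstream compares it against fixed lowercase literals, `cfg.somType == "agx"` in the `flashScriptOverrides` block here and `"agx"`/`"nx"` in the device-tree selection of the following hunk, so a value such as `"AGX"` (the description spells the choices `NX|AGX|Nano`) evaluates without error and silently yields no flash override and no device-tree name. `type = types.enum [ "agx" "nx" "nano" ];` makes the module reject such values at evaluation time, assuming `nano` is the third accepted spelling; `carrierBoard` would benefit from the same treatment if its accepted values are known. This hunk starts on the previous line, and the `kernelPatches` list it ends in continues past it.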
@@ -88,27 +96,28 @@ in }; } ]; + }; - services.nvpmodel = { + services.nvpmodel = { + enable = lib.mkDefault true; + # Enable all CPU cores, full power consumption (50W on AGX, 25W on NX) + profileNumber = lib.mkDefault 3; + }; + hardware.deviceTree = + { enable = lib.mkDefault true; - # Enable all CPU cores, full power consumption (50W on AGX, 25W on NX) - profileNumber = lib.mkDefault 3; + # Add the include paths to build the dtb overlays + dtboBuildExtraIncludePaths = [ + "${lib.getDev config.hardware.deviceTree.kernelPackage}/lib/modules/${config.hardware.deviceTree.kernelPackage.modDirVersion}/source/nvidia/soc/t23x/kernel-include" + ]; + } + # Versions of the device tree without PCI passthrough related + # modifications. + // lib.optionalAttrs (cfg.somType == "agx") { + name = lib.mkDefault "tegra234-p3701-0000-p3737-0000.dtb"; + } + // lib.optionalAttrs (cfg.somType == "nx") { + name = lib.mkDefault "tegra234-p3767-0000-p3509-a02.dtb"; }; - hardware.deviceTree = - { - enable = lib.mkDefault true; - # Add the include paths to build the dtb overlays - dtboBuildExtraIncludePaths = [ - "${lib.getDev config.hardware.deviceTree.kernelPackage}/lib/modules/${config.hardware.deviceTree.kernelPackage.modDirVersion}/source/nvidia/soc/t23x/kernel-include" - ]; - } - # Versions of the device tree without PCI passthrough related - # modifications. - // lib.optionalAttrs (cfg.somType == "agx") { - name = lib.mkDefault "tegra234-p3701-0000-p3737-0000.dtb"; - } - // lib.optionalAttrs (cfg.somType == "nx") { - name = lib.mkDefault "tegra234-p3767-0000-p3509-a02.dtb"; - }; - }; - } + }; +} diff --git a/modules/jetpack/nvidia-jetson-orin/mk-esp-contents.py b/modules/jetpack/nvidia-jetson-orin/mk-esp-contents.py index f6e9cd6d1..0f6077efb 100755 --- a/modules/jetpack/nvidia-jetson-orin/mk-esp-contents.py +++ b/modules/jetpack/nvidia-jetson-orin/mk-esp-contents.py 
@@ -11,13 +11,14 @@ * Use bootspec JSON as primary source of truth about system * Be enough close to standard bootctl behavior, to allow local system updates """ + import argparse import errno import json import os import shutil import sys -from typing import List, Optional, TypedDict +from typing import TypedDict BOOT_ENTRY = """title {title} version Generation {generation} {description} @@ -41,7 +42,7 @@ class BootSpec(TypedDict): kernel: str initrd: str init: str - kernelParams: List[str] + kernelParams: list[str] system: str label: str @@ -85,7 +86,7 @@ def copy_file(src: str, dst: str) -> None: def make_efi_name(store_file_path: str, root: str = "/") -> str: suffix = os.path.basename(store_file_path) store_dir = os.path.basename(os.path.dirname(store_file_path)) - return os.path.join(root, "EFI/nixos/%s-%s.efi" % (store_dir, suffix)) + return os.path.join(root, f"EFI/nixos/{store_dir}-{suffix}.efi") def copy_loader(loader: str, esp: str, target_name: str) -> None: @@ -94,7 +95,7 @@ def copy_loader(loader: str, esp: str, target_name: str) -> None: copy_file(loader, os.path.join(efi, "BOOT", target_name)) -def copy_nixos(esp: str, kernel: str, initrd: str, dtb: Optional[str] = None) -> None: +def copy_nixos(esp: str, kernel: str, initrd: str, dtb: str | None = None) -> None: copy_file(kernel, make_efi_name(kernel, esp)) copy_file(initrd, make_efi_name(initrd, esp)) if dtb: @@ -104,10 +105,10 @@ def copy_nixos(esp: str, kernel: str, initrd: str, dtb: Optional[str] = None) -> def write_loader_entry( esp: str, boot: BootSpec, - kernel_params: List[str], - machine_id: Optional[str], - random_seed: Optional[str], - device_tree: Optional[str], + kernel_params: list[str], + machine_id: str | None, + random_seed: str | None, + device_tree: str | None, ) -> None: entry = BOOT_ENTRY.format( kernel=make_efi_name(boot["kernel"]), 
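Review bot: Replacing `Optional`/`List` with `str | None` and `list[str]` makes the annotations a runtime requirement, because this module has no `from __future__ import annotations`: the `X | Y` forms in the `def` lines of `copy_nixos` and `write_loader_entry` (hunks `@@ -94,7 +95,7 @@` and `@@ -104,10 +105,10 @@` on this line) and of `read_bootspec_file` and `create_esp_contents` (`@@ -135,9 +136,9 @@`, `@@ -147,9 +148,9 @@` on the next line) are evaluated at import time and need Python 3.10 or newer, `list[str]` 3.9. The interpreter comes from `pkgs.buildPackages.python3` via sdimage.nix, which is presumably recent enough, but nothing in the script states the floor. Adding `from __future__ import annotations` as the first statement after the module docstring keeps the new syntax, makes the annotations lazy, and is still accepted by the `mypy` run that wraps this script. The last hunk on this line continues past it.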
@@ -135,9 +136,9 @@ def write_loader_entry( def read_bootspec_file(toplevel: str) -> BootSpec: bootfile = os.path.join(toplevel, "boot.json") ensure_file(bootfile) - with open(bootfile, "r") as boot_json: + with open(bootfile) as boot_json: content = json.load(boot_json) - bootspec: Optional[BootSpec] = content.get("org.nixos.bootspec.v1") + bootspec: BootSpec | None = content.get("org.nixos.bootspec.v1") if bootspec is None: eprint(f"""Can't find "org.nixos.bootspec.v1" in {bootfile}""") sys.exit(1) @@ -147,9 +148,9 @@ def read_bootspec_file(toplevel: str) -> BootSpec: def create_esp_contents( toplevel: str, output: str, - machine_id: Optional[str], - random_seed: Optional[str], - device_tree: Optional[str], + machine_id: str | None, + random_seed: str | None, + device_tree: str | None, ) -> None: mkdir_p(output) boot = read_bootspec_file(toplevel) diff --git a/modules/jetpack/nvidia-jetson-orin/optee.nix b/modules/jetpack/nvidia-jetson-orin/optee.nix index b967a7fc7..1b9f6b8ac 100644 --- a/modules/jetpack/nvidia-jetson-orin/optee.nix +++ b/modules/jetpack/nvidia-jetson-orin/optee.nix @@ -1,6 +1,7 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{lib, ...}: { +{ lib, ... }: +{ options.ghaf.hardware.nvidia.orin.optee = { xtest = lib.mkOption { type = lib.types.bool; diff --git a/modules/jetpack/nvidia-jetson-orin/ota-utils-fix.nix b/modules/jetpack/nvidia-jetson-orin/ota-utils-fix.nix index 847e910be..5c2667eb3 100644 --- a/modules/jetpack/nvidia-jetson-orin/ota-utils-fix.nix +++ b/modules/jetpack/nvidia-jetson-orin/ota-utils-fix.nix 
@@ -6,28 +6,25 @@ # There is upstream PR waiting for review: # https://github.com/anduril/jetpack-nixos/pull/162 # +{ pkgs, lib, ... }: { - pkgs, - lib, - ... -}: { # mkAfter needed here so that we can be sure the overlay is after the overlay # included from jetpack-nixos. Otherwise it will just override the whole # nvidia-jetpack set. nixpkgs.overlays = lib.mkAfter [ (_final: prev: { - nvidia-jetpack = - prev.nvidia-jetpack - // { - otaUtils = prev.nvidia-jetpack.otaUtils.overrideAttrs (_finalAttrs: prevAttrs: { - depsBuildHost = [pkgs.bash]; + nvidia-jetpack = prev.nvidia-jetpack // { + otaUtils = prev.nvidia-jetpack.otaUtils.overrideAttrs ( + _finalAttrs: prevAttrs: { + depsBuildHost = [ pkgs.bash ]; installPhase = prevAttrs.installPhase + '' substituteInPlace $out/bin/* --replace '#!/usr/bin/env bash' '#!${pkgs.bash}/bin/bash' ''; - }); - }; + } + ); + }; }) ]; } diff --git a/modules/jetpack/nvidia-jetson-orin/partition-template.nix b/modules/jetpack/nvidia-jetson-orin/partition-template.nix index fd5b0eade..fda796b80 100644 --- a/modules/jetpack/nvidia-jetson-orin/partition-template.nix +++ b/modules/jetpack/nvidia-jetson-orin/partition-template.nix @@ -8,7 +8,8 @@ config, lib, ... -}: let +}: +let # Using the same config for all orin boards (for now) # TODO should this be changed when NX added cfg = config.ghaf.hardware.nvidia.orin; 
@@ -75,18 +76,20 @@ # NVIDIA-supplied flash_t234_qspi_sdmmc.xml, with the partitions specified in # the above partitionsEmmc variable. partitionTemplateReplaceRange = - if !cfg.flashScriptOverrides.onlyQSPI - then { - firstLineCount = 588; - lastLineCount = 2; - } - else { - # If we don't flash anything to eMMC, then we don't need to have the - # XML-tag at all. - firstLineCount = 587; - lastLineCount = 1; - }; - partitionTemplate = pkgs.runCommand "flash.xml" {} ('' + if !cfg.flashScriptOverrides.onlyQSPI then + { + firstLineCount = 588; + lastLineCount = 2; + } + else + { + # If we don't flash anything to eMMC, then we don't need to have the + # XML-tag at all. + firstLineCount = 587; + lastLineCount = 1; + }; + partitionTemplate = pkgs.runCommand "flash.xml" { } ( + '' head -n ${builtins.toString partitionTemplateReplaceRange.firstLineCount} ${pkgs.nvidia-jetpack.bspSrc}/bootloader/t186ref/cfg/flash_t234_qspi_sdmmc.xml >"$out" '' 
@@ -99,64 +102,65 @@ + '' tail -n ${builtins.toString partitionTemplateReplaceRange.lastLineCount} ${pkgs.nvidia-jetpack.bspSrc}/bootloader/t186ref/cfg/flash_t234_qspi_sdmmc.xml >>"$out" - ''); + '' + ); in - with lib; { - config = mkIf cfg.enable { - hardware.nvidia-jetpack.flashScriptOverrides.partitionTemplate = partitionTemplate; +{ + config = lib.mkIf cfg.enable { + hardware.nvidia-jetpack.flashScriptOverrides.partitionTemplate = partitionTemplate; - ghaf.hardware.nvidia.orin.flashScriptOverrides.preFlashCommands = - '' - echo "============================================================" - echo "ghaf flashing script" - echo "============================================================" - echo "ghaf version: ${config.ghaf.version}" - echo "cross-compiled build: @isCross@" - echo "l4tVersion: @l4tVersion@" - echo "som: ${config.hardware.nvidia-jetpack.som}" - echo "carrierBoard: ${config.hardware.nvidia-jetpack.carrierBoard}" - echo "============================================================" - echo "" - echo "Working dir: $WORKDIR" - echo "Removing bootlodaer/esp.img if it exists ..." - rm -fv "$WORKDIR/bootloader/esp.img" - mkdir -pv "$WORKDIR/bootloader" + ghaf.hardware.nvidia.orin.flashScriptOverrides.preFlashCommands = + '' + echo "============================================================" + echo "ghaf flashing script" + echo "============================================================" + echo "ghaf version: ${config.ghaf.version}" + echo "cross-compiled build: @isCross@" + echo "l4tVersion: @l4tVersion@" + echo "som: ${config.hardware.nvidia-jetpack.som}" + echo "carrierBoard: ${config.hardware.nvidia-jetpack.carrierBoard}" + echo "============================================================" + echo "" + echo "Working dir: $WORKDIR" + echo "Removing bootlodaer/esp.img if it exists ..." 
+ rm -fv "$WORKDIR/bootloader/esp.img" + mkdir -pv "$WORKDIR/bootloader" - # See https://developer.download.nvidia.com/embedded/L4T/r35_Release_v4.1/docs/Jetson_Linux_Release_Notes_r35.4.1.pdf - # and https://developer.download.nvidia.com/embedded/L4T/r35_Release_v5.0/docs/Jetson_Linux_Release_Notes_r35.5.0.pdf - # - # In Section: Adaptation to the Carrier Board with HDMI for the Orin - # NX/Nano Modules - @patch@ -p0 < ${./tegra2-mb2-bct-scr.patch} - '' - + lib.optionalString (!cfg.flashScriptOverrides.onlyQSPI) '' - ESP_OFFSET=$(cat "${images}/esp.offset") - ESP_SIZE=$(cat "${images}/esp.size") - ROOT_OFFSET=$(cat "${images}/root.offset") - ROOT_SIZE=$(cat "${images}/root.size") + # See https://developer.download.nvidia.com/embedded/L4T/r35_Release_v4.1/docs/Jetson_Linux_Release_Notes_r35.4.1.pdf + # and https://developer.download.nvidia.com/embedded/L4T/r35_Release_v5.0/docs/Jetson_Linux_Release_Notes_r35.5.0.pdf + # + # In Section: Adaptation to the Carrier Board with HDMI for the Orin + # NX/Nano Modules + @patch@ -p0 < ${./tegra2-mb2-bct-scr.patch} + '' + + lib.optionalString (!cfg.flashScriptOverrides.onlyQSPI) '' + ESP_OFFSET=$(cat "${images}/esp.offset") + ESP_SIZE=$(cat "${images}/esp.size") + ROOT_OFFSET=$(cat "${images}/root.offset") + ROOT_SIZE=$(cat "${images}/root.size") - img="${images}/sd-image/${config.sdImage.imageName}.zst" - echo "Extracting ESP partition to $WORKDIR/bootloader/esp.img ..." - dd if=<(@pzstd@ -d "$img" -c) of="$WORKDIR/bootloader/esp.img" bs=512 iseek="$ESP_OFFSET" count="$ESP_SIZE" - echo "Extracting root partition to $WORKDIR/root.img ..." - dd if=<(@pzstd@ -d "$img" -c) of="$WORKDIR/bootloader/root.img" bs=512 iseek="$ROOT_OFFSET" count="$ROOT_SIZE" + img="${images}/sd-image/${config.sdImage.imageName}.zst" + echo "Extracting ESP partition to $WORKDIR/bootloader/esp.img ..." 
+ dd if=<(@pzstd@ -d "$img" -c) of="$WORKDIR/bootloader/esp.img" bs=512 iseek="$ESP_OFFSET" count="$ESP_SIZE" + echo "Extracting root partition to $WORKDIR/root.img ..." + dd if=<(@pzstd@ -d "$img" -c) of="$WORKDIR/bootloader/root.img" bs=512 iseek="$ROOT_OFFSET" count="$ROOT_SIZE" - echo "Patching flash.xml with absolute paths to esp.img and root.img ..." - @sed@ -i \ - -e "s#bootloader/esp.img#$WORKDIR/bootloader/esp.img#" \ - -e "s#root.img#$WORKDIR/root.img#" \ - -e "s#ESP_SIZE#$((ESP_SIZE * 512))#" \ - -e "s#ROOT_SIZE#$((ROOT_SIZE * 512))#" \ - flash.xml + echo "Patching flash.xml with absolute paths to esp.img and root.img ..." + @sed@ -i \ + -e "s#bootloader/esp.img#$WORKDIR/bootloader/esp.img#" \ + -e "s#root.img#$WORKDIR/root.img#" \ + -e "s#ESP_SIZE#$((ESP_SIZE * 512))#" \ + -e "s#ROOT_SIZE#$((ROOT_SIZE * 512))#" \ + flash.xml - '' - + lib.optionalString cfg.flashScriptOverrides.onlyQSPI '' - echo "Flashing QSPI only, boot and root images not included." - '' - + '' - echo "Ready to flash!" - echo "============================================================" - echo "" - ''; - }; - } + '' + + lib.optionalString cfg.flashScriptOverrides.onlyQSPI '' + echo "Flashing QSPI only, boot and root images not included." + '' + + '' + echo "Ready to flash!" + echo "============================================================" + echo "" + ''; + }; +} diff --git a/modules/jetpack/nvidia-jetson-orin/pci-passthrough-common.nix b/modules/jetpack/nvidia-jetson-orin/pci-passthrough-common.nix index 49791462a..56d447427 100644 --- a/modules/jetpack/nvidia-jetson-orin/pci-passthrough-common.nix +++ b/modules/jetpack/nvidia-jetson-orin/pci-passthrough-common.nix 
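Review bot: The root-image path is inconsistent inside the new `preFlashCommands`: the message says `Extracting root partition to $WORKDIR/root.img ...`, the `dd` that follows writes `of="$WORKDIR/bootloader/root.img"`, and the `@sed@` expression `s#root.img#$WORKDIR/root.img#` points flash.xml at `$WORKDIR/root.img`. Unless the flash tool resolves that path relative to `bootloader/` (the template is generated from `partitionsEmmc`, which is outside this hunk, so this is an inference), flashing would look for a file that was never written; aligning the `dd` target with the sed replacement, `of="$WORKDIR/root.img"`, or the reverse, removes the ambiguity either way. The echo `Removing bootlodaer/esp.img if it exists ...` carries a typo. The hunk began two lines earlier and the `images` binding it uses is declared above it.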
@@ -1,15 +1,11 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - lib, - config, - ... -}: let +{ lib, config, ... }: +let cfg = config.ghaf.hardware.nvidia.orin; -in { - options.ghaf.hardware.nvidia.orin.enablePCIPassthroughCommon = - lib.mkEnableOption - "Enable common options related to PCI passthrough on Orin AGX and NX"; +in +{ + options.ghaf.hardware.nvidia.orin.enablePCIPassthroughCommon = lib.mkEnableOption "Enable common options related to PCI passthrough on Orin AGX and NX"; config = lib.mkIf cfg.enablePCIPassthroughCommon { boot.kernelModules = [ "vfio_pci" diff --git a/modules/jetpack/nvidia-jetson-orin/sdimage.nix b/modules/jetpack/nvidia-jetson-orin/sdimage.nix index 6bb8ba69d..870d834fa 100644 --- a/modules/jetpack/nvidia-jetson-orin/sdimage.nix +++ b/modules/jetpack/nvidia-jetson-orin/sdimage.nix 
@@ -16,66 +16,71 @@ pkgs, modulesPath, ... -}: { - imports = [ - (modulesPath + "/installer/sd-card/sd-image.nix") - ]; +}: +{ + imports = [ (modulesPath + "/installer/sd-card/sd-image.nix") ]; boot.loader.grub.enable = false; - disabledModules = [(modulesPath + "/profiles/all-hardware.nix")]; + disabledModules = [ (modulesPath + "/profiles/all-hardware.nix") ]; - sdImage = let - mkESPContentSource = pkgs.substituteAll { - src = ./mk-esp-contents.py; - isExecutable = true; - inherit (pkgs.buildPackages) python3; - }; - mkESPContent = - pkgs.runCommand "mk-esp-contents" { - nativeBuildInputs = with pkgs; [mypy python3]; - } '' - install -m755 ${mkESPContentSource} $out - mypy \ - --no-implicit-optional \ - --disallow-untyped-calls \ - --disallow-untyped-defs \ - $out + sdImage = + let + mkESPContentSource = pkgs.substituteAll { + src = ./mk-esp-contents.py; + isExecutable = true; + inherit (pkgs.buildPackages) python3; + }; + mkESPContent = + pkgs.runCommand "mk-esp-contents" + { + nativeBuildInputs = with pkgs; [ + mypy + python3 + ]; + } + '' + install -m755 ${mkESPContentSource} $out + mypy \ + --no-implicit-optional \ + --disallow-untyped-calls \ + --disallow-untyped-defs \ + $out + ''; + fdtPath = "${config.hardware.deviceTree.package}/${config.hardware.deviceTree.name}"; + in + { + firmwareSize = 256; + populateFirmwareCommands = '' + mkdir -pv firmware + ${mkESPContent} \ + --toplevel ${config.system.build.toplevel} \ + --output firmware/ \ + --device-tree ${fdtPath} ''; - fdtPath = "${config.hardware.deviceTree.package}/${config.hardware.deviceTree.name}"; - in { - firmwareSize = 256; - populateFirmwareCommands = '' - mkdir -pv firmware - ${mkESPContent} \ - --toplevel ${config.system.build.toplevel} \ - --output firmware/ \ - --device-tree ${fdtPath} - ''; - populateRootCommands = '' - ''; - postBuildCommands = '' - img=$out/sd-image/${config.sdImage.imageName} - fdisk_output=$(fdisk -l "$img") + populateRootCommands = ''''; + postBuildCommands = '' + 
img=$out/sd-image/${config.sdImage.imageName} + fdisk_output=$(fdisk -l "$img") - # Offsets and sizes are in 512 byte sectors - blocksize=512 + # Offsets and sizes are in 512 byte sectors + blocksize=512 - # ESP partition offset and sector count - part_esp=$(echo -n "$fdisk_output" | tail -n 2 | head -n 1 | tr -s ' ') - part_esp_begin=$(echo -n "$part_esp" | cut -d ' ' -f2) - part_esp_count=$(echo -n "$part_esp" | cut -d ' ' -f4) + # ESP partition offset and sector count + part_esp=$(echo -n "$fdisk_output" | tail -n 2 | head -n 1 | tr -s ' ') + part_esp_begin=$(echo -n "$part_esp" | cut -d ' ' -f2) + part_esp_count=$(echo -n "$part_esp" | cut -d ' ' -f4) - # root-partition offset and sector count - part_root=$(echo -n "$fdisk_output" | tail -n 1 | head -n 1 | tr -s ' ') - part_root_begin=$(echo -n "$part_root" | cut -d ' ' -f3) - part_root_count=$(echo -n "$part_root" | cut -d ' ' -f4) + # root-partition offset and sector count + part_root=$(echo -n "$fdisk_output" | tail -n 1 | head -n 1 | tr -s ' ') + part_root_begin=$(echo -n "$part_root" | cut -d ' ' -f3) + part_root_count=$(echo -n "$part_root" | cut -d ' ' -f4) - echo -n $part_esp_begin > $out/esp.offset - echo -n $part_esp_count > $out/esp.size - echo -n $part_root_begin > $out/root.offset - echo -n $part_root_count > $out/root.size - ''; - }; + echo -n $part_esp_begin > $out/esp.offset + echo -n $part_esp_count > $out/esp.size + echo -n $part_root_begin > $out/root.offset + echo -n $part_root_count > $out/root.size + ''; + }; fileSystems."/boot" = { device = "/dev/disk/by-label/${config.sdImage.firmwarePartitionName}"; diff --git a/modules/jetpack/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/default.nix b/modules/jetpack/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/default.nix index 8af097266..3f509de4c 100644 --- a/modules/jetpack/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/default.nix 
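Review bot: The partition geometry in `postBuildCommands` is scraped from `fdisk -l` by field position, and the two parses disagree: the ESP line takes Start from field 2 and the sector count from field 4, while the root line takes Start from field 3 and the count from field 4. Fields shift like that only when the Boot column holds `*`, and on such a line field 4 is End rather than Sectors, so `root.size` would presumably be the end sector and the `dd count=` in partition-template.nix would over-read; this should be verified against a real image before relying on it. A column-named query such as `partx -g -o START,SECTORS "$img"` or `sfdisk --json "$img"` does not depend on the flag column at all. The hunk starts on the previous line; the `sdImage` attrset it rewrites is complete within it.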
+++ b/modules/jetpack/nvidia-jetson-orin/virtualization/common/bpmp-virt-common/default.nix @@ -1,12 +1,24 @@ # Copyright 2022-2023 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 +{ lib, config, ... }: +let + cfg = config.ghaf.hardware.nvidia.virtualization; +in { - lib, - config, - ... -}: let - cfg = config.ghaf.hardware.nvidia.virtualization.host.bpmp; -in { + /* already declared in ./modules/jetpack/nvidia-jetson-orin/virtualization/ + options.ghaf.hardware.nvidia.virtualization.enable = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Enable virtualization support for NVIDIA Orin + + This option is an implementation level detail and is toggled automatically + by modules that need it. Manually enabling this option is not recommended in + release builds. + ''; + }; + */ + config = lib.mkIf cfg.enable { boot.kernelPatches = [ /* configure kernel in modules/hardware/nvidia-jetson-orin/virtualization/default.nix for all virtualisation @@ -52,6 +64,6 @@ in { } ]; - boot.kernelParams = ["vfio_iommu_type1.allow_unsafe_interrupts=1"]; + boot.kernelParams = [ "vfio_iommu_type1.allow_unsafe_interrupts=1" ]; }; } diff --git a/modules/jetpack/nvidia-jetson-orin/virtualization/common/gpio-virt-common/default.nix b/modules/jetpack/nvidia-jetson-orin/virtualization/common/gpio-virt-common/default.nix index a9bf5bf17..744e41b99 100644 --- a/modules/jetpack/nvidia-jetson-orin/virtualization/common/gpio-virt-common/default.nix +++ b/modules/jetpack/nvidia-jetson-orin/virtualization/common/gpio-virt-common/default.nix 
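Review bot: `cfg` now points at `config.ghaf.hardware.nvidia.virtualization` instead of `…virtualization.host.bpmp`, so `config = lib.mkIf cfg.enable { … }` (the BPMP kernel patches and, in the second hunk on this line, `boot.kernelParams = [ "vfio_iommu_type1.allow_unsafe_interrupts=1" ]`) is applied whenever generic virtualization is on, not only when BPMP host virtualization is requested. `allow_unsafe_interrupts` relaxes VFIO's interrupt-remapping requirement for every VFIO device on the host, so widening where it is set is a hardening regression unless that is the intent; if the old option still exists, `config = lib.mkIf (cfg.enable && cfg.host.bpmp.enable) {` preserves the previous gating. The commented-out `options.ghaf.hardware.nvidia.virtualization.enable` block is dead code; a one-line comment naming the file that declares the option is enough. The `boot.kernelPatches` list that starts in this hunk continues outside it.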
@@ -8,31 +8,7 @@ cfg = config.ghaf.hardware.nvidia.virtualization.host.gpio; in { config = lib.mkIf cfg.enable { - boot.kernelPatches = [ - /* configure kernel in modules/hardware/nvidia-jetson-orin/virtualization/default.nix for all virtualisation - * TODO: differentiate config - { - name = "Added Configurations to Support GPIO passthrough"; - patch = null; - extraStructuredConfig = { - PCI_STUB = lib.mkDefault lib.kernel.yes; - HOTPLUG_PCI = lib.mkDefault lib.kernel.yes; - HOTPLUG_PCI_ACPI = lib.mkDefault lib.kernel.yes; - PCI_DEBUG = lib.mkDefault lib.kernel.yes; - PCI_HOST_GENERIC = lib.mkDefault lib.kernel.yes; - PCI_HOST_COMMON = lib.mkDefault lib.kernel.yes; - VFIO = lib.mkDefault lib.kernel.yes; - VFIO_IOMMU_TYPE1 = lib.mkDefault lib.kernel.yes; - VFIO_PLATFORM = lib.mkDefault lib.kernel.yes; - VIRTIO_PCI = lib.mkDefault lib.kernel.yes; - VIRTIO_MMIO = lib.mkDefault lib.kernel.yes; - CONFIG_GPIO_TEGRA = lib.mkDefault lib.kernel.yes; - CONFIG_GPIO_TEGRA186 = lib.mkDefault lib.kernel.yes; - TEGRA_GPIO_GUEST_PROXY = lib.mkDefault lib.kernel.yes; - TEGRA_GPIO_HOST_PROXY = lib.mkDefault lib.kernel.yes; - }; - } - */ + boot.kernelPatches = builtins.trace "Patching kernel for GPIO passthrough" [ /* This patch is not needed because of the kernel parameters { name = "Vfio_platform Reset Required False"; @@ -62,12 +38,13 @@ in { } */ ]; - + /* boot.kernelParams = [ "iommu=pt" "vfio.enable_unsafe_noiommu_mode=0" "vfio_iommu_type1.allow_unsafe_interrupts=1" "vfio_platform.reset_required=0" ]; + */ }; } diff --git a/modules/jetpack/nvidia-jetson-orin/virtualization/common/gpio-virt-common/patches/0003-gpio-virt-kernel.patch b/modules/jetpack/nvidia-jetson-orin/virtualization/common/gpio-virt-common/patches/0003-gpio-virt-kernel.patch index e5eeb58cf..c51aa75a3 100644 --- a/modules/jetpack/nvidia-jetson-orin/virtualization/common/gpio-virt-common/patches/0003-gpio-virt-kernel.patch 
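Review bot: `boot.kernelPatches = builtins.trace "Patching kernel for GPIO passthrough" [` leaves an evaluation-time debug trace in the module; `builtins.trace` prints every time the option is evaluated and should be dropped before merge, leaving `boot.kernelPatches = [`. The second hunk on this line comments out the whole `boot.kernelParams` list (`iommu=pt`, `vfio.enable_unsafe_noiommu_mode=0`, `vfio_iommu_type1.allow_unsafe_interrupts=1`, `vfio_platform.reset_required=0`) while the first hunk keeps `This patch is not needed because of the kernel parameters` above the disabled patch, so the stated reason for leaving the patch out no longer holds: either the parameters or the patch should be in effect, or the comment should say why neither is. If `vfio_platform.reset_required=0` was what let vfio-platform bind to devices without a reset handler, removing it silently changes passthrough behaviour and deserves a sentence in the commit message. The `config = lib.mkIf cfg.enable {` block begins above the first hunk.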
+++ b/modules/jetpack/nvidia-jetson-orin/virtualization/common/gpio-virt-common/patches/0003-gpio-virt-kernel.patch @@ -351,7 +351,7 @@ index f66fc17faee4..9706a77fe5a5 100644 } subsys_initcall(tegra_gpio_init); diff --git a/drivers/gpio/gpio-tegra186.c b/drivers/gpio/gpio-tegra186.c -index 5e57824b283e..43f83675ec3f 100644 +index 5e57824b283e..65a9cd915e3e 100644 --- a/drivers/gpio/gpio-tegra186.c +++ b/drivers/gpio/gpio-tegra186.c @@ -20,6 +20,46 @@ @@ -359,7 +359,7 @@ index 5e57824b283e..43f83675ec3f 100644 #include +#define GPIO_DEBUG -+#define GPIO_DEBUG_VERBOSE ++// #define GPIO_DEBUG_VERBOSE + +#ifdef GPIO_DEBUG + #define deb_info(fmt, ...) printk(KERN_INFO "GPIO func \'%s\' in file \'%s\' -- " fmt, __func__, kbasename(__FILE__), ##__VA_ARGS__) @@ -933,7 +933,7 @@ index 5e57824b283e..43f83675ec3f 100644 } } } -@@ -1107,6 +1235,232 @@ static unsigned int tegra186_gpio_irqs_per_bank(struct tegra_gpio *gpio) +@@ -1107,6 +1235,235 @@ static unsigned int tegra186_gpio_irqs_per_bank(struct tegra_gpio *gpio) return -EINVAL; } @@ -1042,6 +1042,9 @@ index 5e57824b283e..43f83675ec3f 100644 +#if defined(CONFIG_TEGRA_GPIO_GUEST_PROXY) || defined(CONFIG_TEGRA_GPIO_HOST_PROXY) + + extern int tegra_gpio_guest_init(void); ++ extern int tegra_gpio_host_init(void); ++ extern int tegra_gpio_guest_cleanup(void); ++ extern int tegra_gpio_host_cleanup(void); + + #define MAX_CHIP 2 // check this value against value in gpio_host-proxy.h + @@ -1166,11 +1169,12 @@ index 5e57824b283e..43f83675ec3f 100644 static int tegra186_gpio_probe(struct platform_device *pdev) { unsigned int i, j, offset; -@@ -1120,17 +1474,40 @@ static int tegra186_gpio_probe(struct platform_device *pdev) +@@ -1120,17 +1477,41 @@ static int tegra186_gpio_probe(struct platform_device *pdev) int value; void __iomem *base; + static bool guest_proxy_is_set_up = false; ++ static bool host_proxy_is_set_up = false; + + deb_debug("Probing gpio"); + 
@@ -1211,7 +1215,7 @@ index 5e57824b283e..43f83675ec3f 100644 /* count the number of banks in the controller */ for (i = 0; i < gpio->soc->num_ports; i++) -@@ -1139,11 +1516,15 @@ static int tegra186_gpio_probe(struct platform_device *pdev) +@@ -1139,11 +1520,15 @@ static int tegra186_gpio_probe(struct platform_device *pdev) gpio->num_banks++; @@ -1228,7 +1232,7 @@ index 5e57824b283e..43f83675ec3f 100644 sizeof(*gpio->gpio_rval), GFP_KERNEL); if (!gpio->gpio_rval) return -ENOMEM; -@@ -1154,9 +1535,12 @@ static int tegra186_gpio_probe(struct platform_device *pdev) +@@ -1154,9 +1539,12 @@ static int tegra186_gpio_probe(struct platform_device *pdev) return -EINVAL; } @@ -1241,7 +1245,7 @@ index 5e57824b283e..43f83675ec3f 100644 res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "gte"); if (!res) { dev_err(&pdev->dev, "Missing gte MEM resource\n"); -@@ -1172,14 +1556,20 @@ static int tegra186_gpio_probe(struct platform_device *pdev) +@@ -1172,14 +1560,20 @@ static int tegra186_gpio_probe(struct platform_device *pdev) } err = platform_irq_count(pdev); @@ -1265,7 +1269,7 @@ index 5e57824b283e..43f83675ec3f 100644 gpio->irq = devm_kcalloc(&pdev->dev, gpio->num_irq, sizeof(*gpio->irq), GFP_KERNEL); -@@ -1188,27 +1578,43 @@ static int tegra186_gpio_probe(struct platform_device *pdev) +@@ -1188,27 +1582,48 @@ static int tegra186_gpio_probe(struct platform_device *pdev) for (i = 0; i < gpio->num_irq; i++) { err = platform_get_irq(pdev, i); @@ -1300,7 +1304,7 @@ index 5e57824b283e..43f83675ec3f 100644 + tegra_gte_setup(gpio); + + if(kernel_is_on_guest) { -+ deb_debug("GPIO Guest init section\n"); ++ deb_debug("GPIO Proxy init section\n"); + if( ! guest_proxy_is_set_up ) { + ret = tegra_gpio_guest_init(); + guest_proxy_is_set_up = true; 
@@ -1309,11 +1313,16 @@ index 5e57824b283e..43f83675ec3f 100644 + gpio_hook(gpio); + } + else { ++ if( ! host_proxy_is_set_up ) { ++ ret = tegra_gpio_host_init(); ++ host_proxy_is_set_up = true; ++ } + // gpio_unhook is the same as standard settings + // unhooked pointers are for the host driver on host only + BUG_ON(gpio_vpa != 0); // assert we do not set up the vpa driver + gpio_unhook(gpio); // set standard function pointers -+ } ++ }; ++ + gpio->gpio.base = -1; + deb_debug("gpio function pointers are set for gpio label=%s\n", gpio->gpio.label); + #else @@ -1325,7 +1334,7 @@ index 5e57824b283e..43f83675ec3f 100644 for (i = 0; i < gpio->soc->num_ports; i++) gpio->gpio.ngpio += gpio->soc->ports[i].pins; -@@ -1229,6 +1635,7 @@ static int tegra186_gpio_probe(struct platform_device *pdev) +@@ -1229,6 +1644,7 @@ static int tegra186_gpio_probe(struct platform_device *pdev) return -ENOMEM; names[offset + j] = name; @@ -1333,7 +1342,7 @@ index 5e57824b283e..43f83675ec3f 100644 } offset += port->pins; -@@ -1260,6 +1667,8 @@ static int tegra186_gpio_probe(struct platform_device *pdev) +@@ -1260,6 +1676,8 @@ static int tegra186_gpio_probe(struct platform_device *pdev) irq->parent_handler_data = gpio; irq->num_parents = gpio->num_irq; @@ -1342,7 +1351,7 @@ index 5e57824b283e..43f83675ec3f 100644 /* * To simplify things, use a single interrupt per bank for now. Some -@@ -1284,7 +1693,18 @@ static int tegra186_gpio_probe(struct platform_device *pdev) +@@ -1284,7 +1702,18 @@ static int tegra186_gpio_probe(struct platform_device *pdev) } if (gpio->soc->num_irqs_per_bank > 1) @@ -1361,7 +1370,7 @@ index 5e57824b283e..43f83675ec3f 100644 np = of_find_matching_node(NULL, tegra186_pmc_of_match); if (!of_device_is_available(np)) -@@ -1315,9 +1735,31 @@ static int tegra186_gpio_probe(struct platform_device *pdev) +@@ -1315,9 +1744,31 @@ static int tegra186_gpio_probe(struct platform_device *pdev) platform_set_drvdata(pdev, gpio); 
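Review bot: In the new host branch `ret = tegra_gpio_host_init();` the return value is stored but, within this hunk, never checked, so a failed host-proxy init still sets `host_proxy_is_set_up = true` and proceeds to `gpio_unhook(gpio)`; the guest branch in the previous hunk has the same shape. Unless `ret` is examined further down (the probe function continues past this hunk), `if (ret) return ret;` after the call and before the flag is set keeps a broken proxy from being marked ready. The `}` to `};` change also leaves a stray semicolon after the `else` block; it compiles but reads as a typo.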
@@ -1396,7 +1405,7 @@ index 5e57824b283e..43f83675ec3f 100644 if (gpio->soc->is_hw_ts_sup) { for (i = 0, offset = 0; i < gpio->soc->num_ports; i++) { -@@ -1325,28 +1767,29 @@ static int tegra186_gpio_probe(struct platform_device *pdev) +@@ -1325,28 +1776,29 @@ static int tegra186_gpio_probe(struct platform_device *pdev) &gpio->soc->ports[i]; for (j = 0; j < port->pins; j++) { @@ -1434,7 +1443,7 @@ index 5e57824b283e..43f83675ec3f 100644 static int tegra_gpio_resume_early(struct device *dev) { struct tegra_gpio *gpio = dev_get_drvdata(dev); -@@ -1355,7 +1798,7 @@ static int tegra_gpio_resume_early(struct device *dev) +@@ -1355,7 +1807,7 @@ static int tegra_gpio_resume_early(struct device *dev) void __iomem *base; int i; @@ -1443,7 +1452,7 @@ index 5e57824b283e..43f83675ec3f 100644 if (WARN_ON(base == NULL)) return -EINVAL; -@@ -1366,9 +1809,9 @@ static int tegra_gpio_resume_early(struct device *dev) +@@ -1366,9 +1818,9 @@ static int tegra_gpio_resume_early(struct device *dev) regs->restore_needed = false; @@ -1456,7 +1465,20 @@ index 5e57824b283e..43f83675ec3f 100644 } return 0; -@@ -1723,7 +2166,9 @@ static struct platform_driver tegra186_gpio_driver = { +@@ -1392,6 +1844,12 @@ static const struct dev_pm_ops tegra_gpio_pm = { + + static int tegra186_gpio_remove(struct platform_device *pdev) + { ++ if(kernel_is_on_guest) { ++ tegra_gpio_guest_cleanup(); ++ } ++ else { ++ tegra_gpio_host_cleanup(); ++ } + return 0; + } + +@@ -1723,7 +2181,9 @@ static struct platform_driver tegra186_gpio_driver = { .probe = tegra186_gpio_probe, .remove = tegra186_gpio_remove, }; @@ -1781,7 +1803,7 @@ index 30e2476a6dc4..aab40f1cd52f 100644 err = gpio_request_one(array->gpio, array->flags, array->label); if (err) diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c -index 647e77db82b1..4b85fcb8b62b 100644 +index f54b5905e2cc..5d9425f0f7fe 100644 --- a/drivers/gpio/gpiolib-of.c +++ b/drivers/gpio/gpiolib-of.c @@ -24,6 +24,26 @@ 
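Review bot: The new tegra186_gpio_remove calls `tegra_gpio_host_cleanup()` or `tegra_gpio_guest_cleanup()` on every remove, while the matching init in probe (earlier hunks) runs once behind `host_proxy_is_set_up` / `guest_proxy_is_set_up` and nothing here clears those flags. If more than one tegra186 gpio instance probes (the once-only guard suggests the proxy is shared), removing one instance tears the proxy down under the others, and a later re-probe skips init because the flag is still true. At minimum reset the flag next to the cleanup, e.g. `tegra_gpio_host_cleanup(); host_proxy_is_set_up = false;`, and if several instances really share the proxy, count users instead of a bool so cleanup runs only for the last one. Whether the cleanup functions return a status is not visible in this diff.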
@@ -1903,7 +1925,7 @@ index 3ef71ca242ba..bf62aeee66a1 100644 /* If buf is not a number then try to find by name */ diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c -index 50abb1c20df0..cf7296db3190 100644 +index 94b70e0636fe..38de01b3da7d 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -31,6 +31,26 @@ @@ -1933,20 +1955,6 @@ index 50abb1c20df0..cf7296db3190 100644 /* Implementation infrastructure for GPIO interfaces. * * The GPIO programming interface allows for inlining speed-critical -@@ -45,11 +65,11 @@ - * - * Otherwise, minimize overhead in what may be bitbanging codepaths. - */ --#ifdef DEBUG -+ #ifdef DEBUG - #define extra_checks 1 - #else - #define extra_checks 0 --#endif -+ #endif - - /* Device and char device-related information */ - static DEFINE_IDA(gpio_ida); @@ -105,6 +125,8 @@ struct gpio_desc *gpio_to_desc(unsigned gpio) { struct gpio_device *gdev; @@ -2000,7 +2008,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (list_empty(&gpio_devices)) { /* initial entry in list */ list_add_tail(&gdev->list, &gpio_devices); -@@ -270,14 +301,12 @@ static int gpiodev_add_to_list(struct gpio_device *gdev) +@@ -270,6 +301,7 @@ static int gpiodev_add_to_list(struct gpio_device *gdev) if (prev->base + prev->ngpio <= gdev->base) { /* add behind last entry */ list_add_tail(&gdev->list, &gpio_devices); @@ -2008,15 +2016,7 @@ index 50abb1c20df0..cf7296db3190 100644 return 0; } - list_for_each_entry_safe(prev, next, &gpio_devices, list) { - /* at the end of the list */ -- if (&next->list == &gpio_devices) -- break; -- - /* add between prev and next */ - if (prev->base + prev->ngpio <= gdev->base - && gdev->base + gdev->ngpio <= next->base) { -@@ -301,6 +330,8 @@ struct gpio_desc *gpio_name_to_desc(const char * const name) +@@ -301,6 +333,8 @@ struct gpio_desc *gpio_name_to_desc(const char * const name) struct gpio_device *gdev; unsigned long flags; 
@@ -2025,7 +2025,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (!name) return NULL; -@@ -340,6 +371,8 @@ static int gpiochip_set_desc_names(struct gpio_chip *gc) +@@ -340,6 +374,8 @@ static int gpiochip_set_desc_names(struct gpio_chip *gc) struct gpio_device *gdev = gc->gpiodev; int i; @@ -2034,7 +2034,7 @@ index 50abb1c20df0..cf7296db3190 100644 /* First check all names if they are unique */ for (i = 0; i != gc->ngpio; ++i) { struct gpio_desc *gpio; -@@ -375,6 +408,8 @@ static int devprop_gpiochip_set_names(struct gpio_chip *chip) +@@ -375,6 +411,8 @@ static int devprop_gpiochip_set_names(struct gpio_chip *chip) int ret, i; int count; @@ -2043,7 +2043,7 @@ index 50abb1c20df0..cf7296db3190 100644 count = fwnode_property_string_array_count(fwnode, "gpio-line-names"); if (count < 0) return 0; -@@ -409,6 +444,8 @@ static unsigned long *gpiochip_allocate_mask(struct gpio_chip *gc) +@@ -409,6 +447,8 @@ static unsigned long *gpiochip_allocate_mask(struct gpio_chip *gc) { unsigned long *p; @@ -2052,7 +2052,7 @@ index 50abb1c20df0..cf7296db3190 100644 p = bitmap_alloc(gc->ngpio, GFP_KERNEL); if (!p) return NULL; -@@ -421,6 +458,8 @@ static unsigned long *gpiochip_allocate_mask(struct gpio_chip *gc) +@@ -421,6 +461,8 @@ static unsigned long *gpiochip_allocate_mask(struct gpio_chip *gc) static int gpiochip_alloc_valid_mask(struct gpio_chip *gc) { @@ -2061,7 +2061,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (!(of_gpio_need_valid_mask(gc) || gc->init_valid_mask)) return 0; -@@ -433,6 +472,8 @@ static int gpiochip_alloc_valid_mask(struct gpio_chip *gc) +@@ -433,6 +475,8 @@ static int gpiochip_alloc_valid_mask(struct gpio_chip *gc) static int gpiochip_init_valid_mask(struct gpio_chip *gc) { 
@@ -2070,7 +2070,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (gc->init_valid_mask) return gc->init_valid_mask(gc, gc->valid_mask, -@@ -443,12 +484,16 @@ static int gpiochip_init_valid_mask(struct gpio_chip *gc) +@@ -443,12 +487,16 @@ static int gpiochip_init_valid_mask(struct gpio_chip *gc) static void gpiochip_free_valid_mask(struct gpio_chip *gc) { @@ -2087,7 +2087,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (gc->add_pin_ranges) return gc->add_pin_ranges(gc); -@@ -458,6 +503,8 @@ static int gpiochip_add_pin_ranges(struct gpio_chip *gc) +@@ -458,6 +506,8 @@ static int gpiochip_add_pin_ranges(struct gpio_chip *gc) bool gpiochip_line_is_valid(const struct gpio_chip *gc, unsigned int offset) { @@ -2096,7 +2096,7 @@ index 50abb1c20df0..cf7296db3190 100644 /* No mask means all valid */ if (likely(!gc->valid_mask)) return true; -@@ -470,6 +517,8 @@ static void gpiodevice_release(struct device *dev) +@@ -470,6 +520,8 @@ static void gpiodevice_release(struct device *dev) struct gpio_device *gdev = dev_get_drvdata(dev); unsigned long flags; @@ -2105,7 +2105,7 @@ index 50abb1c20df0..cf7296db3190 100644 spin_lock_irqsave(&gpio_lock, flags); list_del(&gdev->list); spin_unlock_irqrestore(&gpio_lock, flags); -@@ -480,7 +529,7 @@ static void gpiodevice_release(struct device *dev) +@@ -480,7 +532,7 @@ static void gpiodevice_release(struct device *dev) kfree(gdev); } @@ -2114,7 +2114,7 @@ index 50abb1c20df0..cf7296db3190 100644 #define gcdev_register(gdev, devt) gpiolib_cdev_register((gdev), (devt)) #define gcdev_unregister(gdev) gpiolib_cdev_unregister((gdev)) #else -@@ -490,13 +539,66 @@ static void gpiodevice_release(struct device *dev) +@@ -490,13 +542,27 @@ static void gpiodevice_release(struct device *dev) */ #define gcdev_register(gdev, devt) device_add(&(gdev)->dev) #define gcdev_unregister(gdev) device_del(&(gdev)->dev) 
@@ -2138,28 +2138,15 @@ index 50abb1c20df0..cf7296db3190 100644 + proxy_host_gpio_dev[gpio_dev_count++] = gdev; + // we continue to populate gdev + -+ ret = gcdev_register(gdev, gpio_devt); -+ -+ if (ret) -+ return ret; -+ -+ ret = gpiochip_sysfs_register(gdev); -+ if (ret) -+ goto err_remove_device; -+ -+ /* From this point, the .release() function cleans up gpio_device */ -+ gdev->dev.release = gpiodevice_release; -+ pr_info("%s: registered GPIOs %d to %d on %s\n", -+ dev_name(&gdev->dev), gdev->base, -+ gdev->base + gdev->ngpio - 1, gdev->chip->label ? : "generic"); -+ -+ return 0; -+ -+err_remove_device: -+ gcdev_unregister(gdev); -+ return ret; -+} + ret = gcdev_register(gdev, gpio_devt); + + if (ret) + return ret; + +@@ -517,11 +583,55 @@ static int gpiochip_setup_dev(struct gpio_device *gdev) + return ret; + } + +/* redirecting function to allow guest VMto use it even if hardware is not present */ +static int gpiochip_setup_dev__redirect(struct gpio_device *gdev) +{ 
@@ -2177,22 +2164,33 @@ index 50abb1c20df0..cf7296db3190 100644 +// FIXIT -- debug +//goto debug_end; + - ret = gcdev_register(gdev, gpio_devt); ++ ret = gcdev_register(gdev, gpio_devt); ++ ++ if (ret) ++ return ret; ++ ++ ret = gpiochip_sysfs_register(gdev); ++ if (ret) ++ goto err_remove_device; + - if (ret) - return ret; - -@@ -504,6 +606,9 @@ static int gpiochip_setup_dev(struct gpio_device *gdev) - if (ret) - goto err_remove_device; - +// FIXIT --debug +//debug_end: + - /* From this point, the .release() function cleans up gpio_device */ - gdev->dev.release = gpiodevice_release; - pr_info("%s: registered GPIOs %d to %d on %s\n", -@@ -522,6 +627,8 @@ static void gpiochip_machine_hog(struct gpio_chip *gc, struct gpiod_hog *hog) ++ /* From this point, the .release() function cleans up gpio_device */ ++ gdev->dev.release = gpiodevice_release; ++ pr_info("%s: registered GPIOs %d to %d on %s\n", ++ dev_name(&gdev->dev), gdev->base, ++ gdev->base + gdev->ngpio - 1, gdev->chip->label ? : "generic"); ++ ++ return 0; ++ ++err_remove_device: ++ gcdev_unregister(gdev); ++ return ret; ++} ++ + static void gpiochip_machine_hog(struct gpio_chip *gc, struct gpiod_hog *hog) + { struct gpio_desc *desc; int rv; @@ -2201,7 +2199,7 @@ index 50abb1c20df0..cf7296db3190 100644 desc = gpiochip_get_desc(gc, hog->chip_hwnum); if (IS_ERR(desc)) { chip_err(gc, "%s: unable to get GPIO desc: %ld\n", __func__, -@@ -542,6 +649,8 @@ static void machine_gpiochip_add(struct gpio_chip *gc) +@@ -542,6 +652,8 @@ static void machine_gpiochip_add(struct gpio_chip *gc) { struct gpiod_hog *hog; @@ -2210,7 +2208,7 @@ index 50abb1c20df0..cf7296db3190 100644 mutex_lock(&gpio_machine_hogs_mutex); list_for_each_entry(hog, &gpio_machine_hogs, list) { -@@ -557,6 +666,8 @@ static void gpiochip_setup_devs(void) +@@ -557,6 +669,8 @@ static void gpiochip_setup_devs(void) struct gpio_device *gdev; int ret; 
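Review bot: The added body of gpiochip_setup_dev__redirect repeats the registration tail of gpiochip_setup_dev line for line (gcdev_register, gpiochip_sysfs_register, the `dev.release` assignment, the pr_info and the err_remove_device unwind), so every later fix has to be mirrored in two places; after whatever redirect-specific setup the function does it can simply end with `return gpiochip_setup_dev(gdev);`, or the shared tail can move into one static helper both call if the redirect path must skip the proxy bookkeeping. The commented-out `// FIXIT -- debug`, `//goto debug_end;` and `//debug_end:` lines are leftover scaffolding and should be dropped from the patch. Related, in the preceding hunk the context line `proxy_host_gpio_dev[gpio_dev_count++] = gdev;` stores through an index that is only ever incremented, and neither the array's size nor an upper bound on `gpio_dev_count` is visible in this diff; if the array is fixed-size, a bound check before the store is needed so that registering more chips than it holds cannot write past it. The function's opening lines are outside this hunk.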
@@ -2219,7 +2217,7 @@ index 50abb1c20df0..cf7296db3190 100644 list_for_each_entry(gdev, &gpio_devices, list) { ret = gpiochip_setup_dev(gdev); if (ret) -@@ -576,6 +687,8 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data, +@@ -576,6 +690,8 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data, int base = gc->base; struct gpio_device *gdev; @@ -2228,7 +2226,7 @@ index 50abb1c20df0..cf7296db3190 100644 /* * First: allocate and populate the internal stat container, and * set up the struct device. -@@ -591,13 +704,13 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data, +@@ -591,13 +707,13 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data, gdev->dev.of_node = gc->parent->of_node; } @@ -2244,7 +2242,7 @@ index 50abb1c20df0..cf7296db3190 100644 /* * Assign fwnode depending on the result of the previous calls, -@@ -689,9 +802,9 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data, +@@ -689,9 +805,9 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data, BLOCKING_INIT_NOTIFIER_HEAD(&gdev->notifier); @@ -2256,7 +2254,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (gc->names) ret = gpiochip_set_desc_names(gc); -@@ -793,6 +906,256 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data, +@@ -793,6 +909,256 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data, } EXPORT_SYMBOL_GPL(gpiochip_add_data_with_key); @@ -2513,7 +2511,7 @@ index 50abb1c20df0..cf7296db3190 100644 /** * gpiochip_get_data() - get per-subdriver data for the chip * @gc: GPIO chip -@@ -802,6 +1165,8 @@ EXPORT_SYMBOL_GPL(gpiochip_add_data_with_key); +@@ -802,6 +1168,8 @@ EXPORT_SYMBOL_GPL(gpiochip_add_data_with_key); */ void *gpiochip_get_data(struct gpio_chip *gc) { 
@@ -2522,7 +2520,7 @@ index 50abb1c20df0..cf7296db3190 100644 return gc->gpiodev->data; } EXPORT_SYMBOL_GPL(gpiochip_get_data); -@@ -818,6 +1183,8 @@ void gpiochip_remove(struct gpio_chip *gc) +@@ -818,6 +1186,8 @@ void gpiochip_remove(struct gpio_chip *gc) unsigned long flags; unsigned int i; @@ -2531,7 +2529,7 @@ index 50abb1c20df0..cf7296db3190 100644 /* FIXME: should the legacy sysfs handling be moved to gpio_device? */ gpiochip_sysfs_unregister(gdev); gpiochip_free_hogs(gc); -@@ -875,10 +1242,13 @@ struct gpio_chip *gpiochip_find(void *data, +@@ -875,10 +1245,13 @@ struct gpio_chip *gpiochip_find(void *data, struct gpio_chip *gc = NULL; unsigned long flags; @@ -2545,7 +2543,7 @@ index 50abb1c20df0..cf7296db3190 100644 break; } -@@ -895,12 +1265,15 @@ static int gpiochip_match_name(struct gpio_chip *gc, void *data) +@@ -895,12 +1268,15 @@ static int gpiochip_match_name(struct gpio_chip *gc, void *data) return !strcmp(gc->label, name); } @@ -2563,7 +2561,7 @@ index 50abb1c20df0..cf7296db3190 100644 /* * The following is irqchip helper code for gpiochips. -@@ -910,6 +1283,8 @@ static int gpiochip_irqchip_init_hw(struct gpio_chip *gc) +@@ -910,6 +1286,8 @@ static int gpiochip_irqchip_init_hw(struct gpio_chip *gc) { struct gpio_irq_chip *girq = &gc->irq; @@ -2572,7 +2570,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (!girq->init_hw) return 0; -@@ -920,6 +1295,8 @@ static int gpiochip_irqchip_init_valid_mask(struct gpio_chip *gc) +@@ -920,6 +1298,8 @@ static int gpiochip_irqchip_init_valid_mask(struct gpio_chip *gc) { struct gpio_irq_chip *girq = &gc->irq; @@ -2581,7 +2579,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (!girq->init_valid_mask) return 0; -@@ -934,6 +1311,8 @@ static int gpiochip_irqchip_init_valid_mask(struct gpio_chip *gc) +@@ -934,6 +1314,8 @@ static int gpiochip_irqchip_init_valid_mask(struct gpio_chip *gc) static void gpiochip_irqchip_free_valid_mask(struct gpio_chip *gc) { 
@@ -2590,7 +2588,7 @@ index 50abb1c20df0..cf7296db3190 100644 bitmap_free(gc->irq.valid_mask); gc->irq.valid_mask = NULL; } -@@ -941,6 +1320,8 @@ static void gpiochip_irqchip_free_valid_mask(struct gpio_chip *gc) +@@ -941,6 +1323,8 @@ static void gpiochip_irqchip_free_valid_mask(struct gpio_chip *gc) bool gpiochip_irqchip_irq_valid(const struct gpio_chip *gc, unsigned int offset) { @@ -2599,7 +2597,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (!gpiochip_line_is_valid(gc, offset)) return false; /* No mask means all valid */ -@@ -966,6 +1347,8 @@ static void gpiochip_set_cascaded_irqchip(struct gpio_chip *gc, +@@ -966,6 +1350,8 @@ static void gpiochip_set_cascaded_irqchip(struct gpio_chip *gc, struct gpio_irq_chip *girq = &gc->irq; struct device *dev = &gc->gpiodev->dev; @@ -2608,7 +2606,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (!girq->domain) { chip_err(gc, "called %s before setting up irqchip\n", __func__); -@@ -1011,7 +1394,7 @@ void gpiochip_set_nested_irqchip(struct gpio_chip *gc, +@@ -1011,7 +1397,7 @@ void gpiochip_set_nested_irqchip(struct gpio_chip *gc, } EXPORT_SYMBOL_GPL(gpiochip_set_nested_irqchip); @@ -2617,7 +2615,7 @@ index 50abb1c20df0..cf7296db3190 100644 /** * gpiochip_set_hierarchical_irqchip() - connects a hierarchical irqchip -@@ -1250,6 +1633,8 @@ void *gpiochip_populate_parent_fwspec_twocell(struct gpio_chip *gc, +@@ -1250,6 +1636,8 @@ void *gpiochip_populate_parent_fwspec_twocell(struct gpio_chip *gc, { struct irq_fwspec *fwspec; @@ -2626,7 +2624,7 @@ index 50abb1c20df0..cf7296db3190 100644 fwspec = kmalloc(sizeof(*fwspec), GFP_KERNEL); if (!fwspec) return NULL; -@@ -1269,6 +1654,8 @@ void *gpiochip_populate_parent_fwspec_fourcell(struct gpio_chip *gc, +@@ -1269,6 +1657,8 @@ void *gpiochip_populate_parent_fwspec_fourcell(struct gpio_chip *gc, { struct irq_fwspec *fwspec; 
@@ -2635,7 +2633,7 @@ index 50abb1c20df0..cf7296db3190 100644 fwspec = kmalloc(sizeof(*fwspec), GFP_KERNEL); if (!fwspec) return NULL; -@@ -1296,7 +1683,7 @@ static bool gpiochip_hierarchy_is_hierarchical(struct gpio_chip *gc) +@@ -1296,7 +1686,7 @@ static bool gpiochip_hierarchy_is_hierarchical(struct gpio_chip *gc) return false; } @@ -2644,7 +2642,7 @@ index 50abb1c20df0..cf7296db3190 100644 /** * gpiochip_irq_map() - maps an IRQ into a GPIO irqchip -@@ -1314,6 +1701,8 @@ int gpiochip_irq_map(struct irq_domain *d, unsigned int irq, +@@ -1314,6 +1704,8 @@ int gpiochip_irq_map(struct irq_domain *d, unsigned int irq, struct gpio_chip *gc = d->host_data; int ret = 0; @@ -2653,25 +2651,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (!gpiochip_irqchip_irq_valid(gc, hwirq)) return -ENXIO; -@@ -1415,7 +1804,7 @@ static int gpiochip_to_irq(struct gpio_chip *gc, unsigned offset) - if (!gpiochip_irqchip_irq_valid(gc, offset)) - return -ENXIO; - --#ifdef CONFIG_IRQ_DOMAIN_HIERARCHY -+ #ifdef CONFIG_IRQ_DOMAIN_HIERARCHY - if (irq_domain_is_hierarchy(domain)) { - struct irq_fwspec spec; - -@@ -1426,7 +1815,7 @@ static int gpiochip_to_irq(struct gpio_chip *gc, unsigned offset) - - return irq_create_fwspec_mapping(&spec); - } --#endif -+ #endif - - return irq_create_mapping(domain, offset); - } -@@ -1709,7 +2098,7 @@ int gpiochip_irqchip_add_key(struct gpio_chip *gc, +@@ -1728,7 +2120,7 @@ int gpiochip_irqchip_add_key(struct gpio_chip *gc, } gc->irq.threaded = threaded; of_node = gc->parent->of_node; @@ -2680,7 +2660,7 @@ index 50abb1c20df0..cf7296db3190 100644 /* * If the gpiochip has an assigned OF node this takes precedence * FIXME: get rid of this and use gc->parent->of_node -@@ -1717,7 +2106,7 @@ int gpiochip_irqchip_add_key(struct gpio_chip *gc, +@@ -1736,7 +2128,7 @@ int gpiochip_irqchip_add_key(struct gpio_chip *gc, */ if (gc->of_node) of_node = gc->of_node; 
@@ -2689,7 +2669,7 @@ index 50abb1c20df0..cf7296db3190 100644 /* * Specifying a default trigger is a terrible idea if DT or ACPI is * used to configure the interrupts, as you may end-up with -@@ -1796,7 +2185,7 @@ static inline int gpiochip_irqchip_init_valid_mask(struct gpio_chip *gc) +@@ -1815,7 +2207,7 @@ static inline int gpiochip_irqchip_init_valid_mask(struct gpio_chip *gc) static inline void gpiochip_irqchip_free_valid_mask(struct gpio_chip *gc) { } @@ -2698,7 +2678,7 @@ index 50abb1c20df0..cf7296db3190 100644 /** * gpiochip_generic_request() - request the gpio function for a pin -@@ -1805,10 +2194,12 @@ static inline void gpiochip_irqchip_free_valid_mask(struct gpio_chip *gc) +@@ -1824,10 +2216,12 @@ static inline void gpiochip_irqchip_free_valid_mask(struct gpio_chip *gc) */ int gpiochip_generic_request(struct gpio_chip *gc, unsigned offset) { @@ -2713,7 +2693,7 @@ index 50abb1c20df0..cf7296db3190 100644 return pinctrl_gpio_request(gc->gpiodev->base + offset); } -@@ -1821,10 +2212,12 @@ EXPORT_SYMBOL_GPL(gpiochip_generic_request); +@@ -1840,10 +2234,12 @@ EXPORT_SYMBOL_GPL(gpiochip_generic_request); */ void gpiochip_generic_free(struct gpio_chip *gc, unsigned offset) { @@ -2728,7 +2708,7 @@ index 50abb1c20df0..cf7296db3190 100644 pinctrl_gpio_free(gc->gpiodev->base + offset); } -@@ -1839,11 +2232,13 @@ EXPORT_SYMBOL_GPL(gpiochip_generic_free); +@@ -1858,11 +2254,13 @@ EXPORT_SYMBOL_GPL(gpiochip_generic_free); int gpiochip_generic_config(struct gpio_chip *gc, unsigned offset, unsigned long config) { @@ -2743,7 +2723,7 @@ index 50abb1c20df0..cf7296db3190 100644 /** * gpiochip_add_pingroup_range() - add a range for GPIO <-> pin mapping -@@ -1865,6 +2260,8 @@ int gpiochip_add_pingroup_range(struct gpio_chip *gc, +@@ -1884,6 +2282,8 @@ int gpiochip_add_pingroup_range(struct gpio_chip *gc, struct gpio_device *gdev = gc->gpiodev; int ret; 
@@ -2752,7 +2732,7 @@ index 50abb1c20df0..cf7296db3190 100644 pin_range = kzalloc(sizeof(*pin_range), GFP_KERNEL); if (!pin_range) { chip_err(gc, "failed to allocate pin ranges\n"); -@@ -1923,6 +2320,8 @@ int gpiochip_add_pin_range(struct gpio_chip *gc, const char *pinctl_name, +@@ -1942,6 +2342,8 @@ int gpiochip_add_pin_range(struct gpio_chip *gc, const char *pinctl_name, struct gpio_device *gdev = gc->gpiodev; int ret; @@ -2761,7 +2741,7 @@ index 50abb1c20df0..cf7296db3190 100644 pin_range = kzalloc(sizeof(*pin_range), GFP_KERNEL); if (!pin_range) { chip_err(gc, "failed to allocate pin ranges\n"); -@@ -1964,6 +2363,8 @@ void gpiochip_remove_pin_ranges(struct gpio_chip *gc) +@@ -1983,6 +2385,8 @@ void gpiochip_remove_pin_ranges(struct gpio_chip *gc) struct gpio_pin_range *pin_range, *tmp; struct gpio_device *gdev = gc->gpiodev; @@ -2770,7 +2750,7 @@ index 50abb1c20df0..cf7296db3190 100644 list_for_each_entry_safe(pin_range, tmp, &gdev->pin_ranges, node) { list_del(&pin_range->node); pinctrl_remove_gpio_range(pin_range->pctldev, -@@ -1973,7 +2374,7 @@ void gpiochip_remove_pin_ranges(struct gpio_chip *gc) +@@ -1992,7 +2396,7 @@ void gpiochip_remove_pin_ranges(struct gpio_chip *gc) } EXPORT_SYMBOL_GPL(gpiochip_remove_pin_ranges); @@ -2779,7 +2759,7 @@ index 50abb1c20df0..cf7296db3190 100644 /* These "optional" allocation calls help prevent drivers from stomping * on each other, and help provide better diagnostics in debugfs. -@@ -1987,6 +2388,8 @@ static int gpiod_request_commit(struct gpio_desc *desc, const char *label) +@@ -2006,6 +2410,8 @@ static int gpiod_request_commit(struct gpio_desc *desc, const char *label) bool hogged = false; unsigned offset; 
@@ -2788,7 +2768,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (label) { /* Free desc->label if already allocated. */ if (desc->label) { -@@ -2092,6 +2495,8 @@ int gpiod_request(struct gpio_desc *desc, const char *label) +@@ -2111,6 +2517,8 @@ int gpiod_request(struct gpio_desc *desc, const char *label) int ret = -EPROBE_DEFER; struct gpio_device *gdev; @@ -2797,7 +2777,7 @@ index 50abb1c20df0..cf7296db3190 100644 VALIDATE_DESC(desc); gdev = desc->gdev; -@@ -2108,6 +2513,7 @@ int gpiod_request(struct gpio_desc *desc, const char *label) +@@ -2127,6 +2535,7 @@ int gpiod_request(struct gpio_desc *desc, const char *label) return ret; } @@ -2805,7 +2785,7 @@ index 50abb1c20df0..cf7296db3190 100644 static bool gpiod_free_commit(struct gpio_desc *desc) { -@@ -2115,6 +2521,8 @@ static bool gpiod_free_commit(struct gpio_desc *desc) +@@ -2134,6 +2543,8 @@ static bool gpiod_free_commit(struct gpio_desc *desc) unsigned long flags; struct gpio_chip *gc; @@ -2814,7 +2794,7 @@ index 50abb1c20df0..cf7296db3190 100644 might_sleep(); gpiod_unexport(desc); -@@ -2141,12 +2549,12 @@ static bool gpiod_free_commit(struct gpio_desc *desc) +@@ -2160,12 +2571,12 @@ static bool gpiod_free_commit(struct gpio_desc *desc) clear_bit(FLAG_EDGE_RISING, &desc->flags); clear_bit(FLAG_EDGE_FALLING, &desc->flags); clear_bit(FLAG_IS_HOGGED, &desc->flags); @@ -2831,7 +2811,7 @@ index 50abb1c20df0..cf7296db3190 100644 ret = true; } -@@ -2159,6 +2567,8 @@ static bool gpiod_free_commit(struct gpio_desc *desc) +@@ -2178,6 +2589,8 @@ static bool gpiod_free_commit(struct gpio_desc *desc) void gpiod_free(struct gpio_desc *desc) { @@ -2840,7 +2820,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (desc && desc->gdev && gpiod_free_commit(desc)) { module_put(desc->gdev->owner); put_device(&desc->gdev->dev); -@@ -2166,6 +2576,7 @@ void gpiod_free(struct gpio_desc *desc) +@@ -2185,6 +2598,7 @@ void gpiod_free(struct gpio_desc *desc) WARN_ON(extra_checks); } } 
@@ -2848,7 +2828,7 @@ index 50abb1c20df0..cf7296db3190 100644 /** * gpiochip_is_requested - return string iff signal was requested -@@ -2184,6 +2595,8 @@ const char *gpiochip_is_requested(struct gpio_chip *gc, unsigned offset) +@@ -2203,6 +2617,8 @@ const char *gpiochip_is_requested(struct gpio_chip *gc, unsigned offset) { struct gpio_desc *desc; @@ -2857,7 +2837,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (offset >= gc->ngpio) return NULL; -@@ -2227,6 +2640,8 @@ struct gpio_desc *gpiochip_request_own_desc(struct gpio_chip *gc, +@@ -2246,6 +2662,8 @@ struct gpio_desc *gpiochip_request_own_desc(struct gpio_chip *gc, struct gpio_desc *desc = gpiochip_get_desc(gc, hwnum); int ret; @@ -2866,7 +2846,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (IS_ERR(desc)) { chip_err(gc, "failed to get GPIO descriptor\n"); return desc; -@@ -2274,6 +2689,8 @@ EXPORT_SYMBOL_GPL(gpiochip_free_own_desc); +@@ -2293,6 +2711,8 @@ EXPORT_SYMBOL_GPL(gpiochip_free_own_desc); static int gpio_do_set_config(struct gpio_chip *gc, unsigned int offset, unsigned long config) { @@ -2875,7 +2855,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (!gc->set_config) return -ENOTSUPP; -@@ -2286,6 +2703,8 @@ static int gpio_set_config(struct gpio_desc *desc, enum pin_config_param mode) +@@ -2305,6 +2725,8 @@ static int gpio_set_config(struct gpio_desc *desc, enum pin_config_param mode) unsigned long config; unsigned arg; @@ -2884,7 +2864,7 @@ index 50abb1c20df0..cf7296db3190 100644 switch (mode) { case PIN_CONFIG_BIAS_PULL_DOWN: case PIN_CONFIG_BIAS_PULL_UP: -@@ -2305,6 +2724,8 @@ static int gpio_set_bias(struct gpio_desc *desc) +@@ -2324,6 +2746,8 @@ static int gpio_set_bias(struct gpio_desc *desc) int bias = 0; int ret = 0; 
@@ -2893,7 +2873,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (test_bit(FLAG_BIAS_DISABLE, &desc->flags)) bias = PIN_CONFIG_BIAS_DISABLE; else if (test_bit(FLAG_PULL_UP, &desc->flags)) -@@ -2334,6 +2755,8 @@ int gpiod_direction_input(struct gpio_desc *desc) +@@ -2353,6 +2777,8 @@ int gpiod_direction_input(struct gpio_desc *desc) struct gpio_chip *gc; int ret = 0; @@ -2902,7 +2882,7 @@ index 50abb1c20df0..cf7296db3190 100644 VALIDATE_DESC(desc); gc = desc->gdev->chip; -@@ -2381,6 +2804,8 @@ static int gpiod_direction_output_raw_commit(struct gpio_desc *desc, int value) +@@ -2400,6 +2826,8 @@ static int gpiod_direction_output_raw_commit(struct gpio_desc *desc, int value) int val = !!value; int ret = 0; @@ -2911,7 +2891,7 @@ index 50abb1c20df0..cf7296db3190 100644 /* * It's OK not to specify .direction_output() if the gpiochip is * output-only, but if there is then not even a .set() operation it -@@ -2431,6 +2856,8 @@ static int gpiod_direction_output_raw_commit(struct gpio_desc *desc, int value) +@@ -2450,6 +2878,8 @@ static int gpiod_direction_output_raw_commit(struct gpio_desc *desc, int value) */ int gpiod_direction_output_raw(struct gpio_desc *desc, int value) { @@ -2920,7 +2900,7 @@ index 50abb1c20df0..cf7296db3190 100644 VALIDATE_DESC(desc); return gpiod_direction_output_raw_commit(desc, value); } -@@ -2452,6 +2879,8 @@ int gpiod_direction_output(struct gpio_desc *desc, int value) +@@ -2471,6 +2901,8 @@ int gpiod_direction_output(struct gpio_desc *desc, int value) { int ret; @@ -2929,7 +2909,7 @@ index 50abb1c20df0..cf7296db3190 100644 VALIDATE_DESC(desc); if (test_bit(FLAG_ACTIVE_LOW, &desc->flags)) value = !value; -@@ -2523,6 +2952,8 @@ int gpiod_timestamp_control(struct gpio_desc *desc, int enable) +@@ -2542,6 +2974,8 @@ int gpiod_timestamp_control(struct gpio_desc *desc, int enable) { struct gpio_chip *chip; 
@@ -2938,7 +2918,7 @@ index 50abb1c20df0..cf7296db3190 100644 VALIDATE_DESC(desc); chip = desc->gdev->chip; if (!chip->timestamp_control) { -@@ -2550,6 +2981,8 @@ int gpiod_timestamp_read(struct gpio_desc *desc, u64 *ts) +@@ -2569,6 +3003,8 @@ int gpiod_timestamp_read(struct gpio_desc *desc, u64 *ts) u64 gpio_ts; int ret; @@ -2947,7 +2927,7 @@ index 50abb1c20df0..cf7296db3190 100644 VALIDATE_DESC(desc); chip = desc->gdev->chip; if (!chip->timestamp_read) { -@@ -2578,6 +3011,8 @@ int gpiod_set_config(struct gpio_desc *desc, unsigned long config) +@@ -2597,6 +3033,8 @@ int gpiod_set_config(struct gpio_desc *desc, unsigned long config) { struct gpio_chip *gc; @@ -2956,7 +2936,7 @@ index 50abb1c20df0..cf7296db3190 100644 VALIDATE_DESC(desc); gc = desc->gdev->chip; -@@ -2598,6 +3033,8 @@ int gpiod_set_debounce(struct gpio_desc *desc, unsigned debounce) +@@ -2617,6 +3055,8 @@ int gpiod_set_debounce(struct gpio_desc *desc, unsigned debounce) { unsigned long config; @@ -2965,7 +2945,7 @@ index 50abb1c20df0..cf7296db3190 100644 config = pinconf_to_config_packed(PIN_CONFIG_INPUT_DEBOUNCE, debounce); return gpiod_set_config(desc, config); } -@@ -2618,6 +3055,8 @@ int gpiod_set_transitory(struct gpio_desc *desc, bool transitory) +@@ -2637,6 +3077,8 @@ int gpiod_set_transitory(struct gpio_desc *desc, bool transitory) int gpio; int rc; @@ -2974,7 +2954,7 @@ index 50abb1c20df0..cf7296db3190 100644 VALIDATE_DESC(desc); /* * Handle FLAG_TRANSITORY first, enabling queries to gpiolib for -@@ -2652,6 +3091,8 @@ EXPORT_SYMBOL_GPL(gpiod_set_transitory); +@@ -2671,6 +3113,8 @@ EXPORT_SYMBOL_GPL(gpiod_set_transitory); */ int gpiod_is_active_low(const struct gpio_desc *desc) { @@ -2983,7 +2963,7 @@ index 50abb1c20df0..cf7296db3190 100644 VALIDATE_DESC(desc); return test_bit(FLAG_ACTIVE_LOW, &desc->flags); } -@@ -2663,6 +3104,8 @@ EXPORT_SYMBOL_GPL(gpiod_is_active_low); +@@ -2682,6 +3126,8 @@ EXPORT_SYMBOL_GPL(gpiod_is_active_low); */ void gpiod_toggle_active_low(struct gpio_desc *desc) { 
@@ -2992,7 +2972,7 @@ index 50abb1c20df0..cf7296db3190 100644 VALIDATE_DESC_VOID(desc); change_bit(FLAG_ACTIVE_LOW, &desc->flags); } -@@ -2696,6 +3139,8 @@ static int gpiod_get_raw_value_commit(const struct gpio_desc *desc) +@@ -2715,6 +3161,8 @@ static int gpiod_get_raw_value_commit(const struct gpio_desc *desc) int offset; int value; @@ -3001,7 +2981,7 @@ index 50abb1c20df0..cf7296db3190 100644 gc = desc->gdev->chip; offset = gpio_chip_hwgpio(desc); value = gc->get ? gc->get(gc, offset) : -EIO; -@@ -2707,6 +3152,8 @@ static int gpiod_get_raw_value_commit(const struct gpio_desc *desc) +@@ -2726,6 +3174,8 @@ static int gpiod_get_raw_value_commit(const struct gpio_desc *desc) static int gpio_chip_get_multiple(struct gpio_chip *gc, unsigned long *mask, unsigned long *bits) { @@ -3010,7 +2990,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (gc->get_multiple) { return gc->get_multiple(gc, mask, bits); } else if (gc->get) { -@@ -2731,6 +3178,8 @@ int gpiod_get_array_value_complex(bool raw, bool can_sleep, +@@ -2750,6 +3200,8 @@ int gpiod_get_array_value_complex(bool raw, bool can_sleep, { int ret, i = 0; @@ -3019,7 +2999,7 @@ index 50abb1c20df0..cf7296db3190 100644 /* * Validate array_info against desc_array and its size. * It should immediately follow desc_array if both -@@ -2837,6 +3286,8 @@ int gpiod_get_array_value_complex(bool raw, bool can_sleep, +@@ -2856,6 +3308,8 @@ int gpiod_get_array_value_complex(bool raw, bool can_sleep, */ int gpiod_get_raw_value(const struct gpio_desc *desc) { @@ -3028,7 +3008,7 @@ index 50abb1c20df0..cf7296db3190 100644 VALIDATE_DESC(desc); /* Should be using gpiod_get_raw_value_cansleep() */ WARN_ON(desc->gdev->chip->can_sleep); -@@ -2858,6 +3309,8 @@ int gpiod_get_value(const struct gpio_desc *desc) +@@ -2877,6 +3331,8 @@ int gpiod_get_value(const struct gpio_desc *desc) { int value; 
@@ -3037,7 +3017,7 @@ index 50abb1c20df0..cf7296db3190 100644 VALIDATE_DESC(desc); /* Should be using gpiod_get_value_cansleep() */ WARN_ON(desc->gdev->chip->can_sleep); -@@ -2892,6 +3345,8 @@ int gpiod_get_raw_array_value(unsigned int array_size, +@@ -2911,6 +3367,8 @@ int gpiod_get_raw_array_value(unsigned int array_size, struct gpio_array *array_info, unsigned long *value_bitmap) { @@ -3046,7 +3026,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (!desc_array) return -EINVAL; return gpiod_get_array_value_complex(true, false, array_size, -@@ -2918,6 +3373,8 @@ int gpiod_get_array_value(unsigned int array_size, +@@ -2937,6 +3395,8 @@ int gpiod_get_array_value(unsigned int array_size, struct gpio_array *array_info, unsigned long *value_bitmap) { @@ -3055,7 +3035,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (!desc_array) return -EINVAL; return gpiod_get_array_value_complex(false, false, array_size, -@@ -2937,6 +3394,8 @@ static void gpio_set_open_drain_value_commit(struct gpio_desc *desc, bool value) +@@ -2956,6 +3416,8 @@ static void gpio_set_open_drain_value_commit(struct gpio_desc *desc, bool value) struct gpio_chip *gc = desc->gdev->chip; int offset = gpio_chip_hwgpio(desc); @@ -3064,7 +3044,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (value) { ret = gc->direction_input(gc, offset); } else { -@@ -2962,6 +3421,8 @@ static void gpio_set_open_source_value_commit(struct gpio_desc *desc, bool value +@@ -2981,6 +3443,8 @@ static void gpio_set_open_source_value_commit(struct gpio_desc *desc, bool value struct gpio_chip *gc = desc->gdev->chip; int offset = gpio_chip_hwgpio(desc); @@ -3073,7 +3053,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (value) { ret = gc->direction_output(gc, offset, 1); if (!ret) -@@ -2980,6 +3441,8 @@ static void gpiod_set_raw_value_commit(struct gpio_desc *desc, bool value) +@@ -2999,6 +3463,8 @@ static void gpiod_set_raw_value_commit(struct gpio_desc *desc, bool value) { struct gpio_chip *gc; 
@@ -3082,7 +3062,7 @@ index 50abb1c20df0..cf7296db3190 100644 gc = desc->gdev->chip; trace_gpio_value(desc_to_gpio(desc), 0, value); gc->set(gc, gpio_chip_hwgpio(desc), value); -@@ -2998,6 +3461,8 @@ static void gpiod_set_raw_value_commit(struct gpio_desc *desc, bool value) +@@ -3017,6 +3483,8 @@ static void gpiod_set_raw_value_commit(struct gpio_desc *desc, bool value) static void gpio_chip_set_multiple(struct gpio_chip *gc, unsigned long *mask, unsigned long *bits) { @@ -3091,7 +3071,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (gc->set_multiple) { gc->set_multiple(gc, mask, bits); } else { -@@ -3017,6 +3482,8 @@ int gpiod_set_array_value_complex(bool raw, bool can_sleep, +@@ -3036,6 +3504,8 @@ int gpiod_set_array_value_complex(bool raw, bool can_sleep, { int i = 0; @@ -3100,7 +3080,7 @@ index 50abb1c20df0..cf7296db3190 100644 /* * Validate array_info against desc_array and its size. * It should immediately follow desc_array if both -@@ -3122,6 +3589,8 @@ int gpiod_set_array_value_complex(bool raw, bool can_sleep, +@@ -3141,6 +3611,8 @@ int gpiod_set_array_value_complex(bool raw, bool can_sleep, */ void gpiod_set_raw_value(struct gpio_desc *desc, int value) { @@ -3109,7 +3089,7 @@ index 50abb1c20df0..cf7296db3190 100644 VALIDATE_DESC_VOID(desc); /* Should be using gpiod_set_raw_value_cansleep() */ WARN_ON(desc->gdev->chip->can_sleep); -@@ -3140,6 +3609,8 @@ EXPORT_SYMBOL_GPL(gpiod_set_raw_value); +@@ -3159,6 +3631,8 @@ EXPORT_SYMBOL_GPL(gpiod_set_raw_value); */ static void gpiod_set_value_nocheck(struct gpio_desc *desc, int value) { @@ -3118,7 +3098,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (test_bit(FLAG_ACTIVE_LOW, &desc->flags)) value = !value; if (test_bit(FLAG_OPEN_DRAIN, &desc->flags)) -@@ -3163,6 +3634,8 @@ static void gpiod_set_value_nocheck(struct gpio_desc *desc, int value) +@@ -3182,6 +3656,8 @@ static void gpiod_set_value_nocheck(struct gpio_desc *desc, int value) */ void gpiod_set_value(struct gpio_desc *desc, int value) { 
@@ -3127,7 +3107,7 @@ index 50abb1c20df0..cf7296db3190 100644 VALIDATE_DESC_VOID(desc); /* Should be using gpiod_set_value_cansleep() */ WARN_ON(desc->gdev->chip->can_sleep); -@@ -3188,6 +3661,8 @@ int gpiod_set_raw_array_value(unsigned int array_size, +@@ -3207,6 +3683,8 @@ int gpiod_set_raw_array_value(unsigned int array_size, struct gpio_array *array_info, unsigned long *value_bitmap) { @@ -3136,7 +3116,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (!desc_array) return -EINVAL; return gpiod_set_array_value_complex(true, false, array_size, -@@ -3213,6 +3688,8 @@ int gpiod_set_array_value(unsigned int array_size, +@@ -3232,6 +3710,8 @@ int gpiod_set_array_value(unsigned int array_size, struct gpio_array *array_info, unsigned long *value_bitmap) { @@ -3145,7 +3125,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (!desc_array) return -EINVAL; return gpiod_set_array_value_complex(false, false, array_size, -@@ -3228,6 +3705,8 @@ EXPORT_SYMBOL_GPL(gpiod_set_array_value); +@@ -3247,6 +3727,8 @@ EXPORT_SYMBOL_GPL(gpiod_set_array_value); */ int gpiod_cansleep(const struct gpio_desc *desc) { @@ -3154,7 +3134,7 @@ index 50abb1c20df0..cf7296db3190 100644 VALIDATE_DESC(desc); return desc->gdev->chip->can_sleep; } -@@ -3240,6 +3719,8 @@ EXPORT_SYMBOL_GPL(gpiod_cansleep); +@@ -3259,6 +3741,8 @@ EXPORT_SYMBOL_GPL(gpiod_cansleep); */ int gpiod_set_consumer_name(struct gpio_desc *desc, const char *name) { @@ -3163,7 +3143,7 @@ index 50abb1c20df0..cf7296db3190 100644 VALIDATE_DESC(desc); if (name) { name = kstrdup_const(name, GFP_KERNEL); -@@ -3266,6 +3747,8 @@ int gpiod_to_irq(const struct gpio_desc *desc) +@@ -3285,6 +3769,8 @@ int gpiod_to_irq(const struct gpio_desc *desc) struct gpio_chip *gc; int offset; 
@@ -3172,7 +3152,7 @@ index 50abb1c20df0..cf7296db3190 100644 /* * Cannot VALIDATE_DESC() here as gpiod_to_irq() consumer semantics * requires this function to not return zero on an invalid descriptor -@@ -3300,6 +3783,8 @@ EXPORT_SYMBOL_GPL(gpiod_to_irq); +@@ -3329,6 +3815,8 @@ EXPORT_SYMBOL_GPL(gpiod_to_irq); int gpiochip_lock_as_irq(struct gpio_chip *gc, unsigned int offset) { struct gpio_desc *desc; @@ -3181,7 +3161,7 @@ index 50abb1c20df0..cf7296db3190 100644 desc = gpiochip_get_desc(gc, offset); if (IS_ERR(desc)) -@@ -3355,6 +3840,8 @@ void gpiochip_unlock_as_irq(struct gpio_chip *gc, unsigned int offset) +@@ -3384,6 +3872,8 @@ void gpiochip_unlock_as_irq(struct gpio_chip *gc, unsigned int offset) { struct gpio_desc *desc; @@ -3190,7 +3170,7 @@ index 50abb1c20df0..cf7296db3190 100644 desc = gpiochip_get_desc(gc, offset); if (IS_ERR(desc)) return; -@@ -3372,6 +3859,8 @@ void gpiochip_disable_irq(struct gpio_chip *gc, unsigned int offset) +@@ -3401,6 +3891,8 @@ void gpiochip_disable_irq(struct gpio_chip *gc, unsigned int offset) { struct gpio_desc *desc = gpiochip_get_desc(gc, offset); @@ -3199,7 +3179,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (!IS_ERR(desc) && !WARN_ON(!test_bit(FLAG_USED_AS_IRQ, &desc->flags))) clear_bit(FLAG_IRQ_IS_ENABLED, &desc->flags); -@@ -3382,6 +3871,8 @@ void gpiochip_enable_irq(struct gpio_chip *gc, unsigned int offset) +@@ -3411,6 +3903,8 @@ void gpiochip_enable_irq(struct gpio_chip *gc, unsigned int offset) { struct gpio_desc *desc = gpiochip_get_desc(gc, offset); @@ -3208,7 +3188,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (!IS_ERR(desc) && !WARN_ON(!test_bit(FLAG_USED_AS_IRQ, &desc->flags))) { /* -@@ -3397,6 +3888,8 @@ EXPORT_SYMBOL_GPL(gpiochip_enable_irq); +@@ -3426,6 +3920,8 @@ EXPORT_SYMBOL_GPL(gpiochip_enable_irq); bool gpiochip_line_is_irq(struct gpio_chip *gc, unsigned int offset) { 
@@ -3217,7 +3197,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (offset >= gc->ngpio) return false; -@@ -3430,6 +3923,8 @@ EXPORT_SYMBOL_GPL(gpiochip_relres_irq); +@@ -3459,6 +3955,8 @@ EXPORT_SYMBOL_GPL(gpiochip_relres_irq); bool gpiochip_line_is_open_drain(struct gpio_chip *gc, unsigned int offset) { @@ -3226,7 +3206,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (offset >= gc->ngpio) return false; -@@ -3439,6 +3934,8 @@ EXPORT_SYMBOL_GPL(gpiochip_line_is_open_drain); +@@ -3468,6 +3966,8 @@ EXPORT_SYMBOL_GPL(gpiochip_line_is_open_drain); bool gpiochip_line_is_open_source(struct gpio_chip *gc, unsigned int offset) { @@ -3235,7 +3215,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (offset >= gc->ngpio) return false; -@@ -3448,6 +3945,8 @@ EXPORT_SYMBOL_GPL(gpiochip_line_is_open_source); +@@ -3477,6 +3977,8 @@ EXPORT_SYMBOL_GPL(gpiochip_line_is_open_source); bool gpiochip_line_is_persistent(struct gpio_chip *gc, unsigned int offset) { @@ -3244,7 +3224,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (offset >= gc->ngpio) return false; -@@ -3466,6 +3965,8 @@ EXPORT_SYMBOL_GPL(gpiochip_line_is_persistent); +@@ -3495,6 +3997,8 @@ EXPORT_SYMBOL_GPL(gpiochip_line_is_persistent); */ int gpiod_get_raw_value_cansleep(const struct gpio_desc *desc) { @@ -3253,7 +3233,7 @@ index 50abb1c20df0..cf7296db3190 100644 might_sleep_if(extra_checks); VALIDATE_DESC(desc); return gpiod_get_raw_value_commit(desc); -@@ -3485,6 +3986,8 @@ int gpiod_get_value_cansleep(const struct gpio_desc *desc) +@@ -3514,6 +4018,8 @@ int gpiod_get_value_cansleep(const struct gpio_desc *desc) { int value; @@ -3262,7 +3242,7 @@ index 50abb1c20df0..cf7296db3190 100644 might_sleep_if(extra_checks); VALIDATE_DESC(desc); value = gpiod_get_raw_value_commit(desc); -@@ -3516,6 +4019,8 @@ int gpiod_get_raw_array_value_cansleep(unsigned int array_size, +@@ -3545,6 +4051,8 @@ int gpiod_get_raw_array_value_cansleep(unsigned int array_size, struct gpio_array *array_info, unsigned long *value_bitmap) { 
@@ -3271,7 +3251,7 @@ index 50abb1c20df0..cf7296db3190 100644 might_sleep_if(extra_checks); if (!desc_array) return -EINVAL; -@@ -3542,6 +4047,8 @@ int gpiod_get_array_value_cansleep(unsigned int array_size, +@@ -3571,6 +4079,8 @@ int gpiod_get_array_value_cansleep(unsigned int array_size, struct gpio_array *array_info, unsigned long *value_bitmap) { @@ -3280,7 +3260,7 @@ index 50abb1c20df0..cf7296db3190 100644 might_sleep_if(extra_checks); if (!desc_array) return -EINVAL; -@@ -3563,6 +4070,8 @@ EXPORT_SYMBOL_GPL(gpiod_get_array_value_cansleep); +@@ -3592,6 +4102,8 @@ EXPORT_SYMBOL_GPL(gpiod_get_array_value_cansleep); */ void gpiod_set_raw_value_cansleep(struct gpio_desc *desc, int value) { @@ -3289,7 +3269,7 @@ index 50abb1c20df0..cf7296db3190 100644 might_sleep_if(extra_checks); VALIDATE_DESC_VOID(desc); gpiod_set_raw_value_commit(desc, value); -@@ -3581,6 +4090,8 @@ EXPORT_SYMBOL_GPL(gpiod_set_raw_value_cansleep); +@@ -3610,6 +4122,8 @@ EXPORT_SYMBOL_GPL(gpiod_set_raw_value_cansleep); */ void gpiod_set_value_cansleep(struct gpio_desc *desc, int value) { @@ -3298,7 +3278,7 @@ index 50abb1c20df0..cf7296db3190 100644 might_sleep_if(extra_checks); VALIDATE_DESC_VOID(desc); gpiod_set_value_nocheck(desc, value); -@@ -3604,6 +4115,8 @@ int gpiod_set_raw_array_value_cansleep(unsigned int array_size, +@@ -3633,6 +4147,8 @@ int gpiod_set_raw_array_value_cansleep(unsigned int array_size, struct gpio_array *array_info, unsigned long *value_bitmap) { @@ -3307,7 +3287,7 @@ index 50abb1c20df0..cf7296db3190 100644 might_sleep_if(extra_checks); if (!desc_array) return -EINVAL; -@@ -3621,6 +4134,8 @@ void gpiod_add_lookup_tables(struct gpiod_lookup_table **tables, size_t n) +@@ -3650,6 +4166,8 @@ void gpiod_add_lookup_tables(struct gpiod_lookup_table **tables, size_t n) { unsigned int i; 
@@ -3316,7 +3296,7 @@ index 50abb1c20df0..cf7296db3190 100644 mutex_lock(&gpio_lookup_lock); for (i = 0; i < n; i++) -@@ -3646,6 +4161,8 @@ int gpiod_set_array_value_cansleep(unsigned int array_size, +@@ -3675,6 +4193,8 @@ int gpiod_set_array_value_cansleep(unsigned int array_size, struct gpio_array *array_info, unsigned long *value_bitmap) { @@ -3325,7 +3305,7 @@ index 50abb1c20df0..cf7296db3190 100644 might_sleep_if(extra_checks); if (!desc_array) return -EINVAL; -@@ -3661,6 +4178,8 @@ EXPORT_SYMBOL_GPL(gpiod_set_array_value_cansleep); +@@ -3690,6 +4210,8 @@ EXPORT_SYMBOL_GPL(gpiod_set_array_value_cansleep); */ void gpiod_add_lookup_table(struct gpiod_lookup_table *table) { @@ -3334,7 +3314,7 @@ index 50abb1c20df0..cf7296db3190 100644 mutex_lock(&gpio_lookup_lock); list_add_tail(&table->list, &gpio_lookup_list); -@@ -3675,6 +4194,8 @@ EXPORT_SYMBOL_GPL(gpiod_add_lookup_table); +@@ -3704,6 +4226,8 @@ EXPORT_SYMBOL_GPL(gpiod_add_lookup_table); */ void gpiod_remove_lookup_table(struct gpiod_lookup_table *table) { @@ -3343,7 +3323,7 @@ index 50abb1c20df0..cf7296db3190 100644 mutex_lock(&gpio_lookup_lock); list_del(&table->list); -@@ -3692,6 +4213,8 @@ void gpiod_add_hogs(struct gpiod_hog *hogs) +@@ -3721,6 +4245,8 @@ void gpiod_add_hogs(struct gpiod_hog *hogs) struct gpio_chip *gc; struct gpiod_hog *hog; @@ -3352,7 +3332,7 @@ index 50abb1c20df0..cf7296db3190 100644 mutex_lock(&gpio_machine_hogs_mutex); for (hog = &hogs[0]; hog->chip_label; hog++) { -@@ -3715,6 +4238,8 @@ static struct gpiod_lookup_table *gpiod_find_lookup_table(struct device *dev) +@@ -3744,6 +4270,8 @@ static struct gpiod_lookup_table *gpiod_find_lookup_table(struct device *dev) const char *dev_id = dev ? dev_name(dev) : NULL; struct gpiod_lookup_table *table; 
@@ -3361,7 +3341,7 @@ index 50abb1c20df0..cf7296db3190 100644 mutex_lock(&gpio_lookup_lock); list_for_each_entry(table, &gpio_lookup_list, list) { -@@ -3748,6 +4273,8 @@ static struct gpio_desc *gpiod_find(struct device *dev, const char *con_id, +@@ -3777,6 +4305,8 @@ static struct gpio_desc *gpiod_find(struct device *dev, const char *con_id, struct gpiod_lookup_table *table; struct gpiod_lookup *p; @@ -3370,7 +3350,7 @@ index 50abb1c20df0..cf7296db3190 100644 table = gpiod_find_lookup_table(dev); if (!table) return desc; -@@ -3813,6 +4340,8 @@ static int platform_gpio_count(struct device *dev, const char *con_id) +@@ -3842,6 +4372,8 @@ static int platform_gpio_count(struct device *dev, const char *con_id) struct gpiod_lookup *p; unsigned int count = 0; @@ -3379,7 +3359,7 @@ index 50abb1c20df0..cf7296db3190 100644 table = gpiod_find_lookup_table(dev); if (!table) return -ENOENT; -@@ -3858,6 +4387,8 @@ struct gpio_desc *fwnode_gpiod_get_index(struct fwnode_handle *fwnode, +@@ -3887,6 +4419,8 @@ struct gpio_desc *fwnode_gpiod_get_index(struct fwnode_handle *fwnode, char prop_name[32]; /* 32 is max size of property name */ unsigned int i; @@ -3388,7 +3368,7 @@ index 50abb1c20df0..cf7296db3190 100644 for (i = 0; i < ARRAY_SIZE(gpio_suffixes); i++) { if (con_id) snprintf(prop_name, sizeof(prop_name), "%s-%s", -@@ -3886,6 +4417,8 @@ int gpiod_count(struct device *dev, const char *con_id) +@@ -3915,6 +4449,8 @@ int gpiod_count(struct device *dev, const char *con_id) { int count = -ENOENT; @@ -3397,7 +3377,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (IS_ENABLED(CONFIG_OF) && dev && dev->of_node) count = of_gpio_get_count(dev, con_id); else if (IS_ENABLED(CONFIG_ACPI) && dev && ACPI_HANDLE(dev)) -@@ -3911,6 +4444,8 @@ EXPORT_SYMBOL_GPL(gpiod_count); +@@ -3940,6 +4476,8 @@ EXPORT_SYMBOL_GPL(gpiod_count); struct gpio_desc *__must_check gpiod_get(struct device *dev, const char *con_id, enum gpiod_flags flags) { 
@@ -3406,7 +3386,7 @@ index 50abb1c20df0..cf7296db3190 100644 return gpiod_get_index(dev, con_id, 0, flags); } EXPORT_SYMBOL_GPL(gpiod_get); -@@ -3951,6 +4486,8 @@ int gpiod_configure_flags(struct gpio_desc *desc, const char *con_id, +@@ -3980,6 +4518,8 @@ int gpiod_configure_flags(struct gpio_desc *desc, const char *con_id, { int ret; @@ -3415,7 +3395,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (lflags & GPIO_ACTIVE_LOW) set_bit(FLAG_ACTIVE_LOW, &desc->flags); -@@ -4121,6 +4658,8 @@ struct gpio_desc *fwnode_get_named_gpiod(struct fwnode_handle *fwnode, +@@ -4150,6 +4690,8 @@ struct gpio_desc *fwnode_get_named_gpiod(struct fwnode_handle *fwnode, struct gpio_desc *desc = ERR_PTR(-ENODEV); int ret; @@ -3424,7 +3404,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (!fwnode) return ERR_PTR(-EINVAL); -@@ -4178,6 +4717,8 @@ struct gpio_desc *__must_check gpiod_get_index_optional(struct device *dev, +@@ -4207,6 +4749,8 @@ struct gpio_desc *__must_check gpiod_get_index_optional(struct device *dev, { struct gpio_desc *desc; @@ -3433,7 +3413,7 @@ index 50abb1c20df0..cf7296db3190 100644 desc = gpiod_get_index(dev, con_id, index, flags); if (IS_ERR(desc)) { if (PTR_ERR(desc) == -ENOENT) -@@ -4204,6 +4745,8 @@ int gpiod_hog(struct gpio_desc *desc, const char *name, +@@ -4233,6 +4777,8 @@ int gpiod_hog(struct gpio_desc *desc, const char *name, int hwnum; int ret; @@ -3442,7 +3422,7 @@ index 50abb1c20df0..cf7296db3190 100644 gc = gpiod_to_chip(desc); hwnum = gpio_chip_hwgpio(desc); -@@ -4235,6 +4778,8 @@ static void gpiochip_free_hogs(struct gpio_chip *gc) +@@ -4264,6 +4810,8 @@ static void gpiochip_free_hogs(struct gpio_chip *gc) { int id; 
@@ -3451,7 +3431,7 @@ index 50abb1c20df0..cf7296db3190 100644 for (id = 0; id < gc->ngpio; id++) { if (test_bit(FLAG_IS_HOGGED, &gc->gpiodev->descs[id].flags)) gpiochip_free_own_desc(&gc->gpiodev->descs[id]); -@@ -4263,6 +4808,8 @@ struct gpio_descs *__must_check gpiod_get_array(struct device *dev, +@@ -4292,6 +4840,8 @@ struct gpio_descs *__must_check gpiod_get_array(struct device *dev, struct gpio_chip *gc; int count, bitmap_size; @@ -3460,7 +3440,7 @@ index 50abb1c20df0..cf7296db3190 100644 count = gpiod_count(dev, con_id); if (count < 0) return ERR_PTR(count); -@@ -4383,6 +4930,8 @@ struct gpio_descs *__must_check gpiod_get_array_optional(struct device *dev, +@@ -4412,6 +4962,8 @@ struct gpio_descs *__must_check gpiod_get_array_optional(struct device *dev, { struct gpio_descs *descs; @@ -3469,7 +3449,7 @@ index 50abb1c20df0..cf7296db3190 100644 descs = gpiod_get_array(dev, con_id, flags); if (PTR_ERR(descs) == -ENOENT) return NULL; -@@ -4399,6 +4948,8 @@ EXPORT_SYMBOL_GPL(gpiod_get_array_optional); +@@ -4428,6 +4980,8 @@ EXPORT_SYMBOL_GPL(gpiod_get_array_optional); */ void gpiod_put(struct gpio_desc *desc) { @@ -3478,7 +3458,7 @@ index 50abb1c20df0..cf7296db3190 100644 if (desc) gpiod_free(desc); } -@@ -4412,6 +4963,8 @@ void gpiod_put_array(struct gpio_descs *descs) +@@ -4441,6 +4995,8 @@ void gpiod_put_array(struct gpio_descs *descs) { unsigned int i; @@ -3487,7 +3467,7 @@ index 50abb1c20df0..cf7296db3190 100644 for (i = 0; i < descs->ndescs; i++) gpiod_put(descs->desc[i]); -@@ -4423,6 +4976,8 @@ static int __init gpiolib_dev_init(void) +@@ -4452,6 +5008,8 @@ static int __init gpiolib_dev_init(void) { int ret; 
@@ -3496,7 +3476,7 @@ index 50abb1c20df0..cf7296db3190 100644 /* Register GPIO sysfs bus */ ret = bus_register(&gpio_bus_type); if (ret < 0) { -@@ -4442,13 +4997,13 @@ static int __init gpiolib_dev_init(void) +@@ -4471,13 +5029,13 @@ static int __init gpiolib_dev_init(void) #if IS_ENABLED(CONFIG_OF_DYNAMIC) && IS_ENABLED(CONFIG_OF_GPIO) WARN_ON(of_reconfig_notifier_register(&gpio_of_notifier)); @@ -3512,12 +3492,12 @@ index 50abb1c20df0..cf7296db3190 100644 static void gpiolib_dbg_show(struct seq_file *s, struct gpio_device *gdev) { -@@ -4575,4 +5130,4 @@ static int __init gpiolib_debugfs_init(void) +@@ -4604,4 +5162,4 @@ static int __init gpiolib_debugfs_init(void) } subsys_initcall(gpiolib_debugfs_init); -#endif /* DEBUG_FS */ -+ #endif /* FIXIT -- debug_FS */ ++ #endif /* DEBUG_FS */ diff --git a/drivers/pinctrl/core.c b/drivers/pinctrl/core.c index c73b34e03aae..4c46d7faac5e 100644 --- a/drivers/pinctrl/core.c diff --git a/modules/jetpack/nvidia-jetson-orin/virtualization/common/gpio-virt-common/patches/0004-gpio-virt-drivers.patch b/modules/jetpack/nvidia-jetson-orin/virtualization/common/gpio-virt-common/patches/0004-gpio-virt-drivers.patch index edeb89aa8..4741d6c73 100644 --- a/modules/jetpack/nvidia-jetson-orin/virtualization/common/gpio-virt-common/patches/0004-gpio-virt-drivers.patch +++ b/modules/jetpack/nvidia-jetson-orin/virtualization/common/gpio-virt-common/patches/0004-gpio-virt-drivers.patch @@ -15,13 +15,15 @@ index dcecc9f6e33f..ed7d58d68ba6 100644 endmenu diff --git a/drivers/Makefile b/drivers/Makefile --- a/drivers/Makefile 2024-05-02 12:06:58.097355696 +0000 -+++ b/drivers/Makefile 2024-08-01 14:32:02.521803787 +0000 -@@ -193,0 +194,5 @@ ++++ b/drivers/Makefile 2024-09-03 09:17:29.592284124 +0000 +@@ -193,0 +194,7 @@ +# +# +# ++$(info Building GPIO proxy modules...) +obj-y += gpio-host-proxy/ +obj-y += gpio-guest-proxy/ ++$(info Finished building GPIO proxy modules...) 
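Review bot: In the last hunk the nested gpiolib.c patch still removes `#endif /* DEBUG_FS */` and re-adds what appears to be the same text with a leading space (`+ #endif /* DEBUG_FS */`), so once the `FIXIT -- debug_FS` wording is gone the inner hunk is a whitespace-only change to a preprocessor directive. If the leading space is unintentional, drop it; an inner hunk that then has no net change should be removed from the nested patch together with its `@@ -4604,4 +5162,4 @@` header rather than carried along. The remaining hunks in this file only renumber inner hunk headers and need nothing.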
diff --git a/drivers/gpio-guest-proxy/Kconfig b/drivers/gpio-guest-proxy/Kconfig new file mode 100644 index 0000000..e25a19a @@ -48,10 +50,10 @@ index 0000000..2580e02 +obj-$(CONFIG_TEGRA_GPIO_GUEST_PROXY) += gpio-guest-proxy.o diff --git a/drivers/gpio-guest-proxy/gpio-guest-proxy.c b/drivers/gpio-guest-proxy/gpio-guest-proxy.c new file mode 100644 -index 0000000..6fbc960 +index 0000000..e7215dd --- /dev/null +++ b/drivers/gpio-guest-proxy/gpio-guest-proxy.c -@@ -0,0 +1,909 @@ +@@ -0,0 +1,905 @@ +// SPDX-License-Identifier: GPL-2.0-only +/** + * NVIDIA GPIO Guest Proxy Kernel Module @@ -408,7 +410,7 @@ index 0000000..6fbc960 + return ret; +} + -+// unpreserve_all_tegrachips also does unhooking ? ++// unpreserve_all_tegrachips also does unhooking +extern void unpreserve_all_tegrachips(void); +struct gpio_chip * find_chip_by_id(int id); + @@ -512,15 +514,13 @@ index 0000000..6fbc960 +/* + * Removes module, sends appropriate message to kernel + */ -+void tegra_gpio_guest_cleanup(void) ++int tegra_gpio_guest_cleanup(void) +{ + deb_info("removing module.\n"); + + // unmap iomem + iounmap((void __iomem*)gpio_vpa); + -+ // gpio_unhook is called by unpreserve_all_tegrachips() -+ // gpio_unhook() + // clean up shared memory with stock driver and unhook all functions + unpreserve_all_tegrachips(); + @@ -532,11 +532,9 @@ index 0000000..6fbc960 + unregister_chrdev(major_number, DEVICE_NAME); + + is_set_up = false; -+ return; ++ return 0; +} -+ -+ -+ ++EXPORT_SYMBOL_GPL(tegra_gpio_guest_cleanup); + +/* + * Opens device module, sends appropriate message to kernel @@ -986,10 +984,10 @@ index 0000000..c2e0184 +obj-$(CONFIG_TEGRA_GPIO_HOST_PROXY) += gpio-host-proxy.o diff --git a/drivers/gpio-host-proxy/gpio-host-proxy.c b/drivers/gpio-host-proxy/gpio-host-proxy.c new file mode 100644 -index 0000000..399befa +index 0000000..e9d1e72 --- /dev/null 
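Review bot: The two `$(info ...)` lines added to drivers/Makefile are expanded when make parses the file, not when the proxy objects are compiled, so `Finished building GPIO proxy modules...` is printed before any build step runs and on every pass that reads drivers/Makefile, including clean. Keep the `obj-y += gpio-host-proxy/` and `obj-y += gpio-guest-proxy/` lines and drop both messages; Kbuild already reports each object as it is built, and a parse-time message that claims completion will mislead whoever reads the log.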
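Review bot: `tegra_gpio_guest_cleanup` now returns `int` and is exported with `EXPORT_SYMBOL_GPL`, but it always returns 0 and tears everything down unconditionally, clearing `is_set_up` only at the end without checking that setup ever ran. An external caller invoking it twice or before setup would reach `iounmap` on `gpio_vpa` and `unregister_chrdev` on a stale `major_number`; a guard such as `if (!is_set_up) return -ENODEV;` at the top of the function would give the new return value a purpose. The middle of the function falls between the `@@ -512,15 +514,13 @@` and `@@ -532,11 +532,9 @@` hunks and is not shown, so this assumes no such check exists there; the comment above the definition should also say that the function is idempotent (or not) once the guard is decided.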
+++ b/drivers/gpio-host-proxy/gpio-host-proxy.c -@@ -0,0 +1,805 @@ +@@ -0,0 +1,821 @@ +// SPDX-License-Identifier: GPL-2.0-only +/** + * NVIDIA GPIO host Proxy Kernel Module @@ -1229,10 +1227,10 @@ index 0000000..399befa + major_number = register_chrdev(0, DEVICE_NAME, &fops); + if (major_number < 0) + { -+ deb_error("could not register number.\n"); ++ deb_error("chardev could not register number.\n"); + return major_number; + } -+ deb_debug("registered correctly with major number %d", major_number); ++ deb_debug("chardev registered correctly with major number %d", major_number); + + // Register the device class + gpio_host_proxy_class = class_create(THIS_MODULE, CLASS_NAME); @@ -1269,8 +1267,7 @@ index 0000000..399befa + class_unregister(gpio_host_proxy_class); // unregister the device class + class_destroy(gpio_host_proxy_class); // remove the device class + unregister_chrdev(major_number, DEVICE_NAME); // unregister the major number -+ deb_info("Goodbye from the GPIO passthrough\n"); -+ unregister_chrdev(major_number, DEVICE_NAME); ++ deb_info("Goodbye from GPIO passthrough\n"); + return 0; +} + @@ -1753,7 +1750,22 @@ index 0000000..399befa + return len; // return length of read data +} + -+/* module creation -- see also gpio_host_proxy_probe and gpio_host_proxy_remove */ ++int tegra_gpio_host_init(void) ++{ ++ struct platform_device *pdev = NULL; // not used -- param is for the kernel module version of code ++ return gpio_host_proxy_probe(pdev); ++} ++EXPORT_SYMBOL_GPL(tegra_gpio_host_init); ++ ++int tegra_gpio_host_cleanup(void) ++{ ++ struct platform_device *pdev = NULL; // not used -- param is for the kernel module version of code ++ return gpio_host_proxy_remove(pdev); ++} ++EXPORT_SYMBOL_GPL(tegra_gpio_host_cleanup); ++ ++/* proxy driver as module removed ++ * module creation -- see also gpio_host_proxy_probe and gpio_host_proxy_remove + +static const struct of_device_id gpio_host_proxy_ids[] = { + { .compatible = "nvidia,gpio-host-proxy" }, 
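Review bot: `tegra_gpio_host_init` and `tegra_gpio_host_cleanup` pass a NULL `struct platform_device *` into `gpio_host_proxy_probe` and `gpio_host_proxy_remove`; if either body touches `pdev->dev` (device-managed allocations, `dev_err`-style logging, driver data), this is a NULL dereference at init. Those bodies are outside the hunk, so either confirm they never dereference `pdev` or give the wrappers implementations that do not take a device. The platform-driver glue after `/* proxy driver as module removed` is disabled by a block comment that is closed with `*/` in the following hunk (`@@ -1795,6 +1807,8 @@`); since this file is new in the series, delete that dead block instead of commenting it out — any `*/` inside it would end the comment early — and replace it with a one-line comment stating that the driver is initialised through the two exported wrappers.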
@@ -1795,6 +1807,8 @@ index 0000000..399befa + +module_init(gpio_host_proxy_init); +module_exit(gpio_host_proxy_exit); ++ ++*/ diff --git a/drivers/gpio-host-proxy/gpio-host-proxy.h b/drivers/gpio-host-proxy/gpio-host-proxy.h new file mode 100644 index 0000000..295c2b6 diff --git a/modules/jetpack/nvidia-jetson-orin/virtualization/common/gpio-virt-common/patches/0006-defconfig-kernel.patch b/modules/jetpack/nvidia-jetson-orin/virtualization/common/gpio-virt-common/patches/0006-defconfig-kernel.patch index cc906b8b0..e69de29bb 100644 --- a/modules/jetpack/nvidia-jetson-orin/virtualization/common/gpio-virt-common/patches/0006-defconfig-kernel.patch +++ b/modules/jetpack/nvidia-jetson-orin/virtualization/common/gpio-virt-common/patches/0006-defconfig-kernel.patch 
@@ -1,8481 +0,0 @@ -diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig -index bda2dff571c4..73a92ece4ca0 100644 ---- a/arch/arm64/configs/defconfig -+++ b/arch/arm64/configs/defconfig -@@ -1,201 +1,1283 @@ -+# -+# Automatically generated file; DO NOT EDIT. -+# Linux/arm64 5.10.104 Kernel Configuration -+# -+CONFIG_CC_VERSION_TEXT="gcc (GCC) 9.5.0" -+CONFIG_CC_IS_GCC=y -+CONFIG_GCC_VERSION=90500 -+CONFIG_LD_VERSION=240000000 -+CONFIG_CLANG_VERSION=0 -+CONFIG_LLD_VERSION=0 -+CONFIG_CC_CAN_LINK=y -+CONFIG_CC_HAS_ASM_GOTO=y -+CONFIG_CC_HAS_ASM_INLINE=y -+CONFIG_IRQ_WORK=y -+CONFIG_BUILDTIME_TABLE_SORT=y -+CONFIG_THREAD_INFO_IN_TASK=y -+ -+# -+# General setup -+# -+CONFIG_INIT_ENV_ARG_LIMIT=32 -+# CONFIG_COMPILE_TEST is not set -+CONFIG_LOCALVERSION="" - # CONFIG_LOCALVERSION_AUTO is not set -+CONFIG_BUILD_SALT="" -+CONFIG_DEFAULT_INIT="" -+CONFIG_DEFAULT_HOSTNAME="(none)" -+CONFIG_SWAP=y - CONFIG_SYSVIPC=y -+CONFIG_SYSVIPC_SYSCTL=y - CONFIG_POSIX_MQUEUE=y -+CONFIG_POSIX_MQUEUE_SYSCTL=y - CONFIG_WATCH_QUEUE=y -+CONFIG_CROSS_MEMORY_ATTACH=y -+# CONFIG_USELIB is not set - CONFIG_AUDIT=y -+CONFIG_HAVE_ARCH_AUDITSYSCALL=y -+CONFIG_AUDITSYSCALL=y -+ -+# -+# IRQ subsystem -+# -+CONFIG_GENERIC_IRQ_PROBE=y -+CONFIG_GENERIC_IRQ_SHOW=y -+CONFIG_GENERIC_IRQ_SHOW_LEVEL=y -+CONFIG_GENERIC_IRQ_EFFECTIVE_AFF_MASK=y -+CONFIG_GENERIC_IRQ_MIGRATION=y -+CONFIG_HARDIRQS_SW_RESEND=y -+CONFIG_IRQ_DOMAIN=y -+CONFIG_IRQ_SIM=y -+CONFIG_IRQ_DOMAIN_HIERARCHY=y -+CONFIG_GENERIC_IRQ_IPI=y -+CONFIG_GENERIC_MSI_IRQ=y -+CONFIG_GENERIC_MSI_IRQ_DOMAIN=y -+CONFIG_IRQ_MSI_IOMMU=y -+CONFIG_HANDLE_DOMAIN_IRQ=y -+CONFIG_IRQ_FORCED_THREADING=y -+CONFIG_SPARSE_IRQ=y -+# CONFIG_GENERIC_IRQ_DEBUGFS is not set -+# end of IRQ subsystem -+ -+CONFIG_GENERIC_IRQ_MULTI_HANDLER=y -+CONFIG_GENERIC_TIME_VSYSCALL=y -+CONFIG_GENERIC_CLOCKEVENTS=y -+CONFIG_ARCH_HAS_TICK_BROADCAST=y -+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y -+ -+# -+# Timers subsystem -+# -+CONFIG_TICK_ONESHOT=y -+CONFIG_NO_HZ_COMMON=y 
-+# CONFIG_HZ_PERIODIC is not set -+CONFIG_NO_HZ_IDLE=y -+# CONFIG_NO_HZ_FULL is not set - CONFIG_NO_HZ=y - CONFIG_HIGH_RES_TIMERS=y -+# end of Timers subsystem -+ -+# CONFIG_PREEMPT_NONE is not set -+# CONFIG_PREEMPT_VOLUNTARY is not set - CONFIG_PREEMPT=y -+CONFIG_PREEMPT_COUNT=y -+CONFIG_PREEMPTION=y -+ -+# -+# CPU/Task time and stats accounting -+# -+CONFIG_TICK_CPU_ACCOUNTING=y -+# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set - CONFIG_IRQ_TIME_ACCOUNTING=y -+CONFIG_HAVE_SCHED_AVG_IRQ=y -+CONFIG_SCHED_THERMAL_PRESSURE=y - CONFIG_BSD_PROCESS_ACCT=y - CONFIG_BSD_PROCESS_ACCT_V3=y -+CONFIG_TASKSTATS=y -+CONFIG_TASK_DELAY_ACCT=y - CONFIG_TASK_XACCT=y - CONFIG_TASK_IO_ACCOUNTING=y -+# CONFIG_PSI is not set -+# end of CPU/Task time and stats accounting -+ -+CONFIG_CPU_ISOLATION=y -+ -+# -+# RCU Subsystem -+# -+CONFIG_TREE_RCU=y -+CONFIG_PREEMPT_RCU=y -+# CONFIG_RCU_EXPERT is not set -+CONFIG_SRCU=y -+CONFIG_TREE_SRCU=y -+CONFIG_TASKS_RCU_GENERIC=y -+CONFIG_TASKS_RCU=y -+CONFIG_TASKS_RUDE_RCU=y -+CONFIG_TASKS_TRACE_RCU=y -+CONFIG_RCU_STALL_COMMON=y -+CONFIG_RCU_NEED_SEGCBLIST=y -+# end of RCU Subsystem -+ - CONFIG_IKCONFIG=y - CONFIG_IKCONFIG_PROC=y -+# CONFIG_IKHEADERS is not set -+CONFIG_LOG_BUF_SHIFT=20 -+CONFIG_LOG_CPU_MAX_BUF_SHIFT=12 -+CONFIG_PRINTK_SAFE_LOG_BUF_SHIFT=14 -+CONFIG_GENERIC_SCHED_CLOCK=y -+ -+# -+# Scheduler features -+# -+# CONFIG_UCLAMP_TASK is not set -+# end of Scheduler features -+ -+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y -+CONFIG_CC_HAS_INT128=y -+CONFIG_ARCH_SUPPORTS_INT128=y - CONFIG_CGROUPS=y -+CONFIG_PAGE_COUNTER=y - CONFIG_MEMCG=y -+CONFIG_MEMCG_SWAP=y -+CONFIG_MEMCG_KMEM=y - CONFIG_BLK_CGROUP=y -+CONFIG_CGROUP_WRITEBACK=y - CONFIG_CGROUP_SCHED=y -+CONFIG_FAIR_GROUP_SCHED=y - CONFIG_CFS_BANDWIDTH=y - CONFIG_RT_GROUP_SCHED=y - CONFIG_CGROUP_PIDS=y -+# CONFIG_CGROUP_RDMA is not set - CONFIG_CGROUP_FREEZER=y - CONFIG_CGROUP_HUGETLB=y - CONFIG_CPUSETS=y -+CONFIG_PROC_PID_CPUSET=y - CONFIG_CGROUP_DEVICE=y - CONFIG_CGROUP_CPUACCT=y - 
CONFIG_CGROUP_PERF=y -+# CONFIG_CGROUP_BPF is not set -+# CONFIG_CGROUP_DEBUG is not set -+CONFIG_SOCK_CGROUP_DATA=y - CONFIG_NAMESPACES=y -+CONFIG_UTS_NS=y -+CONFIG_TIME_NS=y -+CONFIG_IPC_NS=y - CONFIG_USER_NS=y -+CONFIG_PID_NS=y -+CONFIG_NET_NS=y -+# CONFIG_CHECKPOINT_RESTORE is not set -+# CONFIG_SCHED_AUTOGROUP is not set -+# CONFIG_SYSFS_DEPRECATED is not set - CONFIG_RELAY=y - CONFIG_BLK_DEV_INITRD=y -+CONFIG_INITRAMFS_SOURCE="" -+CONFIG_RD_GZIP=y -+CONFIG_RD_BZIP2=y -+CONFIG_RD_LZMA=y -+CONFIG_RD_XZ=y -+CONFIG_RD_LZO=y -+CONFIG_RD_LZ4=y -+CONFIG_RD_ZSTD=y -+# CONFIG_BOOT_CONFIG is not set -+CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y -+# CONFIG_CC_OPTIMIZE_FOR_SIZE is not set -+CONFIG_LD_ORPHAN_WARN=y -+CONFIG_SYSCTL=y -+CONFIG_HAVE_UID16=y -+CONFIG_SYSCTL_EXCEPTION_TRACE=y -+CONFIG_BPF=y -+CONFIG_EXPERT=y -+CONFIG_UID16=y -+CONFIG_MULTIUSER=y -+# CONFIG_SGETMASK_SYSCALL is not set -+CONFIG_SYSFS_SYSCALL=y -+CONFIG_FHANDLE=y -+CONFIG_POSIX_TIMERS=y -+CONFIG_PRINTK=y -+CONFIG_PRINTK_NMI=y -+CONFIG_BUG=y -+CONFIG_ELF_CORE=y -+CONFIG_BASE_FULL=y -+CONFIG_FUTEX=y -+CONFIG_FUTEX_PI=y -+CONFIG_HAVE_FUTEX_CMPXCHG=y -+CONFIG_EPOLL=y -+CONFIG_SIGNALFD=y -+CONFIG_TIMERFD=y -+CONFIG_EVENTFD=y -+CONFIG_SHMEM=y -+CONFIG_AIO=y -+CONFIG_IO_URING=y -+CONFIG_ADVISE_SYSCALLS=y -+CONFIG_MEMBARRIER=y -+CONFIG_KALLSYMS=y - CONFIG_KALLSYMS_ALL=y -+CONFIG_KALLSYMS_BASE_RELATIVE=y -+CONFIG_BPF_SYSCALL=y -+CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y -+# CONFIG_BPF_JIT_ALWAYS_ON is not set -+CONFIG_BPF_JIT_DEFAULT_ON=y -+# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set -+# CONFIG_BPF_PRELOAD is not set -+# CONFIG_USERFAULTFD is not set -+CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y -+CONFIG_KCMP=y -+CONFIG_RSEQ=y -+# CONFIG_DEBUG_RSEQ is not set - CONFIG_EMBEDDED=y -+CONFIG_HAVE_PERF_EVENTS=y -+# CONFIG_PC104 is not set -+ -+# -+# Kernel Performance Events And Counters -+# -+CONFIG_PERF_EVENTS=y -+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set -+# end of Kernel Performance Events And Counters -+ 
-+CONFIG_VM_EVENT_COUNTERS=y -+CONFIG_SLUB_DEBUG=y -+# CONFIG_SLUB_MEMCG_SYSFS_ON is not set - # CONFIG_COMPAT_BRK is not set -+# CONFIG_SLAB is not set -+CONFIG_SLUB=y -+# CONFIG_SLOB is not set -+CONFIG_SLAB_MERGE_DEFAULT=y - CONFIG_SLAB_FREELIST_RANDOM=y - CONFIG_SLAB_FREELIST_HARDENED=y - CONFIG_SHUFFLE_PAGE_ALLOCATOR=y -+CONFIG_SLUB_CPU_PARTIAL=y -+CONFIG_SYSTEM_DATA_VERIFICATION=y - CONFIG_PROFILING=y -+CONFIG_TRACEPOINTS=y -+# end of General setup -+ -+CONFIG_ARM64=y -+CONFIG_64BIT=y -+CONFIG_MMU=y -+CONFIG_ARM64_PAGE_SHIFT=12 -+CONFIG_ARM64_CONT_PTE_SHIFT=4 -+CONFIG_ARM64_CONT_PMD_SHIFT=4 -+CONFIG_ARCH_MMAP_RND_BITS_MIN=18 -+CONFIG_ARCH_MMAP_RND_BITS_MAX=33 -+CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=11 -+CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16 -+CONFIG_STACKTRACE_SUPPORT=y -+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 -+CONFIG_LOCKDEP_SUPPORT=y -+CONFIG_TRACE_IRQFLAGS_SUPPORT=y -+CONFIG_GENERIC_BUG=y -+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y -+CONFIG_GENERIC_HWEIGHT=y -+CONFIG_GENERIC_CSUM=y -+CONFIG_GENERIC_CALIBRATE_DELAY=y -+CONFIG_ZONE_DMA=y -+CONFIG_ZONE_DMA32=y -+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y -+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y -+CONFIG_SMP=y -+CONFIG_KERNEL_MODE_NEON=y -+CONFIG_FIX_EARLYCON_MEM=y -+CONFIG_PGTABLE_LEVELS=4 -+CONFIG_ARCH_SUPPORTS_UPROBES=y -+CONFIG_ARCH_PROC_KCORE_TEXT=y -+ -+# -+# Platform selection -+# -+# CONFIG_ARCH_ACTIONS is not set -+# CONFIG_ARCH_AGILEX is not set -+# CONFIG_ARCH_SUNXI is not set -+# CONFIG_ARCH_ALPINE is not set -+# CONFIG_ARCH_BCM2835 is not set -+# CONFIG_ARCH_BCM_IPROC is not set -+# CONFIG_ARCH_BERLIN is not set -+# CONFIG_ARCH_BITMAIN is not set -+# CONFIG_ARCH_BRCMSTB is not set -+# CONFIG_ARCH_EXYNOS is not set -+# CONFIG_ARCH_SPARX5 is not set -+# CONFIG_ARCH_K3 is not set -+# CONFIG_ARCH_LAYERSCAPE is not set -+# CONFIG_ARCH_LG1K is not set -+# CONFIG_ARCH_HISI is not set -+# CONFIG_ARCH_KEEMBAY is not set -+# CONFIG_ARCH_MEDIATEK is not set -+# CONFIG_ARCH_MESON is not set -+# 
CONFIG_ARCH_MVEBU is not set -+# CONFIG_ARCH_MXC is not set -+# CONFIG_ARCH_QCOM is not set -+# CONFIG_ARCH_REALTEK is not set -+# CONFIG_ARCH_RENESAS is not set -+# CONFIG_ARCH_ROCKCHIP is not set -+# CONFIG_ARCH_S32 is not set -+# CONFIG_ARCH_SEATTLE is not set -+# CONFIG_ARCH_STRATIX10 is not set -+# CONFIG_ARCH_SYNQUACER is not set - CONFIG_ARCH_TEGRA=y -+# CONFIG_ARCH_SPRD is not set -+# CONFIG_ARCH_THUNDER is not set -+# CONFIG_ARCH_THUNDER2 is not set -+# CONFIG_ARCH_UNIPHIER is not set -+# CONFIG_ARCH_VEXPRESS is not set -+# CONFIG_ARCH_VISCONTI is not set -+# CONFIG_ARCH_XGENE is not set -+# CONFIG_ARCH_ZX is not set -+# CONFIG_ARCH_ZYNQMP is not set -+# end of Platform selection -+ -+# -+# Kernel Features -+# -+ -+# -+# ARM errata workarounds via the alternatives framework -+# -+CONFIG_ARM64_WORKAROUND_CLEAN_CACHE=y -+CONFIG_ARM64_ERRATUM_826319=y -+CONFIG_ARM64_ERRATUM_827319=y -+CONFIG_ARM64_ERRATUM_824069=y -+CONFIG_ARM64_ERRATUM_819472=y -+CONFIG_ARM64_ERRATUM_832075=y -+CONFIG_ARM64_ERRATUM_834220=y -+CONFIG_ARM64_ERRATUM_845719=y -+CONFIG_ARM64_ERRATUM_843419=y -+CONFIG_ARM64_ERRATUM_1024718=y -+CONFIG_ARM64_ERRATUM_1418040=y -+CONFIG_ARM64_WORKAROUND_SPECULATIVE_AT=y -+CONFIG_ARM64_ERRATUM_1165522=y -+CONFIG_ARM64_ERRATUM_1319367=y -+CONFIG_ARM64_ERRATUM_1530923=y -+CONFIG_ARM64_WORKAROUND_REPEAT_TLBI=y -+CONFIG_ARM64_ERRATUM_1286807=y -+CONFIG_ARM64_ERRATUM_1463225=y -+CONFIG_ARM64_ERRATUM_1542419=y -+CONFIG_ARM64_ERRATUM_1508412=y -+CONFIG_CAVIUM_ERRATUM_22375=y -+CONFIG_CAVIUM_ERRATUM_23154=y -+CONFIG_CAVIUM_ERRATUM_27456=y -+CONFIG_CAVIUM_ERRATUM_30115=y -+CONFIG_CAVIUM_TX2_ERRATUM_219=y -+CONFIG_FUJITSU_ERRATUM_010001=y -+CONFIG_HISILICON_ERRATUM_161600802=y -+CONFIG_QCOM_FALKOR_ERRATUM_1003=y -+CONFIG_QCOM_FALKOR_ERRATUM_1009=y -+CONFIG_QCOM_QDF2400_ERRATUM_0065=y -+CONFIG_QCOM_FALKOR_ERRATUM_E1041=y -+CONFIG_NVIDIA_CARMEL_CNP_ERRATUM=y -+CONFIG_SOCIONEXT_SYNQUACER_PREITS=y -+# end of ARM errata workarounds via the alternatives framework -+ 
-+CONFIG_ARM64_4K_PAGES=y -+# CONFIG_ARM64_16K_PAGES is not set -+# CONFIG_ARM64_64K_PAGES is not set -+# CONFIG_ARM64_VA_BITS_39 is not set - CONFIG_ARM64_VA_BITS_48=y -+CONFIG_ARM64_VA_BITS=48 -+CONFIG_ARM64_PA_BITS_48=y -+CONFIG_ARM64_PA_BITS=48 -+# CONFIG_CPU_BIG_ENDIAN is not set -+CONFIG_CPU_LITTLE_ENDIAN=y - CONFIG_SCHED_MC=y - CONFIG_SCHED_SMT=y -+CONFIG_NR_CPUS=256 -+CONFIG_HOTPLUG_CPU=y -+# CONFIG_NUMA is not set -+CONFIG_HOLES_IN_ZONE=y -+# CONFIG_HZ_100 is not set -+CONFIG_HZ_250=y -+# CONFIG_HZ_300 is not set -+# CONFIG_HZ_1000 is not set -+CONFIG_HZ=250 -+CONFIG_SCHED_HRTICK=y -+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y -+CONFIG_ARCH_SPARSEMEM_ENABLE=y -+CONFIG_ARCH_SPARSEMEM_DEFAULT=y -+CONFIG_ARCH_SELECT_MEMORY_MODEL=y -+CONFIG_ARCH_FLATMEM_ENABLE=y -+CONFIG_HAVE_ARCH_PFN_VALID=y -+CONFIG_HW_PERF_EVENTS=y -+CONFIG_SYS_SUPPORTS_HUGETLBFS=y -+CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y -+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y -+CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y - CONFIG_PARAVIRT=y -+# CONFIG_PARAVIRT_TIME_ACCOUNTING is not set - CONFIG_KEXEC=y - CONFIG_KEXEC_FILE=y -+# CONFIG_KEXEC_SIG is not set - CONFIG_CRASH_DUMP=y -+# CONFIG_XEN is not set -+CONFIG_FORCE_MAX_ZONEORDER=11 -+CONFIG_UNMAP_KERNEL_AT_EL0=y - # CONFIG_RODATA_FULL_DEFAULT_ENABLED is not set - CONFIG_ARM64_SW_TTBR0_PAN=y -+CONFIG_ARM64_TAGGED_ADDR_ABI=y - CONFIG_COMPAT=y -+CONFIG_KUSER_HELPERS=y - CONFIG_ARMV8_DEPRECATED=y - CONFIG_SWP_EMULATION=y - CONFIG_CP15_BARRIER_EMULATION=y - CONFIG_SETEND_EMULATION=y -+ -+# -+# ARMv8.1 architectural features -+# - # CONFIG_ARM64_HW_AFDBM is not set -+CONFIG_ARM64_PAN=y -+CONFIG_AS_HAS_LSE_ATOMICS=y -+CONFIG_ARM64_LSE_ATOMICS=y -+CONFIG_ARM64_USE_LSE_ATOMICS=y -+CONFIG_ARM64_VHE=y -+# end of ARMv8.1 architectural features -+ -+# -+# ARMv8.2 architectural features -+# -+CONFIG_ARM64_UAO=y -+# CONFIG_ARM64_PMEM is not set -+CONFIG_ARM64_RAS_EXTN=y -+CONFIG_ARM64_CNP=y -+# end of ARMv8.2 architectural features -+ -+# -+# ARMv8.3 architectural features -+# 
-+CONFIG_CC_HAS_BRANCH_PROT_PAC_RET=y -+CONFIG_CC_HAS_SIGN_RETURN_ADDRESS=y -+CONFIG_AS_HAS_PAC=y -+CONFIG_AS_HAS_CFI_NEGATE_RA_STATE=y -+# end of ARMv8.3 architectural features -+ -+# -+# ARMv8.4 architectural features -+# -+CONFIG_ARM64_AMU_EXTN=y -+# end of ARMv8.4 architectural features -+ -+# -+# ARMv8.5 architectural features -+# -+CONFIG_ARM64_BTI=y -+CONFIG_CC_HAS_BRANCH_PROT_PAC_RET_BTI=y -+CONFIG_ARM64_E0PD=y -+CONFIG_ARCH_RANDOM=y -+CONFIG_ARM64_AS_HAS_MTE=y -+CONFIG_ARM64_MTE=y -+# end of ARMv8.5 architectural features -+ -+CONFIG_ARM64_SVE=y -+CONFIG_ARM64_MODULE_PLTS=y -+# CONFIG_ARM64_PSEUDO_NMI is not set -+CONFIG_RELOCATABLE=y - CONFIG_RANDOMIZE_BASE=y -+CONFIG_RANDOMIZE_MODULE_REGION_FULL=y -+CONFIG_CC_HAVE_STACKPROTECTOR_SYSREG=y -+CONFIG_STACKPROTECTOR_PER_TASK=y -+# CONFIG_TEGRA_EBP is not set -+CONFIG_TEGRA_PSC=y -+# end of Kernel Features -+ -+# -+# Boot options -+# -+# CONFIG_ARM64_ACPI_PARKING_PROTOCOL is not set -+CONFIG_CMDLINE="" -+CONFIG_EFI_STUB=y -+CONFIG_EFI=y -+CONFIG_DMI=y -+# end of Boot options -+ -+CONFIG_SYSVIPC_COMPAT=y -+CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y -+CONFIG_ARCH_ENABLE_THP_MIGRATION=y -+ -+# -+# Power management options -+# -+CONFIG_SUSPEND=y -+CONFIG_SUSPEND_FREEZER=y -+# CONFIG_SUSPEND_SKIP_SYNC is not set -+# CONFIG_HIBERNATION is not set -+CONFIG_PM_SLEEP=y -+CONFIG_PM_SLEEP_SMP=y - CONFIG_PM_AUTOSLEEP=y - CONFIG_PM_WAKELOCKS=y -+CONFIG_PM_WAKELOCKS_LIMIT=100 -+CONFIG_PM_WAKELOCKS_GC=y -+CONFIG_PM=y -+# CONFIG_PM_DEBUG is not set -+CONFIG_PM_CLK=y -+CONFIG_PM_GENERIC_DOMAINS=y - CONFIG_WQ_POWER_EFFICIENT_DEFAULT=y -+CONFIG_PM_GENERIC_DOMAINS_SLEEP=y -+CONFIG_PM_GENERIC_DOMAINS_OF=y -+CONFIG_CPU_PM=y - CONFIG_ENERGY_MODEL=y -+CONFIG_ARCH_HIBERNATION_POSSIBLE=y -+CONFIG_ARCH_SUSPEND_POSSIBLE=y -+# end of Power management options -+ -+# -+# CPU Power Management -+# -+ -+# -+# CPU Idle -+# -+CONFIG_CPU_IDLE=y -+CONFIG_CPU_IDLE_MULTIPLE_DRIVERS=y -+# CONFIG_CPU_IDLE_GOV_LADDER is not set 
-+CONFIG_CPU_IDLE_GOV_MENU=y -+# CONFIG_CPU_IDLE_GOV_TEO is not set -+CONFIG_DT_IDLE_STATES=y -+ -+# -+# ARM CPU Idle Drivers -+# - CONFIG_ARM_CPUIDLE=y - CONFIG_ARM_PSCI_CPUIDLE=y -+CONFIG_ARM_PSCI_CPUIDLE_DOMAIN=y -+CONFIG_CPU_IDLE_TEGRA19X=y - CONFIG_CPU_IDLE_TEGRA_AUTO=y -+# end of ARM CPU Idle Drivers -+# end of CPU Idle -+ -+# -+# CPU Frequency scaling -+# - CONFIG_CPU_FREQ=y -+CONFIG_CPU_FREQ_GOV_ATTR_SET=y -+CONFIG_CPU_FREQ_GOV_COMMON=y - CONFIG_CPU_FREQ_STAT=y - CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y -+# CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE is not set -+# CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE is not set -+# CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND is not set -+# CONFIG_CPU_FREQ_DEFAULT_GOV_CONSERVATIVE is not set -+# CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL is not set -+CONFIG_CPU_FREQ_GOV_PERFORMANCE=y - CONFIG_CPU_FREQ_GOV_POWERSAVE=y - CONFIG_CPU_FREQ_GOV_USERSPACE=y - CONFIG_CPU_FREQ_GOV_ONDEMAND=y - CONFIG_CPU_FREQ_GOV_CONSERVATIVE=y - CONFIG_CPU_FREQ_GOV_SCHEDUTIL=y -+ -+# -+# CPU frequency scaling drivers -+# - CONFIG_CPUFREQ_DT=y -+CONFIG_CPUFREQ_DT_PLATDEV=y - CONFIG_ACPI_CPPC_CPUFREQ=m -+CONFIG_ARM_TEGRA20_CPUFREQ=y -+CONFIG_ARM_TEGRA124_CPUFREQ=y - CONFIG_ARM_TEGRA186_CPUFREQ=y -+CONFIG_ARM_TEGRA194_CPUFREQ=y -+# end of CPU Frequency scaling -+# end of CPU Power Management -+ -+# -+# Firmware Drivers -+# -+# CONFIG_ARM_SCMI_PROTOCOL is not set - CONFIG_ARM_SCPI_PROTOCOL=m -+CONFIG_ARM_SCPI_POWER_DOMAIN=m -+# CONFIG_ARM_SDE_INTERFACE is not set -+# CONFIG_FIRMWARE_MEMMAP is not set -+CONFIG_DMIID=y - CONFIG_DMI_SYSFS=y -+# CONFIG_ISCSI_IBFT is not set -+# CONFIG_FW_CFG_SYSFS is not set -+# CONFIG_GOOGLE_FIRMWARE is not set -+ -+# -+# EFI (Extensible Firmware Interface) Support -+# -+CONFIG_EFI_ESRT=y - # CONFIG_EFI_VARS_PSTORE is not set -+CONFIG_EFI_PARAMS_FROM_FDT=y -+CONFIG_EFI_RUNTIME_WRAPPERS=y -+CONFIG_EFI_GENERIC_STUB=y -+CONFIG_EFI_ARMSTUB_DTB_LOADER=y -+CONFIG_EFI_GENERIC_STUB_INITRD_CMDLINE_LOADER=y -+# CONFIG_EFI_BOOTLOADER_CONTROL is not 
set - CONFIG_EFI_CAPSULE_LOADER=y - CONFIG_EFI_TEST=m --CONFIG_FB_EFI=y -+# CONFIG_RESET_ATTACK_MITIGATION is not set -+# CONFIG_EFI_DISABLE_PCI_DMA is not set -+# end of EFI (Extensible Firmware Interface) Support -+ -+CONFIG_UEFI_CPER=y -+CONFIG_UEFI_CPER_ARM=y -+CONFIG_EFI_EARLYCON=y -+CONFIG_EFI_CUSTOM_SSDT_OVERLAYS=y -+CONFIG_ARM_PSCI_FW=y -+# CONFIG_ARM_PSCI_CHECKER is not set -+CONFIG_HAVE_ARM_SMCCC=y -+CONFIG_HAVE_ARM_SMCCC_DISCOVERY=y -+CONFIG_ARM_SMCCC_SOC_ID=y -+ -+# -+# Tegra firmware driver -+# -+CONFIG_TEGRA_IVC=y -+CONFIG_TEGRA_BPMP=y -+# end of Tegra firmware driver -+ -+# -+# Tegra BPMP Driver -+# -+# end of Tegra BPMP Driver -+ -+# -+# Tegra firmware driver -+# -+# end of Tegra firmware driver -+ -+# -+# Tegra BPMP Driver -+# -+# end of Tegra BPMP Driver -+# end of Firmware Drivers -+ -+CONFIG_ARCH_SUPPORTS_ACPI=y - CONFIG_ACPI=y -+CONFIG_ACPI_GENERIC_GSI=y -+CONFIG_ACPI_CCA_REQUIRED=y -+# CONFIG_ACPI_DEBUGGER is not set -+CONFIG_ACPI_SPCR_TABLE=y -+# CONFIG_ACPI_EC_DEBUGFS is not set -+CONFIG_ACPI_AC=y -+CONFIG_ACPI_BATTERY=y -+CONFIG_ACPI_BUTTON=y -+CONFIG_ACPI_FAN=y -+# CONFIG_ACPI_TAD is not set -+# CONFIG_ACPI_DOCK is not set -+CONFIG_ACPI_PROCESSOR_IDLE=y -+CONFIG_ACPI_MCFG=y -+CONFIG_ACPI_CPPC_LIB=y -+CONFIG_ACPI_PROCESSOR=y -+CONFIG_ACPI_HOTPLUG_CPU=y -+CONFIG_ACPI_THERMAL=y -+CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y -+CONFIG_ACPI_TABLE_UPGRADE=y -+# CONFIG_ACPI_DEBUG is not set -+# CONFIG_ACPI_PCI_SLOT is not set -+CONFIG_ACPI_CONTAINER=y -+CONFIG_ACPI_HED=y -+# CONFIG_ACPI_CUSTOM_METHOD is not set -+# CONFIG_ACPI_BGRT is not set -+CONFIG_ACPI_REDUCED_HARDWARE_ONLY=y -+CONFIG_HAVE_ACPI_APEI=y - CONFIG_ACPI_APEI=y - CONFIG_ACPI_APEI_GHES=y -+# CONFIG_ACPI_APEI_PCIEAER is not set -+CONFIG_ACPI_APEI_SEA=y - CONFIG_ACPI_APEI_MEMORY_FAILURE=y - CONFIG_ACPI_APEI_EINJ=y -+# CONFIG_ACPI_APEI_ERST_DEBUG is not set -+# CONFIG_ACPI_CONFIGFS is not set -+CONFIG_ACPI_IORT=y -+CONFIG_ACPI_GTDT=y -+CONFIG_ACPI_PPTT=y -+# CONFIG_PMIC_OPREGION is not set 
-+CONFIG_IRQ_BYPASS_MANAGER=y -+CONFIG_VIRTUALIZATION=y - CONFIG_KVM=y -+CONFIG_HAVE_KVM_IRQCHIP=y -+CONFIG_HAVE_KVM_IRQFD=y -+CONFIG_HAVE_KVM_IRQ_ROUTING=y -+CONFIG_HAVE_KVM_EVENTFD=y -+CONFIG_KVM_MMIO=y -+CONFIG_HAVE_KVM_MSI=y -+CONFIG_HAVE_KVM_CPU_RELAX_INTERCEPT=y -+CONFIG_KVM_VFIO=y -+CONFIG_HAVE_KVM_ARCH_TLB_FLUSH_ALL=y -+CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT=y -+CONFIG_HAVE_KVM_IRQ_BYPASS=y -+CONFIG_HAVE_KVM_VCPU_RUN_PID_CHANGE=y -+CONFIG_KVM_ARM_PMU=y - CONFIG_TEGRA_DTC_SUPPRESS_WARNINGS=y - CONFIG_ARM64_CRYPTO=y -+CONFIG_CRYPTO_SHA256_ARM64=m -+CONFIG_CRYPTO_SHA512_ARM64=m - CONFIG_CRYPTO_SHA1_ARM64_CE=m - CONFIG_CRYPTO_SHA2_ARM64_CE=m - CONFIG_CRYPTO_SHA512_ARM64_CE=m - CONFIG_CRYPTO_SHA3_ARM64=m - CONFIG_CRYPTO_SM3_ARM64_CE=m -+# CONFIG_CRYPTO_SM4_ARM64_CE is not set - CONFIG_CRYPTO_GHASH_ARM64_CE=m -+# CONFIG_CRYPTO_CRCT10DIF_ARM64_CE is not set -+CONFIG_CRYPTO_AES_ARM64=m -+CONFIG_CRYPTO_AES_ARM64_CE=m - CONFIG_CRYPTO_AES_ARM64_CE_CCM=m - CONFIG_CRYPTO_AES_ARM64_CE_BLK=m - CONFIG_CRYPTO_AES_ARM64_NEON_BLK=m -+# CONFIG_CRYPTO_CHACHA20_NEON is not set -+# CONFIG_CRYPTO_POLY1305_NEON is not set -+# CONFIG_CRYPTO_NHPOLY1305_NEON is not set -+# CONFIG_CRYPTO_AES_ARM64_BS is not set -+# CONFIG_ARCH_TEGRA_18x_SOC is not set -+# CONFIG_ARCH_TEGRA_19x_SOC is not set -+# CONFIG_ARCH_TEGRA_21x_SOC is not set - CONFIG_ARCH_TEGRA_23x_SOC=y --CONFIG_ARCH_TEGRA_239_SOC=y -+ -+# -+# General architecture-dependent options -+# -+CONFIG_CRASH_CORE=y -+CONFIG_KEXEC_CORE=y -+CONFIG_SET_FS=y -+# CONFIG_KPROBES is not set - CONFIG_JUMP_LABEL=y -+# CONFIG_STATIC_KEYS_SELFTEST is not set -+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y -+CONFIG_HAVE_KPROBES=y -+CONFIG_HAVE_KRETPROBES=y -+CONFIG_HAVE_FUNCTION_ERROR_INJECTION=y -+CONFIG_HAVE_NMI=y -+CONFIG_HAVE_ARCH_TRACEHOOK=y -+CONFIG_HAVE_DMA_CONTIGUOUS=y -+CONFIG_GENERIC_SMP_IDLE_THREAD=y -+CONFIG_GENERIC_IDLE_POLL_SETUP=y -+CONFIG_ARCH_HAS_FORTIFY_SOURCE=y -+CONFIG_ARCH_HAS_KEEPINITRD=y -+CONFIG_ARCH_HAS_SET_MEMORY=y 
-+CONFIG_ARCH_HAS_SET_DIRECT_MAP=y -+CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y -+CONFIG_HAVE_ASM_MODVERSIONS=y -+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y -+CONFIG_HAVE_RSEQ=y -+CONFIG_HAVE_FUNCTION_ARG_ACCESS_API=y -+CONFIG_HAVE_HW_BREAKPOINT=y -+CONFIG_HAVE_PERF_REGS=y -+CONFIG_HAVE_PERF_USER_STACK_DUMP=y -+CONFIG_HAVE_ARCH_JUMP_LABEL=y -+CONFIG_HAVE_ARCH_JUMP_LABEL_RELATIVE=y -+CONFIG_MMU_GATHER_TABLE_FREE=y -+CONFIG_MMU_GATHER_RCU_TABLE_FREE=y -+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y -+CONFIG_HAVE_ALIGNED_STRUCT_PAGE=y -+CONFIG_HAVE_CMPXCHG_LOCAL=y -+CONFIG_HAVE_CMPXCHG_DOUBLE=y -+CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=y -+CONFIG_HAVE_ARCH_SECCOMP=y -+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y -+CONFIG_SECCOMP=y -+CONFIG_SECCOMP_FILTER=y -+CONFIG_HAVE_ARCH_STACKLEAK=y -+CONFIG_HAVE_STACKPROTECTOR=y -+CONFIG_STACKPROTECTOR=y -+CONFIG_STACKPROTECTOR_STRONG=y -+CONFIG_HAVE_CONTEXT_TRACKING=y -+CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y -+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y -+CONFIG_HAVE_MOVE_PMD=y -+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y -+CONFIG_HAVE_ARCH_HUGE_VMAP=y -+CONFIG_HAVE_MOD_ARCH_SPECIFIC=y -+CONFIG_MODULES_USE_ELF_RELA=y -+CONFIG_ARCH_HAS_ELF_RANDOMIZE=y -+CONFIG_HAVE_ARCH_MMAP_RND_BITS=y -+CONFIG_ARCH_MMAP_RND_BITS=18 -+CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y -+CONFIG_ARCH_MMAP_RND_COMPAT_BITS=11 -+CONFIG_ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT=y -+CONFIG_CLONE_BACKWARDS=y -+CONFIG_OLD_SIGSUSPEND3=y -+CONFIG_COMPAT_OLD_SIGACTION=y -+CONFIG_COMPAT_32BIT_TIME=y -+CONFIG_HAVE_ARCH_VMAP_STACK=y -+CONFIG_VMAP_STACK=y -+CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y -+CONFIG_STRICT_KERNEL_RWX=y -+CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y -+CONFIG_STRICT_MODULE_RWX=y -+CONFIG_HAVE_ARCH_COMPILER_H=y -+CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y -+CONFIG_ARCH_USE_MEMREMAP_PROT=y -+# CONFIG_LOCK_EVENT_COUNTS is not set -+CONFIG_ARCH_HAS_RELR=y -+CONFIG_ARCH_WANT_LD_ORPHAN_WARN=y -+ -+# -+# GCOV-based kernel profiling -+# -+# CONFIG_GCOV_KERNEL is not set -+CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y -+# end of 
GCOV-based kernel profiling -+ -+CONFIG_HAVE_GCC_PLUGINS=y -+CONFIG_GCC_PLUGINS=y -+# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set -+# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set -+# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set -+# end of General architecture-dependent options -+ -+CONFIG_RT_MUTEXES=y -+CONFIG_BASE_SMALL=0 -+CONFIG_MODULE_SIG_FORMAT=y - CONFIG_MODULES=y -+# CONFIG_MODULE_FORCE_LOAD is not set - CONFIG_MODULE_UNLOAD=y -+# CONFIG_MODULE_FORCE_UNLOAD is not set - CONFIG_MODVERSIONS=y -+CONFIG_ASM_MODVERSIONS=y -+# CONFIG_MODULE_SRCVERSION_ALL is not set - CONFIG_MODULE_SIG=y -+# CONFIG_MODULE_SIG_FORCE is not set -+CONFIG_MODULE_SIG_ALL=y -+# CONFIG_MODULE_SIG_SHA1 is not set -+# CONFIG_MODULE_SIG_SHA224 is not set -+# CONFIG_MODULE_SIG_SHA256 is not set -+# CONFIG_MODULE_SIG_SHA384 is not set - CONFIG_MODULE_SIG_SHA512=y -+CONFIG_MODULE_SIG_HASH="sha512" -+# CONFIG_MODULE_COMPRESS is not set -+# CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS is not set -+# CONFIG_UNUSED_SYMBOLS is not set -+# CONFIG_TRIM_UNUSED_KSYMS is not set -+CONFIG_MODULES_TREE_LOOKUP=y -+CONFIG_BLOCK=y -+CONFIG_BLK_SCSI_REQUEST=y -+CONFIG_BLK_CGROUP_RWSTAT=y -+CONFIG_BLK_DEV_BSG=y -+CONFIG_BLK_DEV_BSGLIB=y -+CONFIG_BLK_DEV_INTEGRITY=y -+CONFIG_BLK_DEV_INTEGRITY_T10=y -+# CONFIG_BLK_DEV_ZONED is not set - CONFIG_BLK_DEV_THROTTLING=y -+# CONFIG_BLK_DEV_THROTTLING_LOW is not set -+# CONFIG_BLK_CMDLINE_PARSER is not set -+# CONFIG_BLK_WBT is not set -+# CONFIG_BLK_CGROUP_IOLATENCY is not set -+# CONFIG_BLK_CGROUP_IOCOST is not set -+CONFIG_BLK_DEBUG_FS=y -+# CONFIG_BLK_SED_OPAL is not set -+# CONFIG_BLK_INLINE_ENCRYPTION is not set -+ -+# -+# Partition Types -+# - CONFIG_PARTITION_ADVANCED=y -+# CONFIG_ACORN_PARTITION is not set -+# CONFIG_AIX_PARTITION is not set -+# CONFIG_OSF_PARTITION is not set -+# CONFIG_AMIGA_PARTITION is not set -+# CONFIG_ATARI_PARTITION is not set -+# CONFIG_MAC_PARTITION is not set -+CONFIG_MSDOS_PARTITION=y -+# CONFIG_BSD_DISKLABEL is not set -+# 
CONFIG_MINIX_SUBPARTITION is not set -+# CONFIG_SOLARIS_X86_PARTITION is not set -+# CONFIG_UNIXWARE_DISKLABEL is not set -+# CONFIG_LDM_PARTITION is not set -+# CONFIG_SGI_PARTITION is not set -+# CONFIG_ULTRIX_PARTITION is not set -+# CONFIG_SUN_PARTITION is not set -+# CONFIG_KARMA_PARTITION is not set -+CONFIG_EFI_PARTITION=y -+# CONFIG_SYSV68_PARTITION is not set -+# CONFIG_CMDLINE_PARTITION is not set -+# end of Partition Types -+ -+CONFIG_BLOCK_COMPAT=y -+CONFIG_BLK_MQ_PCI=y -+CONFIG_BLK_MQ_VIRTIO=y -+CONFIG_BLK_MQ_RDMA=y -+CONFIG_BLK_PM=y -+ -+# -+# IO Schedulers -+# -+CONFIG_MQ_IOSCHED_DEADLINE=y -+CONFIG_MQ_IOSCHED_KYBER=y -+# CONFIG_IOSCHED_BFQ is not set -+# end of IO Schedulers -+ -+CONFIG_PREEMPT_NOTIFIERS=y -+CONFIG_ASN1=y -+CONFIG_UNINLINE_SPIN_UNLOCK=y -+CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y -+CONFIG_MUTEX_SPIN_ON_OWNER=y -+CONFIG_RWSEM_SPIN_ON_OWNER=y -+CONFIG_LOCK_SPIN_ON_OWNER=y -+CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y -+CONFIG_QUEUED_SPINLOCKS=y -+CONFIG_ARCH_USE_QUEUED_RWLOCKS=y -+CONFIG_QUEUED_RWLOCKS=y -+CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE=y -+CONFIG_ARCH_HAS_SYSCALL_WRAPPER=y -+CONFIG_FREEZER=y -+ -+# -+# Executable file formats -+# -+CONFIG_BINFMT_ELF=y -+CONFIG_COMPAT_BINFMT_ELF=y -+CONFIG_ARCH_BINFMT_ELF_STATE=y -+CONFIG_ARCH_HAVE_ELF_PROT=y -+CONFIG_ARCH_USE_GNU_PROPERTY=y -+CONFIG_ELFCORE=y - # CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set -+CONFIG_BINFMT_SCRIPT=y - CONFIG_BINFMT_MISC=m -+CONFIG_COREDUMP=y -+# end of Executable file formats -+ -+# -+# Memory Management options -+# -+CONFIG_SELECT_MEMORY_MODEL=y -+# CONFIG_FLATMEM_MANUAL is not set -+CONFIG_SPARSEMEM_MANUAL=y -+CONFIG_SPARSEMEM=y -+CONFIG_SPARSEMEM_EXTREME=y -+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y -+CONFIG_SPARSEMEM_VMEMMAP=y -+CONFIG_HAVE_FAST_GUP=y -+CONFIG_ARCH_KEEP_MEMBLOCK=y -+CONFIG_MEMORY_ISOLATION=y -+# CONFIG_MEMORY_HOTPLUG is not set -+CONFIG_SPLIT_PTLOCK_CPUS=4 -+CONFIG_MEMORY_BALLOON=y -+CONFIG_BALLOON_COMPACTION=y -+CONFIG_COMPACTION=y 
-+CONFIG_PAGE_REPORTING=y -+CONFIG_MIGRATION=y -+CONFIG_CONTIG_ALLOC=y -+CONFIG_PHYS_ADDR_T_64BIT=y -+CONFIG_BOUNCE=y -+CONFIG_MMU_NOTIFIER=y - CONFIG_KSM=y - CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 -+CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y - CONFIG_MEMORY_FAILURE=y -+# CONFIG_HWPOISON_INJECT is not set - CONFIG_TRANSPARENT_HUGEPAGE=y -+CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS=y -+# CONFIG_TRANSPARENT_HUGEPAGE_MADVISE is not set -+# CONFIG_CLEANCACHE is not set -+# CONFIG_FRONTSWAP is not set - CONFIG_CMA=y -+# CONFIG_CMA_DEBUG is not set -+# CONFIG_CMA_DEBUGFS is not set -+CONFIG_CMA_AREAS=7 -+# CONFIG_ZPOOL is not set -+# CONFIG_ZBUD is not set - CONFIG_ZSMALLOC=y -+# CONFIG_ZSMALLOC_STAT is not set -+CONFIG_GENERIC_EARLY_IOREMAP=y -+# CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set -+# CONFIG_IDLE_PAGE_TRACKING is not set -+CONFIG_ARCH_HAS_PTE_DEVMAP=y -+CONFIG_HMM_MIRROR=y -+CONFIG_FRAME_VECTOR=y -+CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y -+# CONFIG_PERCPU_STATS is not set -+# CONFIG_GUP_BENCHMARK is not set -+# CONFIG_READ_ONLY_THP_FOR_FS is not set -+CONFIG_ARCH_HAS_PTE_SPECIAL=y -+# end of Memory Management options -+ - CONFIG_NET=y -+CONFIG_COMPAT_NETLINK_MESSAGES=y -+CONFIG_NET_INGRESS=y -+CONFIG_NET_EGRESS=y -+CONFIG_SKB_EXTENSIONS=y -+ -+# -+# Networking options -+# - CONFIG_PACKET=y -+# CONFIG_PACKET_DIAG is not set - CONFIG_UNIX=y -+CONFIG_UNIX_SCM=y -+# CONFIG_UNIX_DIAG is not set -+# CONFIG_TLS is not set -+CONFIG_XFRM=y -+CONFIG_XFRM_ALGO=y - CONFIG_XFRM_USER=y -+# CONFIG_XFRM_INTERFACE is not set -+# CONFIG_XFRM_SUB_POLICY is not set -+# CONFIG_XFRM_MIGRATE is not set -+# CONFIG_XFRM_STATISTICS is not set -+CONFIG_XFRM_AH=m -+CONFIG_XFRM_ESP=m -+CONFIG_XFRM_IPCOMP=m - CONFIG_NET_KEY=y -+# CONFIG_NET_KEY_MIGRATE is not set -+# CONFIG_SMC is not set -+# CONFIG_XDP_SOCKETS is not set - CONFIG_INET=y - CONFIG_IP_MULTICAST=y - CONFIG_IP_ADVANCED_ROUTER=y -+# CONFIG_IP_FIB_TRIE_STATS is not set - CONFIG_IP_MULTIPLE_TABLES=y -+# CONFIG_IP_ROUTE_MULTIPATH is not set -+# 
CONFIG_IP_ROUTE_VERBOSE is not set - CONFIG_IP_PNP=y - CONFIG_IP_PNP_DHCP=y - CONFIG_IP_PNP_BOOTP=y -+# CONFIG_IP_PNP_RARP is not set -+# CONFIG_NET_IPIP is not set - CONFIG_NET_IPGRE_DEMUX=m -+CONFIG_NET_IP_TUNNEL=y -+# CONFIG_NET_IPGRE is not set -+# CONFIG_IP_MROUTE is not set - CONFIG_SYN_COOKIES=y -+# CONFIG_NET_IPVTI is not set -+CONFIG_NET_UDP_TUNNEL=y -+# CONFIG_NET_FOU is not set -+# CONFIG_NET_FOU_IP_TUNNELS is not set -+# CONFIG_INET_AH is not set - CONFIG_INET_ESP=m -+# CONFIG_INET_ESP_OFFLOAD is not set -+# CONFIG_INET_ESPINTCP is not set -+# CONFIG_INET_IPCOMP is not set -+CONFIG_INET_TUNNEL=m - CONFIG_INET_DIAG=m -+CONFIG_INET_TCP_DIAG=m -+# CONFIG_INET_UDP_DIAG is not set -+# CONFIG_INET_RAW_DIAG is not set -+# CONFIG_INET_DIAG_DESTROY is not set -+# CONFIG_TCP_CONG_ADVANCED is not set -+CONFIG_TCP_CONG_CUBIC=y -+CONFIG_DEFAULT_TCP_CONG="cubic" -+# CONFIG_TCP_MD5SIG is not set -+CONFIG_IPV6=y - CONFIG_IPV6_ROUTER_PREF=y - CONFIG_IPV6_ROUTE_INFO=y - CONFIG_IPV6_OPTIMISTIC_DAD=y - CONFIG_INET6_AH=m - CONFIG_INET6_ESP=m -+# CONFIG_INET6_ESP_OFFLOAD is not set -+# CONFIG_INET6_ESPINTCP is not set - CONFIG_INET6_IPCOMP=m - CONFIG_IPV6_MIP6=m -+# CONFIG_IPV6_ILA is not set -+CONFIG_INET6_XFRM_TUNNEL=m -+CONFIG_INET6_TUNNEL=m -+# CONFIG_IPV6_VTI is not set - CONFIG_IPV6_SIT=m -+# CONFIG_IPV6_SIT_6RD is not set -+CONFIG_IPV6_NDISC_NODETYPE=y - CONFIG_IPV6_TUNNEL=m -+# CONFIG_IPV6_GRE is not set - CONFIG_IPV6_MULTIPLE_TABLES=y -+# CONFIG_IPV6_SUBTREES is not set -+# CONFIG_IPV6_MROUTE is not set -+# CONFIG_IPV6_SEG6_LWTUNNEL is not set -+# CONFIG_IPV6_SEG6_HMAC is not set -+# CONFIG_IPV6_RPL_LWTUNNEL is not set -+# CONFIG_NETLABEL is not set -+# CONFIG_MPTCP is not set -+CONFIG_NETWORK_SECMARK=y -+CONFIG_NET_PTP_CLASSIFY=y -+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set - CONFIG_NETFILTER=y -+CONFIG_NETFILTER_ADVANCED=y - CONFIG_BRIDGE_NETFILTER=m -+ -+# -+# Core Netfilter Configuration -+# -+CONFIG_NETFILTER_INGRESS=y -+CONFIG_NETFILTER_NETLINK=m 
-+CONFIG_NETFILTER_FAMILY_BRIDGE=y -+CONFIG_NETFILTER_FAMILY_ARP=y - CONFIG_NETFILTER_NETLINK_ACCT=m - CONFIG_NETFILTER_NETLINK_QUEUE=m - CONFIG_NETFILTER_NETLINK_LOG=m -+# CONFIG_NETFILTER_NETLINK_OSF is not set - CONFIG_NF_CONNTRACK=m -+CONFIG_NF_LOG_COMMON=m -+# CONFIG_NF_LOG_NETDEV is not set -+CONFIG_NETFILTER_CONNCOUNT=m -+CONFIG_NF_CONNTRACK_MARK=y -+# CONFIG_NF_CONNTRACK_SECMARK is not set -+# CONFIG_NF_CONNTRACK_ZONES is not set -+CONFIG_NF_CONNTRACK_PROCFS=y - CONFIG_NF_CONNTRACK_EVENTS=y -+# CONFIG_NF_CONNTRACK_TIMEOUT is not set -+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set -+# CONFIG_NF_CONNTRACK_LABELS is not set -+CONFIG_NF_CT_PROTO_DCCP=y -+CONFIG_NF_CT_PROTO_GRE=y -+CONFIG_NF_CT_PROTO_SCTP=y -+CONFIG_NF_CT_PROTO_UDPLITE=y - CONFIG_NF_CONNTRACK_AMANDA=m - CONFIG_NF_CONNTRACK_FTP=m - CONFIG_NF_CONNTRACK_H323=m - CONFIG_NF_CONNTRACK_IRC=m -+CONFIG_NF_CONNTRACK_BROADCAST=m - CONFIG_NF_CONNTRACK_NETBIOS_NS=m -+# CONFIG_NF_CONNTRACK_SNMP is not set - CONFIG_NF_CONNTRACK_PPTP=m - CONFIG_NF_CONNTRACK_SANE=m - CONFIG_NF_CONNTRACK_SIP=m - CONFIG_NF_CONNTRACK_TFTP=m - CONFIG_NF_CT_NETLINK=m -+# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set -+CONFIG_NF_NAT=m -+CONFIG_NF_NAT_AMANDA=m -+CONFIG_NF_NAT_FTP=m -+CONFIG_NF_NAT_IRC=m -+CONFIG_NF_NAT_SIP=m -+CONFIG_NF_NAT_TFTP=m -+CONFIG_NF_NAT_REDIRECT=y -+CONFIG_NF_NAT_MASQUERADE=y -+# CONFIG_NF_TABLES is not set -+CONFIG_NETFILTER_XTABLES=m -+ -+# -+# Xtables combined modules -+# -+CONFIG_NETFILTER_XT_MARK=m -+CONFIG_NETFILTER_XT_CONNMARK=m -+ -+# -+# Xtables targets -+# -+# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set - CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m - CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m - CONFIG_NETFILTER_XT_TARGET_CONNMARK=m -+# CONFIG_NETFILTER_XT_TARGET_CT is not set -+# CONFIG_NETFILTER_XT_TARGET_DSCP is not set -+# CONFIG_NETFILTER_XT_TARGET_HL is not set -+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set - CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m -+# CONFIG_NETFILTER_XT_TARGET_LED is not set - 
CONFIG_NETFILTER_XT_TARGET_LOG=m - CONFIG_NETFILTER_XT_TARGET_MARK=m -+CONFIG_NETFILTER_XT_NAT=m -+CONFIG_NETFILTER_XT_TARGET_NETMAP=m -+# CONFIG_NETFILTER_XT_TARGET_NFLOG is not set -+# CONFIG_NETFILTER_XT_TARGET_NFQUEUE is not set -+# CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set -+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set -+CONFIG_NETFILTER_XT_TARGET_REDIRECT=m -+CONFIG_NETFILTER_XT_TARGET_MASQUERADE=m - CONFIG_NETFILTER_XT_TARGET_TEE=m - CONFIG_NETFILTER_XT_TARGET_TPROXY=m - CONFIG_NETFILTER_XT_TARGET_TRACE=m -+# CONFIG_NETFILTER_XT_TARGET_SECMARK is not set - CONFIG_NETFILTER_XT_TARGET_TCPMSS=m -+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set -+ -+# -+# Xtables matches -+# - CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m -+# CONFIG_NETFILTER_XT_MATCH_BPF is not set -+# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set -+# CONFIG_NETFILTER_XT_MATCH_CLUSTER is not set - CONFIG_NETFILTER_XT_MATCH_COMMENT=m - CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m -+# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set - CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m - CONFIG_NETFILTER_XT_MATCH_CONNMARK=m - CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m -+# CONFIG_NETFILTER_XT_MATCH_CPU is not set -+# CONFIG_NETFILTER_XT_MATCH_DCCP is not set -+# CONFIG_NETFILTER_XT_MATCH_DEVGROUP is not set -+# CONFIG_NETFILTER_XT_MATCH_DSCP is not set -+CONFIG_NETFILTER_XT_MATCH_ECN=m -+# CONFIG_NETFILTER_XT_MATCH_ESP is not set - CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m - CONFIG_NETFILTER_XT_MATCH_HELPER=m -+CONFIG_NETFILTER_XT_MATCH_HL=m -+# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set - CONFIG_NETFILTER_XT_MATCH_IPRANGE=m - CONFIG_NETFILTER_XT_MATCH_IPVS=m -+# CONFIG_NETFILTER_XT_MATCH_L2TP is not set - CONFIG_NETFILTER_XT_MATCH_LENGTH=m - CONFIG_NETFILTER_XT_MATCH_LIMIT=m - CONFIG_NETFILTER_XT_MATCH_MAC=m - CONFIG_NETFILTER_XT_MATCH_MARK=m - CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m -+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set -+# CONFIG_NETFILTER_XT_MATCH_OSF is not set - CONFIG_NETFILTER_XT_MATCH_OWNER=m -+# 
CONFIG_NETFILTER_XT_MATCH_POLICY is not set -+# CONFIG_NETFILTER_XT_MATCH_PHYSDEV is not set - CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m - CONFIG_NETFILTER_XT_MATCH_QUOTA=m -+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set -+# CONFIG_NETFILTER_XT_MATCH_REALM is not set - CONFIG_NETFILTER_XT_MATCH_RECENT=m -+# CONFIG_NETFILTER_XT_MATCH_SCTP is not set - CONFIG_NETFILTER_XT_MATCH_SOCKET=m - CONFIG_NETFILTER_XT_MATCH_STATE=m - CONFIG_NETFILTER_XT_MATCH_STATISTIC=m - CONFIG_NETFILTER_XT_MATCH_STRING=m -+# CONFIG_NETFILTER_XT_MATCH_TCPMSS is not set - CONFIG_NETFILTER_XT_MATCH_TIME=m - CONFIG_NETFILTER_XT_MATCH_U32=m -+# end of Core Netfilter Configuration -+ -+# CONFIG_IP_SET is not set - CONFIG_IP_VS=m -+# CONFIG_IP_VS_IPV6 is not set -+# CONFIG_IP_VS_DEBUG is not set -+CONFIG_IP_VS_TAB_BITS=12 -+ -+# -+# IPVS transport protocol load balancing support -+# - CONFIG_IP_VS_PROTO_TCP=y - CONFIG_IP_VS_PROTO_UDP=y -+# CONFIG_IP_VS_PROTO_ESP is not set -+# CONFIG_IP_VS_PROTO_AH is not set -+# CONFIG_IP_VS_PROTO_SCTP is not set -+ -+# -+# IPVS scheduler -+# - CONFIG_IP_VS_RR=m -+# CONFIG_IP_VS_WRR is not set -+# CONFIG_IP_VS_LC is not set -+# CONFIG_IP_VS_WLC is not set -+# CONFIG_IP_VS_FO is not set -+# CONFIG_IP_VS_OVF is not set -+# CONFIG_IP_VS_LBLC is not set -+# CONFIG_IP_VS_LBLCR is not set -+# CONFIG_IP_VS_DH is not set -+# CONFIG_IP_VS_SH is not set -+# CONFIG_IP_VS_MH is not set -+# CONFIG_IP_VS_SED is not set -+# CONFIG_IP_VS_NQ is not set -+ -+# -+# IPVS SH scheduler -+# -+CONFIG_IP_VS_SH_TAB_BITS=8 -+ -+# -+# IPVS MH scheduler -+# -+CONFIG_IP_VS_MH_TAB_INDEX=12 -+ -+# -+# IPVS application helper -+# -+# CONFIG_IP_VS_FTP is not set - CONFIG_IP_VS_NFCT=y -+# CONFIG_IP_VS_PE_SIP is not set -+ -+# -+# IP: Netfilter Configuration -+# -+CONFIG_NF_DEFRAG_IPV4=m -+CONFIG_NF_SOCKET_IPV4=m -+CONFIG_NF_TPROXY_IPV4=m -+CONFIG_NF_DUP_IPV4=m -+# CONFIG_NF_LOG_ARP is not set -+CONFIG_NF_LOG_IPV4=m -+CONFIG_NF_REJECT_IPV4=m -+CONFIG_NF_NAT_PPTP=m -+CONFIG_NF_NAT_H323=m - 
CONFIG_IP_NF_IPTABLES=m - CONFIG_IP_NF_MATCH_AH=m - CONFIG_IP_NF_MATCH_ECN=m -@@ -203,89 +1285,326 @@ CONFIG_IP_NF_MATCH_RPFILTER=m - CONFIG_IP_NF_MATCH_TTL=m - CONFIG_IP_NF_FILTER=m - CONFIG_IP_NF_TARGET_REJECT=m -+# CONFIG_IP_NF_TARGET_SYNPROXY is not set - CONFIG_IP_NF_NAT=m - CONFIG_IP_NF_TARGET_MASQUERADE=m - CONFIG_IP_NF_TARGET_NETMAP=m - CONFIG_IP_NF_TARGET_REDIRECT=m - CONFIG_IP_NF_MANGLE=m -+# CONFIG_IP_NF_TARGET_CLUSTERIP is not set -+# CONFIG_IP_NF_TARGET_ECN is not set -+# CONFIG_IP_NF_TARGET_TTL is not set - CONFIG_IP_NF_RAW=m - CONFIG_IP_NF_SECURITY=m - CONFIG_IP_NF_ARPTABLES=m - CONFIG_IP_NF_ARPFILTER=m - CONFIG_IP_NF_ARP_MANGLE=m -+# end of IP: Netfilter Configuration -+ -+# -+# IPv6: Netfilter Configuration -+# -+CONFIG_NF_SOCKET_IPV6=m -+CONFIG_NF_TPROXY_IPV6=m -+CONFIG_NF_DUP_IPV6=m -+CONFIG_NF_REJECT_IPV6=m -+CONFIG_NF_LOG_IPV6=m - CONFIG_IP6_NF_IPTABLES=m -+# CONFIG_IP6_NF_MATCH_AH is not set -+# CONFIG_IP6_NF_MATCH_EUI64 is not set -+# CONFIG_IP6_NF_MATCH_FRAG is not set -+# CONFIG_IP6_NF_MATCH_OPTS is not set -+# CONFIG_IP6_NF_MATCH_HL is not set -+# CONFIG_IP6_NF_MATCH_IPV6HEADER is not set -+# CONFIG_IP6_NF_MATCH_MH is not set -+# CONFIG_IP6_NF_MATCH_RPFILTER is not set -+# CONFIG_IP6_NF_MATCH_RT is not set -+# CONFIG_IP6_NF_MATCH_SRH is not set -+# CONFIG_IP6_NF_TARGET_HL is not set - CONFIG_IP6_NF_FILTER=m - CONFIG_IP6_NF_TARGET_REJECT=m -+# CONFIG_IP6_NF_TARGET_SYNPROXY is not set - CONFIG_IP6_NF_MANGLE=m - CONFIG_IP6_NF_RAW=m -+# CONFIG_IP6_NF_SECURITY is not set - CONFIG_IP6_NF_NAT=m - CONFIG_IP6_NF_TARGET_MASQUERADE=m -+# CONFIG_IP6_NF_TARGET_NPT is not set -+# end of IPv6: Netfilter Configuration -+ -+CONFIG_NF_DEFRAG_IPV6=m -+# CONFIG_NF_CONNTRACK_BRIDGE is not set -+# CONFIG_BRIDGE_NF_EBTABLES is not set -+# CONFIG_BPFILTER is not set -+# CONFIG_IP_DCCP is not set -+# CONFIG_IP_SCTP is not set -+# CONFIG_RDS is not set -+# CONFIG_TIPC is not set -+# CONFIG_ATM is not set -+# CONFIG_L2TP is not set -+CONFIG_STP=y -+CONFIG_GARP=m 
-+CONFIG_MRP=m - CONFIG_BRIDGE=y -+CONFIG_BRIDGE_IGMP_SNOOPING=y - CONFIG_BRIDGE_VLAN_FILTERING=y -+# CONFIG_BRIDGE_MRP is not set -+CONFIG_HAVE_NET_DSA=y - CONFIG_NET_DSA=m -+# CONFIG_NET_DSA_TAG_AR9331 is not set -+# CONFIG_NET_DSA_TAG_BRCM is not set -+# CONFIG_NET_DSA_TAG_BRCM_PREPEND is not set -+# CONFIG_NET_DSA_TAG_GSWIP is not set -+# CONFIG_NET_DSA_TAG_DSA is not set -+# CONFIG_NET_DSA_TAG_EDSA is not set -+# CONFIG_NET_DSA_TAG_MTK is not set -+# CONFIG_NET_DSA_TAG_KSZ is not set -+# CONFIG_NET_DSA_TAG_RTL4_A is not set - CONFIG_NET_DSA_TAG_OCELOT=m -+# CONFIG_NET_DSA_TAG_QCA is not set -+# CONFIG_NET_DSA_TAG_LAN9303 is not set -+# CONFIG_NET_DSA_TAG_SJA1105 is not set -+# CONFIG_NET_DSA_TAG_TRAILER is not set - CONFIG_VLAN_8021Q=m - CONFIG_VLAN_8021Q_GVRP=y - CONFIG_VLAN_8021Q_MVRP=y -+# CONFIG_DECNET is not set -+CONFIG_LLC=y -+# CONFIG_LLC2 is not set -+# CONFIG_ATALK is not set -+# CONFIG_X25 is not set -+# CONFIG_LAPB is not set -+# CONFIG_PHONET is not set -+# CONFIG_6LOWPAN is not set -+# CONFIG_IEEE802154 is not set - CONFIG_NET_SCHED=y -+ -+# -+# Queueing/Scheduling -+# -+# CONFIG_NET_SCH_CBQ is not set - CONFIG_NET_SCH_HTB=y -+# CONFIG_NET_SCH_HFSC is not set -+# CONFIG_NET_SCH_PRIO is not set -+# CONFIG_NET_SCH_MULTIQ is not set -+# CONFIG_NET_SCH_RED is not set -+# CONFIG_NET_SCH_SFB is not set -+# CONFIG_NET_SCH_SFQ is not set -+# CONFIG_NET_SCH_TEQL is not set -+# CONFIG_NET_SCH_TBF is not set - CONFIG_NET_SCH_CBS=y - CONFIG_NET_SCH_ETF=m - CONFIG_NET_SCH_TAPRIO=m -+# CONFIG_NET_SCH_GRED is not set -+# CONFIG_NET_SCH_DSMARK is not set -+# CONFIG_NET_SCH_NETEM is not set -+# CONFIG_NET_SCH_DRR is not set - CONFIG_NET_SCH_MQPRIO=m -+# CONFIG_NET_SCH_SKBPRIO is not set -+# CONFIG_NET_SCH_CHOKE is not set -+# CONFIG_NET_SCH_QFQ is not set -+# CONFIG_NET_SCH_CODEL is not set -+# CONFIG_NET_SCH_FQ_CODEL is not set -+# CONFIG_NET_SCH_CAKE is not set -+# CONFIG_NET_SCH_FQ is not set -+# CONFIG_NET_SCH_HHF is not set -+# CONFIG_NET_SCH_PIE is not set 
- CONFIG_NET_SCH_INGRESS=m -+# CONFIG_NET_SCH_PLUG is not set -+# CONFIG_NET_SCH_ETS is not set -+# CONFIG_NET_SCH_DEFAULT is not set -+ -+# -+# Classification -+# -+CONFIG_NET_CLS=y - CONFIG_NET_CLS_BASIC=m -+# CONFIG_NET_CLS_TCINDEX is not set -+# CONFIG_NET_CLS_ROUTE4 is not set -+# CONFIG_NET_CLS_FW is not set - CONFIG_NET_CLS_U32=y -+# CONFIG_CLS_U32_PERF is not set -+# CONFIG_CLS_U32_MARK is not set -+# CONFIG_NET_CLS_RSVP is not set -+# CONFIG_NET_CLS_RSVP6 is not set -+# CONFIG_NET_CLS_FLOW is not set - CONFIG_NET_CLS_CGROUP=y -+# CONFIG_NET_CLS_BPF is not set - CONFIG_NET_CLS_FLOWER=m -+# CONFIG_NET_CLS_MATCHALL is not set - CONFIG_NET_EMATCH=y -+CONFIG_NET_EMATCH_STACK=32 -+# CONFIG_NET_EMATCH_CMP is not set -+# CONFIG_NET_EMATCH_NBYTE is not set - CONFIG_NET_EMATCH_U32=y -+# CONFIG_NET_EMATCH_META is not set -+# CONFIG_NET_EMATCH_TEXT is not set -+# CONFIG_NET_EMATCH_CANID is not set -+# CONFIG_NET_EMATCH_IPT is not set - CONFIG_NET_CLS_ACT=y - CONFIG_NET_ACT_POLICE=m - CONFIG_NET_ACT_GACT=m -+# CONFIG_GACT_PROB is not set - CONFIG_NET_ACT_MIRRED=m -+# CONFIG_NET_ACT_SAMPLE is not set -+# CONFIG_NET_ACT_IPT is not set -+# CONFIG_NET_ACT_NAT is not set -+# CONFIG_NET_ACT_PEDIT is not set -+# CONFIG_NET_ACT_SIMP is not set -+# CONFIG_NET_ACT_SKBEDIT is not set -+# CONFIG_NET_ACT_CSUM is not set -+# CONFIG_NET_ACT_MPLS is not set -+# CONFIG_NET_ACT_VLAN is not set -+# CONFIG_NET_ACT_BPF is not set -+# CONFIG_NET_ACT_CONNMARK is not set -+# CONFIG_NET_ACT_CTINFO is not set -+# CONFIG_NET_ACT_SKBMOD is not set -+# CONFIG_NET_ACT_IFE is not set -+# CONFIG_NET_ACT_TUNNEL_KEY is not set - CONFIG_NET_ACT_GATE=m -+# CONFIG_NET_TC_SKB_EXT is not set -+CONFIG_NET_SCH_FIFO=y -+# CONFIG_DCB is not set -+CONFIG_DNS_RESOLVER=y -+# CONFIG_BATMAN_ADV is not set -+# CONFIG_OPENVSWITCH is not set -+# CONFIG_VSOCKETS is not set -+# CONFIG_NETLINK_DIAG is not set -+# CONFIG_MPLS is not set -+# CONFIG_NET_NSH is not set -+# CONFIG_HSR is not set -+CONFIG_NET_SWITCHDEV=y 
-+CONFIG_NET_L3_MASTER_DEV=y -+# CONFIG_QRTR is not set -+# CONFIG_NET_NCSI is not set -+CONFIG_RPS=y -+CONFIG_RFS_ACCEL=y -+CONFIG_XPS=y - CONFIG_CGROUP_NET_PRIO=y -+CONFIG_CGROUP_NET_CLASSID=y -+CONFIG_NET_RX_BUSY_POLL=y -+CONFIG_BQL=y - CONFIG_BPF_JIT=y -+CONFIG_NET_FLOW_LIMIT=y -+ -+# -+# Network testing -+# -+# CONFIG_NET_PKTGEN is not set -+# CONFIG_NET_DROP_MONITOR is not set -+# end of Network testing -+# end of Networking options -+ -+# CONFIG_HAMRADIO is not set - CONFIG_CAN=m -+CONFIG_CAN_RAW=m -+CONFIG_CAN_BCM=m -+CONFIG_CAN_GW=m -+# CONFIG_CAN_J1939 is not set -+# CONFIG_CAN_ISOTP is not set -+ -+# -+# CAN Device Drivers -+# - CONFIG_CAN_VCAN=m -+# CONFIG_CAN_VXCAN is not set - CONFIG_CAN_SLCAN=m -+CONFIG_CAN_DEV=m -+CONFIG_CAN_CALC_BITTIMING=y -+# CONFIG_CAN_FLEXCAN is not set -+# CONFIG_CAN_GRCAN is not set -+# CONFIG_CAN_KVASER_PCIEFD is not set -+# CONFIG_CAN_XILINXCAN is not set - CONFIG_CAN_C_CAN=m -+# CONFIG_CAN_C_CAN_PLATFORM is not set -+# CONFIG_CAN_C_CAN_PCI is not set - CONFIG_CAN_CC770=m - CONFIG_CAN_CC770_ISA=m - CONFIG_CAN_CC770_PLATFORM=m -+# CONFIG_CAN_IFI_CANFD is not set - CONFIG_CAN_M_CAN=m -+# CONFIG_CAN_M_CAN_PLATFORM is not set -+# CONFIG_CAN_M_CAN_TCAN4X5X is not set -+# CONFIG_CAN_PEAK_PCIEFD is not set - CONFIG_CAN_SJA1000=m - CONFIG_CAN_EMS_PCI=m -+# CONFIG_CAN_F81601 is not set - CONFIG_CAN_KVASER_PCI=m -+# CONFIG_CAN_PEAK_PCI is not set - CONFIG_CAN_PLX_PCI=m - CONFIG_CAN_SJA1000_ISA=m - CONFIG_CAN_SJA1000_PLATFORM=m - CONFIG_CAN_SOFTING=m -+ -+# -+# CAN SPI interfaces -+# -+# CONFIG_CAN_HI311X is not set - CONFIG_CAN_MCP251X=m -+# CONFIG_CAN_MCP251XFD is not set -+# end of CAN SPI interfaces -+ -+# -+# CAN USB interfaces -+# - CONFIG_CAN_8DEV_USB=m - CONFIG_CAN_EMS_USB=m - CONFIG_CAN_ESD_USB2=m - CONFIG_CAN_GS_USB=m - CONFIG_CAN_KVASER_USB=m -+# CONFIG_CAN_MCBA_USB is not set - CONFIG_CAN_PEAK_USB=m -+# CONFIG_CAN_UCAN is not set -+# end of CAN USB interfaces -+ -+# CONFIG_CAN_DEBUG_DEVICES is not set -+# end of CAN Device 
Drivers -+ - CONFIG_MTTCAN=m - CONFIG_TEGRA_HV_SECCAN=m - CONFIG_BT=y -+CONFIG_BT_BREDR=y - CONFIG_BT_RFCOMM=y -+# CONFIG_BT_RFCOMM_TTY is not set - CONFIG_BT_BNEP=m -+# CONFIG_BT_BNEP_MC_FILTER is not set -+# CONFIG_BT_BNEP_PROTO_FILTER is not set - CONFIG_BT_HIDP=y -+# CONFIG_BT_HS is not set - # CONFIG_BT_LE is not set - CONFIG_BT_LEDS=y -+# CONFIG_BT_MSFTEXT is not set - # CONFIG_BT_DEBUGFS is not set -+# CONFIG_BT_SELFTEST is not set -+# CONFIG_BT_FEATURE_DEBUG is not set -+ -+# -+# Bluetooth device drivers -+# -+CONFIG_BT_INTEL=m -+CONFIG_BT_BCM=m -+CONFIG_BT_RTL=m -+CONFIG_BT_QCA=m - CONFIG_BT_HCIBTUSB=m -+# CONFIG_BT_HCIBTUSB_AUTOSUSPEND is not set -+CONFIG_BT_HCIBTUSB_BCM=y -+# CONFIG_BT_HCIBTUSB_MTK is not set -+CONFIG_BT_HCIBTUSB_RTL=y -+# CONFIG_BT_HCIBTSDIO is not set - CONFIG_BT_HCIUART=m -+CONFIG_BT_HCIUART_SERDEV=y -+CONFIG_BT_HCIUART_H4=y -+# CONFIG_BT_HCIUART_NOKIA is not set - CONFIG_BT_HCIUART_BCSP=y - CONFIG_BT_HCIUART_ATH3K=y - CONFIG_BT_HCIUART_LL=y -+# CONFIG_BT_HCIUART_3WIRE is not set - CONFIG_BT_HCIUART_INTEL=y - CONFIG_BT_HCIUART_BCM=y -+# CONFIG_BT_HCIUART_RTL is not set - CONFIG_BT_HCIUART_QCA=y -+# CONFIG_BT_HCIUART_AG6XX is not set -+# CONFIG_BT_HCIUART_MRVL is not set - CONFIG_BT_HCIBCM203X=m - CONFIG_BT_HCIBPA10X=m - CONFIG_BT_HCIBFUSB=m -@@ -293,222 +1612,1218 @@ CONFIG_BT_HCIVHCI=m - CONFIG_BT_MRVL=m - CONFIG_BT_MRVL_SDIO=m - CONFIG_BT_ATH3K=m -+# CONFIG_BT_MTKSDIO is not set -+# CONFIG_BT_MTKUART is not set -+# end of Bluetooth device drivers -+ - CONFIG_AF_RXRPC=m -+# CONFIG_AF_RXRPC_IPV6 is not set -+# CONFIG_AF_RXRPC_INJECT_LOSS is not set -+# CONFIG_AF_RXRPC_DEBUG is not set -+# CONFIG_RXKAD is not set - CONFIG_AF_KCM=m -+CONFIG_STREAM_PARSER=y -+CONFIG_FIB_RULES=y -+CONFIG_WIRELESS=y -+CONFIG_WIRELESS_EXT=y -+CONFIG_WEXT_CORE=y -+CONFIG_WEXT_PROC=y -+CONFIG_WEXT_SPY=y -+CONFIG_WEXT_PRIV=y - CONFIG_CFG80211=m -+# CONFIG_NL80211_TESTMODE is not set -+# CONFIG_CFG80211_DEVELOPER_WARNINGS is not set - 
CONFIG_CFG80211_CERTIFICATION_ONUS=y - # CONFIG_CFG80211_REQUIRE_SIGNED_REGDB is not set -+# CONFIG_CFG80211_REG_CELLULAR_HINTS is not set -+# CONFIG_CFG80211_REG_RELAX_NO_IR is not set -+CONFIG_CFG80211_DEFAULT_PS=y -+# CONFIG_CFG80211_DEBUGFS is not set -+CONFIG_CFG80211_CRDA_SUPPORT=y -+CONFIG_CFG80211_WEXT=y -+CONFIG_CFG80211_WEXT_EXPORT=y -+CONFIG_LIB80211=m -+CONFIG_LIB80211_CRYPT_WEP=m -+CONFIG_LIB80211_CRYPT_CCMP=m -+CONFIG_LIB80211_CRYPT_TKIP=m -+# CONFIG_LIB80211_DEBUG is not set - CONFIG_MAC80211=m -+CONFIG_MAC80211_HAS_RC=y -+CONFIG_MAC80211_RC_MINSTREL=y -+CONFIG_MAC80211_RC_DEFAULT_MINSTREL=y -+CONFIG_MAC80211_RC_DEFAULT="minstrel_ht" -+# CONFIG_MAC80211_MESH is not set -+CONFIG_MAC80211_LEDS=y -+CONFIG_MAC80211_DEBUGFS=y -+# CONFIG_MAC80211_MESSAGE_TRACING is not set -+# CONFIG_MAC80211_DEBUG_MENU is not set -+CONFIG_MAC80211_STA_HASH_MAX_SIZE=0 -+# CONFIG_WIMAX is not set - CONFIG_RFKILL=y -+CONFIG_RFKILL_LEDS=y -+# CONFIG_RFKILL_INPUT is not set -+# CONFIG_RFKILL_GPIO is not set - CONFIG_NET_9P=y -+# CONFIG_NET_9P_VIRTIO is not set -+# CONFIG_NET_9P_RDMA is not set -+# CONFIG_NET_9P_DEBUG is not set -+# CONFIG_CAIF is not set -+# CONFIG_CEPH_LIB is not set - CONFIG_NFC=m -+# CONFIG_NFC_DIGITAL is not set - CONFIG_NFC_NCI=m -+# CONFIG_NFC_NCI_SPI is not set -+# CONFIG_NFC_NCI_UART is not set -+# CONFIG_NFC_HCI is not set -+ -+# -+# Near Field Communication (NFC) devices -+# -+# CONFIG_NFC_FDP is not set -+# CONFIG_NFC_PN533_USB is not set -+# CONFIG_NFC_PN533_I2C is not set -+# CONFIG_NFC_PN532_UART is not set -+# CONFIG_NFC_MRVL_USB is not set -+# CONFIG_NFC_ST_NCI_I2C is not set -+# CONFIG_NFC_ST_NCI_SPI is not set -+# CONFIG_NFC_NXP_NCI is not set -+CONFIG_NFC_S3FWRN5=m - CONFIG_NFC_S3FWRN5_I2C=m -+# end of Near Field Communication (NFC) devices -+ -+# CONFIG_PSAMPLE is not set -+# CONFIG_NET_IFE is not set -+# CONFIG_LWTUNNEL is not set -+CONFIG_DST_CACHE=y -+CONFIG_GRO_CELLS=y -+CONFIG_NET_DEVLINK=y -+CONFIG_PAGE_POOL=y -+CONFIG_FAILOVER=y 
-+CONFIG_ETHTOOL_NETLINK=y -+CONFIG_HAVE_EBPF_JIT=y -+ -+# -+# Device Drivers -+# -+CONFIG_ARM_AMBA=y -+CONFIG_TEGRA_AHB=y -+CONFIG_HAVE_PCI=y - CONFIG_PCI=y -+CONFIG_PCI_DOMAINS=y -+CONFIG_PCI_DOMAINS_GENERIC=y -+CONFIG_PCI_SYSCALL=y - CONFIG_PCIEPORTBUS=y -+# CONFIG_HOTPLUG_PCI_PCIE is not set - CONFIG_PCIEAER=y -+# CONFIG_PCIEAER_INJECT is not set - CONFIG_PCIE_ECRC=y -+CONFIG_PCIEASPM=y -+# CONFIG_PCIEASPM_DEFAULT is not set -+# CONFIG_PCIEASPM_POWERSAVE is not set - CONFIG_PCIEASPM_POWER_SUPERSAVE=y --CONFIG_PCI_STUB=m -+# CONFIG_PCIEASPM_PERFORMANCE is not set -+CONFIG_PCIE_PME=y -+# CONFIG_PCIE_DPC is not set -+# CONFIG_PCIE_PTM is not set -+CONFIG_PCI_MSI=y -+CONFIG_PCI_MSI_IRQ_DOMAIN=y -+CONFIG_PCI_MSI_ARCH_FALLBACKS=y -+CONFIG_PCI_QUIRKS=y -+CONFIG_PCI_DEBUG=y -+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set -+CONFIG_PCI_STUB=y -+# CONFIG_PCI_PF_STUB is not set -+CONFIG_PCI_ATS=y -+CONFIG_PCI_ECAM=y - CONFIG_PCI_IOV=y -+# CONFIG_PCI_PRI is not set -+# CONFIG_PCI_PASID is not set -+CONFIG_PCI_LABEL=y -+# CONFIG_PCIE_BUS_TUNE_OFF is not set -+# CONFIG_PCIE_BUS_DEFAULT is not set - CONFIG_PCIE_BUS_SAFE=y -+# CONFIG_PCIE_BUS_PERFORMANCE is not set -+# CONFIG_PCIE_BUS_PEER2PEER is not set -+CONFIG_HOTPLUG_PCI=y -+CONFIG_HOTPLUG_PCI_ACPI=y -+# CONFIG_HOTPLUG_PCI_ACPI_IBM is not set -+# CONFIG_HOTPLUG_PCI_CPCI is not set -+# CONFIG_HOTPLUG_PCI_SHPC is not set -+ -+# -+# PCI controller drivers -+# -+# CONFIG_PCI_FTPCI100 is not set - CONFIG_PCI_TEGRA=y -+CONFIG_PCI_HOST_COMMON=y -+CONFIG_PCI_HOST_GENERIC=y -+# CONFIG_PCIE_XILINX is not set -+# CONFIG_PCI_XGENE is not set -+# CONFIG_PCIE_ALTERA is not set -+# CONFIG_PCI_HOST_THUNDER_PEM is not set -+# CONFIG_PCI_HOST_THUNDER_ECAM is not set -+# CONFIG_PCIE_HISI_ERR is not set -+ -+# -+# DesignWare PCI Core Support -+# -+CONFIG_PCIE_DW=y -+CONFIG_PCIE_DW_HOST=y -+CONFIG_PCIE_DW_EP=y -+# CONFIG_PCIE_DW_PLAT_HOST is not set -+# CONFIG_PCIE_DW_PLAT_EP is not set -+# CONFIG_PCI_HISI is not set -+# CONFIG_PCIE_KIRIN is not 
set -+# CONFIG_PCI_MESON is not set -+CONFIG_PCIE_TEGRA194=y -+CONFIG_PCIE_TEGRA194_HOST=y - CONFIG_PCIE_TEGRA194_EP=y -+# CONFIG_PCIE_RP_DMA_TEST is not set -+# CONFIG_PCIE_AL is not set -+# end of DesignWare PCI Core Support -+ -+# -+# Mobiveil PCIe Core Support -+# -+CONFIG_PCIE_MOBIVEIL=y -+CONFIG_PCIE_MOBIVEIL_HOST=y - CONFIG_PCIE_LAYERSCAPE_GEN4=y -+# end of Mobiveil PCIe Core Support -+ -+# -+# Cadence PCIe controllers support -+# -+# CONFIG_PCIE_CADENCE_PLAT_HOST is not set -+# CONFIG_PCIE_CADENCE_PLAT_EP is not set -+# CONFIG_PCI_J721E_HOST is not set -+# CONFIG_PCI_J721E_EP is not set -+# end of Cadence PCIe controllers support -+# end of PCI controller drivers -+ - CONFIG_PCIE_TEGRA_VF=y -+ -+# -+# PCI Endpoint -+# - CONFIG_PCI_ENDPOINT=y - CONFIG_PCI_ENDPOINT_CONFIGFS=y - CONFIG_PCI_EPF_TEST=y - CONFIG_PCIE_EPF_NV_TEST=y - CONFIG_PCIE_EPF_TEGRA_VNET=y --CONFIG_PCI_SERIAL_CH384=m -+# CONFIG_PCIE_EPF_DMA_TEST is not set -+# end of PCI Endpoint -+ -+# -+# PCI switch controller drivers -+# -+CONFIG_PCI_SW_SWITCHTEC=m -+# end of PCI switch controller drivers -+ -+# -+# PCI Endpoint -+# -+# CONFIG_PCIE_TEGRA_DW_EP is not set -+# end of PCI Endpoint -+ -+# CONFIG_PCCARD is not set -+# CONFIG_RAPIDIO is not set -+ -+# -+# Generic Driver Options -+# - CONFIG_UEVENT_HELPER=y -+CONFIG_UEVENT_HELPER_PATH="" - CONFIG_DEVTMPFS=y - CONFIG_DEVTMPFS_MOUNT=y -+CONFIG_STANDALONE=y -+CONFIG_PREVENT_FIRMWARE_BUILD=y -+ -+# -+# Firmware loader -+# -+CONFIG_FW_LOADER=y -+CONFIG_FW_LOADER_PAGED_BUF=y -+CONFIG_EXTRA_FIRMWARE="" - CONFIG_FW_LOADER_USER_HELPER=y - CONFIG_FW_LOADER_USER_HELPER_FALLBACK=y -+# CONFIG_FW_LOADER_COMPRESS is not set -+CONFIG_FW_CACHE=y -+# end of Firmware loader -+ -+CONFIG_WANT_DEV_COREDUMP=y -+CONFIG_ALLOW_DEV_COREDUMP=y -+CONFIG_DEV_COREDUMP=y -+# CONFIG_DEBUG_DRIVER is not set -+# CONFIG_DEBUG_DEVRES is not set -+# CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set -+# CONFIG_TEST_ASYNC_DRIVER_PROBE is not set -+CONFIG_GENERIC_CPU_AUTOPROBE=y 
-+CONFIG_GENERIC_CPU_VULNERABILITIES=y -+CONFIG_SOC_BUS=y -+CONFIG_REGMAP=y -+CONFIG_REGMAP_I2C=y -+CONFIG_REGMAP_SPI=y -+CONFIG_REGMAP_SPMI=m -+CONFIG_REGMAP_MMIO=y -+CONFIG_REGMAP_IRQ=y -+CONFIG_DMA_SHARED_BUFFER=y -+# CONFIG_DMA_FENCE_TRACE is not set -+CONFIG_GENERIC_ARCH_TOPOLOGY=y -+# end of Generic Driver Options -+ -+# -+# Bus devices -+# - CONFIG_BRCMSTB_GISB_ARB=y -+# CONFIG_MOXTET is not set - CONFIG_SIMPLE_PM_BUS=y - CONFIG_TEGRA_ACONNECT=y -+# CONFIG_TEGRA_GMI is not set - CONFIG_VEXPRESS_CONFIG=y -+# CONFIG_MHI_BUS is not set -+# end of Bus devices -+ -+# CONFIG_CONNECTOR is not set -+# CONFIG_GNSS is not set - CONFIG_MTD=m -+# CONFIG_MTD_TESTS is not set -+ -+# -+# Partition parsers -+# -+# CONFIG_MTD_AR7_PARTS is not set - CONFIG_MTD_CMDLINE_PARTS=m -+CONFIG_MTD_OF_PARTS=m -+# CONFIG_MTD_AFS_PARTS is not set -+# CONFIG_MTD_REDBOOT_PARTS is not set -+# end of Partition parsers -+ -+# -+# User Modules And Translation Layers -+# -+CONFIG_MTD_BLKDEVS=m - CONFIG_MTD_BLOCK=m -+# CONFIG_MTD_BLOCK_RO is not set -+# CONFIG_FTL is not set -+# CONFIG_NFTL is not set -+# CONFIG_INFTL is not set -+# CONFIG_RFD_FTL is not set -+# CONFIG_SSFDC is not set -+# CONFIG_SM_FTL is not set -+# CONFIG_MTD_OOPS is not set -+# CONFIG_MTD_SWAP is not set -+# CONFIG_MTD_PARTITIONED_MASTER is not set -+ -+# -+# RAM/ROM/Flash chip drivers -+# -+# CONFIG_MTD_CFI is not set -+# CONFIG_MTD_JEDECPROBE is not set -+CONFIG_MTD_MAP_BANK_WIDTH_1=y -+CONFIG_MTD_MAP_BANK_WIDTH_2=y -+CONFIG_MTD_MAP_BANK_WIDTH_4=y -+CONFIG_MTD_CFI_I1=y -+CONFIG_MTD_CFI_I2=y -+# CONFIG_MTD_RAM is not set -+# CONFIG_MTD_ROM is not set -+# CONFIG_MTD_ABSENT is not set -+# end of RAM/ROM/Flash chip drivers -+ -+# -+# Mapping drivers for chip access -+# -+# CONFIG_MTD_COMPLEX_MAPPINGS is not set -+# CONFIG_MTD_INTEL_VR_NOR is not set -+# CONFIG_MTD_PLATRAM is not set -+# end of Mapping drivers for chip access -+ -+# -+# Self-contained MTD device drivers -+# -+# CONFIG_MTD_PMC551 is not set -+# 
CONFIG_MTD_DATAFLASH is not set -+# CONFIG_MTD_MCHP23K256 is not set -+# CONFIG_MTD_SST25L is not set - CONFIG_MTD_QSPI_FLASH=m -+# CONFIG_MTD_SLRAM is not set -+# CONFIG_MTD_PHRAM is not set -+# CONFIG_MTD_MTDRAM is not set -+# CONFIG_MTD_BLOCK2MTD is not set -+ -+# -+# Disk-On-Chip Device Drivers -+# -+# CONFIG_MTD_DOCG3 is not set -+# end of Self-contained MTD device drivers -+ - CONFIG_MTD_TEGRA_VIRT=m -+ -+# -+# NAND -+# -+CONFIG_MTD_NAND_CORE=m -+# CONFIG_MTD_ONENAND is not set -+CONFIG_MTD_NAND_ECC_SW_HAMMING=m -+# CONFIG_MTD_NAND_ECC_SW_HAMMING_SMC is not set - CONFIG_MTD_RAW_NAND=m -+# CONFIG_MTD_NAND_ECC_SW_BCH is not set -+ -+# -+# Raw/parallel NAND flash controllers -+# -+# CONFIG_MTD_NAND_DENALI_PCI is not set -+# CONFIG_MTD_NAND_DENALI_DT is not set -+# CONFIG_MTD_NAND_CAFE is not set -+# CONFIG_MTD_NAND_BRCMNAND is not set -+# CONFIG_MTD_NAND_MXIC is not set -+# CONFIG_MTD_NAND_TEGRA is not set -+# CONFIG_MTD_NAND_GPIO is not set -+# CONFIG_MTD_NAND_PLATFORM is not set -+# CONFIG_MTD_NAND_CADENCE is not set -+# CONFIG_MTD_NAND_ARASAN is not set -+ -+# -+# Misc -+# -+# CONFIG_MTD_NAND_NANDSIM is not set -+# CONFIG_MTD_NAND_RICOH is not set -+# CONFIG_MTD_NAND_DISKONCHIP is not set -+# CONFIG_MTD_SPI_NAND is not set -+ -+# -+# ECC engine support -+# -+CONFIG_MTD_NAND_ECC=y -+# end of ECC engine support -+# end of NAND -+ -+# -+# LPDDR & LPDDR2 PCM memory drivers -+# -+# CONFIG_MTD_LPDDR is not set -+# end of LPDDR & LPDDR2 PCM memory drivers -+ - CONFIG_MTD_SPI_NOR=m -+CONFIG_MTD_SPI_NOR_USE_4K_SECTORS=y - CONFIG_MTD_UBI=m -+CONFIG_MTD_UBI_WL_THRESHOLD=4096 -+CONFIG_MTD_UBI_BEB_LIMIT=20 -+# CONFIG_MTD_UBI_FASTMAP is not set -+# CONFIG_MTD_UBI_GLUEBI is not set -+# CONFIG_MTD_UBI_BLOCK is not set -+# CONFIG_MTD_HYPERBUS is not set -+CONFIG_DTC=y -+CONFIG_OF=y -+# CONFIG_OF_UNITTEST is not set -+CONFIG_OF_FLATTREE=y -+CONFIG_OF_EARLY_FLATTREE=y -+CONFIG_OF_KOBJ=y -+CONFIG_OF_DYNAMIC=y -+CONFIG_OF_ADDRESS=y -+CONFIG_OF_IRQ=y -+CONFIG_OF_NET=y 
-+CONFIG_OF_RESERVED_MEM=y -+CONFIG_OF_RESOLVE=y -+CONFIG_OF_OVERLAY=y -+# CONFIG_PARPORT is not set -+CONFIG_PNP=y - # CONFIG_PNP_DEBUG_MESSAGES is not set -+ -+# -+# Protocols -+# -+CONFIG_PNPACPI=y -+CONFIG_BLK_DEV=y -+# CONFIG_BLK_DEV_NULL_BLK is not set -+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set - CONFIG_ZRAM=m -+# CONFIG_ZRAM_WRITEBACK is not set -+# CONFIG_ZRAM_MEMORY_TRACKING is not set -+# CONFIG_BLK_DEV_UMEM is not set - CONFIG_BLK_DEV_LOOP=m -+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 -+# CONFIG_BLK_DEV_CRYPTOLOOP is not set -+# CONFIG_BLK_DEV_DRBD is not set - CONFIG_BLK_DEV_NBD=m -+# CONFIG_BLK_DEV_SKD is not set -+# CONFIG_BLK_DEV_SX8 is not set - CONFIG_BLK_DEV_RAM=m -+CONFIG_BLK_DEV_RAM_COUNT=16 - CONFIG_BLK_DEV_RAM_SIZE=8192 -+# CONFIG_CDROM_PKTCDVD is not set -+# CONFIG_ATA_OVER_ETH is not set - CONFIG_VIRTIO_BLK=y -+# CONFIG_BLK_DEV_RBD is not set -+# CONFIG_BLK_DEV_RSXX is not set - CONFIG_TEGRA_HV_BLKDEV=y - CONFIG_TEGRA_HV_BLKDEV_OOPS=y -+ -+# -+# NVME Support -+# -+CONFIG_NVME_CORE=y - CONFIG_BLK_DEV_NVME=y -+# CONFIG_NVME_MULTIPATH is not set -+# CONFIG_NVME_HWMON is not set -+CONFIG_NVME_FABRICS=m - CONFIG_NVME_RDMA=m - CONFIG_NVME_FC=m -+# CONFIG_NVME_TCP is not set -+# CONFIG_NVME_TARGET is not set -+# end of NVME Support -+ -+# -+# Misc devices -+# -+# CONFIG_AD525X_DPOT is not set -+# CONFIG_DUMMY_IRQ is not set -+# CONFIG_PHANTOM is not set - CONFIG_TIFM_CORE=m -+CONFIG_TIFM_7XX1=m -+# CONFIG_ICS932S401 is not set -+# CONFIG_ENCLOSURE_SERVICES is not set -+# CONFIG_HP_ILO is not set -+# CONFIG_APDS9802ALS is not set -+# CONFIG_ISL29003 is not set -+# CONFIG_ISL29020 is not set -+# CONFIG_SENSORS_TSL2550 is not set -+# CONFIG_SENSORS_BH1770 is not set -+# CONFIG_SENSORS_APDS990X is not set -+# CONFIG_HMC6352 is not set -+# CONFIG_DS1682 is not set -+# CONFIG_LATTICE_ECP3_CONFIG is not set - CONFIG_SRAM=y - CONFIG_PCI_ENDPOINT_TEST=m -+# CONFIG_XILINX_SDFEC is not set -+# CONFIG_PVPANIC is not set -+# CONFIG_HISI_HIKEY_USB is not set -+# 
CONFIG_C2PORT is not set -+ -+# -+# EEPROM support -+# - CONFIG_EEPROM_AT24=m - CONFIG_EEPROM_AT25=m -+# CONFIG_EEPROM_LEGACY is not set -+# CONFIG_EEPROM_MAX6875 is not set -+CONFIG_EEPROM_93CX6=m -+# CONFIG_EEPROM_93XX46 is not set -+# CONFIG_EEPROM_IDT_89HPESX is not set -+# CONFIG_EEPROM_EE1004 is not set -+# end of EEPROM support -+ - CONFIG_CB710_CORE=m -+# CONFIG_CB710_DEBUG is not set -+CONFIG_CB710_DEBUG_ASSUMPTIONS=y -+ -+# -+# Texas Instruments shared transport line discipline -+# -+# CONFIG_TI_ST is not set -+# end of Texas Instruments shared transport line discipline -+ -+# CONFIG_SENSORS_LIS3_I2C is not set -+# CONFIG_ALTERA_STAPL is not set -+# CONFIG_GENWQE is not set -+# CONFIG_ECHO is not set -+# CONFIG_MISC_ALCOR_PCI is not set -+# CONFIG_MISC_RTSX_PCI is not set -+# CONFIG_MISC_RTSX_USB is not set -+# CONFIG_HABANA_AI is not set -+# CONFIG_UACCE is not set - CONFIG_MODS=m --CONFIG_SENSORS_F75308=m -+# CONFIG_SAF775x_HWDEP is not set - CONFIG_SENSORS_NCT1008=m - CONFIG_SENSORS_PEX9749=y -+# CONFIG_TEGRA_CPC is not set -+# CONFIG_THERM_EST is not set - CONFIG_FAN_THERM_EST=y - CONFIG_EQOS_APE_HWDEP=m - CONFIG_TEGRA_ACSL=m -+# CONFIG_TEGRA_SKIN is not set - CONFIG_TEGRA_PCIE_EP_MEM=y -+# CONFIG_TEGRA_PCIE_DMA_TEST is not set -+# CONFIG_NVS is not set - CONFIG_NVS_LIGHT=m - CONFIG_NVS_PROXIMITY=y -+# CONFIG_NVS_TRIGGERED_BUFFER is not set - CONFIG_NVS_GTE=m - CONFIG_TEGRA_PROFILER=y -+CONFIG_EVENTLIB=y - CONFIG_NVSCIC2C_PCIE=m - CONFIG_NVSCIIPC=y - CONFIG_BLUEDROID_PM=m -+# end of Misc devices -+ -+# -+# SCSI device support -+# -+CONFIG_SCSI_MOD=y -+CONFIG_RAID_ATTRS=m - CONFIG_SCSI=y -+CONFIG_SCSI_DMA=y -+CONFIG_SCSI_PROC_FS=y -+ -+# -+# SCSI support type (disk, tape, CD-ROM) -+# - CONFIG_BLK_DEV_SD=y -+# CONFIG_CHR_DEV_ST is not set -+# CONFIG_BLK_DEV_SR is not set -+# CONFIG_CHR_DEV_SG is not set -+# CONFIG_CHR_DEV_SCH is not set -+# CONFIG_SCSI_CONSTANTS is not set -+# CONFIG_SCSI_LOGGING is not set -+# CONFIG_SCSI_SCAN_ASYNC is not set -+ -+# 
-+# SCSI Transports -+# -+# CONFIG_SCSI_SPI_ATTRS is not set -+# CONFIG_SCSI_FC_ATTRS is not set -+# CONFIG_SCSI_ISCSI_ATTRS is not set -+CONFIG_SCSI_SAS_ATTRS=m -+CONFIG_SCSI_SAS_LIBSAS=m - CONFIG_SCSI_SAS_ATA=y -+CONFIG_SCSI_SAS_HOST_SMP=y -+CONFIG_SCSI_SRP_ATTRS=m -+# end of SCSI Transports -+ -+CONFIG_SCSI_LOWLEVEL=y -+# CONFIG_ISCSI_TCP is not set -+# CONFIG_ISCSI_BOOT_SYSFS is not set -+# CONFIG_SCSI_CXGB3_ISCSI is not set -+# CONFIG_SCSI_CXGB4_ISCSI is not set -+# CONFIG_SCSI_BNX2_ISCSI is not set -+# CONFIG_BE2ISCSI is not set -+# CONFIG_BLK_DEV_3W_XXXX_RAID is not set -+# CONFIG_SCSI_HPSA is not set -+# CONFIG_SCSI_3W_9XXX is not set -+# CONFIG_SCSI_3W_SAS is not set -+# CONFIG_SCSI_ACARD is not set -+# CONFIG_SCSI_AACRAID is not set -+# CONFIG_SCSI_AIC7XXX is not set -+# CONFIG_SCSI_AIC79XX is not set -+# CONFIG_SCSI_AIC94XX is not set - CONFIG_SCSI_HISI_SAS=m - CONFIG_SCSI_HISI_SAS_PCI=m -+# CONFIG_SCSI_MVSAS is not set -+# CONFIG_SCSI_MVUMI is not set -+# CONFIG_SCSI_ADVANSYS is not set -+# CONFIG_SCSI_ARCMSR is not set -+# CONFIG_SCSI_ESAS2R is not set -+# CONFIG_MEGARAID_NEWGEN is not set -+# CONFIG_MEGARAID_LEGACY is not set -+# CONFIG_MEGARAID_SAS is not set - CONFIG_SCSI_MPT3SAS=m -+CONFIG_SCSI_MPT2SAS_MAX_SGE=128 -+CONFIG_SCSI_MPT3SAS_MAX_SGE=128 -+# CONFIG_SCSI_MPT2SAS is not set -+# CONFIG_SCSI_SMARTPQI is not set - CONFIG_SCSI_UFSHCD=y -+# CONFIG_SCSI_UFSHCD_PCI is not set - CONFIG_SCSI_UFSHCD_PLATFORM=y -+# CONFIG_SCSI_UFS_CDNS_PLATFORM is not set -+# CONFIG_SCSI_UFS_DWC_TC_PLATFORM is not set -+# CONFIG_SCSI_UFS_BSG is not set - CONFIG_SCSI_UFSHCD_TEGRA=y -+# CONFIG_SCSI_HPTIOP is not set -+# CONFIG_SCSI_MYRB is not set -+# CONFIG_SCSI_MYRS is not set -+# CONFIG_SCSI_SNIC is not set -+# CONFIG_SCSI_DMX3191D is not set -+# CONFIG_SCSI_FDOMAIN_PCI is not set -+# CONFIG_SCSI_GDTH is not set -+# CONFIG_SCSI_IPS is not set -+# CONFIG_SCSI_INITIO is not set -+# CONFIG_SCSI_INIA100 is not set -+# CONFIG_SCSI_STEX is not set -+# 
CONFIG_SCSI_SYM53C8XX_2 is not set -+# CONFIG_SCSI_IPR is not set -+# CONFIG_SCSI_QLOGIC_1280 is not set -+# CONFIG_SCSI_QLA_ISCSI is not set -+# CONFIG_SCSI_DC395x is not set -+# CONFIG_SCSI_AM53C974 is not set -+# CONFIG_SCSI_WD719X is not set -+# CONFIG_SCSI_DEBUG is not set -+# CONFIG_SCSI_PMCRAID is not set -+# CONFIG_SCSI_PM8001 is not set -+# CONFIG_SCSI_VIRTIO is not set -+# CONFIG_SCSI_DH is not set -+# end of SCSI device support -+ -+CONFIG_HAVE_PATA_PLATFORM=y - CONFIG_ATA=m -+CONFIG_SATA_HOST=y -+CONFIG_ATA_VERBOSE_ERROR=y -+CONFIG_ATA_FORCE=y - # CONFIG_ATA_ACPI is not set -+CONFIG_SATA_PMP=y -+ -+# -+# Controllers with non-SFF native interface -+# - CONFIG_SATA_AHCI=m -+CONFIG_SATA_MOBILE_LPM_POLICY=0 - CONFIG_SATA_AHCI_PLATFORM=m -+# CONFIG_AHCI_CEVA is not set -+# CONFIG_AHCI_TEGRA is not set -+# CONFIG_AHCI_QORIQ is not set -+# CONFIG_SATA_INIC162X is not set -+# CONFIG_SATA_ACARD_AHCI is not set -+# CONFIG_SATA_SIL24 is not set -+CONFIG_ATA_SFF=y -+ -+# -+# SFF controllers with custom DMA interface -+# -+# CONFIG_PDC_ADMA is not set -+# CONFIG_SATA_QSTOR is not set -+# CONFIG_SATA_SX4 is not set -+CONFIG_ATA_BMDMA=y -+ -+# -+# SATA SFF controllers with BMDMA -+# -+# CONFIG_ATA_PIIX is not set -+# CONFIG_SATA_DWC is not set -+# CONFIG_SATA_MV is not set -+# CONFIG_SATA_NV is not set -+# CONFIG_SATA_PROMISE is not set -+# CONFIG_SATA_SIL is not set -+# CONFIG_SATA_SIS is not set -+# CONFIG_SATA_SVW is not set -+# CONFIG_SATA_ULI is not set -+# CONFIG_SATA_VIA is not set -+# CONFIG_SATA_VITESSE is not set -+ -+# -+# PATA SFF controllers with BMDMA -+# -+# CONFIG_PATA_ALI is not set -+# CONFIG_PATA_AMD is not set -+# CONFIG_PATA_ARTOP is not set -+# CONFIG_PATA_ATIIXP is not set -+# CONFIG_PATA_ATP867X is not set -+# CONFIG_PATA_CMD64X is not set -+# CONFIG_PATA_CYPRESS is not set -+# CONFIG_PATA_EFAR is not set -+# CONFIG_PATA_HPT366 is not set -+# CONFIG_PATA_HPT37X is not set -+# CONFIG_PATA_HPT3X2N is not set -+# CONFIG_PATA_HPT3X3 is not set -+# 
CONFIG_PATA_IT8213 is not set -+# CONFIG_PATA_IT821X is not set -+# CONFIG_PATA_JMICRON is not set -+# CONFIG_PATA_MARVELL is not set -+# CONFIG_PATA_NETCELL is not set -+# CONFIG_PATA_NINJA32 is not set -+# CONFIG_PATA_NS87415 is not set -+# CONFIG_PATA_OLDPIIX is not set -+# CONFIG_PATA_OPTIDMA is not set -+# CONFIG_PATA_PDC2027X is not set -+# CONFIG_PATA_PDC_OLD is not set -+# CONFIG_PATA_RADISYS is not set -+# CONFIG_PATA_RDC is not set -+# CONFIG_PATA_SCH is not set -+# CONFIG_PATA_SERVERWORKS is not set -+# CONFIG_PATA_SIL680 is not set -+# CONFIG_PATA_SIS is not set -+# CONFIG_PATA_TOSHIBA is not set -+# CONFIG_PATA_TRIFLEX is not set -+# CONFIG_PATA_VIA is not set -+# CONFIG_PATA_WINBOND is not set -+ -+# -+# PIO-only SFF controllers -+# -+# CONFIG_PATA_CMD640_PCI is not set -+# CONFIG_PATA_MPIIX is not set -+# CONFIG_PATA_NS87410 is not set -+# CONFIG_PATA_OPTI is not set -+# CONFIG_PATA_PLATFORM is not set -+# CONFIG_PATA_RZ1000 is not set -+ -+# -+# Generic fallback / legacy drivers -+# -+# CONFIG_ATA_GENERIC is not set -+# CONFIG_PATA_LEGACY is not set -+# CONFIG_AHCI_TEGRA_DOWNSTREAM is not set -+# CONFIG_SATA_AHCI_TEGRA_SHIELD is not set - CONFIG_MD=y -+# CONFIG_BLK_DEV_MD is not set -+# CONFIG_BCACHE is not set -+CONFIG_BLK_DEV_DM_BUILTIN=y - CONFIG_BLK_DEV_DM=y -+# CONFIG_DM_DEBUG is not set -+CONFIG_DM_BUFIO=y -+# CONFIG_DM_DEBUG_BLOCK_MANAGER_LOCKING is not set -+# CONFIG_DM_UNSTRIPED is not set - CONFIG_DM_CRYPT=y -+# CONFIG_DM_SNAPSHOT is not set -+# CONFIG_DM_THIN_PROVISIONING is not set -+# CONFIG_DM_CACHE is not set -+# CONFIG_DM_WRITECACHE is not set -+# CONFIG_DM_EBS is not set -+# CONFIG_DM_ERA is not set -+# CONFIG_DM_CLONE is not set -+# CONFIG_DM_MIRROR is not set -+# CONFIG_DM_RAID is not set -+# CONFIG_DM_ZERO is not set -+# CONFIG_DM_MULTIPATH is not set -+# CONFIG_DM_DELAY is not set -+# CONFIG_DM_DUST is not set -+# CONFIG_DM_INIT is not set - CONFIG_DM_UEVENT=y -+# CONFIG_DM_FLAKEY is not set - CONFIG_DM_VERITY=y - 
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y -+# CONFIG_DM_VERITY_FEC is not set -+# CONFIG_DM_SWITCH is not set -+# CONFIG_DM_LOG_WRITES is not set -+# CONFIG_DM_INTEGRITY is not set -+# CONFIG_TARGET_CORE is not set -+# CONFIG_FUSION is not set -+ -+# -+# IEEE 1394 (FireWire) support -+# -+# CONFIG_FIREWIRE is not set -+# CONFIG_FIREWIRE_NOSY is not set -+# end of IEEE 1394 (FireWire) support -+ - CONFIG_NETDEVICES=y -+CONFIG_MII=y -+CONFIG_NET_CORE=y -+# CONFIG_BONDING is not set - CONFIG_DUMMY=y -+# CONFIG_WIREGUARD is not set -+# CONFIG_EQUALIZER is not set -+# CONFIG_NET_FC is not set -+# CONFIG_IFB is not set -+# CONFIG_NET_TEAM is not set - CONFIG_MACVLAN=m - CONFIG_MACVTAP=m -+CONFIG_IPVLAN_L3S=y - CONFIG_IPVLAN=m -+# CONFIG_IPVTAP is not set - CONFIG_VXLAN=y -+# CONFIG_GENEVE is not set -+# CONFIG_BAREUDP is not set -+# CONFIG_GTP is not set -+# CONFIG_MACSEC is not set -+# CONFIG_NETCONSOLE is not set -+# CONFIG_NTB_NETDEV is not set - CONFIG_TUN=y -+CONFIG_TAP=m -+# CONFIG_TUN_VNET_CROSS_LE is not set - CONFIG_VETH=m - CONFIG_VIRTIO_NET=y -+# CONFIG_NLMON is not set -+# CONFIG_NET_VRF is not set -+# CONFIG_ARCNET is not set -+ -+# -+# Distributed Switch Architecture drivers -+# -+# CONFIG_B53 is not set -+# CONFIG_NET_DSA_BCM_SF2 is not set -+# CONFIG_NET_DSA_LOOP is not set -+# CONFIG_NET_DSA_LANTIQ_GSWIP is not set -+# CONFIG_NET_DSA_MT7530 is not set -+# CONFIG_NET_DSA_MV88E6060 is not set -+# CONFIG_NET_DSA_MICROCHIP_KSZ9477 is not set -+# CONFIG_NET_DSA_MICROCHIP_KSZ8795 is not set -+# CONFIG_NET_DSA_MV88E6XXX is not set -+# CONFIG_NET_DSA_MSCC_SEVILLE is not set -+# CONFIG_NET_DSA_AR9331 is not set -+# CONFIG_NET_DSA_SJA1105 is not set -+# CONFIG_NET_DSA_QCA8K is not set -+# CONFIG_NET_DSA_REALTEK_SMI is not set -+# CONFIG_NET_DSA_SMSC_LAN9303_I2C is not set -+# CONFIG_NET_DSA_SMSC_LAN9303_MDIO is not set -+# CONFIG_NET_DSA_VITESSE_VSC73XX_SPI is not set -+# CONFIG_NET_DSA_VITESSE_VSC73XX_PLATFORM is not set -+# end of Distributed Switch Architecture 
drivers -+ -+CONFIG_ETHERNET=y -+CONFIG_MDIO=m -+CONFIG_NET_VENDOR_3COM=y -+# CONFIG_VORTEX is not set - CONFIG_TYPHOON=m -+CONFIG_NET_VENDOR_ADAPTEC=y -+# CONFIG_ADAPTEC_STARFIRE is not set -+CONFIG_NET_VENDOR_AGERE=y - CONFIG_ET131X=m -+CONFIG_NET_VENDOR_ALACRITECH=y - CONFIG_SLICOSS=m -+CONFIG_NET_VENDOR_ALTEON=y - CONFIG_ACENIC=m -+# CONFIG_ACENIC_OMIT_TIGON_I is not set - CONFIG_ALTERA_TSE=m -+CONFIG_NET_VENDOR_AMAZON=y -+# CONFIG_ENA_ETHERNET is not set -+CONFIG_NET_VENDOR_AMD=y -+# CONFIG_AMD8111_ETH is not set -+# CONFIG_PCNET32 is not set -+# CONFIG_AMD_XGBE is not set -+CONFIG_NET_VENDOR_AQUANTIA=y - CONFIG_AQTION=m -+CONFIG_NET_VENDOR_ARC=y -+CONFIG_NET_VENDOR_ATHEROS=y - CONFIG_ATL2=m - CONFIG_ATL1=m - CONFIG_ATL1E=m - CONFIG_ATL1C=m - CONFIG_ALX=m - # CONFIG_NET_VENDOR_AURORA is not set -+CONFIG_NET_VENDOR_BROADCOM=y - CONFIG_B44=m -+CONFIG_B44_PCI_AUTOSELECT=y -+CONFIG_B44_PCICORE_AUTOSELECT=y -+CONFIG_B44_PCI=y -+# CONFIG_BCMGENET is not set -+CONFIG_BNX2=m - CONFIG_CNIC=m - CONFIG_TIGON3=y -+CONFIG_TIGON3_HWMON=y - CONFIG_BNX2X=m -+CONFIG_BNX2X_SRIOV=y -+# CONFIG_SYSTEMPORT is not set - CONFIG_BNXT=m -+CONFIG_BNXT_SRIOV=y -+CONFIG_BNXT_FLOWER_OFFLOAD=y -+CONFIG_BNXT_HWMON=y -+CONFIG_NET_VENDOR_BROCADE=y - CONFIG_BNA=m -+CONFIG_NET_VENDOR_CADENCE=y - CONFIG_MACB=y -+CONFIG_MACB_USE_HWSTAMP=y -+# CONFIG_MACB_PCI is not set -+CONFIG_NET_VENDOR_CAVIUM=y - CONFIG_THUNDER_NIC_PF=m - CONFIG_THUNDER_NIC_VF=m -+CONFIG_THUNDER_NIC_BGX=m -+CONFIG_THUNDER_NIC_RGX=m - # CONFIG_CAVIUM_PTP is not set - CONFIG_LIQUIDIO=m - CONFIG_LIQUIDIO_VF=m -+CONFIG_NET_VENDOR_CHELSIO=y - CONFIG_CHELSIO_T1=m - CONFIG_CHELSIO_T1_1G=y - CONFIG_CHELSIO_T3=m - CONFIG_CHELSIO_T4=m - CONFIG_CHELSIO_T4VF=m -+CONFIG_CHELSIO_INLINE_CRYPTO=y -+CONFIG_NET_VENDOR_CISCO=y - CONFIG_ENIC=m -+CONFIG_NET_VENDOR_CORTINA=y -+# CONFIG_GEMINI_ETHERNET is not set -+# CONFIG_DNET is not set -+CONFIG_NET_VENDOR_DEC=y -+# CONFIG_NET_TULIP is not set -+CONFIG_NET_VENDOR_DLINK=y - CONFIG_DL2K=m -+# 
CONFIG_SUNDANCE is not set -+CONFIG_NET_VENDOR_EMULEX=y - CONFIG_BE2NET=m -+CONFIG_BE2NET_HWMON=y -+CONFIG_BE2NET_BE2=y -+CONFIG_BE2NET_BE3=y -+CONFIG_BE2NET_LANCER=y -+CONFIG_BE2NET_SKYHAWK=y -+CONFIG_NET_VENDOR_EZCHIP=y -+# CONFIG_EZCHIP_NPS_MANAGEMENT_ENET is not set -+CONFIG_NET_VENDOR_GOOGLE=y -+# CONFIG_GVE is not set -+CONFIG_NET_VENDOR_HISILICON=y -+# CONFIG_HIX5HD2_GMAC is not set -+# CONFIG_HISI_FEMAC is not set -+# CONFIG_HIP04_ETH is not set -+CONFIG_HNS_MDIO=y -+CONFIG_HNS=y - CONFIG_HNS_DSAF=y - CONFIG_HNS_ENET=y - CONFIG_HNS3=y - # CONFIG_HNS3_HCLGE is not set - CONFIG_HNS3_ENET=y -+CONFIG_NET_VENDOR_HUAWEI=y - CONFIG_HINIC=m -+CONFIG_NET_VENDOR_I825XX=y -+CONFIG_NET_VENDOR_INTEL=y - CONFIG_E100=m - CONFIG_E1000=m - CONFIG_E1000E=y - CONFIG_IGB=y -+CONFIG_IGB_HWMON=y - CONFIG_IGBVF=m - CONFIG_IXGB=m - CONFIG_IXGBE=m - # CONFIG_IXGBE_HWMON is not set - CONFIG_IXGBEVF=m - CONFIG_I40E=m -+CONFIG_IAVF=m - CONFIG_I40EVF=m - CONFIG_ICE=m - CONFIG_FM10K=m - CONFIG_IGC=m - CONFIG_JME=m -+CONFIG_NET_VENDOR_MARVELL=y -+# CONFIG_MVMDIO is not set - CONFIG_SKGE=m -+# CONFIG_SKGE_DEBUG is not set -+# CONFIG_SKGE_GENESIS is not set - CONFIG_SKY2=m - CONFIG_SKY2_DEBUG=y - CONFIG_OAK=m -+# CONFIG_OCTEONTX2_AF is not set -+# CONFIG_OCTEONTX2_PF is not set -+# CONFIG_PRESTERA is not set -+CONFIG_NET_VENDOR_MELLANOX=y - CONFIG_MLX4_EN=m -+CONFIG_MLX4_CORE=m -+CONFIG_MLX4_DEBUG=y -+CONFIG_MLX4_CORE_GEN2=y - CONFIG_MLX5_CORE=m -+# CONFIG_MLX5_FPGA is not set - CONFIG_MLX5_CORE_EN=y -+CONFIG_MLX5_EN_ARFS=y -+CONFIG_MLX5_EN_RXNFC=y -+CONFIG_MLX5_MPFS=y -+CONFIG_MLX5_ESWITCH=y -+CONFIG_MLX5_CLS_ACT=y - CONFIG_MLX5_CORE_IPOIB=y -+CONFIG_MLX5_SW_STEERING=y - CONFIG_MLX5_CORE_THERMAL=y - CONFIG_MLXSW_CORE=y -+CONFIG_MLXSW_CORE_HWMON=y -+CONFIG_MLXSW_CORE_THERMAL=y -+CONFIG_MLXSW_PCI=m -+CONFIG_MLXSW_I2C=m -+CONFIG_MLXSW_SWITCHIB=m -+CONFIG_MLXSW_SWITCHX2=m -+CONFIG_MLXSW_SPECTRUM=m -+CONFIG_MLXSW_MINIMAL=m -+CONFIG_MLXFW=y - CONFIG_MLX_MFT=m -+CONFIG_NET_VENDOR_MICREL=y -+# 
CONFIG_KS8842 is not set -+# CONFIG_KS8851 is not set -+# CONFIG_KS8851_MLL is not set -+# CONFIG_KSZ884X_PCI is not set -+CONFIG_NET_VENDOR_MICROCHIP=y -+# CONFIG_ENC28J60 is not set -+# CONFIG_ENCX24J600 is not set - CONFIG_LAN743X=m -+CONFIG_NET_VENDOR_MICROSEMI=y -+# CONFIG_MSCC_OCELOT_SWITCH is not set -+CONFIG_NET_VENDOR_MYRI=y -+# CONFIG_MYRI10GE is not set -+# CONFIG_FEALNX is not set -+CONFIG_NET_VENDOR_NATSEMI=y - CONFIG_NATSEMI=m - CONFIG_NS83820=m -+CONFIG_NET_VENDOR_NETERION=y - CONFIG_S2IO=m - CONFIG_VXGE=m -+# CONFIG_VXGE_DEBUG_TRACE_ALL is not set -+CONFIG_NET_VENDOR_NETRONOME=y - CONFIG_NFP=m -+CONFIG_NFP_APP_FLOWER=y -+CONFIG_NFP_APP_ABM_NIC=y - CONFIG_NFP_DEBUG=y -+CONFIG_NET_VENDOR_NI=y - CONFIG_NI_XGE_MANAGEMENT_ENET=m -+CONFIG_NET_VENDOR_8390=y - CONFIG_NE2K_PCI=m -+CONFIG_NET_VENDOR_NVIDIA=y - CONFIG_FORCEDETH=y - CONFIG_PCIE_TEGRA_VNET=y -+CONFIG_NET_VENDOR_OKI=y -+# CONFIG_ETHOC is not set -+CONFIG_NET_VENDOR_PACKET_ENGINES=y - CONFIG_HAMACHI=m - CONFIG_YELLOWFIN=m -+CONFIG_NET_VENDOR_PENSANDO=y - CONFIG_IONIC=m -+CONFIG_NET_VENDOR_QLOGIC=y - CONFIG_QLA3XXX=m - CONFIG_QLCNIC=m -+CONFIG_QLCNIC_SRIOV=y -+CONFIG_QLCNIC_HWMON=y - CONFIG_NETXEN_NIC=m -+# CONFIG_QED is not set -+CONFIG_NET_VENDOR_QUALCOMM=y -+CONFIG_QCA7000=m - CONFIG_QCA7000_SPI=m -+# CONFIG_QCA7000_UART is not set - CONFIG_QCOM_EMAC=m -+# CONFIG_RMNET is not set -+CONFIG_NET_VENDOR_RDC=y -+# CONFIG_R6040 is not set -+CONFIG_NET_VENDOR_REALTEK=y - CONFIG_8139CP=m - CONFIG_8139TOO=m -+CONFIG_8139TOO_PIO=y -+# CONFIG_8139TOO_TUNE_TWISTER is not set -+# CONFIG_8139TOO_8129 is not set -+# CONFIG_8139_OLD_RX_RESET is not set - CONFIG_R8169=m - CONFIG_R8168=m -+CONFIG_R8168_NAPI=y -+CONFIG_R8168_VLAN=y -+CONFIG_R8168_ASPM=y -+CONFIG_R8168_S5WOL=y -+CONFIG_NET_VENDOR_RENESAS=y -+CONFIG_NET_VENDOR_ROCKER=y -+# CONFIG_ROCKER is not set -+CONFIG_NET_VENDOR_SAMSUNG=y - CONFIG_SXGBE_ETH=m -+CONFIG_NET_VENDOR_SEEQ=y -+CONFIG_NET_VENDOR_SOLARFLARE=y - CONFIG_SFC=m -+CONFIG_SFC_MTD=y 
-+CONFIG_SFC_MCDI_MON=y -+CONFIG_SFC_SRIOV=y -+CONFIG_SFC_MCDI_LOGGING=y -+# CONFIG_SFC_FALCON is not set -+CONFIG_NET_VENDOR_SILAN=y -+# CONFIG_SC92031 is not set -+CONFIG_NET_VENDOR_SIS=y -+# CONFIG_SIS900 is not set -+# CONFIG_SIS190 is not set -+CONFIG_NET_VENDOR_SMSC=y - CONFIG_SMC91X=y -+# CONFIG_EPIC100 is not set - CONFIG_SMSC911X=y -+# CONFIG_SMSC9420 is not set - # CONFIG_NET_VENDOR_SOCIONEXT is not set -+CONFIG_NET_VENDOR_STMICRO=y - CONFIG_STMMAC_ETH=m -+# CONFIG_STMMAC_SELFTESTS is not set -+CONFIG_STMMAC_PLATFORM=m -+# CONFIG_DWMAC_DWC_QOS_ETH is not set -+CONFIG_DWMAC_GENERIC=m -+# CONFIG_DWMAC_INTEL_PLAT is not set -+# CONFIG_STMMAC_PCI is not set -+CONFIG_NET_VENDOR_SUN=y -+# CONFIG_HAPPYMEAL is not set -+# CONFIG_SUNGEM is not set -+# CONFIG_CASSINI is not set -+# CONFIG_NIU is not set -+CONFIG_NET_VENDOR_SYNOPSYS=y -+# CONFIG_DWC_XLGMAC is not set -+CONFIG_NET_VENDOR_TEHUTI=y -+# CONFIG_TEHUTI is not set -+CONFIG_NET_VENDOR_TI=y -+# CONFIG_TI_CPSW_PHY_SEL is not set -+# CONFIG_TLAN is not set -+CONFIG_NET_VENDOR_VIA=y -+# CONFIG_VIA_RHINE is not set -+# CONFIG_VIA_VELOCITY is not set -+CONFIG_NET_VENDOR_WIZNET=y -+# CONFIG_WIZNET_W5100 is not set -+# CONFIG_WIZNET_W5300 is not set - # CONFIG_NET_VENDOR_XILINX is not set - CONFIG_NVETHERNET=y - CONFIG_NVETHERNET_SELFTESTS=y -+# CONFIG_FDDI is not set -+# CONFIG_HIPPI is not set -+# CONFIG_NET_SB1000 is not set -+CONFIG_PHYLINK=y -+CONFIG_PHYLIB=y -+CONFIG_SWPHY=y -+# CONFIG_LED_TRIGGER_PHY is not set -+CONFIG_FIXED_PHY=y -+# CONFIG_SFP is not set -+ -+# -+# MII PHY device drivers -+# -+# CONFIG_AMD_PHY is not set -+# CONFIG_ADIN_PHY is not set - CONFIG_AQUANTIA_PHY=y -+# CONFIG_AX88796B_PHY is not set - CONFIG_BROADCOM_PHY=y -+# CONFIG_BCM54140_PHY is not set -+# CONFIG_BCM7XXX_PHY is not set -+# CONFIG_BCM84881_PHY is not set -+# CONFIG_BCM87XX_PHY is not set -+CONFIG_BCM_NET_PHYLIB=y -+# CONFIG_CICADA_PHY is not set -+# CONFIG_CORTINA_PHY is not set -+# CONFIG_DAVICOM_PHY is not set -+# 
CONFIG_ICPLUS_PHY is not set -+# CONFIG_LXT_PHY is not set -+# CONFIG_INTEL_XWAY_PHY is not set -+# CONFIG_LSI_ET1011C_PHY is not set - CONFIG_MARVELL_PHY=y - CONFIG_MARVELL_10G_PHY=m - CONFIG_MICREL_PHY=m -+CONFIG_MICROCHIP_PHY=m -+# CONFIG_MICROCHIP_T1_PHY is not set -+# CONFIG_MICROSEMI_PHY is not set -+# CONFIG_NATIONAL_PHY is not set -+# CONFIG_NXP_TJA11XX_PHY is not set -+# CONFIG_AT803X_PHY is not set -+# CONFIG_QSEMI_PHY is not set -+CONFIG_REALTEK_PHY=m -+# CONFIG_RENESAS_PHY is not set -+# CONFIG_ROCKCHIP_PHY is not set -+CONFIG_SMSC_PHY=m -+# CONFIG_STE10XP is not set -+# CONFIG_TERANETICS_PHY is not set -+# CONFIG_DP83822_PHY is not set -+# CONFIG_DP83TC811_PHY is not set -+# CONFIG_DP83848_PHY is not set -+# CONFIG_DP83867_PHY is not set -+# CONFIG_DP83869_PHY is not set -+# CONFIG_VITESSE_PHY is not set -+# CONFIG_XILINX_GMII2RGMII is not set -+# CONFIG_MICREL_KS8995MA is not set -+CONFIG_MDIO_DEVICE=y -+CONFIG_MDIO_BUS=y -+CONFIG_OF_MDIO=y -+CONFIG_MDIO_DEVRES=y - CONFIG_MDIO_BITBANG=y -+# CONFIG_MDIO_BCM_UNIMAC is not set -+CONFIG_MDIO_CAVIUM=m -+# CONFIG_MDIO_GPIO is not set -+# CONFIG_MDIO_HISI_FEMAC is not set -+# CONFIG_MDIO_MVUSB is not set -+# CONFIG_MDIO_MSCC_MIIM is not set -+# CONFIG_MDIO_OCTEON is not set -+# CONFIG_MDIO_IPQ4019 is not set -+# CONFIG_MDIO_IPQ8064 is not set -+CONFIG_MDIO_THUNDER=m -+ -+# -+# MDIO Multiplexers -+# -+# CONFIG_MDIO_BUS_MUX_GPIO is not set -+# CONFIG_MDIO_BUS_MUX_MULTIPLEXER is not set -+# CONFIG_MDIO_BUS_MUX_MMIOREG is not set -+ -+# -+# PCS device drivers -+# -+CONFIG_PCS_XPCS=m -+# end of PCS device drivers -+ - CONFIG_PPP=y - CONFIG_PPP_BSDCOMP=y - CONFIG_PPP_DEFLATE=y - CONFIG_PPP_FILTER=y - CONFIG_PPP_MPPE=y -+# CONFIG_PPP_MULTILINK is not set -+# CONFIG_PPPOE is not set -+# CONFIG_PPTP is not set - CONFIG_PPP_ASYNC=y - CONFIG_PPP_SYNC_TTY=y -+# CONFIG_SLIP is not set -+CONFIG_SLHC=y -+CONFIG_USB_NET_DRIVERS=y - CONFIG_USB_CATC=m - CONFIG_USB_KAWETH=m - CONFIG_USB_PEGASUS=m -@@ -516,7 +2831,12 @@ 
CONFIG_USB_RTL8150=m - CONFIG_USB_RTL8152=y - CONFIG_USB_LAN78XX=m - CONFIG_USB_USBNET=y -+CONFIG_USB_NET_AX8817X=y -+CONFIG_USB_NET_AX88179_178A=y -+CONFIG_USB_NET_CDCETHER=y - CONFIG_USB_NET_CDC_EEM=m -+CONFIG_USB_NET_CDC_NCM=y -+# CONFIG_USB_NET_HUAWEI_CDC_NCM is not set - CONFIG_USB_NET_CDC_MBIM=m - CONFIG_USB_NET_DM9601=m - CONFIG_USB_NET_SR9700=m -@@ -524,90 +2844,259 @@ CONFIG_USB_NET_SR9800=m - CONFIG_USB_NET_SMSC75XX=m - CONFIG_USB_NET_SMSC95XX=m - CONFIG_USB_NET_GL620A=m -+CONFIG_USB_NET_NET1080=y - CONFIG_USB_NET_PLUSB=m - CONFIG_USB_NET_MCS7830=m - CONFIG_USB_NET_RNDIS_HOST=m -+CONFIG_USB_NET_CDC_SUBSET_ENABLE=y -+CONFIG_USB_NET_CDC_SUBSET=y - CONFIG_USB_ALI_M5632=y - CONFIG_USB_AN2720=y -+CONFIG_USB_BELKIN=y -+CONFIG_USB_ARMLINUX=y -+# CONFIG_USB_EPSON2888 is not set - CONFIG_USB_KC2190=y -+CONFIG_USB_NET_ZAURUS=y - CONFIG_USB_NET_CX82310_ETH=m -+# CONFIG_USB_NET_KALMIA is not set -+# CONFIG_USB_NET_QMI_WWAN is not set -+# CONFIG_USB_HSO is not set -+# CONFIG_USB_NET_INT51X1 is not set -+# CONFIG_USB_IPHETH is not set -+# CONFIG_USB_SIERRA_NET is not set -+# CONFIG_USB_VL600 is not set -+# CONFIG_USB_NET_CH9200 is not set - CONFIG_USB_NET_AQC111=y -+# CONFIG_USB_RTL8152_SHIELD is not set -+CONFIG_WLAN=y -+# CONFIG_WIRELESS_WDS is not set -+CONFIG_WLAN_VENDOR_ADMTEK=y -+# CONFIG_ADM8211 is not set -+CONFIG_ATH_COMMON=m -+CONFIG_WLAN_VENDOR_ATH=y -+# CONFIG_ATH_DEBUG is not set -+# CONFIG_ATH_REG_DYNAMIC_USER_REG_HINTS is not set -+# CONFIG_ATH5K is not set -+# CONFIG_ATH5K_PCI is not set -+CONFIG_ATH9K_HW=m -+CONFIG_ATH9K_COMMON=m -+CONFIG_ATH9K_COMMON_DEBUG=y -+CONFIG_ATH9K_BTCOEX_SUPPORT=y - CONFIG_ATH9K=m -+CONFIG_ATH9K_PCI=y -+# CONFIG_ATH9K_AHB is not set - CONFIG_ATH9K_DEBUGFS=y - CONFIG_ATH9K_STATION_STATISTICS=y -+# CONFIG_ATH9K_TX99 is not set -+# CONFIG_ATH9K_DFS_CERTIFIED is not set -+# CONFIG_ATH9K_DYNACK is not set - CONFIG_ATH9K_WOW=y -+CONFIG_ATH9K_RFKILL=y -+# CONFIG_ATH9K_CHANNEL_CONTEXT is not set -+CONFIG_ATH9K_PCOEM=y -+# 
CONFIG_ATH9K_PCI_NO_EEPROM is not set - CONFIG_ATH9K_HTC=m - CONFIG_ATH9K_HTC_DEBUGFS=y -+# CONFIG_ATH9K_HWRNG is not set -+# CONFIG_ATH9K_COMMON_SPECTRAL is not set - CONFIG_CARL9170=m -+CONFIG_CARL9170_LEDS=y - CONFIG_CARL9170_DEBUGFS=y -+CONFIG_CARL9170_WPC=y -+# CONFIG_CARL9170_HWRNG is not set - CONFIG_ATH6KL=m - CONFIG_ATH6KL_SDIO=m - CONFIG_ATH6KL_USB=m -+# CONFIG_ATH6KL_DEBUG is not set -+# CONFIG_ATH6KL_TRACING is not set -+# CONFIG_ATH6KL_REGDOMAIN is not set - CONFIG_AR5523=m - CONFIG_WIL6210=m -+CONFIG_WIL6210_ISR_COR=y -+# CONFIG_WIL6210_TRACING is not set -+CONFIG_WIL6210_DEBUGFS=y - CONFIG_ATH10K=m -+CONFIG_ATH10K_CE=y - CONFIG_ATH10K_PCI=m - CONFIG_ATH10K_AHB=y - CONFIG_ATH10K_SDIO=m - CONFIG_ATH10K_USB=m -+# CONFIG_ATH10K_DEBUG is not set - CONFIG_ATH10K_DEBUGFS=y -+# CONFIG_ATH10K_SPECTRAL is not set -+# CONFIG_ATH10K_TRACING is not set -+# CONFIG_ATH10K_DFS_CERTIFIED is not set - CONFIG_WCN36XX=m - CONFIG_WCN36XX_DEBUGFS=y -+# CONFIG_ATH11K is not set -+CONFIG_WLAN_VENDOR_ATMEL=y - CONFIG_ATMEL=m -+# CONFIG_PCI_ATMEL is not set - CONFIG_AT76C50X_USB=m -+CONFIG_WLAN_VENDOR_BROADCOM=y - CONFIG_B43=m -+CONFIG_B43_BCMA=y -+CONFIG_B43_SSB=y -+CONFIG_B43_BUSES_BCMA_AND_SSB=y -+# CONFIG_B43_BUSES_BCMA is not set -+# CONFIG_B43_BUSES_SSB is not set -+CONFIG_B43_PCI_AUTOSELECT=y -+CONFIG_B43_PCICORE_AUTOSELECT=y - CONFIG_B43_SDIO=y -+CONFIG_B43_BCMA_PIO=y -+CONFIG_B43_PIO=y -+CONFIG_B43_PHY_G=y -+CONFIG_B43_PHY_N=y -+CONFIG_B43_PHY_LP=y -+CONFIG_B43_PHY_HT=y -+CONFIG_B43_LEDS=y -+CONFIG_B43_HWRNG=y -+# CONFIG_B43_DEBUG is not set - CONFIG_B43LEGACY=m -+CONFIG_B43LEGACY_PCI_AUTOSELECT=y -+CONFIG_B43LEGACY_PCICORE_AUTOSELECT=y -+CONFIG_B43LEGACY_LEDS=y -+CONFIG_B43LEGACY_HWRNG=y -+CONFIG_B43LEGACY_DEBUG=y -+CONFIG_B43LEGACY_DMA=y -+CONFIG_B43LEGACY_PIO=y -+CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y -+# CONFIG_B43LEGACY_DMA_MODE is not set -+# CONFIG_B43LEGACY_PIO_MODE is not set -+CONFIG_BRCMUTIL=m -+# CONFIG_BRCMSMAC is not set - CONFIG_BRCMFMAC=m 
-+CONFIG_BRCMFMAC_PROTO_MSGBUF=y - # CONFIG_BRCMFMAC_SDIO is not set -+# CONFIG_BRCMFMAC_USB is not set - CONFIG_BRCMFMAC_PCIE=y -+# CONFIG_BRCM_TRACING is not set -+# CONFIG_BRCMDBG is not set -+CONFIG_WLAN_VENDOR_CISCO=y -+CONFIG_WLAN_VENDOR_INTEL=y - CONFIG_IPW2100=m -+# CONFIG_IPW2100_MONITOR is not set -+# CONFIG_IPW2100_DEBUG is not set - CONFIG_IPW2200=m -+# CONFIG_IPW2200_MONITOR is not set -+# CONFIG_IPW2200_QOS is not set -+# CONFIG_IPW2200_DEBUG is not set -+CONFIG_LIBIPW=m -+# CONFIG_LIBIPW_DEBUG is not set -+CONFIG_IWLEGACY=m -+# CONFIG_IWL4965 is not set - CONFIG_IWL3945=m -+ -+# -+# iwl3945 / iwl4965 Debugging Options -+# -+# CONFIG_IWLEGACY_DEBUG is not set -+# CONFIG_IWLEGACY_DEBUGFS is not set -+# end of iwl3945 / iwl4965 Debugging Options -+ - CONFIG_IWLWIFI=m -+CONFIG_IWLWIFI_LEDS=y - CONFIG_IWLDVM=m - CONFIG_IWLMVM=m -+CONFIG_IWLWIFI_OPMODE_MODULAR=y - CONFIG_IWLWIFI_BCAST_FILTERING=y -+ -+# -+# Debugging Options -+# - CONFIG_IWLWIFI_DEBUG=y - CONFIG_IWLWIFI_DEBUGFS=y -+CONFIG_IWLWIFI_DEVICE_TRACING=y -+# end of Debugging Options -+ -+CONFIG_WLAN_VENDOR_INTERSIL=y -+# CONFIG_HOSTAP is not set - CONFIG_HERMES=m - CONFIG_HERMES_PRISM=y -+CONFIG_HERMES_CACHE_FW_ON_INIT=y - CONFIG_PLX_HERMES=m - CONFIG_TMD_HERMES=m - CONFIG_NORTEL_HERMES=m -+# CONFIG_PCI_HERMES is not set - CONFIG_ORINOCO_USB=m - CONFIG_P54_COMMON=m - CONFIG_P54_USB=m - CONFIG_P54_PCI=m - CONFIG_P54_SPI=m -+# CONFIG_P54_SPI_DEFAULT_EEPROM is not set -+CONFIG_P54_LEDS=y -+# CONFIG_PRISM54 is not set -+CONFIG_WLAN_VENDOR_MARVELL=y - CONFIG_LIBERTAS=m -+# CONFIG_LIBERTAS_USB is not set -+# CONFIG_LIBERTAS_SDIO is not set -+# CONFIG_LIBERTAS_SPI is not set -+# CONFIG_LIBERTAS_DEBUG is not set -+# CONFIG_LIBERTAS_MESH is not set - CONFIG_LIBERTAS_THINFIRM=m -+# CONFIG_LIBERTAS_THINFIRM_DEBUG is not set -+# CONFIG_LIBERTAS_THINFIRM_USB is not set - CONFIG_MWIFIEX=m - CONFIG_MWIFIEX_SDIO=m - CONFIG_MWIFIEX_PCIE=m - CONFIG_MWIFIEX_USB=m - CONFIG_MWL8K=m -+CONFIG_WLAN_VENDOR_MEDIATEK=y - 
CONFIG_MT7601U=m -+CONFIG_MT76_CORE=m -+CONFIG_MT76_LEDS=y -+CONFIG_MT76_USB=m -+CONFIG_MT76x02_LIB=m -+CONFIG_MT76x02_USB=m -+CONFIG_MT76x0_COMMON=m - CONFIG_MT76x0U=m - CONFIG_MT76x0E=m -+CONFIG_MT76x2_COMMON=m - CONFIG_MT76x2E=m - CONFIG_MT76x2U=m - CONFIG_MT7603E=m -+CONFIG_MT7615_COMMON=m - CONFIG_MT7615E=m -+CONFIG_MT7663_USB_SDIO_COMMON=m - CONFIG_MT7663U=m -+# CONFIG_MT7663S is not set - CONFIG_MT7915E=m - # CONFIG_WLAN_VENDOR_MICROCHIP is not set -+CONFIG_WLAN_VENDOR_RALINK=y - CONFIG_RT2X00=m -+# CONFIG_RT2400PCI is not set -+# CONFIG_RT2500PCI is not set -+# CONFIG_RT61PCI is not set - CONFIG_RT2800PCI=m -+CONFIG_RT2800PCI_RT33XX=y -+CONFIG_RT2800PCI_RT35XX=y -+CONFIG_RT2800PCI_RT53XX=y -+CONFIG_RT2800PCI_RT3290=y - CONFIG_RT2500USB=m - CONFIG_RT73USB=m - CONFIG_RT2800USB=m -+CONFIG_RT2800USB_RT33XX=y -+CONFIG_RT2800USB_RT35XX=y - CONFIG_RT2800USB_RT3573=y - CONFIG_RT2800USB_RT53XX=y - CONFIG_RT2800USB_RT55XX=y - CONFIG_RT2800USB_UNKNOWN=y -+CONFIG_RT2800_LIB=m -+CONFIG_RT2800_LIB_MMIO=m -+CONFIG_RT2X00_LIB_MMIO=m -+CONFIG_RT2X00_LIB_PCI=m -+CONFIG_RT2X00_LIB_USB=m -+CONFIG_RT2X00_LIB=m -+CONFIG_RT2X00_LIB_FIRMWARE=y -+CONFIG_RT2X00_LIB_CRYPTO=y -+CONFIG_RT2X00_LIB_LEDS=y - CONFIG_RT2X00_LIB_DEBUGFS=y -+# CONFIG_RT2X00_DEBUG is not set -+CONFIG_WLAN_VENDOR_REALTEK=y -+# CONFIG_RTL8180 is not set - CONFIG_RTL8187=m -+CONFIG_RTL8187_LEDS=y -+CONFIG_RTL_CARDS=m - CONFIG_RTL8192CE=m - CONFIG_RTL8192SE=m - CONFIG_RTL8192DE=m -@@ -617,36 +3106,120 @@ CONFIG_RTL8188EE=m - CONFIG_RTL8192EE=m - CONFIG_RTL8821AE=m - CONFIG_RTL8192CU=m -+CONFIG_RTLWIFI=m -+CONFIG_RTLWIFI_PCI=m -+CONFIG_RTLWIFI_USB=m -+CONFIG_RTLWIFI_DEBUG=y -+CONFIG_RTL8192C_COMMON=m -+CONFIG_RTL8723_COMMON=m -+CONFIG_RTLBTCOEXIST=m - CONFIG_RTL8XXXU=m - CONFIG_RTL8XXXU_UNTESTED=y -+# CONFIG_RTW88 is not set -+CONFIG_WLAN_VENDOR_RSI=y - CONFIG_RSI_91X=m -+CONFIG_RSI_DEBUGFS=y -+CONFIG_RSI_SDIO=m -+CONFIG_RSI_USB=m - # CONFIG_RSI_COEX is not set -+CONFIG_WLAN_VENDOR_ST=y - CONFIG_CW1200=m - 
CONFIG_CW1200_WLAN_SDIO=m -+# CONFIG_CW1200_WLAN_SPI is not set -+CONFIG_WLAN_VENDOR_TI=y - CONFIG_WL1251=m -+# CONFIG_WL1251_SPI is not set - CONFIG_WL1251_SDIO=m - CONFIG_WL12XX=m - CONFIG_WL18XX=m -+CONFIG_WLCORE=m -+# CONFIG_WLCORE_SPI is not set - CONFIG_WLCORE_SDIO=m -+CONFIG_WILINK_PLATFORM_DATA=y -+CONFIG_WLAN_VENDOR_ZYDAS=y - CONFIG_USB_ZD1201=m - CONFIG_ZD1211RW=m -+# CONFIG_ZD1211RW_DEBUG is not set -+CONFIG_WLAN_VENDOR_QUANTENNA=y -+# CONFIG_QTNFMAC_PCIE is not set -+# CONFIG_MAC80211_HWSIM is not set -+# CONFIG_USB_NET_RNDIS_WLAN is not set -+# CONFIG_VIRT_WIFI is not set - CONFIG_BCMDHD=m -+# CONFIG_BCMDHD_SDIO is not set -+# CONFIG_BCMDHD_PCIE is not set -+# CONFIG_BCMDYNAMIC is not set -+# CONFIG_BCM43241 is not set - CONFIG_BCM4354=y -+CONFIG_BCMDHD_FW_PATH="/system/vendor/firmware/fw_bcmdhd.bin" -+CONFIG_BCMDHD_NVRAM_PATH="/system/etc/wifi/bcmdhd.cal" - CONFIG_BCMDHD_HW_OOB=y -+# CONFIG_DHD_USE_STATIC_BUF is not set - CONFIG_DHD_USE_SCHED_SCAN=y - CONFIG_BCMDHD_DISABLE_MCC=y -+# CONFIG_BCMDHD_CUSTOM_SYSFS_TEGRA is not set -+# CONFIG_BCMDHD_CUSTOM_NET_PERF_TEGRA is not set -+# CONFIG_BCMDHD_QMONITOR is not set -+# CONFIG_BCMDHD_CUSTOM_NET_BW_EST_TEGRA is not set -+# CONFIG_BCMDHD_CUSTOM_NET_DIAG_TEGRA is not set -+CONFIG_BCM4359=y -+CONFIG_BCMDHD_PCIE_FW_PATH="/system/vendor/firmware/fw_bcmdhd.bin" -+CONFIG_BCMDHD_PCIE_NVRAM_PATH="/system/etc/wifi/bcmdhd.cal" -+CONFIG_BCMDHD_CLM_PATH="/lib/firmware/brcm/bcmdhd.clm_blob" -+CONFIG_BCMDHD_PCIE_ES4_NVRAM_PATH="/system/etc/wifi/bcmdhd.cal" -+CONFIG_DHD_SET_RANDOM_MAC_VAL=0x001A11 -+# CONFIG_RTL8812AU is not set -+# CONFIG_RTL8814AU is not set -+# CONFIG_RTL8821AU is not set -+# CONFIG_RTL8821CU is not set -+# CONFIG_RTL8822BU is not set - CONFIG_RTL8822CE=m -+ -+# -+# Enable WiMAX (Networking options) to see the WiMAX drivers -+# -+# CONFIG_WAN is not set -+# CONFIG_VMXNET3 is not set -+# CONFIG_FUJITSU_ES is not set -+# CONFIG_NETDEVSIM is not set -+CONFIG_NET_FAILOVER=y - CONFIG_TEGRA_HV_NET=y -+# 
CONFIG_ISDN is not set -+# CONFIG_NVM is not set -+ -+# -+# Input device support -+# -+CONFIG_INPUT=y - CONFIG_INPUT_LEDS=m -+CONFIG_INPUT_FF_MEMLESS=y - CONFIG_INPUT_POLLDEV=m -+# CONFIG_INPUT_SPARSEKMAP is not set -+CONFIG_INPUT_MATRIXKMAP=m -+ -+# -+# Userland interfaces -+# - CONFIG_INPUT_MOUSEDEV=y -+# CONFIG_INPUT_MOUSEDEV_PSAUX is not set -+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024 -+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768 - CONFIG_INPUT_JOYDEV=y - CONFIG_INPUT_EVDEV=y -+# CONFIG_INPUT_EVBUG is not set -+ -+# -+# Input Device Drivers -+# -+CONFIG_INPUT_KEYBOARD=y -+# CONFIG_KEYBOARD_ADC is not set - CONFIG_KEYBOARD_ADP5588=m - CONFIG_KEYBOARD_ADP5589=m - CONFIG_KEYBOARD_ATKBD=m -+# CONFIG_KEYBOARD_QT1050 is not set - CONFIG_KEYBOARD_QT1070=m - CONFIG_KEYBOARD_QT2160=m -+# CONFIG_KEYBOARD_DLINK_DIR685 is not set - CONFIG_KEYBOARD_LKKBD=m - CONFIG_KEYBOARD_GPIO=y - CONFIG_KEYBOARD_GPIO_POLLED=m -@@ -663,165 +3236,1225 @@ CONFIG_KEYBOARD_TEGRA=m - CONFIG_KEYBOARD_OPENCORES=m - CONFIG_KEYBOARD_SAMSUNG=m - CONFIG_KEYBOARD_STOWAWAY=m -+# CONFIG_KEYBOARD_SUNKBD is not set - CONFIG_KEYBOARD_OMAP4=m -+# CONFIG_KEYBOARD_TM2_TOUCHKEY is not set - CONFIG_KEYBOARD_XTKBD=m - CONFIG_KEYBOARD_CAP11XX=m - CONFIG_KEYBOARD_BCM=m -+# CONFIG_KEYBOARD_TIMED_GPIO is not set -+CONFIG_INPUT_MOUSE=y - CONFIG_MOUSE_PS2=m -+CONFIG_MOUSE_PS2_ALPS=y -+CONFIG_MOUSE_PS2_BYD=y -+CONFIG_MOUSE_PS2_LOGIPS2PP=y -+CONFIG_MOUSE_PS2_SYNAPTICS=y -+CONFIG_MOUSE_PS2_SYNAPTICS_SMBUS=y -+CONFIG_MOUSE_PS2_CYPRESS=y -+CONFIG_MOUSE_PS2_TRACKPOINT=y -+# CONFIG_MOUSE_PS2_ELANTECH is not set -+# CONFIG_MOUSE_PS2_SENTELIC is not set -+# CONFIG_MOUSE_PS2_TOUCHKIT is not set -+CONFIG_MOUSE_PS2_FOCALTECH=y -+CONFIG_MOUSE_PS2_SMBUS=y - CONFIG_MOUSE_SERIAL=m - CONFIG_MOUSE_APPLETOUCH=m - CONFIG_MOUSE_BCM5974=m - CONFIG_MOUSE_CYAPA=m -+# CONFIG_MOUSE_ELAN_I2C is not set - CONFIG_MOUSE_VSXXXAA=m - CONFIG_MOUSE_GPIO=m - CONFIG_MOUSE_SYNAPTICS_I2C=m - CONFIG_MOUSE_SYNAPTICS_USB=m - CONFIG_INPUT_JOYSTICK=y -+# 
CONFIG_JOYSTICK_ANALOG is not set -+# CONFIG_JOYSTICK_A3D is not set -+# CONFIG_JOYSTICK_ADC is not set -+# CONFIG_JOYSTICK_ADI is not set -+# CONFIG_JOYSTICK_COBRA is not set -+# CONFIG_JOYSTICK_GF2K is not set -+# CONFIG_JOYSTICK_GRIP is not set -+# CONFIG_JOYSTICK_GRIP_MP is not set -+# CONFIG_JOYSTICK_GUILLEMOT is not set -+# CONFIG_JOYSTICK_INTERACT is not set -+# CONFIG_JOYSTICK_SIDEWINDER is not set -+# CONFIG_JOYSTICK_TMDC is not set -+# CONFIG_JOYSTICK_IFORCE is not set -+# CONFIG_JOYSTICK_WARRIOR is not set -+# CONFIG_JOYSTICK_MAGELLAN is not set -+# CONFIG_JOYSTICK_SPACEORB is not set -+# CONFIG_JOYSTICK_SPACEBALL is not set -+# CONFIG_JOYSTICK_STINGER is not set -+# CONFIG_JOYSTICK_TWIDJOY is not set -+# CONFIG_JOYSTICK_ZHENHUA is not set -+# CONFIG_JOYSTICK_AS5011 is not set -+# CONFIG_JOYSTICK_JOYDUMP is not set - CONFIG_JOYSTICK_XPAD=y -+# CONFIG_JOYSTICK_XPAD_FF is not set -+# CONFIG_JOYSTICK_XPAD_LEDS is not set -+# CONFIG_JOYSTICK_PSXPAD_SPI is not set -+# CONFIG_JOYSTICK_PXRC is not set -+# CONFIG_JOYSTICK_FSIA6B is not set - CONFIG_INPUT_TABLET=y -+# CONFIG_TABLET_USB_ACECAD is not set -+# CONFIG_TABLET_USB_AIPTEK is not set -+# CONFIG_TABLET_USB_GTCO is not set -+# CONFIG_TABLET_USB_HANWANG is not set -+# CONFIG_TABLET_USB_KBTAB is not set -+# CONFIG_TABLET_USB_PEGASUS is not set -+# CONFIG_TABLET_SERIAL_WACOM4 is not set - CONFIG_INPUT_TOUCHSCREEN=y -+CONFIG_TOUCHSCREEN_PROPERTIES=y -+# CONFIG_TOUCHSCREEN_ADS7846 is not set -+# CONFIG_TOUCHSCREEN_AD7877 is not set -+# CONFIG_TOUCHSCREEN_AD7879 is not set -+# CONFIG_TOUCHSCREEN_ADC is not set -+# CONFIG_TOUCHSCREEN_AR1021_I2C is not set - CONFIG_TOUCHSCREEN_ATMEL_MXT=m -+# CONFIG_TOUCHSCREEN_ATMEL_MXT_T37 is not set -+# CONFIG_TOUCHSCREEN_AUO_PIXCIR is not set -+# CONFIG_TOUCHSCREEN_BU21013 is not set -+# CONFIG_TOUCHSCREEN_BU21029 is not set -+# CONFIG_TOUCHSCREEN_CHIPONE_ICN8318 is not set -+# CONFIG_TOUCHSCREEN_CHIPONE_ICN8505 is not set -+# CONFIG_TOUCHSCREEN_CY8CTMA140 is not set -+# 
CONFIG_TOUCHSCREEN_CY8CTMG110 is not set -+# CONFIG_TOUCHSCREEN_CYTTSP_CORE is not set -+# CONFIG_TOUCHSCREEN_CYTTSP4_CORE is not set -+# CONFIG_TOUCHSCREEN_DYNAPRO is not set -+# CONFIG_TOUCHSCREEN_HAMPSHIRE is not set -+# CONFIG_TOUCHSCREEN_EETI is not set -+# CONFIG_TOUCHSCREEN_EGALAX is not set -+# CONFIG_TOUCHSCREEN_EGALAX_SERIAL is not set -+# CONFIG_TOUCHSCREEN_EXC3000 is not set -+# CONFIG_TOUCHSCREEN_FUJITSU is not set -+# CONFIG_TOUCHSCREEN_GOODIX is not set -+# CONFIG_TOUCHSCREEN_HIDEEP is not set -+# CONFIG_TOUCHSCREEN_ILI210X is not set -+# CONFIG_TOUCHSCREEN_S6SY761 is not set -+# CONFIG_TOUCHSCREEN_GUNZE is not set -+# CONFIG_TOUCHSCREEN_EKTF2127 is not set -+# CONFIG_TOUCHSCREEN_ELAN is not set -+# CONFIG_TOUCHSCREEN_ELO is not set -+# CONFIG_TOUCHSCREEN_WACOM_W8001 is not set -+# CONFIG_TOUCHSCREEN_WACOM_I2C is not set -+# CONFIG_TOUCHSCREEN_MAX11801 is not set -+# CONFIG_TOUCHSCREEN_MCS5000 is not set -+# CONFIG_TOUCHSCREEN_MMS114 is not set -+# CONFIG_TOUCHSCREEN_MELFAS_MIP4 is not set -+# CONFIG_TOUCHSCREEN_MTOUCH is not set -+# CONFIG_TOUCHSCREEN_IMX6UL_TSC is not set -+# CONFIG_TOUCHSCREEN_INEXIO is not set -+# CONFIG_TOUCHSCREEN_MK712 is not set -+# CONFIG_TOUCHSCREEN_PENMOUNT is not set -+# CONFIG_TOUCHSCREEN_EDT_FT5X06 is not set -+# CONFIG_TOUCHSCREEN_TOUCHRIGHT is not set -+# CONFIG_TOUCHSCREEN_TOUCHWIN is not set -+# CONFIG_TOUCHSCREEN_PIXCIR is not set -+# CONFIG_TOUCHSCREEN_WDT87XX_I2C is not set -+# CONFIG_TOUCHSCREEN_USB_COMPOSITE is not set -+# CONFIG_TOUCHSCREEN_TOUCHIT213 is not set -+# CONFIG_TOUCHSCREEN_TSC_SERIO is not set -+# CONFIG_TOUCHSCREEN_TSC2004 is not set -+# CONFIG_TOUCHSCREEN_TSC2005 is not set -+# CONFIG_TOUCHSCREEN_TSC2007 is not set -+# CONFIG_TOUCHSCREEN_RM_TS is not set -+# CONFIG_TOUCHSCREEN_SILEAD is not set -+# CONFIG_TOUCHSCREEN_SIS_I2C is not set -+# CONFIG_TOUCHSCREEN_ST1232 is not set -+# CONFIG_TOUCHSCREEN_STMFTS is not set -+# CONFIG_TOUCHSCREEN_SUR40 is not set -+# CONFIG_TOUCHSCREEN_SURFACE3_SPI is 
not set -+# CONFIG_TOUCHSCREEN_SX8654 is not set -+# CONFIG_TOUCHSCREEN_TPS6507X is not set -+# CONFIG_TOUCHSCREEN_ZET6223 is not set -+# CONFIG_TOUCHSCREEN_ZFORCE is not set -+# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set -+# CONFIG_TOUCHSCREEN_IQS5XX is not set -+# CONFIG_TOUCHSCREEN_ZINITIX is not set -+# CONFIG_TOUCHSCREEN_NVIDIA_ATMEL_MXT is not set -+# CONFIG_TOUCHSCREEN_LR388K7 is not set -+# CONFIG_TOUCHSCREEN_RM31080A is not set -+# CONFIG_TOUCHSCREEN_EXC80 is not set -+# CONFIG_TOUCHSCREEN_EXC80_USB is not set - CONFIG_INPUT_MISC=y -+# CONFIG_INPUT_AD714X is not set -+# CONFIG_INPUT_ATMEL_CAPTOUCH is not set -+# CONFIG_INPUT_BMA150 is not set -+# CONFIG_INPUT_E3X0_BUTTON is not set -+# CONFIG_INPUT_MMA8450 is not set -+# CONFIG_INPUT_GPIO_BEEPER is not set -+# CONFIG_INPUT_GPIO_DECODER is not set -+# CONFIG_INPUT_GPIO_VIBRA is not set -+# CONFIG_INPUT_ATI_REMOTE2 is not set -+# CONFIG_INPUT_KEYSPAN_REMOTE is not set -+# CONFIG_INPUT_KXTJ9 is not set -+# CONFIG_INPUT_POWERMATE is not set -+# CONFIG_INPUT_YEALINK is not set -+# CONFIG_INPUT_CM109 is not set -+# CONFIG_INPUT_REGULATOR_HAPTIC is not set - CONFIG_INPUT_UINPUT=y -+# CONFIG_INPUT_PCF8574 is not set -+# CONFIG_INPUT_PWM_BEEPER is not set -+# CONFIG_INPUT_PWM_VIBRA is not set -+# CONFIG_INPUT_RK805_PWRKEY is not set -+# CONFIG_INPUT_GPIO_ROTARY_ENCODER is not set -+# CONFIG_INPUT_ADXL34X is not set -+# CONFIG_INPUT_IMS_PCU is not set -+# CONFIG_INPUT_IQS269A is not set -+# CONFIG_INPUT_CMA3000 is not set -+# CONFIG_INPUT_SOC_BUTTON_ARRAY is not set -+# CONFIG_INPUT_DRV260X_HAPTICS is not set -+# CONFIG_INPUT_DRV2665_HAPTICS is not set -+# CONFIG_INPUT_DRV2667_HAPTICS is not set -+CONFIG_RMI4_CORE=m -+# CONFIG_RMI4_I2C is not set -+# CONFIG_RMI4_SPI is not set -+# CONFIG_RMI4_SMB is not set -+CONFIG_RMI4_F03=y -+CONFIG_RMI4_F03_SERIO=m -+CONFIG_RMI4_2D_SENSOR=y -+CONFIG_RMI4_F11=y -+CONFIG_RMI4_F12=y -+CONFIG_RMI4_F30=y -+# CONFIG_RMI4_F34 is not set -+# CONFIG_RMI4_F3A is not set -+# 
CONFIG_RMI4_F54 is not set -+# CONFIG_RMI4_F55 is not set -+ -+# -+# Hardware I/O ports -+# -+CONFIG_SERIO=y - CONFIG_SERIO_SERPORT=m - CONFIG_SERIO_AMBAKMI=m -+# CONFIG_SERIO_PCIPS2 is not set -+CONFIG_SERIO_LIBPS2=m -+# CONFIG_SERIO_RAW is not set -+# CONFIG_SERIO_ALTERA_PS2 is not set -+# CONFIG_SERIO_PS2MULT is not set -+# CONFIG_SERIO_ARC_PS2 is not set -+# CONFIG_SERIO_APBPS2 is not set -+# CONFIG_SERIO_GPIO_PS2 is not set -+# CONFIG_USERIO is not set -+# CONFIG_GAMEPORT is not set -+# end of Hardware I/O ports -+# end of Input device support -+ -+# CONFIG_INPUT_CFBOOST is not set -+ -+# -+# Character devices -+# -+CONFIG_TTY=y -+CONFIG_VT=y -+CONFIG_CONSOLE_TRANSLATIONS=y -+CONFIG_VT_CONSOLE=y -+CONFIG_VT_CONSOLE_SLEEP=y -+CONFIG_HW_CONSOLE=y -+CONFIG_VT_HW_CONSOLE_BINDING=y -+CONFIG_UNIX98_PTYS=y -+CONFIG_LEGACY_PTYS=y - CONFIG_LEGACY_PTY_COUNT=16 -+CONFIG_LDISC_AUTOLOAD=y -+ -+# -+# Serial drivers -+# -+CONFIG_SERIAL_EARLYCON=y - CONFIG_SERIAL_8250=y -+CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y -+CONFIG_SERIAL_8250_PNP=y -+CONFIG_SERIAL_8250_16550A_VARIANTS=y -+# CONFIG_SERIAL_8250_FINTEK is not set - CONFIG_SERIAL_8250_CONSOLE=y -+CONFIG_SERIAL_8250_DMA=y -+CONFIG_SERIAL_8250_PCI=y -+CONFIG_SERIAL_8250_EXAR=y -+CONFIG_SERIAL_8250_NR_UARTS=4 -+CONFIG_SERIAL_8250_RUNTIME_UARTS=4 - CONFIG_SERIAL_8250_EXTENDED=y -+# CONFIG_SERIAL_8250_MANY_PORTS is not set -+# CONFIG_SERIAL_8250_ASPEED_VUART is not set - CONFIG_SERIAL_8250_SHARE_IRQ=y -+# CONFIG_SERIAL_8250_DETECT_IRQ is not set -+# CONFIG_SERIAL_8250_RSA is not set -+CONFIG_SERIAL_8250_DWLIB=y -+CONFIG_SERIAL_8250_FSL=y - CONFIG_SERIAL_8250_DW=m -+# CONFIG_SERIAL_8250_RT288X is not set -+CONFIG_SERIAL_8250_TEGRA=y - CONFIG_SERIAL_OF_PLATFORM=y -+ -+# -+# Non-8250 serial port support -+# -+# CONFIG_SERIAL_AMBA_PL010 is not set - CONFIG_SERIAL_AMBA_PL011=y - CONFIG_SERIAL_AMBA_PL011_CONSOLE=y -+# CONFIG_SERIAL_EARLYCON_ARM_SEMIHOST is not set - CONFIG_SERIAL_TEGRA=y - CONFIG_SERIAL_TEGRA_TCU=y 
-+CONFIG_SERIAL_TEGRA_TCU_CONSOLE=y -+# CONFIG_SERIAL_MAX3100 is not set -+# CONFIG_SERIAL_MAX310X is not set -+# CONFIG_SERIAL_UARTLITE is not set -+CONFIG_SERIAL_CORE=y -+CONFIG_SERIAL_CORE_CONSOLE=y -+# CONFIG_SERIAL_JSM is not set -+# CONFIG_SERIAL_SIFIVE is not set -+# CONFIG_SERIAL_SCCNXP is not set -+# CONFIG_SERIAL_SC16IS7XX is not set -+# CONFIG_SERIAL_ALTERA_JTAGUART is not set -+# CONFIG_SERIAL_ALTERA_UART is not set -+# CONFIG_SERIAL_IFX6X60 is not set - CONFIG_SERIAL_XILINX_PS_UART=y -+# CONFIG_SERIAL_XILINX_PS_UART_CONSOLE is not set -+# CONFIG_SERIAL_ARC is not set -+# CONFIG_SERIAL_RP2 is not set - CONFIG_SERIAL_FSL_LPUART=y -+# CONFIG_SERIAL_FSL_LPUART_CONSOLE is not set -+# CONFIG_SERIAL_FSL_LINFLEXUART is not set -+# CONFIG_SERIAL_CONEXANT_DIGICOLOR is not set -+# CONFIG_SERIAL_SPRD is not set -+# end of Serial drivers -+ -+CONFIG_SERIAL_MCTRL_GPIO=y - CONFIG_TEGRA_COMBINED_UART_EARLY=y -+# CONFIG_TEGRA_HV_COMM is not set -+# CONFIG_SERIAL_TEGRA_NOHW is not set -+# CONFIG_SERIAL_NONSTANDARD is not set -+# CONFIG_N_GSM is not set -+# CONFIG_NOZOMI is not set -+# CONFIG_NULL_TTY is not set -+# CONFIG_TRACE_SINK is not set -+CONFIG_HVC_DRIVER=y -+# CONFIG_HVC_DCC is not set - CONFIG_SERIAL_DEV_BUS=y -+CONFIG_SERIAL_DEV_CTRL_TTYPORT=y -+# CONFIG_TTY_PRINTK is not set - CONFIG_VIRTIO_CONSOLE=y -+# CONFIG_IPMI_HANDLER is not set -+# CONFIG_IPMB_DEVICE_INTERFACE is not set -+CONFIG_HW_RANDOM=m -+# CONFIG_HW_RANDOM_TIMERIOMEM is not set -+# CONFIG_HW_RANDOM_BA431 is not set -+# CONFIG_HW_RANDOM_VIRTIO is not set -+CONFIG_HW_RANDOM_HISI_V2=m -+CONFIG_HW_RANDOM_CAVIUM=m -+CONFIG_HW_RANDOM_OPTEE=m -+# CONFIG_HW_RANDOM_CCTRNG is not set -+# CONFIG_HW_RANDOM_XIPHERA is not set -+# CONFIG_APPLICOM is not set -+CONFIG_DEVMEM=y -+# CONFIG_RAW_DRIVER is not set -+CONFIG_DEVPORT=y -+# CONFIG_TCG_TPM is not set -+# CONFIG_XILLYBUS is not set -+# end of Character devices -+ -+# CONFIG_RANDOM_TRUST_CPU is not set -+# CONFIG_RANDOM_TRUST_BOOTLOADER is not set -+ -+# 
-+# I2C support -+# -+CONFIG_I2C=y -+CONFIG_ACPI_I2C_OPREGION=y -+CONFIG_I2C_BOARDINFO=y -+CONFIG_I2C_COMPAT=y - CONFIG_I2C_CHARDEV=y - CONFIG_I2C_MUX=y -+ -+# -+# Multiplexer I2C Chip support -+# -+# CONFIG_I2C_ARB_GPIO_CHALLENGE is not set - CONFIG_I2C_MUX_GPIO=y -+# CONFIG_I2C_MUX_GPMUX is not set -+# CONFIG_I2C_MUX_LTC4306 is not set -+# CONFIG_I2C_MUX_PCA9541 is not set - CONFIG_I2C_MUX_PCA954x=y -+# CONFIG_I2C_MUX_PINCTRL is not set -+# CONFIG_I2C_MUX_REG is not set -+# CONFIG_I2C_DEMUX_PINCTRL is not set -+# CONFIG_I2C_MUX_MLXCPLD is not set -+# end of Multiplexer I2C Chip support -+ -+CONFIG_I2C_HELPER_AUTO=y -+CONFIG_I2C_SMBUS=m -+CONFIG_I2C_ALGOBIT=y -+CONFIG_I2C_ALGOPCA=m -+ -+# -+# I2C Hardware Bus support -+# -+ -+# -+# PC SMBus host controller drivers -+# - CONFIG_I2C_ALI1535=m - CONFIG_I2C_ALI1563=m - CONFIG_I2C_ALI15X3=m - CONFIG_I2C_AMD756=m - CONFIG_I2C_AMD8111=m -+# CONFIG_I2C_AMD_MP2 is not set - CONFIG_I2C_I801=m - CONFIG_I2C_ISCH=m - CONFIG_I2C_PIIX4=m - CONFIG_I2C_NFORCE2=m -+# CONFIG_I2C_NVIDIA_GPU is not set -+# CONFIG_I2C_SIS5595 is not set - CONFIG_I2C_SIS630=m -+# CONFIG_I2C_SIS96X is not set -+# CONFIG_I2C_VIA is not set - CONFIG_I2C_VIAPRO=m -+ -+# -+# ACPI drivers -+# -+# CONFIG_I2C_SCMI is not set -+ -+# -+# I2C system bus drivers (mostly embedded / system-on-chip) -+# - CONFIG_I2C_CADENCE=m - CONFIG_I2C_CBUS_GPIO=m -+CONFIG_I2C_DESIGNWARE_CORE=m -+# CONFIG_I2C_DESIGNWARE_SLAVE is not set - CONFIG_I2C_DESIGNWARE_PLATFORM=m - CONFIG_I2C_DESIGNWARE_PCI=m - CONFIG_I2C_EMEV2=m - CONFIG_I2C_GPIO=m -+# CONFIG_I2C_GPIO_FAULT_INJECTOR is not set - CONFIG_I2C_NOMADIK=m - CONFIG_I2C_OCORES=m - CONFIG_I2C_PCA_PLATFORM=m - CONFIG_I2C_RK3X=m - CONFIG_I2C_SIMTEC=m - CONFIG_I2C_TEGRA=y -+CONFIG_I2C_TEGRA_BPMP=y -+# CONFIG_I2C_THUNDERX is not set -+# CONFIG_I2C_XILINX is not set -+ -+# -+# External I2C/SMBus adapter drivers -+# - CONFIG_I2C_DIOLAN_U2C=m -+# CONFIG_I2C_ROBOTFUZZ_OSIF is not set -+# CONFIG_I2C_TAOS_EVM is not set -+# 
CONFIG_I2C_TINY_USB is not set -+ -+# -+# Other I2C/SMBus bus drivers -+# -+# CONFIG_I2C_TEGRA_VI is not set - CONFIG_I2C_NVVRS11=m - CONFIG_I2C_TEGRA_CAMRTC=y -+CONFIG_I2C_TEGRA_HV=y - CONFIG_I2C_TEGRA_SLAVE=m - CONFIG_I2C_TEGRA194_SLAVE=m -+# end of I2C Hardware Bus support -+ - CONFIG_I2C_STUB=m -+CONFIG_I2C_SLAVE=y - CONFIG_I2C_SLAVE_EEPROM=m -+# CONFIG_I2C_SLAVE_TESTUNIT is not set -+# CONFIG_I2C_DEBUG_CORE is not set -+# CONFIG_I2C_DEBUG_ALGO is not set -+# CONFIG_I2C_DEBUG_BUS is not set -+# end of I2C support -+ -+# CONFIG_I3C is not set - CONFIG_SPI=y -+# CONFIG_SPI_DEBUG is not set -+CONFIG_SPI_MASTER=y -+CONFIG_SPI_MEM=y -+ -+# -+# SPI Master Controller Drivers -+# -+# CONFIG_SPI_ALTERA is not set -+# CONFIG_SPI_AXI_SPI_ENGINE is not set -+# CONFIG_SPI_BITBANG is not set - CONFIG_SPI_CADENCE=m - CONFIG_SPI_CADENCE_QUADSPI=y -+# CONFIG_SPI_DESIGNWARE is not set -+# CONFIG_SPI_HISI_SFC_V3XX is not set - CONFIG_SPI_NXP_FLEXSPI=y -+# CONFIG_SPI_GPIO is not set -+# CONFIG_SPI_FSL_SPI is not set -+# CONFIG_SPI_OC_TINY is not set -+# CONFIG_SPI_PL022 is not set - CONFIG_SPI_PXA2XX=m -+CONFIG_SPI_PXA2XX_PCI=m -+# CONFIG_SPI_ROCKCHIP is not set - CONFIG_SPI_SC18IS602=m -+# CONFIG_SPI_SIFIVE is not set -+# CONFIG_SPI_MXIC is not set - CONFIG_SPI_TEGRA114=m - CONFIG_SPI_TEGRA124_SLAVE=y - CONFIG_SPI_TEGRA194_SLAVE=y -+# CONFIG_SPI_TEGRA20_SFLASH is not set -+# CONFIG_SPI_TEGRA20_SLINK is not set - CONFIG_QSPI_TEGRA23x=y - CONFIG_QSPI_TEGRA210=m -+CONFIG_QSPI_TEGRA=y -+# CONFIG_SPI_THUNDERX is not set - CONFIG_SPI_XCOMM=m -+# CONFIG_SPI_XILINX is not set - CONFIG_SPI_ZYNQMP_GQSPI=m -+# CONFIG_SPI_AMD is not set -+ -+# -+# SPI Multiplexer support -+# -+# CONFIG_SPI_MUX is not set -+ -+# -+# SPI Protocol Masters -+# - CONFIG_SPI_SPIDEV=m -+# CONFIG_SPI_LOOPBACK_TEST is not set - CONFIG_SPI_TLE62X0=m -+# CONFIG_SPI_SLAVE is not set -+CONFIG_SPI_DYNAMIC=y -+# CONFIG_SPI_AURIX_TEGRA is not set - CONFIG_SPMI=m -+# CONFIG_HSI is not set -+CONFIG_PPS=y - CONFIG_PPS_DEBUG=y 
-+ -+# -+# PPS clients support -+# -+# CONFIG_PPS_CLIENT_KTIMER is not set -+# CONFIG_PPS_CLIENT_LDISC is not set - CONFIG_PPS_CLIENT_GPIO=y -+ -+# -+# PPS generators support -+# -+ -+# -+# PTP clock support -+# -+CONFIG_PTP_1588_CLOCK=y -+ -+# -+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks. -+# -+# CONFIG_PTP_1588_CLOCK_IDT82P33 is not set -+# CONFIG_PTP_1588_CLOCK_IDTCM is not set -+# end of PTP clock support -+ -+CONFIG_PINCTRL=y -+CONFIG_PINCTRL_TEGRA186=y - CONFIG_PINCTRL_TEGRA186_DPAUX=y -+CONFIG_PINCTRL_TEGRA194=y - CONFIG_PINCTRL_TEGRA234_DPAUX=y -+CONFIG_PINCTRL_TEGRA234=y -+CONFIG_GENERIC_PINCTRL_GROUPS=y -+CONFIG_PINMUX=y -+CONFIG_GENERIC_PINMUX_FUNCTIONS=y -+CONFIG_PINCONF=y -+CONFIG_GENERIC_PINCONF=y -+# CONFIG_DEBUG_PINCTRL is not set -+# CONFIG_PINCTRL_AMD is not set -+# CONFIG_PINCTRL_MCP23S08 is not set - CONFIG_PINCTRL_SINGLE=y -+# CONFIG_PINCTRL_SX150X is not set -+# CONFIG_PINCTRL_STMFX is not set - CONFIG_PINCTRL_MAX77620=y -+# CONFIG_PINCTRL_RK805 is not set -+# CONFIG_PINCTRL_OCELOT is not set -+ -+# -+# Renesas pinctrl drivers -+# -+# end of Renesas pinctrl drivers -+ -+CONFIG_PINCTRL_TEGRA=y -+CONFIG_PINCTRL_TEGRA210=y -+CONFIG_PINCTRL_TEGRA_XUSB=y -+CONFIG_GPIOLIB=y -+CONFIG_GPIOLIB_FASTPATH_LIMIT=512 -+CONFIG_OF_GPIO=y -+CONFIG_GPIO_ACPI=y -+CONFIG_GPIOLIB_IRQCHIP=y -+CONFIG_DEBUG_GPIO=y - CONFIG_GPIO_SYSFS=y -+CONFIG_GPIO_CDEV=y -+CONFIG_GPIO_CDEV_V1=y -+CONFIG_GPIO_GENERIC=y -+ -+# -+# Memory mapped GPIO drivers -+# -+# CONFIG_GPIO_74XX_MMIO is not set -+# CONFIG_GPIO_ALTERA is not set -+# CONFIG_GPIO_AMDPT is not set -+# CONFIG_GPIO_CADENCE is not set -+# CONFIG_GPIO_DWAPB is not set -+# CONFIG_GPIO_EXAR is not set -+# CONFIG_GPIO_FTGPIO010 is not set -+CONFIG_GPIO_GENERIC_PLATFORM=y -+# CONFIG_GPIO_GRGPIO is not set -+# CONFIG_GPIO_HLWD is not set -+# CONFIG_GPIO_LOGICVC is not set - CONFIG_GPIO_MB86S7X=y -+# CONFIG_GPIO_PL061 is not set -+# CONFIG_GPIO_SAMA5D2_PIOBU is not set -+# CONFIG_GPIO_SIFIVE is 
not set -+# CONFIG_GPIO_SYSCON is not set -+CONFIG_GPIO_TEGRA=y -+CONFIG_GPIO_TEGRA186=y -+# CONFIG_GPIO_XGENE is not set -+# CONFIG_GPIO_XILINX is not set -+# CONFIG_GPIO_AMD_FCH is not set -+# end of Memory mapped GPIO drivers -+ -+# -+# I2C GPIO expanders -+# -+# CONFIG_GPIO_ADP5588 is not set -+# CONFIG_GPIO_ADNP is not set -+# CONFIG_GPIO_GW_PLD is not set -+# CONFIG_GPIO_MAX7300 is not set -+# CONFIG_GPIO_MAX732X is not set - CONFIG_GPIO_PCA953X=y - CONFIG_GPIO_PCA953X_IRQ=y -+# CONFIG_GPIO_PCA9570 is not set -+# CONFIG_GPIO_PCF857X is not set -+# CONFIG_GPIO_TPIC2810 is not set -+# end of I2C GPIO expanders -+ -+# -+# MFD GPIO expanders -+# - CONFIG_GPIO_BD9571MWV=m - CONFIG_GPIO_MAX77620=y -+# end of MFD GPIO expanders -+ -+# -+# PCI GPIO expanders -+# -+# CONFIG_GPIO_BT8XX is not set -+# CONFIG_GPIO_PCI_IDIO_16 is not set -+# CONFIG_GPIO_PCIE_IDIO_24 is not set -+# CONFIG_GPIO_RDC321X is not set -+# end of PCI GPIO expanders -+ -+# -+# SPI GPIO expanders -+# -+# CONFIG_GPIO_74X164 is not set -+# CONFIG_GPIO_MAX3191X is not set -+# CONFIG_GPIO_MAX7301 is not set -+# CONFIG_GPIO_MC33880 is not set -+# CONFIG_GPIO_PISOSR is not set -+# CONFIG_GPIO_XRA1403 is not set -+# end of SPI GPIO expanders -+ -+# -+# USB GPIO expanders -+# -+# end of USB GPIO expanders -+ -+# CONFIG_GPIO_AGGREGATOR is not set -+CONFIG_GPIO_MOCKUP=y - CONFIG_GPIO_TMPM32X_I2C=y -+# CONFIG_W1 is not set -+CONFIG_POWER_RESET=y -+# CONFIG_POWER_RESET_BRCMSTB is not set -+# CONFIG_POWER_RESET_GPIO is not set -+# CONFIG_POWER_RESET_GPIO_RESTART is not set - CONFIG_POWER_RESET_MAX77620=y -+# CONFIG_POWER_RESET_LTC2952 is not set -+# CONFIG_POWER_RESET_RESTART is not set -+# CONFIG_POWER_RESET_VEXPRESS is not set -+# CONFIG_POWER_RESET_XGENE is not set -+# CONFIG_POWER_RESET_SYSCON is not set -+# CONFIG_POWER_RESET_SYSCON_POWEROFF is not set -+# CONFIG_SYSCON_REBOOT_MODE is not set -+# CONFIG_NVMEM_REBOOT_MODE is not set -+CONFIG_SYSTEM_PMIC=y -+# CONFIG_POWER_OFF_TMPM32X_I2C is not set 
-+CONFIG_POWER_SUPPLY=y -+# CONFIG_POWER_SUPPLY_DEBUG is not set -+CONFIG_POWER_SUPPLY_HWMON=y -+# CONFIG_PDA_POWER is not set -+# CONFIG_GENERIC_ADC_BATTERY is not set -+# CONFIG_TEST_POWER is not set -+# CONFIG_CHARGER_ADP5061 is not set -+# CONFIG_BATTERY_CW2015 is not set -+# CONFIG_BATTERY_DS2780 is not set -+# CONFIG_BATTERY_DS2781 is not set -+# CONFIG_BATTERY_DS2782 is not set - CONFIG_BATTERY_SBS=m -+# CONFIG_CHARGER_SBS is not set -+# CONFIG_MANAGER_SBS is not set - CONFIG_BATTERY_BQ27XXX=y -+CONFIG_BATTERY_BQ27XXX_I2C=y -+# CONFIG_BATTERY_BQ27XXX_DT_UPDATES_NVM is not set -+# CONFIG_BATTERY_MAX17040 is not set -+# CONFIG_BATTERY_MAX17042 is not set -+# CONFIG_CHARGER_ISP1704 is not set -+# CONFIG_CHARGER_MAX8903 is not set -+# CONFIG_CHARGER_LP8727 is not set -+# CONFIG_CHARGER_GPIO is not set -+# CONFIG_CHARGER_MANAGER is not set -+# CONFIG_CHARGER_LT3651 is not set -+# CONFIG_CHARGER_DETECTOR_MAX14656 is not set -+# CONFIG_CHARGER_BQ2415X is not set -+# CONFIG_CHARGER_BQ24190 is not set -+# CONFIG_CHARGER_BQ24257 is not set -+# CONFIG_CHARGER_BQ24735 is not set -+# CONFIG_CHARGER_BQ2515X is not set -+# CONFIG_CHARGER_BQ25890 is not set -+# CONFIG_CHARGER_BQ25980 is not set -+# CONFIG_CHARGER_SMB347 is not set -+# CONFIG_BATTERY_GAUGE_LTC2941 is not set -+# CONFIG_BATTERY_RT5033 is not set -+# CONFIG_CHARGER_RT9455 is not set -+# CONFIG_CHARGER_UCS1002 is not set -+# CONFIG_CHARGER_BD99954 is not set -+CONFIG_HWMON=y -+# CONFIG_HWMON_DEBUG_CHIP is not set -+ -+# -+# Native drivers -+# -+# CONFIG_SENSORS_AD7314 is not set -+# CONFIG_SENSORS_AD7414 is not set -+# CONFIG_SENSORS_AD7418 is not set -+# CONFIG_SENSORS_ADM1021 is not set -+# CONFIG_SENSORS_ADM1025 is not set -+# CONFIG_SENSORS_ADM1026 is not set -+# CONFIG_SENSORS_ADM1029 is not set -+# CONFIG_SENSORS_ADM1031 is not set -+# CONFIG_SENSORS_ADM1177 is not set -+# CONFIG_SENSORS_ADM9240 is not set -+# CONFIG_SENSORS_ADT7310 is not set -+# CONFIG_SENSORS_ADT7410 is not set -+# 
CONFIG_SENSORS_ADT7411 is not set -+# CONFIG_SENSORS_ADT7462 is not set -+# CONFIG_SENSORS_ADT7470 is not set -+# CONFIG_SENSORS_ADT7475 is not set -+# CONFIG_SENSORS_AS370 is not set -+# CONFIG_SENSORS_ASC7621 is not set -+# CONFIG_SENSORS_AXI_FAN_CONTROL is not set -+# CONFIG_SENSORS_ARM_SCPI is not set -+# CONFIG_SENSORS_ASPEED is not set -+# CONFIG_SENSORS_ATXP1 is not set -+# CONFIG_SENSORS_CORSAIR_CPRO is not set -+# CONFIG_SENSORS_DRIVETEMP is not set -+# CONFIG_SENSORS_DS620 is not set -+# CONFIG_SENSORS_DS1621 is not set -+# CONFIG_SENSORS_I5K_AMB is not set -+# CONFIG_SENSORS_F71805F is not set -+# CONFIG_SENSORS_F71882FG is not set -+# CONFIG_SENSORS_F75375S is not set -+# CONFIG_SENSORS_FTSTEUTATES is not set -+# CONFIG_SENSORS_GL518SM is not set -+# CONFIG_SENSORS_GL520SM is not set -+# CONFIG_SENSORS_G760A is not set -+# CONFIG_SENSORS_G762 is not set -+# CONFIG_SENSORS_GPIO_FAN is not set -+# CONFIG_SENSORS_HIH6130 is not set -+# CONFIG_SENSORS_IIO_HWMON is not set -+# CONFIG_SENSORS_IT87 is not set -+# CONFIG_SENSORS_JC42 is not set -+# CONFIG_SENSORS_POWR1220 is not set -+# CONFIG_SENSORS_LINEAGE is not set -+# CONFIG_SENSORS_LTC2945 is not set -+# CONFIG_SENSORS_LTC2947_I2C is not set -+# CONFIG_SENSORS_LTC2947_SPI is not set -+# CONFIG_SENSORS_LTC2990 is not set -+# CONFIG_SENSORS_LTC4151 is not set -+# CONFIG_SENSORS_LTC4215 is not set -+# CONFIG_SENSORS_LTC4222 is not set -+# CONFIG_SENSORS_LTC4245 is not set -+# CONFIG_SENSORS_LTC4260 is not set -+# CONFIG_SENSORS_LTC4261 is not set -+# CONFIG_SENSORS_MAX1111 is not set -+# CONFIG_SENSORS_MAX16065 is not set -+# CONFIG_SENSORS_MAX1619 is not set -+# CONFIG_SENSORS_MAX1668 is not set -+# CONFIG_SENSORS_MAX197 is not set -+# CONFIG_SENSORS_MAX31722 is not set -+# CONFIG_SENSORS_MAX31730 is not set -+# CONFIG_SENSORS_MAX6621 is not set -+# CONFIG_SENSORS_MAX6639 is not set -+# CONFIG_SENSORS_MAX6642 is not set -+# CONFIG_SENSORS_MAX6650 is not set -+# CONFIG_SENSORS_MAX6697 is not set -+# 
CONFIG_SENSORS_MAX31790 is not set -+# CONFIG_SENSORS_MCP3021 is not set -+# CONFIG_SENSORS_TC654 is not set -+# CONFIG_SENSORS_MR75203 is not set -+# CONFIG_SENSORS_ADCXX is not set -+# CONFIG_SENSORS_LM63 is not set -+# CONFIG_SENSORS_LM70 is not set -+# CONFIG_SENSORS_LM73 is not set -+# CONFIG_SENSORS_LM75 is not set -+# CONFIG_SENSORS_LM77 is not set -+# CONFIG_SENSORS_LM78 is not set -+# CONFIG_SENSORS_LM80 is not set -+# CONFIG_SENSORS_LM83 is not set -+# CONFIG_SENSORS_LM85 is not set -+# CONFIG_SENSORS_LM87 is not set -+# CONFIG_SENSORS_LM90 is not set -+# CONFIG_SENSORS_LM92 is not set -+# CONFIG_SENSORS_LM93 is not set -+# CONFIG_SENSORS_LM95234 is not set -+# CONFIG_SENSORS_LM95241 is not set -+# CONFIG_SENSORS_LM95245 is not set -+# CONFIG_SENSORS_PC87360 is not set -+# CONFIG_SENSORS_PC87427 is not set -+# CONFIG_SENSORS_NTC_THERMISTOR is not set -+# CONFIG_SENSORS_NCT6683 is not set -+# CONFIG_SENSORS_NCT6775 is not set -+# CONFIG_SENSORS_NCT7802 is not set -+# CONFIG_SENSORS_NCT7904 is not set -+# CONFIG_SENSORS_NPCM7XX is not set -+# CONFIG_SENSORS_OCC_P8_I2C is not set -+# CONFIG_SENSORS_PCF8591 is not set -+# CONFIG_PMBUS is not set - CONFIG_SENSORS_PWM_FAN=m -+# CONFIG_SENSORS_SHT15 is not set -+# CONFIG_SENSORS_SHT21 is not set -+# CONFIG_SENSORS_SHT3x is not set -+# CONFIG_SENSORS_SHTC1 is not set -+# CONFIG_SENSORS_SIS5595 is not set -+# CONFIG_SENSORS_DME1737 is not set -+# CONFIG_SENSORS_EMC1403 is not set -+# CONFIG_SENSORS_EMC2103 is not set -+# CONFIG_SENSORS_EMC6W201 is not set -+# CONFIG_SENSORS_SMSC47M1 is not set -+# CONFIG_SENSORS_SMSC47M192 is not set -+# CONFIG_SENSORS_SMSC47B397 is not set -+# CONFIG_SENSORS_SCH5627 is not set -+# CONFIG_SENSORS_SCH5636 is not set -+# CONFIG_SENSORS_STTS751 is not set -+# CONFIG_SENSORS_SMM665 is not set -+# CONFIG_SENSORS_ADC128D818 is not set -+# CONFIG_SENSORS_ADS7828 is not set -+# CONFIG_SENSORS_ADS7871 is not set -+# CONFIG_SENSORS_AMC6821 is not set -+# CONFIG_SENSORS_INA209 is not set - 
CONFIG_SENSORS_INA2XX=m - CONFIG_SENSORS_INA3221=m -+# CONFIG_SENSORS_TC74 is not set -+# CONFIG_SENSORS_THMC50 is not set -+# CONFIG_SENSORS_TMP102 is not set -+# CONFIG_SENSORS_TMP103 is not set -+# CONFIG_SENSORS_TMP108 is not set -+# CONFIG_SENSORS_TMP401 is not set -+# CONFIG_SENSORS_TMP421 is not set -+# CONFIG_SENSORS_TMP513 is not set -+# CONFIG_SENSORS_VEXPRESS is not set -+# CONFIG_SENSORS_VIA686A is not set -+# CONFIG_SENSORS_VT1211 is not set -+# CONFIG_SENSORS_VT8231 is not set -+# CONFIG_SENSORS_W83773G is not set -+# CONFIG_SENSORS_W83781D is not set -+# CONFIG_SENSORS_W83791D is not set -+# CONFIG_SENSORS_W83792D is not set -+# CONFIG_SENSORS_W83793 is not set -+# CONFIG_SENSORS_W83795 is not set -+# CONFIG_SENSORS_W83L785TS is not set -+# CONFIG_SENSORS_W83L786NG is not set -+# CONFIG_SENSORS_W83627HF is not set -+# CONFIG_SENSORS_W83627EHF is not set -+# CONFIG_SENSORS_XGENE is not set - CONFIG_GPIO_TACHOMETER=y -+ -+# -+# ACPI drivers -+# -+# CONFIG_SENSORS_ACPI_POWER is not set -+ -+# -+# HWMON devices -+# -+CONFIG_SENSORS_F75308=m -+# end of HWMON devices -+ -+CONFIG_THERMAL=y -+# CONFIG_THERMAL_NETLINK is not set -+# CONFIG_THERMAL_STATISTICS is not set -+CONFIG_THERMAL_EMERGENCY_POWEROFF_DELAY_MS=0 -+CONFIG_THERMAL_HWMON=y -+CONFIG_THERMAL_OF=y - CONFIG_THERMAL_WRITABLE_TRIPS=y -+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y -+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set -+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set -+# CONFIG_THERMAL_DEFAULT_GOV_POWER_ALLOCATOR is not set -+# CONFIG_THERMAL_GOV_FAIR_SHARE is not set -+CONFIG_THERMAL_GOV_STEP_WISE=y -+# CONFIG_THERMAL_GOV_BANG_BANG is not set -+# CONFIG_THERMAL_GOV_USER_SPACE is not set - CONFIG_THERMAL_GOV_POWER_ALLOCATOR=y - CONFIG_CPU_THERMAL=y -+CONFIG_CPU_FREQ_THERMAL=y - CONFIG_DEVFREQ_THERMAL=y - CONFIG_THERMAL_EMULATION=y -+# CONFIG_THERMAL_MMIO is not set - CONFIG_MAX77620_THERMAL=m -+ -+# -+# NVIDIA Tegra thermal drivers -+# - CONFIG_TEGRA_SOCTHERM=y - 
CONFIG_TEGRA_BPMP_THERMAL=m - CONFIG_TEGRA_AOTAG=y - CONFIG_TEGRA_TJ_THERMAL=y - CONFIG_TEGRA_CORE_CAPS=y - CONFIG_TEGRA_DFLL_CAPS=y -+# end of NVIDIA Tegra thermal drivers -+ -+# CONFIG_GENERIC_ADC_THERMAL is not set -+ -+# -+# Nvidia Thermal Drivers -+# -+# CONFIG_PWM_FAN is not set - CONFIG_THERMAL_GOV_PID=y --CONFIG_USERSPACE_THERM_ALERT=m -+# CONFIG_THERMAL_GOV_CONTINUOUS is not set -+# CONFIG_TEGRA_THERMAL_THROTTLE is not set - CONFIG_TEGRA23X_OC_EVENT=y - CONFIG_TEGRA19X_OC_EVENT=y -+CONFIG_USERSPACE_THERM_ALERT=m -+# end of Nvidia Thermal Drivers -+ - CONFIG_WATCHDOG=y -+CONFIG_WATCHDOG_CORE=y - CONFIG_WATCHDOG_NOWAYOUT=y -+CONFIG_WATCHDOG_HANDLE_BOOT_ENABLED=y -+CONFIG_WATCHDOG_OPEN_TIMEOUT=0 -+# CONFIG_WATCHDOG_SYSFS is not set -+ -+# -+# Watchdog Pretimeout Governors -+# -+# CONFIG_WATCHDOG_PRETIMEOUT_GOV is not set -+ -+# -+# Watchdog Device Drivers -+# -+# CONFIG_SOFT_WATCHDOG is not set -+# CONFIG_SOFT_PLATFORM_WATCHDOG is not set -+# CONFIG_GPIO_WATCHDOG is not set -+# CONFIG_WDAT_WDT is not set -+# CONFIG_XILINX_WATCHDOG is not set -+# CONFIG_ZIIRAVE_WATCHDOG is not set -+# CONFIG_ARM_SP805_WATCHDOG is not set -+# CONFIG_ARM_SBSA_WATCHDOG is not set -+# CONFIG_CADENCE_WATCHDOG is not set -+# CONFIG_DW_WATCHDOG is not set -+# CONFIG_MAX63XX_WATCHDOG is not set - CONFIG_MAX77620_WATCHDOG=y -+# CONFIG_TEGRA_WATCHDOG_LEGACY is not set -+# CONFIG_TEGRA_WATCHDOG is not set - CONFIG_ARM_SMC_WATCHDOG=y -+# CONFIG_ALIM7101_WDT is not set -+# CONFIG_I6300ESB_WDT is not set -+# CONFIG_MEN_A21_WDT is not set -+ -+# -+# PCI-based Watchdog Cards -+# -+# CONFIG_PCIPCWATCHDOG is not set -+# CONFIG_WDTPCI is not set -+ -+# -+# USB-based Watchdog Cards -+# -+# CONFIG_USBPCWATCHDOG is not set - CONFIG_TEGRA21X_WATCHDOG=y - CONFIG_TEGRA18X_WATCHDOG=y - CONFIG_TEGRA_HV_WATCHDOG=y -+CONFIG_SSB_POSSIBLE=y -+CONFIG_SSB=m -+CONFIG_SSB_SPROM=y -+CONFIG_SSB_BLOCKIO=y -+CONFIG_SSB_PCIHOST_POSSIBLE=y -+CONFIG_SSB_PCIHOST=y -+CONFIG_SSB_B43_PCI_BRIDGE=y 
-+CONFIG_SSB_SDIOHOST_POSSIBLE=y -+CONFIG_SSB_SDIOHOST=y -+CONFIG_SSB_DRIVER_PCICORE_POSSIBLE=y -+CONFIG_SSB_DRIVER_PCICORE=y -+# CONFIG_SSB_DRIVER_GPIO is not set -+CONFIG_BCMA_POSSIBLE=y -+CONFIG_BCMA=m -+CONFIG_BCMA_BLOCKIO=y -+CONFIG_BCMA_HOST_PCI_POSSIBLE=y -+CONFIG_BCMA_HOST_PCI=y -+# CONFIG_BCMA_HOST_SOC is not set -+CONFIG_BCMA_DRIVER_PCI=y -+# CONFIG_BCMA_DRIVER_GMAC_CMN is not set -+# CONFIG_BCMA_DRIVER_GPIO is not set -+# CONFIG_BCMA_DEBUG is not set -+ -+# -+# Multifunction device drivers -+# -+CONFIG_MFD_CORE=y -+# CONFIG_MFD_ACT8945A is not set -+# CONFIG_MFD_AS3711 is not set -+# CONFIG_MFD_AS3722 is not set -+# CONFIG_PMIC_ADP5520 is not set -+# CONFIG_MFD_AAT2870_CORE is not set -+# CONFIG_MFD_ATMEL_FLEXCOM is not set -+# CONFIG_MFD_ATMEL_HLCDC is not set -+# CONFIG_MFD_BCM590XX is not set - CONFIG_MFD_BD9571MWV=y -+# CONFIG_MFD_AXP20X_I2C is not set -+# CONFIG_MFD_MADERA is not set -+# CONFIG_PMIC_DA903X is not set -+# CONFIG_MFD_DA9052_SPI is not set -+# CONFIG_MFD_DA9052_I2C is not set -+# CONFIG_MFD_DA9055 is not set -+# CONFIG_MFD_DA9062 is not set -+# CONFIG_MFD_DA9063 is not set -+# CONFIG_MFD_DA9150 is not set -+# CONFIG_MFD_DLN2 is not set -+# CONFIG_MFD_GATEWORKS_GSC is not set -+# CONFIG_MFD_MC13XXX_SPI is not set -+# CONFIG_MFD_MC13XXX_I2C is not set -+# CONFIG_MFD_MP2629 is not set - CONFIG_MFD_HI6421_PMIC=y -+# CONFIG_HTC_PASIC3 is not set -+# CONFIG_HTC_I2CPLD is not set -+# CONFIG_LPC_ICH is not set -+CONFIG_LPC_SCH=m -+# CONFIG_MFD_IQS62X is not set -+# CONFIG_MFD_JANZ_CMODIO is not set -+# CONFIG_MFD_KEMPLD is not set -+# CONFIG_MFD_88PM800 is not set -+# CONFIG_MFD_88PM805 is not set -+# CONFIG_MFD_88PM860X is not set -+# CONFIG_MFD_MAX14577 is not set - CONFIG_MFD_MAX77620=y -+# CONFIG_MFD_MAX77650 is not set -+# CONFIG_MFD_MAX77686 is not set -+# CONFIG_MFD_MAX77693 is not set -+# CONFIG_MFD_MAX77843 is not set -+# CONFIG_MFD_MAX8907 is not set -+# CONFIG_MFD_MAX8925 is not set -+# CONFIG_MFD_MAX8997 is not set -+# 
CONFIG_MFD_MAX8998 is not set -+# CONFIG_MFD_MT6360 is not set -+# CONFIG_MFD_MT6397 is not set -+# CONFIG_MFD_MENF21BMC is not set -+# CONFIG_EZX_PCAP is not set -+# CONFIG_MFD_CPCAP is not set -+# CONFIG_MFD_VIPERBOARD is not set -+# CONFIG_MFD_RETU is not set -+# CONFIG_MFD_PCF50633 is not set -+# CONFIG_MFD_RDC321X is not set -+# CONFIG_MFD_RT5033 is not set -+# CONFIG_MFD_RC5T583 is not set - CONFIG_MFD_RK808=y -+# CONFIG_MFD_RN5T618 is not set - CONFIG_MFD_SEC_CORE=y -+# CONFIG_MFD_SI476X_CORE is not set -+# CONFIG_MFD_SM501 is not set -+# CONFIG_MFD_SKY81452 is not set -+# CONFIG_ABX500_CORE is not set -+# CONFIG_MFD_STMPE is not set -+CONFIG_MFD_SYSCON=y -+# CONFIG_MFD_TI_AM335X_TSCADC is not set -+# CONFIG_MFD_LP3943 is not set -+# CONFIG_MFD_LP8788 is not set -+# CONFIG_MFD_TI_LMU is not set -+# CONFIG_MFD_PALMAS is not set -+# CONFIG_TPS6105X is not set -+# CONFIG_TPS65010 is not set -+# CONFIG_TPS6507X is not set -+# CONFIG_MFD_TPS65086 is not set -+# CONFIG_MFD_TPS65090 is not set -+# CONFIG_MFD_TPS65217 is not set -+# CONFIG_MFD_TI_LP873X is not set -+# CONFIG_MFD_TI_LP87565 is not set -+# CONFIG_MFD_TPS65218 is not set -+# CONFIG_MFD_TPS6586X is not set -+# CONFIG_MFD_TPS65910 is not set -+# CONFIG_MFD_TPS65912_I2C is not set -+# CONFIG_MFD_TPS65912_SPI is not set -+# CONFIG_MFD_TPS80031 is not set -+# CONFIG_TWL4030_CORE is not set -+# CONFIG_TWL6040_CORE is not set -+# CONFIG_MFD_WL1273_CORE is not set -+# CONFIG_MFD_LM3533 is not set -+# CONFIG_MFD_TC3589X is not set -+# CONFIG_MFD_TQMX86 is not set -+# CONFIG_MFD_VX855 is not set -+# CONFIG_MFD_LOCHNAGAR is not set -+# CONFIG_MFD_ARIZONA_I2C is not set -+# CONFIG_MFD_ARIZONA_SPI is not set -+# CONFIG_MFD_WM8400 is not set -+# CONFIG_MFD_WM831X_I2C is not set -+# CONFIG_MFD_WM831X_SPI is not set -+# CONFIG_MFD_WM8350_I2C is not set -+# CONFIG_MFD_WM8994 is not set - CONFIG_MFD_ROHM_BD718XX=y -+# CONFIG_MFD_ROHM_BD70528 is not set -+# CONFIG_MFD_ROHM_BD71828 is not set -+# CONFIG_MFD_STPMIC1 is not 
set -+# CONFIG_MFD_STMFX is not set -+CONFIG_MFD_VEXPRESS_SYSREG=y -+# CONFIG_RAVE_SP_CORE is not set -+# CONFIG_MFD_INTEL_M10_BMC is not set -+# end of Multifunction device drivers -+ -+CONFIG_MFD_TMPM32X_I2C=y - CONFIG_MFD_NVVRS_PSEQ=y --CONFIG_NVVRS_PSEQ_RTC=y - CONFIG_REGULATOR=y -+# CONFIG_REGULATOR_DEBUG is not set - CONFIG_REGULATOR_FIXED_VOLTAGE=y -+# CONFIG_REGULATOR_VIRTUAL_CONSUMER is not set -+# CONFIG_REGULATOR_USERSPACE_CONSUMER is not set -+# CONFIG_REGULATOR_88PG86X is not set -+# CONFIG_REGULATOR_ACT8865 is not set -+# CONFIG_REGULATOR_AD5398 is not set -+# CONFIG_REGULATOR_BD718XX is not set -+# CONFIG_REGULATOR_BD9571MWV is not set -+# CONFIG_REGULATOR_DA9210 is not set -+# CONFIG_REGULATOR_DA9211 is not set -+# CONFIG_REGULATOR_FAN53555 is not set -+# CONFIG_REGULATOR_FAN53880 is not set - CONFIG_REGULATOR_GPIO=y -+# CONFIG_REGULATOR_HI6421 is not set -+# CONFIG_REGULATOR_HI6421V530 is not set -+# CONFIG_REGULATOR_ISL9305 is not set -+# CONFIG_REGULATOR_ISL6271A is not set -+# CONFIG_REGULATOR_LP3971 is not set -+# CONFIG_REGULATOR_LP3972 is not set -+# CONFIG_REGULATOR_LP872X is not set -+# CONFIG_REGULATOR_LP8755 is not set -+# CONFIG_REGULATOR_LTC3589 is not set -+# CONFIG_REGULATOR_LTC3676 is not set -+# CONFIG_REGULATOR_MAX1586 is not set - CONFIG_REGULATOR_MAX77620=y -+# CONFIG_REGULATOR_MAX16989 is not set -+# CONFIG_REGULATOR_MAX8649 is not set -+# CONFIG_REGULATOR_MAX8660 is not set -+# CONFIG_REGULATOR_MAX8952 is not set -+# CONFIG_REGULATOR_MAX8973 is not set -+# CONFIG_REGULATOR_MAX77812 is not set -+# CONFIG_REGULATOR_MAX77826 is not set -+# CONFIG_REGULATOR_MCP16502 is not set -+# CONFIG_REGULATOR_MP5416 is not set -+# CONFIG_REGULATOR_MP8859 is not set -+# CONFIG_REGULATOR_MP886X is not set -+# CONFIG_REGULATOR_MPQ7920 is not set -+# CONFIG_REGULATOR_MT6311 is not set -+# CONFIG_REGULATOR_PCA9450 is not set -+# CONFIG_REGULATOR_PFUZE100 is not set -+# CONFIG_REGULATOR_PV88060 is not set -+# CONFIG_REGULATOR_PV88080 is not set -+# 
CONFIG_REGULATOR_PV88090 is not set - CONFIG_REGULATOR_PWM=y -+# CONFIG_REGULATOR_QCOM_SPMI is not set -+# CONFIG_REGULATOR_QCOM_USB_VBUS is not set -+# CONFIG_REGULATOR_RASPBERRYPI_TOUCHSCREEN_ATTINY is not set -+# CONFIG_REGULATOR_RK808 is not set -+# CONFIG_REGULATOR_RT4801 is not set -+# CONFIG_REGULATOR_RTMV20 is not set -+# CONFIG_REGULATOR_S2MPA01 is not set -+# CONFIG_REGULATOR_S2MPS11 is not set -+# CONFIG_REGULATOR_S5M8767 is not set -+# CONFIG_REGULATOR_SLG51000 is not set -+# CONFIG_REGULATOR_SY8106A is not set -+# CONFIG_REGULATOR_SY8824X is not set -+# CONFIG_REGULATOR_SY8827N is not set -+# CONFIG_REGULATOR_TPS51632 is not set -+# CONFIG_REGULATOR_TPS62360 is not set -+# CONFIG_REGULATOR_TPS65023 is not set -+# CONFIG_REGULATOR_TPS6507X is not set - CONFIG_REGULATOR_TPS65132=y -+# CONFIG_REGULATOR_TPS6524X is not set -+# CONFIG_REGULATOR_TPS61280 is not set -+# CONFIG_REGULATOR_VCTRL is not set -+# CONFIG_REGULATOR_VEXPRESS is not set -+# CONFIG_REGULATOR_QCOM_LABIBB is not set - CONFIG_REGULATOR_PMIC_OTP=y - CONFIG_REGULATOR_NCP81599=y - CONFIG_RC_CORE=y -+CONFIG_RC_MAP=y -+# CONFIG_LIRC is not set -+# CONFIG_RC_DECODERS is not set -+# CONFIG_RC_DEVICES is not set -+# CONFIG_MEDIA_CEC_SUPPORT is not set - CONFIG_MEDIA_SUPPORT=y - CONFIG_MEDIA_SUPPORT_FILTER=y - # CONFIG_MEDIA_SUBDRV_AUTOSELECT is not set -+ -+# -+# Media device types -+# - CONFIG_MEDIA_CAMERA_SUPPORT=y -+# CONFIG_MEDIA_ANALOG_TV_SUPPORT is not set - CONFIG_MEDIA_DIGITAL_TV_SUPPORT=y -+# CONFIG_MEDIA_RADIO_SUPPORT is not set -+# CONFIG_MEDIA_SDR_SUPPORT is not set - CONFIG_MEDIA_PLATFORM_SUPPORT=y - CONFIG_MEDIA_TEST_SUPPORT=y -+# end of Media device types -+ -+CONFIG_VIDEO_DEV=y -+CONFIG_MEDIA_CONTROLLER=y -+CONFIG_DVB_CORE=y -+ -+# -+# Video4Linux options -+# -+CONFIG_VIDEO_V4L2=y -+CONFIG_VIDEO_V4L2_I2C=y - CONFIG_VIDEO_V4L2_SUBDEV_API=y -+# CONFIG_VIDEO_ADV_DEBUG is not set -+# CONFIG_VIDEO_FIXED_MINOR_RANGES is not set -+CONFIG_V4L2_FWNODE=y -+CONFIG_VIDEOBUF_GEN=m 
-+CONFIG_VIDEOBUF_VMALLOC=m -+# end of Video4Linux options -+ -+# -+# Media controller options -+# -+# CONFIG_MEDIA_CONTROLLER_DVB is not set -+# end of Media controller options -+ -+# -+# Digital TV options -+# -+# CONFIG_DVB_MMAP is not set -+CONFIG_DVB_NET=y -+CONFIG_DVB_MAX_ADAPTERS=16 - # CONFIG_DVB_DYNAMIC_MINORS is not set -+# CONFIG_DVB_DEMUX_SECTION_LOSS_LOG is not set -+# CONFIG_DVB_ULE_DEBUG is not set -+# end of Digital TV options -+ -+# -+# Media drivers -+# -+ -+# -+# Drivers filtered as selected at 'Filter media drivers' -+# - CONFIG_MEDIA_USB_SUPPORT=y -+ -+# -+# Webcam devices -+# - CONFIG_USB_VIDEO_CLASS=m -+CONFIG_USB_VIDEO_CLASS_INPUT_EVDEV=y -+CONFIG_USB_GSPCA=m - CONFIG_USB_M5602=m - CONFIG_USB_STV06XX=m - CONFIG_USB_GL860=m -@@ -872,20 +4505,265 @@ CONFIG_USB_GSPCA_VICAM=m - CONFIG_USB_GSPCA_XIRLINK_CIT=m - CONFIG_USB_GSPCA_ZC3XX=m - CONFIG_USB_PWC=m -+# CONFIG_USB_PWC_DEBUG is not set -+CONFIG_USB_PWC_INPUT_EVDEV=y - CONFIG_VIDEO_CPIA2=m - CONFIG_USB_ZR364XX=m - CONFIG_USB_STKWEBCAM=m - CONFIG_USB_S2255=m - CONFIG_VIDEO_USBTV=m -+ -+# -+# Analog/digital TV USB devices -+# -+# CONFIG_VIDEO_AU0828 is not set -+# CONFIG_VIDEO_CX231XX is not set -+# CONFIG_VIDEO_TM6000 is not set -+ -+# -+# Digital TV USB devices -+# -+# CONFIG_DVB_USB is not set -+# CONFIG_DVB_USB_V2 is not set -+# CONFIG_DVB_TTUSB_BUDGET is not set -+# CONFIG_DVB_TTUSB_DEC is not set -+# CONFIG_SMS_USB_DRV is not set -+# CONFIG_DVB_B2C2_FLEXCOP_USB is not set -+# CONFIG_DVB_AS102 is not set -+ -+# -+# Webcam, TV (analog/digital) USB devices -+# -+# CONFIG_VIDEO_EM28XX is not set -+# CONFIG_MEDIA_PCI_SUPPORT is not set -+CONFIG_VIDEOBUF2_CORE=y -+CONFIG_VIDEOBUF2_V4L2=y -+CONFIG_VIDEOBUF2_MEMOPS=y -+CONFIG_VIDEOBUF2_DMA_CONTIG=y -+CONFIG_VIDEOBUF2_VMALLOC=m - CONFIG_V4L_PLATFORM_DRIVERS=y -+# CONFIG_VIDEO_CAFE_CCIC is not set -+# CONFIG_VIDEO_CADENCE is not set -+# CONFIG_VIDEO_ASPEED is not set -+# CONFIG_VIDEO_MUX is not set -+# CONFIG_VIDEO_XILINX is not set -+# 
CONFIG_V4L_MEM2MEM_DRIVERS is not set -+# CONFIG_DVB_PLATFORM_DRIVERS is not set -+ -+# -+# NVIDIA overlay V4L platform devices -+# -+CONFIG_TEGRA_MIPI_CAL=y - CONFIG_VIDEO_CAMERA=y -+CONFIG_VIDEO_TEGRA_VI=y -+CONFIG_VIDEO_TEGRA_VI_TPG=m -+CONFIG_VIDEO_CAMERA_SKT=m - CONFIG_VIDEO_ISC=m - CONFIG_VIDEO_CDI=m -+# CONFIG_VIDEO_TEGRA_VIVID is not set -+# end of NVIDIA overlay V4L platform devices -+ -+# -+# MMC/SDIO DVB adapters -+# -+# CONFIG_SMS_SDIO_DRV is not set - CONFIG_V4L_TEST_DRIVERS=y --CONFIG_VIDEO_ECAM=m -+# CONFIG_VIDEO_VIMC is not set -+# CONFIG_VIDEO_VIVID is not set -+# CONFIG_VIDEO_VIM2M is not set -+# CONFIG_VIDEO_VICODEC is not set -+# CONFIG_DVB_TEST_DRIVERS is not set -+# end of Media drivers -+ -+# -+# Media ancillary drivers -+# -+CONFIG_MEDIA_ATTACH=y -+CONFIG_VIDEO_IR_I2C=y -+ -+# -+# Audio decoders, processors and mixers -+# -+# CONFIG_VIDEO_TVAUDIO is not set -+# CONFIG_VIDEO_TDA7432 is not set -+# CONFIG_VIDEO_TDA9840 is not set -+# CONFIG_VIDEO_TDA1997X is not set -+# CONFIG_VIDEO_TEA6415C is not set -+# CONFIG_VIDEO_TEA6420 is not set -+# CONFIG_VIDEO_MSP3400 is not set -+# CONFIG_VIDEO_CS3308 is not set -+# CONFIG_VIDEO_CS5345 is not set -+# CONFIG_VIDEO_CS53L32A is not set -+# CONFIG_VIDEO_TLV320AIC23B is not set -+# CONFIG_VIDEO_UDA1342 is not set -+# CONFIG_VIDEO_WM8775 is not set -+# CONFIG_VIDEO_WM8739 is not set -+# CONFIG_VIDEO_VP27SMPX is not set -+# CONFIG_VIDEO_SONY_BTF_MPX is not set -+# end of Audio decoders, processors and mixers -+ -+# -+# RDS decoders -+# -+# CONFIG_VIDEO_SAA6588 is not set -+# end of RDS decoders -+ -+# -+# Video decoders -+# -+# CONFIG_VIDEO_ADV7180 is not set -+# CONFIG_VIDEO_ADV7183 is not set -+# CONFIG_VIDEO_ADV748X is not set -+# CONFIG_VIDEO_ADV7604 is not set -+# CONFIG_VIDEO_ADV7842 is not set -+# CONFIG_VIDEO_BT819 is not set -+# CONFIG_VIDEO_BT856 is not set -+# CONFIG_VIDEO_BT866 is not set -+# CONFIG_VIDEO_KS0127 is not set -+# CONFIG_VIDEO_ML86V7667 is not set -+# CONFIG_VIDEO_SAA7110 is not 
set -+# CONFIG_VIDEO_SAA711X is not set -+# CONFIG_VIDEO_TC358743 is not set -+# CONFIG_VIDEO_TVP514X is not set -+# CONFIG_VIDEO_TVP5150 is not set -+# CONFIG_VIDEO_TVP7002 is not set -+# CONFIG_VIDEO_TW2804 is not set -+# CONFIG_VIDEO_TW9903 is not set -+# CONFIG_VIDEO_TW9906 is not set -+# CONFIG_VIDEO_TW9910 is not set -+# CONFIG_VIDEO_VPX3220 is not set -+# CONFIG_VIDEO_MAX9286 is not set -+ -+# -+# Video and audio decoders -+# -+# CONFIG_VIDEO_SAA717X is not set -+# CONFIG_VIDEO_CX25840 is not set -+# end of Video decoders -+ -+# -+# Video encoders -+# -+# CONFIG_VIDEO_SAA7127 is not set -+# CONFIG_VIDEO_SAA7185 is not set -+# CONFIG_VIDEO_ADV7170 is not set -+# CONFIG_VIDEO_ADV7175 is not set -+# CONFIG_VIDEO_ADV7343 is not set -+# CONFIG_VIDEO_ADV7393 is not set -+# CONFIG_VIDEO_ADV7511 is not set -+# CONFIG_VIDEO_AD9389B is not set -+# CONFIG_VIDEO_AK881X is not set -+# CONFIG_VIDEO_THS8200 is not set -+# end of Video encoders -+ -+# -+# Video improvement chips -+# -+# CONFIG_VIDEO_UPD64031A is not set -+# CONFIG_VIDEO_UPD64083 is not set -+# end of Video improvement chips -+ -+# -+# Audio/Video compression chips -+# -+# CONFIG_VIDEO_SAA6752HS is not set -+# end of Audio/Video compression chips -+ -+# -+# SDR tuner chips -+# -+# end of SDR tuner chips -+ -+# -+# Miscellaneous helper chips -+# -+# CONFIG_VIDEO_THS7303 is not set -+# CONFIG_VIDEO_M52790 is not set -+# CONFIG_VIDEO_I2C is not set -+# CONFIG_VIDEO_ST_MIPID02 is not set -+# end of Miscellaneous helper chips -+ -+# -+# Camera sensor devices -+# -+# CONFIG_VIDEO_HI556 is not set -+# CONFIG_VIDEO_IMX214 is not set -+# CONFIG_VIDEO_IMX219 is not set -+# CONFIG_VIDEO_IMX258 is not set -+# CONFIG_VIDEO_IMX274 is not set -+# CONFIG_VIDEO_IMX290 is not set -+# CONFIG_VIDEO_IMX319 is not set -+# CONFIG_VIDEO_IMX355 is not set -+# CONFIG_VIDEO_OV2640 is not set -+# CONFIG_VIDEO_OV2659 is not set -+# CONFIG_VIDEO_OV2680 is not set -+# CONFIG_VIDEO_OV2685 is not set -+# CONFIG_VIDEO_OV2740 is not set -+# 
CONFIG_VIDEO_OV5640 is not set -+# CONFIG_VIDEO_OV5645 is not set -+# CONFIG_VIDEO_OV5647 is not set -+# CONFIG_VIDEO_OV6650 is not set -+# CONFIG_VIDEO_OV5670 is not set -+# CONFIG_VIDEO_OV5675 is not set -+# CONFIG_VIDEO_OV5695 is not set -+# CONFIG_VIDEO_OV7251 is not set -+# CONFIG_VIDEO_OV772X is not set -+# CONFIG_VIDEO_OV7640 is not set -+# CONFIG_VIDEO_OV7670 is not set -+# CONFIG_VIDEO_OV7740 is not set -+# CONFIG_VIDEO_OV8856 is not set -+# CONFIG_VIDEO_OV9640 is not set -+# CONFIG_VIDEO_OV9650 is not set -+# CONFIG_VIDEO_OV13858 is not set -+# CONFIG_VIDEO_VS6624 is not set -+# CONFIG_VIDEO_MT9M001 is not set -+# CONFIG_VIDEO_MT9M032 is not set -+# CONFIG_VIDEO_MT9M111 is not set -+# CONFIG_VIDEO_MT9P031 is not set -+# CONFIG_VIDEO_MT9T001 is not set -+# CONFIG_VIDEO_MT9T112 is not set -+# CONFIG_VIDEO_MT9V011 is not set -+# CONFIG_VIDEO_MT9V032 is not set -+# CONFIG_VIDEO_MT9V111 is not set -+# CONFIG_VIDEO_SR030PC30 is not set -+# CONFIG_VIDEO_NOON010PC30 is not set -+# CONFIG_VIDEO_M5MOLS is not set -+# CONFIG_VIDEO_RDACM20 is not set -+# CONFIG_VIDEO_RJ54N1 is not set -+# CONFIG_VIDEO_S5K6AA is not set -+# CONFIG_VIDEO_S5K6A3 is not set -+# CONFIG_VIDEO_S5K4ECGX is not set -+# CONFIG_VIDEO_S5K5BAF is not set -+# CONFIG_VIDEO_SMIAPP is not set -+# CONFIG_VIDEO_ET8EK8 is not set -+# CONFIG_VIDEO_S5C73M3 is not set -+# end of Camera sensor devices -+ -+# -+# Lens drivers -+# -+# CONFIG_VIDEO_AD5820 is not set -+# CONFIG_VIDEO_AK7375 is not set -+# CONFIG_VIDEO_DW9714 is not set -+# CONFIG_VIDEO_DW9768 is not set -+# CONFIG_VIDEO_DW9807_VCM is not set -+# end of Lens drivers -+ -+# -+# Flash devices -+# -+# CONFIG_VIDEO_ADP1653 is not set -+# CONFIG_VIDEO_LM3560 is not set -+# CONFIG_VIDEO_LM3646 is not set -+# end of Flash devices -+ -+# -+# NVIDIA overlay Encoders, decoders, sensors and other helper chips -+# - CONFIG_NV_VIDEO_IMX185=m --CONFIG_NV_VIDEO_IMX219=m - CONFIG_NV_VIDEO_IMX477=m -+CONFIG_VIDEO_ECAM=m -+CONFIG_NV_VIDEO_IMX219=m - 
CONFIG_NV_VIDEO_IMX268=m - CONFIG_NV_VIDEO_IMX274=m - CONFIG_NV_VIDEO_IMX318=m -@@ -903,16 +4781,55 @@ CONFIG_NV_VIDEO_IMX390=y - CONFIG_NV_DESER_MAX96712=m - CONFIG_NV_VIDEO_AR0234=m - CONFIG_NV_VIDEO_HAWK_OWL=m -+# end of NVIDIA overlay Encoders, decoders, sensors and other helper chips -+ -+# -+# SPI helper chips -+# -+# CONFIG_VIDEO_GS1662 is not set -+# end of SPI helper chips -+ -+# -+# Media SPI Adapters -+# - # CONFIG_CXD2880_SPI_DRV is not set -+# end of Media SPI Adapters -+ -+# CONFIG_VIDEO_IMX204 is not set -+CONFIG_MEDIA_TUNER=y -+ -+# -+# Customize TV tuners -+# - CONFIG_MEDIA_TUNER_SIMPLE=y - # CONFIG_MEDIA_TUNER_TDA18250 is not set - CONFIG_MEDIA_TUNER_TDA8290=y -+CONFIG_MEDIA_TUNER_TDA827X=y -+CONFIG_MEDIA_TUNER_TDA18271=y - # CONFIG_MEDIA_TUNER_TDA18272 is not set -+CONFIG_MEDIA_TUNER_TDA9887=y -+CONFIG_MEDIA_TUNER_TEA5761=m -+CONFIG_MEDIA_TUNER_TEA5767=m -+CONFIG_MEDIA_TUNER_MSI001=m - CONFIG_MEDIA_TUNER_MT20XX=y -+CONFIG_MEDIA_TUNER_MT2060=m -+CONFIG_MEDIA_TUNER_MT2063=m -+CONFIG_MEDIA_TUNER_MT2266=m -+CONFIG_MEDIA_TUNER_MT2131=m -+CONFIG_MEDIA_TUNER_QT1010=m - CONFIG_MEDIA_TUNER_XC2028=y - CONFIG_MEDIA_TUNER_XC5000=y - CONFIG_MEDIA_TUNER_XC4000=y -+CONFIG_MEDIA_TUNER_MXL5005S=m -+CONFIG_MEDIA_TUNER_MXL5007T=m - CONFIG_MEDIA_TUNER_MC44S803=y -+CONFIG_MEDIA_TUNER_MAX2165=m -+CONFIG_MEDIA_TUNER_TDA18218=m -+CONFIG_MEDIA_TUNER_FC0011=m -+CONFIG_MEDIA_TUNER_FC0012=m -+CONFIG_MEDIA_TUNER_FC0013=m -+CONFIG_MEDIA_TUNER_TDA18212=m -+CONFIG_MEDIA_TUNER_E4000=m - # CONFIG_MEDIA_TUNER_FC2580 is not set - # CONFIG_MEDIA_TUNER_M88RS6000T is not set - # CONFIG_MEDIA_TUNER_TUA9001 is not set -@@ -922,51 +4839,716 @@ CONFIG_MEDIA_TUNER_MC44S803=y - # CONFIG_MEDIA_TUNER_MXL301RF is not set - # CONFIG_MEDIA_TUNER_QM1D1C0042 is not set - # CONFIG_MEDIA_TUNER_QM1D1B0004 is not set -+# end of Customize TV tuners -+ -+# -+# Nvidia overlay Customize TV tuners -+# -+# end of Nvidia overlay Customize TV tuners -+ -+# -+# Customise DVB Frontends -+# -+ -+# -+# 
Multistandard (satellite) frontends -+# -+CONFIG_DVB_STB0899=m -+CONFIG_DVB_STB6100=m -+CONFIG_DVB_STV090x=m -+CONFIG_DVB_STV0910=m -+CONFIG_DVB_STV6110x=m -+CONFIG_DVB_STV6111=m -+CONFIG_DVB_MXL5XX=m -+CONFIG_DVB_M88DS3103=m -+ -+# -+# Multistandard (cable + terrestrial) frontends -+# -+CONFIG_DVB_DRXK=m -+CONFIG_DVB_TDA18271C2DD=m -+CONFIG_DVB_SI2165=m -+CONFIG_DVB_MN88472=m -+CONFIG_DVB_MN88473=m -+ -+# -+# DVB-S (satellite) frontends -+# -+CONFIG_DVB_CX24110=m -+CONFIG_DVB_CX24123=m -+CONFIG_DVB_MT312=m -+CONFIG_DVB_ZL10036=m -+CONFIG_DVB_ZL10039=m -+CONFIG_DVB_S5H1420=m -+CONFIG_DVB_STV0288=m -+CONFIG_DVB_STB6000=m -+CONFIG_DVB_STV0299=m -+CONFIG_DVB_STV6110=m -+CONFIG_DVB_STV0900=m -+CONFIG_DVB_TDA8083=m -+CONFIG_DVB_TDA10086=m -+CONFIG_DVB_TDA8261=m -+CONFIG_DVB_VES1X93=m -+CONFIG_DVB_TUNER_ITD1000=m -+CONFIG_DVB_TUNER_CX24113=m -+CONFIG_DVB_TDA826X=m -+CONFIG_DVB_TUA6100=m -+CONFIG_DVB_CX24116=m -+CONFIG_DVB_CX24117=m -+CONFIG_DVB_CX24120=m -+CONFIG_DVB_SI21XX=m -+CONFIG_DVB_TS2020=m -+CONFIG_DVB_DS3000=m -+CONFIG_DVB_MB86A16=m -+CONFIG_DVB_TDA10071=m -+ -+# -+# DVB-T (terrestrial) frontends -+# -+CONFIG_DVB_SP8870=m -+CONFIG_DVB_SP887X=m -+CONFIG_DVB_CX22700=m -+CONFIG_DVB_CX22702=m -+CONFIG_DVB_S5H1432=m -+CONFIG_DVB_DRXD=m -+CONFIG_DVB_L64781=m -+CONFIG_DVB_TDA1004X=m -+CONFIG_DVB_NXT6000=m -+CONFIG_DVB_MT352=m -+CONFIG_DVB_ZL10353=m -+CONFIG_DVB_DIB3000MB=m -+CONFIG_DVB_DIB3000MC=m -+CONFIG_DVB_DIB7000M=m -+CONFIG_DVB_DIB7000P=m -+CONFIG_DVB_DIB9000=m -+CONFIG_DVB_TDA10048=m -+CONFIG_DVB_AF9013=m -+CONFIG_DVB_EC100=m -+CONFIG_DVB_STV0367=m -+CONFIG_DVB_CXD2820R=m -+CONFIG_DVB_CXD2841ER=m -+CONFIG_DVB_RTL2830=m -+CONFIG_DVB_RTL2832=m -+CONFIG_DVB_SI2168=m -+CONFIG_DVB_ZD1301_DEMOD=m - # CONFIG_DVB_CXD2880 is not set -+ -+# -+# DVB-C (cable) frontends -+# -+CONFIG_DVB_VES1820=m -+CONFIG_DVB_TDA10021=m -+CONFIG_DVB_TDA10023=m -+CONFIG_DVB_STV0297=m -+ -+# -+# ATSC (North American/Korean Terrestrial/Cable DTV) frontends -+# -+CONFIG_DVB_NXT200X=m 
-+CONFIG_DVB_OR51211=m -+CONFIG_DVB_OR51132=m -+CONFIG_DVB_BCM3510=m -+CONFIG_DVB_LGDT330X=m -+CONFIG_DVB_LGDT3305=m -+CONFIG_DVB_LGDT3306A=m -+CONFIG_DVB_LG2160=m -+CONFIG_DVB_S5H1409=m -+CONFIG_DVB_AU8522=m -+CONFIG_DVB_AU8522_DTV=m -+CONFIG_DVB_AU8522_V4L=m -+CONFIG_DVB_S5H1411=m -+ -+# -+# ISDB-T (terrestrial) frontends -+# -+CONFIG_DVB_S921=m -+CONFIG_DVB_DIB8000=m -+CONFIG_DVB_MB86A20S=m -+ -+# -+# ISDB-S (satellite) & ISDB-T (terrestrial) frontends -+# -+CONFIG_DVB_TC90522=m - # CONFIG_DVB_MN88443X is not set -+ -+# -+# Digital terrestrial only tuners/PLL -+# -+CONFIG_DVB_PLL=m -+CONFIG_DVB_TUNER_DIB0070=m -+CONFIG_DVB_TUNER_DIB0090=m -+ -+# -+# SEC control devices for DVB-S -+# -+CONFIG_DVB_DRX39XYJ=m -+CONFIG_DVB_LNBH25=m - # CONFIG_DVB_LNBH29 is not set -+CONFIG_DVB_LNBP21=m -+CONFIG_DVB_LNBP22=m -+CONFIG_DVB_ISL6405=m -+CONFIG_DVB_ISL6421=m -+CONFIG_DVB_ISL6423=m -+CONFIG_DVB_A8293=m -+CONFIG_DVB_LGS8GL5=m -+CONFIG_DVB_LGS8GXX=m -+CONFIG_DVB_ATBM8830=m -+CONFIG_DVB_TDA665x=m -+CONFIG_DVB_IX2505V=m -+CONFIG_DVB_M88RS2000=m -+CONFIG_DVB_AF9033=m -+CONFIG_DVB_HORUS3A=m -+CONFIG_DVB_ASCOT2E=m -+CONFIG_DVB_HELENE=m -+ -+# -+# Common Interface (EN50221) controller drivers -+# - # CONFIG_DVB_CXD2099 is not set -+CONFIG_DVB_SP2=m -+# end of Customise DVB Frontends -+ -+# -+# Tools to develop new frontends -+# -+# CONFIG_DVB_DUMMY_FE is not set -+# end of Media ancillary drivers -+ -+# -+# Graphics support -+# - # CONFIG_VGA_ARB is not set -+# CONFIG_TEGRA_HOST1X is not set - CONFIG_DRM=y -+CONFIG_DRM_MIPI_DSI=y -+# CONFIG_DRM_DP_AUX_CHARDEV is not set -+# CONFIG_DRM_DEBUG_MM is not set -+# CONFIG_DRM_DEBUG_SELFTEST is not set -+CONFIG_DRM_KMS_HELPER=y -+CONFIG_DRM_KMS_FB_HELPER=y -+# CONFIG_DRM_DEBUG_DP_MST_TOPOLOGY_REFS is not set -+CONFIG_DRM_FBDEV_EMULATION=y -+CONFIG_DRM_FBDEV_OVERALLOC=100 -+# CONFIG_DRM_FBDEV_LEAK_PHYS_SMEM is not set -+# CONFIG_DRM_LOAD_EDID_FIRMWARE is not set -+# CONFIG_DRM_DP_CEC is not set -+CONFIG_DRM_TTM=m 
-+CONFIG_DRM_TTM_DMA_PAGE_POOL=y -+CONFIG_DRM_VRAM_HELPER=m -+CONFIG_DRM_TTM_HELPER=m -+CONFIG_DRM_GEM_CMA_HELPER=y -+CONFIG_DRM_KMS_CMA_HELPER=y -+ -+# -+# I2C encoder or helper chips -+# -+# CONFIG_DRM_I2C_CH7006 is not set -+# CONFIG_DRM_I2C_SIL164 is not set - CONFIG_DRM_I2C_NXP_TDA998X=m -+# CONFIG_DRM_I2C_NXP_TDA9950 is not set -+# end of I2C encoder or helper chips -+ -+# -+# ARM devices -+# -+# CONFIG_DRM_HDLCD is not set -+# CONFIG_DRM_MALI_DISPLAY is not set -+# CONFIG_DRM_KOMEDA is not set -+# end of ARM devices -+ -+# CONFIG_DRM_RADEON is not set -+# CONFIG_DRM_AMDGPU is not set -+# CONFIG_DRM_NOUVEAU is not set -+# CONFIG_DRM_VGEM is not set -+# CONFIG_DRM_VKMS is not set -+# CONFIG_DRM_UDL is not set -+# CONFIG_DRM_AST is not set -+# CONFIG_DRM_MGAG200 is not set - CONFIG_DRM_RCAR_DW_HDMI=m - CONFIG_DRM_RCAR_LVDS=m -+# CONFIG_DRM_QXL is not set -+# CONFIG_DRM_BOCHS is not set -+# CONFIG_DRM_VIRTIO_GPU is not set -+# CONFIG_DRM_TEGRA is not set -+CONFIG_DRM_PANEL=y -+ -+# -+# Display Panels -+# -+# CONFIG_DRM_PANEL_ARM_VERSATILE is not set -+# CONFIG_DRM_PANEL_ASUS_Z00T_TM5P5_NT35596 is not set -+# CONFIG_DRM_PANEL_BOE_HIMAX8279D is not set -+# CONFIG_DRM_PANEL_BOE_TV101WUM_NL6 is not set - CONFIG_DRM_PANEL_LVDS=m - CONFIG_DRM_PANEL_SIMPLE=m -+# CONFIG_DRM_PANEL_ELIDA_KD35T133 is not set -+# CONFIG_DRM_PANEL_FEIXIN_K101_IM2BA02 is not set -+# CONFIG_DRM_PANEL_FEIYANG_FY07024DI26A30D is not set -+# CONFIG_DRM_PANEL_ILITEK_IL9322 is not set -+# CONFIG_DRM_PANEL_ILITEK_ILI9881C is not set -+# CONFIG_DRM_PANEL_INNOLUX_P079ZCA is not set -+# CONFIG_DRM_PANEL_JDI_LT070ME05000 is not set -+# CONFIG_DRM_PANEL_KINGDISPLAY_KD097D04 is not set -+# CONFIG_DRM_PANEL_LEADTEK_LTK050H3146W is not set -+# CONFIG_DRM_PANEL_LEADTEK_LTK500HD1829 is not set -+# CONFIG_DRM_PANEL_SAMSUNG_LD9040 is not set -+# CONFIG_DRM_PANEL_LG_LB035Q02 is not set -+# CONFIG_DRM_PANEL_LG_LG4573 is not set -+# CONFIG_DRM_PANEL_NEC_NL8048HL11 is not set -+# CONFIG_DRM_PANEL_NOVATEK_NT35510 is 
not set -+# CONFIG_DRM_PANEL_NOVATEK_NT39016 is not set -+# CONFIG_DRM_PANEL_MANTIX_MLAF057WE51 is not set -+# CONFIG_DRM_PANEL_OLIMEX_LCD_OLINUXINO is not set -+# CONFIG_DRM_PANEL_ORISETECH_OTM8009A is not set -+# CONFIG_DRM_PANEL_OSD_OSD101T2587_53TS is not set -+# CONFIG_DRM_PANEL_PANASONIC_VVX10F034N00 is not set -+# CONFIG_DRM_PANEL_RASPBERRYPI_TOUCHSCREEN is not set -+# CONFIG_DRM_PANEL_RAYDIUM_RM67191 is not set -+# CONFIG_DRM_PANEL_RAYDIUM_RM68200 is not set -+# CONFIG_DRM_PANEL_RONBO_RB070D30 is not set -+# CONFIG_DRM_PANEL_SAMSUNG_S6D16D0 is not set -+# CONFIG_DRM_PANEL_SAMSUNG_S6E3HA2 is not set -+# CONFIG_DRM_PANEL_SAMSUNG_S6E63J0X03 is not set -+# CONFIG_DRM_PANEL_SAMSUNG_S6E63M0 is not set -+# CONFIG_DRM_PANEL_SAMSUNG_S6E88A0_AMS452EF01 is not set -+# CONFIG_DRM_PANEL_SAMSUNG_S6E8AA0 is not set -+# CONFIG_DRM_PANEL_SEIKO_43WVF1G is not set -+# CONFIG_DRM_PANEL_SHARP_LQ101R1SX01 is not set -+# CONFIG_DRM_PANEL_SHARP_LS037V7DW01 is not set -+# CONFIG_DRM_PANEL_SHARP_LS043T1LE01 is not set -+# CONFIG_DRM_PANEL_SITRONIX_ST7701 is not set -+# CONFIG_DRM_PANEL_SITRONIX_ST7703 is not set -+# CONFIG_DRM_PANEL_SITRONIX_ST7789V is not set -+# CONFIG_DRM_PANEL_SONY_ACX424AKP is not set -+# CONFIG_DRM_PANEL_SONY_ACX565AKM is not set -+# CONFIG_DRM_PANEL_TPO_TD028TTEC1 is not set -+# CONFIG_DRM_PANEL_TPO_TD043MTEA1 is not set -+# CONFIG_DRM_PANEL_TPO_TPG110 is not set -+# CONFIG_DRM_PANEL_TRULY_NT35597_WQXGA is not set -+# CONFIG_DRM_PANEL_VISIONOX_RM69299 is not set -+# CONFIG_DRM_PANEL_XINPENG_XPP055C272 is not set -+# end of Display Panels -+ -+CONFIG_DRM_BRIDGE=y -+CONFIG_DRM_PANEL_BRIDGE=y -+ -+# -+# Display Interface Bridges -+# -+# CONFIG_DRM_CDNS_DSI is not set -+# CONFIG_DRM_CHRONTEL_CH7033 is not set -+# CONFIG_DRM_DISPLAY_CONNECTOR is not set -+# CONFIG_DRM_LONTIUM_LT9611 is not set -+# CONFIG_DRM_LVDS_CODEC is not set -+# CONFIG_DRM_MEGACHIPS_STDPXXXX_GE_B850V3_FW is not set -+# CONFIG_DRM_NWL_MIPI_DSI is not set -+# CONFIG_DRM_NXP_PTN3460 is not set 
-+# CONFIG_DRM_PARADE_PS8622 is not set -+# CONFIG_DRM_PARADE_PS8640 is not set -+# CONFIG_DRM_SIL_SII8620 is not set - CONFIG_DRM_SII902X=m -+# CONFIG_DRM_SII9234 is not set -+# CONFIG_DRM_SIMPLE_BRIDGE is not set -+# CONFIG_DRM_THINE_THC63LVD1024 is not set -+# CONFIG_DRM_TOSHIBA_TC358762 is not set -+# CONFIG_DRM_TOSHIBA_TC358764 is not set -+# CONFIG_DRM_TOSHIBA_TC358767 is not set -+# CONFIG_DRM_TOSHIBA_TC358768 is not set -+# CONFIG_DRM_TOSHIBA_TC358775 is not set -+# CONFIG_DRM_TI_TFP410 is not set -+# CONFIG_DRM_TI_SN65DSI86 is not set -+# CONFIG_DRM_TI_TPD12S015 is not set -+# CONFIG_DRM_ANALOGIX_ANX6345 is not set -+# CONFIG_DRM_ANALOGIX_ANX78XX is not set -+# CONFIG_DRM_I2C_ADV7511 is not set -+# CONFIG_DRM_CDNS_MHDP8546 is not set -+CONFIG_DRM_DW_HDMI=m -+# CONFIG_DRM_DW_HDMI_AHB_AUDIO is not set -+# CONFIG_DRM_DW_HDMI_I2S_AUDIO is not set -+# CONFIG_DRM_DW_HDMI_CEC is not set -+# end of Display Interface Bridges -+ -+# CONFIG_DRM_ETNAVIV is not set -+# CONFIG_DRM_ARCPGU is not set - CONFIG_DRM_HISI_HIBMC=m - CONFIG_DRM_HISI_KIRIN=m -+# CONFIG_DRM_MXSFB is not set -+# CONFIG_DRM_CIRRUS_QEMU is not set -+# CONFIG_DRM_GM12U320 is not set -+# CONFIG_TINYDRM_HX8357D is not set -+# CONFIG_TINYDRM_ILI9225 is not set -+# CONFIG_TINYDRM_ILI9341 is not set -+# CONFIG_TINYDRM_ILI9486 is not set -+# CONFIG_TINYDRM_MI0283QT is not set -+# CONFIG_TINYDRM_REPAPER is not set -+# CONFIG_TINYDRM_ST7586 is not set -+# CONFIG_TINYDRM_ST7735R is not set -+# CONFIG_DRM_PL111 is not set -+# CONFIG_DRM_LIMA is not set -+# CONFIG_DRM_PANFROST is not set -+# CONFIG_DRM_TIDSS is not set -+# CONFIG_DRM_LEGACY is not set -+CONFIG_DRM_PANEL_ORIENTATION_QUIRKS=y - CONFIG_DRM_TEGRA_UDRM=m -+ -+# -+# Frame buffer Devices -+# -+CONFIG_FB_CMDLINE=y -+CONFIG_FB_NOTIFY=y -+CONFIG_FB=y -+# CONFIG_FIRMWARE_EDID is not set -+CONFIG_FB_CFB_FILLRECT=y -+CONFIG_FB_CFB_COPYAREA=y -+CONFIG_FB_CFB_IMAGEBLIT=y -+CONFIG_FB_SYS_FILLRECT=y -+CONFIG_FB_SYS_COPYAREA=y -+CONFIG_FB_SYS_IMAGEBLIT=y -+# 
CONFIG_FB_FOREIGN_ENDIAN is not set -+CONFIG_FB_SYS_FOPS=y -+CONFIG_FB_DEFERRED_IO=y -+CONFIG_FB_MODE_HELPERS=y - CONFIG_FB_MODE_PIXCLOCK_HZ=y -+# CONFIG_FB_TILEBLITTING is not set -+ -+# -+# Frame buffer hardware drivers -+# -+# CONFIG_FB_CIRRUS is not set -+# CONFIG_FB_PM2 is not set -+# CONFIG_FB_ARMCLCD is not set -+# CONFIG_FB_CYBER2000 is not set -+# CONFIG_FB_ASILIANT is not set -+# CONFIG_FB_IMSTT is not set -+CONFIG_FB_EFI=y -+# CONFIG_FB_OPENCORES is not set -+# CONFIG_FB_S1D13XXX is not set -+# CONFIG_FB_NVIDIA is not set -+# CONFIG_FB_RIVA is not set -+# CONFIG_FB_I740 is not set -+# CONFIG_FB_MATROX is not set -+# CONFIG_FB_RADEON is not set -+# CONFIG_FB_ATY128 is not set -+# CONFIG_FB_ATY is not set -+# CONFIG_FB_S3 is not set -+# CONFIG_FB_SAVAGE is not set -+# CONFIG_FB_SIS is not set -+# CONFIG_FB_NEOMAGIC is not set -+# CONFIG_FB_KYRO is not set -+# CONFIG_FB_3DFX is not set -+# CONFIG_FB_VOODOO1 is not set -+# CONFIG_FB_VT8623 is not set -+# CONFIG_FB_TRIDENT is not set -+# CONFIG_FB_ARK is not set -+# CONFIG_FB_PM3 is not set -+# CONFIG_FB_CARMINE is not set -+# CONFIG_FB_SMSCUFX is not set -+# CONFIG_FB_UDL is not set -+# CONFIG_FB_IBM_GXT4500 is not set -+# CONFIG_FB_VIRTUAL is not set -+# CONFIG_FB_METRONOME is not set -+# CONFIG_FB_MB862XX is not set -+# CONFIG_FB_SIMPLE is not set -+# CONFIG_FB_SSD1307 is not set -+# CONFIG_FB_SM712 is not set -+# end of Frame buffer Devices -+ -+# -+# Backlight & LCD device support -+# - CONFIG_LCD_CLASS_DEVICE=m -+# CONFIG_LCD_L4F00242T03 is not set -+# CONFIG_LCD_LMS283GF05 is not set -+# CONFIG_LCD_LTV350QV is not set -+# CONFIG_LCD_ILI922X is not set -+# CONFIG_LCD_ILI9320 is not set -+# CONFIG_LCD_TDO24M is not set -+# CONFIG_LCD_VGG2432A4 is not set -+# CONFIG_LCD_PLATFORM is not set -+# CONFIG_LCD_AMS369FG06 is not set -+# CONFIG_LCD_LMS501KF03 is not set -+# CONFIG_LCD_HX8357 is not set -+# CONFIG_LCD_OTM3225A is not set -+CONFIG_BACKLIGHT_CLASS_DEVICE=y -+# CONFIG_BACKLIGHT_KTD253 is not set - 
CONFIG_BACKLIGHT_PWM=y -+# CONFIG_BACKLIGHT_QCOM_WLED is not set -+# CONFIG_BACKLIGHT_ADP8860 is not set -+# CONFIG_BACKLIGHT_ADP8870 is not set -+# CONFIG_BACKLIGHT_LM3630A is not set -+# CONFIG_BACKLIGHT_LM3639 is not set - CONFIG_BACKLIGHT_LP855X=y -+# CONFIG_BACKLIGHT_GPIO is not set -+# CONFIG_BACKLIGHT_LV5207LP is not set -+# CONFIG_BACKLIGHT_BD6107 is not set -+# CONFIG_BACKLIGHT_ARCXCNN is not set -+# CONFIG_BACKLIGHT_LED is not set -+# end of Backlight & LCD device support -+ - CONFIG_TEGRA_GRHOST=y -+CONFIG_TEGRA_GRHOST_ISP=y -+CONFIG_TEGRA_GRHOST_VIC=y -+CONFIG_TEGRA_GRHOST_NVDEC=y -+CONFIG_TEGRA_GRHOST_NVDEC_SECURE=y -+CONFIG_TEGRA_GRHOST_NVENC=y -+CONFIG_TEGRA_GRHOST_NVJPG=y -+CONFIG_TEGRA_GRHOST_OFA=y -+CONFIG_TEGRA_GRHOST_TSEC=y - CONFIG_TEGRA_GRHOST_NVCSI=y -+CONFIG_TEGRA_GRHOST_SCALE=y -+CONFIG_TEGRA_GRHOST_DEFAULT_TIMEOUT=10000 -+CONFIG_TEGRA_GRHOST_SYNC=y -+CONFIG_TEGRA_GRHOST_VHOST=y - CONFIG_TEGRA_GR_VIRTUALIZATION=y -+# CONFIG_NVDEC_BOOTLOADER is not set -+CONFIG_TEGRA_CAMERA_PLATFORM=y -+ -+# -+# NVIDIA Tegra Display Driver options -+# - CONFIG_TEGRA_DC=y -+# CONFIG_TEGRA_NVDISPLAY is not set -+CONFIG_TEGRA_DC_64BIT_SUPPORT=y -+CONFIG_TEGRA_DC_TEMPORAL_DITHER=y -+CONFIG_FB_TEGRA=y - CONFIG_TEGRA_DC_SCREEN_CAPTURE=y - CONFIG_TEGRA_DSI=y -+# CONFIG_TEGRA_DSI2EDP_TC358767 is not set -+# CONFIG_TEGRA_DSI2EDP_SN65DSI86 is not set -+# CONFIG_TEGRA_DSI2LVDS_SN65DSI85 is not set -+# CONFIG_TEGRA_LVDS2FPDL_DS90UB947 is not set -+# CONFIG_TEGRA_DS90UH948Q_DESER is not set - CONFIG_MAXIM_GMSL_DP_SERIALIZER=y -+# CONFIG_TEGRA_EDP2LVDS_PS8625 is not set -+CONFIG_TEGRA_DP=y - CONFIG_TEGRA_HDMI2_0=y -+# CONFIG_TEGRA_HDMI2GMSL_MAX929x is not set -+# CONFIG_TEGRA_HDMI2DSI_TC358870 is not set -+CONFIG_TEGRA_HDA_DC=y -+# CONFIG_TEGRA_HDMI2FPD_DS90UH949 is not set -+# CONFIG_TEGRA_NVSR is not set -+# CONFIG_TEGRA_VRR is not set -+# CONFIG_TEGRA_HDMIVRR is not set - CONFIG_TEGRA_HDMIHDCP=y -+# CONFIG_TEGRA_DEBUG_HDCP is not set - CONFIG_TEGRA_DPHDCP=y -+# 
CONFIG_TEGRA_DEBUG_DP_HDCP is not set -+# CONFIG_TEGRA_YUV_BYPASS_MODE_FILTER is not set -+CONFIG_TEGRA_DC_FAKE_PANEL_SUPPORT=y - CONFIG_TEGRA_CEC_SUPPORT=y -+CONFIG_TEGRA_T23X_GRHOST=y -+CONFIG_TEGRA_T23X_GRHOST_PVA=y -+CONFIG_TEGRA_GRHOST_NVDLA=y -+CONFIG_TEGRA_T19x_GRHOST_PVA=y -+CONFIG_TEGRA_GRHOST_PVA=y - CONFIG_TEGRA_GRHOST_SLVSEC=y -+CONFIG_TEGRA_GRHOST_CAPTURE_SUPPORT=y -+# CONFIG_TEGRA_GRHOST_LEGACY_PD is not set -+# CONFIG_TEGRA_PVA_V1 is not set -+CONFIG_VIDEOMODE_HELPERS=y -+CONFIG_HDMI=y -+ -+# -+# Console display driver support -+# -+CONFIG_DUMMY_CONSOLE=y -+CONFIG_DUMMY_CONSOLE_COLUMNS=80 -+CONFIG_DUMMY_CONSOLE_ROWS=25 - CONFIG_FRAMEBUFFER_CONSOLE=y -+# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set -+CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y -+# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set -+# CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER is not set -+# end of Console display driver support -+ - CONFIG_LOGO=y - # CONFIG_LOGO_LINUX_MONO is not set - # CONFIG_LOGO_LINUX_VGA16 is not set - # CONFIG_LOGO_LINUX_CLUT224 is not set -+ -+# -+# NVIDIA Tegra Display Driver options -+# -+# end of Graphics support -+ - CONFIG_SOUND=y - CONFIG_SND=y -+CONFIG_SND_TIMER=y -+CONFIG_SND_PCM=y -+CONFIG_SND_PCM_ELD=y -+CONFIG_SND_PCM_IEC958=y -+CONFIG_SND_DMAENGINE_PCM=y -+CONFIG_SND_HWDEP=y -+CONFIG_SND_RAWMIDI=y -+CONFIG_SND_COMPRESS_OFFLOAD=y -+CONFIG_SND_JACK=y -+CONFIG_SND_JACK_INPUT_DEV=y -+# CONFIG_SND_OSSEMUL is not set -+CONFIG_SND_PCM_TIMER=y -+# CONFIG_SND_HRTIMER is not set -+CONFIG_SND_DYNAMIC_MINORS=y -+CONFIG_SND_MAX_CARDS=32 -+CONFIG_SND_SUPPORT_OLD_API=y -+CONFIG_SND_PROC_FS=y -+CONFIG_SND_VERBOSE_PROCFS=y -+# CONFIG_SND_VERBOSE_PRINTK is not set -+# CONFIG_SND_DEBUG is not set -+CONFIG_SND_VMASTER=y -+# CONFIG_SND_SEQUENCER is not set -+CONFIG_SND_DRIVERS=y -+# CONFIG_SND_DUMMY is not set - CONFIG_SND_ALOOP=m -+# CONFIG_SND_MTPAV is not set -+# CONFIG_SND_SERIAL_U16550 is not set -+# CONFIG_SND_MPU401 is not set -+CONFIG_SND_PCI=y -+# 
CONFIG_SND_AD1889 is not set -+# CONFIG_SND_ALS300 is not set -+# CONFIG_SND_ALI5451 is not set -+# CONFIG_SND_ATIIXP is not set -+# CONFIG_SND_ATIIXP_MODEM is not set -+# CONFIG_SND_AU8810 is not set -+# CONFIG_SND_AU8820 is not set -+# CONFIG_SND_AU8830 is not set -+# CONFIG_SND_AW2 is not set -+# CONFIG_SND_AZT3328 is not set -+# CONFIG_SND_BT87X is not set -+# CONFIG_SND_CA0106 is not set -+# CONFIG_SND_CMIPCI is not set -+# CONFIG_SND_OXYGEN is not set -+# CONFIG_SND_CS4281 is not set -+# CONFIG_SND_CS46XX is not set -+# CONFIG_SND_CTXFI is not set -+# CONFIG_SND_DARLA20 is not set -+# CONFIG_SND_GINA20 is not set -+# CONFIG_SND_LAYLA20 is not set -+# CONFIG_SND_DARLA24 is not set -+# CONFIG_SND_GINA24 is not set -+# CONFIG_SND_LAYLA24 is not set -+# CONFIG_SND_MONA is not set -+# CONFIG_SND_MIA is not set -+# CONFIG_SND_ECHO3G is not set -+# CONFIG_SND_INDIGO is not set -+# CONFIG_SND_INDIGOIO is not set -+# CONFIG_SND_INDIGODJ is not set -+# CONFIG_SND_INDIGOIOX is not set -+# CONFIG_SND_INDIGODJX is not set -+# CONFIG_SND_EMU10K1 is not set -+# CONFIG_SND_EMU10K1X is not set -+# CONFIG_SND_ENS1370 is not set -+# CONFIG_SND_ENS1371 is not set -+# CONFIG_SND_ES1938 is not set -+# CONFIG_SND_ES1968 is not set -+# CONFIG_SND_FM801 is not set -+# CONFIG_SND_HDSP is not set -+# CONFIG_SND_HDSPM is not set -+# CONFIG_SND_ICE1712 is not set -+# CONFIG_SND_ICE1724 is not set -+# CONFIG_SND_INTEL8X0 is not set -+# CONFIG_SND_INTEL8X0M is not set -+# CONFIG_SND_KORG1212 is not set -+# CONFIG_SND_LOLA is not set -+# CONFIG_SND_LX6464ES is not set -+# CONFIG_SND_MAESTRO3 is not set -+# CONFIG_SND_MIXART is not set -+# CONFIG_SND_NM256 is not set -+# CONFIG_SND_PCXHR is not set -+# CONFIG_SND_RIPTIDE is not set -+# CONFIG_SND_RME32 is not set -+# CONFIG_SND_RME96 is not set -+# CONFIG_SND_RME9652 is not set -+# CONFIG_SND_SE6X is not set -+# CONFIG_SND_SONICVIBES is not set -+# CONFIG_SND_TRIDENT is not set -+# CONFIG_SND_VIA82XX is not set -+# CONFIG_SND_VIA82XX_MODEM 
is not set -+# CONFIG_SND_VIRTUOSO is not set -+# CONFIG_SND_VX222 is not set -+# CONFIG_SND_YMFPCI is not set -+ -+# -+# HD-Audio -+# -+CONFIG_SND_HDA=m -+# CONFIG_SND_HDA_INTEL is not set - CONFIG_SND_HDA_TEGRA=m -+# CONFIG_SND_HDA_HWDEP is not set -+# CONFIG_SND_HDA_RECONFIG is not set -+# CONFIG_SND_HDA_INPUT_BEEP is not set -+# CONFIG_SND_HDA_PATCH_LOADER is not set -+# CONFIG_SND_HDA_CODEC_REALTEK is not set -+# CONFIG_SND_HDA_CODEC_ANALOG is not set -+# CONFIG_SND_HDA_CODEC_SIGMATEL is not set -+# CONFIG_SND_HDA_CODEC_VIA is not set - CONFIG_SND_HDA_CODEC_HDMI=m -+# CONFIG_SND_HDA_CODEC_CIRRUS is not set -+# CONFIG_SND_HDA_CODEC_CONEXANT is not set -+# CONFIG_SND_HDA_CODEC_CA0110 is not set -+# CONFIG_SND_HDA_CODEC_CA0132 is not set -+# CONFIG_SND_HDA_CODEC_CMEDIA is not set -+# CONFIG_SND_HDA_CODEC_SI3054 is not set -+# CONFIG_SND_HDA_GENERIC is not set - CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1 -+# end of HD-Audio -+ -+CONFIG_SND_HDA_CORE=m -+CONFIG_SND_HDA_ALIGNED_MMIO=y -+CONFIG_SND_HDA_PREALLOC_SIZE=64 -+CONFIG_SND_SPI=y -+CONFIG_SND_USB=y - CONFIG_SND_USB_AUDIO=y -+CONFIG_SND_USB_AUDIO_USE_MEDIA_CONTROLLER=y -+# CONFIG_SND_USB_UA101 is not set -+# CONFIG_SND_USB_CAIAQ is not set -+# CONFIG_SND_USB_6FIRE is not set -+# CONFIG_SND_USB_HIFACE is not set -+# CONFIG_SND_BCD2000 is not set -+# CONFIG_SND_USB_POD is not set -+# CONFIG_SND_USB_PODHD is not set -+# CONFIG_SND_USB_TONEPORT is not set -+# CONFIG_SND_USB_VARIAX is not set - CONFIG_SND_SOC=y -+CONFIG_SND_SOC_GENERIC_DMAENGINE_PCM=y -+CONFIG_SND_SOC_COMPRESS=y -+# CONFIG_SND_SOC_AMD_ACP is not set -+# CONFIG_SND_ATMEL_SOC is not set -+# CONFIG_SND_BCM63XX_I2S_WHISTLER is not set -+# CONFIG_SND_DESIGNWARE_I2S is not set -+ -+# -+# SoC Audio for Freescale CPUs -+# -+ -+# -+# Common SoC Audio options for Freescale CPUs: -+# -+# CONFIG_SND_SOC_FSL_ASRC is not set -+# CONFIG_SND_SOC_FSL_SAI is not set -+# CONFIG_SND_SOC_FSL_AUDMIX is not set -+# CONFIG_SND_SOC_FSL_SSI is not set -+# CONFIG_SND_SOC_FSL_SPDIF 
is not set -+# CONFIG_SND_SOC_FSL_ESAI is not set -+# CONFIG_SND_SOC_FSL_MICFIL is not set -+# CONFIG_SND_SOC_IMX_AUDMUX is not set -+# end of SoC Audio for Freescale CPUs -+ -+# CONFIG_SND_I2S_HI6210_I2S is not set -+# CONFIG_SND_SOC_IMG is not set -+# CONFIG_SND_SOC_MTK_BTCVSD is not set -+# CONFIG_SND_SOC_SOF_TOPLEVEL is not set -+ -+# -+# STMicroelectronics STM32 SOC audio support -+# -+# end of STMicroelectronics STM32 SOC audio support -+ - CONFIG_SND_SOC_TEGRA=m -+# CONFIG_SND_SOC_TEGRA20_AC97 is not set -+# CONFIG_SND_SOC_TEGRA20_DAS is not set -+# CONFIG_SND_SOC_TEGRA20_I2S is not set -+CONFIG_SND_SOC_TEGRA20_SPDIF=m -+# CONFIG_SND_SOC_TEGRA30_AHUB is not set -+# CONFIG_SND_SOC_TEGRA30_I2S is not set - CONFIG_SND_SOC_TEGRA210_AHUB=m - CONFIG_SND_SOC_TEGRA210_DMIC=m - CONFIG_SND_SOC_TEGRA210_I2S=m -@@ -985,20 +5567,199 @@ CONFIG_SND_SOC_TEGRA210_OPE=m - CONFIG_SND_SOC_TEGRA210_ADSP=m - CONFIG_SND_SOC_TEGRA210_AUDIO=m - CONFIG_SND_SOC_TEGRA_AUDIO_GRAPH_CARD=m -+# CONFIG_SND_SOC_TEGRA_RT5640 is not set -+# CONFIG_SND_SOC_TEGRA_WM8753 is not set -+# CONFIG_SND_SOC_TEGRA_WM8903 is not set -+# CONFIG_SND_SOC_TEGRA_WM9712 is not set -+# CONFIG_SND_SOC_TEGRA_TRIMSLICE is not set -+# CONFIG_SND_SOC_TEGRA_ALC5632 is not set -+# CONFIG_SND_SOC_TEGRA_MAX98090 is not set -+# CONFIG_SND_SOC_TEGRA_RT5677 is not set -+# CONFIG_SND_SOC_TEGRA_SGTL5000 is not set -+# CONFIG_SND_SOC_XILINX_I2S is not set -+# CONFIG_SND_SOC_XILINX_AUDIO_FORMATTER is not set -+# CONFIG_SND_SOC_XILINX_SPDIF is not set -+# CONFIG_SND_SOC_XTFPGA_I2S is not set -+# CONFIG_ZX_TDM is not set -+CONFIG_SND_SOC_I2C_AND_SPI=y -+ -+# -+# CODEC drivers -+# -+# CONFIG_SND_SOC_AC97_CODEC is not set -+# CONFIG_SND_SOC_ADAU1701 is not set -+# CONFIG_SND_SOC_ADAU1761_I2C is not set -+# CONFIG_SND_SOC_ADAU1761_SPI is not set -+# CONFIG_SND_SOC_ADAU7002 is not set -+# CONFIG_SND_SOC_ADAU7118_HW is not set -+# CONFIG_SND_SOC_ADAU7118_I2C is not set -+# CONFIG_SND_SOC_AK4104 is not set -+# CONFIG_SND_SOC_AK4118 is 
not set -+# CONFIG_SND_SOC_AK4458 is not set -+# CONFIG_SND_SOC_AK4554 is not set - CONFIG_SND_SOC_AK4613=m -+# CONFIG_SND_SOC_AK4642 is not set -+# CONFIG_SND_SOC_AK5386 is not set -+# CONFIG_SND_SOC_AK5558 is not set -+# CONFIG_SND_SOC_ALC5623 is not set -+# CONFIG_SND_SOC_BD28623 is not set -+# CONFIG_SND_SOC_BT_SCO is not set -+# CONFIG_SND_SOC_CS35L32 is not set -+# CONFIG_SND_SOC_CS35L33 is not set -+# CONFIG_SND_SOC_CS35L34 is not set -+# CONFIG_SND_SOC_CS35L35 is not set -+# CONFIG_SND_SOC_CS35L36 is not set -+# CONFIG_SND_SOC_CS42L42 is not set -+# CONFIG_SND_SOC_CS42L51_I2C is not set -+# CONFIG_SND_SOC_CS42L52 is not set -+# CONFIG_SND_SOC_CS42L56 is not set -+# CONFIG_SND_SOC_CS42L73 is not set -+# CONFIG_SND_SOC_CS4234 is not set -+# CONFIG_SND_SOC_CS4265 is not set -+# CONFIG_SND_SOC_CS4270 is not set -+# CONFIG_SND_SOC_CS4271_I2C is not set -+# CONFIG_SND_SOC_CS4271_SPI is not set -+# CONFIG_SND_SOC_CS42XX8_I2C is not set -+# CONFIG_SND_SOC_CS43130 is not set -+# CONFIG_SND_SOC_CS4341 is not set -+# CONFIG_SND_SOC_CS4349 is not set -+# CONFIG_SND_SOC_CS53L30 is not set -+# CONFIG_SND_SOC_CX2072X is not set -+# CONFIG_SND_SOC_DA7213 is not set -+# CONFIG_SND_SOC_DMIC is not set -+CONFIG_SND_SOC_HDMI_CODEC=m - CONFIG_SND_SOC_ES7134=m -+# CONFIG_SND_SOC_ES7241 is not set -+# CONFIG_SND_SOC_ES8316 is not set -+# CONFIG_SND_SOC_ES8328_I2C is not set -+# CONFIG_SND_SOC_ES8328_SPI is not set -+# CONFIG_SND_SOC_GTM601 is not set -+# CONFIG_SND_SOC_INNO_RK3036 is not set -+# CONFIG_SND_SOC_MAX98088 is not set -+# CONFIG_SND_SOC_MAX98357A is not set -+# CONFIG_SND_SOC_MAX98504 is not set -+# CONFIG_SND_SOC_MAX9867 is not set - CONFIG_SND_SOC_MAX98927=m -+# CONFIG_SND_SOC_MAX98373_I2C is not set -+# CONFIG_SND_SOC_MAX98373_SDW is not set -+# CONFIG_SND_SOC_MAX98390 is not set -+# CONFIG_SND_SOC_MAX9860 is not set -+# CONFIG_SND_SOC_MSM8916_WCD_ANALOG is not set -+# CONFIG_SND_SOC_MSM8916_WCD_DIGITAL is not set -+# CONFIG_SND_SOC_PCM1681 is not set -+# 
CONFIG_SND_SOC_PCM1789_I2C is not set -+# CONFIG_SND_SOC_PCM179X_I2C is not set -+# CONFIG_SND_SOC_PCM179X_SPI is not set -+# CONFIG_SND_SOC_PCM186X_I2C is not set -+# CONFIG_SND_SOC_PCM186X_SPI is not set -+# CONFIG_SND_SOC_PCM3060_I2C is not set -+# CONFIG_SND_SOC_PCM3060_SPI is not set -+CONFIG_SND_SOC_PCM3168A=m - CONFIG_SND_SOC_PCM3168A_I2C=m -+# CONFIG_SND_SOC_PCM3168A_SPI is not set -+# CONFIG_SND_SOC_PCM512x_I2C is not set -+# CONFIG_SND_SOC_PCM512x_SPI is not set -+# CONFIG_SND_SOC_RK3328 is not set -+CONFIG_SND_SOC_RL6231=m -+# CONFIG_SND_SOC_RT1308_SDW is not set -+# CONFIG_SND_SOC_RT5616 is not set -+# CONFIG_SND_SOC_RT5631 is not set - CONFIG_SND_SOC_RT5640=m -+CONFIG_SND_SOC_RT5659=m -+# CONFIG_SND_SOC_RT5682_SDW is not set -+# CONFIG_SND_SOC_RT700_SDW is not set -+# CONFIG_SND_SOC_RT711_SDW is not set -+# CONFIG_SND_SOC_RT715_SDW is not set -+CONFIG_SND_SOC_SGTL5000=m -+# CONFIG_SND_SOC_SIMPLE_AMPLIFIER is not set -+# CONFIG_SND_SOC_SIRF_AUDIO_CODEC is not set - CONFIG_SND_SOC_SPDIF=m -+# CONFIG_SND_SOC_SSM2305 is not set -+# CONFIG_SND_SOC_SSM2602_SPI is not set -+# CONFIG_SND_SOC_SSM2602_I2C is not set -+# CONFIG_SND_SOC_SSM4567 is not set -+# CONFIG_SND_SOC_STA32X is not set -+# CONFIG_SND_SOC_STA350 is not set -+# CONFIG_SND_SOC_STI_SAS is not set -+CONFIG_SND_SOC_TAS2552=m -+# CONFIG_SND_SOC_TAS2562 is not set -+# CONFIG_SND_SOC_TAS2764 is not set -+# CONFIG_SND_SOC_TAS2770 is not set -+# CONFIG_SND_SOC_TAS5086 is not set - CONFIG_SND_SOC_TAS571X=m -+# CONFIG_SND_SOC_TAS5720 is not set -+# CONFIG_SND_SOC_TAS6424 is not set -+# CONFIG_SND_SOC_TDA7419 is not set -+# CONFIG_SND_SOC_TFA9879 is not set -+# CONFIG_SND_SOC_TLV320AIC23_I2C is not set -+# CONFIG_SND_SOC_TLV320AIC23_SPI is not set -+# CONFIG_SND_SOC_TLV320AIC31XX is not set -+# CONFIG_SND_SOC_TLV320AIC32X4_I2C is not set -+# CONFIG_SND_SOC_TLV320AIC32X4_SPI is not set -+# CONFIG_SND_SOC_TLV320AIC3X is not set -+# CONFIG_SND_SOC_TLV320ADCX140 is not set -+# CONFIG_SND_SOC_TS3A227E is not 
set -+# CONFIG_SND_SOC_TSCS42XX is not set -+# CONFIG_SND_SOC_TSCS454 is not set -+# CONFIG_SND_SOC_UDA1334 is not set -+# CONFIG_SND_SOC_WM8510 is not set -+# CONFIG_SND_SOC_WM8523 is not set -+# CONFIG_SND_SOC_WM8524 is not set -+# CONFIG_SND_SOC_WM8580 is not set -+# CONFIG_SND_SOC_WM8711 is not set -+# CONFIG_SND_SOC_WM8728 is not set -+# CONFIG_SND_SOC_WM8731 is not set -+# CONFIG_SND_SOC_WM8737 is not set -+# CONFIG_SND_SOC_WM8741 is not set -+# CONFIG_SND_SOC_WM8750 is not set -+# CONFIG_SND_SOC_WM8753 is not set -+# CONFIG_SND_SOC_WM8770 is not set -+# CONFIG_SND_SOC_WM8776 is not set -+# CONFIG_SND_SOC_WM8782 is not set -+# CONFIG_SND_SOC_WM8804_I2C is not set -+# CONFIG_SND_SOC_WM8804_SPI is not set -+# CONFIG_SND_SOC_WM8903 is not set -+# CONFIG_SND_SOC_WM8904 is not set -+# CONFIG_SND_SOC_WM8960 is not set -+# CONFIG_SND_SOC_WM8962 is not set -+# CONFIG_SND_SOC_WM8974 is not set -+# CONFIG_SND_SOC_WM8978 is not set -+# CONFIG_SND_SOC_WM8985 is not set -+# CONFIG_SND_SOC_WSA881X is not set -+# CONFIG_SND_SOC_ZL38060 is not set -+# CONFIG_SND_SOC_ZX_AUD96P22 is not set -+# CONFIG_SND_SOC_MAX9759 is not set -+# CONFIG_SND_SOC_MT6351 is not set -+# CONFIG_SND_SOC_MT6358 is not set -+# CONFIG_SND_SOC_MT6660 is not set -+# CONFIG_SND_SOC_NAU8540 is not set -+# CONFIG_SND_SOC_NAU8810 is not set -+# CONFIG_SND_SOC_NAU8822 is not set -+# CONFIG_SND_SOC_NAU8824 is not set -+# CONFIG_SND_SOC_TPA6130A2 is not set -+# end of CODEC drivers -+ -+CONFIG_SND_SIMPLE_CARD_UTILS=m - CONFIG_SND_SIMPLE_CARD=m - CONFIG_SND_AUDIO_GRAPH_CARD=m - CONFIG_SND_SOC_TEGRA210_ADSP_VIRT_ALT=m - CONFIG_SND_SOC_TEGRA_VIRT_T210REF_PCM=m -+CONFIG_SND_T23X_SAFETY_I2S=m -+ -+# -+# HID support -+# -+CONFIG_HID=y -+# CONFIG_HID_BATTERY_STRENGTH is not set - CONFIG_HIDRAW=y - CONFIG_UHID=y -+CONFIG_HID_GENERIC=y -+ -+# -+# Special HID drivers -+# - CONFIG_HID_A4TECH=m -+# CONFIG_HID_ACCUTOUCH is not set - CONFIG_HID_ACRUX=y - CONFIG_HID_ACRUX_FF=y - CONFIG_HID_APPLE=y -@@ -1007,41 +5768,62 @@ 
CONFIG_HID_ASUS=m - CONFIG_HID_AUREAL=m - CONFIG_HID_BELKIN=m - CONFIG_HID_BETOP_FF=m -+# CONFIG_HID_BIGBEN_FF is not set - CONFIG_HID_CHERRY=m - CONFIG_HID_CHICONY=m - CONFIG_HID_CORSAIR=m -+# CONFIG_HID_COUGAR is not set -+# CONFIG_HID_MACALLY is not set - CONFIG_HID_PRODIKEYS=m - CONFIG_HID_CMEDIA=m -+# CONFIG_HID_CP2112 is not set -+# CONFIG_HID_CREATIVE_SB0540 is not set - CONFIG_HID_CYPRESS=m - CONFIG_HID_DRAGONRISE=y - CONFIG_DRAGONRISE_FF=y - CONFIG_HID_EMS_FF=m -+# CONFIG_HID_ELAN is not set - CONFIG_HID_ELECOM=m - CONFIG_HID_ELO=m - CONFIG_HID_EZKEY=m - CONFIG_HID_GEMBIRD=m - CONFIG_HID_GFRM=m -+# CONFIG_HID_GLORIOUS is not set - CONFIG_HID_HOLTEK=y -+# CONFIG_HOLTEK_FF is not set -+# CONFIG_HID_VIVALDI is not set - CONFIG_HID_GT683R=m - CONFIG_HID_KEYTOUCH=y - CONFIG_HID_KYE=y - CONFIG_HID_UCLOGIC=y - CONFIG_HID_WALTOP=y -+# CONFIG_HID_VIEWSONIC is not set - CONFIG_HID_GYRATION=y - CONFIG_HID_ICADE=m - CONFIG_HID_ITE=m -+# CONFIG_HID_JABRA is not set - CONFIG_HID_TWINHAN=y - CONFIG_HID_KENSINGTON=m - CONFIG_HID_LCPOWER=y -+CONFIG_HID_LED=m - CONFIG_HID_LENOVO=m - CONFIG_HID_LOGITECH=m - CONFIG_HID_LOGITECH_DJ=m -+CONFIG_HID_LOGITECH_HIDPP=m -+# CONFIG_LOGITECH_FF is not set -+# CONFIG_LOGIRUMBLEPAD2_FF is not set -+# CONFIG_LOGIG940_FF is not set -+# CONFIG_LOGIWHEELS_FF is not set - CONFIG_HID_MAGICMOUSE=y -+# CONFIG_HID_MALTRON is not set -+# CONFIG_HID_MAYFLASH is not set -+# CONFIG_HID_REDRAGON is not set - CONFIG_HID_MICROSOFT=m - CONFIG_HID_MONTEREY=m - CONFIG_HID_MULTITOUCH=y - CONFIG_HID_NTI=m - CONFIG_HID_NTRIG=y -+# CONFIG_HID_NVIDIA_STAND is not set - CONFIG_HID_ORTEK=y - CONFIG_HID_PANTHERLORD=y - CONFIG_PANTHERLORD_FF=y -@@ -1050,6 +5832,9 @@ CONFIG_HID_PETALYNX=m - CONFIG_HID_PICOLCD=m - CONFIG_HID_PICOLCD_FB=y - CONFIG_HID_PICOLCD_BACKLIGHT=y -+# CONFIG_HID_PICOLCD_LCD is not set -+# CONFIG_HID_PICOLCD_LEDS is not set -+# CONFIG_HID_PICOLCD_CIR is not set - CONFIG_HID_PLANTRONICS=m - CONFIG_HID_PRIMAX=m - CONFIG_HID_RETRODE=m -@@ -1057,7 
+5842,9 @@ CONFIG_HID_ROCCAT=m - CONFIG_HID_SAITEK=m - CONFIG_HID_SAMSUNG=m - CONFIG_HID_SONY=m -+# CONFIG_SONY_FF is not set - CONFIG_HID_SPEEDLINK=m -+# CONFIG_HID_STEAM is not set - CONFIG_HID_STEELSERIES=m - CONFIG_HID_SUNPLUS=m - CONFIG_HID_RMI=m -@@ -1069,28 +5856,112 @@ CONFIG_HID_TIVO=m - CONFIG_HID_TOPSEED=m - CONFIG_HID_THINGM=m - CONFIG_HID_THRUSTMASTER=m -+# CONFIG_THRUSTMASTER_FF is not set - CONFIG_HID_UDRAW_PS3=m -+# CONFIG_HID_U2FZERO is not set - CONFIG_HID_WACOM=m - CONFIG_HID_WIIMOTE=m - CONFIG_HID_XINMO=m - CONFIG_HID_ZEROPLUS=m -+# CONFIG_ZEROPLUS_FF is not set - CONFIG_HID_ZYDACRON=m - CONFIG_HID_SENSOR_HUB=m - CONFIG_HID_SENSOR_CUSTOM_SENSOR=m - CONFIG_HID_ALPS=m -+# CONFIG_HID_MCP2221 is not set -+# end of Special HID drivers -+ -+# -+# USB HID support -+# -+CONFIG_USB_HID=y -+# CONFIG_HID_PID is not set - CONFIG_USB_HIDDEV=y -+# end of USB HID support -+ -+# -+# I2C HID support -+# -+# CONFIG_I2C_HID is not set -+# end of I2C HID support -+ -+# -+# SHIELD accessory HID drivers -+# -+# CONFIG_HID_SHIELD_BLAKE is not set - CONFIG_HID_SHIELD_REMOTE=m -+# end of SHIELD accessory HID drivers -+# end of HID support -+ -+CONFIG_USB_OHCI_LITTLE_ENDIAN=y -+CONFIG_USB_SUPPORT=y -+CONFIG_USB_COMMON=y -+# CONFIG_USB_LED_TRIG is not set -+CONFIG_USB_ULPI_BUS=m -+CONFIG_USB_CONN_GPIO=y -+CONFIG_USB_ARCH_HAS_HCD=y -+CONFIG_USB=y -+CONFIG_USB_PCI=y - CONFIG_USB_ANNOUNCE_NEW_DEVICES=y -+ -+# -+# Miscellaneous USB options -+# -+CONFIG_USB_DEFAULT_PERSIST=y -+# CONFIG_USB_FEW_INIT_RETRIES is not set -+# CONFIG_USB_DYNAMIC_MINORS is not set - CONFIG_USB_OTG=y -+# CONFIG_USB_OTG_PRODUCTLIST is not set -+# CONFIG_USB_OTG_DISABLE_EXTERNAL_HUB is not set -+# CONFIG_USB_OTG_FSM is not set -+# CONFIG_USB_LEDS_TRIGGER_USBPORT is not set -+CONFIG_USB_AUTOSUSPEND_DELAY=2 - CONFIG_USB_MON=m -+ -+# -+# USB Host Controller Drivers -+# -+# CONFIG_USB_C67X00_HCD is not set - CONFIG_USB_XHCI_HCD=y -+# CONFIG_USB_XHCI_DBGCAP is not set -+CONFIG_USB_XHCI_PCI=y -+# 
CONFIG_USB_XHCI_PCI_RENESAS is not set -+# CONFIG_USB_XHCI_PLATFORM is not set - CONFIG_USB_XHCI_TEGRA=y -+# CONFIG_USB_EHCI_HCD is not set -+# CONFIG_USB_OXU210HP_HCD is not set -+# CONFIG_USB_ISP116X_HCD is not set -+# CONFIG_USB_FOTG210_HCD is not set -+# CONFIG_USB_MAX3421_HCD is not set - CONFIG_USB_OHCI_HCD=y -+CONFIG_USB_OHCI_HCD_PCI=y - CONFIG_USB_OHCI_HCD_PLATFORM=y -+# CONFIG_USB_UHCI_HCD is not set -+# CONFIG_USB_SL811_HCD is not set -+# CONFIG_USB_R8A66597_HCD is not set -+# CONFIG_USB_HCD_BCMA is not set -+# CONFIG_USB_HCD_SSB is not set -+# CONFIG_USB_HCD_TEST_MODE is not set -+ -+# -+# USB Device Class drivers -+# - CONFIG_USB_ACM=m - CONFIG_USB_PRINTER=m -+CONFIG_USB_WDM=m -+# CONFIG_USB_TMC is not set -+ -+# -+# NOTE: USB_STORAGE depends on SCSI but BLK_DEV_SD may -+# -+ -+# -+# also be needed; see USB_STORAGE Help for more info -+# - CONFIG_USB_STORAGE=y -+# CONFIG_USB_STORAGE_DEBUG is not set - CONFIG_USB_STORAGE_REALTEK=m -+CONFIG_REALTEK_AUTOPM=y - CONFIG_USB_STORAGE_DATAFAB=m - CONFIG_USB_STORAGE_FREECOM=m - CONFIG_USB_STORAGE_ISD200=m -@@ -1104,100 +5975,723 @@ CONFIG_USB_STORAGE_KARMA=m - CONFIG_USB_STORAGE_CYPRESS_ATACB=m - CONFIG_USB_STORAGE_ENE_UB6250=m - CONFIG_USB_UAS=y -+ -+# -+# USB Imaging devices -+# - CONFIG_USB_MDC800=m -+# CONFIG_USB_MICROTEK is not set -+# CONFIG_USBIP_CORE is not set -+# CONFIG_USB_CDNS3 is not set -+# CONFIG_USB_MUSB_HDRC is not set -+# CONFIG_USB_DWC3 is not set -+# CONFIG_USB_DWC2 is not set - CONFIG_USB_CHIPIDEA=m -+# CONFIG_USB_CHIPIDEA_UDC is not set -+CONFIG_USB_CHIPIDEA_MSM=m -+CONFIG_USB_CHIPIDEA_IMX=m -+CONFIG_USB_CHIPIDEA_GENERIC=m -+# CONFIG_USB_ISP1760 is not set -+ -+# -+# USB port drivers -+# - CONFIG_USB_SERIAL=m -+# CONFIG_USB_SERIAL_GENERIC is not set -+# CONFIG_USB_SERIAL_SIMPLE is not set -+# CONFIG_USB_SERIAL_AIRCABLE is not set -+# CONFIG_USB_SERIAL_ARK3116 is not set -+# CONFIG_USB_SERIAL_BELKIN is not set - CONFIG_USB_SERIAL_CH341=m -+# CONFIG_USB_SERIAL_WHITEHEAT is not set -+# 
CONFIG_USB_SERIAL_DIGI_ACCELEPORT is not set - CONFIG_USB_SERIAL_CP210X=m -+# CONFIG_USB_SERIAL_CYPRESS_M8 is not set -+# CONFIG_USB_SERIAL_EMPEG is not set - CONFIG_USB_SERIAL_FTDI_SIO=m -+# CONFIG_USB_SERIAL_VISOR is not set -+# CONFIG_USB_SERIAL_IPAQ is not set -+# CONFIG_USB_SERIAL_IR is not set -+# CONFIG_USB_SERIAL_EDGEPORT is not set -+# CONFIG_USB_SERIAL_EDGEPORT_TI is not set -+# CONFIG_USB_SERIAL_F81232 is not set -+# CONFIG_USB_SERIAL_F8153X is not set - CONFIG_USB_SERIAL_GARMIN=m -+# CONFIG_USB_SERIAL_IPW is not set -+# CONFIG_USB_SERIAL_IUU is not set -+# CONFIG_USB_SERIAL_KEYSPAN_PDA is not set - CONFIG_USB_SERIAL_KEYSPAN=m -+# CONFIG_USB_SERIAL_KLSI is not set -+# CONFIG_USB_SERIAL_KOBIL_SCT is not set -+# CONFIG_USB_SERIAL_MCT_U232 is not set -+# CONFIG_USB_SERIAL_METRO is not set -+# CONFIG_USB_SERIAL_MOS7720 is not set -+# CONFIG_USB_SERIAL_MOS7840 is not set -+# CONFIG_USB_SERIAL_MXUPORT is not set -+# CONFIG_USB_SERIAL_NAVMAN is not set - CONFIG_USB_SERIAL_PL2303=m -+# CONFIG_USB_SERIAL_OTI6858 is not set -+# CONFIG_USB_SERIAL_QCAUX is not set -+# CONFIG_USB_SERIAL_QUALCOMM is not set -+# CONFIG_USB_SERIAL_SPCP8X5 is not set -+# CONFIG_USB_SERIAL_SAFE is not set -+# CONFIG_USB_SERIAL_SIERRAWIRELESS is not set -+# CONFIG_USB_SERIAL_SYMBOL is not set -+# CONFIG_USB_SERIAL_TI is not set -+# CONFIG_USB_SERIAL_CYBERJACK is not set -+# CONFIG_USB_SERIAL_XIRCOM is not set -+CONFIG_USB_SERIAL_WWAN=m - CONFIG_USB_SERIAL_OPTION=m -+# CONFIG_USB_SERIAL_OMNINET is not set -+# CONFIG_USB_SERIAL_OPTICON is not set - CONFIG_USB_SERIAL_XSENS_MT=m -+# CONFIG_USB_SERIAL_WISHBONE is not set -+# CONFIG_USB_SERIAL_SSU100 is not set -+# CONFIG_USB_SERIAL_QT2 is not set -+# CONFIG_USB_SERIAL_UPD78F0730 is not set -+# CONFIG_USB_SERIAL_DEBUG is not set -+ -+# -+# USB Miscellaneous drivers -+# - CONFIG_USB_EMI62=m - CONFIG_USB_EMI26=m -+# CONFIG_USB_ADUTUX is not set - CONFIG_USB_SEVSEG=m -+# CONFIG_USB_LEGOTOWER is not set - CONFIG_USB_LCD=m - 
CONFIG_USB_CYPRESS_CY7C63=m - CONFIG_USB_CYTHERM=m - CONFIG_USB_IDMOUSE=m -+# CONFIG_USB_FTDI_ELAN is not set - CONFIG_USB_APPLEDISPLAY=m -+# CONFIG_APPLE_MFI_FASTCHARGE is not set - CONFIG_USB_LD=m -+# CONFIG_USB_TRANCEVIBRATOR is not set -+# CONFIG_USB_IOWARRIOR is not set - CONFIG_USB_TEST=m - CONFIG_USB_EHSET_TEST_FIXTURE=m -+# CONFIG_USB_ISIGHTFW is not set - CONFIG_USB_YUREX=m -+CONFIG_USB_EZUSB_FX2=m -+# CONFIG_USB_HUB_USB251XB is not set -+# CONFIG_USB_HSIC_USB3503 is not set - CONFIG_USB_HSIC_USB4604=m -+# CONFIG_USB_LINK_LAYER_TEST is not set -+# CONFIG_USB_CHAOSKEY is not set -+ -+# -+# USB Physical Layer drivers -+# -+CONFIG_USB_PHY=y -+# CONFIG_NOP_USB_XCEIV is not set -+# CONFIG_USB_GPIO_VBUS is not set -+# CONFIG_USB_ISP1301 is not set -+CONFIG_USB_TEGRA_PHY=m -+CONFIG_USB_ULPI=y -+CONFIG_USB_ULPI_VIEWPORT=y -+# end of USB Physical Layer drivers -+ - CONFIG_USB_GADGET=y -+# CONFIG_USB_GADGET_DEBUG is not set -+# CONFIG_USB_GADGET_DEBUG_FILES is not set -+# CONFIG_USB_GADGET_DEBUG_FS is not set -+CONFIG_USB_GADGET_VBUS_DRAW=2 -+CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS=2 -+# CONFIG_U_SERIAL_CONSOLE is not set -+ -+# -+# USB Peripheral Controller -+# -+# CONFIG_USB_FOTG210_UDC is not set -+# CONFIG_USB_GR_UDC is not set -+# CONFIG_USB_R8A66597 is not set -+# CONFIG_USB_PXA27X is not set -+# CONFIG_USB_MV_UDC is not set -+# CONFIG_USB_MV_U3D is not set -+# CONFIG_USB_SNP_UDC_PLAT is not set -+# CONFIG_USB_M66592 is not set -+# CONFIG_USB_BDC_UDC is not set -+# CONFIG_USB_AMD5536UDC is not set -+# CONFIG_USB_NET2272 is not set -+# CONFIG_USB_NET2280 is not set -+# CONFIG_USB_GOKU is not set -+# CONFIG_USB_EG20T is not set -+# CONFIG_USB_GADGET_XILINX is not set -+# CONFIG_USB_MAX3420_UDC is not set - CONFIG_USB_TEGRA_XUDC=y -+# CONFIG_USB_DUMMY_HCD is not set -+# end of USB Peripheral Controller -+ -+CONFIG_USB_LIBCOMPOSITE=y -+CONFIG_USB_F_ACM=y -+CONFIG_USB_F_SS_LB=y -+CONFIG_USB_U_SERIAL=y -+CONFIG_USB_U_ETHER=y -+CONFIG_USB_F_NCM=y -+CONFIG_USB_F_ECM=y 
-+CONFIG_USB_F_RNDIS=y -+CONFIG_USB_F_MASS_STORAGE=y -+CONFIG_USB_F_FS=y -+CONFIG_USB_F_ACC=y - CONFIG_USB_CONFIGFS=y -+# CONFIG_USB_CONFIGFS_SERIAL is not set - CONFIG_USB_CONFIGFS_ACM=y -+# CONFIG_USB_CONFIGFS_OBEX is not set - CONFIG_USB_CONFIGFS_NCM=y - CONFIG_USB_CONFIGFS_ECM=y -+# CONFIG_USB_CONFIGFS_ECM_SUBSET is not set - CONFIG_USB_CONFIGFS_RNDIS=y -+# CONFIG_USB_CONFIGFS_EEM is not set - CONFIG_USB_CONFIGFS_MASS_STORAGE=y - CONFIG_USB_CONFIGFS_F_LB_SS=y - CONFIG_USB_CONFIGFS_F_FS=y - CONFIG_USB_CONFIGFS_F_ACC=y -+# CONFIG_USB_CONFIGFS_F_UAC1 is not set -+# CONFIG_USB_CONFIGFS_F_UAC1_LEGACY is not set -+# CONFIG_USB_CONFIGFS_F_UAC2 is not set -+# CONFIG_USB_CONFIGFS_F_MIDI is not set -+# CONFIG_USB_CONFIGFS_F_HID is not set -+# CONFIG_USB_CONFIGFS_F_UVC is not set -+# CONFIG_USB_CONFIGFS_F_PRINTER is not set -+ -+# -+# USB Gadget precomposed configurations -+# -+# CONFIG_USB_ZERO is not set -+# CONFIG_USB_AUDIO is not set -+# CONFIG_USB_ETH is not set -+# CONFIG_USB_G_NCM is not set -+# CONFIG_USB_GADGETFS is not set -+# CONFIG_USB_FUNCTIONFS is not set -+# CONFIG_USB_MASS_STORAGE is not set -+# CONFIG_USB_G_SERIAL is not set -+# CONFIG_USB_MIDI_GADGET is not set -+# CONFIG_USB_G_PRINTER is not set -+# CONFIG_USB_CDC_COMPOSITE is not set -+# CONFIG_USB_G_ACM_MS is not set -+# CONFIG_USB_G_MULTI is not set -+# CONFIG_USB_G_HID is not set -+# CONFIG_USB_G_DBGP is not set -+# CONFIG_USB_G_WEBCAM is not set -+# CONFIG_USB_RAW_GADGET is not set -+# end of USB Gadget precomposed configurations -+ - CONFIG_TYPEC=m --CONFIG_TYPEC_FUSB301=m -+# CONFIG_TYPEC_TCPM is not set - CONFIG_TYPEC_UCSI=m - CONFIG_UCSI_CCG=m -+# CONFIG_UCSI_ACPI is not set -+# CONFIG_TYPEC_HD3SS3220 is not set -+# CONFIG_TYPEC_TPS6598X is not set - CONFIG_TYPEC_STUSB160X=m -+CONFIG_TYPEC_FUSB301=m -+ -+# -+# USB Type-C Multiplexer/DeMultiplexer Switch support -+# -+# CONFIG_TYPEC_MUX_PI3USB30532 is not set -+# end of USB Type-C Multiplexer/DeMultiplexer Switch support -+ -+# -+# USB Type-C 
Alternate Mode drivers -+# -+# CONFIG_TYPEC_DP_ALTMODE is not set -+# end of USB Type-C Alternate Mode drivers -+ -+CONFIG_USB_ROLE_SWITCH=y - CONFIG_MMC=y -+CONFIG_PWRSEQ_EMMC=y -+# CONFIG_PWRSEQ_SD8787 is not set -+CONFIG_PWRSEQ_SIMPLE=y -+CONFIG_MMC_BLOCK=y - CONFIG_MMC_BLOCK_MINORS=32 -+# CONFIG_SDIO_UART is not set - CONFIG_MMC_TEST=m -+# CONFIG_MMC_FFU is not set -+ -+# -+# MMC/SD/SDIO Host Controller Drivers -+# -+# CONFIG_MMC_DEBUG is not set - CONFIG_MMC_ARMMMCI=y - # CONFIG_MMC_STM32_SDMMC is not set - CONFIG_MMC_SDHCI=y -+CONFIG_MMC_SDHCI_IO_ACCESSORS=y -+# CONFIG_MMC_SDHCI_PCI is not set -+# CONFIG_MMC_SDHCI_ACPI is not set - CONFIG_MMC_SDHCI_PLTFM=y -+# CONFIG_MMC_SDHCI_OF_ARASAN is not set -+# CONFIG_MMC_SDHCI_OF_ASPEED is not set -+# CONFIG_MMC_SDHCI_OF_AT91 is not set -+# CONFIG_MMC_SDHCI_OF_DWCMSHC is not set -+# CONFIG_MMC_SDHCI_CADENCE is not set - CONFIG_MMC_SDHCI_TEGRA=y -+# CONFIG_MMC_SDHCI_F_SDH30 is not set -+# CONFIG_MMC_SDHCI_MILBEAUT is not set -+# CONFIG_MMC_TIFM_SD is not set - CONFIG_MMC_SPI=m -+# CONFIG_MMC_CB710 is not set -+# CONFIG_MMC_VIA_SDMMC is not set - CONFIG_MMC_DW=y -+CONFIG_MMC_DW_PLTFM=y -+# CONFIG_MMC_DW_BLUEFIELD is not set -+# CONFIG_MMC_DW_EXYNOS is not set -+# CONFIG_MMC_DW_HI3798CV200 is not set -+# CONFIG_MMC_DW_K3 is not set -+# CONFIG_MMC_DW_PCI is not set -+# CONFIG_MMC_VUB300 is not set -+# CONFIG_MMC_USHC is not set -+# CONFIG_MMC_USDHI6ROL0 is not set -+CONFIG_MMC_CQHCI=y -+# CONFIG_MMC_HSQ is not set -+# CONFIG_MMC_TOSHIBA_PCI is not set -+# CONFIG_MMC_MTK is not set - CONFIG_MMC_SDHCI_XENON=y -+# CONFIG_MMC_SDHCI_OMAP is not set -+# CONFIG_MMC_SDHCI_AM654 is not set -+# CONFIG_MEMSTICK is not set -+CONFIG_NEW_LEDS=y - CONFIG_LEDS_CLASS=y -+# CONFIG_LEDS_CLASS_FLASH is not set -+# CONFIG_LEDS_CLASS_MULTICOLOR is not set -+# CONFIG_LEDS_BRIGHTNESS_HW_CHANGED is not set -+ -+# -+# LED drivers -+# -+# CONFIG_LEDS_AN30259A is not set -+# CONFIG_LEDS_AW2013 is not set -+# CONFIG_LEDS_BCM6328 is not set -+# 
CONFIG_LEDS_BCM6358 is not set -+# CONFIG_LEDS_CR0014114 is not set -+# CONFIG_LEDS_EL15203000 is not set -+# CONFIG_LEDS_LM3530 is not set -+# CONFIG_LEDS_LM3532 is not set -+# CONFIG_LEDS_LM3642 is not set -+# CONFIG_LEDS_LM3692X is not set -+# CONFIG_LEDS_PCA9532 is not set - CONFIG_LEDS_GPIO=m -+# CONFIG_LEDS_LP3944 is not set -+# CONFIG_LEDS_LP3952 is not set -+# CONFIG_LEDS_LP50XX is not set -+# CONFIG_LEDS_LP55XX_COMMON is not set -+# CONFIG_LEDS_LP8860 is not set -+# CONFIG_LEDS_PCA955X is not set -+# CONFIG_LEDS_PCA963X is not set -+# CONFIG_LEDS_DAC124S085 is not set - CONFIG_LEDS_PWM=m -+# CONFIG_LEDS_REGULATOR is not set - CONFIG_LEDS_BD2802=m -+# CONFIG_LEDS_LT3593 is not set -+# CONFIG_LEDS_TCA6507 is not set -+# CONFIG_LEDS_TLC591XX is not set -+# CONFIG_LEDS_LM355x is not set - CONFIG_LEDS_IS31FL319X=m -+# CONFIG_LEDS_IS31FL32XX is not set -+ -+# -+# LED driver for blink(1) USB RGB LED is under Special HID drivers (HID_THINGM) -+# -+# CONFIG_LEDS_BLINKM is not set -+# CONFIG_LEDS_SYSCON is not set -+# CONFIG_LEDS_MLXREG is not set -+# CONFIG_LEDS_USER is not set -+# CONFIG_LEDS_SPI_BYTE is not set -+# CONFIG_LEDS_TI_LMU_COMMON is not set -+ -+# -+# LED Triggers -+# -+CONFIG_LEDS_TRIGGERS=y -+# CONFIG_LEDS_TRIGGER_TIMER is not set -+# CONFIG_LEDS_TRIGGER_ONESHOT is not set -+# CONFIG_LEDS_TRIGGER_DISK is not set -+# CONFIG_LEDS_TRIGGER_MTD is not set -+# CONFIG_LEDS_TRIGGER_HEARTBEAT is not set -+# CONFIG_LEDS_TRIGGER_BACKLIGHT is not set -+# CONFIG_LEDS_TRIGGER_CPU is not set -+# CONFIG_LEDS_TRIGGER_ACTIVITY is not set -+# CONFIG_LEDS_TRIGGER_GPIO is not set -+# CONFIG_LEDS_TRIGGER_DEFAULT_ON is not set -+ -+# -+# iptables trigger is under Netfilter config (LED target) -+# -+# CONFIG_LEDS_TRIGGER_TRANSIENT is not set -+# CONFIG_LEDS_TRIGGER_CAMERA is not set -+# CONFIG_LEDS_TRIGGER_PANIC is not set -+# CONFIG_LEDS_TRIGGER_NETDEV is not set -+# CONFIG_LEDS_TRIGGER_PATTERN is not set -+# CONFIG_LEDS_TRIGGER_AUDIO is not set -+# CONFIG_LEDS_CY8C is not 
set -+# CONFIG_ACCESSIBILITY is not set - CONFIG_INFINIBAND=m - CONFIG_INFINIBAND_USER_MAD=m - CONFIG_INFINIBAND_USER_ACCESS=m -+CONFIG_INFINIBAND_USER_MEM=y -+CONFIG_INFINIBAND_ON_DEMAND_PAGING=y -+CONFIG_INFINIBAND_ADDR_TRANS=y -+CONFIG_INFINIBAND_ADDR_TRANS_CONFIGFS=y -+CONFIG_INFINIBAND_VIRT_DMA=y - CONFIG_INFINIBAND_MTHCA=m -+CONFIG_INFINIBAND_MTHCA_DEBUG=y -+# CONFIG_INFINIBAND_CXGB4 is not set -+# CONFIG_INFINIBAND_EFA is not set -+# CONFIG_INFINIBAND_I40IW is not set - CONFIG_MLX4_INFINIBAND=m - CONFIG_MLX5_INFINIBAND=m -+# CONFIG_INFINIBAND_OCRDMA is not set -+# CONFIG_INFINIBAND_HNS is not set -+# CONFIG_RDMA_RXE is not set -+# CONFIG_RDMA_SIW is not set - CONFIG_INFINIBAND_IPOIB=m - CONFIG_INFINIBAND_IPOIB_CM=y -+CONFIG_INFINIBAND_IPOIB_DEBUG=y -+# CONFIG_INFINIBAND_IPOIB_DEBUG_DATA is not set - CONFIG_INFINIBAND_SRP=m -+# CONFIG_INFINIBAND_ISER is not set -+# CONFIG_INFINIBAND_RTRS_CLIENT is not set -+# CONFIG_INFINIBAND_RTRS_SERVER is not set -+CONFIG_EDAC_SUPPORT=y -+# CONFIG_EDAC is not set -+CONFIG_RTC_LIB=y - CONFIG_RTC_CLASS=y -+CONFIG_RTC_HCTOSYS=y - CONFIG_RTC_HCTOSYS_DEVICE="rtc1" -+CONFIG_RTC_SYSTOHC=y -+CONFIG_RTC_SYSTOHC_DEVICE="rtc1" -+# CONFIG_RTC_DEBUG is not set - # CONFIG_RTC_NVMEM is not set -+ -+# -+# RTC interfaces -+# -+CONFIG_RTC_INTF_SYSFS=y -+CONFIG_RTC_INTF_PROC=y -+CONFIG_RTC_INTF_DEV=y -+# CONFIG_RTC_INTF_DEV_UIE_EMUL is not set -+# CONFIG_RTC_DRV_TEST is not set -+ -+# -+# I2C RTC drivers -+# -+# CONFIG_RTC_DRV_ABB5ZES3 is not set -+# CONFIG_RTC_DRV_ABEOZ9 is not set -+# CONFIG_RTC_DRV_ABX80X is not set -+# CONFIG_RTC_DRV_DS1307 is not set -+# CONFIG_RTC_DRV_DS1374 is not set -+# CONFIG_RTC_DRV_DS1672 is not set -+# CONFIG_RTC_DRV_HYM8563 is not set -+# CONFIG_RTC_DRV_MAX6900 is not set - CONFIG_RTC_DRV_MAX77686=y -+# CONFIG_RTC_DRV_RK808 is not set -+# CONFIG_RTC_DRV_RS5C372 is not set -+# CONFIG_RTC_DRV_ISL1208 is not set -+# CONFIG_RTC_DRV_ISL12022 is not set -+# CONFIG_RTC_DRV_ISL12026 is not set -+# CONFIG_RTC_DRV_X1205 
is not set -+# CONFIG_RTC_DRV_PCF8523 is not set -+# CONFIG_RTC_DRV_PCF85063 is not set -+# CONFIG_RTC_DRV_PCF85363 is not set -+# CONFIG_RTC_DRV_PCF8563 is not set -+# CONFIG_RTC_DRV_PCF8583 is not set -+# CONFIG_RTC_DRV_M41T80 is not set -+# CONFIG_RTC_DRV_BQ32K is not set -+# CONFIG_RTC_DRV_S35390A is not set -+# CONFIG_RTC_DRV_FM3130 is not set -+# CONFIG_RTC_DRV_RX8010 is not set -+# CONFIG_RTC_DRV_RX8581 is not set - CONFIG_RTC_DRV_RX8025=m -+# CONFIG_RTC_DRV_EM3027 is not set -+# CONFIG_RTC_DRV_RV3028 is not set -+# CONFIG_RTC_DRV_RV3032 is not set -+# CONFIG_RTC_DRV_RV8803 is not set -+# CONFIG_RTC_DRV_S5M is not set -+# CONFIG_RTC_DRV_SD3078 is not set -+ -+# -+# SPI RTC drivers -+# -+# CONFIG_RTC_DRV_M41T93 is not set -+# CONFIG_RTC_DRV_M41T94 is not set -+# CONFIG_RTC_DRV_DS1302 is not set -+# CONFIG_RTC_DRV_DS1305 is not set -+# CONFIG_RTC_DRV_DS1343 is not set -+# CONFIG_RTC_DRV_DS1347 is not set -+# CONFIG_RTC_DRV_DS1390 is not set -+# CONFIG_RTC_DRV_MAX6916 is not set -+# CONFIG_RTC_DRV_R9701 is not set -+# CONFIG_RTC_DRV_RX4581 is not set -+# CONFIG_RTC_DRV_RX6110 is not set -+# CONFIG_RTC_DRV_RS5C348 is not set -+# CONFIG_RTC_DRV_MAX6902 is not set -+# CONFIG_RTC_DRV_PCF2123 is not set -+# CONFIG_RTC_DRV_MCP795 is not set -+CONFIG_RTC_I2C_AND_SPI=y -+ -+# -+# SPI and I2C RTC drivers -+# -+# CONFIG_RTC_DRV_DS3232 is not set -+# CONFIG_RTC_DRV_PCF2127 is not set -+# CONFIG_RTC_DRV_RV3029C2 is not set -+ -+# -+# Platform RTC drivers -+# -+# CONFIG_RTC_DRV_DS1286 is not set -+# CONFIG_RTC_DRV_DS1511 is not set -+# CONFIG_RTC_DRV_DS1553 is not set -+# CONFIG_RTC_DRV_DS1685_FAMILY is not set -+# CONFIG_RTC_DRV_DS1742 is not set -+# CONFIG_RTC_DRV_DS2404 is not set -+# CONFIG_RTC_DRV_EFI is not set -+# CONFIG_RTC_DRV_STK17TA8 is not set -+# CONFIG_RTC_DRV_M48T86 is not set -+# CONFIG_RTC_DRV_M48T35 is not set -+# CONFIG_RTC_DRV_M48T59 is not set -+# CONFIG_RTC_DRV_MSM6242 is not set -+# CONFIG_RTC_DRV_BQ4802 is not set -+# CONFIG_RTC_DRV_RP5C01 is not set 
-+# CONFIG_RTC_DRV_V3020 is not set -+# CONFIG_RTC_DRV_ZYNQMP is not set -+ -+# -+# on-CPU RTC drivers -+# -+# CONFIG_RTC_DRV_PL030 is not set -+# CONFIG_RTC_DRV_PL031 is not set -+# CONFIG_RTC_DRV_CADENCE is not set -+# CONFIG_RTC_DRV_FTRTC010 is not set -+CONFIG_RTC_DRV_TEGRA=y -+# CONFIG_RTC_DRV_R7301 is not set -+ -+# -+# HID Sensor RTC drivers -+# -+# CONFIG_RTC_DRV_HID_SENSOR_TIME is not set -+CONFIG_NVVRS_PSEQ_RTC=y - CONFIG_DMADEVICES=y -+# CONFIG_DMADEVICES_DEBUG is not set -+ -+# -+# DMA Devices -+# -+CONFIG_DMA_ENGINE=y -+CONFIG_DMA_VIRTUAL_CHANNELS=y -+CONFIG_DMA_ACPI=y -+CONFIG_DMA_OF=y -+# CONFIG_ALTERA_MSGDMA is not set -+# CONFIG_AMBA_PL08X is not set -+# CONFIG_BCM_SBA_RAID is not set -+# CONFIG_DW_AXI_DMAC is not set -+# CONFIG_FSL_EDMA is not set -+# CONFIG_FSL_QDMA is not set -+# CONFIG_HISI_DMA is not set -+# CONFIG_INTEL_IDMA64 is not set -+# CONFIG_MV_XOR_V2 is not set -+# CONFIG_PL330_DMA is not set -+# CONFIG_PLX_DMA is not set - CONFIG_TEGRA20_APB_DMA=y - CONFIG_TEGRA210_ADMA=m - CONFIG_TEGRA_GPC_DMA=y -+# CONFIG_XILINX_DMA is not set -+# CONFIG_XILINX_ZYNQMP_DMA is not set -+# CONFIG_XILINX_ZYNQMP_DPDMA is not set -+# CONFIG_QCOM_HIDMA_MGMT is not set -+# CONFIG_QCOM_HIDMA is not set -+# CONFIG_DW_DMAC is not set -+# CONFIG_DW_DMAC_PCI is not set -+# CONFIG_DW_EDMA is not set -+# CONFIG_DW_EDMA_PCIE is not set -+# CONFIG_SF_PDMA is not set -+ -+# -+# DMA Clients -+# -+# CONFIG_ASYNC_TX_DMA is not set - CONFIG_DMATEST=y -+CONFIG_DMA_ENGINE_RAID=y -+ -+# -+# DMABUF options -+# -+CONFIG_SYNC_FILE=y -+# CONFIG_SW_SYNC is not set -+# CONFIG_UDMABUF is not set -+# CONFIG_DMABUF_MOVE_NOTIFY is not set -+# CONFIG_DMABUF_SELFTESTS is not set -+CONFIG_DMABUF_DEFERRED_UNMAPPING=y - CONFIG_DMABUF_HEAPS=y - CONFIG_DMABUF_HEAPS_SYSTEM=y - CONFIG_DMABUF_HEAPS_CMA=y --CONFIG_VFIO=m --CONFIG_VFIO_PCI=m -+# end of DMABUF options -+ -+# CONFIG_AUXDISPLAY is not set -+CONFIG_UIO=m -+# CONFIG_UIO_CIF is not set -+# CONFIG_UIO_PDRV_GENIRQ is not set -+# 
CONFIG_UIO_DMEM_GENIRQ is not set -+# CONFIG_UIO_AEC is not set -+# CONFIG_UIO_SERCOS3 is not set -+# CONFIG_UIO_PCI_GENERIC is not set -+# CONFIG_UIO_NETX is not set -+# CONFIG_UIO_PRUSS is not set -+# CONFIG_UIO_MF624 is not set -+CONFIG_VFIO_IOMMU_TYPE1=y -+CONFIG_VFIO_VIRQFD=y -+CONFIG_VFIO=y -+# CONFIG_VFIO_NOIOMMU is not set -+CONFIG_VFIO_PCI=y -+CONFIG_VFIO_PCI_MMAP=y -+CONFIG_VFIO_PCI_INTX=y -+CONFIG_VFIO_PLATFORM=y -+# CONFIG_VFIO_AMBA is not set -+# CONFIG_VFIO_PLATFORM_CALXEDAXGMAC_RESET is not set -+# CONFIG_VFIO_PLATFORM_AMDXGBE_RESET is not set -+# CONFIG_VFIO_MDEV is not set - CONFIG_VIRT_DRIVERS=y --CONFIG_VIRTIO_PCI=m -+CONFIG_VIRTIO=y -+CONFIG_VIRTIO_MENU=y -+CONFIG_VIRTIO_PCI=y -+CONFIG_VIRTIO_PCI_LEGACY=y - CONFIG_VIRTIO_BALLOON=m --CONFIG_VIRTIO_MMIO=m -+# CONFIG_VIRTIO_INPUT is not set -+CONFIG_VIRTIO_MMIO=y -+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set -+# CONFIG_VDPA is not set -+CONFIG_VHOST_MENU=y -+# CONFIG_VHOST_NET is not set -+# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set -+ -+# -+# Microsoft Hyper-V guest support -+# -+# end of Microsoft Hyper-V guest support -+ -+# CONFIG_GREYBUS is not set -+CONFIG_STAGING=y - CONFIG_PRISM2_USB=m -+# CONFIG_COMEDI is not set - CONFIG_RTL8192U=m - CONFIG_RTLLIB=m -+CONFIG_RTLLIB_CRYPTO_CCMP=m -+CONFIG_RTLLIB_CRYPTO_TKIP=m -+CONFIG_RTLLIB_CRYPTO_WEP=m - CONFIG_RTL8192E=m -+# CONFIG_RTL8723BS is not set - CONFIG_R8712U=m - CONFIG_R8188EU=m -+CONFIG_88EU_AP_MODE=y -+# CONFIG_RTS5208 is not set -+# CONFIG_VT6655 is not set -+# CONFIG_VT6656 is not set -+ -+# -+# IIO staging drivers -+# -+ -+# -+# Accelerometers -+# -+# CONFIG_ADIS16203 is not set -+# CONFIG_ADIS16240 is not set -+# end of Accelerometers -+ -+# -+# Analog to digital converters -+# -+# CONFIG_AD7816 is not set -+# CONFIG_AD7280 is not set -+# end of Analog to digital converters -+ -+# -+# Analog digital bi-direction converters -+# -+# CONFIG_ADT7316 is not set -+# end of Analog digital bi-direction converters -+ -+# -+# Capacitance to 
digital converters -+# -+# CONFIG_AD7150 is not set -+# CONFIG_AD7746 is not set -+# end of Capacitance to digital converters -+ -+# -+# Direct Digital Synthesis -+# -+# CONFIG_AD9832 is not set -+# CONFIG_AD9834 is not set -+# end of Direct Digital Synthesis -+ -+# -+# Network Analyzer, Impedance Converters -+# -+# CONFIG_AD5933 is not set -+# end of Network Analyzer, Impedance Converters -+ -+# -+# Active energy metering IC -+# -+# CONFIG_ADE7854 is not set -+# CONFIG_INA219 is not set -+# CONFIG_INA230 is not set -+# CONFIG_INA3221 is not set -+# end of Active energy metering IC -+ -+# -+# Resolver to digital converters -+# -+# CONFIG_AD2S1210 is not set -+# end of Resolver to digital converters -+# end of IIO staging drivers -+ -+# CONFIG_FB_SM750 is not set -+# CONFIG_MFD_NVEC is not set -+# CONFIG_STAGING_MEDIA is not set -+ -+# -+# Android -+# -+# end of Android -+ -+# CONFIG_STAGING_BOARD is not set -+# CONFIG_LTE_GDM724X is not set -+# CONFIG_GS_FPGABOOT is not set -+# CONFIG_UNISYSSPAR is not set -+# CONFIG_COMMON_CLK_XLNX_CLKWZRD is not set -+# CONFIG_FB_TFT is not set -+# CONFIG_KS7010 is not set -+# CONFIG_PI433 is not set -+ -+# -+# Gasket devices -+# -+# CONFIG_STAGING_GASKET_FRAMEWORK is not set -+# end of Gasket devices -+ -+# CONFIG_XIL_AXIS_FIFO is not set -+# CONFIG_FIELDBUS_DEV is not set -+# CONFIG_KPC2000 is not set - CONFIG_QLGE=m -+# CONFIG_WFX is not set -+# CONFIG_SPMI_HISI3670 is not set -+# CONFIG_MFD_HI6421_SPMI is not set -+# CONFIG_USB_WPAN_HCD is not set - CONFIG_TEGRA_HTS_GTE=y -+# CONFIG_TEGRA_GTE_TEST is not set -+# CONFIG_DUMMY_MEMORY_CARVEOUT is not set -+# CONFIG_GOLDFISH is not set -+# CONFIG_CHROME_PLATFORMS is not set -+# CONFIG_MELLANOX_PLATFORM is not set - CONFIG_DENVER_CPU=y -+# CONFIG_DENVER_MCA is not set - CONFIG_TEGRA_AON=y -+# CONFIG_TEGRA_ARI_MCA is not set -+# CONFIG_TEGRA_BRIDGE_MCA is not set -+# CONFIG_TEGRA_A57_SERR is not set - CONFIG_TEGRA_BWMGR=y - CONFIG_TEGRA_CAMERA_RTCPU=y - 
CONFIG_TEGRA_CAMERA_HSP_MBOX_CLIENT=y -@@ -1205,147 +6699,1444 @@ CONFIG_TEGRA_FSICOM=y - CONFIG_TEGRA_EPL=y - CONFIG_TEGRA_DCE=y - CONFIG_TEGRA_ISOMGR=y -+CONFIG_TEGRA_ISOMGR_POOL_KB_PER_SEC=0 - CONFIG_TEGRA_ISOMGR_SYSFS=y -+# CONFIG_TEGRA_ISOMGR_MAX_ISO_BW_QUIRK is not set -+CONFIG_NV_TEGRA_MC=y -+# CONFIG_TEGRA_VPR is not set -+CONFIG_TEGRA_MCE=y -+CONFIG_TEGRA_CACHE=y -+CONFIG_TEGRA_OF_MCERR=y -+# CONFIG_TEGRA_PM_IRQ is not set -+# CONFIG_TEGRA_PMC_AO_WAKE is not set -+# CONFIG_TEGRA_WAKEUP is not set -+CONFIG_TEGRA_PTP_NOTIFIER=y -+CONFIG_TEGRA_SOC_HWPM=y - CONFIG_TEGRA_SPE=y - CONFIG_TEGRA_SPE_HSP_MBOX_CLIENT=y -+# CONFIG_TEGRA_CBB_NOC is not set -+# CONFIG_TEGRA_HV_XHCI_DEBUG is not set -+# CONFIG_TEGRA_NVDUMPER is not set - CONFIG_TEGRA_CENTRAL_ACTMON=y -+CONFIG_TEGRA_FIRMWARES_CLASS=y -+CONFIG_TEGRA_FIRMWARES_INVENTORY=y -+# CONFIG_TEGRA_FIQ_DEBUGGER is not set - CONFIG_TEGRA_BOOTLOADER_DEBUG=m -+CONFIG_TEGRA_BOOTLOADER_DEBUG_INIT=y -+# CONFIG_TEGRA_BOOTLOADER_BOOT_CFG is not set -+CONFIG_NV_TEGRA_IVC=y -+# CONFIG_TEGRA_PM_DEBUG is not set - CONFIG_TEGRA_CLOCKS_CONFIGURE=y - CONFIG_TEGRA_USS_IO_PROXY=y -+CONFIG_TEGRA_CVNAS=y - CONFIG_TEGRA_SAFETY=y -+# CONFIG_TEGRA_SAFETY_IVC_DEBUG is not set -+# CONFIG_TEGRA_HSIERRRPTINJ is not set -+CONFIG_TEGRA_T234_HWPM=y - CONFIG_TEGRA_NVADSP=m - CONFIG_TEGRA_NVADSP_ON_SMMU=y -+# CONFIG_TEGRA_ADSP_DFS is not set -+# CONFIG_TEGRA_ADSP_CPUSTAT is not set - CONFIG_TEGRA_ADSP_FILEIO=y - CONFIG_TEGRA_ADSP_LPTHREAD=y -+# CONFIG_TEGRA_EMC_APE_DFS is not set -+CONFIG_TEGRA_ADSP_CONSOLE=y -+# CONFIG_MBOX_ACK_HANDLER is not set - CONFIG_TEGRA_VIRT_AUDIO_IVC=y -+CONFIG_HAVE_CLK=y -+CONFIG_CLKDEV_LOOKUP=y -+CONFIG_HAVE_CLK_PREPARE=y -+CONFIG_COMMON_CLK=y -+# CONFIG_COMMON_CLK_MAX77686 is not set -+# CONFIG_COMMON_CLK_MAX9485 is not set -+# CONFIG_COMMON_CLK_RK808 is not set -+# CONFIG_COMMON_CLK_SCPI is not set -+# CONFIG_COMMON_CLK_SI5341 is not set -+# CONFIG_COMMON_CLK_SI5351 is not set -+# CONFIG_COMMON_CLK_SI514 is not set 
-+# CONFIG_COMMON_CLK_SI544 is not set -+# CONFIG_COMMON_CLK_SI570 is not set -+# CONFIG_COMMON_CLK_CDCE706 is not set -+# CONFIG_COMMON_CLK_CDCE925 is not set -+# CONFIG_COMMON_CLK_CS2000_CP is not set -+# CONFIG_COMMON_CLK_S2MPS11 is not set -+# CONFIG_CLK_QORIQ is not set -+# CONFIG_COMMON_CLK_XGENE is not set -+# CONFIG_COMMON_CLK_PWM is not set -+# CONFIG_COMMON_CLK_VC5 is not set -+# CONFIG_COMMON_CLK_BD718XX is not set -+# CONFIG_COMMON_CLK_FIXED_MMIO is not set - CONFIG_COMMON_CLK_FREQ_STATS_ACCOUNTING=y -+# CONFIG_COMMON_CLK_BEGIN_ACCOUNTING_FROM_BOOT is not set -+CONFIG_CLK_TEGRA_BPMP=y -+CONFIG_TEGRA_CLK_DFLL=y -+CONFIG_TEGRA_CLK_DEBUG=y -+# CONFIG_HWSPINLOCK is not set -+ -+# -+# Clock Source drivers -+# -+CONFIG_TIMER_OF=y -+CONFIG_TIMER_ACPI=y -+CONFIG_TIMER_PROBE=y -+CONFIG_CLKSRC_MMIO=y -+CONFIG_TEGRA_TIMER=y -+CONFIG_ARM_ARCH_TIMER=y -+CONFIG_ARM_ARCH_TIMER_EVTSTREAM=y -+CONFIG_ARM_ARCH_TIMER_OOL_WORKAROUND=y -+CONFIG_FSL_ERRATUM_A008585=y -+CONFIG_HISILICON_ERRATUM_161010101=y -+CONFIG_ARM64_ERRATUM_858921=y -+# CONFIG_MICROCHIP_PIT64B is not set -+# end of Clock Source drivers -+ - CONFIG_CLK_SRC_TEGRA18_TIMER=y -+CONFIG_MAILBOX=y - CONFIG_ARM_MHU=m -+# CONFIG_PLATFORM_MHU is not set -+# CONFIG_PL320_MBOX is not set -+CONFIG_PCC=y -+# CONFIG_ALTERA_MBOX is not set -+# CONFIG_MAILBOX_TEST is not set -+CONFIG_TEGRA_HSP_MBOX=y -+CONFIG_IOMMU_IOVA=y -+CONFIG_IOMMU_API=y -+CONFIG_IOMMU_SUPPORT=y -+ -+# -+# Generic IOMMU Pagetable Support -+# -+CONFIG_IOMMU_IO_PGTABLE=y -+CONFIG_IOMMU_IO_PGTABLE_LPAE=y -+# CONFIG_IOMMU_IO_PGTABLE_LPAE_SELFTEST is not set -+# CONFIG_IOMMU_IO_PGTABLE_ARMV7S is not set -+# end of Generic IOMMU Pagetable Support -+ -+# CONFIG_IOMMU_DEBUGFS is not set -+# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set -+CONFIG_OF_IOMMU=y -+CONFIG_IOMMU_DMA=y - CONFIG_TEGRA_IOMMU_SMMU=y - CONFIG_ARM_SMMU=y - CONFIG_ARM_SMMU_DEBUG=y -+# CONFIG_ARM_SMMU_LEGACY_DT_BINDINGS is not set -+CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT=y - 
CONFIG_ARM_SMMU_V3=y -+# CONFIG_ARM_SMMU_V3_SVA is not set -+# CONFIG_VIRTIO_IOMMU is not set -+CONFIG_ARM_SMMU_SUSPEND=y -+ -+# -+# Remoteproc drivers -+# -+# CONFIG_REMOTEPROC is not set -+# end of Remoteproc drivers -+ -+# -+# Rpmsg drivers -+# -+# CONFIG_RPMSG_QCOM_GLINK_RPM is not set -+# CONFIG_RPMSG_VIRTIO is not set -+# end of Rpmsg drivers -+ - CONFIG_SOUNDWIRE=m -+ -+# -+# SoundWire Devices -+# -+# CONFIG_SOUNDWIRE_INTEL is not set -+# CONFIG_SOUNDWIRE_QCOM is not set -+ -+# -+# SOC (System On Chip) specific Drivers -+# -+ -+# -+# Amlogic SoC drivers -+# -+# end of Amlogic SoC drivers -+ -+# -+# Aspeed SoC drivers -+# -+# end of Aspeed SoC drivers -+ -+# -+# Broadcom SoC drivers -+# -+# CONFIG_SOC_BRCMSTB is not set -+# end of Broadcom SoC drivers -+ -+# -+# NXP/Freescale QorIQ SoC drivers -+# -+# CONFIG_QUICC_ENGINE is not set -+# CONFIG_FSL_RCPM is not set -+# end of NXP/Freescale QorIQ SoC drivers -+ -+# -+# i.MX SoC drivers -+# -+# end of i.MX SoC drivers -+ -+# -+# Qualcomm SoC drivers -+# -+# end of Qualcomm SoC drivers -+ -+# CONFIG_ARCH_TEGRA_132_SOC is not set - CONFIG_ARCH_TEGRA_210_SOC=y - CONFIG_ARCH_TEGRA_186_SOC=y - CONFIG_ARCH_TEGRA_194_SOC=y - CONFIG_ARCH_TEGRA_234_SOC=y -+CONFIG_SOC_TEGRA_FUSE=y -+CONFIG_SOC_TEGRA_FLOWCTRL=y -+CONFIG_SOC_TEGRA_PMC=y -+CONFIG_SOC_TEGRA_POWERGATE_BPMP=y -+CONFIG_TEGRA_USE_NA_GPCPLL=y -+CONFIG_SOC_TEGRA_CBB=y - CONFIG_TEGRA_KFUSE=y -+# CONFIG_TEGRA_FUSE_DOWNSTREAM is not set - CONFIG_TEGRA_FUSE_BURN=y -+# CONFIG_TEGRA_PROC_POWER_MODEL is not set -+CONFIG_TEGRA_DVFS=y - CONFIG_TEGRA_210_DVFS=y -+# CONFIG_SOC_TI is not set -+ -+# -+# Xilinx SoC drivers -+# -+# CONFIG_XILINX_VCU is not set -+# end of Xilinx SoC drivers -+# end of SOC (System On Chip) specific Drivers -+ -+CONFIG_PM_DEVFREQ=y -+ -+# -+# DEVFREQ Governors -+# -+CONFIG_DEVFREQ_GOV_SIMPLE_ONDEMAND=y - CONFIG_DEVFREQ_GOV_PERFORMANCE=y -+# CONFIG_DEVFREQ_GOV_POWERSAVE is not set - CONFIG_DEVFREQ_GOV_USERSPACE=y -+# CONFIG_DEVFREQ_GOV_PASSIVE is not 
set -+ -+# -+# DEVFREQ Drivers -+# -+# CONFIG_ARM_TEGRA_DEVFREQ is not set -+# CONFIG_PM_DEVFREQ_EVENT is not set -+ -+# -+# NVIDIA DEVFREQ Governors -+# -+# CONFIG_DEVFREQ_GOV_POD_SCALING is not set - CONFIG_DEVFREQ_GOV_POD_SCALING_V2=y -+CONFIG_DEVFREQ_GOV_POD_SCALING_HISTORY_BUFFER_SIZE_MAX=100 -+# CONFIG_DEVFREQ_GOV_WMARK_SIMPLE is not set - CONFIG_DEVFREQ_GOV_WMARK_ACTIVE=y -+CONFIG_EXTCON=y -+ -+# -+# Extcon Device Drivers -+# -+# CONFIG_EXTCON_ADC_JACK is not set -+# CONFIG_EXTCON_FSA9480 is not set - CONFIG_EXTCON_GPIO=y -+# CONFIG_EXTCON_MAX3355 is not set -+# CONFIG_EXTCON_CABLE_XLATE is not set -+# CONFIG_EXTCON_PTN5150 is not set -+# CONFIG_EXTCON_RT8973A is not set -+# CONFIG_EXTCON_SM5502 is not set - CONFIG_EXTCON_USB_GPIO=y -+CONFIG_EXTCON_DISP_STATE=y - CONFIG_MEMORY=y -+# CONFIG_ARM_PL172_MPMC is not set -+CONFIG_TEGRA_MC=y -+# CONFIG_TEGRA210_EMC is not set - CONFIG_IIO=y -+CONFIG_IIO_BUFFER=y -+# CONFIG_IIO_BUFFER_CB is not set -+# CONFIG_IIO_BUFFER_DMA is not set -+# CONFIG_IIO_BUFFER_DMAENGINE is not set -+# CONFIG_IIO_BUFFER_HW_CONSUMER is not set -+CONFIG_IIO_KFIFO_BUF=m -+CONFIG_IIO_TRIGGERED_BUFFER=m -+# CONFIG_IIO_CONFIGFS is not set -+CONFIG_IIO_TRIGGER=y -+CONFIG_IIO_CONSUMERS_PER_TRIGGER=2 -+# CONFIG_IIO_SW_DEVICE is not set -+# CONFIG_IIO_SW_TRIGGER is not set -+# CONFIG_IIO_TRIGGERED_EVENT is not set -+ -+# -+# Accelerometers -+# -+# CONFIG_ADIS16201 is not set -+# CONFIG_ADIS16209 is not set -+# CONFIG_ADXL345_I2C is not set -+# CONFIG_ADXL345_SPI is not set -+# CONFIG_ADXL372_SPI is not set -+# CONFIG_ADXL372_I2C is not set -+# CONFIG_BMA180 is not set -+# CONFIG_BMA220 is not set -+# CONFIG_BMA400 is not set -+# CONFIG_BMC150_ACCEL is not set -+# CONFIG_DA280 is not set -+# CONFIG_DA311 is not set -+# CONFIG_DMARD06 is not set -+# CONFIG_DMARD09 is not set -+# CONFIG_DMARD10 is not set - CONFIG_HID_SENSOR_ACCEL_3D=m -+# CONFIG_IIO_ST_ACCEL_3AXIS is not set -+# CONFIG_KXSD9 is not set -+# CONFIG_KXCJK1013 is not set -+# 
CONFIG_MC3230 is not set -+# CONFIG_MMA7455_I2C is not set -+# CONFIG_MMA7455_SPI is not set -+# CONFIG_MMA7660 is not set -+# CONFIG_MMA8452 is not set -+# CONFIG_MMA9551 is not set -+# CONFIG_MMA9553 is not set -+# CONFIG_MXC4005 is not set -+# CONFIG_MXC6255 is not set -+# CONFIG_SCA3000 is not set -+# CONFIG_STK8312 is not set -+# CONFIG_STK8BA50 is not set -+# end of Accelerometers -+ -+# -+# Analog to digital converters -+# -+# CONFIG_AD7091R5 is not set -+# CONFIG_AD7124 is not set -+# CONFIG_AD7192 is not set -+# CONFIG_AD7266 is not set -+# CONFIG_AD7291 is not set -+# CONFIG_AD7292 is not set -+# CONFIG_AD7298 is not set -+# CONFIG_AD7476 is not set -+# CONFIG_AD7606_IFACE_PARALLEL is not set -+# CONFIG_AD7606_IFACE_SPI is not set -+# CONFIG_AD7766 is not set -+# CONFIG_AD7768_1 is not set -+# CONFIG_AD7780 is not set -+# CONFIG_AD7791 is not set -+# CONFIG_AD7793 is not set -+# CONFIG_AD7887 is not set -+# CONFIG_AD7923 is not set -+# CONFIG_AD7949 is not set -+# CONFIG_AD799X is not set -+# CONFIG_ADI_AXI_ADC is not set -+# CONFIG_CC10001_ADC is not set -+# CONFIG_ENVELOPE_DETECTOR is not set -+# CONFIG_HI8435 is not set -+# CONFIG_HX711 is not set -+# CONFIG_INA2XX_ADC is not set -+# CONFIG_LTC2471 is not set -+# CONFIG_LTC2485 is not set -+# CONFIG_LTC2496 is not set -+# CONFIG_LTC2497 is not set -+# CONFIG_MAX1027 is not set -+# CONFIG_MAX11100 is not set -+# CONFIG_MAX1118 is not set -+# CONFIG_MAX1241 is not set -+# CONFIG_MAX1363 is not set -+# CONFIG_MAX9611 is not set -+# CONFIG_MCP320X is not set -+# CONFIG_MCP3422 is not set -+# CONFIG_MCP3911 is not set -+# CONFIG_NAU7802 is not set -+CONFIG_QCOM_VADC_COMMON=m -+# CONFIG_QCOM_SPMI_IADC is not set -+# CONFIG_QCOM_SPMI_VADC is not set - CONFIG_QCOM_SPMI_ADC5=m -+# CONFIG_SD_ADC_MODULATOR is not set -+# CONFIG_TI_ADC081C is not set -+# CONFIG_TI_ADC0832 is not set -+# CONFIG_TI_ADC084S021 is not set -+# CONFIG_TI_ADC12138 is not set -+# CONFIG_TI_ADC108S102 is not set -+# CONFIG_TI_ADC128S052 is 
not set -+# CONFIG_TI_ADC161S626 is not set -+# CONFIG_TI_ADS1015 is not set -+# CONFIG_TI_ADS7950 is not set -+# CONFIG_TI_ADS8344 is not set -+# CONFIG_TI_ADS8688 is not set -+# CONFIG_TI_ADS124S08 is not set -+# CONFIG_TI_TLC4541 is not set -+# CONFIG_VF610_ADC is not set -+# CONFIG_XILINX_XADC is not set -+# end of Analog to digital converters -+ -+# -+# Analog Front Ends -+# -+# CONFIG_IIO_RESCALE is not set -+# end of Analog Front Ends -+ -+# -+# Amplifiers -+# -+# CONFIG_AD8366 is not set -+# CONFIG_HMC425 is not set -+# end of Amplifiers -+ -+# -+# Chemical Sensors -+# -+# CONFIG_ATLAS_PH_SENSOR is not set -+# CONFIG_ATLAS_EZO_SENSOR is not set -+# CONFIG_BME680 is not set -+# CONFIG_CCS811 is not set -+# CONFIG_IAQCORE is not set -+# CONFIG_PMS7003 is not set -+# CONFIG_SCD30_CORE is not set -+# CONFIG_SENSIRION_SGP30 is not set -+# CONFIG_SPS30 is not set -+# CONFIG_VZ89X is not set -+# end of Chemical Sensors -+ -+# -+# Hid Sensor IIO Common -+# -+CONFIG_HID_SENSOR_IIO_COMMON=m -+CONFIG_HID_SENSOR_IIO_TRIGGER=m -+# end of Hid Sensor IIO Common -+ -+# -+# SSP Sensor Common -+# -+# CONFIG_IIO_SSP_SENSORHUB is not set -+# end of SSP Sensor Common -+ -+# -+# Digital to analog converters -+# -+# CONFIG_AD5064 is not set -+# CONFIG_AD5360 is not set -+# CONFIG_AD5380 is not set -+# CONFIG_AD5421 is not set -+# CONFIG_AD5446 is not set -+# CONFIG_AD5449 is not set -+# CONFIG_AD5592R is not set -+# CONFIG_AD5593R is not set -+# CONFIG_AD5504 is not set -+# CONFIG_AD5624R_SPI is not set -+# CONFIG_AD5686_SPI is not set -+# CONFIG_AD5696_I2C is not set -+# CONFIG_AD5755 is not set -+# CONFIG_AD5758 is not set -+# CONFIG_AD5761 is not set -+# CONFIG_AD5764 is not set -+# CONFIG_AD5770R is not set -+# CONFIG_AD5791 is not set -+# CONFIG_AD7303 is not set -+# CONFIG_AD8801 is not set -+# CONFIG_DPOT_DAC is not set - CONFIG_DS4424=m -+# CONFIG_LTC1660 is not set -+# CONFIG_LTC2632 is not set -+# CONFIG_M62332 is not set -+# CONFIG_MAX517 is not set -+# CONFIG_MAX5821 
is not set -+# CONFIG_MCP4725 is not set -+# CONFIG_MCP4922 is not set -+# CONFIG_TI_DAC082S085 is not set -+# CONFIG_TI_DAC5571 is not set -+# CONFIG_TI_DAC7311 is not set -+# CONFIG_TI_DAC7612 is not set -+# CONFIG_VF610_DAC is not set -+# end of Digital to analog converters -+ -+# -+# IIO dummy driver -+# -+# end of IIO dummy driver -+ -+# -+# Frequency Synthesizers DDS/PLL -+# -+ -+# -+# Clock Generator/Distribution -+# -+# CONFIG_AD9523 is not set -+# end of Clock Generator/Distribution -+ -+# -+# Phase-Locked Loop (PLL) frequency synthesizers -+# -+# CONFIG_ADF4350 is not set -+# CONFIG_ADF4371 is not set -+# end of Phase-Locked Loop (PLL) frequency synthesizers -+# end of Frequency Synthesizers DDS/PLL -+ -+# -+# Digital gyroscope sensors -+# -+# CONFIG_ADIS16080 is not set -+# CONFIG_ADIS16130 is not set -+# CONFIG_ADIS16136 is not set -+# CONFIG_ADIS16260 is not set -+# CONFIG_ADXRS290 is not set -+# CONFIG_ADXRS450 is not set -+# CONFIG_BMG160 is not set -+# CONFIG_FXAS21002C is not set - CONFIG_HID_SENSOR_GYRO_3D=m -+# CONFIG_MPU3050_I2C is not set -+# CONFIG_IIO_ST_GYRO_3AXIS is not set -+# CONFIG_ITG3200 is not set -+# end of Digital gyroscope sensors -+ -+# -+# Health Sensors -+# -+ -+# -+# Heart Rate Monitors -+# -+# CONFIG_AFE4403 is not set -+# CONFIG_AFE4404 is not set -+# CONFIG_MAX30100 is not set -+# CONFIG_MAX30102 is not set -+# end of Heart Rate Monitors -+# end of Health Sensors -+ -+# -+# Humidity sensors -+# -+# CONFIG_AM2315 is not set -+# CONFIG_DHT11 is not set -+# CONFIG_HDC100X is not set -+# CONFIG_HDC2010 is not set -+# CONFIG_HID_SENSOR_HUMIDITY is not set -+# CONFIG_HTS221 is not set -+# CONFIG_HTU21 is not set -+# CONFIG_SI7005 is not set -+# CONFIG_SI7020 is not set -+# end of Humidity sensors -+ -+# -+# Inertial measurement units -+# -+# CONFIG_ADIS16400 is not set -+# CONFIG_ADIS16460 is not set -+# CONFIG_ADIS16475 is not set -+# CONFIG_ADIS16480 is not set -+# CONFIG_BMI160_I2C is not set -+# CONFIG_BMI160_SPI is not set 
-+# CONFIG_FXOS8700_I2C is not set -+# CONFIG_FXOS8700_SPI is not set -+# CONFIG_KMX61 is not set -+# CONFIG_INV_ICM42600_I2C is not set -+# CONFIG_INV_ICM42600_SPI is not set -+# CONFIG_INV_MPU6050_I2C is not set -+# CONFIG_INV_MPU6050_SPI is not set -+# CONFIG_IIO_ST_LSM6DSX is not set -+# CONFIG_NVI_MPU_IIO is not set -+# CONFIG_NVI_MPU_INPUT is not set -+# CONFIG_NVI_MPU_RELAY is not set -+# CONFIG_NVS_BMI160_IIO is not set -+# CONFIG_NVS_BMI160_INPUT is not set -+# CONFIG_NVS_BMI160_RELAY is not set -+# CONFIG_NVS_BMI08X_IIO is not set -+# CONFIG_NVS_BMI08X_INPUT is not set -+# CONFIG_NVS_BMI08X_RELAY is not set - CONFIG_BMI088_IIO=m -+# CONFIG_TSFW_ICM is not set -+# end of Inertial measurement units -+ -+# -+# Light sensors -+# -+# CONFIG_ACPI_ALS is not set -+# CONFIG_ADJD_S311 is not set -+# CONFIG_ADUX1020 is not set -+# CONFIG_AL3010 is not set -+# CONFIG_AL3320A is not set -+# CONFIG_APDS9300 is not set -+# CONFIG_APDS9960 is not set -+# CONFIG_AS73211 is not set -+# CONFIG_BH1750 is not set -+# CONFIG_BH1780 is not set -+# CONFIG_CM32181 is not set -+# CONFIG_CM3232 is not set -+# CONFIG_CM3323 is not set -+# CONFIG_CM3605 is not set -+# CONFIG_CM36651 is not set -+# CONFIG_GP2AP002 is not set -+# CONFIG_GP2AP020A00F is not set -+# CONFIG_SENSORS_ISL29018 is not set -+# CONFIG_SENSORS_ISL29028 is not set -+# CONFIG_ISL29125 is not set -+# CONFIG_HID_SENSOR_ALS is not set -+# CONFIG_HID_SENSOR_PROX is not set -+# CONFIG_JSA1212 is not set -+# CONFIG_RPR0521 is not set -+# CONFIG_LTR501 is not set -+# CONFIG_LV0104CS is not set -+# CONFIG_MAX44000 is not set -+# CONFIG_MAX44009 is not set -+# CONFIG_NOA1305 is not set -+# CONFIG_OPT3001 is not set -+# CONFIG_PA12203001 is not set -+# CONFIG_SI1133 is not set -+# CONFIG_SI1145 is not set -+# CONFIG_STK3310 is not set -+# CONFIG_ST_UVIS25 is not set -+# CONFIG_TCS3414 is not set -+# CONFIG_TCS3472 is not set -+# CONFIG_SENSORS_TSL2563 is not set -+# CONFIG_TSL2583 is not set -+# CONFIG_TSL2772 is not set 
-+# CONFIG_TSL4531 is not set -+# CONFIG_US5182D is not set -+# CONFIG_VCNL4000 is not set -+# CONFIG_VCNL4035 is not set -+# CONFIG_VEML6030 is not set -+# CONFIG_VEML6070 is not set -+# CONFIG_VL6180 is not set -+# CONFIG_ZOPT2201 is not set -+# end of Light sensors -+ -+# -+# Magnetometer sensors -+# -+# CONFIG_AK8974 is not set -+# CONFIG_AK8975 is not set -+# CONFIG_AK09911 is not set -+# CONFIG_BMC150_MAGN_I2C is not set -+# CONFIG_BMC150_MAGN_SPI is not set -+# CONFIG_MAG3110 is not set -+# CONFIG_HID_SENSOR_MAGNETOMETER_3D is not set -+# CONFIG_MMC35240 is not set -+# CONFIG_IIO_ST_MAGN_3AXIS is not set -+# CONFIG_SENSORS_HMC5843_I2C is not set -+# CONFIG_SENSORS_HMC5843_SPI is not set -+# CONFIG_SENSORS_RM3100_I2C is not set -+# CONFIG_SENSORS_RM3100_SPI is not set -+# end of Magnetometer sensors -+ -+# -+# Multiplexers -+# -+# CONFIG_IIO_MUX is not set -+# end of Multiplexers -+ -+# -+# Inclinometer sensors -+# -+# CONFIG_HID_SENSOR_INCLINOMETER_3D is not set -+# CONFIG_HID_SENSOR_DEVICE_ROTATION is not set -+# end of Inclinometer sensors -+ -+# -+# Triggers - standalone -+# -+# CONFIG_IIO_INTERRUPT_TRIGGER is not set -+# CONFIG_IIO_SYSFS_TRIGGER is not set -+# end of Triggers - standalone -+ -+# -+# Linear and angular position sensors -+# -+# end of Linear and angular position sensors -+ -+# -+# Digital potentiometers -+# -+# CONFIG_AD5272 is not set -+# CONFIG_DS1803 is not set -+# CONFIG_MAX5432 is not set -+# CONFIG_MAX5481 is not set -+# CONFIG_MAX5487 is not set -+# CONFIG_MCP4018 is not set -+# CONFIG_MCP4131 is not set -+# CONFIG_MCP4531 is not set -+# CONFIG_MCP41010 is not set -+# CONFIG_TPL0102 is not set -+# end of Digital potentiometers -+ -+# -+# Digital potentiostats -+# -+# CONFIG_LMP91000 is not set -+# end of Digital potentiostats -+ -+# -+# Pressure sensors -+# -+# CONFIG_ABP060MG is not set -+# CONFIG_BMP280 is not set -+# CONFIG_DLHL60D is not set -+# CONFIG_DPS310 is not set -+# CONFIG_HID_SENSOR_PRESS is not set -+# CONFIG_HP03 is 
not set -+# CONFIG_ICP10100 is not set -+# CONFIG_MPL115_I2C is not set -+# CONFIG_MPL115_SPI is not set -+# CONFIG_MPL3115 is not set -+# CONFIG_MS5611 is not set -+# CONFIG_MS5637 is not set -+# CONFIG_IIO_ST_PRESS is not set -+# CONFIG_T5403 is not set -+# CONFIG_HP206C is not set -+# CONFIG_ZPA2326 is not set -+# end of Pressure sensors -+ -+# -+# Lightning sensors -+# -+# CONFIG_AS3935 is not set -+# end of Lightning sensors -+ -+# -+# Proximity and distance sensors -+# -+# CONFIG_ISL29501 is not set -+# CONFIG_LIDAR_LITE_V2 is not set -+# CONFIG_MB1232 is not set -+# CONFIG_PING is not set -+# CONFIG_RFD77402 is not set -+# CONFIG_SRF04 is not set -+# CONFIG_SX9310 is not set -+# CONFIG_SX9500 is not set -+# CONFIG_SRF08 is not set -+# CONFIG_VCNL3020 is not set -+# CONFIG_VL53L0X_I2C is not set -+# end of Proximity and distance sensors -+ -+# -+# Proximity sensors -+# -+# end of Proximity sensors -+ -+# -+# Resolver to digital converters -+# -+# CONFIG_AD2S90 is not set -+# CONFIG_AD2S1200 is not set -+# end of Resolver to digital converters -+ -+# -+# Temperature sensors -+# -+# CONFIG_LTC2983 is not set -+# CONFIG_MAXIM_THERMOCOUPLE is not set -+# CONFIG_HID_SENSOR_TEMP is not set -+# CONFIG_MLX90614 is not set -+# CONFIG_MLX90632 is not set -+# CONFIG_TMP006 is not set -+# CONFIG_TMP007 is not set -+# CONFIG_TSYS01 is not set -+# CONFIG_TSYS02D is not set -+# CONFIG_MAX31856 is not set -+# CONFIG_NVS_TMP1X2_IIO is not set -+# CONFIG_NVS_TMP1X2_INPUT is not set -+# CONFIG_NVS_TMP1X2_RELAY is not set -+# end of Temperature sensors -+ -+# CONFIG_NVS_LED_TEST is not set - CONFIG_NTB=m -+# CONFIG_NTB_MSI is not set -+# CONFIG_NTB_IDT is not set - CONFIG_NTB_SWITCHTEC=m - CONFIG_NTB_PINGPONG=m - CONFIG_NTB_TOOL=m - CONFIG_NTB_PERF=m - CONFIG_NTB_TRANSPORT=m -+# CONFIG_VME_BUS is not set - CONFIG_PWM=y -+CONFIG_PWM_SYSFS=y -+# CONFIG_PWM_DEBUG is not set -+# CONFIG_PWM_FSL_FTM is not set -+# CONFIG_PWM_PCA9685 is not set - CONFIG_PWM_TEGRA=y -+# 
CONFIG_PWM_TEGRA_PMC_SOFT_LED_BLINK is not set - CONFIG_PWM_TEGRA_PMC_BLINK=m - CONFIG_PWM_TEGRA_TACHOMETER=y - CONFIG_PWM_TEGRA_DFLL=y -+ -+# -+# IRQ chip support -+# -+CONFIG_IRQCHIP=y -+CONFIG_ARM_GIC=y -+CONFIG_FIQ=y -+CONFIG_ARM_GIC_PM=y -+CONFIG_ARM_GIC_MAX_NR=1 -+CONFIG_ARM_GIC_V2M=y -+CONFIG_ARM_GIC_V3=y -+CONFIG_ARM_GIC_V3_ITS=y -+CONFIG_ARM_GIC_V3_ITS_PCI=y -+# CONFIG_AL_FIC is not set -+CONFIG_PARTITION_PERCPU=y -+# end of IRQ chip support -+ -+# CONFIG_IPACK_BUS is not set -+CONFIG_ARCH_HAS_RESET_CONTROLLER=y -+CONFIG_RESET_CONTROLLER=y -+# CONFIG_RESET_TI_SYSCON is not set -+CONFIG_RESET_TEGRA_BPMP=y -+ -+# -+# PHY Subsystem -+# -+CONFIG_GENERIC_PHY=y -+# CONFIG_PHY_XGENE is not set -+# CONFIG_BCM_KONA_USB2_PHY is not set -+# CONFIG_PHY_CADENCE_TORRENT is not set -+# CONFIG_PHY_CADENCE_DPHY is not set -+# CONFIG_PHY_CADENCE_SIERRA is not set -+# CONFIG_PHY_CADENCE_SALVO is not set - CONFIG_PHY_FSL_IMX8MQ_USB=y -+# CONFIG_PHY_MIXEL_MIPI_DPHY is not set -+# CONFIG_PHY_PXA_28NM_HSIC is not set -+# CONFIG_PHY_PXA_28NM_USB2 is not set -+# CONFIG_PHY_CPCAP_USB is not set -+# CONFIG_PHY_MAPPHONE_MDM6600 is not set -+# CONFIG_PHY_OCELOT_SERDES is not set -+# CONFIG_PHY_QCOM_USB_HS is not set -+# CONFIG_PHY_QCOM_USB_HSIC is not set - CONFIG_PHY_TEGRA_XUSB=y -+CONFIG_PHY_TEGRA194_P2U=y -+# CONFIG_TEGRA_P2U is not set -+# CONFIG_PHY_TUSB1210 is not set -+# end of PHY Subsystem -+ -+# CONFIG_POWERCAP is not set -+# CONFIG_MCB is not set -+ -+# -+# Performance monitor support -+# -+# CONFIG_ARM_CCI_PMU is not set -+# CONFIG_ARM_CCN is not set -+# CONFIG_ARM_CMN is not set -+CONFIG_ARM_PMU=y -+CONFIG_ARM_PMU_ACPI=y - CONFIG_ARM_SMMU_V3_PMU=m - CONFIG_ARM_DSU_PMU=y - CONFIG_ARM_SPE_PMU=y -+# CONFIG_HISI_PMU is not set -+# end of Performance monitor support -+ -+CONFIG_RAS=y -+CONFIG_ARM64_RAS=y -+# CONFIG_USB4 is not set -+ -+# -+# Android -+# -+# CONFIG_ANDROID is not set -+# end of Android -+ -+# CONFIG_LIBNVDIMM is not set - CONFIG_DAX=y -+# CONFIG_DEV_DAX is not 
set -+CONFIG_NVMEM=y -+CONFIG_NVMEM_SYSFS=y -+# CONFIG_NVMEM_SPMI_SDAM is not set -+ -+# -+# HW tracing support -+# -+# CONFIG_STM is not set -+# CONFIG_INTEL_TH is not set -+# end of HW tracing support -+ - CONFIG_FPGA=y -+# CONFIG_ALTERA_PR_IP_CORE is not set -+# CONFIG_FPGA_MGR_ALTERA_PS_SPI is not set -+# CONFIG_FPGA_MGR_ALTERA_CVP is not set -+# CONFIG_FPGA_MGR_XILINX_SPI is not set -+# CONFIG_FPGA_MGR_ICE40_SPI is not set -+# CONFIG_FPGA_MGR_MACHXO2_SPI is not set - CONFIG_FPGA_BRIDGE=m -+# CONFIG_ALTERA_FREEZE_BRIDGE is not set -+# CONFIG_XILINX_PR_DECOUPLER is not set - CONFIG_FPGA_REGION=m - CONFIG_OF_FPGA_REGION=m -+# CONFIG_FPGA_DFL is not set -+# CONFIG_FSI is not set - CONFIG_TEE=y -+ -+# -+# TEE drivers -+# - CONFIG_OPTEE=y -+CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=1 -+# end of TEE drivers -+ -+CONFIG_PM_OPP=y -+# CONFIG_SIOX is not set -+# CONFIG_SLIMBUS is not set - CONFIG_INTERCONNECT=y - CONFIG_INTERCONNECT_TEGRA=y -+# CONFIG_COUNTER is not set -+# CONFIG_MOST is not set - CONFIG_RTK_BTUSB=m - CONFIG_NVPMODEL_EMC=y - CONFIG_TEGRA_RDMA=m -+ -+# -+# Generic IOMMU Pagetable Support -+# -+# end of Generic IOMMU Pagetable Support -+ - CONFIG_NVPPS=m -+ -+# -+# Trusty -+# -+# CONFIG_TRUSTY is not set -+# end of Trusty -+ - CONFIG_TEGRA_HV_PM_CTL=y - CONFIG_TEGRA_HV_MANAGER=y - CONFIG_TEGRA_VIRTUALIZATION=y -+CONFIG_TEGRA_GPIO_HOST_PROXY=y -+CONFIG_TEGRA_GPIO_GUEST_PROXY=y -+# end of Device Drivers -+ -+# -+# File systems -+# -+CONFIG_DCACHE_WORD_ACCESS=y -+# CONFIG_VALIDATE_FS_PARSER is not set -+CONFIG_FS_IOMAP=y -+# CONFIG_EXT2_FS is not set - CONFIG_EXT3_FS=y -+# CONFIG_EXT3_FS_POSIX_ACL is not set -+# CONFIG_EXT3_FS_SECURITY is not set -+CONFIG_EXT4_FS=y -+CONFIG_EXT4_USE_FOR_EXT2=y - CONFIG_EXT4_FS_POSIX_ACL=y - CONFIG_EXT4_FS_SECURITY=y -+# CONFIG_EXT4_DEBUG is not set -+CONFIG_JBD2=y -+# CONFIG_JBD2_DEBUG is not set -+CONFIG_FS_MBCACHE=y -+# CONFIG_REISERFS_FS is not set -+# CONFIG_JFS_FS is not set -+# CONFIG_XFS_FS is not set -+# CONFIG_GFS2_FS is not 
set -+# CONFIG_OCFS2_FS is not set - CONFIG_BTRFS_FS=m - CONFIG_BTRFS_FS_POSIX_ACL=y -+# CONFIG_BTRFS_FS_CHECK_INTEGRITY is not set -+# CONFIG_BTRFS_FS_RUN_SANITY_TESTS is not set -+# CONFIG_BTRFS_DEBUG is not set -+# CONFIG_BTRFS_ASSERT is not set -+# CONFIG_BTRFS_FS_REF_VERIFY is not set -+# CONFIG_NILFS2_FS is not set -+# CONFIG_F2FS_FS is not set -+# CONFIG_FS_DAX is not set -+CONFIG_FS_POSIX_ACL=y -+CONFIG_EXPORTFS=y -+# CONFIG_EXPORTFS_BLOCK_OPS is not set -+CONFIG_FILE_LOCKING=y -+CONFIG_MANDATORY_FILE_LOCKING=y -+# CONFIG_FS_ENCRYPTION is not set -+# CONFIG_FS_VERITY is not set -+CONFIG_FSNOTIFY=y -+CONFIG_DNOTIFY=y -+CONFIG_INOTIFY_USER=y - CONFIG_FANOTIFY=y - CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y - CONFIG_QUOTA=y - CONFIG_QUOTA_NETLINK_INTERFACE=y -+CONFIG_PRINT_QUOTA_WARNING=y -+# CONFIG_QUOTA_DEBUG is not set -+CONFIG_QUOTA_TREE=m -+# CONFIG_QFMT_V1 is not set - CONFIG_QFMT_V2=m -+CONFIG_QUOTACTL=y - CONFIG_AUTOFS4_FS=y -+CONFIG_AUTOFS_FS=y - CONFIG_FUSE_FS=m - CONFIG_CUSE=m --CONFIG_ISO9660_FS=y -+# CONFIG_VIRTIO_FS is not set - CONFIG_OVERLAY_FS=m -+# CONFIG_OVERLAY_FS_REDIRECT_DIR is not set - # CONFIG_OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW is not set -+# CONFIG_OVERLAY_FS_INDEX is not set -+# CONFIG_OVERLAY_FS_XINO_AUTO is not set -+# CONFIG_OVERLAY_FS_METACOPY is not set -+ -+# -+# Caches -+# -+# CONFIG_FSCACHE is not set -+# end of Caches -+ -+# -+# CD-ROM/DVD Filesystems -+# -+CONFIG_ISO9660_FS=y -+# CONFIG_JOLIET is not set -+# CONFIG_ZISOFS is not set -+# CONFIG_UDF_FS is not set -+# end of CD-ROM/DVD Filesystems -+ -+# -+# DOS/FAT/EXFAT/NT Filesystems -+# -+CONFIG_FAT_FS=y - CONFIG_MSDOS_FS=y - CONFIG_VFAT_FS=y -+CONFIG_FAT_DEFAULT_CODEPAGE=437 -+CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1" -+# CONFIG_FAT_DEFAULT_UTF8 is not set - CONFIG_EXFAT_FS=y -+CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8" - CONFIG_NTFS_FS=y -+# CONFIG_NTFS_DEBUG is not set - CONFIG_NTFS_RW=y -+# end of DOS/FAT/EXFAT/NT Filesystems -+ -+# -+# Pseudo filesystems -+# -+CONFIG_PROC_FS=y -+# 
CONFIG_PROC_KCORE is not set -+CONFIG_PROC_VMCORE=y -+# CONFIG_PROC_VMCORE_DEVICE_DUMP is not set -+CONFIG_PROC_SYSCTL=y -+CONFIG_PROC_PAGE_MONITOR=y -+# CONFIG_PROC_CHILDREN is not set -+CONFIG_KERNFS=y -+CONFIG_SYSFS=y - CONFIG_TMPFS=y - CONFIG_TMPFS_POSIX_ACL=y -+CONFIG_TMPFS_XATTR=y -+# CONFIG_TMPFS_INODE64 is not set - CONFIG_HUGETLBFS=y -+CONFIG_HUGETLB_PAGE=y -+CONFIG_MEMFD_CREATE=y -+CONFIG_ARCH_HAS_GIGANTIC_PAGE=y -+CONFIG_CONFIGFS_FS=y - CONFIG_EFIVAR_FS=y -+# end of Pseudo filesystems -+ -+CONFIG_MISC_FILESYSTEMS=y -+# CONFIG_ORANGEFS_FS is not set -+# CONFIG_ADFS_FS is not set -+# CONFIG_AFFS_FS is not set -+# CONFIG_ECRYPT_FS is not set -+# CONFIG_HFS_FS is not set -+# CONFIG_HFSPLUS_FS is not set -+# CONFIG_BEFS_FS is not set -+# CONFIG_BFS_FS is not set -+# CONFIG_EFS_FS is not set -+# CONFIG_JFFS2_FS is not set -+# CONFIG_UBIFS_FS is not set -+# CONFIG_CRAMFS is not set - CONFIG_SQUASHFS=y -+CONFIG_SQUASHFS_FILE_CACHE=y -+# CONFIG_SQUASHFS_FILE_DIRECT is not set -+CONFIG_SQUASHFS_DECOMP_SINGLE=y -+# CONFIG_SQUASHFS_DECOMP_MULTI is not set -+# CONFIG_SQUASHFS_DECOMP_MULTI_PERCPU is not set - CONFIG_SQUASHFS_XATTR=y -+CONFIG_SQUASHFS_ZLIB=y - CONFIG_SQUASHFS_LZ4=y - CONFIG_SQUASHFS_LZO=y - CONFIG_SQUASHFS_XZ=y -+# CONFIG_SQUASHFS_ZSTD is not set -+# CONFIG_SQUASHFS_4K_DEVBLK_SIZE is not set -+# CONFIG_SQUASHFS_EMBEDDED is not set -+CONFIG_SQUASHFS_FRAGMENT_CACHE_SIZE=3 -+# CONFIG_VXFS_FS is not set -+# CONFIG_MINIX_FS is not set -+# CONFIG_OMFS_FS is not set -+# CONFIG_HPFS_FS is not set -+# CONFIG_QNX4FS_FS is not set -+# CONFIG_QNX6FS_FS is not set -+# CONFIG_ROMFS_FS is not set -+CONFIG_PSTORE=y -+CONFIG_PSTORE_DEFLATE_COMPRESS=y -+# CONFIG_PSTORE_LZO_COMPRESS is not set -+# CONFIG_PSTORE_LZ4_COMPRESS is not set -+# CONFIG_PSTORE_LZ4HC_COMPRESS is not set -+# CONFIG_PSTORE_842_COMPRESS is not set -+# CONFIG_PSTORE_ZSTD_COMPRESS is not set -+CONFIG_PSTORE_COMPRESS=y -+CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y 
-+CONFIG_PSTORE_COMPRESS_DEFAULT="deflate" - CONFIG_PSTORE_CONSOLE=y -+# CONFIG_PSTORE_PMSG is not set -+# CONFIG_PSTORE_FTRACE is not set - CONFIG_PSTORE_RAM=m -+CONFIG_PSTORE_ZONE=y -+# CONFIG_SYSV_FS is not set -+# CONFIG_UFS_FS is not set -+# CONFIG_EROFS_FS is not set -+CONFIG_NETWORK_FILESYSTEMS=y - CONFIG_NFS_FS=y -+CONFIG_NFS_V2=y -+CONFIG_NFS_V3=y - CONFIG_NFS_V3_ACL=y - CONFIG_NFS_V4=y -+# CONFIG_NFS_SWAP is not set - CONFIG_NFS_V4_1=y - CONFIG_NFS_V4_2=y -+CONFIG_PNFS_FILE_LAYOUT=y -+CONFIG_PNFS_BLOCK=y -+CONFIG_PNFS_FLEXFILE_LAYOUT=y -+CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org" -+# CONFIG_NFS_V4_1_MIGRATION is not set -+CONFIG_NFS_V4_SECURITY_LABEL=y - CONFIG_ROOT_NFS=y -+# CONFIG_NFS_USE_LEGACY_DNS is not set -+CONFIG_NFS_USE_KERNEL_DNS=y - # CONFIG_NFS_DISABLE_UDP_SUPPORT is not set -+# CONFIG_NFS_V4_2_READ_PLUS is not set - CONFIG_NFSD=m -+CONFIG_NFSD_V2_ACL=y - CONFIG_NFSD_V3=y - CONFIG_NFSD_V3_ACL=y -+# CONFIG_NFSD_V4 is not set -+CONFIG_GRACE_PERIOD=y -+CONFIG_LOCKD=y -+CONFIG_LOCKD_V4=y -+CONFIG_NFS_ACL_SUPPORT=y -+CONFIG_NFS_COMMON=y -+CONFIG_SUNRPC=y -+CONFIG_SUNRPC_GSS=y -+CONFIG_SUNRPC_BACKCHANNEL=y -+# CONFIG_SUNRPC_DEBUG is not set -+CONFIG_SUNRPC_XPRT_RDMA=m -+# CONFIG_CEPH_FS is not set - CONFIG_CIFS=m -+# CONFIG_CIFS_STATS2 is not set -+CONFIG_CIFS_ALLOW_INSECURE_LEGACY=y -+# CONFIG_CIFS_WEAK_PW_HASH is not set -+# CONFIG_CIFS_UPCALL is not set -+# CONFIG_CIFS_XATTR is not set -+CONFIG_CIFS_DEBUG=y -+# CONFIG_CIFS_DEBUG2 is not set -+# CONFIG_CIFS_DEBUG_DUMP_KEYS is not set -+# CONFIG_CIFS_DFS_UPCALL is not set -+# CONFIG_CIFS_SMB_DIRECT is not set -+# CONFIG_CODA_FS is not set -+# CONFIG_AFS_FS is not set - CONFIG_9P_FS=m -+# CONFIG_9P_FS_POSIX_ACL is not set -+# CONFIG_9P_FS_SECURITY is not set -+CONFIG_NLS=y -+CONFIG_NLS_DEFAULT="iso8859-1" - CONFIG_NLS_CODEPAGE_437=y -+# CONFIG_NLS_CODEPAGE_737 is not set -+# CONFIG_NLS_CODEPAGE_775 is not set -+# CONFIG_NLS_CODEPAGE_850 is not set -+# CONFIG_NLS_CODEPAGE_852 is not set 
-+# CONFIG_NLS_CODEPAGE_855 is not set -+# CONFIG_NLS_CODEPAGE_857 is not set -+# CONFIG_NLS_CODEPAGE_860 is not set -+# CONFIG_NLS_CODEPAGE_861 is not set -+# CONFIG_NLS_CODEPAGE_862 is not set -+# CONFIG_NLS_CODEPAGE_863 is not set -+# CONFIG_NLS_CODEPAGE_864 is not set -+# CONFIG_NLS_CODEPAGE_865 is not set -+# CONFIG_NLS_CODEPAGE_866 is not set -+# CONFIG_NLS_CODEPAGE_869 is not set -+# CONFIG_NLS_CODEPAGE_936 is not set -+# CONFIG_NLS_CODEPAGE_950 is not set -+# CONFIG_NLS_CODEPAGE_932 is not set -+# CONFIG_NLS_CODEPAGE_949 is not set -+# CONFIG_NLS_CODEPAGE_874 is not set -+# CONFIG_NLS_ISO8859_8 is not set -+# CONFIG_NLS_CODEPAGE_1250 is not set -+# CONFIG_NLS_CODEPAGE_1251 is not set -+# CONFIG_NLS_ASCII is not set - CONFIG_NLS_ISO8859_1=y -+# CONFIG_NLS_ISO8859_2 is not set -+# CONFIG_NLS_ISO8859_3 is not set -+# CONFIG_NLS_ISO8859_4 is not set -+# CONFIG_NLS_ISO8859_5 is not set -+# CONFIG_NLS_ISO8859_6 is not set -+# CONFIG_NLS_ISO8859_7 is not set -+# CONFIG_NLS_ISO8859_9 is not set -+# CONFIG_NLS_ISO8859_13 is not set -+# CONFIG_NLS_ISO8859_14 is not set -+# CONFIG_NLS_ISO8859_15 is not set -+# CONFIG_NLS_KOI8_R is not set -+# CONFIG_NLS_KOI8_U is not set -+# CONFIG_NLS_MAC_ROMAN is not set -+# CONFIG_NLS_MAC_CELTIC is not set -+# CONFIG_NLS_MAC_CENTEURO is not set -+# CONFIG_NLS_MAC_CROATIAN is not set -+# CONFIG_NLS_MAC_CYRILLIC is not set -+# CONFIG_NLS_MAC_GAELIC is not set -+# CONFIG_NLS_MAC_GREEK is not set -+# CONFIG_NLS_MAC_ICELAND is not set -+# CONFIG_NLS_MAC_INUIT is not set -+# CONFIG_NLS_MAC_ROMANIAN is not set -+# CONFIG_NLS_MAC_TURKISH is not set - CONFIG_NLS_UTF8=m -+# CONFIG_DLM is not set -+# CONFIG_UNICODE is not set -+CONFIG_IO_WQ=y -+# end of File systems -+ -+# -+# Security options -+# -+CONFIG_KEYS=y -+# CONFIG_KEYS_REQUEST_CACHE is not set -+# CONFIG_PERSISTENT_KEYRINGS is not set -+# CONFIG_ENCRYPTED_KEYS is not set -+# CONFIG_KEY_DH_OPERATIONS is not set -+# CONFIG_KEY_NOTIFICATIONS is not set - 
CONFIG_SECURITY_DMESG_RESTRICT=y - CONFIG_SECURITY=y -+# CONFIG_SECURITYFS is not set - CONFIG_SECURITY_NETWORK=y -+# CONFIG_SECURITY_INFINIBAND is not set -+# CONFIG_SECURITY_NETWORK_XFRM is not set -+# CONFIG_SECURITY_PATH is not set -+CONFIG_LSM_MMAP_MIN_ADDR=32768 -+CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y - CONFIG_HARDENED_USERCOPY=y -+CONFIG_HARDENED_USERCOPY_FALLBACK=y -+# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set - CONFIG_FORTIFY_SOURCE=y -+# CONFIG_STATIC_USERMODEHELPER is not set - CONFIG_SECURITY_SELINUX=y -+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set -+# CONFIG_SECURITY_SELINUX_DISABLE is not set -+CONFIG_SECURITY_SELINUX_DEVELOP=y -+CONFIG_SECURITY_SELINUX_AVC_STATS=y -+CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0 -+CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9 -+CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256 -+# CONFIG_SECURITY_SMACK is not set -+# CONFIG_SECURITY_TOMOYO is not set -+# CONFIG_SECURITY_APPARMOR is not set -+# CONFIG_SECURITY_LOADPIN is not set - CONFIG_SECURITY_YAMA=y -+# CONFIG_SECURITY_SAFESETID is not set -+# CONFIG_SECURITY_LOCKDOWN_LSM is not set -+CONFIG_INTEGRITY=y -+# CONFIG_INTEGRITY_SIGNATURE is not set -+CONFIG_INTEGRITY_AUDIT=y -+# CONFIG_IMA is not set -+# CONFIG_EVM is not set -+CONFIG_DEFAULT_SECURITY_SELINUX=y -+# CONFIG_DEFAULT_SECURITY_DAC is not set - CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,bpf" -+ -+# -+# Kernel hardening options -+# -+ -+# -+# Memory initialization -+# -+CONFIG_INIT_STACK_NONE=y -+# CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set -+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set -+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set -+# CONFIG_GCC_PLUGIN_STACKLEAK is not set -+# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set -+# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set -+# end of Memory initialization -+# end of Kernel hardening options -+ -+# CONFIG_TRUSTED_LITTLE_KERNEL is not set -+# end of Security options -+ -+CONFIG_XOR_BLOCKS=m -+CONFIG_CRYPTO=y -+ -+# -+# Crypto core or 
helper -+# -+CONFIG_CRYPTO_ALGAPI=y -+CONFIG_CRYPTO_ALGAPI2=y -+CONFIG_CRYPTO_AEAD=y -+CONFIG_CRYPTO_AEAD2=y -+CONFIG_CRYPTO_SKCIPHER=y -+CONFIG_CRYPTO_SKCIPHER2=y -+CONFIG_CRYPTO_HASH=y -+CONFIG_CRYPTO_HASH2=y -+CONFIG_CRYPTO_RNG=y -+CONFIG_CRYPTO_RNG2=y -+CONFIG_CRYPTO_RNG_DEFAULT=y -+CONFIG_CRYPTO_AKCIPHER2=y -+CONFIG_CRYPTO_AKCIPHER=y -+CONFIG_CRYPTO_KPP2=y -+CONFIG_CRYPTO_KPP=y -+CONFIG_CRYPTO_ACOMP2=y -+CONFIG_CRYPTO_ECDSA=y -+CONFIG_CRYPTO_MANAGER=y -+CONFIG_CRYPTO_MANAGER2=y -+# CONFIG_CRYPTO_USER is not set -+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y -+CONFIG_CRYPTO_GF128MUL=y -+CONFIG_CRYPTO_NULL=y -+CONFIG_CRYPTO_NULL2=y -+# CONFIG_CRYPTO_PCRYPT is not set -+CONFIG_CRYPTO_CRYPTD=m -+CONFIG_CRYPTO_AUTHENC=y - CONFIG_CRYPTO_TEST=m -+CONFIG_CRYPTO_SIMD=m -+CONFIG_CRYPTO_ENGINE=m -+ -+# -+# Public-key cryptography -+# -+CONFIG_CRYPTO_RSA=y - CONFIG_CRYPTO_DH=y -+CONFIG_CRYPTO_ECC=y -+CONFIG_CRYPTO_ECDH=y -+# CONFIG_CRYPTO_ECRDSA is not set -+# CONFIG_CRYPTO_SM2 is not set -+# CONFIG_CRYPTO_CURVE25519 is not set -+ -+# -+# Authenticated Encryption with Associated Data -+# -+CONFIG_CRYPTO_CCM=m -+CONFIG_CRYPTO_GCM=m -+# CONFIG_CRYPTO_CHACHA20POLY1305 is not set -+# CONFIG_CRYPTO_AEGIS128 is not set - CONFIG_CRYPTO_SEQIV=y - CONFIG_CRYPTO_ECHAINIV=y -+ -+# -+# Block modes -+# -+CONFIG_CRYPTO_CBC=y -+# CONFIG_CRYPTO_CFB is not set - CONFIG_CRYPTO_CTR=y -+# CONFIG_CRYPTO_CTS is not set -+CONFIG_CRYPTO_ECB=y -+# CONFIG_CRYPTO_LRW is not set -+# CONFIG_CRYPTO_OFB is not set -+# CONFIG_CRYPTO_PCBC is not set -+CONFIG_CRYPTO_XTS=m -+# CONFIG_CRYPTO_KEYWRAP is not set -+# CONFIG_CRYPTO_ADIANTUM is not set -+CONFIG_CRYPTO_ESSIV=y -+ -+# -+# Hash modes -+# -+CONFIG_CRYPTO_CMAC=y -+CONFIG_CRYPTO_HMAC=y -+# CONFIG_CRYPTO_XCBC is not set -+# CONFIG_CRYPTO_VMAC is not set -+ -+# -+# Digest -+# -+CONFIG_CRYPTO_CRC32C=y -+# CONFIG_CRYPTO_CRC32 is not set -+CONFIG_CRYPTO_XXHASH=m -+CONFIG_CRYPTO_BLAKE2B=m -+# CONFIG_CRYPTO_BLAKE2S is not set -+CONFIG_CRYPTO_CRCT10DIF=y - 
CONFIG_CRYPTO_GHASH=y -+# CONFIG_CRYPTO_POLY1305 is not set -+CONFIG_CRYPTO_MD4=m -+CONFIG_CRYPTO_MD5=m -+CONFIG_CRYPTO_MICHAEL_MIC=m -+# CONFIG_CRYPTO_RMD128 is not set -+# CONFIG_CRYPTO_RMD160 is not set -+# CONFIG_CRYPTO_RMD256 is not set -+# CONFIG_CRYPTO_RMD320 is not set -+CONFIG_CRYPTO_SHA1=y -+CONFIG_CRYPTO_SHA256=y -+CONFIG_CRYPTO_SHA512=y -+CONFIG_CRYPTO_SHA3=m -+CONFIG_CRYPTO_SM3=m -+# CONFIG_CRYPTO_STREEBOG is not set -+# CONFIG_CRYPTO_TGR192 is not set -+# CONFIG_CRYPTO_WP512 is not set -+ -+# -+# Ciphers -+# -+CONFIG_CRYPTO_AES=y -+# CONFIG_CRYPTO_AES_TI is not set -+# CONFIG_CRYPTO_ANUBIS is not set - CONFIG_CRYPTO_ARC4=y -+# CONFIG_CRYPTO_BLOWFISH is not set -+# CONFIG_CRYPTO_CAMELLIA is not set -+# CONFIG_CRYPTO_CAST5 is not set -+# CONFIG_CRYPTO_CAST6 is not set - CONFIG_CRYPTO_DES=m -+# CONFIG_CRYPTO_FCRYPT is not set -+# CONFIG_CRYPTO_KHAZAD is not set -+# CONFIG_CRYPTO_SALSA20 is not set -+# CONFIG_CRYPTO_CHACHA20 is not set -+# CONFIG_CRYPTO_SEED is not set -+# CONFIG_CRYPTO_SERPENT is not set -+CONFIG_CRYPTO_SM4=m -+# CONFIG_CRYPTO_TEA is not set - CONFIG_CRYPTO_TWOFISH=m -+CONFIG_CRYPTO_TWOFISH_COMMON=m -+ -+# -+# Compression -+# -+CONFIG_CRYPTO_DEFLATE=y -+CONFIG_CRYPTO_LZO=m -+# CONFIG_CRYPTO_842 is not set -+# CONFIG_CRYPTO_LZ4 is not set -+# CONFIG_CRYPTO_LZ4HC is not set -+# CONFIG_CRYPTO_ZSTD is not set -+ -+# -+# Random Number Generation -+# - CONFIG_CRYPTO_ANSI_CPRNG=m -+CONFIG_CRYPTO_DRBG_MENU=y -+CONFIG_CRYPTO_DRBG_HMAC=y -+# CONFIG_CRYPTO_DRBG_HASH is not set -+# CONFIG_CRYPTO_DRBG_CTR is not set -+CONFIG_CRYPTO_DRBG=y -+CONFIG_CRYPTO_JITTERENTROPY=y -+CONFIG_CRYPTO_USER_API=y -+# CONFIG_CRYPTO_USER_API_HASH is not set - CONFIG_CRYPTO_USER_API_SKCIPHER=y - CONFIG_CRYPTO_USER_API_RNG=m -+# CONFIG_CRYPTO_USER_API_RNG_CAVP is not set -+# CONFIG_CRYPTO_USER_API_AEAD is not set -+CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE=y -+CONFIG_CRYPTO_HASH_INFO=y -+ -+# -+# Crypto library routines -+# -+CONFIG_CRYPTO_LIB_AES=y 
-+CONFIG_CRYPTO_LIB_ARC4=y -+# CONFIG_CRYPTO_LIB_BLAKE2S is not set -+# CONFIG_CRYPTO_LIB_CHACHA is not set -+# CONFIG_CRYPTO_LIB_CURVE25519 is not set -+CONFIG_CRYPTO_LIB_DES=m -+CONFIG_CRYPTO_LIB_POLY1305_RSIZE=9 -+# CONFIG_CRYPTO_LIB_POLY1305 is not set -+# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set -+CONFIG_CRYPTO_LIB_SHA256=y -+CONFIG_CRYPTO_HW=y -+# CONFIG_CRYPTO_DEV_ATMEL_ECC is not set -+# CONFIG_CRYPTO_DEV_ATMEL_SHA204A is not set -+# CONFIG_CRYPTO_DEV_CCP is not set -+# CONFIG_CRYPTO_DEV_NITROX_CNN55XX is not set -+# CONFIG_CRYPTO_DEV_CAVIUM_ZIP is not set -+# CONFIG_CRYPTO_DEV_CHELSIO is not set -+CONFIG_CRYPTO_DEV_VIRTIO=m -+# CONFIG_CRYPTO_DEV_SAFEXCEL is not set - CONFIG_CRYPTO_DEV_CCREE=m -+# CONFIG_CRYPTO_DEV_HISI_SEC is not set -+# CONFIG_CRYPTO_DEV_HISI_SEC2 is not set -+# CONFIG_CRYPTO_DEV_HISI_ZIP is not set -+# CONFIG_CRYPTO_DEV_HISI_HPRE is not set -+# CONFIG_CRYPTO_DEV_AMLOGIC_GXL is not set - CONFIG_TEGRA_CRYPTO_DEV=y - CONFIG_CRYPTO_DEV_TEGRA_SE=y - CONFIG_CRYPTO_DEV_TEGRA_ELLIPTIC_SE=y -@@ -1353,28 +8144,406 @@ CONFIG_CRYPTO_DEV_TEGRA_SE_USE_HOST1X_INTERFACE=y - CONFIG_CRYPTO_DEV_TEGRA_VIRTUAL_SE_INTERFACE=y - CONFIG_CRYPTO_DEV_TEGRA_SE_NVRNG=y - CONFIG_CRYPTO_DEV_TEGRA_NVVSE=y --CONFIG_CRYPTO_DEV_TEGRA_FDE=m -+CONFIG_ASYMMETRIC_KEY_TYPE=y -+CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y -+CONFIG_X509_CERTIFICATE_PARSER=y -+# CONFIG_PKCS8_PRIVATE_KEY_PARSER is not set -+CONFIG_PKCS7_MESSAGE_PARSER=y -+# CONFIG_PKCS7_TEST_KEY is not set -+# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set -+ -+# -+# Certificates for signature checking -+# -+CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" -+CONFIG_SYSTEM_TRUSTED_KEYRING=y -+CONFIG_SYSTEM_TRUSTED_KEYS="" -+# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set -+# CONFIG_SECONDARY_TRUSTED_KEYRING is not set -+# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set -+# end of Certificates for signature checking -+ -+CONFIG_BINARY_PRINTF=y -+ -+# -+# Library routines -+# -+CONFIG_RAID6_PQ=m - # CONFIG_RAID6_PQ_BENCHMARK is 
not set -+CONFIG_LINEAR_RANGES=y -+CONFIG_PACKING=y -+CONFIG_BITREVERSE=y -+CONFIG_HAVE_ARCH_BITREVERSE=y -+CONFIG_GENERIC_STRNCPY_FROM_USER=y -+CONFIG_GENERIC_STRNLEN_USER=y -+CONFIG_GENERIC_NET_UTILS=y -+CONFIG_CORDIC=m -+# CONFIG_PRIME_NUMBERS is not set -+CONFIG_RATIONAL=y -+CONFIG_GENERIC_PCI_IOMAP=y -+CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y -+CONFIG_ARCH_HAS_FAST_MULTIPLIER=y -+CONFIG_ARCH_USE_SYM_ANNOTATIONS=y -+# CONFIG_INDIRECT_PIO is not set -+CONFIG_CRC_CCITT=y -+CONFIG_CRC16=y -+CONFIG_CRC_T10DIF=y -+CONFIG_CRC_ITU_T=m -+CONFIG_CRC32=y -+# CONFIG_CRC32_SELFTEST is not set -+CONFIG_CRC32_SLICEBY8=y -+# CONFIG_CRC32_SLICEBY4 is not set -+# CONFIG_CRC32_SARWATE is not set -+# CONFIG_CRC32_BIT is not set -+# CONFIG_CRC64 is not set -+# CONFIG_CRC4 is not set -+CONFIG_CRC7=m -+CONFIG_LIBCRC32C=m -+# CONFIG_CRC8 is not set -+CONFIG_XXHASH=y -+CONFIG_AUDIT_GENERIC=y -+CONFIG_AUDIT_ARCH_COMPAT_GENERIC=y -+CONFIG_AUDIT_COMPAT_GENERIC=y -+# CONFIG_RANDOM32_SELFTEST is not set -+CONFIG_ZLIB_INFLATE=y -+CONFIG_ZLIB_DEFLATE=y -+CONFIG_LZO_COMPRESS=m -+CONFIG_LZO_DECOMPRESS=y -+CONFIG_LZ4_DECOMPRESS=y -+CONFIG_ZSTD_COMPRESS=m -+CONFIG_ZSTD_DECOMPRESS=y -+CONFIG_XZ_DEC=y -+CONFIG_XZ_DEC_X86=y -+CONFIG_XZ_DEC_POWERPC=y -+CONFIG_XZ_DEC_IA64=y -+CONFIG_XZ_DEC_ARM=y -+CONFIG_XZ_DEC_ARMTHUMB=y -+CONFIG_XZ_DEC_SPARC=y -+CONFIG_XZ_DEC_BCJ=y -+# CONFIG_XZ_DEC_TEST is not set -+CONFIG_DECOMPRESS_GZIP=y -+CONFIG_DECOMPRESS_BZIP2=y -+CONFIG_DECOMPRESS_LZMA=y -+CONFIG_DECOMPRESS_XZ=y -+CONFIG_DECOMPRESS_LZO=y -+CONFIG_DECOMPRESS_LZ4=y -+CONFIG_DECOMPRESS_ZSTD=y -+CONFIG_GENERIC_ALLOCATOR=y -+CONFIG_REED_SOLOMON=m -+CONFIG_REED_SOLOMON_ENC8=y -+CONFIG_REED_SOLOMON_DEC8=y -+CONFIG_TEXTSEARCH=y -+CONFIG_TEXTSEARCH_KMP=m -+CONFIG_TEXTSEARCH_BM=m -+CONFIG_TEXTSEARCH_FSM=m -+CONFIG_INTERVAL_TREE=y -+CONFIG_XARRAY_MULTI=y -+CONFIG_ASSOCIATIVE_ARRAY=y -+CONFIG_HAS_IOMEM=y -+CONFIG_HAS_IOPORT_MAP=y -+CONFIG_HAS_DMA=y -+CONFIG_DMA_OPS=y -+CONFIG_NEED_SG_DMA_LENGTH=y -+CONFIG_NEED_DMA_MAP_STATE=y 
-+CONFIG_ARCH_DMA_ADDR_T_64BIT=y -+CONFIG_DMA_DECLARE_COHERENT=y -+CONFIG_ARCH_HAS_SETUP_DMA_OPS=y -+CONFIG_ARCH_HAS_TEARDOWN_DMA_OPS=y -+CONFIG_ARCH_HAS_SYNC_DMA_FOR_DEVICE=y -+CONFIG_ARCH_HAS_SYNC_DMA_FOR_CPU=y -+CONFIG_ARCH_HAS_DMA_PREP_COHERENT=y -+CONFIG_SWIOTLB=y -+CONFIG_DMA_NONCOHERENT_MMAP=y -+CONFIG_DMA_COHERENT_POOL=y -+CONFIG_DMA_REMAP=y -+CONFIG_DMA_DIRECT_REMAP=y - CONFIG_DMA_CMA=y -+# CONFIG_DMA_PERNUMA_CMA is not set -+ -+# -+# Default contiguous memory area size: -+# - CONFIG_CMA_SIZE_MBYTES=64 -+CONFIG_CMA_SIZE_SEL_MBYTES=y -+# CONFIG_CMA_SIZE_SEL_PERCENTAGE is not set -+# CONFIG_CMA_SIZE_SEL_MIN is not set -+# CONFIG_CMA_SIZE_SEL_MAX is not set - CONFIG_CMA_ALIGNMENT=9 -+# CONFIG_DMA_API_DEBUG is not set -+CONFIG_SGL_ALLOC=y -+CONFIG_CPU_RMAP=y -+CONFIG_DQL=y -+CONFIG_GLOB=y -+# CONFIG_GLOB_SELFTEST is not set -+CONFIG_NLATTR=y -+CONFIG_CLZ_TAB=y -+CONFIG_IRQ_POLL=y -+CONFIG_MPILIB=y -+CONFIG_DIMLIB=y -+CONFIG_LIBFDT=y -+CONFIG_OID_REGISTRY=y -+CONFIG_UCS2_STRING=y -+CONFIG_HAVE_GENERIC_VDSO=y -+CONFIG_GENERIC_GETTIMEOFDAY=y -+CONFIG_GENERIC_VDSO_TIME_NS=y -+CONFIG_FONT_SUPPORT=y -+# CONFIG_FONTS is not set -+CONFIG_FONT_8x8=y -+CONFIG_FONT_8x16=y -+CONFIG_SG_POOL=y -+CONFIG_ARCH_STACKWALK=y -+CONFIG_SBITMAP=y -+CONFIG_PARMAN=m -+CONFIG_OBJAGG=m -+# CONFIG_STRING_SELFTEST is not set -+# end of Library routines -+ -+CONFIG_PLDMFW=y -+ -+# -+# Kernel hacking -+# -+ -+# -+# printk and dmesg options -+# - CONFIG_PRINTK_TIME=y -+# CONFIG_PRINTK_CALLER is not set -+CONFIG_CONSOLE_LOGLEVEL_DEFAULT=7 -+CONFIG_CONSOLE_LOGLEVEL_QUIET=4 -+CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4 -+# CONFIG_BOOT_PRINTK_DELAY is not set -+# CONFIG_DYNAMIC_DEBUG is not set - CONFIG_DYNAMIC_DEBUG_CORE=y - # CONFIG_SYMBOLIC_ERRNAME is not set -+CONFIG_DEBUG_BUGVERBOSE=y -+# end of printk and dmesg options -+ -+# -+# Compile-time checks and compiler options -+# - CONFIG_DEBUG_INFO=y -+# CONFIG_DEBUG_INFO_REDUCED is not set -+# CONFIG_DEBUG_INFO_COMPRESSED is not set -+# 
CONFIG_DEBUG_INFO_SPLIT is not set -+# CONFIG_DEBUG_INFO_DWARF4 is not set -+# CONFIG_DEBUG_INFO_BTF is not set -+# CONFIG_GDB_SCRIPTS is not set -+CONFIG_ENABLE_MUST_CHECK=y - CONFIG_FRAME_WARN=4096 -+# CONFIG_STRIP_ASM_SYMS is not set -+# CONFIG_READABLE_ASM is not set -+# CONFIG_HEADERS_INSTALL is not set -+# CONFIG_DEBUG_SECTION_MISMATCH is not set - # CONFIG_SECTION_MISMATCH_WARN_ONLY is not set -+# CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_32B is not set -+CONFIG_ARCH_WANT_FRAME_POINTERS=y -+CONFIG_FRAME_POINTER=y -+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set -+# end of Compile-time checks and compiler options -+ -+# -+# Generic Kernel Debugging Instruments -+# - CONFIG_MAGIC_SYSRQ=y -+CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x1 -+CONFIG_MAGIC_SYSRQ_SERIAL=y -+CONFIG_MAGIC_SYSRQ_SERIAL_SEQUENCE="" - CONFIG_DEBUG_FS=y -+CONFIG_DEBUG_FS_ALLOW_ALL=y -+# CONFIG_DEBUG_FS_DISALLOW_MOUNT is not set -+# CONFIG_DEBUG_FS_ALLOW_NONE is not set -+CONFIG_HAVE_ARCH_KGDB=y -+# CONFIG_KGDB is not set -+CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y -+# CONFIG_UBSAN is not set -+# end of Generic Kernel Debugging Instruments -+ -+CONFIG_DEBUG_KERNEL=y - # CONFIG_DEBUG_MISC is not set -+ -+# -+# Memory Debugging -+# -+# CONFIG_PAGE_EXTENSION is not set -+# CONFIG_DEBUG_PAGEALLOC is not set -+# CONFIG_PAGE_OWNER is not set -+# CONFIG_PAGE_POISONING is not set -+# CONFIG_DEBUG_PAGE_REF is not set -+# CONFIG_DEBUG_RODATA_TEST is not set -+CONFIG_ARCH_HAS_DEBUG_WX=y -+# CONFIG_DEBUG_WX is not set -+CONFIG_GENERIC_PTDUMP=y -+# CONFIG_PTDUMP_DEBUGFS is not set -+# CONFIG_DEBUG_OBJECTS is not set -+# CONFIG_SLUB_DEBUG_ON is not set -+# CONFIG_SLUB_STATS is not set -+CONFIG_HAVE_DEBUG_KMEMLEAK=y -+# CONFIG_DEBUG_KMEMLEAK is not set -+# CONFIG_DEBUG_STACK_USAGE is not set -+# CONFIG_SCHED_STACK_END_CHECK is not set -+CONFIG_ARCH_HAS_DEBUG_VM_PGTABLE=y -+# CONFIG_DEBUG_VM is not set -+# CONFIG_DEBUG_VM_PGTABLE is not set -+CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y -+# CONFIG_DEBUG_VIRTUAL is not set -+# 
CONFIG_DEBUG_MEMORY_INIT is not set -+# CONFIG_DEBUG_PER_CPU_MAPS is not set -+CONFIG_HAVE_ARCH_KASAN=y -+CONFIG_HAVE_ARCH_KASAN_SW_TAGS=y -+CONFIG_CC_HAS_KASAN_GENERIC=y -+CONFIG_CC_HAS_WORKING_NOSANITIZE_ADDRESS=y -+# CONFIG_KASAN is not set -+# end of Memory Debugging -+ -+# CONFIG_DEBUG_SHIRQ is not set -+ -+# -+# Debug Oops, Lockups and Hangs -+# - CONFIG_PANIC_ON_OOPS=y -+CONFIG_PANIC_ON_OOPS_VALUE=1 -+CONFIG_PANIC_TIMEOUT=0 -+CONFIG_LOCKUP_DETECTOR=y - CONFIG_SOFTLOCKUP_DETECTOR=y - CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y -+CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC_VALUE=1 -+CONFIG_DETECT_HUNG_TASK=y -+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 -+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set -+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0 - CONFIG_WQ_WATCHDOG=y -+# CONFIG_TEST_LOCKUP is not set -+# end of Debug Oops, Lockups and Hangs -+ -+# -+# Scheduler Debugging -+# -+CONFIG_SCHED_DEBUG=y -+CONFIG_SCHED_INFO=y - CONFIG_SCHEDSTATS=y -+# end of Scheduler Debugging -+ -+# CONFIG_DEBUG_TIMEKEEPING is not set - # CONFIG_DEBUG_PREEMPT is not set -+ -+# -+# Lock Debugging (spinlocks, mutexes, etc...) -+# -+CONFIG_LOCK_DEBUGGING_SUPPORT=y -+# CONFIG_PROVE_LOCKING is not set -+# CONFIG_LOCK_STAT is not set -+# CONFIG_DEBUG_RT_MUTEXES is not set -+# CONFIG_DEBUG_SPINLOCK is not set -+# CONFIG_DEBUG_MUTEXES is not set -+# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set -+# CONFIG_DEBUG_RWSEMS is not set -+# CONFIG_DEBUG_LOCK_ALLOC is not set -+# CONFIG_DEBUG_ATOMIC_SLEEP is not set -+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set -+# CONFIG_LOCK_TORTURE_TEST is not set -+# CONFIG_WW_MUTEX_SELFTEST is not set -+# CONFIG_SCF_TORTURE_TEST is not set -+# CONFIG_CSD_LOCK_WAIT_DEBUG is not set -+# end of Lock Debugging (spinlocks, mutexes, etc...) 
-+ -+CONFIG_STACKTRACE=y -+# CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set -+# CONFIG_DEBUG_KOBJECT is not set -+CONFIG_HAVE_DEBUG_BUGVERBOSE=y -+ -+# -+# Debug kernel data structures -+# -+# CONFIG_DEBUG_LIST is not set -+# CONFIG_DEBUG_PLIST is not set -+# CONFIG_DEBUG_SG is not set -+# CONFIG_DEBUG_NOTIFIERS is not set -+# CONFIG_BUG_ON_DATA_CORRUPTION is not set -+# end of Debug kernel data structures -+ -+# CONFIG_DEBUG_CREDENTIALS is not set -+ -+# -+# RCU Debugging -+# -+# CONFIG_RCU_SCALE_TEST is not set -+# CONFIG_RCU_TORTURE_TEST is not set -+# CONFIG_RCU_REF_SCALE_TEST is not set -+CONFIG_RCU_CPU_STALL_TIMEOUT=21 -+CONFIG_RCU_TRACE=y -+# CONFIG_RCU_EQS_DEBUG is not set -+# end of RCU Debugging -+ -+# CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set -+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set -+# CONFIG_CPU_HOTPLUG_STATE_CONTROL is not set -+# CONFIG_LATENCYTOP is not set -+CONFIG_NOP_TRACER=y -+CONFIG_HAVE_FUNCTION_TRACER=y -+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y -+CONFIG_HAVE_DYNAMIC_FTRACE=y -+CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y -+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y -+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y -+CONFIG_HAVE_C_RECORDMCOUNT=y -+CONFIG_TRACE_CLOCK=y -+CONFIG_RING_BUFFER=y -+CONFIG_EVENT_TRACING=y -+CONFIG_CONTEXT_SWITCH_TRACER=y -+CONFIG_TRACING=y -+CONFIG_GENERIC_TRACER=y -+CONFIG_TRACING_SUPPORT=y -+CONFIG_FTRACE=y -+# CONFIG_BOOTTIME_TRACING is not set -+CONFIG_FUNCTION_TRACER=y -+CONFIG_FUNCTION_GRAPH_TRACER=y - # CONFIG_DYNAMIC_FTRACE is not set -+# CONFIG_FUNCTION_PROFILER is not set - CONFIG_STACK_TRACER=y -+# CONFIG_IRQSOFF_TRACER is not set -+# CONFIG_PREEMPT_TRACER is not set -+# CONFIG_SCHED_TRACER is not set -+# CONFIG_HWLAT_TRACER is not set -+# CONFIG_FTRACE_SYSCALLS is not set -+# CONFIG_TRACER_SNAPSHOT is not set -+CONFIG_BRANCH_PROFILE_NONE=y -+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set -+# CONFIG_BLK_DEV_IO_TRACE is not set - # CONFIG_UPROBE_EVENTS is not set -+# CONFIG_SYNTH_EVENTS is not set -+# CONFIG_HIST_TRIGGERS is not set -+# 
CONFIG_TRACE_EVENT_INJECT is not set -+# CONFIG_TRACEPOINT_BENCHMARK is not set -+# CONFIG_RING_BUFFER_BENCHMARK is not set -+# CONFIG_TRACE_EVAL_MAP_FILE is not set -+# CONFIG_FTRACE_STARTUP_TEST is not set -+# CONFIG_RING_BUFFER_STARTUP_TEST is not set -+# CONFIG_PREEMPTIRQ_DELAY_TEST is not set -+# CONFIG_SAMPLES is not set -+CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y -+CONFIG_STRICT_DEVMEM=y -+# CONFIG_IO_STRICT_DEVMEM is not set -+ -+# -+# arm64 Debugging -+# - CONFIG_PID_IN_CONTEXTIDR=y -+# CONFIG_DEBUG_EFI is not set -+# CONFIG_ARM64_RELOC_TEST is not set -+# CONFIG_CORESIGHT is not set -+# end of arm64 Debugging -+ -+# -+# Kernel Testing and Coverage -+# -+# CONFIG_KUNIT is not set -+# CONFIG_NOTIFIER_ERROR_INJECTION is not set -+# CONFIG_FAULT_INJECTION is not set -+CONFIG_ARCH_HAS_KCOV=y -+CONFIG_CC_HAS_SANCOV_TRACE_PC=y -+# CONFIG_KCOV is not set - # CONFIG_RUNTIME_TESTING_MENU is not set -+# CONFIG_MEMTEST is not set -+# end of Kernel Testing and Coverage -+# end of Kernel hacking diff --git a/modules/jetpack/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/default.nix b/modules/jetpack/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/default.nix index 6910c9833..67f9d3664 100644 --- a/modules/jetpack/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/default.nix +++ b/modules/jetpack/nvidia-jetson-orin/virtualization/host/bpmp-virt-host/default.nix @@ -5,9 +5,11 @@ pkgs, config, ... -}: let +}: +let cfg = config.ghaf.hardware.nvidia.virtualization.host.bpmp; -in { +in +{ options.ghaf.hardware.nvidia.virtualization.host.bpmp.enable = lib.mkOption { type = lib.types.bool; default = false; @@ -21,7 +23,7 @@ in { }; config = lib.mkIf cfg.enable { - ghaf.hardware.nvidia.virtualization.enable = true; + nixpkgs.overlays = [ (import ./overlays/qemu) ]; # in practice this configures both host and guest kernel becaue we use only one kernel in the whole system§ boot.kernelPatches = [ 
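Review bot: The new `nixpkgs.overlays = [ (import ./overlays/qemu) ];` imports a path relative to the bpmp-virt-host directory, while the only QEMU overlay visible in this diff is `virtualization/overlays/default.nix`; confirm that `host/bpmp-virt-host/overlays/qemu` exists (it may be added elsewhere in this commit), otherwise the import should point at `../../overlays`. The same line replaces `ghaf.hardware.nvidia.virtualization.enable = true;` without a substitute in this hunk; uarta-host still sets that option itself, but a consumer that enables only `host.bpmp` would no longer pull in the virtualization base configuration, so if that is intended a comment such as `# virtualization.enable is expected to be set by the consumer of this module` would save the next reader the same question. The enclosing `config = lib.mkIf cfg.enable { … }` block continues past this hunk.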
@@ -45,5 +47,11 @@ in { }; } ]; + + # TODO: Consider are these really needed, maybe add only in debug builds? + environment.systemPackages = with pkgs; [ + qemu_kvm + dtc + ]; }; } diff --git a/modules/jetpack/nvidia-jetson-orin/virtualization/host/gpio-virt-host/default.nix b/modules/jetpack/nvidia-jetson-orin/virtualization/host/gpio-virt-host/default.nix index 6b288952c..d4f05a514 100644 --- a/modules/jetpack/nvidia-jetson-orin/virtualization/host/gpio-virt-host/default.nix +++ b/modules/jetpack/nvidia-jetson-orin/virtualization/host/gpio-virt-host/default.nix @@ -50,8 +50,8 @@ in { dtsFile = ./gpio_pt_host_overlay.dtso; # Apply overlay only to host passthrough device tree - filter = builtins.trace "Debug dtb filter (gpio-virt-host): tegra234-p3701-0000-p3737-0000.dtb" "tegra234-p3701-0000-p3737-0000.dtb"; - # filter = builtins.trace "Debug dtb filter (gpio-virt-host): tegra234-p3701-host-passthrough.dtb" "tegra234-p3701-host-passthrough.dtb"; + filter = "tegra234-p3701-0000-p3737-0000.dtb"; + # filter = "tegra234-p3701-host-passthrough.dtb"; # filter = "tegra234-p3701-host-passthrough.dtb"; } ]; diff --git a/modules/jetpack/nvidia-jetson-orin/virtualization/host/uarta-host/default.nix b/modules/jetpack/nvidia-jetson-orin/virtualization/host/uarta-host/default.nix index 2bbf06656..2b0474b54 100644 --- a/modules/jetpack/nvidia-jetson-orin/virtualization/host/uarta-host/default.nix +++ b/modules/jetpack/nvidia-jetson-orin/virtualization/host/uarta-host/default.nix @@ -5,9 +5,11 @@ pkgs, config, ... -}: let +}: +let cfg = config.ghaf.hardware.nvidia.passthroughs.host.uarta; -in { +in +{ options.ghaf.hardware.nvidia.passthroughs.host.uarta.enable = lib.mkOption { type = lib.types.bool; default = false; 
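Review bot: `environment.systemPackages = with pkgs; [ qemu_kvm dtc ];` installs a QEMU binary and a device-tree compiler on every host build where bpmp virtualization is enabled, which the TODO on the line above already questions; both appear to be interactive debugging aids, so they widen the host's installed surface without a production benefit. The debug profile touched in this same commit exposes `config.ghaf.profiles.debug.enable`, so the list can be gated without inventing a new option: `environment.systemPackages = lib.mkIf config.ghaf.profiles.debug.enable (with pkgs; [ qemu_kvm dtc ]);`. If the microvm runner turns out to need `qemu_kvm` on the host path rather than through its own closure, keep that one unconditional and gate only `dtc`.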
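Review bot: The added line `# filter = "tegra234-p3701-host-passthrough.dtb";` duplicates the unchanged comment directly below it, so the hunk leaves two identical commented-out alternatives; drop the added one and keep the existing context line. Removing the `builtins.trace` wrappers is fine, since they only echoed the literal filter string at evaluation time and conveyed nothing the source does not already show.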
@@ -15,31 +17,35 @@ in { }; config = lib.mkIf cfg.enable { - ghaf.hardware.nvidia.virtualization.enable = true; - ghaf.hardware.nvidia.virtualization.host.bpmp.enable = true; + ghaf.hardware.nvidia.virtualization = { + enable = true; + host.bpmp.enable = true; + }; - systemd.services.enableVfioPlatform = { - description = "Enable the vfio-platform driver for UARTA"; - wantedBy = ["bindSerial3100000.service"]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = "yes"; - ExecStart = '' - ${pkgs.bash}/bin/bash -c "echo vfio-platform > /sys/bus/platform/devices/3100000.serial/driver_override" - ''; + systemd.services = { + enableVfioPlatform = { + description = "Enable the vfio-platform driver for UARTA"; + wantedBy = [ "bindSerial3100000.service" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + ExecStart = '' + ${pkgs.bash}/bin/bash -c "echo vfio-platform > /sys/bus/platform/devices/3100000.serial/driver_override" + ''; + }; }; - }; - systemd.services.bindSerial3100000 = { - description = "Bind UARTA to the vfio-platform driver"; - wantedBy = ["multi-user.target"]; - after = ["enableVfioPlatform.service"]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = "yes"; - ExecStart = '' - ${pkgs.bash}/bin/bash -c "echo 3100000.serial > /sys/bus/platform/drivers/vfio-platform/bind" - ''; + bindSerial3100000 = { + description = "Bind UARTA to the vfio-platform driver"; + wantedBy = [ "multi-user.target" ]; + after = [ "enableVfioPlatform.service" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + ExecStart = '' + ${pkgs.bash}/bin/bash -c "echo 3100000.serial > /sys/bus/platform/drivers/vfio-platform/bind" + ''; + }; }; }; }; diff --git a/modules/jetpack/nvidia-jetson-orin/virtualization/overlays/default.nix b/modules/jetpack/nvidia-jetson-orin/virtualization/overlays/default.nix index 3f1811644..8517238f6 100644 --- a/modules/jetpack/nvidia-jetson-orin/virtualization/overlays/default.nix 
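Review bot: In the rewritten `bindSerial3100000` unit, `after = [ "enableVfioPlatform.service" ];` only orders the two units; it does not make the bind depend on the override having succeeded, so if the `driver_override` write fails the bind is still attempted against a device the vfio-platform driver does not own. Adding `requires = [ "enableVfioPlatform.service" ];` next to `after` turns that into an explicit dependency failure in the journal instead of an opaque bind error. The same ordering-only pattern appears in the uarti-net-vm hunk (`systemd.services."microvm@net-vm".after = [ "bindSerial31d0000.service" ];`). The regrouping under `systemd.services = { … }` is otherwise behaviour-neutral; both `ExecStart` strings are carried over unchanged.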
+++ b/modules/jetpack/nvidia-jetson-orin/virtualization/overlays/default.nix @@ -1,11 +1,7 @@ # Copyright 2022-2023 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 (_final: prev: { - qemu = prev.qemu.overrideAttrs (_final: prev: { - patches = - prev.patches - ++ [ - ./patches/0001-qemu-v8.1.3_bpmp-virt.patch - ]; - }); + qemu_kvm = prev.qemu_kvm.overrideAttrs ( + _final: prev: { patches = prev.patches ++ [ ./patches/0001-qemu-v8.1.3_bpmp-virt.patch ]; } + ); }) diff --git a/modules/jetpack/nvidia-jetson-orin/virtualization/passthrough/uarti-net-vm/default.nix b/modules/jetpack/nvidia-jetson-orin/virtualization/passthrough/uarti-net-vm/default.nix index c77905e8e..334032a54 100644 --- a/modules/jetpack/nvidia-jetson-orin/virtualization/passthrough/uarti-net-vm/default.nix +++ b/modules/jetpack/nvidia-jetson-orin/virtualization/passthrough/uarti-net-vm/default.nix @@ -5,9 +5,11 @@ pkgs, config, ... -}: let +}: +let cfg = config.ghaf.hardware.nvidia.passthroughs.uarti_net_vm; -in { +in +{ options.ghaf.hardware.nvidia.passthroughs.uarti_net_vm.enable = lib.mkOption { type = lib.types.bool; default = false; 
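Review bot: Retargeting the overlay from `prev.qemu` to `prev.qemu_kvm` means anything in the tree that still evaluates `pkgs.qemu` now receives an unpatched QEMU; the bpmp-virt-host hunk in this commit adds `qemu_kvm` to `environment.systemPackages`, which is consistent, but the microvm runner's own QEMU reference is not visible here and should be checked. The patch file name pins it to `v8.1.3`, and the build will stop at patch time if the hunks no longer apply after a nixpkgs bump, which is the desirable outcome; a one-line comment such as `# bpmp-virt patch written against QEMU 8.1.3; re-check when nixpkgs moves` would make that expectation explicit for whoever does the next update.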
@@ -25,26 +27,28 @@ in { { # Use serial passthrough (ttyAMA0) and virtual PCI serial (ttyS0) # as Linux console - microvm.kernelParams = [ - "console=ttyAMA0 console=ttyS0" - ]; - microvm.qemu.serialConsole = false; - microvm.qemu.extraArgs = [ - # Add custom dtb to Net-VM with 31d0000.serial in platform devices - "-dtb" - "${config.hardware.deviceTree.package}/tegra234-p3701-ghaf-net-vm.dtb" - # Add UARTI (31d0000.serial) as passtrhough device - "-device" - "vfio-platform,host=31d0000.serial" - # Add a virtual PCI serial device as console - "-device" - "pci-serial,chardev=stdio,id=serial0" - ]; + microvm = { + kernelParams = [ "console=ttyAMA0 console=ttyS0" ]; + qemu = { + serialConsole = false; + extraArgs = [ + # Add custom dtb to Net-VM with 31d0000.serial in platform devices + "-dtb" + "${config.hardware.deviceTree.package}/tegra234-p3701-ghaf-net-vm.dtb" + # Add UARTI (31d0000.serial) as passtrhough device + "-device" + "vfio-platform,host=31d0000.serial" + # Add a virtual PCI serial device as console + "-device" + "pci-serial,chardev=stdio,id=serial0" + ]; + }; + }; } ]; # Make sure that Net-VM runs after the binding services are enabled - systemd.services."microvm@net-vm".after = ["bindSerial31d0000.service"]; + systemd.services."microvm@net-vm".after = [ "bindSerial31d0000.service" ]; boot.kernelPatches = [ { @@ -55,7 +59,7 @@ in { systemd.services.bindSerial31d0000 = { description = "Bind UARTI to the vfio-platform driver"; - wantedBy = ["multi-user.target"]; + wantedBy = [ "multi-user.target" ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = "yes"; @@ -79,7 +83,7 @@ in { # Apply overlay only to host passthrough device tree # TODO: make this avaliable if PCI passthrough is disabled - filter = builtins.trace "Debug dtb filter (uarti-net-vm): tegra234-p3701-host-passthrough.dtb" "tegra234-p3701-host-passthrough.dtb"; + filter = "tegra234-p3701-host-passthrough.dtb"; } ]; }; 
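Review bot: `systemd.services."microvm@net-vm".after = [ "bindSerial31d0000.service" ];` only orders the VM after the bind unit; if the bind fails, the VM still starts and QEMU is handed `vfio-platform,host=31d0000.serial` for a device that is still owned by the host driver. Whether that should block the Net-VM is a product decision, but it should be made explicitly, e.g. by adding `systemd.services."microvm@net-vm".requires = [ "bindSerial31d0000.service" ];` or a comment stating that a failed bind is tolerated. The comment `# Add UARTI (31d0000.serial) as passtrhough device` carries a typo (`passthrough`) into the new layout.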
diff --git a/modules/jetpack/profiles/debug.nix b/modules/jetpack/profiles/debug.nix index 63009e03e..ec85ad421 100644 --- a/modules/jetpack/profiles/debug.nix +++ b/modules/jetpack/profiles/debug.nix @@ -1,13 +1,11 @@ # Copyright 2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 # -{ - config, - lib, - ... -}: let +{ config, lib, ... }: +let cfg = config.ghaf.profiles.debug; -in { +in +{ config = lib.mkIf cfg.enable { # Enable default accounts and passwords ghaf.hardware.nvidia.orin.optee = { diff --git a/modules/jetpack/profiles/default.nix b/modules/jetpack/profiles/default.nix index 23deb7be2..1fe227f67 100644 --- a/modules/jetpack/profiles/default.nix +++ b/modules/jetpack/profiles/default.nix @@ -1,7 +1,3 @@ # Copyright 2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - imports = [ - ./debug.nix - ]; -} +{ imports = [ ./debug.nix ]; } diff --git a/modules/lanzaboote/default.nix b/modules/lanzaboote/default.nix index 00952d051..ca65483b9 100644 --- a/modules/lanzaboote/default.nix +++ b/modules/lanzaboote/default.nix 
@@ -6,34 +6,41 @@ lib, pkgs, config, - lanzaboote, ... -}: let +}: +let cfg = config.ghaf.host.secureboot; -in { +in +{ options.ghaf.host.secureboot = { enable = lib.mkEnableOption "Host secureboot"; }; config = lib.mkIf cfg.enable { # To copy demo keys to /etc/secureboot directory - environment.etc.secureboot.source = ./demo-secure-boot-keys; + environment = { + etc.secureboot.source = ./demo-secure-boot-keys; - environment.systemPackages = [ - # For debugging and troubleshooting Secure Boot. - pkgs.sbctl - ]; + systemPackages = [ + # For debugging and troubleshooting Secure Boot. + pkgs.sbctl + ]; + }; # Lanzaboote currently replaces the systemd-boot module. # This setting is usually set to true in configuration.nix # generated at installation time. So we force it to false # for now. - boot.loader.systemd-boot.enable = lib.mkForce false; - boot.loader.efi.canTouchEfiVariables = lib.mkForce false; + boot = { + loader = { + systemd-boot.enable = lib.mkForce false; + efi.canTouchEfiVariables = lib.mkForce false; + }; - boot.lanzaboote = { - enable = true; - pkiBundle = "/etc/secureboot"; + lanzaboote = { + enable = true; + pkiBundle = "/etc/secureboot"; + }; }; }; } diff --git a/modules/lanzaboote/demo-secure-boot-keys/GUID.license b/modules/lanzaboote/demo-secure-boot-keys/GUID.license deleted file mode 100644 index 4c903bea8..000000000 --- a/modules/lanzaboote/demo-secure-boot-keys/GUID.license +++ /dev/null @@ -1,3 +0,0 @@ -SPDX-FileCopyrightText: 2022-2023 TII (SSRC) and the Ghaf contributors - -SPDX-License-Identifier: Apache-2.0 diff --git a/modules/microvm/default.nix b/modules/microvm/default.nix deleted file mode 100644 index 933958140..000000000 --- a/modules/microvm/default.nix +++ /dev/null 
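Review bot: `environment.etc.secureboot.source = ./demo-secure-boot-keys;` makes `/etc/secureboot`, which `boot.lanzaboote.pkiBundle` uses as the signing PKI, a copy of a directory that lives in the world-readable Nix store; if that directory holds the demo private keys (the name suggests it does), every local user on the host can read the keys that sign the boot chain, and presumably the same keys are shared by every build of this module. The commit should either tie this to the debug profile or state the limitation next to the line, e.g. `# DEMO ONLY: these keys are in the Nix store and therefore public; enrol per-device keys (sbctl) for any real deployment.`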
@@ -1,15 +0,0 @@ -# Copyright 2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -# -# Implementation of ghaf's virtual machines based on microvm.nix -# -{ - imports = [ - ./virtualization/microvm/microvm-host.nix - ./virtualization/microvm/netvm.nix - ./virtualization/microvm/appvm.nix - ./virtualization/microvm/guivm.nix - ./virtualization/microvm/gpiovm.nix - ./networking.nix - ]; -} diff --git a/modules/microvm/flake-module.nix b/modules/microvm/flake-module.nix new file mode 100644 index 000000000..feb4c5bef --- /dev/null +++ b/modules/microvm/flake-module.nix @@ -0,0 +1,22 @@ +# Copyright 2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ inputs, ... }: +{ + flake.nixosModules = { + microvm.imports = [ + inputs.microvm.nixosModules.host + (import ./virtualization/microvm/microvm-host.nix { inherit inputs; }) + (import ./virtualization/microvm/netvm.nix { inherit inputs; }) + (import ./virtualization/microvm/gpiovm.nix { inherit inputs; }) + (import ./virtualization/microvm/adminvm.nix { inherit inputs; }) + (import ./virtualization/microvm/appvm.nix { inherit inputs; }) + (import ./virtualization/microvm/guivm.nix { inherit inputs; }) + (import ./virtualization/microvm/audiovm.nix { inherit inputs; }) + ./virtualization/microvm/idsvm/idsvm.nix + ./virtualization/microvm/idsvm/mitmproxy + ./virtualization/microvm/modules.nix + ./networking.nix + ./power-control.nix + ]; + }; +} diff --git a/modules/microvm/networking.nix b/modules/microvm/networking.nix index 589902b3a..01d075856 100644 --- a/modules/microvm/networking.nix +++ b/modules/microvm/networking.nix 
@@ -3,44 +3,52 @@ { config, lib, + pkgs, ... -}: let +}: +let cfg = config.ghaf.host.networking; + sshKeysHelper = pkgs.callPackage ../../packages/ssh-keys-helper { + inherit pkgs; + inherit config; + }; in - with lib; { - options.ghaf.host.networking = { - enable = mkEnableOption "Host networking"; - # TODO add options to configure the network, e.g. ip addr etc +{ + options.ghaf.host.networking = { + enable = lib.mkEnableOption "Host networking"; + # TODO add options to configure the network, e.g. ip addr etc + }; + + config = lib.mkIf cfg.enable { + networking = { + enableIPv6 = false; + useNetworkd = true; + interfaces.virbr0.useDHCP = false; }; - config = mkIf cfg.enable { - networking = { - enableIPv6 = false; - useNetworkd = true; - interfaces.virbr0.useDHCP = false; + systemd.network = { + netdevs."10-virbr0".netdevConfig = { + Kind = "bridge"; + Name = "virbr0"; + # MACAddress = "02:00:00:02:02:02"; }; - - systemd.network = { - netdevs."10-virbr0".netdevConfig = { - Kind = "bridge"; - Name = "virbr0"; - # MACAddress = "02:00:00:02:02:02"; - }; - networks."10-virbr0" = { - matchConfig.Name = "virbr0"; - networkConfig.DHCPServer = false; - addresses = [ - { - addressConfig.Address = "192.168.101.2/24"; - } - ]; - }; - # Connect VM tun/tap device to the bridge - # TODO configure this based on IF the netvm is enabled - networks."11-netvm" = { - matchConfig.Name = "tap-*"; - networkConfig.Bridge = "virbr0"; - }; + networks."10-virbr0" = { + matchConfig.Name = "virbr0"; + networkConfig.DHCPServer = false; + addresses = [ { Address = "192.168.101.2/24"; } ]; + }; + # Connect VM tun/tap device to the bridge + # TODO configure this based on IF the netvm is enabled + networks."11-netvm" = { + matchConfig.Name = "tap-*"; + networkConfig.Bridge = "virbr0"; }; }; - } + + environment.etc = { + ${config.ghaf.security.sshKeys.getAuthKeysFilePathInEtc} = sshKeysHelper.getAuthKeysSource; + }; + + services.openssh = config.ghaf.security.sshKeys.sshAuthorizedKeysCommand; + }; 
+} diff --git a/modules/microvm/power-control.nix b/modules/microvm/power-control.nix new file mode 100644 index 000000000..323d01087 --- /dev/null +++ b/modules/microvm/power-control.nix @@ -0,0 +1,15 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ config, lib, ... }: +let + cfg = config.ghaf.host.powercontrol; +in +{ + options.ghaf.host.powercontrol.enable = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Enable host power control"; + }; + + config = lib.mkIf cfg.enable { }; +} diff --git a/modules/microvm/virtualization/microvm/adminvm.nix b/modules/microvm/virtualization/microvm/adminvm.nix new file mode 100644 index 000000000..0395c1d04 --- /dev/null +++ b/modules/microvm/virtualization/microvm/adminvm.nix 
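Review bot: The host's sshd now gets an `AuthorizedKeysCommand` (`services.openssh = config.ghaf.security.sshKeys.sshAuthorizedKeysCommand;` together with the `environment.etc` entry for `getAuthKeysFilePathInEtc`) as a side effect of `ghaf.host.networking.enable`, an option described only as "Host networking". Host SSH authorization policy should be gated on its own switch — the tree already has `ghaf.development.ssh.daemon.enable` — and explained in place, e.g. `# Let the waypipe/VM key authenticate to the host's sshd (see packages/ssh-keys-helper)`. The new `pkgs` module argument and the `sshKeysHelper` binding exist only for this block, so they can move with it.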
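Review bot: `options.ghaf.host.powercontrol.enable` is declared but `config = lib.mkIf cfg.enable { };` is empty, so enabling it does nothing and nothing on this page shows a consumer; the option description should say so, e.g. `description = "Enable host power control (placeholder: no configuration is applied yet)";`, or the file should stay out of `flake.nixosModules.microvm` until it has content.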
@@ -0,0 +1,134 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ inputs }: +{ config, lib, ... }: +let + configHost = config; + vmName = "admin-vm"; + macAddress = "02:00:00:AD:01:01"; + isLoggingEnabled = config.ghaf.logging.client.enable; + + adminvmBaseConfiguration = { + imports = [ + inputs.self.nixosModules.givc-adminvm + (import ./common/vm-networking.nix { + inherit + config + lib + vmName + macAddress + ; + internalIP = 10; + }) + # We need to retrieve mac address and start log aggregator + ../../../common/logging/hw-mac-retrieve.nix + ../../../common/logging/logs-aggregator.nix + ( + { lib, ... }: + { + ghaf = { + users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable; + profiles.debug.enable = lib.mkDefault configHost.ghaf.profiles.debug.enable; + development = { + # NOTE: SSH port also becomes accessible on the network interface + # that has been passed through to VM + ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable; + debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable; + nix-setup.enable = lib.mkDefault configHost.ghaf.development.nix-setup.enable; + }; + systemd = { + enable = true; + withName = "adminvm-systemd"; + withAudit = configHost.ghaf.profiles.debug.enable; + withNss = true; + withResolved = true; + withPolkit = true; + withTimesyncd = true; + withDebug = configHost.ghaf.profiles.debug.enable; + withHardenedConfigs = true; + }; + + givc.adminvm.enable = true; + + # Log aggregation configuration + logging.client.enable = isLoggingEnabled; + logging.listener.address = configHost.ghaf.logging.listener.address; + logging.listener.port = configHost.ghaf.logging.listener.port; + logging.identifierFilePath = "/var/lib/private/alloy/MACAddress"; + logging.server.endpoint = "https://loki.ghaflogs.vedenemo.dev/loki/api/v1/push"; + }; + + system.stateVersion = lib.trivial.release; + + nixpkgs.buildPlatform.system = 
configHost.nixpkgs.buildPlatform.system; + nixpkgs.hostPlatform.system = configHost.nixpkgs.hostPlatform.system; + + networking = { + firewall.allowedTCPPorts = lib.mkIf isLoggingEnabled [ config.ghaf.logging.listener.port ]; + firewall.allowedUDPPorts = [ ]; + }; + + systemd.network = { + enable = true; + networks."10-ethint0" = { + matchConfig.MACAddress = macAddress; + linkConfig.ActivationPolicy = "always-up"; + }; + }; + + microvm = { + optimize.enable = true; + #TODO: Add back support cloud-hypervisor + #the system fails to switch root to the stage2 with cloud-hypervisor + hypervisor = "qemu"; + shares = + [ + { + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + proto = "virtiofs"; + } + ] + ++ lib.optionals isLoggingEnabled [ + { + # Creating a persistent log-store which is mapped on ghaf-host + # This is only to preserve logs state across adminvm reboots + tag = "log-store"; + source = "/var/lib/private/alloy"; + mountPoint = "/var/lib/private/alloy"; + proto = "virtiofs"; + } + ]; + + writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store"; + }; + imports = [ ../../../common ]; + } + ) + ]; + }; + cfg = config.ghaf.virtualization.microvm.adminvm; +in +{ + options.ghaf.virtualization.microvm.adminvm = { + enable = lib.mkEnableOption "AdminVM"; + + extraModules = lib.mkOption { + description = '' + List of additional modules to be imported and evaluated as part of + AdminVM's NixOS configuration. + ''; + default = [ ]; + }; + }; + + config = lib.mkIf cfg.enable { + microvm.vms."${vmName}" = { + autostart = true; + config = adminvmBaseConfiguration // { + imports = adminvmBaseConfiguration.imports ++ cfg.extraModules; + }; + }; + }; +} diff --git a/modules/microvm/virtualization/microvm/appvm.nix b/modules/microvm/virtualization/microvm/appvm.nix index 2481666f6..fb6659a8a 100644 --- a/modules/microvm/virtualization/microvm/appvm.nix +++ b/modules/microvm/virtualization/microvm/appvm.nix 
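Review bot: `logging.server.endpoint = "https://loki.ghaflogs.vedenemo.dev/loki/api/v1/push"` hard-codes an external log sink inside the admin VM definition, so every build forwards aggregated logs there unless a downstream module happens to override it; the listener address and port beside it are already read from `configHost.ghaf.logging`, and the endpoint should be an option of the same family with this value at most as a documented default. The persistent `log-store` share maps `/var/lib/private/alloy` from the host and the guest reads its identity from `/var/lib/private/alloy/MACAddress`, so host-side permissions on that directory decide who can rewrite the VM's log identity; a comment on the share noting that expectation would help whoever provisions the host.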
@@ -1,199 +1,257 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 +{ inputs }: { config, lib, + pkgs, ... -}: let +}: +let + inherit (lib) mkOption types optional; + configHost = config; cfg = config.ghaf.virtualization.microvm.appvm; - makeVm = { - vm, - index, - }: let - vmName = "${vm.name}-vm"; - cid = - if vm.cid > 0 - then vm.cid - else cfg.vsockBaseCID + index; - appvmConfiguration = { - imports = [ - (import ./common/vm-networking.nix { - inherit vmName; - inherit (vm) macAddress; - }) - ({ - lib, - config, - pkgs, - ... - }: let - waypipeBorder = - if vm.borderColor != null - then "--border \"${vm.borderColor}\"" - else ""; - runWaypipe = with pkgs; - writeScriptBin "run-waypipe" '' - #!${runtimeShell} -e - ${pkgs.waypipe}/bin/waypipe --vsock -s ${toString configHost.ghaf.virtualization.microvm.guivm.waypipePort} ${waypipeBorder} server $@ - ''; - in { - ghaf = { - users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable; - - development = { - ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable; - debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable; - nix-setup.enable = lib.mkDefault configHost.ghaf.development.nix-setup.enable; - }; - systemd = { - enable = true; - withName = "appvm-systemd"; - withNss = true; - withResolved = true; - withPolkit = true; - withDebug = configHost.ghaf.profiles.debug.enable; - }; - }; - # SSH is very picky about the file permissions and ownership and will - # accept neither direct path inside /nix/store or symlink that points - # there. Therefore we copy the file to /etc/ssh/get-auth-keys (by - # setting mode), instead of symlinking it. 
- environment.etc."ssh/get-auth-keys" = { - source = let - script = pkgs.writeShellScriptBin "get-auth-keys" '' - [[ "$1" != "ghaf" ]] && exit 0 - ${pkgs.coreutils}/bin/cat /run/waypipe-ssh-public-key/id_ed25519.pub + sshKeysHelper = pkgs.callPackage ../../../../packages/ssh-keys-helper { + inherit pkgs; + config = configHost; + }; + + makeVm = + { vm, index }: + let + vmName = "${vm.name}-vm"; + cid = if vm.cid > 0 then vm.cid else cfg.vsockBaseCID + index; + appvmConfiguration = { + imports = [ + inputs.impermanence.nixosModules.impermanence + inputs.self.nixosModules.givc-appvm + (import ./common/vm-networking.nix { + inherit config lib vmName; + inherit (vm) macAddress; + internalIP = index + 100; + }) + + ./common/storagevm.nix + + # To push logs to central location + ../../../common/logging/client.nix + ( + { + lib, + config, + pkgs, + ... + }: + let + waypipeBorder = if vm.borderColor != null then "--border \"${vm.borderColor}\"" else ""; + runWaypipe = pkgs.writeScriptBin "run-waypipe" '' + #!${pkgs.runtimeShell} -e + ${pkgs.waypipe}/bin/waypipe --vsock -s ${toString configHost.ghaf.virtualization.microvm.guivm.waypipePort} ${waypipeBorder} server "$@" ''; - in "${script}/bin/get-auth-keys"; - mode = "0555"; - }; - services.openssh = { - authorizedKeysCommand = "/etc/ssh/get-auth-keys"; - authorizedKeysCommandUser = "nobody"; - }; + in + { + ghaf = { + users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable; + profiles.debug.enable = lib.mkDefault configHost.ghaf.profiles.debug.enable; - system.stateVersion = lib.trivial.release; - - nixpkgs.buildPlatform.system = configHost.nixpkgs.buildPlatform.system; - nixpkgs.hostPlatform.system = configHost.nixpkgs.hostPlatform.system; - - environment.systemPackages = [ - pkgs.waypipe - runWaypipe - ]; - - microvm = { - optimize.enable = false; - mem = vm.ramMb; - vcpu = vm.cores; - hypervisor = "qemu"; - shares = [ - { - tag = "waypipe-ssh-public-key"; - source = "/run/waypipe-ssh-public-key"; - 
mountPoint = "/run/waypipe-ssh-public-key"; - } - { - tag = "ro-store"; - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - } - ]; - writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store"; + development = { + ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable; + debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable; + nix-setup.enable = lib.mkDefault configHost.ghaf.development.nix-setup.enable; + }; + systemd = { + enable = true; + withName = "appvm-systemd"; + withAudit = configHost.ghaf.profiles.debug.enable; + withNss = true; + withResolved = true; + withTimesyncd = true; + withPolkit = true; + withDebug = configHost.ghaf.profiles.debug.enable; + withHardenedConfigs = true; + }; + # Logging client configuration + logging.client.enable = configHost.ghaf.logging.client.enable; + logging.client.endpoint = configHost.ghaf.logging.client.endpoint; + }; - qemu.extraArgs = [ - "-M" - "q35,accel=kvm:tcg,mem-merge=on,sata=off" - "-device" - "vhost-vsock-pci,guest-cid=${toString cid}" - ]; - }; - fileSystems."/run/waypipe-ssh-public-key".options = ["ro"]; + # SSH is very picky about the file permissions and ownership and will + # accept neither direct path inside /nix/store or symlink that points + # there. Therefore we copy the file to /etc/ssh/get-auth-keys (by + # setting mode), instead of symlinking it. 
+ environment.etc.${configHost.ghaf.security.sshKeys.getAuthKeysFilePathInEtc} = + sshKeysHelper.getAuthKeysSource; + services.openssh = configHost.ghaf.security.sshKeys.sshAuthorizedKeysCommand; + + system.stateVersion = lib.trivial.release; + + nixpkgs.buildPlatform.system = configHost.nixpkgs.buildPlatform.system; + nixpkgs.hostPlatform.system = configHost.nixpkgs.hostPlatform.system; + + environment.systemPackages = [ + pkgs.waypipe + runWaypipe + pkgs.tpm2-tools + pkgs.opensc + ]; + + security.tpm2 = { + enable = true; + abrmd.enable = true; + }; + + security.pki.certificateFiles = + lib.mkIf configHost.ghaf.virtualization.microvm.idsvm.mitmproxy.enable + [ ./idsvm/mitmproxy/mitmproxy-ca/mitmproxy-ca-cert.pem ]; + + microvm = { + optimize.enable = false; + mem = vm.ramMb; + vcpu = vm.cores; + hypervisor = "qemu"; + shares = [ + { + tag = "waypipe-ssh-public-key"; + source = configHost.ghaf.security.sshKeys.waypipeSshPublicKeyDir; + mountPoint = configHost.ghaf.security.sshKeys.waypipeSshPublicKeyDir; + } + { + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + } + ]; + writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store"; - imports = [../../../common]; - }) - ]; + qemu = { + extraArgs = + [ + "-M" + "accel=kvm:tcg,mem-merge=on,sata=off" + "-device" + "vhost-vsock-pci,guest-cid=${toString cid}" + ] + ++ lib.optionals vm.vtpm.enable [ + "-chardev" + "socket,id=chrtpm,path=/var/lib/swtpm/${vm.name}-sock" + "-tpmdev" + "emulator,id=tpm0,chardev=chrtpm" + "-device" + "tpm-tis,tpmdev=tpm0" + ]; + + machine = + { + # Use the same machine type as the host + x86_64-linux = "q35"; + aarch64-linux = "virt"; + } + .${configHost.nixpkgs.hostPlatform.system}; + }; + }; + fileSystems."${configHost.ghaf.security.sshKeys.waypipeSshPublicKeyDir}".options = [ "ro" ]; + + imports = [ ../../../common ]; + } + ) + ]; + }; + in + { + autostart = true; + config = appvmConfiguration // { + imports = + 
appvmConfiguration.imports + ++ cfg.extraModules + ++ vm.extraModules + ++ [ { environment.systemPackages = vm.packages; } ]; + }; }; - in { - autostart = true; - config = appvmConfiguration // {imports = appvmConfiguration.imports ++ cfg.extraModules ++ vm.extraModules ++ [{environment.systemPackages = vm.packages;}];}; - }; -in { - options.ghaf.virtualization.microvm.appvm = with lib; { + + # Host service dependencies + after = optional config.ghaf.services.audio.enable "pulseaudio.service"; + requires = after; + # Sleep appvms to give gui-vm time to start + serviceConfig.ExecStartPre = "/bin/sh -c 'sleep 8'"; +in +{ + options.ghaf.virtualization.microvm.appvm = { enable = lib.mkEnableOption "appvm"; - vms = with types; - mkOption { - description = '' - List of AppVMs to be created - ''; - type = lib.types.listOf (submodule { + vms = mkOption { + description = '' + List of AppVMs to be created + ''; + type = lib.types.listOf ( + types.submodule { options = { name = mkOption { description = '' Name of the AppVM ''; - type = str; + type = types.str; }; packages = mkOption { description = '' Packages that are included into the AppVM ''; - type = types.listOf package; - default = []; + type = types.listOf types.package; + default = [ ]; }; macAddress = mkOption { description = '' AppVM's network interface MAC address ''; - type = str; + type = types.str; }; ramMb = mkOption { description = '' Amount of RAM for this AppVM ''; - type = int; + type = types.int; }; cores = mkOption { description = '' Amount of processor cores for this AppVM ''; - type = int; + type = types.int; }; extraModules = mkOption { description = '' List of additional modules to be imported and evaluated as part of appvm's NixOS configuration. 
''; - default = []; + default = [ ]; }; cid = mkOption { description = '' VSOCK context identifier (CID) for the AppVM Default value 0 means auto-assign using vsockBaseCID and AppVM index ''; - type = int; + type = types.int; default = 0; }; borderColor = mkOption { description = '' Border color of the AppVM window ''; - type = nullOr str; + type = types.nullOr types.str; default = null; }; + vtpm.enable = lib.mkEnableOption "vTPM support in the virtual machine"; }; - }); - default = []; - }; + } + ); + default = [ ]; + }; extraModules = mkOption { description = '' List of additional modules to be imported and evaluated as part of appvm's NixOS configuration. ''; - default = []; + default = [ ]; }; # Base VSOCK CID which is used for auto assigning CIDs for all AppVMs 
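Review bot: `security.pki.certificateFiles` installs `./idsvm/mitmproxy/mitmproxy-ca/mitmproxy-ca-cert.pem`, a CA vendored in the repository, into every AppVM's trust store whenever the IDS VM's mitmproxy is enabled; presumably the matching private key ships alongside it (mitmproxy needs it to sign with this CA), in which case anyone with the public repository can intercept TLS from these VMs, so the CA should be generated per deployment rather than committed, or the line should at least carry `# DEMO ONLY: vendored CA, its key is public`. `serviceConfig.ExecStartPre = "/bin/sh -c 'sleep 8'"` encodes the gui-vm ordering as a fixed delay; `after`/`requires` on the gui-vm unit would express it deterministically. `security.tpm2.enable = true` and `pkgs.tpm2-tools`/`pkgs.opensc` are applied to every AppVM while the QEMU vTPM device is gated on `vm.vtpm.enable`; gating all of them on the same flag keeps non-vTPM VMs smaller.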
@@ -208,10 +266,59 @@ in { }; }; - config = lib.mkIf cfg.enable { - microvm.vms = let - vms = lib.imap0 (index: vm: {"${vm.name}-vm" = makeVm {inherit index vm;};}) cfg.vms; + config = + let + makeSwtpmService = + { vm }: + let + swtpmScript = pkgs.writeShellApplication { + name = "${vm.name}-swtpm"; + runtimeInputs = with pkgs; [ + coreutils + swtpm + ]; + text = '' + mkdir -p /var/lib/swtpm/${vm.name}-state + swtpm socket --tpmstate dir=/var/lib/swtpm/${vm.name}-state \ + --ctrl type=unixio,path=/var/lib/swtpm/${vm.name}-sock \ + --tpm2 \ + --log level=20 + ''; + }; + in + lib.mkIf vm.vtpm.enable { + enable = true; + description = "swtpm service for ${vm.name}"; + path = [ swtpmScript ]; + wantedBy = [ "microvms.target" ]; + serviceConfig = { + Type = "simple"; + User = "microvm"; + Restart = "always"; + StateDirectory = "swtpm"; + StandardOutput = "journal"; + StandardError = "journal"; + ExecStart = "${swtpmScript}/bin/${vm.name}-swtpm"; + }; + }; in - lib.foldr lib.recursiveUpdate {} vms; - }; + lib.mkIf cfg.enable { + microvm.vms = + let + vms = lib.imap0 (index: vm: { "${vm.name}-vm" = makeVm { inherit index vm; }; }) cfg.vms; + in + lib.foldr lib.recursiveUpdate { } vms; + + # Apply host service dependencies, add swtpm + systemd.services = + let + serviceDependencies = map (vm: { + "microvm@${vm.name}-vm" = { + inherit after requires serviceConfig; + }; + "${vm.name}-swtpm" = makeSwtpmService { inherit vm; }; + }) cfg.vms; + in + lib.foldr lib.recursiveUpdate { } serviceDependencies; + }; } diff --git a/modules/microvm/virtualization/microvm/audiovm.nix b/modules/microvm/virtualization/microvm/audiovm.nix new file mode 100644 index 000000000..7d90ee030 --- /dev/null +++ b/modules/microvm/virtualization/microvm/audiovm.nix 
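Review bot: `microvm@${vm.name}-vm` is not ordered after `${vm.name}-swtpm.service`, so with `vtpm.enable` QEMU can start before swtpm has created `/var/lib/swtpm/${vm.name}-sock` and fail on the `-chardev socket` connect; in `serviceDependencies` replace `inherit after requires serviceConfig;` with `after = after ++ lib.optional vm.vtpm.enable "${vm.name}-swtpm.service"; requires = requires ++ lib.optional vm.vtpm.enable "${vm.name}-swtpm.service"; inherit serviceConfig;`. The swtpm state directory holds whatever the guest seals into its TPM, and `StateDirectory = "swtpm"` is created with systemd's default mode, so add `StateDirectoryMode = "0700";` to `serviceConfig` and use `mkdir -p -m 0700` in `swtpmScript` so other local users cannot read `${vm.name}-state`. `--log level=20` is very verbose for a unit that writes to the journal in production.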
@@ -0,0 +1,164 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ inputs }: +{ + config, + lib, + pkgs, + ... +}: +let + configHost = config; + vmName = "audio-vm"; + macAddress = "02:00:00:03:03:03"; + isGuiVmEnabled = config.ghaf.virtualization.microvm.guivm.enable; + + sshKeysHelper = pkgs.callPackage ../../../../packages/ssh-keys-helper { + inherit pkgs; + inherit config; + }; + + audiovmBaseConfiguration = { + imports = [ + inputs.self.nixosModules.givc-audiovm + (import ./common/vm-networking.nix { + inherit + config + lib + vmName + macAddress + ; + internalIP = 5; + }) + ( + { lib, pkgs, ... }: + { + imports = [ ../../../common ]; + + ghaf = { + users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable; + profiles.debug.enable = lib.mkDefault configHost.ghaf.profiles.debug.enable; + + development = { + ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable; + debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable; + nix-setup.enable = lib.mkDefault configHost.ghaf.development.nix-setup.enable; + }; + systemd = { + enable = true; + withName = "audiovm-systemd"; + withAudit = configHost.ghaf.profiles.debug.enable; + withNss = true; + withResolved = true; + withTimesyncd = true; + withDebug = configHost.ghaf.profiles.debug.enable; + }; + givc.audiovm.enable = true; + services.audio.enable = true; + }; + + environment = { + systemPackages = [ + pkgs.pulseaudio + pkgs.pamixer + pkgs.pipewire + ] ++ lib.optional config.ghaf.development.debug.tools.enable pkgs.alsa-utils; + }; + + time.timeZone = config.time.timeZone; + system.stateVersion = lib.trivial.release; + + nixpkgs = { + buildPlatform.system = configHost.nixpkgs.buildPlatform.system; + hostPlatform.system = configHost.nixpkgs.hostPlatform.system; + }; + + services.openssh = config.ghaf.security.sshKeys.sshAuthorizedKeysCommand; + + microvm = { + # Optimize is disabled because when it 
is enabled, qemu is built without libusb + optimize.enable = false; + vcpu = 1; + mem = 256; + hypervisor = "qemu"; + shares = + [ + { + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + } + ] + ++ lib.optionals isGuiVmEnabled [ + { + # Add the waypipe-ssh public key to the microvm + tag = config.ghaf.security.sshKeys.waypipeSshPublicKeyName; + source = config.ghaf.security.sshKeys.waypipeSshPublicKeyDir; + mountPoint = config.ghaf.security.sshKeys.waypipeSshPublicKeyDir; + } + ]; + writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store"; + qemu = { + machine = + { + # Use the same machine type as the host + x86_64-linux = "q35"; + aarch64-linux = "virt"; + } + .${configHost.nixpkgs.hostPlatform.system}; + extraArgs = [ + "-device" + "qemu-xhci" + ]; + }; + }; + + fileSystems = lib.mkIf isGuiVmEnabled { + ${config.ghaf.security.sshKeys.waypipeSshPublicKeyDir}.options = [ "ro" ]; + }; + + # Fixed IP-address for debugging subnet + # SSH is very picky about to file permissions and ownership and will + # accept neither direct path inside /nix/store or symlink that points + # there. Therefore we copy the file to /etc/ssh/get-auth-keys (by + # setting mode), instead of symlinking it. 
+ environment.etc = lib.mkIf isGuiVmEnabled { + ${config.ghaf.security.sshKeys.getAuthKeysFilePathInEtc} = sshKeysHelper.getAuthKeysSource; + }; + + systemd.network.networks."10-ethint0".addresses = + let + getAudioVmEntry = builtins.filter ( + x: x.name == "audio-vm" + lib.optionalString config.ghaf.profiles.debug.enable "-debug" + ) config.ghaf.networking.hosts.entries; + ip = lib.head (builtins.map (x: x.ip) getAudioVmEntry); + in + [ { Address = "${ip}/24"; } ]; + } + ) + ]; + }; + cfg = config.ghaf.virtualization.microvm.audiovm; +in +{ + options.ghaf.virtualization.microvm.audiovm = { + enable = lib.mkEnableOption "AudioVM"; + + extraModules = lib.mkOption { + description = '' + List of additional modules to be imported and evaluated as part of + AudioVM's NixOS configuration. + ''; + default = [ ]; + }; + }; + + config = lib.mkIf cfg.enable { + microvm.vms."${vmName}" = { + autostart = true; + config = audiovmBaseConfiguration // { + imports = audiovmBaseConfiguration.imports ++ cfg.extraModules; + }; + }; + }; +} diff --git a/modules/microvm/virtualization/microvm/common/storagevm.nix b/modules/microvm/virtualization/microvm/common/storagevm.nix new file mode 100644 index 000000000..6f86423b0 --- /dev/null +++ b/modules/microvm/virtualization/microvm/common/storagevm.nix 
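Review bot: `services.openssh = config.ghaf.security.sshKeys.sshAuthorizedKeysCommand;` is unconditional, while the `environment.etc` entry that installs the AuthorizedKeysCommand script and the share that provides the waypipe public key are both gated on `isGuiVmEnabled`, so with guivm disabled sshd is pointed at a command path that does not exist in this VM. Gate it the same way: `services.openssh = lib.mkIf isGuiVmEnabled config.ghaf.security.sshKeys.sshAuthorizedKeysCommand;`. The comment line `# Fixed IP-address for debugging subnet` sits above the SSH `environment.etc` block but describes the `systemd.network` address lookup below it; move it down. `lib.head` on the filtered hosts entry throws an opaque error when no `audio-vm` entry exists; wrapping it in `lib.assertMsg` with the missing name would make the failure readable.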
@@ -0,0 +1,88 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ lib, config, ... }: +let + cfg = config.ghaf.storagevm; + mountPath = "/tmp/storagevm"; +in +{ + options.ghaf.storagevm = with lib; { + enable = mkEnableOption "StorageVM support"; + + name = mkOption { + description = '' + Name of the corresponding directory on the storage virtual machine. + ''; + type = types.str; + }; + + directories = mkOption { + # FIXME: Probably will lead to disgraceful error messages, as we + # put typechecking on nix impermanence option. But other, + # proper, ways are much harder. + type = types.anything; + default = [ ]; + example = [ + "Downloads" + "Music" + "Pictures" + "Documents" + "Videos" + ]; + description = '' + Directories to bind mount to persistent storage. + ''; + }; + + users = mkOption { + type = types.anything; + default = { }; + example = { + "user".directories = [ + "Downloads" + "Music" + "Pictures" + "Documents" + "Videos" + ]; + }; + description = '' + User-specific directories to bind mount to persistent storage. + ''; + }; + + files = mkOption { + type = types.anything; + default = [ ]; + example = [ "/etc/machine-id" ]; + description = '' + Files to bind mount to persistent storage. + ''; + }; + }; + + config = lib.mkIf cfg.enable { + fileSystems.${mountPath}.neededForBoot = true; + + microvm.shares = [ + { + tag = "hostshare"; + proto = "virtiofs"; + securityModel = "passthrough"; + source = "/storagevm/${cfg.name}"; + mountPoint = mountPath; + } + ]; + + environment.persistence.${mountPath} = lib.mkMerge [ + { + hideMounts = true; + files = [ + "/etc/ssh/ssh_host_ed25519_key.pub" + "/etc/ssh/ssh_host_ed25519_key" + ]; + } + { inherit (cfg) directories users files; } + ]; + }; +} diff --git a/modules/microvm/virtualization/microvm/common/vm-networking.nix b/modules/microvm/virtualization/microvm/common/vm-networking.nix index 5f977355c..6d9dc1886 100644 
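Review bot: `cfg.name` is declared as `types.str` and interpolated straight into `source = "/storagevm/${cfg.name}"`, so a name containing `/` or `..` maps the share outside `/storagevm`; constrain it with `type = types.strMatching "[A-Za-z0-9_-]+";`. The persisted files include `/etc/ssh/ssh_host_ed25519_key`, which with `securityModel = "passthrough"` means the VM's SSH host private key lives on the host filesystem under `/storagevm/<name>` with the guest's uid/gid; the option docs should state that read access to that host directory is equivalent to holding the VM's host key, and the host-side directory needs restrictive permissions before the share is attached.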
--- a/modules/microvm/virtualization/microvm/common/vm-networking.nix +++ b/modules/microvm/virtualization/microvm/common/vm-networking.nix @@ -1,21 +1,33 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 { + config, + lib, vmName, macAddress, + internalIP, + isGateway ? false, ... -}: let +}: +let networkName = "ethint0"; -in { + netVmEntry = builtins.filter (x: x.name == "net-vm") config.ghaf.networking.hosts.entries; + netVmAddress = builtins.map (x: x.ip) netVmEntry; + isIdsvmEnabled = config.ghaf.virtualization.microvm.idsvm.enable; + idsVmEntry = builtins.filter (x: x.name == "ids-vm") config.ghaf.networking.hosts.entries; + idsVmAddress = lib.optionals isIdsvmEnabled (builtins.map (x: x.ip) idsVmEntry); + gateway = if isIdsvmEnabled && (vmName != "ids-vm") then idsVmAddress else netVmAddress; +in +{ networking = { hostName = vmName; enableIPv6 = false; - firewall.allowedTCPPorts = [22]; - firewall.allowedUDPPorts = [67]; + firewall.allowedTCPPorts = [ 22 ]; + firewall.allowedUDPPorts = [ 67 ]; useNetworkd = true; nat = { enable = true; - internalInterfaces = [networkName]; + internalInterfaces = [ networkName ]; }; }; @@ -37,10 +49,17 @@ in { }; networks."10-${networkName}" = { matchConfig.MACAddress = macAddress; - DHCP = "yes"; + addresses = + [ { Address = "192.168.100.${toString internalIP}/24"; } ] + ++ lib.optionals config.ghaf.profiles.debug.enable [ + { + # IP-address for debugging subnet + Address = "192.168.101.${toString internalIP}/24"; + } + ]; linkConfig.RequiredForOnline = "routable"; linkConfig.ActivationPolicy = "always-up"; - }; + } // lib.optionalAttrs (!isGateway) { inherit gateway; }; }; # systemd-resolved does not support local names resolution 
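Review bot: `gateway` becomes an empty list when the `ids-vm` (or `net-vm`) entry is missing from `config.ghaf.networking.hosts.entries`, and the second hunk's `// lib.optionalAttrs (!isGateway) { inherit gateway; }` then yields a VM with no default route instead of an evaluation error; add a check in the `let`, e.g. `gateway = assert lib.assertMsg (netVmAddress != [ ]) "vm-networking: no net-vm entry in ghaf.networking.hosts.entries"; if isIdsvmEnabled && (vmName != "ids-vm") then idsVmAddress else netVmAddress;`. The static debug address `192.168.101.${toString internalIP}/24` shares the subnet of the host's `virbr0` at `192.168.101.2/24` (networking.nix), so the callers on this page must never pass `internalIP = 2`; an assertion or a comment documenting the reserved host address would prevent a silent collision.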
diff --git a/modules/microvm/virtualization/microvm/qemu-gpio-guestvm.dtb b/modules/microvm/virtualization/microvm/dtb/qemu-gpio-guestvm.dtb similarity index 100% rename from modules/microvm/virtualization/microvm/qemu-gpio-guestvm.dtb rename to modules/microvm/virtualization/microvm/dtb/qemu-gpio-guestvm.dtb diff --git a/modules/jetpack-microvm/qemu-gpio-guestvm.dts b/modules/microvm/virtualization/microvm/dtb/qemu-gpio-guestvm.dts similarity index 100% rename from modules/jetpack-microvm/qemu-gpio-guestvm.dts rename to modules/microvm/virtualization/microvm/dtb/qemu-gpio-guestvm.dts diff --git a/modules/microvm/virtualization/microvm/gpiovm.nix b/modules/microvm/virtualization/microvm/gpiovm.nix index eee981865..9a8d37b41 100644 --- a/modules/microvm/virtualization/microvm/gpiovm.nix +++ b/modules/microvm/virtualization/microvm/gpiovm.nix 
@@ -1,100 +1,210 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 +{ inputs }: { config, lib, pkgs, ... -} : with pkgs; let +}: with pkgs; +let configHost = config; vmName = "gpio-vm"; + macAddress = "03:00:00:07:06:05"; - gpioGuestDtbName = ./qemu-gpio-guestvm.dtb; - tmp_rootfs = ./tegra_rootfs.qcow2; + isGuiVmEnabled = config.ghaf.virtualization.microvm.guivm.enable; + + sshKeysHelper = pkgs.callPackage ../../../../packages/ssh-keys-helper { + inherit pkgs; + inherit config; + }; + + kernelPath = "${config.system.build.kernel}"; + guestKernel = "${kernelPath}/Image"; # the host's kernel image can be used in the guest + + dtsName = "qemu-gpio-guestvm.dts"; + dtbName = "qemu-gpio-guestvm.dtb"; + + # Build the guest specific DTB file for GPIO passthrough + gpioDtbDerivation = builtins.trace "Creating guest DTB" pkgs.stdenv.mkDerivation { + pname = "gpio-vm-dtb"; + version = "1.0"; + + src = ./dtb; + buildInputs = [ pkgs.dtc ]; + + # unpackPhase = '' + # mkdir -p ${kernelPath}/dtbs + # cp ${dtsName} ${kernelPath}/dtbs/ + # ''; + + buildPhase = '' + mkdir -p $out + # ls -thog $src + dtc -I dts -O dtb -o $out/${dtbName} $src/${dtsName} + # ls -thog $out + ''; + + installPhase = '' + # cp $src/${dtsName} ${kernelPath}/dtbs/ + # cp $out/${dtbName} ${kernelPath}/dtbs/ + ''; + + outputs = [ "out" ]; + }; + + gpioGuestDtb = "${gpioDtbDerivation}/${dtbName}"; gpiovmBaseConfiguration = { imports = [ - ({lib, ...}: { - ghaf = { - users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable; - /* - development = { - debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable; - nix-setup.enable = lib.mkDefault configHost.ghaf.development.nix-setup.enable; + inputs.impermanence.nixosModules.impermanence + inputs.self.nixosModules.givc-gpiovm + (import ./common/vm-networking.nix { + inherit + config + lib + vmName + macAddress + ; + internalIP = 1; + isGateway = true; + }) + + 
./common/storagevm.nix + + # To push logs to central location + ../../../common/logging/client.nix + ( + { lib, ... }: + { + imports = [ ../../../common ]; + ghaf = { + users.accounts.enable = lib.mkDefault config.ghaf.users.accounts.enable; + profiles.debug.enable = lib.mkDefault config.ghaf.profiles.debug.enable; + development = { + # NOTE: SSH port also becomes accessible on the network interface + # that has been passed through to gpiovm + ssh.daemon.enable = lib.mkDefault config.ghaf.development.ssh.daemon.enable; + debug.tools.enable = lib.mkDefault config.ghaf.development.debug.tools.enable; + nix-setup.enable = lib.mkDefault config.ghaf.development.nix-setup.enable; + }; + systemd = { + enable = true; + withName = "gpiovm-systemd"; + # withAudit = config.ghaf.profiles.debug.enable; + # withPolkit = true; + # withResolved = true; + # withTimesyncd = true; + # withDebug = config.ghaf.profiles.debug.enable; + # withHardenedConfigs = true; + }; + givc.gpiovm.enable = true; + # Logging client configuration + logging.client.enable = config.ghaf.logging.client.enable; + logging.client.endpoint = config.ghaf.logging.client.endpoint; + storagevm = { + enable = true; + name = "gpiovm"; + directories = [ "/etc/NetworkManager/system-connections/" ]; + }; }; - */ - systemd = { - enable = true; - withName = "gpiovm-systemd"; - withPolkit = true; - # withDebug = configHost.ghaf.profiles.debug.enable; + + time.timeZone = config.time.timeZone; + system.stateVersion = lib.trivial.release; + + nixpkgs = { + buildPlatform.system = config.nixpkgs.buildPlatform.system; + hostPlatform.system = config.nixpkgs.hostPlatform.system; }; - }; - system.stateVersion = lib.trivial.release; + networking = { + firewall.allowedTCPPorts = [ 53 ]; + firewall.allowedUDPPorts = [ 53 ]; + }; - nixpkgs.buildPlatform.system = configHost.nixpkgs.buildPlatform.system; - nixpkgs.hostPlatform.system = configHost.nixpkgs.hostPlatform.system; + services.openssh = 
config.ghaf.security.sshKeys.sshAuthorizedKeysCommand; + # WORKAROUND: Create a rule to temporary hardcode device name for Wi-Fi adapter on x86 + # TODO this is a dirty hack to guard against adding this to Nvidia/vm targets which + /* + # dont have that definition structure yet defined. FIXME. + # TODO the hardware.definition should not even be exposed in targets that do not consume it + services.udev.extraRules = lib.mkIf (config.ghaf.hardware.definition.network.pciDevices != [ ]) '' + SUBSYSTEM=="net", ACTION=="add", ATTRS{vendor}=="0x${(lib.head config.ghaf.hardware.definition.network.pciDevices).vendorId}", ATTRS{device}=="0x${(lib.head config.ghaf.hardware.definition.network.pciDevices).productId}", NAME="${(lib.head config.ghaf.hardware.definition.network.pciDevices).name}" + ''; + */ + microvm = { + optimize.enable = true; + hypervisor = "qemu"; + shares = + [ + { + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + } + ] + ++ lib.optionals isGuiVmEnabled [ + { + # Add the waypipe-ssh public key to the microvm + tag = config.ghaf.security.sshKeys.waypipeSshPublicKeyName; + source = config.ghaf.security.sshKeys.waypipeSshPublicKeyDir; + mountPoint = config.ghaf.security.sshKeys.waypipeSshPublicKeyDir; + } + ]; - /* - services.xxx = { - # we define a servce in extraModules variable below with import ./gpio-test.nix - } - */ - microvm = { - optimize.enable = true; - hypervisor = "qemu"; - - shares = [ - { - tag = "ro-store"; - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - } - ]; - # writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store"; - - graphics.enable= false; - qemu = { - /* tmp removed for GPIO testing - machine = - { - # Use the same machine type as the host - x86_64-linux = "q35"; - aarch64-linux ="virt"; - } - .${configHost.nixpkgs.hostPlatform.system}; - */ - serialConsole = true; - extraArgs = builtins.trace "GpioVM: Evaluating QEMU parameters for gpio-vm" [ - "-dtb" 
"${gpioGuestDtbName}" - # "-serial" "/dev/tty10" # Could not open '/dev/tty10': Permission denied - ]; - /* - extraArgs = builtins.trace "GpioVM: Evaluating qemu.extraArgs for gpio-vm" [ - # Add custom dtb to Gpio-VM with VDA - "-dtb ${gpioGuestDtbName}" - "-monitor chardev=mon0,mode=readline" - "-no-reboot" - # "-drive file=${tmp_rootfs},if=virtio,format=qcow2" - # -nographic \ - # -machine virt,accel=kvm \q - # -cpu host \ - # -m 4G \ - # -smp 2 \ - # -kernel ${kernel} \ - # "-monitor" "chardev=ttyTHS2,mode=readline" + writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store"; + + kernelParams = [ + "rootwait root=/dev/vda" ]; - */ + graphics.enable = false; + qemu = { + # qemu = builtins.trace "Qemu params, filenames: ${dtsName}, ${dtbName}, ${guestKernel}, ${guestRootFsName}" { + machine = + { + # Use the same machine type as the host + x86_64-linux = "q35"; + aarch64-linux = "virt"; + } + .${config.nixpkgs.hostPlatform.system}; + serialConsole = true; + extraArgs = lib.mkForce [ + # extraArgs = builtins.trace "GpioVM: Evaluating qemu.extraArgs for gpio-vm" [ + "-sandbox" "on" + "-nographic" + "-no-reboot" + "-dtb" "${gpioGuestDtb}" + "-kernel" "${guestKernel}" + # "-drive" "file=${guestRootFs},if=virtio,format=qcow2" + "-machine" "virt,accel=kvm" + "-cpu" "host" + "-m" "2G" + "-smp" "2" + "-serial" "pty" + # "-net" "user,hostfwd=tcp::2222-:22" + # "-net" "nic" + ]; + }; }; - }; - imports = [../../../common]; - }) + fileSystems = lib.mkIf isGuiVmEnabled { + ${config.ghaf.security.sshKeys.waypipeSshPublicKeyDir}.options = [ "ro" ]; + }; + + # SSH is very picky about to file permissions and ownership and will + # accept neither direct path inside /nix/store or symlink that points + # there. Therefore we copy the file to /etc/ssh/get-auth-keys (by + # setting mode), instead of symlinking it. 
+ environment.etc = lib.mkIf isGuiVmEnabled { + ${config.ghaf.security.sshKeys.getAuthKeysFilePathInEtc} = sshKeysHelper.getAuthKeysSource; + }; + } + ) ]; }; cfg = config.ghaf.virtualization.microvm.gpiovm; -in { +in +{ options.ghaf.virtualization.microvm.gpiovm = { enable = lib.mkEnableOption "GpioVM"; diff --git a/modules/microvm/virtualization/microvm/guivm.nix b/modules/microvm/virtualization/microvm/guivm.nix index b8200e874..c86ff6222 100644 --- a/modules/microvm/virtualization/microvm/guivm.nix +++ b/modules/microvm/virtualization/microvm/guivm.nix 
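Review bot: `networking.firewall.allowedTCPPorts = [ 53 ]` and `allowedUDPPorts = [ 53 ]` open the DNS ports on gpio-vm although nothing in this hunk configures a resolver there; this looks carried over from a net-vm module and should be dropped unless the guest really serves DNS. The `qemu.extraArgs = lib.mkForce [ ... ]` list hardcodes `-machine virt,accel=kvm`, `-cpu host`, `-m 2G`, `-smp 2` and `-dtb`, so the `machine` attribute's `x86_64-linux = "q35"` branch can never take effect, and `mkForce` also discards any `extraArgs` another module contributes (the vsock device in guivm is an example of such a contribution); `microvm.vcpu`/`microvm.mem` express the resources without overriding everything. `storagevm.directories = [ "/etc/NetworkManager/system-connections/" ]` persists NetworkManager profiles, which can contain Wi-Fi credentials, in a VM whose purpose is GPIO passthrough; if that line is another carry-over it should go too. The outer module (`options`/`config` sections) continues past the end of this hunk.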
@@ -1,142 +1,197 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 +{ inputs }: { config, lib, pkgs, ... -}: let - configHost = config; +}: +let vmName = "gui-vm"; macAddress = "02:00:00:02:02:02"; + inherit (import ../../../../lib/launcher.nix { inherit pkgs lib; }) rmDesktopEntries; guivmBaseConfiguration = { imports = [ - (import ./common/vm-networking.nix {inherit vmName macAddress;}) - ({ - lib, - pkgs, - ... - }: { - ghaf = { - users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable; - profiles.debug.enable = lib.mkDefault configHost.ghaf.profiles.debug.enable; - profiles.graphics.enable = true; - # To enable screen locking set graphics.labwc.lock to true - graphics.labwc.lock.enable = false; - profiles.applications.enable = false; - windows-launcher.enable = false; - development = { - ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable; - debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable; - nix-setup.enable = lib.mkDefault configHost.ghaf.development.nix-setup.enable; + inputs.impermanence.nixosModules.impermanence + inputs.self.nixosModules.givc-guivm + (import ./common/vm-networking.nix { + inherit + config + lib + vmName + macAddress + ; + internalIP = 3; + }) + + ./common/storagevm.nix + + # To push logs to central location + ../../../common/logging/client.nix + ( + { lib, pkgs, ... 
}: + { + ghaf = { + users.accounts.enable = lib.mkDefault config.ghaf.users.accounts.enable; + profiles = { + debug.enable = lib.mkDefault config.ghaf.profiles.debug.enable; + applications.enable = false; + graphics.enable = true; + }; + # To enable screen locking set to true + graphics.labwc.autolock.enable = false; + development = { + ssh.daemon.enable = lib.mkDefault config.ghaf.development.ssh.daemon.enable; + debug.tools.enable = lib.mkDefault config.ghaf.development.debug.tools.enable; + nix-setup.enable = lib.mkDefault config.ghaf.development.nix-setup.enable; + }; + systemd = { + enable = true; + withName = "guivm-systemd"; + withAudit = config.ghaf.profiles.debug.enable; + withNss = true; + withResolved = true; + withTimesyncd = true; + withDebug = config.ghaf.profiles.debug.enable; + withHardenedConfigs = true; + }; + givc.guivm.enable = true; + # Logging client configuration + logging.client.enable = config.ghaf.logging.client.enable; + logging.client.endpoint = config.ghaf.logging.client.endpoint; + storagevm = { + enable = true; + name = "guivm"; + directories = [ + { + directory = "/home/${config.ghaf.users.accounts.user}/"; + inherit (config.ghaf.users.accounts) user; + group = config.ghaf.users.accounts.user; + mode = "u=rwx,g=,o="; + } + ]; + }; }; - systemd = { - enable = true; - withName = "guivm-systemd"; - withNss = true; - withResolved = true; - withTimesyncd = true; - withDebug = configHost.ghaf.profiles.debug.enable; + + systemd.services."waypipe-ssh-keygen" = + let + keygenScript = pkgs.writeShellScriptBin "waypipe-ssh-keygen" '' + set -xeuo pipefail + mkdir -p /run/waypipe-ssh + echo -en "\n\n\n" | ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /run/waypipe-ssh/id_ed25519 -C "" + chown ghaf:ghaf /run/waypipe-ssh/* + cp /run/waypipe-ssh/id_ed25519.pub /run/waypipe-ssh-public-key/id_ed25519.pub + ''; + in + { + enable = true; + description = "Generate SSH keys for Waypipe"; + path = [ keygenScript ]; + wantedBy = [ "multi-user.target" ]; + 
serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + StandardOutput = "journal"; + StandardError = "journal"; + ExecStart = "${keygenScript}/bin/waypipe-ssh-keygen"; + }; + }; + + environment = { + systemPackages = + (rmDesktopEntries [ + pkgs.waypipe + pkgs.networkmanagerapplet + ]) + ++ [ + pkgs.nm-launcher + pkgs.pamixer + ] + ++ (lib.optional ( + config.ghaf.profiles.debug.enable && config.ghaf.virtualization.microvm.idsvm.mitmproxy.enable + ) pkgs.mitmweb-ui); }; - }; - systemd.services."waypipe-ssh-keygen" = let - keygenScript = pkgs.writeShellScriptBin "waypipe-ssh-keygen" '' - set -xeuo pipefail - mkdir -p /run/waypipe-ssh - echo -en "\n\n\n" | ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /run/waypipe-ssh/id_ed25519 -C "" - chown ghaf:ghaf /run/waypipe-ssh/* - cp /run/waypipe-ssh/id_ed25519.pub /run/waypipe-ssh-public-key/id_ed25519.pub - ''; - in { - enable = true; - description = "Generate SSH keys for Waypipe"; - path = [keygenScript]; - wantedBy = ["multi-user.target"]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - StandardOutput = "journal"; - StandardError = "journal"; - ExecStart = "${keygenScript}/bin/waypipe-ssh-keygen"; + time.timeZone = config.time.timeZone; + system.stateVersion = lib.trivial.release; + + nixpkgs = { + buildPlatform.system = config.nixpkgs.buildPlatform.system; + hostPlatform.system = config.nixpkgs.hostPlatform.system; }; - }; - environment = { - systemPackages = [ - pkgs.waypipe - pkgs.networkmanagerapplet - pkgs.nm-launcher - ]; - }; + # Suspend inside Qemu causes segfault + # See: https://gitlab.com/qemu-project/qemu/-/issues/2321 + services.logind.lidSwitch = "ignore"; - system.stateVersion = lib.trivial.release; + microvm = { + optimize.enable = false; + vcpu = 2; + mem = 2048; + hypervisor = "qemu"; + shares = [ + { + tag = "rw-waypipe-ssh-public-key"; + source = config.ghaf.security.sshKeys.waypipeSshPublicKeyDir; + mountPoint = config.ghaf.security.sshKeys.waypipeSshPublicKeyDir; + } + 
{ + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + } + ]; + writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store"; - nixpkgs.buildPlatform.system = configHost.nixpkgs.buildPlatform.system; - nixpkgs.hostPlatform.system = configHost.nixpkgs.hostPlatform.system; + qemu = { + extraArgs = [ + "-device" + "vhost-vsock-pci,guest-cid=${toString cfg.vsockCID}" + ]; - microvm = { - optimize.enable = false; - vcpu = 2; - mem = 2048; - hypervisor = "qemu"; - shares = [ - { - tag = "rw-waypipe-ssh-public-key"; - source = "/run/waypipe-ssh-public-key"; - mountPoint = "/run/waypipe-ssh-public-key"; - } - { - tag = "ro-store"; - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - } - ]; - writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store"; + machine = + { + # Use the same machine type as the host + x86_64-linux = "q35"; + aarch64-linux = "virt"; + } + .${config.nixpkgs.hostPlatform.system}; + }; + }; - qemu.extraArgs = [ - "-device" - "vhost-vsock-pci,guest-cid=${toString cfg.vsockCID}" + imports = [ + ../../../common + ../../../desktop ]; - }; - imports = [ - ../../../common - ../../../desktop - ]; - - # Waypipe service runs in the GUIVM and listens for incoming connections from AppVMs - systemd.user.services.waypipe = { - enable = true; - description = "waypipe"; - after = ["weston.service" "labwc.service"]; - serviceConfig = { - Type = "simple"; - ExecStart = "${pkgs.waypipe}/bin/waypipe --vsock -s ${toString cfg.waypipePort} client"; - Restart = "always"; - RestartSec = "1"; + # Waypipe service runs in the GUIVM and listens for incoming connections from AppVMs + systemd.user.services.waypipe = { + enable = true; + description = "waypipe"; + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.waypipe}/bin/waypipe --vsock -s ${toString cfg.waypipePort} client"; + Restart = "always"; + RestartSec = "1"; + }; + startLimitIntervalSec = 0; + partOf = [ 
"ghaf-session.target" ]; + wantedBy = [ "ghaf-session.target" ]; }; - startLimitIntervalSec = 0; - wantedBy = ["ghaf-session.target"]; - }; - - # Fixed IP-address for debugging subnet - systemd.network.networks."10-ethint0".addresses = [ - { - addressConfig.Address = "192.168.101.3/24"; - } - ]; - }) + } + ) ]; }; cfg = config.ghaf.virtualization.microvm.guivm; - vsockproxy = pkgs.callPackage ../../../../packages/vsockproxy {}; + vsockproxy = pkgs.callPackage ../../../../packages/vsockproxy { }; # Importing kernel builder function and building guest_graphics_hardened_kernel - buildKernel = import ../../../packages/kernel {inherit config pkgs lib;}; - config_baseline = ../../hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86; - guest_graphics_hardened_kernel = buildKernel {inherit config_baseline;}; -in { + buildKernel = import ../../../../packages/kernel { inherit config pkgs lib; }; + config_baseline = ../../../hardware/x86_64-generic/kernel/configs/ghaf_host_hardened_baseline-x86; + guest_graphics_hardened_kernel = buildKernel { inherit config_baseline; }; +in +{ options.ghaf.virtualization.microvm.guivm = { enable = lib.mkEnableOption "GUIVM"; @@ -145,7 +200,7 @@ in { List of additional modules to be imported and evaluated as part of GUIVM's NixOS configuration. ''; - default = []; + default = [ ]; }; # GUIVM uses a VSOCK which requires a CID 
@@ -174,38 +229,36 @@ in { config = lib.mkIf cfg.enable { microvm.vms."${vmName}" = { autostart = true; - config = - guivmBaseConfiguration - // { - boot.kernelPackages = - lib.mkIf config.ghaf.guest.kernel.hardening.graphics.enable - (pkgs.linuxPackagesFor guest_graphics_hardened_kernel); - - imports = - guivmBaseConfiguration.imports - ++ cfg.extraModules; - }; + config = guivmBaseConfiguration // { + boot.kernelPackages = lib.mkIf config.ghaf.guest.kernel.hardening.graphics.enable ( + pkgs.linuxPackagesFor guest_graphics_hardened_kernel + ); + + imports = guivmBaseConfiguration.imports ++ cfg.extraModules; + }; }; # This directory needs to be created before any of the microvms start. - systemd.services."create-waypipe-ssh-public-key-directory" = let - script = pkgs.writeShellScriptBin "create-waypipe-ssh-public-key-directory" '' - mkdir -pv /run/waypipe-ssh-public-key - chown -v microvm /run/waypipe-ssh-public-key - ''; - in { - enable = true; - description = "Create shared directory on host"; - path = []; - wantedBy = ["microvms.target"]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - StandardOutput = "journal"; - StandardError = "journal"; - ExecStart = "${script}/bin/create-waypipe-ssh-public-key-directory"; + systemd.services."create-waypipe-ssh-public-key-directory" = + let + script = pkgs.writeShellScriptBin "create-waypipe-ssh-public-key-directory" '' + mkdir -pv ${config.ghaf.security.sshKeys.waypipeSshPublicKeyDir} + chown -v microvm ${config.ghaf.security.sshKeys.waypipeSshPublicKeyDir} + ''; + in + { + enable = true; + description = "Create shared directory on host"; + path = [ ]; + wantedBy = [ "microvms.target" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + StandardOutput = "journal"; + StandardError = "journal"; + ExecStart = "${script}/bin/create-waypipe-ssh-public-key-directory"; + }; }; - }; # Waypipe in GUIVM needs to communicate with AppVMs over VSOCK # However, VSOCK does not support direct guest 
to guest communication @@ -214,13 +267,13 @@ in { systemd.services.vsockproxy = { enable = true; description = "vsockproxy"; - unitConfig = { - Type = "simple"; - }; serviceConfig = { + Type = "simple"; + Restart = "always"; + RestartSec = "1"; ExecStart = "${vsockproxy}/bin/vsockproxy ${toString cfg.waypipePort} ${toString cfg.vsockCID} ${toString cfg.waypipePort}"; }; - wantedBy = ["multi-user.target"]; + wantedBy = [ "multi-user.target" ]; }; }; } diff --git a/modules/microvm/virtualization/microvm/idsvm/idsvm.nix b/modules/microvm/virtualization/microvm/idsvm/idsvm.nix new file mode 100644 index 000000000..4354e26c0 --- /dev/null +++ b/modules/microvm/virtualization/microvm/idsvm/idsvm.nix 
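Review bot: `vsockproxy` runs on the host as root with no service hardening although it terminates vsock connections coming from guests; adding `NoNewPrivileges = true;`, `ProtectSystem = "strict";` and `ProtectHome = true;` to `serviceConfig` costs nothing here, and `DynamicUser = true;` may also work if `cfg.waypipePort` lies above the vsock privileged-port range, which this hunk does not show. `Restart = "always"` with `RestartSec = "1"` and no `startLimitIntervalSec` means a crash loop trips systemd's default start limit and leaves the unit failed; the waypipe user service in the first hunk sets `startLimitIntervalSec = 0` for exactly this reason.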
@@ -0,0 +1,98 @@ +# Copyright 2022-2023 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + config, + lib, + pkgs, + ... +}: +let + configHost = config; + vmName = "ids-vm"; + macAddress = "02:00:00:01:01:02"; + idsvmBaseConfiguration = { + imports = [ + (import ../common/vm-networking.nix { + inherit + config + lib + vmName + macAddress + ; + internalIP = 4; + }) + ( + { lib, ... }: + { + ghaf = { + users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable; + profiles.debug.enable = lib.mkDefault configHost.ghaf.profiles.debug.enable; + + virtualization.microvm.idsvm.mitmproxy.enable = + configHost.ghaf.virtualization.microvm.idsvm.mitmproxy.enable; + + development = { + # NOTE: SSH port also becomes accessible on the network interface + # that has been passed through to NetVM + ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable; + debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable; + nix-setup.enable = lib.mkDefault configHost.ghaf.development.nix-setup.enable; + }; + }; + + system.stateVersion = lib.trivial.release; + + nixpkgs.buildPlatform.system = configHost.nixpkgs.buildPlatform.system; + nixpkgs.hostPlatform.system = configHost.nixpkgs.hostPlatform.system; + + microvm.hypervisor = "qemu"; + + environment.systemPackages = [ + pkgs.snort # TODO: put into separate module + ] ++ (lib.optional configHost.ghaf.profiles.debug.enable pkgs.tcpdump); + + microvm = { + optimize.enable = true; + shares = [ + { + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + proto = "virtiofs"; + } + ]; + writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store"; + }; + + imports = [ + ../../../../common + ./mitmproxy + ]; + } + ) + ]; + }; + cfg = config.ghaf.virtualization.microvm.idsvm; +in +{ + options.ghaf.virtualization.microvm.idsvm = { + enable = lib.mkEnableOption "Whether to enable IDS-VM on the system"; + 
+
+ extraModules = lib.mkOption {
+ description = ''
+ List of additional modules to be imported and evaluated as part of
+ IDSVM's NixOS configuration.
+ '';
+ default = [ ];
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ microvm.vms."${vmName}" = {
+ autostart = true;
+ config = idsvmBaseConfiguration // {
+ imports = idsvmBaseConfiguration.imports ++ cfg.extraModules;
+ };
+ };
+ };
+}
diff --git a/modules/microvm/virtualization/microvm/idsvm/mitmproxy/default.nix b/modules/microvm/virtualization/microvm/idsvm/mitmproxy/default.nix
new file mode 100644
index 000000000..3eb43094f
--- /dev/null
+++ b/modules/microvm/virtualization/microvm/idsvm/mitmproxy/default.nix
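Review bot: `pkgs.snort` is only added to `environment.systemPackages`; no service, rule set or capture interface is configured in this hunk, so with `idsvm.enable` every VM's traffic is routed through ids-vm (per the `gateway` selection in vm-networking) without being inspected unless something outside this diff starts snort, and the `# TODO: put into separate module` comment should say so, e.g. `# TODO: snort is installed but not started; inspection needs a separate service module`. The `# NOTE: SSH port also becomes accessible on the network interface that has been passed through to NetVM` comment is copied from net-vm; nothing is passed through to ids-vm here, and a wrong comment about SSH exposure is worse than none. Unlike gui-vm and the host in this diff, ids-vm sets no `ghaf.systemd` options (`withHardenedConfigs`, `withAudit`), which matters most for the VM that sits in the path of all guest traffic. `configHost` and `config` are both used for the same host options inside this module; pick one.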
@@ -0,0 +1,68 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}:
+let
+ cfg = config.ghaf.virtualization.microvm.idsvm.mitmproxy;
+ mitmproxyport = 8080;
+ mitmwebUIport = 8081;
+in
+{
+ options.ghaf.virtualization.microvm.idsvm.mitmproxy = {
+ enable = lib.mkEnableOption "Whether to enable mitmproxy on ids-vm";
+ };
+
+ config = lib.mkIf cfg.enable {
+ # Here we add default CA keypair and corresponding self-signed certificate
+ # for mitmproxy in different formats. These should be, of course, randomly and
+ # securely generated and stored for each instance, but for development purposes
+ # we use these fixed ones.
+ environment.etc = {
+ "mitmproxy/mitmproxy-ca-cert.cer".source = ./mitmproxy-ca/mitmproxy-ca-cert.cer;
+ "mitmproxy/mitmproxy-ca-cert.p12".source = ./mitmproxy-ca/mitmproxy-ca-cert.p12;
+ "mitmproxy/mitmproxy-ca-cert.pem".source = ./mitmproxy-ca/mitmproxy-ca-cert.pem;
+ "mitmproxy/mitmproxy-ca.pem".source = ./mitmproxy-ca/mitmproxy-ca.pem;
+ "mitmproxy/mitmproxy-ca.p12".source = ./mitmproxy-ca/mitmproxy-ca.p12;
+ "mitmproxy/mitmproxy-dhparam.pem".source = ./mitmproxy-ca/mitmproxy-dhparam.pem;
+ };
+
+ systemd.services."mitmweb-server" =
+ let
+ mitmwebScript = pkgs.writeShellScriptBin "mitmweb-server" ''
+ ${pkgs.mitmproxy}/bin/mitmweb --web-host localhost --web-port ${toString mitmwebUIport} --set confdir=/etc/mitmproxy
+ '';
+ in
+ {
+ enable = true;
+ description = "Run mitmweb to establish web interface for mitmproxy";
+ path = [ mitmwebScript ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "simple";
+ StandardOutput = "journal";
+ StandardError = "journal";
+ ExecStart = "${mitmwebScript}/bin/mitmweb-server";
+ Restart = "on-failure";
+ RestartSec = "1";
+ };
+ };
+
+ networking = {
+ firewall.allowedTCPPorts = [
+ mitmproxyport
+ mitmwebUIport
+ ];
+ nat.extraCommands =
+ # Redirect http(s) traffic to mitmproxy.
+ ''
+ iptables -t nat -A PREROUTING -i ethint0 -p tcp --dport 80 -j REDIRECT --to-port ${toString mitmproxyport}
+ iptables -t nat -A PREROUTING -i ethint0 -p tcp --dport 443 -j REDIRECT --to-port ${toString mitmproxyport}
+ '';
+ };
+ environment.systemPackages = [ pkgs.mitmproxy ];
+ };
+}
diff --git a/modules/microvm/virtualization/microvm/idsvm/mitmproxy/mitmproxy-ca/mitmproxy-ca-cert.cer b/modules/microvm/virtualization/microvm/idsvm/mitmproxy/mitmproxy-ca/mitmproxy-ca-cert.cer
new file mode 100644
index 000000000..9beb77739
--- /dev/null
+++ b/modules/microvm/virtualization/microvm/idsvm/mitmproxy/mitmproxy-ca/mitmproxy-ca-cert.cer
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUItvWgfGeI8GlhgumoYarXZhO1OMwDQYJKoZIhvcNAQEL
+BQAwKDESMBAGA1UEAwwJbWl0bXByb3h5MRIwEAYDVQQKDAltaXRtcHJveHkwHhcN
+MjMwNjI2MjA0MjUxWhcNMzMwNjI1MjA0MjUxWjAoMRIwEAYDVQQDDAltaXRtcHJv
+eHkxEjAQBgNVBAoMCW1pdG1wcm94eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAOPknE6S+anfr52iO58VsPBcKrTbpWCV1NPmpWh6YmZxuzA3IjNu8X9i
+0ByVgutysmrIXWqt7EOds8vCqLCX3+pGB6XsNMC4ksn42SH6QmWUTZizUjCI+7c2
+B1fYxzU5aaG2Z9TDtfExdWqnHR0c0dTR7c2IUeH7qgy/8oSukQeFdhp/j/d+cosU
+KtXxMl9vk4wiseLRS2JBb+QKdM+TdNKLpAZmYT68WIIPB/0Vsxo1ZeSf8A4KLElr
+9z9oksT5RPZAkuqV4TtWZoSPf01lB5jBCRblSGqw3m9ARAjH3MN1cDvwKkOtPrEC
+iBKv9S51CyGPLkrEQoQrscvGKkEp5mECAwEAAaNXMFUwDwYDVR0TAQH/BAUwAwEB
+/zATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
+FLfWC+xt92Gs5X8I0H9E0ZPZ1nUZMA0GCSqGSIb3DQEBCwUAA4IBAQCEuExtxt6S
+Pr7hXul8xNl8gjb94xB2vB6DJwtn97vXDtMqQ7P6o9e+7d2Yzp/y/hAlVpkZbwJo
+WnE5aKI+SiuoyPJhM3qtSqFEnjogm+2GS+Htd9SGYPX6qrsbG5/FUE2NKF4sr9zB
+vNYOzcaJO6X1+A3a7fS65ytjRYwO0T+6NtPkqwJ/ACT3vov94u9oGJ8O9rkFoG93
+7Guyh26JA71/N8SKWSIB/35pYKvX2usmsPCs8UYNC3UH4fH4d0yHBA9vV9XLE5H5
+cgESHG6F13V3WpeEgc83DWG6Tvml64ldORCVSi5doLTfaN/UIEZXFPMZ2ZCfsQvA
++PqFqfsCDYU1
+-----END CERTIFICATE-----
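Review bot: `firewall.allowedTCPPorts` opens `mitmwebUIport` (8081) to the network although `mitmweb` is started with `--web-host localhost`, so the rule exposes nothing useful today and turns into a remote-UI exposure the moment the bind address changes; `firewall.allowedTCPPorts = [ mitmproxyport ];` matches the actual listener (if the UI is meant to be reached from gui-vm, bind it deliberately and document the access path). The two `iptables -t nat -A PREROUTING ... REDIRECT` rules in `nat.extraCommands` are appended to the built-in chain with no matching `nat.extraStopCommands`, so each restart of the NAT unit adds another copy unless the stop script removes them, which I believe it does only for the `nixos-nat-*` chains; add `-D` counterparts in `extraStopCommands` or append to the `nixos-nat-pre` chain instead. The CA material under `./mitmproxy-ca` is fixed and its private key is part of this diff, as the comment itself admits; mitmproxy generates a CA in `confdir` on first start, so pointing `confdir` at a persistent VM-local state directory instead of `/etc/mitmproxy` removes the shared key without extra code, and the module should be gated on the debug profile in the meantime. `mitmweb` also runs as root with no `DynamicUser`/`ProtectSystem` settings, which is worth fixing for a process that parses all guest HTTP(S) traffic.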
diff --git a/modules/microvm/virtualization/microvm/idsvm/mitmproxy/mitmproxy-ca/mitmproxy-ca-cert.p12 b/modules/microvm/virtualization/microvm/idsvm/mitmproxy/mitmproxy-ca/mitmproxy-ca-cert.p12
new file mode 100644
index 000000000..b7103f08e
Binary files /dev/null and b/modules/microvm/virtualization/microvm/idsvm/mitmproxy/mitmproxy-ca/mitmproxy-ca-cert.p12 differ
diff --git a/modules/microvm/virtualization/microvm/idsvm/mitmproxy/mitmproxy-ca/mitmproxy-ca-cert.pem b/modules/microvm/virtualization/microvm/idsvm/mitmproxy/mitmproxy-ca/mitmproxy-ca-cert.pem
new file mode 100644
index 000000000..9beb77739
--- /dev/null
+++ b/modules/microvm/virtualization/microvm/idsvm/mitmproxy/mitmproxy-ca/mitmproxy-ca-cert.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUItvWgfGeI8GlhgumoYarXZhO1OMwDQYJKoZIhvcNAQEL
+BQAwKDESMBAGA1UEAwwJbWl0bXByb3h5MRIwEAYDVQQKDAltaXRtcHJveHkwHhcN
+MjMwNjI2MjA0MjUxWhcNMzMwNjI1MjA0MjUxWjAoMRIwEAYDVQQDDAltaXRtcHJv
+eHkxEjAQBgNVBAoMCW1pdG1wcm94eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAOPknE6S+anfr52iO58VsPBcKrTbpWCV1NPmpWh6YmZxuzA3IjNu8X9i
+0ByVgutysmrIXWqt7EOds8vCqLCX3+pGB6XsNMC4ksn42SH6QmWUTZizUjCI+7c2
+B1fYxzU5aaG2Z9TDtfExdWqnHR0c0dTR7c2IUeH7qgy/8oSukQeFdhp/j/d+cosU
+KtXxMl9vk4wiseLRS2JBb+QKdM+TdNKLpAZmYT68WIIPB/0Vsxo1ZeSf8A4KLElr
+9z9oksT5RPZAkuqV4TtWZoSPf01lB5jBCRblSGqw3m9ARAjH3MN1cDvwKkOtPrEC
+iBKv9S51CyGPLkrEQoQrscvGKkEp5mECAwEAAaNXMFUwDwYDVR0TAQH/BAUwAwEB
+/zATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
+FLfWC+xt92Gs5X8I0H9E0ZPZ1nUZMA0GCSqGSIb3DQEBCwUAA4IBAQCEuExtxt6S
+Pr7hXul8xNl8gjb94xB2vB6DJwtn97vXDtMqQ7P6o9e+7d2Yzp/y/hAlVpkZbwJo
+WnE5aKI+SiuoyPJhM3qtSqFEnjogm+2GS+Htd9SGYPX6qrsbG5/FUE2NKF4sr9zB
+vNYOzcaJO6X1+A3a7fS65ytjRYwO0T+6NtPkqwJ/ACT3vov94u9oGJ8O9rkFoG93
+7Guyh26JA71/N8SKWSIB/35pYKvX2usmsPCs8UYNC3UH4fH4d0yHBA9vV9XLE5H5
+cgESHG6F13V3WpeEgc83DWG6Tvml64ldORCVSi5doLTfaN/UIEZXFPMZ2ZCfsQvA
++PqFqfsCDYU1
+-----END CERTIFICATE-----
diff --git a/modules/microvm/virtualization/microvm/idsvm/mitmproxy/mitmproxy-ca/mitmproxy-ca.p12 b/modules/microvm/virtualization/microvm/idsvm/mitmproxy/mitmproxy-ca/mitmproxy-ca.p12
new file mode 100644
index 000000000..c7060fa0e
Binary files /dev/null and b/modules/microvm/virtualization/microvm/idsvm/mitmproxy/mitmproxy-ca/mitmproxy-ca.p12 differ
diff --git a/modules/microvm/virtualization/microvm/idsvm/mitmproxy/mitmproxy-ca/mitmproxy-ca.pem b/modules/microvm/virtualization/microvm/idsvm/mitmproxy/mitmproxy-ca/mitmproxy-ca.pem
new file mode 100644
index 000000000..b2c545328
--- /dev/null
+++ b/modules/microvm/virtualization/microvm/idsvm/mitmproxy/mitmproxy-ca/mitmproxy-ca.pem
@@ -0,0 +1,47 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA4+ScTpL5qd+vnaI7nxWw8FwqtNulYJXU0+alaHpiZnG7MDci +M27xf2LQHJWC63Kyashdaq3sQ52zy8KosJff6kYHpew0wLiSyfjZIfpCZZRNmLNS +MIj7tzYHV9jHNTlpobZn1MO18TF1aqcdHRzR1NHtzYhR4fuqDL/yhK6RB4V2Gn+P +935yixQq1fEyX2+TjCKx4tFLYkFv5Ap0z5N00oukBmZhPrxYgg8H/RWzGjVl5J/w +DgosSWv3P2iSxPlE9kCS6pXhO1ZmhI9/TWUHmMEJFuVIarDeb0BECMfcw3VwO/Aq +Q60+sQKIEq/1LnULIY8uSsRChCuxy8YqQSnmYQIDAQABAoIBAQC/S1L5kd4Ifj+H +7nplm2ufF36xuf4kCSFRjjYicTjQDX+3hVAsJGCLMYLHu6jdwrWJdQ8VUVEVoPcf +fxLiyVmn6YjZ+mB9tXFiIIUDRHMfmVFZcIz5OMMykyOu1cTCJKNKnzahHndHMuEA +2a5SlbJ9FoqrEFbLftjLQwRr46zRxduoF2Znz/XhPMcoOsMoFuUIEtS3kmblW8Zr +UzKkvT2GUb5b19WNIbK/1ZWnkYTh6nTQPNz8FYpNb7ZuS/UfNGP05r+ZbgzmSS8B +Mwl2u2AqXEo15ULjEP8XQpmQXDbaOAjZHzF0nqx2Sw7iY9MfAarIekGLVRJ+LRwA +mkT8TPuRAoGBAP+20Ah6SCJN4DpDLC/Zu/2rRanpxxyk1awseFlfNOPegAuM+Gic +fHeUDYooHxZwbowAjyo4o36rnHJJi8ZniTHZG9ddy9U75TgVZK4Xr7MkmmOCpv1Q +50BTxsnWir3pTspgWCZ8oXmyvNJV/hl0fGqFW3WxI41upMM6w3uSMdvnAoGBAOQl +1dgXh+Qo8DhAaWmhmDLpcfWD2XB3rhZxQfbYCC+oyrQgpgyQpOEgmPKcjDrsToRK +Ze08O3t5inrvyH41THhByDfV6pxZSGRPoBxr1ZMej6V50FFHctQbDqDhmBdlKpkx +3ryGBrhUxjwklg915UwvZc1iewYdZxd0JeST+CJ3AoGBALbU9QU6uRyd5baClLNZ +0InczaBhIBYg3Q2PdjUgV2adjZu0nV/ekzfESbIAYcnfdYrwU2xytqM4/FDSuPeQ +y40ymC9yRu0dOBTTZvr6wIsrnp+LqO3xzIY34CgsF2MVz1nvbNeHwMSMwWj6RwXY +PaTD2NLbZnoXJALany5ZJwD9AoGAVKqZ1my9GHX819NHi1TVx6cMjIFWsz8m0ttL +EJERUKaCOyCWnrkbBxTyza48+Czz4nI9qzGcHXF4a7EKpZOgAkzfQaFYRJd5nwhR +sdpu0v8XbeBr543tVjuITToLGDuJ+HoiX7IZUlTbkDw/mBM3efNpAzRV1WoZ9QE8 +grxK7HcCgYAT0dGsFd1RY+m/Ik/jTxRDSi7zLLtyZO8AsGsfqsm0b8GhTTlXzEmH +kgp75/W058vjc7H1PY7FNr5neUn/Dtom2YtJRhANK/dhzh+RDSfFgbCX+VHTwh1a +nb7F25+bEhlvfe5yLb+O6ZzbsL/EdJYg0BoHCgTI2bZJkzRtAzdHuA== +-----END RSA PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIDNTCCAh2gAwIBAgIUItvWgfGeI8GlhgumoYarXZhO1OMwDQYJKoZIhvcNAQEL +BQAwKDESMBAGA1UEAwwJbWl0bXByb3h5MRIwEAYDVQQKDAltaXRtcHJveHkwHhcN +MjMwNjI2MjA0MjUxWhcNMzMwNjI1MjA0MjUxWjAoMRIwEAYDVQQDDAltaXRtcHJv 
+eHkxEjAQBgNVBAoMCW1pdG1wcm94eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAOPknE6S+anfr52iO58VsPBcKrTbpWCV1NPmpWh6YmZxuzA3IjNu8X9i +0ByVgutysmrIXWqt7EOds8vCqLCX3+pGB6XsNMC4ksn42SH6QmWUTZizUjCI+7c2 +B1fYxzU5aaG2Z9TDtfExdWqnHR0c0dTR7c2IUeH7qgy/8oSukQeFdhp/j/d+cosU +KtXxMl9vk4wiseLRS2JBb+QKdM+TdNKLpAZmYT68WIIPB/0Vsxo1ZeSf8A4KLElr +9z9oksT5RPZAkuqV4TtWZoSPf01lB5jBCRblSGqw3m9ARAjH3MN1cDvwKkOtPrEC +iBKv9S51CyGPLkrEQoQrscvGKkEp5mECAwEAAaNXMFUwDwYDVR0TAQH/BAUwAwEB +/zATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE +FLfWC+xt92Gs5X8I0H9E0ZPZ1nUZMA0GCSqGSIb3DQEBCwUAA4IBAQCEuExtxt6S +Pr7hXul8xNl8gjb94xB2vB6DJwtn97vXDtMqQ7P6o9e+7d2Yzp/y/hAlVpkZbwJo +WnE5aKI+SiuoyPJhM3qtSqFEnjogm+2GS+Htd9SGYPX6qrsbG5/FUE2NKF4sr9zB +vNYOzcaJO6X1+A3a7fS65ytjRYwO0T+6NtPkqwJ/ACT3vov94u9oGJ8O9rkFoG93 +7Guyh26JA71/N8SKWSIB/35pYKvX2usmsPCs8UYNC3UH4fH4d0yHBA9vV9XLE5H5 +cgESHG6F13V3WpeEgc83DWG6Tvml64ldORCVSi5doLTfaN/UIEZXFPMZ2ZCfsQvA ++PqFqfsCDYU1 +-----END CERTIFICATE----- diff --git a/modules/microvm/virtualization/microvm/idsvm/mitmproxy/mitmproxy-ca/mitmproxy-dhparam.pem b/modules/microvm/virtualization/microvm/idsvm/mitmproxy/mitmproxy-ca/mitmproxy-dhparam.pem new file mode 100644 index 000000000..c10121fbf --- /dev/null +++ b/modules/microvm/virtualization/microvm/idsvm/mitmproxy/mitmproxy-ca/mitmproxy-dhparam.pem 
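Review bot: This file commits the private key of the CA that ids-vm uses to re-sign intercepted TLS sessions, alongside its certificate; once it is in git history it has to be treated as public, so every guest that trusts this CA effectively trusts anyone who has read this repository, not just the local ids-vm. Remove the key from the repository and rotate it (deleting the file later does not scrub history), let mitmproxy generate a per-instance CA in a persistent `confdir` on first start, and keep only public material such as `mitmproxy-ca-cert.pem` under version control if a fixed trust anchor is wanted for development. The `.p12` bundles in this diff need the same treatment if they carry the key. `mitmproxy-dhparam.pem` holds only public parameters and can stay.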
@@ -0,0 +1,14 @@ + +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEAyT6LzpwVFS3gryIo29J5icvgxCnCebcdSe/NHMkD8dKJf8suFCg3 +O2+dguLakSVif/t6dhImxInJk230HmfC8q93hdcg/j8rLGJYDKu3ik6H//BAHKIv +j5O9yjU3rXCfmVJQic2Nne39sg3CreAepEts2TvYHhVv3TEAzEqCtOuTjgDv0ntJ +Gwpj+BJBRQGG9NvprX1YGJ7WOFBP/hWU7d6tgvE6Xa7T/u9QIKpYHMIkcN/l3ZFB +chZEqVlyrcngtSXCROTPcDOQ6Q8QzhaBJS+Z6rcsd7X+haiQqvoFcmaJ08Ks6LQC +ZIL2EtYJw8V8z7C0igVEBIADZBI6OTbuuhDwRw//zU1uq52Oc48CIZlGxTYG/Evq +o9EWAXUYVzWkDSTeBH1r4z/qLPE2cnhtMxbFxuvK53jGB0emy2y1Ei6IhKshJ5qX +IB/aE7SSHyQ3MDHHkCmQJCsOd4Mo26YX61NZ+n501XjqpCBQ2+DfZCBh8Va2wDyv +A2Ryg9SUz8j0AXViRNMJgJrr446yro/FuJZwnQcO3WQnXeqSBnURqKjmqkeFP+d8 +6mk2tqJaY507lRNqtGlLnj7f5RNoBFJDCLBNurVgfvq9TCVWKDIFD4vZRjCrnl6I +rD693XKIHUCWOjMh1if6omGXKHH40QuME2gNa50+YPn1iYDl88uDbbMCAQI= +-----END DH PARAMETERS----- diff --git a/modules/microvm/virtualization/microvm/microvm-host.nix b/modules/microvm/virtualization/microvm/microvm-host.nix index da9a427b2..53f5c275e 100644 --- a/modules/microvm/virtualization/microvm/microvm-host.nix +++ b/modules/microvm/virtualization/microvm/microvm-host.nix 
@@ -1,35 +1,61 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 +{ inputs }: { config, lib, pkgs, ... -}: let +}: +let cfg = config.ghaf.virtualization.microvm-host; in - with lib; { - options.ghaf.virtualization.microvm-host = { - enable = mkEnableOption "MicroVM Host"; - networkSupport = mkEnableOption "Network support services to run host applications."; - }; +{ + imports = [ + inputs.impermanence.nixosModules.impermanence + inputs.self.nixosModules.givc-host + ]; + options.ghaf.virtualization.microvm-host = { + enable = lib.mkEnableOption "MicroVM Host"; + networkSupport = lib.mkEnableOption "Network support services to run host applications."; + }; - config = mkIf cfg.enable { - microvm.host.enable = true; - ghaf.systemd = { - withName = "host-systemd"; - enable = true; - boot.enable = true; - withPolkit = true; - withTpm2Tss = pkgs.stdenv.hostPlatform.isx86; - withRepart = true; - withFido2 = true; - withCryptsetup = true; - withTimesyncd = cfg.networkSupport; - withNss = cfg.networkSupport; - withResolved = cfg.networkSupport; - withSerial = config.ghaf.profiles.debug.enable; - withDebug = config.ghaf.profiles.debug.enable; - }; + config = lib.mkIf cfg.enable { + microvm.host.enable = true; + ghaf.systemd = { + withName = "host-systemd"; + enable = true; + boot.enable = true; + withAudit = config.ghaf.profiles.debug.enable; + withPolkit = true; + withTpm2Tss = pkgs.stdenv.hostPlatform.isx86; + withRepart = true; + withFido2 = true; + withCryptsetup = true; + withTimesyncd = cfg.networkSupport; + withNss = cfg.networkSupport; + withResolved = cfg.networkSupport; + withSerial = config.ghaf.profiles.debug.enable; + withDebug = config.ghaf.profiles.debug.enable; + withHardenedConfigs = true; }; - } + ghaf.givc.host.enable = true; + + # TODO: remove hardcoded paths + systemd.services."microvm@audio-vm".serviceConfig = + lib.optionalAttrs config.ghaf.virtualization.microvm.audiovm.enable + { + # The + here is a 
systemd feature to make the script run as root. + ExecStopPost = [ + "+${pkgs.writeShellScript "reload-audio" '' + # The script makes audio device internal state to reset + # This fixes issue of audio device getting into some unexpected + # state when the VM is being shutdown during audio mic recording + echo "1" > /sys/bus/pci/devices/0000:00:1f.3/remove + sleep 0.1 + echo "1" > /sys/bus/pci/devices/0000:00:1f.0/rescan + ''}" + ]; + }; + }; +} diff --git a/modules/microvm/virtualization/microvm/modules.nix b/modules/microvm/virtualization/microvm/modules.nix new file mode 100644 index 000000000..f61200817 --- /dev/null +++ b/modules/microvm/virtualization/microvm/modules.nix 
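Review bot: The `reload-audio` script in `ExecStopPost` runs as root (the `+` prefix) and writes unconditionally to `/sys/bus/pci/devices/0000:00:1f.3/remove` and `0000:00:1f.0/rescan`, so on a board where those addresses are not the audio controller it would detach whatever device sits there on every audio-vm stop; the `# TODO: remove hardcoded paths` acknowledges the hardcoding, but until the address comes from the hardware definition a guard such as `[ -e /sys/bus/pci/devices/0000:00:1f.3/remove ] || exit 0` keeps the script a no-op elsewhere. `pkgs.writeShellScript` adds only the shebang, so without `set -e` the `rescan` line runs even when the `remove` write failed — probably intended, but worth stating in the comment. A comment on why the rescan targets function `1f.0` rather than the removed `1f.3` would also save the next reader a detour.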
@@ -0,0 +1,170 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ inherit (builtins) hasAttr;
+ inherit (lib)
+ mkOption
+ types
+ optionals
+ optionalAttrs
+ ;
+
+ cfg = config.ghaf.virtualization.microvm;
+
+ # Currently only x86 with hw definition supported
+ inherit (pkgs.stdenv.hostPlatform) isx86;
+ fullVirtualization =
+ isx86 && (hasAttr "hardware" config.ghaf) && (hasAttr "devices" config.ghaf.hardware);
+
+ # Hardware devices passthrough modules
+ deviceModules = optionalAttrs fullVirtualization {
+ inherit (config.ghaf.hardware.devices)
+ netvmPCIPassthroughModule
+ audiovmPCIPassthroughModule
+ guivmPCIPassthroughModule
+ guivmVirtioInputHostEvdevModule
+ ;
+ };
+
+ # Kernel configurations
+ kernelConfigs = optionalAttrs fullVirtualization { inherit (config.ghaf.kernel) guivm audiovm; };
+
+ # Firmware module
+ firmwareModule = {
+ config.ghaf.services.firmware.enable = true;
+ };
+
+ # Qemu configuration modules
+ qemuModules = {
+ inherit (config.ghaf.qemu) guivm;
+ };
+
+ # Service modules
+ serviceModules = {
+ # Givc module
+ givc = {
+ config.ghaf.givc.enable = config.ghaf.givc.enable;
+ };
+
+ # Audio module
+ audio = optionalAttrs cfg.audiovm.audio { config.ghaf.services.audio.enable = true; };
+
+ # Wifi module
+ wifi = optionalAttrs cfg.netvm.wifi { config.ghaf.services.wifi.enable = true; };
+
+ # Fprint module
+ fprint = optionalAttrs cfg.guivm.fprint { config.ghaf.services.fprint.enable = true; };
+
+ # Desktop module
+ desktop = {
+ config.ghaf.services.desktop.enable = true;
+ };
+
+ # PDF opener
+ pdfOpener = {
+ config.ghaf.services.pdfopener.enable = true;
+ };
+
+ # Yubikey module
+ yubikey = optionalAttrs cfg.guivm.yubikey { config.ghaf.services.yubikey.enable = true; };
+
+ # Common namespace to share (built-time) between host and VMs
+ commonNamespace = {
+ config.ghaf.namespaces = config.ghaf.namespaces;
+ };
+ };
+
+ # Reference services module
+ referenceServiceModule = {
+ config.ghaf = optionalAttrs (hasAttr "reference" config.ghaf) {
+ reference = optionalAttrs (hasAttr "services" config.ghaf.reference) {
+ inherit (config.ghaf.reference) services;
+ };
+ };
+ };
+
+ # Reference programs module
+ referenceProgramsModule = {
+ config.ghaf = optionalAttrs (hasAttr "reference" config.ghaf) {
+ reference = optionalAttrs (hasAttr "programs" config.ghaf.reference) {
+ inherit (config.ghaf.reference) programs;
+ };
+ };
+ };
+in
+{
+ options.ghaf.virtualization.microvm = {
+ netvm.wifi = mkOption {
+ type = types.bool;
+ default = isx86 && cfg.netvm.enable;
+ description = ''
+ Enable Wifi module configuration.
+ '';
+ };
+ audiovm.audio = mkOption {
+ type = types.bool;
+ default = cfg.audiovm.enable;
+ description = ''
+ Enable Audio module configuration.
+ '';
+ };
+ guivm.fprint = mkOption {
+ type = types.bool;
+ default = cfg.guivm.enable;
+ description = ''
+ Enable Fingerprint module configuration.
+ '';
+ };
+ guivm.yubikey = mkOption {
+ type = types.bool;
+ default = cfg.guivm.enable;
+ description = ''
+ Enable Yubikey module configuration.
+ '';
+ };
+ };
+
+ config = {
+ # System VM configurations
+ ghaf.virtualization.microvm = optionalAttrs fullVirtualization {
+ # Netvm modules
+ netvm.extraModules = optionals cfg.netvm.enable [
+ deviceModules.netvmPCIPassthroughModule
+ firmwareModule
+ serviceModules.wifi
+ serviceModules.givc
+ referenceServiceModule
+ ];
+ # Audiovm modules
+ audiovm.extraModules = optionals cfg.audiovm.enable [
+ deviceModules.audiovmPCIPassthroughModule
+ kernelConfigs.audiovm
+ serviceModules.audio
+ serviceModules.givc
+ ];
+ # Guivm modules
+ guivm.extraModules = optionals cfg.guivm.enable [
+ deviceModules.guivmPCIPassthroughModule
+ deviceModules.guivmVirtioInputHostEvdevModule
+ kernelConfigs.guivm
+ firmwareModule
+ qemuModules.guivm
+ serviceModules.desktop
+ serviceModules.fprint
+ serviceModules.yubikey
+ serviceModules.pdfOpener
+ serviceModules.commonNamespace
+ serviceModules.givc
+ referenceProgramsModule
+ ];
+ adminvm.extraModules = optionals cfg.adminvm.enable [ serviceModules.givc ];
+ appvm.extraModules = optionals cfg.appvm.enable [ serviceModules.givc ];
+ };
+ };
+}
diff --git a/modules/microvm/virtualization/microvm/netvm.nix b/modules/microvm/virtualization/microvm/netvm.nix
index 680bf2831..b22ace700 100644
--- a/modules/microvm/virtualization/microvm/netvm.nix
+++ b/modules/microvm/virtualization/microvm/netvm.nix
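Review bot: Every per-VM `extraModules` list, including `adminvm`/`appvm` which carry only `serviceModules.givc`, sits inside `optionalAttrs fullVirtualization`, so on non-x86 targets or hosts without `ghaf.hardware.devices` no givc, desktop, firmware or reference modules are attached at all — if that is intended it deserves a comment on the `config` block, otherwise only the `deviceModules`/`kernelConfigs` entries should depend on `fullVirtualization`. `referenceServiceModule` and `referenceProgramsModule` differ only in the attribute name and could be one helper taking that name. A header comment stating that this module assembles the `extraModules` list for each system VM would help, since the file's purpose is otherwise only inferable from the `config` section.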
@@ -1,109 +1,156 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 +{ inputs }: { config, lib, pkgs, ... -}: let - configHost = config; +}: +let vmName = "net-vm"; macAddress = "02:00:00:01:01:01"; + + isGuiVmEnabled = config.ghaf.virtualization.microvm.guivm.enable; + + sshKeysHelper = pkgs.callPackage ../../../../packages/ssh-keys-helper { + inherit pkgs; + inherit config; + }; + netvmBaseConfiguration = { imports = [ - (import ./common/vm-networking.nix {inherit vmName macAddress;}) - ({lib, ...}: { - ghaf = { - users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable; - development = { - # NOTE: SSH port also becomes accessible on the network interface - # that has been passed through to NetVM - ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable; - debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable; - nix-setup.enable = lib.mkDefault configHost.ghaf.development.nix-setup.enable; + inputs.impermanence.nixosModules.impermanence + inputs.self.nixosModules.givc-netvm + (import ./common/vm-networking.nix { + inherit + config + lib + vmName + macAddress + ; + internalIP = 1; + isGateway = true; + }) + + ./common/storagevm.nix + + # To push logs to central location + ../../../common/logging/client.nix + ( + { lib, ... 
}: + { + imports = [ ../../../common ]; + + ghaf = { + users.accounts.enable = lib.mkDefault config.ghaf.users.accounts.enable; + profiles.debug.enable = lib.mkDefault config.ghaf.profiles.debug.enable; + development = { + # NOTE: SSH port also becomes accessible on the network interface + # that has been passed through to NetVM + ssh.daemon.enable = lib.mkDefault config.ghaf.development.ssh.daemon.enable; + debug.tools.enable = lib.mkDefault config.ghaf.development.debug.tools.enable; + nix-setup.enable = lib.mkDefault config.ghaf.development.nix-setup.enable; + }; + systemd = { + enable = true; + withName = "netvm-systemd"; + withAudit = config.ghaf.profiles.debug.enable; + withPolkit = true; + withResolved = true; + withTimesyncd = true; + withDebug = config.ghaf.profiles.debug.enable; + withHardenedConfigs = true; + }; + givc.netvm.enable = true; + # Logging client configuration + logging.client.enable = config.ghaf.logging.client.enable; + logging.client.endpoint = config.ghaf.logging.client.endpoint; + storagevm = { + enable = true; + name = "netvm"; + directories = [ "/etc/NetworkManager/system-connections/" ]; + }; }; - systemd = { - enable = true; - withName = "netvm-systemd"; - withPolkit = true; - withDebug = configHost.ghaf.profiles.debug.enable; + + time.timeZone = config.time.timeZone; + system.stateVersion = lib.trivial.release; + + nixpkgs = { + buildPlatform.system = config.nixpkgs.buildPlatform.system; + hostPlatform.system = config.nixpkgs.hostPlatform.system; }; - }; - - system.stateVersion = lib.trivial.release; - - nixpkgs.buildPlatform.system = configHost.nixpkgs.buildPlatform.system; - nixpkgs.hostPlatform.system = configHost.nixpkgs.hostPlatform.system; - - microvm.hypervisor = "qemu"; - - networking = { - firewall.allowedTCPPorts = [53]; - firewall.allowedUDPPorts = [53]; - }; - - # Add simple wi-fi connection helper - environment.systemPackages = lib.mkIf config.ghaf.profiles.debug.enable [pkgs.wifi-connector]; - - # Dnsmasq is used as a 
DHCP/DNS server inside the NetVM - services.dnsmasq = { - enable = true; - resolveLocalQueries = true; - settings = { - server = ["8.8.8.8"]; - dhcp-range = ["192.168.100.2,192.168.100.254"]; - dhcp-sequential-ip = true; - dhcp-authoritative = true; - domain = "ghaf"; - listen-address = ["127.0.0.1,192.168.100.1"]; - dhcp-option = [ - "option:router,192.168.100.1" - "6,192.168.100.1" - ]; - expand-hosts = true; - domain-needed = true; - bogus-priv = true; + + networking = { + firewall.allowedTCPPorts = [ 53 ]; + firewall.allowedUDPPorts = [ 53 ]; }; - }; - - # Disable resolved since we are using Dnsmasq - services.resolved.enable = false; - - systemd.network = { - enable = true; - networks."10-ethint0" = { - matchConfig.MACAddress = macAddress; - addresses = [ - { - addressConfig.Address = "192.168.100.1/24"; - } - { - # IP-address for debugging subnet - addressConfig.Address = "192.168.101.1/24"; - } - ]; - linkConfig.ActivationPolicy = "always-up"; + + services.openssh = config.ghaf.security.sshKeys.sshAuthorizedKeysCommand; + + # WORKAROUND: Create a rule to temporary hardcode device name for Wi-Fi adapter on x86 + # TODO this is a dirty hack to guard against adding this to Nvidia/vm targets which + # dont have that definition structure yet defined. FIXME. 
+ # TODO the hardware.definition should not even be exposed in targets that do not consume it + services.udev.extraRules = lib.mkIf (config.ghaf.hardware.definition.network.pciDevices != [ ]) '' + SUBSYSTEM=="net", ACTION=="add", ATTRS{vendor}=="0x${(lib.head config.ghaf.hardware.definition.network.pciDevices).vendorId}", ATTRS{device}=="0x${(lib.head config.ghaf.hardware.definition.network.pciDevices).productId}", NAME="${(lib.head config.ghaf.hardware.definition.network.pciDevices).name}" + ''; + + microvm = { + # Optimize is disabled because when it is enabled, qemu is built without libusb + optimize.enable = false; + hypervisor = "qemu"; + shares = + [ + { + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + } + ] + ++ lib.optionals isGuiVmEnabled [ + { + # Add the waypipe-ssh public key to the microvm + tag = config.ghaf.security.sshKeys.waypipeSshPublicKeyName; + source = config.ghaf.security.sshKeys.waypipeSshPublicKeyDir; + mountPoint = config.ghaf.security.sshKeys.waypipeSshPublicKeyDir; + } + ]; + + writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store"; + qemu = { + machine = + { + # Use the same machine type as the host + x86_64-linux = "q35"; + aarch64-linux = "virt"; + } + .${config.nixpkgs.hostPlatform.system}; + extraArgs = [ + "-device" + "qemu-xhci" + ]; + }; }; - }; - - microvm = { - optimize.enable = true; - shares = [ - { - tag = "ro-store"; - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - } - ]; - writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store"; - }; - - imports = [../../../common]; - }) + + fileSystems = lib.mkIf isGuiVmEnabled { + ${config.ghaf.security.sshKeys.waypipeSshPublicKeyDir}.options = [ "ro" ]; + }; + + # SSH is very picky about to file permissions and ownership and will + # accept neither direct path inside /nix/store or symlink that points + # there. 
Therefore we copy the file to /etc/ssh/get-auth-keys (by + # setting mode), instead of symlinking it. + environment.etc = lib.mkIf isGuiVmEnabled { + ${config.ghaf.security.sshKeys.getAuthKeysFilePathInEtc} = sshKeysHelper.getAuthKeysSource; + }; + } + ) ]; }; cfg = config.ghaf.virtualization.microvm.netvm; -in { +in +{ options.ghaf.virtualization.microvm.netvm = { enable = lib.mkEnableOption "NetVM"; @@ -112,21 +159,17 @@ in { List of additional modules to be imported and evaluated as part of NetVM's NixOS configuration. ''; - default = []; + default = [ ]; }; }; config = lib.mkIf cfg.enable { microvm.vms."${vmName}" = { - autostart = false; - # autostart = true; - config = - netvmBaseConfiguration - // { - imports = - netvmBaseConfiguration.imports - ++ cfg.extraModules; - }; + autostart = true; + restartIfChanged = false; + config = netvmBaseConfiguration // { + imports = netvmBaseConfiguration.imports ++ cfg.extraModules; + }; }; }; } diff --git a/modules/polarfire/default.nix b/modules/polarfire/default.nix index 3f64e4f29..dc1dfc364 100644 --- a/modules/polarfire/default.nix +++ b/modules/polarfire/default.nix @@ -3,8 +3,4 @@ # # Support for Microchip Polarfire Icicle-Kit # -{ - imports = [ - ./mpfs-nixos-sdimage.nix - ]; -} +{ imports = [ ./mpfs-nixos-sdimage.nix ]; } diff --git a/modules/polarfire/mpfs-nixos-sdimage.nix b/modules/polarfire/mpfs-nixos-sdimage.nix index 8b2676e32..59ad28e9c 100644 --- a/modules/polarfire/mpfs-nixos-sdimage.nix +++ b/modules/polarfire/mpfs-nixos-sdimage.nix @@ -6,10 +6,9 @@ pkgs, modulesPath, ... -}: { - imports = [ - (modulesPath + "/installer/sd-card/sd-image.nix") - ]; +}: +{ + imports = [ (modulesPath + "/installer/sd-card/sd-image.nix") ]; sdImage = { compressImage = false; diff --git a/modules/reference/appvms/appflowy.nix b/modules/reference/appvms/appflowy.nix new file mode 100644 index 000000000..584b08852 --- /dev/null +++ b/modules/reference/appvms/appflowy.nix 
@@ -0,0 +1,28 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}:
+{
+ name = "appflowy";
+ packages = [ pkgs.appflowy ];
+ macAddress = "02:00:00:03:08:01";
+ ramMb = 768;
+ cores = 1;
+ extraModules = [
+ {
+ hardware.graphics.enable = true;
+ time.timeZone = config.time.timeZone;
+ ghaf.givc.appvm = {
+ enable = true;
+ name = lib.mkForce "appflowy-vm";
+ applications = lib.mkForce ''{"appflowy": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/appflowy"}'';
+ };
+ }
+ ];
+ borderColor = "#4c3f7a";
+}
diff --git a/modules/reference/appvms/business.nix b/modules/reference/appvms/business.nix
new file mode 100644
index 000000000..2fe8908bb
--- /dev/null
+++ b/modules/reference/appvms/business.nix
@@ -0,0 +1,296 @@ +# Copyright 2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + pkgs, + config, + lib, + ... +}: +let + #TODO: Move this to a common place + xdgPdfPort = 1200; + name = "business"; +in +{ + name = "${name}"; + packages = + let + # PDF XDG handler is executed when the user opens a PDF file in the browser + # The xdgopenpdf script sends a command to the guivm with the file path over TCP connection + xdgPdfItem = pkgs.makeDesktopItem { + name = "ghaf-pdf"; + desktopName = "Ghaf PDF handler"; + exec = "${xdgOpenPdf}/bin/xdgopenpdf %u"; + mimeTypes = [ "application/pdf" ]; + }; + xdgOpenPdf = pkgs.writeShellScriptBin "xdgopenpdf" '' + filepath=$(realpath "$1") + echo "Opening $filepath" | systemd-cat -p info + echo $filepath | ${pkgs.netcat}/bin/nc -N gui-vm ${toString xdgPdfPort} + ''; + in + [ + pkgs.chromium + pkgs.pulseaudio + pkgs.xdg-utils + xdgPdfItem + xdgOpenPdf + pkgs.globalprotect-openconnect + pkgs.openconnect + pkgs.nftables + ]; + # TODO create a repository of mac addresses to avoid conflicts + macAddress = "02:00:00:03:10:01"; + ramMb = 3072; + cores = 4; + extraModules = [ + { + imports = [ ../programs/chromium.nix ]; + # Enable pulseaudio for Chromium VM + security.rtkit.enable = true; + users.extraUsers.ghaf.extraGroups = [ + "audio" + "video" + ]; + + hardware.pulseaudio = { + enable = true; + extraConfig = '' + load-module module-tunnel-sink sink_name=chromium-speaker server=audio-vm:4713 format=s16le channels=2 rate=48000 + load-module module-tunnel-source source_name=chromium-mic server=audio-vm:4713 format=s16le channels=1 rate=48000 + + # Set sink and source default max volume to about 90% (0-65536) + set-sink-volume chromium-speaker 60000 + set-source-volume chromium-mic 60000 + ''; + }; + + time.timeZone = config.time.timeZone; + + microvm = { + qemu.extraArgs = lib.optionals ( + config.ghaf.hardware.usb.internal.enable + && (lib.hasAttr "cam0" 
config.ghaf.hardware.usb.internal.qemuExtraArgs) + ) config.ghaf.hardware.usb.internal.qemuExtraArgs.cam0; + devices = [ ]; + }; + + ghaf.givc.appvm = { + enable = true; + name = lib.mkForce "business-vm"; + applications = lib.mkForce '' + { + "chromium": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland ${config.ghaf.givc.idsExtraArgs}", + "outlook": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://outlook.office.com/mail/ ${config.ghaf.givc.idsExtraArgs}", + "office": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://microsoft365.com ${config.ghaf.givc.idsExtraArgs}", + "teams": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://teams.microsoft.com ${config.ghaf.givc.idsExtraArgs}", + "gpclient": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/gpclient -platform wayland" + }''; + }; + + ghaf.reference.programs.chromium.enable = true; + ghaf.storagevm = { + enable = true; + name = "${name}"; + users.${config.ghaf.users.accounts.user}.directories = [ ".config" ]; + }; + + # Set default PDF XDG handler + xdg.mime.defaultApplications."application/pdf" = "ghaf-pdf.desktop"; + + # TODO: Add a way to configure the gpclient + # also check the openconnect cli options https://discourse.nixos.org/t/globalprotect-vpn/24014/5 + services.globalprotect = { + enable = true; + csdWrapper = "${pkgs.openconnect}/libexec/openconnect/hipreport.sh"; + }; + + #Firewall Settings + networking = { + firewall.enable = true; + firewall.extraCommands = '' + + iptables -F + add_rule() { + local ip=$1 + iptables -I OUTPUT -p tcp -d $ip --dport 80 -j ACCEPT + iptables 
-I OUTPUT -p tcp -d $ip --dport 443 -j ACCEPT + iptables -I INPUT -p tcp -s $ip --sport 80 -j ACCEPT + iptables -I INPUT -p tcp -s $ip --sport 443 -j ACCEPT + } + # Urls can be found from Source: https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges + # Allow microsoft365.com + add_rule 13.107.6.156 + add_rule 13.107.9.156 + + # Exchange + add_rule 13.107.6.152/31 + add_rule 13.107.18.10/31 + add_rule 13.107.128.0/22 + add_rule 23.103.160.0/20 + add_rule 40.96.0.0/13 + add_rule 40.104.0.0/15 + add_rule 52.96.0.0/14 + add_rule 131.253.33.215/32 + add_rule 132.245.0.0/16 + add_rule 150.171.32.0/22 + add_rule 204.79.197.215/32 + + + # Exchange Online + add_rule 40.92.0.0/15 + add_rule 40.107.0.0/16 + add_rule 52.100.0.0/14 + add_rule 52.238.78.88/32 + add_rule 104.47.0.0/17 + + + # Sharepoint + add_rule 13.107.136.0/22 + add_rule 40.108.128.0/17 + add_rule 52.104.0.0/14 + add_rule 104.146.128.0/17 + add_rule 150.171.40.0/22 + + + # Common + add_rule 13.107.6.171/32 + add_rule 13.107.18.15/32 + add_rule 13.107.140.6/32 + add_rule 52.108.0.0/14 + add_rule 52.244.37.168/32 + add_rule 20.20.32.0/19 + add_rule 20.190.128.0/18 + add_rule 20.231.128.0/19 + add_rule 40.126.0.0/18 + add_rule 13.107.6.192/32 + add_rule 13.107.9.192/32 + add_rule 52.108.0.0/14 + + # Teams + add_rule 13.107.64.0/18 + add_rule 52.112.0.0/14 + add_rule 52.122.0.0/15 + add_rule 52.108.0.0/14 + add_rule 52.238.119.141/32 + add_rule 52.244.160.207/32 + add_rule 2.16.234.57 + add_rule 23.56.21.152 + add_rule 23.33.233.129 + add_rule 52.123.0.0/16 + + + # Allow VPN access.tii.ae and iservice + add_rule 151.253.154.18 + add_rule 10.161.10.120 + + # To be checked + # Allow res.cdn.office.net + add_rule 152.199.21.175 + add_rule 152.199.39.108 + add_rule 2.21.231.0/24 + add_rule 2.20.249.0/24 + add_rule 152.199.0.0/16 + + + # Allow js.monitor.azure.com + add_rule 13.107.246.0/24 + + # Allow c.s-microsoft.com + add_rule 23.207.193.242 + add_rule 23.208.213.121 + add_rule 
23.208.173.122 + add_rule 23.44.1.243 + add_rule 104.65.229.0/24 + add_rule 23.53.113.0/24 + add_rule 2.19.105.47 + + # Allow microsoft.com + add_rule 20.70.246.20 + add_rule 20.236.44.162 + add_rule 20.76.201.171 + add_rule 20.231.239.246 + add_rule 20.112.250.133 + add_rule 184.25.221.172 + + # statics.teams.cdn.office.net + add_rule 95.101.0.0/16 + add_rule 184.87.193.0/24 + add_rule 23.44.0.0/14 + add_rule 96.16.53.0/24 + add_rule 23.59.80.0/24 + add_rule 23.202.33.0/24 + add_rule 104.73.172.0/24 + add_rule 184.27.123.0/24 + add_rule 2.16.56.0/24 + add_rule 23.219.73.130 + add_rule 104.93.18.174 + add_rule 2.21.225.158 + add_rule 23.45.137.145 + add_rule 23.48.121.167 + add_rule 23.46.197.94 + add_rule 104.80.21.47 + add_rule 23.195.154.8 + add_rule 193.229.113.0/24 + + # edge.skype.com for teams + add_rule 13.107.254.0/24 + add_rule 13.107.3.0/24 + + # api.flightproxy.skype.com for teams + add_rule 98.66.0.0/16 + add_rule 4.208.0.0/16 + add_rule 4.225.208.0/24 + add_rule 4.210.0.0/16 + add_rule 108.141.240.0/24 + add_rule 74.241.0.0/16 + add_rule 20.216.0.0/16 + add_rule 172.211.0.0/16 + add_rule 20.50.217.0/24 + add_rule 68.219.14.0/24 + add_rule 20.107.136.0/24 + add_rule 4.175.191.0/24 + add_rule 98.64.0.0/16 + + # Allow tiiuae.sharepoint.com + add_rule 52.104.7.53 + add_rule 52.105.255.39 + add_rule 13.107.138.10 + add_rule 13.107.136.10 + add_rule 118.215.84.0/24 + add_rule 104.69.171.0/24 + add_rule 13.107.136.10 + add_rule 23.15.111.0/24 + # Allow shell.cdn.office.net + add_rule 23.50.92.176 + add_rule 23.15.30.57 + add_rule 23.50.187.58 + add_rule 104.73.234.244 + add_rule 104.83.143.131 + # Allow res-1.cdn.office.net + add_rule 23.52.40.0/24 + add_rule 23.64.122.0/24 + add_rule 2.16.106.0/24 + # Allow publiccdn.sharepointonline.com + add_rule 23.50.86.117 + add_rule 104.69.168.125 + add_rule 2.16.43.238 + add_rule 23.34.79.0/24 + add_rule 23.39.68.0/24 + # r4.res.office365.com + add_rule 2.19.97.32 + add_rule 2.22.61.139 + + + # Block all other HTTP 
and HTTPS traffic + iptables -A OUTPUT -p tcp --dport 80 -j REJECT + iptables -A OUTPUT -p tcp --dport 443 -j REJECT + + ''; + }; + } + ]; + borderColor = "#00FF00"; + vtpm.enable = true; +} diff --git a/modules/reference/appvms/chromium.nix b/modules/reference/appvms/chromium.nix new file mode 100644 index 000000000..2b7094720 --- /dev/null +++ b/modules/reference/appvms/chromium.nix 
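Review bot: The egress allowlist in `firewall.extraCommands` is IPv4-only — the closing `iptables -A OUTPUT -p tcp --dport 80|443 -j REJECT` lines have no `ip6tables` counterpart, so IPv6 reachability in the VM would sidestep the restriction, and UDP 443 (QUIC, which Chromium uses by default) is not covered either; add `ip6tables -A OUTPUT -p tcp --dport 80 -j REJECT` and `ip6tables -A OUTPUT -p tcp --dport 443 -j REJECT` (or disable IPv6 in this VM) plus a matching UDP 443 reject. `iptables -F` with no chain name flushes every chain in the filter table, including the `nixos-fw` chain that NixOS populates before `extraCommands` runs, which discards its loopback and established/related accepts; scope it to the chains this script populates (`iptables -F INPUT; iptables -F OUTPUT`) — worth confirming against the firewall start script order. Minor: `52.108.0.0/14` appears three times and `13.107.136.10` twice, and the `xdgopenpdf` script (duplicated verbatim in `chromium.nix`) should write `echo "$filepath" | …` so unusual file names are not word-split or glob-expanded.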
@@ -0,0 +1,96 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}:
+let
+ inherit (lib) hasAttr optionals;
+ xdgPdfPort = 1200;
+ name = "chromium";
+in
+{
+ name = "${name}";
+ packages =
+ let
+ # PDF XDG handler is executed when the user opens a PDF file in the browser
+ # The xdgopenpdf script sends a command to the guivm with the file path over TCP connection
+ xdgPdfItem = pkgs.makeDesktopItem {
+ name = "ghaf-pdf";
+ desktopName = "Ghaf PDF handler";
+ exec = "${xdgOpenPdf}/bin/xdgopenpdf %u";
+ mimeTypes = [ "application/pdf" ];
+ };
+ xdgOpenPdf = pkgs.writeShellScriptBin "xdgopenpdf" ''
+ filepath=$(realpath "$1")
+ echo "Opening $filepath" | systemd-cat -p info
+ echo $filepath | ${pkgs.netcat}/bin/nc -N gui-vm ${toString xdgPdfPort}
+ '';
+ in
+ [
+ pkgs.chromium
+ pkgs.pulseaudio
+ pkgs.xdg-utils
+ xdgPdfItem
+ xdgOpenPdf
+ ];
+ # TODO create a repository of mac addresses to avoid conflicts
+ macAddress = "02:00:00:03:05:01";
+ ramMb = 3072;
+ cores = 4;
+ extraModules = [
+ {
+ imports = [ ../programs/chromium.nix ];
+ # Enable pulseaudio for Chromium VM
+ security.rtkit.enable = true;
+ users.extraUsers.ghaf.extraGroups = [
+ "audio"
+ "video"
+ ];
+
+ hardware.pulseaudio = {
+ enable = true;
+ extraConfig = ''
+ load-module module-tunnel-sink sink_name=chromium-speaker server=audio-vm:4713 format=s16le channels=2 rate=48000
+ load-module module-tunnel-source source_name=chromium-mic server=audio-vm:4713 format=s16le channels=1 rate=48000
+
+ # Set sink and source default max volume to about 90% (0-65536)
+ set-sink-volume chromium-speaker 60000
+ set-source-volume chromium-mic 60000
+ '';
+ };
+
+ time.timeZone = config.time.timeZone;
+
+ microvm.qemu.extraArgs = optionals (
+ config.ghaf.hardware.usb.internal.enable
+ && (hasAttr "cam0" config.ghaf.hardware.usb.internal.qemuExtraArgs)
+ ) config.ghaf.hardware.usb.internal.qemuExtraArgs.cam0;
+ microvm.devices = [ ];
+
+ ghaf.givc.appvm = {
+ enable = true;
+ name = lib.mkForce "chromium-vm";
+ applications = lib.mkForce ''
+ {
+ "chromium": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland ${config.ghaf.givc.idsExtraArgs}"
+ }'';
+ };
+
+ ghaf.reference.programs.chromium.enable = true;
+ ghaf.storagevm = {
+ enable = true;
+ name = "${name}";
+ users.${config.ghaf.users.accounts.user}.directories = [ ".config" ];
+ };
+
+ # Set default PDF XDG handler
+ xdg.mime.defaultApplications."application/pdf" = "ghaf-pdf.desktop";
+ }
+ ];
+ borderColor = "#630505";
+ vtpm.enable = true;
+}
diff --git a/modules/reference/appvms/comms.nix b/modules/reference/appvms/comms.nix
new file mode 100644
index 000000000..78dcc0055
--- /dev/null
+++ b/modules/reference/appvms/comms.nix
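Review bot: Everything in this file except the firewall block, the VPN packages and `pkgs.nftables` is a verbatim copy of `business.nix` — the PDF handler, the PulseAudio tunnel, the `cam0` passthrough, the givc and storagevm settings; business.nix's own `#TODO: Move this to a common place` points the same way, so a shared module (next to the `../programs/chromium.nix` both already import) would stop the two from drifting, the duplicated `xdgopenpdf` script being the first candidate. The `module-tunnel-sink`/`module-tunnel-source` lines connect to `audio-vm:4713` with no authentication visible here; if that relies on network isolation between VMs, a one-line comment saying so would help the next reader.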
@@ -0,0 +1,115 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}:
+let
+ inherit (lib) hasAttr optionals;
+ dendrite-pinecone = pkgs.callPackage ../../../packages/dendrite-pinecone { };
+ isDendritePineconeEnabled =
+ if (hasAttr "services" config.ghaf.reference) then
+ config.ghaf.reference.services.dendrite
+ else
+ false;
+in
+{
+ name = "comms";
+
+ packages = [
+ pkgs.chromium
+ pkgs.element-desktop
+ pkgs.element-gps
+ pkgs.gpsd
+ pkgs.tcpdump
+ pkgs.pulseaudio
+ ] ++ pkgs.lib.optionals isDendritePineconeEnabled [ dendrite-pinecone ];
+ macAddress = "02:00:00:03:09:01";
+ ramMb = 4096;
+ cores = 4;
+ extraModules = [
+ {
+ # Enable pulseaudio for user ghaf to access mic
+ security.rtkit.enable = true;
+ users.extraUsers.ghaf.extraGroups = [
+ "audio"
+ "video"
+ ];
+
+ hardware.pulseaudio = {
+ enable = true;
+ extraConfig = ''
+ load-module module-tunnel-sink sink_name=element-speaker server=audio-vm:4713 format=s16le channels=2 rate=48000
+ load-module module-tunnel-source source_name=element-mic server=audio-vm:4713 format=s16le channels=1 rate=48000
+
+ # Set sink and source default max volume to about 90% (0-65536)
+ set-sink-volume element-speaker 60000
+ set-source-volume element-mic 60000
+ '';
+ };
+
+ systemd = {
+ services = {
+ element-gps = {
+ description = "Element-gps is a GPS location provider for Element websocket interface.";
+ enable = true;
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${pkgs.element-gps}/bin/main.py";
+ Restart = "on-failure";
+ RestartSec = "2";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+
+ "dendrite-pinecone" = pkgs.lib.mkIf isDendritePineconeEnabled {
+ description = "Dendrite is a second-generation Matrix homeserver with Pinecone which is a next-generation P2P overlay network";
+ enable = true;
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${dendrite-pinecone}/bin/dendrite-demo-pinecone";
+ Restart = "on-failure";
+ RestartSec = "2";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+ };
+ };
+
+ networking = pkgs.lib.mkIf isDendritePineconeEnabled {
+ firewall.allowedTCPPorts = [ dendrite-pinecone.TcpPortInt ];
+ firewall.allowedUDPPorts = [ dendrite-pinecone.McastUdpPortInt ];
+ };
+
+ time.timeZone = config.time.timeZone;
+
+ services.gpsd = {
+ enable = true;
+ devices = [ "/dev/ttyUSB0" ];
+ readonly = true;
+ debugLevel = 2;
+ listenany = true;
+ extraArgs = [ "-n" ]; # Do not wait for a client to connect before polling
+ };
+
+ microvm.qemu.extraArgs = optionals (
+ config.ghaf.hardware.usb.external.enable
+ && (hasAttr "gps0" config.ghaf.hardware.usb.external.qemuExtraArgs)
+ ) config.ghaf.hardware.usb.external.qemuExtraArgs.gps0;
+
+ ghaf.givc.appvm = {
+ enable = true;
+ name = lib.mkForce "comms-vm";
+ applications = lib.mkForce ''
+ {
+ "element": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/element-desktop --enable-features=UseOzonePlatform --ozone-platform=wayland",
+ "slack": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://app.slack.com/client ${config.ghaf.givc.idsExtraArgs}"
+ }'';
+ };
+ }
+ ];
+ borderColor = "#337aff";
+}
diff --git a/modules/reference/appvms/default.nix b/modules/reference/appvms/default.nix
new file mode 100644
index 000000000..9e2664aea
--- /dev/null
+++ b/modules/reference/appvms/default.nix
@@ -0,0 +1,47 @@ +# Copyright 2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + config, + lib, + pkgs, + ... +}: +let + cfg = config.ghaf.reference.appvms; +in +{ + imports = [ ]; + + options.ghaf.reference.appvms = { + enable = lib.mkEnableOption "Enable the Ghaf reference appvms module"; + chromium-vm = lib.mkEnableOption "Enable the Chromium appvm"; + gala-vm = lib.mkEnableOption "Enable the Gala appvm"; + zathura-vm = lib.mkEnableOption "Enable the Zathura appvm"; + comms-vm = lib.mkEnableOption '' + Enable the communications appvm + - Element + - Slack + ''; + appflowy-vm = lib.mkEnableOption "Enable the Appflowy appvm"; + business-vm = lib.mkEnableOption "Enable the Business appvm"; + enabled-app-vms = lib.mkOption { + type = lib.types.listOf lib.types.attrs; + default = [ ]; + description = '' + List of appvms to include in the Ghaf reference appvms module + ''; + }; + }; + + config = lib.mkIf cfg.enable { + ghaf.reference.appvms = { + enabled-app-vms = + (lib.optionals cfg.chromium-vm [ (import ./chromium.nix { inherit pkgs lib config; }) ]) + ++ (lib.optionals cfg.gala-vm [ (import ./gala.nix { inherit pkgs lib config; }) ]) + ++ (lib.optionals cfg.zathura-vm [ (import ./zathura.nix { inherit pkgs lib config; }) ]) + ++ (lib.optionals cfg.comms-vm [ (import ./comms.nix { inherit pkgs lib config; }) ]) + ++ (lib.optionals cfg.appflowy-vm [ (import ./appflowy.nix { inherit pkgs lib config; }) ]) + ++ (lib.optionals cfg.business-vm [ (import ./business.nix { inherit pkgs lib config; }) ]); + }; + }; +} diff --git a/modules/reference/appvms/gala.nix b/modules/reference/appvms/gala.nix new file mode 100644 index 000000000..b895b7ae1 --- /dev/null +++ b/modules/reference/appvms/gala.nix 
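Review bot: `imports = [ ];` at the top of the module is dead and can be dropped. `enabled-app-vms` is declared as an ordinary settable option but is computed entirely by this module from the per-VM flags, so an outside definition would be merged into the list silently; marking it `readOnly = true;` in the `lib.mkOption` (keeping the current `default`) documents that it is an output of this module rather than an input, since the module system then rejects a second definition. The six `lib.optionals cfg.<vm> [ (import ./<vm>.nix { inherit pkgs lib config; }) ]` lines could be generated from a name list, but that is a matter of taste.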
@@ -0,0 +1,27 @@ +# Copyright 2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + lib, + pkgs, + config, + ... +}: +{ + name = "gala"; + packages = [ pkgs.gala-app ]; + macAddress = "02:00:00:03:06:01"; + ramMb = 1536; + cores = 2; + extraModules = [ + { + time.timeZone = config.time.timeZone; + ghaf.givc.appvm = { + enable = true; + name = lib.mkForce "gala-vm"; + applications = lib.mkForce ''{"gala": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/gala --enable-features=UseOzonePlatform --ozone-platform=wayland"}''; + }; + } + ]; + borderColor = "#027d7b"; +} diff --git a/modules/reference/appvms/zathura.nix b/modules/reference/appvms/zathura.nix new file mode 100644 index 000000000..d8f7a7d52 --- /dev/null +++ b/modules/reference/appvms/zathura.nix @@ -0,0 +1,29 @@ +# Copyright 2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + lib, + pkgs, + config, + ... +}: +{ + name = "zathura"; + packages = [ pkgs.zathura ]; + macAddress = "02:00:00:03:07:01"; + ramMb = 512; + cores = 1; + extraModules = [ + { + imports = [ ../programs/zathura.nix ]; + time.timeZone = config.time.timeZone; + ghaf.reference.programs.zathura.enable = true; + ghaf.givc.appvm = { + enable = true; + name = lib.mkForce "zathura-vm"; + applications = lib.mkForce ''{"zathura": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/zathura"}''; + }; + } + ]; + borderColor = "#122263"; +} diff --git a/modules/common/development/authorized_ssh_keys.nix b/modules/reference/personalize/authorizedSshKeys.nix similarity index 72% rename from modules/common/development/authorized_ssh_keys.nix rename to modules/reference/personalize/authorizedSshKeys.nix index 0056d4c10..5bdff3b50 100644 --- a/modules/common/development/authorized_ssh_keys.nix +++ b/modules/reference/personalize/authorizedSshKeys.nix 
@@ -1,7 +1,7 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 { - authorizedKeys = [ + authorizedSshKeys = [ # Add your SSH Public Keys here # NOTE: adding your pub ssh key here will make accessing and "nixos-rebuild switching" development mode # builds easy but still secure. Given that you protect your private keys. Do not share your keypairs across hosts. @@ -13,9 +13,14 @@ # You have been helped and you have been warned. "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIA/pwHnzGNM+ZU4lANGROTRe2ZHbes7cnZn72Oeun/MCAAAABHNzaDo= brian@arcadia" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEJ9ewKwo5FLj6zE30KnTn8+nw7aKdei9SeTwaAeRdJDAAAABHNzaDo= brian@minerva" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILu6O3swRVWAjP7J8iYGT6st7NAa+o/XaemokmtKdpGa brian@builder" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdNDuKwAsAff4iFRfujo77W4cyAbfQHjHP57h/7tJde ville.ilvonen@unikie.com" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICKm9NtS/ZmrxQhY/pbRlX+9O1VaBEd8D9vojDtvS0Ru juliuskoskela@vega" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILnTMRhhsaZKKL1fwyXE6kRJkiTJwJxI4WoTAkUM99nV kisandst@kim-nvidia" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDJau0tg0qHhqFVarjNOJLi+ekSZNNqxal4iRD/pwM5W tervis@tervis-thinkpad" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAHVXc4s7e8j1uFsgHPBzpWvSI/hk5Zf6Btuj79D4hf3 tervis@tervis-servu" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM3w7NzqMuF+OAiIcYWyP9+J3kwvYMKQ+QeY9J8QjAXm shamma-alblooshi@tii.ae" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB/iv9RWMN6D9zmEU85XkaU8fAWJreWkv3znan87uqTW humaid@tahr" # For ghaf-installer automated testing: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAolaKCuIUBQSBFGFZI1taNX+JTAr8edqUts7A6k2Kv7" diff --git a/modules/reference/personalize/default.nix b/modules/reference/personalize/default.nix new file mode 100644 index 000000000..c967c24f3 --- /dev/null +++ b/modules/reference/personalize/default.nix 
@@ -0,0 +1,3 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{ imports = [ ./keys.nix ]; }
diff --git a/modules/reference/personalize/keys.nix b/modules/reference/personalize/keys.nix
new file mode 100644
index 000000000..6058c2263
--- /dev/null
+++ b/modules/reference/personalize/keys.nix
@@ -0,0 +1,37 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ config, lib, ... }: +let + cfg = config.ghaf.reference.personalize.keys; + inherit (lib) + mkEnableOption + mkIf + concatStrings + mkForce + ; + + authorizedYubikeys = [ + # Yubikey public keys for testing team, enabled only in debug mode + #1 + "ghaf:3HbulvTWYKkZEX6VaFX/EWLUp2FwHMUQQvhi8dGjOd1U+5gUxarLyqGcVzeAte5wpvTGkcRckcfN3Ce9iK0smA==,/j1T0Z4vNv72218WkRemtSMaqv4ysw6Oa6Db8KnLFczv5DxzBhHj+e3kinNX89wvwJWe9XlxPQqE54jmzi227w==,es256,+presence" + #2 + "ghaf:fkBGKisgW8B1AAQDe6l6QWMbvaM3vfIahYwnlWcyKoI0aM62hPBL3l1x5IUyQy41kpe1+nbR4K6KX43utDz7kA==,nEVF0RHTNpzRvem1Ng3KnHhlXXj28tvQvbA+YF39p6fzJpq0t9czGb85kmPms9pGquQiOFTDrEURUmdC6PA8Ng==,es256,+presence" + #3 + "ghaf:zQlVob4+w3DcvtN6BPjBPaEssJ3PYNSQVlWLk/Uq/Qlbqk9D0IjPjZDm5XwTuKhropVR1hVA4XdZKsSs9BlUEQ==,G3qgBAhmCwANuCdCZzo68QLFFQ4aud/a3X5r1m8UeUpMh5BlDHrHAR0sE0H/d4v7RiScex2TZaHrgYV507BFRA==,es256,+presence" + #4 + "ghaf:QaA1B4u1GzLt+HSwXpMxmdCOKiBN4WZSUAuEXZahNSpcv8xiYagp0ntVsl8TOx4K+sKls3gTn37Uso/dmncwdA==,mr0Nhwkok7VLUtkBMryOA0lZghU23SCYtU3CZeW5P4WVtnPax3N/6GkfuAv6Zw5ejC4BDvov3oKHTQT/F8eYqA==,es256,+presence" + ]; + + inherit ((import ./authorizedSshKeys.nix)) authorizedSshKeys; +in +{ + options.ghaf.reference.personalize.keys = { + enable = mkEnableOption "Enable personalization of keys for dev team"; + }; + + config = mkIf cfg.enable { + users.users.root.openssh.authorizedKeys.keys = authorizedSshKeys; + users.users.${config.ghaf.users.accounts.user}.openssh.authorizedKeys.keys = authorizedSshKeys; + ghaf.services.yubikey.u2fKeys = mkForce (concatStrings authorizedYubikeys); + }; +} diff --git a/modules/common/hardware/default.nix b/modules/reference/profiles/default.nix similarity index 56% rename from modules/common/hardware/default.nix rename to modules/reference/profiles/default.nix index c19ca9dd8..d2820a398 100644 --- a/modules/common/hardware/default.nix 
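Review bot: `config = mkIf cfg.enable` installs every key from authorizedSshKeys.nix into `users.users.root.openssh.authorizedKeys.keys` and into the primary user's account, but nothing ties `cfg.enable` to the debug profile — the comment above `authorizedYubikeys` says the keys are for the testing team and "enabled only in debug mode", the renamed authorizedSshKeys.nix hunk still describes them as development-mode keys, and mvp-user-trial.nix sets `personalize.keys.enable = true` unconditionally for the host, the netvm and the guivm. Gating the block, e.g. `config = mkIf (cfg.enable && config.ghaf.profiles.debug.enable) {`, or adding an assertion on `config.ghaf.profiles.debug.enable` inside it, would keep a release build from shipping root SSH logins for personal keys. The `mkForce` on `ghaf.services.yubikey.u2fKeys` also discards any U2F keys set by other modules; if those are meant to contribute, a plain definition or `lib.mkDefault` is the better choice.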
+++ b/modules/reference/profiles/default.nix
@@ -1,11 +1,11 @@
 # Copyright 2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
+#
+# Ghaf Desktop Experience
+#
 {
 imports = [
- ./x86_64-linux.nix
- ./x86_64-generic
- ./definition.nix
-
- ./ax88179_178a.nix
+ ./laptop-x86.nix
+ ./mvp-user-trial.nix
 ];
 }
diff --git a/modules/reference/profiles/laptop-x86.nix b/modules/reference/profiles/laptop-x86.nix
new file mode 100644
index 000000000..5d838b9ed
--- /dev/null
+++ b/modules/reference/profiles/laptop-x86.nix
@@ -0,0 +1,123 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ config, lib, ... }: +let + cfg = config.ghaf.reference.profiles.laptop-x86; + listenerAddress = config.ghaf.logging.listener.address; + listenerPort = toString config.ghaf.logging.listener.port; +in +{ + imports = [ + ../../desktop/graphics + ../../common + ../../host + #TODO how to reference the miocrovm module here? + #self.nixosModules.microvm + #../microvm + ../../hardware/x86_64-generic + ../../hardware/common + ../../hardware/definition.nix + ../../lanzaboote + ]; + + options.ghaf.reference.profiles.laptop-x86 = { + enable = lib.mkEnableOption "Enable the basic x86 laptop config"; + + netvmExtraModules = lib.mkOption { + description = '' + List of additional modules to be passed to the netvm. + ''; + default = [ ]; + }; + + guivmExtraModules = lib.mkOption { + description = '' + List of additional modules to be passed to the guivm. + ''; + default = [ ]; + }; + + enabled-app-vms = lib.mkOption { + type = lib.types.listOf lib.types.attrs; + default = [ ]; + description = '' + List of appvms to include in the Ghaf reference appvms module + ''; + }; + }; + + config = lib.mkIf cfg.enable { + + ghaf = { + # Hardware definitions + hardware = { + x86_64.common.enable = true; + tpm2.enable = true; + usb.internal.enable = true; + usb.external.enable = true; + usb.vhotplug.enable = true; + }; + + # Virtualization options + virtualization = { + microvm-host = { + enable = true; + networkSupport = true; + }; + + microvm = { + netvm = { + enable = true; + wifi = true; + extraModules = cfg.netvmExtraModules; + }; + + adminvm = { + enable = true; + }; + + idsvm = { + enable = false; + mitmproxy.enable = false; + }; + + guivm = { + enable = true; + extraModules = cfg.guivmExtraModules; + }; + + audiovm = { + enable = true; + audio = true; + }; + + appvm = { + enable = true; + vms = cfg.enabled-app-vms; + }; + }; + }; + + # Enable givc + # @TODO change this 
flag to enable givc in release + givc.enable = config.ghaf.profiles.debug.enable; + + host = { + networking.enable = true; + }; + + # UI applications + # TODO fix this when defining desktop and apps + profiles = { + applications.enable = false; + }; + + # Logging configuration + logging.client.enable = true; + logging.client.endpoint = "http://${listenerAddress}:${listenerPort}/loki/api/v1/push"; + logging.listener.address = + "admin-vm" + lib.optionalString config.ghaf.profiles.debug.enable "-debug"; + logging.listener.port = 9999; + }; + }; +} diff --git a/modules/reference/profiles/mvp-user-trial.nix b/modules/reference/profiles/mvp-user-trial.nix new file mode 100644 index 000000000..a19200843 --- /dev/null +++ b/modules/reference/profiles/mvp-user-trial.nix @@ -0,0 +1,67 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ config, lib, ... }: +let + cfg = config.ghaf.reference.profiles.mvp-user-trial; +in +{ + imports = [ + ../appvms + ../programs + ../services + ../personalize + ]; + + options.ghaf.reference.profiles.mvp-user-trial = { + enable = lib.mkEnableOption "Enable the mvp configuration for apps and services"; + }; + + config = lib.mkIf cfg.enable { + ghaf = { + reference = { + appvms = { + enable = true; + chromium-vm = true; + gala-vm = true; + zathura-vm = true; + comms-vm = true; + appflowy-vm = true; + business-vm = true; + }; + + services = { + enable = true; + dendrite = true; + }; + + programs = { + windows-launcher = { + enable = false; + spice = false; + }; + }; + + personalize = { + keys.enable = true; + }; + + profiles = { + laptop-x86 = { + enable = true; + netvmExtraModules = [ + ../services + ../personalize + { ghaf.reference.personalize.keys.enable = true; } + ]; + guivmExtraModules = [ + ../programs + ../personalize + { ghaf.reference.personalize.keys.enable = true; } + ]; + inherit (config.ghaf.reference.appvms) enabled-app-vms; + }; + }; + }; + }; + }; +} 
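Review bot: `netvmExtraModules` and `guivmExtraModules` are declared with a `description` and a `default` but no `type`, so they fall back to `types.unspecified` and the merge behaviour when two modules define them is an implementation detail rather than a documented contract; mvp-user-trial.nix passes both paths and attrsets, so `type = lib.types.listOf lib.types.deferredModule;` (or `listOf lib.types.raw` if the pinned nixpkgs predates `deferredModule`) fits the values actually used. Separately, `logging.client.endpoint` ships logs to `http://${listenerAddress}:${listenerPort}/loki/api/v1/push` in clear text; if the link to the admin-vm is an isolated internal network that is acceptable, but a comment stating that assumption next to the endpoint would keep it from being reused over an untrusted path. The `ghaf = { ... }` block this applies to starts in L661.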
diff --git a/modules/reference/programs/chromium.nix b/modules/reference/programs/chromium.nix new file mode 100644 index 000000000..74c375d1c --- /dev/null +++ b/modules/reference/programs/chromium.nix @@ -0,0 +1,23 @@ +# Copyright 2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ config, lib, ... }: +let + cfg = config.ghaf.reference.programs.chromium; +in +{ + options.ghaf.reference.programs.chromium = { + enable = lib.mkEnableOption "Enable Chromium program settings"; + useZathuraVM = lib.mkEnableOption "Open PDFs in Zathura VM"; + }; + config = lib.mkIf cfg.enable { + programs.chromium = { + enable = true; + + # Fix border glitch when going maximised->minimised. + initialPrefs.browser.custom_chrome_frame = false; + + # Don't use pdf.js, open externally. + extraOpts."AlwaysOpenPdfExternally" = true; + }; + }; +} diff --git a/modules/reference/programs/default.nix b/modules/reference/programs/default.nix new file mode 100644 index 000000000..d10a53184 --- /dev/null +++ b/modules/reference/programs/default.nix @@ -0,0 +1,9 @@ +# Copyright 2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + imports = [ + ./zathura.nix + ./chromium.nix + ./windows-launcher.nix + ]; +} diff --git a/modules/reference/programs/windows-launcher.nix b/modules/reference/programs/windows-launcher.nix new file mode 100644 index 000000000..d95f2b12f --- /dev/null +++ b/modules/reference/programs/windows-launcher.nix 
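Review bot: `useZathuraVM` is declared as an option in this hunk but nothing in the module reads it, so enabling it has no effect unless another module consumes `config.ghaf.reference.programs.chromium.useZathuraVM` (not visible in this diff); if it is meant to be wired up later, a `# TODO: read by <consuming module> to route PDFs to the Zathura VM` beside the declaration prevents it being mistaken for a working switch. The `# Don't use pdf.js, open externally.` comment on `extraOpts."AlwaysOpenPdfExternally"` could also say which handler receives the file, since that decides which VM ends up opening untrusted PDFs.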
@@ -0,0 +1,47 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + lib, + pkgs, + config, + ... +}: +let + cfg = config.ghaf.reference.programs.windows-launcher; + windows-launcher = pkgs.callPackage ../../../packages/windows-launcher { enableSpice = cfg.spice; }; +in +{ + #TODO fix all these imports to correct scoping + imports = [ ../../desktop ]; + + options.ghaf.reference.programs.windows-launcher = { + enable = lib.mkEnableOption "Windows launcher"; + + spice = lib.mkEnableOption "remote access to the virtual machine using spice"; + + spice-port = lib.mkOption { + description = "Spice port"; + type = lib.types.int; + default = 5900; + }; + + spice-host = lib.mkOption { + description = "Spice host"; + type = lib.types.str; + default = "192.168.101.2"; + }; + }; + + config = lib.mkIf cfg.enable { + ghaf.graphics.launchers = lib.mkIf (!cfg.spice) [ + { + name = "Windows"; + path = "${windows-launcher}/bin/windows-launcher-ui"; + icon = "${pkgs.icon-pack}/distributor-logo-windows.svg"; + } + ]; + + networking.firewall.allowedTCPPorts = lib.mkIf cfg.spice [ cfg.spice-port ]; + environment.systemPackages = [ windows-launcher ]; + }; +} diff --git a/modules/reference/programs/zathura.nix b/modules/reference/programs/zathura.nix new file mode 100644 index 000000000..85b6b559f --- /dev/null +++ b/modules/reference/programs/zathura.nix @@ -0,0 +1,17 @@ +# Copyright 2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ config, lib, ... }: +let + cfg = config.ghaf.reference.programs.zathura; +in +{ + options.ghaf.reference.programs.zathura = { + enable = lib.mkEnableOption "Enable Zathura program settings"; + }; + config = lib.mkIf cfg.enable { + # Use regular clipboard instead of primary clipboard. + environment.etc."zathurarc".text = '' + set selection-clipboard clipboard + ''; + }; +} 
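Review bot: `spice-port` is typed `lib.types.int`, so a negative or out-of-range value passes evaluation and only fails when iptables rejects it; `type = lib.types.port;` catches that at eval time. When `cfg.spice` is set, `networking.firewall.allowedTCPPorts = lib.mkIf cfg.spice [ cfg.spice-port ]` opens the SPICE console port on every interface of the VM importing this module, and since SPICE carries display and input a comment stating that the port is only expected to be reached from the `spice-host` network, and where any TLS or password protection is configured, would document the exposure. `spice-host` is declared but not read here — presumably the windows-launcher package or its UI consumes it, which is worth confirming.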
diff --git a/modules/reference/services/default.nix b/modules/reference/services/default.nix
new file mode 100644
index 000000000..2dbb1f824
--- /dev/null
+++ b/modules/reference/services/default.nix
@@ -0,0 +1,23 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{ config, lib, ... }:
+let
+ inherit (lib) mkEnableOption mkIf mkForce;
+ cfg = config.ghaf.reference.services;
+ isNetVM = "net-vm" == config.system.name;
+in
+{
+ imports = [
+ ./dendrite-pinecone/dendrite-pinecone.nix
+ ./dendrite-pinecone/dendrite-config.nix
+ ];
+ options.ghaf.reference.services = {
+ enable = mkEnableOption "Enable the Ghaf reference services";
+ dendrite = mkEnableOption "Enable the dendrite-pinecone service";
+ };
+ config = mkIf cfg.enable {
+ ghaf.reference.services = {
+ dendrite-pinecone.enable = mkForce (cfg.dendrite && isNetVM);
+ };
+ };
+}
diff --git a/modules/reference/services/dendrite-pinecone/dendrite-config.nix b/modules/reference/services/dendrite-pinecone/dendrite-config.nix
new file mode 100644
index 000000000..4f8409015
--- /dev/null
+++ b/modules/reference/services/dendrite-pinecone/dendrite-config.nix
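Review bot: `isNetVM = "net-vm" == config.system.name` ties activation of the service to `system.name`, which in NixOS defaults to the hostname and can be set by any module; if the microvm framework identifies the VM through a different option, `dendrite-pinecone.enable` silently stays false everywhere even with `cfg.dendrite = true`. A comment naming the module that sets `system.name` to `net-vm`, or an assertion that `cfg.dendrite` results in the service being enabled on at least one VM, would make that failure visible. The `mkForce` also overrides the `lib.mkDefault false` in dendrite-config.nix and any per-host override, so the service cannot be enabled on another VM for testing without editing this file.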
@@ -0,0 +1,34 @@ +# Copyright 2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ config, lib, ... }: +{ + config.ghaf.reference.services.dendrite-pinecone = + let + externalNic = + let + firstPciWifiDevice = lib.head config.ghaf.hardware.definition.network.pciDevices; + in + "${firstPciWifiDevice.name}"; + + internalNic = + let + vmNetworking = import ../../../microvm/virtualization/microvm/common/vm-networking.nix { + inherit config; + inherit lib; + vmName = "net-vm"; + inherit (config.microvm.net-vm) macAddress; + internalIP = 1; + }; + in + "${lib.head vmNetworking.networking.nat.internalInterfaces}"; + + getCommsVmEntry = builtins.filter (x: x.name == "comms-vm") config.ghaf.networking.hosts.entries; + serverIpAddr = lib.head (builtins.map (x: x.ip) getCommsVmEntry); + in + { + enable = lib.mkDefault false; + inherit externalNic; + inherit internalNic; + inherit serverIpAddr; + }; +} diff --git a/modules/reference/services/dendrite-pinecone/dendrite-pinecone.nix b/modules/reference/services/dendrite-pinecone/dendrite-pinecone.nix new file mode 100644 index 000000000..b925f5165 --- /dev/null +++ b/modules/reference/services/dendrite-pinecone/dendrite-pinecone.nix 
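Review bot: Both `externalNic` and `serverIpAddr` are built with `lib.head` on lists that can be empty — `config.ghaf.hardware.definition.network.pciDevices` on a board without a PCI wifi device, and the `builtins.filter (x: x.name == "comms-vm")` result when no such host entry exists — so the failure is a generic `head: empty list` evaluation error rather than one pointing at this module. Deriving them with a guard, e.g. `serverIpAddr = lib.optionalString (getCommsVmEntry != [ ]) (lib.head getCommsVmEntry).ip;`, lets the existing `serverIpAddr != ""` assertion in dendrite-pinecone.nix report the real cause. The `vmName = "net-vm"` and `internalIP = 1` literals, and the `"comms-vm"` name, duplicate values presumably owned by the netvm and hosts modules; a comment saying what they must stay in sync with would help.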
@@ -0,0 +1,159 @@ +# Copyright 2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + config, + lib, + pkgs, + ... +}: +let + cfg = config.ghaf.reference.services.dendrite-pinecone; + dendrite-pineconePkg = pkgs.callPackage ../../../../packages/dendrite-pinecone/default.nix { }; + inherit (lib) + mkEnableOption + mkOption + mkIf + types + ; +in +{ + options.ghaf.reference.services.dendrite-pinecone = { + enable = mkEnableOption "Enable dendrite pinecone module"; + + externalNic = mkOption { + type = types.str; + default = ""; + description = '' + External network interface + ''; + }; + internalNic = mkOption { + type = types.str; + default = ""; + description = '' + Internal network interface + ''; + }; + + serverIpAddr = mkOption { + type = types.str; + default = ""; + description = '' + Dendrite Server Ip address + ''; + }; + }; + + config = mkIf cfg.enable { + assertions = [ + { + assertion = cfg.externalNic != ""; + message = "External Nic must be set"; + } + { + assertion = cfg.internalNic != ""; + message = "Internal Nic must be set"; + } + { + assertion = cfg.serverIpAddr != ""; + message = "Dendrite Pinecone server ip must be set"; + } + ]; + + # ip forwarding functionality is needed for iptables + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; + + # https://github.com/troglobit/smcroute?tab=readme-ov-file#linux-requirements + boot.kernelPatches = [ + { + name = "multicast-routing-config"; + patch = null; + extraStructuredConfig = with lib.kernel; { + IP_MULTICAST = yes; + IP_MROUTE = yes; + IP_PIMSM_V1 = yes; + IP_PIMSM_V2 = yes; + IP_MROUTE_MULTIPLE_TABLES = yes; # For multiple routing tables + }; + } + ]; + environment.systemPackages = [ pkgs.smcroute ]; + systemd.services."smcroute" = { + description = "Static Multicast Routing daemon"; + bindsTo = [ "sys-subsystem-net-devices-${cfg.externalNic}.device" ]; + after = [ "sys-subsystem-net-devices-${cfg.externalNic}.device" ]; + preStart = '' + configContent=$(cat < $filePath 
+ chmod 400 $filePath + + # wait until ${cfg.externalNic} has an ip + while [ -z "$ip" ]; do + ip=$(${pkgs.nettools}/bin/ifconfig ${cfg.externalNic} | ${pkgs.gawk}/bin/awk '/inet / {print $2}') + [ -z "$ip" ] && ${pkgs.coreutils}/bin/sleep 1 + done + exit 0 + ''; + + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.smcroute}/sbin/smcrouted -n -s -f /etc/smcroute.conf"; + #TODO sudo setcap cap_net_admin=ep ${pkgs.smcroute}/sbin/smcroute + # TODO: Add proper AmbientCapabilities= or CapabilityBoundingSet=, + # preferably former and then change user to something else than + # root. + User = "root"; + # Automatically restart service when it exits. + Restart = "always"; + # Wait a second before restarting. + RestartSec = "5s"; + }; + wantedBy = [ "multi-user.target" ]; + }; + + networking = { + firewall.enable = true; + firewall.extraCommands = " + # Set the default policies + iptables -P INPUT DROP + iptables -P FORWARD DROP + iptables -P OUTPUT ACCEPT + + # Allow loopback traffic + iptables -A INPUT -i lo -j ACCEPT + + # TODO: Move all these TcpPort and things like that, to the options of + # this module, away from from package itself. 
+ + # Forward incoming TCP traffic on port ${dendrite-pineconePkg.TcpPort} to internal network(comms-vm) + iptables -t nat -A PREROUTING -i ${cfg.externalNic} -p tcp --dport ${dendrite-pineconePkg.TcpPort} -j DNAT --to-destination ${cfg.serverIpAddr}:${dendrite-pineconePkg.TcpPort} + + # Enable NAT for outgoing traffic + iptables -t nat -A POSTROUTING -o ${cfg.externalNic} -p tcp --dport ${dendrite-pineconePkg.TcpPort} -j MASQUERADE + + # Enable NAT for outgoing traffic + iptables -t nat -A POSTROUTING -o ${cfg.externalNic} -p tcp --sport ${dendrite-pineconePkg.TcpPort} -j MASQUERADE + + # Enable NAT for outgoing udp multicast traffic + iptables -t nat -A POSTROUTING -o ${cfg.externalNic} -p udp -d ${dendrite-pineconePkg.McastUdpIp} --dport ${dendrite-pineconePkg.McastUdpPort} -j MASQUERADE + + # https://github.com/troglobit/smcroute?tab=readme-ov-file#usage + iptables -t mangle -I PREROUTING -i ${cfg.externalNic} -d ${dendrite-pineconePkg.McastUdpIp} -j TTL --ttl-set 1 + # ttl value must be set to 1 for avoiding multicast looping + iptables -t mangle -I PREROUTING -i ${cfg.internalNic} -d ${dendrite-pineconePkg.McastUdpIp} -j TTL --ttl-inc 1 + + # Accept forwarding + iptables -A FORWARD -j ACCEPT + "; + }; + }; +} diff --git a/nix/checks.nix b/nix/checks.nix index 47b2c062a..69167d988 100644 --- a/nix/checks.nix +++ b/nix/checks.nix 
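Review bot: The trailing `iptables -A FORWARD -j ACCEPT` in `firewall.extraCommands` undoes the `iptables -P FORWARD DROP` set a few lines above it: with `net.ipv4.ip_forward = 1` also enabled in this hunk, the net-vm forwards any packet between `${cfg.externalNic}` and the internal interfaces, not only the DNAT'd dendrite port and the multicast group that smcroute handles. The rules below scope FORWARD to what the hunk already NATs (the DNAT target, the masqueraded outbound dendrite traffic, the multicast destination) plus established flows; the multicast rule assumes smcroute-forwarded packets traverse FORWARD, which should be confirmed on the target kernel. Setting `-P INPUT DROP` from `extraCommands` also sits beside the chains the NixOS firewall manages itself (`firewall.enable = true` already installs `nixos-fw`), so a comment on why global policies are overridden here would help the next reader. The `User = "root"` TODO on smcroute is acknowledged, but `preStart` writes `/etc/smcroute.conf` with `chmod 400` as root, so a move to `DynamicUser`/`AmbientCapabilities` must also change the file's owner.

```nix
# … unchanged: default policies, loopback, nat PREROUTING/POSTROUTING and mangle TTL rules …

# Forward only what this module NATs; everything else stays at the FORWARD DROP policy
iptables -A FORWARD -i ${cfg.externalNic} -d ${cfg.serverIpAddr} -p tcp --dport ${dendrite-pineconePkg.TcpPort} -j ACCEPT
iptables -A FORWARD -i ${cfg.internalNic} -o ${cfg.externalNic} -p tcp --dport ${dendrite-pineconePkg.TcpPort} -j ACCEPT
iptables -A FORWARD -i ${cfg.internalNic} -o ${cfg.externalNic} -p tcp --sport ${dendrite-pineconePkg.TcpPort} -j ACCEPT
iptables -A FORWARD -d ${dendrite-pineconePkg.McastUdpIp} -p udp --dport ${dendrite-pineconePkg.McastUdpPort} -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
```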
@@ -1,28 +1,29 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{lib, ...}: { - perSystem = { - pkgs, - self', - ... - }: { - checks = - { - reuse = - pkgs.runCommandLocal "reuse-lint" { - buildInputs = [pkgs.reuse]; - } '' - cd ${../.} - reuse lint - touch $out - ''; - module-test-hardened-generic-host-kernel = - pkgs.callPackage ../modules/common/hardware/x86_64-generic/kernel/host/test {inherit pkgs;}; - module-test-hardened-lenovo-x1-guest-guivm-kernel = - pkgs.callPackage ../modules/common/hardware/lenovo-x1/kernel/guest/test {inherit pkgs;}; - module-test-hardened-pkvm-kernel = - pkgs.callPackage ../modules/common/hardware/x86_64-generic/kernel/host/pkvm/test {inherit pkgs;}; - } - // (lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages); - }; +{ + perSystem = + { + pkgs, + self', + lib, + ... + }: + { + checks = { + reuse = pkgs.runCommandLocal "reuse-lint" { buildInputs = [ pkgs.reuse ]; } '' + cd ${../.} + reuse lint + touch $out + ''; + #module-test-hardened-generic-host-kernel = + # pkgs.callPackage ../modules/hardware/x86_64-generic/kernel/host/test + # { inherit pkgs; }; + #module-test-hardened-lenovo-x1-guest-guivm-kernel = + # pkgs.callPackage ../modules/hardware/lenovo-x1/kernel/guest/test + # { inherit pkgs; }; + #module-test-hardened-pkvm-kernel = + # pkgs.callPackage ../modules/hardware/x86_64-generic/kernel/host/pkvm/test + # { inherit pkgs; }; + } // (lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages); + }; } diff --git a/nix/devshell.nix b/nix/devshell.nix index c3fe4bb32..06f864584 100644 --- a/nix/devshell.nix +++ b/nix/devshell.nix 
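Review bot: The three `module-test-hardened-*` checks are commented out rather than removed or repointed, so `nix flake check` no longer exercises the hardened host and guest kernel configurations while the dead code suggests it still does; the rewritten paths (`../modules/hardware/...`) match the directory move elsewhere in this change, so presumably the test derivations themselves moved or broke. Either restore them with the corrected path or replace the block with a single `# TODO(<tracking-id>): hardened-kernel module tests disabled since the modules/ reorganisation` so the gap in CI coverage is tracked instead of silently carried.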
@@ -1,39 +1,47 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{inputs, ...}: { - imports = with inputs; [ - flake-root.flakeModule - ./devshell/kernel.nix - # TODO this import needs to be filtered to remove RISCV - # pre-commit-hooks-nix.flakeModule - ]; - perSystem = { - pkgs, - inputs', - self', - lib, - system, - ... - }: { - devShells.default = pkgs.mkShell { - name = "Ghaf devshell"; - #TODO look at adding Mission control etc here - packages = with pkgs; - [ - git - nix - nixci - nixos-rebuild - reuse - alejandra - mdbook - inputs'.nix-fast-build.packages.default - self'.packages.kernel-hardening-checker - ] - ++ lib.optional (pkgs.hostPlatform.system != "riscv64-linux") cachix; +{ + imports = [ ./devshell/kernel.nix ]; + perSystem = + { + config, + pkgs, + inputs', + lib, + ... + }: + { + devShells.default = pkgs.mkShell { + name = "Ghaf devshell"; + meta.description = "Ghaf development environment"; + #TODO look at adding Mission control etc here + inputsFrom = [ + config.treefmt.build.programs # See ./treefmt.nix + ]; + packages = + builtins.attrValues { + inherit (pkgs) + git + mdbook + nix + nixci + nixos-rebuild + nix-output-monitor + nix-tree + reuse + nix-eval-jobs + jq + ; + } + ++ [ inputs'.nix-fast-build.packages.default ] + ++ [ + (pkgs.callPackage ../packages/flash { }) + (pkgs.callPackage ../packages/make-checks { }) + ] + ++ lib.optional (pkgs.hostPlatform.system != "riscv64-linux") pkgs.cachix; - # TODO Add pre-commit.devShell (needs to exclude RiscV) - # https://flake.parts/options/pre-commit-hooks-nix + # TODO Add pre-commit.devShell (needs to exclude RiscV) + # https://flake.parts/options/pre-commit-hooks-nix + }; }; - }; } diff --git a/nix/devshell/kernel.nix b/nix/devshell/kernel.nix index 5cdc41249..111bc56c1 100644 --- a/nix/devshell/kernel.nix +++ b/nix/devshell/kernel.nix 
@@ -1,65 +1,68 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{inputs, ...}: { - perSystem = { - pkgs, - self', - system, - ... - }: let - mkKernelShell = { - platform, - arch ? "", - linux, - extraPackages ? [], - shellHook ? "", +{ inputs, ... }: +{ + perSystem = + { + pkgs, + self', + system, + ... }: - pkgs.mkShell { - name = "Kernel-${platform} devshell"; - packages = with pkgs; - [ - ncurses - pkg-config + let + mkKernelShell = + { + platform, + arch ? "", + linux, + extraPackages ? [ ], + shellHook ? "", + }: + pkgs.mkShell { + name = "Kernel-${platform} devshell"; + packages = [ + pkgs.ncurses + pkgs.pkg-config self'.packages.kernel-hardening-checker - ] - ++ extraPackages; + ] ++ extraPackages; - inputsFrom = [linux]; + inputsFrom = [ linux ]; - shellHook = '' - export src=${linux.src} - if [ -d "$src" ]; then - # Jetpack's kernel named "source-patched" or likewise, workaround it - linuxDir=$(stripHash ${linux.src}) - else - linuxDir="linux-${linux.version}" - fi - if [ ! -d "$linuxDir" ]; then - unpackPhase - patchPhase - fi - cd "$linuxDir" - # extra post-patching for NVidia - ${shellHook} + shellHook = '' + export src=${linux.src} + if [ -d "$src" ]; then + # Jetpack's kernel named "source-patched" or likewise, workaround it + linuxDir=$(stripHash ${linux.src}) + else + linuxDir="linux-${linux.version}" + fi + if [ ! 
-d "$linuxDir" ]; then + unpackPhase + patchPhase + fi + cd "$linuxDir" + # extra post-patching for NVidia + ${shellHook} - export PS1="[ghaf-kernel-${platform}-devshell:\w]$ " + export PS1="[ghaf-kernel-${platform}-devshell:\w]$ " + ''; + # use "eval $checkPhase" - see https://discourse.nixos.org/t/nix-develop-and-checkphase/25707 + checkPhase = "cp ../modules/hardware/${platform}/kernel/configs/ghaf_host_hardened_baseline-${arch} ./.config && make -j$(nproc)"; + }; + in + { + devShells.kernel-x86 = mkKernelShell { + platform = "x86_64-generic"; + arch = "x86"; + linux = pkgs.linux_latest; + }; + devShells.kernel-jetson-orin = mkKernelShell { + platform = "jetson-orin"; + linux = inputs.jetpack-nixos.legacyPackages.${system}.kernel; + extraPackages = [ pkgs.gawk ]; + shellHook = '' + patchShebangs scripts/ ''; - # use "eval $checkPhase" - see https://discourse.nixos.org/t/nix-develop-and-checkphase/25707 - checkPhase = "cp ../modules/common/hardware/${platform}/kernel/configs/ghaf_host_hardened_baseline-${arch} ./.config && make -j$(nproc)"; }; - in { - devShells.kernel-x86 = mkKernelShell { - platform = "x86_64-generic"; - arch = "x86"; - linux = pkgs.linux_latest; - }; - devShells.kernel-jetson-orin = mkKernelShell { - platform = "jetson-orin"; - linux = inputs.jetpack-nixos.legacyPackages.${system}.kernel; - extraPackages = [pkgs.gawk]; - shellHook = '' - patchShebangs scripts/ - ''; }; - }; } diff --git a/nix/nixpkgs.nix b/nix/nixpkgs.nix index e0e4f5392..fecabf1a0 100644 --- a/nix/nixpkgs.nix +++ b/nix/nixpkgs.nix 
@@ -1,19 +1,18 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 +{ lib, inputs, ... }: { - lib, - inputs, - ... -}: { - perSystem = {system, ...}: { - # customise pkgs - _module.args.pkgs = import inputs.nixpkgs { - inherit system inputs; - config = { - allowUnfree = true; + perSystem = + { system, ... }: + { + # customise pkgs + _module.args.pkgs = import inputs.nixpkgs { + inherit system inputs; + config = { + allowUnfree = true; + }; }; + # make custom top-level lib available to all `perSystem` functions + _module.args.lib = lib; }; - # make custom top-level lib available to all `perSystem` functions - _module.args.lib = lib; - }; } diff --git a/nix/treefmt.nix b/nix/treefmt.nix index c167a3b29..086b2cb3a 100644 --- a/nix/treefmt.nix +++ b/nix/treefmt.nix 
@@ -1,44 +1,75 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{inputs, ...}: { - imports = with inputs; [ - flake-root.flakeModule - treefmt-nix.flakeModule +{ inputs, ... }: +{ + imports = [ + inputs.flake-root.flakeModule + inputs.treefmt-nix.flakeModule + inputs.pre-commit-hooks-nix.flakeModule ]; - perSystem = { - config, - pkgs, - ... - }: { - treefmt.config = { - package = pkgs.treefmt; - inherit (config.flake-root) projectRootFile; + perSystem = + { config, pkgs, ... }: + { + treefmt.config = { + package = pkgs.treefmt; + inherit (config.flake-root) projectRootFile; - programs = { - # Nix - alejandra.enable = true; # nix formatter https://github.com/kamadorueda/alejandra - deadnix.enable = true; # removes dead nix code https://github.com/astro/deadnix - statix.enable = true; # prevents use of nix anti-patterns https://github.com/nerdypepper/statix + programs = { + # Nix + # nix standard formatter according to rfc 166 (https://github.com/NixOS/rfcs/pull/166) + nixfmt.enable = true; + nixfmt.package = pkgs.nixfmt-rfc-style; - # Python - # It was found out that the best outcome comes from running mulitple - # formatters. - black.enable = true; # The Classic Python formatter - isort.enable = true; # Python import sorter - # Ruff, a Python formatter written in Rust (30x faster than Black). - # Also provides additional linting. - # Do not enable ruff.format = true; because then it won't complaing - # about linting errors. The default mode is the check mode. - ruff.enable = true; + deadnix.enable = true; # removes dead nix code https://github.com/astro/deadnix + statix.enable = true; # prevents use of nix anti-patterns https://github.com/nerdypepper/statix - # Bash - shellcheck.enable = true; # lints shell scripts https://github.com/koalaman/shellcheck + # Python + # Ruff, a Python formatter and linter written in Rust (30x faster than Black). 
+ ruff.check = true; + ruff.format = true; + + # Bash + shellcheck.enable = true; # lints shell scripts https://github.com/koalaman/shellcheck + + yamlfmt.enable = true; # YAML formatter + }; + + settings.global.excludes = [ + "*.key" + "*.lock" + "*.config" + "*.dts" + "*.pfx" + "*.p12" + "*.crt" + "*.cer" + "*.csr" + "*.der" + "*.jks" + "*.keystore" + "*.pem" + "*.pkcs12" + "*.pfx" + "*.p12" + "*.pem" + "*.pkcs7" + "*.p7b" + "*.p7c" + "*.p7r" + "*.p7m" + "*.p7s" + "*.p8" + "*.png" + "*.svg" + "*.license" + "*.db" + "*.mp3" + "*.txt" + #TODO: fix the MD + "*.md" + ]; }; - # Automatically fix linting errors and formatting errors where possible - settings.formatter.ruff.options = ["check" "--fix"]; + formatter = config.treefmt.build.wrapper; }; - - formatter = config.treefmt.build.wrapper; - }; } diff --git a/overlays/README.md b/overlays/README.md index eaf9fa8e1..1bc6e4e69 100644 --- a/overlays/README.md +++ b/overlays/README.md @@ -26,3 +26,21 @@ previous (unmodified) package vs final (finalazed, adjusted) package. Use deps[X][Y] variations instead of juggling dependencies between nativeBuildInputs and buildInputs where possible. It makes things clear and robust. + +# Upstream PR and commit tracking + +Some patches are carried as overlays and others are patches that are cherry-picked +from staging and main into a tiiuae maintained version of nixpkgs +[tiiuae/nixpkgs/...](https://github.com/tiiuae/nixpkgs/tree/patched-unstable-proc-qemu) + +The status of the integration in nixpkgs can be tracked using the [Pull Request Tracker](https://nixpk.gs/pr-tracker.html) + +## From Overlays + +[gtklock: Guard against race condition](https://github.com/jovanlanik/gtklock/pull/95) + +[gtklock: Fix black screen SP-4849](https://github.com/jovanlanik/gtklock/commit/e0e7f6d5ae7667fcc3479b6732046c67275b2f2f) + + +## carried in tiiuae/nixpkgs/... +[texinfo: cross compile failure](https://github.com/NixOS/nixpkgs/pull/328919) 
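Review bot: `settings.global.excludes` lists `*.pfx`, `*.p12` and `*.pem` twice each; de-duplicating keeps the list readable and loses nothing. Excluding key and certificate extensions only stops formatters from touching such files — it does not stop them being committed — and the hunk adds `inputs.pre-commit-hooks-nix.flakeModule` to `imports` without declaring any hook, so if the intent is to catch committed key material a hook still has to be configured under `pre-commit.settings.hooks` (devshell.nix still carries the older TODO for that). The `# Python` comment now compares ruff to Black, but Black is no longer configured, so the comparison can go.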
diff --git a/overlays/cross-compilation/chromium/default.nix b/overlays/cross-compilation/chromium/default.nix deleted file mode 100644 index 39ac10ab7..000000000 --- a/overlays/cross-compilation/chromium/default.nix +++ /dev/null @@ -1,42 +0,0 @@ -# Copyright 2023-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -# -# Chromium & Electron cross-compilation fixes -# -{ - final, - prev, -}: let - inherit (builtins) map; - inherit (final.lib) pipe; - opusWithCustomModes = final.pkgsBuildBuild.libopus.override { - withCustomModes = true; - }; - opusWithCustomModes' = final.pkgsBuildTarget.libopus.override { - withCustomModes = true; - }; - replace = needle: replacement: haystack: - map (each: - if each == needle - then replacement - else each) - haystack; -in - prev.chromium.overrideAttrs (oa: { - passthru = - oa.passthru - // { - mkDerivation = fun: - oa.passthru.mkDerivation (finalAttrs: - { - depsBuildBuild = pipe finalAttrs.depsBuildBuild [ - (replace (final.libpng.override {apngSupport = false;}) (final.pkgsBuildBuild.libpng.override {apngSupport = false;})) - (replace final.zlib final.pkgsBuildBuild.zlib) - (replace opusWithCustomModes opusWithCustomModes') - ]; - buildInputs = replace opusWithCustomModes' opusWithCustomModes finalAttrs.buildInputs; - env = finalAttrs.env // {NIX_DEBUG = "1";}; - } - // fun finalAttrs); - }; - }) diff --git a/overlays/cross-compilation/default.nix b/overlays/cross-compilation/default.nix index a7ec98939..d22e75137 100644 --- a/overlays/cross-compilation/default.nix +++ b/overlays/cross-compilation/default.nix 
@@ -3,14 +3,4 @@ # # This overlay is for specific fixes needed only to enable cross-compilation. # -(final: prev: { - chromium = import ./chromium {inherit prev final;}; - edk2 = import ./edk2 {inherit final prev;}; - element-desktop = import ./element-desktop {inherit prev;}; - jbig2dec = import ./jbig2dec {inherit prev;}; - pipewire = import ./pipewire {inherit prev;}; - - # libck is dependency of sysbench - libck = import ./libck {inherit prev;}; - sysbench = import ./sysbench {inherit final prev;}; -}) +(_final: prev: { papirus-icon-theme = import ./papirus-icon-theme { inherit prev; }; }) diff --git a/overlays/cross-compilation/edk2/default.nix b/overlays/cross-compilation/edk2/default.nix deleted file mode 100644 index 4a9d88a38..000000000 --- a/overlays/cross-compilation/edk2/default.nix +++ /dev/null @@ -1,39 +0,0 @@ -# Copyright 2023-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -# -# edk2 & OVMF cross-compilation fixes -# -{ - final, - prev, -}: -prev.edk2.overrideAttrs (oa: { - # Fix cross-compilation issue, use build cc/c++ for building antlr and dlg - postPatch = - (oa.postPatch or "") - + '' - substituteInPlace BaseTools/Source/C/VfrCompile/GNUmakefile \ - --replace '$(MAKE) -C Pccts/antlr' '$(MAKE) -C Pccts/antlr CC=cc CXX=c++' \ - --replace '$(MAKE) -C Pccts/dlg' '$(MAKE) -C Pccts/dlg CC=cc CXX=c++' - ''; - passthru = { - mkDerivation = dsc: fun: - oa.passthru.mkDerivation dsc (finalAttrs: - { - prePatch = '' - echo "prePatch hooked!" - rm -rf BaseTools - ln -sv ${final.buildPackages.edk2}/BaseTools BaseTools - ''; - - configurePhase = '' - echo "configurePhase hooked" - runHook preConfigure - export WORKSPACE="$PWD" - . ${final.buildPackages.edk2}/edksetup.sh BaseTools - runHook postConfigure - ''; - } - // fun finalAttrs); - }; -}) diff --git a/overlays/cross-compilation/element-desktop/default.nix b/overlays/cross-compilation/element-desktop/default.nix deleted file mode 100644 index ed37e040d..000000000 
--- a/overlays/cross-compilation/element-desktop/default.nix +++ /dev/null @@ -1,22 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -# -# This overlay is for specific fixes needed only to enable cross-compilation. -# -# Overlay for element-desktop based on https://github.com/NixOS/nixpkgs/pull/241710 -{prev}: -(prev.element-desktop.override { - # Disable keytar, it breaks cross-build. Saving passwords would be not available. - useKeytar = false; -}) -.overrideAttrs (oldED: { - seshat = oldED.seshat.overrideAttrs (oldSeshat: { - buildPhase = - builtins.replaceStrings - # Add extra cargo options required for cross-compilation - ["build --release"] - ["build --release -- --target ${prev.rust.toRustTargetSpec prev.stdenv.hostPlatform} -Z unstable-options --out-dir target/release"] - # Replace target 'fixup_yarn_lock' with build one - (builtins.replaceStrings ["${prev.fixup_yarn_lock}"] ["${prev.buildPackages.fixup_yarn_lock}"] oldSeshat.buildPhase); - }); -}) diff --git a/overlays/cross-compilation/jbig2dec/default.nix b/overlays/cross-compilation/jbig2dec/default.nix deleted file mode 100644 index caf0d014c..000000000 --- a/overlays/cross-compilation/jbig2dec/default.nix +++ /dev/null @@ -1,7 +0,0 @@ -# Copyright 2023-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -{prev}: -prev.jbig2dec.overrideAttrs (_oa: { - configureScript = "./autogen.sh"; - preConfigure = ""; -}) diff --git a/overlays/cross-compilation/libck/default.nix b/overlays/cross-compilation/libck/default.nix deleted file mode 100644 index 0114e378b..000000000 --- a/overlays/cross-compilation/libck/default.nix +++ /dev/null 
@@ -1,16 +0,0 @@
-# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# libck cross-compilation fixes
-#
-{prev}:
-prev.libck.overrideAttrs (_old: {
- postPatch = ''
- substituteInPlace \
- configure \
- --replace \
- 'COMPILER=`./.1 2> /dev/null`' \
- "COMPILER=gcc"
- '';
- configureFlags = ["--platform=${prev.stdenv.hostPlatform.parsed.cpu.name}}"];
-})
diff --git a/overlays/cross-compilation/papirus-icon-theme/default.nix b/overlays/cross-compilation/papirus-icon-theme/default.nix
new file mode 100644
index 000000000..a749efb0d
--- /dev/null
+++ b/overlays/cross-compilation/papirus-icon-theme/default.nix
@@ -0,0 +1,9 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# papirus-icon-theme cross-compilation fixes (removing qt dependency)
+#
+{ prev }:
+prev.papirus-icon-theme.overrideAttrs (old: {
+ propagatedBuildInputs = prev.lib.lists.remove prev.breeze-icons old.propagatedBuildInputs;
+})
diff --git a/overlays/cross-compilation/pipewire/default.nix b/overlays/cross-compilation/pipewire/default.nix
deleted file mode 100644
index f80093261..000000000
--- a/overlays/cross-compilation/pipewire/default.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-# Copyright 2023-2024 TII (SSRC) and the Ghaf contributors
-# SPDX-License-Identifier: Apache-2.0
-{prev}:
-# It defaulted to
-# { ...
-# , x11Support ? true
-# , ffadoSupport ? x11Support && stdenv.buildPlatform.canExecute stdenv.hostPlatform
-# }
-# It should evaluate to `false` in case of cross-compilation, but it doesn't happens for unknown reasons.
-prev.pipewire.override {ffadoSupport = false;}
diff --git a/overlays/cross-compilation/sysbench/default.nix b/overlays/cross-compilation/sysbench/default.nix
deleted file mode 100644
index 39ed5606d..000000000
--- a/overlays/cross-compilation/sysbench/default.nix
+++ /dev/null
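Review bot: `old.propagatedBuildInputs` on the new side of the papirus-icon-theme hunk is read without a default, so a future nixpkgs bump that drops or renames that attribute turns this overlay into an evaluation error rather than a no-op; `prev.lib.lists.remove prev.breeze-icons (old.propagatedBuildInputs or [ ])` keeps it evaluating. `lib.lists.remove` is itself silent when `breeze-icons` is not in the list, which is acceptable but worth stating, since the header comment says "removing qt dependency" while the code removes `breeze-icons` specifically; `# breeze-icons pulls in Qt, which does not cross-compile here` would tie the two together.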
@@ -1,19 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -# -# Sysbench cross-compilation fixes -# -{ - final, - prev, -}: -prev.sysbench.overrideAttrs (old: { - configureFlags = [ - "--with-system-luajit" - "--with-system-ck" - "--with-mysql-includes=${prev.lib.getDev final.libmysqlclient}/include/mysql" - "--with-mysql-libs=${final.libmysqlclient}/lib/mysql" - ]; - buildInputs = old.buildInputs ++ [final.libck]; - depsBuildBuild = [final.pkg-config]; -}) diff --git a/overlays/custom-packages/default.nix b/overlays/custom-packages/default.nix index 2d4f39484..82ef7845d 100644 --- a/overlays/custom-packages/default.nix +++ b/overlays/custom-packages/default.nix 
@@ -5,18 +5,18 @@ # packages. # (final: prev: { - gala-app = final.callPackage ../../packages/gala {}; - systemd = import ./systemd {inherit final prev;}; - waypipe = import ./waypipe {inherit final prev;}; - weston = import ./weston {inherit final prev;}; - wifi-connector = final.callPackage ../../packages/wifi-connector {}; - wifi-connector-nmcli = final.callPackage ../../packages/wifi-connector {useNmcli = true;}; - qemu_kvm = import ./qemu {inherit final prev;}; - nm-launcher = final.callPackage ../../packages/nm-launcher {}; - labwc = import ./labwc {inherit prev;}; - tpm2-pkcs11 = import ./tpm2-pkcs11 {inherit prev;}; - waybar = import ./waybar {inherit prev;}; - # launcher overlays - networkmanagerapplet = import ./networkmanagerapplet {inherit prev;}; - htop = import ./htop {inherit prev;}; + gala-app = final.callPackage ../../packages/gala { }; + element-desktop = import ./element-desktop { inherit prev; }; + element-gps = final.callPackage ../../packages/element-gps { }; + element-web = final.callPackage ../../packages/element-web { }; + waypipe = import ./waypipe { inherit final prev; }; + qemu_kvm = import ./qemu { inherit final prev; }; + nm-launcher = final.callPackage ../../packages/nm-launcher { }; + icon-pack = final.callPackage ../../packages/icon-pack { }; + labwc = import ./labwc { inherit prev; }; + tpm2-pkcs11 = import ./tpm2-pkcs11 { inherit prev; }; + waybar = import ./waybar { inherit prev; }; + mitmweb-ui = final.callPackage ../../packages/mitmweb-ui { }; + gtklock = import ./gtklock { inherit prev; }; + hardware-scan = final.callPackage ../../packages/hardware-scan { }; }) diff --git a/overlays/custom-packages/element-desktop/default.nix b/overlays/custom-packages/element-desktop/default.nix new file mode 100644 index 000000000..874543fd2 --- /dev/null +++ b/overlays/custom-packages/element-desktop/default.nix 
@@ -0,0 +1,9 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# This overlay customizes element-desktop
+#
+{ prev }:
+prev.element-desktop.overrideAttrs (_prevAttrs: {
+ patches = [ ./element-main.patch ];
+})
diff --git a/overlays/custom-packages/element-desktop/element-main.patch b/overlays/custom-packages/element-desktop/element-main.patch
new file mode 100644
index 000000000..22b9fa6da
--- /dev/null
+++ b/overlays/custom-packages/element-desktop/element-main.patch
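Review bot: `patches = [ ./element-main.patch ];` replaces whatever `patches` list nixpkgs' element-desktop already carries instead of extending it, so any upstream fix shipped as a patch is silently dropped by this overlay; `prev.element-desktop.overrideAttrs (prevAttrs: { patches = (prevAttrs.patches or [ ]) ++ [ ./element-main.patch ]; })` keeps them. The gtklock overlay later in this diff (`prev.gtklock.overrideAttrs { patches = [ ... ]; }`) and the reformatted labwc one have the same shape and the same exposure. A one-line comment on what the patch changes (the patch body removes the tray / minimize-to-tray behaviour) would also spare the next reader from opening a 91-line patch to find out.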
@@ -0,0 +1,91 @@ +diff --git a/src/electron-main.ts b/src/electron-main.ts +index b5d13ac..ffffb76 100644 +--- a/src/electron-main.ts ++++ b/src/electron-main.ts +@@ -458,11 +458,10 @@ + // https://www.electronjs.org/docs/faq#the-font-looks-blurry-what-is-this-and-what-can-i-do + backgroundColor: "#fff", + +- titleBarStyle: process.platform === "darwin" ? "hidden" : "default", + trafficLightPosition: { x: 9, y: 8 }, + + icon: global.trayConfig.icon_path, +- show: false, ++ show: true, + autoHideMenuBar: global.store.get("autoHideMenuBar", true), + + x: mainWindowState.x, +@@ -477,67 +476,35 @@ + webgl: true, + }, + }); +- void global.mainWindow.loadURL("vector://vector/webapp/"); +- +- if (process.platform === "darwin") { +- setupMacosTitleBar(global.mainWindow); +- } + + // Handle spellchecker + // For some reason spellCheckerEnabled isn't persisted, so we have to use the store here + global.mainWindow.webContents.session.setSpellCheckerEnabled(global.store.get("spellCheckerEnabled", true)); + +- // Create trayIcon icon +- if (global.store.get("minimizeToTray", true)) tray.create(global.trayConfig); +- +- global.mainWindow.once("ready-to-show", () => { ++ global.mainWindow.webContents.once('did-finish-load',function(){ + if (!global.mainWindow) return; + mainWindowState.manage(global.mainWindow); + + if (!argv["hidden"]) { + global.mainWindow.show(); ++ global.mainWindow.restore(); ++ global.mainWindow.focus(); + } else { + // hide here explicitly because window manage above sometimes shows it + global.mainWindow.hide(); + } + }); + +- global.mainWindow.webContents.on("before-input-event", warnBeforeExit); ++ global.mainWindow.loadURL("vector://vector/webapp/"); + + global.mainWindow.on("closed", () => { + global.mainWindow = null; + }); + global.mainWindow.on("close", async (e) => { +- // If we are not quitting and have a tray icon then minimize to tray +- if (!global.appQuitting && (tray.hasTray() || process.platform === "darwin")) { +- // On Mac, closing the 
window just hides it +- // (this is generally how single-window Mac apps +- // behave, eg. Mail.app) +- e.preventDefault(); +- +- if (global.mainWindow?.isFullScreen()) { +- global.mainWindow.once("leave-full-screen", () => global.mainWindow?.hide()); +- +- global.mainWindow.setFullScreen(false); +- } else { +- global.mainWindow?.hide(); +- } +- +- return false; +- } ++ // Close event handler ++ // Default behaviour is minimize to tray, that feature is removed since there is no tray support on Ghaf + }); + +- if (process.platform === "win32") { +- // Handle forward/backward mouse buttons in Windows +- global.mainWindow.on("app-command", (e, cmd) => { +- if (cmd === "browser-backward" && global.mainWindow?.webContents.canGoBack()) { +- global.mainWindow.webContents.goBack(); +- } else if (cmd === "browser-forward" && global.mainWindow?.webContents.canGoForward()) { +- global.mainWindow.webContents.goForward(); +- } +- }); +- } +- + webContentsHandler(global.mainWindow.webContents); + + global.appLocalization = new AppLocalization({ diff --git a/overlays/custom-packages/element-gps/default.nix b/overlays/custom-packages/element-gps/default.nix new file mode 100644 index 000000000..94c81581e --- /dev/null +++ b/overlays/custom-packages/element-gps/default.nix @@ -0,0 +1,3 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +(final: _prev: { element-gps = final.callPackage ../../../packages/element-gps { }; }) diff --git a/overlays/custom-packages/element-web/default.nix b/overlays/custom-packages/element-web/default.nix new file mode 100644 index 000000000..fcfef04ca --- /dev/null +++ b/overlays/custom-packages/element-web/default.nix @@ -0,0 +1,3 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +(final: _prev: { element-web = final.callPackage ../../../packages/element-web { }; }) 
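Review bot: The new side drops the `void` in front of `global.mainWindow.loadURL("vector://vector/webapp/")`, so the promise it returns is now unhandled and a load failure surfaces as an unhandled rejection instead of being deliberately discarded as the original did; `void global.mainWindow.loadURL("vector://vector/webapp/");` restores that. The `close` handler is kept as `async (e) => { ... }` with only two comment lines in its body and an unused `e`, so it should either be removed or reduced to a non-async no-op with the comment explaining why the tray path was dropped. The replacement listener `webContents.once('did-finish-load',function(){` mixes single quotes and a `function` expression into a file that otherwise uses double quotes and arrow functions. The enclosing function starts and ends outside the hunk.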
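Review bot: The new `overlays/custom-packages/element-gps/default.nix` (and the `element-web` file right after it) defines a standalone overlay function, `(final: _prev: { element-gps = final.callPackage ../../../packages/element-gps { }; })`, but the custom-packages `default.nix` hunk earlier in this diff already registers both packages directly via `final.callPackage ../../packages/element-gps { }` and never `import`s these directories, so the two files appear to be unreferenced. Either drop them, or follow the sibling pattern (`element-desktop = import ./element-desktop { inherit prev; };`) and have each file return the derivation that default.nix imports. If they are meant to be consumed elsewhere, a comment naming the consumer would save the next reader the search.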
diff --git a/overlays/custom-packages/gtklock/auth-guard-against-race-condition-with-messages.patch b/overlays/custom-packages/gtklock/auth-guard-against-race-condition-with-messages.patch
new file mode 100644
index 000000000..9d7b3e38f
--- /dev/null
+++ b/overlays/custom-packages/gtklock/auth-guard-against-race-condition-with-messages.patch
@@ -0,0 +1,36 @@
+From d22127f0fd61bbeba8c12378b3c5b46cc3064d63 Mon Sep 17 00:00:00 2001
+From: Zephyr Lykos
+Date: Sat, 22 Jun 2024 18:48:54 +0800
+Subject: [PATCH] auth: guard against race condition with messages
+
+---
+ src/auth.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/auth.c b/src/auth.c
+index a3a99b3..a5eb33d 100644
+--- a/src/auth.c
++++ b/src/auth.c
+@@ -148,15 +148,15 @@ enum pwcheck auth_pw_check(const char *s) {
+ size_t len;
+ ssize_t nread;
+ nread = read(err_pipe[PIPE_PARENT], &len, sizeof(size_t));
+- if(nread > 0) {
+- error_string = malloc(len+1);
++ if(nread > 0 && len <= PAM_MAX_MSG_SIZE) {
++ error_string = malloc(PAM_MAX_MSG_SIZE);
+ nread = read(err_pipe[PIPE_PARENT], error_string, len);
+ error_string[nread] = '\0';
+ return PW_ERROR;
+ }
+ nread = read(out_pipe[PIPE_PARENT], &len, sizeof(size_t));
+- if(nread > 0) {
+- message_string = malloc(len+1);
++ if(nread > 0 && len <= PAM_MAX_MSG_SIZE) {
++ message_string = malloc(PAM_MAX_MSG_SIZE);
+ nread = read(out_pipe[PIPE_PARENT], message_string, len);
+ message_string[nread] = '\0';
+ return PW_MESSAGE;
+--
+2.40.1
+
diff --git a/overlays/custom-packages/gtklock/default.nix b/overlays/custom-packages/gtklock/default.nix
new file mode 100644
index 000000000..aec6e2d05
--- /dev/null
+++ b/overlays/custom-packages/gtklock/default.nix
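Review bot: The carried upstream commit still leaves an off-by-one on its new side: with `len == PAM_MAX_MSG_SIZE` the second `read()` may return `nread == PAM_MAX_MSG_SIZE`, and `error_string[nread] = '\0'` then writes one byte past the `malloc(PAM_MAX_MSG_SIZE)` allocation (the `message_string` branch is identical). A failing second read also leaves `nread == -1`, so the terminator lands at index -1, and neither `malloc` result is checked for NULL; since this is the PAM-message path of a screen locker, it is worth carrying a small follow-up patch rather than waiting for the next release. `error_string = malloc(PAM_MAX_MSG_SIZE + 1);` (or keeping `len + 1` now that `len` is bounded) plus `if (nread < 0) nread = 0;` before the terminator closes both holes, with the same two lines for `message_string`. `auth_pw_check` continues outside the hunk.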
@@ -0,0 +1,15 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# This overlay will apply gtklock patches which are merged in master branch
+# https://github.com/jovanlanik/gtklock/commit/d22127f0fd61bbeba8c12378b3c5b46cc3064d63
+# https://github.com/jovanlanik/gtklock/commit/e0e7f6d5ae7667fcc3479b6732046c67275b2f2f
+# TODO: Remove patches, once there new release for gtlk-lock
+#
+{ prev }:
+prev.gtklock.overrideAttrs {
+ patches = [
+ ./auth-guard-against-race-condition-with-messages.patch
+ ./update.patch
+ ];
+}
diff --git a/overlays/custom-packages/gtklock/update.patch b/overlays/custom-packages/gtklock/update.patch
new file mode 100644
index 000000000..8dace56f6
--- /dev/null
+++ b/overlays/custom-packages/gtklock/update.patch
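Review bot: The TODO on the new side, `# TODO: Remove patches, once there new release for gtlk-lock`, misnames the package and drops a word; `# TODO: drop these patches once a gtklock release containing both commits above is available` says the same thing and ties the reminder to the two commit URLs listed just above it. Naming the first release that contains them, once known, would let the next nixpkgs bump check it mechanically.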
@@ -0,0 +1,116 @@ +From e0e7f6d5ae7667fcc3479b6732046c67275b2f2f Mon Sep 17 00:00:00 2001 +From: Jovan Lanik +Date: Tue, 16 Jul 2024 15:30:18 +0200 +Subject: [PATCH] update + +--- + include/window.h | 2 ++ + res/gtklock.ui | 20 +++++++++++++++++++- + src/window.c | 27 ++++++++++++++++++--------- + 3 files changed, 39 insertions(+), 10 deletions(-) + +diff --git a/include/window.h b/include/window.h +index 75b8372..77ba2c3 100644 +--- a/include/window.h ++++ b/include/window.h +@@ -17,6 +17,8 @@ struct Window { + GtkWidget *body_grid; + GtkWidget *input_label; + GtkWidget *input_field; ++ GtkWidget *message_revealer; ++ GtkWidget *message_scrolled_window; + GtkWidget *message_box; + GtkWidget *unlock_button; + GtkWidget *error_label; +diff --git a/res/gtklock.ui b/res/gtklock.ui +index 150a4d2..3aab413 100644 +--- a/res/gtklock.ui ++++ b/res/gtklock.ui +@@ -57,8 +57,26 @@ + + + +- ++ ++ none + 1 ++ ++ ++ never ++ 256 ++ 1 ++ ++ ++ ++ ++ vertical ++ 1 ++ ++ ++ ++ ++ ++ + + + 1 +diff --git a/src/window.c b/src/window.c +index a1a268b..d73eab0 100644 +--- a/src/window.c ++++ b/src/window.c +@@ -86,27 +86,34 @@ static GtkInfoBar *window_new_message(struct Window *ctx, char *msg) { + return GTK_INFO_BAR(bar); + } + ++static void destroy_callback(GtkWidget* widget, gpointer _data) { ++ gtk_widget_destroy(widget); ++} ++ + static void window_setup_messages(struct Window *ctx) { +- if(ctx->message_box != NULL) { +- gtk_widget_destroy(ctx->message_box); +- ctx->message_box = NULL; +- } +- ctx->message_box = gtk_box_new(GTK_ORIENTATION_VERTICAL, 0); +- gtk_widget_set_no_show_all(ctx->message_box, TRUE); +- gtk_grid_attach(GTK_GRID(ctx->body_grid), ctx->message_box, 1, 1, 2, 1); ++ gtk_container_foreach(GTK_CONTAINER(ctx->message_box), destroy_callback, NULL); ++ gtk_revealer_set_reveal_child(GTK_REVEALER(ctx->message_revealer), FALSE); ++ gtk_widget_hide(ctx->message_revealer); + + for(guint idx = 0; idx < gtklock->errors->len; idx++) { + char *err = 
g_array_index(gtklock->errors, char *, idx); + GtkInfoBar *bar = window_new_message(ctx, err); + gtk_info_bar_set_message_type(bar, GTK_MESSAGE_WARNING); +- gtk_widget_show(ctx->message_box); ++ ++ gtk_revealer_set_reveal_child(GTK_REVEALER(ctx->message_revealer), TRUE); ++ gtk_widget_show(ctx->message_revealer); ++ gtk_widget_show_all(ctx->message_scrolled_window); + } + for(guint idx = 0; idx < gtklock->messages->len; idx++) { + char *msg = g_array_index(gtklock->messages, char *, idx); + GtkInfoBar *bar = window_new_message(ctx, msg); + gtk_info_bar_set_message_type(bar, GTK_MESSAGE_INFO); +- gtk_widget_show(ctx->message_box); ++ ++ gtk_revealer_set_reveal_child(GTK_REVEALER(ctx->message_revealer), TRUE); ++ gtk_widget_show(ctx->message_revealer); ++ gtk_widget_show_all(ctx->message_scrolled_window); + } ++ + } + + static void window_set_busy(struct Window *ctx, gboolean busy) { +@@ -342,6 +349,8 @@ struct Window *create_window(GdkMonitor *monitor) { + w->input_field = GTK_WIDGET(gtk_builder_get_object(builder, "input-field")); + g_signal_connect(w->input_field, "button-press-event", G_CALLBACK(entry_button_press), NULL); + ++ w->message_revealer = GTK_WIDGET(gtk_builder_get_object(builder, "message-revealer")); ++ w->message_scrolled_window = GTK_WIDGET(gtk_builder_get_object(builder, "message-scrolled-window")); + w->message_box = GTK_WIDGET(gtk_builder_get_object(builder, "message-box")); + w->unlock_button = GTK_WIDGET(gtk_builder_get_object(builder, "unlock-button")); + w->error_label = GTK_WIDGET(gtk_builder_get_object(builder, "error-label")); +-- +2.40.1 + diff --git a/overlays/custom-packages/htop/default.nix b/overlays/custom-packages/htop/default.nix deleted file mode 100644 index 7fc7a7ed3..000000000 --- a/overlays/custom-packages/htop/default.nix +++ /dev/null 
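Review bot: In the new `window_setup_messages` body the trio `gtk_revealer_set_reveal_child(GTK_REVEALER(ctx->message_revealer), TRUE)`, `gtk_widget_show(ctx->message_revealer)` and `gtk_widget_show_all(ctx->message_scrolled_window)` is repeated inside both loops, so it runs once per error and once per message; hoisting it after the loops behind `if (gtklock->errors->len > 0 || gtklock->messages->len > 0)` does the same work once, and the stray empty line before that function's closing brace is new on this side too. The `res/gtklock.ui` part of this hunk shows bare values (`none`, `never`, `256`, `vertical`) with the surrounding element markup missing in this rendering, so it is worth confirming that the vendored `update.patch` file is intact and applies cleanly. Since the header identifies this as upstream commit e0e7f6d5…, the loop cleanup belongs upstream rather than in the carried copy.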
@@ -1,11 +0,0 @@ -# Copyright 2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -# -# This overlay hides the desktop entry for htop -# -{prev}: -prev.htop.overrideAttrs { - postInstall = '' - echo "Hidden=true" >> $out/share/applications/htop.desktop - ''; -} diff --git a/overlays/custom-packages/labwc/default.nix b/overlays/custom-packages/labwc/default.nix index 51931b4f1..f67d47ad4 100644 --- a/overlays/custom-packages/labwc/default.nix +++ b/overlays/custom-packages/labwc/default.nix @@ -3,7 +3,4 @@ # # This overlay customizes labwc - see comments for details # -{prev}: -prev.labwc.overrideAttrs { - patches = [./labwc-colored-borders.patch]; -} +{ prev }: prev.labwc.overrideAttrs { patches = [ ./labwc-colored-borders.patch ]; } diff --git a/overlays/custom-packages/labwc/labwc-colored-borders.patch b/overlays/custom-packages/labwc/labwc-colored-borders.patch index 2fce4f393..833e4e719 100644 --- a/overlays/custom-packages/labwc/labwc-colored-borders.patch +++ b/overlays/custom-packages/labwc/labwc-colored-borders.patch 
@@ -1,49 +1,72 @@ -diff --git a/.gitignore b/.gitignore -new file mode 100644 -index 0000000..02f1769 ---- /dev/null -+++ b/.gitignore -@@ -0,0 +1,2 @@ -+result -+.vscode +From a89bc92a032d6c4fc50d711de92b068a0ed0a636 Mon Sep 17 00:00:00 2001 +From: Humaid Alqasimi +Date: Thu, 2 May 2024 10:02:56 +0400 +Subject: [PATCH] Add colored borders + +This allows to change the frame color of choosen app by using window +rules. As an example foot terminal has aqua colored frame. + +The patch approach was choosen cause there is no better solution +(which should revise the theme handling) ready. + +The discussion about better soultion will be held here: +labwc/labwc#1092. + +Co-authored-by: dmitry-erin +Signed-off-by: Humaid Alqasimi +--- + include/ssd-internal.h | 5 +++-- + include/theme.h | 10 ++++++++++ + include/window-rules.h | 17 +++++++++++++++++ + src/config/rcxml.c | 12 ++++++++++++ + src/ssd/ssd-border.c | 21 ++++++++++++++++----- + src/ssd/ssd-part.c | 2 +- + src/ssd/ssd-titlebar.c | 30 ++++++++++++++++++++++++++---- + src/ssd/ssd.c | 9 ++++++--- + src/theme.c | 34 ++++++++++++++++++++++++++++++++-- + src/window-rules.c | 25 +++++++++++++++++++++++++ + 10 files changed, 148 insertions(+), 17 deletions(-) + diff --git a/include/ssd-internal.h b/include/ssd-internal.h -index 9fe0ebf..6dfc2d4 100644 +index fda196e..b0e0cac 100644 --- a/include/ssd-internal.h 
+++ b/include/ssd-internal.h -@@ -118,8 +118,8 @@ struct ssd_part *add_scene_button( - struct wlr_buffer *icon_buffer, int x, struct view *view); +@@ -136,8 +136,9 @@ void add_toggled_icon(struct ssd_button *button, struct wl_list *part_list, struct ssd_part *add_scene_button_corner( struct wl_list *part_list, enum ssd_part_type type, -- enum ssd_part_type corner_type, struct wlr_scene_tree *parent, + enum ssd_part_type corner_type, struct wlr_scene_tree *parent, - struct wlr_buffer *corner_buffer, struct wlr_buffer *icon_buffer, -+ enum ssd_part_type corner_type, struct wlr_scene_tree *parent, -+ float *bg_color, struct wlr_buffer *corner_buffer, struct wlr_buffer *icon_buffer, - int x, struct view *view); +- struct wlr_buffer *hover_buffer, int x, struct view *view); ++ float *bg_color, struct wlr_buffer *corner_buffer, ++ struct wlr_buffer *icon_buffer, struct wlr_buffer *hover_buffer, ++ int x, struct view *view); /* SSD internal helpers */ + struct ssd_part *ssd_get_part( diff --git a/include/theme.h b/include/theme.h -index 47ef3b9..e0e5da4 100644 +index 50a69f6..7a0f976 100644 --- a/include/theme.h +++ b/include/theme.h -@@ -110,4 +110,13 @@ void theme_init(struct theme *theme, const char *theme_name); +@@ -162,4 +162,14 @@ void theme_init(struct theme *theme, struct server *server, const char *theme_na */ void theme_finish(struct theme *theme); +/** + * theme_customize_with_border_color - fill in the given theme color fields by custom color + * @theme: theme data ++ * @server: server + * @color: pointer to color array + */ -+void theme_customize_with_border_color(struct theme *theme, float *color); ++void theme_customize_with_border_color(struct theme *theme,struct server *server, float *color); + +void parse_hexstr(const char *hex, float *rgba); + #endif /* LABWC_THEME_H */ diff --git a/include/window-rules.h b/include/window-rules.h -index fae1daf..ff8163e 100644 +index b93bc36..066cc7f 100644 --- a/include/window-rules.h 
+++ b/include/window-rules.h -@@ -18,6 +18,7 @@ enum property { +@@ -21,6 +21,7 @@ enum property { * - 'app_id' for native Wayland windows * - 'WM_CLASS' for XWayland clients */ @@ -51,8 +74,8 @@ index fae1daf..ff8163e 100644 struct window_rule { char *identifier; char *title; -@@ -32,11 +33,27 @@ struct window_rule { - enum property ignore_focus_request; +@@ -40,11 +41,27 @@ struct window_rule { + enum property fixed_position; struct wl_list link; /* struct rcxml.window_rules */ + @@ -80,26 +103,26 @@ index fae1daf..ff8163e 100644 + #endif /* LABWC_WINDOW_RULES_H */ diff --git a/src/config/rcxml.c b/src/config/rcxml.c -index c8da660..57e40f0 100644 +index 84c117b..daab831 100644 --- a/src/config/rcxml.c +++ b/src/config/rcxml.c -@@ -29,6 +29,7 @@ - #include "regions.h" +@@ -35,6 +35,7 @@ + #include "view.h" #include "window-rules.h" #include "workspaces.h" +#include "theme.h" static bool in_regions; static bool in_usable_area_override; -@@ -112,6 +113,7 @@ fill_window_rule(char *nodename, char *content) - { +@@ -167,6 +168,7 @@ fill_window_rule(char *nodename, char *content) if (!strcasecmp(nodename, "windowRule.windowRules")) { current_window_rule = znew(*current_window_rule); + current_window_rule->window_type = -1; // Window types are >= 0 + init_window_rule(current_window_rule); wl_list_append(&rc.window_rules, ¤t_window_rule->link); wl_list_init(¤t_window_rule->actions); return; -@@ -127,6 +129,8 @@ fill_window_rule(char *nodename, char *content) +@@ -182,6 +184,8 @@ fill_window_rule(char *nodename, char *content) } else if (!strcmp(nodename, "identifier")) { free(current_window_rule->identifier); current_window_rule->identifier = xstrdup(content); 
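Review bot: The new declaration in include/theme.h, `void theme_customize_with_border_color(struct theme *theme,struct server *server, float *color);`, is missing the space after the first comma, and the matching definition in src/theme.c (a later hunk) breaks `struct server` / `*server` across lines mid-declarator; both read better as `void theme_customize_with_border_color(struct theme *theme, struct server *server, float *color);`. The doc comment documents the new parameter only as `@server: server`; saying what it is used for, e.g. `@server: server whose theme paths are consulted` if that is the intent, would make the contract clearer. The rewritten commit message in the patch header also carries the typos "choosen" and "soultion".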
@@ -108,45 +131,25 @@ index c8da660..57e40f0 100644 } else if (!strcmp(nodename, "title")) { free(current_window_rule->title); current_window_rule->title = xstrdup(content); -@@ -153,6 +157,14 @@ fill_window_rule(char *nodename, char *content) - } else if (!strcasecmp(nodename, "ignoreFocusRequest")) { - set_property(content, ¤t_window_rule->ignore_focus_request); +@@ -220,6 +224,14 @@ fill_window_rule(char *nodename, char *content) + } else if (!strcasecmp(nodename, "fixedPosition")) { + set_property(content, ¤t_window_rule->fixed_position); + /* Custom border properties: color */ + } else if (!strcasecmp(nodename, "borderColor")) { + parse_hexstr(content, current_window_rule->custom_border_color); + current_window_rule->has_custom_border = true; + wlr_log(WLR_DEBUG, "Custom borderColor was found in config: %s, parsed into: %f, %f, %f, %f\n", -+ content, current_window_rule->custom_border_color[0], current_window_rule->custom_border_color[1], ++ content, current_window_rule->custom_border_color[0], current_window_rule->custom_border_color[1], + current_window_rule->custom_border_color[2], current_window_rule->custom_border_color[3]); + /* Actions */ } else if (!strcmp(nodename, "name.action")) { current_window_rule_action = action_create(content); -diff --git a/src/ssd/ssd.c b/src/ssd/ssd.c -index ef821b8..8fe1479 100644 ---- a/src/ssd/ssd.c -+++ b/src/ssd/ssd.c -@@ -333,9 +333,12 @@ ssd_enable_keybind_inhibit_indicator(struct ssd *ssd, bool enable) - return; - } - -- float *color = enable -- ? rc.theme->window_toggled_keybinds_color -- : rc.theme->window_active_border_color; -+ float customColor[4]; -+ bool isCustomColorAvailable = window_rules_get_custom_border_color(ssd->view, customColor); -+ -+ float *color = isCustomColorAvailable ? customColor : -+ (enable ? 
rc.theme->window_toggled_keybinds_color -+ : rc.theme->window_active_border_color); - - struct ssd_part *part = ssd_get_part(&ssd->border.active.parts, LAB_SSD_PART_TOP); - struct wlr_scene_rect *rect = lab_wlr_scene_get_rect(part->node); -diff --git a/src/ssd/ssd_border.c b/src/ssd/ssd_border.c -index 6512ab8..9c042c6 100644 ---- a/src/ssd/ssd_border.c -+++ b/src/ssd/ssd_border.c +diff --git a/src/ssd/ssd-border.c b/src/ssd/ssd-border.c +index 06ce55c..6e2fc06 100644 +--- a/src/ssd/ssd-border.c ++++ b/src/ssd/ssd-border.c @@ -6,6 +6,7 @@ #include "ssd-internal.h" #include "theme.h" 
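Review bot: The new `wlr_log(WLR_DEBUG, "Custom borderColor was found in config: %s, parsed into: %f, %f, %f, %f\n", …)` in `fill_window_rule` ends its format string with `\n`; the wlroots logger already terminates each message with a newline, so this emits a blank line after every match, and dropping the `\n` is enough. The line also sets `current_window_rule->has_custom_border = true` and logs unconditionally after `parse_hexstr(content, …)`, which (per the theme.c hunk) rejects input that does not start with `#` or is shorter than 7 characters but is `void` and cannot report that, so a malformed `borderColor` still enables the custom border with whatever the colour array held; consider having `parse_hexstr` return a bool and gating both the flag and the log on it. `fill_window_rule` starts and ends outside the hunk.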
@@ -183,40 +186,24 @@ index 6512ab8..9c042c6 100644 wl_list_init(&subtree->parts); add_scene_rect(&subtree->parts, LAB_SSD_PART_LEFT, parent, theme->border_width, height, 0, 0, color); -diff --git a/src/ssd/ssd_part.c b/src/ssd/ssd_part.c -index 4c72d29..9399435 100644 ---- a/src/ssd/ssd_part.c -+++ b/src/ssd/ssd_part.c -@@ -80,12 +80,11 @@ add_scene_buffer(struct wl_list *list, enum ssd_part_type type, +diff --git a/src/ssd/ssd-part.c b/src/ssd/ssd-part.c +index 3933cd1..8889c9e 100644 +--- a/src/ssd/ssd-part.c ++++ b/src/ssd/ssd-part.c +@@ -80,7 +80,7 @@ add_scene_buffer(struct wl_list *list, enum ssd_part_type type, struct ssd_part * add_scene_button_corner(struct wl_list *part_list, enum ssd_part_type type, - enum ssd_part_type corner_type, struct wlr_scene_tree *parent, + enum ssd_part_type corner_type, struct wlr_scene_tree *parent, float *bg_color, struct wlr_buffer *corner_buffer, struct wlr_buffer *icon_buffer, - int x, struct view *view) + struct wlr_buffer *hover_buffer, int x, struct view *view) { - int offset_x; -- float invisible[4] = { 0, 0, 0, 0 }; - - if (corner_type == LAB_SSD_PART_CORNER_TOP_LEFT) { - offset_x = rc.theme->border_width; -@@ -107,8 +106,8 @@ add_scene_button_corner(struct wl_list *part_list, enum ssd_part_type type, - add_scene_buffer(part_list, corner_type, parent, corner_buffer, - -offset_x, -rc.theme->border_width); - -- /* Finally just put a usual theme button on top, using an invisible hitbox */ -- add_scene_button(part_list, type, parent, invisible, icon_buffer, 0, view); -+ /* Finally just put a usual theme button on top, using an invisible/custom colored hitbox */ -+ add_scene_button(part_list, type, parent, bg_color, icon_buffer, 0, view); - return button_root; - } - -diff --git a/src/ssd/ssd_titlebar.c b/src/ssd/ssd_titlebar.c -index b0aaa2d..837bb4b 100644 ---- a/src/ssd/ssd_titlebar.c -+++ b/src/ssd/ssd_titlebar.c -@@ -24,6 +24,15 @@ ssd_titlebar_create(struct ssd *ssd) +diff --git a/src/ssd/ssd-titlebar.c 
b/src/ssd/ssd-titlebar.c +index 32d6131..d183e52 100644 +--- a/src/ssd/ssd-titlebar.c ++++ b/src/ssd/ssd-titlebar.c +@@ -26,6 +26,15 @@ ssd_titlebar_create(struct ssd *ssd) { struct view *view = ssd->view; struct theme *theme = view->server->theme; 
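Review bot: On this side the carried patch still widens `add_scene_button_corner` with a `float *bg_color` parameter (in both ssd-internal.h and ssd-part.c) but drops the earlier hunk that forwarded it to `add_scene_button` in place of the `invisible` hitbox colour, presumably because the upstream body changed under the rebase. If the current upstream body does not consume `bg_color`, the parameter is dead, the custom colour never reaches the two corner buttons, and `-Wunused-parameter` builds will warn; worth confirming against the rebased ssd-part.c and either restoring the forwarding line or dropping the parameter. `add_scene_button_corner`'s body continues outside the hunk.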
@@ -225,51 +212,51 @@ index b0aaa2d..837bb4b 100644 + struct theme custom_theme = { 0 }; + float customColor[4]; + if (window_rules_get_custom_border_color(view, customColor)) { -+ theme_customize_with_border_color(&custom_theme, customColor); ++ theme_customize_with_border_color(&custom_theme, view->server, customColor); + theme = &custom_theme; + } + int width = view->current.width; float *color; -@@ -43,6 +52,7 @@ ssd_titlebar_create(struct ssd *ssd) +@@ -52,6 +61,7 @@ ssd_titlebar_create(struct ssd *ssd) subtree->tree = wlr_scene_tree_create(ssd->titlebar.tree); parent = subtree->tree; wlr_scene_node_set_position(&parent->node, 0, -theme->title_height); -+ ++ if (subtree == &ssd->titlebar.active) { color = theme->window_active_title_bg_color; corner_top_left = &theme->corner_top_left_active_normal->base; -@@ -62,6 +72,7 @@ ssd_titlebar_create(struct ssd *ssd) - close_button_unpressed = &theme->button_close_inactive_unpressed->base; +@@ -86,6 +96,7 @@ ssd_titlebar_create(struct ssd *ssd) + wlr_scene_node_set_enabled(&parent->node, false); } + wl_list_init(&subtree->parts); /* Title */ -@@ -71,7 +82,7 @@ ssd_titlebar_create(struct ssd *ssd) +@@ -95,7 +106,7 @@ ssd_titlebar_create(struct ssd *ssd) /* Buttons */ add_scene_button_corner(&subtree->parts, LAB_SSD_BUTTON_WINDOW_MENU, LAB_SSD_PART_CORNER_TOP_LEFT, parent, -- corner_top_left, menu_button_unpressed, 0, view); -+ color, corner_top_left, menu_button_unpressed, 0, view); +- corner_top_left, menu_button_unpressed, menu_button_hover, 0, view); ++ color, corner_top_left, menu_button_unpressed, menu_button_hover, 0, view); add_scene_button(&subtree->parts, LAB_SSD_BUTTON_ICONIFY, parent, - color, iconify_button_unpressed, + color, iconify_button_unpressed, iconify_button_hover, width - SSD_BUTTON_WIDTH * 3, view); -@@ -80,7 +91,7 @@ ssd_titlebar_create(struct ssd *ssd) - width - SSD_BUTTON_WIDTH * 2, view); +@@ -111,7 +122,7 @@ ssd_titlebar_create(struct ssd *ssd) + add_scene_button_corner(&subtree->parts, 
LAB_SSD_BUTTON_CLOSE, LAB_SSD_PART_CORNER_TOP_RIGHT, parent, -- corner_top_right, close_button_unpressed, -+ color, corner_top_right, close_button_unpressed, +- corner_top_right, close_button_unpressed, close_button_hover, ++ color, corner_top_right, close_button_unpressed, close_button_hover, width - SSD_BUTTON_WIDTH * 1, view); } FOR_EACH_END -@@ -111,10 +122,13 @@ set_squared_corners(struct ssd *ssd, bool enable) +@@ -149,10 +160,13 @@ set_squared_corners(struct ssd *ssd, bool enable) /* Toggle background between invisible and titlebar background color */ - struct wlr_scene_rect *rect = lab_wlr_scene_get_rect(button->background); + struct wlr_scene_rect *rect = wlr_scene_rect_from_node(button->background); - wlr_scene_rect_set_color(rect, !enable ? (float[4]) {0, 0, 0, 0} : ( + /*Check for custom color as well*/ + float customColor[4]; 
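Review bot: `ssd_titlebar_create` now points `theme` at a zero-initialised stack `custom_theme` filled by `theme_customize_with_border_color(&custom_theme, view->server, customColor)`; the visible part of that helper (theme.c hunk) runs `theme_builtin` and `theme_read` and copies the colour arrays but never creates the corner or button buffers, so unless its cut-off remainder does, `corner_top_left = &theme->corner_top_left_active_normal->base` on this hunk goes through a NULL pointer for every window with a `borderColor` rule. Whatever the helper does allocate is also never released, since no `theme_finish(&custom_theme)` runs before the function returns. A safer shape is `struct theme custom_theme = *view->server->theme;` followed by overwriting only the four colour fields, which shares the already-loaded buffers and needs no disk access. The function's body continues outside the hunk.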
@@ -282,11 +269,46 @@ index b0aaa2d..837bb4b 100644 /* Toggle rounded corner image itself */ struct wlr_scene_node *rounded_corner = +@@ -348,6 +362,14 @@ ssd_update_title(struct ssd *ssd) + } + + struct theme *theme = view->server->theme; ++ ++ /* Here the whole theme changing is more preferable */ ++ struct theme custom_theme = { 0 }; ++ float customColor[4]; ++ if (window_rules_get_custom_border_color(view, customColor)) { ++ theme_customize_with_border_color(&custom_theme, view->server, customColor); ++ theme = &custom_theme; ++ } + struct ssd_state_title *state = &ssd->state.title; + bool title_unchanged = state->text && !strcmp(title, state->text); + +diff --git a/src/ssd/ssd.c b/src/ssd/ssd.c +index 70b1b0d..9dcc797 100644 +--- a/src/ssd/ssd.c ++++ b/src/ssd/ssd.c +@@ -411,9 +411,12 @@ ssd_enable_keybind_inhibit_indicator(struct ssd *ssd, bool enable) + return; + } + +- float *color = enable +- ? rc.theme->window_toggled_keybinds_color +- : rc.theme->window_active_border_color; ++ float customColor[4]; ++ bool isCustomColorAvailable = window_rules_get_custom_border_color(ssd->view, customColor); ++ ++ float *color = isCustomColorAvailable ? customColor : ++ (enable ? rc.theme->window_toggled_keybinds_color ++ : rc.theme->window_active_border_color); + + struct ssd_part *part = ssd_get_part(&ssd->border.active.parts, LAB_SSD_PART_TOP); + struct wlr_scene_rect *rect = wlr_scene_rect_from_node(part->node); diff --git a/src/theme.c b/src/theme.c -index 37dc803..d46e619 100644 +index 248a352..6f47bba 100644 --- a/src/theme.c +++ b/src/theme.c -@@ -168,7 +168,7 @@ hex_to_dec(char c) +@@ -401,7 +401,7 @@ hex_to_dec(char c) * @hex: hex string to be parsed * @rgba: pointer to float[4] for return value */ 
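Review bot: In `ssd_enable_keybind_inhibit_indicator` the new ternary lets a custom border color win over `enable`, so a window with a custom color shows the same border whether or not its keybinds are inhibited — the indicator this function exists to toggle disappears for exactly those windows. If the custom color is a per-window identity rather than a replacement for the inhibit signal, keep `enable` as the outer decision: `float *color = enable ? rc.theme->window_toggled_keybinds_color : (isCustomColorAvailable ? customColor : rc.theme->window_active_border_color);`. Separately, the `ssd_update_title` change rebuilds a complete theme on every title change (two themerc reads plus corner and button allocation, per `theme_customize_with_border_color` later in this patch) into a stack local that is never passed to `theme_finish`, which is both slow and a leak per update. Both enclosing functions continue outside the hunk.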
@@ -295,44 +317,41 @@ index 37dc803..d46e619 100644 parse_hexstr(const char *hex, float *rgba) { if (!hex || hex[0] != '#' || strlen(hex) < 7) { -@@ -211,7 +211,7 @@ parse_justification(const char *str) +@@ -470,7 +470,7 @@ parse_justification(const char *str) static void - theme_builtin(struct theme *theme) + theme_builtin(struct theme *theme, struct server *server) { - theme->border_width = 1; + theme->border_width = 5; theme->padding_height = 3; + theme->title_height = INT_MIN; theme->menu_overlap_x = 0; - theme->menu_overlap_y = 0; -@@ -807,7 +807,7 @@ theme_init(struct theme *theme, const char *theme_name) - theme_builtin(theme); - - /* Read /share/themes/$theme_name/openbox-3/themerc */ -- theme_read(theme, theme_name); -+ theme_read(theme, rc.theme_name); - - /* Read /labwc/themerc-override */ - theme_read_override(theme); -@@ -829,3 +829,27 @@ theme_finish(struct theme *theme) - theme->corner_top_right_active_normal = NULL; - theme->corner_top_right_inactive_normal = NULL; +@@ -1433,3 +1433,33 @@ theme_finish(struct theme *theme) + zdrop(&theme->shadow_corner_bottom_inactive); + zdrop(&theme->shadow_edge_inactive); } + -+void theme_customize_with_border_color(struct theme *theme, float *color) ++void theme_customize_with_border_color(struct theme *theme, struct server ++ *server, float *color) +{ -+ theme_builtin(theme); ++ theme_builtin(theme, server); + + /* Read /share/themes/$theme_name/openbox-3/themerc */ -+ theme_read(theme, rc.theme_name); ++ struct wl_list paths; ++ paths_theme_create(&paths, rc.theme_name, "themerc"); ++ theme_read(theme, &paths); ++ paths_destroy(&paths); + + /* Read /labwc/themerc-override */ -+ theme_read_override(theme); -+ ++ paths_config_create(&paths, "themerc-override"); ++ theme_read(theme, &paths); ++ paths_destroy(&paths); ++ + memcpy(theme->window_active_border_color, color, sizeof(float)*4); + memcpy(theme->window_inactive_border_color, color, sizeof(float)*4); + memcpy(theme->window_active_title_bg_color, color, 
sizeof(float)*4); + memcpy(theme->window_inactive_title_bg_color, color, sizeof(float)*4); -+ ++ + memcpy(theme->osd_bg_color, color, sizeof(float)*4); + memcpy(theme->osd_border_color, color, sizeof(float)*4); + memcpy(theme->window_toggled_keybinds_color, color, sizeof(float)*4); @@ -341,13 +360,12 @@ index 37dc803..d46e619 100644 + create_corners(theme); + load_buttons(theme); +} -\ No newline at end of file diff --git a/src/window-rules.c b/src/window-rules.c -index 2607199..7fc8d34 100644 +index f543f7e..5ea5d53 100644 --- a/src/window-rules.c +++ b/src/window-rules.c -@@ -74,6 +74,14 @@ view_matches_criteria(struct window_rule *rule, struct view *view) - } +@@ -43,6 +43,14 @@ view_matches_criteria(struct window_rule *rule, struct view *view) + return view_matches_query(view, &query); } +void @@ -361,7 +379,7 @@ index 2607199..7fc8d34 100644 void window_rules_apply(struct view *view, enum window_rule_event event) { -@@ -132,3 +140,20 @@ window_rules_get_property(struct view *view, const char *property) +@@ -109,3 +117,20 @@ window_rules_get_property(struct view *view, const char *property) } return LAB_PROP_UNSPECIFIED; } @@ -382,3 +400,6 @@ index 2607199..7fc8d34 100644 + + return false; +} +-- +2.44.1 + diff --git a/overlays/custom-packages/mitmweb-ui/default.nix b/overlays/custom-packages/mitmweb-ui/default.nix new file mode 100644 index 000000000..a0994ce8f --- /dev/null +++ b/overlays/custom-packages/mitmweb-ui/default.nix @@ -0,0 +1,3 @@ +# Copyright 2022-2023 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +(final: _prev: { mitmweb-ui = final.callPackage ../../../packages/mitmweb-ui { }; }) diff --git a/overlays/custom-packages/networkmanagerapplet/default.nix b/overlays/custom-packages/networkmanagerapplet/default.nix deleted file mode 100644 index fb840b72b..000000000 --- a/overlays/custom-packages/networkmanagerapplet/default.nix +++ /dev/null 
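Review bot: `theme_customize_with_border_color` has no cleanup counterpart: it runs `theme_builtin`, two `theme_read` passes from disk and then `create_corners`/`load_buttons`, which allocate the buffers `theme_finish` (just above in context) is responsible for dropping, yet both callers in this patch hand it a stack-local `struct theme` and never call `theme_finish`. Every call therefore re-reads themerc and themerc-override and leaks the allocated corner and button buffers. Suggest a header comment that states the ownership contract — `/* Build a full theme from rc.theme_name with every border, title and OSD color replaced by color. The result owns buffers and must be released with theme_finish(). */` — and having callers cache the result per view or per color instead of rebuilding it on each titlebar create or title update. `paths` is reused for `paths_config_create` right after `paths_destroy`; that looks fine only if the create call re-initialises the list, which is outside this hunk.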
@@ -1,11 +0,0 @@
-# Copyright 2024 TII (SSRC) and the Ghaf contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# This overlay hides the desktop entry for network settings
-#
-{prev}:
-prev.networkmanagerapplet.overrideAttrs {
- postInstall = ''
- echo "Hidden=true" >> $out/share/applications/nm-connection-editor.desktop
- '';
-}
diff --git a/overlays/custom-packages/qemu/default.nix b/overlays/custom-packages/qemu/default.nix
index 43492a877..ec0008eda 100644
--- a/overlays/custom-packages/qemu/default.nix
+++ b/overlays/custom-packages/qemu/default.nix
@@ -1,19 +1,17 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
- final,
- prev,
-}: let
+{ final, prev }:
+let
 qemu_version = prev.qemu_kvm.version;
 qemu_major = final.lib.versions.major qemu_version;
 qemu_minor = final.lib.versions.minor qemu_version;
 in
- prev.qemu_kvm.overrideAttrs (
- _final: prev:
- (final.lib.optionalAttrs (qemu_major == "8" && qemu_minor == "0") {
- patches = prev.patches ++ [./acpi-devices-passthrough-qemu-8.0.patch];
- })
- // (final.lib.optionalAttrs (qemu_major == "8" && qemu_minor == "1") {
- patches = prev.patches ++ [./acpi-devices-passthrough-qemu-8.1.patch];
- })
- )
+prev.qemu_kvm.overrideAttrs (
+ _final: prev:
+ (final.lib.optionalAttrs (qemu_major == "8" && qemu_minor == "0") {
+ patches = prev.patches ++ [ ./acpi-devices-passthrough-qemu-8.0.patch ];
+ })
+ // (final.lib.optionalAttrs (final.lib.versionAtLeast qemu_version "8.1") {
+ patches = prev.patches ++ [ ./acpi-devices-passthrough-qemu-8.1.patch ];
+ })
+)
diff --git a/overlays/custom-packages/systemd/default.nix b/overlays/custom-packages/systemd/default.nix
deleted file mode 100644
index 846879293..000000000
--- a/overlays/custom-packages/systemd/default.nix
+++ /dev/null
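Review bot: `final.lib.versionAtLeast qemu_version "8.1"` turns the 8.1 ACPI device passthrough patch into an open-ended range, so every future nixpkgs QEMU bump (8.2, 9.x) receives a patch written against 8.1 sources: if the context no longer applies the build fails, but if it applies with drift the result is a mis-patched hypervisor that nothing flags. Prefer bounding the range until the patch has been checked against a newer release, e.g. `(final.lib.versionAtLeast qemu_version "8.1" && final.lib.versionOlder qemu_version "9.0")`, and add a comment stating which QEMU versions the patch was validated with.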
@@ -1,27 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -{ - final, - prev, -}: let - # The patch has been added nixpkgs upstream, don't override attributes if - # the patch is already present. - # - # https://github.com/NixOS/nixpkgs/pull/239201 - shouldOverride = !(final.lib.lists.any (p: final.lib.strings.hasSuffix "timesyncd-disable-NSCD-when-DNSSEC-validation-is-dis.patch" (toString p)) prev.systemd.patches); -in - prev.systemd.overrideAttrs (prevAttrs: - final.lib.optionalAttrs shouldOverride { - patches = prevAttrs.patches ++ [./systemd-timesyncd-disable-nscd.patch]; - postPatch = - prevAttrs.postPatch - + '' - substituteInPlace units/systemd-timesyncd.service.in \ - --replace \ - "Environment=SYSTEMD_NSS_RESOLVE_VALIDATE=0" \ - "${final.lib.concatStringsSep "\n" [ - "Environment=LD_LIBRARY_PATH=$out/lib" - "Environment=SYSTEMD_NSS_RESOLVE_VALIDATE=0" - ]}" - ''; - }) diff --git a/overlays/custom-packages/systemd/systemd-timesyncd-disable-nscd.patch b/overlays/custom-packages/systemd/systemd-timesyncd-disable-nscd.patch deleted file mode 100644 index 3b22174f8..000000000 --- a/overlays/custom-packages/systemd/systemd-timesyncd-disable-nscd.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From bb150a178bebb88ce3bfe8c726c75d495423b4a2 Mon Sep 17 00:00:00 2001 -From: Yuri Nesterov -Date: Wed, 21 Jun 2023 17:17:38 +0300 -Subject: [PATCH] timesyncd: disable NSCD when DNSSEC validation is disabled - -Systemd-timesyncd sets SYSTEMD_NSS_RESOLVE_VALIDATE=0 in the unit file -to disable DNSSEC validation but it doesn't work when NSCD is used in -the system. This patch disabes NSCD in systemd-timesyncd when -SYSTEMD_NSS_RESOLVE_VALIDATE is set to 0 so that it uses NSS libraries -directly. ---- - src/timesync/timesyncd.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/src/timesync/timesyncd.c b/src/timesync/timesyncd.c -index 1d8ebecc91..2b0ae361ff 100644 ---- a/src/timesync/timesyncd.c -+++ b/src/timesync/timesyncd.c -@@ -21,6 +21,11 @@ - #include "timesyncd-conf.h" - #include "timesyncd-manager.h" - #include "user-util.h" -+#include "env-util.h" -+ -+struct traced_file; -+extern void __nss_disable_nscd(void (*)(size_t, struct traced_file *)); -+static void register_traced_file(size_t dbidx, struct traced_file *finfo) {} - - static int advance_tstamp(int fd, const struct stat *st) { - assert_se(fd >= 0); -@@ -198,6 +203,12 @@ static int run(int argc, char *argv[]) { - if (r < 0) - return log_error_errno(r, "Failed to parse fallback server strings: %m"); - -+ r = getenv_bool_secure("SYSTEMD_NSS_RESOLVE_VALIDATE"); -+ if (r == 0) { -+ log_info("Disabling NSCD because DNSSEC validation is turned off"); -+ __nss_disable_nscd(register_traced_file); -+ } -+ - log_debug("systemd-timesyncd running as pid " PID_FMT, getpid_cached()); - - notify_message = notify_start("READY=1\n" --- -2.34.1 - diff --git a/overlays/custom-packages/tpm2-pkcs11/default.nix b/overlays/custom-packages/tpm2-pkcs11/default.nix index af36ef686..003024b1d 100644 --- a/overlays/custom-packages/tpm2-pkcs11/default.nix +++ b/overlays/custom-packages/tpm2-pkcs11/default.nix 
@@ -3,7 +3,7 @@
 #
 # This overlay customizes tpm2-pkcs11 - see comments for details
 #
-{prev}:
+{ prev }:
 prev.tpm2-pkcs11.overrideAttrs (_prevAttrs: {
- configureFlags = ["--with-fapi=no --enable-fapi=no"];
+ configureFlags = [ "--with-fapi=no --enable-fapi=no" ];
 })
diff --git a/overlays/custom-packages/waybar/default.nix b/overlays/custom-packages/waybar/default.nix
index f303a54f4..d4445aded 100644
--- a/overlays/custom-packages/waybar/default.nix
+++ b/overlays/custom-packages/waybar/default.nix
@@ -3,11 +3,11 @@
 #
 # This overlay customizes waybar
 #
-{prev}: (
- prev.waybar.override {
- hyprlandSupport = false;
- swaySupport = false;
- jackSupport = false;
- cavaSupport = false;
- }
-)
+{ prev }:
+(prev.waybar.override {
+ hyprlandSupport = false;
+ swaySupport = false;
+ jackSupport = false;
+ cavaSupport = false;
+ pulseSupport = false;
+})
diff --git a/overlays/custom-packages/waypipe/default.nix b/overlays/custom-packages/waypipe/default.nix
index 526cd3eed..1fec6db3f 100644
--- a/overlays/custom-packages/waypipe/default.nix
+++ b/overlays/custom-packages/waypipe/default.nix
@@ -1,17 +1,8 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{
- final,
- prev,
-}:
+{ prev, ... }:
 # Waypipe with vsock and window borders
 prev.waypipe.overrideAttrs (_prevAttrs: {
- src = final.pkgs.fetchFromGitLab {
- domain = "gitlab.freedesktop.org";
- owner = "mstoeckl";
- repo = "waypipe";
- rev = "ca4809435e781dfc6bd3006fde605860c8dcf179";
- sha256 = "sha256-tSLPlf7fVq8vwbr7fHotqM/sBSXYMDM1V5yth5bhi38=";
- };
- patches = [./waypipe-window-borders.patch];
+ # Upstream pull request: https://gitlab.freedesktop.org/mstoeckl/waypipe/-/merge_requests/21
+ patches = [ ./waypipe-window-borders.patch ];
 })
diff --git a/overlays/custom-packages/waypipe/waypipe-window-borders.patch b/overlays/custom-packages/waypipe/waypipe-window-borders.patch
index c2968a309..31d781dc2 100644
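Review bot: Dropping the pinned `src` in the waypipe overlay means `waypipe-window-borders.patch` now applies to whatever waypipe revision nixpkgs ships, and nothing ties the patch to a version — the new comment only points at the still-open upstream merge request. Until that MR lands, guard the override so a nixpkgs bump cannot quietly apply a stale patch: either `assert prev.waypipe.version == "<version the patch was rebased on>";` at the top, or apply the patch under `prev.lib.optionalAttrs` for that version the way the qemu overlay in this same change does. The comment should also record the upstream commit the patch was regenerated against so the next rebase has a known base.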
--- a/overlays/custom-packages/waypipe/waypipe-window-borders.patch +++ b/overlays/custom-packages/waypipe/waypipe-window-borders.patch @@ -1,34 +1,63 @@ -From 134f22a39a360ebf9cd9f118766edb7df925b732 Mon Sep 17 00:00:00 2001 +From b993dca0e0919cf16c207026605f0fe5a61f479f Mon Sep 17 00:00:00 2001 From: Yuri Nesterov -Date: Tue, 10 Oct 2023 14:57:03 +0300 +Date: Fri, 24 May 2024 11:15:41 +0200 Subject: [PATCH] Add support for coloured window borders +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +This is usefor to visually distinguish between different windows when +using waypipe. The border is drawn around the window and can be +configured with a hex color and a border size in pixels. + +Signed-off-by: Jörg Thalheim --- - protocols/function_list.txt | 3 + - src/handlers.c | 112 ++++++++++++++++++++++++++++++++++++ + protocols/function_list.txt | 4 ++ + src/handlers.c | 121 ++++++++++++++++++++++++++++++++++++ src/main.h | 3 + src/parsing.h | 4 ++ - src/util.c | 14 ++++- + src/util.c | 12 ++++ src/util.h | 6 ++ - src/waypipe.c | 68 +++++++++++++++++++++- - 7 files changed, 207 insertions(+), 3 deletions(-) + src/waypipe.c | 70 ++++++++++++++++++++- + waypipe.scd | 5 ++ + 8 files changed, 223 insertions(+), 2 deletions(-) diff --git a/protocols/function_list.txt b/protocols/function_list.txt -index 300408d..eb2d8b5 100644 +index 4acaec5..4750263 100644 --- a/protocols/function_list.txt 
+++ b/protocols/function_list.txt -@@ -49,3 +49,6 @@ zwp_linux_dmabuf_v1_req_get_default_feedback - zwp_linux_dmabuf_v1_req_get_surface_feedback - zwp_primary_selection_offer_v1_req_receive - zwp_primary_selection_source_v1_evt_send -+xdg_wm_base_req_get_xdg_surface -+xdg_surface_req_set_window_geometry +@@ -16,6 +16,7 @@ wl_registry_req_bind + wl_shm_req_create_pool + wl_shm_pool_req_create_buffer + wl_shm_pool_req_resize ++wl_surface_evt_preferred_buffer_scale + wl_surface_req_attach + wl_surface_req_commit + wl_surface_req_damage +@@ -25,7 +26,10 @@ wl_surface_req_set_buffer_scale + wp_presentation_evt_clock_id + wp_presentation_feedback_evt_presented + wp_presentation_req_feedback +xdg_surface_req_get_toplevel ++xdg_surface_req_set_window_geometry + xdg_toplevel_req_set_title ++xdg_wm_base_req_get_xdg_surface + zwlr_data_control_offer_v1_req_receive + zwlr_data_control_source_v1_evt_send + zwlr_export_dmabuf_frame_v1_evt_frame diff --git a/src/handlers.c b/src/handlers.c -index db08ee5..fd4650e 100644 +index c82f4e0..50ff7a3 100644 --- a/src/handlers.c +++ b/src/handlers.c -@@ -345,6 +345,13 @@ struct wp_object *create_wp_object(uint32_t id, const struct wp_interface *type) +@@ -98,6 +98,7 @@ struct obj_wl_surface { + uint32_t attached_buffer_id; /* protocol object id */ + int32_t scale; + int32_t transform; ++ int32_t preferred_buffer_scale; + }; + + struct obj_wlr_screencopy_frame { +@@ -357,6 +358,13 @@ struct wp_object *create_wp_object(uint32_t id, const struct wp_interface *type) } else if (type == &intf_wl_surface) { ((struct obj_wl_surface *)new_obj)->scale = 1; } @@ -42,7 +71,7 @@ index db08ee5..fd4650e 100644 return new_obj; } -@@ -730,6 +737,87 @@ static void rotate_damage_lists(struct obj_wl_surface *surface) +@@ -743,6 +751,88 @@ static void rotate_damage_lists(struct obj_wl_surface *surface) (SURFACE_DAMAGE_BACKLOG - 1) * sizeof(uint64_t)); surface->attached_buffer_uids[0] = 0; } 
@@ -108,16 +137,17 @@ index db08ee5..fd4650e 100644 + + if ((buf->shm_format != WL_SHM_FORMAT_ARGB8888) && (buf->shm_format != WL_SHM_FORMAT_XRGB8888)) { + wp_debug("Unable to draw the border, SHM format %d is not supported", buf->shm_format); -+ } -+ else { ++ } else { + if (ctx->obj->xdg_surface_id) { + struct wp_object *xdg_surface = tracker_get(ctx->tracker, ctx->obj->xdg_surface_id); + if (xdg_surface && xdg_surface->is_window) { -+ int32_t x1 = xdg_surface->window_x; -+ int32_t y1 = xdg_surface->window_y; -+ int32_t x2 = min(buf->shm_width, xdg_surface->window_x + xdg_surface->window_width); -+ int32_t y2 = min(buf->shm_height, xdg_surface->window_y + xdg_surface->window_height); ++ int32_t scale = surface->preferred_buffer_scale > 0 ? surface->preferred_buffer_scale : 1; ++ int32_t x1 = xdg_surface->window_x * scale; ++ int32_t y1 = xdg_surface->window_y * scale; ++ int32_t x2 = min(buf->shm_width, (xdg_surface->window_x + xdg_surface->window_width) * scale); ++ int32_t y2 = min(buf->shm_height, (xdg_surface->window_y + xdg_surface->window_height) * scale); + int32_t border_size = min(min(ctx->g->config->border_size, x2 - x1), y2 - y1); ++ + draw_rect(buf, x1, y1, x2, y1 + border_size, &ctx->g->config->border_color); // top + draw_rect(buf, x1, y1 + border_size, x1 + border_size, y2, &ctx->g->config->border_color); // left + draw_rect(buf, x1 + border_size, y2 - border_size, x2, y2, &ctx->g->config->border_color); // bottom @@ -130,7 +160,7 @@ index db08ee5..fd4650e 100644 void do_wl_surface_req_commit(struct context *ctx) { struct obj_wl_surface *surface = (struct obj_wl_surface *)ctx->obj; -@@ -747,6 +835,10 @@ void do_wl_surface_req_commit(struct context *ctx) +@@ -760,6 +850,10 @@ void do_wl_surface_req_commit(struct context *ctx) /* commit signifies a client-side update only */ return; } 
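Review bot: The border rectangle is computed entirely from client-reported geometry (`xdg_surface->window_x/y/width/height`, which the application sets through `xdg_surface_req_set_window_geometry` later in this patch), so a misbehaving or compromised client controls where and whether the border appears: a `window_width` of 0 makes `x2 - x1` zero and `border_size` 0, a geometry placed outside the buffer makes `x2 < x1` and `border_size` negative, and a negative `window_x`/`window_y` yields negative `x1`/`y1` that only `draw_rect` (outside this hunk) could clamp. If the border is meant to let the user tell windows apart reliably it must not be defeatable by the window's own geometry: clamp the origin to the buffer, fall back to the full buffer when the reported geometry is empty or degenerate, and only skip drawing when the buffer itself is too small. The `* scale` multiplications on client-supplied int32 values can also overflow (undefined behaviour in C), so widen to int64 before multiplying. The enclosing draw function starts outside the hunk.
```c
if (xdg_surface && xdg_surface->is_window) {
	/* Geometry is client-reported: clamp it so it can never hide the border. */
	int64_t scale = surface->preferred_buffer_scale > 0 ? surface->preferred_buffer_scale : 1;
	int64_t gx1 = (int64_t)xdg_surface->window_x * scale;
	int64_t gy1 = (int64_t)xdg_surface->window_y * scale;
	int64_t gx2 = ((int64_t)xdg_surface->window_x + xdg_surface->window_width) * scale;
	int64_t gy2 = ((int64_t)xdg_surface->window_y + xdg_surface->window_height) * scale;
	int32_t x1 = (gx1 < 0 || gx1 >= buf->shm_width) ? 0 : (int32_t)gx1;
	int32_t y1 = (gy1 < 0 || gy1 >= buf->shm_height) ? 0 : (int32_t)gy1;
	int32_t x2 = (gx2 <= x1 || gx2 > buf->shm_width) ? buf->shm_width : (int32_t)gx2;
	int32_t y2 = (gy2 <= y1 || gy2 > buf->shm_height) ? buf->shm_height : (int32_t)gy2;
	int32_t border_size = min(min(ctx->g->config->border_size, x2 - x1), y2 - y1);
	/* … unchanged: the four draw_rect calls … */
}
```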
@@ -141,7 +171,21 @@ index db08ee5..fd4650e 100644 struct wp_object *obj = tracker_get(ctx->tracker, surface->attached_buffer_id); if (!obj) { -@@ -1976,3 +2068,23 @@ void do_zwlr_gamma_control_v1_req_set_gamma(struct context *ctx, int fd) +@@ -921,6 +1015,13 @@ static void append_damage_record(struct obj_wl_surface *surface, int32_t x, + damage->width = width; + damage->height = height; + } ++ ++void do_wl_surface_evt_preferred_buffer_scale(struct context *ctx, int32_t scale) ++{ ++ struct obj_wl_surface *surface = (struct obj_wl_surface *)ctx->obj; ++ surface->preferred_buffer_scale = scale; ++} ++ + void do_wl_surface_req_damage(struct context *ctx, int32_t x, int32_t y, + int32_t width, int32_t height) + { +@@ -2021,3 +2122,23 @@ void do_xdg_toplevel_req_set_title(struct context *ctx, const char *str) } const struct wp_interface *the_display_interface = &intf_wl_display; @@ -166,13 +210,13 @@ index db08ee5..fd4650e 100644 + ctx->obj->window_height = height; +} diff --git a/src/main.h b/src/main.h -index cf260b0..75e0a27 100644 +index 48ddae8..919b069 100644 --- a/src/main.h +++ b/src/main.h -@@ -45,6 +45,9 @@ struct main_config { - uint32_t vsock_cid; +@@ -46,6 +46,9 @@ struct main_config { uint32_t vsock_port; bool vsock_to_host; + const char *title_prefix; + bool border; + struct color border_color; + uint32_t border_size; @@ -195,16 +239,13 @@ index f3580b0..5739001 100644 struct message_tracker { /* Tree containing all objects that are currently alive or zombie */ diff --git a/src/util.c b/src/util.c -index d43aa17..6aade78 100644 +index 8b4bce9..c4ff390 100644 --- a/src/util.c +++ b/src/util.c -@@ -739,4 +739,16 @@ int listen_on_vsock(uint32_t port, int nmaxclients, int *socket_fd_out) - *socket_fd_out = sock; +@@ -794,3 +794,15 @@ int listen_on_vsock(uint32_t port, int nmaxclients, int *socket_fd_out) return 0; } --#endif -\ No newline at end of file -+#endif + #endif + +uint8_t hex_char_to_int(uint8_t hex) +{ 
@@ -218,10 +259,10 @@ index d43aa17..6aade78 100644 + return 0; +} diff --git a/src/util.h b/src/util.h -index 81cb2a8..780bff2 100644 +index 9970840..8e5cec1 100644 --- a/src/util.h +++ b/src/util.h -@@ -514,4 +514,10 @@ int connect_to_vsock(uint32_t port, uint32_t cid, bool to_host, int *socket_fd); +@@ -517,4 +517,10 @@ int connect_to_vsock(uint32_t port, uint32_t cid, bool to_host, int *socket_fd); int listen_on_vsock(uint32_t port, int nmaxclients, int *socket_fd_out); #endif @@ -233,10 +274,18 @@ index 81cb2a8..780bff2 100644 + #endif // WAYPIPE_UTIL_H diff --git a/src/waypipe.c b/src/waypipe.c -index 1c1be71..61e2200 100644 +index c66a971..0dbec96 100644 --- a/src/waypipe.c +++ b/src/waypipe.c -@@ -399,6 +399,53 @@ static int parse_vsock_addr(const char *str, struct main_config *config) +@@ -86,6 +86,7 @@ static const char usage_string[] = + " vsock: [[s]CID:]port\n" + " --version print waypipe version and exit\n" + " --allow-tiled allow gpu buffers (DMABUFs) with format modifiers\n" ++ " --border C,S server: add a border with hex color C and border size S in hex around the window\n" + " --control C server,ssh: set control pipe to reconnect server\n" + " --display D server,ssh: the Wayland display name or path\n" + " --drm-node R set the local render node. default: /dev/dri/renderD128\n" +@@ -400,6 +401,53 @@ static int parse_vsock_addr(const char *str, struct main_config *config) } #endif 
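Review bot: The new usage line reads "border size S in hex", which tells the user S is a hexadecimal number, while the patch description in this same change says the size is in pixels and the `waypipe.scd` entry says both; `parse_border` is outside the hunk, so the accepted format cannot be confirmed here, and the help text should state it unambiguously. Suggest `" --border C,S server: draw a border around each window; C is a hex colour (#RRGGBB or #RRGGBBAA), S the border width in pixels\n"` (or "in hex pixels" if that is really what `parse_border` accepts), and aligning the `.scd` text with it.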
@@ -290,20 +339,19 @@ index 1c1be71..61e2200 100644 static const char *feature_names[] = { "lz4", "zstd", -@@ -448,6 +495,7 @@ static const bool feature_flags[] = { - #define ARG_WAYPIPE_BINARY 1011 +@@ -450,6 +498,7 @@ static const bool feature_flags[] = { #define ARG_BENCH_TEST_SIZE 1012 #define ARG_VSOCK 1013 -+#define ARG_BORDER 1014 + #define ARG_TITLE_PREFIX 1014 ++#define ARG_BORDER 1015 static const struct option options[] = { {"compress", required_argument, NULL, 'c'}, -@@ -469,7 +517,11 @@ static const struct option options[] = { - {"display", required_argument, NULL, ARG_DISPLAY}, - {"control", required_argument, NULL, ARG_CONTROL}, +@@ -473,7 +522,10 @@ static const struct option options[] = { {"test-size", required_argument, NULL, ARG_BENCH_TEST_SIZE}, -- {"vsock", no_argument, NULL, ARG_VSOCK}, {0, 0, NULL, 0}}; -+ {"vsock", no_argument, NULL, ARG_VSOCK}, + {"vsock", no_argument, NULL, ARG_VSOCK}, + {"title-prefix", required_argument, NULL, ARG_TITLE_PREFIX}, +- {0, 0, NULL, 0}}; + {"border", required_argument, NULL, ARG_BORDER}, + {0, 0, NULL, 0} +}; 
@@ -311,41 +359,59 @@ index 1c1be71..61e2200 100644 struct arg_permissions { int val; uint32_t mode_mask; -@@ -497,6 +549,7 @@ static const struct arg_permissions arg_permissions[] = { +@@ -498,7 +550,9 @@ static const struct arg_permissions arg_permissions[] = { {ARG_CONTROL, MODE_SSH | MODE_SERVER}, {ARG_BENCH_TEST_SIZE, MODE_BENCH}, {ARG_VSOCK, MODE_SSH | MODE_CLIENT | MODE_SERVER}, -+ {ARG_BORDER, MODE_SERVER}, - }; +- {ARG_TITLE_PREFIX, MODE_SSH | MODE_CLIENT | MODE_SERVER}}; ++ {ARG_TITLE_PREFIX, MODE_SSH | MODE_CLIENT | MODE_SERVER}, ++ {ARG_BORDER, MODE_SERVER}, ++}; /* envp is nonstandard, so use environ */ -@@ -533,7 +586,12 @@ int main(int argc, char **argv) - .vsock = false, - .vsock_cid = 2, /* VMADDR_CID_HOST */ + extern char **environ; +@@ -541,6 +595,11 @@ int main(int argc, char **argv) .vsock_to_host = false, /* VMADDR_FLAG_TO_HOST */ -- .vsock_port = 0}; -+ .vsock_port = 0, + .vsock_port = 0, + .title_prefix = NULL, + .border = false, + .border_color = { + .a = 255, .r = 0, .g = 0, .b = 0 + }, -+ .border_size = 5}; ++ .border_size = 3 + }; /* We do not parse any getopt arguments happening after the mode choice - * string, so as not to interfere with them. */ -@@ -705,6 +763,12 @@ int main(int argc, char **argv) - fprintf(stderr, "Option --vsock not allowed: this copy of Waypipe was not built with support for Linux VM sockets.\n"); - return EXIT_FAILURE; - #endif -+ case ARG_BORDER: { +@@ -724,6 +783,13 @@ int main(int argc, char **argv) + } + config.title_prefix = optarg; + break; ++ case ARG_BORDER: + config.border = true; + if (parse_border(optarg, &config) == -1) { -+ fail = true; ++ fprintf(stderr, "Invalid border argument: %s\n", optarg); ++ return EXIT_FAILURE; + } -+ } break; ++ break; default: fail = true; break; +diff --git a/waypipe.scd b/waypipe.scd +index d0b300d..f555b30 100644 +--- a/waypipe.scd ++++ b/waypipe.scd +@@ -111,6 +111,11 @@ compressible as images containing pictures. 
+ absolute path, the socket will be created in the folder given by the + environment variable _XDG_RUNTIME_DIR_.) + ++*--border C,S* ++ For server: add a border with hex color C and border size S in hex around the ++ window. The hex color should be in the format #RRGGBB or #RRGGBBAA and ++ the border size is in pixels. ++ + *--drm-node R* + Specify the path *R* to the drm device that this instance of waypipe should + use and (in server mode) notify connecting applications about. -- -2.34.1 +2.45.1 diff --git a/overlays/custom-packages/weston/default.nix b/overlays/custom-packages/weston/default.nix deleted file mode 100644 index d65439756..000000000 --- a/overlays/custom-packages/weston/default.nix +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -# -# This overlay customizes weston - see comments for details -# -{ - final, - prev, -}: -# First, weston package is overridden -( - prev.weston.override { - freerdp = null; - pipewire = null; - pipewireSupport = false; - rdpSupport = false; - vncSupport = false; - xwayland = null; - xwaylandSupport = false; - } -) -# and then this overridden package's attributes are overridden -.overrideAttrs ( - _prevAttrs: - # TODO: Add patch for 13.0 which is coming in NixOS 24.05 - final.lib.optionalAttrs ((final.lib.versions.majorMinor prev.weston.version) == "12.0") { - patches = [./weston-backport-workspaces.patch]; - } -) diff --git a/overlays/custom-packages/weston/weston-backport-workspaces.patch b/overlays/custom-packages/weston/weston-backport-workspaces.patch deleted file mode 100644 index 9ab9cb5e1..000000000 --- a/overlays/custom-packages/weston/weston-backport-workspaces.patch +++ /dev/null 
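Review bot: `--border` is restricted to `MODE_SERVER` in `arg_permissions` and documented as "For server", so the border is painted by the waypipe instance launched on the application side (waypipe's server mode), not by the one next to the compositor. If the coloured border is meant to tell the user which remote a window came from, that is the wrong side of the trust boundary: a compromised application host simply runs `waypipe server` without `--border`, or with another host's colour, and the display side cannot tell the difference. Either allow the option in `MODE_CLIENT` and draw there, or state the limitation in the `waypipe.scd` entry, e.g. `The border is drawn by the server-side instance and is therefore only as trustworthy as the host running it.` Also, the `ARG_BORDER` case returns `EXIT_FAILURE` directly where the neighbouring cases (`default:` in the same switch) set `fail = true` and let the loop finish; `fail = true; break;` after the `fprintf` keeps the error path uniform. `main` continues outside the hunk.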
@@ -1,807 +0,0 @@ -commit 5aaed50e2cd1635084325ff5fe5fad2bd72354cf -Author: Yuri Nesterov -Date: Thu Oct 5 15:56:08 2023 +0300 - - Revert "desktop-shell: Remove multiple workspace support" - - This reverts commit 61d8238874d9c0ad6530c6826209f87c332627eb. - -diff --git a/desktop-shell/shell.c b/desktop-shell/shell.c -index e4ea90f9..e57f5ccd 100644 ---- a/desktop-shell/shell.c -+++ b/desktop-shell/shell.c -@@ -127,6 +127,8 @@ struct shell_surface { - struct weston_curtain *black_view; - } fullscreen; - -+ struct weston_transform workspace_transform; -+ - struct weston_output *fullscreen_output; - struct weston_output *output; - struct wl_listener output_destroy_listener; -@@ -495,6 +497,9 @@ shell_configuration(struct desktop_shell *shell) - weston_config_section_get_string(section, "focus-animation", &s, "none"); - shell->focus_animation_type = get_animation_type(s); - free(s); -+ weston_config_section_get_uint(section, "num-workspaces", -+ &shell->workspaces.num, -+ DEFAULT_NUM_WORKSPACES); - } - - static int -@@ -510,6 +515,15 @@ focus_surface_committed(struct weston_surface *es, int32_t sx, int32_t sy) - { - } - -+static struct focus_surface * -+get_focus_surface(struct weston_surface *surface) -+{ -+ if (surface->committed == focus_surface_committed) -+ return surface->committed_private; -+ else -+ return NULL; -+} -+ - static bool - is_focus_view (struct weston_view *view) - { -@@ -541,6 +555,8 @@ create_focus_surface(struct weston_compositor *ec, - weston_view_set_output(fsurf->curtain->view, output); - fsurf->curtain->view->is_mapped = true; - -+ wl_list_init(&fsurf->workspace_transform.link); -+ - return fsurf; - } - -@@ -733,6 +749,21 @@ restore_focus_state(struct desktop_shell *shell, struct workspace *ws) - } - } - -+static void -+replace_focus_state(struct desktop_shell *shell, struct workspace *ws, -+ struct weston_seat *seat) -+{ -+ struct weston_keyboard *keyboard = weston_seat_get_keyboard(seat); -+ struct focus_state *state; -+ -+ 
wl_list_for_each(state, &ws->focus_list, link) { -+ if (state->seat == seat) { -+ focus_state_set_focus(state, keyboard->focus); -+ return; -+ } -+ } -+} -+ - static void - drop_focus_state(struct desktop_shell *shell, struct workspace *ws, - struct weston_surface *surface) -@@ -826,6 +857,7 @@ workspace_destroy(struct workspace *ws) - focus_surface_destroy(ws->fsurf_back); - - desktop_shell_destroy_layer(&ws->layer); -+ free(ws); - } - - static void -@@ -842,13 +874,14 @@ seat_destroyed(struct wl_listener *listener, void *data) - wl_list_remove(&state->link); - } - --static void -+static struct workspace * - workspace_create(struct desktop_shell *shell) - { -- struct workspace *ws = &shell->workspace; -+ struct workspace *ws = malloc(sizeof *ws); -+ if (ws == NULL) -+ return NULL; - - weston_layer_init(&ws->layer, shell->compositor); -- weston_layer_set_position(&ws->layer, WESTON_LAYER_POSITION_NORMAL); - - wl_list_init(&ws->focus_list); - wl_list_init(&ws->seat_destroyed_listener.link); -@@ -856,12 +889,343 @@ workspace_create(struct desktop_shell *shell) - ws->fsurf_front = NULL; - ws->fsurf_back = NULL; - ws->focus_animation = NULL; -+ -+ return ws; -+} -+ -+static int -+workspace_is_empty(struct workspace *ws) -+{ -+ return wl_list_empty(&ws->layer.view_list.link); -+} -+ -+static struct workspace * -+get_workspace(struct desktop_shell *shell, unsigned int index) -+{ -+ struct workspace **pws = shell->workspaces.array.data; -+ assert(index < shell->workspaces.num); -+ pws += index; -+ return *pws; - } - - struct workspace * - get_current_workspace(struct desktop_shell *shell) - { -- return &shell->workspace; -+ return get_workspace(shell, shell->workspaces.current); -+} -+ -+static void -+activate_workspace(struct desktop_shell *shell, unsigned int index) -+{ -+ struct workspace *ws; -+ -+ ws = get_workspace(shell, index); -+ weston_layer_set_position(&ws->layer, WESTON_LAYER_POSITION_NORMAL); -+ -+ shell->workspaces.current = index; -+} -+ -+static unsigned 
int -+get_output_height(struct weston_output *output) -+{ -+ return abs(output->region.extents.y1 - output->region.extents.y2); -+} -+ -+static struct weston_transform * -+view_get_transform(struct weston_view *view) -+{ -+ struct focus_surface *fsurf = NULL; -+ struct shell_surface *shsurf = NULL; -+ -+ if (is_focus_view(view)) { -+ fsurf = get_focus_surface(view->surface); -+ return &fsurf->workspace_transform; -+ } -+ -+ shsurf = get_shell_surface(view->surface); -+ if (shsurf) -+ return &shsurf->workspace_transform; -+ -+ return NULL; -+} -+ -+static void -+view_translate(struct workspace *ws, struct weston_view *view, double d) -+{ -+ struct weston_transform *transform = view_get_transform(view); -+ -+ if (!transform) -+ return; -+ -+ if (wl_list_empty(&transform->link)) -+ wl_list_insert(view->geometry.transformation_list.prev, -+ &transform->link); -+ -+ weston_matrix_init(&transform->matrix); -+ weston_matrix_translate(&transform->matrix, -+ 0.0, d, 0.0); -+ weston_view_geometry_dirty(view); -+} -+ -+static void -+workspace_translate_out(struct workspace *ws, double fraction) -+{ -+ struct weston_view *view; -+ unsigned int height; -+ double d; -+ -+ wl_list_for_each(view, &ws->layer.view_list.link, layer_link.link) { -+ height = get_output_height(view->surface->output); -+ d = height * fraction; -+ -+ view_translate(ws, view, d); -+ } -+} -+ -+static void -+workspace_translate_in(struct workspace *ws, double fraction) -+{ -+ struct weston_view *view; -+ unsigned int height; -+ double d; -+ -+ wl_list_for_each(view, &ws->layer.view_list.link, layer_link.link) { -+ height = get_output_height(view->surface->output); -+ -+ if (fraction > 0) -+ d = -(height - height * fraction); -+ else -+ d = height + height * fraction; -+ -+ view_translate(ws, view, d); -+ } -+} -+ -+static void -+reverse_workspace_change_animation(struct desktop_shell *shell, -+ unsigned int index, -+ struct workspace *from, -+ struct workspace *to) -+{ -+ shell->workspaces.current = index; 
-+ -+ shell->workspaces.anim_to = to; -+ shell->workspaces.anim_from = from; -+ shell->workspaces.anim_dir = -1 * shell->workspaces.anim_dir; -+ shell->workspaces.anim_timestamp = (struct timespec) { 0 }; -+ -+ weston_layer_set_position(&to->layer, WESTON_LAYER_POSITION_NORMAL); -+ weston_layer_set_position(&from->layer, WESTON_LAYER_POSITION_NORMAL - 1); -+ -+ weston_compositor_schedule_repaint(shell->compositor); -+} -+ -+static void -+workspace_deactivate_transforms(struct workspace *ws) -+{ -+ struct weston_view *view; -+ struct weston_transform *transform; -+ -+ wl_list_for_each(view, &ws->layer.view_list.link, layer_link.link) { -+ transform = view_get_transform(view); -+ if (!transform) -+ continue; -+ -+ if (!wl_list_empty(&transform->link)) { -+ wl_list_remove(&transform->link); -+ wl_list_init(&transform->link); -+ } -+ weston_view_geometry_dirty(view); -+ } -+} -+ -+static void -+finish_workspace_change_animation(struct desktop_shell *shell, -+ struct workspace *from, -+ struct workspace *to) -+{ -+ struct weston_view *view; -+ -+ weston_compositor_schedule_repaint(shell->compositor); -+ -+ /* Views that extend past the bottom of the output are still -+ * visible after the workspace animation ends but before its layer -+ * is hidden. In that case, we need to damage below those views so -+ * that the screen is properly repainted. 
*/ -+ wl_list_for_each(view, &from->layer.view_list.link, layer_link.link) -+ weston_view_damage_below(view); -+ -+ wl_list_remove(&shell->workspaces.animation.link); -+ workspace_deactivate_transforms(from); -+ workspace_deactivate_transforms(to); -+ shell->workspaces.anim_to = NULL; -+ -+ weston_layer_unset_position(&shell->workspaces.anim_from->layer); -+} -+ -+static void -+animate_workspace_change_frame(struct weston_animation *animation, -+ struct weston_output *output, -+ const struct timespec *time) -+{ -+ struct desktop_shell *shell = -+ container_of(animation, struct desktop_shell, -+ workspaces.animation); -+ struct workspace *from = shell->workspaces.anim_from; -+ struct workspace *to = shell->workspaces.anim_to; -+ int64_t t; -+ double x, y; -+ -+ if (workspace_is_empty(from) && workspace_is_empty(to)) { -+ finish_workspace_change_animation(shell, from, to); -+ return; -+ } -+ -+ if (timespec_is_zero(&shell->workspaces.anim_timestamp)) { -+ if (shell->workspaces.anim_current == 0.0) -+ shell->workspaces.anim_timestamp = *time; -+ else -+ timespec_add_msec(&shell->workspaces.anim_timestamp, -+ time, -+ /* Inverse of movement function 'y' below. 
*/ -+ -(asin(1.0 - shell->workspaces.anim_current) * -+ DEFAULT_WORKSPACE_CHANGE_ANIMATION_LENGTH * -+ M_2_PI)); -+ } -+ -+ t = timespec_sub_to_msec(time, &shell->workspaces.anim_timestamp); -+ -+ /* -+ * x = [0, π/2] -+ * y(x) = sin(x) -+ */ -+ x = t * (1.0/DEFAULT_WORKSPACE_CHANGE_ANIMATION_LENGTH) * M_PI_2; -+ y = sin(x); -+ -+ if (t < DEFAULT_WORKSPACE_CHANGE_ANIMATION_LENGTH) { -+ weston_compositor_schedule_repaint(shell->compositor); -+ -+ workspace_translate_out(from, shell->workspaces.anim_dir * y); -+ workspace_translate_in(to, shell->workspaces.anim_dir * y); -+ shell->workspaces.anim_current = y; -+ -+ weston_compositor_schedule_repaint(shell->compositor); -+ } -+ else -+ finish_workspace_change_animation(shell, from, to); -+} -+ -+static void -+animate_workspace_change(struct desktop_shell *shell, -+ unsigned int index, -+ struct workspace *from, -+ struct workspace *to) -+{ -+ struct weston_output *output; -+ -+ int dir; -+ -+ if (index > shell->workspaces.current) -+ dir = -1; -+ else -+ dir = 1; -+ -+ shell->workspaces.current = index; -+ -+ shell->workspaces.anim_dir = dir; -+ shell->workspaces.anim_from = from; -+ shell->workspaces.anim_to = to; -+ shell->workspaces.anim_current = 0.0; -+ shell->workspaces.anim_timestamp = (struct timespec) { 0 }; -+ -+ output = container_of(shell->compositor->output_list.next, -+ struct weston_output, link); -+ wl_list_insert(&output->animation_list, -+ &shell->workspaces.animation.link); -+ -+ weston_layer_set_position(&to->layer, WESTON_LAYER_POSITION_NORMAL); -+ weston_layer_set_position(&from->layer, WESTON_LAYER_POSITION_NORMAL - 1); -+ -+ workspace_translate_in(to, 0); -+ -+ restore_focus_state(shell, to); -+ -+ weston_compositor_schedule_repaint(shell->compositor); -+} -+ -+static void -+update_workspace(struct desktop_shell *shell, unsigned int index, -+ struct workspace *from, struct workspace *to) -+{ -+ shell->workspaces.current = index; -+ weston_layer_set_position(&to->layer, 
WESTON_LAYER_POSITION_NORMAL); -+ weston_layer_unset_position(&from->layer); -+} -+ -+static void -+change_workspace(struct desktop_shell *shell, unsigned int index) -+{ -+ struct workspace *from; -+ struct workspace *to; -+ struct focus_state *state; -+ -+ if (index == shell->workspaces.current) -+ return; -+ -+ /* Don't change workspace when there is any fullscreen surfaces. */ -+ if (!wl_list_empty(&shell->fullscreen_layer.view_list.link)) -+ return; -+ -+ from = get_current_workspace(shell); -+ to = get_workspace(shell, index); -+ -+ if (shell->workspaces.anim_from == to && -+ shell->workspaces.anim_to == from) { -+ restore_focus_state(shell, to); -+ reverse_workspace_change_animation(shell, index, from, to); -+ return; -+ } -+ -+ if (shell->workspaces.anim_to != NULL) -+ finish_workspace_change_animation(shell, -+ shell->workspaces.anim_from, -+ shell->workspaces.anim_to); -+ -+ restore_focus_state(shell, to); -+ -+ if (shell->focus_animation_type != ANIMATION_NONE) { -+ wl_list_for_each(state, &from->focus_list, link) -+ if (state->keyboard_focus) -+ animate_focus_change(shell, from, -+ get_default_view(state->keyboard_focus), NULL); -+ -+ wl_list_for_each(state, &to->focus_list, link) -+ if (state->keyboard_focus) -+ animate_focus_change(shell, to, -+ NULL, get_default_view(state->keyboard_focus)); -+ } -+ -+ if (workspace_is_empty(to) && workspace_is_empty(from)) -+ update_workspace(shell, index, from, to); -+ else -+ animate_workspace_change(shell, index, from, to); -+} -+ -+static bool -+workspace_has_only(struct workspace *ws, struct weston_surface *surface) -+{ -+ struct wl_list *list = &ws->layer.view_list.link; -+ struct wl_list *e; -+ -+ if (wl_list_empty(list)) -+ return false; -+ -+ e = list->next; -+ -+ if (e->next != list) -+ return false; -+ -+ return container_of(e, struct weston_view, layer_link.link)->surface == surface; - } - - static void -@@ -884,6 +1248,68 @@ surface_keyboard_focus_lost(struct weston_surface *surface) - } - } - -+static 
void -+take_surface_to_workspace_by_seat(struct desktop_shell *shell, -+ struct weston_seat *seat, -+ unsigned int index) -+{ -+ struct weston_keyboard *keyboard = weston_seat_get_keyboard(seat); -+ struct weston_surface *surface; -+ struct weston_view *view; -+ struct shell_surface *shsurf; -+ struct workspace *from; -+ struct workspace *to; -+ struct focus_state *state; -+ -+ surface = weston_surface_get_main_surface(keyboard->focus); -+ view = get_default_view(surface); -+ if (view == NULL || -+ index == shell->workspaces.current || -+ is_focus_view(view)) -+ return; -+ -+ from = get_current_workspace(shell); -+ to = get_workspace(shell, index); -+ -+ weston_layer_entry_remove(&view->layer_link); -+ weston_layer_entry_insert(&to->layer.view_list, &view->layer_link); -+ -+ shsurf = get_shell_surface(surface); -+ if (shsurf != NULL) -+ shell_surface_update_child_surface_layers(shsurf); -+ -+ replace_focus_state(shell, to, seat); -+ drop_focus_state(shell, from, surface); -+ -+ if (shell->workspaces.anim_from == to && -+ shell->workspaces.anim_to == from) { -+ reverse_workspace_change_animation(shell, index, from, to); -+ -+ return; -+ } -+ -+ if (shell->workspaces.anim_to != NULL) -+ finish_workspace_change_animation(shell, -+ shell->workspaces.anim_from, -+ shell->workspaces.anim_to); -+ -+ if (workspace_is_empty(from) && -+ workspace_has_only(to, surface)) -+ update_workspace(shell, index, from, to); -+ else { -+ if (shsurf != NULL && -+ wl_list_empty(&shsurf->workspace_transform.link)) -+ wl_list_insert(&shell->workspaces.anim_sticky_list, -+ &shsurf->workspace_transform.link); -+ -+ animate_workspace_change(shell, index, from, to); -+ } -+ -+ state = ensure_focus_state(shell, seat); -+ if (state != NULL) -+ focus_state_set_focus(state, surface); -+} -+ - static void - touch_move_grab_down(struct weston_touch_grab *grab, - const struct timespec *time, -@@ -1875,6 +2301,8 @@ desktop_surface_added(struct weston_desktop_surface *desktop_surface, - 
wl_list_init(&shsurf->rotation.transform.link); - weston_matrix_init(&shsurf->rotation.rotation); - -+ wl_list_init(&shsurf->workspace_transform.link); -+ - /* - * initialize list as well as link. The latter allows to use - * wl_list_remove() even when this surface is not in another list. -@@ -4234,6 +4662,86 @@ force_kill_binding(struct weston_keyboard *keyboard, - kill(pid, SIGKILL); - } - -+static void -+workspace_up_binding(struct weston_keyboard *keyboard, -+ const struct timespec *time, uint32_t key, void *data) -+{ -+ struct desktop_shell *shell = data; -+ unsigned int new_index = shell->workspaces.current; -+ -+ if (shell->locked) -+ return; -+ if (new_index != 0) -+ new_index--; -+ -+ change_workspace(shell, new_index); -+} -+ -+static void -+workspace_down_binding(struct weston_keyboard *keyboard, -+ const struct timespec *time, uint32_t key, void *data) -+{ -+ struct desktop_shell *shell = data; -+ unsigned int new_index = shell->workspaces.current; -+ -+ if (shell->locked) -+ return; -+ if (new_index < shell->workspaces.num - 1) -+ new_index++; -+ -+ change_workspace(shell, new_index); -+} -+ -+static void -+workspace_f_binding(struct weston_keyboard *keyboard, -+ const struct timespec *time, uint32_t key, void *data) -+{ -+ struct desktop_shell *shell = data; -+ unsigned int new_index; -+ -+ if (shell->locked) -+ return; -+ new_index = key - KEY_F1; -+ if (new_index >= shell->workspaces.num) -+ new_index = shell->workspaces.num - 1; -+ -+ change_workspace(shell, new_index); -+} -+ -+static void -+workspace_move_surface_up_binding(struct weston_keyboard *keyboard, -+ const struct timespec *time, uint32_t key, -+ void *data) -+{ -+ struct desktop_shell *shell = data; -+ unsigned int new_index = shell->workspaces.current; -+ -+ if (shell->locked) -+ return; -+ -+ if (new_index != 0) -+ new_index--; -+ -+ take_surface_to_workspace_by_seat(shell, keyboard->seat, new_index); -+} -+ -+static void -+workspace_move_surface_down_binding(struct weston_keyboard 
*keyboard, -+ const struct timespec *time, uint32_t key, -+ void *data) -+{ -+ struct desktop_shell *shell = data; -+ unsigned int new_index = shell->workspaces.current; -+ -+ if (shell->locked) -+ return; -+ -+ if (new_index < shell->workspaces.num - 1) -+ new_index++; -+ -+ take_surface_to_workspace_by_seat(shell, keyboard->seat, new_index); -+} -+ - static void - shell_reposition_view_on_output_change(struct weston_view *view) - { -@@ -4287,12 +4795,16 @@ void - shell_for_each_layer(struct desktop_shell *shell, - shell_for_each_layer_func_t func, void *data) - { -+ struct workspace **ws; -+ - func(shell, &shell->fullscreen_layer, data); - func(shell, &shell->panel_layer, data); - func(shell, &shell->background_layer, data); - func(shell, &shell->lock_layer, data); - func(shell, &shell->input_panel_layer, data); -- func(shell, &shell->workspace.layer, data); -+ -+ wl_array_for_each(ws, &shell->workspaces.array) -+ func(shell, &(*ws)->layer, data); - } - - static void -@@ -4497,6 +5009,7 @@ shell_destroy(struct wl_listener *listener, void *data) - { - struct desktop_shell *shell = - container_of(listener, struct desktop_shell, destroy_listener); -+ struct workspace **ws; - struct shell_output *shell_output, *tmp; - struct shell_seat *shseat, *shseat_next; - -@@ -4529,7 +5042,9 @@ shell_destroy(struct wl_listener *listener, void *data) - - weston_desktop_destroy(shell->desktop); - -- workspace_destroy(&shell->workspace); -+ wl_array_for_each(ws, &shell->workspaces.array) -+ workspace_destroy(*ws); -+ wl_array_release(&shell->workspaces.array); - - desktop_shell_destroy_layer(&shell->panel_layer); - desktop_shell_destroy_layer(&shell->background_layer); -@@ -4546,6 +5061,7 @@ static void - shell_add_bindings(struct weston_compositor *ec, struct desktop_shell *shell) - { - uint32_t mod; -+ int i, num_workspace_bindings; - - if (shell->allow_zap) - weston_compositor_add_key_binding(ec, KEY_BACKSPACE, -@@ -4611,6 +5127,27 @@ shell_add_bindings(struct weston_compositor 
*ec, struct desktop_shell *shell) - ec); - weston_compositor_add_key_binding(ec, KEY_K, mod, - force_kill_binding, shell); -+ weston_compositor_add_key_binding(ec, KEY_UP, mod, -+ workspace_up_binding, shell); -+ weston_compositor_add_key_binding(ec, KEY_DOWN, mod, -+ workspace_down_binding, shell); -+ weston_compositor_add_key_binding(ec, KEY_UP, mod | MODIFIER_SHIFT, -+ workspace_move_surface_up_binding, -+ shell); -+ weston_compositor_add_key_binding(ec, KEY_DOWN, mod | MODIFIER_SHIFT, -+ workspace_move_surface_down_binding, -+ shell); -+ -+ /* Add bindings for mod+F[1-6] for workspace 1 to 6. */ -+ if (shell->workspaces.num > 1) { -+ num_workspace_bindings = shell->workspaces.num; -+ if (num_workspace_bindings > 6) -+ num_workspace_bindings = 6; -+ for (i = 0; i < num_workspace_bindings; i++) -+ weston_compositor_add_key_binding(ec, KEY_F1 + i, mod, -+ workspace_f_binding, -+ shell); -+ } - - weston_install_debug_key_binding(ec, mod); - } -@@ -4631,6 +5168,8 @@ wet_shell_init(struct weston_compositor *ec, - { - struct weston_seat *seat; - struct desktop_shell *shell; -+ struct workspace **pws; -+ unsigned int i; - struct wl_event_loop *loop; - - shell = zalloc(sizeof *shell); -@@ -4666,6 +5205,8 @@ wet_shell_init(struct weston_compositor *ec, - weston_layer_set_position(&shell->background_layer, - WESTON_LAYER_POSITION_BACKGROUND); - -+ wl_array_init(&shell->workspaces.array); -+ wl_list_init(&shell->workspaces.client_list); - wl_list_init(&shell->seat_list); - - if (input_panel_setup(shell) < 0) -@@ -4677,10 +5218,23 @@ wet_shell_init(struct weston_compositor *ec, - - shell_configuration(shell); - -- workspace_create(shell); -+ for (i = 0; i < shell->workspaces.num; i++) { -+ pws = wl_array_add(&shell->workspaces.array, sizeof *pws); -+ if (pws == NULL) -+ return -1; -+ -+ *pws = workspace_create(shell); -+ if (*pws == NULL) -+ return -1; -+ } -+ activate_workspace(shell, 0); - - weston_layer_init(&shell->minimized_layer, ec); - -+ 
wl_list_init(&shell->workspaces.anim_sticky_list); -+ wl_list_init(&shell->workspaces.animation.link); -+ shell->workspaces.animation.frame = animate_workspace_change_frame; -+ - shell->desktop = weston_desktop_create(ec, &shell_desktop_api, shell); - if (!shell->desktop) - return -1; -diff --git a/desktop-shell/shell.h b/desktop-shell/shell.h -index e9e123e9..f4cb40fd 100644 ---- a/desktop-shell/shell.h -+++ b/desktop-shell/shell.h -@@ -47,6 +47,7 @@ enum fade_type { - - struct focus_surface { - struct weston_curtain *curtain; -+ struct weston_transform workspace_transform; - }; - - struct workspace { -@@ -127,7 +128,21 @@ struct desktop_shell { - struct weston_surface *lock_surface; - struct wl_listener lock_surface_listener; - -- struct workspace workspace; -+ struct { -+ struct wl_array array; -+ unsigned int current; -+ unsigned int num; -+ -+ struct wl_list client_list; -+ -+ struct weston_animation animation; -+ struct wl_list anim_sticky_list; -+ int anim_dir; -+ struct timespec anim_timestamp; -+ double anim_current; -+ struct workspace *anim_from; -+ struct workspace *anim_to; -+ } workspaces; - - struct { - struct wl_resource *binding; -diff --git a/man/weston-bindings.man b/man/weston-bindings.man -index d528a807..bdeb9912 100644 ---- a/man/weston-bindings.man -+++ b/man/weston-bindings.man -@@ -58,6 +58,21 @@ Make the active window tiled bottom. - Switch active window - .P - .RE -+.B mod + Up, mod + Down -+.RS 4 -+Increment/decrement active workspace number, if there are multiple -+.P -+.RE -+.B mod + Shift + Up, mod + Shift + Down -+.RS 4 -+Move active window to the succeeding/preceding workspace, if possible -+.P -+.RE -+.B mod + F1/F2/F3/F4/F5/F6 -+.RS 4 -+Jump to the numbered workspace, if it exists -+.P -+.RE - .B Ctrl + Alt + Backspace - .RS 4 - If supported, terminate Weston. (Note this combination often is used to hard restart Xorg.) 
-diff --git a/man/weston.ini.man b/man/weston.ini.man
-index 179e0882..d9b17d85 100644
---- a/man/weston.ini.man
-+++ b/man/weston.ini.man
-@@ -426,6 +426,11 @@ for windows, controlling the backlight and zooming the desktop. See
- .BR weston-bindings (7).
- Possible values: none, ctrl, alt, super (default)
- .TP 7
-+.BI "num-workspaces=" 6
-+defines the number of workspaces (unsigned integer). The user can switch
-+workspaces by using the
-+binding+F1, F2 keys. If this key is not set, fall back to one workspace.
-+.TP 7
- .BI "cursor-theme=" theme
- sets the cursor theme (string).
- .TP 7
diff --git a/packages/audio-ctrl/default.nix b/packages/audio-ctrl/default.nix
new file mode 100644
index 000000000..07644a091
--- /dev/null
+++ b/packages/audio-ctrl/default.nix
@@ -0,0 +1,29 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# This is a temporary solution for volume control.
+#
+{ pamixer, writeShellApplication, ... }:
+writeShellApplication {
+ name = "audio-ctrl";
+ runtimeInputs = [ pamixer ];
+ text = ''
+ export PULSE_SERVER=audio-vm:4713
+
+ case "$1" in
+ inc)
+ pamixer -i 5
+ ;;
+ dec)
+ pamixer -d 5
+ ;;
+ mut)
+ if [ "$(pamixer --get-mute)" = "false" ]; then
+ pamixer -m
+ else
+ pamixer -u
+ fi
+ ;;
+ esac
+ '';
+}
diff --git a/packages/dendrite-pinecone/default.nix b/packages/dendrite-pinecone/default.nix
new file mode 100644
index 000000000..bb073e164
--- /dev/null
+++ b/packages/dendrite-pinecone/default.nix
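Review bot: The `case "$1" in` block has no `*)` branch, so any argument other than inc/dec/mut exits 0 having done nothing, and because writeShellApplication runs with `set -u` a missing argument aborts with an unbound-variable error instead of a usage message. Add `*) echo "usage: audio-ctrl inc|dec|mut" >&2; exit 1 ;;` before `esac` and switch the subject to `"${1:-}"` so the no-argument case reaches that branch. `export PULSE_SERVER=audio-vm:4713` points the client at a TCP PulseAudio socket on another VM; a one-line comment naming where that listener is configured and what restricts access to it would save the next reader from having to find out.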
@@ -0,0 +1,27 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{ buildGoModule, fetchFromGitHub }:
+buildGoModule {
+ pname = "dendrite-pinecone";
+ version = "0.9.1";
+
+ # TODO: Move all these to the options module.
+ TcpPort = "49000";
+ McastUdpPort = "60606";
+ McastUdpIp = "239.0.0.114";
+ TcpPortInt = 49000;
+ McastUdpPortInt = 60606;
+
+ src = fetchFromGitHub {
+ owner = "tiiuae";
+ repo = "dendrite";
+ # branch is feature/ghaf-integration
+ rev = "d8e62f3d1bf6607d243c53673fc02064fed863e8";
+ sha256 = "sha256-GtaFDfXssym3eNrTSOB8JW2awIvZsTGdUPdLL+ae7Pw=";
+ };
+ subPackages = [ "cmd/dendrite-demo-pinecone" ];
+ # patches = [./turnserver-crendentials-flags.patch];
+
+ vendorHash = "sha256-599pZlX7SdUYOmGnYGIngyPKagIxri6KKJh+e5UDBps=";
+}
diff --git a/packages/element-gps/default.nix b/packages/element-gps/default.nix
new file mode 100644
index 000000000..457e55569
--- /dev/null
+++ b/packages/element-gps/default.nix
@@ -0,0 +1,12 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{ python3Packages }:
+with python3Packages;
+buildPythonApplication {
+ pname = "gpswebsock";
+ version = "1.0";
+
+ propagatedBuildInputs = [ websockets ];
+
+ src = ./.;
+}
diff --git a/packages/element-gps/main.py b/packages/element-gps/main.py
new file mode 100755
index 000000000..74cccbe16
--- /dev/null
+++ b/packages/element-gps/main.py
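Review bot: `TcpPort`, `McastUdpPort`, `McastUdpIp`, `TcpPortInt` and `McastUdpPortInt` are plain derivation attributes, so they are exported into the build environment but nothing in this file reads them; the TODO says they belong in an options module, but until then a comment naming their consumer (presumably a service module reading them off the package) would stop someone removing them as dead attributes. `version = "0.9.1"` is not tied to the pinned feature-branch `rev`, so a comment stating which upstream release the commit is based on would make the pin auditable. The commented-out `# patches = [./turnserver-crendentials-flags.patch];` refers to a file this commit does not add; either drop the line or note why it is kept.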
@@ -0,0 +1,124 @@ +#!/usr/bin/env python + +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 + +import asyncio +import functools +import json +import signal +import threading + +import websockets + + +class GpsProcessState: + def __init__(self): + self._gps_data = "" + self.data_lock = asyncio.Lock() + self.condition = asyncio.Condition() + self.abort_websockets = False + self.terminate = asyncio.Event() + self.stop_event = threading.Event() + self.stop_wait_asyncio = asyncio.get_event_loop().run_in_executor( + None, self.stop_event.wait + ) + + def get_data(self): + return self._gps_data + + def set_data(self, value): + self._gps_data = value + + def del_data(self): + del self._gps_data + + message = property(get_data, set_data, del_data) + + +async def read_continuous_gps(data): + process = await asyncio.create_subprocess_exec( + "./run/current-system/sw/bin/gpspipe", + "-w", + stdin=asyncio.subprocess.PIPE, + stdout=asyncio.subprocess.PIPE, + ) + print("GPS reader process PID:", {process.pid}, "starting...") + + while not data.terminate.is_set(): + if process.returncode is not None: + print("gpspipe process has exited") + break + + line = await process.stdout.readline() + line = line.decode() + + if len(line) != 0: + reply_json = json.loads(line) + if reply_json["class"] == "TPV": + async with data.data_lock: + data.message = line + async with data.condition: + data.condition.notify_all() + + print("Closing service...") + # Notify all websockets to quit + async with data.condition: + data.abort_websockets = True + data.condition.notify_all() + await asyncio.sleep(2) + data.stop_event.set() + + +async def handler(websocket, path, gps_state): + print("New connection received") + while not gps_state.abort_websockets: + async with gps_state.condition: + await gps_state.condition.wait() + if gps_state.abort_websockets: + break + async with gps_state.data_lock: + output = gps_state.message + try: + await 
websocket.send(output) + except Exception: + print("Client disconnected.") + break + print("Closing websocket...") + + +async def wait_connection(gps_state): + print("Websocket listener on localhost:8000.") + async with websockets.serve( + functools.partial(handler, gps_state=gps_state), "localhost", 8000 + ): + await gps_state.stop_wait_asyncio + print("Closing websocket listener.") + + +def signal_handler(signum, frame, state_object): + # ignore additional signals + signal.signal(signum, signal.SIG_IGN) + state_object.terminate.set() + + +async def main(): + gps_state = GpsProcessState() + # The stop condition is set when receiving SIGTERM or SIGINT. + signal.signal( + signal.SIGINT, functools.partial(signal_handler, state_object=gps_state) + ) + signal.signal( + signal.SIGTERM, functools.partial(signal_handler, state_object=gps_state) + ) + await asyncio.gather(read_continuous_gps(gps_state), wait_connection(gps_state)) + + +if __name__ == "__main__": + loop = asyncio.get_event_loop() + stop = loop.create_future() + loop.add_signal_handler(signal.SIGTERM, stop.set_result, None) + try: + loop.run_until_complete(main()) + finally: + loop.close() diff --git a/packages/element-gps/setup.py b/packages/element-gps/setup.py new file mode 100644 index 000000000..a0e2748ba --- /dev/null +++ b/packages/element-gps/setup.py @@ -0,0 +1,15 @@ +#!/usr/bin/env python + +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 + +from setuptools import find_packages, setup + +setup( + name="gpswebsock", + version="1.0", + # Modules to import from other scripts: + packages=find_packages(), + # Executables + scripts=["main.py"], +) diff --git a/packages/element-web/default.nix b/packages/element-web/default.nix new file mode 100644 index 000000000..76c7f67e8 --- /dev/null +++ b/packages/element-web/default.nix 
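Review bot: `"./run/current-system/sw/bin/gpspipe"` in `read_continuous_gps` is a relative path (leading `./`), so `create_subprocess_exec` resolves it against the service's working directory and fails unless it happens to be started from `/`; the intended spelling is the absolute `/run/current-system/sw/bin/gpspipe`, or just `"gpspipe"` resolved via PATH. `json.loads(line)` followed by `reply_json["class"]` has no error handling, so a single malformed or truncated line from gpspipe raises out of the reader coroutine and, through `asyncio.gather`, takes the whole service down; wrap the parse in `try`/`except (json.JSONDecodeError, KeyError)` and skip that line. Minor: `print("GPS reader process PID:", {process.pid}, "starting...")` prints a one-element set, so the braces should go.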
@@ -0,0 +1,97 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + lib, + stdenv, + fetchFromGitHub, + fetchYarnDeps, + jq, + yarn, + fixup_yarn_lock, + nodejs, + jitsi-meet, +}: +let + pinData = import ./pin.nix; + inherit (pinData.hashes) webSrcHash webYarnHash; + noPhoningHome = { + disable_guests = true; # disable automatic guest account registration at matrix.org + }; +in +stdenv.mkDerivation ( + finalAttrs: + builtins.removeAttrs pinData [ "hashes" ] + // { + pname = "element-web"; + + src = fetchFromGitHub { + owner = "vector-im"; + repo = finalAttrs.pname; + rev = "v${finalAttrs.version}"; + hash = webSrcHash; + }; + + offlineCache = fetchYarnDeps { + yarnLock = finalAttrs.src + "/yarn.lock"; + sha256 = webYarnHash; + }; + + nativeBuildInputs = [ + yarn + fixup_yarn_lock + jq + nodejs + ]; + + configurePhase = '' + runHook preConfigure + + export HOME=$PWD/tmp + # with the update of openssl3, some key ciphers are not supported anymore + # this flag will allow those codecs again as a workaround + # see https://medium.com/the-node-js-collection/node-js-17-is-here-8dba1e14e382#5f07 + # and https://github.com/vector-im/element-web/issues/21043 + export NODE_OPTIONS=--openssl-legacy-provider + mkdir -p $HOME + + fixup_yarn_lock yarn.lock + yarn config --offline set yarn-offline-mirror $offlineCache + yarn install --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive + patch -p1 < ${./matrix-react-sdk.patch} + patchShebangs node_modules + + runHook postConfigure + ''; + + buildPhase = '' + runHook preBuild + + export VERSION=${finalAttrs.version} + yarn build:res --offline + yarn build:module_system --offline + yarn build:bundle --offline + + runHook postBuild + ''; + + installPhase = '' + runHook preInstall + + cp -R webapp $out + cp ${jitsi-meet}/libs/external_api.min.js $out/jitsi_external_api.min.js + echo "${finalAttrs.version}" > "$out/version" + jq -s '.[0] * 
$conf' "config.sample.json" --argjson "conf" '${builtins.toJSON noPhoningHome}' > "$out/config.json" + + runHook postInstall + ''; + + meta = { + description = "A glossy Matrix collaboration client for the web"; + homepage = "https://element.io/"; + changelog = "https://github.com/vector-im/element-web/blob/v${finalAttrs.version}/CHANGELOG.md"; + maintainers = lib.teams.matrix.members; + license = lib.licenses.asl20; + platforms = lib.platforms.all; + }; + } +) diff --git a/packages/element-web/matrix-react-sdk.patch b/packages/element-web/matrix-react-sdk.patch new file mode 100644 index 000000000..00c8bdab2 --- /dev/null +++ b/packages/element-web/matrix-react-sdk.patch 
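Review bot: `maintainers = lib.teams.matrix.members` in `meta` is carried over from the nixpkgs expression this derivation is based on, but this build applies a local patch (`patch -p1 < ${./matrix-react-sdk.patch}`) that replaces the browser geolocation API, so the nixpkgs matrix team does not maintain it; point `maintainers` at the Ghaf maintainers or drop the attribute, and add a comment above the `patch` line summarising what the patch changes. The `NODE_OPTIONS=--openssl-legacy-provider` comment explains why the flag exists; it would be worth adding that, as far as I can see, it only affects the build-time yarn/webpack run in `configurePhase` and not the static webapp that is installed, so readers do not mistake it for a runtime weakening.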
@@ -0,0 +1,206 @@ +diff --unified --recursive --text --color element-web.orig/node_modules/matrix-react-sdk/src/components/views/location/LocationPicker.tsx element-web.new/node_modules/matrix-react-sdk/src/components/views/location/LocationPicker.tsx +--- element-web.orig/node_modules/matrix-react-sdk/src/components/views/location/LocationPicker.tsx 2023-10-17 09:32:00.594000000 +0300 ++++ element-web.new/node_modules/matrix-react-sdk/src/components/views/location/LocationPicker.tsx 2023-10-18 11:18:59.659372442 +0300 +@@ -45,6 +45,188 @@ + error?: LocationShareError; + } + ++interface Coordinates { ++ latitude: number; ++ longitude: number; ++ altitude?: number | null; ++ accuracy?: number; ++ altitudeAccuracy?: number | null; ++ heading?: number | null; ++ speed?: number | null; ++} ++ ++interface Position { ++ coords: Coordinates; ++ timestamp: number; ++ isHighAccuracy?: boolean; ++} ++ ++interface PositionError { ++ code: number; ++ message: string; ++} ++ ++class ExternalGeolocation { ++ private static sockets: Map = new Map(); ++ private static cachedPosition: Position | null = null; ++ ++ static getCurrentPosition( ++ successCallback: (position: Position) => void, ++ errorCallback?: (error: PositionError) => void, ++ options?: PositionOptions ++ ){ ++ if (ExternalGeolocation.cachedPosition && options?.maximumAge && options.maximumAge > 0 && Date.now() - options.maximumAge > ExternalGeolocation.cachedPosition.timestamp ) { ++ successCallback(ExternalGeolocation.cachedPosition); ++ return; ++ } ++ ++ const socket = new WebSocket("ws://localhost:8000"); ++ ++ let timeout: ReturnType; ++ if (options?.timeout) { ++ timeout = setInterval(function () { ++ socket.close(); ++ if (errorCallback) { ++ errorCallback({ ++ code: 3, ++ message: `Timeout elapsed: ${options.timeout}ms` ++ }); ++ } ++ }, options.timeout); ++ } ++ ++ socket.onmessage = (event) => { ++ const p = JSON.parse(event.data); ++ ++ if (p.mode > 1) { ++ if (timeout) { ++ clearInterval(timeout); ++ } 
++ socket.close(); ++ ++ const timestamp = new Date(p.time).getTime(); ++ ++ const position: Position = { ++ coords: { ++ latitude: p.lat, ++ longitude: p.lon, ++ accuracy: p.eph, ++ altitude: p.altMSL, ++ altitudeAccuracy: p.epv, ++ heading: p.track, ++ speed: p.speed, ++ }, ++ timestamp, ++ isHighAccuracy: true, ++ }; ++ ++ ExternalGeolocation.cachedPosition = position; ++ successCallback(position); ++ } ++ }; ++ ++ socket.onerror = (event) => { ++ if (timeout) { ++ clearInterval(timeout); ++ } ++ if (errorCallback) { ++ errorCallback({ ++ code: 2, ++ message: `WebSocket error: ${event.type}` ++ }); ++ } ++ }; ++ } ++ ++ static watchPosition( ++ successCallback: (position: Position) => void, ++ errorCallback?: (error: PositionError) => void, ++ options?: PositionOptions ++ ){ ++ const watchId = ExternalGeolocation.sockets.size; ++ ++ if (ExternalGeolocation.cachedPosition && options?.maximumAge && options.maximumAge > 0 && Date.now() - options.maximumAge > ExternalGeolocation.cachedPosition.timestamp ) { ++ successCallback(ExternalGeolocation.cachedPosition); ++ } ++ ++ const socket = new WebSocket("ws://localhost:8000"); ++ ++ let timeout: ReturnType; ++ if (options?.timeout) { ++ timeout = setInterval(function () { ++ socket.close(); ++ if (errorCallback) { ++ errorCallback({ ++ code: 3, ++ message: `Timeout elapsed: ${options.timeout}ms` ++ }); ++ } ++ }, options.timeout); ++ } ++ ++ socket.onmessage = (event) => { ++ const p = JSON.parse(event.data); ++ const timestamp = new Date(p.time).getTime(); ++ ++ if (p.mode > 1) { ++ if (timeout) { ++ clearInterval(timeout); ++ } ++ const position: Position = { ++ coords: { ++ latitude: p.lat, ++ longitude: p.lon, ++ accuracy: p.eph, ++ altitude: p.altMSL, ++ altitudeAccuracy: p.epv, ++ heading: p.track, ++ speed: p.speed, ++ }, ++ timestamp, ++ isHighAccuracy: true, ++ }; ++ ++ ExternalGeolocation.cachedPosition = position; ++ successCallback(position); ++ } ++ }; ++ ++ socket.onerror = (event) => { ++ if (timeout) { 
++ clearInterval(timeout); ++ } ++ ++ if (errorCallback) { ++ errorCallback({ ++ code: 2, ++ message: `WebSocket error: ${event.type}`, ++ }); ++ } ++ }; ++ ++ ExternalGeolocation.sockets.set(watchId, socket); ++ ++ return watchId; ++ } ++ ++ static clearWatch(watchId: number) { ++ const socket = ExternalGeolocation.sockets.get(watchId); ++ if (socket) { ++ socket.close(); ++ ExternalGeolocation.sockets.delete(watchId); ++ } ++ } ++} ++ ++Object.defineProperty(navigator, 'geolocation', { ++ value: { ++ getCurrentPosition: ExternalGeolocation.getCurrentPosition, ++ watchPosition: ExternalGeolocation.watchPosition, ++ clearWatch: ExternalGeolocation.clearWatch, ++ }, ++ writable: false, ++}); ++ + const isSharingOwnLocation = (shareType: LocationShareType): boolean => + shareType === LocationShareType.Own || shareType === LocationShareType.Live; + +diff --unified --recursive --text --color element-web.orig/node_modules/matrix-react-sdk/src/components/views/rooms/MessageComposer.tsx element-web.new/node_modules/matrix-react-sdk/src/components/views/rooms/MessageComposer.tsx +--- element-web.orig/node_modules/matrix-react-sdk/src/components/views/rooms/MessageComposer.tsx 2023-10-17 09:32:00.594000000 +0300 ++++ element-web.new/node_modules/matrix-react-sdk/src/components/views/rooms/MessageComposer.tsx 2023-10-17 09:49:26.617200503 +0300 +@@ -624,9 +624,7 @@ + relation={this.props.relation} + onRecordStartEndClick={this.onRecordStartEndClick} + setStickerPickerOpen={this.setStickerPickerOpen} +- showLocationButton={ +- !window.electron && SettingsStore.getValue(UIFeature.LocationSharing) +- } ++ showLocationButton={SettingsStore.getValue(UIFeature.LocationSharing)} + showPollsButton={this.state.showPollsButton} + showStickersButton={this.showStickersButton} + isRichTextEnabled={this.state.isRichTextEnabled} diff --git a/packages/element-web/pin.nix b/packages/element-web/pin.nix new file mode 100644 index 000000000..6bcb14e78 --- /dev/null 
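Review bot: The `maximumAge` check in `getCurrentPosition` (and the identical expression in `watchPosition`) is inverted: `Date.now() - options.maximumAge > ExternalGeolocation.cachedPosition.timestamp` is true when the cached fix is older than `maximumAge`, so the stale position is served and a fresh one is never fetched in exactly the case the caller asked to avoid; the Geolocation API contract is `Date.now() - ExternalGeolocation.cachedPosition.timestamp <= options.maximumAge`. The timeout uses `setInterval` for a one-shot event, so if the socket never delivers a `mode > 1` message the error callback keeps firing every `options.timeout` ms; `setTimeout`/`clearTimeout` matches the intent. `watchId = ExternalGeolocation.sockets.size` reuses an id after `clearWatch` deletes an entry, so a later `clearWatch` can close another caller's socket; a monotonically increasing counter avoids that. Messages from `ws://localhost:8000` are passed straight to the callbacks after only the `p.mode > 1` check, so a comment stating that the fields are trusted as produced by the local gpspipe bridge and which ones are required (`time`, `lat`, `lon`) would help whoever maintains both sides.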
+++ b/packages/element-web/pin.nix
@@ -0,0 +1,11 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+ "version" = "1.11.47";
+ "hashes" = {
+ "desktopSrcHash" = "sha256-Ea3LJt+3HAOX2PTREMojtuPVTeA6u7VJtysd8bbTbwU=";
+ "desktopYarnHash" = "1nssv92yk1a53v7mvijkrb3gzif5xrz2j6lxvg7p340z42rm7f9v";
+ "webSrcHash" = "sha256-DPBMZMjDnwjdNsePcUBBU0KRGOpOmNHgQZn9/ad/Qss=";
+ "webYarnHash" = "0rzipmaq0jarzdawl7lmxnapwzl52kklxadm859hgx9b1hd5vwj7";
+ };
+}
diff --git a/packages/flake-module.nix b/packages/flake-module.nix
index 556c5be10..a592437e8 100644
--- a/packages/flake-module.nix
+++ b/packages/flake-module.nix
@@ -1,41 +1,49 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{self, ...}: { - flake.packages.riscv64-linux.hart-software-services = - self.nixosConfigurations.microchip-icicle-kit-debug.pkgs.callPackage ./hart-software-services {}; - perSystem = { - pkgs, - lib, - system, - ... - }: let - inherit (pkgs) callPackage; - in { - packages = self.lib.platformPkgs system { - gala-app = callPackage ./gala {}; - kernel-hardening-checker = callPackage ./kernel-hardening-checker {}; - windows-launcher = callPackage ./windows-launcher {enableSpice = false;}; - windows-launcher-spice = callPackage ./windows-launcher {enableSpice = true;}; - doc = callPackage ../docs { - revision = lib.strings.fileContents ../.version; - # options = ; - # TODO Add the options in from the self.nixosModules - # The below is not needed anymore to setoptions - # - # options = let - # cfg = nixpkgs.lib.nixosSystem { - # inherit system; - # modules = - # lib.ghaf.modules - # ++ [ - # jetpack-nixos.nixosModules.default - # microvm.nixosModules.host - # lanzaboote.nixosModules.lanzaboote - # ]; - # }; - # in - # cfg.options; +{ self, ... }: +{ + flake.packages.x86_64-linux.hart-software-services = + self.nixosConfigurations.microchip-icicle-kit-debug-from-x86_64.pkgs.callPackage + ./hart-software-services + { }; + perSystem = + { + pkgs, + lib, + system, + ... 
+ }: + let + inherit (pkgs) callPackage; + in + { + packages = self.lib.platformPkgs system { + gala-app = callPackage ./gala { }; + kernel-hardening-checker = callPackage ./kernel-hardening-checker { }; + make-checks = callPackage ./make-checks { }; + windows-launcher = callPackage ./windows-launcher { enableSpice = false; }; + windows-launcher-spice = callPackage ./windows-launcher { enableSpice = true; }; + hardware-scan = callPackage ./hardware-scan { }; + doc = callPackage ../docs { + revision = lib.strings.fileContents ../.version; + # options = ; + # TODO Add the options in from the self.nixosModules + # The below is not needed anymore to setoptions + # + # options = let + # cfg = nixpkgs.lib.nixosSystem { + # inherit system; + # modules = + # lib.ghaf.modules + # ++ [ + # jetpack-nixos.nixosModules.default + # microvm.nixosModules.host + # lanzaboote.nixosModules.lanzaboote + # ]; + # }; + # in + # cfg.options; + }; }; }; - }; } diff --git a/packages/flash/default.nix b/packages/flash/default.nix new file mode 100644 index 000000000..5a7c4ecbe --- /dev/null +++ b/packages/flash/default.nix @@ -0,0 +1,17 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + coreutils, + util-linux, + writeShellApplication, + zstd, +}: +writeShellApplication { + name = "flash-script"; + runtimeInputs = [ + coreutils + util-linux + zstd + ]; + text = builtins.readFile ./flash.sh; +} diff --git a/packages/flash/flash.sh b/packages/flash/flash.sh new file mode 100755 index 000000000..b952000eb --- /dev/null +++ b/packages/flash/flash.sh 
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+
+# Function to print usage and exit
+print_usage() {
+ echo "Usage: $0 -d -i "
+ exit 1
+}
+
+if [ "$EUID" -ne 0 ]; then
+ echo "Please run as root"
+ exit
+fi
+
+# Check the number of parameters
+if [ "$#" -ne 4 ]; then
+ print_usage
+fi
+
+# Parse the parameters
+while getopts "d:i:" opt; do
+ case $opt in
+ d) DEVICE="$OPTARG" ;;
+ i) FILENAME="$OPTARG" ;;
+ *) print_usage ;;
+ esac
+done
+
+# Check if disk and imagefile exist
+if [ ! -e "$DEVICE" ]; then
+ echo "No such block device: ${DEVICE}"
+ exit 1
+fi
+
+if [ ! -e "$FILENAME" ]; then
+ echo "No such file: ${FILENAME}"
+ exit 1
+fi
+
+# Function to wipe any ZFS leftovers exising on the disk
+wipe_filesystem () {
+ echo "Wiping filesystem..."
+ # Set sector size to 512 bytes
+ SECTOR=512
+ # 10 MiB in 512-byte sectors
+ MIB_TO_SECTORS=20480
+ # Disk size in 512-byte sectors
+ SECTORS=$(blockdev --getsz "$DEVICE")
+ # Unmount possible mounted filesystems
+ sync; umount -q "$DEVICE"* || true;
+ # Wipe first 10MiB of disk
+ dd if=/dev/zero of="$DEVICE" bs="$SECTOR" count="$MIB_TO_SECTORS" conv=fsync status=none
+ # Wipe last 10MiB of disk
+ dd if=/dev/zero of="$DEVICE" bs="$SECTOR" count="$MIB_TO_SECTORS" seek="$((SECTORS - MIB_TO_SECTORS))" conv=fsync status=none
+ echo "Flashing..."
+}
+
+echo "Found ${FILENAME}..."
+
+# Check the extension of the image file and run appropriate command
+if [[ "$FILENAME" == *.zst ]]; then
+ wipe_filesystem
+ zstdcat "$FILENAME" | dd of="$DEVICE" bs=32M status=progress conv=fsync oflag=direct iflag=fullblock
+elif [[ "$FILENAME" == *.iso || "$FILENAME" == *.img ]]; then
+ wipe_filesystem
+ dd if="$FILENAME" of="$DEVICE" bs=32M status=progress conv=fsync oflag=direct iflag=fullblock
+else
+ echo "Unsupported file format"
+ exit 1
+fi
diff --git a/packages/gala/default.nix b/packages/gala/default.nix
index 13bf710e3..10c2bdc25 100644
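Review bot: The root check exits with status 0 on failure: the bare `exit` after `echo "Please run as root"` reports success to whatever invoked the script, so it should be `exit 1`; the same bare `exit` appears in the root check and the `IMG_PATH` check of packages/installer/ghaf-installer.sh in this commit. The device check uses `-e`, so a regular file or directory passed with `-d` passes the "No such block device" test and only fails later inside `wipe_filesystem`; `if [ ! -b "$DEVICE" ]; then` matches the message. Since the script overwrites `$DEVICE` with no confirmation prompt, `print_usage` should say so, and its text currently reads `"Usage: $0 -d -i "` with no argument placeholders, which looks like lost `<device>`/`<image>` markers but may be an artifact of how this page was rendered.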
--- a/packages/gala/default.nix +++ b/packages/gala/default.nix @@ -40,7 +40,8 @@ mesa, unzip, wayland, -}: let +}: +let dynamic-linker = stdenv.cc.bintools.dynamicLinker; libPath = lib.makeLibraryPath [ 
@@ -82,57 +83,56 @@ wayland ]; in - stdenv.mkDerivation rec { - name = "gala"; +stdenv.mkDerivation rec { + name = "gala"; - nativeBuildInputs = [unzip]; + nativeBuildInputs = [ unzip ]; - buildInputs = [unzip]; + buildInputs = [ unzip ]; - # See meta.platforms section for supported platforms - src = - if stdenv.isAarch64 - then - fetchurl { - url = "https://vedenemo.dev/files/gala/eb56901d-410c-4c09-bbac-9e954a3f16b0-gala-electron-test-0.1.26-arm64.zip"; - sha256 = "16d8g6h22zsnw4kq8nkama5yxp5swn7fj8m197kgm58w3dai3mn7"; - } - else - fetchurl { - url = "https://vedenemo.dev/files/gala/eb56901d-410c-4c09-bbac-9e954a3f16b0-gala-electron-test-0.1.26.zip"; - sha256 = "0chn1rbdvs71mxfdwpld4v2zdg2crrqln9ckscivas48rmg6sj6f"; - }; + # See meta.platforms section for supported platforms + src = + if stdenv.isAarch64 then + fetchurl { + url = "https://vedenemo.dev/files/gala/eb56901d-410c-4c09-bbac-9e954a3f16b0-gala-electron-test-0.1.26-arm64.zip"; + sha256 = "16d8g6h22zsnw4kq8nkama5yxp5swn7fj8m197kgm58w3dai3mn7"; + } + else + fetchurl { + url = "https://vedenemo.dev/files/gala/eb56901d-410c-4c09-bbac-9e954a3f16b0-gala-electron-test-0.1.26.zip"; + sha256 = "0chn1rbdvs71mxfdwpld4v2zdg2crrqln9ckscivas48rmg6sj6f"; + }; - phases = "unpackPhase fixupPhase"; - targetPath = "$out/gala"; - intLibPath = "$out/gala/swiftshader"; + phases = "unpackPhase fixupPhase"; + targetPath = "$out/gala"; + intLibPath = "$out/gala/swiftshader"; - unpackPhase = '' - mkdir -p ${targetPath} - unzip $src -d ${targetPath} - ''; + unpackPhase = '' + mkdir -p ${targetPath} + unzip $src -d ${targetPath} + ''; - rpath = lib.concatStringsSep ":" [ - libPath - targetPath - intLibPath - ]; + rpath = lib.concatStringsSep ":" [ + libPath + targetPath + intLibPath + ]; - fixupPhase = '' - patchelf \ - --set-interpreter "${dynamic-linker}" \ - --set-rpath "${rpath}" \ - ${targetPath}/dev.scpp.saca.gala + fixupPhase = '' + patchelf \ + --set-interpreter "${dynamic-linker}" \ + --set-rpath "${rpath}" \ + 
${targetPath}/dev.scpp.saca.gala - mkdir -p $out/bin - ln -s $out/gala/dev.scpp.saca.gala $out/bin/gala - ''; + mkdir -p $out/bin + ln -s $out/gala/dev.scpp.saca.gala $out/bin/gala + ''; - meta = with lib; { - description = "Google Android look-alike"; - platforms = [ - "aarch64-linux" - "x86_64-linux" - ]; - }; - } + meta = with lib; { + description = "Google Android look-alike"; + platforms = [ + "aarch64-linux" + "x86_64-linux" + ]; + }; +} diff --git a/packages/ghaf-open/default.nix b/packages/ghaf-open/default.nix new file mode 100644 index 000000000..362d16e41 --- /dev/null +++ b/packages/ghaf-open/default.nix @@ -0,0 +1,38 @@ +# Copyright 2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +# A debug script that allows executing applications from the command line. +{ writeShellApplication, gawk, ... }: +writeShellApplication { + name = "ghaf-open"; + runtimeInputs = [ gawk ]; + text = '' + APPS=/run/current-system/sw/share/applications + + function list_apps() { + for e in "$APPS"/*.desktop; do + [[ -e "$e" ]] || continue # in case of no entries + + basename "$e" .desktop + done + } + + if [ $# -eq 0 ]; then + echo -e "Usage: ghaf-open <-l|application> [args...]\n" + echo -e "\t-l\tList available applications" + exit 1 + fi + + if [ "$1" = "-l" ]; then + list_apps + exit 0 + fi + + if [ ! -e "$APPS/$1.desktop" ]; then + echo "No launcher entry for $1" + exit 1 + fi + + eval "$(awk '/^Exec=/{sub(/^Exec=/, ""); print}' "$APPS/$1.desktop") ''${*:2}" + ''; +} diff --git a/packages/hardware-scan/default.nix b/packages/hardware-scan/default.nix new file mode 100644 index 000000000..9864c0f0b --- /dev/null +++ b/packages/hardware-scan/default.nix 
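Review bot: The `eval` on the last line of ghaf-open re-parses the caller's arguments as shell code: `''${*:2}` is substituted into the evaluated string, so an argument containing spaces, quotes or `$(...)` is split or executed instead of being passed through verbatim, and any `%u`/`%f` field codes on the `Exec=` line reach the program unmodified. If the desktop entries in this tree do not rely on quoted `Exec=` values, building the command as an array keeps the same lookup without the re-parse: `read -r -a cmd <<< "$(awk '/^Exec=/{sub(/^Exec=/, ""); gsub(/ %[a-zA-Z]/, ""); print}' "$APPS/$1.desktop")"` followed by `exec "''${cmd[@]}" "''${@:2}"`. `$1` is also interpolated into the path unchecked, so `[[ "$1" == */* ]] && { echo "Invalid application name"; exit 1; }` before the `-e` test keeps the lookup inside `$APPS`. The header comment calls this a debug script, so the point is mainly that the argument handling is surprising rather than a hardening requirement.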
@@ -0,0 +1,28 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# This is a temporary solution for hardware detection.
+#
+{
+ writeShellApplication,
+ util-linux,
+ pciutils,
+ usbutils,
+ dmidecode,
+ alejandra,
+}:
+writeShellApplication {
+ name = "hardware-scan";
+ runtimeInputs = [
+ util-linux
+ pciutils
+ usbutils
+ dmidecode
+ alejandra
+ ];
+ text = builtins.readFile ./hardware-scan.sh;
+ meta = {
+ description = "Helper script for hardware discovery and configuration file generation";
+ platforms = [ "x86_64-linux" ];
+ };
+}
diff --git a/packages/hardware-scan/hardware-scan.sh b/packages/hardware-scan/hardware-scan.sh
new file mode 100755
index 000000000..785ee9702
--- /dev/null
+++ b/packages/hardware-scan/hardware-scan.sh
@@ -0,0 +1,631 @@ +#! /usr/bin/env bash +# shellcheck shell=bash +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 + +# Notes: +# 1. This script needs to run on a nix-enabled system, with either internet access or packages installed +# 2. The script uses lspci and dmidecode to detect system information and hardware devices, using simple key words +# 3. The host this script runs on needs to be able to detect all hardware, e.g., no passthrough should be enabled +# 4. Do not attach external devices when running this script +# 5. The script generates commented-out sections for some input devices, which need to be manually selected as many of them need to stay in the host +# 6. Do NOT rely fully on the output of this script; especially for kernel modules and parameters! +# 7. Use the hardware dump generated with the '-e' option to inspect the hardware and manually adjust the configuration file +# 8. If you copied this script, include the following: +# #! /usr/bin/env nix-shell +# #! nix-shell -i bash -p pciutils dmidecode usbutils alejandra + +usage() { +cat < pci_info.txt). 
+EOF +} + +set +xo pipefail + +# Global Variables +CONFIG_FILE="" # name is auto-generated from system information (-y, -a) +system_name="" +system_sku="" +declare -A pci_devices=() +declare -A kernel_modules=() +keyboard_attr_names=() +mouse_attr_names=() +touchpad_attr_names=() +misc_devlinks=() +misc_attr_names=() +usb_devices=() +disk="" +host_blacklist="" + +# Default device groups +NET_ID_1="wlp0s5f" +NET_ID_2="eth" +GPU_ID="gpu" +SND_ID="snd" + +# Default entries +pci_devices[$NET_ID_1]="" +pci_devices[$NET_ID_2]="" +pci_devices[$GPU_ID]="" +pci_devices[$SND_ID]="" +kernel_modules[$NET_ID_1]="" +kernel_modules[$NET_ID_2]="" +kernel_modules[$GPU_ID]="" +kernel_modules[$SND_ID]="" + +# Detecting system information via dmidecode +detect_system_info() { + system_manufacturer=$(sudo dmidecode -s system-manufacturer) + system_version=$(sudo dmidecode -s system-version) + system_product_name=$(sudo dmidecode -s system-product-name) + system_sku_number=$(sudo dmidecode -s system-sku-number) + system_name="$system_manufacturer $system_version" + system_sku="$system_sku_number $system_product_name" + CONFIG_FILE="$system_name.nix" + CONFIG_FILE=${CONFIG_FILE// /-} + CONFIG_FILE=${CONFIG_FILE,,} + if $verbose; then + echo "System: $system_name" + echo "SKU: $system_sku" + fi +} + +### PCI DEVICE DETECTION ### + +add_pci_device () { + + # Parse input params + local pci_device="$1" + local device_group_name="$2" + local group_num="$3" + local devices=() + local drivers="" + local modules="" + + # Find all devices in the IOMMU group + pci_address=$(echo "$pci_device" | awk '{print $1}') + iommu_group=$(lspci -vns "$pci_address" | grep "IOMMU group" | awk -F "IOMMU group " '{print $2}') + iommu_path="/sys/kernel/iommu_groups/$iommu_group" + readarray -t iommu_devices <<< "$(find "$iommu_path" -type l | awk -F "$iommu_path/devices/" '{print $2}')" + + # Add entries for each device in the IOMMU group + for i in "${!iommu_devices[@]}"; do + + # Fetch info + 
address=${iommu_devices[$i]} + name=$(lspci -s "$address" | cut -d " " -f 2-) + vendor_id=$(lspci -mmns "$address" | awk '{print $3}') + product_id=$(lspci -mmns "$address" | awk '{print $4}') + drv=$(lspci -nnks "$address" | grep "Kernel driver in use:" | awk -F ": " '{print $2}' | tr -d '[:space:]') + mods=$(lspci -nnks "$address" | grep "Kernel modules:" | awk -F ": " '{print $2}' | tr -d '[:space:]') + + # Check if device is already passed through + if echo "${pci_devices[*]}" | grep -q "$address"; then + echo -e "\n# Error: Cannot add $pci_address to $device_group_name$group_num: already passed through." + echo "# Device $pci_address and $address are in the same IOMMU group $iommu_group:" + for j in "${!iommu_devices[@]}"; do echo -n "# "; lspci -s "${iommu_devices[$j]}"; done + echo -e "# Skipping passthrough of device $pci_address\n" + return 0 + fi + + # Create device name and entry + local n=""; if [ "${#iommu_devices[@]}" -gt 1 ]; then n="-$i"; fi + device_name="$device_group_name$group_num$n" + devices+=("$(cat << EOF +{ + # $name + name = "$device_name"; + path = "$address"; + vendorId = $vendor_id; + productId = $product_id; + # Detected kernel driver: $drv + # Detected kernel modules: $mods +} +EOF +)") + drivers="$drivers,$drv" + modules="$modules,$mods" + done + + if $verbose; then + echo -e "Device entry: \n${devices[*]}" + fi + + modules=${modules#','} + modules=$(echo "$modules" | tr ',' '\n' | sort -u | tr '\n' ',') + modules=${modules%','} + + local modules_to_load=() + IFS=',' + for elem in $modules; do + if [ -n "$elem" ]; then modules_to_load+=("\"$elem\""); fi + done + IFS= + + # Add detected devices and kernel modules to global arrays + pci_devices["$device_group_name"]="${devices[*]}" + kernel_modules["$device_group_name"]="${modules_to_load[*]}" + + # Add kernel modules to host blacklist + if [ "${modules}" != "" ]; then + host_blacklist="$host_blacklist,$modules" + fi + host_blacklist=$(echo "$host_blacklist" | tr ',' '\n' | sort -u | 
tr '\n' ',') + host_blacklist=${host_blacklist%','} + host_blacklist=${host_blacklist#','} +} + +detect_pci_devices() { + + # Check if IOMMU is enabled + if [ -z "$(ls -A /sys/kernel/iommu_groups)" ]; then + echo "# It seems that the IOMMU groups are not setup (ls /sys/kernel/iommu_groups). Please enable virtualization in the BIOS, and/or pass the respective kernel parameters." + fi + + # Parse params + if [ "$#" -eq 0 ]; then + read -r -p "Enter search pattern for PCI devices: " search_pattern + read -r -p "Enter group id PCI devices: " group_id + group_id=${group_id:-"pci"} + else + local search_pattern="$1" + local group_id="$2" + fi + + # Search for PCI devices + readarray -t pci_devs <<< "$(lspci -nn | grep -i "$search_pattern")" + + # Select PCI devices + if [ ${#pci_devs[@]} -ge 1 ] && [ -n "${pci_devs[0]}" ]; then + local n=0 + for i in "${!pci_devs[@]}"; do + read -r -p "Select '${pci_devs[$i]}' for passthrough? [Y/n] " answer + answer=${answer:-Y} + case $answer in + [Yy]* ) add_pci_device "${pci_devs[$i]}" "$group_id" "$n"; n=$((n+1)); continue;; + [Nn]* ) continue;; + * ) echo "Please answer yY or nN.";; + esac + done + else + echo "No device found searching for '$search_pattern'." + return + fi +} + +### INPUT DEVICE DETECTION ### + +# Search for input devices using /dev/input/event* +detect_input_devices() { + + local input_events=() + local keyboard_devices=() + local mouse_devices=() + local touchpad_devices=() + + while IFS= read -r line; do + input_events+=("$line") + done <<< "$(ls /dev/input/event*)" + + # Use udevadm to iterate through input_events and determine devices + for event in "${input_events[@]}"; do + device_info=$(udevadm info --query=all --name="$event") + if [[ $device_info =~ ID_INPUT_KEYBOARD=1 ]]; then + keyboard_devices+=("$event") + elif [[ $device_info =~ ID_INPUT_KEY=1 ]] || [[ $device_info =~ ID_INPUT_SWITCH=1 ]]; then + misc_devices+=("$event") + fi + if [[ $device_info =~ ID_INPUT_MOUSE=1 ]] && ! 
[[ $device_info =~ ID_INPUT_TOUCHPAD=1 ]]; then + mouse_devices+=("$event") + elif [[ $device_info =~ ID_INPUT_TOUCHPAD=1 ]]; then + touchpad_devices+=("$event") + fi + if [[ $device_info =~ ID_INPUT_TOUCHSCREEN=1 ]] || [[ $device_info =~ ID_INPUT_TABLET=1 ]]; then + touchpad_devices+=("$event") + fi + done + # Check if any keyboard device found + if [ ${#keyboard_devices[@]} -eq 0 ]; then + echo "# No keyboard device found." + fi + # Check if any mouse device found + if [ ${#mouse_devices[@]} -eq 0 ]; then + echo "# No mouse device found." + fi + + # Use udevadm to query keyboard info + tmp_names=() + for event in "${keyboard_devices[@]}"; do + keyboard_attr_name=$(udevadm info -a "$event" | grep "ATTRS{name}" | head -1 | awk -F "==" '{print $2}' | tr -d '\n') + tmp_names+=("$keyboard_attr_name") + done + # Remove duplicates + for elem in "${tmp_names[@]}"; do + if [[ ! " ${keyboard_attr_names[*]} " =~ $elem ]]; then + keyboard_attr_names+=("$elem") + fi + done + + # Use udevadm to query mouse info + tmp_names=() + for event in "${mouse_devices[@]}"; do + mouse_attr_name=$(udevadm info -a "$event" | grep "ATTRS{name}" | head -1 | awk -F "==" '{print $2}' | tr -d '\n') + tmp_names+=("$mouse_attr_name") + done + + # Remove duplicates + for elem in "${tmp_names[@]}"; do + if [[ ! " ${mouse_attr_names[*]} " =~ $elem ]]; then + mouse_attr_names+=("$elem") + fi + done + + # Use udevadm to query touchpad info + tmp_names=() + for event in "${touchpad_devices[@]}"; do + touchpad_attr_name=$(udevadm info -a "$event" | grep "ATTRS{name}" | head -1 | awk -F "==" '{print $2}' | tr -d '\n') + tmp_names+=("$touchpad_attr_name") + done + + # Remove duplicates + for elem in "${tmp_names[@]}"; do + if [[ ! 
" ${touchpad_attr_names[*]} " =~ $elem ]]; then + touchpad_attr_names+=("$elem") + fi + done + + # Create evdev entries + for i in "${!keyboard_attr_names[@]}"; do keyboard_devlinks+=("\"/dev/keyboard$i\""); done + for i in "${!mouse_attr_names[@]}"; do mouse_devlinks+=("\"/dev/mouse$i\""); done + for i in "${!touchpad_attr_names[@]}"; do touchpad_devlinks+=("\"/dev/touchpad$i\""); done + + # Use udevadm to query misc info (INPUT_KEY, INPUT_SWITCH) + tmp_devs=() + tmp_names=() + for event in "${misc_devices[@]}"; do + read -r -a devlinks <<< "$(udevadm info "$event" | grep "DEVLINKS" | awk -F "=" '{print $2}')" + misc_attr_name=$(udevadm info -a "$event" | grep "ATTRS{name}" | awk -F "==" '{print $2}' | tr -d '\n') + tmp_names+=("$misc_attr_name"); + for dev in "${devlinks[@]}"; do tmp_devs+=("$dev"); done; + done + + # Remove duplicates + for elem in "${tmp_names[@]}"; do + if [[ ! " ${misc_attr_names[*]} " =~ $elem ]]; then + misc_attr_names+=("$elem") + fi + done + for elem in "${tmp_devs[@]}"; do + if [[ ! 
" ${misc_devlinks[*]} " =~ $elem ]]; then + misc_devlinks+=("$elem") + fi + done + + if $verbose; then + echo -e "Detected keyboard device names:\n${keyboard_attr_names[*]}\n" + echo -e "Detected mouse device names:\n${mouse_attr_names[*]}\n" + echo -e "Detected touchpad device names:\n${touchpad_attr_names[*]}\n" + echo -e "Miscellaneous device names:\n${misc_attr_names[*]}\n" + echo -e "Miscellaneous device links:\n${misc_devlinks[*]}\n" + fi +} + +### USB DEVICE DETECTION ### + +# Function to create USB device entry +add_usb() { + usb_device="$1" + name="$2" + + # Get USB device info + bus=$(echo "$usb_device" | awk '{print $2}') + dev=$(echo "$usb_device" | awk '{print $4}' | tr -d ':') + hostport=$(udevadm info "/dev/bus/usb/$bus/$dev" | grep R: | awk -F "R: " '{print $2}') + hostbus=${bus//00/} + + # Write USB device entry + usb_entry=$(cat << EOF +{ + name="$name"; + hostbus="$hostbus"; + hostport="$hostport"; +} +EOF +) + usb_devices+=("$usb_entry") + if $verbose; then + echo "USB device: $usb_entry" + fi +} +# Search for USB devices using lsusb +detect_usb_devices() { + search_pattern="$1" + group_id="$2" + + # Detect USB devices + usb_devs=() + while IFS= read -r line; do + usb_devs+=("$line") + done <<< "$(lsusb | grep -i "$search_pattern")" + if [ ${#usb_devs[@]} -ge 1 ] && [ "${usb_devs[0]}" != "" ]; then + local n=0 + for i in "${!usb_devs[@]}"; do + read -r -p "Select '${usb_devs[$i]}'? 
[Y/n] " answer + answer=${answer:-Y} + case $answer in + [Yy]* ) add_usb "${usb_devs[$i]}" "$group_id$n"; n=$((n+1)); continue;; + [Nn]* ) continue;; + * ) echo "Please answer yY or nN.";; + esac + done + fi +} + +### DISK DETECTION ### + +# Detect disks +detect_disks() { + echo "" + lsblk -o NAME,TYPE,SIZE,MODEL -d + read -r -p "Enter the disk device name (default: nvme0n1): " disk_name + disk_name=${disk_name:-nvme0n1} + disk="/dev/$disk_name" + if $verbose; then + echo "disks.disk1.device = { $disk }" + fi +} + +### HW INFO & CONFIG FILE ### + +# Generate extended hardware info +ext_output() { + if [ ! -d hwinfo/ ]; then mkdir -p hwinfo/; fi + lspci -nn >> hwinfo/lspci.txt + lspci_long=$(sudo lspci -nnvvv) + echo "$lspci_long" >> hwinfo/lspci-long.txt + lsusb >> hwinfo/lsusb.txt + lsusb_v=$(sudo lsusb -v) + echo "$lsusb_v" >> hwinfo/lsusb-v.txt + lsusb -t >> hwinfo/lsusb-t.txt + dmi_info=$(sudo dmidecode) + echo "$dmi_info" >> hwinfo/dmidecode.txt + lsblk -o NAME,TYPE,SIZE,MODEL -d > hwinfo/lsblk.txt + udev_db=$(udevadm info --export-db) + echo "$udev_db" >> hwinfo/udevadm.txt + dmesg > hwinfo/dmesg.txt + if [ -f "$CONFIG_FILE" ]; then + cp "$CONFIG_FILE" hwinfo/ + fi + tar -czf hwinfo.tar.gz hwinfo/ + echo "> Extended output files written to hwinfo/ directory." +} + +# Write the hardware configuration file +write_file() { + echo "> Writing hardware configuration file..." 
+ cat << EOF > "$CONFIG_FILE" +# Copyright 2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ +# System name +name = "$system_name"; + +# List of system SKUs covered by this configuration +skus = [ + "$system_sku" +]; + +# Host configuration +host = { + kernelConfig.kernelParams = [ + "intel_iommu=on,sm_on" + "iommu=pt" + "acpi_backlight=vendor" + "acpi_osi=linux" + #"module_blacklist=$host_blacklist" + ]; +}; + +# Input devices +input = { + keyboard = { + name = [ + ${keyboard_attr_names[@]} + ]; + evdev = [ + ${keyboard_devlinks[@]} + ]; + }; + + mouse = { + name = [ + ${mouse_attr_names[@]} + ]; + evdev = [ + ${mouse_devlinks[@]} + ]; + }; + + touchpad = { + name = [ + ${touchpad_attr_names[@]} + ]; + evdev = [ + ${touchpad_devlinks[@]} + ]; + }; + + misc = { + name = [ + # ${misc_attr_names[@]} + ]; + evdev = [ + # ${misc_devlinks[@]} + ]; + }; +}; + +# Main disk device +disks = { + disk1.device = "$disk"; +}; + +# Network devices for passthrough to netvm +network = { + pciDevices = [ + ${pci_devices[$NET_ID_1]} + ${pci_devices[$NET_ID_2]} + ]; + kernelConfig = { + # Kernel modules are indicative only, please investigate with lsmod/modinfo + stage1.kernelModules = []; + stage2.kernelModules = [ + ${kernel_modules[$NET_ID_1]} + ${kernel_modules[$NET_ID_2]} + ]; + kernelParams = []; + }; +}; + +# GPU devices for passthrough to guivm +gpu = { + pciDevices = [${pci_devices[$GPU_ID]}]; + kernelConfig = { + # Kernel modules are indicative only, please investigate with lsmod/modinfo + stage1.kernelModules = [ + ${kernel_modules[$GPU_ID]} + ]; + stage2.kernelModules = []; + kernelParams = [ + "earlykms" + ]; + }; +}; + +# Audio device for passthrough to audiovm +audio = { + pciDevices = [ + ${pci_devices["$SND_ID"]} + ]; + kernelConfig = { + # Kernel modules are indicative only, please investigate with lsmod/modinfo + stage1.kernelModules = []; + stage2.kernelModules = [ + ${kernel_modules[$SND_ID]} + ]; + kernelParams = []; + }; +}; + 
+# USB devices for passthrough +usb = { + internal = [${usb_devices[@]}]; + external = [ + # Add external USB devices here + ]; +}; +} +EOF + + # Format the output file + alejandra --quiet "$CONFIG_FILE" + echo "> File written: $CONFIG_FILE" +} + +### MAIN ### +echo "> Running hardware detection tool..." + +# Default options +verbose=true +if [ $# -eq 0 ]; then + set -- "-s" "-n" "-g" "-a" "-i" "-u" "-d" + verbose=false +fi + +# Run commands +for cmd in "$@"; do + case $cmd in + -s | --sys) + echo "> Scanning system information..." + detect_system_info + continue + ;; + -n | --network) + echo "> Scanning network PCI devices..." + detect_pci_devices "network" $NET_ID_1 + detect_pci_devices "ethernet" $NET_ID_2 + continue + ;; + -g | --gpu) + echo "> Scanning GPU PCI devices..." + detect_pci_devices "vga" $GPU_ID + continue + ;; + -a | --audio) + echo "> Scanning audio PCI devices..." + detect_pci_devices "audio" $SND_ID + continue + ;; + -p | --pci) + echo "> Scanning PCI devices..." + detect_pci_devices + continue + ;; + -i | --input) + echo "> Scanning input devices..." + detect_input_devices + continue + ;; + -u | --usb) + echo "> Scanning USB devices..." + detect_usb_devices "cam" "cam" + detect_usb_devices "fingerprint\|fprint\|biometric" "fpr" + detect_usb_devices "gps\|gnss" "gps" + continue + ;; + -d | --disk) + echo "> Scanning disk devices..." + detect_disks + continue + ;; + -e | --ext) + echo "> Searching for more hardware info..." + ext_output + continue + ;; + -h | --help) + usage + exit 0 + ;; + *) + usage + exit 1 + ;; + esac +done + +if ! $verbose; then + write_file + echo "> Searching for more hardware info..." + ext_output + exit 0 +fi \ No newline at end of file diff --git a/packages/hart-software-services/0001-Workaround-for-a-compilation-issue.patch b/packages/hart-software-services/0001-Workaround-for-a-compilation-issue.patch new file mode 100644 index 000000000..6ae109f5c --- /dev/null 
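Review bot: `IFS=` in add_pci_device sets IFS to the empty string for the rest of the script instead of restoring it: with the default option order (`-n` runs before `-i`), `read -r -a devlinks` in detect_input_devices no longer splits the DEVLINKS line, and every later `${arr[*]}` join — including the `pci_devices[...]="${devices[*]}"` assignment a few lines below in the same function — happens with no separator. Splitting the comma list without touching the global IFS works in place: `IFS=',' read -r -a elems <<< "$modules"` and then `for elem in "${elems[@]}"; do`. In add_usb, `hostbus=${bus//00/}` strips any `00` substring, so bus `100` would become `1` while `010` is left as is; `hostbus=$((10#$bus))` gives the intended decimal number. `set +xo pipefail` near the top turns pipefail off (it is `+o pipefail`), which under writeShellApplication's errexit is presumably deliberate so that a non-matching `grep` inside a pipeline does not abort the script, and a one-line comment saying so would stop a reader "fixing" it to `-o`. ext_output's hwinfo.tar.gz bundles full `dmidecode` and `udevadm info --export-db` output, which carries serial numbers and UUIDs, so the usage text should mention that before users attach the archive to a bug report.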
+++ b/packages/hart-software-services/0001-Workaround-for-a-compilation-issue.patch @@ -0,0 +1,16 @@ +diff --git a/application/rules.mk b/application/rules.mk +index ff3905e..f663089 100644 +--- a/application/rules.mk ++++ b/application/rules.mk +@@ -113,7 +113,7 @@ ifdef CONFIG_CC_STACKPROTECTOR_STRONG + # CORE_CFLAGS+=-fstack-clash-protection # currently does nothing on RISC-V + else + $(info INFO: NOTICE: enabling -flto (which means stack protection is disabled)) +- OPT-y+=-flto=auto -ffat-lto-objects -fcompare-debug -fno-stack-protector ++ OPT-y+=-flto=auto -ffat-lto-objects -fno-stack-protector + endif + + ############################################################################## +-- +2.42.0 + diff --git a/packages/hart-software-services/default.nix b/packages/hart-software-services/default.nix index 785ebf322..9967fef93 100644 --- a/packages/hart-software-services/default.nix +++ b/packages/hart-software-services/default.nix 
@@ -5,50 +5,50 @@ lib, python3, stdenv, -}: let +}: +let version = "v2022.09"; in - stdenv.mkDerivation ( - { - pname = "hart-software-services"; - inherit version; - - src = fetchFromGitHub { - owner = "polarfire-soc"; - repo = "hart-software-services"; - rev = version; - sha256 = "sha256-j/nda7//CjJW09zt/YrBy6h+q+VKE5t/ueXxDzwVWQ0="; - }; - - depsBuildBuild = [ - python3 - ]; - - configurePhase = '' - runHook preConfigure - - cp boards/mpfs-icicle-kit-es/def_config .config - - runHook postConfigure - ''; - - makeFlags = [ - "V=1" - "BOARD=mpfs-icicle-kit-es" - "PLATFORM_RISCV_ABI=lp64d" - "PLATFORM_RISCV_ISA=rv64imadc_zicsr_zifencei" - ]; - - installPhase = '' - runHook preInstall - - mkdir -p $out - cp Default/*.elf Default/*.bin $out/ - - runHook postInstall - ''; - } - // lib.optionalAttrs (stdenv.buildPlatform.system != stdenv.hostPlatform.system) { - CROSS_COMPILE = stdenv.cc.targetPrefix; - } - ) +stdenv.mkDerivation ( + { + pname = "hart-software-services"; + inherit version; + + src = fetchFromGitHub { + owner = "polarfire-soc"; + repo = "hart-software-services"; + rev = version; + sha256 = "sha256-j/nda7//CjJW09zt/YrBy6h+q+VKE5t/ueXxDzwVWQ0="; + }; + + patches = [ ./0001-Workaround-for-a-compilation-issue.patch ]; + depsBuildBuild = [ python3 ]; + + configurePhase = '' + runHook preConfigure + + cp boards/mpfs-icicle-kit-es/def_config .config + + runHook postConfigure + ''; + + makeFlags = [ + "V=1" + "BOARD=mpfs-icicle-kit-es" + "PLATFORM_RISCV_ABI=lp64d" + "PLATFORM_RISCV_ISA=rv64imadc_zicsr_zifencei" + ]; + + installPhase = '' + runHook preInstall + + mkdir -p $out + cp Default/*.elf Default/*.bin $out/ + + runHook postInstall + ''; + } + // lib.optionalAttrs (stdenv.buildPlatform.system != stdenv.hostPlatform.system) { + CROSS_COMPILE = stdenv.cc.targetPrefix; + } +) diff --git a/packages/icon-pack/default.nix b/packages/icon-pack/default.nix new file mode 100644 index 000000000..d9f9d419b --- /dev/null +++ b/packages/icon-pack/default.nix 
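Review bot: The new `patches = [ ./0001-Workaround-for-a-compilation-issue.patch ];` line carries no explanation of what fails without it; the patch itself only drops `-fcompare-debug` from the LTO flag set and leaves `-fno-stack-protector` in place. A comment such as `# Drops -fcompare-debug from the LTO flags: <TOOLCHAIN> rejects it together with -flto, see the patch` with the actual toolchain and version filled in would let a future version bump decide when the workaround can be removed. The rest of this hunk is a formatting-only change.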
@@ -0,0 +1,49 @@ +# Copyright 2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +# This package contains only the assets that we need from papirus-icon-theme, +# so we don't include the entire theme in the distribution. +{ + lib, + runCommand, + papirus-icon-theme, +}: +let + icons = [ + "chromium.svg" + "distributor-logo-android.svg" + "distributor-logo-windows.svg" + "document-viewer.svg" + "element-desktop.svg" + "firefox.svg" + "microsoft-365.svg" + "ms-outlook.svg" + "preferences-system-network.svg" + "slack.svg" + "system-lock-screen.svg" + "system-log-out.svg" + "system-reboot.svg" + "system-shutdown.svg" + "system-suspend-hibernate.svg" + "system-suspend.svg" + "teams-for-linux.svg" + "thorium-browser.svg" + "utilities-terminal.svg" + "yast-vpn.svg" + ]; +in +runCommand "icon-pack" + { + # Preserve Papirus license + meta.license = papirus-icon-theme.meta.license; + } + '' + mkdir -p $out + # All SVGs are located inside 64x64, all other sizes are symlinks. + + ${lib.concatStringsSep "\n" ( + map (icon: '' + cp ${papirus-icon-theme}/share/icons/Papirus/64x64/apps/${icon} $out/ + '') icons + )} + '' diff --git a/packages/installer/default.nix b/packages/installer/default.nix index 554dd014e..18fe555d6 100644 --- a/packages/installer/default.nix +++ b/packages/installer/default.nix @@ -1,23 +1,19 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 { - bash, - imagePath, - substituteAll, + coreutils, + util-linux, + hwinfo, + writeShellApplication, + zstd, }: -substituteAll { - dir = "bin"; - isExecutable = true; - - pname = "ghaf-installer"; - src = ./ghaf-installer.sh; - inherit imagePath; - - buildInputs = [ - bash +writeShellApplication { + name = "ghaf-installer"; + runtimeInputs = [ + coreutils + util-linux + zstd + hwinfo ]; - - postInstall = '' - patchShebangs $out/bin/ghaf-installer.sh - ''; + text = builtins.readFile ./ghaf-installer.sh; } 
diff --git a/packages/installer/ghaf-installer.sh b/packages/installer/ghaf-installer.sh index b4632c27a..4b5f693c0 100755 --- a/packages/installer/ghaf-installer.sh +++ b/packages/installer/ghaf-installer.sh @@ -1,7 +1,40 @@ #!/usr/bin/env bash # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 + +if [ "$EUID" -ne 0 ]; then + echo "Please run as root" + exit +fi + +# Make sure $IMG_PATH env is set +if [ -z "$IMG_PATH" ]; then + echo "IMG_PATH is not set!" + exit +fi + +usage() { + echo " " + echo "Usage: $(basename "$0") [-w]" + echo " -w Wipe only" + exit 1 +} + +WIPE_ONLY=false + +while getopts "w" opt; do + case $opt in + w) + WIPE_ONLY=true + ;; + ?) + usage + ;; + esac +done + clear + cat <<"EOF" ,----.. ,---, / / \ ,--.' | .--., 
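Review bot: The `IMG_PATH` check in this hunk cannot print its message when the variable is genuinely unset: writeShellApplication (packages/installer/default.nix in this commit) runs the script with `set -o nounset` by default, so `[ -z "$IMG_PATH" ]` aborts with bash's unbound-variable error before the `echo`; `if [ -z "${IMG_PATH:-}" ]; then` keeps the friendly message. Extending the same check to `[ ! -f "$IMG_PATH" ]` would catch a mistyped image path before the disk is wiped in the second hunk, where the path is first used. The `usage` function's `?)` pattern in the getopts `case` is fine, but `getopts` only reaches it for unknown options, so `-h` also lands there, which is presumably intended.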
@@ -20,15 +53,66 @@ EOF echo "Welcome to Ghaf installer!" -echo "To install image choose path to the device on which image will be installed." +echo "To install image or wipe installed image choose path to the device." + +hwinfo --disk --short + +while true; do + read -r -p "Device name [e.g. /dev/nvme0n1]: " DEVICE_NAME + + if [ ! -d "/sys/block/$(basename "$DEVICE_NAME")" ]; then + echo "Device not found!" + continue + fi + + # Check if removable + if [ "$(cat "/sys/block/$(basename "$DEVICE_NAME")/removable")" != "0" ]; then + read -r -p "Device provided is removable, do you want to continue? [y/N] " response + case "$response" in + [yY][eE][sS] | [yY]) + break + ;; + *) + continue + ;; + esac + fi + + break +done + +echo "Installing/Deleting Ghaf on $DEVICE_NAME" +read -r -p 'Do you want to continue? [y/N] ' response + +case "$response" in +[yY][eE][sS] | [yY]) ;; +*) + echo "Exiting..." + exit + ;; +esac -lsblk -read -r -p "Device name [e.g. /dev/nvme0n1]: " DEVICE_NAME +echo "Wiping device..." +# Wipe any possible ZFS leftovers from previous installations +# Set sector size to 512 bytes +SECTOR=512 +# 10 MiB in 512-byte sectors +MIB_TO_SECTORS=20480 +# Disk size in 512-byte sectors +SECTORS=$(blockdev --getsz "$DEVICE_NAME") +# Wipe first 10MiB of disk +dd if=/dev/zero of="$DEVICE_NAME" bs="$SECTOR" count="$MIB_TO_SECTORS" conv=fsync status=none +# Wipe last 10MiB of disk +dd if=/dev/zero of="$DEVICE_NAME" bs="$SECTOR" count="$MIB_TO_SECTORS" seek="$((SECTORS - MIB_TO_SECTORS))" conv=fsync status=none +echo "Wipe done." -read -r -p 'WARNING: Next command will destroy all previous data from your device, press Enter to proceed. ' +if [ "$WIPE_ONLY" = true ]; then + echo "Wipe only option selected. Exiting..." + echo "Please remove the installation media and reboot" + exit +fi echo "Installing..." -dd if=@imagePath@ of="${DEVICE_NAME}" bs=32M status=progress +zstdcat "$IMG_PATH" | dd of="$DEVICE_NAME" bs=32M status=progress -echo "" echo "Installation done. 
Please remove the installation media and reboot" diff --git a/packages/kernel-hardening-checker/default.nix b/packages/kernel-hardening-checker/default.nix index dedd96cff..c47fb0ba1 100644 --- a/packages/kernel-hardening-checker/default.nix +++ b/packages/kernel-hardening-checker/default.nix @@ -1,9 +1,6 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ - python3Packages, - fetchFromGitHub, -}: +{ python3Packages, fetchFromGitHub }: python3Packages.buildPythonApplication rec { pname = "kernel-hardening-checker"; version = "0.6.1-git${src.rev}"; diff --git a/packages/kernel/default.nix b/packages/kernel/default.nix index 81ce5cd1f..d958ad330 100644 --- a/packages/kernel/default.nix +++ b/packages/kernel/default.nix 
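Review bot: Both dd wipes run before `$IMG_PATH` has been opened, so if `zstdcat "$IMG_PATH"` later fails (missing file, wrong format, truncated download) the partition table is already gone and the script stops under pipefail with nothing installed; validate the image before "Wiping device..." with `zstd -t "$IMG_PATH" || { echo "Cannot read image $IMG_PATH" >&2; exit 1; }`, skipped when WIPE_ONLY is set. `seek="$((SECTORS - MIB_TO_SECTORS))"` goes negative on a device smaller than 10 MiB and a failed `blockdev --getsz` leaves SECTORS empty, both surfacing only as a confusing dd error; a guard such as `[ -n "$SECTORS" ] && [ "$SECTORS" -gt "$MIB_TO_SECTORS" ] || exit 1` before the second dd makes the failure explicit. The `exit` in the "Exiting..." branch is the user cancelling and is fine at status 0, but the two defects above both end in a half-wiped disk rather than a clean refusal.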
@@ -6,78 +6,92 @@ config, pkgs, lib, -}: { - kernelPatches ? [], +}: +{ + kernelPatches ? [ ], config_baseline, host_build ? false, -}: let +}: +let kernel_package = pkgs.linux_latest; version = "${kernel_package.version}-ghaf-hardened"; modDirVersion = version; - base_kernel = - pkgs.linuxManualConfig rec - { - inherit (kernel_package) src; - inherit version modDirVersion kernelPatches; - /* + base_kernel = pkgs.linuxManualConfig rec { + inherit (kernel_package) src; + inherit version modDirVersion kernelPatches; + /* NixOS required (asserted) kernel features to comply with no import from derivation. For the actual kernel build these config options must come via the kernel config_baseline argument - */ - config = { - CONFIG_DEVTMPFS = "y"; - CONFIG_CGROUPS = "y"; - CONFIG_INOTIFY_USER = "y"; - CONFIG_SIGNALFD = "y"; - CONFIG_TIMERFD = "y"; - CONFIG_EPOLL = "y"; - CONFIG_NET = "y"; - CONFIG_SYSFS = "y"; - CONFIG_PROC_FS = "y"; - CONFIG_FHANDLE = "y"; - CONFIG_CRYPTO_USER_API_HASH = "y"; - CONFIG_CRYPTO_HMAC = "y"; - CONFIG_CRYPTO_SHA256 = "y"; - CONFIG_DMIID = "y"; - CONFIG_AUTOFS_FS = "y"; - CONFIG_TMPFS_POSIX_ACL = "y"; - CONFIG_TMPFS_XATTR = "y"; - CONFIG_SECCOMP = "y"; - CONFIG_TMPFS = "y"; - CONFIG_BLK_DEV_INITRD = "y"; - CONFIG_EFI_STUB = "y"; - CONFIG_MODULES = "y"; - CONFIG_BINFMT_ELF = "y"; - CONFIG_UNIX = "y"; - }; - configfile = config_baseline; + */ + config = { + CONFIG_DEVTMPFS = "y"; + CONFIG_CGROUPS = "y"; + CONFIG_INOTIFY_USER = "y"; + CONFIG_SIGNALFD = "y"; + CONFIG_TIMERFD = "y"; + CONFIG_EPOLL = "y"; + CONFIG_NET = "y"; + CONFIG_SYSFS = "y"; + CONFIG_PROC_FS = "y"; + CONFIG_FHANDLE = "y"; + CONFIG_CRYPTO_USER_API_HASH = "y"; + CONFIG_CRYPTO_HMAC = "y"; + CONFIG_CRYPTO_SHA256 = "y"; + CONFIG_DMIID = "y"; + CONFIG_AUTOFS_FS = "y"; + CONFIG_TMPFS_POSIX_ACL = "y"; + CONFIG_TMPFS_XATTR = "y"; + CONFIG_SECCOMP = "y"; + CONFIG_TMPFS = "y"; + CONFIG_BLK_DEV_INITRD = "y"; + CONFIG_EFI_STUB = "y"; + CONFIG_MODULES = "y"; + CONFIG_BINFMT_ELF = "y"; + 
CONFIG_UNIX = "y"; }; + configfile = config_baseline; + }; - generic_host_configs = ../../modules/common/hardware/x86_64-generic/kernel/host/configs; - generic_guest_configs = ../../modules/common/hardware/x86_64-generic/kernel/guest/configs; + generic_host_configs = ../../modules/hardware/x86_64-generic/kernel/host/configs; + generic_guest_configs = ../../modules/hardware/x86_64-generic/kernel/guest/configs; # TODO: refactor - do we yet have any X1 specific host kernel configuration options? # - we could add a configuration fragment for host debug via usb-ethernet-adapter(s) kernel_features = - lib.optionals config.ghaf.host.kernel.hardening.virtualization.enable ["${generic_host_configs}/virtualization.config"] - ++ lib.optionals config.ghaf.host.kernel.hardening.networking.enable ["${generic_host_configs}/networking.config"] - ++ lib.optionals config.ghaf.host.kernel.hardening.usb.enable ["${generic_host_configs}/usb.config"] - ++ lib.optionals config.ghaf.host.kernel.hardening.inputdevices.enable ["${generic_host_configs}/user-input-devices.config"] - ++ lib.optionals config.ghaf.host.kernel.hardening.debug.enable ["${generic_host_configs}/debug.config"] - ++ lib.optionals (config.ghaf.guest.kernel.hardening.enable && !host_build) ["${generic_guest_configs}/guest.config"] - ++ lib.optionals (config.ghaf.guest.kernel.hardening.graphics.enable && !host_build) ["${generic_guest_configs}/display-gpu.config"]; + lib.optionals config.ghaf.host.kernel.hardening.virtualization.enable [ + "${generic_host_configs}/virtualization.config" + ] + ++ lib.optionals config.ghaf.host.kernel.hardening.networking.enable [ + "${generic_host_configs}/networking.config" + ] + ++ lib.optionals config.ghaf.host.kernel.hardening.usb.enable [ + "${generic_host_configs}/usb.config" + ] + ++ lib.optionals config.ghaf.host.kernel.hardening.inputdevices.enable [ + "${generic_host_configs}/user-input-devices.config" + ] + ++ lib.optionals config.ghaf.host.kernel.hardening.debug.enable [ + 
"${generic_host_configs}/debug.config" + ] + ++ lib.optionals (config.ghaf.guest.kernel.hardening.enable && !host_build) [ + "${generic_guest_configs}/guest.config" + ] + ++ lib.optionals (config.ghaf.guest.kernel.hardening.graphics.enable && !host_build) [ + "${generic_guest_configs}/display-gpu.config" + ]; kernel = - if lib.length kernel_features > 0 - then + if lib.length kernel_features > 0 then base_kernel.overrideAttrs (_old: { inherit kernel_features; postConfigure = '' ./scripts/kconfig/merge_config.sh -O $buildRoot $buildRoot/.config $kernel_features; ''; }) - else base_kernel; + else + base_kernel; in - kernel +kernel diff --git a/packages/make-checks/default.nix b/packages/make-checks/default.nix new file mode 100644 index 000000000..6146b10f6 --- /dev/null +++ b/packages/make-checks/default.nix 
@@ -0,0 +1,69 @@ +# Copyright 2020 Jonas Chevalier +# Copyright 2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +# Shamelessly derived from https://github.com/numtide/nixpkgs-unfree/blob/main/ci.sh +# +# Check that all of the projects can be evaluated. +# This does not build any packages or run any tests, just evaluates the flake packages. +{ + writeShellApplication, + nix-eval-jobs, + jq, + ... +}: +writeShellApplication { + name = "make-checks"; + runtimeInputs = [ + nix-eval-jobs + jq + ]; + text = '' + args=( + "$@" + --accept-flake-config + --gc-roots-dir gcroot + #--max-memory-size "3072" #allow users to set this themselves in extra params if needed + --option allow-import-from-derivation false + --force-recurse + --flake .#checks + ) + + if [[ -n "''${GITHUB_STEP_SUMMARY-}" ]]; then + log() { + #Print to the Summary + echo "$*" >> "$GITHUB_STEP_SUMMARY" + #Print to the inline log + echo "$*" + } + else + log() { + echo "$*" + } + fi + + echo "starting..." + echo "Grab some Coffee, this will take a while..." + + retError=0 + + for job in $(nix-eval-jobs "''${args[@]}" 2>/dev/null | jq -r '. | @base64'); do + job=$(echo "$job" | base64 -d) + attr=$(echo "$job" | jq -r .attr) + error=$(echo "$job" | jq -r .error) + if [[ $error != null ]]; then + log "### ❌ $attr" + log + log "
Eval error:
"
+        log "$error"
+        log "
" + retError=1 + else + log "### ✅ $attr" + fi + done + + #TODO: should we remove gcroot? + exit "$retError" + ''; +} diff --git a/packages/mitmweb-ui/default.nix b/packages/mitmweb-ui/default.nix new file mode 100644 index 000000000..66c902303 --- /dev/null +++ b/packages/mitmweb-ui/default.nix @@ -0,0 +1,51 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + stdenvNoCC, + pkgs, + lib, + ... +}: +let + waypipePort = 1100; # TODO: remove hardcoded port number + idsvmIP = "ids-vm"; + mitmwebUI = pkgs.writeShellScript "mitmweb-ui" '' + # Create ssh-tunnel between chromium-vm and ids-vm + ${pkgs.openssh}/bin/ssh -i /run/waypipe-ssh/id_ed25519 \ + -o StrictHostKeyChecking=no \ + -t ghaf@chromium-vm \ + ${pkgs.openssh}/bin/ssh -M -S /tmp/control_socket \ + -f -N -L 8081:localhost:8081 ghaf@${idsvmIP} + # TODO: check pipe creation failures + + # Launch chromium application and open mitmweb page + ${pkgs.openssh}/bin/ssh -i /run/waypipe-ssh/id_ed25519 -o StrictHostKeyChecking=no chromium-vm \ + ${pkgs.waypipe}/bin/waypipe --border=#ff5733,5 --vsock -s ${toString waypipePort} server \ + chromium --enable-features=UseOzonePlatform --ozone-platform=wayland \ + http://localhost:8081 + + # Use the control socket to close the ssh tunnel between chromium-vm and ids-vm + ${pkgs.openssh}/bin/ssh -i /run/waypipe-ssh/id_ed25519 \ + -o StrictHostKeyChecking=no \ + -t ghaf@chromium-vm \ + ${pkgs.openssh}/bin/ssh -q -S /tmp/control_socket -O exit ghaf@${idsvmIP} + ''; +in +stdenvNoCC.mkDerivation { + name = "mitmweb-ui"; + + phases = [ "installPhase" ]; + + installPhase = '' + mkdir -p $out/bin + cp ${mitmwebUI} $out/bin/mitmweb-ui + ''; + + meta = with lib; { + description = "Script to launch Chromium to open mitmweb interface using ssh-tunneling and authentication."; + platforms = [ + "x86_64-linux" + "aarch64-linux" + ]; + }; +} 
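Review bot: The `for job in $(nix-eval-jobs ... 2>/dev/null | jq ...)` loop cannot tell "no checks" from "nix-eval-jobs crashed": a command substitution in a for word list does not trip errexit, stderr is discarded, and an evaluator failure leaves `retError=0`, so the CI check passes vacuously. Capture the output first, `jobs=$(nix-eval-jobs "''${args[@]}" | jq -r '. | @base64')`, so that errexit and pipefail from writeShellApplication abort on a non-zero status, then iterate over `$jobs`; consider keeping stderr, or redirecting it to a file that `log` dumps when the run fails. The `--gc-roots-dir gcroot` path is relative to the caller's working directory and the closing `#TODO` about removing it is the only mention of this; a short comment on what the directory is for would help.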
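Review bot: The tunnel setup is never checked before Chromium is launched, as the `# TODO: check pipe creation failures` line admits: if the inner `ssh -M -S /tmp/control_socket -f -N -L 8081:localhost:8081 ghaf@${idsvmIP}` fails, the second block still opens http://localhost:8081 in the VM and the final `-O exit` then complains about a missing socket. Add `-o ExitOnForwardFailure=yes` to the inner ssh, as the nm-launcher script in this same commit does, and stop on its status with `|| exit 1` before the waypipe step. The fixed `/tmp/control_socket` path on chromium-vm also collides with a second concurrent launch; a per-invocation socket path (for example under `mktemp -d`) avoids that. Every hop uses `StrictHostKeyChecking=no` with no pinned known_hosts, so VM host keys are accepted on first contact; a comment stating what that relies on (network isolation between VMs, presumably) would document the trust assumption.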
diff --git a/packages/nm-launcher/default.nix b/packages/nm-launcher/default.nix index d624dd2c1..f41f570f4 100644 --- a/packages/nm-launcher/default.nix +++ b/packages/nm-launcher/default.nix @@ -1,7 +1,6 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 { - lib, # NOTE: By default networkmanagerapplet and openssh are taken from the same # callPackage set! This means they will be both taken from the same # /nix/store, so it is recommended to override the networkmanagerapplet @@ -9,6 +8,7 @@ networkmanagerapplet, openssh, writeShellApplication, + lib, ... }: writeShellApplication { @@ -18,22 +18,21 @@ writeShellApplication { export DBUS_SESSION_BUS_ADDRESS=unix:path=/tmp/ssh_session_dbus.sock export DBUS_SYSTEM_BUS_ADDRESS=unix:path=/tmp/ssh_system_dbus.sock ${openssh}/bin/ssh -M -S /tmp/control_socket \ - -f -N -q ghaf@192.168.100.1 \ + -f -N -q ghaf@net-vm \ -i /run/waypipe-ssh/id_ed25519 \ -o StrictHostKeyChecking=no \ + -o UserKnownHostsFile=/dev/null \ -o StreamLocalBindUnlink=yes \ -o ExitOnForwardFailure=yes \ -L /tmp/ssh_session_dbus.sock:/run/user/1000/bus \ -L /tmp/ssh_system_dbus.sock:/run/dbus/system_bus_socket ${networkmanagerapplet}/bin/nm-connection-editor # Use the control socket to close the ssh tunnel. - ${openssh}/bin/ssh -q -S /tmp/control_socket -O exit ghaf@192.168.100.1 + ${openssh}/bin/ssh -q -S /tmp/control_socket -O exit ghaf@net-vm ''; - meta = with lib; { + meta = { description = "Script to launch nm-connection-editor to configure network of netvm using D-Bus over SSH."; - platforms = [ - "x86_64-linux" - ]; + platforms = lib.platforms.linux; }; } diff --git a/targets/lenovo-x1/openPdf.nix b/packages/openPdf/default.nix similarity index 63% rename from targets/lenovo-x1/openPdf.nix rename to packages/openPdf/default.nix index 18d1a4bf5..37b123bc1 100644 --- a/targets/lenovo-x1/openPdf.nix +++ b/packages/openPdf/default.nix 
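Review bot: Adding `-o UserKnownHostsFile=/dev/null` next to the existing `-o StrictHostKeyChecking=no` turns host-key verification for net-vm off entirely: every connection now looks like a first contact, so a changed host key is accepted silently, and OpenSSH's mismatch handling that would otherwise disable port forwarding never applies. Together with the switch from `192.168.100.1` to the name `net-vm`, the authenticity of the D-Bus tunnel endpoint now rests solely on name resolution and network isolation between VMs. If the file was added because net-vm's host key changes per boot, say so in a comment above the ssh line; otherwise pin the key with a generated known_hosts file, `-o UserKnownHostsFile=<known-hosts-path> -o StrictHostKeyChecking=yes`. The same option pair is added in the wifi-signal-strength hunk later in this diff.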
@@ -2,34 +2,39 @@ # SPDX-License-Identifier: Apache-2.0 # { - pkgs, + writeShellApplication, + dnsutils, + openssh, sshKeyPath, ... }: # The openpdf script is executed by the xdg handler from the chromium-vm # It reads the file path, copies it from chromium-vm to zathura-vm and opens it there -pkgs.writeShellApplication { +writeShellApplication { name = "openPdf"; - runtimeInputs = [pkgs.dnsutils pkgs.openssh]; + runtimeInputs = [ + dnsutils + openssh + ]; text = '' read -r sourcepath filename=$(basename "$sourcepath") zathurapath="/var/tmp/$filename" - chromiumip=$(dig +short chromium-vm.ghaf | head -1) + chromiumip=$(dig +short chromium-vm | head -1) if [[ "$chromiumip" != "$REMOTE_ADDR" ]]; then - echo "Open PDF request received from $REMOTE_ADDR, but it is only permitted for chromium-vm.ghaf with IP $chromiumip" + echo "Open PDF request received from $REMOTE_ADDR, but it is only permitted for chromium-vm with IP $chromiumip" exit 0 fi echo "Copying $sourcepath from $REMOTE_ADDR to $zathurapath in zathura-vm" - scp -i ${sshKeyPath} -o StrictHostKeyChecking=no "$REMOTE_ADDR":"$sourcepath" zathura-vm.ghaf:"$zathurapath" + scp -i ${sshKeyPath} -o StrictHostKeyChecking=no "$REMOTE_ADDR":"$sourcepath" zathura-vm:"$zathurapath" echo "Opening $zathurapath in zathura-vm" - ssh -i ${sshKeyPath} -o StrictHostKeyChecking=no zathura-vm.ghaf run-waypipe zathura "$zathurapath" + ssh -i ${sshKeyPath} -o StrictHostKeyChecking=no zathura-vm run-waypipe zathura "'$zathurapath'" echo "Deleting $zathurapath in zathura-vm" - ssh -i ${sshKeyPath} -o StrictHostKeyChecking=no zathura-vm.ghaf rm -f "$zathurapath" + ssh -i ${sshKeyPath} -o StrictHostKeyChecking=no zathura-vm rm -f "$zathurapath" ''; } diff --git a/packages/powercontrol/default.nix b/packages/powercontrol/default.nix index 189503420..664867dde 100644 --- a/packages/powercontrol/default.nix +++ b/packages/powercontrol/default.nix 
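Review bot: `run-waypipe zathura "'$zathurapath'"` quotes the path for the remote shell only against whitespace: `zathurapath` is built from the `sourcepath` that the requesting VM supplies via `read -r`, and the ssh command line is re-parsed by a shell on zathura-vm, so a basename containing a single quote ends the quoting and the remainder is interpreted there; the `rm -f "$zathurapath"` line and, with the legacy scp protocol, the scp remote path go through the same remote parsing with no quoting at all. Produce the remote argument with bash quoting instead, `ssh -i ${sshKeyPath} -o StrictHostKeyChecking=no zathura-vm run-waypipe zathura "$(printf %q "$zathurapath")"` and likewise for the `rm -f` line, or reject basenames outside a conservative character set before the scp. The `dig +short chromium-vm` comparison against `$REMOTE_ADDR` establishes who asked, not that the requested path is safe to pass on.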
@@ -5,81 +5,74 @@ openssh, stdenv, writeShellScript, -}: let +}: +let systemctl = "/run/current-system/systemd/bin/systemctl"; busName = "org.freedesktop.login1"; - makeSystemCtlPowerActionViaSsh = { - hostAddress, - sshKeyPath, - method, - }: - writeShellScript - "${method}-host" - '' ${openssh}/bin/ssh \ - -i ${sshKeyPath} \ + makeSystemCtlPowerActionViaSsh = + { + hostAddress, + privateSshKeyPath, + method, + }: + writeShellScript "${method}-host" '' + ${openssh}/bin/ssh \ + -i ${privateSshKeyPath} \ -o StrictHostKeyChecking=no \ ghaf@${hostAddress} \ ${systemctl} ${method}''; in - stdenv.mkDerivation { - name = "powercontrol"; +stdenv.mkDerivation { + name = "powercontrol"; - makePowerOffCommand = { - hostAddress, - sshKeyPath, - }: - makeSystemCtlPowerActionViaSsh { - inherit hostAddress sshKeyPath; - method = "poweroff"; - }; + makePowerOffCommand = + { hostAddress, privateSshKeyPath }: + makeSystemCtlPowerActionViaSsh { + inherit hostAddress privateSshKeyPath; + method = "poweroff"; + }; - makeRebootCommand = { - hostAddress, - sshKeyPath, - }: - makeSystemCtlPowerActionViaSsh { - inherit hostAddress sshKeyPath; - method = "reboot"; - }; + makeRebootCommand = + { hostAddress, privateSshKeyPath }: + makeSystemCtlPowerActionViaSsh { + inherit hostAddress privateSshKeyPath; + method = "reboot"; + }; - makeSuspendCommand = { - hostAddress, - sshKeyPath, - }: - makeSystemCtlPowerActionViaSsh { - inherit hostAddress sshKeyPath; - method = "suspend"; - }; + makeSuspendCommand = + { hostAddress, privateSshKeyPath }: + makeSystemCtlPowerActionViaSsh { + inherit hostAddress privateSshKeyPath; + method = "suspend"; + }; - makeHibernateCommand = { - hostAddress, - sshKeyPath, - }: - makeSystemCtlPowerActionViaSsh { - inherit hostAddress sshKeyPath; - method = "hibernate"; - }; + makeHibernateCommand = + { hostAddress, privateSshKeyPath }: + makeSystemCtlPowerActionViaSsh { + inherit hostAddress privateSshKeyPath; + method = "hibernate"; + }; - polkitExtraConfig = '' - 
polkit.addRule(function(action, subject) { - if ((subject.user == "ghaf") && - (action.id == "${busName}.power-off" || - action.id == "${busName}.power-off-multiple-sessions" || - action.id == "${busName}.reboot" || - action.id == "${busName}.reboot-multiple-sessions" || - action.id == "${busName}.suspend" || - action.id == "${busName}.suspend-multiple-sessions" || - action.id == "${busName}.hibernate" || - action.id == "${busName}.hibernate-multiple-sessions") - ) { - return polkit.Result.YES; - } - }); - ''; + polkitExtraConfig = '' + polkit.addRule(function(action, subject) { + if ((subject.user == "ghaf") && + (action.id == "${busName}.power-off" || + action.id == "${busName}.power-off-multiple-sessions" || + action.id == "${busName}.reboot" || + action.id == "${busName}.reboot-multiple-sessions" || + action.id == "${busName}.suspend" || + action.id == "${busName}.suspend-multiple-sessions" || + action.id == "${busName}.hibernate" || + action.id == "${busName}.hibernate-multiple-sessions") + ) { + return polkit.Result.YES; + } + }); + ''; - meta = { - description = "Scripts for host power control"; - platforms = lib.platforms.linux; - }; - } + meta = { + description = "Scripts for host power control"; + platforms = lib.platforms.linux; + }; +} diff --git a/packages/powercontrol/png-icons.nix b/packages/powercontrol/png-icons.nix deleted file mode 100644 index e3a7d0669..000000000 --- a/packages/powercontrol/png-icons.nix +++ /dev/null 
@@ -1,48 +0,0 @@ -# Copyright 2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -{ - adwaita-icon-theme, - librsvg, - stdenv, -}: let - shutdownIconName = "system-shutdown-symbolic"; - rebootIconName = "system-reboot-symbolic"; - - iconColor = "white"; - - changeColorCcs = "path { fill: ${iconColor} !important; }"; - changeColorCcsPath = "$out/bin/color.css"; - - getIconPath = {iconName}: "bin/${iconName}.png"; -in - stdenv.mkDerivation { - name = "powercontrol-png-icons"; - - phases = ["installPhase"]; - - relativeShutdownIconPath = getIconPath {iconName = shutdownIconName;}; - relativeRebootIconPath = getIconPath {iconName = rebootIconName;}; - - installPhase = let - adwaitaRoot = "${adwaita-icon-theme}/share/icons/Adwaita/symbolic/actions/"; - convertIconCommand = {iconName}: let - outIconPath = getIconPath {inherit iconName;}; - in "${librsvg}/bin/rsvg-convert --stylesheet=${changeColorCcsPath} ${adwaitaRoot}/${iconName}.svg -o $out/${outIconPath}"; - - shutdown = convertIconCommand {iconName = shutdownIconName;}; - reboot = convertIconCommand {iconName = rebootIconName;}; - in '' - mkdir -p $out/bin; - - echo '${changeColorCcs}' > ${changeColorCcsPath}; - - ${shutdown}; - ${reboot}; - ''; - - meta = { - description = "Icons for power control"; - inherit (adwaita-icon-theme.meta) license; - inherit (librsvg.meta) platforms; - }; - } diff --git a/packages/qemuqmp/default.nix b/packages/qemuqmp/default.nix new file mode 100644 index 000000000..0979b8b50 --- /dev/null +++ b/packages/qemuqmp/default.nix 
@@ -0,0 +1,26 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + python3Packages, + fetchPypi, + lib, +}: +python3Packages.buildPythonPackage rec { + pname = "qemu.qmp"; + version = "0.0.3"; + + src = fetchPypi { + inherit pname version; + sha256 = "sha256-y8iPvMEV7pQ9hER9FyxkLaEgIgRRQWwvYhrPM98eEBA="; + }; + + pyproject = true; + + nativeBuildInputs = [ python3Packages.setuptools-scm ]; + + meta = { + homepage = "https://www.qemu.org/"; + description = "QEMU Monitor Protocol library"; + license = lib.licenses.lgpl2Plus; + }; +} diff --git a/packages/ssh-keys-helper/default.nix b/packages/ssh-keys-helper/default.nix new file mode 100644 index 000000000..e0dabb719 --- /dev/null +++ b/packages/ssh-keys-helper/default.nix @@ -0,0 +1,16 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ pkgs, config }: +{ + getAuthKeysSource = { + source = + let + script = pkgs.writeShellScriptBin config.ghaf.security.sshKeys.getAuthKeysFileName '' + [[ "$1" != "ghaf" ]] && exit 0 + ${pkgs.coreutils}/bin/cat ${config.ghaf.security.sshKeys.waypipeSshPublicKeyFile} + ''; + in + "${script}/bin/${config.ghaf.security.sshKeys.getAuthKeysFileName}"; + mode = "0555"; + }; +} diff --git a/packages/vhotplug/default.nix b/packages/vhotplug/default.nix new file mode 100644 index 000000000..890bfaa13 --- /dev/null +++ b/packages/vhotplug/default.nix 
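Review bot: The generated script in ssh-keys-helper has no comment explaining its contract: `[[ "$1" != "ghaf" ]] && exit 0` makes it print the waypipe public key only when the first argument is `ghaf` and stay silent for any other name, which reads like an sshd AuthorizedKeysCommand taking `%u` (inferred from the attribute names, not visible here). Add a line such as `# Emit the waypipe public key for user ghaf only; any other user gets an empty key list` inside the script, and, if sshd is indeed the consumer, note next to `mode = "0555"` that a root-owned, non-writable store path is what satisfies sshd's ownership requirements for that command. In the qemuqmp hunk, `pname = "qemu.qmp"` with `fetchPypi { inherit pname ... }` works only because the PyPI project name matches; a comment saying so avoids a future "rename" breaking the fetch.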
@@ -0,0 +1,29 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + python3Packages, + pkgs, + fetchFromGitHub, +}: +let + qemuqmp = pkgs.callPackage ../qemuqmp { }; +in +python3Packages.buildPythonApplication rec { + pname = "vhotplug"; + version = "0.1"; + + propagatedBuildInputs = [ + python3Packages.pyudev + python3Packages.psutil + qemuqmp + ]; + + doCheck = false; + + src = fetchFromGitHub { + owner = "tiiuae"; + repo = "vhotplug"; + rev = "fd05361ed893d06cdb5ac4a538c171e4a86b6f5a"; + hash = "sha256-6fl5xeSpcIIBKn3dZUAEHiNRRpn9LbYC4Imap5KBH2M="; + }; +} diff --git a/packages/vsockproxy/default.nix b/packages/vsockproxy/default.nix index 287279a8c..c078456ac 100644 --- a/packages/vsockproxy/default.nix +++ b/packages/vsockproxy/default.nix @@ -2,7 +2,6 @@ # SPDX-License-Identifier: Apache-2.0 { fetchFromGitHub, - lib, meson, ninja, stdenv, @@ -10,13 +9,16 @@ stdenv.mkDerivation { name = "vsockproxy"; - depsBuildBuild = [meson ninja]; + depsBuildBuild = [ + meson + ninja + ]; src = fetchFromGitHub { owner = "tiiuae"; repo = "vsockproxy"; - rev = "aad625f9a27ce4c68d9996c65ece8477ace37534"; - sha256 = "sha256-3WgpDlF8oIdlgwkvl7TPR6WAh+qk0mowzuYiPY0rwaU="; + rev = "851e995b4c24a776f78d56310010e4e29456921c"; + sha256 = "sha256-fyawskwts4OIBshGDeh5ANeBCEm3h5AyHCyhwfxgP14="; }; installPhase = '' @@ -28,7 +30,7 @@ stdenv.mkDerivation { runHook postInstall ''; - meta = with lib; { + meta = { description = "vsockproxy"; platforms = [ "x86_64-linux" diff --git a/packages/wifi-connector/default.nix b/packages/wifi-connector/default.nix deleted file mode 100644 index f4d9f74fa..000000000 --- a/packages/wifi-connector/default.nix +++ /dev/null 
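Review bot: `doCheck = false` in the vhotplug derivation has no justification, and `version = "0.1"` is paired with a bare commit `rev` rather than a tag, so nothing ties the version string to the pinned source. Add `# tests disabled: <reason>` above `doCheck` and a comment on `rev` stating which upstream state it corresponds to, so the next bump can re-enable tests and verify the version.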
@@ -1,104 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -{ - lib, - writeShellApplication, - useNmcli ? false, - ... -}: -writeShellApplication { - name = "wifi-connector"; - - text = - '' - # Check if the script is run as root - if [ "$EUID" -ne 0 ]; then - echo "Please run this script as root or with sudo." - exit 1 - fi - - while getopts ":ds:p:" opt; do - case $opt in - d) - echo "Disconnecting..." - '' - + lib.optionalString useNmcli '' - CONNECTION=$(nmcli d | grep -w wifi | grep -w connected | awk '{print $4}') - if [ -z "$CONNECTION" ]; then - echo "No active Wi-Fi connection found"; - exit 0; - fi - nmcli con down id "$CONNECTION" - '' - + lib.optionalString (!useNmcli) '' - #Stop any running wpa_supplicant instances - pkill wpa_supplicant - '' - + '' - exit 0 - ;; - s) - SSID=$OPTARG - ;; - p) - PSK=$OPTARG - ;; - \?) - echo "Invalid option: -$OPTARG" >&2 - exit 1 - ;; - :) - echo "Option -$OPTARG does not take an argument." >&2 - exit 1 - ;; - esac - done - - if [ -z "$SSID" ] || [ -z "$PSK" ]; then - echo "Usage: $0 -s -p OR -d to disconnect" - exit 1 - fi - - '' - + lib.optionalString useNmcli '' - #Run nmcli command, get its output; - #split above result with ' as a delimiter and take the second part (devicename) - DEVICE=$(nmcli device wifi connect "$SSID" password "$PSK" | cut -d"'" -f2) - '' - + lib.optionalString (!useNmcli) '' - #Stop any running wpa_supplicant instances - pkill wpa_supplicant - - DEVICE=$(ifconfig | grep wlp | cut -d":" -f1) - - # Create a wpa_supplicant configuration file - cat > ./wpa_supplicant.conf <"$LOCK_FILE" - ${pkgs.util-linux}/bin/flock -w 60 -x 99 || exit 1 + # Lock the script to reuse + LOCK_FILE=/tmp/wifi-signal.lock + exec 99>"$LOCK_FILE" + flock -w 60 -x 99 || exit 1 - # Return the result as json format for waybar and use the control socket to close the ssh tunnel. 
- trap "${pkgs.openssh}/bin/ssh -q -S /tmp/nmcli_socket -O exit ghaf@${netvm_address} && ${pkgs.coreutils-full}/bin/cat $NETWORK_STATUS_FILE" EXIT + # Return the result as json format for waybar and use the control socket to close the ssh tunnel. + trap 'ssh -q -S /tmp/nmcli_socket -O exit ghaf@net-vm && cat "$NETWORK_STATUS_FILE"' EXIT - # Connect to netvm - ${pkgs.openssh}/bin/ssh -M -S /tmp/nmcli_socket \ - -f -N -q ghaf@${netvm_address} \ - -i /run/waypipe-ssh/id_ed25519 \ - -o StrictHostKeyChecking=no \ - -o StreamLocalBindUnlink=yes \ - -o ExitOnForwardFailure=yes \ - -L /tmp/ssh_session_dbus.sock:/run/user/1000/bus \ - -L /tmp/ssh_system_dbus.sock:/run/dbus/system_bus_socket - signal0=󰤟 - signal1=󰤢 - signal2=󰤥 - signal3=󰤨 - no_signal=󰤭 - # Get IP address of netvm - address=$(${pkgs.networkmanager}/bin/nmcli device show ${wifiDevice} | ${pkgs.gawk}/bin/awk '{ if ($1=="IP4.ADDRESS[1]:") {print $2}}') - # Get signal strength and ssid - connection=($(${pkgs.networkmanager}/bin/nmcli -f IN-USE,SIGNAL,SSID dev wifi | ${pkgs.gawk}/bin/awk '/^\*/{if (NR!=1) {print $2; print $3}}')) - connection[0]=$(if [ -z ''${connection[0]} ]; then echo "-1"; else echo ''${connection[0]}; fi) - # Set the icon of signal level - signal_level=$(if [ ''${connection[0]} -gt 80 ]; then echo $signal3; elif [ ''${connection[0]} -gt 60 ]; then echo $signal2; elif [ ''${connection[0]} -gt 30 ]; then echo $signal1; elif [ ''${connection[0]} -gt 0 ]; then echo signal0; else echo $no_signal; fi) - tooltip=$(if [ -z $address ]; then echo ''${connection[0]}%; else echo $address ''${connection[0]}%; fi) - text=$(if [ -z ''${connection[1]} ]; then echo "No connection"; else echo ''${connection[1]} $signal_level; fi) - # Save the result in json format - RESULT="{\"percentage\":\""''${connection[0]}"\", \"text\":\""$text"\", \"tooltip\":\""$tooltip"\", \"class\":\"1\"}" - echo $RESULT>/tmp/network-status - ${pkgs.util-linux}/bin/flock -u 99 - ''; -in - stdenvNoCC.mkDerivation { - name = 
"wifi-signal-strength"; - - phases = ["installPhase"]; - - installPhase = '' - mkdir -p $out/bin - cp ${wifiSignalStrength} $out/bin/wifi-signal-strength - ''; - - meta = with lib; { - description = "Script to get wifi data from nmcli to show network of netvm using D-Bus over SSH on Waybar."; - platforms = [ - "x86_64-linux" - ]; - }; - } + # Connect to netvm + ssh -M -S /tmp/nmcli_socket \ + -f -N -q ghaf@net-vm \ + -i /run/waypipe-ssh/id_ed25519 \ + -o StrictHostKeyChecking=no \ + -o UserKnownHostsFile=/dev/null \ + -o StreamLocalBindUnlink=yes \ + -o ExitOnForwardFailure=yes \ + -L /tmp/ssh_session_dbus.sock:/run/user/1000/bus \ + -L /tmp/ssh_system_dbus.sock:/run/dbus/system_bus_socket + signal0="\UF091F" + signal1="\UF0922" + signal2="\UF0925" + signal3="\UF0928" + no_signal="\UF092D" + # Get IP address of netvm + address=$(nmcli device show ${wifiDevice} | awk '{ if ($1=="IP4.ADDRESS[1]:") {print $2}}') + # Get signal strength and ssi + mapfile -t connection < <(nmcli -f IN-USE,SIGNAL,SSID dev wifi | awk '/^\*/{if (NR!=1) {print $2; print $3}}') + connection[0]=$(if [ -z "''${connection[0]}" ]; then echo "-1"; else echo "''${connection[0]}"; fi) + # Set the icon of signal level + signal_level=$(if [ "''${connection[0]}" -gt 80 ]; then echo "''${signal3}"; elif [ "''${connection[0]}" -gt 60 ]; then echo "''${signal2}"; elif [ "''${connection[0]}" -gt 30 ]; then echo "''${signal1}"; elif [ "''${connection[0]}" -gt 0 ]; then echo "''${signal0};" else echo "''${no_signal}"; fi) + tooltip=$(if [ -z "''${address}" ]; then echo "''${connection[0]}%"; else echo "''${address} ''${connection[0]}%"; fi) + text=$(if [ -z "''${connection[1]}" ]; then echo "No connection"; else echo "''${connection[1]} $signal_level"; fi) + # Save the result in json format + RESULT="{\"percentage\":\"''${connection[0]}\", \"text\":\"''${text}\", \"tooltip\":\"''${tooltip}\", \"class\":\"1\"}" + echo -e "$RESULT">/tmp/network-status + flock -u 99 + ''; +} 
diff --git a/packages/windows-launcher/default.nix b/packages/windows-launcher/default.nix index 5554ccd7c..049cc1016 100644 --- a/packages/windows-launcher/default.nix +++ b/packages/windows-launcher/default.nix 
@@ -4,167 +4,171 @@ stdenvNoCC, lib, stdenv, - qemu, + qemu_kvm, OVMF, - gnome, + yad, writeShellScript, enableSpice ? false, ... -}: let +}: +let ovmfPrefix = - if stdenv.isx86_64 - then "OVMF" - else if stdenv.isAarch64 - then "AAVMF" - else throw "Unsupported architecture"; - windowsLauncher = - writeShellScript - "windows-launcher" - ('' - IMG_FILE=$1 - ISO_FILE="" - if [ $# -eq 0 ]; then - '' - + lib.optionalString stdenv.isAarch64 '' - echo "Usage: windows-launcher ./Windows11_InsiderPreview_Client_ARM64_en-us_25324.VHDX" - '' - + lib.optionalString stdenv.isx86_64 '' - echo "Usage: windows-launcher ./Win11_22H2_English_x64v2.iso or ./win11.qcow2" - '' - + '' - exit - fi - '' - + lib.optionalString (!enableSpice) '' - if [[ -z "''${WAYLAND_DISPLAY}" ]]; then - echo "Wayland display not found" - exit - fi - '' - + '' - IMG_DIR="$(dirname "$IMG_FILE")" - OVMF_VARS="$IMG_DIR/${ovmfPrefix}_VARS.fd" - OVMF_CODE="$IMG_DIR/${ovmfPrefix}_CODE.fd" + if stdenv.isx86_64 then + "OVMF" + else if stdenv.isAarch64 then + "AAVMF" + else + throw "Unsupported architecture"; + windowsLauncher = writeShellScript "windows-launcher" ( + '' + IMG_FILE=$1 + ISO_FILE="" + if [ $# -eq 0 ]; then + '' + + lib.optionalString stdenv.isAarch64 '' + echo "Usage: windows-launcher ./Windows11_InsiderPreview_Client_ARM64_en-us_25324.VHDX" + '' + + lib.optionalString stdenv.isx86_64 '' + echo "Usage: windows-launcher ./Win11_22H2_English_x64v2.iso or ./win11.qcow2" + '' + + '' + exit + fi + '' + + lib.optionalString (!enableSpice) '' + if [[ -z "''${WAYLAND_DISPLAY}" ]]; then + echo "Wayland display not found" + exit + fi + '' + + '' + IMG_DIR="$(dirname "$IMG_FILE")" + OVMF_VARS="$IMG_DIR/${ovmfPrefix}_VARS.fd" + OVMF_CODE="$IMG_DIR/${ovmfPrefix}_CODE.fd" - if [ ! -f $OVMF_VARS ] || [ ! -f $OVMF_CODE ]; then - cp ${OVMF.fd}/FV/${ovmfPrefix}_VARS.fd $OVMF_VARS - cp ${OVMF.fd}/FV/${ovmfPrefix}_CODE.fd $OVMF_CODE - chmod 644 $OVMF_VARS + if [ ! -f $OVMF_VARS ] || [ ! 
-f $OVMF_CODE ]; then + cp ${OVMF.fd}/FV/${ovmfPrefix}_VARS.fd $OVMF_VARS + cp ${OVMF.fd}/FV/${ovmfPrefix}_CODE.fd $OVMF_CODE + chmod 644 $OVMF_VARS + fi + '' + + lib.optionalString stdenv.isx86_64 '' + if [[ $1 == *.iso || $1 == *.ISO ]]; then + ISO_FILE=$1 + IMG_FILE="$IMG_DIR/win11.qcow2" + if [ ! -f $IMG_FILE ]; then + ${qemu_kvm}/bin/qemu-img create -f qcow2 $IMG_FILE 64G fi - '' - + lib.optionalString stdenv.isx86_64 '' - if [[ $1 == *.iso || $1 == *.ISO ]]; then - ISO_FILE=$1 - IMG_FILE="$IMG_DIR/win11.qcow2" - if [ ! -f $IMG_FILE ]; then - ${qemu}/bin/qemu-img create -f qcow2 $IMG_FILE 64G - fi - fi - '' - + '' - QEMU_PARAMS=( - "-name \"Windows VM\"" - "-cpu host" - "-enable-kvm" - "-smp 6" - "-m 8G" - "-drive file=$OVMF_CODE,format=raw,if=pflash,readonly=on" - "-drive file=$OVMF_VARS,format=raw,if=pflash" - '' - + lib.optionalString (!enableSpice) '' - "-vga none" - "-device ramfb" - "-device virtio-gpu-pci" - "-nic user,model=virtio" - '' - + lib.optionalString enableSpice '' - "-vga qxl" - "-device virtio-serial-pci" - "-spice port=5900,addr=0.0.0.0,disable-ticketing=on" - "-netdev tap,id=tap-windows,ifname=tap-windows,script=no,downscript=no" - "-device e1000,netdev=tap-windows,mac=02:00:00:03:55:01" - '' - + '' - "-device qemu-xhci" - "-device usb-kbd" - "-device usb-tablet" - '' - + lib.optionalString stdenv.isAarch64 '' - "-M virt,highmem=on,gic-version=max" - "-drive file=$IMG_FILE,format=vhdx,if=none,id=boot" - "-device usb-storage,drive=boot,serial=boot,bootindex=1" - ) - '' - + lib.optionalString stdenv.isx86_64 '' - "-drive file=$IMG_FILE,format=qcow2,if=none,id=boot" - "-device nvme,drive=boot,serial=boot,bootindex=1" - ) + fi + '' + + '' + QEMU_PARAMS=( + "-name \"Windows VM\"" + "-cpu host" + "-enable-kvm" + "-smp 6" + "-m 8G" + "-drive file=$OVMF_CODE,format=raw,if=pflash,readonly=on" + "-drive file=$OVMF_VARS,format=raw,if=pflash" + '' + + lib.optionalString (!enableSpice) '' + "-vga none" + "-device ramfb" + "-device virtio-gpu-pci" + 
"-nic user,model=virtio" + '' + + lib.optionalString enableSpice '' + "-vga qxl" + "-device virtio-serial-pci" + "-spice port=5900,addr=0.0.0.0,disable-ticketing=on" + "-netdev tap,id=tap-windows,ifname=tap-windows,script=no,downscript=no" + "-device e1000,netdev=tap-windows,mac=02:00:00:03:55:01" + '' + + '' + "-device qemu-xhci" + "-device usb-kbd" + "-device usb-tablet" + '' + + lib.optionalString stdenv.isAarch64 '' + "-M virt,highmem=on,gic-version=max" + "-drive file=$IMG_FILE,format=vhdx,if=none,id=boot" + "-device usb-storage,drive=boot,serial=boot,bootindex=1" + ) + '' + + lib.optionalString stdenv.isx86_64 '' + "-drive file=$IMG_FILE,format=qcow2,if=none,id=boot" + "-device nvme,drive=boot,serial=boot,bootindex=1" + ) - if [ ! -z "$ISO_FILE" ]; then - QEMU_PARAMS+=( - "-drive file=$ISO_FILE,media=cdrom,if=none,id=installcd" - "-device usb-storage,drive=installcd,bootindex=0" - ) - fi - '' - + '' - eval "${qemu}/bin/qemu-system-${stdenv.hostPlatform.qemuArch} ''${QEMU_PARAMS[@]} ''${@:2}" - ''); - windowsLauncherUI = - writeShellScript - "windows-launcher-ui" - ('' - if [[ -z "''${WAYLAND_DISPLAY}" ]]; then - echo "Wayland display not found" - exit - fi + if [ ! -z "$ISO_FILE" ]; then + QEMU_PARAMS+=( + "-drive file=$ISO_FILE,media=cdrom,if=none,id=installcd" + "-device usb-storage,drive=installcd,bootindex=0" + ) + fi + '' + + '' + eval "${qemu_kvm}/bin/qemu-kvm ''${QEMU_PARAMS[@]} ''${@:2}" + '' + ); + windowsLauncherUI = writeShellScript "windows-launcher-ui" ( + '' + if [[ -z "''${WAYLAND_DISPLAY}" ]]; then + echo "Wayland display not found" + exit + fi - CONFIG=~/.config/windows-launcher-ui.conf - if [ -f "$CONFIG" ]; then - source $CONFIG - fi + CONFIG=~/.config/windows-launcher-ui.conf + if [ -f "$CONFIG" ]; then + source $CONFIG + fi - if [ ! 
-f "$FILE" ]; then - '' - + lib.optionalString stdenv.isAarch64 '' - FILE=`${gnome.zenity}/bin/zenity --file-selection --title="Select Windows VM image (VHDX)"` - '' - + lib.optionalString stdenv.isx86_64 '' - FILE=`${gnome.zenity}/bin/zenity --file-selection --title="Select Windows VM image (QCOW2 or ISO)"` - '' - + '' - if [ ''$? -ne 0 ]; then - exit - else - if [[ $FILE != *.iso && $FILE != *.ISO ]]; then - echo FILE="$FILE" > "$CONFIG" - fi + if [ ! -f "$FILE" ]; then + '' + + lib.optionalString stdenv.isAarch64 '' + FILE=`${yad}/bin/yad --file --title="Select Windows VM image (VHDX)"` + '' + + lib.optionalString stdenv.isx86_64 '' + FILE=`${yad}/bin/yad --file --title="Select Windows VM image (QCOW2 or ISO)"` + '' + + '' + if [ ''$? -ne 0 ]; then + exit + else + if [[ $FILE != *.iso && $FILE != *.ISO ]]; then + echo FILE="$FILE" > "$CONFIG" fi fi + fi - if ! ${windowsLauncher} $FILE; then - ${gnome.zenity}/bin/zenity --error --text="Failed to run Windows VM: $?" - fi - ''); + if ! ${windowsLauncher} $FILE; then + ${yad}/bin/yad --image=gtk-dialog-error --text="Failed to run Windows VM: $?" 
+ fi + '' + ); in - stdenvNoCC.mkDerivation { - name = "windows-launcher"; +stdenvNoCC.mkDerivation { + name = "windows-launcher"; - buildInputs = [gnome.zenity qemu OVMF]; + buildInputs = [ + yad + qemu_kvm + OVMF + ]; - phases = ["installPhase"]; + phases = [ "installPhase" ]; - installPhase = '' - mkdir -p $out/bin - cp ${windowsLauncher} $out/bin/windows-launcher - cp ${windowsLauncherUI} $out/bin/windows-launcher-ui - ''; + installPhase = '' + mkdir -p $out/bin + cp ${windowsLauncher} $out/bin/windows-launcher + cp ${windowsLauncherUI} $out/bin/windows-launcher-ui + ''; - meta = with lib; { - description = "Helper scripts for launching Windows virtual machines using QEMU"; - platforms = [ - "x86_64-linux" - "aarch64-linux" - ]; - }; - } + meta = { + description = "Helper scripts for launching Windows virtual machines using QEMU"; + platforms = [ + "x86_64-linux" + "aarch64-linux" + ]; + }; +} diff --git a/pyproject.toml b/pyproject.toml new file mode 100644 index 000000000..029f887df --- /dev/null +++ b/pyproject.toml @@ -0,0 +1,7 @@ +# Copyright 2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +[tool.ruff] +line-length = 88 +target-version = "py312" +lint.select = [ "E", "F", "I", "U", "N", "RUF", "A" ] +lint.ignore = [ "E501", "A003"] diff --git a/shell.nix b/shell.nix index 867a3e382..e5368b16b 100644 --- a/shell.nix +++ b/shell.nix @@ -5,10 +5,18 @@ # This file originates from: # https://github.com/nix-community/flake-compat # This file provides backward compatibility to nix < 2.4 clients -{system ? builtins.currentSystem}: let +{ + system ? builtins.currentSystem, +}: +let lock = builtins.fromJSON (builtins.readFile ./flake.lock); - inherit (lock.nodes.flake-compat.locked) owner repo rev narHash; + inherit (lock.nodes.flake-compat.locked) + owner + repo + rev + narHash + ; flake-compat = fetchTarball { url = "https://github.com/${owner}/${repo}/archive/${rev}.tar.gz"; 
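Review bot: The retained spice branch still binds the console to every interface with no authentication, `"-spice port=5900,addr=0.0.0.0,disable-ticketing=on"`, so with `enableSpice = true` any peer that can reach the host gets the VM display and input; unless the tap network is known to be isolated, prefer `addr=127.0.0.1` reached over a tunnel, or keep ticketing on. The launcher also still passes user-chosen paths through `eval` unquoted (`eval "${qemu_kvm}/bin/qemu-kvm ''${QEMU_PARAMS[@]} ''${@:2}"`, with `$IMG_FILE` and `$ISO_FILE` embedded in the QEMU_PARAMS strings), so an image path picked in the yad dialog that contains spaces or shell metacharacters is re-parsed by the shell; storing each option and its value as separate array words and invoking qemu-kvm directly would avoid that. Both issues predate this commit, as the removed lines show, but the rewrite is the natural moment to fix them. The function's argument set opens before this hunk.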
@@ -20,4 +28,4 @@
 src = ./.;
 };
 in
- flake.shellNix
+flake.shellNix
diff --git a/targets/flake-module.nix b/targets/flake-module.nix
index 483f2caa6..ff74abcc3 100644
--- a/targets/flake-module.nix
+++ b/targets/flake-module.nix
@@ -6,9 +6,10 @@
 {
 imports = [
 ./generic-x86_64/flake-module.nix
- ./imx8qm-mek/flake-module.nix
+ ./imx8mp-evk/flake-module.nix
 ./lenovo-x1-installer/flake-module.nix
- ./lenovo-x1/flake-module.nix
+ ./laptop/flake-module.nix
+ ./laptop-hw-scan/flake-module.nix
 ./microchip-icicle-kit/flake-module.nix
 ./nvidia-jetson-orin/flake-module.nix
 ./vm/flake-module.nix
diff --git a/targets/generic-x86_64/flake-module.nix b/targets/generic-x86_64/flake-module.nix
index 71cc549ff..e358890b1 100644
--- a/targets/generic-x86_64/flake-module.nix
+++ b/targets/generic-x86_64/flake-module.nix
@@ -7,54 +7,66 @@ lib, self, ... -}: let - inherit (inputs) microvm nixos-generators; +}: +let + inherit (inputs) nixos-generators; name = "generic-x86_64"; system = "x86_64-linux"; - generic-x86 = variant: extraModules: let - netvmExtraModules = [ - { - microvm.devices = [ - { - bus = "pci"; - path = "0000:00:14.3"; - } - ]; + generic-x86 = + variant: extraModules: + let + netvmExtraModules = [ + { + microvm.devices = [ + { + bus = "pci"; + path = "0000:00:14.3"; + } + ]; - # For WLAN firmwares - hardware.enableRedistributableFirmware = true; + # For WLAN firmwares + hardware.enableRedistributableFirmware = true; - networking.wireless = { - enable = true; + networking.wireless = { + enable = true; - # networks."SSID_OF_NETWORK".psk = "WPA_PASSWORD"; - }; - } - ]; - hostConfiguration = lib.nixosSystem { - inherit system; - modules = - [ - microvm.nixosModules.host + # networks."SSID_OF_NETWORK".psk = "WPA_PASSWORD"; + }; + services.dnsmasq.settings.dhcp-option = [ + "option:router,192.168.100.1" # set net-vm as a default gw + "option:dns-server,192.168.100.1" + ]; + } + ]; + hostConfiguration = lib.nixosSystem { + inherit system; + modules = [ nixos-generators.nixosModules.raw-efi self.nixosModules.common self.nixosModules.desktop self.nixosModules.host self.nixosModules.microvm + self.nixosModules.hw-x86_64-generic + self.nixosModules.reference-programs { ghaf = { hardware.x86_64.common.enable = true; - hardware.ax88179_178a.enable = true; - virtualization.microvm-host.enable = true; - virtualization.microvm-host.networkSupport = true; - host.networking.enable = true; - virtualization.microvm.netvm = { - enable = true; - extraModules = netvmExtraModules; + virtualization = { + microvm-host = { + enable = true; + networkSupport = true; + }; + + microvm.netvm = { + enable = true; + extraModules = netvmExtraModules; + }; }; + host.networking.enable = true; + # Enable all the default UI applications profiles = { applications.enable = true; 
@@ -63,7 +75,7 @@ # Uncomment this line to use Labwc instead of Weston: #graphics.compositor = "labwc"; }; - windows-launcher.enable = true; + reference.programs.windows-launcher.enable = true; }; #TODO: how to handle the majority of laptops that need a little @@ -80,26 +92,27 @@ "vfio-pci.ids=8086:a0f0" ]; } - ] - ++ extraModules; + ] ++ extraModules; + }; + in + { + inherit hostConfiguration; + name = "${name}-${variant}"; + package = hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr}; }; - in { - inherit hostConfiguration; - name = "${name}-${variant}"; - package = hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr}; - }; - debugModules = [{ghaf.development.usb-serial.enable = true;}]; + debugModules = [ { ghaf.development.usb-serial.enable = true; } ]; targets = [ (generic-x86 "debug" debugModules) - (generic-x86 "release" []) + (generic-x86 "release" [ ]) ]; -in { +in +{ flake = { - nixosConfigurations = - builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) targets); + nixosConfigurations = builtins.listToAttrs ( + map (t: lib.nameValuePair t.name t.hostConfiguration) targets + ); packages = { - x86_64-linux = - builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets); + x86_64-linux = builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets); }; }; } diff --git a/targets/imx8mp-evk/flake-module.nix b/targets/imx8mp-evk/flake-module.nix new file mode 100644 index 000000000..4dc8fbd2c --- /dev/null +++ b/targets/imx8mp-evk/flake-module.nix 
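Review bot: The net-vm address `192.168.100.1` is written out twice in the new dhcp-option entries (`"option:router,192.168.100.1"` and `"option:dns-server,192.168.100.1"`); binding it once in the enclosing `let`, e.g. `netvmAddress = "192.168.100.1";`, and interpolating `"option:router,${netvmAddress}"` keeps the gateway and DNS entries from drifting apart. `microvm.nixosModules.host` and `hardware.ax88179_178a.enable = true;` leave the module list while `self.nixosModules.hw-x86_64-generic` and `self.nixosModules.reference-programs` arrive; presumably the new modules now carry those settings, but nothing in the hunk shows it, so if that is the case a one-line comment such as `# microvm host and ax88179 support now come from hw-x86_64-generic` above the module list would save the next reader a search.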
@@ -0,0 +1,82 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# i.MX8M Plus Evaluation Kit
+{
+ self,
+ lib,
+ inputs,
+ ...
+}:
+let
+ inherit (inputs) nixos-hardware;
+ name = "nxp-imx8mp-evk";
+ system = "aarch64-linux";
+ nxp-imx8mp-evk =
+ variant: extraModules:
+ let
+ hostConfiguration = lib.nixosSystem {
+ inherit system;
+ specialArgs = {
+ inherit lib;
+ };
+ modules = [
+ nixos-hardware.nixosModules.nxp-imx8mp-evk
+ self.nixosModules.common
+ self.nixosModules.host
+ self.nixosModules.imx8
+ self.nixosModules.reference-personalize
+ {
+ boot = {
+ kernelParams = lib.mkForce [ "root=/dev/mmcblk0p2" ];
+ loader = {
+ grub.enable = false;
+ generic-extlinux-compatible.enable = true;
+ };
+ };
+
+ # Disable all the default UI applications
+ ghaf = {
+ profiles = {
+ release.enable = variant == "release";
+ debug.enable = variant == "debug";
+ };
+ development = {
+ debug.tools.enable = variant == "debug";
+ ssh.daemon.enable = true;
+ };
+ firewall.kernel-modules.enable = true;
+ reference.personalize.keys.enable = variant == "debug";
+ };
+ nixpkgs = {
+ buildPlatform.system = "x86_64-linux";
+ overlays = [ self.overlays.cross-compilation ];
+ };
+ hardware.deviceTree.name = lib.mkForce "freescale/imx8mp-evk.dtb";
+ disabledModules = [ "profiles/all-hardware.nix" ];
+ }
+ ] ++ extraModules;
+ };
+ in
+ {
+ inherit hostConfiguration;
+ name = "${name}-${variant}";
+ package = hostConfiguration.config.system.build.sdImage;
+ };
+ debugModules = [ ];
+ releaseModules = [ ];
+ targets = [
+ (nxp-imx8mp-evk "debug" debugModules)
+ (nxp-imx8mp-evk "release" releaseModules)
+ ];
+in
+{
+ flake = {
+ nixosConfigurations = builtins.listToAttrs (
+ map (t: lib.nameValuePair t.name t.hostConfiguration) targets
+ );
+ packages = {
+ aarch64-linux = builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets);
+ };
+ };
+}
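Review bot: `ssh.daemon.enable = true;` is set for both variants while the neighbouring development toggles in the same block (`debug.tools.enable` and `reference.personalize.keys.enable`) are gated on `variant == "debug"`, so the release SD image also boots with sshd running. If that is not intended, `ssh.daemon.enable = variant == "debug";` follows the surrounding convention; if it is intended, a comment saying why release needs the daemon will stop a later reader from "fixing" it. The comment `# Disable all the default UI applications` above the `ghaf` block does not describe what follows, which only sets profile, development, firewall and personalize flags; reword it to match or drop it.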
diff --git a/targets/imx8qm-mek/flake-module.nix b/targets/imx8qm-mek/flake-module.nix
deleted file mode 100644
index bf695400a..000000000
--- a/targets/imx8qm-mek/flake-module.nix
+++ /dev/null
@@ -1,66 +0,0 @@
-# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# i.MX8QuadMax Multisensory Enablement Kit
-{
- self,
- lib,
- inputs,
- ...
-}: let
- inherit (inputs) microvm nixos-generators nixos-hardware;
- name = "imx8qm-mek";
- system = "aarch64-linux";
- imx8qm-mek = variant: extraModules: let
- hostConfiguration = lib.nixosSystem {
- inherit system;
- modules =
- [
- microvm.nixosModules.host
- nixos-generators.nixosModules.raw-efi
- nixos-hardware.nixosModules.nxp-imx8qm-mek
- self.nixosModules.common
- self.nixosModules.desktop
- self.nixosModules.host
- self.nixosModules.microvm
-
- {
- ghaf = {
- virtualization.microvm-host.enable = true;
- host.networking.enable = true;
- # TODO: NetVM enabled, but it does not include anything specific
- # for iMX8
- virtualization.microvm.netvm.enable = true;
-
- # Enable all the default UI applications
- profiles = {
- applications.enable = true;
- #TODO clean this up when the microvm is updated to latest
- release.enable = variant == "release";
- debug.enable = variant == "debug";
- };
- };
- }
- ]
- ++ extraModules;
- };
- in {
- inherit hostConfiguration;
- name = "${name}-${variant}";
- package = hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr};
- };
- debugModules = [];
- targets = [
- (imx8qm-mek "debug" debugModules)
- (imx8qm-mek "release" [])
- ];
-in {
- flake = {
- nixosConfigurations =
- builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) targets);
- packages = {
- aarch64-linux =
- builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets);
- };
- };
-}
diff --git a/targets/laptop-hw-scan/flake-module.nix b/targets/laptop-hw-scan/flake-module.nix
new file mode 100644
index 000000000..d703207ec
--- /dev/null
+++ b/targets/laptop-hw-scan/flake-module.nix
@@ -0,0 +1,49 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# Laptop image to run hardware scan and generate config files
+{ lib, self, ... }:
+let
+ name = "laptop-hw-scan";
+ system = "x86_64-linux";
+ hw-scan =
+ let
+ hostConfiguration = lib.nixosSystem {
+ inherit system;
+ modules = [
+ (
+ { modulesPath, ... }:
+ {
+ imports = [ "${toString modulesPath}/installer/cd-dvd/installation-cd-minimal.nix" ];
+ users.users.nixos.openssh.authorizedKeys.keys =
+ (import ../../modules/reference/personalize/authorizedSshKeys.nix).authorizedSshKeys;
+ systemd.services.wpa_supplicant.wantedBy = lib.mkForce [ "multi-user.target" ];
+ systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
+ isoImage.isoBaseName = "ghaf";
+ isoImage.squashfsCompression = "zstd -Xcompression-level 3";
+ environment.systemPackages = [ self.packages.x86_64-linux.hardware-scan ];
+ boot.kernelParams = [
+ # TODO AMD support
+ "intel_iommu=on,sm_on"
+ "iommu=pt"
+ ];
+ }
+ )
+ ];
+ };
+ in
+ {
+ inherit hostConfiguration;
+ inherit name;
+ package = hostConfiguration.config.system.build.isoImage;
+ };
+ targets = [ hw-scan ];
+in
+{
+ flake = {
+ nixosConfigurations = builtins.listToAttrs (
+ map (t: lib.nameValuePair t.name t.hostConfiguration) targets
+ );
+ packages.${system} = builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets);
+ };
+}
diff --git a/targets/laptop/flake-module.nix b/targets/laptop/flake-module.nix
new file mode 100644
index 000000000..2b022cf91
--- /dev/null
+++ b/targets/laptop/flake-module.nix
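Review bot: The hardware-scan ISO installs the shared personalize keys unconditionally, `users.users.nixos.openssh.authorizedKeys.keys = (import ../../modules/reference/personalize/authorizedSshKeys.nix).authorizedSshKeys;`, and forces `sshd` and `wpa_supplicant` into `multi-user.target`, whereas the installer change in this same commit gates the very same key list on `variant == "debug"`. Anyone holding one of those keys can log in to a booted scan image over the network as the installer's `nixos` account, so either state the intent with a comment such as `# Developer/test image: shared SSH keys are baked in, do not distribute this ISO`, or give `hw-scan` a variant parameter and gate the keys the way the installer does. The `# TODO AMD support` marker next to `"intel_iommu=on,sm_on"` would be more useful if it said what the scan does on an AMD host today, assuming that is known.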
@@ -0,0 +1,101 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +# Configuration for laptop devices based on the hardware and usecase profile +{ + lib, + self, + inputs, + ... +}: +let + system = "x86_64-linux"; + + laptop-configuration = import ./laptop-configuration-builder.nix { inherit lib self inputs; }; + + targets = [ + # Laptop Debug configurations + (laptop-configuration "lenovo-x1-carbon-gen10" "debug" [ + self.nixosModules.disko-ab-partitions-v1 + { + ghaf = { + hardware.definition.configFile = "/lenovo-x1/definitions/x1-gen10.nix"; + reference.profiles.mvp-user-trial.enable = true; + }; + } + ]) + (laptop-configuration "lenovo-x1-carbon-gen11" "debug" [ + self.nixosModules.disko-ab-partitions-v1 + { + ghaf = { + hardware.definition.configFile = "/lenovo-x1/definitions/x1-gen11.nix"; + reference.profiles.mvp-user-trial.enable = true; + }; + } + ]) + (laptop-configuration "dell-latitude-7230" "debug" [ + self.nixosModules.disko-basic-partition-v1 + { + ghaf = { + hardware.definition.configFile = "/definitions/dell-latitude/dell-latitude-7230.nix"; + reference.profiles.mvp-user-trial.enable = true; + }; + } + ]) + (laptop-configuration "dell-latitude-7330" "debug" [ + self.nixosModules.disko-basic-partition-v1 + { + ghaf = { + hardware.definition.configFile = "/definitions/dell-latitude/dell-latitude-7330.nix"; + reference.profiles.mvp-user-trial.enable = true; + }; + } + ]) + + # Laptop Release configurations + (laptop-configuration "lenovo-x1-carbon-gen10" "release" [ + self.nixosModules.disko-ab-partitions-v1 + { + ghaf = { + hardware.definition.configFile = "/lenovo-x1/definitions/x1-gen10.nix"; + reference.profiles.mvp-user-trial.enable = true; + }; + } + ]) + (laptop-configuration "lenovo-x1-carbon-gen11" "release" [ + self.nixosModules.disko-ab-partitions-v1 + { + ghaf = { + hardware.definition.configFile = "/lenovo-x1/definitions/x1-gen11.nix"; + reference.profiles.mvp-user-trial.enable = 
true; + }; + } + ]) + (laptop-configuration "dell-latitude-7230" "release" [ + self.nixosModules.disko-basic-partition-v1 + { + ghaf = { + hardware.definition.configFile = "/definitions/dell-latitude/dell-latitude-7230.nix"; + reference.profiles.mvp-user-trial.enable = true; + }; + } + ]) + (laptop-configuration "dell-latitude-7330" "release" [ + self.nixosModules.disko-basic-partition-v1 + { + ghaf = { + hardware.definition.configFile = "/definitions/dell-latitude/dell-latitude-7330.nix"; + reference.profiles.mvp-user-trial.enable = true; + }; + } + ]) + ]; +in +{ + flake = { + nixosConfigurations = builtins.listToAttrs ( + map (t: lib.nameValuePair t.name t.hostConfiguration) targets + ); + packages.${system} = builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets); + }; +} diff --git a/targets/laptop/laptop-configuration-builder.nix b/targets/laptop/laptop-configuration-builder.nix new file mode 100644 index 000000000..e47f04ffb --- /dev/null +++ b/targets/laptop/laptop-configuration-builder.nix 
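Review bot: The eight `laptop-configuration` calls are the same four machine entries written out twice, once per variant, so a disko module or `hardware.definition.configFile` changed for one variant can silently diverge from the other (the `dell-latitude-7230` and `dell-latitude-7330` entries already differ only by a digit). A table of machines mapped over the variant list keeps each machine's disko module and config path in one place while the emitted module list and `reference.profiles.mvp-user-trial.enable = true;` stay exactly as they are. `laptop-configuration` comes from `./laptop-configuration-builder.nix`, so its signature is not visible in this hunk; the `machine variant extraModules` argument order below is taken from the existing call sites.

```nix
  laptops = [
    { machine = "lenovo-x1-carbon-gen10"; disko = self.nixosModules.disko-ab-partitions-v1; configFile = "/lenovo-x1/definitions/x1-gen10.nix"; }
    { machine = "lenovo-x1-carbon-gen11"; disko = self.nixosModules.disko-ab-partitions-v1; configFile = "/lenovo-x1/definitions/x1-gen11.nix"; }
    { machine = "dell-latitude-7230"; disko = self.nixosModules.disko-basic-partition-v1; configFile = "/definitions/dell-latitude/dell-latitude-7230.nix"; }
    { machine = "dell-latitude-7330"; disko = self.nixosModules.disko-basic-partition-v1; configFile = "/definitions/dell-latitude/dell-latitude-7330.nix"; }
  ];

  # Build one target for a (variant, machine) pair; module list is unchanged from the hand-written entries.
  mkTarget = variant: l:
    laptop-configuration l.machine variant [
      l.disko
      {
        ghaf = {
          hardware.definition.configFile = l.configFile;
          reference.profiles.mvp-user-trial.enable = true;
        };
      }
    ];

  # All debug targets first, then all release targets, same order as before.
  targets = lib.concatMap (variant: map (mkTarget variant) laptops) [ "debug" "release" ];
# … unchanged: flake.nixosConfigurations / packages …
```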
@@ -0,0 +1,50 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+ lib,
+ self,
+ inputs,
+ ...
+}:
+let
+ system = "x86_64-linux";
+
+ #TODO move this to a standalone function
+ #should it live in the library or just as a function file
+ mkLaptopConfiguration =
+ machineType: variant: extraModules:
+ let
+ hostConfiguration = lib.nixosSystem {
+ inherit system;
+ modules = [
+ self.nixosModules.reference-profiles
+ self.nixosModules.laptop
+ inputs.lanzaboote.nixosModules.lanzaboote
+
+ #TODO can we move microvm to the profile/laptop-x86?
+ self.nixosModules.microvm
+ #TODO see the twisted dependencies in common/desktop
+
+ (_: {
+ time.timeZone = "Asia/Dubai";
+
+ ghaf = {
+ profiles = {
+ # variant type, turn on debug or release
+ debug.enable = variant == "debug";
+ release.enable = variant == "release";
+ # Enable below option for host hardening features
+ host-hardening.enable = false;
+ };
+ };
+ })
+ ] ++ extraModules;
+ };
+ in
+ {
+ inherit hostConfiguration;
+ name = "${machineType}-${variant}";
+ package = hostConfiguration.config.system.build.diskoImages;
+ };
+in
+mkLaptopConfiguration
diff --git a/targets/lenovo-x1-installer/flake-module.nix b/targets/lenovo-x1-installer/flake-module.nix
index c618b943d..27cd39d5f 100644
--- a/targets/lenovo-x1-installer/flake-module.nix
+++ b/targets/lenovo-x1-installer/flake-module.nix
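Review bot: `host-hardening.enable = false;` is fixed for both variants in this shared builder, so every release disk image is built with host hardening off, while the two sibling lines `debug.enable`/`release.enable` are derived from `variant`. If release is meant to ship hardened, `host-hardening.enable = variant == "release";` follows the existing pattern; if it is deliberately off because the feature is not ready, the comment should say so, e.g. `# Host hardening is off for all variants until it is stable; switch to a per-variant toggle then`, rather than the current "Enable below option for host hardening features", which reads as an instruction nobody acted on. `time.timeZone = "Asia/Dubai";` is likewise baked into every laptop target from this generic builder; a one-line comment on why a site-specific zone lives here, or moving it next to the other personalize settings, would help the next reader.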
@@ -2,69 +2,82 @@ # SPDX-License-Identifier: Apache-2.0 # # Lenovo X1 Carbon Installer -{ - lib, - self, - ... -}: let +{ lib, self, ... }: +let name = "lenovo-x1-carbon"; system = "x86_64-linux"; - installer = generation: variant: let - imagePath = self.packages.x86_64-linux."${name}-${generation}-${variant}" + "/disk1.raw"; - hostConfiguration = lib.nixosSystem { - inherit system; - modules = [ - ({ - pkgs, - modulesPath, - ... - }: let - installScript = pkgs.callPackage ../../packages/installer { - inherit imagePath; - }; - in { - imports = [ - "${toString modulesPath}/installer/cd-dvd/installation-cd-minimal.nix" - ../../modules/common/hardware/ax88179_178a.nix - ]; + installer = + generation: variant: + let + imagePath = self.packages.x86_64-linux."${name}-${generation}-${variant}" + "/disk1.raw.zst"; + hostConfiguration = lib.nixosSystem { + inherit system; + modules = [ + ( + { pkgs, modulesPath, ... }: + let + installScript = pkgs.callPackage ../../packages/installer { }; + in + { + imports = [ "${toString modulesPath}/installer/cd-dvd/installation-cd-minimal.nix" ]; + + environment.sessionVariables = { + IMG_PATH = imagePath; + }; + + # SSH key to installer for test automation. + users.users.nixos.openssh.authorizedKeys.keys = lib.mkIf ( + variant == "debug" + ) (import ../../modules/reference/personalize/authorizedSshKeys.nix).authorizedSshKeys; - ghaf.hardware.ax88179_178a.enable = true; + systemd.services.wpa_supplicant.wantedBy = lib.mkForce [ "multi-user.target" ]; + systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ]; - # SSH key to installer for test automation. 
- users.users.nixos.openssh.authorizedKeys.keys = lib.mkIf (variant == "debug") (import ../../modules/common/development/authorized_ssh_keys.nix).authorizedKeys; + isoImage.isoBaseName = "ghaf"; + networking.hostName = "ghaf-installer"; - systemd.services.wpa_supplicant.wantedBy = lib.mkForce ["multi-user.target"]; - systemd.services.sshd.wantedBy = lib.mkForce ["multi-user.target"]; + environment.systemPackages = [ + installScript + self.packages.x86_64-linux.hardware-scan + ]; - isoImage.isoBaseName = "ghaf"; + services.getty = { + greetingLine = ''<<< Welcome to the Ghaf installer >>>''; + helpLine = lib.mkAfter '' - environment.systemPackages = [ - installScript - ]; + To run the installer, type + `sudo ghaf-installer` and select the installation target. + ''; + }; - # NOTE: Stop nixos complains about "warning: - # mdadm: Neither MAILADDR nor PROGRAM has been set. This will cause the `mdmon` service to crash." - # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix#L112 - boot.swraid.mdadmConf = "PROGRAM ${pkgs.coreutils}/bin/true"; - }) - ]; + isoImage.squashfsCompression = "zstd -Xcompression-level 3"; + + # NOTE: Stop nixos complains about "warning: + # mdadm: Neither MAILADDR nor PROGRAM has been set. This will cause the `mdmon` service to crash." 
+ # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix#L112 + boot.swraid.mdadmConf = "PROGRAM ${pkgs.coreutils}/bin/true"; + } + ) + ]; + }; + in + { + inherit hostConfiguration; + name = "${name}-${generation}-${variant}-installer"; + package = hostConfiguration.config.system.build.isoImage; }; - in { - inherit hostConfiguration; - name = "${name}-${generation}-${variant}-installer"; - package = hostConfiguration.config.system.build.isoImage; - }; targets = [ (installer "gen10" "debug") (installer "gen11" "debug") (installer "gen10" "release") (installer "gen11" "release") ]; -in { +in +{ flake = { - nixosConfigurations = - builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) targets); - packages.${system} = - builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets); + nixosConfigurations = builtins.listToAttrs ( + map (t: lib.nameValuePair t.name t.hostConfiguration) targets + ); + packages.${system} = builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets); }; } diff --git a/targets/lenovo-x1/appvms/chromium.nix b/targets/lenovo-x1/appvms/chromium.nix deleted file mode 100644 index 8caaf9319..000000000 --- a/targets/lenovo-x1/appvms/chromium.nix +++ /dev/null 
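Review bot: The image path now reaches the installer only through `environment.sessionVariables = { IMG_PATH = imagePath; };`, while the greeting tells the user to run `sudo ghaf-installer`; sudo's default `env_reset` drops session variables that are not in `env_keep`, so the script is likely to start without `IMG_PATH` unless the installer package (whose contents are not in this hunk) resolves the path some other way. Passing the value at build time as the old code did, `installScript = pkgs.callPackage ../../packages/installer { inherit imagePath; };`, keeps the hand-off explicit; if the environment route is preferred, `security.sudo.extraConfig = "Defaults env_keep += IMG_PATH";` in this module makes it survive sudo. A short comment next to `environment.sessionVariables` stating which of the two the installer script relies on would prevent the next refactor from breaking it silently.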
@@ -1,67 +0,0 @@
-# Copyright 2024 TII (SSRC) and the Ghaf contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-{pkgs, ...}: let
- xdgPdfPort = 1200;
-in {
- name = "chromium";
- packages = let
- # PDF XDG handler is executed when the user opens a PDF file in the browser
- # The xdgopenpdf script sends a command to the guivm with the file path over TCP connection
- xdgPdfItem = pkgs.makeDesktopItem {
- name = "ghaf-pdf";
- desktopName = "Ghaf PDF handler";
- exec = "${xdgOpenPdf}/bin/xdgopenpdf %u";
- mimeTypes = ["application/pdf"];
- };
- xdgOpenPdf = pkgs.writeShellScriptBin "xdgopenpdf" ''
- filepath=$(realpath $1)
- echo "Opening $filepath" | systemd-cat -p info
- echo $filepath | ${pkgs.netcat}/bin/nc -N gui-vm.ghaf ${toString xdgPdfPort}
- '';
- in [
- pkgs.chromium
- pkgs.pamixer
- pkgs.xdg-utils
- xdgPdfItem
- xdgOpenPdf
- ];
- # TODO create a repository of mac addresses to avoid conflicts
- macAddress = "02:00:00:03:05:01";
- ramMb = 3072;
- cores = 4;
- extraModules = [
- {
- # Enable pulseaudio for user ghaf
- sound.enable = true;
- hardware.pulseaudio.enable = true;
- users.extraUsers.ghaf.extraGroups = ["audio"];
-
- time.timeZone = "Asia/Dubai";
-
- microvm.qemu.extraArgs = [
- # Connect sound device to hosts pulseaudio socket
- "-audiodev"
- "pa,id=pa1,server=unix:/run/pulse/native"
- # Add HDA sound device to guest
- "-device"
- "intel-hda"
- "-device"
- "hda-duplex,audiodev=pa1"
- # Lenovo X1 integrated usb webcam
- "-device"
- "qemu-xhci"
- "-device"
- "usb-host,hostbus=3,hostport=8"
- ];
- microvm.devices = [];
-
- # Disable chromium built-in PDF viewer to make it execute xdg-open
- programs.chromium.enable = true;
- programs.chromium.extraOpts."AlwaysOpenPdfExternally" = true;
- # Set default PDF XDG handler
- xdg.mime.defaultApplications."application/pdf" = "ghaf-pdf.desktop";
- }
- ];
- borderColor = "#ff5733";
-}
diff --git a/targets/lenovo-x1/appvms/default.nix b/targets/lenovo-x1/appvms/default.nix
deleted file mode 100644
index d6b3ad303..000000000
--- a/targets/lenovo-x1/appvms/default.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-# Copyright 2024 TII (SSRC) and the Ghaf contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-{pkgs, ...}: let
- chromium = import ./chromium.nix {inherit pkgs;};
- gala = import ./gala.nix {inherit pkgs;};
- zathura = import ./zathura.nix {inherit pkgs;};
-in [
- chromium
- gala
- zathura
-]
diff --git a/targets/lenovo-x1/appvms/gala.nix b/targets/lenovo-x1/appvms/gala.nix
deleted file mode 100644
index 20aff4be1..000000000
--- a/targets/lenovo-x1/appvms/gala.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-# Copyright 2024 TII (SSRC) and the Ghaf contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-{pkgs, ...}: {
- name = "gala";
- packages = [pkgs.gala-app];
- macAddress = "02:00:00:03:06:01";
- ramMb = 1536;
- cores = 2;
- extraModules = [
- {
- time.timeZone = "Asia/Dubai";
- }
- ];
- borderColor = "#33ff57";
-}
diff --git a/targets/lenovo-x1/appvms/zathura.nix b/targets/lenovo-x1/appvms/zathura.nix
deleted file mode 100644
index d2ca18710..000000000
--- a/targets/lenovo-x1/appvms/zathura.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-# Copyright 2024 TII (SSRC) and the Ghaf contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-{pkgs, ...}: {
- name = "zathura";
- packages = [pkgs.zathura];
- macAddress = "02:00:00:03:07:01";
- ramMb = 512;
- cores = 1;
- extraModules = [
- {
- time.timeZone = "Asia/Dubai";
- }
- ];
- borderColor = "#337aff";
-}
diff --git a/targets/lenovo-x1/debugModules.nix b/targets/lenovo-x1/debugModules.nix
deleted file mode 100644
index 189f91cdf..000000000
--- a/targets/lenovo-x1/debugModules.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-[
- {
- ghaf.development.usb-serial.enable = true;
- ghaf.profiles.debug.enable = true;
- ghaf.host.secureboot.enable = false;
- ghaf.host.kernel.hardening.usb.enable = false;
- ghaf.host.kernel.hardening.debug.enable = false;
- }
-]
diff --git a/targets/lenovo-x1/everything.nix b/targets/lenovo-x1/everything.nix
deleted file mode 100644
index fb24b326e..000000000
--- a/targets/lenovo-x1/everything.nix
+++ /dev/null
@@ -1,158 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -# -{ - self, - lib, - microvm, - lanzaboote, - name, - system, - ... -}: let - # From here - # These can be added back to default.nix to form part of the target template - debugModules = import ./debugModules.nix; - releaseModules = import ./releaseModules.nix; - - ## To here - - lenovo-x1 = generation: variant: extraModules: let - hwDefinition = import ../../modules/common/hardware/lenovo-x1/definitions { - inherit generation lib; - }; - hostConfiguration = lib.nixosSystem { - inherit system; - modules = - [ - lanzaboote.nixosModules.lanzaboote - microvm.nixosModules.host - self.nixosModules.common - self.nixosModules.desktop - self.nixosModules.host - self.nixosModules.lanzaboote - self.nixosModules.microvm - - self.nixosModules.disko-lenovo-x1-basic-v1 - - ./sshkeys.nix - ({ - pkgs, - config, - ... - }: let - powerControl = pkgs.callPackage ../../packages/powercontrol {}; - in { - security.polkit.extraConfig = powerControl.polkitExtraConfig; - services.udev.extraRules = hwDefinition.udevRules; - time.timeZone = "Asia/Dubai"; - - # Enable pulseaudio support for host as a service - sound.enable = true; - hardware.pulseaudio.enable = true; - hardware.pulseaudio.systemWide = true; - # Add systemd to require pulseaudio before starting chromium-vm - systemd.services."microvm@chromium-vm".after = ["pulseaudio.service"]; - systemd.services."microvm@chromium-vm".requires = ["pulseaudio.service"]; - - # Allow microvm user to access pulseaudio - hardware.pulseaudio.extraConfig = "load-module module-combine-sink module-native-protocol-unix auth-anonymous=1"; - users.extraUsers.microvm.extraGroups = ["audio" "pulse-access"]; - - environment.etc.${config.ghaf.security.sshKeys.getAuthKeysFilePathInEtc} = import ./getAuthKeysSource.nix {inherit pkgs config;}; - services.openssh = config.ghaf.security.sshKeys.sshAuthorizedKeysCommand; - - disko.devices.disk = 
config.ghaf.hardware.definition.disks; - - ghaf = { - hardware.definition = hwDefinition; - # To enable guest hardening enable host hardening first - host.kernel.hardening.enable = false; - host.kernel.hardening.virtualization.enable = false; - host.kernel.hardening.networking.enable = false; - host.kernel.hardening.inputdevices.enable = false; - - guest.kernel.hardening.enable = false; - guest.kernel.hardening.graphics.enable = false; - - host.kernel.hardening.hypervisor.enable = false; - - hardware.x86_64.common.enable = true; - hardware.ax88179_178a.enable = true; - - security.tpm2.enable = true; - - virtualization.microvm-host.enable = true; - virtualization.microvm-host.networkSupport = true; - - host.networking.enable = true; - virtualization.microvm.netvm = { - enable = true; - extraModules = import ./netvmExtraModules.nix { - inherit lib pkgs microvm; - configH = config; - }; - }; - virtualization.microvm.guivm = { - enable = true; - extraModules = - # TODO convert this to an actual module - import ./guivmExtraModules.nix { - inherit lib pkgs microvm; - configH = config; - }; - }; - virtualization.microvm.appvm = { - enable = true; - vms = import ./appvms/default.nix {inherit pkgs;}; - }; - - # Enable all the default UI applications - profiles = { - applications.enable = false; - }; - windows-launcher = { - enable = true; - spice = true; - }; - }; - }) - - #TODO: how to handle the majority of laptops that need a little - # something extra? 
- # SEE: https://github.com/NixOS/nixos-hardware/blob/master/flake.nix - # nixos-hardware.nixosModules.lenovo-thinkpad-x1-10th-gen - - ({config, ...}: { - boot.kernelParams = let - filterDevices = builtins.filter (d: d.vendorId != null && d.productId != null); - mapPciIdsToString = builtins.map (d: "${d.vendorId}:${d.productId}"); - vfioPciIds = mapPciIdsToString (filterDevices ( - config.ghaf.hardware.definition.network.pciDevices - ++ config.ghaf.hardware.definition.gpu.pciDevices - )); - in [ - "intel_iommu=on,sm_on" - "iommu=pt" - # Prevent i915 module from being accidentally used by host - "module_blacklist=i915" - - "vfio-pci.ids=${builtins.concatStringsSep "," vfioPciIds}" - ]; - - boot.initrd.availableKernelModules = ["nvme"]; - }) - ] - ++ extraModules; - }; - in { - inherit hostConfiguration; - name = "${name}-${generation}-${variant}"; - package = hostConfiguration.config.system.build.diskoImages; - }; -in [ - (lenovo-x1 "gen10" "debug" debugModules) - (lenovo-x1 "gen11" "debug" debugModules) - (lenovo-x1 "gen10" "release" releaseModules) - (lenovo-x1 "gen11" "release" releaseModules) -] diff --git a/targets/lenovo-x1/flake-module.nix b/targets/lenovo-x1/flake-module.nix deleted file mode 100644 index 7eb158aee..000000000 --- a/targets/lenovo-x1/flake-module.nix +++ /dev/null @@ -1,22 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -# -# Configuration for Lenovo X1 Carbon Gen 11 -{ - inputs, - lib, - self, - ... -}: let - inherit (inputs) microvm lanzaboote disko; - name = "lenovo-x1-carbon"; - system = "x86_64-linux"; - targets = import ./everything.nix {inherit self lib microvm lanzaboote disko name system;}; -in { - flake = { - nixosConfigurations = - builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) targets); - packages.${system} = - builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets); - }; -} 
diff --git a/targets/lenovo-x1/getAuthKeysSource.nix b/targets/lenovo-x1/getAuthKeysSource.nix deleted file mode 100644 index 28cf0bb3a..000000000 --- a/targets/lenovo-x1/getAuthKeysSource.nix +++ /dev/null @@ -1,16 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -# -{ - pkgs, - config, - ... -}: { - source = let - script = pkgs.writeShellScriptBin config.ghaf.security.sshKeys.getAuthKeysFileName '' - [[ "$1" != "ghaf" ]] && exit 0 - ${pkgs.coreutils}/bin/cat ${config.ghaf.security.sshKeys.waypipeSshPublicKeyFile} - ''; - in "${script}/bin/${config.ghaf.security.sshKeys.getAuthKeysFileName}"; - mode = "0555"; -} diff --git a/targets/lenovo-x1/guivmExtraModules.nix b/targets/lenovo-x1/guivmExtraModules.nix deleted file mode 100644 index f5f18fecc..000000000 --- a/targets/lenovo-x1/guivmExtraModules.nix +++ /dev/null 
@@ -1,161 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -# -{ - lib, - pkgs, - microvm, - configH, - ... -}: let - openPdf = pkgs.callPackage ./openPdf.nix { - inherit pkgs; - inherit (configH.ghaf.security.sshKeys) sshKeyPath; - }; - # TODO generalize this TCP port used by PDF XDG handler - xdgPdfPort = 1200; - - winConfig = configH.ghaf.windows-launcher; - - guivmPCIPassthroughModule = { - microvm.devices = lib.mkForce ( - builtins.map (d: { - bus = "pci"; - inherit (d) path; - }) - configH.ghaf.hardware.definition.gpu.pciDevices - ); - }; - - guivmVirtioInputHostEvdevModule = { - microvm.qemu.extraArgs = - builtins.concatMap (d: [ - "-device" - "virtio-input-host-pci,evdev=${d}" - ]) - configH.ghaf.hardware.definition.virtioInputHostEvdevs; - }; - - guivmExtraConfigurations = { - ghaf.hardware.definition.network.pciDevices = configH.ghaf.hardware.definition.network.pciDevices; - ghaf.profiles.graphics.compositor = "labwc"; - ghaf.graphics.launchers = let - hostAddress = "192.168.101.2"; - powerControl = pkgs.callPackage ../../packages/powercontrol {}; - powerControlIcons = pkgs.gnome.callPackage ../../packages/powercontrol/png-icons.nix {}; - in [ - { - name = "chromium"; - path = "${pkgs.openssh}/bin/ssh -i ${configH.ghaf.security.sshKeys.sshKeyPath} -o StrictHostKeyChecking=no chromium-vm.ghaf run-waypipe chromium --enable-features=UseOzonePlatform --ozone-platform=wayland"; - icon = "${../../assets/icons/png/browser.png}"; - } - - { - name = "gala"; - path = "${pkgs.openssh}/bin/ssh -i ${configH.ghaf.security.sshKeys.sshKeyPath} -o StrictHostKeyChecking=no gala-vm.ghaf run-waypipe gala --enable-features=UseOzonePlatform --ozone-platform=wayland"; - icon = "${../../assets/icons/png/app.png}"; - } - - { - name = "zathura"; - path = "${pkgs.openssh}/bin/ssh -i ${configH.ghaf.security.sshKeys.sshKeyPath} -o StrictHostKeyChecking=no zathura-vm.ghaf run-waypipe zathura"; - icon = 
"${../../assets/icons/png/pdf.png}"; - } - - { - name = "windows"; - path = "${pkgs.virt-viewer}/bin/remote-viewer -f spice://${winConfig.spice-host}:${toString winConfig.spice-port}"; - icon = "${../../assets/icons/png/windows.png}"; - } - - { - name = "nm-launcher"; - path = "${pkgs.nm-launcher}/bin/nm-launcher"; - icon = "${pkgs.networkmanagerapplet}/share/icons/hicolor/22x22/apps/nm-device-wwan.png"; - } - - { - name = "poweroff"; - path = "${powerControl.makePowerOffCommand { - inherit hostAddress; - inherit (configH.ghaf.security.sshKeys) sshKeyPath; - }}"; - icon = "${powerControlIcons}/${powerControlIcons.relativeShutdownIconPath}"; - } - - { - name = "reboot"; - path = "${powerControl.makeRebootCommand { - inherit hostAddress; - inherit (configH.ghaf.security.sshKeys) sshKeyPath; - }}"; - icon = "${powerControlIcons}/${powerControlIcons.relativeRebootIconPath}"; - } - - # Temporarly disabled as it doesn't work stable - # { - # path = powerControl.makeSuspendCommand {inherit hostAddress sshKeyPath;}; - # icon = "${adwaitaIconsRoot}/media-playback-pause-symbolic.symbolic.png"; - # } - - # Temporarly disabled as it doesn't work at all - # { - # path = powerControl.makeHibernateCommand {inherit hostAddress sshKeyPath;}; - # icon = "${adwaitaIconsRoot}/media-record-symbolic.symbolic.png"; - # } - ]; - - time.timeZone = "Asia/Dubai"; - - # PDF XDG handler service receives a PDF file path from the chromium-vm and executes the openpdf script - systemd.user = { - sockets."pdf" = { - unitConfig = { - Description = "PDF socket"; - }; - socketConfig = { - ListenStream = "${toString xdgPdfPort}"; - Accept = "yes"; - }; - wantedBy = ["sockets.target"]; - }; - - services."pdf@" = { - description = "PDF opener"; - serviceConfig = { - ExecStart = "${openPdf}/bin/openPdf"; - StandardInput = "socket"; - StandardOutput = "journal"; - StandardError = "journal"; - }; - }; - }; - - # Open TCP port for the PDF XDG socket - networking.firewall.allowedTCPPorts = [xdgPdfPort]; - # 
Early KMS needed for GNOME to work inside GuiVM - boot.initrd.kernelModules = ["i915"]; - - microvm.qemu = { - extraArgs = [ - # Lenovo X1 Lid button - "-device" - "button" - # Lenovo X1 battery - "-device" - "battery" - # Lenovo X1 AC adapter - "-device" - "acad" - # Connect sound device to hosts pulseaudio socket - "-audiodev" - "pa,id=pa1,server=unix:/run/pulse/native" - ]; - }; - }; -in [ - ./sshkeys.nix - guivmPCIPassthroughModule - guivmVirtioInputHostEvdevModule - guivmExtraConfigurations -] diff --git a/targets/lenovo-x1/netvmExtraModules.nix b/targets/lenovo-x1/netvmExtraModules.nix deleted file mode 100644 index f54933729..000000000 --- a/targets/lenovo-x1/netvmExtraModules.nix +++ /dev/null 
@@ -1,83 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -# -{ - lib, - pkgs, - microvm, - configH, - ... -}: let - netvmPCIPassthroughModule = { - microvm.devices = lib.mkForce ( - builtins.map (d: { - bus = "pci"; - inherit (d) path; - }) - configH.ghaf.hardware.definition.network.pciDevices - ); - }; - - netvmAdditionalConfig = { - # Add the waypipe-ssh public key to the microvm - microvm = { - shares = [ - { - tag = configH.ghaf.security.sshKeys.waypipeSshPublicKeyName; - source = configH.ghaf.security.sshKeys.waypipeSshPublicKeyDir; - mountPoint = configH.ghaf.security.sshKeys.waypipeSshPublicKeyDir; - } - ]; - }; - fileSystems.${configH.ghaf.security.sshKeys.waypipeSshPublicKeyDir}.options = ["ro"]; - - # For WLAN firmwares - hardware.enableRedistributableFirmware = true; - - networking = { - # wireless is disabled because we use NetworkManager for wireless - wireless.enable = lib.mkForce false; - networkmanager = { - enable = true; - unmanaged = ["ethint0"]; - }; - }; - # noXlibs=false; needed for NetworkManager stuff - environment.noXlibs = false; - environment.etc."NetworkManager/system-connections/Wifi-1.nmconnection" = { - text = '' - [connection] - id=Wifi-1 - uuid=33679db6-4cde-11ee-be56-0242ac120002 - type=wifi - [wifi] - mode=infrastructure - ssid=SSID_OF_NETWORK - [wifi-security] - key-mgmt=wpa-psk - psk=WPA_PASSWORD - [ipv4] - method=auto - [ipv6] - method=disabled - [proxy] - ''; - mode = "0600"; - }; - # Waypipe-ssh key is used here to create keys for ssh tunneling to forward D-Bus sockets. - # SSH is very picky about to file permissions and ownership and will - # accept neither direct path inside /nix/store or symlink that points - # there. Therefore we copy the file to /etc/ssh/get-auth-keys (by - # setting mode), instead of symlinking it. 
- environment.etc.${configH.ghaf.security.sshKeys.getAuthKeysFilePathInEtc} = import ./getAuthKeysSource.nix { - inherit pkgs; - config = configH; - }; - # Add simple wi-fi connection helper - environment.systemPackages = lib.mkIf configH.ghaf.profiles.debug.enable [pkgs.wifi-connector-nmcli]; - - services.openssh = configH.ghaf.security.sshKeys.sshAuthorizedKeysCommand; - - time.timeZone = "Asia/Dubai"; - }; -in [./sshkeys.nix netvmPCIPassthroughModule netvmAdditionalConfig] diff --git a/targets/microchip-icicle-kit/flake-module.nix b/targets/microchip-icicle-kit/flake-module.nix index 7da8c0fa5..ba5ee7729 100644 --- a/targets/microchip-icicle-kit/flake-module.nix +++ b/targets/microchip-icicle-kit/flake-module.nix @@ -7,19 +7,22 @@ lib, self, ... -}: let - inherit (inputs) nixos-hardware nixpkgs; +}: +let + inherit (inputs) nixos-hardware; name = "microchip-icicle-kit"; system = "riscv64-linux"; - microchip-icicle-kit = variant: extraModules: let - hostConfiguration = lib.nixosSystem { - inherit system; - modules = - [ + microchip-icicle-kit = + variant: extraModules: + let + hostConfiguration = lib.nixosSystem { + inherit system; + modules = [ nixos-hardware.nixosModules.microchip-icicle-kit self.nixosModules.common self.nixosModules.host self.nixosModules.polarfire + self.nixosModules.reference-personalize { boot = { 
@@ -40,37 +43,40 @@ ssh.daemon.enable = true; }; firewall.kernel-modules.enable = true; + reference.personalize.keys.enable = variant == "debug"; }; nixpkgs = { buildPlatform.system = "x86_64-linux"; hostPlatform.system = "riscv64-linux"; - overlays = [ - self.overlays.cross-compilation - ]; + overlays = [ self.overlays.cross-compilation ]; }; - boot.kernelParams = ["root=/dev/mmcblk0p2" "rootdelay=5"]; - disabledModules = ["profiles/all-hardware.nix"]; + boot.kernelParams = [ + "root=/dev/mmcblk0p2" + "rootdelay=5" + ]; + disabledModules = [ "profiles/all-hardware.nix" ]; } - ] - ++ extraModules; + ] ++ extraModules; + }; + in + { + inherit hostConfiguration; + name = "${name}-${variant}-from-x86_64"; + package = hostConfiguration.config.system.build.sdImage; }; - in { - inherit hostConfiguration; - name = "${name}-${variant}"; - package = hostConfiguration.config.system.build.sdImage; - }; targets = [ - (microchip-icicle-kit "debug" []) - (microchip-icicle-kit "release" []) + (microchip-icicle-kit "debug" [ ]) + (microchip-icicle-kit "release" [ ]) ]; -in { +in +{ flake = { - nixosConfigurations = - builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) targets); + nixosConfigurations = builtins.listToAttrs ( + map (t: lib.nameValuePair t.name t.hostConfiguration) targets + ); packages = { - riscv64-linux = - builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets); + x86_64-linux = builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets); }; }; } diff --git a/targets/nvidia-jetson-orin/cross-compilation.nix b/targets/nvidia-jetson-orin/cross-compilation.nix index 8f16d935b..181bcfb3d 100644 --- a/targets/nvidia-jetson-orin/cross-compilation.nix +++ b/targets/nvidia-jetson-orin/cross-compilation.nix @@ -6,8 +6,6 @@ { nixpkgs = { buildPlatform.system = "x86_64-linux"; - overlays = [ - (import ../../overlays/cross-compilation) - ]; + overlays = [ (import ../../overlays/cross-compilation) ]; }; } 
diff --git a/targets/nvidia-jetson-orin/flake-module.nix b/targets/nvidia-jetson-orin/flake-module.nix index a28022de7..fd7cf21e7 100644 --- a/targets/nvidia-jetson-orin/flake-module.nix +++ b/targets/nvidia-jetson-orin/flake-module.nix 
@@ -8,52 +8,61 @@ lib, self, ... -}: let - inherit (inputs) nixpkgs nixos-generators microvm jetpack-nixos; +}: +let + inherit (inputs) nixpkgs nixos-generators jetpack-nixos; name = "nvidia-jetson-orin"; system = "aarch64-linux"; - nvidia-jetson-orin = som: variant: extraModules: let - netvmExtraModules = [ - { - # The Nvidia Orin hardware dependent configuration is in - # modules/jetpack and modules/jetpack-microvm. Please refer to that - # section for hardware dependent netvm configuration. + nvidia-jetson-orin = + som: variant: extraModules: + let + netvmExtraModules = [ + { + # The Nvidia Orin hardware dependent configuration is in + # modules/jetpack and modules/jetpack-microvm. Please refer to that + # section for hardware dependent netvm configuration. - # Wireless Configuration. Orin AGX has WiFi enabled where Orin NX does - # not. + # Wireless Configuration. Orin AGX has WiFi enabled where Orin NX does + # not. - # To enable or disable wireless - networking.wireless.enable = som == "agx"; + # To enable or disable wireless + networking.wireless.enable = som == "agx"; - # For WLAN firmwares - hardware = { - enableRedistributableFirmware = som == "agx"; - wirelessRegulatoryDatabase = true; - }; - } - ]; - gpiovmExtraModules = [ - { - # The Nvidia Orin hardware dependent configuration is in - # modules/jetpack and modules/jetpack-microvm. Please refer to that - # section for hardware dependent gpiovm configuration. - } - ]; - hostConfiguration = lib.nixosSystem { - inherit system; + # For WLAN firmwares + hardware = { + enableRedistributableFirmware = som == "agx"; + wirelessRegulatoryDatabase = true; + }; - modules = - [ + services.dnsmasq.settings.dhcp-option = [ + "option:router,192.168.100.1" # set net-vm as a default gw + "option:dns-server,192.168.100.1" + ]; + } + ]; + gpiovmExtraModules = [ + { + # The Nvidia Orin hardware dependent configuration is in + # modules/jetpack and modules/jetpack-microvm. 
Please refer to that + # section for hardware dependent gpiovm configuration. + } + ]; + hostConfiguration = lib.nixosSystem { + inherit system; + + modules = [ (nixos-generators + "/format-module.nix") ../../modules/jetpack/nvidia-jetson-orin/format-module.nix jetpack-nixos.nixosModules.default - microvm.nixosModules.host self.nixosModules.common self.nixosModules.desktop self.nixosModules.host self.nixosModules.jetpack self.nixosModules.jetpack-microvm self.nixosModules.microvm + self.nixosModules.reference-programs + self.nixosModules.reference-personalize + { ghaf = { hardware.nvidia.orin = { 
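Review bot: The dnsmasq `dhcp-option` entries added to `netvmExtraModules` hard-code `192.168.100.1` as both the guests' router and DNS server, and nothing in the hunk ties that literal to the address the net-vm actually binds; if the net-vm's static address is set elsewhere and later changes, every guest silently gets a dead gateway and resolver. Prefer deriving the value from the net-vm's networking option (wherever its static address is defined, not visible here) or at least add `# must match the net-vm's static address on the internal bridge` above the two entries. Note also that `microvm.nixosModules.host` is dropped from the module list with no replacement visible in this hunk; presumably `self.nixosModules.microvm` now imports it, which is worth confirming since `virtualization.microvm-host.enable` depends on it.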
@@ -67,69 +76,75 @@ hardware.nvidia = { virtualization.enable = true; virtualization.host.bpmp.enable = false; + virtualization.host.gpio.enable = som == "agx"; passthroughs.host.uarta.enable = false; # passthroughs.uarti_net_vm.enable = som == "agx"; passthroughs.uarti_net_vm.enable = false; - virtualization.host.gpio.enable = som == "agx"; + # passthroughs.gpio_vm.enable = false; # not implemented }; - virtualization.microvm-host.enable = true; - virtualization.microvm-host.networkSupport = true; - # virtualization.microvm-host.networkSupport = false; - host.networking.enable = true; - - virtualization.microvm.netvm.enable = true; - # virtualization.microvm.netvm.enable = false; - virtualization.microvm.netvm.extraModules = netvmExtraModules; + virtualization = { + microvm-host = { + enable = true; + networkSupport = true; + }; - virtualization.microvm.gpiovm.enable = true; - virtualization.microvm.gpiovm.extraModules = gpiovmExtraModules; + microvm = { + netvm = { + enable = true; + extraModules = netvmExtraModules; + }; + gpiovm = { + enable = true; + extraModules = gpiovmExtraModules; + }; + }; + }; # Enable all the default UI applications profiles = { applications.enable = true; release.enable = variant == "release"; debug.enable = variant == "debug"; + graphics.renderer = "gles2"; }; - windows-launcher.enable = true; + reference.programs.windows-launcher.enable = true; + reference.personalize.keys.enable = variant == "debug"; + + # To enable screen locking set to true + graphics.labwc.autolock.enable = false; }; } - (import ./optee.nix {inherit jetpack-nixos;}) - ] - ++ extraModules; + (import ./optee.nix { }) + ] ++ extraModules; + }; + in + { + inherit hostConfiguration; + name = "${name}-${som}-${variant}"; + package = hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr}; }; - in { - inherit hostConfiguration; - name = "${name}-${som}-${variant}"; - package = 
hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr}; - }; - nvidia-jetson-orin-agx-debug = nvidia-jetson-orin "agx" "debug" []; - nvidia-jetson-orin-agx-release = nvidia-jetson-orin "agx" "release" []; - nvidia-jetson-orin-nx-debug = nvidia-jetson-orin "nx" "debug" []; - nvidia-jetson-orin-nx-release = nvidia-jetson-orin "nx" "release" []; - generate-nodemoapps = tgt: + nvidia-jetson-orin-agx-debug = nvidia-jetson-orin "agx" "debug" [ ]; + nvidia-jetson-orin-agx-release = nvidia-jetson-orin "agx" "release" [ ]; + nvidia-jetson-orin-nx-debug = nvidia-jetson-orin "nx" "debug" [ ]; + nvidia-jetson-orin-nx-release = nvidia-jetson-orin "nx" "release" [ ]; + generate-nodemoapps = + tgt: tgt // rec { name = tgt.name + "-nodemoapps"; hostConfiguration = tgt.hostConfiguration.extendModules { - modules = [ - { - ghaf.graphics.enableDemoApplications = lib.mkForce false; - } - ]; + modules = [ { ghaf.graphics.enableDemoApplications = lib.mkForce false; } ]; }; package = hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr}; }; - generate-cross-from-x86_64 = tgt: + generate-cross-from-x86_64 = + tgt: tgt // rec { name = tgt.name + "-from-x86_64"; - hostConfiguration = tgt.hostConfiguration.extendModules { - modules = [ - ./cross-compilation.nix - ]; - }; + hostConfiguration = tgt.hostConfiguration.extendModules { modules = [ ./cross-compilation.nix ]; }; package = hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr}; }; # Base targets to use for generating demoapps and cross-compilation targets @@ -144,7 +159,8 @@ crossTargets = map generate-cross-from-x86_64 targets; mkFlashScript = import ../../lib/mk-flash-script; # Generate flash script variant which flashes both QSPI and eMMC - generate-flash-script = tgt: flash-tools-system: + generate-flash-script = + tgt: flash-tools-system: mkFlashScript { inherit nixpkgs; inherit (tgt) hostConfiguration; 
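Review bot: `graphics.labwc.autolock.enable = false;` turns screen auto-locking off unconditionally, so the release variant ships without it even though the same hunk already gates debug-only material with `reference.personalize.keys.enable = variant == "debug";`. Unless there is a known breakage, gate it the same way, `graphics.labwc.autolock.enable = variant == "release";`, or replace the generic `# To enable screen locking set to true` with the reason it must stay off. The added `# passthroughs.gpio_vm.enable = false; # not implemented` is a commented-out option with no tracking reference; a TODO naming the option that is expected to implement it would age better. The enclosing `ghaf = { ... }` attribute set starts before this hunk.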
@@ -153,35 +169,48 @@ }; # Generate flash script variant which flashes QSPI only. Useful for Orin NX # and non-eMMC based development. - generate-flash-qspi = tgt: flash-tools-system: + generate-flash-qspi = + tgt: flash-tools-system: mkFlashScript { inherit nixpkgs; hostConfiguration = tgt.hostConfiguration.extendModules { - modules = [ - { - ghaf.hardware.nvidia.orin.flashScriptOverrides.onlyQSPI = true; - } - ]; + modules = [ { ghaf.hardware.nvidia.orin.flashScriptOverrides.onlyQSPI = true; } ]; }; inherit jetpack-nixos; inherit flash-tools-system; }; -in { +in +{ flake = { - nixosConfigurations = - builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) (targets ++ crossTargets)); + nixosConfigurations = builtins.listToAttrs ( + map (t: lib.nameValuePair t.name t.hostConfiguration) (targets ++ crossTargets) + ); packages = { aarch64-linux = builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets) # EXPERIMENTAL: The aarch64-linux hosted flashing support is experimental # and it simply might not work. 
Providing the script anyway - // builtins.listToAttrs (map (t: lib.nameValuePair "${t.name}-flash-script" (generate-flash-script t "aarch64-linux")) targets) - // builtins.listToAttrs (map (t: lib.nameValuePair "${t.name}-flash-qspi" (generate-flash-qspi t "aarch64-linux")) targets); + // builtins.listToAttrs ( + map ( + t: lib.nameValuePair "${t.name}-flash-script" (generate-flash-script t "aarch64-linux") + ) targets + ) + // builtins.listToAttrs ( + map (t: lib.nameValuePair "${t.name}-flash-qspi" (generate-flash-qspi t "aarch64-linux")) targets + ); x86_64-linux = builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) crossTargets) - // builtins.listToAttrs (map (t: lib.nameValuePair "${t.name}-flash-script" (generate-flash-script t "x86_64-linux")) (targets ++ crossTargets)) - // builtins.listToAttrs (map (t: lib.nameValuePair "${t.name}-flash-qspi" (generate-flash-qspi t "x86_64-linux")) (targets ++ crossTargets)); + // builtins.listToAttrs ( + map (t: lib.nameValuePair "${t.name}-flash-script" (generate-flash-script t "x86_64-linux")) ( + targets ++ crossTargets + ) + ) + // builtins.listToAttrs ( + map (t: lib.nameValuePair "${t.name}-flash-qspi" (generate-flash-qspi t "x86_64-linux")) ( + targets ++ crossTargets + ) + ); }; }; } diff --git a/targets/nvidia-jetson-orin/optee.nix b/targets/nvidia-jetson-orin/optee.nix index b12903761..98d27f84b 100644 --- a/targets/nvidia-jetson-orin/optee.nix +++ b/targets/nvidia-jetson-orin/optee.nix @@ -1,13 +1,15 @@ # SPDX-FileCopyrightText: 2022-2023 TII (SSRC) and the Ghaf contributors # # SPDX-License-Identifier: Apache-2.0 -{jetpack-nixos}: ( +_: +( { pkgs, config, lib, ... - }: let + }: + let # TODO: Refactor this later, if this gets proper implementation on the # jetpack-nixos stdenv = pkgs.gcc9Stdenv; 
@@ -16,15 +18,15 @@ opteeSource = pkgs.fetchgit { url = "https://nv-tegra.nvidia.com/r/tegra/optee-src/nv-optee"; - rev = "jetson_${l4tVersion}"; - sha256 = "sha256-44RBXFNUlqZoq3OY/OFwhiU4Qxi4xQNmetFmlrr6jzY="; + rev = builtins.trace "jetson_${l4tVersion}" "jetson_${l4tVersion}"; + sha256 = "sha256-jJOMig2+9FlKA9gJUCH/dva7ZtAq1typZSNGKyM7tlg="; }; opteeXtest = stdenv.mkDerivation { pname = "optee_xtest"; version = l4tVersion; src = opteeSource; - nativeBuildInputs = [(pkgs.buildPackages.python3.withPackages (p: [p.cryptography]))]; + nativeBuildInputs = [ (pkgs.buildPackages.python3.withPackages (p: [ p.cryptography ])) ]; postPatch = '' patchShebangs --build $(find optee/optee_test -type d -name scripts -printf '%p ') ''; @@ -47,7 +49,7 @@ pname = "pkcs11"; version = l4tVersion; src = opteeSource; - nativeBuildInputs = [(pkgs.buildPackages.python3.withPackages (p: [p.cryptography]))]; + nativeBuildInputs = [ (pkgs.buildPackages.python3.withPackages (p: [ p.cryptography ])) ]; makeFlags = [ "-C optee/optee_os/ta/pkcs11" "CROSS_COMPILE=${stdenv.cc.targetPrefix}" 
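Review bot: `rev = builtins.trace "jetson_${l4tVersion}" "jetson_${l4tVersion}";` is a leftover debug print: it evaluates to the same string as before but writes the tag to stderr on every evaluation, so restore `rev = "jetson_${l4tVersion}";`. Bumping `sha256` at the same time is correct, since `jetson_<version>` is a mutable tag and the hash is what actually pins the fetched source, but the commit should record which L4T version the new hash was computed against because `l4tVersion` is defined outside this hunk. The enclosing `let` block starts before the hunk.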
@@ -68,67 +70,74 @@ pkcs11-tool-optee = pkgs.writeShellScriptBin "pkcs11-tool-optee" '' exec "${pkgs.opensc}/bin/pkcs11-tool" --module "${opteeClient}/lib/libckteec.so" $@ ''; - in { - hardware.nvidia-jetpack.firmware.optee.supplicant.trustedApplications = let - xTestTaDir = "${opteeXtest}/ta"; - xTestTaPaths = - builtins.map (ta: { - name = ta; - path = xTestTaDir + "/" + ta; - }) [ - # List of OP-TEE's xtest required TA's - # - # A short guide about a ways of constructing xtest TA list - # - # A) Run xtest and based on errors add TAs to the list - # - Run xtest and you might see following error - # E/LD: init_elf:453 sys_open_ta_bin(cb3e5ba0-adf1-11e0-998b-0002a5d5c51b) - # E/TC:?? 0 ldelf_init_with_ldelf:131 ldelf failed with res: 0xffff0008 - # --> Add cb3e5ba0-adf1-11e0-998b-0002a5d5c51b.ta into list and repeat - # - # B) From OP-TEE's xtest sources https://github.com/OP-TEE/optee_test - # - Navigate into optee_test repo and run - # $ find ta -path ta/supp_plugin -prune -o -name Makefile -exec grep -oP 'BINARY = \K.*' {} \; - # --> Above comaand produces a list of TAs UUID - # --> It does not produce all UUID due some of them are hardcode into source files - # --> It produce more TA than needed - # - # C) At "find ./out -name "*.ta"" into opteeXtest derivation installPhase - # and uild package with "-L"-flag - # --> Scroll output until find TAs - # ./out/ta/crypt/cb3e5ba0-adf1-11e0-998b-0002a5d5c51b.ta - # ./out/ta/concurrent_large/5ce0c432-0ab0-40e5-a056-782ca0e6aba2.ta - # - # Below list used option C + in + { + hardware.nvidia-jetpack.firmware.optee.supplicant.trustedApplications = + let + xTestTaDir = "${opteeXtest}/ta"; + xTestTaPaths = + builtins.map + (ta: { + name = ta; + path = xTestTaDir + "/" + ta; + }) + [ + # List of OP-TEE's xtest required TA's + # + # A short guide about a ways of constructing xtest TA list + # + # A) Run xtest and based on errors add TAs to the list + # - Run xtest and you might see following error + # E/LD: init_elf:453 
sys_open_ta_bin(cb3e5ba0-adf1-11e0-998b-0002a5d5c51b) + # E/TC:?? 0 ldelf_init_with_ldelf:131 ldelf failed with res: 0xffff0008 + # --> Add cb3e5ba0-adf1-11e0-998b-0002a5d5c51b.ta into list and repeat + # + # B) From OP-TEE's xtest sources https://github.com/OP-TEE/optee_test + # - Navigate into optee_test repo and run + # $ find ta -path ta/supp_plugin -prune -o -name Makefile -exec grep -oP 'BINARY = \K.*' {} \; + # --> Above comaand produces a list of TAs UUID + # --> It does not produce all UUID due some of them are hardcode into source files + # --> It produce more TA than needed + # + # C) At "find ./out -name "*.ta"" into opteeXtest derivation installPhase + # and uild package with "-L"-flag + # --> Scroll output until find TAs + # ./out/ta/crypt/cb3e5ba0-adf1-11e0-998b-0002a5d5c51b.ta + # ./out/ta/concurrent_large/5ce0c432-0ab0-40e5-a056-782ca0e6aba2.ta + # + # Below list used option C - "cb3e5ba0-adf1-11e0-998b-0002a5d5c51b.ta" - "5ce0c432-0ab0-40e5-a056-782ca0e6aba2.ta" - "e626662e-c0e2-485c-b8c8-09fbce6edf3d.ta" - "c3f6e2c0-3548-11e1-b86c-0800200c9a66.ta" - "873bcd08-c2c3-11e6-a937-d0bf9c45c61c.ta" - "b689f2a7-8adf-477a-9f99-32e90c0ad0a2.ta" - "a4c04d50-f180-11e8-8eb2-f2801f1b9fd1.ta" - "25497083-a58a-4fc5-8a72-1ad7b69b8562.ta" - "731e279e-aafb-4575-a771-38caa6f0cca6.ta" - "5b9e0e40-2636-11e1-ad9e-0002a5d5c51b.ta" - "380231ac-fb99-47ad-a689-9e017eb6e78a.ta" - "d17f73a0-36ef-11e1-984a-0002a5d5c51b.ta" - "614789f2-39c0-4ebf-b235-92b32ac107ed.ta" - "e6a33ed4-562b-463a-bb7e-ff5e15a493c8.ta" - "e13010e0-2ae1-11e5-896a-0002a5d5c51b.ta" - "528938ce-fc59-11e8-8eb2-f2801f1b9fd1.ta" - "ffd2bded-ab7d-4988-95ee-e4962fff7154.ta" - "b3091a65-9751-4784-abf7-0298a7cc35ba.ta" - "f157cda0-550c-11e5-a6fa-0002a5d5c51b.ta" - ]; - pkcs11TaPath = { - name = "fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta"; - path = "${pcks11Ta}/fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta"; - }; - paths = - lib.optionals config.ghaf.hardware.nvidia.orin.optee.xtest xTestTaPaths - ++ lib.optional 
config.ghaf.hardware.nvidia.orin.optee.pkcs11.enable pkcs11TaPath; - in [(pkgs.linkFarm "optee-load-path" paths)]; + "cb3e5ba0-adf1-11e0-998b-0002a5d5c51b.ta" + "5ce0c432-0ab0-40e5-a056-782ca0e6aba2.ta" + "e626662e-c0e2-485c-b8c8-09fbce6edf3d.ta" + "c3f6e2c0-3548-11e1-b86c-0800200c9a66.ta" + "873bcd08-c2c3-11e6-a937-d0bf9c45c61c.ta" + "b689f2a7-8adf-477a-9f99-32e90c0ad0a2.ta" + "a4c04d50-f180-11e8-8eb2-f2801f1b9fd1.ta" + "25497083-a58a-4fc5-8a72-1ad7b69b8562.ta" + "731e279e-aafb-4575-a771-38caa6f0cca6.ta" + "5b9e0e40-2636-11e1-ad9e-0002a5d5c51b.ta" + "380231ac-fb99-47ad-a689-9e017eb6e78a.ta" + "d17f73a0-36ef-11e1-984a-0002a5d5c51b.ta" + "614789f2-39c0-4ebf-b235-92b32ac107ed.ta" + "e6a33ed4-562b-463a-bb7e-ff5e15a493c8.ta" + "e13010e0-2ae1-11e5-896a-0002a5d5c51b.ta" + "528938ce-fc59-11e8-8eb2-f2801f1b9fd1.ta" + "ffd2bded-ab7d-4988-95ee-e4962fff7154.ta" + "b3091a65-9751-4784-abf7-0298a7cc35ba.ta" + "f157cda0-550c-11e5-a6fa-0002a5d5c51b.ta" + "5c206987-16a3-59cc-ab0f-64b9cfc9e758.ta" + "a720ccbb-51da-417d-b82e-e5445d474a7a.ta" + ]; + pkcs11TaPath = { + name = "fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta"; + path = "${pcks11Ta}/fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta"; + }; + paths = + lib.optionals config.ghaf.hardware.nvidia.orin.optee.xtest xTestTaPaths + ++ lib.optional config.ghaf.hardware.nvidia.orin.optee.pkcs11.enable pkcs11TaPath; + in + [ (pkgs.linkFarm "optee-load-path" paths) ]; environment.systemPackages = (lib.optional config.ghaf.hardware.nvidia.orin.optee.pkcs11-tool pkcs11-tool-optee) diff --git a/targets/vm/flake-module.nix b/targets/vm/flake-module.nix index 992e611aa..13091b366 100644 --- a/targets/vm/flake-module.nix +++ b/targets/vm/flake-module.nix 
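Review bot: Two UUIDs, `5c206987-16a3-59cc-ab0f-64b9cfc9e758.ta` and `a720ccbb-51da-417d-b82e-e5445d474a7a.ta`, are appended to the xtest TA list, but the comment above still says the list came from "option C" and gives no hint which xtest cases need the new entries, so the next L4T bump cannot tell whether they are still required. Add a trailing comment per entry naming the `./out/ta/<dir>/` it was found under and whether option C was re-run against the new `opteeSource`. These TAs are only installed when `config.ghaf.hardware.nvidia.orin.optee.xtest` is set, which is worth stating in the commit message so reviewers know production images are unaffected.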
@@ -5,58 +5,69 @@ lib, self, ... -}: let - inherit (inputs) microvm nixos-generators; +}: +let + inherit (inputs) nixos-generators; name = "vm"; system = "x86_64-linux"; - vm = variant: let - hostConfiguration = lib.nixosSystem { - inherit system; - modules = [ - microvm.nixosModules.host - nixos-generators.nixosModules.vm - self.nixosModules.common - self.nixosModules.desktop - self.nixosModules.host - self.nixosModules.microvm + vm = + variant: + let + hostConfiguration = lib.nixosSystem { + inherit system; + modules = [ + nixos-generators.nixosModules.vm + self.nixosModules.common + self.nixosModules.desktop + self.nixosModules.host + self.nixosModules.microvm + self.nixosModules.hw-x86_64-generic - { - ghaf = { - hardware.x86_64.common.enable = true; + { + ghaf = { + hardware.x86_64.common.enable = true; - virtualization.microvm-host.enable = true; - virtualization.microvm-host.networkSupport = true; - host.networking.enable = true; - # TODO: NetVM enabled, but it does not include anything specific - # for this Virtual Machine target - virtualization.microvm.netvm.enable = true; + virtualization = { + microvm-host = { + enable = true; + networkSupport = true; + }; - # Enable all the default UI applications - profiles = { - applications.enable = true; - release.enable = variant == "release"; - debug.enable = variant == "debug"; + # TODO: NetVM enabled, but it does not include anything specific + # for this Virtual Machine target + microvm.netvm.enable = true; + }; + + host.networking.enable = true; + + # Enable all the default UI applications + profiles = { + applications.enable = true; + release.enable = variant == "release"; + debug.enable = variant == "debug"; + }; }; - }; - } - ]; + } + ]; + }; + in + { + inherit hostConfiguration; + name = "${name}-${variant}"; + package = hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr}; }; - in { - inherit hostConfiguration; - name = "${name}-${variant}"; - package = 
hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr}; - }; targets = [ (vm "debug") (vm "release") ]; -in { +in +{ flake = { - nixosConfigurations = - builtins.listToAttrs (map (t: lib.nameValuePair t.name t.hostConfiguration) targets); + nixosConfigurations = builtins.listToAttrs ( + map (t: lib.nameValuePair t.name t.hostConfiguration) targets + ); packages = { - x86_64-linux = - builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets); + x86_64-linux = builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets); }; }; } diff --git a/templates/boilerplate/.gitignore b/templates/boilerplate/.gitignore new file mode 100644 index 000000000..50c1eb8d5 --- /dev/null +++ b/templates/boilerplate/.gitignore @@ -0,0 +1,10 @@ +# SPDX-FileCopyrightText: 2022-2023 TII (SSRC) and the Ghaf contributors +# +# SPDX-License-Identifier: CC-BY-SA-4.0 +# SPDX-License-Identifier: CC0-1.0 + +result* +ghaf-host.qcow2 +.direnv/ +.idea +linux-*/ diff --git a/templates/boilerplate/default.nix b/templates/boilerplate/default.nix new file mode 100644 index 000000000..4f8ffb1a0 --- /dev/null +++ b/templates/boilerplate/default.nix @@ -0,0 +1,31 @@ +# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII) +# SPDX-FileCopyrightText: 2020-2023 Eelco Dolstra and the flake-compat contributors +# +# SPDX-License-Identifier: MIT +# This file originates from: +# https://github.com/nix-community/flake-compat +# This file provides backward compatibility to nix < 2.4 clients +{ + system ? builtins.currentSystem, +}: +let + lock = builtins.fromJSON (builtins.readFile ./flake.lock); + + inherit (lock.nodes.flake-compat.locked) + owner + repo + rev + narHash + ; + + flake-compat = fetchTarball { + url = "https://github.com/${owner}/${repo}/archive/${rev}.tar.gz"; + sha256 = narHash; + }; + + flake = import flake-compat { + inherit system; + src = ./.; + }; +in +flake.defaultNix 
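Review bot: The `microvm.nixosModules.host` import is dropped from the module list while `virtualization.microvm-host.enable = true` and `networkSupport = true` are kept; unless `self.nixosModules.microvm` (or the newly added `hw-x86_64-generic`) imports the microvm host module itself, those options would be unknown and evaluation would fail, so this is worth confirming since that module lives outside the hunk. The `# TODO: NetVM enabled, but it does not include anything specific` comment is carried over unchanged; if the netvm of the vm target is still a placeholder it would help to say what is missing, e.g. `# TODO: netvm for the vm target is a placeholder — no NIC passthrough or firewall rules are defined here`.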
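Review bot: The `.gitignore` header carries two `SPDX-License-Identifier` lines (`CC-BY-SA-4.0` and `CC0-1.0`) while every other file in the boilerplate is `Apache-2.0`; REUSE treats stacked identifiers as all applying, and `reuse lint` (enabled in `nix/checks.nix` in this commit) expects a `LICENSES/` copy of each, which the template does not appear to ship. Keep a single identifier, e.g. `# SPDX-License-Identifier: CC0-1.0`, and align the `2022-2023` year range with the `2022-2024` used elsewhere.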
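Review bot: `builtins.readFile ./flake.lock` assumes a lock file next to this shim, but the commit adds no `flake.lock` under `templates/boilerplate`, so a `nix-build` user of a freshly copied template fails with a missing-file error until `nix flake lock` has been run; a comment such as `# Requires ./flake.lock (run 'nix flake lock' once); the narHash pin below is what keeps this fetch reproducible` would save the next user a confusing failure. The `sha256 = narHash` pin is the right thing to keep — without it `fetchTarball` would be an unverified network fetch of whatever `rev` currently resolves to. The identical `shell.nix` shim later in this commit has the same dependency on the lock file.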
diff --git a/templates/boilerplate/flake.nix b/templates/boilerplate/flake.nix new file mode 100644 index 000000000..a43b2303c --- /dev/null +++ b/templates/boilerplate/flake.nix 
@@ -0,0 +1,113 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+ description = "Ghaf derived NixOS configuration";
+
+ nixConfig = {
+ substituters = [
+ "https://cache.vedenemo.dev"
+ "https://cache.ssrcdevops.tii.ae"
+ "https://ghaf-dev.cachix.org"
+ "https://cache.nixos.org/"
+ ];
+ extra-trusted-substituters = [
+ "https://cache.vedenemo.dev"
+ "https://cache.ssrcdevops.tii.ae"
+ "https://ghaf-dev.cachix.org"
+ "https://cache.nixos.org/"
+ ];
+ extra-trusted-public-keys = [
+ "cache.vedenemo.dev:8NhplARANhClUSWJyLVk4WMyy1Wb4rhmWW2u8AejH9E="
+ "cache.ssrcdevops.tii.ae:oOrzj9iCppf+me5/3sN/BxEkp5SaFkHfKTPPZ97xXQk="
+ "ghaf-dev.cachix.org-1:S3M8x3no8LFQPBfHw1jl6nmP8A7cVWKntoMKN3IsEQY="
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ ];
+ };
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+
+ ghaf = {
+ url = "github:tiiuae/ghaf";
+ # do not over ride the ghaf nixpkgs as it is sometimes following a custom branch
+ # and will likely break horribly
+ };
+
+ #
+ # Flake and repo structuring configurations
+ #
+ # Allows us to structure the flake with the NixOS module system
+ flake-parts = {
+ url = "github:hercules-ci/flake-parts";
+ inputs.nixpkgs-lib.follows = "nixpkgs";
+ };
+
+ flake-root.url = "github:srid/flake-root";
+
+ # Format all the things
+ treefmt-nix = {
+ url = "github:numtide/treefmt-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ # For preserving compatibility with non-Flake users
+ flake-compat = {
+ url = "github:nix-community/flake-compat";
+ flake = false;
+ };
+
+ nix-fast-build = {
+ url = "github:Mic92/nix-fast-build";
+ inputs = {
+ flake-parts.follows = "flake-parts";
+ nixpkgs.follows = "nixpkgs";
+ treefmt-nix.follows = "treefmt-nix";
+ };
+ };
+
+ # Dependencies used by other inputs
+ systems.url = "github:nix-systems/default";
+ devshell = {
+ url = "github:numtide/devshell";
+ inputs = {
+ nixpkgs.follows = "nixpkgs";
+ };
+ };
+
+ #
+ # Target Building and services
+ #
+ disko = {
+ url = "github:nix-community/disko/";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+
+ outputs =
+ inputs@{ flake-parts, ... }:
+ flake-parts.lib.mkFlake { inherit inputs; } {
+ # Toggle this to allow debugging in the repl
+ # see:https://flake.parts/debug
+ debug = false;
+
+ systems = [
+ "x86_64-linux"
+ "aarch64-linux"
+ # RISC-V is a target built from cross compilation and is not
+ # included as a host build possibility at this point
+ # Future HW permitting this can be re-evaluated
+ #"riscv64-linux"
+ ];
+
+ imports = [
+ ./overlays/flake-module.nix
+ ./modules/flake-module.nix
+ ./nix/flake-module.nix
+ ./packages/flake-module.nix
+ ./targets/flake-module.nix
+ ./hydrajobs/flake-module.nix
+ inputs.flake-root.flakeModule
+ inputs.treefmt-nix.flakeModule
+ ];
+ };
+}
diff --git a/templates/boilerplate/hydrajobs/flake-module.nix b/templates/boilerplate/hydrajobs/flake-module.nix
new file mode 100644
index 000000000..7655fa3ee
--- /dev/null
+++ b/templates/boilerplate/hydrajobs/flake-module.nix
@@ -0,0 +1,3 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+_: { flake.hydraJobs = { }; }
diff --git a/templates/boilerplate/modules/flake-module.nix b/templates/boilerplate/modules/flake-module.nix
new file mode 100644
index 000000000..6174729f4
--- /dev/null
+++ b/templates/boilerplate/modules/flake-module.nix
@@ -0,0 +1,10 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# Modules to be exported from Flake
+#
+_: {
+ imports = [ ];
+
+ flake.nixosModules = { };
+}
diff --git a/templates/boilerplate/modules/hardware/default.nix b/templates/boilerplate/modules/hardware/default.nix
new file mode 100644
index 000000000..982744d36
--- /dev/null
+++ b/templates/boilerplate/modules/hardware/default.nix
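Review bot: `nixConfig` ships `substituters` together with `extra-trusted-public-keys` for `cache.vedenemo.dev`, `cache.ssrcdevops.tii.ae` and `ghaf-dev.cachix.org`, which asks every downstream user of the template to accept binaries signed by keys the upstream project operates; Nix prompts for this unless `accept-flake-config` is set, so the trust decision should be documented rather than left silent. Using `substituters` (rather than `extra-substituters`) also replaces the user's own configured cache list instead of extending it. Suggest a comment above the block such as `# Binary caches operated by TII/Ghaf: trusting these keys accepts any store path they sign — remove them if your product must build from source`, and consider `extra-substituters` so local settings are preserved.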
@@ -0,0 +1,152 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +{ + name = "HARDWARE-NAME definition"; + + # All of the following fields should be replaced with the actual values + # that are dependent on the hardware that you wish to run ghaf on. + # the following tools can help you determine the values that you need + # lspci + # lsblk + # lsusb + # udevadm info + # networkctl list + # + host = { + kernelConfig.kernelParams = [ + "intel_iommu=on,sm_on" + "iommu=pt" + "module_blacklist=i915" # Prevent i915 module from being accidentally used by host + "acpi_backlight=vendor" + "acpi_osi=linux" + ]; + }; + + input = { + keyboard = { + name = [ "AT Translated Set 2 keyboard" ]; + evdev = [ "/dev/input/by-path/platform-i8042-serio-0-event-kbd" ]; + }; + + mouse = { + name = [ + [ + "ELAN067C:00 04F3:31F9 Mouse" + "SYNA8016:00 06CB:CEB3 Mouse" + "ELAN067B:00 04F3:31F8 Mouse" + ] + ]; + evdev = [ "/dev/mouse0" ]; + }; + + touchpad = { + name = [ + [ + "ELAN067C:00 04F3:31F9 Touchpad" + "SYNA8016:00 06CB:CEB3 Touchpad" + "ELAN067B:00 04F3:31F8 Touchpad" + ] + ]; + evdev = [ "/dev/touchpad0" ]; + }; + + misc = { + name = [ + "ThinkPad Extra Buttons" + "TPPS/2 Elan TrackPoint" + ]; + evdev = [ + "/dev/input/by-path/platform-i8042-serio-1-event-mouse" + "/dev/input/by-path/platform-thinkpad_acpi-event" + ]; + }; + }; + + disks = { + disk1.device = "/dev/nvme0n1"; + }; + + network.pciDevices = [ + { + # Passthrough Intel WiFi card + path = "0000:00:14.3"; + vendorId = "8086"; + productId = "51f1"; + name = "wlp0s5f0"; + } + ]; + + gpu = { + pciDevices = [ + { + # Passthrough Intel Iris GPU + path = "0000:00:02.0"; + vendorId = "8086"; + productId = "a7a1"; + } + ]; + kernelConfig = { + stage1.kernelModules = [ "i915" ]; + kernelParams = [ "earlykms" ]; + }; + }; + + # With the current implementation, the whole PCI IOMMU group 14: + # 00:1f.x in the example from Lenovo X1 Carbon + # must be defined for passthrough to 
AudioVM + audio = { + pciDevices = [ + { + # ISA bridge: Intel Corporation Raptor Lake LPC/eSPI Controller (rev 01) + path = "0000:00:1f.0"; + vendorId = "8086"; + productId = "519d"; + } + { + # Audio device: Intel Corporation Raptor Lake-P/U/H cAVS (rev 01) + path = "0000:00:1f.3"; + vendorId = "8086"; + productId = "51ca"; + } + { + # SMBus: Intel Corporation Alder Lake PCH-P SMBus Host Controller (rev 01) + path = "0000:00:1f.4"; + vendorId = "8086"; + productId = "51a3"; + } + { + # Serial bus controller: Intel Corporation Alder Lake-P PCH SPI Controller (rev 01) + path = "0000:00:1f.5"; + vendorId = "8086"; + productId = "51a4"; + } + ]; + kernelConfig.kernelParams = [ + "snd_intel_dspcfg.dsp_driver=3" + "snd_sof_intel_hda_common.dmic_num=4" + ]; + }; + + usb = { + internal = [ + { + name = "cam0"; + hostbus = "3"; + hostport = "8"; + } + { + name = "fpr0"; + hostbus = "3"; + hostport = "6"; + } + ]; + external = [ + { + name = "gps0"; + vendorId = "067b"; + productId = "23a3"; + } + ]; + }; +} diff --git a/templates/boilerplate/nix/checks.nix b/templates/boilerplate/nix/checks.nix new file mode 100644 index 000000000..1f6e264b9 --- /dev/null +++ b/templates/boilerplate/nix/checks.nix @@ -0,0 +1,16 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + perSystem = + { pkgs, ... }: + { + checks = { + reuse = pkgs.runCommandLocal "reuse-lint" { buildInputs = [ pkgs.reuse ]; } '' + cd ${../.} + reuse lint + touch $out + ''; + }; + # // (lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages); + }; +} diff --git a/templates/boilerplate/nix/devshell.nix b/templates/boilerplate/nix/devshell.nix new file mode 100644 index 000000000..c2b4d71de --- /dev/null +++ b/templates/boilerplate/nix/devshell.nix 
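Review bot: The audio passthrough list hands `0000:00:1f.0` (LPC/eSPI bridge), `0000:00:1f.4` (SMBus) and `0000:00:1f.5` (PCH SPI controller) to the AudioVM alongside the cAVS device; the comment explains the IOMMU-group constraint but not its consequence, which is that if these entries are actually bound to vfio for the guest, a compromised AudioVM reaches the platform firmware SPI controller and the LPC/SMBus interfaces — a far larger surface than audio. Whether the framework binds every listed device or only the audio function is decided outside this hunk, so it should be verified on the target (`lspci -nnk` showing `vfio-pci` on 1f.0/1f.4/1f.5) and stated in the file, e.g. `# SECURITY: 1f.0/1f.4/1f.5 are platform control interfaces (eSPI/LPC, SMBus, SPI flash); passing them to AudioVM widens its attack surface — confirm which ones are bound to vfio`. Separately, `iommu=pt` in `host.kernelConfig.kernelParams` leaves host-owned devices identity-mapped, so their DMA is not constrained by the IOMMU; a one-line comment on that tradeoff next to the parameter would help anyone adapting this template.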
@@ -0,0 +1,34 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+ imports = [ ];
+ perSystem =
+ {
+ pkgs,
+ inputs',
+ lib,
+ ...
+ }:
+ {
+ devShells.default = pkgs.mkShell {
+ name = "Ghaf derived devshell";
+ packages =
+ builtins.attrValues {
+ inherit (pkgs)
+ alejandra
+ git
+ mdbook
+ nix
+ nixci
+ nixos-rebuild
+ nix-output-monitor
+ nix-tree
+ reuse
+ statix
+ ;
+ }
+ ++ [ inputs'.nix-fast-build.packages.default ]
+ ++ lib.optional (pkgs.hostPlatform.system != "riscv64-linux") pkgs.cachix;
+ };
+ };
+}
diff --git a/templates/boilerplate/nix/flake-module.nix b/templates/boilerplate/nix/flake-module.nix
new file mode 100644
index 000000000..3cde3a865
--- /dev/null
+++ b/templates/boilerplate/nix/flake-module.nix
@@ -0,0 +1,10 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+ imports = [
+ ./checks.nix
+ ./devshell.nix
+ ./nixpkgs.nix
+ ./treefmt.nix
+ ];
+}
diff --git a/templates/boilerplate/nix/nixpkgs.nix b/templates/boilerplate/nix/nixpkgs.nix
new file mode 100644
index 000000000..fecabf1a0
--- /dev/null
+++ b/templates/boilerplate/nix/nixpkgs.nix
@@ -0,0 +1,18 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{ lib, inputs, ... }:
+{
+ perSystem =
+ { system, ... }:
+ {
+ # customise pkgs
+ _module.args.pkgs = import inputs.nixpkgs {
+ inherit system inputs;
+ config = {
+ allowUnfree = true;
+ };
+ };
+ # make custom top-level lib available to all `perSystem` functions
+ _module.args.lib = lib;
+ };
+}
diff --git a/templates/boilerplate/nix/treefmt.nix b/templates/boilerplate/nix/treefmt.nix
new file mode 100644
index 000000000..6483a9b4f
--- /dev/null
+++ b/templates/boilerplate/nix/treefmt.nix
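Review bot: The `import inputs.nixpkgs { ... }` in `nixpkgs.nix` passes no `overlays`, so the `custom-packages` and `cross-compilation` overlays that `overlays/flake-module.nix` exports in the same commit never reach the `pkgs` handed to `perSystem`; if they are meant to apply inside the template and not only to be consumed by other flakes, add `overlays = [ inputs.self.overlays.custom-packages ];` next to `config`. `allowUnfree = true` is applied to every package unconditionally and without explanation; since this file is the starting point for derived products, a comment such as `# allowUnfree: list the packages that need it and review before shipping` would make the licensing decision visible to whoever copies the template.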
@@ -0,0 +1,35 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+ perSystem =
+ { config, pkgs, ... }:
+ {
+ treefmt.config = {
+ package = pkgs.treefmt;
+ inherit (config.flake-root) projectRootFile;
+
+ programs = {
+ # Nix
+ alejandra.enable = true; # nix formatter https://github.com/kamadorueda/alejandra
+ deadnix.enable = true; # removes dead nix code https://github.com/astro/deadnix
+ statix.enable = true; # prevents use of nix anti-patterns https://github.com/nerdypepper/statix
+
+ # Python
+ # It was found out that the best outcome comes from running mulitple
+ # formatters.
+ black.enable = true; # The Classic Python formatter
+ isort.enable = true; # Python import sorter
+ # Ruff, a Python formatter written in Rust (30x faster than Black).
+ # Also provides additional linting.
+ # Do not enable ruff.format = true; because then it won't complaing
+ # about linting errors. The default mode is the check mode.
+ ruff.check = true;
+
+ # Bash
+ shellcheck.enable = true; # lints shell scripts https://github.com/koalaman/shellcheck
+ };
+ };
+
+ formatter = config.treefmt.build.wrapper;
+ };
+}
diff --git a/templates/boilerplate/overlays/README.md b/templates/boilerplate/overlays/README.md
new file mode 100644
index 000000000..769076456
--- /dev/null
+++ b/templates/boilerplate/overlays/README.md
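Review bot: The template enables `alejandra` as the Nix formatter, but the new-side code throughout this commit (`{ config, pkgs, ... }:` on one line, `let` on its own line after `}:`, `[ ]` with inner spaces) is in nixfmt-rfc style, as the `targets/vm/flake-module.nix` hunk converting away from the `}: let` layout shows; running `nix fmt` in a copied template would reflow those files back, so either switch to `nixfmt-rfc-style.enable = true;` here (and replace `alejandra` in `devshell.nix`) or state in a comment why alejandra is intended. The comments also carry typos: `mulitple` → `multiple`, `complaing` → `complain`.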
@@ -0,0 +1,40 @@ + + +# Custom packages overlay + +This overlay is for custom packages - new packages, like Gala, or +fixed/adjusted packages from nixpkgs. The overlay might be used as +an example and starting point for any other overlays. + +# Cross-compilation overlay + +This overlay is for fixes regarding cross-compilation. It is maintained as a +separate overlay, because some of the changes might trigger heavy rebuilds of +packages in nixpkgs. It can then be separately added to cross-compilation +builds. + +## General Requirements + +Use final/prev pair in your overlays instead of other variations +since it looks more logical: +previous (unmodified) package vs final (finalazed, adjusted) package. + +Use deps[X][Y] variations instead of juggling dependencies between +nativeBuildInputs and buildInputs where possible. +It makes things clear and robust. + +# Upstream PR and commit tracking + +Some patches are carried as overlays and others are patches that are cherry-picked +from staging and main into a tiiuae maintained version of nixpkgs + +The status of the integration in nixpkgs can be tracked using the [Pull Request Tracker](https://nixpk.gs/pr-tracker.html) + +## From Overlays + + +## carried in tiiuae/nixpkgs/ diff --git a/templates/boilerplate/overlays/cross-compilation/default.nix b/templates/boilerplate/overlays/cross-compilation/default.nix new file mode 100644 index 000000000..bd0a3dc74 --- /dev/null +++ b/templates/boilerplate/overlays/cross-compilation/default.nix @@ -0,0 +1,8 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +# +# This overlay is for specific fixes needed only to enable cross-compilation. +# +(_final: _prev: { + #some-overlay = import ./some-package {inherit prev;}; +}) diff --git a/templates/boilerplate/overlays/custom-packages/default.nix b/templates/boilerplate/overlays/custom-packages/default.nix new file mode 100644 index 000000000..5d332d0fb --- /dev/null 
+++ b/templates/boilerplate/overlays/custom-packages/default.nix
@@ -0,0 +1,9 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# This overlay patches packages in nixpkgs, and adds in some of the ghaf's
+# packages.
+#
+(_final: _prev: {
+ #some-package = import ./some-package {inherit prev;};
+})
diff --git a/templates/boilerplate/overlays/flake-module.nix b/templates/boilerplate/overlays/flake-module.nix
new file mode 100644
index 000000000..46aabf6be
--- /dev/null
+++ b/templates/boilerplate/overlays/flake-module.nix
@@ -0,0 +1,10 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# Flake module for exporting overlays
+{
+ flake.overlays = {
+ cross-compilation = import ./cross-compilation;
+ custom-packages = import ./custom-packages;
+ };
+}
diff --git a/templates/boilerplate/packages/flake-module.nix b/templates/boilerplate/packages/flake-module.nix
new file mode 100644
index 000000000..2a44c2515
--- /dev/null
+++ b/templates/boilerplate/packages/flake-module.nix
@@ -0,0 +1,9 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+_: {
+ perSystem = _: {
+ # packages = self.lib.platformPkgs system {
+ #some-package = callPackage ./some-package {};
+ # };
+ };
+}
diff --git a/templates/boilerplate/shell.nix b/templates/boilerplate/shell.nix
new file mode 100644
index 000000000..e5368b16b
--- /dev/null
+++ b/templates/boilerplate/shell.nix
@@ -0,0 +1,31 @@ +# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII) +# SPDX-FileCopyrightText: 2020-2023 Eelco Dolstra and the flake-compat contributors +# +# SPDX-License-Identifier: MIT +# This file originates from: +# https://github.com/nix-community/flake-compat +# This file provides backward compatibility to nix < 2.4 clients +{ + system ? builtins.currentSystem, +}: +let + lock = builtins.fromJSON (builtins.readFile ./flake.lock); + + inherit (lock.nodes.flake-compat.locked) + owner + repo + rev + narHash + ; + + flake-compat = fetchTarball { + url = "https://github.com/${owner}/${repo}/archive/${rev}.tar.gz"; + sha256 = narHash; + }; + + flake = import flake-compat { + inherit system; + src = ./.; + }; +in +flake.shellNix diff --git a/templates/boilerplate/targets/flake-module.nix b/templates/boilerplate/targets/flake-module.nix new file mode 100644 index 000000000..bb568bee9 --- /dev/null +++ b/templates/boilerplate/targets/flake-module.nix @@ -0,0 +1,3 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +_: { } diff --git a/templates/flake-module.nix b/templates/flake-module.nix index 9793cac0c..1601f868f 100644 --- a/templates/flake-module.nix +++ b/templates/flake-module.nix @@ -1,7 +1,6 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 { - # TODO rework the templates to match the new modules flake.templates = { # Module template ghaf-module = { 
@@ -9,33 +8,10 @@ description = "A config to bootstrap a Ghaf compatible module"; }; - # A Selection of targets that utilize Ghaf to define more feature rich - # projects/products. - - # ARM targets - target-aarch64-nvidia-orin-agx = { - path = ./targets/aarch64/nvidia/orin-agx; - description = "A Ghaf based configuration for the Nvidia Orin AGX"; - }; - target-aarch64-nvidia-orin-nx = { - path = ./targets/aarch64/nvidia/orin-nx; - description = "A Ghaf based configuration for the Nvidia Orin NX"; - }; - target-aarch64-nxp-imx8 = { - path = ./targets/aarch64/nxp/imx8; - description = "A Ghaf based configuration for the NXP iMX8"; - }; - - # x86 targets - target-x86_64-generic = { - path = ./targets/x86_64/generic; - description = "A Ghaf based configuration for x86_64 targets"; - }; - - # RISC-v targets - target-riscv64-microchip-polarfire = { - path = ./targets/riscv64/microchip/polarfire; - description = "A Ghaf based configuration for the Microchip Polarfire"; + # Boilerplate for a derived project that uses the Ghaf framework + target-boilerplate = { + path = ./boilerplate; + description = "Some boilerplate code to get you started"; }; }; } diff --git a/templates/modules/default.nix b/templates/modules/default.nix index dd0d597c0..0614f7712 100644 --- a/templates/modules/default.nix +++ b/templates/modules/default.nix @@ -6,24 +6,19 @@ # # https://nixos.org/manual/nixos/stable/index.html#sec-writing-modules # -{ - config, - options, - lib, - ... -}: let +{ config, lib, ... }: +let # inherit (builtins) A B C; # inherit (lib) D E F; # inherit (lib.ghaf) G H I; cfg = config.ghaf.X.Y; in - with lib; { - imports = [ - ]; +{ + imports = [ ]; - options.ghaf.X.Y = { - enable = mkEnableOption "Option"; - }; + options.ghaf.X.Y = { + enable = lib.mkEnableOption "Option"; + }; - config = mkIf cfg.enable {}; - } + config = lib.mkIf cfg.enable { }; +} 
diff --git a/templates/targets/aarch64/nvidia/orin-agx/flake.nix b/templates/targets/aarch64/nvidia/orin-agx/flake.nix deleted file mode 100644 index 68f640d00..000000000 --- a/templates/targets/aarch64/nvidia/orin-agx/flake.nix +++ /dev/null 
@@ -1,83 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -{ - description = " - Ghaf based configuration"; - - nixConfig = { - substituters = [ - "https://cache.vedenemo.dev" - "https://cache.ssrcdevops.tii.ae" - "https://ghaf-dev.cachix.org" - "https://cache.nixos.org/" - ]; - extra-trusted-substituters = [ - "https://cache.vedenemo.dev" - "https://cache.ssrcdevops.tii.ae" - "https://ghaf-dev.cachix.org" - "https://cache.nixos.org/" - ]; - extra-trusted-public-keys = [ - "cache.vedenemo.dev:8NhplARANhClUSWJyLVk4WMyy1Wb4rhmWW2u8AejH9E=" - "cache.ssrcdevops.tii.ae:oOrzj9iCppf+me5/3sN/BxEkp5SaFkHfKTPPZ97xXQk=" - "ghaf-dev.cachix.org-1:S3M8x3no8LFQPBfHw1jl6nmP8A7cVWKntoMKN3IsEQY=" - "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" - ]; - }; - - inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; - flake-utils.url = "github:numtide/flake-utils"; - jetpack-nixos = { - url = "github:anduril/jetpack-nixos"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - ghaf = { - url = "github:tiiuae/ghaf"; - inputs = { - nixpkgs.follows = "nixpkgs"; - flake-utils.follows = "flake-utils"; - jetpack-nixos.follows = "jetpack-nixos"; - }; - }; - }; - - outputs = { - self, - ghaf, - nixpkgs, - jetpack-nixos, - flake-utils, - ... - }: let - systems = with flake-utils.lib.system; [ - x86_64-linux - aarch64-linux - ]; - mkFlashScript = import (ghaf + "/lib/mk-flash-script"); - in - # Combine list of attribute sets together - nixpkgs.lib.foldr nixpkgs.lib.recursiveUpdate {} [ - (flake-utils.lib.eachSystem systems (system: { - formatter = nixpkgs.legacyPackages.${system}.alejandra; - })) - - { - nixosConfigurations.PROJ_NAME-ghaf-debug = ghaf.nixosConfigurations.nvidia-jetson-orin-agx-debug.extendModules { - modules = [ - { - #insert your additional modules here e.g. 
- # virtualisation.docker.enable = true; - # users.users."ghaf".extraGroups = ["docker"]; - } - ]; - }; - packages.aarch64-linux.PROJ_NAME-ghaf-debug = self.nixosConfigurations.PROJ_NAME-ghaf-debug.config.system.build.${self.nixosConfigurations.PROJ_NAME-ghaf-debug.config.formatAttr}; - - packages.x86_64-linux.PROJ_NAME-ghaf-debug-flash-script = mkFlashScript { - inherit nixpkgs jetpack-nixos; - hostConfiguration = self.nixosConfigurations.PROJ_NAME-ghaf-debug; - flash-tools-system = flake-utils.lib.system.x86_64-linux; - }; - } - ]; -} diff --git a/templates/targets/aarch64/nvidia/orin-nx/flake.nix b/templates/targets/aarch64/nvidia/orin-nx/flake.nix deleted file mode 100644 index dd0cb2552..000000000 --- a/templates/targets/aarch64/nvidia/orin-nx/flake.nix +++ /dev/null 
@@ -1,83 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -{ - description = "PROJ_NAME - Ghaf based configuration"; - - nixConfig = { - substituters = [ - "https://cache.vedenemo.dev" - "https://cache.ssrcdevops.tii.ae" - "https://ghaf-dev.cachix.org" - "https://cache.nixos.org/" - ]; - extra-trusted-substituters = [ - "https://cache.vedenemo.dev" - "https://cache.ssrcdevops.tii.ae" - "https://ghaf-dev.cachix.org" - "https://cache.nixos.org/" - ]; - extra-trusted-public-keys = [ - "cache.vedenemo.dev:8NhplARANhClUSWJyLVk4WMyy1Wb4rhmWW2u8AejH9E=" - "cache.ssrcdevops.tii.ae:oOrzj9iCppf+me5/3sN/BxEkp5SaFkHfKTPPZ97xXQk=" - "ghaf-dev.cachix.org-1:S3M8x3no8LFQPBfHw1jl6nmP8A7cVWKntoMKN3IsEQY=" - "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" - ]; - }; - - inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; - flake-utils.url = "github:numtide/flake-utils"; - jetpack-nixos = { - url = "github:anduril/jetpack-nixos"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - ghaf = { - url = "github:tiiuae/ghaf"; - inputs = { - nixpkgs.follows = "nixpkgs"; - flake-utils.follows = "flake-utils"; - jetpack-nixos.follows = "jetpack-nixos"; - }; - }; - }; - - outputs = { - self, - ghaf, - nixpkgs, - jetpack-nixos, - flake-utils, - ... - }: let - systems = with flake-utils.lib.system; [ - x86_64-linux - aarch64-linux - ]; - mkFlashScript = import (ghaf + "/lib/mk-flash-script"); - in - # Combine list of attribute sets together - nixpkgs.lib.foldr nixpkgs.lib.recursiveUpdate {} [ - (flake-utils.lib.eachSystem systems (system: { - formatter = nixpkgs.legacyPackages.${system}.alejandra; - })) - - { - nixosConfigurations.PROJ_NAME-ghaf-debug = ghaf.nixosConfigurations.nvidia-jetson-orin-nx-debug.extendModules { - modules = [ - { - #insert your additional modules here e.g. 
- # virtualisation.docker.enable = true; - # users.users."ghaf".extraGroups = ["docker"]; - } - ]; - }; - packages.aarch64-linux.PROJ_NAME-ghaf-debug = self.nixosConfigurations.PROJ_NAME-ghaf-debug.config.system.build.${self.nixosConfigurations.PROJ_NAME-ghaf-debug.config.formatAttr}; - - packages.x86_64-linux.PROJ_NAME-ghaf-debug-flash-script = mkFlashScript { - inherit nixpkgs jetpack-nixos; - hostConfiguration = self.nixosConfigurations.PROJ_NAME-ghaf-debug; - flash-tools-system = flake-utils.lib.system.x86_64-linux; - }; - } - ]; -} diff --git a/templates/targets/aarch64/nxp/imx8/flake.nix b/templates/targets/aarch64/nxp/imx8/flake.nix deleted file mode 100644 index 1c762c9ef..000000000 --- a/templates/targets/aarch64/nxp/imx8/flake.nix +++ /dev/null 
@@ -1,72 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -{ - description = "PROJ_NAME - Ghaf based configuration"; - - nixConfig = { - substituters = [ - "https://cache.vedenemo.dev" - "https://cache.ssrcdevops.tii.ae" - "https://ghaf-dev.cachix.org" - "https://cache.nixos.org/" - ]; - extra-trusted-substituters = [ - "https://cache.vedenemo.dev" - "https://cache.ssrcdevops.tii.ae" - "https://ghaf-dev.cachix.org" - "https://cache.nixos.org/" - ]; - extra-trusted-public-keys = [ - "cache.vedenemo.dev:8NhplARANhClUSWJyLVk4WMyy1Wb4rhmWW2u8AejH9E=" - "cache.ssrcdevops.tii.ae:oOrzj9iCppf+me5/3sN/BxEkp5SaFkHfKTPPZ97xXQk=" - "ghaf-dev.cachix.org-1:S3M8x3no8LFQPBfHw1jl6nmP8A7cVWKntoMKN3IsEQY=" - "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" - ]; - }; - - inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; - flake-utils.url = "github:numtide/flake-utils"; - nixos-hardware.url = "github:nixos/nixos-hardware"; - ghaf = { - url = "github:tiiuae/ghaf"; - inputs = { - nixpkgs.follows = "nixpkgs"; - flake-utils.follows = "flake-utils"; - nixos-hardware.follows = "nixos-hardware"; - }; - }; - }; - - outputs = { - self, - ghaf, - nixpkgs, - flake-utils, - ... - }: let - systems = with flake-utils.lib.system; [ - x86_64-linux - aarch64-linux - ]; - in - # Combine list of attribute sets together - nixpkgs.lib.foldr nixpkgs.lib.recursiveUpdate {} [ - (flake-utils.lib.eachSystem systems (system: { - formatter = nixpkgs.legacyPackages.${system}.alejandra; - })) - - { - nixosConfigurations.PROJ_NAME-ghaf-debug = ghaf.nixosConfigurations.imx8qm-mek-debug.extendModules { - modules = [ - { - #insert your additional modules here e.g. 
- # virtualisation.docker.enable = true; - # users.users."ghaf".extraGroups = ["docker"]; - } - ]; - }; - packages.aarch64-linux.PROJ_NAME-ghaf-debug = self.nixosConfigurations.PROJ_NAME-ghaf-debug.config.system.build.${self.nixosConfigurations.PROJ_NAME-ghaf-debug.config.formatAttr}; - } - ]; -} diff --git a/templates/targets/riscv64/microchip/polarfire/flake.nix b/templates/targets/riscv64/microchip/polarfire/flake.nix deleted file mode 100644 index ab8314803..000000000 --- a/templates/targets/riscv64/microchip/polarfire/flake.nix +++ /dev/null 
@@ -1,77 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -{ - description = "PROJ_NAME - Ghaf based configuration"; - - nixConfig = { - substituters = [ - "https://cache.vedenemo.dev" - "https://cache.ssrcdevops.tii.ae" - "https://ghaf-dev.cachix.org" - "https://cache.nixos.org/" - ]; - extra-trusted-substituters = [ - "https://cache.vedenemo.dev" - "https://cache.ssrcdevops.tii.ae" - "https://ghaf-dev.cachix.org" - "https://cache.nixos.org/" - ]; - extra-trusted-public-keys = [ - "cache.vedenemo.dev:8NhplARANhClUSWJyLVk4WMyy1Wb4rhmWW2u8AejH9E=" - "cache.ssrcdevops.tii.ae:oOrzj9iCppf+me5/3sN/BxEkp5SaFkHfKTPPZ97xXQk=" - "ghaf-dev.cachix.org-1:S3M8x3no8LFQPBfHw1jl6nmP8A7cVWKntoMKN3IsEQY=" - "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" - ]; - }; - - inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11"; - flake-utils.url = "github:numtide/flake-utils"; - nixos-hardware.url = "github:NixOS/nixos-hardware"; - ghaf = { - url = "github:tiiuae/ghaf"; - inputs = { - nixpkgs.follows = "nixpkgs"; - flake-utils.follows = "flake-utils"; - nixos-hardware.follows = "nixos-hardware"; - }; - }; - }; - - outputs = { - self, - ghaf, - nixpkgs, - flake-utils, - ... - }: let - systems = with flake-utils.lib.system; [ - x86_64-linux - riscv64-linux - ]; - in - # Combine list of attribute sets together - nixpkgs.lib.foldr nixpkgs.lib.recursiveUpdate {} [ - (flake-utils.lib.eachSystem systems (system: { - formatter = nixpkgs.legacyPackages.${system}.alejandra; - })) - - { - nixosConfigurations.PROJ_NAME-ghaf-debug = ghaf.nixosConfigurations.microchip-icicle-kit-debug.extendModules { - modules = [ - { - #insert your additional modules here e.g. 
- # virtualisation.docker.enable = true; - # users.users."ghaf".extraGroups = ["docker"]; - } - ({pkgs, ...}: { - environment.systemPackages = with pkgs; [ - #Add additional system packages here - ]; - }) - ]; - }; - packages.riscv64-linux.PROJ_NAME-ghaf-debug = self.nixosConfigurations.PROJ_NAME-ghaf-debug.config.system.build.sdImage; - } - ]; -} diff --git a/templates/targets/x86_64/generic/flake.nix b/templates/targets/x86_64/generic/flake.nix deleted file mode 100644 index 1fc90ce33..000000000 --- a/templates/targets/x86_64/generic/flake.nix +++ /dev/null 
@@ -1,75 +0,0 @@
-# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
-# SPDX-License-Identifier: Apache-2.0
-{
- description = "PROJ_NAME - Ghaf based configuration";
-
- nixConfig = {
- substituters = [
- "https://cache.vedenemo.dev"
- "https://cache.ssrcdevops.tii.ae"
- "https://ghaf-dev.cachix.org"
- "https://cache.nixos.org/"
- ];
- extra-trusted-substituters = [
- "https://cache.vedenemo.dev"
- "https://cache.ssrcdevops.tii.ae"
- "https://ghaf-dev.cachix.org"
- "https://cache.nixos.org/"
- ];
- extra-trusted-public-keys = [
- "cache.vedenemo.dev:8NhplARANhClUSWJyLVk4WMyy1Wb4rhmWW2u8AejH9E="
- "cache.ssrcdevops.tii.ae:oOrzj9iCppf+me5/3sN/BxEkp5SaFkHfKTPPZ97xXQk="
- "ghaf-dev.cachix.org-1:S3M8x3no8LFQPBfHw1jl6nmP8A7cVWKntoMKN3IsEQY="
- "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
- ];
- };
-
- inputs = {
- nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
- flake-utils.url = "github:numtide/flake-utils";
- nixos-hardware.url = "github:nixos/nixos-hardware";
- ghaf = {
- url = "github:tiiuae/ghaf";
- inputs = {
- nixpkgs.follows = "nixpkgs";
- flake-utils.follows = "flake-utils";
- nixos-hardware.follows = "nixos-hardware";
- };
- };
- };
-
- outputs = {
- self,
- ghaf,
- nixpkgs,
- flake-utils,
- ...
- }: let
- systems = with flake-utils.lib.system; [
- x86_64-linux
- ];
- in
- # Combine list of attribute sets together
- nixpkgs.lib.foldr nixpkgs.lib.recursiveUpdate {} [
- (flake-utils.lib.eachSystem systems (system: {
- formatter = nixpkgs.legacyPackages.${system}.alejandra;
- }))
-
- {
- nixosConfigurations.PROJ_NAME-ghaf-debug = ghaf.nixosConfigurations.generic-x86_64-debug.extendModules {
- modules = [
- {
- #insert your additional modules here e.g.
- # virtualisation.docker.enable = true;
- # users.users."ghaf".extraGroups = ["docker"];
-
- # To handle the majority of laptops we need a little something extra
- # TODO:: SEE: https://github.com/NixOS/nixos-hardware/blob/master/flake.nix
- # nixos-hardware.nixosModules.lenovo-thinkpad-x1-10th-gen
- }
- ];
- };
- packages.x86_64-linux.PROJ_NAME-ghaf-debug = self.nixosConfigurations.PROJ_NAME-ghaf-debug.config.system.build.${self.nixosConfigurations.PROJ_NAME-ghaf-debug.config.formatAttr};
- }
- ];
-}
