diff --git a/.envrc.recommended b/.envrc.recommended index 3e08e17..3550a30 100644 --- a/.envrc.recommended +++ b/.envrc.recommended @@ -1,3 +1 @@ -nix_direnv_manual_reload use flake -dotenv_if_exists diff --git a/.gitignore b/.gitignore index 97ab6ac..08acf41 100644 --- a/.gitignore +++ b/.gitignore @@ -4,7 +4,6 @@ .task /result /target -/out .*.swp .*.swo .nixos-test-history diff --git a/.woodpecker/ci.yaml b/.woodpecker/ci.yaml index 3099d84..606a477 100644 --- a/.woodpecker/ci.yaml +++ b/.woodpecker/ci.yaml @@ -6,6 +6,17 @@ when: steps: check: - image: docker.io/nixpkgs/nix-flakes:nixos-24.05 + image: docker.io/nixpkgs/nix-flakes:nixos-25.05 commands: - nix flake check + + sign: + image: docker.io/nixpkgs/nix-flakes:nixos-25.05 + environment: + DB_KEY: + from_secret: secure_boot_key + DB_CRT: + from_secret: secure_boot_crt + commands: + - ./scripts/sign-release.sh + diff --git a/flake.lock b/flake.lock index affeabc..2cb3583 100644 --- a/flake.lock +++ b/flake.lock @@ -1,30 +1,12 @@ { "nodes": { - "flake-utils": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "nixpkgs": { "locked": { - "lastModified": 1746904237, - "narHash": "sha256-3e+AVBczosP5dCLQmMoMEogM57gmZ2qrVSrmq9aResQ=", + "lastModified": 1737469691, + "narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d89fc19e405cb2d55ce7cc114356846a0ee5e956", + "rev": "9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab", "type": "github" }, "original": { 
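Review bot: The new `sign` step receives the Secure Boot DB private key (`DB_KEY`) and certificate through environment variables but carries no `when` condition of its own, so whether it runs only for trusted events depends on the pipeline-level `when:` block that the hunk header references but does not show. Signing on pull-request or untrusted-branch events would let repository code run in the same environment as the key, so the step should be restricted to tag or protected-branch pushes, e.g. `when: - event: [push, tag] branch: main`, and the `secure_boot_key`/`secure_boot_crt` secrets should be withheld from pull-request events in the Woodpecker secret settings. `./scripts/sign-release.sh` is not part of this diff, so it cannot be checked here; it should write the key to a mode-0600 temporary file that is removed on exit and must not run with `set -x`.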
@@ -36,24 +18,8 @@ }, "root": { "inputs": { - "flake-utils": "flake-utils", "nixpkgs": "nixpkgs" } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 99fce5b..e5f4787 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,104 +2,93 @@ description = "PatOS is a minimal, immutable Linux distribution specialized for the Patagia Platform."; inputs = { - flake-utils.url = "github:numtide/flake-utils"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; }; outputs = + { self, nixpkgs }: + let + releaseVersion = "0.0.1"; + system = "x86_64-linux"; + updateUrl = "https://images.dl.patagia.dev/patos/"; + pkgs = import nixpkgs { inherit system; }; + in { - self, - flake-utils, - nixpkgs, - }: - flake-utils.lib.eachDefaultSystem ( - system: - let - pkgs = import nixpkgs { inherit system; }; - patosPkgs = self.packages.${system}; - version = "0.0.1"; - secureBoot = "false"; - cpuArch = "intel"; - updateUrl = "http://10.0.2.2:8000/"; - in - { - packages = { - default = patosPkgs.image; - image = pkgs.callPackage ./pkgs/image { inherit patosPkgs version updateUrl cpuArch secureBoot; }; - rootfs = pkgs.callPackage ./pkgs/rootfs/mkrootfs.nix { inherit patosPkgs version; }; - initrd = pkgs.callPackage ./pkgs/rootfs/mkinitrd.nix { inherit patosPkgs version; }; - kernel = pkgs.callPackage ./pkgs/kernel { }; - glibc = pkgs.callPackage ./pkgs/glibc { }; - busybox = pkgs.callPackage ./pkgs/busybox { }; - openssl = pkgs.callPackage ./pkgs/openssl { }; - cert = pkgs.callPackage ./pkgs/cert { }; - kexec = pkgs.callPackage ./pkgs/kexec-tools { }; - lvm2 = pkgs.callPackage ./pkgs/lvm2 { }; - tpm2-tools = pkgs.callPackage ./pkgs/tpm2-tools { inherit patosPkgs; }; - tpm2-tss = pkgs.callPackage ./pkgs/tpm2-tss { }; - systemd = pkgs.callPackage ./pkgs/systemd { }; - dbus-broker = pkgs.callPackage ./pkgs/dbus-broker { }; + nixosModules.devel.imports = [ + ./modules/profiles/devel.nix + ]; - qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { }; + nixosModules.server.imports = [ + ./modules/profiles/server.nix + ]; - debug-tools-sysext = pkgs.callPackage ./lib/make-sysext.nix { - name = "debug-tools"; - version = "0.0.1"; - packages = [ - { drv = pkgs.curl; path = "bin/curl"; } - { drv = pkgs.bash; 
path = "bin/bash"; } - { drv = patosPkgs.glibc; path = "bin/ldd"; } - { drv = pkgs.keyutils; path = "bin/keyctl"; } - { drv = pkgs.gnutar; path = "bin/tar"; } - { drv = pkgs.binutils-unwrapped; path = "bin/strings"; } - { drv = pkgs.strace; path = "bin/strace"; } - { drv = patosPkgs.tpm2-tools; path = "bin/tpm2"; } - { drv = patosPkgs.openssl; path = "bin/openssl"; } - { drv = pkgs.cryptsetup; path = "bin/cryptsetup"; } - { drv = pkgs.cryptsetup; path = "bin/veritysetup"; } - { drv = pkgs.erofs-utils; path = "bin/mkfs.erofs"; } - # shared lib required for cryptsetup - { drv = pkgs.popt; path = "lib/libpopt.so.0.0.2"; } - { drv = pkgs.popt; path = "lib/libpopt.so.0"; } - { drv = pkgs.popt; path = "lib/libpopt.so"; } - # shared lib required for mkfs.erofs - { drv = pkgs.lz4.lib; path = "lib/liblz4.so.1.10.0"; } - { drv = pkgs.lz4.lib; path = "lib/liblz4.so.1"; } - { drv = pkgs.lz4.lib; path = "lib/liblz4.so"; } - # shared lib required for binutils - { drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1.0.0"; } - { drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1"; } - { drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd-2.43.1.so"; } - { drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd.so"; } - # shared lib required for strace - { drv = pkgs.elfutils.out; path = "lib/libdw-0.192.so"; } - { drv = pkgs.elfutils.out; path = "lib/libdw.so.1"; } - { drv = pkgs.elfutils.out; path = "lib/libdw.so"; } - { drv = pkgs.elfutils.out; path = "lib/libelf-0.192.so"; } - { drv = pkgs.elfutils.out; path = "lib/libelf.so.1"; } - { drv = pkgs.elfutils.out; path = "lib/libelf.so"; } + nixosModules.image.imports = [ + ./modules + ./modules/profiles/base.nix + ./modules/image + ]; + + packages.${system} = { + devel = + (nixpkgs.lib.nixosSystem { + modules = [ + ( + { ... 
}: + { + nixpkgs.hostPlatform = system; + system.stateVersion = "25.05"; + } + ) + { + system.image.updates.url = "${updateUrl}"; + system.image.id = "patos"; + system.image.version = releaseVersion; + image.compress = false; + } + self.nixosModules.image + self.nixosModules.devel ]; - }; - }; + }).config.system.build.updatePackage; - checks = { - simple-test = pkgs.runCommand "simple-test" { } '' - ${self.packages.${system}.default}/bin/my-program - touch $out - ''; - }; + patos = + (nixpkgs.lib.nixosSystem { + modules = [ + ( + { ... }: + { + nixpkgs.hostPlatform = system; + system.stateVersion = "25.05"; + } + ) + { + system.image.updates.url = "${updateUrl}"; + system.image.id = "patos"; + system.image.version = releaseVersion; + } + self.nixosModules.image + self.nixosModules.server + ]; + }).config.system.build.updatePackage; - formatter = pkgs.nixpkgs-fmt; + qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { inherit pkgs; }; + }; - devShells.default = pkgs.mkShell { - buildInputs = with pkgs; [ - just - nixd - nixfmt-rfc-style - patosPkgs.qemu-uefi-tpm - ]; - }; + checks.${system} = { + podman = import ./tests/podman.nix { inherit pkgs self; }; + system-update = import ./tests/system-update.nix { inherit pkgs self; }; + }; - } - ); + devShells.${system}.default = pkgs.mkShell { + buildInputs = with pkgs; [ + efitools + erofs-utils + just + openssl + sbsigntool + self.packages.${system}.qemu-uefi-tpm + squashfs-tools-ng + ]; + }; + + }; } diff --git a/keys/DB.auth b/keys/DB.auth new file mode 100644 index 0000000..d8ce304 Binary files /dev/null and b/keys/DB.auth differ diff --git a/keys/KEK.auth b/keys/KEK.auth new file mode 100644 index 0000000..1e01cd3 Binary files /dev/null and b/keys/KEK.auth differ diff --git a/keys/PK.auth b/keys/PK.auth new file mode 100644 index 0000000..77ce10f Binary files /dev/null and b/keys/PK.auth differ diff --git a/lib/make-sysext.nix b/lib/make-sysext.nix deleted file mode 100644 index 6de1e63..0000000 
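Review bot: Both `devel` and `patos` set `system.image.id = "patos"` and the same `updateUrl`, so the devel update package (autologin `admin` user, uncompressed image) produces `patos_<version>_<uuid>.root`/`.verity` files that are indistinguishable by name from the server ones, and a devel artifact uploaded to the release URL would match the server devices' sysupdate patterns. Give the devel build a distinct id (`patos-devel`) so its artifact names and its own update channel stay separate; the UKI file name comes from `boot.uki.name = "patos"` in modules/image/default.nix and would need the same treatment. The two `nixosSystem` calls also repeat the same inline module, so a small helper removes the duplication and makes the id an explicit parameter, as sketched below; `"${updateUrl}"` can be plain `updateUrl`.
```nix
  let
    # … unchanged: releaseVersion, system, updateUrl, pkgs …

    # Build one update package; imageId keeps devel and server artifacts apart.
    mkUpdatePackage =
      { imageId, profile, compress ? true }:
      (nixpkgs.lib.nixosSystem {
        modules = [
          {
            nixpkgs.hostPlatform = system;
            system.stateVersion = "25.05";
            system.image.updates.url = updateUrl;
            system.image.id = imageId;
            system.image.version = releaseVersion;
            image.compress = compress;
          }
          self.nixosModules.image
          profile
        ];
      }).config.system.build.updatePackage;
  in
  {
    # … unchanged: nixosModules.* …

    packages.${system} = {
      devel = mkUpdatePackage { imageId = "patos-devel"; profile = self.nixosModules.devel; compress = false; };
      patos = mkUpdatePackage { imageId = "patos"; profile = self.nixosModules.server; };
      # … unchanged: qemu-uefi-tpm …
    };
    # … unchanged: checks, devShells …
```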
--- a/lib/make-sysext.nix +++ /dev/null @@ -1,91 +0,0 @@ -{ - lib, - runCommand, - pkgs, - - name, - packages, - osId ? "patos", - version ? null, -}: - - -let - metadata = { - ID = osId; - VERSION_ID = osId; - IMAGE_ID = name; - IMAGE_VERSION = version; - }; - - metadataFile = lib.concatStringsSep "\n" ( - lib.mapAttrsToList (k: v: "${k}=${v}") (lib.filterAttrs (_: v: v != null) metadata) - ); - - doCopy = - { - drv, - prefix ? "usr", - path, - destpath ? null, - }: - "do_copy ${prefix} ${drv} ${path}" + lib.optionalString (destpath != null) " ${destpath}"; - -in - -runCommand name - { - passthru.name = name; - inherit metadataFile; - passAsFile = [ "metadataFile" ]; - - buildInputs = [ - pkgs.erofs-utils - pkgs.cryptsetup - ]; - - } - '' - do_copy () { - local prefix="$1" - local drv="$2" - local path="$3" - local destpath="''${4:-$path}" - - local srcfile - local destdir - local destfile - srcfile="$drv/$path" - destfile="$out/tree/$prefix/$destpath" - destdir="$(dirname -- "$destfile")" - - mkdir -pv "$destdir" - cp -Pv "$srcfile" "$destfile" - - chmod 755 "$destfile" - patchelf --set-rpath /usr/lib $destfile || true - patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 $destfile || true - } - - mkdir -p $out/tree - - ${lib.concatStringsSep "\n" (map doCopy packages)} - - # bake metadata into the structure - if ! [ -f $out/tree/usr/lib/extension-release.d/extension-release."${name}" ]; then - mkdir -p $out/tree/usr/lib/extension-release.d - cat "$metadataFilePath" > $out/tree/usr/lib/extension-release.d/extension-release."${name}" - fi - - pushd $out - find tree -type d -exec chmod 0755 {} \; - mkfs.erofs --all-root $name.raw tree/ - veritysetup format --root-hash-file $name.roothash $name.raw $name.verity - # TODO: pcks7 signature - # openssl smime -sign -nocerts -noattr -binary -in ${name}.roothash \ - # -inkey key.pem -signer cert.pem -outform der -out ${name}.roothash.p7s - rm -rf tree - sha256sum * > SHA256SUMS - # TODO: add gpg signature - popd - '' 
diff --git a/modules/config/minimal-modules.nix b/modules/config/minimal-modules.nix new file mode 100644 index 0000000..45bdb1f --- /dev/null +++ b/modules/config/minimal-modules.nix @@ -0,0 +1,15 @@ +{ config, ... }: +{ + boot = { + bootspec.enable = false; + initrd.kernelModules = config.boot.kernelModules; + kernel.enable = false; # No kernel or modules in the rootfs + modprobeConfig.enable = false; + }; + + system.build = { + inherit (config.boot.kernelPackages) kernel; + }; + + system.modulesTree = [ config.boot.kernelPackages.kernel ] ++ config.boot.extraModulePackages; +} diff --git a/modules/config/minimal-system.nix b/modules/config/minimal-system.nix new file mode 100644 index 0000000..e77476b --- /dev/null +++ b/modules/config/minimal-system.nix @@ -0,0 +1,26 @@ +{ ... }: +{ + + nixpkgs.overlays = [ + (final: prev: { + + composefs = final.callPackage ../../pkgs/composefs.nix { inherit prev; }; + qemu_tiny = final.callPackage ../../pkgs/qemu.nix { inherit prev; }; + systemdUkify = final.callPackage ../../pkgs/systemd-ukify.nix { inherit prev; }; + + # # FIXME: Revisit + refine these below in a future image minimization effort + # + # util-linux = prev.util-linux.override { + # ncursesSupport = false; + # nlsSupport = false; + # }; + # + # dbus = prev.dbus.override { + # enableSystemd = false; + # x11Support = false; + # }; + + }) + ]; + +} diff --git a/modules/default.nix b/modules/default.nix new file mode 100644 index 0000000..0a1a5e0 --- /dev/null +++ b/modules/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./config/minimal-modules.nix + ./config/minimal-system.nix + ]; +} diff --git a/modules/image/builder.nix b/modules/image/builder.nix new file mode 100644 index 0000000..65dc08a --- /dev/null +++ b/modules/image/builder.nix 
@@ -0,0 +1,197 @@ +{ + config, + lib, + options, + pkgs, + ... +}: +let + inherit (pkgs.stdenv.hostPlatform) efiArch; + + initialPartitions = { + "10-root" = { + storePaths = [ config.system.build.toplevel ]; + repartConfig = { + Type = "root"; + Minimize = "best"; + Format = "erofs"; + MakeDirectories = "/home /root /etc /dev /sys /bin /var /proc /run /usr /usr/bin /srv /tmp /mnt /lib /efi"; + Verity = "data"; + VerityMatchKey = "root"; + SplitName = "root"; + }; + }; + + "20-root-verity" = { + repartConfig = { + Type = "root-verity"; + Minimize = "best"; + Verity = "hash"; + VerityMatchKey = "root"; + SplitName = "verity"; + }; + }; + }; + + # TODO: We don't need a combined image here - add dry-run flag to repart invocation + verityRepart = import (pkgs.path + "/nixos/lib/eval-config.nix") { + inherit lib pkgs; + system = null; + modules = [ + ( + { modulesPath, ... }: + { + imports = [ (modulesPath + "/image/repart.nix") ]; + image.repart = { + name = "verity"; + split = true; + mkfsOptions = lib.mkIf config.image.compress { + erofs = [ + "-zlz4hc,level=12" + "-Efragments,dedupe,ztailpacking" + ]; + }; + partitions = initialPartitions; + }; + } + ) + ]; + }; + + rootPart = "${verityRepart.config.system.build.image}/${verityRepart.config.image.repart.imageFileBasename}.root.raw"; + verityPart = "${verityRepart.config.system.build.image}/${verityRepart.config.image.repart.imageFileBasename}.verity.raw"; + + verityImgAttrs = builtins.fromJSON ( + builtins.readFile "${verityRepart.config.system.build.image}/repart-output.json" + ); + rootAttrs = builtins.elemAt verityImgAttrs 0; + verityAttrs = builtins.elemAt verityImgAttrs 1; + + rootUuid = rootAttrs.uuid; + verityUuid = verityAttrs.uuid; + verityRootHash = rootAttrs.roothash; + + finalPartitions = { + "10-esp" = { + contents = { + "/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source = "${pkgs.systemdUkify}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi"; + "/EFI/Linux/${config.system.boot.loader.ukiFile}".source = 
"${config.system.build.uki}/${config.system.boot.loader.ukiFile}"; + "/EFI/loader/keys/patos".source = ../../keys; + "/EFI/memtest86/memtest86.efi".source = "${pkgs.memtest86plus}/memtest.efi"; + "/loader/entries/patos-factory-reset.conf".source = pkgs.writeText "patos-factory-reset.conf" '' + title Patos Factory Reset + efi /EFI/Linux/${config.system.boot.loader.ukiFile} + options ${toString config.boot.kernelParams} systemd.factory_reset=yes + sort-key z_factory_reset + ''; + "/loader/entries/memtest86.conf".source = pkgs.writeText "memtest86.conf" '' + title Memtest86+ + efi /EFI/memtest86/memtest86.efi + options console=ttyS0 + sort-key z_memtest + ''; + "/loader/loader.conf".source = pkgs.writeText "loader.conf" '' + timeout 2 + ''; + }; + repartConfig = { + Type = "esp"; + Format = "vfat"; + SizeMinBytes = "96M"; + SizeMaxBytes = "96M"; + SplitName = "-"; + }; + }; + "20-root-verity-a" = { + repartConfig = { + Type = "root-verity"; + Label = "verity-${config.system.image.version}"; + CopyBlocks = "${verityPart}"; + SplitName = "-"; + SizeMinBytes = "64M"; + SizeMaxBytes = "64M"; + UUID = "${verityUuid}"; + ReadOnly = 1; + }; + }; + # TODO: Add signature partition for systemd-nspawn + "22-root-a" = { + repartConfig = { + Type = "root"; + Label = "root-${config.system.image.version}"; + CopyBlocks = "${rootPart}"; + SplitName = "-"; + UUID = "${rootUuid}"; + ReadOnly = 1; + }; + }; + }; + + finalRepart = import (pkgs.path + "/nixos/lib/eval-config.nix") { + inherit lib pkgs; + system = null; + modules = [ + ( + { modulesPath, ... }: + { + imports = [ (modulesPath + "/image/repart.nix") ]; + image.repart = { + name = "${config.system.image.id}"; + partitions = finalPartitions; + }; + } + ) + ]; + }; + +in +{ + + # This fields is immutable by default, but can be overridden. 
+ options.system.nixos.codeName = lib.mkOption { readOnly = false; }; + options.system.nixos.release = lib.mkOption { readOnly = false; }; + + # FIXME: Should be configured somehow + config.system.nixos = { + codeName = "Finn"; + distroId = "patos"; + distroName = "PatOS"; + release = "2024-11"; + variant_id = "server"; + variantName = "Server"; + vendorName = "PatOS"; + }; + + options.image.compress = lib.mkEnableOption "image compression" // { + default = true; + }; + + config.system.build = { + inherit verityRootHash; + + image = + (pkgs.linkFarm "image-release" [ + { + name = "${config.system.image.id}_${config.system.image.version}.efi"; + path = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}"; + } + { + name = "${config.system.image.id}_${config.system.image.version}_${verityUuid}.verity"; + path = "${verityRepart.config.system.build.image}/${verityRepart.config.image.repart.imageFileBasename}.verity.raw"; + } + { + name = "${config.system.image.id}_${config.system.image.version}_${rootUuid}.root"; + path = "${verityRepart.config.system.build.image}/${verityRepart.config.image.repart.imageFileBasename}.root.raw"; + } + { + name = "${config.system.image.id}_${config.system.image.version}.img"; + path = "${finalRepart.config.system.build.image}/${finalRepart.config.image.repart.imageFileBasename}.raw"; + } + ]) + // { + imageFile = "${config.system.image.id}_${config.system.image.version}.img"; + }; + + }; + +} diff --git a/modules/image/default.nix b/modules/image/default.nix new file mode 100644 index 0000000..dc705e9 --- /dev/null +++ b/modules/image/default.nix 
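Review bot: The `patos-factory-reset.conf` entry relies on `options … systemd.factory_reset=yes` being passed to a UKI, but with Secure Boot enabled systemd-stub is expected to ignore a command line supplied by the boot loader, so once the keys copied to `/EFI/loader/keys/patos` are enrolled this entry would likely boot the normal system without resetting; verify on a Secure-Boot-enabled VM and, if confirmed, ship a second UKI or a signed command-line addon for the reset path instead. `rootAttrs`/`verityAttrs` are taken from `repart-output.json` by position (`elemAt … 0`/`1`), which silently yields the wrong partition if repart ever reorders its output; selecting by the entry's `type` field, or asserting on it, would make a mismatch loud. `loader.conf` only sets `timeout 2`, so enrollment of the copied keys stays at systemd-boot's default (manual) unless `secure-boot-enroll` is set — a comment stating which behaviour is intended would help. The comment `# This fields is immutable by default, but can be overridden.` should read `# These fields are read-only upstream; re-declared writable so the values below can be set.`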
@@ -0,0 +1,136 @@ +{ + config, + lib, + pkgs, + ... +}: +{ + + imports = [ + ./updater.nix + ./builder.nix + ./veritysetup.nix + ]; + + system.build.updatePackage = pkgs.runCommand "update-package" { } '' + mkdir "$out" + cd "$out" + cp "${config.system.build.image}"/* . + ${pkgs.coreutils}/bin/sha256sum * > SHA256SUMS + ''; + + systemd.repart.partitions = { + "10-esp" = { + Type = "esp"; + Format = "vfat"; + SizeMinBytes = "96M"; + SizeMaxBytes = "96M"; + }; + "20-root-verity-a" = { + Type = "root-verity"; + SizeMinBytes = "64M"; + SizeMaxBytes = "64M"; + }; + "22-root-a" = { + Type = "root"; + SizeMinBytes = "512M"; + SizeMaxBytes = "512M"; + }; + "30-root-verity-b" = { + Type = "root-verity"; + SizeMinBytes = "64M"; + SizeMaxBytes = "64M"; + Label = "_empty"; + ReadOnly = 1; + }; + "32-root-b" = { + Type = "root"; + SizeMinBytes = "512M"; + SizeMaxBytes = "512M"; + Label = "_empty"; + ReadOnly = 1; + }; + "40-var" = { + Type = "var"; + UUID = "4d21b016-b534-45c2-a9fb-5c16e091fd2d"; # Well known + Format = "btrfs"; + Label = "patos-state"; + Minimize = "off"; + FactoryReset = "yes"; + Encrypt = "tpm2"; + SizeMinBytes = "2G"; + SplitName = "-"; + }; + }; + + boot.loader.grub.enable = false; + boot.loader.efi.canTouchEfiVariables = true; + boot.loader.systemd-boot.enable = true; + boot.uki.name = "patos"; + + boot.initrd = { + compressor = "zstd"; + compressorArgs = [ "-8" ]; + + luks.forceLuksSupportInInitrd = true; + kernelModules = [ + "dm_mod" + "dm_crypt" + ] ++ config.boot.initrd.luks.cryptoModules; + + supportedFilesystems = { + btrfs = true; + erofs = true; + }; + + systemd.enable = true; + systemd.repart.enable = true; + systemd.services.systemd-repart = { + after = lib.mkForce [ "sysroot.mount" ]; + requires = [ "sysroot.mount" ]; + serviceConfig.Environment = [ + "SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard" + ]; + }; + }; + + system.etc.overlay.mutable = false; + users.mutableUsers = false; + + boot.kernelParams = [ + "rootfstype=erofs" + 
"rootflags=ro" + "roothash=${config.system.build.verityRootHash}" + ]; + + fileSystems = + let + parts = config.systemd.repart.partitions; + in + { + "/var" = { + fsType = parts."40-var".Format; + device = "/dev/mapper/var"; + encrypted = { + enable = true; + blkDev = "/dev/disk/by-partuuid/${parts."40-var".UUID}"; + label = "var"; + }; + }; + }; + + # Required to mount the efi partition + boot.kernelModules = [ + "vfat" + "nls_cp437" + "nls_iso8859-1" + ]; + + environment.etc."machine-id" = { + text = ""; + mode = "0755"; + }; + + # Refuse to boot on mount failure + systemd.targets."sysinit".requires = [ "local-fs.target" ]; +} diff --git a/modules/image/updater.nix b/modules/image/updater.nix new file mode 100644 index 0000000..f3c1226 --- /dev/null +++ b/modules/image/updater.nix 
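Review bot: `system.build.updatePackage` publishes the image files with only an unsigned `SHA256SUMS`, and every transfer in modules/image/updater.nix sets `Transfer.Verify = "no"`, so a device fetching from `system.image.updates.url` has nothing but TLS between it and a swapped root/verity/UKI image; the new CI `sign` step may be meant to cover this, but its script is not in the diff. systemd-sysupdate's default `Verify=yes` checks a detached `SHA256SUMS.gpg` against the import keyring (`import-pubring.gpg`), so the update package should ship that signature and the transfers should drop `Verify = "no"` once the keyring is installed in the image. Separately, `environment.etc."machine-id".mode = "0755"` gives a regular file the executable bits; `"0444"` (or the default) is what is meant. The `40-var` partition is created with `Encrypt = "tpm2"` but no PCR selection is visible, so the binding relies on systemd-repart's default policy — a comment stating the intended PCR policy would help anyone reviewing the boot chain.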
@@ -0,0 +1,87 @@ +{ config, lib, ... }: +{ + + options.system.image.updates = { + enable = lib.mkEnableOption "system updates via systemd-sysupdate" // { + default = config.system.image.updates.url != null; + }; + url = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + }; + }; + + config = lib.mkIf config.system.image.updates.enable { + + assertions = [ + { assertion = config.system.image.updates.url != null; } + ]; + + systemd.sysupdate.enable = true; + systemd.sysupdate.reboot.enable = lib.mkDefault true; + + systemd.sysupdate.transfers = { + "10-uki" = { + Transfer = { + Verify = "no"; + }; + Source = { + Type = "url-file"; + Path = "${config.system.image.updates.url}"; + MatchPattern = "${config.boot.uki.name}_@v.efi"; + }; + Target = { + Type = "regular-file"; + Path = "/EFI/Linux"; + PathRelativeTo = "esp"; + MatchPattern = "${config.boot.uki.name}_@v+@l-@d.efi ${config.boot.uki.name}_@v+@l.efi ${config.boot.uki.name}_@v.efi"; + Mode = "0444"; + TriesLeft = 3; + TriesDone = 0; + InstancesMax = 2; + }; + }; + "20-root-verity" = { + Transfer = { + Verify = "no"; + }; + Source = { + Type = "url-file"; + Path = "${config.system.image.updates.url}"; + MatchPattern = "${config.system.image.id}_@v_@u.verity"; + }; + Target = { + Type = "partition"; + Path = "auto"; + MatchPattern = "verity-@v"; + MatchPartitionType = "root-verity"; + ReadOnly = 1; + }; + }; + "22-root" = { + Transfer = { + Verify = "no"; + }; + Source = { + Type = "url-file"; + Path = "${config.system.image.updates.url}"; + MatchPattern = "${config.system.image.id}_@v_@u.root"; + }; + Target = { + Type = "partition"; + Path = "auto"; + MatchPattern = "root-@v"; + MatchPartitionType = "root"; + ReadOnly = 1; + }; + }; + }; + + systemd.additionalUpstreamSystemUnits = [ + "systemd-bless-boot.service" + "boot-complete.target" + ]; + + }; + +} diff --git a/modules/image/veritysetup.nix b/modules/image/veritysetup.nix new file mode 100644 index 0000000..1505b45 --- /dev/null 
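Review bot: The assertion `{ assertion = config.system.image.updates.url != null; }` has no `message`, so when it fails the evaluation error is "attribute 'message' missing" rather than an explanation; add `message = "system.image.updates.enable requires system.image.updates.url to be set";`. Since `enable` defaults to `url != null`, the assertion only fires when someone sets `enable = true` explicitly without a URL, which is worth saying in a comment above it. `url` is typed `nullOr str`, so an `http://` or `file://` value is accepted; `lib.types.nullOr (lib.types.strMatching "^https://.*")` would keep the transport guarantee that the `https://` default in flake.nix relies on, given that `Verify = "no"` on every transfer leaves TLS as the only integrity check.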
+++ b/modules/image/veritysetup.nix @@ -0,0 +1,39 @@ +{ config, lib, ... }: +{ + + options.boot.initrd.systemd.root = lib.mkOption { + type = lib.types.enum [ + "fstab" + "gpt-auto" + "" + ]; + }; + + config.boot.initrd = { + + kernelModules = [ + "dm_mod" + "dm_verity" + ]; + + systemd = { + + # Required to activate systemd-fstab-generator + root = ""; + + additionalUpstreamUnits = [ + "veritysetup-pre.target" + "veritysetup.target" + "remote-veritysetup.target" + ]; + + storePaths = [ + "${config.boot.initrd.systemd.package}/lib/systemd/systemd-veritysetup" + "${config.boot.initrd.systemd.package}/lib/systemd/system-generators/systemd-veritysetup-generator" + ]; + + }; + + }; + +} diff --git a/modules/profiles/base.nix b/modules/profiles/base.nix new file mode 100644 index 0000000..419c55d --- /dev/null +++ b/modules/profiles/base.nix 
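Review bot: `options.boot.initrd.systemd.root` re-declares an option that nixpkgs already defines, and the module appears to rely on the module system merging the two enum declarations so that `root = ""` becomes a valid value; nothing in the file says so, and `""` has no description. Add above the option `# Widens nixpkgs' boot.initrd.systemd.root enum with "" so the fstab generator (not gpt-auto) assembles the verity root; the module system merges the two declarations.` and a `description` on the `mkOption`. The `storePaths` entries hard-code `lib/systemd/systemd-veritysetup` and the generator path inside `boot.initrd.systemd.package`; a short comment that both must exist in that package (or verity activation silently never runs) would help the next systemd upgrade.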
@@ -0,0 +1,95 @@ +{ + config, + lib, + pkgs, + modulesPath, + ... +}: +{ + imports = [ + (modulesPath + "/profiles/image-based-appliance.nix") + (modulesPath + "/profiles/perlless.nix") + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + # system.forbiddenDependenciesRegexes = lib.mkForce [ ]; + + nixpkgs.flake.setNixPath = false; + nixpkgs.flake.setFlakeRegistry = false; + boot.enableContainers = false; + + boot.kernelModules = [ + "zram" + "usb_storage" + "uas" + "sd_mod" + "r8169" + "ehci-hcd" + "ehci-pci" + "xhci-hcd" + "xhci-pci" + "xhci-pci-renesas" + "nvme" + "virtio_net" + ]; + + system.etc.overlay.mutable = lib.mkDefault false; + + systemd.watchdog = lib.mkDefault { + runtimeTime = "10s"; + rebootTime = "30s"; + }; + + zramSwap.enable = true; + + # FIXME: fstrim should only be enabled for virtual machine images? + services.fstrim.enable = true; + + users.allowNoPasswordLogin = true; + users.users.root.home = lib.mkForce "/"; + + security.sudo.enable = lib.mkDefault false; + + security.polkit = { + enable = true; + extraConfig = '' + polkit.addRule(function(action, subject) { + if (subject.isInGroup("wheel")) { + return polkit.Result.YES; + } + }); + ''; + }; + + i18n.supportedLocales = [ "en_US.UTF-8/UTF-8" ]; + + # Console + + systemd.enableEmergencyMode = false; + boot.consoleLogLevel = lib.mkDefault 1; + boot.kernelParams = [ + "panic=1" + "boot.panic_on_fail" + # "nomodeset" + "console=ttyS0,115200n8" + "earlyprintk=ttyS0,115200n8" + "systemd.mask=systemd-vconsole-setup.service" # FIXME: Figure out why vconsole-setup fails when loading keymap + ]; + + # This is vi country + programs.nano.enable = false; + programs.vim.enable = true; + programs.vim.defaultEditor = lib.mkDefault true; + + # Temporary file + boot.tmp.useTmpfs = true; + + # Logging + services.journald = { + storage = "volatile"; + extraConfig = '' + SystemMaxUse=10M + ''; + }; + +} 
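Review bot: The polkit rule in `security.polkit.extraConfig` returns `polkit.Result.YES` for every action to any member of `wheel`, which (with unit management among the allowed actions) is effectively root-equivalent, so `security.sudo.enable = false` below does not reduce what a wheel user can do. If that is the intent for the base profile, say so in a comment next to the rule; otherwise restrict it to the action ids the appliance needs, e.g. `if (action.id.indexOf("org.freedesktop.login1.") == 0 && subject.isInGroup("wheel"))`, and keep the catch-all in the devel profile only. `users.allowNoPasswordLogin = true`, `consoleLogLevel = 1` and `panic=1` are defensible for an appliance but deserve the same one-line rationale so they are not reverted as oversights.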
diff --git a/modules/profiles/devel.nix b/modules/profiles/devel.nix new file mode 100644 index 0000000..011f773 --- /dev/null +++ b/modules/profiles/devel.nix @@ -0,0 +1,39 @@ +{ + modulesPath, + ... +}: +{ + + imports = [ ./server.nix ]; + + boot.kernel.sysctl = { + "net.ipv4.ip_unprivileged_port_start" = 0; + }; + + boot.kernelParams = [ + "systemd.log_level=info" + "systemd.log_target=console" + "systemd.journald.forward_to_console" + ]; + + users.users."admin" = { + isNormalUser = true; + linger = true; + extraGroups = [ "wheel" ]; + home = "/var/home/admin"; + }; + + environment.etc = { + subuid = { + text = "admin:100000:65536"; + mode = "0644"; + }; + + subgid = { + text = "admin:100000:65536"; + mode = "0644"; + }; + }; + + services.getty.autologinUser = "admin"; +} diff --git a/modules/profiles/network.nix b/modules/profiles/network.nix new file mode 100644 index 0000000..ccc21cb --- /dev/null +++ b/modules/profiles/network.nix 
@@ -0,0 +1,65 @@ +{ lib, ... }: +{ + # Use networkd + networking.useNetworkd = true; + systemd.network.wait-online.enable = true; + + # Firewall + networking.firewall.enable = false; + networking.nftables.enable = lib.mkDefault true; + + # DNS + services.resolved = { + fallbackDns = [ ]; # Disable fallback DNS. DNS will fail if resolvers are unconfigured + extraConfig = '' + DNSStubListener=no + ''; + + }; + + # Configuration + networking.hostName = ""; + + # Kernel + boot.kernel.sysctl = { + "net.core.default_qdisc" = "fq"; # FIXME: manage these with networkd? + "net.ipv4.tcp_congestion_control" = "bbr"; + }; + + # Modules + boot.kernelModules = [ + "ip_tables" + "x_tables" + "nf_tables" + "nft_ct" + "nft_log" + "nf_log_syslog" + "nft_fib" + "nft_fib_inet" + "nft_compat" + "nft_nat" + "nft_chain_nat" + "nft_masq" + "nfnetlink" + "xt_conntrack" + "nf_conntrack" + "nf_log_syslog" + "nf_nat" + "af_packet" + "bridge" + "veth" + "tcp_bbr" + "sch_fq_codel" + "ipt_rpfilter" + "ip6t_rpfilter" + "sch_fq" + "tun" + "tap" + "xt_MASQUERADE" + "xt_mark" + "xt_comment" + "xt_multiport" + "xt_addrtype" + ]; + +} diff --git a/modules/profiles/server.nix b/modules/profiles/server.nix new file mode 100644 index 0000000..830762e --- /dev/null +++ b/modules/profiles/server.nix @@ -0,0 +1,18 @@ +{ + modulesPath, + ... +}: +{ + + imports = [ + (modulesPath + "/profiles/minimal.nix") + ./network.nix + ./sysext.nix + ]; + + boot.kernelParams = [ + "quiet" + ]; + + virtualisation.podman.enable = true; +} diff --git a/modules/profiles/sysext.nix b/modules/profiles/sysext.nix new file mode 100644 index 0000000..c356747 --- /dev/null +++ b/modules/profiles/sysext.nix 
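Review bot: `networking.firewall.enable = false` together with `networking.nftables.enable = true` installs the nftables backend but no ruleset, so the server profile (which enables podman and is the base of the published `patos` image) boots with every listening port reachable, while the `boot.kernelModules` list still ships `ipt_rpfilter`/`ip6t_rpfilter` and friends that nothing configures. If the intent is that podman owns the ruleset, state it: `networking.firewall.enable = false; # podman manages nftables; no host firewall`; otherwise keep the firewall enabled with the nftables backend and open ports per profile. `networking.hostName = ""` leaves the name to be set at runtime, which is fine for an image but is worth a comment so it is not "fixed" later.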
@@ -0,0 +1,23 @@ +{ ... }: +{ + system.activationScripts.sysext = '' + mkdir -p /var/lib/confexts + mkdir -p /var/lib/extensions + mkdir -p /etc/systemd/extensions + ''; + + systemd.additionalUpstreamSystemUnits = [ + "systemd-confext.service" + "systemd-sysext.service" + ]; + + # systemd.services."systemd-confext" = { + # enable = true; + # wantedBy = [ "multi-user.target" ]; + # }; + + # systemd.services."systemd-sysext.service" = { + # enable = true; + # wantedBy = [ "multi-user.target" ]; + # }; +} diff --git a/pkgs/busybox/clang-cross.patch b/pkgs/busybox/clang-cross.patch deleted file mode 100644 index b2d696b..0000000 --- a/pkgs/busybox/clang-cross.patch +++ /dev/null @@ -1,37 +0,0 @@ -diff --git a/Makefile b/Makefile -index 6fedcffba..3385836c4 100644 ---- a/Makefile -+++ b/Makefile -@@ -271,8 +271,8 @@ export quiet Q KBUILD_VERBOSE - # Look for make include files relative to root of kernel src - MAKEFLAGS += --include-dir=$(srctree) - --HOSTCC = gcc --HOSTCXX = g++ -+HOSTCC = cc -+HOSTCXX = c++ - HOSTCFLAGS := - HOSTCXXFLAGS := - # We need some generic definitions -@@ -289,7 +289,7 @@ MAKEFLAGS += -rR - # Make variables (CC, etc...) - - AS = $(CROSS_COMPILE)as --CC = $(CROSS_COMPILE)gcc -+CC = $(CROSS_COMPILE)cc - LD = $(CC) -nostdlib - CPP = $(CC) -E - AR = $(CROSS_COMPILE)ar -diff --git a/scripts/Makefile.IMA b/scripts/Makefile.IMA -index f155108d7..185257064 100644 ---- a/scripts/Makefile.IMA -+++ b/scripts/Makefile.IMA -@@ -39,7 +39,7 @@ ifndef HOSTCC - HOSTCC = cc - endif - AS = $(CROSS_COMPILE)as --CC = $(CROSS_COMPILE)gcc -+CC = $(CROSS_COMPILE)cc - LD = $(CC) -nostdlib - CPP = $(CC) -E - AR = $(CROSS_COMPILE)ar diff --git a/pkgs/busybox/default.nix b/pkgs/busybox/default.nix deleted file mode 100644 index 6f22641..0000000 --- a/pkgs/busybox/default.nix +++ /dev/null 
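Review bot: `systemd-sysext.service` and `systemd-confext.service` are pulled in via `additionalUpstreamSystemUnits` but nothing wants them (the `wantedBy` blocks are commented out), and NixOS does not honour upstream `[Install]` sections, so extensions placed in `/var/lib/extensions` will not be merged at boot unless something outside this diff starts the units. Since `/var` is the writable state partition while `/usr` is verity-protected, merging unsigned images from there would also bypass the root integrity chain; when the units are enabled, pair that with a sysext image policy or signature requirement and document it next to the activation script. A comment on `system.activationScripts.sysext` naming what each of `confexts`, `extensions` and `/etc/systemd/extensions` is for would help.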
@@ -1,208 +0,0 @@ -{ - stdenv, - lib, - pkgs, - buildPackages, - fetchurl, - fetchpatch, - fetchFromGitLab, - enableStatic ? stdenv.hostPlatform.isStatic, - enableMinimal ? false, - enableAppletSymlinks ? true, - # Allow forcing musl without switching stdenv itself, e.g. for our bootstrapping: - # nix build -f pkgs/top-level/release.nix stdenvBootstrapTools.x86_64-linux.dist - useMusl ? stdenv.hostPlatform.libc == "musl", - musl, - extraConfig ? "", -}: - -assert stdenv.hostPlatform.libc == "musl" -> useMusl; - -let - configParser = '' - function parseconfig { - while read LINE; do - NAME=`echo "$LINE" | cut -d \ -f 1` - OPTION=`echo "$LINE" | cut -d \ -f 2` - - if ! [[ "$NAME" =~ ^CONFIG_ ]]; then continue; fi - - echo "parseconfig: removing $NAME" - sed -i /$NAME'\(=\| \)'/d .config - - echo "parseconfig: setting $NAME=$OPTION" - echo "$NAME=$OPTION" >> .config - done - } - ''; - - libcConfig = lib.optionalString useMusl '' - CONFIG_FEATURE_UTMP n - CONFIG_FEATURE_WTMP n - ''; - - # The debian version lags behind the upstream version and also contains - # a debian-specific suffix. We only fetch the debian repository to get the - # default.script - debianVersion = "1.30.1-6"; - debianSource = fetchFromGitLab { - domain = "salsa.debian.org"; - owner = "installer-team"; - repo = "busybox"; - rev = "debian/1%${debianVersion}"; - sha256 = "sha256-6r0RXtmqGXtJbvLSD1Ma1xpqR8oXL2bBKaUE/cSENL8="; - }; - debianDispatcherScript = "${debianSource}/debian/tree/udhcpc/etc/udhcpc/default.script"; - outDispatchPath = "$out/default.script"; -in - -stdenv.mkDerivation rec { - pname = "busybox"; - version = pkgs.busybox.version; - - # Note to whoever is updating busybox: please verify that: - # nix-build pkgs/stdenv/linux/make-bootstrap-tools.nix -A test - # still builds after the update. 
- src = pkgs.busybox.src; - - hardeningDisable = [ - "format" - "pie" - ] ++ lib.optionals enableStatic [ "fortify" ]; - - patches = [ - (fetchurl { - name = "CVE-2022-28391.patch"; - url = "https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch?id=ed92963eb55bbc8d938097b9ccb3e221a94653f4"; - sha256 = "sha256-yviw1GV+t9tbHbY7YNxEqPi7xEreiXVqbeRyf8c6Awo="; - }) - (fetchurl { - name = "CVE-2022-28391.patch"; - url = "https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch?id=ed92963eb55bbc8d938097b9ccb3e221a94653f4"; - sha256 = "sha256-vl1wPbsHtXY9naajjnTicQ7Uj3N+EQ8pRNnrdsiow+w="; - }) - (fetchpatch { - name = "CVE-2022-48174.patch"; # https://bugs.busybox.net/show_bug.cgi?id=15216 - url = "https://git.busybox.net/busybox/patch/?id=d417193cf37ca1005830d7e16f5fa7e1d8a44209"; - hash = "sha256-mpDEwYncpU6X6tmtj9xM2KCrB/v2ys5bYxmPPrhm6es="; - }) - (fetchpatch { - name = "CVE-2023-42366.patch"; # https://bugs.busybox.net/show_bug.cgi?id=15874 - # This patch is also used by Alpine, see https://git.alpinelinux.org/aports/tree/main/busybox/0037-awk.c-fix-CVE-2023-42366-bug-15874.patch - url = "https://bugs.busybox.net/attachment.cgi?id=9697"; - hash = "sha256-2eYfLZLjStea9apKXogff6sCAdG9yHx0ZsgUBaGfQIA="; - }) - (fetchpatch { - name = "CVE-2023-42363.patch"; # https://bugs.busybox.net/show_bug.cgi?id=15865 - url = "https://git.launchpad.net/ubuntu/+source/busybox/plain/debian/patches/CVE-2023-42363.patch?id=c9d8a323b337d58e302717d41796aa0242963d5a"; - hash = "sha256-1W9Q8+yFkYQKzNTrvndie8QuaEbyAFL1ZASG2fPF+Z4="; - }) - (fetchpatch { - name = "CVE-2023-42364_CVE-2023-42365.patch"; # https://bugs.busybox.net/show_bug.cgi?id=15871 https://bugs.busybox.net/show_bug.cgi?id=15868 - url = "https://git.alpinelinux.org/aports/plain/main/busybox/CVE-2023-42364-CVE-2023-42365.patch?id=8a4bf5971168bf48201c05afda7bee0fbb188e13"; - hash = 
"sha256-nQPgT9eA1asCo38Z9X7LR9My0+Vz5YBPba3ARV3fWcc="; - }) - ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) ./clang-cross.patch; - - separateDebugInfo = true; - - # postPatch = "patchShebangs ."; - - configurePhase = '' - export KCONFIG_NOTIMESTAMP=1 - make ${if enableMinimal then "allnoconfig" else "defconfig"} - - ${configParser} - - cat << EOF | parseconfig - - CONFIG_PREFIX "$out" - CONFIG_INSTALL_NO_USR y - - CONFIG_LFS y - - # More features for modprobe. - ${lib.optionalString (!enableMinimal) '' - CONFIG_FEATURE_MODPROBE_BLACKLIST y - CONFIG_FEATURE_MODUTILS_ALIAS y - CONFIG_FEATURE_MODUTILS_SYMBOLS y - CONFIG_MODPROBE_SMALL n - ''} - - ${lib.optionalString enableStatic '' - CONFIG_STATIC y - ''} - - ${lib.optionalString (!enableAppletSymlinks) '' - CONFIG_INSTALL_APPLET_DONT y - CONFIG_INSTALL_APPLET_SYMLINKS n - ''} - - # Use the external mount.cifs program. - CONFIG_FEATURE_MOUNT_CIFS n - CONFIG_FEATURE_MOUNT_HELPERS y - - # BB_SHADOW - FEATURE_SHADOWPASSWDS y - CONFIG_USE_BB_PWD_GRP y - CONFIG_USE_BB_SHADOW y - CONFIG_USE_BB_CRYPT y - USE_BB_CRYPT_SHA y - CONFIG_FEATURE_DEFAULT_PASSWD_ALGO "sha512" - - # Set paths for console fonts. - CONFIG_DEFAULT_SETFONT_DIR "/etc/kbd" - - # Bump from 4KB, much faster I/O - CONFIG_FEATURE_COPYBUF_KB 64 - - # Doesn't build with current kernel headers. 
- # https://bugs.busybox.net/show_bug.cgi?id=15934
- CONFIG_TC n
-
- # Set the path for the udhcpc script
- CONFIG_UDHCPC_DEFAULT_SCRIPT "/usr/share/busybox/"
-
- ${extraConfig}
- CONFIG_CROSS_COMPILER_PREFIX "${stdenv.cc.targetPrefix}"
- ${libcConfig}
- EOF
-
- make oldconfig
-
- runHook postConfigure
- '';
-
- postConfigure = lib.optionalString (useMusl && stdenv.hostPlatform.libc != "musl") ''
- makeFlagsArray+=("CC=${stdenv.cc.targetPrefix}cc -isystem ${musl.dev}/include -B${musl}/lib -L${musl}/lib")
- '';
-
- makeFlags = [ "SKIP_STRIP=y" ];
-
- strictDeps = true;
-
- depsBuildBuild = [ buildPackages.stdenv.cc ];
-
- buildInputs = lib.optionals (enableStatic && !useMusl && stdenv.cc.libc ? static) [
- stdenv.cc.libc
- stdenv.cc.libc.static
- ];
-
- enableParallelBuilding = true;
-
- doCheck = false; # tries to access the net
-
- passthru.shellPath = "/bin/ash";
-
- meta = with lib; {
- description = "Tiny versions of common UNIX utilities in a single small executable";
- homepage = "https://busybox.net/";
- license = licenses.gpl2Only;
- maintainers = with maintainers; [
- TethysSvensson
- qyliss
- ];
- platforms = platforms.linux;
- priority = 15; # below systemd (halt, init, poweroff, reboot) and coreutils
- };
-}
diff --git a/pkgs/cert/default.nix b/pkgs/cert/default.nix
deleted file mode 100644
index f3237e9..0000000
--- a/pkgs/cert/default.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- runCommand,
- pkgs,
-
-}:
-
-runCommand "patagia-certs"
- {
- buildInputs = with pkgs; [
- openssl
- ];
-
- }
- ''
- mkdir -pv $out
- openssl req -new -x509 -days 365 -nodes -out $out/cert.pem -keyout $out/key.pem -subj "/CN=patagia-signing"
- ''
diff --git a/pkgs/composefs.nix b/pkgs/composefs.nix
new file mode 100644
index 0000000..91e8443
--- /dev/null
+++ b/pkgs/composefs.nix
@@ -0,0 +1,5 @@
+{ prev, ... }:
+
+prev.composefs.overrideAttrs (final: prev: {
+ doCheck = false;
+})
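Review bot: In `prev.composefs.overrideAttrs (final: prev: { ... })` the inner `prev` shadows the file's own `prev` argument, which is confusing to read even though neither binding is used inside the override; since the body only sets one attribute, `prev.composefs.overrideAttrs (_: { doCheck = false; })` says the same thing without the shadowing. `doCheck = false;` also silently drops composefs's test suite with no explanation; add a comment recording which check fails and why (e.g. sandbox or kernel-feature limits) so the override can be revisited, rather than leaving an unexplained test-disable on a package the images depend on.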
diff --git a/pkgs/dbus-broker/default.nix b/pkgs/dbus-broker/default.nix
deleted file mode 100644
index 0002d9c..0000000
--- a/pkgs/dbus-broker/default.nix
+++ /dev/null
@@ -1,164 +0,0 @@ -{ - lib, - stdenv, - fetchFromGitHub, - pkgs, - ... -}: - -let - meta = { - maintainers = with lib.maintainers; [ peterhoeg ]; - platforms = lib.platforms.linux; - }; - - dep = - { - pname, - version, - hash, - rev ? "v${version}", - buildInputs ? [ ], - }: - stdenv.mkDerivation { - inherit pname version; - src = fetchFromGitHub { - owner = "c-util"; - repo = pname; - inherit hash rev; - }; - nativeBuildInputs = with pkgs; [ - meson - ninja - pkg-config - ]; - inherit buildInputs; - meta = meta // { - description = "The C-Util Project is a collection of utility libraries for the C11 language."; - homepage = "https://c-util.github.io/"; - license = [ - lib.licenses.asl20 - lib.licenses.lgpl21Plus - ]; - }; - }; - - # These libraries are not used outside of dbus-broker. - # - # If that changes, we can always break them out, but they are essentially - # part of the dbus-broker project, just in separate repositories. - c-dvar = dep { - pname = "c-dvar"; - version = "1.1.0"; - hash = "sha256-p/C+BktclVseCtZJ1Q/YK03vP2ClnYRLB1Vmj2OQJD4="; - buildInputs = [ - c-stdaux - c-utf8 - ]; - }; - c-ini = dep { - pname = "c-ini"; - version = "1.1.0"; - hash = "sha256-wa7aNl20hkb/83c4AkQ/0YFDdmBs4XGW+WLUtBWIC98="; - buildInputs = [ - c-list - c-rbtree - c-stdaux - c-utf8 - ]; - }; - c-list = dep { - pname = "c-list"; - version = "3.1.0"; - hash = "sha256-fp3EAqcbFCLaT2EstLSzwP2X13pi2EFpFAullhoCtpw="; - }; - c-rbtree = dep { - pname = "c-rbtree"; - version = "3.2.0"; - hash = "sha256-dTMeawhPLRtHvMXfXCrT5iCdoh7qS3v+raC6c+t+X38="; - buildInputs = [ c-stdaux ]; - }; - c-shquote = dep { - pname = "c-shquote"; - version = "1.1.0"; - hash = "sha256-z6hpQ/kpCYAngMNfxLkfsxaGtvP4yBMigX1lGpIIzMQ="; - buildInputs = [ c-stdaux ]; - }; - c-stdaux = dep { - pname = "c-stdaux"; - version = "1.5.0"; - hash = "sha256-MsnuEyVCmOIr/q6I1qyPsNXp48jxIEcXoYLHbOAZtW0="; - }; - c-utf8 = dep { - pname = "c-utf8"; - version = "1.1.0"; - hash = 
"sha256-9vBYylbt1ypJwIAQJd/oiAueh+4VYcn/KzofQuhUea0="; - buildInputs = [ c-stdaux ]; - }; - -in - -stdenv.mkDerivation (finalAttrs: { - pname = "dbus-broker"; - version = pkgs.dbus-broker.version; - - src = pkgs.dbus-broker.src; - - nativeBuildInputs = with pkgs; [ - docutils - meson - ninja - pkg-config - ]; - - buildInputs = [ - c-dvar - c-ini - c-list - c-rbtree - c-shquote - c-stdaux - c-utf8 - pkgs.dbus - pkgs.linuxHeaders - pkgs.systemd - ]; - - mesonFlags = [ - # while we technically support 4.9 and 4.14, the NixOS module will throw an - # error when using a kernel that's too old - "--prefix=/" - "--bindir=/usr/bin" - "-D=linux-4-17=true" - "-D=system-console-users=gdm,sddm,lightdm" - ]; - - PKG_CONFIG_SYSTEMD_SYSTEMDSYSTEMUNITDIR = "/usr/lib/systemd/system"; - PKG_CONFIG_SYSTEMD_SYSTEMDUSERUNITDIR = "/usr/lib/systemd/user"; - PKG_CONFIG_SYSTEMD_CATALOGDIR = "/usr/lib/systemd/catalog"; - - preInstall = '' - export DESTDIR=${placeholder "out"} - ''; - - postInstall = '' - mkdir -p $out/usr/share - cp -Pr ${pkgs.dbus.out}/share/* $out/usr/share/ - cp ${pkgs.dbus.out}/etc/systemd/system/dbus.socket $out/usr/lib/systemd/system/ - mv $out/usr/lib/systemd/system/dbus-broker.service $out/usr/lib/systemd/system/dbus.service - find $out/usr/share/ -type d -exec chmod 755 {} \; - sed -i 's#/nix/store.*/share#/usr/share#' $out/usr/share/xml/dbus-1/catalog.xml - sed -i 's#/nix/store.*/libexec#/usr/bin#' $out/usr/share/dbus-1/system.conf - - mkdir -p $out/usr/lib/sysusers.d/ - echo 'u! messagebus - "DBus broker"' > $out/usr/lib/sysusers.d/dbus-broker.conf - ''; - - doCheck = false; - - meta = meta // { - description = "Linux D-Bus Message Broker"; - homepage = "https://github.com/bus1/dbus-broker/wiki"; - license = lib.licenses.asl20; - }; -}) diff --git a/pkgs/glibc/default.nix b/pkgs/glibc/default.nix deleted file mode 100644 index b5028c0..0000000 --- a/pkgs/glibc/default.nix +++ /dev/null 
@@ -1,53 +0,0 @@ -{ - pkgs, - stdenv, - - ... -}: -let - version = pkgs.glibc.version; - src = pkgs.glibc.src; - pname = "glibcPatos"; -in -stdenv.mkDerivation (finalAttrs: { - inherit version; - inherit src; - inherit pname; - - enableParallelBuilding = true; - dontPatchShebangs = true; - - configureFlags = [ - "--prefix=/" - "--libdir=/lib" - "--bindir=/bin" - "--sysconfdir=/etc" - ]; - - preConfigure = - '' - export PWD_P=$(type -tP pwd) - for i in configure io/ftwtest-sh; do - sed -i "$i" -e "s^/bin/pwd^$PWD_P^g" - done - - mkdir ../build - cd ../build - - configureScript="`pwd`/../$sourceRoot/configure" - ''; - - nativeBuildInputs = with pkgs; [ - bison - python3Minimal - ]; - - outputs = [ - "out" - ]; - - preInstall = '' - export DESTDIR=${placeholder "out"} - ''; - -}) diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix deleted file mode 100644 index 05d9c72..0000000 --- a/pkgs/image/default.nix +++ /dev/null 
@@ -1,256 +0,0 @@ -{ - lib, - pkgs, - patosPkgs, - version, - runCommand, - updateUrl, - cpuArch ? "", - secureBoot ? "false" -}: -let - pname = "patos-image"; -in -runCommand pname { - inherit version cpuArch updateUrl secureBoot; - - microcode = lib.optionalString (cpuArch == "amd") "--microcode ${pkgs.microcode-amd}/amd-ucode.img" - + lib.optionalString (cpuArch == "intel") "--microcode ${pkgs.microcode-intel}/intel-ucode.img"; - - buildInputs = with pkgs; [ - erofs-utils - dosfstools - mtools - jq - ]; - - env = { - # vfat options won't efi won't find the fs otherwise. - SYSTEMD_REPART_MKFS_OPTIONS_VFAT = "-S 512 -c"; - SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking"; - }; - - kernelCmdLine = "console=ttyS0 patos.secureboot=${secureBoot}"; -} -'' -mkdir -p $out/init.repart.d $out/final.repart.d -pushd $out - -mkdir rootfs -cp -prP ${patosPkgs.rootfs}/* rootfs/ -find rootfs/ -type d -exec chmod 755 {} \; - -# package kernel modules as sysext (will reduce the image size a little bit (~3MB)) -mkdir rootfs/etc/extensions -rm -rf rootfs/usr/lib/modules -cp ${patosPkgs.kernel}/patos-kernel-modules* rootfs/etc/extensions/ - -# set default target to multi-user -ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target - -# enable dbus -ln -sf ../dbus.service rootfs/usr/lib/systemd/system/multi-user.target.wants/dbus.service -ln -sf ../dbus.socket rootfs/usr/lib/systemd/system/sockets.target.wants/dbus.socket - -# enable network services -ln -sf ../systemd-networkd.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-networkd.service -ln -sf ../systemd-resolved.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-resolved.service -ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.target.wants/systemd-timesyncd.service -# enable default network config -mv rootfs/usr/lib/systemd/network/89-ethernet.network.example 
rootfs/usr/lib/systemd/network/89-ethernet.network - -# enable confext/sysext services -ln -sf ../systemd-confext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-confext.service -ln -sf ../systemd-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-sysext.service - -cat <<EOF > rootfs/usr/lib/systemd/system/secure-boot-import-keys.service -[Unit] -Description=Import Secure Boot keys -DefaultDependencies=no -RequiresMountsFor=/var/lib/sbctl /boot -ConditionPathExists=/boot/sbctl/keys -After=local-fs.target - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=sbctl import-keys -d /boot/sbctl/keys -ExecStartPost=rm -rf /boot/sbctl -EOF -ln -sf ../secure-boot-import-keys.service rootfs/usr/lib/systemd/system/sysinit.target.wants/secure-boot-import-keys.service - -# sysupdate -mkdir -p rootfs/etc/sysupdate.d -cat <<EOF > rootfs/etc/sysupdate.d/10-uki.transfer -[Source] -Path=${updateUrl} -MatchPattern=patos_@v.efi -Type=url-file - -[Target] -InstancesMax=2 -MatchPattern=patos_@v+@l-@d.efi patos_@v+@l.efi patos_@v.efi -Mode=0444 -Path=/EFI/Linux -PathRelativeTo=esp -TriesDone=0 -TriesLeft=3 -Type=regular-file - -[Transfer] -Verify=no -EOF - -cat <<EOF > rootfs/etc/sysupdate.d/20-root-verity.transfer -[Source] -Type=url-file -Path=${updateUrl} -MatchPattern=patos_@v_@u.verity - -[Target] -Type=partition -Path=auto -MatchPattern=verity-@v -MatchPartitionType=root-verity -ReadOnly=1 - -[Transfer] -Verify=no -EOF - -cat <<EOF > rootfs/etc/sysupdate.d/22-root.transfer -[Source] -Type=url-file -Path=${updateUrl} -MatchPattern=patos_@v_@u.root - -[Target] -Type=partition -Path=auto -MatchPattern=root-@v -MatchPartitionType=root -ReadOnly=1 - -[Transfer] -Verify=no -EOF - -# Initial partitioning -cat <<EOF > init.repart.d/10-root.conf -[Partition] -Type=root -Format=erofs -Minimize=best -CopyFiles=/rootfs:/ -Verity=data -VerityMatchKey=root -SplitName=root -EOF - -cat <<EOF > init.repart.d/20-root-verity.conf -[Partition] 
-Type=root-verity -Verity=hash -VerityMatchKey=root -Minimize=best -SplitName=verity -EOF - -#TODO: Add verity signature partition - -${patosPkgs.systemd}/usr/bin/systemd-repart \ - --no-pager \ - --empty=create \ - --size=auto \ - --definitions=./init.repart.d \ - --split=true \ - --json=pretty \ - --root=$out \ - patos_$version.raw > init-repart-output.json && rm -f patos_$version.raw - -roothash=$(jq -r '.[0].roothash' init-repart-output.json) -rootPart=$(jq -r '.[0].split_path' init-repart-output.json) -rootUuid=$(jq -r '.[0].uuid' init-repart-output.json) - -verityPart=$(jq -r '.[1].split_path' init-repart-output.json) -verityUuid=$(jq -r '.[1].uuid' init-repart-output.json) - -ln -sf patos_$version.verity.raw patos_${version}_$verityUuid.verity -ln -sf patos_$version.root.raw patos_${version}_$rootUuid.root - -${patosPkgs.systemd}/usr/bin/ukify build \ - --linux ${patosPkgs.kernel}/bzImage \ - --initrd ${patosPkgs.initrd}/initrd.xz \ - $microcode \ - --os-release @rootfs/etc/os-release \ - --cmdline "$kernelCmdLine roothash=$roothash" \ - -o patos_${version}.efi - -# install ESP -SYSTEMD_RELAX_ESP_CHECKS=1 ${patosPkgs.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot - -# setup factory reset -mkdir -p rootfs/boot/EFI/tools -cp ${pkgs.edk2-uefi-shell}/shell.efi rootfs/boot/EFI/tools/ - -cat <<EOF > rootfs/boot/EFI/tools/factoryreset.nsh -setvar FactoryReset -guid 8cf2644b-4b0b-428f-9387-6d876050dc67 -nv -rt =%1 -reset -EOF - -cat <<EOF > rootfs/boot/loader/entries/factoryreset.conf -title Enable Factory Reset -options -nostartup -nomap -options \EFI\tools\factoryreset.nsh L"t" -efi EFI/tools/shell.efi -EOF - -echo "timeout 2" > rootfs/boot/loader/loader.conf - -# install UKI -cp patos_${version}.efi rootfs/boot/EFI/Linux - -# Final partitioning -cat <<EOF > final.repart.d/10-esp.conf -[Partition] -Type=esp -Format=vfat -SizeMinBytes=128M -SizeMaxBytes=128M -CopyFiles=/rootfs/boot:/ -EOF - -cat <<EOF > final.repart.d/20-root.conf -[Partition] 
-Type=root -Label=root-${version} -CopyBlocks=/$rootPart -UUID=$rootUuid -SizeMinBytes=64M -SizeMaxBytes=64M -ReadOnly=1 -EOF - -cat <<EOF > final.repart.d/22-root-verity.conf -[Partition] -Type=root-verity -Label=verity-${version} -CopyBlocks=/$verityPart -UUID=$verityUuid -ReadOnly=1 -EOF - -# finalize image ready for boot -${patosPkgs.systemd}/usr/bin/systemd-repart \ - --no-pager \ - --empty=create \ - --size=auto \ - --definitions=./final.repart.d \ - --root=$out \ - patos_${version}.img > final-repart-output.json - -rm -rf rootfs init.repart.d final.repart.d *.json -sha256sum *.root *.verity *.efi *.tar.xz > SHA256SUMS - -popd -'' diff --git a/pkgs/kernel/default.nix b/pkgs/kernel/default.nix deleted file mode 100644 index 6b8bb21..0000000 --- a/pkgs/kernel/default.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ pkgs }: -let - version = "6.14.6"; - hash = "sha256-IYF/GZjiIw+B9+T2Bfpv3LBA4U+ifZnCfdsWznSXl6k="; -in -(pkgs.callPackage ./manual-config.nix { }) { - version = "${version}-patos1"; - modDirVersion = version; - src = pkgs.fetchurl { - url = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${version}.tar.xz"; - hash = hash; - }; - configfile = ./generic.config; - allowImportFromDerivation = true; -} diff --git a/pkgs/kernel/generic.config b/pkgs/kernel/generic.config deleted file mode 100644 index 4c67b0a..0000000 --- a/pkgs/kernel/generic.config +++ /dev/null 
@@ -1,2514 +0,0 @@ -CONFIG_64BIT=y -CONFIG_ACPI_AC=y -CONFIG_ACPI_BATTERY=y -CONFIG_ACPI_BUTTON=y -CONFIG_ACPI_CONTAINER=y -CONFIG_ACPI_CPPC_LIB=y -CONFIG_ACPI_CPU_FREQ_PSS=y -CONFIG_ACPI_FAN=y -CONFIG_ACPI_HOTPLUG_CPU=y -CONFIG_ACPI_HOTPLUG_IOAPIC=y -CONFIG_ACPI_I2C_OPREGION=y -CONFIG_ACPI_IPMI=y -CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y -CONFIG_ACPI_LPIT=y -CONFIG_ACPI_MDIO=y -CONFIG_ACPI_NUMA=y -CONFIG_ACPI_PCC=y -CONFIG_ACPI_PRMT=y -CONFIG_ACPI_PROCESSOR_CSTATE=y -CONFIG_ACPI_PROCESSOR_IDLE=y -CONFIG_ACPI_PROCESSOR=y -CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y -CONFIG_ACPI_SLEEP=y -CONFIG_ACPI_SPCR_TABLE=y -CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y -CONFIG_ACPI_TABLE_UPGRADE=y -CONFIG_ACPI_THERMAL=y -CONFIG_ACPI_VIDEO=y -CONFIG_ACPI_WATCHDOG=y -CONFIG_ACPI_WMI=y -CONFIG_ACPI=y -CONFIG_ADDRESS_MASKING=y -CONFIG_ADVISE_SYSCALLS=y -CONFIG_AF_UNIX_OOB=y -CONFIG_AIO=y -CONFIG_ALLOW_DEV_COREDUMP=y -CONFIG_ALX=m -CONFIG_AMD_IOMMU_V2=y -CONFIG_AMD_IOMMU=y -CONFIG_AMD_NB=y -CONFIG_AMD_NUMA=y -CONFIG_AMD_PMC=m -CONFIG_APERTURE_HELPERS=y -CONFIG_AQTION=m -CONFIG_ARCH_CLOCKSOURCE_INIT=y -CONFIG_ARCH_CONFIGURES_CPU_MITIGATIONS=y -CONFIG_ARCH_CORRECT_STACKTRACE_ON_KRETPROBE=y -CONFIG_ARCH_CPUIDLE_HALTPOLL=y -CONFIG_ARCH_DMA_ADDR_T_64BIT=y -CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y -CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y -CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y -CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y -CONFIG_ARCH_HAS_ADD_PAGES=y -CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y -CONFIG_ARCH_HAS_COPY_MC=y -CONFIG_ARCH_HAS_CPU_CACHE_INVALIDATE_MEMREGION=y -CONFIG_ARCH_HAS_CPU_FINALIZE_INIT=y -CONFIG_ARCH_HAS_CPU_RELAX=y -CONFIG_ARCH_HAS_CURRENT_STACK_POINTER=y -CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y -CONFIG_ARCH_HAS_DEBUG_VM_PGTABLE=y -CONFIG_ARCH_HAS_DEBUG_WX=y -CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y -CONFIG_ARCH_HAS_ELFCORE_COMPAT=y -CONFIG_ARCH_HAS_ELF_RANDOMIZE=y -CONFIG_ARCH_HAS_FAST_MULTIPLIER=y -CONFIG_ARCH_HAS_FORTIFY_SOURCE=y -CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y -CONFIG_ARCH_HAS_GIGANTIC_PAGE=y 
-CONFIG_ARCH_HAS_KCOV=y -CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y -CONFIG_ARCH_HAS_MEM_ENCRYPT=y -CONFIG_ARCH_HAS_NMI_SAFE_THIS_CPU_OPS=y -CONFIG_ARCH_HAS_NONLEAF_PMD_YOUNG=y -CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE=y -CONFIG_ARCH_HAS_PARANOID_L1D_FLUSH=y -CONFIG_ARCH_HAS_PKEYS=y -CONFIG_ARCH_HAS_PMEM_API=y -CONFIG_ARCH_HAS_PTE_DEVMAP=y -CONFIG_ARCH_HAS_PTE_SPECIAL=y -CONFIG_ARCH_HAS_SET_DIRECT_MAP=y -CONFIG_ARCH_HAS_SET_MEMORY=y -CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y -CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y -CONFIG_ARCH_HAS_SYNC_CORE_BEFORE_USERMODE=y -CONFIG_ARCH_HAS_SYSCALL_WRAPPER=y -CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE=y -CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y -CONFIG_ARCH_HAS_ZONE_DMA_SET=y -CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y -CONFIG_ARCH_HIBERNATION_POSSIBLE=y -CONFIG_ARCH_MAY_HAVE_PC_FDC=y -CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y -CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y -CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y -CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y -CONFIG_ARCH_MMAP_RND_BITS=28 -CONFIG_ARCH_MMAP_RND_BITS_MAX=32 -CONFIG_ARCH_MMAP_RND_BITS_MIN=28 -CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8 -CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16 -CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8 -CONFIG_ARCH_SELECTS_KEXEC_FILE=y -CONFIG_ARCH_SPARSEMEM_DEFAULT=y -CONFIG_ARCH_SPARSEMEM_ENABLE=y -CONFIG_ARCH_STACKWALK=y -CONFIG_ARCH_SUPPORTS_ACPI=y -CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y -CONFIG_ARCH_SUPPORTS_CFI_CLANG=y -CONFIG_ARCH_SUPPORTS_CRASH_DUMP=y -CONFIG_ARCH_SUPPORTS_CRASH_HOTPLUG=y -CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y -CONFIG_ARCH_SUPPORTS_INT128=y -CONFIG_ARCH_SUPPORTS_KEXEC_BZIMAGE_VERIFY_SIG=y -CONFIG_ARCH_SUPPORTS_KEXEC_FILE=y -CONFIG_ARCH_SUPPORTS_KEXEC_JUMP=y -CONFIG_ARCH_SUPPORTS_KEXEC_PURGATORY=y -CONFIG_ARCH_SUPPORTS_KEXEC_SIG_FORCE=y -CONFIG_ARCH_SUPPORTS_KEXEC_SIG=y -CONFIG_ARCH_SUPPORTS_KEXEC=y -CONFIG_ARCH_SUPPORTS_KMAP_LOCAL_FORCE_MAP=y -CONFIG_ARCH_SUPPORTS_LTO_CLANG_THIN=y -CONFIG_ARCH_SUPPORTS_LTO_CLANG=y -CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y -CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y 
-CONFIG_ARCH_SUPPORTS_PAGE_TABLE_CHECK=y -CONFIG_ARCH_SUPPORTS_PER_VMA_LOCK=y -CONFIG_ARCH_SUPPORTS_UPROBES=y -CONFIG_ARCH_SUSPEND_POSSIBLE=y -CONFIG_ARCH_USE_BUILTIN_BSWAP=y -CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y -CONFIG_ARCH_USE_MEMREMAP_PROT=y -CONFIG_ARCH_USE_MEMTEST=y -CONFIG_ARCH_USE_QUEUED_RWLOCKS=y -CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y -CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y -CONFIG_ARCH_USES_PG_UNCACHED=y -CONFIG_ARCH_USE_SYM_ANNOTATIONS=y -CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y -CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=y -CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y -CONFIG_ARCH_WANT_GENERAL_HUGETLB=y -CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y -CONFIG_ARCH_WANT_LD_ORPHAN_WARN=y -CONFIG_ARCH_WANT_OLD_COMPAT_IPC=y -CONFIG_ARCH_WANT_OPTIMIZE_DAX_VMEMMAP=y -CONFIG_ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP=y -CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y -CONFIG_ARCH_WANTS_NO_INSTR=y -CONFIG_ARCH_WANTS_THP_SWAP=y -CONFIG_AS_AVX512=y -CONFIG_AS_GFNI=y -CONFIG_AS_HAS_NON_CONST_LEB128=y -CONFIG_AS_IS_GNU=y -CONFIG_ASM_MODVERSIONS=y -CONFIG_ASN1=y -CONFIG_AS_SHA1_NI=y -CONFIG_AS_SHA256_NI=y -CONFIG_ASSOCIATIVE_ARRAY=y -CONFIG_AS_TPAUSE=y -CONFIG_AS_VERSION=24200 -CONFIG_AS_WRUSS=y -CONFIG_ASYMMETRIC_KEY_TYPE=y -CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y -CONFIG_ASYNC_CORE=m -CONFIG_ASYNC_MEMCPY=m -CONFIG_ASYNC_PQ=m -CONFIG_ASYNC_RAID6_RECOV=m -CONFIG_ASYNC_XOR=m -CONFIG_ATA_ACPI=y -CONFIG_ATA_BMDMA=y -CONFIG_ATA_FORCE=y -CONFIG_ATA_PIIX=y -CONFIG_ATA_SFF=y -CONFIG_ATA_VERBOSE_ERROR=y -CONFIG_ATA=y -CONFIG_ATM_DRIVERS=y -CONFIG_ATM=y -CONFIG_AUDIT_ARCH=y -CONFIG_AUDITSYSCALL=y -CONFIG_AUDIT=y -CONFIG_AUTOFS_FS=y -CONFIG_AUXILIARY_BUS=y -CONFIG_AX88796B_PHY=m -CONFIG_BACKLIGHT_CLASS_DEVICE=y -CONFIG_BALLOON_COMPACTION=y -CONFIG_BASE_FULL=y -CONFIG_BASE_SMALL=0 -CONFIG_BCMA_POSSIBLE=y -CONFIG_BE2NET_BE2=y -CONFIG_BE2NET_BE3=y -CONFIG_BE2NET_HWMON=y -CONFIG_BE2NET_LANCER=y -CONFIG_BE2NET=m -CONFIG_BE2NET_SKYHAWK=y -CONFIG_BFQ_GROUP_IOSCHED=y -CONFIG_BINARY_PRINTF=y -CONFIG_BINFMT_ELF=y -CONFIG_BINFMT_MISC=m 
-CONFIG_BINFMT_SCRIPT=y -CONFIG_BITREVERSE=y -CONFIG_BLK_CGROUP_PUNT_BIO=y -CONFIG_BLK_CGROUP_RWSTAT=y -CONFIG_BLK_CGROUP=y -CONFIG_BLK_DEBUG_FS=y -CONFIG_BLK_DEV_BSG_COMMON=y -CONFIG_BLK_DEV_BSGLIB=y -CONFIG_BLK_DEV_BSG=y -CONFIG_BLK_DEV_DM_BUILTIN=y -CONFIG_BLK_DEV_DM=y -CONFIG_BLK_DEV_INITRD=y -CONFIG_BLK_DEV_IO_TRACE=y -CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 -CONFIG_BLK_DEV_LOOP=y -CONFIG_BLK_DEV_MD=y -CONFIG_BLK_DEV_NBD=m -CONFIG_BLK_DEV_NVME=m -CONFIG_BLK_DEV_RBD=y -CONFIG_BLK_DEV_SD=y -CONFIG_BLK_DEV_SR=y -CONFIG_BLK_DEV_THROTTLING=y -CONFIG_BLK_DEV=y -CONFIG_BLK_ICQ=y -CONFIG_BLK_MQ_PCI=y -CONFIG_BLK_MQ_STACKING=y -CONFIG_BLK_MQ_VIRTIO=y -CONFIG_BLK_PM=y -CONFIG_BLOCK_HOLDER_DEPRECATED=y -CONFIG_BLOCK_LEGACY_AUTOLOAD=y -CONFIG_BLOCK=y -CONFIG_BNX2=m -CONFIG_BNX2X=m -CONFIG_BNX2X_SRIOV=y -CONFIG_BNXT_FLOWER_OFFLOAD=y -CONFIG_BNXT_HWMON=y -CONFIG_BNXT=m -CONFIG_BNXT_SRIOV=y -CONFIG_BONDING=y -CONFIG_BOOT_VESA_SUPPORT=y -CONFIG_BPF_EVENTS=y -CONFIG_BPF_JIT_ALWAYS_ON=y -CONFIG_BPF_JIT_DEFAULT_ON=y -CONFIG_BPF_JIT=y -CONFIG_BPF_LSM=y -CONFIG_BPF_STREAM_PARSER=y -CONFIG_BPF_SYSCALL=y -CONFIG_BPF_UNPRIV_DEFAULT_OFF=y -CONFIG_BPF=y -CONFIG_BQL=y -CONFIG_BRANCH_PROFILE_NONE=y -CONFIG_BRIDGE_EBT_802_3=y -CONFIG_BRIDGE_EBT_AMONG=y -CONFIG_BRIDGE_EBT_ARPREPLY=y -CONFIG_BRIDGE_EBT_ARP=y -CONFIG_BRIDGE_EBT_BROUTE=y -CONFIG_BRIDGE_EBT_DNAT=y -CONFIG_BRIDGE_EBT_IP6=y -CONFIG_BRIDGE_EBT_IP=y -CONFIG_BRIDGE_EBT_LIMIT=y -CONFIG_BRIDGE_EBT_LOG=y -CONFIG_BRIDGE_EBT_MARK_T=y -CONFIG_BRIDGE_EBT_MARK=y -CONFIG_BRIDGE_EBT_NFLOG=y -CONFIG_BRIDGE_EBT_PKTTYPE=y -CONFIG_BRIDGE_EBT_REDIRECT=y -CONFIG_BRIDGE_EBT_SNAT=y -CONFIG_BRIDGE_EBT_STP=y -CONFIG_BRIDGE_EBT_T_FILTER=y -CONFIG_BRIDGE_EBT_T_NAT=y -CONFIG_BRIDGE_EBT_VLAN=y -CONFIG_BRIDGE_IGMP_SNOOPING=y -CONFIG_BRIDGE_NETFILTER=y -CONFIG_BRIDGE_NF_EBTABLES=y -CONFIG_BRIDGE_VLAN_FILTERING=y -CONFIG_BRIDGE=y -CONFIG_BSD_DISKLABEL=y -CONFIG_BSD_PROCESS_ACCT=y -CONFIG_BTRFS_FS=y -CONFIG_BTRFS_FS_POSIX_ACL=y -CONFIG_BUFFER_HEAD=y 
-CONFIG_BUG_ON_DATA_CORRUPTION=y -CONFIG_BUG=y -CONFIG_BUILD_SALT="" -CONFIG_BUILDTIME_MCOUNT_SORT=y -CONFIG_BUILDTIME_TABLE_SORT=y -CONFIG_CACHESTAT_SYSCALL=y -CONFIG_CALL_DEPTH_TRACKING=y -CONFIG_CALL_PADDING=y -CONFIG_CALL_THUNKS=y -CONFIG_CAVIUM_PTP=m -CONFIG_CC10001_ADC=m -CONFIG_CC_CAN_LINK=y -CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y -CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT=y -CONFIG_CC_HAS_ASM_INLINE=y -CONFIG_CC_HAS_AUTO_VAR_INIT_PATTERN=y -CONFIG_CC_HAS_AUTO_VAR_INIT_ZERO_BARE=y -CONFIG_CC_HAS_AUTO_VAR_INIT_ZERO=y -CONFIG_CC_HAS_ENTRY_PADDING=y -CONFIG_CC_HAS_IBT=y -CONFIG_CC_HAS_INT128=y -CONFIG_CC_HAS_KASAN_GENERIC=y -CONFIG_CC_HAS_NAMED_AS_FIXED_SANITIZERS=y -CONFIG_CC_HAS_NAMED_AS=y -CONFIG_CC_HAS_NO_PROFILE_FN_ATTR=y -CONFIG_CC_HAS_RETURN_THUNK=y -CONFIG_CC_HAS_SANCOV_TRACE_PC=y -CONFIG_CC_HAS_SANE_STACKPROTECTOR=y -CONFIG_CC_HAS_SLS=y -CONFIG_CC_HAS_WORKING_NOSANITIZE_ADDRESS=y -CONFIG_CC_HAS_ZERO_CALL_USED_REGS=y -CONFIG_CC_IMPLICIT_FALLTHROUGH="-Wimplicit-fallthrough=5" -CONFIG_CC_IS_GCC=y -CONFIG_CC_NO_ARRAY_BOUNDS=y -CONFIG_CC_NO_STRINGOP_OVERFLOW=y -CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y -CONFIG_CCS811=m -CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.3.0" -CONFIG_CDROM=y -CONFIG_CEPH_FS_POSIX_ACL=y -CONFIG_CEPH_FS=y -CONFIG_CEPH_LIB=y -CONFIG_CFS_BANDWIDTH=y -CONFIG_CGROUP_BPF=y -CONFIG_CGROUP_CPUACCT=y -CONFIG_CGROUP_DEVICE=y -CONFIG_CGROUP_FREEZER=y -CONFIG_CGROUP_HUGETLB=y -CONFIG_CGROUP_MISC=y -CONFIG_CGROUP_NET_CLASSID=y -CONFIG_CGROUP_NET_PRIO=y -CONFIG_CGROUP_PERF=y -CONFIG_CGROUP_PIDS=y -CONFIG_CGROUP_SCHED=y -CONFIG_CGROUPS=y -CONFIG_CGROUP_WRITEBACK=y -CONFIG_CHECK_SIGNATURE=y -CONFIG_CHELSIO_INLINE_CRYPTO=y -CONFIG_CHELSIO_IPSEC_INLINE=m -CONFIG_CHELSIO_T1=m -CONFIG_CHELSIO_T3=m -CONFIG_CHELSIO_T4=m -CONFIG_CHELSIO_T4VF=m -CONFIG_CHR_DEV_SG=y -CONFIG_CIFS_ALLOW_INSECURE_LEGACY=y -CONFIG_CIFS_DEBUG=y -CONFIG_CIFS_DFS_UPCALL=y -CONFIG_CIFS_UPCALL=y -CONFIG_CIFS_XATTR=y -CONFIG_CIFS=y -CONFIG_CLANG_VERSION=0 -CONFIG_CLKBLD_I8253=y -CONFIG_CLKEVT_I8253=y 
-CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y -CONFIG_CLOCKSOURCE_WATCHDOG_MAX_SKEW_US=100 -CONFIG_CLOCKSOURCE_WATCHDOG=y -CONFIG_CLZ_TAB=y -CONFIG_COMMON_CLK=y -CONFIG_COMPACTION=y -CONFIG_COMPACT_UNEVICTABLE_DEFAULT=1 -CONFIG_COMPAT_32BIT_TIME=y -CONFIG_COMPAT_32=y -CONFIG_COMPAT_BINFMT_ELF=y -CONFIG_COMPAT_FOR_U64_ALIGNMENT=y -CONFIG_COMPAT_OLD_SIGACTION=y -CONFIG_COMPAT=y -CONFIG_CONFIGFS_FS=y -CONFIG_CONNECTOR=y -CONFIG_CONSOLE_LOGLEVEL_DEFAULT=7 -CONFIG_CONSOLE_LOGLEVEL_QUIET=4 -CONFIG_CONSOLE_TRANSLATIONS=y -CONFIG_CONTEXT_SWITCH_TRACER=y -CONFIG_CONTEXT_TRACKING_IDLE=y -CONFIG_CONTEXT_TRACKING=y -CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y -CONFIG_COREDUMP=y -CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL=y -CONFIG_CPU_FREQ_GOV_ATTR_SET=y -CONFIG_CPU_FREQ_GOV_COMMON=y -CONFIG_CPU_FREQ_GOV_ONDEMAND=y -CONFIG_CPU_FREQ_GOV_PERFORMANCE=y -CONFIG_CPU_FREQ_GOV_SCHEDUTIL=y -CONFIG_CPU_FREQ_GOV_USERSPACE=y -CONFIG_CPU_FREQ=y -CONFIG_CPU_IBPB_ENTRY=y -CONFIG_CPU_IBRS_ENTRY=y -CONFIG_CPU_IDLE_GOV_HALTPOLL=y -CONFIG_CPU_IDLE_GOV_MENU=y -CONFIG_CPU_IDLE=y -CONFIG_CPU_ISOLATION=y -CONFIG_CPU_MITIGATIONS=y -CONFIG_CPU_RMAP=y -CONFIG_CPUSETS=y -CONFIG_CPU_SRSO=y -CONFIG_CPU_SUP_AMD=y -CONFIG_CPU_SUP_CENTAUR=y -CONFIG_CPU_SUP_HYGON=y -CONFIG_CPU_SUP_INTEL=y -CONFIG_CPU_SUP_ZHAOXIN=y -CONFIG_CPU_UNRET_ENTRY=y -CONFIG_CRASH_CORE=y -CONFIG_CRASH_DUMP=y -CONFIG_CRASH_HOTPLUG=y -CONFIG_CRASH_MAX_MEMORY_RANGES=8192 -CONFIG_CRC16=y -CONFIG_CRC32_SLICEBY8=y -CONFIG_CRC32=y -CONFIG_CRC8=y -CONFIG_CRC_CCITT=y -CONFIG_CRC_ITU_T=y -CONFIG_CROSS_MEMORY_ATTACH=y -CONFIG_CRYPTO_ACOMP2=y -CONFIG_CRYPTO_ADIANTUM=y -CONFIG_CRYPTO_AEAD2=y -CONFIG_CRYPTO_AEAD=y -CONFIG_CRYPTO_AES_NI_INTEL=y -CONFIG_CRYPTO_AES=y -CONFIG_CRYPTO_AKCIPHER2=y -CONFIG_CRYPTO_AKCIPHER=y -CONFIG_CRYPTO_ALGAPI2=y -CONFIG_CRYPTO_ALGAPI=y -CONFIG_CRYPTO_ARC4=y -CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S=y -CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=y -CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519=y -CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=y 
-CONFIG_CRYPTO_AUTHENC=y -CONFIG_CRYPTO_BLAKE2B=y -CONFIG_CRYPTO_BLAKE2S_X86=y -CONFIG_CRYPTO_CBC=y -CONFIG_CRYPTO_CCM=y -CONFIG_CRYPTO_CHACHA20_X86_64=y -CONFIG_CRYPTO_CHACHA20=y -CONFIG_CRYPTO_CMAC=y -CONFIG_CRYPTO_CRC32C=y -CONFIG_CRYPTO_CRC32C_INTEL=y -CONFIG_CRYPTO_CRC32=y -CONFIG_CRYPTO_CRYPTD=y -CONFIG_CRYPTO_CTR=y -CONFIG_CRYPTO_CURVE25519_X86=y -CONFIG_CRYPTO_DEFLATE=y -CONFIG_CRYPTO_DES=y -CONFIG_CRYPTO_DEV_VIRTIO=y -CONFIG_CRYPTO_DH_RFC7919_GROUPS=y -CONFIG_CRYPTO_DH=y -CONFIG_CRYPTO_DRBG_HMAC=y -CONFIG_CRYPTO_DRBG_MENU=y -CONFIG_CRYPTO_DRBG=y -CONFIG_CRYPTO_ECB=y -CONFIG_CRYPTO_ECHAINIV=y -CONFIG_CRYPTO_ENGINE=y -CONFIG_CRYPTO_ESSIV=y -CONFIG_CRYPTO_GCM=y -CONFIG_CRYPTO_GENIV=y -CONFIG_CRYPTO_GHASH=y -CONFIG_CRYPTO_HASH2=y -CONFIG_CRYPTO_HASH_INFO=y -CONFIG_CRYPTO_HASH=y -CONFIG_CRYPTO_HMAC=y -CONFIG_CRYPTO_HW=y -CONFIG_CRYPTO_JITTERENTROPY=y -CONFIG_CRYPTO_KPP2=y -CONFIG_CRYPTO_KPP=y -CONFIG_CRYPTO_LIB_AES=y -CONFIG_CRYPTO_LIB_ARC4=y -CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y -CONFIG_CRYPTO_LIB_CHACHA20POLY1305=y -CONFIG_CRYPTO_LIB_CHACHA_GENERIC=y -CONFIG_CRYPTO_LIB_CHACHA=y -CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=y -CONFIG_CRYPTO_LIB_CURVE25519=y -CONFIG_CRYPTO_LIB_DES=y -CONFIG_CRYPTO_LIB_GF128MUL=y -CONFIG_CRYPTO_LIB_POLY1305_GENERIC=y -CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 -CONFIG_CRYPTO_LIB_POLY1305=y -CONFIG_CRYPTO_LIB_SHA1=y -CONFIG_CRYPTO_LIB_SHA256=y -CONFIG_CRYPTO_LIB_UTILS=y -CONFIG_CRYPTO_LZO=y -CONFIG_CRYPTO_MANAGER2=y -CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y -CONFIG_CRYPTO_MANAGER=y -CONFIG_CRYPTO_MD4=y -CONFIG_CRYPTO_MD5=y -CONFIG_CRYPTO_NHPOLY1305_AVX2=y -CONFIG_CRYPTO_NHPOLY1305_SSE2=y -CONFIG_CRYPTO_NHPOLY1305=y -CONFIG_CRYPTO_NULL2=y -CONFIG_CRYPTO_NULL=y -CONFIG_CRYPTO_POLY1305_X86_64=y -CONFIG_CRYPTO_RNG2=y -CONFIG_CRYPTO_RNG_DEFAULT=y -CONFIG_CRYPTO_RNG=y -CONFIG_CRYPTO_RSA=y -CONFIG_CRYPTO_SEQIV=y -CONFIG_CRYPTO_SHA1=y -CONFIG_CRYPTO_SHA256=y -CONFIG_CRYPTO_SHA3=y -CONFIG_CRYPTO_SHA512=y -CONFIG_CRYPTO_SIG2=y -CONFIG_CRYPTO_SIG=y 
-CONFIG_CRYPTO_SIMD=y -CONFIG_CRYPTO_SKCIPHER2=y -CONFIG_CRYPTO_SKCIPHER=y -CONFIG_CRYPTO_USER_API_AEAD=y -CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE=y -CONFIG_CRYPTO_USER_API_HASH=y -CONFIG_CRYPTO_USER_API_SKCIPHER=y -CONFIG_CRYPTO_USER_API=y -CONFIG_CRYPTO_XTS=y -CONFIG_CRYPTO_XXHASH=m -CONFIG_CRYPTO=y -CONFIG_CRYPTO_ZSTD=m -CONFIG_DAX=y -CONFIG_DCACHE_WORD_ACCESS=y -CONFIG_DCA=y -CONFIG_DCB=y -CONFIG_DEBUG_BOOT_PARAMS=y -CONFIG_DEBUG_BUGVERBOSE=y -CONFIG_DEBUG_ENTRY=y -CONFIG_DEBUG_FS_ALLOW_ALL=y -CONFIG_DEBUG_FS=y -CONFIG_DEBUG_INFO=n -CONFIG_DEBUG_KERNEL=y -CONFIG_DEBUG_LIST=y -CONFIG_DEBUG_MISC=y -CONFIG_DEBUG_WX=y -CONFIG_DECOMPRESS_BZIP2=y -CONFIG_DECOMPRESS_GZIP=y -CONFIG_DECOMPRESS_LZ4=y -CONFIG_DECOMPRESS_LZMA=y -CONFIG_DECOMPRESS_LZO=y -CONFIG_DECOMPRESS_XZ=y -CONFIG_DECOMPRESS_ZSTD=y -CONFIG_DEFAULT_CUBIC=y -CONFIG_DEFAULT_FQ_CODEL=y -CONFIG_DEFAULT_HOSTNAME="(none)" -CONFIG_DEFAULT_INIT="" -CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 -CONFIG_DEFAULT_NET_SCH="fq_codel" -CONFIG_DEFAULT_PFIFO_FAST=y -CONFIG_DEFAULT_SECURITY_DAC=y -CONFIG_DEFAULT_SECURITY_APPARMOR=y -CONFIG_DEFAULT_TCP_CONG="cubic" -CONFIG_DEVPORT=y -CONFIG_DEVTMPFS=y -CONFIG_DEVTMPFS_MOUNT=y -CONFIG_DIMLIB=y -CONFIG_DMA_ACPI=y -CONFIG_DMADEVICES=y -CONFIG_DMA_ENGINE_RAID=y -CONFIG_DMA_ENGINE=y -CONFIG_DMA_OPS=y -CONFIG_DMAR_TABLE=y -CONFIG_DMA_SHARED_BUFFER=y -CONFIG_DM_AUDIT=y -CONFIG_DMA_VIRTUAL_CHANNELS=y -CONFIG_DM_BIO_PRISON=m -CONFIG_DM_BUFIO=y -CONFIG_DM_CACHE=m -CONFIG_DM_CACHE_SMQ=m -CONFIG_DM_CLONE=m -CONFIG_DM_CRYPT=y -CONFIG_DM_DELAY=m -CONFIG_DM_DUST=m -CONFIG_DM_EBS=m -CONFIG_DM_ERA=m -CONFIG_DM_FLAKEY=m -CONFIG_DMIID=y -CONFIG_DM_INTEGRITY=m -CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y -CONFIG_DMI=y -CONFIG_DM_LOG_USERSPACE=m -CONFIG_DM_LOG_WRITES=m -CONFIG_DM_MIRROR=y -CONFIG_DM_MULTIPATH_HST=m -CONFIG_DM_MULTIPATH_IOA=m -CONFIG_DM_MULTIPATH=m -CONFIG_DM_MULTIPATH_QL=m -CONFIG_DM_MULTIPATH_ST=m -CONFIG_DM_PERSISTENT_DATA=m -CONFIG_DM_RAID=m -CONFIG_DM_SNAPSHOT=y -CONFIG_DM_SWITCH=m 
-CONFIG_DM_THIN_PROVISIONING=m -CONFIG_DM_UNSTRIPED=m -CONFIG_DM_VDO=m -CONFIG_DM_VERITY=y -CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y -CONFIG_DM_WRITECACHE=m -CONFIG_DM_ZERO=y -CONFIG_DM_ZONED=m -CONFIG_DNOTIFY=y -CONFIG_DNS_RESOLVER=y -CONFIG_DQL=y -CONFIG_DST_CACHE=y -CONFIG_DUMMY_CONSOLE_COLUMNS=80 -CONFIG_DUMMY_CONSOLE_ROWS=25 -CONFIG_DUMMY_CONSOLE=y -CONFIG_DUMMY=y -CONFIG_DW_DMAC_CORE=y -CONFIG_DYNAMIC_EVENTS=y -CONFIG_DYNAMIC_FTRACE_WITH_ARGS=y -CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y -CONFIG_DYNAMIC_FTRACE_WITH_REGS=y -CONFIG_DYNAMIC_FTRACE=y -CONFIG_DYNAMIC_MEMORY_LAYOUT=y -CONFIG_DYNAMIC_SIGFRAME=y -CONFIG_E1000E_HWTS=y -CONFIG_E1000E=m -CONFIG_E1000=m -CONFIG_EARLY_PRINTK_DBGP=y -CONFIG_EARLY_PRINTK_USB=y -CONFIG_EARLY_PRINTK=y -CONFIG_ECRYPT_FS=m -CONFIG_EDAC_ATOMIC_SCRUB=y -CONFIG_EDAC_DECODE_MCE=y -CONFIG_EDAC_LEGACY_SYSFS=y -CONFIG_EDAC_SUPPORT=y -CONFIG_EDAC=y -CONFIG_EFI_BOOTLOADER_CONTROL=m -CONFIG_EFI_CAPSULE_LOADER=m -CONFIG_EFI_COCO_SECRET=y -CONFIG_EFI_CUSTOM_SSDT_OVERLAYS=y -CONFIG_EFI_DEV_PATH_PARSER=y -CONFIG_EFI_DXE_MEM_ATTRIBUTES=y -CONFIG_EFI_EARLYCON=y -CONFIG_EFI_ESRT=y -CONFIG_EFI_HANDOVER_PROTOCOL=y -CONFIG_EFI_MIXED=y -CONFIG_EFI_PARTITION=y -CONFIG_EFI_RUNTIME_MAP=y -CONFIG_EFI_RUNTIME_WRAPPERS=y -CONFIG_EFI_SECRET=m -CONFIG_EFI_SOFT_RESERVE=y -CONFIG_EFI_STUB=y -CONFIG_EFIVAR_FS=y -CONFIG_EFI_VARS_PSTORE=m -CONFIG_EFI=y -CONFIG_ELF_CORE=y -CONFIG_ELFCORE=y -CONFIG_ENA_ETHERNET=y -CONFIG_ENCLOSURE_SERVICES=y -CONFIG_ENCRYPTED_KEYS=y -CONFIG_ENIC=m -CONFIG_EPOLL=y -CONFIG_EROFS_FS_POSIX_ACL=y -CONFIG_EROFS_FS_SECURITY=y -CONFIG_EROFS_FS_XATTR=y -CONFIG_EROFS_FS=y -CONFIG_EROFS_FS_ZIP=y -CONFIG_EROFS_FS_ZIP_ZSTD=y -CONFIG_ETHERNET=y -CONFIG_ETHTOOL_NETLINK=y -CONFIG_EVENTFD=y -CONFIG_EVENT_TRACING=y -CONFIG_EXCLUSIVE_SYSTEM_RAM=y -CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8" -CONFIG_EXFAT_FS=m -CONFIG_EXPERT=y -CONFIG_EXPORTFS=y -CONFIG_EXT4_FS_POSIX_ACL=y -CONFIG_EXT4_FS_SECURITY=y -CONFIG_EXT4_FS=y -CONFIG_EXT4_USE_FOR_EXT2=y 
-CONFIG_EXTRA_FIRMWARE="" -CONFIG_FAILOVER=y -CONFIG_FAIR_GROUP_SCHED=y -CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y -CONFIG_FANOTIFY=y -CONFIG_FAT_DEFAULT_CODEPAGE=437 -CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1" -CONFIG_FAT_FS=y -CONFIG_FHANDLE=y -CONFIG_FIB_RULES=y -CONFIG_FILE_LOCKING=y -CONFIG_FIRMWARE_MEMMAP=y -CONFIG_FIX_EARLYCON_MEM=y -CONFIG_FIXED_PHY=y -CONFIG_FONT_8x16=y -CONFIG_FONT_SUPPORT=y -CONFIG_FONTS=y -CONFIG_FONT_TER16x32=y -CONFIG_FORCEDETH=y -CONFIG_FORTIFY_SOURCE=y -CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y -CONFIG_FRAMEBUFFER_CONSOLE=y -CONFIG_FRAME_WARN=2048 -CONFIG_FREEZER=y -CONFIG_FS_ENCRYPTION_ALGS=m -CONFIG_FS_ENCRYPTION=y -CONFIG_FS_IOMAP=y -CONFIG_FS_MBCACHE=y -CONFIG_FSNOTIFY=y -CONFIG_FS_POSIX_ACL=y -CONFIG_FTRACE_MCOUNT_RECORD=y -CONFIG_FTRACE_MCOUNT_USE_CC=y -CONFIG_FTRACE_SYSCALLS=y -CONFIG_FTRACE=y -CONFIG_FUNCTION_ALIGNMENT=16 -CONFIG_FUNCTION_ALIGNMENT_16B=y -CONFIG_FUNCTION_ALIGNMENT_4B=y -CONFIG_FUNCTION_ERROR_INJECTION=y -CONFIG_FUNCTION_GRAPH_TRACER=y -CONFIG_FUNCTION_PADDING_BYTES=16 -CONFIG_FUNCTION_PADDING_CFI=11 -CONFIG_FUNCTION_TRACER=y -CONFIG_FUSE_FS=y -CONFIG_FUTEX_PI=y -CONFIG_FUTEX=y -CONFIG_FW_ATTR_CLASS=m -CONFIG_FW_CACHE=y -CONFIG_FW_CFG_SYSFS=m -CONFIG_FW_CS_DSP=m -CONFIG_FW_LOADER_COMPRESS=y -CONFIG_FW_LOADER_COMPRESS_ZSTD=y -CONFIG_FW_LOADER_DEBUG=y -CONFIG_FW_LOADER_PAGED_BUF=y -CONFIG_FW_LOADER_SYSFS=y -CONFIG_FW_LOADER_USER_HELPER=y -CONFIG_FW_LOADER=y -CONFIG_FW_UPLOAD=y -CONFIG_FWNODE_MDIO=y -CONFIG_GCC10_NO_ARRAY_BOUNDS=y -CONFIG_GCC_ASM_GOTO_OUTPUT_WORKAROUND=y -CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y -CONFIG_GCC_PLUGIN_STACKLEAK=y -CONFIG_GCC_PLUGINS=y -CONFIG_GCC_VERSION=130200 -CONFIG_GENERIC_ALLOCATOR=y -CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y -CONFIG_GENERIC_BUG=y -CONFIG_GENERIC_CALIBRATE_DELAY=y -CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y -CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y -CONFIG_GENERIC_CLOCKEVENTS=y -CONFIG_GENERIC_CMOS_UPDATE=y -CONFIG_GENERIC_CPU_AUTOPROBE=y -CONFIG_GENERIC_CPU_VULNERABILITIES=y 
-CONFIG_GENERIC_CPU=y -CONFIG_GENERIC_EARLY_IOREMAP=y -CONFIG_GENERIC_ENTRY=y -CONFIG_GENERIC_GETTIMEOFDAY=y -CONFIG_GENERIC_IOMAP=y -CONFIG_GENERIC_IRQ_EFFECTIVE_AFF_MASK=y -CONFIG_GENERIC_IRQ_MATRIX_ALLOCATOR=y -CONFIG_GENERIC_IRQ_MIGRATION=y -CONFIG_GENERIC_IRQ_PROBE=y -CONFIG_GENERIC_IRQ_RESERVATION_MODE=y -CONFIG_GENERIC_IRQ_SHOW=y -CONFIG_GENERIC_ISA_DMA=y -CONFIG_GENERIC_MSI_IRQ=y -CONFIG_GENERIC_NET_UTILS=y -CONFIG_GENERIC_PCI_IOMAP=y -CONFIG_GENERIC_PENDING_IRQ=y -CONFIG_GENERIC_PTDUMP=y -CONFIG_GENERIC_SMP_IDLE_THREAD=y -CONFIG_GENERIC_STRNCPY_FROM_USER=y -CONFIG_GENERIC_STRNLEN_USER=y -CONFIG_GENERIC_TIME_VSYSCALL=y -CONFIG_GENERIC_TRACER=y -CONFIG_GENERIC_VDSO_TIME_NS=y -CONFIG_GENEVE=y -CONFIG_GLOB=y -CONFIG_GRACE_PERIOD=y -CONFIG_GRO_CELLS=y -CONFIG_GUEST_PERF_EVENTS=y -CONFIG_GVE=m -CONFIG_HALTPOLL_CPUIDLE=y -CONFIG_HARDENED_USERCOPY=y -CONFIG_HARDIRQS_SW_RESEND=y -CONFIG_HARDLOCKUP_CHECK_TIMESTAMP=y -CONFIG_HAS_DMA=y -CONFIG_HAS_IOMEM=y -CONFIG_HAS_IOPORT_MAP=y -CONFIG_HAS_IOPORT=y -CONFIG_HAVE_ACPI_APEI_NMI=y -CONFIG_HAVE_ACPI_APEI=y -CONFIG_HAVE_ALIGNED_STRUCT_PAGE=y -CONFIG_HAVE_ARCH_AUDITSYSCALL=y -CONFIG_HAVE_ARCH_COMPAT_MMAP_BASES=y -CONFIG_HAVE_ARCH_HUGE_VMALLOC=y -CONFIG_HAVE_ARCH_HUGE_VMAP=y -CONFIG_HAVE_ARCH_JUMP_LABEL_RELATIVE=y -CONFIG_HAVE_ARCH_JUMP_LABEL=y -CONFIG_HAVE_ARCH_KASAN_VMALLOC=y -CONFIG_HAVE_ARCH_KASAN=y -CONFIG_HAVE_ARCH_KCSAN=y -CONFIG_HAVE_ARCH_KFENCE=y -CONFIG_HAVE_ARCH_KGDB=y -CONFIG_HAVE_ARCH_KMSAN=y -CONFIG_HAVE_ARCH_MMAP_RND_BITS=y -CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y -CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y -CONFIG_HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET=y -CONFIG_HAVE_ARCH_SECCOMP_FILTER=y -CONFIG_HAVE_ARCH_SECCOMP=y -CONFIG_HAVE_ARCH_SOFT_DIRTY=y -CONFIG_HAVE_ARCH_STACKLEAK=y -CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y -CONFIG_HAVE_ARCH_TRACEHOOK=y -CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD=y -CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y -CONFIG_HAVE_ARCH_VMAP_STACK=y -CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y 
-CONFIG_HAVE_ASM_MODVERSIONS=y -CONFIG_HAVE_BUILDTIME_MCOUNT_SORT=y -CONFIG_HAVE_CALL_THUNKS=y -CONFIG_HAVE_CLK_PREPARE=y -CONFIG_HAVE_CLK=y -CONFIG_HAVE_CMPXCHG_DOUBLE=y -CONFIG_HAVE_CMPXCHG_LOCAL=y -CONFIG_HAVE_CONTEXT_TRACKING_USER_OFFSTACK=y -CONFIG_HAVE_CONTEXT_TRACKING_USER=y -CONFIG_HAVE_C_RECORDMCOUNT=y -CONFIG_HAVE_DEBUG_KMEMLEAK=y -CONFIG_HAVE_DMA_CONTIGUOUS=y -CONFIG_HAVE_DYNAMIC_FTRACE_NO_PATCHABLE=y -CONFIG_HAVE_DYNAMIC_FTRACE_WITH_ARGS=y -CONFIG_HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y -CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y -CONFIG_HAVE_DYNAMIC_FTRACE=y -CONFIG_HAVE_EBPF_JIT=y -CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y -CONFIG_HAVE_EISA=y -CONFIG_HAVE_EXIT_THREAD=y -CONFIG_HAVE_FAST_GUP=y -CONFIG_HAVE_FENTRY=y -CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y -CONFIG_HAVE_FUNCTION_ARG_ACCESS_API=y -CONFIG_HAVE_FUNCTION_ERROR_INJECTION=y -CONFIG_HAVE_FUNCTION_GRAPH_RETVAL=y -CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y -CONFIG_HAVE_FUNCTION_TRACER=y -CONFIG_HAVE_GCC_PLUGINS=y -CONFIG_HAVE_GENERIC_VDSO=y -CONFIG_HAVE_HARDLOCKUP_DETECTOR_BUDDY=y -CONFIG_HAVE_HARDLOCKUP_DETECTOR_PERF=y -CONFIG_HAVE_HW_BREAKPOINT=y -CONFIG_HAVE_IMA_KEXEC=y -CONFIG_HAVE_INTEL_TXT=y -CONFIG_HAVE_IOREMAP_PROT=y -CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y -CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y -CONFIG_HAVE_JUMP_LABEL_HACK=y -CONFIG_HAVE_KCSAN_COMPILER=y -CONFIG_HAVE_KERNEL_BZIP2=y -CONFIG_HAVE_KERNEL_GZIP=y -CONFIG_HAVE_KERNEL_LZ4=y -CONFIG_HAVE_KERNEL_LZMA=y -CONFIG_HAVE_KERNEL_LZO=y -CONFIG_HAVE_KERNEL_XZ=y -CONFIG_HAVE_KERNEL_ZSTD=y -CONFIG_HAVE_KPROBES_ON_FTRACE=y -CONFIG_HAVE_KPROBES=y -CONFIG_HAVE_KRETPROBES=y -CONFIG_HAVE_KVM_CPU_RELAX_INTERCEPT=y -CONFIG_HAVE_KVM_DIRTY_RING_ACQ_REL=y -CONFIG_HAVE_KVM_DIRTY_RING_TSO=y -CONFIG_HAVE_KVM_DIRTY_RING=y -CONFIG_HAVE_KVM_EVENTFD=y -CONFIG_HAVE_KVM_IRQ_BYPASS=y -CONFIG_HAVE_KVM_IRQCHIP=y -CONFIG_HAVE_KVM_IRQFD=y -CONFIG_HAVE_KVM_IRQ_ROUTING=y -CONFIG_HAVE_KVM_MSI=y -CONFIG_HAVE_KVM_NO_POLL=y -CONFIG_HAVE_KVM_PFNCACHE=y -CONFIG_HAVE_KVM_PM_NOTIFIER=y 
-CONFIG_HAVE_KVM=y -CONFIG_HAVE_LIVEPATCH=y -CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y -CONFIG_HAVE_MMIOTRACE_SUPPORT=y -CONFIG_HAVE_MOD_ARCH_SPECIFIC=y -CONFIG_HAVE_MOVE_PMD=y -CONFIG_HAVE_MOVE_PUD=y -CONFIG_HAVE_NMI=y -CONFIG_HAVE_NOINSTR_HACK=y -CONFIG_HAVE_NOINSTR_VALIDATION=y -CONFIG_HAVE_OBJTOOL_MCOUNT=y -CONFIG_HAVE_OBJTOOL_NOP_MCOUNT=y -CONFIG_HAVE_OBJTOOL=y -CONFIG_HAVE_OPTPROBES=y -CONFIG_HAVE_PCI=y -CONFIG_HAVE_PCSPKR_PLATFORM=y -CONFIG_HAVE_PERF_EVENTS_NMI=y -CONFIG_HAVE_PERF_EVENTS=y -CONFIG_HAVE_PERF_REGS=y -CONFIG_HAVE_PERF_USER_STACK_DUMP=y -CONFIG_HAVE_POSIX_CPU_TIMERS_TASK_WORK=y -CONFIG_HAVE_PREEMPT_DYNAMIC_CALL=y -CONFIG_HAVE_PREEMPT_DYNAMIC=y -CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y -CONFIG_HAVE_RELIABLE_STACKTRACE=y -CONFIG_HAVE_RETHOOK=y -CONFIG_HAVE_RSEQ=y -CONFIG_HAVE_RUST=y -CONFIG_HAVE_SAMPLE_FTRACE_DIRECT_MULTI=y -CONFIG_HAVE_SAMPLE_FTRACE_DIRECT=y -CONFIG_HAVE_SETUP_PER_CPU_AREA=y -CONFIG_HAVE_SOFTIRQ_ON_OWN_STACK=y -CONFIG_HAVE_STACKPROTECTOR=y -CONFIG_HAVE_STACK_VALIDATION=y -CONFIG_HAVE_STATIC_CALL_INLINE=y -CONFIG_HAVE_STATIC_CALL=y -CONFIG_HAVE_SYSCALL_TRACEPOINTS=y -CONFIG_HAVE_UACCESS_VALIDATION=y -CONFIG_HAVE_UID16=y -CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y -CONFIG_HAVE_USER_RETURN_NOTIFIER=y -CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y -CONFIG_HDMI=y -CONFIG_HIBERNATE_CALLBACKS=y -CONFIG_HID_A4TECH=m -CONFIG_HID_APPLE=m -CONFIG_HID_BELKIN=m -CONFIG_HID_CHERRY=m -CONFIG_HID_CHICONY=m -CONFIG_HID_CORSAIR=m -CONFIG_HID_CYPRESS=m -CONFIG_HID_EZKEY=m -CONFIG_HID_GENERIC=y -CONFIG_HID_GYRATION=m -CONFIG_HID_ITE=m -CONFIG_HID_KENSINGTON=m -CONFIG_HID_LENOVO=m -CONFIG_HID_LOGITECH_DJ=m -CONFIG_HID_LOGITECH_HIDPP=m -CONFIG_HID_LOGITECH=m -CONFIG_HID_MICROSOFT=m -CONFIG_HID_MONTEREY=m -CONFIG_HID_PANTHERLORD=m -CONFIG_HID_PETALYNX=m -CONFIG_HIDRAW=y -CONFIG_HID_REDRAGON=y -CONFIG_HID_ROCCAT=y -CONFIG_HID_SAMSUNG=m -CONFIG_HID_SUNPLUS=m -CONFIG_HID_SUPPORT=y -CONFIG_HID_TOPSEED=m -CONFIG_HID=y -CONFIG_HIGH_RES_TIMERS=y -CONFIG_HMM_MIRROR=y 
-CONFIG_HOTPLUG_CORE_SYNC_DEAD=y -CONFIG_HOTPLUG_CORE_SYNC_FULL=y -CONFIG_HOTPLUG_CORE_SYNC=y -CONFIG_HOTPLUG_CPU=y -CONFIG_HOTPLUG_PARALLEL=y -CONFIG_HOTPLUG_PCI_ACPI=y -CONFIG_HOTPLUG_PCI_PCIE=y -CONFIG_HOTPLUG_PCI=y -CONFIG_HOTPLUG_SMT=y -CONFIG_HOTPLUG_SPLIT_STARTUP=y -CONFIG_HPET_EMULATE_RTC=y -CONFIG_HPET_TIMER=y -CONFIG_HPET=y -CONFIG_HP_ILO=m -CONFIG_HSA_AMD=y -CONFIG_HSR=y -CONFIG_HSU_DMA=y -CONFIG_HUGETLBFS=y -CONFIG_HUGETLB_PAGE_OPTIMIZE_VMEMMAP=y -CONFIG_HUGETLB_PAGE=y -CONFIG_HVC_DRIVER=y -CONFIG_HVC_IRQ=y -CONFIG_HVC_XEN_FRONTEND=y -CONFIG_HVC_XEN=y -CONFIG_HW_CONSOLE=y -CONFIG_HWMON=y -CONFIG_HW_RANDOM_TPM=y -CONFIG_HW_RANDOM_VIA=y -CONFIG_HW_RANDOM_VIRTIO=y -CONFIG_HW_RANDOM=y -CONFIG_HYPERV_BALLOON=y -CONFIG_HYPERV_IOMMU=y -CONFIG_HYPERVISOR_GUEST=y -CONFIG_HYPERV_KEYBOARD=y -CONFIG_HYPERV_NET=y -CONFIG_HYPERV_STORAGE=y -CONFIG_HYPERV_TIMER=y -CONFIG_HYPERV_UTILS=y -CONFIG_HYPERV_VSOCKETS=y -CONFIG_HYPERV=y -CONFIG_HZ=250 -CONFIG_HZ_250=y -CONFIG_I2C_ALGOBIT=m -CONFIG_I2C_BOARDINFO=y -CONFIG_I2C_COMPAT=y -CONFIG_I2C_HELPER_AUTO=y -CONFIG_I2C_HID=y -CONFIG_I2C_I801=m -CONFIG_I2C_SMBUS=m -CONFIG_I2C=y -CONFIG_I40E=m -CONFIG_I40EVF=m -CONFIG_I6300ESB_WDT=m -CONFIG_I8253_LOCK=y -CONFIG_IA32_EMULATION=y -CONFIG_IA32_FEAT_CTL=y -CONFIG_IAVF=m -CONFIG_ICE_HWTS=y -CONFIG_ICE=m -CONFIG_ICE_SWITCHDEV=y -CONFIG_IGB_DCA=y -CONFIG_IGB_HWMON=y -CONFIG_IGB=m -CONFIG_IGBVF=m -CONFIG_IGC=m -CONFIG_IKCONFIG_PROC=y -CONFIG_IKCONFIG=y -CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 -CONFIG_IMA_APPRAISE_BOOTPARAM=y -CONFIG_IMA_APPRAISE=y -CONFIG_IMA_ARCH_POLICY=y -CONFIG_IMA_DEFAULT_HASH="sha512" -CONFIG_IMA_DEFAULT_HASH_SHA512=y -CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng" -CONFIG_IMA_LSM_RULES=y -CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y -CONFIG_IMA_MEASURE_PCR_IDX=10 -CONFIG_IMA_NG_TEMPLATE=y -CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y -CONFIG_IMA_READ_POLICY=y -CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y -CONFIG_IMA_WRITE_POLICY=y -CONFIG_IMA=y -CONFIG_INET6_AH=y 
-CONFIG_INET6_ESP_OFFLOAD=y -CONFIG_INET6_ESP=y -CONFIG_INET6_IPCOMP=y -CONFIG_INET6_TUNNEL=y -CONFIG_INET6_XFRM_TUNNEL=y -CONFIG_INET_AH=y -CONFIG_INET_ESP=y -CONFIG_INET_IPCOMP=y -CONFIG_INET_TABLE_PERTURB_ORDER=16 -CONFIG_INET_TUNNEL=y -CONFIG_INET_XFRM_TUNNEL=y -CONFIG_INET=y -CONFIG_INFINIBAND_ADDR_TRANS_CONFIGFS=y -CONFIG_INFINIBAND_ADDR_TRANS=y -CONFIG_INFINIBAND_IPOIB_DEBUG=y -CONFIG_INFINIBAND_IPOIB=y -CONFIG_INFINIBAND_VIRT_DMA=y -CONFIG_INFINIBAND=y -CONFIG_INIT_ENV_ARG_LIMIT=32 -CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y -CONFIG_INITRAMFS_PRESERVE_MTIME=y -CONFIG_INITRAMFS_SOURCE="" -CONFIG_INIT_STACK_ALL_ZERO=y -CONFIG_INLINE_READ_UNLOCK_IRQ=y -CONFIG_INLINE_READ_UNLOCK=y -CONFIG_INLINE_SPIN_UNLOCK_IRQ=y -CONFIG_INLINE_WRITE_UNLOCK_IRQ=y -CONFIG_INLINE_WRITE_UNLOCK=y -CONFIG_INOTIFY_USER=y -CONFIG_INPUT_EVDEV=y -CONFIG_INPUT_FF_MEMLESS=y -CONFIG_INPUT_JOYSTICK=y -CONFIG_INPUT_KEYBOARD=y -CONFIG_INPUT_LEDS=y -CONFIG_INPUT_MISC=y -CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024 -CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768 -CONFIG_INPUT_MOUSEDEV=y -CONFIG_INPUT_MOUSE=y -CONFIG_INPUT_SPARSEKMAP=y -CONFIG_INPUT_TABLET=y -CONFIG_INPUT_TOUCHSCREEN=y -CONFIG_INPUT_VIVALDIFMAP=y -CONFIG_INPUT_XEN_KBDDEV_FRONTEND=y -CONFIG_INPUT=y -CONFIG_INSTRUCTION_DECODER=y -CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y -CONFIG_INTEGRITY_AUDIT=y -CONFIG_INTEGRITY_PLATFORM_KEYRING=y -CONFIG_INTEGRITY_SIGNATURE=y -CONFIG_INTEGRITY_TRUSTED_KEYRING=y -CONFIG_INTEGRITY=y -CONFIG_INTEL_GTT=y -CONFIG_INTEL_IDLE=y -CONFIG_INTEL_IOATDMA=y -CONFIG_INTEL_IOMMU_DEFAULT_ON=y -CONFIG_INTEL_IOMMU_FLOPPY_WA=y -CONFIG_INTEL_IOMMU_PERF_EVENTS=y -CONFIG_INTEL_IOMMU_SVM=y -CONFIG_INTEL_IOMMU=y -CONFIG_INTEL_PMC_CORE=m -CONFIG_INTEL_TCC=y -CONFIG_INTERVAL_TREE=y -CONFIG_IO_DELAY_0X80=y -CONFIG_IOMMU_API=y -CONFIG_IOMMU_DEFAULT_DMA_STRICT=y -CONFIG_IOMMU_DMA=y -CONFIG_IOMMU_IO_PGTABLE=y -CONFIG_IOMMU_IOVA=y -CONFIG_IOMMU_SUPPORT=y -CONFIG_IOMMU_SVA=y -CONFIG_IOSCHED_BFQ=y -CONFIG_IOSF_MBI=y -CONFIG_IO_URING=y -CONFIG_IO_WQ=y 
-CONFIG_IP6_NF_FILTER=y -CONFIG_IP6_NF_IPTABLES=y -CONFIG_IP6_NF_MANGLE=y -CONFIG_IP6_NF_MATCH_AH=y -CONFIG_IP6_NF_MATCH_EUI64=y -CONFIG_IP6_NF_MATCH_FRAG=y -CONFIG_IP6_NF_MATCH_HL=y -CONFIG_IP6_NF_MATCH_IPV6HEADER=y -CONFIG_IP6_NF_MATCH_MH=y -CONFIG_IP6_NF_MATCH_OPTS=y -CONFIG_IP6_NF_MATCH_RPFILTER=y -CONFIG_IP6_NF_MATCH_RT=y -CONFIG_IP6_NF_NAT=y -CONFIG_IP6_NF_RAW=y -CONFIG_IP6_NF_SECURITY=y -CONFIG_IP6_NF_TARGET_HL=y -CONFIG_IP6_NF_TARGET_REJECT=y -CONFIG_IP6_NF_TARGET_SYNPROXY=y -CONFIG_IP_ADVANCED_ROUTER=y -CONFIG_IPC_NS=y -CONFIG_IP_DCCP_CCID3=y -CONFIG_IP_DCCP_TFRC_LIB=y -CONFIG_IP_DCCP=y -CONFIG_IPMI_DEVICE_INTERFACE=y -CONFIG_IPMI_DMI_DECODE=y -CONFIG_IPMI_HANDLER=y -CONFIG_IPMI_PLAT_DATA=y -CONFIG_IPMI_POWEROFF=y -CONFIG_IPMI_SI=y -CONFIG_IPMI_WATCHDOG=m -CONFIG_IP_MROUTE_COMMON=y -CONFIG_IP_MROUTE=y -CONFIG_IP_MULTICAST=y -CONFIG_IP_MULTIPLE_TABLES=y -CONFIG_IP_NF_FILTER=y -CONFIG_IP_NF_IPTABLES=y -CONFIG_IP_NF_MANGLE=y -CONFIG_IP_NF_MATCH_RPFILTER=y -CONFIG_IP_NF_NAT=y -CONFIG_IP_NF_RAW=y -CONFIG_IP_NF_TARGET_MASQUERADE=y -CONFIG_IP_NF_TARGET_NETMAP=y -CONFIG_IP_NF_TARGET_REDIRECT=y -CONFIG_IP_NF_TARGET_REJECT=y -CONFIG_IP_PIMSM_V1=y -CONFIG_IP_PIMSM_V2=y -CONFIG_IP_PNP_BOOTP=y -CONFIG_IP_PNP_DHCP=y -CONFIG_IP_PNP_RARP=y -CONFIG_IP_PNP=y -CONFIG_IP_ROUTE_CLASSID=y -CONFIG_IP_ROUTE_MULTIPATH=y -CONFIG_IP_ROUTE_VERBOSE=y -CONFIG_IP_SCTP=y -CONFIG_IP_SET_BITMAP_IPMAC=y -CONFIG_IP_SET_BITMAP_IP=y -CONFIG_IP_SET_BITMAP_PORT=y -CONFIG_IP_SET_HASH_IPMAC=y -CONFIG_IP_SET_HASH_IPMARK=y -CONFIG_IP_SET_HASH_IPPORTIP=y -CONFIG_IP_SET_HASH_IPPORTNET=y -CONFIG_IP_SET_HASH_IPPORT=y -CONFIG_IP_SET_HASH_IP=y -CONFIG_IP_SET_HASH_MAC=y -CONFIG_IP_SET_HASH_NETIFACE=y -CONFIG_IP_SET_HASH_NETNET=y -CONFIG_IP_SET_HASH_NETPORTNET=y -CONFIG_IP_SET_HASH_NETPORT=y -CONFIG_IP_SET_HASH_NET=y -CONFIG_IP_SET_LIST_SET=y -CONFIG_IP_SET_MAX=256 -CONFIG_IP_SET=y -CONFIG_IPV6_FOU_TUNNEL=y -CONFIG_IPV6_FOU=y -CONFIG_IPV6_ILA=y -CONFIG_IPV6_MIP6=y -CONFIG_IPV6_MULTIPLE_TABLES=y 
-CONFIG_IPV6_NDISC_NODETYPE=y -CONFIG_IPV6_ROUTE_INFO=y -CONFIG_IPV6_ROUTER_PREF=y -CONFIG_IPV6_SIT=y -CONFIG_IPV6_TUNNEL=y -CONFIG_IPV6=y -CONFIG_IPVLAN_L3S=y -CONFIG_IPVLAN=y -CONFIG_IP_VS_IPV6=y -CONFIG_IP_VS_LC=y -CONFIG_IP_VS_MH_TAB_INDEX=12 -CONFIG_IP_VS_NFCT=y -CONFIG_IP_VS_PROTO_TCP=y -CONFIG_IP_VS_PROTO_UDP=y -CONFIG_IP_VS_RR=y -CONFIG_IP_VS_SH_TAB_BITS=8 -CONFIG_IP_VS_SH=y -CONFIG_IP_VS_TAB_BITS=12 -CONFIG_IP_VS_WRR=y -CONFIG_IP_VS=y -CONFIG_IRQ_BYPASS_MANAGER=y -CONFIG_IRQ_DOMAIN_HIERARCHY=y -CONFIG_IRQ_DOMAIN=y -CONFIG_IRQ_FORCED_THREADING=y -CONFIG_IRQ_MSI_IOMMU=y -CONFIG_IRQ_POLL=y -CONFIG_IRQ_REMAP=y -CONFIG_IRQ_WORK=y -CONFIG_ISA_DMA_API=y -CONFIG_ISCSI_TCP=y -CONFIG_ISO9660_FS=y -CONFIG_ITCO_VENDOR_SUPPORT=y -CONFIG_ITCO_WDT=m -CONFIG_IXGBE_DCA=y -CONFIG_IXGBE_HWMON=y -CONFIG_IXGBE_IPSEC=y -CONFIG_IXGBE=m -CONFIG_IXGBEVF_IPSEC=y -CONFIG_IXGBEVF=m -CONFIG_JBD2=y -CONFIG_JOLIET=y -CONFIG_JUMP_LABEL=y -CONFIG_KALLSYMS_ABSOLUTE_PERCPU=y -CONFIG_KALLSYMS_BASE_RELATIVE=y -CONFIG_KALLSYMS=y -CONFIG_KARMA_PARTITION=y -CONFIG_KCMP=y -CONFIG_KERNEL_ZSTD=y -CONFIG_KERNFS=y -CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y -CONFIG_KEXEC_CORE=y -CONFIG_KEXEC_FILE=y -CONFIG_KEXEC_SIG=y -CONFIG_KEYBOARD_ATKBD=y -CONFIG_KEYS=y -CONFIG_KFENCE_NUM_OBJECTS=255 -CONFIG_KFENCE_SAMPLE_INTERVAL=100 -CONFIG_KFENCE_STRESS_TEST_FAULTS=0 -CONFIG_KFENCE=y -CONFIG_KPROBE_EVENTS=y -CONFIG_KPROBES_ON_FTRACE=y -CONFIG_KPROBES=y -CONFIG_KRETPROBE_ON_RETHOOK=y -CONFIG_KRETPROBES=y -CONFIG_KVM_AMD=y -CONFIG_KVM_AMD_SEV=y -CONFIG_KVM_ASYNC_PF=y -CONFIG_KVM_COMPAT=y -CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT=y -CONFIG_KVM_GENERIC_HARDWARE_ENABLING=y -CONFIG_KVM_GUEST=y -CONFIG_KVM_INTEL=y -CONFIG_KVM_MMIO=y -CONFIG_KVM_SMM=y -CONFIG_KVM_VFIO=y -CONFIG_KVM_WERROR=y -CONFIG_KVM_XFER_TO_GUEST_WORK=y -CONFIG_KVM=y -CONFIG_L2TP=y -CONFIG_LAPB=y -CONFIG_LD_IS_BFD=y -CONFIG_LD_ORPHAN_WARN_LEVEL="warn" -CONFIG_LD_ORPHAN_WARN=y -CONFIG_LD_VERSION=24200 -CONFIG_LEDS_CLASS=y -CONFIG_LEDS_TRIGGERS=y 
-CONFIG_LEGACY_DIRECT_IO=y -CONFIG_LEGACY_VSYSCALL_NONE=y -CONFIG_LIBCRC32C=y -CONFIG_LINEAR_RANGES=y -CONFIG_LIST_HARDENED=y -CONFIG_LLC2=y -CONFIG_LLC=y -CONFIG_LLD_VERSION=0 -CONFIG_LOAD_UEFI_KEYS=y -#CONFIG_LOCALVERSION="-patagia" -CONFIG_LOCK_DEBUGGING_SUPPORT=y -CONFIG_LOCKDEP_SUPPORT=y -CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y -CONFIG_LOCKD_V4=y -CONFIG_LOCKD=y -CONFIG_LOCK_MM_AND_FIND_VMA=y -CONFIG_LOCK_SPIN_ON_OWNER=y -CONFIG_LOG_BUF_SHIFT=18 -CONFIG_LOG_CPU_MAX_BUF_SHIFT=12 -CONFIG_LOGITECH_FF=y -CONFIG_LOGIWHEELS_FF=y -CONFIG_LOGO_LINUX_CLUT224=y -CONFIG_LOGO=y -CONFIG_LPC_ICH=m -CONFIG_LRU_CACHE=m -CONFIG_LRU_GEN_ENABLED=y -CONFIG_LRU_GEN_WALKS_MMU=y -CONFIG_LRU_GEN=y -CONFIG_LSM="yama,loadpin,safesetid,integrity,bpf,apparmor" -CONFIG_LTO_NONE=y -CONFIG_LWTUNNEL_BPF=y -CONFIG_LWTUNNEL=y -CONFIG_LZ4_COMPRESS=m -CONFIG_LZ4_DECOMPRESS=y -CONFIG_LZ4HC_COMPRESS=m -CONFIG_LZO_COMPRESS=y -CONFIG_LZO_DECOMPRESS=y -CONFIG_MAC80211_STA_HASH_MAX_SIZE=0 -CONFIG_MAC_PARTITION=y -CONFIG_MACVLAN=y -CONFIG_MACVTAP=y -CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x0 -CONFIG_MAGIC_SYSRQ_SERIAL_SEQUENCE="" -CONFIG_MAGIC_SYSRQ_SERIAL=y -CONFIG_MAGIC_SYSRQ=y -CONFIG_MAILBOX=y -CONFIG_MARVELL_10G_PHY=y -CONFIG_MARVELL_PHY=y -CONFIG_MAX_SKB_FRAGS=17 -CONFIG_MD_AUTODETECT=y -CONFIG_MD_BITMAP_FILE=y -CONFIG_MDIO_BUS=y -CONFIG_MDIO_DEVICE=y -CONFIG_MDIO_DEVRES=y -CONFIG_MDIO=m -CONFIG_MD_RAID0=y -CONFIG_MD_RAID10=y -CONFIG_MD_RAID1=y -CONFIG_MD_RAID456=m -CONFIG_MD=y -CONFIG_MEGARAID_SAS=m -CONFIG_MEMBARRIER=y -CONFIG_MEMCG_KMEM=y -CONFIG_MEMCG=y -CONFIG_MEMFD_CREATE=y -CONFIG_MEMORY_BALLOON=y -CONFIG_MEMORY_FAILURE=y -CONFIG_MEMORY_HOTPLUG=y -CONFIG_MEMORY_HOTREMOVE=y -CONFIG_MEMORY_ISOLATION=y -CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4 -CONFIG_MFD_CORE=m -CONFIG_MFD_INTEL_PMC_BXT=m -CONFIG_MICROCODE=y -CONFIG_MIGRATION=y -CONFIG_MII=m -CONFIG_MINIX_SUBPARTITION=y -CONFIG_MISC_FILESYSTEMS=y -CONFIG_MITIGATION_RFDS=y -CONFIG_MITIGATION_SPECTRE_BHI=y -CONFIG_MLX4_CORE_GEN2=y -CONFIG_MLX4_CORE=m 
-CONFIG_MLX4_DEBUG=y -CONFIG_MLX4_EN_DCB=y -CONFIG_MLX4_EN=m -CONFIG_MLX4_INFINIBAND=m -CONFIG_MLX5_BRIDGE=y -CONFIG_MLX5_CORE_EN_DCB=y -CONFIG_MLX5_CORE_EN=y -CONFIG_MLX5_CORE_IPOIB=y -CONFIG_MLX5_CORE=m -CONFIG_MLX5_EN_ARFS=y -CONFIG_MLX5_EN_RXNFC=y -CONFIG_MLX5_ESWITCH=y -CONFIG_MLX5_FPGA=y -CONFIG_MLX5_INFINIBAND=m -CONFIG_MLX5_MPFS=y -CONFIG_MLX5_SW_STEERING=y -CONFIG_MLXFW=m -CONFIG_MLXSW_CORE_HWMON=y -CONFIG_MLXSW_CORE=m -CONFIG_MLXSW_CORE_THERMAL=y -CONFIG_MLXSW_I2C=m -CONFIG_MLXSW_MINIMAL=m -CONFIG_MLXSW_PCI=m -CONFIG_MLXSW_SPECTRUM_DCB=y -CONFIG_MLXSW_SPECTRUM=m -CONFIG_MMC_BLOCK_MINORS=32 -CONFIG_MMC_BLOCK=y -CONFIG_MMC_CQHCI=y -CONFIG_MMCONF_FAM10H=y -CONFIG_MMC_RICOH_MMC=y -CONFIG_MMC_SDHCI_ACPI=m -CONFIG_MMC_SDHCI_F_SDH30=m -CONFIG_MMC_SDHCI_IO_ACCESSORS=y -CONFIG_MMC_SDHCI_PCI=m -CONFIG_MMC_SDHCI_PLTFM=m -CONFIG_MMC_SDHCI_XENON=m -CONFIG_MMC_SDHCI=y -CONFIG_MMC=y -CONFIG_MMU_GATHER_MERGE_VMAS=y -CONFIG_MMU_GATHER_RCU_TABLE_FREE=y -CONFIG_MMU_GATHER_TABLE_FREE=y -CONFIG_MMU_LAZY_TLB_REFCOUNT=y -CONFIG_MMU_NOTIFIER=y -CONFIG_MMU=y -CONFIG_MODPROBE_PATH="/sbin/modprobe" -CONFIG_MODULE_COMPRESS_ZSTD=y -CONFIG_MODULE_FORCE_UNLOAD=y -CONFIG_MODULE_SRCVERSION_ALL=y -CONFIG_MODULE_UNLOAD=y -CONFIG_MODULE_SIG=y -CONFIG_MODULE_SIG_FORCE=y -CONFIG_MODULE_SIG_ALL=y -CONFIG_MODULES_TREE_LOOKUP=y -CONFIG_MODULES_USE_ELF_RELA=y -CONFIG_MODULES=y -CONFIG_MODVERSIONS=y -CONFIG_MPILIB=y -CONFIG_MPLS=y -CONFIG_MQ_IOSCHED_DEADLINE=y -CONFIG_MQ_IOSCHED_KYBER=y -CONFIG_MSDOS_FS=y -CONFIG_MSDOS_PARTITION=y -CONFIG_MTRR=y -CONFIG_MULTIUSER=y -CONFIG_MUTEX_SPIN_ON_OWNER=y -CONFIG_NAMESPACES=y -CONFIG_NEED_DMA_MAP_STATE=y -CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y -CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y -CONFIG_NEED_SG_DMA_FLAGS=y -CONFIG_NEED_SG_DMA_LENGTH=y -CONFIG_NET_ACT_BPF=y -CONFIG_NET_ACT_CSUM=y -CONFIG_NET_ACT_GACT=y -CONFIG_NET_ACT_IFE=y -CONFIG_NET_ACT_IPT=y -CONFIG_NET_ACT_MIRRED=y -CONFIG_NET_ACT_NAT=y -CONFIG_NET_ACT_PEDIT=y -CONFIG_NET_ACT_POLICE=y 
-CONFIG_NET_ACT_SAMPLE=y -CONFIG_NET_ACT_SIMP=y -CONFIG_NET_ACT_SKBEDIT=y -CONFIG_NET_ACT_SKBMOD=y -CONFIG_NET_ACT_TUNNEL_KEY=y -CONFIG_NET_ACT_VLAN=y -CONFIG_NET_CLS_ACT=y -CONFIG_NET_CLS_BASIC=y -CONFIG_NET_CLS_BPF=y -CONFIG_NET_CLS_CGROUP=y -CONFIG_NET_CLS_FLOWER=y -CONFIG_NET_CLS_FLOW=y -CONFIG_NET_CLS_FW=y -CONFIG_NET_CLS_MATCHALL=y -CONFIG_NET_CLS_ROUTE4=y -CONFIG_NET_CLS_U32=y -CONFIG_NET_CLS=y -CONFIG_NETCONSOLE=y -CONFIG_NET_CORE=y -CONFIG_NETDEVICES=y -CONFIG_NET_DEVLINK=y -CONFIG_NET_DSA=y -CONFIG_NET_EGRESS=y -CONFIG_NET_EMATCH_CMP=y -CONFIG_NET_EMATCH_IPSET=y -CONFIG_NET_EMATCH_META=y -CONFIG_NET_EMATCH_NBYTE=y -CONFIG_NET_EMATCH_STACK=32 -CONFIG_NET_EMATCH_TEXT=y -CONFIG_NET_EMATCH_U32=y -CONFIG_NET_EMATCH=y -CONFIG_NET_FAILOVER=y -CONFIG_NETFILTER_ADVANCED=y -CONFIG_NETFILTER_BPF_LINK=y -CONFIG_NETFILTER_CONNCOUNT=y -CONFIG_NETFILTER_EGRESS=y -CONFIG_NETFILTER_FAMILY_BRIDGE=y -CONFIG_NETFILTER_INGRESS=y -CONFIG_NETFILTER_NETLINK_ACCT=y -CONFIG_NETFILTER_NETLINK_GLUE_CT=y -CONFIG_NETFILTER_NETLINK_LOG=y -CONFIG_NETFILTER_NETLINK_OSF=y -CONFIG_NETFILTER_NETLINK_QUEUE=y -CONFIG_NETFILTER_NETLINK=y -CONFIG_NETFILTER_SKIP_EGRESS=y -CONFIG_NETFILTER_SYNPROXY=y -CONFIG_NETFILTER_XTABLES_COMPAT=y -CONFIG_NETFILTER_XTABLES=y -CONFIG_NETFILTER_XT_CONNMARK=y -CONFIG_NETFILTER_XT_MARK=y -CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y -CONFIG_NETFILTER_XT_MATCH_BPF=y -CONFIG_NETFILTER_XT_MATCH_CGROUP=y -CONFIG_NETFILTER_XT_MATCH_CLUSTER=y -CONFIG_NETFILTER_XT_MATCH_COMMENT=y -CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y -CONFIG_NETFILTER_XT_MATCH_CONNLABEL=y -CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y -CONFIG_NETFILTER_XT_MATCH_CONNMARK=y -CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y -CONFIG_NETFILTER_XT_MATCH_CPU=y -CONFIG_NETFILTER_XT_MATCH_DCCP=y -CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y -CONFIG_NETFILTER_XT_MATCH_DSCP=y -CONFIG_NETFILTER_XT_MATCH_ECN=y -CONFIG_NETFILTER_XT_MATCH_ESP=y -CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y -CONFIG_NETFILTER_XT_MATCH_HELPER=y -CONFIG_NETFILTER_XT_MATCH_HL=y 
-CONFIG_NETFILTER_XT_MATCH_IPCOMP=y -CONFIG_NETFILTER_XT_MATCH_IPRANGE=y -CONFIG_NETFILTER_XT_MATCH_IPVS=y -CONFIG_NETFILTER_XT_MATCH_L2TP=y -CONFIG_NETFILTER_XT_MATCH_LENGTH=y -CONFIG_NETFILTER_XT_MATCH_LIMIT=y -CONFIG_NETFILTER_XT_MATCH_MAC=y -CONFIG_NETFILTER_XT_MATCH_MARK=y -CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y -CONFIG_NETFILTER_XT_MATCH_NFACCT=y -CONFIG_NETFILTER_XT_MATCH_OSF=y -CONFIG_NETFILTER_XT_MATCH_OWNER=y -CONFIG_NETFILTER_XT_MATCH_PHYSDEV=y -CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y -CONFIG_NETFILTER_XT_MATCH_POLICY=y -CONFIG_NETFILTER_XT_MATCH_QUOTA=y -CONFIG_NETFILTER_XT_MATCH_RATEEST=y -CONFIG_NETFILTER_XT_MATCH_REALM=y -CONFIG_NETFILTER_XT_MATCH_RECENT=y -CONFIG_NETFILTER_XT_MATCH_SCTP=y -CONFIG_NETFILTER_XT_MATCH_SOCKET=y -CONFIG_NETFILTER_XT_MATCH_STATE=y -CONFIG_NETFILTER_XT_MATCH_STATISTIC=y -CONFIG_NETFILTER_XT_MATCH_STRING=y -CONFIG_NETFILTER_XT_MATCH_TCPMSS=y -CONFIG_NETFILTER_XT_MATCH_TIME=y -CONFIG_NETFILTER_XT_MATCH_U32=y -CONFIG_NETFILTER_XT_NAT=y -CONFIG_NETFILTER_XT_SET=y -CONFIG_NETFILTER_XT_TARGET_AUDIT=y -CONFIG_NETFILTER_XT_TARGET_CHECKSUM=y -CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y -CONFIG_NETFILTER_XT_TARGET_CONNMARK=y -CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y -CONFIG_NETFILTER_XT_TARGET_CT=y -CONFIG_NETFILTER_XT_TARGET_DSCP=y -CONFIG_NETFILTER_XT_TARGET_HL=y -CONFIG_NETFILTER_XT_TARGET_HMARK=y -CONFIG_NETFILTER_XT_TARGET_IDLETIMER=y -CONFIG_NETFILTER_XT_TARGET_LED=y -CONFIG_NETFILTER_XT_TARGET_LOG=y -CONFIG_NETFILTER_XT_TARGET_MARK=y -CONFIG_NETFILTER_XT_TARGET_MASQUERADE=y -CONFIG_NETFILTER_XT_TARGET_NETMAP=y -CONFIG_NETFILTER_XT_TARGET_NFLOG=y -CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y -CONFIG_NETFILTER_XT_TARGET_RATEEST=y -CONFIG_NETFILTER_XT_TARGET_REDIRECT=y -CONFIG_NETFILTER_XT_TARGET_SECMARK=y -CONFIG_NETFILTER_XT_TARGET_TCPMSS=y -CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=y -CONFIG_NETFILTER_XT_TARGET_TEE=y -CONFIG_NETFILTER_XT_TARGET_TPROXY=y -CONFIG_NETFILTER=y -CONFIG_NET_FLOW_LIMIT=y -CONFIG_NET_FOU_IP_TUNNELS=y -CONFIG_NET_FOU=y 
-CONFIG_NETFS_SUPPORT=y -CONFIG_NET_HANDSHAKE=y -CONFIG_NET_IFE=y -CONFIG_NET_INGRESS=y -CONFIG_NET_IPGRE_DEMUX=y -CONFIG_NET_IPGRE=m -CONFIG_NET_IPIP=y -CONFIG_NET_IP_TUNNEL=y -CONFIG_NET_L3_MASTER_DEV=y -CONFIG_NETLABEL=y -CONFIG_NETLINK_DIAG=y -CONFIG_NET_MPLS_GSO=y -CONFIG_NET_NCSI=y -CONFIG_NET_NSH=y -CONFIG_NET_NS=y -CONFIG_NET_POLL_CONTROLLER=y -CONFIG_NETPOLL=y -CONFIG_NET_PTP_CLASSIFY=y -CONFIG_NET_RX_BUSY_POLL=y -CONFIG_NET_SCH_CHOKE=y -CONFIG_NET_SCH_CODEL=y -CONFIG_NET_SCH_DEFAULT=y -CONFIG_NET_SCH_DRR=y -CONFIG_NET_SCHED=y -CONFIG_NET_SCH_FIFO=y -CONFIG_NET_SCH_FQ_CODEL=y -CONFIG_NET_SCH_FQ=y -CONFIG_NET_SCH_GRED=y -CONFIG_NET_SCH_HFSC=y -CONFIG_NET_SCH_HHF=y -CONFIG_NET_SCH_HTB=y -CONFIG_NET_SCH_INGRESS=y -CONFIG_NET_SCH_MQPRIO_LIB=y -CONFIG_NET_SCH_MQPRIO=y -CONFIG_NET_SCH_MULTIQ=y -CONFIG_NET_SCH_NETEM=y -CONFIG_NET_SCH_PIE=y -CONFIG_NET_SCH_PLUG=y -CONFIG_NET_SCH_PRIO=y -CONFIG_NET_SCH_QFQ=y -CONFIG_NET_SCH_RED=y -CONFIG_NET_SCH_SFB=y -CONFIG_NET_SCH_SFQ=y -CONFIG_NET_SCH_TBF=y -CONFIG_NET_SCH_TEQL=y -CONFIG_NET_SELFTESTS=y -CONFIG_NET_SOCK_MSG=y -CONFIG_NET_SWITCHDEV=y -CONFIG_NET_TULIP=y -CONFIG_NET_UDP_TUNNEL=y -CONFIG_NET_VENDOR_3COM=y -CONFIG_NET_VENDOR_8390=y -CONFIG_NET_VENDOR_ADAPTEC=y -CONFIG_NET_VENDOR_AGERE=y -CONFIG_NET_VENDOR_ALACRITECH=y -CONFIG_NET_VENDOR_ALTEON=y -CONFIG_NET_VENDOR_AMAZON=y -CONFIG_NET_VENDOR_AMD=y -CONFIG_NET_VENDOR_AQUANTIA=y -CONFIG_NET_VENDOR_ARC=y -CONFIG_NET_VENDOR_ASIX=y -CONFIG_NET_VENDOR_ATHEROS=y -CONFIG_NET_VENDOR_BROADCOM=y -CONFIG_NET_VENDOR_BROCADE=y -CONFIG_NET_VENDOR_CADENCE=y -CONFIG_NET_VENDOR_CAVIUM=y -CONFIG_NET_VENDOR_CHELSIO=y -CONFIG_NET_VENDOR_CISCO=y -CONFIG_NET_VENDOR_CORTINA=y -CONFIG_NET_VENDOR_DAVICOM=y -CONFIG_NET_VENDOR_DEC=y -CONFIG_NET_VENDOR_DLINK=y -CONFIG_NET_VENDOR_EMULEX=y -CONFIG_NET_VENDOR_ENGLEDER=y -CONFIG_NET_VENDOR_EZCHIP=y -CONFIG_NET_VENDOR_FUNGIBLE=y -CONFIG_NET_VENDOR_GOOGLE=y -CONFIG_NET_VENDOR_HUAWEI=y -CONFIG_NET_VENDOR_I825XX=y -CONFIG_NET_VENDOR_INTEL=y 
-CONFIG_NET_VENDOR_LITEX=y
-CONFIG_NET_VENDOR_MARVELL=y
-CONFIG_NET_VENDOR_MELLANOX=y
-CONFIG_NET_VENDOR_MICREL=y
-CONFIG_NET_VENDOR_MICROCHIP=y
-CONFIG_NET_VENDOR_MICROSEMI=y
-CONFIG_NET_VENDOR_MICROSOFT=y
-CONFIG_NET_VENDOR_MYRI=y
-CONFIG_NET_VENDOR_NATSEMI=y
-CONFIG_NET_VENDOR_NETERION=y
-CONFIG_NET_VENDOR_NETRONOME=y
-CONFIG_NET_VENDOR_NI=y
-CONFIG_NET_VENDOR_NVIDIA=y
-CONFIG_NET_VENDOR_OKI=y
-CONFIG_NET_VENDOR_PACKET_ENGINES=y
-CONFIG_NET_VENDOR_PENSANDO=y
-CONFIG_NET_VENDOR_QLOGIC=y
-CONFIG_NET_VENDOR_QUALCOMM=y
-CONFIG_NET_VENDOR_RDC=y
-CONFIG_NET_VENDOR_REALTEK=y
-CONFIG_NET_VENDOR_RENESAS=y
-CONFIG_NET_VENDOR_ROCKER=y
-CONFIG_NET_VENDOR_SAMSUNG=y
-CONFIG_NET_VENDOR_SEEQ=y
-CONFIG_NET_VENDOR_SILAN=y
-CONFIG_NET_VENDOR_SIS=y
-CONFIG_NET_VENDOR_SMSC=y
-CONFIG_NET_VENDOR_SOCIONEXT=y
-CONFIG_NET_VENDOR_SOLARFLARE=y
-CONFIG_NET_VENDOR_STMICRO=y
-CONFIG_NET_VENDOR_SUN=y
-CONFIG_NET_VENDOR_SYNOPSYS=y
-CONFIG_NET_VENDOR_TEHUTI=y
-CONFIG_NET_VENDOR_TI=y
-CONFIG_NET_VENDOR_VERTEXCOM=y
-CONFIG_NET_VENDOR_VIA=y
-CONFIG_NET_VENDOR_WANGXUN=y
-CONFIG_NET_VENDOR_WIZNET=y
-CONFIG_NET_VENDOR_XILINX=y
-CONFIG_NET_VRF=m
-CONFIG_NETWORK_FILESYSTEMS=y
-CONFIG_NETWORK_SECMARK=y
-CONFIG_NETXEN_NIC=m
-CONFIG_NET_XGRESS=y
-CONFIG_NET=y
-CONFIG_NEW_LEDS=y
-CONFIG_NF_CONNTRACK_BROADCAST=y
-CONFIG_NF_CONNTRACK_EVENTS=y
-CONFIG_NF_CONNTRACK_FTP=y
-CONFIG_NF_CONNTRACK_LABELS=y
-CONFIG_NF_CONNTRACK_MARK=y
-CONFIG_NF_CONNTRACK_NETBIOS_NS=y
-CONFIG_NF_CONNTRACK_OVS=y
-CONFIG_NF_CONNTRACK_PPTP=y
-CONFIG_NF_CONNTRACK_PROCFS=y
-CONFIG_NF_CONNTRACK_SANE=y
-CONFIG_NF_CONNTRACK_SECMARK=y
-CONFIG_NF_CONNTRACK_SIP=y
-CONFIG_NF_CONNTRACK_SNMP=y
-CONFIG_NF_CONNTRACK_TFTP=y
-CONFIG_NF_CONNTRACK_TIMEOUT=y
-CONFIG_NF_CONNTRACK_TIMESTAMP=y
-CONFIG_NF_CONNTRACK=y
-CONFIG_NF_CONNTRACK_ZONES=y
-CONFIG_NF_CT_NETLINK=y
-CONFIG_NF_CT_PROTO_GRE=y
-CONFIG_NF_CT_PROTO_SCTP=y
-CONFIG_NF_DEFRAG_IPV4=y
-CONFIG_NF_DEFRAG_IPV6=y
-CONFIG_NF_DUP_IPV4=y
-CONFIG_NF_DUP_IPV6=y
-CONFIG_NF_DUP_NETDEV=y
-CONFIG_NF_LOG_ARP=y
-CONFIG_NF_LOG_IPV4=y
-CONFIG_NF_LOG_IPV6=y
-CONFIG_NF_LOG_SYSLOG=y
-CONFIG_NF_NAT_FTP=y
-CONFIG_NF_NAT_MASQUERADE=y
-CONFIG_NF_NAT_OVS=y
-CONFIG_NF_NAT_PPTP=y
-CONFIG_NF_NAT_REDIRECT=y
-CONFIG_NF_NAT_SIP=y
-CONFIG_NF_NAT_SNMP_BASIC=y
-CONFIG_NF_NAT_TFTP=y
-CONFIG_NF_NAT=y
-CONFIG_NF_REJECT_IPV4=y
-CONFIG_NF_REJECT_IPV6=y
-CONFIG_NFS_ACL_SUPPORT=m
-CONFIG_NFS_COMMON=y
-CONFIG_NFS_DEBUG=y
-CONFIG_NFS_DISABLE_UDP_SUPPORT=y
-CONFIG_NFSD_LEGACY_CLIENT_TRACKING=y
-CONFIG_NFSD=m
-CONFIG_NFSD_V3_ACL=y
-CONFIG_NFSD_V4_SECURITY_LABEL=y
-CONFIG_NFSD_V4=y
-CONFIG_NFS_FSCACHE=y
-CONFIG_NFS_FS=m
-CONFIG_NFS_USE_KERNEL_DNS=y
-CONFIG_NFS_V2=m
-CONFIG_NFS_V3_ACL=y
-CONFIG_NFS_V3=m
-CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
-CONFIG_NFS_V4_1=y
-CONFIG_NFS_V4_2_READ_PLUS=y
-CONFIG_NFS_V4_2_SSC_HELPER=y
-CONFIG_NFS_V4_2=y
-CONFIG_NFS_V4=m
-CONFIG_NFS_V4_SECURITY_LABEL=y
-CONFIG_NF_TABLES_INET=y
-CONFIG_NF_TABLES_IPV4=y
-CONFIG_NF_TABLES_IPV6=y
-CONFIG_NF_TABLES_NETDEV=y
-CONFIG_NF_TABLES=y
-CONFIG_NFT_COMPAT=y
-CONFIG_NFT_CT=y
-CONFIG_NFT_DUP_NETDEV=y
-CONFIG_NFT_FIB_INET=y
-CONFIG_NFT_FIB_IPV4=y
-CONFIG_NFT_FIB_IPV6=y
-CONFIG_NFT_FIB=y
-CONFIG_NFT_FWD_NETDEV=y
-CONFIG_NFT_HASH=y
-CONFIG_NFT_LIMIT=y
-CONFIG_NFT_LOG=y
-CONFIG_NFT_MASQ=y
-CONFIG_NFT_NAT=y
-CONFIG_NFT_NUMGEN=y
-CONFIG_NF_TPROXY_IPV4=y
-CONFIG_NF_TPROXY_IPV6=y
-CONFIG_NFT_QUEUE=y
-CONFIG_NFT_QUOTA=y
-CONFIG_NFT_REDIR=y
-CONFIG_NFT_REJECT_INET=y
-CONFIG_NFT_REJECT_IPV4=y
-CONFIG_NFT_REJECT_IPV6=y
-CONFIG_NFT_REJECT=y
-CONFIG_NFT_TPROXY=y
-CONFIG_NITRO_ENCLAVES=y
-CONFIG_NLATTR=y
-CONFIG_NLS_ASCII=y
-CONFIG_NLS_CODEPAGE_437=y
-CONFIG_NLS_DEFAULT="utf8"
-CONFIG_NLS_ISO8859_1=y
-CONFIG_NLS_UCS2_UTILS=y
-CONFIG_NLS_UTF8=y
-CONFIG_NLS=y
-CONFIG_NODES_SHIFT=6
-CONFIG_NO_HZ_COMMON=y
-CONFIG_NO_HZ_IDLE=y
-CONFIG_NO_HZ=y
-CONFIG_NOP_TRACER=y
-CONFIG_NR_CPUS=512
-CONFIG_NR_CPUS_DEFAULT=64
-CONFIG_NR_CPUS_RANGE_BEGIN=2
-CONFIG_NR_CPUS_RANGE_END=512
-CONFIG_NUMA=y
-CONFIG_NVME_AUTH=y
-CONFIG_NVME_COMMON=y
-CONFIG_NVME_CORE=y
-CONFIG_NVME_FABRICS=y
-CONFIG_NVME_FC=y
-CONFIG_NVME_HWMON=y
-CONFIG_NVMEM_SYSFS=y
-CONFIG_NVME_MULTIPATH=y
-CONFIG_NVMEM=y
-CONFIG_NVME_RDMA=m
-CONFIG_NVME_TARGET_AUTH=y
-CONFIG_NVME_TARGET_FC=m
-CONFIG_NVME_TARGET_LOOP=m
-CONFIG_NVME_TARGET=m
-CONFIG_NVME_TARGET_PASSTHRU=y
-CONFIG_NVME_TARGET_RDMA=m
-CONFIG_NVME_TARGET_TCP=m
-CONFIG_NVME_TCP=y
-CONFIG_NVRAM=y
-CONFIG_OBJAGG=m
-CONFIG_OBJTOOL=y
-CONFIG_OID_REGISTRY=y
-CONFIG_OLD_SIGSUSPEND3=y
-CONFIG_OPENVSWITCH_GENEVE=y
-CONFIG_OPENVSWITCH_GRE=m
-CONFIG_OPENVSWITCH_VXLAN=y
-CONFIG_OPENVSWITCH=y
-CONFIG_OPTPROBES=y
-CONFIG_OSF_PARTITION=y
-CONFIG_OUTPUT_FORMAT="elf64-x86-64"
-CONFIG_OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW=y
-CONFIG_OVERLAY_FS=y
-CONFIG_P2SB=y
-CONFIG_PACKET=y
-CONFIG_PAGE_COUNTER=y
-CONFIG_PAGE_POISONING=y
-CONFIG_PAGE_POOL=y
-CONFIG_PAGE_REPORTING=y
-CONFIG_PAGE_SIZE_LESS_THAN_256KB=y
-CONFIG_PAGE_SIZE_LESS_THAN_64KB=y
-CONFIG_PAGE_TABLE_ISOLATION=y
-CONFIG_PAHOLE_HAS_LANG_EXCLUDE=y
-CONFIG_PAHOLE_HAS_SPLIT_BTF=y
-CONFIG_PAHOLE_VERSION=126
-CONFIG_PANIC_ON_OOPS_VALUE=1
-CONFIG_PANIC_ON_OOPS=y
-CONFIG_PANIC_TIMEOUT=-1
-CONFIG_PANTHERLORD_FF=y
-CONFIG_PARAVIRT_CLOCK=y
-CONFIG_PARAVIRT_XXL=y
-CONFIG_PARAVIRT=y
-CONFIG_PARMAN=m
-CONFIG_PARTITION_ADVANCED=y
-CONFIG_PATA_AMD=m
-CONFIG_PATA_MARVELL=m
-CONFIG_PATA_OLDPIIX=m
-CONFIG_PATA_SCH=m
-CONFIG_PATA_TIMINGS=y
-CONFIG_PCC=y
-CONFIG_PCI_ATS=y
-CONFIG_PCI_DIRECT=y
-CONFIG_PCI_DOMAINS=y
-CONFIG_PCIEAER=y
-CONFIG_PCIEASPM_DEFAULT=y
-CONFIG_PCIEASPM=y
-CONFIG_PCIE_BUS_DEFAULT=y
-CONFIG_PCIE_PME=y
-CONFIG_PCIEPORTBUS=y
-CONFIG_PCI_HYPERV_INTERFACE=y
-CONFIG_PCI_HYPERV=y
-CONFIG_PCI_IOV=y
-CONFIG_PCI_LABEL=y
-CONFIG_PCI_LOCKLESS_CONFIG=y
-CONFIG_PCI_MMCONFIG=y
-CONFIG_PCI_MSI=y
-CONFIG_PCI_PASID=y
-CONFIG_PCI_PRI=y
-CONFIG_PCI_QUIRKS=y
-CONFIG_PCI_XEN=y
-CONFIG_PCI=y
-CONFIG_PCPU_DEV_REFCNT=y
-CONFIG_PCSPKR_PLATFORM=y
-CONFIG_PERF_EVENTS_AMD_UNCORE=y
-CONFIG_PERF_EVENTS_INTEL_CSTATE=y
-CONFIG_PERF_EVENTS_INTEL_RAPL=y
-CONFIG_PERF_EVENTS_INTEL_UNCORE=y
-CONFIG_PERF_EVENTS=y
-CONFIG_PER_VMA_LOCK=y
-CONFIG_PGTABLE_LEVELS=4
-CONFIG_PHONET=y
-CONFIG_PHYLIB=y
-CONFIG_PHYLINK=y
-CONFIG_PHYS_ADDR_T_64BIT=y
-CONFIG_PHYSICAL_ALIGN=0x200000
-CONFIG_PHYSICAL_START=0x1000000
-CONFIG_PID_NS=y
-CONFIG_PKCS7_MESSAGE_PARSER=y
-CONFIG_PLDMFW=y
-CONFIG_PM_CLK=y
-CONFIG_PM_DEBUG=y
-CONFIG_PM_SLEEP_DEBUG=y
-CONFIG_PM_SLEEP_SMP=y
-CONFIG_PM_SLEEP=y
-CONFIG_PM_TRACE_RTC=y
-CONFIG_PM_TRACE=y
-CONFIG_PM=y
-CONFIG_PNFS_BLOCK=y
-CONFIG_PNFS_FILE_LAYOUT=y
-CONFIG_PNFS_FLEXFILE_LAYOUT=y
-CONFIG_PNPACPI=y
-CONFIG_PNP_DEBUG_MESSAGES=y
-CONFIG_PNP=y
-CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y
-CONFIG_POSIX_MQUEUE_SYSCTL=y
-CONFIG_POSIX_MQUEUE=y
-CONFIG_POSIX_TIMERS=y
-CONFIG_POWER_SUPPLY_HWMON=y
-CONFIG_POWER_SUPPLY=y
-CONFIG_PPS=y
-CONFIG_PREEMPT_NONE_BUILD=y
-CONFIG_PREEMPT_NONE=y
-CONFIG_PREEMPT_NOTIFIERS=y
-CONFIG_PREFIX_SYMBOLS=y
-CONFIG_PREVENT_FIRMWARE_BUILD=y
-CONFIG_PRINTK_TIME=y
-CONFIG_PRINTK=y
-CONFIG_PROBE_EVENTS_BTF_ARGS=y
-CONFIG_PROBE_EVENTS=y
-CONFIG_PROC_CHILDREN=y
-CONFIG_PROC_EVENTS=y
-CONFIG_PROC_FS=y
-CONFIG_PROC_KCORE=y
-CONFIG_PROC_PAGE_MONITOR=y
-CONFIG_PROC_PID_ARCH_STATUS=y
-CONFIG_PROC_PID_CPUSET=y
-CONFIG_PROC_SYSCTL=y
-CONFIG_PROC_VMCORE=y
-CONFIG_PROFILING=y
-CONFIG_PROVIDE_OHCI1394_DMA_INIT=y
-CONFIG_PSAMPLE=y
-CONFIG_PSI=y
-CONFIG_PTDUMP_CORE=y
-CONFIG_PTP_1588_CLOCK_KVM=y
-CONFIG_PTP_1588_CLOCK_OPTIONAL=y
-CONFIG_PTP_1588_CLOCK=y
-CONFIG_PWM_SYSFS=y
-CONFIG_PWM=y
-CONFIG_QEDE=m
-CONFIG_QED=m
-CONFIG_QED_SRIOV=y
-CONFIG_QFMT_V2=y
-CONFIG_QLCNIC_DCB=y
-CONFIG_QLCNIC_HWMON=y
-CONFIG_QLCNIC=m
-CONFIG_QLCNIC_SRIOV=y
-CONFIG_QUEUED_RWLOCKS=y
-CONFIG_QUEUED_SPINLOCKS=y
-CONFIG_QUOTACTL=y
-CONFIG_QUOTA_NETLINK_INTERFACE=y
-CONFIG_QUOTA_TREE=y
-CONFIG_QUOTA=y
-CONFIG_R8169=m
-CONFIG_RAID6_PQ_BENCHMARK=y
-CONFIG_RAID6_PQ=y
-CONFIG_RAID_ATTRS=y
-CONFIG_RANDOMIZE_BASE=y
-CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
-CONFIG_RANDOMIZE_KSTACK_OFFSET=y
-CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0x0
-CONFIG_RANDOMIZE_MEMORY=y
-CONFIG_RANDSTRUCT_NONE=y
-CONFIG_RAS=y
-CONFIG_RATIONAL=y
-CONFIG_RCU_CPU_STALL_TIMEOUT=21
-CONFIG_RCU_EXP_CPU_STALL_TIMEOUT=0
-CONFIG_RCU_NEED_SEGCBLIST=y
-CONFIG_RCU_STALL_COMMON=y
-CONFIG_RDMA_RXE=m
-CONFIG_RDS=y
-CONFIG_RD_XZ=y
-CONFIG_RD_ZSTD=y
-CONFIG_REALTEK_PHY=y
-CONFIG_REGMAP_I2C=y
-CONFIG_REGMAP=y
-CONFIG_REGULATOR_FIXED_VOLTAGE=y
-CONFIG_REGULATOR_MP8859=y
-CONFIG_REGULATOR_PWM=y
-CONFIG_REGULATOR=y
-CONFIG_RELAY=y
-CONFIG_RELOCATABLE=y
-CONFIG_RESET_ATTACK_MITIGATION=y
-CONFIG_RETHOOK=y
-CONFIG_RETHUNK=y
-CONFIG_RETPOLINE=y
-CONFIG_RFS_ACCEL=y
-CONFIG_RING_BUFFER=y
-CONFIG_ROOT_NFS=y
-CONFIG_RPCSEC_GSS_KRB5=y
-CONFIG_RPMSG_NS=y
-CONFIG_RPMSG_VIRTIO=y
-CONFIG_RPMSG=y
-CONFIG_RPS=y
-CONFIG_RSEQ=y
-CONFIG_RTC_CLASS=y
-CONFIG_RTC_DRV_CMOS=y
-CONFIG_RTC_I2C_AND_SPI=y
-CONFIG_RTC_INTF_DEV=y
-CONFIG_RTC_INTF_PROC=y
-CONFIG_RTC_INTF_SYSFS=y
-CONFIG_RTC_LIB=y
-CONFIG_RTC_MC146818_LIB=y
-CONFIG_RTC_NVMEM=y
-CONFIG_RTC_SYSTOHC_DEVICE="rtc0"
-CONFIG_RTC_SYSTOHC=y
-CONFIG_RT_GROUP_SCHED=y
-CONFIG_RT_MUTEXES=y
-CONFIG_RUNTIME_TESTING_MENU=y
-CONFIG_RWSEM_SPIN_ON_OWNER=y
-CONFIG_SATA_AHCI=m
-CONFIG_SATA_HOST=y
-CONFIG_SATA_MOBILE_LPM_POLICY=0
-CONFIG_SATA_NV=m
-CONFIG_SATA_PMP=y
-CONFIG_SATA_SIS=y
-CONFIG_SATA_SVW=m
-CONFIG_SATA_ULI=m
-CONFIG_SATA_VIA=m
-CONFIG_SATA_VITESSE=m
-CONFIG_SBITMAP=y
-CONFIG_SCHED_CLUSTER=y
-CONFIG_SCHED_CORE=y
-CONFIG_SCHED_HRTICK=y
-CONFIG_SCHED_INFO=y
-CONFIG_SCHED_MC_PRIO=y
-CONFIG_SCHED_MC=y
-CONFIG_SCHED_MM_CID=y
-CONFIG_SCHED_OMIT_FRAME_POINTER=y
-CONFIG_SCHED_SMT=y
-CONFIG_SCHED_STACK_END_CHECK=y
-CONFIG_SCHEDSTATS=y
-CONFIG_SCSI_AACRAID=m
-CONFIG_SCSI_COMMON=y
-CONFIG_SCSI_CONSTANTS=y
-CONFIG_SCSI_DMA=y
-CONFIG_SCSI_ENCLOSURE=y
-CONFIG_SCSI_HPSA=m
-CONFIG_SCSI_ISCI=m
-CONFIG_SCSI_ISCSI_ATTRS=y
-CONFIG_SCSI_LOWLEVEL=y
-CONFIG_SCSI_MOD=y
-CONFIG_SCSI_MPT2SAS_MAX_SGE=128
-CONFIG_SCSI_MPT3SAS=m
-CONFIG_SCSI_MPT3SAS_MAX_SGE=128
-CONFIG_SCSI_PMCRAID=m
-CONFIG_SCSI_PROC_FS=y
-CONFIG_SCSI_SAS_ATA=y
-CONFIG_SCSI_SAS_ATTRS=y
-CONFIG_SCSI_SAS_HOST_SMP=y
-CONFIG_SCSI_SAS_LIBSAS=y
-CONFIG_SCSI_SMARTPQI=m
-CONFIG_SCSI_SPI_ATTRS=y
-CONFIG_SCSI_VIRTIO=y
-CONFIG_SCSI=y
-CONFIG_SCTP_COOKIE_HMAC_MD5=y
-CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5=y
-CONFIG_SECCOMP_FILTER=y
-CONFIG_SECCOMP=y
-CONFIG_SECRETMEM=y
-CONFIG_SECTION_MISMATCH_WARN_ONLY=y
-CONFIG_SECURITY_APPARMOR_EXPORT_BINARY=y
-CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
-CONFIG_SECURITY_APPARMOR_HASH=y
-CONFIG_SECURITY_APPARMOR_INTROSPECT_POLICY=y
-CONFIG_SECURITY_APPARMOR_PARANOID_LOAD=y
-CONFIG_SECURITY_APPARMOR=y
-CONFIG_SECURITY_DMESG_RESTRICT=y
-CONFIG_SECURITYFS=y
-CONFIG_SECURITY_LANDLOCK=y
-CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-CONFIG_SECURITY_LOCKDOWN_LSM=y
-CONFIG_SECURITY_NETWORK_XFRM=y
-CONFIG_SECURITY_NETWORK=y
-CONFIG_SECURITY_PATH=y
-CONFIG_SECURITY=y
-CONFIG_SECURITY_YAMA=y
-CONFIG_SENSORS_ACPI_POWER=y
-CONFIG_SENSORS_CORETEMP=y
-CONFIG_SENSORS_DRIVETEMP=y
-CONFIG_SENSORS_FAM15H_POWER=m
-CONFIG_SENSORS_I5500=m
-CONFIG_SENSORS_I5K_AMB=m
-CONFIG_SENSORS_K10TEMP=m
-CONFIG_SENSORS_K8TEMP=m
-CONFIG_SENSORS_NCT6683=y
-CONFIG_SERIAL_8250_CONSOLE=y
-CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y
-CONFIG_SERIAL_8250_DETECT_IRQ=y
-CONFIG_SERIAL_8250_DMA=y
-CONFIG_SERIAL_8250_DWLIB=y
-CONFIG_SERIAL_8250_EXAR=y
-CONFIG_SERIAL_8250_EXTENDED=y
-CONFIG_SERIAL_8250_LPSS=y
-CONFIG_SERIAL_8250_MANY_PORTS=y
-CONFIG_SERIAL_8250_MID=y
-CONFIG_SERIAL_8250_NR_UARTS=32
-CONFIG_SERIAL_8250_PCILIB=y
-CONFIG_SERIAL_8250_PCI=y
-CONFIG_SERIAL_8250_PERICOM=y
-CONFIG_SERIAL_8250_PNP=y
-CONFIG_SERIAL_8250_RSA=y
-CONFIG_SERIAL_8250_RUNTIME_UARTS=4
-CONFIG_SERIAL_8250_SHARE_IRQ=y
-CONFIG_SERIAL_8250=y
-CONFIG_SERIAL_CORE_CONSOLE=y
-CONFIG_SERIAL_CORE=y
-CONFIG_SERIAL_EARLYCON=y
-CONFIG_SERIAL_NONSTANDARD=y
-CONFIG_SERIO_I8042=y
-CONFIG_SERIO_LIBPS2=y
-CONFIG_SERIO_PCIPS2=m
-CONFIG_SERIO_SERPORT=y
-CONFIG_SERIO=y
-CONFIG_SFC=m
-CONFIG_SFC_MCDI_LOGGING=y
-CONFIG_SFC_MCDI_MON=y
-CONFIG_SFC_SIENA=m
-CONFIG_SFC_SIENA_MCDI_LOGGING=y
-CONFIG_SFC_SIENA_MCDI_MON=y
-CONFIG_SFC_SIENA_SRIOV=y
-CONFIG_SFC_SRIOV=y
-CONFIG_SGETMASK_SYSCALL=y
-CONFIG_SGI_PARTITION=y
-CONFIG_SGL_ALLOC=y
-CONFIG_SG_POOL=y
-CONFIG_SHMEM=y
-CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
-CONFIG_SIGNALFD=y
-CONFIG_SIGNATURE=y
-CONFIG_SIGNED_PE_FILE_VERIFICATION=y
-CONFIG_SKB_EXTENSIONS=y
-CONFIG_SKY2=m
-CONFIG_SLAB_FREELIST_HARDENED=y
-CONFIG_SLAB_FREELIST_RANDOM=y
-CONFIG_SLAB_MERGE_DEFAULT=y
-CONFIG_SLS=y
-CONFIG_SLUB_CPU_PARTIAL=y
-CONFIG_SLUB_DEBUG=y
-CONFIG_SLUB=y
-CONFIG_SMBFS=y
-CONFIG_SMP=y
-CONFIG_SMSC_PHY=m
-CONFIG_SOCK_CGROUP_DATA=y
-CONFIG_SOCK_RX_QUEUE_MAPPING=y
-CONFIG_SOFTIRQ_ON_OWN_STACK=y
-CONFIG_SOLARIS_X86_PARTITION=y
-CONFIG_SP5100_TCO=m
-CONFIG_SPARSE_IRQ=y
-CONFIG_SPARSEMEM_EXTREME=y
-CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
-CONFIG_SPARSEMEM_VMEMMAP=y
-CONFIG_SPARSEMEM=y
-CONFIG_SPLIT_PTLOCK_CPUS=4
-CONFIG_SQUASHFS_COMPILE_DECOMP_SINGLE=y
-CONFIG_SQUASHFS_DECOMP_SINGLE=y
-CONFIG_SQUASHFS_FILE_DIRECT=y
-CONFIG_SQUASHFS_FRAGMENT_CACHE_SIZE=3
-CONFIG_SQUASHFS_XATTR=y
-CONFIG_SQUASHFS_XZ=y
-CONFIG_SQUASHFS=y
-CONFIG_SQUASHFS_ZSTD=y
-CONFIG_SSB_POSSIBLE=y
-CONFIG_STACKDEPOT=y
-CONFIG_STACKLEAK_TRACK_MIN_SIZE=100
-CONFIG_STACKPROTECTOR_STRONG=y
-CONFIG_STACKPROTECTOR=y
-CONFIG_STACKTRACE_SUPPORT=y
-CONFIG_STACKTRACE=y
-CONFIG_STANDALONE=y
-CONFIG_STP=y
-CONFIG_STREAM_PARSER=y
-CONFIG_STRICT_KERNEL_RWX=y
-CONFIG_STRICT_MODULE_RWX=y
-CONFIG_SUN_PARTITION=y
-CONFIG_SUNRPC_BACKCHANNEL=y
-CONFIG_SUNRPC_GSS=y
-CONFIG_SUNRPC_XPRT_RDMA=y
-CONFIG_SUNRPC=y
-CONFIG_SURFACE_PLATFORMS=y
-CONFIG_SUSPEND_FREEZER=y
-CONFIG_SUSPEND=y
-CONFIG_SWAP=y
-CONFIG_SWIOTLB_XEN=y
-CONFIG_SWIOTLB=y
-CONFIG_SWPHY=y
-CONFIG_SYMBOLIC_ERRNAME=y
-CONFIG_SYNC_FILE=y
-CONFIG_SYN_COOKIES=y
-CONFIG_SYSCTL_EXCEPTION_TRACE=y
-CONFIG_SYSCTL=y
-CONFIG_SYSFB=y
-CONFIG_SYSFS_SYSCALL=y
-CONFIG_SYSFS=y
-CONFIG_SYS_HYPERVISOR=y
-CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
-CONFIG_SYSTEM_BLACKLIST_KEYRING=y
-CONFIG_SYSTEM_DATA_VERIFICATION=y
-CONFIG_SYSTEM_TRUSTED_KEYRING=y
-CONFIG_SYSTEM_TRUSTED_KEYS=""
-CONFIG_SYSVIPC_COMPAT=y
-CONFIG_SYSVIPC_SYSCTL=y
-CONFIG_SYSVIPC=y
-CONFIG_TAP=y
-CONFIG_TASK_DELAY_ACCT=y
-CONFIG_TASK_IO_ACCOUNTING=y
-CONFIG_TASKS_RCU_GENERIC=y
-CONFIG_TASKS_RUDE_RCU=y
-CONFIG_TASKSTATS=y
-CONFIG_TASKS_TRACE_RCU=y
-CONFIG_TASK_XACCT=y
-CONFIG_TCG_CRB=y
-CONFIG_TCG_TIS_CORE=y
-CONFIG_TCG_TIS=y
-CONFIG_TCG_TPM=y
-CONFIG_TCG_TPM2_HMAC=n
-CONFIG_TCP_CONG_ADVANCED=y
-CONFIG_TCP_CONG_BBR=y
-CONFIG_TCP_CONG_CUBIC=y
-CONFIG_TCP_MD5SIG=y
-CONFIG_TEXTSEARCH_BM=y
-CONFIG_TEXTSEARCH_FSM=y
-CONFIG_TEXTSEARCH_KMP=y
-CONFIG_TEXTSEARCH=y
-CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
-CONFIG_THERMAL_EMERGENCY_POWEROFF_DELAY_MS=0
-CONFIG_THERMAL_GOV_STEP_WISE=y
-CONFIG_THERMAL_GOV_USER_SPACE=y
-CONFIG_THERMAL_HWMON=y
-CONFIG_THERMAL_WRITABLE_TRIPS=y
-CONFIG_THERMAL=y
-CONFIG_THREAD_INFO_IN_TASK=y
-CONFIG_TICK_CPU_ACCOUNTING=y
-CONFIG_TICK_ONESHOT=y
-CONFIG_TIGON3_HWMON=y
-CONFIG_TIGON3=m
-CONFIG_TIME_NS=y
-CONFIG_TIMERFD=y
-CONFIG_TLS=m
-CONFIG_TMPFS_POSIX_ACL=y
-CONFIG_TMPFS_XATTR=y
-CONFIG_TMPFS=y
-CONFIG_TOOLS_SUPPORT_RELR=y
-CONFIG_TRACE_CLOCK=y
-CONFIG_TRACE_IRQFLAGS_NMI_SUPPORT=y
-CONFIG_TRACE_IRQFLAGS_SUPPORT=y
-CONFIG_TRACEPOINTS=y
-CONFIG_TRACING_SUPPORT=y
-CONFIG_TRACING=y
-CONFIG_TREE_RCU=y
-CONFIG_TREE_SRCU=y
-CONFIG_TTY=y
-CONFIG_TTY_PRINTK_LEVEL=6
-CONFIG_TTY_PRINTK=m
-CONFIG_TUN=y
-CONFIG_UBSAN_BOOL=y
-CONFIG_UBSAN_BOUNDS_STRICT=y
-CONFIG_UBSAN_BOUNDS=y
-CONFIG_UBSAN_ENUM=y
-CONFIG_UBSAN_SANITIZE_ALL=y
-CONFIG_UBSAN_SHIFT=y
-CONFIG_UBSAN=y
-CONFIG_UCS2_STRING=y
-CONFIG_UDF_FS=y
-CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
-CONFIG_UEVENT_HELPER=y
-CONFIG_UID16=y
-CONFIG_UNIX98_PTYS=y
-CONFIG_UNIX_SCM=y
-CONFIG_UNIXWARE_DISKLABEL=y
-CONFIG_UNIX=y
-CONFIG_UNWINDER_ORC=y
-CONFIG_UPROBE_EVENTS=y
-CONFIG_UPROBES=y
-CONFIG_USB4=m
-CONFIG_USB4_NET=m
-CONFIG_USB_ACM=y
-CONFIG_USB_ALI_M5632=y
-CONFIG_USB_AN2720=y
-CONFIG_USB_ARCH_HAS_HCD=y
-CONFIG_USB_ARMLINUX=y
-CONFIG_USB_AUTOSUSPEND_DELAY=2
-CONFIG_USB_BELKIN=y
-CONFIG_USB_CDC_PHONET=m
-CONFIG_USB_COMMON=y
-CONFIG_USB_DEFAULT_PERSIST=y
-CONFIG_USB_EHCI_HCD=y
-CONFIG_USB_EHCI_PCI=y
-CONFIG_USB_EHCI_TT_NEWSCHED=y
-CONFIG_USB_HID=y
-CONFIG_USB_KC2190=y
-CONFIG_USB_NET_AQC111=m
-CONFIG_USB_NET_AX88179_178A=m
-CONFIG_USB_NET_AX8817X=m
-CONFIG_USB_NET_CDC_EEM=m
-CONFIG_USB_NET_CDCETHER=m
-CONFIG_USB_NET_CDC_MBIM=m
-CONFIG_USB_NET_CDC_NCM=m
-CONFIG_USB_NET_CDC_SUBSET_ENABLE=m
-CONFIG_USB_NET_CDC_SUBSET=m
-CONFIG_USB_NET_CX82310_ETH=m
-CONFIG_USB_NET_DM9601=m
-CONFIG_USB_NET_DRIVERS=y
-CONFIG_USB_NET_GL620A=m
-CONFIG_USB_NET_HUAWEI_CDC_NCM=m
-CONFIG_USB_NET_INT51X1=m
-CONFIG_USB_NET_KALMIA=m
-CONFIG_USB_NET_MCS7830=m
-CONFIG_USB_NET_NET1080=m
-CONFIG_USB_NET_PLUSB=m
-CONFIG_USB_NET_QMI_WWAN=m
-CONFIG_USB_NET_RNDIS_HOST=m
-CONFIG_USB_NET_SMSC75XX=m
-CONFIG_USB_NET_SMSC95XX=m
-CONFIG_USB_NET_SR9700=m
-CONFIG_USB_NET_SR9800=m
-CONFIG_USB_NET_ZAURUS=m
-CONFIG_USB_OHCI_HCD=m
-CONFIG_USB_OHCI_HCD_PCI=m
-CONFIG_USB_OHCI_HCD_PLATFORM=m
-CONFIG_USB_OHCI_LITTLE_ENDIAN=y
-CONFIG_USB_PCI=y
-CONFIG_USB_RTL8152=m
-CONFIG_USB_RTL8153_ECM=m
-CONFIG_USB_SERIAL_CH341=m
-CONFIG_USB_SERIAL_CONSOLE=y
-CONFIG_USB_SERIAL_CP210X=m
-CONFIG_USB_SERIAL_FTDI_SIO=m
-CONFIG_USB_SERIAL_GENERIC=y
-CONFIG_USB_SERIAL_OPTION=m
-CONFIG_USB_SERIAL_PL2303=m
-CONFIG_USB_SERIAL_WWAN=m
-CONFIG_USB_SERIAL=y
-CONFIG_USB_SIERRA_NET=m
-CONFIG_USB_STORAGE=y
-CONFIG_USB_SUPPORT=y
-CONFIG_USB_UAS=y
-CONFIG_USB_UHCI_HCD=m
-CONFIG_USB_USBNET=m
-CONFIG_USB_VL600=m
-CONFIG_USB_WDM=m
-CONFIG_USB_XHCI_HCD=y
-CONFIG_USB_XHCI_PCI=y
-CONFIG_USB_XHCI_PLATFORM=y
-CONFIG_USB=y
-CONFIG_USELIB=y
-CONFIG_USE_PERCPU_NUMA_NODE_ID=y
-CONFIG_USER_NS=y
-CONFIG_USER_RETURN_NOTIFIER=y
-CONFIG_USER_STACKTRACE_SUPPORT=y
-CONFIG_UTS_NS=y
-CONFIG_UVC_COMMON=m
-CONFIG_VETH=y
-CONFIG_VFAT_FS=y
-CONFIG_VFIO_CONTAINER=y
-CONFIG_VFIO_GROUP=y
-CONFIG_VFIO_IOMMU_TYPE1=m
-CONFIG_VFIO=m
-CONFIG_VFIO_MDEV=m
-CONFIG_VFIO_PCI_CORE=m
-CONFIG_VFIO_PCI_IGD=y
-CONFIG_VFIO_PCI_INTX=y
-CONFIG_VFIO_PCI=m
-CONFIG_VFIO_PCI_MMAP=y
-CONFIG_VFIO_PCI_VGA=y
-CONFIG_VFIO_VIRQFD=y
-CONFIG_VGA_ARB_MAX_GPUS=16
-CONFIG_VGA_ARB=y
-CONFIG_VGA_CONSOLE=y
-CONFIG_VGASTATE=y
-CONFIG_VHOST_IOTLB=y
-CONFIG_VHOST_MENU=y
-CONFIG_VHOST_NET=y
-CONFIG_VHOST_TASK=y
-CONFIG_VHOST_VSOCK=y
-CONFIG_VHOST=y
-CONFIG_VIRT_DRIVERS=y
-CONFIG_VIRTIO_ANCHOR=y
-CONFIG_VIRTIO_BALLOON=m
-CONFIG_VIRTIO_BLK=y
-CONFIG_VIRTIO_CONSOLE=y
-CONFIG_VIRTIO_DMA_SHARED_BUFFER=y
-CONFIG_VIRTIO_FS=y
-CONFIG_VIRTIO_INPUT=m
-CONFIG_VIRTIO_MENU=y
-CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y
-CONFIG_VIRTIO_MMIO=m
-CONFIG_VIRTIO_NET=y
-CONFIG_VIRTIO_PCI_LEGACY=y
-CONFIG_VIRTIO_PCI_LIB_LEGACY=m
-CONFIG_VIRTIO_PCI_LIB=m
-CONFIG_VIRTIO_PCI=m
-CONFIG_VIRTIO_VSOCKETS_COMMON=y
-CONFIG_VIRTIO_VSOCKETS=y
-CONFIG_VIRTIO=y
-CONFIG_VIRTUALIZATION=y
-CONFIG_VLAN_8021Q=y
-CONFIG_VMAP_PFN=y
-CONFIG_VMAP_STACK=y
-CONFIG_VMD=y
-CONFIG_VM_EVENT_COUNTERS=y
-CONFIG_VMGENID=y
-CONFIG_VSOCKETS_DIAG=y
-CONFIG_VSOCKETS_LOOPBACK=y
-CONFIG_VSOCKETS=y
-CONFIG_VT_CONSOLE_SLEEP=y
-CONFIG_VT_CONSOLE=y
-CONFIG_VT_HW_CONSOLE_BINDING=y
-CONFIG_VT=y
-CONFIG_VXLAN=y
-CONFIG_WATCHDOG_CORE=m
-CONFIG_WATCHDOG_HANDLE_BOOT_ENABLED=y
-CONFIG_WATCHDOG_OPEN_TIMEOUT=0
-CONFIG_WATCHDOG_SYSFS=y
-CONFIG_WATCHDOG=y
-CONFIG_WDAT_WDT=m
-CONFIG_WIREGUARD=y
-CONFIG_WIRELESS=y
-CONFIG_WMI_BMOF=y
-CONFIG_X509_CERTIFICATE_PARSER=y
-CONFIG_X86_64_ACPI_NUMA=y
-CONFIG_X86_64_SMP=y
-CONFIG_X86_64=y
-CONFIG_X86_ACPI_CPUFREQ_CPB=y
-CONFIG_X86_ACPI_CPUFREQ=y
-CONFIG_X86_AMD_PSTATE_DEFAULT_MODE=3
-CONFIG_X86_AMD_PSTATE=y
-CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y
-CONFIG_X86_CET=y
-CONFIG_X86_CHECK_BIOS_CORRUPTION=y
-CONFIG_X86_CMOV=y
-CONFIG_X86_CMPXCHG64=y
-CONFIG_X86_CPUID=y
-CONFIG_X86_DEBUGCTLMSR=y
-CONFIG_X86_DEBUG_FPU=y
-CONFIG_X86_DIRECT_GBPAGES=y
-CONFIG_X86_EXTENDED_PLATFORM=y
-CONFIG_X86_HV_CALLBACK_VECTOR=y
-CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
-CONFIG_X86_INTEL_PSTATE=y
-CONFIG_X86_INTEL_TSX_MODE_OFF=y
-CONFIG_X86_INTERNODE_CACHE_SHIFT=6
-CONFIG_X86_IO_APIC=y
-CONFIG_X86_IOPL_IOPERM=y
-CONFIG_X86_KERNEL_IBT=y
-CONFIG_X86_L1_CACHE_SHIFT=6
-CONFIG_X86_LOCAL_APIC=y
-CONFIG_X86_MCE_AMD=y
-CONFIG_X86_MCE_INTEL=y
-CONFIG_X86_MCE_THRESHOLD=y
-CONFIG_X86_MCE=y
-CONFIG_X86_MEM_ENCRYPT=y
-CONFIG_X86_MINIMUM_CPU_FAMILY=64
-CONFIG_X86_MPPARSE=y
-CONFIG_X86_NEED_RELOCS=y
-CONFIG_X86_PAT=y
-CONFIG_X86_PCC_CPUFREQ=m
-CONFIG_X86_PKG_TEMP_THERMAL=y
-CONFIG_X86_PLATFORM_DEVICES=y
-CONFIG_X86_PM_TIMER=y
-CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y
-CONFIG_X86_SUPPORTS_MEMORY_FAILURE=y
-CONFIG_X86_THERMAL_VECTOR=y
-CONFIG_X86_TSC=y
-CONFIG_X86_UMIP=y
-CONFIG_X86_VERBOSE_BOOTUP=y
-CONFIG_X86_VMX_FEATURE_NAMES=y
-CONFIG_X86_VSYSCALL_EMULATION=y
-CONFIG_X86_X2APIC=y
-CONFIG_X86=y
-CONFIG_XDP_SOCKETS=y
-CONFIG_XFRM_AH=y
-CONFIG_XFRM_ALGO=y
-CONFIG_XFRM_ESP=y
-CONFIG_XFRM_IPCOMP=y
-CONFIG_XFRM_OFFLOAD=y
-CONFIG_XFRM_USER=y
-CONFIG_XFRM=y
-CONFIG_XFS_DRAIN_INTENTS=y
-CONFIG_XFS_FS=m
-CONFIG_XFS_LIVE_HOOKS=y
-CONFIG_XFS_MEMORY_BUFS=y
-CONFIG_XFS_ONLINE_SCRUB_STATS=y
-CONFIG_XFS_ONLINE_SCRUB=y
-CONFIG_XFS_POSIX_ACL=y
-CONFIG_XFS_QUOTA=y
-CONFIG_XFS_RT=y
-CONFIG_XFS_SUPPORT_ASCII_CI=y
-CONFIG_XFS_SUPPORT_V4=y
-CONFIG_XOR_BLOCKS=y
-CONFIG_XPS=y
-CONFIG_XXHASH=y
-CONFIG_XZ_DEC_ARMTHUMB=y
-CONFIG_XZ_DEC_ARM=y
-CONFIG_XZ_DEC_BCJ=y
-CONFIG_XZ_DEC_IA64=y
-CONFIG_XZ_DEC_POWERPC=y
-CONFIG_XZ_DEC_X86=y
-CONFIG_XZ_DEC=y
-CONFIG_ZISOFS=y
-CONFIG_ZLIB_DEFLATE=y
-CONFIG_ZLIB_INFLATE=y
-CONFIG_ZONE_DEVICE=y
-CONFIG_ZONE_DMA32=y
-CONFIG_ZONE_DMA=y
-CONFIG_ZONEFS_FS=m
-CONFIG_ZRAM_DEF_COMP="zstd"
-CONFIG_ZRAM_DEF_COMP_ZSTD=y
-CONFIG_ZRAM=m
-CONFIG_ZRAM_MULTI_COMP=y
-CONFIG_ZRAM_WRITEBACK=y
-CONFIG_ZSTD_COMMON=y
-CONFIG_ZSTD_COMPRESS=y
-CONFIG_ZSTD_DECOMPRESS=y
diff --git a/pkgs/kernel/manual-config.nix b/pkgs/kernel/manual-config.nix
deleted file mode 100644
index 98b09f8..0000000
--- a/pkgs/kernel/manual-config.nix
+++ /dev/null
@@ -1,594 +0,0 @@ -{ - lib, - stdenv, - buildPackages, - runCommand, - nettools, - bc, - bison, - flex, - perl, - rsync, - gmp, - libmpc, - mpfr, - openssl, - cpio, - elfutils, - hexdump, - zstd, - python3Minimal, - zlib, - pahole, - kmod, - ubootTools, - erofs-utils, - cryptsetup, - fetchpatch, - rustc, - rust-bindgen, - rustPlatform, -}: - -let - lib_ = lib; - stdenv_ = stdenv; - - readConfig = - configfile: - import - (runCommand "config.nix" { } '' - echo "{" > "$out" - while IFS='=' read key val; do - [ "x''${key#CONFIG_}" != "x$key" ] || continue - no_firstquote="''${val#\"}"; - echo ' "'"$key"'" = "'"''${no_firstquote%\"}"'";' >> "$out" - done < "${configfile}" - echo "}" >> $out - '').outPath; -in -lib.makeOverridable ( - { - # The kernel version - version, - # The kernel pname (should be set for variants) - pname ? "linux", - # Position of the Linux build expression - pos ? null, - # Additional kernel make flags - extraMakeFlags ? [ ], - # The name of the kernel module directory - # Needs to be X.Y.Z[-extra], so pad with zeros if needed. - modDirVersion ? null, # derive from version - # The kernel source (tarball, git checkout, etc.) - src, - # a list of { name=..., patch=..., extraConfig=...} patches - kernelPatches ? [ ], - # The kernel .config file - configfile, - # Manually specified nixexpr representing the config - # If unspecified, this will be autodetected from the .config - config ? lib.optionalAttrs allowImportFromDerivation (readConfig configfile), - # Custom seed used for CONFIG_GCC_PLUGIN_RANDSTRUCT if enabled. This is - # automatically extended with extra per-version and per-config values. - randstructSeed ? "", - # Extra meta attributes - extraMeta ? { }, - - # for module compatibility - isZen ? false, - isLibre ? false, - isHardened ? false, - - # Whether to utilize the controversial import-from-derivation feature to parse the config - allowImportFromDerivation ? false, - # ignored - features ? null, - lib ? lib_, - stdenv ? 
stdenv_, - }: - - let - # Provide defaults. Note that we support `null` so that callers don't need to use optionalAttrs, - # which can lead to unnecessary strictness and infinite recursions. - modDirVersion_ = if modDirVersion == null then lib.versions.pad 3 version else modDirVersion; - in - let - # Shadow the un-defaulted parameter; don't want null. - modDirVersion = modDirVersion_; - inherit (lib) - hasAttr - getAttr - optional - optionals - optionalString - optionalAttrs - maintainers - platforms - ; - - drvAttrs = - config_: kernelConf: kernelPatches: configfile: - let - # Folding in `ubootTools` in the default nativeBuildInputs is problematic, as - # it makes updating U-Boot cumbersome, since it will go above the current - # threshold of rebuilds - # - # To prevent these needless rounds of staging for U-Boot builds, we can - # limit the inclusion of ubootTools to target platforms where uImage *may* - # be produced. - # - # This command lists those (kernel-named) platforms: - # .../linux $ grep -l uImage ./arch/*/Makefile | cut -d'/' -f3 | sort - # - # This is still a guesstimation, but since none of our cached platforms - # coincide in that list, this gives us "perfect" decoupling here. 
- linuxPlatformsUsingUImage = [ - "arc" - "arm" - "csky" - "mips" - "powerpc" - "sh" - "sparc" - "xtensa" - ]; - needsUbootTools = lib.elem stdenv.hostPlatform.linuxArch linuxPlatformsUsingUImage; - - config = - let - attrName = attr: "CONFIG_" + attr; - in - { - isSet = attr: hasAttr (attrName attr) config; - - getValue = attr: if config.isSet attr then getAttr (attrName attr) config else null; - - isYes = attr: (config.getValue attr) == "y"; - - isNo = attr: (config.getValue attr) == "n"; - - isModule = attr: (config.getValue attr) == "m"; - - isEnabled = attr: (config.isModule attr) || (config.isYes attr); - - isDisabled = attr: (!(config.isSet attr)) || (config.isNo attr); - } - // config_; - - isModular = config.isYes "MODULES"; - withRust = config.isYes "RUST"; - - buildDTBs = kernelConf.DTB or false; - - # Dependencies that are required to build kernel modules - moduleBuildDependencies = - [ - pahole - perl - elfutils - # module makefiles often run uname commands to find out the kernel version - (buildPackages.deterministic-uname.override { inherit modDirVersion; }) - ] - ++ optional (lib.versionAtLeast version "5.13") zstd - ++ optionals withRust [ - rustc - rust-bindgen - ]; - - in - (optionalAttrs isModular { - outputs = [ - "out" - "dev" - ]; - }) - // { - passthru = rec { - inherit - version - modDirVersion - config - kernelPatches - configfile - moduleBuildDependencies - stdenv - ; - inherit - isZen - isHardened - isLibre - withRust - ; - isXen = lib.warn "The isXen attribute is deprecated. All Nixpkgs kernels that support it now have Xen enabled." 
true; - baseVersion = lib.head (lib.splitString "-rc" version); - kernelOlder = lib.versionOlder baseVersion; - kernelAtLeast = lib.versionAtLeast baseVersion; - }; - - inherit src; - - depsBuildBuild = [ buildPackages.stdenv.cc ]; - nativeBuildInputs = - [ - bison - flex - perl - bc - nettools - openssl - rsync - gmp - libmpc - mpfr - elfutils - zstd - python3Minimal - kmod - hexdump - erofs-utils - cryptsetup - ] - ++ optional needsUbootTools ubootTools - ++ optionals (lib.versionAtLeast version "5.2") [ - cpio - pahole - zlib - ] - ++ optionals withRust [ - rustc - rust-bindgen - ]; - - RUST_LIB_SRC = lib.optionalString withRust rustPlatform.rustLibSrc; - - # avoid leaking Rust source file names into the final binary, which adds - # a false dependency on rust-lib-src on targets with uncompressed kernels - KRUSTFLAGS = lib.optionalString withRust "--remap-path-prefix ${rustPlatform.rustLibSrc}=/"; - - # patches = - # map (p: p.patch) kernelPatches - # # Required for deterministic builds along with some postPatch magic. - # ++ optional (lib.versionOlder version "5.19") ./randstruct-provide-seed.patch - # ++ optional (lib.versionAtLeast version "5.19") ./randstruct-provide-seed-5.19.patch - # # Linux 5.12 marked certain PowerPC-only symbols as GPL, which breaks - # # OpenZFS; this was fixed in Linux 5.19 so we backport the fix - # # https://github.com/openzfs/zfs/pull/13367 - # ++ optional (lib.versionAtLeast version "5.12" && - # lib.versionOlder version "5.19" && - # stdenv.hostPlatform.isPower) - # (fetchpatch { - # url = "https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/patch/?id=d9e5c3e9e75162f845880535957b7fd0b4637d23"; - # hash = "sha256-bBOyJcP6jUvozFJU0SPTOf3cmnTQ6ZZ4PlHjiniHXLU="; - # }); - - postPatch = '' - # Ensure that depmod gets resolved through PATH - sed -i Makefile -e 's|= /sbin/depmod|= depmod|' - - # Some linux-hardened patches now remove certain files in the scripts directory, so the file may not exist. 
- [[ -f scripts/ld-version.sh ]] && patchShebangs scripts/ld-version.sh - - # Set randstruct seed to a deterministic but diversified value. Note: - # we could have instead patched gen-random-seed.sh to take input from - # the buildFlags, but that would require also patching the kernel's - # toplevel Makefile to add a variable export. This would be likely to - # cause future patch conflicts. - # for file in scripts/gen-randstruct-seed.sh scripts/gcc-plugins/gen-random-seed.sh; do - # if [ -f "$file" ]; then - # substituteInPlace "$file" \ - # --replace NIXOS_RANDSTRUCT_SEED \ - # $(echo ${randstructSeed}${src} ${placeholder "configfile"} | sha256sum | cut -d ' ' -f 1 | tr -d '\n') - # break - # fi - # done - - patchShebangs scripts - - # also patch arch-specific install scripts - for i in $(find arch -name install.sh); do - patchShebangs "$i" - done - - # unset $src because the build system tries to use it and spams a bunch of warnings - # see: https://github.com/torvalds/linux/commit/b1992c3772e69a6fd0e3fc81cd4d2820c8b6eca0 - unset src - ''; - - configurePhase = '' - runHook preConfigure - - mkdir build - export buildRoot="$(pwd)/build" - - echo "manual-config configurePhase buildRoot=$buildRoot pwd=$PWD" - - if [ -f "$buildRoot/.config" ]; then - echo "Could not link $buildRoot/.config : file exists" - exit 1 - fi - ln -sv ${configfile} $buildRoot/.config - - # reads the existing .config file and prompts the user for options in - # the current kernel source that are not found in the file. 
- make $makeFlags "''${makeFlagsArray[@]}" oldconfig - runHook postConfigure - - make $makeFlags "''${makeFlagsArray[@]}" prepare - actualModDirVersion="$(cat $buildRoot/include/config/kernel.release)" - if [ "$actualModDirVersion" != "${modDirVersion}" ]; then - echo "Error: modDirVersion ${modDirVersion} specified in the Nix expression is wrong, it should be: $actualModDirVersion" - exit 1 - fi - - buildFlagsArray+=("KBUILD_BUILD_TIMESTAMP=$(date -u -d @$SOURCE_DATE_EPOCH)") - - cd $buildRoot - ''; - - buildFlags = - [ - "KBUILD_BUILD_VERSION=1-PatOS" - kernelConf.target - "vmlinux" # for "perf" and things like that - ] - ++ optional isModular "modules" - ++ optionals buildDTBs [ - "dtbs" - "DTC_FLAGS=-@" - ] - ++ extraMakeFlags; - - installFlags = - [ - "INSTALL_PATH=$(out)" - ] - ++ (optional isModular "INSTALL_MOD_PATH=$(out)") - ++ optionals buildDTBs [ - "dtbs_install" - "INSTALL_DTBS_PATH=$(out)/dtbs" - ]; - - dontStrip = true; - - preInstall = - let - # All we really need to do here is copy the final image and System.map to $out, - # and use the kernel's modules_install, firmware_install, dtbs_install, etc. targets - # for the rest. Easy, right? - # - # Unfortunately for us, the obvious way of getting the built image path, - # make -s image_name, does not work correctly, because some architectures - # (*cough* aarch64 *cough*) change KBUILD_IMAGE on the fly in their install targets, - # so we end up attempting to install the thing we didn't actually build. - # - # Thankfully, there's a way out that doesn't involve just hardcoding everything. - # - # The kernel has an install target, which runs a pretty simple shell script - # (located at scripts/install.sh or arch/$arch/boot/install.sh, depending on - # which kernel version you're looking at) that tries to do something sensible. 
- # - # (it would be great to hijack this script immediately, as it has all the - # information we need passed to it and we don't need it to try and be smart, - # but unfortunately, the exact location of the scripts differs between kernel - # versions, and they're seemingly not considered to be public API at all) - # - # One of the ways it tries to discover what "something sensible" actually is - # is by delegating to what's supposed to be a user-provided install script - # located at ~/bin/installkernel. - # - # (the other options are: - # - a distribution-specific script at /sbin/installkernel, - # which we can't really create in the sandbox easily - # - an architecture-specific script at arch/$arch/boot/install.sh, - # which attempts to guess _something_ and usually guesses very wrong) - # - # More specifically, the install script exec's into ~/bin/installkernel, if one - # exists, with the following arguments: - # - # $1: $KERNELRELEASE - full kernel version string - # $2: $KBUILD_IMAGE - the final image path - # $3: System.map - path to System.map file, seemingly hardcoded everywhere - # $4: $INSTALL_PATH - path to the destination directory as specified in installFlags - # - # $2 is exactly what we want, so hijack the script and use the knowledge given to it - # by the makefile overlords for our own nefarious ends. - # - # Note that the makefiles specifically look in ~/bin/installkernel, and - # writeShellScriptBin writes the script to <store path>/bin/installkernel, - # so HOME needs to be set to just the store path. - # - # FIXME: figure out a less roundabout way of doing this. - installkernel = buildPackages.writeShellScriptBin "installkernel" '' - cp -av $2 $4 - cp -av $3 $4 - ''; - in - '' - installFlagsArray+=("-j$NIX_BUILD_CORES") - export HOME=${installkernel} - ''; - - # Some image types need special install targets (e.g. 
uImage is installed with make uinstall on arm) - installTargets = [ - (kernelConf.installTarget or ( - if kernelConf.target == "uImage" && stdenv.hostPlatform.linuxArch == "arm" then - "uinstall" - else if - kernelConf.target == "zImage" - || kernelConf.target == "Image.gz" - || kernelConf.target == "vmlinuz.efi" - then - "zinstall" - else - "install" - ) - ) - ]; - - # We remove a bunch of stuff that is symlinked from other places to save space, - # which trips the broken symlink check. So, just skip it. We'll know if it explodes. - dontCheckForBrokenSymlinks = true; - - postInstall = optionalString isModular '' - mkdir -p $dev - cp vmlinux $dev/ - # if [ -z "''${dontStrip-}" ]; then - # installFlagsArray+=("INSTALL_MOD_STRIP=1") - # fi - make modules_install $makeFlags "''${makeFlagsArray[@]}" \ - $installFlags "''${installFlagsArray[@]}" - unlink $out/lib/modules/${modDirVersion}/build - rm -f $out/lib/modules/${modDirVersion}/source - - mkdir -p $dev/lib/modules/${modDirVersion}/{build,source} - - # To save space, exclude a bunch of unneeded stuff when copying. - (cd .. && rsync --archive --prune-empty-dirs \ - --exclude='/build/' \ - * $dev/lib/modules/${modDirVersion}/source/) - - cd $dev/lib/modules/${modDirVersion}/source - - cp $buildRoot/{.config,Module.symvers} $dev/lib/modules/${modDirVersion}/build - make modules_prepare $makeFlags "''${makeFlagsArray[@]}" O=$dev/lib/modules/${modDirVersion}/build - - # For reproducibility, removes accidental leftovers from a `cc1` call - # from a `try-run` call from the Makefile - rm -f $dev/lib/modules/${modDirVersion}/build/.[0-9]*.d - - # Keep some extra files on some arches (powerpc, aarch64) - for f in arch/powerpc/lib/crtsavres.o arch/arm64/kernel/ftrace-mod.o; do - if [ -f "$buildRoot/$f" ]; then - cp $buildRoot/$f $dev/lib/modules/${modDirVersion}/build/$f - fi - done - - # !!! 
No documentation on how much of the source tree must be kept - # If/when kernel builds fail due to missing files, you can add - # them here. Note that we may see packages requiring headers - # from drivers/ in the future; it adds 50M to keep all of its - # headers on 3.10 though. - - chmod u+w -R .. - arch=$(cd $dev/lib/modules/${modDirVersion}/build/arch; ls) - - # Remove unused arches - for d in $(cd arch/; ls); do - if [ "$d" = "$arch" ]; then continue; fi - if [ "$arch" = arm64 ] && [ "$d" = arm ]; then continue; fi - rm -rf arch/$d - done - - # Remove all driver-specific code (50M of which is headers) - rm -fR drivers - - # Keep all headers - find . -type f -name '*.h' -print0 | xargs -0 -r chmod u-w - - # Keep linker scripts (they are required for out-of-tree modules on aarch64) - find . -type f -name '*.lds' -print0 | xargs -0 -r chmod u-w - - # Keep root and arch-specific Makefiles - chmod u-w Makefile arch/"$arch"/Makefile* - - # Keep whole scripts dir - chmod u-w -R scripts - - # Delete everything not kept - find . 
-type f -perm -u=w -print0 | xargs -0 -r rm - - # Delete empty directories - find -empty -type d -delete - - pkgName="patos-kernel-modules" - mkdir -p $out/tree/usr/lib/extension-release.d - cat << EOF > $out/tree/usr/lib/extension-release.d/extension-release.$pkgName - ID=patos - IMAGE_ID=$pkgName - IMAGE_VERSION=${version} - VERSION_ID=patos - EOF - cp -Prp $out/lib/modules $out/tree/usr/lib/modules - find $out/tree -type d -exec chmod 0755 {} \; - mkfs.erofs --all-root -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking $out/$pkgName.raw $out/tree/ - veritysetup format --root-hash-file $out/$pkgName.roothash $out/$pkgName.raw $out/$pkgName.verity - chmod -R 755 $out/tree && rm -rf $out/tree - ''; - - requiredSystemFeatures = [ "big-parallel" ]; - - meta = { - # https://github.com/NixOS/nixpkgs/pull/345534#issuecomment-2391238381 - broken = withRust && lib.versionOlder version "6.12"; - - description = - "The Linux kernel" - + ( - if kernelPatches == [ ] then - "" - else - " (with patches: " + lib.concatStringsSep ", " (map (x: x.name) kernelPatches) + ")" - ); - license = lib.licenses.gpl2Only; - homepage = "https://www.kernel.org/"; - maintainers = lib.teams.linux-kernel.members ++ [ - maintainers.thoughtpolice - ]; - platforms = platforms.linux; - badPlatforms = - lib.optionals (lib.versionOlder version "4.15") [ - "riscv32-linux" - "riscv64-linux" - ] - ++ lib.optional (lib.versionOlder version "5.19") "loongarch64-linux"; - timeout = 14400; # 4 hours - } // extraMeta; - }; - - # Absolute paths for compilers avoid any PATH-clobbering issues. - commonMakeFlags = - [ - "ARCH=${stdenv.hostPlatform.linuxArch}" - "CROSS_COMPILE=${stdenv.cc.targetPrefix}" - ] - ++ lib.optionals (stdenv.isx86_64 && stdenv.cc.bintools.isLLVM) [ - # The wrapper for ld.lld breaks linking the kernel. We use the - # unwrapped linker as workaround. 
See:
- #
- # https://github.com/NixOS/nixpkgs/issues/321667
- "LD=${stdenv.cc.bintools.bintools}/bin/${stdenv.cc.targetPrefix}ld"
- ]
- ++ (stdenv.hostPlatform.linux-kernel.makeFlags or [ ])
- ++ extraMakeFlags;
- in
-
- stdenv.mkDerivation (
- builtins.foldl' lib.recursiveUpdate { } [
- (drvAttrs config stdenv.hostPlatform.linux-kernel kernelPatches configfile)
- {
- inherit pname version;
-
- enableParallelBuilding = true;
-
- hardeningDisable = [
- "bindnow"
- "format"
- "fortify"
- "stackprotector"
- "pic"
- "pie"
- ];
-
- makeFlags = [
- "O=$(buildRoot)"
- ] ++ commonMakeFlags;
-
- passthru = { inherit commonMakeFlags; };
-
- karch = stdenv.hostPlatform.linuxArch;
- }
- (optionalAttrs (pos != null) { inherit pos; })
- ]
- )
-)
diff --git a/pkgs/kexec-tools/default.nix b/pkgs/kexec-tools/default.nix
deleted file mode 100644
index 4ba15ba..0000000
--- a/pkgs/kexec-tools/default.nix
+++ /dev/null
@@ -1,62 +0,0 @@
-{
- lib,
- stdenv,
- buildPackages,
- fetchFromGitHub,
- autoconf,
- zlib,
-}:
-
-stdenv.mkDerivation {
- pname = "kexec-tools";
- version = "main";
-
- src = fetchFromGitHub {
- owner = "horms";
- repo = "kexec-tools";
- rev = "a7fcd424c4c80dea5a2fd5ffa274ffeb8129c790";
- hash = "sha256-QKE+KCkueA21zNunTMidP9OuZaw0IG5tFDF4UJITTTQ=";
- };
-
- dontPatchShebangs = true;
-
- hardeningDisable = [
- "format"
- "pic"
- "relro"
- "pie"
- ];
-
- buildCommand = ''
- unpackPhase
- mkdir -p $out
- cd source
- ./bootstrap
- ./configure --prefix=/
- make DESTDIR=$out install
- '';
-
- depsBuildBuild = [ buildPackages.stdenv.cc ];
-
- buildInputs = [
- zlib
- autoconf
- ];
-
- enableParallelBuilding = true;
-
- meta = with lib; {
- homepage = "http://horms.net/projects/kexec/kexec-tools";
- description = "Tools related to the kexec Linux feature";
- platforms = platforms.linux;
- badPlatforms = [
- "microblaze-linux"
- "microblazeel-linux"
- "riscv64-linux"
- "riscv32-linux"
- "sparc-linux"
- "sparc64-linux"
- ];
- license = licenses.gpl2Only;
- };
-}
diff --git a/pkgs/linux-firmware.nix b/pkgs/linux-firmware.nix
new file mode 100644
index 0000000..8f03d8c
--- /dev/null
+++ b/pkgs/linux-firmware.nix
@@ -0,0 +1,12 @@
+{ stdenv, lib
+, linux-firmware
+, fwDirs
+}: stdenv.mkDerivation {
+ pname = "linux-firmware-minimal";
+ version = linux-firmware.version;
+ buildCommand = lib.concatStringsSep "\n" (
+ [''mkdir -p "$out/lib/firmware"'']
+ ++ (map (name: ''
+ cp -r "${linux-firmware}/lib/firmware/${name}" "$out/lib/firmware/${name}"
+ '') fwDirs));
+}
diff --git a/pkgs/lvm2/default.nix b/pkgs/lvm2/default.nix
deleted file mode 100644
index 8d18663..0000000
--- a/pkgs/lvm2/default.nix
+++ /dev/null
@@ -1,61 +0,0 @@
-{
- stdenv,
- pkgs,
- fetchurl,
- lib,
- pkg-config,
- libaio,
- udev,
-}:
-
-stdenv.mkDerivation {
- pname = "lvm2";
- version = pkgs.lvm2.version;
-
- src = pkgs.lvm2.src;
-
- nativeBuildInputs = [
- pkg-config
- ];
- buildInputs = [
- libaio
- udev
- ];
-
- configureFlags = [
- "--prefix=/"
- "--sbindir=/usr/bin"
- "--sysconfdir=/etc"
- "--localstatedir=/var"
- "--enable-cmdlib"
- "--enable-dmeventd"
- "--enable-lvmpolld"
- "--enable-pkgconfig"
- "--enable-udev_rules"
- "--enable-udev_sync"
- "--enable-write_install"
- "--with-cache=internal"
- "--with-thin=internal"
- ];
-
- preInstall = ''
- mkdir -p $out
- export DESTDIR=$out
- '';
- doCheck = false;
-
- meta = with lib; {
- homepage = "http://sourceware.org/lvm2/";
- description = "Tools to support Logical Volume Management (LVM) on Linux";
- platforms = platforms.linux;
- license = with licenses; [
- gpl2Only
- bsd2
- lgpl21
- ];
- maintainers = with maintainers; [
- raskin
- ajs124
- ];
- };
-}
diff --git a/pkgs/openssl/default.nix b/pkgs/openssl/default.nix
deleted file mode 100644
index 08c1309..0000000
--- a/pkgs/openssl/default.nix
+++ /dev/null
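Review bot: Nothing after the `cp -r` loop in the new `buildCommand` checks that the selected directories are self-contained, so a symlink inside one of them whose target lives in a directory not listed in `fwDirs` is copied as a dangling link under `$out/lib/firmware`, and the kernel's firmware loader will then fail for that device at runtime rather than at build time; linux-firmware's tree appears to contain such cross-directory links, so this is worth guarding. Appending one more element to the generated command list, `find "$out/lib/firmware" -xtype l -print -exec false {} +`, makes the derivation fail and name the offending links. The `fwDirs` parameter would also benefit from a one-line comment such as `# directory names relative to lib/firmware to keep` since nothing else documents its shape.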
@@ -1,164 +0,0 @@ -{ - lib, - pkgs, - stdenv, - fetchurl, - perl, - makeBinaryWrapper, - withCryptodev ? false, - cryptodev, - withZlib ? false, - zlib, - enableSSL2 ? false, - enableSSL3 ? false, - enableMD2 ? false, - enableKTLS ? stdenv.hostPlatform.isLinux, - static ? stdenv.hostPlatform.isStatic, - removeReferencesTo, -}: - -stdenv.mkDerivation rec { - pname = "openssl"; - version = pkgs.openssl.version; - - src = pkgs.openssl.src; - - outputs = [ "out" ]; - - nativeBuildInputs = - lib.optional (!stdenv.hostPlatform.isWindows) makeBinaryWrapper - ++ [ perl ] - ++ lib.optionals static [ removeReferencesTo ]; - buildInputs = lib.optional withCryptodev cryptodev ++ lib.optional withZlib zlib; - - # TODO(@Ericson2314): Improve with mass rebuild - configurePlatforms = [ ]; - configureScript = - { - armv5tel-linux = "./Configure linux-armv4 -march=armv5te"; - armv6l-linux = "./Configure linux-armv4 -march=armv6"; - armv7l-linux = "./Configure linux-armv4 -march=armv7-a"; - x86_64-darwin = "./Configure darwin64-x86_64-cc"; - aarch64-darwin = "./Configure darwin64-arm64-cc"; - x86_64-linux = "./Configure linux-x86_64"; - x86_64-solaris = "./Configure solaris64-x86_64-gcc"; - powerpc64-linux = "./Configure linux-ppc64"; - riscv32-linux = "./Configure ${ - if lib.versionAtLeast version "3.2" then "linux32-riscv32" else "linux-latomic" - }"; - riscv64-linux = "./Configure linux64-riscv64"; - } - .${stdenv.hostPlatform.system} or ( - if stdenv.hostPlatform == stdenv.buildPlatform then - "./config" - else if stdenv.hostPlatform.isBSD then - if stdenv.hostPlatform.isx86_64 then - "./Configure BSD-x86_64" - else if stdenv.hostPlatform.isx86_32 then - "./Configure BSD-x86" + lib.optionalString stdenv.hostPlatform.isElf "-elf" - else - "./Configure BSD-generic${toString stdenv.hostPlatform.parsed.cpu.bits}" - else if stdenv.hostPlatform.isMinGW then - "./Configure mingw${ - lib.optionalString (stdenv.hostPlatform.parsed.cpu.bits != 32) ( - toString 
stdenv.hostPlatform.parsed.cpu.bits - ) - }" - else if stdenv.hostPlatform.isLinux then - if stdenv.hostPlatform.isx86_64 then - "./Configure linux-x86_64" - else if stdenv.hostPlatform.isMicroBlaze then - "./Configure linux-latomic" - else if stdenv.hostPlatform.isMips32 then - "./Configure linux-mips32" - else if stdenv.hostPlatform.isMips64n32 then - "./Configure linux-mips64" - else if stdenv.hostPlatform.isMips64n64 then - "./Configure linux64-mips64" - else - "./Configure linux-generic${toString stdenv.hostPlatform.parsed.cpu.bits}" - else if stdenv.hostPlatform.isiOS then - "./Configure ios${toString stdenv.hostPlatform.parsed.cpu.bits}-cross" - else - throw "Not sure what configuration to use for ${stdenv.hostPlatform.config}" - ); - - # OpenSSL doesn't like the `--enable-static` / `--disable-shared` flags. - dontAddStaticConfigureFlags = true; - - configureFlags = - [ - "shared" # "shared" builds both shared and static libraries - "--prefix=/" - "--libdir=lib" - "--openssldir=/etc/ssl" - ] - ++ lib.optionals withCryptodev [ - "-DHAVE_CRYPTODEV" - "-DUSE_CRYPTODEV_DIGESTS" - ] - ++ lib.optional enableMD2 "enable-md2" - ++ lib.optional enableSSL2 "enable-ssl2" - ++ lib.optional enableSSL3 "enable-ssl3" - # We select KTLS here instead of the configure-time detection (which we patch out). - # KTLS should work on FreeBSD 13+ as well, so we could enable it if someone tests it. - ++ lib.optional (lib.versionAtLeast version "3.0.0" && enableKTLS) "enable-ktls" - ++ lib.optional (lib.versionAtLeast version "1.1.1" && stdenv.hostPlatform.isAarch64) "no-afalgeng" - # OpenSSL needs a specific `no-shared` configure flag. - # See https://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options - # for a comprehensive list of configuration options. 
- ++ lib.optional (lib.versionAtLeast version "1.1.1" && static) "no-shared" - ++ lib.optional (lib.versionAtLeast version "3.0.0" && static) "no-module" - # This introduces a reference to the CTLOG_FILE which is undesired when - # trying to build binaries statically. - ++ lib.optional static "no-ct" - ++ lib.optional withZlib "zlib" - # /dev/crypto support has been dropped in OpenBSD 5.7. - # - # OpenBSD's ports does this too, - # https://github.com/openbsd/ports/blob/a1147500c76970fea22947648fb92a093a529d7c/security/openssl/3.3/Makefile#L25. - # - # https://github.com/openssl/openssl/pull/10565 indicated the - # intent was that this would be configured properly automatically, - # but that doesn't appear to be the case. - ++ lib.optional stdenv.hostPlatform.isOpenBSD "no-devcryptoeng" - ++ lib.optionals (stdenv.hostPlatform.isMips && stdenv.hostPlatform ? gcc.arch) [ - # This is necessary in order to avoid openssl adding -march - # flags which ultimately conflict with those added by - # cc-wrapper. Openssl assumes that it can scan CFLAGS to - # detect any -march flags, using this perl code: - # - # && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}}) - # - # The following bogus CFLAGS environment variable triggers the - # the code above, inhibiting `./Configure` from adding the - # conflicting flags. 
- "CFLAGS=-march=${stdenv.hostPlatform.gcc.arch}"
- ];
-
- postPatch = ''
- patchShebangs Configure
- '';
-
- installPhase = ''
- make DESTDIR=$out install
- rm -rf $out/etc/ssl/*.dist $out/etc/ssl/misc
- '';
-
- enableParallelBuilding = true;
-
- meta = {
- homepage = "https://www.openssl.org/";
- changelog = "https://github.com/openssl/openssl/blob/openssl-${version}/CHANGES.md";
- description = "Cryptographic library that implements the SSL and TLS protocols";
- license = lib.licenses.openssl;
- mainProgram = "openssl";
- maintainers = with lib.maintainers; [ thillux ] ++ lib.teams.stridtech.members;
- pkgConfigModules = [
- "libcrypto"
- "libssl"
- "openssl"
- ];
- platforms = lib.platforms.all;
- };
-}
diff --git a/pkgs/qemu.nix b/pkgs/qemu.nix
new file mode 100644
index 0000000..93e67dd
--- /dev/null
+++ b/pkgs/qemu.nix
@@ -0,0 +1,30 @@
+{ prev, pkgs, ... }:
+
+(prev.qemu_test.override {
+ enableDocs = false;
+ capstoneSupport = false;
+ guestAgentSupport = false;
+ tpmSupport = false;
+ libiscsiSupport = false;
+ usbredirSupport = false;
+ canokeySupport = false;
+ hostCpuTargets = [ "x86_64-softmmu" ];
+}).overrideDerivation (old: {
+ postFixup = ''
+ rm -r "$out/share/icons"
+ cp "${pkgs.OVMF.fd + "/FV/OVMF.fd"}" "$out/share/qemu/"
+ '';
+ configureFlags = old.configureFlags ++ [
+ "--disable-tcg"
+ "--disable-tcg-interpreter"
+ "--disable-docs"
+ "--disable-install-blobs"
+ "--disable-slirp"
+ "--disable-virtfs"
+ "--disable-virtfs-proxy-helper"
+ "--disable-vhost-user-blk-server"
+ "--without-default-features"
+ "--enable-kvm"
+ "--disable-tools"
+ ];
+})
diff --git a/pkgs/rootfs/mkinitrd.nix b/pkgs/rootfs/mkinitrd.nix
deleted file mode 100644
index c46ed9d..0000000
--- a/pkgs/rootfs/mkinitrd.nix
+++ /dev/null
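Review bot: The `postFixup` assigned inside the `overrideDerivation` body replaces the base derivation's postFixup outright instead of extending it, so whatever fixup `qemu_test` does in its own hook is silently dropped; unless that is intended, `postFixup = (old.postFixup or "") + ''…'';` keeps it. `overrideDerivation` is also the legacy hook that rewrites the already-evaluated derivation arguments; `overrideAttrs` composes the same way with the preceding `.override` and is what nixpkgs recommends, and the switch is mechanical here. Since this repository is built around Secure Boot, confirm that `pkgs.OVMF.fd` is the firmware variant you want in `$out/share/qemu/`: in nixpkgs the default OVMF is built without Secure Boot support unless overridden, so VMs booted with it would not exercise signature enforcement. Finally, `rm -r "$out/share/icons"` aborts the build if the trimmed configuration stops installing icons; `rm -rf` keeps the intent without that dependency.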
@@ -1,93 +0,0 @@ -{ - pkgs, - patosPkgs, - runCommand, - ... -}: -let - secureBootEnroll = ./secure-boot-enroll.sh; -in -runCommand "patos-initrd" { - inherit secureBootEnroll; - - buildInputs = with pkgs; [ - cpio - xz - ]; -} -'' -echo "Building initram disk" -mkdir -p $out/root -pushd $out/root - -### copy rootfs -cp -prP ${patosPkgs.rootfs}/* . -find . -type d -exec chmod 755 {} \; -mkdir sysroot - -### create directories -ln -sf ../usr/lib/systemd/systemd init - -### Create needed files -echo patos > ./etc/hostname - -ln -sf /etc/os-release ./etc/initrd-release - -# set default target to initrd inside initrd -ln -sf initrd.target ./usr/lib/systemd/system/default.target - -# setup secure boot -cat $secureBootEnroll > ./usr/bin/secure-boot-enroll -chmod +x ./usr/bin/secure-boot-enroll - -cat <<EOF > ./usr/lib/systemd/system/secure-boot-enroll.service -[Unit] -Description=Enroll Secure Boot -DefaultDependencies=false -After=sysroot-run.mount -Requires=sysroot-run.mount -Before=systemd-repart.service initrd.target shutdown.target sysinit.target -ConditionKernelCommandLine=patos.secureboot=true -ConditionPathExists=|!/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c - -[Service] -Type=oneshot -ExecStart=/usr/bin/secure-boot-enroll -RemainAfterExit=yes -EOF -ln -sf ../secure-boot-enroll.service ./usr/lib/systemd/system/initrd-root-fs.target.wants/secure-boot-enroll.service - -# bind mount /run to /sysroot/run -cat <<EOF > ./usr/lib/systemd/system/sysroot-run.mount -[Unit] -Before=initrd-fs.target -DefaultDependencies=false - -[Mount] -Options=bind -What=/run -Where=/sysroot/run -EOF -mkdir ./usr/lib/systemd/system/initrd-fs.target.requires/ -ln -sf ../sysroot-run.mount ./usr/lib/systemd/system/initrd-fs.target.requires/sysroot-run.mount - -# repart: generate crypttab and fstab under /run -mkdir ./usr/lib/systemd/system/systemd-repart.service.d -cat <<EOF > ./usr/lib/systemd/system/systemd-repart.service.d/override.conf -[Unit] 
-After=sysroot-run.mount -Requires=sysroot-run.mount - -[Service] -Environment=SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard -ExecStart= -ExecStart=systemd-repart --dry-run=no --generate-crypttab=/run/crypttab --generate-fstab=/run/fstab -EOF -ln -sf ../systemd-repart.service ./usr/lib/systemd/system/initrd-root-fs.target.wants/systemd-repart.service - -# gen initrd -find . -print0 | cpio --null --owner=root:root -o --format=newc | xz -9 --check=crc32 > ../initrd.xz - -popd -rm -rf $out/root -'' diff --git a/pkgs/rootfs/mkrootfs.nix b/pkgs/rootfs/mkrootfs.nix deleted file mode 100644 index bda4c7d..0000000 --- a/pkgs/rootfs/mkrootfs.nix +++ /dev/null 
@@ -1,230 +0,0 @@ -{ - pkgs, - patosPkgs, - version, - runCommand, -}: -let - defaultPassword = "patos"; -in - -runCommand "patos-rootfs" -{ - inherit version; - - buildInputs = with pkgs;[ - glibc - binutils - ]; - -} -'' -### create directory structure -mkdir -p $out/etc/repart.d $out/dev $out/proc $out/sys \ - $out/tmp $out/root $out/run $out/boot $out/mnt $out/home $out/srv $out/var -ln -sf /usr/bin $out/bin -ln -sf /usr/bin $out/sbin -ln -sf /usr/lib $out/lib -ln -sf /usr/lib $out/lib64 -ln -sf /tmp $out/var/tmp -ln -sf ../proc/self/mounts $out/etc/mtab - -### install systemd -cp -Pr ${patosPkgs.systemd}/* $out/ -find $out -type d -exec chmod 755 {} \; -rm -rf $out/usr/include -rm -rf $out/usr/sbin -ln -sf /usr/bin $out/usr/sbin -rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service -# enable in ramdisk instead -rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-repart.service -rm -f $out/usr/lib/systemd/system/initrd-root-fs.target.wants/systemd-repart.service - -rm -f $out/usr/lib/systemd/ukify -rm -f $out/usr/bin/ukify -rm -f $out/usr/lib/udev/rules.d/90-vconsole.rules -ln -s /run/systemd/resolve/stub-resolv.conf $out/etc/resolv.conf - -cat <<EOF > $out/etc/os-release -NAME=PatOS -PRETTY_NAME=PatOS v${version} (Pre-Alpha) -IMAGE_ID=patos -ID=patos -IMAGE_VERSION=${version} -VERSION=${version} -VERSION_ID=patos -BUILD_ID=somehash -EOF - -cat <<EOF > $out/etc/issue -<<< Welcome to PatOS v${version} (Pre-Alpha) (\m) - \l >>> - -EOF - -# replace agetty with busybox getty (optionally autologin) -mkdir $out/usr/lib/systemd/system/serial-getty@.service.d -cat <<EOF > $out/usr/lib/systemd/system/serial-getty@.service.d/override.conf -[Service] -ExecStart= -ExecStart=-/bin/login -f root -EOF -# ExecStart=-/sbin/getty -L %I 115200 vt100 - -# Configure systemd-repart -cat <<EOF > $out/etc/repart.d/10-esp.conf -[Partition] -Type=esp -Format=vfat -SizeMaxBytes=128M -SizeMinBytes=128M -EOF - -cat <<EOF > 
$out/etc/repart.d/20-root-a.conf -[Partition] -Type=root -SizeMaxBytes=64M -SizeMinBytes=64M -EOF - -cat <<EOF > $out/etc/repart.d/22-root-verify-a.conf -[Partition] -Type=root-verity -EOF - -cat <<EOF > $out/etc/repart.d/30-root-b.conf -[Partition] -Type=root -Label=_empty -SizeMaxBytes=64M -SizeMinBytes=64M -ReadOnly=1 -EOF - -cat <<EOF > $out/etc/repart.d/32-root-verity-b.conf -[Partition] -Type=root-verity -Label=_empty -ReadOnly=1 -EOF - -cat <<EOF > $out/etc/repart.d/40-var.conf -[Partition] -Type=var -Format=btrfs -MakeDirectories=/var/lib/confexts /var/lib/extensions /var/lib/portables /var/.snapshots -MountPoint=/var -Label=patos-state -Encrypt=tpm2 -EncryptedVolume=patos-state:none:tpm2-device=auto,luks,discard -Subvolumes=/var/lib/confexts /var/lib/extensions /var/lib/portables /var/.snapshots -MountPoint=/var/lib/confexts:subvol=/var/lib/confexts -MountPoint=/var/lib/extensions:subvol=/var/lib/extensions -MountPoint=/var/lib/portables:subvol=/var/lib/portables -MountPoint=/var/.snapshots:subvol=/var/.snapshots -SizeMinBytes=1G -Minimize=off -FactoryReset=yes -EOF - -# as rootfs is read-only we need to configure the fstab and cryptsetup generators to look -# for config under /run (which are generated by systemd-repart in initrd) -rm -f $out/etc/systemd/system.conf -cat <<EOF > $out/etc/systemd/system.conf -[Manager] -DefaultEnvironment=PATH=/bin:/sbin:/usr/bin -ManagerEnvironment=PATH=/bin:/sbin:/usr/bin SYSTEMD_CRYPTTAB=/run/crypttab SYSTEMD_SYSROOT_FSTAB=/run/fstab SYSTEMD_FSTAB=/run/fstab -EOF - -### install PatOS glibc -cp -P ${patosPkgs.glibc}/lib/*.so* $out/usr/lib/ - -### install openssl -cp -P ${patosPkgs.openssl}/lib/*.so* $out/usr/lib/ -cp -Pr ${patosPkgs.openssl}/etc/ssl $out/etc/ - -### install busybox -cp ${patosPkgs.busybox}/bin/busybox $out/usr/bin/ -$out/usr/bin/busybox --list | xargs -I {} ln -sf busybox $out/usr/bin/{} - -### install dbus broker -cp -r ${patosPkgs.dbus-broker}/* $out/ - -### install kexec -cp -Pr 
${patosPkgs.kexec}/sbin/kexec $out/usr/bin/ - -### install dmsetup udev rules -cp -P ${patosPkgs.lvm2}/usr/bin/dmsetup $out/usr/bin/ -cp -P ${patosPkgs.lvm2}/lib/libdevmapper.so* $out/usr/lib/ -cp -P ${patosPkgs.lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/ - -### install btrfs progs -cp -Pr ${pkgs.btrfs-progs}/bin/* $out/usr/bin/ -cp -Pr ${pkgs.btrfs-progs}/lib/* $out/usr/lib/ - -### install tpm2 libs -cp -P ${patosPkgs.tpm2-tss}/lib/*.so* $out/usr/lib/ - -### install lib kmod -cp -P ${pkgs.kmod.lib}/lib/*.so* $out/usr/lib/ -cp -P ${pkgs.kmod}/bin/* $out/usr/bin - -### install libbpf -cp -P ${pkgs.libbpf}/lib/libbpf*.so* $out/usr/lib/ - -### install secure boot tools -cp -P ${pkgs.sbctl}/bin/sbctl $out/usr/bin/ -rm -f $out/usr/bin/tar -rm -f $out/usr/bin/blkid -cp -P ${pkgs.gnutar}/bin/tar $out/usr/bin/ -cp -P ${pkgs.util-linuxMinimal}/bin/blkid $out/usr/bin/ -cp -P ${pkgs.util-linuxMinimal}/bin/lsblk $out/usr/bin/ - -### install xq (jq clone) -cp -P ${pkgs.xq}/bin/xq $out/usr/bin/ -ln -sf /usr/bin/xq $out/usr/bin/jq - -### install ca cert bundle -chmod 755 $out/etc/ssl $out/etc/ssl/certs -cp -P ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/cert.pem -ln -sf ../cert.pem $out/etc/ssl/certs/ca-certificates.crt -ln -sf ../cert.pem $out/etc/ssl/certs/ca-bundle.crt - -# no need for pkgconfig, removing.. 
-rm -rf $out/usr/lib/pkgconfig - -# setup default files -${patosPkgs.systemd}/usr/bin/systemd-hwdb --root=$out --usr update -${patosPkgs.systemd}/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf --create -cp $out/usr/share/factory/etc/nsswitch.conf $out/etc/ -cp $out/usr/share/factory/etc/locale.conf $out/etc/ -cp $out/usr/share/factory/etc/vconsole.conf $out/etc/ -# install sys users -mkdir creds -echo -n ${defaultPassword} > creds/passwd.plaintext-password.root -CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' ${patosPkgs.systemd}/usr/bin/systemd-sysusers --root=$out rootfs/usr/lib/sysusers.d/*.conf -chmod 600 $out/etc/shadow -rm -rf creds - -# Ephemeral machine-id until registration -ln -sf /run/machine-id $out/etc/machine-id - -### Find and install all shared libs -find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \ - grep -vE "(systemd|glibc|openssl|tpm2|devmapper)" | \ - sort -u | xargs -I {} cp {} $out/usr/lib/ - -find $out -type f -executable -exec chmod 755 {} \; - -# patch ELFs -find $out -type f -executable -exec patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd:/usr/lib/cryptsetup {} \; -find $out -type f -executable -exec patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 {} \; -patchelf --remove-rpath $out/usr/lib/ld-linux-x86-64.so.2 - -# strip binaries -find $out -type f -executable -exec strip {} \; -find $out -type d -exec chmod 755 {} \; - -# install kernel modules -cp -r ${patosPkgs.kernel}/lib/modules $out/usr/lib/ -find $out/usr/lib/modules -type d -exec chmod 755 {} \; -'' diff --git a/pkgs/rootfs/secure-boot-enroll.sh b/pkgs/rootfs/secure-boot-enroll.sh deleted file mode 100644 index 2588baf..0000000 --- a/pkgs/rootfs/secure-boot-enroll.sh +++ /dev/null 
@@ -1,23 +0,0 @@
-#!/bin/sh
-set -ex -uo pipefail
-
-SETUP_MODE=$(sbctl status --json | jq -r '.setup_mode')
-
-[ "$SETUP_MODE" = "false" ] && exit 0
-
-cat <<EOL> /run/sbctl.yml
----
-keydir: /sysroot/boot/sbctl/keys
-guid: /sysroot/boot/sbctl/GUID
-EOL
-
-ESP=$(blkid --label ESP)
-
-mount $ESP /sysroot/boot && \
- sbctl --config /run/sbctl.yml create-keys && \
- sbctl --config /run/sbctl.yml enroll-keys --yolo && \
- # Sign EFIs
- find /sysroot/boot -type f \( -iname "*.efi" -o -iname "*.EFI" \) -print0 | xargs -I {} sbctl --config /run/sbctl.yml sign {}
-
-umount /sysroot/boot && \
- systemctl reboot -f
diff --git a/pkgs/systemd-ukify.nix b/pkgs/systemd-ukify.nix
new file mode 100644
index 0000000..b8e9d55
--- /dev/null
+++ b/pkgs/systemd-ukify.nix
@@ -0,0 +1,48 @@
+{ prev, ... }:
+
+prev.systemd.override {
+ withAcl = false;
+ withAnalyze = false;
+ withApparmor = false;
+ withAudit = false;
+ withEfi = true;
+ withCompression = false;
+ withCoredump = false;
+ withCryptsetup = false;
+ withRepart = false;
+ withDocumentation = false;
+ withFido2 = false;
+ withFirstboot = false;
+ withHomed = false;
+ withHostnamed = false;
+ withHwdb = false;
+ withImportd = false;
+ withIptables = false;
+ withKmod = false;
+ withLibBPF = false;
+ withLibidn2 = false;
+ withLocaled = false;
+ withLogind = false;
+ withMachined = false;
+ withNetworkd = false;
+ withNss = false;
+ withOomd = false;
+ withPam = false;
+ withPasswordQuality = false;
+ withPCRE2 = false;
+ withPolkit = false;
+ withPortabled = false;
+ withQrencode = false;
+ withRemote = false;
+ withResolved = false;
+ withShellCompletions = false;
+ withSysusers = false;
+ withSysupdate = false;
+ withTimedated = false;
+ withTimesyncd = false;
+ withTpm2Tss = false;
+ withUkify = true;
+ withUserDb = false;
+ withUtmp = false;
+ withVmspawn = false;
+}
diff --git a/pkgs/systemd.nix b/pkgs/systemd.nix
new file mode 100644
index 0000000..2d52e9a
--- /dev/null
+++ b/pkgs/systemd.nix
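Review bot: The new file carries no comment explaining why a second, separately trimmed systemd build exists next to `pkgs/systemd.nix`, and the two option lists will drift silently; a header such as `# Minimal systemd build whose only consumer is the ukify tool; keep in sync with pkgs/systemd.nix when options change` would tell the next reader which one to touch. Also note `withTpm2Tss = false` alongside `withUkify = true`: if any caller passes `--measure` or `--pcr-private-key` to this ukify, it shells out to systemd-measure, which I believe is only built when TPM2 support is enabled, so that combination would fail at sign time rather than at build time — worth confirming against the flags the signing script actually uses.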
@@ -0,0 +1,10 @@
+{ prev, ... }:
+
+prev.systemd.override {
+ withAcl = false;
+ withApparmor = false;
+ withDocumentation = false;
+ withRemote = false;
+ withShellCompletions = false;
+ withVmspawn = false;
+}
diff --git a/pkgs/systemd/default.nix b/pkgs/systemd/default.nix
deleted file mode 100644
index db0b64c..0000000
--- a/pkgs/systemd/default.nix
+++ /dev/null
@@ -1,323 +0,0 @@ -{ - fetchFromGitHub, - lib, - pkgs, - stdenv, - targetPackages, - ... -}: -let - version = "257.5"; - - # Use the command below to update `releaseTimestamp` on every (major) version - # change. More details in the commentary at mesonFlags. - # command: - # $ curl -s https://api.github.com/repos/systemd/systemd/releases/latest | \ - # jq '.created_at|strptime("%Y-%m-%dT%H:%M:%SZ")|mktime' - releaseTimestamp = "1734643670"; - - pname = "systemd"; -in -stdenv.mkDerivation (finalAttrs: { - inherit version; - - pname = pname; - - src = fetchFromGitHub { - owner = "systemd"; - repo = "systemd"; - rev = "v${version}"; - hash = "sha256-mn/JB/nrOz2TOobu2d+XBH2dVH3vn/HPvWN4Zz6s+SM="; - }; - - patches = [ ./skip-verify-esp.patch ]; - - dontCheckForBrokenSymlinks = true; - - nativeBuildInputs = with pkgs; [ - bash - pkg-config - makeBinaryWrapper - gperf - ninja - meson - glibcLocales - getent - m4 - autoPatchelfHook - - intltool - gettext - - libxslt - docbook_xsl - docbook_xml_dtd_42 - docbook_xml_dtd_45 - bash - (buildPackages.python3Packages.python.withPackages ( - ps: with ps; [ - lxml - jinja2 - ps.pyelftools - ] - )) - - bpftools - buildPackages.llvmPackages.clang - buildPackages.llvmPackages.libllvm - ]; - - outputs = [ - "out" - "dev" - ]; - - separateDebugInfo = true; - - autoPatchelfFlags = [ "--keep-libc" ]; - - hardeningDisable = [ - # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111523 - "trivialautovarinit" - # breaks clang -target bpf; should be fixed to filter target? 
- "zerocallusedregs" - "shadowstack" - ]; - - buildInputs = with pkgs; [ - libxcrypt - libcap - libuuid - linuxHeaders - bashInteractive # for patch shebangs - libgcrypt - libgpg-error - openssl - acl - libapparmor - audit - zlib - bzip2 - lz4 - xz - zstd - elfutils - kexec-tools - kmod - libidn2 - libseccomp - libselinux - iptables - p11-kit - libfido2 - pam - pcre2 - libbpf - tpm2-tss - qrencode - libarchive - (lib.getDev curl) - (lib.getDev cryptsetup.dev) - (python3Packages.python.withPackages (ps: with ps; [ pefile ])) - (llvmPackages.compiler-rt.override { - doFakeLibgcc = true; - }) - ]; - - mesonBuildType = "release"; - - doCheck = false; # fails a bunch of tests - - preConfigure = '' - mesonFlagsArray+=(-Dntp-servers="0.europe.pool.ntp.org 1.europe.pool.ntp.org 2.europe.pool.ntp.org 3.europe.pool.ntp.org") - export LC_ALL="en_US.UTF-8"; - ''; - - postPatch = - '' - substituteInPlace meson.build \ - --replace "find_program('clang'" "find_program('${stdenv.cc.targetPrefix}clang'" - '' - + '' - substituteInPlace src/ukify/ukify.py \ - --replace \ - "'readelf'" \ - "'${targetPackages.stdenv.cc.bintools.targetPrefix}readelf'" \ - --replace \ - "/usr/lib/systemd/boot/efi" \ - "$out/usr/lib/systemd/boot/efi" - '' - # Finally, patch shebangs in scripts used at build time. This must not patch - # scripts that will end up in the output, to avoid build platform references - # when cross-compiling. 
- + '' - shopt -s extglob - patchShebangs tools test src/!(rpm|kernel-install|ukify) src/kernel-install/test-kernel-install.sh - ''; - - # trigger the test -n "$DESTDIR" || mutate in upstreams build system - preInstall = '' - export DESTDIR=${placeholder "out"} - ''; - - mesonFlags = [ - - "--prefix=/usr" - "--sysconfdir=/etc" - "--localstatedir=/var" - "--libdir=/usr/lib" - "--bindir=/usr/bin" - "--includedir=/usr/include" - "--localedir=/usr/share/locale" - - # Options - - # We bump this attribute on every (major) version change to ensure that we - # have known-good value for a timestamp that is in the (not so distant) - # past. This serves as a lower bound for valid system timestamps during - # startup. Systemd will reset the system timestamp if this date is +- 15 - # years from the system time. - # See the systemd v250 release notes for further details: - # https://github.com/systemd/systemd/blob/60e930fc3e6eb8a36fbc184773119eb8d2f30364/NEWS#L258-L266 - (lib.mesonOption "time-epoch" releaseTimestamp) - - (lib.mesonOption "version-tag" version) - (lib.mesonOption "mode" "release") - (lib.mesonOption "tty-gid" "3") # tty in NixOS has gid 3 - - (lib.mesonOption "kmod-path" "/usr/bin/kmod") - (lib.mesonOption "kexec-path" "/usr/bin/kexec") - (lib.mesonOption "debug-shell" "/usr/bin/sh") - (lib.mesonOption "pamconfdir" "/etc/pam.d") - (lib.mesonOption "shellprofiledir" "/etc/profile.d") - (lib.mesonOption "dbuspolicydir" "/usr/share/dbus-1/system.d") - (lib.mesonOption "dbussessionservicedir" "/usr/share/dbus-1/services") - (lib.mesonOption "dbussystemservicedir" "/usr/share/dbus-1/system-services") - (lib.mesonOption "setfont-path" "/usr/bin/setfont") - (lib.mesonOption "loadkeys-path" "/usr/bin/loadkeys") - (lib.mesonOption "sulogin-path" "/usr/bin/sulogin") - (lib.mesonOption "nologin-path" "/usr/bin/nologin") - (lib.mesonOption "mount-path" "/usr/bin/mount") - (lib.mesonOption "umount-path" "/usr/bin/umount") - - # SBAT - (lib.mesonOption "sbat-distro" "patos") 
- (lib.mesonOption "sbat-distro-summary" "PatOS") - (lib.mesonOption "sbat-distro-url" "https://patagia.io/") - (lib.mesonOption "sbat-distro-pkgname" pname) - (lib.mesonOption "sbat-distro-version" version) - - # Users - (lib.mesonOption "system-uid-max" "999") - (lib.mesonOption "system-gid-max" "999") - - # SysVinit - (lib.mesonOption "sysvinit-path" "") - (lib.mesonOption "sysvrcnd-path" "") - - # SSH - # Disabled for now until someone makes this work. - (lib.mesonOption "sshconfdir" "no") - (lib.mesonOption "sshdconfdir" "no") - - # Features - - # Tests - (lib.mesonBool "tests" false) - (lib.mesonEnable "glib" false) - (lib.mesonEnable "dbus" false) - - # Compression - (lib.mesonEnable "bzip2" true) - (lib.mesonEnable "lz4" true) - (lib.mesonEnable "xz" true) - (lib.mesonEnable "zstd" true) - (lib.mesonEnable "zlib" true) - - # NSS - (lib.mesonEnable "nss-resolve" true) - (lib.mesonBool "nss-myhostname" true) - (lib.mesonBool "nss-systemd" true) - - # Cryptsetup - (lib.mesonEnable "libcryptsetup" true) - (lib.mesonEnable "libcryptsetup-plugins" true) - (lib.mesonEnable "p11kit" true) - - # FIDO2 - (lib.mesonEnable "libfido2" true) - (lib.mesonEnable "openssl" true) - - # Password Quality - (lib.mesonEnable "pwquality" false) - (lib.mesonEnable "passwdqc" false) - - # Remote - (lib.mesonEnable "remote" false) - (lib.mesonEnable "microhttpd" false) - - (lib.mesonEnable "pam" false) - (lib.mesonEnable "acl" true) - (lib.mesonEnable "audit" true) - (lib.mesonEnable "apparmor" true) - (lib.mesonEnable "gcrypt" true) - (lib.mesonEnable "importd" true) - (lib.mesonEnable "homed" false) - (lib.mesonEnable "polkit" true) - (lib.mesonEnable "elfutils" true) - (lib.mesonEnable "libcurl" true) - (lib.mesonEnable "libidn" false) - (lib.mesonEnable "libidn2" true) - (lib.mesonEnable "libiptc" true) - (lib.mesonEnable "repart" true) - (lib.mesonEnable "sysupdate" true) - (lib.mesonEnable "sysupdated" true) - (lib.mesonEnable "seccomp" true) - (lib.mesonEnable "selinux" true) 
- (lib.mesonEnable "tpm2" true) - (lib.mesonEnable "pcre2" true) - (lib.mesonEnable "bpf-framework" true) - (lib.mesonEnable "bootloader" true) - (lib.mesonEnable "ukify" true) - (lib.mesonEnable "kmod" true) - (lib.mesonEnable "qrencode" true) - (lib.mesonEnable "vmspawn" false) - (lib.mesonEnable "libarchive" true) - (lib.mesonEnable "xenctrl" false) - (lib.mesonEnable "gnutls" false) - (lib.mesonEnable "xkbcommon" false) - (lib.mesonEnable "man" false) - - (lib.mesonBool "analyze" true) - (lib.mesonBool "logind" false) - (lib.mesonBool "localed" false) - (lib.mesonBool "hostnamed" true) - (lib.mesonBool "machined" true) - (lib.mesonBool "networkd" true) - (lib.mesonBool "oomd" true) - (lib.mesonBool "portabled" true) - (lib.mesonBool "hwdb" true) - (lib.mesonBool "timedated" true) - (lib.mesonBool "timesyncd" true) - (lib.mesonBool "userdb" false) - (lib.mesonBool "coredump" true) - (lib.mesonBool "firstboot" true) - (lib.mesonBool "resolve" true) - (lib.mesonBool "sysusers" true) - (lib.mesonBool "efi" true) - (lib.mesonBool "utmp" true) - (lib.mesonBool "log-trace" true) - - (lib.mesonBool "kernel-install" false) - (lib.mesonBool "quotacheck" false) - (lib.mesonBool "ldconfig" false) - (lib.mesonBool "install-sysconfdir" true) - (lib.mesonBool "create-log-dirs" true) - (lib.mesonBool "smack" true) - (lib.mesonBool "b_pie" true) - - (lib.mesonOption "bashcompletiondir" "no") - (lib.mesonOption "zshcompletiondir" "no") - ]; - -}) diff --git a/pkgs/systemd/skip-verify-esp.patch b/pkgs/systemd/skip-verify-esp.patch deleted file mode 100644 index 2cb9505..0000000 --- a/pkgs/systemd/skip-verify-esp.patch +++ /dev/null 
@@ -1,24 +0,0 @@
-diff --git a/src/shared/find-esp.c b/src/shared/find-esp.c
-index f830d6dfe3..7ad2a8cd1d 100644
---- a/src/shared/find-esp.c
-+++ b/src/shared/find-esp.c
-@@ -403,15 +403,15 @@ static int verify_esp(
- "File system \"%s\" is not a FAT EFI System Partition (ESP) file system.", p);
- }
-
-- r = verify_fsroot_dir(pfd, p, flags, FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK) ? NULL : &devid);
-- if (r < 0)
-- return r;
--
- /* In a container we don't have access to block devices, skip this part of the verification, we trust
- * the container manager set everything up correctly on its own. */
- if (FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK))
- goto finish;
-
-+ r = verify_fsroot_dir(pfd, p, flags, FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK) ? NULL : &devid);
-+ if (r < 0)
-+ return r;
-+
- if (devnum_is_zero(devid))
- return log_full_errno(searching ? LOG_DEBUG : LOG_ERR,
- SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV),
diff --git a/pkgs/tpm2-tools/default.nix b/pkgs/tpm2-tools/default.nix
deleted file mode 100644
index 4bb14c1..0000000
--- a/pkgs/tpm2-tools/default.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-{
- stdenv,
- pkgs,
- fetchurl,
- lib,
- pandoc,
- pkg-config,
- curl,
- openssl,
- patosPkgs,
- libuuid,
-}:
-
-stdenv.mkDerivation {
- pname = "tpm2-tools";
- version = pkgs.tpm2-tools.version;
-
- src = pkgs.tpm2-tools.src;
-
- nativeBuildInputs = [
- pandoc
- pkg-config
- ];
-
- buildInputs = [
- curl
- openssl
- patosPkgs.tpm2-tss
- libuuid
- ];
-
- # Unit tests disabled, as they rely on a dbus session
- configureFlags = [ "--prefix=/" ];
- preInstall = ''
- mkdir -p $out
- export DESTDIR=$out
- '';
- doCheck = false;
-
- meta = with lib; {
- description = "Command line tools that provide access to a TPM 2.0 compatible device";
- homepage = "https://github.com/tpm2-software/tpm2-tools";
- license = licenses.bsd3;
- platforms = platforms.linux;
- maintainers = with maintainers; [ tomfitzhenry ];
- };
-}
diff --git a/pkgs/tpm2-tss/default.nix b/pkgs/tpm2-tss/default.nix
deleted file mode 100644
index 5a6477a..0000000
--- a/pkgs/tpm2-tss/default.nix
+++ /dev/null
@@ -1,82 +0,0 @@
-{
- stdenv,
- pkgs,
- lib,
- fetchFromGitHub,
- autoreconfHook,
- autoconf-archive,
- pkg-config,
- doxygen,
- perl,
- openssl,
- json_c,
- curl,
- libgcrypt,
- uthash,
- git,
- libuuid,
- libtpms,
-}:
-
-stdenv.mkDerivation rec {
- pname = "tpm2-tss";
- version = pkgs.tpm2-tss.version;
-
- src = pkgs.tpm2-tss.src;
-
- patches = [
- ./no-shadow.patch
- ];
-
- postPatch = ''
- substituteInPlace ./bootstrap \
- --replace-fail 'git describe --tags --always --dirty' 'echo "${version}"'
- '';
-
- outputs = [
- "out"
- ];
-
- nativeBuildInputs = [
- autoreconfHook
- autoconf-archive
- pkg-config
- doxygen
- perl
- git
- ];
-
- buildInputs = [
- openssl
- json_c
- curl
- libgcrypt
- uthash
- libuuid
- libtpms
- ];
-
- strictDeps = true;
- preAutoreconf = "./bootstrap";
-
- enableParallelBuilding = true;
-
- configureFlags = [
- "--prefix=/"
- ];
-
- preInstall = ''
- mkdir -p $out
- export DESTDIR=$out
- '';
-
- doCheck = false;
-
- meta = with lib; {
- description = "OSS implementation of the TCG TPM2 Software Stack (TSS2)";
- homepage = "https://github.com/tpm2-software/tpm2-tss";
- license = licenses.bsd2;
- platforms = platforms.unix;
- maintainers = with maintainers; [ baloo ];
- };
-}
diff --git a/pkgs/tpm2-tss/no-shadow.patch b/pkgs/tpm2-tss/no-shadow.patch
deleted file mode 100644
index a42bf06..0000000
--- a/pkgs/tpm2-tss/no-shadow.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff --git a/configure.ac b/configure.ac
-index e2d579b8..0eac4ff3 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -672,9 +672,9 @@ AS_IF([test "$HOSTOS" = "Linux" && test "x$systemd_sysusers" != "xyes"],
- AC_CHECK_PROG(adduser, adduser, yes)
- AC_CHECK_PROG(addgroup, addgroup, yes)
- AS_IF([test "x$addgroup" != "xyes" && test "x$groupadd" != "xyes" ],
-- [AC_MSG_ERROR([addgroup or groupadd are needed.])])
-+ [AC_MSG_WARN([addgroup or groupadd are needed.])])
- AS_IF([test "x$adduser" != "xyes" && test "x$useradd" != "xyes" ],
-- [AC_MSG_ERROR([adduser or useradd are needed.])])])
-+ [AC_MSG_WARN([adduser or useradd are needed.])])])
-
- AC_SUBST([PATH])
-
diff --git a/scripts/sbkeys b/scripts/sbkeys
new file mode 100755
index 0000000..a24e215
--- /dev/null
+++ b/scripts/sbkeys
@@ -0,0 +1,154 @@
+#!/usr/bin/env bash
+# Copyright (c) 2015 by Roderick W. Smith
+# Copyright (c) 2020 Corey Hinshaw
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+[ -n "${DEBUG}" ] && set -x
+set -e
+
+usage() {
+ cat <<EOF
+Usage: sbkeys [OPTION]...
+Generate secure boot keys
+
+Options:
+ -h Print this help text
+ -m Generate signature database entries for Microsoft certificates
+EOF
+}
+
+generate_keys() {
+ # Do not create new keys if key files already exist
+ KEYS=(
+ PK.key PK.crt PK.cer PK.esl PK.auth
+ KEK.key KEK.crt KEK.cer KEK.esl KEK.auth
+ DB.key DB.crt DB.cer DB.esl DB.auth
+ noPK.esl noPK.auth
+ myGUID.txt
+ )
+ for file in ${KEYS[@]}; do
+ if [ -f ${file} ]; then
+ echo "Skipping key generation: keys already exist in $(pwd)"
+ return
+ fi
+ done
+
+ echo -n "Enter a Common Name to embed in the keys: "
+ read NAME
+
+ # Platform key
+ openssl req -new -x509 \
+ -subj "/CN=${NAME} PK/" -days 3650 -nodes \
+ -newkey rsa:2048 -sha256 \
+ -keyout PK.key -out PK.crt
+ openssl x509 -in PK.crt -out PK.cer -outform DER
+
+ # Key exchange key
+ openssl req -new -x509 \
+ -subj "/CN=${NAME} KEK/" -days 3650 -nodes \
+ -newkey rsa:2048 -sha256 \
+ -keyout KEK.key -out KEK.crt
+ openssl x509 -in KEK.crt -out KEK.cer -outform DER
+
+ # Signature database
+ openssl req -new -x509 \
+ -subj "/CN=${NAME} DB/" -days 3650 -nodes \
+ -newkey rsa:2048 -sha256 \
+ -keyout DB.key -out DB.crt
+ openssl x509 -in DB.crt -out DB.cer -outform DER
+
+ GUID="$(uuidgen -r)"
+ echo ${GUID} > myGUID.txt
+
+ cert-to-efi-sig-list -g ${GUID} PK.crt PK.esl
+ cert-to-efi-sig-list -g ${GUID} KEK.crt KEK.esl
+ cert-to-efi-sig-list -g ${GUID} DB.crt DB.esl
+ rm -f noPK.esl
+ touch noPK.esl
+
+ sign-efi-sig-list \
+ -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+ -k PK.key -c PK.crt \
+ PK PK.esl PK.auth
+ sign-efi-sig-list \
+ -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+ -k PK.key -c PK.crt \
+ PK noPK.esl noPK.auth
+ sign-efi-sig-list \
+ -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+ -k PK.key -c PK.crt \
+ KEK KEK.esl KEK.auth
+ sign-efi-sig-list \
+ -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+ -k KEK.key -c KEK.crt \
+ DB DB.esl DB.auth
+
+ chmod 0600 *.key
+}
+
+generate_ms_db() {
+ msguid=77fa9abd-0359-4d32-bd60-28f4e78f784b
+
+ msdb="MS_db.esl add_MS_db.auth"
+ for file in $msdb; do
+ if [ -f $file ]; then
+ echo "Microsoft signature lists already exist in $(pwd)"
+ return
+ fi
+ done
+
+ wget --user-agent="Mozilla" https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
+ wget --user-agent="Mozilla" https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt
+
+ sbsiglist --owner "$msguid" --type x509 --output MS_Win_db.esl MicWinProPCA2011_2011-10-19.crt
+ sbsiglist --owner "$msguid" --type x509 --output MS_UEFI_db.esl MicCorUEFCA2011_2011-06-27.crt
+ cat MS_Win_db.esl MS_UEFI_db.esl > MS_db.esl
+ sign-efi-sig-list -a -g "$msguid" -k KEK.key -c KEK.crt DB MS_db.esl add_MS_db.auth
+
+ rm MS_Win_db.esl MS_UEFI_db.esl MicWinProPCA2011_2011-10-19.crt MicCorUEFCA2011_2011-06-27.crt
+}
+
+mskeys=0
+
+while getopts ":hm" opt; do
+ case $opt in
+ h)
+ usage
+ cat <<EOF
+
+For use with KeyTool, copy the *.auth and *.esl files to a FAT USB
+flash drive or to your EFI System Partition (ESP).
+For use with most UEFIs' built-in key managers, copy the *.cer files.
+
+To add Microsoft's certificates use KeyTool or UEFI to append
+add_MS_db.auth to the signature database.
+EOF
+ exit 0
+ ;;
+ m)
+ mskeys=1
+ ;;
+ \?)
+ echo "Invalid option: -$OPTARG" >&2
+ usage >&2
+ exit 1
+ ;;
+ esac
+done
+
+generate_keys
+if [ $mskeys -eq 1 ]; then
+ generate_ms_db
+fi
diff --git a/scripts/sign-release.sh b/scripts/sign-release.sh
new file mode 100755
index 0000000..0de9aed
--- /dev/null
+++ b/scripts/sign-release.sh
@@ -0,0 +1,19 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash -p efitools
+
+set -eux
+
+mkdir signed
+cp -L result/* signed/
+
+loopdev=$(sudo losetup -f)
+sudo losetup -P "$loopdev" signed/*.img
+sudo mount "${loopdev}p1" /mnt -t vfat
+
+sudo find signed/ /mnt/ -name "*.efi" -type f -exec sbsign --key <(echo "$DB_KEY") --cert <(echo "$DB_CRT") --output {} {} \;
+
+sudo mkdir -p /mnt/loader/keys/patos
+sudo cp keys/*.auth /mnt/loader/keys/patos/
+
+sudo umount /mnt
+sudo losetup -d "$loopdev"
diff --git a/tests/common.nix b/tests/common.nix
new file mode 100644
index 0000000..8e1c9af
--- /dev/null
+++ b/tests/common.nix
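Review bot: generate_ms_db() adds whatever `wget` fetched from microsoft.com to the signature database without checking it — the two `.crt` files go straight into `sbsiglist` and then into `add_MS_db.auth` signed with the KEK, so a substituted or truncated download becomes a trusted boot signer. Pin the expected digests before the `sbsiglist` calls, e.g. `echo "<EXPECTED_SHA256_MicWinProPCA2011>  MicWinProPCA2011_2011-10-19.crt" | sha256sum -c -` and the same for `MicCorUEFCA2011_2011-06-27.crt` (placeholders: take the digests from a trusted copy of the certificates). Separately, `read NAME` is spliced unescaped into `-subj "/CN=${NAME} PK/"`, so a `/` in the input changes the subject; `read -r NAME` plus rejecting names containing `/` keeps the subject well-formed. The `for file in ${KEYS[@]}` / `[ -f ${file} ]` expansions are unquoted; `"${KEYS[@]}"` and `"${file}"` is the conventional form.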
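Review bot: `set -eux` on line 4 traces every command, and the process substitutions `<(echo "$DB_KEY")` / `<(echo "$DB_CRT")` on the sbsign line run `echo` with the private key as its argument inside that traced shell, so the release signing key is very likely printed into whatever log captures this script's stderr (presumably the CI job). The process substitution is also fragile under `sudo find ... -exec ... \;`: the `/dev/fd/N` path belongs to the calling shell, sudo closes inherited descriptors by default, and even where the descriptor survives a pipe is drained by the first `sbsign` invocation, so later `.efi` files may be left unsigned. Writing the material to 0600 files with tracing off, and removing them with a trap, avoids both issues. The same trap can release the loop device and the `/mnt` mount, which currently stay attached whenever an earlier step exits non-zero; the trailing `umount`/`losetup -d` lines then become the trap body.
```shell
set -eu

keydir=$(mktemp -d)
loopdev=""
cleanup() {
  sudo umount /mnt 2>/dev/null || true
  [ -n "$loopdev" ] && sudo losetup -d "$loopdev" || true
  rm -rf "$keydir"
}
trap cleanup EXIT

# … unchanged: mkdir signed, cp -L result/*, losetup, mount …

# key material goes to 0600 files, never onto a command line or into xtrace output
(umask 077; printf '%s\n' "$DB_KEY" > "$keydir/db.key"; printf '%s\n' "$DB_CRT" > "$keydir/db.crt")
sudo find signed/ /mnt/ -name "*.efi" -type f -exec sbsign --key "$keydir/db.key" --cert "$keydir/db.crt" --output {} {} \;

# … unchanged: mkdir -p /mnt/loader/keys/patos, cp keys/*.auth … (trailing umount/losetup -d removed; the trap does it)
```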
@@ -0,0 +1,155 @@
+{
+ self,
+ lib,
+ pkgs,
+ ...
+}:
+
+with import (pkgs.path + "/nixos/lib/testing-python.nix") {
+ inherit pkgs;
+ inherit (pkgs.hostPlatform) system;
+};
+
+let
+ qemu-common = import (pkgs.path + "/nixos/lib/qemu-common.nix") { inherit lib pkgs; };
+
+in
+rec {
+
+ makeSystem =
+ extraConfig:
+ (import (pkgs.path + "/nixos/lib/eval-config.nix")) {
+ inherit pkgs lib;
+ system = null;
+ modules = [
+ {
+ nixpkgs.hostPlatform = pkgs.hostPlatform;
+ }
+ {
+ users.allowNoPasswordLogin = true;
+ system.stateVersion = lib.versions.majorMinor lib.version;
+ system.image.id = lib.mkDefault "test";
+ system.image.version = lib.mkDefault "1";
+ networking.hosts."10.0.2.1" = [ "server.test" ];
+ }
+ {
+ boot.kernelParams = [
+ "console=ttyS0,115200n8"
+ "systemd.journald.forward_to_console=1"
+ ];
+ image.compress = false;
+ boot.uki.name = lib.mkForce "test";
+ boot.initrd.compressor = lib.mkForce "zstd";
+ boot.initrd.compressorArgs = lib.mkForce [ "-8" ];
+ }
+ (pkgs.path + "/nixos/modules/testing/test-instrumentation.nix")
+ self.nixosModules.devel
+ self.nixosModules.image
+ extraConfig
+ ];
+ };
+
+ makeImage =
+ extraConfig:
+ let
+ system = makeSystem extraConfig;
+ in
+ "${system.config.system.build.image}/${system.config.system.build.image.imageFile}";
+
+ makeUpdatePackage =
+ extraConfig:
+ let
+ system = makeSystem extraConfig;
+ in
+ "${system.config.system.build.updatePackage}";
+
+ makeImageTest =
+ {
+ name,
+ image,
+ script,
+ httpRoot ? null,
+ }:
+ let
+ qemu = qemu-common.qemuBinary pkgs.qemu_test;
+ flags = [
+ "-m"
+ "512M"
+ "-drive"
+ "if=pflash,format=raw,unit=0,readonly=on,file=${pkgs.OVMF.firmware}"
+ "-drive"
+ "if=pflash,format=raw,unit=1,readonly=on,file=${pkgs.OVMF.variables}"
+ "-drive"
+ "if=virtio,file=${mutableImage}"
+ "-chardev"
+ "socket,id=chrtpm,path=${tpmFolder}/swtpm-sock"
+ "-tpmdev"
+ "emulator,id=tpm0,chardev=chrtpm"
+ "-device"
+ "tpm-tis,tpmdev=tpm0"
+ "-netdev"
+ (
+ "'user,id=net0"
+ + (lib.optionalString (
+ httpRoot != null
+ ) ",guestfwd=tcp:10.0.2.1:80-cmd:${pkgs.micro-httpd}/bin/micro_httpd ${httpRoot}")
+ + "'"
+ )
+ "-device"
+ "virtio-net-pci,netdev=net0"
+ ];
+ flagsStr = lib.concatStringsSep " " flags;
+ startCommand = "${qemu} ${flagsStr}";
+ mutableImage = "/tmp/linked-image.qcow2";
+ tpmFolder = "/tmp/emulated_tpm";
+ indentLines = str: lib.concatLines (map (s: " " + s) (lib.splitString "\n" str));
+ in
+ makeTest {
+ inherit name;
+ nodes = { };
+ testScript =
+ ''
+ import os
+ import subprocess
+
+ subprocess.check_call(
+ [
+ "qemu-img",
+ "create",
+ "-f",
+ "qcow2",
+ "-F",
+ "raw",
+ "-b",
+ "${image}",
+ "${mutableImage}",
+ ]
+ )
+ subprocess.check_call(["qemu-img", "resize", "${mutableImage}", "4G"])
+
+ os.mkdir("${tpmFolder}")
+ os.mkdir("${tpmFolder}/swtpm")
+
+ def start_tpm():
+ subprocess.Popen(
+ [
+ "${pkgs.swtpm}/bin/swtpm",
+ "socket",
+ "--tpmstate", "dir=${tpmFolder}/swtpm",
+ "--ctrl", "type=unixio,path=${tpmFolder}/swtpm-sock",
+ "--tpm2"
+ ]
+ )
+
+ machine = create_machine("${startCommand}")
+
+ try:
+ ''
+ + indentLines script
+ + ''
+ finally:
+ machine.shutdown()
+ '';
+ };
+
+}
diff --git a/tests/lib.nix b/tests/lib.nix
new file mode 100644
index 0000000..4b905fa
--- /dev/null
+++ b/tests/lib.nix
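Review bot: start_tpm() in the generated testScript discards the `subprocess.Popen` handle, so the swtpm it launches is never terminated — the `finally:` block only calls `machine.shutdown()`, and a script that calls `start_tpm()` twice (as tests/system-update.nix does across its reboot) starts a second swtpm while the first may still own `${tpmFolder}/swtpm-sock`. Keep the handle (`tpm = subprocess.Popen(...)` with a module-level `tpm = None`) and terminate it in `finally:` before `machine.shutdown()`, or have `start_tpm()` terminate a previous instance first. The `"if=virtio,file=${mutableImage}"` drive omits `format=qcow2`, so QEMU has to probe the image format; stating it explicitly avoids the probe and its warning. The fixed `/tmp/linked-image.qcow2` and `/tmp/emulated_tpm` paths (with `os.mkdir` that fails if they exist) rely on the test driver's private sandbox; a comment such as `# paths are fixed: each test runs in its own sandboxed /tmp` would record that assumption.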
@@ -0,0 +1,9 @@
+test:
+{ pkgs, self }:
+ let nixos-lib = import (pkgs.path + "/nixos/lib") {};
+in (nixos-lib.runTest {
+ hostPkgs = pkgs;
+ defaults.documentation.enable = false;
+ node.specialArgs = { inherit self; };
+ imports = [ test ];
+}).config.result
diff --git a/tests/podman.nix b/tests/podman.nix
new file mode 100644
index 0000000..0a3747f
--- /dev/null
+++ b/tests/podman.nix
@@ -0,0 +1,22 @@
+{ pkgs, self }: let
+
+ lib = pkgs.lib;
+ test-common = import ./common.nix { inherit self lib pkgs; };
+
+ image = test-common.makeImage { };
+
+in test-common.makeImageTest {
+ name = "podman";
+ inherit image;
+ script = ''
+ start_tpm()
+ machine.start()
+
+ machine.wait_for_unit("multi-user.target")
+ machine.wait_for_unit("network-online.target")
+
+ machine.succeed("tar cv --files-from /dev/null | su admin -l -c 'podman import - scratchimg'")
+
+ machine.succeed("su admin -l -c 'podman run --rm -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg true'")
+ '';
+}
diff --git a/tests/system-update.nix b/tests/system-update.nix
new file mode 100644
index 0000000..26f793e
--- /dev/null
+++ b/tests/system-update.nix
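Review bot: the `podman run` line in tests/podman.nix bind-mounts `/nix/store` and `/run/current-system/sw/bin` into the container without `:ro`, so the test passes regardless of whether the rootless container can write to the host store; if the intent is only to run host binaries, `-v /nix/store:/nix/store:ro -v /run/current-system/sw/bin:/bin:ro` states that and is the form a real invocation should use. The test currently asserts only that `true` exits 0 inside the container; a `machine.fail(...)` that attempts a write under `/nix/store` from inside the container would turn the read-only expectation into a checked property (whether the host store is mounted read-only on this image is not visible here).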
@@ -0,0 +1,45 @@
+{ pkgs, self }: let
+
+ lib = pkgs.lib;
+ test-common = import ./common.nix { inherit self lib pkgs; };
+
+ initialImage = test-common.makeImage {
+ system.image.version = "1";
+ system.image.updates.url = "http://server.test/";
+ # The default root-b is too small for uncompressed test images
+ systemd.repart.partitions."32-root-b" = {
+ SizeMinBytes = lib.mkForce "1G";
+ SizeMaxBytes = lib.mkForce "1G";
+ };
+ };
+
+ updatePackage = test-common.makeUpdatePackage {
+ system.image.version = "2";
+ system.image.updates.url = "http://server.test/";
+ };
+
+in test-common.makeImageTest {
+ name = "system-update";
+ image = initialImage;
+ httpRoot = updatePackage;
+ script = ''
+ start_tpm()
+ machine.start()
+
+ machine.wait_for_unit("multi-user.target")
+ machine.wait_for_unit("network-online.target")
+
+ machine.succeed("/run/current-system/sw/lib/systemd/systemd-sysupdate update")
+
+ machine.shutdown()
+
+ start_tpm()
+ machine.start()
+
+ machine.wait_for_unit("multi-user.target")
+
+ machine.succeed('. /etc/os-release; [ "$IMAGE_VERSION" == "2" ]')
+
+ machine.wait_for_unit("systemd-bless-boot.service")
+ '';
+}
diff --git a/utils/qemu-uefi-tpm.nix b/utils/qemu-uefi-tpm.nix
index 7d51868..7cc36c7 100644
--- a/utils/qemu-uefi-tpm.nix
+++ b/utils/qemu-uefi-tpm.nix
@@ -1,4 +1,5 @@
 {
+ config,
 pkgs,
 ...
 }:
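Review bot: the test in tests/system-update.nix covers only the happy path — sysupdate pulls from `http://server.test/`, `IMAGE_VERSION` becomes `2` and `systemd-bless-boot.service` comes up — and nothing exercises the rejection path, so a regression that disables or weakens update verification would pass unnoticed. Whether the update package carries a signature that sysupdate checks is not visible here (it depends on `self.nixosModules.image`); if it does, a second test serving a tampered package and asserting `machine.fail("/run/current-system/sw/lib/systemd/systemd-sysupdate update")` followed by `IMAGE_VERSION == "1"` would pin that property. A short comment above `httpRoot = updatePackage;` saying that the package is served unauthenticated over plain HTTP on purpose, with verification expected from the package contents, would make the intent explicit either way.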
@@ -12,25 +13,19 @@ pkgs.writeShellApplication {
 text =
 let
- tpmOVMF = pkgs.OVMF.override {
- tpmSupport = true;
- secureBoot = true;
- };
+ tpmOVMF = pkgs.OVMF.override { tpmSupport = true; };
 in
 ''
 set -ex
 state="/tmp/patos-qemu-$USER"
 rm -rf "$state"
 mkdir -m 700 "$state"
- qemu-img create -f qcow2 -F raw -b "$(readlink -e "$1")" "$state/disk.qcow2" 2G
+ qemu-img create -f qcow2 -F raw -b "$(readlink -e "$1")" "$state/disk.qcow2" 10G
 swtpm socket -d --tpmstate dir="$state" \
 --ctrl type=unixio,path="$state/swtpm-sock" \
 --tpm2 \
- --log file="$state/swtpm.log",level=20
-
- cp ${tpmOVMF.variables} "$state"
- chmod 700 "$state/OVMF_VARS.fd"
+ --log level=20
 qemu-system-x86_64 \
 -enable-kvm \
@@ -43,11 +38,11 @@ pkgs.writeShellApplication {
 -serial chardev:char0 \
 -mon chardev=char0 \
 -drive "if=pflash,format=raw,unit=0,readonly=on,file=${tpmOVMF.firmware}" \
- -drive "if=pflash,format=raw,unit=1,file=$state/OVMF_VARS.fd" \
+ -drive "if=pflash,format=raw,unit=1,readonly=on,file=${tpmOVMF.variables}" \
 -chardev socket,id=chrtpm,path="$state/swtpm-sock" \
 -tpmdev emulator,id=tpm0,chardev=chrtpm \
 -device tpm-tis,tpmdev=tpm0 \
- -netdev id=net00,type=user \
+ -netdev id=net00,type=user,hostfwd=tcp::2222-:22 \
 -device virtio-net-pci,netdev=net00 \
 -drive "format=qcow2,file=$state/disk.qcow2"
 '';
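Review bot: the new `tpmOVMF` override keeps only `tpmSupport = true`, and the variable store is now passed straight from the store path with `readonly=on` (second hunk), so this dev VM boots with stock OVMF and nothing — enrolled keys included — survives a run; assuming nixpkgs' OVMF default of no Secure Boot, that is a deliberate divergence from what scripts/sign-release.sh produces and deserves a line of explanation, e.g. `# dev VM: stock OVMF with TPM only, read-only vars — no Secure Boot, no persistent key enrollment`. The enclosing `text = let … in ''…''` block continues past this hunk.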
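Review bot: `hostfwd=tcp::2222-:22` on the new `-netdev` line leaves the host address empty, which QEMU user networking treats as 0.0.0.0, so the guest's SSH port is exposed on every interface of the developer's machine on a fixed, well-known port. Bind it to loopback instead: `-netdev id=net00,type=user,hostfwd=tcp:127.0.0.1:2222-:22 \`. The guest side is unchanged and local access via port 2222 keeps working.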