From c59ea2995770fce615f67033125b839cb6434a12 Mon Sep 17 00:00:00 2001 
From: Daniel Lundin Date: Mon, 11 Nov 2024 23:02:38 +0100 Subject: [PATCH] Image building take 2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We want verity protected partitions as well as encrypted state/data along with verified boot. This PR integrates Peter Marshall's awesome little Nixlet project as a starting point, especially the nice testing scaffolding will be super helpful! ✨ https://github.com/petm5/nixlet/ --- flake.lock | 157 +- flake.nix | 191 +-- justfile | 8 +- modules/config/minimal-modules.nix | 15 + modules/config/minimal-system.nix | 26 + modules/default.nix | 6 + modules/filesystems.nix | 44 - modules/generic.nix | 71 - modules/image/disk/:w | 128 ++ modules/image/disk/builder.nix | 167 ++ modules/image/disk/default.nix | 128 ++ modules/image/disk/ssh.nix | 40 + modules/image/disk/updater.nix | 86 + modules/image/disk/veritysetup.nix | 39 + modules/kernel/default.nix | 24 - modules/kernel/generic.config | 2521 ---------------------------- modules/minimize.nix | 18 - modules/network.nix | 17 - modules/partitions.nix | 103 -- modules/patagia-agent.nix | 34 - modules/profiles/base.nix | 86 + modules/profiles/network.nix | 56 + modules/profiles/server.nix | 43 + modules/sysext.nix | 23 - modules/system_overrides.nix | 5 - modules/sysupdate.nix | 90 - modules/utils.nix | 29 - pkgs/composefs.nix | 5 + pkgs/linux-firmware.nix | 12 + pkgs/openssh.nix | 7 + pkgs/qemu.nix | 30 + pkgs/systemd-ukify.nix | 48 + pkgs/systemd.nix | 10 + tests/common.nix | 154 ++ tests/lib.nix | 9 + tests/podman.nix | 22 + tests/ssh-preseed.nix | 37 + tests/system-update.nix | 45 + utils/qemu-uefi-tpm.nix | 49 + 39 files changed, 1311 insertions(+), 3272 deletions(-) create mode 100644 modules/config/minimal-modules.nix create mode 100644 modules/config/minimal-system.nix create mode 100644 modules/default.nix delete mode 100644 modules/filesystems.nix delete mode 100644 modules/generic.nix create mode 100644 modules/image/disk/:w 
create mode 100644 modules/image/disk/builder.nix create mode 100644 modules/image/disk/default.nix create mode 100644 modules/image/disk/ssh.nix create mode 100644 modules/image/disk/updater.nix create mode 100644 modules/image/disk/veritysetup.nix delete mode 100644 modules/kernel/default.nix delete mode 100644 modules/kernel/generic.config delete mode 100644 modules/minimize.nix delete mode 100644 modules/network.nix delete mode 100644 modules/partitions.nix delete mode 100644 modules/patagia-agent.nix create mode 100644 modules/profiles/base.nix create mode 100644 modules/profiles/network.nix create mode 100644 modules/profiles/server.nix delete mode 100644 modules/sysext.nix delete mode 100644 modules/system_overrides.nix delete mode 100644 modules/sysupdate.nix delete mode 100644 modules/utils.nix create mode 100644 pkgs/composefs.nix create mode 100644 pkgs/linux-firmware.nix create mode 100644 pkgs/openssh.nix create mode 100644 pkgs/qemu.nix create mode 100644 pkgs/systemd-ukify.nix create mode 100644 pkgs/systemd.nix create mode 100644 tests/common.nix create mode 100644 tests/lib.nix create mode 100644 tests/podman.nix create mode 100644 tests/ssh-preseed.nix create mode 100644 tests/system-update.nix create mode 100644 utils/qemu-uefi-tpm.nix diff --git a/flake.lock b/flake.lock index e774dca..2f5f887 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,169 +1,24 @@ { "nodes": { - "advisory-db": { - "flake": false, - "locked": { - "lastModified": 1727353582, - "narHash": "sha256-2csMEEOZhvowVKZNBHk1kMJqk72ZMrPj9LQYCzP6EKs=", - "owner": "rustsec", - "repo": "advisory-db", - "rev": "cb905e6e405834bdff1eb1e20c9b10edb5403889", - "type": "github" - }, - "original": { - "owner": "rustsec", - "repo": "advisory-db", - "type": "github" - } - }, - "crane": { - "locked": { - "lastModified": 1727316705, - "narHash": "sha256-/mumx8AQ5xFuCJqxCIOFCHTVlxHkMT21idpbgbm/TIE=", - "owner": "ipetkov", - "repo": "crane", - "rev": "5b03654ce046b5167e7b0bccbd8244cb56c16f0e", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "flake-utils": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1726560853, - "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_2": { - "inputs": { - "systems": "systems_2" - }, - "locked": { - "lastModified": 1726560853, - "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "nixpkgs": { "locked": { - "lastModified": 1730785428, - "narHash": "sha256-Zwl8YgTVJTEum+L+0zVAWvXAGbWAuXHax3KzuejaDyo=", - "owner": "nixos", + "lastModified": 1731139594, + "narHash": "sha256-IigrKK3vYRpUu+HEjPL/phrfh7Ox881er1UEsZvw9Q4=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "4aa36568d413aca0ea84a1684d2d46f55dbabad7", + "rev": "76612b17c0ce71689921ca12d9ffdc9c23ce40b2", "type": "github" }, "original": { - "owner": "nixos", + "owner": "NixOS", "ref": "nixos-unstable", "repo": 
"nixpkgs", "type": "github" } }, - "patagia-agent": { - "inputs": { - "advisory-db": "advisory-db", - "crane": "crane", - "flake-utils": "flake-utils_2", - "nixpkgs": [ - "nixpkgs" - ], - "rust-overlay": "rust-overlay" - }, - "locked": { - "lastModified": 1729636943, - "narHash": "sha256-uEvMiMcKyAZ30ZZZuirCu9jM6DwEbNV2olsmSwLkmtg=", - "ref": "main", - "rev": "9ec0cf1dd5dc1bd64073b58681a8637c21b979c3", - "revCount": 10, - "type": "git", - "url": "ssh://git@patagia.dev/patagia/patagia-agent" - }, - "original": { - "ref": "main", - "type": "git", - "url": "ssh://git@patagia.dev/patagia/patagia-agent" - } - }, "root": { "inputs": { - "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs", - "patagia-agent": "patagia-agent" - } - }, - "rust-overlay": { - "inputs": { - "nixpkgs": [ - "patagia-agent", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1727490462, - "narHash": "sha256-OrrPiNBiikv9BR464XTT75FzOq7tKAvMbMi7YOKVIeg=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "11a13e50debafae4ae802f1d6b8585101516dd93", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_2": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" + "nixpkgs": "nixpkgs" } } }, diff --git a/flake.nix b/flake.nix index 429ff87..f616a01 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,151 +2,70 @@ description = "PatOS is a minimal, immutable Linux distribution specialized for the Patagia Platform."; inputs = { - flake-utils.url = "github:numtide/flake-utils"; - nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable"; - patagia-agent.url = "git+ssh://git@patagia.dev/patagia/patagia-agent?ref=main"; - patagia-agent.inputs.nixpkgs.follows = "nixpkgs"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; }; outputs = + { self, nixpkgs }: + let + releaseVersion = "0.0.1"; + system = "x86_64-linux"; + updateUrl = "https://images.dl.patagia.dev/patos/"; + pkgs = import nixpkgs { inherit system; }; + in { - self, - flake-utils, - nixpkgs, - patagia-agent, - }: - flake-utils.lib.eachDefaultSystem ( - system: - let + nixosModules.server.imports = [ + ./modules/profiles/server.nix + ]; - pkgs = import nixpkgs { - inherit system; - overlays = [ - (import ./overlays) - ]; - }; + nixosModules.image.imports = [ + ./modules + ./modules/profiles/base.nix + ./modules/image/disk + ]; - # Prepare an update package for the system. - mkUpdate = - nixos: - let - config = nixos.config; - in - pkgs.runCommand "update-${config.system.image.version}" - { - nativeBuildInputs = with pkgs; [ - erofs-utils - zstd - ]; - } - '' - mkdir -p $out - cp ${config.system.build.image}/${config.boot.uki.name}_${config.system.image.version}.store.raw $out/ - - zstd -9 ${config.system.build.uki}/${config.system.boot.loader.ukiFile} \ - -o $out/${config.system.boot.loader.ukiFile}.zst - - zstd -9 ${config.system.build.image}/${config.boot.uki.name}_${config.system.image.version}.store.raw \ - -o $out/${config.boot.uki.name}_${config.system.image.version}.img.zst - ''; - - # Prepare a ready-to-boot disk image. 
- mkInstallImage = - nixos: - let - config = nixos.config; - in - pkgs.runCommand "update-${config.system.image.version}" - { - nativeBuildInputs = with pkgs; [ - qemu - zstd - ]; - } - '' - mkdir -p $out - cp ${config.system.build.image}/${config.boot.uki.name}_${config.system.image.version}.raw $out/ - qemu-img convert -f raw -O qcow2 -C ${config.system.build.image}/${config.boot.uki.name}_${config.system.image.version}.raw $out/disk.qcow2 - - zstd -9 ${config.system.build.image}/${config.boot.uki.name}_${config.system.image.version}.store.raw \ - -o $out/${config.boot.uki.name}_${config.system.image.version}.img.zst - - zstd -9 ${config.system.build.uki}/${config.system.boot.loader.ukiFile} \ - -o $out/${config.system.boot.loader.ukiFile}.zst - ''; - in - { - devShells.${system}.default = pkgs.mkShell { - packages = with pkgs; [ - erofs-utils - just - self.packages.${system}.qemu-efi - squashfs-tools-ng - ]; - }; - - packages = { - default = self.packages.${system}.patos_image; - patos_image = mkInstallImage self.nixosConfigurations.${system}.patos; - patos_update = mkUpdate self.nixosConfigurations.${system}.patos; - - image = system.build; - - # FIXME: only do for x86_64 - # A helper script to run the disk images above. 
- qemu-efi = pkgs.writeShellApplication { - name = "qemu-efi"; - - runtimeInputs = [ pkgs.qemu_kvm ]; - - text = '' - set -ex - state="/tmp/qemu-$USER" - mkdir -p "$state" - chmod 700 "$state" - qemu-system-x86_64 \ - -cpu host \ - -machine q35,accel=kvm \ - -m 4G \ - -smp 8 \ - -display none \ - -chardev "stdio,id=char0,mux=on,logfile=$state/serial.log,signal=off" \ - -serial chardev:char0 \ - -mon chardev=char0 \ - -drive "if=pflash,format=raw,unit=0,readonly=on,file=${pkgs.OVMF.firmware}" \ - -drive "if=pflash,format=raw,unit=1,readonly=on,file=${pkgs.OVMF.variables}" \ - -netdev id=net00,type=user,hostfwd=tcp::2222-:22 \ - -device virtio-net-pci,netdev=net00 \ - "$@" - ''; - }; - }; - - nixosConfigurations = rec { - patos = nixpkgs.lib.nixosSystem { - specialArgs.pkgs = pkgs; - system = system; + packages.${system} = { + patos = + (nixpkgs.lib.nixosSystem { modules = [ + ( + { lib, ... }: + { + nixpkgs.hostPlatform = system; + system.stateVersion = "24.05"; + } + ) { - _module.args = { - inherit patagia-agent; - }; + boot.kernelParams = [ + "console=ttyS0" + "systemd.journald.forward_to_console" + ]; + system.image.updates.url = "${updateUrl}"; + system.image.id = "patos"; + system.image.version = releaseVersion; } - ./modules/kernel - ./modules/filesystems.nix - ./modules/generic.nix - ./modules/minimize.nix - ./modules/network.nix - # ./modules/patagia-agent.nix - ./modules/partitions.nix - ./modules/system_overrides.nix - ./modules/sysext.nix - ./modules/sysupdate.nix - ./modules/utils.nix + self.nixosModules.image + self.nixosModules.server ]; - }; - }; + }).config.system.build.updatePackage; - } - ); + qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { inherit pkgs; }; + }; + + checks.${system} = { + ssh-preseed = import ./tests/ssh-preseed.nix { inherit pkgs self; }; + podman = import ./tests/podman.nix { inherit pkgs self; }; + system-update = import ./tests/system-update.nix { inherit pkgs self; }; + }; + + devShells.${system}.default = 
pkgs.mkShell { + buildInputs = with pkgs; [ + erofs-utils + just + self.packages.${system}.qemu-uefi-tpm + squashfs-tools-ng + ]; + }; + + }; } diff --git a/justfile b/justfile index 8f3d12b..dfb84a2 100644 --- a/justfile +++ b/justfile @@ -13,11 +13,7 @@ build: build-image # Build PatOS image build-image: - nix build .#patos_image - -# Build PatOS update image -build-update: - nix build .#patos_update + nix build .#patos run: build-image - qemu-efi -snapshot ./result/disk.qcow2 + qemu-uefi-tpm ./result/*.img diff --git a/modules/config/minimal-modules.nix b/modules/config/minimal-modules.nix new file mode 100644 index 0000000..45bdb1f --- /dev/null +++ b/modules/config/minimal-modules.nix @@ -0,0 +1,15 @@ +{ config, ... }: +{ + boot = { + bootspec.enable = false; + initrd.kernelModules = config.boot.kernelModules; + kernel.enable = false; # No kernel or modules in the rootfs + modprobeConfig.enable = false; + }; + + system.build = { + inherit (config.boot.kernelPackages) kernel; + }; + + system.modulesTree = [ config.boot.kernelPackages.kernel ] ++ config.boot.extraModulePackages; +} diff --git a/modules/config/minimal-system.nix b/modules/config/minimal-system.nix new file mode 100644 index 0000000..e77476b --- /dev/null +++ b/modules/config/minimal-system.nix @@ -0,0 +1,26 @@ +{ ... }: +{ + + nixpkgs.overlays = [ + (final: prev: { + + composefs = final.callPackage ../../pkgs/composefs.nix { inherit prev; }; + qemu_tiny = final.callPackage ../../pkgs/qemu.nix { inherit prev; }; + systemdUkify = final.callPackage ../../pkgs/systemd-ukify.nix { inherit prev; }; + + # # FIXME: Revisit + refine these below in a future image minimization effort + # + # util-linux = prev.util-linux.override { + # ncursesSupport = false; + # nlsSupport = false; + # }; + # + # dbus = prev.dbus.override { + # enableSystemd = false; + # x11Support = false; + # }; + + }) + ]; + +} diff --git a/modules/default.nix b/modules/default.nix new file mode 100644 index 0000000..0a1a5e0 
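Review bot: The inline module for `packages.${system}.patos` in flake.nix puts `console=ttyS0` and `systemd.journald.forward_to_console` into `boot.kernelParams`, so the only image this flake builds copies the whole journal to the serial console. The deleted modules/generic.nix carried a FIXME asking for a debug/devel switch for the default kernel params, and nothing visible in this hunk replaces it. Consider gating the two parameters behind an option, or at least marking them with a comment such as `# debug only: journal is forwarded to the serial console; drop for release images`. Separately, `system.stateVersion` is now "24.05" where the removed generic.nix set "24.11"; if going backwards is intentional, a one-line comment saying so would help.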
--- /dev/null +++ b/modules/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./config/minimal-modules.nix + ./config/minimal-system.nix + ]; +} diff --git a/modules/filesystems.nix b/modules/filesystems.nix deleted file mode 100644 index 01753be..0000000 --- a/modules/filesystems.nix +++ /dev/null @@ -1,44 +0,0 @@ -{ config, ... }: { - - zramSwap = { - enable = true; - algorithm = "zstd"; - memoryPercent = 20; - }; - - fileSystems = { - "/" = { - fsType = "tmpfs"; - options = [ - "size=20%" - ]; - }; - - "/var" = - let - partConf = config.image.repart.partitions."var".repartConfig; - in - { - device = "/dev/disk/by-partuuid/${partConf.UUID}"; - fsType = partConf.Format; - }; - - "/boot" = - let - partConf = config.image.repart.partitions."esp".repartConfig; - in - { - device = "/dev/disk/by-partuuid/${partConf.UUID}"; - fsType = partConf.Format; - }; - - "/nix/store" = - let - partConf = config.image.repart.partitions."store".repartConfig; - in - { - device = "/dev/disk/by-partlabel/${partConf.Label}"; - fsType = partConf.Format; - }; - }; -} diff --git a/modules/generic.nix b/modules/generic.nix deleted file mode 100644 index 2214f00..0000000 --- a/modules/generic.nix +++ /dev/null 
@@ -1,71 +0,0 @@ -{ - pkgs, - config, - lib, - ... -}: -{ - - boot = { - enableContainers = false; - initrd.systemd.enable = true; - initrd.compressor = "zstd"; - - # FIXME: Add debug/devel option to switch default kernel params - kernelParams = [ - # "quiet" - "console=tty1" - "console=ttyS0,38400" - "systemd.log_level=info" - "systemd.log_target=console" - ]; - loader.efi.canTouchEfiVariables = true; - loader.grub.enable = false; - loader.systemd-boot.enable = true; - uki.name = "patos"; - }; - - system.image.version = "0.0.1"; # FIXME: Use epoch version. - - system.nixos = { - codeName = "Finn"; - distroId = "patos"; - distroName = "PatOS"; - release = "2024-09"; - }; - - system.switch.enable = false; - - # Make the current system version visible in the prompt. - programs.bash.promptInit = '' - export PS1="\u@\h (version ${config.system.image.version}) \w $ " - ''; - - # Not compatible with system.etc.overlay.enable yet. - # users.mutableUsers = false; - - services.getty.autologinUser = "root"; - - # Temporary files - boot.tmp.cleanOnBoot = true; - boot.tmp.useTmpfs = true; - systemd.services.nix-daemon = { - environment.TMPDIR = "/var/tmp"; - }; - - services.journald.extraConfig = '' - SystemMaxUse=10M - ''; - - services.fstrim.enable = true; - - # Debugging - environment.systemPackages = with pkgs; [ - (runCommand "systemd-sysupdate" { } '' - mkdir -p $out/bin - ln -s ${config.systemd.package}/lib/systemd/systemd-sysupdate $out/bin - '') - ]; - - system.stateVersion = "24.11"; -} diff --git a/modules/image/disk/:w b/modules/image/disk/:w new file mode 100644 index 0000000..2862e18 --- /dev/null +++ b/modules/image/disk/:w 
@@ -0,0 +1,128 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+
+ imports = [
+ ./updater.nix
+ ./ssh.nix
+ ./builder.nix
+ ./veritysetup.nix
+ ];
+
+ system.build.updatePackage = pkgs.runCommand "update-package" { } ''
+ mkdir "$out"
+ cd "$out"
+ cp "${config.system.build.image}"/* .
+ ${pkgs.coreutils}/bin/sha256sum * > SHA256SUMS
+ '';
+
+ boot.initrd.systemd.enable = true;
+
+ boot.initrd.systemd.repart.enable = true;
+ systemd.repart.partitions = {
+ "10-esp" = {
+ Type = "esp";
+ Format = "vfat";
+ SizeMinBytes = "96M";
+ SizeMaxBytes = "96M";
+ };
+ "20-root-verity-a" = {
+ Type = "root-verity";
+ SizeMinBytes = "64M";
+ SizeMaxBytes = "64M";
+ };
+ "22-root-a" = {
+ Type = "root";
+ SizeMinBytes = "512M";
+ SizeMaxBytes = "512M";
+ };
+ "30-root-verity-b" = {
+ Type = "root-verity";
+ SizeMinBytes = "64M";
+ SizeMaxBytes = "64M";
+ Label = "_empty";
+ ReadOnly = 1;
+ };
+ "32-root-b" = {
+ Type = "root";
+ SizeMinBytes = "512M";
+ SizeMaxBytes = "512M";
+ Label = "_empty";
+ ReadOnly = 1;
+ };
+ "40-home" = {
+ Type = "home";
+ Format = "btrfs";
+ SizeMinBytes = "512M";
+ Encrypt = "tpm2";
+ };
+ };
+
+ boot.initrd.compressor = "zstd";
+ boot.initrd.compressorArgs = [ "-8" ];
+
+ boot.loader.grub.enable = false;
+
+ boot.initrd.luks.forceLuksSupportInInitrd = true;
+ boot.initrd.kernelModules = [
+ "dm_mod"
+ "dm_crypt"
+ ] ++ config.boot.initrd.luks.cryptoModules;
+
+ boot.initrd.supportedFilesystems = {
+ btrfs = true;
+ erofs = true;
+ };
+
+ system.etc.overlay.mutable = false;
+ users.mutableUsers = false;
+
+ boot.initrd.systemd.services.systemd-repart.after = lib.mkForce [ "sysroot.mount" ];
+ boot.initrd.systemd.services.systemd-repart.requires = [ "sysroot.mount" ];
+
+ boot.kernelParams = [
+ "rootfstype=erofs"
+ "rootflags=ro"
+ "roothash=${config.system.build.verityRootHash}"
+ ];
+
+ fileSystems."/var" = {
+ fsType = "tmpfs";
+ options = [ "mode=0755" ];
+ };
+
+ # Required to mount the efi partition
+ boot.kernelModules = [
+ "vfat"
+ "nls_cp437"
+ "nls_iso8859-1"
+ ];
+
+ # Store SSH host keys on /home since /etc is read-only
+ services.openssh.hostKeys = [
+ {
+ path = "/home/.ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+
+ environment.etc."machine-id" = {
+ text = "";
+ mode = "0755";
+ };
+
+ boot.initrd.systemd.services.systemd-repart.serviceConfig.Environment = [
+ "SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard"
+ ];
+
+ # Refuse to boot on mount failure
+ systemd.targets."sysinit".requires = [ "local-fs.target" ];
+
+ # Make sure home gets mounted
+ systemd.targets."local-fs".requires = [ "home.mount" ];
+
+}
diff --git a/modules/image/disk/builder.nix b/modules/image/disk/builder.nix
new file mode 100644
index 0000000..39f321c
--- /dev/null
+++ b/modules/image/disk/builder.nix
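Review bot: `modules/image/disk/:w` looks like an editor write artifact rather than an intended module: its blob id (2862e18) and its 128 added lines match `modules/image/disk/default.nix`, which this same patch adds, and nothing visible in the patch imports a file named `:w`. Drop it from the commit so the partition layout, verity kernel parameters and TPM2 encryption settings exist in exactly one place. Left in, a later change to default.nix would leave a stale copy that a reader could mistake for the effective configuration.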
@@ -0,0 +1,167 @@ +{ + config, + lib, + pkgs, + ... +}: +let + inherit (pkgs.stdenv.hostPlatform) efiArch; + + initialPartitions = { + "10-root" = { + storePaths = [ config.system.build.toplevel ]; + repartConfig = { + Type = "root"; + Minimize = "best"; + Format = "erofs"; + MakeDirectories = "/home /root /etc /dev /sys /bin /var /proc /run /usr /srv /tmp /mnt /lib /efi"; + Verity = "data"; + VerityMatchKey = "root"; + SplitName = "root"; + }; + }; + + "20-root-verity" = { + repartConfig = { + Type = "root-verity"; + Minimize = "best"; + Verity = "hash"; + VerityMatchKey = "root"; + SplitName = "verity"; + }; + }; + }; + + # TODO: We don't need a combined image here - add dry-run flag to repart invocation + verityRepart = import (pkgs.path + "/nixos/lib/eval-config.nix") { + inherit lib pkgs; + system = null; + modules = [ + ( + { modulesPath, ... }: + { + imports = [ (modulesPath + "/image/repart.nix") ]; + image.repart = { + name = "verity"; + split = true; + mkfsOptions = lib.mkIf config.image.compress { + erofs = [ + "-zlz4hc,level=12" + "-Efragments,dedupe,ztailpacking" + ]; + }; + partitions = initialPartitions; + }; + } + ) + ]; + }; + + rootPart = "${verityRepart.config.system.build.image}/${verityRepart.config.image.repart.imageFileBasename}.root.raw"; + verityPart = "${verityRepart.config.system.build.image}/${verityRepart.config.image.repart.imageFileBasename}.verity.raw"; + + verityImgAttrs = builtins.fromJSON ( + builtins.readFile "${verityRepart.config.system.build.image}/repart-output.json" + ); + rootAttrs = builtins.elemAt verityImgAttrs 0; + verityAttrs = builtins.elemAt verityImgAttrs 1; + + rootUuid = rootAttrs.uuid; + verityUuid = verityAttrs.uuid; + verityRootHash = rootAttrs.roothash; + + finalPartitions = { + "10-esp" = { + contents = { + "/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source = "${pkgs.systemdUkify}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi"; + "/EFI/Linux/${config.system.boot.loader.ukiFile}".source = 
"${config.system.build.uki}/${config.system.boot.loader.ukiFile}"; + "/default-ssh-authorized-keys.txt" = lib.mkIf config.system.image.sshKeys.enable { + source = pkgs.writeText "ssh-keys" (lib.concatStringsSep "\n" config.system.image.sshKeys.keys); + }; + }; + repartConfig = { + Type = "esp"; + Format = "vfat"; + SizeMinBytes = "96M"; + SizeMaxBytes = "96M"; + SplitName = "-"; + }; + }; + "20-root-verity-a" = { + repartConfig = { + Type = "root-verity"; + Label = "verity-${config.system.image.version}"; + CopyBlocks = "${verityPart}"; + SplitName = "-"; + SizeMinBytes = "64M"; + SizeMaxBytes = "64M"; + UUID = "${verityUuid}"; + ReadOnly = 1; + }; + }; + # TODO: Add signature partition for systemd-nspawn + "22-root-a" = { + repartConfig = { + Type = "root"; + Label = "root-${config.system.image.version}"; + CopyBlocks = "${rootPart}"; + SplitName = "-"; + UUID = "${rootUuid}"; + ReadOnly = 1; + }; + }; + }; + + finalRepart = import (pkgs.path + "/nixos/lib/eval-config.nix") { + inherit lib pkgs; + system = null; + modules = [ + ( + { modulesPath, ... 
}: + { + imports = [ (modulesPath + "/image/repart.nix") ]; + image.repart = { + name = "${config.system.image.id}"; + partitions = finalPartitions; + }; + } + ) + ]; + }; + +in +{ + + options.image.compress = lib.mkEnableOption "image compression" // { + default = true; + }; + + config.system.build = { + inherit verityRootHash; + + image = + (pkgs.linkFarm "image-release" [ + { + name = "${config.system.image.id}_${config.system.image.version}.efi"; + path = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}"; + } + { + name = "${config.system.image.id}_${config.system.image.version}_${verityUuid}.verity"; + path = "${verityRepart.config.system.build.image}/${verityRepart.config.image.repart.imageFileBasename}.verity.raw"; + } + { + name = "${config.system.image.id}_${config.system.image.version}_${rootUuid}.root"; + path = "${verityRepart.config.system.build.image}/${verityRepart.config.image.repart.imageFileBasename}.root.raw"; + } + { + name = "${config.system.image.id}_${config.system.image.version}.img"; + path = "${finalRepart.config.system.build.image}/${finalRepart.config.image.repart.imageFileBasename}.raw"; + } + ]) + // { + imageFile = "${config.system.image.id}_${config.system.image.version}.img"; + }; + + }; + +} diff --git a/modules/image/disk/default.nix b/modules/image/disk/default.nix new file mode 100644 index 0000000..2862e18 --- /dev/null +++ b/modules/image/disk/default.nix 
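Review bot: `verityImgAttrs` in builder.nix is produced by `builtins.readFile` on `${verityRepart.config.system.build.image}/repart-output.json`, which is import-from-derivation: the verity image has to be built during evaluation before `verityRootHash`, `rootUuid` and `verityUuid` exist. Evaluation will fail wherever `allow-import-from-derivation` is turned off, and the binding has no comment saying so; something like `# IFD: builds the verity image at eval time to read roothash/UUIDs for the kernel cmdline and final image` would make the cost explicit. `rootAttrs` and `verityAttrs` are then picked by position (`builtins.elemAt verityImgAttrs 0` / `1`), which presumably relies on repart listing partitions in definition order; that assumption deserves a note too. Further down, the `linkFarm` entries spell out the `.verity.raw` and `.root.raw` paths again although `verityPart` and `rootPart` already hold them; `path = verityPart;` and `path = rootPart;` would keep the two in sync.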
@@ -0,0 +1,128 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+
+ imports = [
+ ./updater.nix
+ ./ssh.nix
+ ./builder.nix
+ ./veritysetup.nix
+ ];
+
+ system.build.updatePackage = pkgs.runCommand "update-package" { } ''
+ mkdir "$out"
+ cd "$out"
+ cp "${config.system.build.image}"/* .
+ ${pkgs.coreutils}/bin/sha256sum * > SHA256SUMS
+ '';
+
+ boot.initrd.systemd.enable = true;
+
+ boot.initrd.systemd.repart.enable = true;
+ systemd.repart.partitions = {
+ "10-esp" = {
+ Type = "esp";
+ Format = "vfat";
+ SizeMinBytes = "96M";
+ SizeMaxBytes = "96M";
+ };
+ "20-root-verity-a" = {
+ Type = "root-verity";
+ SizeMinBytes = "64M";
+ SizeMaxBytes = "64M";
+ };
+ "22-root-a" = {
+ Type = "root";
+ SizeMinBytes = "512M";
+ SizeMaxBytes = "512M";
+ };
+ "30-root-verity-b" = {
+ Type = "root-verity";
+ SizeMinBytes = "64M";
+ SizeMaxBytes = "64M";
+ Label = "_empty";
+ ReadOnly = 1;
+ };
+ "32-root-b" = {
+ Type = "root";
+ SizeMinBytes = "512M";
+ SizeMaxBytes = "512M";
+ Label = "_empty";
+ ReadOnly = 1;
+ };
+ "40-home" = {
+ Type = "home";
+ Format = "btrfs";
+ SizeMinBytes = "512M";
+ Encrypt = "tpm2";
+ };
+ };
+
+ boot.initrd.compressor = "zstd";
+ boot.initrd.compressorArgs = [ "-8" ];
+
+ boot.loader.grub.enable = false;
+
+ boot.initrd.luks.forceLuksSupportInInitrd = true;
+ boot.initrd.kernelModules = [
+ "dm_mod"
+ "dm_crypt"
+ ] ++ config.boot.initrd.luks.cryptoModules;
+
+ boot.initrd.supportedFilesystems = {
+ btrfs = true;
+ erofs = true;
+ };
+
+ system.etc.overlay.mutable = false;
+ users.mutableUsers = false;
+
+ boot.initrd.systemd.services.systemd-repart.after = lib.mkForce [ "sysroot.mount" ];
+ boot.initrd.systemd.services.systemd-repart.requires = [ "sysroot.mount" ];
+
+ boot.kernelParams = [
+ "rootfstype=erofs"
+ "rootflags=ro"
+ "roothash=${config.system.build.verityRootHash}"
+ ];
+
+ fileSystems."/var" = {
+ fsType = "tmpfs";
+ options = [ "mode=0755" ];
+ };
+
+ # Required to mount the efi partition
+ boot.kernelModules = [
+ "vfat"
+ "nls_cp437"
+ "nls_iso8859-1"
+ ];
+
+ # Store SSH host keys on /home since /etc is read-only
+ services.openssh.hostKeys = [
+ {
+ path = "/home/.ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+
+ environment.etc."machine-id" = {
+ text = "";
+ mode = "0755";
+ };
+
+ boot.initrd.systemd.services.systemd-repart.serviceConfig.Environment = [
+ "SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard"
+ ];
+
+ # Refuse to boot on mount failure
+ systemd.targets."sysinit".requires = [ "local-fs.target" ];
+
+ # Make sure home gets mounted
+ systemd.targets."local-fs".requires = [ "home.mount" ];
+
+}
diff --git a/modules/image/disk/ssh.nix b/modules/image/disk/ssh.nix
new file mode 100644
index 0000000..3f6b3c4
--- /dev/null
+++ b/modules/image/disk/ssh.nix
@@ -0,0 +1,40 @@
+{ config, lib, ... }:
+{
+ options.system.image.sshKeys = {
+ enable = lib.mkEnableOption "provisioning of default SSH keys from ESP";
+ keys = lib.mkOption {
+ type = lib.types.listOf lib.types.singleLineStr;
+ default = [ ];
+ };
+ };
+
+ config = lib.mkIf config.system.image.sshKeys.enable {
+
+ assertions = [
+ {
+ assertion = config.services.openssh.enable;
+ message = "OpenSSH must be enabled to preseed authorized keys";
+ }
+ ];
+
+ systemd.services."default-ssh-keys" = {
+ script = ''
+ mkdir -p /home/admin/.ssh/
+ cat /efi/default-ssh-authorized-keys.txt >> /home/admin/.ssh/authorized_keys
+ '';
+ wantedBy = [
+ "sshd.service"
+ "sshd.socket"
+ ];
+ unitConfig = {
+ ConditionPathExists = [
+ "/home/admin"
+ "!/home/admin/.ssh/authorized_keys"
+ "/efi/default-ssh-authorized-keys.txt"
+ ];
+ };
+ };
+
+ };
+
+}
diff --git a/modules/image/disk/updater.nix b/modules/image/disk/updater.nix
new file mode 100644
index 0000000..adce617
--- /dev/null
+++ b/modules/image/disk/updater.nix
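Review bot: The `40-home` partition in modules/image/disk/default.nix sets `Encrypt = "tpm2"`, but nothing in the hunk states which TPM2 PCRs the volume key is sealed against, and /home is also where the SSH host key is kept (`/home/.ssh/ssh_host_ed25519_key`). Whether the encrypted state is really tied to the verified UKI and its `roothash=` parameter therefore depends on systemd-repart defaults that are not visible here. Please record the intended binding next to the partition, e.g. `# sealed to TPM2 with repart's default PCR policy; TODO pin the PCR set explicitly`. In the same hunk, `environment.etc."machine-id"` is an empty data file created with `mode = "0755"`; `mode = "0444";` would avoid marking it executable. The copy of this file at `modules/image/disk/:w` carries the same lines.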
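Review bot: The `default-ssh-keys` script in ssh.nix appends `/efi/default-ssh-authorized-keys.txt` to `/home/admin/.ssh/authorized_keys`, yet the ESP is a plain vfat partition that sits outside the dm-verity and TPM2 protection this patch introduces, so the file's content at first boot becomes a login credential for `admin` without any integrity check. If preseeding from the ESP is meant for provisioning only, the `sshKeys.enable` description should say so, and production images would be safer carrying the keys inside the verity-protected root. The unit sets no `User=`, so `.ssh` and `authorized_keys` are presumably created root-owned with umask-default modes; adding `chmod 700 /home/admin/.ssh` and `chown -R admin: /home/admin/.ssh` after the `cat` would make the result deterministic. The unit is also only `wantedBy` sshd with no ordering, so it is not guaranteed to finish before sshd accepts connections.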
@@ -0,0 +1,86 @@
+{ config, lib, ... }: {
+
+ options.system.image.updates = {
+ enable = lib.mkEnableOption "system updates via systemd-sysupdate" // {
+ default = config.system.image.updates.url != null;
+ };
+ url = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = null;
+ };
+ };
+
+ config = lib.mkIf config.system.image.updates.enable {
+
+ assertions = [
+ { assertion = config.system.image.updates.url != null; }
+ ];
+
+ systemd.sysupdate.enable = true;
+ systemd.sysupdate.reboot.enable = lib.mkDefault true;
+
+ systemd.sysupdate.transfers = {
+ "10-uki" = {
+ Transfer = {
+ Verify = "no";
+ };
+ Source = {
+ Type = "url-file";
+ Path = "${config.system.image.updates.url}";
+ MatchPattern = "${config.boot.uki.name}_@v.efi";
+ };
+ Target = {
+ Type = "regular-file";
+ Path = "/EFI/Linux";
+ PathRelativeTo = "esp";
+ MatchPattern = "${config.boot.uki.name}_@v+@l-@d.efi ${config.boot.uki.name}_@v+@l.efi ${config.boot.uki.name}_@v.efi";
+ Mode = "0444";
+ TriesLeft = 3;
+ TriesDone = 0;
+ InstancesMax = 2;
+ };
+ };
+ "20-root-verity" = {
+ Transfer = {
+ Verify = "no";
+ };
+ Source = {
+ Type = "url-file";
+ Path = "${config.system.image.updates.url}";
+ MatchPattern = "${config.system.image.id}_@v_@u.verity";
+ };
+ Target = {
+ Type = "partition";
+ Path = "auto";
+ MatchPattern = "verity-@v";
+ MatchPartitionType = "root-verity";
+ ReadOnly = 1;
+ };
+ };
+ "22-root" = {
+ Transfer = {
+ Verify = "no";
+ };
+ Source = {
+ Type = "url-file";
+ Path = "${config.system.image.updates.url}";
+ MatchPattern = "${config.system.image.id}_@v_@u.root";
+ };
+ Target = {
+ Type = "partition";
+ Path = "auto";
+ MatchPattern = "root-@v";
+ MatchPartitionType = "root";
+ ReadOnly = 1;
+ };
+ };
+ };
+
+ systemd.additionalUpstreamSystemUnits = [
+ "systemd-bless-boot.service"
+ "boot-complete.target"
+ ];
+
+ };
+
+}
diff --git a/modules/image/disk/veritysetup.nix b/modules/image/disk/veritysetup.nix
new file mode 100644
index 0000000..1505b45
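Review bot: All three transfers in updater.nix (`10-uki`, `20-root-verity`, `22-root`) set `Verify = "no"`, which switches off systemd-sysupdate's signature check on the downloaded `SHA256SUMS` manifest, so update integrity rests on the transport to `system.image.updates.url` alone. This matters most for `10-uki`: the UKI carries the `roothash=` kernel parameter, so a replaced UKI also replaces the root hash dm-verity trusts, unless the firmware enforces a Secure Boot signature on it (nothing visible in this patch does). modules/image/disk/default.nix already writes `SHA256SUMS`; publishing a detached `SHA256SUMS.gpg`, shipping the matching keyring in the image and removing the three `Verify = "no";` lines would close the gap. If unsigned updates are a deliberate interim state, say so in place, e.g. `# FIXME: updates are unsigned; enable Verify once SHA256SUMS.gpg is published`. The `assertions` entry also lacks a `message`, and `url` is only checked for non-null, so a plain `http://` URL would be accepted.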
--- /dev/null
+++ b/modules/image/disk/veritysetup.nix
@@ -0,0 +1,39 @@
+{ config, lib, ... }:
+{
+
+ options.boot.initrd.systemd.root = lib.mkOption {
+ type = lib.types.enum [
+ "fstab"
+ "gpt-auto"
+ ""
+ ];
+ };
+
+ config.boot.initrd = {
+
+ kernelModules = [
+ "dm_mod"
+ "dm_verity"
+ ];
+
+ systemd = {
+
+ # Required to activate systemd-fstab-generator
+ root = "";
+
+ additionalUpstreamUnits = [
+ "veritysetup-pre.target"
+ "veritysetup.target"
+ "remote-veritysetup.target"
+ ];
+
+ storePaths = [
+ "${config.boot.initrd.systemd.package}/lib/systemd/systemd-veritysetup"
+ "${config.boot.initrd.systemd.package}/lib/systemd/system-generators/systemd-veritysetup-generator"
+ ];
+
+ };
+
+ };
+
+}
diff --git a/modules/kernel/default.nix b/modules/kernel/default.nix
deleted file mode 100644
index f41ee79..0000000
--- a/modules/kernel/default.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
-{
- boot.kernelPackages =
- let
- version = "6.11.2";
- in
- pkgs.linuxPackagesFor (
- pkgs.linuxManualConfig {
- version = "${version}-patos1";
- modDirVersion = version;
- src = pkgs.fetchurl {
- url = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${version}.tar.xz";
- sha256 = "ec9ef7a0b9cebb55940e1ef87a1f9e1004b10456a119dc386bb3e565b0d39c42";
- };
- configfile = ./generic.config;
- allowImportFromDerivation = true;
- }
- );
-}
diff --git a/modules/kernel/generic.config b/modules/kernel/generic.config
deleted file mode 100644
index 2073cdf..0000000
--- a/modules/kernel/generic.config
+++ /dev/null
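Review bot: `options.boot.initrd.systemd.root` in veritysetup.nix is declared without a `description` or `default`, and it appears to re-declare an option that nixpkgs already provides in order to add `""` to the allowed values; that intent is not written down anywhere in the file. The existing comment `# Required to activate systemd-fstab-generator` explains the value assigned below but not the re-declaration, which presumably depends on enum option types merging across declarations. A comment above the option, e.g. `# Adds "" to the upstream boot.initrd.systemd.root enum; relies on enum types merging, re-check on nixpkgs bumps`, would tell the next reader why a core boot option is being redefined in a verity module.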
@@ -1,2521 +0,0 @@ -CONFIG_64BIT=y -CONFIG_ACPI_AC=y -CONFIG_ACPI_BATTERY=y -CONFIG_ACPI_BUTTON=y -CONFIG_ACPI_CONTAINER=y -CONFIG_ACPI_CPPC_LIB=y -CONFIG_ACPI_CPU_FREQ_PSS=y -CONFIG_ACPI_FAN=y -CONFIG_ACPI_HOTPLUG_CPU=y -CONFIG_ACPI_HOTPLUG_IOAPIC=y -CONFIG_ACPI_I2C_OPREGION=y -CONFIG_ACPI_IPMI=y -CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y -CONFIG_ACPI_LPIT=y -CONFIG_ACPI_MDIO=y -CONFIG_ACPI_NUMA=y -CONFIG_ACPI_PCC=y -CONFIG_ACPI_PRMT=y -CONFIG_ACPI_PROCESSOR_CSTATE=y -CONFIG_ACPI_PROCESSOR_IDLE=y -CONFIG_ACPI_PROCESSOR=y -CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y -CONFIG_ACPI_SLEEP=y -CONFIG_ACPI_SPCR_TABLE=y -CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y -CONFIG_ACPI_TABLE_UPGRADE=y -CONFIG_ACPI_THERMAL=y -CONFIG_ACPI_VIDEO=y -CONFIG_ACPI_WATCHDOG=y -CONFIG_ACPI_WMI=y -CONFIG_ACPI=y -CONFIG_ADDRESS_MASKING=y -CONFIG_ADVISE_SYSCALLS=y -CONFIG_AF_UNIX_OOB=y -CONFIG_AIO=y -CONFIG_ALLOW_DEV_COREDUMP=y -CONFIG_ALX=m -CONFIG_AMD_IOMMU_V2=y -CONFIG_AMD_IOMMU=y -CONFIG_AMD_NB=y -CONFIG_AMD_NUMA=y -CONFIG_AMD_PMC=m -CONFIG_APERTURE_HELPERS=y -CONFIG_AQTION=m -CONFIG_ARCH_CLOCKSOURCE_INIT=y -CONFIG_ARCH_CONFIGURES_CPU_MITIGATIONS=y -CONFIG_ARCH_CORRECT_STACKTRACE_ON_KRETPROBE=y -CONFIG_ARCH_CPUIDLE_HALTPOLL=y -CONFIG_ARCH_DMA_ADDR_T_64BIT=y -CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y -CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y -CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y -CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y -CONFIG_ARCH_HAS_ADD_PAGES=y -CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y -CONFIG_ARCH_HAS_COPY_MC=y -CONFIG_ARCH_HAS_CPU_CACHE_INVALIDATE_MEMREGION=y -CONFIG_ARCH_HAS_CPU_FINALIZE_INIT=y -CONFIG_ARCH_HAS_CPU_RELAX=y -CONFIG_ARCH_HAS_CURRENT_STACK_POINTER=y -CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y -CONFIG_ARCH_HAS_DEBUG_VM_PGTABLE=y -CONFIG_ARCH_HAS_DEBUG_WX=y -CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y -CONFIG_ARCH_HAS_ELFCORE_COMPAT=y -CONFIG_ARCH_HAS_ELF_RANDOMIZE=y -CONFIG_ARCH_HAS_FAST_MULTIPLIER=y -CONFIG_ARCH_HAS_FORTIFY_SOURCE=y -CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y -CONFIG_ARCH_HAS_GIGANTIC_PAGE=y 
-CONFIG_ARCH_HAS_KCOV=y -CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y -CONFIG_ARCH_HAS_MEM_ENCRYPT=y -CONFIG_ARCH_HAS_NMI_SAFE_THIS_CPU_OPS=y -CONFIG_ARCH_HAS_NONLEAF_PMD_YOUNG=y -CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE=y -CONFIG_ARCH_HAS_PARANOID_L1D_FLUSH=y -CONFIG_ARCH_HAS_PKEYS=y -CONFIG_ARCH_HAS_PMEM_API=y -CONFIG_ARCH_HAS_PTE_DEVMAP=y -CONFIG_ARCH_HAS_PTE_SPECIAL=y -CONFIG_ARCH_HAS_SET_DIRECT_MAP=y -CONFIG_ARCH_HAS_SET_MEMORY=y -CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y -CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y -CONFIG_ARCH_HAS_SYNC_CORE_BEFORE_USERMODE=y -CONFIG_ARCH_HAS_SYSCALL_WRAPPER=y -CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE=y -CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y -CONFIG_ARCH_HAS_ZONE_DMA_SET=y -CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y -CONFIG_ARCH_HIBERNATION_POSSIBLE=y -CONFIG_ARCH_MAY_HAVE_PC_FDC=y -CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y -CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y -CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y -CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y -CONFIG_ARCH_MMAP_RND_BITS=28 -CONFIG_ARCH_MMAP_RND_BITS_MAX=32 -CONFIG_ARCH_MMAP_RND_BITS_MIN=28 -CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8 -CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16 -CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8 -CONFIG_ARCH_SELECTS_KEXEC_FILE=y -CONFIG_ARCH_SPARSEMEM_DEFAULT=y -CONFIG_ARCH_SPARSEMEM_ENABLE=y -CONFIG_ARCH_STACKWALK=y -CONFIG_ARCH_SUPPORTS_ACPI=y -CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y -CONFIG_ARCH_SUPPORTS_CFI_CLANG=y -CONFIG_ARCH_SUPPORTS_CRASH_DUMP=y -CONFIG_ARCH_SUPPORTS_CRASH_HOTPLUG=y -CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y -CONFIG_ARCH_SUPPORTS_INT128=y -CONFIG_ARCH_SUPPORTS_KEXEC_BZIMAGE_VERIFY_SIG=y -CONFIG_ARCH_SUPPORTS_KEXEC_FILE=y -CONFIG_ARCH_SUPPORTS_KEXEC_JUMP=y -CONFIG_ARCH_SUPPORTS_KEXEC_PURGATORY=y -CONFIG_ARCH_SUPPORTS_KEXEC_SIG_FORCE=y -CONFIG_ARCH_SUPPORTS_KEXEC_SIG=y -CONFIG_ARCH_SUPPORTS_KEXEC=y -CONFIG_ARCH_SUPPORTS_KMAP_LOCAL_FORCE_MAP=y -CONFIG_ARCH_SUPPORTS_LTO_CLANG_THIN=y -CONFIG_ARCH_SUPPORTS_LTO_CLANG=y -CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y -CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y 
-CONFIG_ARCH_SUPPORTS_PAGE_TABLE_CHECK=y -CONFIG_ARCH_SUPPORTS_PER_VMA_LOCK=y -CONFIG_ARCH_SUPPORTS_UPROBES=y -CONFIG_ARCH_SUSPEND_POSSIBLE=y -CONFIG_ARCH_USE_BUILTIN_BSWAP=y -CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y -CONFIG_ARCH_USE_MEMREMAP_PROT=y -CONFIG_ARCH_USE_MEMTEST=y -CONFIG_ARCH_USE_QUEUED_RWLOCKS=y -CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y -CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y -CONFIG_ARCH_USES_PG_UNCACHED=y -CONFIG_ARCH_USE_SYM_ANNOTATIONS=y -CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y -CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=y -CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y -CONFIG_ARCH_WANT_GENERAL_HUGETLB=y -CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y -CONFIG_ARCH_WANT_LD_ORPHAN_WARN=y -CONFIG_ARCH_WANT_OLD_COMPAT_IPC=y -CONFIG_ARCH_WANT_OPTIMIZE_DAX_VMEMMAP=y -CONFIG_ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP=y -CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y -CONFIG_ARCH_WANTS_NO_INSTR=y -CONFIG_ARCH_WANTS_THP_SWAP=y -CONFIG_AS_AVX512=y -CONFIG_AS_GFNI=y -CONFIG_AS_HAS_NON_CONST_LEB128=y -CONFIG_AS_IS_GNU=y -CONFIG_ASM_MODVERSIONS=y -CONFIG_ASN1=y -CONFIG_AS_SHA1_NI=y -CONFIG_AS_SHA256_NI=y -CONFIG_ASSOCIATIVE_ARRAY=y -CONFIG_AS_TPAUSE=y -CONFIG_AS_VERSION=24200 -CONFIG_AS_WRUSS=y -CONFIG_ASYMMETRIC_KEY_TYPE=y -CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y -CONFIG_ASYNC_CORE=m -CONFIG_ASYNC_MEMCPY=m -CONFIG_ASYNC_PQ=m -CONFIG_ASYNC_RAID6_RECOV=m -CONFIG_ASYNC_XOR=m -CONFIG_ATA_ACPI=y -CONFIG_ATA_BMDMA=y -CONFIG_ATA_FORCE=y -CONFIG_ATA_PIIX=y -CONFIG_ATA_SFF=y -CONFIG_ATA_VERBOSE_ERROR=y -CONFIG_ATA=y -CONFIG_ATM_DRIVERS=y -CONFIG_ATM=y -CONFIG_AUDIT_ARCH=y -CONFIG_AUDITSYSCALL=y -CONFIG_AUDIT=y -CONFIG_AUTOFS_FS=y -CONFIG_AUXILIARY_BUS=y -CONFIG_AX88796B_PHY=m -CONFIG_BACKLIGHT_CLASS_DEVICE=y -CONFIG_BALLOON_COMPACTION=y -CONFIG_BASE_FULL=y -CONFIG_BASE_SMALL=0 -CONFIG_BCMA_POSSIBLE=y -CONFIG_BE2NET_BE2=y -CONFIG_BE2NET_BE3=y -CONFIG_BE2NET_HWMON=y -CONFIG_BE2NET_LANCER=y -CONFIG_BE2NET=m -CONFIG_BE2NET_SKYHAWK=y -CONFIG_BFQ_GROUP_IOSCHED=y -CONFIG_BINARY_PRINTF=y -CONFIG_BINFMT_ELF=y -CONFIG_BINFMT_MISC=m 
-CONFIG_BINFMT_SCRIPT=y -CONFIG_BITREVERSE=y -CONFIG_BLK_CGROUP_PUNT_BIO=y -CONFIG_BLK_CGROUP_RWSTAT=y -CONFIG_BLK_CGROUP=y -CONFIG_BLK_DEBUG_FS=y -CONFIG_BLK_DEV_BSG_COMMON=y -CONFIG_BLK_DEV_BSGLIB=y -CONFIG_BLK_DEV_BSG=y -CONFIG_BLK_DEV_DM_BUILTIN=y -CONFIG_BLK_DEV_DM=y -CONFIG_BLK_DEV_INITRD=y -CONFIG_BLK_DEV_IO_TRACE=y -CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 -CONFIG_BLK_DEV_LOOP=y -CONFIG_BLK_DEV_MD=y -CONFIG_BLK_DEV_NBD=m -CONFIG_BLK_DEV_NVME=m -CONFIG_BLK_DEV_RBD=y -CONFIG_BLK_DEV_SD=y -CONFIG_BLK_DEV_SR=y -CONFIG_BLK_DEV_THROTTLING=y -CONFIG_BLK_DEV=y -CONFIG_BLK_ICQ=y -CONFIG_BLK_MQ_PCI=y -CONFIG_BLK_MQ_STACKING=y -CONFIG_BLK_MQ_VIRTIO=y -CONFIG_BLK_PM=y -CONFIG_BLOCK_HOLDER_DEPRECATED=y -CONFIG_BLOCK_LEGACY_AUTOLOAD=y -CONFIG_BLOCK=y -CONFIG_BNX2=m -CONFIG_BNX2X=m -CONFIG_BNX2X_SRIOV=y -CONFIG_BNXT_FLOWER_OFFLOAD=y -CONFIG_BNXT_HWMON=y -CONFIG_BNXT=m -CONFIG_BNXT_SRIOV=y -CONFIG_BONDING=y -CONFIG_BOOT_VESA_SUPPORT=y -CONFIG_BPF_EVENTS=y -CONFIG_BPF_JIT_ALWAYS_ON=y -CONFIG_BPF_JIT_DEFAULT_ON=y -CONFIG_BPF_JIT=y -CONFIG_BPF_LSM=y -CONFIG_BPF_STREAM_PARSER=y -CONFIG_BPF_SYSCALL=y -CONFIG_BPF_UNPRIV_DEFAULT_OFF=y -CONFIG_BPF=y -CONFIG_BQL=y -CONFIG_BRANCH_PROFILE_NONE=y -CONFIG_BRIDGE_EBT_802_3=y -CONFIG_BRIDGE_EBT_AMONG=y -CONFIG_BRIDGE_EBT_ARPREPLY=y -CONFIG_BRIDGE_EBT_ARP=y -CONFIG_BRIDGE_EBT_BROUTE=y -CONFIG_BRIDGE_EBT_DNAT=y -CONFIG_BRIDGE_EBT_IP6=y -CONFIG_BRIDGE_EBT_IP=y -CONFIG_BRIDGE_EBT_LIMIT=y -CONFIG_BRIDGE_EBT_LOG=y -CONFIG_BRIDGE_EBT_MARK_T=y -CONFIG_BRIDGE_EBT_MARK=y -CONFIG_BRIDGE_EBT_NFLOG=y -CONFIG_BRIDGE_EBT_PKTTYPE=y -CONFIG_BRIDGE_EBT_REDIRECT=y -CONFIG_BRIDGE_EBT_SNAT=y -CONFIG_BRIDGE_EBT_STP=y -CONFIG_BRIDGE_EBT_T_FILTER=y -CONFIG_BRIDGE_EBT_T_NAT=y -CONFIG_BRIDGE_EBT_VLAN=y -CONFIG_BRIDGE_IGMP_SNOOPING=y -CONFIG_BRIDGE_NETFILTER=y -CONFIG_BRIDGE_NF_EBTABLES=y -CONFIG_BRIDGE_VLAN_FILTERING=y -CONFIG_BRIDGE=y -CONFIG_BSD_DISKLABEL=y -CONFIG_BSD_PROCESS_ACCT=y -CONFIG_BTRFS_FS=m -CONFIG_BTRFS_FS_POSIX_ACL=y -CONFIG_BUFFER_HEAD=y 
-CONFIG_BUG_ON_DATA_CORRUPTION=y -CONFIG_BUG=y -CONFIG_BUILD_SALT="" -CONFIG_BUILDTIME_MCOUNT_SORT=y -CONFIG_BUILDTIME_TABLE_SORT=y -CONFIG_CACHESTAT_SYSCALL=y -CONFIG_CALL_DEPTH_TRACKING=y -CONFIG_CALL_PADDING=y -CONFIG_CALL_THUNKS=y -CONFIG_CAVIUM_PTP=m -CONFIG_CC10001_ADC=m -CONFIG_CC_CAN_LINK=y -CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y -CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT=y -CONFIG_CC_HAS_ASM_INLINE=y -CONFIG_CC_HAS_AUTO_VAR_INIT_PATTERN=y -CONFIG_CC_HAS_AUTO_VAR_INIT_ZERO_BARE=y -CONFIG_CC_HAS_AUTO_VAR_INIT_ZERO=y -CONFIG_CC_HAS_ENTRY_PADDING=y -CONFIG_CC_HAS_IBT=y -CONFIG_CC_HAS_INT128=y -CONFIG_CC_HAS_KASAN_GENERIC=y -CONFIG_CC_HAS_NAMED_AS_FIXED_SANITIZERS=y -CONFIG_CC_HAS_NAMED_AS=y -CONFIG_CC_HAS_NO_PROFILE_FN_ATTR=y -CONFIG_CC_HAS_RETURN_THUNK=y -CONFIG_CC_HAS_SANCOV_TRACE_PC=y -CONFIG_CC_HAS_SANE_STACKPROTECTOR=y -CONFIG_CC_HAS_SLS=y -CONFIG_CC_HAS_WORKING_NOSANITIZE_ADDRESS=y -CONFIG_CC_HAS_ZERO_CALL_USED_REGS=y -CONFIG_CC_IMPLICIT_FALLTHROUGH="-Wimplicit-fallthrough=5" -CONFIG_CC_IS_GCC=y -CONFIG_CC_NO_ARRAY_BOUNDS=y -CONFIG_CC_NO_STRINGOP_OVERFLOW=y -CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y -CONFIG_CCS811=m -CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.3.0" -CONFIG_CDROM=y -CONFIG_CEPH_FS_POSIX_ACL=y -CONFIG_CEPH_FS=y -CONFIG_CEPH_LIB=y -CONFIG_CFS_BANDWIDTH=y -CONFIG_CGROUP_BPF=y -CONFIG_CGROUP_CPUACCT=y -CONFIG_CGROUP_DEVICE=y -CONFIG_CGROUP_FREEZER=y -CONFIG_CGROUP_HUGETLB=y -CONFIG_CGROUP_MISC=y -CONFIG_CGROUP_NET_CLASSID=y -CONFIG_CGROUP_NET_PRIO=y -CONFIG_CGROUP_PERF=y -CONFIG_CGROUP_PIDS=y -CONFIG_CGROUP_SCHED=y -CONFIG_CGROUPS=y -CONFIG_CGROUP_WRITEBACK=y -CONFIG_CHECK_SIGNATURE=y -CONFIG_CHELSIO_INLINE_CRYPTO=y -CONFIG_CHELSIO_IPSEC_INLINE=m -CONFIG_CHELSIO_T1=m -CONFIG_CHELSIO_T3=m -CONFIG_CHELSIO_T4=m -CONFIG_CHELSIO_T4VF=m -CONFIG_CHR_DEV_SG=y -CONFIG_CIFS_ALLOW_INSECURE_LEGACY=y -CONFIG_CIFS_DEBUG=y -CONFIG_CIFS_DFS_UPCALL=y -CONFIG_CIFS_UPCALL=y -CONFIG_CIFS_XATTR=y -CONFIG_CIFS=y -CONFIG_CLANG_VERSION=0 -CONFIG_CLKBLD_I8253=y -CONFIG_CLKEVT_I8253=y 
-CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y -CONFIG_CLOCKSOURCE_WATCHDOG_MAX_SKEW_US=100 -CONFIG_CLOCKSOURCE_WATCHDOG=y -CONFIG_CLZ_TAB=y -CONFIG_COMMON_CLK=y -CONFIG_COMPACTION=y -CONFIG_COMPACT_UNEVICTABLE_DEFAULT=1 -CONFIG_COMPAT_32BIT_TIME=y -CONFIG_COMPAT_32=y -CONFIG_COMPAT_BINFMT_ELF=y -CONFIG_COMPAT_FOR_U64_ALIGNMENT=y -CONFIG_COMPAT_OLD_SIGACTION=y -CONFIG_COMPAT=y -CONFIG_CONFIGFS_FS=y -CONFIG_CONNECTOR=y -CONFIG_CONSOLE_LOGLEVEL_DEFAULT=7 -CONFIG_CONSOLE_LOGLEVEL_QUIET=4 -CONFIG_CONSOLE_TRANSLATIONS=y -CONFIG_CONTEXT_SWITCH_TRACER=y -CONFIG_CONTEXT_TRACKING_IDLE=y -CONFIG_CONTEXT_TRACKING=y -CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y -CONFIG_COREDUMP=y -CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL=y -CONFIG_CPU_FREQ_GOV_ATTR_SET=y -CONFIG_CPU_FREQ_GOV_COMMON=y -CONFIG_CPU_FREQ_GOV_ONDEMAND=y -CONFIG_CPU_FREQ_GOV_PERFORMANCE=y -CONFIG_CPU_FREQ_GOV_SCHEDUTIL=y -CONFIG_CPU_FREQ_GOV_USERSPACE=y -CONFIG_CPU_FREQ=y -CONFIG_CPU_IBPB_ENTRY=y -CONFIG_CPU_IBRS_ENTRY=y -CONFIG_CPU_IDLE_GOV_HALTPOLL=y -CONFIG_CPU_IDLE_GOV_MENU=y -CONFIG_CPU_IDLE=y -CONFIG_CPU_ISOLATION=y -CONFIG_CPU_MITIGATIONS=y -CONFIG_CPU_RMAP=y -CONFIG_CPUSETS=y -CONFIG_CPU_SRSO=y -CONFIG_CPU_SUP_AMD=y -CONFIG_CPU_SUP_CENTAUR=y -CONFIG_CPU_SUP_HYGON=y -CONFIG_CPU_SUP_INTEL=y -CONFIG_CPU_SUP_ZHAOXIN=y -CONFIG_CPU_UNRET_ENTRY=y -CONFIG_CRASH_CORE=y -CONFIG_CRASH_DUMP=y -CONFIG_CRASH_HOTPLUG=y -CONFIG_CRASH_MAX_MEMORY_RANGES=8192 -CONFIG_CRC16=y -CONFIG_CRC32_SLICEBY8=y -CONFIG_CRC32=y -CONFIG_CRC8=y -CONFIG_CRC_CCITT=y -CONFIG_CRC_ITU_T=y -CONFIG_CROSS_MEMORY_ATTACH=y -CONFIG_CRYPTO_ACOMP2=y -CONFIG_CRYPTO_ADIANTUM=y -CONFIG_CRYPTO_AEAD2=y -CONFIG_CRYPTO_AEAD=y -CONFIG_CRYPTO_AES_NI_INTEL=y -CONFIG_CRYPTO_AES=y -CONFIG_CRYPTO_AKCIPHER2=y -CONFIG_CRYPTO_AKCIPHER=y -CONFIG_CRYPTO_ALGAPI2=y -CONFIG_CRYPTO_ALGAPI=y -CONFIG_CRYPTO_ARC4=y -CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S=y -CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=y -CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519=y -CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=y 
-CONFIG_CRYPTO_AUTHENC=y -CONFIG_CRYPTO_BLAKE2B=m -CONFIG_CRYPTO_BLAKE2S_X86=y -CONFIG_CRYPTO_CBC=y -CONFIG_CRYPTO_CCM=y -CONFIG_CRYPTO_CHACHA20_X86_64=y -CONFIG_CRYPTO_CHACHA20=y -CONFIG_CRYPTO_CMAC=y -CONFIG_CRYPTO_CRC32C=y -CONFIG_CRYPTO_CRC32C_INTEL=y -CONFIG_CRYPTO_CRC32=y -CONFIG_CRYPTO_CRYPTD=y -CONFIG_CRYPTO_CTR=y -CONFIG_CRYPTO_CURVE25519_X86=y -CONFIG_CRYPTO_DEFLATE=y -CONFIG_CRYPTO_DES=y -CONFIG_CRYPTO_DEV_VIRTIO=y -CONFIG_CRYPTO_DH_RFC7919_GROUPS=y -CONFIG_CRYPTO_DH=y -CONFIG_CRYPTO_DRBG_HMAC=y -CONFIG_CRYPTO_DRBG_MENU=y -CONFIG_CRYPTO_DRBG=y -CONFIG_CRYPTO_ECB=y -CONFIG_CRYPTO_ECHAINIV=y -CONFIG_CRYPTO_ENGINE=y -CONFIG_CRYPTO_ESSIV=y -CONFIG_CRYPTO_GCM=y -CONFIG_CRYPTO_GENIV=y -CONFIG_CRYPTO_GHASH=y -CONFIG_CRYPTO_HASH2=y -CONFIG_CRYPTO_HASH_INFO=y -CONFIG_CRYPTO_HASH=y -CONFIG_CRYPTO_HMAC=y -CONFIG_CRYPTO_HW=y -CONFIG_CRYPTO_JITTERENTROPY=y -CONFIG_CRYPTO_KPP2=y -CONFIG_CRYPTO_KPP=y -CONFIG_CRYPTO_LIB_AES=y -CONFIG_CRYPTO_LIB_ARC4=y -CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y -CONFIG_CRYPTO_LIB_CHACHA20POLY1305=y -CONFIG_CRYPTO_LIB_CHACHA_GENERIC=y -CONFIG_CRYPTO_LIB_CHACHA=y -CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=y -CONFIG_CRYPTO_LIB_CURVE25519=y -CONFIG_CRYPTO_LIB_DES=y -CONFIG_CRYPTO_LIB_GF128MUL=y -CONFIG_CRYPTO_LIB_POLY1305_GENERIC=y -CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 -CONFIG_CRYPTO_LIB_POLY1305=y -CONFIG_CRYPTO_LIB_SHA1=y -CONFIG_CRYPTO_LIB_SHA256=y -CONFIG_CRYPTO_LIB_UTILS=y -CONFIG_CRYPTO_LZO=y -CONFIG_CRYPTO_MANAGER2=y -CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y -CONFIG_CRYPTO_MANAGER=y -CONFIG_CRYPTO_MD4=y -CONFIG_CRYPTO_MD5=y -CONFIG_CRYPTO_NHPOLY1305_AVX2=y -CONFIG_CRYPTO_NHPOLY1305_SSE2=y -CONFIG_CRYPTO_NHPOLY1305=y -CONFIG_CRYPTO_NULL2=y -CONFIG_CRYPTO_NULL=y -CONFIG_CRYPTO_POLY1305_X86_64=y -CONFIG_CRYPTO_RNG2=y -CONFIG_CRYPTO_RNG_DEFAULT=y -CONFIG_CRYPTO_RNG=y -CONFIG_CRYPTO_RSA=y -CONFIG_CRYPTO_SEQIV=y -CONFIG_CRYPTO_SHA1=y -CONFIG_CRYPTO_SHA256=y -CONFIG_CRYPTO_SHA3=y -CONFIG_CRYPTO_SHA512=y -CONFIG_CRYPTO_SIG2=y -CONFIG_CRYPTO_SIG=y 
-CONFIG_CRYPTO_SIMD=y -CONFIG_CRYPTO_SKCIPHER2=y -CONFIG_CRYPTO_SKCIPHER=y -CONFIG_CRYPTO_USER_API_AEAD=y -CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE=y -CONFIG_CRYPTO_USER_API_HASH=y -CONFIG_CRYPTO_USER_API_SKCIPHER=y -CONFIG_CRYPTO_USER_API=y -CONFIG_CRYPTO_XTS=y -CONFIG_CRYPTO_XXHASH=m -CONFIG_CRYPTO=y -CONFIG_CRYPTO_ZSTD=m -CONFIG_DAX=y -CONFIG_DCACHE_WORD_ACCESS=y -CONFIG_DCA=y -CONFIG_DCB=y -CONFIG_DEBUG_BOOT_PARAMS=y -CONFIG_DEBUG_BUGVERBOSE=y -CONFIG_DEBUG_ENTRY=y -CONFIG_DEBUG_FS_ALLOW_ALL=y -CONFIG_DEBUG_FS=y -CONFIG_DEBUG_INFO_BTF_MODULES=y -CONFIG_DEBUG_INFO_BTF=y -CONFIG_DEBUG_INFO_COMPRESSED_NONE=y -CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y -CONFIG_DEBUG_INFO=y -CONFIG_DEBUG_KERNEL=y -CONFIG_DEBUG_LIST=y -CONFIG_DEBUG_MISC=y -CONFIG_DEBUG_WX=y -CONFIG_DECOMPRESS_BZIP2=y -CONFIG_DECOMPRESS_GZIP=y -CONFIG_DECOMPRESS_LZ4=y -CONFIG_DECOMPRESS_LZMA=y -CONFIG_DECOMPRESS_LZO=y -CONFIG_DECOMPRESS_XZ=y -CONFIG_DECOMPRESS_ZSTD=y -CONFIG_DEFAULT_CUBIC=y -CONFIG_DEFAULT_FQ_CODEL=y -CONFIG_DEFAULT_HOSTNAME="(none)" -CONFIG_DEFAULT_INIT="" -CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 -CONFIG_DEFAULT_NET_SCH="fq_codel" -CONFIG_DEFAULT_PFIFO_FAST=y -CONFIG_DEFAULT_SECURITY_DAC=y -CONFIG_DEFAULT_SECURITY_APPARMOR=y -CONFIG_DEFAULT_TCP_CONG="cubic" -CONFIG_DEVPORT=y -CONFIG_DEVTMPFS=y -CONFIG_DEVTMPFS_MOUNT=y -CONFIG_DIMLIB=y -CONFIG_DMA_ACPI=y -CONFIG_DMADEVICES=y -CONFIG_DMA_ENGINE_RAID=y -CONFIG_DMA_ENGINE=y -CONFIG_DMA_OPS=y -CONFIG_DMAR_TABLE=y -CONFIG_DMA_SHARED_BUFFER=y -CONFIG_DM_AUDIT=y -CONFIG_DMA_VIRTUAL_CHANNELS=y -CONFIG_DM_BIO_PRISON=m -CONFIG_DM_BUFIO=y -CONFIG_DM_CACHE=m -CONFIG_DM_CACHE_SMQ=m -CONFIG_DM_CLONE=m -CONFIG_DM_CRYPT=y -CONFIG_DM_DELAY=m -CONFIG_DM_DUST=m -CONFIG_DM_EBS=m -CONFIG_DM_ERA=m -CONFIG_DM_FLAKEY=m -CONFIG_DMIID=y -CONFIG_DM_INTEGRITY=m -CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y -CONFIG_DMI=y -CONFIG_DM_LOG_USERSPACE=m -CONFIG_DM_LOG_WRITES=m -CONFIG_DM_MIRROR=y -CONFIG_DM_MULTIPATH_HST=m -CONFIG_DM_MULTIPATH_IOA=m -CONFIG_DM_MULTIPATH=m 
-CONFIG_DM_MULTIPATH_QL=m -CONFIG_DM_MULTIPATH_ST=m -CONFIG_DM_PERSISTENT_DATA=m -CONFIG_DM_RAID=m -CONFIG_DM_SNAPSHOT=y -CONFIG_DM_SWITCH=m -CONFIG_DM_THIN_PROVISIONING=m -CONFIG_DM_UNSTRIPED=m -CONFIG_DM_VDO=m -CONFIG_DM_VERITY=m -CONFIG_DM_WRITECACHE=m -CONFIG_DM_ZERO=y -CONFIG_DM_ZONED=m -CONFIG_DNOTIFY=y -CONFIG_DNS_RESOLVER=y -CONFIG_DQL=y -CONFIG_DST_CACHE=y -CONFIG_DUMMY_CONSOLE_COLUMNS=80 -CONFIG_DUMMY_CONSOLE_ROWS=25 -CONFIG_DUMMY_CONSOLE=y -CONFIG_DUMMY=y -CONFIG_DW_DMAC_CORE=y -CONFIG_DYNAMIC_EVENTS=y -CONFIG_DYNAMIC_FTRACE_WITH_ARGS=y -CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y -CONFIG_DYNAMIC_FTRACE_WITH_REGS=y -CONFIG_DYNAMIC_FTRACE=y -CONFIG_DYNAMIC_MEMORY_LAYOUT=y -CONFIG_DYNAMIC_SIGFRAME=y -CONFIG_E1000E_HWTS=y -CONFIG_E1000E=m -CONFIG_E1000=m -CONFIG_EARLY_PRINTK_DBGP=y -CONFIG_EARLY_PRINTK_USB=y -CONFIG_EARLY_PRINTK=y -CONFIG_ECRYPT_FS=m -CONFIG_EDAC_ATOMIC_SCRUB=y -CONFIG_EDAC_DECODE_MCE=y -CONFIG_EDAC_LEGACY_SYSFS=y -CONFIG_EDAC_SUPPORT=y -CONFIG_EDAC=y -CONFIG_EFI_BOOTLOADER_CONTROL=m -CONFIG_EFI_CAPSULE_LOADER=m -CONFIG_EFI_COCO_SECRET=y -CONFIG_EFI_CUSTOM_SSDT_OVERLAYS=y -CONFIG_EFI_DEV_PATH_PARSER=y -CONFIG_EFI_DXE_MEM_ATTRIBUTES=y -CONFIG_EFI_EARLYCON=y -CONFIG_EFI_ESRT=y -CONFIG_EFI_HANDOVER_PROTOCOL=y -CONFIG_EFI_MIXED=y -CONFIG_EFI_PARTITION=y -CONFIG_EFI_RUNTIME_MAP=y -CONFIG_EFI_RUNTIME_WRAPPERS=y -CONFIG_EFI_SECRET=m -CONFIG_EFI_SOFT_RESERVE=y -CONFIG_EFI_STUB=y -CONFIG_EFIVAR_FS=y -CONFIG_EFI_VARS_PSTORE=m -CONFIG_EFI=y -CONFIG_ELF_CORE=y -CONFIG_ELFCORE=y -CONFIG_ENA_ETHERNET=y -CONFIG_ENCLOSURE_SERVICES=y -CONFIG_ENCRYPTED_KEYS=m -CONFIG_ENIC=m -CONFIG_EPOLL=y -CONFIG_EROFS_FS_POSIX_ACL=y -CONFIG_EROFS_FS_SECURITY=y -CONFIG_EROFS_FS_XATTR=y -CONFIG_EROFS_FS=y -CONFIG_EROFS_FS_ZIP=y -CONFIG_EROFS_FS_ZIP_ZSTD=y -CONFIG_ETHERNET=y -CONFIG_ETHTOOL_NETLINK=y -CONFIG_EVENTFD=y -CONFIG_EVENT_TRACING=y -CONFIG_EXCLUSIVE_SYSTEM_RAM=y -CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8" -CONFIG_EXFAT_FS=m -CONFIG_EXPERT=y -CONFIG_EXPORTFS=y 
-CONFIG_EXT4_FS_POSIX_ACL=y -CONFIG_EXT4_FS_SECURITY=y -CONFIG_EXT4_FS=y -CONFIG_EXT4_USE_FOR_EXT2=y -CONFIG_EXTRA_FIRMWARE="" -CONFIG_FAILOVER=y -CONFIG_FAIR_GROUP_SCHED=y -CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y -CONFIG_FANOTIFY=y -CONFIG_FAT_DEFAULT_CODEPAGE=437 -CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1" -CONFIG_FAT_FS=y -CONFIG_FHANDLE=y -CONFIG_FIB_RULES=y -CONFIG_FILE_LOCKING=y -CONFIG_FIRMWARE_MEMMAP=y -CONFIG_FIX_EARLYCON_MEM=y -CONFIG_FIXED_PHY=y -CONFIG_FONT_8x16=y -CONFIG_FONT_SUPPORT=y -CONFIG_FONTS=y -CONFIG_FONT_TER16x32=y -CONFIG_FORCEDETH=y -CONFIG_FORTIFY_SOURCE=y -CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y -CONFIG_FRAMEBUFFER_CONSOLE=y -CONFIG_FRAME_WARN=2048 -CONFIG_FREEZER=y -CONFIG_FS_ENCRYPTION_ALGS=m -CONFIG_FS_ENCRYPTION=y -CONFIG_FS_IOMAP=y -CONFIG_FS_MBCACHE=y -CONFIG_FSNOTIFY=y -CONFIG_FS_POSIX_ACL=y -CONFIG_FTRACE_MCOUNT_RECORD=y -CONFIG_FTRACE_MCOUNT_USE_CC=y -CONFIG_FTRACE_SYSCALLS=y -CONFIG_FTRACE=y -CONFIG_FUNCTION_ALIGNMENT=16 -CONFIG_FUNCTION_ALIGNMENT_16B=y -CONFIG_FUNCTION_ALIGNMENT_4B=y -CONFIG_FUNCTION_ERROR_INJECTION=y -CONFIG_FUNCTION_GRAPH_TRACER=y -CONFIG_FUNCTION_PADDING_BYTES=16 -CONFIG_FUNCTION_PADDING_CFI=11 -CONFIG_FUNCTION_TRACER=y -CONFIG_FUSE_FS=y -CONFIG_FUTEX_PI=y -CONFIG_FUTEX=y -CONFIG_FW_ATTR_CLASS=m -CONFIG_FW_CACHE=y -CONFIG_FW_CFG_SYSFS=m -CONFIG_FW_CS_DSP=m -CONFIG_FW_LOADER_COMPRESS=y -CONFIG_FW_LOADER_COMPRESS_ZSTD=y -CONFIG_FW_LOADER_DEBUG=y -CONFIG_FW_LOADER_PAGED_BUF=y -CONFIG_FW_LOADER_SYSFS=y -CONFIG_FW_LOADER_USER_HELPER=y -CONFIG_FW_LOADER=y -CONFIG_FW_UPLOAD=y -CONFIG_FWNODE_MDIO=y -CONFIG_GCC10_NO_ARRAY_BOUNDS=y -CONFIG_GCC_ASM_GOTO_OUTPUT_WORKAROUND=y -CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y -CONFIG_GCC_PLUGIN_STACKLEAK=y -CONFIG_GCC_PLUGINS=y -CONFIG_GCC_VERSION=130200 -CONFIG_GENERIC_ALLOCATOR=y -CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y -CONFIG_GENERIC_BUG=y -CONFIG_GENERIC_CALIBRATE_DELAY=y -CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y -CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y -CONFIG_GENERIC_CLOCKEVENTS=y 
-CONFIG_GENERIC_CMOS_UPDATE=y -CONFIG_GENERIC_CPU_AUTOPROBE=y -CONFIG_GENERIC_CPU_VULNERABILITIES=y -CONFIG_GENERIC_CPU=y -CONFIG_GENERIC_EARLY_IOREMAP=y -CONFIG_GENERIC_ENTRY=y -CONFIG_GENERIC_GETTIMEOFDAY=y -CONFIG_GENERIC_IOMAP=y -CONFIG_GENERIC_IRQ_EFFECTIVE_AFF_MASK=y -CONFIG_GENERIC_IRQ_MATRIX_ALLOCATOR=y -CONFIG_GENERIC_IRQ_MIGRATION=y -CONFIG_GENERIC_IRQ_PROBE=y -CONFIG_GENERIC_IRQ_RESERVATION_MODE=y -CONFIG_GENERIC_IRQ_SHOW=y -CONFIG_GENERIC_ISA_DMA=y -CONFIG_GENERIC_MSI_IRQ=y -CONFIG_GENERIC_NET_UTILS=y -CONFIG_GENERIC_PCI_IOMAP=y -CONFIG_GENERIC_PENDING_IRQ=y -CONFIG_GENERIC_PTDUMP=y -CONFIG_GENERIC_SMP_IDLE_THREAD=y -CONFIG_GENERIC_STRNCPY_FROM_USER=y -CONFIG_GENERIC_STRNLEN_USER=y -CONFIG_GENERIC_TIME_VSYSCALL=y -CONFIG_GENERIC_TRACER=y -CONFIG_GENERIC_VDSO_TIME_NS=y -CONFIG_GENEVE=y -CONFIG_GLOB=y -CONFIG_GRACE_PERIOD=y -CONFIG_GRO_CELLS=y -CONFIG_GUEST_PERF_EVENTS=y -CONFIG_GVE=m -CONFIG_HALTPOLL_CPUIDLE=y -CONFIG_HARDENED_USERCOPY=y -CONFIG_HARDIRQS_SW_RESEND=y -CONFIG_HARDLOCKUP_CHECK_TIMESTAMP=y -CONFIG_HAS_DMA=y -CONFIG_HAS_IOMEM=y -CONFIG_HAS_IOPORT_MAP=y -CONFIG_HAS_IOPORT=y -CONFIG_HAVE_ACPI_APEI_NMI=y -CONFIG_HAVE_ACPI_APEI=y -CONFIG_HAVE_ALIGNED_STRUCT_PAGE=y -CONFIG_HAVE_ARCH_AUDITSYSCALL=y -CONFIG_HAVE_ARCH_COMPAT_MMAP_BASES=y -CONFIG_HAVE_ARCH_HUGE_VMALLOC=y -CONFIG_HAVE_ARCH_HUGE_VMAP=y -CONFIG_HAVE_ARCH_JUMP_LABEL_RELATIVE=y -CONFIG_HAVE_ARCH_JUMP_LABEL=y -CONFIG_HAVE_ARCH_KASAN_VMALLOC=y -CONFIG_HAVE_ARCH_KASAN=y -CONFIG_HAVE_ARCH_KCSAN=y -CONFIG_HAVE_ARCH_KFENCE=y -CONFIG_HAVE_ARCH_KGDB=y -CONFIG_HAVE_ARCH_KMSAN=y -CONFIG_HAVE_ARCH_MMAP_RND_BITS=y -CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y -CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y -CONFIG_HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET=y -CONFIG_HAVE_ARCH_SECCOMP_FILTER=y -CONFIG_HAVE_ARCH_SECCOMP=y -CONFIG_HAVE_ARCH_SOFT_DIRTY=y -CONFIG_HAVE_ARCH_STACKLEAK=y -CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y -CONFIG_HAVE_ARCH_TRACEHOOK=y -CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD=y 
-CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y -CONFIG_HAVE_ARCH_VMAP_STACK=y -CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y -CONFIG_HAVE_ASM_MODVERSIONS=y -CONFIG_HAVE_BUILDTIME_MCOUNT_SORT=y -CONFIG_HAVE_CALL_THUNKS=y -CONFIG_HAVE_CLK_PREPARE=y -CONFIG_HAVE_CLK=y -CONFIG_HAVE_CMPXCHG_DOUBLE=y -CONFIG_HAVE_CMPXCHG_LOCAL=y -CONFIG_HAVE_CONTEXT_TRACKING_USER_OFFSTACK=y -CONFIG_HAVE_CONTEXT_TRACKING_USER=y -CONFIG_HAVE_C_RECORDMCOUNT=y -CONFIG_HAVE_DEBUG_KMEMLEAK=y -CONFIG_HAVE_DMA_CONTIGUOUS=y -CONFIG_HAVE_DYNAMIC_FTRACE_NO_PATCHABLE=y -CONFIG_HAVE_DYNAMIC_FTRACE_WITH_ARGS=y -CONFIG_HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y -CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y -CONFIG_HAVE_DYNAMIC_FTRACE=y -CONFIG_HAVE_EBPF_JIT=y -CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y -CONFIG_HAVE_EISA=y -CONFIG_HAVE_EXIT_THREAD=y -CONFIG_HAVE_FAST_GUP=y -CONFIG_HAVE_FENTRY=y -CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y -CONFIG_HAVE_FUNCTION_ARG_ACCESS_API=y -CONFIG_HAVE_FUNCTION_ERROR_INJECTION=y -CONFIG_HAVE_FUNCTION_GRAPH_RETVAL=y -CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y -CONFIG_HAVE_FUNCTION_TRACER=y -CONFIG_HAVE_GCC_PLUGINS=y -CONFIG_HAVE_GENERIC_VDSO=y -CONFIG_HAVE_HARDLOCKUP_DETECTOR_BUDDY=y -CONFIG_HAVE_HARDLOCKUP_DETECTOR_PERF=y -CONFIG_HAVE_HW_BREAKPOINT=y -CONFIG_HAVE_IMA_KEXEC=y -CONFIG_HAVE_INTEL_TXT=y -CONFIG_HAVE_IOREMAP_PROT=y -CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y -CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y -CONFIG_HAVE_JUMP_LABEL_HACK=y -CONFIG_HAVE_KCSAN_COMPILER=y -CONFIG_HAVE_KERNEL_BZIP2=y -CONFIG_HAVE_KERNEL_GZIP=y -CONFIG_HAVE_KERNEL_LZ4=y -CONFIG_HAVE_KERNEL_LZMA=y -CONFIG_HAVE_KERNEL_LZO=y -CONFIG_HAVE_KERNEL_XZ=y -CONFIG_HAVE_KERNEL_ZSTD=y -CONFIG_HAVE_KPROBES_ON_FTRACE=y -CONFIG_HAVE_KPROBES=y -CONFIG_HAVE_KRETPROBES=y -CONFIG_HAVE_KVM_CPU_RELAX_INTERCEPT=y -CONFIG_HAVE_KVM_DIRTY_RING_ACQ_REL=y -CONFIG_HAVE_KVM_DIRTY_RING_TSO=y -CONFIG_HAVE_KVM_DIRTY_RING=y -CONFIG_HAVE_KVM_EVENTFD=y -CONFIG_HAVE_KVM_IRQ_BYPASS=y -CONFIG_HAVE_KVM_IRQCHIP=y -CONFIG_HAVE_KVM_IRQFD=y -CONFIG_HAVE_KVM_IRQ_ROUTING=y 
-CONFIG_HAVE_KVM_MSI=y -CONFIG_HAVE_KVM_NO_POLL=y -CONFIG_HAVE_KVM_PFNCACHE=y -CONFIG_HAVE_KVM_PM_NOTIFIER=y -CONFIG_HAVE_KVM=y -CONFIG_HAVE_LIVEPATCH=y -CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y -CONFIG_HAVE_MMIOTRACE_SUPPORT=y -CONFIG_HAVE_MOD_ARCH_SPECIFIC=y -CONFIG_HAVE_MOVE_PMD=y -CONFIG_HAVE_MOVE_PUD=y -CONFIG_HAVE_NMI=y -CONFIG_HAVE_NOINSTR_HACK=y -CONFIG_HAVE_NOINSTR_VALIDATION=y -CONFIG_HAVE_OBJTOOL_MCOUNT=y -CONFIG_HAVE_OBJTOOL_NOP_MCOUNT=y -CONFIG_HAVE_OBJTOOL=y -CONFIG_HAVE_OPTPROBES=y -CONFIG_HAVE_PCI=y -CONFIG_HAVE_PCSPKR_PLATFORM=y -CONFIG_HAVE_PERF_EVENTS_NMI=y -CONFIG_HAVE_PERF_EVENTS=y -CONFIG_HAVE_PERF_REGS=y -CONFIG_HAVE_PERF_USER_STACK_DUMP=y -CONFIG_HAVE_POSIX_CPU_TIMERS_TASK_WORK=y -CONFIG_HAVE_PREEMPT_DYNAMIC_CALL=y -CONFIG_HAVE_PREEMPT_DYNAMIC=y -CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y -CONFIG_HAVE_RELIABLE_STACKTRACE=y -CONFIG_HAVE_RETHOOK=y -CONFIG_HAVE_RSEQ=y -CONFIG_HAVE_RUST=y -CONFIG_HAVE_SAMPLE_FTRACE_DIRECT_MULTI=y -CONFIG_HAVE_SAMPLE_FTRACE_DIRECT=y -CONFIG_HAVE_SETUP_PER_CPU_AREA=y -CONFIG_HAVE_SOFTIRQ_ON_OWN_STACK=y -CONFIG_HAVE_STACKPROTECTOR=y -CONFIG_HAVE_STACK_VALIDATION=y -CONFIG_HAVE_STATIC_CALL_INLINE=y -CONFIG_HAVE_STATIC_CALL=y -CONFIG_HAVE_SYSCALL_TRACEPOINTS=y -CONFIG_HAVE_UACCESS_VALIDATION=y -CONFIG_HAVE_UID16=y -CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y -CONFIG_HAVE_USER_RETURN_NOTIFIER=y -CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y -CONFIG_HDMI=y -CONFIG_HIBERNATE_CALLBACKS=y -CONFIG_HID_A4TECH=m -CONFIG_HID_APPLE=m -CONFIG_HID_BELKIN=m -CONFIG_HID_CHERRY=m -CONFIG_HID_CHICONY=m -CONFIG_HID_CORSAIR=m -CONFIG_HID_CYPRESS=m -CONFIG_HID_EZKEY=m -CONFIG_HID_GENERIC=y -CONFIG_HID_GYRATION=m -CONFIG_HID_ITE=m -CONFIG_HID_KENSINGTON=m -CONFIG_HID_LENOVO=m -CONFIG_HID_LOGITECH_DJ=m -CONFIG_HID_LOGITECH_HIDPP=m -CONFIG_HID_LOGITECH=m -CONFIG_HID_MICROSOFT=m -CONFIG_HID_MONTEREY=m -CONFIG_HID_PANTHERLORD=m -CONFIG_HID_PETALYNX=m -CONFIG_HIDRAW=y -CONFIG_HID_REDRAGON=y -CONFIG_HID_ROCCAT=y -CONFIG_HID_SAMSUNG=m -CONFIG_HID_SUNPLUS=m 
-CONFIG_HID_SUPPORT=y -CONFIG_HID_TOPSEED=m -CONFIG_HID=y -CONFIG_HIGH_RES_TIMERS=y -CONFIG_HMM_MIRROR=y -CONFIG_HOTPLUG_CORE_SYNC_DEAD=y -CONFIG_HOTPLUG_CORE_SYNC_FULL=y -CONFIG_HOTPLUG_CORE_SYNC=y -CONFIG_HOTPLUG_CPU=y -CONFIG_HOTPLUG_PARALLEL=y -CONFIG_HOTPLUG_PCI_ACPI=y -CONFIG_HOTPLUG_PCI_PCIE=y -CONFIG_HOTPLUG_PCI=y -CONFIG_HOTPLUG_SMT=y -CONFIG_HOTPLUG_SPLIT_STARTUP=y -CONFIG_HPET_EMULATE_RTC=y -CONFIG_HPET_TIMER=y -CONFIG_HPET=y -CONFIG_HP_ILO=m -CONFIG_HSA_AMD=y -CONFIG_HSR=y -CONFIG_HSU_DMA=y -CONFIG_HUGETLBFS=y -CONFIG_HUGETLB_PAGE_OPTIMIZE_VMEMMAP=y -CONFIG_HUGETLB_PAGE=y -CONFIG_HVC_DRIVER=y -CONFIG_HVC_IRQ=y -CONFIG_HVC_XEN_FRONTEND=y -CONFIG_HVC_XEN=y -CONFIG_HW_CONSOLE=y -CONFIG_HWMON=y -CONFIG_HW_RANDOM_TPM=y -CONFIG_HW_RANDOM_VIA=y -CONFIG_HW_RANDOM_VIRTIO=y -CONFIG_HW_RANDOM=y -CONFIG_HYPERV_BALLOON=y -CONFIG_HYPERV_IOMMU=y -CONFIG_HYPERVISOR_GUEST=y -CONFIG_HYPERV_KEYBOARD=y -CONFIG_HYPERV_NET=y -CONFIG_HYPERV_STORAGE=y -CONFIG_HYPERV_TIMER=y -CONFIG_HYPERV_UTILS=y -CONFIG_HYPERV_VSOCKETS=y -CONFIG_HYPERV=y -CONFIG_HZ=250 -CONFIG_HZ_250=y -CONFIG_I2C_ALGOBIT=m -CONFIG_I2C_BOARDINFO=y -CONFIG_I2C_COMPAT=y -CONFIG_I2C_HELPER_AUTO=y -CONFIG_I2C_HID=y -CONFIG_I2C_I801=m -CONFIG_I2C_SMBUS=m -CONFIG_I2C=y -CONFIG_I40E=m -CONFIG_I40EVF=m -CONFIG_I6300ESB_WDT=m -CONFIG_I8253_LOCK=y -CONFIG_IA32_EMULATION=y -CONFIG_IA32_FEAT_CTL=y -CONFIG_IAVF=m -CONFIG_ICE_HWTS=y -CONFIG_ICE=m -CONFIG_ICE_SWITCHDEV=y -CONFIG_IGB_DCA=y -CONFIG_IGB_HWMON=y -CONFIG_IGB=m -CONFIG_IGBVF=m -CONFIG_IGC=m -CONFIG_IKCONFIG_PROC=y -CONFIG_IKCONFIG=y -CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 -CONFIG_IMA_APPRAISE_BOOTPARAM=y -CONFIG_IMA_APPRAISE=y -CONFIG_IMA_ARCH_POLICY=y -CONFIG_IMA_DEFAULT_HASH="sha512" -CONFIG_IMA_DEFAULT_HASH_SHA512=y -CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng" -CONFIG_IMA_LSM_RULES=y -CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y -CONFIG_IMA_MEASURE_PCR_IDX=10 -CONFIG_IMA_NG_TEMPLATE=y -CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y -CONFIG_IMA_READ_POLICY=y 
-CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y -CONFIG_IMA_WRITE_POLICY=y -CONFIG_IMA=y -CONFIG_INET6_AH=y -CONFIG_INET6_ESP_OFFLOAD=y -CONFIG_INET6_ESP=y -CONFIG_INET6_IPCOMP=y -CONFIG_INET6_TUNNEL=y -CONFIG_INET6_XFRM_TUNNEL=y -CONFIG_INET_AH=y -CONFIG_INET_ESP=y -CONFIG_INET_IPCOMP=y -CONFIG_INET_TABLE_PERTURB_ORDER=16 -CONFIG_INET_TUNNEL=y -CONFIG_INET_XFRM_TUNNEL=y -CONFIG_INET=y -CONFIG_INFINIBAND_ADDR_TRANS_CONFIGFS=y -CONFIG_INFINIBAND_ADDR_TRANS=y -CONFIG_INFINIBAND_IPOIB_DEBUG=y -CONFIG_INFINIBAND_IPOIB=y -CONFIG_INFINIBAND_VIRT_DMA=y -CONFIG_INFINIBAND=y -CONFIG_INIT_ENV_ARG_LIMIT=32 -CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y -CONFIG_INITRAMFS_PRESERVE_MTIME=y -CONFIG_INITRAMFS_SOURCE="" -CONFIG_INIT_STACK_ALL_ZERO=y -CONFIG_INLINE_READ_UNLOCK_IRQ=y -CONFIG_INLINE_READ_UNLOCK=y -CONFIG_INLINE_SPIN_UNLOCK_IRQ=y -CONFIG_INLINE_WRITE_UNLOCK_IRQ=y -CONFIG_INLINE_WRITE_UNLOCK=y -CONFIG_INOTIFY_USER=y -CONFIG_INPUT_EVDEV=y -CONFIG_INPUT_FF_MEMLESS=y -CONFIG_INPUT_JOYSTICK=y -CONFIG_INPUT_KEYBOARD=y -CONFIG_INPUT_LEDS=y -CONFIG_INPUT_MISC=y -CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024 -CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768 -CONFIG_INPUT_MOUSEDEV=y -CONFIG_INPUT_MOUSE=y -CONFIG_INPUT_SPARSEKMAP=y -CONFIG_INPUT_TABLET=y -CONFIG_INPUT_TOUCHSCREEN=y -CONFIG_INPUT_VIVALDIFMAP=y -CONFIG_INPUT_XEN_KBDDEV_FRONTEND=y -CONFIG_INPUT=y -CONFIG_INSTRUCTION_DECODER=y -CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y -CONFIG_INTEGRITY_AUDIT=y -CONFIG_INTEGRITY_PLATFORM_KEYRING=y -CONFIG_INTEGRITY_SIGNATURE=y -CONFIG_INTEGRITY_TRUSTED_KEYRING=y -CONFIG_INTEGRITY=y -CONFIG_INTEL_GTT=y -CONFIG_INTEL_IDLE=y -CONFIG_INTEL_IOATDMA=y -CONFIG_INTEL_IOMMU_DEFAULT_ON=y -CONFIG_INTEL_IOMMU_FLOPPY_WA=y -CONFIG_INTEL_IOMMU_PERF_EVENTS=y -CONFIG_INTEL_IOMMU_SVM=y -CONFIG_INTEL_IOMMU=y -CONFIG_INTEL_PMC_CORE=m -CONFIG_INTEL_TCC=y -CONFIG_INTERVAL_TREE=y -CONFIG_IO_DELAY_0X80=y -CONFIG_IOMMU_API=y -CONFIG_IOMMU_DEFAULT_DMA_STRICT=y -CONFIG_IOMMU_DMA=y -CONFIG_IOMMU_IO_PGTABLE=y -CONFIG_IOMMU_IOVA=y -CONFIG_IOMMU_SUPPORT=y 
-CONFIG_IOMMU_SVA=y -CONFIG_IOSCHED_BFQ=y -CONFIG_IOSF_MBI=y -CONFIG_IO_URING=y -CONFIG_IO_WQ=y -CONFIG_IP6_NF_FILTER=y -CONFIG_IP6_NF_IPTABLES=y -CONFIG_IP6_NF_MANGLE=y -CONFIG_IP6_NF_MATCH_AH=y -CONFIG_IP6_NF_MATCH_EUI64=y -CONFIG_IP6_NF_MATCH_FRAG=y -CONFIG_IP6_NF_MATCH_HL=y -CONFIG_IP6_NF_MATCH_IPV6HEADER=y -CONFIG_IP6_NF_MATCH_MH=y -CONFIG_IP6_NF_MATCH_OPTS=y -CONFIG_IP6_NF_MATCH_RPFILTER=y -CONFIG_IP6_NF_MATCH_RT=y -CONFIG_IP6_NF_NAT=y -CONFIG_IP6_NF_RAW=y -CONFIG_IP6_NF_SECURITY=y -CONFIG_IP6_NF_TARGET_HL=y -CONFIG_IP6_NF_TARGET_REJECT=y -CONFIG_IP6_NF_TARGET_SYNPROXY=y -CONFIG_IP_ADVANCED_ROUTER=y -CONFIG_IPC_NS=y -CONFIG_IP_DCCP_CCID3=y -CONFIG_IP_DCCP_TFRC_LIB=y -CONFIG_IP_DCCP=y -CONFIG_IPMI_DEVICE_INTERFACE=y -CONFIG_IPMI_DMI_DECODE=y -CONFIG_IPMI_HANDLER=y -CONFIG_IPMI_PLAT_DATA=y -CONFIG_IPMI_POWEROFF=y -CONFIG_IPMI_SI=y -CONFIG_IPMI_WATCHDOG=m -CONFIG_IP_MROUTE_COMMON=y -CONFIG_IP_MROUTE=y -CONFIG_IP_MULTICAST=y -CONFIG_IP_MULTIPLE_TABLES=y -CONFIG_IP_NF_FILTER=y -CONFIG_IP_NF_IPTABLES=y -CONFIG_IP_NF_MANGLE=y -CONFIG_IP_NF_MATCH_RPFILTER=y -CONFIG_IP_NF_NAT=y -CONFIG_IP_NF_RAW=y -CONFIG_IP_NF_TARGET_MASQUERADE=y -CONFIG_IP_NF_TARGET_NETMAP=y -CONFIG_IP_NF_TARGET_REDIRECT=y -CONFIG_IP_NF_TARGET_REJECT=y -CONFIG_IP_PIMSM_V1=y -CONFIG_IP_PIMSM_V2=y -CONFIG_IP_PNP_BOOTP=y -CONFIG_IP_PNP_DHCP=y -CONFIG_IP_PNP_RARP=y -CONFIG_IP_PNP=y -CONFIG_IP_ROUTE_CLASSID=y -CONFIG_IP_ROUTE_MULTIPATH=y -CONFIG_IP_ROUTE_VERBOSE=y -CONFIG_IP_SCTP=y -CONFIG_IP_SET_BITMAP_IPMAC=y -CONFIG_IP_SET_BITMAP_IP=y -CONFIG_IP_SET_BITMAP_PORT=y -CONFIG_IP_SET_HASH_IPMAC=y -CONFIG_IP_SET_HASH_IPMARK=y -CONFIG_IP_SET_HASH_IPPORTIP=y -CONFIG_IP_SET_HASH_IPPORTNET=y -CONFIG_IP_SET_HASH_IPPORT=y -CONFIG_IP_SET_HASH_IP=y -CONFIG_IP_SET_HASH_MAC=y -CONFIG_IP_SET_HASH_NETIFACE=y -CONFIG_IP_SET_HASH_NETNET=y -CONFIG_IP_SET_HASH_NETPORTNET=y -CONFIG_IP_SET_HASH_NETPORT=y -CONFIG_IP_SET_HASH_NET=y -CONFIG_IP_SET_LIST_SET=y -CONFIG_IP_SET_MAX=256 -CONFIG_IP_SET=y -CONFIG_IPV6_FOU_TUNNEL=y 
-CONFIG_IPV6_FOU=y -CONFIG_IPV6_ILA=y -CONFIG_IPV6_MIP6=y -CONFIG_IPV6_MULTIPLE_TABLES=y -CONFIG_IPV6_NDISC_NODETYPE=y -CONFIG_IPV6_ROUTE_INFO=y -CONFIG_IPV6_ROUTER_PREF=y -CONFIG_IPV6_SIT=y -CONFIG_IPV6_TUNNEL=y -CONFIG_IPV6=y -CONFIG_IPVLAN_L3S=y -CONFIG_IPVLAN=y -CONFIG_IP_VS_IPV6=y -CONFIG_IP_VS_LC=y -CONFIG_IP_VS_MH_TAB_INDEX=12 -CONFIG_IP_VS_NFCT=y -CONFIG_IP_VS_PROTO_TCP=y -CONFIG_IP_VS_PROTO_UDP=y -CONFIG_IP_VS_RR=y -CONFIG_IP_VS_SH_TAB_BITS=8 -CONFIG_IP_VS_SH=y -CONFIG_IP_VS_TAB_BITS=12 -CONFIG_IP_VS_WRR=y -CONFIG_IP_VS=y -CONFIG_IRQ_BYPASS_MANAGER=y -CONFIG_IRQ_DOMAIN_HIERARCHY=y -CONFIG_IRQ_DOMAIN=y -CONFIG_IRQ_FORCED_THREADING=y -CONFIG_IRQ_MSI_IOMMU=y -CONFIG_IRQ_POLL=y -CONFIG_IRQ_REMAP=y -CONFIG_IRQ_WORK=y -CONFIG_ISA_DMA_API=y -CONFIG_ISCSI_TCP=y -CONFIG_ISO9660_FS=y -CONFIG_ITCO_VENDOR_SUPPORT=y -CONFIG_ITCO_WDT=m -CONFIG_IXGBE_DCA=y -CONFIG_IXGBE_HWMON=y -CONFIG_IXGBE_IPSEC=y -CONFIG_IXGBE=m -CONFIG_IXGBEVF_IPSEC=y -CONFIG_IXGBEVF=m -CONFIG_JBD2=y -CONFIG_JOLIET=y -CONFIG_JUMP_LABEL=y -CONFIG_KALLSYMS_ABSOLUTE_PERCPU=y -CONFIG_KALLSYMS_BASE_RELATIVE=y -CONFIG_KALLSYMS=y -CONFIG_KARMA_PARTITION=y -CONFIG_KCMP=y -CONFIG_KERNEL_ZSTD=y -CONFIG_KERNFS=y -CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y -CONFIG_KEXEC_CORE=y -CONFIG_KEXEC_FILE=y -CONFIG_KEXEC_SIG=y -CONFIG_KEYBOARD_ATKBD=y -CONFIG_KEYS=y -CONFIG_KFENCE_NUM_OBJECTS=255 -CONFIG_KFENCE_SAMPLE_INTERVAL=100 -CONFIG_KFENCE_STRESS_TEST_FAULTS=0 -CONFIG_KFENCE=y -CONFIG_KPROBE_EVENTS=y -CONFIG_KPROBES_ON_FTRACE=y -CONFIG_KPROBES=y -CONFIG_KRETPROBE_ON_RETHOOK=y -CONFIG_KRETPROBES=y -CONFIG_KVM_AMD=y -CONFIG_KVM_AMD_SEV=y -CONFIG_KVM_ASYNC_PF=y -CONFIG_KVM_COMPAT=y -CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT=y -CONFIG_KVM_GENERIC_HARDWARE_ENABLING=y -CONFIG_KVM_GUEST=y -CONFIG_KVM_INTEL=y -CONFIG_KVM_MMIO=y -CONFIG_KVM_SMM=y -CONFIG_KVM_VFIO=y -CONFIG_KVM_WERROR=y -CONFIG_KVM_XFER_TO_GUEST_WORK=y -CONFIG_KVM=y -CONFIG_L2TP=y -CONFIG_LAPB=y -CONFIG_LD_IS_BFD=y -CONFIG_LD_ORPHAN_WARN_LEVEL="warn" 
-CONFIG_LD_ORPHAN_WARN=y -CONFIG_LD_VERSION=24200 -CONFIG_LEDS_CLASS=y -CONFIG_LEDS_TRIGGERS=y -CONFIG_LEGACY_DIRECT_IO=y -CONFIG_LEGACY_VSYSCALL_NONE=y -CONFIG_LIBCRC32C=y -CONFIG_LINEAR_RANGES=y -CONFIG_LIST_HARDENED=y -CONFIG_LLC2=y -CONFIG_LLC=y -CONFIG_LLD_VERSION=0 -CONFIG_LOAD_UEFI_KEYS=y -#CONFIG_LOCALVERSION="-patagia" -CONFIG_LOCK_DEBUGGING_SUPPORT=y -CONFIG_LOCKDEP_SUPPORT=y -CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y -CONFIG_LOCKD_V4=y -CONFIG_LOCKD=y -CONFIG_LOCK_MM_AND_FIND_VMA=y -CONFIG_LOCK_SPIN_ON_OWNER=y -CONFIG_LOG_BUF_SHIFT=18 -CONFIG_LOG_CPU_MAX_BUF_SHIFT=12 -CONFIG_LOGITECH_FF=y -CONFIG_LOGIWHEELS_FF=y -CONFIG_LOGO_LINUX_CLUT224=y -CONFIG_LOGO=y -CONFIG_LPC_ICH=m -CONFIG_LRU_CACHE=m -CONFIG_LRU_GEN_ENABLED=y -CONFIG_LRU_GEN_WALKS_MMU=y -CONFIG_LRU_GEN=y -CONFIG_LSM="yama,loadpin,safesetid,integrity,bpf,apparmor" -CONFIG_LTO_NONE=y -CONFIG_LWTUNNEL_BPF=y -CONFIG_LWTUNNEL=y -CONFIG_LZ4_COMPRESS=m -CONFIG_LZ4_DECOMPRESS=y -CONFIG_LZ4HC_COMPRESS=m -CONFIG_LZO_COMPRESS=y -CONFIG_LZO_DECOMPRESS=y -CONFIG_MAC80211_STA_HASH_MAX_SIZE=0 -CONFIG_MAC_PARTITION=y -CONFIG_MACVLAN=y -CONFIG_MACVTAP=y -CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x0 -CONFIG_MAGIC_SYSRQ_SERIAL_SEQUENCE="" -CONFIG_MAGIC_SYSRQ_SERIAL=y -CONFIG_MAGIC_SYSRQ=y -CONFIG_MAILBOX=y -CONFIG_MARVELL_10G_PHY=y -CONFIG_MARVELL_PHY=y -CONFIG_MAX_SKB_FRAGS=17 -CONFIG_MD_AUTODETECT=y -CONFIG_MD_BITMAP_FILE=y -CONFIG_MDIO_BUS=y -CONFIG_MDIO_DEVICE=y -CONFIG_MDIO_DEVRES=y -CONFIG_MDIO=m -CONFIG_MD_RAID0=y -CONFIG_MD_RAID10=y -CONFIG_MD_RAID1=y -CONFIG_MD_RAID456=m -CONFIG_MD=y -CONFIG_MEGARAID_SAS=m -CONFIG_MEMBARRIER=y -CONFIG_MEMCG_KMEM=y -CONFIG_MEMCG=y -CONFIG_MEMFD_CREATE=y -CONFIG_MEMORY_BALLOON=y -CONFIG_MEMORY_FAILURE=y -CONFIG_MEMORY_HOTPLUG=y -CONFIG_MEMORY_HOTREMOVE=y -CONFIG_MEMORY_ISOLATION=y -CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4 -CONFIG_MFD_CORE=m -CONFIG_MFD_INTEL_PMC_BXT=m -CONFIG_MICROCODE=y -CONFIG_MIGRATION=y -CONFIG_MII=m -CONFIG_MINIX_SUBPARTITION=y -CONFIG_MISC_FILESYSTEMS=y 
-CONFIG_MITIGATION_RFDS=y -CONFIG_MITIGATION_SPECTRE_BHI=y -CONFIG_MLX4_CORE_GEN2=y -CONFIG_MLX4_CORE=m -CONFIG_MLX4_DEBUG=y -CONFIG_MLX4_EN_DCB=y -CONFIG_MLX4_EN=m -CONFIG_MLX4_INFINIBAND=m -CONFIG_MLX5_BRIDGE=y -CONFIG_MLX5_CORE_EN_DCB=y -CONFIG_MLX5_CORE_EN=y -CONFIG_MLX5_CORE_IPOIB=y -CONFIG_MLX5_CORE=m -CONFIG_MLX5_EN_ARFS=y -CONFIG_MLX5_EN_RXNFC=y -CONFIG_MLX5_ESWITCH=y -CONFIG_MLX5_FPGA=y -CONFIG_MLX5_INFINIBAND=m -CONFIG_MLX5_MPFS=y -CONFIG_MLX5_SW_STEERING=y -CONFIG_MLXFW=m -CONFIG_MLXSW_CORE_HWMON=y -CONFIG_MLXSW_CORE=m -CONFIG_MLXSW_CORE_THERMAL=y -CONFIG_MLXSW_I2C=m -CONFIG_MLXSW_MINIMAL=m -CONFIG_MLXSW_PCI=m -CONFIG_MLXSW_SPECTRUM_DCB=y -CONFIG_MLXSW_SPECTRUM=m -CONFIG_MMC_BLOCK_MINORS=32 -CONFIG_MMC_BLOCK=y -CONFIG_MMC_CQHCI=y -CONFIG_MMCONF_FAM10H=y -CONFIG_MMC_RICOH_MMC=y -CONFIG_MMC_SDHCI_ACPI=m -CONFIG_MMC_SDHCI_F_SDH30=m -CONFIG_MMC_SDHCI_IO_ACCESSORS=y -CONFIG_MMC_SDHCI_PCI=m -CONFIG_MMC_SDHCI_PLTFM=m -CONFIG_MMC_SDHCI_XENON=m -CONFIG_MMC_SDHCI=y -CONFIG_MMC=y -CONFIG_MMU_GATHER_MERGE_VMAS=y -CONFIG_MMU_GATHER_RCU_TABLE_FREE=y -CONFIG_MMU_GATHER_TABLE_FREE=y -CONFIG_MMU_LAZY_TLB_REFCOUNT=y -CONFIG_MMU_NOTIFIER=y -CONFIG_MMU=y -CONFIG_MODPROBE_PATH="/sbin/modprobe" -CONFIG_MODULE_COMPRESS_ZSTD=y -CONFIG_MODULE_FORCE_UNLOAD=y -CONFIG_MODULE_SIG_ALL=y -CONFIG_MODULE_SIG_FORCE=y -CONFIG_MODULE_SIG_FORMAT=y -CONFIG_MODULE_SIG_HASH="sha512" -CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" -CONFIG_MODULE_SIG_KEY_TYPE_RSA=y -CONFIG_MODULE_SIG_SHA512=y -CONFIG_MODULE_SIG=y -CONFIG_MODULE_SRCVERSION_ALL=y -CONFIG_MODULE_UNLOAD=y -CONFIG_MODULES_TREE_LOOKUP=y -CONFIG_MODULES_USE_ELF_RELA=y -CONFIG_MODULES=y -CONFIG_MODVERSIONS=y -CONFIG_MPILIB=y -CONFIG_MPLS=y -CONFIG_MQ_IOSCHED_DEADLINE=y -CONFIG_MQ_IOSCHED_KYBER=y -CONFIG_MSDOS_FS=y -CONFIG_MSDOS_PARTITION=y -CONFIG_MTRR=y -CONFIG_MULTIUSER=y -CONFIG_MUTEX_SPIN_ON_OWNER=y -CONFIG_NAMESPACES=y -CONFIG_NEED_DMA_MAP_STATE=y -CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y -CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y 
-CONFIG_NEED_SG_DMA_FLAGS=y -CONFIG_NEED_SG_DMA_LENGTH=y -CONFIG_NET_ACT_BPF=y -CONFIG_NET_ACT_CSUM=y -CONFIG_NET_ACT_GACT=y -CONFIG_NET_ACT_IFE=y -CONFIG_NET_ACT_IPT=y -CONFIG_NET_ACT_MIRRED=y -CONFIG_NET_ACT_NAT=y -CONFIG_NET_ACT_PEDIT=y -CONFIG_NET_ACT_POLICE=y -CONFIG_NET_ACT_SAMPLE=y -CONFIG_NET_ACT_SIMP=y -CONFIG_NET_ACT_SKBEDIT=y -CONFIG_NET_ACT_SKBMOD=y -CONFIG_NET_ACT_TUNNEL_KEY=y -CONFIG_NET_ACT_VLAN=y -CONFIG_NET_CLS_ACT=y -CONFIG_NET_CLS_BASIC=y -CONFIG_NET_CLS_BPF=y -CONFIG_NET_CLS_CGROUP=y -CONFIG_NET_CLS_FLOWER=y -CONFIG_NET_CLS_FLOW=y -CONFIG_NET_CLS_FW=y -CONFIG_NET_CLS_MATCHALL=y -CONFIG_NET_CLS_ROUTE4=y -CONFIG_NET_CLS_U32=y -CONFIG_NET_CLS=y -CONFIG_NETCONSOLE=y -CONFIG_NET_CORE=y -CONFIG_NETDEVICES=y -CONFIG_NET_DEVLINK=y -CONFIG_NET_DSA=y -CONFIG_NET_EGRESS=y -CONFIG_NET_EMATCH_CMP=y -CONFIG_NET_EMATCH_IPSET=y -CONFIG_NET_EMATCH_META=y -CONFIG_NET_EMATCH_NBYTE=y -CONFIG_NET_EMATCH_STACK=32 -CONFIG_NET_EMATCH_TEXT=y -CONFIG_NET_EMATCH_U32=y -CONFIG_NET_EMATCH=y -CONFIG_NET_FAILOVER=y -CONFIG_NETFILTER_ADVANCED=y -CONFIG_NETFILTER_BPF_LINK=y -CONFIG_NETFILTER_CONNCOUNT=y -CONFIG_NETFILTER_EGRESS=y -CONFIG_NETFILTER_FAMILY_BRIDGE=y -CONFIG_NETFILTER_INGRESS=y -CONFIG_NETFILTER_NETLINK_ACCT=y -CONFIG_NETFILTER_NETLINK_GLUE_CT=y -CONFIG_NETFILTER_NETLINK_LOG=y -CONFIG_NETFILTER_NETLINK_OSF=y -CONFIG_NETFILTER_NETLINK_QUEUE=y -CONFIG_NETFILTER_NETLINK=y -CONFIG_NETFILTER_SKIP_EGRESS=y -CONFIG_NETFILTER_SYNPROXY=y -CONFIG_NETFILTER_XTABLES_COMPAT=y -CONFIG_NETFILTER_XTABLES=y -CONFIG_NETFILTER_XT_CONNMARK=y -CONFIG_NETFILTER_XT_MARK=y -CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y -CONFIG_NETFILTER_XT_MATCH_BPF=y -CONFIG_NETFILTER_XT_MATCH_CGROUP=y -CONFIG_NETFILTER_XT_MATCH_CLUSTER=y -CONFIG_NETFILTER_XT_MATCH_COMMENT=y -CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y -CONFIG_NETFILTER_XT_MATCH_CONNLABEL=y -CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y -CONFIG_NETFILTER_XT_MATCH_CONNMARK=y -CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y -CONFIG_NETFILTER_XT_MATCH_CPU=y 
-CONFIG_NETFILTER_XT_MATCH_DCCP=y -CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y -CONFIG_NETFILTER_XT_MATCH_DSCP=y -CONFIG_NETFILTER_XT_MATCH_ECN=y -CONFIG_NETFILTER_XT_MATCH_ESP=y -CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y -CONFIG_NETFILTER_XT_MATCH_HELPER=y -CONFIG_NETFILTER_XT_MATCH_HL=y -CONFIG_NETFILTER_XT_MATCH_IPCOMP=y -CONFIG_NETFILTER_XT_MATCH_IPRANGE=y -CONFIG_NETFILTER_XT_MATCH_IPVS=y -CONFIG_NETFILTER_XT_MATCH_L2TP=y -CONFIG_NETFILTER_XT_MATCH_LENGTH=y -CONFIG_NETFILTER_XT_MATCH_LIMIT=y -CONFIG_NETFILTER_XT_MATCH_MAC=y -CONFIG_NETFILTER_XT_MATCH_MARK=y -CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y -CONFIG_NETFILTER_XT_MATCH_NFACCT=y -CONFIG_NETFILTER_XT_MATCH_OSF=y -CONFIG_NETFILTER_XT_MATCH_OWNER=y -CONFIG_NETFILTER_XT_MATCH_PHYSDEV=y -CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y -CONFIG_NETFILTER_XT_MATCH_POLICY=y -CONFIG_NETFILTER_XT_MATCH_QUOTA=y -CONFIG_NETFILTER_XT_MATCH_RATEEST=y -CONFIG_NETFILTER_XT_MATCH_REALM=y -CONFIG_NETFILTER_XT_MATCH_RECENT=y -CONFIG_NETFILTER_XT_MATCH_SCTP=y -CONFIG_NETFILTER_XT_MATCH_SOCKET=y -CONFIG_NETFILTER_XT_MATCH_STATE=y -CONFIG_NETFILTER_XT_MATCH_STATISTIC=y -CONFIG_NETFILTER_XT_MATCH_STRING=y -CONFIG_NETFILTER_XT_MATCH_TCPMSS=y -CONFIG_NETFILTER_XT_MATCH_TIME=y -CONFIG_NETFILTER_XT_MATCH_U32=y -CONFIG_NETFILTER_XT_NAT=y -CONFIG_NETFILTER_XT_SET=y -CONFIG_NETFILTER_XT_TARGET_AUDIT=y -CONFIG_NETFILTER_XT_TARGET_CHECKSUM=y -CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y -CONFIG_NETFILTER_XT_TARGET_CONNMARK=y -CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y -CONFIG_NETFILTER_XT_TARGET_CT=y -CONFIG_NETFILTER_XT_TARGET_DSCP=y -CONFIG_NETFILTER_XT_TARGET_HL=y -CONFIG_NETFILTER_XT_TARGET_HMARK=y -CONFIG_NETFILTER_XT_TARGET_IDLETIMER=y -CONFIG_NETFILTER_XT_TARGET_LED=y -CONFIG_NETFILTER_XT_TARGET_LOG=y -CONFIG_NETFILTER_XT_TARGET_MARK=y -CONFIG_NETFILTER_XT_TARGET_MASQUERADE=y -CONFIG_NETFILTER_XT_TARGET_NETMAP=y -CONFIG_NETFILTER_XT_TARGET_NFLOG=y -CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y -CONFIG_NETFILTER_XT_TARGET_RATEEST=y -CONFIG_NETFILTER_XT_TARGET_REDIRECT=y 
-CONFIG_NETFILTER_XT_TARGET_SECMARK=y -CONFIG_NETFILTER_XT_TARGET_TCPMSS=y -CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=y -CONFIG_NETFILTER_XT_TARGET_TEE=y -CONFIG_NETFILTER_XT_TARGET_TPROXY=y -CONFIG_NETFILTER=y -CONFIG_NET_FLOW_LIMIT=y -CONFIG_NET_FOU_IP_TUNNELS=y -CONFIG_NET_FOU=y -CONFIG_NETFS_SUPPORT=y -CONFIG_NET_HANDSHAKE=y -CONFIG_NET_IFE=y -CONFIG_NET_INGRESS=y -CONFIG_NET_IPGRE_DEMUX=y -CONFIG_NET_IPGRE=m -CONFIG_NET_IPIP=y -CONFIG_NET_IP_TUNNEL=y -CONFIG_NET_L3_MASTER_DEV=y -CONFIG_NETLABEL=y -CONFIG_NETLINK_DIAG=y -CONFIG_NET_MPLS_GSO=y -CONFIG_NET_NCSI=y -CONFIG_NET_NSH=y -CONFIG_NET_NS=y -CONFIG_NET_POLL_CONTROLLER=y -CONFIG_NETPOLL=y -CONFIG_NET_PTP_CLASSIFY=y -CONFIG_NET_RX_BUSY_POLL=y -CONFIG_NET_SCH_CHOKE=y -CONFIG_NET_SCH_CODEL=y -CONFIG_NET_SCH_DEFAULT=y -CONFIG_NET_SCH_DRR=y -CONFIG_NET_SCHED=y -CONFIG_NET_SCH_FIFO=y -CONFIG_NET_SCH_FQ_CODEL=y -CONFIG_NET_SCH_FQ=y -CONFIG_NET_SCH_GRED=y -CONFIG_NET_SCH_HFSC=y -CONFIG_NET_SCH_HHF=y -CONFIG_NET_SCH_HTB=y -CONFIG_NET_SCH_INGRESS=y -CONFIG_NET_SCH_MQPRIO_LIB=y -CONFIG_NET_SCH_MQPRIO=y -CONFIG_NET_SCH_MULTIQ=y -CONFIG_NET_SCH_NETEM=y -CONFIG_NET_SCH_PIE=y -CONFIG_NET_SCH_PLUG=y -CONFIG_NET_SCH_PRIO=y -CONFIG_NET_SCH_QFQ=y -CONFIG_NET_SCH_RED=y -CONFIG_NET_SCH_SFB=y -CONFIG_NET_SCH_SFQ=y -CONFIG_NET_SCH_TBF=y -CONFIG_NET_SCH_TEQL=y -CONFIG_NET_SELFTESTS=y -CONFIG_NET_SOCK_MSG=y -CONFIG_NET_SWITCHDEV=y -CONFIG_NET_TULIP=y -CONFIG_NET_UDP_TUNNEL=y -CONFIG_NET_VENDOR_3COM=y -CONFIG_NET_VENDOR_8390=y -CONFIG_NET_VENDOR_ADAPTEC=y -CONFIG_NET_VENDOR_AGERE=y -CONFIG_NET_VENDOR_ALACRITECH=y -CONFIG_NET_VENDOR_ALTEON=y -CONFIG_NET_VENDOR_AMAZON=y -CONFIG_NET_VENDOR_AMD=y -CONFIG_NET_VENDOR_AQUANTIA=y -CONFIG_NET_VENDOR_ARC=y -CONFIG_NET_VENDOR_ASIX=y -CONFIG_NET_VENDOR_ATHEROS=y -CONFIG_NET_VENDOR_BROADCOM=y -CONFIG_NET_VENDOR_BROCADE=y -CONFIG_NET_VENDOR_CADENCE=y -CONFIG_NET_VENDOR_CAVIUM=y -CONFIG_NET_VENDOR_CHELSIO=y -CONFIG_NET_VENDOR_CISCO=y -CONFIG_NET_VENDOR_CORTINA=y -CONFIG_NET_VENDOR_DAVICOM=y 
-CONFIG_NET_VENDOR_DEC=y -CONFIG_NET_VENDOR_DLINK=y -CONFIG_NET_VENDOR_EMULEX=y -CONFIG_NET_VENDOR_ENGLEDER=y -CONFIG_NET_VENDOR_EZCHIP=y -CONFIG_NET_VENDOR_FUNGIBLE=y -CONFIG_NET_VENDOR_GOOGLE=y -CONFIG_NET_VENDOR_HUAWEI=y -CONFIG_NET_VENDOR_I825XX=y -CONFIG_NET_VENDOR_INTEL=y -CONFIG_NET_VENDOR_LITEX=y -CONFIG_NET_VENDOR_MARVELL=y -CONFIG_NET_VENDOR_MELLANOX=y -CONFIG_NET_VENDOR_MICREL=y -CONFIG_NET_VENDOR_MICROCHIP=y -CONFIG_NET_VENDOR_MICROSEMI=y -CONFIG_NET_VENDOR_MICROSOFT=y -CONFIG_NET_VENDOR_MYRI=y -CONFIG_NET_VENDOR_NATSEMI=y -CONFIG_NET_VENDOR_NETERION=y -CONFIG_NET_VENDOR_NETRONOME=y -CONFIG_NET_VENDOR_NI=y -CONFIG_NET_VENDOR_NVIDIA=y -CONFIG_NET_VENDOR_OKI=y -CONFIG_NET_VENDOR_PACKET_ENGINES=y -CONFIG_NET_VENDOR_PENSANDO=y -CONFIG_NET_VENDOR_QLOGIC=y -CONFIG_NET_VENDOR_QUALCOMM=y -CONFIG_NET_VENDOR_RDC=y -CONFIG_NET_VENDOR_REALTEK=y -CONFIG_NET_VENDOR_RENESAS=y -CONFIG_NET_VENDOR_ROCKER=y -CONFIG_NET_VENDOR_SAMSUNG=y -CONFIG_NET_VENDOR_SEEQ=y -CONFIG_NET_VENDOR_SILAN=y -CONFIG_NET_VENDOR_SIS=y -CONFIG_NET_VENDOR_SMSC=y -CONFIG_NET_VENDOR_SOCIONEXT=y -CONFIG_NET_VENDOR_SOLARFLARE=y -CONFIG_NET_VENDOR_STMICRO=y -CONFIG_NET_VENDOR_SUN=y -CONFIG_NET_VENDOR_SYNOPSYS=y -CONFIG_NET_VENDOR_TEHUTI=y -CONFIG_NET_VENDOR_TI=y -CONFIG_NET_VENDOR_VERTEXCOM=y -CONFIG_NET_VENDOR_VIA=y -CONFIG_NET_VENDOR_WANGXUN=y -CONFIG_NET_VENDOR_WIZNET=y -CONFIG_NET_VENDOR_XILINX=y -CONFIG_NET_VRF=m -CONFIG_NETWORK_FILESYSTEMS=y -CONFIG_NETWORK_SECMARK=y -CONFIG_NETXEN_NIC=m -CONFIG_NET_XGRESS=y -CONFIG_NET=y -CONFIG_NEW_LEDS=y -CONFIG_NF_CONNTRACK_BROADCAST=y -CONFIG_NF_CONNTRACK_EVENTS=y -CONFIG_NF_CONNTRACK_FTP=y -CONFIG_NF_CONNTRACK_LABELS=y -CONFIG_NF_CONNTRACK_MARK=y -CONFIG_NF_CONNTRACK_NETBIOS_NS=y -CONFIG_NF_CONNTRACK_OVS=y -CONFIG_NF_CONNTRACK_PPTP=y -CONFIG_NF_CONNTRACK_PROCFS=y -CONFIG_NF_CONNTRACK_SANE=y -CONFIG_NF_CONNTRACK_SECMARK=y -CONFIG_NF_CONNTRACK_SIP=y -CONFIG_NF_CONNTRACK_SNMP=y -CONFIG_NF_CONNTRACK_TFTP=y -CONFIG_NF_CONNTRACK_TIMEOUT=y 
-CONFIG_NF_CONNTRACK_TIMESTAMP=y -CONFIG_NF_CONNTRACK=y -CONFIG_NF_CONNTRACK_ZONES=y -CONFIG_NF_CT_NETLINK=y -CONFIG_NF_CT_PROTO_GRE=y -CONFIG_NF_CT_PROTO_SCTP=y -CONFIG_NF_DEFRAG_IPV4=y -CONFIG_NF_DEFRAG_IPV6=y -CONFIG_NF_DUP_IPV4=y -CONFIG_NF_DUP_IPV6=y -CONFIG_NF_DUP_NETDEV=y -CONFIG_NF_LOG_ARP=y -CONFIG_NF_LOG_IPV4=y -CONFIG_NF_LOG_IPV6=y -CONFIG_NF_LOG_SYSLOG=y -CONFIG_NF_NAT_FTP=y -CONFIG_NF_NAT_MASQUERADE=y -CONFIG_NF_NAT_OVS=y -CONFIG_NF_NAT_PPTP=y -CONFIG_NF_NAT_REDIRECT=y -CONFIG_NF_NAT_SIP=y -CONFIG_NF_NAT_SNMP_BASIC=y -CONFIG_NF_NAT_TFTP=y -CONFIG_NF_NAT=y -CONFIG_NF_REJECT_IPV4=y -CONFIG_NF_REJECT_IPV6=y -CONFIG_NFS_ACL_SUPPORT=m -CONFIG_NFS_COMMON=y -CONFIG_NFS_DEBUG=y -CONFIG_NFS_DISABLE_UDP_SUPPORT=y -CONFIG_NFSD_LEGACY_CLIENT_TRACKING=y -CONFIG_NFSD=m -CONFIG_NFSD_V3_ACL=y -CONFIG_NFSD_V4_SECURITY_LABEL=y -CONFIG_NFSD_V4=y -CONFIG_NFS_FSCACHE=y -CONFIG_NFS_FS=m -CONFIG_NFS_USE_KERNEL_DNS=y -CONFIG_NFS_V2=m -CONFIG_NFS_V3_ACL=y -CONFIG_NFS_V3=m -CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org" -CONFIG_NFS_V4_1=y -CONFIG_NFS_V4_2_READ_PLUS=y -CONFIG_NFS_V4_2_SSC_HELPER=y -CONFIG_NFS_V4_2=y -CONFIG_NFS_V4=m -CONFIG_NFS_V4_SECURITY_LABEL=y -CONFIG_NF_TABLES_INET=y -CONFIG_NF_TABLES_IPV4=y -CONFIG_NF_TABLES_IPV6=y -CONFIG_NF_TABLES_NETDEV=y -CONFIG_NF_TABLES=y -CONFIG_NFT_COMPAT=y -CONFIG_NFT_CT=y -CONFIG_NFT_DUP_NETDEV=y -CONFIG_NFT_FIB_INET=y -CONFIG_NFT_FIB_IPV4=y -CONFIG_NFT_FIB_IPV6=y -CONFIG_NFT_FIB=y -CONFIG_NFT_FWD_NETDEV=y -CONFIG_NFT_HASH=y -CONFIG_NFT_LIMIT=y -CONFIG_NFT_LOG=y -CONFIG_NFT_MASQ=y -CONFIG_NFT_NAT=y -CONFIG_NFT_NUMGEN=y -CONFIG_NF_TPROXY_IPV4=y -CONFIG_NF_TPROXY_IPV6=y -CONFIG_NFT_QUEUE=y -CONFIG_NFT_QUOTA=y -CONFIG_NFT_REDIR=y -CONFIG_NFT_REJECT_INET=y -CONFIG_NFT_REJECT_IPV4=y -CONFIG_NFT_REJECT_IPV6=y -CONFIG_NFT_REJECT=y -CONFIG_NFT_TPROXY=y -CONFIG_NITRO_ENCLAVES=y -CONFIG_NLATTR=y -CONFIG_NLS_ASCII=y -CONFIG_NLS_CODEPAGE_437=y -CONFIG_NLS_DEFAULT="utf8" -CONFIG_NLS_ISO8859_1=y -CONFIG_NLS_UCS2_UTILS=y 
-CONFIG_NLS_UTF8=y -CONFIG_NLS=y -CONFIG_NODES_SHIFT=6 -CONFIG_NO_HZ_COMMON=y -CONFIG_NO_HZ_IDLE=y -CONFIG_NO_HZ=y -CONFIG_NOP_TRACER=y -CONFIG_NR_CPUS=512 -CONFIG_NR_CPUS_DEFAULT=64 -CONFIG_NR_CPUS_RANGE_BEGIN=2 -CONFIG_NR_CPUS_RANGE_END=512 -CONFIG_NUMA=y -CONFIG_NVME_AUTH=y -CONFIG_NVME_COMMON=y -CONFIG_NVME_CORE=y -CONFIG_NVME_FABRICS=y -CONFIG_NVME_FC=y -CONFIG_NVME_HWMON=y -CONFIG_NVMEM_SYSFS=y -CONFIG_NVME_MULTIPATH=y -CONFIG_NVMEM=y -CONFIG_NVME_RDMA=m -CONFIG_NVME_TARGET_AUTH=y -CONFIG_NVME_TARGET_FC=m -CONFIG_NVME_TARGET_LOOP=m -CONFIG_NVME_TARGET=m -CONFIG_NVME_TARGET_PASSTHRU=y -CONFIG_NVME_TARGET_RDMA=m -CONFIG_NVME_TARGET_TCP=m -CONFIG_NVME_TCP=y -CONFIG_NVRAM=y -CONFIG_OBJAGG=m -CONFIG_OBJTOOL=y -CONFIG_OID_REGISTRY=y -CONFIG_OLD_SIGSUSPEND3=y -CONFIG_OPENVSWITCH_GENEVE=y -CONFIG_OPENVSWITCH_GRE=m -CONFIG_OPENVSWITCH_VXLAN=y -CONFIG_OPENVSWITCH=y -CONFIG_OPTPROBES=y -CONFIG_OSF_PARTITION=y -CONFIG_OUTPUT_FORMAT="elf64-x86-64" -CONFIG_OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW=y -CONFIG_OVERLAY_FS=y -CONFIG_P2SB=y -CONFIG_PACKET=y -CONFIG_PAGE_COUNTER=y -CONFIG_PAGE_POISONING=y -CONFIG_PAGE_POOL=y -CONFIG_PAGE_REPORTING=y -CONFIG_PAGE_SIZE_LESS_THAN_256KB=y -CONFIG_PAGE_SIZE_LESS_THAN_64KB=y -CONFIG_PAGE_TABLE_ISOLATION=y -CONFIG_PAHOLE_HAS_LANG_EXCLUDE=y -CONFIG_PAHOLE_HAS_SPLIT_BTF=y -CONFIG_PAHOLE_VERSION=126 -CONFIG_PANIC_ON_OOPS_VALUE=1 -CONFIG_PANIC_ON_OOPS=y -CONFIG_PANIC_TIMEOUT=-1 -CONFIG_PANTHERLORD_FF=y -CONFIG_PARAVIRT_CLOCK=y -CONFIG_PARAVIRT_XXL=y -CONFIG_PARAVIRT=y -CONFIG_PARMAN=m -CONFIG_PARTITION_ADVANCED=y -CONFIG_PATA_AMD=m -CONFIG_PATA_MARVELL=m -CONFIG_PATA_OLDPIIX=m -CONFIG_PATA_SCH=m -CONFIG_PATA_TIMINGS=y -CONFIG_PCC=y -CONFIG_PCI_ATS=y -CONFIG_PCI_DIRECT=y -CONFIG_PCI_DOMAINS=y -CONFIG_PCIEAER=y -CONFIG_PCIEASPM_DEFAULT=y -CONFIG_PCIEASPM=y -CONFIG_PCIE_BUS_DEFAULT=y -CONFIG_PCIE_PME=y -CONFIG_PCIEPORTBUS=y -CONFIG_PCI_HYPERV_INTERFACE=y -CONFIG_PCI_HYPERV=y -CONFIG_PCI_IOV=y -CONFIG_PCI_LABEL=y -CONFIG_PCI_LOCKLESS_CONFIG=y 
-CONFIG_PCI_MMCONFIG=y -CONFIG_PCI_MSI=y -CONFIG_PCI_PASID=y -CONFIG_PCI_PRI=y -CONFIG_PCI_QUIRKS=y -CONFIG_PCI_XEN=y -CONFIG_PCI=y -CONFIG_PCPU_DEV_REFCNT=y -CONFIG_PCSPKR_PLATFORM=y -CONFIG_PERF_EVENTS_AMD_UNCORE=y -CONFIG_PERF_EVENTS_INTEL_CSTATE=y -CONFIG_PERF_EVENTS_INTEL_RAPL=y -CONFIG_PERF_EVENTS_INTEL_UNCORE=y -CONFIG_PERF_EVENTS=y -CONFIG_PER_VMA_LOCK=y -CONFIG_PGTABLE_LEVELS=4 -CONFIG_PHONET=y -CONFIG_PHYLIB=y -CONFIG_PHYLINK=y -CONFIG_PHYS_ADDR_T_64BIT=y -CONFIG_PHYSICAL_ALIGN=0x200000 -CONFIG_PHYSICAL_START=0x1000000 -CONFIG_PID_NS=y -CONFIG_PKCS7_MESSAGE_PARSER=y -CONFIG_PLDMFW=y -CONFIG_PM_CLK=y -CONFIG_PM_DEBUG=y -CONFIG_PM_SLEEP_DEBUG=y -CONFIG_PM_SLEEP_SMP=y -CONFIG_PM_SLEEP=y -CONFIG_PM_TRACE_RTC=y -CONFIG_PM_TRACE=y -CONFIG_PM=y -CONFIG_PNFS_BLOCK=y -CONFIG_PNFS_FILE_LAYOUT=y -CONFIG_PNFS_FLEXFILE_LAYOUT=y -CONFIG_PNPACPI=y -CONFIG_PNP_DEBUG_MESSAGES=y -CONFIG_PNP=y -CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y -CONFIG_POSIX_MQUEUE_SYSCTL=y -CONFIG_POSIX_MQUEUE=y -CONFIG_POSIX_TIMERS=y -CONFIG_POWER_SUPPLY_HWMON=y -CONFIG_POWER_SUPPLY=y -CONFIG_PPS=y -CONFIG_PREEMPT_NONE_BUILD=y -CONFIG_PREEMPT_NONE=y -CONFIG_PREEMPT_NOTIFIERS=y -CONFIG_PREFIX_SYMBOLS=y -CONFIG_PREVENT_FIRMWARE_BUILD=y -CONFIG_PRINTK_TIME=y -CONFIG_PRINTK=y -CONFIG_PROBE_EVENTS_BTF_ARGS=y -CONFIG_PROBE_EVENTS=y -CONFIG_PROC_CHILDREN=y -CONFIG_PROC_EVENTS=y -CONFIG_PROC_FS=y -CONFIG_PROC_KCORE=y -CONFIG_PROC_PAGE_MONITOR=y -CONFIG_PROC_PID_ARCH_STATUS=y -CONFIG_PROC_PID_CPUSET=y -CONFIG_PROC_SYSCTL=y -CONFIG_PROC_VMCORE=y -CONFIG_PROFILING=y -CONFIG_PROVIDE_OHCI1394_DMA_INIT=y -CONFIG_PSAMPLE=y -CONFIG_PSI=y -CONFIG_PTDUMP_CORE=y -CONFIG_PTP_1588_CLOCK_KVM=y -CONFIG_PTP_1588_CLOCK_OPTIONAL=y -CONFIG_PTP_1588_CLOCK=y -CONFIG_PWM_SYSFS=y -CONFIG_PWM=y -CONFIG_QEDE=m -CONFIG_QED=m -CONFIG_QED_SRIOV=y -CONFIG_QFMT_V2=y -CONFIG_QLCNIC_DCB=y -CONFIG_QLCNIC_HWMON=y -CONFIG_QLCNIC=m -CONFIG_QLCNIC_SRIOV=y -CONFIG_QUEUED_RWLOCKS=y -CONFIG_QUEUED_SPINLOCKS=y -CONFIG_QUOTACTL=y 
-CONFIG_QUOTA_NETLINK_INTERFACE=y -CONFIG_QUOTA_TREE=y -CONFIG_QUOTA=y -CONFIG_R8169=m -CONFIG_RAID6_PQ_BENCHMARK=y -CONFIG_RAID6_PQ=m -CONFIG_RAID_ATTRS=y -CONFIG_RANDOMIZE_BASE=y -CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y -CONFIG_RANDOMIZE_KSTACK_OFFSET=y -CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0x0 -CONFIG_RANDOMIZE_MEMORY=y -CONFIG_RANDSTRUCT_NONE=y -CONFIG_RAS=y -CONFIG_RATIONAL=y -CONFIG_RCU_CPU_STALL_TIMEOUT=21 -CONFIG_RCU_EXP_CPU_STALL_TIMEOUT=0 -CONFIG_RCU_NEED_SEGCBLIST=y -CONFIG_RCU_STALL_COMMON=y -CONFIG_RDMA_RXE=m -CONFIG_RDS=y -CONFIG_RD_XZ=y -CONFIG_RD_ZSTD=y -CONFIG_REALTEK_PHY=y -CONFIG_REGMAP_I2C=y -CONFIG_REGMAP=y -CONFIG_REGULATOR_FIXED_VOLTAGE=y -CONFIG_REGULATOR_MP8859=y -CONFIG_REGULATOR_PWM=y -CONFIG_REGULATOR=y -CONFIG_RELAY=y -CONFIG_RELOCATABLE=y -CONFIG_RESET_ATTACK_MITIGATION=y -CONFIG_RETHOOK=y -CONFIG_RETHUNK=y -CONFIG_RETPOLINE=y -CONFIG_RFS_ACCEL=y -CONFIG_RING_BUFFER=y -CONFIG_ROOT_NFS=y -CONFIG_RPCSEC_GSS_KRB5=y -CONFIG_RPMSG_NS=y -CONFIG_RPMSG_VIRTIO=y -CONFIG_RPMSG=y -CONFIG_RPS=y -CONFIG_RSEQ=y -CONFIG_RTC_CLASS=y -CONFIG_RTC_DRV_CMOS=y -CONFIG_RTC_I2C_AND_SPI=y -CONFIG_RTC_INTF_DEV=y -CONFIG_RTC_INTF_PROC=y -CONFIG_RTC_INTF_SYSFS=y -CONFIG_RTC_LIB=y -CONFIG_RTC_MC146818_LIB=y -CONFIG_RTC_NVMEM=y -CONFIG_RTC_SYSTOHC_DEVICE="rtc0" -CONFIG_RTC_SYSTOHC=y -CONFIG_RT_GROUP_SCHED=y -CONFIG_RT_MUTEXES=y -CONFIG_RUNTIME_TESTING_MENU=y -CONFIG_RWSEM_SPIN_ON_OWNER=y -CONFIG_SATA_AHCI=m -CONFIG_SATA_HOST=y -CONFIG_SATA_MOBILE_LPM_POLICY=0 -CONFIG_SATA_NV=m -CONFIG_SATA_PMP=y -CONFIG_SATA_SIS=y -CONFIG_SATA_SVW=m -CONFIG_SATA_ULI=m -CONFIG_SATA_VIA=m -CONFIG_SATA_VITESSE=m -CONFIG_SBITMAP=y -CONFIG_SCHED_CLUSTER=y -CONFIG_SCHED_CORE=y -CONFIG_SCHED_HRTICK=y -CONFIG_SCHED_INFO=y -CONFIG_SCHED_MC_PRIO=y -CONFIG_SCHED_MC=y -CONFIG_SCHED_MM_CID=y -CONFIG_SCHED_OMIT_FRAME_POINTER=y -CONFIG_SCHED_SMT=y -CONFIG_SCHED_STACK_END_CHECK=y -CONFIG_SCHEDSTATS=y -CONFIG_SCSI_AACRAID=m -CONFIG_SCSI_COMMON=y -CONFIG_SCSI_CONSTANTS=y -CONFIG_SCSI_DMA=y 
-CONFIG_SCSI_ENCLOSURE=y -CONFIG_SCSI_HPSA=m -CONFIG_SCSI_ISCI=m -CONFIG_SCSI_ISCSI_ATTRS=y -CONFIG_SCSI_LOWLEVEL=y -CONFIG_SCSI_MOD=y -CONFIG_SCSI_MPT2SAS_MAX_SGE=128 -CONFIG_SCSI_MPT3SAS=m -CONFIG_SCSI_MPT3SAS_MAX_SGE=128 -CONFIG_SCSI_PMCRAID=m -CONFIG_SCSI_PROC_FS=y -CONFIG_SCSI_SAS_ATA=y -CONFIG_SCSI_SAS_ATTRS=y -CONFIG_SCSI_SAS_HOST_SMP=y -CONFIG_SCSI_SAS_LIBSAS=y -CONFIG_SCSI_SMARTPQI=m -CONFIG_SCSI_SPI_ATTRS=y -CONFIG_SCSI_VIRTIO=y -CONFIG_SCSI=y -CONFIG_SCTP_COOKIE_HMAC_MD5=y -CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5=y -CONFIG_SECCOMP_FILTER=y -CONFIG_SECCOMP=y -CONFIG_SECRETMEM=y -CONFIG_SECTION_MISMATCH_WARN_ONLY=y -CONFIG_SECURITY_APPARMOR_EXPORT_BINARY=y -CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y -CONFIG_SECURITY_APPARMOR_HASH=y -CONFIG_SECURITY_APPARMOR_INTROSPECT_POLICY=y -CONFIG_SECURITY_APPARMOR_PARANOID_LOAD=y -CONFIG_SECURITY_APPARMOR=y -CONFIG_SECURITY_DMESG_RESTRICT=y -CONFIG_SECURITYFS=y -CONFIG_SECURITY_LANDLOCK=y -CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y -CONFIG_SECURITY_LOCKDOWN_LSM=y -CONFIG_SECURITY_NETWORK_XFRM=y -CONFIG_SECURITY_NETWORK=y -CONFIG_SECURITY_PATH=y -CONFIG_SECURITY=y -CONFIG_SECURITY_YAMA=y -CONFIG_SENSORS_ACPI_POWER=y -CONFIG_SENSORS_CORETEMP=y -CONFIG_SENSORS_DRIVETEMP=y -CONFIG_SENSORS_FAM15H_POWER=m -CONFIG_SENSORS_I5500=m -CONFIG_SENSORS_I5K_AMB=m -CONFIG_SENSORS_K10TEMP=m -CONFIG_SENSORS_K8TEMP=m -CONFIG_SENSORS_NCT6683=y -CONFIG_SERIAL_8250_CONSOLE=y -CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y -CONFIG_SERIAL_8250_DETECT_IRQ=y -CONFIG_SERIAL_8250_DMA=y -CONFIG_SERIAL_8250_DWLIB=y -CONFIG_SERIAL_8250_EXAR=y -CONFIG_SERIAL_8250_EXTENDED=y -CONFIG_SERIAL_8250_LPSS=y -CONFIG_SERIAL_8250_MANY_PORTS=y -CONFIG_SERIAL_8250_MID=y -CONFIG_SERIAL_8250_NR_UARTS=32 -CONFIG_SERIAL_8250_PCILIB=y -CONFIG_SERIAL_8250_PCI=y -CONFIG_SERIAL_8250_PERICOM=y -CONFIG_SERIAL_8250_PNP=y -CONFIG_SERIAL_8250_RSA=y -CONFIG_SERIAL_8250_RUNTIME_UARTS=4 -CONFIG_SERIAL_8250_SHARE_IRQ=y -CONFIG_SERIAL_8250=y -CONFIG_SERIAL_CORE_CONSOLE=y -CONFIG_SERIAL_CORE=y 
-CONFIG_SERIAL_EARLYCON=y -CONFIG_SERIAL_NONSTANDARD=y -CONFIG_SERIO_I8042=y -CONFIG_SERIO_LIBPS2=y -CONFIG_SERIO_PCIPS2=m -CONFIG_SERIO_SERPORT=y -CONFIG_SERIO=y -CONFIG_SFC=m -CONFIG_SFC_MCDI_LOGGING=y -CONFIG_SFC_MCDI_MON=y -CONFIG_SFC_SIENA=m -CONFIG_SFC_SIENA_MCDI_LOGGING=y -CONFIG_SFC_SIENA_MCDI_MON=y -CONFIG_SFC_SIENA_SRIOV=y -CONFIG_SFC_SRIOV=y -CONFIG_SGETMASK_SYSCALL=y -CONFIG_SGI_PARTITION=y -CONFIG_SGL_ALLOC=y -CONFIG_SG_POOL=y -CONFIG_SHMEM=y -CONFIG_SHUFFLE_PAGE_ALLOCATOR=y -CONFIG_SIGNALFD=y -CONFIG_SIGNATURE=y -CONFIG_SIGNED_PE_FILE_VERIFICATION=y -CONFIG_SKB_EXTENSIONS=y -CONFIG_SKY2=m -CONFIG_SLAB_FREELIST_HARDENED=y -CONFIG_SLAB_FREELIST_RANDOM=y -CONFIG_SLAB_MERGE_DEFAULT=y -CONFIG_SLS=y -CONFIG_SLUB_CPU_PARTIAL=y -CONFIG_SLUB_DEBUG=y -CONFIG_SLUB=y -CONFIG_SMBFS=y -CONFIG_SMP=y -CONFIG_SMSC_PHY=m -CONFIG_SOCK_CGROUP_DATA=y -CONFIG_SOCK_RX_QUEUE_MAPPING=y -CONFIG_SOFTIRQ_ON_OWN_STACK=y -CONFIG_SOLARIS_X86_PARTITION=y -CONFIG_SP5100_TCO=m -CONFIG_SPARSE_IRQ=y -CONFIG_SPARSEMEM_EXTREME=y -CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y -CONFIG_SPARSEMEM_VMEMMAP=y -CONFIG_SPARSEMEM=y -CONFIG_SPLIT_PTLOCK_CPUS=4 -CONFIG_SQUASHFS_COMPILE_DECOMP_SINGLE=y -CONFIG_SQUASHFS_DECOMP_SINGLE=y -CONFIG_SQUASHFS_FILE_DIRECT=y -CONFIG_SQUASHFS_FRAGMENT_CACHE_SIZE=3 -CONFIG_SQUASHFS_XATTR=y -CONFIG_SQUASHFS_XZ=y -CONFIG_SQUASHFS=y -CONFIG_SQUASHFS_ZSTD=y -CONFIG_SSB_POSSIBLE=y -CONFIG_STACKDEPOT=y -CONFIG_STACKLEAK_TRACK_MIN_SIZE=100 -CONFIG_STACKPROTECTOR_STRONG=y -CONFIG_STACKPROTECTOR=y -CONFIG_STACKTRACE_SUPPORT=y -CONFIG_STACKTRACE=y -CONFIG_STANDALONE=y -CONFIG_STP=y -CONFIG_STREAM_PARSER=y -CONFIG_STRICT_KERNEL_RWX=y -CONFIG_STRICT_MODULE_RWX=y -CONFIG_SUN_PARTITION=y -CONFIG_SUNRPC_BACKCHANNEL=y -CONFIG_SUNRPC_GSS=y -CONFIG_SUNRPC_XPRT_RDMA=y -CONFIG_SUNRPC=y -CONFIG_SURFACE_PLATFORMS=y -CONFIG_SUSPEND_FREEZER=y -CONFIG_SUSPEND=y -CONFIG_SWAP=y -CONFIG_SWIOTLB_XEN=y -CONFIG_SWIOTLB=y -CONFIG_SWPHY=y -CONFIG_SYMBOLIC_ERRNAME=y -CONFIG_SYNC_FILE=y -CONFIG_SYN_COOKIES=y 
-CONFIG_SYSCTL_EXCEPTION_TRACE=y -CONFIG_SYSCTL=y -CONFIG_SYSFB=y -CONFIG_SYSFS_SYSCALL=y -CONFIG_SYSFS=y -CONFIG_SYS_HYPERVISOR=y -CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" -CONFIG_SYSTEM_BLACKLIST_KEYRING=y -CONFIG_SYSTEM_DATA_VERIFICATION=y -CONFIG_SYSTEM_TRUSTED_KEYRING=y -CONFIG_SYSTEM_TRUSTED_KEYS="" -CONFIG_SYSVIPC_COMPAT=y -CONFIG_SYSVIPC_SYSCTL=y -CONFIG_SYSVIPC=y -CONFIG_TAP=y -CONFIG_TASK_DELAY_ACCT=y -CONFIG_TASK_IO_ACCOUNTING=y -CONFIG_TASKS_RCU_GENERIC=y -CONFIG_TASKS_RUDE_RCU=y -CONFIG_TASKSTATS=y -CONFIG_TASKS_TRACE_RCU=y -CONFIG_TASK_XACCT=y -CONFIG_TCG_CRB=y -CONFIG_TCG_TIS_CORE=y -CONFIG_TCG_TIS=y -CONFIG_TCG_TPM=y -CONFIG_TCP_CONG_ADVANCED=y -CONFIG_TCP_CONG_BBR=y -CONFIG_TCP_CONG_CUBIC=y -CONFIG_TCP_MD5SIG=y -CONFIG_TEXTSEARCH_BM=y -CONFIG_TEXTSEARCH_FSM=y -CONFIG_TEXTSEARCH_KMP=y -CONFIG_TEXTSEARCH=y -CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y -CONFIG_THERMAL_EMERGENCY_POWEROFF_DELAY_MS=0 -CONFIG_THERMAL_GOV_STEP_WISE=y -CONFIG_THERMAL_GOV_USER_SPACE=y -CONFIG_THERMAL_HWMON=y -CONFIG_THERMAL_WRITABLE_TRIPS=y -CONFIG_THERMAL=y -CONFIG_THREAD_INFO_IN_TASK=y -CONFIG_TICK_CPU_ACCOUNTING=y -CONFIG_TICK_ONESHOT=y -CONFIG_TIGON3_HWMON=y -CONFIG_TIGON3=m -CONFIG_TIME_NS=y -CONFIG_TIMERFD=y -CONFIG_TLS=m -CONFIG_TMPFS_POSIX_ACL=y -CONFIG_TMPFS_XATTR=y -CONFIG_TMPFS=y -CONFIG_TOOLS_SUPPORT_RELR=y -CONFIG_TRACE_CLOCK=y -CONFIG_TRACE_IRQFLAGS_NMI_SUPPORT=y -CONFIG_TRACE_IRQFLAGS_SUPPORT=y -CONFIG_TRACEPOINTS=y -CONFIG_TRACING_SUPPORT=y -CONFIG_TRACING=y -CONFIG_TREE_RCU=y -CONFIG_TREE_SRCU=y -CONFIG_TTY=y -CONFIG_TTY_PRINTK_LEVEL=6 -CONFIG_TTY_PRINTK=m -CONFIG_TUN=y -CONFIG_UBSAN_BOOL=y -CONFIG_UBSAN_BOUNDS_STRICT=y -CONFIG_UBSAN_BOUNDS=y -CONFIG_UBSAN_ENUM=y -CONFIG_UBSAN_SANITIZE_ALL=y -CONFIG_UBSAN_SHIFT=y -CONFIG_UBSAN=y -CONFIG_UCS2_STRING=y -CONFIG_UDF_FS=y -CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug" -CONFIG_UEVENT_HELPER=y -CONFIG_UID16=y -CONFIG_UNIX98_PTYS=y -CONFIG_UNIX_SCM=y -CONFIG_UNIXWARE_DISKLABEL=y -CONFIG_UNIX=y -CONFIG_UNWINDER_ORC=y 
-CONFIG_UPROBE_EVENTS=y -CONFIG_UPROBES=y -CONFIG_USB4=m -CONFIG_USB4_NET=m -CONFIG_USB_ACM=y -CONFIG_USB_ALI_M5632=y -CONFIG_USB_AN2720=y -CONFIG_USB_ARCH_HAS_HCD=y -CONFIG_USB_ARMLINUX=y -CONFIG_USB_AUTOSUSPEND_DELAY=2 -CONFIG_USB_BELKIN=y -CONFIG_USB_CDC_PHONET=m -CONFIG_USB_COMMON=y -CONFIG_USB_DEFAULT_PERSIST=y -CONFIG_USB_EHCI_HCD=y -CONFIG_USB_EHCI_PCI=y -CONFIG_USB_EHCI_TT_NEWSCHED=y -CONFIG_USB_HID=y -CONFIG_USB_KC2190=y -CONFIG_USB_NET_AQC111=m -CONFIG_USB_NET_AX88179_178A=m -CONFIG_USB_NET_AX8817X=m -CONFIG_USB_NET_CDC_EEM=m -CONFIG_USB_NET_CDCETHER=m -CONFIG_USB_NET_CDC_MBIM=m -CONFIG_USB_NET_CDC_NCM=m -CONFIG_USB_NET_CDC_SUBSET_ENABLE=m -CONFIG_USB_NET_CDC_SUBSET=m -CONFIG_USB_NET_CX82310_ETH=m -CONFIG_USB_NET_DM9601=m -CONFIG_USB_NET_DRIVERS=y -CONFIG_USB_NET_GL620A=m -CONFIG_USB_NET_HUAWEI_CDC_NCM=m -CONFIG_USB_NET_INT51X1=m -CONFIG_USB_NET_KALMIA=m -CONFIG_USB_NET_MCS7830=m -CONFIG_USB_NET_NET1080=m -CONFIG_USB_NET_PLUSB=m -CONFIG_USB_NET_QMI_WWAN=m -CONFIG_USB_NET_RNDIS_HOST=m -CONFIG_USB_NET_SMSC75XX=m -CONFIG_USB_NET_SMSC95XX=m -CONFIG_USB_NET_SR9700=m -CONFIG_USB_NET_SR9800=m -CONFIG_USB_NET_ZAURUS=m -CONFIG_USB_OHCI_HCD=m -CONFIG_USB_OHCI_HCD_PCI=m -CONFIG_USB_OHCI_HCD_PLATFORM=m -CONFIG_USB_OHCI_LITTLE_ENDIAN=y -CONFIG_USB_PCI=y -CONFIG_USB_RTL8152=m -CONFIG_USB_RTL8153_ECM=m -CONFIG_USB_SERIAL_CH341=m -CONFIG_USB_SERIAL_CONSOLE=y -CONFIG_USB_SERIAL_CP210X=m -CONFIG_USB_SERIAL_FTDI_SIO=m -CONFIG_USB_SERIAL_GENERIC=y -CONFIG_USB_SERIAL_OPTION=m -CONFIG_USB_SERIAL_PL2303=m -CONFIG_USB_SERIAL_WWAN=m -CONFIG_USB_SERIAL=y -CONFIG_USB_SIERRA_NET=m -CONFIG_USB_STORAGE=y -CONFIG_USB_SUPPORT=y -CONFIG_USB_UAS=y -CONFIG_USB_UHCI_HCD=m -CONFIG_USB_USBNET=m -CONFIG_USB_VL600=m -CONFIG_USB_WDM=m -CONFIG_USB_XHCI_HCD=y -CONFIG_USB_XHCI_PCI=y -CONFIG_USB_XHCI_PLATFORM=y -CONFIG_USB=y -CONFIG_USELIB=y -CONFIG_USE_PERCPU_NUMA_NODE_ID=y -CONFIG_USER_NS=y -CONFIG_USER_RETURN_NOTIFIER=y -CONFIG_USER_STACKTRACE_SUPPORT=y -CONFIG_UTS_NS=y -CONFIG_UVC_COMMON=m 
-CONFIG_VETH=y -CONFIG_VFAT_FS=y -CONFIG_VFIO_CONTAINER=y -CONFIG_VFIO_GROUP=y -CONFIG_VFIO_IOMMU_TYPE1=m -CONFIG_VFIO=m -CONFIG_VFIO_MDEV=m -CONFIG_VFIO_PCI_CORE=m -CONFIG_VFIO_PCI_IGD=y -CONFIG_VFIO_PCI_INTX=y -CONFIG_VFIO_PCI=m -CONFIG_VFIO_PCI_MMAP=y -CONFIG_VFIO_PCI_VGA=y -CONFIG_VFIO_VIRQFD=y -CONFIG_VGA_ARB_MAX_GPUS=16 -CONFIG_VGA_ARB=y -CONFIG_VGA_CONSOLE=y -CONFIG_VGASTATE=y -CONFIG_VHOST_IOTLB=y -CONFIG_VHOST_MENU=y -CONFIG_VHOST_NET=y -CONFIG_VHOST_TASK=y -CONFIG_VHOST_VSOCK=y -CONFIG_VHOST=y -CONFIG_VIRT_DRIVERS=y -CONFIG_VIRTIO_ANCHOR=y -CONFIG_VIRTIO_BALLOON=m -CONFIG_VIRTIO_BLK=y -CONFIG_VIRTIO_CONSOLE=y -CONFIG_VIRTIO_DMA_SHARED_BUFFER=y -CONFIG_VIRTIO_FS=y -CONFIG_VIRTIO_INPUT=m -CONFIG_VIRTIO_MENU=y -CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y -CONFIG_VIRTIO_MMIO=m -CONFIG_VIRTIO_NET=y -CONFIG_VIRTIO_PCI_LEGACY=y -CONFIG_VIRTIO_PCI_LIB_LEGACY=m -CONFIG_VIRTIO_PCI_LIB=m -CONFIG_VIRTIO_PCI=m -CONFIG_VIRTIO_VSOCKETS_COMMON=y -CONFIG_VIRTIO_VSOCKETS=y -CONFIG_VIRTIO=y -CONFIG_VIRTUALIZATION=y -CONFIG_VLAN_8021Q=y -CONFIG_VMAP_PFN=y -CONFIG_VMAP_STACK=y -CONFIG_VMD=y -CONFIG_VM_EVENT_COUNTERS=y -CONFIG_VMGENID=y -CONFIG_VSOCKETS_DIAG=y -CONFIG_VSOCKETS_LOOPBACK=y -CONFIG_VSOCKETS=y -CONFIG_VT_CONSOLE_SLEEP=y -CONFIG_VT_CONSOLE=y -CONFIG_VT_HW_CONSOLE_BINDING=y -CONFIG_VT=y -CONFIG_VXLAN=y -CONFIG_WATCHDOG_CORE=m -CONFIG_WATCHDOG_HANDLE_BOOT_ENABLED=y -CONFIG_WATCHDOG_OPEN_TIMEOUT=0 -CONFIG_WATCHDOG_SYSFS=y -CONFIG_WATCHDOG=y -CONFIG_WDAT_WDT=m -CONFIG_WIREGUARD=y -CONFIG_WIRELESS=y -CONFIG_WMI_BMOF=y -CONFIG_X509_CERTIFICATE_PARSER=y -CONFIG_X86_64_ACPI_NUMA=y -CONFIG_X86_64_SMP=y -CONFIG_X86_64=y -CONFIG_X86_ACPI_CPUFREQ_CPB=y -CONFIG_X86_ACPI_CPUFREQ=y -CONFIG_X86_AMD_PSTATE_DEFAULT_MODE=3 -CONFIG_X86_AMD_PSTATE=y -CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y -CONFIG_X86_CET=y -CONFIG_X86_CHECK_BIOS_CORRUPTION=y -CONFIG_X86_CMOV=y -CONFIG_X86_CMPXCHG64=y -CONFIG_X86_CPUID=y -CONFIG_X86_DEBUGCTLMSR=y -CONFIG_X86_DEBUG_FPU=y -CONFIG_X86_DIRECT_GBPAGES=y 
-CONFIG_X86_EXTENDED_PLATFORM=y -CONFIG_X86_HV_CALLBACK_VECTOR=y -CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y -CONFIG_X86_INTEL_PSTATE=y -CONFIG_X86_INTEL_TSX_MODE_OFF=y -CONFIG_X86_INTERNODE_CACHE_SHIFT=6 -CONFIG_X86_IO_APIC=y -CONFIG_X86_IOPL_IOPERM=y -CONFIG_X86_KERNEL_IBT=y -CONFIG_X86_L1_CACHE_SHIFT=6 -CONFIG_X86_LOCAL_APIC=y -CONFIG_X86_MCE_AMD=y -CONFIG_X86_MCE_INTEL=y -CONFIG_X86_MCE_THRESHOLD=y -CONFIG_X86_MCE=y -CONFIG_X86_MEM_ENCRYPT=y -CONFIG_X86_MINIMUM_CPU_FAMILY=64 -CONFIG_X86_MPPARSE=y -CONFIG_X86_NEED_RELOCS=y -CONFIG_X86_PAT=y -CONFIG_X86_PCC_CPUFREQ=m -CONFIG_X86_PKG_TEMP_THERMAL=y -CONFIG_X86_PLATFORM_DEVICES=y -CONFIG_X86_PM_TIMER=y -CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y -CONFIG_X86_SUPPORTS_MEMORY_FAILURE=y -CONFIG_X86_THERMAL_VECTOR=y -CONFIG_X86_TSC=y -CONFIG_X86_UMIP=y -CONFIG_X86_VERBOSE_BOOTUP=y -CONFIG_X86_VMX_FEATURE_NAMES=y -CONFIG_X86_VSYSCALL_EMULATION=y -CONFIG_X86_X2APIC=y -CONFIG_X86=y -CONFIG_XDP_SOCKETS=y -CONFIG_XFRM_AH=y -CONFIG_XFRM_ALGO=y -CONFIG_XFRM_ESP=y -CONFIG_XFRM_IPCOMP=y -CONFIG_XFRM_OFFLOAD=y -CONFIG_XFRM_USER=y -CONFIG_XFRM=y -CONFIG_XFS_DRAIN_INTENTS=y -CONFIG_XFS_FS=m -CONFIG_XFS_LIVE_HOOKS=y -CONFIG_XFS_MEMORY_BUFS=y -CONFIG_XFS_ONLINE_SCRUB_STATS=y -CONFIG_XFS_ONLINE_SCRUB=y -CONFIG_XFS_POSIX_ACL=y -CONFIG_XFS_QUOTA=y -CONFIG_XFS_RT=y -CONFIG_XFS_SUPPORT_ASCII_CI=y -CONFIG_XFS_SUPPORT_V4=y -CONFIG_XOR_BLOCKS=m -CONFIG_XPS=y -CONFIG_XXHASH=y -CONFIG_XZ_DEC_ARMTHUMB=y -CONFIG_XZ_DEC_ARM=y -CONFIG_XZ_DEC_BCJ=y -CONFIG_XZ_DEC_IA64=y -CONFIG_XZ_DEC_POWERPC=y -CONFIG_XZ_DEC_X86=y -CONFIG_XZ_DEC=y -CONFIG_ZISOFS=y -CONFIG_ZLIB_DEFLATE=y -CONFIG_ZLIB_INFLATE=y -CONFIG_ZONE_DEVICE=y -CONFIG_ZONE_DMA32=y -CONFIG_ZONE_DMA=y -CONFIG_ZONEFS_FS=m -CONFIG_ZRAM_DEF_COMP="zstd" -CONFIG_ZRAM_DEF_COMP_ZSTD=y -CONFIG_ZRAM=m -CONFIG_ZRAM_MULTI_COMP=y -CONFIG_ZRAM_WRITEBACK=y -CONFIG_ZSTD_COMMON=y -CONFIG_ZSTD_COMPRESS=y -CONFIG_ZSTD_DECOMPRESS=y 
diff --git a/modules/minimize.nix b/modules/minimize.nix deleted file mode 100644 index e679396..0000000 --- a/modules/minimize.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ modulesPath, ... }: -{ - imports = [ - "${modulesPath}/profiles/minimal.nix" - ]; - - nix.enable = false; - system.disableInstallerTools = true; - system.etc.overlay.enable = true; - systemd.sysusers.enable = true; - - programs.less.lessopen = null; - programs.command-not-found.enable = false; - - environment.defaultPackages = [ ]; - - security.sudo.enable = false; -} diff --git a/modules/network.nix b/modules/network.nix deleted file mode 100644 index 2c91f1a..0000000 --- a/modules/network.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ config, ... }: -{ - networking = { - useNetworkd = true; - hostName = ""; - - # Easy debugging. - firewall.enable = false; - }; - - services.resolved = { - fallbackDns = [ ]; # Disable fallback DNS. DNS will fail if resolvers are unconfigured - }; - - # Faster boot. - systemd.network.wait-online.enable = false; -} diff --git a/modules/partitions.nix b/modules/partitions.nix deleted file mode 100644 index b53513e..0000000 --- a/modules/partitions.nix +++ /dev/null 
@@ -1,103 +0,0 @@
-{
- config,
- pkgs,
- lib,
- modulesPath,
- ...
-}:
-{
-
- imports = [
- "${modulesPath}/image/repart.nix"
- ];
-
- image.repart =
- let
- efiArch = pkgs.stdenv.hostPlatform.efiArch;
- in
- {
- name = config.boot.uki.name;
- split = true;
-
- mkfsOptions = {
- erofs = [
- # "-zzstd,6" # Zstd compression
- # "-zlz4hc,12"
- "-T0" # Fixed timestamp for all files
- "-C262144" # 256 KiB cluster size
- # "-C65536" # 64 KiB cluster size
- # "-C1048576" # 1 MiB cluster size
- "-Efragments,dedupe,ztailpacking" # Extra features
- ];
- };
-
- partitions = {
- "esp" = {
- contents = {
- "/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source = "${pkgs.systemd}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";
- "/EFI/Linux/${config.system.boot.loader.ukiFile}".source = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}";
-
- # systemd-boot configuration
- "/loader/loader.conf".source = (
- pkgs.writeText "$out" ''
- timeout 0
- ''
- # FIXME: should not be 0 in prod
- );
- };
- repartConfig = {
- Type = "esp";
- UUID = "c12a7328-f81f-11d2-ba4b-00a0c93ec93b"; # Well known
- Format = "vfat";
- SizeMinBytes = "256M";
- SplitName = "-";
- };
- };
- "store" = {
- storePaths = [ config.system.build.toplevel ];
- stripNixStorePrefix = true;
- repartConfig = {
- Type = "linux-generic";
- Label = "${config.boot.uki.name}_${config.system.image.version}";
- Format = "erofs";
- Minimize = "best";
- ReadOnly = "yes";
- SizeMinBytes = "1G";
- SizeMaxBytes = "1G";
- SplitName = "store";
- };
- };
-
- # Placeholder for the second installed Nix store.
- "store-empty" = {
- repartConfig = {
- Type = "linux-generic";
- Label = "_empty";
- Minimize = "off";
- SizeMinBytes = "1G";
- SizeMaxBytes = "1G";
- SplitName = "-";
- };
- };
-
- # Persistent storage
- "var" = {
- repartConfig = {
- Type = "var";
- UUID = "4d21b016-b534-45c2-a9fb-5c16e091fd2d"; # Well known
- Format = "xfs";
- Label = "nixos-persistent";
- Minimize = "off";
-
- # Has to be large enough to hold update files.
- SizeMinBytes = "2G";
- SizeMaxBytes = "2G";
- SplitName = "-";
-
- # Wiping this gives us a clean state.
- FactoryReset = "yes";
- };
- };
- };
- };
-}
diff --git a/modules/patagia-agent.nix b/modules/patagia-agent.nix
deleted file mode 100644
index 17d7a62..0000000
--- a/modules/patagia-agent.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- pkgs,
- utils,
- ...
-}:
-
-{
-
- environment.etc."sysupdate.patagia-agent.d".source =
- let
- format = pkgs.formats.ini { listToValue = toString; };
- in
- utils.systemdUtils.lib.definitions "sysupdate.patagia-agent.d" format {
- "10-image.conf" = {
- Source = {
- MatchPattern = "patagia-agent_@v.raw";
- Path = "https://images.dl.patagia.dev/patagia-agent/";
- Type = "url-file";
- };
-
- Target = {
- InstancesMax = 2;
- Path = "/var/lib/extensions";
- CurrentSymlink = "/etc/systemd/extensions/patagia-agent.raw";
- Type = "regular-file";
- MatchPattern = "patagia-agent_@v.raw";
- };
-
- Transfer = {
- Verify = "no"; # FIXME: verify
- };
- };
- };
-}
diff --git a/modules/profiles/base.nix b/modules/profiles/base.nix
new file mode 100644
index 0000000..5cb46f5
--- /dev/null
+++ b/modules/profiles/base.nix
@@ -0,0 +1,86 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
+{
+ imports = [
+ (modulesPath + "/profiles/image-based-appliance.nix")
+ (modulesPath + "/profiles/perlless.nix")
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ # system.forbiddenDependenciesRegexes = lib.mkForce [ ];
+
+ nixpkgs.flake.setNixPath = false;
+ nixpkgs.flake.setFlakeRegistry = false;
+
+ networking.hostName = "patos";
+
+ boot.kernelModules = [
+ "zram"
+ "usb_storage"
+ "uas"
+ "sd_mod"
+ "r8169"
+ "ehci-hcd"
+ "ehci-pci"
+ "xhci-hcd"
+ "xhci-pci"
+ "xhci-pci-renesas"
+ "nvme"
+ "virtio_net"
+ ];
+
+ system.etc.overlay.mutable = lib.mkDefault false;
+ users.mutableUsers = lib.mkDefault false;
+
+
+ systemd.watchdog = lib.mkDefault {
+ runtimeTime = "10s";
+ rebootTime = "30s";
+ };
+
+ zramSwap.enable = true;
+
+ services.openssh.settings.PasswordAuthentication = lib.mkDefault false;
+
+ users.allowNoPasswordLogin = true;
+ security.sudo.enable = lib.mkDefault false;
+
+ security.polkit = {
+ enable = true;
+ extraConfig =''
+ polkit.addRule(function(action, subject) {
+ if (subject.isInGroup("wheel")) {
+ return polkit.Result.YES;
+ }
+ });
+ '';
+ };
+
+ i18n.supportedLocales = [ "en_US.UTF-8/UTF-8" ];
+
+ systemd.enableEmergencyMode = false;
+ console.enable = false;
+ systemd.services."getty@tty1".enable = lib.mkDefault false;
+ systemd.services."autovt@".enable = lib.mkDefault false;
+
+ boot.tmp.useTmpfs = true;
+ boot.consoleLogLevel = lib.mkDefault 1;
+ boot.kernelParams = [
+ "panic=1"
+ "boot.panic_on_fail"
+ "nomodeset"
+ ];
+
+ # This is vi country
+ programs.nano.enable = false;
+ programs.vim.enable = true;
+ programs.vim.defaultEditor = lib.mkDefault true;
+
+ # Logging
+ services.journald.storage = "volatile";
+}
diff --git a/modules/profiles/network.nix b/modules/profiles/network.nix
new file mode 100644
index 0000000..d090994
--- /dev/null
+++ b/modules/profiles/network.nix
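Review bot: The polkit rule in modules/profiles/base.nix returns `polkit.Result.YES` for every action as soon as the subject is in `wheel`, so any process running as a wheel member gets root-equivalent polkit authorization with no authentication step. With `users.allowNoPasswordLogin = true` and sudo disabled this looks like the intended admin path, but the rule should be narrowed to the action ids that are actually needed, e.g. `if (subject.isInGroup("wheel") && action.id.indexOf("org.freedesktop.systemd1.") === 0)`, or at least carry a comment stating that wheel is root-equivalent by design. Separately, `services.journald.storage = "volatile"` means logs do not survive a reboot, which deserves a comment for anyone who expects to read them after an incident.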
@@ -0,0 +1,56 @@
+{ lib, ... }:
+{
+ # Use TCP BBR
+ boot.kernel.sysctl = {
+ "net.core.default_qdisc" = "fq";
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ };
+
+ services.resolved.extraConfig = ''
+ DNSStubListener=no
+ '';
+
+ networking.firewall.enable = false;
+
+ networking.nftables.enable = lib.mkDefault true;
+
+ networking.useNetworkd = true;
+ systemd.network.wait-online.enable = true;
+
+ # Explicitly load networking modules
+ boot.kernelModules = [
+ "ip_tables"
+ "x_tables"
+ "nf_tables"
+ "nft_ct"
+ "nft_log"
+ "nf_log_syslog"
+ "nft_fib"
+ "nft_fib_inet"
+ "nft_compat"
+ "nft_nat"
+ "nft_chain_nat"
+ "nft_masq"
+ "nfnetlink"
+ "xt_conntrack"
+ "nf_conntrack"
+ "nf_log_syslog"
+ "nf_nat"
+ "af_packet"
+ "bridge"
+ "veth"
+ "tcp_bbr"
+ "sch_fq_codel"
+ "ipt_rpfilter"
+ "ip6t_rpfilter"
+ "sch_fq"
+ "tun"
+ "tap"
+ "xt_MASQUERADE"
+ "xt_mark"
+ "xt_comment"
+ "xt_multiport"
+ "xt_addrtype"
+ ];
+
+}
diff --git a/modules/profiles/server.nix b/modules/profiles/server.nix
new file mode 100644
index 0000000..7a828f3
--- /dev/null
+++ b/modules/profiles/server.nix
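Review bot: `networking.firewall.enable = false;` in modules/profiles/network.nix is set without `lib.mkDefault` and without the "Easy debugging" comment that the deleted modules/network.nix carried, and nothing in this hunk supplies an nftables ruleset, so `networking.nftables.enable` on its own appears to leave every listening port unfiltered. If the intent is that each deployment brings its own ruleset, say so and keep the option overridable: `networking.firewall.enable = lib.mkDefault false; # no default filtering; deployments must set networking.nftables.ruleset`. `"nf_log_syslog"` is also listed twice in `boot.kernelModules`.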
@@ -0,0 +1,43 @@
+{
+ modulesPath,
+ ...
+}:
+{
+
+ imports = [
+ (modulesPath + "/profiles/minimal.nix")
+ ./network.nix
+ ];
+
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_unprivileged_port_start" = 0;
+ };
+
+ users.users."admin" = {
+ isNormalUser = true;
+ linger = true;
+ extraGroups = [ "wheel" ];
+ };
+
+ environment.etc = {
+ subuid = {
+ text = "admin:100000:65536";
+ mode = "0644";
+ };
+
+ subgid = {
+ text = "admin:100000:65536";
+ mode = "0644";
+ };
+ };
+
+ services.openssh.enable = true;
+ system.image.sshKeys.enable = true;
+ system.image.sshKeys.keys = [
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIHMAEZx02kbHrEygyPQYStiXlrIe6EIqBCv7anIkL0pAAAABHNzaDo= dln1"
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJNOBFoU7Cdsgi4KpYRcv7EhR/8kD4DYjEZnwk6urRx7AAAABHNzaDo= dln2"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKDx+7ZEJi7lUCAtoHRRIduJzH3hrpx4YS1f0ZxrJ+uW dln3"
+ ];
+
+ virtualisation.podman.enable = true;
+}
diff --git a/modules/sysext.nix b/modules/sysext.nix
deleted file mode 100644
index ce0e181..0000000
--- a/modules/sysext.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ config, pkgs, ... }:
-{
- system.activationScripts.sysext = ''
- mkdir -p /var/lib/confexts
- mkdir -p /var/lib/extensions
- mkdir -p /etc/systemd/extensions
- '';
-
- systemd.additionalUpstreamSystemUnits = [
- "systemd-confext.service"
- "systemd-sysext.service"
- ];
-
- systemd.services."systemd-confext" = {
- enable = true;
- wantedBy = [ "multi-user.target" ];
- };
-
- systemd.services."systemd-sysext.service" = {
- enable = true;
- wantedBy = [ "multi-user.target" ];
- };
-}
diff --git a/modules/system_overrides.nix b/modules/system_overrides.nix
deleted file mode 100644
index 1627d28..0000000
--- a/modules/system_overrides.nix
+++ /dev/null
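Review bot: The three public keys in `system.image.sshKeys.keys` (comments `dln1` to `dln3`) are hard-coded in the reusable modules/profiles/server.nix, so every image built from this profile accepts those keys for `admin`, which the same hunk puts in `wheel`. Key material belongs in per-deployment configuration with the profile defaulting to nothing, e.g. `system.image.sshKeys.keys = lib.mkDefault [ ];` (this needs `lib` added to the module arguments). `"net.ipv4.ip_unprivileged_port_start" = 0` lets any unprivileged process bind ports below 1024 system-wide; if it is there for rootless podman, which is only a guess from this hunk, a comment such as `# rootless podman publishes low ports` should say so.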
@@ -1,5 +0,0 @@
-{ lib, options, ... }: {
- # This fields is immutable by default, but can be overridden.
- options.system.nixos.codeName = lib.mkOption { readOnly = false; };
- options.system.nixos.release = lib.mkOption { readOnly = false; };
-}
diff --git a/modules/sysupdate.nix b/modules/sysupdate.nix
deleted file mode 100644
index 8d05b14..0000000
--- a/modules/sysupdate.nix
+++ /dev/null
@@ -1,90 +0,0 @@ -{ config, pkgs, ... }: -let - gpgPubKeyStaging = '' - -----BEGIN PGP PUBLIC KEY BLOCK----- - - mDMEZvb3mhYJKwYBBAHaRw8BAQdAvyH7AMLukMEF/1as7auAh757//LlO/kBG8pm - zhOlTj20LFBhdGFnaWEgU3RhZ2luZyA8bm9yZXBseStzdGFnaW5nQHBhdGFnaWEu - aW8+iJQEExYKADwWIQTjWE8tGxWc+3+vxyy1R4V5MjgMzAUCZvb3mgIbAwUJBaOa - gAQLCQgHBBUKCQgFFgIDAQACHgUCF4AACgkQtUeFeTI4DMwDWAEAlMAhSZh086Ux - OfLBR1QYgHtXmk6tObJurWkZq6cGICwA/2fBOtZcLfAPRWYPLHAtsqtFrO6CIyQG - H6n4Iv3D5ZsCuDgEZvb3mhIKKwYBBAGXVQEFAQEHQPKKcltfHlELIHf0AYcd0nOe - GaWcAnoW4o3zLZUVNnlpAwEIB4h+BBgWCgAmFiEE41hPLRsVnPt/r8cstUeFeTI4 - DMwFAmb295oCGwwFCQWjmoAACgkQtUeFeTI4DMzuegEA62XIq4Ir+4DWdTql58bA - +0Vr89dMQsAxwVzGGzl8D8wBAMuPY6/2SwbA7KwWuz8L/cTPQVLBt+TSdYeuCBps - e5UE - =m2st - -----END PGP PUBLIC KEY BLOCK----- - ''; - gpgKeyring = pkgs.runCommand "gpg-keyring" { buildInputs = [ pkgs.gnupg ]; } '' - mkdir -p $out - export GNUPGHOME=$out - gpg --no-default-keyring --keyring=$out/import-pubring.gpg --fingerprint - gpg --no-default-keyring --keyring=$out/import-pubring.gpg --import <<< '${gpgPubKeyStaging}' - rm $out/S.scdaemon $out/S.gpg-agent $out/S.gpg-agent.* - ''; -in -{ - environment.etc."systemd/import-pubring.gpg".source = "${gpgKeyring}/import-pubring.gpg"; - - systemd.sysupdate = { - enable = true; - - transfers = { - "10-uki" = { - Source = { - MatchPattern = [ - "${config.boot.uki.name}_@v.efi.xz" - ]; - - Path = "https://images.dl.patagia.dev/patos/"; - Type = "url-file"; - }; - Target = { - InstancesMax = 2; - MatchPattern = [ - "${config.boot.uki.name}_@v.efi" - ]; - - Mode = "0444"; - Path = "/EFI/Linux"; - PathRelativeTo = "boot"; - - Type = "regular-file"; - }; - Transfer = { - ProtectVersion = "%A"; - Verify = "no"; - }; - }; - - "20-store" = { - Source = { - MatchPattern = [ - "${config.boot.uki.name}_@v.img.xz" - ]; - Path = "https://images.dl.patagia.dev/patos/"; - Type = "url-file"; - }; - - Target = { - InstancesMax = 2; - - # This doesn't work, because / is a tmpfs and the heuristic is not that 
smart.
- #
- # Path = "auto";
- Path = "/dev/sda";
-
- MatchPattern = "${config.boot.uki.name}_@v";
-
- Type = "partition";
- ReadOnly = "yes";
- };
- Transfer = {
- Verify = "no";
- };
- };
-
- };
- };
-}
diff --git a/modules/utils.nix b/modules/utils.nix
deleted file mode 100644
index befd4bf..0000000
--- a/modules/utils.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- config,
- pkgs,
- lib,
- ...
-}:
-let
- script = pkgs.writeShellScriptBin "patos-upgrade.sh" ''
- systemd-sysupdate --verify=no
- systemd-sysupdate --verify=no update --reboot
- '';
-
- patos-install = pkgs.writeShellApplication {
- name = "patos-install";
- text = ''
- set -xeuo pipefail
- curl -s https://images.dl.patagia.dev/patos/patos_0.0.1.raw.zst |
- zstdcat |
- dd of=/dev/sdb status=progress bs=4M
- '';
- };
-in
-{
- environment.systemPackages = [
- # pkgs.ncdu
- patos-install
- script
- ];
-}
diff --git a/pkgs/composefs.nix b/pkgs/composefs.nix
new file mode 100644
index 0000000..91e8443
--- /dev/null
+++ b/pkgs/composefs.nix
@@ -0,0 +1,5 @@
+{ prev, ... }:
+
+prev.composefs.overrideAttrs (final: prev: {
+ doCheck = false;
+})
diff --git a/pkgs/linux-firmware.nix b/pkgs/linux-firmware.nix
new file mode 100644
index 0000000..8f03d8c
--- /dev/null
+++ b/pkgs/linux-firmware.nix
@@ -0,0 +1,12 @@
+{ stdenv, lib
+, linux-firmware
+, fwDirs
+}: stdenv.mkDerivation {
+ pname = "linux-firmware-minimal";
+ version = linux-firmware.version;
+ buildCommand = lib.concatStringsSep "\n" (
+ [''mkdir -p "$out/lib/firmware"'']
+ ++ (map (name: ''
+ cp -r "${linux-firmware}/lib/firmware/${name}" "$out/lib/firmware/${name}"
+ '') fwDirs));
+}
diff --git a/pkgs/openssh.nix b/pkgs/openssh.nix
new file mode 100644
index 0000000..91de381
--- /dev/null
+++ b/pkgs/openssh.nix
@@ -0,0 +1,7 @@
+{ prev, ... }:
+
+prev.openssh.overrideAttrs (final: prev: {
+ doCheck = false;
+ doInstallCheck = false;
+ dontCheck = true;
+})
diff --git a/pkgs/qemu.nix b/pkgs/qemu.nix
new file mode 100644
index 0000000..93e67dd
--- /dev/null
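Review bot: pkgs/composefs.nix sets `doCheck = false` and pkgs/openssh.nix sets `doCheck = false; doInstallCheck = false;` with no comment, so if these overrides feed the image, its sshd is built without the upstream test suite and nothing records why. For a security-critical package a one-line reason belongs next to the flag, e.g. `# tests fail in the minimal build sandbox (see <ISSUE-ID>); re-enable once fixed`, or the override should go if build time is the only motive. `dontCheck = true` does not look like an attribute stdenv reads (as far as I know that name is a Haskell helper function), so it probably only changes the derivation hash and can be dropped.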
+++ b/pkgs/qemu.nix
@@ -0,0 +1,30 @@
+{ prev, pkgs, ... }:
+
+(prev.qemu_test.override {
+ enableDocs = false;
+ capstoneSupport = false;
+ guestAgentSupport = false;
+ tpmSupport = false;
+ libiscsiSupport = false;
+ usbredirSupport = false;
+ canokeySupport = false;
+ hostCpuTargets = [ "x86_64-softmmu" ];
+}).overrideDerivation (old: {
+ postFixup = ''
+ rm -r "$out/share/icons"
+ cp "${pkgs.OVMF.fd + "/FV/OVMF.fd"}" "$out/share/qemu/"
+ '';
+ configureFlags = old.configureFlags ++ [
+ "--disable-tcg"
+ "--disable-tcg-interpreter"
+ "--disable-docs"
+ "--disable-install-blobs"
+ "--disable-slirp"
+ "--disable-virtfs"
+ "--disable-virtfs-proxy-helper"
+ "--disable-vhost-user-blk-server"
+ "--without-default-features"
+ "--enable-kvm"
+ "--disable-tools"
+ ];
+})
diff --git a/pkgs/systemd-ukify.nix b/pkgs/systemd-ukify.nix
new file mode 100644
index 0000000..b8e9d55
--- /dev/null
+++ b/pkgs/systemd-ukify.nix
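Review bot: pkgs/qemu.nix builds QEMU with `tpmSupport = false` and `--disable-slirp`, while the harness added in this same patch passes `-tpmdev emulator` and a `user` netdev (tests/common.nix, utils/qemu-uefi-tpm.nix), so if this package is ever the QEMU those run against, the TPM-backed paths cannot start. The overlay wiring is outside this hunk, so this may be intended for a different purpose; a header comment naming that purpose would stop someone swapping it in. `postFixup` is also replaced rather than extended and `overrideDerivation` is the legacy form; `overrideAttrs (old: { postFixup = (old.postFixup or "") + '' … ''; })` keeps the upstream fixup steps.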
@@ -0,0 +1,48 @@
+{ prev, ... }:
+
+prev.systemd.override {
+ withAcl = false;
+ withAnalyze = false;
+ withApparmor = false;
+ withAudit = false;
+ withEfi = true;
+ withCompression = false;
+ withCoredump = false;
+ withCryptsetup = false;
+ withRepart = false;
+ withDocumentation = false;
+ withFido2 = false;
+ withFirstboot = false;
+ withHomed = false;
+ withHostnamed = false;
+ withHwdb = false;
+ withImportd = false;
+ withIptables = false;
+ withKmod = false;
+ withLibBPF = false;
+ withLibidn2 = false;
+ withLocaled = false;
+ withLogind = false;
+ withMachined = false;
+ withNetworkd = false;
+ withNss = false;
+ withOomd = false;
+ withPam = false;
+ withPasswordQuality = false;
+ withPCRE2 = false;
+ withPolkit = false;
+ withPortabled = false;
+ withQrencode = false;
+ withRemote = false;
+ withResolved = false;
+ withShellCompletions = false;
+ withSysusers = false;
+ withSysupdate = false;
+ withTimedated = false;
+ withTimesyncd = false;
+ withTpm2Tss = false;
+ withUkify = true;
+ withUserDb = false;
+ withUtmp = false;
+ withVmspawn = false;
+}
diff --git a/pkgs/systemd.nix b/pkgs/systemd.nix
new file mode 100644
index 0000000..2d52e9a
--- /dev/null
+++ b/pkgs/systemd.nix
@@ -0,0 +1,10 @@
+{ prev, ... }:
+
+prev.systemd.override {
+ withAcl = false;
+ withApparmor = false;
+ withDocumentation = false;
+ withRemote = false;
+ withShellCompletions = false;
+ withVmspawn = false;
+}
diff --git a/tests/common.nix b/tests/common.nix
new file mode 100644
index 0000000..23232be
--- /dev/null
+++ b/tests/common.nix
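Review bot: Neither pkgs/systemd-ukify.nix nor pkgs/systemd.nix says what it is for, and the two are easy to confuse: the ukify variant has `withCryptsetup`, `withTpm2Tss`, `withSysupdate` and `withPolkit` off, which would break the encrypted-state and update paths if it ever became the running systemd. A header comment on the ukify file, e.g. `# Build-time tool only (ukify); never use as the system's systemd`, assuming that is the intent, would make the boundary explicit. In pkgs/systemd.nix, `withApparmor = false` and `withAcl = false` remove hardening-relevant features from what looks like the image's systemd, so each deserves a short reason next to it.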
@@ -0,0 +1,154 @@ +{ + self, + lib, + pkgs, + ... +}: + +with import (pkgs.path + "/nixos/lib/testing-python.nix") { + inherit pkgs; + inherit (pkgs.hostPlatform) system; +}; + +let + qemu-common = import (pkgs.path + "/nixos/lib/qemu-common.nix") { inherit lib pkgs; }; + +in +rec { + + makeSystem = + extraConfig: + (import (pkgs.path + "/nixos/lib/eval-config.nix")) { + inherit pkgs lib; + system = null; + modules = [ + { + nixpkgs.hostPlatform = pkgs.hostPlatform; + } + { + users.allowNoPasswordLogin = true; + system.stateVersion = lib.versions.majorMinor lib.version; + system.image.id = lib.mkDefault "test"; + system.image.version = lib.mkDefault "1"; + networking.hosts."10.0.2.1" = [ "server.test" ]; + } + { + boot.kernelParams = [ + "console=ttyS0,115200n8" + "systemd.journald.forward_to_console=1" + ]; + image.compress = false; + boot.initrd.compressor = lib.mkForce "zstd"; + boot.initrd.compressorArgs = lib.mkForce [ "-8" ]; + } + (pkgs.path + "/nixos/modules/testing/test-instrumentation.nix") + self.nixosModules.server + self.nixosModules.image + extraConfig + ]; + }; + + makeImage = + extraConfig: + let + system = makeSystem extraConfig; + in + "${system.config.system.build.image}/${system.config.system.build.image.imageFile}"; + + makeUpdatePackage = + extraConfig: + let + system = makeSystem extraConfig; + in + "${system.config.system.build.updatePackage}"; + + makeImageTest = + { + name, + image, + script, + httpRoot ? 
null, + }: + let + qemu = qemu-common.qemuBinary pkgs.qemu_test; + flags = [ + "-m" + "512M" + "-drive" + "if=pflash,format=raw,unit=0,readonly=on,file=${pkgs.OVMF.firmware}" + "-drive" + "if=pflash,format=raw,unit=1,readonly=on,file=${pkgs.OVMF.variables}" + "-drive" + "if=virtio,file=${mutableImage}" + "-chardev" + "socket,id=chrtpm,path=${tpmFolder}/swtpm-sock" + "-tpmdev" + "emulator,id=tpm0,chardev=chrtpm" + "-device" + "tpm-tis,tpmdev=tpm0" + "-netdev" + ( + "'user,id=net0" + + (lib.optionalString ( + httpRoot != null + ) ",guestfwd=tcp:10.0.2.1:80-cmd:${pkgs.micro-httpd}/bin/micro_httpd ${httpRoot}") + + "'" + ) + "-device" + "virtio-net-pci,netdev=net0" + ]; + flagsStr = lib.concatStringsSep " " flags; + startCommand = "${qemu} ${flagsStr}"; + mutableImage = "/tmp/linked-image.qcow2"; + tpmFolder = "/tmp/emulated_tpm"; + indentLines = str: lib.concatLines (map (s: " " + s) (lib.splitString "\n" str)); + in + makeTest { + inherit name; + nodes = { }; + testScript = + '' + import os + import subprocess + + subprocess.check_call( + [ + "qemu-img", + "create", + "-f", + "qcow2", + "-F", + "raw", + "-b", + "${image}", + "${mutableImage}", + ] + ) + subprocess.check_call(["qemu-img", "resize", "${mutableImage}", "4G"]) + + os.mkdir("${tpmFolder}") + os.mkdir("${tpmFolder}/swtpm") + + def start_tpm(): + subprocess.Popen( + [ + "${pkgs.swtpm}/bin/swtpm", + "socket", + "--tpmstate", "dir=${tpmFolder}/swtpm", + "--ctrl", "type=unixio,path=${tpmFolder}/swtpm-sock", + "--tpm2" + ] + ) + + machine = create_machine("${startCommand}") + + try: + '' + + indentLines script + + '' + finally: + machine.shutdown() + ''; + }; + +} diff --git a/tests/lib.nix b/tests/lib.nix new file mode 100644 index 0000000..4b905fa --- /dev/null +++ b/tests/lib.nix 
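Review bot: `start_tpm()` in tests/common.nix launches swtpm with `subprocess.Popen` and returns at once, and the test scripts call `machine.start()` immediately afterwards, so QEMU can try to connect to `${tpmFolder}/swtpm-sock` before the socket exists; nothing here waits for it or checks that swtpm stayed up. Polling before returning, e.g. `while not os.path.exists("${tpmFolder}/swtpm-sock"): time.sleep(0.1)` with `import time` and an upper bound on the loop, would make the TPM-dependent tests deterministic. `mutableImage` and `tpmFolder` are fixed paths under `/tmp`, which is fine only as long as the script runs inside the isolated test build; a comment stating that assumption would help.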
@@ -0,0 +1,9 @@
+test:
+{ pkgs, self }:
+ let nixos-lib = import (pkgs.path + "/nixos/lib") {};
+in (nixos-lib.runTest {
+ hostPkgs = pkgs;
+ defaults.documentation.enable = false;
+ node.specialArgs = { inherit self; };
+ imports = [ test ];
+}).config.result
diff --git a/tests/podman.nix b/tests/podman.nix
new file mode 100644
index 0000000..0a3747f
--- /dev/null
+++ b/tests/podman.nix
@@ -0,0 +1,22 @@
+{ pkgs, self }: let
+
+ lib = pkgs.lib;
+ test-common = import ./common.nix { inherit self lib pkgs; };
+
+ image = test-common.makeImage { };
+
+in test-common.makeImageTest {
+ name = "podman";
+ inherit image;
+ script = ''
+ start_tpm()
+ machine.start()
+
+ machine.wait_for_unit("multi-user.target")
+ machine.wait_for_unit("network-online.target")
+
+ machine.succeed("tar cv --files-from /dev/null | su admin -l -c 'podman import - scratchimg'")
+
+ machine.succeed("su admin -l -c 'podman run --rm -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg true'")
+ '';
+}
diff --git a/tests/ssh-preseed.nix b/tests/ssh-preseed.nix
new file mode 100644
index 0000000..b67681c
--- /dev/null
+++ b/tests/ssh-preseed.nix
@@ -0,0 +1,37 @@
+{ pkgs, self }:
+let
+ lib = pkgs.lib;
+ test-common = import ./common.nix { inherit self lib pkgs; };
+ sshKeys = import (pkgs.path + "/nixos/tests/ssh-keys.nix") pkgs;
+
+ image = test-common.makeImage {
+ system.image.sshKeys.keys = [ sshKeys.snakeOilPublicKey ];
+ system.extraDependencies = [ sshKeys.snakeOilPrivateKey ];
+ };
+
+in
+test-common.makeImageTest {
+ name = "ssh-preseed";
+ inherit image;
+ script = ''
+ start_tpm()
+ machine.start()
+
+ machine.wait_for_unit("multi-user.target")
+
+ machine.succeed("[ -e /efi/default-ssh-authorized-keys.txt ]")
+ machine.succeed("[ -e /home/admin/.ssh/authorized_keys ]")
+
+ machine.wait_for_open_port(22)
+
+ machine.succeed(
+ "cat ${sshKeys.snakeOilPrivateKey} > privkey.snakeoil"
+ )
+ machine.succeed("chmod 600 privkey.snakeoil")
+
+ machine.succeed(
+ "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil admin@127.0.0.1 true",
+ timeout=30
+ )
+ '';
+}
diff --git a/tests/system-update.nix b/tests/system-update.nix
new file mode 100644
index 0000000..26f793e
--- /dev/null
+++ b/tests/system-update.nix
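Review bot: The ssh-preseed test only checks that `/home/admin/.ssh/authorized_keys` exists, not who owns it or whether others can write to it, so a regression in how the preseed step creates the file would go unnoticed as long as login still works. An assertion such as `machine.succeed("[ \"$(stat -c '%U %a' /home/admin/.ssh/authorized_keys)\" = 'admin 600' ]")`, with the mode adjusted to whatever modules/image/disk/ssh.nix actually sets, pins that. The test also shows the key list coming from `/efi/default-ssh-authorized-keys.txt`; if `/efi` is the ESP, that file sits outside the verity-protected partitions the commit message describes, so anyone able to write the ESP can add a login key, and that trust decision should be stated in a comment.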
@@ -0,0 +1,45 @@
+{ pkgs, self }: let
+
+ lib = pkgs.lib;
+ test-common = import ./common.nix { inherit self lib pkgs; };
+
+ initialImage = test-common.makeImage {
+ system.image.version = "1";
+ system.image.updates.url = "http://server.test/";
+ # The default root-b is too small for uncompressed test images
+ systemd.repart.partitions."32-root-b" = {
+ SizeMinBytes = lib.mkForce "1G";
+ SizeMaxBytes = lib.mkForce "1G";
+ };
+ };
+
+ updatePackage = test-common.makeUpdatePackage {
+ system.image.version = "2";
+ system.image.updates.url = "http://server.test/";
+ };
+
+in test-common.makeImageTest {
+ name = "system-update";
+ image = initialImage;
+ httpRoot = updatePackage;
+ script = ''
+ start_tpm()
+ machine.start()
+
+ machine.wait_for_unit("multi-user.target")
+ machine.wait_for_unit("network-online.target")
+
+ machine.succeed("/run/current-system/sw/lib/systemd/systemd-sysupdate update")
+
+ machine.shutdown()
+
+ start_tpm()
+ machine.start()
+
+ machine.wait_for_unit("multi-user.target")
+
+ machine.succeed('. /etc/os-release; [ "$IMAGE_VERSION" == "2" ]')
+
+ machine.wait_for_unit("systemd-bless-boot.service")
+ '';
+}
diff --git a/utils/qemu-uefi-tpm.nix b/utils/qemu-uefi-tpm.nix
new file mode 100644
index 0000000..7cc36c7
--- /dev/null
+++ b/utils/qemu-uefi-tpm.nix
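Review bot: The system-update test serves the update over plain `http://server.test/` and asserts only that `IMAGE_VERSION` becomes `2`, so it passes whether or not systemd-sysupdate verifies what it downloads. The deleted modules/sysupdate.nix had `Verify = "no"` on both transfers, and this test would not notice if the new updater kept that setting. A second case that serves a modified update package and expects `machine.fail("/run/current-system/sw/lib/systemd/systemd-sysupdate update")` would make signature checking something the suite enforces. The updater module is outside this hunk, so whether verification is currently on cannot be told from here.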
@@ -0,0 +1,49 @@
+{
+ config,
+ pkgs,
+ ...
+}:
+pkgs.writeShellApplication {
+ name = "qemu-uefi-tpm";
+
+ runtimeInputs = with pkgs; [
+ qemu
+ swtpm
+ ];
+
+ text =
+ let
+ tpmOVMF = pkgs.OVMF.override { tpmSupport = true; };
+ in
+ ''
+ set -ex
+ state="/tmp/patos-qemu-$USER"
+ rm -rf "$state"
+ mkdir -m 700 "$state"
+ qemu-img create -f qcow2 -F raw -b "$(readlink -e "$1")" "$state/disk.qcow2" 10G
+
+ swtpm socket -d --tpmstate dir="$state" \
+ --ctrl type=unixio,path="$state/swtpm-sock" \
+ --tpm2 \
+ --log level=20
+
+ qemu-system-x86_64 \
+ -enable-kvm \
+ -machine q35,accel=kvm \
+ -cpu host \
+ -smp 8 \
+ -m 4G \
+ -display none \
+ -chardev "stdio,id=char0,mux=on,logfile=$state/console.log,signal=off" \
+ -serial chardev:char0 \
+ -mon chardev=char0 \
+ -drive "if=pflash,format=raw,unit=0,readonly=on,file=${tpmOVMF.firmware}" \
+ -drive "if=pflash,format=raw,unit=1,readonly=on,file=${tpmOVMF.variables}" \
+ -chardev socket,id=chrtpm,path="$state/swtpm-sock" \
+ -tpmdev emulator,id=tpm0,chardev=chrtpm \
+ -device tpm-tis,tpmdev=tpm0 \
+ -netdev id=net00,type=user,hostfwd=tcp::2222-:22 \
+ -device virtio-net-pci,netdev=net00 \
+ -drive "format=qcow2,file=$state/disk.qcow2"
+ '';
+}
--
2.47.0
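Review bot: `hostfwd=tcp::2222-:22` in utils/qemu-uefi-tpm.nix binds the forward on every host interface, so the guest's sshd is reachable from whatever network the developer machine sits on; `hostfwd=tcp:127.0.0.1:2222-:22` keeps it local. The state directory is the predictable `/tmp/patos-qemu-$USER`, removed and recreated on each run, and it holds the swtpm state and control socket; `state="$(mktemp -d -t patos-qemu.XXXXXX)"` gives a private directory without the `rm -rf`/`mkdir` pair. `swtpm socket -d` is also left running if QEMU never connects, so a `trap` that stops swtpm and removes `$state` on exit would tidy that up.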