| blob | 0f7606c79b5320b7e4a0545c876f1db2fb571400 |
1 # WARNING/NOTE: whenever you want to add an option here you need to either
2 # * mark it as an optional one with `option`,
3 # * or make sure it works for all the versions in nixpkgs,
4 # * or check for which kernel versions it will work (using kernel
5 # changelog, google or whatever) and mark it with `whenOlder` or
6 # `whenAtLeast`.
7 # Then do test your change by building all the kernels (or at least
8 # their configs) in Nixpkgs or else you will guarantee lots and lots
9 # of pain to users trying to switch to an older kernel because of some
10 # hardware problems with a new one.
12 # Configuration
13 {
14 lib,
15 stdenv,
16 version,
17 rustAvailable,
19 features ? { },
20 }:
22 with lib.kernel;
23 with (lib.kernel.whenHelpers version);
25 let
26 # configuration items have to be part of a subattrs
27 flattenKConf =
28 nested:
29 lib.mapAttrs (
30 name: values:
31 if lib.length values == 1 then
32 lib.head values
33 else
34 throw "duplicate kernel configuration option: ${name}"
35 ) (lib.zipAttrs (lib.attrValues nested));
37 whenPlatformHasEBPFJit = lib.mkIf (
38 stdenv.hostPlatform.isAarch32
39 || stdenv.hostPlatform.isAarch64
40 || stdenv.hostPlatform.isx86_64
41 || (stdenv.hostPlatform.isPower && stdenv.hostPlatform.is64bit)
42 || (stdenv.hostPlatform.isMips && stdenv.hostPlatform.is64bit)
43 );
45 forceRust = features.rust or false;
46 kernelSupportsRust = lib.versionAtLeast version "6.7";
48 # Currently only enabling Rust by default on kernel 6.12+,
49 # which actually has features that use Rust that we want.
50 defaultRust = lib.versionAtLeast version "6.12" && rustAvailable;
51 withRust =
52 assert lib.assertMsg (!(forceRust && !kernelSupportsRust)) ''
53 Kernels below 6.7 (the kernel being built is ${version}) don't support Rust.
54 '';
55 (forceRust || defaultRust) && kernelSupportsRust;
57 options = {
59 debug = {
60 # Necessary for BTF and crashkernel
61 DEBUG_INFO = yes;
62 DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT = whenAtLeast "5.18" yes;
63 # Reduced debug info conflict with BTF and have been enabled in
64 # aarch64 defconfig since 5.13
65 DEBUG_INFO_REDUCED = whenAtLeast "5.13" (option no);
66 DEBUG_INFO_BTF = option yes;
67 # Allow loading modules with mismatched BTFs
68 # FIXME: figure out how to actually make BTFs reproducible instead
69 # See https://github.com/NixOS/nixpkgs/pull/181456 for details.
70 MODULE_ALLOW_BTF_MISMATCH = whenAtLeast "5.18" (option yes);
71 BPF_LSM = whenAtLeast "5.7" (option yes);
72 DEBUG_KERNEL = yes;
73 DEBUG_DEVRES = no;
74 DYNAMIC_DEBUG = yes;
75 DEBUG_STACK_USAGE = no;
76 RCU_TORTURE_TEST = no;
77 SCHEDSTATS = yes;
78 DETECT_HUNG_TASK = yes;
79 CRASH_DUMP = yes;
80 # Easier debugging of NFS issues.
81 SUNRPC_DEBUG = yes;
82 # Provide access to tunables like sched_migration_cost_ns
83 SCHED_DEBUG = yes;
85 # Count IRQ and steal CPU time separately
86 IRQ_TIME_ACCOUNTING = yes;
87 PARAVIRT_TIME_ACCOUNTING = yes;
89 # Enable CPU lockup detection
90 LOCKUP_DETECTOR = yes;
91 SOFTLOCKUP_DETECTOR = yes;
92 HARDLOCKUP_DETECTOR = lib.mkIf (
93 with stdenv.hostPlatform; isPower || isx86 || lib.versionAtLeast version "6.5"
94 ) yes;
96 # Enable streaming logs to a remote device over a network
97 NETCONSOLE = module;
98 NETCONSOLE_DYNAMIC = yes;
100 # Export known printks in debugfs
101 PRINTK_INDEX = whenAtLeast "5.15" yes;
103 # Enable crashkernel support
104 PROC_VMCORE = yes;
105 };
107 power-management =
108 {
109 CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = yes;
110 CPU_FREQ_GOV_SCHEDUTIL = yes;
111 PM_DEBUG = yes;
112 PM_ADVANCED_DEBUG = yes;
113 PM_WAKELOCKS = yes;
114 POWERCAP = yes;
115 # ACPI Firmware Performance Data Table Support
116 ACPI_FPDT = whenAtLeast "5.12" (option yes);
117 # ACPI Heterogeneous Memory Attribute Table Support
118 ACPI_HMAT = option yes;
119 # ACPI Platform Error Interface
120 ACPI_APEI = (option yes);
121 # APEI Generic Hardware Error Source
122 ACPI_APEI_GHES = (option yes);
124 # Enable lazy RCUs for power savings:
125 # https://lore.kernel.org/rcu/20221019225138.GA2499943@paulmck-ThinkPad-P17-Gen-1/
126 # RCU_LAZY depends on RCU_NOCB_CPU depends on NO_HZ_FULL
127 # depends on HAVE_VIRT_CPU_ACCOUNTING_GEN depends on 64BIT,
128 # so we can't force-enable this
129 RCU_LAZY = whenAtLeast "6.2" (option yes);
131 # Auto suspend Bluetooth devices at idle
132 BT_HCIBTUSB_AUTOSUSPEND = yes;
134 # Expose cpufreq stats in sysfs
135 CPU_FREQ_STAT = yes;
137 # Enable CPU energy model for scheduling
138 ENERGY_MODEL = whenAtLeast "5.0" yes;
140 # Enable thermal interface netlink API
141 THERMAL_NETLINK = whenAtLeast "5.9" yes;
143 # Prefer power-efficient workqueue implementation to per-CPU workqueues,
144 # which is slightly slower, but improves battery life.
145 # This is opt-in per workqueue, and can be disabled globally with a kernel command line option.
146 WQ_POWER_EFFICIENT_DEFAULT = yes;
148 # Default SATA link power management to "medium with device initiated PM"
149 # for some extra power savings.
150 SATA_MOBILE_LPM_POLICY = whenAtLeast "5.18" (freeform "3");
152 # GPIO power management
153 POWER_RESET_GPIO = option yes;
154 POWER_RESET_GPIO_RESTART = option yes;
156 # Enable Pulse-Width-Modulation support, commonly used for fan and backlight.
157 PWM = yes;
158 }
159 // lib.optionalAttrs (stdenv.hostPlatform.isx86) {
160 INTEL_IDLE = yes;
161 INTEL_RAPL = module;
162 X86_INTEL_LPSS = yes;
163 X86_INTEL_PSTATE = yes;
164 X86_AMD_PSTATE = whenAtLeast "5.17" yes;
165 # Intel DPTF (Dynamic Platform and Thermal Framework) Support
166 ACPI_DPTF = whenAtLeast "5.10" yes;
168 # Required to bring up some Bay Trail devices properly
169 I2C = yes;
170 I2C_DESIGNWARE_CORE = yes;
171 I2C_DESIGNWARE_PLATFORM = yes;
172 PMIC_OPREGION = whenAtLeast "5.10" yes;
173 INTEL_SOC_PMIC = whenAtLeast "5.10" yes;
174 BYTCRC_PMIC_OPREGION = whenAtLeast "5.10" yes;
175 CHTCRC_PMIC_OPREGION = whenAtLeast "5.10" yes;
176 XPOWER_PMIC_OPREGION = whenAtLeast "5.10" yes;
177 BXT_WC_PMIC_OPREGION = whenAtLeast "5.10" yes;
178 INTEL_SOC_PMIC_CHTWC = whenAtLeast "5.10" yes;
179 CHT_WC_PMIC_OPREGION = whenAtLeast "5.10" yes;
180 INTEL_SOC_PMIC_CHTDC_TI = whenAtLeast "5.10" yes;
181 CHT_DC_TI_PMIC_OPREGION = whenAtLeast "5.10" yes;
182 MFD_TPS68470 = whenBetween "5.10" "5.13" yes;
183 TPS68470_PMIC_OPREGION = whenAtLeast "5.10" yes;
185 # Enable Intel thermal hardware feedback
186 INTEL_HFI_THERMAL = whenAtLeast "5.18" yes;
187 };
189 external-firmware = {
190 # Support drivers that need external firmware.
191 STANDALONE = no;
192 };
194 proc-config-gz = {
195 # Make /proc/config.gz available
196 IKCONFIG = yes;
197 IKCONFIG_PROC = yes;
198 };
200 optimization = {
201 X86_GENERIC = lib.mkIf (stdenv.hostPlatform.system == "i686-linux") yes;
202 # Optimize with -O2, not -Os
203 CC_OPTIMIZE_FOR_SIZE = no;
204 };
206 memory =
207 {
208 DAMON = whenAtLeast "5.15" yes;
209 DAMON_VADDR = whenAtLeast "5.15" yes;
210 DAMON_PADDR = whenAtLeast "5.16" yes;
211 DAMON_SYSFS = whenAtLeast "5.18" yes;
212 DAMON_DBGFS = whenBetween "5.15" "6.9" yes;
213 DAMON_RECLAIM = whenAtLeast "5.16" yes;
214 DAMON_LRU_SORT = whenAtLeast "6.0" yes;
215 # Support recovering from memory failures on systems with ECC and MCA recovery.
216 MEMORY_FAILURE = yes;
218 # Collect ECC errors and retire pages that fail too often
219 RAS_CEC = lib.mkIf stdenv.hostPlatform.isx86 yes;
220 }
221 // lib.optionalAttrs (stdenv.hostPlatform.is32bit) {
222 # Enable access to the full memory range (aka PAE) on 32-bit architectures
223 # This check isn't super accurate but it's close enough
224 HIGHMEM = option yes;
225 BOUNCE = option yes;
226 };
228 memtest = {
229 MEMTEST = yes;
230 };
232 # Include the CFQ I/O scheduler in the kernel, rather than as a
233 # module, so that the initrd gets a good I/O scheduler.
234 scheduler = {
235 IOSCHED_CFQ = whenOlder "5.0" yes; # Removed in 5.0-RC1
236 BLK_CGROUP = yes; # required by CFQ"
237 BLK_CGROUP_IOLATENCY = yes;
238 BLK_CGROUP_IOCOST = yes;
239 IOSCHED_DEADLINE = whenOlder "5.0" yes; # Removed in 5.0-RC1
240 MQ_IOSCHED_DEADLINE = yes;
241 BFQ_GROUP_IOSCHED = yes;
242 MQ_IOSCHED_KYBER = yes;
243 IOSCHED_BFQ = module;
244 # Enable CPU utilization clamping for RT tasks
245 UCLAMP_TASK = yes;
246 UCLAMP_TASK_GROUP = yes;
247 };
249 timer = {
250 # Enable Full Dynticks System.
251 # NO_HZ_FULL depends on HAVE_VIRT_CPU_ACCOUNTING_GEN depends on 64BIT
252 NO_HZ_FULL = lib.mkIf stdenv.hostPlatform.is64bit yes;
253 };
255 # Enable NUMA.
256 numa = {
257 NUMA = option yes;
258 NUMA_BALANCING = option yes;
259 };
261 networking =
262 {
263 NET = yes;
264 IP_ADVANCED_ROUTER = yes;
265 IP_PNP = no;
266 IP_ROUTE_MULTIPATH = yes;
267 IP_VS_PROTO_TCP = yes;
268 IP_VS_PROTO_UDP = yes;
269 IP_VS_PROTO_ESP = yes;
270 IP_VS_PROTO_AH = yes;
271 IP_VS_IPV6 = yes;
272 IP_DCCP_CCID3 = no; # experimental
273 CLS_U32_PERF = yes;
274 CLS_U32_MARK = yes;
275 BPF_JIT = whenPlatformHasEBPFJit yes;
276 BPF_JIT_ALWAYS_ON = whenPlatformHasEBPFJit no; # whenPlatformHasEBPFJit yes; # see https://github.com/NixOS/nixpkgs/issues/79304
277 HAVE_EBPF_JIT = whenPlatformHasEBPFJit yes;
278 BPF_STREAM_PARSER = yes;
279 XDP_SOCKETS = yes;
280 XDP_SOCKETS_DIAG = yes;
281 WAN = yes;
282 TCP_CONG_ADVANCED = yes;
283 TCP_CONG_CUBIC = yes; # This is the default congestion control algorithm since 2.6.19
284 # Required by systemd per-cgroup firewalling
285 CGROUP_BPF = option yes;
286 CGROUP_NET_PRIO = yes; # Required by systemd
287 IP_ROUTE_VERBOSE = yes;
288 IP_MROUTE = yes;
289 IP_MROUTE_MULTIPLE_TABLES = yes;
290 IP_MULTICAST = yes;
291 IP_MULTIPLE_TABLES = yes;
292 IPV6 = yes;
293 IPV6_ROUTER_PREF = yes;
294 IPV6_ROUTE_INFO = yes;
295 IPV6_OPTIMISTIC_DAD = yes;
296 IPV6_MULTIPLE_TABLES = yes;
297 IPV6_SUBTREES = yes;
298 IPV6_MROUTE = yes;
299 IPV6_MROUTE_MULTIPLE_TABLES = yes;
300 IPV6_PIMSM_V2 = yes;
301 IPV6_FOU_TUNNEL = module;
302 IPV6_SEG6_LWTUNNEL = yes;
303 IPV6_SEG6_HMAC = yes;
304 IPV6_SEG6_BPF = yes;
305 NET_CLS_BPF = module;
306 NET_ACT_BPF = module;
307 NET_SCHED = yes;
308 L2TP_V3 = yes;
309 L2TP_IP = module;
310 L2TP_ETH = module;
311 BRIDGE_VLAN_FILTERING = yes;
312 BONDING = module;
313 NET_L3_MASTER_DEV = option yes;
314 NET_FOU_IP_TUNNELS = option yes;
315 IP_NF_TARGET_REDIRECT = module;
316 NETKIT = whenAtLeast "6.7" yes;
318 PPP_MULTILINK = yes; # PPP multilink support
319 PPP_FILTER = yes;
321 # needed for iwd WPS support (wpa_supplicant replacement)
322 KEY_DH_OPERATIONS = yes;
324 # needed for nftables
325 # Networking Options
326 NETFILTER = yes;
327 NETFILTER_ADVANCED = yes;
328 # Core Netfilter Configuration
329 NF_CONNTRACK_ZONES = yes;
330 NF_CONNTRACK_EVENTS = yes;
331 NF_CONNTRACK_TIMEOUT = yes;
332 NF_CONNTRACK_TIMESTAMP = yes;
333 NETFILTER_NETLINK_GLUE_CT = yes;
334 NF_TABLES_INET = yes;
335 NF_TABLES_NETDEV = yes;
336 NFT_REJECT_NETDEV = whenAtLeast "5.11" module;
338 # IP: Netfilter Configuration
339 NF_TABLES_IPV4 = yes;
340 NF_TABLES_ARP = yes;
341 # IPv6: Netfilter Configuration
342 NF_TABLES_IPV6 = yes;
343 # Bridge Netfilter Configuration
344 NF_TABLES_BRIDGE = module;
345 # Expose some debug info
346 NF_CONNTRACK_PROCFS = yes;
347 NF_FLOW_TABLE_PROCFS = whenAtLeast "6.0" yes;
349 # needed for `dropwatch`
350 # Builtin-only since https://github.com/torvalds/linux/commit/f4b6bcc7002f0e3a3428bac33cf1945abff95450
351 NET_DROP_MONITOR = yes;
353 # needed for ss
354 # Use a lower priority to allow these options to be overridden in hardened/config.nix
355 INET_DIAG = lib.mkDefault module;
356 INET_TCP_DIAG = lib.mkDefault module;
357 INET_UDP_DIAG = lib.mkDefault module;
358 INET_RAW_DIAG = lib.mkDefault module;
359 INET_DIAG_DESTROY = lib.mkDefault yes;
361 # IPsec over TCP
362 INET_ESPINTCP = whenAtLeast "5.8" yes;
363 INET6_ESPINTCP = whenAtLeast "5.8" yes;
365 # enable multipath-tcp
366 MPTCP = whenAtLeast "5.6" yes;
367 MPTCP_IPV6 = whenAtLeast "5.6" yes;
368 INET_MPTCP_DIAG = whenAtLeast "5.9" (lib.mkDefault module);
370 # Kernel TLS
371 TLS = module;
372 TLS_DEVICE = yes;
374 # infiniband
375 INFINIBAND = module;
376 INFINIBAND_IPOIB = module;
377 INFINIBAND_IPOIB_CM = yes;
379 # Enable debugfs for wireless drivers
380 CFG80211_DEBUGFS = yes;
381 MAC80211_DEBUGFS = yes;
382 }
383 // lib.optionalAttrs (stdenv.hostPlatform.system == "aarch64-linux") {
384 # Not enabled by default, hides modules behind it
385 NET_VENDOR_MEDIATEK = yes;
386 # Enable SoC interface for MT7915 module, required for MT798X.
387 MT7986_WMAC = whenBetween "5.18" "6.6" yes;
388 MT798X_WMAC = whenAtLeast "6.6" yes;
389 };
391 wireless = {
392 CFG80211_WEXT = option yes; # Without it, ipw2200 drivers don't build
393 IPW2100_MONITOR = option yes; # support promiscuous mode
394 IPW2200_MONITOR = option yes; # support promiscuous mode
395 HOSTAP_FIRMWARE = whenOlder "6.8" (option yes); # Support downloading firmware images with Host AP driver
396 HOSTAP_FIRMWARE_NVRAM = whenOlder "6.8" (option yes);
397 MAC80211_MESH = option yes; # Enable 802.11s (mesh networking) support
398 ATH9K_PCI = option yes; # Detect Atheros AR9xxx cards on PCI(e) bus
399 ATH9K_AHB = option yes; # Ditto, AHB bus
400 # The description of this option makes it sound dangerous or even illegal
401 # But OpenWRT enables it by default: https://github.com/openwrt/openwrt/blob/master/package/kernel/mac80211/Makefile#L55
402 # At the time of writing (25-06-2023): this is only used in a "correct" way by ath drivers for initiating DFS radiation
403 # for "certified devices"
404 EXPERT = option yes; # this is needed for offering the certification option
405 RFKILL_INPUT = option yes; # counteract an undesired effect of setting EXPERT
406 CFG80211_CERTIFICATION_ONUS = option yes;
407 # DFS: "Dynamic Frequency Selection" is a spectrum-sharing mechanism that allows
408 # you to use certain interesting frequency when your local regulatory domain mandates it.
409 # ATH drivers hides the feature behind this option and makes hostapd works with DFS frequencies.
410 # OpenWRT enables it too: https://github.com/openwrt/openwrt/blob/master/package/kernel/mac80211/ath.mk#L42
411 ATH9K_DFS_CERTIFIED = option yes;
412 ATH10K_DFS_CERTIFIED = option yes;
413 B43_PHY_HT = option yes;
414 BCMA_HOST_PCI = option yes;
415 RTW88 = module;
416 RTW88_8822BE = lib.mkMerge [
417 (whenOlder "5.8" yes)
418 (whenAtLeast "5.8" module)
419 ];
420 RTW88_8822CE = lib.mkMerge [
421 (whenOlder "5.8" yes)
422 (whenAtLeast "5.8" module)
423 ];
424 };
426 fb = {
427 FB = yes;
428 FB_EFI = yes;
429 FB_NVIDIA_I2C = yes; # Enable DDC Support
430 FB_RIVA_I2C = yes;
431 FB_ATY_CT = yes; # Mach64 CT/VT/GT/LT (incl. 3D RAGE) support
432 FB_ATY_GX = yes; # Mach64 GX support
433 FB_SAVAGE_I2C = yes;
434 FB_SAVAGE_ACCEL = yes;
435 FB_SIS_300 = yes;
436 FB_SIS_315 = yes;
437 FB_3DFX_ACCEL = yes;
438 FB_VESA = lib.mkIf stdenv.hostPlatform.isx86 yes;
439 FRAMEBUFFER_CONSOLE = yes;
440 FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = yes;
441 FRAMEBUFFER_CONSOLE_ROTATION = yes;
442 FRAMEBUFFER_CONSOLE_DETECT_PRIMARY = yes;
443 FB_GEODE = lib.mkIf (stdenv.hostPlatform.system == "i686-linux") yes;
444 # Use simplefb on older kernels where we don't have simpledrm (enabled below)
445 FB_SIMPLE = whenOlder "5.15" yes;
446 DRM_FBDEV_EMULATION = yes;
447 };
449 fonts = {
450 FONTS = yes;
451 # Default fonts enabled if FONTS is not set
452 FONT_8x8 = yes;
453 FONT_8x16 = yes;
454 # High DPI font
455 FONT_TER16x32 = whenAtLeast "5.0" yes;
456 };
458 video =
459 let
460 whenHasDevicePrivate = lib.mkIf (!stdenv.hostPlatform.isx86_32);
461 in
462 {
463 # compile in DRM so simpledrm can load before initrd if necessary
464 AGP = lib.mkIf (with stdenv.hostPlatform; isPower || isx86) yes;
465 DRM = yes;
467 DRM_LEGACY = whenOlder "6.8" no;
469 # Must be the same as CONFIG_DRM
470 BACKLIGHT_CLASS_DEVICE = yes;
472 NOUVEAU_LEGACY_CTX_SUPPORT = whenOlder "6.3" no;
474 # Enable simpledrm and use it for generic framebuffer
475 # Technically added in 5.14, but adding more complex configuration is not worth it
476 DRM_SIMPLEDRM = whenAtLeast "5.15" yes;
477 SYSFB_SIMPLEFB = whenAtLeast "5.15" yes;
479 # Allow specifying custom EDID on the kernel command line
480 DRM_LOAD_EDID_FIRMWARE = yes;
481 VGA_SWITCHEROO = lib.mkIf stdenv.hostPlatform.isx86 yes; # Hybrid graphics support
482 DRM_GMA500 = lib.mkIf stdenv.hostPlatform.isx86 (whenAtLeast "5.12" module);
483 DRM_GMA600 = lib.mkIf stdenv.hostPlatform.isx86 (whenOlder "5.13" yes);
484 DRM_GMA3600 = lib.mkIf stdenv.hostPlatform.isx86 (whenOlder "5.12" yes);
485 DRM_VMWGFX_FBCON = lib.mkIf stdenv.hostPlatform.isx86 (whenOlder "6.1" yes);
486 # (experimental) amdgpu support for verde and newer chipsets
487 DRM_AMDGPU_SI = yes;
488 # (stable) amdgpu support for bonaire and newer chipsets
489 DRM_AMDGPU_CIK = yes;
490 # Allow device firmware updates
491 DRM_DP_AUX_CHARDEV = whenOlder "6.10" yes;
492 DRM_DISPLAY_DP_AUX_CHARDEV = whenAtLeast "6.10" yes;
493 # amdgpu display core (DC) support
494 DRM_AMD_DC_DCN1_0 = whenOlder "5.6" yes;
495 DRM_AMD_DC_DCN2_0 = whenOlder "5.6" yes;
496 DRM_AMD_DC_DCN2_1 = whenOlder "5.6" yes;
497 DRM_AMD_DC_DCN3_0 = lib.mkIf (with stdenv.hostPlatform; isx86) (whenBetween "5.9" "5.11" yes);
498 DRM_AMD_DC_DCN = lib.mkIf (with stdenv.hostPlatform; isx86 || isPower64) (
499 whenBetween "5.11" "6.4" yes
500 );
501 DRM_AMD_DC_FP = whenAtLeast "6.4" yes;
502 DRM_AMD_DC_HDCP = whenBetween "5.5" "6.4" yes;
503 DRM_AMD_DC_SI = whenAtLeast "5.10" yes;
505 # Enable AMD Audio Coprocessor support for HDMI outputs
506 DRM_AMD_ACP = yes;
508 # Enable AMD secure display when available
509 DRM_AMD_SECURE_DISPLAY = lib.mkIf (
510 with stdenv.hostPlatform;
511 (lib.versionAtLeast version "5.13" && (isx86 || isPower64))
512 || (lib.versionAtLeast version "6.2" && isAarch64 && !stdenv.cc.isClang)
513 || (lib.versionAtLeast version "6.5" && isLoongArch64 && !stdenv.cc.isClang)
514 || (lib.versionAtLeast version "6.10" && isRiscV64 && !stdenv.cc.isClang)
515 ) yes;
517 # Enable AMD image signal processor
518 DRM_AMD_ISP = whenAtLeast "6.11" yes;
520 # Enable new firmware (and by extension NVK) for compatible hardware on Nouveau
521 DRM_NOUVEAU_GSP_DEFAULT = whenAtLeast "6.8" yes;
523 # Enable Nouveau shared virtual memory (used by OpenCL)
524 DEVICE_PRIVATE = whenHasDevicePrivate yes;
525 DRM_NOUVEAU_SVM = whenHasDevicePrivate yes;
527 # Enable HDMI-CEC receiver support
528 RC_CORE = yes;
529 MEDIA_CEC_RC = whenAtLeast "5.10" yes;
531 # Enable CEC over DisplayPort
532 DRM_DP_CEC = whenOlder "6.10" yes;
533 DRM_DISPLAY_DP_AUX_CEC = whenAtLeast "6.10" yes;
534 }
535 // lib.optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") {
536 # Intel GVT-g graphics virtualization supports 64-bit only
537 DRM_I915_GVT = yes;
538 DRM_I915_GVT_KVMGT = module;
539 # Enable Hyper-V Synthetic DRM Driver
540 DRM_HYPERV = whenAtLeast "5.14" module;
541 # And disable the legacy framebuffer driver when we have the new one
542 FB_HYPERV = whenAtLeast "5.14" no;
543 }
544 // lib.optionalAttrs (stdenv.hostPlatform.system == "aarch64-linux") {
545 # enable HDMI-CEC on RPi boards
546 DRM_VC4_HDMI_CEC = yes;
547 # Enable HDMI out on platforms using the RK3588 lineup of SoCs.
548 ROCKCHIP_DW_HDMI_QP = whenAtLeast "6.13" yes;
549 };
551 # Enable Rust and features that depend on it
552 # Use a lower priority to allow these options to be overridden in hardened/config.nix
553 rust = lib.optionalAttrs withRust {
554 RUST = yes;
556 # These don't technically require Rust but we probably want to get some more testing
557 # on the whole DRM panic setup before shipping it by default.
558 DRM_PANIC = whenAtLeast "6.12" yes;
559 DRM_PANIC_SCREEN = whenAtLeast "6.12" (freeform "kmsg");
561 DRM_PANIC_SCREEN_QR_CODE = whenAtLeast "6.12" yes;
562 };
564 sound =
565 {
566 SND_DYNAMIC_MINORS = yes;
567 SND_AC97_POWER_SAVE = yes; # AC97 Power-Saving Mode
568 # 10s for the idle timeout, Fedora does 1, Arch does 10.
569 # The kernel says we should do 10.
570 # Read: https://docs.kernel.org/sound/designs/powersave.html
571 SND_AC97_POWER_SAVE_DEFAULT = freeform "10";
572 SND_HDA_POWER_SAVE_DEFAULT = freeform "10";
573 SND_HDA_INPUT_BEEP = yes; # Support digital beep via input layer
574 SND_HDA_RECONFIG = yes; # Support reconfiguration of jack functions
575 # Support configuring jack functions via fw mechanism at boot
576 SND_HDA_PATCH_LOADER = yes;
577 SND_HDA_CODEC_CA0132_DSP = whenOlder "5.7" yes; # Enable DSP firmware loading on Creative Soundblaster Z/Zx/ZxR/Recon
578 SND_HDA_CODEC_CS8409 = whenAtLeast "6.6" module; # Cirrus Logic HDA Bridge CS8409
579 SND_OSSEMUL = yes;
580 SND_USB_CAIAQ_INPUT = yes;
581 SND_USB_AUDIO_MIDI_V2 = whenAtLeast "6.5" yes;
582 # Enable Sound Open Firmware support
583 }
584 // lib.optionalAttrs
585 (stdenv.hostPlatform.system == "x86_64-linux" && lib.versionAtLeast version "5.5")
586 {
587 SND_SOC_INTEL_SOUNDWIRE_SOF_MACH = whenAtLeast "5.10" module;
588 SND_SOC_INTEL_USER_FRIENDLY_LONG_NAMES = whenAtLeast "5.10" yes; # dep of SOF_MACH
589 SND_SOC_SOF_INTEL_SOUNDWIRE_LINK = whenBetween "5.10" "5.11" yes; # dep of SOF_MACH
590 SND_SOC_SOF_TOPLEVEL = yes;
591 SND_SOC_SOF_ACPI = module;
592 SND_SOC_SOF_PCI = module;
593 SND_SOC_SOF_APOLLOLAKE = whenAtLeast "5.12" module;
594 SND_SOC_SOF_APOLLOLAKE_SUPPORT = whenOlder "5.12" yes;
595 SND_SOC_SOF_CANNONLAKE = whenAtLeast "5.12" module;
596 SND_SOC_SOF_CANNONLAKE_SUPPORT = whenOlder "5.12" yes;
597 SND_SOC_SOF_COFFEELAKE = whenAtLeast "5.12" module;
598 SND_SOC_SOF_COFFEELAKE_SUPPORT = whenOlder "5.12" yes;
599 SND_SOC_SOF_COMETLAKE = whenAtLeast "5.12" module;
600 SND_SOC_SOF_COMETLAKE_H_SUPPORT = whenOlder "5.8" yes;
601 SND_SOC_SOF_COMETLAKE_LP_SUPPORT = whenOlder "5.12" yes;
602 SND_SOC_SOF_ELKHARTLAKE = whenAtLeast "5.12" module;
603 SND_SOC_SOF_ELKHARTLAKE_SUPPORT = whenOlder "5.12" yes;
604 SND_SOC_SOF_GEMINILAKE = whenAtLeast "5.12" module;
605 SND_SOC_SOF_GEMINILAKE_SUPPORT = whenOlder "5.12" yes;
606 SND_SOC_SOF_HDA_AUDIO_CODEC = yes;
607 SND_SOC_SOF_HDA_COMMON_HDMI_CODEC = whenOlder "5.7" yes;
608 SND_SOC_SOF_HDA_LINK = yes;
609 SND_SOC_SOF_ICELAKE = whenAtLeast "5.12" module;
610 SND_SOC_SOF_ICELAKE_SUPPORT = whenOlder "5.12" yes;
611 SND_SOC_SOF_INTEL_TOPLEVEL = yes;
612 SND_SOC_SOF_JASPERLAKE = whenAtLeast "5.12" module;
613 SND_SOC_SOF_JASPERLAKE_SUPPORT = whenOlder "5.12" yes;
614 SND_SOC_SOF_MERRIFIELD = whenAtLeast "5.12" module;
615 SND_SOC_SOF_MERRIFIELD_SUPPORT = whenOlder "5.12" yes;
616 SND_SOC_SOF_TIGERLAKE = whenAtLeast "5.12" module;
617 SND_SOC_SOF_TIGERLAKE_SUPPORT = whenOlder "5.12" yes;
618 };
620 usb = {
621 USB = yes; # compile USB core into kernel, so we can use USB_SERIAL_CONSOLE before modules
623 USB_EHCI_ROOT_HUB_TT = yes; # Root Hub Transaction Translators
624 USB_EHCI_TT_NEWSCHED = yes; # Improved transaction translator scheduling
625 USB_HIDDEV = yes; # USB Raw HID Devices (like monitor controls and Uninterruptable Power Supplies)
627 # default to dual role mode
628 USB_DWC2_DUAL_ROLE = yes;
629 USB_DWC3_DUAL_ROLE = yes;
630 };
632 usb-serial = {
633 USB_SERIAL = yes;
634 USB_SERIAL_GENERIC = yes; # USB Generic Serial Driver
635 USB_SERIAL_CONSOLE = yes; # Allow using USB serial adapter as console
636 U_SERIAL_CONSOLE = whenAtLeast "5.10" yes; # Allow using USB gadget as console
637 };
639 # Filesystem options - in particular, enable extended attributes and
640 # ACLs for all filesystems that support them.
641 filesystem = {
642 FANOTIFY = yes;
643 FANOTIFY_ACCESS_PERMISSIONS = yes;
645 TMPFS = yes;
646 TMPFS_POSIX_ACL = yes;
647 FS_ENCRYPTION = yes;
649 EXT2_FS_XATTR = yes;
650 EXT2_FS_POSIX_ACL = yes;
651 EXT2_FS_SECURITY = yes;
653 EXT3_FS_POSIX_ACL = yes;
654 EXT3_FS_SECURITY = yes;
656 EXT4_FS_POSIX_ACL = yes;
657 EXT4_FS_SECURITY = yes;
659 NTFS_FS = whenBetween "5.15" "6.9" no;
660 NTFS3_LZX_XPRESS = whenAtLeast "5.15" yes;
661 NTFS3_FS_POSIX_ACL = whenAtLeast "5.15" yes;
663 REISERFS_FS_XATTR = option yes;
664 REISERFS_FS_POSIX_ACL = option yes;
665 REISERFS_FS_SECURITY = option yes;
667 JFS_POSIX_ACL = option yes;
668 JFS_SECURITY = option yes;
670 XFS_QUOTA = option yes;
671 XFS_POSIX_ACL = option yes;
672 XFS_RT = option yes; # XFS Realtime subvolume support
673 XFS_ONLINE_SCRUB = option yes;
675 OCFS2_DEBUG_MASKLOG = option no;
677 BTRFS_FS_POSIX_ACL = yes;
679 BCACHEFS_QUOTA = whenAtLeast "6.7" (option yes);
680 BCACHEFS_POSIX_ACL = whenAtLeast "6.7" (option yes);
682 UBIFS_FS_ADVANCED_COMPR = option yes;
684 F2FS_FS = module;
685 F2FS_FS_SECURITY = option yes;
686 F2FS_FS_COMPRESSION = whenAtLeast "5.6" yes;
687 UDF_FS = module;
689 NFSD_V2_ACL = whenOlder "5.10" yes;
690 NFSD_V3 = whenOlder "5.10" yes;
691 NFSD_V3_ACL = yes;
692 NFSD_V4 = yes;
693 NFSD_V4_SECURITY_LABEL = yes;
695 NFS_FS = module;
696 NFS_FSCACHE = yes;
697 NFS_SWAP = yes;
698 NFS_V3_ACL = yes;
699 NFS_V4_1 = yes; # NFSv4.1 client support
700 NFS_V4_2 = yes;
701 NFS_V4_SECURITY_LABEL = yes;
702 NFS_LOCALIO = whenAtLeast "6.12" yes;
704 CIFS_XATTR = yes;
705 CIFS_POSIX = option yes;
706 CIFS_FSCACHE = yes;
707 CIFS_WEAK_PW_HASH = whenOlder "5.15" yes;
708 CIFS_UPCALL = yes;
709 CIFS_DFS_UPCALL = yes;
711 CEPH_FSCACHE = yes;
712 CEPH_FS_POSIX_ACL = yes;
714 SQUASHFS_FILE_DIRECT = yes;
715 SQUASHFS_DECOMP_MULTI_PERCPU = whenOlder "6.2" yes;
716 SQUASHFS_CHOICE_DECOMP_BY_MOUNT = whenAtLeast "6.2" yes;
717 SQUASHFS_XATTR = yes;
718 SQUASHFS_ZLIB = yes;
719 SQUASHFS_LZO = yes;
720 SQUASHFS_XZ = yes;
721 SQUASHFS_LZ4 = yes;
722 SQUASHFS_ZSTD = yes;
724 # Native Language Support modules, needed by some filesystems
725 NLS = yes;
726 NLS_DEFAULT = freeform "utf8";
727 NLS_UTF8 = module;
728 NLS_CODEPAGE_437 = module; # VFAT default for the codepage= mount option
729 NLS_ISO8859_1 = module; # VFAT default for the iocharset= mount option
731 # Needed to use the installation iso image. Not included in all defconfigs (e.g. arm64)
732 ISO9660_FS = module;
734 DEVTMPFS = yes;
736 UNICODE = yes; # Casefolding support for filesystems
737 };
739 security =
740 {
741 # Report BUG() conditions and kill the offending process.
742 BUG = yes;
743 BUG_ON_DATA_CORRUPTION = yes;
745 FORTIFY_SOURCE = option yes;
747 # https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html
748 DEBUG_LIST = yes;
750 HARDENED_USERCOPY = yes;
751 RANDOMIZE_BASE = option yes;
752 STRICT_KERNEL_RWX = yes;
753 STRICT_MODULE_RWX = yes;
754 STRICT_DEVMEM = lib.mkDefault yes; # Filter access to /dev/mem
755 IO_STRICT_DEVMEM = lib.mkDefault yes;
757 # Prevent processes from ptracing non-children processes
758 SECURITY_YAMA = option yes;
759 # The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem access) for a set of processes.
760 # This does not have any effect if a program does not support it
761 SECURITY_LANDLOCK = whenAtLeast "5.13" yes;
763 DEVKMEM = lib.mkIf (!stdenv.hostPlatform.isAarch64) (whenOlder "5.13" no); # Disable /dev/kmem
765 USER_NS = yes; # Support for user namespaces
767 SECURITY_APPARMOR = yes;
768 DEFAULT_SECURITY_APPARMOR = yes;
770 SECURITY_DMESG_RESTRICT = yes;
772 RANDOM_TRUST_CPU = whenOlder "6.2" yes; # allow RDRAND to seed the RNG
773 RANDOM_TRUST_BOOTLOADER = whenOlder "6.2" yes; # allow the bootloader to seed the RNG
775 MODULE_SIG = no; # r13y, generates a random key during build and bakes it in
776 # Depends on MODULE_SIG and only really helps when you sign your modules
777 # and enforce signatures which we don't do by default.
778 SECURITY_LOCKDOWN_LSM = no;
780 # provides a register of persistent per-UID keyrings, useful for encrypting storage pools in stratis
781 PERSISTENT_KEYRINGS = yes;
782 # enable temporary caching of the last request_key() result
783 KEYS_REQUEST_CACHE = yes;
784 # randomized slab caches
785 RANDOM_KMALLOC_CACHES = whenAtLeast "6.6" yes;
787 # NIST SP800-90A DRBG modes - enabled by most distributions
788 # and required by some out-of-tree modules (ShuffleCake)
789 # This does not include the NSA-backdoored Dual-EC mode from the same NIST publication.
790 CRYPTO_DRBG_HASH = yes;
791 CRYPTO_DRBG_CTR = yes;
793 # Enable KFENCE
794 # See: https://docs.kernel.org/dev-tools/kfence.html
795 KFENCE = whenAtLeast "5.12" yes;
797 # Enable support for page poisoning. Still needs to be enabled on the command line to actually work.
798 PAGE_POISONING = yes;
799 # Randomize page allocator when page_alloc.shuffle=1
800 SHUFFLE_PAGE_ALLOCATOR = yes;
802 INIT_ON_ALLOC_DEFAULT_ON = yes;
804 # Enable stack smashing protections in schedule()
805 # See: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v4.8&id=0d9e26329b0c9263d4d9e0422d80a0e73268c52f
806 SCHED_STACK_END_CHECK = yes;
808 # Enable separate slab buckets for user controlled allocations
809 # See: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=67f2df3b82d091ed095d0e47e1f3a9d3e18e4e41
810 SLAB_BUCKETS = whenAtLeast "6.11" yes;
811 }
812 // lib.optionalAttrs stdenv.hostPlatform.isx86_64 {
813 # Enable Intel SGX
814 X86_SGX = whenAtLeast "5.11" yes;
815 # Allow KVM guests to load SGX enclaves
816 X86_SGX_KVM = whenAtLeast "5.13" yes;
818 # AMD Cryptographic Coprocessor (CCP)
819 CRYPTO_DEV_CCP = yes;
820 # AMD SME
821 AMD_MEM_ENCRYPT = yes;
822 # AMD SEV and AMD SEV-SE
823 KVM_AMD_SEV = yes;
824 # AMD SEV-SNP
825 SEV_GUEST = whenAtLeast "5.19" module;
826 # Shadow stacks
827 X86_USER_SHADOW_STACK = whenAtLeast "6.6" yes;
829 # Enable support for Intel Trust Domain Extensions (TDX)
830 INTEL_TDX_GUEST = whenAtLeast "5.19" yes;
831 TDX_GUEST_DRIVER = whenAtLeast "6.2" module;
833 # Mitigate straight line speculation at the cost of some file size
834 SLS = whenBetween "5.17" "6.9" yes;
835 MITIGATION_SLS = whenAtLeast "6.9" yes;
837 DEFAULT_MMAP_MIN_ADDR = freeform "65536";
838 }
839 // lib.optionalAttrs stdenv.hostPlatform.isAarch64 {
840 DEFAULT_MMAP_MIN_ADDR = freeform "32768";
841 };
843 microcode = {
844 MICROCODE = lib.mkIf stdenv.hostPlatform.isx86 yes;
845 MICROCODE_INTEL = lib.mkIf stdenv.hostPlatform.isx86 (whenOlder "6.6" yes);
846 MICROCODE_AMD = lib.mkIf stdenv.hostPlatform.isx86 (whenOlder "6.6" yes);
847 # Write Back Throttling
848 # https://lwn.net/Articles/682582/
849 # https://bugzilla.kernel.org/show_bug.cgi?id=12309#c655
850 BLK_WBT = yes;
851 BLK_WBT_SQ = whenOlder "5.0" yes; # Removed in 5.0-RC1
852 BLK_WBT_MQ = yes;
853 };
855 container = {
856 NAMESPACES = yes; # Required by 'unshare' used by 'nixos-install'
857 RT_GROUP_SCHED = no;
858 CGROUP_DEVICE = yes;
859 CGROUP_HUGETLB = yes;
860 CGROUP_PERF = yes;
861 CGROUP_RDMA = yes;
863 MEMCG = yes;
864 MEMCG_SWAP = whenOlder "6.1" yes;
866 BLK_DEV_THROTTLING = yes;
867 CFQ_GROUP_IOSCHED = whenOlder "5.0" yes; # Removed in 5.0-RC1
868 CGROUP_PIDS = yes;
869 };
871 staging = {
872 # Enable staging drivers. These are somewhat experimental, but
873 # they generally don't hurt.
874 STAGING = yes;
875 };
877 proc-events = {
878 # PROC_EVENTS requires that the netlink connector is not built
879 # as a module. This is required by libcgroup's cgrulesengd.
880 CONNECTOR = yes;
881 PROC_EVENTS = yes;
882 };
884 tracing = {
885 FTRACE = yes;
886 KPROBES = yes;
887 FUNCTION_TRACER = yes;
888 FTRACE_SYSCALLS = yes;
889 SCHED_TRACER = yes;
890 STACK_TRACER = yes;
891 UPROBE_EVENTS = option yes;
892 BPF_SYSCALL = yes;
893 BPF_UNPRIV_DEFAULT_OFF = whenBetween "5.10" "5.16" yes;
894 BPF_EVENTS = yes;
895 FUNCTION_PROFILER = yes;
896 RING_BUFFER_BENCHMARK = no;
897 };
899 perf = {
900 # enable AMD Zen branch sampling if available
901 PERF_EVENTS_AMD_BRS = whenAtLeast "5.19" (option yes);
902 };
904 virtualisation = {
905 PARAVIRT = option yes;
907 HYPERVISOR_GUEST = lib.mkIf stdenv.hostPlatform.isx86 yes;
908 PARAVIRT_SPINLOCKS = option yes;
910 KVM_ASYNC_PF = lib.mkIf (with stdenv.hostPlatform; isS390 || isx86) yes;
911 KVM_GENERIC_DIRTYLOG_READ_PROTECT = yes;
912 KVM_GUEST = lib.mkIf (with stdenv.hostPlatform; isPower || isx86) yes;
913 KVM_MMIO = yes;
914 KVM_VFIO = yes;
915 KSM = yes;
916 VIRT_DRIVERS = yes;
917 # We need 64 GB (PAE) support for Xen guest support
918 HIGHMEM64G = {
919 optional = true;
920 tristate = lib.mkIf (!stdenv.hostPlatform.is64bit) "y";
921 };
923 VFIO_PCI_VGA = lib.mkIf stdenv.hostPlatform.isx86_64 yes;
925 UDMABUF = yes;
927 # VirtualBox guest drivers in the kernel conflict with the ones in the
928 # official additions package and prevent the vboxsf module from loading,
929 # so disable them for now.
930 VBOXGUEST = option no;
931 DRM_VBOXVIDEO = option no;
933 XEN = option yes;
934 XEN_DOM0 = option yes;
935 PCI_XEN = option yes;
936 HVC_XEN = option yes;
937 HVC_XEN_FRONTEND = option yes;
938 XEN_SYS_HYPERVISOR = option yes;
939 SWIOTLB_XEN = option yes;
940 XEN_BACKEND = option yes;
941 XEN_BALLOON = option yes;
942 XEN_BALLOON_MEMORY_HOTPLUG = option yes;
943 XEN_EFI = option yes;
944 XEN_HAVE_PVMMU = option yes;
945 XEN_MCE_LOG = option yes;
946 XEN_PVH = option yes;
947 XEN_PVHVM = option yes;
948 XEN_SAVE_RESTORE = option yes;
950 # Enable device detection on virtio-mmio hypervisors
951 VIRTIO_MMIO_CMDLINE_DEVICES = yes;
952 };
954 media = {
955 MEDIA_DIGITAL_TV_SUPPORT = yes;
956 MEDIA_CAMERA_SUPPORT = yes;
957 MEDIA_CONTROLLER = yes;
958 MEDIA_PCI_SUPPORT = yes;
959 MEDIA_USB_SUPPORT = yes;
960 MEDIA_ANALOG_TV_SUPPORT = yes;
961 VIDEO_STK1160_COMMON = whenOlder "6.5" module;
962 };
964 "9p" = {
965 # Enable the 9P cache to speed up NixOS VM tests.
966 "9P_FSCACHE" = option yes;
967 "9P_FS_POSIX_ACL" = option yes;
968 };
970 huge-page = {
971 TRANSPARENT_HUGEPAGE = option yes;
972 TRANSPARENT_HUGEPAGE_ALWAYS = option no;
973 TRANSPARENT_HUGEPAGE_MADVISE = option yes;
974 };
976 zram = {
977 ZRAM = module;
978 ZRAM_WRITEBACK = option yes;
979 ZRAM_MULTI_COMP = whenAtLeast "6.2" yes;
980 ZRAM_BACKEND_842 = whenAtLeast "6.12" yes;
981 ZRAM_BACKEND_DEFLATE = whenAtLeast "6.12" yes;
982 ZRAM_BACKEND_LZ4 = whenAtLeast "6.12" yes;
983 ZRAM_BACKEND_LZ4HC = whenAtLeast "6.12" yes;
984 ZRAM_BACKEND_LZO = whenAtLeast "6.12" yes;
985 ZRAM_BACKEND_ZSTD = whenAtLeast "6.12" yes;
986 ZRAM_DEF_COMP_ZSTD = whenAtLeast "5.11" yes;
987 ZSWAP = option yes;
988 ZSWAP_COMPRESSOR_DEFAULT_ZSTD = whenAtLeast "5.7" (lib.mkOptionDefault yes);
989 ZPOOL = yes;
990 ZSMALLOC = option yes;
991 };
993 brcmfmac = {
994 # Enable PCIe and USB for the brcmfmac driver
995 BRCMFMAC_USB = option yes;
996 BRCMFMAC_PCIE = option yes;
997 };
999 # Support x2APIC (which requires IRQ remapping)
1000 x2apic = lib.optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") {
1001 X86_X2APIC = yes;
1002 IRQ_REMAP = yes;
1003 };
1005 # Disable various self-test modules that have no use in a production system
1006 tests =
1007 {
1008 # This menu disables all/most of them on >= 4.16
1009 RUNTIME_TESTING_MENU = option no;
1010 }
1011 // {
1012 CRC32_SELFTEST = option no;
1013 CRYPTO_TEST = option no;
1014 EFI_TEST = option no;
1015 GLOB_SELFTEST = option no;
1016 LOCK_TORTURE_TEST = option no;
1017 MTD_TESTS = option no;
1018 NOTIFIER_ERROR_INJECTION = option no;
1019 RCU_PERF_TEST = whenOlder "5.9" no;
1020 RCU_SCALE_TEST = whenAtLeast "5.10" no;
1021 TEST_ASYNC_DRIVER_PROBE = option no;
1022 WW_MUTEX_SELFTEST = option no;
1023 XZ_DEC_TEST = option no;
1024 };
1026 criu = {
1027 # Unconditionally enabled, because it is required for CRIU and
1028 # it provides the kcmp() system call that Mesa depends on.
1029 CHECKPOINT_RESTORE = yes;
1031 # Allows soft-dirty tracking on pages, used by CRIU.
1032 # See https://docs.kernel.org/admin-guide/mm/soft-dirty.html
1033 MEM_SOFT_DIRTY = lib.mkIf (with stdenv.hostPlatform; isS390 || isPower64 || isx86_64) yes;
1034 };
1036 misc =
1037 let
1038 # Use zstd for kernel compression if 64-bit and newer than 5.9, otherwise xz.
1039 # i686 issues: https://github.com/NixOS/nixpkgs/pull/117961#issuecomment-812106375
1040 useZstd = stdenv.buildPlatform.is64bit && lib.versionAtLeast version "5.9";
1041 in
1042 {
1043 # stdenv.hostPlatform.linux-kernel.target assumes uncompressed on RISC-V.
1044 KERNEL_UNCOMPRESSED = lib.mkIf stdenv.hostPlatform.isRiscV yes;
1045 KERNEL_XZ = lib.mkIf (!stdenv.hostPlatform.isRiscV && !useZstd) yes;
1046 KERNEL_ZSTD = lib.mkIf (
1047 with stdenv.hostPlatform;
1048 (isMips || isS390 || isx86 || (lib.versionAtLeast version "6.1" && isAarch64 || isLoongArch64))
1049 && useZstd
1050 ) yes;
1052 HID_BATTERY_STRENGTH = yes;
1053 # enabled by default in x86_64 but not arm64, so we do that here
1054 HIDRAW = yes;
1056 # Enable loading HID fixups as eBPF from userspace
1057 HID_BPF = whenAtLeast "6.3" yes;
1059 HID_ACRUX_FF = yes;
1060 DRAGONRISE_FF = yes;
1061 GREENASIA_FF = yes;
1062 HOLTEK_FF = yes;
1063 INPUT_JOYSTICK = yes;
1064 JOYSTICK_PSXPAD_SPI_FF = yes;
1065 LOGIG940_FF = yes;
1066 NINTENDO_FF = whenAtLeast "5.16" yes;
1067 NVIDIA_SHIELD_FF = whenAtLeast "6.5" yes;
1068 PLAYSTATION_FF = whenAtLeast "5.12" yes;
1069 SONY_FF = yes;
1070 SMARTJOYPLUS_FF = yes;
1071 THRUSTMASTER_FF = yes;
1072 ZEROPLUS_FF = yes;
1074 MODULE_COMPRESS = lib.mkMerge [
1075 (whenOlder "5.13" yes)
1076 (whenAtLeast "6.12" yes)
1077 ];
1078 MODULE_COMPRESS_ALL = whenAtLeast "6.12" yes;
1079 MODULE_COMPRESS_XZ = yes;
1081 SYSVIPC = yes; # System-V IPC
1083 AIO = yes; # POSIX asynchronous I/O
1085 UNIX = yes; # Unix domain sockets.
1087 MD = yes; # Device mapper (RAID, LVM, etc.)
1089 # Enable initrd support.
1090 BLK_DEV_INITRD = yes;
1092 # Allows debugging systems that get stuck during suspend/resume
1093 PM_TRACE_RTC = lib.mkIf stdenv.hostPlatform.isx86 yes;
1095 ACCESSIBILITY = yes; # Accessibility support
1096 AUXDISPLAY = yes; # Auxiliary Display support
1097 HIPPI = yes;
1098 MTD_COMPLEX_MAPPINGS = yes; # needed for many devices
1100 SCSI_LOWLEVEL = yes; # enable lots of SCSI devices
1101 SCSI_LOWLEVEL_PCMCIA = yes;
1102 SCSI_SAS_ATA = yes; # added to enable detection of hard drive
1104 SPI = yes; # needed for many devices
1105 SPI_MASTER = yes;
1107 "8139TOO_8129" = yes;
1108 "8139TOO_PIO" = no; # PIO is slower
1110 AIC79XX_DEBUG_ENABLE = no;
1111 AIC7XXX_DEBUG_ENABLE = no;
1112 AIC94XX_DEBUG = no;
1114 BLK_DEV_INTEGRITY = yes;
1115 BLK_DEV_ZONED = yes;
1117 BLK_SED_OPAL = yes;
1119 # Enable support for block layer inline encryption
1120 BLK_INLINE_ENCRYPTION = whenAtLeast "5.8" yes;
1121 # ...but fall back to CPU encryption if unavailable
1122 BLK_INLINE_ENCRYPTION_FALLBACK = whenAtLeast "5.8" yes;
1124 BSD_PROCESS_ACCT_V3 = yes;
1126 SERIAL_DEV_BUS = yes; # enables support for serial devices
1127 SERIAL_DEV_CTRL_TTYPORT = yes; # enables support for TTY serial devices
1129 BT_HCIBTUSB_MTK = yes; # MediaTek protocol support
1131 BT_HCIUART = module; # required for BT devices with serial port interface (QCA6390)
1132 BT_HCIUART_BCM = option yes; # Broadcom Bluetooth support
1133 BT_HCIUART_BCSP = option yes; # CSR BlueCore support
1134 BT_HCIUART_H4 = option yes; # UART (H4) protocol support
1135 BT_HCIUART_LL = option yes; # Texas Instruments BRF
1136 BT_HCIUART_QCA = yes; # Qualcomm Atheros support
1137 BT_HCIUART_SERDEV = yes; # required by BT_HCIUART_QCA
1139 BT_RFCOMM_TTY = option yes; # RFCOMM TTY support
1140 BT_QCA = module; # enables QCA6390 bluetooth
1142 # Removed on 5.17 as it was unused
1143 # upstream: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0a4ee518185e902758191d968600399f3bc2be31
1144 CLEANCACHE = whenOlder "5.17" (option yes);
1146 FSCACHE_STATS = yes;
1148 DVB_DYNAMIC_MINORS = option yes; # we use udev
1150 EFI_STUB = yes; # EFI bootloader in the bzImage itself
1151 EFI_GENERIC_STUB_INITRD_CMDLINE_LOADER = whenOlder "6.2" (whenAtLeast "5.8" yes); # initrd kernel parameter for EFI
1153 # Generic compression support for EFI payloads
1154 # Add new platforms only after they have been verified to build and boot.
1155 # This is unsupported on x86 due to a custom decompression mechanism.
1156 EFI_ZBOOT = lib.mkIf stdenv.hostPlatform.isAarch64 (whenAtLeast "6.1" yes);
1158 CGROUPS = yes; # used by systemd
1159 FHANDLE = yes; # used by systemd
1160 SECCOMP = yes; # used by systemd >= 231
1161 SECCOMP_FILTER = yes; # ditto
1162 POSIX_MQUEUE = yes;
1163 FRONTSWAP = whenOlder "6.6" yes;
1164 FUSION = yes; # Fusion MPT device support
1165 IDE = lib.mkIf (with stdenv.hostPlatform; isAarch32 || isM68k || isMips || isPower || isx86) (
1166 whenOlder "5.14" no
1167 ); # deprecated IDE support, removed in 5.14
1168 IDLE_PAGE_TRACKING = yes;
1170 JOYSTICK_XPAD_FF = option yes; # X-Box gamepad rumble support
1171 JOYSTICK_XPAD_LEDS = option yes; # LED Support for Xbox360 controller 'BigX' LED
1173 KEYBOARD_APPLESPI = lib.mkIf stdenv.hostPlatform.isx86 module;
1175 KEXEC_FILE = option yes;
1176 KEXEC_JUMP = option yes;
1178 PARTITION_ADVANCED = yes; # Needed for LDM_PARTITION
1179 # Windows Logical Disk Manager (Dynamic Disk) support
1180 LDM_PARTITION = yes;
1181 LOGIRUMBLEPAD2_FF = yes; # Logitech Rumblepad 2 force feedback
1182 LOGO = no; # not needed
1183 MEDIA_ATTACH = yes;
1184 MEGARAID_NEWGEN = yes;
1186 MLX5_CORE_EN = option yes;
1188 NVME_MULTIPATH = yes;
1190 NVME_AUTH = lib.mkMerge [
1191 (whenBetween "6.0" "6.7" yes)
1192 (whenAtLeast "6.7" module)
1193 ];
1195 NVME_HOST_AUTH = whenAtLeast "6.7" yes;
1196 NVME_TCP_TLS = whenAtLeast "6.7" yes;
1198 NVME_TARGET = module;
1199 NVME_TARGET_PASSTHRU = whenAtLeast "5.9" yes;
1200 NVME_TARGET_AUTH = whenAtLeast "6.0" yes;
1201 NVME_TARGET_TCP_TLS = whenAtLeast "6.7" yes;
1203 PCI_P2PDMA = lib.mkIf (stdenv.hostPlatform.is64bit) yes;
1205 PSI = yes;
1207 MOUSE_ELAN_I2C_SMBUS = yes;
1208 MOUSE_PS2_ELANTECH = yes; # Elantech PS/2 protocol extension
1209 MOUSE_PS2_VMMOUSE = lib.mkIf stdenv.hostPlatform.isx86 yes;
1210 MTRR_SANITIZER = lib.mkIf stdenv.hostPlatform.isx86 yes;
1211 NET_FC = yes; # Fibre Channel driver support
1212 # Needed for touchpads to work on some AMD laptops
1213 PINCTRL_AMD = whenAtLeast "5.19" yes;
1214 # GPIO on Intel Bay Trail, for some Chromebook internal eMMC disks
1215 PINCTRL_BAYTRAIL = lib.mkIf stdenv.hostPlatform.isx86 yes;
1216 # GPIO for Braswell and Cherryview devices
1217 # Needs to be built-in to for integrated keyboards to function properly
1218 PINCTRL_CHERRYVIEW = lib.mkIf stdenv.hostPlatform.isx86 yes;
1219 # 8 is default. Modern gpt tables on eMMC may go far beyond 8.
1220 MMC_BLOCK_MINORS = freeform "32";
1222 REGULATOR = yes; # Voltage and Current Regulator Support
1223 RC_DEVICES = option yes; # Enable IR devices
1224 RC_DECODERS = option yes; # Required for IR devices to work
1226 RT2800USB_RT53XX = yes;
1227 RT2800USB_RT55XX = yes;
1229 SCHED_AUTOGROUP = yes;
1230 CFS_BANDWIDTH = yes;
1232 SCSI_LOGGING = yes; # SCSI logging facility
1233 SERIAL_8250 = yes; # 8250/16550 and compatible serial support
1235 SLAB_FREELIST_HARDENED = yes;
1236 SLAB_FREELIST_RANDOM = yes;
1238 SLIP_COMPRESSED = yes; # CSLIP compressed headers
1239 SLIP_SMART = yes;
1241 HWMON = yes;
1242 THERMAL_HWMON = yes; # Hardware monitoring support
1243 NVME_HWMON = whenAtLeast "5.5" yes; # NVMe drives temperature reporting
1244 UEVENT_HELPER = no;
1246 USERFAULTFD = yes;
1247 X86_CHECK_BIOS_CORRUPTION = lib.mkIf stdenv.hostPlatform.isx86 yes;
1248 X86_MCE = lib.mkIf stdenv.hostPlatform.isx86 yes;
1250 RAS = yes; # Needed for EDAC support
1252 # Our initrd init uses shebang scripts, so can't be modular.
1253 BINFMT_SCRIPT = yes;
1254 # For systemd-binfmt
1255 BINFMT_MISC = option yes;
1257 # Required for EDID overriding
1258 FW_LOADER = yes;
1259 # Disable the firmware helper fallback, udev doesn't implement it any more
1260 FW_LOADER_USER_HELPER_FALLBACK = option no;
1262 FW_LOADER_COMPRESS = yes;
1263 FW_LOADER_COMPRESS_ZSTD = whenAtLeast "5.19" yes;
1265 HOTPLUG_PCI_ACPI = yes; # PCI hotplug using ACPI
1266 HOTPLUG_PCI_PCIE = yes; # PCI-Expresscard hotplug support
1268 # Enable AMD's ROCm GPU compute stack
1269 HSA_AMD = lib.mkIf stdenv.hostPlatform.is64bit (yes);
1270 ZONE_DEVICE = lib.mkIf stdenv.hostPlatform.is64bit (yes);
1271 HMM_MIRROR = yes;
1272 DRM_AMDGPU_USERPTR = yes;
1274 PREEMPT = no;
1275 PREEMPT_VOLUNTARY = yes;
1277 X86_AMD_PLATFORM_DEVICE = lib.mkIf stdenv.hostPlatform.isx86 yes;
1278 X86_PLATFORM_DRIVERS_DELL = lib.mkIf stdenv.hostPlatform.isx86 (whenAtLeast "5.12" yes);
1279 X86_PLATFORM_DRIVERS_HP = lib.mkIf stdenv.hostPlatform.isx86 (whenAtLeast "6.1" yes);
1281 LIRC = yes;
1283 SCHED_CORE = whenAtLeast "5.14" yes;
1284 SCHED_CLASS_EXT = whenAtLeast "6.12" yes;
1286 LRU_GEN = whenAtLeast "6.1" yes;
1287 LRU_GEN_ENABLED = whenAtLeast "6.1" yes;
1289 FSL_MC_UAPI_SUPPORT = lib.mkIf (stdenv.hostPlatform.system == "aarch64-linux") (
1290 whenAtLeast "5.12" yes
1291 );
1293 ASHMEM = {
1294 optional = true;
1295 tristate = whenBetween "5.0" "5.18" "y";
1296 };
1297 ANDROID = {
1298 optional = true;
1299 tristate = whenBetween "5.0" "5.19" "y";
1300 };
1301 ANDROID_BINDER_IPC = {
1302 optional = true;
1303 tristate = whenAtLeast "5.0" "y";
1304 };
1305 ANDROID_BINDERFS = {
1306 optional = true;
1307 tristate = whenAtLeast "5.0" "y";
1308 };
1309 ANDROID_BINDER_DEVICES = {
1310 optional = true;
1311 freeform = whenAtLeast "5.0" "binder,hwbinder,vndbinder";
1312 };
1314 TASKSTATS = yes;
1315 TASK_DELAY_ACCT = yes;
1316 TASK_XACCT = yes;
1317 TASK_IO_ACCOUNTING = yes;
1319 # Fresh toolchains frequently break -Werror build for minor issues.
1320 WERROR = whenAtLeast "5.15" no;
1322 # > CONFIG_KUNIT should not be enabled in a production environment. Enabling KUnit disables Kernel Address-Space Layout Randomization (KASLR), and tests may affect the state of the kernel in ways not suitable for production.
1323 # https://www.kernel.org/doc/html/latest/dev-tools/kunit/start.html
1324 KUNIT = whenAtLeast "5.5" no;
1326 # Set system time from RTC on startup and resume
1327 RTC_HCTOSYS = option yes;
1329 # Expose watchdog information in sysfs
1330 WATCHDOG_SYSFS = yes;
1332 # Enable generic kernel watch queues
1333 # See https://docs.kernel.org/core-api/watch_queue.html
1334 WATCH_QUEUE = whenAtLeast "5.8" yes;
1335 }
1336 //
1337 lib.optionalAttrs
1338 (stdenv.hostPlatform.system == "x86_64-linux" || stdenv.hostPlatform.system == "aarch64-linux")
1339 {
1340 # Enable CPU/memory hotplug support
1341 # Allows you to dynamically add & remove CPUs/memory to a VM client running NixOS without requiring a reboot
1342 ACPI_HOTPLUG_CPU = yes;
1343 ACPI_HOTPLUG_MEMORY = yes;
1344 MEMORY_HOTPLUG = yes;
1345 MEMORY_HOTPLUG_DEFAULT_ONLINE = whenOlder "6.14" yes;
1346 MHP_DEFAULT_ONLINE_TYPE_ONLINE_AUTO = whenAtLeast "6.14" yes;
1347 MEMORY_HOTREMOVE = yes;
1348 HOTPLUG_CPU = yes;
1349 MIGRATION = yes;
1350 SPARSEMEM = yes;
1352 # Bump the maximum number of CPUs to support systems like EC2 x1.*
1353 # instances and Xeon Phi.
1354 NR_CPUS = freeform "384";
1356 # Enable LEDS to display link-state status of PHY devices (i.e. eth lan/wan interfaces)
1357 LED_TRIGGER_PHY = yes;
1359 # Required for various hardware features on Chrome OS devices
1360 CHROME_PLATFORMS = yes;
1361 CHROMEOS_TBMC = module;
1362 CROS_EC = module;
1363 CROS_EC_I2C = module;
1364 CROS_EC_SPI = module;
1365 CROS_KBD_LED_BACKLIGHT = module;
1366 TCG_TIS_SPI_CR50 = whenAtLeast "5.5" yes;
1367 }
1368 //
1369 lib.optionalAttrs
1370 (stdenv.hostPlatform.system == "armv7l-linux" || stdenv.hostPlatform.system == "aarch64-linux")
1371 {
1372 # Enables support for the Allwinner Display Engine 2.0
1373 SUN8I_DE2_CCU = yes;
1375 # See comments on https://github.com/NixOS/nixpkgs/commit/9b67ea9106102d882f53d62890468071900b9647
1376 CRYPTO_AEGIS128_SIMD = no;
1378 # Distros should configure the default as a kernel option.
1379 # We previously defined it on the kernel command line as cma=
1380 # The kernel command line will override a platform-specific configuration from its device tree.
1381 # https://github.com/torvalds/linux/blob/856deb866d16e29bd65952e0289066f6078af773/kernel/dma/contiguous.c#L35-L44
1382 CMA_SIZE_MBYTES = freeform "32";
1384 # Add debug interfaces for CMA
1385 CMA_DEBUGFS = yes;
1386 CMA_SYSFS = whenAtLeast "5.13" yes;
1388 # https://docs.kernel.org/arch/arm/mem_alignment.html
1389 # tldr:
1390 # when buggy userspace code emits illegal misaligned LDM, STM,
1391 # LDRD and STRDs, the instructions trap, are caught, and then
1392 # are emulated by the kernel.
1393 #
1394 # This is the default on armv7l, anyway, but it is explicitly
1395 # enabled here for the sake of providing context for the
1396 # aarch64 compat option which follows.
1397 ALIGNMENT_TRAP = lib.mkIf (stdenv.hostPlatform.system == "armv7l-linux") yes;
1399 # https://patchwork.kernel.org/project/linux-arm-kernel/patch/20220701135322.3025321-1-ardb@kernel.org/
1400 # tldr:
1401 # when encountering alignment faults under aarch64, this option
1402 # makes the kernel attempt to handle the fault by doing the
1403 # same style of misaligned emulation that is performed under
1404 # armv7l (see above option).
1405 #
1406 # This minimizes the potential for aarch32 userspace to behave
1407 # differently when run under aarch64 kernels compared to when
1408 # it is run under an aarch32 kernel.
1409 COMPAT_ALIGNMENT_FIXUPS = lib.mkIf (stdenv.hostPlatform.system == "aarch64-linux") (
1410 whenAtLeast "6.1" yes
1411 );
1413 # requirement for CP15_BARRIER_EMULATION
1414 ARMV8_DEPRECATED = lib.mkIf (stdenv.hostPlatform.system == "aarch64-linux") yes;
1415 # emulate a specific armv7 instruction that was removed from armv8
1416 # this instruction is required to build a native armv7 nodejs on an
1417 # aarch64-linux builder, for example
1418 CP15_BARRIER_EMULATION = lib.mkIf (stdenv.hostPlatform.system == "aarch64-linux") yes;
1419 }
1420 // lib.optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") {
1421 CROS_EC_LPC = module;
1422 CROS_EC_ISHTP = module;
1424 CHROMEOS_LAPTOP = module;
1425 CHROMEOS_PSTORE = module;
1427 # Enable x86 resource control
1428 X86_CPU_RESCTRL = whenAtLeast "5.0" yes;
1430 # Enable TSX on CPUs where it's not vulnerable
1431 X86_INTEL_TSX_MODE_AUTO = yes;
1433 # Enable AMD Wi-Fi RF band mitigations
1434 # See https://cateee.net/lkddb/web-lkddb/AMD_WBRF.html
1435 AMD_WBRF = whenAtLeast "6.8" yes;
1437 # Enable Intel Turbo Boost Max 3.0
1438 INTEL_TURBO_MAX_3 = yes;
1439 };
1441 accel = {
1442 # Build DRM accelerator devices
1443 DRM_ACCEL = whenAtLeast "6.2" yes;
1444 };
1445 };
1446 in
1447 flattenKConf options