kernel hardening checker update #479
Conversation
avnik
temporarily deployed
to
internal-build-workflow
GitHub Actions
Inactive
Signed-off-by: Alexander Nikolaev <alexander.nikolaev@unikie.com>
avnik
force-pushed
the
avnik/khc-update
branch
from
c88d8ee
to
51bb206
Compare
avnik
temporarily deployed
to
internal-build-workflow
GitHub Actions
Inactive
|
In general, this is a good idea. I propose we look at this again after #439 is merged and extend the hardened kernel module tests here to cover also the |
| @@ -141,6 +141,11 @@ | |||
| flake-compat.follows = "flake-compat"; | |||
| }; | |||
| }; | |||
|
|
|||
| kernel-hardening-checker = { | |||
There was a problem hiding this comment.
Suggestion for a future PR: Could be also integrated into the CI/flake.nix like this:
{
checks.kernel-hardening-check = runCommand "kernel-hardening-check" {} ''
${lib.getExe pkgs.kernel-hardening-checker} -c ${pkgs.hardened-kernel.configfile}
'';
}There was a problem hiding this comment.
Where the hardened-kernel is the attribute of this PR: #439
There was a problem hiding this comment.
We have plan for it -- make json report from KHC, then use custom script to assert checks (because KHC asserts on too much things, we need to ignore some checks like CONFIG_MODULE)
|
Couldn't you simply make some script/tool to update the hash in the package file? I know there are even ready-made ones |
|
That would also works. Shameless self-plug: https://github.com/Mic92/nix-update/ has support for flakes... Someone also made a github action: https://github.com/marketplace/actions/nix-update-action |
Description of changes
KHC tool is fast evolving, and bumping hash manually each time is inconvenient.
I propose using flake.nix/lock for managing kernel-hardening-checker version pinning.
Checklist for things done
x86_64aarch64riscv64nix flake check --accept-flake-configand it passesTesting
kernel-hardening-checker --versionshow newer version, also checker works on our baseline config