kernel hardening checker update #479
base: main
Signed-off-by: Alexander Nikolaev <alexander.nikolaev@unikie.com>
Commits c88d8ee to 51bb206
In general, this is a good idea. I propose we look at this again after #439 is merged and extend the hardened kernel module tests here to cover also the
@@ -141,6 +141,11 @@ | |||
flake-compat.follows = "flake-compat"; | |||
}; | |||
}; | |||
|
|||
kernel-hardening-checker = { |
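Review bot: the new `kernel-hardening-checker = {` input at the end of the hunk is cut off here, so its body cannot be reviewed; in keeping with the neighbouring input, which sets `flake-compat.follows = "flake-compat";`, it should declare `inputs.nixpkgs.follows = "nixpkgs";` if the upstream flake has a nixpkgs input, so that the pinned checker is built from the repository's own nixpkgs and flake.lock does not gain a second nixpkgs entry.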
Suggestion for a future PR: could also be integrated into the CI/flake.nix like this:

```nix
{
  checks.kernel-hardening-check = pkgs.runCommand "kernel-hardening-check" { } ''
    ${lib.getExe pkgs.kernel-hardening-checker} -c ${pkgs.hardened-kernel.configfile}
    # a runCommand derivation must create $out, otherwise the build fails
    # even when the checker itself exits successfully
    touch $out
  '';
}
```
Where the hardened-kernel is the attribute of this PR: #439
We have a plan for it: make a JSON report from KHC, then use a custom script to assert the checks (because KHC asserts on too many things, we need to ignore some checks like CONFIG_MODULE).
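The gating script sketched in the comment above, written out as an added example; it is not Ghaf project code. It assumes KHC was run as `kernel-hardening-checker -c <config> -m json` and that each JSON entry carries the option name and the check result, either as a dict (keys assumed to be `option_name` and `check_result`) or as a positional list (name first, result last); check the field layout against the installed KHC version's output. The ignore list uses the Kconfig symbol `CONFIG_MODULES` (the comment writes `CONFIG_MODULE`), and the sample report is constructed, not real tool output.

```python
"""Gate a CI job on kernel-hardening-checker (KHC) JSON output with an ignore list.

Added example, not part of the Ghaf project. Field layout of the KHC JSON
report is an assumption (see lead-in); verify it against your KHC version.
"""
import json
import sys
from typing import Any, Iterable, List, Tuple

# Options this build deliberately diverges from: modules stay enabled here.
# Assumed ignore list; extend with whatever the baseline config requires.
DEFAULT_IGNORE = {"CONFIG_MODULES"}

# Constructed sample in the assumed KHC JSON shape (not real tool output).
SAMPLE_REPORT = json.dumps([
    {"option_name": "CONFIG_MODULES", "type": "kconfig", "desired_val": "is not set",
     "decision": "cut_attack_surface", "reason": "kspp", "check_result": 'FAIL: "y"'},
    {"option_name": "CONFIG_STACKPROTECTOR_STRONG", "type": "kconfig", "desired_val": "y",
     "decision": "defconfig", "reason": "self_protection", "check_result": "OK"},
    {"option_name": "CONFIG_RANDOMIZE_BASE", "type": "kconfig", "desired_val": "y",
     "decision": "defconfig", "reason": "self_protection", "check_result": "FAIL: is not set"},
])


def _name_and_result(entry: Any) -> Tuple[str, str]:
    """Extract (option name, check result) from a dict- or list-shaped entry."""
    if isinstance(entry, dict):
        return str(entry["option_name"]), str(entry.get("check_result", ""))
    if isinstance(entry, list) and len(entry) >= 2:
        # Older list layout assumed: name first, result last.
        return str(entry[0]), str(entry[-1])
    raise ValueError(f"unrecognised KHC entry: {entry!r}")


def failing_checks(report_json: str,
                   ignore: Iterable[str] = DEFAULT_IGNORE) -> List[Tuple[str, str]]:
    """Return (option, result) pairs that KHC marked FAIL and that are not ignored."""
    ignored = set(ignore)
    failures: List[Tuple[str, str]] = []
    for entry in json.loads(report_json):
        name, result = _name_and_result(entry)
        if name in ignored:
            continue
        if result.startswith("FAIL"):
            failures.append((name, result))
    return failures


def main(argv: List[str]) -> int:
    """Read a KHC JSON report (path in argv[1], else the sample) and return a CI exit code."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = fh.read()
    else:
        report = SAMPLE_REPORT
    failures = failing_checks(report)
    for name, result in failures:
        print(f"{name}: {result}")
    # Non-zero exit fails the pipeline only for checks that are not on the ignore list.
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a flake check the script would be run on the file produced by `kernel-hardening-checker -c <config> -m json > report.json`; the ignore list is the only place where a deliberate deviation from KHC's recommendations is recorded, which keeps each exception reviewable.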
Couldn't you simply make some script/tool to update the hash in the package file? I know there are even ready-made ones
That would also work. Shameless self-plug: https://github.com/Mic92/nix-update/ has support for flakes... Someone also made a github action: https://github.com/marketplace/actions/nix-update-action
Description of changes
The KHC tool is evolving fast, and bumping the hash manually each time is inconvenient.
I propose using flake.nix/flake.lock for managing kernel-hardening-checker version pinning.
Checklist for things done
x86_64
aarch64
riscv64
nix flake check --accept-flake-config, and it passes
Testing
kernel-hardening-checker --version shows the newer version; the checker also works on our baseline config.