From 2c19ef2209667bb01c5ae6ecf226a97752d55c52 Mon Sep 17 00:00:00 2001
From: Atemu
Date: Wed, 23 Dec 2020 07:33:25 +0100
Subject: [PATCH] linux: disable module signing
Without this, the kernel would generate a random one for us which obviously isn't reproducible. `nix-build -A linux --check` succeeds now! (Tested at different times with different kernel)
---
 pkgs/os-specific/linux/kernel/common-config.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 47e49dbe01d7..da719c9de50b 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -416,7 +416,10 @@ let
 SECURITY_APPARMOR = yes;
 DEFAULT_SECURITY_APPARMOR = yes;
- SECURITY_LOCKDOWN_LSM = whenAtLeast "5.4" yes;
+ MODULE_SIG = no; # r13y, generates a random key during build and bakes it in
+ # Depends on MODULE_SIG and only really helps when you sign your modules
+ # and enforce signatures which we don't do by default.
+ SECURITY_LOCKDOWN_LSM = no;
 } // optionalAttrs (!stdenv.hostPlatform.isAarch32) { # Detect buffer overflows on the stack
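Review bot: The new `SECURITY_LOCKDOWN_LSM = no;` drops the `whenAtLeast "5.4"` guard that the removed line had, so the symbol is now set for kernels older than 5.4, where it presumably does not exist; `SECURITY_LOCKDOWN_LSM = whenAtLeast "5.4" no;` keeps the version gate. The comment above it also understates the trade-off: as far as I know, lockdown selects MODULE_SIG rather than depending on it, and it covers more than module signatures (for example restrictions on /dev/mem access, kexec and hibernation), so anyone booting with `lockdown=` loses that hardening without notice. I would say so in the comment, e.g. `# Selects MODULE_SIG, so it is disabled as well; this also removes the lockdown= restrictions, override both in your own kernel config if you need them`. The attribute set this hunk edits starts and ends outside the hunk.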