From 868a9bcad1782033c074276b9b5c6c722d2bf9cc Mon Sep 17 00:00:00 2001
From: masrlinu <5259918+masrlinu@users.noreply.github.com>
Date: Thu, 13 Nov 2025 17:09:42 +0100
Subject: [PATCH 1/3] broadcom-wl: enable WiFi/Bluetooth driver as discussed in PR #1580
---
 apple/imac/14-2/default.nix | 67 ++++++++++++++++++++++--------
 apple/macbook-air/6/default.nix | 45 ++++++++++++++++----
 apple/macbook-pro/11-1/default.nix | 33 ++++++++++++++-
 dell/inspiron/3442/default.nix | 38 +++++++++++++++--
 dell/xps/13-9343/default.nix | 38 ++++++++++++++---
 5 files changed, 186 insertions(+), 35 deletions(-)
diff --git a/apple/imac/14-2/default.nix b/apple/imac/14-2/default.nix
index 5dd218c52..6a7a009bf 100644
--- a/apple/imac/14-2/default.nix
+++ b/apple/imac/14-2/default.nix
@@ -13,25 +13,56 @@ ../../../common/hidpi.nix ]; - boot = { - initrd.kernelModules = [ - "applesmc" - "applespi" - "intel_lpss_pci" - "spi_pxa2xx_platform" - "kvm-intel" - ]; - blacklistedKernelModules = [ - "b43" - "ssb" - "brcmfmac" - "brcmsmac" - "bcma" - ]; - kernelPackages = lib.mkIf (lib.versionOlder pkgs.linux.version "6.0") pkgs.linuxPackages_latest; + options = { + hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities. + + This driver is vulnerable to heap buffer overflows: + - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp) + - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp) + + Attackers within WiFi range can exploit this vulnerability by sending crafted + WiFi packets, even without being connected to the same network. Simply having + WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service. + Only enable if no alternative WiFi solution is available. + ''; + }; }; - hardware = { - bluetooth.enable = lib.mkDefault true; + config = { + boot = { + initrd.kernelModules = [ + "applesmc" + "applespi" + "intel_lpss_pci" + "spi_pxa2xx_platform" + "kvm-intel" + ]; + blacklistedKernelModules = [ + "b43" + "ssb" + "brcmfmac" + "brcmsmac" + "bcma" + ]; + kernelPackages = lib.mkIf (lib.versionOlder pkgs.linux.version "6.0") pkgs.linuxPackages_latest; + }; + + extraModulePackages = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [ + (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: { + meta = + oldAttrs.meta + // { + knownVulnerabilities = []; + }; + })) + ]; + + hardware = { + bluetooth.enable = lib.mkDefault true; + }; }; } diff --git a/apple/macbook-air/6/default.nix b/apple/macbook-air/6/default.nix index 67f3a7062..6f3fbd903 100644 --- a/apple/macbook-air/6/default.nix 
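Review bot: `default = true;` on the new `hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities` option, together with the `overrideAttrs` that sets `knownVulnerabilities = []`, means anyone importing this profile gets the `wl` driver built with nixpkgs's insecure-package refusal silenced, with no consent step and nothing printed at rebuild time; the same shape appears in the macbook-air/6, macbook-pro/11-1, inspiron/3442 and xps/13-9343 hunks. The description itself says to enable the driver only when no alternative exists, so the safer contract is opt-in: `default = false;`, with the CVE text left in the description as what a user reads before flipping it. If the default has to stay `true` so WiFi works out of the box, surface the decision on every rebuild by adding `warnings = lib.optional config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities "broadcom-wl: the legacy wl driver with known vulnerabilities (CVE-2019-9501, CVE-2019-9502) is enabled";` under `config`. Clearing `meta.knownVulnerabilities` also sidesteps `nixpkgs.config.permittedInsecurePackages`, which is where users normally record exactly this acceptance; a sentence in the description explaining why the override is used instead would help the next maintainer.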
+++ b/apple/macbook-air/6/default.nix @@ -3,14 +3,45 @@ { imports = [ ../. ]; - boot.blacklistedKernelModules = [ "bcma" ]; + options = { + hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities. + + This driver is vulnerable to heap buffer overflows: + - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp) + - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp) + + Attackers within WiFi range can exploit this vulnerability by sending crafted + WiFi packets, even without being connected to the same network. Simply having + WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service. + Only enable if no alternative WiFi solution is available. + ''; + }; + }; - boot = { + config = { + boot = { # Divides power consumption by two. - kernelParams = [ "acpi_osi=" ]; - }; + kernelParams = [ "acpi_osi=" ]; - services.xserver.deviceSection = lib.mkDefault '' - Option "TearFree" "true" - ''; + blacklistedKernelModules = [ "bcma" ]; + kernelModules = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities ["wl"]; + extraModulePackages = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [ + (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: { + meta = + oldAttrs.meta + // { + knownVulnerabilities = []; + }; + })) + ]; + }; + + services.xserver.deviceSection = lib.mkDefault '' + Option "TearFree" "true" + ''; + }; } diff --git a/apple/macbook-pro/11-1/default.nix b/apple/macbook-pro/11-1/default.nix index 95f8c2899..9a06799a1 100644 --- a/apple/macbook-pro/11-1/default.nix +++ b/apple/macbook-pro/11-1/default.nix 
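Review bot: The option declaration added here is a verbatim copy of the one in the imac/14-2, macbook-pro/11-1, inspiron/3442 and xps/13-9343 hunks, so the default, the CVE list and the wording will drift the first time one copy is edited, and the module system rejects two declarations that both set `default` with an "already declared" error should a configuration ever import two of these profiles. Declaring the option once in a shared module that each of the five device modules imports, and keeping only the `config` side here, removes the duplication. The new lines also reference `config`, while the pre-change lines in this hunk only used `lib` and the module's argument set is outside the hunk; check that the header is `{ config, lib, ... }:` or evaluation fails on an undefined variable.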
@@ -6,5 +6,36 @@ ../../../common/cpu/intel/haswell ]; - hardware.enableRedistributableFirmware = lib.mkDefault true; + options = { + hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities. + + This driver is vulnerable to heap buffer overflows: + - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp) + - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp) + + Attackers within WiFi range can exploit this vulnerability by sending crafted + WiFi packets, even without being connected to the same network. Simply having + WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service. + Only enable if no alternative WiFi solution is available. + ''; + }; + }; + + config = { + hardware.enableRedistributableFirmware = lib.mkDefault true; # broadcom-wl + boot.kernelModules = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities ["wl"]; + boot.extraModulePackages = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [ + (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: { + meta = + oldAttrs.meta + // { + knownVulnerabilities = []; + }; + })) + ]; + }; } diff --git a/dell/inspiron/3442/default.nix b/dell/inspiron/3442/default.nix index adbb0c164..b294f2c4d 100644 --- a/dell/inspiron/3442/default.nix +++ b/dell/inspiron/3442/default.nix 
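Review bot: The full path `config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities` is spelled out twice, once in `boot.kernelModules` and once in `boot.extraModulePackages`, and again the same way in the inspiron/3442 and xps/13-9343 hunks; binding it once reads better and keeps the two conditions from diverging. For example `config = let enabled = config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities; in { ... }` and then `boot.kernelModules = lib.mkIf enabled [ "wl" ];`, or a `cfg = config.hardware.broadcom.wifi;` binding at module level if the header (outside this hunk) is touched anyway. The trailing `# broadcom-wl` on the `enableRedistributableFirmware` line does not say what it annotates; if the firmware setting is for a different device on this model rather than for `wl`, a full sentence there would avoid the reader assuming a dependency the hunk does not show.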
@@ -6,8 +6,40 @@ ../../../common/pc/laptop ]; - services = { - fwupd.enable = lib.mkDefault true; - thermald.enable = lib.mkDefault true; + options = { + hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities. + + This driver is vulnerable to heap buffer overflows: + - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp) + - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp) + + Attackers within WiFi range can exploit this vulnerability by sending crafted + WiFi packets, even without being connected to the same network. Simply having + WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service. + Only enable if no alternative WiFi solution is available. + ''; + }; + }; + + config = { + boot.kernelModules = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities ["wl"]; + boot.extraModulePackages = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [ + (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: { + meta = + oldAttrs.meta + // { + knownVulnerabilities = []; + }; + })) + ]; + + services = { + fwupd.enable = lib.mkDefault true; + thermald.enable = lib.mkDefault true; + }; }; } diff --git a/dell/xps/13-9343/default.nix b/dell/xps/13-9343/default.nix index 28d6e22ff..2c7a78e0a 100644 --- a/dell/xps/13-9343/default.nix +++ b/dell/xps/13-9343/default.nix 
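Review bot: This hunk and the xps/13-9343 one load `wl` but, unlike the imac/14-2 hunk, do not blacklist the in-tree Broadcom drivers (`b43`, `bcma`, `brcmsmac`, `ssb`); when an in-tree driver and `wl` both match the same PCI id, whichever probes first claims the device and the outcome can differ between boots. Whether these particular models are claimed by an in-tree driver cannot be told from the hunk, but if they are, `boot.blacklistedKernelModules = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [ "b43" "bcma" "brcmsmac" "ssb" ];` next to the new `boot.kernelModules` line makes the choice deterministic. Gating the blacklist on the same option keeps the in-tree driver available when the legacy driver is switched off.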
@@ -7,14 +7,40 @@ ../../../common/pc/ssd ]; - services = { - fwupd.enable = lib.mkDefault true; - thermald.enable = lib.mkDefault true; + options = { + hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities. + + This driver is vulnerable to heap buffer overflows: + - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp) + - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp) + + Attackers within WiFi range can exploit this vulnerability by sending crafted + WiFi packets, even without being connected to the same network. Simply having + WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service. + Only enable if no alternative WiFi solution is available. + ''; + }; }; - boot = { - kernelModules = [ - "kvm-intel" + config = { + boot.kernelModules = [ "kvm-intel" ] ++ lib.optionals config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [ "wl" ]; + boot.extraModulePackages = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [ + (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: { + meta = + oldAttrs.meta + // { + knownVulnerabilities = []; + }; + })) ]; + + services = { + fwupd.enable = lib.mkDefault true; + thermald.enable = lib.mkDefault true; + }; }; } From c1e69477aab20c6bc011d7ac395b9df62e051087 Mon Sep 17 00:00:00 2001 
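Review bot: `boot.kernelModules` here is written as `[ "kvm-intel" ] ++ lib.optionals … [ "wl" ]` while the other four hunks express the same condition with `lib.mkIf …`; both evaluate to the same list, but mixing the two forms across a set of parallel device modules makes a reader check twice. `boot.kernelModules = lib.mkMerge [ [ "kvm-intel" ] (lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [ "wl" ]) ];` is the equivalent in the form the other files use, if consistency is wanted; otherwise a one-line comment saying why this file differs would do.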
From: masrlinu <5259918+masrlinu@users.noreply.github.com> Date: Thu, 13 Nov 2025 17:29:17 +0100 Subject: [PATCH 2/3] broadcom-wl: nixfmt ./. --- apple/imac/14-2/default.nix | 22 +++++++++++----------- apple/macbook-air/6/default.nix | 26 ++++++++++++++------------ apple/macbook-pro/11-1/default.nix | 26 ++++++++++++++------------ dell/inspiron/3442/default.nix | 26 ++++++++++++++------------ dell/xps/13-9343/default.nix | 27 +++++++++++++++------------ 5 files changed, 68 insertions(+), 59 deletions(-) diff --git a/apple/imac/14-2/default.nix b/apple/imac/14-2/default.nix index 6a7a009bf..9fde8b5a0 100644 --- a/apple/imac/14-2/default.nix +++ b/apple/imac/14-2/default.nix @@ -19,11 +19,11 @@ default = true; description = '' Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities. - + This driver is vulnerable to heap buffer overflows: - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp) - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp) - + Attackers within WiFi range can exploit this vulnerability by sending crafted WiFi packets, even without being connected to the same network. Simply having WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service. @@ -51,15 +51,15 @@ kernelPackages = lib.mkIf (lib.versionOlder pkgs.linux.version "6.0") pkgs.linuxPackages_latest; }; - extraModulePackages = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [ - (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: { - meta = - oldAttrs.meta - // { - knownVulnerabilities = []; - }; - })) - ]; + extraModulePackages = + lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities + [ + (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: { + meta = oldAttrs.meta // { + knownVulnerabilities = [ ]; + }; + })) + ]; hardware = { bluetooth.enable = lib.mkDefault true; 
diff --git a/apple/macbook-air/6/default.nix b/apple/macbook-air/6/default.nix index 6f3fbd903..a7d3d088c 100644 --- a/apple/macbook-air/6/default.nix +++ b/apple/macbook-air/6/default.nix @@ -9,11 +9,11 @@ default = true; description = '' Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities. - + This driver is vulnerable to heap buffer overflows: - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp) - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp) - + Attackers within WiFi range can exploit this vulnerability by sending crafted WiFi packets, even without being connected to the same network. Simply having WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service. @@ -24,20 +24,22 @@ config = { boot = { - # Divides power consumption by two. + # Divides power consumption by two. kernelParams = [ "acpi_osi=" ]; blacklistedKernelModules = [ "bcma" ]; - kernelModules = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities ["wl"]; - extraModulePackages = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [ - (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: { - meta = - oldAttrs.meta - // { - knownVulnerabilities = []; - }; - })) + kernelModules = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [ + "wl" ]; + extraModulePackages = + lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities + [ + (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: { + meta = oldAttrs.meta // { + knownVulnerabilities = [ ]; + }; + })) + ]; }; services.xserver.deviceSection = lib.mkDefault '' diff --git a/apple/macbook-pro/11-1/default.nix b/apple/macbook-pro/11-1/default.nix index 9a06799a1..5ed70ec07 100644 --- a/apple/macbook-pro/11-1/default.nix +++ b/apple/macbook-pro/11-1/default.nix 
@@ -12,11 +12,11 @@ default = true; description = '' Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities. - + This driver is vulnerable to heap buffer overflows: - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp) - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp) - + Attackers within WiFi range can exploit this vulnerability by sending crafted WiFi packets, even without being connected to the same network. Simply having WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service. @@ -27,15 +27,17 @@ config = { hardware.enableRedistributableFirmware = lib.mkDefault true; # broadcom-wl - boot.kernelModules = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities ["wl"]; - boot.extraModulePackages = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [ - (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: { - meta = - oldAttrs.meta - // { - knownVulnerabilities = []; - }; - })) - ]; + boot.kernelModules = + lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities + [ "wl" ]; + boot.extraModulePackages = + lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities + [ + (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: { + meta = oldAttrs.meta // { + knownVulnerabilities = [ ]; + }; + })) + ]; }; } diff --git a/dell/inspiron/3442/default.nix b/dell/inspiron/3442/default.nix index b294f2c4d..7d56de67b 100644 --- a/dell/inspiron/3442/default.nix +++ b/dell/inspiron/3442/default.nix 
@@ -12,11 +12,11 @@ default = true; description = '' Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities. - + This driver is vulnerable to heap buffer overflows: - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp) - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp) - + Attackers within WiFi range can exploit this vulnerability by sending crafted WiFi packets, even without being connected to the same network. Simply having WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service. @@ -26,16 +26,18 @@ }; config = { - boot.kernelModules = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities ["wl"]; - boot.extraModulePackages = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [ - (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: { - meta = - oldAttrs.meta - // { - knownVulnerabilities = []; - }; - })) - ]; + boot.kernelModules = + lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities + [ "wl" ]; + boot.extraModulePackages = + lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities + [ + (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: { + meta = oldAttrs.meta // { + knownVulnerabilities = [ ]; + }; + })) + ]; services = { fwupd.enable = lib.mkDefault true; diff --git a/dell/xps/13-9343/default.nix b/dell/xps/13-9343/default.nix index 2c7a78e0a..fa8154d12 100644 --- a/dell/xps/13-9343/default.nix +++ b/dell/xps/13-9343/default.nix 
@@ -13,11 +13,11 @@ default = true; description = '' Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities. - + This driver is vulnerable to heap buffer overflows: - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp) - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp) - + Attackers within WiFi range can exploit this vulnerability by sending crafted WiFi packets, even without being connected to the same network. Simply having WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service. @@ -27,16 +27,19 @@ }; config = { - boot.kernelModules = [ "kvm-intel" ] ++ lib.optionals config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [ "wl" ]; - boot.extraModulePackages = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [ - (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: { - meta = - oldAttrs.meta - // { - knownVulnerabilities = []; - }; - })) - ]; + boot.kernelModules = [ + "kvm-intel" + ] + ++ lib.optionals config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [ "wl" ]; + boot.extraModulePackages = + lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities + [ + (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: { + meta = oldAttrs.meta // { + knownVulnerabilities = [ ]; + }; + })) + ]; services = { fwupd.enable = lib.mkDefault true; From cbba9fee873cfdf20f4baa4c0a73c8f39f838395 Mon Sep 17 00:00:00 2001 From: masrlinu <5259918+masrlinu@users.noreply.github.com> Date: Thu, 13 Nov 2025 18:13:49 +0100 Subject: [PATCH 3/3] broadcom-wl: bugfix --- apple/imac/14-2/default.nix | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/apple/imac/14-2/default.nix b/apple/imac/14-2/default.nix index 9fde8b5a0..1117eb062 100644 --- a/apple/imac/14-2/default.nix +++ b/apple/imac/14-2/default.nix 
@@ -49,18 +49,17 @@ "bcma" ]; kernelPackages = lib.mkIf (lib.versionOlder pkgs.linux.version "6.0") pkgs.linuxPackages_latest; + extraModulePackages = + lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities + [ + (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: { + meta = oldAttrs.meta // { + knownVulnerabilities = [ ]; + }; + })) + ]; }; - extraModulePackages = - lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities - [ - (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: { - meta = oldAttrs.meta // { - knownVulnerabilities = [ ]; - }; - })) - ]; - hardware = { bluetooth.enable = lib.mkDefault true; };
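Review bot: After this move `extraModulePackages` sits inside `boot` where it belongs, but imac/14-2 is still the only one of the five profiles that does not add `"wl"` to `boot.kernelModules`; the other four load it explicitly alongside the package. If the intent is to rely on modalias autoload for this model, that deserves a comment, otherwise `kernelModules = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [ "wl" ];` inside the same `boot = { … }` block would match the others. The enclosing `boot` and `config` sets begin before this hunk.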