broadcom-wl: enable WiFi/Bluetooth driver as discussed in PR NixOS#1580

masrlinu · masrlinu · commit 868a9bcad178 · 2025-11-13T17:09:42.000+01:00
diff --git a/apple/imac/14-2/default.nix b/apple/imac/14-2/default.nix
@@ -13,25 +13,56 @@
     ../../../common/hidpi.nix
   ];
 
-  boot = {
-    initrd.kernelModules = [
-      "applesmc"
-      "applespi"
-      "intel_lpss_pci"
-      "spi_pxa2xx_platform"
-      "kvm-intel"
-    ];
-    blacklistedKernelModules = [
-      "b43"
-      "ssb"
-      "brcmfmac"
-      "brcmsmac"
-      "bcma"
-    ];
-    kernelPackages = lib.mkIf (lib.versionOlder pkgs.linux.version "6.0") pkgs.linuxPackages_latest;
+  options = {
+    hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = ''
+        Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities.
+        
+        This driver is vulnerable to heap buffer overflows:
+        - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp)
+        - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp)
+        
+        Attackers within WiFi range can exploit this vulnerability by sending crafted
+        WiFi packets, even without being connected to the same network. Simply having
+        WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service.
+        Only enable if no alternative WiFi solution is available.
+      '';
+    };
   };
 
-  hardware = {
-    bluetooth.enable = lib.mkDefault true;
+  config = {
+    boot = {
+      initrd.kernelModules = [
+        "applesmc"
+        "applespi"
+        "intel_lpss_pci"
+        "spi_pxa2xx_platform"
+        "kvm-intel"
+      ];
+      blacklistedKernelModules = [
+        "b43"
+        "ssb"
+        "brcmfmac"
+        "brcmsmac"
+        "bcma"
+      ];
+      kernelPackages = lib.mkIf (lib.versionOlder pkgs.linux.version "6.0") pkgs.linuxPackages_latest;
+    };
+
+    extraModulePackages = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [
+      (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: {
+        meta =
+          oldAttrs.meta
+          // {
+            knownVulnerabilities = [];
+          };
+      }))
+    ];
+
+    hardware = {
+      bluetooth.enable = lib.mkDefault true;
+    };
   };
 }
diff --git a/apple/macbook-air/6/default.nix b/apple/macbook-air/6/default.nix
@@ -3,14 +3,45 @@
 {
   imports = [ ../. ];
 
-  boot.blacklistedKernelModules = [ "bcma" ];
+  options = {
+    hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = ''
+        Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities.
+        
+        This driver is vulnerable to heap buffer overflows:
+        - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp)
+        - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp)
+        
+        Attackers within WiFi range can exploit this vulnerability by sending crafted
+        WiFi packets, even without being connected to the same network. Simply having
+        WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service.
+        Only enable if no alternative WiFi solution is available.
+      '';
+    };
+  };
 
-  boot = {
+  config = {
+    boot = {
     # Divides power consumption by two.
-    kernelParams = [ "acpi_osi=" ];
-  };
+      kernelParams = [ "acpi_osi=" ];
 
-  services.xserver.deviceSection = lib.mkDefault ''
-    Option "TearFree" "true"
-  '';
+      blacklistedKernelModules = [ "bcma" ];
+      kernelModules = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities ["wl"];
+      extraModulePackages = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [
+        (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: {
+          meta =
+            oldAttrs.meta
+            // {
+              knownVulnerabilities = [];
+            };
+        }))
+      ];
+    };
+
+    services.xserver.deviceSection = lib.mkDefault ''
+      Option "TearFree" "true"
+    '';
+  };
 }
diff --git a/apple/macbook-pro/11-1/default.nix b/apple/macbook-pro/11-1/default.nix
@@ -6,5 +6,36 @@
     ../../../common/cpu/intel/haswell
   ];
 
-  hardware.enableRedistributableFirmware = lib.mkDefault true;
+  options = {
+    hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = ''
+        Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities.
+        
+        This driver is vulnerable to heap buffer overflows:
+        - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp)
+        - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp)
+        
+        Attackers within WiFi range can exploit this vulnerability by sending crafted
+        WiFi packets, even without being connected to the same network. Simply having
+        WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service.
+        Only enable if no alternative WiFi solution is available.
+      '';
+    };
+  };
+
+  config = {
+    hardware.enableRedistributableFirmware = lib.mkDefault true; # broadcom-wl
+    boot.kernelModules = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities ["wl"];
+    boot.extraModulePackages = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [
+      (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: {
+        meta =
+          oldAttrs.meta
+          // {
+            knownVulnerabilities = [];
+          };
+      }))
+    ];
+  };
 }
diff --git a/dell/inspiron/3442/default.nix b/dell/inspiron/3442/default.nix
@@ -6,8 +6,40 @@
     ../../../common/pc/laptop
   ];
 
-  services = {
-    fwupd.enable = lib.mkDefault true;
-    thermald.enable = lib.mkDefault true;
+  options = {
+    hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = ''
+        Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities.
+        
+        This driver is vulnerable to heap buffer overflows:
+        - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp)
+        - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp)
+        
+        Attackers within WiFi range can exploit this vulnerability by sending crafted
+        WiFi packets, even without being connected to the same network. Simply having
+        WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service.
+        Only enable if no alternative WiFi solution is available.
+      '';
+    };
+  };
+
+  config = {
+    boot.kernelModules = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities ["wl"];
+    boot.extraModulePackages = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [
+      (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: {
+        meta =
+          oldAttrs.meta
+          // {
+            knownVulnerabilities = [];
+          };
+      }))
+    ];
+
+    services = {
+      fwupd.enable = lib.mkDefault true;
+      thermald.enable = lib.mkDefault true;
+    };
   };
 }
diff --git a/dell/xps/13-9343/default.nix b/dell/xps/13-9343/default.nix
@@ -7,14 +7,40 @@
     ../../../common/pc/ssd
   ];
 
-  services = {
-    fwupd.enable = lib.mkDefault true;
-    thermald.enable = lib.mkDefault true;
+  options = {
+    hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = ''
+        Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities.
+        
+        This driver is vulnerable to heap buffer overflows:
+        - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp)
+        - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp)
+        
+        Attackers within WiFi range can exploit this vulnerability by sending crafted
+        WiFi packets, even without being connected to the same network. Simply having
+        WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service.
+        Only enable if no alternative WiFi solution is available.
+      '';
+    };
   };
 
-  boot = {
-    kernelModules = [
-      "kvm-intel"
+  config = {
+    boot.kernelModules = [ "kvm-intel" ] ++ lib.optionals config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [ "wl" ];
+    boot.extraModulePackages = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [
+      (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: {
+        meta =
+          oldAttrs.meta
+          // {
+            knownVulnerabilities = [];
+          };
+      }))
     ];
+
+    services = {
+      fwupd.enable = lib.mkDefault true;
+      thermald.enable = lib.mkDefault true;
+    };
   };
 }
