broadcom-wl: introduce common/broadcom-wifi.nix and import in Apple/Dell profiles

masrlinu · masrlinu · commit 494bc107fc9d · 2025-12-13T02:07:27.000+01:00
diff --git a/apple/imac/14-2/default.nix b/apple/imac/14-2/default.nix
@@ -11,27 +11,9 @@
     ../../../common/gpu/nvidia
     ../../../common/gpu/nvidia/kepler
     ../../../common/hidpi.nix
+    ../../../common/broadcom-wifi.nix
   ];
 
-  options = {
-    hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = lib.mkOption {
-      type = lib.types.bool;
-      default = false;
-      description = ''
-        Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities.
-
-        This driver is vulnerable to heap buffer overflows:
-        - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp)
-        - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp)
-
-        Attackers within WiFi range can exploit this vulnerability by sending crafted
-        WiFi packets, even without being connected to the same network. Simply having
-        WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service.
-        Only enable if no alternative WiFi solution is available.
-      '';
-    };
-  };
-
   config = {
     boot = {
       initrd.kernelModules = [
@@ -49,15 +31,6 @@
         "bcma"
       ];
       kernelPackages = lib.mkIf (lib.versionOlder pkgs.linux.version "6.0") pkgs.linuxPackages_latest;
-      extraModulePackages =
-        lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities
-          [
-            (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: {
-              meta = oldAttrs.meta // {
-                knownVulnerabilities = [ ];
-              };
-            }))
-          ];
     };
 
     hardware = {
diff --git a/apple/macbook-air/6/default.nix b/apple/macbook-air/6/default.nix
@@ -1,45 +1,17 @@
 { config, lib, ... }:
 
 {
-  imports = [ ../. ];
-
-  options = {
-    hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = lib.mkOption {
-      type = lib.types.bool;
-      default = false;
-      description = ''
-        Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities.
-
-        This driver is vulnerable to heap buffer overflows:
-        - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp)
-        - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp)
-
-        Attackers within WiFi range can exploit this vulnerability by sending crafted
-        WiFi packets, even without being connected to the same network. Simply having
-        WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service.
-        Only enable if no alternative WiFi solution is available.
-      '';
-    };
-  };
+  imports = [ 
+    ../. 
+    ../../../common/broadcom-wifi.nix
+  ];
 
   config = {
     boot = {
       # Divides power consumption by two.
       kernelParams = [ "acpi_osi=" ];
 
       blacklistedKernelModules = [ "bcma" ];
-      kernelModules = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [
-        "wl"
-      ];
-      extraModulePackages =
-        lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities
-          [
-            (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: {
-              meta = oldAttrs.meta // {
-                knownVulnerabilities = [ ];
-              };
-            }))
-          ];
     };
 
     services.xserver.deviceSection = lib.mkDefault ''
diff --git a/apple/macbook-pro/11-1/default.nix b/apple/macbook-pro/11-1/default.nix
@@ -4,40 +4,10 @@
     ../.
     ../../../common/pc/ssd
     ../../../common/cpu/intel/haswell
+    ../../../common/broadcom-wifi.nix
   ];
 
-  options = {
-    hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = lib.mkOption {
-      type = lib.types.bool;
-      default = false;
-      description = ''
-        Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities.
-
-        This driver is vulnerable to heap buffer overflows:
-        - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp)
-        - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp)
-
-        Attackers within WiFi range can exploit this vulnerability by sending crafted
-        WiFi packets, even without being connected to the same network. Simply having
-        WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service.
-        Only enable if no alternative WiFi solution is available.
-      '';
-    };
-  };
-
   config = {
     hardware.enableRedistributableFirmware = lib.mkDefault true; # broadcom-wl
-    boot.kernelModules =
-      lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities
-        [ "wl" ];
-    boot.extraModulePackages =
-      lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities
-        [
-          (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: {
-            meta = oldAttrs.meta // {
-              knownVulnerabilities = [ ];
-            };
-          }))
-        ];
   };
 }
diff --git a/common/broadcom-wifi.nix b/common/broadcom-wifi.nix
@@ -0,0 +1,33 @@
+{ config, lib, pkgs, ... }:
+
+{
+  options = {
+    hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities.
+
+        This driver is vulnerable to heap buffer overflows:
+        - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp)
+        - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp)
+
+        Attackers within WiFi range can exploit this vulnerability by sending crafted
+        WiFi packets, even without being connected to the same network. Simply having
+        WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service.
+        Only enable if no alternative WiFi solution is available.
+      '';
+    };
+  };
+
+  config = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities {
+    boot.kernelModules = [ "wl" ];
+    boot.extraModulePackages = [
+      (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: {
+        meta = oldAttrs.meta // {
+          knownVulnerabilities = [ ];
+        };
+      }))
+    ];
+  };
+}
diff --git a/dell/inspiron/3442/default.nix b/dell/inspiron/3442/default.nix
@@ -4,41 +4,10 @@
   imports = [
     ../../../common/cpu/intel/haswell
     ../../../common/pc/laptop
+    ../../../common/broadcom-wifi.nix
   ];
 
-  options = {
-    hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = lib.mkOption {
-      type = lib.types.bool;
-      default = false;
-      description = ''
-        Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities.
-
-        This driver is vulnerable to heap buffer overflows:
-        - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp)
-        - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp)
-
-        Attackers within WiFi range can exploit this vulnerability by sending crafted
-        WiFi packets, even without being connected to the same network. Simply having
-        WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service.
-        Only enable if no alternative WiFi solution is available.
-      '';
-    };
-  };
-
   config = {
-    boot.kernelModules =
-      lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities
-        [ "wl" ];
-    boot.extraModulePackages =
-      lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities
-        [
-          (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: {
-            meta = oldAttrs.meta // {
-              knownVulnerabilities = [ ];
-            };
-          }))
-        ];
-
     services = {
       fwupd.enable = lib.mkDefault true;
       thermald.enable = lib.mkDefault true;
diff --git a/dell/xps/13-9343/default.nix b/dell/xps/13-9343/default.nix
@@ -5,41 +5,13 @@
     ../../../common/cpu/intel
     ../../../common/pc/laptop
     ../../../common/pc/ssd
+    ../../../common/broadcom-wifi.nix
   ];
 
-  options = {
-    hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = lib.mkOption {
-      type = lib.types.bool;
-      default = false;
-      description = ''
-        Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities.
-
-        This driver is vulnerable to heap buffer overflows:
-        - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp)
-        - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp)
-
-        Attackers within WiFi range can exploit this vulnerability by sending crafted
-        WiFi packets, even without being connected to the same network. Simply having
-        WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service.
-        Only enable if no alternative WiFi solution is available.
-      '';
-    };
-  };
-
   config = {
     boot.kernelModules = [
       "kvm-intel"
-    ]
-    ++ lib.optionals config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [ "wl" ];
-    boot.extraModulePackages =
-      lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities
-        [
-          (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: {
-            meta = oldAttrs.meta // {
-              knownVulnerabilities = [ ];
-            };
-          }))
-        ];
+    ];
 
     services = {
       fwupd.enable = lib.mkDefault true;
