broadcom-wl: enable WiFi/Bluetooth driver as discussed in PR #1580

apple/imac/14-2/README.md

@@ -20,6 +20,12 @@
 
 ## Wifi
 - [x] ok
+> **Note:** Enabling WiFi and Bluetooth functionality on this hardware requires the proprietary Broadcom driver. Due to outstanding security issues, you need to explicitly opt-in by setting:
+>
+> ```nix
+> hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = true;
+> ```
+
 
 ## Graphics
 - [x] Latest unsupported Nvidia drivers available are 390.157, working with Kernel 6.10.6.

apple/imac/14-2/default.nix

@@ -11,27 +11,38 @@
     ../../../common/gpu/nvidia
     ../../../common/gpu/nvidia/kepler
     ../../../common/hidpi.nix
+    ../../../common/broadcom-wifi.nix
   ];
+  # ##############################################################################
+  # ATTENTION / IMPORTANT NOTE:
+  #
+  # Note: Enabling WiFi and Bluetooth functionality on this hardware requires
+  # the proprietary Broadcom driver. Due to outstanding security issues, you
+  # need to explicitly opt-in by setting:
+  #
+  # hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = true;
+  # ##############################################################################
+  config = {
+    boot = {
+      initrd.kernelModules = [
+        "applesmc"
+        "applespi"
+        "intel_lpss_pci"
+        "spi_pxa2xx_platform"
+        "kvm-intel"
+      ];
+      blacklistedKernelModules = [
+        "b43"
+        "ssb"
+        "brcmfmac"
+        "brcmsmac"
+        "bcma"
+      ];
+      kernelPackages = lib.mkIf (lib.versionOlder pkgs.linux.version "6.0") pkgs.linuxPackages_latest;
+    };
 
-  boot = {
-    initrd.kernelModules = [
-      "applesmc"
-      "applespi"
-      "intel_lpss_pci"
-      "spi_pxa2xx_platform"
-      "kvm-intel"
-    ];
-    blacklistedKernelModules = [
-      "b43"
-      "ssb"
-      "brcmfmac"
-      "brcmsmac"
-      "bcma"
-    ];
-    kernelPackages = lib.mkIf (lib.versionOlder pkgs.linux.version "6.0") pkgs.linuxPackages_latest;
-  };
-
-  hardware = {
-    bluetooth.enable = lib.mkDefault true;
+    hardware = {
+      bluetooth.enable = lib.mkDefault true;
+    };
   };
 }

apple/macbook-air/6/README.md

@@ -0,0 +1,9 @@
+# Apple MacBook Air 6,x
+
+## Wireless / Bluetooth
+
+> **Note:** Enabling WiFi and Bluetooth functionality on this hardware requires the proprietary Broadcom driver. Due to outstanding security issues, you need to explicitly opt-in by setting:
+>
+> ```nix
+> hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = true;
+> ```

apple/macbook-air/6/default.nix

@@ -1,16 +1,29 @@
 { config, lib, ... }:
 
 {
-  imports = [ ../. ];
+  imports = [
+    ../.
+    ../../../common/broadcom-wifi.nix
+  ];
+  # ##############################################################################
+  # ATTENTION / IMPORTANT NOTE:
+  #
+  # Note: Enabling WiFi and Bluetooth functionality on this hardware requires
+  # the proprietary Broadcom driver. Due to outstanding security issues, you
+  # need to explicitly opt-in by setting:
+  #
+  # hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = true;
+  # ##############################################################################
+  config = {
+    boot = {
+      # Divides power consumption by two.
+      kernelParams = [ "acpi_osi=" ];
 
-  boot.blacklistedKernelModules = [ "bcma" ];
+      blacklistedKernelModules = [ "bcma" ];
+    };
 
-  boot = {
-    # Divides power consumption by two.
-    kernelParams = [ "acpi_osi=" ];
+    services.xserver.deviceSection = lib.mkDefault ''
+      Option "TearFree" "true"
+    '';
   };
-
-  services.xserver.deviceSection = lib.mkDefault ''
-    Option "TearFree" "true"
-  '';
 }

apple/macbook-pro/11-1/README.md

@@ -4,6 +4,13 @@ This configuration is tested on my 13" *MacBook Pro (Retina, 13-inch, Late 2013)
 
 The 6.11.5 kernel appears to work well with only minor adjustments on this notebook. Note that my machine has a BCM4360 wireless card (PCI-ID `14e4:43a0`) which appears to only work with the nonfree `wl` driver.
 
+> **Note:** Enabling WiFi and Bluetooth functionality on this hardware requires the proprietary Broadcom driver. Due to outstanding security issues, you need to explicitly opt-in by setting:
+>
+> ```nix
+> hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = true;
+> ```
+
+
 ## Additional resources
 
 * Linux Wireless Documentation: [List of hardware](https://wireless.docs.kernel.org/en/latest/en/users/drivers/b43.html#list-of-hardware)

apple/macbook-pro/11-1/default.nix

@@ -4,7 +4,18 @@
     ../.
     ../../../common/pc/ssd
     ../../../common/cpu/intel/haswell
+    ../../../common/broadcom-wifi.nix
   ];
-
-  hardware.enableRedistributableFirmware = lib.mkDefault true;
+  # ##############################################################################
+  # ATTENTION / IMPORTANT NOTE:
+  #
+  # Note: Enabling WiFi and Bluetooth functionality on this hardware requires
+  # the proprietary Broadcom driver. Due to outstanding security issues, you
+  # need to explicitly opt-in by setting:
+  #
+  # hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = true;
+  # ##############################################################################
+  config = {
+    hardware.enableRedistributableFirmware = lib.mkDefault true; # broadcom-wl
+  };
 }

common/broadcom-wifi.nix

@@ -0,0 +1,38 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  options = {
+    hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities.
+
+        This driver is vulnerable to heap buffer overflows:
+        - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp)
+        - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp)
+
+        Attackers within WiFi range can exploit this vulnerability by sending crafted
+        WiFi packets, even without being connected to the same network. Simply having
+        WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service.
+        Only enable if no alternative WiFi solution is available.
+      '';
+    };
+  };
+
+  config = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities {
+    boot.kernelModules = [ "wl" ];
+    boot.extraModulePackages = [
+      (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: {
+        meta = oldAttrs.meta // {
+          knownVulnerabilities = [ ];
+        };
+      }))
+    ];
+  };
+}

dell/inspiron/3442/README.md

@@ -25,6 +25,14 @@ $ lspci -nn
 
 ### Extra Configuration
 
+#### Broadcom WiFi/Bluetooth
+
+> **Note:** Enabling WiFi and Bluetooth functionality on this hardware requires the proprietary Broadcom driver. Due to outstanding security issues, you need to explicitly opt-in by setting:
+>
+> ```nix
+> hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = true;
+> ```
+
 #### Bluetooth
 
 To enable bluetooth support, set `hardware.bluetooth.enable = true;`.

dell/inspiron/3442/default.nix

@@ -4,10 +4,21 @@
   imports = [
     ../../../common/cpu/intel/haswell
     ../../../common/pc/laptop
+    ../../../common/broadcom-wifi.nix
   ];
-
-  services = {
-    fwupd.enable = lib.mkDefault true;
-    thermald.enable = lib.mkDefault true;
+  # ##############################################################################
+  # ATTENTION / IMPORTANT NOTE:
+  #
+  # Note: Enabling WiFi and Bluetooth functionality on this hardware requires
+  # the proprietary Broadcom driver. Due to outstanding security issues, you
+  # need to explicitly opt-in by setting:
+  #
+  # hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = true;
+  # ##############################################################################
+  config = {
+    services = {
+      fwupd.enable = lib.mkDefault true;
+      thermald.enable = lib.mkDefault true;
+    };
   };
 }

dell/xps/13-9343/README.md

@@ -0,0 +1,9 @@
+# Dell XPS 13 (9343)
+
+## Wireless / Bluetooth
+
+> **Note:** Enabling WiFi and Bluetooth functionality on this hardware requires the proprietary Broadcom driver. Due to outstanding security issues, you need to explicitly opt-in by setting:
+>
+> ```nix
+> hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = true;
+> ```

dell/xps/13-9343/default.nix

@@ -5,16 +5,25 @@
     ../../../common/cpu/intel
     ../../../common/pc/laptop
     ../../../common/pc/ssd
+    ../../../common/broadcom-wifi.nix
   ];
-
-  services = {
-    fwupd.enable = lib.mkDefault true;
-    thermald.enable = lib.mkDefault true;
-  };
-
-  boot = {
-    kernelModules = [
+  # ##############################################################################
+  # ATTENTION / IMPORTANT NOTE:
+  #
+  # Note: Enabling WiFi and Bluetooth functionality on this hardware requires
+  # the proprietary Broadcom driver. Due to outstanding security issues, you
+  # need to explicitly opt-in by setting:
+  #
+  # hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = true;
+  # ##############################################################################
+  config = {
+    boot.kernelModules = [
       "kvm-intel"
     ];
+
+    services = {
+      fwupd.enable = lib.mkDefault true;
+      thermald.enable = lib.mkDefault true;
+    };
   };
 }