From b09586b1011846db568c11f41c37c9b375321934 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Thu, 30 Oct 2025 13:03:59 +0100
Subject: [PATCH] Remove insecure broadcom-sta driver from hardware profiles
The broadcom-sta driver package is marked as insecure due to CVE-2019-9501 and CVE-2019-9502 (heap buffer overflow vulnerabilities allowing remote code execution). The driver is also unmaintained and incompatible with modern Linux kernel security mitigations. Removed broadcom_sta from extraModulePackages and the corresponding "wl" kernel module. This resolves test failures where Nixpkgs refuses to evaluate configurations containing this insecure package.
---
apple/imac/14-2/default.nix | 1 -
apple/macbook-air/6/default.nix | 2 --
apple/macbook-pro/11-1/default.nix | 4 ----
dell/inspiron/3442/default.nix | 6 ------
dell/xps/13-9343/default.nix | 3 ---
5 files changed, 16 deletions(-)
diff --git a/apple/imac/14-2/default.nix b/apple/imac/14-2/default.nix
index c20acfd7..5dd218c5 100644
--- a/apple/imac/14-2/default.nix
+++ b/apple/imac/14-2/default.nix
@@ -29,7 +29,6 @@
"bcma"
];
kernelPackages = lib.mkIf (lib.versionOlder pkgs.linux.version "6.0") pkgs.linuxPackages_latest;
- extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
};
hardware = {
diff --git a/apple/macbook-air/6/default.nix b/apple/macbook-air/6/default.nix
index 3e927352..67f3a706 100644
--- a/apple/macbook-air/6/default.nix
+++ b/apple/macbook-air/6/default.nix
@@ -3,8 +3,6 @@
{
imports = [ ../. ];
- boot.kernelModules = [ "wl" ];
- boot.extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
boot.blacklistedKernelModules = [ "bcma" ];
boot = {
diff --git a/apple/macbook-pro/11-1/default.nix b/apple/macbook-pro/11-1/default.nix
index 6c9509b2..95f8c289 100644
--- a/apple/macbook-pro/11-1/default.nix
+++ b/apple/macbook-pro/11-1/default.nix
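Review bot: `boot.blacklistedKernelModules = [ "bcma" ];` is left standing in the apple/macbook-air/6 hunk after the `wl` module and broadcom_sta package it presumably coexisted with are removed; blacklisting bcma (the bus driver the in-tree brcmsmac/b43 drivers depend on) now keeps the kernel's own Broadcom stack from binding too, so the profile likely leaves the adapter with no driver at all instead of falling back to a maintained one. That the blacklist existed only to avoid the usual bcma/wl conflict is inferred from the pairing, not stated in the hunk, so please confirm on hardware. Either drop the blacklist line or, if the in-tree drivers are known not to support this chipset, keep it with a comment such as `# bcma stays blacklisted: the in-tree drivers do not handle this chip; the out-of-tree wl driver was dropped (CVE-2019-9501/9502), so wifi needs an external adapter`. The same leftover `"bcma"` entry is visible in the apple/imac/14-2 hunk, inside a blacklist list whose opening line is outside that hunk.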
@@ -6,9 +6,5 @@
../../../common/cpu/intel/haswell
];
- # broadcom-wl
hardware.enableRedistributableFirmware = lib.mkDefault true;
- # nixos-generate-config doesn't detect this automatically.
- boot.extraModulePackages = with config.boot.kernelPackages; [ broadcom_sta ];
- boot.kernelModules = [ "wl" ];
}
diff --git a/dell/inspiron/3442/default.nix b/dell/inspiron/3442/default.nix
index 0d298ff3..6aefb56e 100644
--- a/dell/inspiron/3442/default.nix
+++ b/dell/inspiron/3442/default.nix
@@ -12,10 +12,4 @@
fwupd.enable = lib.mkDefault true;
thermald.enable = lib.mkDefault true;
};
-
- boot = {
- # needs to be explicitly loaded or else bluetooth/wifi won't work.
- kernelModules = [ "wl" ];
- extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
- };
}
diff --git a/dell/xps/13-9343/default.nix b/dell/xps/13-9343/default.nix
index e98bb09b..28d6e22f 100644
--- a/dell/xps/13-9343/default.nix
+++ b/dell/xps/13-9343/default.nix
@@ -13,11 +13,8 @@
};
boot = {
- # needs to be explicitly loaded or else bluetooth/wifi won't work
kernelModules = [
"kvm-intel"
- "wl"
];
- extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
};
}
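Review bot: In the dell/xps/13-9343 hunk the new side loads nothing for the Broadcom adapter that the deleted comment says required `wl` ("or else bluetooth/wifi won't work"), and the remaining `boot = { kernelModules = [ "kvm-intel" ]; }` carries no trace of why, so users of this profile get a laptop whose wireless stopped working with no pointer to the cause. The rationale from the commit message belongs in the file; a comment above the surviving `boot = {` block such as `# The out-of-tree broadcom_sta ("wl") driver was removed: Nixpkgs marks it insecure (CVE-2019-9501/9502) and it is unmaintained.` followed by `# The in-tree b43/brcmsmac drivers may not support this chipset; verify wifi on hardware.` would do. Whether an in-tree driver covers this particular chip is not established by anything in the hunk, hence the hedged wording. The dell/inspiron/3442 hunk, where the whole `boot` block is deleted, has the same gap; in both files the enclosing attribute set begins outside the hunk.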