From: Demi Marie Obenour
Subject: [PATCH 0/2] Move verity and EFI creation to separate Nix derivations
Date: Wed, 05 Nov 2025 17:33:31 -0500
Message-Id: <20251105-refactor-verity-v1-0-b8ba27dfdf06@gmail.com>
To: Spectrum OS Development
CC: Demi Marie Obenour, Alyssa Ross

This doesn't have any functional change, other than to use the read
builtin instead of a cat command in a shell script. However, it does
make the code much cleaner and more reusable. For instance, one can
easily build just the verity image or just the UKI.

This will be used by the Nix code that generates an update package.
The update package needs the root filesystem, the verity superblock,
and the UKI. It doesn't need the installer or the live image.

Signed-off-by: Demi Marie Obenour
---
Demi Marie Obenour (2):
      Create Nix derivation for building verity images
      Move UKI creation to a separate derivation

 host/efi.nix             | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 host/initramfs/Makefile  | 25 +++++--------------------
 host/initramfs/shell.nix |  4 +++-
 host/rootfs/Makefile     | 24 +++++-------------------
 host/rootfs/shell.nix    |  3 +++
 host/verity.nix          | 19 +++++++++++++++++++
 lib/common.mk            |  1 -
 pkgs/default.nix         |  2 ++
 release/live/Makefile    | 37 +++++--------------------------------
 release/live/default.nix | 22 +++++++---------------
 10 files changed, 95 insertions(+), 88 deletions(-)
---
base-commit: 43a8c81c58d73967635f57fdd84734d44120bc39
change-id: 20251105-refactor-verity-9c8ca37e021a

--
Sincerely,
Demi Marie Obenour (she/her/hers)