From: Demi Marie Obenour
Subject: [PATCH v2 0/2] Move verity and EFI creation to separate Nix derivations
Date: Fri, 07 Nov 2025 23:47:10 -0500
Message-Id: <20251107-refactor-verity-v2-0-2af58b1a4a87@gmail.com>
In-Reply-To: <20251105-refactor-verity-v1-0-b8ba27dfdf06@gmail.com>
References: <20251105-refactor-verity-v1-0-b8ba27dfdf06@gmail.com>
To: Spectrum OS Development
CC: Demi Marie Obenour, Alyssa Ross
List-Id: Patches and low-level development discussion

This doesn't have any functional change, other than to use the read
builtin instead of a cat command in a shell script. However, it does
make the code much cleaner and more reusable. For instance, one can
easily build just the verity image or just the UKI.

This will be used by the Nix code that generates an update package.
The update package needs the root filesystem, the verity superblock,
and the UKI. It doesn't need the installer or the live image.

Signed-off-by: Demi Marie Obenour

---
Changes in v2:
- Do not break interactive rootfs development.
- Link to v1: https://spectrum-os.org/lists/archives/spectrum-devel/20251105-refactor-verity-v1-0-b8ba27dfdf06@gmail.com

---
Demi Marie Obenour (2):
      Build verity images in rootfs Nix derivation
      Move UKI creation to a separate derivation

 host/efi.nix             | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 host/initramfs/Makefile  | 26 +++++---------------------
 host/initramfs/shell.nix |  4 +++-
 host/rootfs/Makefile     | 44 +++++++++++++++++++++-----------------------
 host/rootfs/default.nix  |  2 +-
 host/rootfs/shell.nix    |  2 +-
 pkgs/default.nix         |  1 +
 release/live/Makefile    | 37 +++++--------------------------------
 release/live/default.nix | 23 ++++++++---------------
 9 files changed, 91 insertions(+), 94 deletions(-)
---
base-commit: 464d69599922a2b233804559c93ccea10fa3dc44
change-id: 20251105-refactor-verity-9c8ca37e021a

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)