From: Demi Marie Obenour
Subject: [PATCH v3 0/2] Move verity and EFI creation to separate Nix derivations
Date: Tue, 11 Nov 2025 19:59:07 -0500
To: Spectrum OS Development
CC: Demi Marie Obenour, Alyssa Ross

This doesn't have any functional change, other than to use the read
builtin instead of a cat command in a shell script. However, it does
make the code much cleaner and more reusable. For instance, one can
easily build just the verity image or just the UKI.

This will be used by the Nix code that generates an update package.
The update package needs the root filesystem, the verity superblock,
and the UKI. It doesn't need the installer or the live image.

Signed-off-by: Demi Marie Obenour
---
Changes in v3:
- Rebase on main
- Link to v2: https://spectrum-os.org/lists/archives/spectrum-devel/20251107-refactor-verity-v2-0-2af58b1a4a87@gmail.com

Changes in v2:
- Do not break interactive rootfs development.
- Link to v1: https://spectrum-os.org/lists/archives/spectrum-devel/20251105-refactor-verity-v1-0-b8ba27dfdf06@gmail.com

---
Demi Marie Obenour (2):
      Build verity images in rootfs Nix derivation
      Move UKI creation to a separate derivation

 host/efi.nix             | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 host/initramfs/Makefile  | 26 +++++--------------------
 host/initramfs/shell.nix |  4 +++-
 host/rootfs/Makefile     | 45 +++++++++++++++++++++------------------------
 host/rootfs/default.nix  |  2 +-
 host/rootfs/shell.nix    |  2 +-
 pkgs/default.nix         |  1 +
 release/live/Makefile    | 37 +++++--------------------------------
 release/live/default.nix | 23 ++++++++---------------
 9 files changed, 91 insertions(+), 95 deletions(-)
---
base-commit: 50f8db9cec022a60ea978bfdde0904a18718d161
change-id: 20251105-refactor-verity-9c8ca37e021a

--
Sincerely,
Demi Marie Obenour (she/her/hers)