From: Demi Marie Obenour
Subject: [PATCH v5 0/2] Move verity and EFI creation to separate Nix derivations
Date: Fri, 21 Nov 2025 20:21:50 -0500
Message-Id: <20251121-refactor-verity-v5-0-938fc95f9752@gmail.com>
In-Reply-To: <20251119-refactor-verity-v4-0-9bc56d5216c0@gmail.com>
To: Spectrum OS Development
CC: Demi Marie Obenour, Alyssa Ross

This doesn't have any functional change, other than to use the read
builtin instead of a cat command in a shell script. However, it does
make the code much cleaner and more reusable. For instance, one can
easily build just the verity image or just the UKI.

This will be used by the Nix code that generates an update package.
The update package needs the root filesystem, the verity superblock,
and the UKI. It doesn't need the installer or the live image.

Signed-off-by: Demi Marie Obenour
---
Changes in v5:
- Rebase
- Link to v4: https://spectrum-os.org/lists/archives/spectrum-devel/20251119-refactor-verity-v4-0-9bc56d5216c0@gmail.com

Changes in v4:
- Many cleanups.
- Respond to suggestions from code review.
- Link to v3: https://spectrum-os.org/lists/archives/spectrum-devel/20251111-refactor-verity-v3-0-575726639f9e@gmail.com

Changes in v3:
- Rebase on main
- Link to v2: https://spectrum-os.org/lists/archives/spectrum-devel/20251107-refactor-verity-v2-0-2af58b1a4a87@gmail.com

Changes in v2:
- Do not break interactive rootfs development.
- Link to v1: https://spectrum-os.org/lists/archives/spectrum-devel/20251105-refactor-verity-v1-0-b8ba27dfdf06@gmail.com

---
Demi Marie Obenour (2):
      Build verity images in rootfs Nix derivation
      Move UKI creation to a separate derivation

 host/efi.nix               | 40 +++++++++++++++++++++++++++++++++++++++
 host/initramfs/Makefile    | 26 +++++--------------------
 host/initramfs/default.nix |  1 +
 host/initramfs/shell.nix   |  2 +-
 host/rootfs/Makefile       | 47 ++++++++++++++++++++++------------------------
 host/rootfs/default.nix    |  6 ++++--
 host/rootfs/shell.nix      |  2 +-
 lib/common.mk              |  4 ++++
 release/live/Makefile      | 38 +++++--------------------------------
 release/live/default.nix   | 27 +++++++++++---------------
 release/live/shell.nix     |  9 ++++++++-
 11 files changed, 102 insertions(+), 100 deletions(-)
---
base-commit: f41b4ab1e6dace7ee3c184f3154cda76f34be7db
change-id: 20251105-refactor-verity-9c8ca37e021a

--
Sincerely,
Demi Marie Obenour (she/her/hers)