From: Demi Marie Obenour
Subject: [PATCH v5 0/2] Move verity and EFI creation to separate Nix derivations
Date: Wed, 26 Nov 2025 13:58:22 -0500
Message-Id: <20251126-refactor-verity-v5-0-0aa3d8bd180d@gmail.com>
In-Reply-To: <20251119-refactor-verity-v4-0-9bc56d5216c0@gmail.com>
To: Spectrum OS Development
CC: Demi Marie Obenour, Alyssa Ross

This doesn't have any functional change, other than to use the read
builtin instead of a cat command in a shell script. However, it does
make the code much cleaner and more reusable. For instance, one can
easily build just the verity image or just the UKI.

This will be used by the Nix code that generates an update package.
The update package needs the root filesystem, the verity superblock,
and the UKI. It doesn't need the installer or the live image.

Signed-off-by: Demi Marie Obenour
---
Changes in v5:
- Rebase
- Fix shell.nix files
- Link to v4: https://spectrum-os.org/lists/archives/spectrum-devel/20251119-refactor-verity-v4-0-9bc56d5216c0@gmail.com

Changes in v4:
- Many cleanups.
- Respond to suggestions from code review.
- Link to v3: https://spectrum-os.org/lists/archives/spectrum-devel/20251111-refactor-verity-v3-0-575726639f9e@gmail.com

Changes in v3:
- Rebase on main
- Link to v2: https://spectrum-os.org/lists/archives/spectrum-devel/20251107-refactor-verity-v2-0-2af58b1a4a87@gmail.com

Changes in v2:
- Do not break interactive rootfs development.
- Link to v1: https://spectrum-os.org/lists/archives/spectrum-devel/20251105-refactor-verity-v1-0-b8ba27dfdf06@gmail.com

---
Demi Marie Obenour (2):
      Build verity images in rootfs Nix derivation
      Move UKI creation to a separate derivation

 host/efi.nix               | 40 ++++++++++++++++++++++++++++++++++++++++
 host/initramfs/Makefile    | 26 +++++---------------------
 host/initramfs/default.nix | 1 +
 host/rootfs/Makefile       | 44 ++++++++++++++++++++++----------------------
 host/rootfs/default.nix    | 6 ++++--
 host/rootfs/shell.nix      | 2 +-
 lib/common.mk              | 4 ++++
 release/live/Makefile      | 39 +++++++--------------------------------
 release/live/default.nix   | 27 +++++++++++---------------
 release/live/shell.nix     | 9 ++++++++-
 10 files changed, 103 insertions(+), 95 deletions(-)
---
base-commit: c3d53b92c32636736c6585cd934210e29613e38e
change-id: 20251105-refactor-verity-9c8ca37e021a

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)