From: Demi Marie Obenour
Subject: [PATCH v6 0/2] Move verity and EFI creation to separate Nix derivations
Date: Wed, 26 Nov 2025 14:10:55 -0500
Message-Id: <20251126-refactor-verity-v6-0-f09555546a85@gmail.com>
In-Reply-To: <20251121-refactor-verity-v5-0-938fc95f9752@gmail.com>
References: <20251121-refactor-verity-v5-0-938fc95f9752@gmail.com>
To: Spectrum OS Development
CC: Demi Marie Obenour, Alyssa Ross
List-Id: Patches and low-level development discussion

This doesn't have any functional change, other than to use the read
builtin instead of a cat command in a shell script. However, it does
make the code much cleaner and more reusable. For instance, one can
easily build just the verity image or just the UKI.

This will be used by the Nix code that generates an update package.
The update package needs the root filesystem, the verity superblock,
and the UKI. It doesn't need the installer or the live image.

Signed-off-by: Demi Marie Obenour
---
Changes in v6:
- Rebase
- Fix shell.nix files
- Link to v5: https://spectrum-os.org/lists/archives/spectrum-devel/20251121-refactor-verity-v5-0-938fc95f9752@gmail.com

Changes in v5:
- Rebase
- Fix shell.nix files
- Link to v4: https://spectrum-os.org/lists/archives/spectrum-devel/20251119-refactor-verity-v4-0-9bc56d5216c0@gmail.com

Changes in v4:
- Many cleanups.
- Respond to suggestions from code review.
- Link to v3: https://spectrum-os.org/lists/archives/spectrum-devel/20251111-refactor-verity-v3-0-575726639f9e@gmail.com

Changes in v3:
- Rebase on main
- Link to v2: https://spectrum-os.org/lists/archives/spectrum-devel/20251107-refactor-verity-v2-0-2af58b1a4a87@gmail.com

Changes in v2:
- Do not break interactive rootfs development.
- Link to v1: https://spectrum-os.org/lists/archives/spectrum-devel/20251105-refactor-verity-v1-0-b8ba27dfdf06@gmail.com

---
Demi Marie Obenour (2):
      Build verity images in rootfs Nix derivation
      Move UKI creation to a separate derivation

 host/efi.nix               | 40 ++++++++++++++++++++++++++++++++++++++++
 host/initramfs/Makefile    | 26 +++++---------------------
 host/initramfs/default.nix |  1 +
 host/rootfs/Makefile       | 44 ++++++++++++++++++++++----------------------
 host/rootfs/default.nix    |  6 ++++--
 host/rootfs/shell.nix      |  2 +-
 lib/common.mk              |  4 ++++
 release/live/Makefile      | 39 +++++++--------------------------------
 release/live/default.nix   | 27 +++++++++++----------------
 release/live/shell.nix     |  9 ++++++++-
 10 files changed, 103 insertions(+), 95 deletions(-)
---
base-commit: c3d53b92c32636736c6585cd934210e29613e38e
change-id: 20251105-refactor-verity-9c8ca37e021a

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)