From: Alyssa Ross
To: Demi Marie Obenour
CC: Spectrum OS Development
Subject: Re: [PATCH v3 1/2] Build verity images in rootfs Nix derivation
In-Reply-To: <20251111-refactor-verity-v3-1-575726639f9e@gmail.com>
References: <20251111-refactor-verity-v3-0-575726639f9e@gmail.com> <20251111-refactor-verity-v3-1-575726639f9e@gmail.com>
Date: Thu, 13 Nov 2025 12:46:13 +0100
Message-ID: <87346ii29m.fsf@alyssa.is>

Demi Marie Obenour writes:

> Avoid redundant rebuilds of the rootfs verity superblock and roothash.
> Remove duplicate code. Clean up Makefile to avoid temporary files.
>
> Signed-off-by: Demi Marie Obenour
> ---
> host/initramfs/Makefile | 26 +++++--------------------
> host/initramfs/shell.nix | 4 +++-
> host/rootfs/Makefile | 45 +++++++++++++++++++++------------------------
> host/rootfs/default.nix | 2 +-
> host/rootfs/shell.nix | 2 +-
> release/live/Makefile | 26 +++++--------------------
> release/live/default.nix | 4 +++-
> 7 files changed, 39 insertions(+), 70 deletions(-)

Looking good!
> diff --git a/host/initramfs/Makefile b/host/initramfs/Makefile > index cb13fbb35f065b67d291d4a35591d6f12720060c..102870ecba4456303414e2531= ea592473ddfc1cf 100644 > --- a/host/initramfs/Makefile > +++ b/host/initramfs/Makefile 
> @@ -35,26 +35,10 @@ build/mountpoints: > cd build/mountpoints && mkdir -p $(MOUNTPOINTS) > find build/mountpoints -mindepth 1 -exec touch -d @0 {} ';' >=20=20 > -# veritysetup format produces two files, but Make only (portably) > -# supports one output per rule, so we combine the two outputs then > -# define two more rules to separate them again. > -build/rootfs.verity: $(ROOT_FS) > - mkdir -p build > - $(VERITYSETUP) format $(ROOT_FS) build/rootfs.verity.superblock.tmp \ > - | awk -F ':[[:blank:]]*' '$$1 =3D=3D "Root hash" {print $$2; exit}'= \ > - > build/rootfs.verity.roothash.tmp > - cat build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.tmp= \ > - > $@ > - rm build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.tmp > -build/rootfs.verity.roothash: build/rootfs.verity > - head -n 1 build/rootfs.verity > $@ > -build/rootfs.verity.superblock: build/rootfs.verity > - tail -n +2 build/rootfs.verity > $@ > - > -build/live.img: ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh .= ./../scripts/sfdisk-field.awk build/rootfs.verity.superblock build/rootfs.v= erity.roothash $(ROOT_FS) > +build/live.img: ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh .= ./../scripts/sfdisk-field.awk $(ROOT_FS_VERITY) $(ROOT_FS_VERITY_ROOTHASH) = $(ROOT_FS) > ../../scripts/make-gpt.sh $@.tmp \ > - build/rootfs.verity.superblock:verity:$$(../../scripts/format-uuid.= sh "$$(dd if=3Dbuild/rootfs.verity.roothash bs=3D32 skip=3D1 count=3D1 stat= us=3Dnone)") \ > - $(ROOT_FS):root:$$(../../scripts/format-uuid.sh "$$(head -c 32 buil= d/rootfs.verity.roothash)") > + "$$ROOT_FS_VERITY:verity:$$(../../scripts/format-uuid.sh "$$(dd "if=3D$= $ROOT_FS_VERITY_ROOTHASH" bs=3D32 skip=3D1 count=3D1 status=3Dnone)")" \ Indentation got messed up here. Given rootfs has a well-defined output structure, maybe we could just write $(ROOT_FS)/rootfs.verity.roothash, so we don't need to define lots of different environment variables in each component that uses the verity data. 
I think we should consistently use Make variable expansion rather than shell variable expansion when we're using the variable in a Make dependency line too, to avoid the possibility of them being different. > diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile > index f107ca44fcf1ad85af5788d87f6c772910d40072..d7764d9b796f1773b4bebd0d5= 0eec52b9be29e42 100644 > --- a/host/rootfs/Makefile > +++ b/host/rootfs/Makefile > @@ -6,7 +6,7 @@ > include ../../lib/common.mk > include file-list.mk >=20=20 > -dest =3D build/rootfs.erofs > +dest =3D build >=20=20 > DIRS =3D \ > dev \ 
> @@ -46,15 +46,27 @@ FIFOS =3D etc/s6-linux-init/run-image/service/s6-svsc= an-log/fifo >=20=20 > BUILD_FILES =3D build/etc/s6-rc >=20=20 > -$(dest): ../../scripts/make-erofs.sh $(PACKAGES_FILE) $(FILES) $(BUILD_F= ILES) build/empty build/fifo file-list.mk > - set -euo pipefail; \ > +# This rule produces three files but Make only (portably) > +# supports one output per rule. Instead of resorting to temporary > +# files, a timestamp file is created as the last step. The actual > +# outputs are produced as side-effects. > +$(dest)/timestamp: ../../scripts/make-erofs.sh $(PACKAGES_FILE) $(FILES)= $(BUILD_FILES) build/empty build/fifo file-list.mk $(dest) Seems a bit odd to install the timestamp in $(dest). > { \ > cat $(PACKAGES_FILE) ;\ > for file in $(FILES) $(LINKS); do printf '%s\n%s\n' $$file "$${file= #image/}"; done ;\ > for file in $(BUILD_FILES); do printf '%s\n%s\n' $$file $${file#bui= ld/}; done ;\ > printf 'build/empty\n%s\n' $(DIRS) ;\ > printf 'build/fifo\n%s\n' $(FIFOS) ;\ > - } | ../../scripts/make-erofs.sh $@ > + } | ../../scripts/make-erofs.sh $(dest)/rootfs > + $(VERITYSETUP) format \ > + --root-hash-file $(dest)/rootfs.verity.roothash \ > + -- $(dest)/rootfs $(dest)/rootfs.verity.superblock > + # Add trailing newline > + echo >> $(dest)/rootfs.verity.roothash > + touch -- $(dest)/timestamp I prefer smaller independent Make rules where possible. Can't the verity data stay in a separate rule from make-erofs.sh? Either way, change deserves a copyright header IMO. :) > + > +$(dest): > + mkdir -p $(dest) Would rather this was inlined into every target in $(dest), because directories can be a bit confusing to me as Make targets. "Does the target just create the directory, or does it create the directory and everything in it?" sort of thing. >=20=20 > build/fifo: > mkdir -p build 
> @@ -83,25 +95,10 @@ clean: > rm -rf build > .PHONY: clean >=20=20 > -# veritysetup format produces two files, but Make only (portably) > -# supports one output per rule, so we combine the two outputs then > -# define two more rules to separate them again. > -build/rootfs.verity: $(dest) > - $(VERITYSETUP) format $(dest) build/rootfs.verity.superblock.tmp \ > - | awk -F ':[[:blank:]]*' '$$1 =3D=3D "Root hash" {print $$2; exit}'= \ > - > build/rootfs.verity.roothash.tmp > - cat build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.tmp= \ > - > $@ > - rm build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.tmp > -build/rootfs.verity.roothash: build/rootfs.verity > - head -n 1 build/rootfs.verity > $@ > -build/rootfs.verity.superblock: build/rootfs.verity > - tail -n +2 build/rootfs.verity > $@ > - > -build/live.img: ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh .= ./../scripts/sfdisk-field.awk build/rootfs.verity.superblock build/rootfs.v= erity.roothash $(dest) > +build/live.img: ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh .= ./../scripts/sfdisk-field.awk $(dest)/timestamp > ../../scripts/make-gpt.sh $@.tmp \ > - build/rootfs.verity.superblock:verity:$$(../../scripts/format-uuid.= sh "$$(dd if=3Dbuild/rootfs.verity.roothash bs=3D32 skip=3D1 count=3D1 stat= us=3Dnone)") \ > - $(dest):root:$$(../../scripts/format-uuid.sh "$$(head -c 32 build/r= ootfs.verity.roothash)") > + $(dest)/rootfs.verity.superblock:verity:$$(../../scripts/format-uui= d.sh "$$(dd if=3D$(dest)/rootfs.verity.roothash bs=3D32 skip=3D1 count=3D1 = status=3Dnone)") \ > + $(dest)/rootfs:root:$$(../../scripts/format-uuid.sh "$$(head -c 32 = $(dest)/rootfs.verity.roothash)") > mv $@.tmp $@ >=20=20 > debug: 
> @@ -111,7 +108,7 @@ debug: > $(VMLINUX) > .PHONY: debug >=20=20 > -run: build/live.img $(EXT_FS) build/rootfs.verity.roothash > +run: build/live.img What happened to $(EXT_FS)?
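
Review bot: In the host/rootfs/Makefile hunk at @@ -46,15 +46,27 @@, the "set -euo pipefail; \" line is removed while the recipe still pipes a brace group into ../../scripts/make-erofs.sh, so a failing "cat $(PACKAGES_FILE)" on the left side of the pipe no longer fails the rule unless those shell flags are set somewhere not visible in these lines. The image written here is what "$(VERITYSETUP) format" hashes next, so a truncated file list would end up with a valid root hash over an incomplete rootfs. I'd keep pipefail for this pipeline, or say in the commit message where it is now configured.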
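
Review bot: In the host/rootfs/Makefile hunk at @@ -83,25 +95,10 @@, build/live.img now names only $(dest)/timestamp as its prerequisite for the rootfs and verity data, yet the recipe reads $(dest)/rootfs, $(dest)/rootfs.verity.superblock and $(dest)/rootfs.verity.roothash. If one of those files is removed or changed while the timestamp stays in place, Make still treats build/live.img as up to date, and the partition UUIDs derived from the root hash can go stale without any rebuild. Consider a small rule that makes the three files depend on $(dest)/timestamp so this dependency line can list what the recipe actually consumes.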