Demi Marie Obenour writes:

> On 11/6/25 06:44, Alyssa Ross wrote:
>> Demi Marie Obenour writes:
>>
>>> On 11/6/25 05:20, Alyssa Ross wrote:
>>>> Demi Marie Obenour writes:
>>>>
>>>>> This gets rid of a lot of duplicated code and allows building the verity
>>>>> roothash and superblock only when needed. It also removes a hack used
>>>>> to work around make limitations. Furthermore,
>>>>> 'veritysetup --root-hash-file' is used to avoid an awk script.
>>>>>
>>>>> Signed-off-by: Demi Marie Obenour
>>>>> ---
>>>>> nix-shell --pure --run 'make run' in host/initramfs fails. This is a
>>>>> preexisting bug and I will send a separate patch for it.
>>>>> ---
>>>>> host/initramfs/Makefile | 25 +++++--------------------
>>>>> host/initramfs/shell.nix | 4 +++-
>>>>> host/rootfs/Makefile | 24 +++++-------------------
>>>>> host/rootfs/shell.nix | 3 +++
>>>>> host/verity.nix | 19 +++++++++++++++++++
>>>>> lib/common.mk | 1 -
>>>>> pkgs/default.nix | 1 +
>>>>> release/live/Makefile | 26 +++++---------------------
>>>>> release/live/default.nix | 4 +++-
>>>>> 9 files changed, 44 insertions(+), 63 deletions(-)
>>>>
>>>>> diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
>>>>> index 00d125774bb7b98736d0928c69cb307740cee034..bb602e2745fb5873204f453b35fc529c5c96f64a 100644
>>>>> --- a/host/rootfs/Makefile
>>>>> +++ b/host/rootfs/Makefile
>>>>> @@ -82,25 +82,11 @@ clean: >>>>> rm -rf build >>>>> .PHONY: clean >>>>> >>>>> -# veritysetup format produces two files, but Make only (portably) >>>>> -# supports one output per rule, so we combine the two outputs then >>>>> -# define two more rules to separate them again. >>>>> -build/rootfs.verity: $(dest) >>>>> - $(VERITYSETUP) format $(dest) build/rootfs.verity.superblock.tmp \ >>>>> - | awk -F ':[[:blank:]]*' '$$1 == "Root hash" {print $$2; exit}' \ >>>>> - > build/rootfs.verity.roothash.tmp >>>>> - cat build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.tmp \ >>>>> - > $@ >>>>> - rm build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.tmp >>>>> -build/rootfs.verity.roothash: build/rootfs.verity >>>>> - head -n 1 build/rootfs.verity > $@ >>>>> -build/rootfs.verity.superblock: build/rootfs.verity >>>>> - tail -n +2 build/rootfs.verity > $@ >>>>> >>>>> -build/live.img: ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh ../../scripts/sfdisk-field.awk build/rootfs.verity.superblock build/rootfs.verity.roothash $(dest) >>>>> +build/live.img: ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh ../../scripts/sfdisk-field.awk $(ROOT_FS_VERITY) $(ROOT_FS_VERITY_ROOTHASH) $(dest) >>>>> ../../scripts/make-gpt.sh $@.tmp \ >>>>> - build/rootfs.verity.superblock:verity:$$(../../scripts/format-uuid.sh "$$(dd if=build/rootfs.verity.roothash bs=32 skip=1 count=1 status=none)") \ >>>>> - $(dest):root:$$(../../scripts/format-uuid.sh "$$(head -c 32 build/rootfs.verity.roothash)") >>>>> + "$$ROOT_FS_VERITY:verity:$$(../../scripts/format-uuid.sh "$$(dd "if=$$ROOT_FS_VERITY_ROOTHASH" bs=32 skip=1 count=1 status=none)")" \ >>>>> + $(dest):root:$$(../../scripts/format-uuid.sh "$$(head -c 32 "$$ROOT_FS_VERITY_ROOTHASH")") >>>>> mv $@.tmp $@ >>>>> >>>>> debug: 
>>>>> @@ -110,7 +96,7 @@ debug: >>>>> $(VMLINUX) >>>>> .PHONY: debug >>>>> >>>>> -run: build/live.img $(EXT_FS) build/rootfs.verity.roothash >>>>> +run: build/live.img $(EXT_FS) $(ROOT_FS_VERITY_ROOTHASH) >>>>> @set -x && \ >>>>> ext="$$(mktemp build/spectrum-rootfs-extfs.XXXXXXXXXX.img)" && \ >>>>> truncate -s 10G "$$ext" && \ >>>>> @@ -131,7 +117,7 @@ run: build/live.img $(EXT_FS) build/rootfs.verity.roothash >>>>> -device virtconsole,chardev=virtiocon0 \ >>>>> -drive file=build/live.img,if=virtio,format=raw,readonly=on \ >>>>> -drive file=/proc/self/fd/3,if=virtio,format=raw \ >>>>> - -append "earlycon console=hvc0 roothash=$$(< build/rootfs.verity.roothash) intel_iommu=on nokaslr" \ >>>>> + -append "earlycon console=hvc0 roothash=$$(< "$$ROOT_FS_VERITY_ROOTHASH") intel_iommu=on nokaslr" \ >>>>> -device virtio-keyboard \ >>>>> -device virtio-mouse \ >>>>> -device virtio-gpu \ >>>>> diff --git a/host/rootfs/shell.nix b/host/rootfs/shell.nix >>>>> index 1bf61bebf418333624e799cc8ca231f5783206f4..f16e4905adfbc8faebde19d0a1364ad9df90219b 100644 >>>>> --- a/host/rootfs/shell.nix >>>>> +++ b/host/rootfs/shell.nix >>>>> @@ -5,6 +5,7 @@ >>>>> import ../../lib/call-package.nix ( >>>>> { callSpectrumPackage, rootfs, pkgsStatic, srcOnly, stdenv >>>>> , btrfs-progs, cryptsetup, jq, netcat, qemu_kvm, reuse, util-linux >>>>> +, verity >>>>> }: >>>>> >>>>> rootfs.overrideAttrs ( 
>>>>> @@ -20,5 +21,7 @@ rootfs.overrideAttrs ( >>>>> KERNEL = "${passthru.kernel}/${stdenv.hostPlatform.linux-kernel.target}"; >>>>> LINUX_SRC = srcOnly passthru.kernel.configfile; >>>>> VMLINUX = "${passthru.kernel.dev}/vmlinux"; >>>>> + ROOT_FS_VERITY = "${verity}/rootfs.verity.superblock"; >>>>> + ROOT_FS_VERITY_ROOTHASH = "${verity}/rootfs.verity.roothash"; >>>>> }; >>>>> })) (_: {})
>>>>
>>>> Surely this would break interactive development of the rootfs?
>>>> If I'm in a Nix shell, and make a change to any part of the rootfs, the
>>>> verity data in the environment will be out of date. I'd have to leave
>>>> and re-enter the Nix shell after /any/ change, waiting for an evaluation
>>>> each time, as opposed to the current situation where that's only
>>>> necessary when modifying Nix code or other Spectrum components.
>>>
>>> It would. Are there alternatives you can recommend? I don't want the
>>> updater and the installer to have to use two different copies.
>>
>> Have the host/rootfs derivation install the verity files alongside the
>> rootfs image. Then host/rootfs/Makefile is the single place we generate
>> the verity images, and it will still be regenerated by make when in a
>> Nix shell.
>
> Is it okay to instead remove dm-verity protection for the verity images?
> Given that we discussed using virtiofs for live development, I don't think
> the verity protection is necessary. It also slows down live development.

If you can do it in a way that doesn't require modifying the rootfs image.
I don't want it to have to do anything special to support development
builds that don't work like the real thing.
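Review bot: in the host/rootfs/Makefile hunk at @@ -82,25 +82,11 @@, the build/live.img rule lists $(ROOT_FS_VERITY) and $(ROOT_FS_VERITY_ROOTHASH) as make-variable prerequisites, but the recipe reads them as shell variables ($$ROOT_FS_VERITY and $$ROOT_FS_VERITY_ROOTHASH). That only works when both names are present in the environment make inherits; when they are unset, make silently drops the prerequisites and the recipe hands make-gpt.sh an empty path and runs dd on an empty "if=" argument. Use $(ROOT_FS_VERITY) and $(ROOT_FS_VERITY_ROOTHASH) in the recipe as well, and fail early when they are missing, for example `ifeq ($(ROOT_FS_VERITY),)` followed by `$(error ROOT_FS_VERITY is not set)`. Also note that the removed build/rootfs.verity rule depended on $(dest), whereas the new prerequisites are files make never rebuilds, so after this change a freshly rebuilt $(dest) is paired with whatever verity data the environment points at; that is the stale-verity problem raised later in the thread. Minor: the verity entry is double-quoted while the $(dest):root: entry is not; quote both the same way.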
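Review bot: in the host/rootfs/Makefile hunk at @@ -131,7 +117,7 @@, the -append line reads the root hash with `$$(< "$$ROOT_FS_VERITY_ROOTHASH")`, again through a shell variable while the run: prerequisite in the preceding hunk uses $(ROOT_FS_VERITY_ROOTHASH); use the make variable in both places so the prerequisite and the path actually read cannot diverge. The `$(< file)` form is a bash-only substitution (it was already used before this change), so it is worth confirming the Makefile sets SHELL to bash rather than relying on /bin/sh.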
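Review bot: in the host/rootfs/shell.nix hunk at @@ -5,6 +5,7 @@, `verity` is added to the callSpectrumPackage argument set, but the host/verity.nix and pkgs/default.nix hunks listed in the diffstat are not quoted here, so a reviewer cannot confirm from this mail that pkgs/default.nix exposes the attribute under exactly that name; if it does not, entering the shell fails with a missing-argument error. Please make sure the full patch is reviewed together with those two files.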
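Review bot: in the host/rootfs/shell.nix hunk at @@ -20,5 +21,7 @@, ROOT_FS_VERITY and ROOT_FS_VERITY_ROOTHASH point into the ${verity} store path, which is fixed when the shell is evaluated, so the verity superblock and root hash no longer track the build/ output that `make` produces inside the shell; any edit to the rootfs yields an image whose hash does not match the exported root hash until the shell is re-entered. The alternative proposed in the thread, having the host/rootfs derivation install the verity files next to the image so the Makefile rule stays the single generation point, avoids this without special-casing development builds. Naming: ROOT_FS_VERITY holds the superblock file specifically, so ROOT_FS_VERITY_SUPERBLOCK would be clearer next to ROOT_FS_VERITY_ROOTHASH.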