From: Alyssa Ross
To: Demi Marie Obenour
CC: Spectrum OS Development
Subject: Re: [PATCH 1/2] Create Nix derivation for building verity images
Date: Thu, 13 Nov 2025 12:32:49 +0100
Message-ID: <875xbei2vy.fsf@alyssa.is>

Demi Marie Obenour writes:

> On 11/6/25 06:44, Alyssa Ross wrote:
>> Demi Marie Obenour writes:
>>
>>> On 11/6/25 05:20, Alyssa Ross wrote:
>>>> Demi Marie Obenour writes:
>>>>
>>>>> This gets rid of a lot of duplicated code and allows building the verity
>>>>> roothash and superblock only when needed. It also removes a hack used
>>>>> to work around make limitations. Furthermore,
>>>>> 'veritysetup --root-hash-file' is used to avoid an awk script.
>>>>> >>>>> Signed-off-by: Demi Marie Obenour >>>>> --- >>>>> nix-shell --pure --run 'make run' in host/initramfs fails. This is a >>>>> preexisting bug and I will send a separate patch for it. >>>>> --- >>>>> host/initramfs/Makefile | 25 +++++-------------------- >>>>> host/initramfs/shell.nix | 4 +++- >>>>> host/rootfs/Makefile | 24 +++++------------------- >>>>> host/rootfs/shell.nix | 3 +++ >>>>> host/verity.nix | 19 +++++++++++++++++++ >>>>> lib/common.mk | 1 - >>>>> pkgs/default.nix | 1 + >>>>> release/live/Makefile | 26 +++++--------------------- >>>>> release/live/default.nix | 4 +++- >>>>> 9 files changed, 44 insertions(+), 63 deletions(-) >>>> >>>>> diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile >>>>> index 00d125774bb7b98736d0928c69cb307740cee034..bb602e2745fb5873204f4= 53b35fc529c5c96f64a 100644 >>>>> --- a/host/rootfs/Makefile >>>>> +++ b/host/rootfs/Makefile 
>>>>> @@ -82,25 +82,11 @@ clean: >>>>> rm -rf build >>>>> .PHONY: clean >>>>>=20=20 >>>>> -# veritysetup format produces two files, but Make only (portably) >>>>> -# supports one output per rule, so we combine the two outputs then >>>>> -# define two more rules to separate them again. >>>>> -build/rootfs.verity: $(dest) >>>>> - $(VERITYSETUP) format $(dest) build/rootfs.verity.superblock.tmp \ >>>>> - | awk -F ':[[:blank:]]*' '$$1 =3D=3D "Root hash" {print $$2; ex= it}' \ >>>>> - > build/rootfs.verity.roothash.tmp >>>>> - cat build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock= .tmp \ >>>>> - > $@ >>>>> - rm build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.= tmp >>>>> -build/rootfs.verity.roothash: build/rootfs.verity >>>>> - head -n 1 build/rootfs.verity > $@ >>>>> -build/rootfs.verity.superblock: build/rootfs.verity >>>>> - tail -n +2 build/rootfs.verity > $@ >>>>>=20=20 >>>>> -build/live.img: ../../scripts/format-uuid.sh ../../scripts/make-gpt.= sh ../../scripts/sfdisk-field.awk build/rootfs.verity.superblock build/root= fs.verity.roothash $(dest) >>>>> +build/live.img: ../../scripts/format-uuid.sh ../../scripts/make-gpt.= sh ../../scripts/sfdisk-field.awk $(ROOT_FS_VERITY) $(ROOT_FS_VERITY_ROOTHA= SH) $(dest) >>>>> ../../scripts/make-gpt.sh $@.tmp \ >>>>> - build/rootfs.verity.superblock:verity:$$(../../scripts/format-u= uid.sh "$$(dd if=3Dbuild/rootfs.verity.roothash bs=3D32 skip=3D1 count=3D1 = status=3Dnone)") \ >>>>> - $(dest):root:$$(../../scripts/format-uuid.sh "$$(head -c 32 bui= ld/rootfs.verity.roothash)") >>>>> + "$$ROOT_FS_VERITY:verity:$$(../../scripts/format-uuid.sh "$$(dd "if= =3D$$ROOT_FS_VERITY_ROOTHASH" bs=3D32 skip=3D1 count=3D1 status=3Dnone)")" \ >>>>> + $(dest):root:$$(../../scripts/format-uuid.sh "$$(head -c 32 "$$= ROOT_FS_VERITY_ROOTHASH")") >>>>> mv $@.tmp $@ >>>>>=20=20 >>>>> debug: 
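Review bot: In the `build/live.img` rule the prerequisites name the verity files through make expansion (`$(ROOT_FS_VERITY) $(ROOT_FS_VERITY_ROOTHASH)`) while the recipe reads them from the shell environment (`"$$ROOT_FS_VERITY"`, `"$$ROOT_FS_VERITY_ROOTHASH"`), so the file make checks for freshness and the file handed to `make-gpt.sh` are only guaranteed to be the same when the value arrives via the environment. If either variable is ever assigned in a makefile without `export`, the recipe sees an empty string and builds a partition spec that begins `:verity:`. Using `$(ROOT_FS_VERITY)` and `$(ROOT_FS_VERITY_ROOTHASH)` inside the recipe as well, the way `$(dest)` is used on the following line, keeps the two in step.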
>>>>> @@ -110,7 +96,7 @@ debug: >>>>> $(VMLINUX) >>>>> .PHONY: debug >>>>>=20=20 >>>>> -run: build/live.img $(EXT_FS) build/rootfs.verity.roothash >>>>> +run: build/live.img $(EXT_FS) $(ROOT_FS_VERITY_ROOTHASH) >>>>> @set -x && \ >>>>> ext=3D"$$(mktemp build/spectrum-rootfs-extfs.XXXXXXXXXX.img)" && \ >>>>> truncate -s 10G "$$ext" && \ >>>>> @@ -131,7 +117,7 @@ run: build/live.img $(EXT_FS) build/rootfs.verity= .roothash >>>>> -device virtconsole,chardev=3Dvirtiocon0 \ >>>>> -drive file=3Dbuild/live.img,if=3Dvirtio,format=3Draw,readonly= =3Don \ >>>>> -drive file=3D/proc/self/fd/3,if=3Dvirtio,format=3Draw \ >>>>> - -append "earlycon console=3Dhvc0 roothash=3D$$(< build/rootfs.v= erity.roothash) intel_iommu=3Don nokaslr" \ >>>>> + -append "earlycon console=3Dhvc0 roothash=3D$$(< "$$ROOT_FS_VER= ITY_ROOTHASH") intel_iommu=3Don nokaslr" \ >>>>> -device virtio-keyboard \ >>>>> -device virtio-mouse \ >>>>> -device virtio-gpu \ >>>>> diff --git a/host/rootfs/shell.nix b/host/rootfs/shell.nix >>>>> index 1bf61bebf418333624e799cc8ca231f5783206f4..f16e4905adfbc8faebde1= 9d0a1364ad9df90219b 100644 >>>>> --- a/host/rootfs/shell.nix >>>>> +++ b/host/rootfs/shell.nix >>>>> @@ -5,6 +5,7 @@ >>>>> import ../../lib/call-package.nix ( >>>>> { callSpectrumPackage, rootfs, pkgsStatic, srcOnly, stdenv >>>>> , btrfs-progs, cryptsetup, jq, netcat, qemu_kvm, reuse, util-linux >>>>> +, verity >>>>> }: >>>>>=20=20 >>>>> rootfs.overrideAttrs ( 
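Review bot: Missing check in the `run` recipe (host/rootfs/Makefile, hunk at -131,7): `roothash=$$(< "$$ROOT_FS_VERITY_ROOTHASH")` sits inside the double-quoted `-append` argument, so when the variable is unset or the file cannot be read the substitution expands to nothing and QEMU is still started, with an empty `roothash=` on the kernel command line. The `$(ROOT_FS_VERITY_ROOTHASH)` prerequisite added at -110,7 does not catch this, because an empty variable simply drops out of the prerequisite list. Since this value is what ties the boot to the verity image, fail early instead, for example with `: "$${ROOT_FS_VERITY_ROOTHASH:?not set}"` as the first command of the recipe.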
>>>>> @@ -20,5 +21,7 @@ rootfs.overrideAttrs ( >>>>> KERNEL =3D "${passthru.kernel}/${stdenv.hostPlatform.linux-kerne= l.target}"; >>>>> LINUX_SRC =3D srcOnly passthru.kernel.configfile; >>>>> VMLINUX =3D "${passthru.kernel.dev}/vmlinux"; >>>>> + ROOT_FS_VERITY =3D "${verity}/rootfs.verity.superblock"; >>>>> + ROOT_FS_VERITY_ROOTHASH =3D "${verity}/rootfs.verity.roothash"; >>>>> }; >>>>> })) (_: {})
>>>>
>>>> Surely this would break interactive development of the rootfs?
>>>> If I'm in a Nix shell, and make a change to any part of the rootfs, the
>>>> verity data in the environment will be out of date. I'd have to leave
>>>> and re-enter the Nix shell after /any/ change, waiting for an evaluation
>>>> each time, as opposed to the current situation where that's only
>>>> necessary when modifying Nix code or other Spectrum components.
>>>
>>> It would. Are there alternatives you can recommend? I don't want the
>>> updater and the installer to have to use two different copies.
>>
>> Have the host/rootfs derivation install the verity files alongside the
>> rootfs image. Then host/rootfs/Makefile is the single place we generate
>> the verity images, and it will still be regenerated by make when in a
>> Nix shell.
>
> Is it okay to instead remove dm-verity protection for the verity images?
> Given that we discussed using virtiofs for live development, I don't think
> the verity protection is necessary. It also slows down live development.

If you can do it in a way that doesn't require modifying the rootfs
image. I don't want it to have to do anything special to support
development builds that don't work like the real thing.