From: Alyssa Ross
To: Demi Marie Obenour
CC: Spectrum OS Development
Subject: Re: [PATCH 1/2] Create Nix derivation for building verity images
In-Reply-To: <778d0d12-ba7c-40b3-8c34-8335ee963813@gmail.com>
References: <20251105-refactor-verity-v1-0-b8ba27dfdf06@gmail.com> <20251105-refactor-verity-v1-1-b8ba27dfdf06@gmail.com> <87jz03xy0t.fsf@alyssa.is> <778d0d12-ba7c-40b3-8c34-8335ee963813@gmail.com>
Date: Thu, 06 Nov 2025 12:44:31 +0100
Message-ID: <875xbnxu5c.fsf@alyssa.is>

Demi Marie Obenour writes:

> On 11/6/25 05:20, Alyssa Ross wrote:
>> Demi Marie Obenour writes:
>>
>>> This gets rid of a lot of duplicated code and allows building the verity
>>> roothash and superblock only when needed. It also removes a hack used
>>> to work around make limitations. Furthermore,
>>> 'veritysetup --root-hash-file' is used to avoid an awk script.
>>>
>>> Signed-off-by: Demi Marie Obenour
>>> ---
>>> nix-shell --pure --run 'make run' in host/initramfs fails. This is a
>>> preexisting bug and I will send a separate patch for it.
>>> ---
>>>  host/initramfs/Makefile  | 25 +++++--------------------
>>>  host/initramfs/shell.nix |  4 +++-
>>>  host/rootfs/Makefile     | 24 +++++------------------
>>>  host/rootfs/shell.nix    |  3 +++
>>>  host/verity.nix          | 19 +++++++++++++++++++
>>>  lib/common.mk            |  1 -
>>>  pkgs/default.nix         |  1 +
>>>  release/live/Makefile    | 26 +++++---------------------
>>>  release/live/default.nix |  4 +++-
>>>  9 files changed, 44 insertions(+), 63 deletions(-)
>>
>>> diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile >>> index 00d125774bb7b98736d0928c69cb307740cee034..bb602e2745fb5873204f453= b35fc529c5c96f64a 100644 >>> --- a/host/rootfs/Makefile >>> +++ b/host/rootfs/Makefile
>>> @@ -82,25 +82,11 @@ clean: >>> rm -rf build >>> .PHONY: clean >>>=20=20 >>> -# veritysetup format produces two files, but Make only (portably) >>> -# supports one output per rule, so we combine the two outputs then >>> -# define two more rules to separate them again. >>> -build/rootfs.verity: $(dest) >>> - $(VERITYSETUP) format $(dest) build/rootfs.verity.superblock.tmp \ >>> - | awk -F ':[[:blank:]]*' '$$1 =3D=3D "Root hash" {print $$2; exit= }' \ >>> - > build/rootfs.verity.roothash.tmp >>> - cat build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.t= mp \ >>> - > $@ >>> - rm build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.tmp >>> -build/rootfs.verity.roothash: build/rootfs.verity >>> - head -n 1 build/rootfs.verity > $@ >>> -build/rootfs.verity.superblock: build/rootfs.verity >>> - tail -n +2 build/rootfs.verity > $@ >>>=20=20 >>> -build/live.img: ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh= ../../scripts/sfdisk-field.awk build/rootfs.verity.superblock build/rootfs= .verity.roothash $(dest) >>> +build/live.img: ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh= ../../scripts/sfdisk-field.awk $(ROOT_FS_VERITY) $(ROOT_FS_VERITY_ROOTHASH= ) $(dest) >>> ../../scripts/make-gpt.sh $@.tmp \ >>> - build/rootfs.verity.superblock:verity:$$(../../scripts/format-uui= d.sh "$$(dd if=3Dbuild/rootfs.verity.roothash bs=3D32 skip=3D1 count=3D1 st= atus=3Dnone)") \ >>> - $(dest):root:$$(../../scripts/format-uuid.sh "$$(head -c 32 build= /rootfs.verity.roothash)") >>> + "$$ROOT_FS_VERITY:verity:$$(../../scripts/format-uuid.sh "$$(dd "if= =3D$$ROOT_FS_VERITY_ROOTHASH" bs=3D32 skip=3D1 count=3D1 status=3Dnone)")" \ >>> + $(dest):root:$$(../../scripts/format-uuid.sh "$$(head -c 32 "$$RO= OT_FS_VERITY_ROOTHASH")") >>> mv $@.tmp $@ >>>=20=20 >>> debug: 
>>> @@ -110,7 +96,7 @@ debug: >>> $(VMLINUX) >>> .PHONY: debug >>>=20=20 >>> -run: build/live.img $(EXT_FS) build/rootfs.verity.roothash >>> +run: build/live.img $(EXT_FS) $(ROOT_FS_VERITY_ROOTHASH) >>> @set -x && \ >>> ext=3D"$$(mktemp build/spectrum-rootfs-extfs.XXXXXXXXXX.img)" && \ >>> truncate -s 10G "$$ext" && \ >>> @@ -131,7 +117,7 @@ run: build/live.img $(EXT_FS) build/rootfs.verity.r= oothash >>> -device virtconsole,chardev=3Dvirtiocon0 \ >>> -drive file=3Dbuild/live.img,if=3Dvirtio,format=3Draw,readonly=3D= on \ >>> -drive file=3D/proc/self/fd/3,if=3Dvirtio,format=3Draw \ >>> - -append "earlycon console=3Dhvc0 roothash=3D$$(< build/rootfs.ver= ity.roothash) intel_iommu=3Don nokaslr" \ >>> + -append "earlycon console=3Dhvc0 roothash=3D$$(< "$$ROOT_FS_VERIT= Y_ROOTHASH") intel_iommu=3Don nokaslr" \ >>> -device virtio-keyboard \ >>> -device virtio-mouse \ >>> -device virtio-gpu \ >>> diff --git a/host/rootfs/shell.nix b/host/rootfs/shell.nix >>> index 1bf61bebf418333624e799cc8ca231f5783206f4..f16e4905adfbc8faebde19d= 0a1364ad9df90219b 100644 >>> --- a/host/rootfs/shell.nix >>> +++ b/host/rootfs/shell.nix >>> @@ -5,6 +5,7 @@ >>> import ../../lib/call-package.nix ( >>> { callSpectrumPackage, rootfs, pkgsStatic, srcOnly, stdenv >>> , btrfs-progs, cryptsetup, jq, netcat, qemu_kvm, reuse, util-linux >>> +, verity >>> }: >>>=20=20 >>> rootfs.overrideAttrs ( 
>>> @@ -20,5 +21,7 @@ rootfs.overrideAttrs ( >>> KERNEL =3D "${passthru.kernel}/${stdenv.hostPlatform.linux-kernel.= target}"; >>> LINUX_SRC =3D srcOnly passthru.kernel.configfile; >>> VMLINUX =3D "${passthru.kernel.dev}/vmlinux"; >>> + ROOT_FS_VERITY =3D "${verity}/rootfs.verity.superblock"; >>> + ROOT_FS_VERITY_ROOTHASH =3D "${verity}/rootfs.verity.roothash"; >>> }; >>> })) (_: {})
>>
>> Surely this would break interactive development of the rootfs?
>> If I'm in a Nix shell, and make a change to any part of the rootfs, the
>> verity data in the environment will be out of date. I'd have to leave
>> and re-enter the Nix shell after /any/ change, waiting for an evaluation
>> each time, as opposed to the current situation where that's only
>> necessary when modifying Nix code or other Spectrum components.
>
> It would. Are there alternatives you can recommend? I don't want the
> updater and the installer to have to use two different copies.

Have the host/rootfs derivation install the verity files alongside the
rootfs image. Then host/rootfs/Makefile is the single place we generate
the verity images, and it will still be regenerated by make when in a
Nix shell.
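
Review bot: in the host/rootfs/Makefile hunk at @@ -82,25 +82,11 @@, nothing checks that ROOT_FS_VERITY and ROOT_FS_VERITY_ROOTHASH are set, and the build/live.img rule reads them two different ways: the prerequisites use make expansion, $(ROOT_FS_VERITY) and $(ROOT_FS_VERITY_ROOTHASH), while the recipe uses the shell environment, "$$ROOT_FS_VERITY" and "$$ROOT_FS_VERITY_ROOTHASH". When the variables are not in the environment, both prerequisites expand to nothing, make raises no error, and make-gpt.sh is handed ":verity:..." with an empty image path. Suggest using the $(...) form in the recipe as well and failing early when either variable is empty, so the partition UUIDs are never derived from a missing root hash.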
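
Review bot: in the run recipe (@@ -131,7 +117,7 @@), a failed read of the root hash does not stop QEMU. The substitution $$(< "$$ROOT_FS_VERITY_ROOTHASH") sits inside the -append argument, so if the variable is empty the substitution yields an empty string and the guest is started with a bare roothash= on the kernel command line. Suggest reading the hash into a shell variable earlier in the && chain, where a failed read aborts the recipe, and passing that variable to -append.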
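
Review bot: the two attributes added in the host/rootfs/shell.nix hunk (@@ -20,5 +21,7 @@) are named asymmetrically: ROOT_FS_VERITY holds the path to rootfs.verity.superblock, while ROOT_FS_VERITY_ROOTHASH holds the root hash file. The Makefile passes the first as the verity partition image and the second as the value the kernel is told to trust, so a name such as ROOT_FS_VERITY_SUPERBLOCK, plus a one-line comment on what each file contains, would make the two harder to confuse.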