From: Alyssa Ross
To: Demi Marie Obenour
Subject: Re: [PATCH v5 2/2] Move UKI creation to a separate derivation
In-Reply-To: <20251121-refactor-verity-v5-2-938fc95f9752@gmail.com>
References: <20251121-refactor-verity-v5-0-938fc95f9752@gmail.com> <20251121-refactor-verity-v5-2-938fc95f9752@gmail.com>
Date: Tue, 25 Nov 2025 13:41:02 +0100
Message-ID: <877bve2skh.fsf@alyssa.is>
CC: Spectrum OS Development
List-Id: Patches and low-level development discussion

Demi Marie Obenour writes:

> It will be used by the update code later.
>
> No functional change intended, other than a trivial shell script
> refactoring.
> > Signed-off-by: Demi Marie Obenour > --- > I kept release/live/default.nix using the UKI's systemd because the old > code did it that way. Changing this would be better in a separate > commit. > --- > host/efi.nix | 40 ++++++++++++++++++++++++++++++++++++++++ > host/rootfs/Makefile | 8 ++++---- > release/live/Makefile | 16 ++-------------- > release/live/default.nix | 27 +++++++++++---------------- > release/live/shell.nix | 10 ++++++++-- > 5 files changed, 65 insertions(+), 36 deletions(-) Looking good. Just some style notes. > diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile > index 5e3c9238f0e00f86aa5943212b8fc8fd896ce54a..aac915ffb2781aee0997c169e= 86e3fd1983aa3b3 100644 > --- a/host/rootfs/Makefile > +++ b/host/rootfs/Makefile > @@ -40,6 +40,10 @@ FIFOS =3D etc/s6-linux-init/run-image/service/s6-svsca= n-log/fifo >=20=20 > BUILD_FILES =3D build/etc/s6-rc >=20=20 > +# This rule produces three files but Make only (portably) > +# supports one output per rule. Instead of resorting to temporary > +# files, a timestamp file is created as the last step. The actual > +# outputs are produced as side-effects. > build/verity-timestamp: $(ROOT_FS) > $(VERITYSETUP) format \ > --root-hash-file $(ROOT_FS_VERITY_ROOTHASH) \ > @@ -48,10 +52,6 @@ build/verity-timestamp: $(ROOT_FS) > echo >> $(ROOT_FS_VERITY_ROOTHASH) > touch -- $(ROOT_FS_DIR)/verity-timestamp >=20=20 > -# This rule produces three files but Make only (portably) > -# supports one output per rule. Instead of resorting to temporary > -# files, a timestamp file is created as the last step. The actual > -# outputs are produced as side-effects. > $(ROOT_FS): ../../scripts/make-erofs.sh $(PACKAGES_FILE) $(FILES) $(BUIL= D_FILES) build/empty build/fifo file-list.mk > mkdir -p $(ROOT_FS_DIR) && \ > { \ > diff --git a/release/live/Makefile b/release/live/Makefile > index 7372b41d94bfb10f7761955d9d1a246e9785b7f8..d61248e94599adc5229d0ad38= d54b9f649d66ca1 100644 > --- a/release/live/Makefile 
> +++ b/release/live/Makefile > @@ -19,23 +19,11 @@ $(dest): ../../scripts/format-uuid.sh ../../scripts/m= ake-gpt.sh ../../scripts/sf > build/empty: > mkdir -p $@ >=20=20 > -build/spectrum.efi: $(DTBS) $(KERNEL) $(INITRAMFS) $(ROOT_FS_VERITY_ROOT= HASH) > - { \ > - printf "[UKI]\nDeviceTreeAuto=3D" && \ > - find $(DTBS) -name '*.dtb' -print0 | tr '\0' ' ' ;\ > - } | $(UKIFY) build \ > - --output $@ \ > - --config /dev/stdin \ > - --linux $(KERNEL) \ > - --initrd $(INITRAMFS) \ > - --os-release $$'NAME=3D"Spectrum"\n' \ > - --cmdline "ro intel_iommu=3Don roothash=3D$$(cat $(ROOT_FS_VERITY_R= OOTHASH))" > - > -build/boot.fat: $(SYSTEMD_BOOT_EFI) build/spectrum.efi > +build/boot.fat: $(SYSTEMD_BOOT_EFI) $(EFI_IMAGE) build/empty I'd call "EFI_IMAGE" "SPECTRUM_EFI", so we aren't using two different naming schemes for the two different EFI executables. > $(TRUNCATE) -s 440401920 $@ > $(MKFS_FAT) $@ > $(MMD) -i $@ ::/EFI ::/EFI/BOOT ::/EFI/Linux > - $(MCOPY) -i $@ build/spectrum.efi ::/EFI/Linux > + $(MCOPY) -i $@ $(EFI_IMAGE) ::/EFI/Linux/spectrum.efi > $(MCOPY) -i $@ $(SYSTEMD_BOOT_EFI) ::/EFI/BOOT/$(EFINAME) >=20=20 > clean: > diff --git a/release/live/default.nix b/release/live/default.nix > index 7adaefef330daf11372cff0d2d04cca400efba1f..ac2d7a55fd4fe0c02108309ec= ea20e368000af0d 100644 > --- a/release/live/default.nix > +++ b/release/live/default.nix > @@ -3,10 +3,9 @@ > # SPDX-FileCopyrightText: 2022 Unikie >=20=20 > import ../../lib/call-package.nix ( > -{ callSpectrumPackage, spectrum-build-tools, rootfs, src > +{ callSpectrumPackage, spectrum-build-tools, src > , lib, pkgsStatic, stdenvNoCC > , cryptsetup, dosfstools, jq, mtools, util-linux > -, systemdUkify > }: >=20=20 > let 
> @@ -14,14 +13,12 @@ let >=20=20 > stdenv =3D stdenvNoCC; >=20=20 > - systemd =3D systemdUkify.overrideAttrs ({ mesonFlags ? [], ... }: { > - # The default limit is too low to build a generic aarch64 distro ima= ge: > - # https://github.com/systemd/systemd/pull/37417 > - mesonFlags =3D mesonFlags ++ [ "-Defi-stub-extra-sections=3D3000" ]; > - }); > - > - initramfs =3D callSpectrumPackage ../../host/initramfs {}; > efiArch =3D stdenv.hostPlatform.efiArch; > + > + efi =3D callSpectrumPackage ../../host/efi.nix {}; > + > + # The initramfs and rootfs must match those used to build the UKI. > + inherit (efi) initramfs rootfs systemd; > in >=20=20 > stdenv.mkDerivation { > @@ -40,17 +37,15 @@ stdenv.mkDerivation { > sourceRoot =3D "source/release/live"; >=20=20 > nativeBuildInputs =3D [ > - cryptsetup dosfstools jq spectrum-build-tools mtools systemd util-li= nux > + cryptsetup dosfstools jq spectrum-build-tools mtools util-linux > ]; >=20=20 > env =3D { > - INITRAMFS =3D initramfs; > - KERNEL =3D "${rootfs.kernel}/${stdenv.hostPlatform.linux-kernel.targ= et}"; > - ROOT_FS_DIR =3D rootfs; > + KERNEL =3D "${efi.rootfs.kernel}/${stdenv.hostPlatform.linux-kernel.= target}"; > + ROOT_FS_DIR =3D "${efi.rootfs}"; Why inherit these from efi above if you're going to refer to them through efi here anyway? > SYSTEMD_BOOT_EFI =3D "${systemd}/lib/systemd/boot/efi/systemd-boot${= efiArch}.efi"; > + EFI_IMAGE =3D efi; > EFINAME =3D "BOOT${toUpper efiArch}.EFI"; > - } // lib.optionalAttrs stdenv.hostPlatform.linux-kernel.DTB or false { > - DTBS =3D "${rootfs.kernel}/dtbs"; > }; >=20=20 > buildFlags =3D [ "dest=3D$(out)" ]; > @@ -63,6 +58,6 @@ stdenv.mkDerivation { > unsafeDiscardReferences =3D { out =3D true; }; > dontFixup =3D true; >=20=20 > - passthru =3D { inherit initramfs rootfs; }; > + passthru =3D { inherit efi initramfs rootfs; }; > } > ) (_: {}) 
> diff --git a/release/live/shell.nix b/release/live/shell.nix > index c5db7b732ef048b4c0cb87a4c5ea614e993db516..ffaa9a571c662810348822a59= 52d479d251a25e5 100644 > --- a/release/live/shell.nix > +++ b/release/live/shell.nix > @@ -1,7 +1,12 @@ > # SPDX-License-Identifier: MIT > # SPDX-FileCopyrightText: 2021-2024 Alyssa Ross >=20=20 > -import ../../lib/call-package.nix ({ callSpectrumPackage, stdenv, qemu_k= vm, rootfs }: > +import ../../lib/call-package.nix ( > +{ callSpectrumPackage, stdenv, qemu_kvm }: This has reduced in length, so it doesn't need to be broken on to a separate line. > + > +let > + efi =3D callSpectrumPackage ../../host/efi.nix {}; > +in >=20=20 > (callSpectrumPackage ./. {}).overrideAttrs ( > { nativeBuildInputs ? [], env ? {}, ... }: > @@ -10,7 +15,8 @@ import ../../lib/call-package.nix ({ callSpectrumPackag= e, stdenv, qemu_kvm, root >=20=20 > env =3D env // { > OVMF_CODE =3D "${qemu_kvm}/share/qemu/edk2-${stdenv.hostPlatform.q= emuArch}-code.fd"; > - ROOT_FS_DIR =3D rootfs; > + ROOT_FS_DIR =3D efi.rootfs; > + EFI_IMAGE =3D efi; > }; > } > )) (_: {}) > > --=20 > 2.52.0
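Review bot: in the host/rootfs/Makefile hunk that moves the "three files" comment onto build/verity-timestamp, the rule's target is build/verity-timestamp but its final step is "touch -- $(ROOT_FS_DIR)/verity-timestamp"; unless ROOT_FS_DIR is build, the stamp Make looks for is never created and the rule re-runs on every invocation, so "touch -- $@" would tie the stamp to the target regardless of where ROOT_FS_DIR points. The move of the comment itself is correct: it is this rule, not $(ROOT_FS), that produces several outputs and ends with a stamp file.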
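Review bot: in the release/live/Makefile hunk, build/empty becomes a prerequisite of build/boot.fat but nothing in the recipe refers to it; if it is there only so the build directory exists before $(TRUNCATE) creates build/boot.fat, a one-line comment saying so would stop the next reader from assuming it is content that ends up in the image. The explicit "::/EFI/Linux/spectrum.efi" destination is needed now that $(EFI_IMAGE) comes from a derivation whose output name need not be spectrum.efi, and that reason is also worth a comment since the old line relied on the source basename.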
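Review bot: in the release/live/default.nix env hunk, "ROOT_FS_DIR = "${efi.rootfs}";" wraps the derivation in a string while the same attribute in release/live/shell.nix is written "ROOT_FS_DIR = efi.rootfs;"; pick one form, and the unquoted one matches what the line looked like before. In the same hunk, INITRAMFS and DTBS are dropped because the build/spectrum.efi rule that consumed them is gone from release/live/Makefile; KERNEL was only referenced by that rule in the lines shown, so check whether it can go as well. If the removed lib.optionalAttrs block was the only use of lib in this file, lib can also be removed from the argument list.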
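Review bot: in the release/live/shell.nix hunks, the shell instantiates host/efi.nix a second time through its own "efi = callSpectrumPackage ../../host/efi.nix {};" even though the derivation it overrides now exports efi via passthru (the release/live/default.nix passthru hunk); reading it from there, for instance "let live = callSpectrumPackage ./. {}; in live.overrideAttrs (...)" with "live.efi", keeps the shell and the image bound to one and the same UKI by construction rather than by both sides happening to call the same file with the same arguments. Also, EFI_IMAGE and ROOT_FS_DIR are already present in the env that "env // { ... }" starts from, so re-setting them to the same values here is redundant unless an override is intended.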