Demi Marie Obenour writes:
> It will be used by the update code later.
>
> No functional change intended, other than a trivial shell script
> refactoring.
>
> Signed-off-by: Demi Marie Obenour
> ---
> I kept release/live/default.nix using the UKI's systemd because the old
> code did it that way. Changing this would be better in a separate
> commit.
>
> Changes since v5:
>
> - Create a temporary symlink named build/spectrum.efi and then run
> $(MCOPY) -i $@ build/spectrum.efi ::/EFI/Linux, rather than copying
> the file with its original name. The latter results in an unbootable
> image. I do not know the reason.
>
> Signed-off-by: Demi Marie Obenour
> ---
> host/efi.nix | 40 ++++++++++++++++++++++++++++++++++++++++
> release/live/Makefile | 17 ++++-------------
> release/live/default.nix | 27 +++++++++++----------------
> release/live/shell.nix | 10 ++++++++--
> 4 files changed, 63 insertions(+), 31 deletions(-)
>
> diff --git a/host/efi.nix b/host/efi.nix
> new file mode 100644
> index 0000000000000000000000000000000000000000..ecedb6bea6bf29c7a7303dc9062fe12b5c7a9fbd
> --- /dev/null
> +++ b/host/efi.nix
> @@ -0,0 +1,40 @@
> +# SPDX-License-Identifier: MIT
> +# SPDX-FileCopyrightText: 2021-2024 Alyssa Ross
> +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour
> +
> +import ../lib/call-package.nix (
> +{ callSpectrumPackage, cryptsetup, rootfs
> +, runCommand, stdenv, systemdUkify
> +}:
> +let
> + initramfs = callSpectrumPackage ./initramfs {};
> + kernel = "${rootfs.kernel}/${stdenv.hostPlatform.linux-kernel.target}";
> + systemd = systemdUkify.overrideAttrs ({ mesonFlags ? [], ... }: {
> + # The default limit is too low to build a generic aarch64 distro image:
> + # https://github.com/systemd/systemd/pull/37417
> + mesonFlags = mesonFlags ++ [ "-Defi-stub-extra-sections=3000" ];
> + });
> +in
> +
> +runCommand "spectrum-efi" {
> + nativeBuildInputs = [ cryptsetup systemd ];
> + __structuredAttrs = true;
> + unsafeDiscardReferences = { out = true; };
> + dontFixup = true;
> + passthru = { inherit initramfs rootfs systemd; };
> +} ''
> + read -r roothash < ${rootfs}/rootfs.verity.roothash
> + { \
> + printf "[UKI]\nDeviceTreeAuto="
> + if [ -d ${rootfs.kernel}/dtbs ]; then
> + find ${rootfs.kernel}/dtbs -name '*.dtb' -print0 | tr '\0' ' '
> + fi
> + } | ukify build \
> + --output "$out" \
> + --config /dev/stdin \
> + --linux ${kernel} \
> + --initrd ${initramfs} \
> + --os-release $'NAME="Spectrum"\n' \
> + --cmdline "ro intel_iommu=on roothash=$roothash"
> + ''
> +) (_: {})
> diff --git a/release/live/Makefile b/release/live/Makefile
> index ba81c7e679429e045b24c1591a9f0b72f016cfab..b37ccce42feb3ac7e8ce4faf96a67902b55be808 100644
> --- a/release/live/Makefile
> +++ b/release/live/Makefile
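Review bot: In host/efi.nix, `read -r roothash < ${rootfs}/rootfs.verity.roothash` passes the value straight into `--cmdline` with no check that it is a non-empty hex digest, so an empty or truncated roothash file could still yield a UKI whose `roothash=` argument is unusable. That argument is what binds the image to the verified root filesystem, so the build should fail early, e.g. `[[ $roothash =~ ^[0-9a-fA-F]+$ ]] || { echo "invalid verity roothash" >&2; exit 1; }` directly after the read. How the initramfs reacts to an empty `roothash=` is not visible in this patch, so whether that case fails closed at boot should be confirmed separately.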
> @@ -19,22 +19,13 @@ $(dest): ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh ../../scripts/sf
> build/empty:
> mkdir -p $@
>
> -build/spectrum.efi: $(DTBS) $(KERNEL) $(INITRAMFS) $(ROOT_FS_VERITY_ROOTHASH)
> - { \
> - printf "[UKI]\nDeviceTreeAuto=" && \
> - find $(DTBS) -name '*.dtb' -print0 | tr '\0' ' ' ;\
> - } | $(UKIFY) build \
> - --output $@ \
> - --config /dev/stdin \
> - --linux $(KERNEL) \
> - --initrd $(INITRAMFS) \
> - --os-release $$'NAME="Spectrum"\n' \
> - --cmdline "ro intel_iommu=on roothash=$$(cat $(ROOT_FS_VERITY_ROOTHASH))"
> -
> -build/boot.fat: $(SYSTEMD_BOOT_EFI) build/spectrum.efi
> +build/boot.fat: $(SYSTEMD_BOOT_EFI) $(EFI_IMAGE) build/empty
Why add a build/empty dependency? It doesn't seem to be used for anything any more? (Neither does the DTBS variable, actually.)
> $(TRUNCATE) -s 440401920 $@
> $(MKFS_FAT) $@
> $(MMD) -i $@ ::/EFI ::/EFI/BOOT ::/EFI/Linux
> +# This symlink is necessary. Copying $(EFI_IMAGE) directly
> +# results in an unbootable image. TODO: figure out why.
> + ln -s $(EFI_IMAGE) build/spectrum.efi
> $(MCOPY) -i $@ build/spectrum.efi ::/EFI/Linux
> $(MCOPY) -i $@ $(SYSTEMD_BOOT_EFI) ::/EFI/BOOT/$(EFINAME)
>
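Review bot: The added `ln -s $(EFI_IMAGE) build/spectrum.efi` has no `-f`, so it fails with "File exists" whenever build/boot.fat is rebuilt in a tree where the link already exists, and by then `$(TRUNCATE)` and `$(MKFS_FAT)` have already rewritten `$@`. Unless `.DELETE_ON_ERROR:` is set elsewhere in this Makefile (not visible in the hunk), that leaves an empty but newer boot.fat which a later make run would treat as up to date. Use `ln -sf $(EFI_IMAGE) build/spectrum.efi` instead. If `EFI_IMAGE` can ever be a relative path, note that the link target would be resolved relative to build/, not the directory make runs in.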