From: Alyssa Ross
To: Demi Marie Obenour
Cc: Spectrum OS Development
Subject: Re: [PATCH v6 2/2] Move UKI creation to a separate derivation
In-Reply-To: <20251126-refactor-verity-v6-2-f09555546a85@gmail.com>
References: <20251126-refactor-verity-v6-0-f09555546a85@gmail.com> <20251126-refactor-verity-v6-2-f09555546a85@gmail.com>
Date: Fri, 28 Nov 2025 12:02:32 +0100
Message-ID: <87bjkmpghj.fsf@alyssa.is>

Demi Marie Obenour writes:

> It will be used by the update code later.
>
> No functional change intended, other than a trivial shell script
> refactoring.
>
> Signed-off-by: Demi Marie Obenour
> ---
> I kept release/live/default.nix using the UKI's systemd because the old
> code did it that way. Changing this would be better in a separate
> commit.
>
> Changes since v5:
>
> - Create a temporary symlink named build/spectrum.efi and then run
>   $(MCOPY) -i $@ build/spectrum.efi ::/EFI/Linux, rather than copying
>   the file with its original name. The latter results in an unbootable
>   image. I do not know the reason.
> > Signed-off-by: Demi Marie Obenour > --- > host/efi.nix | 40 ++++++++++++++++++++++++++++++++++++++++ > release/live/Makefile | 17 ++++------------- > release/live/default.nix | 27 +++++++++++---------------- > release/live/shell.nix | 10 ++++++++-- > 4 files changed, 63 insertions(+), 31 deletions(-) > > diff --git a/host/efi.nix b/host/efi.nix > new file mode 100644 > index 0000000000000000000000000000000000000000..ecedb6bea6bf29c7a7303dc90= 62fe12b5c7a9fbd > --- /dev/null > +++ b/host/efi.nix > @@ -0,0 +1,40 @@ > +# SPDX-License-Identifier: MIT > +# SPDX-FileCopyrightText: 2021-2024 Alyssa Ross > +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour > + > +import ../lib/call-package.nix ( > +{ callSpectrumPackage, cryptsetup, rootfs > +, runCommand, stdenv, systemdUkify > +}: > +let > + initramfs =3D callSpectrumPackage ./initramfs {}; > + kernel =3D "${rootfs.kernel}/${stdenv.hostPlatform.linux-kernel.target= }"; > + systemd =3D systemdUkify.overrideAttrs ({ mesonFlags ? [], ... }: { > + # The default limit is too low to build a generic aarch64 distro ima= ge: > + # https://github.com/systemd/systemd/pull/37417 > + mesonFlags =3D mesonFlags ++ [ "-Defi-stub-extra-sections=3D3000" ]; > + }); > +in > + > +runCommand "spectrum-efi" { > + nativeBuildInputs =3D [ cryptsetup systemd ]; > + __structuredAttrs =3D true; > + unsafeDiscardReferences =3D { out =3D true; }; > + dontFixup =3D true; > + passthru =3D { inherit initramfs rootfs systemd; }; > +} '' > + read -r roothash < ${rootfs}/rootfs.verity.roothash > + { \ > + printf "[UKI]\nDeviceTreeAuto=3D" > + if [ -d ${rootfs.kernel}/dtbs ]; then > + find ${rootfs.kernel}/dtbs -name '*.dtb' -print0 | tr '\0' ' ' > + fi > + } | ukify build \ > + --output "$out" \ > + --config /dev/stdin \ > + --linux ${kernel} \ > + --initrd ${initramfs} \ > + --os-release $'NAME=3D"Spectrum"\n' \ > + --cmdline "ro intel_iommu=3Don roothash=3D$roothash" > + '' > +) (_: {}) 
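Review bot: cryptsetup is listed in nativeBuildInputs of the new spectrum-efi derivation (and taken as a function argument), but nothing in the builder runs it: the root hash is read straight from ${rootfs}/rootfs.verity.roothash with "read -r roothash", and the only tool the script invokes is ukify. Drop cryptsetup from the argument list and from nativeBuildInputs so the UKI build does not pull in a package it never executes. Minor: the "{ \" opening the brace group is a leftover from the Makefile recipe, where the backslash was needed for recipe line continuation; inside the Nix shell string it does nothing and can be written as a plain "{".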
> diff --git a/release/live/Makefile > index ba81c7e679429e045b24c1591a9f0b72f016cfab..b37ccce42feb3ac7e8ce4faf9= 6a67902b55be808 100644 > --- a/release/live/Makefile > +++ b/release/live/Makefile > @@ -19,22 +19,13 @@ $(dest): ../../scripts/format-uuid.sh ../../scripts/m= ake-gpt.sh ../../scripts/sf > build/empty: > mkdir -p $@ >=20=20 > -build/spectrum.efi: $(DTBS) $(KERNEL) $(INITRAMFS) $(ROOT_FS_VERITY_ROOT= HASH) > - { \ > - printf "[UKI]\nDeviceTreeAuto=3D" && \ > - find $(DTBS) -name '*.dtb' -print0 | tr '\0' ' ' ;\ > - } | $(UKIFY) build \ > - --output $@ \ > - --config /dev/stdin \ > - --linux $(KERNEL) \ > - --initrd $(INITRAMFS) \ > - --os-release $$'NAME=3D"Spectrum"\n' \ > - --cmdline "ro intel_iommu=3Don roothash=3D$$(cat $(ROOT_FS_VERITY_R= OOTHASH))" > - > -build/boot.fat: $(SYSTEMD_BOOT_EFI) build/spectrum.efi > +build/boot.fat: $(SYSTEMD_BOOT_EFI) $(EFI_IMAGE) build/empty Why add a build/empty dependency? It doesn't seem to be used for anything any more? (Neither does the DTBS variable, actually.) > $(TRUNCATE) -s 440401920 $@ > $(MKFS_FAT) $@ > $(MMD) -i $@ ::/EFI ::/EFI/BOOT ::/EFI/Linux > +# This symlink is necessary. Copying $(EFI_IMAGE) directly > +# results in an unbootable image. TODO: figure out why. > + ln -s $(EFI_IMAGE) build/spectrum.efi > $(MCOPY) -i $@ build/spectrum.efi ::/EFI/Linux > $(MCOPY) -i $@ $(SYSTEMD_BOOT_EFI) ::/EFI/BOOT/$(EFINAME) >=20=20
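Review bot: the new "ln -s $(EFI_IMAGE) build/spectrum.efi" line fails with "File exists" on any rebuild of build/boot.fat where build/spectrum.efi survives from an earlier run, because the symlink is now created as a side effect of the boot.fat recipe instead of being a target that make rebuilds; it also keeps pointing at the old store path when $(EFI_IMAGE) changes. Use "ln -sfn", or better, drop the symlink and name the destination explicitly: "$(MCOPY) -i $@ $(EFI_IMAGE) ::/EFI/Linux/spectrum.efi". That also answers the TODO: when mcopy is given a directory as destination it keeps the source basename, and $(EFI_IMAGE) is the store path of the spectrum-efi derivation (written with --output "$out" in host/efi.nix), so the file lands in EFI/Linux without a .efi suffix, and systemd-boot only enumerates *.efi entries in that directory. With the explicit destination name the comment can go, and, as already noted above, the build/empty prerequisite and the DTBS variable no longer have any use in this file.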