From: Alyssa Ross
To: Demi Marie Obenour
Cc: Spectrum OS Development
Subject: Re: [PATCH v5 1/2] Build verity images in rootfs Nix derivation
Date: Tue, 25 Nov 2025 13:34:53 +0100
Message-ID: <87bjkq2suq.fsf@alyssa.is>
In-Reply-To: <20251121-refactor-verity-v5-1-938fc95f9752@gmail.com>
References: <20251121-refactor-verity-v5-0-938fc95f9752@gmail.com> <20251121-refactor-verity-v5-1-938fc95f9752@gmail.com>
List-Id: Patches and low-level development discussion

Okay, resending relevant comments from my accidental review of v4:

Demi Marie Obenour writes:

> diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
> index 4067be0c45cc83ce4670ed76e956db58f8e93e02..5e3c9238f0e00f86aa5943212b8fc8fd896ce54a 100644
> --- a/host/rootfs/Makefile
> +++ b/host/rootfs/Makefile
> @@ -1,12 +1,12 @@
>  # SPDX-License-Identifier: EUPL-1.2+
>  # SPDX-FileCopyrightText: 2021-2024 Alyssa Ross
> +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour
>  
>  .POSIX:
>  
>  include ../../lib/common.mk
>  include file-list.mk
> -
> -dest = build/rootfs.erofs
> +ROOT_FS_DIR = build
>  
>  DIRS = \
>  	dev \
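Review bot: in this hunk `ROOT_FS_DIR = build` is assigned after `include ../../lib/common.mk`, yet the common.mk hunk below defines `ROOT_FS = $(ROOT_FS_DIR)/rootfs` in terms of it. That only works because common.mk uses recursive `=` assignment; if any of those definitions ever became `:=`, `ROOT_FS` would silently expand to `/rootfs`. Either move the assignment above the include or add a one-line comment stating that it is deliberately set after the include and relies on lazy expansion.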
> @@ -40,15 +40,27 @@ FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo
>  
>  BUILD_FILES = build/etc/s6-rc
>  
> -$(dest): ../../scripts/make-erofs.sh $(PACKAGES_FILE) $(FILES) $(BUILD_FILES) build/empty build/fifo file-list.mk
> -	set -euo pipefail; \
> +build/verity-timestamp: $(ROOT_FS)
> +	$(VERITYSETUP) format \
> +		--root-hash-file $(ROOT_FS_VERITY_ROOTHASH) \
> +		-- $(ROOT_FS) $(ROOT_FS_VERITY)
> +	# Add trailing newline
> +	echo >> $(ROOT_FS_VERITY_ROOTHASH)

Why do we need to do this?

(Emacs would also rather your comments were not indented, so they're
interpreted by Make as comments rather than being passed on to the
shell.)

> +	touch -- $(ROOT_FS_DIR)/verity-timestamp

This should be build/verity-timestamp (like the rule), or even better $@.

> +
> +# This rule produces three files but Make only (portably)
> +# supports one output per rule. Instead of resorting to temporary
> +# files, a timestamp file is created as the last step. The actual
> +# outputs are produced as side-effects.

Is this comment supposed to be on the previous rule?

> +$(ROOT_FS): ../../scripts/make-erofs.sh $(PACKAGES_FILE) $(FILES) $(BUILD_FILES) build/empty build/fifo file-list.mk
> +	mkdir -p $(ROOT_FS_DIR) && \
>  	{ \
>  		cat $(PACKAGES_FILE) ;\
>  		for file in $(FILES) $(LINKS); do printf '%s\n%s\n' $$file "$${file#image/}"; done ;\
>  		for file in $(BUILD_FILES); do printf '%s\n%s\n' $$file $${file#build/}; done ;\
>  		printf 'build/empty\n%s\n' $(DIRS) ;\
>  		printf 'build/fifo\n%s\n' $(FIFOS) ;\
> -	} | ../../scripts/make-erofs.sh $@
> +	} | ../../scripts/make-erofs.sh $(ROOT_FS)

Why change this to something more likely to get out of sync?

>  
>  build/fifo:
>  	mkdir -p build
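Review bot: the new `$(ROOT_FS)` rule replaces `set -euo pipefail; \` with `mkdir -p $(ROOT_FS_DIR) && \`, so a failure of `cat $(PACKAGES_FILE)` or of one of the `for`/`printf` producers inside the `{ ... }` group no longer fails the recipe: Make only sees make-erofs.sh's exit status, and a truncated file list yields a rootfs that `veritysetup format` then hashes as if it were complete. Keep the `set` line, or say in the commit message why it has to go. Separately, because the verity file and root hash are side effects of `build/verity-timestamp` that Make does not track, deleting `$(ROOT_FS_VERITY)` or `$(ROOT_FS_VERITY_ROOTHASH)` while the timestamp survives means they are never regenerated; touching the timestamp only after checking that both files exist (or removing the timestamp in `clean` together with them) would close that gap.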
> @@ -77,25 +89,10 @@ clean:
>  	rm -rf build
>  .PHONY: clean
>  
> -# veritysetup format produces two files, but Make only (portably)
> -# supports one output per rule, so we combine the two outputs then
> -# define two more rules to separate them again.
> -build/rootfs.verity: $(dest)
> -	$(VERITYSETUP) format $(dest) build/rootfs.verity.superblock.tmp \
> -	    | awk -F ':[[:blank:]]*' '$$1 == "Root hash" {print $$2; exit}' \
> -	    > build/rootfs.verity.roothash.tmp
> -	cat build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.tmp \
> -	    > $@
> -	rm build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.tmp
> -build/rootfs.verity.roothash: build/rootfs.verity
> -	head -n 1 build/rootfs.verity > $@
> -build/rootfs.verity.superblock: build/rootfs.verity
> -	tail -n +2 build/rootfs.verity > $@
> -
> -build/live.img: ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh ../../scripts/sfdisk-field.awk build/rootfs.verity.superblock build/rootfs.verity.roothash $(dest)
> +build/live.img: ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh ../../scripts/sfdisk-field.awk $(ROOT_FS_DIR)/verity-timestamp $(ROOT_FS)

Here you're also still referring to $(ROOT_FS_DIR)/verity-timestamp
rather than build/verity-timestamp.

>  	../../scripts/make-gpt.sh $@.tmp \
> -	    build/rootfs.verity.superblock:verity:$$(../../scripts/format-uuid.sh "$$(dd if=build/rootfs.verity.roothash bs=32 skip=1 count=1 status=none)") \
> -	    $(dest):root:$$(../../scripts/format-uuid.sh "$$(head -c 32 build/rootfs.verity.roothash)")
> +	    $(ROOT_FS)/rootfs.verity.superblock:verity:$$(../../scripts/format-uuid.sh "$$(dd if=$(ROOT_FS_VERITY_ROOTHASH) bs=32 skip=1 count=1 status=none)") \
> +	    $(ROOT_FS)/rootfs:root:$$(../../scripts/format-uuid.sh "$$(head -c 32 $(ROOT_FS_VERITY_ROOTHASH)")

This can't be right, can it? $(ROOT_FS) is a file.

>  	mv $@.tmp $@
>  
>  debug:
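Review bot: the new `$(ROOT_FS)/rootfs:root:...` line is missing a closing parenthesis: `"$$(head -c 32 $(ROOT_FS_VERITY_ROOTHASH)")` closes the Make reference but never closes the `$$(head ...)` command substitution (the removed line ended `roothash)")`), so the shell will reject the recipe. In the same hunk, the verity partition is given as `$(ROOT_FS)/rootfs.verity.superblock`, a path from the naming scheme whose rules this hunk deletes and which nothing in the patch now creates; the file `veritysetup format` writes is `$(ROOT_FS_VERITY)`, so that is what `make-gpt.sh` should receive. Since `live.img` depends only on the timestamp file, consider listing `$(ROOT_FS_VERITY)` and `$(ROOT_FS_VERITY_ROOTHASH)` as prerequisites too, so that a missing verity file fails the build instead of producing an image with an empty verity partition.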
> @@ -105,7 +102,7 @@ debug:
>  		$(VMLINUX)
>  .PHONY: debug
>  
> -run: build/live.img build/rootfs.verity.roothash
> +run: build/live.img

I'd still prefer we kept the explicit dependency, even though we will
get it via build/live.img as well.

>  	@set -x && \
>  	ext="$$(mktemp build/spectrum-rootfs-extfs.XXXXXXXXXX.img)" && \
>  	truncate -s 10G "$$ext" && \
> @@ -126,7 +123,7 @@ run: build/live.img build/rootfs.verity.roothash
>  	    -device virtconsole,chardev=virtiocon0 \
>  	    -drive file=build/live.img,if=virtio,format=raw,readonly=on \
>  	    -drive file=/proc/self/fd/3,if=virtio,format=raw \
> -	    -append "earlycon console=hvc0 roothash=$$(< build/rootfs.verity.roothash) intel_iommu=on nokaslr" \
> +	    -append "earlycon console=hvc0 roothash=$$(< $(ROOT_FS_VERITY_ROOTHASH)) intel_iommu=on nokaslr" \
>  	    -device virtio-keyboard \
>  	    -device virtio-mouse \
>  	    -device virtio-gpu \
> diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix
> index 0ac70c7c077c0656c5820a5d8b3c7ce0e7c78e54..1578155fa0fb9a4df3fb4884e21ed7d8d8f821dc 100644
> --- a/host/rootfs/default.nix
> +++ b/host/rootfs/default.nix
> @@ -138,7 +138,7 @@ stdenvNoCC.mkDerivation {
>    };
>    sourceRoot = "source/host/rootfs";
>  
> -  nativeBuildInputs = [ erofs-utils spectrum-build-tools s6-rc ];
> +  nativeBuildInputs = [ cryptsetup erofs-utils spectrum-build-tools s6-rc ];
>  
>    env = {
>      PACKAGES = runCommand "packages" {} ''
> @@ -147,7 +147,9 @@ stdenvNoCC.mkDerivation {
>      '';
>    };
>  
> -  makeFlags = [ "dest=$(out)" ];
> +  # The Makefile uses $(ROOT_FS_DIR), not $(dest), so it can share code
> +  # with other Makefiles that also use this variable.
> +  makeFlags = [ "ROOT_FS_DIR=$(out)" ];
>  
>    dontInstall = true;
>  
> diff --git a/host/rootfs/shell.nix b/host/rootfs/shell.nix
> index 1bf61bebf418333624e799cc8ca231f5783206f4..6df2f575fdfc7cdf8067ccfdb5fecaad9f6ea5e6 100644
> --- a/host/rootfs/shell.nix
> +++ b/host/rootfs/shell.nix
> @@ -12,7 +12,7 @@ rootfs.overrideAttrs (
>  
>  {
>    nativeBuildInputs = nativeBuildInputs ++ [
> -    btrfs-progs cryptsetup jq netcat qemu_kvm reuse util-linux
> +    btrfs-progs jq netcat qemu_kvm reuse util-linux
>    ];
>  
>    env = env // {
> diff --git a/lib/common.mk b/lib/common.mk
> index 277c3544036d9a9057f8ba4ad37fe2207548cc59..d1cc4d0514070cc3f418c4d1b7e929abd40d985c 100644
> --- a/lib/common.mk
> +++ b/lib/common.mk
> @@ -11,6 +11,10 @@ GDB = gdb
>  MCOPY = mcopy
>  MKFS_FAT = mkfs.fat
>  MMD = mmd
> +ROOT_FS = $(ROOT_FS_DIR)/rootfs

Would be nice for this to keep its file extension.

> +ROOT_FS_IMAGES = $(ROOT_FS) $(ROOT_FS_VERITY_ROOTHASH) $(ROOT_FS_VERITY)

I'm not sure "IMAGES" makes sense as a name for this. A verity roothash
is not an image. ROOT_FS_FILES?

Alternative naming scheme idea, that avoids mistaking ROOT_FS for the
directory like has happened above: ROOT_FS (for the directory),
ROOT_FS_IMAGE, ROOT_FS_VERITY, ROOT_FS_VERITY_ROOTHASH.
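Review bot: in the `default.nix` `@@ -147,7 +147,9 @@` hunk, switching `makeFlags` from `dest=$(out)` to `ROOT_FS_DIR=$(out)` changes what the derivation's `$out` is: before, `$out` was the erofs image file itself (`dest` pointed at a single file); after, it is a directory holding `rootfs` plus the files named by `$(ROOT_FS_VERITY)` and `$(ROOT_FS_VERITY_ROOTHASH)`. The added comment explains the variable rename but not this output-layout change, and a consumer that still treats the derivation as one image file will break silently. The commit message should state the new layout, and anything built on this derivation (shell.nix's `overrideAttrs` here, and whatever patch 2/2 touches) should be checked against it in the same series.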