From: Alyssa Ross
To: Demi Marie Obenour
Cc: Spectrum OS Development
Subject: Re: [PATCH v3 2/2] Move UKI creation to a separate derivation
Date: Fri, 14 Nov 2025 12:58:28 +0100
Message-ID: <87cy5kltaz.fsf@alyssa.is>
References: <20251111-refactor-verity-v3-0-575726639f9e@gmail.com>
 <20251111-refactor-verity-v3-2-575726639f9e@gmail.com>
 <87y0oagn5s.fsf@alyssa.is>
List-Id: Patches and low-level development discussion

Demi Marie Obenour writes:

> On 11/13/25 06:57, Alyssa Ross wrote:
>> Demi Marie Obenour writes:
>> 
>>> It will be used by the update code later.
>>>
>>> No functional change intended, other than a trivial shell script
>>> refactoring.
>>>
>>> Signed-off-by: Demi Marie Obenour
>>> ---
>>>  host/efi.nix             | 46 ++++++++++++++++++++++++++++++++++++++++++++++
>>>  pkgs/default.nix         |  1 +
>>>  release/live/Makefile    | 15 ++-------------
>>>  release/live/default.nix | 19 +++++--------------
>>>  4 files changed, 54 insertions(+), 27 deletions(-)
>>>
>>> diff --git a/host/efi.nix b/host/efi.nix
>>> new file mode 100644
>>> index 0000000000000000000000000000000000000000..a2b47fd050fbf00050473a0d5a1373eb96c341b5
>>> --- /dev/null
>>> +++ b/host/efi.nix
>>> @@ -0,0 +1,46 @@
>>> +# SPDX-License-Identifier: EUPL-1.2+
>> 
>> MIT for Nix files please.  (Fine to take my stuff from the EUPL-1.2+
>> Makefile and use it in a MIT-licensed Nix file.)
>
> I think it would be best to relicense the Makefiles under MIT if we can,
> so that we can move code back and forth even after neither of us knows every
> single copyright holder.  Feel free to relicense my contributions to them.

Yes, perhaps worth considering.  I'll think about it.

>>> +  __structuredAttrs = true;
>>> +  unsafeDiscardReferences = { out = true; };
>>> +  dontFixup = true;
>>> +  passthru = { inherit systemd; };
>>> +  env = {
>>> +    DTBS = "${rootfs.kernel}/dtbs";
>>> +    KERNEL = kernel;
>>> +    INITRAMFS = initramfs;
>>> +    ROOTFS = rootfs;
>>> +  };
>> 
>> Usually we'd just inline these via string interpolation, rather than
>> passing them through as environment variables.
>
> Done, except for DTBS which is used more than once.

Even so it's very short.

>>> diff --git a/pkgs/default.nix b/pkgs/default.nix
>>> index cc60228a10cddcb70e5ab9faa1bab7d74f3ebb35..c9f6dcfad9369567468b30d1c5697e3551a7b236 100644
>>> --- a/pkgs/default.nix
>>> +++ b/pkgs/default.nix
>>> @@ -36,6 +36,7 @@ let
>>>      path: (import path { inherit (self) callPackage; }).override;
>>>  
>>>    rootfs = self.callSpectrumPackage ../host/rootfs {};
>>> +  efi = self.callSpectrumPackage ../host/efi.nix {};
>>>    spectrum-build-tools = self.callSpectrumPackage ../tools {
>>>      appSupport = false;
>>>      buildSupport = true;
>> 
>> Generally images don't need entries here, and can just be loaded by
>> callSpectrumPackage.  There was a specific reason to make an exception
>> for rootfs (which I've now forgotten).
>
> What is the general rule for what should go in pkgs/default.nix?
> If you could add it to the docs that would be great.

Uh, "packages" should go in pkgs/default.nix.  I'd need to remember the
rationale for rootfs being in there to say more, and I don't right now.

>>> diff --git a/release/live/Makefile b/release/live/Makefile
>>> index 191b44944af0adf965e1d5f2785719b236bfd99c..4de8743f42dec65aa863c3020cd70124316a6118 100644
>>> --- a/release/live/Makefile
>>> +++ b/release/live/Makefile
>>> @@ -19,19 +19,8 @@ $(dest): ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh ../../scripts/sf
>>>  build/empty:
>>>  	mkdir -p $@
>>>  
>>> -build/spectrum.efi: $(DTBS) $(KERNEL) $(INITRAMFS) $(ROOT_FS_VERITY_ROOTHASH)
>>> -	{ \
>>> -	    printf "[UKI]\nDeviceTreeAuto=" && \
>>> -	    find $(DTBS) -name '*.dtb' -print0 | tr '\0' ' ' ;\
>>> -	} | $(UKIFY) build \
>>> -	    --output $@ \
>>> -	    --config /dev/stdin \
>>> -	    --linux $(KERNEL) \
>>> -	    --initrd $(INITRAMFS) \
>>> -	    --os-release $$'NAME="Spectrum"\n' \
>>> -	    --cmdline "ro intel_iommu=on roothash=$$(cat "$$ROOT_FS_VERITY_ROOTHASH")"
>>> -
>>> -build/boot.fat: $(SYSTEMD_BOOT_EFI) build/spectrum.efi
>>> +build/boot.fat: $(SYSTEMD_BOOT_EFI) $(EFI_IMAGE) build/empty
>>> +	ln -sf -- "$$EFI_IMAGE" build/spectrum.efi
>>>  	$(TRUNCATE) -s 440401920 $@
>>>  	$(MKFS_FAT) $@
>>>  	$(MMD) -i $@ ::/EFI ::/EFI/BOOT ::/EFI/Linux
>> 
>> Why a symlink?  Why not just replace the path we copy from?
>
> The basename of the path is actually important.  I tried using
> $(EFI_IMAGE) and the system didn't boot.

So this doesn't work?

    $(MCOPY) -i $@ $(EFI_IMAGE) ::/EFI/Linux/spectrum.efi

I'd be very curious to see the diff between that and a working image.

>>> -    SYSTEMD_BOOT_EFI = "${systemd}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";
>>> +    SYSTEMD_BOOT_EFI = "${efi.systemd}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";
>> 
>> We can just get this from the default systemd package.  Doesn't need to
>> be efi's special overridden one.
>
> Would it be better to have the override in a Spectrum-wide overlay?

You'd end up doing a lot of rebuilding for everything that depends on
systemd.  We could also have it so that Spectrum's "systemd" in
pkgs/default.nix differs from the systemd used inside Nixpkgs and
available as pkgs.systemd, but that would get /extremely/ confusing.
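Review bot: `unsafeDiscardReferences = { out = true; };` in the new host/efi.nix needs a comment saying why it is safe, because next to `env = { KERNEL = kernel; INITRAMFS = initramfs; ... }` it reads like a hidden runtime dependency being dropped. The reason is visible in the Makefile rule this derivation replaces: ukify copies the kernel, initrd and device trees into the UKI by content, so nothing in $out points back into the store. Suggest a one-line comment above the flag, e.g. `# ukify embeds its inputs; $out holds no store-path references.`, so the next reader does not have to reconstruct that from the build script.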
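Review bot: the new `efi = self.callSpectrumPackage ../host/efi.nix {};` entry in pkgs/default.nix gives a UKI-producing derivation a very generic name, and the same patch already juggles two different ".efi" artifacts in release/live (`EFI_IMAGE` and `SYSTEMD_BOOT_EFI`), one of which is the bootloader and one the kernel image. If the attribute stays, a name that says what it builds (the subject line's own term, a UKI) would keep `efi.systemd` from reading as "the systemd that belongs to EFI".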
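Review bot: `ln -sf -- "$$EFI_IMAGE" build/spectrum.efi` inside the `build/boot.fat` recipe creates a file make does not know about, and it reads `EFI_IMAGE` from the shell environment while the prerequisite list reads the make variable `$(EFI_IMAGE)`; if those two ever differ (the variable given on the make command line but not exported, for instance) the prerequisite is satisfied by one path and the symlink silently points at another. The rule this hunk deletes had `build/spectrum.efi` as a proper target; keeping it that way preserves tracking and uses one spelling of the variable: `build/spectrum.efi: $(EFI_IMAGE) build/empty` with recipe `ln -sf -- $< $@`, and `build/boot.fat` depending on `build/spectrum.efi` as before.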
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQQGoGac7QfI+H5ZtFCZddwkt31pFQUCaRcZZAAKCRCZddwkt31p
FcDOAP9VDq2xxf4q/e/NMNnc3PzH8DXaLXJCCMMU3JDqLa71SwEAoGrNzTt7wCuC
kXnkMcJcGLk5e0MhaRWy7PoMiVnCYg8=
=d/Qu
-----END PGP SIGNATURE-----
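As an added example that is not part of the patch or of Spectrum's host/efi.nix: a minimal derivation that builds a UKI with the ukify invocation seen in the removed Makefile rule, but with store paths interpolated straight into `buildCommand` instead of passed through `env`, which is the idiom the reply asks for. It assumes a `systemd` built with ukify (in Nixpkgs, `systemd.override { withUkify = true; }`) that installs it at lib/systemd/ukify, and caller-supplied `kernel` (the kernel image file), `dtbs` (a directory of .dtb files), `initramfs`, and `roothash` (a file holding the dm-verity root hash). All of those input names are assumptions for the example, not the project's.

```nix
# Added example, not Spectrum's host/efi.nix.  Assumed inputs: kernel is the
# kernel image file, dtbs a directory of .dtb files, initramfs the initrd,
# roothash a file containing the dm-verity root hash, and systemd a build
# that ships ukify at lib/systemd/ukify.
{ stdenvNoCC, systemd, kernel, dtbs, initramfs, roothash }:

stdenvNoCC.mkDerivation {
  name = "spectrum-uki-example";

  # ukify copies the kernel, initrd and device trees into PE sections, so
  # $out contains no store paths.  Discarding references is therefore safe,
  # and saying so here keeps the flag from looking like a hidden dependency.
  unsafeDiscardReferences = { out = true; };
  dontFixup = true;

  buildCommand = ''
    # DeviceTreeAuto= takes a space-separated list of .dtb files.  Writing
    # the config to a file instead of piping it through /dev/stdin leaves
    # something to inspect when ukify rejects it.
    {
      printf '[UKI]\nDeviceTreeAuto='
      find ${dtbs} -name '*.dtb' -print0 | tr '\0' ' '
      printf '\n'
    } > uki.conf

    # Store paths are substituted by Nix at evaluation time; nothing has to
    # travel through the environment, even when a path is used twice.
    ${systemd}/lib/systemd/ukify build \
      --output "$out" \
      --config uki.conf \
      --linux ${kernel} \
      --initrd ${initramfs} \
      --os-release $'NAME="Spectrum"\n' \
      --cmdline "ro intel_iommu=on roothash=$(cat ${roothash})"
  '';
}
```

The command line copies the one in the thread, including `intel_iommu=on`; a real deployment would derive it from the target rather than hard-code it. Because the root hash is read from a file at build time and baked into the UKI's command line, changing the root filesystem changes the UKI, which is what ties the signed boot chain to the verity tree.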