From: Alyssa Ross
To: Demi Marie Obenour
Cc: Spectrum OS Development
Subject: Re: [PATCH v3 1/2] Build verity images in rootfs Nix derivation
References: <20251111-refactor-verity-v3-0-575726639f9e@gmail.com> <20251111-refactor-verity-v3-1-575726639f9e@gmail.com> <87346ii29m.fsf@alyssa.is>
Date: Fri, 14 Nov 2025 12:53:52 +0100
Message-ID: <87fragltin.fsf@alyssa.is>
List-Id: Patches and low-level development discussion

Demi Marie Obenour writes:

> On 11/13/25 06:46, Alyssa Ross wrote:
>> Demi Marie Obenour writes:
>>
>>> diff --git a/host/initramfs/Makefile b/host/initramfs/Makefile >>> index cb13fbb35f065b67d291d4a35591d6f12720060c..102870ecba4456303414e25= 31ea592473ddfc1cf 100644 >>> --- a/host/initramfs/Makefile >>> +++ b/host/initramfs/Makefile
>>> @@ -35,26 +35,10 @@ build/mountpoints: >>> cd build/mountpoints && mkdir -p $(MOUNTPOINTS) >>> find build/mountpoints -mindepth 1 -exec touch -d @0 {} ';' >>>=20=20 >>> -# veritysetup format produces two files, but Make only (portably) >>> -# supports one output per rule, so we combine the two outputs then >>> -# define two more rules to separate them again. >>> -build/rootfs.verity: $(ROOT_FS) >>> - mkdir -p build >>> - $(VERITYSETUP) format $(ROOT_FS) build/rootfs.verity.superblock.tmp \ >>> - | awk -F ':[[:blank:]]*' '$$1 =3D=3D "Root hash" {print $$2; exit= }' \ >>> - > build/rootfs.verity.roothash.tmp >>> - cat build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.t= mp \ >>> - > $@ >>> - rm build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.tmp >>> -build/rootfs.verity.roothash: build/rootfs.verity >>> - head -n 1 build/rootfs.verity > $@ >>> -build/rootfs.verity.superblock: build/rootfs.verity >>> - tail -n +2 build/rootfs.verity > $@ >>> - >>> -build/live.img: ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh= ../../scripts/sfdisk-field.awk build/rootfs.verity.superblock build/rootfs= .verity.roothash $(ROOT_FS) >>> +build/live.img: ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh= ../../scripts/sfdisk-field.awk $(ROOT_FS_VERITY) $(ROOT_FS_VERITY_ROOTHASH= ) $(ROOT_FS) >>> ../../scripts/make-gpt.sh $@.tmp \ >>> - build/rootfs.verity.superblock:verity:$$(../../scripts/format-uui= d.sh "$$(dd if=3Dbuild/rootfs.verity.roothash bs=3D32 skip=3D1 count=3D1 st= atus=3Dnone)") \ >>> - $(ROOT_FS):root:$$(../../scripts/format-uuid.sh "$$(head -c 32 bu= ild/rootfs.verity.roothash)") >>> + "$$ROOT_FS_VERITY:verity:$$(../../scripts/format-uuid.sh "$$(dd "if= =3D$$ROOT_FS_VERITY_ROOTHASH" bs=3D32 skip=3D1 count=3D1 status=3Dnone)")" \ >>=20 >> Indentation got messed up here. 
>>
>> Given rootfs has a well-defined output structure, maybe we could just
>> write $(ROOT_FS)/rootfs.verity.roothash, so we don't need to define lots
>> of different environment variables in each component that uses the
>> verity data.
>>
>> I think we should consistently use Make variable expansion rather than
>> shell variable expansion when we're using the variable in a Make
>> dependency line too, to avoid the possibility of them being different.
>
> Make expansion followed by shell expansion and just Make expansion aren't
> even consistent with each other.

Can you elaborate?

>
>> build/fifo: >>> mkdir -p build
>>> @@ -83,25 +95,10 @@ clean: >>> rm -rf build >>> .PHONY: clean >>>=20=20 >>> -# veritysetup format produces two files, but Make only (portably) >>> -# supports one output per rule, so we combine the two outputs then >>> -# define two more rules to separate them again. >>> -build/rootfs.verity: $(dest) >>> - $(VERITYSETUP) format $(dest) build/rootfs.verity.superblock.tmp \ >>> - | awk -F ':[[:blank:]]*' '$$1 =3D=3D "Root hash" {print $$2; exit= }' \ >>> - > build/rootfs.verity.roothash.tmp >>> - cat build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.t= mp \ >>> - > $@ >>> - rm build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.tmp >>> -build/rootfs.verity.roothash: build/rootfs.verity >>> - head -n 1 build/rootfs.verity > $@ >>> -build/rootfs.verity.superblock: build/rootfs.verity >>> - tail -n +2 build/rootfs.verity > $@ >>> - >>> -build/live.img: ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh= ../../scripts/sfdisk-field.awk build/rootfs.verity.superblock build/rootfs= .verity.roothash $(dest) >>> +build/live.img: ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh= ../../scripts/sfdisk-field.awk $(dest)/timestamp >>> ../../scripts/make-gpt.sh $@.tmp \ >>> - build/rootfs.verity.superblock:verity:$$(../../scripts/format-uui= d.sh "$$(dd if=3Dbuild/rootfs.verity.roothash bs=3D32 skip=3D1 count=3D1 st= atus=3Dnone)") \ >>> - $(dest):root:$$(../../scripts/format-uuid.sh "$$(head -c 32 build= /rootfs.verity.roothash)") >>> + $(dest)/rootfs.verity.superblock:verity:$$(../../scripts/format-u= uid.sh "$$(dd if=3D$(dest)/rootfs.verity.roothash bs=3D32 skip=3D1 count=3D= 1 status=3Dnone)") \ >>> + $(dest)/rootfs:root:$$(../../scripts/format-uuid.sh "$$(head -c 3= 2 $(dest)/rootfs.verity.roothash)") >>> mv $@.tmp $@ >>>=20=20 >>> debug: 
>>> @@ -111,7 +108,7 @@ debug: >>> $(VMLINUX) >>> .PHONY: debug >>>=20=20 >>> -run: build/live.img $(EXT_FS) build/rootfs.verity.roothash >>> +run: build/live.img
>>
>> What happened to $(EXT_FS)?
>
> Since commit 12b64009d9cde56b5629a832086d2c2311908ebe
> ("host/initramfs/extfs.nix: remove") it has been unused.
> I deleted it while changing other stuff in this line.

Got it. I'll just push a drop of $(EXT_FS) now then.
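
Review bot: In the host/initramfs/Makefile hunk (@@ -35,26 +35,10 @@), the build/live.img rule names its prerequisites with Make expansion, $(ROOT_FS_VERITY) and $(ROOT_FS_VERITY_ROOTHASH), but the added recipe line reads the shell variables "$$ROOT_FS_VERITY" and "$$ROOT_FS_VERITY_ROOTHASH". The two agree only if the variables reach the recipe's environment; a value assigned inside a makefile without export is visible to $(...) but not to the shell, so the prerequisite can point at one file while the recipe reads another or an empty path. Because the partition UUIDs passed to make-gpt.sh are derived from the root hash, that mismatch would put a hash in the image that does not belong to the verity data being packed. Use $(ROOT_FS_VERITY) and $(ROOT_FS_VERITY_ROOTHASH) in the recipe as well, or read both files from fixed names under $(ROOT_FS) as proposed in the thread.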
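
Review bot: In the @@ -83,25 +95,10 @@ hunk, build/live.img now lists only $(dest)/timestamp as its rootfs prerequisite, while the recipe reads $(dest)/rootfs.verity.superblock, $(dest)/rootfs.verity.roothash and $(dest)/rootfs. That is correct only if timestamp is written after all three files every time any of them changes, so a one-line comment above the rule stating that contract would help the next reader. The paths in this recipe are also unquoted (dd if=$(dest)/rootfs.verity.roothash and head -c 32 $(dest)/rootfs.verity.roothash), whereas the host/initramfs/Makefile hunk quotes the same argument ("if=$$ROOT_FS_VERITY_ROOTHASH"); quote them the same way in both files so a path containing whitespace cannot split the argument.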
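
Review bot: In the @@ -111,7 +108,7 @@ hunk, the run target loses two prerequisites at once, $(EXT_FS) and build/rootfs.verity.roothash, and only the second belongs to the verity refactor. Move the $(EXT_FS) removal into its own commit or name it in the commit message, and confirm that the run recipe no longer reads build/rootfs.verity.roothash, since the rule that produced that file is deleted earlier in the same patch.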