From: Alyssa Ross
To: Demi Marie Obenour
CC: Spectrum OS Development
Subject: Re: [PATCH v4 1/2] Build verity images in rootfs Nix derivation
Date: Tue, 25 Nov 2025 13:27:55 +0100
Message-ID: <87h5ui2t6c.fsf@alyssa.is>
In-Reply-To: <20251119-refactor-verity-v4-1-9bc56d5216c0@gmail.com>

Demi Marie Obenour writes:

> diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile > index 27a7c689c39bf9bc93b5ba33ce661be7e47b67f1..055185064d84d9450c2076fde= b410b21d00f1d40 100644 > --- a/host/rootfs/Makefile > +++ b/host/rootfs/Makefile > @@ -1,12 +1,12 @@ > # SPDX-License-Identifier: EUPL-1.2+ > # SPDX-FileCopyrightText: 2021-2024 Alyssa Ross > +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour >=20=20 > .POSIX: >=20=20 > include ../../lib/common.mk > include file-list.mk > - > -dest =3D build/rootfs.erofs > +ROOT_FS_DIR =3D build >=20=20 > DIRS =3D \ > dev \
> @@ -46,15 +46,27 @@ FIFOS =3D etc/s6-linux-init/run-image/service/s6-svsc= an-log/fifo >=20=20 > BUILD_FILES =3D build/etc/s6-rc >=20=20 > -$(dest): ../../scripts/make-erofs.sh $(PACKAGES_FILE) $(FILES) $(BUILD_F= ILES) build/empty build/fifo file-list.mk > - set -euo pipefail; \ > +build/verity-timestamp: $(ROOT_FS) > + $(VERITYSETUP) format \ > + --root-hash-file $(ROOT_FS_VERITY_ROOTHASH) \ > + -- $(ROOT_FS) $(ROOT_FS_VERITY) > + # Add trailing newline > + echo >> $(ROOT_FS_VERITY_ROOTHASH) Why do we need to do this? (Emacs would also rather your comments were not indented, so they're interpreted by Make as comments rather than being passed on to the shell.) > + touch -- $(ROOT_FS_DIR)/verity-timestamp This should be build/verity-timestamp (like the rule), or even better $@. > + > +# This rule produces three files but Make only (portably) > +# supports one output per rule. Instead of resorting to temporary > +# files, a timestamp file is created as the last step. The actual > +# outputs are produced as side-effects. Is this comment supposed to be on the previous rule? > +$(ROOT_FS): ../../scripts/make-erofs.sh $(PACKAGES_FILE) $(FILES) $(BUIL= D_FILES) build/empty build/fifo file-list.mk > + mkdir -p $(ROOT_FS_DIR) && \ > { \ > cat $(PACKAGES_FILE) ;\ > for file in $(FILES) $(LINKS); do printf '%s\n%s\n' $$file "$${file= #image/}"; done ;\ > for file in $(BUILD_FILES); do printf '%s\n%s\n' $$file $${file#bui= ld/}; done ;\ > printf 'build/empty\n%s\n' $(DIRS) ;\ > printf 'build/fifo\n%s\n' $(FIFOS) ;\ > - } | ../../scripts/make-erofs.sh $@ > + } | ../../scripts/make-erofs.sh $(ROOT_FS) Why change this? >=20=20 > build/fifo: > mkdir -p build 
> @@ -83,25 +95,10 @@ clean: > rm -rf build > .PHONY: clean >=20=20 > -# veritysetup format produces two files, but Make only (portably) > -# supports one output per rule, so we combine the two outputs then > -# define two more rules to separate them again. > -build/rootfs.verity: $(dest) > - $(VERITYSETUP) format $(dest) build/rootfs.verity.superblock.tmp \ > - | awk -F ':[[:blank:]]*' '$$1 =3D=3D "Root hash" {print $$2; exit}'= \ > - > build/rootfs.verity.roothash.tmp > - cat build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.tmp= \ > - > $@ > - rm build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.tmp > -build/rootfs.verity.roothash: build/rootfs.verity > - head -n 1 build/rootfs.verity > $@ > -build/rootfs.verity.superblock: build/rootfs.verity > - tail -n +2 build/rootfs.verity > $@ > - > -build/live.img: ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh .= ./../scripts/sfdisk-field.awk build/rootfs.verity.superblock build/rootfs.v= erity.roothash $(dest) > +build/live.img: ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh .= ./../scripts/sfdisk-field.awk $(ROOT_FS_DIR)/verity-timestamp $(ROOT_FS) Here you're also still referring to $(ROOT_FS_DIR)/verity-timestamp rather than build/verity-timestamp. > ../../scripts/make-gpt.sh $@.tmp \ > - build/rootfs.verity.superblock:verity:$$(../../scripts/format-uuid.= sh "$$(dd if=3Dbuild/rootfs.verity.roothash bs=3D32 skip=3D1 count=3D1 stat= us=3Dnone)") \ > - $(dest):root:$$(../../scripts/format-uuid.sh "$$(head -c 32 build/r= ootfs.verity.roothash)") > + $(ROOT_FS)/rootfs.verity.superblock:verity:$$(../../scripts/format-= uuid.sh "$$(dd if=3D$(ROOT_FS_VERITY_ROOTHASH) bs=3D32 skip=3D1 count=3D1 s= tatus=3Dnone)") \ > + $(ROOT_FS)/rootfs:root:$$(../../scripts/format-uuid.sh "$$(head -c = 32 $(ROOT_FS_VERITY_ROOTHASH)") This can't be right, can it? $(ROOT_FS) is a file. > mv $@.tmp $@ >=20=20 > debug: 
> @@ -111,7 +108,7 @@ debug: > $(VMLINUX) > .PHONY: debug >=20=20 > -run: build/live.img build/rootfs.verity.roothash > +run: build/live.img I'd still prefer we kept the explicit dependency, even though we will get it via build/live.img as well. > @set -x && \ > ext=3D"$$(mktemp build/spectrum-rootfs-extfs.XXXXXXXXXX.img)" && \ > truncate -s 10G "$$ext" && \ > @@ -132,7 +129,7 @@ run: build/live.img build/rootfs.verity.roothash > -device virtconsole,chardev=3Dvirtiocon0 \ > -drive file=3Dbuild/live.img,if=3Dvirtio,format=3Draw,readonly=3Don= \ > -drive file=3D/proc/self/fd/3,if=3Dvirtio,format=3Draw \ > - -append "earlycon console=3Dhvc0 roothash=3D$$(< build/rootfs.verit= y.roothash) intel_iommu=3Don nokaslr" \ > + -append "earlycon console=3Dhvc0 roothash=3D$$(< $(ROOT_FS_VERITY_R= OOTHASH)) intel_iommu=3Don nokaslr" \ > -device virtio-keyboard \ > -device virtio-mouse \ > -device virtio-gpu \ > diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix > index 0ac70c7c077c0656c5820a5d8b3c7ce0e7c78e54..1578155fa0fb9a4df3fb4884e= 21ed7d8d8f821dc 100644 > --- a/host/rootfs/default.nix > +++ b/host/rootfs/default.nix > @@ -138,7 +138,7 @@ stdenvNoCC.mkDerivation { > }; > sourceRoot =3D "source/host/rootfs"; >=20=20 > - nativeBuildInputs =3D [ erofs-utils spectrum-build-tools s6-rc ]; > + nativeBuildInputs =3D [ cryptsetup erofs-utils spectrum-build-tools s6= -rc ]; >=20=20 > env =3D { > PACKAGES =3D runCommand "packages" {} '' > @@ -147,7 +147,9 @@ stdenvNoCC.mkDerivation { > ''; > }; >=20=20 > - makeFlags =3D [ "dest=3D$(out)" ]; > + # The Makefile uses $(ROOT_FS_DIR), not $(dest), so it can share code > + # with other Makefiles that also use this variable. > + makeFlags =3D [ "ROOT_FS_DIR=3D$(out)" ]; >=20=20 > dontInstall =3D true; >=20=20 > diff --git a/host/rootfs/shell.nix b/host/rootfs/shell.nix > index 1bf61bebf418333624e799cc8ca231f5783206f4..6df2f575fdfc7cdf8067ccfdb= 5fecaad9f6ea5e6 100644 > --- a/host/rootfs/shell.nix > +++ b/host/rootfs/shell.nix 
> @@ -12,7 +12,7 @@ rootfs.overrideAttrs ( >=20=20 > { > nativeBuildInputs =3D nativeBuildInputs ++ [ > - btrfs-progs cryptsetup jq netcat qemu_kvm reuse util-linux > + btrfs-progs jq netcat qemu_kvm reuse util-linux > ]; >=20=20 > env =3D env // { > diff --git a/lib/common.mk b/lib/common.mk > index 277c3544036d9a9057f8ba4ad37fe2207548cc59..d1cc4d0514070cc3f418c4d1b= 7e929abd40d985c 100644 > --- a/lib/common.mk > +++ b/lib/common.mk > @@ -11,6 +11,10 @@ GDB =3D gdb > MCOPY =3D mcopy > MKFS_FAT =3D mkfs.fat > MMD =3D mmd > +ROOT_FS =3D $(ROOT_FS_DIR)/rootfs Would be nice for this to keep its file extension. > +ROOT_FS_IMAGES =3D $(ROOT_FS) $(ROOT_FS_VERITY_ROOTHASH) $(ROOT_FS_VERIT= Y) I'm not sure "IMAGES" makes sense as a name for this. A verity roothash is not an image. ROOT_FS_FILES? Alternative naming scheme idea, that avoids mistaking ROOT_FS for the directory like has happened above: ROOT_FS (for the directory), ROOT_FS_IMAGE, ROOT_FS_VERITY, ROOT_FS_VERITY_ROOTHASH.
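
Review bot: the $(ROOT_FS) recipe in host/rootfs/Makefile (hunk @@ -46,15 +46,27 @@) loses its error handling, because the removed line `set -euo pipefail; \` is replaced by `mkdir -p $(ROOT_FS_DIR) && \`. Without pipefail the `{ ...; } | ../../scripts/make-erofs.sh` pipeline reports only the exit status of make-erofs.sh, so if `cat $(PACKAGES_FILE)` or one of the loops fails, the recipe can still succeed with a short file list, and the build/verity-timestamp rule would then compute a root hash over an incomplete image. Keep `set -euo pipefail;` in front of the `mkdir -p`, or check the producer's status some other way.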
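
Review bot: build/live.img in host/rootfs/Makefile (hunk @@ -83,25 +95,10 @@) now lists only the timestamp file and $(ROOT_FS) as prerequisites, while its recipe reads $(ROOT_FS_VERITY_ROOTHASH) and the superblock file, which after the removal of the build/rootfs.verity.roothash and build/rootfs.verity.superblock rules are produced only as side effects. If either file is deleted or modified after the timestamp is written, Make will not regenerate it, and the recipe does not check the exit status of the `dd` and `head -c 32` command substitutions, so format-uuid.sh would be called with an empty or stale value for the partition UUIDs. Either keep explicit targets for the two files, or have the recipe test that both exist and are non-empty before calling make-gpt.sh.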
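
Review bot: in host/rootfs/default.nix (hunk @@ -147,7 +147,9 @@), `makeFlags = [ "ROOT_FS_DIR=$(out)" ]` changes $out from a single image file (the old `dest=$(out)`) into a directory, and because the verity recipe runs `touch -- $(ROOT_FS_DIR)/verity-timestamp` the timestamp file ends up in $out next to the image, hash tree and root hash. The added comment explains the variable name but not the new output layout; document which files consumers should expect in $out, and write the timestamp outside it (for example under build/) so the store path contains only the artifacts.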