From: Alyssa Ross
To: Demi Marie Obenour
CC: Spectrum OS Development
Subject: Re: [PATCH 1/2] Create Nix derivation for building verity images
In-Reply-To: <20251105-refactor-verity-v1-1-b8ba27dfdf06@gmail.com>
References: <20251105-refactor-verity-v1-0-b8ba27dfdf06@gmail.com> <20251105-refactor-verity-v1-1-b8ba27dfdf06@gmail.com>
Date: Thu, 06 Nov 2025 11:20:50 +0100
Message-ID: <87jz03xy0t.fsf@alyssa.is>
List-Id: Patches and low-level development discussion

Demi Marie Obenour writes:

> This gets rid of a lot of duplicated code and allows building the verity
> roothash and superblock only when needed. It also removes a hack used
> to work around make limitations. Furthermore,
> 'veritysetup --root-hash-file' is used to avoid an awk script.
> > Signed-off-by: Demi Marie Obenour > --- > nix-shell --pure --run 'make run' in host/initramfs fails. This is a > preexisting bug and I will send a separate patch for it. > --- > host/initramfs/Makefile | 25 +++++-------------------- > host/initramfs/shell.nix | 4 +++- > host/rootfs/Makefile | 24 +++++------------------- > host/rootfs/shell.nix | 3 +++ > host/verity.nix | 19 +++++++++++++++++++ > lib/common.mk | 1 - > pkgs/default.nix | 1 + > release/live/Makefile | 26 +++++--------------------- > release/live/default.nix | 4 +++- > 9 files changed, 44 insertions(+), 63 deletions(-) > diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile > index 00d125774bb7b98736d0928c69cb307740cee034..bb602e2745fb5873204f453b3= 5fc529c5c96f64a 100644 > --- a/host/rootfs/Makefile > +++ b/host/rootfs/Makefile 
> @@ -82,25 +82,11 @@ clean: > rm -rf build > .PHONY: clean >=20=20 > -# veritysetup format produces two files, but Make only (portably) > -# supports one output per rule, so we combine the two outputs then > -# define two more rules to separate them again. > -build/rootfs.verity: $(dest) > - $(VERITYSETUP) format $(dest) build/rootfs.verity.superblock.tmp \ > - | awk -F ':[[:blank:]]*' '$$1 =3D=3D "Root hash" {print $$2; exit}'= \ > - > build/rootfs.verity.roothash.tmp > - cat build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.tmp= \ > - > $@ > - rm build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.tmp > -build/rootfs.verity.roothash: build/rootfs.verity > - head -n 1 build/rootfs.verity > $@ > -build/rootfs.verity.superblock: build/rootfs.verity > - tail -n +2 build/rootfs.verity > $@ >=20=20 > -build/live.img: ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh .= ./../scripts/sfdisk-field.awk build/rootfs.verity.superblock build/rootfs.v= erity.roothash $(dest) > +build/live.img: ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh .= ./../scripts/sfdisk-field.awk $(ROOT_FS_VERITY) $(ROOT_FS_VERITY_ROOTHASH) = $(dest) > ../../scripts/make-gpt.sh $@.tmp \ > - build/rootfs.verity.superblock:verity:$$(../../scripts/format-uuid.= sh "$$(dd if=3Dbuild/rootfs.verity.roothash bs=3D32 skip=3D1 count=3D1 stat= us=3Dnone)") \ > - $(dest):root:$$(../../scripts/format-uuid.sh "$$(head -c 32 build/r= ootfs.verity.roothash)") > + "$$ROOT_FS_VERITY:verity:$$(../../scripts/format-uuid.sh "$$(dd "if=3D$= $ROOT_FS_VERITY_ROOTHASH" bs=3D32 skip=3D1 count=3D1 status=3Dnone)")" \ > + $(dest):root:$$(../../scripts/format-uuid.sh "$$(head -c 32 "$$ROOT= _FS_VERITY_ROOTHASH")") > mv $@.tmp $@ >=20=20 > debug: 
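Review bot: the new build/live.img rule in this hunk has no Make-visible dependency tying $(ROOT_FS_VERITY) and $(ROOT_FS_VERITY_ROOTHASH) to $(dest). The deleted rules had build/rootfs.verity depend on $(dest), so a rebuilt rootfs forced fresh verity data; with the superblock and root hash now supplied from outside the Makefile, Make cannot notice that they are stale relative to a locally rebuilt $(dest), and the resulting live.img would carry a root hash that does not match its root filesystem, which dm-verity rejects at boot. Related: the prerequisite list uses the Make variables $(ROOT_FS_VERITY) and $(ROOT_FS_VERITY_ROOTHASH), but the recipe reads the shell environment ($$ROOT_FS_VERITY, $$ROOT_FS_VERITY_ROOTHASH); when the variables are unset (running make outside the shell.nix environment) the prerequisites silently expand to nothing. Suggest using $(ROOT_FS_VERITY) and $(ROOT_FS_VERITY_ROOTHASH) in the recipe as well, and adding a guard near the top of the Makefile such as `$(if $(ROOT_FS_VERITY),,$(error ROOT_FS_VERITY must be set))`. Quoting is also inconsistent between the two make-gpt.sh arguments: the verity argument is wrapped in double quotes as a whole, the root argument is not.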
> @@ -110,7 +96,7 @@ debug: > $(VMLINUX) > .PHONY: debug >=20=20 > -run: build/live.img $(EXT_FS) build/rootfs.verity.roothash > +run: build/live.img $(EXT_FS) $(ROOT_FS_VERITY_ROOTHASH) > @set -x && \ > ext=3D"$$(mktemp build/spectrum-rootfs-extfs.XXXXXXXXXX.img)" && \ > truncate -s 10G "$$ext" && \ > @@ -131,7 +117,7 @@ run: build/live.img $(EXT_FS) build/rootfs.verity.roo= thash > -device virtconsole,chardev=3Dvirtiocon0 \ > -drive file=3Dbuild/live.img,if=3Dvirtio,format=3Draw,readonly=3Don= \ > -drive file=3D/proc/self/fd/3,if=3Dvirtio,format=3Draw \ > - -append "earlycon console=3Dhvc0 roothash=3D$$(< build/rootfs.verit= y.roothash) intel_iommu=3Don nokaslr" \ > + -append "earlycon console=3Dhvc0 roothash=3D$$(< "$$ROOT_FS_VERITY_= ROOTHASH") intel_iommu=3Don nokaslr" \ > -device virtio-keyboard \ > -device virtio-mouse \ > -device virtio-gpu \ > diff --git a/host/rootfs/shell.nix b/host/rootfs/shell.nix > index 1bf61bebf418333624e799cc8ca231f5783206f4..f16e4905adfbc8faebde19d0a= 1364ad9df90219b 100644 > --- a/host/rootfs/shell.nix > +++ b/host/rootfs/shell.nix > @@ -5,6 +5,7 @@ > import ../../lib/call-package.nix ( > { callSpectrumPackage, rootfs, pkgsStatic, srcOnly, stdenv > , btrfs-progs, cryptsetup, jq, netcat, qemu_kvm, reuse, util-linux > +, verity > }: >=20=20 > rootfs.overrideAttrs ( 
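Review bot: in the run: hunk, `$$(< "$$ROOT_FS_VERITY_ROOTHASH")` is a bash-only form of command substitution. The line being replaced already used it, but since the line is rewritten here anyway, `$$(cat "$$ROOT_FS_VERITY_ROOTHASH")` would behave the same under a POSIX /bin/sh, unless the Makefile sets SHELL to bash (not visible in these hunks). The same mix of a Make-variable prerequisite ($(ROOT_FS_VERITY_ROOTHASH)) and shell-variable use inside the recipe appears here as in the build/live.img rule, so whichever convention is chosen there should be applied here too.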
> @@ -20,5 +21,7 @@ rootfs.overrideAttrs ( > KERNEL =3D "${passthru.kernel}/${stdenv.hostPlatform.linux-kernel.ta= rget}"; > LINUX_SRC =3D srcOnly passthru.kernel.configfile; > VMLINUX =3D "${passthru.kernel.dev}/vmlinux"; > + ROOT_FS_VERITY =3D "${verity}/rootfs.verity.superblock"; > + ROOT_FS_VERITY_ROOTHASH =3D "${verity}/rootfs.verity.roothash"; > }; > })) (_: {})

Surely this would break interactive development of the rootfs? If I'm in a Nix shell, and make a change to any part of the rootfs, the verity data in the environment will be out of date. I'd have to leave and re-enter the Nix shell after /any/ change, waiting for an evaluation each time, as opposed to the current situation where that's only necessary when modifying Nix code or other Spectrum components.
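Review bot: the two new attributes in the shell.nix hunk point into the `${verity}` derivation output, which is fixed when the shell is entered, so the Makefile consuming ROOT_FS_VERITY and ROOT_FS_VERITY_ROOTHASH will see a superblock and root hash computed from the Nix-built rootfs rather than from whatever is currently in build/. The file names rootfs.verity.superblock and rootfs.verity.roothash have to match what host/verity.nix writes, and that file is not among the quoted hunks, so it is worth confirming. Since the Makefile hunk deletes the only comment describing where the verity data comes from and adds no replacement, a short comment next to these two attributes stating that host/rootfs/Makefile requires both variables would document the new contract.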