From: Alyssa Ross
To: Demi Marie Obenour
CC: Spectrum OS Development
Subject: Re: [PATCH v3 2/2] Move UKI creation to a separate derivation
Date: Thu, 13 Nov 2025 12:57:51 +0100
Message-ID: <87y0oagn5s.fsf@alyssa.is>
In-Reply-To: <20251111-refactor-verity-v3-2-575726639f9e@gmail.com>
References: <20251111-refactor-verity-v3-0-575726639f9e@gmail.com> <20251111-refactor-verity-v3-2-575726639f9e@gmail.com>
List-Id: Patches and low-level development discussion

Demi Marie Obenour writes:

> It will be used by the update code later.
>
> No functional change intended, other than a trivial shell script
> refactoring.
>
> Signed-off-by: Demi Marie Obenour
> ---
>  host/efi.nix             | 46 ++++++++++++++++++++++++++++++++++++++++++++++
>  pkgs/default.nix         |  1 +
>  release/live/Makefile    | 15 ++-------------
>  release/live/default.nix | 19 +++++--------------
>  4 files changed, 54 insertions(+), 27 deletions(-)
>
> diff --git a/host/efi.nix b/host/efi.nix
> new file mode 100644
> index 0000000000000000000000000000000000000000..a2b47fd050fbf00050473a0d5a1373eb96c341b5
> --- /dev/null
> +++ b/host/efi.nix
> @@ -0,0 +1,46 @@
> +# SPDX-License-Identifier: EUPL-1.2+

MIT for Nix files please.  (Fine to take my stuff from the EUPL-1.2+
Makefile and use it in a MIT-licensed Nix file.)

> +# SPDX-FileCopyrightText: 2021-2024 Alyssa Ross
> +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour
> +
> +import ../lib/call-package.nix (
> +{ bash, callSpectrumPackage, cryptsetup, runCommand
> +, stdenv, systemdUkify, rootfs
> +}:
> +let
> +  initramfs = callSpectrumPackage ./initramfs {};
> +  kernel = "${rootfs.kernel}/${stdenv.hostPlatform.linux-kernel.target}";
> +  systemd = systemdUkify.overrideAttrs ({ mesonFlags ? [], ... }: {
> +    # The default limit is too low to build a generic aarch64 distro image:
> +    # https://github.com/systemd/systemd/pull/37417
> +    mesonFlags = mesonFlags ++ [ "-Defi-stub-extra-sections=3000" ];
> +  });
> +in
> +
> +runCommand "spectrum-efi" {
> +  nativeBuildInputs = [ cryptsetup systemd bash ];

bash?

> +  __structuredAttrs = true;
> +  unsafeDiscardReferences = { out = true; };
> +  dontFixup = true;
> +  passthru = { inherit systemd; };
> +  env = {
> +    DTBS = "${rootfs.kernel}/dtbs";
> +    KERNEL = kernel;
> +    INITRAMFS = initramfs;
> +    ROOTFS = rootfs;
> +  };

Usually we'd just inline these via string interpolation, rather than
passing them through as environment variables.

> diff --git a/pkgs/default.nix b/pkgs/default.nix
> index cc60228a10cddcb70e5ab9faa1bab7d74f3ebb35..c9f6dcfad9369567468b30d1c5697e3551a7b236 100644
> --- a/pkgs/default.nix
> +++ b/pkgs/default.nix
> @@ -36,6 +36,7 @@ let
>      path: (import path { inherit (self) callPackage; }).override;
>  
>    rootfs = self.callSpectrumPackage ../host/rootfs {};
> +  efi = self.callSpectrumPackage ../host/efi.nix {};
>    spectrum-build-tools = self.callSpectrumPackage ../tools {
>      appSupport = false;
>      buildSupport = true;

Generally images don't need entries here, and can just be loaded by
callSpectrumPackage.  There was a specific reason to make an exception
for rootfs (which I've now forgotten).

> diff --git a/release/live/Makefile b/release/live/Makefile
> index 191b44944af0adf965e1d5f2785719b236bfd99c..4de8743f42dec65aa863c3020cd70124316a6118 100644
> --- a/release/live/Makefile
> +++ b/release/live/Makefile
> @@ -19,19 +19,8 @@ $(dest): ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh ../../scripts/sf
>  build/empty:
>  	mkdir -p $@
>  
> -build/spectrum.efi: $(DTBS) $(KERNEL) $(INITRAMFS) $(ROOT_FS_VERITY_ROOTHASH)
> -	{ \
> -	  printf "[UKI]\nDeviceTreeAuto=" && \
> -	  find $(DTBS) -name '*.dtb' -print0 | tr '\0' ' ' ;\
> -	} | $(UKIFY) build \
> -	  --output $@ \
> -	  --config /dev/stdin \
> -	  --linux $(KERNEL) \
> -	  --initrd $(INITRAMFS) \
> -	  --os-release $$'NAME="Spectrum"\n' \
> -	  --cmdline "ro intel_iommu=on roothash=$$(cat "$$ROOT_FS_VERITY_ROOTHASH")"
> -
> -build/boot.fat: $(SYSTEMD_BOOT_EFI) build/spectrum.efi
> +build/boot.fat: $(SYSTEMD_BOOT_EFI) $(EFI_IMAGE) build/empty
> +	ln -sf -- "$$EFI_IMAGE" build/spectrum.efi
>  	$(TRUNCATE) -s 440401920 $@
>  	$(MKFS_FAT) $@
>  	$(MMD) -i $@ ::/EFI ::/EFI/BOOT ::/EFI/Linux

Why a symlink?  Why not just replace the path we copy from?

> diff --git a/release/live/default.nix b/release/live/default.nix
> index 9a62d4da9cfea11d94d2a1d5764d41587efd5ad5..c234d87e62cc9ae65ba60f94bab6e58b43beddbc 100644
> --- a/release/live/default.nix
> +++ b/release/live/default.nix
> @@ -6,7 +6,7 @@ import ../../lib/call-package.nix (
>  { callSpectrumPackage, spectrum-build-tools, rootfs, src
>  , lib, pkgsStatic, stdenvNoCC
>  , cryptsetup, dosfstools, jq, mtools, util-linux
> -, systemdUkify
> +, systemdUkify, efi
>  }:
>  
>  let
> @@ -14,13 +14,6 @@ let
>  
>    stdenv = stdenvNoCC;
>  
> -  systemd = systemdUkify.overrideAttrs ({ mesonFlags ? [], ... }: {
> -    # The default limit is too low to build a generic aarch64 distro image:
> -    # https://github.com/systemd/systemd/pull/37417
> -    mesonFlags = mesonFlags ++ [ "-Defi-stub-extra-sections=3000" ];
> -  });
> -
> -  initramfs = callSpectrumPackage ../../host/initramfs {};
>    efiArch = stdenv.hostPlatform.efiArch;
>  in
>  
> @@ -40,19 +33,17 @@ stdenv.mkDerivation {
>    sourceRoot = "source/release/live";
>  
>    nativeBuildInputs = [
> -    cryptsetup dosfstools jq spectrum-build-tools mtools systemd util-linux
> +    cryptsetup dosfstools jq spectrum-build-tools mtools util-linux
>    ];
>  
>    env = {
> -    INITRAMFS = initramfs;
>      KERNEL = "${rootfs.kernel}/${stdenv.hostPlatform.linux-kernel.target}";
>      ROOT_FS = "${rootfs}/rootfs";
>      ROOT_FS_VERITY = "${rootfs}/rootfs.verity.superblock";
>      ROOT_FS_VERITY_ROOTHASH = "${rootfs}/rootfs.verity.roothash";

Since efi is tied to a specific rootfs, maybe it would be nice to use
efi.rootfs here?

> -    SYSTEMD_BOOT_EFI = "${systemd}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";
> +    SYSTEMD_BOOT_EFI = "${efi.systemd}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";

We can just get this from the default systemd package.  Doesn't need to
be efi's special overridden one.

> +    EFI_IMAGE = efi;
>      EFINAME = "BOOT${toUpper efiArch}.EFI";
> -  } // lib.optionalAttrs stdenv.hostPlatform.linux-kernel.DTB or false {
> -    DTBS = "${rootfs.kernel}/dtbs";
>    };
>  
>    buildFlags = [ "dest=$(out)" ];
> @@ -65,6 +56,6 @@ stdenv.mkDerivation {
>    unsafeDiscardReferences = { out = true; };
>    dontFixup = true;
>  
> -  passthru = { inherit initramfs rootfs; };
> +  passthru = { inherit rootfs; };
>  }
>  ) (_: {})
>
> -- 
> 2.51.2
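Review bot: In the new host/efi.nix hunk, `passthru = { inherit systemd; };` exposes only the overridden systemd, although the image also embeds `rootfs`, `initramfs` and (per the Makefile recipe this series removes) the verity `roothash=` that pins the UKI to one specific rootfs. Consider `passthru = { inherit systemd rootfs initramfs; };` so a consumer such as release/live/default.nix can take its ROOT_FS* paths from the rootfs the UKI was actually built against rather than from a separately supplied argument. Also, `bash` in `nativeBuildInputs` looks redundant, since `runCommand` already executes its build script with stdenv's shell.

Review bot: The `efi = self.callSpectrumPackage ../host/efi.nix {};` line in pkgs/default.nix carries no comment saying why this image needs a top-level entry, and the only consumer in this series is release/live/default.nix, which could call `callSpectrumPackage ../../host/efi.nix {}` itself (the removed `initramfs = callSpectrumPackage ../../host/initramfs {};` line shows the pattern). Either drop the entry or add a one-line comment explaining the exception.

Review bot: In the `build/boot.fat` rule, `build/empty` (a directory created by `mkdir -p`) is listed as a regular prerequisite of a file target, presumably only so that `build/` exists before `ln -sf` writes `build/spectrum.efi` into it; an order-only prerequisite (`build/boot.fat: $(SYSTEMD_BOOT_EFI) $(EFI_IMAGE) | build/empty`) states that intent. The symlink itself is not a make target, so nothing tracks or cleans it; copying from `$(EFI_IMAGE)` in the later recipe lines, as the maintainer suggests, removes the indirection. Minor: the prerequisite uses make's `$(EFI_IMAGE)` while the recipe reads the shell variable `$$EFI_IMAGE`; pick one form.

Review bot: After this series `systemdUkify` appears unused in release/live/default.nix: the `+, systemdUkify, efi` argument line keeps it, but the @@ -14 hunk removes the `systemd = systemdUkify.overrideAttrs ...` binding that was its only use in the shown context, and `SYSTEMD_BOOT_EFI` now reads `${efi.systemd}`. Drop `systemdUkify` from the argument list, or, following the maintainer's comment, take a plain `systemd` argument for the boot loader stub and drop the dependency on efi's overridden build.

Review bot: In the `env` hunk, `INITRAMFS` and `DTBS` are removed because the `build/spectrum.efi` rule that consumed them is gone, but `KERNEL` is kept; check whether the Makefile still references `$(KERNEL)` anywhere and drop it otherwise. Separately, `ROOT_FS`, `ROOT_FS_VERITY` and `ROOT_FS_VERITY_ROOTHASH` are still taken from the `rootfs` argument while the UKI, whose cmdline carries the `roothash=` of the rootfs it was built from, comes from `efi`; nothing checks that both name the same derivation, and a mismatch only surfaces as a dm-verity failure at boot. Taking them from `efi.rootfs` once efi exposes it, or adding `assert efi.rootfs.outPath == rootfs.outPath;`, closes that gap.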