On 11/28/25 06:02, Alyssa Ross wrote:
> Demi Marie Obenour writes:
>
>> It will be used by the update code later.
>>
>> No functional change intended, other than a trivial shell script
>> refactoring.
>>
>> Signed-off-by: Demi Marie Obenour
>> ---
>> I kept release/live/default.nix using the UKI's systemd because the old
>> code did it that way. Changing this would be better in a separate
>> commit.
>>
>> Changes since v5:
>>
>> - Create a temporary symlink named build/spectrum.efi and then run
>> $(MCOPY) -i $@ build/spectrum.efi ::/EFI/Linux, rather than copying
>> the file with its original name. The latter results in an unbootable
>> image. I do not know the reason.
>>
>> Signed-off-by: Demi Marie Obenour
>> ---
>> host/efi.nix | 40 ++++++++++++++++++++++++++++++++++++++++
>> release/live/Makefile | 17 ++++-------------
>> release/live/default.nix | 27 +++++++++++----------------
>> release/live/shell.nix | 10 ++++++++--
>> 4 files changed, 63 insertions(+), 31 deletions(-)
>>
>> diff --git a/host/efi.nix b/host/efi.nix
>> new file mode 100644
>> index 0000000000000000000000000000000000000000..ecedb6bea6bf29c7a7303dc9062fe12b5c7a9fbd
>> --- /dev/null
>> +++ b/host/efi.nix
>> @@ -0,0 +1,40 @@
>> +# SPDX-License-Identifier: MIT
>> +# SPDX-FileCopyrightText: 2021-2024 Alyssa Ross
>> +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour
>> +
>> +import ../lib/call-package.nix (
>> +{ callSpectrumPackage, cryptsetup, rootfs
>> +, runCommand, stdenv, systemdUkify
>> +}:
>> +let
>> + initramfs = callSpectrumPackage ./initramfs {};
>> + kernel = "${rootfs.kernel}/${stdenv.hostPlatform.linux-kernel.target}";
>> + systemd = systemdUkify.overrideAttrs ({ mesonFlags ? [], ... }: {
>> + # The default limit is too low to build a generic aarch64 distro image:
>> + # https://github.com/systemd/systemd/pull/37417
>> + mesonFlags = mesonFlags ++ [ "-Defi-stub-extra-sections=3000" ];
>> + });
>> +in
>> +
>> +runCommand "spectrum-efi" {
>> + nativeBuildInputs = [ cryptsetup systemd ];
>> + __structuredAttrs = true;
>> + unsafeDiscardReferences = { out = true; };
>> + dontFixup = true;
>> + passthru = { inherit initramfs rootfs systemd; };
>> +} ''
>> + read -r roothash < ${rootfs}/rootfs.verity.roothash
>> + { \
>> + printf "[UKI]\nDeviceTreeAuto="
>> + if [ -d ${rootfs.kernel}/dtbs ]; then
>> + find ${rootfs.kernel}/dtbs -name '*.dtb' -print0 | tr '\0' ' '
>> + fi
>> + } | ukify build \
>> + --output "$out" \
>> + --config /dev/stdin \
>> + --linux ${kernel} \
>> + --initrd ${initramfs} \
>> + --os-release $'NAME="Spectrum"\n' \
>> + --cmdline "ro intel_iommu=on roothash=$roothash"
>> + ''
>> +) (_: {})
>> diff --git a/release/live/Makefile b/release/live/Makefile
>> index ba81c7e679429e045b24c1591a9f0b72f016cfab..b37ccce42feb3ac7e8ce4faf96a67902b55be808 100644
>> --- a/release/live/Makefile
>> +++ b/release/live/Makefile
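Review bot: In host/efi.nix, the value read by `read -r roothash < ${rootfs}/rootfs.verity.roothash` is placed into `--cmdline` without any check, so an empty or malformed file would still produce a UKI, with a broken `roothash=` argument that is only noticed at boot. Because this value is the dm-verity trust anchor for the root filesystem, the build should fail when it is not a non-empty hex string, for example `case $roothash in ""|*[!0-9a-fA-F]*) echo "bad verity root hash" >&2; exit 1;; esac` directly after the `read` (written with `""` because `''` would end the Nix string). Note also that `read` returns non-zero when the file has no trailing newline, which the `$$(cat …)` in the removed Makefile recipe tolerated; whether that aborts the build depends on the shell options runCommand sets, so it is worth confirming.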
>> @@ -19,22 +19,13 @@ $(dest): ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh ../../scripts/sf
>> build/empty:
>> mkdir -p $@
>>
>> -build/spectrum.efi: $(DTBS) $(KERNEL) $(INITRAMFS) $(ROOT_FS_VERITY_ROOTHASH)
>> - { \
>> - printf "[UKI]\nDeviceTreeAuto=" && \
>> - find $(DTBS) -name '*.dtb' -print0 | tr '\0' ' ' ;\
>> - } | $(UKIFY) build \
>> - --output $@ \
>> - --config /dev/stdin \
>> - --linux $(KERNEL) \
>> - --initrd $(INITRAMFS) \
>> - --os-release $$'NAME="Spectrum"\n' \
>> - --cmdline "ro intel_iommu=on roothash=$$(cat $(ROOT_FS_VERITY_ROOTHASH))"
>> -
>> -build/boot.fat: $(SYSTEMD_BOOT_EFI) build/spectrum.efi
>> +build/boot.fat: $(SYSTEMD_BOOT_EFI) $(EFI_IMAGE) build/empty
>
> Why add a build/empty dependency? It doesn't seem to be used for
> anything any more? (Neither does the DTBS variable, actually.)
The temporary symlink bodge below. build/empty isn't needed, but build is. DTBS can just be deleted.
>> $(TRUNCATE) -s 440401920 $@
>> $(MKFS_FAT) $@
>> $(MMD) -i $@ ::/EFI ::/EFI/BOOT ::/EFI/Linux
>> +# This symlink is necessary. Copying $(EFI_IMAGE) directly
>> +# results in an unbootable image. TODO: figure out why.
>> + ln -s $(EFI_IMAGE) build/spectrum.efi
>> $(MCOPY) -i $@ build/spectrum.efi ::/EFI/Linux
>> $(MCOPY) -i $@ $(SYSTEMD_BOOT_EFI) ::/EFI/BOOT/$(EFINAME)
>> -- Sincerely, Demi Marie Obenour (she/her/hers)
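Review bot: The added `ln -s $(EFI_IMAGE) build/spectrum.efi` fails with "File exists" whenever build/spectrum.efi is already present, for example when build/boot.fat is rebuilt or when a tree still holds the real build/spectrum.efi produced by the removed rule. mcopy names the target after the source's basename when the destination is a directory, and the derivation in host/efi.nix is called "spectrum-efi", so a direct copy probably lands in /EFI/Linux without a `.efi` suffix, which systemd-boot needs in order to list the UKI; that would explain the unbootable image, though nothing in this hunk confirms it. If that is the cause, the symlink can be dropped by naming the destination: `$(MCOPY) -i $@ $(EFI_IMAGE) ::/EFI/Linux/spectrum.efi`. Otherwise `ln -sf` at least keeps the recipe re-runnable and ensures the copied UKI, and with it the embedded verity root hash, is the current $(EFI_IMAGE) rather than a leftover.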