From mboxrd@z Thu Jan 1 00:00:00 1970
From: Demi Marie Obenour
To: Alyssa Ross
Cc: Spectrum OS Development
Date: Thu, 13 Nov 2025 17:42:44 -0500
Subject: Re: [PATCH v3 2/2] Move UKI creation to a separate derivation
References: <20251111-refactor-verity-v3-0-575726639f9e@gmail.com> <20251111-refactor-verity-v3-2-575726639f9e@gmail.com> <87y0oagn5s.fsf@alyssa.is>
In-Reply-To: <87y0oagn5s.fsf@alyssa.is>

On 11/13/25 06:57, Alyssa Ross wrote: > Demi Marie Obenour writes: >=20 >> It will be used by the update code later. >> >> No functional change intended, other than a trivial shell script >> refactoring. >> >> Signed-off-by: Demi Marie Obenour >> --- >> host/efi.nix | 46 +++++++++++++++++++++++++++++++++++++++= +++++++ >> pkgs/default.nix | 1 + >> release/live/Makefile | 15 ++------------- >> release/live/default.nix | 19 +++++-------------- >> 4 files changed, 54 insertions(+), 27 deletions(-) >> >> diff --git a/host/efi.nix b/host/efi.nix >> new file mode 100644 >> index 0000000000000000000000000000000000000000..a2b47fd050fbf00050473a= 0d5a1373eb96c341b5 >> --- /dev/null >> +++ b/host/efi.nix
>> @@ -0,0 +1,46 @@ >> +# SPDX-License-Identifier: EUPL-1.2+ >=20 > MIT for Nix files please. (Fine to take my stuff from the EUPL-1.2+ > Makefile and use it in a MIT-licensed Nix file.) I think it would be best to relicense the Makefiles under MIT if we can, so that we can move code back and forth even after neither of us knows every single copyright holder. Feel free to relicense my contributions to them. >> +# SPDX-FileCopyrightText: 2021-2024 Alyssa Ross >> +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour >> + >> +import ../lib/call-package.nix ( >> +{ bash, callSpectrumPackage, cryptsetup, runCommand >> +, stdenv, systemdUkify, rootfs >> +}: >> +let >> + initramfs =3D callSpectrumPackage ./initramfs {}; >> + kernel =3D "${rootfs.kernel}/${stdenv.hostPlatform.linux-kernel.tar= get}"; >> + systemd =3D systemdUkify.overrideAttrs ({ mesonFlags ? [], ... }: {= >> + # The default limit is too low to build a generic aarch64 distro = image: >> + # https://github.com/systemd/systemd/pull/37417 >> + mesonFlags =3D mesonFlags ++ [ "-Defi-stub-extra-sections=3D3000"= ]; >> + }); >> +in >> + >> +runCommand "spectrum-efi" { >> + nativeBuildInputs =3D [ cryptsetup systemd bash ]; >=20 > bash? Will remove. >> + __structuredAttrs =3D true; >> + unsafeDiscardReferences =3D { out =3D true; }; >> + dontFixup =3D true; >> + passthru =3D { inherit systemd; }; >> + env =3D { >> + DTBS =3D "${rootfs.kernel}/dtbs"; >> + KERNEL =3D kernel; >> + INITRAMFS =3D initramfs; >> + ROOTFS =3D rootfs; >> + }; >=20 > Usually we'd just inline these via string interpolation, rather than > passing them through as environment variables. Done, except for DTBS which is used more than once. >> diff --git a/pkgs/default.nix b/pkgs/default.nix >> index cc60228a10cddcb70e5ab9faa1bab7d74f3ebb35..c9f6dcfad9369567468b30= d1c5697e3551a7b236 100644 >> --- a/pkgs/default.nix >> +++ b/pkgs/default.nix
>> @@ -36,6 +36,7 @@ let >> path: (import path { inherit (self) callPackage; }).override; >> =20 >> rootfs =3D self.callSpectrumPackage ../host/rootfs {}; >> + efi =3D self.callSpectrumPackage ../host/efi.nix {}; >> spectrum-build-tools =3D self.callSpectrumPackage ../tools { >> appSupport =3D false; >> buildSupport =3D true; >=20 > Generally images don't need entries here, and can just be loaded by > callSpectrumPackage. There was a specific reason to make an exception > for rootfs (which I've now forgotten). What is the general rule for what should go in pkgs/default.nix? If you could add it to the docs that would be great. >> diff --git a/release/live/Makefile b/release/live/Makefile >> index 191b44944af0adf965e1d5f2785719b236bfd99c..4de8743f42dec65aa863c3= 020cd70124316a6118 100644 >> --- a/release/live/Makefile >> +++ b/release/live/Makefile >> @@ -19,19 +19,8 @@ $(dest): ../../scripts/format-uuid.sh ../../scripts= /make-gpt.sh ../../scripts/sf >> build/empty: >> mkdir -p $@ >> =20 >> -build/spectrum.efi: $(DTBS) $(KERNEL) $(INITRAMFS) $(ROOT_FS_VERITY_R= OOTHASH) >> - { \ >> - printf "[UKI]\nDeviceTreeAuto=3D" && \ >> - find $(DTBS) -name '*.dtb' -print0 | tr '\0' ' ' ;\ >> - } | $(UKIFY) build \ >> - --output $@ \ >> - --config /dev/stdin \ >> - --linux $(KERNEL) \ >> - --initrd $(INITRAMFS) \ >> - --os-release $$'NAME=3D"Spectrum"\n' \ >> - --cmdline "ro intel_iommu=3Don roothash=3D$$(cat "$$ROOT_FS_VERI= TY_ROOTHASH")" >> - >> -build/boot.fat: $(SYSTEMD_BOOT_EFI) build/spectrum.efi >> +build/boot.fat: $(SYSTEMD_BOOT_EFI) $(EFI_IMAGE) build/empty >> + ln -sf -- "$$EFI_IMAGE" build/spectrum.efi >> $(TRUNCATE) -s 440401920 $@ >> $(MKFS_FAT) $@ >> $(MMD) -i $@ ::/EFI ::/EFI/BOOT ::/EFI/Linux >=20 > Why a symlink? Why not just replace the path we copy from? The basename of the path is actually important. I tried using $(EFI_IMAGE) and the system didn't boot. 
>> diff --git a/release/live/default.nix b/release/live/default.nix >> index 9a62d4da9cfea11d94d2a1d5764d41587efd5ad5..c234d87e62cc9ae65ba60f= 94bab6e58b43beddbc 100644 >> --- a/release/live/default.nix >> +++ b/release/live/default.nix >> @@ -6,7 +6,7 @@ import ../../lib/call-package.nix ( >> { callSpectrumPackage, spectrum-build-tools, rootfs, src >> , lib, pkgsStatic, stdenvNoCC >> , cryptsetup, dosfstools, jq, mtools, util-linux >> -, systemdUkify >> +, systemdUkify, efi >> }: >> =20 >> let >> @@ -14,13 +14,6 @@ let >> =20 >> stdenv =3D stdenvNoCC; >> =20 >> - systemd =3D systemdUkify.overrideAttrs ({ mesonFlags ? [], ... }: {= >> - # The default limit is too low to build a generic aarch64 distro = image: >> - # https://github.com/systemd/systemd/pull/37417 >> - mesonFlags =3D mesonFlags ++ [ "-Defi-stub-extra-sections=3D3000"= ]; >> - }); >> - >> - initramfs =3D callSpectrumPackage ../../host/initramfs {}; >> efiArch =3D stdenv.hostPlatform.efiArch; >> in >> =20 
>> @@ -40,19 +33,17 @@ stdenv.mkDerivation { >> sourceRoot =3D "source/release/live"; >> =20 >> nativeBuildInputs =3D [ >> - cryptsetup dosfstools jq spectrum-build-tools mtools systemd util= -linux >> + cryptsetup dosfstools jq spectrum-build-tools mtools util-linux >> ]; >> =20 >> env =3D { >> - INITRAMFS =3D initramfs; >> KERNEL =3D "${rootfs.kernel}/${stdenv.hostPlatform.linux-kernel.t= arget}"; >> ROOT_FS =3D "${rootfs}/rootfs"; >> ROOT_FS_VERITY =3D "${rootfs}/rootfs.verity.superblock"; >> ROOT_FS_VERITY_ROOTHASH =3D "${rootfs}/rootfs.verity.roothash"; >=20 > Since efi is tied to a specific rootfs, maybe it would be nice to use > efi.rootfs here? Will change in v4. >> - SYSTEMD_BOOT_EFI =3D "${systemd}/lib/systemd/boot/efi/systemd-boo= t${efiArch}.efi"; >> + SYSTEMD_BOOT_EFI =3D "${efi.systemd}/lib/systemd/boot/efi/systemd= -boot${efiArch}.efi"; >=20 > We can just get this from the default systemd package. Doesn't need to > be efi's special overridden one. Would it be better to have the override in a Spectrum-wide overlay? >> + EFI_IMAGE =3D efi; >> EFINAME =3D "BOOT${toUpper efiArch}.EFI"; >> - } // lib.optionalAttrs stdenv.hostPlatform.linux-kernel.DTB or fals= e { >> - DTBS =3D "${rootfs.kernel}/dtbs"; >> }; >> =20 >> buildFlags =3D [ "dest=3D$(out)" ];
>> @@ -65,6 +56,6 @@ stdenv.mkDerivation { >> unsafeDiscardReferences =3D { out =3D true; }; >> dontFixup =3D true; >> =20 >> - passthru =3D { inherit initramfs rootfs; }; >> + passthru =3D { inherit rootfs; }; >> } >> ) (_: {}) >> >> --=20 >> 2.51.2 --=20 Sincerely, Demi Marie Obenour (she/her/hers)
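
Review bot: In the env block of the new host/efi.nix, DTBS is now set unconditionally to "${rootfs.kernel}/dtbs", whereas release/live/default.nix only set it under lib.optionalAttrs stdenv.hostPlatform.linux-kernel.DTB or false (the guard removed in the @@ -40,19 +33,17 @@ hunk). On a platform whose kernel output has no dtbs directory the variable now names a path that may not exist, which is a behaviour change the "no functional change intended" commit message does not cover. Either keep the guard in efi.nix or have whatever consumes DTBS (not quoted in this reply) test for the directory first, and mention the change in the commit message.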
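
Review bot: The ln -sf -- "$$EFI_IMAGE" build/spectrum.efi line added to the build/boot.fat recipe in release/live/Makefile needs a comment saying why a symlink is used instead of copying from $(EFI_IMAGE) directly. The reply explains that the basename of the path matters and that the direct path produced a system that did not boot; without that recorded next to the line, a later cleanup is likely to inline the path again. Separately, if build/empty was added to the prerequisites only so that build/ exists before the ln runs, list it as an order-only prerequisite (after a |) so that a change to the directory's mtime does not force boot.fat to be rebuilt.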
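
Review bot: In the argument list changed by the @@ -6,7 +6,7 @@ hunk of release/live/default.nix, systemdUkify is kept next to the new efi argument, but the following hunk removes the systemd override that was its only visible use, and SYSTEMD_BOOT_EFI now comes from efi.systemd. If nothing else in the file refers to it, drop systemdUkify from the arguments.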
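
Review bot: In the env block of the @@ -40,19 +33,17 @@ hunk of release/live/default.nix, ROOT_FS, ROOT_FS_VERITY and ROOT_FS_VERITY_ROOTHASH still come from this derivation's own rootfs argument, while EFI_IMAGE = efi is built by host/efi.nix from its own rootfs argument. The removed Makefile rule put roothash= on the UKI command line, so if the two arguments are ever overridden separately the image will carry a UKI whose root hash does not match the verity superblock shipped beside it, and verification of the root filesystem fails at boot. Taking all of these from one place, as suggested with efi.rootfs, closes that gap; it requires adding rootfs to passthru in host/efi.nix, which in this version has only passthru = { inherit systemd; }.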