Date: Wed, 17 Aug 2022 13:39:35 +0000
From: Alyssa Ross
To: Ville Ilvonen
Subject: Re: HW identification and configuration on Spectrum
Message-ID: <20220817133935.js4f6ypqrgsov7m5@eve>
References: <20220817075255.wjw24mzuyyl3lhgz@eve>
CC: discuss@spectrum-os.org
List-Id: General high-level discussion about Spectrum

On Wed, Aug 17, 2022 at 04:25:20PM +0300, Ville Ilvonen wrote:
> > > As of now, the spectrum fork for aarch64 just adds another config
> > > after rpi configs and replaces the default config to use that to
> > > build. With small changes this could be handled like rpi configs. In
> > > addition, cloud-hypervisor accepts kernel only in EFI format for
> > > aarch64[1]. Anyway, this would allow us to build an aarch64 Spectrum
> > > installer - even make it with a more generic kernel. That takes us to
> > > ARM vendor/device specific HW quirks which would need to be handled
> > > anyway. I'll intentionally leave device specific kernel hardening and
> > > disabling kernel module loading for security reasons for now.
> > > As of now the vendor/device specifics are not supported unless one
> > > builds a device specific Spectrum image with all configs build-time
> > > and skips the installer altogether.
> > >
> > > The other option that I see. We discussed earlier nix-hardware and
> > > device specific modules. That would bring nixos configuration.nix and
> > > installation supporting scripts to Spectrum, though. Those could be
> > > called from the Spectrum installer but it would change the installer
> > > logic from writing an image to dynamically configuring the device
> > > during install based on user selections.
> >
> > I don't think the full NixOS module system, with rebuilds, etc. belongs
> > in Spectrum. Being able to treat images as immutable makes it easier to
> > provide various strong security guarantees. But not wanting to
>
> This was and still is one important design decision to build on Spectrum.
> Regardless, it makes development iterations on target HW more challenging
> than needed. Conceptually we've had discussions on separating concerns
> between "development system - writable, easily updatable" and
> "production system - immutable, updated as image". The latter could have
> more hardening, security policies etc. enabled, which makes development
> more difficult by design. In practice, some developers have remounted the
> Spectrum file system as writable to make development iterations easier.
> In many cases, the development must be done on the target HW, which
> brings us back to the need for the "development system" configuration.
> The update image iteration cycle is too slow.

Yeah, I agree something like this would be good. Especially when testing
on hardware as you say. I would like to think more about exactly how
this should work. Do you think that, if it were possible to develop
Spectrum on Spectrum, it would be acceptable to have to reboot into a new
configuration if the host system was changed? (Assume that the process of
actually building the new system is fast — the reboot would be the main
overhead.)

> > integrate the full module system doesn't prevent us taking advantage of
> > nixos-hardware. It's possible to evaluate NixOS modules standalone in
> > a Spectrum build, in fact we already do that to reuse NixOS's list of
> > all redistributable firmware packages[3]. We could do a similar thing
> > to extract the kernel that nixos-hardware configures for a particular
> > device, something like this:
> >
> >     inherit (nixos {
> >       configuration = [ ];
> >     }.config.boot.kernelPackages) kernel;
> >
> > And naturally which device that's pulling from should be configurable —
> > we'll want to have a config file somewhere, just not a full NixOS one.
>
> This made me propose nix-hardware usage more and think if we could have
> what I called "development configuration". In essence, nix-hardware is a
> NixOS channel and we could have a custom channel to support development
> as well (e.g. dev git repo(s)).

You mean set it to your own, custom version of nixos-hardware that
included WIP support for the board you were working on? Yeah, that
wouldn't be a problem at all.

> > In the medium term, I'd like to decouple nixos-hardware's custom kernel
> > packages from NixOS configurations. But that would require somebody
> > finding the time to sit down and make the change, and also convince
> > other nixos-hardware users that it's the way to go. I don't think it
> > would be a problem though, especially if it meant nixos-hardware getting
> > more active maintenance, which it's lacking at the moment because it's
> > not too well advertised and so not enough people are using it.
>
> Ideally yes and I hope we could contribute to that effort. However, we
> need to focus on getting Spectrum running on aarch64 with imx8 for now.
> For that I'm reading that nixos-hardware approach is preferred.

Yeah, it's definitely the way to go. And if we can make nixos-hardware
better in future, that would just be further progress on top of
integrating nixos-hardware as described above.
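One way to do the standalone evaluation sketched in the quoted snippet, as an added example that is not Spectrum's or nixos-hardware's own code: it assumes nixpkgs and nixos-hardware checkouts on NIX_PATH, uses the raspberry-pi/4 module directory as a placeholder board, and exposes only the kernel, kernel parameters and firmware list instead of importing a full NixOS configuration with its rebuild machinery.

```nix
# Added example (not Spectrum's or nixos-hardware's own code).
# Evaluate a single nixos-hardware device module standalone and expose only
# the build inputs an immutable image needs; nothing else from the NixOS
# module system (configuration.nix, nixos-rebuild) is pulled in.
# Assumptions: nixpkgs and nixos-hardware checkouts are on NIX_PATH, and
# `board` is a directory inside nixos-hardware (raspberry-pi/4 is a placeholder).
{ nixpkgs ? <nixpkgs>
, nixos-hardware ? <nixos-hardware>
, board ? "raspberry-pi/4"   # override with: nix-build --argstr board <path>
, system ? "aarch64-linux"
}:
let
  # nixpkgs/nixos/default.nix accepts { configuration, system } and returns
  # { config, options, pkgs, ... }; nothing is built just by evaluating it.
  evaluated = import (nixpkgs + "/nixos") {
    inherit system;
    configuration = {
      imports = [ (nixos-hardware + "/${board}") ];
      # No fileSystems/bootloader options on purpose: their assertions only
      # fire when system.build.toplevel is evaluated, which we never touch.
    };
  };
  inherit (evaluated) config;
in
{
  # The kernel package the device module selects via boot.kernelPackages.
  kernel = config.boot.kernelPackages.kernel;
  # Command-line parameters the module expects the kernel to be booted with.
  kernelParams = config.boot.kernelParams;
  # Firmware packages NixOS would install for this device.
  firmware = config.hardware.firmware;
}
```

`nix-instantiate -A kernel` on this file shows the derivation nixos-hardware selects without building it; swapping the `nixos-hardware` argument for a working-tree checkout is how a WIP board port would be tested.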