fix: our own derivation for the kernel in order to be able to sign modules

flake.nix

@@ -59,7 +59,7 @@
                 { drv = pkgs.binutils-unwrapped; path = "bin/strings"; }
                 { drv = pkgs.strace; path = "bin/strace"; }
                 { drv = patosPkgs.tpm2-tools; path = "bin/tpm2"; }
-                { drv = patosPkgs.openssl; path = "usr/bin/openssl"; destpath = "bin/openssl"; }
+                { drv = patosPkgs.openssl; path = "bin/openssl"; }
                 { drv = pkgs.cryptsetup; path = "bin/cryptsetup"; }
                 { drv = pkgs.cryptsetup; path = "bin/veritysetup"; }
                 { drv = pkgs.erofs-utils; path = "bin/mkfs.erofs"; }

pkgs/image/default.nix

@@ -7,12 +7,10 @@
 }:
 let
   pname = "patos-image";
-  defaultPassword = "patos";
 in
 stdenvNoCC.mkDerivation (finalAttrs: {
   inherit version;
   inherit pname;
-  inherit defaultPassword;
 
   buildInputs = with pkgs; [
     erofs-utils
@@ -29,7 +27,7 @@ stdenvNoCC.mkDerivation (finalAttrs: {
   };
 
   systemd = patosPkgs.systemd.out;
-  kernel = patosPkgs.kernel.kernel;
+  kernel = patosPkgs.kernel;
   initrd = patosPkgs.initrd.out;
   rootfs = patosPkgs.rootfs.out;
 

pkgs/image/mkimage.sh

@@ -27,13 +27,6 @@ mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/sys
 ln -sf ../systemd-confext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-confext.service
 ln -sf ../systemd-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-sysext.service
 
-# install sys users
-mkdir creds
-echo -n $defaultPassword > creds/passwd.plaintext-password.root
-CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' $systemd/usr/bin/systemd-sysusers --root=rootfs rootfs/usr/lib/sysusers.d/*.conf
-chmod 600 rootfs/etc/shadow
-rm -rf creds
-
 # Initial partitioning
 cat <<EOF > init.repart.d/10-root.conf
 [Partition]

pkgs/kernel/default.nix

@@ -1,9 +1,9 @@
-{ pkgs, ... }:
+{ pkgs, lib, stdenv, ... }:
 let
   version = "6.13.4";
 in
-pkgs.linuxPackagesFor (
-  pkgs.linuxManualConfig {
+  (pkgs.callPackage ./manual-config.nix { })  {
+    inherit lib stdenv;
     version = "${version}-patos1";
     modDirVersion = version;
     src = pkgs.fetchurl {
@@ -13,4 +13,3 @@ pkgs.linuxPackagesFor (
     configfile = ./generic.config;
     allowImportFromDerivation = true;
   }
-)

pkgs/kernel/generic.config

@@ -522,11 +522,11 @@ CONFIG_DEBUG_BUGVERBOSE=y
 CONFIG_DEBUG_ENTRY=y
 CONFIG_DEBUG_FS_ALLOW_ALL=y
 CONFIG_DEBUG_FS=y
-CONFIG_DEBUG_INFO_BTF_MODULES=y
-CONFIG_DEBUG_INFO_BTF=y
-CONFIG_DEBUG_INFO_COMPRESSED_NONE=y
-CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
-CONFIG_DEBUG_INFO=y
+#CONFIG_DEBUG_INFO_BTF_MODULES=y
+#CONFIG_DEBUG_INFO_BTF=y
+#CONFIG_DEBUG_INFO_COMPRESSED_NONE=y
+#CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
+CONFIG_DEBUG_INFO=n
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_MISC=y
@@ -1400,6 +1400,10 @@ CONFIG_MODULE_COMPRESS_ZSTD=y
 CONFIG_MODULE_FORCE_UNLOAD=y
 CONFIG_MODULE_SRCVERSION_ALL=y
 CONFIG_MODULE_UNLOAD=y
+CONFIG_MODULE_SIG=y
+CONFIG_MODULE_SIG_FORCE=n
+CONFIG_MODULE_SIG_ALL=y
+CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
 CONFIG_MODULES_TREE_LOOKUP=y
 CONFIG_MODULES_USE_ELF_RELA=y
 CONFIG_MODULES=y

pkgs/kernel/manual-config.nix

@@ -0,0 +1,465 @@
+{ lib, stdenv, buildPackages, runCommand, nettools, bc, bison, flex, perl, rsync, gmp, libmpc, mpfr, openssl
+, cpio, elfutils, hexdump, zstd, python3Minimal, zlib, pahole, kmod, ubootTools
+, fetchpatch
+, rustc, rust-bindgen, rustPlatform
+}:
+
+let
+  lib_ = lib;
+  stdenv_ = stdenv;
+
+  readConfig = configfile: import (runCommand "config.nix" {} ''
+    echo "{" > "$out"
+    while IFS='=' read key val; do
+      [ "x''${key#CONFIG_}" != "x$key" ] || continue
+      no_firstquote="''${val#\"}";
+      echo '  "'"$key"'" = "'"''${no_firstquote%\"}"'";' >> "$out"
+    done < "${configfile}"
+    echo "}" >> $out
+  '').outPath;
+in lib.makeOverridable ({
+  # The kernel version
+  version,
+  # The kernel pname (should be set for variants)
+  pname ? "linux",
+  # Position of the Linux build expression
+  pos ? null,
+  # Additional kernel make flags
+  extraMakeFlags ? [],
+  # The name of the kernel module directory
+  # Needs to be X.Y.Z[-extra], so pad with zeros if needed.
+  modDirVersion ? null /* derive from version */,
+  # The kernel source (tarball, git checkout, etc.)
+  src,
+  # a list of { name=..., patch=..., extraConfig=...} patches
+  kernelPatches ? [],
+  # The kernel .config file
+  configfile,
+  # Manually specified nixexpr representing the config
+  # If unspecified, this will be autodetected from the .config
+  config ? lib.optionalAttrs allowImportFromDerivation (readConfig configfile),
+  # Custom seed used for CONFIG_GCC_PLUGIN_RANDSTRUCT if enabled. This is
+  # automatically extended with extra per-version and per-config values.
+  randstructSeed ? "",
+  # Extra meta attributes
+  extraMeta ? {},
+
+  # for module compatibility
+  isZen      ? false,
+  isLibre    ? false,
+  isHardened ? false,
+
+  # Whether to utilize the controversial import-from-derivation feature to parse the config
+  allowImportFromDerivation ? false,
+  # ignored
+  features ? null, lib ? lib_, stdenv ? stdenv_,
+}:
+
+let
+  # Provide defaults. Note that we support `null` so that callers don't need to use optionalAttrs,
+  # which can lead to unnecessary strictness and infinite recursions.
+  modDirVersion_ = if modDirVersion == null then lib.versions.pad 3 version else modDirVersion;
+in
+let
+  # Shadow the un-defaulted parameter; don't want null.
+  modDirVersion = modDirVersion_;
+  inherit (lib)
+    hasAttr getAttr optional optionals optionalString optionalAttrs maintainers platforms;
+
+  drvAttrs = config_: kernelConf: kernelPatches: configfile:
+    let
+      # Folding in `ubootTools` in the default nativeBuildInputs is problematic, as
+      # it makes updating U-Boot cumbersome, since it will go above the current
+      # threshold of rebuilds
+      #
+      # To prevent these needless rounds of staging for U-Boot builds, we can
+      # limit the inclusion of ubootTools to target platforms where uImage *may*
+      # be produced.
+      #
+      # This command lists those (kernel-named) platforms:
+      #     .../linux $ grep -l uImage ./arch/*/Makefile | cut -d'/' -f3 | sort
+      #
+      # This is still a guesstimation, but since none of our cached platforms
+      # coincide in that list, this gives us "perfect" decoupling here.
+      linuxPlatformsUsingUImage = [
+        "arc"
+        "arm"
+        "csky"
+        "mips"
+        "powerpc"
+        "sh"
+        "sparc"
+        "xtensa"
+      ];
+      needsUbootTools =
+        lib.elem stdenv.hostPlatform.linuxArch linuxPlatformsUsingUImage
+      ;
+
+      config = let attrName = attr: "CONFIG_" + attr; in {
+        isSet = attr: hasAttr (attrName attr) config;
+
+        getValue = attr: if config.isSet attr then getAttr (attrName attr) config else null;
+
+        isYes = attr: (config.getValue attr) == "y";
+
+        isNo = attr: (config.getValue attr) == "n";
+
+        isModule = attr: (config.getValue attr) == "m";
+
+        isEnabled = attr: (config.isModule attr) || (config.isYes attr);
+
+        isDisabled = attr: (!(config.isSet attr)) || (config.isNo attr);
+      } // config_;
+
+      isModular = config.isYes "MODULES";
+      withRust = config.isYes "RUST";
+
+      buildDTBs = kernelConf.DTB or false;
+
+      # Dependencies that are required to build kernel modules
+      moduleBuildDependencies = [
+        pahole
+        perl
+        elfutils
+        # module makefiles often run uname commands to find out the kernel version
+        (buildPackages.deterministic-uname.override { inherit modDirVersion; })
+      ]
+      ++ optional (lib.versionAtLeast version "5.13") zstd
+      ++ optionals withRust [ rustc rust-bindgen ]
+      ;
+
+    in (optionalAttrs isModular { outputs = [ "out" "dev" ]; }) // {
+      passthru = rec {
+        inherit version modDirVersion config kernelPatches configfile
+          moduleBuildDependencies stdenv;
+        inherit isZen isHardened isLibre withRust;
+        isXen = lib.warn "The isXen attribute is deprecated. All Nixpkgs kernels that support it now have Xen enabled." true;
+        baseVersion = lib.head (lib.splitString "-rc" version);
+        kernelOlder = lib.versionOlder baseVersion;
+        kernelAtLeast = lib.versionAtLeast baseVersion;
+      };
+
+      inherit src;
+
+      depsBuildBuild = [ buildPackages.stdenv.cc ];
+      nativeBuildInputs = [
+        bison
+        flex
+        perl
+        bc
+        nettools
+        openssl
+        rsync
+        gmp
+        libmpc
+        mpfr
+        elfutils
+        zstd
+        python3Minimal
+        kmod
+        hexdump
+      ] ++ optional  needsUbootTools ubootTools
+        ++ optionals (lib.versionAtLeast version "5.2")  [ cpio pahole zlib ]
+        ++ optionals withRust [ rustc rust-bindgen ];
+
+      RUST_LIB_SRC = lib.optionalString withRust rustPlatform.rustLibSrc;
+
+      # avoid leaking Rust source file names into the final binary, which adds
+      # a false dependency on rust-lib-src on targets with uncompressed kernels
+      KRUSTFLAGS = lib.optionalString withRust "--remap-path-prefix ${rustPlatform.rustLibSrc}=/";
+
+      # patches =
+      #   map (p: p.patch) kernelPatches
+      #   # Required for deterministic builds along with some postPatch magic.
+      #   ++ optional (lib.versionOlder version "5.19") ./randstruct-provide-seed.patch
+      #   ++ optional (lib.versionAtLeast version "5.19") ./randstruct-provide-seed-5.19.patch
+      #   # Linux 5.12 marked certain PowerPC-only symbols as GPL, which breaks
+      #   # OpenZFS; this was fixed in Linux 5.19 so we backport the fix
+      #   # https://github.com/openzfs/zfs/pull/13367
+      #   ++ optional (lib.versionAtLeast version "5.12" &&
+      #                lib.versionOlder version "5.19" &&
+      #                stdenv.hostPlatform.isPower)
+      #     (fetchpatch {
+      #       url = "https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/patch/?id=d9e5c3e9e75162f845880535957b7fd0b4637d23";
+      #       hash = "sha256-bBOyJcP6jUvozFJU0SPTOf3cmnTQ6ZZ4PlHjiniHXLU=";
+      #     });
+
+      postPatch = ''
+        # Ensure that depmod gets resolved through PATH
+        sed -i Makefile -e 's|= /sbin/depmod|= depmod|'
+
+        # Some linux-hardened patches now remove certain files in the scripts directory, so the file may not exist.
+        [[ -f scripts/ld-version.sh ]] && patchShebangs scripts/ld-version.sh
+
+        # Set randstruct seed to a deterministic but diversified value. Note:
+        # we could have instead patched gen-random-seed.sh to take input from
+        # the buildFlags, but that would require also patching the kernel's
+        # toplevel Makefile to add a variable export. This would be likely to
+        # cause future patch conflicts.
+        for file in scripts/gen-randstruct-seed.sh scripts/gcc-plugins/gen-random-seed.sh; do
+          if [ -f "$file" ]; then
+            substituteInPlace "$file" \
+              --replace NIXOS_RANDSTRUCT_SEED \
+              $(echo ${randstructSeed}${src} ${placeholder "configfile"} | sha256sum | cut -d ' ' -f 1 | tr -d '\n')
+            break
+          fi
+        done
+
+        patchShebangs scripts
+
+        # also patch arch-specific install scripts
+        for i in $(find arch -name install.sh); do
+            patchShebangs "$i"
+        done
+
+        # unset $src because the build system tries to use it and spams a bunch of warnings
+        # see: https://github.com/torvalds/linux/commit/b1992c3772e69a6fd0e3fc81cd4d2820c8b6eca0
+        unset src
+      '';
+
+      configurePhase = ''
+        runHook preConfigure
+
+        mkdir build
+        export buildRoot="$(pwd)/build"
+
+        echo "manual-config configurePhase buildRoot=$buildRoot pwd=$PWD"
+
+        if [ -f "$buildRoot/.config" ]; then
+          echo "Could not link $buildRoot/.config : file exists"
+          exit 1
+        fi
+        ln -sv ${configfile} $buildRoot/.config
+
+        # reads the existing .config file and prompts the user for options in
+        # the current kernel source that are not found in the file.
+        make $makeFlags "''${makeFlagsArray[@]}" oldconfig
+        runHook postConfigure
+
+        make $makeFlags "''${makeFlagsArray[@]}" prepare
+        actualModDirVersion="$(cat $buildRoot/include/config/kernel.release)"
+        if [ "$actualModDirVersion" != "${modDirVersion}" ]; then
+          echo "Error: modDirVersion ${modDirVersion} specified in the Nix expression is wrong, it should be: $actualModDirVersion"
+          exit 1
+        fi
+
+        buildFlagsArray+=("KBUILD_BUILD_TIMESTAMP=$(date -u -d @$SOURCE_DATE_EPOCH)")
+
+        cd $buildRoot
+      '';
+
+      buildFlags = [
+        "KBUILD_BUILD_VERSION=1-PatOS"
+        kernelConf.target
+        "vmlinux"  # for "perf" and things like that
+      ] ++ optional isModular "modules"
+        ++ optionals buildDTBs ["dtbs" "DTC_FLAGS=-@"]
+      ++ extraMakeFlags;
+
+      installFlags = [
+        "INSTALL_PATH=$(out)"
+      ] ++ (optional isModular "INSTALL_MOD_PATH=$(out)")
+      ++ optionals buildDTBs ["dtbs_install" "INSTALL_DTBS_PATH=$(out)/dtbs"];
+
+      dontStrip = true;
+
+      preInstall = let
+        # All we really need to do here is copy the final image and System.map to $out,
+        # and use the kernel's modules_install, firmware_install, dtbs_install, etc. targets
+        # for the rest. Easy, right?
+        #
+        # Unfortunately for us, the obvious way of getting the built image path,
+        # make -s image_name, does not work correctly, because some architectures
+        # (*cough* aarch64 *cough*) change KBUILD_IMAGE on the fly in their install targets,
+        # so we end up attempting to install the thing we didn't actually build.
+        #
+        # Thankfully, there's a way out that doesn't involve just hardcoding everything.
+        #
+        # The kernel has an install target, which runs a pretty simple shell script
+        # (located at scripts/install.sh or arch/$arch/boot/install.sh, depending on
+        # which kernel version you're looking at) that tries to do something sensible.
+        #
+        # (it would be great to hijack this script immediately, as it has all the
+        #   information we need passed to it and we don't need it to try and be smart,
+        #   but unfortunately, the exact location of the scripts differs between kernel
+        #   versions, and they're seemingly not considered to be public API at all)
+        #
+        # One of the ways it tries to discover what "something sensible" actually is
+        # is by delegating to what's supposed to be a user-provided install script
+        # located at ~/bin/installkernel.
+        #
+        # (the other options are:
+        #   - a distribution-specific script at /sbin/installkernel,
+        #        which we can't really create in the sandbox easily
+        #   - an architecture-specific script at arch/$arch/boot/install.sh,
+        #        which attempts to guess _something_ and usually guesses very wrong)
+        #
+        # More specifically, the install script exec's into ~/bin/installkernel, if one
+        # exists, with the following arguments:
+        #
+        # $1: $KERNELRELEASE - full kernel version string
+        # $2: $KBUILD_IMAGE - the final image path
+        # $3: System.map - path to System.map file, seemingly hardcoded everywhere
+        # $4: $INSTALL_PATH - path to the destination directory as specified in installFlags
+        #
+        # $2 is exactly what we want, so hijack the script and use the knowledge given to it
+        # by the makefile overlords for our own nefarious ends.
+        #
+        # Note that the makefiles specifically look in ~/bin/installkernel, and
+        # writeShellScriptBin writes the script to <store path>/bin/installkernel,
+        # so HOME needs to be set to just the store path.
+        #
+        # FIXME: figure out a less roundabout way of doing this.
+        installkernel = buildPackages.writeShellScriptBin "installkernel" ''
+          cp -av $2 $4
+          cp -av $3 $4
+        '';
+      in ''
+        installFlagsArray+=("-j$NIX_BUILD_CORES")
+        export HOME=${installkernel}
+      '';
+
+      # Some image types need special install targets (e.g. uImage is installed with make uinstall on arm)
+      installTargets = [
+        (kernelConf.installTarget or (
+          /**/ if kernelConf.target == "uImage" && stdenv.hostPlatform.linuxArch == "arm" then "uinstall"
+          else if kernelConf.target == "zImage" || kernelConf.target == "Image.gz" || kernelConf.target == "vmlinuz.efi" then "zinstall"
+          else "install"))
+      ];
+
+      # We remove a bunch of stuff that is symlinked from other places to save space,
+      # which trips the broken symlink check. So, just skip it. We'll know if it explodes.
+      dontCheckForBrokenSymlinks = true;
+
+      postInstall = optionalString isModular ''
+        mkdir -p $dev
+        cp vmlinux $dev/
+        if [ -z "''${dontStrip-}" ]; then
+          installFlagsArray+=("INSTALL_MOD_STRIP=1")
+        fi
+        make modules_install $makeFlags "''${makeFlagsArray[@]}" \
+          $installFlags "''${installFlagsArray[@]}"
+        unlink $out/lib/modules/${modDirVersion}/build
+        rm -f $out/lib/modules/${modDirVersion}/source
+
+        mkdir -p $dev/lib/modules/${modDirVersion}/{build,source}
+
+        # To save space, exclude a bunch of unneeded stuff when copying.
+        (cd .. && rsync --archive --prune-empty-dirs \
+            --exclude='/build/' \
+            * $dev/lib/modules/${modDirVersion}/source/)
+
+        cd $dev/lib/modules/${modDirVersion}/source
+
+        cp $buildRoot/{.config,Module.symvers} $dev/lib/modules/${modDirVersion}/build
+        make modules_prepare $makeFlags "''${makeFlagsArray[@]}" O=$dev/lib/modules/${modDirVersion}/build
+
+        # For reproducibility, removes accidental leftovers from a `cc1` call
+        # from a `try-run` call from the Makefile
+        rm -f $dev/lib/modules/${modDirVersion}/build/.[0-9]*.d
+
+        # Keep some extra files on some arches (powerpc, aarch64)
+        for f in arch/powerpc/lib/crtsavres.o arch/arm64/kernel/ftrace-mod.o; do
+          if [ -f "$buildRoot/$f" ]; then
+            cp $buildRoot/$f $dev/lib/modules/${modDirVersion}/build/$f
+          fi
+        done
+
+        # !!! No documentation on how much of the source tree must be kept
+        # If/when kernel builds fail due to missing files, you can add
+        # them here. Note that we may see packages requiring headers
+        # from drivers/ in the future; it adds 50M to keep all of its
+        # headers on 3.10 though.
+
+        chmod u+w -R ..
+        arch=$(cd $dev/lib/modules/${modDirVersion}/build/arch; ls)
+
+        # Remove unused arches
+        for d in $(cd arch/; ls); do
+          if [ "$d" = "$arch" ]; then continue; fi
+          if [ "$arch" = arm64 ] && [ "$d" = arm ]; then continue; fi
+          rm -rf arch/$d
+        done
+
+        # Remove all driver-specific code (50M of which is headers)
+        rm -fR drivers
+
+        # Keep all headers
+        find .  -type f -name '*.h' -print0 | xargs -0 -r chmod u-w
+
+        # Keep linker scripts (they are required for out-of-tree modules on aarch64)
+        find .  -type f -name '*.lds' -print0 | xargs -0 -r chmod u-w
+
+        # Keep root and arch-specific Makefiles
+        chmod u-w Makefile arch/"$arch"/Makefile*
+
+        # Keep whole scripts dir
+        chmod u-w -R scripts
+
+        # Delete everything not kept
+        find . -type f -perm -u=w -print0 | xargs -0 -r rm
+
+        # Delete empty directories
+        find -empty -type d -delete
+      '';
+
+      requiredSystemFeatures = [ "big-parallel" ];
+
+      meta = {
+        # https://github.com/NixOS/nixpkgs/pull/345534#issuecomment-2391238381
+        broken = withRust && lib.versionOlder version "6.12";
+
+        description =
+          "The Linux kernel" +
+          (if kernelPatches == [] then "" else
+            " (with patches: "
+            + lib.concatStringsSep ", " (map (x: x.name) kernelPatches)
+            + ")");
+        license = lib.licenses.gpl2Only;
+        homepage = "https://www.kernel.org/";
+        maintainers = lib.teams.linux-kernel.members ++ [
+          maintainers.thoughtpolice
+        ];
+        platforms = platforms.linux;
+        badPlatforms =
+          lib.optionals (lib.versionOlder version "4.15") [ "riscv32-linux" "riscv64-linux" ] ++
+          lib.optional (lib.versionOlder version "5.19") "loongarch64-linux";
+        timeout = 14400; # 4 hours
+      } // extraMeta;
+    };
+
+  # Absolute paths for compilers avoid any PATH-clobbering issues.
+  commonMakeFlags = [
+    "ARCH=${stdenv.hostPlatform.linuxArch}"
+    "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
+  ] ++ lib.optionals (stdenv.isx86_64 && stdenv.cc.bintools.isLLVM) [
+    # The wrapper for ld.lld breaks linking the kernel. We use the
+    # unwrapped linker as workaround. See:
+    #
+    # https://github.com/NixOS/nixpkgs/issues/321667
+    "LD=${stdenv.cc.bintools.bintools}/bin/${stdenv.cc.targetPrefix}ld"
+  ] ++ (stdenv.hostPlatform.linux-kernel.makeFlags or [])
+    ++ extraMakeFlags;
+in
+
+stdenv.mkDerivation (
+  builtins.foldl' lib.recursiveUpdate {} [
+    (drvAttrs config stdenv.hostPlatform.linux-kernel kernelPatches configfile)
+    {
+      inherit pname version;
+
+      enableParallelBuilding = true;
+
+      hardeningDisable = [ "bindnow" "format" "fortify" "stackprotector" "pic" "pie" ];
+
+      makeFlags = [
+        "O=$(buildRoot)"
+      ] ++ commonMakeFlags;
+
+      passthru = { inherit commonMakeFlags; };
+
+      karch = stdenv.hostPlatform.linuxArch;
+    }
+    (optionalAttrs (pos != null) { inherit pos; })
+  ]
+))

pkgs/kernel/result

@@ -0,0 +1 @@
+/nix/store/kwigngi2rkbhd5qmhjaxla2wh3adm4ph-linux-6.13.4-patos1

pkgs/openssl/default.nix

@@ -92,7 +92,7 @@ stdenv.mkDerivation rec {
     configureFlags =
       [
         "shared" # "shared" builds both shared and static libraries
-        "--prefix=/usr"
+        "--prefix=/"
         "--libdir=lib"
         "--openssldir=/etc/ssl"
       ]

pkgs/rootfs/default.nix

@@ -7,10 +7,12 @@
 }:
 let
   pname = "patos-rootfs";
+  defaultPassword = "patos";
 in
 stdenvNoCC.mkDerivation (finalAttrs: {
   inherit version;
   inherit pname;
+  inherit defaultPassword;
 
   buildInputs = with pkgs; [
     glibc
@@ -20,7 +22,7 @@ stdenvNoCC.mkDerivation (finalAttrs: {
   glibcPatos = patosPkgs.glibc.out;
   systemd = patosPkgs.systemd.out;
   dbusBroker = patosPkgs.dbus-broker.out;
-  kernel = patosPkgs.kernel.kernel;
+  kernel = patosPkgs.kernel;
   busybox = patosPkgs.busybox.out;
   kmodLibs = pkgs.kmod.lib;
   kmodBin = pkgs.kmod.out;

pkgs/rootfs/mkrootfs.sh

@@ -62,6 +62,7 @@ Type=root
 SizeMaxBytes=256M
 SizeMinBytes=256M
 EOF
+
 cat <<EOF > $out/etc/repart.d/22-root-verify-a.conf
 [Partition]
 Type=root-verity
@@ -77,6 +78,7 @@ SizeMaxBytes=256M
 SizeMinBytes=256M
 ReadOnly=1
 EOF
+
 cat <<EOF > $out/etc/repart.d/32-root-verity-b.conf
 [Partition]
 Type=root-verity
@@ -90,13 +92,15 @@ cat <<EOF > $out/etc/repart.d/40-var.conf
 [Partition]
 Type=var
 Format=btrfs
-MakeDirectories=/var/lib/confexts /var/.snapshots
+MakeDirectories=/var/lib/confexts /var/lib/extensions /var/lib/portables /var/.snapshots
 MountPoint=/var
 Label=patos-state
 Encrypt=tpm2
 EncryptedVolume=patos-state:none:tpm2-device=auto,luks,discard
-Subvolumes=/var/lib/confexts /var/.snapshots
+Subvolumes=/var/lib/confexts /var/lib/extensions /var/lib/portables /var/.snapshots
 MountPoint=/var/lib/confexts:subvol=/var/lib/confexts
+MountPoint=/var/lib/extensions:subvol=/var/lib/extensions
+MountPoint=/var/lib/portables:subvol=/var/lib/portables
 MountPoint=/var/.snapshots:subvol=/var/.snapshots
 SizeMinBytes=1G
 Minimize=off
@@ -116,13 +120,9 @@ EOF
 cp -P $glibcPatos/lib/*.so* $out/usr/lib/
 
 ### install openssl
-cp -P $openssl/usr/lib/*.so* $out/usr/lib/
+cp -P $openssl/lib/*.so* $out/usr/lib/
 cp -Pr $openssl/etc/ssl $out/etc/
 
-### install kernel modules
-cp -r $kernel/lib/modules $out/usr/lib/
-find $out/usr/lib/modules -type d -exec chmod 755 {} \;
-
 ### install busybox
 cp $busybox/bin/busybox $out/usr/bin/
 $out/usr/bin/busybox --list | xargs -I {} ln -sf busybox $out/usr/bin/{}
@@ -150,11 +150,13 @@ cp -P $kmodLibs/lib/*.so* $out/usr/lib/
 cp -P $kmodBin/bin/* $out/usr/bin
 
 ### install libbpf
-cp -P $libbpf/lib/libbpf* $out/usr/lib
+cp -P $libbpf/lib/libbpf*.so* $out/usr/lib
 
 ### install ca cert bundle
-chmod 755 $out/etc/ssl
+chmod 755 $out/etc/ssl $out/etc/ssl/certs
 cp -P $cacert/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/cert.pem
+ln -sf ../cert.pem $out/etc/ssl/certs/ca-certificates.crt
+ln -sf ../cert.pem $out/etc/ssl/certs/ca-bundle.crt
 
 # setup default files
 $systemd/usr/bin/systemd-hwdb --root=$out --usr update
@@ -162,6 +164,13 @@ $systemd/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf -
 cp $out/usr/share/factory/etc/nsswitch.conf $out/etc/
 cp $out/usr/share/factory/etc/locale.conf $out/etc/
 cp $out/usr/share/factory/etc/vconsole.conf $out/etc/
+# install sys users
+mkdir creds
+echo -n $defaultPassword > creds/passwd.plaintext-password.root
+CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' $systemd/usr/bin/systemd-sysusers --root=$out rootfs/usr/lib/sysusers.d/*.conf
+chmod 600 $out/etc/shadow
+rm -rf creds
+
 
 # Ephemeral machine-id until registration
 ln -sf /run/machine-id $out/etc/machine-id
@@ -171,7 +180,7 @@ rm -rf $out/usr/lib/pkgconfig
 
 ### Find and install all shared libs
 find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \
-  grep -v systemd | grep -v glibc | grep -v openssl | grep -v tpm2 | grep -v devmapper | grep -v not | \
+  grep -vE "(systemd|glibc|openssl|tpm2|devmapper)" | \
   sort -u | xargs -I {} cp {} $out/usr/lib/
 
 find $out -type f -executable -exec chmod 755 {} \;
@@ -184,3 +193,8 @@ patchelf --remove-rpath $out/usr/lib/ld-linux-x86-64.so.2
 # strip binaries
 find $out -type f -executable -exec strip {} \;
 find $out -type d -exec chmod 755 {} \;
+
+### install kernel modules
+cp -r $kernel/lib/modules $out/usr/lib/
+find $out/usr/lib/modules -type d -exec chmod 755 {} \;
+