parent
bd002f2d25
commit
760c8fe637
4 changed files with 65 additions and 52 deletions
56
flake.nix
56
flake.nix
|
@ -15,30 +15,44 @@
|
|||
flake-utils.lib.eachDefaultSystem (
|
||||
system:
|
||||
let
|
||||
pkgs = import nixpkgs { inherit system; };
|
||||
patosPkgs = self.packages.${system};
|
||||
version = "0.0.1";
|
||||
secureBoot = "false";
|
||||
cpuArch = "intel";
|
||||
updateUrl = "http://10.0.2.2:8000/";
|
||||
|
||||
overlay = final: prev: {
|
||||
patos = prev.lib.makeScope prev.newScope (self: {
|
||||
kernel = final.callPackage ./pkgs/kernel { };
|
||||
glibc = final.callPackage ./pkgs/glibc { };
|
||||
busybox = final.callPackage ./pkgs/busybox { };
|
||||
openssl = final.callPackage ./pkgs/openssl { };
|
||||
kexec = final.callPackage ./pkgs/kexec-tools { };
|
||||
lvm2 = final.callPackage ./pkgs/lvm2 { };
|
||||
tpm2-tools = final.callPackage ./pkgs/tpm2-tools { };
|
||||
tpm2-tss = final.callPackage ./pkgs/tpm2-tss { };
|
||||
systemd = final.callPackage ./pkgs/systemd { };
|
||||
dbus-broker = final.callPackage ./pkgs/dbus-broker { };
|
||||
|
||||
rootfs = final.callPackage ./pkgs/rootfs/mkrootfs.nix { inherit version; };
|
||||
initrd = final.callPackage ./pkgs/rootfs/mkinitrd.nix { inherit version; };
|
||||
});
|
||||
};
|
||||
|
||||
pkgs = import nixpkgs { inherit system; overlays = [ overlay ]; };
|
||||
pkgsCross = import nixpkgs {
|
||||
inherit system;
|
||||
overlays = [ overlay ];
|
||||
crossSystem = {
|
||||
config = "aarch64-unknown-linux-gnu";
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
packages = {
|
||||
default = patosPkgs.image;
|
||||
image = pkgs.callPackage ./pkgs/image { inherit patosPkgs version updateUrl cpuArch secureBoot; };
|
||||
rootfs = pkgs.callPackage ./pkgs/rootfs/mkrootfs.nix { inherit patosPkgs version; };
|
||||
initrd = pkgs.callPackage ./pkgs/rootfs/mkinitrd.nix { inherit patosPkgs version; };
|
||||
kernel = pkgs.callPackage ./pkgs/kernel { };
|
||||
glibc = pkgs.callPackage ./pkgs/glibc { };
|
||||
busybox = pkgs.callPackage ./pkgs/busybox { };
|
||||
openssl = pkgs.callPackage ./pkgs/openssl { };
|
||||
cert = pkgs.callPackage ./pkgs/cert { };
|
||||
kexec = pkgs.callPackage ./pkgs/kexec-tools { };
|
||||
lvm2 = pkgs.callPackage ./pkgs/lvm2 { };
|
||||
tpm2-tools = pkgs.callPackage ./pkgs/tpm2-tools { inherit patosPkgs; };
|
||||
tpm2-tss = pkgs.callPackage ./pkgs/tpm2-tss { };
|
||||
systemd = pkgs.callPackage ./pkgs/systemd { };
|
||||
dbus-broker = pkgs.callPackage ./pkgs/dbus-broker { };
|
||||
default = self.packages.${system}.image;
|
||||
|
||||
image = pkgs.callPackage ./pkgs/image { inherit version updateUrl cpuArch secureBoot; };
|
||||
image-aarch64 = pkgsCross.callPackage ./pkgs/image { inherit version updateUrl cpuArch secureBoot; };
|
||||
|
||||
qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { };
|
||||
|
||||
|
@ -81,9 +95,9 @@
|
|||
{ drv = pkgs.util-linuxMinimal.mount; path = "bin/"; }
|
||||
{ drv = pkgs.util-linuxMinimal.login; path = "bin/"; }
|
||||
{ drv = pkgs.util-linuxMinimal.swap; path = "bin/"; }
|
||||
{ drv = patosPkgs.glibc; path = "bin/ldd"; }
|
||||
{ drv = patosPkgs.tpm2-tools; path = "bin/tpm2"; }
|
||||
{ drv = patosPkgs.openssl; path = "bin/openssl"; }
|
||||
{ drv = pkgs.patos.glibc; path = "bin/ldd"; }
|
||||
{ drv = pkgs.patos.tpm2-tools; path = "bin/tpm2"; }
|
||||
{ drv = pkgs.patos.openssl; path = "bin/openssl"; }
|
||||
# shared lib required for mkfs.erofs
|
||||
{ drv = pkgs.lz4.lib; path = "lib/"; }
|
||||
# shared lib required for cryptsetup
|
||||
|
@ -111,7 +125,7 @@
|
|||
just
|
||||
nixd
|
||||
nixfmt-rfc-style
|
||||
patosPkgs.qemu-uefi-tpm
|
||||
self.packages.${system}.qemu-uefi-tpm
|
||||
];
|
||||
};
|
||||
|
||||
|
|
|
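Review bot: The new `image-aarch64 = pkgsCross.callPackage ./pkgs/image { inherit version updateUrl cpuArch secureBoot; };` forwards the let-bound `cpuArch = "intel"` to an aarch64 cross build; since the image builder expands a `$microcode` argument into its ukify call, this presumably selects an x86 microcode blob for the arm64 image, so `cpuArch` should be chosen per target rather than shared. In the overlay, `tpm2-tools = final.callPackage ./pkgs/tpm2-tools { };` drops the `patosPkgs` argument the old call supplied; unless ./pkgs/tpm2-tools was changed outside this commit to read `pkgs.patos.tpm2-tss` instead, callPackage will fail with a missing-argument error. The `self:` parameter of `prev.lib.makeScope` shadows the flake's own `self`, and the scope members use `final.callPackage` rather than the scope's `callPackage`, so the scope's self-reference is never used; renaming the binding (e.g. `scope:`) or using `self.callPackage` would make the intent clear. The enclosing `packages = { … }` set continues past the end of the first hunk, so whether `kernel`, `cert` and the other former flake outputs are still exported is not visible here.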
@ -1,7 +1,6 @@
|
|||
{
|
||||
lib,
|
||||
pkgs,
|
||||
patosPkgs,
|
||||
version,
|
||||
runCommand,
|
||||
updateUrl,
|
||||
|
@ -37,13 +36,13 @@ mkdir -p $out/init.repart.d $out/final.repart.d
|
|||
pushd $out
|
||||
|
||||
mkdir rootfs
|
||||
cp -prP ${patosPkgs.rootfs}/* rootfs/
|
||||
cp -prP ${pkgs.patos.rootfs}/* rootfs/
|
||||
find rootfs/ -type d -exec chmod 755 {} \;
|
||||
|
||||
# package kernel modules as sysext (will reduce the image size a little bit (~3MB))
|
||||
mkdir rootfs/etc/extensions
|
||||
rm -rf rootfs/usr/lib/modules
|
||||
cp ${patosPkgs.kernel}/patos-kernel-modules* rootfs/etc/extensions/
|
||||
cp ${pkgs.patos.kernel}/patos-kernel-modules* rootfs/etc/extensions/
|
||||
|
||||
# set default target to multi-user
|
||||
ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target
|
||||
|
@ -160,7 +159,7 @@ EOF
|
|||
|
||||
#TODO: Add verity signature partition
|
||||
|
||||
${patosPkgs.systemd}/usr/bin/systemd-repart \
|
||||
${pkgs.patos.systemd}/usr/bin/systemd-repart \
|
||||
--no-pager \
|
||||
--empty=create \
|
||||
--size=auto \
|
||||
|
@ -182,16 +181,16 @@ verityUuid=$(jq -r '.[1].uuid' init-repart-output.json)
|
|||
ln -sf patos_$version.verity.raw patos_${version}_$verityUuid.verity
|
||||
ln -sf patos_$version.root.raw patos_${version}_$rootUuid.root
|
||||
|
||||
${patosPkgs.systemd}/usr/bin/ukify build \
|
||||
--linux ${patosPkgs.kernel}/bzImage \
|
||||
--initrd ${patosPkgs.initrd}/initrd.xz \
|
||||
${pkgs.patos.systemd}/usr/bin/ukify build \
|
||||
--linux ${pkgs.patos.kernel}/bzImage \
|
||||
--initrd ${pkgs.patos.initrd}/initrd.xz \
|
||||
$microcode \
|
||||
--os-release @rootfs/etc/os-release \
|
||||
--cmdline "$kernelCmdLine roothash=$roothash" \
|
||||
-o patos_${version}.efi
|
||||
|
||||
# install ESP
|
||||
SYSTEMD_RELAX_ESP_CHECKS=1 ${patosPkgs.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot
|
||||
SYSTEMD_RELAX_ESP_CHECKS=1 ${pkgs.patos.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot
|
||||
|
||||
# setup factory reset
|
||||
mkdir -p rootfs/boot/EFI/tools
|
||||
|
@ -245,14 +244,14 @@ ReadOnly=1
|
|||
EOF
|
||||
|
||||
# finalize image ready for boot
|
||||
${patosPkgs.systemd}/usr/bin/systemd-repart \
|
||||
${pkgs.patos.systemd}/usr/bin/systemd-repart \
|
||||
--no-pager \
|
||||
--empty=create \
|
||||
--size=auto \
|
||||
--definitions=./final.repart.d \
|
||||
patos_${version}.img > final-repart-output.json
|
||||
|
||||
rm -rf rootfs init.repart.d final.repart.d *.json
|
||||
rm -rf init.repart.d final.repart.d *.json
|
||||
sha256sum *.root *.verity *.efi *.tar.xz > SHA256SUMS
|
||||
|
||||
popd
|
||||
|
|
|
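Review bot: `--linux ${pkgs.patos.kernel}/bzImage` in the ukify hunk still hard-codes an x86 artifact name, yet this file is now also built through `pkgsCross` for aarch64, where the kernel build normally produces `Image` rather than `bzImage`; unless ./pkgs/kernel emits a `bzImage` file for every architecture, the cross build will fail at this line. The final hunk also changes `rm -rf rootfs init.repart.d final.repart.d *.json` to `rm -rf init.repart.d final.repart.d *.json`, so the unpacked `rootfs/` tree (including the bootctl-installed ESP and the `etc/shadow` copied from the rootfs package) is now retained in the image output; if that is intentional a comment such as `# keep rootfs/ in $out for inspection` would make it clear, otherwise the original removal should be restored. The note on the `#TODO: Add verity signature partition` line remains open, so the `roothash=` in the UKI command line is only as trustworthy as the UKI itself.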
@ -1,6 +1,5 @@
|
|||
{
|
||||
pkgs,
|
||||
patosPkgs,
|
||||
runCommand,
|
||||
...
|
||||
}:
|
||||
|
@ -21,7 +20,7 @@ mkdir -p $out/root
|
|||
pushd $out/root
|
||||
|
||||
### copy rootfs
|
||||
cp -prP ${patosPkgs.rootfs}/* .
|
||||
cp -prP ${pkgs.patos.rootfs}/* .
|
||||
find . -type d -exec chmod 755 {} \;
|
||||
mkdir sysroot
|
||||
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
{
|
||||
pkgs,
|
||||
patosPkgs,
|
||||
version,
|
||||
runCommand,
|
||||
}:
|
||||
|
@ -32,7 +31,7 @@ ln -sf /tmp $out/var/tmp
|
|||
ln -sf ../proc/self/mounts $out/etc/mtab
|
||||
|
||||
### install systemd
|
||||
cp -Pr ${patosPkgs.systemd}/* $out/
|
||||
cp -Pr ${pkgs.patos.systemd}/* $out/
|
||||
find $out -type d -exec chmod 755 {} \;
|
||||
rm -rf $out/usr/include
|
||||
rm -rf $out/usr/sbin
|
||||
|
@ -137,33 +136,33 @@ ManagerEnvironment=PATH=/bin:/sbin:/usr/bin SYSTEMD_CRYPTTAB=/run/crypttab SYSTE
|
|||
EOF
|
||||
|
||||
### install PatOS glibc
|
||||
cp -P ${patosPkgs.glibc}/lib/*.so* $out/usr/lib/
|
||||
cp -P ${pkgs.patos.glibc}/lib/*.so* $out/usr/lib/
|
||||
|
||||
### install openssl
|
||||
cp -P ${patosPkgs.openssl}/lib/*.so* $out/usr/lib/
|
||||
cp -Pr ${patosPkgs.openssl}/etc/ssl $out/etc/
|
||||
cp -P ${pkgs.patos.openssl}/lib/*.so* $out/usr/lib/
|
||||
cp -Pr ${pkgs.patos.openssl}/etc/ssl $out/etc/
|
||||
|
||||
### install busybox
|
||||
cp ${patosPkgs.busybox}/bin/busybox $out/usr/bin/
|
||||
cp ${pkgs.patos.busybox}/bin/busybox $out/usr/bin/
|
||||
$out/usr/bin/busybox --list | xargs -I {} ln -sf busybox $out/usr/bin/{}
|
||||
|
||||
### install dbus broker
|
||||
cp -r ${patosPkgs.dbus-broker}/* $out/
|
||||
cp -r ${pkgs.patos.dbus-broker}/* $out/
|
||||
|
||||
### install kexec
|
||||
cp -Pr ${patosPkgs.kexec}/sbin/kexec $out/usr/bin/
|
||||
cp -Pr ${pkgs.patos.kexec}/sbin/kexec $out/usr/bin/
|
||||
|
||||
### install dmsetup udev rules
|
||||
cp -P ${patosPkgs.lvm2}/usr/bin/dmsetup $out/usr/bin/
|
||||
cp -P ${patosPkgs.lvm2}/lib/libdevmapper.so* $out/usr/lib/
|
||||
cp -P ${patosPkgs.lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/
|
||||
cp -P ${pkgs.patos.lvm2}/usr/bin/dmsetup $out/usr/bin/
|
||||
cp -P ${pkgs.patos.lvm2}/lib/libdevmapper.so* $out/usr/lib/
|
||||
cp -P ${pkgs.patos.lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/
|
||||
|
||||
### install btrfs progs
|
||||
cp -Pr ${pkgs.btrfs-progs}/bin/* $out/usr/bin/
|
||||
cp -Pr ${pkgs.btrfs-progs}/lib/* $out/usr/lib/
|
||||
|
||||
### install tpm2 libs
|
||||
cp -P ${patosPkgs.tpm2-tss}/lib/*.so* $out/usr/lib/
|
||||
cp -P ${pkgs.patos.tpm2-tss}/lib/*.so* $out/usr/lib/
|
||||
|
||||
### install lib kmod
|
||||
cp -P ${pkgs.kmod.lib}/lib/*.so* $out/usr/lib/
|
||||
|
@ -194,22 +193,22 @@ ln -sf ../cert.pem $out/etc/ssl/certs/ca-bundle.crt
|
|||
rm -rf $out/usr/lib/pkgconfig
|
||||
|
||||
# setup default files
|
||||
${patosPkgs.systemd}/usr/bin/systemd-hwdb --root=$out --usr update
|
||||
${patosPkgs.systemd}/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf --create
|
||||
${pkgs.patos.systemd}/usr/bin/systemd-hwdb --root=$out --usr update
|
||||
${pkgs.patos.systemd}/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf --create
|
||||
cp $out/usr/share/factory/etc/nsswitch.conf $out/etc/
|
||||
cp $out/usr/share/factory/etc/locale.conf $out/etc/
|
||||
cp $out/usr/share/factory/etc/vconsole.conf $out/etc/
|
||||
# install sys users
|
||||
mkdir creds
|
||||
echo -n ${defaultPassword} > creds/passwd.plaintext-password.root
|
||||
CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' ${patosPkgs.systemd}/usr/bin/systemd-sysusers --root=$out rootfs/usr/lib/sysusers.d/*.conf
|
||||
CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' ${pkgs.patos.systemd}/usr/bin/systemd-sysusers --root=$out rootfs/usr/lib/sysusers.d/*.conf
|
||||
chmod 600 $out/etc/shadow
|
||||
rm -rf creds
|
||||
|
||||
# Ephemeral machine-id until registration
|
||||
# ln -sf /run/machine-id $out/etc/machine-id
|
||||
# FIXME: above line does not work in systemd > 257
|
||||
${patosPkgs.systemd}/usr/bin/systemd-machine-id-setup --root=$out
|
||||
${pkgs.patos.systemd}/usr/bin/systemd-machine-id-setup --root=$out
|
||||
|
||||
### Find and install all shared libs
|
||||
find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \
|
||||
|
@ -219,15 +218,17 @@ find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \
|
|||
find $out -type f -executable -exec chmod 755 {} \;
|
||||
|
||||
# patch ELFs
|
||||
interpreter=$(patchelf --print-interpreter $out/usr/bin/busybox)
|
||||
ldLinux=$(basename $interpreter)
|
||||
find $out -type f -executable -exec patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd:/usr/lib/cryptsetup {} \;
|
||||
find $out -type f -executable -exec patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 {} \;
|
||||
patchelf --remove-rpath $out/usr/lib/ld-linux-x86-64.so.2
|
||||
find $out -type f -executable -exec patchelf --set-interpreter /lib/$ldLinux {} \;
|
||||
patchelf --remove-rpath $out/usr/lib/$ldLinux
|
||||
|
||||
# strip binaries
|
||||
find $out -type f -executable -exec $STRIP {} \;
|
||||
find $out -type d -exec chmod 755 {} \;
|
||||
|
||||
# install kernel modules
|
||||
cp -r ${patosPkgs.kernel}/lib/modules $out/usr/lib/
|
||||
cp -r ${pkgs.patos.kernel}/lib/modules $out/usr/lib/
|
||||
find $out/usr/lib/modules -type d -exec chmod 755 {} \;
|
||||
''
|
||||
|
|
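Review bot: The new `${pkgs.patos.systemd}/usr/bin/systemd-sysusers --root=$out …` line writes the root password hash into `$out/etc/shadow`, and the following `chmod 600 $out/etc/shadow` has no lasting effect because Nix canonicalises store-path modes to 0444/0555 on registration, so the hash ends up world-readable on every host that has this derivation; the commit keeps that behaviour, and a comment such as `# NOTE: store canonicalisation resets this to 0444; the hash is readable by any local user` should be added until the credential is provisioned at first boot instead. In the patchelf hunk, deriving `ldLinux` from `patchelf --print-interpreter $out/usr/bin/busybox` is a reasonable way to drop the x86-only `ld-linux-x86-64.so.2`, but the reason is not stated; a one-line comment `# derive the loader name from busybox so the same script works for cross (aarch64) builds` would help the next maintainer. The `find $out -type f -executable -exec patchelf --set-interpreter /lib/$ldLinux {} \;` line, like the rpath line before it, runs patchelf on every executable file including scripts and shared objects; that predates this commit but is worth a `-name` or ELF-magic filter.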