diff --git a/flake.nix b/flake.nix
index 2655ff0..776919f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -15,30 +15,44 @@ flake-utils.lib.eachDefaultSystem ( system: let - pkgs = import nixpkgs { inherit system; }; - patosPkgs = self.packages.${system}; version = "0.0.1"; secureBoot = "false"; cpuArch = "intel"; updateUrl = "http://10.0.2.2:8000/"; + + overlay = final: prev: { + patos = prev.lib.makeScope prev.newScope (self: { + kernel = final.callPackage ./pkgs/kernel { }; + glibc = final.callPackage ./pkgs/glibc { }; + busybox = final.callPackage ./pkgs/busybox { }; + openssl = final.callPackage ./pkgs/openssl { }; + kexec = final.callPackage ./pkgs/kexec-tools { }; + lvm2 = final.callPackage ./pkgs/lvm2 { }; + tpm2-tools = final.callPackage ./pkgs/tpm2-tools { }; + tpm2-tss = final.callPackage ./pkgs/tpm2-tss { }; + systemd = final.callPackage ./pkgs/systemd { }; + dbus-broker = final.callPackage ./pkgs/dbus-broker { }; + + rootfs = final.callPackage ./pkgs/rootfs/mkrootfs.nix { inherit version; }; + initrd = final.callPackage ./pkgs/rootfs/mkinitrd.nix { inherit version; }; + }); + }; + + pkgs = import nixpkgs { inherit system; overlays = [ overlay ]; }; + pkgsCross = import nixpkgs { + inherit system; + overlays = [ overlay ]; + crossSystem = { + config = "aarch64-unknown-linux-gnu"; + }; + }; in { packages = { - default = patosPkgs.image; - image = pkgs.callPackage ./pkgs/image { inherit patosPkgs version updateUrl cpuArch secureBoot; }; - rootfs = pkgs.callPackage ./pkgs/rootfs/mkrootfs.nix { inherit patosPkgs version; }; - initrd = pkgs.callPackage ./pkgs/rootfs/mkinitrd.nix { inherit patosPkgs version; }; - kernel = pkgs.callPackage ./pkgs/kernel { }; - glibc = pkgs.callPackage ./pkgs/glibc { }; - busybox = pkgs.callPackage ./pkgs/busybox { }; - openssl = pkgs.callPackage ./pkgs/openssl { }; - cert = pkgs.callPackage ./pkgs/cert { }; - kexec = pkgs.callPackage ./pkgs/kexec-tools { }; - lvm2 = pkgs.callPackage ./pkgs/lvm2 { }; - tpm2-tools = pkgs.callPackage ./pkgs/tpm2-tools { inherit patosPkgs; }; - tpm2-tss = pkgs.callPackage ./pkgs/tpm2-tss { }; - 
systemd = pkgs.callPackage ./pkgs/systemd { }; - dbus-broker = pkgs.callPackage ./pkgs/dbus-broker { }; + default = self.packages.${system}.image; + + image = pkgs.callPackage ./pkgs/image { inherit version updateUrl cpuArch secureBoot; }; + image-aarch64 = pkgsCross.callPackage ./pkgs/image { inherit version updateUrl cpuArch secureBoot; }; qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { }; @@ -81,9 +95,9 @@ { drv = pkgs.util-linuxMinimal.mount; path = "bin/"; } { drv = pkgs.util-linuxMinimal.login; path = "bin/"; } { drv = pkgs.util-linuxMinimal.swap; path = "bin/"; } - { drv = patosPkgs.glibc; path = "bin/ldd"; } - { drv = patosPkgs.tpm2-tools; path = "bin/tpm2"; } - { drv = patosPkgs.openssl; path = "bin/openssl"; } + { drv = pkgs.patos.glibc; path = "bin/ldd"; } + { drv = pkgs.patos.tpm2-tools; path = "bin/tpm2"; } + { drv = pkgs.patos.openssl; path = "bin/openssl"; } # shared lib required for mkfs.erofs { drv = pkgs.lz4.lib; path = "lib/"; } # shared lib required for cryptsetup @@ -111,7 +125,7 @@ just nixd nixfmt-rfc-style - patosPkgs.qemu-uefi-tpm + self.packages.${system}.qemu-uefi-tpm ]; }; diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix index 86c3708..d9205f3 100644 --- a/pkgs/image/default.nix +++ b/pkgs/image/default.nix @@ -1,7 +1,6 @@ { lib, pkgs, - patosPkgs, version, runCommand, updateUrl, @@ -37,13 +36,13 @@ mkdir -p $out/init.repart.d $out/final.repart.d pushd $out mkdir rootfs -cp -prP ${patosPkgs.rootfs}/* rootfs/ +cp -prP ${pkgs.patos.rootfs}/* rootfs/ find rootfs/ -type d -exec chmod 755 {} \; # package kernel modules as sysext (will reduce the image size a little bit (~3MB)) mkdir rootfs/etc/extensions rm -rf rootfs/usr/lib/modules -cp ${patosPkgs.kernel}/patos-kernel-modules* rootfs/etc/extensions/ +cp ${pkgs.patos.kernel}/patos-kernel-modules* rootfs/etc/extensions/ # set default target to multi-user ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target 
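Review bot: `image-aarch64 = pkgsCross.callPackage ./pkgs/image { inherit version updateUrl cpuArch secureBoot; }` hands the aarch64 build the same `cpuArch = "intel"` as the x86 image, and ./pkgs/image executes `${pkgs.patos.systemd}/usr/bin/systemd-repart`, `ukify` and `bootctl` at build time — with `pkgs` bound to the cross set those are presumably aarch64 binaries that an x86 builder cannot run. Build-time tools should come from `pkgs.buildPackages.patos.systemd` (and `cpuArch` be derived from the target platform), or the cross output should carry a comment marking it as not yet functional. The `self` in `prev.lib.makeScope prev.newScope (self: { ... })` shadows the flake's `self` that is used a few lines later in `default = self.packages.${system}.image;`; since the scope members all use `final.callPackage`, renaming it to `patosSelf` (or `_`) removes the ambiguity. `cert = pkgs.callPackage ./pkgs/cert { };` is dropped from the outputs with no counterpart in the overlay — if nothing consumes it any more, say so in the commit message, otherwise add it to the `patos` scope.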
@@ -160,7 +159,7 @@ EOF #TODO: Add verity signature partition -${patosPkgs.systemd}/usr/bin/systemd-repart \ +${pkgs.patos.systemd}/usr/bin/systemd-repart \ --no-pager \ --empty=create \ --size=auto \ @@ -182,16 +181,16 @@ verityUuid=$(jq -r '.[1].uuid' init-repart-output.json) ln -sf patos_$version.verity.raw patos_${version}_$verityUuid.verity ln -sf patos_$version.root.raw patos_${version}_$rootUuid.root -${patosPkgs.systemd}/usr/bin/ukify build \ - --linux ${patosPkgs.kernel}/bzImage \ - --initrd ${patosPkgs.initrd}/initrd.xz \ +${pkgs.patos.systemd}/usr/bin/ukify build \ + --linux ${pkgs.patos.kernel}/bzImage \ + --initrd ${pkgs.patos.initrd}/initrd.xz \ $microcode \ --os-release @rootfs/etc/os-release \ --cmdline "$kernelCmdLine roothash=$roothash" \ -o patos_${version}.efi # install ESP -SYSTEMD_RELAX_ESP_CHECKS=1 ${patosPkgs.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot +SYSTEMD_RELAX_ESP_CHECKS=1 ${pkgs.patos.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot # setup factory reset mkdir -p rootfs/boot/EFI/tools @@ -245,14 +244,14 @@ ReadOnly=1 EOF # finalize image ready for boot -${patosPkgs.systemd}/usr/bin/systemd-repart \ +${pkgs.patos.systemd}/usr/bin/systemd-repart \ --no-pager \ --empty=create \ --size=auto \ --definitions=./final.repart.d \ patos_${version}.img > final-repart-output.json -rm -rf rootfs init.repart.d final.repart.d *.json +rm -rf init.repart.d final.repart.d *.json sha256sum *.root *.verity *.efi *.tar.xz > SHA256SUMS popd diff --git a/pkgs/rootfs/mkinitrd.nix b/pkgs/rootfs/mkinitrd.nix index c46ed9d..cdbfe11 100644 --- a/pkgs/rootfs/mkinitrd.nix +++ b/pkgs/rootfs/mkinitrd.nix @@ -1,6 +1,5 @@ { pkgs, - patosPkgs, runCommand, ... }: @@ -21,7 +20,7 @@ mkdir -p $out/root pushd $out/root ### copy rootfs -cp -prP ${patosPkgs.rootfs}/* . +cp -prP ${pkgs.patos.rootfs}/* . find . -type d -exec chmod 755 {} \; mkdir sysroot 
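Review bot: `--linux ${pkgs.patos.kernel}/bzImage` and the `$microcode` argument in the `ukify build` call are x86-specific, so the path the new `image-aarch64` output takes through this script cannot produce a bootable UKI — aarch64 kernel builds emit `Image`/`Image.gz`, and the microcode is presumably selected from `cpuArch = "intel"` (the kernel package's output name for aarch64 is not visible here). If the cross output is meant to be real, select the artifact by platform, e.g. `kernelImage = if pkgs.stdenv.hostPlatform.isx86 then "bzImage" else "Image";` and `--linux ${pkgs.patos.kernel}/${kernelImage}`, and skip `$microcode` when the target is not x86; otherwise a comment on this line saying the aarch64 image is not yet supported would stop the next reader from trusting its output. The runCommand script this hunk belongs to continues outside the hunk.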
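Review bot: dropping `rootfs` from `rm -rf rootfs init.repart.d final.repart.d *.json` keeps the entire extracted root tree in the image derivation's output next to the artifacts that are actually shipped, and nothing in the commit says why. That tree contains the `etc/shadow` that mkrootfs.nix generates from `defaultPassword` (the `chmod 600` there does not survive the Nix store, where every file is world-readable), so the hash now lives in a second store path and in any binary cache that receives the image output — it is already exposed via the `pkgs.patos.rootfs` path, but this widens it — and it is also not covered by the `sha256sum ... > SHA256SUMS` line. If the copy is intentional, add a comment such as `# rootfs/ is kept for inspection only and is not part of the shipped image` and consider deleting `rootfs/etc/shadow` from it; otherwise restore `rootfs` to the `rm -rf` line.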
diff --git a/pkgs/rootfs/mkrootfs.nix b/pkgs/rootfs/mkrootfs.nix index 4818478..ed34662 100644 --- a/pkgs/rootfs/mkrootfs.nix +++ b/pkgs/rootfs/mkrootfs.nix @@ -1,6 +1,5 @@ { pkgs, - patosPkgs, version, runCommand, }: @@ -32,7 +31,7 @@ ln -sf /tmp $out/var/tmp ln -sf ../proc/self/mounts $out/etc/mtab ### install systemd -cp -Pr ${patosPkgs.systemd}/* $out/ +cp -Pr ${pkgs.patos.systemd}/* $out/ find $out -type d -exec chmod 755 {} \; rm -rf $out/usr/include rm -rf $out/usr/sbin 
@@ -137,33 +136,33 @@ ManagerEnvironment=PATH=/bin:/sbin:/usr/bin SYSTEMD_CRYPTTAB=/run/crypttab SYSTE EOF ### install PatOS glibc -cp -P ${patosPkgs.glibc}/lib/*.so* $out/usr/lib/ +cp -P ${pkgs.patos.glibc}/lib/*.so* $out/usr/lib/ ### install openssl -cp -P ${patosPkgs.openssl}/lib/*.so* $out/usr/lib/ -cp -Pr ${patosPkgs.openssl}/etc/ssl $out/etc/ +cp -P ${pkgs.patos.openssl}/lib/*.so* $out/usr/lib/ +cp -Pr ${pkgs.patos.openssl}/etc/ssl $out/etc/ ### install busybox -cp ${patosPkgs.busybox}/bin/busybox $out/usr/bin/ +cp ${pkgs.patos.busybox}/bin/busybox $out/usr/bin/ $out/usr/bin/busybox --list | xargs -I {} ln -sf busybox $out/usr/bin/{} ### install dbus broker -cp -r ${patosPkgs.dbus-broker}/* $out/ +cp -r ${pkgs.patos.dbus-broker}/* $out/ ### install kexec -cp -Pr ${patosPkgs.kexec}/sbin/kexec $out/usr/bin/ +cp -Pr ${pkgs.patos.kexec}/sbin/kexec $out/usr/bin/ ### install dmsetup udev rules -cp -P ${patosPkgs.lvm2}/usr/bin/dmsetup $out/usr/bin/ -cp -P ${patosPkgs.lvm2}/lib/libdevmapper.so* $out/usr/lib/ -cp -P ${patosPkgs.lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/ +cp -P ${pkgs.patos.lvm2}/usr/bin/dmsetup $out/usr/bin/ +cp -P ${pkgs.patos.lvm2}/lib/libdevmapper.so* $out/usr/lib/ +cp -P ${pkgs.patos.lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/ ### install btrfs progs cp -Pr ${pkgs.btrfs-progs}/bin/* $out/usr/bin/ cp -Pr ${pkgs.btrfs-progs}/lib/* $out/usr/lib/ ### install tpm2 libs -cp -P ${patosPkgs.tpm2-tss}/lib/*.so* $out/usr/lib/ +cp -P ${pkgs.patos.tpm2-tss}/lib/*.so* $out/usr/lib/ ### install lib kmod cp -P ${pkgs.kmod.lib}/lib/*.so* $out/usr/lib/ 
@@ -194,22 +193,22 @@ ln -sf ../cert.pem $out/etc/ssl/certs/ca-bundle.crt rm -rf $out/usr/lib/pkgconfig # setup default files -${patosPkgs.systemd}/usr/bin/systemd-hwdb --root=$out --usr update -${patosPkgs.systemd}/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf --create +${pkgs.patos.systemd}/usr/bin/systemd-hwdb --root=$out --usr update +${pkgs.patos.systemd}/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf --create cp $out/usr/share/factory/etc/nsswitch.conf $out/etc/ cp $out/usr/share/factory/etc/locale.conf $out/etc/ cp $out/usr/share/factory/etc/vconsole.conf $out/etc/ # install sys users mkdir creds echo -n ${defaultPassword} > creds/passwd.plaintext-password.root -CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' ${patosPkgs.systemd}/usr/bin/systemd-sysusers --root=$out rootfs/usr/lib/sysusers.d/*.conf +CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' ${pkgs.patos.systemd}/usr/bin/systemd-sysusers --root=$out rootfs/usr/lib/sysusers.d/*.conf chmod 600 $out/etc/shadow rm -rf creds # Ephemeral machine-id until registration # ln -sf /run/machine-id $out/etc/machine-id # FIXME: above line does not work in systemd > 257 -${patosPkgs.systemd}/usr/bin/systemd-machine-id-setup --root=$out +${pkgs.patos.systemd}/usr/bin/systemd-machine-id-setup --root=$out ### Find and install all shared libs find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \ 
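Review bot: `${pkgs.patos.systemd}/usr/bin/systemd-hwdb`, `systemd-tmpfiles`, `systemd-sysusers` and `systemd-machine-id-setup` are executed on the builder, so once this file is reached through `pkgsCross.callPackage` they resolve to target-architecture binaries that will not run on an x86 host; the executed tools should come from `pkgs.buildPackages.patos.systemd` while the files copied into `$out` keep coming from `pkgs.patos.systemd`. The `systemd-sysusers --root=$out rootfs/usr/lib/sysusers.d/*.conf` argument also looks relative to the builder's working directory while every other path in this script is under `$out` — worth confirming that glob actually matches, since an unmatched glob is passed literally. Unrelated to this commit but adjacent: `echo -n ${defaultPassword} > creds/passwd.plaintext-password.root` interpolates the plaintext password into the builder script, so it is readable from the .drv in the store; a comment stating that `defaultPassword` is a throwaway value would make that explicit. The runCommand script continues outside the hunk.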
@@ -219,15 +218,17 @@ find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \ find $out -type f -executable -exec chmod 755 {} \; # patch ELFs +interpreter=$(patchelf --print-interpreter $out/usr/bin/busybox) +ldLinux=$(basename $interpreter) find $out -type f -executable -exec patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd:/usr/lib/cryptsetup {} \; -find $out -type f -executable -exec patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 {} \; -patchelf --remove-rpath $out/usr/lib/ld-linux-x86-64.so.2 +find $out -type f -executable -exec patchelf --set-interpreter /lib/$ldLinux {} \; +patchelf --remove-rpath $out/usr/lib/$ldLinux # strip binaries find $out -type f -executable -exec $STRIP {} \; find $out -type d -exec chmod 755 {} \; # install kernel modules -cp -r ${patosPkgs.kernel}/lib/modules $out/usr/lib/ +cp -r ${pkgs.patos.kernel}/lib/modules $out/usr/lib/ find $out/usr/lib/modules -type d -exec chmod 755 {} \; ''
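Review bot: `interpreter=$(patchelf --print-interpreter $out/usr/bin/busybox)` only yields a loader name if busybox is dynamically linked; a statically linked busybox (a common configuration) has no PT_INTERP, `patchelf` errors out, and the build aborts — if the builder runs with `set -e` as stdenv's does — with a message that does not point at the cause, while without `set -e` `$ldLinux` would be empty and the later `--set-interpreter /lib/` and `patchelf --remove-rpath $out/usr/lib/` would run with a bare directory. Deriving the name from the glibc that is actually installed is more direct and documents the dependency, e.g. `ldLinux=$(basename "$(ls ${pkgs.patos.glibc}/lib/ld-linux-*.so.*)")` followed by `[ -n "$ldLinux" ] || { echo "no dynamic loader found in glibc" >&2; exit 1; }`; whichever source is kept, quote the expansions (`/lib/"$ldLinux"`, `$out/usr/lib/"$ldLinux"`). The surrounding `find ... -exec patchelf ... {} \;` lines still apply to every executable including shell scripts and the loader itself, and `find` discards patchelf's exit status, so failures there stay silent — pre-existing, but a comment noting that this is intentional would help. The runCommand script this hunk belongs to starts outside the hunk.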