fix(image): image need to include devicemapper setup tools and udev rules

flake.nix

@@ -37,6 +37,7 @@
           kernel = pkgs.callPackage ./pkgs/kernel { };
           glibc = pkgs.callPackage ./pkgs/glibc { };
           kexec = pkgs.callPackage ./pkgs/kexec-tools { };
+          lvm2 = pkgs.callPackage ./pkgs/lvm2 { };
           tpm2-tools = pkgs.callPackage ./pkgs/tpm2-tools { inherit patosPkgs; };
           tpm2-tss = pkgs.callPackage ./pkgs/tpm2-tss { };
           systemd = pkgs.callPackage ./pkgs/systemd { };

pkgs/kernel/generic.config

@@ -2213,7 +2213,7 @@ CONFIG_TCG_CRB=y
 CONFIG_TCG_TIS_CORE=y
 CONFIG_TCG_TIS=y
 CONFIG_TCG_TPM=y
-CONFIG_TCG_TPM2_HMAC=y
+CONFIG_TCG_TPM2_HMAC=n
 CONFIG_TCP_CONG_ADVANCED=y
 CONFIG_TCP_CONG_BBR=y
 CONFIG_TCP_CONG_CUBIC=y

pkgs/lvm2/default.nix

@@ -0,0 +1,66 @@
+{
+  stdenv,
+  fetchurl,
+  lib,
+  pkg-config,
+  libaio,
+  udev,
+}:
+
+stdenv.mkDerivation rec {
+  pname = "lvm2";
+  version = "2.03.30";
+
+  src = fetchurl {
+    urls = [
+      "https://mirrors.kernel.org/sourceware/lvm2/LVM2.${version}.tgz"
+      "ftp://sourceware.org/pub/lvm2/LVM2.${version}.tgz"
+    ];
+    hash = "sha256-rXar7LjciHcz4GxEnLmt0Eo1BvnweAwSiBem4aF87AU=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+  ];
+  buildInputs = [
+      libaio
+      udev
+  ];
+
+  configureFlags = [
+    "--prefix=/"
+    "--sbindir=/usr/bin"
+    "--sysconfdir=/etc"
+    "--localstatedir=/var"
+    "--enable-cmdlib"
+    "--enable-dmeventd"
+    "--enable-lvmpolld"
+    "--enable-pkgconfig"
+    "--enable-udev_rules"
+    "--enable-udev_sync"
+    "--enable-write_install"
+    "--with-cache=internal"
+    "--with-thin=internal"
+  ];
+
+  preInstall = ''
+    mkdir -p $out
+    export DESTDIR=$out
+  '';
+  doCheck = false;
+
+  meta = with lib; {
+    homepage = "http://sourceware.org/lvm2/";
+    description = "Tools to support Logical Volume Management (LVM) on Linux";
+    platforms = platforms.linux;
+    license = with licenses; [
+      gpl2Only
+      bsd2
+      lgpl21
+    ];
+    maintainers = with maintainers; [
+      raskin
+      ajs124
+    ];
+  };
+}

pkgs/rootfs/default.nix

@@ -29,6 +29,8 @@ stdenvNoCC.mkDerivation (finalAttrs: {
   tpm2Libs = patosPkgs.tpm2-tss.out;
   tpm2Tools = patosPkgs.tpm2-tools.out;
   kexec = patosPkgs.kexec.out;
+  lvm2 = patosPkgs.lvm2.out;
+  cryptsetup = pkgs.cryptsetup.bin;
 
   builder = ./mkrootfs.sh;
 })

pkgs/rootfs/mkrootfs.sh

@@ -15,6 +15,7 @@ cp -Pr $systemd/* $out/
 find $out -type d -exec chmod 755 {} \;
 rm -rf $out/usr/include
 rm -rf $out/usr/sbin
+ln -sf /usr/bin $out/usr/sbin
 rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service
 rm -f $out/usr/lib/systemd/ukify
 rm -f $out/usr/bin/ukify
@@ -52,6 +53,13 @@ cat <<EOF > $out/etc/repart.d/22-root.conf
 Type=root
 EOF
 
+mkdir $out/usr/lib/systemd/system/systemd-repart.service.d
+cat <<EOF > $out/usr/lib/systemd/system/systemd-repart.service.d/override.conf
+[Service]
+ExecStart=
+ExecStart=systemd-repart --dry-run=no --generate-crypttab=/etc/crypttab
+EOF
+
 cat <<EOF > $out/etc/repart.d/40-var.conf
 [Partition]
 Type=var
@@ -59,26 +67,28 @@ UUID=4d21b016-b534-45c2-a9fb-5c16e091fd2d
 Format=btrfs
 Label=patos-state
 Minimize=off
+Encrypt=tpm2
+EncryptedVolume=patos-state:none:tpm2-device=auto,luks,discard
 FactoryReset=yes
 SizeMinBytes=1G
 SplitName=-
 EOF
 
-cat <<EOF > $out/usr/lib/systemd/system/var.mount
-[Unit]
-Description=Mount for /var
-Before=local-fs.target
-After=systemd-repart.service
-
-[Mount]
-What=/dev/disk/by-label/patos-state
-Where=/var
-Type=btrfs
-Options=defaults
-
-[Install]
-WantedBy=multi-user.target
-EOF
+# cat <<EOF > $out/usr/lib/systemd/system/var.mount
+# [Unit]
+# Description=Mount for /var
+# Before=local-fs.target
+# After=systemd-repart.service
+#
+# [Mount]
+# What=/dev/mapper/patos-state
+# Where=/var
+# Type=btrfs
+# Options=defaults
+#
+# [Install]
+# WantedBy=multi-user.target
+# EOF
 
 cat <<EOF > $out/usr/lib/systemd/system/etc.mount
 [Unit]
@@ -112,6 +122,11 @@ cp -r $dbusBroker/* $out/
 ### install kexec
 cp -Pr ${kexec}/sbin/kexec $out/usr/bin/
 
+### install dmsetup udev rules
+cp -P ${lvm2}/usr/bin/dmsetup $out/usr/bin/
+cp -P ${lvm2}/lib/libdevmapper.so* $out/usr/lib/
+cp -P ${lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/
+
 ### install btrfs progs
 cp -Pr ${btrfs}/bin/* $out/usr/bin/
 cp -Pr ${btrfs}/lib/* $out/usr/lib/
@@ -120,6 +135,9 @@ cp -Pr ${btrfs}/lib/* $out/usr/lib/
 cp -P ${tpm2Tools}/bin/* $out/usr/bin/
 cp -P ${tpm2Libs}/lib/*.so* $out/usr/lib/
 
+### install cryptsetup tools
+cp -P $cryptsetup/bin/* $out/usr/bin/
+
 ### install lib kmod
 cp -P $kmodLibs/lib/* $out/usr/lib
 cp -P $kmodBin/bin/* $out/usr/bin
@@ -193,11 +211,11 @@ EOF
 chmod 644 $out/etc/group
 
 ### Find and install all shared libs
-find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | grep -v systemd | grep -v glibc | grep -v tpm2 | sort -u | xargs cp -t $out/usr/lib
+find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | grep -v systemd | grep -v glibc | grep -v tpm2 | grep -v devmapper | sort -u | xargs -I {} cp {} $out/usr/lib/
 find $out -type f -executable -exec chmod 755 {} \;
 
 # FIXME: ELF patching. Is there a better way?
-find $out -type f -executable -exec patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd {} \;
+find $out -type f -executable -exec patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd:/usr/lib/cryptsetup {} \;
 find $out -type f -executable -exec patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 {} \;
 patchelf --remove-rpath $out/usr/lib/ld-linux-x86-64.so.2
 

utils/qemu-uefi-tpm.nix

@@ -24,7 +24,7 @@ pkgs.writeShellApplication {
       swtpm socket -d --tpmstate dir="$state" \
         --ctrl type=unixio,path="$state/swtpm-sock" \
         --tpm2 \
-        --log level=20
+        --log file="$state/swtpm.log",level=20
 
       qemu-system-x86_64 \
         -enable-kvm \