diff --git a/flake.nix b/flake.nix
index 071ae56..5c76b2f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -37,6 +37,7 @@
 kernel = pkgs.callPackage ./pkgs/kernel { };
 glibc = pkgs.callPackage ./pkgs/glibc { };
 kexec = pkgs.callPackage ./pkgs/kexec-tools { };
+ lvm2 = pkgs.callPackage ./pkgs/lvm2 { };
 tpm2-tools = pkgs.callPackage ./pkgs/tpm2-tools { inherit patosPkgs; };
 tpm2-tss = pkgs.callPackage ./pkgs/tpm2-tss { };
 systemd = pkgs.callPackage ./pkgs/systemd { };
diff --git a/pkgs/kernel/generic.config b/pkgs/kernel/generic.config
index c717915..0220e23 100644
--- a/pkgs/kernel/generic.config
+++ b/pkgs/kernel/generic.config
@@ -2213,7 +2213,7 @@ CONFIG_TCG_CRB=y
 CONFIG_TCG_TIS_CORE=y
 CONFIG_TCG_TIS=y
 CONFIG_TCG_TPM=y
-CONFIG_TCG_TPM2_HMAC=y
+CONFIG_TCG_TPM2_HMAC=n
 CONFIG_TCP_CONG_ADVANCED=y
 CONFIG_TCP_CONG_BBR=y
 CONFIG_TCP_CONG_CUBIC=y
diff --git a/pkgs/lvm2/default.nix b/pkgs/lvm2/default.nix
new file mode 100644
index 0000000..f211e26
--- /dev/null
+++ b/pkgs/lvm2/default.nix
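Review bot: Flipping `CONFIG_TCG_TPM2_HMAC` to `n` switches off the kernel's HMAC-authenticated, parameter-encrypted sessions for kernel-originated TPM traffic (trusted keys, TPM-seeded RNG), which is the in-kernel defence against a bus interposer sniffing or spoofing the SPI/LPC link; it does not cover userspace callers such as systemd-repart/cryptsetup or tpm2-tools, which must bring their own encrypted sessions. That distinction matters now that this commit makes the TPM the only key holder for the `/var` LUKS volume, so the reason for disabling it should sit next to the line rather than be inferred later: `# TCG_TPM2_HMAC off: <reason, e.g. boot-time slowdown on this kernel>; drops kernel-side interposer protection, userspace TPM sessions unaffected - revisit`. If this is a workaround for the slow-boot/compat problems that option had on early 6.10-era kernels, say so, so it gets re-enabled once the kernel is bumped. Consider also writing it as `# CONFIG_TCG_TPM2_HMAC is not set`, the form `make olddefconfig` emits, so the file does not churn on the next regeneration.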
@@ -0,0 +1,66 @@
+{
+ stdenv,
+ fetchurl,
+ lib,
+ pkg-config,
+ libaio,
+ udev,
+}:
+
+stdenv.mkDerivation rec {
+ pname = "lvm2";
+ version = "2.03.30";
+
+ src = fetchurl {
+ urls = [
+ "https://mirrors.kernel.org/sourceware/lvm2/LVM2.${version}.tgz"
+ "ftp://sourceware.org/pub/lvm2/LVM2.${version}.tgz"
+ ];
+ hash = "sha256-rXar7LjciHcz4GxEnLmt0Eo1BvnweAwSiBem4aF87AU=";
+ };
+
+ nativeBuildInputs = [
+ pkg-config
+ ];
+ buildInputs = [
+ libaio
+ udev
+ ];
+
+ configureFlags = [
+ "--prefix=/"
+ "--sbindir=/usr/bin"
+ "--sysconfdir=/etc"
+ "--localstatedir=/var"
+ "--enable-cmdlib"
+ "--enable-dmeventd"
+ "--enable-lvmpolld"
+ "--enable-pkgconfig"
+ "--enable-udev_rules"
+ "--enable-udev_sync"
+ "--enable-write_install"
+ "--with-cache=internal"
+ "--with-thin=internal"
+ ];
+
+ preInstall = ''
+ mkdir -p $out
+ export DESTDIR=$out
+ '';
+ doCheck = false;
+
+ meta = with lib; {
+ homepage = "http://sourceware.org/lvm2/";
+ description = "Tools to support Logical Volume Management (LVM) on Linux";
+ platforms = platforms.linux;
+ license = with licenses; [
+ gpl2Only
+ bsd2
+ lgpl21
+ ];
+ maintainers = with maintainers; [
+ raskin
+ ajs124
+ ];
+ };
+}
diff --git a/pkgs/rootfs/default.nix b/pkgs/rootfs/default.nix
index 4d7768b..20fe642 100644
--- a/pkgs/rootfs/default.nix
+++ b/pkgs/rootfs/default.nix
@@ -29,6 +29,8 @@ stdenvNoCC.mkDerivation (finalAttrs: {
 tpm2Libs = patosPkgs.tpm2-tss.out;
 tpm2Tools = patosPkgs.tpm2-tools.out;
 kexec = patosPkgs.kexec.out;
+ lvm2 = patosPkgs.lvm2.out;
+ cryptsetup = pkgs.cryptsetup.bin;
 builder = ./mkrootfs.sh;
 })
diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh
index 7d94052..538a7c9 100644
--- a/pkgs/rootfs/mkrootfs.sh
+++ b/pkgs/rootfs/mkrootfs.sh
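Review bot: The derivation builds far more than the image consumes: `--enable-dmeventd`, `--enable-lvmpolld`, `--enable-cmdlib` and the thin/cache targets produce daemons and the full `lvm` tool set, while the rest of this diff copies only `dmsetup`, `libdevmapper.so*` and the udev rules out of `${lvm2}`. For an appliance image that is extra build surface with no consumer, so either trim the flags to the device-mapper pieces (`--disable-dmeventd --disable-lvmpolld`, and check whether `--enable-udev_rules` can be limited to the dm rules) or state the intent at the top of the file: `# Built only for dmsetup + libdevmapper (and the dm udev rules) consumed by pkgs/rootfs; LVM daemons are not shipped`. The `--prefix=/` plus `DESTDIR=$out` layout is also what makes the binaries land at `${lvm2}/usr/bin` but the library at `${lvm2}/lib`, which is worth a one-line comment since every consumer has to know both paths. The `meta.maintainers` entries are nixpkgs' maintainers copied over; for a vendored fork they should be the people maintaining this copy, or dropped.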
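Review bot: `cryptsetup = pkgs.cryptsetup.bin` is the only input here taken from nixpkgs rather than `patosPkgs`; that binary is linked against nixpkgs' glibc, but mkrootfs.sh rewrites its interpreter and rpath to the image's own `/lib` glibc and filters glibc out of the library harvest, so it only runs as long as the two glibc builds stay ABI-compatible, and nothing checks that. Prefer a `patosPkgs.cryptsetup` built against the same toolchain as `glibc`/`systemd`, or pin the assumption in place: `# nixpkgs cryptsetup: assumes its glibc ABI matches patosPkgs.glibc (see the ldd harvest in mkrootfs.sh)`. Note also that only the `.bin` output is referenced; libcryptsetup itself is not in that output and is picked up indirectly by the ldd pass, which is worth saying so nobody "fixes" the harvest and loses it. The enclosing `mkDerivation` attribute set starts before this hunk.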
@@ -15,6 +15,7 @@ cp -Pr $systemd/* $out/ find $out -type d -exec chmod 755 {} \; rm -rf $out/usr/include rm -rf $out/usr/sbin +ln -sf /usr/bin $out/usr/sbin rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service rm -f $out/usr/lib/systemd/ukify rm -f $out/usr/bin/ukify @@ -52,6 +53,13 @@ cat < $out/etc/repart.d/22-root.conf Type=root EOF +mkdir $out/usr/lib/systemd/system/systemd-repart.service.d +cat < $out/usr/lib/systemd/system/systemd-repart.service.d/override.conf +[Service] +ExecStart= +ExecStart=systemd-repart --dry-run=no --generate-crypttab=/etc/crypttab +EOF + cat < $out/etc/repart.d/40-var.conf [Partition] Type=var @@ -59,26 +67,28 @@ UUID=4d21b016-b534-45c2-a9fb-5c16e091fd2d Format=btrfs Label=patos-state Minimize=off +Encrypt=tpm2 +EncryptedVolume=patos-state:none:tpm2-device=auto,luks,discard FactoryReset=yes SizeMinBytes=1G SplitName=- EOF -cat < $out/usr/lib/systemd/system/var.mount -[Unit] -Description=Mount for /var -Before=local-fs.target -After=systemd-repart.service - -[Mount] -What=/dev/disk/by-label/patos-state -Where=/var -Type=btrfs -Options=defaults - -[Install] -WantedBy=multi-user.target -EOF +# cat < $out/usr/lib/systemd/system/var.mount +# [Unit] +# Description=Mount for /var +# Before=local-fs.target +# After=systemd-repart.service +# +# [Mount] +# What=/dev/mapper/patos-state +# Where=/var +# Type=btrfs +# Options=defaults +# +# [Install] +# WantedBy=multi-user.target +# EOF cat < $out/usr/lib/systemd/system/etc.mount [Unit] @@ -112,6 +122,11 @@ cp -r $dbusBroker/* $out/ ### install kexec cp -Pr ${kexec}/sbin/kexec $out/usr/bin/ +### install dmsetup udev rules +cp -P ${lvm2}/usr/bin/dmsetup $out/usr/bin/ +cp -P ${lvm2}/lib/libdevmapper.so* $out/usr/lib/ +cp -P ${lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/ + ### install btrfs progs cp -Pr ${btrfs}/bin/* $out/usr/bin/ cp -Pr ${btrfs}/lib/* $out/usr/lib/ 
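Review bot: The TPM2 unlock policy for the new `Encrypt=tpm2` volume is decided on this `ExecStart=` line, not in the repart.d conf, and it is left at the default; systemd-repart(8) describes that default as PCR 7 only (Secure Boot state) with no signed-policy or PIN binding, if I read it correctly. PCR 7 alone means any other OS signed by a certificate in the same `db` reproduces the policy and can unseal `/var`, so for a TPM-as-only-key design bind the UKI too, e.g. `ExecStart=systemd-repart --dry-run=no --generate-crypttab=/etc/crypttab --tpm2-pcrs=7 --tpm2-public-key=/usr/lib/systemd/tpm2-pcr-public-key.pem` (or `--tpm2-pcrlock=`), and say in the drop-in which policy is intended. Two more things to confirm: the override drops whatever flags this systemd version's stock `systemd-repart.service` passes, so check the upstream ExecStart before resetting it; and `/etc/crypttab` is read by `systemd-cryptsetup-generator`, which has already run when repart writes the file, so the generated entry takes effect only after a `daemon-reload` or the next boot, and with `etc.mount` defined later in this script it should be clear whether repart is ordered after `/etc` is writable. A comment on the `--generate-crypttab` line stating how the first boot is expected to unlock and mount `patos-state` would remove the guesswork.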
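Review bot: `EncryptedVolume=patos-state:none:tpm2-device=auto,luks,discard` passes TRIM through dm-crypt, which reveals which sectors of the encrypted `/var` are in use to anyone who can read the disk; that is a known and often acceptable trade-off for SSD wear, but for the one encrypted state volume of the system it should be a recorded decision, e.g. `# discard: exposes fs allocation pattern to the raw disk, accepted for SSD wear` next to the line. The `var.mount` unit is commented out rather than removed, and nothing in this diff replaces it, so what mounts `/dev/mapper/patos-state` on `/var` after repart unlocks it is not visible here; if the intent is to rely on `systemd-gpt-auto-generator`, note that recent systemd only auto-mounts a `var` partition whose UUID matches the machine-id-derived one, if I remember the rule correctly, and the fixed `UUID=` above would need to be chosen accordingly. Either delete the dead unit text or leave a one-line comment saying which mechanism now owns the `/var` mount.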
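Review bot: `cp -P ${lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/` copies every rule LVM2 installs, and with `--enable-udev_rules` that set includes the LVM-specific `11-dm-lvm.rules`/`69-dm-lvm.rules` alongside the device-mapper ones, as far as I remember the upstream `udev/Makefile`; those LVM rules invoke the `lvm` binary, which this script never copies, so every block-device event in the image would run a missing program and either log failures or silently skip the import. Copy only what `dmsetup`/libdevmapper need and name them: `cp -P ${lvm2}/lib/udev/rules.d/{10-dm.rules,13-dm-disk.rules,95-dm-notify.rules} $out/usr/lib/udev/rules.d/`, after checking the exact file names produced by this build. The section header `### install dmsetup udev rules` also understates what it does (it ships the binary and the library); something like `### install dmsetup, libdevmapper and the dm udev rules (LVM itself is not shipped)` would match the code.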
@@ -120,6 +135,9 @@ cp -Pr ${btrfs}/lib/* $out/usr/lib/ cp -P ${tpm2Tools}/bin/* $out/usr/bin/ cp -P ${tpm2Libs}/lib/*.so* $out/usr/lib/ +### install cryptsetup tools +cp -P $cryptsetup/bin/* $out/usr/bin/ + ### install lib kmod cp -P $kmodLibs/lib/* $out/usr/lib cp -P $kmodBin/bin/* $out/usr/bin @@ -193,11 +211,11 @@ EOF chmod 644 $out/etc/group ### Find and install all shared libs -find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | grep -v systemd | grep -v glibc | grep -v tpm2 | sort -u | xargs cp -t $out/usr/lib +find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | grep -v systemd | grep -v glibc | grep -v tpm2 | grep -v devmapper | sort -u | xargs -I {} cp {} $out/usr/lib/ find $out -type f -executable -exec chmod 755 {} \; # FIXME: ELF patching. Is there a better way? -find $out -type f -executable -exec patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd {} \; +find $out -type f -executable -exec patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd:/usr/lib/cryptsetup {} \; find $out -type f -executable -exec patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 {} \; patchelf --remove-rpath $out/usr/lib/ld-linux-x86-64.so.2 diff --git a/utils/qemu-uefi-tpm.nix b/utils/qemu-uefi-tpm.nix index bb151c5..0193a27 100644 --- a/utils/qemu-uefi-tpm.nix +++ b/utils/qemu-uefi-tpm.nix @@ -24,7 +24,7 @@ pkgs.writeShellApplication { swtpm socket -d --tpmstate dir="$state" \ --ctrl type=unixio,path="$state/swtpm-sock" \ --tpm2 \ - --log level=20 + --log file="$state/swtpm.log",level=20 qemu-system-x86_64 \ -enable-kvm \
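Review bot: `cp -P $cryptsetup/bin/*` ships the whole CLI set (cryptsetup, veritysetup, integritysetup, cryptsetup-reencrypt and friends), while the unlock path this commit builds goes through systemd-repart and systemd-cryptsetup, which link libcryptsetup directly; as far as this diff shows, none of the CLIs is required at runtime. For a minimal image either copy only what is actually invoked or record why they are kept: `### install cryptsetup CLI tools (debugging/recovery only; unlock uses libcryptsetup via systemd)`. Note that libcryptsetup itself is not copied here but arrives through the ldd harvest further down, and that the `/usr/lib/cryptsetup` rpath entry added below is libcryptsetup's external LUKS2 token plugin directory, which nothing in this diff populates, so that dependency chain deserves a comment where the binaries are copied.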
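Review bot: The `awk '{print $3}'` in the harvest line emits an empty field for the vdso and loader lines and the literal word `not` for a `=> not found` entry; with the new `xargs -I {}` form each of those becomes its own `cp`, so an unresolved library now fails the build by accident rather than by design. Make it explicit, e.g. `awk '$2 == "=>" && $3 ~ /^\// {print $3}'` to keep only resolved paths and a separate `if ldd ... | grep -q 'not found'; then exit 1; fi` with a comment saying a missing library is fatal. Two things the grep filters hide: `grep -v glibc` matches on the store path, so every non-glibc library resolved on the build host (now also the nixpkgs cryptsetup's libssl/libcrypto, json-c, argon2, ...) is copied and re-linked against the image's own glibc, and `ldd` executes the binary's dynamic loader, which is fine for our own build outputs but is the reason `patchelf --print-needed`/`objdump -p` are the hermetic alternatives. The rpath string itself is all absolute system paths, which is the right choice; a comment explaining why `/usr/lib/cryptsetup` (LUKS2 token plugins) is in it would help the next reader.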
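Review bot: `--log file="$state/swtpm.log",level=20` persists swtpm's most verbose log next to the TPM state; at that level swtpm dumps the raw command and response buffers, if I recall its level semantics, so every unseal of the `/var` volume key that is not parameter-encrypted by the caller (systemd's own sessions are, plain `tpm2_unseal` from tpm2-tools typically is not) lands in that file in cleartext, and the file grows across runs. This is a development helper, so it is acceptable, but mark it: `# level=20 logs full TPM command/response payloads (incl. unseal results); treat $state as secret, never share it`, and consider a lower default level with 20 behind an opt-in variable. The `pkgs.writeShellApplication` body starts before this hunk.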