diff --git a/.gitignore b/.gitignore
index 97ab6ac..6833589 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,7 @@
 /result
 /target
 /out
+/initrd.gz
 .*.swp
 .*.swo
 .nixos-test-history
diff --git a/pkgs/dbus-broker/default.nix b/dbus-broker/default.nix
similarity index 92%
rename from pkgs/dbus-broker/default.nix
rename to dbus-broker/default.nix
index 0002d9c..cad66af 100644
--- a/pkgs/dbus-broker/default.nix
+++ b/dbus-broker/default.nix
@@ -100,9 +100,14 @@ in
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "dbus-broker";
-  version = pkgs.dbus-broker.version;
+  version = "36";
 
-  src = pkgs.dbus-broker.src;
+  src = fetchFromGitHub {
+    owner = "bus1";
+    repo = "dbus-broker";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-5dAMKjybqrHG57vArbtWEPR/svSj2ION75JrjvnnpVM=";
+  };
 
   nativeBuildInputs = with pkgs; [
     docutils
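Review bot: `src = fetchFromGitHub {` introduces a name the old `src = pkgs.dbus-broker.src` never needed, and the derivation's argument set sits above this hunk; confirm `fetchFromGitHub` is declared in the function header (or write `pkgs.fetchFromGitHub`), otherwise evaluation stops on an undefined variable. Pinning `version = "36"` together with a content hash is sound, but the package no longer follows nixpkgs' dbus-broker, so the hash must move with every version bump — a one-line `# update hash together with version` above `version` makes that expectation visible.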
@@ -145,13 +150,9 @@ stdenv.mkDerivation (finalAttrs: {
     mkdir -p $out/usr/share
     cp -Pr ${pkgs.dbus.out}/share/* $out/usr/share/
     cp ${pkgs.dbus.out}/etc/systemd/system/dbus.socket $out/usr/lib/systemd/system/
-    mv $out/usr/lib/systemd/system/dbus-broker.service $out/usr/lib/systemd/system/dbus.service
     find $out/usr/share/ -type d -exec chmod 755 {} \;
     sed -i 's#/nix/store.*/share#/usr/share#' $out/usr/share/xml/dbus-1/catalog.xml
     sed -i 's#/nix/store.*/libexec#/usr/bin#' $out/usr/share/dbus-1/system.conf
-
-    mkdir -p $out/usr/lib/sysusers.d/
-    echo 'u! messagebus - "DBus broker"' > $out/usr/lib/sysusers.d/dbus-broker.conf
   '';
 
   doCheck = false;
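Review bot: With the `mv … dbus-broker.service … dbus.service` line gone, the unit keeps its upstream name while the `dbus.socket` copied two lines earlier is, by systemd's default, activated as `dbus.service`; unless something outside this diff provides that alias, socket activation will not find a service to start. The removed sysusers fragment (`u! messagebus - "DBus broker"`) was the only visible source of the `messagebus` account that the bus runs as after the `sed` on `system.conf` below; if the account now comes from elsewhere, a comment such as `# messagebus user is created by <placeholder: component>` would keep it from being re-added or silently lost. The install script string this hunk edits begins before the hunk.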
diff --git a/flake.lock b/flake.lock
index 3725da4..85be38f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -20,11 +20,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1744932701,
-        "narHash": "sha256-fusHbZCyv126cyArUwwKrLdCkgVAIaa/fQJYFlCEqiU=",
+        "lastModified": 1739020877,
+        "narHash": "sha256-mIvECo/NNdJJ/bXjNqIh8yeoSjVLAuDuTUzAo7dzs8Y=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b024ced1aac25639f8ca8fdfc2f8c4fbd66c48ef",
+        "rev": "a79cfe0ebd24952b580b1cf08cd906354996d547",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index 99fce5b..221d203 100644
--- a/flake.nix
+++ b/flake.nix
@@ -17,69 +17,29 @@
       let
         pkgs = import nixpkgs { inherit system; };
         patosPkgs = self.packages.${system};
-        version = "0.0.1";
-        secureBoot = "false";
-        cpuArch = "intel";
-        updateUrl = "http://10.0.2.2:8000/";
       in
       {
         packages = {
-          default = patosPkgs.image;
-          image = pkgs.callPackage ./pkgs/image { inherit patosPkgs version updateUrl cpuArch secureBoot; };
-          rootfs = pkgs.callPackage ./pkgs/rootfs/mkrootfs.nix { inherit patosPkgs version; };
-          initrd = pkgs.callPackage ./pkgs/rootfs/mkinitrd.nix { inherit patosPkgs version; };
-          kernel = pkgs.callPackage ./pkgs/kernel { };
-          glibc = pkgs.callPackage ./pkgs/glibc { };
-          busybox = pkgs.callPackage ./pkgs/busybox { };
-          openssl = pkgs.callPackage ./pkgs/openssl { };
-          cert = pkgs.callPackage ./pkgs/cert { };
-          kexec = pkgs.callPackage ./pkgs/kexec-tools { };
-          lvm2 = pkgs.callPackage ./pkgs/lvm2 { };
-          tpm2-tools = pkgs.callPackage ./pkgs/tpm2-tools { inherit patosPkgs; };
-          tpm2-tss = pkgs.callPackage ./pkgs/tpm2-tss { };
-          systemd = pkgs.callPackage ./pkgs/systemd { };
-          dbus-broker = pkgs.callPackage ./pkgs/dbus-broker { };
+          default = self.packages.${system}.image;
+          image = pkgs.writeShellScriptBin "image" ''
+            set -ex
+            echo "make UKI..."
 
+            mkdir -p patos/efi/boot
+            ${self.packages.${system}.systemd.out}/usr/bin/ukify build \
+            --linux ${self.packages.${system}.kernel.kernel}/bzImage \
+            --initrd ./initrd.gz \
+            --cmdline "console=ttyS0" \
+            -o patos/efi/boot/bootx64.efi
+          '';
+
+          kernel = pkgs.callPackage ./kernel { };
+          glibc = pkgs.callPackage ./glibc { };
+          systemd = pkgs.callPackage ./systemd { };
+          dbus-broker = pkgs.callPackage ./dbus-broker { };
+
+          mkinitrd = pkgs.callPackage ./utils/mkinitrd.nix { inherit patosPkgs; };
           qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { };
-
-          debug-tools-sysext = pkgs.callPackage ./lib/make-sysext.nix {
-            name = "debug-tools";
-            version = "0.0.1";
-            packages = [
-              { drv = pkgs.curl; path = "bin/curl"; }
-              { drv = pkgs.bash; path = "bin/bash"; }
-              { drv = patosPkgs.glibc; path = "bin/ldd"; }
-              { drv = pkgs.keyutils; path = "bin/keyctl"; }
-              { drv = pkgs.gnutar; path = "bin/tar"; }
-              { drv = pkgs.binutils-unwrapped; path = "bin/strings"; }
-              { drv = pkgs.strace; path = "bin/strace"; }
-              { drv = patosPkgs.tpm2-tools; path = "bin/tpm2"; }
-              { drv = patosPkgs.openssl; path = "bin/openssl"; }
-              { drv = pkgs.cryptsetup; path = "bin/cryptsetup"; }
-              { drv = pkgs.cryptsetup; path = "bin/veritysetup"; }
-              { drv = pkgs.erofs-utils; path = "bin/mkfs.erofs"; }
-              # shared lib required for cryptsetup
-              { drv = pkgs.popt; path = "lib/libpopt.so.0.0.2"; }
-              { drv = pkgs.popt; path = "lib/libpopt.so.0"; }
-              { drv = pkgs.popt; path = "lib/libpopt.so"; }
-              # shared lib required for mkfs.erofs
-              { drv = pkgs.lz4.lib; path = "lib/liblz4.so.1.10.0"; }
-              { drv = pkgs.lz4.lib; path = "lib/liblz4.so.1"; }
-              { drv = pkgs.lz4.lib; path = "lib/liblz4.so"; }
-              # shared lib required for binutils
-              { drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1.0.0"; }
-              { drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1"; }
-              { drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd-2.43.1.so"; }
-              { drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd.so"; }
-              # shared lib required for strace
-              { drv = pkgs.elfutils.out; path = "lib/libdw-0.192.so"; }
-              { drv = pkgs.elfutils.out; path = "lib/libdw.so.1"; }
-              { drv = pkgs.elfutils.out; path = "lib/libdw.so"; }
-              { drv = pkgs.elfutils.out; path = "lib/libelf-0.192.so"; }
-              { drv = pkgs.elfutils.out; path = "lib/libelf.so.1"; }
-              { drv = pkgs.elfutils.out; path = "lib/libelf.so"; }
-            ];
-          };
         };
 
         checks = {
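Review bot: The `image` script embeds `--initrd ./initrd.gz` from whatever working directory it is invoked in; that file is untracked (this commit adds it to .gitignore) and carries no hash, so the resulting UKI is no longer determined by the flake's pinned inputs and two checkouts of the same revision can produce different boot images. If `mkinitrd` (defined just below the script) emits the archive as a derivation output, reference it as a store path; if it is only a dev-shell tool, at least fail before calling ukify with `test -f ./initrd.gz || { echo "initrd.gz not found; run mkinitrd first" >&2; exit 1; }`. Separately, `self.packages.${system}` is spelled out four times here and again in the devShell hunk below, although `patosPkgs` in the `let` above is the same attrset and is still used for `mkinitrd`; `patosPkgs.systemd.out` / `patosPkgs.kernel.kernel` keeps one spelling. The enclosing `let … in` starts before this hunk.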
@@ -93,10 +53,13 @@
 
         devShells.default = pkgs.mkShell {
           buildInputs = with pkgs; [
+            erofs-utils
             just
             nixd
             nixfmt-rfc-style
-            patosPkgs.qemu-uefi-tpm
+            squashfs-tools-ng
+            self.packages.${system}.qemu-uefi-tpm
+            self.packages.${system}.mkinitrd
           ];
         };
 
diff --git a/pkgs/glibc/default.nix b/glibc/default.nix
similarity index 100%
rename from pkgs/glibc/default.nix
rename to glibc/default.nix
diff --git a/kernel/default.nix b/kernel/default.nix
new file mode 100644
index 0000000..e10d25b
--- /dev/null
+++ b/kernel/default.nix
@@ -0,0 +1,16 @@
+{ pkgs, ... }:
+let
+  version = "6.13.2";
+in
+pkgs.linuxPackagesFor (
+  pkgs.linuxManualConfig {
+    version = "${version}-patos1";
+    modDirVersion = version;
+    src = pkgs.fetchurl {
+      url = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${version}.tar.xz";
+      hash = "sha256-zfYpgZBru+lwGutzxPn8yAegmEbCiHMWY9YnF+0a5wU=";
+    };
+    configfile = ./generic.config;
+    allowImportFromDerivation = true;
+  }
+)
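Review bot: `version = "6.13.2"` is older than the `6.14.2` in the `pkgs/kernel/default.nix` this commit deletes, and nothing in the new file explains the step back; a kernel downgrade drops every fix that landed between the two releases, so if it is deliberate (the nixpkgs pin in flake.lock also moves to an older revision) state it above the version, e.g. `# 6.13.2 rather than 6.14.2: <placeholder: reason>`. Switching from the local `manual-config.nix` to `pkgs.linuxManualConfig` with `allowImportFromDerivation = true` also means the config is parsed by a derivation at evaluation time, as the deleted `readConfig` helper showed, so a short comment warning that evaluation now builds something would spare the next person debugging a slow `nix flake show`.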
diff --git a/pkgs/kernel/generic.config b/kernel/generic.config
similarity index 99%
rename from pkgs/kernel/generic.config
rename to kernel/generic.config
index 4c67b0a..7e0325c 100644
--- a/pkgs/kernel/generic.config
+++ b/kernel/generic.config
@@ -276,7 +276,7 @@ CONFIG_BRIDGE_VLAN_FILTERING=y
 CONFIG_BRIDGE=y
 CONFIG_BSD_DISKLABEL=y
 CONFIG_BSD_PROCESS_ACCT=y
-CONFIG_BTRFS_FS=y
+CONFIG_BTRFS_FS=m
 CONFIG_BTRFS_FS_POSIX_ACL=y
 CONFIG_BUFFER_HEAD=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
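Review bot: `CONFIG_BTRFS_FS=m` is the first of a run of built-in→module switches in this file (`CONFIG_CRYPTO_BLAKE2B`, `CONFIG_DM_VERITY`, `CONFIG_ENCRYPTED_KEYS`, `CONFIG_RAID6_PQ`, `CONFIG_XOR_BLOCKS` in the hunks below); anything needed before the root filesystem is mounted must now be shipped in the `./initrd.gz` that flake.nix hands to ukify, and that archive's contents are not part of this diff. BLAKE2B, RAID6_PQ and XOR_BLOCKS appear to be selected by btrfs, so moving them together is consistent; DM_VERITY is the one to double-check, since a verity-protected root cannot be opened by a module stored on that root. A comment at the top of the file listing which modules the initrd is expected to carry would make the split auditable.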
@@ -426,7 +426,7 @@ CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=y
 CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519=y
 CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=y
 CONFIG_CRYPTO_AUTHENC=y
-CONFIG_CRYPTO_BLAKE2B=y
+CONFIG_CRYPTO_BLAKE2B=m
 CONFIG_CRYPTO_BLAKE2S_X86=y
 CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CCM=y
@@ -522,7 +522,11 @@ CONFIG_DEBUG_BUGVERBOSE=y
 CONFIG_DEBUG_ENTRY=y
 CONFIG_DEBUG_FS_ALLOW_ALL=y
 CONFIG_DEBUG_FS=y
-CONFIG_DEBUG_INFO=n
+CONFIG_DEBUG_INFO_BTF_MODULES=y
+CONFIG_DEBUG_INFO_BTF=y
+CONFIG_DEBUG_INFO_COMPRESSED_NONE=y
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
+CONFIG_DEBUG_INFO=y
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_MISC=y
@@ -587,8 +591,7 @@ CONFIG_DM_SWITCH=m
 CONFIG_DM_THIN_PROVISIONING=m
 CONFIG_DM_UNSTRIPED=m
 CONFIG_DM_VDO=m
-CONFIG_DM_VERITY=y
-CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
+CONFIG_DM_VERITY=m
 CONFIG_DM_WRITECACHE=m
 CONFIG_DM_ZERO=y
 CONFIG_DM_ZONED=m
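Review bot: `CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y` is removed outright rather than kept alongside the module build, so even when dm-verity is loaded from the initrd the kernel will no longer check a signature over the root hash; that option was the piece tying the image's root hash to a trusted key, and nothing here says the drop is intended. If the verity root pipeline (the deleted `pkgs/image/default.nix`) is expected to return, keep `CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y` next to `CONFIG_DM_VERITY=m`; otherwise a `# roothash signature check disabled: <placeholder: reason>` line documents the decision.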
@@ -643,7 +646,7 @@ CONFIG_ELF_CORE=y
 CONFIG_ELFCORE=y
 CONFIG_ENA_ETHERNET=y
 CONFIG_ENCLOSURE_SERVICES=y
-CONFIG_ENCRYPTED_KEYS=y
+CONFIG_ENCRYPTED_KEYS=m
 CONFIG_ENIC=m
 CONFIG_EPOLL=y
 CONFIG_EROFS_FS_POSIX_ACL=y
@@ -1396,9 +1399,6 @@ CONFIG_MODULE_COMPRESS_ZSTD=y
 CONFIG_MODULE_FORCE_UNLOAD=y
 CONFIG_MODULE_SRCVERSION_ALL=y
 CONFIG_MODULE_UNLOAD=y
-CONFIG_MODULE_SIG=y
-CONFIG_MODULE_SIG_FORCE=y
-CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULES_TREE_LOOKUP=y
 CONFIG_MODULES_USE_ELF_RELA=y
 CONFIG_MODULES=y
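Review bot: Removing `CONFIG_MODULE_SIG=y`, `CONFIG_MODULE_SIG_FORCE=y` and `CONFIG_MODULE_SIG_ALL=y` disables module signature enforcement in the same change that moves btrfs, dm-verity, encrypted keys and the raid helpers from built-in to modules, so the kernel will now load any unsigned `.ko` it is given and the previous guarantee that only build-signed code enters the kernel is gone. If this is a workaround for the signing step in the `linuxManualConfig` build, keeping `CONFIG_MODULE_SIG=y` and `CONFIG_MODULE_SIG_ALL=y` and dropping only `_FORCE` would still sign and verify what the build produces while no longer refusing unsigned modules outright; either way a comment stating why enforcement was dropped belongs here.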
@@ -1953,7 +1953,7 @@ CONFIG_QUOTA_TREE=y
 CONFIG_QUOTA=y
 CONFIG_R8169=m
 CONFIG_RAID6_PQ_BENCHMARK=y
-CONFIG_RAID6_PQ=y
+CONFIG_RAID6_PQ=m
 CONFIG_RAID_ATTRS=y
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
@@ -2213,7 +2213,6 @@ CONFIG_TCG_CRB=y
 CONFIG_TCG_TIS_CORE=y
 CONFIG_TCG_TIS=y
 CONFIG_TCG_TPM=y
-CONFIG_TCG_TPM2_HMAC=n
 CONFIG_TCP_CONG_ADVANCED=y
 CONFIG_TCP_CONG_BBR=y
 CONFIG_TCP_CONG_CUBIC=y
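Review bot: Deleting `CONFIG_TCG_TPM2_HMAC=n` hands the option to the kernel's default instead of choosing a value, and that default may differ between kernel releases; for a build that plainly relies on the TPM (`CONFIG_TCG_TPM=y`, `CONFIG_TCG_TIS=y`, the `qemu-uefi-tpm` helper) an explicit `CONFIG_TCG_TPM2_HMAC=y` or `=n` records whether HMAC-protected TPM sessions are wanted and keeps behaviour stable when the kernel version moves, as it does in this commit.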
@@ -2487,7 +2486,7 @@ CONFIG_XFS_QUOTA=y
 CONFIG_XFS_RT=y
 CONFIG_XFS_SUPPORT_ASCII_CI=y
 CONFIG_XFS_SUPPORT_V4=y
-CONFIG_XOR_BLOCKS=y
+CONFIG_XOR_BLOCKS=m
 CONFIG_XPS=y
 CONFIG_XXHASH=y
 CONFIG_XZ_DEC_ARMTHUMB=y
diff --git a/lib/make-sysext.nix b/lib/make-sysext.nix
deleted file mode 100644
index 6de1e63..0000000
--- a/lib/make-sysext.nix
+++ /dev/null
@@ -1,91 +0,0 @@
-{
-  lib,
-  runCommand,
-  pkgs,
-
-  name,
-  packages,
-  osId ? "patos",
-  version ? null,
-}:
-
-
-let
-  metadata = {
-    ID = osId;
-    VERSION_ID = osId;
-    IMAGE_ID = name;
-    IMAGE_VERSION = version;
-  };
-
-  metadataFile = lib.concatStringsSep "\n" (
-    lib.mapAttrsToList (k: v: "${k}=${v}") (lib.filterAttrs (_: v: v != null) metadata)
-  );
-
-  doCopy =
-    {
-      drv,
-      prefix ? "usr",
-      path,
-      destpath ? null,
-    }:
-    "do_copy ${prefix} ${drv} ${path}" + lib.optionalString (destpath != null) " ${destpath}";
-
-in
-
-runCommand name
-  {
-    passthru.name = name;
-    inherit metadataFile;
-    passAsFile = [ "metadataFile" ];
-
-    buildInputs = [
-      pkgs.erofs-utils
-      pkgs.cryptsetup
-    ];
-
-  }
-  ''
-    do_copy () {
-      local prefix="$1"
-      local drv="$2"
-      local path="$3"
-      local destpath="''${4:-$path}"
-
-      local srcfile
-      local destdir
-      local destfile
-      srcfile="$drv/$path"
-      destfile="$out/tree/$prefix/$destpath"
-      destdir="$(dirname -- "$destfile")"
-
-      mkdir -pv "$destdir"
-      cp -Pv "$srcfile" "$destfile"
-
-      chmod 755 "$destfile"
-      patchelf --set-rpath /usr/lib $destfile || true
-      patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 $destfile || true
-    }
-
-    mkdir -p $out/tree
-
-    ${lib.concatStringsSep "\n" (map doCopy packages)}
-
-    # bake metadata into the structure
-    if ! [ -f $out/tree/usr/lib/extension-release.d/extension-release."${name}" ]; then
-      mkdir -p $out/tree/usr/lib/extension-release.d
-      cat "$metadataFilePath" > $out/tree/usr/lib/extension-release.d/extension-release."${name}"
-    fi
-
-    pushd $out
-    find tree -type d -exec chmod 0755 {} \;
-    mkfs.erofs --all-root $name.raw tree/
-    veritysetup format --root-hash-file $name.roothash $name.raw $name.verity
-    # TODO: pcks7 signature
-    # openssl smime -sign -nocerts -noattr -binary -in ${name}.roothash \
-    #   -inkey key.pem -signer cert.pem -outform der -out ${name}.roothash.p7s
-    rm -rf tree
-    sha256sum * > SHA256SUMS
-    # TODO: add gpg signature
-    popd
-  ''
diff --git a/pkgs/busybox/clang-cross.patch b/pkgs/busybox/clang-cross.patch
deleted file mode 100644
index b2d696b..0000000
--- a/pkgs/busybox/clang-cross.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-diff --git a/Makefile b/Makefile
-index 6fedcffba..3385836c4 100644
---- a/Makefile
-+++ b/Makefile
-@@ -271,8 +271,8 @@ export quiet Q KBUILD_VERBOSE
- # Look for make include files relative to root of kernel src
- MAKEFLAGS += --include-dir=$(srctree)
- 
--HOSTCC  	= gcc
--HOSTCXX  	= g++
-+HOSTCC		= cc
-+HOSTCXX	= c++
- HOSTCFLAGS	:=
- HOSTCXXFLAGS	:=
- # We need some generic definitions
-@@ -289,7 +289,7 @@ MAKEFLAGS += -rR
- # Make variables (CC, etc...)
- 
- AS		= $(CROSS_COMPILE)as
--CC		= $(CROSS_COMPILE)gcc
-+CC		= $(CROSS_COMPILE)cc
- LD		= $(CC) -nostdlib
- CPP		= $(CC) -E
- AR		= $(CROSS_COMPILE)ar
-diff --git a/scripts/Makefile.IMA b/scripts/Makefile.IMA
-index f155108d7..185257064 100644
---- a/scripts/Makefile.IMA
-+++ b/scripts/Makefile.IMA
-@@ -39,7 +39,7 @@ ifndef HOSTCC
- HOSTCC = cc
- endif
- AS              = $(CROSS_COMPILE)as
--CC              = $(CROSS_COMPILE)gcc
-+CC              = $(CROSS_COMPILE)cc
- LD              = $(CC) -nostdlib
- CPP             = $(CC) -E
- AR              = $(CROSS_COMPILE)ar
diff --git a/pkgs/busybox/default.nix b/pkgs/busybox/default.nix
deleted file mode 100644
index 6f22641..0000000
--- a/pkgs/busybox/default.nix
+++ /dev/null
@@ -1,208 +0,0 @@
-{
-  stdenv,
-  lib,
-  pkgs,
-  buildPackages,
-  fetchurl,
-  fetchpatch,
-  fetchFromGitLab,
-  enableStatic ? stdenv.hostPlatform.isStatic,
-  enableMinimal ? false,
-  enableAppletSymlinks ? true,
-  # Allow forcing musl without switching stdenv itself, e.g. for our bootstrapping:
-  # nix build -f pkgs/top-level/release.nix stdenvBootstrapTools.x86_64-linux.dist
-  useMusl ? stdenv.hostPlatform.libc == "musl",
-  musl,
-  extraConfig ? "",
-}:
-
-assert stdenv.hostPlatform.libc == "musl" -> useMusl;
-
-let
-  configParser = ''
-    function parseconfig {
-        while read LINE; do
-            NAME=`echo "$LINE" | cut -d \  -f 1`
-            OPTION=`echo "$LINE" | cut -d \  -f 2`
-
-            if ! [[ "$NAME" =~ ^CONFIG_ ]]; then continue; fi
-
-            echo "parseconfig: removing $NAME"
-            sed -i /$NAME'\(=\| \)'/d .config
-
-            echo "parseconfig: setting $NAME=$OPTION"
-            echo "$NAME=$OPTION" >> .config
-        done
-    }
-  '';
-
-  libcConfig = lib.optionalString useMusl ''
-    CONFIG_FEATURE_UTMP n
-    CONFIG_FEATURE_WTMP n
-  '';
-
-  # The debian version lags behind the upstream version and also contains
-  # a debian-specific suffix. We only fetch the debian repository to get the
-  # default.script
-  debianVersion = "1.30.1-6";
-  debianSource = fetchFromGitLab {
-    domain = "salsa.debian.org";
-    owner = "installer-team";
-    repo = "busybox";
-    rev = "debian/1%${debianVersion}";
-    sha256 = "sha256-6r0RXtmqGXtJbvLSD1Ma1xpqR8oXL2bBKaUE/cSENL8=";
-  };
-  debianDispatcherScript = "${debianSource}/debian/tree/udhcpc/etc/udhcpc/default.script";
-  outDispatchPath = "$out/default.script";
-in
-
-stdenv.mkDerivation rec {
-  pname = "busybox";
-  version = pkgs.busybox.version;
-
-  # Note to whoever is updating busybox: please verify that:
-  # nix-build pkgs/stdenv/linux/make-bootstrap-tools.nix -A test
-  # still builds after the update.
-  src = pkgs.busybox.src;
-
-  hardeningDisable = [
-    "format"
-    "pie"
-  ] ++ lib.optionals enableStatic [ "fortify" ];
-
-  patches = [
-    (fetchurl {
-      name = "CVE-2022-28391.patch";
-      url = "https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch?id=ed92963eb55bbc8d938097b9ccb3e221a94653f4";
-      sha256 = "sha256-yviw1GV+t9tbHbY7YNxEqPi7xEreiXVqbeRyf8c6Awo=";
-    })
-    (fetchurl {
-      name = "CVE-2022-28391.patch";
-      url = "https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch?id=ed92963eb55bbc8d938097b9ccb3e221a94653f4";
-      sha256 = "sha256-vl1wPbsHtXY9naajjnTicQ7Uj3N+EQ8pRNnrdsiow+w=";
-    })
-    (fetchpatch {
-      name = "CVE-2022-48174.patch"; # https://bugs.busybox.net/show_bug.cgi?id=15216
-      url = "https://git.busybox.net/busybox/patch/?id=d417193cf37ca1005830d7e16f5fa7e1d8a44209";
-      hash = "sha256-mpDEwYncpU6X6tmtj9xM2KCrB/v2ys5bYxmPPrhm6es=";
-    })
-    (fetchpatch {
-      name = "CVE-2023-42366.patch"; # https://bugs.busybox.net/show_bug.cgi?id=15874
-      # This patch is also used by Alpine, see https://git.alpinelinux.org/aports/tree/main/busybox/0037-awk.c-fix-CVE-2023-42366-bug-15874.patch
-      url = "https://bugs.busybox.net/attachment.cgi?id=9697";
-      hash = "sha256-2eYfLZLjStea9apKXogff6sCAdG9yHx0ZsgUBaGfQIA=";
-    })
-    (fetchpatch {
-      name = "CVE-2023-42363.patch"; # https://bugs.busybox.net/show_bug.cgi?id=15865
-      url = "https://git.launchpad.net/ubuntu/+source/busybox/plain/debian/patches/CVE-2023-42363.patch?id=c9d8a323b337d58e302717d41796aa0242963d5a";
-      hash = "sha256-1W9Q8+yFkYQKzNTrvndie8QuaEbyAFL1ZASG2fPF+Z4=";
-    })
-    (fetchpatch {
-      name = "CVE-2023-42364_CVE-2023-42365.patch"; # https://bugs.busybox.net/show_bug.cgi?id=15871 https://bugs.busybox.net/show_bug.cgi?id=15868
-      url = "https://git.alpinelinux.org/aports/plain/main/busybox/CVE-2023-42364-CVE-2023-42365.patch?id=8a4bf5971168bf48201c05afda7bee0fbb188e13";
-      hash = "sha256-nQPgT9eA1asCo38Z9X7LR9My0+Vz5YBPba3ARV3fWcc=";
-    })
-  ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) ./clang-cross.patch;
-
-  separateDebugInfo = true;
-
-  # postPatch = "patchShebangs .";
-
-  configurePhase = ''
-    export KCONFIG_NOTIMESTAMP=1
-    make ${if enableMinimal then "allnoconfig" else "defconfig"}
-
-    ${configParser}
-
-    cat << EOF | parseconfig
-
-    CONFIG_PREFIX "$out"
-    CONFIG_INSTALL_NO_USR y
-
-    CONFIG_LFS y
-
-    # More features for modprobe.
-    ${lib.optionalString (!enableMinimal) ''
-      CONFIG_FEATURE_MODPROBE_BLACKLIST y
-      CONFIG_FEATURE_MODUTILS_ALIAS y
-      CONFIG_FEATURE_MODUTILS_SYMBOLS y
-      CONFIG_MODPROBE_SMALL n
-    ''}
-
-    ${lib.optionalString enableStatic ''
-      CONFIG_STATIC y
-    ''}
-
-    ${lib.optionalString (!enableAppletSymlinks) ''
-      CONFIG_INSTALL_APPLET_DONT y
-      CONFIG_INSTALL_APPLET_SYMLINKS n
-    ''}
-
-    # Use the external mount.cifs program.
-    CONFIG_FEATURE_MOUNT_CIFS n
-    CONFIG_FEATURE_MOUNT_HELPERS y
-
-    # BB_SHADOW
-    FEATURE_SHADOWPASSWDS y
-    CONFIG_USE_BB_PWD_GRP y
-    CONFIG_USE_BB_SHADOW y
-    CONFIG_USE_BB_CRYPT y
-    USE_BB_CRYPT_SHA y
-    CONFIG_FEATURE_DEFAULT_PASSWD_ALGO "sha512"
-
-    # Set paths for console fonts.
-    CONFIG_DEFAULT_SETFONT_DIR "/etc/kbd"
-
-    # Bump from 4KB, much faster I/O
-    CONFIG_FEATURE_COPYBUF_KB 64
-
-    # Doesn't build with current kernel headers.
-    # https://bugs.busybox.net/show_bug.cgi?id=15934
-    CONFIG_TC n
-
-    # Set the path for the udhcpc script
-    CONFIG_UDHCPC_DEFAULT_SCRIPT "/usr/share/busybox/"
-
-    ${extraConfig}
-    CONFIG_CROSS_COMPILER_PREFIX "${stdenv.cc.targetPrefix}"
-    ${libcConfig}
-    EOF
-
-    make oldconfig
-
-    runHook postConfigure
-  '';
-
-  postConfigure = lib.optionalString (useMusl && stdenv.hostPlatform.libc != "musl") ''
-    makeFlagsArray+=("CC=${stdenv.cc.targetPrefix}cc -isystem ${musl.dev}/include -B${musl}/lib -L${musl}/lib")
-  '';
-
-  makeFlags = [ "SKIP_STRIP=y" ];
-
-  strictDeps = true;
-
-  depsBuildBuild = [ buildPackages.stdenv.cc ];
-
-  buildInputs = lib.optionals (enableStatic && !useMusl && stdenv.cc.libc ? static) [
-    stdenv.cc.libc
-    stdenv.cc.libc.static
-  ];
-
-  enableParallelBuilding = true;
-
-  doCheck = false; # tries to access the net
-
-  passthru.shellPath = "/bin/ash";
-
-  meta = with lib; {
-    description = "Tiny versions of common UNIX utilities in a single small executable";
-    homepage = "https://busybox.net/";
-    license = licenses.gpl2Only;
-    maintainers = with maintainers; [
-      TethysSvensson
-      qyliss
-    ];
-    platforms = platforms.linux;
-    priority = 15; # below systemd (halt, init, poweroff, reboot) and coreutils
-  };
-}
diff --git a/pkgs/cert/default.nix b/pkgs/cert/default.nix
deleted file mode 100644
index f3237e9..0000000
--- a/pkgs/cert/default.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{
-  runCommand,
-  pkgs,
-
-}:
-
-runCommand "patagia-certs"
-  {
-    buildInputs = with pkgs; [
-      openssl
-    ];
-
-  }
-  ''
-    mkdir -pv $out
-    openssl req -new -x509 -days 365 -nodes -out $out/cert.pem -keyout $out/key.pem -subj "/CN=patagia-signing"
-  ''
diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix
deleted file mode 100644
index 05d9c72..0000000
--- a/pkgs/image/default.nix
+++ /dev/null
@@ -1,256 +0,0 @@
-{
-  lib,
-  pkgs,
-  patosPkgs,
-  version,
-  runCommand,
-  updateUrl,
-  cpuArch ? "",
-  secureBoot ? "false"
-}:
-let
-  pname = "patos-image";
-in
-runCommand pname {
-  inherit version cpuArch updateUrl secureBoot;
-
-  microcode = lib.optionalString (cpuArch == "amd") "--microcode ${pkgs.microcode-amd}/amd-ucode.img"
-      + lib.optionalString (cpuArch == "intel") "--microcode ${pkgs.microcode-intel}/intel-ucode.img";
-
-  buildInputs = with pkgs; [
-    erofs-utils
-    dosfstools
-    mtools
-    jq
-  ];
-
-  env = {
-    # vfat options won't efi won't find the fs otherwise.
-    SYSTEMD_REPART_MKFS_OPTIONS_VFAT = "-S 512 -c";
-    SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking";
-  };
-
-  kernelCmdLine = "console=ttyS0 patos.secureboot=${secureBoot}";
-}
-''
-mkdir -p $out/init.repart.d $out/final.repart.d
-pushd $out
-
-mkdir rootfs
-cp -prP ${patosPkgs.rootfs}/* rootfs/
-find rootfs/ -type d -exec chmod 755 {} \;
-
-# package kernel modules as sysext (will reduce the image size a little bit (~3MB))
-mkdir rootfs/etc/extensions
-rm -rf rootfs/usr/lib/modules
-cp ${patosPkgs.kernel}/patos-kernel-modules* rootfs/etc/extensions/
-
-# set default target to multi-user
-ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target
-
-# enable dbus
-ln -sf ../dbus.service rootfs/usr/lib/systemd/system/multi-user.target.wants/dbus.service
-ln -sf ../dbus.socket rootfs/usr/lib/systemd/system/sockets.target.wants/dbus.socket
-
-# enable network services
-ln -sf ../systemd-networkd.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-networkd.service
-ln -sf ../systemd-resolved.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-resolved.service
-ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.target.wants/systemd-timesyncd.service
-# enable default network config
-mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/systemd/network/89-ethernet.network
-
-# enable confext/sysext services
-ln -sf ../systemd-confext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-confext.service
-ln -sf ../systemd-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-sysext.service
-
-cat <<EOF > rootfs/usr/lib/systemd/system/secure-boot-import-keys.service
-[Unit]
-Description=Import Secure Boot keys
-DefaultDependencies=no
-RequiresMountsFor=/var/lib/sbctl /boot
-ConditionPathExists=/boot/sbctl/keys
-After=local-fs.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=sbctl import-keys -d /boot/sbctl/keys
-ExecStartPost=rm -rf /boot/sbctl
-EOF
-ln -sf ../secure-boot-import-keys.service rootfs/usr/lib/systemd/system/sysinit.target.wants/secure-boot-import-keys.service
-
-# sysupdate
-mkdir -p rootfs/etc/sysupdate.d
-cat <<EOF > rootfs/etc/sysupdate.d/10-uki.transfer
-[Source]
-Path=${updateUrl}
-MatchPattern=patos_@v.efi
-Type=url-file
-
-[Target]
-InstancesMax=2
-MatchPattern=patos_@v+@l-@d.efi patos_@v+@l.efi patos_@v.efi
-Mode=0444
-Path=/EFI/Linux
-PathRelativeTo=esp
-TriesDone=0
-TriesLeft=3
-Type=regular-file
-
-[Transfer]
-Verify=no
-EOF
-
-cat <<EOF > rootfs/etc/sysupdate.d/20-root-verity.transfer
-[Source]
-Type=url-file
-Path=${updateUrl}
-MatchPattern=patos_@v_@u.verity
-
-[Target]
-Type=partition
-Path=auto
-MatchPattern=verity-@v
-MatchPartitionType=root-verity
-ReadOnly=1
-
-[Transfer]
-Verify=no
-EOF
-
-cat <<EOF > rootfs/etc/sysupdate.d/22-root.transfer
-[Source]
-Type=url-file
-Path=${updateUrl}
-MatchPattern=patos_@v_@u.root
-
-[Target]
-Type=partition
-Path=auto
-MatchPattern=root-@v
-MatchPartitionType=root
-ReadOnly=1
-
-[Transfer]
-Verify=no
-EOF
-
-# Initial partitioning
-cat <<EOF > init.repart.d/10-root.conf
-[Partition]
-Type=root
-Format=erofs
-Minimize=best
-CopyFiles=/rootfs:/
-Verity=data
-VerityMatchKey=root
-SplitName=root
-EOF
-
-cat <<EOF > init.repart.d/20-root-verity.conf
-[Partition]
-Type=root-verity
-Verity=hash
-VerityMatchKey=root
-Minimize=best
-SplitName=verity
-EOF
-
-#TODO: Add verity signature partition
-
-${patosPkgs.systemd}/usr/bin/systemd-repart \
-  --no-pager \
-  --empty=create \
-  --size=auto \
-  --definitions=./init.repart.d \
-  --split=true \
-  --json=pretty \
-  --root=$out \
-  patos_$version.raw > init-repart-output.json && rm -f patos_$version.raw
-
-roothash=$(jq -r '.[0].roothash' init-repart-output.json)
-rootPart=$(jq -r '.[0].split_path' init-repart-output.json)
-rootUuid=$(jq -r '.[0].uuid' init-repart-output.json)
-
-verityPart=$(jq -r '.[1].split_path' init-repart-output.json)
-verityUuid=$(jq -r '.[1].uuid' init-repart-output.json)
-
-ln -sf patos_$version.verity.raw patos_${version}_$verityUuid.verity
-ln -sf patos_$version.root.raw patos_${version}_$rootUuid.root
-
-${patosPkgs.systemd}/usr/bin/ukify build \
-  --linux ${patosPkgs.kernel}/bzImage \
-  --initrd ${patosPkgs.initrd}/initrd.xz \
-  $microcode \
-  --os-release @rootfs/etc/os-release \
-  --cmdline "$kernelCmdLine roothash=$roothash" \
-  -o patos_${version}.efi
-
-# install ESP
-SYSTEMD_RELAX_ESP_CHECKS=1 ${patosPkgs.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot
-
-# setup factory reset
-mkdir -p rootfs/boot/EFI/tools
-cp ${pkgs.edk2-uefi-shell}/shell.efi rootfs/boot/EFI/tools/
-
-cat <<EOF > rootfs/boot/EFI/tools/factoryreset.nsh
-setvar FactoryReset -guid 8cf2644b-4b0b-428f-9387-6d876050dc67 -nv -rt =%1
-reset
-EOF
-
-cat <<EOF > rootfs/boot/loader/entries/factoryreset.conf
-title Enable Factory Reset
-options -nostartup -nomap
-options \EFI\tools\factoryreset.nsh L"t"
-efi EFI/tools/shell.efi
-EOF
-
-echo "timeout 2" > rootfs/boot/loader/loader.conf
-
-# install UKI
-cp patos_${version}.efi rootfs/boot/EFI/Linux
-
-# Final partitioning
-cat <<EOF > final.repart.d/10-esp.conf
-[Partition]
-Type=esp
-Format=vfat
-SizeMinBytes=128M
-SizeMaxBytes=128M
-CopyFiles=/rootfs/boot:/
-EOF
-
-cat <<EOF > final.repart.d/20-root.conf
-[Partition]
-Type=root
-Label=root-${version}
-CopyBlocks=/$rootPart
-UUID=$rootUuid
-SizeMinBytes=64M
-SizeMaxBytes=64M
-ReadOnly=1
-EOF
-
-cat <<EOF > final.repart.d/22-root-verity.conf
-[Partition]
-Type=root-verity
-Label=verity-${version}
-CopyBlocks=/$verityPart
-UUID=$verityUuid
-ReadOnly=1
-EOF
-
-# finalize image ready for boot
-${patosPkgs.systemd}/usr/bin/systemd-repart \
-  --no-pager \
-  --empty=create \
-  --size=auto \
-  --definitions=./final.repart.d \
-  --root=$out \
-  patos_${version}.img > final-repart-output.json
-
-rm -rf rootfs init.repart.d final.repart.d *.json
-sha256sum *.root *.verity *.efi *.tar.xz > SHA256SUMS
-
-popd
-''
diff --git a/pkgs/kernel/default.nix b/pkgs/kernel/default.nix
deleted file mode 100644
index 1297825..0000000
--- a/pkgs/kernel/default.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ pkgs }:
-let
-  version = "6.14.2";
-  hash = "sha256-xcaCo1TqMZATk1elfTSnnlw3IhrOgjqTjhARa1d6Lhs=";
-in
-(pkgs.callPackage ./manual-config.nix { }) {
-  version = "${version}-patos1";
-  modDirVersion = version;
-  src = pkgs.fetchurl {
-    url = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${version}.tar.xz";
-    hash = hash;
-  };
-  configfile = ./generic.config;
-  allowImportFromDerivation = true;
-}
diff --git a/pkgs/kernel/manual-config.nix b/pkgs/kernel/manual-config.nix
deleted file mode 100644
index 98b09f8..0000000
--- a/pkgs/kernel/manual-config.nix
+++ /dev/null
@@ -1,594 +0,0 @@
-{
-  lib,
-  stdenv,
-  buildPackages,
-  runCommand,
-  nettools,
-  bc,
-  bison,
-  flex,
-  perl,
-  rsync,
-  gmp,
-  libmpc,
-  mpfr,
-  openssl,
-  cpio,
-  elfutils,
-  hexdump,
-  zstd,
-  python3Minimal,
-  zlib,
-  pahole,
-  kmod,
-  ubootTools,
-  erofs-utils,
-  cryptsetup,
-  fetchpatch,
-  rustc,
-  rust-bindgen,
-  rustPlatform,
-}:
-
-let
-  lib_ = lib;
-  stdenv_ = stdenv;
-
-  readConfig =
-    configfile:
-    import
-      (runCommand "config.nix" { } ''
-        echo "{" > "$out"
-        while IFS='=' read key val; do
-          [ "x''${key#CONFIG_}" != "x$key" ] || continue
-          no_firstquote="''${val#\"}";
-          echo '  "'"$key"'" = "'"''${no_firstquote%\"}"'";' >> "$out"
-        done < "${configfile}"
-        echo "}" >> $out
-      '').outPath;
-in
-lib.makeOverridable (
-  {
-    # The kernel version
-    version,
-    # The kernel pname (should be set for variants)
-    pname ? "linux",
-    # Position of the Linux build expression
-    pos ? null,
-    # Additional kernel make flags
-    extraMakeFlags ? [ ],
-    # The name of the kernel module directory
-    # Needs to be X.Y.Z[-extra], so pad with zeros if needed.
-    modDirVersion ? null, # derive from version
-    # The kernel source (tarball, git checkout, etc.)
-    src,
-    # a list of { name=..., patch=..., extraConfig=...} patches
-    kernelPatches ? [ ],
-    # The kernel .config file
-    configfile,
-    # Manually specified nixexpr representing the config
-    # If unspecified, this will be autodetected from the .config
-    config ? lib.optionalAttrs allowImportFromDerivation (readConfig configfile),
-    # Custom seed used for CONFIG_GCC_PLUGIN_RANDSTRUCT if enabled. This is
-    # automatically extended with extra per-version and per-config values.
-    randstructSeed ? "",
-    # Extra meta attributes
-    extraMeta ? { },
-
-    # for module compatibility
-    isZen ? false,
-    isLibre ? false,
-    isHardened ? false,
-
-    # Whether to utilize the controversial import-from-derivation feature to parse the config
-    allowImportFromDerivation ? false,
-    # ignored
-    features ? null,
-    lib ? lib_,
-    stdenv ? stdenv_,
-  }:
-
-  let
-    # Provide defaults. Note that we support `null` so that callers don't need to use optionalAttrs,
-    # which can lead to unnecessary strictness and infinite recursions.
-    modDirVersion_ = if modDirVersion == null then lib.versions.pad 3 version else modDirVersion;
-  in
-  let
-    # Shadow the un-defaulted parameter; don't want null.
-    modDirVersion = modDirVersion_;
-    inherit (lib)
-      hasAttr
-      getAttr
-      optional
-      optionals
-      optionalString
-      optionalAttrs
-      maintainers
-      platforms
-      ;
-
-    drvAttrs =
-      config_: kernelConf: kernelPatches: configfile:
-      let
-        # Folding in `ubootTools` in the default nativeBuildInputs is problematic, as
-        # it makes updating U-Boot cumbersome, since it will go above the current
-        # threshold of rebuilds
-        #
-        # To prevent these needless rounds of staging for U-Boot builds, we can
-        # limit the inclusion of ubootTools to target platforms where uImage *may*
-        # be produced.
-        #
-        # This command lists those (kernel-named) platforms:
-        #     .../linux $ grep -l uImage ./arch/*/Makefile | cut -d'/' -f3 | sort
-        #
-        # This is still a guesstimation, but since none of our cached platforms
-        # coincide in that list, this gives us "perfect" decoupling here.
-        linuxPlatformsUsingUImage = [
-          "arc"
-          "arm"
-          "csky"
-          "mips"
-          "powerpc"
-          "sh"
-          "sparc"
-          "xtensa"
-        ];
-        needsUbootTools = lib.elem stdenv.hostPlatform.linuxArch linuxPlatformsUsingUImage;
-
-        config =
-          let
-            attrName = attr: "CONFIG_" + attr;
-          in
-          {
-            isSet = attr: hasAttr (attrName attr) config;
-
-            getValue = attr: if config.isSet attr then getAttr (attrName attr) config else null;
-
-            isYes = attr: (config.getValue attr) == "y";
-
-            isNo = attr: (config.getValue attr) == "n";
-
-            isModule = attr: (config.getValue attr) == "m";
-
-            isEnabled = attr: (config.isModule attr) || (config.isYes attr);
-
-            isDisabled = attr: (!(config.isSet attr)) || (config.isNo attr);
-          }
-          // config_;
-
-        isModular = config.isYes "MODULES";
-        withRust = config.isYes "RUST";
-
-        buildDTBs = kernelConf.DTB or false;
-
-        # Dependencies that are required to build kernel modules
-        moduleBuildDependencies =
-          [
-            pahole
-            perl
-            elfutils
-            # module makefiles often run uname commands to find out the kernel version
-            (buildPackages.deterministic-uname.override { inherit modDirVersion; })
-          ]
-          ++ optional (lib.versionAtLeast version "5.13") zstd
-          ++ optionals withRust [
-            rustc
-            rust-bindgen
-          ];
-
-      in
-      (optionalAttrs isModular {
-        outputs = [
-          "out"
-          "dev"
-        ];
-      })
-      // {
-        passthru = rec {
-          inherit
-            version
-            modDirVersion
-            config
-            kernelPatches
-            configfile
-            moduleBuildDependencies
-            stdenv
-            ;
-          inherit
-            isZen
-            isHardened
-            isLibre
-            withRust
-            ;
-          isXen = lib.warn "The isXen attribute is deprecated. All Nixpkgs kernels that support it now have Xen enabled." true;
-          baseVersion = lib.head (lib.splitString "-rc" version);
-          kernelOlder = lib.versionOlder baseVersion;
-          kernelAtLeast = lib.versionAtLeast baseVersion;
-        };
-
-        inherit src;
-
-        depsBuildBuild = [ buildPackages.stdenv.cc ];
-        nativeBuildInputs =
-          [
-            bison
-            flex
-            perl
-            bc
-            nettools
-            openssl
-            rsync
-            gmp
-            libmpc
-            mpfr
-            elfutils
-            zstd
-            python3Minimal
-            kmod
-            hexdump
-            erofs-utils
-            cryptsetup
-          ]
-          ++ optional needsUbootTools ubootTools
-          ++ optionals (lib.versionAtLeast version "5.2") [
-            cpio
-            pahole
-            zlib
-          ]
-          ++ optionals withRust [
-            rustc
-            rust-bindgen
-          ];
-
-        RUST_LIB_SRC = lib.optionalString withRust rustPlatform.rustLibSrc;
-
-        # avoid leaking Rust source file names into the final binary, which adds
-        # a false dependency on rust-lib-src on targets with uncompressed kernels
-        KRUSTFLAGS = lib.optionalString withRust "--remap-path-prefix ${rustPlatform.rustLibSrc}=/";
-
-        # patches =
-        #   map (p: p.patch) kernelPatches
-        #   # Required for deterministic builds along with some postPatch magic.
-        #   ++ optional (lib.versionOlder version "5.19") ./randstruct-provide-seed.patch
-        #   ++ optional (lib.versionAtLeast version "5.19") ./randstruct-provide-seed-5.19.patch
-        #   # Linux 5.12 marked certain PowerPC-only symbols as GPL, which breaks
-        #   # OpenZFS; this was fixed in Linux 5.19 so we backport the fix
-        #   # https://github.com/openzfs/zfs/pull/13367
-        #   ++ optional (lib.versionAtLeast version "5.12" &&
-        #                lib.versionOlder version "5.19" &&
-        #                stdenv.hostPlatform.isPower)
-        #     (fetchpatch {
-        #       url = "https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/patch/?id=d9e5c3e9e75162f845880535957b7fd0b4637d23";
-        #       hash = "sha256-bBOyJcP6jUvozFJU0SPTOf3cmnTQ6ZZ4PlHjiniHXLU=";
-        #     });
-
-        postPatch = ''
-          # Ensure that depmod gets resolved through PATH
-          sed -i Makefile -e 's|= /sbin/depmod|= depmod|'
-
-          # Some linux-hardened patches now remove certain files in the scripts directory, so the file may not exist.
-          [[ -f scripts/ld-version.sh ]] && patchShebangs scripts/ld-version.sh
-
-          # Set randstruct seed to a deterministic but diversified value. Note:
-          # we could have instead patched gen-random-seed.sh to take input from
-          # the buildFlags, but that would require also patching the kernel's
-          # toplevel Makefile to add a variable export. This would be likely to
-          # cause future patch conflicts.
-          # for file in scripts/gen-randstruct-seed.sh scripts/gcc-plugins/gen-random-seed.sh; do
-          #   if [ -f "$file" ]; then
-          #     substituteInPlace "$file" \
-          #       --replace NIXOS_RANDSTRUCT_SEED \
-          #       $(echo ${randstructSeed}${src} ${placeholder "configfile"} | sha256sum | cut -d ' ' -f 1 | tr -d '\n')
-          #     break
-          #   fi
-          # done
-
-          patchShebangs scripts
-
-          # also patch arch-specific install scripts
-          for i in $(find arch -name install.sh); do
-              patchShebangs "$i"
-          done
-
-          # unset $src because the build system tries to use it and spams a bunch of warnings
-          # see: https://github.com/torvalds/linux/commit/b1992c3772e69a6fd0e3fc81cd4d2820c8b6eca0
-          unset src
-        '';
-
-        configurePhase = ''
-          runHook preConfigure
-
-          mkdir build
-          export buildRoot="$(pwd)/build"
-
-          echo "manual-config configurePhase buildRoot=$buildRoot pwd=$PWD"
-
-          if [ -f "$buildRoot/.config" ]; then
-            echo "Could not link $buildRoot/.config : file exists"
-            exit 1
-          fi
-          ln -sv ${configfile} $buildRoot/.config
-
-          # reads the existing .config file and prompts the user for options in
-          # the current kernel source that are not found in the file.
-          make $makeFlags "''${makeFlagsArray[@]}" oldconfig
-          runHook postConfigure
-
-          make $makeFlags "''${makeFlagsArray[@]}" prepare
-          actualModDirVersion="$(cat $buildRoot/include/config/kernel.release)"
-          if [ "$actualModDirVersion" != "${modDirVersion}" ]; then
-            echo "Error: modDirVersion ${modDirVersion} specified in the Nix expression is wrong, it should be: $actualModDirVersion"
-            exit 1
-          fi
-
-          buildFlagsArray+=("KBUILD_BUILD_TIMESTAMP=$(date -u -d @$SOURCE_DATE_EPOCH)")
-
-          cd $buildRoot
-        '';
-
-        buildFlags =
-          [
-            "KBUILD_BUILD_VERSION=1-PatOS"
-            kernelConf.target
-            "vmlinux" # for "perf" and things like that
-          ]
-          ++ optional isModular "modules"
-          ++ optionals buildDTBs [
-            "dtbs"
-            "DTC_FLAGS=-@"
-          ]
-          ++ extraMakeFlags;
-
-        installFlags =
-          [
-            "INSTALL_PATH=$(out)"
-          ]
-          ++ (optional isModular "INSTALL_MOD_PATH=$(out)")
-          ++ optionals buildDTBs [
-            "dtbs_install"
-            "INSTALL_DTBS_PATH=$(out)/dtbs"
-          ];
-
-        dontStrip = true;
-
-        preInstall =
-          let
-            # All we really need to do here is copy the final image and System.map to $out,
-            # and use the kernel's modules_install, firmware_install, dtbs_install, etc. targets
-            # for the rest. Easy, right?
-            #
-            # Unfortunately for us, the obvious way of getting the built image path,
-            # make -s image_name, does not work correctly, because some architectures
-            # (*cough* aarch64 *cough*) change KBUILD_IMAGE on the fly in their install targets,
-            # so we end up attempting to install the thing we didn't actually build.
-            #
-            # Thankfully, there's a way out that doesn't involve just hardcoding everything.
-            #
-            # The kernel has an install target, which runs a pretty simple shell script
-            # (located at scripts/install.sh or arch/$arch/boot/install.sh, depending on
-            # which kernel version you're looking at) that tries to do something sensible.
-            #
-            # (it would be great to hijack this script immediately, as it has all the
-            #   information we need passed to it and we don't need it to try and be smart,
-            #   but unfortunately, the exact location of the scripts differs between kernel
-            #   versions, and they're seemingly not considered to be public API at all)
-            #
-            # One of the ways it tries to discover what "something sensible" actually is
-            # is by delegating to what's supposed to be a user-provided install script
-            # located at ~/bin/installkernel.
-            #
-            # (the other options are:
-            #   - a distribution-specific script at /sbin/installkernel,
-            #        which we can't really create in the sandbox easily
-            #   - an architecture-specific script at arch/$arch/boot/install.sh,
-            #        which attempts to guess _something_ and usually guesses very wrong)
-            #
-            # More specifically, the install script exec's into ~/bin/installkernel, if one
-            # exists, with the following arguments:
-            #
-            # $1: $KERNELRELEASE - full kernel version string
-            # $2: $KBUILD_IMAGE - the final image path
-            # $3: System.map - path to System.map file, seemingly hardcoded everywhere
-            # $4: $INSTALL_PATH - path to the destination directory as specified in installFlags
-            #
-            # $2 is exactly what we want, so hijack the script and use the knowledge given to it
-            # by the makefile overlords for our own nefarious ends.
-            #
-            # Note that the makefiles specifically look in ~/bin/installkernel, and
-            # writeShellScriptBin writes the script to <store path>/bin/installkernel,
-            # so HOME needs to be set to just the store path.
-            #
-            # FIXME: figure out a less roundabout way of doing this.
-            installkernel = buildPackages.writeShellScriptBin "installkernel" ''
-              cp -av $2 $4
-              cp -av $3 $4
-            '';
-          in
-          ''
-            installFlagsArray+=("-j$NIX_BUILD_CORES")
-            export HOME=${installkernel}
-          '';
-
-        # Some image types need special install targets (e.g. uImage is installed with make uinstall on arm)
-        installTargets = [
-          (kernelConf.installTarget or (
-            if kernelConf.target == "uImage" && stdenv.hostPlatform.linuxArch == "arm" then
-              "uinstall"
-            else if
-              kernelConf.target == "zImage"
-              || kernelConf.target == "Image.gz"
-              || kernelConf.target == "vmlinuz.efi"
-            then
-              "zinstall"
-            else
-              "install"
-          )
-          )
-        ];
-
-        # We remove a bunch of stuff that is symlinked from other places to save space,
-        # which trips the broken symlink check. So, just skip it. We'll know if it explodes.
-        dontCheckForBrokenSymlinks = true;
-
-        postInstall = optionalString isModular ''
-          mkdir -p $dev
-          cp vmlinux $dev/
-          # if [ -z "''${dontStrip-}" ]; then
-          #   installFlagsArray+=("INSTALL_MOD_STRIP=1")
-          # fi
-          make modules_install $makeFlags "''${makeFlagsArray[@]}" \
-            $installFlags "''${installFlagsArray[@]}"
-          unlink $out/lib/modules/${modDirVersion}/build
-          rm -f $out/lib/modules/${modDirVersion}/source
-
-          mkdir -p $dev/lib/modules/${modDirVersion}/{build,source}
-
-          # To save space, exclude a bunch of unneeded stuff when copying.
-          (cd .. && rsync --archive --prune-empty-dirs \
-              --exclude='/build/' \
-              * $dev/lib/modules/${modDirVersion}/source/)
-
-          cd $dev/lib/modules/${modDirVersion}/source
-
-          cp $buildRoot/{.config,Module.symvers} $dev/lib/modules/${modDirVersion}/build
-          make modules_prepare $makeFlags "''${makeFlagsArray[@]}" O=$dev/lib/modules/${modDirVersion}/build
-
-          # For reproducibility, removes accidental leftovers from a `cc1` call
-          # from a `try-run` call from the Makefile
-          rm -f $dev/lib/modules/${modDirVersion}/build/.[0-9]*.d
-
-          # Keep some extra files on some arches (powerpc, aarch64)
-          for f in arch/powerpc/lib/crtsavres.o arch/arm64/kernel/ftrace-mod.o; do
-            if [ -f "$buildRoot/$f" ]; then
-              cp $buildRoot/$f $dev/lib/modules/${modDirVersion}/build/$f
-            fi
-          done
-
-          # !!! No documentation on how much of the source tree must be kept
-          # If/when kernel builds fail due to missing files, you can add
-          # them here. Note that we may see packages requiring headers
-          # from drivers/ in the future; it adds 50M to keep all of its
-          # headers on 3.10 though.
-
-          chmod u+w -R ..
-          arch=$(cd $dev/lib/modules/${modDirVersion}/build/arch; ls)
-
-          # Remove unused arches
-          for d in $(cd arch/; ls); do
-            if [ "$d" = "$arch" ]; then continue; fi
-            if [ "$arch" = arm64 ] && [ "$d" = arm ]; then continue; fi
-            rm -rf arch/$d
-          done
-
-          # Remove all driver-specific code (50M of which is headers)
-          rm -fR drivers
-
-          # Keep all headers
-          find .  -type f -name '*.h' -print0 | xargs -0 -r chmod u-w
-
-          # Keep linker scripts (they are required for out-of-tree modules on aarch64)
-          find .  -type f -name '*.lds' -print0 | xargs -0 -r chmod u-w
-
-          # Keep root and arch-specific Makefiles
-          chmod u-w Makefile arch/"$arch"/Makefile*
-
-          # Keep whole scripts dir
-          chmod u-w -R scripts
-
-          # Delete everything not kept
-          find . -type f -perm -u=w -print0 | xargs -0 -r rm
-
-          # Delete empty directories
-          find -empty -type d -delete
-
-          pkgName="patos-kernel-modules"
-          mkdir -p $out/tree/usr/lib/extension-release.d
-          cat << EOF > $out/tree/usr/lib/extension-release.d/extension-release.$pkgName
-          ID=patos
-          IMAGE_ID=$pkgName
-          IMAGE_VERSION=${version}
-          VERSION_ID=patos
-          EOF
-          cp -Prp $out/lib/modules $out/tree/usr/lib/modules
-          find $out/tree -type d -exec chmod 0755 {} \;
-          mkfs.erofs --all-root -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking $out/$pkgName.raw $out/tree/
-          veritysetup format --root-hash-file $out/$pkgName.roothash $out/$pkgName.raw $out/$pkgName.verity
-          chmod -R 755 $out/tree && rm -rf $out/tree
-        '';
-
-        requiredSystemFeatures = [ "big-parallel" ];
-
-        meta = {
-          # https://github.com/NixOS/nixpkgs/pull/345534#issuecomment-2391238381
-          broken = withRust && lib.versionOlder version "6.12";
-
-          description =
-            "The Linux kernel"
-            + (
-              if kernelPatches == [ ] then
-                ""
-              else
-                " (with patches: " + lib.concatStringsSep ", " (map (x: x.name) kernelPatches) + ")"
-            );
-          license = lib.licenses.gpl2Only;
-          homepage = "https://www.kernel.org/";
-          maintainers = lib.teams.linux-kernel.members ++ [
-            maintainers.thoughtpolice
-          ];
-          platforms = platforms.linux;
-          badPlatforms =
-            lib.optionals (lib.versionOlder version "4.15") [
-              "riscv32-linux"
-              "riscv64-linux"
-            ]
-            ++ lib.optional (lib.versionOlder version "5.19") "loongarch64-linux";
-          timeout = 14400; # 4 hours
-        } // extraMeta;
-      };
-
-    # Absolute paths for compilers avoid any PATH-clobbering issues.
-    commonMakeFlags =
-      [
-        "ARCH=${stdenv.hostPlatform.linuxArch}"
-        "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
-      ]
-      ++ lib.optionals (stdenv.isx86_64 && stdenv.cc.bintools.isLLVM) [
-        # The wrapper for ld.lld breaks linking the kernel. We use the
-        # unwrapped linker as workaround. See:
-        #
-        # https://github.com/NixOS/nixpkgs/issues/321667
-        "LD=${stdenv.cc.bintools.bintools}/bin/${stdenv.cc.targetPrefix}ld"
-      ]
-      ++ (stdenv.hostPlatform.linux-kernel.makeFlags or [ ])
-      ++ extraMakeFlags;
-  in
-
-  stdenv.mkDerivation (
-    builtins.foldl' lib.recursiveUpdate { } [
-      (drvAttrs config stdenv.hostPlatform.linux-kernel kernelPatches configfile)
-      {
-        inherit pname version;
-
-        enableParallelBuilding = true;
-
-        hardeningDisable = [
-          "bindnow"
-          "format"
-          "fortify"
-          "stackprotector"
-          "pic"
-          "pie"
-        ];
-
-        makeFlags = [
-          "O=$(buildRoot)"
-        ] ++ commonMakeFlags;
-
-        passthru = { inherit commonMakeFlags; };
-
-        karch = stdenv.hostPlatform.linuxArch;
-      }
-      (optionalAttrs (pos != null) { inherit pos; })
-    ]
-  )
-)
diff --git a/pkgs/kexec-tools/default.nix b/pkgs/kexec-tools/default.nix
deleted file mode 100644
index 4ba15ba..0000000
--- a/pkgs/kexec-tools/default.nix
+++ /dev/null
@@ -1,62 +0,0 @@
-{
-  lib,
-  stdenv,
-  buildPackages,
-  fetchFromGitHub,
-  autoconf,
-  zlib,
-}:
-
-stdenv.mkDerivation {
-  pname = "kexec-tools";
-  version = "main";
-
-  src = fetchFromGitHub {
-    owner = "horms";
-    repo = "kexec-tools";
-    rev = "a7fcd424c4c80dea5a2fd5ffa274ffeb8129c790";
-    hash = "sha256-QKE+KCkueA21zNunTMidP9OuZaw0IG5tFDF4UJITTTQ=";
-  };
-
-  dontPatchShebangs = true;
-
-  hardeningDisable = [
-    "format"
-    "pic"
-    "relro"
-    "pie"
-  ];
-
-  buildCommand = ''
-    unpackPhase
-    mkdir -p $out
-    cd source
-    ./bootstrap
-    ./configure --prefix=/
-    make DESTDIR=$out install
-  '';
-
-  depsBuildBuild = [ buildPackages.stdenv.cc ];
-
-  buildInputs = [
-    zlib
-    autoconf
-  ];
-
-  enableParallelBuilding = true;
-
-  meta = with lib; {
-    homepage = "http://horms.net/projects/kexec/kexec-tools";
-    description = "Tools related to the kexec Linux feature";
-    platforms = platforms.linux;
-    badPlatforms = [
-      "microblaze-linux"
-      "microblazeel-linux"
-      "riscv64-linux"
-      "riscv32-linux"
-      "sparc-linux"
-      "sparc64-linux"
-    ];
-    license = licenses.gpl2Only;
-  };
-}
diff --git a/pkgs/lvm2/default.nix b/pkgs/lvm2/default.nix
deleted file mode 100644
index 8d18663..0000000
--- a/pkgs/lvm2/default.nix
+++ /dev/null
@@ -1,61 +0,0 @@
-{
-  stdenv,
-  pkgs,
-  fetchurl,
-  lib,
-  pkg-config,
-  libaio,
-  udev,
-}:
-
-stdenv.mkDerivation {
-  pname = "lvm2";
-  version = pkgs.lvm2.version;
-
-  src = pkgs.lvm2.src;
-
-  nativeBuildInputs = [
-    pkg-config
-  ];
-  buildInputs = [
-      libaio
-      udev
-  ];
-
-  configureFlags = [
-    "--prefix=/"
-    "--sbindir=/usr/bin"
-    "--sysconfdir=/etc"
-    "--localstatedir=/var"
-    "--enable-cmdlib"
-    "--enable-dmeventd"
-    "--enable-lvmpolld"
-    "--enable-pkgconfig"
-    "--enable-udev_rules"
-    "--enable-udev_sync"
-    "--enable-write_install"
-    "--with-cache=internal"
-    "--with-thin=internal"
-  ];
-
-  preInstall = ''
-    mkdir -p $out
-    export DESTDIR=$out
-  '';
-  doCheck = false;
-
-  meta = with lib; {
-    homepage = "http://sourceware.org/lvm2/";
-    description = "Tools to support Logical Volume Management (LVM) on Linux";
-    platforms = platforms.linux;
-    license = with licenses; [
-      gpl2Only
-      bsd2
-      lgpl21
-    ];
-    maintainers = with maintainers; [
-      raskin
-      ajs124
-    ];
-  };
-}
diff --git a/pkgs/openssl/default.nix b/pkgs/openssl/default.nix
deleted file mode 100644
index 08c1309..0000000
--- a/pkgs/openssl/default.nix
+++ /dev/null
@@ -1,164 +0,0 @@
-{
-  lib,
-  pkgs,
-  stdenv,
-  fetchurl,
-  perl,
-  makeBinaryWrapper,
-  withCryptodev ? false,
-  cryptodev,
-  withZlib ? false,
-  zlib,
-  enableSSL2 ? false,
-  enableSSL3 ? false,
-  enableMD2 ? false,
-  enableKTLS ? stdenv.hostPlatform.isLinux,
-  static ? stdenv.hostPlatform.isStatic,
-  removeReferencesTo,
-}:
-
-stdenv.mkDerivation rec {
-    pname = "openssl";
-    version = pkgs.openssl.version;
-
-    src = pkgs.openssl.src;
-
-    outputs = [ "out" ];
-
-    nativeBuildInputs =
-      lib.optional (!stdenv.hostPlatform.isWindows) makeBinaryWrapper
-      ++ [ perl ]
-      ++ lib.optionals static [ removeReferencesTo ];
-    buildInputs = lib.optional withCryptodev cryptodev ++ lib.optional withZlib zlib;
-
-    # TODO(@Ericson2314): Improve with mass rebuild
-    configurePlatforms = [ ];
-    configureScript =
-      {
-        armv5tel-linux = "./Configure linux-armv4 -march=armv5te";
-        armv6l-linux = "./Configure linux-armv4 -march=armv6";
-        armv7l-linux = "./Configure linux-armv4 -march=armv7-a";
-        x86_64-darwin = "./Configure darwin64-x86_64-cc";
-        aarch64-darwin = "./Configure darwin64-arm64-cc";
-        x86_64-linux = "./Configure linux-x86_64";
-        x86_64-solaris = "./Configure solaris64-x86_64-gcc";
-        powerpc64-linux = "./Configure linux-ppc64";
-        riscv32-linux = "./Configure ${
-          if lib.versionAtLeast version "3.2" then "linux32-riscv32" else "linux-latomic"
-        }";
-        riscv64-linux = "./Configure linux64-riscv64";
-      }
-      .${stdenv.hostPlatform.system} or (
-        if stdenv.hostPlatform == stdenv.buildPlatform then
-          "./config"
-        else if stdenv.hostPlatform.isBSD then
-          if stdenv.hostPlatform.isx86_64 then
-            "./Configure BSD-x86_64"
-          else if stdenv.hostPlatform.isx86_32 then
-            "./Configure BSD-x86" + lib.optionalString stdenv.hostPlatform.isElf "-elf"
-          else
-            "./Configure BSD-generic${toString stdenv.hostPlatform.parsed.cpu.bits}"
-        else if stdenv.hostPlatform.isMinGW then
-          "./Configure mingw${
-            lib.optionalString (stdenv.hostPlatform.parsed.cpu.bits != 32) (
-              toString stdenv.hostPlatform.parsed.cpu.bits
-            )
-          }"
-        else if stdenv.hostPlatform.isLinux then
-          if stdenv.hostPlatform.isx86_64 then
-            "./Configure linux-x86_64"
-          else if stdenv.hostPlatform.isMicroBlaze then
-            "./Configure linux-latomic"
-          else if stdenv.hostPlatform.isMips32 then
-            "./Configure linux-mips32"
-          else if stdenv.hostPlatform.isMips64n32 then
-            "./Configure linux-mips64"
-          else if stdenv.hostPlatform.isMips64n64 then
-            "./Configure linux64-mips64"
-          else
-            "./Configure linux-generic${toString stdenv.hostPlatform.parsed.cpu.bits}"
-        else if stdenv.hostPlatform.isiOS then
-          "./Configure ios${toString stdenv.hostPlatform.parsed.cpu.bits}-cross"
-        else
-          throw "Not sure what configuration to use for ${stdenv.hostPlatform.config}"
-      );
-
-    # OpenSSL doesn't like the `--enable-static` / `--disable-shared` flags.
-    dontAddStaticConfigureFlags = true;
-
-    configureFlags =
-      [
-        "shared" # "shared" builds both shared and static libraries
-        "--prefix=/"
-        "--libdir=lib"
-        "--openssldir=/etc/ssl"
-      ]
-      ++ lib.optionals withCryptodev [
-        "-DHAVE_CRYPTODEV"
-        "-DUSE_CRYPTODEV_DIGESTS"
-      ]
-      ++ lib.optional enableMD2 "enable-md2"
-      ++ lib.optional enableSSL2 "enable-ssl2"
-      ++ lib.optional enableSSL3 "enable-ssl3"
-      # We select KTLS here instead of the configure-time detection (which we patch out).
-      # KTLS should work on FreeBSD 13+ as well, so we could enable it if someone tests it.
-      ++ lib.optional (lib.versionAtLeast version "3.0.0" && enableKTLS) "enable-ktls"
-      ++ lib.optional (lib.versionAtLeast version "1.1.1" && stdenv.hostPlatform.isAarch64) "no-afalgeng"
-      # OpenSSL needs a specific `no-shared` configure flag.
-      # See https://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options
-      # for a comprehensive list of configuration options.
-      ++ lib.optional (lib.versionAtLeast version "1.1.1" && static) "no-shared"
-      ++ lib.optional (lib.versionAtLeast version "3.0.0" && static) "no-module"
-      # This introduces a reference to the CTLOG_FILE which is undesired when
-      # trying to build binaries statically.
-      ++ lib.optional static "no-ct"
-      ++ lib.optional withZlib "zlib"
-      # /dev/crypto support has been dropped in OpenBSD 5.7.
-      #
-      # OpenBSD's ports does this too,
-      # https://github.com/openbsd/ports/blob/a1147500c76970fea22947648fb92a093a529d7c/security/openssl/3.3/Makefile#L25.
-      #
-      # https://github.com/openssl/openssl/pull/10565 indicated the
-      # intent was that this would be configured properly automatically,
-      # but that doesn't appear to be the case.
-      ++ lib.optional stdenv.hostPlatform.isOpenBSD "no-devcryptoeng"
-      ++ lib.optionals (stdenv.hostPlatform.isMips && stdenv.hostPlatform ? gcc.arch) [
-        # This is necessary in order to avoid openssl adding -march
-        # flags which ultimately conflict with those added by
-        # cc-wrapper.  Openssl assumes that it can scan CFLAGS to
-        # detect any -march flags, using this perl code:
-        #
-        #   && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})
-        #
-        # The following bogus CFLAGS environment variable triggers the
-        # the code above, inhibiting `./Configure` from adding the
-        # conflicting flags.
-        "CFLAGS=-march=${stdenv.hostPlatform.gcc.arch}"
-      ];
-
-    postPatch = ''
-      patchShebangs Configure
-    '';
-
-    installPhase = ''
-      make DESTDIR=$out install
-      rm -rf $out/etc/ssl/*.dist $out/etc/ssl/misc
-    '';
-
-    enableParallelBuilding = true;
-
-    meta = {
-      homepage = "https://www.openssl.org/";
-      changelog = "https://github.com/openssl/openssl/blob/openssl-${version}/CHANGES.md";
-      description = "Cryptographic library that implements the SSL and TLS protocols";
-      license = lib.licenses.openssl;
-      mainProgram = "openssl";
-      maintainers = with lib.maintainers; [ thillux ] ++ lib.teams.stridtech.members;
-      pkgConfigModules = [
-        "libcrypto"
-        "libssl"
-        "openssl"
-      ];
-      platforms = lib.platforms.all;
-    };
-}
diff --git a/pkgs/rootfs/mkinitrd.nix b/pkgs/rootfs/mkinitrd.nix
deleted file mode 100644
index c46ed9d..0000000
--- a/pkgs/rootfs/mkinitrd.nix
+++ /dev/null
@@ -1,93 +0,0 @@
-{
-  pkgs,
-  patosPkgs,
-  runCommand,
-  ...
-}:
-let
-  secureBootEnroll = ./secure-boot-enroll.sh;
-in
-runCommand "patos-initrd" {
-  inherit secureBootEnroll;
-
-  buildInputs = with pkgs; [
-    cpio
-    xz
-  ];
-}
-''
-echo "Building initram disk"
-mkdir -p $out/root
-pushd $out/root
-
-### copy rootfs
-cp -prP ${patosPkgs.rootfs}/* .
-find . -type d -exec chmod 755 {} \;
-mkdir sysroot
-
-### create directories
-ln -sf ../usr/lib/systemd/systemd init
-
-### Create needed files
-echo patos > ./etc/hostname
-
-ln -sf /etc/os-release ./etc/initrd-release
-
-# set default target to initrd inside initrd
-ln -sf initrd.target ./usr/lib/systemd/system/default.target
-
-# setup secure boot
-cat $secureBootEnroll > ./usr/bin/secure-boot-enroll
-chmod +x ./usr/bin/secure-boot-enroll
-
-cat <<EOF > ./usr/lib/systemd/system/secure-boot-enroll.service
-[Unit]
-Description=Enroll Secure Boot
-DefaultDependencies=false
-After=sysroot-run.mount
-Requires=sysroot-run.mount
-Before=systemd-repart.service initrd.target shutdown.target sysinit.target
-ConditionKernelCommandLine=patos.secureboot=true
-ConditionPathExists=|!/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/secure-boot-enroll
-RemainAfterExit=yes
-EOF
-ln -sf ../secure-boot-enroll.service ./usr/lib/systemd/system/initrd-root-fs.target.wants/secure-boot-enroll.service
-
-# bind mount /run to /sysroot/run
-cat <<EOF > ./usr/lib/systemd/system/sysroot-run.mount
-[Unit]
-Before=initrd-fs.target
-DefaultDependencies=false
-
-[Mount]
-Options=bind
-What=/run
-Where=/sysroot/run
-EOF
-mkdir ./usr/lib/systemd/system/initrd-fs.target.requires/
-ln -sf ../sysroot-run.mount ./usr/lib/systemd/system/initrd-fs.target.requires/sysroot-run.mount
-
-# repart: generate crypttab and fstab under /run
-mkdir ./usr/lib/systemd/system/systemd-repart.service.d
-cat <<EOF > ./usr/lib/systemd/system/systemd-repart.service.d/override.conf
-[Unit]
-After=sysroot-run.mount
-Requires=sysroot-run.mount
-
-[Service]
-Environment=SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard
-ExecStart=
-ExecStart=systemd-repart --dry-run=no --generate-crypttab=/run/crypttab --generate-fstab=/run/fstab
-EOF
-ln -sf ../systemd-repart.service ./usr/lib/systemd/system/initrd-root-fs.target.wants/systemd-repart.service
-
-# gen initrd
-find . -print0 | cpio --null --owner=root:root -o --format=newc | xz -9 --check=crc32 > ../initrd.xz
-
-popd
-rm -rf $out/root
-''
diff --git a/pkgs/rootfs/mkrootfs.nix b/pkgs/rootfs/mkrootfs.nix
deleted file mode 100644
index bda4c7d..0000000
--- a/pkgs/rootfs/mkrootfs.nix
+++ /dev/null
@@ -1,230 +0,0 @@
-{
-  pkgs,
-  patosPkgs,
-  version,
-  runCommand,
-}:
-let
-  defaultPassword = "patos";
-in
-
-runCommand "patos-rootfs"
-{
-  inherit version;
-
-  buildInputs = with pkgs;[
-    glibc
-    binutils
-  ];
-
-}
-''
-### create directory structure
-mkdir -p $out/etc/repart.d $out/dev $out/proc $out/sys \
-  $out/tmp $out/root $out/run $out/boot $out/mnt $out/home $out/srv $out/var
-ln -sf /usr/bin $out/bin
-ln -sf /usr/bin $out/sbin
-ln -sf /usr/lib $out/lib
-ln -sf /usr/lib $out/lib64
-ln -sf /tmp $out/var/tmp
-ln -sf ../proc/self/mounts $out/etc/mtab
-
-### install systemd
-cp -Pr ${patosPkgs.systemd}/* $out/
-find $out -type d -exec chmod 755 {} \;
-rm -rf $out/usr/include
-rm -rf $out/usr/sbin
-ln -sf /usr/bin $out/usr/sbin
-rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service
-# enable in ramdisk instead
-rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-repart.service
-rm -f $out/usr/lib/systemd/system/initrd-root-fs.target.wants/systemd-repart.service
-
-rm -f $out/usr/lib/systemd/ukify
-rm -f $out/usr/bin/ukify
-rm -f $out/usr/lib/udev/rules.d/90-vconsole.rules
-ln -s /run/systemd/resolve/stub-resolv.conf $out/etc/resolv.conf
-
-cat <<EOF > $out/etc/os-release
-NAME=PatOS
-PRETTY_NAME=PatOS v${version} (Pre-Alpha)
-IMAGE_ID=patos
-ID=patos
-IMAGE_VERSION=${version}
-VERSION=${version}
-VERSION_ID=patos
-BUILD_ID=somehash
-EOF
-
-cat <<EOF > $out/etc/issue
-<<< Welcome to PatOS v${version} (Pre-Alpha) (\m) - \l >>>
-
-EOF
-
-# replace agetty with busybox getty (optionally autologin)
-mkdir $out/usr/lib/systemd/system/serial-getty@.service.d
-cat <<EOF > $out/usr/lib/systemd/system/serial-getty@.service.d/override.conf
-[Service]
-ExecStart=
-ExecStart=-/bin/login -f root
-EOF
-# ExecStart=-/sbin/getty -L %I 115200 vt100
-
-# Configure systemd-repart
-cat <<EOF > $out/etc/repart.d/10-esp.conf
-[Partition]
-Type=esp
-Format=vfat
-SizeMaxBytes=128M
-SizeMinBytes=128M
-EOF
-
-cat <<EOF > $out/etc/repart.d/20-root-a.conf
-[Partition]
-Type=root
-SizeMaxBytes=64M
-SizeMinBytes=64M
-EOF
-
-cat <<EOF > $out/etc/repart.d/22-root-verify-a.conf
-[Partition]
-Type=root-verity
-EOF
-
-cat <<EOF > $out/etc/repart.d/30-root-b.conf
-[Partition]
-Type=root
-Label=_empty
-SizeMaxBytes=64M
-SizeMinBytes=64M
-ReadOnly=1
-EOF
-
-cat <<EOF > $out/etc/repart.d/32-root-verity-b.conf
-[Partition]
-Type=root-verity
-Label=_empty
-ReadOnly=1
-EOF
-
-cat <<EOF > $out/etc/repart.d/40-var.conf
-[Partition]
-Type=var
-Format=btrfs
-MakeDirectories=/var/lib/confexts /var/lib/extensions /var/lib/portables /var/.snapshots
-MountPoint=/var
-Label=patos-state
-Encrypt=tpm2
-EncryptedVolume=patos-state:none:tpm2-device=auto,luks,discard
-Subvolumes=/var/lib/confexts /var/lib/extensions /var/lib/portables /var/.snapshots
-MountPoint=/var/lib/confexts:subvol=/var/lib/confexts
-MountPoint=/var/lib/extensions:subvol=/var/lib/extensions
-MountPoint=/var/lib/portables:subvol=/var/lib/portables
-MountPoint=/var/.snapshots:subvol=/var/.snapshots
-SizeMinBytes=1G
-Minimize=off
-FactoryReset=yes
-EOF
-
-# as rootfs is read-only we need to configure the fstab and cryptsetup generators to look
-# for config under /run (which are generated by systemd-repart in initrd)
-rm -f $out/etc/systemd/system.conf
-cat <<EOF > $out/etc/systemd/system.conf
-[Manager]
-DefaultEnvironment=PATH=/bin:/sbin:/usr/bin
-ManagerEnvironment=PATH=/bin:/sbin:/usr/bin SYSTEMD_CRYPTTAB=/run/crypttab SYSTEMD_SYSROOT_FSTAB=/run/fstab SYSTEMD_FSTAB=/run/fstab
-EOF
-
-### install PatOS glibc
-cp -P ${patosPkgs.glibc}/lib/*.so* $out/usr/lib/
-
-### install openssl
-cp -P ${patosPkgs.openssl}/lib/*.so* $out/usr/lib/
-cp -Pr ${patosPkgs.openssl}/etc/ssl $out/etc/
-
-### install busybox
-cp ${patosPkgs.busybox}/bin/busybox $out/usr/bin/
-$out/usr/bin/busybox --list | xargs -I {} ln -sf busybox $out/usr/bin/{}
-
-### install dbus broker
-cp -r ${patosPkgs.dbus-broker}/* $out/
-
-### install kexec
-cp -Pr ${patosPkgs.kexec}/sbin/kexec $out/usr/bin/
-
-### install dmsetup udev rules
-cp -P ${patosPkgs.lvm2}/usr/bin/dmsetup $out/usr/bin/
-cp -P ${patosPkgs.lvm2}/lib/libdevmapper.so* $out/usr/lib/
-cp -P ${patosPkgs.lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/
-
-### install btrfs progs
-cp -Pr ${pkgs.btrfs-progs}/bin/* $out/usr/bin/
-cp -Pr ${pkgs.btrfs-progs}/lib/* $out/usr/lib/
-
-### install tpm2 libs
-cp -P ${patosPkgs.tpm2-tss}/lib/*.so* $out/usr/lib/
-
-### install lib kmod
-cp -P ${pkgs.kmod.lib}/lib/*.so* $out/usr/lib/
-cp -P ${pkgs.kmod}/bin/* $out/usr/bin
-
-### install libbpf
-cp -P ${pkgs.libbpf}/lib/libbpf*.so* $out/usr/lib/
-
-### install secure boot tools
-cp -P ${pkgs.sbctl}/bin/sbctl $out/usr/bin/
-rm -f $out/usr/bin/tar
-rm -f $out/usr/bin/blkid
-cp -P ${pkgs.gnutar}/bin/tar $out/usr/bin/
-cp -P ${pkgs.util-linuxMinimal}/bin/blkid $out/usr/bin/
-cp -P ${pkgs.util-linuxMinimal}/bin/lsblk $out/usr/bin/
-
-### install xq (jq clone)
-cp -P ${pkgs.xq}/bin/xq $out/usr/bin/
-ln -sf /usr/bin/xq $out/usr/bin/jq
-
-### install ca cert bundle
-chmod 755 $out/etc/ssl $out/etc/ssl/certs
-cp -P ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/cert.pem
-ln -sf ../cert.pem $out/etc/ssl/certs/ca-certificates.crt
-ln -sf ../cert.pem $out/etc/ssl/certs/ca-bundle.crt
-
-# no need for pkgconfig, removing..
-rm -rf $out/usr/lib/pkgconfig
-
-# setup default files
-${patosPkgs.systemd}/usr/bin/systemd-hwdb --root=$out --usr update
-${patosPkgs.systemd}/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf --create
-cp $out/usr/share/factory/etc/nsswitch.conf $out/etc/
-cp $out/usr/share/factory/etc/locale.conf $out/etc/
-cp $out/usr/share/factory/etc/vconsole.conf $out/etc/
-# install sys users
-mkdir creds
-echo -n ${defaultPassword} > creds/passwd.plaintext-password.root
-CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' ${patosPkgs.systemd}/usr/bin/systemd-sysusers --root=$out rootfs/usr/lib/sysusers.d/*.conf
-chmod 600 $out/etc/shadow
-rm -rf creds
-
-# Ephemeral machine-id until registration
-ln -sf /run/machine-id $out/etc/machine-id
-
-### Find and install all shared libs
-find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \
-  grep -vE "(systemd|glibc|openssl|tpm2|devmapper)" | \
-  sort -u | xargs -I {} cp {} $out/usr/lib/
-
-find $out -type f -executable -exec chmod 755 {} \;
-
-# patch ELFs
-find $out -type f -executable -exec patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd:/usr/lib/cryptsetup {} \;
-find $out -type f -executable -exec patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 {} \;
-patchelf --remove-rpath $out/usr/lib/ld-linux-x86-64.so.2
-
-# strip binaries
-find $out -type f -executable -exec strip {} \;
-find $out -type d -exec chmod 755 {} \;
-
-# install kernel modules
-cp -r ${patosPkgs.kernel}/lib/modules $out/usr/lib/
-find $out/usr/lib/modules -type d -exec chmod 755 {} \;
-''
diff --git a/pkgs/rootfs/secure-boot-enroll.sh b/pkgs/rootfs/secure-boot-enroll.sh
deleted file mode 100644
index 2588baf..0000000
--- a/pkgs/rootfs/secure-boot-enroll.sh
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/sh
-set -ex -uo pipefail
-
-SETUP_MODE=$(sbctl status --json | jq -r '.setup_mode')
-
-[ "$SETUP_MODE" = "false" ] && exit 0
-
-cat <<EOL> /run/sbctl.yml
----
-keydir: /sysroot/boot/sbctl/keys
-guid: /sysroot/boot/sbctl/GUID
-EOL
-
-ESP=$(blkid --label ESP)
-
-mount $ESP /sysroot/boot && \
-  sbctl --config /run/sbctl.yml create-keys && \
-  sbctl --config /run/sbctl.yml enroll-keys --yolo && \
-  # Sign EFIs
-  find /sysroot/boot -type f \( -iname "*.efi" -o -iname "*.EFI" \) -print0 | xargs -I {} sbctl --config /run/sbctl.yml sign {}
-
-umount /sysroot/boot && \
-  systemctl reboot -f
diff --git a/pkgs/systemd/skip-verify-esp.patch b/pkgs/systemd/skip-verify-esp.patch
deleted file mode 100644
index 2cb9505..0000000
--- a/pkgs/systemd/skip-verify-esp.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff --git a/src/shared/find-esp.c b/src/shared/find-esp.c
-index f830d6dfe3..7ad2a8cd1d 100644
---- a/src/shared/find-esp.c
-+++ b/src/shared/find-esp.c
-@@ -403,15 +403,15 @@ static int verify_esp(
-                                               "File system \"%s\" is not a FAT EFI System Partition (ESP) file system.", p);
-         }
- 
--        r = verify_fsroot_dir(pfd, p, flags, FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK) ? NULL : &devid);
--        if (r < 0)
--                return r;
--
-         /* In a container we don't have access to block devices, skip this part of the verification, we trust
-          * the container manager set everything up correctly on its own. */
-         if (FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK))
-                 goto finish;
- 
-+        r = verify_fsroot_dir(pfd, p, flags, FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK) ? NULL : &devid);
-+        if (r < 0)
-+                return r;
-+
-         if (devnum_is_zero(devid))
-                 return log_full_errno(searching ? LOG_DEBUG : LOG_ERR,
-                                       SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV),
diff --git a/pkgs/tpm2-tools/default.nix b/pkgs/tpm2-tools/default.nix
deleted file mode 100644
index 4bb14c1..0000000
--- a/pkgs/tpm2-tools/default.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-{
-  stdenv,
-  pkgs,
-  fetchurl,
-  lib,
-  pandoc,
-  pkg-config,
-  curl,
-  openssl,
-  patosPkgs,
-  libuuid,
-}:
-
-stdenv.mkDerivation {
-  pname = "tpm2-tools";
-  version = pkgs.tpm2-tools.version;
-
-  src = pkgs.tpm2-tools.src;
-
-  nativeBuildInputs = [
-    pandoc
-    pkg-config
-  ];
-
-  buildInputs = [
-    curl
-    openssl
-    patosPkgs.tpm2-tss
-    libuuid
-  ];
-
-  # Unit tests disabled, as they rely on a dbus session
-  configureFlags = [ "--prefix=/" ];
-  preInstall = ''
-    mkdir -p $out
-    export DESTDIR=$out
-  '';
-  doCheck = false;
-
-  meta = with lib; {
-    description = "Command line tools that provide access to a TPM 2.0 compatible device";
-    homepage = "https://github.com/tpm2-software/tpm2-tools";
-    license = licenses.bsd3;
-    platforms = platforms.linux;
-    maintainers = with maintainers; [ tomfitzhenry ];
-  };
-}
diff --git a/pkgs/tpm2-tss/default.nix b/pkgs/tpm2-tss/default.nix
deleted file mode 100644
index 5a6477a..0000000
--- a/pkgs/tpm2-tss/default.nix
+++ /dev/null
@@ -1,82 +0,0 @@
-{
-  stdenv,
-  pkgs,
-  lib,
-  fetchFromGitHub,
-  autoreconfHook,
-  autoconf-archive,
-  pkg-config,
-  doxygen,
-  perl,
-  openssl,
-  json_c,
-  curl,
-  libgcrypt,
-  uthash,
-  git,
-  libuuid,
-  libtpms,
-}:
-
-stdenv.mkDerivation rec {
-  pname = "tpm2-tss";
-  version = pkgs.tpm2-tss.version;
-
-  src = pkgs.tpm2-tss.src;
-
-  patches = [
-    ./no-shadow.patch
-  ];
-
-  postPatch = ''
-    substituteInPlace ./bootstrap \
-      --replace-fail 'git describe --tags --always --dirty' 'echo "${version}"'
-  '';
-
-  outputs = [
-    "out"
-  ];
-
-  nativeBuildInputs = [
-    autoreconfHook
-    autoconf-archive
-    pkg-config
-    doxygen
-    perl
-    git
-  ];
-
-  buildInputs = [
-    openssl
-    json_c
-    curl
-    libgcrypt
-    uthash
-    libuuid
-    libtpms
-  ];
-
-  strictDeps = true;
-  preAutoreconf = "./bootstrap";
-
-  enableParallelBuilding = true;
-
-  configureFlags = [
-    "--prefix=/"
-  ];
-
-  preInstall = ''
-    mkdir -p $out
-    export DESTDIR=$out
-  '';
-
-  doCheck = false;
-
-  meta = with lib; {
-    description = "OSS implementation of the TCG TPM2 Software Stack (TSS2)";
-    homepage = "https://github.com/tpm2-software/tpm2-tss";
-    license = licenses.bsd2;
-    platforms = platforms.unix;
-    maintainers = with maintainers; [ baloo ];
-  };
-}
diff --git a/pkgs/tpm2-tss/no-shadow.patch b/pkgs/tpm2-tss/no-shadow.patch
deleted file mode 100644
index a42bf06..0000000
--- a/pkgs/tpm2-tss/no-shadow.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff --git a/configure.ac b/configure.ac
-index e2d579b8..0eac4ff3 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -672,9 +672,9 @@ AS_IF([test "$HOSTOS" = "Linux" && test "x$systemd_sysusers" != "xyes"],
-       AC_CHECK_PROG(adduser, adduser, yes)
-       AC_CHECK_PROG(addgroup, addgroup, yes)
-       AS_IF([test "x$addgroup" != "xyes" && test "x$groupadd" != "xyes" ],
--         [AC_MSG_ERROR([addgroup or groupadd are needed.])])
-+         [AC_MSG_WARN([addgroup or groupadd are needed.])])
-       AS_IF([test "x$adduser" != "xyes" && test "x$useradd" != "xyes" ],
--         [AC_MSG_ERROR([adduser or useradd are needed.])])])
-+         [AC_MSG_WARN([adduser or useradd are needed.])])])
- 
- AC_SUBST([PATH])
- 
diff --git a/systemd/0017-meson.build-do-not-create-systemdstatedir.patch b/systemd/0017-meson.build-do-not-create-systemdstatedir.patch
new file mode 100644
index 0000000..debcaab
--- /dev/null
+++ b/systemd/0017-meson.build-do-not-create-systemdstatedir.patch
@@ -0,0 +1,21 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: nikstur <nikstur@outlook.com>
+Date: Mon, 6 Nov 2023 22:51:38 +0100
+Subject: [PATCH] meson.build: do not create systemdstatedir
+
+---
+ meson.build | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/meson.build b/meson.build
+index bffda86845..cb5dcec0f9 100644
+--- a/meson.build
++++ b/meson.build
+@@ -2781,7 +2781,6 @@ install_data('LICENSE.GPL2',
+ install_subdir('LICENSES',
+                install_dir : docdir)
+ 
+-install_emptydir(systemdstatedir)
+ 
+ #####################################################################
+ 
diff --git a/pkgs/systemd/default.nix b/systemd/default.nix
similarity index 96%
rename from pkgs/systemd/default.nix
rename to systemd/default.nix
index a93fd76..3174f0f 100644
--- a/pkgs/systemd/default.nix
+++ b/systemd/default.nix
@@ -7,7 +7,7 @@
   ...
 }:
 let
-  version = "257.5";
+  version = "257.3";
 
   # Use the command below to update `releaseTimestamp` on every (major) version
   # change. More details in the commentary at mesonFlags.
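Review bot: `version` moves backwards from 257.5 to 257.3 with no rationale visible in the hunk, and later point releases in a series normally carry only fixes, so the older pin silently gives those up. If the downgrade is deliberate (a build or runtime regression in 257.5, say), record it next to the pin, e.g. `version = "257.3"; # pinned below 257.5: <reason — TODO>`, so the next routine bump does not undo it by accident. The `releaseTimestamp` comment just below only asks for an update on major version changes, so that value presumably still applies.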
@@ -27,13 +27,15 @@ stdenv.mkDerivation (finalAttrs: {
     owner = "systemd";
     repo = "systemd";
     rev = "v${version}";
-    hash = "sha256-6rxJUYRq785U6aik5VhQRqG+Ss67lBB6T3eQF+tkyhk=";
+    hash = "sha256-GvRn55grHWR6M+tA86RMzqinuXNpPZzRB4ApuGN/ZvU=";
   };
 
-  patches = [ ./skip-verify-esp.patch ];
-
   dontCheckForBrokenSymlinks = true;
 
+  patches = [
+    ./0017-meson.build-do-not-create-systemdstatedir.patch
+  ];
+
   nativeBuildInputs = with pkgs; [
     bash
     pkg-config
@@ -186,7 +188,6 @@ stdenv.mkDerivation (finalAttrs: {
     (lib.mesonOption "tty-gid" "3") # tty in NixOS has gid 3
 
     (lib.mesonOption "kmod-path" "/usr/bin/kmod")
-    (lib.mesonOption "kexec-path" "/usr/bin/kexec")
     (lib.mesonOption "debug-shell" "/usr/bin/sh")
     (lib.mesonOption "pamconfdir" "/etc/pam.d")
     (lib.mesonOption "shellprofiledir" "/etc/profile.d")
@@ -195,7 +196,7 @@ stdenv.mkDerivation (finalAttrs: {
     (lib.mesonOption "dbussystemservicedir" "/usr/share/dbus-1/system-services")
     (lib.mesonOption "setfont-path" "/usr/bin/setfont")
     (lib.mesonOption "loadkeys-path" "/usr/bin/loadkeys")
-    (lib.mesonOption "sulogin-path" "/usr/bin/sulogin")
+    (lib.mesonOption "sulogin-path"  "/usr/bin/sulogin")
     (lib.mesonOption "nologin-path" "/usr/bin/nologin")
     (lib.mesonOption "mount-path" "/usr/bin/mount")
     (lib.mesonOption "umount-path" "/usr/bin/umount")
@@ -289,7 +290,7 @@ stdenv.mkDerivation (finalAttrs: {
     (lib.mesonEnable "man" false)
 
     (lib.mesonBool "analyze" true)
-    (lib.mesonBool "logind" false)
+    (lib.mesonBool "logind" true)
     (lib.mesonBool "localed" false)
     (lib.mesonBool "hostnamed" true)
     (lib.mesonBool "machined" true)
@@ -308,7 +309,7 @@ stdenv.mkDerivation (finalAttrs: {
     (lib.mesonBool "utmp" true)
     (lib.mesonBool "log-trace" true)
 
-    (lib.mesonBool "kernel-install" false)
+    (lib.mesonBool "kernel-install" true)
     (lib.mesonBool "quotacheck" false)
     (lib.mesonBool "ldconfig" false)
     (lib.mesonBool "install-sysconfdir" true)
diff --git a/utils/mkinitrd.nix b/utils/mkinitrd.nix
new file mode 100644
index 0000000..0bd234c
--- /dev/null
+++ b/utils/mkinitrd.nix
@@ -0,0 +1,170 @@
+{
+  pkgs,
+  patosPkgs,
+  ...
+}:
+pkgs.writeShellApplication {
+  name = "mkinitrd";
+
+  runtimeInputs = with pkgs; [
+    patchelf
+    cpio
+    gzip
+  ];
+
+  text = ''
+    echo "Building initram disk"
+    mkdir -p root
+    pushd root
+
+    ### create directories
+    mkdir -p etc dev proc sys tmp root
+    ln -sf usr/bin bin
+    ln -sf usr/bin sbin
+    ln -sf usr/lib lib
+    ln -sf usr/lib lib64
+    ln -sf ../proc/self/mounts etc/mtab
+    ln -sf ../usr/lib/systemd/systemd init
+
+    ### install systemd
+    cp -Pr ${patosPkgs.systemd.out}/* ./
+    find . -type d -exec chmod 755 {} \;
+    rm -rf ./usr/include
+    rm -rf ./usr/sbin
+    # set default target to basic
+    mkdir usr/lib/systemd/system/basic.target.wants
+    ln -sf basic.target usr/lib/systemd/system/default.target
+    # remove first boot
+    rm -f usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service
+    # remove vconsole setup
+    rm -f usr/lib/udev/rules.d/90-vconsole.rules
+
+    ### install PatOS glibc
+    cp -Pr ${patosPkgs.glibc.out}/lib/*.so* ./usr/lib/
+
+    ### install kernel modules
+    cp -Pr ${patosPkgs.kernel.kernel}/lib/modules ./usr/lib/
+    find usr/lib/modules -type d -exec chmod 755 {} \;
+
+    ### install busybox
+    cp ${pkgs.busybox.out}/bin/busybox ./usr/bin/
+    usr/bin/busybox --list | xargs -I {} ln -sf busybox usr/bin/{}
+
+    ### install dbus broker
+    cp -r ${patosPkgs.dbus-broker.out}/* ./
+    ln -sf ../dbus-broker.service usr/lib/systemd/system/basic.target.wants/dbus.service
+    ln -sf ../dbus.socket usr/lib/systemd/system/sockets.target.wants/dbus.socket
+
+    ### install lib kmod
+    cp -P ${pkgs.kmod.lib}/lib/* ./usr/lib
+    cp -P ${pkgs.kmod.out}/bin/* ./usr/bin
+
+    ### install libbpf
+    cp -P ${pkgs.libbpf.out}/lib/libbpf* ./usr/lib
+
+    ### Find and install all shared libs
+    find . -type f -executable -exec ldd {} \; 2> /dev/null | awk '{print $3}' | grep -v systemd | grep -v glibc | sort -u | xargs cp -t usr/lib
+    find . -type f -executable -exec chmod 755 {} \;
+
+
+    ### Create needed files
+    echo patos > ./etc/hostname
+    cat <<EOF > ./etc/os-release
+    NAME="PatOS"
+    PRETTY_NAME="PatOS Platform"
+    ID=patos
+    EOF
+
+    cat <<EOF > ./etc/passwd
+    root::0:0:root:/root:/bin/sh
+    bin:x:1:1:bin:/bin:/usr/bin/nologin
+    daemon:x:2:2:daemon:/:/usr/bin/nologin
+    mail:x:8:12:mail:/var/spool/mail:/usr/bin/nologin
+    ftp:x:14:11:ftp:/srv/ftp:/usr/bin/nologin
+    http:x:33:33:http:/srv/http:/usr/bin/nologin
+    uuidd:x:68:68:uuidd:/:/usr/bin/nologin
+    messagebus:x:81:81:messagebus:/:/usr/bin/nologin
+    nobody:x:99:99:nobody:/:/usr/bin/nologin
+    EOF
+    chmod 644 ./etc/passwd
+
+    cat <<EOF > ./etc/group
+    root:x:0:root
+    bin:x:1:root,bin,daemon
+    daemon:x:2:root,bin,daemon
+    sys:x:3:root,bin
+    adm:x:4:root,daemon
+    tty:x:5:
+    disk:x:6:root
+    lp:x:7:daemon
+    mem:x:8:
+    kmem:x:9:
+    wheel:x:10:root
+    ftp:x:11:
+    mail:x:12:
+    uucp:x:14:
+    log:x:19:root
+    utmp:x:20:
+    locate:x:21:
+    rfkill:x:24:
+    smmsp:x:25:
+    proc:x:26:
+    http:x:33:
+    games:x:50:
+    lock:x:54:
+    uuidd:x:68:
+    messagebus:x:81:
+    network:x:90:
+    video:x:91:
+    audio:x:92:
+    optical:x:93:
+    floppy:x:94:
+    storage:x:95:
+    scanner:x:96:
+    input:x:97:
+    power:x:98:
+    nobody:x:99:
+    EOF
+    chmod 644 ./etc/group
+
+    # FIXME: remove this later (just to get a shell in the initramfs)
+    cat <<EOF > usr/lib/systemd/system/demo.service
+    [Unit]
+    Description=Debug Shell (/bin/sulogin)
+    Conflicts=shutdown.target
+    Before=shutdown.target
+
+    [Service]
+    Environment=HOME=/root
+    WorkingDirectory=/root
+    ExecStart=/bin/sulogin
+    Type=idle
+    StandardInput=tty-force
+    StandardOutput=inherit
+    StandardError=inherit
+    KillMode=process
+    IgnoreSIGPIPE=no
+    SendSIGHUP=yes
+    Restart=always
+
+    [Install]
+    WantedBy=basic.target
+    EOF
+    ln -sf ../demo.service usr/lib/systemd/system/basic.target.wants/demo.service
+
+    # FIXME: ELF patching. Is there a better way?
+    find . -type f -executable -exec patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd {} \; 2> /dev/null
+    find . -type f -executable -exec patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 {} \; 2> /dev/null
+    patchelf --remove-rpath ./usr/lib/ld-linux-x86-64.so.2
+
+    # strip binaries
+    find . -type f -executable -exec strip {} \; 2> /dev/null
+    find . -type d -exec chmod 755 {} \;
+
+    # gen initrd
+    find . -print0 | cpio --null --owner=root:root -o --format=newc | gzip -9 > ../initrd.gz
+
+    popd
+    rm -rf root
+  '';
+}
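Review bot: The `root::0:0:root:/root:/bin/sh` line written into `./etc/passwd` gives root an empty password field, so the `/bin/sulogin` debug shell (and any other login path that ends up in this initrd) opens without a credential, while the FIXME covers only `demo.service`. Put the same FIXME on the passwd heredoc, or write `root:x:0:0:root:/root:/bin/sh` and handle the root credential in one explicit place, so the shortcut cannot survive into a non-debug image unnoticed. Separately, the `2> /dev/null` on the ldd, patchelf and strip `find -exec` lines discards every failure and `find` exits 0 regardless of what `-exec` returned, so a binary left with a Nix-store interpreter or rpath would only show up at boot; consider dropping the redirect or filtering just the expected non-ELF noise. The `sort -u | xargs cp -t usr/lib` step likely aborts under writeShellApplication's `errexit`/`pipefail` if the harvested list is ever empty (cp with no operand), and `ldd` on a non-dynamic file can emit a `not a dynamic executable` line whose third field is not a path — `xargs -r` and a `grep '^/'` filter on the awk output would make the pipeline fail only for real reasons.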
diff --git a/utils/qemu-uefi-tpm.nix b/utils/qemu-uefi-tpm.nix
index 7d51868..e6a27f9 100644
--- a/utils/qemu-uefi-tpm.nix
+++ b/utils/qemu-uefi-tpm.nix
@@ -12,25 +12,19 @@ pkgs.writeShellApplication {
 
   text =
     let
-      tpmOVMF = pkgs.OVMF.override {
-        tpmSupport = true;
-        secureBoot = true;
-      };
+      tpmOVMF = pkgs.OVMF.override { tpmSupport = true; };
     in
     ''
       set -ex
       state="/tmp/patos-qemu-$USER"
       rm -rf "$state"
       mkdir -m 700 "$state"
-      qemu-img create -f qcow2 -F raw -b "$(readlink -e "$1")" "$state/disk.qcow2" 2G
+      truncate -s 1G "$state/disk.raw"
 
       swtpm socket -d --tpmstate dir="$state" \
         --ctrl type=unixio,path="$state/swtpm-sock" \
         --tpm2 \
-        --log file="$state/swtpm.log",level=20
-
-      cp ${tpmOVMF.variables} "$state"
-      chmod 700 "$state/OVMF_VARS.fd"
+        --log level=20
 
       qemu-system-x86_64 \
         -enable-kvm \
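Review bot: swtpm is started with `-d` and its log is now `--log level=20` with no `file=`, so the verbose output has nowhere to land once the daemon detaches from the terminal — presumably it is simply lost. If the TPM trace is still wanted for debugging, keep `--log file="$state/swtpm.log",level=20` (the state directory is still created above); if not, drop `--log` entirely rather than leaving an option that suggests logging is happening. Replacing the `qemu-img create ... "$1"` line with `truncate` also means `$1` is no longer consumed in this hunk, so the script's argument contract may have changed in a way the rest of the file (outside the hunk) should reflect.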
@@ -39,16 +33,18 @@ pkgs.writeShellApplication {
         -smp 8 \
         -m 4G \
         -display none \
+        -nographic \
         -chardev "stdio,id=char0,mux=on,logfile=$state/console.log,signal=off" \
         -serial chardev:char0 \
         -mon chardev=char0 \
         -drive "if=pflash,format=raw,unit=0,readonly=on,file=${tpmOVMF.firmware}" \
-        -drive "if=pflash,format=raw,unit=1,file=$state/OVMF_VARS.fd" \
+        -drive "if=pflash,format=raw,unit=1,readonly=on,file=${tpmOVMF.variables}" \
         -chardev socket,id=chrtpm,path="$state/swtpm-sock" \
         -tpmdev emulator,id=tpm0,chardev=chrtpm \
         -device tpm-tis,tpmdev=tpm0 \
-        -netdev id=net00,type=user \
+        -netdev id=net00,type=user,hostfwd=tcp::2222-:22 \
         -device virtio-net-pci,netdev=net00 \
-        -drive "format=qcow2,file=$state/disk.qcow2"
+        -drive "file=fat:rw:patos/,format=raw" \
+        -drive "format=raw,file=$state/disk.raw"
     '';
 }
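Review bot: `hostfwd=tcp::2222-:22` binds the forwarded guest SSH port on every host interface (QEMU's user-mode `hostfwd` with an empty host address listens on 0.0.0.0), so anything that can reach the host on 2222 reaches the guest's port 22; `hostfwd=tcp:127.0.0.1:2222-:22` limits it to the local machine, which is what a dev VM script normally wants. `-drive "file=fat:rw:patos/,format=raw"` exposes the host directory `patos/` (resolved against the caller's cwd) as a writable virtual FAT volume, a mode QEMU documents as experimental; a one-line comment saying the guest may modify files under `patos/`, or `fat:ro:` if the guest only needs to read it, would keep that from surprising the next user. With the vars pflash now `readonly=on`, the firmware cannot persist anything across boots, which is consistent with dropping `secureBoot = true` above but worth stating in the same comment.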