From 2894de6b457342e760c669b20462c017620b5f90 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Fri, 28 Mar 2025 18:58:21 +0100 Subject: [PATCH 01/25] WIP: feat(linux-firmware): initial packaging of linux firmware --- flake.nix | 151 ++++++++++++++++++++++------ foo.sh | 22 ++++ pkgs/linux-firmware/default.nix | 38 +++++++ pkgs/linux-firmware/post-install.sh | 59 +++++++++++ 4 files changed, 241 insertions(+), 29 deletions(-) create mode 100755 foo.sh create mode 100644 pkgs/linux-firmware/default.nix create mode 100755 pkgs/linux-firmware/post-install.sh diff --git a/flake.nix b/flake.nix index 99fce5b..15a9152 100644 --- a/flake.nix +++ b/flake.nix @@ -25,10 +25,19 @@ { packages = { default = patosPkgs.image; - image = pkgs.callPackage ./pkgs/image { inherit patosPkgs version updateUrl cpuArch secureBoot; }; + image = pkgs.callPackage ./pkgs/image { + inherit + patosPkgs + version + updateUrl + cpuArch + secureBoot + ; + }; rootfs = pkgs.callPackage ./pkgs/rootfs/mkrootfs.nix { inherit patosPkgs version; }; initrd = pkgs.callPackage ./pkgs/rootfs/mkinitrd.nix { inherit patosPkgs version; }; kernel = pkgs.callPackage ./pkgs/kernel { }; + linux-firmware = pkgs.callPackage ./pkgs/linux-firmware { }; glibc = pkgs.callPackage ./pkgs/glibc { }; busybox = pkgs.callPackage ./pkgs/busybox { }; openssl = pkgs.callPackage ./pkgs/openssl { }; 
@@ -46,38 +55,122 @@ name = "debug-tools"; version = "0.0.1"; packages = [ - { drv = pkgs.curl; path = "bin/curl"; } - { drv = pkgs.bash; path = "bin/bash"; } - { drv = patosPkgs.glibc; path = "bin/ldd"; } - { drv = pkgs.keyutils; path = "bin/keyctl"; } - { drv = pkgs.gnutar; path = "bin/tar"; } - { drv = pkgs.binutils-unwrapped; path = "bin/strings"; } - { drv = pkgs.strace; path = "bin/strace"; } - { drv = patosPkgs.tpm2-tools; path = "bin/tpm2"; } - { drv = patosPkgs.openssl; path = "bin/openssl"; } - { drv = pkgs.cryptsetup; path = "bin/cryptsetup"; } - { drv = pkgs.cryptsetup; path = "bin/veritysetup"; } - { drv = pkgs.erofs-utils; path = "bin/mkfs.erofs"; } + { + drv = pkgs.curl; + path = "bin/curl"; + } + { + drv = pkgs.bash; + path = "bin/bash"; + } + { + drv = patosPkgs.glibc; + path = "bin/ldd"; + } + { + drv = pkgs.keyutils; + path = "bin/keyctl"; + } + { + drv = pkgs.gnutar; + path = "bin/tar"; + } + { + drv = pkgs.binutils-unwrapped; + path = "bin/strings"; + } + { + drv = pkgs.strace; + path = "bin/strace"; + } + { + drv = patosPkgs.tpm2-tools; + path = "bin/tpm2"; + } + { + drv = patosPkgs.openssl; + path = "bin/openssl"; + } + { + drv = pkgs.cryptsetup; + path = "bin/cryptsetup"; + } + { + drv = pkgs.cryptsetup; + path = "bin/veritysetup"; + } + { + drv = pkgs.erofs-utils; + path = "bin/mkfs.erofs"; + } # shared lib required for cryptsetup - { drv = pkgs.popt; path = "lib/libpopt.so.0.0.2"; } - { drv = pkgs.popt; path = "lib/libpopt.so.0"; } - { drv = pkgs.popt; path = "lib/libpopt.so"; } + { + drv = pkgs.popt; + path = "lib/libpopt.so.0.0.2"; + } + { + drv = pkgs.popt; + path = "lib/libpopt.so.0"; + } + { + drv = pkgs.popt; + path = "lib/libpopt.so"; + } # shared lib required for mkfs.erofs - { drv = pkgs.lz4.lib; path = "lib/liblz4.so.1.10.0"; } - { drv = pkgs.lz4.lib; path = "lib/liblz4.so.1"; } - { drv = pkgs.lz4.lib; path = "lib/liblz4.so"; } + { + drv = pkgs.lz4.lib; + path = "lib/liblz4.so.1.10.0"; + } + { + drv = pkgs.lz4.lib; + path = 
"lib/liblz4.so.1"; + } + { + drv = pkgs.lz4.lib; + path = "lib/liblz4.so"; + } # shared lib required for binutils - { drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1.0.0"; } - { drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1"; } - { drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd-2.43.1.so"; } - { drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd.so"; } + { + drv = pkgs.binutils-unwrapped.lib; + path = "lib/libsframe.so.1.0.0"; + } + { + drv = pkgs.binutils-unwrapped.lib; + path = "lib/libsframe.so.1"; + } + { + drv = pkgs.binutils-unwrapped.lib; + path = "lib/libbfd-2.43.1.so"; + } + { + drv = pkgs.binutils-unwrapped.lib; + path = "lib/libbfd.so"; + } # shared lib required for strace - { drv = pkgs.elfutils.out; path = "lib/libdw-0.192.so"; } - { drv = pkgs.elfutils.out; path = "lib/libdw.so.1"; } - { drv = pkgs.elfutils.out; path = "lib/libdw.so"; } - { drv = pkgs.elfutils.out; path = "lib/libelf-0.192.so"; } - { drv = pkgs.elfutils.out; path = "lib/libelf.so.1"; } - { drv = pkgs.elfutils.out; path = "lib/libelf.so"; } + { + drv = pkgs.elfutils.out; + path = "lib/libdw-0.192.so"; + } + { + drv = pkgs.elfutils.out; + path = "lib/libdw.so.1"; + } + { + drv = pkgs.elfutils.out; + path = "lib/libdw.so"; + } + { + drv = pkgs.elfutils.out; + path = "lib/libelf-0.192.so"; + } + { + drv = pkgs.elfutils.out; + path = "lib/libelf.so.1"; + } + { + drv = pkgs.elfutils.out; + path = "lib/libelf.so"; + } ]; }; }; diff --git a/foo.sh b/foo.sh new file mode 100755 index 0000000..aefb5d5 --- /dev/null +++ b/foo.sh 
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+out=/tmp/build
+_pick() {
+ local p="$1" f d; shift
+ for f; do
+ d="$out/$p/${f#$out/}"
+ echo mkdir -p "$(dirname "$d")"
+ echo mv "$f" "$d"
+ echo rm -rf "$f"
+
+ echo mkfs.erofs --all-root -Efragments,dedupe,ztailpacking $out/$p.raw $p
+ echo veritysetup format --root-hash-file $out/$p.roothash $out/$p.raw $out/$p.verity
+ done
+}
+
+# _pick amd-ucode usr/lib/firmware/amd-ucode
+
+# _pick linux-firmware-nfp usr/lib/firmware/netronome
+# _pick linux-firmware-marvell usr/lib/firmware/{libertas,mwl8k,mwlwifi,mrvl}
+_pick linux-firmware-qlogic usr/lib/firmware/{qlogic,qed,ql2???_*,c{b,t,t2}fw-*}
+
+# _pick linux-firmware-base usr/lib/firmware
diff --git a/pkgs/linux-firmware/default.nix b/pkgs/linux-firmware/default.nix
new file mode 100644
index 0000000..161b2e4
--- /dev/null
+++ b/pkgs/linux-firmware/default.nix
@@ -0,0 +1,38 @@
+{
+ stdenv,
+ pkgs,
+}:
+
+stdenv.mkDerivation {
+ pname = pkgs.linux-firmware.name;
+ version = pkgs.linux-firmware.version;
+ src = pkgs.linux-firmware.src;
+
+ buildInputs = with pkgs; [
+ erofs-utils
+ cryptsetup
+ ];
+
+ nativeBuildInputs = with pkgs; [
+ python3
+ rdfind
+ which
+ zstd
+ ];
+
+ noBrokenSymlinks = true;
+
+ installTargets = [
+ "install-zst"
+ "dedup"
+ ];
+
+ # inspo: https://gitlab.archlinux.org/archlinux/packaging/packages/linux-firmware/-/blob/main/PKGBUILD?ref_type=heads#L93
+ makeFlags = [
+ "DESTDIR=$(out)"
+ "ZSTD_CLEVEL=19"
+ "FIRMWAREDIR=/usr/lib/firmware"
+ ];
+
+ postInstall = ./post-install.sh;
+}
diff --git a/pkgs/linux-firmware/post-install.sh b/pkgs/linux-firmware/post-install.sh
new file mode 100755
index 0000000..2dbe3ca
--- /dev/null
+++ b/pkgs/linux-firmware/post-install.sh
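Review bot: `foo.sh` is a scratch script that does not belong at the repository root — every command is prefixed with `echo`, `out=/tmp/build` is hard-coded, most invocations are commented out, and its `_pick` duplicates the one in `pkgs/linux-firmware/post-install.sh` added by the same commit. Drop it from the series (the WIP marker in the subject suggests it was never meant to land). If a helper for trying out the firmware split is wanted, give it a descriptive name and a `mktemp -d` work directory rather than a fixed, predictable path under `/tmp` that the `rm -rf "$f"` would operate in once the `echo`s are removed.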
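Review bot: `pname = pkgs.linux-firmware.name;` takes the full derivation name, which already ends in the version, so the store path will be named `linux-firmware-<ver>-<ver>`; it should be `pname = pkgs.linux-firmware.pname;`. `erofs-utils` and `cryptsetup` are only executed by post-install.sh during the build, so they belong in `nativeBuildInputs` next to `python3`/`rdfind`/`zstd` — this matters once the series enables cross-compilation to aarch64 in a later patch. `postInstall = ./post-install.sh;` passes a store path rather than shell text, so the hook only works because the file is mode 0755 and bash falls back to running a shebang-less file as a script; `postInstall = builtins.readFile ./post-install.sh;` makes the intent explicit, in which case the script's `set -ex` would apply to the rest of the build shell and the `-x` should go.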
@@ -0,0 +1,59 @@
+set -ex -uo pipefail
+
+_pick() {
+ local p="$1" f d; shift
+ for f; do
+ d="$out/$p/${f#$out/}"
+ mkdir -p "$(dirname "$d")"
+ mv $out/"$f" "$d"
+ rm -rf $out/"$f"
+ done
+}
+
+_package() {
+ local p="$1"
+ mkdir -p $out/$p/usr/lib/extension-release.d
+ cat << EOF > $out/$p/usr/lib/extension-release.d/extension-release.$p
+ID=patos
+IMAGE_ID=$p
+IMAGE_VERSION=$version
+VERSION_ID=patos
+EOF
+
+ mkfs.erofs --all-root -Efragments,dedupe,ztailpacking $out/$p.raw $out/$p
+ veritysetup format --root-hash-file $out/$p.roothash $out/$p.raw $out/$p.verity
+}
+
+# remove arm64 firmware https://bugs.archlinux.org/task/76583
+rm $out/usr/lib/firmware/mrvl/prestera/mvsw_prestera_fw_arm64-v4.1.img.zst
+
+_pick amd-ucode usr/lib/firmware/amd-ucode
+_package amd-ucode
+
+_pick linux-firmware-nfp usr/lib/firmware/netronome
+_package linux-firmware-nfp
+
+_pick linux-firmware-mellanox usr/lib/firmware/mellanox
+_package linux-firmware-mellanox
+
+_pick linux-firmware-marvell usr/lib/firmware/{libertas,mwl8k,mwlwifi,mrvl}
+_package linux-firmware-marvell
+
+_pick linux-firmware-qcom usr/lib/firmware/qcom
+_package linux-firmware-qcom
+
+_pick linux-firmware-liquidio usr/lib/firmware/liquidio
+_package linux-firmware-liquidio
+
+# _pick linux-firmware-qlogic usr/lib/firmware/{qlogic,qed,ql2???_*,c{b,t,t2}fw-*}
+# _package linux-firmware-qlogic
+
+# _pick linux-firmware-bnx2x usr/lib/firmware/bnx2x*
+# _package linux-firmware-bnx2x
+
+# and the rest is base firmware
+_pick linux-firmware usr/lib/firmware
+_package linux-firmware
+
+# clean up
+# rm -rf $out/usr
From 58861e6de6c80d6b93609185048f2a98e515b444 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se>
Date: Thu, 17 Apr 2025 19:06:37 +0200
Subject: [PATCH 02/25] chore: upgrade systemd

---
 pkgs/systemd/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/systemd/default.nix b/pkgs/systemd/default.nix
index a1cb314..a93fd76 100644
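Review bot: the `.roothash` written by `veritysetup format` in `_package` is never signed, so the resulting `<name>.raw`/`.verity`/`.roothash` triple can be checked for integrity but not for authenticity; systemd's sidecar convention expects a `<name>.roothash.p7s` next to them, and this is the same gap `lib/make-sysext.nix` marks with `TODO: pcks7 signature`. `rm $out/usr/lib/firmware/mrvl/prestera/mvsw_prestera_fw_arm64-v4.1.img.zst` hard-codes an upstream-versioned filename under `set -e`, so the next `linux-firmware` bump that renames or drops it breaks the build — `rm -f $out/usr/lib/firmware/mrvl/prestera/mvsw_prestera_fw_arm64-*.img.zst` keeps the intent. The commented-out qlogic/bnx2x lines will not work as written when re-enabled: their globs (`ql2???_*`, `bnx2x*`) are expanded in the build's working directory, not under `$out`, so unmatched patterns reach `_pick` as literals and `mv $out/"$f"` fails; expand them relative to `$out` (e.g. run the `_pick` calls after `cd $out` and drop the `$out/` prefixes inside `_pick`). A comment on why the mrvl arm64 blob is removed would also help, since the bug-tracker link alone does not say what it breaks.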
--- a/pkgs/systemd/default.nix +++ b/pkgs/systemd/default.nix @@ -7,7 +7,7 @@ ... }: let - version = "257.4"; + version = "257.5"; # Use the command below to update `releaseTimestamp` on every (major) version # change. More details in the commentary at mesonFlags. From 92c204231b7cfaa9f3b880e8d3b27af2ad6474d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Sat, 19 Apr 2025 22:56:00 +0200 Subject: [PATCH 03/25] chore: nix flake update --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 2272d3d..3725da4 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1742669843, - "narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=", + "lastModified": 1744932701, + "narHash": "sha256-fusHbZCyv126cyArUwwKrLdCkgVAIaa/fQJYFlCEqiU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1e5b653dff12029333a6546c11e108ede13052eb", + "rev": "b024ced1aac25639f8ca8fdfc2f8c4fbd66c48ef", "type": "github" }, "original": { From 15227256ecf0e8aea67d3ebb21e2122a7b6a0f46 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Sat, 19 Apr 2025 23:06:44 +0200 Subject: [PATCH 04/25] chore: kernel upgrade --- pkgs/kernel/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/kernel/default.nix b/pkgs/kernel/default.nix index 51a05bf..1297825 100644 --- a/pkgs/kernel/default.nix +++ b/pkgs/kernel/default.nix @@ -1,7 +1,7 @@ { pkgs }: let - version = "6.13.8"; - hash = "sha256-JZr6Wdc9Z2vsKuib6s2UngjVTT9wp/iwp0IxUJV1Grs="; + version = "6.14.2"; + hash = "sha256-xcaCo1TqMZATk1elfTSnnlw3IhrOgjqTjhARa1d6Lhs="; in (pkgs.callPackage ./manual-config.nix { }) { version = "${version}-patos1"; From b7e526454b66c1aca7875fcab107cc3fbb780099 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Tue, 6 May 2025 18:12:03 +0200 Subject: [PATCH 05/25] chore: nix update --- flake.lock | 6 +++--- pkgs/kernel/default.nix | 4 ++-- pkgs/systemd/default.nix | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 3725da4..bb33fd6 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1744932701, - "narHash": "sha256-fusHbZCyv126cyArUwwKrLdCkgVAIaa/fQJYFlCEqiU=", + "lastModified": 1746328495, + "narHash": "sha256-uKCfuDs7ZM3QpCE/jnfubTg459CnKnJG/LwqEVEdEiw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b024ced1aac25639f8ca8fdfc2f8c4fbd66c48ef", + "rev": "979daf34c8cacebcd917d540070b52a3c2b9b16e", "type": "github" }, "original": { diff --git a/pkgs/kernel/default.nix b/pkgs/kernel/default.nix index 1297825..dcd382d 100644 --- a/pkgs/kernel/default.nix +++ b/pkgs/kernel/default.nix @@ -1,7 +1,7 @@ { pkgs }: let - version = "6.14.2"; - hash = "sha256-xcaCo1TqMZATk1elfTSnnlw3IhrOgjqTjhARa1d6Lhs="; + version = "6.14.4"; + hash = "sha256-lFLyjXoAUfukiGcSOVtITEx/z5+FlEpi/T2X3JI/Uzk="; in (pkgs.callPackage ./manual-config.nix { }) { version = "${version}-patos1"; diff --git a/pkgs/systemd/default.nix b/pkgs/systemd/default.nix index a93fd76..db0b64c 100644 --- a/pkgs/systemd/default.nix +++ b/pkgs/systemd/default.nix @@ -27,7 +27,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "systemd"; repo = "systemd"; rev = "v${version}"; - hash = "sha256-6rxJUYRq785U6aik5VhQRqG+Ss67lBB6T3eQF+tkyhk="; + hash = "sha256-mn/JB/nrOz2TOobu2d+XBH2dVH3vn/HPvWN4Zz6s+SM="; }; patches = [ ./skip-verify-esp.patch ]; From af2a063ff2dfed7b8270f72e1d4c6f856b8be7ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 7 May 2025 06:26:16 +0200 Subject: [PATCH 06/25] chore: kernel upgrade --- pkgs/kernel/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/pkgs/kernel/default.nix b/pkgs/kernel/default.nix index dcd382d..703b612 100644 --- a/pkgs/kernel/default.nix +++ b/pkgs/kernel/default.nix @@ -1,7 +1,7 @@ { pkgs }: let - version = "6.14.4"; - hash = "sha256-lFLyjXoAUfukiGcSOVtITEx/z5+FlEpi/T2X3JI/Uzk="; + version = "6.14.5"; + hash = "sha256-KCB+xSu+qjUHAQrv+UT0QvfZ8isoa3nK9F7G3xsk9Ak="; in (pkgs.callPackage ./manual-config.nix { }) { version = "${version}-patos1"; From 8ee40679fc722db4cce24f7f0eb4a1bb159c2a0f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Mon, 12 May 2025 19:40:51 +0200 Subject: [PATCH 07/25] chore: os update --- flake.lock | 6 +++--- pkgs/kernel/default.nix | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index bb33fd6..affeabc 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1746328495, - "narHash": "sha256-uKCfuDs7ZM3QpCE/jnfubTg459CnKnJG/LwqEVEdEiw=", + "lastModified": 1746904237, + "narHash": "sha256-3e+AVBczosP5dCLQmMoMEogM57gmZ2qrVSrmq9aResQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "979daf34c8cacebcd917d540070b52a3c2b9b16e", + "rev": "d89fc19e405cb2d55ce7cc114356846a0ee5e956", "type": "github" }, "original": { diff --git a/pkgs/kernel/default.nix b/pkgs/kernel/default.nix index 703b612..6b8bb21 100644 --- a/pkgs/kernel/default.nix +++ b/pkgs/kernel/default.nix @@ -1,7 +1,7 @@ { pkgs }: let - version = "6.14.5"; - hash = "sha256-KCB+xSu+qjUHAQrv+UT0QvfZ8isoa3nK9F7G3xsk9Ak="; + version = "6.14.6"; + hash = "sha256-IYF/GZjiIw+B9+T2Bfpv3LBA4U+ifZnCfdsWznSXl6k="; in (pkgs.callPackage ./manual-config.nix { }) { version = "${version}-patos1"; From 7c0d0a099dda8d253b0cefc031a6774fa3877301 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Tue, 20 May 2025 21:05:10 +0200 Subject: [PATCH 08/25] chore: nix flake update --- flake.lock | 6 +++--- pkgs/kernel/default.nix | 4 ++-- pkgs/kexec-tools/default.nix | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/flake.lock b/flake.lock index affeabc..bac1c51 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1746904237, - "narHash": "sha256-3e+AVBczosP5dCLQmMoMEogM57gmZ2qrVSrmq9aResQ=", + "lastModified": 1747542820, + "narHash": "sha256-GaOZntlJ6gPPbbkTLjbd8BMWaDYafhuuYRNrxCGnPJw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d89fc19e405cb2d55ce7cc114356846a0ee5e956", + "rev": "292fa7d4f6519c074f0a50394dbbe69859bb6043", "type": "github" }, "original": { diff --git a/pkgs/kernel/default.nix b/pkgs/kernel/default.nix index 6b8bb21..fcc8066 100644 --- a/pkgs/kernel/default.nix +++ b/pkgs/kernel/default.nix @@ -1,7 +1,7 @@ { pkgs }: let - version = "6.14.6"; - hash = "sha256-IYF/GZjiIw+B9+T2Bfpv3LBA4U+ifZnCfdsWznSXl6k="; + version = "6.14.7"; + hash = "sha256-gRIgK8JtCGlXqU0hCabc1EeMW6GNDwpeHF3+6gH1SXI="; in (pkgs.callPackage ./manual-config.nix { }) { version = "${version}-patos1"; diff --git a/pkgs/kexec-tools/default.nix b/pkgs/kexec-tools/default.nix index 4ba15ba..7454821 100644 --- a/pkgs/kexec-tools/default.nix +++ b/pkgs/kexec-tools/default.nix @@ -14,8 +14,8 @@ stdenv.mkDerivation { src = fetchFromGitHub { owner = "horms"; repo = "kexec-tools"; - rev = "a7fcd424c4c80dea5a2fd5ffa274ffeb8129c790"; - hash = "sha256-QKE+KCkueA21zNunTMidP9OuZaw0IG5tFDF4UJITTTQ="; + rev = "v2.0.31"; + hash = "sha256-Tgmc8mFlmzzRj7tEaBes7Udw4fRl6cSfe76iPNa3Ffs="; }; dontPatchShebangs = true; From d42406c6dc611a0618c3eb5089ed72c1dfd94a63 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 21 May 2025 12:43:41 +0200 Subject: [PATCH 09/25] fix: sysupdate wont work with out systemd.volatile set to overlay --- flake.nix | 9 ++++++++- pkgs/image/default.nix | 2 +- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/flake.nix b/flake.nix index 99fce5b..3567477 100644 --- a/flake.nix +++ b/flake.nix @@ -49,6 +49,13 @@ { drv = pkgs.curl; path = "bin/curl"; } { drv = pkgs.bash; path = "bin/bash"; } { drv = patosPkgs.glibc; path = "bin/ldd"; } + { drv = pkgs.util-linux; path = "bin/sfdisk"; } + { drv = pkgs.readline.out; path = "lib/libreadline.so.8.2"; } + { drv = pkgs.readline.out; path = "lib/libreadline.so.8"; } + { drv = pkgs.readline.out; path = "lib/libhistory.so.8.2"; } + { drv = pkgs.readline.out; path = "lib/libhistory.so.8"; } + { drv = pkgs.ncurses.out; path = "/lib/libncursesw.so.6.5"; } + { drv = pkgs.ncurses.out; path = "/lib/libncursesw.so.6"; } { drv = pkgs.keyutils; path = "bin/keyctl"; } { drv = pkgs.gnutar; path = "bin/tar"; } { drv = pkgs.binutils-unwrapped; path = "bin/strings"; } @@ -69,7 +76,7 @@ # shared lib required for binutils { drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1.0.0"; } { drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1"; } - { drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd-2.43.1.so"; } + { drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd-2.44.so"; } { drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd.so"; } # shared lib required for strace { drv = pkgs.elfutils.out; path = "lib/libdw-0.192.so"; } diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix index 05d9c72..f42e95d 100644 --- a/pkgs/image/default.nix +++ b/pkgs/image/default.nix 
@@ -30,7 +30,7 @@ runCommand pname { SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking"; }; - kernelCmdLine = "console=ttyS0 patos.secureboot=${secureBoot}"; + kernelCmdLine = "console=ttyS0 systemd.volatile=overlay patos.secureboot=${secureBoot}"; } '' mkdir -p $out/init.repart.d $out/final.repart.d From c883ff1cb2da53be1bc99ccd95021fd2b28e4e52 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Fri, 23 May 2025 13:14:12 +0200 Subject: [PATCH 10/25] Revert sysupdate fix due to a bug in systemd. sysext need to be unmerged before sysupdate can be used. https://github.com/systemd/systemd/pull/36617/ fix in main but not backported to stable yet. --- pkgs/image/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix index f42e95d..05d9c72 100644 --- a/pkgs/image/default.nix +++ b/pkgs/image/default.nix @@ -30,7 +30,7 @@ runCommand pname { SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking"; }; - kernelCmdLine = "console=ttyS0 systemd.volatile=overlay patos.secureboot=${secureBoot}"; + kernelCmdLine = "console=ttyS0 patos.secureboot=${secureBoot}"; } '' mkdir -p $out/init.repart.d $out/final.repart.d From df4c60d87c5c3860556a9f51db4073541aeb689f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Sat, 24 May 2025 19:19:12 +0200 Subject: [PATCH 11/25] chore: kernel and systemd update --- pkgs/kernel/default.nix | 4 ++-- pkgs/systemd/default.nix | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/kernel/default.nix b/pkgs/kernel/default.nix index fcc8066..27e4055 100644 --- a/pkgs/kernel/default.nix +++ b/pkgs/kernel/default.nix 
@@ -1,7 +1,7 @@ { pkgs }: let - version = "6.14.7"; - hash = "sha256-gRIgK8JtCGlXqU0hCabc1EeMW6GNDwpeHF3+6gH1SXI="; + version = "6.14.8"; + hash = "sha256-YrEuzTB1o1frMgk1ZX3oTgFVKANxfa04P6fMOqSqKQU="; in (pkgs.callPackage ./manual-config.nix { }) { version = "${version}-patos1"; diff --git a/pkgs/systemd/default.nix b/pkgs/systemd/default.nix index db0b64c..fea417a 100644 --- a/pkgs/systemd/default.nix +++ b/pkgs/systemd/default.nix @@ -7,7 +7,7 @@ ... }: let - version = "257.5"; + version = "257.6"; # Use the command below to update `releaseTimestamp` on every (major) version # change. More details in the commentary at mesonFlags. From 2729e079960c5d07ff6155b8a967f03f056e941e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Tue, 3 Jun 2025 08:16:50 +0200 Subject: [PATCH 12/25] chore: kernel update --- pkgs/kernel/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/kernel/default.nix b/pkgs/kernel/default.nix index 27e4055..06c14cd 100644 --- a/pkgs/kernel/default.nix +++ b/pkgs/kernel/default.nix @@ -1,7 +1,7 @@ { pkgs }: let - version = "6.14.8"; - hash = "sha256-YrEuzTB1o1frMgk1ZX3oTgFVKANxfa04P6fMOqSqKQU="; + version = "6.14.9"; + hash = "sha256-OQzd4DJxmSWghCcnAZfvVdtOkMCdRU6cNVQVcpLJ82E="; in (pkgs.callPackage ./manual-config.nix { }) { version = "${version}-patos1"; From 827b2c3d0f1b5c6cc3cabffc4a811a35b456ddf9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 4 Jun 2025 09:59:41 +0200 Subject: [PATCH 13/25] feat: start using systemd from main line --- pkgs/image/default.nix | 17 ++++++++++------- pkgs/rootfs/mkrootfs.nix | 5 +++-- pkgs/systemd/default.nix | 10 +++++++--- 3 files changed, 20 insertions(+), 12 deletions(-) diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix index 05d9c72..86c3708 100644 --- a/pkgs/image/default.nix +++ b/pkgs/image/default.nix 
@@ -30,7 +30,7 @@ runCommand pname { SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking"; }; - kernelCmdLine = "console=ttyS0 patos.secureboot=${secureBoot}"; + kernelCmdLine = "systemd.journald.forward_to_console=1 console=ttyS0 patos.secureboot=${secureBoot}"; } '' mkdir -p $out/init.repart.d $out/final.repart.d @@ -141,6 +141,7 @@ cat <<EOF > init.repart.d/10-root.conf Type=root Format=erofs Minimize=best +AddValidateFS=false CopyFiles=/rootfs:/ Verity=data VerityMatchKey=root @@ -152,6 +153,7 @@ cat <<EOF > init.repart.d/20-root-verity.conf Type=root-verity Verity=hash VerityMatchKey=root +AddValidateFS=false Minimize=best SplitName=verity EOF @@ -162,11 +164,13 @@ ${patosPkgs.systemd}/usr/bin/systemd-repart \ --no-pager \ --empty=create \ --size=auto \ - --definitions=./init.repart.d \ + --definitions=$out/init.repart.d \ --split=true \ --json=pretty \ --root=$out \ - patos_$version.raw > init-repart-output.json && rm -f patos_$version.raw + patos_$version.raw > init-repart-output.json + +rm -f patos_$version.raw roothash=$(jq -r '.[0].roothash' init-repart-output.json) rootPart=$(jq -r '.[0].split_path' init-repart-output.json) @@ -217,14 +221,14 @@ Type=esp Format=vfat SizeMinBytes=128M SizeMaxBytes=128M -CopyFiles=/rootfs/boot:/ +CopyFiles=$out/rootfs/boot:/ EOF cat <<EOF > final.repart.d/20-root.conf [Partition] Type=root Label=root-${version} -CopyBlocks=/$rootPart +CopyBlocks=$out/$rootPart UUID=$rootUuid SizeMinBytes=64M SizeMaxBytes=64M @@ -235,7 +239,7 @@ cat <<EOF > final.repart.d/22-root-verity.conf [Partition] Type=root-verity Label=verity-${version} -CopyBlocks=/$verityPart +CopyBlocks=$out/$verityPart UUID=$verityUuid ReadOnly=1 EOF @@ -246,7 +250,6 @@ ${patosPkgs.systemd}/usr/bin/systemd-repart \ --empty=create \ --size=auto \ --definitions=./final.repart.d \ - --root=$out \ patos_${version}.img > final-repart-output.json rm -rf rootfs init.repart.d final.repart.d *.json 
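Review bot: `AddValidateFS=false` is added to both `init.repart.d/10-root.conf` and `20-root-verity.conf` without a comment saying why; since it switches off a check systemd would otherwise add to the partition, record the reason (presumably the erofs root cannot carry it — confirm) as a `# ... because ...` line in each heredoc. The kernel command line in the first hunk now carries `systemd.journald.forward_to_console=1`, which mirrors the whole journal onto the serial console; that is useful while bringing up the mainline systemd, but on a shipped image it exposes log content to anyone with console access, so consider gating it the way `patos.secureboot=${secureBoot}` already is. The init definitions switch to absolute `$out/...` paths in `--definitions=`, `CopyFiles=` and `CopyBlocks=`, while the final `systemd-repart` call still uses `--definitions=./final.repart.d`; pick one form so the two invocations read consistently.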
diff --git a/pkgs/rootfs/mkrootfs.nix b/pkgs/rootfs/mkrootfs.nix index bda4c7d..bdc0ba1 100644 --- a/pkgs/rootfs/mkrootfs.nix +++ b/pkgs/rootfs/mkrootfs.nix @@ -35,7 +35,6 @@ find $out -type d -exec chmod 755 {} \; rm -rf $out/usr/include rm -rf $out/usr/sbin ln -sf /usr/bin $out/usr/sbin -rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service # enable in ramdisk instead rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-repart.service rm -f $out/usr/lib/systemd/system/initrd-root-fs.target.wants/systemd-repart.service @@ -206,7 +205,9 @@ chmod 600 $out/etc/shadow rm -rf creds # Ephemeral machine-id until registration -ln -sf /run/machine-id $out/etc/machine-id +# ln -sf /run/machine-id $out/etc/machine-id +# FIXME: above line does not work in systemd > 257 +${patosPkgs.systemd}/usr/bin/systemd-machine-id-setup --root=$out ### Find and install all shared libs find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \ diff --git a/pkgs/systemd/default.nix b/pkgs/systemd/default.nix index fea417a..dfe506c 100644 --- a/pkgs/systemd/default.nix +++ b/pkgs/systemd/default.nix @@ -7,7 +7,7 @@ ... }: let - version = "257.6"; + version = "devel"; # Use the command below to update `releaseTimestamp` on every (major) version # change. More details in the commentary at mesonFlags. @@ -26,8 +26,8 @@ stdenv.mkDerivation (finalAttrs: { src = fetchFromGitHub { owner = "systemd"; repo = "systemd"; - rev = "v${version}"; - hash = "sha256-mn/JB/nrOz2TOobu2d+XBH2dVH3vn/HPvWN4Zz6s+SM="; + rev = "959d7f1759d67994e3bed7b9d2f23e063475a872"; # main + hash = "sha256-IxGg0t/0GEllU4EPHqY2bwMDYwrQ5KWyE2QhwhTxqGs="; }; patches = [ ./skip-verify-esp.patch ]; 
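Review bot: `systemd-machine-id-setup --root=$out` in the `@@ -206,7 +205,9` hunk generates a machine-id at build time and bakes it into the rootfs, so every device installed from this image shares one identity (machine-id seeds `sd_id128_get_machine_app_specific` IDs and journal naming and is widely used as a host identifier), and because the value is random the build is no longer reproducible; the replaced `/run/machine-id` symlink at least kept it per boot. systemd treats an `/etc/machine-id` whose content is the word `uninitialized` as a first-boot marker and generates a fresh ID on each machine, so `echo uninitialized > $out/etc/machine-id` gives the intended behaviour without the FIXME. Please also replace the two commented lines with a note stating why the symlink broke with systemd > 257 rather than leaving the old command in place.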
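Review bot: `version = "devel";` in the `@@ -7,7 +7,7` hunk of pkgs/systemd/default.nix drops the only human-readable indication of which upstream release the pinned commit sits on; nixpkgs' convention for snapshots is `<last release>-unstable-<YYYY-MM-DD>`, e.g. `version = "257.6-unstable-2025-06-04";` (date is a constructed example), which keeps version comparisons meaningful for anything that embeds it. The comment two lines below says `releaseTimestamp` must be refreshed on every (major) version change, and moving from a 257.x tag to a main-branch commit is such a change, yet the hunk leaves it untouched. Pinning `rev` to a full commit hash with a verified `hash` is the right thing; just say in the `# main` comment what the commit was chosen for.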
@@ -137,6 +137,10 @@ stdenv.mkDerivation (finalAttrs: { '' substituteInPlace meson.build \ --replace "find_program('clang'" "find_program('${stdenv.cc.targetPrefix}clang'" + '' + + '' + substituteInPlace src/test/meson.build \ + --replace "test_env.set('SYSTEMD_LANGUAGE_FALLBACK_MAP', language_fallback_map)" "" '' + '' substituteInPlace src/ukify/ukify.py \ From 6361308cd0c7b968afde4524c9e0fedefcf7dee8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Mon, 9 Jun 2025 12:35:50 +0200 Subject: [PATCH 14/25] chore: nix flake update and kernel upgrade --- flake.lock | 6 +++--- pkgs/kernel/default.nix | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index bac1c51..e0246ab 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1747542820, - "narHash": "sha256-GaOZntlJ6gPPbbkTLjbd8BMWaDYafhuuYRNrxCGnPJw=", + "lastModified": 1749285348, + "narHash": "sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "292fa7d4f6519c074f0a50394dbbe69859bb6043", + "rev": "3e3afe5174c561dee0df6f2c2b2236990146329f", "type": "github" }, "original": { diff --git a/pkgs/kernel/default.nix b/pkgs/kernel/default.nix index 06c14cd..69edc22 100644 --- a/pkgs/kernel/default.nix +++ b/pkgs/kernel/default.nix @@ -1,7 +1,7 @@ { pkgs }: let - version = "6.14.9"; - hash = "sha256-OQzd4DJxmSWghCcnAZfvVdtOkMCdRU6cNVQVcpLJ82E="; + version = "6.15.1"; + hash = "sha256-RPG7hP5RLnuv4ObchdOOwcbI/L6XzLUdjBmTC3mfDWQ="; in (pkgs.callPackage ./manual-config.nix { }) { version = "${version}-patos1"; From e85353bc3532bc5fbe01c292204cc633c22a2f1c Mon Sep 17 00:00:00 2001 
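Review bot: the new `substituteInPlace src/test/meson.build --replace ...` uses `--replace`, which silently succeeds when the pattern is absent — exactly the failure mode to expect when tracking a moving `main` branch; use `--replace-fail` so the build stops when upstream's `test_env.set(...)` line changes instead of silently reintroducing the dependency. A one-line comment stating why the `SYSTEMD_LANGUAGE_FALLBACK_MAP` line has to be removed would help the next person bumping `rev`. The enclosing `postPatch` string starts outside the hunk.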
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 11 Jun 2025 11:07:55 +0200 Subject: [PATCH 15/25] chore: better compression for sysext images --- flake.nix | 54 +++++++++++++++++---------------------------- lib/make-sysext.nix | 22 +++++++++++++++++- 2 files changed, 41 insertions(+), 35 deletions(-) diff --git a/flake.nix b/flake.nix index 3567477..cfbd77c 100644 --- a/flake.nix +++ b/flake.nix 
@@ -46,45 +46,31 @@ name = "debug-tools"; version = "0.0.1"; packages = [ - { drv = pkgs.curl; path = "bin/curl"; } - { drv = pkgs.bash; path = "bin/bash"; } + { drv = pkgs.curl; path = "bin/"; } + { drv = pkgs.bash; path = "bin/"; } + { drv = pkgs.keyutils; path = "bin/"; } + { drv = pkgs.gnutar; path = "bin/"; } + { drv = pkgs.strace; path = "bin/"; } + { drv = pkgs.cryptsetup; path = "bin/"; } + { drv = pkgs.erofs-utils; path = "bin/"; } + { drv = pkgs.binutils-unwrapped; path = "bin/"; } + { drv = pkgs.binutils-unwrapped.lib; path = "lib/"; } + { drv = pkgs.util-linuxMinimal; path = "bin/"; } + { drv = pkgs.util-linuxMinimal.mount; path = "bin/"; } + { drv = pkgs.util-linuxMinimal.login; path = "bin/"; } + { drv = pkgs.util-linuxMinimal.swap; path = "bin/"; } { drv = patosPkgs.glibc; path = "bin/ldd"; } - { drv = pkgs.util-linux; path = "bin/sfdisk"; } - { drv = pkgs.readline.out; path = "lib/libreadline.so.8.2"; } - { drv = pkgs.readline.out; path = "lib/libreadline.so.8"; } - { drv = pkgs.readline.out; path = "lib/libhistory.so.8.2"; } - { drv = pkgs.readline.out; path = "lib/libhistory.so.8"; } - { drv = pkgs.ncurses.out; path = "/lib/libncursesw.so.6.5"; } - { drv = pkgs.ncurses.out; path = "/lib/libncursesw.so.6"; } - { drv = pkgs.keyutils; path = "bin/keyctl"; } - { drv = pkgs.gnutar; path = "bin/tar"; } - { drv = pkgs.binutils-unwrapped; path = "bin/strings"; } - { drv = pkgs.strace; path = "bin/strace"; } { drv = patosPkgs.tpm2-tools; path = "bin/tpm2"; } { drv = patosPkgs.openssl; path = "bin/openssl"; } - { drv = pkgs.cryptsetup; path = "bin/cryptsetup"; } - { drv = pkgs.cryptsetup; path = "bin/veritysetup"; } - { drv = pkgs.erofs-utils; path = "bin/mkfs.erofs"; } - # shared lib required for cryptsetup - { drv = pkgs.popt; path = "lib/libpopt.so.0.0.2"; } - { drv = pkgs.popt; path = "lib/libpopt.so.0"; } - { drv = pkgs.popt; path = "lib/libpopt.so"; } # shared lib required for mkfs.erofs - { drv = pkgs.lz4.lib; path = "lib/liblz4.so.1.10.0"; } - { drv 
= pkgs.lz4.lib; path = "lib/liblz4.so.1"; } - { drv = pkgs.lz4.lib; path = "lib/liblz4.so"; } - # shared lib required for binutils - { drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1.0.0"; } - { drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1"; } - { drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd-2.44.so"; } - { drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd.so"; } + { drv = pkgs.lz4.lib; path = "lib/"; } + # shared lib required for cryptsetup + { drv = pkgs.popt; path = "lib/"; } # shared lib required for strace - { drv = pkgs.elfutils.out; path = "lib/libdw-0.192.so"; } - { drv = pkgs.elfutils.out; path = "lib/libdw.so.1"; } - { drv = pkgs.elfutils.out; path = "lib/libdw.so"; } - { drv = pkgs.elfutils.out; path = "lib/libelf-0.192.so"; } - { drv = pkgs.elfutils.out; path = "lib/libelf.so.1"; } - { drv = pkgs.elfutils.out; path = "lib/libelf.so"; } + { drv = pkgs.elfutils.out; path = "lib/"; } + # shared lib required for bash + { drv = pkgs.readline.out; path = "lib/"; } + { drv = pkgs.ncurses.out; path = "lib/"; } ]; }; }; diff --git a/lib/make-sysext.nix b/lib/make-sysext.nix index 6de1e63..59b04cf 100644 --- a/lib/make-sysext.nix +++ b/lib/make-sysext.nix @@ -46,6 +46,7 @@ runCommand name } '' + set -ex -o pipefail do_copy () { local prefix="$1" local drv="$2" @@ -60,6 +61,25 @@ runCommand name destdir="$(dirname -- "$destfile")" mkdir -pv "$destdir" + + # recursively copy if ending with / + if [[ "$destfile" =~ /$ ]]; then + basedir="$(dirname -- "$destfile")" + chmod -R 755 "$basedir" + # remove if exists + for f in $srcfile/*; do + basename="$(basename -- "$f")" + rm -f "$destfile/$basename" + done + cp -rPv "$srcfile" "$basedir" + chmod -R 755 "$basedir" + for f in $destfile/*; do + patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 $f || true + patchelf --set-rpath /usr/lib $f || true + done + return + fi + cp -Pv "$srcfile" "$destfile" chmod 755 "$destfile" 
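Review bot: the new directory-copy branch in `do_copy` (lib/make-sysext.nix, `@@ -60,6 +61,25`) hard-codes `/lib/ld-linux-x86-64.so.2` as the interpreter, which the `|| true` will silently leave dangling on every aarch64 binary once the series' later cross-compile patch lands; the `|| true` also hides genuine patchelf failures, and `chmod -R 755 "$basedir"` marks every file under the extension's `usr/` tree (libraries, data) executable. The rewrite below takes the interpreter from a variable to be supplied per target platform, makes only directories 755 and files writable, skips symlinks, and applies each patchelf operation only where the file actually has the corresponding section so real errors surface. `do_copy` starts outside the hunk.
```bash
      # recursively copy if ending with /
      if [[ "$destfile" =~ /$ ]]; then
        basedir="$(dirname -- "$destfile")"
        for f in "$srcfile"/*; do
          rm -rf "$destfile/$(basename -- "$f")"
        done
        cp -rPv "$srcfile" "$basedir"
        # directories must be traversable/writable for later copies;
        # files only need +w for patchelf, not a blanket executable bit
        find "$basedir" -type d -exec chmod 755 {} \;
        find "$destfile" -type f -exec chmod u+w {} \;
        for f in "$destfile"/*; do
          [[ -f "$f" && ! -L "$f" ]] || continue
          # shared objects have no PT_INTERP: only patch where one exists
          if patchelf --print-interpreter "$f" >/dev/null 2>&1; then
            patchelf --set-interpreter "$interpreter" "$f"   # $interpreter: placeholder, set per host platform
          fi
          # non-ELF files (scripts) have nothing to patch; real errors now abort
          if patchelf --print-rpath "$f" >/dev/null 2>&1; then
            patchelf --set-rpath /usr/lib "$f"
          fi
        done
        return
      fi
      # … unchanged: single-file copy …
```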
@@ -79,7 +99,7 @@ runCommand name pushd $out find tree -type d -exec chmod 0755 {} \; - mkfs.erofs --all-root $name.raw tree/ + mkfs.erofs -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking --all-root $name.raw tree/ veritysetup format --root-hash-file $name.roothash $name.raw $name.verity # TODO: pcks7 signature # openssl smime -sign -nocerts -noattr -binary -in ${name}.roothash \ From 6f84c2c41d18546ff0d62efa1d6e10f2ef671b27 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 11 Jun 2025 15:27:09 +0200 Subject: [PATCH 16/25] feat: add firewall tools as sysext --- flake.nix | 22 ++++++++++++++++++++++ lib/make-sysext.nix | 2 +- 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index cfbd77c..2655ff0 100644 --- a/flake.nix +++ b/flake.nix @@ -42,6 +42,28 @@ qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { }; + firewall-sysext = pkgs.callPackage ./lib/make-sysext.nix { + name = "firewall-tools"; + version = "0.0.1"; + packages = [ + # network/firewalling + { drv = pkgs.iproute2; path = "bin/"; } + { drv = pkgs.nftables; path = "bin/"; } + { drv = pkgs.wireguard-tools; path = "bin/.wg-wrapped"; destpath = "bin/wg"; } + # deps + { drv = pkgs.nftables; path = "lib/"; } + { drv = pkgs.libnftnl; path = "lib/"; } + { drv = pkgs.iptables; path = "lib/"; } + { drv = pkgs.libgcc.lib; path = "lib/"; } + { drv = pkgs.libgcc; path = "lib/"; } + { drv = pkgs.libmnl; path = "lib/"; } + { drv = pkgs.gmp; path = "lib/"; } + { drv = pkgs.jansson.out; path = "lib/"; } + { drv = pkgs.ncurses.out; path = "lib/"; } + { drv = pkgs.libedit; path = "lib/"; } + ]; + }; + debug-tools-sysext = pkgs.callPackage ./lib/make-sysext.nix { name = "debug-tools"; version = "0.0.1"; diff --git a/lib/make-sysext.nix b/lib/make-sysext.nix index 59b04cf..70ed570 100644 --- a/lib/make-sysext.nix +++ b/lib/make-sysext.nix 
@@ -69,7 +69,7 @@ runCommand name # remove if exists for f in $srcfile/*; do basename="$(basename -- "$f")" - rm -f "$destfile/$basename" + rm -rf "$destfile/$basename" done cp -rPv "$srcfile" "$basedir" chmod -R 755 "$basedir" From 34c83b7c3b178091078253b7ef580b7255eef441 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 11 Jun 2025 22:24:38 +0200 Subject: [PATCH 17/25] fix(kexec-tools): build using autoconf --- pkgs/kexec-tools/default.nix | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/pkgs/kexec-tools/default.nix b/pkgs/kexec-tools/default.nix index 7454821..b83a6a6 100644 --- a/pkgs/kexec-tools/default.nix +++ b/pkgs/kexec-tools/default.nix @@ -4,6 +4,7 @@ buildPackages, fetchFromGitHub, autoconf, + autoreconfHook, zlib, }: @@ -27,20 +28,27 @@ stdenv.mkDerivation { "pie" ]; - buildCommand = '' - unpackPhase - mkdir -p $out - cd source - ./bootstrap - ./configure --prefix=/ - make DESTDIR=$out install + preAutoreconf = "./bootstrap"; + + configurePlatforms = [ + "build" + "host" + ]; + + configureFlags = [ "BUILD_CC=${buildPackages.stdenv.cc.targetPrefix}cc" "--prefix=/"]; + depsBuildBuild = [ buildPackages.stdenv.cc ]; + + installPhase = '' + make DESTDIR=$out install ''; - depsBuildBuild = [ buildPackages.stdenv.cc ]; + nativeBuildInputs = [ + autoconf + autoreconfHook + ]; buildInputs = [ zlib - autoconf ]; enableParallelBuilding = true; From bd002f2d25aacfe61eec16f4a9ca42ede60f06f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 11 Jun 2025 22:24:38 +0200 Subject: [PATCH 18/25] fix: explict use nativeBuildInputs --- pkgs/rootfs/mkrootfs.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/rootfs/mkrootfs.nix b/pkgs/rootfs/mkrootfs.nix index bdc0ba1..4818478 100644 --- a/pkgs/rootfs/mkrootfs.nix +++ b/pkgs/rootfs/mkrootfs.nix 
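Review bot: Widening `rm -f` to `rm -rf` turns the recursive copy into a silent last-writer-wins at directory granularity: when two entries both provide `lib/` and share a subdirectory (say `lib/pkgconfig` or `lib/udev`), everything the earlier package put there is deleted before the later one is copied, and nothing is logged. Since `$drv` is in scope from `do_copy`'s arguments above the hunk, the overwrite should at least be visible: `[ -e "$destfile/$basename" ] && echo "do_copy: $drv replaces $destfile/$basename" >&2`. A `shopt -s nullglob` before the loop would also avoid the literal `*` entry when `$srcfile` happens to be empty. The enclosing `do_copy` function starts and ends outside this hunk.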
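Review bot: The new `installPhase` omits `runHook preInstall` / `runHook postInstall`, so hooks contributed by `nativeBuildInputs` and any later `postInstall` are skipped silently; the conventional body is `runHook preInstall`, `make DESTDIR=$out install`, `runHook postInstall`. `autoconf` in `nativeBuildInputs` is redundant once `autoreconfHook` is present. `BUILD_CC=…` is passed as a `./configure` argument, which only takes effect if kexec-tools' configure honours `VAR=value` arguments; presumably it does, but a short comment would help, since a misspelled variable would fall back to the host compiler for the purgatory build without any error. The derivation's attribute set begins above this hunk.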
@@ -12,7 +12,9 @@ runCommand "patos-rootfs" { inherit version; - buildInputs = with pkgs;[ + nativeBuildInputs = with pkgs; [ + stdenv.cc + patchelf glibc binutils ]; @@ -222,7 +224,7 @@ find $out -type f -executable -exec patchelf --set-interpreter /lib/ld-linux-x86 patchelf --remove-rpath $out/usr/lib/ld-linux-x86-64.so.2 # strip binaries -find $out -type f -executable -exec strip {} \; +find $out -type f -executable -exec $STRIP {} \; find $out -type d -exec chmod 755 {} \; # install kernel modules From 760c8fe6370e2399abacf66920800ac567b4dc7f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 11 Jun 2025 22:24:38 +0200 Subject: [PATCH 19/25] feat: support cross compile to aarch64 --- flake.nix | 56 +++++++++++++++++++++++++--------------- pkgs/image/default.nix | 19 +++++++------- pkgs/rootfs/mkinitrd.nix | 3 +-- pkgs/rootfs/mkrootfs.nix | 39 ++++++++++++++-------------- 4 files changed, 65 insertions(+), 52 deletions(-) diff --git a/flake.nix b/flake.nix index 2655ff0..776919f 100644 --- a/flake.nix +++ b/flake.nix 
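Review bot: `glibc` and `binutils` in `nativeBuildInputs` are build-platform tools, and the `ldd` from that glibc is what the "Find and install all shared libs" step further down runs over the files in `$out`; `ldd` works by invoking a matching dynamic loader, so in the aarch64 cross build this series adds it should report "not a dynamic executable" for every target ELF and the dependency scan would silently copy nothing. I would either fail when that scan yields an empty list or switch to a loader-independent check that works on foreign ELFs (`patchelf --print-needed`, or `$OBJDUMP -p | grep NEEDED` if stdenv exports it). The `runCommand` attribute set this hunk edits continues below.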
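Review bot: `find $out -type f -executable -exec $STRIP {} \;` applies strip to every executable file rather than only ELF objects, and `find` does not propagate a non-zero exit from `-exec`, so both the expected failures on shell scripts and any real failure on an ELF vanish from the build log. `$STRIP` is unquoted, which works for the single-word value stdenv sets but splits if anyone exports flags through it; `"$STRIP"` costs nothing. Narrowing the selection, e.g. `find $out -type f -executable -exec sh -c 'head -c4 "$1" | grep -q ELF' _ {} \; -exec "$STRIP" {} \;`, keeps the log meaningful. The script continues on both sides of the hunk.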
@@ -15,30 +15,44 @@ flake-utils.lib.eachDefaultSystem ( system: let - pkgs = import nixpkgs { inherit system; }; - patosPkgs = self.packages.${system}; version = "0.0.1"; secureBoot = "false"; cpuArch = "intel"; updateUrl = "http://10.0.2.2:8000/"; + + overlay = final: prev: { + patos = prev.lib.makeScope prev.newScope (self: { + kernel = final.callPackage ./pkgs/kernel { }; + glibc = final.callPackage ./pkgs/glibc { }; + busybox = final.callPackage ./pkgs/busybox { }; + openssl = final.callPackage ./pkgs/openssl { }; + kexec = final.callPackage ./pkgs/kexec-tools { }; + lvm2 = final.callPackage ./pkgs/lvm2 { }; + tpm2-tools = final.callPackage ./pkgs/tpm2-tools { }; + tpm2-tss = final.callPackage ./pkgs/tpm2-tss { }; + systemd = final.callPackage ./pkgs/systemd { }; + dbus-broker = final.callPackage ./pkgs/dbus-broker { }; + + rootfs = final.callPackage ./pkgs/rootfs/mkrootfs.nix { inherit version; }; + initrd = final.callPackage ./pkgs/rootfs/mkinitrd.nix { inherit version; }; + }); + }; + + pkgs = import nixpkgs { inherit system; overlays = [ overlay ]; }; + pkgsCross = import nixpkgs { + inherit system; + overlays = [ overlay ]; + crossSystem = { + config = "aarch64-unknown-linux-gnu"; + }; + }; in { packages = { - default = patosPkgs.image; - image = pkgs.callPackage ./pkgs/image { inherit patosPkgs version updateUrl cpuArch secureBoot; }; - rootfs = pkgs.callPackage ./pkgs/rootfs/mkrootfs.nix { inherit patosPkgs version; }; - initrd = pkgs.callPackage ./pkgs/rootfs/mkinitrd.nix { inherit patosPkgs version; }; - kernel = pkgs.callPackage ./pkgs/kernel { }; - glibc = pkgs.callPackage ./pkgs/glibc { }; - busybox = pkgs.callPackage ./pkgs/busybox { }; - openssl = pkgs.callPackage ./pkgs/openssl { }; - cert = pkgs.callPackage ./pkgs/cert { }; - kexec = pkgs.callPackage ./pkgs/kexec-tools { }; - lvm2 = pkgs.callPackage ./pkgs/lvm2 { }; - tpm2-tools = pkgs.callPackage ./pkgs/tpm2-tools { inherit patosPkgs; }; - tpm2-tss = pkgs.callPackage ./pkgs/tpm2-tss { }; - 
systemd = pkgs.callPackage ./pkgs/systemd { }; - dbus-broker = pkgs.callPackage ./pkgs/dbus-broker { }; + default = self.packages.${system}.image; + + image = pkgs.callPackage ./pkgs/image { inherit version updateUrl cpuArch secureBoot; }; + image-aarch64 = pkgsCross.callPackage ./pkgs/image { inherit version updateUrl cpuArch secureBoot; }; qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { }; @@ -81,9 +95,9 @@ { drv = pkgs.util-linuxMinimal.mount; path = "bin/"; } { drv = pkgs.util-linuxMinimal.login; path = "bin/"; } { drv = pkgs.util-linuxMinimal.swap; path = "bin/"; } - { drv = patosPkgs.glibc; path = "bin/ldd"; } - { drv = patosPkgs.tpm2-tools; path = "bin/tpm2"; } - { drv = patosPkgs.openssl; path = "bin/openssl"; } + { drv = pkgs.patos.glibc; path = "bin/ldd"; } + { drv = pkgs.patos.tpm2-tools; path = "bin/tpm2"; } + { drv = pkgs.patos.openssl; path = "bin/openssl"; } # shared lib required for mkfs.erofs { drv = pkgs.lz4.lib; path = "lib/"; } # shared lib required for cryptsetup @@ -111,7 +125,7 @@ just nixd nixfmt-rfc-style - patosPkgs.qemu-uefi-tpm + self.packages.${system}.qemu-uefi-tpm ]; }; diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix index 86c3708..d9205f3 100644 --- a/pkgs/image/default.nix +++ b/pkgs/image/default.nix @@ -1,7 +1,6 @@ { lib, pkgs, - patosPkgs, version, runCommand, updateUrl, @@ -37,13 +36,13 @@ mkdir -p $out/init.repart.d $out/final.repart.d pushd $out mkdir rootfs -cp -prP ${patosPkgs.rootfs}/* rootfs/ +cp -prP ${pkgs.patos.rootfs}/* rootfs/ find rootfs/ -type d -exec chmod 755 {} \; # package kernel modules as sysext (will reduce the image size a little bit (~3MB)) mkdir rootfs/etc/extensions rm -rf rootfs/usr/lib/modules -cp ${patosPkgs.kernel}/patos-kernel-modules* rootfs/etc/extensions/ +cp ${pkgs.patos.kernel}/patos-kernel-modules* rootfs/etc/extensions/ # set default target to multi-user ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target 
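Review bot: Inside `prev.lib.makeScope` every package is built with `final.callPackage` instead of `self.callPackage`, so argument resolution always goes to nixpkgs and never to the scope (the `self` parameter is unused); the hunk also drops `{ inherit patosPkgs; }` from `tpm2-tools`, so if `./pkgs/tpm2-tools` takes a `tpm2-tss` argument it is now linked against nixpkgs' `tpm2-tss` while the rootfs installs `pkgs.patos.tpm2-tss`'s libraries, a mismatch that only surfaces at runtime. Using `self.callPackage` throughout (`kernel = self.callPackage ./pkgs/kernel { };` and so on) makes scope packages win and keeps `overrideScope` usable. `updateUrl = "http://10.0.2.2:8000/"` is unchanged context, but a `# dev only: plain HTTP, no update signing` comment would keep it from being copied into a real configuration. The `let` block begins above the hunk.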
@@ -160,7 +159,7 @@ EOF #TODO: Add verity signature partition -${patosPkgs.systemd}/usr/bin/systemd-repart \ +${pkgs.patos.systemd}/usr/bin/systemd-repart \ --no-pager \ --empty=create \ --size=auto \ @@ -182,16 +181,16 @@ verityUuid=$(jq -r '.[1].uuid' init-repart-output.json) ln -sf patos_$version.verity.raw patos_${version}_$verityUuid.verity ln -sf patos_$version.root.raw patos_${version}_$rootUuid.root -${patosPkgs.systemd}/usr/bin/ukify build \ - --linux ${patosPkgs.kernel}/bzImage \ - --initrd ${patosPkgs.initrd}/initrd.xz \ +${pkgs.patos.systemd}/usr/bin/ukify build \ + --linux ${pkgs.patos.kernel}/bzImage \ + --initrd ${pkgs.patos.initrd}/initrd.xz \ $microcode \ --os-release @rootfs/etc/os-release \ --cmdline "$kernelCmdLine roothash=$roothash" \ -o patos_${version}.efi # install ESP -SYSTEMD_RELAX_ESP_CHECKS=1 ${patosPkgs.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot +SYSTEMD_RELAX_ESP_CHECKS=1 ${pkgs.patos.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot # setup factory reset mkdir -p rootfs/boot/EFI/tools @@ -245,14 +244,14 @@ ReadOnly=1 EOF # finalize image ready for boot -${patosPkgs.systemd}/usr/bin/systemd-repart \ +${pkgs.patos.systemd}/usr/bin/systemd-repart \ --no-pager \ --empty=create \ --size=auto \ --definitions=./final.repart.d \ patos_${version}.img > final-repart-output.json -rm -rf rootfs init.repart.d final.repart.d *.json +rm -rf init.repart.d final.repart.d *.json sha256sum *.root *.verity *.efi *.tar.xz > SHA256SUMS popd diff --git a/pkgs/rootfs/mkinitrd.nix b/pkgs/rootfs/mkinitrd.nix index c46ed9d..cdbfe11 100644 --- a/pkgs/rootfs/mkinitrd.nix +++ b/pkgs/rootfs/mkinitrd.nix @@ -1,6 +1,5 @@ { pkgs, - patosPkgs, runCommand, ... }: @@ -21,7 +20,7 @@ mkdir -p $out/root pushd $out/root ### copy rootfs -cp -prP ${patosPkgs.rootfs}/* . +cp -prP ${pkgs.patos.rootfs}/* . find . -type d -exec chmod 755 {} \; mkdir sysroot 
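Review bot: The last hunk drops `rootfs` from the final `rm -rf`, so the fully unpacked root tree (including `etc/shadow` and the kernel modules) is now left in `$out` beside the image artifacts; nothing in the commit message explains the change and it inflates the output considerably. If it is meant for debugging, a comment saying so would help; otherwise `rm -rf rootfs init.repart.d final.repart.d *.json` should stay as it was. The surrounding build script starts and ends outside the hunk.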
diff --git a/pkgs/rootfs/mkrootfs.nix b/pkgs/rootfs/mkrootfs.nix index 4818478..ed34662 100644 --- a/pkgs/rootfs/mkrootfs.nix +++ b/pkgs/rootfs/mkrootfs.nix @@ -1,6 +1,5 @@ { pkgs, - patosPkgs, version, runCommand, }: @@ -32,7 +31,7 @@ ln -sf /tmp $out/var/tmp ln -sf ../proc/self/mounts $out/etc/mtab ### install systemd -cp -Pr ${patosPkgs.systemd}/* $out/ +cp -Pr ${pkgs.patos.systemd}/* $out/ find $out -type d -exec chmod 755 {} \; rm -rf $out/usr/include rm -rf $out/usr/sbin 
@@ -137,33 +136,33 @@ ManagerEnvironment=PATH=/bin:/sbin:/usr/bin SYSTEMD_CRYPTTAB=/run/crypttab SYSTE EOF ### install PatOS glibc -cp -P ${patosPkgs.glibc}/lib/*.so* $out/usr/lib/ +cp -P ${pkgs.patos.glibc}/lib/*.so* $out/usr/lib/ ### install openssl -cp -P ${patosPkgs.openssl}/lib/*.so* $out/usr/lib/ -cp -Pr ${patosPkgs.openssl}/etc/ssl $out/etc/ +cp -P ${pkgs.patos.openssl}/lib/*.so* $out/usr/lib/ +cp -Pr ${pkgs.patos.openssl}/etc/ssl $out/etc/ ### install busybox -cp ${patosPkgs.busybox}/bin/busybox $out/usr/bin/ +cp ${pkgs.patos.busybox}/bin/busybox $out/usr/bin/ $out/usr/bin/busybox --list | xargs -I {} ln -sf busybox $out/usr/bin/{} ### install dbus broker -cp -r ${patosPkgs.dbus-broker}/* $out/ +cp -r ${pkgs.patos.dbus-broker}/* $out/ ### install kexec -cp -Pr ${patosPkgs.kexec}/sbin/kexec $out/usr/bin/ +cp -Pr ${pkgs.patos.kexec}/sbin/kexec $out/usr/bin/ ### install dmsetup udev rules -cp -P ${patosPkgs.lvm2}/usr/bin/dmsetup $out/usr/bin/ -cp -P ${patosPkgs.lvm2}/lib/libdevmapper.so* $out/usr/lib/ -cp -P ${patosPkgs.lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/ +cp -P ${pkgs.patos.lvm2}/usr/bin/dmsetup $out/usr/bin/ +cp -P ${pkgs.patos.lvm2}/lib/libdevmapper.so* $out/usr/lib/ +cp -P ${pkgs.patos.lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/ ### install btrfs progs cp -Pr ${pkgs.btrfs-progs}/bin/* $out/usr/bin/ cp -Pr ${pkgs.btrfs-progs}/lib/* $out/usr/lib/ ### install tpm2 libs -cp -P ${patosPkgs.tpm2-tss}/lib/*.so* $out/usr/lib/ +cp -P ${pkgs.patos.tpm2-tss}/lib/*.so* $out/usr/lib/ ### install lib kmod cp -P ${pkgs.kmod.lib}/lib/*.so* $out/usr/lib/ 
@@ -194,22 +193,22 @@ ln -sf ../cert.pem $out/etc/ssl/certs/ca-bundle.crt rm -rf $out/usr/lib/pkgconfig # setup default files -${patosPkgs.systemd}/usr/bin/systemd-hwdb --root=$out --usr update -${patosPkgs.systemd}/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf --create +${pkgs.patos.systemd}/usr/bin/systemd-hwdb --root=$out --usr update +${pkgs.patos.systemd}/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf --create cp $out/usr/share/factory/etc/nsswitch.conf $out/etc/ cp $out/usr/share/factory/etc/locale.conf $out/etc/ cp $out/usr/share/factory/etc/vconsole.conf $out/etc/ # install sys users mkdir creds echo -n ${defaultPassword} > creds/passwd.plaintext-password.root -CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' ${patosPkgs.systemd}/usr/bin/systemd-sysusers --root=$out rootfs/usr/lib/sysusers.d/*.conf +CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' ${pkgs.patos.systemd}/usr/bin/systemd-sysusers --root=$out rootfs/usr/lib/sysusers.d/*.conf chmod 600 $out/etc/shadow rm -rf creds # Ephemeral machine-id until registration # ln -sf /run/machine-id $out/etc/machine-id # FIXME: above line does not work in systemd > 257 -${patosPkgs.systemd}/usr/bin/systemd-machine-id-setup --root=$out +${pkgs.patos.systemd}/usr/bin/systemd-machine-id-setup --root=$out ### Find and install all shared libs find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \ 
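Review bot: `echo -n ${defaultPassword} > creds/passwd.plaintext-password.root` interpolates the root password straight into the builder script, so it sits in plaintext in the `.drv` and the resulting hash in `$out/etc/shadow` lives in the world-readable Nix store whatever the `chmod 600` says; anyone with access to the build host or a binary cache can read both. The interpolation is also unquoted, so a password containing spaces or glob characters would be mangled before hashing. If a default credential is really required, write it with `printf '%s' ${pkgs.lib.escapeShellArg defaultPassword} > creds/passwd.plaintext-password.root`, prefer yescrypt (`SYSTEMD_CRYPT_PREFIX='$y$'`) if the target libcrypt supports it, and document that the image must rotate the password on first boot. `systemd-sysusers` is pointed at `rootfs/usr/lib/sysusers.d/*.conf`, a path relative to the build directory, while everything else here uses `$out`; unless a `rootfs` symlink is created earlier in the script that should presumably be `$out/usr/lib/sysusers.d/*.conf`.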
@@ -219,15 +218,17 @@ find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \ find $out -type f -executable -exec chmod 755 {} \; # patch ELFs +interpreter=$(patchelf --print-interpreter $out/usr/bin/busybox) +ldLinux=$(basename $interpreter) find $out -type f -executable -exec patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd:/usr/lib/cryptsetup {} \; -find $out -type f -executable -exec patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 {} \; -patchelf --remove-rpath $out/usr/lib/ld-linux-x86-64.so.2 +find $out -type f -executable -exec patchelf --set-interpreter /lib/$ldLinux {} \; +patchelf --remove-rpath $out/usr/lib/$ldLinux # strip binaries find $out -type f -executable -exec $STRIP {} \; find $out -type d -exec chmod 755 {} \; # install kernel modules -cp -r ${patosPkgs.kernel}/lib/modules $out/usr/lib/ +cp -r ${pkgs.patos.kernel}/lib/modules $out/usr/lib/ find $out/usr/lib/modules -type d -exec chmod 755 {} \; '' From d745cbe1c2c31c803b07676735eb8dcc0b688477 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Thu, 12 Jun 2025 16:50:07 +0200 Subject: [PATCH 20/25] fix: aarch64 builds needs nativeBuildInputs --- flake.nix | 2 +- pkgs/image/default.nix | 4 ++-- pkgs/rootfs/mkinitrd.nix | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.nix b/flake.nix index 776919f..496393c 100644 --- a/flake.nix +++ b/flake.nix @@ -52,7 +52,7 @@ default = self.packages.${system}.image; image = pkgs.callPackage ./pkgs/image { inherit version updateUrl cpuArch secureBoot; }; - image-aarch64 = pkgsCross.callPackage ./pkgs/image { inherit version updateUrl cpuArch secureBoot; }; + image-aarch64 = pkgsCross.callPackage ./pkgs/image { inherit version updateUrl secureBoot; }; qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { }; diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix index d9205f3..6af3c14 100644 --- a/pkgs/image/default.nix +++ b/pkgs/image/default.nix 
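Review bot: Deriving the loader name from busybox fixes this file, but `lib/make-sysext.nix` (patched earlier in this series) still hard-codes `/lib/ld-linux-x86-64.so.2` in its `patchelf --set-interpreter` loop, so `firewall-tools` and `debug-tools` built through `pkgsCross` would carry an x86-64 interpreter on an aarch64 root; the same `patchelf --print-interpreter` trick, or passing the loader name into make-sysext, closes that gap. `$interpreter` and `$ldLinux` are unquoted and the derivation assumes busybox is dynamically linked; if a static busybox ever slips in, `--print-interpreter` fails and the build stops with an opaque message, so `[ -n "$ldLinux" ] || { echo "busybox has no PT_INTERP" >&2; exit 1; }` would document the assumption. The `find … -exec patchelf --set-interpreter` still targets every executable file, so errors on scripts and shared objects remain as silent as before. The script continues above this hunk.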
@@ -16,7 +16,7 @@ runCommand pname { microcode = lib.optionalString (cpuArch == "amd") "--microcode ${pkgs.microcode-amd}/amd-ucode.img" + lib.optionalString (cpuArch == "intel") "--microcode ${pkgs.microcode-intel}/intel-ucode.img"; - buildInputs = with pkgs; [ + nativeBuildInputs = with pkgs; [ erofs-utils dosfstools mtools @@ -251,7 +251,7 @@ ${pkgs.patos.systemd}/usr/bin/systemd-repart \ --definitions=./final.repart.d \ patos_${version}.img > final-repart-output.json -rm -rf init.repart.d final.repart.d *.json +rm -rf rootfs init.repart.d final.repart.d *.json sha256sum *.root *.verity *.efi *.tar.xz > SHA256SUMS popd diff --git a/pkgs/rootfs/mkinitrd.nix b/pkgs/rootfs/mkinitrd.nix index cdbfe11..0691e7b 100644 --- a/pkgs/rootfs/mkinitrd.nix +++ b/pkgs/rootfs/mkinitrd.nix @@ -9,7 +9,7 @@ in runCommand "patos-initrd" { inherit secureBootEnroll; - buildInputs = with pkgs; [ + nativeBuildInputs = with pkgs; [ cpio xz ]; From 19c91e16ab8176a91c5f536cabe680c3ba912915 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Thu, 12 Jun 2025 19:37:01 +0200 Subject: [PATCH 21/25] chore: s/cpuArch/microcode --- flake.nix | 4 ++-- pkgs/image/default.nix | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/flake.nix b/flake.nix index 496393c..66b86c8 100644 --- a/flake.nix +++ b/flake.nix @@ -17,7 +17,7 @@ let version = "0.0.1"; secureBoot = "false"; - cpuArch = "intel"; + microcode = "intel"; updateUrl = "http://10.0.2.2:8000/"; overlay = final: prev: { @@ -51,7 +51,7 @@ packages = { default = self.packages.${system}.image; - image = pkgs.callPackage ./pkgs/image { inherit version updateUrl cpuArch secureBoot; }; + image = pkgs.callPackage ./pkgs/image { inherit version updateUrl microcode secureBoot; }; image-aarch64 = pkgsCross.callPackage ./pkgs/image { inherit version updateUrl secureBoot; }; qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { }; 
diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix index 6af3c14..863c795 100644 --- a/pkgs/image/default.nix +++ b/pkgs/image/default.nix @@ -4,17 +4,17 @@ version, runCommand, updateUrl, - cpuArch ? "", + microcode ? "", secureBoot ? "false" }: let pname = "patos-image"; in runCommand pname { - inherit version cpuArch updateUrl secureBoot; + inherit version microcode updateUrl secureBoot; - microcode = lib.optionalString (cpuArch == "amd") "--microcode ${pkgs.microcode-amd}/amd-ucode.img" - + lib.optionalString (cpuArch == "intel") "--microcode ${pkgs.microcode-intel}/intel-ucode.img"; + mcode = lib.optionalString (microcode == "amd") "--microcode ${pkgs.microcode-amd}/amd-ucode.img" + + lib.optionalString (microcode == "intel") "--microcode ${pkgs.microcode-intel}/intel-ucode.img"; nativeBuildInputs = with pkgs; [ erofs-utils @@ -184,7 +184,7 @@ ln -sf patos_$version.root.raw patos_${version}_$rootUuid.root ${pkgs.patos.systemd}/usr/bin/ukify build \ --linux ${pkgs.patos.kernel}/bzImage \ --initrd ${pkgs.patos.initrd}/initrd.xz \ - $microcode \ + $mcode \ --os-release @rootfs/etc/os-release \ --cmdline "$kernelCmdLine roothash=$roothash" \ -o patos_${version}.efi From 49c09d772dba5a7b487610f6856bf1fd0575a989 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Thu, 12 Jun 2025 21:48:08 +0200 Subject: [PATCH 22/25] chore: update kernel --- pkgs/kernel/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/kernel/default.nix b/pkgs/kernel/default.nix index 69edc22..2a86881 100644 --- a/pkgs/kernel/default.nix +++ b/pkgs/kernel/default.nix @@ -1,7 +1,7 @@ { pkgs }: let - version = "6.15.1"; - hash = "sha256-RPG7hP5RLnuv4ObchdOOwcbI/L6XzLUdjBmTC3mfDWQ="; + version = "6.15.2"; + hash = "sha256-NFjNamxQjhYdvFQG5yuZ1dvfkp+vcEpn25ukbQdRSFg="; in (pkgs.callPackage ./manual-config.nix { }) { version = "${version}-patos1"; From f856983210b5901357f3e21a407034c101936be6 Mon Sep 17 00:00:00 2001 
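Review bot: `mcode` silently becomes empty for any `microcode` value other than `"amd"`/`"intel"`, so a typo in the flake quietly ships a UKI without CPU microcode — a mitigation regression rather than a build error. A guard before `runCommand pname`, `assert lib.assertOneOf "microcode" microcode [ "" "amd" "intel" ];`, turns that into an evaluation error (`lib` is already an argument of this file). `secureBoot ? "false"` remains a string compared by value; a Nix boolean converted with `lib.boolToString` where the shell needs it would avoid `"False"`/`"no"` surprises. The kernel hunk below is a plain version/hash bump.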
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Fri, 13 Jun 2025 08:16:49 +0200 Subject: [PATCH 23/25] chore: move overlay to own file --- flake.nix | 19 +------------------ overlays/default.nix | 21 +++++++++++++++++++++ 2 files changed, 22 insertions(+), 18 deletions(-) create mode 100644 overlays/default.nix diff --git a/flake.nix b/flake.nix index 66b86c8..58a8aab 100644 --- a/flake.nix +++ b/flake.nix @@ -20,24 +20,7 @@ microcode = "intel"; updateUrl = "http://10.0.2.2:8000/"; - overlay = final: prev: { - patos = prev.lib.makeScope prev.newScope (self: { - kernel = final.callPackage ./pkgs/kernel { }; - glibc = final.callPackage ./pkgs/glibc { }; - busybox = final.callPackage ./pkgs/busybox { }; - openssl = final.callPackage ./pkgs/openssl { }; - kexec = final.callPackage ./pkgs/kexec-tools { }; - lvm2 = final.callPackage ./pkgs/lvm2 { }; - tpm2-tools = final.callPackage ./pkgs/tpm2-tools { }; - tpm2-tss = final.callPackage ./pkgs/tpm2-tss { }; - systemd = final.callPackage ./pkgs/systemd { }; - dbus-broker = final.callPackage ./pkgs/dbus-broker { }; - - rootfs = final.callPackage ./pkgs/rootfs/mkrootfs.nix { inherit version; }; - initrd = final.callPackage ./pkgs/rootfs/mkinitrd.nix { inherit version; }; - }); - }; - + overlay = import ./overlays { version = version; }; pkgs = import nixpkgs { inherit system; overlays = [ overlay ]; }; pkgsCross = import nixpkgs { inherit system; diff --git a/overlays/default.nix b/overlays/default.nix new file mode 100644 index 0000000..2c2cdce --- /dev/null +++ b/overlays/default.nix 
@@ -0,0 +1,21 @@ +{ + version +}: + +final: prev: { + patos = prev.lib.makeScope prev.newScope (self: { + kernel = final.callPackage ../pkgs/kernel { }; + glibc = final.callPackage ../pkgs/glibc { }; + busybox = final.callPackage ../pkgs/busybox { }; + openssl = final.callPackage ../pkgs/openssl { }; + kexec = final.callPackage ../pkgs/kexec-tools { }; + lvm2 = final.callPackage ../pkgs/lvm2 { }; + tpm2-tools = final.callPackage ../pkgs/tpm2-tools { }; + tpm2-tss = final.callPackage ../pkgs/tpm2-tss { }; + systemd = final.callPackage ../pkgs/systemd { }; + dbus-broker = final.callPackage ../pkgs/dbus-broker { }; + + rootfs = final.callPackage ../pkgs/rootfs/mkrootfs.nix { inherit version; }; + initrd = final.callPackage ../pkgs/rootfs/mkinitrd.nix { inherit version; }; + }); +} From 52a38d60c0ee8e0cc8855a39f6796882f76972a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Fri, 13 Jun 2025 08:33:09 +0200 Subject: [PATCH 24/25] chore(flake): use inherit --- flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 58a8aab..690b1ab 100644 --- a/flake.nix +++ b/flake.nix @@ -20,7 +20,7 @@ microcode = "intel"; updateUrl = "http://10.0.2.2:8000/"; - overlay = import ./overlays { version = version; }; + overlay = import ./overlays { inherit version; }; pkgs = import nixpkgs { inherit system; overlays = [ overlay ]; }; pkgsCross = import nixpkgs { inherit system; From 217ff2d4a84cf34c8d31f57b2ab18340a8948a43 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Fri, 13 Jun 2025 10:26:57 +0200 Subject: [PATCH 25/25] chore: add qemu script to launch aarch64 image --- flake.nix | 1 + utils/qemu-aarch64-uefi-tpm.nix | 54 +++++++++++++++++++++++++++++++++ 2 files changed, 55 insertions(+) create mode 100644 utils/qemu-aarch64-uefi-tpm.nix diff --git a/flake.nix b/flake.nix index 690b1ab..884349e 100644 --- a/flake.nix +++ b/flake.nix 
@@ -38,6 +38,7 @@ image-aarch64 = pkgsCross.callPackage ./pkgs/image { inherit version updateUrl secureBoot; }; qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { }; + qemu-aarch64-uefi-tpm = pkgs.callPackage ./utils/qemu-aarch64-uefi-tpm.nix { }; firewall-sysext = pkgs.callPackage ./lib/make-sysext.nix { name = "firewall-tools"; diff --git a/utils/qemu-aarch64-uefi-tpm.nix b/utils/qemu-aarch64-uefi-tpm.nix new file mode 100644 index 0000000..87c9d69 --- /dev/null +++ b/utils/qemu-aarch64-uefi-tpm.nix @@ -0,0 +1,54 @@ +{ + pkgs, + ... +}: +pkgs.writeShellApplication { + name = "qemu-aarch64-uefi-tpm"; + + runtimeInputs = with pkgs; [ + qemu + swtpm + ]; + + text = + let + tpmOVMF = pkgs.OVMF.override { + tpmSupport = true; + secureBoot = true; + }; + in + '' + set -ex + state="/tmp/patos-qemu-$USER" + rm -rf "$state" + mkdir -m 700 "$state" + qemu-img create -f qcow2 -F raw -b "$(readlink -e "$1")" "$state/disk.qcow2" 2G + + OVMF_FD=$(nix-build '<nixpkgs>' --no-out-link -A OVMF.fd --system aarch64-linux) + cp "$OVMF_FD/AAVMF/vars-template-pflash.raw" "$state/vars-pflash.raw" + chmod u+w "$state/vars-pflash.raw" + + # swtpm socket -d --tpmstate dir="$state" \ + # --ctrl type=unixio,path="$state/swtpm-sock" \ + # --tpm2 \ + # --log file="$state/swtpm.log",level=20 + + qemu-system-aarch64 \ + -machine virt,gic-version=max \ + -cpu max \ + -smp 8 \ + -m 4G \ + -display none \ + -serial stdio \ + -drive "if=pflash,format=raw,unit=0,readonly=on,file=$OVMF_FD/AAVMF/QEMU_EFI-pflash.raw" \ + -drive "if=pflash,format=raw,unit=1,file=$state/vars-pflash.raw" \ + -device virtio-scsi-pci \ + -device virtio-gpu-pci \ + -device virtio-net-pci,netdev=wan \ + -netdev user,id=wan \ + -device virtio-rng-pci,rng=rng0 \ + -object rng-random,filename=/dev/urandom,id=rng0 \ + -device virtio-serial-pci \ + -drive "format=qcow2,file=$state/disk.qcow2" + ''; +}
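Review bot: `tpmOVMF` is computed in the `let` but never used; the script instead fetches firmware at run time with `nix-build '<nixpkgs>' … --system aarch64-linux`, which pulls whatever `<nixpkgs>` is on the user's `NIX_PATH` rather than the flake's pinned input and needs an aarch64 builder or binfmt emulation on the host. Referencing the firmware at build time, e.g. `OVMF_FD=${pkgs.pkgsCross.aarch64-multiplatform.OVMF.fd}`, keeps it pinned and removes the runtime `nix-build`. The `swtpm` block is commented out and no `-tpmdev`/`tpm-tis-device` is passed to QEMU, so despite its name this launcher boots without a TPM; either restore the swtpm lines together with `-chardev socket,id=chrtpm,path=$state/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0`, or rename the script. `rm -rf "$state"` on the fixed path `/tmp/patos-qemu-$USER` is safer as `state=$(mktemp -d -t patos-qemu.XXXXXX)` with a `trap` that removes it on exit. The hunk is the whole file.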