diff --git a/flake.lock b/flake.lock
index e0246ab..85be38f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -20,11 +20,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1749285348,
- "narHash": "sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU=",
+ "lastModified": 1739020877,
+ "narHash": "sha256-mIvECo/NNdJJ/bXjNqIh8yeoSjVLAuDuTUzAo7dzs8Y=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "3e3afe5174c561dee0df6f2c2b2236990146329f",
+ "rev": "a79cfe0ebd24952b580b1cf08cd906354996d547",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 884349e..9e92cc8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -15,82 +15,67 @@ flake-utils.lib.eachDefaultSystem ( system: let + pkgs = import nixpkgs { inherit system; }; + patosPkgs = self.packages.${system}; version = "0.0.1"; - secureBoot = "false"; - microcode = "intel"; updateUrl = "http://10.0.2.2:8000/"; - - overlay = import ./overlays { inherit version; }; - pkgs = import nixpkgs { inherit system; overlays = [ overlay ]; }; - pkgsCross = import nixpkgs { - inherit system; - overlays = [ overlay ]; - crossSystem = { - config = "aarch64-unknown-linux-gnu"; - }; - }; in { packages = { - default = self.packages.${system}.image; - - image = pkgs.callPackage ./pkgs/image { inherit version updateUrl microcode secureBoot; }; - image-aarch64 = pkgsCross.callPackage ./pkgs/image { inherit version updateUrl secureBoot; }; + default = patosPkgs.image; + image = pkgs.callPackage ./pkgs/image { inherit patosPkgs version updateUrl; }; + rootfs = pkgs.callPackage ./pkgs/rootfs/mkrootfs.nix { inherit patosPkgs version; }; + initrd = pkgs.callPackage ./pkgs/rootfs/mkinitrd.nix { inherit patosPkgs version; }; + kernel = pkgs.callPackage ./pkgs/kernel { }; + glibc = pkgs.callPackage ./pkgs/glibc { }; + busybox = pkgs.callPackage ./pkgs/busybox { }; + openssl = pkgs.callPackage ./pkgs/openssl { }; + cert = pkgs.callPackage ./pkgs/cert { }; + kexec = pkgs.callPackage ./pkgs/kexec-tools { }; + lvm2 = pkgs.callPackage ./pkgs/lvm2 { }; + tpm2-tools = pkgs.callPackage ./pkgs/tpm2-tools { inherit patosPkgs; }; + tpm2-tss = pkgs.callPackage ./pkgs/tpm2-tss { }; + systemd = pkgs.callPackage ./pkgs/systemd { }; + dbus-broker = pkgs.callPackage ./pkgs/dbus-broker { }; qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { }; - qemu-aarch64-uefi-tpm = pkgs.callPackage ./utils/qemu-aarch64-uefi-tpm.nix { }; - - firewall-sysext = pkgs.callPackage ./lib/make-sysext.nix { - name = "firewall-tools"; - version = "0.0.1"; - packages = [ - # network/firewalling - { drv = pkgs.iproute2; path = "bin/"; } - { drv = pkgs.nftables; path = "bin/"; } - { 
drv = pkgs.wireguard-tools; path = "bin/.wg-wrapped"; destpath = "bin/wg"; } - # deps - { drv = pkgs.nftables; path = "lib/"; } - { drv = pkgs.libnftnl; path = "lib/"; } - { drv = pkgs.iptables; path = "lib/"; } - { drv = pkgs.libgcc.lib; path = "lib/"; } - { drv = pkgs.libgcc; path = "lib/"; } - { drv = pkgs.libmnl; path = "lib/"; } - { drv = pkgs.gmp; path = "lib/"; } - { drv = pkgs.jansson.out; path = "lib/"; } - { drv = pkgs.ncurses.out; path = "lib/"; } - { drv = pkgs.libedit; path = "lib/"; } - ]; - }; debug-tools-sysext = pkgs.callPackage ./lib/make-sysext.nix { name = "debug-tools"; version = "0.0.1"; packages = [ - { drv = pkgs.curl; path = "bin/"; } - { drv = pkgs.bash; path = "bin/"; } - { drv = pkgs.keyutils; path = "bin/"; } - { drv = pkgs.gnutar; path = "bin/"; } - { drv = pkgs.strace; path = "bin/"; } - { drv = pkgs.cryptsetup; path = "bin/"; } - { drv = pkgs.erofs-utils; path = "bin/"; } - { drv = pkgs.binutils-unwrapped; path = "bin/"; } - { drv = pkgs.binutils-unwrapped.lib; path = "lib/"; } - { drv = pkgs.util-linuxMinimal; path = "bin/"; } - { drv = pkgs.util-linuxMinimal.mount; path = "bin/"; } - { drv = pkgs.util-linuxMinimal.login; path = "bin/"; } - { drv = pkgs.util-linuxMinimal.swap; path = "bin/"; } - { drv = pkgs.patos.glibc; path = "bin/ldd"; } - { drv = pkgs.patos.tpm2-tools; path = "bin/tpm2"; } - { drv = pkgs.patos.openssl; path = "bin/openssl"; } - # shared lib required for mkfs.erofs - { drv = pkgs.lz4.lib; path = "lib/"; } + { drv = pkgs.curl; path = "bin/curl"; } + { drv = pkgs.bash; path = "bin/bash"; } + { drv = patosPkgs.glibc; path = "bin/ldd"; } + { drv = pkgs.keyutils; path = "bin/keyctl"; } + { drv = pkgs.gnutar; path = "bin/tar"; } + { drv = pkgs.binutils-unwrapped; path = "bin/strings"; } + { drv = pkgs.strace; path = "bin/strace"; } + { drv = patosPkgs.tpm2-tools; path = "bin/tpm2"; } + { drv = patosPkgs.openssl; path = "bin/openssl"; } + { drv = pkgs.cryptsetup; path = "bin/cryptsetup"; } + { drv = pkgs.cryptsetup; 
path = "bin/veritysetup"; } + { drv = pkgs.erofs-utils; path = "bin/mkfs.erofs"; } # shared lib required for cryptsetup - { drv = pkgs.popt; path = "lib/"; } + { drv = pkgs.popt; path = "lib/libpopt.so.0.0.2"; } + { drv = pkgs.popt; path = "lib/libpopt.so.0"; } + { drv = pkgs.popt; path = "lib/libpopt.so"; } + # shared lib required for mkfs.erofs + { drv = pkgs.lz4.lib; path = "lib/liblz4.so.1.10.0"; } + { drv = pkgs.lz4.lib; path = "lib/liblz4.so.1"; } + { drv = pkgs.lz4.lib; path = "lib/liblz4.so"; } + # shared lib required for binutils + { drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1.0.0"; } + { drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1"; } + { drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd-2.43.1.so"; } + { drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd.so"; } # shared lib required for strace - { drv = pkgs.elfutils.out; path = "lib/"; } - # shared lib required for bash - { drv = pkgs.readline.out; path = "lib/"; } - { drv = pkgs.ncurses.out; path = "lib/"; } + { drv = pkgs.elfutils.out; path = "lib/libdw-0.192.so"; } + { drv = pkgs.elfutils.out; path = "lib/libdw.so.1"; } + { drv = pkgs.elfutils.out; path = "lib/libdw.so"; } + { drv = pkgs.elfutils.out; path = "lib/libelf-0.192.so"; } + { drv = pkgs.elfutils.out; path = "lib/libelf.so.1"; } + { drv = pkgs.elfutils.out; path = "lib/libelf.so"; } ]; }; }; @@ -109,7 +94,7 @@ just nixd nixfmt-rfc-style - self.packages.${system}.qemu-uefi-tpm + patosPkgs.qemu-uefi-tpm ]; }; diff --git a/lib/make-sysext.nix b/lib/make-sysext.nix index 70ed570..6de1e63 100644 --- a/lib/make-sysext.nix +++ b/lib/make-sysext.nix @@ -46,7 +46,6 @@ runCommand name } '' - set -ex -o pipefail do_copy () { local prefix="$1" local drv="$2" 
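Review bot: The debug-tools sysext now names shared objects by their exact upstream version (`lib/libbfd-2.43.1.so`, `lib/libdw-0.192.so`, `lib/libelf-0.192.so`, `lib/liblz4.so.1.10.0`, `lib/libpopt.so.0.0.2`), which silently couples this flake to the single nixpkgs revision in flake.lock; the next nixpkgs bump will fail inside make-sysext's `cp` of the first renamed file, with no hint here about why. Derive the real names from the packages instead, e.g. `lib/libdw-${pkgs.elfutils.version}.so` and `lib/libelf-${pkgs.elfutils.version}.so`, or at minimum add a comment above the list naming the nixpkgs rev these filenames were taken from. `updateUrl = "http://10.0.2.2:8000/"` is the QEMU user-network host alias over cleartext HTTP; it is fine for local testing, but a comment such as `# dev-only: QEMU host alias, plain HTTP, no update verification` would stop it from being promoted into a real image unchanged.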
@@ -61,25 +60,6 @@ runCommand name destdir="$(dirname -- "$destfile")" mkdir -pv "$destdir" - - # recursively copy if ending with / - if [[ "$destfile" =~ /$ ]]; then - basedir="$(dirname -- "$destfile")" - chmod -R 755 "$basedir" - # remove if exists - for f in $srcfile/*; do - basename="$(basename -- "$f")" - rm -rf "$destfile/$basename" - done - cp -rPv "$srcfile" "$basedir" - chmod -R 755 "$basedir" - for f in $destfile/*; do - patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 $f || true - patchelf --set-rpath /usr/lib $f || true - done - return - fi - cp -Pv "$srcfile" "$destfile" chmod 755 "$destfile" @@ -99,7 +79,7 @@ runCommand name pushd $out find tree -type d -exec chmod 0755 {} \; - mkfs.erofs -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking --all-root $name.raw tree/ + mkfs.erofs --all-root $name.raw tree/ veritysetup format --root-hash-file $name.roothash $name.raw $name.verity # TODO: pcks7 signature # openssl smime -sign -nocerts -noattr -binary -in ${name}.roothash \ diff --git a/overlays/default.nix b/overlays/default.nix deleted file mode 100644 index 2c2cdce..0000000 --- a/overlays/default.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ - version -}: - -final: prev: { - patos = prev.lib.makeScope prev.newScope (self: { - kernel = final.callPackage ../pkgs/kernel { }; - glibc = final.callPackage ../pkgs/glibc { }; - busybox = final.callPackage ../pkgs/busybox { }; - openssl = final.callPackage ../pkgs/openssl { }; - kexec = final.callPackage ../pkgs/kexec-tools { }; - lvm2 = final.callPackage ../pkgs/lvm2 { }; - tpm2-tools = final.callPackage ../pkgs/tpm2-tools { }; - tpm2-tss = final.callPackage ../pkgs/tpm2-tss { }; - systemd = final.callPackage ../pkgs/systemd { }; - dbus-broker = final.callPackage ../pkgs/dbus-broker { }; - - rootfs = final.callPackage ../pkgs/rootfs/mkrootfs.nix { inherit version; }; - initrd = final.callPackage ../pkgs/rootfs/mkinitrd.nix { inherit version; }; - }); -} 
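Review bot: `veritysetup format --root-hash-file $name.roothash $name.raw $name.verity` is called without `--salt`, so veritysetup picks a random salt and the root hash (and therefore the `.verity` sidecar) differs on every build, which defeats Nix reproducibility of the extension; pass a fixed salt, e.g. `veritysetup format --salt=$(printf '%064d' 0) --hash sha256 --root-hash-file $name.roothash $name.raw $name.verity`, or derive it from the tree's content hash. With the PKCS#7 signing still a TODO, the verity data only detects corruption, not substitution: anyone who can replace `$name.raw` can regenerate `.verity` and `.roothash` too, so until `${name}.roothash.p7s` exists the images should be documented as unsigned and only usable under an image policy that tolerates that. The bare `mkfs.erofs --all-root` also drops the `-zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking` options the image build still passes via SYSTEMD_REPART_MKFS_OPTIONS_EROFS, so extensions are now uncompressed; if that is intentional, say so in a comment.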
diff --git a/pkgs/busybox/default.nix b/pkgs/busybox/default.nix index 6f22641..e318d8a 100644 --- a/pkgs/busybox/default.nix +++ b/pkgs/busybox/default.nix @@ -1,7 +1,6 @@ { stdenv, lib, - pkgs, buildPackages, fetchurl, fetchpatch, @@ -58,12 +57,15 @@ in stdenv.mkDerivation rec { pname = "busybox"; - version = pkgs.busybox.version; + version = "1.36.1"; # Note to whoever is updating busybox: please verify that: # nix-build pkgs/stdenv/linux/make-bootstrap-tools.nix -A test # still builds after the update. - src = pkgs.busybox.src; + src = fetchurl { + url = "https://busybox.net/downloads/${pname}-${version}.tar.bz2"; + sha256 = "sha256-uMwkyVdNgJ5yecO+NJeVxdXOtv3xnKcJ+AzeUOR94xQ="; + }; hardeningDisable = [ "format" diff --git a/pkgs/dbus-broker/default.nix b/pkgs/dbus-broker/default.nix index 0002d9c..809f3ce 100644 --- a/pkgs/dbus-broker/default.nix +++ b/pkgs/dbus-broker/default.nix @@ -100,9 +100,14 @@ in stdenv.mkDerivation (finalAttrs: { pname = "dbus-broker"; - version = pkgs.dbus-broker.version; + version = "36"; - src = pkgs.dbus-broker.src; + src = fetchFromGitHub { + owner = "bus1"; + repo = "dbus-broker"; + rev = "v${finalAttrs.version}"; + hash = "sha256-5dAMKjybqrHG57vArbtWEPR/svSj2ION75JrjvnnpVM="; + }; nativeBuildInputs = with pkgs; [ docutils diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix index 863c795..7407df1 100644 --- a/pkgs/image/default.nix +++ b/pkgs/image/default.nix 
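Review bot: The comment `# Note to whoever is updating busybox: please verify that: nix-build pkgs/stdenv/linux/make-bootstrap-tools.nix -A test still builds` was carried over from nixpkgs and refers to a path that does not exist in this repository, so it now misleads the next person bumping the pin; replace it with what matters here, e.g. `# Pinned independently of nixpkgs: bump version and sha256 together; mkrootfs copies this binary and symlinks its applets.` Pinning `1.36.1` by tarball hash is sound for integrity, but it also detaches busybox from the security bumps that `pkgs.busybox.version` used to track automatically, so record the date of the pin and who is responsible for watching upstream advisories.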
@@ -1,258 +1,286 @@ { lib, pkgs, + patosPkgs, version, runCommand, updateUrl, - microcode ? "", - secureBoot ? "false" }: let pname = "patos-image"; -in -runCommand pname { - inherit version microcode updateUrl secureBoot; - mcode = lib.optionalString (microcode == "amd") "--microcode ${pkgs.microcode-amd}/amd-ucode.img" - + lib.optionalString (microcode == "intel") "--microcode ${pkgs.microcode-intel}/intel-ucode.img"; + writeConf = + name: attrs: + pkgs.writeTextFile { + name = name; + text = lib.generators.toINI { + mkKeyValue = lib.generators.mkKeyValueDefault { + mkValueString = + v: + if v == true then + ''"yes"'' + else if v == false then + ''"no"'' + else if lib.isString v then + ''"${v}"'' + else + lib.generators.mkValueStringDefault { } v; + } "="; + } attrs; + }; - nativeBuildInputs = with pkgs; [ - erofs-utils - dosfstools - mtools - jq - ]; + secureBootImportKeys = writeConf "secure-boot-import-keys.service" { + Unit = { + Description = "Import Secure Boot keys"; + DefaultDependencies = false; + RequiresMountsFor = "/var/lib/sbctl /boot"; + ConditionPathExists = "/boot/sbctl/keys"; + After = "local-fs.target"; + }; - env = { - # vfat options won't efi won't find the fs otherwise. 
- SYSTEMD_REPART_MKFS_OPTIONS_VFAT = "-S 512 -c"; - SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking"; + Service = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStart = "sbctl import-keys -d /boot/sbctl/keys"; + ExecStartPost = "rm -rf /boot/sbctl"; + }; }; - kernelCmdLine = "systemd.journald.forward_to_console=1 console=ttyS0 patos.secureboot=${secureBoot}"; -} -'' -mkdir -p $out/init.repart.d $out/final.repart.d -pushd $out + ukiTransfer = writeConf "10-uki.transfer" { + Source = { + Path = updateUrl; + MatchPattern = "patos_@v.efi"; + Type = "url-file"; + }; -mkdir rootfs -cp -prP ${pkgs.patos.rootfs}/* rootfs/ -find rootfs/ -type d -exec chmod 755 {} \; + Target = { + InstancesMax = 2; + MatchPattern = "patos_@v+@l-@d.efi patos_@v+@l.efi patos_@v.efi"; + Mode = "0444"; + Path = "/EFI/Linux"; + PathRelativeTo = "esp"; + TriesDone = 0; + TriesLeft = 3; + Type = "regular-file"; + }; -# package kernel modules as sysext (will reduce the image size a little bit (~3MB)) -mkdir rootfs/etc/extensions -rm -rf rootfs/usr/lib/modules -cp ${pkgs.patos.kernel}/patos-kernel-modules* rootfs/etc/extensions/ + Transfer = { + Verify = false; + }; + }; -# set default target to multi-user -ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target + rootVerityTransfer = writeConf "22-root-verity.transfer" { + Source = { + Type = "url-file"; + Path = updateUrl; + MatchPattern = "patos_@v_@u.verity"; + }; -# enable dbus -ln -sf ../dbus.service rootfs/usr/lib/systemd/system/multi-user.target.wants/dbus.service -ln -sf ../dbus.socket rootfs/usr/lib/systemd/system/sockets.target.wants/dbus.socket + Target = { + Type = "partition"; + Path = "auto"; + MatchPattern = "verity-@v"; + MatchPartitionType = "root-verity"; + ReadOnly = "1"; + }; -# enable network services -ln -sf ../systemd-networkd.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-networkd.service -ln -sf ../systemd-resolved.service 
rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-resolved.service -ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.target.wants/systemd-timesyncd.service -# enable default network config -mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/systemd/network/89-ethernet.network + Transfer = { + Verify = false; + }; + }; -# enable confext/sysext services -ln -sf ../systemd-confext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-confext.service -ln -sf ../systemd-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-sysext.service + rootTransfer = writeConf "22-root.transfer" { + Source = { + Type = "url-file"; + Path = updateUrl; + MatchPattern = "patos_@v_@u.root"; + }; -cat <<EOF > rootfs/usr/lib/systemd/system/secure-boot-import-keys.service -[Unit] -Description=Import Secure Boot keys -DefaultDependencies=no -RequiresMountsFor=/var/lib/sbctl /boot -ConditionPathExists=/boot/sbctl/keys -After=local-fs.target + Target = { + Type = "partition"; + Path = "auto"; + MatchPattern = "root-@v"; + MatchPartitionType = "root"; + ReadOnly = 1; + }; + Transfer = { + Verify = false; + }; + }; +in +runCommand pname + { + inherit version; + inherit updateUrl; -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=sbctl import-keys -d /boot/sbctl/keys -ExecStartPost=rm -rf /boot/sbctl -EOF -ln -sf ../secure-boot-import-keys.service rootfs/usr/lib/systemd/system/sysinit.target.wants/secure-boot-import-keys.service + buildInputs = with pkgs; [ + erofs-utils + dosfstools + mtools + jq + ]; -# sysupdate -mkdir -p rootfs/etc/sysupdate.d -cat <<EOF > rootfs/etc/sysupdate.d/10-uki.transfer -[Source] -Path=${updateUrl} -MatchPattern=patos_@v.efi -Type=url-file + env = { + # vfat options won't efi won't find the fs otherwise. 
+ SYSTEMD_REPART_MKFS_OPTIONS_VFAT = "-S 512 -c"; + SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking"; + }; -[Target] -InstancesMax=2 -MatchPattern=patos_@v+@l-@d.efi patos_@v+@l.efi patos_@v.efi -Mode=0444 -Path=/EFI/Linux -PathRelativeTo=esp -TriesDone=0 -TriesLeft=3 -Type=regular-file + kernelCmdLine = "console=ttyS0 patos.secureboot=false"; + } + '' + mkdir -p $out/init.repart.d $out/final.repart.d + pushd $out -[Transfer] -Verify=no -EOF + mkdir rootfs + cp -prP ${patosPkgs.rootfs}/* rootfs/ + find rootfs/ -type d -exec chmod 755 {} \; -cat <<EOF > rootfs/etc/sysupdate.d/20-root-verity.transfer -[Source] -Type=url-file -Path=${updateUrl} -MatchPattern=patos_@v_@u.verity + # package kernel modules as sysext (will reduce the image size a little bit (~3MB)) + mkdir rootfs/etc/extensions + rm -rf rootfs/usr/lib/modules + cp ${patosPkgs.kernel}/patos-kernel-modules* rootfs/etc/extensions/ -[Target] -Type=partition -Path=auto -MatchPattern=verity-@v -MatchPartitionType=root-verity -ReadOnly=1 + # set default target to multi-user + ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target -[Transfer] -Verify=no -EOF + # enable dbus + ln -sf ../dbus.service rootfs/usr/lib/systemd/system/multi-user.target.wants/dbus.service + ln -sf ../dbus.socket rootfs/usr/lib/systemd/system/sockets.target.wants/dbus.socket -cat <<EOF > rootfs/etc/sysupdate.d/22-root.transfer -[Source] -Type=url-file -Path=${updateUrl} -MatchPattern=patos_@v_@u.root + # enable network services + ln -sf ../systemd-networkd.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-networkd.service + ln -sf ../systemd-resolved.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-resolved.service + ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.target.wants/systemd-timesyncd.service + # enable default network config + mv rootfs/usr/lib/systemd/network/89-ethernet.network.example 
rootfs/usr/lib/systemd/network/89-ethernet.network -[Target] -Type=partition -Path=auto -MatchPattern=root-@v -MatchPartitionType=root -ReadOnly=1 + # enable confext/sysext services + ln -sf ../systemd-confext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-confext.service + ln -sf ../systemd-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-sysext.service -[Transfer] -Verify=no -EOF + cp ${secureBootImportKeys} rootfs/usr/lib/systemd/system/secure-boot-import-keys.service + ln -sf ../secure-boot-import-keys.service rootfs/usr/lib/systemd/system/sysinit.target.wants/secure-boot-import-keys.service -# Initial partitioning -cat <<EOF > init.repart.d/10-root.conf -[Partition] -Type=root -Format=erofs -Minimize=best -AddValidateFS=false -CopyFiles=/rootfs:/ -Verity=data -VerityMatchKey=root -SplitName=root -EOF + # sysupdate + mkdir -p rootfs/etc/sysupdate.d + cp ${rootTransfer} ${rootVerityTransfer} ${ukiTransfer} rootfs/etc/sysupdate.d/ -cat <<EOF > init.repart.d/20-root-verity.conf -[Partition] -Type=root-verity -Verity=hash -VerityMatchKey=root -AddValidateFS=false -Minimize=best -SplitName=verity -EOF + # Initial partitioning + cat <<EOF > init.repart.d/10-root.conf + [Partition] + Type=root + Format=erofs + Minimize=best + CopyFiles=/rootfs:/ + Verity=data + VerityMatchKey=root + SplitName=root + EOF -#TODO: Add verity signature partition + cat <<EOF > init.repart.d/20-root-verity.conf + [Partition] + Type=root-verity + Verity=hash + VerityMatchKey=root + Minimize=best + SplitName=verity + EOF -${pkgs.patos.systemd}/usr/bin/systemd-repart \ - --no-pager \ - --empty=create \ - --size=auto \ - --definitions=$out/init.repart.d \ - --split=true \ - --json=pretty \ - --root=$out \ - patos_$version.raw > init-repart-output.json + #TODO: Add verity signature partition -rm -f patos_$version.raw + ${patosPkgs.systemd}/usr/bin/systemd-repart \ + --no-pager \ + --empty=create \ + --size=auto \ + --definitions=./init.repart.d \ + 
--split=true \ + --json=pretty \ + --root=$out \ + patos_$version.raw > init-repart-output.json && rm -f patos_$version.raw -roothash=$(jq -r '.[0].roothash' init-repart-output.json) -rootPart=$(jq -r '.[0].split_path' init-repart-output.json) -rootUuid=$(jq -r '.[0].uuid' init-repart-output.json) + roothash=$(jq -r '.[0].roothash' init-repart-output.json) + rootPart=$(jq -r '.[0].split_path' init-repart-output.json) + rootUuid=$(jq -r '.[0].uuid' init-repart-output.json) -verityPart=$(jq -r '.[1].split_path' init-repart-output.json) -verityUuid=$(jq -r '.[1].uuid' init-repart-output.json) + verityPart=$(jq -r '.[1].split_path' init-repart-output.json) + verityUuid=$(jq -r '.[1].uuid' init-repart-output.json) -ln -sf patos_$version.verity.raw patos_${version}_$verityUuid.verity -ln -sf patos_$version.root.raw patos_${version}_$rootUuid.root + ln -sf patos_$version.verity.raw patos_${version}_$verityUuid.verity + ln -sf patos_$version.root.raw patos_${version}_$rootUuid.root -${pkgs.patos.systemd}/usr/bin/ukify build \ - --linux ${pkgs.patos.kernel}/bzImage \ - --initrd ${pkgs.patos.initrd}/initrd.xz \ - $mcode \ - --os-release @rootfs/etc/os-release \ - --cmdline "$kernelCmdLine roothash=$roothash" \ - -o patos_${version}.efi + ${patosPkgs.systemd}/usr/bin/ukify build \ + --linux ${patosPkgs.kernel}/bzImage \ + --initrd ${patosPkgs.initrd}/initrd.xz \ + --os-release @rootfs/etc/os-release \ + --cmdline "$kernelCmdLine roothash=$roothash" \ + -o patos_${version}.efi -# install ESP -SYSTEMD_RELAX_ESP_CHECKS=1 ${pkgs.patos.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot + # install ESP + SYSTEMD_RELAX_ESP_CHECKS=1 ${patosPkgs.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot -# setup factory reset -mkdir -p rootfs/boot/EFI/tools -cp ${pkgs.edk2-uefi-shell}/shell.efi rootfs/boot/EFI/tools/ + # setup factory reset + mkdir -p rootfs/boot/EFI/tools + cp ${pkgs.edk2-uefi-shell}/shell.efi rootfs/boot/EFI/tools/ -cat <<EOF > 
rootfs/boot/EFI/tools/factoryreset.nsh -setvar FactoryReset -guid 8cf2644b-4b0b-428f-9387-6d876050dc67 -nv -rt =%1 -reset -EOF + cat <<EOF > rootfs/boot/EFI/tools/factoryreset.nsh + setvar FactoryReset -guid 8cf2644b-4b0b-428f-9387-6d876050dc67 -nv -rt =%1 + reset + EOF -cat <<EOF > rootfs/boot/loader/entries/factoryreset.conf -title Enable Factory Reset -options -nostartup -nomap -options \EFI\tools\factoryreset.nsh L"t" -efi EFI/tools/shell.efi -EOF + cat <<EOF > rootfs/boot/loader/entries/factoryreset.conf + title Enable Factory Reset + options -nostartup -nomap + options \EFI\tools\factoryreset.nsh L"t" + efi EFI/tools/shell.efi + EOF -echo "timeout 2" > rootfs/boot/loader/loader.conf + echo "timeout 2" > rootfs/boot/loader/loader.conf -# install UKI -cp patos_${version}.efi rootfs/boot/EFI/Linux + # install UKI + cp patos_${version}.efi rootfs/boot/EFI/Linux -# Final partitioning -cat <<EOF > final.repart.d/10-esp.conf -[Partition] -Type=esp -Format=vfat -SizeMinBytes=128M -SizeMaxBytes=128M -CopyFiles=$out/rootfs/boot:/ -EOF + # Final partitioning + cat <<EOF > final.repart.d/10-esp.conf + [Partition] + Type=esp + Format=vfat + SizeMinBytes=128M + SizeMaxBytes=128M + CopyFiles=/rootfs/boot:/ + EOF -cat <<EOF > final.repart.d/20-root.conf -[Partition] -Type=root -Label=root-${version} -CopyBlocks=$out/$rootPart -UUID=$rootUuid -SizeMinBytes=64M -SizeMaxBytes=64M -ReadOnly=1 -EOF + cat <<EOF > final.repart.d/20-root.conf + [Partition] + Type=root + Label=root-${version} + CopyBlocks=/$rootPart + UUID=$rootUuid + SizeMinBytes=64M + SizeMaxBytes=64M + ReadOnly=1 + EOF -cat <<EOF > final.repart.d/22-root-verity.conf -[Partition] -Type=root-verity -Label=verity-${version} -CopyBlocks=$out/$verityPart -UUID=$verityUuid -ReadOnly=1 -EOF + cat <<EOF > final.repart.d/22-root-verity.conf + [Partition] + Type=root-verity + Label=verity-${version} + CopyBlocks=/$verityPart + UUID=$verityUuid + ReadOnly=1 + EOF -# finalize image ready for boot 
-${pkgs.patos.systemd}/usr/bin/systemd-repart \ - --no-pager \ - --empty=create \ - --size=auto \ - --definitions=./final.repart.d \ - patos_${version}.img > final-repart-output.json + # finalize image ready for boot + ${patosPkgs.systemd}/usr/bin/systemd-repart \ + --no-pager \ + --empty=create \ + --size=auto \ + --definitions=./final.repart.d \ + --root=$out \ + patos_${version}.img > final-repart-output.json -rm -rf rootfs init.repart.d final.repart.d *.json -sha256sum *.root *.verity *.efi *.tar.xz > SHA256SUMS + rm -rf rootfs init.repart.d final.repart.d *.json + sha256sum *.root *.verity *.efi *.tar.xz > SHA256SUMS -popd -'' + popd + '' diff --git a/pkgs/kernel/default.nix b/pkgs/kernel/default.nix index 2a86881..a5f24db 100644 --- a/pkgs/kernel/default.nix +++ b/pkgs/kernel/default.nix @@ -1,7 +1,7 @@ { pkgs }: let - version = "6.15.2"; - hash = "sha256-NFjNamxQjhYdvFQG5yuZ1dvfkp+vcEpn25ukbQdRSFg="; + version = "6.13.7"; + hash = "sha256-Ojm2IDi3rC9D0mofhLQoPhl4BOHoF61jfpo9h0xHgB0="; in (pkgs.callPackage ./manual-config.nix { }) { version = "${version}-patos1"; diff --git a/pkgs/kexec-tools/default.nix b/pkgs/kexec-tools/default.nix index b83a6a6..4ba15ba 100644 --- a/pkgs/kexec-tools/default.nix +++ b/pkgs/kexec-tools/default.nix @@ -4,7 +4,6 @@ buildPackages, fetchFromGitHub, autoconf, - autoreconfHook, zlib, }: @@ -15,8 +14,8 @@ stdenv.mkDerivation { src = fetchFromGitHub { owner = "horms"; repo = "kexec-tools"; - rev = "v2.0.31"; - hash = "sha256-Tgmc8mFlmzzRj7tEaBes7Udw4fRl6cSfe76iPNa3Ffs="; + rev = "a7fcd424c4c80dea5a2fd5ffa274ffeb8129c790"; + hash = "sha256-QKE+KCkueA21zNunTMidP9OuZaw0IG5tFDF4UJITTTQ="; }; dontPatchShebangs = true; 
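Review bot: `writeConf` wraps every string value in double quotes, so the generated files are not equivalent to the heredocs they replace: the unit gets `Type="oneshot"`, `RemainAfterExit="yes"` and `ExecStart="sbctl import-keys -d /boot/sbctl/keys"`, and the transfers get `Type="url-file"`, `Mode="0444"` and `Verify="no"`. systemd's config parser does not strip quotes for most settings (`Type="oneshot"` is rejected as an unknown service type, and a quoted `ExecStart=` becomes a single argv[0] containing spaces), so unless a built image has been confirmed to run this service and to pass `systemd-sysupdate list`, expect these lines to be logged as parse errors and ignored; emit bare values instead, `else if lib.isString v then v`, and `yes`/`no` without the inner escaped quotes. Two security regressions also land here and deserve an explicit comment if intentional: `ukify build` no longer passes `--microcode`, so the UKI carries no early CPU microcode update, and `kernelCmdLine` hardcodes `patos.secureboot=false` while all three transfers keep `Verify = false` against a plain-`http://` `updateUrl`, leaving UKI and root-partition update integrity entirely to the network. The two partition transfers also disagree on `ReadOnly = "1"` versus `ReadOnly = 1`, which after the quoting above produce different output.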
@@ -28,27 +27,20 @@ stdenv.mkDerivation { "pie" ]; - preAutoreconf = "./bootstrap"; - - configurePlatforms = [ - "build" - "host" - ]; - - configureFlags = [ "BUILD_CC=${buildPackages.stdenv.cc.targetPrefix}cc" "--prefix=/"]; - depsBuildBuild = [ buildPackages.stdenv.cc ]; - - installPhase = '' - make DESTDIR=$out install + buildCommand = '' + unpackPhase + mkdir -p $out + cd source + ./bootstrap + ./configure --prefix=/ + make DESTDIR=$out install ''; - nativeBuildInputs = [ - autoconf - autoreconfHook - ]; + depsBuildBuild = [ buildPackages.stdenv.cc ]; buildInputs = [ zlib + autoconf ]; enableParallelBuilding = true; diff --git a/pkgs/lvm2/default.nix b/pkgs/lvm2/default.nix index 8d18663..f211e26 100644 --- a/pkgs/lvm2/default.nix +++ b/pkgs/lvm2/default.nix @@ -1,6 +1,5 @@ { stdenv, - pkgs, fetchurl, lib, pkg-config, @@ -8,11 +7,17 @@ udev, }: -stdenv.mkDerivation { +stdenv.mkDerivation rec { pname = "lvm2"; - version = pkgs.lvm2.version; + version = "2.03.30"; - src = pkgs.lvm2.src; + src = fetchurl { + urls = [ + "https://mirrors.kernel.org/sourceware/lvm2/LVM2.${version}.tgz" + "ftp://sourceware.org/pub/lvm2/LVM2.${version}.tgz" + ]; + hash = "sha256-rXar7LjciHcz4GxEnLmt0Eo1BvnweAwSiBem4aF87AU="; + }; nativeBuildInputs = [ pkg-config diff --git a/pkgs/openssl/default.nix b/pkgs/openssl/default.nix index 08c1309..bc833cc 100644 --- a/pkgs/openssl/default.nix +++ b/pkgs/openssl/default.nix @@ -1,6 +1,5 @@ { lib, - pkgs, stdenv, fetchurl, perl, @@ -19,9 +18,13 @@ stdenv.mkDerivation rec { pname = "openssl"; - version = pkgs.openssl.version; + version = "3.4.1"; + hash = "sha256-ACotazC1i/S+pGxDvdljZar42qbEKHgqpP7uBtoZffM="; - src = pkgs.openssl.src; + src = fetchurl { + url = "https://github.com/openssl/openssl/releases/download/openssl-${version}/openssl-${version}.tar.gz"; + hash = hash; + }; outputs = [ "out" ]; diff --git a/pkgs/rootfs/mkinitrd.nix b/pkgs/rootfs/mkinitrd.nix index 0691e7b..c46ed9d 100644 --- a/pkgs/rootfs/mkinitrd.nix 
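Review bot: `autoconf` is now listed under `buildInputs`, but it is only run by `./bootstrap` inside the custom `buildCommand`, so it belongs in `nativeBuildInputs`; the previous `autoreconfHook` also provided automake, and if `bootstrap` invokes `aclocal` nothing visible here supplies it, so confirm the build actually runs rather than finding the tools by accident. Replacing the stdenv phases with a hand-written `buildCommand` skips `fixupPhase` (no strip, no RPATH shrink), which mkrootfs compensates for later; that dependency should be stated in a comment next to `buildCommand`. The source moved from the `v2.0.31` tag to a bare commit; the hash pins the content, but add `# post-2.0.31 master (<date>): <reason>` beside `rev` so the choice can be audited later.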
+++ b/pkgs/rootfs/mkinitrd.nix @@ -1,5 +1,6 @@ { pkgs, + patosPkgs, runCommand, ... }: @@ -9,7 +10,7 @@ in runCommand "patos-initrd" { inherit secureBootEnroll; - nativeBuildInputs = with pkgs; [ + buildInputs = with pkgs; [ cpio xz ]; @@ -20,7 +21,7 @@ mkdir -p $out/root pushd $out/root ### copy rootfs -cp -prP ${pkgs.patos.rootfs}/* . +cp -prP ${patosPkgs.rootfs}/* . find . -type d -exec chmod 755 {} \; mkdir sysroot diff --git a/pkgs/rootfs/mkrootfs.nix b/pkgs/rootfs/mkrootfs.nix index ed34662..235a70a 100644 --- a/pkgs/rootfs/mkrootfs.nix +++ b/pkgs/rootfs/mkrootfs.nix @@ -1,5 +1,6 @@ { pkgs, + patosPkgs, version, runCommand, }: @@ -11,9 +12,7 @@ runCommand "patos-rootfs" { inherit version; - nativeBuildInputs = with pkgs; [ - stdenv.cc - patchelf + buildInputs = with pkgs;[ glibc binutils ]; @@ -22,20 +21,20 @@ runCommand "patos-rootfs" '' ### create directory structure mkdir -p $out/etc/repart.d $out/dev $out/proc $out/sys \ - $out/tmp $out/root $out/run $out/boot $out/mnt $out/home $out/srv $out/var + $out/tmp $out/root $out/run $out/boot $out/mnt $out/home $out/srv $out/var/tmp ln -sf /usr/bin $out/bin ln -sf /usr/bin $out/sbin ln -sf /usr/lib $out/lib ln -sf /usr/lib $out/lib64 -ln -sf /tmp $out/var/tmp ln -sf ../proc/self/mounts $out/etc/mtab ### install systemd -cp -Pr ${pkgs.patos.systemd}/* $out/ +cp -Pr ${patosPkgs.systemd}/* $out/ find $out -type d -exec chmod 755 {} \; rm -rf $out/usr/include rm -rf $out/usr/sbin ln -sf /usr/bin $out/usr/sbin +rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service # enable in ramdisk instead rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-repart.service rm -f $out/usr/lib/systemd/system/initrd-root-fs.target.wants/systemd-repart.service 
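Review bot: `cpio` and `xz` are build-time tools, so moving them from `nativeBuildInputs` to `buildInputs` is the wrong direction; it only works because this same change drops cross compilation, and the identical inversion appears for `erofs-utils`/`dosfstools`/`mtools`/`jq` in pkgs/image and `glibc`/`binutils` in mkrootfs. Keep `nativeBuildInputs = with pkgs; [ cpio xz ];` so the derivation stays correct if `crossSystem` ever comes back.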
@@ -136,33 +135,33 @@ ManagerEnvironment=PATH=/bin:/sbin:/usr/bin SYSTEMD_CRYPTTAB=/run/crypttab SYSTE EOF ### install PatOS glibc -cp -P ${pkgs.patos.glibc}/lib/*.so* $out/usr/lib/ +cp -P ${patosPkgs.glibc}/lib/*.so* $out/usr/lib/ ### install openssl -cp -P ${pkgs.patos.openssl}/lib/*.so* $out/usr/lib/ -cp -Pr ${pkgs.patos.openssl}/etc/ssl $out/etc/ +cp -P ${patosPkgs.openssl}/lib/*.so* $out/usr/lib/ +cp -Pr ${patosPkgs.openssl}/etc/ssl $out/etc/ ### install busybox -cp ${pkgs.patos.busybox}/bin/busybox $out/usr/bin/ +cp ${patosPkgs.busybox}/bin/busybox $out/usr/bin/ $out/usr/bin/busybox --list | xargs -I {} ln -sf busybox $out/usr/bin/{} ### install dbus broker -cp -r ${pkgs.patos.dbus-broker}/* $out/ +cp -r ${patosPkgs.dbus-broker}/* $out/ ### install kexec -cp -Pr ${pkgs.patos.kexec}/sbin/kexec $out/usr/bin/ +cp -Pr ${patosPkgs.kexec}/sbin/kexec $out/usr/bin/ ### install dmsetup udev rules -cp -P ${pkgs.patos.lvm2}/usr/bin/dmsetup $out/usr/bin/ -cp -P ${pkgs.patos.lvm2}/lib/libdevmapper.so* $out/usr/lib/ -cp -P ${pkgs.patos.lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/ +cp -P ${patosPkgs.lvm2}/usr/bin/dmsetup $out/usr/bin/ +cp -P ${patosPkgs.lvm2}/lib/libdevmapper.so* $out/usr/lib/ +cp -P ${patosPkgs.lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/ ### install btrfs progs cp -Pr ${pkgs.btrfs-progs}/bin/* $out/usr/bin/ cp -Pr ${pkgs.btrfs-progs}/lib/* $out/usr/lib/ ### install tpm2 libs -cp -P ${pkgs.patos.tpm2-tss}/lib/*.so* $out/usr/lib/ +cp -P ${patosPkgs.tpm2-tss}/lib/*.so* $out/usr/lib/ ### install lib kmod cp -P ${pkgs.kmod.lib}/lib/*.so* $out/usr/lib/ 
@@ -193,22 +192,20 @@ ln -sf ../cert.pem $out/etc/ssl/certs/ca-bundle.crt rm -rf $out/usr/lib/pkgconfig # setup default files -${pkgs.patos.systemd}/usr/bin/systemd-hwdb --root=$out --usr update -${pkgs.patos.systemd}/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf --create +${patosPkgs.systemd}/usr/bin/systemd-hwdb --root=$out --usr update +${patosPkgs.systemd}/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf --create cp $out/usr/share/factory/etc/nsswitch.conf $out/etc/ cp $out/usr/share/factory/etc/locale.conf $out/etc/ cp $out/usr/share/factory/etc/vconsole.conf $out/etc/ # install sys users mkdir creds echo -n ${defaultPassword} > creds/passwd.plaintext-password.root -CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' ${pkgs.patos.systemd}/usr/bin/systemd-sysusers --root=$out rootfs/usr/lib/sysusers.d/*.conf +CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' ${patosPkgs.systemd}/usr/bin/systemd-sysusers --root=$out rootfs/usr/lib/sysusers.d/*.conf chmod 600 $out/etc/shadow rm -rf creds # Ephemeral machine-id until registration -# ln -sf /run/machine-id $out/etc/machine-id -# FIXME: above line does not work in systemd > 257 -${pkgs.patos.systemd}/usr/bin/systemd-machine-id-setup --root=$out +ln -sf /run/machine-id $out/etc/machine-id ### Find and install all shared libs find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \ 
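Review bot: `ln -sf /run/machine-id $out/etc/machine-id` reintroduces the form the removed FIXME said does not work on systemd > 257, and this same change pins systemd at 257.4, so verify on a booted image that `/etc/machine-id` is actually populated. machine-id(5) documents the intended mechanism for a shared read-only image: an empty file or one containing `uninitialized`, which systemd replaces at boot with a bind-mounted transient ID; `echo uninitialized > $out/etc/machine-id` sidesteps the symlink question entirely. Separately, `echo -n ${defaultPassword} > creds/passwd.plaintext-password.root` interpolates the root password into the builder script, so it is recorded in the world-readable `.drv` in the Nix store and hashed into `/etc/shadow` of every image built from it; `defaultPassword` is defined above this hunk, and unless it is a throwaway dev value it should come from a build-time credential or be set at first boot, with a comment here saying which.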
@@ -218,17 +215,15 @@ find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \ find $out -type f -executable -exec chmod 755 {} \; # patch ELFs -interpreter=$(patchelf --print-interpreter $out/usr/bin/busybox) -ldLinux=$(basename $interpreter) find $out -type f -executable -exec patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd:/usr/lib/cryptsetup {} \; -find $out -type f -executable -exec patchelf --set-interpreter /lib/$ldLinux {} \; -patchelf --remove-rpath $out/usr/lib/$ldLinux +find $out -type f -executable -exec patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 {} \; +patchelf --remove-rpath $out/usr/lib/ld-linux-x86-64.so.2 # strip binaries -find $out -type f -executable -exec $STRIP {} \; +find $out -type f -executable -exec strip {} \; find $out -type d -exec chmod 755 {} \; # install kernel modules -cp -r ${pkgs.patos.kernel}/lib/modules $out/usr/lib/ +cp -r ${patosPkgs.kernel}/lib/modules $out/usr/lib/ find $out/usr/lib/modules -type d -exec chmod 755 {} \; '' diff --git a/pkgs/systemd/default.nix b/pkgs/systemd/default.nix index dfe506c..a1cb314 100644 --- a/pkgs/systemd/default.nix +++ b/pkgs/systemd/default.nix @@ -7,7 +7,7 @@ ... }: let - version = "devel"; + version = "257.4"; # Use the command below to update `releaseTimestamp` on every (major) version # change. More details in the commentary at mesonFlags. @@ -26,8 +26,8 @@ stdenv.mkDerivation (finalAttrs: { src = fetchFromGitHub { owner = "systemd"; repo = "systemd"; - rev = "959d7f1759d67994e3bed7b9d2f23e063475a872"; # main - hash = "sha256-IxGg0t/0GEllU4EPHqY2bwMDYwrQ5KWyE2QhwhTxqGs="; + rev = "v${version}"; + hash = "sha256-6rxJUYRq785U6aik5VhQRqG+Ss67lBB6T3eQF+tkyhk="; }; patches = [ ./skip-verify-esp.patch ]; 
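Review bot: `find … -exec patchelf --set-interpreter … {} \;` and `-exec strip {} \;` discard the command's exit status (GNU find only propagates failures for the `+` form), so any executable that patchelf cannot rewrite — a shell script, or a shared object without `PT_INTERP` — is silently left with its Nix-store interpreter or RPATH and ships that way, which is exactly the class of error `set -e` is supposed to catch. The enclosing runCommand script starts outside this hunk. Hardcoding `/lib/ld-linux-x86-64.so.2` is consistent with dropping aarch64 in this change, but a comment saying the image is x86-64-only would help the next reader; the loop below makes failures fatal and skips non-ELF files explicitly.
```shell
# … unchanged: shared-lib collection …
# patch ELFs: fail the build if patchelf cannot rewrite a file instead of letting find swallow the error
find $out -type f -executable -print0 | while IFS= read -r -d '' f; do
  head -c 4 "$f" | grep -q 'ELF' || continue   # skip scripts and other non-ELF executables
  patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd:/usr/lib/cryptsetup "$f"
  if patchelf --print-interpreter "$f" >/dev/null 2>&1; then   # only files with PT_INTERP get an interpreter
    patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 "$f"
  fi
done
patchelf --remove-rpath $out/usr/lib/ld-linux-x86-64.so.2
# … unchanged: strip, chmod, kernel modules …
```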
@@ -137,10 +137,6 @@ stdenv.mkDerivation (finalAttrs: {
 ''
 substituteInPlace meson.build \
 --replace "find_program('clang'" "find_program('${stdenv.cc.targetPrefix}clang'"
- '' +
- ''
- substituteInPlace src/test/meson.build \
- --replace "test_env.set('SYSTEMD_LANGUAGE_FALLBACK_MAP', language_fallback_map)" ""
 '' +
 ''
 substituteInPlace src/ukify/ukify.py \
diff --git a/pkgs/tpm2-tools/default.nix b/pkgs/tpm2-tools/default.nix
index 4bb14c1..f447fe6 100644
--- a/pkgs/tpm2-tools/default.nix
+++ b/pkgs/tpm2-tools/default.nix
@@ -1,6 +1,5 @@
 {
 stdenv,
- pkgs,
 fetchurl,
 lib,
 pandoc,
@@ -11,17 +10,19 @@ libuuid,
 }:
-stdenv.mkDerivation {
+stdenv.mkDerivation rec {
 pname = "tpm2-tools";
- version = pkgs.tpm2-tools.version;
+ version = "5.7";
- src = pkgs.tpm2-tools.src;
+ src = fetchurl {
+ url = "https://github.com/tpm2-software/${pname}/releases/download/${version}/${pname}-${version}.tar.gz";
+ sha256 = "sha256-OBDTa1B5JW9PL3zlUuIiE9Q7EDHBMVON+KLbw8VwmDo=";
+ };
 nativeBuildInputs = [
 pandoc
 pkg-config
 ];
-
 buildInputs = [
 curl
 openssl
diff --git a/pkgs/tpm2-tss/default.nix b/pkgs/tpm2-tss/default.nix
index 5a6477a..5e23100 100644
--- a/pkgs/tpm2-tss/default.nix
+++ b/pkgs/tpm2-tss/default.nix
@@ -1,6 +1,5 @@
 {
 stdenv,
- pkgs,
 lib,
 fetchFromGitHub,
 autoreconfHook,
@@ -20,9 +19,14 @@ stdenv.mkDerivation rec {
 pname = "tpm2-tss";
- version = pkgs.tpm2-tss.version;
+ version = "4.1.3";
- src = pkgs.tpm2-tss.src;
+ src = fetchFromGitHub {
+ owner = "tpm2-software";
+ repo = pname;
+ rev = version;
+ hash = "sha256-BP28utEUI9g1VNv3lCXuiKrDtEImFQxxZfIjLiE3Wr8=";
+ };
 patches = [
 ./no-shadow.patch
diff --git a/utils/qemu-aarch64-uefi-tpm.nix b/utils/qemu-aarch64-uefi-tpm.nix
deleted file mode 100644
index 87c9d69..0000000
--- a/utils/qemu-aarch64-uefi-tpm.nix
+++ /dev/null
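Review bot: The new `src = fetchurl { ... }` in `pkgs/tpm2-tools/default.nix` (hunk `@@ -11,17 +10,19 @@`) writes its SRI hash as `sha256 = "sha256-…"`, while the parallel new `fetchFromGitHub` block in `pkgs/tpm2-tss/default.nix` (hunk `@@ -20,9 +19,14 @@`) uses `hash =`; nixpkgs' convention for SRI strings is `hash`, so `hash = "sha256-OBDTa1B5JW9PL3zlUuIiE9Q7EDHBMVON+KLbw8VwmDo=";` would make the two files consistent. Both derivations also stop reusing `pkgs.tpm2-tools.src` / `pkgs.tpm2-tss.src` from nixpkgs, so their versions are now tracked by hand here; a short comment above each `version` recording where updates come from, and that tpm2-tools 5.7 is being paired with tpm2-tss 4.1.3, would help the next bump. Both `stdenv.mkDerivation` bodies extend beyond their hunks.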
@@ -1,54 +0,0 @@
-{
- pkgs,
- ...
-}:
-pkgs.writeShellApplication {
- name = "qemu-aarch64-uefi-tpm";
-
- runtimeInputs = with pkgs; [
- qemu
- swtpm
- ];
-
- text =
- let
- tpmOVMF = pkgs.OVMF.override {
- tpmSupport = true;
- secureBoot = true;
- };
- in
- ''
- set -ex
- state="/tmp/patos-qemu-$USER"
- rm -rf "$state"
- mkdir -m 700 "$state"
- qemu-img create -f qcow2 -F raw -b "$(readlink -e "$1")" "$state/disk.qcow2" 2G
-
- OVMF_FD=$(nix-build '<nixpkgs>' --no-out-link -A OVMF.fd --system aarch64-linux)
- cp "$OVMF_FD/AAVMF/vars-template-pflash.raw" "$state/vars-pflash.raw"
- chmod u+w "$state/vars-pflash.raw"
-
- # swtpm socket -d --tpmstate dir="$state" \
- # --ctrl type=unixio,path="$state/swtpm-sock" \
- # --tpm2 \
- # --log file="$state/swtpm.log",level=20
-
- qemu-system-aarch64 \
- -machine virt,gic-version=max \
- -cpu max \
- -smp 8 \
- -m 4G \
- -display none \
- -serial stdio \
- -drive "if=pflash,format=raw,unit=0,readonly=on,file=$OVMF_FD/AAVMF/QEMU_EFI-pflash.raw" \
- -drive "if=pflash,format=raw,unit=1,file=$state/vars-pflash.raw" \
- -device virtio-scsi-pci \
- -device virtio-gpu-pci \
- -device virtio-net-pci,netdev=wan \
- -netdev user,id=wan \
- -device virtio-rng-pci,rng=rng0 \
- -object rng-random,filename=/dev/urandom,id=rng0 \
- -device virtio-serial-pci \
- -drive "format=qcow2,file=$state/disk.qcow2"
- '';
-}
