From 1a76ee21ce5119d182464d35aef21c815df7f5bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Thu, 23 Jan 2025 12:11:57 +0100 Subject: [PATCH 01/78] feat: initial secure boot --- .woodpecker/ci.yaml | 13 +++- flake.nix | 3 + keys/DB.auth | Bin 0 -> 2092 bytes keys/KEK.auth | Bin 0 -> 2091 bytes keys/PK.auth | Bin 0 -> 2089 bytes modules/image/builder.nix | 1 + scripts/sbkeys | 154 ++++++++++++++++++++++++++++++++++++++ scripts/sign-release.sh | 19 +++++ 8 files changed, 189 insertions(+), 1 deletion(-) create mode 100644 keys/DB.auth create mode 100644 keys/KEK.auth create mode 100644 keys/PK.auth create mode 100755 scripts/sbkeys create mode 100755 scripts/sign-release.sh diff --git a/.woodpecker/ci.yaml b/.woodpecker/ci.yaml index 3099d84..606a477 100644 --- a/.woodpecker/ci.yaml +++ b/.woodpecker/ci.yaml @@ -6,6 +6,17 @@ when: steps: check: - image: docker.io/nixpkgs/nix-flakes:nixos-24.05 + image: docker.io/nixpkgs/nix-flakes:nixos-25.05 commands: - nix flake check + + sign: + image: docker.io/nixpkgs/nix-flakes:nixos-25.05 + environment: + DB_KEY: + from_secret: secure_boot_key + DB_CRT: + from_secret: secure_boot_crt + commands: + - ./scripts/sign-release.sh + diff --git a/flake.nix b/flake.nix index 7648b8b..e5f4787 100644 --- a/flake.nix +++ b/flake.nix @@ -80,8 +80,11 @@ devShells.${system}.default = pkgs.mkShell { buildInputs = with pkgs; [ + efitools erofs-utils just + openssl + sbsigntool self.packages.${system}.qemu-uefi-tpm squashfs-tools-ng ]; 
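Review bot: The new `sign` step hands the Secure Boot DB key and certificate (`secure_boot_key`, `secure_boot_crt`) to whatever `./scripts/sign-release.sh` is checked out at the pipeline's revision, and nothing in the hunk limits the step to trusted refs; the pipeline-level `when:` sits above the hunk, so I cannot tell whether pull-request or fork-push events reach it, but if they do, a modified script on an untrusted branch can read the private key. Gate the step to release refs and order it after the check, e.g. `when: - event: tag` and `depends_on: [check]` under `sign:`, so signing only runs for tagged revisions that passed `nix flake check`. The step also runs in a plain `nix-flakes` container while the script it calls relies on `sudo`, `losetup` and `mount`, which that image is unlikely to provide without a privileged pipeline; worth confirming before this is merged.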
diff --git a/keys/DB.auth b/keys/DB.auth new file mode 100644 index 0000000000000000000000000000000000000000..d8ce304ab5dcd9eccabe35c4093e7498daa916b0 GIT binary patch literal 2092 zcmaFK&M3yuWXb>oXIU5+7??it&AqhV>wd;N&#sjwwdP@|%MF@XHZn0X8uA<PvT-J~ zc`&9jvoJBTG8k~PacZ@Bw0-AgWM^E^#H?!2#H?u0#KgIPnTe5!NyO)m#Z3XT_qKkf z+fOh|++ca=ZBswU2&f)LZdL{Z1w%Ol88+rn7G@sNfW#92V1?k+<kF&41*iP{5(RHp zZv#1TUL#WjLn9+Y69XetqbPA+V-VK>$|b^tCPpP>YZ+M?n41{+84Q{jxtN+585uU& zJAIgPe~J0?6)P(JFWidXc=%ZMGL8QWw9?N=gf6PJ{1fs__e;6HxXaT!r7B<TS2{^H ziI&Ts-(&b@s$u8G0D(<%4QJo4ORF_KEx@PC%R9$ZS!tcqx2t6zM7IgenfyWE-fw>u z-xBu9m*!Jf@yy>Kd7*8)tMHo#9s3M|yv*nC*ne2uN%bg0cw-OGkG%Z+R);Gww~ZFd zeUcCQIQ{gB<#%->R<nPxx_o2J)JcZN*H2qrtY9pgoWi#7UZ%yNk5|@B%73y*<CN3; zy?sxMFLnu;%-c3=>%$`}_NOtWJ&TrT{P*yKcEEep1ztKf3m0+y&*Mv3ck0I6%k|<K zwSM2!_8!XK`<{uJk%4h>utA`KEE{vEEFX&)i^xmH&OT#jj-xZ@3bx+b8FTU3@$|(8 z@*rtt76}8f2J8y>K?;N!8UM4e8Za|5{zndWZg8+OGEAGFam;CB*O}kK)px9P<BQJ! zkZ$<6Y|_tJF#@JLgREG#8awQ(jtQ$Ox9RUHTQ0W#<DLU&>RUX2Da$)(>Db*B?d>^G zk`sLW(Qn-X@#FucMCbBlaoe2vZNzXeeTLS)#O3q;{Ak%cHEssi$vN-e@q2AJ|9tAM zh2Ez^l4Gl$KKr-QQ!{*8czGAcfx}lkQvRP2iPxCWwDeY`!*<QbZ8sj&K8uJ9D&mtD z{8?afZhyk!C6oDQbyWPEx{EtI<Ee_&<+XQa+a_w<SuB0YnOny`EN(^gg!xV!+b`bj z-YfHH*7x-tqHMk@-U6F~j&8m8d*g9Kft%6Ko_a{H6=Mp`mkNutnG*cQu!%9*pouY_ ziILI3f^h1^osE!lA}>5AGBUC<urx6;7$0U}KNoA3`r(42<)?602bS~VKJuUZrkz$e z!lhtYp!PQAWXZX<i&iYD&GSqi2G8GL^r}a2N@DWvnI0j5eOvw&eV4QS&HL%_{xC(Z zw6qS%J*+*mbENgcC#jU12)<z~a!M5V@qI$Z%@5LE#w)^#Hf-I_#1^+_>7&O?3nzPX z3Mrl|ve;Gf?cR@n2_oN^qRJZ=<t(*ppF4Z*kqZ}EH-&46WEns4lWJGL`2N6LC$sz+ zzuf}={c7K~$#aGF*0rgBGUg>Ji=Op!n_WA{$)d+_Q{b9sJJ_0cn={4VEX-QYD(}%; z{BV=lM4hFxj~lVyZ2x%Cr1_Hi+Kzqik7#S9ZmD|8=CCmGz|tpEmV32tT`d};{h`R8 z8B)v{Gczy<{tjK1Y~|;?JYR|X(4&-ggC=HqgC-_+Xu0K3#wsMaJ9~YH>W1Tdo7j)X zJv+^gmXZzR4P_0aA?20`X1V3!M6lQ*XaJ#7YxD6dm0IOxI_z49&!3Aq$!hr6f%WRP zyBn{z9dCW{C@ZpFPUg>7<HZpUHmn`W#`E6o+QY=f7nLt9v?-!d^>^wQQy<gw`75pW zYD(-~FP)cqt?z-3#G9L+HeLR3DI)Gp;k%F9j@}pO@NcYTdGD?N;MChErpz1fIT_?k zpI!J(zn4qus{FL9=RR68<|=Y22c&df$Xc@q9G=ksH?2!Vb*_l?hluoomurfIu6&+) 
zr*mRz@!}QAX5HS$e+W!-pS>~B>6OB)rJ7ggI~|o&;(fvV^8W3X(@m#;9Gzd7Qxl$@ z9rk=*%7M7AmHRI6Mm^cUkzaSbyY3A0`TO7ZzkJ#~!*OPnx_<QfmSGai1Ns*_##k zB6Q|ttaf*L6Y7gnYGGACOsU2D<^)TlE7xMfDV=P#Z6b%h|8w6Or6x1&%jBL3A6)F# zPdYh8MB^hT7e|i#Z%OsTDjx0k#Q1fDvlr&7zRT5L^Kr>-!H?BjkFKA&FT*!*QsJo! z8z-kaZ#F5{SDRThH!o81<SlE_1>#`~e@*A`o-K3d<X`P|eCu{@wRyI2X+UV~FJ_Ct z(=t1QD<yPQSak1a*==2}D7Vid>EB|Z(zj<O*QD9pSSZZ$CT{cWP^Yimm3wD}=uWtM zT~<EPwd0**Nthb@#3>(nR<A8)iC{QzOEviO+`xZP9|Vpk&OJQIsnL6N-p6xk&YivP h>)lPV7PIdAenjzhhNqdB=-<tK&yGnc2tB#m0RWhLMPdK| literal 0 HcmV?d00001 
diff --git a/keys/KEK.auth b/keys/KEK.auth new file mode 100644 index 0000000000000000000000000000000000000000..1e01cd38364e5af65e068ae38f9f71bc8975cc28 GIT binary patch literal 2091 zcmaFK&M3yuWXb>or&t&m7??it&AqhV>wd;N&#sjwwdP@|%MF@X)-f?M8uA<PvT-J~ zc`&9jvoJBTG8k~PacZ@Bw0-AgWM^E^#H?)4#4K;n#KgXUnTe5!NhI~;iPure=W7ze z#U~xse{#6Z;PYmX5l}sh+^h@+@`kbo(rnD3EX+J20f{C4!3x2t$)!c93Qqa?B?<xF z26E!OMy3XaMn;Av21cevQR2MDAg%$FOW1%WMkQoR8Ce;an;7{S44N3Zn3@<F8P?U^ zF&9uul+4)J6u+T&TfocklM5~DVotN3UGs|RcX4Lp_5&B6M@dI++0hXzb?F4>#j9(# zABx;^WX_aXrx<OXMyy)0rqb_I<+ZCS-ySZyd?HK1^32|sEFv>?&bIAadEn!B-@d*u z`8YB8Jdv14d3C3k7Hfph$D9vYUmp3>qW`dDmtTgh-Kre|i!Q&Ew_wgFkBR;lbJa9F zO<JOCNzt{`mOhaw{h{Yw;+GVCSe4HFV8W3V`|K`!s#?!6>C@|9b)Rl@AMjys77I}n z;@R+vr|!kitqEJKE0+8}xNGrIcejVjPcX)n>)7Y!KaGDEFhy%!o%@l0DmnWs+Z7dJ zi_*DU4`$~wF*7nSE)F&bG>~Ou4wdC&5n~b2*l=<4O!<3rcQGvzo+;fladD{sZUcFc zv@(l?fmj1}1^gfd!i<dnSy&C285#d02Rk=7*cln-y|~6Q^WgWsbtju%yyEloI2Zf1 zP&@f^r7ZIfRi2`W?zRHP@?S3boVI^=MRmr*<3^|V&z-ZRJI`R<buV=T##=gPl264Y zu3%MqyIB6zgY8et3fJc^TDK&<OyJAM2_Nl$f1Yh;dM|&@l<#FW7tSc1?|8km-;UAv zZvE~0xwAb|vy%Qsm$q%a^}?}!cg0clioors?`ZPQDJ#BvboZT`ch20{6Yl6@@j2(y zj2Y#84_xo>v?&$4zbs8o;npfnqqcd`9}Kt7l#!S#{-fQ*pJD2p3f4Efu00B9o4Dq0 z&z!7>?|<bB6c>Hy^I6mTMJ2}Pu0Y2=!NNOVSMhbSu9zQLGdrxNrccqZi80Bbi7}3e zk<q}MVB*D{hmf-&FFYGEGO{wTG%+#+t3TiMWW`I7w7X$DuO%3yRvE3)zq{nQ=7LXg zPoCX7bCjuV_WkZ_bN^+{UM?5>Vzv*%vD4>QpUimuVaxeziw?c&x%boPluV_gFwa`% z#DW!1<-_Ds6^dM@vvi%zH4V1i-X_W8^ftXxF<<@Ce!cDW7am2dxKWy}{$|t4pl!Bq zj$~~POxnp`@o=A?sl0UFt;K<Bx%@v(_|;^vD=SoTlGBz|w;nzH>iOi&?)&HJpY5u< z_vuT&k6ZGl$FJt<x>~sI`I*yRIQiSR?Q7KnIQL9kU;35xvXlLL5$i{}tTtbz_gn3p zp=4Dtd*(g!RSosIY6^~i@0MSlvdjG8<-?n!ukBPb)d=3RF!I3CCsUStwQpT58l(N8 zD3BRa#+foRFbMt*U6yR+=e#^$iTlu_ly-wAW<`T0CQfLf<@3klrhwUdTR+q7Cm1Gf zusrm(sUIyN8z>mc8OT5iEm6!u%iEQ3sYTcXLdDi5d#4Xm?k_QazG6kC|Akxe8xJ4L zUZ(MXfmZq%iO@y0mVZK?>3%8K7k7Djr&Q&u{YodvCed>F^Lq^6Of~G>7$C4ouHo$a zb!oMxrv><Qd3ooUDl4sX`gXPKgXlJ)Ig>vK-23gX;#<OA`O<vqDxUcpBrmjWcNKo~ zpktpwkeB)V9s3W9JE<OJ2yg7+`H`2O-|BEB=C;vdxli&zAE%#QvHY%X#A^00R+n$A 
znL5ev`1)z9ixrGzlT+9h-pjN&^zq8NN%>C}X`FI;zqjvc@x?A7lX=@_ZGCuT#r`y= zv}e&0jsG5g&<=R7y1+}vX5k{P|9N~V>rUO6d%0d*qt@@6+TKIid*5R#wq7!J_8B{K z9Gy8=u=Uo?n2XPjr!Ph+wy-K7rr4S`KjWCw#;!BJg{$va>BbkG{~_J*aoMDwvtk5H zcLrIpY&CY+R~-{pRc_PYRkmDg{l`5A&eXSf{!*5A(9*HHE85$0pd=^w`lH{v1>(p5 zONq|q%i^{<^V^8wVEPQLeTmEG{rS<dd1~AYu9I`#zvK7XaQ^w!T?@TWg(SyTJ$?3X zrKe{2wD9sSjsu6Uc%=M4BNDGMp=s%@N{8*5kK1lMsC^a@8C1k4FZi>-<lO#*#Y-mh z&+4f7IdvCzcE(c`smp8c%(hL`xU*RLk~6oCeOTOz=n3<kIJRHB+r3xj(X8+5J4D%h lRlEf@1s&ab@At;zh5|REpFQ=EUMt2FnlBX=X)`7G4FK$eYQO*h literal 0 HcmV?d00001 
diff --git a/keys/PK.auth b/keys/PK.auth new file mode 100644 index 0000000000000000000000000000000000000000..77ce10ffeb80f9ff109269b36782368b8064f20d GIT binary patch literal 2089 zcmaFK&M3yuWXb>or&t&m7??it&AqhV>wd;N&#sjwwdP@|%MF@X)-f?M8uA<PvT-J~ zc`&9jvoJBTG8k~PacZ@Bw0-AgWM^E^#H?)4#4K;n#KgXUnTe5!NhI~;iPure=W7ze z#U~xse{#6Z;PYmX5l}sh+^h@+@`kbo(rnD3EX+J20f{C4!3x2t$)!c93Qqa?B?<xF z26E!OMy3XaMn;Av21cevQR2MDAg%$FOW1%WMkQoR8Ce;an;7{S44N3Zn3@<F8P?U^ zF&9uul+4)J6u+T&TfocklM5~DVotN3UGs|RcX4Lp_5&B6M@dI++0hXzb?F4>#j9(# zABx;^WX_aXrx<OXMyy)0rqb_I<+ZCS-ySZyd?HK1^32|sEFv>?&bIAadEn!B-@d*u z`8YB8Jdv14d3C3k7Hfph$D9vYUmp3>qW`dDmtTgh-Kre|i!Q&Ew_wgFkBR;lbJa9F zO<JOCNzt{`mOhaw{h{Yw;+GVCSe4HFV8W3V`|K`!s#?!6>C@|9b)Rl@AMjys77I}n z;@R+vr|!kitqEJKE0+8}xNGrIcejVjPcX)n>)7Y!KaGDEFhy%!o%@l0DmnWs+Z7dJ zi_*DU4`$~wF*7nSE)F&bG>~Ou4wdC&5n~b2*l=<4O!<3rcQGvzo+;fladD{sZUcFc zv@(l?fmj1}1^gfd!i<dnSy&C285#d02Rk=7*cln-y|~6Q^WgWsbtju%yyEloI2Zf1 zP&@f^r7ZIfRi2`W?zRHP@?S3boVI^=MRmr*<3^|V&z-ZRJI`R<buV=T##=gPl264Y zu3%MqyIB6zgY8et3fJc^TDK&<OyJAM2_Nl$f1Yh;dM|&@l<#FW7tSc1?|8km-;UAv zZvE~0xwAb|vy%Qsm$q%a^}?}!cg0clioors?`ZPQDJ#BvboZT`ch20{6Yl6@@j2(y zj2Y#84_xo>v?&$4zbs8o;npfnqqcd`9}Kt7l#!S#{-fQ*pJD2p3f4Efu00B9o4Dq0 z&z!7>?|<bB6c>Hy^I6mTMJ2}Pu0Y2=!NNOVSMhbSu9zQLGdrxNrccqZi80Bbi7}3e zk<q}MVB*D{hmf-&FFYGEGO{wTG%+$T-P*d;TKrI$+R{&NJ+kh+wPxY}Z!T=prOcxK zvRU(X1LMu?t%ufy1PD#IbM0Zz$I_1qhhp=(B$VrI@>a8{E{)gJVTrvc#x_qj{G6!; z|Dx8XQ(p=kTRHdNu}I@hT&gEN8YsJ`nroaCc(F>zI8&u~rDA*Rl<)_u#hUDVR>?Tn zM{-KCtUuFv`2JJ1{}G$~Zz<guY+A7S{sD&E=|A51%k2M?aXqqOBX9rSeTHGFmz}+q zZ#e%T{I+F8(`+LJS*@8zQ#84~G^(xD@18#SR!KVYs=y`JxL@HOKkhs2;|g5w;#TQg zV4#?u(RAF&{KJ<y;ct)J6KJ<7;1j$ptnc2kQMNo_VdR0OPo^yQYTvqAG)DVFkv}t} lj5B6tU=aKrx-8ks&v|*i68E7;Dea?$)@Y$MT4>=dv;bYNUCjUh literal 0 HcmV?d00001 diff --git a/modules/image/builder.nix b/modules/image/builder.nix index f510fe7..65dc08a 100644 --- a/modules/image/builder.nix +++ b/modules/image/builder.nix 
@@ -76,6 +76,7 @@ let contents = { "/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source = "${pkgs.systemdUkify}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi"; "/EFI/Linux/${config.system.boot.loader.ukiFile}".source = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}"; + "/EFI/loader/keys/patos".source = ../../keys; "/EFI/memtest86/memtest86.efi".source = "${pkgs.memtest86plus}/memtest.efi"; "/loader/entries/patos-factory-reset.conf".source = pkgs.writeText "patos-factory-reset.conf" '' title Patos Factory Reset diff --git a/scripts/sbkeys b/scripts/sbkeys new file mode 100755 index 0000000..a24e215 --- /dev/null +++ b/scripts/sbkeys 
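Review bot: The added entry copies the whole `../../keys` directory into the ESP, not just the three `.auth` files this commit adds, so anything else that lands in that directory ships inside every image; `scripts/sbkeys` from the same commit writes `PK.key`, `KEK.key` and `DB.key` into its working directory, and no `.gitignore` for `keys/` is visible in the series, so a stray private key would be embedded without anyone noticing. List the files explicitly instead, e.g. `"/EFI/loader/keys/patos/DB.auth".source = ../../keys/DB.auth;` (and likewise for `KEK.auth` and `PK.auth`). The path also disagrees with `scripts/sign-release.sh` in this commit, which installs the same files under `/loader/keys/patos/` at the ESP root; systemd-boot's key auto-enrollment looks for `/loader/keys/<name>/`, so this `/EFI/loader/...` location is the one that looks wrong. The enclosing `contents` attribute set starts outside the hunk.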
@@ -0,0 +1,154 @@ +#!/usr/bin/env bash +# Copyright (c) 2015 by Roderick W. Smith +# Copyright (c) 2020 Corey Hinshaw +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +[ -n "${DEBUG}" ] && set -x +set -e + +usage() { + cat <<EOF +Usage: sbkeys [OPTION]... +Generate secure boot keys + +Options: + -h Print this help text + -m Generate signature database entries for Microsoft certificates +EOF +} + +generate_keys() { + # Do not create new keys if key files already exist + KEYS=( + PK.key PK.crt PK.cer PK.esl PK.auth + KEK.key KEK.crt KEK.cer KEK.esl KEK.auth + DB.key DB.crt DB.cer DB.esl DB.auth + noPK.esl noPK.auth + myGUID.txt + ) + for file in ${KEYS[@]}; do + if [ -f ${file} ]; then + echo "Skipping key generation: keys already exist in $(pwd)" + return + fi + done + + echo -n "Enter a Common Name to embed in the keys: " + read NAME + + # Platform key + openssl req -new -x509 \ + -subj "/CN=${NAME} PK/" -days 3650 -nodes \ + -newkey rsa:2048 -sha256 \ + -keyout PK.key -out PK.crt + openssl x509 -in PK.crt -out PK.cer -outform DER + + # Key exchange key + openssl req -new -x509 \ + -subj "/CN=${NAME} KEK/" -days 3650 -nodes \ + -newkey rsa:2048 -sha256 \ + -keyout KEK.key -out KEK.crt + openssl x509 -in KEK.crt -out KEK.cer -outform DER + + # Signature database + openssl req -new -x509 \ + -subj "/CN=${NAME} DB/" -days 3650 -nodes \ + -newkey rsa:2048 -sha256 \ + -keyout 
DB.key -out DB.crt + openssl x509 -in DB.crt -out DB.cer -outform DER + + GUID="$(uuidgen -r)" + echo ${GUID} > myGUID.txt + + cert-to-efi-sig-list -g ${GUID} PK.crt PK.esl + cert-to-efi-sig-list -g ${GUID} KEK.crt KEK.esl + cert-to-efi-sig-list -g ${GUID} DB.crt DB.esl + rm -f noPK.esl + touch noPK.esl + + sign-efi-sig-list \ + -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \ + -k PK.key -c PK.crt \ + PK PK.esl PK.auth + sign-efi-sig-list \ + -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \ + -k PK.key -c PK.crt \ + PK noPK.esl noPK.auth + sign-efi-sig-list \ + -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \ + -k PK.key -c PK.crt \ + KEK KEK.esl KEK.auth + sign-efi-sig-list \ + -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \ + -k KEK.key -c KEK.crt \ + DB DB.esl DB.auth + + chmod 0600 *.key +} + +generate_ms_db() { + msguid=77fa9abd-0359-4d32-bd60-28f4e78f784b + + msdb="MS_db.esl add_MS_db.auth" + for file in $msdb; do + if [ -f $file ]; then + echo "Microsoft signature lists already exist in $(pwd)" + return + fi + done + + wget --user-agent="Mozilla" https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt + wget --user-agent="Mozilla" https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt + + sbsiglist --owner "$msguid" --type x509 --output MS_Win_db.esl MicWinProPCA2011_2011-10-19.crt + sbsiglist --owner "$msguid" --type x509 --output MS_UEFI_db.esl MicCorUEFCA2011_2011-06-27.crt + cat MS_Win_db.esl MS_UEFI_db.esl > MS_db.esl + sign-efi-sig-list -a -g "$msguid" -k KEK.key -c KEK.crt DB MS_db.esl add_MS_db.auth + + rm MS_Win_db.esl MS_UEFI_db.esl MicWinProPCA2011_2011-10-19.crt MicCorUEFCA2011_2011-06-27.crt +} + +mskeys=0 + +while getopts ":hm" opt; do + case $opt in + h) + usage + cat <<EOF + +For use with KeyTool, copy the *.auth and *.esl files to a FAT USB +flash drive or to your EFI System Partition (ESP). +For use with most UEFIs' built-in key managers, copy the *.cer files. 
+ +To add Microsoft's certificates use KeyTool or UEFI to append +add_MS_db.auth to the signature database. +EOF + exit 0 + ;; + m) + mskeys=1 + ;; + \?) + echo "Invalid option: -$OPTARG" >&2 + usage >&2 + exit 1 + ;; + esac +done + +generate_keys +if [ $mskeys -eq 1 ]; then + generate_ms_db +fi diff --git a/scripts/sign-release.sh b/scripts/sign-release.sh new file mode 100755 index 0000000..0de9aed --- /dev/null +++ b/scripts/sign-release.sh @@ -0,0 +1,19 @@ +#! /usr/bin/env nix-shell +#! nix-shell -i bash -p efitools + +set -eux + +mkdir signed +cp -L result/* signed/ + +loopdev=$(sudo losetup -f) +sudo losetup -P "$loopdev" signed/*.img +sudo mount "${loopdev}p1" /mnt -t vfat + +sudo find signed/ /mnt/ -name "*.efi" -type f -exec sbsign --key <(echo "$DB_KEY") --cert <(echo "$DB_CRT") --output {} {} \; + +sudo mkdir -p /mnt/loader/keys/patos +sudo cp keys/*.auth /mnt/loader/keys/patos/ + +sudo umount /mnt +sudo losetup -d "$loopdev" From 02ae3e58139fd0e5c5e5fd122f8a39f43f6b1de4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Thu, 23 Jan 2025 12:11:57 +0100 Subject: [PATCH 02/78] fix: mount ESP onboot --- modules/image/builder.nix | 2 +- modules/image/default.nix | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/image/builder.nix b/modules/image/builder.nix index f510fe7..4f194d8 100644 --- a/modules/image/builder.nix +++ b/modules/image/builder.nix @@ -15,7 +15,7 @@ let Type = "root"; Minimize = "best"; Format = "erofs"; - MakeDirectories = "/home /root /etc /dev /sys /bin /var /proc /run /usr /usr/bin /srv /tmp /mnt /lib /efi"; + MakeDirectories = "/home /root /etc /dev /sys /bin /var /proc /run /usr /usr/bin /srv /tmp /mnt /lib /boot"; Verity = "data"; VerityMatchKey = "root"; SplitName = "root"; diff --git a/modules/image/default.nix b/modules/image/default.nix index dc705e9..20d7fa7 100644 --- a/modules/image/default.nix +++ b/modules/image/default.nix 
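Review bot: `generate_ms_db` feeds whatever `wget` returns for the two Microsoft certificates straight into `sbsiglist` and then KEK-signs the result into `add_MS_db.auth`, with no check that the downloaded bytes are the expected certificates, so a bad mirror, captive portal or swapped file gets enrolled into `db` under your own KEK. Verify each download against its published fingerprint before use, e.g. `echo "<EXPECTED_SHA256_PLACEHOLDER>  MicWinProPCA2011_2011-10-19.crt" | sha256sum -c -` (and the same for `MicCorUEFCA2011_2011-06-27.crt`), letting `set -e` abort on mismatch. In `generate_keys`, `for file in ${KEYS[@]}` and `[ -f ${file} ]` are unquoted; `"${KEYS[@]}"` and `"${file}"` are the intended forms. The `-nodes` private keys are written unencrypted and only `chmod 0600`-ed at the very end of the function, so an interrupted run leaves them at whatever the umask allows; a `umask 077` at the top of `generate_keys` closes that window. The hunk starts three source lines earlier than this anchor.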
@@ -22,6 +22,7 @@ systemd.repart.partitions = { "10-esp" = { Type = "esp"; + UUID = "c12a7328-f81f-11d2-ba4b-00a0c93ec93b"; # Well known Format = "vfat"; SizeMinBytes = "96M"; SizeMaxBytes = "96M"; From da048fc28d37a9b50b0ca79223bb571ccacf1a5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Mon, 10 Feb 2025 10:49:11 +0100 Subject: [PATCH 03/78] feat: add support for 9p virtfs --- modules/profiles/base.nix | 2 ++ utils/qemu-uefi-tpm.nix | 1 + 2 files changed, 3 insertions(+) diff --git a/modules/profiles/base.nix b/modules/profiles/base.nix index 419c55d..bb6b37b 100644 --- a/modules/profiles/base.nix +++ b/modules/profiles/base.nix @@ -31,6 +31,8 @@ "xhci-pci-renesas" "nvme" "virtio_net" + "9p" + "9pnet_virtio" ]; system.etc.overlay.mutable = lib.mkDefault false; diff --git a/utils/qemu-uefi-tpm.nix b/utils/qemu-uefi-tpm.nix index 7cc36c7..bde07ab 100644 --- a/utils/qemu-uefi-tpm.nix +++ b/utils/qemu-uefi-tpm.nix @@ -34,6 +34,7 @@ pkgs.writeShellApplication { -smp 8 \ -m 4G \ -display none \ + -virtfs "local,path=/tmp,security_model=mapped,mount_tag=shared" \ -chardev "stdio,id=char0,mux=on,logfile=$state/console.log,signal=off" \ -serial chardev:char0 \ -mon chardev=char0 \ From 4702e0dddb86e576a404f384937e41df08acd01e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Mon, 10 Feb 2025 10:49:11 +0100 Subject: [PATCH 04/78] feat(systemd): enabled sysupdated --- flake.lock | 6 +- modules/config/minimal-system.nix | 23 +++--- modules/image/updater.nix | 122 +++++++++++++++--------------- pkgs/systemd.nix | 10 --- 4 files changed, 76 insertions(+), 85 deletions(-) delete mode 100644 pkgs/systemd.nix diff --git a/flake.lock b/flake.lock index 2cb3583..6ca2bd0 100644 --- a/flake.lock +++ b/flake.lock 
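Review bot: `path=/tmp` exports the host's entire `/tmp` to the guest, and virtfs shares are read-write unless told otherwise, so anything a guest process writes lands in a directory every host user shares and any host file parked in `/tmp` is readable from the VM. The same command line already keeps per-run state under `$state`, so point the share at a dedicated directory, e.g. `-virtfs "local,path=$state/shared,security_model=mapped,mount_tag=shared"`, and append `,readonly=on` when the guest only needs to read from it. The enclosing `writeShellApplication` text begins outside the hunk.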
@@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1737469691, - "narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=", + "lastModified": 1739020877, + "narHash": "sha256-mIvECo/NNdJJ/bXjNqIh8yeoSjVLAuDuTUzAo7dzs8Y=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab", + "rev": "a79cfe0ebd24952b580b1cf08cd906354996d547", "type": "github" }, "original": { diff --git a/modules/config/minimal-system.nix b/modules/config/minimal-system.nix index e77476b..c81d7d4 100644 --- a/modules/config/minimal-system.nix +++ b/modules/config/minimal-system.nix @@ -6,19 +6,18 @@ composefs = final.callPackage ../../pkgs/composefs.nix { inherit prev; }; qemu_tiny = final.callPackage ../../pkgs/qemu.nix { inherit prev; }; - systemdUkify = final.callPackage ../../pkgs/systemd-ukify.nix { inherit prev; }; - # # FIXME: Revisit + refine these below in a future image minimization effort - # - # util-linux = prev.util-linux.override { - # ncursesSupport = false; - # nlsSupport = false; - # }; - # - # dbus = prev.dbus.override { - # enableSystemd = false; - # x11Support = false; - # }; + systemd = prev.systemd.overrideAttrs (oldAttrs: { + mesonFlags = oldAttrs.mesonFlags ++ [ + "-Dsysupdated=enabled" + ]; + }); + ## minimal inherit from systemd pkg, need to explicitly disable sysupdated + systemdMinimal = prev.systemdMinimal.overrideAttrs (oldAttrs: { + mesonFlags = oldAttrs.mesonFlags ++ [ + "-Dsysupdated=disabled" + ]; + }); }) ]; diff --git a/modules/image/updater.nix b/modules/image/updater.nix index f3c1226..7602cdc 100644 --- a/modules/image/updater.nix +++ b/modules/image/updater.nix 
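Review bot: The removed `systemdUkify` overlay entry still has a consumer: `modules/image/builder.nix` reads `${pkgs.systemdUkify}/lib/systemd/boot/efi/...` (visible in the builder.nix hunk of PATCH 01/78 in this series), and this commit deletes only `pkgs/systemd.nix`, not `pkgs/systemd-ukify.nix`, so unless the attribute is defined somewhere outside this diff the image build now references an undefined package. Either keep `systemdUkify = final.callPackage ../../pkgs/systemd-ukify.nix { inherit prev; };` or switch builder.nix to the new `systemd` attribute in the same commit. A short comment above the `systemd` override would help the next reader, e.g. `# sysupdated is not built by default; enable it so systemd-sysupdated.service exists in the image`, hedged as appropriate if nixpkgs' default differs.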
@@ -17,71 +17,73 @@ { assertion = config.system.image.updates.url != null; } ]; - systemd.sysupdate.enable = true; - systemd.sysupdate.reboot.enable = lib.mkDefault true; - - systemd.sysupdate.transfers = { - "10-uki" = { - Transfer = { - Verify = "no"; - }; - Source = { - Type = "url-file"; - Path = "${config.system.image.updates.url}"; - MatchPattern = "${config.boot.uki.name}_@v.efi"; - }; - Target = { - Type = "regular-file"; - Path = "/EFI/Linux"; - PathRelativeTo = "esp"; - MatchPattern = "${config.boot.uki.name}_@v+@l-@d.efi ${config.boot.uki.name}_@v+@l.efi ${config.boot.uki.name}_@v.efi"; - Mode = "0444"; - TriesLeft = 3; - TriesDone = 0; - InstancesMax = 2; - }; - }; - "20-root-verity" = { - Transfer = { - Verify = "no"; - }; - Source = { - Type = "url-file"; - Path = "${config.system.image.updates.url}"; - MatchPattern = "${config.system.image.id}_@v_@u.verity"; - }; - Target = { - Type = "partition"; - Path = "auto"; - MatchPattern = "verity-@v"; - MatchPartitionType = "root-verity"; - ReadOnly = 1; - }; - }; - "22-root" = { - Transfer = { - Verify = "no"; - }; - Source = { - Type = "url-file"; - Path = "${config.system.image.updates.url}"; - MatchPattern = "${config.system.image.id}_@v_@u.root"; - }; - Target = { - Type = "partition"; - Path = "auto"; - MatchPattern = "root-@v"; - MatchPartitionType = "root"; - ReadOnly = 1; - }; - }; - }; - systemd.additionalUpstreamSystemUnits = [ "systemd-bless-boot.service" "boot-complete.target" + "dbus-org.freedesktop.sysupdate1.service" + "systemd-sysupdated.service" ]; + environment.etc."sysupdate.d/10-uki.transfer" = { + text = '' + [Source] + Path=${config.system.image.updates.url} + MatchPattern=${config.boot.uki.name}_@v.efi + Type=url-file + + [Target] + InstancesMax=2 + MatchPattern=${config.boot.uki.name}_@v+@l-@d.efi ${config.boot.uki.name}_@v+@l.efi ${config.boot.uki.name}_@v.efi + Mode=0444 + Path=/EFI/Linux + PathRelativeTo=esp + TriesDone=0 + TriesLeft=3 + Type=regular-file + + [Transfer] + 
Verify=no + ''; + }; + + environment.etc."sysupdate.d/20-root.transfer" = { + text = '' + [Source] + Type=url-file + Path=${config.system.image.updates.url} + MatchPattern=${config.system.image.id}_@v_@u.verity + + [Target] + Type=partition + Path=auto + MatchPattern=verity-@v + MatchPartitionType=root-verity + ReadOnly=1 + + [Transfer] + Verify=no + ''; + }; + + environment.etc."sysupdate.d/22-root.transfer" = { + text = '' + [Source] + Type=url-file + Path=${config.system.image.updates.url} + MatchPattern=${config.system.image.id}_@v_@u.root + + [Target] + Type=partition + Path=auto + MatchPattern=root-@v + MatchPartitionType=root + ReadOnly=1 + + [Transfer] + Verify=no + ''; + }; + }; } diff --git a/pkgs/systemd.nix b/pkgs/systemd.nix deleted file mode 100644 index 2d52e9a..0000000 --- a/pkgs/systemd.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ prev, ... }: - -prev.systemd.override { - withAcl = false; - withApparmor = false; - withDocumentation = false; - withRemote = false; - withShellCompletions = false; - withVmspawn = false; -} From b784c94d420a2287901117eefe9b1538fb8bdd86 Mon Sep 17 00:00:00 2001 
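Review bot: All three new transfer files keep `Verify=no`, so `systemd-sysupdate` installs the UKI and the root/verity partitions fetched from `config.system.image.updates.url` without validating a signed `SHA256SUMS`; the Secure Boot work earlier in this series then authenticates only the UKI at boot, while the partition update path rests on TLS alone and a compromised or mis-served update host can push arbitrary root images. Set `Verify=yes`, publish `SHA256SUMS` plus a detached `SHA256SUMS.gpg` next to the artifacts, and ship the verifying public key in the image's import keyring (`/usr/lib/systemd/import-pubring.gpg`). Separately, replacing `systemd.sysupdate.enable` / `systemd.sysupdate.reboot.enable` with raw `/etc/sysupdate.d` files and `systemd-sysupdated.service` appears to drop `systemd-sysupdate.timer` and `systemd-sysupdate-reboot.timer`, which the NixOS options previously enabled; unless the timers are added elsewhere, updates now run only on explicit `updatectl`/D-Bus requests. The enclosing module attribute set starts before the hunk.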
From: Daniel Lundin <dln@arity.se> Date: Thu, 13 Feb 2025 09:28:16 +0100 Subject: [PATCH 05/78] WIP: Build image from scratch / without NixOS. An experiment to see if we can minimize the PatOS project even further, and not have to adapt NixOS packages and config for our needs. --- .envrc.recommended | 2 + flake.lock | 34 + flake.nix | 113 +- kernel/default.nix | 16 + kernel/generic.config | 2521 +++++++++++++++++ modules/config/minimal-modules.nix | 15 - modules/config/minimal-system.nix | 25 - modules/default.nix | 6 - modules/image/builder.nix | 196 -- modules/image/default.nix | 137 - modules/image/updater.nix | 89 - modules/image/veritysetup.nix | 39 - modules/profiles/base.nix | 97 - modules/profiles/devel.nix | 39 - modules/profiles/network.nix | 65 - modules/profiles/server.nix | 18 - modules/profiles/sysext.nix | 23 - pkgs/composefs.nix | 5 - pkgs/linux-firmware.nix | 12 - pkgs/qemu.nix | 30 - pkgs/systemd-ukify.nix | 48 - ....build-do-not-create-systemdstatedir.patch | 21 + systemd/default.nix | 315 ++ systemd/result | 1 + tests/common.nix | 155 - tests/lib.nix | 9 - tests/podman.nix | 22 - tests/system-update.nix | 45 - utils/qemu-uefi-tpm.nix | 50 - 29 files changed, 2947 insertions(+), 1201 deletions(-) create mode 100644 kernel/default.nix create mode 100644 kernel/generic.config delete mode 100644 modules/config/minimal-modules.nix delete mode 100644 modules/config/minimal-system.nix delete mode 100644 modules/default.nix delete mode 100644 modules/image/builder.nix delete mode 100644 modules/image/default.nix delete mode 100644 modules/image/updater.nix delete mode 100644 modules/image/veritysetup.nix delete mode 100644 modules/profiles/base.nix delete mode 100644 modules/profiles/devel.nix delete mode 100644 modules/profiles/network.nix delete mode 100644 modules/profiles/server.nix delete mode 100644 modules/profiles/sysext.nix delete mode 100644 pkgs/composefs.nix delete mode 100644 pkgs/linux-firmware.nix delete mode 100644 pkgs/qemu.nix delete 
mode 100644 pkgs/systemd-ukify.nix create mode 100644 systemd/0017-meson.build-do-not-create-systemdstatedir.patch create mode 100644 systemd/default.nix create mode 120000 systemd/result delete mode 100644 tests/common.nix delete mode 100644 tests/lib.nix delete mode 100644 tests/podman.nix delete mode 100644 tests/system-update.nix delete mode 100644 utils/qemu-uefi-tpm.nix diff --git a/.envrc.recommended b/.envrc.recommended index 3550a30..3e08e17 100644 --- a/.envrc.recommended +++ b/.envrc.recommended @@ -1 +1,3 @@ +nix_direnv_manual_reload use flake +dotenv_if_exists diff --git a/flake.lock b/flake.lock index 6ca2bd0..85be38f 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,23 @@ { "nodes": { + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1739020877, @@ -18,8 +36,24 @@ }, "root": { "inputs": { + "flake-utils": "flake-utils", "nixpkgs": "nixpkgs" } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 7648b8b..6a4e60f 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,90 +2,51 @@ description = "PatOS is a minimal, immutable Linux distribution specialized for the Patagia Platform."; inputs = { + flake-utils.url = "github:numtide/flake-utils"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; }; outputs = - { self, nixpkgs }: - let - releaseVersion = "0.0.1"; - system = "x86_64-linux"; - updateUrl = "https://images.dl.patagia.dev/patos/"; - pkgs = import nixpkgs { inherit system; }; - in { - nixosModules.devel.imports = [ - ./modules/profiles/devel.nix - ]; + self, + flake-utils, + nixpkgs, + }: + flake-utils.lib.eachDefaultSystem ( + system: + let + pkgs = import nixpkgs { inherit system; }; + in + { + packages = { + default = self.packages.${system}.image; + image = pkgs.writeShellScriptBin "image" '' + echo "make image here..." + ''; - nixosModules.server.imports = [ - ./modules/profiles/server.nix - ]; + kernel = pkgs.callPackage ./kernel { }; + systemd = pkgs.callPackage ./systemd { }; + }; - nixosModules.image.imports = [ - ./modules - ./modules/profiles/base.nix - ./modules/image - ]; + checks = { + simple-test = pkgs.runCommand "simple-test" { } '' + ${self.packages.${system}.default}/bin/my-program + touch $out + ''; + }; - packages.${system} = { - devel = - (nixpkgs.lib.nixosSystem { - modules = [ - ( - { ... }: - { - nixpkgs.hostPlatform = system; - system.stateVersion = "25.05"; - } - ) - { - system.image.updates.url = "${updateUrl}"; - system.image.id = "patos"; - system.image.version = releaseVersion; - image.compress = false; - } - self.nixosModules.image - self.nixosModules.devel - ]; - }).config.system.build.updatePackage; + formatter = pkgs.nixpkgs-fmt; - patos = - (nixpkgs.lib.nixosSystem { - modules = [ - ( - { ... 
}: - { - nixpkgs.hostPlatform = system; - system.stateVersion = "25.05"; - } - ) - { - system.image.updates.url = "${updateUrl}"; - system.image.id = "patos"; - system.image.version = releaseVersion; - } - self.nixosModules.image - self.nixosModules.server - ]; - }).config.system.build.updatePackage; + devShells.default = pkgs.mkShell { + buildInputs = with pkgs; [ + erofs-utils + just + nixd + nixfmt-rfc-style + squashfs-tools-ng + ]; + }; - qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { inherit pkgs; }; - }; - - checks.${system} = { - podman = import ./tests/podman.nix { inherit pkgs self; }; - system-update = import ./tests/system-update.nix { inherit pkgs self; }; - }; - - devShells.${system}.default = pkgs.mkShell { - buildInputs = with pkgs; [ - erofs-utils - just - self.packages.${system}.qemu-uefi-tpm - squashfs-tools-ng - ]; - }; - - }; + } + ); } diff --git a/kernel/default.nix b/kernel/default.nix new file mode 100644 index 0000000..e10d25b --- /dev/null +++ b/kernel/default.nix @@ -0,0 +1,16 @@ +{ pkgs, ... }: +let + version = "6.13.2"; +in +pkgs.linuxPackagesFor ( + pkgs.linuxManualConfig { + version = "${version}-patos1"; + modDirVersion = version; + src = pkgs.fetchurl { + url = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${version}.tar.xz"; + hash = "sha256-zfYpgZBru+lwGutzxPn8yAegmEbCiHMWY9YnF+0a5wU="; + }; + configfile = ./generic.config; + allowImportFromDerivation = true; + } +) diff --git a/kernel/generic.config b/kernel/generic.config new file mode 100644 index 0000000..2073cdf --- /dev/null +++ b/kernel/generic.config 
@@ -0,0 +1,2521 @@ +CONFIG_64BIT=y +CONFIG_ACPI_AC=y +CONFIG_ACPI_BATTERY=y +CONFIG_ACPI_BUTTON=y +CONFIG_ACPI_CONTAINER=y +CONFIG_ACPI_CPPC_LIB=y +CONFIG_ACPI_CPU_FREQ_PSS=y +CONFIG_ACPI_FAN=y +CONFIG_ACPI_HOTPLUG_CPU=y +CONFIG_ACPI_HOTPLUG_IOAPIC=y +CONFIG_ACPI_I2C_OPREGION=y +CONFIG_ACPI_IPMI=y +CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y +CONFIG_ACPI_LPIT=y +CONFIG_ACPI_MDIO=y +CONFIG_ACPI_NUMA=y +CONFIG_ACPI_PCC=y +CONFIG_ACPI_PRMT=y +CONFIG_ACPI_PROCESSOR_CSTATE=y +CONFIG_ACPI_PROCESSOR_IDLE=y +CONFIG_ACPI_PROCESSOR=y +CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y +CONFIG_ACPI_SLEEP=y +CONFIG_ACPI_SPCR_TABLE=y +CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y +CONFIG_ACPI_TABLE_UPGRADE=y +CONFIG_ACPI_THERMAL=y +CONFIG_ACPI_VIDEO=y +CONFIG_ACPI_WATCHDOG=y +CONFIG_ACPI_WMI=y +CONFIG_ACPI=y +CONFIG_ADDRESS_MASKING=y +CONFIG_ADVISE_SYSCALLS=y +CONFIG_AF_UNIX_OOB=y +CONFIG_AIO=y +CONFIG_ALLOW_DEV_COREDUMP=y +CONFIG_ALX=m +CONFIG_AMD_IOMMU_V2=y +CONFIG_AMD_IOMMU=y +CONFIG_AMD_NB=y +CONFIG_AMD_NUMA=y +CONFIG_AMD_PMC=m +CONFIG_APERTURE_HELPERS=y +CONFIG_AQTION=m +CONFIG_ARCH_CLOCKSOURCE_INIT=y +CONFIG_ARCH_CONFIGURES_CPU_MITIGATIONS=y +CONFIG_ARCH_CORRECT_STACKTRACE_ON_KRETPROBE=y +CONFIG_ARCH_CPUIDLE_HALTPOLL=y +CONFIG_ARCH_DMA_ADDR_T_64BIT=y +CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y +CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y +CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y +CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y +CONFIG_ARCH_HAS_ADD_PAGES=y +CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y +CONFIG_ARCH_HAS_COPY_MC=y +CONFIG_ARCH_HAS_CPU_CACHE_INVALIDATE_MEMREGION=y +CONFIG_ARCH_HAS_CPU_FINALIZE_INIT=y +CONFIG_ARCH_HAS_CPU_RELAX=y +CONFIG_ARCH_HAS_CURRENT_STACK_POINTER=y +CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y +CONFIG_ARCH_HAS_DEBUG_VM_PGTABLE=y +CONFIG_ARCH_HAS_DEBUG_WX=y +CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y +CONFIG_ARCH_HAS_ELFCORE_COMPAT=y +CONFIG_ARCH_HAS_ELF_RANDOMIZE=y +CONFIG_ARCH_HAS_FAST_MULTIPLIER=y +CONFIG_ARCH_HAS_FORTIFY_SOURCE=y +CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y +CONFIG_ARCH_HAS_GIGANTIC_PAGE=y 
+CONFIG_ARCH_HAS_KCOV=y +CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y +CONFIG_ARCH_HAS_MEM_ENCRYPT=y +CONFIG_ARCH_HAS_NMI_SAFE_THIS_CPU_OPS=y +CONFIG_ARCH_HAS_NONLEAF_PMD_YOUNG=y +CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE=y +CONFIG_ARCH_HAS_PARANOID_L1D_FLUSH=y +CONFIG_ARCH_HAS_PKEYS=y +CONFIG_ARCH_HAS_PMEM_API=y +CONFIG_ARCH_HAS_PTE_DEVMAP=y +CONFIG_ARCH_HAS_PTE_SPECIAL=y +CONFIG_ARCH_HAS_SET_DIRECT_MAP=y +CONFIG_ARCH_HAS_SET_MEMORY=y +CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y +CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y +CONFIG_ARCH_HAS_SYNC_CORE_BEFORE_USERMODE=y +CONFIG_ARCH_HAS_SYSCALL_WRAPPER=y +CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE=y +CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y +CONFIG_ARCH_HAS_ZONE_DMA_SET=y +CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y +CONFIG_ARCH_HIBERNATION_POSSIBLE=y +CONFIG_ARCH_MAY_HAVE_PC_FDC=y +CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y +CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y +CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y +CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y +CONFIG_ARCH_MMAP_RND_BITS=28 +CONFIG_ARCH_MMAP_RND_BITS_MAX=32 +CONFIG_ARCH_MMAP_RND_BITS_MIN=28 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8 +CONFIG_ARCH_SELECTS_KEXEC_FILE=y +CONFIG_ARCH_SPARSEMEM_DEFAULT=y +CONFIG_ARCH_SPARSEMEM_ENABLE=y +CONFIG_ARCH_STACKWALK=y +CONFIG_ARCH_SUPPORTS_ACPI=y +CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y +CONFIG_ARCH_SUPPORTS_CFI_CLANG=y +CONFIG_ARCH_SUPPORTS_CRASH_DUMP=y +CONFIG_ARCH_SUPPORTS_CRASH_HOTPLUG=y +CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y +CONFIG_ARCH_SUPPORTS_INT128=y +CONFIG_ARCH_SUPPORTS_KEXEC_BZIMAGE_VERIFY_SIG=y +CONFIG_ARCH_SUPPORTS_KEXEC_FILE=y +CONFIG_ARCH_SUPPORTS_KEXEC_JUMP=y +CONFIG_ARCH_SUPPORTS_KEXEC_PURGATORY=y +CONFIG_ARCH_SUPPORTS_KEXEC_SIG_FORCE=y +CONFIG_ARCH_SUPPORTS_KEXEC_SIG=y +CONFIG_ARCH_SUPPORTS_KEXEC=y +CONFIG_ARCH_SUPPORTS_KMAP_LOCAL_FORCE_MAP=y +CONFIG_ARCH_SUPPORTS_LTO_CLANG_THIN=y +CONFIG_ARCH_SUPPORTS_LTO_CLANG=y +CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y +CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y 
+CONFIG_ARCH_SUPPORTS_PAGE_TABLE_CHECK=y +CONFIG_ARCH_SUPPORTS_PER_VMA_LOCK=y +CONFIG_ARCH_SUPPORTS_UPROBES=y +CONFIG_ARCH_SUSPEND_POSSIBLE=y +CONFIG_ARCH_USE_BUILTIN_BSWAP=y +CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y +CONFIG_ARCH_USE_MEMREMAP_PROT=y +CONFIG_ARCH_USE_MEMTEST=y +CONFIG_ARCH_USE_QUEUED_RWLOCKS=y +CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y +CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y +CONFIG_ARCH_USES_PG_UNCACHED=y +CONFIG_ARCH_USE_SYM_ANNOTATIONS=y +CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y +CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=y +CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y +CONFIG_ARCH_WANT_GENERAL_HUGETLB=y +CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y +CONFIG_ARCH_WANT_LD_ORPHAN_WARN=y +CONFIG_ARCH_WANT_OLD_COMPAT_IPC=y +CONFIG_ARCH_WANT_OPTIMIZE_DAX_VMEMMAP=y +CONFIG_ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP=y +CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y +CONFIG_ARCH_WANTS_NO_INSTR=y +CONFIG_ARCH_WANTS_THP_SWAP=y +CONFIG_AS_AVX512=y +CONFIG_AS_GFNI=y +CONFIG_AS_HAS_NON_CONST_LEB128=y +CONFIG_AS_IS_GNU=y +CONFIG_ASM_MODVERSIONS=y +CONFIG_ASN1=y +CONFIG_AS_SHA1_NI=y +CONFIG_AS_SHA256_NI=y +CONFIG_ASSOCIATIVE_ARRAY=y +CONFIG_AS_TPAUSE=y +CONFIG_AS_VERSION=24200 +CONFIG_AS_WRUSS=y +CONFIG_ASYMMETRIC_KEY_TYPE=y +CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y +CONFIG_ASYNC_CORE=m +CONFIG_ASYNC_MEMCPY=m +CONFIG_ASYNC_PQ=m +CONFIG_ASYNC_RAID6_RECOV=m +CONFIG_ASYNC_XOR=m +CONFIG_ATA_ACPI=y +CONFIG_ATA_BMDMA=y +CONFIG_ATA_FORCE=y +CONFIG_ATA_PIIX=y +CONFIG_ATA_SFF=y +CONFIG_ATA_VERBOSE_ERROR=y +CONFIG_ATA=y +CONFIG_ATM_DRIVERS=y +CONFIG_ATM=y +CONFIG_AUDIT_ARCH=y +CONFIG_AUDITSYSCALL=y +CONFIG_AUDIT=y +CONFIG_AUTOFS_FS=y +CONFIG_AUXILIARY_BUS=y +CONFIG_AX88796B_PHY=m +CONFIG_BACKLIGHT_CLASS_DEVICE=y +CONFIG_BALLOON_COMPACTION=y +CONFIG_BASE_FULL=y +CONFIG_BASE_SMALL=0 +CONFIG_BCMA_POSSIBLE=y +CONFIG_BE2NET_BE2=y +CONFIG_BE2NET_BE3=y +CONFIG_BE2NET_HWMON=y +CONFIG_BE2NET_LANCER=y +CONFIG_BE2NET=m +CONFIG_BE2NET_SKYHAWK=y +CONFIG_BFQ_GROUP_IOSCHED=y +CONFIG_BINARY_PRINTF=y +CONFIG_BINFMT_ELF=y +CONFIG_BINFMT_MISC=m 
+CONFIG_BINFMT_SCRIPT=y +CONFIG_BITREVERSE=y +CONFIG_BLK_CGROUP_PUNT_BIO=y +CONFIG_BLK_CGROUP_RWSTAT=y +CONFIG_BLK_CGROUP=y +CONFIG_BLK_DEBUG_FS=y +CONFIG_BLK_DEV_BSG_COMMON=y +CONFIG_BLK_DEV_BSGLIB=y +CONFIG_BLK_DEV_BSG=y +CONFIG_BLK_DEV_DM_BUILTIN=y +CONFIG_BLK_DEV_DM=y +CONFIG_BLK_DEV_INITRD=y +CONFIG_BLK_DEV_IO_TRACE=y +CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 +CONFIG_BLK_DEV_LOOP=y +CONFIG_BLK_DEV_MD=y +CONFIG_BLK_DEV_NBD=m +CONFIG_BLK_DEV_NVME=m +CONFIG_BLK_DEV_RBD=y +CONFIG_BLK_DEV_SD=y +CONFIG_BLK_DEV_SR=y +CONFIG_BLK_DEV_THROTTLING=y +CONFIG_BLK_DEV=y +CONFIG_BLK_ICQ=y +CONFIG_BLK_MQ_PCI=y +CONFIG_BLK_MQ_STACKING=y +CONFIG_BLK_MQ_VIRTIO=y +CONFIG_BLK_PM=y +CONFIG_BLOCK_HOLDER_DEPRECATED=y +CONFIG_BLOCK_LEGACY_AUTOLOAD=y +CONFIG_BLOCK=y +CONFIG_BNX2=m +CONFIG_BNX2X=m +CONFIG_BNX2X_SRIOV=y +CONFIG_BNXT_FLOWER_OFFLOAD=y +CONFIG_BNXT_HWMON=y +CONFIG_BNXT=m +CONFIG_BNXT_SRIOV=y +CONFIG_BONDING=y +CONFIG_BOOT_VESA_SUPPORT=y +CONFIG_BPF_EVENTS=y +CONFIG_BPF_JIT_ALWAYS_ON=y +CONFIG_BPF_JIT_DEFAULT_ON=y +CONFIG_BPF_JIT=y +CONFIG_BPF_LSM=y +CONFIG_BPF_STREAM_PARSER=y +CONFIG_BPF_SYSCALL=y +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y +CONFIG_BPF=y +CONFIG_BQL=y +CONFIG_BRANCH_PROFILE_NONE=y +CONFIG_BRIDGE_EBT_802_3=y +CONFIG_BRIDGE_EBT_AMONG=y +CONFIG_BRIDGE_EBT_ARPREPLY=y +CONFIG_BRIDGE_EBT_ARP=y +CONFIG_BRIDGE_EBT_BROUTE=y +CONFIG_BRIDGE_EBT_DNAT=y +CONFIG_BRIDGE_EBT_IP6=y +CONFIG_BRIDGE_EBT_IP=y +CONFIG_BRIDGE_EBT_LIMIT=y +CONFIG_BRIDGE_EBT_LOG=y +CONFIG_BRIDGE_EBT_MARK_T=y +CONFIG_BRIDGE_EBT_MARK=y +CONFIG_BRIDGE_EBT_NFLOG=y +CONFIG_BRIDGE_EBT_PKTTYPE=y +CONFIG_BRIDGE_EBT_REDIRECT=y +CONFIG_BRIDGE_EBT_SNAT=y +CONFIG_BRIDGE_EBT_STP=y +CONFIG_BRIDGE_EBT_T_FILTER=y +CONFIG_BRIDGE_EBT_T_NAT=y +CONFIG_BRIDGE_EBT_VLAN=y +CONFIG_BRIDGE_IGMP_SNOOPING=y +CONFIG_BRIDGE_NETFILTER=y +CONFIG_BRIDGE_NF_EBTABLES=y +CONFIG_BRIDGE_VLAN_FILTERING=y +CONFIG_BRIDGE=y +CONFIG_BSD_DISKLABEL=y +CONFIG_BSD_PROCESS_ACCT=y +CONFIG_BTRFS_FS=m +CONFIG_BTRFS_FS_POSIX_ACL=y +CONFIG_BUFFER_HEAD=y 
+CONFIG_BUG_ON_DATA_CORRUPTION=y +CONFIG_BUG=y +CONFIG_BUILD_SALT="" +CONFIG_BUILDTIME_MCOUNT_SORT=y +CONFIG_BUILDTIME_TABLE_SORT=y +CONFIG_CACHESTAT_SYSCALL=y +CONFIG_CALL_DEPTH_TRACKING=y +CONFIG_CALL_PADDING=y +CONFIG_CALL_THUNKS=y +CONFIG_CAVIUM_PTP=m +CONFIG_CC10001_ADC=m +CONFIG_CC_CAN_LINK=y +CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y +CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT=y +CONFIG_CC_HAS_ASM_INLINE=y +CONFIG_CC_HAS_AUTO_VAR_INIT_PATTERN=y +CONFIG_CC_HAS_AUTO_VAR_INIT_ZERO_BARE=y +CONFIG_CC_HAS_AUTO_VAR_INIT_ZERO=y +CONFIG_CC_HAS_ENTRY_PADDING=y +CONFIG_CC_HAS_IBT=y +CONFIG_CC_HAS_INT128=y +CONFIG_CC_HAS_KASAN_GENERIC=y +CONFIG_CC_HAS_NAMED_AS_FIXED_SANITIZERS=y +CONFIG_CC_HAS_NAMED_AS=y +CONFIG_CC_HAS_NO_PROFILE_FN_ATTR=y +CONFIG_CC_HAS_RETURN_THUNK=y +CONFIG_CC_HAS_SANCOV_TRACE_PC=y +CONFIG_CC_HAS_SANE_STACKPROTECTOR=y +CONFIG_CC_HAS_SLS=y +CONFIG_CC_HAS_WORKING_NOSANITIZE_ADDRESS=y +CONFIG_CC_HAS_ZERO_CALL_USED_REGS=y +CONFIG_CC_IMPLICIT_FALLTHROUGH="-Wimplicit-fallthrough=5" +CONFIG_CC_IS_GCC=y +CONFIG_CC_NO_ARRAY_BOUNDS=y +CONFIG_CC_NO_STRINGOP_OVERFLOW=y +CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y +CONFIG_CCS811=m +CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.3.0" +CONFIG_CDROM=y +CONFIG_CEPH_FS_POSIX_ACL=y +CONFIG_CEPH_FS=y +CONFIG_CEPH_LIB=y +CONFIG_CFS_BANDWIDTH=y +CONFIG_CGROUP_BPF=y +CONFIG_CGROUP_CPUACCT=y +CONFIG_CGROUP_DEVICE=y +CONFIG_CGROUP_FREEZER=y +CONFIG_CGROUP_HUGETLB=y +CONFIG_CGROUP_MISC=y +CONFIG_CGROUP_NET_CLASSID=y +CONFIG_CGROUP_NET_PRIO=y +CONFIG_CGROUP_PERF=y +CONFIG_CGROUP_PIDS=y +CONFIG_CGROUP_SCHED=y +CONFIG_CGROUPS=y +CONFIG_CGROUP_WRITEBACK=y +CONFIG_CHECK_SIGNATURE=y +CONFIG_CHELSIO_INLINE_CRYPTO=y +CONFIG_CHELSIO_IPSEC_INLINE=m +CONFIG_CHELSIO_T1=m +CONFIG_CHELSIO_T3=m +CONFIG_CHELSIO_T4=m +CONFIG_CHELSIO_T4VF=m +CONFIG_CHR_DEV_SG=y +CONFIG_CIFS_ALLOW_INSECURE_LEGACY=y +CONFIG_CIFS_DEBUG=y +CONFIG_CIFS_DFS_UPCALL=y +CONFIG_CIFS_UPCALL=y +CONFIG_CIFS_XATTR=y +CONFIG_CIFS=y +CONFIG_CLANG_VERSION=0 +CONFIG_CLKBLD_I8253=y +CONFIG_CLKEVT_I8253=y 
+CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y +CONFIG_CLOCKSOURCE_WATCHDOG_MAX_SKEW_US=100 +CONFIG_CLOCKSOURCE_WATCHDOG=y +CONFIG_CLZ_TAB=y +CONFIG_COMMON_CLK=y +CONFIG_COMPACTION=y +CONFIG_COMPACT_UNEVICTABLE_DEFAULT=1 +CONFIG_COMPAT_32BIT_TIME=y +CONFIG_COMPAT_32=y +CONFIG_COMPAT_BINFMT_ELF=y +CONFIG_COMPAT_FOR_U64_ALIGNMENT=y +CONFIG_COMPAT_OLD_SIGACTION=y +CONFIG_COMPAT=y +CONFIG_CONFIGFS_FS=y +CONFIG_CONNECTOR=y +CONFIG_CONSOLE_LOGLEVEL_DEFAULT=7 +CONFIG_CONSOLE_LOGLEVEL_QUIET=4 +CONFIG_CONSOLE_TRANSLATIONS=y +CONFIG_CONTEXT_SWITCH_TRACER=y +CONFIG_CONTEXT_TRACKING_IDLE=y +CONFIG_CONTEXT_TRACKING=y +CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y +CONFIG_COREDUMP=y +CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL=y +CONFIG_CPU_FREQ_GOV_ATTR_SET=y +CONFIG_CPU_FREQ_GOV_COMMON=y +CONFIG_CPU_FREQ_GOV_ONDEMAND=y +CONFIG_CPU_FREQ_GOV_PERFORMANCE=y +CONFIG_CPU_FREQ_GOV_SCHEDUTIL=y +CONFIG_CPU_FREQ_GOV_USERSPACE=y +CONFIG_CPU_FREQ=y +CONFIG_CPU_IBPB_ENTRY=y +CONFIG_CPU_IBRS_ENTRY=y +CONFIG_CPU_IDLE_GOV_HALTPOLL=y +CONFIG_CPU_IDLE_GOV_MENU=y +CONFIG_CPU_IDLE=y +CONFIG_CPU_ISOLATION=y +CONFIG_CPU_MITIGATIONS=y +CONFIG_CPU_RMAP=y +CONFIG_CPUSETS=y +CONFIG_CPU_SRSO=y +CONFIG_CPU_SUP_AMD=y +CONFIG_CPU_SUP_CENTAUR=y +CONFIG_CPU_SUP_HYGON=y +CONFIG_CPU_SUP_INTEL=y +CONFIG_CPU_SUP_ZHAOXIN=y +CONFIG_CPU_UNRET_ENTRY=y +CONFIG_CRASH_CORE=y +CONFIG_CRASH_DUMP=y +CONFIG_CRASH_HOTPLUG=y +CONFIG_CRASH_MAX_MEMORY_RANGES=8192 +CONFIG_CRC16=y +CONFIG_CRC32_SLICEBY8=y +CONFIG_CRC32=y +CONFIG_CRC8=y +CONFIG_CRC_CCITT=y +CONFIG_CRC_ITU_T=y +CONFIG_CROSS_MEMORY_ATTACH=y +CONFIG_CRYPTO_ACOMP2=y +CONFIG_CRYPTO_ADIANTUM=y +CONFIG_CRYPTO_AEAD2=y +CONFIG_CRYPTO_AEAD=y +CONFIG_CRYPTO_AES_NI_INTEL=y +CONFIG_CRYPTO_AES=y +CONFIG_CRYPTO_AKCIPHER2=y +CONFIG_CRYPTO_AKCIPHER=y +CONFIG_CRYPTO_ALGAPI2=y +CONFIG_CRYPTO_ALGAPI=y +CONFIG_CRYPTO_ARC4=y +CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S=y +CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=y +CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519=y +CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=y 
+CONFIG_CRYPTO_AUTHENC=y +CONFIG_CRYPTO_BLAKE2B=m +CONFIG_CRYPTO_BLAKE2S_X86=y +CONFIG_CRYPTO_CBC=y +CONFIG_CRYPTO_CCM=y +CONFIG_CRYPTO_CHACHA20_X86_64=y +CONFIG_CRYPTO_CHACHA20=y +CONFIG_CRYPTO_CMAC=y +CONFIG_CRYPTO_CRC32C=y +CONFIG_CRYPTO_CRC32C_INTEL=y +CONFIG_CRYPTO_CRC32=y +CONFIG_CRYPTO_CRYPTD=y +CONFIG_CRYPTO_CTR=y +CONFIG_CRYPTO_CURVE25519_X86=y +CONFIG_CRYPTO_DEFLATE=y +CONFIG_CRYPTO_DES=y +CONFIG_CRYPTO_DEV_VIRTIO=y +CONFIG_CRYPTO_DH_RFC7919_GROUPS=y +CONFIG_CRYPTO_DH=y +CONFIG_CRYPTO_DRBG_HMAC=y +CONFIG_CRYPTO_DRBG_MENU=y +CONFIG_CRYPTO_DRBG=y +CONFIG_CRYPTO_ECB=y +CONFIG_CRYPTO_ECHAINIV=y +CONFIG_CRYPTO_ENGINE=y +CONFIG_CRYPTO_ESSIV=y +CONFIG_CRYPTO_GCM=y +CONFIG_CRYPTO_GENIV=y +CONFIG_CRYPTO_GHASH=y +CONFIG_CRYPTO_HASH2=y +CONFIG_CRYPTO_HASH_INFO=y +CONFIG_CRYPTO_HASH=y +CONFIG_CRYPTO_HMAC=y +CONFIG_CRYPTO_HW=y +CONFIG_CRYPTO_JITTERENTROPY=y +CONFIG_CRYPTO_KPP2=y +CONFIG_CRYPTO_KPP=y +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_ARC4=y +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +CONFIG_CRYPTO_LIB_CHACHA20POLY1305=y +CONFIG_CRYPTO_LIB_CHACHA_GENERIC=y +CONFIG_CRYPTO_LIB_CHACHA=y +CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=y +CONFIG_CRYPTO_LIB_CURVE25519=y +CONFIG_CRYPTO_LIB_DES=y +CONFIG_CRYPTO_LIB_GF128MUL=y +CONFIG_CRYPTO_LIB_POLY1305_GENERIC=y +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 +CONFIG_CRYPTO_LIB_POLY1305=y +CONFIG_CRYPTO_LIB_SHA1=y +CONFIG_CRYPTO_LIB_SHA256=y +CONFIG_CRYPTO_LIB_UTILS=y +CONFIG_CRYPTO_LZO=y +CONFIG_CRYPTO_MANAGER2=y +CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y +CONFIG_CRYPTO_MANAGER=y +CONFIG_CRYPTO_MD4=y +CONFIG_CRYPTO_MD5=y +CONFIG_CRYPTO_NHPOLY1305_AVX2=y +CONFIG_CRYPTO_NHPOLY1305_SSE2=y +CONFIG_CRYPTO_NHPOLY1305=y +CONFIG_CRYPTO_NULL2=y +CONFIG_CRYPTO_NULL=y +CONFIG_CRYPTO_POLY1305_X86_64=y +CONFIG_CRYPTO_RNG2=y +CONFIG_CRYPTO_RNG_DEFAULT=y +CONFIG_CRYPTO_RNG=y +CONFIG_CRYPTO_RSA=y +CONFIG_CRYPTO_SEQIV=y +CONFIG_CRYPTO_SHA1=y +CONFIG_CRYPTO_SHA256=y +CONFIG_CRYPTO_SHA3=y +CONFIG_CRYPTO_SHA512=y +CONFIG_CRYPTO_SIG2=y +CONFIG_CRYPTO_SIG=y 
+CONFIG_CRYPTO_SIMD=y +CONFIG_CRYPTO_SKCIPHER2=y +CONFIG_CRYPTO_SKCIPHER=y +CONFIG_CRYPTO_USER_API_AEAD=y +CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE=y +CONFIG_CRYPTO_USER_API_HASH=y +CONFIG_CRYPTO_USER_API_SKCIPHER=y +CONFIG_CRYPTO_USER_API=y +CONFIG_CRYPTO_XTS=y +CONFIG_CRYPTO_XXHASH=m +CONFIG_CRYPTO=y +CONFIG_CRYPTO_ZSTD=m +CONFIG_DAX=y +CONFIG_DCACHE_WORD_ACCESS=y +CONFIG_DCA=y +CONFIG_DCB=y +CONFIG_DEBUG_BOOT_PARAMS=y +CONFIG_DEBUG_BUGVERBOSE=y +CONFIG_DEBUG_ENTRY=y +CONFIG_DEBUG_FS_ALLOW_ALL=y +CONFIG_DEBUG_FS=y +CONFIG_DEBUG_INFO_BTF_MODULES=y +CONFIG_DEBUG_INFO_BTF=y +CONFIG_DEBUG_INFO_COMPRESSED_NONE=y +CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y +CONFIG_DEBUG_INFO=y +CONFIG_DEBUG_KERNEL=y +CONFIG_DEBUG_LIST=y +CONFIG_DEBUG_MISC=y +CONFIG_DEBUG_WX=y +CONFIG_DECOMPRESS_BZIP2=y +CONFIG_DECOMPRESS_GZIP=y +CONFIG_DECOMPRESS_LZ4=y +CONFIG_DECOMPRESS_LZMA=y +CONFIG_DECOMPRESS_LZO=y +CONFIG_DECOMPRESS_XZ=y +CONFIG_DECOMPRESS_ZSTD=y +CONFIG_DEFAULT_CUBIC=y +CONFIG_DEFAULT_FQ_CODEL=y +CONFIG_DEFAULT_HOSTNAME="(none)" +CONFIG_DEFAULT_INIT="" +CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 +CONFIG_DEFAULT_NET_SCH="fq_codel" +CONFIG_DEFAULT_PFIFO_FAST=y +CONFIG_DEFAULT_SECURITY_DAC=y +CONFIG_DEFAULT_SECURITY_APPARMOR=y +CONFIG_DEFAULT_TCP_CONG="cubic" +CONFIG_DEVPORT=y +CONFIG_DEVTMPFS=y +CONFIG_DEVTMPFS_MOUNT=y +CONFIG_DIMLIB=y +CONFIG_DMA_ACPI=y +CONFIG_DMADEVICES=y +CONFIG_DMA_ENGINE_RAID=y +CONFIG_DMA_ENGINE=y +CONFIG_DMA_OPS=y +CONFIG_DMAR_TABLE=y +CONFIG_DMA_SHARED_BUFFER=y +CONFIG_DM_AUDIT=y +CONFIG_DMA_VIRTUAL_CHANNELS=y +CONFIG_DM_BIO_PRISON=m +CONFIG_DM_BUFIO=y +CONFIG_DM_CACHE=m +CONFIG_DM_CACHE_SMQ=m +CONFIG_DM_CLONE=m +CONFIG_DM_CRYPT=y +CONFIG_DM_DELAY=m +CONFIG_DM_DUST=m +CONFIG_DM_EBS=m +CONFIG_DM_ERA=m +CONFIG_DM_FLAKEY=m +CONFIG_DMIID=y +CONFIG_DM_INTEGRITY=m +CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y +CONFIG_DMI=y +CONFIG_DM_LOG_USERSPACE=m +CONFIG_DM_LOG_WRITES=m +CONFIG_DM_MIRROR=y +CONFIG_DM_MULTIPATH_HST=m +CONFIG_DM_MULTIPATH_IOA=m +CONFIG_DM_MULTIPATH=m 
+CONFIG_DM_MULTIPATH_QL=m +CONFIG_DM_MULTIPATH_ST=m +CONFIG_DM_PERSISTENT_DATA=m +CONFIG_DM_RAID=m +CONFIG_DM_SNAPSHOT=y +CONFIG_DM_SWITCH=m +CONFIG_DM_THIN_PROVISIONING=m +CONFIG_DM_UNSTRIPED=m +CONFIG_DM_VDO=m +CONFIG_DM_VERITY=m +CONFIG_DM_WRITECACHE=m +CONFIG_DM_ZERO=y +CONFIG_DM_ZONED=m +CONFIG_DNOTIFY=y +CONFIG_DNS_RESOLVER=y +CONFIG_DQL=y +CONFIG_DST_CACHE=y +CONFIG_DUMMY_CONSOLE_COLUMNS=80 +CONFIG_DUMMY_CONSOLE_ROWS=25 +CONFIG_DUMMY_CONSOLE=y +CONFIG_DUMMY=y +CONFIG_DW_DMAC_CORE=y +CONFIG_DYNAMIC_EVENTS=y +CONFIG_DYNAMIC_FTRACE_WITH_ARGS=y +CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y +CONFIG_DYNAMIC_FTRACE_WITH_REGS=y +CONFIG_DYNAMIC_FTRACE=y +CONFIG_DYNAMIC_MEMORY_LAYOUT=y +CONFIG_DYNAMIC_SIGFRAME=y +CONFIG_E1000E_HWTS=y +CONFIG_E1000E=m +CONFIG_E1000=m +CONFIG_EARLY_PRINTK_DBGP=y +CONFIG_EARLY_PRINTK_USB=y +CONFIG_EARLY_PRINTK=y +CONFIG_ECRYPT_FS=m +CONFIG_EDAC_ATOMIC_SCRUB=y +CONFIG_EDAC_DECODE_MCE=y +CONFIG_EDAC_LEGACY_SYSFS=y +CONFIG_EDAC_SUPPORT=y +CONFIG_EDAC=y +CONFIG_EFI_BOOTLOADER_CONTROL=m +CONFIG_EFI_CAPSULE_LOADER=m +CONFIG_EFI_COCO_SECRET=y +CONFIG_EFI_CUSTOM_SSDT_OVERLAYS=y +CONFIG_EFI_DEV_PATH_PARSER=y +CONFIG_EFI_DXE_MEM_ATTRIBUTES=y +CONFIG_EFI_EARLYCON=y +CONFIG_EFI_ESRT=y +CONFIG_EFI_HANDOVER_PROTOCOL=y +CONFIG_EFI_MIXED=y +CONFIG_EFI_PARTITION=y +CONFIG_EFI_RUNTIME_MAP=y +CONFIG_EFI_RUNTIME_WRAPPERS=y +CONFIG_EFI_SECRET=m +CONFIG_EFI_SOFT_RESERVE=y +CONFIG_EFI_STUB=y +CONFIG_EFIVAR_FS=y +CONFIG_EFI_VARS_PSTORE=m +CONFIG_EFI=y +CONFIG_ELF_CORE=y +CONFIG_ELFCORE=y +CONFIG_ENA_ETHERNET=y +CONFIG_ENCLOSURE_SERVICES=y +CONFIG_ENCRYPTED_KEYS=m +CONFIG_ENIC=m +CONFIG_EPOLL=y +CONFIG_EROFS_FS_POSIX_ACL=y +CONFIG_EROFS_FS_SECURITY=y +CONFIG_EROFS_FS_XATTR=y +CONFIG_EROFS_FS=y +CONFIG_EROFS_FS_ZIP=y +CONFIG_EROFS_FS_ZIP_ZSTD=y +CONFIG_ETHERNET=y +CONFIG_ETHTOOL_NETLINK=y +CONFIG_EVENTFD=y +CONFIG_EVENT_TRACING=y +CONFIG_EXCLUSIVE_SYSTEM_RAM=y +CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8" +CONFIG_EXFAT_FS=m +CONFIG_EXPERT=y +CONFIG_EXPORTFS=y 
+CONFIG_EXT4_FS_POSIX_ACL=y +CONFIG_EXT4_FS_SECURITY=y +CONFIG_EXT4_FS=y +CONFIG_EXT4_USE_FOR_EXT2=y +CONFIG_EXTRA_FIRMWARE="" +CONFIG_FAILOVER=y +CONFIG_FAIR_GROUP_SCHED=y +CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y +CONFIG_FANOTIFY=y +CONFIG_FAT_DEFAULT_CODEPAGE=437 +CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1" +CONFIG_FAT_FS=y +CONFIG_FHANDLE=y +CONFIG_FIB_RULES=y +CONFIG_FILE_LOCKING=y +CONFIG_FIRMWARE_MEMMAP=y +CONFIG_FIX_EARLYCON_MEM=y +CONFIG_FIXED_PHY=y +CONFIG_FONT_8x16=y +CONFIG_FONT_SUPPORT=y +CONFIG_FONTS=y +CONFIG_FONT_TER16x32=y +CONFIG_FORCEDETH=y +CONFIG_FORTIFY_SOURCE=y +CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y +CONFIG_FRAMEBUFFER_CONSOLE=y +CONFIG_FRAME_WARN=2048 +CONFIG_FREEZER=y +CONFIG_FS_ENCRYPTION_ALGS=m +CONFIG_FS_ENCRYPTION=y +CONFIG_FS_IOMAP=y +CONFIG_FS_MBCACHE=y +CONFIG_FSNOTIFY=y +CONFIG_FS_POSIX_ACL=y +CONFIG_FTRACE_MCOUNT_RECORD=y +CONFIG_FTRACE_MCOUNT_USE_CC=y +CONFIG_FTRACE_SYSCALLS=y +CONFIG_FTRACE=y +CONFIG_FUNCTION_ALIGNMENT=16 +CONFIG_FUNCTION_ALIGNMENT_16B=y +CONFIG_FUNCTION_ALIGNMENT_4B=y +CONFIG_FUNCTION_ERROR_INJECTION=y +CONFIG_FUNCTION_GRAPH_TRACER=y +CONFIG_FUNCTION_PADDING_BYTES=16 +CONFIG_FUNCTION_PADDING_CFI=11 +CONFIG_FUNCTION_TRACER=y +CONFIG_FUSE_FS=y +CONFIG_FUTEX_PI=y +CONFIG_FUTEX=y +CONFIG_FW_ATTR_CLASS=m +CONFIG_FW_CACHE=y +CONFIG_FW_CFG_SYSFS=m +CONFIG_FW_CS_DSP=m +CONFIG_FW_LOADER_COMPRESS=y +CONFIG_FW_LOADER_COMPRESS_ZSTD=y +CONFIG_FW_LOADER_DEBUG=y +CONFIG_FW_LOADER_PAGED_BUF=y +CONFIG_FW_LOADER_SYSFS=y +CONFIG_FW_LOADER_USER_HELPER=y +CONFIG_FW_LOADER=y +CONFIG_FW_UPLOAD=y +CONFIG_FWNODE_MDIO=y +CONFIG_GCC10_NO_ARRAY_BOUNDS=y +CONFIG_GCC_ASM_GOTO_OUTPUT_WORKAROUND=y +CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y +CONFIG_GCC_PLUGIN_STACKLEAK=y +CONFIG_GCC_PLUGINS=y +CONFIG_GCC_VERSION=130200 +CONFIG_GENERIC_ALLOCATOR=y +CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y +CONFIG_GENERIC_BUG=y +CONFIG_GENERIC_CALIBRATE_DELAY=y +CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y +CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y +CONFIG_GENERIC_CLOCKEVENTS=y 
+CONFIG_GENERIC_CMOS_UPDATE=y +CONFIG_GENERIC_CPU_AUTOPROBE=y +CONFIG_GENERIC_CPU_VULNERABILITIES=y +CONFIG_GENERIC_CPU=y +CONFIG_GENERIC_EARLY_IOREMAP=y +CONFIG_GENERIC_ENTRY=y +CONFIG_GENERIC_GETTIMEOFDAY=y +CONFIG_GENERIC_IOMAP=y +CONFIG_GENERIC_IRQ_EFFECTIVE_AFF_MASK=y +CONFIG_GENERIC_IRQ_MATRIX_ALLOCATOR=y +CONFIG_GENERIC_IRQ_MIGRATION=y +CONFIG_GENERIC_IRQ_PROBE=y +CONFIG_GENERIC_IRQ_RESERVATION_MODE=y +CONFIG_GENERIC_IRQ_SHOW=y +CONFIG_GENERIC_ISA_DMA=y +CONFIG_GENERIC_MSI_IRQ=y +CONFIG_GENERIC_NET_UTILS=y +CONFIG_GENERIC_PCI_IOMAP=y +CONFIG_GENERIC_PENDING_IRQ=y +CONFIG_GENERIC_PTDUMP=y +CONFIG_GENERIC_SMP_IDLE_THREAD=y +CONFIG_GENERIC_STRNCPY_FROM_USER=y +CONFIG_GENERIC_STRNLEN_USER=y +CONFIG_GENERIC_TIME_VSYSCALL=y +CONFIG_GENERIC_TRACER=y +CONFIG_GENERIC_VDSO_TIME_NS=y +CONFIG_GENEVE=y +CONFIG_GLOB=y +CONFIG_GRACE_PERIOD=y +CONFIG_GRO_CELLS=y +CONFIG_GUEST_PERF_EVENTS=y +CONFIG_GVE=m +CONFIG_HALTPOLL_CPUIDLE=y +CONFIG_HARDENED_USERCOPY=y +CONFIG_HARDIRQS_SW_RESEND=y +CONFIG_HARDLOCKUP_CHECK_TIMESTAMP=y +CONFIG_HAS_DMA=y +CONFIG_HAS_IOMEM=y +CONFIG_HAS_IOPORT_MAP=y +CONFIG_HAS_IOPORT=y +CONFIG_HAVE_ACPI_APEI_NMI=y +CONFIG_HAVE_ACPI_APEI=y +CONFIG_HAVE_ALIGNED_STRUCT_PAGE=y +CONFIG_HAVE_ARCH_AUDITSYSCALL=y +CONFIG_HAVE_ARCH_COMPAT_MMAP_BASES=y +CONFIG_HAVE_ARCH_HUGE_VMALLOC=y +CONFIG_HAVE_ARCH_HUGE_VMAP=y +CONFIG_HAVE_ARCH_JUMP_LABEL_RELATIVE=y +CONFIG_HAVE_ARCH_JUMP_LABEL=y +CONFIG_HAVE_ARCH_KASAN_VMALLOC=y +CONFIG_HAVE_ARCH_KASAN=y +CONFIG_HAVE_ARCH_KCSAN=y +CONFIG_HAVE_ARCH_KFENCE=y +CONFIG_HAVE_ARCH_KGDB=y +CONFIG_HAVE_ARCH_KMSAN=y +CONFIG_HAVE_ARCH_MMAP_RND_BITS=y +CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y +CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y +CONFIG_HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET=y +CONFIG_HAVE_ARCH_SECCOMP_FILTER=y +CONFIG_HAVE_ARCH_SECCOMP=y +CONFIG_HAVE_ARCH_SOFT_DIRTY=y +CONFIG_HAVE_ARCH_STACKLEAK=y +CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y +CONFIG_HAVE_ARCH_TRACEHOOK=y +CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD=y 
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y +CONFIG_HAVE_ARCH_VMAP_STACK=y +CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y +CONFIG_HAVE_ASM_MODVERSIONS=y +CONFIG_HAVE_BUILDTIME_MCOUNT_SORT=y +CONFIG_HAVE_CALL_THUNKS=y +CONFIG_HAVE_CLK_PREPARE=y +CONFIG_HAVE_CLK=y +CONFIG_HAVE_CMPXCHG_DOUBLE=y +CONFIG_HAVE_CMPXCHG_LOCAL=y +CONFIG_HAVE_CONTEXT_TRACKING_USER_OFFSTACK=y +CONFIG_HAVE_CONTEXT_TRACKING_USER=y +CONFIG_HAVE_C_RECORDMCOUNT=y +CONFIG_HAVE_DEBUG_KMEMLEAK=y +CONFIG_HAVE_DMA_CONTIGUOUS=y +CONFIG_HAVE_DYNAMIC_FTRACE_NO_PATCHABLE=y +CONFIG_HAVE_DYNAMIC_FTRACE_WITH_ARGS=y +CONFIG_HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y +CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y +CONFIG_HAVE_DYNAMIC_FTRACE=y +CONFIG_HAVE_EBPF_JIT=y +CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y +CONFIG_HAVE_EISA=y +CONFIG_HAVE_EXIT_THREAD=y +CONFIG_HAVE_FAST_GUP=y +CONFIG_HAVE_FENTRY=y +CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y +CONFIG_HAVE_FUNCTION_ARG_ACCESS_API=y +CONFIG_HAVE_FUNCTION_ERROR_INJECTION=y +CONFIG_HAVE_FUNCTION_GRAPH_RETVAL=y +CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y +CONFIG_HAVE_FUNCTION_TRACER=y +CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_HAVE_GENERIC_VDSO=y +CONFIG_HAVE_HARDLOCKUP_DETECTOR_BUDDY=y +CONFIG_HAVE_HARDLOCKUP_DETECTOR_PERF=y +CONFIG_HAVE_HW_BREAKPOINT=y +CONFIG_HAVE_IMA_KEXEC=y +CONFIG_HAVE_INTEL_TXT=y +CONFIG_HAVE_IOREMAP_PROT=y +CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y +CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y +CONFIG_HAVE_JUMP_LABEL_HACK=y +CONFIG_HAVE_KCSAN_COMPILER=y +CONFIG_HAVE_KERNEL_BZIP2=y +CONFIG_HAVE_KERNEL_GZIP=y +CONFIG_HAVE_KERNEL_LZ4=y +CONFIG_HAVE_KERNEL_LZMA=y +CONFIG_HAVE_KERNEL_LZO=y +CONFIG_HAVE_KERNEL_XZ=y +CONFIG_HAVE_KERNEL_ZSTD=y +CONFIG_HAVE_KPROBES_ON_FTRACE=y +CONFIG_HAVE_KPROBES=y +CONFIG_HAVE_KRETPROBES=y +CONFIG_HAVE_KVM_CPU_RELAX_INTERCEPT=y +CONFIG_HAVE_KVM_DIRTY_RING_ACQ_REL=y +CONFIG_HAVE_KVM_DIRTY_RING_TSO=y +CONFIG_HAVE_KVM_DIRTY_RING=y +CONFIG_HAVE_KVM_EVENTFD=y +CONFIG_HAVE_KVM_IRQ_BYPASS=y +CONFIG_HAVE_KVM_IRQCHIP=y +CONFIG_HAVE_KVM_IRQFD=y +CONFIG_HAVE_KVM_IRQ_ROUTING=y 
+CONFIG_HAVE_KVM_MSI=y +CONFIG_HAVE_KVM_NO_POLL=y +CONFIG_HAVE_KVM_PFNCACHE=y +CONFIG_HAVE_KVM_PM_NOTIFIER=y +CONFIG_HAVE_KVM=y +CONFIG_HAVE_LIVEPATCH=y +CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y +CONFIG_HAVE_MMIOTRACE_SUPPORT=y +CONFIG_HAVE_MOD_ARCH_SPECIFIC=y +CONFIG_HAVE_MOVE_PMD=y +CONFIG_HAVE_MOVE_PUD=y +CONFIG_HAVE_NMI=y +CONFIG_HAVE_NOINSTR_HACK=y +CONFIG_HAVE_NOINSTR_VALIDATION=y +CONFIG_HAVE_OBJTOOL_MCOUNT=y +CONFIG_HAVE_OBJTOOL_NOP_MCOUNT=y +CONFIG_HAVE_OBJTOOL=y +CONFIG_HAVE_OPTPROBES=y +CONFIG_HAVE_PCI=y +CONFIG_HAVE_PCSPKR_PLATFORM=y +CONFIG_HAVE_PERF_EVENTS_NMI=y +CONFIG_HAVE_PERF_EVENTS=y +CONFIG_HAVE_PERF_REGS=y +CONFIG_HAVE_PERF_USER_STACK_DUMP=y +CONFIG_HAVE_POSIX_CPU_TIMERS_TASK_WORK=y +CONFIG_HAVE_PREEMPT_DYNAMIC_CALL=y +CONFIG_HAVE_PREEMPT_DYNAMIC=y +CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y +CONFIG_HAVE_RELIABLE_STACKTRACE=y +CONFIG_HAVE_RETHOOK=y +CONFIG_HAVE_RSEQ=y +CONFIG_HAVE_RUST=y +CONFIG_HAVE_SAMPLE_FTRACE_DIRECT_MULTI=y +CONFIG_HAVE_SAMPLE_FTRACE_DIRECT=y +CONFIG_HAVE_SETUP_PER_CPU_AREA=y +CONFIG_HAVE_SOFTIRQ_ON_OWN_STACK=y +CONFIG_HAVE_STACKPROTECTOR=y +CONFIG_HAVE_STACK_VALIDATION=y +CONFIG_HAVE_STATIC_CALL_INLINE=y +CONFIG_HAVE_STATIC_CALL=y +CONFIG_HAVE_SYSCALL_TRACEPOINTS=y +CONFIG_HAVE_UACCESS_VALIDATION=y +CONFIG_HAVE_UID16=y +CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y +CONFIG_HAVE_USER_RETURN_NOTIFIER=y +CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y +CONFIG_HDMI=y +CONFIG_HIBERNATE_CALLBACKS=y +CONFIG_HID_A4TECH=m +CONFIG_HID_APPLE=m +CONFIG_HID_BELKIN=m +CONFIG_HID_CHERRY=m +CONFIG_HID_CHICONY=m +CONFIG_HID_CORSAIR=m +CONFIG_HID_CYPRESS=m +CONFIG_HID_EZKEY=m +CONFIG_HID_GENERIC=y +CONFIG_HID_GYRATION=m +CONFIG_HID_ITE=m +CONFIG_HID_KENSINGTON=m +CONFIG_HID_LENOVO=m +CONFIG_HID_LOGITECH_DJ=m +CONFIG_HID_LOGITECH_HIDPP=m +CONFIG_HID_LOGITECH=m +CONFIG_HID_MICROSOFT=m +CONFIG_HID_MONTEREY=m +CONFIG_HID_PANTHERLORD=m +CONFIG_HID_PETALYNX=m +CONFIG_HIDRAW=y +CONFIG_HID_REDRAGON=y +CONFIG_HID_ROCCAT=y +CONFIG_HID_SAMSUNG=m +CONFIG_HID_SUNPLUS=m 
+CONFIG_HID_SUPPORT=y +CONFIG_HID_TOPSEED=m +CONFIG_HID=y +CONFIG_HIGH_RES_TIMERS=y +CONFIG_HMM_MIRROR=y +CONFIG_HOTPLUG_CORE_SYNC_DEAD=y +CONFIG_HOTPLUG_CORE_SYNC_FULL=y +CONFIG_HOTPLUG_CORE_SYNC=y +CONFIG_HOTPLUG_CPU=y +CONFIG_HOTPLUG_PARALLEL=y +CONFIG_HOTPLUG_PCI_ACPI=y +CONFIG_HOTPLUG_PCI_PCIE=y +CONFIG_HOTPLUG_PCI=y +CONFIG_HOTPLUG_SMT=y +CONFIG_HOTPLUG_SPLIT_STARTUP=y +CONFIG_HPET_EMULATE_RTC=y +CONFIG_HPET_TIMER=y +CONFIG_HPET=y +CONFIG_HP_ILO=m +CONFIG_HSA_AMD=y +CONFIG_HSR=y +CONFIG_HSU_DMA=y +CONFIG_HUGETLBFS=y +CONFIG_HUGETLB_PAGE_OPTIMIZE_VMEMMAP=y +CONFIG_HUGETLB_PAGE=y +CONFIG_HVC_DRIVER=y +CONFIG_HVC_IRQ=y +CONFIG_HVC_XEN_FRONTEND=y +CONFIG_HVC_XEN=y +CONFIG_HW_CONSOLE=y +CONFIG_HWMON=y +CONFIG_HW_RANDOM_TPM=y +CONFIG_HW_RANDOM_VIA=y +CONFIG_HW_RANDOM_VIRTIO=y +CONFIG_HW_RANDOM=y +CONFIG_HYPERV_BALLOON=y +CONFIG_HYPERV_IOMMU=y +CONFIG_HYPERVISOR_GUEST=y +CONFIG_HYPERV_KEYBOARD=y +CONFIG_HYPERV_NET=y +CONFIG_HYPERV_STORAGE=y +CONFIG_HYPERV_TIMER=y +CONFIG_HYPERV_UTILS=y +CONFIG_HYPERV_VSOCKETS=y +CONFIG_HYPERV=y +CONFIG_HZ=250 +CONFIG_HZ_250=y +CONFIG_I2C_ALGOBIT=m +CONFIG_I2C_BOARDINFO=y +CONFIG_I2C_COMPAT=y +CONFIG_I2C_HELPER_AUTO=y +CONFIG_I2C_HID=y +CONFIG_I2C_I801=m +CONFIG_I2C_SMBUS=m +CONFIG_I2C=y +CONFIG_I40E=m +CONFIG_I40EVF=m +CONFIG_I6300ESB_WDT=m +CONFIG_I8253_LOCK=y +CONFIG_IA32_EMULATION=y +CONFIG_IA32_FEAT_CTL=y +CONFIG_IAVF=m +CONFIG_ICE_HWTS=y +CONFIG_ICE=m +CONFIG_ICE_SWITCHDEV=y +CONFIG_IGB_DCA=y +CONFIG_IGB_HWMON=y +CONFIG_IGB=m +CONFIG_IGBVF=m +CONFIG_IGC=m +CONFIG_IKCONFIG_PROC=y +CONFIG_IKCONFIG=y +CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 +CONFIG_IMA_APPRAISE_BOOTPARAM=y +CONFIG_IMA_APPRAISE=y +CONFIG_IMA_ARCH_POLICY=y +CONFIG_IMA_DEFAULT_HASH="sha512" +CONFIG_IMA_DEFAULT_HASH_SHA512=y +CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng" +CONFIG_IMA_LSM_RULES=y +CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y +CONFIG_IMA_MEASURE_PCR_IDX=10 +CONFIG_IMA_NG_TEMPLATE=y +CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y +CONFIG_IMA_READ_POLICY=y 
+CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y +CONFIG_IMA_WRITE_POLICY=y +CONFIG_IMA=y +CONFIG_INET6_AH=y +CONFIG_INET6_ESP_OFFLOAD=y +CONFIG_INET6_ESP=y +CONFIG_INET6_IPCOMP=y +CONFIG_INET6_TUNNEL=y +CONFIG_INET6_XFRM_TUNNEL=y +CONFIG_INET_AH=y +CONFIG_INET_ESP=y +CONFIG_INET_IPCOMP=y +CONFIG_INET_TABLE_PERTURB_ORDER=16 +CONFIG_INET_TUNNEL=y +CONFIG_INET_XFRM_TUNNEL=y +CONFIG_INET=y +CONFIG_INFINIBAND_ADDR_TRANS_CONFIGFS=y +CONFIG_INFINIBAND_ADDR_TRANS=y +CONFIG_INFINIBAND_IPOIB_DEBUG=y +CONFIG_INFINIBAND_IPOIB=y +CONFIG_INFINIBAND_VIRT_DMA=y +CONFIG_INFINIBAND=y +CONFIG_INIT_ENV_ARG_LIMIT=32 +CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y +CONFIG_INITRAMFS_PRESERVE_MTIME=y +CONFIG_INITRAMFS_SOURCE="" +CONFIG_INIT_STACK_ALL_ZERO=y +CONFIG_INLINE_READ_UNLOCK_IRQ=y +CONFIG_INLINE_READ_UNLOCK=y +CONFIG_INLINE_SPIN_UNLOCK_IRQ=y +CONFIG_INLINE_WRITE_UNLOCK_IRQ=y +CONFIG_INLINE_WRITE_UNLOCK=y +CONFIG_INOTIFY_USER=y +CONFIG_INPUT_EVDEV=y +CONFIG_INPUT_FF_MEMLESS=y +CONFIG_INPUT_JOYSTICK=y +CONFIG_INPUT_KEYBOARD=y +CONFIG_INPUT_LEDS=y +CONFIG_INPUT_MISC=y +CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024 +CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768 +CONFIG_INPUT_MOUSEDEV=y +CONFIG_INPUT_MOUSE=y +CONFIG_INPUT_SPARSEKMAP=y +CONFIG_INPUT_TABLET=y +CONFIG_INPUT_TOUCHSCREEN=y +CONFIG_INPUT_VIVALDIFMAP=y +CONFIG_INPUT_XEN_KBDDEV_FRONTEND=y +CONFIG_INPUT=y +CONFIG_INSTRUCTION_DECODER=y +CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y +CONFIG_INTEGRITY_AUDIT=y +CONFIG_INTEGRITY_PLATFORM_KEYRING=y +CONFIG_INTEGRITY_SIGNATURE=y +CONFIG_INTEGRITY_TRUSTED_KEYRING=y +CONFIG_INTEGRITY=y +CONFIG_INTEL_GTT=y +CONFIG_INTEL_IDLE=y +CONFIG_INTEL_IOATDMA=y +CONFIG_INTEL_IOMMU_DEFAULT_ON=y +CONFIG_INTEL_IOMMU_FLOPPY_WA=y +CONFIG_INTEL_IOMMU_PERF_EVENTS=y +CONFIG_INTEL_IOMMU_SVM=y +CONFIG_INTEL_IOMMU=y +CONFIG_INTEL_PMC_CORE=m +CONFIG_INTEL_TCC=y +CONFIG_INTERVAL_TREE=y +CONFIG_IO_DELAY_0X80=y +CONFIG_IOMMU_API=y +CONFIG_IOMMU_DEFAULT_DMA_STRICT=y +CONFIG_IOMMU_DMA=y +CONFIG_IOMMU_IO_PGTABLE=y +CONFIG_IOMMU_IOVA=y +CONFIG_IOMMU_SUPPORT=y 
+CONFIG_IOMMU_SVA=y +CONFIG_IOSCHED_BFQ=y +CONFIG_IOSF_MBI=y +CONFIG_IO_URING=y +CONFIG_IO_WQ=y +CONFIG_IP6_NF_FILTER=y +CONFIG_IP6_NF_IPTABLES=y +CONFIG_IP6_NF_MANGLE=y +CONFIG_IP6_NF_MATCH_AH=y +CONFIG_IP6_NF_MATCH_EUI64=y +CONFIG_IP6_NF_MATCH_FRAG=y +CONFIG_IP6_NF_MATCH_HL=y +CONFIG_IP6_NF_MATCH_IPV6HEADER=y +CONFIG_IP6_NF_MATCH_MH=y +CONFIG_IP6_NF_MATCH_OPTS=y +CONFIG_IP6_NF_MATCH_RPFILTER=y +CONFIG_IP6_NF_MATCH_RT=y +CONFIG_IP6_NF_NAT=y +CONFIG_IP6_NF_RAW=y +CONFIG_IP6_NF_SECURITY=y +CONFIG_IP6_NF_TARGET_HL=y +CONFIG_IP6_NF_TARGET_REJECT=y +CONFIG_IP6_NF_TARGET_SYNPROXY=y +CONFIG_IP_ADVANCED_ROUTER=y +CONFIG_IPC_NS=y +CONFIG_IP_DCCP_CCID3=y +CONFIG_IP_DCCP_TFRC_LIB=y +CONFIG_IP_DCCP=y +CONFIG_IPMI_DEVICE_INTERFACE=y +CONFIG_IPMI_DMI_DECODE=y +CONFIG_IPMI_HANDLER=y +CONFIG_IPMI_PLAT_DATA=y +CONFIG_IPMI_POWEROFF=y +CONFIG_IPMI_SI=y +CONFIG_IPMI_WATCHDOG=m +CONFIG_IP_MROUTE_COMMON=y +CONFIG_IP_MROUTE=y +CONFIG_IP_MULTICAST=y +CONFIG_IP_MULTIPLE_TABLES=y +CONFIG_IP_NF_FILTER=y +CONFIG_IP_NF_IPTABLES=y +CONFIG_IP_NF_MANGLE=y +CONFIG_IP_NF_MATCH_RPFILTER=y +CONFIG_IP_NF_NAT=y +CONFIG_IP_NF_RAW=y +CONFIG_IP_NF_TARGET_MASQUERADE=y +CONFIG_IP_NF_TARGET_NETMAP=y +CONFIG_IP_NF_TARGET_REDIRECT=y +CONFIG_IP_NF_TARGET_REJECT=y +CONFIG_IP_PIMSM_V1=y +CONFIG_IP_PIMSM_V2=y +CONFIG_IP_PNP_BOOTP=y +CONFIG_IP_PNP_DHCP=y +CONFIG_IP_PNP_RARP=y +CONFIG_IP_PNP=y +CONFIG_IP_ROUTE_CLASSID=y +CONFIG_IP_ROUTE_MULTIPATH=y +CONFIG_IP_ROUTE_VERBOSE=y +CONFIG_IP_SCTP=y +CONFIG_IP_SET_BITMAP_IPMAC=y +CONFIG_IP_SET_BITMAP_IP=y +CONFIG_IP_SET_BITMAP_PORT=y +CONFIG_IP_SET_HASH_IPMAC=y +CONFIG_IP_SET_HASH_IPMARK=y +CONFIG_IP_SET_HASH_IPPORTIP=y +CONFIG_IP_SET_HASH_IPPORTNET=y +CONFIG_IP_SET_HASH_IPPORT=y +CONFIG_IP_SET_HASH_IP=y +CONFIG_IP_SET_HASH_MAC=y +CONFIG_IP_SET_HASH_NETIFACE=y +CONFIG_IP_SET_HASH_NETNET=y +CONFIG_IP_SET_HASH_NETPORTNET=y +CONFIG_IP_SET_HASH_NETPORT=y +CONFIG_IP_SET_HASH_NET=y +CONFIG_IP_SET_LIST_SET=y +CONFIG_IP_SET_MAX=256 +CONFIG_IP_SET=y +CONFIG_IPV6_FOU_TUNNEL=y 
+CONFIG_IPV6_FOU=y +CONFIG_IPV6_ILA=y +CONFIG_IPV6_MIP6=y +CONFIG_IPV6_MULTIPLE_TABLES=y +CONFIG_IPV6_NDISC_NODETYPE=y +CONFIG_IPV6_ROUTE_INFO=y +CONFIG_IPV6_ROUTER_PREF=y +CONFIG_IPV6_SIT=y +CONFIG_IPV6_TUNNEL=y +CONFIG_IPV6=y +CONFIG_IPVLAN_L3S=y +CONFIG_IPVLAN=y +CONFIG_IP_VS_IPV6=y +CONFIG_IP_VS_LC=y +CONFIG_IP_VS_MH_TAB_INDEX=12 +CONFIG_IP_VS_NFCT=y +CONFIG_IP_VS_PROTO_TCP=y +CONFIG_IP_VS_PROTO_UDP=y +CONFIG_IP_VS_RR=y +CONFIG_IP_VS_SH_TAB_BITS=8 +CONFIG_IP_VS_SH=y +CONFIG_IP_VS_TAB_BITS=12 +CONFIG_IP_VS_WRR=y +CONFIG_IP_VS=y +CONFIG_IRQ_BYPASS_MANAGER=y +CONFIG_IRQ_DOMAIN_HIERARCHY=y +CONFIG_IRQ_DOMAIN=y +CONFIG_IRQ_FORCED_THREADING=y +CONFIG_IRQ_MSI_IOMMU=y +CONFIG_IRQ_POLL=y +CONFIG_IRQ_REMAP=y +CONFIG_IRQ_WORK=y +CONFIG_ISA_DMA_API=y +CONFIG_ISCSI_TCP=y +CONFIG_ISO9660_FS=y +CONFIG_ITCO_VENDOR_SUPPORT=y +CONFIG_ITCO_WDT=m +CONFIG_IXGBE_DCA=y +CONFIG_IXGBE_HWMON=y +CONFIG_IXGBE_IPSEC=y +CONFIG_IXGBE=m +CONFIG_IXGBEVF_IPSEC=y +CONFIG_IXGBEVF=m +CONFIG_JBD2=y +CONFIG_JOLIET=y +CONFIG_JUMP_LABEL=y +CONFIG_KALLSYMS_ABSOLUTE_PERCPU=y +CONFIG_KALLSYMS_BASE_RELATIVE=y +CONFIG_KALLSYMS=y +CONFIG_KARMA_PARTITION=y +CONFIG_KCMP=y +CONFIG_KERNEL_ZSTD=y +CONFIG_KERNFS=y +CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y +CONFIG_KEXEC_CORE=y +CONFIG_KEXEC_FILE=y +CONFIG_KEXEC_SIG=y +CONFIG_KEYBOARD_ATKBD=y +CONFIG_KEYS=y +CONFIG_KFENCE_NUM_OBJECTS=255 +CONFIG_KFENCE_SAMPLE_INTERVAL=100 +CONFIG_KFENCE_STRESS_TEST_FAULTS=0 +CONFIG_KFENCE=y +CONFIG_KPROBE_EVENTS=y +CONFIG_KPROBES_ON_FTRACE=y +CONFIG_KPROBES=y +CONFIG_KRETPROBE_ON_RETHOOK=y +CONFIG_KRETPROBES=y +CONFIG_KVM_AMD=y +CONFIG_KVM_AMD_SEV=y +CONFIG_KVM_ASYNC_PF=y +CONFIG_KVM_COMPAT=y +CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT=y +CONFIG_KVM_GENERIC_HARDWARE_ENABLING=y +CONFIG_KVM_GUEST=y +CONFIG_KVM_INTEL=y +CONFIG_KVM_MMIO=y +CONFIG_KVM_SMM=y +CONFIG_KVM_VFIO=y +CONFIG_KVM_WERROR=y +CONFIG_KVM_XFER_TO_GUEST_WORK=y +CONFIG_KVM=y +CONFIG_L2TP=y +CONFIG_LAPB=y +CONFIG_LD_IS_BFD=y +CONFIG_LD_ORPHAN_WARN_LEVEL="warn" 
+CONFIG_LD_ORPHAN_WARN=y +CONFIG_LD_VERSION=24200 +CONFIG_LEDS_CLASS=y +CONFIG_LEDS_TRIGGERS=y +CONFIG_LEGACY_DIRECT_IO=y +CONFIG_LEGACY_VSYSCALL_NONE=y +CONFIG_LIBCRC32C=y +CONFIG_LINEAR_RANGES=y +CONFIG_LIST_HARDENED=y +CONFIG_LLC2=y +CONFIG_LLC=y +CONFIG_LLD_VERSION=0 +CONFIG_LOAD_UEFI_KEYS=y +#CONFIG_LOCALVERSION="-patagia" +CONFIG_LOCK_DEBUGGING_SUPPORT=y +CONFIG_LOCKDEP_SUPPORT=y +CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y +CONFIG_LOCKD_V4=y +CONFIG_LOCKD=y +CONFIG_LOCK_MM_AND_FIND_VMA=y +CONFIG_LOCK_SPIN_ON_OWNER=y +CONFIG_LOG_BUF_SHIFT=18 +CONFIG_LOG_CPU_MAX_BUF_SHIFT=12 +CONFIG_LOGITECH_FF=y +CONFIG_LOGIWHEELS_FF=y +CONFIG_LOGO_LINUX_CLUT224=y +CONFIG_LOGO=y +CONFIG_LPC_ICH=m +CONFIG_LRU_CACHE=m +CONFIG_LRU_GEN_ENABLED=y +CONFIG_LRU_GEN_WALKS_MMU=y +CONFIG_LRU_GEN=y +CONFIG_LSM="yama,loadpin,safesetid,integrity,bpf,apparmor" +CONFIG_LTO_NONE=y +CONFIG_LWTUNNEL_BPF=y +CONFIG_LWTUNNEL=y +CONFIG_LZ4_COMPRESS=m +CONFIG_LZ4_DECOMPRESS=y +CONFIG_LZ4HC_COMPRESS=m +CONFIG_LZO_COMPRESS=y +CONFIG_LZO_DECOMPRESS=y +CONFIG_MAC80211_STA_HASH_MAX_SIZE=0 +CONFIG_MAC_PARTITION=y +CONFIG_MACVLAN=y +CONFIG_MACVTAP=y +CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x0 +CONFIG_MAGIC_SYSRQ_SERIAL_SEQUENCE="" +CONFIG_MAGIC_SYSRQ_SERIAL=y +CONFIG_MAGIC_SYSRQ=y +CONFIG_MAILBOX=y +CONFIG_MARVELL_10G_PHY=y +CONFIG_MARVELL_PHY=y +CONFIG_MAX_SKB_FRAGS=17 +CONFIG_MD_AUTODETECT=y +CONFIG_MD_BITMAP_FILE=y +CONFIG_MDIO_BUS=y +CONFIG_MDIO_DEVICE=y +CONFIG_MDIO_DEVRES=y +CONFIG_MDIO=m +CONFIG_MD_RAID0=y +CONFIG_MD_RAID10=y +CONFIG_MD_RAID1=y +CONFIG_MD_RAID456=m +CONFIG_MD=y +CONFIG_MEGARAID_SAS=m +CONFIG_MEMBARRIER=y +CONFIG_MEMCG_KMEM=y +CONFIG_MEMCG=y +CONFIG_MEMFD_CREATE=y +CONFIG_MEMORY_BALLOON=y +CONFIG_MEMORY_FAILURE=y +CONFIG_MEMORY_HOTPLUG=y +CONFIG_MEMORY_HOTREMOVE=y +CONFIG_MEMORY_ISOLATION=y +CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4 +CONFIG_MFD_CORE=m +CONFIG_MFD_INTEL_PMC_BXT=m +CONFIG_MICROCODE=y +CONFIG_MIGRATION=y +CONFIG_MII=m +CONFIG_MINIX_SUBPARTITION=y +CONFIG_MISC_FILESYSTEMS=y 
+CONFIG_MITIGATION_RFDS=y +CONFIG_MITIGATION_SPECTRE_BHI=y +CONFIG_MLX4_CORE_GEN2=y +CONFIG_MLX4_CORE=m +CONFIG_MLX4_DEBUG=y +CONFIG_MLX4_EN_DCB=y +CONFIG_MLX4_EN=m +CONFIG_MLX4_INFINIBAND=m +CONFIG_MLX5_BRIDGE=y +CONFIG_MLX5_CORE_EN_DCB=y +CONFIG_MLX5_CORE_EN=y +CONFIG_MLX5_CORE_IPOIB=y +CONFIG_MLX5_CORE=m +CONFIG_MLX5_EN_ARFS=y +CONFIG_MLX5_EN_RXNFC=y +CONFIG_MLX5_ESWITCH=y +CONFIG_MLX5_FPGA=y +CONFIG_MLX5_INFINIBAND=m +CONFIG_MLX5_MPFS=y +CONFIG_MLX5_SW_STEERING=y +CONFIG_MLXFW=m +CONFIG_MLXSW_CORE_HWMON=y +CONFIG_MLXSW_CORE=m +CONFIG_MLXSW_CORE_THERMAL=y +CONFIG_MLXSW_I2C=m +CONFIG_MLXSW_MINIMAL=m +CONFIG_MLXSW_PCI=m +CONFIG_MLXSW_SPECTRUM_DCB=y +CONFIG_MLXSW_SPECTRUM=m +CONFIG_MMC_BLOCK_MINORS=32 +CONFIG_MMC_BLOCK=y +CONFIG_MMC_CQHCI=y +CONFIG_MMCONF_FAM10H=y +CONFIG_MMC_RICOH_MMC=y +CONFIG_MMC_SDHCI_ACPI=m +CONFIG_MMC_SDHCI_F_SDH30=m +CONFIG_MMC_SDHCI_IO_ACCESSORS=y +CONFIG_MMC_SDHCI_PCI=m +CONFIG_MMC_SDHCI_PLTFM=m +CONFIG_MMC_SDHCI_XENON=m +CONFIG_MMC_SDHCI=y +CONFIG_MMC=y +CONFIG_MMU_GATHER_MERGE_VMAS=y +CONFIG_MMU_GATHER_RCU_TABLE_FREE=y +CONFIG_MMU_GATHER_TABLE_FREE=y +CONFIG_MMU_LAZY_TLB_REFCOUNT=y +CONFIG_MMU_NOTIFIER=y +CONFIG_MMU=y +CONFIG_MODPROBE_PATH="/sbin/modprobe" +CONFIG_MODULE_COMPRESS_ZSTD=y +CONFIG_MODULE_FORCE_UNLOAD=y +CONFIG_MODULE_SIG_ALL=y +CONFIG_MODULE_SIG_FORCE=y +CONFIG_MODULE_SIG_FORMAT=y +CONFIG_MODULE_SIG_HASH="sha512" +CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" +CONFIG_MODULE_SIG_KEY_TYPE_RSA=y +CONFIG_MODULE_SIG_SHA512=y +CONFIG_MODULE_SIG=y +CONFIG_MODULE_SRCVERSION_ALL=y +CONFIG_MODULE_UNLOAD=y +CONFIG_MODULES_TREE_LOOKUP=y +CONFIG_MODULES_USE_ELF_RELA=y +CONFIG_MODULES=y +CONFIG_MODVERSIONS=y +CONFIG_MPILIB=y +CONFIG_MPLS=y +CONFIG_MQ_IOSCHED_DEADLINE=y +CONFIG_MQ_IOSCHED_KYBER=y +CONFIG_MSDOS_FS=y +CONFIG_MSDOS_PARTITION=y +CONFIG_MTRR=y +CONFIG_MULTIUSER=y +CONFIG_MUTEX_SPIN_ON_OWNER=y +CONFIG_NAMESPACES=y +CONFIG_NEED_DMA_MAP_STATE=y +CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y +CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y 
+CONFIG_NEED_SG_DMA_FLAGS=y +CONFIG_NEED_SG_DMA_LENGTH=y +CONFIG_NET_ACT_BPF=y +CONFIG_NET_ACT_CSUM=y +CONFIG_NET_ACT_GACT=y +CONFIG_NET_ACT_IFE=y +CONFIG_NET_ACT_IPT=y +CONFIG_NET_ACT_MIRRED=y +CONFIG_NET_ACT_NAT=y +CONFIG_NET_ACT_PEDIT=y +CONFIG_NET_ACT_POLICE=y +CONFIG_NET_ACT_SAMPLE=y +CONFIG_NET_ACT_SIMP=y +CONFIG_NET_ACT_SKBEDIT=y +CONFIG_NET_ACT_SKBMOD=y +CONFIG_NET_ACT_TUNNEL_KEY=y +CONFIG_NET_ACT_VLAN=y +CONFIG_NET_CLS_ACT=y +CONFIG_NET_CLS_BASIC=y +CONFIG_NET_CLS_BPF=y +CONFIG_NET_CLS_CGROUP=y +CONFIG_NET_CLS_FLOWER=y +CONFIG_NET_CLS_FLOW=y +CONFIG_NET_CLS_FW=y +CONFIG_NET_CLS_MATCHALL=y +CONFIG_NET_CLS_ROUTE4=y +CONFIG_NET_CLS_U32=y +CONFIG_NET_CLS=y +CONFIG_NETCONSOLE=y +CONFIG_NET_CORE=y +CONFIG_NETDEVICES=y +CONFIG_NET_DEVLINK=y +CONFIG_NET_DSA=y +CONFIG_NET_EGRESS=y +CONFIG_NET_EMATCH_CMP=y +CONFIG_NET_EMATCH_IPSET=y +CONFIG_NET_EMATCH_META=y +CONFIG_NET_EMATCH_NBYTE=y +CONFIG_NET_EMATCH_STACK=32 +CONFIG_NET_EMATCH_TEXT=y +CONFIG_NET_EMATCH_U32=y +CONFIG_NET_EMATCH=y +CONFIG_NET_FAILOVER=y +CONFIG_NETFILTER_ADVANCED=y +CONFIG_NETFILTER_BPF_LINK=y +CONFIG_NETFILTER_CONNCOUNT=y +CONFIG_NETFILTER_EGRESS=y +CONFIG_NETFILTER_FAMILY_BRIDGE=y +CONFIG_NETFILTER_INGRESS=y +CONFIG_NETFILTER_NETLINK_ACCT=y +CONFIG_NETFILTER_NETLINK_GLUE_CT=y +CONFIG_NETFILTER_NETLINK_LOG=y +CONFIG_NETFILTER_NETLINK_OSF=y +CONFIG_NETFILTER_NETLINK_QUEUE=y +CONFIG_NETFILTER_NETLINK=y +CONFIG_NETFILTER_SKIP_EGRESS=y +CONFIG_NETFILTER_SYNPROXY=y +CONFIG_NETFILTER_XTABLES_COMPAT=y +CONFIG_NETFILTER_XTABLES=y +CONFIG_NETFILTER_XT_CONNMARK=y +CONFIG_NETFILTER_XT_MARK=y +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y +CONFIG_NETFILTER_XT_MATCH_BPF=y +CONFIG_NETFILTER_XT_MATCH_CGROUP=y +CONFIG_NETFILTER_XT_MATCH_CLUSTER=y +CONFIG_NETFILTER_XT_MATCH_COMMENT=y +CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y +CONFIG_NETFILTER_XT_MATCH_CONNLABEL=y +CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y +CONFIG_NETFILTER_XT_MATCH_CONNMARK=y +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y +CONFIG_NETFILTER_XT_MATCH_CPU=y 
+CONFIG_NETFILTER_XT_MATCH_DCCP=y +CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y +CONFIG_NETFILTER_XT_MATCH_DSCP=y +CONFIG_NETFILTER_XT_MATCH_ECN=y +CONFIG_NETFILTER_XT_MATCH_ESP=y +CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y +CONFIG_NETFILTER_XT_MATCH_HELPER=y +CONFIG_NETFILTER_XT_MATCH_HL=y +CONFIG_NETFILTER_XT_MATCH_IPCOMP=y +CONFIG_NETFILTER_XT_MATCH_IPRANGE=y +CONFIG_NETFILTER_XT_MATCH_IPVS=y +CONFIG_NETFILTER_XT_MATCH_L2TP=y +CONFIG_NETFILTER_XT_MATCH_LENGTH=y +CONFIG_NETFILTER_XT_MATCH_LIMIT=y +CONFIG_NETFILTER_XT_MATCH_MAC=y +CONFIG_NETFILTER_XT_MATCH_MARK=y +CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y +CONFIG_NETFILTER_XT_MATCH_NFACCT=y +CONFIG_NETFILTER_XT_MATCH_OSF=y +CONFIG_NETFILTER_XT_MATCH_OWNER=y +CONFIG_NETFILTER_XT_MATCH_PHYSDEV=y +CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y +CONFIG_NETFILTER_XT_MATCH_POLICY=y +CONFIG_NETFILTER_XT_MATCH_QUOTA=y +CONFIG_NETFILTER_XT_MATCH_RATEEST=y +CONFIG_NETFILTER_XT_MATCH_REALM=y +CONFIG_NETFILTER_XT_MATCH_RECENT=y +CONFIG_NETFILTER_XT_MATCH_SCTP=y +CONFIG_NETFILTER_XT_MATCH_SOCKET=y +CONFIG_NETFILTER_XT_MATCH_STATE=y +CONFIG_NETFILTER_XT_MATCH_STATISTIC=y +CONFIG_NETFILTER_XT_MATCH_STRING=y +CONFIG_NETFILTER_XT_MATCH_TCPMSS=y +CONFIG_NETFILTER_XT_MATCH_TIME=y +CONFIG_NETFILTER_XT_MATCH_U32=y +CONFIG_NETFILTER_XT_NAT=y +CONFIG_NETFILTER_XT_SET=y +CONFIG_NETFILTER_XT_TARGET_AUDIT=y +CONFIG_NETFILTER_XT_TARGET_CHECKSUM=y +CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y +CONFIG_NETFILTER_XT_TARGET_CONNMARK=y +CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y +CONFIG_NETFILTER_XT_TARGET_CT=y +CONFIG_NETFILTER_XT_TARGET_DSCP=y +CONFIG_NETFILTER_XT_TARGET_HL=y +CONFIG_NETFILTER_XT_TARGET_HMARK=y +CONFIG_NETFILTER_XT_TARGET_IDLETIMER=y +CONFIG_NETFILTER_XT_TARGET_LED=y +CONFIG_NETFILTER_XT_TARGET_LOG=y +CONFIG_NETFILTER_XT_TARGET_MARK=y +CONFIG_NETFILTER_XT_TARGET_MASQUERADE=y +CONFIG_NETFILTER_XT_TARGET_NETMAP=y +CONFIG_NETFILTER_XT_TARGET_NFLOG=y +CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y +CONFIG_NETFILTER_XT_TARGET_RATEEST=y +CONFIG_NETFILTER_XT_TARGET_REDIRECT=y 
+CONFIG_NETFILTER_XT_TARGET_SECMARK=y +CONFIG_NETFILTER_XT_TARGET_TCPMSS=y +CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=y +CONFIG_NETFILTER_XT_TARGET_TEE=y +CONFIG_NETFILTER_XT_TARGET_TPROXY=y +CONFIG_NETFILTER=y +CONFIG_NET_FLOW_LIMIT=y +CONFIG_NET_FOU_IP_TUNNELS=y +CONFIG_NET_FOU=y +CONFIG_NETFS_SUPPORT=y +CONFIG_NET_HANDSHAKE=y +CONFIG_NET_IFE=y +CONFIG_NET_INGRESS=y +CONFIG_NET_IPGRE_DEMUX=y +CONFIG_NET_IPGRE=m +CONFIG_NET_IPIP=y +CONFIG_NET_IP_TUNNEL=y +CONFIG_NET_L3_MASTER_DEV=y +CONFIG_NETLABEL=y +CONFIG_NETLINK_DIAG=y +CONFIG_NET_MPLS_GSO=y +CONFIG_NET_NCSI=y +CONFIG_NET_NSH=y +CONFIG_NET_NS=y +CONFIG_NET_POLL_CONTROLLER=y +CONFIG_NETPOLL=y +CONFIG_NET_PTP_CLASSIFY=y +CONFIG_NET_RX_BUSY_POLL=y +CONFIG_NET_SCH_CHOKE=y +CONFIG_NET_SCH_CODEL=y +CONFIG_NET_SCH_DEFAULT=y +CONFIG_NET_SCH_DRR=y +CONFIG_NET_SCHED=y +CONFIG_NET_SCH_FIFO=y +CONFIG_NET_SCH_FQ_CODEL=y +CONFIG_NET_SCH_FQ=y +CONFIG_NET_SCH_GRED=y +CONFIG_NET_SCH_HFSC=y +CONFIG_NET_SCH_HHF=y +CONFIG_NET_SCH_HTB=y +CONFIG_NET_SCH_INGRESS=y +CONFIG_NET_SCH_MQPRIO_LIB=y +CONFIG_NET_SCH_MQPRIO=y +CONFIG_NET_SCH_MULTIQ=y +CONFIG_NET_SCH_NETEM=y +CONFIG_NET_SCH_PIE=y +CONFIG_NET_SCH_PLUG=y +CONFIG_NET_SCH_PRIO=y +CONFIG_NET_SCH_QFQ=y +CONFIG_NET_SCH_RED=y +CONFIG_NET_SCH_SFB=y +CONFIG_NET_SCH_SFQ=y +CONFIG_NET_SCH_TBF=y +CONFIG_NET_SCH_TEQL=y +CONFIG_NET_SELFTESTS=y +CONFIG_NET_SOCK_MSG=y +CONFIG_NET_SWITCHDEV=y +CONFIG_NET_TULIP=y +CONFIG_NET_UDP_TUNNEL=y +CONFIG_NET_VENDOR_3COM=y +CONFIG_NET_VENDOR_8390=y +CONFIG_NET_VENDOR_ADAPTEC=y +CONFIG_NET_VENDOR_AGERE=y +CONFIG_NET_VENDOR_ALACRITECH=y +CONFIG_NET_VENDOR_ALTEON=y +CONFIG_NET_VENDOR_AMAZON=y +CONFIG_NET_VENDOR_AMD=y +CONFIG_NET_VENDOR_AQUANTIA=y +CONFIG_NET_VENDOR_ARC=y +CONFIG_NET_VENDOR_ASIX=y +CONFIG_NET_VENDOR_ATHEROS=y +CONFIG_NET_VENDOR_BROADCOM=y +CONFIG_NET_VENDOR_BROCADE=y +CONFIG_NET_VENDOR_CADENCE=y +CONFIG_NET_VENDOR_CAVIUM=y +CONFIG_NET_VENDOR_CHELSIO=y +CONFIG_NET_VENDOR_CISCO=y +CONFIG_NET_VENDOR_CORTINA=y +CONFIG_NET_VENDOR_DAVICOM=y 
+CONFIG_NET_VENDOR_DEC=y +CONFIG_NET_VENDOR_DLINK=y +CONFIG_NET_VENDOR_EMULEX=y +CONFIG_NET_VENDOR_ENGLEDER=y +CONFIG_NET_VENDOR_EZCHIP=y +CONFIG_NET_VENDOR_FUNGIBLE=y +CONFIG_NET_VENDOR_GOOGLE=y +CONFIG_NET_VENDOR_HUAWEI=y +CONFIG_NET_VENDOR_I825XX=y +CONFIG_NET_VENDOR_INTEL=y +CONFIG_NET_VENDOR_LITEX=y +CONFIG_NET_VENDOR_MARVELL=y +CONFIG_NET_VENDOR_MELLANOX=y +CONFIG_NET_VENDOR_MICREL=y +CONFIG_NET_VENDOR_MICROCHIP=y +CONFIG_NET_VENDOR_MICROSEMI=y +CONFIG_NET_VENDOR_MICROSOFT=y +CONFIG_NET_VENDOR_MYRI=y +CONFIG_NET_VENDOR_NATSEMI=y +CONFIG_NET_VENDOR_NETERION=y +CONFIG_NET_VENDOR_NETRONOME=y +CONFIG_NET_VENDOR_NI=y +CONFIG_NET_VENDOR_NVIDIA=y +CONFIG_NET_VENDOR_OKI=y +CONFIG_NET_VENDOR_PACKET_ENGINES=y +CONFIG_NET_VENDOR_PENSANDO=y +CONFIG_NET_VENDOR_QLOGIC=y +CONFIG_NET_VENDOR_QUALCOMM=y +CONFIG_NET_VENDOR_RDC=y +CONFIG_NET_VENDOR_REALTEK=y +CONFIG_NET_VENDOR_RENESAS=y +CONFIG_NET_VENDOR_ROCKER=y +CONFIG_NET_VENDOR_SAMSUNG=y +CONFIG_NET_VENDOR_SEEQ=y +CONFIG_NET_VENDOR_SILAN=y +CONFIG_NET_VENDOR_SIS=y +CONFIG_NET_VENDOR_SMSC=y +CONFIG_NET_VENDOR_SOCIONEXT=y +CONFIG_NET_VENDOR_SOLARFLARE=y +CONFIG_NET_VENDOR_STMICRO=y +CONFIG_NET_VENDOR_SUN=y +CONFIG_NET_VENDOR_SYNOPSYS=y +CONFIG_NET_VENDOR_TEHUTI=y +CONFIG_NET_VENDOR_TI=y +CONFIG_NET_VENDOR_VERTEXCOM=y +CONFIG_NET_VENDOR_VIA=y +CONFIG_NET_VENDOR_WANGXUN=y +CONFIG_NET_VENDOR_WIZNET=y +CONFIG_NET_VENDOR_XILINX=y +CONFIG_NET_VRF=m +CONFIG_NETWORK_FILESYSTEMS=y +CONFIG_NETWORK_SECMARK=y +CONFIG_NETXEN_NIC=m +CONFIG_NET_XGRESS=y +CONFIG_NET=y +CONFIG_NEW_LEDS=y +CONFIG_NF_CONNTRACK_BROADCAST=y +CONFIG_NF_CONNTRACK_EVENTS=y +CONFIG_NF_CONNTRACK_FTP=y +CONFIG_NF_CONNTRACK_LABELS=y +CONFIG_NF_CONNTRACK_MARK=y +CONFIG_NF_CONNTRACK_NETBIOS_NS=y +CONFIG_NF_CONNTRACK_OVS=y +CONFIG_NF_CONNTRACK_PPTP=y +CONFIG_NF_CONNTRACK_PROCFS=y +CONFIG_NF_CONNTRACK_SANE=y +CONFIG_NF_CONNTRACK_SECMARK=y +CONFIG_NF_CONNTRACK_SIP=y +CONFIG_NF_CONNTRACK_SNMP=y +CONFIG_NF_CONNTRACK_TFTP=y +CONFIG_NF_CONNTRACK_TIMEOUT=y 
+CONFIG_NF_CONNTRACK_TIMESTAMP=y +CONFIG_NF_CONNTRACK=y +CONFIG_NF_CONNTRACK_ZONES=y +CONFIG_NF_CT_NETLINK=y +CONFIG_NF_CT_PROTO_GRE=y +CONFIG_NF_CT_PROTO_SCTP=y +CONFIG_NF_DEFRAG_IPV4=y +CONFIG_NF_DEFRAG_IPV6=y +CONFIG_NF_DUP_IPV4=y +CONFIG_NF_DUP_IPV6=y +CONFIG_NF_DUP_NETDEV=y +CONFIG_NF_LOG_ARP=y +CONFIG_NF_LOG_IPV4=y +CONFIG_NF_LOG_IPV6=y +CONFIG_NF_LOG_SYSLOG=y +CONFIG_NF_NAT_FTP=y +CONFIG_NF_NAT_MASQUERADE=y +CONFIG_NF_NAT_OVS=y +CONFIG_NF_NAT_PPTP=y +CONFIG_NF_NAT_REDIRECT=y +CONFIG_NF_NAT_SIP=y +CONFIG_NF_NAT_SNMP_BASIC=y +CONFIG_NF_NAT_TFTP=y +CONFIG_NF_NAT=y +CONFIG_NF_REJECT_IPV4=y +CONFIG_NF_REJECT_IPV6=y +CONFIG_NFS_ACL_SUPPORT=m +CONFIG_NFS_COMMON=y +CONFIG_NFS_DEBUG=y +CONFIG_NFS_DISABLE_UDP_SUPPORT=y +CONFIG_NFSD_LEGACY_CLIENT_TRACKING=y +CONFIG_NFSD=m +CONFIG_NFSD_V3_ACL=y +CONFIG_NFSD_V4_SECURITY_LABEL=y +CONFIG_NFSD_V4=y +CONFIG_NFS_FSCACHE=y +CONFIG_NFS_FS=m +CONFIG_NFS_USE_KERNEL_DNS=y +CONFIG_NFS_V2=m +CONFIG_NFS_V3_ACL=y +CONFIG_NFS_V3=m +CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org" +CONFIG_NFS_V4_1=y +CONFIG_NFS_V4_2_READ_PLUS=y +CONFIG_NFS_V4_2_SSC_HELPER=y +CONFIG_NFS_V4_2=y +CONFIG_NFS_V4=m +CONFIG_NFS_V4_SECURITY_LABEL=y +CONFIG_NF_TABLES_INET=y +CONFIG_NF_TABLES_IPV4=y +CONFIG_NF_TABLES_IPV6=y +CONFIG_NF_TABLES_NETDEV=y +CONFIG_NF_TABLES=y +CONFIG_NFT_COMPAT=y +CONFIG_NFT_CT=y +CONFIG_NFT_DUP_NETDEV=y +CONFIG_NFT_FIB_INET=y +CONFIG_NFT_FIB_IPV4=y +CONFIG_NFT_FIB_IPV6=y +CONFIG_NFT_FIB=y +CONFIG_NFT_FWD_NETDEV=y +CONFIG_NFT_HASH=y +CONFIG_NFT_LIMIT=y +CONFIG_NFT_LOG=y +CONFIG_NFT_MASQ=y +CONFIG_NFT_NAT=y +CONFIG_NFT_NUMGEN=y +CONFIG_NF_TPROXY_IPV4=y +CONFIG_NF_TPROXY_IPV6=y +CONFIG_NFT_QUEUE=y +CONFIG_NFT_QUOTA=y +CONFIG_NFT_REDIR=y +CONFIG_NFT_REJECT_INET=y +CONFIG_NFT_REJECT_IPV4=y +CONFIG_NFT_REJECT_IPV6=y +CONFIG_NFT_REJECT=y +CONFIG_NFT_TPROXY=y +CONFIG_NITRO_ENCLAVES=y +CONFIG_NLATTR=y +CONFIG_NLS_ASCII=y +CONFIG_NLS_CODEPAGE_437=y +CONFIG_NLS_DEFAULT="utf8" +CONFIG_NLS_ISO8859_1=y +CONFIG_NLS_UCS2_UTILS=y 
+CONFIG_NLS_UTF8=y +CONFIG_NLS=y +CONFIG_NODES_SHIFT=6 +CONFIG_NO_HZ_COMMON=y +CONFIG_NO_HZ_IDLE=y +CONFIG_NO_HZ=y +CONFIG_NOP_TRACER=y +CONFIG_NR_CPUS=512 +CONFIG_NR_CPUS_DEFAULT=64 +CONFIG_NR_CPUS_RANGE_BEGIN=2 +CONFIG_NR_CPUS_RANGE_END=512 +CONFIG_NUMA=y +CONFIG_NVME_AUTH=y +CONFIG_NVME_COMMON=y +CONFIG_NVME_CORE=y +CONFIG_NVME_FABRICS=y +CONFIG_NVME_FC=y +CONFIG_NVME_HWMON=y +CONFIG_NVMEM_SYSFS=y +CONFIG_NVME_MULTIPATH=y +CONFIG_NVMEM=y +CONFIG_NVME_RDMA=m +CONFIG_NVME_TARGET_AUTH=y +CONFIG_NVME_TARGET_FC=m +CONFIG_NVME_TARGET_LOOP=m +CONFIG_NVME_TARGET=m +CONFIG_NVME_TARGET_PASSTHRU=y +CONFIG_NVME_TARGET_RDMA=m +CONFIG_NVME_TARGET_TCP=m +CONFIG_NVME_TCP=y +CONFIG_NVRAM=y +CONFIG_OBJAGG=m +CONFIG_OBJTOOL=y +CONFIG_OID_REGISTRY=y +CONFIG_OLD_SIGSUSPEND3=y +CONFIG_OPENVSWITCH_GENEVE=y +CONFIG_OPENVSWITCH_GRE=m +CONFIG_OPENVSWITCH_VXLAN=y +CONFIG_OPENVSWITCH=y +CONFIG_OPTPROBES=y +CONFIG_OSF_PARTITION=y +CONFIG_OUTPUT_FORMAT="elf64-x86-64" +CONFIG_OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW=y +CONFIG_OVERLAY_FS=y +CONFIG_P2SB=y +CONFIG_PACKET=y +CONFIG_PAGE_COUNTER=y +CONFIG_PAGE_POISONING=y +CONFIG_PAGE_POOL=y +CONFIG_PAGE_REPORTING=y +CONFIG_PAGE_SIZE_LESS_THAN_256KB=y +CONFIG_PAGE_SIZE_LESS_THAN_64KB=y +CONFIG_PAGE_TABLE_ISOLATION=y +CONFIG_PAHOLE_HAS_LANG_EXCLUDE=y +CONFIG_PAHOLE_HAS_SPLIT_BTF=y +CONFIG_PAHOLE_VERSION=126 +CONFIG_PANIC_ON_OOPS_VALUE=1 +CONFIG_PANIC_ON_OOPS=y +CONFIG_PANIC_TIMEOUT=-1 +CONFIG_PANTHERLORD_FF=y +CONFIG_PARAVIRT_CLOCK=y +CONFIG_PARAVIRT_XXL=y +CONFIG_PARAVIRT=y +CONFIG_PARMAN=m +CONFIG_PARTITION_ADVANCED=y +CONFIG_PATA_AMD=m +CONFIG_PATA_MARVELL=m +CONFIG_PATA_OLDPIIX=m +CONFIG_PATA_SCH=m +CONFIG_PATA_TIMINGS=y +CONFIG_PCC=y +CONFIG_PCI_ATS=y +CONFIG_PCI_DIRECT=y +CONFIG_PCI_DOMAINS=y +CONFIG_PCIEAER=y +CONFIG_PCIEASPM_DEFAULT=y +CONFIG_PCIEASPM=y +CONFIG_PCIE_BUS_DEFAULT=y +CONFIG_PCIE_PME=y +CONFIG_PCIEPORTBUS=y +CONFIG_PCI_HYPERV_INTERFACE=y +CONFIG_PCI_HYPERV=y +CONFIG_PCI_IOV=y +CONFIG_PCI_LABEL=y +CONFIG_PCI_LOCKLESS_CONFIG=y 
+CONFIG_PCI_MMCONFIG=y +CONFIG_PCI_MSI=y +CONFIG_PCI_PASID=y +CONFIG_PCI_PRI=y +CONFIG_PCI_QUIRKS=y +CONFIG_PCI_XEN=y +CONFIG_PCI=y +CONFIG_PCPU_DEV_REFCNT=y +CONFIG_PCSPKR_PLATFORM=y +CONFIG_PERF_EVENTS_AMD_UNCORE=y +CONFIG_PERF_EVENTS_INTEL_CSTATE=y +CONFIG_PERF_EVENTS_INTEL_RAPL=y +CONFIG_PERF_EVENTS_INTEL_UNCORE=y +CONFIG_PERF_EVENTS=y +CONFIG_PER_VMA_LOCK=y +CONFIG_PGTABLE_LEVELS=4 +CONFIG_PHONET=y +CONFIG_PHYLIB=y +CONFIG_PHYLINK=y +CONFIG_PHYS_ADDR_T_64BIT=y +CONFIG_PHYSICAL_ALIGN=0x200000 +CONFIG_PHYSICAL_START=0x1000000 +CONFIG_PID_NS=y +CONFIG_PKCS7_MESSAGE_PARSER=y +CONFIG_PLDMFW=y +CONFIG_PM_CLK=y +CONFIG_PM_DEBUG=y +CONFIG_PM_SLEEP_DEBUG=y +CONFIG_PM_SLEEP_SMP=y +CONFIG_PM_SLEEP=y +CONFIG_PM_TRACE_RTC=y +CONFIG_PM_TRACE=y +CONFIG_PM=y +CONFIG_PNFS_BLOCK=y +CONFIG_PNFS_FILE_LAYOUT=y +CONFIG_PNFS_FLEXFILE_LAYOUT=y +CONFIG_PNPACPI=y +CONFIG_PNP_DEBUG_MESSAGES=y +CONFIG_PNP=y +CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y +CONFIG_POSIX_MQUEUE_SYSCTL=y +CONFIG_POSIX_MQUEUE=y +CONFIG_POSIX_TIMERS=y +CONFIG_POWER_SUPPLY_HWMON=y +CONFIG_POWER_SUPPLY=y +CONFIG_PPS=y +CONFIG_PREEMPT_NONE_BUILD=y +CONFIG_PREEMPT_NONE=y +CONFIG_PREEMPT_NOTIFIERS=y +CONFIG_PREFIX_SYMBOLS=y +CONFIG_PREVENT_FIRMWARE_BUILD=y +CONFIG_PRINTK_TIME=y +CONFIG_PRINTK=y +CONFIG_PROBE_EVENTS_BTF_ARGS=y +CONFIG_PROBE_EVENTS=y +CONFIG_PROC_CHILDREN=y +CONFIG_PROC_EVENTS=y +CONFIG_PROC_FS=y +CONFIG_PROC_KCORE=y +CONFIG_PROC_PAGE_MONITOR=y +CONFIG_PROC_PID_ARCH_STATUS=y +CONFIG_PROC_PID_CPUSET=y +CONFIG_PROC_SYSCTL=y +CONFIG_PROC_VMCORE=y +CONFIG_PROFILING=y +CONFIG_PROVIDE_OHCI1394_DMA_INIT=y +CONFIG_PSAMPLE=y +CONFIG_PSI=y +CONFIG_PTDUMP_CORE=y +CONFIG_PTP_1588_CLOCK_KVM=y +CONFIG_PTP_1588_CLOCK_OPTIONAL=y +CONFIG_PTP_1588_CLOCK=y +CONFIG_PWM_SYSFS=y +CONFIG_PWM=y +CONFIG_QEDE=m +CONFIG_QED=m +CONFIG_QED_SRIOV=y +CONFIG_QFMT_V2=y +CONFIG_QLCNIC_DCB=y +CONFIG_QLCNIC_HWMON=y +CONFIG_QLCNIC=m +CONFIG_QLCNIC_SRIOV=y +CONFIG_QUEUED_RWLOCKS=y +CONFIG_QUEUED_SPINLOCKS=y +CONFIG_QUOTACTL=y 
+CONFIG_QUOTA_NETLINK_INTERFACE=y +CONFIG_QUOTA_TREE=y +CONFIG_QUOTA=y +CONFIG_R8169=m +CONFIG_RAID6_PQ_BENCHMARK=y +CONFIG_RAID6_PQ=m +CONFIG_RAID_ATTRS=y +CONFIG_RANDOMIZE_BASE=y +CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y +CONFIG_RANDOMIZE_KSTACK_OFFSET=y +CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0x0 +CONFIG_RANDOMIZE_MEMORY=y +CONFIG_RANDSTRUCT_NONE=y +CONFIG_RAS=y +CONFIG_RATIONAL=y +CONFIG_RCU_CPU_STALL_TIMEOUT=21 +CONFIG_RCU_EXP_CPU_STALL_TIMEOUT=0 +CONFIG_RCU_NEED_SEGCBLIST=y +CONFIG_RCU_STALL_COMMON=y +CONFIG_RDMA_RXE=m +CONFIG_RDS=y +CONFIG_RD_XZ=y +CONFIG_RD_ZSTD=y +CONFIG_REALTEK_PHY=y +CONFIG_REGMAP_I2C=y +CONFIG_REGMAP=y +CONFIG_REGULATOR_FIXED_VOLTAGE=y +CONFIG_REGULATOR_MP8859=y +CONFIG_REGULATOR_PWM=y +CONFIG_REGULATOR=y +CONFIG_RELAY=y +CONFIG_RELOCATABLE=y +CONFIG_RESET_ATTACK_MITIGATION=y +CONFIG_RETHOOK=y +CONFIG_RETHUNK=y +CONFIG_RETPOLINE=y +CONFIG_RFS_ACCEL=y +CONFIG_RING_BUFFER=y +CONFIG_ROOT_NFS=y +CONFIG_RPCSEC_GSS_KRB5=y +CONFIG_RPMSG_NS=y +CONFIG_RPMSG_VIRTIO=y +CONFIG_RPMSG=y +CONFIG_RPS=y +CONFIG_RSEQ=y +CONFIG_RTC_CLASS=y +CONFIG_RTC_DRV_CMOS=y +CONFIG_RTC_I2C_AND_SPI=y +CONFIG_RTC_INTF_DEV=y +CONFIG_RTC_INTF_PROC=y +CONFIG_RTC_INTF_SYSFS=y +CONFIG_RTC_LIB=y +CONFIG_RTC_MC146818_LIB=y +CONFIG_RTC_NVMEM=y +CONFIG_RTC_SYSTOHC_DEVICE="rtc0" +CONFIG_RTC_SYSTOHC=y +CONFIG_RT_GROUP_SCHED=y +CONFIG_RT_MUTEXES=y +CONFIG_RUNTIME_TESTING_MENU=y +CONFIG_RWSEM_SPIN_ON_OWNER=y +CONFIG_SATA_AHCI=m +CONFIG_SATA_HOST=y +CONFIG_SATA_MOBILE_LPM_POLICY=0 +CONFIG_SATA_NV=m +CONFIG_SATA_PMP=y +CONFIG_SATA_SIS=y +CONFIG_SATA_SVW=m +CONFIG_SATA_ULI=m +CONFIG_SATA_VIA=m +CONFIG_SATA_VITESSE=m +CONFIG_SBITMAP=y +CONFIG_SCHED_CLUSTER=y +CONFIG_SCHED_CORE=y +CONFIG_SCHED_HRTICK=y +CONFIG_SCHED_INFO=y +CONFIG_SCHED_MC_PRIO=y +CONFIG_SCHED_MC=y +CONFIG_SCHED_MM_CID=y +CONFIG_SCHED_OMIT_FRAME_POINTER=y +CONFIG_SCHED_SMT=y +CONFIG_SCHED_STACK_END_CHECK=y +CONFIG_SCHEDSTATS=y +CONFIG_SCSI_AACRAID=m +CONFIG_SCSI_COMMON=y +CONFIG_SCSI_CONSTANTS=y +CONFIG_SCSI_DMA=y 
+CONFIG_SCSI_ENCLOSURE=y +CONFIG_SCSI_HPSA=m +CONFIG_SCSI_ISCI=m +CONFIG_SCSI_ISCSI_ATTRS=y +CONFIG_SCSI_LOWLEVEL=y +CONFIG_SCSI_MOD=y +CONFIG_SCSI_MPT2SAS_MAX_SGE=128 +CONFIG_SCSI_MPT3SAS=m +CONFIG_SCSI_MPT3SAS_MAX_SGE=128 +CONFIG_SCSI_PMCRAID=m +CONFIG_SCSI_PROC_FS=y +CONFIG_SCSI_SAS_ATA=y +CONFIG_SCSI_SAS_ATTRS=y +CONFIG_SCSI_SAS_HOST_SMP=y +CONFIG_SCSI_SAS_LIBSAS=y +CONFIG_SCSI_SMARTPQI=m +CONFIG_SCSI_SPI_ATTRS=y +CONFIG_SCSI_VIRTIO=y +CONFIG_SCSI=y +CONFIG_SCTP_COOKIE_HMAC_MD5=y +CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5=y +CONFIG_SECCOMP_FILTER=y +CONFIG_SECCOMP=y +CONFIG_SECRETMEM=y +CONFIG_SECTION_MISMATCH_WARN_ONLY=y +CONFIG_SECURITY_APPARMOR_EXPORT_BINARY=y +CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y +CONFIG_SECURITY_APPARMOR_HASH=y +CONFIG_SECURITY_APPARMOR_INTROSPECT_POLICY=y +CONFIG_SECURITY_APPARMOR_PARANOID_LOAD=y +CONFIG_SECURITY_APPARMOR=y +CONFIG_SECURITY_DMESG_RESTRICT=y +CONFIG_SECURITYFS=y +CONFIG_SECURITY_LANDLOCK=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_NETWORK_XFRM=y +CONFIG_SECURITY_NETWORK=y +CONFIG_SECURITY_PATH=y +CONFIG_SECURITY=y +CONFIG_SECURITY_YAMA=y +CONFIG_SENSORS_ACPI_POWER=y +CONFIG_SENSORS_CORETEMP=y +CONFIG_SENSORS_DRIVETEMP=y +CONFIG_SENSORS_FAM15H_POWER=m +CONFIG_SENSORS_I5500=m +CONFIG_SENSORS_I5K_AMB=m +CONFIG_SENSORS_K10TEMP=m +CONFIG_SENSORS_K8TEMP=m +CONFIG_SENSORS_NCT6683=y +CONFIG_SERIAL_8250_CONSOLE=y +CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y +CONFIG_SERIAL_8250_DETECT_IRQ=y +CONFIG_SERIAL_8250_DMA=y +CONFIG_SERIAL_8250_DWLIB=y +CONFIG_SERIAL_8250_EXAR=y +CONFIG_SERIAL_8250_EXTENDED=y +CONFIG_SERIAL_8250_LPSS=y +CONFIG_SERIAL_8250_MANY_PORTS=y +CONFIG_SERIAL_8250_MID=y +CONFIG_SERIAL_8250_NR_UARTS=32 +CONFIG_SERIAL_8250_PCILIB=y +CONFIG_SERIAL_8250_PCI=y +CONFIG_SERIAL_8250_PERICOM=y +CONFIG_SERIAL_8250_PNP=y +CONFIG_SERIAL_8250_RSA=y +CONFIG_SERIAL_8250_RUNTIME_UARTS=4 +CONFIG_SERIAL_8250_SHARE_IRQ=y +CONFIG_SERIAL_8250=y +CONFIG_SERIAL_CORE_CONSOLE=y +CONFIG_SERIAL_CORE=y 
+CONFIG_SERIAL_EARLYCON=y +CONFIG_SERIAL_NONSTANDARD=y +CONFIG_SERIO_I8042=y +CONFIG_SERIO_LIBPS2=y +CONFIG_SERIO_PCIPS2=m +CONFIG_SERIO_SERPORT=y +CONFIG_SERIO=y +CONFIG_SFC=m +CONFIG_SFC_MCDI_LOGGING=y +CONFIG_SFC_MCDI_MON=y +CONFIG_SFC_SIENA=m +CONFIG_SFC_SIENA_MCDI_LOGGING=y +CONFIG_SFC_SIENA_MCDI_MON=y +CONFIG_SFC_SIENA_SRIOV=y +CONFIG_SFC_SRIOV=y +CONFIG_SGETMASK_SYSCALL=y +CONFIG_SGI_PARTITION=y +CONFIG_SGL_ALLOC=y +CONFIG_SG_POOL=y +CONFIG_SHMEM=y +CONFIG_SHUFFLE_PAGE_ALLOCATOR=y +CONFIG_SIGNALFD=y +CONFIG_SIGNATURE=y +CONFIG_SIGNED_PE_FILE_VERIFICATION=y +CONFIG_SKB_EXTENSIONS=y +CONFIG_SKY2=m +CONFIG_SLAB_FREELIST_HARDENED=y +CONFIG_SLAB_FREELIST_RANDOM=y +CONFIG_SLAB_MERGE_DEFAULT=y +CONFIG_SLS=y +CONFIG_SLUB_CPU_PARTIAL=y +CONFIG_SLUB_DEBUG=y +CONFIG_SLUB=y +CONFIG_SMBFS=y +CONFIG_SMP=y +CONFIG_SMSC_PHY=m +CONFIG_SOCK_CGROUP_DATA=y +CONFIG_SOCK_RX_QUEUE_MAPPING=y +CONFIG_SOFTIRQ_ON_OWN_STACK=y +CONFIG_SOLARIS_X86_PARTITION=y +CONFIG_SP5100_TCO=m +CONFIG_SPARSE_IRQ=y +CONFIG_SPARSEMEM_EXTREME=y +CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y +CONFIG_SPARSEMEM_VMEMMAP=y +CONFIG_SPARSEMEM=y +CONFIG_SPLIT_PTLOCK_CPUS=4 +CONFIG_SQUASHFS_COMPILE_DECOMP_SINGLE=y +CONFIG_SQUASHFS_DECOMP_SINGLE=y +CONFIG_SQUASHFS_FILE_DIRECT=y +CONFIG_SQUASHFS_FRAGMENT_CACHE_SIZE=3 +CONFIG_SQUASHFS_XATTR=y +CONFIG_SQUASHFS_XZ=y +CONFIG_SQUASHFS=y +CONFIG_SQUASHFS_ZSTD=y +CONFIG_SSB_POSSIBLE=y +CONFIG_STACKDEPOT=y +CONFIG_STACKLEAK_TRACK_MIN_SIZE=100 +CONFIG_STACKPROTECTOR_STRONG=y +CONFIG_STACKPROTECTOR=y +CONFIG_STACKTRACE_SUPPORT=y +CONFIG_STACKTRACE=y +CONFIG_STANDALONE=y +CONFIG_STP=y +CONFIG_STREAM_PARSER=y +CONFIG_STRICT_KERNEL_RWX=y +CONFIG_STRICT_MODULE_RWX=y +CONFIG_SUN_PARTITION=y +CONFIG_SUNRPC_BACKCHANNEL=y +CONFIG_SUNRPC_GSS=y +CONFIG_SUNRPC_XPRT_RDMA=y +CONFIG_SUNRPC=y +CONFIG_SURFACE_PLATFORMS=y +CONFIG_SUSPEND_FREEZER=y +CONFIG_SUSPEND=y +CONFIG_SWAP=y +CONFIG_SWIOTLB_XEN=y +CONFIG_SWIOTLB=y +CONFIG_SWPHY=y +CONFIG_SYMBOLIC_ERRNAME=y +CONFIG_SYNC_FILE=y +CONFIG_SYN_COOKIES=y 
+CONFIG_SYSCTL_EXCEPTION_TRACE=y +CONFIG_SYSCTL=y +CONFIG_SYSFB=y +CONFIG_SYSFS_SYSCALL=y +CONFIG_SYSFS=y +CONFIG_SYS_HYPERVISOR=y +CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" +CONFIG_SYSTEM_BLACKLIST_KEYRING=y +CONFIG_SYSTEM_DATA_VERIFICATION=y +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="" +CONFIG_SYSVIPC_COMPAT=y +CONFIG_SYSVIPC_SYSCTL=y +CONFIG_SYSVIPC=y +CONFIG_TAP=y +CONFIG_TASK_DELAY_ACCT=y +CONFIG_TASK_IO_ACCOUNTING=y +CONFIG_TASKS_RCU_GENERIC=y +CONFIG_TASKS_RUDE_RCU=y +CONFIG_TASKSTATS=y +CONFIG_TASKS_TRACE_RCU=y +CONFIG_TASK_XACCT=y +CONFIG_TCG_CRB=y +CONFIG_TCG_TIS_CORE=y +CONFIG_TCG_TIS=y +CONFIG_TCG_TPM=y +CONFIG_TCP_CONG_ADVANCED=y +CONFIG_TCP_CONG_BBR=y +CONFIG_TCP_CONG_CUBIC=y +CONFIG_TCP_MD5SIG=y +CONFIG_TEXTSEARCH_BM=y +CONFIG_TEXTSEARCH_FSM=y +CONFIG_TEXTSEARCH_KMP=y +CONFIG_TEXTSEARCH=y +CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y +CONFIG_THERMAL_EMERGENCY_POWEROFF_DELAY_MS=0 +CONFIG_THERMAL_GOV_STEP_WISE=y +CONFIG_THERMAL_GOV_USER_SPACE=y +CONFIG_THERMAL_HWMON=y +CONFIG_THERMAL_WRITABLE_TRIPS=y +CONFIG_THERMAL=y +CONFIG_THREAD_INFO_IN_TASK=y +CONFIG_TICK_CPU_ACCOUNTING=y +CONFIG_TICK_ONESHOT=y +CONFIG_TIGON3_HWMON=y +CONFIG_TIGON3=m +CONFIG_TIME_NS=y +CONFIG_TIMERFD=y +CONFIG_TLS=m +CONFIG_TMPFS_POSIX_ACL=y +CONFIG_TMPFS_XATTR=y +CONFIG_TMPFS=y +CONFIG_TOOLS_SUPPORT_RELR=y +CONFIG_TRACE_CLOCK=y +CONFIG_TRACE_IRQFLAGS_NMI_SUPPORT=y +CONFIG_TRACE_IRQFLAGS_SUPPORT=y +CONFIG_TRACEPOINTS=y +CONFIG_TRACING_SUPPORT=y +CONFIG_TRACING=y +CONFIG_TREE_RCU=y +CONFIG_TREE_SRCU=y +CONFIG_TTY=y +CONFIG_TTY_PRINTK_LEVEL=6 +CONFIG_TTY_PRINTK=m +CONFIG_TUN=y +CONFIG_UBSAN_BOOL=y +CONFIG_UBSAN_BOUNDS_STRICT=y +CONFIG_UBSAN_BOUNDS=y +CONFIG_UBSAN_ENUM=y +CONFIG_UBSAN_SANITIZE_ALL=y +CONFIG_UBSAN_SHIFT=y +CONFIG_UBSAN=y +CONFIG_UCS2_STRING=y +CONFIG_UDF_FS=y +CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug" +CONFIG_UEVENT_HELPER=y +CONFIG_UID16=y +CONFIG_UNIX98_PTYS=y +CONFIG_UNIX_SCM=y +CONFIG_UNIXWARE_DISKLABEL=y +CONFIG_UNIX=y +CONFIG_UNWINDER_ORC=y 
+CONFIG_UPROBE_EVENTS=y +CONFIG_UPROBES=y +CONFIG_USB4=m +CONFIG_USB4_NET=m +CONFIG_USB_ACM=y +CONFIG_USB_ALI_M5632=y +CONFIG_USB_AN2720=y +CONFIG_USB_ARCH_HAS_HCD=y +CONFIG_USB_ARMLINUX=y +CONFIG_USB_AUTOSUSPEND_DELAY=2 +CONFIG_USB_BELKIN=y +CONFIG_USB_CDC_PHONET=m +CONFIG_USB_COMMON=y +CONFIG_USB_DEFAULT_PERSIST=y +CONFIG_USB_EHCI_HCD=y +CONFIG_USB_EHCI_PCI=y +CONFIG_USB_EHCI_TT_NEWSCHED=y +CONFIG_USB_HID=y +CONFIG_USB_KC2190=y +CONFIG_USB_NET_AQC111=m +CONFIG_USB_NET_AX88179_178A=m +CONFIG_USB_NET_AX8817X=m +CONFIG_USB_NET_CDC_EEM=m +CONFIG_USB_NET_CDCETHER=m +CONFIG_USB_NET_CDC_MBIM=m +CONFIG_USB_NET_CDC_NCM=m +CONFIG_USB_NET_CDC_SUBSET_ENABLE=m +CONFIG_USB_NET_CDC_SUBSET=m +CONFIG_USB_NET_CX82310_ETH=m +CONFIG_USB_NET_DM9601=m +CONFIG_USB_NET_DRIVERS=y +CONFIG_USB_NET_GL620A=m +CONFIG_USB_NET_HUAWEI_CDC_NCM=m +CONFIG_USB_NET_INT51X1=m +CONFIG_USB_NET_KALMIA=m +CONFIG_USB_NET_MCS7830=m +CONFIG_USB_NET_NET1080=m +CONFIG_USB_NET_PLUSB=m +CONFIG_USB_NET_QMI_WWAN=m +CONFIG_USB_NET_RNDIS_HOST=m +CONFIG_USB_NET_SMSC75XX=m +CONFIG_USB_NET_SMSC95XX=m +CONFIG_USB_NET_SR9700=m +CONFIG_USB_NET_SR9800=m +CONFIG_USB_NET_ZAURUS=m +CONFIG_USB_OHCI_HCD=m +CONFIG_USB_OHCI_HCD_PCI=m +CONFIG_USB_OHCI_HCD_PLATFORM=m +CONFIG_USB_OHCI_LITTLE_ENDIAN=y +CONFIG_USB_PCI=y +CONFIG_USB_RTL8152=m +CONFIG_USB_RTL8153_ECM=m +CONFIG_USB_SERIAL_CH341=m +CONFIG_USB_SERIAL_CONSOLE=y +CONFIG_USB_SERIAL_CP210X=m +CONFIG_USB_SERIAL_FTDI_SIO=m +CONFIG_USB_SERIAL_GENERIC=y +CONFIG_USB_SERIAL_OPTION=m +CONFIG_USB_SERIAL_PL2303=m +CONFIG_USB_SERIAL_WWAN=m +CONFIG_USB_SERIAL=y +CONFIG_USB_SIERRA_NET=m +CONFIG_USB_STORAGE=y +CONFIG_USB_SUPPORT=y +CONFIG_USB_UAS=y +CONFIG_USB_UHCI_HCD=m +CONFIG_USB_USBNET=m +CONFIG_USB_VL600=m +CONFIG_USB_WDM=m +CONFIG_USB_XHCI_HCD=y +CONFIG_USB_XHCI_PCI=y +CONFIG_USB_XHCI_PLATFORM=y +CONFIG_USB=y +CONFIG_USELIB=y +CONFIG_USE_PERCPU_NUMA_NODE_ID=y +CONFIG_USER_NS=y +CONFIG_USER_RETURN_NOTIFIER=y +CONFIG_USER_STACKTRACE_SUPPORT=y +CONFIG_UTS_NS=y +CONFIG_UVC_COMMON=m 
+CONFIG_VETH=y +CONFIG_VFAT_FS=y +CONFIG_VFIO_CONTAINER=y +CONFIG_VFIO_GROUP=y +CONFIG_VFIO_IOMMU_TYPE1=m +CONFIG_VFIO=m +CONFIG_VFIO_MDEV=m +CONFIG_VFIO_PCI_CORE=m +CONFIG_VFIO_PCI_IGD=y +CONFIG_VFIO_PCI_INTX=y +CONFIG_VFIO_PCI=m +CONFIG_VFIO_PCI_MMAP=y +CONFIG_VFIO_PCI_VGA=y +CONFIG_VFIO_VIRQFD=y +CONFIG_VGA_ARB_MAX_GPUS=16 +CONFIG_VGA_ARB=y +CONFIG_VGA_CONSOLE=y +CONFIG_VGASTATE=y +CONFIG_VHOST_IOTLB=y +CONFIG_VHOST_MENU=y +CONFIG_VHOST_NET=y +CONFIG_VHOST_TASK=y +CONFIG_VHOST_VSOCK=y +CONFIG_VHOST=y +CONFIG_VIRT_DRIVERS=y +CONFIG_VIRTIO_ANCHOR=y +CONFIG_VIRTIO_BALLOON=m +CONFIG_VIRTIO_BLK=y +CONFIG_VIRTIO_CONSOLE=y +CONFIG_VIRTIO_DMA_SHARED_BUFFER=y +CONFIG_VIRTIO_FS=y +CONFIG_VIRTIO_INPUT=m +CONFIG_VIRTIO_MENU=y +CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y +CONFIG_VIRTIO_MMIO=m +CONFIG_VIRTIO_NET=y +CONFIG_VIRTIO_PCI_LEGACY=y +CONFIG_VIRTIO_PCI_LIB_LEGACY=m +CONFIG_VIRTIO_PCI_LIB=m +CONFIG_VIRTIO_PCI=m +CONFIG_VIRTIO_VSOCKETS_COMMON=y +CONFIG_VIRTIO_VSOCKETS=y +CONFIG_VIRTIO=y +CONFIG_VIRTUALIZATION=y +CONFIG_VLAN_8021Q=y +CONFIG_VMAP_PFN=y +CONFIG_VMAP_STACK=y +CONFIG_VMD=y +CONFIG_VM_EVENT_COUNTERS=y +CONFIG_VMGENID=y +CONFIG_VSOCKETS_DIAG=y +CONFIG_VSOCKETS_LOOPBACK=y +CONFIG_VSOCKETS=y +CONFIG_VT_CONSOLE_SLEEP=y +CONFIG_VT_CONSOLE=y +CONFIG_VT_HW_CONSOLE_BINDING=y +CONFIG_VT=y +CONFIG_VXLAN=y +CONFIG_WATCHDOG_CORE=m +CONFIG_WATCHDOG_HANDLE_BOOT_ENABLED=y +CONFIG_WATCHDOG_OPEN_TIMEOUT=0 +CONFIG_WATCHDOG_SYSFS=y +CONFIG_WATCHDOG=y +CONFIG_WDAT_WDT=m +CONFIG_WIREGUARD=y +CONFIG_WIRELESS=y +CONFIG_WMI_BMOF=y +CONFIG_X509_CERTIFICATE_PARSER=y +CONFIG_X86_64_ACPI_NUMA=y +CONFIG_X86_64_SMP=y +CONFIG_X86_64=y +CONFIG_X86_ACPI_CPUFREQ_CPB=y +CONFIG_X86_ACPI_CPUFREQ=y +CONFIG_X86_AMD_PSTATE_DEFAULT_MODE=3 +CONFIG_X86_AMD_PSTATE=y +CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y +CONFIG_X86_CET=y +CONFIG_X86_CHECK_BIOS_CORRUPTION=y +CONFIG_X86_CMOV=y +CONFIG_X86_CMPXCHG64=y +CONFIG_X86_CPUID=y +CONFIG_X86_DEBUGCTLMSR=y +CONFIG_X86_DEBUG_FPU=y +CONFIG_X86_DIRECT_GBPAGES=y 
+CONFIG_X86_EXTENDED_PLATFORM=y +CONFIG_X86_HV_CALLBACK_VECTOR=y +CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y +CONFIG_X86_INTEL_PSTATE=y +CONFIG_X86_INTEL_TSX_MODE_OFF=y +CONFIG_X86_INTERNODE_CACHE_SHIFT=6 +CONFIG_X86_IO_APIC=y +CONFIG_X86_IOPL_IOPERM=y +CONFIG_X86_KERNEL_IBT=y +CONFIG_X86_L1_CACHE_SHIFT=6 +CONFIG_X86_LOCAL_APIC=y +CONFIG_X86_MCE_AMD=y +CONFIG_X86_MCE_INTEL=y +CONFIG_X86_MCE_THRESHOLD=y +CONFIG_X86_MCE=y +CONFIG_X86_MEM_ENCRYPT=y +CONFIG_X86_MINIMUM_CPU_FAMILY=64 +CONFIG_X86_MPPARSE=y +CONFIG_X86_NEED_RELOCS=y +CONFIG_X86_PAT=y +CONFIG_X86_PCC_CPUFREQ=m +CONFIG_X86_PKG_TEMP_THERMAL=y +CONFIG_X86_PLATFORM_DEVICES=y +CONFIG_X86_PM_TIMER=y +CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y +CONFIG_X86_SUPPORTS_MEMORY_FAILURE=y +CONFIG_X86_THERMAL_VECTOR=y +CONFIG_X86_TSC=y +CONFIG_X86_UMIP=y +CONFIG_X86_VERBOSE_BOOTUP=y +CONFIG_X86_VMX_FEATURE_NAMES=y +CONFIG_X86_VSYSCALL_EMULATION=y +CONFIG_X86_X2APIC=y +CONFIG_X86=y +CONFIG_XDP_SOCKETS=y +CONFIG_XFRM_AH=y +CONFIG_XFRM_ALGO=y +CONFIG_XFRM_ESP=y +CONFIG_XFRM_IPCOMP=y +CONFIG_XFRM_OFFLOAD=y +CONFIG_XFRM_USER=y +CONFIG_XFRM=y +CONFIG_XFS_DRAIN_INTENTS=y +CONFIG_XFS_FS=m +CONFIG_XFS_LIVE_HOOKS=y +CONFIG_XFS_MEMORY_BUFS=y +CONFIG_XFS_ONLINE_SCRUB_STATS=y +CONFIG_XFS_ONLINE_SCRUB=y +CONFIG_XFS_POSIX_ACL=y +CONFIG_XFS_QUOTA=y +CONFIG_XFS_RT=y +CONFIG_XFS_SUPPORT_ASCII_CI=y +CONFIG_XFS_SUPPORT_V4=y +CONFIG_XOR_BLOCKS=m +CONFIG_XPS=y +CONFIG_XXHASH=y +CONFIG_XZ_DEC_ARMTHUMB=y +CONFIG_XZ_DEC_ARM=y +CONFIG_XZ_DEC_BCJ=y +CONFIG_XZ_DEC_IA64=y +CONFIG_XZ_DEC_POWERPC=y +CONFIG_XZ_DEC_X86=y +CONFIG_XZ_DEC=y +CONFIG_ZISOFS=y +CONFIG_ZLIB_DEFLATE=y +CONFIG_ZLIB_INFLATE=y +CONFIG_ZONE_DEVICE=y +CONFIG_ZONE_DMA32=y +CONFIG_ZONE_DMA=y +CONFIG_ZONEFS_FS=m +CONFIG_ZRAM_DEF_COMP="zstd" +CONFIG_ZRAM_DEF_COMP_ZSTD=y +CONFIG_ZRAM=m +CONFIG_ZRAM_MULTI_COMP=y +CONFIG_ZRAM_WRITEBACK=y +CONFIG_ZSTD_COMMON=y +CONFIG_ZSTD_COMPRESS=y +CONFIG_ZSTD_DECOMPRESS=y 
diff --git a/modules/config/minimal-modules.nix b/modules/config/minimal-modules.nix
deleted file mode 100644
index 45bdb1f..0000000
--- a/modules/config/minimal-modules.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ config, ... }:
-{
- boot = {
- bootspec.enable = false;
- initrd.kernelModules = config.boot.kernelModules;
- kernel.enable = false; # No kernel or modules in the rootfs
- modprobeConfig.enable = false;
- };
-
- system.build = {
- inherit (config.boot.kernelPackages) kernel;
- };
-
- system.modulesTree = [ config.boot.kernelPackages.kernel ] ++ config.boot.extraModulePackages;
-}
diff --git a/modules/config/minimal-system.nix b/modules/config/minimal-system.nix
deleted file mode 100644
index c81d7d4..0000000
--- a/modules/config/minimal-system.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ ... }:
-{
-
- nixpkgs.overlays = [
- (final: prev: {
-
- composefs = final.callPackage ../../pkgs/composefs.nix { inherit prev; };
- qemu_tiny = final.callPackage ../../pkgs/qemu.nix { inherit prev; };
-
- systemd = prev.systemd.overrideAttrs (oldAttrs: {
- mesonFlags = oldAttrs.mesonFlags ++ [
- "-Dsysupdated=enabled"
- ];
- });
- ## minimal inherit from systemd pkg, need to explicitly disable sysupdated
- systemdMinimal = prev.systemdMinimal.overrideAttrs (oldAttrs: {
- mesonFlags = oldAttrs.mesonFlags ++ [
- "-Dsysupdated=disabled"
- ];
- });
-
- })
- ];
-
- }
diff --git a/modules/default.nix b/modules/default.nix
deleted file mode 100644
index 0a1a5e0..0000000
--- a/modules/default.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- imports = [
- ./config/minimal-modules.nix
- ./config/minimal-system.nix
- ];
-}
diff --git a/modules/image/builder.nix b/modules/image/builder.nix
deleted file mode 100644
index 4f194d8..0000000
--- a/modules/image/builder.nix
+++ /dev/null
@@ -1,196 +0,0 @@ -{ - config, - lib, - options, - pkgs, - ... -}: -let - inherit (pkgs.stdenv.hostPlatform) efiArch; - - initialPartitions = { - "10-root" = { - storePaths = [ config.system.build.toplevel ]; - repartConfig = { - Type = "root"; - Minimize = "best"; - Format = "erofs"; - MakeDirectories = "/home /root /etc /dev /sys /bin /var /proc /run /usr /usr/bin /srv /tmp /mnt /lib /boot"; - Verity = "data"; - VerityMatchKey = "root"; - SplitName = "root"; - }; - }; - - "20-root-verity" = { - repartConfig = { - Type = "root-verity"; - Minimize = "best"; - Verity = "hash"; - VerityMatchKey = "root"; - SplitName = "verity"; - }; - }; - }; - - # TODO: We don't need a combined image here - add dry-run flag to repart invocation - verityRepart = import (pkgs.path + "/nixos/lib/eval-config.nix") { - inherit lib pkgs; - system = null; - modules = [ - ( - { modulesPath, ... }: - { - imports = [ (modulesPath + "/image/repart.nix") ]; - image.repart = { - name = "verity"; - split = true; - mkfsOptions = lib.mkIf config.image.compress { - erofs = [ - "-zlz4hc,level=12" - "-Efragments,dedupe,ztailpacking" - ]; - }; - partitions = initialPartitions; - }; - } - ) - ]; - }; - - rootPart = "${verityRepart.config.system.build.image}/${verityRepart.config.image.repart.imageFileBasename}.root.raw"; - verityPart = "${verityRepart.config.system.build.image}/${verityRepart.config.image.repart.imageFileBasename}.verity.raw"; - - verityImgAttrs = builtins.fromJSON ( - builtins.readFile "${verityRepart.config.system.build.image}/repart-output.json" - ); - rootAttrs = builtins.elemAt verityImgAttrs 0; - verityAttrs = builtins.elemAt verityImgAttrs 1; - - rootUuid = rootAttrs.uuid; - verityUuid = verityAttrs.uuid; - verityRootHash = rootAttrs.roothash; - - finalPartitions = { - "10-esp" = { - contents = { - "/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source = "${pkgs.systemdUkify}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi"; - "/EFI/Linux/${config.system.boot.loader.ukiFile}".source = 
"${config.system.build.uki}/${config.system.boot.loader.ukiFile}"; - "/EFI/memtest86/memtest86.efi".source = "${pkgs.memtest86plus}/memtest.efi"; - "/loader/entries/patos-factory-reset.conf".source = pkgs.writeText "patos-factory-reset.conf" '' - title Patos Factory Reset - efi /EFI/Linux/${config.system.boot.loader.ukiFile} - options ${toString config.boot.kernelParams} systemd.factory_reset=yes - sort-key z_factory_reset - ''; - "/loader/entries/memtest86.conf".source = pkgs.writeText "memtest86.conf" '' - title Memtest86+ - efi /EFI/memtest86/memtest86.efi - options console=ttyS0 - sort-key z_memtest - ''; - "/loader/loader.conf".source = pkgs.writeText "loader.conf" '' - timeout 2 - ''; - }; - repartConfig = { - Type = "esp"; - Format = "vfat"; - SizeMinBytes = "96M"; - SizeMaxBytes = "96M"; - SplitName = "-"; - }; - }; - "20-root-verity-a" = { - repartConfig = { - Type = "root-verity"; - Label = "verity-${config.system.image.version}"; - CopyBlocks = "${verityPart}"; - SplitName = "-"; - SizeMinBytes = "64M"; - SizeMaxBytes = "64M"; - UUID = "${verityUuid}"; - ReadOnly = 1; - }; - }; - # TODO: Add signature partition for systemd-nspawn - "22-root-a" = { - repartConfig = { - Type = "root"; - Label = "root-${config.system.image.version}"; - CopyBlocks = "${rootPart}"; - SplitName = "-"; - UUID = "${rootUuid}"; - ReadOnly = 1; - }; - }; - }; - - finalRepart = import (pkgs.path + "/nixos/lib/eval-config.nix") { - inherit lib pkgs; - system = null; - modules = [ - ( - { modulesPath, ... }: - { - imports = [ (modulesPath + "/image/repart.nix") ]; - image.repart = { - name = "${config.system.image.id}"; - partitions = finalPartitions; - }; - } - ) - ]; - }; - -in -{ - - # This fields is immutable by default, but can be overridden. 
- options.system.nixos.codeName = lib.mkOption { readOnly = false; }; - options.system.nixos.release = lib.mkOption { readOnly = false; }; - - # FIXME: Should be configured somehow - config.system.nixos = { - codeName = "Finn"; - distroId = "patos"; - distroName = "PatOS"; - release = "2024-11"; - variant_id = "server"; - variantName = "Server"; - vendorName = "PatOS"; - }; - - options.image.compress = lib.mkEnableOption "image compression" // { - default = true; - }; - - config.system.build = { - inherit verityRootHash; - - image = - (pkgs.linkFarm "image-release" [ - { - name = "${config.system.image.id}_${config.system.image.version}.efi"; - path = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}"; - } - { - name = "${config.system.image.id}_${config.system.image.version}_${verityUuid}.verity"; - path = "${verityRepart.config.system.build.image}/${verityRepart.config.image.repart.imageFileBasename}.verity.raw"; - } - { - name = "${config.system.image.id}_${config.system.image.version}_${rootUuid}.root"; - path = "${verityRepart.config.system.build.image}/${verityRepart.config.image.repart.imageFileBasename}.root.raw"; - } - { - name = "${config.system.image.id}_${config.system.image.version}.img"; - path = "${finalRepart.config.system.build.image}/${finalRepart.config.image.repart.imageFileBasename}.raw"; - } - ]) - // { - imageFile = "${config.system.image.id}_${config.system.image.version}.img"; - }; - - }; - -} diff --git a/modules/image/default.nix b/modules/image/default.nix deleted file mode 100644 index 20d7fa7..0000000 --- a/modules/image/default.nix +++ /dev/null 
@@ -1,137 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -{ - - imports = [ - ./updater.nix - ./builder.nix - ./veritysetup.nix - ]; - - system.build.updatePackage = pkgs.runCommand "update-package" { } '' - mkdir "$out" - cd "$out" - cp "${config.system.build.image}"/* . - ${pkgs.coreutils}/bin/sha256sum * > SHA256SUMS - ''; - - systemd.repart.partitions = { - "10-esp" = { - Type = "esp"; - UUID = "c12a7328-f81f-11d2-ba4b-00a0c93ec93b"; # Well known - Format = "vfat"; - SizeMinBytes = "96M"; - SizeMaxBytes = "96M"; - }; - "20-root-verity-a" = { - Type = "root-verity"; - SizeMinBytes = "64M"; - SizeMaxBytes = "64M"; - }; - "22-root-a" = { - Type = "root"; - SizeMinBytes = "512M"; - SizeMaxBytes = "512M"; - }; - "30-root-verity-b" = { - Type = "root-verity"; - SizeMinBytes = "64M"; - SizeMaxBytes = "64M"; - Label = "_empty"; - ReadOnly = 1; - }; - "32-root-b" = { - Type = "root"; - SizeMinBytes = "512M"; - SizeMaxBytes = "512M"; - Label = "_empty"; - ReadOnly = 1; - }; - "40-var" = { - Type = "var"; - UUID = "4d21b016-b534-45c2-a9fb-5c16e091fd2d"; # Well known - Format = "btrfs"; - Label = "patos-state"; - Minimize = "off"; - FactoryReset = "yes"; - Encrypt = "tpm2"; - SizeMinBytes = "2G"; - SplitName = "-"; - }; - }; - - boot.loader.grub.enable = false; - boot.loader.efi.canTouchEfiVariables = true; - boot.loader.systemd-boot.enable = true; - boot.uki.name = "patos"; - - boot.initrd = { - compressor = "zstd"; - compressorArgs = [ "-8" ]; - - luks.forceLuksSupportInInitrd = true; - kernelModules = [ - "dm_mod" - "dm_crypt" - ] ++ config.boot.initrd.luks.cryptoModules; - - supportedFilesystems = { - btrfs = true; - erofs = true; - }; - - systemd.enable = true; - systemd.repart.enable = true; - systemd.services.systemd-repart = { - after = lib.mkForce [ "sysroot.mount" ]; - requires = [ "sysroot.mount" ]; - serviceConfig.Environment = [ - "SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard" - ]; - }; - }; - - system.etc.overlay.mutable = false; - users.mutableUsers = false; 
- - boot.kernelParams = [ - "rootfstype=erofs" - "rootflags=ro" - "roothash=${config.system.build.verityRootHash}" - ]; - - fileSystems = - let - parts = config.systemd.repart.partitions; - in - { - "/var" = { - fsType = parts."40-var".Format; - device = "/dev/mapper/var"; - encrypted = { - enable = true; - blkDev = "/dev/disk/by-partuuid/${parts."40-var".UUID}"; - label = "var"; - }; - }; - }; - - # Required to mount the efi partition - boot.kernelModules = [ - "vfat" - "nls_cp437" - "nls_iso8859-1" - ]; - - environment.etc."machine-id" = { - text = ""; - mode = "0755"; - }; - - # Refuse to boot on mount failure - systemd.targets."sysinit".requires = [ "local-fs.target" ]; -} diff --git a/modules/image/updater.nix b/modules/image/updater.nix deleted file mode 100644 index 7602cdc..0000000 --- a/modules/image/updater.nix +++ /dev/null 
@@ -1,89 +0,0 @@ -{ config, lib, ... }: -{ - - options.system.image.updates = { - enable = lib.mkEnableOption "system updates via systemd-sysupdate" // { - default = config.system.image.updates.url != null; - }; - url = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - }; - }; - - config = lib.mkIf config.system.image.updates.enable { - - assertions = [ - { assertion = config.system.image.updates.url != null; } - ]; - - systemd.additionalUpstreamSystemUnits = [ - "systemd-bless-boot.service" - "boot-complete.target" - "dbus-org.freedesktop.sysupdate1.service" - "systemd-sysupdated.service" - ]; - - environment.etc."sysupdate.d/10-uki.transfer" = { - text = '' - [Source] - Path=${config.system.image.updates.url} - MatchPattern=${config.boot.uki.name}_@v.efi - Type=url-file - - [Target] - InstancesMax=2 - MatchPattern=${config.boot.uki.name}_@v+@l-@d.efi ${config.boot.uki.name}_@v+@l.efi ${config.boot.uki.name}_@v.efi - Mode=0444 - Path=/EFI/Linux - PathRelativeTo=esp - TriesDone=0 - TriesLeft=3 - Type=regular-file - - [Transfer] - Verify=no - ''; - }; - - environment.etc."sysupdate.d/20-root.transfer" = { - text = '' - [Source] - Type=url-file - Path=${config.system.image.updates.url} - MatchPattern=${config.system.image.id}_@v_@u.verity - - [Target] - Type=partition - Path=auto - MatchPattern=verity-@v - MatchPartitionType=root-verity - ReadOnly=1 - - [Transfer] - Verify=no - ''; - }; - - environment.etc."sysupdate.d/22-root.transfer" = { - text = '' - [Source] - Type=url-file - Path=${config.system.image.updates.url} - MatchPattern=${config.system.image.id}_@v_@u.root - - [Target] - Type=partition - Path=auto - MatchPattern=root-@v - MatchPartitionType=root - ReadOnly=1 - - [Transfer] - Verify=no - ''; - }; - - }; - -} diff --git a/modules/image/veritysetup.nix b/modules/image/veritysetup.nix deleted file mode 100644 index 1505b45..0000000 --- a/modules/image/veritysetup.nix +++ /dev/null 
@@ -1,39 +0,0 @@ -{ config, lib, ... }: -{ - - options.boot.initrd.systemd.root = lib.mkOption { - type = lib.types.enum [ - "fstab" - "gpt-auto" - "" - ]; - }; - - config.boot.initrd = { - - kernelModules = [ - "dm_mod" - "dm_verity" - ]; - - systemd = { - - # Required to activate systemd-fstab-generator - root = ""; - - additionalUpstreamUnits = [ - "veritysetup-pre.target" - "veritysetup.target" - "remote-veritysetup.target" - ]; - - storePaths = [ - "${config.boot.initrd.systemd.package}/lib/systemd/systemd-veritysetup" - "${config.boot.initrd.systemd.package}/lib/systemd/system-generators/systemd-veritysetup-generator" - ]; - - }; - - }; - -} diff --git a/modules/profiles/base.nix b/modules/profiles/base.nix deleted file mode 100644 index bb6b37b..0000000 --- a/modules/profiles/base.nix +++ /dev/null 
@@ -1,97 +0,0 @@ -{ - config, - lib, - pkgs, - modulesPath, - ... -}: -{ - imports = [ - (modulesPath + "/profiles/image-based-appliance.nix") - (modulesPath + "/profiles/perlless.nix") - (modulesPath + "/profiles/qemu-guest.nix") - ]; - - # system.forbiddenDependenciesRegexes = lib.mkForce [ ]; - - nixpkgs.flake.setNixPath = false; - nixpkgs.flake.setFlakeRegistry = false; - boot.enableContainers = false; - - boot.kernelModules = [ - "zram" - "usb_storage" - "uas" - "sd_mod" - "r8169" - "ehci-hcd" - "ehci-pci" - "xhci-hcd" - "xhci-pci" - "xhci-pci-renesas" - "nvme" - "virtio_net" - "9p" - "9pnet_virtio" - ]; - - system.etc.overlay.mutable = lib.mkDefault false; - - systemd.watchdog = lib.mkDefault { - runtimeTime = "10s"; - rebootTime = "30s"; - }; - - zramSwap.enable = true; - - # FIXME: fstrim should only be enabled for virtual machine images? - services.fstrim.enable = true; - - users.allowNoPasswordLogin = true; - users.users.root.home = lib.mkForce "/"; - - security.sudo.enable = lib.mkDefault false; - - security.polkit = { - enable = true; - extraConfig = '' - polkit.addRule(function(action, subject) { - if (subject.isInGroup("wheel")) { - return polkit.Result.YES; - } - }); - ''; - }; - - i18n.supportedLocales = [ "en_US.UTF-8/UTF-8" ]; - - # Console - - systemd.enableEmergencyMode = false; - boot.consoleLogLevel = lib.mkDefault 1; - boot.kernelParams = [ - "panic=1" - "boot.panic_on_fail" - # "nomodeset" - "console=ttyS0,115200n8" - "earlyprintk=ttyS0,115200n8" - "systemd.mask=systemd-vconsole-setup.service" # FIXME: Figure out why vconsole-setup fails when loading keymap - ]; - - # This is vi country - programs.nano.enable = false; - programs.vim.enable = true; - programs.vim.defaultEditor = lib.mkDefault true; - - # Temporary file - boot.tmp.useTmpfs = true; - - # Logging - services.journald = { - storage = "volatile"; - extraConfig = '' - SystemMaxUse=10M - ''; - }; - -} 
diff --git a/modules/profiles/devel.nix b/modules/profiles/devel.nix deleted file mode 100644 index 011f773..0000000 --- a/modules/profiles/devel.nix +++ /dev/null @@ -1,39 +0,0 @@ -{ - modulesPath, - ... -}: -{ - - imports = [ ./server.nix ]; - - boot.kernel.sysctl = { - "net.ipv4.ip_unprivileged_port_start" = 0; - }; - - boot.kernelParams = [ - "systemd.log_level=info" - "systemd.log_target=console" - "systemd.journald.forward_to_console" - ]; - - users.users."admin" = { - isNormalUser = true; - linger = true; - extraGroups = [ "wheel" ]; - home = "/var/home/admin"; - }; - - environment.etc = { - subuid = { - text = "admin:100000:65536"; - mode = "0644"; - }; - - subgid = { - text = "admin:100000:65536"; - mode = "0644"; - }; - }; - - services.getty.autologinUser = "admin"; -} diff --git a/modules/profiles/network.nix b/modules/profiles/network.nix deleted file mode 100644 index ccc21cb..0000000 --- a/modules/profiles/network.nix +++ /dev/null 
@@ -1,65 +0,0 @@ -{ lib, ... }: -{ - # Use networkd - networking.useNetworkd = true; - systemd.network.wait-online.enable = true; - - # Firewall - networking.firewall.enable = false; - networking.nftables.enable = lib.mkDefault true; - - # DNS - services.resolved = { - fallbackDns = [ ]; # Disable fallback DNS. DNS will fail if resolvers are unconfigured - extraConfig = '' - DNSStubListener=no - ''; - - }; - - # Configuration - networking.hostName = ""; - - # Kernel - boot.kernel.sysctl = { - "net.core.default_qdisc" = "fq"; # FIXME: manage these with networkd? - "net.ipv4.tcp_congestion_control" = "bbr"; - }; - - # Modules - boot.kernelModules = [ - "ip_tables" - "x_tables" - "nf_tables" - "nft_ct" - "nft_log" - "nf_log_syslog" - "nft_fib" - "nft_fib_inet" - "nft_compat" - "nft_nat" - "nft_chain_nat" - "nft_masq" - "nfnetlink" - "xt_conntrack" - "nf_conntrack" - "nf_log_syslog" - "nf_nat" - "af_packet" - "bridge" - "veth" - "tcp_bbr" - "sch_fq_codel" - "ipt_rpfilter" - "ip6t_rpfilter" - "sch_fq" - "tun" - "tap" - "xt_MASQUERADE" - "xt_mark" - "xt_comment" - "xt_multiport" - "xt_addrtype" - ]; - -} diff --git a/modules/profiles/server.nix b/modules/profiles/server.nix deleted file mode 100644 index 830762e..0000000 --- a/modules/profiles/server.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ - modulesPath, - ... -}: -{ - - imports = [ - (modulesPath + "/profiles/minimal.nix") - ./network.nix - ./sysext.nix - ]; - - boot.kernelParams = [ - "quiet" - ]; - - virtualisation.podman.enable = true; -} diff --git a/modules/profiles/sysext.nix b/modules/profiles/sysext.nix deleted file mode 100644 index c356747..0000000 --- a/modules/profiles/sysext.nix +++ /dev/null 
@@ -1,23 +0,0 @@ -{ ... }: -{ - system.activationScripts.sysext = '' - mkdir -p /var/lib/confexts - mkdir -p /var/lib/extensions - mkdir -p /etc/systemd/extensions - ''; - - systemd.additionalUpstreamSystemUnits = [ - "systemd-confext.service" - "systemd-sysext.service" - ]; - - # systemd.services."systemd-confext" = { - # enable = true; - # wantedBy = [ "multi-user.target" ]; - # }; - - # systemd.services."systemd-sysext.service" = { - # enable = true; - # wantedBy = [ "multi-user.target" ]; - # }; -} diff --git a/pkgs/composefs.nix b/pkgs/composefs.nix deleted file mode 100644 index 91e8443..0000000 --- a/pkgs/composefs.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ prev, ... }: - -prev.composefs.overrideAttrs (final: prev: { - doCheck = false; -}) diff --git a/pkgs/linux-firmware.nix b/pkgs/linux-firmware.nix deleted file mode 100644 index 8f03d8c..0000000 --- a/pkgs/linux-firmware.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ stdenv, lib -, linux-firmware -, fwDirs -}: stdenv.mkDerivation { - pname = "linux-firmware-minimal"; - version = linux-firmware.version; - buildCommand = lib.concatStringsSep "\n" ( - [''mkdir -p "$out/lib/firmware"''] - ++ (map (name: '' - cp -r "${linux-firmware}/lib/firmware/${name}" "$out/lib/firmware/${name}" - '') fwDirs)); -} diff --git a/pkgs/qemu.nix b/pkgs/qemu.nix deleted file mode 100644 index 93e67dd..0000000 --- a/pkgs/qemu.nix +++ /dev/null 
@@ -1,30 +0,0 @@ -{ prev, pkgs, ... }: - -(prev.qemu_test.override { - enableDocs = false; - capstoneSupport = false; - guestAgentSupport = false; - tpmSupport = false; - libiscsiSupport = false; - usbredirSupport = false; - canokeySupport = false; - hostCpuTargets = [ "x86_64-softmmu" ]; -}).overrideDerivation (old: { - postFixup = '' - rm -r "$out/share/icons" - cp "${pkgs.OVMF.fd + "/FV/OVMF.fd"}" "$out/share/qemu/" - ''; - configureFlags = old.configureFlags ++ [ - "--disable-tcg" - "--disable-tcg-interpreter" - "--disable-docs" - "--disable-install-blobs" - "--disable-slirp" - "--disable-virtfs" - "--disable-virtfs-proxy-helper" - "--disable-vhost-user-blk-server" - "--without-default-features" - "--enable-kvm" - "--disable-tools" - ]; -}) diff --git a/pkgs/systemd-ukify.nix b/pkgs/systemd-ukify.nix deleted file mode 100644 index b8e9d55..0000000 --- a/pkgs/systemd-ukify.nix +++ /dev/null @@ -1,48 +0,0 @@ -{ prev, ... }: - -prev.systemd.override { - withAcl = false; - withAnalyze = false; - withApparmor = false; - withAudit = false; - withEfi = true; - withCompression = false; - withCoredump = false; - withCryptsetup = false; - withRepart = false; - withDocumentation = false; - withFido2 = false; - withFirstboot = false; - withHomed = false; - withHostnamed = false; - withHwdb = false; - withImportd = false; - withIptables = false; - withKmod = false; - withLibBPF = false; - withLibidn2 = false; - withLocaled = false; - withLogind = false; - withMachined = false; - withNetworkd = false; - withNss = false; - withOomd = false; - withPam = false; - withPasswordQuality = false; - withPCRE2 = false; - withPolkit = false; - withPortabled = false; - withQrencode = false; - withRemote = false; - withResolved = false; - withShellCompletions = false; - withSysusers = false; - withSysupdate = false; - withTimedated = false; - withTimesyncd = false; - withTpm2Tss = false; - withUkify = true; - withUserDb = false; - withUtmp = false; - withVmspawn = false; -} 
diff --git a/systemd/0017-meson.build-do-not-create-systemdstatedir.patch b/systemd/0017-meson.build-do-not-create-systemdstatedir.patch new file mode 100644 index 0000000..debcaab --- /dev/null +++ b/systemd/0017-meson.build-do-not-create-systemdstatedir.patch @@ -0,0 +1,21 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: nikstur <nikstur@outlook.com> +Date: Mon, 6 Nov 2023 22:51:38 +0100 +Subject: [PATCH] meson.build: do not create systemdstatedir + +--- + meson.build | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/meson.build b/meson.build +index bffda86845..cb5dcec0f9 100644 +--- a/meson.build ++++ b/meson.build +@@ -2781,7 +2781,6 @@ install_data('LICENSE.GPL2', + install_subdir('LICENSES', + install_dir : docdir) + +-install_emptydir(systemdstatedir) + + ##################################################################### + diff --git a/systemd/default.nix b/systemd/default.nix new file mode 100644 index 0000000..653296d --- /dev/null +++ b/systemd/default.nix 
@@ -0,0 +1,315 @@ +{ + fetchFromGitHub, + lib, + pkgs, + stdenv, + targetPackages, + ... +}: +let + version = "257.3"; + + # Use the command below to update `releaseTimestamp` on every (major) version + # change. More details in the commentary at mesonFlags. + # command: + # $ curl -s https://api.github.com/repos/systemd/systemd/releases/latest | \ + # jq '.created_at|strptime("%Y-%m-%dT%H:%M:%SZ")|mktime' + releaseTimestamp = "1734643670"; + + pname = "systemd"; +in +stdenv.mkDerivation (finalAttrs: { + inherit version; + + pname = pname; + + src = fetchFromGitHub { + owner = "systemd"; + repo = "systemd"; + rev = "v${version}"; + hash = "sha256-GvRn55grHWR6M+tA86RMzqinuXNpPZzRB4ApuGN/ZvU="; + }; + + patches = [ + ./0017-meson.build-do-not-create-systemdstatedir.patch + ]; + + nativeBuildInputs = with pkgs; [ + bash + pkg-config + makeBinaryWrapper + gperf + ninja + meson + glibcLocales + getent + m4 + autoPatchelfHook + + intltool + gettext + + libxslt + docbook_xsl + docbook_xml_dtd_42 + docbook_xml_dtd_45 + bash + (buildPackages.python3Packages.python.withPackages ( + ps: with ps; [ + lxml + jinja2 + ps.pyelftools + ] + )) + + bpftools + buildPackages.llvmPackages.clang + buildPackages.llvmPackages.libllvm + ]; + + outputs = [ + "out" + "dev" + ]; + + separateDebugInfo = true; + + autoPatchelfFlags = [ "--keep-libc" ]; + + hardeningDisable = [ + # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111523 + "trivialautovarinit" + # breaks clang -target bpf; should be fixed to filter target? 
+ "zerocallusedregs" + "shadowstack" + ]; + + buildInputs = with pkgs; [ + libxcrypt + libcap + libuuid + linuxHeaders + bashInteractive # for patch shebangs + libgcrypt + libgpg-error + openssl + acl + libapparmor + audit + zlib + bzip2 + lz4 + xz + zstd + elfutils + kexec-tools + kmod + libidn2 + libseccomp + libselinux + iptables + p11-kit + libfido2 + pam + pcre2 + libbpf + tpm2-tss + qrencode + libarchive + (lib.getDev curl) + (lib.getDev cryptsetup.dev) + (python3Packages.python.withPackages (ps: with ps; [ pefile ])) + (llvmPackages.compiler-rt.override { + doFakeLibgcc = true; + }) + ]; + + mesonBuildType = "release"; + + doCheck = false; # fails a bunch of tests + + preConfigure = '' + mesonFlagsArray+=(-Dntp-servers="0.europe.pool.ntp.org 1.europe.pool.ntp.org 2.europe.pool.ntp.org 3.europe.pool.ntp.org") + export LC_ALL="en_US.UTF-8"; + ''; + + postPatch = + '' + substituteInPlace src/basic/path-util.h --replace "@defaultPathNormal@" "${placeholder "out"}/bin/" + '' + + '' + substituteInPlace meson.build \ + --replace "find_program('clang'" "find_program('${stdenv.cc.targetPrefix}clang'" + '' + + '' + substituteInPlace src/ukify/ukify.py \ + --replace \ + "'readelf'" \ + "'${targetPackages.stdenv.cc.bintools.targetPrefix}readelf'" \ + --replace \ + "/usr/lib/systemd/boot/efi" \ + "$out/lib/systemd/boot/efi" + '' + # Finally, patch shebangs in scripts used at build time. This must not patch + # scripts that will end up in the output, to avoid build platform references + # when cross-compiling. 
+ + '' + shopt -s extglob + patchShebangs tools test src/!(rpm|kernel-install|ukify) src/kernel-install/test-kernel-install.sh + ''; + + # trigger the test -n "$DESTDIR" || mutate in upstreams build system + preInstall = '' + export DESTDIR=/ + ''; + + mesonFlags = [ + + "--prefix=${placeholder "out"}" + + # Options + + # We bump this attribute on every (major) version change to ensure that we + # have known-good value for a timestamp that is in the (not so distant) + # past. This serves as a lower bound for valid system timestamps during + # startup. Systemd will reset the system timestamp if this date is +- 15 + # years from the system time. + # See the systemd v250 release notes for further details: + # https://github.com/systemd/systemd/blob/60e930fc3e6eb8a36fbc184773119eb8d2f30364/NEWS#L258-L266 + (lib.mesonOption "time-epoch" releaseTimestamp) + + (lib.mesonOption "version-tag" version) + (lib.mesonOption "mode" "release") + (lib.mesonOption "tty-gid" "3") # tty in NixOS has gid 3 + + (lib.mesonOption "debug-shell" "${pkgs.bashInteractive}/bin/bash") + (lib.mesonOption "pamconfdir" "${placeholder "out"}/etc/pam.d") + (lib.mesonOption "shellprofiledir" "${placeholder "out"}/etc/profile.d") + (lib.mesonOption "kmod-path" "${pkgs.kmod}/bin/kmod") + (lib.mesonOption "dbuspolicydir" "${placeholder "out"}/share/dbus-1/system.d") + (lib.mesonOption "dbussessionservicedir" "${placeholder "out"}/share/dbus-1/services") + (lib.mesonOption "dbussystemservicedir" "${placeholder "out"}/share/dbus-1/system-services") + # pkgconfig + (lib.mesonOption "pkgconfiglibdir" "${placeholder "dev"}/lib/pkgconfig") + (lib.mesonOption "pkgconfigdatadir" "${placeholder "dev"}/share/pkgconfig") + + # SBAT + (lib.mesonOption "sbat-distro" "patos") + (lib.mesonOption "sbat-distro-summary" "PatOS") + (lib.mesonOption "sbat-distro-url" "https://patagia.io/") + (lib.mesonOption "sbat-distro-pkgname" pname) + (lib.mesonOption "sbat-distro-version" version) + + # Users + (lib.mesonOption 
"system-uid-max" "999") + (lib.mesonOption "system-gid-max" "999") + + # SysVinit + (lib.mesonOption "sysvinit-path" "") + (lib.mesonOption "sysvrcnd-path" "") + + # SSH + # Disabled for now until someone makes this work. + (lib.mesonOption "sshconfdir" "no") + (lib.mesonOption "sshdconfdir" "no") + + # Features + + # Tests + (lib.mesonBool "tests" false) + (lib.mesonEnable "glib" false) + (lib.mesonEnable "dbus" false) + + # Compression + (lib.mesonEnable "bzip2" true) + (lib.mesonEnable "lz4" true) + (lib.mesonEnable "xz" true) + (lib.mesonEnable "zstd" true) + (lib.mesonEnable "zlib" true) + + # NSS + (lib.mesonEnable "nss-resolve" true) + (lib.mesonBool "nss-myhostname" true) + (lib.mesonBool "nss-systemd" true) + + # Cryptsetup + (lib.mesonEnable "libcryptsetup" true) + (lib.mesonEnable "libcryptsetup-plugins" true) + (lib.mesonEnable "p11kit" true) + + # FIDO2 + (lib.mesonEnable "libfido2" true) + (lib.mesonEnable "openssl" true) + + # Password Quality + (lib.mesonEnable "pwquality" false) + (lib.mesonEnable "passwdqc" false) + + # Remote + (lib.mesonEnable "remote" false) + (lib.mesonEnable "microhttpd" false) + + (lib.mesonEnable "pam" true) + (lib.mesonEnable "acl" true) + (lib.mesonEnable "audit" true) + (lib.mesonEnable "apparmor" true) + (lib.mesonEnable "gcrypt" true) + (lib.mesonEnable "importd" true) + (lib.mesonEnable "homed" true) + (lib.mesonEnable "polkit" true) + (lib.mesonEnable "elfutils" true) + (lib.mesonEnable "libcurl" true) + (lib.mesonEnable "libidn" false) + (lib.mesonEnable "libidn2" true) + (lib.mesonEnable "libiptc" true) + (lib.mesonEnable "repart" true) + (lib.mesonEnable "sysupdate" true) + (lib.mesonEnable "seccomp" true) + (lib.mesonEnable "selinux" true) + (lib.mesonEnable "tpm2" true) + (lib.mesonEnable "pcre2" true) + (lib.mesonEnable "bpf-framework" true) + (lib.mesonEnable "bootloader" true) + (lib.mesonEnable "ukify" true) + (lib.mesonEnable "kmod" true) + (lib.mesonEnable "qrencode" true) + (lib.mesonEnable "vmspawn" 
true)
+ (lib.mesonEnable "libarchive" true)
+ (lib.mesonEnable "xenctrl" false)
+ (lib.mesonEnable "gnutls" false)
+ (lib.mesonEnable "xkbcommon" false)
+ (lib.mesonEnable "man" true)
+
+ (lib.mesonBool "analyze" true)
+ (lib.mesonBool "logind" true)
+ (lib.mesonBool "localed" true)
+ (lib.mesonBool "hostnamed" true)
+ (lib.mesonBool "machined" true)
+ (lib.mesonBool "networkd" true)
+ (lib.mesonBool "oomd" true)
+ (lib.mesonBool "portabled" true)
+ (lib.mesonBool "hwdb" true)
+ (lib.mesonBool "timedated" true)
+ (lib.mesonBool "timesyncd" true)
+ (lib.mesonBool "userdb" true)
+ (lib.mesonBool "coredump" true)
+ (lib.mesonBool "firstboot" true)
+ (lib.mesonBool "resolve" true)
+ (lib.mesonBool "sysusers" true)
+ (lib.mesonBool "efi" true)
+ (lib.mesonBool "utmp" true)
+ (lib.mesonBool "log-trace" true)
+
+ (lib.mesonBool "kernel-install" true)
+ (lib.mesonBool "quotacheck" false)
+ (lib.mesonBool "ldconfig" false)
+ (lib.mesonBool "install-sysconfdir" false)
+ (lib.mesonBool "create-log-dirs" false)
+ (lib.mesonBool "smack" true)
+ (lib.mesonBool "b_pie" true)
+
+ (lib.mesonOption "bashcompletiondir" "no")
+ (lib.mesonOption "zshcompletiondir" "no")
+ ];
+
+})
diff --git a/systemd/result b/systemd/result
new file mode 120000
index 0000000..f1d0e21
--- /dev/null
+++ b/systemd/result
@@ -0,0 +1 @@
+/nix/store/jw8923rfwly76yb8ynp5r65cvg4g9m0f-systemd-257.3
\ No newline at end of file
diff --git a/tests/common.nix b/tests/common.nix
deleted file mode 100644
index 8e1c9af..0000000
--- a/tests/common.nix
+++ /dev/null
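Review bot: `doCheck = false; # fails a bunch of tests` switches off the whole systemd test suite (and `(lib.mesonBool "tests" false)` further down keeps the tests from being built at all) for the package that, via the `bootloader`, `ukify`, `libcryptsetup` and `tpm2` options enabled in the same hunk, supplies the code the signed image chains through. Record which tests fail and why, e.g. `doCheck = false; # TODO(review): list the failing tests and exclude only those (meson test --no-suite …) rather than skipping the whole suite`, so a regression in the trust-chain components is not silently masked by a blanket skip. Separately, `hardeningDisable` drops `zerocallusedregs` and `shadowstack` for the entire build, while the only visible justification, `# breaks clang -target bpf; should be fixed to filter target?`, appears to concern the BPF objects alone; if that reading is right, a comment stating that the lost mitigations apply to PID 1 and every helper binary, not just the BPF code, would help a future reader scope the fix the comment already hints at.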
@@ -1,155 +0,0 @@ -{ - self, - lib, - pkgs, - ... -}: - -with import (pkgs.path + "/nixos/lib/testing-python.nix") { - inherit pkgs; - inherit (pkgs.hostPlatform) system; -}; - -let - qemu-common = import (pkgs.path + "/nixos/lib/qemu-common.nix") { inherit lib pkgs; }; - -in -rec { - - makeSystem = - extraConfig: - (import (pkgs.path + "/nixos/lib/eval-config.nix")) { - inherit pkgs lib; - system = null; - modules = [ - { - nixpkgs.hostPlatform = pkgs.hostPlatform; - } - { - users.allowNoPasswordLogin = true; - system.stateVersion = lib.versions.majorMinor lib.version; - system.image.id = lib.mkDefault "test"; - system.image.version = lib.mkDefault "1"; - networking.hosts."10.0.2.1" = [ "server.test" ]; - } - { - boot.kernelParams = [ - "console=ttyS0,115200n8" - "systemd.journald.forward_to_console=1" - ]; - image.compress = false; - boot.uki.name = lib.mkForce "test"; - boot.initrd.compressor = lib.mkForce "zstd"; - boot.initrd.compressorArgs = lib.mkForce [ "-8" ]; - } - (pkgs.path + "/nixos/modules/testing/test-instrumentation.nix") - self.nixosModules.devel - self.nixosModules.image - extraConfig - ]; - }; - - makeImage = - extraConfig: - let - system = makeSystem extraConfig; - in - "${system.config.system.build.image}/${system.config.system.build.image.imageFile}"; - - makeUpdatePackage = - extraConfig: - let - system = makeSystem extraConfig; - in - "${system.config.system.build.updatePackage}"; - - makeImageTest = - { - name, - image, - script, - httpRoot ? 
null, - }: - let - qemu = qemu-common.qemuBinary pkgs.qemu_test; - flags = [ - "-m" - "512M" - "-drive" - "if=pflash,format=raw,unit=0,readonly=on,file=${pkgs.OVMF.firmware}" - "-drive" - "if=pflash,format=raw,unit=1,readonly=on,file=${pkgs.OVMF.variables}" - "-drive" - "if=virtio,file=${mutableImage}" - "-chardev" - "socket,id=chrtpm,path=${tpmFolder}/swtpm-sock" - "-tpmdev" - "emulator,id=tpm0,chardev=chrtpm" - "-device" - "tpm-tis,tpmdev=tpm0" - "-netdev" - ( - "'user,id=net0" - + (lib.optionalString ( - httpRoot != null - ) ",guestfwd=tcp:10.0.2.1:80-cmd:${pkgs.micro-httpd}/bin/micro_httpd ${httpRoot}") - + "'" - ) - "-device" - "virtio-net-pci,netdev=net0" - ]; - flagsStr = lib.concatStringsSep " " flags; - startCommand = "${qemu} ${flagsStr}"; - mutableImage = "/tmp/linked-image.qcow2"; - tpmFolder = "/tmp/emulated_tpm"; - indentLines = str: lib.concatLines (map (s: " " + s) (lib.splitString "\n" str)); - in - makeTest { - inherit name; - nodes = { }; - testScript = - '' - import os - import subprocess - - subprocess.check_call( - [ - "qemu-img", - "create", - "-f", - "qcow2", - "-F", - "raw", - "-b", - "${image}", - "${mutableImage}", - ] - ) - subprocess.check_call(["qemu-img", "resize", "${mutableImage}", "4G"]) - - os.mkdir("${tpmFolder}") - os.mkdir("${tpmFolder}/swtpm") - - def start_tpm(): - subprocess.Popen( - [ - "${pkgs.swtpm}/bin/swtpm", - "socket", - "--tpmstate", "dir=${tpmFolder}/swtpm", - "--ctrl", "type=unixio,path=${tpmFolder}/swtpm-sock", - "--tpm2" - ] - ) - - machine = create_machine("${startCommand}") - - try: - '' - + indentLines script - + '' - finally: - machine.shutdown() - ''; - }; - -} diff --git a/tests/lib.nix b/tests/lib.nix deleted file mode 100644 index 4b905fa..0000000 --- a/tests/lib.nix +++ /dev/null 
@@ -1,9 +0,0 @@ -test: -{ pkgs, self }: - let nixos-lib = import (pkgs.path + "/nixos/lib") {}; -in (nixos-lib.runTest { - hostPkgs = pkgs; - defaults.documentation.enable = false; - node.specialArgs = { inherit self; }; - imports = [ test ]; -}).config.result diff --git a/tests/podman.nix b/tests/podman.nix deleted file mode 100644 index 0a3747f..0000000 --- a/tests/podman.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ pkgs, self }: let - - lib = pkgs.lib; - test-common = import ./common.nix { inherit self lib pkgs; }; - - image = test-common.makeImage { }; - -in test-common.makeImageTest { - name = "podman"; - inherit image; - script = '' - start_tpm() - machine.start() - - machine.wait_for_unit("multi-user.target") - machine.wait_for_unit("network-online.target") - - machine.succeed("tar cv --files-from /dev/null | su admin -l -c 'podman import - scratchimg'") - - machine.succeed("su admin -l -c 'podman run --rm -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg true'") - ''; -} diff --git a/tests/system-update.nix b/tests/system-update.nix deleted file mode 100644 index 26f793e..0000000 --- a/tests/system-update.nix +++ /dev/null 
@@ -1,45 +0,0 @@ -{ pkgs, self }: let - - lib = pkgs.lib; - test-common = import ./common.nix { inherit self lib pkgs; }; - - initialImage = test-common.makeImage { - system.image.version = "1"; - system.image.updates.url = "http://server.test/"; - # The default root-b is too small for uncompressed test images - systemd.repart.partitions."32-root-b" = { - SizeMinBytes = lib.mkForce "1G"; - SizeMaxBytes = lib.mkForce "1G"; - }; - }; - - updatePackage = test-common.makeUpdatePackage { - system.image.version = "2"; - system.image.updates.url = "http://server.test/"; - }; - -in test-common.makeImageTest { - name = "system-update"; - image = initialImage; - httpRoot = updatePackage; - script = '' - start_tpm() - machine.start() - - machine.wait_for_unit("multi-user.target") - machine.wait_for_unit("network-online.target") - - machine.succeed("/run/current-system/sw/lib/systemd/systemd-sysupdate update") - - machine.shutdown() - - start_tpm() - machine.start() - - machine.wait_for_unit("multi-user.target") - - machine.succeed('. /etc/os-release; [ "$IMAGE_VERSION" == "2" ]') - - machine.wait_for_unit("systemd-bless-boot.service") - ''; -} diff --git a/utils/qemu-uefi-tpm.nix b/utils/qemu-uefi-tpm.nix deleted file mode 100644 index bde07ab..0000000 --- a/utils/qemu-uefi-tpm.nix +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - config, - pkgs, - ... -}: -pkgs.writeShellApplication { - name = "qemu-uefi-tpm"; - - runtimeInputs = with pkgs; [ - qemu - swtpm - ]; - - text = - let - tpmOVMF = pkgs.OVMF.override { tpmSupport = true; }; - in - '' - set -ex - state="/tmp/patos-qemu-$USER" - rm -rf "$state" - mkdir -m 700 "$state" - qemu-img create -f qcow2 -F raw -b "$(readlink -e "$1")" "$state/disk.qcow2" 10G - - swtpm socket -d --tpmstate dir="$state" \ - --ctrl type=unixio,path="$state/swtpm-sock" \ - --tpm2 \ - --log level=20 - - qemu-system-x86_64 \ - -enable-kvm \ - -machine q35,accel=kvm \ - -cpu host \ - -smp 8 \ - -m 4G \ - -display none \ - -virtfs "local,path=/tmp,security_model=mapped,mount_tag=shared" \ - -chardev "stdio,id=char0,mux=on,logfile=$state/console.log,signal=off" \ - -serial chardev:char0 \ - -mon chardev=char0 \ - -drive "if=pflash,format=raw,unit=0,readonly=on,file=${tpmOVMF.firmware}" \ - -drive "if=pflash,format=raw,unit=1,readonly=on,file=${tpmOVMF.variables}" \ - -chardev socket,id=chrtpm,path="$state/swtpm-sock" \ - -tpmdev emulator,id=tpm0,chardev=chrtpm \ - -device tpm-tis,tpmdev=tpm0 \ - -netdev id=net00,type=user,hostfwd=tcp::2222-:22 \ - -device virtio-net-pci,netdev=net00 \ - -drive "format=qcow2,file=$state/disk.qcow2" - ''; -} From faf5fce8a407a0469ae475f773cba2e9e1145c3f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Mon, 17 Feb 2025 09:17:58 +0100 Subject: [PATCH 06/78] chore(systemd): remove nix store ref and disable some features --- systemd/default.nix | 42 +++++++++++++++++++++--------------------- systemd/result | 1 - 2 files changed, 21 insertions(+), 22 deletions(-) delete mode 120000 systemd/result diff --git a/systemd/default.nix b/systemd/default.nix index 653296d..99e4684 100644 --- a/systemd/default.nix +++ b/systemd/default.nix 
@@ -30,6 +30,8 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-GvRn55grHWR6M+tA86RMzqinuXNpPZzRB4ApuGN/ZvU="; }; + dontCheckForBrokenSymlinks = true; + patches = [ ./0017-meson.build-do-not-create-systemdstatedir.patch ]; @@ -160,12 +162,18 @@ stdenv.mkDerivation (finalAttrs: { # trigger the test -n "$DESTDIR" || mutate in upstreams build system preInstall = '' - export DESTDIR=/ + export DESTDIR=${placeholder "out"} ''; mesonFlags = [ - "--prefix=${placeholder "out"}" + "--prefix=/usr" + "--sysconfdir=/etc" + "--localstatedir=/var" + "--libdir=/usr/lib" + "--bindir=/bin" + "--includedir=/usr/include" + "--localedir=/usr/share/locale" # Options @@ -182,16 +190,7 @@ stdenv.mkDerivation (finalAttrs: { (lib.mesonOption "mode" "release") (lib.mesonOption "tty-gid" "3") # tty in NixOS has gid 3 - (lib.mesonOption "debug-shell" "${pkgs.bashInteractive}/bin/bash") - (lib.mesonOption "pamconfdir" "${placeholder "out"}/etc/pam.d") - (lib.mesonOption "shellprofiledir" "${placeholder "out"}/etc/profile.d") - (lib.mesonOption "kmod-path" "${pkgs.kmod}/bin/kmod") - (lib.mesonOption "dbuspolicydir" "${placeholder "out"}/share/dbus-1/system.d") - (lib.mesonOption "dbussessionservicedir" "${placeholder "out"}/share/dbus-1/services") - (lib.mesonOption "dbussystemservicedir" "${placeholder "out"}/share/dbus-1/system-services") - # pkgconfig - (lib.mesonOption "pkgconfiglibdir" "${placeholder "dev"}/lib/pkgconfig") - (lib.mesonOption "pkgconfigdatadir" "${placeholder "dev"}/share/pkgconfig") + (lib.mesonOption "kmod-path" "/bin/kmod") # SBAT (lib.mesonOption "sbat-distro" "patos") 
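Review bot: `dontCheckForBrokenSymlinks = true;` in the first hunk switches off a nixpkgs fixup check without recording what it is meant to tolerate; presumably the DESTDIR=$out install with `--prefix=/usr` (second hunk) leaves absolute `/usr/...` symlink targets that only resolve inside the assembled image, but that is an inference. A one-line comment such as `# DESTDIR install with --prefix=/usr: absolute symlinks resolve only inside the final image, not in the store` keeps the next reader from treating every dangling link as expected. The narrower alternative is to leave the check on and rewrite the offending links to relative targets in postInstall, so a genuinely broken reference is still caught.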
@@ -249,13 +248,13 @@ stdenv.mkDerivation (finalAttrs: { (lib.mesonEnable "remote" false) (lib.mesonEnable "microhttpd" false) - (lib.mesonEnable "pam" true) + (lib.mesonEnable "pam" false) (lib.mesonEnable "acl" true) (lib.mesonEnable "audit" true) (lib.mesonEnable "apparmor" true) (lib.mesonEnable "gcrypt" true) (lib.mesonEnable "importd" true) - (lib.mesonEnable "homed" true) + (lib.mesonEnable "homed" false) (lib.mesonEnable "polkit" true) (lib.mesonEnable "elfutils" true) (lib.mesonEnable "libcurl" true) @@ -264,6 +263,7 @@ stdenv.mkDerivation (finalAttrs: { (lib.mesonEnable "libiptc" true) (lib.mesonEnable "repart" true) (lib.mesonEnable "sysupdate" true) + (lib.mesonEnable "sysupdated" true) (lib.mesonEnable "seccomp" true) (lib.mesonEnable "selinux" true) (lib.mesonEnable "tpm2" true) @@ -273,16 +273,16 @@ stdenv.mkDerivation (finalAttrs: { (lib.mesonEnable "ukify" true) (lib.mesonEnable "kmod" true) (lib.mesonEnable "qrencode" true) - (lib.mesonEnable "vmspawn" true) + (lib.mesonEnable "vmspawn" false) (lib.mesonEnable "libarchive" true) (lib.mesonEnable "xenctrl" false) (lib.mesonEnable "gnutls" false) (lib.mesonEnable "xkbcommon" false) - (lib.mesonEnable "man" true) + (lib.mesonEnable "man" false) (lib.mesonBool "analyze" true) - (lib.mesonBool "logind" true) - (lib.mesonBool "localed" true) + (lib.mesonBool "logind" false) + (lib.mesonBool "localed" false) (lib.mesonBool "hostnamed" true) (lib.mesonBool "machined" true) (lib.mesonBool "networkd" true) @@ -291,7 +291,7 @@ stdenv.mkDerivation (finalAttrs: { (lib.mesonBool "hwdb" true) (lib.mesonBool "timedated" true) (lib.mesonBool "timesyncd" true) - (lib.mesonBool "userdb" true) + (lib.mesonBool "userdb" false) (lib.mesonBool "coredump" true) (lib.mesonBool "firstboot" true) (lib.mesonBool "resolve" true) 
@@ -303,8 +303,8 @@ stdenv.mkDerivation (finalAttrs: { (lib.mesonBool "kernel-install" true) (lib.mesonBool "quotacheck" false) (lib.mesonBool "ldconfig" false) - (lib.mesonBool "install-sysconfdir" false) - (lib.mesonBool "create-log-dirs" false) + (lib.mesonBool "install-sysconfdir" true) + (lib.mesonBool "create-log-dirs" true) (lib.mesonBool "smack" true) (lib.mesonBool "b_pie" true) diff --git a/systemd/result b/systemd/result deleted file mode 120000 index f1d0e21..0000000 --- a/systemd/result +++ /dev/null @@ -1 +0,0 @@ -/nix/store/jw8923rfwly76yb8ynp5r65cvg4g9m0f-systemd-257.3 \ No newline at end of file From dbd4e729ded250d7ddb8993e6e2fd6486a3988ed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Mon, 17 Feb 2025 15:15:24 +0100 Subject: [PATCH 07/78] silly uki image with the systemd-ukify tooling --- .gitignore | 2 + flake.nix | 151 +++++++++++++++++++++++++++++++++++++++++- glibc/default.nix | 57 ++++++++++++++++ kernel/generic.config | 8 --- systemd/default.nix | 23 +++++-- 5 files changed, 225 insertions(+), 16 deletions(-) create mode 100644 glibc/default.nix diff --git a/.gitignore b/.gitignore index 08acf41..6833589 100644 --- a/.gitignore +++ b/.gitignore @@ -4,6 +4,8 @@ .task /result /target +/out +/initrd.gz .*.swp .*.swo .nixos-test-history diff --git a/flake.nix b/flake.nix index 6a4e60f..866ed43 100644 --- a/flake.nix +++ b/flake.nix 
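Review bot: The `.gitignore` additions still anchor `/result` at the repository root, which is why `systemd/result` (a Nix build-output symlink to a store path, deleted again in patch 06 on this page) was committed in the first place. Changing the entry to the unanchored `result` (and `result-*` for multi-output builds) ignores such symlinks in every subdirectory, so a stale store path is not committed the next time someone runs `nix build` inside `systemd/`.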
@@ -21,11 +21,160 @@ packages = { default = self.packages.${system}.image; image = pkgs.writeShellScriptBin "image" '' - echo "make image here..." + echo "make UKI..." + echo ${self.packages.${system}.kernel.kernel}/bzImage + ${self.packages.${system}.systemd.out}/usr/bin/ukify build \ + --linux ${self.packages.${system}.kernel.kernel}/bzImage \ + --initrd ./initrd.gz \ + --cmdline "console=ttyS0" \ + -o patos.efi ''; kernel = pkgs.callPackage ./kernel { }; + glibc = pkgs.callPackage ./glibc { }; systemd = pkgs.callPackage ./systemd { }; + + mkinitrd = pkgs.writeShellScriptBin "mkinitrd" '' + echo "make initrd..." + mkdir -p out + + # copy systemd + cp -Pr ${self.packages.${system}.systemd.out}/* out/ + pushd out + + find . -type d -exec chmod 755 {} \; + + # Copy kernel modules + cp -Pr ${self.packages.${system}.kernel.kernel}/lib/modules ./usr/lib/ + find usr/lib/modules -type d -exec chmod 755 {} \; + + mkdir -p dev proc sys tmp root + ln -sf usr/bin bin + ln -sf usr/bin sbin + ln -sf usr/lib lib + ln -sf usr/lib lib64 + + ln -sf ../proc/self/mounts etc/mtab + ln -sf ../usr/lib/systemd/systemd init + + echo patos > ./etc/hostname + cat <<EOF > ./etc/os-release + NAME="PatOS" + PRETTY_NAME="PatOS Platform" + ID=patos + EOF + + cat <<EOF > ./etc/passwd + root::0:0:root:/root:/bin/sh + bin:x:1:1:bin:/bin:/usr/bin/nologin + daemon:x:2:2:daemon:/:/usr/bin/nologin + mail:x:8:12:mail:/var/spool/mail:/usr/bin/nologin + ftp:x:14:11:ftp:/srv/ftp:/usr/bin/nologin + http:x:33:33:http:/srv/http:/usr/bin/nologin + uuidd:x:68:68:uuidd:/:/usr/bin/nologin + dbus:x:81:81:dbus:/:/usr/bin/nologin + nobody:x:99:99:nobody:/:/usr/bin/nologin + EOF + chmod 644 ./etc/passwd + + cat <<EOF > ./etc/group + root:x:0:root + bin:x:1:root,bin,daemon + daemon:x:2:root,bin,daemon + sys:x:3:root,bin + adm:x:4:root,daemon + tty:x:5: + disk:x:6:root + lp:x:7:daemon + mem:x:8: + kmem:x:9: + wheel:x:10:root + ftp:x:11: + mail:x:12: + uucp:x:14: + log:x:19:root + utmp:x:20: + locate:x:21: + 
rfkill:x:24: + smmsp:x:25: + proc:x:26: + http:x:33: + games:x:50: + lock:x:54: + uuidd:x:68: + dbus:x:81: + network:x:90: + video:x:91: + audio:x:92: + optical:x:93: + floppy:x:94: + storage:x:95: + scanner:x:96: + input:x:97: + power:x:98: + nobody:x:99: + EOF + chmod 644 ./etc/group + + # FIXME: remove this + cat <<EOF > usr/lib/systemd/system/demo.service + [Unit] + Description=Debug Shell (/bin/sulogin) + Conflicts=shutdown.target + Before=shutdown.target + + [Service] + Environment=HOME=/root + WorkingDirectory=/root + ExecStart=/bin/sulogin + Type=idle + StandardInput=tty-force + StandardOutput=inherit + StandardError=inherit + KillMode=process + IgnoreSIGPIPE=no + SendSIGHUP=yes + Restart=always + + [Install] + WantedBy=basic.target + EOF + mkdir usr/lib/systemd/system/basic.target.wants + ln -sf ../demo.service usr/lib/systemd/system/basic.target.wants/demo.service + + # set default target + ln -sf basic.target usr/lib/systemd/system/default.target + # remove first boot + rm -f usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service + # remove vconsole setup + rm -f usr/lib/udev/rules.d/90-vconsole.rules + + # install busybox + cp ${pkgs.busybox.out}/bin/busybox usr/bin/ + usr/bin/busybox --list | xargs -I {} ln -sf busybox usr/bin/{} + + # install lib kmod + cp -P ${pkgs.kmod.lib}/lib/* ./usr/lib + cp -P ${pkgs.kmod.out}/bin/* ./usr/bin + cp -P ${pkgs.libbpf.out}/lib/libbpf* ./usr/lib + + # get shared libs + find . -type f -executable | xargs ldd 2> /dev/null | awk '{print $3}' | grep -v systemd | sort -u | xargs cp -t usr/lib + find . -type f -executable | xargs chmod 755 + + # FIXME: hacky(?) ELF patching. Is there a better way???????? + find . -type f -executable -print | xargs -I {} ${pkgs.lib.getExe pkgs.patchelf} --set-rpath /lib:/usr/lib:/usr/lib/systemd {} 2> /dev/null + find . 
-type f -executable -print | xargs -I {} ${pkgs.lib.getExe pkgs.patchelf} --set-interpreter /lib/ld-linux-x86-64.so.2 {} 2> /dev/null + cp ${ + self.packages.${system}.glibc.out + }/lib/ld-linux-x86-64.so.2 lib/ && ${pkgs.lib.getExe pkgs.patchelf} --remove-rpath lib/ld-linux-x86-64.so.2 + + # strip binaries + find . -type f -executable | xargs strip 2> /dev/null + + # gen initrd + find . -print0 | ${pkgs.lib.getExe pkgs.cpio} --null --owner=root:root -o --format=newc | ${pkgs.lib.getExe pkgs.gzip} -9 > ../initrd.gz + ''; }; checks = { diff --git a/glibc/default.nix b/glibc/default.nix new file mode 100644 index 0000000..65bebc3 --- /dev/null +++ b/glibc/default.nix @@ -0,0 +1,57 @@ +{ + fetchurl, + pkgs, + stdenv, + + ... +}: +let + version = "2.40"; + pname = "glibcStandalone"; +in +stdenv.mkDerivation (finalAttrs: { + inherit version; + + pname = pname; + + src = fetchurl { + url = "mirror://gnu/glibc/glibc-${version}.tar.xz"; + sha256 = "sha256-GaiQF16SY9dI9ieZPeb0sa+c0h4D8IDkv7Oh+sECBaI="; + }; + + enableParallelBuilding = true; + + configureFlags = [ + "--prefix=/" + "--libdir=/lib" + "--bindir=/bin" + "--sysconfdir=/etc" + ]; + + preConfigure = + '' + export PWD_P=$(type -tP pwd) + for i in configure io/ftwtest-sh; do + sed -i "$i" -e "s^/bin/pwd^$PWD_P^g" + done + + mkdir ../build + cd ../build + + configureScript="`pwd`/../$sourceRoot/configure" + ''; + + nativeBuildInputs = with pkgs; [ + bison + python3Minimal + ]; + + outputs = [ + "out" + ]; + + preInstall = '' + export DESTDIR=${placeholder "out"} + ''; + +}) diff --git a/kernel/generic.config b/kernel/generic.config index 2073cdf..7e0325c 100644 --- a/kernel/generic.config +++ b/kernel/generic.config 
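Review bot: The `./etc/passwd` heredoc in the mkinitrd script gives root an empty password field (`root::0:0:root:/root:/bin/sh`), so every local login path in this initrd, including the `demo.service` sulogin that the same script hooks into basic.target, presumably reaches a root shell with no credential; the FIXME covers the service, but the account entry is independent of it and survives its removal. Lock the account with `root:*:0:0:root:/root:/bin/sh` (or `x` plus a locked `/etc/shadow` entry) and keep the debug unit out of any target a release initrd boots. The identical heredocs and unit are carried unchanged into utils/mkinitrd.nix by the later patch on this page (hunk ending at L92). Separately, the `find … | xargs …` and `cp` pipelines here run under writeShellScriptBin, which does not set `-e`, so a failed copy or patchelf still yields an initrd; `set -euo pipefail` at the top (which writeShellApplication later provides by default) would surface that.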
@@ -1397,14 +1397,6 @@ CONFIG_MMU=y CONFIG_MODPROBE_PATH="/sbin/modprobe" CONFIG_MODULE_COMPRESS_ZSTD=y CONFIG_MODULE_FORCE_UNLOAD=y -CONFIG_MODULE_SIG_ALL=y -CONFIG_MODULE_SIG_FORCE=y -CONFIG_MODULE_SIG_FORMAT=y -CONFIG_MODULE_SIG_HASH="sha512" -CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" -CONFIG_MODULE_SIG_KEY_TYPE_RSA=y -CONFIG_MODULE_SIG_SHA512=y -CONFIG_MODULE_SIG=y CONFIG_MODULE_SRCVERSION_ALL=y CONFIG_MODULE_UNLOAD=y CONFIG_MODULES_TREE_LOOKUP=y diff --git a/systemd/default.nix b/systemd/default.nix index 99e4684..3174f0f 100644 --- a/systemd/default.nix +++ b/systemd/default.nix @@ -137,9 +137,6 @@ stdenv.mkDerivation (finalAttrs: { postPatch = '' - substituteInPlace src/basic/path-util.h --replace "@defaultPathNormal@" "${placeholder "out"}/bin/" - '' - + '' substituteInPlace meson.build \ --replace "find_program('clang'" "find_program('${stdenv.cc.targetPrefix}clang'" '' @@ -150,7 +147,7 @@ stdenv.mkDerivation (finalAttrs: { "'${targetPackages.stdenv.cc.bintools.targetPrefix}readelf'" \ --replace \ "/usr/lib/systemd/boot/efi" \ - "$out/lib/systemd/boot/efi" + "$out/usr/lib/systemd/boot/efi" '' # Finally, patch shebangs in scripts used at build time. This must not patch # scripts that will end up in the output, to avoid build platform references @@ -171,7 +168,7 @@ stdenv.mkDerivation (finalAttrs: { "--sysconfdir=/etc" "--localstatedir=/var" "--libdir=/usr/lib" - "--bindir=/bin" + "--bindir=/usr/bin" "--includedir=/usr/include" "--localedir=/usr/share/locale" 
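Review bot: Dropping `CONFIG_MODULE_SIG=y` and `CONFIG_MODULE_SIG_FORCE=y` (with the SHA512/key lines) removes module signature enforcement, so the modules mkinitrd copies from the kernel package into `usr/lib/modules`, and anything placed there later, load without any verification; the commit message gives no reason. If the motivation is the `CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"` path, note that this value is the kernel's default and makes the build generate an ephemeral key itself, so the usual approach is to keep `CONFIG_MODULE_SIG=y`, `CONFIG_MODULE_SIG_FORCE=y` and `CONFIG_MODULE_SIG_SHA512=y` and either accept the auto-generated key or point `CONFIG_MODULE_SIG_KEY` at the release signing key. The series also sets an SBAT distro id in systemd (`sbat-distro` at L76), which suggests a signed boot chain is intended; unsigned modules would be the weak link in it.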
@@ -190,7 +187,19 @@ stdenv.mkDerivation (finalAttrs: { (lib.mesonOption "mode" "release") (lib.mesonOption "tty-gid" "3") # tty in NixOS has gid 3 - (lib.mesonOption "kmod-path" "/bin/kmod") + (lib.mesonOption "kmod-path" "/usr/bin/kmod") + (lib.mesonOption "debug-shell" "/usr/bin/sh") + (lib.mesonOption "pamconfdir" "/etc/pam.d") + (lib.mesonOption "shellprofiledir" "/etc/profile.d") + (lib.mesonOption "dbuspolicydir" "/usr/share/dbus-1/system.d") + (lib.mesonOption "dbussessionservicedir" "/usr/share/dbus-1/services") + (lib.mesonOption "dbussystemservicedir" "/usr/share/dbus-1/system-services") + (lib.mesonOption "setfont-path" "/usr/bin/setfont") + (lib.mesonOption "loadkeys-path" "/usr/bin/loadkeys") + (lib.mesonOption "sulogin-path" "/usr/bin/sulogin") + (lib.mesonOption "nologin-path" "/usr/bin/nologin") + (lib.mesonOption "mount-path" "/usr/bin/mount") + (lib.mesonOption "umount-path" "/usr/bin/umount") # SBAT (lib.mesonOption "sbat-distro" "patos") @@ -281,7 +290,7 @@ stdenv.mkDerivation (finalAttrs: { (lib.mesonEnable "man" false) (lib.mesonBool "analyze" true) - (lib.mesonBool "logind" false) + (lib.mesonBool "logind" true) (lib.mesonBool "localed" false) (lib.mesonBool "hostnamed" true) (lib.mesonBool "machined" true) From 0dfda7560fe6c86cf1108f1751af5f1d337caf09 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Thu, 20 Feb 2025 10:40:53 +0100 Subject: [PATCH 08/78] chore: add dbus-broker --- dbus-broker/default.nix | 165 ++++++++++++++++++++++++++++++++++++++ flake.nix | 153 +++--------------------------------- glibc/default.nix | 16 ++-- utils/mkinitrd.nix | 170 ++++++++++++++++++++++++++++++++++++++++ utils/qemu-uefi-tpm.nix | 50 ++++++++++++ 5 files changed, 401 insertions(+), 153 deletions(-) create mode 100644 dbus-broker/default.nix create mode 100644 utils/mkinitrd.nix create mode 100644 utils/qemu-uefi-tpm.nix 
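Review bot: `(lib.mesonOption "debug-shell" "/usr/bin/sh")` deserves a comment: it only sets the shell compiled into systemd's debug-shell.service, which is an unauthenticated root shell on a VT whenever that unit is enabled, so the option is harmless by itself but the constraint should be written down, e.g. `# shell for debug-shell.service (root shell, no auth): the unit must stay disabled in release images`. The same hunk also sets `pamconfdir` and `shellprofiledir` although this file, as left by patch 06 (`(lib.mesonEnable "pam" false)` at L77), builds systemd without PAM; if that is intentional a short note prevents the next reader from assuming PAM is configured.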
diff --git a/dbus-broker/default.nix b/dbus-broker/default.nix new file mode 100644 index 0000000..cad66af --- /dev/null +++ b/dbus-broker/default.nix 
@@ -0,0 +1,165 @@ +{ + lib, + stdenv, + fetchFromGitHub, + pkgs, + ... +}: + +let + meta = { + maintainers = with lib.maintainers; [ peterhoeg ]; + platforms = lib.platforms.linux; + }; + + dep = + { + pname, + version, + hash, + rev ? "v${version}", + buildInputs ? [ ], + }: + stdenv.mkDerivation { + inherit pname version; + src = fetchFromGitHub { + owner = "c-util"; + repo = pname; + inherit hash rev; + }; + nativeBuildInputs = with pkgs; [ + meson + ninja + pkg-config + ]; + inherit buildInputs; + meta = meta // { + description = "The C-Util Project is a collection of utility libraries for the C11 language."; + homepage = "https://c-util.github.io/"; + license = [ + lib.licenses.asl20 + lib.licenses.lgpl21Plus + ]; + }; + }; + + # These libraries are not used outside of dbus-broker. + # + # If that changes, we can always break them out, but they are essentially + # part of the dbus-broker project, just in separate repositories. + c-dvar = dep { + pname = "c-dvar"; + version = "1.1.0"; + hash = "sha256-p/C+BktclVseCtZJ1Q/YK03vP2ClnYRLB1Vmj2OQJD4="; + buildInputs = [ + c-stdaux + c-utf8 + ]; + }; + c-ini = dep { + pname = "c-ini"; + version = "1.1.0"; + hash = "sha256-wa7aNl20hkb/83c4AkQ/0YFDdmBs4XGW+WLUtBWIC98="; + buildInputs = [ + c-list + c-rbtree + c-stdaux + c-utf8 + ]; + }; + c-list = dep { + pname = "c-list"; + version = "3.1.0"; + hash = "sha256-fp3EAqcbFCLaT2EstLSzwP2X13pi2EFpFAullhoCtpw="; + }; + c-rbtree = dep { + pname = "c-rbtree"; + version = "3.2.0"; + hash = "sha256-dTMeawhPLRtHvMXfXCrT5iCdoh7qS3v+raC6c+t+X38="; + buildInputs = [ c-stdaux ]; + }; + c-shquote = dep { + pname = "c-shquote"; + version = "1.1.0"; + hash = "sha256-z6hpQ/kpCYAngMNfxLkfsxaGtvP4yBMigX1lGpIIzMQ="; + buildInputs = [ c-stdaux ]; + }; + c-stdaux = dep { + pname = "c-stdaux"; + version = "1.5.0"; + hash = "sha256-MsnuEyVCmOIr/q6I1qyPsNXp48jxIEcXoYLHbOAZtW0="; + }; + c-utf8 = dep { + pname = "c-utf8"; + version = "1.1.0"; + hash = 
"sha256-9vBYylbt1ypJwIAQJd/oiAueh+4VYcn/KzofQuhUea0="; + buildInputs = [ c-stdaux ]; + }; + +in + +stdenv.mkDerivation (finalAttrs: { + pname = "dbus-broker"; + version = "36"; + + src = fetchFromGitHub { + owner = "bus1"; + repo = "dbus-broker"; + rev = "v${finalAttrs.version}"; + hash = "sha256-5dAMKjybqrHG57vArbtWEPR/svSj2ION75JrjvnnpVM="; + }; + + nativeBuildInputs = with pkgs; [ + docutils + meson + ninja + pkg-config + ]; + + buildInputs = [ + c-dvar + c-ini + c-list + c-rbtree + c-shquote + c-stdaux + c-utf8 + pkgs.dbus + pkgs.linuxHeaders + pkgs.systemd + ]; + + mesonFlags = [ + # while we technically support 4.9 and 4.14, the NixOS module will throw an + # error when using a kernel that's too old + "--prefix=/" + "--bindir=/usr/bin" + "-D=linux-4-17=true" + "-D=system-console-users=gdm,sddm,lightdm" + ]; + + PKG_CONFIG_SYSTEMD_SYSTEMDSYSTEMUNITDIR = "/usr/lib/systemd/system"; + PKG_CONFIG_SYSTEMD_SYSTEMDUSERUNITDIR = "/usr/lib/systemd/user"; + PKG_CONFIG_SYSTEMD_CATALOGDIR = "/usr/lib/systemd/catalog"; + + preInstall = '' + export DESTDIR=${placeholder "out"} + ''; + + postInstall = '' + mkdir -p $out/usr/share + cp -Pr ${pkgs.dbus.out}/share/* $out/usr/share/ + cp ${pkgs.dbus.out}/etc/systemd/system/dbus.socket $out/usr/lib/systemd/system/ + find $out/usr/share/ -type d -exec chmod 755 {} \; + sed -i 's#/nix/store.*/share#/usr/share#' $out/usr/share/xml/dbus-1/catalog.xml + sed -i 's#/nix/store.*/libexec#/usr/bin#' $out/usr/share/dbus-1/system.conf + ''; + + doCheck = false; + + meta = meta // { + description = "Linux D-Bus Message Broker"; + homepage = "https://github.com/bus1/dbus-broker/wiki"; + license = lib.licenses.asl20; + }; +}) diff --git a/flake.nix b/flake.nix index 866ed43..221d203 100644 --- a/flake.nix +++ b/flake.nix 
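Review bot: `-D=system-console-users=gdm,sddm,lightdm` in mesonFlags is carried over from the nixpkgs expression, as is the comment about kernel 4.9/4.14 and "the NixOS module", which does not exist in this tree; it grants at_console-style bus privileges to three display-manager accounts that the PatOS passwd written by mkinitrd (L80, L91) never defines. For a headless image set it to the accounts that actually exist (or an empty list), delete the stale comment, and replace `meta.maintainers = with lib.maintainers; [ peterhoeg ];`, which attributes this fork to a nixpkgs maintainer. The `sed -i 's#/nix/store.*/share#/usr/share#'` in postInstall uses a greedy `.*`, so a line holding more than one store path or `/share` would be rewritten past the first path; `s#/nix/store/[^/]*/share#/usr/share#` limits it to one path component.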
@@ -16,165 +16,30 @@ system: let pkgs = import nixpkgs { inherit system; }; + patosPkgs = self.packages.${system}; in { packages = { default = self.packages.${system}.image; image = pkgs.writeShellScriptBin "image" '' + set -ex echo "make UKI..." - echo ${self.packages.${system}.kernel.kernel}/bzImage + + mkdir -p patos/efi/boot ${self.packages.${system}.systemd.out}/usr/bin/ukify build \ --linux ${self.packages.${system}.kernel.kernel}/bzImage \ --initrd ./initrd.gz \ --cmdline "console=ttyS0" \ - -o patos.efi + -o patos/efi/boot/bootx64.efi ''; kernel = pkgs.callPackage ./kernel { }; glibc = pkgs.callPackage ./glibc { }; systemd = pkgs.callPackage ./systemd { }; + dbus-broker = pkgs.callPackage ./dbus-broker { }; - mkinitrd = pkgs.writeShellScriptBin "mkinitrd" '' - echo "make initrd..." - mkdir -p out - - # copy systemd - cp -Pr ${self.packages.${system}.systemd.out}/* out/ - pushd out - - find . -type d -exec chmod 755 {} \; - - # Copy kernel modules - cp -Pr ${self.packages.${system}.kernel.kernel}/lib/modules ./usr/lib/ - find usr/lib/modules -type d -exec chmod 755 {} \; - - mkdir -p dev proc sys tmp root - ln -sf usr/bin bin - ln -sf usr/bin sbin - ln -sf usr/lib lib - ln -sf usr/lib lib64 - - ln -sf ../proc/self/mounts etc/mtab - ln -sf ../usr/lib/systemd/systemd init - - echo patos > ./etc/hostname - cat <<EOF > ./etc/os-release - NAME="PatOS" - PRETTY_NAME="PatOS Platform" - ID=patos - EOF - - cat <<EOF > ./etc/passwd - root::0:0:root:/root:/bin/sh - bin:x:1:1:bin:/bin:/usr/bin/nologin - daemon:x:2:2:daemon:/:/usr/bin/nologin - mail:x:8:12:mail:/var/spool/mail:/usr/bin/nologin - ftp:x:14:11:ftp:/srv/ftp:/usr/bin/nologin - http:x:33:33:http:/srv/http:/usr/bin/nologin - uuidd:x:68:68:uuidd:/:/usr/bin/nologin - dbus:x:81:81:dbus:/:/usr/bin/nologin - nobody:x:99:99:nobody:/:/usr/bin/nologin - EOF - chmod 644 ./etc/passwd - - cat <<EOF > ./etc/group - root:x:0:root - bin:x:1:root,bin,daemon - daemon:x:2:root,bin,daemon - sys:x:3:root,bin - adm:x:4:root,daemon 
- tty:x:5: - disk:x:6:root - lp:x:7:daemon - mem:x:8: - kmem:x:9: - wheel:x:10:root - ftp:x:11: - mail:x:12: - uucp:x:14: - log:x:19:root - utmp:x:20: - locate:x:21: - rfkill:x:24: - smmsp:x:25: - proc:x:26: - http:x:33: - games:x:50: - lock:x:54: - uuidd:x:68: - dbus:x:81: - network:x:90: - video:x:91: - audio:x:92: - optical:x:93: - floppy:x:94: - storage:x:95: - scanner:x:96: - input:x:97: - power:x:98: - nobody:x:99: - EOF - chmod 644 ./etc/group - - # FIXME: remove this - cat <<EOF > usr/lib/systemd/system/demo.service - [Unit] - Description=Debug Shell (/bin/sulogin) - Conflicts=shutdown.target - Before=shutdown.target - - [Service] - Environment=HOME=/root - WorkingDirectory=/root - ExecStart=/bin/sulogin - Type=idle - StandardInput=tty-force - StandardOutput=inherit - StandardError=inherit - KillMode=process - IgnoreSIGPIPE=no - SendSIGHUP=yes - Restart=always - - [Install] - WantedBy=basic.target - EOF - mkdir usr/lib/systemd/system/basic.target.wants - ln -sf ../demo.service usr/lib/systemd/system/basic.target.wants/demo.service - - # set default target - ln -sf basic.target usr/lib/systemd/system/default.target - # remove first boot - rm -f usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service - # remove vconsole setup - rm -f usr/lib/udev/rules.d/90-vconsole.rules - - # install busybox - cp ${pkgs.busybox.out}/bin/busybox usr/bin/ - usr/bin/busybox --list | xargs -I {} ln -sf busybox usr/bin/{} - - # install lib kmod - cp -P ${pkgs.kmod.lib}/lib/* ./usr/lib - cp -P ${pkgs.kmod.out}/bin/* ./usr/bin - cp -P ${pkgs.libbpf.out}/lib/libbpf* ./usr/lib - - # get shared libs - find . -type f -executable | xargs ldd 2> /dev/null | awk '{print $3}' | grep -v systemd | sort -u | xargs cp -t usr/lib - find . -type f -executable | xargs chmod 755 - - # FIXME: hacky(?) ELF patching. Is there a better way???????? - find . 
-type f -executable -print | xargs -I {} ${pkgs.lib.getExe pkgs.patchelf} --set-rpath /lib:/usr/lib:/usr/lib/systemd {} 2> /dev/null - find . -type f -executable -print | xargs -I {} ${pkgs.lib.getExe pkgs.patchelf} --set-interpreter /lib/ld-linux-x86-64.so.2 {} 2> /dev/null - cp ${ - self.packages.${system}.glibc.out - }/lib/ld-linux-x86-64.so.2 lib/ && ${pkgs.lib.getExe pkgs.patchelf} --remove-rpath lib/ld-linux-x86-64.so.2 - - # strip binaries - find . -type f -executable | xargs strip 2> /dev/null - - # gen initrd - find . -print0 | ${pkgs.lib.getExe pkgs.cpio} --null --owner=root:root -o --format=newc | ${pkgs.lib.getExe pkgs.gzip} -9 > ../initrd.gz - ''; + mkinitrd = pkgs.callPackage ./utils/mkinitrd.nix { inherit patosPkgs; }; + qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { }; }; checks = { @@ -193,6 +58,8 @@ nixd nixfmt-rfc-style squashfs-tools-ng + self.packages.${system}.qemu-uefi-tpm + self.packages.${system}.mkinitrd ]; }; diff --git a/glibc/default.nix b/glibc/default.nix index 65bebc3..b5028c0 100644 --- a/glibc/default.nix +++ b/glibc/default.nix @@ -1,25 +1,21 @@ { - fetchurl, pkgs, stdenv, ... }: let - version = "2.40"; - pname = "glibcStandalone"; + version = pkgs.glibc.version; + src = pkgs.glibc.src; + pname = "glibcPatos"; in stdenv.mkDerivation (finalAttrs: { inherit version; - - pname = pname; - - src = fetchurl { - url = "mirror://gnu/glibc/glibc-${version}.tar.xz"; - sha256 = "sha256-GaiQF16SY9dI9ieZPeb0sa+c0h4D8IDkv7Oh+sECBaI="; - }; + inherit src; + inherit pname; enableParallelBuilding = true; + dontPatchShebangs = true; configureFlags = [ "--prefix=/" diff --git a/utils/mkinitrd.nix b/utils/mkinitrd.nix new file mode 100644 index 0000000..0bd234c --- /dev/null +++ b/utils/mkinitrd.nix 
@@ -0,0 +1,170 @@ +{ + pkgs, + patosPkgs, + ... +}: +pkgs.writeShellApplication { + name = "mkinitrd"; + + runtimeInputs = with pkgs; [ + patchelf + cpio + gzip + ]; + + text = '' + echo "Building initram disk" + mkdir -p root + pushd root + + ### create directories + mkdir -p etc dev proc sys tmp root + ln -sf usr/bin bin + ln -sf usr/bin sbin + ln -sf usr/lib lib + ln -sf usr/lib lib64 + ln -sf ../proc/self/mounts etc/mtab + ln -sf ../usr/lib/systemd/systemd init + + ### install systemd + cp -Pr ${patosPkgs.systemd.out}/* ./ + find . -type d -exec chmod 755 {} \; + rm -rf ./usr/include + rm -rf ./usr/sbin + # set default target to basic + mkdir usr/lib/systemd/system/basic.target.wants + ln -sf basic.target usr/lib/systemd/system/default.target + # remove first boot + rm -f usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service + # remove vconsole setup + rm -f usr/lib/udev/rules.d/90-vconsole.rules + + ### install PatOS glibc + cp -Pr ${patosPkgs.glibc.out}/lib/*.so* ./usr/lib/ + + ### install kernel modules + cp -Pr ${patosPkgs.kernel.kernel}/lib/modules ./usr/lib/ + find usr/lib/modules -type d -exec chmod 755 {} \; + + ### install busybox + cp ${pkgs.busybox.out}/bin/busybox ./usr/bin/ + usr/bin/busybox --list | xargs -I {} ln -sf busybox usr/bin/{} + + ### install dbus broker + cp -r ${patosPkgs.dbus-broker.out}/* ./ + ln -sf ../dbus-broker.service usr/lib/systemd/system/basic.target.wants/dbus.service + ln -sf ../dbus.socket usr/lib/systemd/system/sockets.target.wants/dbus.socket + + ### install lib kmod + cp -P ${pkgs.kmod.lib}/lib/* ./usr/lib + cp -P ${pkgs.kmod.out}/bin/* ./usr/bin + + ### install libbpf + cp -P ${pkgs.libbpf.out}/lib/libbpf* ./usr/lib + + ### Find and install all shared libs + find . -type f -executable -exec ldd {} \; 2> /dev/null | awk '{print $3}' | grep -v systemd | grep -v glibc | sort -u | xargs cp -t usr/lib + find . 
-type f -executable -exec chmod 755 {} \; + + + ### Create needed files + echo patos > ./etc/hostname + cat <<EOF > ./etc/os-release + NAME="PatOS" + PRETTY_NAME="PatOS Platform" + ID=patos + EOF + + cat <<EOF > ./etc/passwd + root::0:0:root:/root:/bin/sh + bin:x:1:1:bin:/bin:/usr/bin/nologin + daemon:x:2:2:daemon:/:/usr/bin/nologin + mail:x:8:12:mail:/var/spool/mail:/usr/bin/nologin + ftp:x:14:11:ftp:/srv/ftp:/usr/bin/nologin + http:x:33:33:http:/srv/http:/usr/bin/nologin + uuidd:x:68:68:uuidd:/:/usr/bin/nologin + messagebus:x:81:81:messagebus:/:/usr/bin/nologin + nobody:x:99:99:nobody:/:/usr/bin/nologin + EOF + chmod 644 ./etc/passwd + + cat <<EOF > ./etc/group + root:x:0:root + bin:x:1:root,bin,daemon + daemon:x:2:root,bin,daemon + sys:x:3:root,bin + adm:x:4:root,daemon + tty:x:5: + disk:x:6:root + lp:x:7:daemon + mem:x:8: + kmem:x:9: + wheel:x:10:root + ftp:x:11: + mail:x:12: + uucp:x:14: + log:x:19:root + utmp:x:20: + locate:x:21: + rfkill:x:24: + smmsp:x:25: + proc:x:26: + http:x:33: + games:x:50: + lock:x:54: + uuidd:x:68: + messagebus:x:81: + network:x:90: + video:x:91: + audio:x:92: + optical:x:93: + floppy:x:94: + storage:x:95: + scanner:x:96: + input:x:97: + power:x:98: + nobody:x:99: + EOF + chmod 644 ./etc/group + + # FIXME: remove this later (just to get a shell in the initramfs) + cat <<EOF > usr/lib/systemd/system/demo.service + [Unit] + Description=Debug Shell (/bin/sulogin) + Conflicts=shutdown.target + Before=shutdown.target + + [Service] + Environment=HOME=/root + WorkingDirectory=/root + ExecStart=/bin/sulogin + Type=idle + StandardInput=tty-force + StandardOutput=inherit + StandardError=inherit + KillMode=process + IgnoreSIGPIPE=no + SendSIGHUP=yes + Restart=always + + [Install] + WantedBy=basic.target + EOF + ln -sf ../demo.service usr/lib/systemd/system/basic.target.wants/demo.service + + # FIXME: ELF patching. Is there a better way? + find . 
-type f -executable -exec patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd {} \; 2> /dev/null + find . -type f -executable -exec patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 {} \; 2> /dev/null + patchelf --remove-rpath ./usr/lib/ld-linux-x86-64.so.2 + + # strip binaries + find . -type f -executable -exec strip {} \; 2> /dev/null + find . -type d -exec chmod 755 {} \; + + # gen initrd + find . -print0 | cpio --null --owner=root:root -o --format=newc | gzip -9 > ../initrd.gz + + popd + rm -rf root + ''; +} diff --git a/utils/qemu-uefi-tpm.nix b/utils/qemu-uefi-tpm.nix new file mode 100644 index 0000000..e6a27f9 --- /dev/null +++ b/utils/qemu-uefi-tpm.nix @@ -0,0 +1,50 @@ +{ + pkgs, + ... +}: +pkgs.writeShellApplication { + name = "qemu-uefi-tpm"; + + runtimeInputs = with pkgs; [ + qemu + swtpm + ]; + + text = + let + tpmOVMF = pkgs.OVMF.override { tpmSupport = true; }; + in + '' + set -ex + state="/tmp/patos-qemu-$USER" + rm -rf "$state" + mkdir -m 700 "$state" + truncate -s 1G "$state/disk.raw" + + swtpm socket -d --tpmstate dir="$state" \ + --ctrl type=unixio,path="$state/swtpm-sock" \ + --tpm2 \ + --log level=20 + + qemu-system-x86_64 \ + -enable-kvm \ + -machine q35,accel=kvm \ + -cpu host \ + -smp 8 \ + -m 4G \ + -display none \ + -nographic \ + -chardev "stdio,id=char0,mux=on,logfile=$state/console.log,signal=off" \ + -serial chardev:char0 \ + -mon chardev=char0 \ + -drive "if=pflash,format=raw,unit=0,readonly=on,file=${tpmOVMF.firmware}" \ + -drive "if=pflash,format=raw,unit=1,readonly=on,file=${tpmOVMF.variables}" \ + -chardev socket,id=chrtpm,path="$state/swtpm-sock" \ + -tpmdev emulator,id=tpm0,chardev=chrtpm \ + -device tpm-tis,tpmdev=tpm0 \ + -netdev id=net00,type=user,hostfwd=tcp::2222-:22 \ + -device virtio-net-pci,netdev=net00 \ + -drive "file=fat:rw:patos/,format=raw" \ + -drive "format=raw,file=$state/disk.raw" + ''; +} From a689fa9925e76da6000a171764c14f25a43cce60 Mon Sep 17 00:00:00 2001 
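Review bot: The ELF-patching and strip steps at the end of the mkinitrd script run as `find … -exec … \; 2> /dev/null`, so a patchelf failure neither stops the script (find's exit status does not reliably reflect `-exec` results, even with writeShellApplication's errexit/pipefail) nor appears in the log, and a binary whose interpreter or rpath still points into `/nix/store` is silently packed into the initrd. Drop the `2> /dev/null` and add a guard before the cpio step, e.g. `if grep -rl /nix/store . ; then echo "store references left in initrd" >&2; exit 1; fi`, which is also the check that catches the references this series is trying to remove (the sed lines in dbus-broker/default.nix exist for the same reason); any hits it reports should be triaged rather than suppressed.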
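Review bot: `-netdev id=net00,type=user,hostfwd=tcp::2222-:22` in qemu-uefi-tpm.nix leaves the host address empty, so QEMU binds the forwarded port on all host interfaces and anything on the developer's network can reach the guest's port 22; `hostfwd=tcp:127.0.0.1:2222-:22` restricts it to loopback. The state directory is the predictable `/tmp/patos-qemu-$USER`, which is `rm -rf`'d and recreated on every run; `state="$(mktemp -d /tmp/patos-qemu.XXXXXX)"` avoids pre-created paths in a shared /tmp and keeps the `mkdir -m 700` intent, at the cost of cleaning up explicitly.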
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Fri, 21 Feb 2025 12:22:21 +0100 Subject: [PATCH 09/78] chore: rootfs pkg --- flake.nix | 1 + rootfs/default.nix | 30 +++++++++++++++++++++++++ rootfs/mkrootfs.sh | 54 +++++++++++++++++++++++++++++++++++++++++++++ utils/mkinitrd.nix | 55 +++++----------------------------------------- 4 files changed, 90 insertions(+), 50 deletions(-) create mode 100644 rootfs/default.nix create mode 100644 rootfs/mkrootfs.sh diff --git a/flake.nix b/flake.nix index 221d203..90fe634 100644 --- a/flake.nix +++ b/flake.nix @@ -37,6 +37,7 @@ glibc = pkgs.callPackage ./glibc { }; systemd = pkgs.callPackage ./systemd { }; dbus-broker = pkgs.callPackage ./dbus-broker { }; + rootfs = pkgs.callPackage ./rootfs { inherit patosPkgs; }; mkinitrd = pkgs.callPackage ./utils/mkinitrd.nix { inherit patosPkgs; }; qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { }; diff --git a/rootfs/default.nix b/rootfs/default.nix new file mode 100644 index 0000000..755050f --- /dev/null +++ b/rootfs/default.nix @@ -0,0 +1,30 @@ +{ + pkgs, + stdenvNoCC, + patosPkgs, + ... +}: +let + version = "0.0.1"; + pname = "patos-rootfs"; +in +stdenvNoCC.mkDerivation (finalAttrs: { + inherit version; + inherit pname; + + buildInputs = with pkgs; [ + glibc + binutils + ]; + + glibcPatos = patosPkgs.glibc.out; + systemd = patosPkgs.systemd.out; + dbusBroker = patosPkgs.dbus-broker.out; + kernel = patosPkgs.kernel.kernel; + busybox = pkgs.busybox.out; + kmodLibs = pkgs.kmod.lib; + kmodBin = pkgs.kmod.out; + libbpf = pkgs.libbpf.out; + + builder = ./mkrootfs.sh; +}) diff --git a/rootfs/mkrootfs.sh b/rootfs/mkrootfs.sh new file mode 100644 index 0000000..b850129 --- /dev/null +++ b/rootfs/mkrootfs.sh 
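Review bot: `buildInputs = with pkgs; [ glibc binutils ];` in rootfs/default.nix puts build-time tools in the host-side slot; the builder uses them only to run `ldd`, `strip` and `patchelf` on the build machine, so they belong in `nativeBuildInputs` (`ldd` ships in glibc's `bin` output, so `glibc.bin` rather than `glibc`, and `patchelf` should be listed unless the stdenv is relied on to provide it). With `builder = ./mkrootfs.sh;` mkDerivation's phases and setup hooks (fixup store-path checks, patchShebangs) are bypassed; if that is intended, a comment such as `# custom builder: no stdenv phases or fixup, mkrootfs.sh does its own checks` records it.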
@@ -0,0 +1,54 @@ +set -ex -o pipefail + +mkdir -p $out +mkdir -p $out/etc $out/dev $out/proc $out/sys $out/tmp $out/root +ln -sf ../usr/bin $out/bin +ln -sf ../usr/bin $out/sbin +ln -sf ../usr/lib $out/lib +ln -sf ../usr/lib $out/lib64 +ln -sf ../proc/self/mounts $out/etc/mtab + +### install systemd +echo "Installing systemd" +cp -Pr $systemd/* $out/ +find $out -type d -exec chmod 755 {} \; +rm -rf $out/usr/include +rm -rf $out/usr/sbin +rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service +# remove vconsole setup +rm -f $out/usr/lib/udev/rules.d/90-vconsole.rules + +### install PatOS glibc +cp -P $glibcPatos/lib/*.so* $out/usr/lib/ + +### install kernel modules +cp -r $kernel/lib/modules $out/usr/lib/ +find $out/usr/lib/modules -type d -exec chmod 755 {} \; + +### install busybox +cp $busybox/bin/busybox $out/usr/bin/ +$out/usr/bin/busybox --list | xargs -I {} ln -sf busybox $out/usr/bin/{} + +### install dbus broker +cp -r $dbusBroker/* $out/ + +### install lib kmod +cp -P $kmodLibs/lib/* $out/usr/lib +cp -P $kmodBin/bin/* $out/usr/bin + +### install libbpf +cp -P $libbpf/lib/libbpf* $out/usr/lib + +### Find and install all shared libs +find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | grep -v systemd | grep -v glibc | sort -u | xargs cp -t $out/usr/lib +find $out -type f -executable -exec chmod 755 {} \; + +# FIXME: ELF patching. Is there a better way? +find $out -type f -executable -exec patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd {} \; +find $out -type f -executable -exec patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 {} \; +patchelf --remove-rpath $out/usr/lib/ld-linux-x86-64.so.2 + +# strip binaries +find $out -type f -executable -exec strip {} \; +find $out -type d -exec chmod 755 {} \; + diff --git a/utils/mkinitrd.nix b/utils/mkinitrd.nix index 0bd234c..47f7f30 100644 --- a/utils/mkinitrd.nix +++ b/utils/mkinitrd.nix 
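Review bot: The `find $out -type f -executable -exec patchelf ... {} \;` and `-exec strip {} \;` loops can never fail the build, because with the `\;` form find ignores each command's exit status (and unlike the initrd script this mirrors, stderr is not even suppressed here, so the noise is printed and then ignored), which means an executable patchelf could not rewrite keeps its /nix/store interpreter and rpath and the image silently ships it. Restrict the loop to ELF files and use the `+` form so a failure aborts under `set -e`: `find $out -type f -executable -exec sh -c 'head -c 4 "$1" | grep -q ELF' _ {} \; -exec patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd {} +` (and likewise for `--set-interpreter` and `strip`). The `ldd ... | grep -v systemd | grep -v glibc` filter matches on store-path substrings, so it also drops any unrelated library whose package name happens to contain those words; matching on the concrete `$systemd` and `$glibcPatos` prefixes is more precise. Note too that kmod and libbpf were linked against nixpkgs' glibc but will run against the PatOS glibc copied in above — presumably intended, but worth a comment confirming the versions are ABI-compatible.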
@@ -7,7 +7,6 @@ pkgs.writeShellApplication { name = "mkinitrd"; runtimeInputs = with pkgs; [ - patchelf cpio gzip ]; 
@@ -17,56 +16,21 @@ pkgs.writeShellApplication { mkdir -p root pushd root + ### copy rootfs + cp -prP ${patosPkgs.rootfs}/* . + find . -type d -exec chmod 755 {} \; + ### create directories - mkdir -p etc dev proc sys tmp root - ln -sf usr/bin bin - ln -sf usr/bin sbin - ln -sf usr/lib lib - ln -sf usr/lib lib64 - ln -sf ../proc/self/mounts etc/mtab ln -sf ../usr/lib/systemd/systemd init - ### install systemd - cp -Pr ${patosPkgs.systemd.out}/* ./ - find . -type d -exec chmod 755 {} \; - rm -rf ./usr/include - rm -rf ./usr/sbin # set default target to basic mkdir usr/lib/systemd/system/basic.target.wants ln -sf basic.target usr/lib/systemd/system/default.target - # remove first boot - rm -f usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service - # remove vconsole setup - rm -f usr/lib/udev/rules.d/90-vconsole.rules - ### install PatOS glibc - cp -Pr ${patosPkgs.glibc.out}/lib/*.so* ./usr/lib/ - - ### install kernel modules - cp -Pr ${patosPkgs.kernel.kernel}/lib/modules ./usr/lib/ - find usr/lib/modules -type d -exec chmod 755 {} \; - - ### install busybox - cp ${pkgs.busybox.out}/bin/busybox ./usr/bin/ - usr/bin/busybox --list | xargs -I {} ln -sf busybox usr/bin/{} - - ### install dbus broker - cp -r ${patosPkgs.dbus-broker.out}/* ./ + # enable dbus broker ln -sf ../dbus-broker.service usr/lib/systemd/system/basic.target.wants/dbus.service ln -sf ../dbus.socket usr/lib/systemd/system/sockets.target.wants/dbus.socket - ### install lib kmod - cp -P ${pkgs.kmod.lib}/lib/* ./usr/lib - cp -P ${pkgs.kmod.out}/bin/* ./usr/bin - - ### install libbpf - cp -P ${pkgs.libbpf.out}/lib/libbpf* ./usr/lib - - ### Find and install all shared libs - find . -type f -executable -exec ldd {} \; 2> /dev/null | awk '{print $3}' | grep -v systemd | grep -v glibc | sort -u | xargs cp -t usr/lib - find . -type f -executable -exec chmod 755 {} \; - - ### Create needed files echo patos > ./etc/hostname cat <<EOF > ./etc/os-release 
@@ -152,15 +116,6 @@ pkgs.writeShellApplication { EOF ln -sf ../demo.service usr/lib/systemd/system/basic.target.wants/demo.service - # FIXME: ELF patching. Is there a better way? - find . -type f -executable -exec patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd {} \; 2> /dev/null - find . -type f -executable -exec patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 {} \; 2> /dev/null - patchelf --remove-rpath ./usr/lib/ld-linux-x86-64.so.2 - - # strip binaries - find . -type f -executable -exec strip {} \; 2> /dev/null - find . -type d -exec chmod 755 {} \; - # gen initrd find . -print0 | cpio --null --owner=root:root -o --format=newc | gzip -9 > ../initrd.gz From 9ff916d0a3fbdc615b4fc989da26b2b082992efe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Mon, 24 Feb 2025 09:14:11 +0100 Subject: [PATCH 10/78] chore: xz compressed initrd and remove systemd patch --- .gitignore | 3 ++- flake.nix | 2 +- ....build-do-not-create-systemdstatedir.patch | 21 ------------------- systemd/default.nix | 6 +----- utils/mkinitrd.nix | 4 ++-- 5 files changed, 6 insertions(+), 30 deletions(-) delete mode 100644 systemd/0017-meson.build-do-not-create-systemdstatedir.patch diff --git a/.gitignore b/.gitignore index 6833589..8cfe0d4 100644 --- a/.gitignore +++ b/.gitignore @@ -5,7 +5,8 @@ /result /target /out -/initrd.gz +/initrd* +/patos* .*.swp .*.swo .nixos-test-history diff --git a/flake.nix b/flake.nix index 90fe634..9e95404 100644 --- a/flake.nix +++ b/flake.nix @@ -28,7 +28,7 @@ mkdir -p patos/efi/boot ${self.packages.${system}.systemd.out}/usr/bin/ukify build \ --linux ${self.packages.${system}.kernel.kernel}/bzImage \ - --initrd ./initrd.gz \ + --initrd ./initrd.xz \ --cmdline "console=ttyS0" \ -o patos/efi/boot/bootx64.efi ''; diff --git a/systemd/0017-meson.build-do-not-create-systemdstatedir.patch b/systemd/0017-meson.build-do-not-create-systemdstatedir.patch deleted file mode 100644 index debcaab..0000000 
--- a/systemd/0017-meson.build-do-not-create-systemdstatedir.patch +++ /dev/null @@ -1,21 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: nikstur <nikstur@outlook.com> -Date: Mon, 6 Nov 2023 22:51:38 +0100 -Subject: [PATCH] meson.build: do not create systemdstatedir - ---- - meson.build | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/meson.build b/meson.build -index bffda86845..cb5dcec0f9 100644 ---- a/meson.build -+++ b/meson.build -@@ -2781,7 +2781,6 @@ install_data('LICENSE.GPL2', - install_subdir('LICENSES', - install_dir : docdir) - --install_emptydir(systemdstatedir) - - ##################################################################### - diff --git a/systemd/default.nix b/systemd/default.nix index 3174f0f..4daf9ed 100644 --- a/systemd/default.nix +++ b/systemd/default.nix @@ -32,10 +32,6 @@ stdenv.mkDerivation (finalAttrs: { dontCheckForBrokenSymlinks = true; - patches = [ - ./0017-meson.build-do-not-create-systemdstatedir.patch - ]; - nativeBuildInputs = with pkgs; [ bash pkg-config @@ -196,7 +192,7 @@ stdenv.mkDerivation (finalAttrs: { (lib.mesonOption "dbussystemservicedir" "/usr/share/dbus-1/system-services") (lib.mesonOption "setfont-path" "/usr/bin/setfont") (lib.mesonOption "loadkeys-path" "/usr/bin/loadkeys") - (lib.mesonOption "sulogin-path" "/usr/bin/sulogin") + (lib.mesonOption "sulogin-path" "/usr/bin/sulogin") (lib.mesonOption "nologin-path" "/usr/bin/nologin") (lib.mesonOption "mount-path" "/usr/bin/mount") (lib.mesonOption "umount-path" "/usr/bin/umount") diff --git a/utils/mkinitrd.nix b/utils/mkinitrd.nix index 47f7f30..201d14c 100644 --- a/utils/mkinitrd.nix +++ b/utils/mkinitrd.nix @@ -8,7 +8,7 @@ pkgs.writeShellApplication { runtimeInputs = with pkgs; [ cpio - gzip + xz ]; text = '' 
@@ -117,7 +117,7 @@ pkgs.writeShellApplication { ln -sf ../demo.service usr/lib/systemd/system/basic.target.wants/demo.service # gen initrd - find . -print0 | cpio --null --owner=root:root -o --format=newc | gzip -9 > ../initrd.gz + find . -print0 | cpio --null --owner=root:root -o --format=newc | xz -9 --check=crc32 > ../initrd.xz popd rm -rf root From e7470498e5d109c044e52868c192076892cdb371 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Mon, 24 Feb 2025 15:01:03 +0100 Subject: [PATCH 11/78] fix: create derivation for initrd creation --- flake.nix | 8 +-- rootfs/mkinitrd.nix | 23 ++++++++ rootfs/mkinitrd.sh | 110 ++++++++++++++++++++++++++++++++++++++ utils/mkinitrd.nix | 125 -------------------------------------------- 4 files changed, 137 insertions(+), 129 deletions(-) create mode 100644 rootfs/mkinitrd.nix create mode 100644 rootfs/mkinitrd.sh delete mode 100644 utils/mkinitrd.nix diff --git a/flake.nix b/flake.nix index 9e95404..146376c 100644 --- a/flake.nix +++ b/flake.nix @@ -26,9 +26,9 @@ echo "make UKI..." mkdir -p patos/efi/boot - ${self.packages.${system}.systemd.out}/usr/bin/ukify build \ - --linux ${self.packages.${system}.kernel.kernel}/bzImage \ - --initrd ./initrd.xz \ + ${patosPkgs.systemd.out}/usr/bin/ukify build \ + --linux ${patosPkgs.kernel.kernel}/bzImage \ + --initrd ${patosPkgs.initrd.out}/initrd.xz \ --cmdline "console=ttyS0" \ -o patos/efi/boot/bootx64.efi ''; @@ -38,8 +38,8 @@ systemd = pkgs.callPackage ./systemd { }; dbus-broker = pkgs.callPackage ./dbus-broker { }; rootfs = pkgs.callPackage ./rootfs { inherit patosPkgs; }; + initrd = pkgs.callPackage ./rootfs/mkinitrd.nix { inherit patosPkgs; }; - mkinitrd = pkgs.callPackage ./utils/mkinitrd.nix { inherit patosPkgs; }; qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { }; }; diff --git a/rootfs/mkinitrd.nix b/rootfs/mkinitrd.nix new file mode 100644 index 0000000..f564813 --- /dev/null +++ b/rootfs/mkinitrd.nix 
@@ -0,0 +1,23 @@ +{ + pkgs, + stdenvNoCC, + patosPkgs, + ... +}: +let + version = "0.0.1"; + pname = "patos-ramdisk"; +in +stdenvNoCC.mkDerivation (finalAttrs: { + inherit version; + inherit pname; + + buildInputs = with pkgs; [ + cpio + xz + ]; + + rootfs = patosPkgs.rootfs.out; + + builder = ./mkinitrd.sh; +}) diff --git a/rootfs/mkinitrd.sh b/rootfs/mkinitrd.sh new file mode 100644 index 0000000..2fe7770 --- /dev/null +++ b/rootfs/mkinitrd.sh 
@@ -0,0 +1,110 @@ +set -ex -p pipefail +echo "Building initram disk" +mkdir -p $out/root +pushd $out/root + +### copy rootfs +cp -prP $rootfs/* . +find . -type d -exec chmod 755 {} \; + +### create directories +ln -sf ../usr/lib/systemd/systemd init + +# set default target to basic +mkdir usr/lib/systemd/system/basic.target.wants +ln -sf basic.target usr/lib/systemd/system/default.target + +# enable dbus broker +ln -sf ../dbus-broker.service usr/lib/systemd/system/basic.target.wants/dbus-broker.service +ln -sf ../dbus.socket usr/lib/systemd/system/sockets.target.wants/dbus.socket + +### Create needed files +echo patos > ./etc/hostname +cat <<EOF > ./etc/os-release +NAME="PatOS" +PRETTY_NAME="PatOS Platform" +ID=patos +EOF + +cat <<EOF > ./etc/passwd +root::0:0:root:/root:/bin/sh +bin:x:1:1:bin:/bin:/usr/bin/nologin +daemon:x:2:2:daemon:/:/usr/bin/nologin +mail:x:8:12:mail:/var/spool/mail:/usr/bin/nologin +ftp:x:14:11:ftp:/srv/ftp:/usr/bin/nologin +http:x:33:33:http:/srv/http:/usr/bin/nologin +uuidd:x:68:68:uuidd:/:/usr/bin/nologin +messagebus:x:81:81:messagebus:/:/usr/bin/nologin +nobody:x:99:99:nobody:/:/usr/bin/nologin +EOF +chmod 644 ./etc/passwd + +cat <<EOF > ./etc/group +root:x:0:root +bin:x:1:root,bin,daemon +daemon:x:2:root,bin,daemon +sys:x:3:root,bin +adm:x:4:root,daemon +tty:x:5: +disk:x:6:root +lp:x:7:daemon +mem:x:8: +kmem:x:9: +wheel:x:10:root +ftp:x:11: +mail:x:12: +uucp:x:14: +log:x:19:root +utmp:x:20: +locate:x:21: +rfkill:x:24: +smmsp:x:25: +proc:x:26: +http:x:33: +games:x:50: +lock:x:54: +uuidd:x:68: +messagebus:x:81: +network:x:90: +video:x:91: +audio:x:92: +optical:x:93: +floppy:x:94: +storage:x:95: +scanner:x:96: +input:x:97: +power:x:98: +nobody:x:99: +EOF +chmod 644 ./etc/group + +# FIXME: remove this later (just to get a shell in the initramfs) +cat <<EOF > usr/lib/systemd/system/demo.service +[Unit] +Description=Debug Shell (/bin/sulogin) +Conflicts=shutdown.target +Before=shutdown.target + +[Service] +Environment=HOME=/root 
+WorkingDirectory=/root +ExecStart=/bin/sulogin +Type=idle +StandardInput=tty-force +StandardOutput=inherit +StandardError=inherit +KillMode=process +IgnoreSIGPIPE=no +SendSIGHUP=yes +Restart=always + +[Install] +WantedBy=basic.target +EOF +ln -sf ../demo.service usr/lib/systemd/system/basic.target.wants/demo.service + +# gen initrd +find . -print0 | cpio --null --owner=root:root -o --format=newc | xz -9 --check=crc32 > ../initrd.xz + +popd +rm -rf $out/root diff --git a/utils/mkinitrd.nix b/utils/mkinitrd.nix deleted file mode 100644 index 201d14c..0000000 --- a/utils/mkinitrd.nix +++ /dev/null 
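Review bot: `set -ex -p pipefail` on the first line of rootfs/mkinitrd.sh does not enable pipefail: `-p` is bash's privileged-mode flag and `pipefail` simply becomes the script's `$1`, so a failing `cpio` or `xz` in the final `find ... | cpio ... | xz ... > ../initrd.xz` pipeline still exits green and leaves a truncated initrd in `$out`. It should read `set -ex -o pipefail`, as rootfs/mkrootfs.sh already does. The `root::0:0:root:/root:/bin/sh` entry in the generated passwd has an empty password field, i.e. root without any credential for anything that consults it; if that is deliberate for the initrd alongside the sulogin demo service, a `# NOTE: empty root password — initrd debug only, remove with demo.service` comment next to it would make the intent explicit.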
@@ -1,125 +0,0 @@ -{ - pkgs, - patosPkgs, - ... -}: -pkgs.writeShellApplication { - name = "mkinitrd"; - - runtimeInputs = with pkgs; [ - cpio - xz - ]; - - text = '' - echo "Building initram disk" - mkdir -p root - pushd root - - ### copy rootfs - cp -prP ${patosPkgs.rootfs}/* . - find . -type d -exec chmod 755 {} \; - - ### create directories - ln -sf ../usr/lib/systemd/systemd init - - # set default target to basic - mkdir usr/lib/systemd/system/basic.target.wants - ln -sf basic.target usr/lib/systemd/system/default.target - - # enable dbus broker - ln -sf ../dbus-broker.service usr/lib/systemd/system/basic.target.wants/dbus.service - ln -sf ../dbus.socket usr/lib/systemd/system/sockets.target.wants/dbus.socket - - ### Create needed files - echo patos > ./etc/hostname - cat <<EOF > ./etc/os-release - NAME="PatOS" - PRETTY_NAME="PatOS Platform" - ID=patos - EOF - - cat <<EOF > ./etc/passwd - root::0:0:root:/root:/bin/sh - bin:x:1:1:bin:/bin:/usr/bin/nologin - daemon:x:2:2:daemon:/:/usr/bin/nologin - mail:x:8:12:mail:/var/spool/mail:/usr/bin/nologin - ftp:x:14:11:ftp:/srv/ftp:/usr/bin/nologin - http:x:33:33:http:/srv/http:/usr/bin/nologin - uuidd:x:68:68:uuidd:/:/usr/bin/nologin - messagebus:x:81:81:messagebus:/:/usr/bin/nologin - nobody:x:99:99:nobody:/:/usr/bin/nologin - EOF - chmod 644 ./etc/passwd - - cat <<EOF > ./etc/group - root:x:0:root - bin:x:1:root,bin,daemon - daemon:x:2:root,bin,daemon - sys:x:3:root,bin - adm:x:4:root,daemon - tty:x:5: - disk:x:6:root - lp:x:7:daemon - mem:x:8: - kmem:x:9: - wheel:x:10:root - ftp:x:11: - mail:x:12: - uucp:x:14: - log:x:19:root - utmp:x:20: - locate:x:21: - rfkill:x:24: - smmsp:x:25: - proc:x:26: - http:x:33: - games:x:50: - lock:x:54: - uuidd:x:68: - messagebus:x:81: - network:x:90: - video:x:91: - audio:x:92: - optical:x:93: - floppy:x:94: - storage:x:95: - scanner:x:96: - input:x:97: - power:x:98: - nobody:x:99: - EOF - chmod 644 ./etc/group - - # FIXME: remove this later (just to get a shell in the initramfs) - 
cat <<EOF > usr/lib/systemd/system/demo.service - [Unit] - Description=Debug Shell (/bin/sulogin) - Conflicts=shutdown.target - Before=shutdown.target - - [Service] - Environment=HOME=/root - WorkingDirectory=/root - ExecStart=/bin/sulogin - Type=idle - StandardInput=tty-force - StandardOutput=inherit - StandardError=inherit - KillMode=process - IgnoreSIGPIPE=no - SendSIGHUP=yes - Restart=always - - [Install] - WantedBy=basic.target - EOF - ln -sf ../demo.service usr/lib/systemd/system/basic.target.wants/demo.service - - # gen initrd - find . -print0 | cpio --null --owner=root:root -o --format=newc | xz -9 --check=crc32 > ../initrd.xz - - popd - rm -rf root - ''; -} From af78f1c930fa6788a81b229ddf608798a1594819 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Mon, 24 Feb 2025 16:13:43 +0100 Subject: [PATCH 12/78] feat(systemd-repart): build image --- .gitignore | 2 -- flake.nix | 14 +---------- image/default.nix | 27 +++++++++++++++++++++ image/mkimage.sh | 52 +++++++++++++++++++++++++++++++++++++++++ utils/qemu-uefi-tpm.nix | 5 ++-- 5 files changed, 82 insertions(+), 18 deletions(-) create mode 100644 image/default.nix create mode 100644 image/mkimage.sh diff --git a/.gitignore b/.gitignore index 8cfe0d4..97ab6ac 100644 --- a/.gitignore +++ b/.gitignore @@ -5,8 +5,6 @@ /result /target /out -/initrd* -/patos* .*.swp .*.swo .nixos-test-history diff --git a/flake.nix b/flake.nix index 146376c..2e4eafa 100644 --- a/flake.nix +++ b/flake.nix 
@@ -21,18 +21,7 @@ { packages = { default = self.packages.${system}.image; - image = pkgs.writeShellScriptBin "image" '' - set -ex - echo "make UKI..." - - mkdir -p patos/efi/boot - ${patosPkgs.systemd.out}/usr/bin/ukify build \ - --linux ${patosPkgs.kernel.kernel}/bzImage \ - --initrd ${patosPkgs.initrd.out}/initrd.xz \ - --cmdline "console=ttyS0" \ - -o patos/efi/boot/bootx64.efi - ''; - + image = pkgs.callPackage ./image { inherit patosPkgs; }; kernel = pkgs.callPackage ./kernel { }; glibc = pkgs.callPackage ./glibc { }; systemd = pkgs.callPackage ./systemd { }; @@ -60,7 +49,6 @@ nixfmt-rfc-style squashfs-tools-ng self.packages.${system}.qemu-uefi-tpm - self.packages.${system}.mkinitrd ]; }; diff --git a/image/default.nix b/image/default.nix new file mode 100644 index 0000000..b4394c2 --- /dev/null +++ b/image/default.nix @@ -0,0 +1,27 @@ +{ + pkgs, + stdenvNoCC, + patosPkgs, + ... +}: +let + version = "0.0.1"; + pname = "patos-image"; +in +stdenvNoCC.mkDerivation (finalAttrs: { + inherit version; + inherit pname; + + buildInputs = with pkgs; [ + erofs-utils + dosfstools + mtools + ]; + + systemd = patosPkgs.systemd.out; + kernel = patosPkgs.kernel.kernel; + initrd = patosPkgs.initrd.out; + rootfs = patosPkgs.rootfs.out; + + builder = ./mkimage.sh; +}) diff --git a/image/mkimage.sh b/image/mkimage.sh new file mode 100644 index 0000000..c7473d7 --- /dev/null +++ b/image/mkimage.sh 
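Review bot: `erofs-utils`, `dosfstools` and `mtools` in image/default.nix are tools that run on the build host, so they belong in `nativeBuildInputs` rather than `buildInputs`; as written they would resolve to target-platform packages under cross-compilation (the same pattern appears with `cpio`/`xz` in rootfs/mkinitrd.nix and `glibc`/`binutils` in rootfs/default.nix). The fix is one line: `nativeBuildInputs = with pkgs; [ erofs-utils dosfstools mtools ];`. The `finalAttrs` argument of `mkDerivation (finalAttrs: ...)` is never referenced and can be dropped.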
@@ -0,0 +1,52 @@ +set -ex -o pipefail + +mkdir -p $out/repart.d $out/boot +pushd $out + +# Don't seem to work just to create a symlink to rootfs derivation? +# ln -sf $rootfs rootfs +mkdir rootfs +cp -prP $rootfs/* rootfs/ +find rootfs/ -type d -exec chmod 755 {} \; + +$systemd/usr/bin/ukify build \ + --os-release rootfs/etc/os-release \ + --linux $kernel/bzImage \ + --initrd $initrd/initrd.xz \ + --cmdline "console=ttyS0" \ + -o boot/patos-x64.efi + +cp ${systemd}/usr/lib/systemd/boot/efi/systemd-bootx64.efi boot/ + +cat <<EOF > repart.d/10-esp.conf +[Partition] +Type=esp +Format=vfat +SizeMinBytes=96M +SizeMaxBytes=96M +SplitName=- +CopyFiles=/boot/patos-x64.efi:/EFI/Linux/patos-x64.efi +CopyFiles=/boot/systemd-bootx64.efi:/EFI/BOOT/BOOTX64.EFI +EOF + +cat <<EOF > repart.d/10-root.conf +[Partition] +Type=root +Format=erofs +CopyFiles=/rootfs:/ +Minimize=best +SplitName=root +EOF + +$systemd/usr/bin/systemd-repart \ + --no-pager \ + --empty=create \ + --size=1G \ + --definitions=./repart.d \ + --root=$out \ + patos-$version.raw + +rm -rf rootfs +rm -rf boot + +popd diff --git a/utils/qemu-uefi-tpm.nix b/utils/qemu-uefi-tpm.nix index e6a27f9..d05fbb2 100644 --- a/utils/qemu-uefi-tpm.nix +++ b/utils/qemu-uefi-tpm.nix @@ -19,7 +19,7 @@ pkgs.writeShellApplication { state="/tmp/patos-qemu-$USER" rm -rf "$state" mkdir -m 700 "$state" - truncate -s 1G "$state/disk.raw" + qemu-img create -f qcow2 -F raw -b "$(readlink -e "$1")" "$state/disk.qcow2" 2G swtpm socket -d --tpmstate dir="$state" \ --ctrl type=unixio,path="$state/swtpm-sock" \ @@ -44,7 +44,6 @@ pkgs.writeShellApplication { -device tpm-tis,tpmdev=tpm0 \ -netdev id=net00,type=user,hostfwd=tcp::2222-:22 \ -device virtio-net-pci,netdev=net00 \ - -drive "file=fat:rw:patos/,format=raw" \ - -drive "format=raw,file=$state/disk.raw" + -drive "format=qcow2,file=$state/disk.qcow2" ''; } From 6899203860db2e2f24724089d74adde6a341aa74 Mon Sep 17 00:00:00 2001 
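Review bot: Nothing in this builder signs `boot/patos.efi` or `systemd-bootx64.efi` before `systemd-repart` copies them into the ESP, and the erofs root partition is defined without a `Verity=` companion, so the image as produced here is neither bootable under enforcing Secure Boot nor integrity-checked at the root; if signing and verity are handled elsewhere or planned for a later patch, a `# TODO: sbsign UKI + bootloader; add Verity=data/hash definitions for root` comment at the ukify call would record where that responsibility lives. Separately, `cp ${systemd}/usr/lib/systemd/boot/efi/systemd-bootx64.efi boot/` works only because bash expands `${systemd}` as a shell parameter; writing `$systemd` like the surrounding lines avoids the impression it was meant to be a Nix interpolation.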
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Mon, 24 Feb 2025 23:51:46 +0100 Subject: [PATCH 13/78] feat(systemd-repart): fix ESP. now its booting --- image/default.nix | 4 ++++ image/mkimage.sh | 10 +++++++--- utils/qemu-uefi-tpm.nix | 1 - 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/image/default.nix b/image/default.nix index b4394c2..3d7049b 100644 --- a/image/default.nix +++ b/image/default.nix @@ -18,6 +18,10 @@ stdenvNoCC.mkDerivation (finalAttrs: { mtools ]; + env = { + SYSTEMD_REPART_MKFS_OPTIONS_VFAT = "-S 512 -c"; + }; + systemd = patosPkgs.systemd.out; kernel = patosPkgs.kernel.kernel; initrd = patosPkgs.initrd.out; diff --git a/image/mkimage.sh b/image/mkimage.sh index c7473d7..2ec259f 100644 --- a/image/mkimage.sh +++ b/image/mkimage.sh @@ -18,15 +18,19 @@ $systemd/usr/bin/ukify build \ cp ${systemd}/usr/lib/systemd/boot/efi/systemd-bootx64.efi boot/ +echo "timeout 1" > boot/loader.conf +echo -e "title PatOS Platform\nefi /EFI/Linux/patos-linux.efi" > boot/patos.conf + cat <<EOF > repart.d/10-esp.conf [Partition] Type=esp Format=vfat SizeMinBytes=96M SizeMaxBytes=96M -SplitName=- -CopyFiles=/boot/patos-x64.efi:/EFI/Linux/patos-x64.efi CopyFiles=/boot/systemd-bootx64.efi:/EFI/BOOT/BOOTX64.EFI +CopyFiles=/boot/patos-x64.efi:/EFI/Linux/patos-linux.efi +CopyFiles=/boot/loader.conf:/loader/loader.conf +CopyFiles=/boot/patos.conf:/loader/entries/patos.conf EOF cat <<EOF > repart.d/10-root.conf @@ -41,7 +45,7 @@ EOF $systemd/usr/bin/systemd-repart \ --no-pager \ --empty=create \ - --size=1G \ + --size=auto \ --definitions=./repart.d \ --root=$out \ patos-$version.raw diff --git a/utils/qemu-uefi-tpm.nix b/utils/qemu-uefi-tpm.nix index d05fbb2..bb151c5 100644 --- a/utils/qemu-uefi-tpm.nix +++ b/utils/qemu-uefi-tpm.nix 
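Review bot: `echo "timeout 1" > boot/loader.conf` leaves systemd-boot's entry editor at its default (enabled), so someone at the console can edit the kernel command line of the UKI entry — for instance appending `init=/bin/sh` — and bypass whatever the baked `--cmdline` was meant to pin; add `editor no` to the same file, e.g. `printf 'timeout 1\neditor no\n' > boot/loader.conf`. I believe systemd-boot disables the editor on its own when Secure Boot is enforcing, but setting it explicitly also covers the unsigned or setup-mode boots this image currently does. `echo -e` is a bashism; since the builder already runs under bash it works, but `printf` is the portable spelling.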
@@ -33,7 +33,6 @@ pkgs.writeShellApplication { -smp 8 \ -m 4G \ -display none \ - -nographic \ -chardev "stdio,id=char0,mux=on,logfile=$state/console.log,signal=off" \ -serial chardev:char0 \ -mon chardev=char0 \ From e196cf729c066b585e0c89d4b29ec49e5507c219 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Tue, 25 Feb 2025 11:40:34 +0100 Subject: [PATCH 14/78] feat(image): switching root --- dbus-broker/default.nix | 1 + image/default.nix | 5 ++ image/mkimage.sh | 112 +++++++++++++++++++++++++++++++++++++--- rootfs/mkinitrd.sh | 50 +++++------------- rootfs/mkrootfs.sh | 12 ++++- 5 files changed, 135 insertions(+), 45 deletions(-) diff --git a/dbus-broker/default.nix b/dbus-broker/default.nix index cad66af..156c490 100644 --- a/dbus-broker/default.nix +++ b/dbus-broker/default.nix @@ -150,6 +150,7 @@ stdenv.mkDerivation (finalAttrs: { mkdir -p $out/usr/share cp -Pr ${pkgs.dbus.out}/share/* $out/usr/share/ cp ${pkgs.dbus.out}/etc/systemd/system/dbus.socket $out/usr/lib/systemd/system/ + mv $out/usr/lib/systemd/system/dbus-broker.service $out/usr/lib/systemd/system/dbus.service find $out/usr/share/ -type d -exec chmod 755 {} \; sed -i 's#/nix/store.*/share#/usr/share#' $out/usr/share/xml/dbus-1/catalog.xml sed -i 's#/nix/store.*/libexec#/usr/bin#' $out/usr/share/dbus-1/system.conf diff --git a/image/default.nix b/image/default.nix index 3d7049b..e116625 100644 --- a/image/default.nix +++ b/image/default.nix @@ -16,9 +16,11 @@ stdenvNoCC.mkDerivation (finalAttrs: { erofs-utils dosfstools mtools + e2fsprogs ]; env = { + # vfat options won't efi won't find the fs otherwise. SYSTEMD_REPART_MKFS_OPTIONS_VFAT = "-S 512 -c"; }; @@ -27,5 +29,8 @@ stdenvNoCC.mkDerivation (finalAttrs: { initrd = patosPkgs.initrd.out; rootfs = patosPkgs.rootfs.out; + #FIXME: use roothash instead of device. + kernelCmdLine = "root=/dev/sda2 console=ttyS0"; + builder = ./mkimage.sh; }) 
diff --git a/image/mkimage.sh b/image/mkimage.sh index 2ec259f..fc80f9d 100644 --- a/image/mkimage.sh +++ b/image/mkimage.sh 
@@ -9,17 +9,117 @@ mkdir rootfs cp -prP $rootfs/* rootfs/ find rootfs/ -type d -exec chmod 755 {} \; +# set default target to basic +mkdir rootfs/usr/lib/systemd/system/basic.target.wants +ln -sf basic.target rootfs/usr/lib/systemd/system/default.target + +# enable dbus +ln -sf ../dbus.service rootfs/usr/lib/systemd/system/basic.target.wants/dbus.service +ln -sf ../dbus.socket rootfs/usr/lib/systemd/system/sockets.target.wants/dbus.socket + +# generate machine-id +$systemd/usr/bin/systemd-machine-id-setup --root=rootfs/ + +cat <<EOF > rootfs/etc/passwd +root::0:0:root:/root:/bin/sh +bin:x:1:1:bin:/bin:/usr/bin/nologin +daemon:x:2:2:daemon:/:/usr/bin/nologin +mail:x:8:12:mail:/var/spool/mail:/usr/bin/nologin +ftp:x:14:11:ftp:/srv/ftp:/usr/bin/nologin +http:x:33:33:http:/srv/http:/usr/bin/nologin +uuidd:x:68:68:uuidd:/:/usr/bin/nologin +messagebus:x:81:81:messagebus:/:/usr/bin/nologin +nobody:x:99:99:nobody:/:/usr/bin/nologin +systemd-coredump:x:151:992::/var/empty:/usr/bin/nologin +systemd-network:x:152:152::/var/empty:/usr/bin/nologin +systemd-resolve:x:153:153::/var/empty:/usr/bin/nologin +systemd-timesync:x:154:154::/var/empty:/usr/bin/nologin +EOF +chmod 644 rootfs/etc/passwd + +cat <<EOF > rootfs/etc/group +root:x:0:root +bin:x:1:root,bin,daemon +daemon:x:2:root,bin,daemon +sys:x:3:root,bin +adm:x:4:root,daemon +tty:x:5: +disk:x:6:root +lp:x:7:daemon +mem:x:8: +kmem:x:9: +wheel:x:10:root +ftp:x:11: +mail:x:12: +uucp:x:14: +log:x:19:root +utmp:x:20: +locate:x:21: +rfkill:x:24: +smmsp:x:25: +proc:x:26: +http:x:33: +games:x:50: +lock:x:54: +uuidd:x:68: +messagebus:x:81: +systemd-journal:x:62: +systemd-network:x:152: +systemd-resolve:x:153: +systemd-timesync:x:154: +systemd-oom:x:991: +systemd-coredump:x:992: +network:x:90: +video:x:91: +audio:x:92: +optical:x:93: +floppy:x:94: +storage:x:95: +scanner:x:96: +input:x:97: +power:x:98: +nobody:x:99: +EOF +chmod 644 rootfs/etc/group + +# FIXME: remove this later (just to get a shell in the initramfs) +cat <<EOF > 
rootfs/usr/lib/systemd/system/demo.service +[Unit] +Description=Debug Shell (/bin/sulogin) +Conflicts=shutdown.target +Before=shutdown.target + +[Service] +Environment=HOME=/root +WorkingDirectory=/root +ExecStart=/bin/sulogin +Type=idle +StandardInput=tty-force +StandardOutput=inherit +StandardError=inherit +KillMode=process +IgnoreSIGPIPE=no +SendSIGHUP=yes +Restart=always + +[Install] +WantedBy=basic.target +EOF +ln -sf ../demo.service rootfs/usr/lib/systemd/system/basic.target.wants/demo.service + + $systemd/usr/bin/ukify build \ - --os-release rootfs/etc/os-release \ --linux $kernel/bzImage \ --initrd $initrd/initrd.xz \ - --cmdline "console=ttyS0" \ - -o boot/patos-x64.efi + --os-release rootfs/etc/os-release \ + --stub $systemd/usr/lib/systemd/boot/efi/linuxx64.efi.stub \ + --cmdline "$kernelCmdLine" \ + -o boot/patos.efi cp ${systemd}/usr/lib/systemd/boot/efi/systemd-bootx64.efi boot/ echo "timeout 1" > boot/loader.conf -echo -e "title PatOS Platform\nefi /EFI/Linux/patos-linux.efi" > boot/patos.conf +echo -e "title PatOS Platform\nefi /EFI/Linux/patos.efi" > boot/patos.conf cat <<EOF > repart.d/10-esp.conf [Partition] @@ -28,7 +128,7 @@ Format=vfat SizeMinBytes=96M SizeMaxBytes=96M CopyFiles=/boot/systemd-bootx64.efi:/EFI/BOOT/BOOTX64.EFI -CopyFiles=/boot/patos-x64.efi:/EFI/Linux/patos-linux.efi +CopyFiles=/boot/patos.efi:/EFI/Linux/patos.efi CopyFiles=/boot/loader.conf:/loader/loader.conf CopyFiles=/boot/patos.conf:/loader/entries/patos.conf EOF @@ -37,8 +137,8 @@ cat <<EOF > repart.d/10-root.conf [Partition] Type=root Format=erofs -CopyFiles=/rootfs:/ Minimize=best +CopyFiles=/rootfs:/ SplitName=root EOF diff --git a/rootfs/mkinitrd.sh b/rootfs/mkinitrd.sh index 2fe7770..c634b73 100644 --- a/rootfs/mkinitrd.sh +++ b/rootfs/mkinitrd.sh 
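Review bot: The generated `rootfs/etc/passwd` gives root an empty password field (`root::0:0:root:/root:/bin/sh`), and this hunk now writes it into the final root filesystem rather than only the initrd, so any login path that consults it (a getty, `su`, an sshd with empty passwords permitted) hands out root with no credential at all. Lock the account with `root:!:0:0:root:/root:/bin/sh` and, if the FIXME'd `demo.service` still needs a root shell, make the bypass explicit in that unit with `ExecStart=/bin/sulogin --force` so it is scoped to the debug unit rather than the account. Whether the `/bin/sulogin` shipped here honours `--force` I cannot tell from this hunk (it depends on whether it resolves to util-linux or the busybox applet), so confirm before relying on it. The same empty-password entry remains in the initrd's passwd in rootfs/mkinitrd.sh.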
@@ -10,21 +10,12 @@ find . -type d -exec chmod 755 {} \; ### create directories ln -sf ../usr/lib/systemd/systemd init -# set default target to basic -mkdir usr/lib/systemd/system/basic.target.wants -ln -sf basic.target usr/lib/systemd/system/default.target - -# enable dbus broker -ln -sf ../dbus-broker.service usr/lib/systemd/system/basic.target.wants/dbus-broker.service -ln -sf ../dbus.socket usr/lib/systemd/system/sockets.target.wants/dbus.socket +mkdir sysroot ### Create needed files echo patos > ./etc/hostname -cat <<EOF > ./etc/os-release -NAME="PatOS" -PRETTY_NAME="PatOS Platform" -ID=patos -EOF + +ln -sf /etc/os-release ./etc/initrd-release cat <<EOF > ./etc/passwd root::0:0:root:/root:/bin/sh @@ -36,6 +27,10 @@ http:x:33:33:http:/srv/http:/usr/bin/nologin uuidd:x:68:68:uuidd:/:/usr/bin/nologin messagebus:x:81:81:messagebus:/:/usr/bin/nologin nobody:x:99:99:nobody:/:/usr/bin/nologin +systemd-coredump:x:151:992::/var/empty:/usr/bin/nologin +systemd-network:x:152:152::/var/empty:/usr/bin/nologin +systemd-resolve:x:153:153::/var/empty:/usr/bin/nologin +systemd-timesync:x:154:154::/var/empty:/usr/bin/nologin EOF chmod 644 ./etc/passwd @@ -65,6 +60,12 @@ games:x:50: lock:x:54: uuidd:x:68: messagebus:x:81: +systemd-journal:x:62: +systemd-network:x:152: +systemd-resolve:x:153: +systemd-timesync:x:154: +systemd-oom:x:991: +systemd-coredump:x:992: network:x:90: video:x:91: audio:x:92: 
@@ -78,31 +79,6 @@ nobody:x:99: EOF chmod 644 ./etc/group -# FIXME: remove this later (just to get a shell in the initramfs) -cat <<EOF > usr/lib/systemd/system/demo.service -[Unit] -Description=Debug Shell (/bin/sulogin) -Conflicts=shutdown.target -Before=shutdown.target - -[Service] -Environment=HOME=/root -WorkingDirectory=/root -ExecStart=/bin/sulogin -Type=idle -StandardInput=tty-force -StandardOutput=inherit -StandardError=inherit -KillMode=process -IgnoreSIGPIPE=no -SendSIGHUP=yes -Restart=always - -[Install] -WantedBy=basic.target -EOF -ln -sf ../demo.service usr/lib/systemd/system/basic.target.wants/demo.service - # gen initrd find . -print0 | cpio --null --owner=root:root -o --format=newc | xz -9 --check=crc32 > ../initrd.xz diff --git a/rootfs/mkrootfs.sh b/rootfs/mkrootfs.sh index b850129..68b6d44 100644 --- a/rootfs/mkrootfs.sh +++ b/rootfs/mkrootfs.sh @@ -1,7 +1,7 @@ set -ex -o pipefail mkdir -p $out -mkdir -p $out/etc $out/dev $out/proc $out/sys $out/tmp $out/root +mkdir -p $out/etc $out/dev $out/proc $out/sys $out/tmp $out/root $out/run $out/boot ln -sf ../usr/bin $out/bin ln -sf ../usr/bin $out/sbin ln -sf ../usr/lib $out/lib @@ -18,6 +18,15 @@ rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service # remove vconsole setup rm -f $out/usr/lib/udev/rules.d/90-vconsole.rules +cat <<EOF > $out/etc/os-release +NAME="PatOS" +PRETTY_NAME="PatOS 0.0.1 (pre-alpha)" +ID=patos +VERSION="0.0.1 (pre-alpha)" +VERSION_CODENAME=pre-alpha +VERSION_ID="0.0.1" +EOF + ### install PatOS glibc cp -P $glibcPatos/lib/*.so* $out/usr/lib/ @@ -51,4 +60,3 @@ patchelf --remove-rpath $out/usr/lib/ld-linux-x86-64.so.2 # strip binaries find $out -type f -executable -exec strip {} \; find $out -type d -exec chmod 755 {} \; - From e4ebf7ea7ff4fbe4e0c0bef0d0cec2f661da3d8d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Tue, 25 Feb 2025 13:39:02 +0100 Subject: [PATCH 15/78] feat(image): make /var stateful --- image/mkimage.sh | 19 ++++++++++++++++++- rootfs/mkrootfs.sh | 27 ++++++++++++++++++++++++++- 2 files changed, 44 insertions(+), 2 deletions(-) diff --git a/image/mkimage.sh b/image/mkimage.sh index fc80f9d..019aed2 100644 --- a/image/mkimage.sh +++ b/image/mkimage.sh @@ -13,11 +13,28 @@ find rootfs/ -type d -exec chmod 755 {} \; mkdir rootfs/usr/lib/systemd/system/basic.target.wants ln -sf basic.target rootfs/usr/lib/systemd/system/default.target +# mount patos state +cat <<EOF > rootfs/usr/lib/systemd/system/var.mount +[Unit] +Description=Mount for /var +Before=local-fs.target + +[Mount] +What=/dev/disk/by-label/patos-state +Where=/var +Type=ext2 +Options=defaults + +[Install] +WantedBy=basic.target +EOF +ln -sf ../var.mount rootfs/usr/lib/systemd/system/basic.target.wants/var.mount + # enable dbus ln -sf ../dbus.service rootfs/usr/lib/systemd/system/basic.target.wants/dbus.service ln -sf ../dbus.socket rootfs/usr/lib/systemd/system/sockets.target.wants/dbus.socket -# generate machine-id +# generate a temporary machine id $systemd/usr/bin/systemd-machine-id-setup --root=rootfs/ cat <<EOF > rootfs/etc/passwd diff --git a/rootfs/mkrootfs.sh b/rootfs/mkrootfs.sh index 68b6d44..3ee0ca3 100644 --- a/rootfs/mkrootfs.sh +++ b/rootfs/mkrootfs.sh @@ -1,7 +1,7 @@ set -ex -o pipefail mkdir -p $out -mkdir -p $out/etc $out/dev $out/proc $out/sys $out/tmp $out/root $out/run $out/boot +mkdir -p $out/etc/repart.d $out/dev $out/proc $out/sys $out/tmp $out/root $out/run $out/boot ln -sf ../usr/bin $out/bin ln -sf ../usr/bin $out/sbin ln -sf ../usr/lib $out/lib 
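Review bot: `What=/dev/disk/by-label/patos-state` in the new var.mount selects the state partition by a label anyone can write, so a second disk or a re-labelled partition is mounted over `/var` — and with `Options=defaults` it is mounted suid- and dev-capable. Since rootfs/mkrootfs.sh in this same commit pins the partition UUID (`UUID=4d21b016-...`), match on that and drop the bits /var never needs: `What=/dev/disk/by-partuuid/4d21b016-b534-45c2-a9fb-5c16e091fd2d` and `Options=nosuid,nodev`. The `systemd-machine-id-setup --root=rootfs/` call, now labelled "temporary", still bakes a single machine-id into every copy of the image; unless a later patch overrides it, writing `uninitialized` to `rootfs/etc/machine-id` lets systemd generate a per-instance id at first boot (where it can persist on a read-only erofs root is a separate question worth a comment).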
@@ -27,6 +27,31 @@ VERSION_CODENAME=pre-alpha VERSION_ID="0.0.1" EOF +sed -i 's#After=\(.*\)#After=sysroot.mount \1#' $out/usr/lib/systemd/system/systemd-repart.service +cat <<EOF > $out/etc/repart.d/10-esp.conf +[Partition] +Type=esp +Format=vfat +EOF + +cat <<EOF > $out/etc/repart.d/22-root.conf +[Partition] +Type=root +EOF + +#FIXME: use btrfs instead on ext2(busybox) but need the btrfs tools in rootfs. +cat <<EOF > $out/etc/repart.d/40-var.conf +[Partition] +Type=var +UUID=4d21b016-b534-45c2-a9fb-5c16e091fd2d +Format=ext2 +Label=patos-state +Minimize=off +FactoryReset=yes +SizeMinBytes=1G +SplitName=- +EOF + ### install PatOS glibc cp -P $glibcPatos/lib/*.so* $out/usr/lib/ From b3ad9f9962c53fde9303d62c6facb32102b92672 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Tue, 25 Feb 2025 18:01:44 +0100 Subject: [PATCH 16/78] feat(image): fix osrel in uki --- image/mkimage.sh | 5 +---- rootfs/mkrootfs.sh | 12 +++++++----- 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/image/mkimage.sh b/image/mkimage.sh index 019aed2..4ad147b 100644 --- a/image/mkimage.sh +++ b/image/mkimage.sh @@ -128,15 +128,13 @@ ln -sf ../demo.service rootfs/usr/lib/systemd/system/basic.target.wants/demo.ser $systemd/usr/bin/ukify build \ --linux $kernel/bzImage \ --initrd $initrd/initrd.xz \ - --os-release rootfs/etc/os-release \ - --stub $systemd/usr/lib/systemd/boot/efi/linuxx64.efi.stub \ + --os-release @rootfs/etc/os-release \ --cmdline "$kernelCmdLine" \ -o boot/patos.efi cp ${systemd}/usr/lib/systemd/boot/efi/systemd-bootx64.efi boot/ echo "timeout 1" > boot/loader.conf -echo -e "title PatOS Platform\nefi /EFI/Linux/patos.efi" > boot/patos.conf cat <<EOF > repart.d/10-esp.conf [Partition] 
@@ -147,7 +145,6 @@ SizeMaxBytes=96M CopyFiles=/boot/systemd-bootx64.efi:/EFI/BOOT/BOOTX64.EFI CopyFiles=/boot/patos.efi:/EFI/Linux/patos.efi CopyFiles=/boot/loader.conf:/loader/loader.conf -CopyFiles=/boot/patos.conf:/loader/entries/patos.conf EOF cat <<EOF > repart.d/10-root.conf diff --git a/rootfs/mkrootfs.sh b/rootfs/mkrootfs.sh index 3ee0ca3..e60e028 100644 --- a/rootfs/mkrootfs.sh +++ b/rootfs/mkrootfs.sh @@ -19,12 +19,14 @@ rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service rm -f $out/usr/lib/udev/rules.d/90-vconsole.rules cat <<EOF > $out/etc/os-release -NAME="PatOS" -PRETTY_NAME="PatOS 0.0.1 (pre-alpha)" +NAME=PatOS +PRETTY_NAME=PatOS 0.0.1 (pre-alpha) +IMAGE_ID=patos ID=patos -VERSION="0.0.1 (pre-alpha)" -VERSION_CODENAME=pre-alpha -VERSION_ID="0.0.1" +IMAGE_VERSION=0.0.1 +VERSION=0.0.1 +VERSION_ID=0.0.1 +BUILD_ID=0.0.1 EOF sed -i 's#After=\(.*\)#After=sysroot.mount \1#' $out/usr/lib/systemd/system/systemd-repart.service From 3374541b3a14baa03887c2db4b4f669ed77aec58 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Tue, 25 Feb 2025 21:02:35 +0100 Subject: [PATCH 17/78] feat(image): switch to btrfs for patos-state --- image/mkimage.sh | 92 +++++------------------------------------- rootfs/default.nix | 1 + rootfs/mkinitrd.sh | 65 +----------------------------- rootfs/mkrootfs.sh | 99 ++++++++++++++++++++++++++++++++++++++++++---- 4 files changed, 102 insertions(+), 155 deletions(-) diff --git a/image/mkimage.sh b/image/mkimage.sh index 4ad147b..721c26e 100644 --- a/image/mkimage.sh +++ b/image/mkimage.sh 
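Review bot: The rewritten os-release in the mkrootfs.sh hunk drops the quotes from values that contain spaces and parentheses (`PRETTY_NAME=PatOS 0.0.1 (pre-alpha)`), which os-release(5) requires to be quoted because the file must remain sourceable as shell; a shell parser now errors on the `(`. Keep `PRETTY_NAME="PatOS 0.0.1 (pre-alpha)"`, and if the quoted form was what the `@path` handling in ukify mis-rendered, that deserves a comment on the `--os-release` line in mkimage.sh rather than weakening the file format. Patch 17 carries the same unquoted value forward as `PRETTY_NAME=PatOS v${version} (Pre-Alpha)`.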
@@ -9,96 +9,22 @@ mkdir rootfs cp -prP $rootfs/* rootfs/ find rootfs/ -type d -exec chmod 755 {} \; -# set default target to basic -mkdir rootfs/usr/lib/systemd/system/basic.target.wants -ln -sf basic.target rootfs/usr/lib/systemd/system/default.target +# set default target to multi-user +ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target # mount patos state -cat <<EOF > rootfs/usr/lib/systemd/system/var.mount -[Unit] -Description=Mount for /var -Before=local-fs.target - -[Mount] -What=/dev/disk/by-label/patos-state -Where=/var -Type=ext2 -Options=defaults - -[Install] -WantedBy=basic.target -EOF -ln -sf ../var.mount rootfs/usr/lib/systemd/system/basic.target.wants/var.mount +ln -sf ../var.mount rootfs/usr/lib/systemd/system/sysinit.target.wants/var.mount # enable dbus -ln -sf ../dbus.service rootfs/usr/lib/systemd/system/basic.target.wants/dbus.service +ln -sf ../dbus.service rootfs/usr/lib/systemd/system/multi-user.target.wants/dbus.service ln -sf ../dbus.socket rootfs/usr/lib/systemd/system/sockets.target.wants/dbus.socket +# enable systemd-networkd +ln -sf ../systemd-networkd.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-networkd.service + # generate a temporary machine id $systemd/usr/bin/systemd-machine-id-setup --root=rootfs/ -cat <<EOF > rootfs/etc/passwd -root::0:0:root:/root:/bin/sh -bin:x:1:1:bin:/bin:/usr/bin/nologin -daemon:x:2:2:daemon:/:/usr/bin/nologin -mail:x:8:12:mail:/var/spool/mail:/usr/bin/nologin -ftp:x:14:11:ftp:/srv/ftp:/usr/bin/nologin -http:x:33:33:http:/srv/http:/usr/bin/nologin -uuidd:x:68:68:uuidd:/:/usr/bin/nologin -messagebus:x:81:81:messagebus:/:/usr/bin/nologin -nobody:x:99:99:nobody:/:/usr/bin/nologin -systemd-coredump:x:151:992::/var/empty:/usr/bin/nologin -systemd-network:x:152:152::/var/empty:/usr/bin/nologin -systemd-resolve:x:153:153::/var/empty:/usr/bin/nologin -systemd-timesync:x:154:154::/var/empty:/usr/bin/nologin -EOF -chmod 644 rootfs/etc/passwd - -cat <<EOF > rootfs/etc/group 
-root:x:0:root -bin:x:1:root,bin,daemon -daemon:x:2:root,bin,daemon -sys:x:3:root,bin -adm:x:4:root,daemon -tty:x:5: -disk:x:6:root -lp:x:7:daemon -mem:x:8: -kmem:x:9: -wheel:x:10:root -ftp:x:11: -mail:x:12: -uucp:x:14: -log:x:19:root -utmp:x:20: -locate:x:21: -rfkill:x:24: -smmsp:x:25: -proc:x:26: -http:x:33: -games:x:50: -lock:x:54: -uuidd:x:68: -messagebus:x:81: -systemd-journal:x:62: -systemd-network:x:152: -systemd-resolve:x:153: -systemd-timesync:x:154: -systemd-oom:x:991: -systemd-coredump:x:992: -network:x:90: -video:x:91: -audio:x:92: -optical:x:93: -floppy:x:94: -storage:x:95: -scanner:x:96: -input:x:97: -power:x:98: -nobody:x:99: -EOF -chmod 644 rootfs/etc/group - # FIXME: remove this later (just to get a shell in the initramfs) cat <<EOF > rootfs/usr/lib/systemd/system/demo.service [Unit] @@ -120,9 +46,9 @@ SendSIGHUP=yes Restart=always [Install] -WantedBy=basic.target +WantedBy=multi-user.target EOF -ln -sf ../demo.service rootfs/usr/lib/systemd/system/basic.target.wants/demo.service +ln -sf ../demo.service rootfs/usr/lib/systemd/system/multi-user.target.wants/demo.service $systemd/usr/bin/ukify build \ diff --git a/rootfs/default.nix b/rootfs/default.nix index 755050f..a180f8e 100644 --- a/rootfs/default.nix +++ b/rootfs/default.nix @@ -25,6 +25,7 @@ stdenvNoCC.mkDerivation (finalAttrs: { kmodLibs = pkgs.kmod.lib; kmodBin = pkgs.kmod.out; libbpf = pkgs.libbpf.out; + btrfs = pkgs.btrfs-progs.out; builder = ./mkrootfs.sh; }) diff --git a/rootfs/mkinitrd.sh b/rootfs/mkinitrd.sh index c634b73..c735448 100644 --- a/rootfs/mkinitrd.sh +++ b/rootfs/mkinitrd.sh 
@@ -6,79 +6,16 @@ pushd $out/root ### copy rootfs cp -prP $rootfs/* . find . -type d -exec chmod 755 {} \; +mkdir sysroot ### create directories ln -sf ../usr/lib/systemd/systemd init -mkdir sysroot - ### Create needed files echo patos > ./etc/hostname ln -sf /etc/os-release ./etc/initrd-release -cat <<EOF > ./etc/passwd -root::0:0:root:/root:/bin/sh -bin:x:1:1:bin:/bin:/usr/bin/nologin -daemon:x:2:2:daemon:/:/usr/bin/nologin -mail:x:8:12:mail:/var/spool/mail:/usr/bin/nologin -ftp:x:14:11:ftp:/srv/ftp:/usr/bin/nologin -http:x:33:33:http:/srv/http:/usr/bin/nologin -uuidd:x:68:68:uuidd:/:/usr/bin/nologin -messagebus:x:81:81:messagebus:/:/usr/bin/nologin -nobody:x:99:99:nobody:/:/usr/bin/nologin -systemd-coredump:x:151:992::/var/empty:/usr/bin/nologin -systemd-network:x:152:152::/var/empty:/usr/bin/nologin -systemd-resolve:x:153:153::/var/empty:/usr/bin/nologin -systemd-timesync:x:154:154::/var/empty:/usr/bin/nologin -EOF -chmod 644 ./etc/passwd - -cat <<EOF > ./etc/group -root:x:0:root -bin:x:1:root,bin,daemon -daemon:x:2:root,bin,daemon -sys:x:3:root,bin -adm:x:4:root,daemon -tty:x:5: -disk:x:6:root -lp:x:7:daemon -mem:x:8: -kmem:x:9: -wheel:x:10:root -ftp:x:11: -mail:x:12: -uucp:x:14: -log:x:19:root -utmp:x:20: -locate:x:21: -rfkill:x:24: -smmsp:x:25: -proc:x:26: -http:x:33: -games:x:50: -lock:x:54: -uuidd:x:68: -messagebus:x:81: -systemd-journal:x:62: -systemd-network:x:152: -systemd-resolve:x:153: -systemd-timesync:x:154: -systemd-oom:x:991: -systemd-coredump:x:992: -network:x:90: -video:x:91: -audio:x:92: -optical:x:93: -floppy:x:94: -storage:x:95: -scanner:x:96: -input:x:97: -power:x:98: -nobody:x:99: -EOF -chmod 644 ./etc/group - # gen initrd find . -print0 | cpio --null --owner=root:root -o --format=newc | xz -9 --check=crc32 > ../initrd.xz diff --git a/rootfs/mkrootfs.sh b/rootfs/mkrootfs.sh index e60e028..c7460e6 100644 --- a/rootfs/mkrootfs.sh +++ b/rootfs/mkrootfs.sh 
@@ -1,7 +1,7 @@ set -ex -o pipefail mkdir -p $out -mkdir -p $out/etc/repart.d $out/dev $out/proc $out/sys $out/tmp $out/root $out/run $out/boot +mkdir -p $out/etc/repart.d $out/dev $out/proc $out/sys $out/tmp $out/root $out/run $out/boot $out/mnt ln -sf ../usr/bin $out/bin ln -sf ../usr/bin $out/sbin ln -sf ../usr/lib $out/lib @@ -20,13 +20,13 @@ rm -f $out/usr/lib/udev/rules.d/90-vconsole.rules cat <<EOF > $out/etc/os-release NAME=PatOS -PRETTY_NAME=PatOS 0.0.1 (pre-alpha) +PRETTY_NAME=PatOS v${version} (Pre-Alpha) IMAGE_ID=patos ID=patos -IMAGE_VERSION=0.0.1 -VERSION=0.0.1 -VERSION_ID=0.0.1 -BUILD_ID=0.0.1 +IMAGE_VERSION=${version} +VERSION=${version} +VERSION_ID={version} +BUILD_ID={version} EOF sed -i 's#After=\(.*\)#After=sysroot.mount \1#' $out/usr/lib/systemd/system/systemd-repart.service @@ -41,12 +41,11 @@ cat <<EOF > $out/etc/repart.d/22-root.conf Type=root EOF -#FIXME: use btrfs instead on ext2(busybox) but need the btrfs tools in rootfs. cat <<EOF > $out/etc/repart.d/40-var.conf [Partition] Type=var UUID=4d21b016-b534-45c2-a9fb-5c16e091fd2d -Format=ext2 +Format=btrfs Label=patos-state Minimize=off FactoryReset=yes @@ -54,6 +53,21 @@ SizeMinBytes=1G SplitName=- EOF +cat <<EOF > $out/usr/lib/systemd/system/var.mount +[Unit] +Description=Mount for /var +Before=local-fs.target + +[Mount] +What=/dev/disk/by-label/patos-state +Where=/var +Type=btrfs +Options=defaults + +[Install] +WantedBy=multi-user.target +EOF + ### install PatOS glibc cp -P $glibcPatos/lib/*.so* $out/usr/lib/ @@ -68,6 +82,10 @@ $out/usr/bin/busybox --list | xargs -I {} ln -sf busybox $out/usr/bin/{} ### install dbus broker cp -r $dbusBroker/* $out/ +### install btrfs progs +cp -Pr ${btrfs}/bin/* $out/usr/bin/ +cp -Pr ${btrfs}/lib/* $out/usr/lib/ + ### install lib kmod cp -P $kmodLibs/lib/* $out/usr/lib cp -P $kmodBin/bin/* $out/usr/bin 
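Review bot: Two of the new os-release lines in the second mkrootfs.sh hunk, `VERSION_ID={version}` and `BUILD_ID={version}`, are missing the `$`, so the image ships the literal text `{version}` while the neighbouring `IMAGE_VERSION=${version}` expands as intended; they should read `VERSION_ID="${version}"` and `BUILD_ID="${version}"`. The typo is still visible as context in patches 18 and 20, so nothing downstream has caught it yet. Separately, the `var.mount` added further down in this file carries `WantedBy=multi-user.target` while mkimage.sh links the same unit into `sysinit.target.wants`; settling on one keeps the intended ordering readable.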
@@ -75,6 +93,71 @@ cp -P $kmodBin/bin/* $out/usr/bin ### install libbpf cp -P $libbpf/lib/libbpf* $out/usr/lib +# remove pkgconfig +rm -rf $out/usr/lib/pkgconfig + +cat <<EOF > $out/etc/passwd +root::0:0:root:/root:/bin/sh +bin:x:1:1:bin:/bin:/usr/bin/nologin +daemon:x:2:2:daemon:/:/usr/bin/nologin +mail:x:8:12:mail:/var/spool/mail:/usr/bin/nologin +ftp:x:14:11:ftp:/srv/ftp:/usr/bin/nologin +http:x:33:33:http:/srv/http:/usr/bin/nologin +uuidd:x:68:68:uuidd:/:/usr/bin/nologin +messagebus:x:81:81:messagebus:/:/usr/bin/nologin +nobody:x:99:99:nobody:/:/usr/bin/nologin +systemd-coredump:x:151:992::/var/empty:/usr/bin/nologin +systemd-network:x:152:152::/var/empty:/usr/bin/nologin +systemd-resolve:x:153:153::/var/empty:/usr/bin/nologin +systemd-timesync:x:154:154::/var/empty:/usr/bin/nologin +EOF +chmod 644 $out/etc/passwd + +cat <<EOF > $out/etc/group +root:x:0:root +bin:x:1:root,bin,daemon +daemon:x:2:root,bin,daemon +sys:x:3:root,bin +adm:x:4:root,daemon +tty:x:5: +disk:x:6:root +lp:x:7:daemon +mem:x:8: +kmem:x:9: +wheel:x:10:root +ftp:x:11: +mail:x:12: +uucp:x:14: +log:x:19:root +utmp:x:20: +locate:x:21: +rfkill:x:24: +smmsp:x:25: +proc:x:26: +http:x:33: +games:x:50: +lock:x:54: +uuidd:x:68: +messagebus:x:81: +systemd-journal:x:62: +systemd-network:x:152: +systemd-resolve:x:153: +systemd-timesync:x:154: +systemd-oom:x:991: +systemd-coredump:x:992: +network:x:90: +video:x:91: +audio:x:92: +optical:x:93: +floppy:x:94: +storage:x:95: +scanner:x:96: +input:x:97: +power:x:98: +nobody:x:99: +EOF +chmod 644 $out/etc/group + ### Find and install all shared libs find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | grep -v systemd | grep -v glibc | sort -u | xargs cp -t $out/usr/lib find $out -type f -executable -exec chmod 755 {} \; From 0ed83a6d27d8aae1142a9814d0ae303825b079b9 Mon Sep 17 00:00:00 2001 
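Review bot: The `/etc/passwd` written in this hunk gives root an empty password field (`root::0:0:root:/root:/bin/sh`), which login programs treat as "no password required"; patch 18 then puts a busybox getty on the serial console, so anyone who reaches that console gets a root shell without authenticating. If this is deliberate for the pre-alpha images it should carry a FIXME on the line; otherwise lock the account with `root:x:0:0:root:/root:/bin/sh` plus a shadow entry of `root:!::0:99999:7:::` and provision credentials through the state partition or the /etc overlay. The copies previously written by mkimage.sh and mkinitrd.sh are removed in this same commit, so this heredoc is now the only source of the entry.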
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Tue, 25 Feb 2025 21:54:42 +0100 Subject: [PATCH 18/78] feat(image): add overlay to /etc and use busybox getty for login prompt --- image/mkimage.sh | 27 +-------------------------- rootfs/mkrootfs.sh | 20 +++++++++++++++++++- 2 files changed, 20 insertions(+), 27 deletions(-) diff --git a/image/mkimage.sh b/image/mkimage.sh index 721c26e..7a76dd9 100644 --- a/image/mkimage.sh +++ b/image/mkimage.sh @@ -13,6 +13,7 @@ find rootfs/ -type d -exec chmod 755 {} \; ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target # mount patos state +ln -sf ../etc.mount rootfs/usr/lib/systemd/system/local-fs.target.wants/etc.mount ln -sf ../var.mount rootfs/usr/lib/systemd/system/sysinit.target.wants/var.mount # enable dbus @@ -25,32 +26,6 @@ ln -sf ../systemd-networkd.service rootfs/usr/lib/systemd/system/sysinit.target. # generate a temporary machine id $systemd/usr/bin/systemd-machine-id-setup --root=rootfs/ -# FIXME: remove this later (just to get a shell in the initramfs) -cat <<EOF > rootfs/usr/lib/systemd/system/demo.service -[Unit] -Description=Debug Shell (/bin/sulogin) -Conflicts=shutdown.target -Before=shutdown.target - -[Service] -Environment=HOME=/root -WorkingDirectory=/root -ExecStart=/bin/sulogin -Type=idle -StandardInput=tty-force -StandardOutput=inherit -StandardError=inherit -KillMode=process -IgnoreSIGPIPE=no -SendSIGHUP=yes -Restart=always - -[Install] -WantedBy=multi-user.target -EOF -ln -sf ../demo.service rootfs/usr/lib/systemd/system/multi-user.target.wants/demo.service - - $systemd/usr/bin/ukify build \ --linux $kernel/bzImage \ --initrd $initrd/initrd.xz \ diff --git a/rootfs/mkrootfs.sh b/rootfs/mkrootfs.sh index c7460e6..75ba2a6 100644 --- a/rootfs/mkrootfs.sh +++ b/rootfs/mkrootfs.sh 
@@ -1,7 +1,7 @@ set -ex -o pipefail mkdir -p $out -mkdir -p $out/etc/repart.d $out/dev $out/proc $out/sys $out/tmp $out/root $out/run $out/boot $out/mnt +mkdir -p $out/etc/repart.d $out/dev $out/proc $out/sys $out/tmp $out/root $out/run $out/boot $out/mnt $out/home $out/srv ln -sf ../usr/bin $out/bin ln -sf ../usr/bin $out/sbin ln -sf ../usr/lib $out/lib @@ -29,6 +29,9 @@ VERSION_ID={version} BUILD_ID={version} EOF +# replace agetty with busybox getty +sed -i 's#ExecStart=.*#ExecStart=-/sbin/getty -L %I 115200 vt100#' $out/usr/lib/systemd/system/serial-getty@.service + sed -i 's#After=\(.*\)#After=sysroot.mount \1#' $out/usr/lib/systemd/system/systemd-repart.service cat <<EOF > $out/etc/repart.d/10-esp.conf [Partition] @@ -68,6 +71,21 @@ Options=defaults WantedBy=multi-user.target EOF +cat <<EOF > $out/usr/lib/systemd/system/etc.mount +[Unit] +Description=Overlay mount for /etc +Before=local-fs.target + +[Mount] +What=overlay +Where=/etc +Type=overlay +Options=lowerdir=/etc,upperdir=/run/.rw-etc/upper,workdir=/run/.rw-etc/work + +[Install] +WantedBy=local-fs.target +EOF + ### install PatOS glibc cp -P $glibcPatos/lib/*.so* $out/usr/lib/ From a3aab1ea5cb98dfcf0093a2df1f6290e6aa34faa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Tue, 25 Feb 2025 23:08:42 +0100 Subject: [PATCH 19/78] chore: flake nix cleanup --- flake.nix | 22 +++++++++++++++------- image/default.nix | 2 +- rootfs/default.nix | 2 +- rootfs/mkinitrd.nix | 2 +- 4 files changed, 18 insertions(+), 10 deletions(-) diff --git a/flake.nix b/flake.nix index 2e4eafa..9e612b4 100644 --- a/flake.nix +++ b/flake.nix 
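Review bot: The new `etc.mount` in the mkrootfs.sh hunk points `upperdir` and `workdir` at `/run/.rw-etc/upper` and `/run/.rw-etc/work`, but nothing in this commit creates those directories and `/run` is normally an empty tmpfs at boot, so unless something outside the hunk creates them the overlay mount fails and /etc stays read-only. Mount units cannot run `ExecStartPre=`, so the directories have to come from elsewhere, for example a tmpfiles.d fragment with `d /run/.rw-etc/upper 0755 root root -` and `d /run/.rw-etc/work 0755 root root -` that is ordered before this mount, or a small oneshot the unit lists under `Requires=`/`After=`. It would also help to state in the unit `Description` that the upper layer lives on tmpfs, so every change under /etc is discarded on reboot.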
@@ -17,17 +17,27 @@ let pkgs = import nixpkgs { inherit system; }; patosPkgs = self.packages.${system}; + version = "0.0.1"; in { packages = { - default = self.packages.${system}.image; - image = pkgs.callPackage ./image { inherit patosPkgs; }; + default = patosPkgs.image; + image = pkgs.callPackage ./image { + inherit patosPkgs; + inherit version; + }; + rootfs = pkgs.callPackage ./rootfs { + inherit patosPkgs; + inherit version; + }; + initrd = pkgs.callPackage ./rootfs/mkinitrd.nix { + inherit patosPkgs; + inherit version; + }; kernel = pkgs.callPackage ./kernel { }; glibc = pkgs.callPackage ./glibc { }; systemd = pkgs.callPackage ./systemd { }; dbus-broker = pkgs.callPackage ./dbus-broker { }; - rootfs = pkgs.callPackage ./rootfs { inherit patosPkgs; }; - initrd = pkgs.callPackage ./rootfs/mkinitrd.nix { inherit patosPkgs; }; qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { }; }; @@ -43,12 +53,10 @@ devShells.default = pkgs.mkShell { buildInputs = with pkgs; [ - erofs-utils just nixd nixfmt-rfc-style - squashfs-tools-ng - self.packages.${system}.qemu-uefi-tpm + patosPkgs.qemu-uefi-tpm ]; }; diff --git a/image/default.nix b/image/default.nix index e116625..553d87f 100644 --- a/image/default.nix +++ b/image/default.nix @@ -2,10 +2,10 @@ pkgs, stdenvNoCC, patosPkgs, + version, ... }: let - version = "0.0.1"; pname = "patos-image"; in stdenvNoCC.mkDerivation (finalAttrs: { diff --git a/rootfs/default.nix b/rootfs/default.nix index a180f8e..b206a0c 100644 --- a/rootfs/default.nix +++ b/rootfs/default.nix @@ -2,10 +2,10 @@ pkgs, stdenvNoCC, patosPkgs, + version, ... }: let - version = "0.0.1"; pname = "patos-rootfs"; in stdenvNoCC.mkDerivation (finalAttrs: { diff --git a/rootfs/mkinitrd.nix b/rootfs/mkinitrd.nix index f564813..3708483 100644 --- a/rootfs/mkinitrd.nix +++ b/rootfs/mkinitrd.nix @@ -2,10 +2,10 @@ pkgs, stdenvNoCC, patosPkgs, + version, ... }: let - version = "0.0.1"; pname = "patos-ramdisk"; in stdenvNoCC.mkDerivation (finalAttrs: { 
From ca54cefe36dae77b60cdc4c49569f573d6eb32f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 26 Feb 2025 10:21:56 +0100 Subject: [PATCH 20/78] fix: mount race condition of patos-state --- image/mkimage.sh | 8 +++++--- rootfs/mkrootfs.sh | 16 +++++++++++----- systemd/default.nix | 2 +- 3 files changed, 17 insertions(+), 9 deletions(-) diff --git a/image/mkimage.sh b/image/mkimage.sh index 7a76dd9..0a7ca0b 100644 --- a/image/mkimage.sh +++ b/image/mkimage.sh @@ -12,7 +12,7 @@ find rootfs/ -type d -exec chmod 755 {} \; # set default target to multi-user ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target -# mount patos state +# mount /etc overlay and patos state ln -sf ../etc.mount rootfs/usr/lib/systemd/system/local-fs.target.wants/etc.mount ln -sf ../var.mount rootfs/usr/lib/systemd/system/sysinit.target.wants/var.mount @@ -20,10 +20,12 @@ ln -sf ../var.mount rootfs/usr/lib/systemd/system/sysinit.target.wants/var.mount ln -sf ../dbus.service rootfs/usr/lib/systemd/system/multi-user.target.wants/dbus.service ln -sf ../dbus.socket rootfs/usr/lib/systemd/system/sockets.target.wants/dbus.socket -# enable systemd-networkd +# enable network services ln -sf ../systemd-networkd.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-networkd.service +ln -sf ../systemd-resolved.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-resolved.service +ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.target.wants/systemd-timesyncd.service -# generate a temporary machine id +# generate a temporary machine id (replace with overlay later) $systemd/usr/bin/systemd-machine-id-setup --root=rootfs/ $systemd/usr/bin/ukify build \ diff --git a/rootfs/mkrootfs.sh b/rootfs/mkrootfs.sh index 75ba2a6..5fba8c5 100644 --- a/rootfs/mkrootfs.sh +++ b/rootfs/mkrootfs.sh 
@@ -1,11 +1,11 @@ set -ex -o pipefail mkdir -p $out -mkdir -p $out/etc/repart.d $out/dev $out/proc $out/sys $out/tmp $out/root $out/run $out/boot $out/mnt $out/home $out/srv -ln -sf ../usr/bin $out/bin -ln -sf ../usr/bin $out/sbin -ln -sf ../usr/lib $out/lib -ln -sf ../usr/lib $out/lib64 +mkdir -p $out/etc/repart.d $out/dev $out/proc $out/sys $out/tmp $out/root $out/run $out/boot $out/mnt $out/home $out/srv $out/var/tmp +ln -sf /usr/bin $out/bin +ln -sf /usr/bin $out/sbin +ln -sf /usr/lib $out/lib +ln -sf /usr/lib $out/lib64 ln -sf ../proc/self/mounts $out/etc/mtab ### install systemd @@ -29,6 +29,11 @@ VERSION_ID={version} BUILD_ID={version} EOF +cat <<EOF > $out/etc/issue +<<< Welcome to PatOS v${version} (Pre-Alpha) (\m) - \l >>> + +EOF + # replace agetty with busybox getty sed -i 's#ExecStart=.*#ExecStart=-/sbin/getty -L %I 115200 vt100#' $out/usr/lib/systemd/system/serial-getty@.service @@ -60,6 +65,7 @@ cat <<EOF > $out/usr/lib/systemd/system/var.mount [Unit] Description=Mount for /var Before=local-fs.target +After=systemd-repart.service [Mount] What=/dev/disk/by-label/patos-state diff --git a/systemd/default.nix b/systemd/default.nix index 4daf9ed..130cf42 100644 --- a/systemd/default.nix +++ b/systemd/default.nix @@ -305,7 +305,7 @@ stdenv.mkDerivation (finalAttrs: { (lib.mesonBool "utmp" true) (lib.mesonBool "log-trace" true) - (lib.mesonBool "kernel-install" true) + (lib.mesonBool "kernel-install" false) (lib.mesonBool "quotacheck" false) (lib.mesonBool "ldconfig" false) (lib.mesonBool "install-sysconfdir" true) From 0a0e9127e0b60bfe59c39159f20790e7d277cdf5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 26 Feb 2025 10:44:36 +0100 Subject: [PATCH 21/78] fix(systemd): set path to kexec --- rootfs/mkrootfs.sh | 5 +++-- systemd/default.nix | 1 + 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/rootfs/mkrootfs.sh b/rootfs/mkrootfs.sh index 5fba8c5..ff19902 100644 --- a/rootfs/mkrootfs.sh 
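Review bot: `After=systemd-repart.service` in the var.mount hunk only orders the two units; it neither pulls systemd-repart.service in nor fails the mount when repart fails, so whether it closes the race named in the commit message depends on repart being wanted by the same target. If the intent is "do not mount /var unless repart has run", add `Requires=systemd-repart.service` next to the `After=`; if pure ordering is enough, a one-line comment in the heredoc saying why repart must precede this mount would spare the next reader the same question. The heredoc continues past the end of the hunk.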
+++ b/rootfs/mkrootfs.sh @@ -1,6 +1,6 @@ set -ex -o pipefail -mkdir -p $out +### create directory structure mkdir -p $out/etc/repart.d $out/dev $out/proc $out/sys $out/tmp $out/root $out/run $out/boot $out/mnt $out/home $out/srv $out/var/tmp ln -sf /usr/bin $out/bin ln -sf /usr/bin $out/sbin @@ -15,7 +15,8 @@ find $out -type d -exec chmod 755 {} \; rm -rf $out/usr/include rm -rf $out/usr/sbin rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service -# remove vconsole setup +rm -f $out/usr/lib/systemd/ukify +rm -f $out/usr/bin/ukify rm -f $out/usr/lib/udev/rules.d/90-vconsole.rules cat <<EOF > $out/etc/os-release diff --git a/systemd/default.nix b/systemd/default.nix index 130cf42..6f5c6c9 100644 --- a/systemd/default.nix +++ b/systemd/default.nix @@ -184,6 +184,7 @@ stdenv.mkDerivation (finalAttrs: { (lib.mesonOption "tty-gid" "3") # tty in NixOS has gid 3 (lib.mesonOption "kmod-path" "/usr/bin/kmod") + (lib.mesonOption "kexec-path" "/usr/bin/kexec") (lib.mesonOption "debug-shell" "/usr/bin/sh") (lib.mesonOption "pamconfdir" "/etc/pam.d") (lib.mesonOption "shellprofiledir" "/etc/profile.d") From 7365ef8918dacc9c26f9d94bd71078cf62652d27 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 26 Feb 2025 14:35:58 +0100 Subject: [PATCH 22/78] feat(image): install upstream kexec which now have support for UKIs --- flake.nix | 15 ++--- {dbus-broker => pkgs/dbus-broker}/default.nix | 0 {glibc => pkgs/glibc}/default.nix | 0 {image => pkgs/image}/default.nix | 0 {image => pkgs/image}/mkimage.sh | 0 {kernel => pkgs/kernel}/default.nix | 0 {kernel => pkgs/kernel}/generic.config | 0 pkgs/kexec-tools/default.nix | 62 +++++++++++++++++++ {rootfs => pkgs/rootfs}/default.nix | 1 + {rootfs => pkgs/rootfs}/mkinitrd.nix | 0 {rootfs => pkgs/rootfs}/mkinitrd.sh | 0 {rootfs => pkgs/rootfs}/mkrootfs.sh | 3 + {systemd => pkgs/systemd}/default.nix | 0 13 files changed, 74 insertions(+), 7 deletions(-) rename {dbus-broker => pkgs/dbus-broker}/default.nix (100%) rename {glibc => pkgs/glibc}/default.nix (100%) rename {image => pkgs/image}/default.nix (100%) rename {image => pkgs/image}/mkimage.sh (100%) rename {kernel => pkgs/kernel}/default.nix (100%) rename {kernel => pkgs/kernel}/generic.config (100%) create mode 100644 pkgs/kexec-tools/default.nix rename {rootfs => pkgs/rootfs}/default.nix (94%) rename {rootfs => pkgs/rootfs}/mkinitrd.nix (100%) rename {rootfs => pkgs/rootfs}/mkinitrd.sh (100%) rename {rootfs => pkgs/rootfs}/mkrootfs.sh (98%) rename {systemd => pkgs/systemd}/default.nix (100%) diff --git a/flake.nix b/flake.nix index 9e612b4..32097ba 100644 --- a/flake.nix +++ b/flake.nix 
@@ -22,22 +22,23 @@ { packages = { default = patosPkgs.image; - image = pkgs.callPackage ./image { + image = pkgs.callPackage ./pkgs/image { inherit patosPkgs; inherit version; }; - rootfs = pkgs.callPackage ./rootfs { + rootfs = pkgs.callPackage ./pkgs/rootfs { inherit patosPkgs; inherit version; }; - initrd = pkgs.callPackage ./rootfs/mkinitrd.nix { + initrd = pkgs.callPackage ./pkgs/rootfs/mkinitrd.nix { inherit patosPkgs; inherit version; }; - kernel = pkgs.callPackage ./kernel { }; - glibc = pkgs.callPackage ./glibc { }; - systemd = pkgs.callPackage ./systemd { }; - dbus-broker = pkgs.callPackage ./dbus-broker { }; + kernel = pkgs.callPackage ./pkgs/kernel { }; + glibc = pkgs.callPackage ./pkgs/glibc { }; + kexec = pkgs.callPackage ./pkgs/kexec-tools { }; + systemd = pkgs.callPackage ./pkgs/systemd { }; + dbus-broker = pkgs.callPackage ./pkgs/dbus-broker { }; qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { }; }; diff --git a/dbus-broker/default.nix b/pkgs/dbus-broker/default.nix similarity index 100% rename from dbus-broker/default.nix rename to pkgs/dbus-broker/default.nix diff --git a/glibc/default.nix b/pkgs/glibc/default.nix similarity index 100% rename from glibc/default.nix rename to pkgs/glibc/default.nix diff --git a/image/default.nix b/pkgs/image/default.nix similarity index 100% rename from image/default.nix rename to pkgs/image/default.nix diff --git a/image/mkimage.sh b/pkgs/image/mkimage.sh similarity index 100% rename from image/mkimage.sh rename to pkgs/image/mkimage.sh diff --git a/kernel/default.nix b/pkgs/kernel/default.nix similarity index 100% rename from kernel/default.nix rename to pkgs/kernel/default.nix diff --git a/kernel/generic.config b/pkgs/kernel/generic.config similarity index 100% rename from kernel/generic.config rename to pkgs/kernel/generic.config diff --git a/pkgs/kexec-tools/default.nix b/pkgs/kexec-tools/default.nix new file mode 100644 index 0000000..4ba15ba --- /dev/null +++ b/pkgs/kexec-tools/default.nix 
@@ -0,0 +1,62 @@ +{ + lib, + stdenv, + buildPackages, + fetchFromGitHub, + autoconf, + zlib, +}: + +stdenv.mkDerivation { + pname = "kexec-tools"; + version = "main"; + + src = fetchFromGitHub { + owner = "horms"; + repo = "kexec-tools"; + rev = "a7fcd424c4c80dea5a2fd5ffa274ffeb8129c790"; + hash = "sha256-QKE+KCkueA21zNunTMidP9OuZaw0IG5tFDF4UJITTTQ="; + }; + + dontPatchShebangs = true; + + hardeningDisable = [ + "format" + "pic" + "relro" + "pie" + ]; + + buildCommand = '' + unpackPhase + mkdir -p $out + cd source + ./bootstrap + ./configure --prefix=/ + make DESTDIR=$out install + ''; + + depsBuildBuild = [ buildPackages.stdenv.cc ]; + + buildInputs = [ + zlib + autoconf + ]; + + enableParallelBuilding = true; + + meta = with lib; { + homepage = "http://horms.net/projects/kexec/kexec-tools"; + description = "Tools related to the kexec Linux feature"; + platforms = platforms.linux; + badPlatforms = [ + "microblaze-linux" + "microblazeel-linux" + "riscv64-linux" + "riscv32-linux" + "sparc-linux" + "sparc64-linux" + ]; + license = licenses.gpl2Only; + }; +} diff --git a/rootfs/default.nix b/pkgs/rootfs/default.nix similarity index 94% rename from rootfs/default.nix rename to pkgs/rootfs/default.nix index b206a0c..c6f6fa1 100644 --- a/rootfs/default.nix +++ b/pkgs/rootfs/default.nix @@ -26,6 +26,7 @@ stdenvNoCC.mkDerivation (finalAttrs: { kmodBin = pkgs.kmod.out; libbpf = pkgs.libbpf.out; btrfs = pkgs.btrfs-progs.out; + kexec = patosPkgs.kexec.out; builder = ./mkrootfs.sh; }) diff --git a/rootfs/mkinitrd.nix b/pkgs/rootfs/mkinitrd.nix similarity index 100% rename from rootfs/mkinitrd.nix rename to pkgs/rootfs/mkinitrd.nix diff --git a/rootfs/mkinitrd.sh b/pkgs/rootfs/mkinitrd.sh similarity index 100% rename from rootfs/mkinitrd.sh rename to pkgs/rootfs/mkinitrd.sh diff --git a/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh similarity index 98% rename from rootfs/mkrootfs.sh rename to pkgs/rootfs/mkrootfs.sh index ff19902..fb9efe8 100644 --- a/rootfs/mkrootfs.sh 
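Review bot: `hardeningDisable = [ "format" "pic" "relro" "pie" ]` turns off four compiler and linker hardening flags for a binary that runs as root to load the next kernel, and the derivation does not say why; if only the purgatory code needs position-dependent output, a comment such as `# purgatory is freestanding position-dependent code; keep this list minimal` together with dropping any entry the build does not actually require would make the trade-off reviewable. `version = "main"` also misdescribes a source that is pinned to a fixed `rev` and hash; a string like `version = "0-unstable-<date>"` (placeholder) says what is actually built. Separately, `homepage` uses plain `http://`.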
+++ b/pkgs/rootfs/mkrootfs.sh @@ -107,6 +107,9 @@ $out/usr/bin/busybox --list | xargs -I {} ln -sf busybox $out/usr/bin/{} ### install dbus broker cp -r $dbusBroker/* $out/ +### install kexec +cp -Pr ${kexec}/sbin/kexec $out/usr/bin/ + ### install btrfs progs cp -Pr ${btrfs}/bin/* $out/usr/bin/ cp -Pr ${btrfs}/lib/* $out/usr/lib/ diff --git a/systemd/default.nix b/pkgs/systemd/default.nix similarity index 100% rename from systemd/default.nix rename to pkgs/systemd/default.nix From 57f83bd4ac0c951e0b432de07e14031bf5c41d03 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Thu, 27 Feb 2025 00:02:22 +0100 Subject: [PATCH 23/78] chore: make erofs with --all-root flag --- pkgs/image/default.nix | 1 + pkgs/rootfs/mkrootfs.sh | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix index 553d87f..8348db4 100644 --- a/pkgs/image/default.nix +++ b/pkgs/image/default.nix @@ -22,6 +22,7 @@ stdenvNoCC.mkDerivation (finalAttrs: { env = { # vfat options won't efi won't find the fs otherwise. SYSTEMD_REPART_MKFS_OPTIONS_VFAT = "-S 512 -c"; + SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root"; }; systemd = patosPkgs.systemd.out; diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh index fb9efe8..078c011 100644 --- a/pkgs/rootfs/mkrootfs.sh +++ b/pkgs/rootfs/mkrootfs.sh @@ -1,7 +1,8 @@ set -ex -o pipefail ### create directory structure -mkdir -p $out/etc/repart.d $out/dev $out/proc $out/sys $out/tmp $out/root $out/run $out/boot $out/mnt $out/home $out/srv $out/var/tmp +mkdir -p $out/etc/repart.d $out/dev $out/proc $out/sys \ + $out/tmp $out/root $out/run $out/boot $out/mnt $out/home $out/srv $out/var/tmp ln -sf /usr/bin $out/bin ln -sf /usr/bin $out/sbin ln -sf /usr/lib $out/lib 
@@ -18,6 +19,7 @@ rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service rm -f $out/usr/lib/systemd/ukify rm -f $out/usr/bin/ukify rm -f $out/usr/lib/udev/rules.d/90-vconsole.rules +ln -s /run/systemd/resolve/stub-resolv.conf $out/etc/resolv.conf cat <<EOF > $out/etc/os-release NAME=PatOS From aa4f69d8919d94fa304d6fc20011a07f00c39c1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Thu, 27 Feb 2025 08:59:01 +0100 Subject: [PATCH 24/78] fix: we need to roll our own versions of tpm2-tools and tpm2-tss --- flake.nix | 2 + pkgs/kernel/default.nix | 4 +- pkgs/kernel/generic.config | 1 + pkgs/rootfs/default.nix | 2 + pkgs/rootfs/mkrootfs.sh | 6 ++- pkgs/tpm2-tools/default.nix | 48 +++++++++++++++++++ pkgs/tpm2-tss/default.nix | 86 +++++++++++++++++++++++++++++++++++ pkgs/tpm2-tss/no-shadow.patch | 16 +++++++ 8 files changed, 162 insertions(+), 3 deletions(-) create mode 100644 pkgs/tpm2-tools/default.nix create mode 100644 pkgs/tpm2-tss/default.nix create mode 100644 pkgs/tpm2-tss/no-shadow.patch diff --git a/flake.nix b/flake.nix index 32097ba..071ae56 100644 --- a/flake.nix +++ b/flake.nix @@ -37,6 +37,8 @@ kernel = pkgs.callPackage ./pkgs/kernel { }; glibc = pkgs.callPackage ./pkgs/glibc { }; kexec = pkgs.callPackage ./pkgs/kexec-tools { }; + tpm2-tools = pkgs.callPackage ./pkgs/tpm2-tools { inherit patosPkgs; }; + tpm2-tss = pkgs.callPackage ./pkgs/tpm2-tss { }; systemd = pkgs.callPackage ./pkgs/systemd { }; dbus-broker = pkgs.callPackage ./pkgs/dbus-broker { }; diff --git a/pkgs/kernel/default.nix b/pkgs/kernel/default.nix index e10d25b..73ecd1f 100644 --- a/pkgs/kernel/default.nix +++ b/pkgs/kernel/default.nix @@ -1,6 +1,6 @@ { pkgs, ... }: let - version = "6.13.2"; + version = "6.13.4"; in pkgs.linuxPackagesFor ( pkgs.linuxManualConfig { 
@@ -8,7 +8,7 @@ pkgs.linuxPackagesFor ( modDirVersion = version; src = pkgs.fetchurl { url = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${version}.tar.xz"; - hash = "sha256-zfYpgZBru+lwGutzxPn8yAegmEbCiHMWY9YnF+0a5wU="; + hash = "sha256-uA4LyO+8MenOWoTRCE3Mz6QOAb6ozCWv0GZIuT1hM54="; }; configfile = ./generic.config; allowImportFromDerivation = true; diff --git a/pkgs/kernel/generic.config b/pkgs/kernel/generic.config index 7e0325c..c717915 100644 --- a/pkgs/kernel/generic.config +++ b/pkgs/kernel/generic.config @@ -2213,6 +2213,7 @@ CONFIG_TCG_CRB=y CONFIG_TCG_TIS_CORE=y CONFIG_TCG_TIS=y CONFIG_TCG_TPM=y +CONFIG_TCG_TPM2_HMAC=y CONFIG_TCP_CONG_ADVANCED=y CONFIG_TCP_CONG_BBR=y CONFIG_TCP_CONG_CUBIC=y diff --git a/pkgs/rootfs/default.nix b/pkgs/rootfs/default.nix index c6f6fa1..4d7768b 100644 --- a/pkgs/rootfs/default.nix +++ b/pkgs/rootfs/default.nix @@ -26,6 +26,8 @@ stdenvNoCC.mkDerivation (finalAttrs: { kmodBin = pkgs.kmod.out; libbpf = pkgs.libbpf.out; btrfs = pkgs.btrfs-progs.out; + tpm2Libs = patosPkgs.tpm2-tss.out; + tpm2Tools = patosPkgs.tpm2-tools.out; kexec = patosPkgs.kexec.out; builder = ./mkrootfs.sh; diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh index 078c011..7d94052 100644 --- a/pkgs/rootfs/mkrootfs.sh +++ b/pkgs/rootfs/mkrootfs.sh @@ -116,6 +116,10 @@ cp -Pr ${kexec}/sbin/kexec $out/usr/bin/ cp -Pr ${btrfs}/bin/* $out/usr/bin/ cp -Pr ${btrfs}/lib/* $out/usr/lib/ +### install tpm2 tools +cp -P ${tpm2Tools}/bin/* $out/usr/bin/ +cp -P ${tpm2Libs}/lib/*.so* $out/usr/lib/ + ### install lib kmod cp -P $kmodLibs/lib/* $out/usr/lib cp -P $kmodBin/bin/* $out/usr/bin 
@@ -189,7 +193,7 @@ EOF chmod 644 $out/etc/group ### Find and install all shared libs -find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | grep -v systemd | grep -v glibc | sort -u | xargs cp -t $out/usr/lib +find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | grep -v systemd | grep -v glibc | grep -v tpm2 | sort -u | xargs cp -t $out/usr/lib find $out -type f -executable -exec chmod 755 {} \; # FIXME: ELF patching. Is there a better way? diff --git a/pkgs/tpm2-tools/default.nix b/pkgs/tpm2-tools/default.nix new file mode 100644 index 0000000..f447fe6 --- /dev/null +++ b/pkgs/tpm2-tools/default.nix @@ -0,0 +1,48 @@ +{ + stdenv, + fetchurl, + lib, + pandoc, + pkg-config, + curl, + openssl, + patosPkgs, + libuuid, +}: + +stdenv.mkDerivation rec { + pname = "tpm2-tools"; + version = "5.7"; + + src = fetchurl { + url = "https://github.com/tpm2-software/${pname}/releases/download/${version}/${pname}-${version}.tar.gz"; + sha256 = "sha256-OBDTa1B5JW9PL3zlUuIiE9Q7EDHBMVON+KLbw8VwmDo="; + }; + + nativeBuildInputs = [ + pandoc + pkg-config + ]; + buildInputs = [ + curl + openssl + patosPkgs.tpm2-tss + libuuid + ]; + + # Unit tests disabled, as they rely on a dbus session + configureFlags = [ "--prefix=/" ]; + preInstall = '' + mkdir -p $out + export DESTDIR=$out + ''; + doCheck = false; + + meta = with lib; { + description = "Command line tools that provide access to a TPM 2.0 compatible device"; + homepage = "https://github.com/tpm2-software/tpm2-tools"; + license = licenses.bsd3; + platforms = platforms.linux; + maintainers = with maintainers; [ tomfitzhenry ]; + }; +} diff --git a/pkgs/tpm2-tss/default.nix b/pkgs/tpm2-tss/default.nix new file mode 100644 index 0000000..5e23100 --- /dev/null +++ b/pkgs/tpm2-tss/default.nix 
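Review bot: The `grep -v tpm2` added to the `find … -exec ldd` pipeline is the third path-substring exclusion, and PATCH 26's mkrootfs hunk adds a fourth (`grep -v devmapper`); each of these drops every dependency whose store path merely contains the word, so an unrelated library living under a `*tpm2*` path would silently be skipped, and the reason for the exclusions (those libraries were already copied from their own package output) is not written down. A comment above the line would make the intent checkable, e.g. `# skip libs already installed from their own package output (systemd, glibc, tpm2-tss)`. Note also that `ldd` executes the ELF interpreter of every executable under $out; that is acceptable for files produced by this derivation but the pipeline should never be pointed at foreign binaries, which is worth stating in the same comment.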
@@ -0,0 +1,86 @@ +{ + stdenv, + lib, + fetchFromGitHub, + autoreconfHook, + autoconf-archive, + pkg-config, + doxygen, + perl, + openssl, + json_c, + curl, + libgcrypt, + uthash, + git, + libuuid, + libtpms, +}: + +stdenv.mkDerivation rec { + pname = "tpm2-tss"; + version = "4.1.3"; + + src = fetchFromGitHub { + owner = "tpm2-software"; + repo = pname; + rev = version; + hash = "sha256-BP28utEUI9g1VNv3lCXuiKrDtEImFQxxZfIjLiE3Wr8="; + }; + + patches = [ + ./no-shadow.patch + ]; + + postPatch = '' + substituteInPlace ./bootstrap \ + --replace-fail 'git describe --tags --always --dirty' 'echo "${version}"' + ''; + + outputs = [ + "out" + ]; + + nativeBuildInputs = [ + autoreconfHook + autoconf-archive + pkg-config + doxygen + perl + git + ]; + + buildInputs = [ + openssl + json_c + curl + libgcrypt + uthash + libuuid + libtpms + ]; + + strictDeps = true; + preAutoreconf = "./bootstrap"; + + enableParallelBuilding = true; + + configureFlags = [ + "--prefix=/" + ]; + + preInstall = '' + mkdir -p $out + export DESTDIR=$out + ''; + + doCheck = false; + + meta = with lib; { + description = "OSS implementation of the TCG TPM2 Software Stack (TSS2)"; + homepage = "https://github.com/tpm2-software/tpm2-tss"; + license = licenses.bsd2; + platforms = platforms.unix; + maintainers = with maintainers; [ baloo ]; + }; +} diff --git a/pkgs/tpm2-tss/no-shadow.patch b/pkgs/tpm2-tss/no-shadow.patch new file mode 100644 index 0000000..a42bf06 --- /dev/null +++ b/pkgs/tpm2-tss/no-shadow.patch 
@@ -0,0 +1,16 @@ +diff --git a/configure.ac b/configure.ac +index e2d579b8..0eac4ff3 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -672,9 +672,9 @@ AS_IF([test "$HOSTOS" = "Linux" && test "x$systemd_sysusers" != "xyes"], + AC_CHECK_PROG(adduser, adduser, yes) + AC_CHECK_PROG(addgroup, addgroup, yes) + AS_IF([test "x$addgroup" != "xyes" && test "x$groupadd" != "xyes" ], +- [AC_MSG_ERROR([addgroup or groupadd are needed.])]) ++ [AC_MSG_WARN([addgroup or groupadd are needed.])]) + AS_IF([test "x$adduser" != "xyes" && test "x$useradd" != "xyes" ], +- [AC_MSG_ERROR([adduser or useradd are needed.])])]) ++ [AC_MSG_WARN([adduser or useradd are needed.])])]) + + AC_SUBST([PATH]) + From 0a6fc3af49b1d05134a9bfd5c1941f7de71826b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Thu, 27 Feb 2025 08:59:01 +0100 Subject: [PATCH 25/78] chore: enable default networking and make root own erofs files --- pkgs/image/default.nix | 2 +- pkgs/image/mkimage.sh | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix index 8348db4..c8b7749 100644 --- a/pkgs/image/default.nix +++ b/pkgs/image/default.nix @@ -22,7 +22,7 @@ stdenvNoCC.mkDerivation (finalAttrs: { env = { # vfat options won't efi won't find the fs otherwise. SYSTEMD_REPART_MKFS_OPTIONS_VFAT = "-S 512 -c"; - SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root"; + SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root"; # -zlz4hc,level=12 -Efragments,dedupe,ztailpacking"; }; systemd = patosPkgs.systemd.out; diff --git a/pkgs/image/mkimage.sh b/pkgs/image/mkimage.sh index 0a7ca0b..21dbe5f 100644 --- a/pkgs/image/mkimage.sh +++ b/pkgs/image/mkimage.sh 
@@ -24,6 +24,8 @@ ln -sf ../dbus.socket rootfs/usr/lib/systemd/system/sockets.target.wants/dbus.so ln -sf ../systemd-networkd.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-networkd.service ln -sf ../systemd-resolved.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-resolved.service ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.target.wants/systemd-timesyncd.service +# enable default network config +mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/systemd/network/89-ethernet.network # generate a temporary machine id (replace with overlay later) $systemd/usr/bin/systemd-machine-id-setup --root=rootfs/ From adb2e90c13b98c6709066ac4ff2aa020a5e9774f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Mon, 3 Mar 2025 13:52:52 +0100 Subject: [PATCH 26/78] fix(image): image need to include devicemapper setup tools and udev rules --- flake.nix | 1 + pkgs/kernel/generic.config | 2 +- pkgs/lvm2/default.nix | 66 ++++++++++++++++++++++++++++++++++++++ pkgs/rootfs/default.nix | 2 ++ pkgs/rootfs/mkrootfs.sh | 52 ++++++++++++++++++++---------- utils/qemu-uefi-tpm.nix | 2 +- 6 files changed, 106 insertions(+), 19 deletions(-) create mode 100644 pkgs/lvm2/default.nix diff --git a/flake.nix b/flake.nix index 071ae56..5c76b2f 100644 --- a/flake.nix +++ b/flake.nix @@ -37,6 +37,7 @@ kernel = pkgs.callPackage ./pkgs/kernel { }; glibc = pkgs.callPackage ./pkgs/glibc { }; kexec = pkgs.callPackage ./pkgs/kexec-tools { }; + lvm2 = pkgs.callPackage ./pkgs/lvm2 { }; tpm2-tools = pkgs.callPackage ./pkgs/tpm2-tools { inherit patosPkgs; }; tpm2-tss = pkgs.callPackage ./pkgs/tpm2-tss { }; systemd = pkgs.callPackage ./pkgs/systemd { }; diff --git a/pkgs/kernel/generic.config b/pkgs/kernel/generic.config index c717915..0220e23 100644 --- a/pkgs/kernel/generic.config +++ b/pkgs/kernel/generic.config 
@@ -2213,7 +2213,7 @@ CONFIG_TCG_CRB=y CONFIG_TCG_TIS_CORE=y CONFIG_TCG_TIS=y CONFIG_TCG_TPM=y -CONFIG_TCG_TPM2_HMAC=y +CONFIG_TCG_TPM2_HMAC=n CONFIG_TCP_CONG_ADVANCED=y CONFIG_TCP_CONG_BBR=y CONFIG_TCP_CONG_CUBIC=y diff --git a/pkgs/lvm2/default.nix b/pkgs/lvm2/default.nix new file mode 100644 index 0000000..f211e26 --- /dev/null +++ b/pkgs/lvm2/default.nix @@ -0,0 +1,66 @@ +{ + stdenv, + fetchurl, + lib, + pkg-config, + libaio, + udev, +}: + +stdenv.mkDerivation rec { + pname = "lvm2"; + version = "2.03.30"; + + src = fetchurl { + urls = [ + "https://mirrors.kernel.org/sourceware/lvm2/LVM2.${version}.tgz" + "ftp://sourceware.org/pub/lvm2/LVM2.${version}.tgz" + ]; + hash = "sha256-rXar7LjciHcz4GxEnLmt0Eo1BvnweAwSiBem4aF87AU="; + }; + + nativeBuildInputs = [ + pkg-config + ]; + buildInputs = [ + libaio + udev + ]; + + configureFlags = [ + "--prefix=/" + "--sbindir=/usr/bin" + "--sysconfdir=/etc" + "--localstatedir=/var" + "--enable-cmdlib" + "--enable-dmeventd" + "--enable-lvmpolld" + "--enable-pkgconfig" + "--enable-udev_rules" + "--enable-udev_sync" + "--enable-write_install" + "--with-cache=internal" + "--with-thin=internal" + ]; + + preInstall = '' + mkdir -p $out + export DESTDIR=$out + ''; + doCheck = false; + + meta = with lib; { + homepage = "http://sourceware.org/lvm2/"; + description = "Tools to support Logical Volume Management (LVM) on Linux"; + platforms = platforms.linux; + license = with licenses; [ + gpl2Only + bsd2 + lgpl21 + ]; + maintainers = with maintainers; [ + raskin + ajs124 + ]; + }; +} diff --git a/pkgs/rootfs/default.nix b/pkgs/rootfs/default.nix index 4d7768b..20fe642 100644 --- a/pkgs/rootfs/default.nix +++ b/pkgs/rootfs/default.nix @@ -29,6 +29,8 @@ stdenvNoCC.mkDerivation (finalAttrs: { tpm2Libs = patosPkgs.tpm2-tss.out; tpm2Tools = patosPkgs.tpm2-tools.out; kexec = patosPkgs.kexec.out; + lvm2 = patosPkgs.lvm2.out; + cryptsetup = pkgs.cryptsetup.bin; builder = ./mkrootfs.sh; }) 
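Review bot: Flipping `CONFIG_TCG_TPM2_HMAC=y` to `CONFIG_TCG_TPM2_HMAC=n` switches off the kernel's HMAC-authenticated, encrypted sessions with the TPM — the protection of kernel-to-TPM traffic that the previous commit had just enabled — and the commit message (device-mapper tools and udev rules) gives no reason for it. That matters here because the same series seals the /var LUKS key with `Encrypt=tpm2`, so the integrity of the TPM channel is part of the disk-encryption design. If it was disabled for the swtpm/QEMU setup or for boot-time cost, say so on a comment line above the option, e.g. `# TPM2 HMAC sessions disabled: <reason>; revisit before production images`, so the `=n` is not mistaken for the intended end state.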
diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh index 7d94052..538a7c9 100644 --- a/pkgs/rootfs/mkrootfs.sh +++ b/pkgs/rootfs/mkrootfs.sh @@ -15,6 +15,7 @@ cp -Pr $systemd/* $out/ find $out -type d -exec chmod 755 {} \; rm -rf $out/usr/include rm -rf $out/usr/sbin +ln -sf /usr/bin $out/usr/sbin rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service rm -f $out/usr/lib/systemd/ukify rm -f $out/usr/bin/ukify @@ -52,6 +53,13 @@ cat <<EOF > $out/etc/repart.d/22-root.conf Type=root EOF +mkdir $out/usr/lib/systemd/system/systemd-repart.service.d +cat <<EOF > $out/usr/lib/systemd/system/systemd-repart.service.d/override.conf +[Service] +ExecStart= +ExecStart=systemd-repart --dry-run=no --generate-crypttab=/etc/crypttab +EOF + cat <<EOF > $out/etc/repart.d/40-var.conf [Partition] Type=var @@ -59,26 +67,28 @@ UUID=4d21b016-b534-45c2-a9fb-5c16e091fd2d Format=btrfs Label=patos-state Minimize=off +Encrypt=tpm2 +EncryptedVolume=patos-state:none:tpm2-device=auto,luks,discard FactoryReset=yes SizeMinBytes=1G SplitName=- EOF -cat <<EOF > $out/usr/lib/systemd/system/var.mount -[Unit] -Description=Mount for /var -Before=local-fs.target -After=systemd-repart.service - -[Mount] -What=/dev/disk/by-label/patos-state -Where=/var -Type=btrfs -Options=defaults - -[Install] -WantedBy=multi-user.target -EOF +# cat <<EOF > $out/usr/lib/systemd/system/var.mount +# [Unit] +# Description=Mount for /var +# Before=local-fs.target +# After=systemd-repart.service +# +# [Mount] +# What=/dev/mapper/patos-state +# Where=/var +# Type=btrfs +# Options=defaults +# +# [Install] +# WantedBy=multi-user.target +# EOF cat <<EOF > $out/usr/lib/systemd/system/etc.mount [Unit] 
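Review bot: The new `Encrypt=tpm2` / `EncryptedVolume=patos-state:none:tpm2-device=auto,luks,discard` lines in 40-var.conf enroll the /var key against the TPM without naming a PCR policy, so systemd-repart's default binding applies (PCR 7 only, unless the service is invoked with `--tpm2-pcrs=` or `--tpm2-public-key=`), which releases the key to any OS booted under the same Secure Boot configuration rather than to this image's kernel specifically. Whether that is the intended threat model should be recorded next to the partition definition, e.g. `# key sealed to TPM2 with repart's default policy (PCR 7); tighten via --tpm2-pcrs=/--tpm2-public-key= in the repart drop-in once UKI measurements are in place`. The `discard` option is a deliberate trade-off (TRIM reveals which blocks are in use on the encrypted volume) and deserves a similar one-line note. The repart drop-in written in the second hunk of this file and the partition definitions are both produced by this script, whose body extends beyond the hunks.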
@@ -112,6 +122,11 @@ cp -r $dbusBroker/* $out/ ### install kexec cp -Pr ${kexec}/sbin/kexec $out/usr/bin/ +### install dmsetup udev rules +cp -P ${lvm2}/usr/bin/dmsetup $out/usr/bin/ +cp -P ${lvm2}/lib/libdevmapper.so* $out/usr/lib/ +cp -P ${lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/ + ### install btrfs progs cp -Pr ${btrfs}/bin/* $out/usr/bin/ cp -Pr ${btrfs}/lib/* $out/usr/lib/ @@ -120,6 +135,9 @@ cp -Pr ${btrfs}/lib/* $out/usr/lib/ cp -P ${tpm2Tools}/bin/* $out/usr/bin/ cp -P ${tpm2Libs}/lib/*.so* $out/usr/lib/ +### install cryptsetup tools +cp -P $cryptsetup/bin/* $out/usr/bin/ + ### install lib kmod cp -P $kmodLibs/lib/* $out/usr/lib cp -P $kmodBin/bin/* $out/usr/bin @@ -193,11 +211,11 @@ EOF chmod 644 $out/etc/group ### Find and install all shared libs -find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | grep -v systemd | grep -v glibc | grep -v tpm2 | sort -u | xargs cp -t $out/usr/lib +find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | grep -v systemd | grep -v glibc | grep -v tpm2 | grep -v devmapper | sort -u | xargs -I {} cp {} $out/usr/lib/ find $out -type f -executable -exec chmod 755 {} \; # FIXME: ELF patching. Is there a better way? -find $out -type f -executable -exec patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd {} \; +find $out -type f -executable -exec patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd:/usr/lib/cryptsetup {} \; find $out -type f -executable -exec patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 {} \; patchelf --remove-rpath $out/usr/lib/ld-linux-x86-64.so.2 diff --git a/utils/qemu-uefi-tpm.nix b/utils/qemu-uefi-tpm.nix index bb151c5..0193a27 100644 --- a/utils/qemu-uefi-tpm.nix +++ b/utils/qemu-uefi-tpm.nix @@ -24,7 +24,7 @@ pkgs.writeShellApplication { swtpm socket -d --tpmstate dir="$state" \ --ctrl type=unixio,path="$state/swtpm-sock" \ --tpm2 \ - --log level=20 + --log file="$state/swtpm.log",level=20 qemu-system-x86_64 \ -enable-kvm \ 
From 10090a75b0f5d7fd116a6656562c22879448f090 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Tue, 4 Mar 2025 12:09:03 +0100 Subject: [PATCH 27/78] fix(image): finally have working mount of encrypted volumes! --- pkgs/image/mkimage.sh | 1 - pkgs/rootfs/mkinitrd.sh | 23 +++++++++++++++++++++++ pkgs/rootfs/mkrootfs.sh | 29 +++++++---------------------- 3 files changed, 30 insertions(+), 23 deletions(-) diff --git a/pkgs/image/mkimage.sh b/pkgs/image/mkimage.sh index 21dbe5f..ce33fb7 100644 --- a/pkgs/image/mkimage.sh +++ b/pkgs/image/mkimage.sh @@ -14,7 +14,6 @@ ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target # mount /etc overlay and patos state ln -sf ../etc.mount rootfs/usr/lib/systemd/system/local-fs.target.wants/etc.mount -ln -sf ../var.mount rootfs/usr/lib/systemd/system/sysinit.target.wants/var.mount # enable dbus ln -sf ../dbus.service rootfs/usr/lib/systemd/system/multi-user.target.wants/dbus.service diff --git a/pkgs/rootfs/mkinitrd.sh b/pkgs/rootfs/mkinitrd.sh index c735448..e707f25 100644 --- a/pkgs/rootfs/mkinitrd.sh +++ b/pkgs/rootfs/mkinitrd.sh 
@@ -16,6 +16,29 @@ echo patos > ./etc/hostname ln -sf /etc/os-release ./etc/initrd-release +# set default target to initrd inside initrd +ln -sf initrd.target ./usr/lib/systemd/system/default.target + +mkdir ./usr/lib/systemd/system/systemd-repart.service.d +cat <<EOF > ./usr/lib/systemd/system/systemd-repart.service.d/override.conf +[Service] +ExecStart=systemd-repart --dry-run=no --generate-crypttab=/run/crypttab --generate-fstab=/run/fstab +EOF + +cat <<EOF > ./usr/lib/systemd/system/sysroot-run.mount +[Unit] +Before=initrd-fs.target +DefaultDependencies=false + +[Mount] +Options=bind +What=/run +Where=/sysroot/run +EOF +# bind mount /run to /sysroot/run +mkdir ./usr/lib/systemd/system/initrd-fs.target.requires/ +ln -sf ../sysroot-run.mount ./usr/lib/systemd/system/initrd-fs.target.requires/sysroot-run.mount + # gen initrd find . -print0 | cpio --null --owner=root:root -o --format=newc | xz -9 --check=crc32 > ../initrd.xz diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh index 538a7c9..8429cf0 100644 --- a/pkgs/rootfs/mkrootfs.sh +++ b/pkgs/rootfs/mkrootfs.sh @@ -53,13 +53,6 @@ cat <<EOF > $out/etc/repart.d/22-root.conf Type=root EOF -mkdir $out/usr/lib/systemd/system/systemd-repart.service.d -cat <<EOF > $out/usr/lib/systemd/system/systemd-repart.service.d/override.conf -[Service] -ExecStart= -ExecStart=systemd-repart --dry-run=no --generate-crypttab=/etc/crypttab -EOF - cat <<EOF > $out/etc/repart.d/40-var.conf [Partition] Type=var 
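Review bot: The drop-in written to `systemd-repart.service.d/override.conf` sets `ExecStart=systemd-repart --dry-run=no --generate-crypttab=/run/crypttab --generate-fstab=/run/fstab` without first clearing the unit's existing ExecStart=; because the shipped systemd-repart.service is Type=oneshot, a second ExecStart= line is accepted and both commands run in sequence, so the stock invocation (without the generate options) executes first on every boot. Add an empty `ExecStart=` line before the new one (a later commit in this series does add it, so this is about this revision only). The sysroot-run.mount unit with `DefaultDependencies=false` and the `initrd-fs.target.requires` link look right for carrying `/run/crypttab` and `/run/fstab` into the real root; a short comment stating that these two generated files are the only source of truth for which LUKS volume gets unlocked would help the next reader.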
@@ -69,26 +62,18 @@ Label=patos-state Minimize=off Encrypt=tpm2 EncryptedVolume=patos-state:none:tpm2-device=auto,luks,discard +MountPoint=/var FactoryReset=yes SizeMinBytes=1G SplitName=- EOF -# cat <<EOF > $out/usr/lib/systemd/system/var.mount -# [Unit] -# Description=Mount for /var -# Before=local-fs.target -# After=systemd-repart.service -# -# [Mount] -# What=/dev/mapper/patos-state -# Where=/var -# Type=btrfs -# Options=defaults -# -# [Install] -# WantedBy=multi-user.target -# EOF +rm -f $out/etc/systemd/system.conf +cat <<EOF > $out/etc/systemd/system.conf +[Manager] +DefaultEnvironment=PATH=/bin:/sbin:/usr/bin +ManagerEnvironment=PATH=/bin:/sbin:/usr/bin SYSTEMD_CRYPTTAB=/run/crypttab SYSTEMD_SYSROOT_FSTAB=/run/fstab SYSTEMD_FSTAB=/run/fstab +EOF cat <<EOF > $out/usr/lib/systemd/system/etc.mount [Unit] From 83bb3599a4e8d3bbb7b443d6d69cab6d38dfb4ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Tue, 4 Mar 2025 12:16:49 +0100 Subject: [PATCH 28/78] fix(repart): depend on sysroot-run mount --- pkgs/image/mkimage.sh | 2 +- pkgs/rootfs/mkinitrd.sh | 4 ++++ pkgs/rootfs/mkrootfs.sh | 8 ++++++-- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/pkgs/image/mkimage.sh b/pkgs/image/mkimage.sh index ce33fb7..0c6fad0 100644 --- a/pkgs/image/mkimage.sh +++ b/pkgs/image/mkimage.sh @@ -12,7 +12,7 @@ find rootfs/ -type d -exec chmod 755 {} \; # set default target to multi-user ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target -# mount /etc overlay and patos state +# mount /etc overlay ln -sf ../etc.mount rootfs/usr/lib/systemd/system/local-fs.target.wants/etc.mount # enable dbus diff --git a/pkgs/rootfs/mkinitrd.sh b/pkgs/rootfs/mkinitrd.sh index e707f25..c35b516 100644 --- a/pkgs/rootfs/mkinitrd.sh +++ b/pkgs/rootfs/mkinitrd.sh 
@@ -21,6 +21,10 @@ ln -sf initrd.target ./usr/lib/systemd/system/default.target mkdir ./usr/lib/systemd/system/systemd-repart.service.d cat <<EOF > ./usr/lib/systemd/system/systemd-repart.service.d/override.conf +[Unit] +After=sysroot-run.mount +Requires=sysroot-run.mount + [Service] ExecStart=systemd-repart --dry-run=no --generate-crypttab=/run/crypttab --generate-fstab=/run/fstab EOF diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh index 8429cf0..cdc43d5 100644 --- a/pkgs/rootfs/mkrootfs.sh +++ b/pkgs/rootfs/mkrootfs.sh @@ -39,9 +39,13 @@ cat <<EOF > $out/etc/issue EOF # replace agetty with busybox getty -sed -i 's#ExecStart=.*#ExecStart=-/sbin/getty -L %I 115200 vt100#' $out/usr/lib/systemd/system/serial-getty@.service +mkdir $out/usr/lib/systemd/system/serial-getty@.service.d +cat <<EOF > $out/usr/lib/systemd/system/serial-getty@.service.d/override.conf +[Service] +ExecStart= +ExecStart=-/sbin/getty -L %I 115200 vt100 +EOF -sed -i 's#After=\(.*\)#After=sysroot.mount \1#' $out/usr/lib/systemd/system/systemd-repart.service cat <<EOF > $out/etc/repart.d/10-esp.conf [Partition] Type=esp From 529061df5eb80f1451d9672dacf3d1a7bec480c5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Tue, 4 Mar 2025 14:08:13 +0100 Subject: [PATCH 29/78] chore: clean up comments --- pkgs/rootfs/mkinitrd.sh | 3 ++- pkgs/rootfs/mkrootfs.sh | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/pkgs/rootfs/mkinitrd.sh b/pkgs/rootfs/mkinitrd.sh index c35b516..7f948f7 100644 --- a/pkgs/rootfs/mkinitrd.sh +++ b/pkgs/rootfs/mkinitrd.sh @@ -19,6 +19,7 @@ ln -sf /etc/os-release ./etc/initrd-release # set default target to initrd inside initrd ln -sf initrd.target ./usr/lib/systemd/system/default.target +# generate crypttab and fstab under /run mkdir ./usr/lib/systemd/system/systemd-repart.service.d cat <<EOF > ./usr/lib/systemd/system/systemd-repart.service.d/override.conf [Unit] 
@@ -29,6 +30,7 @@ Requires=sysroot-run.mount ExecStart=systemd-repart --dry-run=no --generate-crypttab=/run/crypttab --generate-fstab=/run/fstab EOF +# bind mount /run to /sysroot/run cat <<EOF > ./usr/lib/systemd/system/sysroot-run.mount [Unit] Before=initrd-fs.target @@ -39,7 +41,6 @@ Options=bind What=/run Where=/sysroot/run EOF -# bind mount /run to /sysroot/run mkdir ./usr/lib/systemd/system/initrd-fs.target.requires/ ln -sf ../sysroot-run.mount ./usr/lib/systemd/system/initrd-fs.target.requires/sysroot-run.mount diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh index cdc43d5..aedcf6a 100644 --- a/pkgs/rootfs/mkrootfs.sh +++ b/pkgs/rootfs/mkrootfs.sh @@ -72,6 +72,8 @@ SizeMinBytes=1G SplitName=- EOF +# as rootfs is read-only we need to configure the fstab and cryptsetup generators to look +# for config under /run (which are generated by systemd-repart) rm -f $out/etc/systemd/system.conf cat <<EOF > $out/etc/systemd/system.conf [Manager] From e5367bac84f0a5535761d8d581c783aab5b2fdca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Tue, 4 Mar 2025 14:20:13 +0100 Subject: [PATCH 30/78] chore: more clean up --- pkgs/rootfs/mkinitrd.sh | 24 +++++++++++++----------- pkgs/rootfs/mkrootfs.sh | 4 +++- 2 files changed, 16 insertions(+), 12 deletions(-) diff --git a/pkgs/rootfs/mkinitrd.sh b/pkgs/rootfs/mkinitrd.sh index 7f948f7..43708d0 100644 --- a/pkgs/rootfs/mkinitrd.sh +++ b/pkgs/rootfs/mkinitrd.sh 
@@ -19,17 +19,6 @@ ln -sf /etc/os-release ./etc/initrd-release # set default target to initrd inside initrd ln -sf initrd.target ./usr/lib/systemd/system/default.target -# generate crypttab and fstab under /run -mkdir ./usr/lib/systemd/system/systemd-repart.service.d -cat <<EOF > ./usr/lib/systemd/system/systemd-repart.service.d/override.conf -[Unit] -After=sysroot-run.mount -Requires=sysroot-run.mount - -[Service] -ExecStart=systemd-repart --dry-run=no --generate-crypttab=/run/crypttab --generate-fstab=/run/fstab -EOF - # bind mount /run to /sysroot/run cat <<EOF > ./usr/lib/systemd/system/sysroot-run.mount [Unit] @@ -44,6 +33,19 @@ EOF mkdir ./usr/lib/systemd/system/initrd-fs.target.requires/ ln -sf ../sysroot-run.mount ./usr/lib/systemd/system/initrd-fs.target.requires/sysroot-run.mount +# repart: generate crypttab and fstab under /run +mkdir ./usr/lib/systemd/system/systemd-repart.service.d +cat <<EOF > ./usr/lib/systemd/system/systemd-repart.service.d/override.conf +[Unit] +After=sysroot-run.mount +Requires=sysroot-run.mount + +[Service] +Environment=SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard +ExecStart= +ExecStart=systemd-repart --dry-run=no --generate-crypttab=/run/crypttab --generate-fstab=/run/fstab +EOF + # gen initrd find . -print0 | cpio --null --owner=root:root -o --format=newc | xz -9 --check=crc32 > ../initrd.xz diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh index aedcf6a..8fdda39 100644 --- a/pkgs/rootfs/mkrootfs.sh +++ b/pkgs/rootfs/mkrootfs.sh @@ -46,6 +46,7 @@ ExecStart= ExecStart=-/sbin/getty -L %I 115200 vt100 EOF +# Configure systemd-repart cat <<EOF > $out/etc/repart.d/10-esp.conf [Partition] Type=esp 
@@ -73,7 +74,7 @@ SplitName=- EOF # as rootfs is read-only we need to configure the fstab and cryptsetup generators to look -# for config under /run (which are generated by systemd-repart) +# for config under /run (which are generated by systemd-repart in initrd) rm -f $out/etc/systemd/system.conf cat <<EOF > $out/etc/systemd/system.conf [Manager] @@ -81,6 +82,7 @@ DefaultEnvironment=PATH=/bin:/sbin:/usr/bin ManagerEnvironment=PATH=/bin:/sbin:/usr/bin SYSTEMD_CRYPTTAB=/run/crypttab SYSTEMD_SYSROOT_FSTAB=/run/fstab SYSTEMD_FSTAB=/run/fstab EOF +# Overlay mount for /etc which makes it read-write in runtime cat <<EOF > $out/usr/lib/systemd/system/etc.mount [Unit] Description=Overlay mount for /etc From 8e61f85f725985a7f5ef278a51fc9d6c0989f340 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Tue, 4 Mar 2025 15:31:03 +0100 Subject: [PATCH 31/78] chore: clean up var-repart config --- pkgs/rootfs/mkrootfs.sh | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh index 8fdda39..31fc347 100644 --- a/pkgs/rootfs/mkrootfs.sh +++ b/pkgs/rootfs/mkrootfs.sh @@ -61,16 +61,14 @@ EOF cat <<EOF > $out/etc/repart.d/40-var.conf [Partition] Type=var -UUID=4d21b016-b534-45c2-a9fb-5c16e091fd2d Format=btrfs +MountPoint=/var Label=patos-state -Minimize=off Encrypt=tpm2 EncryptedVolume=patos-state:none:tpm2-device=auto,luks,discard -MountPoint=/var -FactoryReset=yes SizeMinBytes=1G -SplitName=- +Minimize=off +FactoryReset=yes EOF # as rootfs is read-only we need to configure the fstab and cryptsetup generators to look From 12bacf271db414e1f94de8e9dcda8b497df3f9dc Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Tue, 4 Mar 2025 21:47:19 +0100 Subject: [PATCH 32/78] feat: generate passwd/group with systemd-sysusers --- flake.nix | 1 + pkgs/busybox/clang-cross.patch | 37 ++++++ pkgs/busybox/default.nix | 219 +++++++++++++++++++++++++++++++++ pkgs/rootfs/default.nix | 2 +- pkgs/rootfs/mkrootfs.sh | 65 +--------- 5 files changed, 262 insertions(+), 62 deletions(-) create mode 100644 pkgs/busybox/clang-cross.patch create mode 100644 pkgs/busybox/default.nix diff --git a/flake.nix b/flake.nix index 5c76b2f..97a1f97 100644 --- a/flake.nix +++ b/flake.nix @@ -36,6 +36,7 @@ }; kernel = pkgs.callPackage ./pkgs/kernel { }; glibc = pkgs.callPackage ./pkgs/glibc { }; + busybox = pkgs.callPackage ./pkgs/busybox { }; kexec = pkgs.callPackage ./pkgs/kexec-tools { }; lvm2 = pkgs.callPackage ./pkgs/lvm2 { }; tpm2-tools = pkgs.callPackage ./pkgs/tpm2-tools { inherit patosPkgs; }; diff --git a/pkgs/busybox/clang-cross.patch b/pkgs/busybox/clang-cross.patch new file mode 100644 index 0000000..b2d696b --- /dev/null +++ b/pkgs/busybox/clang-cross.patch 
@@ -0,0 +1,37 @@ +diff --git a/Makefile b/Makefile +index 6fedcffba..3385836c4 100644 +--- a/Makefile ++++ b/Makefile +@@ -271,8 +271,8 @@ export quiet Q KBUILD_VERBOSE + # Look for make include files relative to root of kernel src + MAKEFLAGS += --include-dir=$(srctree) + +-HOSTCC = gcc +-HOSTCXX = g++ ++HOSTCC = cc ++HOSTCXX = c++ + HOSTCFLAGS := + HOSTCXXFLAGS := + # We need some generic definitions +@@ -289,7 +289,7 @@ MAKEFLAGS += -rR + # Make variables (CC, etc...) + + AS = $(CROSS_COMPILE)as +-CC = $(CROSS_COMPILE)gcc ++CC = $(CROSS_COMPILE)cc + LD = $(CC) -nostdlib + CPP = $(CC) -E + AR = $(CROSS_COMPILE)ar +diff --git a/scripts/Makefile.IMA b/scripts/Makefile.IMA +index f155108d7..185257064 100644 +--- a/scripts/Makefile.IMA ++++ b/scripts/Makefile.IMA +@@ -39,7 +39,7 @@ ifndef HOSTCC + HOSTCC = cc + endif + AS = $(CROSS_COMPILE)as +-CC = $(CROSS_COMPILE)gcc ++CC = $(CROSS_COMPILE)cc + LD = $(CC) -nostdlib + CPP = $(CC) -E + AR = $(CROSS_COMPILE)ar diff --git a/pkgs/busybox/default.nix b/pkgs/busybox/default.nix new file mode 100644 index 0000000..571d0cf --- /dev/null +++ b/pkgs/busybox/default.nix 
@@ -0,0 +1,219 @@ +{ + stdenv, + lib, + buildPackages, + fetchurl, + fetchpatch, + fetchFromGitLab, + enableStatic ? stdenv.hostPlatform.isStatic, + enableMinimal ? false, + enableAppletSymlinks ? true, + # Allow forcing musl without switching stdenv itself, e.g. for our bootstrapping: + # nix build -f pkgs/top-level/release.nix stdenvBootstrapTools.x86_64-linux.dist + useMusl ? stdenv.hostPlatform.libc == "musl", + musl, + extraConfig ? "", +}: + +assert stdenv.hostPlatform.libc == "musl" -> useMusl; + +let + configParser = '' + function parseconfig { + while read LINE; do + NAME=`echo "$LINE" | cut -d \ -f 1` + OPTION=`echo "$LINE" | cut -d \ -f 2` + + if ! [[ "$NAME" =~ ^CONFIG_ ]]; then continue; fi + + echo "parseconfig: removing $NAME" + sed -i /$NAME'\(=\| \)'/d .config + + echo "parseconfig: setting $NAME=$OPTION" + echo "$NAME=$OPTION" >> .config + done + } + ''; + + libcConfig = lib.optionalString useMusl '' + CONFIG_FEATURE_UTMP n + CONFIG_FEATURE_WTMP n + ''; + + # The debian version lags behind the upstream version and also contains + # a debian-specific suffix. We only fetch the debian repository to get the + # default.script + debianVersion = "1.30.1-6"; + debianSource = fetchFromGitLab { + domain = "salsa.debian.org"; + owner = "installer-team"; + repo = "busybox"; + rev = "debian/1%${debianVersion}"; + sha256 = "sha256-6r0RXtmqGXtJbvLSD1Ma1xpqR8oXL2bBKaUE/cSENL8="; + }; + debianDispatcherScript = "${debianSource}/debian/tree/udhcpc/etc/udhcpc/default.script"; + outDispatchPath = "$out/default.script"; +in + +stdenv.mkDerivation rec { + pname = "busybox"; + version = "1.36.1"; + + # Note to whoever is updating busybox: please verify that: + # nix-build pkgs/stdenv/linux/make-bootstrap-tools.nix -A test + # still builds after the update. 
+ src = fetchurl { + url = "https://busybox.net/downloads/${pname}-${version}.tar.bz2"; + sha256 = "sha256-uMwkyVdNgJ5yecO+NJeVxdXOtv3xnKcJ+AzeUOR94xQ="; + }; + + hardeningDisable = [ + "format" + "pie" + ] ++ lib.optionals enableStatic [ "fortify" ]; + + patches = [ + (fetchurl { + name = "CVE-2022-28391.patch"; + url = "https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch?id=ed92963eb55bbc8d938097b9ccb3e221a94653f4"; + sha256 = "sha256-yviw1GV+t9tbHbY7YNxEqPi7xEreiXVqbeRyf8c6Awo="; + }) + (fetchurl { + name = "CVE-2022-28391.patch"; + url = "https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch?id=ed92963eb55bbc8d938097b9ccb3e221a94653f4"; + sha256 = "sha256-vl1wPbsHtXY9naajjnTicQ7Uj3N+EQ8pRNnrdsiow+w="; + }) + (fetchpatch { + name = "CVE-2022-48174.patch"; # https://bugs.busybox.net/show_bug.cgi?id=15216 + url = "https://git.busybox.net/busybox/patch/?id=d417193cf37ca1005830d7e16f5fa7e1d8a44209"; + hash = "sha256-mpDEwYncpU6X6tmtj9xM2KCrB/v2ys5bYxmPPrhm6es="; + }) + (fetchpatch { + name = "CVE-2023-42366.patch"; # https://bugs.busybox.net/show_bug.cgi?id=15874 + # This patch is also used by Alpine, see https://git.alpinelinux.org/aports/tree/main/busybox/0037-awk.c-fix-CVE-2023-42366-bug-15874.patch + url = "https://bugs.busybox.net/attachment.cgi?id=9697"; + hash = "sha256-2eYfLZLjStea9apKXogff6sCAdG9yHx0ZsgUBaGfQIA="; + }) + (fetchpatch { + name = "CVE-2023-42363.patch"; # https://bugs.busybox.net/show_bug.cgi?id=15865 + url = "https://git.launchpad.net/ubuntu/+source/busybox/plain/debian/patches/CVE-2023-42363.patch?id=c9d8a323b337d58e302717d41796aa0242963d5a"; + hash = "sha256-1W9Q8+yFkYQKzNTrvndie8QuaEbyAFL1ZASG2fPF+Z4="; + }) + (fetchpatch { + name = "CVE-2023-42364_CVE-2023-42365.patch"; # https://bugs.busybox.net/show_bug.cgi?id=15871 https://bugs.busybox.net/show_bug.cgi?id=15868 + url = 
"https://git.alpinelinux.org/aports/plain/main/busybox/CVE-2023-42364-CVE-2023-42365.patch?id=8a4bf5971168bf48201c05afda7bee0fbb188e13"; + hash = "sha256-nQPgT9eA1asCo38Z9X7LR9My0+Vz5YBPba3ARV3fWcc="; + }) + ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) ./clang-cross.patch; + + separateDebugInfo = true; + + # postPatch = "patchShebangs ."; + + configurePhase = '' + export KCONFIG_NOTIMESTAMP=1 + make ${if enableMinimal then "allnoconfig" else "defconfig"} + + ${configParser} + + cat << EOF | parseconfig + + CONFIG_PREFIX "$out" + CONFIG_INSTALL_NO_USR y + + CONFIG_LFS y + + # More features for modprobe. + ${lib.optionalString (!enableMinimal) '' + CONFIG_FEATURE_MODPROBE_BLACKLIST y + CONFIG_FEATURE_MODUTILS_ALIAS y + CONFIG_FEATURE_MODUTILS_SYMBOLS y + CONFIG_MODPROBE_SMALL n + ''} + + ${lib.optionalString enableStatic '' + CONFIG_STATIC y + ''} + + ${lib.optionalString (!enableAppletSymlinks) '' + CONFIG_INSTALL_APPLET_DONT y + CONFIG_INSTALL_APPLET_SYMLINKS n + ''} + + # Use the external mount.cifs program. + CONFIG_FEATURE_MOUNT_CIFS n + CONFIG_FEATURE_MOUNT_HELPERS y + + # BB_SHADOW + FEATURE_SHADOWPASSWDS y + CONFIG_USE_BB_PWD_GRP y + CONFIG_USE_BB_SHADOW y + CONFIG_USE_BB_CRYPT y + USE_BB_CRYPT_SHA y + CONFIG_FEATURE_DEFAULT_PASSWD_ALGO "sha512" + + # Set paths for console fonts. + CONFIG_DEFAULT_SETFONT_DIR "/etc/kbd" + + # Bump from 4KB, much faster I/O + CONFIG_FEATURE_COPYBUF_KB 64 + + # Doesn't build with current kernel headers. 
+ # https://bugs.busybox.net/show_bug.cgi?id=15934 + CONFIG_TC n + + # Set the path for the udhcpc script + CONFIG_UDHCPC_DEFAULT_SCRIPT "${outDispatchPath}" + + ${extraConfig} + CONFIG_CROSS_COMPILER_PREFIX "${stdenv.cc.targetPrefix}" + ${libcConfig} + EOF + + make oldconfig + + runHook postConfigure + ''; + + postConfigure = lib.optionalString (useMusl && stdenv.hostPlatform.libc != "musl") '' + makeFlagsArray+=("CC=${stdenv.cc.targetPrefix}cc -isystem ${musl.dev}/include -B${musl}/lib -L${musl}/lib") + ''; + + makeFlags = [ "SKIP_STRIP=y" ]; + + postInstall = '' + sed -e ' + 1 a busybox() { '$out'/bin/busybox "$@"; }\ + logger() { '$out'/bin/logger "$@"; }\ + ' ${debianDispatcherScript} > ${outDispatchPath} + chmod 555 ${outDispatchPath} + HOST_PATH=$out/bin patchShebangs --host ${outDispatchPath} + ''; + + strictDeps = true; + + depsBuildBuild = [ buildPackages.stdenv.cc ]; + + buildInputs = lib.optionals (enableStatic && !useMusl && stdenv.cc.libc ? static) [ + stdenv.cc.libc + stdenv.cc.libc.static + ]; + + enableParallelBuilding = true; + + doCheck = false; # tries to access the net + + passthru.shellPath = "/bin/ash"; + + meta = with lib; { + description = "Tiny versions of common UNIX utilities in a single small executable"; + homepage = "https://busybox.net/"; + license = licenses.gpl2Only; + maintainers = with maintainers; [ + TethysSvensson + qyliss + ]; + platforms = platforms.linux; + priority = 15; # below systemd (halt, init, poweroff, reboot) and coreutils + }; +} diff --git a/pkgs/rootfs/default.nix b/pkgs/rootfs/default.nix index 20fe642..dd0e2a7 100644 --- a/pkgs/rootfs/default.nix +++ b/pkgs/rootfs/default.nix @@ -21,7 +21,7 @@ stdenvNoCC.mkDerivation (finalAttrs: { systemd = patosPkgs.systemd.out; dbusBroker = patosPkgs.dbus-broker.out; kernel = patosPkgs.kernel.kernel; - busybox = pkgs.busybox.out; + busybox = patosPkgs.busybox.out; kmodLibs = pkgs.kmod.lib; kmodBin = pkgs.kmod.out; libbpf = pkgs.libbpf.out; 
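Review bot: In the configurePhase heredoc, `FEATURE_SHADOWPASSWDS y` and `USE_BB_CRYPT_SHA y` lack the `CONFIG_` prefix, and `parseconfig` skips any name that does not match `^CONFIG_`, so those two lines are never applied and the effective values come from `defconfig` instead; write them as `CONFIG_FEATURE_SHADOWPASSWDS y` and `CONFIG_USE_BB_CRYPT_SHA y` (or drop them) so the shadow/SHA-crypt settings of the login path are actually pinned. `hardeningDisable = [ "format" "pie" ]` is inherited from nixpkgs, where it serves the static bootstrap build; in this image busybox provides `/bin/sh`, getty and login, so a non-PIE binary gives up ASLR for exactly the programs facing the console, and the exemption deserves either a justification comment or removal. The two `fetchurl` patches both named `CVE-2022-28391.patch` are distinct files; distinct names (`CVE-2022-28391-1.patch` / `CVE-2022-28391-2.patch`) avoid confusion in store paths and build logs.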
diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh
index 31fc347..d86ae78 100644
--- a/pkgs/rootfs/mkrootfs.sh
+++ b/pkgs/rootfs/mkrootfs.sh
@@ -139,67 +139,10 @@ cp -P $libbpf/lib/libbpf* $out/usr/lib # remove pkgconfig rm -rf $out/usr/lib/pkgconfig -cat <<EOF > $out/etc/passwd -root::0:0:root:/root:/bin/sh -bin:x:1:1:bin:/bin:/usr/bin/nologin -daemon:x:2:2:daemon:/:/usr/bin/nologin -mail:x:8:12:mail:/var/spool/mail:/usr/bin/nologin -ftp:x:14:11:ftp:/srv/ftp:/usr/bin/nologin -http:x:33:33:http:/srv/http:/usr/bin/nologin -uuidd:x:68:68:uuidd:/:/usr/bin/nologin -messagebus:x:81:81:messagebus:/:/usr/bin/nologin -nobody:x:99:99:nobody:/:/usr/bin/nologin -systemd-coredump:x:151:992::/var/empty:/usr/bin/nologin -systemd-network:x:152:152::/var/empty:/usr/bin/nologin -systemd-resolve:x:153:153::/var/empty:/usr/bin/nologin -systemd-timesync:x:154:154::/var/empty:/usr/bin/nologin -EOF -chmod 644 $out/etc/passwd - -cat <<EOF > $out/etc/group -root:x:0:root -bin:x:1:root,bin,daemon -daemon:x:2:root,bin,daemon -sys:x:3:root,bin -adm:x:4:root,daemon -tty:x:5: -disk:x:6:root -lp:x:7:daemon -mem:x:8: -kmem:x:9: -wheel:x:10:root -ftp:x:11: -mail:x:12: -uucp:x:14: -log:x:19:root -utmp:x:20: -locate:x:21: -rfkill:x:24: -smmsp:x:25: -proc:x:26: -http:x:33: -games:x:50: -lock:x:54: -uuidd:x:68: -messagebus:x:81: -systemd-journal:x:62: -systemd-network:x:152: -systemd-resolve:x:153: -systemd-timesync:x:154: -systemd-oom:x:991: -systemd-coredump:x:992: -network:x:90: -video:x:91: -audio:x:92: -optical:x:93: -floppy:x:94: -storage:x:95: -scanner:x:96: -input:x:97: -power:x:98: -nobody:x:99: -EOF -chmod 644 $out/etc/group +### install sys users (default password is patos) +mkdir creds +echo -n patos > creds/passwd.plaintext-password.root +CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' $systemd/usr/bin/systemd-sysusers --root=$out $out/usr/lib/sysusers.d/*.conf ### Find and install all shared libs find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | grep -v systemd | grep -v glibc | grep -v tpm2 | grep -v devmapper | sort -u | xargs -I {} cp {} $out/usr/lib/ 
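Review bot: The plaintext credential written to `creds/passwd.plaintext-password.root` is never removed after `systemd-sysusers` has consumed it, so it stays in the build directory for as long as that directory exists; add `rm -rf creds` directly after the sysusers call. The literal `patos` is now the only definition of the initial root password, which makes it easy to overlook when hardening a release build, so a comment pointing to where it can be changed would help. The removed hand-written `passwd` had an empty password field for root, so generating a hashed entry through sysusers is an improvement, but the resulting `$out/etc/shadow` gets no explicit mode in this hunk and should be `chmod 600`. `$out/usr/lib/sysusers.d/*.conf` is also expanded without nullglob, so an empty directory hands the literal pattern to sysusers.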
From 879f74befab0a2517b0d9586636967cf84b3cab6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 5 Mar 2025 08:24:54 +0100 Subject: [PATCH 33/78] chore: remove unused logind and sysuser for dbus svc --- pkgs/dbus-broker/default.nix | 3 +++ pkgs/image/mkimage.sh | 7 +++++++ pkgs/rootfs/mkrootfs.sh | 5 ----- pkgs/systemd/default.nix | 2 +- 4 files changed, 11 insertions(+), 6 deletions(-) diff --git a/pkgs/dbus-broker/default.nix b/pkgs/dbus-broker/default.nix index 156c490..809f3ce 100644 --- a/pkgs/dbus-broker/default.nix +++ b/pkgs/dbus-broker/default.nix @@ -154,6 +154,9 @@ stdenv.mkDerivation (finalAttrs: { find $out/usr/share/ -type d -exec chmod 755 {} \; sed -i 's#/nix/store.*/share#/usr/share#' $out/usr/share/xml/dbus-1/catalog.xml sed -i 's#/nix/store.*/libexec#/usr/bin#' $out/usr/share/dbus-1/system.conf + + mkdir -p $out/usr/lib/sysusers.d/ + echo 'u! messagebus - "DBus broker"' > $out/usr/lib/sysusers.d/dbus-broker.conf ''; doCheck = false; diff --git a/pkgs/image/mkimage.sh b/pkgs/image/mkimage.sh index 0c6fad0..b104525 100644 --- a/pkgs/image/mkimage.sh +++ b/pkgs/image/mkimage.sh @@ -26,6 +26,13 @@ ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.tar # enable default network config mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/systemd/network/89-ethernet.network +### install sys users (default password is patos) +mkdir creds +echo -n patos > creds/passwd.plaintext-password.root +CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' $systemd/usr/bin/systemd-sysusers --root=rootfs rootfs/usr/lib/sysusers.d/*.conf +chmod 600 rootfs/etc/shadow +cat rootfs/etc/shadow + # generate a temporary machine id (replace with overlay later) $systemd/usr/bin/systemd-machine-id-setup --root=rootfs/ diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh index d86ae78..62bfe56 100644 --- a/pkgs/rootfs/mkrootfs.sh +++ b/pkgs/rootfs/mkrootfs.sh 
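Review bot: `cat rootfs/etc/shadow` in the mkimage.sh hunk prints the freshly generated root password hash into the build log, which the build tool retains and a CI runner may expose to anyone who can read job output; drop the line, or reduce it to a sanity check that reveals no hashes, such as `cut -d: -f1 rootfs/etc/shadow`. The `chmod 600 rootfs/etc/shadow` just before it is correct and should stay. The `creds` directory with the plaintext password is still not removed after `systemd-sysusers` runs, so `rm -rf creds` belongs right after that call.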
@@ -139,11 +139,6 @@ cp -P $libbpf/lib/libbpf* $out/usr/lib # remove pkgconfig rm -rf $out/usr/lib/pkgconfig -### install sys users (default password is patos) -mkdir creds -echo -n patos > creds/passwd.plaintext-password.root -CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' $systemd/usr/bin/systemd-sysusers --root=$out $out/usr/lib/sysusers.d/*.conf - ### Find and install all shared libs find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | grep -v systemd | grep -v glibc | grep -v tpm2 | grep -v devmapper | sort -u | xargs -I {} cp {} $out/usr/lib/ find $out -type f -executable -exec chmod 755 {} \; diff --git a/pkgs/systemd/default.nix b/pkgs/systemd/default.nix index 6f5c6c9..db53c60 100644 --- a/pkgs/systemd/default.nix +++ b/pkgs/systemd/default.nix @@ -287,7 +287,7 @@ stdenv.mkDerivation (finalAttrs: { (lib.mesonEnable "man" false) (lib.mesonBool "analyze" true) - (lib.mesonBool "logind" true) + (lib.mesonBool "logind" false) (lib.mesonBool "localed" false) (lib.mesonBool "hostnamed" true) (lib.mesonBool "machined" true) From 0a129b548927958925fe7f4aec962874c2ec573f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 5 Mar 2025 08:45:34 +0100 Subject: [PATCH 34/78] chore: clean up --- pkgs/image/default.nix | 2 ++ pkgs/image/mkimage.sh | 20 +++++++++++++++++--- pkgs/rootfs/mkrootfs.sh | 23 +++-------------------- 3 files changed, 22 insertions(+), 23 deletions(-) diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix index c8b7749..ba783f7 100644 --- a/pkgs/image/default.nix +++ b/pkgs/image/default.nix @@ -7,10 +7,12 @@ }: let pname = "patos-image"; + defaultPassword = "patos"; in stdenvNoCC.mkDerivation (finalAttrs: { inherit version; inherit pname; + inherit defaultPassword; buildInputs = with pkgs; [ erofs-utils diff --git a/pkgs/image/mkimage.sh b/pkgs/image/mkimage.sh index b104525..d4975ab 100644 --- a/pkgs/image/mkimage.sh +++ b/pkgs/image/mkimage.sh 
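Review bot: `defaultPassword = "patos"` in pkgs/image/default.nix is still a literal compiled into every image, and `inherit defaultPassword` also places it in the derivation environment; turning it into a function argument with a default in the argument set above this hunk, `defaultPassword ? "patos",`, lets a deployment override it through `callPackage` without editing the file. A short comment on the binding, `# initial root password consumed by systemd-sysusers in mkimage.sh`, tells the reader where the value ends up. Whether a hashed credential could be passed instead of plaintext depends on how mkimage.sh feeds sysusers, which is outside this hunk.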
@@ -12,7 +12,21 @@ find rootfs/ -type d -exec chmod 755 {} \; # set default target to multi-user ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target -# mount /etc overlay +# Overlay mount for /etc which makes it read-write in runtime +cat <<EOF > rootfs/usr/lib/systemd/system/etc.mount +[Unit] +Description=Overlay mount for /etc +Before=local-fs.target + +[Mount] +What=overlay +Where=/etc +Type=overlay +Options=lowerdir=/etc,upperdir=/run/.rw-etc/upper,workdir=/run/.rw-etc/work + +[Install] +WantedBy=local-fs.target +EOF ln -sf ../etc.mount rootfs/usr/lib/systemd/system/local-fs.target.wants/etc.mount # enable dbus @@ -26,9 +40,9 @@ ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.tar # enable default network config mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/systemd/network/89-ethernet.network -### install sys users (default password is patos) +# install sys users mkdir creds -echo -n patos > creds/passwd.plaintext-password.root +echo -n $defaultPassword > creds/passwd.plaintext-password.root CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' $systemd/usr/bin/systemd-sysusers --root=rootfs rootfs/usr/lib/sysusers.d/*.conf chmod 600 rootfs/etc/shadow cat rootfs/etc/shadow diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh index 62bfe56..110b1e4 100644 --- a/pkgs/rootfs/mkrootfs.sh +++ b/pkgs/rootfs/mkrootfs.sh 
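Review bot: The `etc.mount` unit written in the first hunk references `upperdir=/run/.rw-etc/upper` and `workdir=/run/.rw-etc/work`, but nothing in the hunk creates those directories, and the overlay mount fails if they do not exist on the tmpfs at boot. A tmpfiles.d entry alone is likely too late, since `systemd-tmpfiles-setup.service` is, as far as I recall, ordered after `local-fs.target` while this unit is `Before=local-fs.target`; a small oneshot unit ordered `Before=etc.mount` and pulled in with `Requires=` that runs `mkdir -p /run/.rw-etc/upper /run/.rw-etc/work` is the usual shape. Because the upper layer lives under `/run`, every change to `/etc` is discarded on reboot, which the unit's `Description=` should state so nobody relies on it for persistent configuration.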
@@ -80,22 +80,6 @@ DefaultEnvironment=PATH=/bin:/sbin:/usr/bin ManagerEnvironment=PATH=/bin:/sbin:/usr/bin SYSTEMD_CRYPTTAB=/run/crypttab SYSTEMD_SYSROOT_FSTAB=/run/fstab SYSTEMD_FSTAB=/run/fstab EOF -# Overlay mount for /etc which makes it read-write in runtime -cat <<EOF > $out/usr/lib/systemd/system/etc.mount -[Unit] -Description=Overlay mount for /etc -Before=local-fs.target - -[Mount] -What=overlay -Where=/etc -Type=overlay -Options=lowerdir=/etc,upperdir=/run/.rw-etc/upper,workdir=/run/.rw-etc/work - -[Install] -WantedBy=local-fs.target -EOF - ### install PatOS glibc cp -P $glibcPatos/lib/*.so* $out/usr/lib/ @@ -123,12 +107,11 @@ cp -Pr ${btrfs}/bin/* $out/usr/bin/ cp -Pr ${btrfs}/lib/* $out/usr/lib/ ### install tpm2 tools -cp -P ${tpm2Tools}/bin/* $out/usr/bin/ +# For TPM debugging +# cp -P ${tpm2Tools}/bin/* $out/usr/bin/ +# cp -P $cryptsetup/bin/* $out/usr/bin/ cp -P ${tpm2Libs}/lib/*.so* $out/usr/lib/ -### install cryptsetup tools -cp -P $cryptsetup/bin/* $out/usr/bin/ - ### install lib kmod cp -P $kmodLibs/lib/* $out/usr/lib cp -P $kmodBin/bin/* $out/usr/bin From be4efca9a55ce89447c9e75bb134be5b37899637 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 5 Mar 2025 09:46:28 +0100 Subject: [PATCH 35/78] chore: temporary generate machine-id on boot until we have a confext --- pkgs/image/mkimage.sh | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/pkgs/image/mkimage.sh b/pkgs/image/mkimage.sh index d4975ab..52a3b60 100644 --- a/pkgs/image/mkimage.sh +++ b/pkgs/image/mkimage.sh 
@@ -40,15 +40,23 @@ ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.tar # enable default network config mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/systemd/network/89-ethernet.network +# FIXME: remove this! machine id should be setup by a confext instead? +mkdir rootfs/usr/lib/systemd/system/systemd-machine-id-commit.service.d +cat <<EOF > rootfs/usr/lib/systemd/system/systemd-machine-id-commit.service.d/override.conf +[Unit] +After=local-fs.target sysroot-etc.mount +ConditionPathIsMountPoint= +[Service] +ExecStart= +ExecStart=systemd-machine-id-setup +EOF + # install sys users mkdir creds echo -n $defaultPassword > creds/passwd.plaintext-password.root CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' $systemd/usr/bin/systemd-sysusers --root=rootfs rootfs/usr/lib/sysusers.d/*.conf chmod 600 rootfs/etc/shadow -cat rootfs/etc/shadow - -# generate a temporary machine id (replace with overlay later) -$systemd/usr/bin/systemd-machine-id-setup --root=rootfs/ +rm -rf creds $systemd/usr/bin/ukify build \ --linux $kernel/bzImage \ From 18c8e76850d44c5218f24427b1a0c18ceb56079b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 5 Mar 2025 10:08:12 +0100 Subject: [PATCH 36/78] revert to static machine id for now --- pkgs/image/mkimage.sh | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/pkgs/image/mkimage.sh b/pkgs/image/mkimage.sh index 52a3b60..ad7d57d 100644 --- a/pkgs/image/mkimage.sh +++ b/pkgs/image/mkimage.sh 
@@ -40,16 +40,8 @@ ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.tar # enable default network config mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/systemd/network/89-ethernet.network -# FIXME: remove this! machine id should be setup by a confext instead? -mkdir rootfs/usr/lib/systemd/system/systemd-machine-id-commit.service.d -cat <<EOF > rootfs/usr/lib/systemd/system/systemd-machine-id-commit.service.d/override.conf -[Unit] -After=local-fs.target sysroot-etc.mount -ConditionPathIsMountPoint= -[Service] -ExecStart= -ExecStart=systemd-machine-id-setup -EOF +#FIXME: generate a temporary machine id (replace with overlay/confext later?) +$systemd/usr/bin/systemd-machine-id-setup --root=rootfs/ # install sys users mkdir creds From 62dd1ca5bfcee730f0e8738513cdf89bb8790ab6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 5 Mar 2025 16:24:34 +0100 Subject: [PATCH 37/78] feat: enable conf/sys ext services and make /etc read-only without overlay --- pkgs/image/mkimage.sh | 22 +++------------------- pkgs/kernel/generic.config | 3 ++- pkgs/rootfs/default.nix | 4 +++- pkgs/rootfs/mkrootfs.sh | 21 ++++++++++++++++++--- 4 files changed, 26 insertions(+), 24 deletions(-) diff --git a/pkgs/image/mkimage.sh b/pkgs/image/mkimage.sh index ad7d57d..c08f0d8 100644 --- a/pkgs/image/mkimage.sh +++ b/pkgs/image/mkimage.sh 
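Review bot: Running `systemd-machine-id-setup --root=rootfs/` at image build time bakes one machine-id into every instance built from this image, so all deployments share it; networkd derives its default DHCP DUID from the machine-id and journald keys entries on it, so the duplicates are visible on the network and in collected logs. The FIXME already marks this as temporary, but a middle ground that needs no confext is to leave `/etc/machine-id` empty so systemd generates a transient id at boot, which is what a later mkrootfs.sh change in this series attempts with a symlink to `/run/machine-id`. If the static id stays, the comment should say plainly that images built here are not unique.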
@@ -12,23 +12,6 @@ find rootfs/ -type d -exec chmod 755 {} \; # set default target to multi-user ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target -# Overlay mount for /etc which makes it read-write in runtime -cat <<EOF > rootfs/usr/lib/systemd/system/etc.mount -[Unit] -Description=Overlay mount for /etc -Before=local-fs.target - -[Mount] -What=overlay -Where=/etc -Type=overlay -Options=lowerdir=/etc,upperdir=/run/.rw-etc/upper,workdir=/run/.rw-etc/work - -[Install] -WantedBy=local-fs.target -EOF -ln -sf ../etc.mount rootfs/usr/lib/systemd/system/local-fs.target.wants/etc.mount - # enable dbus ln -sf ../dbus.service rootfs/usr/lib/systemd/system/multi-user.target.wants/dbus.service ln -sf ../dbus.socket rootfs/usr/lib/systemd/system/sockets.target.wants/dbus.socket @@ -40,8 +23,9 @@ ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.tar # enable default network config mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/systemd/network/89-ethernet.network -#FIXME: generate a temporary machine id (replace with overlay/confext later?) -$systemd/usr/bin/systemd-machine-id-setup --root=rootfs/ +# enable confext/sysext services +ln -sf ../systemd-confext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-confext.service +ln -sf ../systemd-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-sysext.service # install sys users mkdir creds diff --git a/pkgs/kernel/generic.config b/pkgs/kernel/generic.config index 0220e23..209e026 100644 --- a/pkgs/kernel/generic.config +++ b/pkgs/kernel/generic.config @@ -591,7 +591,8 @@ CONFIG_DM_SWITCH=m CONFIG_DM_THIN_PROVISIONING=m CONFIG_DM_UNSTRIPED=m CONFIG_DM_VDO=m -CONFIG_DM_VERITY=m +CONFIG_DM_VERITY=y +CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y CONFIG_DM_WRITECACHE=m CONFIG_DM_ZERO=y CONFIG_DM_ZONED=m diff --git a/pkgs/rootfs/default.nix b/pkgs/rootfs/default.nix index dd0e2a7..5ac9c6a 100644 --- a/pkgs/rootfs/default.nix 
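Review bot: Enabling `systemd-sysext.service` and `systemd-confext.service` in the second mkimage.sh hunk means extension images found under the writable state partition are merged into `/usr` and `/etc` at boot, so whatever can write to `/var` can add code to the otherwise verity-protected root; consider an image policy that only admits images whose verity root hash is signed, and document that decision next to the two `ln -sf` lines. The first hunk removes the `/etc` overlay, which matches the commit title, but a comment stating that `/etc` is now read-only and that runtime configuration is expected to arrive via confext would save the next reader from looking for the overlay.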
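Review bot: `CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y` only lets the kernel verify a root hash signature when one is supplied; by itself it neither requires a signature nor trusts any key, so an attacker able to alter the kernel command line could still supply an arbitrary `roothash=`. Completing the chain needs a signing certificate in the kernel's trusted keyring (for example through `CONFIG_SYSTEM_TRUSTED_KEYS`), `dm_verity.require_signatures=1` on the command line once every verity volume ships a signature, and the signature itself, which the later mkimage.sh change in this series still lists as a TODO. As long as the command line is embedded only in a signed UKI the `roothash=` value is protected by Secure Boot, and a comment beside this option should state that this is the current assumption.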
+++ b/pkgs/rootfs/default.nix @@ -27,10 +27,12 @@ stdenvNoCC.mkDerivation (finalAttrs: { libbpf = pkgs.libbpf.out; btrfs = pkgs.btrfs-progs.out; tpm2Libs = patosPkgs.tpm2-tss.out; - tpm2Tools = patosPkgs.tpm2-tools.out; kexec = patosPkgs.kexec.out; lvm2 = patosPkgs.lvm2.out; + # FIXME: remove later: + tpm2Tools = patosPkgs.tpm2-tools.out; cryptsetup = pkgs.cryptsetup.bin; + erofsUtils = pkgs.erofs-utils.out; builder = ./mkrootfs.sh; }) diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh index 110b1e4..78d14d3 100644 --- a/pkgs/rootfs/mkrootfs.sh +++ b/pkgs/rootfs/mkrootfs.sh @@ -29,8 +29,8 @@ IMAGE_ID=patos ID=patos IMAGE_VERSION=${version} VERSION=${version} -VERSION_ID={version} -BUILD_ID={version} +VERSION_ID=patos +BUILD_ID=somehash EOF cat <<EOF > $out/etc/issue @@ -106,6 +106,9 @@ cp -P ${lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/ cp -Pr ${btrfs}/bin/* $out/usr/bin/ cp -Pr ${btrfs}/lib/* $out/usr/lib/ +##FIXME(remove later): install mkfs.erofs bin +cp -P ${erofsUtils}/bin/mkfs.erofs $out/usr/bin/ + ### install tpm2 tools # For TPM debugging # cp -P ${tpm2Tools}/bin/* $out/usr/bin/ 
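Review bot: `BUILD_ID=somehash` in the os-release heredoc is a placeholder that ships in every image, and `VERSION_ID=patos` repeats the distribution id rather than a version. If `VERSION_ID` is deliberately pinned so that extension images carrying `VERSION_ID=patos` in their extension-release match regardless of image version, which the later make-sysext.nix in this series suggests, a comment saying so will stop the next reader from "fixing" it; `BUILD_ID` is optional and could be `BUILD_ID=${version}` or dropped. The rootfs/default.nix hunk re-adds `tpm2Tools` and `cryptsetup` under a FIXME, so their removal is at least tracked.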
@@ -119,11 +122,23 @@ cp -P $kmodBin/bin/* $out/usr/bin ### install libbpf cp -P $libbpf/lib/libbpf* $out/usr/lib +# setup default files +$systemd/usr/bin/systemd-hwdb --root=$out --usr update +$systemd/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf --create +cp $out/usr/share/factory/etc/nsswitch.conf $out/etc/ +cp $out/usr/share/factory/etc/locale.conf $out/etc/ +cp $out/usr/share/factory/etc/vconsole.conf $out/etc/ +#Ephemeral machine-id until registration +ln -sf /run/machine-id $out/etc/machine-id + + # remove pkgconfig rm -rf $out/usr/lib/pkgconfig ### Find and install all shared libs -find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | grep -v systemd | grep -v glibc | grep -v tpm2 | grep -v devmapper | sort -u | xargs -I {} cp {} $out/usr/lib/ +find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \ + grep -v util-linux-2 | grep -v systemd | grep -v glibc | grep -v tpm2 | grep -v devmapper | \ + sort -u | xargs -I {} cp {} $out/usr/lib/ find $out -type f -executable -exec chmod 755 {} \; # FIXME: ELF patching. Is there a better way? From 658b5af153d4d64369a3fcb4877598380cb8f4d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Thu, 6 Mar 2025 16:15:29 +0100 Subject: [PATCH 38/78] chore: even better erofs compression --- pkgs/image/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix index ba783f7..4da5187 100644 --- a/pkgs/image/default.nix +++ b/pkgs/image/default.nix @@ -24,7 +24,7 @@ stdenvNoCC.mkDerivation (finalAttrs: { env = { # vfat options won't efi won't find the fs otherwise. SYSTEMD_REPART_MKFS_OPTIONS_VFAT = "-S 512 -c"; - SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root"; # -zlz4hc,level=12 -Efragments,dedupe,ztailpacking"; + SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root"; # -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking"; }; systemd = patosPkgs.systemd.out; 
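Review bot: `ln -sf /run/machine-id $out/etc/machine-id` relies on PID 1 accepting a dangling symlink where its documented trigger for a transient id is an empty or missing `/etc/machine-id`; this should be confirmed with a boot test, and the comment could state which behaviour is expected. The library-copy pipeline takes field 3 of every `ldd` line, so a `=> not found` entry yields the word `not`, which `cp` then fails on; whether that stops the build depends on the `set -e`/`pipefail` settings at the top of this script, outside the hunk, so filtering with `grep -v 'not found'` before the cut, or failing explicitly on unresolved libraries, keeps the error readable. The `grep -v systemd`/`glibc`/`tpm2`/`devmapper` chain excludes by store path substring and deserves a comment naming why each is skipped.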
From d1e25bdddf5ea012ffa94e5fbc84151583cb9edd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Thu, 6 Mar 2025 16:26:13 +0100 Subject: [PATCH 39/78] chore: upgrade systemd to latest stable --- pkgs/systemd/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/systemd/default.nix b/pkgs/systemd/default.nix index db53c60..b22d243 100644 --- a/pkgs/systemd/default.nix +++ b/pkgs/systemd/default.nix @@ -7,7 +7,7 @@ ... }: let - version = "257.3"; + version = "257.4"; # Use the command below to update `releaseTimestamp` on every (major) version # change. More details in the commentary at mesonFlags. @@ -27,7 +27,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "systemd"; repo = "systemd"; rev = "v${version}"; - hash = "sha256-GvRn55grHWR6M+tA86RMzqinuXNpPZzRB4ApuGN/ZvU="; + hash = "sha256-6rxJUYRq785U6aik5VhQRqG+Ss67lBB6T3eQF+tkyhk="; }; dontCheckForBrokenSymlinks = true; From 3f443a9e9bd1c801d31d896b59dcd718e11a0ed1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Thu, 6 Mar 2025 17:17:53 +0100 Subject: [PATCH 40/78] chore: autologin as root for now --- pkgs/rootfs/mkrootfs.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh index 78d14d3..a9f16d9 100644 --- a/pkgs/rootfs/mkrootfs.sh +++ b/pkgs/rootfs/mkrootfs.sh @@ -38,13 +38,14 @@ cat <<EOF > $out/etc/issue EOF -# replace agetty with busybox getty +# replace agetty with busybox getty (optionally autologin) mkdir $out/usr/lib/systemd/system/serial-getty@.service.d cat <<EOF > $out/usr/lib/systemd/system/serial-getty@.service.d/override.conf [Service] ExecStart= -ExecStart=-/sbin/getty -L %I 115200 vt100 +ExecStart=-/bin/login -f root EOF +# ExecStart=-/sbin/getty -L %I 115200 vt100 # Configure systemd-repart cat <<EOF > $out/etc/repart.d/10-esp.conf From e907d0d3d35c08b4ba4353f1f3a788feddd2ad99 Mon Sep 17 00:00:00 2001 
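Review bot: `ExecStart=-/bin/login -f root` in the `serial-getty@.service` drop-in gives a passwordless root shell to anyone with a serial console, and because the drop-in is written into the rootfs derivation it cannot be disabled per deployment; the default root password configured in mkimage.sh is irrelevant on that path. Gate it on a build argument (for example a `debug` flag on the rootfs package) so release images keep `ExecStart=-/sbin/getty -L %I 115200 vt100`, and replace the commented-out getty line after the heredoc with a sentence explaining the switch rather than dead code. The commit message says "for now"; a FIXME beside the drop-in carries that intent to whoever builds from the script.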
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Fri, 7 Mar 2025 15:18:51 +0100 Subject: [PATCH 41/78] fix: rootfs now with verity and A/B prep --- pkgs/image/default.nix | 4 +- pkgs/image/mkimage.sh | 84 ++++++++++++++++++++++++++++++++++------- pkgs/rootfs/mkrootfs.sh | 29 +++++++++++++- 3 files changed, 100 insertions(+), 17 deletions(-) diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix index 4da5187..0fcaf3f 100644 --- a/pkgs/image/default.nix +++ b/pkgs/image/default.nix @@ -19,6 +19,7 @@ stdenvNoCC.mkDerivation (finalAttrs: { dosfstools mtools e2fsprogs + jq ]; env = { @@ -32,8 +33,7 @@ stdenvNoCC.mkDerivation (finalAttrs: { initrd = patosPkgs.initrd.out; rootfs = patosPkgs.rootfs.out; - #FIXME: use roothash instead of device. - kernelCmdLine = "root=/dev/sda2 console=ttyS0"; + kernelCmdLine = "console=ttyS0"; builder = ./mkimage.sh; }) diff --git a/pkgs/image/mkimage.sh b/pkgs/image/mkimage.sh index c08f0d8..78e55f8 100644 --- a/pkgs/image/mkimage.sh +++ b/pkgs/image/mkimage.sh @@ -1,6 +1,6 @@ set -ex -o pipefail -mkdir -p $out/repart.d $out/boot +mkdir -p $out/init.repart.d $out/final.repart.d $out/boot pushd $out # Don't seem to work just to create a symlink to rootfs derivation? 
@@ -34,46 +34,102 @@ CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' $systemd/usr/bin/sys chmod 600 rootfs/etc/shadow rm -rf creds +# Initial partitioning +cat <<EOF > init.repart.d/10-root.conf +[Partition] +Type=root +Format=erofs +Minimize=best +CopyFiles=/rootfs:/ +Verity=data +VerityMatchKey=root +SplitName=root +EOF + +cat <<EOF > init.repart.d/20-root-verity.conf +[Partition] +Type=root-verity +Verity=hash +VerityMatchKey=root +Minimize=best +SplitName=verity +EOF + +#TODO: Add verity signature partition + +$systemd/usr/bin/systemd-repart \ + --no-pager \ + --empty=create \ + --size=auto \ + --definitions=./init.repart.d \ + --split=true \ + --json=pretty \ + --root=$out \ + patos-$version.raw > init-repart-output.json +rm -f patos-$version.raw + +roothash=$(jq -r '.[0].roothash' init-repart-output.json) +rootPart=$(jq -r '.[0].split_path' init-repart-output.json) +rootUuid=$(jq -r '.[0].uuid' init-repart-output.json) + +verityPart=$(jq -r '.[1].split_path' init-repart-output.json) +verityUuid=$(jq -r '.[1].uuid' init-repart-output.json) + $systemd/usr/bin/ukify build \ --linux $kernel/bzImage \ --initrd $initrd/initrd.xz \ --os-release @rootfs/etc/os-release \ - --cmdline "$kernelCmdLine" \ - -o boot/patos.efi + --cmdline "$kernelCmdLine roothash=$roothash" \ + -o patos_${version}.efi +rm -rf rootfs +cp patos_${version}.efi boot/ cp ${systemd}/usr/lib/systemd/boot/efi/systemd-bootx64.efi boot/ - echo "timeout 1" > boot/loader.conf -cat <<EOF > repart.d/10-esp.conf +# Final partitioning +cat <<EOF > final.repart.d/10-esp.conf [Partition] Type=esp Format=vfat SizeMinBytes=96M SizeMaxBytes=96M CopyFiles=/boot/systemd-bootx64.efi:/EFI/BOOT/BOOTX64.EFI -CopyFiles=/boot/patos.efi:/EFI/Linux/patos.efi +CopyFiles=/boot/patos_${version}.efi:/EFI/Linux/patos_${version}.efi CopyFiles=/boot/loader.conf:/loader/loader.conf EOF -cat <<EOF > repart.d/10-root.conf +cat <<EOF > final.repart.d/20-root.conf [Partition] Type=root -Format=erofs -Minimize=best 
-CopyFiles=/rootfs:/ -SplitName=root +Label=root-${version} +CopyBlocks=/${rootPart} +UUID=${rootUuid} +SizeMinBytes=256M +SizeMaxBytes=256M +ReadOnly=1 EOF +cat <<EOF > final.repart.d/22-root-verity.conf +[Partition] +Type=root-verity +Label=verity-${version} +CopyBlocks=/${verityPart} +UUID=${verityUuid} +SizeMinBytes=10M +SizeMaxBytes=10M +ReadOnly=1 +EOF + +# finalize image ready for boot $systemd/usr/bin/systemd-repart \ --no-pager \ --empty=create \ --size=auto \ - --definitions=./repart.d \ + --definitions=./final.repart.d \ --root=$out \ - patos-$version.raw + patos-$version.raw > final-repart-output.json -rm -rf rootfs rm -rf boot popd diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh index a9f16d9..05a613b 100644 --- a/pkgs/rootfs/mkrootfs.sh +++ b/pkgs/rootfs/mkrootfs.sh @@ -52,11 +52,38 @@ cat <<EOF > $out/etc/repart.d/10-esp.conf [Partition] Type=esp Format=vfat +SizeMaxBytes=96M +SizeMinBytes=96M EOF -cat <<EOF > $out/etc/repart.d/22-root.conf +cat <<EOF > $out/etc/repart.d/20-root-a.conf [Partition] Type=root +SizeMaxBytes=256M +SizeMinBytes=256M +EOF +cat <<EOF > $out/etc/repart.d/22-root-verify-a.conf +[Partition] +Type=root-verity +SizeMaxBytes=10M +SizeMinBytes=10M +EOF + +cat <<EOF > $out/etc/repart.d/30-root-b.conf +[Partition] +Type=root +Label=_empty +SizeMaxBytes=256M +SizeMinBytes=256M +ReadOnly=1 +EOF +cat <<EOF > $out/etc/repart.d/32-root-verity-b.conf +[Partition] +Type=root-verity +Label=_empty +SizeMaxBytes=10M +SizeMinBytes=10M +ReadOnly=1 EOF cat <<EOF > $out/etc/repart.d/40-var.conf From 55ac59e2b3a9aa89ed497dd6eae6626d58a0582c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Sun, 9 Mar 2025 14:42:28 +0100 Subject: [PATCH 42/78] chore: add subvolumes state partition --- pkgs/rootfs/mkrootfs.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh index 05a613b..9d1e621 100644 --- a/pkgs/rootfs/mkrootfs.sh 
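Review bot: The `jq -r '.[0].roothash'`, `.[0].split_path`, `.[0].uuid`, `.[1].split_path` and `.[1].uuid` lookups assume the array from `systemd-repart --json=pretty` lists the root partition first and the verity partition second; that holds only while the definition files keep their `10-`/`20-` ordering, so selecting by a field unique to each entry (the `split_path` suffix, or `roothash` for the data partition) fails loudly instead of silently swapping values. The `#TODO: Add verity signature partition` leaves the root hash trust-anchored solely through the `roothash=` argument embedded in the UKI, which is acceptable while only signed UKIs boot; a comment next to the `--cmdline` line should state that dependency. `init-repart-output.json` and `final-repart-output.json` are written under `$out` and left there; if they are intended build artefacts say so, otherwise remove them as `patos-$version.raw` is.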
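Review bot: The file name `22-root-verify-a.conf` looks like a typo for `22-root-verity-a.conf` and breaks the pattern used by `32-root-verity-b.conf`; systemd-repart only cares about the ordering prefix, so it is functionally harmless, but it makes the A/B pairs harder to match by eye. The A-side definitions carry no `ReadOnly=1` while both B-side ones do, and `Label=_empty` is presumably the systemd-sysupdate convention for an unused slot; a one-line comment above each pair stating the intended A/B roles would make both differences deliberate rather than accidental.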
+++ b/pkgs/rootfs/mkrootfs.sh @@ -90,10 +90,14 @@ cat <<EOF > $out/etc/repart.d/40-var.conf [Partition] Type=var Format=btrfs +MakeDirectories=/var/lib/confexts /var/.snapshots MountPoint=/var Label=patos-state Encrypt=tpm2 EncryptedVolume=patos-state:none:tpm2-device=auto,luks,discard +Subvolumes=/var/lib/confexts /var/.snapshots +MountPoint=/var/lib/confexts:subvol=/var/lib/confexts +MountPoint=/var/.snapshots:subvol=/var/.snapshots SizeMinBytes=1G Minimize=off FactoryReset=yes @@ -134,9 +138,6 @@ cp -P ${lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/ cp -Pr ${btrfs}/bin/* $out/usr/bin/ cp -Pr ${btrfs}/lib/* $out/usr/lib/ -##FIXME(remove later): install mkfs.erofs bin -cp -P ${erofsUtils}/bin/mkfs.erofs $out/usr/bin/ - ### install tpm2 tools # For TPM debugging # cp -P ${tpm2Tools}/bin/* $out/usr/bin/ @@ -159,13 +160,12 @@ cp $out/usr/share/factory/etc/vconsole.conf $out/etc/ #Ephemeral machine-id until registration ln -sf /run/machine-id $out/etc/machine-id - # remove pkgconfig rm -rf $out/usr/lib/pkgconfig ### Find and install all shared libs find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \ - grep -v util-linux-2 | grep -v systemd | grep -v glibc | grep -v tpm2 | grep -v devmapper | \ + grep -v systemd | grep -v glibc | grep -v tpm2 | grep -v devmapper | \ sort -u | xargs -I {} cp {} $out/usr/lib/ find $out -type f -executable -exec chmod 755 {} \; From e49c2b22b54bd8c7c25ae9635944c4139ca70494 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Sun, 9 Mar 2025 21:10:05 +0100 Subject: [PATCH 43/78] chore: install ca cert bundle --- pkgs/busybox/default.nix | 11 +---------- pkgs/rootfs/default.nix | 5 +---- pkgs/rootfs/mkrootfs.sh | 14 ++++++++------ 3 files changed, 10 insertions(+), 20 deletions(-) diff --git a/pkgs/busybox/default.nix b/pkgs/busybox/default.nix index 571d0cf..e318d8a 100644 --- a/pkgs/busybox/default.nix +++ b/pkgs/busybox/default.nix 
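Review bot: `Encrypt=tpm2` in `40-var.conf` has no `TPM2PCRs=` or `TPM2PublicKey=` beside it, so the LUKS key of the state partition is sealed only under systemd-repart's default policy; with the signed UKI introduced earlier in this series, binding to the PCR 11 measurement via `TPM2PublicKey=` ties unlock to kernels signed with that key, and whichever policy is intended deserves a comment. If I read repart.d correctly, `Subvolumes=` and `MakeDirectories=` paths are relative to the root of the new file system, so `/var/lib/confexts` creates a `var/lib/confexts` tree that appears as `/var/var/lib/confexts` under the `MountPoint=/var` mount; the extra `MountPoint=...:subvol=...` lines then mount the subvolumes where they are wanted, but either the leading `/var` should go or a comment should say the nested layout is deliberate.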
@@ -163,7 +163,7 @@ stdenv.mkDerivation rec { CONFIG_TC n # Set the path for the udhcpc script - CONFIG_UDHCPC_DEFAULT_SCRIPT "${outDispatchPath}" + CONFIG_UDHCPC_DEFAULT_SCRIPT "/usr/share/busybox/" ${extraConfig} CONFIG_CROSS_COMPILER_PREFIX "${stdenv.cc.targetPrefix}" @@ -181,15 +181,6 @@ stdenv.mkDerivation rec { makeFlags = [ "SKIP_STRIP=y" ]; - postInstall = '' - sed -e ' - 1 a busybox() { '$out'/bin/busybox "$@"; }\ - logger() { '$out'/bin/logger "$@"; }\ - ' ${debianDispatcherScript} > ${outDispatchPath} - chmod 555 ${outDispatchPath} - HOST_PATH=$out/bin patchShebangs --host ${outDispatchPath} - ''; - strictDeps = true; depsBuildBuild = [ buildPackages.stdenv.cc ]; diff --git a/pkgs/rootfs/default.nix b/pkgs/rootfs/default.nix index 5ac9c6a..4e64ddd 100644 --- a/pkgs/rootfs/default.nix +++ b/pkgs/rootfs/default.nix @@ -24,15 +24,12 @@ stdenvNoCC.mkDerivation (finalAttrs: { busybox = patosPkgs.busybox.out; kmodLibs = pkgs.kmod.lib; kmodBin = pkgs.kmod.out; + cacert = pkgs.cacert.out; libbpf = pkgs.libbpf.out; btrfs = pkgs.btrfs-progs.out; tpm2Libs = patosPkgs.tpm2-tss.out; kexec = patosPkgs.kexec.out; lvm2 = patosPkgs.lvm2.out; - # FIXME: remove later: - tpm2Tools = patosPkgs.tpm2-tools.out; - cryptsetup = pkgs.cryptsetup.bin; - erofsUtils = pkgs.erofs-utils.out; builder = ./mkrootfs.sh; }) diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh index 9d1e621..ad227ad 100644 --- a/pkgs/rootfs/mkrootfs.sh +++ b/pkgs/rootfs/mkrootfs.sh 
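Review bot: `CONFIG_UDHCPC_DEFAULT_SCRIPT "/usr/share/busybox/"` now names a directory (note the trailing slash) while the `postInstall` that generated the dispatcher script is deleted in the second hunk, so nothing installs a script at that location and `udhcpc` run without `-s` has no lease handler. Either point the option at a concrete file such as `/usr/share/busybox/default.script` and install one into the rootfs, or leave a comment stating that udhcpc is always invoked with an explicit `-s`. If `debianDispatcherScript` and `outDispatchPath` are still bound above this hunk they are now unused and should go too.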
@@ -138,26 +138,27 @@ cp -P ${lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/ cp -Pr ${btrfs}/bin/* $out/usr/bin/ cp -Pr ${btrfs}/lib/* $out/usr/lib/ -### install tpm2 tools -# For TPM debugging -# cp -P ${tpm2Tools}/bin/* $out/usr/bin/ -# cp -P $cryptsetup/bin/* $out/usr/bin/ +### install tpm2 libs cp -P ${tpm2Libs}/lib/*.so* $out/usr/lib/ ### install lib kmod -cp -P $kmodLibs/lib/* $out/usr/lib +cp -P $kmodLibs/lib/*.so* $out/usr/lib/ cp -P $kmodBin/bin/* $out/usr/bin ### install libbpf cp -P $libbpf/lib/libbpf* $out/usr/lib +### install ca cert bundle +cp -Pr $cacert/etc/ssl $out/etc/ + # setup default files $systemd/usr/bin/systemd-hwdb --root=$out --usr update $systemd/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf --create cp $out/usr/share/factory/etc/nsswitch.conf $out/etc/ cp $out/usr/share/factory/etc/locale.conf $out/etc/ cp $out/usr/share/factory/etc/vconsole.conf $out/etc/ -#Ephemeral machine-id until registration + +# Ephemeral machine-id until registration ln -sf /run/machine-id $out/etc/machine-id # remove pkgconfig @@ -167,6 +168,7 @@ rm -rf $out/usr/lib/pkgconfig find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \ grep -v systemd | grep -v glibc | grep -v tpm2 | grep -v devmapper | \ sort -u | xargs -I {} cp {} $out/usr/lib/ + find $out -type f -executable -exec chmod 755 {} \; # FIXME: ELF patching. Is there a better way? From 4ecf8ead2addd9568154ca979d8c465439125113 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 12 Mar 2025 10:39:39 +0100 Subject: [PATCH 44/78] chore: add lib for making systemd sysexts --- flake.nix | 15 ++++++++ lib/make-sysext.nix | 87 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 102 insertions(+) create mode 100644 lib/make-sysext.nix diff --git a/flake.nix b/flake.nix index 97a1f97..ed6a3e5 100644 --- a/flake.nix +++ b/flake.nix 
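Review bot: `cp -Pr $cacert/etc/ssl $out/etc/` copies symlinks as symlinks; if any link under `$cacert/etc/ssl` targets an absolute Nix store path it dangles inside the image, where the store does not exist, and TLS clients then see an empty trust store without any build-time error. A check such as `find $out/etc/ssl -xtype l` after the copy, failing the build if it prints anything, catches this, or use `cp -rL` to dereference. The same hazard applies to the other `cp -P` lines in this section, which the `ldd`-based library copy further down does not cover.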
@@ -45,6 +45,21 @@ dbus-broker = pkgs.callPackage ./pkgs/dbus-broker { }; qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { }; + + debug-tools-sysext = pkgs.callPackage ./lib/make-sysext.nix { + name = "debug-tools"; + version = "0.0.1"; + packages = [ + { drv = pkgs.curl; path = "bin/curl"; } + { drv = patosPkgs.tpm2-tools; path = "bin/tpm2"; } + { drv = pkgs.cryptsetup; path = "bin/cryptsetup"; } + { drv = pkgs.cryptsetup; path = "bin/veritysetup"; } + # shared lib required for cryptsetup + { drv = pkgs.popt; path = "lib/libpopt.so.0.0.2"; } + { drv = pkgs.popt; path = "lib/libpopt.so.0"; } + { drv = pkgs.popt; path = "lib/libpopt.so"; } + ]; + }; }; checks = { diff --git a/lib/make-sysext.nix b/lib/make-sysext.nix new file mode 100644 index 0000000..fb1a8f0 --- /dev/null +++ b/lib/make-sysext.nix 
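Review bot: The three `pkgs.popt` entries hard-code the soname minor `libpopt.so.0.0.2`, so a popt bump in nixpkgs fails the sysext build at the `cp` step, and the `lib/libpopt.so` development symlink is not needed at runtime. Copying the resolved library once, with the file name obtained via `readlink` at build time, or extending make-sysext to accept a directory, removes the pin; at minimum `# update the soname version when pkgs.popt changes` beside these lines makes the failure mode obvious.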
@@ -0,0 +1,87 @@ +{ + lib, + runCommand, + pkgs, + + name, + packages, + osId ? "patos", + version ? null, +}: + + +let + metadata = { + ID = osId; + VERSION_ID = osId; + IMAGE_ID = name; + IMAGE_VERSION = version; + }; + + metadataFile = lib.concatStringsSep "\n" ( + lib.mapAttrsToList (k: v: "${k}=${v}") (lib.filterAttrs (_: v: v != null) metadata) + ); + + doCopy = + { + drv, + prefix ? "usr", + path, + destpath ? null, + }: + "do_copy ${prefix} ${drv} ${path}" + lib.optionalString (destpath != null) " ${destpath}"; + +in + +runCommand name + { + passthru.name = name; + inherit metadataFile; + passAsFile = [ "metadataFile" ]; + + buildInputs = [ + pkgs.erofs-utils + pkgs.cryptsetup + ]; + + } + '' + do_copy () { + local prefix="$1" + local drv="$2" + local path="$3" + local destpath="''${4:-$path}" + + local srcfile + local destdir + local destfile + srcfile="$drv/$path" + destfile="$out/tree/$prefix/$destpath" + destdir="$(dirname -- "$destfile")" + + mkdir -pv "$destdir" + cp -Pv "$srcfile" "$destfile" + + chmod 755 "$destfile" + patchelf --set-rpath /lib:/usr/lib:/ $destfile + patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 $destfile || true + } + + mkdir -p $out/tree + + ${lib.concatStringsSep "\n" (map doCopy packages)} + + # bake metadata into the structure + if ! [ -f $out/tree/usr/lib/extension-release.d/extension-release."${name}" ]; then + mkdir -p $out/tree/usr/lib/extension-release.d + cat "$metadataFilePath" > $out/tree/usr/lib/extension-release.d/extension-release."${name}" + fi + + pushd $out + find tree -type d -exec chmod 0755 {} \; + mkfs.erofs --all-root $name.raw tree/ + veritysetup format --root-hash-file $name.roothash $name.raw $name.verity + #TODO: pcks7 signature? + rm -rf tree + popd + '' From 5ecfd546f66d4a68bd68537cc7efa9f174a24470 Mon Sep 17 00:00:00 2001 
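Review bot: `VERSION_ID = osId` in `metadata` writes `VERSION_ID=patos` into the extension-release file, and systemd-sysext only merges an extension whose VERSION_ID matches the host's os-release (or whose SYSEXT_LEVEL matches), so unless the host genuinely publishes `VERSION_ID=patos` this should carry the OS version or be dropped, since `ID` already pins the OS. In `do_copy`, `$destfile` is quoted on the `cp`/`chmod` lines but not on the two `patchelf` lines; quote it there too. The `veritysetup format` step leaves a bare root hash with no signature (the `#TODO` acknowledges this), so until a `.roothash.p7s` exists the verity data only detects corruption and gives no authenticity if `.raw`, `.verity` and `.roothash` are replaced together; consumers must obtain the root hash from a trusted source. The private signing key cannot live inside this derivation anyway — the build runs sandboxed and its output lands in the world-readable store — so the signature belongs in a separate post-build step.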
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 12 Mar 2025 12:47:56 +0100 Subject: [PATCH 45/78] fix: we have to build our own openssl to use standard paths --- flake.nix | 1 + lib/make-sysext.nix | 2 +- pkgs/openssl/default.nix | 166 +++++++++++++++++++++++++++++++++++++++ pkgs/rootfs/default.nix | 1 + pkgs/rootfs/mkrootfs.sh | 9 ++- 5 files changed, 176 insertions(+), 3 deletions(-) create mode 100644 pkgs/openssl/default.nix diff --git a/flake.nix b/flake.nix index ed6a3e5..fc453e8 100644 --- a/flake.nix +++ b/flake.nix @@ -37,6 +37,7 @@ kernel = pkgs.callPackage ./pkgs/kernel { }; glibc = pkgs.callPackage ./pkgs/glibc { }; busybox = pkgs.callPackage ./pkgs/busybox { }; + openssl = pkgs.callPackage ./pkgs/openssl { }; kexec = pkgs.callPackage ./pkgs/kexec-tools { }; lvm2 = pkgs.callPackage ./pkgs/lvm2 { }; tpm2-tools = pkgs.callPackage ./pkgs/tpm2-tools { inherit patosPkgs; }; diff --git a/lib/make-sysext.nix b/lib/make-sysext.nix index fb1a8f0..2541e3d 100644 --- a/lib/make-sysext.nix +++ b/lib/make-sysext.nix @@ -63,7 +63,7 @@ runCommand name cp -Pv "$srcfile" "$destfile" chmod 755 "$destfile" - patchelf --set-rpath /lib:/usr/lib:/ $destfile + patchelf --set-rpath /usr/lib $destfile patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 $destfile || true } diff --git a/pkgs/openssl/default.nix b/pkgs/openssl/default.nix new file mode 100644 index 0000000..137176d --- /dev/null +++ b/pkgs/openssl/default.nix 
@@ -0,0 +1,166 @@ +{ + lib, + stdenv, + fetchurl, + perl, + makeBinaryWrapper, + withCryptodev ? false, + cryptodev, + withZlib ? false, + zlib, + enableSSL2 ? false, + enableSSL3 ? false, + enableMD2 ? false, + enableKTLS ? stdenv.hostPlatform.isLinux, + static ? stdenv.hostPlatform.isStatic, + removeReferencesTo, +}: + +stdenv.mkDerivation rec { + pname = "openssl"; + version = "3.4.1"; + hash = "sha256-ACotazC1i/S+pGxDvdljZar42qbEKHgqpP7uBtoZffM="; + + src = fetchurl { + url = "https://github.com/openssl/openssl/releases/download/openssl-${version}/openssl-${version}.tar.gz"; + hash = hash; + }; + + outputs = [ "out" ]; + + nativeBuildInputs = + lib.optional (!stdenv.hostPlatform.isWindows) makeBinaryWrapper + ++ [ perl ] + ++ lib.optionals static [ removeReferencesTo ]; + buildInputs = lib.optional withCryptodev cryptodev ++ lib.optional withZlib zlib; + + # TODO(@Ericson2314): Improve with mass rebuild + configurePlatforms = [ ]; + configureScript = + { + armv5tel-linux = "./Configure linux-armv4 -march=armv5te"; + armv6l-linux = "./Configure linux-armv4 -march=armv6"; + armv7l-linux = "./Configure linux-armv4 -march=armv7-a"; + x86_64-darwin = "./Configure darwin64-x86_64-cc"; + aarch64-darwin = "./Configure darwin64-arm64-cc"; + x86_64-linux = "./Configure linux-x86_64"; + x86_64-solaris = "./Configure solaris64-x86_64-gcc"; + powerpc64-linux = "./Configure linux-ppc64"; + riscv32-linux = "./Configure ${ + if lib.versionAtLeast version "3.2" then "linux32-riscv32" else "linux-latomic" + }"; + riscv64-linux = "./Configure linux64-riscv64"; + } + .${stdenv.hostPlatform.system} or ( + if stdenv.hostPlatform == stdenv.buildPlatform then + "./config" + else if stdenv.hostPlatform.isBSD then + if stdenv.hostPlatform.isx86_64 then + "./Configure BSD-x86_64" + else if stdenv.hostPlatform.isx86_32 then + "./Configure BSD-x86" + lib.optionalString stdenv.hostPlatform.isElf "-elf" + else + "./Configure BSD-generic${toString stdenv.hostPlatform.parsed.cpu.bits}" + else 
if stdenv.hostPlatform.isMinGW then + "./Configure mingw${ + lib.optionalString (stdenv.hostPlatform.parsed.cpu.bits != 32) ( + toString stdenv.hostPlatform.parsed.cpu.bits + ) + }" + else if stdenv.hostPlatform.isLinux then + if stdenv.hostPlatform.isx86_64 then + "./Configure linux-x86_64" + else if stdenv.hostPlatform.isMicroBlaze then + "./Configure linux-latomic" + else if stdenv.hostPlatform.isMips32 then + "./Configure linux-mips32" + else if stdenv.hostPlatform.isMips64n32 then + "./Configure linux-mips64" + else if stdenv.hostPlatform.isMips64n64 then + "./Configure linux64-mips64" + else + "./Configure linux-generic${toString stdenv.hostPlatform.parsed.cpu.bits}" + else if stdenv.hostPlatform.isiOS then + "./Configure ios${toString stdenv.hostPlatform.parsed.cpu.bits}-cross" + else + throw "Not sure what configuration to use for ${stdenv.hostPlatform.config}" + ); + + # OpenSSL doesn't like the `--enable-static` / `--disable-shared` flags. + dontAddStaticConfigureFlags = true; + + configureFlags = + [ + "shared" # "shared" builds both shared and static libraries + "--prefix=/usr" + "--libdir=lib" + "--openssldir=/etc/ssl" + ] + ++ lib.optionals withCryptodev [ + "-DHAVE_CRYPTODEV" + "-DUSE_CRYPTODEV_DIGESTS" + ] + ++ lib.optional enableMD2 "enable-md2" + ++ lib.optional enableSSL2 "enable-ssl2" + ++ lib.optional enableSSL3 "enable-ssl3" + # We select KTLS here instead of the configure-time detection (which we patch out). + # KTLS should work on FreeBSD 13+ as well, so we could enable it if someone tests it. + ++ lib.optional (lib.versionAtLeast version "3.0.0" && enableKTLS) "enable-ktls" + ++ lib.optional (lib.versionAtLeast version "1.1.1" && stdenv.hostPlatform.isAarch64) "no-afalgeng" + # OpenSSL needs a specific `no-shared` configure flag. + # See https://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options + # for a comprehensive list of configuration options. 
+ ++ lib.optional (lib.versionAtLeast version "1.1.1" && static) "no-shared" + ++ lib.optional (lib.versionAtLeast version "3.0.0" && static) "no-module" + # This introduces a reference to the CTLOG_FILE which is undesired when + # trying to build binaries statically. + ++ lib.optional static "no-ct" + ++ lib.optional withZlib "zlib" + # /dev/crypto support has been dropped in OpenBSD 5.7. + # + # OpenBSD's ports does this too, + # https://github.com/openbsd/ports/blob/a1147500c76970fea22947648fb92a093a529d7c/security/openssl/3.3/Makefile#L25. + # + # https://github.com/openssl/openssl/pull/10565 indicated the + # intent was that this would be configured properly automatically, + # but that doesn't appear to be the case. + ++ lib.optional stdenv.hostPlatform.isOpenBSD "no-devcryptoeng" + ++ lib.optionals (stdenv.hostPlatform.isMips && stdenv.hostPlatform ? gcc.arch) [ + # This is necessary in order to avoid openssl adding -march + # flags which ultimately conflict with those added by + # cc-wrapper. Openssl assumes that it can scan CFLAGS to + # detect any -march flags, using this perl code: + # + # && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}}) + # + # The following bogus CFLAGS environment variable triggers the + # the code above, inhibiting `./Configure` from adding the + # conflicting flags. + "CFLAGS=-march=${stdenv.hostPlatform.gcc.arch}" + ]; + + postPatch = '' + patchShebangs Configure + ''; + + installPhase = '' + make DESTDIR=$out install + ''; + + enableParallelBuilding = true; + + meta = { + homepage = "https://www.openssl.org/"; + changelog = "https://github.com/openssl/openssl/blob/openssl-${version}/CHANGES.md"; + description = "Cryptographic library that implements the SSL and TLS protocols"; + license = lib.licenses.openssl; + mainProgram = "openssl"; + maintainers = with lib.maintainers; [ thillux ] ++ lib.teams.stridtech.members; + pkgConfigModules = [ + "libcrypto" + "libssl" + "openssl" + ]; + platforms = lib.platforms.all; + }; +} 
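Review bot: The comment above `enable-ktls` says the configure-time KTLS detection is patched out, but this derivation's `postPatch` only runs `patchShebangs Configure`, so the comment no longer describes this build; either carry the nixpkgs patch or rewrite the comment as `# enable-ktls is requested explicitly; no detection patch is applied here`. `make DESTDIR=$out install` also pulls in the documentation targets; `make DESTDIR=$out install_sw install_ssldirs` installs only the libraries, binaries, headers and the `/etc/ssl` skeleton, which is all the rootfs copies. `meta.maintainers` still lists the nixpkgs maintainers and the stridtech team, which is misleading for a vendored copy.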
diff --git a/pkgs/rootfs/default.nix b/pkgs/rootfs/default.nix index 4e64ddd..c7f0dba 100644 --- a/pkgs/rootfs/default.nix +++ b/pkgs/rootfs/default.nix @@ -30,6 +30,7 @@ stdenvNoCC.mkDerivation (finalAttrs: { tpm2Libs = patosPkgs.tpm2-tss.out; kexec = patosPkgs.kexec.out; lvm2 = patosPkgs.lvm2.out; + openssl = patosPkgs.openssl.out; builder = ./mkrootfs.sh; }) diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh index ad227ad..14f4dac 100644 --- a/pkgs/rootfs/mkrootfs.sh +++ b/pkgs/rootfs/mkrootfs.sh @@ -115,6 +115,10 @@ EOF ### install PatOS glibc cp -P $glibcPatos/lib/*.so* $out/usr/lib/ +### install openssl +cp -P $openssl/usr/lib/*.so* $out/usr/lib/ +cp -Pr $openssl/etc/ssl $out/etc/ + ### install kernel modules cp -r $kernel/lib/modules $out/usr/lib/ find $out/usr/lib/modules -type d -exec chmod 755 {} \; @@ -149,7 +153,8 @@ cp -P $kmodBin/bin/* $out/usr/bin cp -P $libbpf/lib/libbpf* $out/usr/lib ### install ca cert bundle -cp -Pr $cacert/etc/ssl $out/etc/ +chmod 755 $out/etc/ssl +cp -P $cacert/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/cert.pem # setup default files $systemd/usr/bin/systemd-hwdb --root=$out --usr update @@ -166,7 +171,7 @@ rm -rf $out/usr/lib/pkgconfig ### Find and install all shared libs find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \ - grep -v systemd | grep -v glibc | grep -v tpm2 | grep -v devmapper | \ + grep -v systemd | grep -v glibc | grep -v openssl | grep -v tpm2 | grep -v devmapper | grep -v not | \ sort -u | xargs -I {} cp {} $out/usr/lib/ find $out -type f -executable -exec chmod 755 {} \; From 4c0ae9086ba93aec9985c85df9d689c2350270b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 12 Mar 2025 13:37:59 +0100 Subject: [PATCH 46/78] chore(openssl): remove dist files from ssldir --- lib/make-sysext.nix | 6 +++++- pkgs/openssl/default.nix | 1 + 2 files changed, 6 insertions(+), 1 deletion(-) 
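Review bot: `grep -v not` in the ldd pipeline of the `@@ -166,7 +171,7 @@` hunk silently drops `=> not found` entries, i.e. exactly the binaries whose dependencies will be missing in the finished rootfs, so a broken or mis-linked executable ships without the build noticing; it is also a substring match that would exclude any library whose store path contains `not`. Prefer failing loudly: keep only resolved paths with `awk '$2 == "=>" && $3 ~ /^\// {print $3}'` and abort in a separate pass with `ldd ... | grep -q 'not found' && exit 1`. The other `grep -v` filters (`systemd`, `glibc`, `openssl`, …) work because those libraries are installed by explicit `cp` lines earlier in the script; a comment saying so, `# excluded libs are installed explicitly above`, would keep the list maintainable.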
diff --git a/lib/make-sysext.nix b/lib/make-sysext.nix index 2541e3d..c94227b 100644 --- a/lib/make-sysext.nix +++ b/lib/make-sysext.nix @@ -81,7 +81,11 @@ runCommand name find tree -type d -exec chmod 0755 {} \; mkfs.erofs --all-root $name.raw tree/ veritysetup format --root-hash-file $name.roothash $name.raw $name.verity - #TODO: pcks7 signature? + # TODO: pcks7 signature + # openssl smime -sign -nocerts -noattr -binary -in ${name}.roothash \ + # -inkey key.pem -signer cert.pem -outform der -out ${name}.roothash.p7s rm -rf tree + sha256sum * > SHA256SUMS + # TODO: add gpg signature popd '' diff --git a/pkgs/openssl/default.nix b/pkgs/openssl/default.nix index 137176d..0e1f742 100644 --- a/pkgs/openssl/default.nix +++ b/pkgs/openssl/default.nix @@ -145,6 +145,7 @@ stdenv.mkDerivation rec { installPhase = '' make DESTDIR=$out install + rm -rf $out/etc/ssl/*.dist $out/etc/ssl/misc ''; enableParallelBuilding = true; From 865d73abab7b0c8d6ad44f890351ff1ff158dc13 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 12 Mar 2025 14:12:38 +0100 Subject: [PATCH 47/78] chore(debug-tools): add a couple of useful tools --- flake.nix | 4 ++++ lib/make-sysext.nix | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index fc453e8..1276c0c 100644 --- a/flake.nix +++ b/flake.nix @@ -52,6 +52,10 @@ version = "0.0.1"; packages = [ { drv = pkgs.curl; path = "bin/curl"; } + { drv = pkgs.bash; path = "bin/bash"; } + { drv = patosPkgs.glibc; path = "bin/ldd"; } + { drv = pkgs.keyutils; path = "bin/keyctl"; } + { drv = pkgs.gnutar; path = "bin/tar"; } { drv = patosPkgs.tpm2-tools; path = "bin/tpm2"; } { drv = pkgs.cryptsetup; path = "bin/cryptsetup"; } { drv = pkgs.cryptsetup; path = "bin/veritysetup"; } diff --git a/lib/make-sysext.nix b/lib/make-sysext.nix index c94227b..6de1e63 100644 --- a/lib/make-sysext.nix +++ b/lib/make-sysext.nix 
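Review bot: `sha256sum * > SHA256SUMS` adds no integrity or authenticity beyond what `$name.roothash` already provides, because an unsigned digest file travels with the artifacts it describes and is regenerated by whoever replaces them; only the planned signature (`# TODO: add gpg signature`) turns it into a check. The commented `openssl smime -sign ... -outform der` line matches what the systemd documentation shows for producing `<image>.roothash.p7s`, but the signing key must not enter this derivation — the build is sandboxed and its output is world-readable in the store — so both signatures belong to a post-build step that receives the key from CI secrets. Until then, a comment such as `# SHA256SUMS is unsigned: it only detects accidental corruption` would stop readers from treating it as a trust anchor.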
@@ -63,7 +63,7 @@ runCommand name cp -Pv "$srcfile" "$destfile" chmod 755 "$destfile" - patchelf --set-rpath /usr/lib $destfile + patchelf --set-rpath /usr/lib $destfile || true patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 $destfile || true } From 723c7efa327dbaeece28a7e001034f76bc50d5f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 12 Mar 2025 14:38:01 +0100 Subject: [PATCH 48/78] chore(debug-tools): more tools for the people :rocket: --- flake.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/flake.nix b/flake.nix index 1276c0c..ed21385 100644 --- a/flake.nix +++ b/flake.nix @@ -57,12 +57,18 @@ { drv = pkgs.keyutils; path = "bin/keyctl"; } { drv = pkgs.gnutar; path = "bin/tar"; } { drv = patosPkgs.tpm2-tools; path = "bin/tpm2"; } + { drv = patosPkgs.openssl; path = "usr/bin/openssl"; destpath = "bin/openssl"; } { drv = pkgs.cryptsetup; path = "bin/cryptsetup"; } { drv = pkgs.cryptsetup; path = "bin/veritysetup"; } + { drv = pkgs.erofs-utils; path = "bin/mkfs.erofs"; } # shared lib required for cryptsetup { drv = pkgs.popt; path = "lib/libpopt.so.0.0.2"; } { drv = pkgs.popt; path = "lib/libpopt.so.0"; } { drv = pkgs.popt; path = "lib/libpopt.so"; } + # shared lib required for mkfs.erofs + { drv = pkgs.lz4.lib; path = "lib/liblz4.so.1.10.0"; } + { drv = pkgs.lz4.lib; path = "lib/liblz4.so.1"; } + { drv = pkgs.lz4.lib; path = "lib/liblz4.so"; } ]; }; }; From 1fcccfcd7c3837bdb2aa4cd846e58e295b803b73 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 12 Mar 2025 15:38:40 +0100 Subject: [PATCH 49/78] chore(debug-tools): add strace and binutils --- flake.nix | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/flake.nix b/flake.nix index ed21385..f1005dc 100644 --- a/flake.nix +++ b/flake.nix 
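Review bot: `|| true` on the `--set-rpath` line now hides every patchelf failure, including on real ELF executables, which would then keep their `/nix/store/...` RUNPATH and fail to find libraries once the extension is merged on a system without a store. The intent is presumably to tolerate non-ELF files passed through `do_copy`; gate on the ELF magic instead, `if head -c 4 "$destfile" | grep -q ELF; then patchelf --set-rpath /usr/lib "$destfile"; fi`, and keep `|| true` only on `--set-interpreter`, which legitimately fails for shared objects. `do_copy` itself starts outside this hunk.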
@@ -56,6 +56,8 @@ { drv = patosPkgs.glibc; path = "bin/ldd"; } { drv = pkgs.keyutils; path = "bin/keyctl"; } { drv = pkgs.gnutar; path = "bin/tar"; } + { drv = pkgs.binutils-unwrapped; path = "bin/strings"; } + { drv = pkgs.strace; path = "bin/strace"; } { drv = patosPkgs.tpm2-tools; path = "bin/tpm2"; } { drv = patosPkgs.openssl; path = "usr/bin/openssl"; destpath = "bin/openssl"; } { drv = pkgs.cryptsetup; path = "bin/cryptsetup"; } @@ -69,6 +71,18 @@ { drv = pkgs.lz4.lib; path = "lib/liblz4.so.1.10.0"; } { drv = pkgs.lz4.lib; path = "lib/liblz4.so.1"; } { drv = pkgs.lz4.lib; path = "lib/liblz4.so"; } + # shared lib required for binutils + { drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1.0.0"; } + { drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1"; } + { drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd-2.43.1.so"; } + { drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd.so"; } + # shared lib required for strace + { drv = pkgs.elfutils.out; path = "lib/libdw-0.192.so"; } + { drv = pkgs.elfutils.out; path = "lib/libdw.so.1"; } + { drv = pkgs.elfutils.out; path = "lib/libdw.so"; } + { drv = pkgs.elfutils.out; path = "lib/libelf-0.192.so"; } + { drv = pkgs.elfutils.out; path = "lib/libelf.so.1"; } + { drv = pkgs.elfutils.out; path = "lib/libelf.so"; } ]; }; }; From 3dec49b2e4205eddd53475cf4047ba74393aa3c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Thu, 13 Mar 2025 09:36:42 +0100 Subject: [PATCH 50/78] chore(qemu): enable secure boot --- utils/qemu-uefi-tpm.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/utils/qemu-uefi-tpm.nix b/utils/qemu-uefi-tpm.nix index 0193a27..4fcadfd 100644 --- a/utils/qemu-uefi-tpm.nix +++ b/utils/qemu-uefi-tpm.nix @@ -12,7 +12,7 @@ pkgs.writeShellApplication { text = let - tpmOVMF = pkgs.OVMF.override { tpmSupport = true; }; + tpmOVMF = pkgs.OVMF.override { tpmSupport = true; secureBoot = true; }; in '' set -ex 
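Review bot: The new entries pin exact soname file names (`lib/libbfd-2.43.1.so`, `lib/libdw-0.192.so`, `lib/libelf-0.192.so`, and `lib/liblz4.so.1.10.0` in the previous commit's hunk), so every nixpkgs bump that changes those versions breaks this list rather than the tool; `cp` will at least fail loudly, but a comment such as `# file names track the pinned nixpkgs revision; update on bump` would explain why the versions are spelled out. `libbfd` and `libdw` may in turn depend on libraries not listed here, and unresolved libraries in a sysext only show up at first use, so confirm with `ldd` on the merged extension.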
@@ -26,6 +26,9 @@ pkgs.writeShellApplication { --tpm2 \ --log file="$state/swtpm.log",level=20 + cp ${tpmOVMF.variables} "$state" + chmod 700 "$state/OVMF_VARS.fd" + qemu-system-x86_64 \ -enable-kvm \ -machine q35,accel=kvm \ @@ -37,7 +40,7 @@ pkgs.writeShellApplication { -serial chardev:char0 \ -mon chardev=char0 \ -drive "if=pflash,format=raw,unit=0,readonly=on,file=${tpmOVMF.firmware}" \ - -drive "if=pflash,format=raw,unit=1,readonly=on,file=${tpmOVMF.variables}" \ + -drive "if=pflash,format=raw,unit=1,file=$state/OVMF_VARS.fd" \ -chardev socket,id=chrtpm,path="$state/swtpm-sock" \ -tpmdev emulator,id=tpm0,chardev=chrtpm \ -device tpm-tis,tpmdev=tpm0 \ From 2c2d212e250eceed41f3fbd5b7b14898d4a89540 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Thu, 13 Mar 2025 09:36:42 +0100 Subject: [PATCH 51/78] fix: our own derivation for the kernel in order to be able to sign modules --- flake.nix | 2 +- pkgs/image/default.nix | 4 +- pkgs/image/mkimage.sh | 7 - pkgs/kernel/default.nix | 7 +- pkgs/kernel/generic.config | 14 +- pkgs/kernel/manual-config.nix | 465 ++++++++++++++++++++++++++++++++++ pkgs/kernel/result | 1 + pkgs/openssl/default.nix | 2 +- pkgs/rootfs/default.nix | 4 +- pkgs/rootfs/mkrootfs.sh | 34 ++- 10 files changed, 508 insertions(+), 32 deletions(-) create mode 100644 pkgs/kernel/manual-config.nix create mode 120000 pkgs/kernel/result diff --git a/flake.nix b/flake.nix index f1005dc..5b1774f 100644 --- a/flake.nix +++ b/flake.nix @@ -59,7 +59,7 @@ { drv = pkgs.binutils-unwrapped; path = "bin/strings"; } { drv = pkgs.strace; path = "bin/strace"; } { drv = patosPkgs.tpm2-tools; path = "bin/tpm2"; } - { drv = patosPkgs.openssl; path = "usr/bin/openssl"; destpath = "bin/openssl"; } + { drv = patosPkgs.openssl; path = "bin/openssl"; } { drv = pkgs.cryptsetup; path = "bin/cryptsetup"; } { drv = pkgs.cryptsetup; path = "bin/veritysetup"; } { drv = pkgs.erofs-utils; path = "bin/mkfs.erofs"; } 
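Review bot: `cp ${tpmOVMF.variables} "$state"` runs unconditionally on every launch, so the writable variable store is reset each time and any PK/KEK/db enrolment done in a previous session is lost, which defeats testing the enrolled-keys path; guard it with `[ -f "$state/OVMF_VARS.fd" ] || cp ${tpmOVMF.variables} "$state/OVMF_VARS.fd"`. `chmod 700` grants a data file an execute bit it does not need; `chmod 600` is enough to make the store-copied, read-only file writable for pflash. As far as I can tell a plain `secureBoot = true` OVMF build ships an empty variable store, so the guest starts in setup mode and enforces nothing until keys are enrolled — worth confirming, and worth a comment here so a passing boot is not mistaken for a verified one.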
diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix index 0fcaf3f..74e0931 100644 --- a/pkgs/image/default.nix +++ b/pkgs/image/default.nix @@ -7,12 +7,10 @@ }: let pname = "patos-image"; - defaultPassword = "patos"; in stdenvNoCC.mkDerivation (finalAttrs: { inherit version; inherit pname; - inherit defaultPassword; buildInputs = with pkgs; [ erofs-utils @@ -29,7 +27,7 @@ stdenvNoCC.mkDerivation (finalAttrs: { }; systemd = patosPkgs.systemd.out; - kernel = patosPkgs.kernel.kernel; + kernel = patosPkgs.kernel; initrd = patosPkgs.initrd.out; rootfs = patosPkgs.rootfs.out; diff --git a/pkgs/image/mkimage.sh b/pkgs/image/mkimage.sh index 78e55f8..df56849 100644 --- a/pkgs/image/mkimage.sh +++ b/pkgs/image/mkimage.sh @@ -27,13 +27,6 @@ mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/sys ln -sf ../systemd-confext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-confext.service ln -sf ../systemd-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-sysext.service -# install sys users -mkdir creds -echo -n $defaultPassword > creds/passwd.plaintext-password.root -CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' $systemd/usr/bin/systemd-sysusers --root=rootfs rootfs/usr/lib/sysusers.d/*.conf -chmod 600 rootfs/etc/shadow -rm -rf creds - # Initial partitioning cat <<EOF > init.repart.d/10-root.conf [Partition] diff --git a/pkgs/kernel/default.nix b/pkgs/kernel/default.nix index 73ecd1f..c5dabce 100644 --- a/pkgs/kernel/default.nix +++ b/pkgs/kernel/default.nix @@ -1,9 +1,9 @@ -{ pkgs, ... }: +{ pkgs, lib, stdenv, ... }: let version = "6.13.4"; in -pkgs.linuxPackagesFor ( - pkgs.linuxManualConfig { + (pkgs.callPackage ./manual-config.nix { }) { + inherit lib stdenv; version = "${version}-patos1"; modDirVersion = version; src = pkgs.fetchurl { @@ -13,4 +13,3 @@ pkgs.linuxPackagesFor ( configfile = ./generic.config; allowImportFromDerivation = true; } -) 
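Review bot: The commit's diffstat lists `create mode 120000 pkgs/kernel/result`, which looks like a stray `nix build` output symlink into `/nix/store` checked in alongside the new kernel derivation; it should be dropped from the commit and `result` added to `.gitignore`, since the link is meaningless outside the author's machine. In `pkgs/kernel/default.nix`, `allowImportFromDerivation = true` means the kernel config is parsed by evaluating a derivation (the `readConfig` helper in `manual-config.nix`); a comment such as `# IFD: lets manual-config derive isModular/withRust from generic.config` would explain why it is on, and it is the first thing to suspect if evaluation starts rejecting IFD. With the default-password provisioning removed from `mkimage.sh`, nothing visible sets root's password any more; confirm the image ends up with root locked rather than passwordless.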
diff --git a/pkgs/kernel/generic.config b/pkgs/kernel/generic.config index 209e026..647bf91 100644 --- a/pkgs/kernel/generic.config +++ b/pkgs/kernel/generic.config @@ -522,11 +522,11 @@ CONFIG_DEBUG_BUGVERBOSE=y CONFIG_DEBUG_ENTRY=y CONFIG_DEBUG_FS_ALLOW_ALL=y CONFIG_DEBUG_FS=y -CONFIG_DEBUG_INFO_BTF_MODULES=y -CONFIG_DEBUG_INFO_BTF=y -CONFIG_DEBUG_INFO_COMPRESSED_NONE=y -CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y -CONFIG_DEBUG_INFO=y +#CONFIG_DEBUG_INFO_BTF_MODULES=y +#CONFIG_DEBUG_INFO_BTF=y +#CONFIG_DEBUG_INFO_COMPRESSED_NONE=y +#CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y +CONFIG_DEBUG_INFO=n CONFIG_DEBUG_KERNEL=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_MISC=y @@ -1400,6 +1400,10 @@ CONFIG_MODULE_COMPRESS_ZSTD=y CONFIG_MODULE_FORCE_UNLOAD=y CONFIG_MODULE_SRCVERSION_ALL=y CONFIG_MODULE_UNLOAD=y +CONFIG_MODULE_SIG=y +CONFIG_MODULE_SIG_FORCE=n +CONFIG_MODULE_SIG_ALL=y +CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" CONFIG_MODULES_TREE_LOOKUP=y CONFIG_MODULES_USE_ELF_RELA=y CONFIG_MODULES=y diff --git a/pkgs/kernel/manual-config.nix b/pkgs/kernel/manual-config.nix new file mode 100644 index 0000000..ffcf758 --- /dev/null +++ b/pkgs/kernel/manual-config.nix 
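Review bot: `CONFIG_MODULE_SIG_FORCE=n` means module signatures are generated (`CONFIG_MODULE_SIG_ALL=y`) but not enforced: an unsigned or mis-signed module still loads and merely taints the kernel, so the signing this commit adds changes nothing about what can be loaded unless `module.sig_enforce=1` is on the command line or a lockdown policy in integrity mode is active. Either set `CONFIG_MODULE_SIG_FORCE=y` once every shipped module is signed, or add a comment stating that enforcement is expected to come from lockdown. `CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"` is the autogenerated build-time key, which is regenerated per build and so makes the kernel non-reproducible and leaves no key for signing out-of-tree modules later; if a long-lived key is intended it should be supplied explicitly. Separately, commenting out `CONFIG_DEBUG_INFO_BTF` removes `/sys/kernel/btf/vmlinux`, which CO-RE eBPF programs built against the `libbpf` installed in the rootfs rely on; confirm that is acceptable.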
@@ -0,0 +1,465 @@ +{ lib, stdenv, buildPackages, runCommand, nettools, bc, bison, flex, perl, rsync, gmp, libmpc, mpfr, openssl +, cpio, elfutils, hexdump, zstd, python3Minimal, zlib, pahole, kmod, ubootTools +, fetchpatch +, rustc, rust-bindgen, rustPlatform +}: + +let + lib_ = lib; + stdenv_ = stdenv; + + readConfig = configfile: import (runCommand "config.nix" {} '' + echo "{" > "$out" + while IFS='=' read key val; do + [ "x''${key#CONFIG_}" != "x$key" ] || continue + no_firstquote="''${val#\"}"; + echo ' "'"$key"'" = "'"''${no_firstquote%\"}"'";' >> "$out" + done < "${configfile}" + echo "}" >> $out + '').outPath; +in lib.makeOverridable ({ + # The kernel version + version, + # The kernel pname (should be set for variants) + pname ? "linux", + # Position of the Linux build expression + pos ? null, + # Additional kernel make flags + extraMakeFlags ? [], + # The name of the kernel module directory + # Needs to be X.Y.Z[-extra], so pad with zeros if needed. + modDirVersion ? null /* derive from version */, + # The kernel source (tarball, git checkout, etc.) + src, + # a list of { name=..., patch=..., extraConfig=...} patches + kernelPatches ? [], + # The kernel .config file + configfile, + # Manually specified nixexpr representing the config + # If unspecified, this will be autodetected from the .config + config ? lib.optionalAttrs allowImportFromDerivation (readConfig configfile), + # Custom seed used for CONFIG_GCC_PLUGIN_RANDSTRUCT if enabled. This is + # automatically extended with extra per-version and per-config values. + randstructSeed ? "", + # Extra meta attributes + extraMeta ? {}, + + # for module compatibility + isZen ? false, + isLibre ? false, + isHardened ? false, + + # Whether to utilize the controversial import-from-derivation feature to parse the config + allowImportFromDerivation ? false, + # ignored + features ? null, lib ? lib_, stdenv ? stdenv_, +}: + +let + # Provide defaults. 
Note that we support `null` so that callers don't need to use optionalAttrs, + # which can lead to unnecessary strictness and infinite recursions. + modDirVersion_ = if modDirVersion == null then lib.versions.pad 3 version else modDirVersion; +in +let + # Shadow the un-defaulted parameter; don't want null. + modDirVersion = modDirVersion_; + inherit (lib) + hasAttr getAttr optional optionals optionalString optionalAttrs maintainers platforms; + + drvAttrs = config_: kernelConf: kernelPatches: configfile: + let + # Folding in `ubootTools` in the default nativeBuildInputs is problematic, as + # it makes updating U-Boot cumbersome, since it will go above the current + # threshold of rebuilds + # + # To prevent these needless rounds of staging for U-Boot builds, we can + # limit the inclusion of ubootTools to target platforms where uImage *may* + # be produced. + # + # This command lists those (kernel-named) platforms: + # .../linux $ grep -l uImage ./arch/*/Makefile | cut -d'/' -f3 | sort + # + # This is still a guesstimation, but since none of our cached platforms + # coincide in that list, this gives us "perfect" decoupling here. 
+ linuxPlatformsUsingUImage = [ + "arc" + "arm" + "csky" + "mips" + "powerpc" + "sh" + "sparc" + "xtensa" + ]; + needsUbootTools = + lib.elem stdenv.hostPlatform.linuxArch linuxPlatformsUsingUImage + ; + + config = let attrName = attr: "CONFIG_" + attr; in { + isSet = attr: hasAttr (attrName attr) config; + + getValue = attr: if config.isSet attr then getAttr (attrName attr) config else null; + + isYes = attr: (config.getValue attr) == "y"; + + isNo = attr: (config.getValue attr) == "n"; + + isModule = attr: (config.getValue attr) == "m"; + + isEnabled = attr: (config.isModule attr) || (config.isYes attr); + + isDisabled = attr: (!(config.isSet attr)) || (config.isNo attr); + } // config_; + + isModular = config.isYes "MODULES"; + withRust = config.isYes "RUST"; + + buildDTBs = kernelConf.DTB or false; + + # Dependencies that are required to build kernel modules + moduleBuildDependencies = [ + pahole + perl + elfutils + # module makefiles often run uname commands to find out the kernel version + (buildPackages.deterministic-uname.override { inherit modDirVersion; }) + ] + ++ optional (lib.versionAtLeast version "5.13") zstd + ++ optionals withRust [ rustc rust-bindgen ] + ; + + in (optionalAttrs isModular { outputs = [ "out" "dev" ]; }) // { + passthru = rec { + inherit version modDirVersion config kernelPatches configfile + moduleBuildDependencies stdenv; + inherit isZen isHardened isLibre withRust; + isXen = lib.warn "The isXen attribute is deprecated. All Nixpkgs kernels that support it now have Xen enabled." 
true; + baseVersion = lib.head (lib.splitString "-rc" version); + kernelOlder = lib.versionOlder baseVersion; + kernelAtLeast = lib.versionAtLeast baseVersion; + }; + + inherit src; + + depsBuildBuild = [ buildPackages.stdenv.cc ]; + nativeBuildInputs = [ + bison + flex + perl + bc + nettools + openssl + rsync + gmp + libmpc + mpfr + elfutils + zstd + python3Minimal + kmod + hexdump + ] ++ optional needsUbootTools ubootTools + ++ optionals (lib.versionAtLeast version "5.2") [ cpio pahole zlib ] + ++ optionals withRust [ rustc rust-bindgen ]; + + RUST_LIB_SRC = lib.optionalString withRust rustPlatform.rustLibSrc; + + # avoid leaking Rust source file names into the final binary, which adds + # a false dependency on rust-lib-src on targets with uncompressed kernels + KRUSTFLAGS = lib.optionalString withRust "--remap-path-prefix ${rustPlatform.rustLibSrc}=/"; + + # patches = + # map (p: p.patch) kernelPatches + # # Required for deterministic builds along with some postPatch magic. + # ++ optional (lib.versionOlder version "5.19") ./randstruct-provide-seed.patch + # ++ optional (lib.versionAtLeast version "5.19") ./randstruct-provide-seed-5.19.patch + # # Linux 5.12 marked certain PowerPC-only symbols as GPL, which breaks + # # OpenZFS; this was fixed in Linux 5.19 so we backport the fix + # # https://github.com/openzfs/zfs/pull/13367 + # ++ optional (lib.versionAtLeast version "5.12" && + # lib.versionOlder version "5.19" && + # stdenv.hostPlatform.isPower) + # (fetchpatch { + # url = "https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/patch/?id=d9e5c3e9e75162f845880535957b7fd0b4637d23"; + # hash = "sha256-bBOyJcP6jUvozFJU0SPTOf3cmnTQ6ZZ4PlHjiniHXLU="; + # }); + + postPatch = '' + # Ensure that depmod gets resolved through PATH + sed -i Makefile -e 's|= /sbin/depmod|= depmod|' + + # Some linux-hardened patches now remove certain files in the scripts directory, so the file may not exist. 
+ [[ -f scripts/ld-version.sh ]] && patchShebangs scripts/ld-version.sh + + # Set randstruct seed to a deterministic but diversified value. Note: + # we could have instead patched gen-random-seed.sh to take input from + # the buildFlags, but that would require also patching the kernel's + # toplevel Makefile to add a variable export. This would be likely to + # cause future patch conflicts. + for file in scripts/gen-randstruct-seed.sh scripts/gcc-plugins/gen-random-seed.sh; do + if [ -f "$file" ]; then + substituteInPlace "$file" \ + --replace NIXOS_RANDSTRUCT_SEED \ + $(echo ${randstructSeed}${src} ${placeholder "configfile"} | sha256sum | cut -d ' ' -f 1 | tr -d '\n') + break + fi + done + + patchShebangs scripts + + # also patch arch-specific install scripts + for i in $(find arch -name install.sh); do + patchShebangs "$i" + done + + # unset $src because the build system tries to use it and spams a bunch of warnings + # see: https://github.com/torvalds/linux/commit/b1992c3772e69a6fd0e3fc81cd4d2820c8b6eca0 + unset src + ''; + + configurePhase = '' + runHook preConfigure + + mkdir build + export buildRoot="$(pwd)/build" + + echo "manual-config configurePhase buildRoot=$buildRoot pwd=$PWD" + + if [ -f "$buildRoot/.config" ]; then + echo "Could not link $buildRoot/.config : file exists" + exit 1 + fi + ln -sv ${configfile} $buildRoot/.config + + # reads the existing .config file and prompts the user for options in + # the current kernel source that are not found in the file. 
+ make $makeFlags "''${makeFlagsArray[@]}" oldconfig + runHook postConfigure + + make $makeFlags "''${makeFlagsArray[@]}" prepare + actualModDirVersion="$(cat $buildRoot/include/config/kernel.release)" + if [ "$actualModDirVersion" != "${modDirVersion}" ]; then + echo "Error: modDirVersion ${modDirVersion} specified in the Nix expression is wrong, it should be: $actualModDirVersion" + exit 1 + fi + + buildFlagsArray+=("KBUILD_BUILD_TIMESTAMP=$(date -u -d @$SOURCE_DATE_EPOCH)") + + cd $buildRoot + ''; + + buildFlags = [ + "KBUILD_BUILD_VERSION=1-PatOS" + kernelConf.target + "vmlinux" # for "perf" and things like that + ] ++ optional isModular "modules" + ++ optionals buildDTBs ["dtbs" "DTC_FLAGS=-@"] + ++ extraMakeFlags; + + installFlags = [ + "INSTALL_PATH=$(out)" + ] ++ (optional isModular "INSTALL_MOD_PATH=$(out)") + ++ optionals buildDTBs ["dtbs_install" "INSTALL_DTBS_PATH=$(out)/dtbs"]; + + dontStrip = true; + + preInstall = let + # All we really need to do here is copy the final image and System.map to $out, + # and use the kernel's modules_install, firmware_install, dtbs_install, etc. targets + # for the rest. Easy, right? + # + # Unfortunately for us, the obvious way of getting the built image path, + # make -s image_name, does not work correctly, because some architectures + # (*cough* aarch64 *cough*) change KBUILD_IMAGE on the fly in their install targets, + # so we end up attempting to install the thing we didn't actually build. + # + # Thankfully, there's a way out that doesn't involve just hardcoding everything. + # + # The kernel has an install target, which runs a pretty simple shell script + # (located at scripts/install.sh or arch/$arch/boot/install.sh, depending on + # which kernel version you're looking at) that tries to do something sensible. 
+ # + # (it would be great to hijack this script immediately, as it has all the + # information we need passed to it and we don't need it to try and be smart, + # but unfortunately, the exact location of the scripts differs between kernel + # versions, and they're seemingly not considered to be public API at all) + # + # One of the ways it tries to discover what "something sensible" actually is + # is by delegating to what's supposed to be a user-provided install script + # located at ~/bin/installkernel. + # + # (the other options are: + # - a distribution-specific script at /sbin/installkernel, + # which we can't really create in the sandbox easily + # - an architecture-specific script at arch/$arch/boot/install.sh, + # which attempts to guess _something_ and usually guesses very wrong) + # + # More specifically, the install script exec's into ~/bin/installkernel, if one + # exists, with the following arguments: + # + # $1: $KERNELRELEASE - full kernel version string + # $2: $KBUILD_IMAGE - the final image path + # $3: System.map - path to System.map file, seemingly hardcoded everywhere + # $4: $INSTALL_PATH - path to the destination directory as specified in installFlags + # + # $2 is exactly what we want, so hijack the script and use the knowledge given to it + # by the makefile overlords for our own nefarious ends. + # + # Note that the makefiles specifically look in ~/bin/installkernel, and + # writeShellScriptBin writes the script to <store path>/bin/installkernel, + # so HOME needs to be set to just the store path. + # + # FIXME: figure out a less roundabout way of doing this. + installkernel = buildPackages.writeShellScriptBin "installkernel" '' + cp -av $2 $4 + cp -av $3 $4 + ''; + in '' + installFlagsArray+=("-j$NIX_BUILD_CORES") + export HOME=${installkernel} + ''; + + # Some image types need special install targets (e.g. 
uImage is installed with make uinstall on arm) + installTargets = [ + (kernelConf.installTarget or ( + /**/ if kernelConf.target == "uImage" && stdenv.hostPlatform.linuxArch == "arm" then "uinstall" + else if kernelConf.target == "zImage" || kernelConf.target == "Image.gz" || kernelConf.target == "vmlinuz.efi" then "zinstall" + else "install")) + ]; + + # We remove a bunch of stuff that is symlinked from other places to save space, + # which trips the broken symlink check. So, just skip it. We'll know if it explodes. + dontCheckForBrokenSymlinks = true; + + postInstall = optionalString isModular '' + mkdir -p $dev + cp vmlinux $dev/ + if [ -z "''${dontStrip-}" ]; then + installFlagsArray+=("INSTALL_MOD_STRIP=1") + fi + make modules_install $makeFlags "''${makeFlagsArray[@]}" \ + $installFlags "''${installFlagsArray[@]}" + unlink $out/lib/modules/${modDirVersion}/build + rm -f $out/lib/modules/${modDirVersion}/source + + mkdir -p $dev/lib/modules/${modDirVersion}/{build,source} + + # To save space, exclude a bunch of unneeded stuff when copying. + (cd .. && rsync --archive --prune-empty-dirs \ + --exclude='/build/' \ + * $dev/lib/modules/${modDirVersion}/source/) + + cd $dev/lib/modules/${modDirVersion}/source + + cp $buildRoot/{.config,Module.symvers} $dev/lib/modules/${modDirVersion}/build + make modules_prepare $makeFlags "''${makeFlagsArray[@]}" O=$dev/lib/modules/${modDirVersion}/build + + # For reproducibility, removes accidental leftovers from a `cc1` call + # from a `try-run` call from the Makefile + rm -f $dev/lib/modules/${modDirVersion}/build/.[0-9]*.d + + # Keep some extra files on some arches (powerpc, aarch64) + for f in arch/powerpc/lib/crtsavres.o arch/arm64/kernel/ftrace-mod.o; do + if [ -f "$buildRoot/$f" ]; then + cp $buildRoot/$f $dev/lib/modules/${modDirVersion}/build/$f + fi + done + + # !!! No documentation on how much of the source tree must be kept + # If/when kernel builds fail due to missing files, you can add + # them here. 
Note that we may see packages requiring headers + # from drivers/ in the future; it adds 50M to keep all of its + # headers on 3.10 though. + + chmod u+w -R .. + arch=$(cd $dev/lib/modules/${modDirVersion}/build/arch; ls) + + # Remove unused arches + for d in $(cd arch/; ls); do + if [ "$d" = "$arch" ]; then continue; fi + if [ "$arch" = arm64 ] && [ "$d" = arm ]; then continue; fi + rm -rf arch/$d + done + + # Remove all driver-specific code (50M of which is headers) + rm -fR drivers + + # Keep all headers + find . -type f -name '*.h' -print0 | xargs -0 -r chmod u-w + + # Keep linker scripts (they are required for out-of-tree modules on aarch64) + find . -type f -name '*.lds' -print0 | xargs -0 -r chmod u-w + + # Keep root and arch-specific Makefiles + chmod u-w Makefile arch/"$arch"/Makefile* + + # Keep whole scripts dir + chmod u-w -R scripts + + # Delete everything not kept + find . -type f -perm -u=w -print0 | xargs -0 -r rm + + # Delete empty directories + find -empty -type d -delete + ''; + + requiredSystemFeatures = [ "big-parallel" ]; + + meta = { + # https://github.com/NixOS/nixpkgs/pull/345534#issuecomment-2391238381 + broken = withRust && lib.versionOlder version "6.12"; + + description = + "The Linux kernel" + + (if kernelPatches == [] then "" else + " (with patches: " + + lib.concatStringsSep ", " (map (x: x.name) kernelPatches) + + ")"); + license = lib.licenses.gpl2Only; + homepage = "https://www.kernel.org/"; + maintainers = lib.teams.linux-kernel.members ++ [ + maintainers.thoughtpolice + ]; + platforms = platforms.linux; + badPlatforms = + lib.optionals (lib.versionOlder version "4.15") [ "riscv32-linux" "riscv64-linux" ] ++ + lib.optional (lib.versionOlder version "5.19") "loongarch64-linux"; + timeout = 14400; # 4 hours + } // extraMeta; + }; + + # Absolute paths for compilers avoid any PATH-clobbering issues. 
+ commonMakeFlags = [ + "ARCH=${stdenv.hostPlatform.linuxArch}" + "CROSS_COMPILE=${stdenv.cc.targetPrefix}" + ] ++ lib.optionals (stdenv.isx86_64 && stdenv.cc.bintools.isLLVM) [ + # The wrapper for ld.lld breaks linking the kernel. We use the + # unwrapped linker as workaround. See: + # + # https://github.com/NixOS/nixpkgs/issues/321667 + "LD=${stdenv.cc.bintools.bintools}/bin/${stdenv.cc.targetPrefix}ld" + ] ++ (stdenv.hostPlatform.linux-kernel.makeFlags or []) + ++ extraMakeFlags; +in + +stdenv.mkDerivation ( + builtins.foldl' lib.recursiveUpdate {} [ + (drvAttrs config stdenv.hostPlatform.linux-kernel kernelPatches configfile) + { + inherit pname version; + + enableParallelBuilding = true; + + hardeningDisable = [ "bindnow" "format" "fortify" "stackprotector" "pic" "pie" ]; + + makeFlags = [ + "O=$(buildRoot)" + ] ++ commonMakeFlags; + + passthru = { inherit commonMakeFlags; }; + + karch = stdenv.hostPlatform.linuxArch; + } + (optionalAttrs (pos != null) { inherit pos; }) + ] +)) diff --git a/pkgs/kernel/result b/pkgs/kernel/result new file mode 120000 index 0000000..adacbb4 --- /dev/null +++ b/pkgs/kernel/result @@ -0,0 +1 @@ +/nix/store/kwigngi2rkbhd5qmhjaxla2wh3adm4ph-linux-6.13.4-patos1 \ No newline at end of file diff --git a/pkgs/openssl/default.nix b/pkgs/openssl/default.nix index 0e1f742..bc833cc 100644 --- a/pkgs/openssl/default.nix +++ b/pkgs/openssl/default.nix @@ -92,7 +92,7 @@ stdenv.mkDerivation rec { configureFlags = [ "shared" # "shared" builds both shared and static libraries - "--prefix=/usr" + "--prefix=/" "--libdir=lib" "--openssldir=/etc/ssl" ] diff --git a/pkgs/rootfs/default.nix b/pkgs/rootfs/default.nix index c7f0dba..d3c39c3 100644 --- a/pkgs/rootfs/default.nix +++ b/pkgs/rootfs/default.nix @@ -7,10 +7,12 @@ }: let pname = "patos-rootfs"; + defaultPassword = "patos"; in stdenvNoCC.mkDerivation (finalAttrs: { inherit version; inherit pname; + inherit defaultPassword; buildInputs = with pkgs; [ glibc 
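Review bot: `defaultPassword = "patos";` hard-codes the root password as a plain derivation attribute, so it sits in the Nix expression, in the derivation environment and in the Nix store, and the same value is consumed by `echo -n $defaultPassword > creds/passwd.plaintext-password.root` in the mkrootfs.sh hunk @@ -162,6 +164,13 (the next chunk of this series), where `systemd-sysusers` turns it into the image's /etc/shadow. Every image built from this expression therefore ships the same root password, and the resulting shadow file is reproducible from public inputs, so `chmod 600 $out/etc/shadow` protects nothing. If a default credential is really needed for bring-up, supply it from outside the build (a `passwd.hashed-password.root` credential passed at image-signing time, or a first-boot provisioning step) and keep only the mechanism in the repository; at minimum add `# development-only default; overridden for released images` next to the attribute so the intent is recorded.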
@@ -20,7 +22,7 @@ stdenvNoCC.mkDerivation (finalAttrs: { glibcPatos = patosPkgs.glibc.out; systemd = patosPkgs.systemd.out; dbusBroker = patosPkgs.dbus-broker.out; - kernel = patosPkgs.kernel.kernel; + kernel = patosPkgs.kernel; busybox = patosPkgs.busybox.out; kmodLibs = pkgs.kmod.lib; kmodBin = pkgs.kmod.out; diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh index 14f4dac..7e8df9e 100644 --- a/pkgs/rootfs/mkrootfs.sh +++ b/pkgs/rootfs/mkrootfs.sh @@ -62,6 +62,7 @@ Type=root SizeMaxBytes=256M SizeMinBytes=256M EOF + cat <<EOF > $out/etc/repart.d/22-root-verify-a.conf [Partition] Type=root-verity @@ -77,6 +78,7 @@ SizeMaxBytes=256M SizeMinBytes=256M ReadOnly=1 EOF + cat <<EOF > $out/etc/repart.d/32-root-verity-b.conf [Partition] Type=root-verity @@ -90,13 +92,15 @@ cat <<EOF > $out/etc/repart.d/40-var.conf [Partition] Type=var Format=btrfs -MakeDirectories=/var/lib/confexts /var/.snapshots +MakeDirectories=/var/lib/confexts /var/lib/extensions /var/lib/portables /var/.snapshots MountPoint=/var Label=patos-state Encrypt=tpm2 EncryptedVolume=patos-state:none:tpm2-device=auto,luks,discard -Subvolumes=/var/lib/confexts /var/.snapshots +Subvolumes=/var/lib/confexts /var/lib/extensions /var/lib/portables /var/.snapshots MountPoint=/var/lib/confexts:subvol=/var/lib/confexts +MountPoint=/var/lib/extensions:subvol=/var/lib/extensions +MountPoint=/var/lib/portables:subvol=/var/lib/portables MountPoint=/var/.snapshots:subvol=/var/.snapshots SizeMinBytes=1G Minimize=off @@ -116,13 +120,9 @@ EOF cp -P $glibcPatos/lib/*.so* $out/usr/lib/ ### install openssl -cp -P $openssl/usr/lib/*.so* $out/usr/lib/ +cp -P $openssl/lib/*.so* $out/usr/lib/ cp -Pr $openssl/etc/ssl $out/etc/ -### install kernel modules -cp -r $kernel/lib/modules $out/usr/lib/ -find $out/usr/lib/modules -type d -exec chmod 755 {} \; - ### install busybox cp $busybox/bin/busybox $out/usr/bin/ $out/usr/bin/busybox --list | xargs -I {} ln -sf busybox $out/usr/bin/{} 
@@ -150,11 +150,13 @@ cp -P $kmodLibs/lib/*.so* $out/usr/lib/ cp -P $kmodBin/bin/* $out/usr/bin ### install libbpf -cp -P $libbpf/lib/libbpf* $out/usr/lib +cp -P $libbpf/lib/libbpf*.so* $out/usr/lib ### install ca cert bundle -chmod 755 $out/etc/ssl +chmod 755 $out/etc/ssl $out/etc/ssl/certs cp -P $cacert/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/cert.pem +ln -sf ../cert.pem $out/etc/ssl/certs/ca-certificates.crt +ln -sf ../cert.pem $out/etc/ssl/certs/ca-bundle.crt # setup default files $systemd/usr/bin/systemd-hwdb --root=$out --usr update @@ -162,6 +164,13 @@ $systemd/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf - cp $out/usr/share/factory/etc/nsswitch.conf $out/etc/ cp $out/usr/share/factory/etc/locale.conf $out/etc/ cp $out/usr/share/factory/etc/vconsole.conf $out/etc/ +# install sys users +mkdir creds +echo -n $defaultPassword > creds/passwd.plaintext-password.root +CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' $systemd/usr/bin/systemd-sysusers --root=$out rootfs/usr/lib/sysusers.d/*.conf +chmod 600 $out/etc/shadow +rm -rf creds + # Ephemeral machine-id until registration ln -sf /run/machine-id $out/etc/machine-id @@ -171,7 +180,7 @@ rm -rf $out/usr/lib/pkgconfig ### Find and install all shared libs find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \ - grep -v systemd | grep -v glibc | grep -v openssl | grep -v tpm2 | grep -v devmapper | grep -v not | \ + grep -vE "(systemd|glibc|openssl|tpm2|devmapper)" | \ sort -u | xargs -I {} cp {} $out/usr/lib/ find $out -type f -executable -exec chmod 755 {} \; @@ -184,3 +193,8 @@ patchelf --remove-rpath $out/usr/lib/ld-linux-x86-64.so.2 # strip binaries find $out -type f -executable -exec strip {} \; find $out -type d -exec chmod 755 {} \; + +### install kernel modules +cp -r $kernel/lib/modules $out/usr/lib/ +find $out/usr/lib/modules -type d -exec chmod 755 {} \; + From 1fcc45dd321e75e130a6048f1cacaad33d94890c Mon Sep 17 00:00:00 2001 
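Review bot: The rewritten filter `grep -vE "(systemd|glibc|openssl|tpm2|devmapper)"` drops the old `grep -v not` term, so a dependency that `ldd` reports as `=> not found` now yields the token `not` from `awk '{print $3}'` and reaches `xargs -I {} cp {} $out/usr/lib/`, which fails on a nonexistent path instead of being skipped as before. Either add `|not` to the alternation to restore the previous behaviour, or, better, make an unresolved library an explicit build error, since a rootfs with a missing shared object is not something to silently ignore: e.g. a preceding `find $out -type f -executable -exec ldd {} \; | grep -q 'not found' && exit 1` style check (constructed example). The whole pipeline is visible in this hunk.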
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se>
Date: Fri, 14 Mar 2025 07:52:35 +0100
Subject: [PATCH 52/78] feat: add factory reset UKI
---
 pkgs/image/mkimage.sh | 25 ++++++++++++++++++++++---
 pkgs/rootfs/mkrootfs.sh | 4 ++--
 2 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/pkgs/image/mkimage.sh b/pkgs/image/mkimage.sh
index df56849..8c94348 100644
--- a/pkgs/image/mkimage.sh
+++ b/pkgs/image/mkimage.sh
@@ -74,21 +74,40 @@ $systemd/usr/bin/ukify build \
 --os-release @rootfs/etc/os-release \
 --cmdline "$kernelCmdLine roothash=$roothash" \
 -o patos_${version}.efi
+
+cat <<EOF > reset-os-release
+NAME=PatOS
+PRETTY_NAME=PatOS Factory Reset
+IMAGE_ID=patos
+ID=patos
+IMAGE_VERSION=${version}
+VERSION=${version}
+VERSION_ID=patos
+EOF
+
+$systemd/usr/bin/ukify build \
+ --linux $kernel/bzImage \
+ --initrd $initrd/initrd.xz \
+ --os-release @./reset-os-release \
+ --cmdline "$kernelCmdLine roothash=$roothash systemd.factory_reset=yes" \
+ -o patos_factory_reset.efi
 rm -rf rootfs
 cp patos_${version}.efi boot/
+cp patos_factory_reset.efi boot/
 cp ${systemd}/usr/lib/systemd/boot/efi/systemd-bootx64.efi boot/
-echo "timeout 1" > boot/loader.conf
+echo "timeout 2" > boot/loader.conf
 # Final partitioning
 cat <<EOF > final.repart.d/10-esp.conf
 [Partition]
 Type=esp
 Format=vfat
-SizeMinBytes=96M
-SizeMaxBytes=96M
+SizeMinBytes=160M
+SizeMaxBytes=160M
 CopyFiles=/boot/systemd-bootx64.efi:/EFI/BOOT/BOOTX64.EFI
 CopyFiles=/boot/patos_${version}.efi:/EFI/Linux/patos_${version}.efi
+CopyFiles=/boot/patos_factory_reset.efi:/EFI/Linux/patos_factory_reset.efi
 CopyFiles=/boot/loader.conf:/loader/loader.conf
 EOF
diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh
index 7e8df9e..3ccc93c 100644
--- a/pkgs/rootfs/mkrootfs.sh
+++ b/pkgs/rootfs/mkrootfs.sh
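Review bot: The factory-reset UKI is installed as an ordinary entry under `/EFI/Linux` with `systemd.factory_reset=yes` baked into its command line, and `echo "timeout 2" > boot/loader.conf` makes it selectable from the systemd-boot menu on every boot, so anyone with console access can trigger a factory reset (whatever the image's repart definitions mark for it) with no confirmation or authentication. Consider whether this entry belongs on production images at all, or at least add a comment above the second `ukify build` such as `# Factory-reset entry: intentionally reachable from the boot menu; wipes partitions marked for reset` so the exposure is a documented decision. A smaller point of style: the two `ukify build` invocations differ only in `--os-release` and one cmdline token, so a small shell function taking those two arguments would keep the remaining flags from drifting apart. The first `ukify build` call begins before this hunk.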
@@ -52,8 +52,8 @@ cat <<EOF > $out/etc/repart.d/10-esp.conf
 [Partition]
 Type=esp
 Format=vfat
-SizeMaxBytes=96M
-SizeMinBytes=96M
+SizeMaxBytes=160M
+SizeMinBytes=160M
 EOF
 cat <<EOF > $out/etc/repart.d/20-root-a.conf
From 1f1c93b775b3ef6d2b25fad3f475cb28b5be0783 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se>
Date: Fri, 14 Mar 2025 10:45:39 +0100
Subject: [PATCH 53/78] feat: enable secure boot
---
 pkgs/image/default.nix | 1 +
 pkgs/image/mkimage.sh | 37 ++++++++++++++++++++----------
 pkgs/systemd/default.nix | 2 ++
 pkgs/systemd/skip-verify-esp.patch | 24 +++++++++++++++++++
 4 files changed, 52 insertions(+), 12 deletions(-)
 create mode 100644 pkgs/systemd/skip-verify-esp.patch
diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix
index 74e0931..5612185 100644
--- a/pkgs/image/default.nix
+++ b/pkgs/image/default.nix
@@ -18,6 +18,7 @@ stdenvNoCC.mkDerivation (finalAttrs: {
 mtools
 e2fsprogs
 jq
+ openssl
 ];
 env = {
diff --git a/pkgs/image/mkimage.sh b/pkgs/image/mkimage.sh
index 8c94348..3e6ed9e 100644
--- a/pkgs/image/mkimage.sh
+++ b/pkgs/image/mkimage.sh
@@ -58,8 +58,7 @@ $systemd/usr/bin/systemd-repart \
 --split=true \
 --json=pretty \
 --root=$out \
- patos-$version.raw > init-repart-output.json
-rm -f patos-$version.raw
+ patos-$version.raw > init-repart-output.json && rm -f patos-$version.raw
 roothash=$(jq -r '.[0].roothash' init-repart-output.json)
 rootPart=$(jq -r '.[0].split_path' init-repart-output.json)
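Review bot: Joining the two commands as `patos-$version.raw > init-repart-output.json && rm -f patos-$version.raw` weakens error handling instead of tightening it: this script runs under `set -ex -o pipefail` (its first line, visible where the file is deleted later in the series), and a command on the left-hand side of `&&` is exempt from errexit, so a failing `systemd-repart` no longer aborts the build; the script then runs `jq` over an empty or partial JSON file and, most likely, continues with an empty `$roothash` into `ukify build`. With errexit the original two statements already left the raw file in place on failure, so the `&&` buys nothing; keep the two separate lines, or guard explicitly with `[ -s init-repart-output.json ] || exit 1` after the command if the output file's presence is what matters. The `systemd-repart` invocation starts before this hunk.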
@@ -91,12 +90,29 @@ $systemd/usr/bin/ukify build \
 --os-release @./reset-os-release \
 --cmdline "$kernelCmdLine roothash=$roothash systemd.factory_reset=yes" \
 -o patos_factory_reset.efi
-rm -rf rootfs
-cp patos_${version}.efi boot/
-cp patos_factory_reset.efi boot/
-cp ${systemd}/usr/lib/systemd/boot/efi/systemd-bootx64.efi boot/
-echo "timeout 2" > boot/loader.conf
+# Secure boot
+openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout key.pem -subj "/CN=patagia-signing"
+
+SYSTEMD_RELAX_ESP_CHECKS=1 $systemd/usr/bin/bootctl install --root ./rootfs --esp-path /boot \
+ --secure-boot-auto-enroll=true --certificate=./cert.pem --private-key=./key.pem
+
+# install UKIs
+cp patos_${version}.efi rootfs/boot/EFI/Linux
+cp patos_factory_reset.efi rootfs/boot/EFI/Linux
+
+# sign EFIs
+$systemd/usr/lib/systemd/systemd-sbsign sign --certificate=./cert.pem --private-key=./key.pem \
+ rootfs/boot/EFI/BOOT/BOOTX64.EFI --output=rootfs/boot/EFI/BOOT/BOOTX64.EFI
+
+$systemd/usr/lib/systemd/systemd-sbsign sign --certificate=./cert.pem --private-key=./key.pem \
+ rootfs/boot/EFI/Linux/patos_0.0.1.efi --output=rootfs/boot/EFI/Linux/patos_0.0.1.efi
+
+$systemd/usr/lib/systemd/systemd-sbsign sign --certificate=./cert.pem --private-key=./key.pem \
+ rootfs/boot/EFI/Linux/patos_factory_reset.efi --output=rootfs/boot/EFI/Linux/patos_factory_reset.efi
+
+echo "timeout 2" > rootfs/boot/loader/loader.conf
+echo "secure-boot-enroll force" >> rootfs/boot/loader/loader.conf
 # Final partitioning
 cat <<EOF > final.repart.d/10-esp.conf
@@ -105,10 +121,7 @@ Type=esp
 Format=vfat
 SizeMinBytes=160M
 SizeMaxBytes=160M
-CopyFiles=/boot/systemd-bootx64.efi:/EFI/BOOT/BOOTX64.EFI
-CopyFiles=/boot/patos_${version}.efi:/EFI/Linux/patos_${version}.efi
-CopyFiles=/boot/patos_factory_reset.efi:/EFI/Linux/patos_factory_reset.efi
-CopyFiles=/boot/loader.conf:/loader/loader.conf
+CopyFiles=/rootfs/boot:/
 EOF
 cat <<EOF > final.repart.d/20-root.conf
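Review bot: `openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout key.pem` creates a fresh, unencrypted signing key on every build, in the script's working directory, which is `$out` (the script does `pushd $out` near its top, outside this hunk), and nothing deletes `key.pem` afterwards — the closing `rm -rf rootfs` only removes the staging tree — so the private key that `--secure-boot-auto-enroll=true` plus `secure-boot-enroll force` turns into the device's PK/KEK/db ends up world-readable in the Nix store beside the image. Because the key is regenerated per build, each image enrolls a different trust root, so a device enrolled from one build will refuse the UKI of the next; a stable signing key held outside the build and passed in as a path is needed for updates to work at all. Independently of that, `rootfs/boot/EFI/Linux/patos_0.0.1.efi` is hard-coded where the neighbouring lines use `patos_${version}.efi`, so the UKI actually installed is not the one being signed once `version` changes. Until the key handling is fixed, a comment such as `# DEVELOPMENT ONLY: throwaway per-build key, enrolled with force; do not ship` above the `openssl req` line would keep this from being mistaken for a release path.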
@@ -142,6 +155,6 @@ $systemd/usr/bin/systemd-repart \
 --root=$out \
 patos-$version.raw > final-repart-output.json
-rm -rf boot
+rm -rf rootfs
 popd
diff --git a/pkgs/systemd/default.nix b/pkgs/systemd/default.nix
index b22d243..a1cb314 100644
--- a/pkgs/systemd/default.nix
+++ b/pkgs/systemd/default.nix
@@ -30,6 +30,8 @@ stdenv.mkDerivation (finalAttrs: {
 hash = "sha256-6rxJUYRq785U6aik5VhQRqG+Ss67lBB6T3eQF+tkyhk=";
 };
+ patches = [ ./skip-verify-esp.patch ];
+
 dontCheckForBrokenSymlinks = true;
 nativeBuildInputs = with pkgs; [
diff --git a/pkgs/systemd/skip-verify-esp.patch b/pkgs/systemd/skip-verify-esp.patch
new file mode 100644
index 0000000..2cb9505
--- /dev/null
+++ b/pkgs/systemd/skip-verify-esp.patch
@@ -0,0 +1,24 @@
+diff --git a/src/shared/find-esp.c b/src/shared/find-esp.c
+index f830d6dfe3..7ad2a8cd1d 100644
+--- a/src/shared/find-esp.c
++++ b/src/shared/find-esp.c
+@@ -403,15 +403,15 @@ static int verify_esp(
+ "File system \"%s\" is not a FAT EFI System Partition (ESP) file system.", p);
+ }
+ 
+- r = verify_fsroot_dir(pfd, p, flags, FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK) ? NULL : &devid);
+- if (r < 0)
+- return r;
+-
+ /* In a container we don't have access to block devices, skip this part of the verification, we trust
+ * the container manager set everything up correctly on its own. */
+ if (FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK))
+ goto finish;
+ 
++ r = verify_fsroot_dir(pfd, p, flags, FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK) ? NULL : &devid);
++ if (r < 0)
++ return r;
++
+ if (devnum_is_zero(devid))
+ return log_full_errno(searching ? LOG_DEBUG : LOG_ERR,
+ SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV),
From 7376743266d48b3c3db49c9c6fdb711a25b660c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se>
Date: Fri, 14 Mar 2025 15:13:31 +0100
Subject: [PATCH 54/78] chore: clean up
---
 pkgs/image/mkimage.sh | 30 +++++------------------------
 1 file changed, 5 insertions(+), 25 deletions(-)
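Review bot: `skip-verify-esp.patch` relaxes `verify_esp()` for every consumer of this systemd build, not just the build-time `bootctl install`: moving `verify_fsroot_dir()` below the `goto finish` means the check that the ESP path is a file-system root is skipped entirely whenever `VERIFY_ESP_SKIP_DEVICE_CHECK` is set (presumably what `SYSTEMD_RELAX_ESP_CHECKS=1` enables), whereas upstream still ran it with a NULL `devid`. Since the rootfs appears to be assembled from the same `patosPkgs.systemd` package (`systemd = patosPkgs.systemd.out` in pkgs/rootfs/default.nix earlier in this chunk), the weakened check also ships to the device, where `bootctl` and the boot-update tooling would then accept a non-root directory as an ESP under that flag. The patch has no preamble and `patches = [ ./skip-verify-esp.patch ];` has no comment; add one such as `# Build-time only: lets bootctl install --esp-path target a plain directory in the sandbox; must not ship in the runtime systemd` and, if feasible, apply it to a separate build-time-only systemd derivation so the runtime copy keeps the upstream verification.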
diff --git a/pkgs/image/mkimage.sh b/pkgs/image/mkimage.sh
index 3e6ed9e..1d14349 100644
--- a/pkgs/image/mkimage.sh
+++ b/pkgs/image/mkimage.sh
@@ -74,44 +74,24 @@ $systemd/usr/bin/ukify build \
 --cmdline "$kernelCmdLine roothash=$roothash" \
 -o patos_${version}.efi
-cat <<EOF > reset-os-release
-NAME=PatOS
-PRETTY_NAME=PatOS Factory Reset
-IMAGE_ID=patos
-ID=patos
-IMAGE_VERSION=${version}
-VERSION=${version}
-VERSION_ID=patos
-EOF
-
-$systemd/usr/bin/ukify build \
- --linux $kernel/bzImage \
- --initrd $initrd/initrd.xz \
- --os-release @./reset-os-release \
- --cmdline "$kernelCmdLine roothash=$roothash systemd.factory_reset=yes" \
- -o patos_factory_reset.efi
-
 # Secure boot
 openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout key.pem -subj "/CN=patagia-signing"
+# install ESP
 SYSTEMD_RELAX_ESP_CHECKS=1 $systemd/usr/bin/bootctl install --root ./rootfs --esp-path /boot \
 --secure-boot-auto-enroll=true --certificate=./cert.pem --private-key=./key.pem
-
-# install UKIs
-cp patos_${version}.efi rootfs/boot/EFI/Linux
-cp patos_factory_reset.efi rootfs/boot/EFI/Linux
+echo "timeout 2" > rootfs/boot/loader/loader.conf
 # sign EFIs
 $systemd/usr/lib/systemd/systemd-sbsign sign --certificate=./cert.pem --private-key=./key.pem \
 rootfs/boot/EFI/BOOT/BOOTX64.EFI --output=rootfs/boot/EFI/BOOT/BOOTX64.EFI
 $systemd/usr/lib/systemd/systemd-sbsign sign --certificate=./cert.pem --private-key=./key.pem \
- rootfs/boot/EFI/Linux/patos_0.0.1.efi --output=rootfs/boot/EFI/Linux/patos_0.0.1.efi
+ patos_${version}.efi --output=patos_${version}.efi
-$systemd/usr/lib/systemd/systemd-sbsign sign --certificate=./cert.pem --private-key=./key.pem \
- rootfs/boot/EFI/Linux/patos_factory_reset.efi --output=rootfs/boot/EFI/Linux/patos_factory_reset.efi
+# install UKI
+cp patos_${version}.efi rootfs/boot/EFI/Linux
-echo "timeout 2" > rootfs/boot/loader/loader.conf
 echo "secure-boot-enroll force" >> rootfs/boot/loader/loader.conf
 # Final partitioning
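Review bot: The commit is titled "chore: clean up" with no description, yet it removes the factory-reset UKI that the preceding commit added (the `reset-os-release` heredoc, the second `ukify build`, and its signing and install lines), so the history gives no reason for the feature's disappearance; the subject should say that the factory-reset entry was dropped and why. A second point: the UKI is now signed in place, `patos_${version}.efi --output=patos_${version}.efi`; it is worth confirming that `systemd-sbsign` reads the whole input before opening the output, since otherwise the file would be truncated, and signing to a distinct name and copying that into `rootfs/boot/EFI/Linux` avoids the question entirely. The per-build `openssl req` key generation raised on the earlier hunk is unchanged here.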
From b619c6f01d9d91e86e32fe5415bfd2ffe7094c4a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se>
Date: Sat, 15 Mar 2025 18:26:28 +0100
Subject: [PATCH 55/78] chore: remove result symlink
---
 pkgs/kernel/result | 1 -
 1 file changed, 1 deletion(-)
 delete mode 120000 pkgs/kernel/result
diff --git a/pkgs/kernel/result b/pkgs/kernel/result
deleted file mode 120000
index adacbb4..0000000
--- a/pkgs/kernel/result
+++ /dev/null
@@ -1 +0,0 @@
-/nix/store/kwigngi2rkbhd5qmhjaxla2wh3adm4ph-linux-6.13.4-patos1
\ No newline at end of file
From 1725120a49ac03c29562c085984c880441843a9b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se>
Date: Sat, 15 Mar 2025 18:49:38 +0100
Subject: [PATCH 56/78] chore: upgrade kernel
---
 pkgs/kernel/default.nix | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/pkgs/kernel/default.nix b/pkgs/kernel/default.nix
index c5dabce..edbfb65 100644
--- a/pkgs/kernel/default.nix
+++ b/pkgs/kernel/default.nix
@@ -1,14 +1,14 @@
-{ pkgs, lib, stdenv, ... }:
+{ pkgs }:
 let
- version = "6.13.4";
+ version = "6.13.7";
+ hash = "sha256-Ojm2IDi3rC9D0mofhLQoPhl4BOHoF61jfpo9h0xHgB0=";
 in
- (pkgs.callPackage ./manual-config.nix { }) {
- inherit lib stdenv;
+ (pkgs.callPackage ./manual-config.nix {}) {
 version = "${version}-patos1";
 modDirVersion = version;
 src = pkgs.fetchurl {
 url = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${version}.tar.xz";
- hash = "sha256-uA4LyO+8MenOWoTRCE3Mz6QOAb6ozCWv0GZIuT1hM54=";
+ hash = hash;
 };
 configfile = ./generic.config;
 allowImportFromDerivation = true;
From a3e2a970f896821f75c9f57962953d77c4c5a39a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Mon, 17 Mar 2025 10:18:30 +0100 Subject: [PATCH 57/78] chore: clean up --- flake.nix | 80 +- pkgs/cert/default.nix | 17 + pkgs/image/default.nix | 149 +++- pkgs/image/mkimage.sh | 140 --- pkgs/kernel/default.nix | 20 +- pkgs/kernel/generic.config | 7 +- pkgs/kernel/manual-config.nix | 981 ++++++++++++---------- pkgs/rootfs/default.nix | 38 - pkgs/rootfs/mkinitrd.nix | 67 +- pkgs/rootfs/mkinitrd.sh | 53 -- pkgs/rootfs/{mkrootfs.sh => mkrootfs.nix} | 65 +- 11 files changed, 845 insertions(+), 772 deletions(-) create mode 100644 pkgs/cert/default.nix delete mode 100644 pkgs/image/mkimage.sh delete mode 100644 pkgs/rootfs/default.nix delete mode 100644 pkgs/rootfs/mkinitrd.sh rename pkgs/rootfs/{mkrootfs.sh => mkrootfs.nix} (75%) diff --git a/flake.nix b/flake.nix index 5b1774f..2358ab1 100644 --- a/flake.nix +++ b/flake.nix @@ -22,22 +22,14 @@ { packages = { default = patosPkgs.image; - image = pkgs.callPackage ./pkgs/image { - inherit patosPkgs; - inherit version; - }; - rootfs = pkgs.callPackage ./pkgs/rootfs { - inherit patosPkgs; - inherit version; - }; - initrd = pkgs.callPackage ./pkgs/rootfs/mkinitrd.nix { - inherit patosPkgs; - inherit version; - }; + image = pkgs.callPackage ./pkgs/image { inherit patosPkgs version; }; + rootfs = pkgs.callPackage ./pkgs/rootfs/mkrootfs.nix { inherit patosPkgs version; }; + initrd = pkgs.callPackage ./pkgs/rootfs/mkinitrd.nix { inherit patosPkgs version; }; kernel = pkgs.callPackage ./pkgs/kernel { }; glibc = pkgs.callPackage ./pkgs/glibc { }; busybox = pkgs.callPackage ./pkgs/busybox { }; openssl = pkgs.callPackage ./pkgs/openssl { }; + cert = pkgs.callPackage ./pkgs/cert { }; kexec = pkgs.callPackage ./pkgs/kexec-tools { }; lvm2 = pkgs.callPackage ./pkgs/lvm2 { }; tpm2-tools = pkgs.callPackage ./pkgs/tpm2-tools { inherit patosPkgs; }; 
@@ -51,38 +43,38 @@ name = "debug-tools"; version = "0.0.1"; packages = [ - { drv = pkgs.curl; path = "bin/curl"; } - { drv = pkgs.bash; path = "bin/bash"; } - { drv = patosPkgs.glibc; path = "bin/ldd"; } - { drv = pkgs.keyutils; path = "bin/keyctl"; } - { drv = pkgs.gnutar; path = "bin/tar"; } - { drv = pkgs.binutils-unwrapped; path = "bin/strings"; } - { drv = pkgs.strace; path = "bin/strace"; } - { drv = patosPkgs.tpm2-tools; path = "bin/tpm2"; } - { drv = patosPkgs.openssl; path = "bin/openssl"; } - { drv = pkgs.cryptsetup; path = "bin/cryptsetup"; } - { drv = pkgs.cryptsetup; path = "bin/veritysetup"; } - { drv = pkgs.erofs-utils; path = "bin/mkfs.erofs"; } - # shared lib required for cryptsetup - { drv = pkgs.popt; path = "lib/libpopt.so.0.0.2"; } - { drv = pkgs.popt; path = "lib/libpopt.so.0"; } - { drv = pkgs.popt; path = "lib/libpopt.so"; } - # shared lib required for mkfs.erofs - { drv = pkgs.lz4.lib; path = "lib/liblz4.so.1.10.0"; } - { drv = pkgs.lz4.lib; path = "lib/liblz4.so.1"; } - { drv = pkgs.lz4.lib; path = "lib/liblz4.so"; } - # shared lib required for binutils - { drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1.0.0"; } - { drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1"; } - { drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd-2.43.1.so"; } - { drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd.so"; } - # shared lib required for strace - { drv = pkgs.elfutils.out; path = "lib/libdw-0.192.so"; } - { drv = pkgs.elfutils.out; path = "lib/libdw.so.1"; } - { drv = pkgs.elfutils.out; path = "lib/libdw.so"; } - { drv = pkgs.elfutils.out; path = "lib/libelf-0.192.so"; } - { drv = pkgs.elfutils.out; path = "lib/libelf.so.1"; } - { drv = pkgs.elfutils.out; path = "lib/libelf.so"; } + { drv = pkgs.curl; path = "bin/curl"; } + { drv = pkgs.bash; path = "bin/bash"; } + { drv = patosPkgs.glibc; path = "bin/ldd"; } + { drv = pkgs.keyutils; path = "bin/keyctl"; } + { drv = pkgs.gnutar; path = "bin/tar"; } + { drv = 
pkgs.binutils-unwrapped; path = "bin/strings"; } + { drv = pkgs.strace; path = "bin/strace"; } + { drv = patosPkgs.tpm2-tools; path = "bin/tpm2"; } + { drv = patosPkgs.openssl; path = "bin/openssl"; } + { drv = pkgs.cryptsetup; path = "bin/cryptsetup"; } + { drv = pkgs.cryptsetup; path = "bin/veritysetup"; } + { drv = pkgs.erofs-utils; path = "bin/mkfs.erofs"; } + # shared lib required for cryptsetup + { drv = pkgs.popt; path = "lib/libpopt.so.0.0.2"; } + { drv = pkgs.popt; path = "lib/libpopt.so.0"; } + { drv = pkgs.popt; path = "lib/libpopt.so"; } + # shared lib required for mkfs.erofs + { drv = pkgs.lz4.lib; path = "lib/liblz4.so.1.10.0"; } + { drv = pkgs.lz4.lib; path = "lib/liblz4.so.1"; } + { drv = pkgs.lz4.lib; path = "lib/liblz4.so"; } + # shared lib required for binutils + { drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1.0.0"; } + { drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1"; } + { drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd-2.43.1.so"; } + { drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd.so"; } + # shared lib required for strace + { drv = pkgs.elfutils.out; path = "lib/libdw-0.192.so"; } + { drv = pkgs.elfutils.out; path = "lib/libdw.so.1"; } + { drv = pkgs.elfutils.out; path = "lib/libdw.so"; } + { drv = pkgs.elfutils.out; path = "lib/libelf-0.192.so"; } + { drv = pkgs.elfutils.out; path = "lib/libelf.so.1"; } + { drv = pkgs.elfutils.out; path = "lib/libelf.so"; } ]; }; }; diff --git a/pkgs/cert/default.nix b/pkgs/cert/default.nix new file mode 100644 index 0000000..f3237e9 --- /dev/null +++ b/pkgs/cert/default.nix @@ -0,0 +1,17 @@ +{ + runCommand, + pkgs, + +}: + +runCommand "patagia-certs" + { + buildInputs = with pkgs; [ + openssl + ]; + + } + '' + mkdir -pv $out + openssl req -new -x509 -days 365 -nodes -out $out/cert.pem -keyout $out/key.pem -subj "/CN=patagia-signing" + '' diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix index 5612185..7d5f565 100644 --- a/pkgs/image/default.nix 
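Review bot: `runCommand "patagia-certs"` writes `key.pem`, the Secure Boot signing private key, into `$out`, i.e. into the world-readable Nix store, and because `openssl req` draws fresh randomness the derivation is non-reproducible: every rebuild (and every machine evaluating it without a cached result) produces a different trust root, while any binary cache the outputs are pushed to would hand out the private key. The key should be supplied from outside the build (a path or secret available only at image-signing time) with nothing but `cert.pem` in the store; until then, add a header comment such as `# Throwaway self-signed key for local development images only; outputs must not be cached or used for released images` above `runCommand`, and keep this derivation out of any shared cache. As a point of style, the `{ runCommand, pkgs, }` argument set contains a stray blank line, and `buildInputs = with pkgs; [ openssl ];` could be `nativeBuildInputs` since openssl is only executed at build time.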
+++ b/pkgs/image/default.nix
@@ -1,16 +1,15 @@
 {
 pkgs,
- stdenvNoCC,
 patosPkgs,
 version,
+ runCommand,
 ...
 }:
 let
 pname = "patos-image";
 in
-stdenvNoCC.mkDerivation (finalAttrs: {
+runCommand pname {
 inherit version;
- inherit pname;
 buildInputs = with pkgs; [
 erofs-utils
@@ -27,12 +26,142 @@ stdenvNoCC.mkDerivation (finalAttrs: { SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root"; # -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking"; }; - systemd = patosPkgs.systemd.out; - kernel = patosPkgs.kernel; - initrd = patosPkgs.initrd.out; - rootfs = patosPkgs.rootfs.out; - kernelCmdLine = "console=ttyS0"; +} +'' +mkdir -p $out/init.repart.d $out/final.repart.d $out/boot +pushd $out - builder = ./mkimage.sh; -}) +# Don't seem to work just to create a symlink to rootfs derivation? +# ln -sf $rootfs rootfs +mkdir rootfs +cp -prP ${patosPkgs.rootfs}/* rootfs/ +find rootfs/ -type d -exec chmod 755 {} \; + +# set default target to multi-user +ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target + +# enable dbus +ln -sf ../dbus.service rootfs/usr/lib/systemd/system/multi-user.target.wants/dbus.service +ln -sf ../dbus.socket rootfs/usr/lib/systemd/system/sockets.target.wants/dbus.socket + +# enable network services +ln -sf ../systemd-networkd.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-networkd.service +ln -sf ../systemd-resolved.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-resolved.service +ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.target.wants/systemd-timesyncd.service +# enable default network config +mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/systemd/network/89-ethernet.network + +# enable confext/sysext services +ln -sf ../systemd-confext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-confext.service +ln -sf ../systemd-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-sysext.service + +# Initial partitioning +cat <<EOF > init.repart.d/10-root.conf +[Partition] +Type=root +Format=erofs +Minimize=best +CopyFiles=/rootfs:/ +Verity=data +VerityMatchKey=root +SplitName=root +EOF + +cat <<EOF > init.repart.d/20-root-verity.conf +[Partition] +Type=root-verity +Verity=hash 
+VerityMatchKey=root +Minimize=best +SplitName=verity +EOF + +#TODO: Add verity signature partition + +${patosPkgs.systemd}/usr/bin/systemd-repart \ + --no-pager \ + --empty=create \ + --size=auto \ + --definitions=./init.repart.d \ + --split=true \ + --json=pretty \ + --root=$out \ + patos-$version.raw > init-repart-output.json && rm -f patos-$version.raw + +roothash=$(jq -r '.[0].roothash' init-repart-output.json) +rootPart=$(jq -r '.[0].split_path' init-repart-output.json) +rootUuid=$(jq -r '.[0].uuid' init-repart-output.json) + +verityPart=$(jq -r '.[1].split_path' init-repart-output.json) +verityUuid=$(jq -r '.[1].uuid' init-repart-output.json) + +${patosPkgs.systemd}/usr/bin/ukify build \ + --linux ${patosPkgs.kernel}/bzImage \ + --initrd ${patosPkgs.initrd}/initrd.xz \ + --os-release @rootfs/etc/os-release \ + --cmdline "$kernelCmdLine roothash=$roothash" \ + -o patos_${version}.efi + +# install ESP +SYSTEMD_RELAX_ESP_CHECKS=1 ${patosPkgs.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot \ + --secure-boot-auto-enroll=true --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem +echo "timeout 2" > rootfs/boot/loader/loader.conf + +# sign EFIs +${patosPkgs.systemd}/usr/lib/systemd/systemd-sbsign sign --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem \ + rootfs/boot/EFI/BOOT/BOOTX64.EFI --output=rootfs/boot/EFI/BOOT/BOOTX64.EFI + +${patosPkgs.systemd}/usr/lib/systemd/systemd-sbsign sign --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem \ + patos_${version}.efi --output=patos_${version}.efi + +# install UKI +cp patos_${version}.efi rootfs/boot/EFI/Linux + +echo "secure-boot-enroll force" >> rootfs/boot/loader/loader.conf + +# Final partitioning +cat <<EOF > final.repart.d/10-esp.conf +[Partition] +Type=esp +Format=vfat +SizeMinBytes=160M +SizeMaxBytes=160M +CopyFiles=/rootfs/boot:/ +EOF + +cat <<EOF > final.repart.d/20-root.conf +[Partition] +Type=root 
+Label=root-${version} +CopyBlocks=/$rootPart +UUID=$rootUuid +SizeMinBytes=256M +SizeMaxBytes=256M +ReadOnly=1 +EOF + +cat <<EOF > final.repart.d/22-root-verity.conf +[Partition] +Type=root-verity +Label=verity-${version} +CopyBlocks=/$verityPart +UUID=$verityUuid +SizeMinBytes=10M +SizeMaxBytes=10M +ReadOnly=1 +EOF + +# finalize image ready for boot +${patosPkgs.systemd}/usr/bin/systemd-repart \ + --no-pager \ + --empty=create \ + --size=auto \ + --definitions=./final.repart.d \ + --root=$out \ + patos-$version.raw > final-repart-output.json + +rm -rf rootfs + +popd +'' diff --git a/pkgs/image/mkimage.sh b/pkgs/image/mkimage.sh deleted file mode 100644 index 1d14349..0000000 --- a/pkgs/image/mkimage.sh +++ /dev/null 
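Review bot: `--cmdline "$kernelCmdLine roothash=$roothash"` still expands the shell variable `$kernelCmdLine`, but this hunk removes the `kernelCmdLine = "console=ttyS0";` attribute that used to export it and the new `runCommand` attribute set, opened in the previous hunk, does not define a replacement anywhere visible, so unless it is set elsewhere the UKI's command line silently loses `console=ttyS0`. Either restore `kernelCmdLine = "console=ttyS0";` in the attribute set, or inline it as `--cmdline "console=ttyS0 roothash=$roothash"`; a comment like `# kernelCmdLine is exported by the derivation attribute above` would make the dependency explicit if the attribute form is kept. The trust-root concern raised on pkgs/cert applies here as well: `--private-key=${patosPkgs.cert}/key.pem` signs every EFI binary with a key read from the Nix store, and `secure-boot-enroll force` enrolls the matching certificate on any device in setup mode.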
@@ -1,140 +0,0 @@ -set -ex -o pipefail - -mkdir -p $out/init.repart.d $out/final.repart.d $out/boot -pushd $out - -# Don't seem to work just to create a symlink to rootfs derivation? -# ln -sf $rootfs rootfs -mkdir rootfs -cp -prP $rootfs/* rootfs/ -find rootfs/ -type d -exec chmod 755 {} \; - -# set default target to multi-user -ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target - -# enable dbus -ln -sf ../dbus.service rootfs/usr/lib/systemd/system/multi-user.target.wants/dbus.service -ln -sf ../dbus.socket rootfs/usr/lib/systemd/system/sockets.target.wants/dbus.socket - -# enable network services -ln -sf ../systemd-networkd.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-networkd.service -ln -sf ../systemd-resolved.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-resolved.service -ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.target.wants/systemd-timesyncd.service -# enable default network config -mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/systemd/network/89-ethernet.network - -# enable confext/sysext services -ln -sf ../systemd-confext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-confext.service -ln -sf ../systemd-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-sysext.service - -# Initial partitioning -cat <<EOF > init.repart.d/10-root.conf -[Partition] -Type=root -Format=erofs -Minimize=best -CopyFiles=/rootfs:/ -Verity=data -VerityMatchKey=root -SplitName=root -EOF - -cat <<EOF > init.repart.d/20-root-verity.conf -[Partition] -Type=root-verity -Verity=hash -VerityMatchKey=root -Minimize=best -SplitName=verity -EOF - -#TODO: Add verity signature partition - -$systemd/usr/bin/systemd-repart \ - --no-pager \ - --empty=create \ - --size=auto \ - --definitions=./init.repart.d \ - --split=true \ - --json=pretty \ - --root=$out \ - patos-$version.raw > init-repart-output.json && rm -f 
patos-$version.raw - -roothash=$(jq -r '.[0].roothash' init-repart-output.json) -rootPart=$(jq -r '.[0].split_path' init-repart-output.json) -rootUuid=$(jq -r '.[0].uuid' init-repart-output.json) - -verityPart=$(jq -r '.[1].split_path' init-repart-output.json) -verityUuid=$(jq -r '.[1].uuid' init-repart-output.json) - -$systemd/usr/bin/ukify build \ - --linux $kernel/bzImage \ - --initrd $initrd/initrd.xz \ - --os-release @rootfs/etc/os-release \ - --cmdline "$kernelCmdLine roothash=$roothash" \ - -o patos_${version}.efi - -# Secure boot -openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout key.pem -subj "/CN=patagia-signing" - -# install ESP -SYSTEMD_RELAX_ESP_CHECKS=1 $systemd/usr/bin/bootctl install --root ./rootfs --esp-path /boot \ - --secure-boot-auto-enroll=true --certificate=./cert.pem --private-key=./key.pem -echo "timeout 2" > rootfs/boot/loader/loader.conf - -# sign EFIs -$systemd/usr/lib/systemd/systemd-sbsign sign --certificate=./cert.pem --private-key=./key.pem \ - rootfs/boot/EFI/BOOT/BOOTX64.EFI --output=rootfs/boot/EFI/BOOT/BOOTX64.EFI - -$systemd/usr/lib/systemd/systemd-sbsign sign --certificate=./cert.pem --private-key=./key.pem \ - patos_${version}.efi --output=patos_${version}.efi - -# install UKI -cp patos_${version}.efi rootfs/boot/EFI/Linux - -echo "secure-boot-enroll force" >> rootfs/boot/loader/loader.conf - -# Final partitioning -cat <<EOF > final.repart.d/10-esp.conf -[Partition] -Type=esp -Format=vfat -SizeMinBytes=160M -SizeMaxBytes=160M -CopyFiles=/rootfs/boot:/ -EOF - -cat <<EOF > final.repart.d/20-root.conf -[Partition] -Type=root -Label=root-${version} -CopyBlocks=/${rootPart} -UUID=${rootUuid} -SizeMinBytes=256M -SizeMaxBytes=256M -ReadOnly=1 -EOF - -cat <<EOF > final.repart.d/22-root-verity.conf -[Partition] -Type=root-verity -Label=verity-${version} -CopyBlocks=/${verityPart} -UUID=${verityUuid} -SizeMinBytes=10M -SizeMaxBytes=10M -ReadOnly=1 -EOF - -# finalize image ready for boot -$systemd/usr/bin/systemd-repart \ - 
 --no-pager \
- --empty=create \
- --size=auto \
- --definitions=./final.repart.d \
- --root=$out \
- patos-$version.raw > final-repart-output.json
-
-rm -rf rootfs
-
-popd
diff --git a/pkgs/kernel/default.nix b/pkgs/kernel/default.nix
index edbfb65..a5f24db 100644
--- a/pkgs/kernel/default.nix
+++ b/pkgs/kernel/default.nix
@@ -3,13 +3,13 @@ let
 version = "6.13.7";
 hash = "sha256-Ojm2IDi3rC9D0mofhLQoPhl4BOHoF61jfpo9h0xHgB0=";
 in
- (pkgs.callPackage ./manual-config.nix {}) {
- version = "${version}-patos1";
- modDirVersion = version;
- src = pkgs.fetchurl {
- url = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${version}.tar.xz";
- hash = hash;
- };
- configfile = ./generic.config;
- allowImportFromDerivation = true;
- }
+(pkgs.callPackage ./manual-config.nix { }) {
+ version = "${version}-patos1";
+ modDirVersion = version;
+ src = pkgs.fetchurl {
+ url = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${version}.tar.xz";
+ hash = hash;
+ };
+ configfile = ./generic.config;
+ allowImportFromDerivation = true;
+}
diff --git a/pkgs/kernel/generic.config b/pkgs/kernel/generic.config
index 647bf91..048421b 100644
--- a/pkgs/kernel/generic.config
+++ b/pkgs/kernel/generic.config
@@ -522,10 +522,6 @@ CONFIG_DEBUG_BUGVERBOSE=y
 CONFIG_DEBUG_ENTRY=y
 CONFIG_DEBUG_FS_ALLOW_ALL=y
 CONFIG_DEBUG_FS=y
-#CONFIG_DEBUG_INFO_BTF_MODULES=y
-#CONFIG_DEBUG_INFO_BTF=y
-#CONFIG_DEBUG_INFO_COMPRESSED_NONE=y
-#CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
 CONFIG_DEBUG_INFO=n
 CONFIG_DEBUG_KERNEL=y
 CONFIG_DEBUG_LIST=y
@@ -1401,9 +1397,8 @@ CONFIG_MODULE_FORCE_UNLOAD=y
 CONFIG_MODULE_SRCVERSION_ALL=y
 CONFIG_MODULE_UNLOAD=y
 CONFIG_MODULE_SIG=y
-CONFIG_MODULE_SIG_FORCE=n
+CONFIG_MODULE_SIG_FORCE=y
 CONFIG_MODULE_SIG_ALL=y
-CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
 CONFIG_MODULES_TREE_LOOKUP=y
 CONFIG_MODULES_USE_ELF_RELA=y
 CONFIG_MODULES=y
diff --git a/pkgs/kernel/manual-config.nix b/pkgs/kernel/manual-config.nix
index ffcf758..9f1ba99 100644
--- a/pkgs/kernel/manual-config.nix
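Review bot: `CONFIG_MODULE_SIG_FORCE=y` in the second generic.config hunk makes the kernel refuse any module not signed with the build's key, but the hunk leaves it undocumented where that key now comes from: the removed `CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"` line was the kbuild default, so dropping it only means the key is whatever kbuild finds or generates at `certs/signing_key.pem` during the build. If that key is generated per build and not retained, the `$dev` output produced by manual-config.nix cannot sign out-of-tree modules that this kernel will accept, and two builds of the same config will sign with different keys (inferred from this hunk alone; confirm against the kernel build output). Worth recording the decision next to the option, e.g. `# Module signing key: generated by kbuild at build time; only modules built in the same derivation will load`, or pointing CONFIG_MODULE_SIG_KEY at a key the build supplies deliberately. The hash selection (`CONFIG_MODULE_SIG_HASH` / `CONFIG_MODULE_SIG_SHA*`) is outside the hunk and should be reviewed together with this change.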
+++ b/pkgs/kernel/manual-config.nix 
@@ -1,465 +1,576 @@ -{ lib, stdenv, buildPackages, runCommand, nettools, bc, bison, flex, perl, rsync, gmp, libmpc, mpfr, openssl -, cpio, elfutils, hexdump, zstd, python3Minimal, zlib, pahole, kmod, ubootTools -, fetchpatch -, rustc, rust-bindgen, rustPlatform +{ + lib, + stdenv, + buildPackages, + runCommand, + nettools, + bc, + bison, + flex, + perl, + rsync, + gmp, + libmpc, + mpfr, + openssl, + cpio, + elfutils, + hexdump, + zstd, + python3Minimal, + zlib, + pahole, + kmod, + ubootTools, + fetchpatch, + rustc, + rust-bindgen, + rustPlatform, }: let lib_ = lib; stdenv_ = stdenv; - readConfig = configfile: import (runCommand "config.nix" {} '' - echo "{" > "$out" - while IFS='=' read key val; do - [ "x''${key#CONFIG_}" != "x$key" ] || continue - no_firstquote="''${val#\"}"; - echo ' "'"$key"'" = "'"''${no_firstquote%\"}"'";' >> "$out" - done < "${configfile}" - echo "}" >> $out - '').outPath; -in lib.makeOverridable ({ - # The kernel version - version, - # The kernel pname (should be set for variants) - pname ? "linux", - # Position of the Linux build expression - pos ? null, - # Additional kernel make flags - extraMakeFlags ? [], - # The name of the kernel module directory - # Needs to be X.Y.Z[-extra], so pad with zeros if needed. - modDirVersion ? null /* derive from version */, - # The kernel source (tarball, git checkout, etc.) - src, - # a list of { name=..., patch=..., extraConfig=...} patches - kernelPatches ? [], - # The kernel .config file - configfile, - # Manually specified nixexpr representing the config - # If unspecified, this will be autodetected from the .config - config ? lib.optionalAttrs allowImportFromDerivation (readConfig configfile), - # Custom seed used for CONFIG_GCC_PLUGIN_RANDSTRUCT if enabled. This is - # automatically extended with extra per-version and per-config values. - randstructSeed ? "", - # Extra meta attributes - extraMeta ? {}, - - # for module compatibility - isZen ? false, - isLibre ? false, - isHardened ? 
false, - - # Whether to utilize the controversial import-from-derivation feature to parse the config - allowImportFromDerivation ? false, - # ignored - features ? null, lib ? lib_, stdenv ? stdenv_, -}: - -let - # Provide defaults. Note that we support `null` so that callers don't need to use optionalAttrs, - # which can lead to unnecessary strictness and infinite recursions. - modDirVersion_ = if modDirVersion == null then lib.versions.pad 3 version else modDirVersion; + readConfig = + configfile: + import + (runCommand "config.nix" { } '' + echo "{" > "$out" + while IFS='=' read key val; do + [ "x''${key#CONFIG_}" != "x$key" ] || continue + no_firstquote="''${val#\"}"; + echo ' "'"$key"'" = "'"''${no_firstquote%\"}"'";' >> "$out" + done < "${configfile}" + echo "}" >> $out + '').outPath; in -let - # Shadow the un-defaulted parameter; don't want null. - modDirVersion = modDirVersion_; - inherit (lib) - hasAttr getAttr optional optionals optionalString optionalAttrs maintainers platforms; +lib.makeOverridable ( + { + # The kernel version + version, + # The kernel pname (should be set for variants) + pname ? "linux", + # Position of the Linux build expression + pos ? null, + # Additional kernel make flags + extraMakeFlags ? [ ], + # The name of the kernel module directory + # Needs to be X.Y.Z[-extra], so pad with zeros if needed. + modDirVersion ? null, # derive from version + # The kernel source (tarball, git checkout, etc.) + src, + # a list of { name=..., patch=..., extraConfig=...} patches + kernelPatches ? [ ], + # The kernel .config file + configfile, + # Manually specified nixexpr representing the config + # If unspecified, this will be autodetected from the .config + config ? lib.optionalAttrs allowImportFromDerivation (readConfig configfile), + # Custom seed used for CONFIG_GCC_PLUGIN_RANDSTRUCT if enabled. This is + # automatically extended with extra per-version and per-config values. + randstructSeed ? "", + # Extra meta attributes + extraMeta ? 
{ }, - drvAttrs = config_: kernelConf: kernelPatches: configfile: - let - # Folding in `ubootTools` in the default nativeBuildInputs is problematic, as - # it makes updating U-Boot cumbersome, since it will go above the current - # threshold of rebuilds - # - # To prevent these needless rounds of staging for U-Boot builds, we can - # limit the inclusion of ubootTools to target platforms where uImage *may* - # be produced. - # - # This command lists those (kernel-named) platforms: - # .../linux $ grep -l uImage ./arch/*/Makefile | cut -d'/' -f3 | sort - # - # This is still a guesstimation, but since none of our cached platforms - # coincide in that list, this gives us "perfect" decoupling here. - linuxPlatformsUsingUImage = [ - "arc" - "arm" - "csky" - "mips" - "powerpc" - "sh" - "sparc" - "xtensa" - ]; - needsUbootTools = - lib.elem stdenv.hostPlatform.linuxArch linuxPlatformsUsingUImage + # for module compatibility + isZen ? false, + isLibre ? false, + isHardened ? false, + + # Whether to utilize the controversial import-from-derivation feature to parse the config + allowImportFromDerivation ? false, + # ignored + features ? null, + lib ? lib_, + stdenv ? stdenv_, + }: + + let + # Provide defaults. Note that we support `null` so that callers don't need to use optionalAttrs, + # which can lead to unnecessary strictness and infinite recursions. + modDirVersion_ = if modDirVersion == null then lib.versions.pad 3 version else modDirVersion; + in + let + # Shadow the un-defaulted parameter; don't want null. 
+ modDirVersion = modDirVersion_; + inherit (lib) + hasAttr + getAttr + optional + optionals + optionalString + optionalAttrs + maintainers + platforms ; - config = let attrName = attr: "CONFIG_" + attr; in { - isSet = attr: hasAttr (attrName attr) config; + drvAttrs = + config_: kernelConf: kernelPatches: configfile: + let + # Folding in `ubootTools` in the default nativeBuildInputs is problematic, as + # it makes updating U-Boot cumbersome, since it will go above the current + # threshold of rebuilds + # + # To prevent these needless rounds of staging for U-Boot builds, we can + # limit the inclusion of ubootTools to target platforms where uImage *may* + # be produced. + # + # This command lists those (kernel-named) platforms: + # .../linux $ grep -l uImage ./arch/*/Makefile | cut -d'/' -f3 | sort + # + # This is still a guesstimation, but since none of our cached platforms + # coincide in that list, this gives us "perfect" decoupling here. + linuxPlatformsUsingUImage = [ + "arc" + "arm" + "csky" + "mips" + "powerpc" + "sh" + "sparc" + "xtensa" + ]; + needsUbootTools = lib.elem stdenv.hostPlatform.linuxArch linuxPlatformsUsingUImage; - getValue = attr: if config.isSet attr then getAttr (attrName attr) config else null; + config = + let + attrName = attr: "CONFIG_" + attr; + in + { + isSet = attr: hasAttr (attrName attr) config; - isYes = attr: (config.getValue attr) == "y"; + getValue = attr: if config.isSet attr then getAttr (attrName attr) config else null; - isNo = attr: (config.getValue attr) == "n"; + isYes = attr: (config.getValue attr) == "y"; - isModule = attr: (config.getValue attr) == "m"; + isNo = attr: (config.getValue attr) == "n"; - isEnabled = attr: (config.isModule attr) || (config.isYes attr); + isModule = attr: (config.getValue attr) == "m"; - isDisabled = attr: (!(config.isSet attr)) || (config.isNo attr); - } // config_; + isEnabled = attr: (config.isModule attr) || (config.isYes attr); - isModular = config.isYes "MODULES"; - withRust = 
config.isYes "RUST"; + isDisabled = attr: (!(config.isSet attr)) || (config.isNo attr); + } + // config_; - buildDTBs = kernelConf.DTB or false; + isModular = config.isYes "MODULES"; + withRust = config.isYes "RUST"; - # Dependencies that are required to build kernel modules - moduleBuildDependencies = [ - pahole - perl - elfutils - # module makefiles often run uname commands to find out the kernel version - (buildPackages.deterministic-uname.override { inherit modDirVersion; }) - ] - ++ optional (lib.versionAtLeast version "5.13") zstd - ++ optionals withRust [ rustc rust-bindgen ] - ; + buildDTBs = kernelConf.DTB or false; - in (optionalAttrs isModular { outputs = [ "out" "dev" ]; }) // { - passthru = rec { - inherit version modDirVersion config kernelPatches configfile - moduleBuildDependencies stdenv; - inherit isZen isHardened isLibre withRust; - isXen = lib.warn "The isXen attribute is deprecated. All Nixpkgs kernels that support it now have Xen enabled." true; - baseVersion = lib.head (lib.splitString "-rc" version); - kernelOlder = lib.versionOlder baseVersion; - kernelAtLeast = lib.versionAtLeast baseVersion; + # Dependencies that are required to build kernel modules + moduleBuildDependencies = + [ + pahole + perl + elfutils + # module makefiles often run uname commands to find out the kernel version + (buildPackages.deterministic-uname.override { inherit modDirVersion; }) + ] + ++ optional (lib.versionAtLeast version "5.13") zstd + ++ optionals withRust [ + rustc + rust-bindgen + ]; + + in + (optionalAttrs isModular { + outputs = [ + "out" + "dev" + ]; + }) + // { + passthru = rec { + inherit + version + modDirVersion + config + kernelPatches + configfile + moduleBuildDependencies + stdenv + ; + inherit + isZen + isHardened + isLibre + withRust + ; + isXen = lib.warn "The isXen attribute is deprecated. All Nixpkgs kernels that support it now have Xen enabled." 
true; + baseVersion = lib.head (lib.splitString "-rc" version); + kernelOlder = lib.versionOlder baseVersion; + kernelAtLeast = lib.versionAtLeast baseVersion; + }; + + inherit src; + + depsBuildBuild = [ buildPackages.stdenv.cc ]; + nativeBuildInputs = + [ + bison + flex + perl + bc + nettools + openssl + rsync + gmp + libmpc + mpfr + elfutils + zstd + python3Minimal + kmod + hexdump + ] + ++ optional needsUbootTools ubootTools + ++ optionals (lib.versionAtLeast version "5.2") [ + cpio + pahole + zlib + ] + ++ optionals withRust [ + rustc + rust-bindgen + ]; + + RUST_LIB_SRC = lib.optionalString withRust rustPlatform.rustLibSrc; + + # avoid leaking Rust source file names into the final binary, which adds + # a false dependency on rust-lib-src on targets with uncompressed kernels + KRUSTFLAGS = lib.optionalString withRust "--remap-path-prefix ${rustPlatform.rustLibSrc}=/"; + + # patches = + # map (p: p.patch) kernelPatches + # # Required for deterministic builds along with some postPatch magic. + # ++ optional (lib.versionOlder version "5.19") ./randstruct-provide-seed.patch + # ++ optional (lib.versionAtLeast version "5.19") ./randstruct-provide-seed-5.19.patch + # # Linux 5.12 marked certain PowerPC-only symbols as GPL, which breaks + # # OpenZFS; this was fixed in Linux 5.19 so we backport the fix + # # https://github.com/openzfs/zfs/pull/13367 + # ++ optional (lib.versionAtLeast version "5.12" && + # lib.versionOlder version "5.19" && + # stdenv.hostPlatform.isPower) + # (fetchpatch { + # url = "https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/patch/?id=d9e5c3e9e75162f845880535957b7fd0b4637d23"; + # hash = "sha256-bBOyJcP6jUvozFJU0SPTOf3cmnTQ6ZZ4PlHjiniHXLU="; + # }); + + postPatch = '' + # Ensure that depmod gets resolved through PATH + sed -i Makefile -e 's|= /sbin/depmod|= depmod|' + + # Some linux-hardened patches now remove certain files in the scripts directory, so the file may not exist. 
+ [[ -f scripts/ld-version.sh ]] && patchShebangs scripts/ld-version.sh + + # Set randstruct seed to a deterministic but diversified value. Note: + # we could have instead patched gen-random-seed.sh to take input from + # the buildFlags, but that would require also patching the kernel's + # toplevel Makefile to add a variable export. This would be likely to + # cause future patch conflicts. + # for file in scripts/gen-randstruct-seed.sh scripts/gcc-plugins/gen-random-seed.sh; do + # if [ -f "$file" ]; then + # substituteInPlace "$file" \ + # --replace NIXOS_RANDSTRUCT_SEED \ + # $(echo ${randstructSeed}${src} ${placeholder "configfile"} | sha256sum | cut -d ' ' -f 1 | tr -d '\n') + # break + # fi + # done + + patchShebangs scripts + + # also patch arch-specific install scripts + for i in $(find arch -name install.sh); do + patchShebangs "$i" + done + + # unset $src because the build system tries to use it and spams a bunch of warnings + # see: https://github.com/torvalds/linux/commit/b1992c3772e69a6fd0e3fc81cd4d2820c8b6eca0 + unset src + ''; + + configurePhase = '' + runHook preConfigure + + mkdir build + export buildRoot="$(pwd)/build" + + echo "manual-config configurePhase buildRoot=$buildRoot pwd=$PWD" + + if [ -f "$buildRoot/.config" ]; then + echo "Could not link $buildRoot/.config : file exists" + exit 1 + fi + ln -sv ${configfile} $buildRoot/.config + + # reads the existing .config file and prompts the user for options in + # the current kernel source that are not found in the file. 
+ make $makeFlags "''${makeFlagsArray[@]}" oldconfig + runHook postConfigure + + make $makeFlags "''${makeFlagsArray[@]}" prepare + actualModDirVersion="$(cat $buildRoot/include/config/kernel.release)" + if [ "$actualModDirVersion" != "${modDirVersion}" ]; then + echo "Error: modDirVersion ${modDirVersion} specified in the Nix expression is wrong, it should be: $actualModDirVersion" + exit 1 + fi + + buildFlagsArray+=("KBUILD_BUILD_TIMESTAMP=$(date -u -d @$SOURCE_DATE_EPOCH)") + + cd $buildRoot + ''; + + buildFlags = + [ + "KBUILD_BUILD_VERSION=1-PatOS" + kernelConf.target + "vmlinux" # for "perf" and things like that + ] + ++ optional isModular "modules" + ++ optionals buildDTBs [ + "dtbs" + "DTC_FLAGS=-@" + ] + ++ extraMakeFlags; + + installFlags = + [ + "INSTALL_PATH=$(out)" + ] + ++ (optional isModular "INSTALL_MOD_PATH=$(out)") + ++ optionals buildDTBs [ + "dtbs_install" + "INSTALL_DTBS_PATH=$(out)/dtbs" + ]; + + dontStrip = true; + + preInstall = + let + # All we really need to do here is copy the final image and System.map to $out, + # and use the kernel's modules_install, firmware_install, dtbs_install, etc. targets + # for the rest. Easy, right? + # + # Unfortunately for us, the obvious way of getting the built image path, + # make -s image_name, does not work correctly, because some architectures + # (*cough* aarch64 *cough*) change KBUILD_IMAGE on the fly in their install targets, + # so we end up attempting to install the thing we didn't actually build. + # + # Thankfully, there's a way out that doesn't involve just hardcoding everything. + # + # The kernel has an install target, which runs a pretty simple shell script + # (located at scripts/install.sh or arch/$arch/boot/install.sh, depending on + # which kernel version you're looking at) that tries to do something sensible. 
+ # + # (it would be great to hijack this script immediately, as it has all the + # information we need passed to it and we don't need it to try and be smart, + # but unfortunately, the exact location of the scripts differs between kernel + # versions, and they're seemingly not considered to be public API at all) + # + # One of the ways it tries to discover what "something sensible" actually is + # is by delegating to what's supposed to be a user-provided install script + # located at ~/bin/installkernel. + # + # (the other options are: + # - a distribution-specific script at /sbin/installkernel, + # which we can't really create in the sandbox easily + # - an architecture-specific script at arch/$arch/boot/install.sh, + # which attempts to guess _something_ and usually guesses very wrong) + # + # More specifically, the install script exec's into ~/bin/installkernel, if one + # exists, with the following arguments: + # + # $1: $KERNELRELEASE - full kernel version string + # $2: $KBUILD_IMAGE - the final image path + # $3: System.map - path to System.map file, seemingly hardcoded everywhere + # $4: $INSTALL_PATH - path to the destination directory as specified in installFlags + # + # $2 is exactly what we want, so hijack the script and use the knowledge given to it + # by the makefile overlords for our own nefarious ends. + # + # Note that the makefiles specifically look in ~/bin/installkernel, and + # writeShellScriptBin writes the script to <store path>/bin/installkernel, + # so HOME needs to be set to just the store path. + # + # FIXME: figure out a less roundabout way of doing this. + installkernel = buildPackages.writeShellScriptBin "installkernel" '' + cp -av $2 $4 + cp -av $3 $4 + ''; + in + '' + installFlagsArray+=("-j$NIX_BUILD_CORES") + export HOME=${installkernel} + ''; + + # Some image types need special install targets (e.g. 
uImage is installed with make uinstall on arm) + installTargets = [ + (kernelConf.installTarget or ( + if kernelConf.target == "uImage" && stdenv.hostPlatform.linuxArch == "arm" then + "uinstall" + else if + kernelConf.target == "zImage" + || kernelConf.target == "Image.gz" + || kernelConf.target == "vmlinuz.efi" + then + "zinstall" + else + "install" + ) + ) + ]; + + # We remove a bunch of stuff that is symlinked from other places to save space, + # which trips the broken symlink check. So, just skip it. We'll know if it explodes. + dontCheckForBrokenSymlinks = true; + + postInstall = optionalString isModular '' + mkdir -p $dev + cp vmlinux $dev/ + # if [ -z "''${dontStrip-}" ]; then + # installFlagsArray+=("INSTALL_MOD_STRIP=1") + # fi + make modules_install $makeFlags "''${makeFlagsArray[@]}" \ + $installFlags "''${installFlagsArray[@]}" + unlink $out/lib/modules/${modDirVersion}/build + rm -f $out/lib/modules/${modDirVersion}/source + + mkdir -p $dev/lib/modules/${modDirVersion}/{build,source} + + # To save space, exclude a bunch of unneeded stuff when copying. + (cd .. && rsync --archive --prune-empty-dirs \ + --exclude='/build/' \ + * $dev/lib/modules/${modDirVersion}/source/) + + cd $dev/lib/modules/${modDirVersion}/source + + cp $buildRoot/{.config,Module.symvers} $dev/lib/modules/${modDirVersion}/build + make modules_prepare $makeFlags "''${makeFlagsArray[@]}" O=$dev/lib/modules/${modDirVersion}/build + + # For reproducibility, removes accidental leftovers from a `cc1` call + # from a `try-run` call from the Makefile + rm -f $dev/lib/modules/${modDirVersion}/build/.[0-9]*.d + + # Keep some extra files on some arches (powerpc, aarch64) + for f in arch/powerpc/lib/crtsavres.o arch/arm64/kernel/ftrace-mod.o; do + if [ -f "$buildRoot/$f" ]; then + cp $buildRoot/$f $dev/lib/modules/${modDirVersion}/build/$f + fi + done + + # !!! 
No documentation on how much of the source tree must be kept + # If/when kernel builds fail due to missing files, you can add + # them here. Note that we may see packages requiring headers + # from drivers/ in the future; it adds 50M to keep all of its + # headers on 3.10 though. + + chmod u+w -R .. + arch=$(cd $dev/lib/modules/${modDirVersion}/build/arch; ls) + + # Remove unused arches + for d in $(cd arch/; ls); do + if [ "$d" = "$arch" ]; then continue; fi + if [ "$arch" = arm64 ] && [ "$d" = arm ]; then continue; fi + rm -rf arch/$d + done + + # Remove all driver-specific code (50M of which is headers) + rm -fR drivers + + # Keep all headers + find . -type f -name '*.h' -print0 | xargs -0 -r chmod u-w + + # Keep linker scripts (they are required for out-of-tree modules on aarch64) + find . -type f -name '*.lds' -print0 | xargs -0 -r chmod u-w + + # Keep root and arch-specific Makefiles + chmod u-w Makefile arch/"$arch"/Makefile* + + # Keep whole scripts dir + chmod u-w -R scripts + + # Delete everything not kept + find . 
-type f -perm -u=w -print0 | xargs -0 -r rm + + # Delete empty directories + find -empty -type d -delete + ''; + + requiredSystemFeatures = [ "big-parallel" ]; + + meta = { + # https://github.com/NixOS/nixpkgs/pull/345534#issuecomment-2391238381 + broken = withRust && lib.versionOlder version "6.12"; + + description = + "The Linux kernel" + + ( + if kernelPatches == [ ] then + "" + else + " (with patches: " + lib.concatStringsSep ", " (map (x: x.name) kernelPatches) + ")" + ); + license = lib.licenses.gpl2Only; + homepage = "https://www.kernel.org/"; + maintainers = lib.teams.linux-kernel.members ++ [ + maintainers.thoughtpolice + ]; + platforms = platforms.linux; + badPlatforms = + lib.optionals (lib.versionOlder version "4.15") [ + "riscv32-linux" + "riscv64-linux" + ] + ++ lib.optional (lib.versionOlder version "5.19") "loongarch64-linux"; + timeout = 14400; # 4 hours + } // extraMeta; }; - inherit src; - - depsBuildBuild = [ buildPackages.stdenv.cc ]; - nativeBuildInputs = [ - bison - flex - perl - bc - nettools - openssl - rsync - gmp - libmpc - mpfr - elfutils - zstd - python3Minimal - kmod - hexdump - ] ++ optional needsUbootTools ubootTools - ++ optionals (lib.versionAtLeast version "5.2") [ cpio pahole zlib ] - ++ optionals withRust [ rustc rust-bindgen ]; - - RUST_LIB_SRC = lib.optionalString withRust rustPlatform.rustLibSrc; - - # avoid leaking Rust source file names into the final binary, which adds - # a false dependency on rust-lib-src on targets with uncompressed kernels - KRUSTFLAGS = lib.optionalString withRust "--remap-path-prefix ${rustPlatform.rustLibSrc}=/"; - - # patches = - # map (p: p.patch) kernelPatches - # # Required for deterministic builds along with some postPatch magic. 
- # ++ optional (lib.versionOlder version "5.19") ./randstruct-provide-seed.patch - # ++ optional (lib.versionAtLeast version "5.19") ./randstruct-provide-seed-5.19.patch - # # Linux 5.12 marked certain PowerPC-only symbols as GPL, which breaks - # # OpenZFS; this was fixed in Linux 5.19 so we backport the fix - # # https://github.com/openzfs/zfs/pull/13367 - # ++ optional (lib.versionAtLeast version "5.12" && - # lib.versionOlder version "5.19" && - # stdenv.hostPlatform.isPower) - # (fetchpatch { - # url = "https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/patch/?id=d9e5c3e9e75162f845880535957b7fd0b4637d23"; - # hash = "sha256-bBOyJcP6jUvozFJU0SPTOf3cmnTQ6ZZ4PlHjiniHXLU="; - # }); - - postPatch = '' - # Ensure that depmod gets resolved through PATH - sed -i Makefile -e 's|= /sbin/depmod|= depmod|' - - # Some linux-hardened patches now remove certain files in the scripts directory, so the file may not exist. - [[ -f scripts/ld-version.sh ]] && patchShebangs scripts/ld-version.sh - - # Set randstruct seed to a deterministic but diversified value. Note: - # we could have instead patched gen-random-seed.sh to take input from - # the buildFlags, but that would require also patching the kernel's - # toplevel Makefile to add a variable export. This would be likely to - # cause future patch conflicts. 
- for file in scripts/gen-randstruct-seed.sh scripts/gcc-plugins/gen-random-seed.sh; do - if [ -f "$file" ]; then - substituteInPlace "$file" \ - --replace NIXOS_RANDSTRUCT_SEED \ - $(echo ${randstructSeed}${src} ${placeholder "configfile"} | sha256sum | cut -d ' ' -f 1 | tr -d '\n') - break - fi - done - - patchShebangs scripts - - # also patch arch-specific install scripts - for i in $(find arch -name install.sh); do - patchShebangs "$i" - done - - # unset $src because the build system tries to use it and spams a bunch of warnings - # see: https://github.com/torvalds/linux/commit/b1992c3772e69a6fd0e3fc81cd4d2820c8b6eca0 - unset src - ''; - - configurePhase = '' - runHook preConfigure - - mkdir build - export buildRoot="$(pwd)/build" - - echo "manual-config configurePhase buildRoot=$buildRoot pwd=$PWD" - - if [ -f "$buildRoot/.config" ]; then - echo "Could not link $buildRoot/.config : file exists" - exit 1 - fi - ln -sv ${configfile} $buildRoot/.config - - # reads the existing .config file and prompts the user for options in - # the current kernel source that are not found in the file. - make $makeFlags "''${makeFlagsArray[@]}" oldconfig - runHook postConfigure - - make $makeFlags "''${makeFlagsArray[@]}" prepare - actualModDirVersion="$(cat $buildRoot/include/config/kernel.release)" - if [ "$actualModDirVersion" != "${modDirVersion}" ]; then - echo "Error: modDirVersion ${modDirVersion} specified in the Nix expression is wrong, it should be: $actualModDirVersion" - exit 1 - fi - - buildFlagsArray+=("KBUILD_BUILD_TIMESTAMP=$(date -u -d @$SOURCE_DATE_EPOCH)") - - cd $buildRoot - ''; - - buildFlags = [ - "KBUILD_BUILD_VERSION=1-PatOS" - kernelConf.target - "vmlinux" # for "perf" and things like that - ] ++ optional isModular "modules" - ++ optionals buildDTBs ["dtbs" "DTC_FLAGS=-@"] + # Absolute paths for compilers avoid any PATH-clobbering issues. 
+ commonMakeFlags = + [ + "ARCH=${stdenv.hostPlatform.linuxArch}" + "CROSS_COMPILE=${stdenv.cc.targetPrefix}" + ] + ++ lib.optionals (stdenv.isx86_64 && stdenv.cc.bintools.isLLVM) [ + # The wrapper for ld.lld breaks linking the kernel. We use the + # unwrapped linker as workaround. See: + # + # https://github.com/NixOS/nixpkgs/issues/321667 + "LD=${stdenv.cc.bintools.bintools}/bin/${stdenv.cc.targetPrefix}ld" + ] + ++ (stdenv.hostPlatform.linux-kernel.makeFlags or [ ]) ++ extraMakeFlags; + in - installFlags = [ - "INSTALL_PATH=$(out)" - ] ++ (optional isModular "INSTALL_MOD_PATH=$(out)") - ++ optionals buildDTBs ["dtbs_install" "INSTALL_DTBS_PATH=$(out)/dtbs"]; + stdenv.mkDerivation ( + builtins.foldl' lib.recursiveUpdate { } [ + (drvAttrs config stdenv.hostPlatform.linux-kernel kernelPatches configfile) + { + inherit pname version; - dontStrip = true; + enableParallelBuilding = true; - preInstall = let - # All we really need to do here is copy the final image and System.map to $out, - # and use the kernel's modules_install, firmware_install, dtbs_install, etc. targets - # for the rest. Easy, right? - # - # Unfortunately for us, the obvious way of getting the built image path, - # make -s image_name, does not work correctly, because some architectures - # (*cough* aarch64 *cough*) change KBUILD_IMAGE on the fly in their install targets, - # so we end up attempting to install the thing we didn't actually build. - # - # Thankfully, there's a way out that doesn't involve just hardcoding everything. - # - # The kernel has an install target, which runs a pretty simple shell script - # (located at scripts/install.sh or arch/$arch/boot/install.sh, depending on - # which kernel version you're looking at) that tries to do something sensible. 
- # - # (it would be great to hijack this script immediately, as it has all the - # information we need passed to it and we don't need it to try and be smart, - # but unfortunately, the exact location of the scripts differs between kernel - # versions, and they're seemingly not considered to be public API at all) - # - # One of the ways it tries to discover what "something sensible" actually is - # is by delegating to what's supposed to be a user-provided install script - # located at ~/bin/installkernel. - # - # (the other options are: - # - a distribution-specific script at /sbin/installkernel, - # which we can't really create in the sandbox easily - # - an architecture-specific script at arch/$arch/boot/install.sh, - # which attempts to guess _something_ and usually guesses very wrong) - # - # More specifically, the install script exec's into ~/bin/installkernel, if one - # exists, with the following arguments: - # - # $1: $KERNELRELEASE - full kernel version string - # $2: $KBUILD_IMAGE - the final image path - # $3: System.map - path to System.map file, seemingly hardcoded everywhere - # $4: $INSTALL_PATH - path to the destination directory as specified in installFlags - # - # $2 is exactly what we want, so hijack the script and use the knowledge given to it - # by the makefile overlords for our own nefarious ends. - # - # Note that the makefiles specifically look in ~/bin/installkernel, and - # writeShellScriptBin writes the script to <store path>/bin/installkernel, - # so HOME needs to be set to just the store path. - # - # FIXME: figure out a less roundabout way of doing this. - installkernel = buildPackages.writeShellScriptBin "installkernel" '' - cp -av $2 $4 - cp -av $3 $4 - ''; - in '' - installFlagsArray+=("-j$NIX_BUILD_CORES") - export HOME=${installkernel} - ''; - - # Some image types need special install targets (e.g. 
uImage is installed with make uinstall on arm) - installTargets = [ - (kernelConf.installTarget or ( - /**/ if kernelConf.target == "uImage" && stdenv.hostPlatform.linuxArch == "arm" then "uinstall" - else if kernelConf.target == "zImage" || kernelConf.target == "Image.gz" || kernelConf.target == "vmlinuz.efi" then "zinstall" - else "install")) - ]; - - # We remove a bunch of stuff that is symlinked from other places to save space, - # which trips the broken symlink check. So, just skip it. We'll know if it explodes. - dontCheckForBrokenSymlinks = true; - - postInstall = optionalString isModular '' - mkdir -p $dev - cp vmlinux $dev/ - if [ -z "''${dontStrip-}" ]; then - installFlagsArray+=("INSTALL_MOD_STRIP=1") - fi - make modules_install $makeFlags "''${makeFlagsArray[@]}" \ - $installFlags "''${installFlagsArray[@]}" - unlink $out/lib/modules/${modDirVersion}/build - rm -f $out/lib/modules/${modDirVersion}/source - - mkdir -p $dev/lib/modules/${modDirVersion}/{build,source} - - # To save space, exclude a bunch of unneeded stuff when copying. - (cd .. && rsync --archive --prune-empty-dirs \ - --exclude='/build/' \ - * $dev/lib/modules/${modDirVersion}/source/) - - cd $dev/lib/modules/${modDirVersion}/source - - cp $buildRoot/{.config,Module.symvers} $dev/lib/modules/${modDirVersion}/build - make modules_prepare $makeFlags "''${makeFlagsArray[@]}" O=$dev/lib/modules/${modDirVersion}/build - - # For reproducibility, removes accidental leftovers from a `cc1` call - # from a `try-run` call from the Makefile - rm -f $dev/lib/modules/${modDirVersion}/build/.[0-9]*.d - - # Keep some extra files on some arches (powerpc, aarch64) - for f in arch/powerpc/lib/crtsavres.o arch/arm64/kernel/ftrace-mod.o; do - if [ -f "$buildRoot/$f" ]; then - cp $buildRoot/$f $dev/lib/modules/${modDirVersion}/build/$f - fi - done - - # !!! No documentation on how much of the source tree must be kept - # If/when kernel builds fail due to missing files, you can add - # them here. 
Note that we may see packages requiring headers - # from drivers/ in the future; it adds 50M to keep all of its - # headers on 3.10 though. - - chmod u+w -R .. - arch=$(cd $dev/lib/modules/${modDirVersion}/build/arch; ls) - - # Remove unused arches - for d in $(cd arch/; ls); do - if [ "$d" = "$arch" ]; then continue; fi - if [ "$arch" = arm64 ] && [ "$d" = arm ]; then continue; fi - rm -rf arch/$d - done - - # Remove all driver-specific code (50M of which is headers) - rm -fR drivers - - # Keep all headers - find . -type f -name '*.h' -print0 | xargs -0 -r chmod u-w - - # Keep linker scripts (they are required for out-of-tree modules on aarch64) - find . -type f -name '*.lds' -print0 | xargs -0 -r chmod u-w - - # Keep root and arch-specific Makefiles - chmod u-w Makefile arch/"$arch"/Makefile* - - # Keep whole scripts dir - chmod u-w -R scripts - - # Delete everything not kept - find . -type f -perm -u=w -print0 | xargs -0 -r rm - - # Delete empty directories - find -empty -type d -delete - ''; - - requiredSystemFeatures = [ "big-parallel" ]; - - meta = { - # https://github.com/NixOS/nixpkgs/pull/345534#issuecomment-2391238381 - broken = withRust && lib.versionOlder version "6.12"; - - description = - "The Linux kernel" + - (if kernelPatches == [] then "" else - " (with patches: " - + lib.concatStringsSep ", " (map (x: x.name) kernelPatches) - + ")"); - license = lib.licenses.gpl2Only; - homepage = "https://www.kernel.org/"; - maintainers = lib.teams.linux-kernel.members ++ [ - maintainers.thoughtpolice + hardeningDisable = [ + "bindnow" + "format" + "fortify" + "stackprotector" + "pic" + "pie" ]; - platforms = platforms.linux; - badPlatforms = - lib.optionals (lib.versionOlder version "4.15") [ "riscv32-linux" "riscv64-linux" ] ++ - lib.optional (lib.versionOlder version "5.19") "loongarch64-linux"; - timeout = 14400; # 4 hours - } // extraMeta; - }; - # Absolute paths for compilers avoid any PATH-clobbering issues. 
- commonMakeFlags = [ - "ARCH=${stdenv.hostPlatform.linuxArch}" - "CROSS_COMPILE=${stdenv.cc.targetPrefix}" - ] ++ lib.optionals (stdenv.isx86_64 && stdenv.cc.bintools.isLLVM) [ - # The wrapper for ld.lld breaks linking the kernel. We use the - # unwrapped linker as workaround. See: - # - # https://github.com/NixOS/nixpkgs/issues/321667 - "LD=${stdenv.cc.bintools.bintools}/bin/${stdenv.cc.targetPrefix}ld" - ] ++ (stdenv.hostPlatform.linux-kernel.makeFlags or []) - ++ extraMakeFlags; -in + makeFlags = [ + "O=$(buildRoot)" + ] ++ commonMakeFlags; -stdenv.mkDerivation ( - builtins.foldl' lib.recursiveUpdate {} [ - (drvAttrs config stdenv.hostPlatform.linux-kernel kernelPatches configfile) - { - inherit pname version; + passthru = { inherit commonMakeFlags; }; - enableParallelBuilding = true; - - hardeningDisable = [ "bindnow" "format" "fortify" "stackprotector" "pic" "pie" ]; - - makeFlags = [ - "O=$(buildRoot)" - ] ++ commonMakeFlags; - - passthru = { inherit commonMakeFlags; }; - - karch = stdenv.hostPlatform.linuxArch; - } - (optionalAttrs (pos != null) { inherit pos; }) - ] -)) + karch = stdenv.hostPlatform.linuxArch; + } + (optionalAttrs (pos != null) { inherit pos; }) + ] + ) +) diff --git a/pkgs/rootfs/default.nix b/pkgs/rootfs/default.nix deleted file mode 100644 index d3c39c3..0000000 --- a/pkgs/rootfs/default.nix +++ /dev/null 
@@ -1,38 +0,0 @@
-{
- pkgs,
- stdenvNoCC,
- patosPkgs,
- version,
- ...
-}:
-let
- pname = "patos-rootfs";
- defaultPassword = "patos";
-in
-stdenvNoCC.mkDerivation (finalAttrs: {
- inherit version;
- inherit pname;
- inherit defaultPassword;
-
- buildInputs = with pkgs; [
- glibc
- binutils
- ];
-
- glibcPatos = patosPkgs.glibc.out;
- systemd = patosPkgs.systemd.out;
- dbusBroker = patosPkgs.dbus-broker.out;
- kernel = patosPkgs.kernel;
- busybox = patosPkgs.busybox.out;
- kmodLibs = pkgs.kmod.lib;
- kmodBin = pkgs.kmod.out;
- cacert = pkgs.cacert.out;
- libbpf = pkgs.libbpf.out;
- btrfs = pkgs.btrfs-progs.out;
- tpm2Libs = patosPkgs.tpm2-tss.out;
- kexec = patosPkgs.kexec.out;
- lvm2 = patosPkgs.lvm2.out;
- openssl = patosPkgs.openssl.out;
-
- builder = ./mkrootfs.sh;
-})
diff --git a/pkgs/rootfs/mkinitrd.nix b/pkgs/rootfs/mkinitrd.nix
index 3708483..8eb721e 100644
--- a/pkgs/rootfs/mkinitrd.nix
+++ b/pkgs/rootfs/mkinitrd.nix
@@ -1,23 +1,66 @@ { pkgs, - stdenvNoCC, patosPkgs, - version, + runCommand, ... }: -let - pname = "patos-ramdisk"; -in -stdenvNoCC.mkDerivation (finalAttrs: { - inherit version; - inherit pname; - +runCommand "patos-initrd" { buildInputs = with pkgs; [ cpio xz ]; +} +'' +echo "Building initram disk" +mkdir -p $out/root +pushd $out/root - rootfs = patosPkgs.rootfs.out; +### copy rootfs +cp -prP ${patosPkgs.rootfs}/* . +find . -type d -exec chmod 755 {} \; +mkdir sysroot - builder = ./mkinitrd.sh; -}) +### create directories +ln -sf ../usr/lib/systemd/systemd init + +### Create needed files +echo patos > ./etc/hostname + +ln -sf /etc/os-release ./etc/initrd-release + +# set default target to initrd inside initrd +ln -sf initrd.target ./usr/lib/systemd/system/default.target + +# bind mount /run to /sysroot/run +cat <<EOF > ./usr/lib/systemd/system/sysroot-run.mount +[Unit] +Before=initrd-fs.target +DefaultDependencies=false + +[Mount] +Options=bind +What=/run +Where=/sysroot/run +EOF +mkdir ./usr/lib/systemd/system/initrd-fs.target.requires/ +ln -sf ../sysroot-run.mount ./usr/lib/systemd/system/initrd-fs.target.requires/sysroot-run.mount + +# repart: generate crypttab and fstab under /run +mkdir ./usr/lib/systemd/system/systemd-repart.service.d +cat <<EOF > ./usr/lib/systemd/system/systemd-repart.service.d/override.conf +[Unit] +After=sysroot-run.mount +Requires=sysroot-run.mount + +[Service] +Environment=SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard +ExecStart= +ExecStart=systemd-repart --dry-run=no --generate-crypttab=/run/crypttab --generate-fstab=/run/fstab +EOF + +# gen initrd +find . -print0 | cpio --null --owner=root:root -o --format=newc | xz -9 --check=crc32 > ../initrd.xz + +popd +rm -rf $out/root +'' diff --git a/pkgs/rootfs/mkinitrd.sh b/pkgs/rootfs/mkinitrd.sh deleted file mode 100644 index 43708d0..0000000 --- a/pkgs/rootfs/mkinitrd.sh +++ /dev/null 
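Review bot: The pipeline `find . -print0 | cpio --null --owner=root:root -o --format=newc | xz -9 --check=crc32 > ../initrd.xz` no longer runs under an explicit pipefail: the deleted mkinitrd.sh at least attempted one (`set -ex -p pipefail`, itself a typo for `-o`), and the new `runCommand` body relies entirely on whatever shell options stdenv's setup enables, so whether a cpio failure aborts the build is now implicit. Putting `set -euo pipefail` as the first line of the `''` script states the intent and does not depend on that. The `systemd-repart.service.d/override.conf` heredoc also deserves a one-line comment explaining why `--dry-run=no` with generated crypttab/fstab under /run is safe to run from the initrd on every boot, since repart will act on the real disks there.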
@@ -1,53 +0,0 @@ -set -ex -p pipefail -echo "Building initram disk" -mkdir -p $out/root -pushd $out/root - -### copy rootfs -cp -prP $rootfs/* . -find . -type d -exec chmod 755 {} \; -mkdir sysroot - -### create directories -ln -sf ../usr/lib/systemd/systemd init - -### Create needed files -echo patos > ./etc/hostname - -ln -sf /etc/os-release ./etc/initrd-release - -# set default target to initrd inside initrd -ln -sf initrd.target ./usr/lib/systemd/system/default.target - -# bind mount /run to /sysroot/run -cat <<EOF > ./usr/lib/systemd/system/sysroot-run.mount -[Unit] -Before=initrd-fs.target -DefaultDependencies=false - -[Mount] -Options=bind -What=/run -Where=/sysroot/run -EOF -mkdir ./usr/lib/systemd/system/initrd-fs.target.requires/ -ln -sf ../sysroot-run.mount ./usr/lib/systemd/system/initrd-fs.target.requires/sysroot-run.mount - -# repart: generate crypttab and fstab under /run -mkdir ./usr/lib/systemd/system/systemd-repart.service.d -cat <<EOF > ./usr/lib/systemd/system/systemd-repart.service.d/override.conf -[Unit] -After=sysroot-run.mount -Requires=sysroot-run.mount - -[Service] -Environment=SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard -ExecStart= -ExecStart=systemd-repart --dry-run=no --generate-crypttab=/run/crypttab --generate-fstab=/run/fstab -EOF - -# gen initrd -find . -print0 | cpio --null --owner=root:root -o --format=newc | xz -9 --check=crc32 > ../initrd.xz - -popd -rm -rf $out/root diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.nix similarity index 75% rename from pkgs/rootfs/mkrootfs.sh rename to pkgs/rootfs/mkrootfs.nix index 3ccc93c..fb25c4d 100644 --- a/pkgs/rootfs/mkrootfs.sh +++ b/pkgs/rootfs/mkrootfs.nix 
@@ -1,5 +1,22 @@ -set -ex -o pipefail +{ + pkgs, + patosPkgs, + version, + runCommand, + ... +}: +let + defaultPassword = "patos"; +in +runCommand "patos-rootfs" +{ + buildInputs = [ + pkgs.glibc + pkgs.binutils + ]; +} +'' ### create directory structure mkdir -p $out/etc/repart.d $out/dev $out/proc $out/sys \ $out/tmp $out/root $out/run $out/boot $out/mnt $out/home $out/srv $out/var/tmp @@ -11,7 +28,7 @@ ln -sf ../proc/self/mounts $out/etc/mtab ### install systemd echo "Installing systemd" -cp -Pr $systemd/* $out/ +cp -Pr ${patosPkgs.systemd}/* $out/ find $out -type d -exec chmod 755 {} \; rm -rf $out/usr/include rm -rf $out/usr/sbin 
@@ -117,57 +134,57 @@ ManagerEnvironment=PATH=/bin:/sbin:/usr/bin SYSTEMD_CRYPTTAB=/run/crypttab SYSTE EOF ### install PatOS glibc -cp -P $glibcPatos/lib/*.so* $out/usr/lib/ +cp -P ${patosPkgs.glibc}/lib/*.so* $out/usr/lib/ ### install openssl -cp -P $openssl/lib/*.so* $out/usr/lib/ -cp -Pr $openssl/etc/ssl $out/etc/ +cp -P ${patosPkgs.openssl}/lib/*.so* $out/usr/lib/ +cp -Pr ${patosPkgs.openssl}/etc/ssl $out/etc/ ### install busybox -cp $busybox/bin/busybox $out/usr/bin/ +cp ${patosPkgs.busybox}/bin/busybox $out/usr/bin/ $out/usr/bin/busybox --list | xargs -I {} ln -sf busybox $out/usr/bin/{} ### install dbus broker -cp -r $dbusBroker/* $out/ +cp -r ${patosPkgs.dbus-broker}/* $out/ ### install kexec -cp -Pr ${kexec}/sbin/kexec $out/usr/bin/ +cp -Pr ${patosPkgs.kexec}/sbin/kexec $out/usr/bin/ ### install dmsetup udev rules -cp -P ${lvm2}/usr/bin/dmsetup $out/usr/bin/ -cp -P ${lvm2}/lib/libdevmapper.so* $out/usr/lib/ -cp -P ${lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/ +cp -P ${patosPkgs.lvm2}/usr/bin/dmsetup $out/usr/bin/ +cp -P ${patosPkgs.lvm2}/lib/libdevmapper.so* $out/usr/lib/ +cp -P ${patosPkgs.lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/ ### install btrfs progs -cp -Pr ${btrfs}/bin/* $out/usr/bin/ -cp -Pr ${btrfs}/lib/* $out/usr/lib/ +cp -Pr ${pkgs.btrfs-progs}/bin/* $out/usr/bin/ +cp -Pr ${pkgs.btrfs-progs}/lib/* $out/usr/lib/ ### install tpm2 libs -cp -P ${tpm2Libs}/lib/*.so* $out/usr/lib/ +cp -P ${patosPkgs.tpm2-tss}/lib/*.so* $out/usr/lib/ ### install lib kmod -cp -P $kmodLibs/lib/*.so* $out/usr/lib/ -cp -P $kmodBin/bin/* $out/usr/bin +cp -P ${pkgs.kmod.lib}/lib/*.so* $out/usr/lib/ +cp -P ${pkgs.kmod}/bin/* $out/usr/bin ### install libbpf -cp -P $libbpf/lib/libbpf*.so* $out/usr/lib +cp -P ${pkgs.libbpf}/lib/libbpf*.so* $out/usr/lib ### install ca cert bundle chmod 755 $out/etc/ssl $out/etc/ssl/certs -cp -P $cacert/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/cert.pem +cp -P ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/cert.pem ln -sf 
../cert.pem $out/etc/ssl/certs/ca-certificates.crt ln -sf ../cert.pem $out/etc/ssl/certs/ca-bundle.crt # setup default files -$systemd/usr/bin/systemd-hwdb --root=$out --usr update -$systemd/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf --create +${patosPkgs.systemd}/usr/bin/systemd-hwdb --root=$out --usr update +${patosPkgs.systemd}/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf --create cp $out/usr/share/factory/etc/nsswitch.conf $out/etc/ cp $out/usr/share/factory/etc/locale.conf $out/etc/ cp $out/usr/share/factory/etc/vconsole.conf $out/etc/ # install sys users mkdir creds -echo -n $defaultPassword > creds/passwd.plaintext-password.root -CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' $systemd/usr/bin/systemd-sysusers --root=$out rootfs/usr/lib/sysusers.d/*.conf +echo -n ${defaultPassword} > creds/passwd.plaintext-password.root +CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' ${patosPkgs.systemd}/usr/bin/systemd-sysusers --root=$out rootfs/usr/lib/sysusers.d/*.conf chmod 600 $out/etc/shadow rm -rf creds @@ -195,6 +212,6 @@ find $out -type f -executable -exec strip {} \; find $out -type d -exec chmod 755 {} \; ### install kernel modules -cp -r $kernel/lib/modules $out/usr/lib/ +cp -r ${patosPkgs.kernel}/lib/modules $out/usr/lib/ find $out/usr/lib/modules -type d -exec chmod 755 {} \; - +'' From df3a42da4be1a24bf96fee185483e3b49b75bb53 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Mon, 17 Mar 2025 17:03:52 +0100 Subject: [PATCH 58/78] chore: more clean up --- pkgs/image/default.nix | 4 +--- pkgs/rootfs/mkrootfs.nix | 13 +++++++------ 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix index 7d5f565..e82b49a 100644 --- a/pkgs/image/default.nix +++ b/pkgs/image/default.nix @@ -15,9 +15,7 @@ runCommand pname { erofs-utils dosfstools mtools - e2fsprogs jq - openssl ]; env = { 
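Review bot: `echo -n ${defaultPassword} > creds/passwd.plaintext-password.root` feeds the hard-coded `defaultPassword = "patos"` from the top of mkrootfs.nix into systemd-sysusers, so every build ships the same publicly known root password hash in /etc/shadow; the `chmod 600 $out/etc/shadow` protects the file's permissions, not the credential. A comment at the declaration, `# well-known build-time default; must be rotated or root locked at registration`, would at least make that visible, and making the password a derivation argument (or leaving root locked until provisioning) would remove it from the repo. The default predates this rename, and the enclosing `''` script starts outside this hunk.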
@@ -159,7 +157,7 @@ ${patosPkgs.systemd}/usr/bin/systemd-repart \ --size=auto \ --definitions=./final.repart.d \ --root=$out \ - patos-$version.raw > final-repart-output.json + patos-${version}.raw > final-repart-output.json rm -rf rootfs diff --git a/pkgs/rootfs/mkrootfs.nix b/pkgs/rootfs/mkrootfs.nix index fb25c4d..a40e17b 100644 --- a/pkgs/rootfs/mkrootfs.nix +++ b/pkgs/rootfs/mkrootfs.nix @@ -11,6 +11,8 @@ in runCommand "patos-rootfs" { + inherit version; + buildInputs = [ pkgs.glibc pkgs.binutils @@ -175,6 +177,9 @@ cp -P ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/cert.pem ln -sf ../cert.pem $out/etc/ssl/certs/ca-certificates.crt ln -sf ../cert.pem $out/etc/ssl/certs/ca-bundle.crt +# no need for pkgconfig, removing.. +rm -rf $out/usr/lib/pkgconfig + # setup default files ${patosPkgs.systemd}/usr/bin/systemd-hwdb --root=$out --usr update ${patosPkgs.systemd}/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf --create @@ -188,13 +193,9 @@ CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' ${patosPkgs.systemd} chmod 600 $out/etc/shadow rm -rf creds - # Ephemeral machine-id until registration ln -sf /run/machine-id $out/etc/machine-id -# remove pkgconfig -rm -rf $out/usr/lib/pkgconfig - ### Find and install all shared libs find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \ grep -vE "(systemd|glibc|openssl|tpm2|devmapper)" | \ @@ -202,7 +203,7 @@ find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \ find $out -type f -executable -exec chmod 755 {} \; -# FIXME: ELF patching. Is there a better way? +# patch ELFs find $out -type f -executable -exec patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd:/usr/lib/cryptsetup {} \; find $out -type f -executable -exec patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 {} \; patchelf --remove-rpath $out/usr/lib/ld-linux-x86-64.so.2 
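Review bot: Replacing `# FIXME: ELF patching. Is there a better way?` with `# patch ELFs` in the last mkrootfs.nix hunk drops the open question without resolving it, and the two `patchelf` lines below still hard-code `/lib/ld-linux-x86-64.so.2`, which only holds for x86-64. I'd keep that visible, e.g. `# patch ELFs: force the in-image rpath and the x86-64 loader (FIXME: interpreter path is arch-specific)`. The enclosing `''` script continues outside the hunk.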
@@ -211,7 +212,7 @@ patchelf --remove-rpath $out/usr/lib/ld-linux-x86-64.so.2 find $out -type f -executable -exec strip {} \; find $out -type d -exec chmod 755 {} \; -### install kernel modules +# install kernel modules cp -r ${patosPkgs.kernel}/lib/modules $out/usr/lib/ find $out/usr/lib/modules -type d -exec chmod 755 {} \; '' From dc8ed2a7741810ab6806fb078eded015ef147e6e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Mon, 17 Mar 2025 22:22:35 +0100 Subject: [PATCH 59/78] feat: enable factory reset --- pkgs/image/default.nix | 27 +++++++++++++++++++++++---- pkgs/rootfs/mkinitrd.nix | 1 + pkgs/rootfs/mkrootfs.nix | 17 ++++++++++------- 3 files changed, 34 insertions(+), 11 deletions(-) diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix index e82b49a..e82bc3d 100644 --- a/pkgs/image/default.nix +++ b/pkgs/image/default.nix @@ -27,7 +27,7 @@ runCommand pname { kernelCmdLine = "console=ttyS0"; } '' -mkdir -p $out/init.repart.d $out/final.repart.d $out/boot +mkdir -p $out/init.repart.d $out/final.repart.d pushd $out # Don't seem to work just to create a symlink to rootfs derivation? 
@@ -106,9 +106,28 @@ SYSTEMD_RELAX_ESP_CHECKS=1 ${patosPkgs.systemd}/usr/bin/bootctl install --root . --secure-boot-auto-enroll=true --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem echo "timeout 2" > rootfs/boot/loader/loader.conf +# setup factory reset +mkdir -p rootfs/boot/EFI/tools +cp ${pkgs.edk2-uefi-shell}/shell.efi rootfs/boot/EFI/tools/ + +cat <<EOF > rootfs/boot/EFI/tools/factoryreset.nsh +setvar FactoryReset -guid 8cf2644b-4b0b-428f-9387-6d876050dc67 -nv -rt =%1 +reset +EOF + +cat <<EOF > rootfs/boot/loader/entries/factoryreset.conf +title Enable Factory Reset +options -nostartup -nomap +options \EFI\tools\factoryreset.nsh L"t" +efi EFI/tools/shell.efi +EOF + # sign EFIs ${patosPkgs.systemd}/usr/lib/systemd/systemd-sbsign sign --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem \ - rootfs/boot/EFI/BOOT/BOOTX64.EFI --output=rootfs/boot/EFI/BOOT/BOOTX64.EFI + rootfs/boot/EFI/tools/shell.efi --output=rootfs/boot/EFI/tools/shell.efi + +${patosPkgs.systemd}/usr/lib/systemd/systemd-sbsign sign --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem \ + rootfs/boot/EFI/BOOT/BOOTX64.EFI --output=rootfs/boot/EFI/BOOT/BOOTX64.EFI ${patosPkgs.systemd}/usr/lib/systemd/systemd-sbsign sign --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem \ patos_${version}.efi --output=patos_${version}.efi @@ -123,8 +142,8 @@ cat <<EOF > final.repart.d/10-esp.conf [Partition] Type=esp Format=vfat -SizeMinBytes=160M -SizeMaxBytes=160M +SizeMinBytes=96M +SizeMaxBytes=96M CopyFiles=/rootfs/boot:/ EOF diff --git a/pkgs/rootfs/mkinitrd.nix b/pkgs/rootfs/mkinitrd.nix index 8eb721e..2187514 100644 --- a/pkgs/rootfs/mkinitrd.nix +++ b/pkgs/rootfs/mkinitrd.nix 
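Review bot: The factory-reset entry signs `shell.efi` (a full EDK2 UEFI shell) with the Secure Boot db key and then has it execute `\EFI\tools\factoryreset.nsh` from the vfat ESP; the `.nsh` script is not covered by any signature, so anyone able to write the ESP can change what the now-trusted shell runs at next boot, and anyone at the boot menu can trigger the reset without confirmation. `setvar FactoryReset -guid 8cf2644b-... -nv -rt =%1` receives `%1` from the entry's `options \EFI\tools\factoryreset.nsh L"t"` line, which is not obvious; a comment naming the consumer of that variable and stating that the entry is deliberately unauthenticated would help reviewers. Consider a minimal signed EFI program that only sets the variable instead of a general-purpose shell, and, if the shell stays, a confirmation step before `reset`.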
@@ -57,6 +57,7 @@ Environment=SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard ExecStart= ExecStart=systemd-repart --dry-run=no --generate-crypttab=/run/crypttab --generate-fstab=/run/fstab EOF +ln -sf ../systemd-repart.service ./usr/lib/systemd/system/initrd-root-fs.target.wants/systemd-repart.service # gen initrd find . -print0 | cpio --null --owner=root:root -o --format=newc | xz -9 --check=crc32 > ../initrd.xz diff --git a/pkgs/rootfs/mkrootfs.nix b/pkgs/rootfs/mkrootfs.nix index a40e17b..ca449b3 100644 --- a/pkgs/rootfs/mkrootfs.nix +++ b/pkgs/rootfs/mkrootfs.nix @@ -3,7 +3,6 @@ patosPkgs, version, runCommand, - ... }: let defaultPassword = "patos"; @@ -13,10 +12,11 @@ runCommand "patos-rootfs" { inherit version; - buildInputs = [ - pkgs.glibc - pkgs.binutils + buildInputs = with pkgs;[ + glibc + binutils ]; + } '' ### create directory structure @@ -29,13 +29,16 @@ ln -sf /usr/lib $out/lib64 ln -sf ../proc/self/mounts $out/etc/mtab ### install systemd -echo "Installing systemd" cp -Pr ${patosPkgs.systemd}/* $out/ find $out -type d -exec chmod 755 {} \; rm -rf $out/usr/include rm -rf $out/usr/sbin ln -sf /usr/bin $out/usr/sbin rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service +# enable in ramdisk instead +rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-repart.service +rm -f $out/usr/lib/systemd/system/initrd-root-fs.target.wants/systemd-repart.service + rm -f $out/usr/lib/systemd/ukify rm -f $out/usr/bin/ukify rm -f $out/usr/lib/udev/rules.d/90-vconsole.rules @@ -71,8 +74,8 @@ cat <<EOF > $out/etc/repart.d/10-esp.conf [Partition] Type=esp Format=vfat -SizeMaxBytes=160M -SizeMinBytes=160M +SizeMaxBytes=96M +SizeMinBytes=96M EOF cat <<EOF > $out/etc/repart.d/20-root-a.conf From 8fb3174c7868f39470a0070462344f7e64a5d6b7 Mon Sep 17 00:00:00 2001 
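Review bot: In the mkrootfs.nix `buildInputs` hunk, `buildInputs = with pkgs;[` is missing the space after `;` and the hunk adds a stray blank line before the closing `}`; `buildInputs = with pkgs; [` without the extra blank matches the style used in mkinitrd.nix. The mkinitrd.nix hunk in this patch symlinks into `./usr/lib/systemd/system/initrd-root-fs.target.wants/` with `ln -sf`, which presumably relies on that directory already existing in the copied systemd tree; a `mkdir -p` (or a comment stating the assumption) would make it robust against a systemd build that does not ship it.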
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Mon, 17 Mar 2025 22:22:35 +0100 Subject: [PATCH 60/78] feat: enroll secure boot at first boot --- pkgs/image/default.nix | 32 +++++++++++++++++------------- pkgs/rootfs/mkinitrd.nix | 43 ++++++++++++++++++++++++++++++++++++++++ pkgs/rootfs/mkrootfs.nix | 8 +++++++- 3 files changed, 68 insertions(+), 15 deletions(-) diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix index e82bc3d..2084901 100644 --- a/pkgs/image/default.nix +++ b/pkgs/image/default.nix @@ -54,6 +54,22 @@ mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/sys ln -sf ../systemd-confext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-confext.service ln -sf ../systemd-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-sysext.service +cat <<EOF > rootfs/usr/lib/systemd/system/secure-boot-import-keys.service +[Unit] +Description=Import Secure Boot keys +DefaultDependencies=no +RequiresMountsFor=/var/lib/sbctl /boot +ConditionPathExists=/boot/sbctl/keys +After=local-fs.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=sbctl import-keys -d /boot/sbctl/keys +ExecStartPost=rm -rf /boot/sbctl +EOF +ln -sf ../secure-boot-import-keys.service rootfs/usr/lib/systemd/system/sysinit.target.wants/secure-boot-import-keys.service + # Initial partitioning cat <<EOF > init.repart.d/10-root.conf [Partition] @@ -102,9 +118,7 @@ ${patosPkgs.systemd}/usr/bin/ukify build \ -o patos_${version}.efi # install ESP -SYSTEMD_RELAX_ESP_CHECKS=1 ${patosPkgs.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot \ - --secure-boot-auto-enroll=true --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem -echo "timeout 2" > rootfs/boot/loader/loader.conf +SYSTEMD_RELAX_ESP_CHECKS=1 ${patosPkgs.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot # setup factory reset mkdir -p rootfs/boot/EFI/tools 
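Review bot: `ExecStart=sbctl import-keys -d /boot/sbctl/keys` followed by `ExecStartPost=rm -rf /boot/sbctl` leaves the private PK/KEK/db material on the unencrypted vfat ESP whenever the import fails, because `ExecStartPost=` only runs after a successful `ExecStart=`, and `rm -rf` on vfat is not a secure erase either. A comment in the unit should state that /boot/sbctl is a transient hand-off location written by the initrd enrollment step and must never survive a successful boot; an `ExecStopPost=` (or a separate cleanup unit) that removes the directory regardless of the import result would close the failure path. `ConditionPathExists=/boot/sbctl/keys` also means a half-written key directory will be retried every boot.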
@@ -122,21 +136,11 @@ options \EFI\tools\factoryreset.nsh L"t" efi EFI/tools/shell.efi EOF -# sign EFIs -${patosPkgs.systemd}/usr/lib/systemd/systemd-sbsign sign --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem \ - rootfs/boot/EFI/tools/shell.efi --output=rootfs/boot/EFI/tools/shell.efi - -${patosPkgs.systemd}/usr/lib/systemd/systemd-sbsign sign --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem \ - rootfs/boot/EFI/BOOT/BOOTX64.EFI --output=rootfs/boot/EFI/BOOT/BOOTX64.EFI - -${patosPkgs.systemd}/usr/lib/systemd/systemd-sbsign sign --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem \ - patos_${version}.efi --output=patos_${version}.efi +echo "timeout 2" > rootfs/boot/loader/loader.conf # install UKI cp patos_${version}.efi rootfs/boot/EFI/Linux -echo "secure-boot-enroll force" >> rootfs/boot/loader/loader.conf - # Final partitioning cat <<EOF > final.repart.d/10-esp.conf [Partition] diff --git a/pkgs/rootfs/mkinitrd.nix b/pkgs/rootfs/mkinitrd.nix index 2187514..5cc6411 100644 --- a/pkgs/rootfs/mkinitrd.nix +++ b/pkgs/rootfs/mkinitrd.nix 
@@ -31,6 +31,49 @@ ln -sf /etc/os-release ./etc/initrd-release # set default target to initrd inside initrd ln -sf initrd.target ./usr/lib/systemd/system/default.target +# setup secure boot +cat <<EOF > ./usr/bin/secure-boot-enroll +#!/bin/sh +set -ex -o pipefail + +SETUP_MODE=\$(sbctl status --json | xq -r '.setup_mode') + +[ "\$SETUP_MODE" = "false" ] && exit 0 + +cat <<EOL> /run/sbctl.yml +--- +keydir: /sysroot/boot/sbctl/keys +guid: /sysroot/boot/sbctl/GUID +EOL + +ESP=\$(blkid --label ESP) + +mount \$ESP /sysroot/boot && \ + sbctl --config /run/sbctl.yml create-keys && \ + sbctl --config /run/sbctl.yml enroll-keys --yolo && \ + # Sign EFIs + find /sysroot/boot -type f \( -iname "*.efi" -o -iname "*.EFI" \) -print0 | xargs -I {} sbctl --config /run/sbctl.yml sign {} + +umount /sysroot/boot && \ + systemctl reboot -f +EOF +chmod +x ./usr/bin/secure-boot-enroll + +cat <<EOF > ./usr/lib/systemd/system/secure-boot-enroll.service +[Unit] +Description=Enroll Secure Boot +DefaultDependencies=false +After=sysroot-run.mount +Requires=sysroot-run.mount +Before=systemd-repart.service initrd.target shutdown.target sysinit.target + +[Service] +Type=oneshot +ExecStart=/usr/bin/secure-boot-enroll +RemainAfterExit=yes +EOF +ln -sf ../secure-boot-enroll.service ./usr/lib/systemd/system/initrd-root-fs.target.wants/secure-boot-enroll.service + # bind mount /run to /sysroot/run cat <<EOF > ./usr/lib/systemd/system/sysroot-run.mount [Unit] diff --git a/pkgs/rootfs/mkrootfs.nix b/pkgs/rootfs/mkrootfs.nix index ca449b3..f98a219 100644 --- a/pkgs/rootfs/mkrootfs.nix +++ b/pkgs/rootfs/mkrootfs.nix 
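Review bot: `find /sysroot/boot -type f \( -iname "*.efi" -o -iname "*.EFI" \) -print0 | xargs -I {} sbctl --config /run/sbctl.yml sign {}` pairs NUL-delimited output with an xargs call that lacks `-0`, so GNU xargs will complain about NUL characters in its input and the EFI paths are not passed through as intended; use `xargs -0 -I {} sbctl --config /run/sbctl.yml sign {}` or `find ... -exec sbctl --config /run/sbctl.yml sign {} \;`. The same line reappears unchanged in pkgs/rootfs/secure-boot-enroll.sh in the next patch. `enroll-keys --yolo` also deserves a comment: it disables sbctl's pre-enrollment safety checks (in particular it does not enroll the Microsoft vendor certificates), so firmware components or option ROMs signed only by those will stop loading once this runs; `# --yolo: skip sbctl safety checks; MS certs are intentionally NOT enrolled` would record that decision.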
@@ -172,7 +172,13 @@ cp -P ${pkgs.kmod.lib}/lib/*.so* $out/usr/lib/ cp -P ${pkgs.kmod}/bin/* $out/usr/bin ### install libbpf -cp -P ${pkgs.libbpf}/lib/libbpf*.so* $out/usr/lib +cp -P ${pkgs.libbpf}/lib/libbpf*.so* $out/usr/lib/ + +### install secure boot tools +cp -P ${pkgs.sbctl}/bin/sbctl $out/usr/bin/ +rm -f $out/usr/bin/blkid +cp -P ${pkgs.util-linuxMinimal}/bin/blkid $out/usr/bin/ +cp -P ${pkgs.xq}/bin/xq $out/usr/bin/ ### install ca cert bundle chmod 755 $out/etc/ssl $out/etc/ssl/certs From a7b86fd03e26caf9429a12ac84dadaf9969aff5e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Mon, 17 Mar 2025 22:22:35 +0100 Subject: [PATCH 61/78] feat: add sysupdate definitions --- flake.nix | 3 +- pkgs/image/default.nix | 66 +++++++++++++++++++++++++++++-- pkgs/rootfs/mkinitrd.nix | 31 +++------------ pkgs/rootfs/mkrootfs.nix | 9 ++++- pkgs/rootfs/secure-boot-enroll.sh | 37 +++++++++++++++++ 5 files changed, 114 insertions(+), 32 deletions(-) create mode 100644 pkgs/rootfs/secure-boot-enroll.sh diff --git a/flake.nix b/flake.nix index 2358ab1..7c17fff 100644 --- a/flake.nix +++ b/flake.nix @@ -18,11 +18,12 @@ pkgs = import nixpkgs { inherit system; }; patosPkgs = self.packages.${system}; version = "0.0.1"; + updateUrl = "http://10.0.2.2:8000"; in { packages = { default = patosPkgs.image; - image = pkgs.callPackage ./pkgs/image { inherit patosPkgs version; }; + image = pkgs.callPackage ./pkgs/image { inherit patosPkgs version updateUrl; }; rootfs = pkgs.callPackage ./pkgs/rootfs/mkrootfs.nix { inherit patosPkgs version; }; initrd = pkgs.callPackage ./pkgs/rootfs/mkinitrd.nix { inherit patosPkgs version; }; kernel = pkgs.callPackage ./pkgs/kernel { }; diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix index 2084901..8f3acbf 100644 --- a/pkgs/image/default.nix +++ b/pkgs/image/default.nix 
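Review bot: `updateUrl = "http://10.0.2.2:8000"` is a plaintext HTTP source, and the three sysupdate transfers this patch adds in pkgs/image/default.nix (`10-uki.transfer`, `20-root.transfer`, `22-root.transfer`) all set `Verify=no`, so the UKI and the root/verity partition images are fetched and installed with neither transport nor manifest authentication — an on-path party on the update network could supply arbitrary images. 10.0.2.2 is the QEMU user-network host address, so this looks like a development placeholder; a comment such as `# dev-only: QEMU host. Production must use https and Verify=yes with a signed SHA256SUMS` would keep it from shipping as-is.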
@@ -3,13 +3,14 @@ patosPkgs, version, runCommand, - ... + updateUrl }: let pname = "patos-image"; in runCommand pname { inherit version; + inherit updateUrl; buildInputs = with pkgs; [ erofs-utils @@ -24,7 +25,7 @@ runCommand pname { SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root"; # -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking"; }; - kernelCmdLine = "console=ttyS0"; + kernelCmdLine = "console=ttyS0 patos.secureboot=true"; } '' mkdir -p $out/init.repart.d $out/final.repart.d @@ -70,6 +71,63 @@ ExecStartPost=rm -rf /boot/sbctl EOF ln -sf ../secure-boot-import-keys.service rootfs/usr/lib/systemd/system/sysinit.target.wants/secure-boot-import-keys.service +# sysupdate +mkdir -p rootfs/etc/sysupdate.d +cat <<EOF > rootfs/etc/sysupdate.d/10-uki.transfer +[Source] +Path=${updateUrl} +MatchPattern=patos_@v.efi +Type=url-file + +[Target] +InstancesMax=2 +MatchPattern=patos_@v+@l-@d.efi patos_@v+@l.efi patos_@v.efi +Mode=0444 +Path=/EFI/Linux +PathRelativeTo=esp +TriesDone=0 +TriesLeft=3 +Type=regular-file + +[Transfer] +Verify=no +EOF + +cat <<EOF > rootfs/etc/sysupdate.d/20-root.transfer +[Source] +Type=url-file +Path=${updateUrl} +MatchPattern=patos_@v_@u.verity + +[Target] +Type=partition +Path=auto +MatchPattern=verity-@v +MatchPartitionType=root-verity +ReadOnly=1 + +[Transfer] +Verify=no +EOF + +cat <<EOF > rootfs/etc/sysupdate.d/22-root.transfer +[Source] +Type=url-file +Path=${updateUrl} +MatchPattern=patos_@v_@u.root + +[Target] +Type=partition +Path=auto +MatchPattern=root-@v +MatchPartitionType=root +ReadOnly=1 + +[Transfer] +Verify=no +EOF + + # Initial partitioning cat <<EOF > init.repart.d/10-root.conf [Partition] @@ -146,8 +204,8 @@ cat <<EOF > final.repart.d/10-esp.conf [Partition] Type=esp Format=vfat -SizeMinBytes=96M -SizeMaxBytes=96M +SizeMinBytes=128M +SizeMaxBytes=128M CopyFiles=/rootfs/boot:/ EOF diff --git a/pkgs/rootfs/mkinitrd.nix b/pkgs/rootfs/mkinitrd.nix index 5cc6411..10399a6 100644 --- a/pkgs/rootfs/mkinitrd.nix 
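Review bot: `10-uki.transfer` installs downloaded `patos_@v.efi` files straight into `/EFI/Linux` on the ESP, but since PATCH 60 the Secure Boot db key is generated per device at first boot (secure-boot-enroll writes it under /sysroot/boot/sbctl), so a centrally served UKI cannot already carry that device's signature; unless a later step re-signs the downloaded UKI with the device-local sbctl key, it looks like updated UKIs would be rejected by the firmware once enrollment has happened. A comment at the transfer, `# NOTE: downloaded UKIs must be signed with the device-local db key before they can boot`, or a post-transfer signing step, would make the intended flow explicit. The `kernelCmdLine` hunk adds `patos.secureboot=true` as the switch the enrollment script reads; documenting that next to the option would help too.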
+++ b/pkgs/rootfs/mkinitrd.nix @@ -4,7 +4,12 @@ runCommand, ... }: +let + secureBootEnroll = ./secure-boot-enroll.sh; +in runCommand "patos-initrd" { + inherit secureBootEnroll; + buildInputs = with pkgs; [ cpio xz @@ -32,31 +37,7 @@ ln -sf /etc/os-release ./etc/initrd-release ln -sf initrd.target ./usr/lib/systemd/system/default.target # setup secure boot -cat <<EOF > ./usr/bin/secure-boot-enroll -#!/bin/sh -set -ex -o pipefail - -SETUP_MODE=\$(sbctl status --json | xq -r '.setup_mode') - -[ "\$SETUP_MODE" = "false" ] && exit 0 - -cat <<EOL> /run/sbctl.yml ---- -keydir: /sysroot/boot/sbctl/keys -guid: /sysroot/boot/sbctl/GUID -EOL - -ESP=\$(blkid --label ESP) - -mount \$ESP /sysroot/boot && \ - sbctl --config /run/sbctl.yml create-keys && \ - sbctl --config /run/sbctl.yml enroll-keys --yolo && \ - # Sign EFIs - find /sysroot/boot -type f \( -iname "*.efi" -o -iname "*.EFI" \) -print0 | xargs -I {} sbctl --config /run/sbctl.yml sign {} - -umount /sysroot/boot && \ - systemctl reboot -f -EOF +cat $secureBootEnroll > ./usr/bin/secure-boot-enroll chmod +x ./usr/bin/secure-boot-enroll cat <<EOF > ./usr/lib/systemd/system/secure-boot-enroll.service diff --git a/pkgs/rootfs/mkrootfs.nix b/pkgs/rootfs/mkrootfs.nix index f98a219..61e99d1 100644 --- a/pkgs/rootfs/mkrootfs.nix +++ b/pkgs/rootfs/mkrootfs.nix @@ -74,8 +74,8 @@ cat <<EOF > $out/etc/repart.d/10-esp.conf [Partition] Type=esp Format=vfat -SizeMaxBytes=96M -SizeMinBytes=96M +SizeMaxBytes=128M +SizeMinBytes=128M EOF cat <<EOF > $out/etc/repart.d/20-root-a.conf 
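Review bot: `cat $secureBootEnroll > ./usr/bin/secure-boot-enroll` followed by `chmod +x ./usr/bin/secure-boot-enroll` can be a single `install -m 0755 $secureBootEnroll ./usr/bin/secure-boot-enroll`, which also fails loudly if the source path is missing instead of producing an empty executable. The `let secureBootEnroll = ./secure-boot-enroll.sh;` binding plus `inherit secureBootEnroll;` is fine, but a one-line comment that this path becomes a store path passed into the build environment would help readers unfamiliar with Nix.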
@@ -178,7 +178,12 @@ cp -P ${pkgs.libbpf}/lib/libbpf*.so* $out/usr/lib/ cp -P ${pkgs.sbctl}/bin/sbctl $out/usr/bin/ rm -f $out/usr/bin/blkid cp -P ${pkgs.util-linuxMinimal}/bin/blkid $out/usr/bin/ +cp -P ${pkgs.util-linuxMinimal}/bin/lsblk $out/usr/bin/ +cp -P ${pkgs.bash}/bin/bash $out/usr/bin/ + +### install xq (jq clone) cp -P ${pkgs.xq}/bin/xq $out/usr/bin/ +ln -sf /usr/bin/xq $out/usr/bin/jq ### install ca cert bundle chmod 755 $out/etc/ssl $out/etc/ssl/certs diff --git a/pkgs/rootfs/secure-boot-enroll.sh b/pkgs/rootfs/secure-boot-enroll.sh new file mode 100644 index 0000000..9546027 --- /dev/null +++ b/pkgs/rootfs/secure-boot-enroll.sh @@ -0,0 +1,37 @@ +#!/bin/bash +set -ex -uo pipefail + +enroll= +for o in $(< /proc/cmdline); do + case $o in + patos.secureboot=*) + enroll=${o#*=} + ;; + esac +done + +if [ -z "$enroll" ]; then + echo 'No patos.secureboot= parameter on the kernel command line' >&2 + exit 0 +fi + +SETUP_MODE=$(sbctl status --json | jq -r '.setup_mode') + +[ "$SETUP_MODE" = "false" -o "$enroll" != "true" ] && exit 0 + +cat <<EOL> /run/sbctl.yml +--- +keydir: /sysroot/boot/sbctl/keys +guid: /sysroot/boot/sbctl/GUID +EOL + +ESP=$(blkid --label ESP) + +mount $ESP /sysroot/boot && \ + sbctl --config /run/sbctl.yml create-keys && \ + sbctl --config /run/sbctl.yml enroll-keys --yolo && \ + # Sign EFIs + find /sysroot/boot -type f \( -iname "*.efi" -o -iname "*.EFI" \) -print0 | xargs -I {} sbctl --config /run/sbctl.yml sign {} + +umount /sysroot/boot && \ + systemctl reboot -f From 91a5646555d4c9c2337d42d504c2a118a7591090 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 19 Mar 2025 13:21:52 +0100 Subject: [PATCH 62/78] fix: include uuid in sysupdate images --- flake.nix | 2 +- pkgs/image/default.nix | 10 +++++++--- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/flake.nix b/flake.nix index 7c17fff..9e92cc8 100644 --- a/flake.nix +++ b/flake.nix 
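Review bot: The guard `[ "$SETUP_MODE" = "false" -o "$enroll" != "true" ] && exit 0` fails open: if `sbctl status --json` lacks the key or `jq` prints `null`, the script goes on to create and enroll keys, so it should demand a positive answer, `[ "$SETUP_MODE" != "true" ] && exit 0` (the same check survives in the PATCH 64 rewrite of this file). The signing step pairs `find ... -print0` with `xargs -I {}` but no `-0`, so the NUL-delimited list is not consumed the way the find side intends; use `xargs -0 -I {} sbctl --config /run/sbctl.yml sign {}`, and quote `"$ESP"` in the mount line since it comes straight from blkid output. `enroll-keys --yolo` bypasses sbctl's enrollment safety checks, which is acceptable for the OVMF target but deserves a comment such as `# --yolo: skips sbctl firmware checks; only for firmware known to accept custom PK/KEK/db` so it is not carried onto real hardware unreviewed. The generated private keys sit under `/sysroot/boot/sbctl/keys` on the unencrypted ESP until the import service's `rm -rf /boot/sbctl` removes them, which is worth stating in a header comment.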
@@ -18,7 +18,7 @@ pkgs = import nixpkgs { inherit system; }; patosPkgs = self.packages.${system}; version = "0.0.1"; - updateUrl = "http://10.0.2.2:8000"; + updateUrl = "http://10.0.2.2:8000/"; in { packages = { diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix index 8f3acbf..e0a4a24 100644 --- a/pkgs/image/default.nix +++ b/pkgs/image/default.nix @@ -93,7 +93,7 @@ Type=regular-file Verify=no EOF -cat <<EOF > rootfs/etc/sysupdate.d/20-root.transfer +cat <<EOF > rootfs/etc/sysupdate.d/20-root-verity.transfer [Source] Type=url-file Path=${updateUrl} @@ -159,7 +159,7 @@ ${patosPkgs.systemd}/usr/bin/systemd-repart \ --split=true \ --json=pretty \ --root=$out \ - patos-$version.raw > init-repart-output.json && rm -f patos-$version.raw + patos_$version.raw > init-repart-output.json && rm -f patos_$version.raw roothash=$(jq -r '.[0].roothash' init-repart-output.json) rootPart=$(jq -r '.[0].split_path' init-repart-output.json) @@ -168,6 +168,9 @@ rootUuid=$(jq -r '.[0].uuid' init-repart-output.json) verityPart=$(jq -r '.[1].split_path' init-repart-output.json) verityUuid=$(jq -r '.[1].uuid' init-repart-output.json) +ln -sf patos_$version.verity.raw patos_${version}_$verityUuid.verity +ln -sf patos_$version.root.raw patos_${version}_$rootUuid.root + ${patosPkgs.systemd}/usr/bin/ukify build \ --linux ${patosPkgs.kernel}/bzImage \ --initrd ${patosPkgs.initrd}/initrd.xz \ @@ -238,9 +241,10 @@ ${patosPkgs.systemd}/usr/bin/systemd-repart \ --size=auto \ --definitions=./final.repart.d \ --root=$out \ - patos-${version}.raw > final-repart-output.json + patos_${version}.img > final-repart-output.json rm -rf rootfs +sha256sum *.root *.verity *.efi > SHA256SUMS popd '' From 6819565d790d5a6228161e9dd2b57f447566d5cc Mon Sep 17 00:00:00 2001 From: Daniel Lundin <dln@arity.se> Date: Wed, 19 Mar 2025 19:50:39 +0100 Subject: [PATCH 63/78] qemu: remove unused ssh port forward --- utils/qemu-uefi-tpm.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/utils/qemu-uefi-tpm.nix b/utils/qemu-uefi-tpm.nix index 4fcadfd..9087ada 100644 --- a/utils/qemu-uefi-tpm.nix +++ b/utils/qemu-uefi-tpm.nix @@ -12,7 +12,10 @@ pkgs.writeShellApplication { text = let - tpmOVMF = pkgs.OVMF.override { tpmSupport = true; secureBoot = true; }; + tpmOVMF = pkgs.OVMF.override { + tpmSupport = true; + secureBoot = true; + }; in '' set -ex @@ -44,7 +47,6 @@ pkgs.writeShellApplication { -chardev socket,id=chrtpm,path="$state/swtpm-sock" \ -tpmdev emulator,id=tpm0,chardev=chrtpm \ -device tpm-tis,tpmdev=tpm0 \ - -netdev id=net00,type=user,hostfwd=tcp::2222-:22 \ -device virtio-net-pci,netdev=net00 \ -drive "format=qcow2,file=$state/disk.qcow2" ''; From c748e172796965769cc28c63ae574f1da4f62a4e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 19 Mar 2025 15:03:15 +0100 Subject: [PATCH 64/78] chore(sb): use systemd kernel cmdline condition --- pkgs/image/default.nix | 8 +++----- pkgs/rootfs/mkinitrd.nix | 2 ++ pkgs/rootfs/mkrootfs.nix | 13 ++++--------- pkgs/rootfs/secure-boot-enroll.sh | 18 ++---------------- 4 files changed, 11 insertions(+), 30 deletions(-) diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix index e0a4a24..94748a3 100644 --- a/pkgs/image/default.nix +++ b/pkgs/image/default.nix @@ -22,7 +22,7 @@ runCommand pname { env = { # vfat options won't efi won't find the fs otherwise. SYSTEMD_REPART_MKFS_OPTIONS_VFAT = "-S 512 -c"; - SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root"; # -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking"; + SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking"; }; kernelCmdLine = "console=ttyS0 patos.secureboot=true"; @@ -218,8 +218,8 @@ Type=root Label=root-${version} CopyBlocks=/$rootPart UUID=$rootUuid -SizeMinBytes=256M -SizeMaxBytes=256M +SizeMinBytes=64M +SizeMaxBytes=64M ReadOnly=1 EOF 
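Review bot: Dropping the entire `-netdev id=net00,...` line leaves `-device virtio-net-pci,netdev=net00` on the next line referencing a backend that no longer exists, which QEMU is expected to reject at startup rather than run silently without networking; keeping `-netdev id=net00,type=user \` and removing only the `hostfwd=tcp::2222-:22` part matches the commit title. The `tpmOVMF` reformat in the first hunk is cosmetic. The shell text continues outside the hunk.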
@@ -229,8 +229,6 @@ Type=root-verity Label=verity-${version} CopyBlocks=/$verityPart UUID=$verityUuid -SizeMinBytes=10M -SizeMaxBytes=10M ReadOnly=1 EOF diff --git a/pkgs/rootfs/mkinitrd.nix b/pkgs/rootfs/mkinitrd.nix index 10399a6..c46ed9d 100644 --- a/pkgs/rootfs/mkinitrd.nix +++ b/pkgs/rootfs/mkinitrd.nix @@ -47,6 +47,8 @@ DefaultDependencies=false After=sysroot-run.mount Requires=sysroot-run.mount Before=systemd-repart.service initrd.target shutdown.target sysinit.target +ConditionKernelCommandLine=patos.secureboot=true +ConditionPathExists=|!/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c [Service] Type=oneshot diff --git a/pkgs/rootfs/mkrootfs.nix b/pkgs/rootfs/mkrootfs.nix index 61e99d1..257ffb6 100644 --- a/pkgs/rootfs/mkrootfs.nix +++ b/pkgs/rootfs/mkrootfs.nix @@ -81,23 +81,21 @@ EOF cat <<EOF > $out/etc/repart.d/20-root-a.conf [Partition] Type=root -SizeMaxBytes=256M -SizeMinBytes=256M +SizeMaxBytes=64M +SizeMinBytes=64M EOF cat <<EOF > $out/etc/repart.d/22-root-verify-a.conf [Partition] Type=root-verity -SizeMaxBytes=10M -SizeMinBytes=10M EOF cat <<EOF > $out/etc/repart.d/30-root-b.conf [Partition] Type=root Label=_empty -SizeMaxBytes=256M -SizeMinBytes=256M +SizeMaxBytes=64M +SizeMinBytes=64M ReadOnly=1 EOF @@ -105,8 +103,6 @@ cat <<EOF > $out/etc/repart.d/32-root-verity-b.conf [Partition] Type=root-verity Label=_empty -SizeMaxBytes=10M -SizeMinBytes=10M ReadOnly=1 EOF @@ -179,7 +175,6 @@ cp -P ${pkgs.sbctl}/bin/sbctl $out/usr/bin/ rm -f $out/usr/bin/blkid cp -P ${pkgs.util-linuxMinimal}/bin/blkid $out/usr/bin/ cp -P ${pkgs.util-linuxMinimal}/bin/lsblk $out/usr/bin/ -cp -P ${pkgs.bash}/bin/bash $out/usr/bin/ ### install xq (jq clone) cp -P ${pkgs.xq}/bin/xq $out/usr/bin/ diff --git a/pkgs/rootfs/secure-boot-enroll.sh b/pkgs/rootfs/secure-boot-enroll.sh index 9546027..2588baf 100644 --- a/pkgs/rootfs/secure-boot-enroll.sh +++ b/pkgs/rootfs/secure-boot-enroll.sh 
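Review bot: The `|` in `ConditionPathExists=|!/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c` makes it a triggering condition, but with a single triggering condition the unit starts exactly when both it and `ConditionKernelCommandLine=patos.secureboot=true` hold, the same as without the bar, so the prefix suggests an OR that does not exist. Drop the `|`, or add `# both must hold: enrolment requested on the (UKI-embedded) cmdline AND no PK enrolled yet` so the intent is explicit. Gating on the kernel command line rather than on a file is a sound choice here, since the cmdline is baked into the UKI by ukify and is covered by the UKI signature once the image is signed. The unit file continues before and after this hunk.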
@@ -1,23 +1,9 @@ -#!/bin/bash +#!/bin/sh set -ex -uo pipefail -enroll= -for o in $(< /proc/cmdline); do - case $o in - patos.secureboot=*) - enroll=${o#*=} - ;; - esac -done - -if [ -z "$enroll" ]; then - echo 'No patos.secureboot= parameter on the kernel command line' >&2 - exit 0 -fi - SETUP_MODE=$(sbctl status --json | jq -r '.setup_mode') -[ "$SETUP_MODE" = "false" -o "$enroll" != "true" ] && exit 0 +[ "$SETUP_MODE" = "false" ] && exit 0 cat <<EOL> /run/sbctl.yml --- From 4166b4c1fb0ba384d7f8de43b9517a9bfc0205be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 19 Mar 2025 15:03:15 +0100 Subject: [PATCH 65/78] feat: kernel modules as system extensions --- flake.nix | 2 +- pkgs/image/default.nix | 36 +++++++++++++++++++++++++++++++----- pkgs/kernel/generic.config | 10 +++++----- pkgs/rootfs/mkrootfs.nix | 2 ++ utils/qemu-uefi-tpm.nix | 1 + 5 files changed, 40 insertions(+), 11 deletions(-) diff --git a/flake.nix b/flake.nix index 9e92cc8..b4a7411 100644 --- a/flake.nix +++ b/flake.nix @@ -17,7 +17,7 @@ let pkgs = import nixpkgs { inherit system; }; patosPkgs = self.packages.${system}; - version = "0.0.1"; + version = "0.0.3"; updateUrl = "http://10.0.2.2:8000/"; in { diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix index 94748a3..452bf1f 100644 --- a/pkgs/image/default.nix +++ b/pkgs/image/default.nix 
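Review bot: The shebang moves to `#!/bin/sh` while `set -ex -uo pipefail` stays, and `pipefail` is not guaranteed by POSIX sh, so the script now depends on whichever shell provides `/bin/sh` in the initrd accepting that option (busybox ash does; not every sh does); a comment such as `# requires a /bin/sh with pipefail (busybox ash)` would make that dependency visible. Keeping `pipefail` matters here because `SETUP_MODE=$(sbctl status --json | jq -r '.setup_mode')` must abort the script rather than feed an empty value into the guard on the next line. The rest of the script is outside this hunk.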
@@ -25,18 +25,28 @@ runCommand pname { SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking"; }; - kernelCmdLine = "console=ttyS0 patos.secureboot=true"; + kernelCmdLine = "console=ttyS0 patos.secureboot=false"; } '' mkdir -p $out/init.repart.d $out/final.repart.d pushd $out -# Don't seem to work just to create a symlink to rootfs derivation? -# ln -sf $rootfs rootfs mkdir rootfs cp -prP ${patosPkgs.rootfs}/* rootfs/ find rootfs/ -type d -exec chmod 755 {} \; +# package kernel modules as sysext +pkgName="patos-kernel-modules-${version}" +mkdir -p ./tree/usr/lib/extension-release.d +cat << EOF > ./tree/usr/lib/extension-release.d/extension-release.patos-kernel-modules +ID=patos +IMAGE_ID=patos-kernel-modules +IMAGE_VERSION=${version} +VERSION_ID=patos +EOF +cp -Prp rootfs/usr/lib/modules ./tree/usr/lib/modules && rm -rf rootfs/usr/lib/modules +tar -cJf $pkgName.tar.xz -C ./tree . --owner=root:0 --group=root:0 && rm -rf tree + # set default target to multi-user ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target @@ -127,6 +137,22 @@ ReadOnly=1 Verify=no EOF +cat <<EOF > rootfs/etc/sysupdate.d/30-kernel-modules.transfer +[Source] +Type=url-tar +Path=${updateUrl} +MatchPattern=patos-kernel-modules-@v.tar.xz + +[Target] +Type=subvolume +Path=/var/lib/extensions +MatchPattern=patos-kernel-modules-@v +CurrentSymlink=patos-kernel-modules + +[Transfer] +Verify=no +EOF + # Initial partitioning cat <<EOF > init.repart.d/10-root.conf @@ -241,8 +267,8 @@ ${patosPkgs.systemd}/usr/bin/systemd-repart \ --root=$out \ patos_${version}.img > final-repart-output.json -rm -rf rootfs -sha256sum *.root *.verity *.efi > SHA256SUMS +rm -rf rootfs init.repart.d final.repart.d *.json +sha256sum *.root *.verity *.efi *.tar.xz > SHA256SUMS popd '' diff --git a/pkgs/kernel/generic.config b/pkgs/kernel/generic.config index 048421b..4c67b0a 100644 --- a/pkgs/kernel/generic.config +++ b/pkgs/kernel/generic.config 
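Review bot: `30-kernel-modules.transfer` pulls a plain tarball with `Verify=no` and unpacks it into `/var/lib/extensions` as a directory extension, so kernel modules reach the system with no authenticity check from sysupdate or sysext, and whatever module-signature policy the kernel enforces (not visible here) becomes the only line of defence. Enabling `Verify=yes` with a signed `SHA256SUMS`, or shipping the extension as a verity-protected image, would close that; PATCH 67 later moves to an erofs image with `veritysetup` carried inside the rootfs, which is the better shape. The first hunk also flips the default to `patos.secureboot=false` without saying so; that belongs in the commit message or in a one-line comment next to `kernelCmdLine`. The build script continues outside both hunks.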
@@ -276,7 +276,7 @@ CONFIG_BRIDGE_VLAN_FILTERING=y CONFIG_BRIDGE=y CONFIG_BSD_DISKLABEL=y CONFIG_BSD_PROCESS_ACCT=y -CONFIG_BTRFS_FS=m +CONFIG_BTRFS_FS=y CONFIG_BTRFS_FS_POSIX_ACL=y CONFIG_BUFFER_HEAD=y CONFIG_BUG_ON_DATA_CORRUPTION=y @@ -426,7 +426,7 @@ CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=y CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519=y CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=y CONFIG_CRYPTO_AUTHENC=y -CONFIG_CRYPTO_BLAKE2B=m +CONFIG_CRYPTO_BLAKE2B=y CONFIG_CRYPTO_BLAKE2S_X86=y CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CCM=y @@ -643,7 +643,7 @@ CONFIG_ELF_CORE=y CONFIG_ELFCORE=y CONFIG_ENA_ETHERNET=y CONFIG_ENCLOSURE_SERVICES=y -CONFIG_ENCRYPTED_KEYS=m +CONFIG_ENCRYPTED_KEYS=y CONFIG_ENIC=m CONFIG_EPOLL=y CONFIG_EROFS_FS_POSIX_ACL=y @@ -1953,7 +1953,7 @@ CONFIG_QUOTA_TREE=y CONFIG_QUOTA=y CONFIG_R8169=m CONFIG_RAID6_PQ_BENCHMARK=y -CONFIG_RAID6_PQ=m +CONFIG_RAID6_PQ=y CONFIG_RAID_ATTRS=y CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y @@ -2487,7 +2487,7 @@ CONFIG_XFS_QUOTA=y CONFIG_XFS_RT=y CONFIG_XFS_SUPPORT_ASCII_CI=y CONFIG_XFS_SUPPORT_V4=y -CONFIG_XOR_BLOCKS=m +CONFIG_XOR_BLOCKS=y CONFIG_XPS=y CONFIG_XXHASH=y CONFIG_XZ_DEC_ARMTHUMB=y diff --git a/pkgs/rootfs/mkrootfs.nix b/pkgs/rootfs/mkrootfs.nix index 257ffb6..235a70a 100644 --- a/pkgs/rootfs/mkrootfs.nix +++ b/pkgs/rootfs/mkrootfs.nix @@ -172,7 +172,9 @@ cp -P ${pkgs.libbpf}/lib/libbpf*.so* $out/usr/lib/ ### install secure boot tools cp -P ${pkgs.sbctl}/bin/sbctl $out/usr/bin/ +rm -f $out/usr/bin/tar rm -f $out/usr/bin/blkid +cp -P ${pkgs.gnutar}/bin/tar $out/usr/bin/ cp -P ${pkgs.util-linuxMinimal}/bin/blkid $out/usr/bin/ cp -P ${pkgs.util-linuxMinimal}/bin/lsblk $out/usr/bin/ diff --git a/utils/qemu-uefi-tpm.nix b/utils/qemu-uefi-tpm.nix index 9087ada..7d51868 100644 --- a/utils/qemu-uefi-tpm.nix +++ b/utils/qemu-uefi-tpm.nix 
@@ -47,6 +47,7 @@ pkgs.writeShellApplication { -chardev socket,id=chrtpm,path="$state/swtpm-sock" \ -tpmdev emulator,id=tpm0,chardev=chrtpm \ -device tpm-tis,tpmdev=tpm0 \ + -netdev id=net00,type=user \ -device virtio-net-pci,netdev=net00 \ -drive "format=qcow2,file=$state/disk.qcow2" ''; From 91191a29474d3b1a2aec4314c3ee8545b1339f03 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Thu, 20 Mar 2025 14:01:50 +0100 Subject: [PATCH 66/78] revert version --- flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index b4a7411..9e92cc8 100644 --- a/flake.nix +++ b/flake.nix @@ -17,7 +17,7 @@ let pkgs = import nixpkgs { inherit system; }; patosPkgs = self.packages.${system}; - version = "0.0.3"; + version = "0.0.1"; updateUrl = "http://10.0.2.2:8000/"; in { From a7de3101a8184a8a885a2973756fffb2f50e3bcf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Thu, 20 Mar 2025 16:06:31 +0100 Subject: [PATCH 67/78] chore: include kernel modules in rootfs as sysext --- pkgs/image/default.nix | 32 ++++---------------------------- pkgs/kernel/manual-config.nix | 18 ++++++++++++++++++ 2 files changed, 22 insertions(+), 28 deletions(-) diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix index 452bf1f..a248a09 100644 --- a/pkgs/image/default.nix +++ b/pkgs/image/default.nix 
@@ -35,17 +35,10 @@ mkdir rootfs cp -prP ${patosPkgs.rootfs}/* rootfs/ find rootfs/ -type d -exec chmod 755 {} \; -# package kernel modules as sysext -pkgName="patos-kernel-modules-${version}" -mkdir -p ./tree/usr/lib/extension-release.d -cat << EOF > ./tree/usr/lib/extension-release.d/extension-release.patos-kernel-modules -ID=patos -IMAGE_ID=patos-kernel-modules -IMAGE_VERSION=${version} -VERSION_ID=patos -EOF -cp -Prp rootfs/usr/lib/modules ./tree/usr/lib/modules && rm -rf rootfs/usr/lib/modules -tar -cJf $pkgName.tar.xz -C ./tree . --owner=root:0 --group=root:0 && rm -rf tree +# package kernel modules as sysext (will reduce the image size a little bit (~3MB)) +mkdir rootfs/etc/extensions +rm -rf rootfs/usr/lib/modules +cp ${patosPkgs.kernel}/patos-kernel-modules* rootfs/etc/extensions/ # set default target to multi-user ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target @@ -137,23 +130,6 @@ ReadOnly=1 Verify=no EOF -cat <<EOF > rootfs/etc/sysupdate.d/30-kernel-modules.transfer -[Source] -Type=url-tar -Path=${updateUrl} -MatchPattern=patos-kernel-modules-@v.tar.xz - -[Target] -Type=subvolume -Path=/var/lib/extensions -MatchPattern=patos-kernel-modules-@v -CurrentSymlink=patos-kernel-modules - -[Transfer] -Verify=no -EOF - - # Initial partitioning cat <<EOF > init.repart.d/10-root.conf [Partition] diff --git a/pkgs/kernel/manual-config.nix b/pkgs/kernel/manual-config.nix index 9f1ba99..98b09f8 100644 --- a/pkgs/kernel/manual-config.nix +++ b/pkgs/kernel/manual-config.nix @@ -22,6 +22,8 @@ pahole, kmod, ubootTools, + erofs-utils, + cryptsetup, fetchpatch, rustc, rust-bindgen, @@ -224,6 +226,8 @@ lib.makeOverridable ( python3Minimal kmod hexdump + erofs-utils + cryptsetup ] ++ optional needsUbootTools ubootTools ++ optionals (lib.versionAtLeast version "5.2") [ 
@@ -496,6 +500,20 @@ lib.makeOverridable ( # Delete empty directories find -empty -type d -delete + + pkgName="patos-kernel-modules" + mkdir -p $out/tree/usr/lib/extension-release.d + cat << EOF > $out/tree/usr/lib/extension-release.d/extension-release.$pkgName + ID=patos + IMAGE_ID=$pkgName + IMAGE_VERSION=${version} + VERSION_ID=patos + EOF + cp -Prp $out/lib/modules $out/tree/usr/lib/modules + find $out/tree -type d -exec chmod 0755 {} \; + mkfs.erofs --all-root -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking $out/$pkgName.raw $out/tree/ + veritysetup format --root-hash-file $out/$pkgName.roothash $out/$pkgName.raw $out/$pkgName.verity + chmod -R 755 $out/tree && rm -rf $out/tree ''; requiredSystemFeatures = [ "big-parallel" ]; From 2841610f418660be880ccfde482255b0de71394d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 26 Mar 2025 10:30:23 +0100 Subject: [PATCH 68/78] chore: bump kernel version --- pkgs/kernel/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/kernel/default.nix b/pkgs/kernel/default.nix index a5f24db..51a05bf 100644 --- a/pkgs/kernel/default.nix +++ b/pkgs/kernel/default.nix @@ -1,7 +1,7 @@ { pkgs }: let - version = "6.13.7"; - hash = "sha256-Ojm2IDi3rC9D0mofhLQoPhl4BOHoF61jfpo9h0xHgB0="; + version = "6.13.8"; + hash = "sha256-JZr6Wdc9Z2vsKuib6s2UngjVTT9wp/iwp0IxUJV1Grs="; in (pkgs.callPackage ./manual-config.nix { }) { version = "${version}-patos1"; From bb708e3e61102caef9337c45f29b033dfd2b4ebe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 26 Mar 2025 10:37:38 +0100 Subject: [PATCH 69/78] feat(image): parameter to include microcode and secureboot --- flake.nix | 4 +++- pkgs/image/default.nix | 14 ++++++++++---- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/flake.nix b/flake.nix index 9e92cc8..99fce5b 100644 --- a/flake.nix +++ b/flake.nix 
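Review bot: `veritysetup format --root-hash-file` produces a `.roothash` sidecar but nothing signs it, so a consumer can only check the image against a hash that ships beside it; authenticity would need a PKCS#7 signature of the root hash (systemd looks for a `.roothash.p7s` next to the image). As long as the extension is copied into the verity-protected rootfs, as the PATCH 67 image hunk does, the root partition's own verity covers it, but if it is ever served separately again the unsigned root hash adds nothing, so a comment above `mkfs.erofs` naming the trust anchor, e.g. `# integrity of this sysext comes from the rootfs verity it is installed into; the .roothash is unsigned`, would keep that clear. The install script starts before this hunk.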
@@ -18,12 +18,14 @@ pkgs = import nixpkgs { inherit system; }; patosPkgs = self.packages.${system}; version = "0.0.1"; + secureBoot = "false"; + cpuArch = "intel"; updateUrl = "http://10.0.2.2:8000/"; in { packages = { default = patosPkgs.image; - image = pkgs.callPackage ./pkgs/image { inherit patosPkgs version updateUrl; }; + image = pkgs.callPackage ./pkgs/image { inherit patosPkgs version updateUrl cpuArch secureBoot; }; rootfs = pkgs.callPackage ./pkgs/rootfs/mkrootfs.nix { inherit patosPkgs version; }; initrd = pkgs.callPackage ./pkgs/rootfs/mkinitrd.nix { inherit patosPkgs version; }; kernel = pkgs.callPackage ./pkgs/kernel { }; diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix index a248a09..05d9c72 100644 --- a/pkgs/image/default.nix +++ b/pkgs/image/default.nix @@ -1,16 +1,21 @@ { + lib, pkgs, patosPkgs, version, runCommand, - updateUrl + updateUrl, + cpuArch ? "", + secureBoot ? "false" }: let pname = "patos-image"; in runCommand pname { - inherit version; - inherit updateUrl; + inherit version cpuArch updateUrl secureBoot; + + microcode = lib.optionalString (cpuArch == "amd") "--microcode ${pkgs.microcode-amd}/amd-ucode.img" + + lib.optionalString (cpuArch == "intel") "--microcode ${pkgs.microcode-intel}/intel-ucode.img"; buildInputs = with pkgs; [ erofs-utils @@ -25,7 +30,7 @@ runCommand pname { SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking"; }; - kernelCmdLine = "console=ttyS0 patos.secureboot=false"; + kernelCmdLine = "console=ttyS0 patos.secureboot=${secureBoot}"; } '' mkdir -p $out/init.repart.d $out/final.repart.d @@ -176,6 +181,7 @@ ln -sf patos_$version.root.raw patos_${version}_$rootUuid.root ${patosPkgs.systemd}/usr/bin/ukify build \ --linux ${patosPkgs.kernel}/bzImage \ --initrd ${patosPkgs.initrd}/initrd.xz \ + $microcode \ --os-release @rootfs/etc/os-release \ --cmdline "$kernelCmdLine roothash=$roothash" \ -o patos_${version}.efi 
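Review bot: `secureBoot ? "false"` is a string interpolated verbatim into `kernelCmdLine = "console=ttyS0 patos.secureboot=${secureBoot}"`, so any value other than `true`/`false`, including one containing spaces, lands unchecked in the signed kernel command line; a Nix boolean is safer: `secureBoot ? false` in the argument set, `patos.secureboot=${lib.boolToString secureBoot}` in the cmdline, and `secureBoot = false;` in flake.nix. `lib` is already added to the argument set for `optionalString`, so no further change is needed. Because `patos.secureboot` is what the initrd's `ConditionKernelCommandLine` keys on, a short comment at the definition saying that it selects key enrolment in the initrd would help the next reader. The runCommand attribute set continues outside the hunk.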
From 242294eb8dba13d301acb2a5b463cf3648eb7df8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 26 Mar 2025 11:13:16 +0100 Subject: [PATCH 70/78] chore: nix flake update --- flake.lock | 6 +++--- pkgs/busybox/default.nix | 8 +++----- pkgs/openssl/default.nix | 9 +++------ 3 files changed, 9 insertions(+), 14 deletions(-) diff --git a/flake.lock b/flake.lock index 85be38f..2272d3d 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1739020877, - "narHash": "sha256-mIvECo/NNdJJ/bXjNqIh8yeoSjVLAuDuTUzAo7dzs8Y=", + "lastModified": 1742669843, + "narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a79cfe0ebd24952b580b1cf08cd906354996d547", + "rev": "1e5b653dff12029333a6546c11e108ede13052eb", "type": "github" }, "original": { diff --git a/pkgs/busybox/default.nix b/pkgs/busybox/default.nix index e318d8a..6f22641 100644 --- a/pkgs/busybox/default.nix +++ b/pkgs/busybox/default.nix @@ -1,6 +1,7 @@ { stdenv, lib, + pkgs, buildPackages, fetchurl, fetchpatch, @@ -57,15 +58,12 @@ in stdenv.mkDerivation rec { pname = "busybox"; - version = "1.36.1"; + version = pkgs.busybox.version; # Note to whoever is updating busybox: please verify that: # nix-build pkgs/stdenv/linux/make-bootstrap-tools.nix -A test # still builds after the update. - src = fetchurl { - url = "https://busybox.net/downloads/${pname}-${version}.tar.bz2"; - sha256 = "sha256-uMwkyVdNgJ5yecO+NJeVxdXOtv3xnKcJ+AzeUOR94xQ="; - }; + src = pkgs.busybox.src; hardeningDisable = [ "format" diff --git a/pkgs/openssl/default.nix b/pkgs/openssl/default.nix index bc833cc..08c1309 100644 --- a/pkgs/openssl/default.nix +++ b/pkgs/openssl/default.nix @@ -1,5 +1,6 @@ { lib, + pkgs, stdenv, fetchurl, perl, 
@@ -18,13 +19,9 @@ stdenv.mkDerivation rec { pname = "openssl"; - version = "3.4.1"; - hash = "sha256-ACotazC1i/S+pGxDvdljZar42qbEKHgqpP7uBtoZffM="; + version = pkgs.openssl.version; - src = fetchurl { - url = "https://github.com/openssl/openssl/releases/download/openssl-${version}/openssl-${version}.tar.gz"; - hash = hash; - }; + src = pkgs.openssl.src; outputs = [ "out" ]; From c470bf6d595176023198e1164db01f00aa177c50 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 26 Mar 2025 11:49:37 +0100 Subject: [PATCH 71/78] chore: track upstream nixpkgs for our forks --- pkgs/dbus-broker/default.nix | 9 ++------- pkgs/lvm2/default.nix | 13 ++++--------- pkgs/result | 1 + pkgs/tpm2-tools/default.nix | 11 +++++------ pkgs/tpm2-tss/default.nix | 10 +++------- 5 files changed, 15 insertions(+), 29 deletions(-) create mode 120000 pkgs/result diff --git a/pkgs/dbus-broker/default.nix b/pkgs/dbus-broker/default.nix index 809f3ce..0002d9c 100644 --- a/pkgs/dbus-broker/default.nix +++ b/pkgs/dbus-broker/default.nix @@ -100,14 +100,9 @@ in stdenv.mkDerivation (finalAttrs: { pname = "dbus-broker"; - version = "36"; + version = pkgs.dbus-broker.version; - src = fetchFromGitHub { - owner = "bus1"; - repo = "dbus-broker"; - rev = "v${finalAttrs.version}"; - hash = "sha256-5dAMKjybqrHG57vArbtWEPR/svSj2ION75JrjvnnpVM="; - }; + src = pkgs.dbus-broker.src; nativeBuildInputs = with pkgs; [ docutils diff --git a/pkgs/lvm2/default.nix b/pkgs/lvm2/default.nix index f211e26..8d18663 100644 --- a/pkgs/lvm2/default.nix +++ b/pkgs/lvm2/default.nix @@ -1,5 +1,6 @@ { stdenv, + pkgs, fetchurl, lib, pkg-config, 
@@ -7,17 +8,11 @@ udev, }: -stdenv.mkDerivation rec { +stdenv.mkDerivation { pname = "lvm2"; - version = "2.03.30"; + version = pkgs.lvm2.version; - src = fetchurl { - urls = [ - "https://mirrors.kernel.org/sourceware/lvm2/LVM2.${version}.tgz" - "ftp://sourceware.org/pub/lvm2/LVM2.${version}.tgz" - ]; - hash = "sha256-rXar7LjciHcz4GxEnLmt0Eo1BvnweAwSiBem4aF87AU="; - }; + src = pkgs.lvm2.src; nativeBuildInputs = [ pkg-config diff --git a/pkgs/result b/pkgs/result new file mode 120000 index 0000000..301e3b1 --- /dev/null +++ b/pkgs/result @@ -0,0 +1 @@ +/nix/store/9m1cdv4fiky0mihfx3ck8vcknclcagn2-patos-image \ No newline at end of file diff --git a/pkgs/tpm2-tools/default.nix b/pkgs/tpm2-tools/default.nix index f447fe6..4bb14c1 100644 --- a/pkgs/tpm2-tools/default.nix +++ b/pkgs/tpm2-tools/default.nix @@ -1,5 +1,6 @@ { stdenv, + pkgs, fetchurl, lib, pandoc, @@ -10,19 +11,17 @@ libuuid, }: -stdenv.mkDerivation rec { +stdenv.mkDerivation { pname = "tpm2-tools"; - version = "5.7"; + version = pkgs.tpm2-tools.version; - src = fetchurl { - url = "https://github.com/tpm2-software/${pname}/releases/download/${version}/${pname}-${version}.tar.gz"; - sha256 = "sha256-OBDTa1B5JW9PL3zlUuIiE9Q7EDHBMVON+KLbw8VwmDo="; - }; + src = pkgs.tpm2-tools.src; nativeBuildInputs = [ pandoc pkg-config ]; + buildInputs = [ curl openssl diff --git a/pkgs/tpm2-tss/default.nix b/pkgs/tpm2-tss/default.nix index 5e23100..5a6477a 100644 --- a/pkgs/tpm2-tss/default.nix +++ b/pkgs/tpm2-tss/default.nix @@ -1,5 +1,6 @@ { stdenv, + pkgs, lib, fetchFromGitHub, autoreconfHook, @@ -19,14 +20,9 @@ stdenv.mkDerivation rec { pname = "tpm2-tss"; - version = "4.1.3"; + version = pkgs.tpm2-tss.version; - src = fetchFromGitHub { - owner = "tpm2-software"; - repo = pname; - rev = version; - hash = "sha256-BP28utEUI9g1VNv3lCXuiKrDtEImFQxxZfIjLiE3Wr8="; - }; + src = pkgs.tpm2-tss.src; patches = [ ./no-shadow.patch From d10bd7bb04c494ef37096467d34135b4b447ca61 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 26 Mar 2025 11:57:03 +0100 Subject: [PATCH 72/78] fix(rootfs): symlink /var/tmp to /tmp if no state partition available this enable systemd networkd and resolved to work --- pkgs/result | 1 - pkgs/rootfs/mkrootfs.nix | 3 ++- 2 files changed, 2 insertions(+), 2 deletions(-) delete mode 120000 pkgs/result diff --git a/pkgs/result b/pkgs/result deleted file mode 120000 index 301e3b1..0000000 --- a/pkgs/result +++ /dev/null @@ -1 +0,0 @@ -/nix/store/9m1cdv4fiky0mihfx3ck8vcknclcagn2-patos-image \ No newline at end of file diff --git a/pkgs/rootfs/mkrootfs.nix b/pkgs/rootfs/mkrootfs.nix index 235a70a..bda4c7d 100644 --- a/pkgs/rootfs/mkrootfs.nix +++ b/pkgs/rootfs/mkrootfs.nix @@ -21,11 +21,12 @@ runCommand "patos-rootfs" '' ### create directory structure mkdir -p $out/etc/repart.d $out/dev $out/proc $out/sys \ - $out/tmp $out/root $out/run $out/boot $out/mnt $out/home $out/srv $out/var/tmp + $out/tmp $out/root $out/run $out/boot $out/mnt $out/home $out/srv $out/var ln -sf /usr/bin $out/bin ln -sf /usr/bin $out/sbin ln -sf /usr/lib $out/lib ln -sf /usr/lib $out/lib64 +ln -sf /tmp $out/var/tmp ln -sf ../proc/self/mounts $out/etc/mtab ### install systemd From 58861e6de6c80d6b93609185048f2a98e515b444 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Thu, 17 Apr 2025 19:06:37 +0200 Subject: [PATCH 73/78] chore: upgrade systemd --- pkgs/systemd/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/systemd/default.nix b/pkgs/systemd/default.nix index a1cb314..a93fd76 100644 --- a/pkgs/systemd/default.nix +++ b/pkgs/systemd/default.nix @@ -7,7 +7,7 @@ ... }: let - version = "257.4"; + version = "257.5"; # Use the command below to update `releaseTimestamp` on every (major) version # change. More details in the commentary at mesonFlags. From 92c204231b7cfaa9f3b880e8d3b27af2ad6474d5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Sat, 19 Apr 2025 22:56:00 +0200 Subject: [PATCH 74/78] chore: nix flake update --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 2272d3d..3725da4 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1742669843, - "narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=", + "lastModified": 1744932701, + "narHash": "sha256-fusHbZCyv126cyArUwwKrLdCkgVAIaa/fQJYFlCEqiU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1e5b653dff12029333a6546c11e108ede13052eb", + "rev": "b024ced1aac25639f8ca8fdfc2f8c4fbd66c48ef", "type": "github" }, "original": { From 15227256ecf0e8aea67d3ebb21e2122a7b6a0f46 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Sat, 19 Apr 2025 23:06:44 +0200 Subject: [PATCH 75/78] chore: kernel upgrade --- pkgs/kernel/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/kernel/default.nix b/pkgs/kernel/default.nix index 51a05bf..1297825 100644 --- a/pkgs/kernel/default.nix +++ b/pkgs/kernel/default.nix @@ -1,7 +1,7 @@ { pkgs }: let - version = "6.13.8"; - hash = "sha256-JZr6Wdc9Z2vsKuib6s2UngjVTT9wp/iwp0IxUJV1Grs="; + version = "6.14.2"; + hash = "sha256-xcaCo1TqMZATk1elfTSnnlw3IhrOgjqTjhARa1d6Lhs="; in (pkgs.callPackage ./manual-config.nix { }) { version = "${version}-patos1"; From b7e526454b66c1aca7875fcab107cc3fbb780099 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Tue, 6 May 2025 18:12:03 +0200 Subject: [PATCH 76/78] chore: nix update --- flake.lock | 6 +++--- pkgs/kernel/default.nix | 4 ++-- pkgs/systemd/default.nix | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 3725da4..bb33fd6 100644 --- a/flake.lock +++ b/flake.lock 
@@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1744932701, - "narHash": "sha256-fusHbZCyv126cyArUwwKrLdCkgVAIaa/fQJYFlCEqiU=", + "lastModified": 1746328495, + "narHash": "sha256-uKCfuDs7ZM3QpCE/jnfubTg459CnKnJG/LwqEVEdEiw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b024ced1aac25639f8ca8fdfc2f8c4fbd66c48ef", + "rev": "979daf34c8cacebcd917d540070b52a3c2b9b16e", "type": "github" }, "original": { diff --git a/pkgs/kernel/default.nix b/pkgs/kernel/default.nix index 1297825..dcd382d 100644 --- a/pkgs/kernel/default.nix +++ b/pkgs/kernel/default.nix @@ -1,7 +1,7 @@ { pkgs }: let - version = "6.14.2"; - hash = "sha256-xcaCo1TqMZATk1elfTSnnlw3IhrOgjqTjhARa1d6Lhs="; + version = "6.14.4"; + hash = "sha256-lFLyjXoAUfukiGcSOVtITEx/z5+FlEpi/T2X3JI/Uzk="; in (pkgs.callPackage ./manual-config.nix { }) { version = "${version}-patos1"; diff --git a/pkgs/systemd/default.nix b/pkgs/systemd/default.nix index a93fd76..db0b64c 100644 --- a/pkgs/systemd/default.nix +++ b/pkgs/systemd/default.nix @@ -27,7 +27,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "systemd"; repo = "systemd"; rev = "v${version}"; - hash = "sha256-6rxJUYRq785U6aik5VhQRqG+Ss67lBB6T3eQF+tkyhk="; + hash = "sha256-mn/JB/nrOz2TOobu2d+XBH2dVH3vn/HPvWN4Zz6s+SM="; }; patches = [ ./skip-verify-esp.patch ]; From af2a063ff2dfed7b8270f72e1d4c6f856b8be7ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Wed, 7 May 2025 06:26:16 +0200 Subject: [PATCH 77/78] chore: kernel upgrade --- pkgs/kernel/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/kernel/default.nix b/pkgs/kernel/default.nix index dcd382d..703b612 100644 --- a/pkgs/kernel/default.nix +++ b/pkgs/kernel/default.nix 
@@ -1,7 +1,7 @@ { pkgs }: let - version = "6.14.4"; - hash = "sha256-lFLyjXoAUfukiGcSOVtITEx/z5+FlEpi/T2X3JI/Uzk="; + version = "6.14.5"; + hash = "sha256-KCB+xSu+qjUHAQrv+UT0QvfZ8isoa3nK9F7G3xsk9Ak="; in (pkgs.callPackage ./manual-config.nix { }) { version = "${version}-patos1"; From 8ee40679fc722db4cce24f7f0eb4a1bb159c2a0f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se> Date: Mon, 12 May 2025 19:40:51 +0200 Subject: [PATCH 78/78] chore: os update --- flake.lock | 6 +++--- pkgs/kernel/default.nix | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index bb33fd6..affeabc 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1746328495, - "narHash": "sha256-uKCfuDs7ZM3QpCE/jnfubTg459CnKnJG/LwqEVEdEiw=", + "lastModified": 1746904237, + "narHash": "sha256-3e+AVBczosP5dCLQmMoMEogM57gmZ2qrVSrmq9aResQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "979daf34c8cacebcd917d540070b52a3c2b9b16e", + "rev": "d89fc19e405cb2d55ce7cc114356846a0ee5e956", "type": "github" }, "original": { diff --git a/pkgs/kernel/default.nix b/pkgs/kernel/default.nix index 703b612..6b8bb21 100644 --- a/pkgs/kernel/default.nix +++ b/pkgs/kernel/default.nix @@ -1,7 +1,7 @@ { pkgs }: let - version = "6.14.5"; - hash = "sha256-KCB+xSu+qjUHAQrv+UT0QvfZ8isoa3nK9F7G3xsk9Ak="; + version = "6.14.6"; + hash = "sha256-IYF/GZjiIw+B9+T2Bfpv3LBA4U+ifZnCfdsWznSXl6k="; in (pkgs.callPackage ./manual-config.nix { }) { version = "${version}-patos1";