Compare commits
15 commits
dln/push-k
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
| df4c60d87c | |||
| c883ff1cb2 | |||
| d42406c6dc | |||
| 7c0d0a099d | |||
| 8ee40679fc | |||
| af2a063ff2 | |||
| b7e526454b | |||
| 15227256ec | |||
| 92c204231b | |||
| 58861e6de6 | |||
| d10bd7bb04 | |||
| c470bf6d59 | |||
| 242294eb8d | |||
| bb708e3e61 | |||
| 2841610f41 |
13 changed files with 256 additions and 296 deletions
flake.lockflake.nix
pkgs
busybox
dbus-broker
image
kernel
kexec-tools
lvm2
openssl
rootfs
systemd
tpm2-tools
tpm2-tss
6
flake.lock
generated
6
flake.lock
generated
|
|
@ -20,11 +20,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1739020877,
|
||||
"narHash": "sha256-mIvECo/NNdJJ/bXjNqIh8yeoSjVLAuDuTUzAo7dzs8Y=",
|
||||
"lastModified": 1747542820,
|
||||
"narHash": "sha256-GaOZntlJ6gPPbbkTLjbd8BMWaDYafhuuYRNrxCGnPJw=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "a79cfe0ebd24952b580b1cf08cd906354996d547",
|
||||
"rev": "292fa7d4f6519c074f0a50394dbbe69859bb6043",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
|||
13
flake.nix
13
flake.nix
|
|
@ -18,12 +18,14 @@
|
|||
pkgs = import nixpkgs { inherit system; };
|
||||
patosPkgs = self.packages.${system};
|
||||
version = "0.0.1";
|
||||
secureBoot = "false";
|
||||
cpuArch = "intel";
|
||||
updateUrl = "http://10.0.2.2:8000/";
|
||||
in
|
||||
{
|
||||
packages = {
|
||||
default = patosPkgs.image;
|
||||
image = pkgs.callPackage ./pkgs/image { inherit patosPkgs version updateUrl; };
|
||||
image = pkgs.callPackage ./pkgs/image { inherit patosPkgs version updateUrl cpuArch secureBoot; };
|
||||
rootfs = pkgs.callPackage ./pkgs/rootfs/mkrootfs.nix { inherit patosPkgs version; };
|
||||
initrd = pkgs.callPackage ./pkgs/rootfs/mkinitrd.nix { inherit patosPkgs version; };
|
||||
kernel = pkgs.callPackage ./pkgs/kernel { };
|
||||
|
|
@ -47,6 +49,13 @@
|
|||
{ drv = pkgs.curl; path = "bin/curl"; }
|
||||
{ drv = pkgs.bash; path = "bin/bash"; }
|
||||
{ drv = patosPkgs.glibc; path = "bin/ldd"; }
|
||||
{ drv = pkgs.util-linux; path = "bin/sfdisk"; }
|
||||
{ drv = pkgs.readline.out; path = "lib/libreadline.so.8.2"; }
|
||||
{ drv = pkgs.readline.out; path = "lib/libreadline.so.8"; }
|
||||
{ drv = pkgs.readline.out; path = "lib/libhistory.so.8.2"; }
|
||||
{ drv = pkgs.readline.out; path = "lib/libhistory.so.8"; }
|
||||
{ drv = pkgs.ncurses.out; path = "/lib/libncursesw.so.6.5"; }
|
||||
{ drv = pkgs.ncurses.out; path = "/lib/libncursesw.so.6"; }
|
||||
{ drv = pkgs.keyutils; path = "bin/keyctl"; }
|
||||
{ drv = pkgs.gnutar; path = "bin/tar"; }
|
||||
{ drv = pkgs.binutils-unwrapped; path = "bin/strings"; }
|
||||
|
|
@ -67,7 +76,7 @@
|
|||
# shared lib required for binutils
|
||||
{ drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1.0.0"; }
|
||||
{ drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1"; }
|
||||
{ drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd-2.43.1.so"; }
|
||||
{ drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd-2.44.so"; }
|
||||
{ drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd.so"; }
|
||||
# shared lib required for strace
|
||||
{ drv = pkgs.elfutils.out; path = "lib/libdw-0.192.so"; }
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
{
|
||||
stdenv,
|
||||
lib,
|
||||
pkgs,
|
||||
buildPackages,
|
||||
fetchurl,
|
||||
fetchpatch,
|
||||
|
|
@ -57,15 +58,12 @@ in
|
|||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "busybox";
|
||||
version = "1.36.1";
|
||||
version = pkgs.busybox.version;
|
||||
|
||||
# Note to whoever is updating busybox: please verify that:
|
||||
# nix-build pkgs/stdenv/linux/make-bootstrap-tools.nix -A test
|
||||
# still builds after the update.
|
||||
src = fetchurl {
|
||||
url = "https://busybox.net/downloads/${pname}-${version}.tar.bz2";
|
||||
sha256 = "sha256-uMwkyVdNgJ5yecO+NJeVxdXOtv3xnKcJ+AzeUOR94xQ=";
|
||||
};
|
||||
src = pkgs.busybox.src;
|
||||
|
||||
hardeningDisable = [
|
||||
"format"
|
||||
|
|
|
|||
|
|
@ -100,14 +100,9 @@ in
|
|||
|
||||
stdenv.mkDerivation (finalAttrs: {
|
||||
pname = "dbus-broker";
|
||||
version = "36";
|
||||
version = pkgs.dbus-broker.version;
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "bus1";
|
||||
repo = "dbus-broker";
|
||||
rev = "v${finalAttrs.version}";
|
||||
hash = "sha256-5dAMKjybqrHG57vArbtWEPR/svSj2ION75JrjvnnpVM=";
|
||||
};
|
||||
src = pkgs.dbus-broker.src;
|
||||
|
||||
nativeBuildInputs = with pkgs; [
|
||||
docutils
|
||||
|
|
|
|||
|
|
@ -5,282 +5,252 @@
|
|||
version,
|
||||
runCommand,
|
||||
updateUrl,
|
||||
cpuArch ? "",
|
||||
secureBoot ? "false"
|
||||
}:
|
||||
let
|
||||
pname = "patos-image";
|
||||
|
||||
writeConf =
|
||||
name: attrs:
|
||||
pkgs.writeTextFile {
|
||||
name = name;
|
||||
text = lib.generators.toINI {
|
||||
mkKeyValue = lib.generators.mkKeyValueDefault {
|
||||
mkValueString =
|
||||
v:
|
||||
if v == true then
|
||||
''"yes"''
|
||||
else if v == false then
|
||||
''"no"''
|
||||
else if lib.isString v then
|
||||
''"${v}"''
|
||||
else
|
||||
lib.generators.mkValueStringDefault { } v;
|
||||
} "=";
|
||||
} attrs;
|
||||
};
|
||||
|
||||
secureBootImportKeys = writeConf "secure-boot-import-keys.service" {
|
||||
Unit = {
|
||||
Description = "Import Secure Boot keys";
|
||||
DefaultDependencies = false;
|
||||
RequiresMountsFor = "/var/lib/sbctl /boot";
|
||||
ConditionPathExists = "/boot/sbctl/keys";
|
||||
After = "local-fs.target";
|
||||
};
|
||||
|
||||
Service = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
ExecStart = "sbctl import-keys -d /boot/sbctl/keys";
|
||||
ExecStartPost = "rm -rf /boot/sbctl";
|
||||
};
|
||||
};
|
||||
|
||||
ukiTransfer = writeConf "10-uki.transfer" {
|
||||
Source = {
|
||||
Path = updateUrl;
|
||||
MatchPattern = "patos_@v.efi";
|
||||
Type = "url-file";
|
||||
};
|
||||
|
||||
Target = {
|
||||
InstancesMax = 2;
|
||||
MatchPattern = "patos_@v+@l-@d.efi patos_@v+@l.efi patos_@v.efi";
|
||||
Mode = "0444";
|
||||
Path = "/EFI/Linux";
|
||||
PathRelativeTo = "esp";
|
||||
TriesDone = 0;
|
||||
TriesLeft = 3;
|
||||
Type = "regular-file";
|
||||
};
|
||||
|
||||
Transfer = {
|
||||
Verify = false;
|
||||
};
|
||||
};
|
||||
|
||||
rootVerityTransfer = writeConf "22-root-verity.transfer" {
|
||||
Source = {
|
||||
Type = "url-file";
|
||||
Path = updateUrl;
|
||||
MatchPattern = "patos_@v_@u.verity";
|
||||
};
|
||||
|
||||
Target = {
|
||||
Type = "partition";
|
||||
Path = "auto";
|
||||
MatchPattern = "verity-@v";
|
||||
MatchPartitionType = "root-verity";
|
||||
ReadOnly = "1";
|
||||
};
|
||||
|
||||
Transfer = {
|
||||
Verify = false;
|
||||
};
|
||||
};
|
||||
|
||||
rootTransfer = writeConf "22-root.transfer" {
|
||||
Source = {
|
||||
Type = "url-file";
|
||||
Path = updateUrl;
|
||||
MatchPattern = "patos_@v_@u.root";
|
||||
};
|
||||
|
||||
Target = {
|
||||
Type = "partition";
|
||||
Path = "auto";
|
||||
MatchPattern = "root-@v";
|
||||
MatchPartitionType = "root";
|
||||
ReadOnly = 1;
|
||||
};
|
||||
Transfer = {
|
||||
Verify = false;
|
||||
};
|
||||
};
|
||||
in
|
||||
runCommand pname
|
||||
{
|
||||
inherit version;
|
||||
inherit updateUrl;
|
||||
runCommand pname {
|
||||
inherit version cpuArch updateUrl secureBoot;
|
||||
|
||||
buildInputs = with pkgs; [
|
||||
erofs-utils
|
||||
dosfstools
|
||||
mtools
|
||||
jq
|
||||
];
|
||||
microcode = lib.optionalString (cpuArch == "amd") "--microcode ${pkgs.microcode-amd}/amd-ucode.img"
|
||||
+ lib.optionalString (cpuArch == "intel") "--microcode ${pkgs.microcode-intel}/intel-ucode.img";
|
||||
|
||||
env = {
|
||||
# vfat options won't efi won't find the fs otherwise.
|
||||
SYSTEMD_REPART_MKFS_OPTIONS_VFAT = "-S 512 -c";
|
||||
SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking";
|
||||
};
|
||||
buildInputs = with pkgs; [
|
||||
erofs-utils
|
||||
dosfstools
|
||||
mtools
|
||||
jq
|
||||
];
|
||||
|
||||
kernelCmdLine = "console=ttyS0 patos.secureboot=false";
|
||||
}
|
||||
''
|
||||
mkdir -p $out/init.repart.d $out/final.repart.d
|
||||
pushd $out
|
||||
env = {
|
||||
# vfat options won't efi won't find the fs otherwise.
|
||||
SYSTEMD_REPART_MKFS_OPTIONS_VFAT = "-S 512 -c";
|
||||
SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking";
|
||||
};
|
||||
|
||||
mkdir rootfs
|
||||
cp -prP ${patosPkgs.rootfs}/* rootfs/
|
||||
find rootfs/ -type d -exec chmod 755 {} \;
|
||||
kernelCmdLine = "console=ttyS0 patos.secureboot=${secureBoot}";
|
||||
}
|
||||
''
|
||||
mkdir -p $out/init.repart.d $out/final.repart.d
|
||||
pushd $out
|
||||
|
||||
# package kernel modules as sysext (will reduce the image size a little bit (~3MB))
|
||||
mkdir rootfs/etc/extensions
|
||||
rm -rf rootfs/usr/lib/modules
|
||||
cp ${patosPkgs.kernel}/patos-kernel-modules* rootfs/etc/extensions/
|
||||
mkdir rootfs
|
||||
cp -prP ${patosPkgs.rootfs}/* rootfs/
|
||||
find rootfs/ -type d -exec chmod 755 {} \;
|
||||
|
||||
# set default target to multi-user
|
||||
ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target
|
||||
# package kernel modules as sysext (will reduce the image size a little bit (~3MB))
|
||||
mkdir rootfs/etc/extensions
|
||||
rm -rf rootfs/usr/lib/modules
|
||||
cp ${patosPkgs.kernel}/patos-kernel-modules* rootfs/etc/extensions/
|
||||
|
||||
# enable dbus
|
||||
ln -sf ../dbus.service rootfs/usr/lib/systemd/system/multi-user.target.wants/dbus.service
|
||||
ln -sf ../dbus.socket rootfs/usr/lib/systemd/system/sockets.target.wants/dbus.socket
|
||||
# set default target to multi-user
|
||||
ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target
|
||||
|
||||
# enable network services
|
||||
ln -sf ../systemd-networkd.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-networkd.service
|
||||
ln -sf ../systemd-resolved.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-resolved.service
|
||||
ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.target.wants/systemd-timesyncd.service
|
||||
# enable default network config
|
||||
mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/systemd/network/89-ethernet.network
|
||||
# enable dbus
|
||||
ln -sf ../dbus.service rootfs/usr/lib/systemd/system/multi-user.target.wants/dbus.service
|
||||
ln -sf ../dbus.socket rootfs/usr/lib/systemd/system/sockets.target.wants/dbus.socket
|
||||
|
||||
# enable confext/sysext services
|
||||
ln -sf ../systemd-confext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-confext.service
|
||||
ln -sf ../systemd-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-sysext.service
|
||||
# enable network services
|
||||
ln -sf ../systemd-networkd.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-networkd.service
|
||||
ln -sf ../systemd-resolved.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-resolved.service
|
||||
ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.target.wants/systemd-timesyncd.service
|
||||
# enable default network config
|
||||
mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/systemd/network/89-ethernet.network
|
||||
|
||||
cp ${secureBootImportKeys} rootfs/usr/lib/systemd/system/secure-boot-import-keys.service
|
||||
ln -sf ../secure-boot-import-keys.service rootfs/usr/lib/systemd/system/sysinit.target.wants/secure-boot-import-keys.service
|
||||
# enable confext/sysext services
|
||||
ln -sf ../systemd-confext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-confext.service
|
||||
ln -sf ../systemd-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-sysext.service
|
||||
|
||||
# sysupdate
|
||||
mkdir -p rootfs/etc/sysupdate.d
|
||||
cp ${rootTransfer} ${rootVerityTransfer} ${ukiTransfer} rootfs/etc/sysupdate.d/
|
||||
cat <<EOF > rootfs/usr/lib/systemd/system/secure-boot-import-keys.service
|
||||
[Unit]
|
||||
Description=Import Secure Boot keys
|
||||
DefaultDependencies=no
|
||||
RequiresMountsFor=/var/lib/sbctl /boot
|
||||
ConditionPathExists=/boot/sbctl/keys
|
||||
After=local-fs.target
|
||||
|
||||
# Initial partitioning
|
||||
cat <<EOF > init.repart.d/10-root.conf
|
||||
[Partition]
|
||||
Type=root
|
||||
Format=erofs
|
||||
Minimize=best
|
||||
CopyFiles=/rootfs:/
|
||||
Verity=data
|
||||
VerityMatchKey=root
|
||||
SplitName=root
|
||||
EOF
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=sbctl import-keys -d /boot/sbctl/keys
|
||||
ExecStartPost=rm -rf /boot/sbctl
|
||||
EOF
|
||||
ln -sf ../secure-boot-import-keys.service rootfs/usr/lib/systemd/system/sysinit.target.wants/secure-boot-import-keys.service
|
||||
|
||||
cat <<EOF > init.repart.d/20-root-verity.conf
|
||||
[Partition]
|
||||
Type=root-verity
|
||||
Verity=hash
|
||||
VerityMatchKey=root
|
||||
Minimize=best
|
||||
SplitName=verity
|
||||
EOF
|
||||
# sysupdate
|
||||
mkdir -p rootfs/etc/sysupdate.d
|
||||
cat <<EOF > rootfs/etc/sysupdate.d/10-uki.transfer
|
||||
[Source]
|
||||
Path=${updateUrl}
|
||||
MatchPattern=patos_@v.efi
|
||||
Type=url-file
|
||||
|
||||
#TODO: Add verity signature partition
|
||||
[Target]
|
||||
InstancesMax=2
|
||||
MatchPattern=patos_@v+@l-@d.efi patos_@v+@l.efi patos_@v.efi
|
||||
Mode=0444
|
||||
Path=/EFI/Linux
|
||||
PathRelativeTo=esp
|
||||
TriesDone=0
|
||||
TriesLeft=3
|
||||
Type=regular-file
|
||||
|
||||
${patosPkgs.systemd}/usr/bin/systemd-repart \
|
||||
--no-pager \
|
||||
--empty=create \
|
||||
--size=auto \
|
||||
--definitions=./init.repart.d \
|
||||
--split=true \
|
||||
--json=pretty \
|
||||
--root=$out \
|
||||
patos_$version.raw > init-repart-output.json && rm -f patos_$version.raw
|
||||
[Transfer]
|
||||
Verify=no
|
||||
EOF
|
||||
|
||||
roothash=$(jq -r '.[0].roothash' init-repart-output.json)
|
||||
rootPart=$(jq -r '.[0].split_path' init-repart-output.json)
|
||||
rootUuid=$(jq -r '.[0].uuid' init-repart-output.json)
|
||||
cat <<EOF > rootfs/etc/sysupdate.d/20-root-verity.transfer
|
||||
[Source]
|
||||
Type=url-file
|
||||
Path=${updateUrl}
|
||||
MatchPattern=patos_@v_@u.verity
|
||||
|
||||
verityPart=$(jq -r '.[1].split_path' init-repart-output.json)
|
||||
verityUuid=$(jq -r '.[1].uuid' init-repart-output.json)
|
||||
[Target]
|
||||
Type=partition
|
||||
Path=auto
|
||||
MatchPattern=verity-@v
|
||||
MatchPartitionType=root-verity
|
||||
ReadOnly=1
|
||||
|
||||
ln -sf patos_$version.verity.raw patos_${version}_$verityUuid.verity
|
||||
ln -sf patos_$version.root.raw patos_${version}_$rootUuid.root
|
||||
[Transfer]
|
||||
Verify=no
|
||||
EOF
|
||||
|
||||
${patosPkgs.systemd}/usr/bin/ukify build \
|
||||
--linux ${patosPkgs.kernel}/bzImage \
|
||||
--initrd ${patosPkgs.initrd}/initrd.xz \
|
||||
--os-release @rootfs/etc/os-release \
|
||||
--cmdline "$kernelCmdLine roothash=$roothash" \
|
||||
-o patos_${version}.efi
|
||||
cat <<EOF > rootfs/etc/sysupdate.d/22-root.transfer
|
||||
[Source]
|
||||
Type=url-file
|
||||
Path=${updateUrl}
|
||||
MatchPattern=patos_@v_@u.root
|
||||
|
||||
# install ESP
|
||||
SYSTEMD_RELAX_ESP_CHECKS=1 ${patosPkgs.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot
|
||||
[Target]
|
||||
Type=partition
|
||||
Path=auto
|
||||
MatchPattern=root-@v
|
||||
MatchPartitionType=root
|
||||
ReadOnly=1
|
||||
|
||||
# setup factory reset
|
||||
mkdir -p rootfs/boot/EFI/tools
|
||||
cp ${pkgs.edk2-uefi-shell}/shell.efi rootfs/boot/EFI/tools/
|
||||
[Transfer]
|
||||
Verify=no
|
||||
EOF
|
||||
|
||||
cat <<EOF > rootfs/boot/EFI/tools/factoryreset.nsh
|
||||
setvar FactoryReset -guid 8cf2644b-4b0b-428f-9387-6d876050dc67 -nv -rt =%1
|
||||
reset
|
||||
EOF
|
||||
# Initial partitioning
|
||||
cat <<EOF > init.repart.d/10-root.conf
|
||||
[Partition]
|
||||
Type=root
|
||||
Format=erofs
|
||||
Minimize=best
|
||||
CopyFiles=/rootfs:/
|
||||
Verity=data
|
||||
VerityMatchKey=root
|
||||
SplitName=root
|
||||
EOF
|
||||
|
||||
cat <<EOF > rootfs/boot/loader/entries/factoryreset.conf
|
||||
title Enable Factory Reset
|
||||
options -nostartup -nomap
|
||||
options \EFI\tools\factoryreset.nsh L"t"
|
||||
efi EFI/tools/shell.efi
|
||||
EOF
|
||||
cat <<EOF > init.repart.d/20-root-verity.conf
|
||||
[Partition]
|
||||
Type=root-verity
|
||||
Verity=hash
|
||||
VerityMatchKey=root
|
||||
Minimize=best
|
||||
SplitName=verity
|
||||
EOF
|
||||
|
||||
echo "timeout 2" > rootfs/boot/loader/loader.conf
|
||||
#TODO: Add verity signature partition
|
||||
|
||||
# install UKI
|
||||
cp patos_${version}.efi rootfs/boot/EFI/Linux
|
||||
${patosPkgs.systemd}/usr/bin/systemd-repart \
|
||||
--no-pager \
|
||||
--empty=create \
|
||||
--size=auto \
|
||||
--definitions=./init.repart.d \
|
||||
--split=true \
|
||||
--json=pretty \
|
||||
--root=$out \
|
||||
patos_$version.raw > init-repart-output.json && rm -f patos_$version.raw
|
||||
|
||||
# Final partitioning
|
||||
cat <<EOF > final.repart.d/10-esp.conf
|
||||
[Partition]
|
||||
Type=esp
|
||||
Format=vfat
|
||||
SizeMinBytes=128M
|
||||
SizeMaxBytes=128M
|
||||
CopyFiles=/rootfs/boot:/
|
||||
EOF
|
||||
roothash=$(jq -r '.[0].roothash' init-repart-output.json)
|
||||
rootPart=$(jq -r '.[0].split_path' init-repart-output.json)
|
||||
rootUuid=$(jq -r '.[0].uuid' init-repart-output.json)
|
||||
|
||||
cat <<EOF > final.repart.d/20-root.conf
|
||||
[Partition]
|
||||
Type=root
|
||||
Label=root-${version}
|
||||
CopyBlocks=/$rootPart
|
||||
UUID=$rootUuid
|
||||
SizeMinBytes=64M
|
||||
SizeMaxBytes=64M
|
||||
ReadOnly=1
|
||||
EOF
|
||||
verityPart=$(jq -r '.[1].split_path' init-repart-output.json)
|
||||
verityUuid=$(jq -r '.[1].uuid' init-repart-output.json)
|
||||
|
||||
cat <<EOF > final.repart.d/22-root-verity.conf
|
||||
[Partition]
|
||||
Type=root-verity
|
||||
Label=verity-${version}
|
||||
CopyBlocks=/$verityPart
|
||||
UUID=$verityUuid
|
||||
ReadOnly=1
|
||||
EOF
|
||||
ln -sf patos_$version.verity.raw patos_${version}_$verityUuid.verity
|
||||
ln -sf patos_$version.root.raw patos_${version}_$rootUuid.root
|
||||
|
||||
# finalize image ready for boot
|
||||
${patosPkgs.systemd}/usr/bin/systemd-repart \
|
||||
--no-pager \
|
||||
--empty=create \
|
||||
--size=auto \
|
||||
--definitions=./final.repart.d \
|
||||
--root=$out \
|
||||
patos_${version}.img > final-repart-output.json
|
||||
${patosPkgs.systemd}/usr/bin/ukify build \
|
||||
--linux ${patosPkgs.kernel}/bzImage \
|
||||
--initrd ${patosPkgs.initrd}/initrd.xz \
|
||||
$microcode \
|
||||
--os-release @rootfs/etc/os-release \
|
||||
--cmdline "$kernelCmdLine roothash=$roothash" \
|
||||
-o patos_${version}.efi
|
||||
|
||||
rm -rf rootfs init.repart.d final.repart.d *.json
|
||||
sha256sum *.root *.verity *.efi *.tar.xz > SHA256SUMS
|
||||
# install ESP
|
||||
SYSTEMD_RELAX_ESP_CHECKS=1 ${patosPkgs.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot
|
||||
|
||||
popd
|
||||
''
|
||||
# setup factory reset
|
||||
mkdir -p rootfs/boot/EFI/tools
|
||||
cp ${pkgs.edk2-uefi-shell}/shell.efi rootfs/boot/EFI/tools/
|
||||
|
||||
cat <<EOF > rootfs/boot/EFI/tools/factoryreset.nsh
|
||||
setvar FactoryReset -guid 8cf2644b-4b0b-428f-9387-6d876050dc67 -nv -rt =%1
|
||||
reset
|
||||
EOF
|
||||
|
||||
cat <<EOF > rootfs/boot/loader/entries/factoryreset.conf
|
||||
title Enable Factory Reset
|
||||
options -nostartup -nomap
|
||||
options \EFI\tools\factoryreset.nsh L"t"
|
||||
efi EFI/tools/shell.efi
|
||||
EOF
|
||||
|
||||
echo "timeout 2" > rootfs/boot/loader/loader.conf
|
||||
|
||||
# install UKI
|
||||
cp patos_${version}.efi rootfs/boot/EFI/Linux
|
||||
|
||||
# Final partitioning
|
||||
cat <<EOF > final.repart.d/10-esp.conf
|
||||
[Partition]
|
||||
Type=esp
|
||||
Format=vfat
|
||||
SizeMinBytes=128M
|
||||
SizeMaxBytes=128M
|
||||
CopyFiles=/rootfs/boot:/
|
||||
EOF
|
||||
|
||||
cat <<EOF > final.repart.d/20-root.conf
|
||||
[Partition]
|
||||
Type=root
|
||||
Label=root-${version}
|
||||
CopyBlocks=/$rootPart
|
||||
UUID=$rootUuid
|
||||
SizeMinBytes=64M
|
||||
SizeMaxBytes=64M
|
||||
ReadOnly=1
|
||||
EOF
|
||||
|
||||
cat <<EOF > final.repart.d/22-root-verity.conf
|
||||
[Partition]
|
||||
Type=root-verity
|
||||
Label=verity-${version}
|
||||
CopyBlocks=/$verityPart
|
||||
UUID=$verityUuid
|
||||
ReadOnly=1
|
||||
EOF
|
||||
|
||||
# finalize image ready for boot
|
||||
${patosPkgs.systemd}/usr/bin/systemd-repart \
|
||||
--no-pager \
|
||||
--empty=create \
|
||||
--size=auto \
|
||||
--definitions=./final.repart.d \
|
||||
--root=$out \
|
||||
patos_${version}.img > final-repart-output.json
|
||||
|
||||
rm -rf rootfs init.repart.d final.repart.d *.json
|
||||
sha256sum *.root *.verity *.efi *.tar.xz > SHA256SUMS
|
||||
|
||||
popd
|
||||
''
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
{ pkgs }:
|
||||
let
|
||||
version = "6.13.7";
|
||||
hash = "sha256-Ojm2IDi3rC9D0mofhLQoPhl4BOHoF61jfpo9h0xHgB0=";
|
||||
version = "6.14.8";
|
||||
hash = "sha256-YrEuzTB1o1frMgk1ZX3oTgFVKANxfa04P6fMOqSqKQU=";
|
||||
in
|
||||
(pkgs.callPackage ./manual-config.nix { }) {
|
||||
version = "${version}-patos1";
|
||||
|
|
|
|||
|
|
@ -14,8 +14,8 @@ stdenv.mkDerivation {
|
|||
src = fetchFromGitHub {
|
||||
owner = "horms";
|
||||
repo = "kexec-tools";
|
||||
rev = "a7fcd424c4c80dea5a2fd5ffa274ffeb8129c790";
|
||||
hash = "sha256-QKE+KCkueA21zNunTMidP9OuZaw0IG5tFDF4UJITTTQ=";
|
||||
rev = "v2.0.31";
|
||||
hash = "sha256-Tgmc8mFlmzzRj7tEaBes7Udw4fRl6cSfe76iPNa3Ffs=";
|
||||
};
|
||||
|
||||
dontPatchShebangs = true;
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
{
|
||||
stdenv,
|
||||
pkgs,
|
||||
fetchurl,
|
||||
lib,
|
||||
pkg-config,
|
||||
|
|
@ -7,17 +8,11 @@
|
|||
udev,
|
||||
}:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
stdenv.mkDerivation {
|
||||
pname = "lvm2";
|
||||
version = "2.03.30";
|
||||
version = pkgs.lvm2.version;
|
||||
|
||||
src = fetchurl {
|
||||
urls = [
|
||||
"https://mirrors.kernel.org/sourceware/lvm2/LVM2.${version}.tgz"
|
||||
"ftp://sourceware.org/pub/lvm2/LVM2.${version}.tgz"
|
||||
];
|
||||
hash = "sha256-rXar7LjciHcz4GxEnLmt0Eo1BvnweAwSiBem4aF87AU=";
|
||||
};
|
||||
src = pkgs.lvm2.src;
|
||||
|
||||
nativeBuildInputs = [
|
||||
pkg-config
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
{
|
||||
lib,
|
||||
pkgs,
|
||||
stdenv,
|
||||
fetchurl,
|
||||
perl,
|
||||
|
|
@ -18,13 +19,9 @@
|
|||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "openssl";
|
||||
version = "3.4.1";
|
||||
hash = "sha256-ACotazC1i/S+pGxDvdljZar42qbEKHgqpP7uBtoZffM=";
|
||||
version = pkgs.openssl.version;
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://github.com/openssl/openssl/releases/download/openssl-${version}/openssl-${version}.tar.gz";
|
||||
hash = hash;
|
||||
};
|
||||
src = pkgs.openssl.src;
|
||||
|
||||
outputs = [ "out" ];
|
||||
|
||||
|
|
|
|||
|
|
@ -21,11 +21,12 @@ runCommand "patos-rootfs"
|
|||
''
|
||||
### create directory structure
|
||||
mkdir -p $out/etc/repart.d $out/dev $out/proc $out/sys \
|
||||
$out/tmp $out/root $out/run $out/boot $out/mnt $out/home $out/srv $out/var/tmp
|
||||
$out/tmp $out/root $out/run $out/boot $out/mnt $out/home $out/srv $out/var
|
||||
ln -sf /usr/bin $out/bin
|
||||
ln -sf /usr/bin $out/sbin
|
||||
ln -sf /usr/lib $out/lib
|
||||
ln -sf /usr/lib $out/lib64
|
||||
ln -sf /tmp $out/var/tmp
|
||||
ln -sf ../proc/self/mounts $out/etc/mtab
|
||||
|
||||
### install systemd
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@
|
|||
...
|
||||
}:
|
||||
let
|
||||
version = "257.4";
|
||||
version = "257.6";
|
||||
|
||||
# Use the command below to update `releaseTimestamp` on every (major) version
|
||||
# change. More details in the commentary at mesonFlags.
|
||||
|
|
@ -27,7 +27,7 @@ stdenv.mkDerivation (finalAttrs: {
|
|||
owner = "systemd";
|
||||
repo = "systemd";
|
||||
rev = "v${version}";
|
||||
hash = "sha256-6rxJUYRq785U6aik5VhQRqG+Ss67lBB6T3eQF+tkyhk=";
|
||||
hash = "sha256-mn/JB/nrOz2TOobu2d+XBH2dVH3vn/HPvWN4Zz6s+SM=";
|
||||
};
|
||||
|
||||
patches = [ ./skip-verify-esp.patch ];
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
{
|
||||
stdenv,
|
||||
pkgs,
|
||||
fetchurl,
|
||||
lib,
|
||||
pandoc,
|
||||
|
|
@ -10,19 +11,17 @@
|
|||
libuuid,
|
||||
}:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
stdenv.mkDerivation {
|
||||
pname = "tpm2-tools";
|
||||
version = "5.7";
|
||||
version = pkgs.tpm2-tools.version;
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://github.com/tpm2-software/${pname}/releases/download/${version}/${pname}-${version}.tar.gz";
|
||||
sha256 = "sha256-OBDTa1B5JW9PL3zlUuIiE9Q7EDHBMVON+KLbw8VwmDo=";
|
||||
};
|
||||
src = pkgs.tpm2-tools.src;
|
||||
|
||||
nativeBuildInputs = [
|
||||
pandoc
|
||||
pkg-config
|
||||
];
|
||||
|
||||
buildInputs = [
|
||||
curl
|
||||
openssl
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
{
|
||||
stdenv,
|
||||
pkgs,
|
||||
lib,
|
||||
fetchFromGitHub,
|
||||
autoreconfHook,
|
||||
|
|
@ -19,14 +20,9 @@
|
|||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "tpm2-tss";
|
||||
version = "4.1.3";
|
||||
version = pkgs.tpm2-tss.version;
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "tpm2-software";
|
||||
repo = pname;
|
||||
rev = version;
|
||||
hash = "sha256-BP28utEUI9g1VNv3lCXuiKrDtEImFQxxZfIjLiE3Wr8=";
|
||||
};
|
||||
src = pkgs.tpm2-tss.src;
|
||||
|
||||
patches = [
|
||||
./no-shadow.patch
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue