Merge pull request 'chore: rootfs pkg' (#18) from lsjostro/push-ptznrypypruv into main

Reviewed-on: #18

.gitignore

@@ -4,6 +4,8 @@
 .task
 /result
 /target
+/out
+/initrd.gz
 .*.swp
 .*.swo
 .nixos-test-history

dbus-broker/default.nix

@@ -0,0 +1,165 @@
+{
+  lib,
+  stdenv,
+  fetchFromGitHub,
+  pkgs,
+  ...
+}:
+
+let
+  meta = {
+    maintainers = with lib.maintainers; [ peterhoeg ];
+    platforms = lib.platforms.linux;
+  };
+
+  dep =
+    {
+      pname,
+      version,
+      hash,
+      rev ? "v${version}",
+      buildInputs ? [ ],
+    }:
+    stdenv.mkDerivation {
+      inherit pname version;
+      src = fetchFromGitHub {
+        owner = "c-util";
+        repo = pname;
+        inherit hash rev;
+      };
+      nativeBuildInputs = with pkgs; [
+        meson
+        ninja
+        pkg-config
+      ];
+      inherit buildInputs;
+      meta = meta // {
+        description = "The C-Util Project is a collection of utility libraries for the C11 language.";
+        homepage = "https://c-util.github.io/";
+        license = [
+          lib.licenses.asl20
+          lib.licenses.lgpl21Plus
+        ];
+      };
+    };
+
+  # These libraries are not used outside of dbus-broker.
+  #
+  # If that changes, we can always break them out, but they are essentially
+  # part of the dbus-broker project, just in separate repositories.
+  c-dvar = dep {
+    pname = "c-dvar";
+    version = "1.1.0";
+    hash = "sha256-p/C+BktclVseCtZJ1Q/YK03vP2ClnYRLB1Vmj2OQJD4=";
+    buildInputs = [
+      c-stdaux
+      c-utf8
+    ];
+  };
+  c-ini = dep {
+    pname = "c-ini";
+    version = "1.1.0";
+    hash = "sha256-wa7aNl20hkb/83c4AkQ/0YFDdmBs4XGW+WLUtBWIC98=";
+    buildInputs = [
+      c-list
+      c-rbtree
+      c-stdaux
+      c-utf8
+    ];
+  };
+  c-list = dep {
+    pname = "c-list";
+    version = "3.1.0";
+    hash = "sha256-fp3EAqcbFCLaT2EstLSzwP2X13pi2EFpFAullhoCtpw=";
+  };
+  c-rbtree = dep {
+    pname = "c-rbtree";
+    version = "3.2.0";
+    hash = "sha256-dTMeawhPLRtHvMXfXCrT5iCdoh7qS3v+raC6c+t+X38=";
+    buildInputs = [ c-stdaux ];
+  };
+  c-shquote = dep {
+    pname = "c-shquote";
+    version = "1.1.0";
+    hash = "sha256-z6hpQ/kpCYAngMNfxLkfsxaGtvP4yBMigX1lGpIIzMQ=";
+    buildInputs = [ c-stdaux ];
+  };
+  c-stdaux = dep {
+    pname = "c-stdaux";
+    version = "1.5.0";
+    hash = "sha256-MsnuEyVCmOIr/q6I1qyPsNXp48jxIEcXoYLHbOAZtW0=";
+  };
+  c-utf8 = dep {
+    pname = "c-utf8";
+    version = "1.1.0";
+    hash = "sha256-9vBYylbt1ypJwIAQJd/oiAueh+4VYcn/KzofQuhUea0=";
+    buildInputs = [ c-stdaux ];
+  };
+
+in
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "dbus-broker";
+  version = "36";
+
+  src = fetchFromGitHub {
+    owner = "bus1";
+    repo = "dbus-broker";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-5dAMKjybqrHG57vArbtWEPR/svSj2ION75JrjvnnpVM=";
+  };
+
+  nativeBuildInputs = with pkgs; [
+    docutils
+    meson
+    ninja
+    pkg-config
+  ];
+
+  buildInputs = [
+    c-dvar
+    c-ini
+    c-list
+    c-rbtree
+    c-shquote
+    c-stdaux
+    c-utf8
+    pkgs.dbus
+    pkgs.linuxHeaders
+    pkgs.systemd
+  ];
+
+  mesonFlags = [
+    # while we technically support 4.9 and 4.14, the NixOS module will throw an
+    # error when using a kernel that's too old
+    "--prefix=/"
+    "--bindir=/usr/bin"
+    "-D=linux-4-17=true"
+    "-D=system-console-users=gdm,sddm,lightdm"
+  ];
+
+  PKG_CONFIG_SYSTEMD_SYSTEMDSYSTEMUNITDIR = "/usr/lib/systemd/system";
+  PKG_CONFIG_SYSTEMD_SYSTEMDUSERUNITDIR = "/usr/lib/systemd/user";
+  PKG_CONFIG_SYSTEMD_CATALOGDIR = "/usr/lib/systemd/catalog";
+
+  preInstall = ''
+    export DESTDIR=${placeholder "out"}
+  '';
+
+  postInstall = ''
+    mkdir -p $out/usr/share
+    cp -Pr ${pkgs.dbus.out}/share/* $out/usr/share/
+    cp ${pkgs.dbus.out}/etc/systemd/system/dbus.socket $out/usr/lib/systemd/system/
+    find $out/usr/share/ -type d -exec chmod 755 {} \;
+    sed -i 's#/nix/store.*/share#/usr/share#' $out/usr/share/xml/dbus-1/catalog.xml
+    sed -i 's#/nix/store.*/libexec#/usr/bin#' $out/usr/share/dbus-1/system.conf
+  '';
+
+  doCheck = false;
+
+  meta = meta // {
+    description = "Linux D-Bus Message Broker";
+    homepage = "https://github.com/bus1/dbus-broker/wiki";
+    license = lib.licenses.asl20;
+  };
+})

flake.nix

@@ -16,16 +16,31 @@
       system:
       let
         pkgs = import nixpkgs { inherit system; };
+        patosPkgs = self.packages.${system};
       in
       {
         packages = {
           default = self.packages.${system}.image;
           image = pkgs.writeShellScriptBin "image" ''
-            echo "make image here..."
+            set -ex
+            echo "make UKI..."
+
+            mkdir -p patos/efi/boot
+            ${self.packages.${system}.systemd.out}/usr/bin/ukify build \
+            --linux ${self.packages.${system}.kernel.kernel}/bzImage \
+            --initrd ./initrd.gz \
+            --cmdline "console=ttyS0" \
+            -o patos/efi/boot/bootx64.efi
           '';
 
           kernel = pkgs.callPackage ./kernel { };
+          glibc = pkgs.callPackage ./glibc { };
           systemd = pkgs.callPackage ./systemd { };
+          dbus-broker = pkgs.callPackage ./dbus-broker { };
+          rootfs = pkgs.callPackage ./rootfs { inherit patosPkgs; };
+
+          mkinitrd = pkgs.callPackage ./utils/mkinitrd.nix { inherit patosPkgs; };
+          qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { };
         };
 
         checks = {
@@ -44,6 +59,8 @@
             nixd
             nixfmt-rfc-style
             squashfs-tools-ng
+            self.packages.${system}.qemu-uefi-tpm
+            self.packages.${system}.mkinitrd
           ];
         };
 

glibc/default.nix

@@ -0,0 +1,53 @@
+{
+  pkgs,
+  stdenv,
+
+  ...
+}:
+let
+  version = pkgs.glibc.version;
+  src = pkgs.glibc.src;
+  pname = "glibcPatos";
+in
+stdenv.mkDerivation (finalAttrs: {
+  inherit version;
+  inherit src;
+  inherit pname;
+
+  enableParallelBuilding = true;
+  dontPatchShebangs = true;
+
+  configureFlags = [
+    "--prefix=/"
+    "--libdir=/lib"
+    "--bindir=/bin"
+    "--sysconfdir=/etc"
+  ];
+
+  preConfigure =
+    ''
+      export PWD_P=$(type -tP pwd)
+      for i in configure io/ftwtest-sh; do
+          sed -i "$i" -e "s^/bin/pwd^$PWD_P^g"
+      done
+
+      mkdir ../build
+      cd ../build
+
+      configureScript="`pwd`/../$sourceRoot/configure"
+    '';
+
+  nativeBuildInputs = with pkgs; [
+      bison
+      python3Minimal
+  ];
+
+  outputs = [
+    "out"
+  ];
+
+  preInstall = ''
+    export DESTDIR=${placeholder "out"}
+  '';
+
+})

kernel/generic.config

@@ -1397,14 +1397,6 @@ CONFIG_MMU=y
 CONFIG_MODPROBE_PATH="/sbin/modprobe"
 CONFIG_MODULE_COMPRESS_ZSTD=y
 CONFIG_MODULE_FORCE_UNLOAD=y
-CONFIG_MODULE_SIG_ALL=y
-CONFIG_MODULE_SIG_FORCE=y
-CONFIG_MODULE_SIG_FORMAT=y
-CONFIG_MODULE_SIG_HASH="sha512"
-CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
-CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
-CONFIG_MODULE_SIG_SHA512=y
-CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SRCVERSION_ALL=y
 CONFIG_MODULE_UNLOAD=y
 CONFIG_MODULES_TREE_LOOKUP=y

rootfs/default.nix

@@ -0,0 +1,30 @@
+{
+  pkgs,
+  stdenvNoCC,
+  patosPkgs,
+  ...
+}:
+let
+  version = "0.0.1";
+  pname = "patos-rootfs";
+in
+stdenvNoCC.mkDerivation (finalAttrs: {
+  inherit version;
+  inherit pname;
+
+  buildInputs = with pkgs; [
+    glibc
+    binutils
+  ];
+
+  glibcPatos = patosPkgs.glibc.out;
+  systemd = patosPkgs.systemd.out;
+  dbusBroker = patosPkgs.dbus-broker.out;
+  kernel = patosPkgs.kernel.kernel;
+  busybox = pkgs.busybox.out;
+  kmodLibs = pkgs.kmod.lib;
+  kmodBin = pkgs.kmod.out;
+  libbpf = pkgs.libbpf.out;
+
+  builder = ./mkrootfs.sh;
+})

rootfs/mkrootfs.sh

@@ -0,0 +1,54 @@
+set -ex -o pipefail
+
+mkdir -p $out
+mkdir -p $out/etc $out/dev $out/proc $out/sys $out/tmp $out/root
+ln -sf ../usr/bin $out/bin
+ln -sf ../usr/bin $out/sbin
+ln -sf ../usr/lib $out/lib
+ln -sf ../usr/lib $out/lib64
+ln -sf ../proc/self/mounts $out/etc/mtab
+
+### install systemd
+echo "Installing systemd"
+cp -Pr $systemd/* $out/
+find $out -type d -exec chmod 755 {} \;
+rm -rf $out/usr/include
+rm -rf $out/usr/sbin
+rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service
+# remove vconsole setup
+rm -f $out/usr/lib/udev/rules.d/90-vconsole.rules
+
+### install PatOS glibc
+cp -P $glibcPatos/lib/*.so* $out/usr/lib/
+
+### install kernel modules
+cp -r $kernel/lib/modules $out/usr/lib/
+find $out/usr/lib/modules -type d -exec chmod 755 {} \;
+
+### install busybox
+cp $busybox/bin/busybox $out/usr/bin/
+$out/usr/bin/busybox --list | xargs -I {} ln -sf busybox $out/usr/bin/{}
+
+### install dbus broker
+cp -r $dbusBroker/* $out/
+
+### install lib kmod
+cp -P $kmodLibs/lib/* $out/usr/lib
+cp -P $kmodBin/bin/* $out/usr/bin
+
+### install libbpf
+cp -P $libbpf/lib/libbpf* $out/usr/lib
+
+### Find and install all shared libs
+find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | grep -v systemd | grep -v glibc | sort -u | xargs cp -t $out/usr/lib
+find $out -type f -executable -exec chmod 755 {} \;
+
+# FIXME: ELF patching. Is there a better way?
+find $out -type f -executable -exec patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd {} \;
+find $out -type f -executable -exec patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 {} \;
+patchelf --remove-rpath $out/usr/lib/ld-linux-x86-64.so.2
+
+# strip binaries
+find $out -type f -executable -exec strip {} \;
+find $out -type d -exec chmod 755 {} \;
+

systemd/default.nix

@@ -137,9 +137,6 @@ stdenv.mkDerivation (finalAttrs: {
 
   postPatch =
     ''
-      substituteInPlace src/basic/path-util.h --replace "@defaultPathNormal@" "${placeholder "out"}/bin/"
-    ''
-    + ''
       substituteInPlace meson.build \
         --replace "find_program('clang'" "find_program('${stdenv.cc.targetPrefix}clang'"
     ''
@@ -150,7 +147,7 @@ stdenv.mkDerivation (finalAttrs: {
         "'${targetPackages.stdenv.cc.bintools.targetPrefix}readelf'" \
         --replace \
         "/usr/lib/systemd/boot/efi" \
-        "$out/lib/systemd/boot/efi"
+        "$out/usr/lib/systemd/boot/efi"
     ''
     # Finally, patch shebangs in scripts used at build time. This must not patch
     # scripts that will end up in the output, to avoid build platform references
@@ -171,7 +168,7 @@ stdenv.mkDerivation (finalAttrs: {
     "--sysconfdir=/etc"
     "--localstatedir=/var"
     "--libdir=/usr/lib"
-    "--bindir=/bin"
+    "--bindir=/usr/bin"
     "--includedir=/usr/include"
     "--localedir=/usr/share/locale"
 
@@ -190,7 +187,19 @@ stdenv.mkDerivation (finalAttrs: {
     (lib.mesonOption "mode" "release")
     (lib.mesonOption "tty-gid" "3") # tty in NixOS has gid 3
 
-    (lib.mesonOption "kmod-path" "/bin/kmod")
+    (lib.mesonOption "kmod-path" "/usr/bin/kmod")
+    (lib.mesonOption "debug-shell" "/usr/bin/sh")
+    (lib.mesonOption "pamconfdir" "/etc/pam.d")
+    (lib.mesonOption "shellprofiledir" "/etc/profile.d")
+    (lib.mesonOption "dbuspolicydir" "/usr/share/dbus-1/system.d")
+    (lib.mesonOption "dbussessionservicedir" "/usr/share/dbus-1/services")
+    (lib.mesonOption "dbussystemservicedir" "/usr/share/dbus-1/system-services")
+    (lib.mesonOption "setfont-path" "/usr/bin/setfont")
+    (lib.mesonOption "loadkeys-path" "/usr/bin/loadkeys")
+    (lib.mesonOption "sulogin-path"  "/usr/bin/sulogin")
+    (lib.mesonOption "nologin-path" "/usr/bin/nologin")
+    (lib.mesonOption "mount-path" "/usr/bin/mount")
+    (lib.mesonOption "umount-path" "/usr/bin/umount")
 
     # SBAT
     (lib.mesonOption "sbat-distro" "patos")
@@ -281,7 +290,7 @@ stdenv.mkDerivation (finalAttrs: {
     (lib.mesonEnable "man" false)
 
     (lib.mesonBool "analyze" true)
-    (lib.mesonBool "logind" false)
+    (lib.mesonBool "logind" true)
     (lib.mesonBool "localed" false)
     (lib.mesonBool "hostnamed" true)
     (lib.mesonBool "machined" true)

utils/mkinitrd.nix

@@ -0,0 +1,125 @@
+{
+  pkgs,
+  patosPkgs,
+  ...
+}:
+pkgs.writeShellApplication {
+  name = "mkinitrd";
+
+  runtimeInputs = with pkgs; [
+    cpio
+    gzip
+  ];
+
+  text = ''
+    echo "Building initram disk"
+    mkdir -p root
+    pushd root
+
+    ### copy rootfs
+    cp -prP ${patosPkgs.rootfs}/* .
+    find . -type d -exec chmod 755 {} \;
+
+    ### create directories
+    ln -sf ../usr/lib/systemd/systemd init
+
+    # set default target to basic
+    mkdir usr/lib/systemd/system/basic.target.wants
+    ln -sf basic.target usr/lib/systemd/system/default.target
+
+    # enable dbus broker
+    ln -sf ../dbus-broker.service usr/lib/systemd/system/basic.target.wants/dbus.service
+    ln -sf ../dbus.socket usr/lib/systemd/system/sockets.target.wants/dbus.socket
+
+    ### Create needed files
+    echo patos > ./etc/hostname
+    cat <<EOF > ./etc/os-release
+    NAME="PatOS"
+    PRETTY_NAME="PatOS Platform"
+    ID=patos
+    EOF
+
+    cat <<EOF > ./etc/passwd
+    root::0:0:root:/root:/bin/sh
+    bin:x:1:1:bin:/bin:/usr/bin/nologin
+    daemon:x:2:2:daemon:/:/usr/bin/nologin
+    mail:x:8:12:mail:/var/spool/mail:/usr/bin/nologin
+    ftp:x:14:11:ftp:/srv/ftp:/usr/bin/nologin
+    http:x:33:33:http:/srv/http:/usr/bin/nologin
+    uuidd:x:68:68:uuidd:/:/usr/bin/nologin
+    messagebus:x:81:81:messagebus:/:/usr/bin/nologin
+    nobody:x:99:99:nobody:/:/usr/bin/nologin
+    EOF
+    chmod 644 ./etc/passwd
+
+    cat <<EOF > ./etc/group
+    root:x:0:root
+    bin:x:1:root,bin,daemon
+    daemon:x:2:root,bin,daemon
+    sys:x:3:root,bin
+    adm:x:4:root,daemon
+    tty:x:5:
+    disk:x:6:root
+    lp:x:7:daemon
+    mem:x:8:
+    kmem:x:9:
+    wheel:x:10:root
+    ftp:x:11:
+    mail:x:12:
+    uucp:x:14:
+    log:x:19:root
+    utmp:x:20:
+    locate:x:21:
+    rfkill:x:24:
+    smmsp:x:25:
+    proc:x:26:
+    http:x:33:
+    games:x:50:
+    lock:x:54:
+    uuidd:x:68:
+    messagebus:x:81:
+    network:x:90:
+    video:x:91:
+    audio:x:92:
+    optical:x:93:
+    floppy:x:94:
+    storage:x:95:
+    scanner:x:96:
+    input:x:97:
+    power:x:98:
+    nobody:x:99:
+    EOF
+    chmod 644 ./etc/group
+
+    # FIXME: remove this later (just to get a shell in the initramfs)
+    cat <<EOF > usr/lib/systemd/system/demo.service
+    [Unit]
+    Description=Debug Shell (/bin/sulogin)
+    Conflicts=shutdown.target
+    Before=shutdown.target
+
+    [Service]
+    Environment=HOME=/root
+    WorkingDirectory=/root
+    ExecStart=/bin/sulogin
+    Type=idle
+    StandardInput=tty-force
+    StandardOutput=inherit
+    StandardError=inherit
+    KillMode=process
+    IgnoreSIGPIPE=no
+    SendSIGHUP=yes
+    Restart=always
+
+    [Install]
+    WantedBy=basic.target
+    EOF
+    ln -sf ../demo.service usr/lib/systemd/system/basic.target.wants/demo.service
+
+    # gen initrd
+    find . -print0 | cpio --null --owner=root:root -o --format=newc | gzip -9 > ../initrd.gz
+
+    popd
+    rm -rf root
+  '';
+}

utils/qemu-uefi-tpm.nix

@@ -0,0 +1,50 @@
+{
+  pkgs,
+  ...
+}:
+pkgs.writeShellApplication {
+  name = "qemu-uefi-tpm";
+
+  runtimeInputs = with pkgs; [
+    qemu
+    swtpm
+  ];
+
+  text =
+    let
+      tpmOVMF = pkgs.OVMF.override { tpmSupport = true; };
+    in
+    ''
+      set -ex
+      state="/tmp/patos-qemu-$USER"
+      rm -rf "$state"
+      mkdir -m 700 "$state"
+      truncate -s 1G "$state/disk.raw"
+
+      swtpm socket -d --tpmstate dir="$state" \
+        --ctrl type=unixio,path="$state/swtpm-sock" \
+        --tpm2 \
+        --log level=20
+
+      qemu-system-x86_64 \
+        -enable-kvm \
+        -machine q35,accel=kvm \
+        -cpu host \
+        -smp 8 \
+        -m 4G \
+        -display none \
+        -nographic \
+        -chardev "stdio,id=char0,mux=on,logfile=$state/console.log,signal=off" \
+        -serial chardev:char0 \
+        -mon chardev=char0 \
+        -drive "if=pflash,format=raw,unit=0,readonly=on,file=${tpmOVMF.firmware}" \
+        -drive "if=pflash,format=raw,unit=1,readonly=on,file=${tpmOVMF.variables}" \
+        -chardev socket,id=chrtpm,path="$state/swtpm-sock" \
+        -tpmdev emulator,id=tpm0,chardev=chrtpm \
+        -device tpm-tis,tpmdev=tpm0 \
+        -netdev id=net00,type=user,hostfwd=tcp::2222-:22 \
+        -device virtio-net-pci,netdev=net00 \
+        -drive "file=fat:rw:patos/,format=raw" \
+        -drive "format=raw,file=$state/disk.raw"
+    '';
+}