Patagia/patos
Patagia/patos
1
1
Code Issues4 Pull requests6 Activity

Compare commits

..

1 commit
main ... lsjostro/p

Author SHA1 Message Date
Lars Sjöström
2f347f097f
Fix status badge 2024-10-22 15:46:23 +02:00
43 changed files with 725 additions and 3164 deletions

2
.envrc.recommended
View file

@ -1,3 +1 @@
nix_direnv_manual_reload
use flake
dotenv_if_exists

6
.gitignore vendored
View file

@ -1,10 +1,6 @@
.env
.envrc
.direnv
.task
/result
/target
/out
result
.*.swp
.*.swo
.nixos-test-history

3
.rgignore
View file

@ -1,3 +0,0 @@
.direnv
/result
/target

24
.woodpecker/ci.yaml
View file

@ -6,6 +6,28 @@ when:
steps:
check:
image: docker.io/nixpkgs/nix-flakes:nixos-24.05
image: alpine
volumes:
- nix:/nix
commands:
# install nix
- |
test -f /nix/installer || wget -O /nix/installer https://github.com/DeterminateSystems/nix-installer/releases/download/v0.18.0/nix-installer-x86_64-linux
chmod +x /nix/installer
rm -f /nix/receipt.json /nix/nix-installer
/nix/installer install linux --init=none --no-confirm
. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
# configure nix
- |
mkdir -p /etc/nix
cat <<EOF > /etc/nix/nix.conf
sandbox = false
experimental-features = nix-command flakes
EOF
# build
- nix build .#patos_image
# check
- nix flake check

373
LICENSE
View file

@ -1,373 +0,0 @@
Mozilla Public License Version 2.0
==================================
1. Definitions
--------------
1.1. "Contributor"
means each individual or legal entity that creates, contributes to
the creation of, or owns Covered Software.
1.2. "Contributor Version"
means the combination of the Contributions of others (if any) used
by a Contributor and that particular Contributor's Contribution.
1.3. "Contribution"
means Covered Software of a particular Contributor.
1.4. "Covered Software"
means Source Code Form to which the initial Contributor has attached
the notice in Exhibit A, the Executable Form of such Source Code
Form, and Modifications of such Source Code Form, in each case
including portions thereof.
1.5. "Incompatible With Secondary Licenses"
means
(a) that the initial Contributor has attached the notice described
in Exhibit B to the Covered Software; or
(b) that the Covered Software was made available under the terms of
version 1.1 or earlier of the License, but not also under the
terms of a Secondary License.
1.6. "Executable Form"
means any form of the work other than Source Code Form.
1.7. "Larger Work"
means a work that combines Covered Software with other material, in
a separate file or files, that is not Covered Software.
1.8. "License"
means this document.
1.9. "Licensable"
means having the right to grant, to the maximum extent possible,
whether at the time of the initial grant or subsequently, any and
all of the rights conveyed by this License.
1.10. "Modifications"
means any of the following:
(a) any file in Source Code Form that results from an addition to,
deletion from, or modification of the contents of Covered
Software; or
(b) any new file in Source Code Form that contains any Covered
Software.
1.11. "Patent Claims" of a Contributor
means any patent claim(s), including without limitation, method,
process, and apparatus claims, in any patent Licensable by such
Contributor that would be infringed, but for the grant of the
License, by the making, using, selling, offering for sale, having
made, import, or transfer of either its Contributions or its
Contributor Version.
1.12. "Secondary License"
means either the GNU General Public License, Version 2.0, the GNU
Lesser General Public License, Version 2.1, the GNU Affero General
Public License, Version 3.0, or any later versions of those
licenses.
1.13. "Source Code Form"
means the form of the work preferred for making modifications.
1.14. "You" (or "Your")
means an individual or a legal entity exercising rights under this
License. For legal entities, "You" includes any entity that
controls, is controlled by, or is under common control with You. For
purposes of this definition, "control" means (a) the power, direct
or indirect, to cause the direction or management of such entity,
whether by contract or otherwise, or (b) ownership of more than
fifty percent (50%) of the outstanding shares or beneficial
ownership of such entity.
2. License Grants and Conditions
--------------------------------
2.1. Grants
Each Contributor hereby grants You a world-wide, royalty-free,
non-exclusive license:
(a) under intellectual property rights (other than patent or trademark)
Licensable by such Contributor to use, reproduce, make available,
modify, display, perform, distribute, and otherwise exploit its
Contributions, either on an unmodified basis, with Modifications, or
as part of a Larger Work; and
(b) under Patent Claims of such Contributor to make, use, sell, offer
for sale, have made, import, and otherwise transfer either its
Contributions or its Contributor Version.
2.2. Effective Date
The licenses granted in Section 2.1 with respect to any Contribution
become effective for each Contribution on the date the Contributor first
distributes such Contribution.
2.3. Limitations on Grant Scope
The licenses granted in this Section 2 are the only rights granted under
this License. No additional rights or licenses will be implied from the
distribution or licensing of Covered Software under this License.
Notwithstanding Section 2.1(b) above, no patent license is granted by a
Contributor:
(a) for any code that a Contributor has removed from Covered Software;
or
(b) for infringements caused by: (i) Your and any other third party's
modifications of Covered Software, or (ii) the combination of its
Contributions with other software (except as part of its Contributor
Version); or
(c) under Patent Claims infringed by Covered Software in the absence of
its Contributions.
This License does not grant any rights in the trademarks, service marks,
or logos of any Contributor (except as may be necessary to comply with
the notice requirements in Section 3.4).
2.4. Subsequent Licenses
No Contributor makes additional grants as a result of Your choice to
distribute the Covered Software under a subsequent version of this
License (see Section 10.2) or under the terms of a Secondary License (if
permitted under the terms of Section 3.3).
2.5. Representation
Each Contributor represents that the Contributor believes its
Contributions are its original creation(s) or it has sufficient rights
to grant the rights to its Contributions conveyed by this License.
2.6. Fair Use
This License is not intended to limit any rights You have under
applicable copyright doctrines of fair use, fair dealing, or other
equivalents.
2.7. Conditions
Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
in Section 2.1.
3. Responsibilities
-------------------
3.1. Distribution of Source Form
All distribution of Covered Software in Source Code Form, including any
Modifications that You create or to which You contribute, must be under
the terms of this License. You must inform recipients that the Source
Code Form of the Covered Software is governed by the terms of this
License, and how they can obtain a copy of this License. You may not
attempt to alter or restrict the recipients' rights in the Source Code
Form.
3.2. Distribution of Executable Form
If You distribute Covered Software in Executable Form then:
(a) such Covered Software must also be made available in Source Code
Form, as described in Section 3.1, and You must inform recipients of
the Executable Form how they can obtain a copy of such Source Code
Form by reasonable means in a timely manner, at a charge no more
than the cost of distribution to the recipient; and
(b) You may distribute such Executable Form under the terms of this
License, or sublicense it under different terms, provided that the
license for the Executable Form does not attempt to limit or alter
the recipients' rights in the Source Code Form under this License.
3.3. Distribution of a Larger Work
You may create and distribute a Larger Work under terms of Your choice,
provided that You also comply with the requirements of this License for
the Covered Software. If the Larger Work is a combination of Covered
Software with a work governed by one or more Secondary Licenses, and the
Covered Software is not Incompatible With Secondary Licenses, this
License permits You to additionally distribute such Covered Software
under the terms of such Secondary License(s), so that the recipient of
the Larger Work may, at their option, further distribute the Covered
Software under the terms of either this License or such Secondary
License(s).
3.4. Notices
You may not remove or alter the substance of any license notices
(including copyright notices, patent notices, disclaimers of warranty,
or limitations of liability) contained within the Source Code Form of
the Covered Software, except that You may alter any license notices to
the extent required to remedy known factual inaccuracies.
3.5. Application of Additional Terms
You may choose to offer, and to charge a fee for, warranty, support,
indemnity or liability obligations to one or more recipients of Covered
Software. However, You may do so only on Your own behalf, and not on
behalf of any Contributor. You must make it absolutely clear that any
such warranty, support, indemnity, or liability obligation is offered by
You alone, and You hereby agree to indemnify every Contributor for any
liability incurred by such Contributor as a result of warranty, support,
indemnity or liability terms You offer. You may include additional
disclaimers of warranty and limitations of liability specific to any
jurisdiction.
4. Inability to Comply Due to Statute or Regulation
---------------------------------------------------
If it is impossible for You to comply with any of the terms of this
License with respect to some or all of the Covered Software due to
statute, judicial order, or regulation then You must: (a) comply with
the terms of this License to the maximum extent possible; and (b)
describe the limitations and the code they affect. Such description must
be placed in a text file included with all distributions of the Covered
Software under this License. Except to the extent prohibited by statute
or regulation, such description must be sufficiently detailed for a
recipient of ordinary skill to be able to understand it.
5. Termination
--------------
5.1. The rights granted under this License will terminate automatically
if You fail to comply with any of its terms. However, if You become
compliant, then the rights granted under this License from a particular
Contributor are reinstated (a) provisionally, unless and until such
Contributor explicitly and finally terminates Your grants, and (b) on an
ongoing basis, if such Contributor fails to notify You of the
non-compliance by some reasonable means prior to 60 days after You have
come back into compliance. Moreover, Your grants from a particular
Contributor are reinstated on an ongoing basis if such Contributor
notifies You of the non-compliance by some reasonable means, this is the
first time You have received notice of non-compliance with this License
from such Contributor, and You become compliant prior to 30 days after
Your receipt of the notice.
5.2. If You initiate litigation against any entity by asserting a patent
infringement claim (excluding declaratory judgment actions,
counter-claims, and cross-claims) alleging that a Contributor Version
directly or indirectly infringes any patent, then the rights granted to
You by any and all Contributors for the Covered Software under Section
2.1 of this License shall terminate.
5.3. In the event of termination under Sections 5.1 or 5.2 above, all
end user license agreements (excluding distributors and resellers) which
have been validly granted by You or Your distributors under this License
prior to termination shall survive termination.
************************************************************************
* *
* 6. Disclaimer of Warranty *
* ------------------------- *
* *
* Covered Software is provided under this License on an "as is" *
* basis, without warranty of any kind, either expressed, implied, or *
* statutory, including, without limitation, warranties that the *
* Covered Software is free of defects, merchantable, fit for a *
* particular purpose or non-infringing. The entire risk as to the *
* quality and performance of the Covered Software is with You. *
* Should any Covered Software prove defective in any respect, You *
* (not any Contributor) assume the cost of any necessary servicing, *
* repair, or correction. This disclaimer of warranty constitutes an *
* essential part of this License. No use of any Covered Software is *
* authorized under this License except under this disclaimer. *
* *
************************************************************************
************************************************************************
* *
* 7. Limitation of Liability *
* -------------------------- *
* *
* Under no circumstances and under no legal theory, whether tort *
* (including negligence), contract, or otherwise, shall any *
* Contributor, or anyone who distributes Covered Software as *
* permitted above, be liable to You for any direct, indirect, *
* special, incidental, or consequential damages of any character *
* including, without limitation, damages for lost profits, loss of *
* goodwill, work stoppage, computer failure or malfunction, or any *
* and all other commercial damages or losses, even if such party *
* shall have been informed of the possibility of such damages. This *
* limitation of liability shall not apply to liability for death or *
* personal injury resulting from such party's negligence to the *
* extent applicable law prohibits such limitation. Some *
* jurisdictions do not allow the exclusion or limitation of *
* incidental or consequential damages, so this exclusion and *
* limitation may not apply to You. *
* *
************************************************************************
8. Litigation
-------------
Any litigation relating to this License may be brought only in the
courts of a jurisdiction where the defendant maintains its principal
place of business and such litigation shall be governed by laws of that
jurisdiction, without reference to its conflict-of-law provisions.
Nothing in this Section shall prevent a party's ability to bring
cross-claims or counter-claims.
9. Miscellaneous
----------------
This License represents the complete agreement concerning the subject
matter hereof. If any provision of this License is held to be
unenforceable, such provision shall be reformed only to the extent
necessary to make it enforceable. Any law or regulation which provides
that the language of a contract shall be construed against the drafter
shall not be used to construe this License against a Contributor.
10. Versions of the License
---------------------------
10.1. New Versions
Mozilla Foundation is the license steward. Except as provided in Section
10.3, no one other than the license steward has the right to modify or
publish new versions of this License. Each version will be given a
distinguishing version number.
10.2. Effect of New Versions
You may distribute the Covered Software under the terms of the version
of the License under which You originally received the Covered Software,
or under the terms of any subsequent version published by the license
steward.
10.3. Modified Versions
If you create software not governed by this License, and you want to
create a new license for such software, you may create and use a
modified version of this License if you rename the license and remove
any references to the name of the license steward (except to note that
such modified license differs from this License).
10.4. Distributing Source Code Form that is Incompatible With Secondary
Licenses
If You choose to distribute Source Code Form that is Incompatible With
Secondary Licenses under the terms of this version of the License, the
notice described in Exhibit B of this License must be attached.
Exhibit A - Source Code Form License Notice
-------------------------------------------
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
If it is not possible or desirable to put the notice in a particular
file, then You may include the notice in a location (such as a LICENSE
file in a relevant directory) where a recipient would be likely to look
for such a notice.
You may add additional accurate notices of copyright ownership.
Exhibit B - "Incompatible With Secondary Licenses" Notice
---------------------------------------------------------
This Source Code Form is "Incompatible With Secondary Licenses", as
defined by the Mozilla Public License, v. 2.0.

60
README.adoc
View file

@ -1,60 +0,0 @@
:showtitle:
:toc: left
:icons: font
= PatOS - Patagia OS
[link=https://ci.patagia.dev/repos/2,window=_blank]
image::https://ci.patagia.dev/api/badges/2/status.svg[Build Status]
PatOS is a minimal, immutable Linux distribution specialized for the Patagia Platform.
== Features
* Immutable read-only system
* Trust chain verification using secure boot and dm-verity
* Automatic updates and unattended rollbacks
* Host/TPM bound data encryption by default
== Roadmap and status
[cols="3,1",options="header"]
|===
|Feature |Status
| A/B root partitions with discoverable partitions
| ✅
| Verity protection of root partitions
| ✅
| Encrypted state partition with tpm2 host binding
| ✅
| Factory reset / clearing of state partition
| ✅
| Automatic updates
| ⚠️
| Installer
| ❌
| Machine registration and provisioning
| ❌
| Boot assessment w/automatic rollback
| ❌
|===
== Community
* Source code: https://patagia.dev/Patagia/patos
== License
Copyright (C) 2024 Patagia AB
Unless otherwise noted, all components are licenced under the Mozilla Public License Version 2.0.

5
README.md Normal file
View file

@ -0,0 +1,5 @@
# PatOS - Patagia OS
[![status-badge](https://ci.patagia.dev/api/badges/2/status.svg)](https://ci.patagia.dev/repos/2)
PatOS is a minimal, immutable Linux distribution specialized for the Patagia Platform.

129
flake.lock generated
View file

@ -1,15 +1,64 @@
{
"nodes": {
"advisory-db": {
"flake": false,
"locked": {
"lastModified": 1727353582,
"narHash": "sha256-2csMEEOZhvowVKZNBHk1kMJqk72ZMrPj9LQYCzP6EKs=",
"owner": "rustsec",
"repo": "advisory-db",
"rev": "cb905e6e405834bdff1eb1e20c9b10edb5403889",
"type": "github"
},
"original": {
"owner": "rustsec",
"repo": "advisory-db",
"type": "github"
}
},
"crane": {
"locked": {
"lastModified": 1727316705,
"narHash": "sha256-/mumx8AQ5xFuCJqxCIOFCHTVlxHkMT21idpbgbm/TIE=",
"owner": "ipetkov",
"repo": "crane",
"rev": "5b03654ce046b5167e7b0bccbd8244cb56c16f0e",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
@ -20,24 +69,71 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1744932701,
"narHash": "sha256-fusHbZCyv126cyArUwwKrLdCkgVAIaa/fQJYFlCEqiU=",
"owner": "NixOS",
"lastModified": 1728888510,
"narHash": "sha256-nsNdSldaAyu6PE3YUA+YQLqUDJh+gRbBooMMekZJwvI=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "b024ced1aac25639f8ca8fdfc2f8c4fbd66c48ef",
"rev": "a3c0b3b21515f74fd2665903d4ce6bc4dc81c77c",
"type": "github"
},
"original": {
"owner": "NixOS",
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"patagia-agent": {
"inputs": {
"advisory-db": "advisory-db",
"crane": "crane",
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1728144622,
"narHash": "sha256-EWH6pJE0HfHdIaelizOWqArgXZ2KJo0tb4EUCnUYQrY=",
"ref": "main",
"rev": "853f7f81b60ca687685cec3c817b75abbab86077",
"revCount": 8,
"type": "git",
"url": "ssh://git@patagia.dev/patagia/patagia-agent"
},
"original": {
"ref": "main",
"type": "git",
"url": "ssh://git@patagia.dev/patagia/patagia-agent"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs"
"nixpkgs": "nixpkgs",
"patagia-agent": "patagia-agent"
}
},
"rust-overlay": {
"inputs": {
"nixpkgs": [
"patagia-agent",
"nixpkgs"
]
},
"locked": {
"lastModified": 1727490462,
"narHash": "sha256-OrrPiNBiikv9BR464XTT75FzOq7tKAvMbMi7YOKVIeg=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "11a13e50debafae4ae802f1d6b8585101516dd93",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"systems": {
@ -54,6 +150,21 @@
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",

185
flake.nix
View file

@ -3,7 +3,9 @@
inputs = {
flake-utils.url = "github:numtide/flake-utils";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
patagia-agent.url = "git+ssh://git@patagia.dev/patagia/patagia-agent?ref=main";
patagia-agent.inputs.nixpkgs.follows = "nixpkgs";
};
outputs =
@ -11,93 +13,124 @@
self,
flake-utils,
nixpkgs,
patagia-agent,
}:
flake-utils.lib.eachDefaultSystem (
system:
let
pkgs = import nixpkgs { inherit system; };
patosPkgs = self.packages.${system};
version = "0.0.1";
secureBoot = "false";
cpuArch = "intel";
updateUrl = "http://10.0.2.2:8000/";
pkgs = import nixpkgs {
inherit system;
overlays = [
(import ./overlays)
];
};
# Prepare an update package for the system.
mkUpdate =
nixos:
let
config = nixos.config;
in
pkgs.runCommand "update-${config.system.image.version}"
{
nativeBuildInputs = with pkgs; [
erofs-utils
zstd
];
}
''
mkdir -p $out
cp ${config.system.build.image}/${config.boot.uki.name}_${config.system.image.version}.store.raw $out/
zstd -9 ${config.system.build.uki}/${config.system.boot.loader.ukiFile} \
-o $out/${config.system.boot.loader.ukiFile}.zst
zstd -9 ${config.system.build.image}/${config.boot.uki.name}_${config.system.image.version}.store.raw \
-o $out/${config.boot.uki.name}_${config.system.image.version}.img.zst
'';
# Prepare a ready-to-boot disk image.
mkInstallImage =
nixos:
let
config = nixos.config;
in
pkgs.runCommand "update-${config.system.image.version}"
{
nativeBuildInputs = with pkgs; [
qemu
zstd
];
}
''
mkdir -p $out
cp ${config.system.build.image}/${config.boot.uki.name}_${config.system.image.version}.raw $out/
qemu-img convert -f raw -O qcow2 -C ${config.system.build.image}/${config.boot.uki.name}_${config.system.image.version}.raw $out/disk.qcow2
zstd -9 ${config.system.build.image}/${config.boot.uki.name}_${config.system.image.version}.store.raw \
-o $out/${config.boot.uki.name}_${config.system.image.version}.img.zst
zstd -9 ${config.system.build.uki}/${config.system.boot.loader.ukiFile} \
-o $out/${config.system.boot.loader.ukiFile}.zst
'';
in
{
devShell = pkgs.mkShell {
packages = with pkgs; [
erofs-utils
just
self.packages.${system}.qemu-efi
];
};
packages = {
default = patosPkgs.image;
image = pkgs.callPackage ./pkgs/image { inherit patosPkgs version updateUrl cpuArch secureBoot; };
rootfs = pkgs.callPackage ./pkgs/rootfs/mkrootfs.nix { inherit patosPkgs version; };
initrd = pkgs.callPackage ./pkgs/rootfs/mkinitrd.nix { inherit patosPkgs version; };
kernel = pkgs.callPackage ./pkgs/kernel { };
glibc = pkgs.callPackage ./pkgs/glibc { };
busybox = pkgs.callPackage ./pkgs/busybox { };
openssl = pkgs.callPackage ./pkgs/openssl { };
cert = pkgs.callPackage ./pkgs/cert { };
kexec = pkgs.callPackage ./pkgs/kexec-tools { };
lvm2 = pkgs.callPackage ./pkgs/lvm2 { };
tpm2-tools = pkgs.callPackage ./pkgs/tpm2-tools { inherit patosPkgs; };
tpm2-tss = pkgs.callPackage ./pkgs/tpm2-tss { };
systemd = pkgs.callPackage ./pkgs/systemd { };
dbus-broker = pkgs.callPackage ./pkgs/dbus-broker { };
default = self.packages.${system}.patos_image;
patos_image = mkInstallImage self.nixosConfigurations.${system}.patos;
patos_update = mkUpdate self.nixosConfigurations.${system}.patos;
qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { };
image = system.build;
debug-tools-sysext = pkgs.callPackage ./lib/make-sysext.nix {
name = "debug-tools";
version = "0.0.1";
packages = [
{ drv = pkgs.curl; path = "bin/curl"; }
{ drv = pkgs.bash; path = "bin/bash"; }
{ drv = patosPkgs.glibc; path = "bin/ldd"; }
{ drv = pkgs.keyutils; path = "bin/keyctl"; }
{ drv = pkgs.gnutar; path = "bin/tar"; }
{ drv = pkgs.binutils-unwrapped; path = "bin/strings"; }
{ drv = pkgs.strace; path = "bin/strace"; }
{ drv = patosPkgs.tpm2-tools; path = "bin/tpm2"; }
{ drv = patosPkgs.openssl; path = "bin/openssl"; }
{ drv = pkgs.cryptsetup; path = "bin/cryptsetup"; }
{ drv = pkgs.cryptsetup; path = "bin/veritysetup"; }
{ drv = pkgs.erofs-utils; path = "bin/mkfs.erofs"; }
# shared lib required for cryptsetup
{ drv = pkgs.popt; path = "lib/libpopt.so.0.0.2"; }
{ drv = pkgs.popt; path = "lib/libpopt.so.0"; }
{ drv = pkgs.popt; path = "lib/libpopt.so"; }
# shared lib required for mkfs.erofs
{ drv = pkgs.lz4.lib; path = "lib/liblz4.so.1.10.0"; }
{ drv = pkgs.lz4.lib; path = "lib/liblz4.so.1"; }
{ drv = pkgs.lz4.lib; path = "lib/liblz4.so"; }
# shared lib required for binutils
{ drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1.0.0"; }
{ drv = pkgs.binutils-unwrapped.lib; path = "lib/libsframe.so.1"; }
{ drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd-2.43.1.so"; }
{ drv = pkgs.binutils-unwrapped.lib; path = "lib/libbfd.so"; }
# shared lib required for strace
{ drv = pkgs.elfutils.out; path = "lib/libdw-0.192.so"; }
{ drv = pkgs.elfutils.out; path = "lib/libdw.so.1"; }
{ drv = pkgs.elfutils.out; path = "lib/libdw.so"; }
{ drv = pkgs.elfutils.out; path = "lib/libelf-0.192.so"; }
{ drv = pkgs.elfutils.out; path = "lib/libelf.so.1"; }
{ drv = pkgs.elfutils.out; path = "lib/libelf.so"; }
];
# FIXME: only do for x86_64
# A helper script to run the disk images above.
qemu-efi = pkgs.writeShellApplication {
name = "qemu-efi";
runtimeInputs = [ pkgs.qemu_kvm ];
text = ''
qemu-system-x86_64 \
-smp 4 -m 2048 -machine q35,accel=kvm \
-bios ${pkgs.OVMF.fd}/FV/OVMF.fd \
-snapshot \
-display none \
-serial stdio "$@"
'';
};
};
checks = {
simple-test = pkgs.runCommand "simple-test" { } ''
${self.packages.${system}.default}/bin/my-program
touch $out
'';
};
formatter = pkgs.nixpkgs-fmt;
devShells.default = pkgs.mkShell {
buildInputs = with pkgs; [
just
nixd
nixfmt-rfc-style
patosPkgs.qemu-uefi-tpm
];
nixosConfigurations = rec {
patos = nixpkgs.lib.nixosSystem {
specialArgs.pkgs = pkgs;
system = system;
modules = [
{
_module.args = {
inherit patagia-agent;
};
}
./modules/kernel
./modules/filesystems.nix
./modules/generic.nix
./modules/minimize.nix
./modules/network.nix
# ./modules/patagia-agent.nix
./modules/partitions.nix
./modules/system_overrides.nix
./modules/sysupdate.nix
./modules/utils.nix
];
};
};
}

15
justfile
View file

@ -13,15 +13,12 @@ build: build-image
# Build PatOS image
build-image:
nix build .#patos
nix build .#patos_image
# Build PatOS image (developer mode)
build-devel-image:
nix build .#devel
# Build PatOS update image
build-update:
nix build .#patos_update
run: build-image
qemu-uefi-tpm ./result/*.img
run-devel: build-devel-image
qemu-uefi-tpm ./result/*.img
qemu-efi -hda ./result/disk.qcow2

91
lib/make-sysext.nix
View file

@ -1,91 +0,0 @@
{
lib,
runCommand,
pkgs,
name,
packages,
osId ? "patos",
version ? null,
}:
let
metadata = {
ID = osId;
VERSION_ID = osId;
IMAGE_ID = name;
IMAGE_VERSION = version;
};
metadataFile = lib.concatStringsSep "\n" (
lib.mapAttrsToList (k: v: "${k}=${v}") (lib.filterAttrs (_: v: v != null) metadata)
);
doCopy =
{
drv,
prefix ? "usr",
path,
destpath ? null,
}:
"do_copy ${prefix} ${drv} ${path}" + lib.optionalString (destpath != null) " ${destpath}";
in
runCommand name
{
passthru.name = name;
inherit metadataFile;
passAsFile = [ "metadataFile" ];
buildInputs = [
pkgs.erofs-utils
pkgs.cryptsetup
];
}
''
do_copy () {
local prefix="$1"
local drv="$2"
local path="$3"
local destpath="''${4:-$path}"
local srcfile
local destdir
local destfile
srcfile="$drv/$path"
destfile="$out/tree/$prefix/$destpath"
destdir="$(dirname -- "$destfile")"
mkdir -pv "$destdir"
cp -Pv "$srcfile" "$destfile"
chmod 755 "$destfile"
patchelf --set-rpath /usr/lib $destfile || true
patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 $destfile || true
}
mkdir -p $out/tree
${lib.concatStringsSep "\n" (map doCopy packages)}
# bake metadata into the structure
if ! [ -f $out/tree/usr/lib/extension-release.d/extension-release."${name}" ]; then
mkdir -p $out/tree/usr/lib/extension-release.d
cat "$metadataFilePath" > $out/tree/usr/lib/extension-release.d/extension-release."${name}"
fi
pushd $out
find tree -type d -exec chmod 0755 {} \;
mkfs.erofs --all-root $name.raw tree/
veritysetup format --root-hash-file $name.roothash $name.raw $name.verity
# TODO: pcks7 signature
# openssl smime -sign -nocerts -noattr -binary -in ${name}.roothash \
# -inkey key.pem -signer cert.pem -outform der -out ${name}.roothash.p7s
rm -rf tree
sha256sum * > SHA256SUMS
# TODO: add gpg signature
popd
''

44
modules/filesystems.nix Normal file
View file

@ -0,0 +1,44 @@
{ config, ... }: {
zramSwap = {
enable = true;
algorithm = "zstd";
memoryPercent = 20;
};
fileSystems = {
"/" = {
fsType = "tmpfs";
options = [
"size=20%"
];
};
"/var" =
let
partConf = config.image.repart.partitions."var".repartConfig;
in
{
device = "/dev/disk/by-partuuid/${partConf.UUID}";
fsType = partConf.Format;
};
"/boot" =
let
partConf = config.image.repart.partitions."esp".repartConfig;
in
{
device = "/dev/disk/by-partuuid/${partConf.UUID}";
fsType = partConf.Format;
};
"/nix/store" =
let
partConf = config.image.repart.partitions."store".repartConfig;
in
{
device = "/dev/disk/by-partlabel/${partConf.Label}";
fsType = partConf.Format;
};
};
}

65
modules/generic.nix Normal file
View file

@ -0,0 +1,65 @@
{
pkgs,
config,
lib,
...
}:
{
boot = {
enableContainers = false;
initrd.systemd.enable = true;
initrd.compressor = "zstd";
kernelParams = [
"console=ttyS0"
];
loader.efi.canTouchEfiVariables = true;
loader.grub.enable = false;
loader.systemd-boot.enable = true;
uki.name = "patos";
};
system.image.version = "0.0.1"; # FIXME: Use epoch version.
system.nixos = {
codeName = "Finn";
distroId = "patos";
distroName = "PatOS";
release = "2024-09";
};
system.switch.enable = false;
# Make the current system version visible in the prompt.
programs.bash.promptInit = ''
export PS1="\u@\h (version ${config.system.image.version}) \w $ "
'';
# Not compatible with system.etc.overlay.enable yet.
# users.mutableUsers = false;
services.getty.autologinUser = "root";
# Temporary files
boot.tmp.cleanOnBoot = true;
boot.tmp.useTmpfs = true;
systemd.services.nix-daemon = {
environment.TMPDIR = "/var/tmp";
};
services.journald.extraConfig = ''
SystemMaxUse=10M
'';
services.fstrim.enable = true;
# Debugging
environment.systemPackages = with pkgs; [
(runCommand "systemd-sysupdate" { } ''
mkdir -p $out/bin
ln -s ${config.systemd.package}/lib/systemd/systemd-sysupdate $out/bin
'')
];
system.stateVersion = "24.11";
}

24
modules/kernel/default.nix Normal file
View file

@ -0,0 +1,24 @@
{
config,
lib,
pkgs,
...
}:
{
boot.kernelPackages =
let
version = "6.11.2";
in
pkgs.linuxPackagesFor (
pkgs.linuxManualConfig {
version = "${version}-patos1";
modDirVersion = version;
src = pkgs.fetchurl {
url = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${version}.tar.xz";
sha256 = "ec9ef7a0b9cebb55940e1ef87a1f9e1004b10456a119dc386bb3e565b0d39c42";
};
configfile = ./generic.config;
allowImportFromDerivation = true;
}
);
}

31
pkgs/kernel/generic.config → modules/kernel/generic.config
View file

@ -276,7 +276,7 @@ CONFIG_BRIDGE_VLAN_FILTERING=y
CONFIG_BRIDGE=y
CONFIG_BSD_DISKLABEL=y
CONFIG_BSD_PROCESS_ACCT=y
CONFIG_BTRFS_FS=y
CONFIG_BTRFS_FS=m
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_BUFFER_HEAD=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
@ -426,7 +426,7 @@ CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=y
CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519=y
CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=y
CONFIG_CRYPTO_AUTHENC=y
CONFIG_CRYPTO_BLAKE2B=y
CONFIG_CRYPTO_BLAKE2B=m
CONFIG_CRYPTO_BLAKE2S_X86=y
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CCM=y
@ -522,7 +522,11 @@ CONFIG_DEBUG_BUGVERBOSE=y
CONFIG_DEBUG_ENTRY=y
CONFIG_DEBUG_FS_ALLOW_ALL=y
CONFIG_DEBUG_FS=y
CONFIG_DEBUG_INFO=n
CONFIG_DEBUG_INFO_BTF_MODULES=y
CONFIG_DEBUG_INFO_BTF=y
CONFIG_DEBUG_INFO_COMPRESSED_NONE=y
CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_MISC=y
@ -587,8 +591,7 @@ CONFIG_DM_SWITCH=m
CONFIG_DM_THIN_PROVISIONING=m
CONFIG_DM_UNSTRIPED=m
CONFIG_DM_VDO=m
CONFIG_DM_VERITY=y
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIG_DM_VERITY=m
CONFIG_DM_WRITECACHE=m
CONFIG_DM_ZERO=y
CONFIG_DM_ZONED=m
@ -643,7 +646,7 @@ CONFIG_ELF_CORE=y
CONFIG_ELFCORE=y
CONFIG_ENA_ETHERNET=y
CONFIG_ENCLOSURE_SERVICES=y
CONFIG_ENCRYPTED_KEYS=y
CONFIG_ENCRYPTED_KEYS=m
CONFIG_ENIC=m
CONFIG_EPOLL=y
CONFIG_EROFS_FS_POSIX_ACL=y
@ -1394,11 +1397,16 @@ CONFIG_MMU=y
CONFIG_MODPROBE_PATH="/sbin/modprobe"
CONFIG_MODULE_COMPRESS_ZSTD=y
CONFIG_MODULE_FORCE_UNLOAD=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_FORMAT=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SRCVERSION_ALL=y
CONFIG_MODULE_UNLOAD=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULES_TREE_LOOKUP=y
CONFIG_MODULES_USE_ELF_RELA=y
CONFIG_MODULES=y
@ -1953,7 +1961,7 @@ CONFIG_QUOTA_TREE=y
CONFIG_QUOTA=y
CONFIG_R8169=m
CONFIG_RAID6_PQ_BENCHMARK=y
CONFIG_RAID6_PQ=y
CONFIG_RAID6_PQ=m
CONFIG_RAID_ATTRS=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
@ -2213,7 +2221,6 @@ CONFIG_TCG_CRB=y
CONFIG_TCG_TIS_CORE=y
CONFIG_TCG_TIS=y
CONFIG_TCG_TPM=y
CONFIG_TCG_TPM2_HMAC=n
CONFIG_TCP_CONG_ADVANCED=y
CONFIG_TCP_CONG_BBR=y
CONFIG_TCP_CONG_CUBIC=y
@ -2487,7 +2494,7 @@ CONFIG_XFS_QUOTA=y
CONFIG_XFS_RT=y
CONFIG_XFS_SUPPORT_ASCII_CI=y
CONFIG_XFS_SUPPORT_V4=y
CONFIG_XOR_BLOCKS=y
CONFIG_XOR_BLOCKS=m
CONFIG_XPS=y
CONFIG_XXHASH=y
CONFIG_XZ_DEC_ARMTHUMB=y

18
modules/minimize.nix Normal file
View file

@ -0,0 +1,18 @@
{ modulesPath, ... }:
{
imports = [
"${modulesPath}/profiles/minimal.nix"
];
nix.enable = false;
system.disableInstallerTools = true;
system.etc.overlay.enable = true;
systemd.sysusers.enable = true;
programs.less.lessopen = null;
programs.command-not-found.enable = false;
environment.defaultPackages = [ ];
security.sudo.enable = false;
}

11
modules/network.nix Normal file
View file

@ -0,0 +1,11 @@
{ config, ... }: {
networking = {
useNetworkd = true;
# Easy debugging.
firewall.enable = false;
};
# Faster boot.
systemd.network.wait-online.enable = false;
}

103
modules/partitions.nix Normal file
View file

@ -0,0 +1,103 @@
{
config,
pkgs,
lib,
modulesPath,
...
}:
{
imports = [
"${modulesPath}/image/repart.nix"
];
image.repart =
let
efiArch = pkgs.stdenv.hostPlatform.efiArch;
in
{
name = config.boot.uki.name;
split = true;
mkfsOptions = {
erofs = [
# "-zzstd,6" # Zstd compression
# "-zlz4hc,12"
"-T0" # Fixed timestamp for all files
"-C262144" # 256 KiB cluster size
# "-C65536" # 64 KiB cluster size
# "-C1048576" # 1 MiB cluster size
"-Efragments,dedupe,ztailpacking" # Extra features
];
};
partitions = {
"esp" = {
contents = {
"/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source = "${pkgs.systemd}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";
"/EFI/Linux/${config.system.boot.loader.ukiFile}".source = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}";
# systemd-boot configuration
"/loader/loader.conf".source = (
pkgs.writeText "$out" ''
timeout 0
''
# FIXME: should not be 0 in prod
);
};
repartConfig = {
Type = "esp";
UUID = "c12a7328-f81f-11d2-ba4b-00a0c93ec93b"; # Well known
Format = "vfat";
SizeMinBytes = "256M";
SplitName = "-";
};
};
"store" = {
storePaths = [ config.system.build.toplevel ];
stripNixStorePrefix = true;
repartConfig = {
Type = "linux-generic";
Label = "${config.boot.uki.name}_${config.system.image.version}";
Format = "erofs";
Minimize = "best";
ReadOnly = "yes";
SizeMinBytes = "1G";
SizeMaxBytes = "1G";
SplitName = "store";
};
};
# Placeholder for the second installed Nix store.
"store-empty" = {
repartConfig = {
Type = "linux-generic";
Label = "_empty";
Minimize = "off";
SizeMinBytes = "1G";
SizeMaxBytes = "1G";
SplitName = "-";
};
};
# Persistent storage
"var" = {
repartConfig = {
Type = "var";
UUID = "4d21b016-b534-45c2-a9fb-5c16e091fd2d"; # Well known
Format = "xfs";
Label = "nixos-persistent";
Minimize = "off";
# Has to be large enough to hold update files.
SizeMinBytes = "2G";
SizeMaxBytes = "2G";
SplitName = "-";
# Wiping this gives us a clean state.
FactoryReset = "yes";
};
};
};
};
}

39
modules/patagia-agent.nix Normal file
View file

@ -0,0 +1,39 @@
{
pkgs,
utils,
...
}:
{
system.activationScripts.patagia-agent = ''
mkdir -p /var/lib/extensions
mkdir -p /etc/systemd/extensions
'';
environment.etc."sysupdate.patagia-agent.d".source =
let
format = pkgs.formats.ini { listToValue = toString; };
in
utils.systemdUtils.lib.definitions "sysupdate.patagia-agent.d" format {
"10-image.conf" = {
Source = {
MatchPattern = "patagia-agent_@v.raw";
Path = "https://images.dl.patagia.dev/patagia-agent/";
Type = "url-file";
};
Target = {
InstancesMax = 2;
Path = "/var/lib/extensions";
CurrentSymlink = "/etc/systemd/extensions/patagia-agent.raw";
Type = "regular-file";
MatchPattern = "patagia-agent_@v.raw";
};
Transfer = {
Verify = "no"; # FIXME: verify
};
};
};
}

5
modules/system_overrides.nix Normal file
View file

@ -0,0 +1,5 @@
{ lib, options, ... }: {
# This fields is immutable by default, but can be overridden.
options.system.nixos.codeName = lib.mkOption { readOnly = false; };
options.system.nixos.release = lib.mkOption { readOnly = false; };
}

96
modules/sysupdate.nix Normal file
View file

@ -0,0 +1,96 @@
{ config, pkgs, ... }:
let
gpgPubKeyStaging = ''
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEZvb3mhYJKwYBBAHaRw8BAQdAvyH7AMLukMEF/1as7auAh757//LlO/kBG8pm
zhOlTj20LFBhdGFnaWEgU3RhZ2luZyA8bm9yZXBseStzdGFnaW5nQHBhdGFnaWEu
aW8+iJQEExYKADwWIQTjWE8tGxWc+3+vxyy1R4V5MjgMzAUCZvb3mgIbAwUJBaOa
gAQLCQgHBBUKCQgFFgIDAQACHgUCF4AACgkQtUeFeTI4DMwDWAEAlMAhSZh086Ux
OfLBR1QYgHtXmk6tObJurWkZq6cGICwA/2fBOtZcLfAPRWYPLHAtsqtFrO6CIyQG
H6n4Iv3D5ZsCuDgEZvb3mhIKKwYBBAGXVQEFAQEHQPKKcltfHlELIHf0AYcd0nOe
GaWcAnoW4o3zLZUVNnlpAwEIB4h+BBgWCgAmFiEE41hPLRsVnPt/r8cstUeFeTI4
DMwFAmb295oCGwwFCQWjmoAACgkQtUeFeTI4DMzuegEA62XIq4Ir+4DWdTql58bA
+0Vr89dMQsAxwVzGGzl8D8wBAMuPY6/2SwbA7KwWuz8L/cTPQVLBt+TSdYeuCBps
e5UE
=m2st
-----END PGP PUBLIC KEY BLOCK-----
'';
gpgKeyring = pkgs.runCommand "gpg-keyring" { buildInputs = [ pkgs.gnupg ]; } ''
mkdir -p $out
export GNUPGHOME=$out
gpg --no-default-keyring --keyring=$out/import-pubring.gpg --fingerprint
gpg --no-default-keyring --keyring=$out/import-pubring.gpg --import <<< '${gpgPubKeyStaging}'
rm $out/S.scdaemon $out/S.gpg-agent $out/S.gpg-agent.*
'';
in
{
environment.etc."systemd/import-pubring.gpg".source = "${gpgKeyring}/import-pubring.gpg";
systemd.additionalUpstreamSystemUnits = [
"systemd-sysext.service"
];
systemd.services."systemd-sysext.service".enable = true;
systemd.sysupdate = {
enable = true;
transfers = {
"10-uki" = {
Source = {
MatchPattern = [
"${config.boot.uki.name}_@v.efi.xz"
];
Path = "https://images.dl.patagia.dev/patos/";
Type = "url-file";
};
Target = {
InstancesMax = 2;
MatchPattern = [
"${config.boot.uki.name}_@v.efi"
];
Mode = "0444";
Path = "/EFI/Linux";
PathRelativeTo = "boot";
Type = "regular-file";
};
Transfer = {
ProtectVersion = "%A";
Verify = "no";
};
};
"20-store" = {
Source = {
MatchPattern = [
"${config.boot.uki.name}_@v.img.xz"
];
Path = "https://images.dl.patagia.dev/patos/";
Type = "url-file";
};
Target = {
InstancesMax = 2;
# This doesn't work, because / is a tmpfs and the heuristic is not that smart.
#
# Path = "auto";
Path = "/dev/sda";
MatchPattern = "${config.boot.uki.name}_@v";
Type = "partition";
ReadOnly = "yes";
};
Transfer = {
Verify = "no";
};
};
};
};
}

18
modules/utils.nix Normal file
View file

@ -0,0 +1,18 @@
{
config,
pkgs,
lib,
...
}:
let
script = pkgs.writeShellScriptBin "patos-upgrade.sh" ''
systemd-sysupdate --verify=no
systemd-sysupdate --verify=no update --reboot
'';
in
{
environment.systemPackages = [
# pkgs.ncdu
script
];
}

19
overlays/default.nix Normal file
View file

@ -0,0 +1,19 @@
final: prev: {
# Build mkfs.erofs with zstd support
erofs-utils = prev.erofs-utils.overrideAttrs (old: {
buildInputs = old.buildInputs ++ [ prev.zstd ];
configureFlags = old.configureFlags ++ [
"--enable-multithreading"
"--enable-zstd"
];
});
util-linux = prev.util-linux.override {
ncursesSupport = false;
nlsSupport = false;
};
dbus = prev.dbus.override {
x11Support = false;
};
}

37
pkgs/busybox/clang-cross.patch
View file

@ -1,37 +0,0 @@
diff --git a/Makefile b/Makefile
index 6fedcffba..3385836c4 100644
--- a/Makefile
+++ b/Makefile
@@ -271,8 +271,8 @@ export quiet Q KBUILD_VERBOSE
# Look for make include files relative to root of kernel src
MAKEFLAGS += --include-dir=$(srctree)
-HOSTCC = gcc
-HOSTCXX = g++
+HOSTCC = cc
+HOSTCXX = c++
HOSTCFLAGS :=
HOSTCXXFLAGS :=
# We need some generic definitions
@@ -289,7 +289,7 @@ MAKEFLAGS += -rR
# Make variables (CC, etc...)
AS = $(CROSS_COMPILE)as
-CC = $(CROSS_COMPILE)gcc
+CC = $(CROSS_COMPILE)cc
LD = $(CC) -nostdlib
CPP = $(CC) -E
AR = $(CROSS_COMPILE)ar
diff --git a/scripts/Makefile.IMA b/scripts/Makefile.IMA
index f155108d7..185257064 100644
--- a/scripts/Makefile.IMA
+++ b/scripts/Makefile.IMA
@@ -39,7 +39,7 @@ ifndef HOSTCC
HOSTCC = cc
endif
AS = $(CROSS_COMPILE)as
-CC = $(CROSS_COMPILE)gcc
+CC = $(CROSS_COMPILE)cc
LD = $(CC) -nostdlib
CPP = $(CC) -E
AR = $(CROSS_COMPILE)ar

208
pkgs/busybox/default.nix
View file

@ -1,208 +0,0 @@
{
stdenv,
lib,
pkgs,
buildPackages,
fetchurl,
fetchpatch,
fetchFromGitLab,
enableStatic ? stdenv.hostPlatform.isStatic,
enableMinimal ? false,
enableAppletSymlinks ? true,
# Allow forcing musl without switching stdenv itself, e.g. for our bootstrapping:
# nix build -f pkgs/top-level/release.nix stdenvBootstrapTools.x86_64-linux.dist
useMusl ? stdenv.hostPlatform.libc == "musl",
musl,
extraConfig ? "",
}:
assert stdenv.hostPlatform.libc == "musl" -> useMusl;
let
configParser = ''
function parseconfig {
while read LINE; do
NAME=`echo "$LINE" | cut -d \ -f 1`
OPTION=`echo "$LINE" | cut -d \ -f 2`
if ! [[ "$NAME" =~ ^CONFIG_ ]]; then continue; fi
echo "parseconfig: removing $NAME"
sed -i /$NAME'\(=\| \)'/d .config
echo "parseconfig: setting $NAME=$OPTION"
echo "$NAME=$OPTION" >> .config
done
}
'';
libcConfig = lib.optionalString useMusl ''
CONFIG_FEATURE_UTMP n
CONFIG_FEATURE_WTMP n
'';
# The debian version lags behind the upstream version and also contains
# a debian-specific suffix. We only fetch the debian repository to get the
# default.script
debianVersion = "1.30.1-6";
debianSource = fetchFromGitLab {
domain = "salsa.debian.org";
owner = "installer-team";
repo = "busybox";
rev = "debian/1%${debianVersion}";
sha256 = "sha256-6r0RXtmqGXtJbvLSD1Ma1xpqR8oXL2bBKaUE/cSENL8=";
};
debianDispatcherScript = "${debianSource}/debian/tree/udhcpc/etc/udhcpc/default.script";
outDispatchPath = "$out/default.script";
in
stdenv.mkDerivation rec {
pname = "busybox";
version = pkgs.busybox.version;
# Note to whoever is updating busybox: please verify that:
# nix-build pkgs/stdenv/linux/make-bootstrap-tools.nix -A test
# still builds after the update.
src = pkgs.busybox.src;
hardeningDisable = [
"format"
"pie"
] ++ lib.optionals enableStatic [ "fortify" ];
patches = [
(fetchurl {
name = "CVE-2022-28391.patch";
url = "https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch?id=ed92963eb55bbc8d938097b9ccb3e221a94653f4";
sha256 = "sha256-yviw1GV+t9tbHbY7YNxEqPi7xEreiXVqbeRyf8c6Awo=";
})
(fetchurl {
name = "CVE-2022-28391.patch";
url = "https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch?id=ed92963eb55bbc8d938097b9ccb3e221a94653f4";
sha256 = "sha256-vl1wPbsHtXY9naajjnTicQ7Uj3N+EQ8pRNnrdsiow+w=";
})
(fetchpatch {
name = "CVE-2022-48174.patch"; # https://bugs.busybox.net/show_bug.cgi?id=15216
url = "https://git.busybox.net/busybox/patch/?id=d417193cf37ca1005830d7e16f5fa7e1d8a44209";
hash = "sha256-mpDEwYncpU6X6tmtj9xM2KCrB/v2ys5bYxmPPrhm6es=";
})
(fetchpatch {
name = "CVE-2023-42366.patch"; # https://bugs.busybox.net/show_bug.cgi?id=15874
# This patch is also used by Alpine, see https://git.alpinelinux.org/aports/tree/main/busybox/0037-awk.c-fix-CVE-2023-42366-bug-15874.patch
url = "https://bugs.busybox.net/attachment.cgi?id=9697";
hash = "sha256-2eYfLZLjStea9apKXogff6sCAdG9yHx0ZsgUBaGfQIA=";
})
(fetchpatch {
name = "CVE-2023-42363.patch"; # https://bugs.busybox.net/show_bug.cgi?id=15865
url = "https://git.launchpad.net/ubuntu/+source/busybox/plain/debian/patches/CVE-2023-42363.patch?id=c9d8a323b337d58e302717d41796aa0242963d5a";
hash = "sha256-1W9Q8+yFkYQKzNTrvndie8QuaEbyAFL1ZASG2fPF+Z4=";
})
(fetchpatch {
name = "CVE-2023-42364_CVE-2023-42365.patch"; # https://bugs.busybox.net/show_bug.cgi?id=15871 https://bugs.busybox.net/show_bug.cgi?id=15868
url = "https://git.alpinelinux.org/aports/plain/main/busybox/CVE-2023-42364-CVE-2023-42365.patch?id=8a4bf5971168bf48201c05afda7bee0fbb188e13";
hash = "sha256-nQPgT9eA1asCo38Z9X7LR9My0+Vz5YBPba3ARV3fWcc=";
})
] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) ./clang-cross.patch;
separateDebugInfo = true;
# postPatch = "patchShebangs .";
configurePhase = ''
export KCONFIG_NOTIMESTAMP=1
make ${if enableMinimal then "allnoconfig" else "defconfig"}
${configParser}
cat << EOF | parseconfig
CONFIG_PREFIX "$out"
CONFIG_INSTALL_NO_USR y
CONFIG_LFS y
# More features for modprobe.
${lib.optionalString (!enableMinimal) ''
CONFIG_FEATURE_MODPROBE_BLACKLIST y
CONFIG_FEATURE_MODUTILS_ALIAS y
CONFIG_FEATURE_MODUTILS_SYMBOLS y
CONFIG_MODPROBE_SMALL n
''}
${lib.optionalString enableStatic ''
CONFIG_STATIC y
''}
${lib.optionalString (!enableAppletSymlinks) ''
CONFIG_INSTALL_APPLET_DONT y
CONFIG_INSTALL_APPLET_SYMLINKS n
''}
# Use the external mount.cifs program.
CONFIG_FEATURE_MOUNT_CIFS n
CONFIG_FEATURE_MOUNT_HELPERS y
# BB_SHADOW
FEATURE_SHADOWPASSWDS y
CONFIG_USE_BB_PWD_GRP y
CONFIG_USE_BB_SHADOW y
CONFIG_USE_BB_CRYPT y
USE_BB_CRYPT_SHA y
CONFIG_FEATURE_DEFAULT_PASSWD_ALGO "sha512"
# Set paths for console fonts.
CONFIG_DEFAULT_SETFONT_DIR "/etc/kbd"
# Bump from 4KB, much faster I/O
CONFIG_FEATURE_COPYBUF_KB 64
# Doesn't build with current kernel headers.
# https://bugs.busybox.net/show_bug.cgi?id=15934
CONFIG_TC n
# Set the path for the udhcpc script
CONFIG_UDHCPC_DEFAULT_SCRIPT "/usr/share/busybox/"
${extraConfig}
CONFIG_CROSS_COMPILER_PREFIX "${stdenv.cc.targetPrefix}"
${libcConfig}
EOF
make oldconfig
runHook postConfigure
'';
postConfigure = lib.optionalString (useMusl && stdenv.hostPlatform.libc != "musl") ''
makeFlagsArray+=("CC=${stdenv.cc.targetPrefix}cc -isystem ${musl.dev}/include -B${musl}/lib -L${musl}/lib")
'';
makeFlags = [ "SKIP_STRIP=y" ];
strictDeps = true;
depsBuildBuild = [ buildPackages.stdenv.cc ];
buildInputs = lib.optionals (enableStatic && !useMusl && stdenv.cc.libc ? static) [
stdenv.cc.libc
stdenv.cc.libc.static
];
enableParallelBuilding = true;
doCheck = false; # tries to access the net
passthru.shellPath = "/bin/ash";
meta = with lib; {
description = "Tiny versions of common UNIX utilities in a single small executable";
homepage = "https://busybox.net/";
license = licenses.gpl2Only;
maintainers = with maintainers; [
TethysSvensson
qyliss
];
platforms = platforms.linux;
priority = 15; # below systemd (halt, init, poweroff, reboot) and coreutils
};
}

17
pkgs/cert/default.nix
View file

@ -1,17 +0,0 @@
{
runCommand,
pkgs,
}:
runCommand "patagia-certs"
{
buildInputs = with pkgs; [
openssl
];
}
''
mkdir -pv $out
openssl req -new -x509 -days 365 -nodes -out $out/cert.pem -keyout $out/key.pem -subj "/CN=patagia-signing"
''

164
pkgs/dbus-broker/default.nix
View file

@ -1,164 +0,0 @@
{
lib,
stdenv,
fetchFromGitHub,
pkgs,
...
}:
let
meta = {
maintainers = with lib.maintainers; [ peterhoeg ];
platforms = lib.platforms.linux;
};
dep =
{
pname,
version,
hash,
rev ? "v${version}",
buildInputs ? [ ],
}:
stdenv.mkDerivation {
inherit pname version;
src = fetchFromGitHub {
owner = "c-util";
repo = pname;
inherit hash rev;
};
nativeBuildInputs = with pkgs; [
meson
ninja
pkg-config
];
inherit buildInputs;
meta = meta // {
description = "The C-Util Project is a collection of utility libraries for the C11 language.";
homepage = "https://c-util.github.io/";
license = [
lib.licenses.asl20
lib.licenses.lgpl21Plus
];
};
};
# These libraries are not used outside of dbus-broker.
#
# If that changes, we can always break them out, but they are essentially
# part of the dbus-broker project, just in separate repositories.
c-dvar = dep {
pname = "c-dvar";
version = "1.1.0";
hash = "sha256-p/C+BktclVseCtZJ1Q/YK03vP2ClnYRLB1Vmj2OQJD4=";
buildInputs = [
c-stdaux
c-utf8
];
};
c-ini = dep {
pname = "c-ini";
version = "1.1.0";
hash = "sha256-wa7aNl20hkb/83c4AkQ/0YFDdmBs4XGW+WLUtBWIC98=";
buildInputs = [
c-list
c-rbtree
c-stdaux
c-utf8
];
};
c-list = dep {
pname = "c-list";
version = "3.1.0";
hash = "sha256-fp3EAqcbFCLaT2EstLSzwP2X13pi2EFpFAullhoCtpw=";
};
c-rbtree = dep {
pname = "c-rbtree";
version = "3.2.0";
hash = "sha256-dTMeawhPLRtHvMXfXCrT5iCdoh7qS3v+raC6c+t+X38=";
buildInputs = [ c-stdaux ];
};
c-shquote = dep {
pname = "c-shquote";
version = "1.1.0";
hash = "sha256-z6hpQ/kpCYAngMNfxLkfsxaGtvP4yBMigX1lGpIIzMQ=";
buildInputs = [ c-stdaux ];
};
c-stdaux = dep {
pname = "c-stdaux";
version = "1.5.0";
hash = "sha256-MsnuEyVCmOIr/q6I1qyPsNXp48jxIEcXoYLHbOAZtW0=";
};
c-utf8 = dep {
pname = "c-utf8";
version = "1.1.0";
hash = "sha256-9vBYylbt1ypJwIAQJd/oiAueh+4VYcn/KzofQuhUea0=";
buildInputs = [ c-stdaux ];
};
in
stdenv.mkDerivation (finalAttrs: {
pname = "dbus-broker";
version = pkgs.dbus-broker.version;
src = pkgs.dbus-broker.src;
nativeBuildInputs = with pkgs; [
docutils
meson
ninja
pkg-config
];
buildInputs = [
c-dvar
c-ini
c-list
c-rbtree
c-shquote
c-stdaux
c-utf8
pkgs.dbus
pkgs.linuxHeaders
pkgs.systemd
];
mesonFlags = [
# while we technically support 4.9 and 4.14, the NixOS module will throw an
# error when using a kernel that's too old
"--prefix=/"
"--bindir=/usr/bin"
"-D=linux-4-17=true"
"-D=system-console-users=gdm,sddm,lightdm"
];
PKG_CONFIG_SYSTEMD_SYSTEMDSYSTEMUNITDIR = "/usr/lib/systemd/system";
PKG_CONFIG_SYSTEMD_SYSTEMDUSERUNITDIR = "/usr/lib/systemd/user";
PKG_CONFIG_SYSTEMD_CATALOGDIR = "/usr/lib/systemd/catalog";
preInstall = ''
export DESTDIR=${placeholder "out"}
'';
postInstall = ''
mkdir -p $out/usr/share
cp -Pr ${pkgs.dbus.out}/share/* $out/usr/share/
cp ${pkgs.dbus.out}/etc/systemd/system/dbus.socket $out/usr/lib/systemd/system/
mv $out/usr/lib/systemd/system/dbus-broker.service $out/usr/lib/systemd/system/dbus.service
find $out/usr/share/ -type d -exec chmod 755 {} \;
sed -i 's#/nix/store.*/share#/usr/share#' $out/usr/share/xml/dbus-1/catalog.xml
sed -i 's#/nix/store.*/libexec#/usr/bin#' $out/usr/share/dbus-1/system.conf
mkdir -p $out/usr/lib/sysusers.d/
echo 'u! messagebus - "DBus broker"' > $out/usr/lib/sysusers.d/dbus-broker.conf
'';
doCheck = false;
meta = meta // {
description = "Linux D-Bus Message Broker";
homepage = "https://github.com/bus1/dbus-broker/wiki";
license = lib.licenses.asl20;
};
})

53
pkgs/glibc/default.nix
View file

@ -1,53 +0,0 @@
{
pkgs,
stdenv,
...
}:
let
version = pkgs.glibc.version;
src = pkgs.glibc.src;
pname = "glibcPatos";
in
stdenv.mkDerivation (finalAttrs: {
inherit version;
inherit src;
inherit pname;
enableParallelBuilding = true;
dontPatchShebangs = true;
configureFlags = [
"--prefix=/"
"--libdir=/lib"
"--bindir=/bin"
"--sysconfdir=/etc"
];
preConfigure =
''
export PWD_P=$(type -tP pwd)
for i in configure io/ftwtest-sh; do
sed -i "$i" -e "s^/bin/pwd^$PWD_P^g"
done
mkdir ../build
cd ../build
configureScript="`pwd`/../$sourceRoot/configure"
'';
nativeBuildInputs = with pkgs; [
bison
python3Minimal
];
outputs = [
"out"
];
preInstall = ''
export DESTDIR=${placeholder "out"}
'';
})

256
pkgs/image/default.nix
View file

@ -1,256 +0,0 @@
{
lib,
pkgs,
patosPkgs,
version,
runCommand,
updateUrl,
cpuArch ? "",
secureBoot ? "false"
}:
let
pname = "patos-image";
in
runCommand pname {
inherit version cpuArch updateUrl secureBoot;
microcode = lib.optionalString (cpuArch == "amd") "--microcode ${pkgs.microcode-amd}/amd-ucode.img"
+ lib.optionalString (cpuArch == "intel") "--microcode ${pkgs.microcode-intel}/intel-ucode.img";
buildInputs = with pkgs; [
erofs-utils
dosfstools
mtools
jq
];
env = {
# vfat options won't efi won't find the fs otherwise.
SYSTEMD_REPART_MKFS_OPTIONS_VFAT = "-S 512 -c";
SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking";
};
kernelCmdLine = "console=ttyS0 patos.secureboot=${secureBoot}";
}
''
mkdir -p $out/init.repart.d $out/final.repart.d
pushd $out
mkdir rootfs
cp -prP ${patosPkgs.rootfs}/* rootfs/
find rootfs/ -type d -exec chmod 755 {} \;
# package kernel modules as sysext (will reduce the image size a little bit (~3MB))
mkdir rootfs/etc/extensions
rm -rf rootfs/usr/lib/modules
cp ${patosPkgs.kernel}/patos-kernel-modules* rootfs/etc/extensions/
# set default target to multi-user
ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target
# enable dbus
ln -sf ../dbus.service rootfs/usr/lib/systemd/system/multi-user.target.wants/dbus.service
ln -sf ../dbus.socket rootfs/usr/lib/systemd/system/sockets.target.wants/dbus.socket
# enable network services
ln -sf ../systemd-networkd.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-networkd.service
ln -sf ../systemd-resolved.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-resolved.service
ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.target.wants/systemd-timesyncd.service
# enable default network config
mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/systemd/network/89-ethernet.network
# enable confext/sysext services
ln -sf ../systemd-confext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-confext.service
ln -sf ../systemd-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-sysext.service
cat <<EOF > rootfs/usr/lib/systemd/system/secure-boot-import-keys.service
[Unit]
Description=Import Secure Boot keys
DefaultDependencies=no
RequiresMountsFor=/var/lib/sbctl /boot
ConditionPathExists=/boot/sbctl/keys
After=local-fs.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=sbctl import-keys -d /boot/sbctl/keys
ExecStartPost=rm -rf /boot/sbctl
EOF
ln -sf ../secure-boot-import-keys.service rootfs/usr/lib/systemd/system/sysinit.target.wants/secure-boot-import-keys.service
# sysupdate
mkdir -p rootfs/etc/sysupdate.d
cat <<EOF > rootfs/etc/sysupdate.d/10-uki.transfer
[Source]
Path=${updateUrl}
MatchPattern=patos_@v.efi
Type=url-file
[Target]
InstancesMax=2
MatchPattern=patos_@v+@l-@d.efi patos_@v+@l.efi patos_@v.efi
Mode=0444
Path=/EFI/Linux
PathRelativeTo=esp
TriesDone=0
TriesLeft=3
Type=regular-file
[Transfer]
Verify=no
EOF
cat <<EOF > rootfs/etc/sysupdate.d/20-root-verity.transfer
[Source]
Type=url-file
Path=${updateUrl}
MatchPattern=patos_@v_@u.verity
[Target]
Type=partition
Path=auto
MatchPattern=verity-@v
MatchPartitionType=root-verity
ReadOnly=1
[Transfer]
Verify=no
EOF
cat <<EOF > rootfs/etc/sysupdate.d/22-root.transfer
[Source]
Type=url-file
Path=${updateUrl}
MatchPattern=patos_@v_@u.root
[Target]
Type=partition
Path=auto
MatchPattern=root-@v
MatchPartitionType=root
ReadOnly=1
[Transfer]
Verify=no
EOF
# Initial partitioning
cat <<EOF > init.repart.d/10-root.conf
[Partition]
Type=root
Format=erofs
Minimize=best
CopyFiles=/rootfs:/
Verity=data
VerityMatchKey=root
SplitName=root
EOF
cat <<EOF > init.repart.d/20-root-verity.conf
[Partition]
Type=root-verity
Verity=hash
VerityMatchKey=root
Minimize=best
SplitName=verity
EOF
#TODO: Add verity signature partition
${patosPkgs.systemd}/usr/bin/systemd-repart \
--no-pager \
--empty=create \
--size=auto \
--definitions=./init.repart.d \
--split=true \
--json=pretty \
--root=$out \
patos_$version.raw > init-repart-output.json && rm -f patos_$version.raw
roothash=$(jq -r '.[0].roothash' init-repart-output.json)
rootPart=$(jq -r '.[0].split_path' init-repart-output.json)
rootUuid=$(jq -r '.[0].uuid' init-repart-output.json)
verityPart=$(jq -r '.[1].split_path' init-repart-output.json)
verityUuid=$(jq -r '.[1].uuid' init-repart-output.json)
ln -sf patos_$version.verity.raw patos_${version}_$verityUuid.verity
ln -sf patos_$version.root.raw patos_${version}_$rootUuid.root
${patosPkgs.systemd}/usr/bin/ukify build \
--linux ${patosPkgs.kernel}/bzImage \
--initrd ${patosPkgs.initrd}/initrd.xz \
$microcode \
--os-release @rootfs/etc/os-release \
--cmdline "$kernelCmdLine roothash=$roothash" \
-o patos_${version}.efi
# install ESP
SYSTEMD_RELAX_ESP_CHECKS=1 ${patosPkgs.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot
# setup factory reset
mkdir -p rootfs/boot/EFI/tools
cp ${pkgs.edk2-uefi-shell}/shell.efi rootfs/boot/EFI/tools/
cat <<EOF > rootfs/boot/EFI/tools/factoryreset.nsh
setvar FactoryReset -guid 8cf2644b-4b0b-428f-9387-6d876050dc67 -nv -rt =%1
reset
EOF
cat <<EOF > rootfs/boot/loader/entries/factoryreset.conf
title Enable Factory Reset
options -nostartup -nomap
options \EFI\tools\factoryreset.nsh L"t"
efi EFI/tools/shell.efi
EOF
echo "timeout 2" > rootfs/boot/loader/loader.conf
# install UKI
cp patos_${version}.efi rootfs/boot/EFI/Linux
# Final partitioning
cat <<EOF > final.repart.d/10-esp.conf
[Partition]
Type=esp
Format=vfat
SizeMinBytes=128M
SizeMaxBytes=128M
CopyFiles=/rootfs/boot:/
EOF
cat <<EOF > final.repart.d/20-root.conf
[Partition]
Type=root
Label=root-${version}
CopyBlocks=/$rootPart
UUID=$rootUuid
SizeMinBytes=64M
SizeMaxBytes=64M
ReadOnly=1
EOF
cat <<EOF > final.repart.d/22-root-verity.conf
[Partition]
Type=root-verity
Label=verity-${version}
CopyBlocks=/$verityPart
UUID=$verityUuid
ReadOnly=1
EOF
# finalize image ready for boot
${patosPkgs.systemd}/usr/bin/systemd-repart \
--no-pager \
--empty=create \
--size=auto \
--definitions=./final.repart.d \
--root=$out \
patos_${version}.img > final-repart-output.json
rm -rf rootfs init.repart.d final.repart.d *.json
sha256sum *.root *.verity *.efi *.tar.xz > SHA256SUMS
popd
''

15
pkgs/kernel/default.nix
View file

@ -1,15 +0,0 @@
{ pkgs }:
let
version = "6.14.2";
hash = "sha256-xcaCo1TqMZATk1elfTSnnlw3IhrOgjqTjhARa1d6Lhs=";
in
(pkgs.callPackage ./manual-config.nix { }) {
version = "${version}-patos1";
modDirVersion = version;
src = pkgs.fetchurl {
url = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${version}.tar.xz";
hash = hash;
};
configfile = ./generic.config;
allowImportFromDerivation = true;
}

594
pkgs/kernel/manual-config.nix
View file

@ -1,594 +0,0 @@
{
lib,
stdenv,
buildPackages,
runCommand,
nettools,
bc,
bison,
flex,
perl,
rsync,
gmp,
libmpc,
mpfr,
openssl,
cpio,
elfutils,
hexdump,
zstd,
python3Minimal,
zlib,
pahole,
kmod,
ubootTools,
erofs-utils,
cryptsetup,
fetchpatch,
rustc,
rust-bindgen,
rustPlatform,
}:
let
lib_ = lib;
stdenv_ = stdenv;
readConfig =
configfile:
import
(runCommand "config.nix" { } ''
echo "{" > "$out"
while IFS='=' read key val; do
[ "x''${key#CONFIG_}" != "x$key" ] || continue
no_firstquote="''${val#\"}";
echo ' "'"$key"'" = "'"''${no_firstquote%\"}"'";' >> "$out"
done < "${configfile}"
echo "}" >> $out
'').outPath;
in
lib.makeOverridable (
{
# The kernel version
version,
# The kernel pname (should be set for variants)
pname ? "linux",
# Position of the Linux build expression
pos ? null,
# Additional kernel make flags
extraMakeFlags ? [ ],
# The name of the kernel module directory
# Needs to be X.Y.Z[-extra], so pad with zeros if needed.
modDirVersion ? null, # derive from version
# The kernel source (tarball, git checkout, etc.)
src,
# a list of { name=..., patch=..., extraConfig=...} patches
kernelPatches ? [ ],
# The kernel .config file
configfile,
# Manually specified nixexpr representing the config
# If unspecified, this will be autodetected from the .config
config ? lib.optionalAttrs allowImportFromDerivation (readConfig configfile),
# Custom seed used for CONFIG_GCC_PLUGIN_RANDSTRUCT if enabled. This is
# automatically extended with extra per-version and per-config values.
randstructSeed ? "",
# Extra meta attributes
extraMeta ? { },
# for module compatibility
isZen ? false,
isLibre ? false,
isHardened ? false,
# Whether to utilize the controversial import-from-derivation feature to parse the config
allowImportFromDerivation ? false,
# ignored
features ? null,
lib ? lib_,
stdenv ? stdenv_,
}:
let
# Provide defaults. Note that we support `null` so that callers don't need to use optionalAttrs,
# which can lead to unnecessary strictness and infinite recursions.
modDirVersion_ = if modDirVersion == null then lib.versions.pad 3 version else modDirVersion;
in
let
# Shadow the un-defaulted parameter; don't want null.
modDirVersion = modDirVersion_;
inherit (lib)
hasAttr
getAttr
optional
optionals
optionalString
optionalAttrs
maintainers
platforms
;
drvAttrs =
config_: kernelConf: kernelPatches: configfile:
let
# Folding in `ubootTools` in the default nativeBuildInputs is problematic, as
# it makes updating U-Boot cumbersome, since it will go above the current
# threshold of rebuilds
#
# To prevent these needless rounds of staging for U-Boot builds, we can
# limit the inclusion of ubootTools to target platforms where uImage *may*
# be produced.
#
# This command lists those (kernel-named) platforms:
# .../linux $ grep -l uImage ./arch/*/Makefile | cut -d'/' -f3 | sort
#
# This is still a guesstimation, but since none of our cached platforms
# coincide in that list, this gives us "perfect" decoupling here.
linuxPlatformsUsingUImage = [
"arc"
"arm"
"csky"
"mips"
"powerpc"
"sh"
"sparc"
"xtensa"
];
needsUbootTools = lib.elem stdenv.hostPlatform.linuxArch linuxPlatformsUsingUImage;
config =
let
attrName = attr: "CONFIG_" + attr;
in
{
isSet = attr: hasAttr (attrName attr) config;
getValue = attr: if config.isSet attr then getAttr (attrName attr) config else null;
isYes = attr: (config.getValue attr) == "y";
isNo = attr: (config.getValue attr) == "n";
isModule = attr: (config.getValue attr) == "m";
isEnabled = attr: (config.isModule attr) || (config.isYes attr);
isDisabled = attr: (!(config.isSet attr)) || (config.isNo attr);
}
// config_;
isModular = config.isYes "MODULES";
withRust = config.isYes "RUST";
buildDTBs = kernelConf.DTB or false;
# Dependencies that are required to build kernel modules
moduleBuildDependencies =
[
pahole
perl
elfutils
# module makefiles often run uname commands to find out the kernel version
(buildPackages.deterministic-uname.override { inherit modDirVersion; })
]
++ optional (lib.versionAtLeast version "5.13") zstd
++ optionals withRust [
rustc
rust-bindgen
];
in
(optionalAttrs isModular {
outputs = [
"out"
"dev"
];
})
// {
passthru = rec {
inherit
version
modDirVersion
config
kernelPatches
configfile
moduleBuildDependencies
stdenv
;
inherit
isZen
isHardened
isLibre
withRust
;
isXen = lib.warn "The isXen attribute is deprecated. All Nixpkgs kernels that support it now have Xen enabled." true;
baseVersion = lib.head (lib.splitString "-rc" version);
kernelOlder = lib.versionOlder baseVersion;
kernelAtLeast = lib.versionAtLeast baseVersion;
};
inherit src;
depsBuildBuild = [ buildPackages.stdenv.cc ];
nativeBuildInputs =
[
bison
flex
perl
bc
nettools
openssl
rsync
gmp
libmpc
mpfr
elfutils
zstd
python3Minimal
kmod
hexdump
erofs-utils
cryptsetup
]
++ optional needsUbootTools ubootTools
++ optionals (lib.versionAtLeast version "5.2") [
cpio
pahole
zlib
]
++ optionals withRust [
rustc
rust-bindgen
];
RUST_LIB_SRC = lib.optionalString withRust rustPlatform.rustLibSrc;
# avoid leaking Rust source file names into the final binary, which adds
# a false dependency on rust-lib-src on targets with uncompressed kernels
KRUSTFLAGS = lib.optionalString withRust "--remap-path-prefix ${rustPlatform.rustLibSrc}=/";
# patches =
# map (p: p.patch) kernelPatches
# # Required for deterministic builds along with some postPatch magic.
# ++ optional (lib.versionOlder version "5.19") ./randstruct-provide-seed.patch
# ++ optional (lib.versionAtLeast version "5.19") ./randstruct-provide-seed-5.19.patch
# # Linux 5.12 marked certain PowerPC-only symbols as GPL, which breaks
# # OpenZFS; this was fixed in Linux 5.19 so we backport the fix
# # https://github.com/openzfs/zfs/pull/13367
# ++ optional (lib.versionAtLeast version "5.12" &&
# lib.versionOlder version "5.19" &&
# stdenv.hostPlatform.isPower)
# (fetchpatch {
# url = "https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/patch/?id=d9e5c3e9e75162f845880535957b7fd0b4637d23";
# hash = "sha256-bBOyJcP6jUvozFJU0SPTOf3cmnTQ6ZZ4PlHjiniHXLU=";
# });
postPatch = ''
# Ensure that depmod gets resolved through PATH
sed -i Makefile -e 's|= /sbin/depmod|= depmod|'
# Some linux-hardened patches now remove certain files in the scripts directory, so the file may not exist.
[[ -f scripts/ld-version.sh ]] && patchShebangs scripts/ld-version.sh
# Set randstruct seed to a deterministic but diversified value. Note:
# we could have instead patched gen-random-seed.sh to take input from
# the buildFlags, but that would require also patching the kernel's
# toplevel Makefile to add a variable export. This would be likely to
# cause future patch conflicts.
# for file in scripts/gen-randstruct-seed.sh scripts/gcc-plugins/gen-random-seed.sh; do
# if [ -f "$file" ]; then
# substituteInPlace "$file" \
# --replace NIXOS_RANDSTRUCT_SEED \
# $(echo ${randstructSeed}${src} ${placeholder "configfile"} | sha256sum | cut -d ' ' -f 1 | tr -d '\n')
# break
# fi
# done
patchShebangs scripts
# also patch arch-specific install scripts
for i in $(find arch -name install.sh); do
patchShebangs "$i"
done
# unset $src because the build system tries to use it and spams a bunch of warnings
# see: https://github.com/torvalds/linux/commit/b1992c3772e69a6fd0e3fc81cd4d2820c8b6eca0
unset src
'';
configurePhase = ''
runHook preConfigure
mkdir build
export buildRoot="$(pwd)/build"
echo "manual-config configurePhase buildRoot=$buildRoot pwd=$PWD"
if [ -f "$buildRoot/.config" ]; then
echo "Could not link $buildRoot/.config : file exists"
exit 1
fi
ln -sv ${configfile} $buildRoot/.config
# reads the existing .config file and prompts the user for options in
# the current kernel source that are not found in the file.
make $makeFlags "''${makeFlagsArray[@]}" oldconfig
runHook postConfigure
make $makeFlags "''${makeFlagsArray[@]}" prepare
actualModDirVersion="$(cat $buildRoot/include/config/kernel.release)"
if [ "$actualModDirVersion" != "${modDirVersion}" ]; then
echo "Error: modDirVersion ${modDirVersion} specified in the Nix expression is wrong, it should be: $actualModDirVersion"
exit 1
fi
buildFlagsArray+=("KBUILD_BUILD_TIMESTAMP=$(date -u -d @$SOURCE_DATE_EPOCH)")
cd $buildRoot
'';
buildFlags =
[
"KBUILD_BUILD_VERSION=1-PatOS"
kernelConf.target
"vmlinux" # for "perf" and things like that
]
++ optional isModular "modules"
++ optionals buildDTBs [
"dtbs"
"DTC_FLAGS=-@"
]
++ extraMakeFlags;
installFlags =
[
"INSTALL_PATH=$(out)"
]
++ (optional isModular "INSTALL_MOD_PATH=$(out)")
++ optionals buildDTBs [
"dtbs_install"
"INSTALL_DTBS_PATH=$(out)/dtbs"
];
dontStrip = true;
preInstall =
let
# All we really need to do here is copy the final image and System.map to $out,
# and use the kernel's modules_install, firmware_install, dtbs_install, etc. targets
# for the rest. Easy, right?
#
# Unfortunately for us, the obvious way of getting the built image path,
# make -s image_name, does not work correctly, because some architectures
# (*cough* aarch64 *cough*) change KBUILD_IMAGE on the fly in their install targets,
# so we end up attempting to install the thing we didn't actually build.
#
# Thankfully, there's a way out that doesn't involve just hardcoding everything.
#
# The kernel has an install target, which runs a pretty simple shell script
# (located at scripts/install.sh or arch/$arch/boot/install.sh, depending on
# which kernel version you're looking at) that tries to do something sensible.
#
# (it would be great to hijack this script immediately, as it has all the
# information we need passed to it and we don't need it to try and be smart,
# but unfortunately, the exact location of the scripts differs between kernel
# versions, and they're seemingly not considered to be public API at all)
#
# One of the ways it tries to discover what "something sensible" actually is
# is by delegating to what's supposed to be a user-provided install script
# located at ~/bin/installkernel.
#
# (the other options are:
# - a distribution-specific script at /sbin/installkernel,
# which we can't really create in the sandbox easily
# - an architecture-specific script at arch/$arch/boot/install.sh,
# which attempts to guess _something_ and usually guesses very wrong)
#
# More specifically, the install script exec's into ~/bin/installkernel, if one
# exists, with the following arguments:
#
# $1: $KERNELRELEASE - full kernel version string
# $2: $KBUILD_IMAGE - the final image path
# $3: System.map - path to System.map file, seemingly hardcoded everywhere
# $4: $INSTALL_PATH - path to the destination directory as specified in installFlags
#
# $2 is exactly what we want, so hijack the script and use the knowledge given to it
# by the makefile overlords for our own nefarious ends.
#
# Note that the makefiles specifically look in ~/bin/installkernel, and
# writeShellScriptBin writes the script to <store path>/bin/installkernel,
# so HOME needs to be set to just the store path.
#
# FIXME: figure out a less roundabout way of doing this.
installkernel = buildPackages.writeShellScriptBin "installkernel" ''
cp -av $2 $4
cp -av $3 $4
'';
in
''
installFlagsArray+=("-j$NIX_BUILD_CORES")
export HOME=${installkernel}
'';
# Some image types need special install targets (e.g. uImage is installed with make uinstall on arm)
installTargets = [
(kernelConf.installTarget or (
if kernelConf.target == "uImage" && stdenv.hostPlatform.linuxArch == "arm" then
"uinstall"
else if
kernelConf.target == "zImage"
|| kernelConf.target == "Image.gz"
|| kernelConf.target == "vmlinuz.efi"
then
"zinstall"
else
"install"
)
)
];
# We remove a bunch of stuff that is symlinked from other places to save space,
# which trips the broken symlink check. So, just skip it. We'll know if it explodes.
dontCheckForBrokenSymlinks = true;
postInstall = optionalString isModular ''
mkdir -p $dev
cp vmlinux $dev/
# if [ -z "''${dontStrip-}" ]; then
# installFlagsArray+=("INSTALL_MOD_STRIP=1")
# fi
make modules_install $makeFlags "''${makeFlagsArray[@]}" \
$installFlags "''${installFlagsArray[@]}"
unlink $out/lib/modules/${modDirVersion}/build
rm -f $out/lib/modules/${modDirVersion}/source
mkdir -p $dev/lib/modules/${modDirVersion}/{build,source}
# To save space, exclude a bunch of unneeded stuff when copying.
(cd .. && rsync --archive --prune-empty-dirs \
--exclude='/build/' \
* $dev/lib/modules/${modDirVersion}/source/)
cd $dev/lib/modules/${modDirVersion}/source
cp $buildRoot/{.config,Module.symvers} $dev/lib/modules/${modDirVersion}/build
make modules_prepare $makeFlags "''${makeFlagsArray[@]}" O=$dev/lib/modules/${modDirVersion}/build
# For reproducibility, removes accidental leftovers from a `cc1` call
# from a `try-run` call from the Makefile
rm -f $dev/lib/modules/${modDirVersion}/build/.[0-9]*.d
# Keep some extra files on some arches (powerpc, aarch64)
for f in arch/powerpc/lib/crtsavres.o arch/arm64/kernel/ftrace-mod.o; do
if [ -f "$buildRoot/$f" ]; then
cp $buildRoot/$f $dev/lib/modules/${modDirVersion}/build/$f
fi
done
# !!! No documentation on how much of the source tree must be kept
# If/when kernel builds fail due to missing files, you can add
# them here. Note that we may see packages requiring headers
# from drivers/ in the future; it adds 50M to keep all of its
# headers on 3.10 though.
chmod u+w -R ..
arch=$(cd $dev/lib/modules/${modDirVersion}/build/arch; ls)
# Remove unused arches
for d in $(cd arch/; ls); do
if [ "$d" = "$arch" ]; then continue; fi
if [ "$arch" = arm64 ] && [ "$d" = arm ]; then continue; fi
rm -rf arch/$d
done
# Remove all driver-specific code (50M of which is headers)
rm -fR drivers
# Keep all headers
find . -type f -name '*.h' -print0 | xargs -0 -r chmod u-w
# Keep linker scripts (they are required for out-of-tree modules on aarch64)
find . -type f -name '*.lds' -print0 | xargs -0 -r chmod u-w
# Keep root and arch-specific Makefiles
chmod u-w Makefile arch/"$arch"/Makefile*
# Keep whole scripts dir
chmod u-w -R scripts
# Delete everything not kept
find . -type f -perm -u=w -print0 | xargs -0 -r rm
# Delete empty directories
find -empty -type d -delete
pkgName="patos-kernel-modules"
mkdir -p $out/tree/usr/lib/extension-release.d
cat << EOF > $out/tree/usr/lib/extension-release.d/extension-release.$pkgName
ID=patos
IMAGE_ID=$pkgName
IMAGE_VERSION=${version}
VERSION_ID=patos
EOF
cp -Prp $out/lib/modules $out/tree/usr/lib/modules
find $out/tree -type d -exec chmod 0755 {} \;
mkfs.erofs --all-root -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking $out/$pkgName.raw $out/tree/
veritysetup format --root-hash-file $out/$pkgName.roothash $out/$pkgName.raw $out/$pkgName.verity
chmod -R 755 $out/tree && rm -rf $out/tree
'';
requiredSystemFeatures = [ "big-parallel" ];
meta = {
# https://github.com/NixOS/nixpkgs/pull/345534#issuecomment-2391238381
broken = withRust && lib.versionOlder version "6.12";
description =
"The Linux kernel"
+ (
if kernelPatches == [ ] then
""
else
" (with patches: " + lib.concatStringsSep ", " (map (x: x.name) kernelPatches) + ")"
);
license = lib.licenses.gpl2Only;
homepage = "https://www.kernel.org/";
maintainers = lib.teams.linux-kernel.members ++ [
maintainers.thoughtpolice
];
platforms = platforms.linux;
badPlatforms =
lib.optionals (lib.versionOlder version "4.15") [
"riscv32-linux"
"riscv64-linux"
]
++ lib.optional (lib.versionOlder version "5.19") "loongarch64-linux";
timeout = 14400; # 4 hours
} // extraMeta;
};
# Absolute paths for compilers avoid any PATH-clobbering issues.
commonMakeFlags =
[
"ARCH=${stdenv.hostPlatform.linuxArch}"
"CROSS_COMPILE=${stdenv.cc.targetPrefix}"
]
++ lib.optionals (stdenv.isx86_64 && stdenv.cc.bintools.isLLVM) [
# The wrapper for ld.lld breaks linking the kernel. We use the
# unwrapped linker as workaround. See:
#
# https://github.com/NixOS/nixpkgs/issues/321667
"LD=${stdenv.cc.bintools.bintools}/bin/${stdenv.cc.targetPrefix}ld"
]
++ (stdenv.hostPlatform.linux-kernel.makeFlags or [ ])
++ extraMakeFlags;
in
stdenv.mkDerivation (
builtins.foldl' lib.recursiveUpdate { } [
(drvAttrs config stdenv.hostPlatform.linux-kernel kernelPatches configfile)
{
inherit pname version;
enableParallelBuilding = true;
hardeningDisable = [
"bindnow"
"format"
"fortify"
"stackprotector"
"pic"
"pie"
];
makeFlags = [
"O=$(buildRoot)"
] ++ commonMakeFlags;
passthru = { inherit commonMakeFlags; };
karch = stdenv.hostPlatform.linuxArch;
}
(optionalAttrs (pos != null) { inherit pos; })
]
)
)

62
pkgs/kexec-tools/default.nix
View file

@ -1,62 +0,0 @@
{
lib,
stdenv,
buildPackages,
fetchFromGitHub,
autoconf,
zlib,
}:
stdenv.mkDerivation {
pname = "kexec-tools";
version = "main";
src = fetchFromGitHub {
owner = "horms";
repo = "kexec-tools";
rev = "a7fcd424c4c80dea5a2fd5ffa274ffeb8129c790";
hash = "sha256-QKE+KCkueA21zNunTMidP9OuZaw0IG5tFDF4UJITTTQ=";
};
dontPatchShebangs = true;
hardeningDisable = [
"format"
"pic"
"relro"
"pie"
];
buildCommand = ''
unpackPhase
mkdir -p $out
cd source
./bootstrap
./configure --prefix=/
make DESTDIR=$out install
'';
depsBuildBuild = [ buildPackages.stdenv.cc ];
buildInputs = [
zlib
autoconf
];
enableParallelBuilding = true;
meta = with lib; {
homepage = "http://horms.net/projects/kexec/kexec-tools";
description = "Tools related to the kexec Linux feature";
platforms = platforms.linux;
badPlatforms = [
"microblaze-linux"
"microblazeel-linux"
"riscv64-linux"
"riscv32-linux"
"sparc-linux"
"sparc64-linux"
];
license = licenses.gpl2Only;
};
}

61
pkgs/lvm2/default.nix
View file

@ -1,61 +0,0 @@
{
stdenv,
pkgs,
fetchurl,
lib,
pkg-config,
libaio,
udev,
}:
stdenv.mkDerivation {
pname = "lvm2";
version = pkgs.lvm2.version;
src = pkgs.lvm2.src;
nativeBuildInputs = [
pkg-config
];
buildInputs = [
libaio
udev
];
configureFlags = [
"--prefix=/"
"--sbindir=/usr/bin"
"--sysconfdir=/etc"
"--localstatedir=/var"
"--enable-cmdlib"
"--enable-dmeventd"
"--enable-lvmpolld"
"--enable-pkgconfig"
"--enable-udev_rules"
"--enable-udev_sync"
"--enable-write_install"
"--with-cache=internal"
"--with-thin=internal"
];
preInstall = ''
mkdir -p $out
export DESTDIR=$out
'';
doCheck = false;
meta = with lib; {
homepage = "http://sourceware.org/lvm2/";
description = "Tools to support Logical Volume Management (LVM) on Linux";
platforms = platforms.linux;
license = with licenses; [
gpl2Only
bsd2
lgpl21
];
maintainers = with maintainers; [
raskin
ajs124
];
};
}

164
pkgs/openssl/default.nix
View file

@ -1,164 +0,0 @@
{
lib,
pkgs,
stdenv,
fetchurl,
perl,
makeBinaryWrapper,
withCryptodev ? false,
cryptodev,
withZlib ? false,
zlib,
enableSSL2 ? false,
enableSSL3 ? false,
enableMD2 ? false,
enableKTLS ? stdenv.hostPlatform.isLinux,
static ? stdenv.hostPlatform.isStatic,
removeReferencesTo,
}:
stdenv.mkDerivation rec {
pname = "openssl";
version = pkgs.openssl.version;
src = pkgs.openssl.src;
outputs = [ "out" ];
nativeBuildInputs =
lib.optional (!stdenv.hostPlatform.isWindows) makeBinaryWrapper
++ [ perl ]
++ lib.optionals static [ removeReferencesTo ];
buildInputs = lib.optional withCryptodev cryptodev ++ lib.optional withZlib zlib;
# TODO(@Ericson2314): Improve with mass rebuild
configurePlatforms = [ ];
configureScript =
{
armv5tel-linux = "./Configure linux-armv4 -march=armv5te";
armv6l-linux = "./Configure linux-armv4 -march=armv6";
armv7l-linux = "./Configure linux-armv4 -march=armv7-a";
x86_64-darwin = "./Configure darwin64-x86_64-cc";
aarch64-darwin = "./Configure darwin64-arm64-cc";
x86_64-linux = "./Configure linux-x86_64";
x86_64-solaris = "./Configure solaris64-x86_64-gcc";
powerpc64-linux = "./Configure linux-ppc64";
riscv32-linux = "./Configure ${
if lib.versionAtLeast version "3.2" then "linux32-riscv32" else "linux-latomic"
}";
riscv64-linux = "./Configure linux64-riscv64";
}
.${stdenv.hostPlatform.system} or (
if stdenv.hostPlatform == stdenv.buildPlatform then
"./config"
else if stdenv.hostPlatform.isBSD then
if stdenv.hostPlatform.isx86_64 then
"./Configure BSD-x86_64"
else if stdenv.hostPlatform.isx86_32 then
"./Configure BSD-x86" + lib.optionalString stdenv.hostPlatform.isElf "-elf"
else
"./Configure BSD-generic${toString stdenv.hostPlatform.parsed.cpu.bits}"
else if stdenv.hostPlatform.isMinGW then
"./Configure mingw${
lib.optionalString (stdenv.hostPlatform.parsed.cpu.bits != 32) (
toString stdenv.hostPlatform.parsed.cpu.bits
)
}"
else if stdenv.hostPlatform.isLinux then
if stdenv.hostPlatform.isx86_64 then
"./Configure linux-x86_64"
else if stdenv.hostPlatform.isMicroBlaze then
"./Configure linux-latomic"
else if stdenv.hostPlatform.isMips32 then
"./Configure linux-mips32"
else if stdenv.hostPlatform.isMips64n32 then
"./Configure linux-mips64"
else if stdenv.hostPlatform.isMips64n64 then
"./Configure linux64-mips64"
else
"./Configure linux-generic${toString stdenv.hostPlatform.parsed.cpu.bits}"
else if stdenv.hostPlatform.isiOS then
"./Configure ios${toString stdenv.hostPlatform.parsed.cpu.bits}-cross"
else
throw "Not sure what configuration to use for ${stdenv.hostPlatform.config}"
);
# OpenSSL doesn't like the `--enable-static` / `--disable-shared` flags.
dontAddStaticConfigureFlags = true;
configureFlags =
[
"shared" # "shared" builds both shared and static libraries
"--prefix=/"
"--libdir=lib"
"--openssldir=/etc/ssl"
]
++ lib.optionals withCryptodev [
"-DHAVE_CRYPTODEV"
"-DUSE_CRYPTODEV_DIGESTS"
]
++ lib.optional enableMD2 "enable-md2"
++ lib.optional enableSSL2 "enable-ssl2"
++ lib.optional enableSSL3 "enable-ssl3"
# We select KTLS here instead of the configure-time detection (which we patch out).
# KTLS should work on FreeBSD 13+ as well, so we could enable it if someone tests it.
++ lib.optional (lib.versionAtLeast version "3.0.0" && enableKTLS) "enable-ktls"
++ lib.optional (lib.versionAtLeast version "1.1.1" && stdenv.hostPlatform.isAarch64) "no-afalgeng"
# OpenSSL needs a specific `no-shared` configure flag.
# See https://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options
# for a comprehensive list of configuration options.
++ lib.optional (lib.versionAtLeast version "1.1.1" && static) "no-shared"
++ lib.optional (lib.versionAtLeast version "3.0.0" && static) "no-module"
# This introduces a reference to the CTLOG_FILE which is undesired when
# trying to build binaries statically.
++ lib.optional static "no-ct"
++ lib.optional withZlib "zlib"
# /dev/crypto support has been dropped in OpenBSD 5.7.
#
# OpenBSD's ports does this too,
# https://github.com/openbsd/ports/blob/a1147500c76970fea22947648fb92a093a529d7c/security/openssl/3.3/Makefile#L25.
#
# https://github.com/openssl/openssl/pull/10565 indicated the
# intent was that this would be configured properly automatically,
# but that doesn't appear to be the case.
++ lib.optional stdenv.hostPlatform.isOpenBSD "no-devcryptoeng"
++ lib.optionals (stdenv.hostPlatform.isMips && stdenv.hostPlatform ? gcc.arch) [
# This is necessary in order to avoid openssl adding -march
# flags which ultimately conflict with those added by
# cc-wrapper. Openssl assumes that it can scan CFLAGS to
# detect any -march flags, using this perl code:
#
# && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})
#
# The following bogus CFLAGS environment variable triggers the
# the code above, inhibiting `./Configure` from adding the
# conflicting flags.
"CFLAGS=-march=${stdenv.hostPlatform.gcc.arch}"
];
postPatch = ''
patchShebangs Configure
'';
installPhase = ''
make DESTDIR=$out install
rm -rf $out/etc/ssl/*.dist $out/etc/ssl/misc
'';
enableParallelBuilding = true;
meta = {
homepage = "https://www.openssl.org/";
changelog = "https://github.com/openssl/openssl/blob/openssl-${version}/CHANGES.md";
description = "Cryptographic library that implements the SSL and TLS protocols";
license = lib.licenses.openssl;
mainProgram = "openssl";
maintainers = with lib.maintainers; [ thillux ] ++ lib.teams.stridtech.members;
pkgConfigModules = [
"libcrypto"
"libssl"
"openssl"
];
platforms = lib.platforms.all;
};
}

93
pkgs/rootfs/mkinitrd.nix
View file

@ -1,93 +0,0 @@
{
pkgs,
patosPkgs,
runCommand,
...
}:
let
secureBootEnroll = ./secure-boot-enroll.sh;
in
runCommand "patos-initrd" {
inherit secureBootEnroll;
buildInputs = with pkgs; [
cpio
xz
];
}
''
echo "Building initram disk"
mkdir -p $out/root
pushd $out/root
### copy rootfs
cp -prP ${patosPkgs.rootfs}/* .
find . -type d -exec chmod 755 {} \;
mkdir sysroot
### create directories
ln -sf ../usr/lib/systemd/systemd init
### Create needed files
echo patos > ./etc/hostname
ln -sf /etc/os-release ./etc/initrd-release
# set default target to initrd inside initrd
ln -sf initrd.target ./usr/lib/systemd/system/default.target
# setup secure boot
cat $secureBootEnroll > ./usr/bin/secure-boot-enroll
chmod +x ./usr/bin/secure-boot-enroll
cat <<EOF > ./usr/lib/systemd/system/secure-boot-enroll.service
[Unit]
Description=Enroll Secure Boot
DefaultDependencies=false
After=sysroot-run.mount
Requires=sysroot-run.mount
Before=systemd-repart.service initrd.target shutdown.target sysinit.target
ConditionKernelCommandLine=patos.secureboot=true
ConditionPathExists=|!/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c
[Service]
Type=oneshot
ExecStart=/usr/bin/secure-boot-enroll
RemainAfterExit=yes
EOF
ln -sf ../secure-boot-enroll.service ./usr/lib/systemd/system/initrd-root-fs.target.wants/secure-boot-enroll.service
# bind mount /run to /sysroot/run
cat <<EOF > ./usr/lib/systemd/system/sysroot-run.mount
[Unit]
Before=initrd-fs.target
DefaultDependencies=false
[Mount]
Options=bind
What=/run
Where=/sysroot/run
EOF
mkdir ./usr/lib/systemd/system/initrd-fs.target.requires/
ln -sf ../sysroot-run.mount ./usr/lib/systemd/system/initrd-fs.target.requires/sysroot-run.mount
# repart: generate crypttab and fstab under /run
mkdir ./usr/lib/systemd/system/systemd-repart.service.d
cat <<EOF > ./usr/lib/systemd/system/systemd-repart.service.d/override.conf
[Unit]
After=sysroot-run.mount
Requires=sysroot-run.mount
[Service]
Environment=SYSTEMD_REPART_MKFS_OPTIONS_BTRFS=--nodiscard
ExecStart=
ExecStart=systemd-repart --dry-run=no --generate-crypttab=/run/crypttab --generate-fstab=/run/fstab
EOF
ln -sf ../systemd-repart.service ./usr/lib/systemd/system/initrd-root-fs.target.wants/systemd-repart.service
# gen initrd
find . -print0 | cpio --null --owner=root:root -o --format=newc | xz -9 --check=crc32 > ../initrd.xz
popd
rm -rf $out/root
''

230
pkgs/rootfs/mkrootfs.nix
View file

@ -1,230 +0,0 @@
{
pkgs,
patosPkgs,
version,
runCommand,
}:
let
defaultPassword = "patos";
in
runCommand "patos-rootfs"
{
inherit version;
buildInputs = with pkgs;[
glibc
binutils
];
}
''
### create directory structure
mkdir -p $out/etc/repart.d $out/dev $out/proc $out/sys \
$out/tmp $out/root $out/run $out/boot $out/mnt $out/home $out/srv $out/var
ln -sf /usr/bin $out/bin
ln -sf /usr/bin $out/sbin
ln -sf /usr/lib $out/lib
ln -sf /usr/lib $out/lib64
ln -sf /tmp $out/var/tmp
ln -sf ../proc/self/mounts $out/etc/mtab
### install systemd
cp -Pr ${patosPkgs.systemd}/* $out/
find $out -type d -exec chmod 755 {} \;
rm -rf $out/usr/include
rm -rf $out/usr/sbin
ln -sf /usr/bin $out/usr/sbin
rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service
# enable in ramdisk instead
rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-repart.service
rm -f $out/usr/lib/systemd/system/initrd-root-fs.target.wants/systemd-repart.service
rm -f $out/usr/lib/systemd/ukify
rm -f $out/usr/bin/ukify
rm -f $out/usr/lib/udev/rules.d/90-vconsole.rules
ln -s /run/systemd/resolve/stub-resolv.conf $out/etc/resolv.conf
cat <<EOF > $out/etc/os-release
NAME=PatOS
PRETTY_NAME=PatOS v${version} (Pre-Alpha)
IMAGE_ID=patos
ID=patos
IMAGE_VERSION=${version}
VERSION=${version}
VERSION_ID=patos
BUILD_ID=somehash
EOF
cat <<EOF > $out/etc/issue
<<< Welcome to PatOS v${version} (Pre-Alpha) (\m) - \l >>>
EOF
# replace agetty with busybox getty (optionally autologin)
mkdir $out/usr/lib/systemd/system/serial-getty@.service.d
cat <<EOF > $out/usr/lib/systemd/system/serial-getty@.service.d/override.conf
[Service]
ExecStart=
ExecStart=-/bin/login -f root
EOF
# ExecStart=-/sbin/getty -L %I 115200 vt100
# Configure systemd-repart
cat <<EOF > $out/etc/repart.d/10-esp.conf
[Partition]
Type=esp
Format=vfat
SizeMaxBytes=128M
SizeMinBytes=128M
EOF
cat <<EOF > $out/etc/repart.d/20-root-a.conf
[Partition]
Type=root
SizeMaxBytes=64M
SizeMinBytes=64M
EOF
cat <<EOF > $out/etc/repart.d/22-root-verify-a.conf
[Partition]
Type=root-verity
EOF
cat <<EOF > $out/etc/repart.d/30-root-b.conf
[Partition]
Type=root
Label=_empty
SizeMaxBytes=64M
SizeMinBytes=64M
ReadOnly=1
EOF
cat <<EOF > $out/etc/repart.d/32-root-verity-b.conf
[Partition]
Type=root-verity
Label=_empty
ReadOnly=1
EOF
cat <<EOF > $out/etc/repart.d/40-var.conf
[Partition]
Type=var
Format=btrfs
MakeDirectories=/var/lib/confexts /var/lib/extensions /var/lib/portables /var/.snapshots
MountPoint=/var
Label=patos-state
Encrypt=tpm2
EncryptedVolume=patos-state:none:tpm2-device=auto,luks,discard
Subvolumes=/var/lib/confexts /var/lib/extensions /var/lib/portables /var/.snapshots
MountPoint=/var/lib/confexts:subvol=/var/lib/confexts
MountPoint=/var/lib/extensions:subvol=/var/lib/extensions
MountPoint=/var/lib/portables:subvol=/var/lib/portables
MountPoint=/var/.snapshots:subvol=/var/.snapshots
SizeMinBytes=1G
Minimize=off
FactoryReset=yes
EOF
# as rootfs is read-only we need to configure the fstab and cryptsetup generators to look
# for config under /run (which are generated by systemd-repart in initrd)
rm -f $out/etc/systemd/system.conf
cat <<EOF > $out/etc/systemd/system.conf
[Manager]
DefaultEnvironment=PATH=/bin:/sbin:/usr/bin
ManagerEnvironment=PATH=/bin:/sbin:/usr/bin SYSTEMD_CRYPTTAB=/run/crypttab SYSTEMD_SYSROOT_FSTAB=/run/fstab SYSTEMD_FSTAB=/run/fstab
EOF
### install PatOS glibc
cp -P ${patosPkgs.glibc}/lib/*.so* $out/usr/lib/
### install openssl
cp -P ${patosPkgs.openssl}/lib/*.so* $out/usr/lib/
cp -Pr ${patosPkgs.openssl}/etc/ssl $out/etc/
### install busybox
cp ${patosPkgs.busybox}/bin/busybox $out/usr/bin/
$out/usr/bin/busybox --list | xargs -I {} ln -sf busybox $out/usr/bin/{}
### install dbus broker
cp -r ${patosPkgs.dbus-broker}/* $out/
### install kexec
cp -Pr ${patosPkgs.kexec}/sbin/kexec $out/usr/bin/
### install dmsetup udev rules
cp -P ${patosPkgs.lvm2}/usr/bin/dmsetup $out/usr/bin/
cp -P ${patosPkgs.lvm2}/lib/libdevmapper.so* $out/usr/lib/
cp -P ${patosPkgs.lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/
### install btrfs progs
cp -Pr ${pkgs.btrfs-progs}/bin/* $out/usr/bin/
cp -Pr ${pkgs.btrfs-progs}/lib/* $out/usr/lib/
### install tpm2 libs
cp -P ${patosPkgs.tpm2-tss}/lib/*.so* $out/usr/lib/
### install lib kmod
cp -P ${pkgs.kmod.lib}/lib/*.so* $out/usr/lib/
cp -P ${pkgs.kmod}/bin/* $out/usr/bin
### install libbpf
cp -P ${pkgs.libbpf}/lib/libbpf*.so* $out/usr/lib/
### install secure boot tools
cp -P ${pkgs.sbctl}/bin/sbctl $out/usr/bin/
rm -f $out/usr/bin/tar
rm -f $out/usr/bin/blkid
cp -P ${pkgs.gnutar}/bin/tar $out/usr/bin/
cp -P ${pkgs.util-linuxMinimal}/bin/blkid $out/usr/bin/
cp -P ${pkgs.util-linuxMinimal}/bin/lsblk $out/usr/bin/
### install xq (jq clone)
cp -P ${pkgs.xq}/bin/xq $out/usr/bin/
ln -sf /usr/bin/xq $out/usr/bin/jq
### install ca cert bundle
chmod 755 $out/etc/ssl $out/etc/ssl/certs
cp -P ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/cert.pem
ln -sf ../cert.pem $out/etc/ssl/certs/ca-certificates.crt
ln -sf ../cert.pem $out/etc/ssl/certs/ca-bundle.crt
# no need for pkgconfig, removing..
rm -rf $out/usr/lib/pkgconfig
# setup default files
${patosPkgs.systemd}/usr/bin/systemd-hwdb --root=$out --usr update
${patosPkgs.systemd}/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf --create
cp $out/usr/share/factory/etc/nsswitch.conf $out/etc/
cp $out/usr/share/factory/etc/locale.conf $out/etc/
cp $out/usr/share/factory/etc/vconsole.conf $out/etc/
# install sys users
mkdir creds
echo -n ${defaultPassword} > creds/passwd.plaintext-password.root
CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' ${patosPkgs.systemd}/usr/bin/systemd-sysusers --root=$out rootfs/usr/lib/sysusers.d/*.conf
chmod 600 $out/etc/shadow
rm -rf creds
# Ephemeral machine-id until registration
ln -sf /run/machine-id $out/etc/machine-id
### Find and install all shared libs
find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \
grep -vE "(systemd|glibc|openssl|tpm2|devmapper)" | \
sort -u | xargs -I {} cp {} $out/usr/lib/
find $out -type f -executable -exec chmod 755 {} \;
# patch ELFs
find $out -type f -executable -exec patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd:/usr/lib/cryptsetup {} \;
find $out -type f -executable -exec patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 {} \;
patchelf --remove-rpath $out/usr/lib/ld-linux-x86-64.so.2
# strip binaries
find $out -type f -executable -exec strip {} \;
find $out -type d -exec chmod 755 {} \;
# install kernel modules
cp -r ${patosPkgs.kernel}/lib/modules $out/usr/lib/
find $out/usr/lib/modules -type d -exec chmod 755 {} \;
''

23
pkgs/rootfs/secure-boot-enroll.sh
View file

@ -1,23 +0,0 @@
#!/bin/sh
set -ex -uo pipefail
SETUP_MODE=$(sbctl status --json | jq -r '.setup_mode')
[ "$SETUP_MODE" = "false" ] && exit 0
cat <<EOL> /run/sbctl.yml
---
keydir: /sysroot/boot/sbctl/keys
guid: /sysroot/boot/sbctl/GUID
EOL
ESP=$(blkid --label ESP)
mount $ESP /sysroot/boot && \
sbctl --config /run/sbctl.yml create-keys && \
sbctl --config /run/sbctl.yml enroll-keys --yolo && \
# Sign EFIs
find /sysroot/boot -type f \( -iname "*.efi" -o -iname "*.EFI" \) -print0 | xargs -I {} sbctl --config /run/sbctl.yml sign {}
umount /sysroot/boot && \
systemctl reboot -f

323
pkgs/systemd/default.nix
View file

@ -1,323 +0,0 @@
{
fetchFromGitHub,
lib,
pkgs,
stdenv,
targetPackages,
...
}:
let
version = "257.5";
# Use the command below to update `releaseTimestamp` on every (major) version
# change. More details in the commentary at mesonFlags.
# command:
# $ curl -s https://api.github.com/repos/systemd/systemd/releases/latest | \
# jq '.created_at|strptime("%Y-%m-%dT%H:%M:%SZ")|mktime'
releaseTimestamp = "1734643670";
pname = "systemd";
in
stdenv.mkDerivation (finalAttrs: {
inherit version;
pname = pname;
src = fetchFromGitHub {
owner = "systemd";
repo = "systemd";
rev = "v${version}";
hash = "sha256-6rxJUYRq785U6aik5VhQRqG+Ss67lBB6T3eQF+tkyhk=";
};
patches = [ ./skip-verify-esp.patch ];
dontCheckForBrokenSymlinks = true;
nativeBuildInputs = with pkgs; [
bash
pkg-config
makeBinaryWrapper
gperf
ninja
meson
glibcLocales
getent
m4
autoPatchelfHook
intltool
gettext
libxslt
docbook_xsl
docbook_xml_dtd_42
docbook_xml_dtd_45
bash
(buildPackages.python3Packages.python.withPackages (
ps: with ps; [
lxml
jinja2
ps.pyelftools
]
))
bpftools
buildPackages.llvmPackages.clang
buildPackages.llvmPackages.libllvm
];
outputs = [
"out"
"dev"
];
separateDebugInfo = true;
autoPatchelfFlags = [ "--keep-libc" ];
hardeningDisable = [
# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111523
"trivialautovarinit"
# breaks clang -target bpf; should be fixed to filter target?
"zerocallusedregs"
"shadowstack"
];
buildInputs = with pkgs; [
libxcrypt
libcap
libuuid
linuxHeaders
bashInteractive # for patch shebangs
libgcrypt
libgpg-error
openssl
acl
libapparmor
audit
zlib
bzip2
lz4
xz
zstd
elfutils
kexec-tools
kmod
libidn2
libseccomp
libselinux
iptables
p11-kit
libfido2
pam
pcre2
libbpf
tpm2-tss
qrencode
libarchive
(lib.getDev curl)
(lib.getDev cryptsetup.dev)
(python3Packages.python.withPackages (ps: with ps; [ pefile ]))
(llvmPackages.compiler-rt.override {
doFakeLibgcc = true;
})
];
mesonBuildType = "release";
doCheck = false; # fails a bunch of tests
preConfigure = ''
mesonFlagsArray+=(-Dntp-servers="0.europe.pool.ntp.org 1.europe.pool.ntp.org 2.europe.pool.ntp.org 3.europe.pool.ntp.org")
export LC_ALL="en_US.UTF-8";
'';
postPatch =
''
substituteInPlace meson.build \
--replace "find_program('clang'" "find_program('${stdenv.cc.targetPrefix}clang'"
''
+ ''
substituteInPlace src/ukify/ukify.py \
--replace \
"'readelf'" \
"'${targetPackages.stdenv.cc.bintools.targetPrefix}readelf'" \
--replace \
"/usr/lib/systemd/boot/efi" \
"$out/usr/lib/systemd/boot/efi"
''
# Finally, patch shebangs in scripts used at build time. This must not patch
# scripts that will end up in the output, to avoid build platform references
# when cross-compiling.
+ ''
shopt -s extglob
patchShebangs tools test src/!(rpm|kernel-install|ukify) src/kernel-install/test-kernel-install.sh
'';
# trigger the test -n "$DESTDIR" || mutate in upstreams build system
preInstall = ''
export DESTDIR=${placeholder "out"}
'';
mesonFlags = [
"--prefix=/usr"
"--sysconfdir=/etc"
"--localstatedir=/var"
"--libdir=/usr/lib"
"--bindir=/usr/bin"
"--includedir=/usr/include"
"--localedir=/usr/share/locale"
# Options
# We bump this attribute on every (major) version change to ensure that we
# have known-good value for a timestamp that is in the (not so distant)
# past. This serves as a lower bound for valid system timestamps during
# startup. Systemd will reset the system timestamp if this date is +- 15
# years from the system time.
# See the systemd v250 release notes for further details:
# https://github.com/systemd/systemd/blob/60e930fc3e6eb8a36fbc184773119eb8d2f30364/NEWS#L258-L266
(lib.mesonOption "time-epoch" releaseTimestamp)
(lib.mesonOption "version-tag" version)
(lib.mesonOption "mode" "release")
(lib.mesonOption "tty-gid" "3") # tty in NixOS has gid 3
(lib.mesonOption "kmod-path" "/usr/bin/kmod")
(lib.mesonOption "kexec-path" "/usr/bin/kexec")
(lib.mesonOption "debug-shell" "/usr/bin/sh")
(lib.mesonOption "pamconfdir" "/etc/pam.d")
(lib.mesonOption "shellprofiledir" "/etc/profile.d")
(lib.mesonOption "dbuspolicydir" "/usr/share/dbus-1/system.d")
(lib.mesonOption "dbussessionservicedir" "/usr/share/dbus-1/services")
(lib.mesonOption "dbussystemservicedir" "/usr/share/dbus-1/system-services")
(lib.mesonOption "setfont-path" "/usr/bin/setfont")
(lib.mesonOption "loadkeys-path" "/usr/bin/loadkeys")
(lib.mesonOption "sulogin-path" "/usr/bin/sulogin")
(lib.mesonOption "nologin-path" "/usr/bin/nologin")
(lib.mesonOption "mount-path" "/usr/bin/mount")
(lib.mesonOption "umount-path" "/usr/bin/umount")
# SBAT
(lib.mesonOption "sbat-distro" "patos")
(lib.mesonOption "sbat-distro-summary" "PatOS")
(lib.mesonOption "sbat-distro-url" "https://patagia.io/")
(lib.mesonOption "sbat-distro-pkgname" pname)
(lib.mesonOption "sbat-distro-version" version)
# Users
(lib.mesonOption "system-uid-max" "999")
(lib.mesonOption "system-gid-max" "999")
# SysVinit
(lib.mesonOption "sysvinit-path" "")
(lib.mesonOption "sysvrcnd-path" "")
# SSH
# Disabled for now until someone makes this work.
(lib.mesonOption "sshconfdir" "no")
(lib.mesonOption "sshdconfdir" "no")
# Features
# Tests
(lib.mesonBool "tests" false)
(lib.mesonEnable "glib" false)
(lib.mesonEnable "dbus" false)
# Compression
(lib.mesonEnable "bzip2" true)
(lib.mesonEnable "lz4" true)
(lib.mesonEnable "xz" true)
(lib.mesonEnable "zstd" true)
(lib.mesonEnable "zlib" true)
# NSS
(lib.mesonEnable "nss-resolve" true)
(lib.mesonBool "nss-myhostname" true)
(lib.mesonBool "nss-systemd" true)
# Cryptsetup
(lib.mesonEnable "libcryptsetup" true)
(lib.mesonEnable "libcryptsetup-plugins" true)
(lib.mesonEnable "p11kit" true)
# FIDO2
(lib.mesonEnable "libfido2" true)
(lib.mesonEnable "openssl" true)
# Password Quality
(lib.mesonEnable "pwquality" false)
(lib.mesonEnable "passwdqc" false)
# Remote
(lib.mesonEnable "remote" false)
(lib.mesonEnable "microhttpd" false)
(lib.mesonEnable "pam" false)
(lib.mesonEnable "acl" true)
(lib.mesonEnable "audit" true)
(lib.mesonEnable "apparmor" true)
(lib.mesonEnable "gcrypt" true)
(lib.mesonEnable "importd" true)
(lib.mesonEnable "homed" false)
(lib.mesonEnable "polkit" true)
(lib.mesonEnable "elfutils" true)
(lib.mesonEnable "libcurl" true)
(lib.mesonEnable "libidn" false)
(lib.mesonEnable "libidn2" true)
(lib.mesonEnable "libiptc" true)
(lib.mesonEnable "repart" true)
(lib.mesonEnable "sysupdate" true)
(lib.mesonEnable "sysupdated" true)
(lib.mesonEnable "seccomp" true)
(lib.mesonEnable "selinux" true)
(lib.mesonEnable "tpm2" true)
(lib.mesonEnable "pcre2" true)
(lib.mesonEnable "bpf-framework" true)
(lib.mesonEnable "bootloader" true)
(lib.mesonEnable "ukify" true)
(lib.mesonEnable "kmod" true)
(lib.mesonEnable "qrencode" true)
(lib.mesonEnable "vmspawn" false)
(lib.mesonEnable "libarchive" true)
(lib.mesonEnable "xenctrl" false)
(lib.mesonEnable "gnutls" false)
(lib.mesonEnable "xkbcommon" false)
(lib.mesonEnable "man" false)
(lib.mesonBool "analyze" true)
(lib.mesonBool "logind" false)
(lib.mesonBool "localed" false)
(lib.mesonBool "hostnamed" true)
(lib.mesonBool "machined" true)
(lib.mesonBool "networkd" true)
(lib.mesonBool "oomd" true)
(lib.mesonBool "portabled" true)
(lib.mesonBool "hwdb" true)
(lib.mesonBool "timedated" true)
(lib.mesonBool "timesyncd" true)
(lib.mesonBool "userdb" false)
(lib.mesonBool "coredump" true)
(lib.mesonBool "firstboot" true)
(lib.mesonBool "resolve" true)
(lib.mesonBool "sysusers" true)
(lib.mesonBool "efi" true)
(lib.mesonBool "utmp" true)
(lib.mesonBool "log-trace" true)
(lib.mesonBool "kernel-install" false)
(lib.mesonBool "quotacheck" false)
(lib.mesonBool "ldconfig" false)
(lib.mesonBool "install-sysconfdir" true)
(lib.mesonBool "create-log-dirs" true)
(lib.mesonBool "smack" true)
(lib.mesonBool "b_pie" true)
(lib.mesonOption "bashcompletiondir" "no")
(lib.mesonOption "zshcompletiondir" "no")
];
})

24
pkgs/systemd/skip-verify-esp.patch
View file

@ -1,24 +0,0 @@
diff --git a/src/shared/find-esp.c b/src/shared/find-esp.c
index f830d6dfe3..7ad2a8cd1d 100644
--- a/src/shared/find-esp.c
+++ b/src/shared/find-esp.c
@@ -403,15 +403,15 @@ static int verify_esp(
"File system \"%s\" is not a FAT EFI System Partition (ESP) file system.", p);
}
- r = verify_fsroot_dir(pfd, p, flags, FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK) ? NULL : &devid);
- if (r < 0)
- return r;
-
/* In a container we don't have access to block devices, skip this part of the verification, we trust
* the container manager set everything up correctly on its own. */
if (FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK))
goto finish;
+ r = verify_fsroot_dir(pfd, p, flags, FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK) ? NULL : &devid);
+ if (r < 0)
+ return r;
+
if (devnum_is_zero(devid))
return log_full_errno(searching ? LOG_DEBUG : LOG_ERR,
SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV),

47
pkgs/tpm2-tools/default.nix
View file

@ -1,47 +0,0 @@
{
stdenv,
pkgs,
fetchurl,
lib,
pandoc,
pkg-config,
curl,
openssl,
patosPkgs,
libuuid,
}:
stdenv.mkDerivation {
pname = "tpm2-tools";
version = pkgs.tpm2-tools.version;
src = pkgs.tpm2-tools.src;
nativeBuildInputs = [
pandoc
pkg-config
];
buildInputs = [
curl
openssl
patosPkgs.tpm2-tss
libuuid
];
# Unit tests disabled, as they rely on a dbus session
configureFlags = [ "--prefix=/" ];
preInstall = ''
mkdir -p $out
export DESTDIR=$out
'';
doCheck = false;
meta = with lib; {
description = "Command line tools that provide access to a TPM 2.0 compatible device";
homepage = "https://github.com/tpm2-software/tpm2-tools";
license = licenses.bsd3;
platforms = platforms.linux;
maintainers = with maintainers; [ tomfitzhenry ];
};
}

82
pkgs/tpm2-tss/default.nix
View file

@ -1,82 +0,0 @@
{
stdenv,
pkgs,
lib,
fetchFromGitHub,
autoreconfHook,
autoconf-archive,
pkg-config,
doxygen,
perl,
openssl,
json_c,
curl,
libgcrypt,
uthash,
git,
libuuid,
libtpms,
}:
stdenv.mkDerivation rec {
pname = "tpm2-tss";
version = pkgs.tpm2-tss.version;
src = pkgs.tpm2-tss.src;
patches = [
./no-shadow.patch
];
postPatch = ''
substituteInPlace ./bootstrap \
--replace-fail 'git describe --tags --always --dirty' 'echo "${version}"'
'';
outputs = [
"out"
];
nativeBuildInputs = [
autoreconfHook
autoconf-archive
pkg-config
doxygen
perl
git
];
buildInputs = [
openssl
json_c
curl
libgcrypt
uthash
libuuid
libtpms
];
strictDeps = true;
preAutoreconf = "./bootstrap";
enableParallelBuilding = true;
configureFlags = [
"--prefix=/"
];
preInstall = ''
mkdir -p $out
export DESTDIR=$out
'';
doCheck = false;
meta = with lib; {
description = "OSS implementation of the TCG TPM2 Software Stack (TSS2)";
homepage = "https://github.com/tpm2-software/tpm2-tss";
license = licenses.bsd2;
platforms = platforms.unix;
maintainers = with maintainers; [ baloo ];
};
}

16
pkgs/tpm2-tss/no-shadow.patch
View file

@ -1,16 +0,0 @@
diff --git a/configure.ac b/configure.ac
index e2d579b8..0eac4ff3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -672,9 +672,9 @@ AS_IF([test "$HOSTOS" = "Linux" && test "x$systemd_sysusers" != "xyes"],
AC_CHECK_PROG(adduser, adduser, yes)
AC_CHECK_PROG(addgroup, addgroup, yes)
AS_IF([test "x$addgroup" != "xyes" && test "x$groupadd" != "xyes" ],
- [AC_MSG_ERROR([addgroup or groupadd are needed.])])
+ [AC_MSG_WARN([addgroup or groupadd are needed.])])
AS_IF([test "x$adduser" != "xyes" && test "x$useradd" != "xyes" ],
- [AC_MSG_ERROR([adduser or useradd are needed.])])])
+ [AC_MSG_WARN([adduser or useradd are needed.])])])
AC_SUBST([PATH])

54
utils/qemu-uefi-tpm.nix
View file

@ -1,54 +0,0 @@
{
pkgs,
...
}:
pkgs.writeShellApplication {
name = "qemu-uefi-tpm";
runtimeInputs = with pkgs; [
qemu
swtpm
];
text =
let
tpmOVMF = pkgs.OVMF.override {
tpmSupport = true;
secureBoot = true;
};
in
''
set -ex
state="/tmp/patos-qemu-$USER"
rm -rf "$state"
mkdir -m 700 "$state"
qemu-img create -f qcow2 -F raw -b "$(readlink -e "$1")" "$state/disk.qcow2" 2G
swtpm socket -d --tpmstate dir="$state" \
--ctrl type=unixio,path="$state/swtpm-sock" \
--tpm2 \
--log file="$state/swtpm.log",level=20
cp ${tpmOVMF.variables} "$state"
chmod 700 "$state/OVMF_VARS.fd"
qemu-system-x86_64 \
-enable-kvm \
-machine q35,accel=kvm \
-cpu host \
-smp 8 \
-m 4G \
-display none \
-chardev "stdio,id=char0,mux=on,logfile=$state/console.log,signal=off" \
-serial chardev:char0 \
-mon chardev=char0 \
-drive "if=pflash,format=raw,unit=0,readonly=on,file=${tpmOVMF.firmware}" \
-drive "if=pflash,format=raw,unit=1,file=$state/OVMF_VARS.fd" \
-chardev socket,id=chrtpm,path="$state/swtpm-sock" \
-tpmdev emulator,id=tpm0,chardev=chrtpm \
-device tpm-tis,tpmdev=tpm0 \
-netdev id=net00,type=user \
-device virtio-net-pci,netdev=net00 \
-drive "format=qcow2,file=$state/disk.qcow2"
'';
}