
1 commit

14 changed files with 328 additions and 241 deletions

6
flake.lock generated

@ -20,11 +20,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1749285348,
"narHash": "sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU=",
"lastModified": 1742669843,
"narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3e3afe5174c561dee0df6f2c2b2236990146329f",
"rev": "1e5b653dff12029333a6546c11e108ede13052eb",
"type": "github"
},
"original": {

204
flake.nix

@ -15,82 +15,162 @@
flake-utils.lib.eachDefaultSystem (
system:
let
pkgs = import nixpkgs { inherit system; };
patosPkgs = self.packages.${system};
version = "0.0.1";
secureBoot = "false";
microcode = "intel";
cpuArch = "intel";
updateUrl = "http://10.0.2.2:8000/";
overlay = import ./overlays { inherit version; };
pkgs = import nixpkgs { inherit system; overlays = [ overlay ]; };
pkgsCross = import nixpkgs {
inherit system;
overlays = [ overlay ];
crossSystem = {
config = "aarch64-unknown-linux-gnu";
};
};
in
{
packages = {
default = self.packages.${system}.image;
image = pkgs.callPackage ./pkgs/image { inherit version updateUrl microcode secureBoot; };
image-aarch64 = pkgsCross.callPackage ./pkgs/image { inherit version updateUrl secureBoot; };
default = patosPkgs.image;
image = pkgs.callPackage ./pkgs/image {
inherit
patosPkgs
version
updateUrl
cpuArch
secureBoot
;
};
rootfs = pkgs.callPackage ./pkgs/rootfs/mkrootfs.nix { inherit patosPkgs version; };
initrd = pkgs.callPackage ./pkgs/rootfs/mkinitrd.nix { inherit patosPkgs version; };
kernel = pkgs.callPackage ./pkgs/kernel { };
linux-firmware = pkgs.callPackage ./pkgs/linux-firmware { };
glibc = pkgs.callPackage ./pkgs/glibc { };
busybox = pkgs.callPackage ./pkgs/busybox { };
openssl = pkgs.callPackage ./pkgs/openssl { };
cert = pkgs.callPackage ./pkgs/cert { };
kexec = pkgs.callPackage ./pkgs/kexec-tools { };
lvm2 = pkgs.callPackage ./pkgs/lvm2 { };
tpm2-tools = pkgs.callPackage ./pkgs/tpm2-tools { inherit patosPkgs; };
tpm2-tss = pkgs.callPackage ./pkgs/tpm2-tss { };
systemd = pkgs.callPackage ./pkgs/systemd { };
dbus-broker = pkgs.callPackage ./pkgs/dbus-broker { };
qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { };
qemu-aarch64-uefi-tpm = pkgs.callPackage ./utils/qemu-aarch64-uefi-tpm.nix { };
firewall-sysext = pkgs.callPackage ./lib/make-sysext.nix {
name = "firewall-tools";
version = "0.0.1";
packages = [
# network/firewalling
{ drv = pkgs.iproute2; path = "bin/"; }
{ drv = pkgs.nftables; path = "bin/"; }
{ drv = pkgs.wireguard-tools; path = "bin/.wg-wrapped"; destpath = "bin/wg"; }
# deps
{ drv = pkgs.nftables; path = "lib/"; }
{ drv = pkgs.libnftnl; path = "lib/"; }
{ drv = pkgs.iptables; path = "lib/"; }
{ drv = pkgs.libgcc.lib; path = "lib/"; }
{ drv = pkgs.libgcc; path = "lib/"; }
{ drv = pkgs.libmnl; path = "lib/"; }
{ drv = pkgs.gmp; path = "lib/"; }
{ drv = pkgs.jansson.out; path = "lib/"; }
{ drv = pkgs.ncurses.out; path = "lib/"; }
{ drv = pkgs.libedit; path = "lib/"; }
];
};
debug-tools-sysext = pkgs.callPackage ./lib/make-sysext.nix {
name = "debug-tools";
version = "0.0.1";
packages = [
{ drv = pkgs.curl; path = "bin/"; }
{ drv = pkgs.bash; path = "bin/"; }
{ drv = pkgs.keyutils; path = "bin/"; }
{ drv = pkgs.gnutar; path = "bin/"; }
{ drv = pkgs.strace; path = "bin/"; }
{ drv = pkgs.cryptsetup; path = "bin/"; }
{ drv = pkgs.erofs-utils; path = "bin/"; }
{ drv = pkgs.binutils-unwrapped; path = "bin/"; }
{ drv = pkgs.binutils-unwrapped.lib; path = "lib/"; }
{ drv = pkgs.util-linuxMinimal; path = "bin/"; }
{ drv = pkgs.util-linuxMinimal.mount; path = "bin/"; }
{ drv = pkgs.util-linuxMinimal.login; path = "bin/"; }
{ drv = pkgs.util-linuxMinimal.swap; path = "bin/"; }
{ drv = pkgs.patos.glibc; path = "bin/ldd"; }
{ drv = pkgs.patos.tpm2-tools; path = "bin/tpm2"; }
{ drv = pkgs.patos.openssl; path = "bin/openssl"; }
# shared lib required for mkfs.erofs
{ drv = pkgs.lz4.lib; path = "lib/"; }
{
drv = pkgs.curl;
path = "bin/curl";
}
{
drv = pkgs.bash;
path = "bin/bash";
}
{
drv = patosPkgs.glibc;
path = "bin/ldd";
}
{
drv = pkgs.keyutils;
path = "bin/keyctl";
}
{
drv = pkgs.gnutar;
path = "bin/tar";
}
{
drv = pkgs.binutils-unwrapped;
path = "bin/strings";
}
{
drv = pkgs.strace;
path = "bin/strace";
}
{
drv = patosPkgs.tpm2-tools;
path = "bin/tpm2";
}
{
drv = patosPkgs.openssl;
path = "bin/openssl";
}
{
drv = pkgs.cryptsetup;
path = "bin/cryptsetup";
}
{
drv = pkgs.cryptsetup;
path = "bin/veritysetup";
}
{
drv = pkgs.erofs-utils;
path = "bin/mkfs.erofs";
}
# shared lib required for cryptsetup
{ drv = pkgs.popt; path = "lib/"; }
{
drv = pkgs.popt;
path = "lib/libpopt.so.0.0.2";
}
{
drv = pkgs.popt;
path = "lib/libpopt.so.0";
}
{
drv = pkgs.popt;
path = "lib/libpopt.so";
}
# shared lib required for mkfs.erofs
{
drv = pkgs.lz4.lib;
path = "lib/liblz4.so.1.10.0";
}
{
drv = pkgs.lz4.lib;
path = "lib/liblz4.so.1";
}
{
drv = pkgs.lz4.lib;
path = "lib/liblz4.so";
}
# shared lib required for binutils
{
drv = pkgs.binutils-unwrapped.lib;
path = "lib/libsframe.so.1.0.0";
}
{
drv = pkgs.binutils-unwrapped.lib;
path = "lib/libsframe.so.1";
}
{
drv = pkgs.binutils-unwrapped.lib;
path = "lib/libbfd-2.43.1.so";
}
{
drv = pkgs.binutils-unwrapped.lib;
path = "lib/libbfd.so";
}
# shared lib required for strace
{ drv = pkgs.elfutils.out; path = "lib/"; }
# shared lib required for bash
{ drv = pkgs.readline.out; path = "lib/"; }
{ drv = pkgs.ncurses.out; path = "lib/"; }
{
drv = pkgs.elfutils.out;
path = "lib/libdw-0.192.so";
}
{
drv = pkgs.elfutils.out;
path = "lib/libdw.so.1";
}
{
drv = pkgs.elfutils.out;
path = "lib/libdw.so";
}
{
drv = pkgs.elfutils.out;
path = "lib/libelf-0.192.so";
}
{
drv = pkgs.elfutils.out;
path = "lib/libelf.so.1";
}
{
drv = pkgs.elfutils.out;
path = "lib/libelf.so";
}
];
};
};
@ -109,7 +189,7 @@
just
nixd
nixfmt-rfc-style
self.packages.${system}.qemu-uefi-tpm
patosPkgs.qemu-uefi-tpm
];
};
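Review bot: The debug-tools-sysext package list pins exact library filenames (`lib/libpopt.so.0.0.2`, `lib/liblz4.so.1.10.0`, `lib/libbfd-2.43.1.so`, `lib/libdw-0.192.so`, `lib/libelf-0.192.so`), so the next nixpkgs bump that changes any of those versions either breaks the build or, if make-sysext tolerates a missing source, silently ships a sysext without that library — taking the second of each printed pair as the new side. A comment above the list saying why single files are listed here while firewall-sysext keeps whole-directory `bin/` and `lib/` entries would help the next reader, e.g. `# one entry per soname: make-sysext copies single files; revisit on nixpkgs bumps`. Both sysexts also hard-code `version = "0.0.1";` where `inherit version;` would keep them in step with the top-level version. `updateUrl` is plain http to 10.0.2.2, the QEMU user-mode host address; if that is deliberate for local testing, a comment saying so keeps it from being mistaken for a production endpoint.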

22
foo.sh Executable file

@ -0,0 +1,22 @@
#!/usr/bin/env bash
out=/tmp/build
_pick() {
local p="$1" f d; shift
for f; do
d="$out/$p/${f#$out/}"
echo mkdir -p "$(dirname "$d")"
echo mv "$f" "$d"
echo rm -rf "$f"
echo mkfs.erofs --all-root -Efragments,dedupe,ztailpacking $out/$p.raw $p
echo veritysetup format --root-hash-file $out/$p.roothash $out/$p.raw $out/$p.verity
done
}
# _pick amd-ucode usr/lib/firmware/amd-ucode
# _pick linux-firmware-nfp usr/lib/firmware/netronome
# _pick linux-firmware-marvell usr/lib/firmware/{libertas,mwl8k,mwlwifi,mrvl}
_pick linux-firmware-qlogic usr/lib/firmware/{qlogic,qed,ql2???_*,c{b,t,t2}fw-*}
# _pick linux-firmware-base usr/lib/firmware
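Review bot: foo.sh is a new root-level executable with no header explaining its purpose; its `_pick` only `echo`es the mkdir/mv/rm/mkfs.erofs/veritysetup commands, so it reads as a dry-run of the `_pick`/`_package` logic in the firmware post-install script rather than something meant to be executed. If it is meant to stay, a first-line comment such as `# dry-run helper: prints the firmware split/package steps used by the linux-firmware post-install script` and a less generic filename would help. It also diverges from the real script: `mkfs.erofs ... $out/$p.raw $p` passes a relative `$p` where the post-install script uses `$out/$p`, and `out=/tmp/build` is a fixed, predictable path under a shared directory, which is harmless while the script only prints but would not be safe for a version that actually runs the commands.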


@ -46,7 +46,6 @@ runCommand name
}
''
set -ex -o pipefail
do_copy () {
local prefix="$1"
local drv="$2"
@ -61,25 +60,6 @@ runCommand name
destdir="$(dirname -- "$destfile")"
mkdir -pv "$destdir"
# recursively copy if ending with /
if [[ "$destfile" =~ /$ ]]; then
basedir="$(dirname -- "$destfile")"
chmod -R 755 "$basedir"
# remove if exists
for f in $srcfile/*; do
basename="$(basename -- "$f")"
rm -rf "$destfile/$basename"
done
cp -rPv "$srcfile" "$basedir"
chmod -R 755 "$basedir"
for f in $destfile/*; do
patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 $f || true
patchelf --set-rpath /usr/lib $f || true
done
return
fi
cp -Pv "$srcfile" "$destfile"
chmod 755 "$destfile"
@ -99,7 +79,7 @@ runCommand name
pushd $out
find tree -type d -exec chmod 0755 {} \;
mkfs.erofs -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking --all-root $name.raw tree/
mkfs.erofs --all-root $name.raw tree/
veritysetup format --root-hash-file $name.roothash $name.raw $name.verity
# TODO: pcks7 signature
# openssl smime -sign -nocerts -noattr -binary -in ${name}.roothash \
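Review bot: `set -ex -o pipefail` disappears from the head of the builder script in this section's first hunk (taking the second of each printed pair as the new side), so a failed `cp`, `mkfs.erofs` or `veritysetup` no longer aborts the build and a partial sysext can be produced and verity-formatted as if complete. That matters more because the second hunk removes do_copy's trailing-slash directory branch while flake.nix's firewall-sysext still passes `path = "bin/"` and `path = "lib/"` entries, which now reach a plain `cp -Pv` on a directory. Restore `set -ex -o pipefail` at the top of the script, and either keep the recursive branch or reject directory paths explicitly. The last hunk's `mkfs.erofs --all-root $name.raw tree/` also drops the `-zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking` options that pkgs/image still sets in SYSTEMD_REPART_MKFS_OPTIONS_EROFS; if that is unintended, one shared option string would keep them aligned. do_copy and the enclosing runCommand begin and end outside these hunks.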


@ -1,21 +0,0 @@
{
version
}:
final: prev: {
patos = prev.lib.makeScope prev.newScope (self: {
kernel = final.callPackage ../pkgs/kernel { };
glibc = final.callPackage ../pkgs/glibc { };
busybox = final.callPackage ../pkgs/busybox { };
openssl = final.callPackage ../pkgs/openssl { };
kexec = final.callPackage ../pkgs/kexec-tools { };
lvm2 = final.callPackage ../pkgs/lvm2 { };
tpm2-tools = final.callPackage ../pkgs/tpm2-tools { };
tpm2-tss = final.callPackage ../pkgs/tpm2-tss { };
systemd = final.callPackage ../pkgs/systemd { };
dbus-broker = final.callPackage ../pkgs/dbus-broker { };
rootfs = final.callPackage ../pkgs/rootfs/mkrootfs.nix { inherit version; };
initrd = final.callPackage ../pkgs/rootfs/mkinitrd.nix { inherit version; };
});
}


@ -1,22 +1,23 @@
{
lib,
pkgs,
patosPkgs,
version,
runCommand,
updateUrl,
microcode ? "",
cpuArch ? "",
secureBoot ? "false"
}:
let
pname = "patos-image";
in
runCommand pname {
inherit version microcode updateUrl secureBoot;
inherit version cpuArch updateUrl secureBoot;
mcode = lib.optionalString (microcode == "amd") "--microcode ${pkgs.microcode-amd}/amd-ucode.img"
+ lib.optionalString (microcode == "intel") "--microcode ${pkgs.microcode-intel}/intel-ucode.img";
microcode = lib.optionalString (cpuArch == "amd") "--microcode ${pkgs.microcode-amd}/amd-ucode.img"
+ lib.optionalString (cpuArch == "intel") "--microcode ${pkgs.microcode-intel}/intel-ucode.img";
nativeBuildInputs = with pkgs; [
buildInputs = with pkgs; [
erofs-utils
dosfstools
mtools
@ -29,20 +30,20 @@ runCommand pname {
SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking";
};
kernelCmdLine = "systemd.journald.forward_to_console=1 console=ttyS0 patos.secureboot=${secureBoot}";
kernelCmdLine = "console=ttyS0 patos.secureboot=${secureBoot}";
}
''
mkdir -p $out/init.repart.d $out/final.repart.d
pushd $out
mkdir rootfs
cp -prP ${pkgs.patos.rootfs}/* rootfs/
cp -prP ${patosPkgs.rootfs}/* rootfs/
find rootfs/ -type d -exec chmod 755 {} \;
# package kernel modules as sysext (will reduce the image size a little bit (~3MB))
mkdir rootfs/etc/extensions
rm -rf rootfs/usr/lib/modules
cp ${pkgs.patos.kernel}/patos-kernel-modules* rootfs/etc/extensions/
cp ${patosPkgs.kernel}/patos-kernel-modules* rootfs/etc/extensions/
# set default target to multi-user
ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target
@ -140,7 +141,6 @@ cat <<EOF > init.repart.d/10-root.conf
Type=root
Format=erofs
Minimize=best
AddValidateFS=false
CopyFiles=/rootfs:/
Verity=data
VerityMatchKey=root
@ -152,24 +152,21 @@ cat <<EOF > init.repart.d/20-root-verity.conf
Type=root-verity
Verity=hash
VerityMatchKey=root
AddValidateFS=false
Minimize=best
SplitName=verity
EOF
#TODO: Add verity signature partition
${pkgs.patos.systemd}/usr/bin/systemd-repart \
${patosPkgs.systemd}/usr/bin/systemd-repart \
--no-pager \
--empty=create \
--size=auto \
--definitions=$out/init.repart.d \
--definitions=./init.repart.d \
--split=true \
--json=pretty \
--root=$out \
patos_$version.raw > init-repart-output.json
rm -f patos_$version.raw
patos_$version.raw > init-repart-output.json && rm -f patos_$version.raw
roothash=$(jq -r '.[0].roothash' init-repart-output.json)
rootPart=$(jq -r '.[0].split_path' init-repart-output.json)
@ -181,16 +178,16 @@ verityUuid=$(jq -r '.[1].uuid' init-repart-output.json)
ln -sf patos_$version.verity.raw patos_${version}_$verityUuid.verity
ln -sf patos_$version.root.raw patos_${version}_$rootUuid.root
${pkgs.patos.systemd}/usr/bin/ukify build \
--linux ${pkgs.patos.kernel}/bzImage \
--initrd ${pkgs.patos.initrd}/initrd.xz \
$mcode \
${patosPkgs.systemd}/usr/bin/ukify build \
--linux ${patosPkgs.kernel}/bzImage \
--initrd ${patosPkgs.initrd}/initrd.xz \
$microcode \
--os-release @rootfs/etc/os-release \
--cmdline "$kernelCmdLine roothash=$roothash" \
-o patos_${version}.efi
# install ESP
SYSTEMD_RELAX_ESP_CHECKS=1 ${pkgs.patos.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot
SYSTEMD_RELAX_ESP_CHECKS=1 ${patosPkgs.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot
# setup factory reset
mkdir -p rootfs/boot/EFI/tools
@ -220,14 +217,14 @@ Type=esp
Format=vfat
SizeMinBytes=128M
SizeMaxBytes=128M
CopyFiles=$out/rootfs/boot:/
CopyFiles=/rootfs/boot:/
EOF
cat <<EOF > final.repart.d/20-root.conf
[Partition]
Type=root
Label=root-${version}
CopyBlocks=$out/$rootPart
CopyBlocks=/$rootPart
UUID=$rootUuid
SizeMinBytes=64M
SizeMaxBytes=64M
@ -238,17 +235,18 @@ cat <<EOF > final.repart.d/22-root-verity.conf
[Partition]
Type=root-verity
Label=verity-${version}
CopyBlocks=$out/$verityPart
CopyBlocks=/$verityPart
UUID=$verityUuid
ReadOnly=1
EOF
# finalize image ready for boot
${pkgs.patos.systemd}/usr/bin/systemd-repart \
${patosPkgs.systemd}/usr/bin/systemd-repart \
--no-pager \
--empty=create \
--size=auto \
--definitions=./final.repart.d \
--root=$out \
patos_${version}.img > final-repart-output.json
rm -rf rootfs init.repart.d final.repart.d *.json
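Review bot: `patos_$version.raw > init-repart-output.json && rm -f patos_$version.raw` masks a systemd-repart failure: a command on the left of `&&` is exempt from errexit, so if repart fails the script carries on, `jq -r '.[0].roothash'` produces an empty value and ukify bakes a bare `roothash=` into the UKI instead of failing the build. Keep the two statements separate, `patos_$version.raw > init-repart-output.json` then `rm -f patos_$version.raw`, or add `[ -n "$roothash" ]` before the ukify call. Separately, `buildInputs = with pkgs; [ erofs-utils dosfstools mtools` lists build-time tools that belong in nativeBuildInputs; the same swap appears in mkinitrd.nix (cpio, xz), mkrootfs.nix (glibc, binutils) and the new linux-firmware package (erofs-utils, cryptsetup), and only works because the build is native. This reads the second of each printed pair as the new side; the runCommand body starts and ends outside these hunks.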


@ -1,7 +1,7 @@
{ pkgs }:
let
version = "6.15.2";
hash = "sha256-NFjNamxQjhYdvFQG5yuZ1dvfkp+vcEpn25ukbQdRSFg=";
version = "6.13.8";
hash = "sha256-JZr6Wdc9Z2vsKuib6s2UngjVTT9wp/iwp0IxUJV1Grs=";
in
(pkgs.callPackage ./manual-config.nix { }) {
version = "${version}-patos1";


@ -4,7 +4,6 @@
buildPackages,
fetchFromGitHub,
autoconf,
autoreconfHook,
zlib,
}:
@ -15,8 +14,8 @@ stdenv.mkDerivation {
src = fetchFromGitHub {
owner = "horms";
repo = "kexec-tools";
rev = "v2.0.31";
hash = "sha256-Tgmc8mFlmzzRj7tEaBes7Udw4fRl6cSfe76iPNa3Ffs=";
rev = "a7fcd424c4c80dea5a2fd5ffa274ffeb8129c790";
hash = "sha256-QKE+KCkueA21zNunTMidP9OuZaw0IG5tFDF4UJITTTQ=";
};
dontPatchShebangs = true;
@ -28,27 +27,20 @@ stdenv.mkDerivation {
"pie"
];
preAutoreconf = "./bootstrap";
configurePlatforms = [
"build"
"host"
];
configureFlags = [ "BUILD_CC=${buildPackages.stdenv.cc.targetPrefix}cc" "--prefix=/"];
depsBuildBuild = [ buildPackages.stdenv.cc ];
installPhase = ''
make DESTDIR=$out install
buildCommand = ''
unpackPhase
mkdir -p $out
cd source
./bootstrap
./configure --prefix=/
make DESTDIR=$out install
'';
nativeBuildInputs = [
autoconf
autoreconfHook
];
depsBuildBuild = [ buildPackages.stdenv.cc ];
buildInputs = [
zlib
autoconf
];
enableParallelBuilding = true;
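Review bot: Replacing installPhase/autoreconfHook with a hand-written `buildCommand` (taking the second of each printed pair as the new side) bypasses stdenv's phases, so `enableParallelBuilding = true;` no longer adds `-j` to make, `configureFlags` and `configurePlatforms` are gone, and no fixup runs, so the installed kexec binary is neither stripped nor shebang-patched. The same steps fit the standard phases without losing that: `preConfigure = "./bootstrap";`, `configureFlags = [ "--prefix=/" ];` and `installFlags = [ "DESTDIR=$(out)" ];`, with `autoconf` moved to nativeBuildInputs since it is a build-time tool. The `rev` also changes from a tag to a bare commit with no explanation; a comment such as `# <reason this commit is needed over the last tag>` would help the next bump.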


@ -0,0 +1,38 @@
{
stdenv,
pkgs,
}:
stdenv.mkDerivation {
pname = pkgs.linux-firmware.name;
version = pkgs.linux-firmware.version;
src = pkgs.linux-firmware.src;
buildInputs = with pkgs; [
erofs-utils
cryptsetup
];
nativeBuildInputs = with pkgs; [
python3
rdfind
which
zstd
];
noBrokenSymlinks = true;
installTargets = [
"install-zst"
"dedup"
];
# inspo: https://gitlab.archlinux.org/archlinux/packaging/packages/linux-firmware/-/blob/main/PKGBUILD?ref_type=heads#L93
makeFlags = [
"DESTDIR=$(out)"
"ZSTD_CLEVEL=19"
"FIRMWAREDIR=/usr/lib/firmware"
];
postInstall = ./post-install.sh;
}
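Review bot: `postInstall = ./post-install.sh;` passes a Nix path, so the attribute becomes the script's store path and stdenv's hook runner evals that string as a command; that only works if the file carries the executable bit in the repository (the store preserves it), which this page does not show, and it runs the script in a child shell rather than inline. The conventional form `postInstall = "bash ${./post-install.sh}";` removes the dependence on the mode bit; `builtins.readFile` would run it inline, but then the script's `set -ex -uo pipefail` would apply to the rest of the builder. `pname = pkgs.linux-firmware.name` also takes the full name, which in nixpkgs presumably already includes the version, so the derivation name would carry it twice; `pname = pkgs.linux-firmware.pname;` looks like what is intended. The tools in `buildInputs` (erofs-utils, cryptsetup) are build-time and belong in nativeBuildInputs.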


@ -0,0 +1,59 @@
set -ex -uo pipefail
_pick() {
local p="$1" f d; shift
for f; do
d="$out/$p/${f#$out/}"
mkdir -p "$(dirname "$d")"
mv $out/"$f" "$d"
rm -rf $out/"$f"
done
}
_package() {
local p="$1"
mkdir -p $out/$p/usr/lib/extension-release.d
cat << EOF > $out/$p/usr/lib/extension-release.d/extension-release.$p
ID=patos
IMAGE_ID=$p
IMAGE_VERSION=$version
VERSION_ID=patos
EOF
mkfs.erofs --all-root -Efragments,dedupe,ztailpacking $out/$p.raw $out/$p
veritysetup format --root-hash-file $out/$p.roothash $out/$p.raw $out/$p.verity
}
# remove arm64 firmware https://bugs.archlinux.org/task/76583
rm $out/usr/lib/firmware/mrvl/prestera/mvsw_prestera_fw_arm64-v4.1.img.zst
_pick amd-ucode usr/lib/firmware/amd-ucode
_package amd-ucode
_pick linux-firmware-nfp usr/lib/firmware/netronome
_package linux-firmware-nfp
_pick linux-firmware-mellanox usr/lib/firmware/mellanox
_package linux-firmware-mellanox
_pick linux-firmware-marvell usr/lib/firmware/{libertas,mwl8k,mwlwifi,mrvl}
_package linux-firmware-marvell
_pick linux-firmware-qcom usr/lib/firmware/qcom
_package linux-firmware-qcom
_pick linux-firmware-liquidio usr/lib/firmware/liquidio
_package linux-firmware-liquidio
# _pick linux-firmware-qlogic usr/lib/firmware/{qlogic,qed,ql2???_*,c{b,t,t2}fw-*}
# _package linux-firmware-qlogic
# _pick linux-firmware-bnx2x usr/lib/firmware/bnx2x*
# _package linux-firmware-bnx2x
# and the rest is base firmware
_pick linux-firmware usr/lib/firmware
_package linux-firmware
# clean up
# rm -rf $out/usr
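Review bot: `_package` writes each sysext's verity root hash to `$out/$p.roothash` beside the image but nothing signs it, so a consumer has no way to tell a genuine `$p.raw` from a modified one; this mirrors the `# TODO: pcks7 signature` in make-sysext, and a matching `# TODO: sign $p.roothash` next to the veritysetup line keeps the gap visible. The hard-coded `rm $out/usr/lib/firmware/mrvl/prestera/mvsw_prestera_fw_arm64-v4.1.img.zst` fails the whole build under `set -e` as soon as upstream renames that file; `rm -f` plus a comment naming the version it was added for would be safer. A one-line header stating that the script expects `$out` and `$version` from the derivation environment would also help, since `set -u` makes both mandatory. `mkfs.erofs` here also omits the compression options used by pkgs/image; worth a comment if the difference is deliberate.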


@ -1,5 +1,6 @@
{
pkgs,
patosPkgs,
runCommand,
...
}:
@ -9,7 +10,7 @@ in
runCommand "patos-initrd" {
inherit secureBootEnroll;
nativeBuildInputs = with pkgs; [
buildInputs = with pkgs; [
cpio
xz
];
@ -20,7 +21,7 @@ mkdir -p $out/root
pushd $out/root
### copy rootfs
cp -prP ${pkgs.patos.rootfs}/* .
cp -prP ${patosPkgs.rootfs}/* .
find . -type d -exec chmod 755 {} \;
mkdir sysroot


@ -1,5 +1,6 @@
{
pkgs,
patosPkgs,
version,
runCommand,
}:
@ -11,9 +12,7 @@ runCommand "patos-rootfs"
{
inherit version;
nativeBuildInputs = with pkgs; [
stdenv.cc
patchelf
buildInputs = with pkgs;[
glibc
binutils
];
@ -31,11 +30,12 @@ ln -sf /tmp $out/var/tmp
ln -sf ../proc/self/mounts $out/etc/mtab
### install systemd
cp -Pr ${pkgs.patos.systemd}/* $out/
cp -Pr ${patosPkgs.systemd}/* $out/
find $out -type d -exec chmod 755 {} \;
rm -rf $out/usr/include
rm -rf $out/usr/sbin
ln -sf /usr/bin $out/usr/sbin
rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service
# enable in ramdisk instead
rm -f $out/usr/lib/systemd/system/sysinit.target.wants/systemd-repart.service
rm -f $out/usr/lib/systemd/system/initrd-root-fs.target.wants/systemd-repart.service
@ -136,33 +136,33 @@ ManagerEnvironment=PATH=/bin:/sbin:/usr/bin SYSTEMD_CRYPTTAB=/run/crypttab SYSTE
EOF
### install PatOS glibc
cp -P ${pkgs.patos.glibc}/lib/*.so* $out/usr/lib/
cp -P ${patosPkgs.glibc}/lib/*.so* $out/usr/lib/
### install openssl
cp -P ${pkgs.patos.openssl}/lib/*.so* $out/usr/lib/
cp -Pr ${pkgs.patos.openssl}/etc/ssl $out/etc/
cp -P ${patosPkgs.openssl}/lib/*.so* $out/usr/lib/
cp -Pr ${patosPkgs.openssl}/etc/ssl $out/etc/
### install busybox
cp ${pkgs.patos.busybox}/bin/busybox $out/usr/bin/
cp ${patosPkgs.busybox}/bin/busybox $out/usr/bin/
$out/usr/bin/busybox --list | xargs -I {} ln -sf busybox $out/usr/bin/{}
### install dbus broker
cp -r ${pkgs.patos.dbus-broker}/* $out/
cp -r ${patosPkgs.dbus-broker}/* $out/
### install kexec
cp -Pr ${pkgs.patos.kexec}/sbin/kexec $out/usr/bin/
cp -Pr ${patosPkgs.kexec}/sbin/kexec $out/usr/bin/
### install dmsetup udev rules
cp -P ${pkgs.patos.lvm2}/usr/bin/dmsetup $out/usr/bin/
cp -P ${pkgs.patos.lvm2}/lib/libdevmapper.so* $out/usr/lib/
cp -P ${pkgs.patos.lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/
cp -P ${patosPkgs.lvm2}/usr/bin/dmsetup $out/usr/bin/
cp -P ${patosPkgs.lvm2}/lib/libdevmapper.so* $out/usr/lib/
cp -P ${patosPkgs.lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/
### install btrfs progs
cp -Pr ${pkgs.btrfs-progs}/bin/* $out/usr/bin/
cp -Pr ${pkgs.btrfs-progs}/lib/* $out/usr/lib/
### install tpm2 libs
cp -P ${pkgs.patos.tpm2-tss}/lib/*.so* $out/usr/lib/
cp -P ${patosPkgs.tpm2-tss}/lib/*.so* $out/usr/lib/
### install lib kmod
cp -P ${pkgs.kmod.lib}/lib/*.so* $out/usr/lib/
@ -193,22 +193,20 @@ ln -sf ../cert.pem $out/etc/ssl/certs/ca-bundle.crt
rm -rf $out/usr/lib/pkgconfig
# setup default files
${pkgs.patos.systemd}/usr/bin/systemd-hwdb --root=$out --usr update
${pkgs.patos.systemd}/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf --create
${patosPkgs.systemd}/usr/bin/systemd-hwdb --root=$out --usr update
${patosPkgs.systemd}/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf --create
cp $out/usr/share/factory/etc/nsswitch.conf $out/etc/
cp $out/usr/share/factory/etc/locale.conf $out/etc/
cp $out/usr/share/factory/etc/vconsole.conf $out/etc/
# install sys users
mkdir creds
echo -n ${defaultPassword} > creds/passwd.plaintext-password.root
CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' ${pkgs.patos.systemd}/usr/bin/systemd-sysusers --root=$out rootfs/usr/lib/sysusers.d/*.conf
CREDENTIALS_DIRECTORY=$PWD/creds SYSTEMD_CRYPT_PREFIX='$6$' ${patosPkgs.systemd}/usr/bin/systemd-sysusers --root=$out rootfs/usr/lib/sysusers.d/*.conf
chmod 600 $out/etc/shadow
rm -rf creds
# Ephemeral machine-id until registration
# ln -sf /run/machine-id $out/etc/machine-id
# FIXME: above line does not work in systemd > 257
${pkgs.patos.systemd}/usr/bin/systemd-machine-id-setup --root=$out
ln -sf /run/machine-id $out/etc/machine-id
### Find and install all shared libs
find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \
@ -218,17 +216,15 @@ find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \
find $out -type f -executable -exec chmod 755 {} \;
# patch ELFs
interpreter=$(patchelf --print-interpreter $out/usr/bin/busybox)
ldLinux=$(basename $interpreter)
find $out -type f -executable -exec patchelf --set-rpath /lib:/usr/lib:/usr/lib/systemd:/usr/lib/cryptsetup {} \;
find $out -type f -executable -exec patchelf --set-interpreter /lib/$ldLinux {} \;
patchelf --remove-rpath $out/usr/lib/$ldLinux
find $out -type f -executable -exec patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 {} \;
patchelf --remove-rpath $out/usr/lib/ld-linux-x86-64.so.2
# strip binaries
find $out -type f -executable -exec $STRIP {} \;
find $out -type f -executable -exec strip {} \;
find $out -type d -exec chmod 755 {} \;
# install kernel modules
cp -r ${pkgs.patos.kernel}/lib/modules $out/usr/lib/
cp -r ${patosPkgs.kernel}/lib/modules $out/usr/lib/
find $out/usr/lib/modules -type d -exec chmod 755 {} \;
''
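Review bot: The ELF interpreter and strip tool are hard-coded in the last hunk (`patchelf --set-interpreter /lib/ld-linux-x86-64.so.2 {}`, `patchelf --remove-rpath $out/usr/lib/ld-linux-x86-64.so.2`, `-exec strip {}`) in place of the `$interpreter`/`$ldLinux`/`$STRIP` lookup, taking the second of each printed pair as the new side; together with dropping `stdenv.cc` and `patchelf` from the inputs this makes the rootfs x86_64-only and leaves patchelf to come from stdenv's default inputs, presumably. If x86_64-only is intended, a comment at the `# patch ELFs` step saying so would stop the next reader from re-adding the lookup; otherwise the three removed lines are cheap to keep. Separately, `echo -n ${defaultPassword} > creds/passwd.plaintext-password.root` interpolates the password into the builder script, so it is readable from the derivation in the store as well as hashed into `$out/etc/shadow`; a comment noting that this is accepted for a development image would make the trade-off explicit. The runCommand body starts and ends outside these hunks.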


@ -7,7 +7,7 @@
...
}:
let
version = "devel";
version = "257.4";
# Use the command below to update `releaseTimestamp` on every (major) version
# change. More details in the commentary at mesonFlags.
@ -26,8 +26,8 @@ stdenv.mkDerivation (finalAttrs: {
src = fetchFromGitHub {
owner = "systemd";
repo = "systemd";
rev = "959d7f1759d67994e3bed7b9d2f23e063475a872"; # main
hash = "sha256-IxGg0t/0GEllU4EPHqY2bwMDYwrQ5KWyE2QhwhTxqGs=";
rev = "v${version}";
hash = "sha256-6rxJUYRq785U6aik5VhQRqG+Ss67lBB6T3eQF+tkyhk=";
};
patches = [ ./skip-verify-esp.patch ];
@ -137,10 +137,6 @@ stdenv.mkDerivation (finalAttrs: {
''
substituteInPlace meson.build \
--replace "find_program('clang'" "find_program('${stdenv.cc.targetPrefix}clang'"
'' +
''
substituteInPlace src/test/meson.build \
--replace "test_env.set('SYSTEMD_LANGUAGE_FALLBACK_MAP', language_fallback_map)" ""
''
+ ''
substituteInPlace src/ukify/ukify.py \


@ -1,54 +0,0 @@
{
pkgs,
...
}:
pkgs.writeShellApplication {
name = "qemu-aarch64-uefi-tpm";
runtimeInputs = with pkgs; [
qemu
swtpm
];
text =
let
tpmOVMF = pkgs.OVMF.override {
tpmSupport = true;
secureBoot = true;
};
in
''
set -ex
state="/tmp/patos-qemu-$USER"
rm -rf "$state"
mkdir -m 700 "$state"
qemu-img create -f qcow2 -F raw -b "$(readlink -e "$1")" "$state/disk.qcow2" 2G
OVMF_FD=$(nix-build '<nixpkgs>' --no-out-link -A OVMF.fd --system aarch64-linux)
cp "$OVMF_FD/AAVMF/vars-template-pflash.raw" "$state/vars-pflash.raw"
chmod u+w "$state/vars-pflash.raw"
# swtpm socket -d --tpmstate dir="$state" \
# --ctrl type=unixio,path="$state/swtpm-sock" \
# --tpm2 \
# --log file="$state/swtpm.log",level=20
qemu-system-aarch64 \
-machine virt,gic-version=max \
-cpu max \
-smp 8 \
-m 4G \
-display none \
-serial stdio \
-drive "if=pflash,format=raw,unit=0,readonly=on,file=$OVMF_FD/AAVMF/QEMU_EFI-pflash.raw" \
-drive "if=pflash,format=raw,unit=1,file=$state/vars-pflash.raw" \
-device virtio-scsi-pci \
-device virtio-gpu-pci \
-device virtio-net-pci,netdev=wan \
-netdev user,id=wan \
-device virtio-rng-pci,rng=rng0 \
-object rng-random,filename=/dev/urandom,id=rng0 \
-device virtio-serial-pci \
-drive "format=qcow2,file=$state/disk.qcow2"
'';
}