Merge pull request #218 from nix-community/get-crane-back

This commit is contained in:
Ryan Lahfa 2023-08-25 16:14:52 +02:00 committed by GitHub
commit 6d6cdf59b9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 187 additions and 146 deletions

View File

@ -1,5 +1,34 @@
{ {
"nodes": { "nodes": {
"crane": {
"inputs": {
"flake-compat": [
"flake-compat"
],
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": [
"rust-overlay"
]
},
"locked": {
"lastModified": 1688772518,
"narHash": "sha256-ol7gZxwvgLnxNSZwFTDJJ49xVY5teaSvF7lzlo3YQfM=",
"owner": "ipetkov",
"repo": "crane",
"rev": "8b08e96c9af8c6e3a2b69af5a7fa168750fcf88e",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -77,11 +106,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1689846679, "lastModified": 1689951833,
"narHash": "sha256-89uOAMBZK4jooekzMZcm4sGxZp9kThMvJI6wVf00RfI=", "narHash": "sha256-wdpIgb5X0p85RRne74TeUOp9ti7a1k9KDSe4NzsaAGk=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "17dd4c92ee12de80a1fe86ea30be723e4e06cd00", "rev": "ebf4e87429ce7faa51a86a36a7b2e615c8bcc735",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -137,11 +166,36 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"crane": "crane",
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"flake-parts": "flake-parts", "flake-parts": "flake-parts",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"pre-commit-hooks-nix": "pre-commit-hooks-nix" "pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
}
},
"rust-overlay": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1689906077,
"narHash": "sha256-2tjLXKoSK7O0LYHlA6GCWL0gy2kZZno4krg+KZpDh6U=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "c88b28944129eeff5e819bdc21248dc07eb0625d",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
} }
}, },
"systems": { "systems": {

165
flake.nix
View File

@ -25,13 +25,27 @@
# avoid having multiple versions in our dependencies. # avoid having multiple versions in our dependencies.
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
crane = {
url = "github:ipetkov/crane";
inputs.nixpkgs.follows = "nixpkgs";
inputs.rust-overlay.follows = "rust-overlay";
inputs.flake-utils.follows = "flake-utils";
inputs.flake-compat.follows = "flake-compat";
};
rust-overlay = {
url = "github:oxalica/rust-overlay";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
flake-compat = { flake-compat = {
url = "github:edolstra/flake-compat"; url = "github:edolstra/flake-compat";
flake = false; flake = false;
}; };
}; };
outputs = inputs@{ self, nixpkgs, flake-parts, ... }: outputs = inputs@{ self, nixpkgs, crane, rust-overlay, flake-parts, ... }:
flake-parts.lib.mkFlake { inherit inputs; } ({ moduleWithSystem, ... }: { flake-parts.lib.mkFlake { inherit inputs; } ({ moduleWithSystem, ... }: {
imports = [ imports = [
# Derive the output overlay automatically from all packages that we define. # Derive the output overlay automatically from all packages that we define.
@ -41,20 +55,27 @@
inputs.pre-commit-hooks-nix.flakeModule inputs.pre-commit-hooks-nix.flakeModule
]; ];
flake.nixosModules.lanzaboote = moduleWithSystem (perSystem@{ config }: flake.nixosModules.lanzaboote = moduleWithSystem (
perSystem@{ config }:
{ ... }: { { ... }: {
imports = [ ./nix/modules/lanzaboote.nix ]; imports = [
./nix/modules/lanzaboote.nix
];
boot.lanzaboote.package = perSystem.config.packages.tool; boot.lanzaboote.package = perSystem.config.packages.tool;
}); }
);
flake.nixosModules.uki = moduleWithSystem (perSystem@{ config }: flake.nixosModules.uki = moduleWithSystem (
perSystem@{ config }:
{ lib, ... }: { { lib, ... }: {
imports = [ ./nix/modules/uki.nix ]; imports = [
./nix/modules/uki.nix
];
boot.loader.uki.stub = lib.mkDefault boot.loader.uki.stub = lib.mkDefault "${perSystem.config.packages.fatStub}/bin/lanzaboote_stub.efi";
"${perSystem.config.packages.fatStub}/bin/lanzaboote_stub.efi"; }
}); );
systems = [ systems = [
"x86_64-linux" "x86_64-linux"
@ -65,32 +86,94 @@
perSystem = { config, system, pkgs, ... }: perSystem = { config, system, pkgs, ... }:
let let
pkgs = import nixpkgs { inherit system; }; pkgs = import nixpkgs {
uefiPkgs = import nixpkgs { system = system;
inherit system; overlays = [
crossSystem = { rust-overlay.overlays.default
# linuxArch is wrong here, it will yield arm64 instead of aarch64. ];
config = "${pkgs.stdenv.hostPlatform.qemuArch}-windows";
rustc.config = "${pkgs.stdenv.hostPlatform.qemuArch}-unknown-uefi";
libc = null;
useLLVM = true;
}; };
};
utils = import ./nix/packages/utils.nix;
inherit (pkgs) lib; inherit (pkgs) lib;
stub = uefiPkgs.callPackage ./nix/packages/stub.nix { uefi-rust-stable = pkgs.rust-bin.fromRustupToolchainFile ./rust/stub/rust-toolchain.toml;
# cargo-auditable fails to build with: could not execute process .... No such file or directory (os error 2) craneLib = crane.lib.x86_64-linux.overrideToolchain uefi-rust-stable;
rustPlatform = uefiPkgs.makeRustPlatform {
inherit (uefiPkgs.buildPackages) rustc; # Build attributes for a Rust application.
cargo = uefiPkgs.buildPackages.cargo.override { buildRustApp = lib.makeOverridable (
auditable = false; { src
, target ? null
, doCheck ? true
, extraArgs ? { }
}:
let
commonArgs = {
inherit src;
CARGO_BUILD_TARGET = target;
inherit doCheck;
# Workaround for https://github.com/ipetkov/crane/issues/262.
dummyrs = pkgs.writeText "dummy.rs" ''
#![allow(unused)]
#![cfg_attr(
any(target_os = "none", target_os = "uefi"),
no_std,
no_main,
)]
#[cfg_attr(any(target_os = "none", target_os = "uefi"), panic_handler)]
fn panic(_info: &::core::panic::PanicInfo<'_>) -> ! {
loop {}
}
#[cfg_attr(any(target_os = "none", target_os = "uefi"), export_name = "efi_main")]
fn main() {}
'';
} // extraArgs;
cargoArtifacts = craneLib.buildDepsOnly commonArgs;
in
{
package = craneLib.buildPackage (commonArgs // {
inherit cargoArtifacts;
});
clippy = craneLib.cargoClippy (commonArgs // {
inherit cargoArtifacts;
cargoClippyExtraArgs = "-- --deny warnings";
});
rustfmt = craneLib.cargoFmt (commonArgs // { inherit cargoArtifacts; });
}
);
stubCrane = buildRustApp {
src = craneLib.cleanCargoSource ./rust/stub;
target = "x86_64-unknown-uefi";
doCheck = false;
};
fatStubCrane = stubCrane.override {
extraArgs = {
cargoExtraArgs = "--no-default-features --features fat";
}; };
}; };
stub = stubCrane.package;
fatStub = fatStubCrane.package;
toolCrane = buildRustApp {
src = ./rust/tool;
extraArgs = {
TEST_SYSTEMD = pkgs.systemd;
nativeCheckInputs = with pkgs; [
binutils-unwrapped
sbsigntool
];
}; };
fatStub = stub.override { fatVariant = true; }; };
tool = pkgs.callPackage ./nix/packages/tool.nix { };
tool = toolCrane.package;
wrappedTool = pkgs.runCommand "lzbt" wrappedTool = pkgs.runCommand "lzbt"
{ {
@ -101,9 +184,7 @@
# Clean PATH to only contain what we need to do objcopy. Also # Clean PATH to only contain what we need to do objcopy. Also
# tell lanzatool where to find our UEFI binaries. # tell lanzatool where to find our UEFI binaries.
makeWrapper ${tool}/bin/lzbt $out/bin/lzbt \ makeWrapper ${tool}/bin/lzbt $out/bin/lzbt \
--set PATH ${ --set PATH ${lib.makeBinPath [ pkgs.binutils-unwrapped pkgs.sbsigntool ]} \
lib.makeBinPath [ pkgs.binutils-unwrapped pkgs.sbsigntool ]
} \
--set LANZABOOTE_STUB ${stub}/bin/lanzaboote_stub.efi --set LANZABOOTE_STUB ${stub}/bin/lanzaboote_stub.efi
''; '';
in in
@ -114,23 +195,24 @@
lzbt = wrappedTool; lzbt = wrappedTool;
}; };
overlayAttrs = { inherit (config.packages) tool; }; overlayAttrs = {
inherit (config.packages) tool;
};
checks = checks =
let let
nixosLib = import (pkgs.path + "/nixos/lib") { }; nixosLib = import (pkgs.path + "/nixos/lib") { };
runTest = module: runTest = module: nixosLib.runTest {
nixosLib.runTest {
imports = [ module ]; imports = [ module ];
hostPkgs = pkgs; hostPkgs = pkgs;
}; };
in in
{ {
stubFmt = uefiPkgs.callPackage (utils.rustfmt stub) { }; toolClippy = toolCrane.clippy;
toolFmt = pkgs.callPackage (utils.rustfmt tool) { }; stubClippy = stubCrane.clippy;
toolClippy = pkgs.callPackage (utils.clippy tool) { }; fatStubClippy = fatStubCrane.clippy;
stubClippy = uefiPkgs.callPackage (utils.clippy stub) { }; toolFmt = toolCrane.rustfmt;
fatStubClippy = uefiPkgs.callPackage (utils.clippy fatStub) { }; stubFmt = stubCrane.rustfmt;
} // (import ./nix/tests/lanzaboote.nix { } // (import ./nix/tests/lanzaboote.nix {
inherit pkgs; inherit pkgs;
lanzabooteModule = self.nixosModules.lanzaboote; lanzabooteModule = self.nixosModules.lanzaboote;
@ -174,7 +256,10 @@
pkgs.cargo-release pkgs.cargo-release
]; ];
inputsFrom = [ config.packages.stub config.packages.tool ]; inputsFrom = [
config.packages.stub
config.packages.tool
];
TEST_SYSTEMD = pkgs.systemd; TEST_SYSTEMD = pkgs.systemd;
}; };

View File

@ -1,29 +0,0 @@
{ rustPlatform, stdenv, lib, fatVariant ? false }:
rustPlatform.buildRustPackage
{
pname = "lanzaboote_stub";
version = "0.3.0";
src = lib.cleanSource ../../rust/stub;
# We don't want the thin code.
buildNoDefaultFeatures = true;
buildFeatures = if fatVariant then [ "fat" ] else [ "thin" ];
cargoLock = {
lockFile = ../../rust/stub/Cargo.lock;
};
# Necessary because our `cc-wrapper` doesn't understand MSVC link options.
RUSTFLAGS = "-Clinker=${stdenv.cc.bintools}/bin/${stdenv.cc.targetPrefix}ld.lld -Clinker-flavor=lld-link";
# Necessary because otherwise we will get (useless) hardening options in front of
# -flavor link which will break the whole command-line processing for the ld.lld linker.
hardeningDisable = [ "all" ];
meta = with lib; {
description = "Lanzaboote UEFI stub for SecureBoot enablement on NixOS systems";
homepage = "https://github.com/nix-community/lanzaboote";
license = licenses.mit;
platforms = [ "x86_64-windows" "aarch64-windows" "i686-windows" ];
};
}

View File

@ -1,30 +0,0 @@
{ systemd
, binutils-unwrapped
, sbsigntool
, rustPlatform
, lib
}:
rustPlatform.buildRustPackage
{
pname = "lanzaboote_tool";
version = "0.3.0";
src = lib.cleanSource ../../rust/tool;
TEST_SYSTEMD = systemd;
cargoLock = {
lockFile = ../../rust/tool/Cargo.lock;
};
nativeCheckInputs = [
binutils-unwrapped
sbsigntool
];
meta = with lib; {
description = "Lanzaboote UEFI tooling for SecureBoot enablement on NixOS systems";
homepage = "https://github.com/nix-community/lanzaboote";
license = licenses.mit;
};
}

View File

@ -1,39 +0,0 @@
{
clippy = rustPackage: { lib, rust, clippy }:
let
targetSpec = rust.toRustTargetSpec rustPackage.stdenv.hostPlatform;
inherit (lib) optionalString concatStringsSep;
in
rustPackage.overrideAttrs (old: {
nativeBuildInputs = (old.nativeBuildInputs or [ ]) ++ [ clippy ];
doCheck = false;
buildPhase = ''
echo "checking via clippy..."
cargo clippy --target ${targetSpec} ${optionalString (old.buildNoDefaultFeatures or false) "--no-default-features "}${optionalString ((old.buildFeatures or null) != null) ''--features="${concatStringsSep " " old.buildFeatures}" ''}-- -D warnings
if grep -R 'dbg!' ./src; then
echo "use of dbg macro found in code!"
false
fi
'';
installPhase = ''
touch $out
'';
});
rustfmt = rustPackage: { rustfmt }: rustPackage.overrideAttrs (old: {
nativeBuildInputs = (old.nativeBuildInputs or [ ]) ++ [ rustfmt ];
doCheck = false;
buildPhase = ''
echo "checking formatting..."
cargo fmt --all -- --check
'';
installPhase = ''
touch $out
'';
});
}