From 4fb1e0d0dd501dea0d96bdf8a9c3030a91200ba0 Mon Sep 17 00:00:00 2001
From: Julian Stecklina
Date: Mon, 28 Nov 2022 13:15:59 +0100
Subject: [PATCH 1/3] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:
• Updated input 'crane': 'github:ipetkov/crane/c61d98aaea5667607a36bafe5a6fa87fe5bb2c7e' (2022-11-21) → 'github:ipetkov/crane/24591d5f8cc979f7b243b88a2d39da09976970ad' (2022-11-28)
• Updated input 'naersk/nixpkgs': 'github:NixOS/nixpkgs/3ea5616c21dd186129f90a86c66352359a45cb07' (2022-11-23) → 'github:NixOS/nixpkgs/b45ec953794bb07922f0468152ad1ebaf8a084b3' (2022-11-27)
• Updated input 'nixpkgs': 'github:NixOS/nixpkgs/3ea5616c21dd186129f90a86c66352359a45cb07' (2022-11-23) → 'github:NixOS/nixpkgs/b45ec953794bb07922f0468152ad1ebaf8a084b3' (2022-11-27)
• Updated input 'rust-overlay': 'github:oxalica/rust-overlay/018df6d3f900fc53d567045bd86208f5c00d8956' (2022-11-24) → 'github:oxalica/rust-overlay/b9da8e68a08707115be750c0cf7ade33f49d8ec4' (2022-11-28)
---
 flake.lock | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/flake.lock b/flake.lock
index 48448a1..a6a08a2 100644
--- a/flake.lock
+++ b/flake.lock
@@ -10,11 +10,11 @@
 "rust-overlay": "rust-overlay"
 },
 "locked": {
- "lastModified": 1668993159,
- "narHash": "sha256-9BVTtPFrHRh0HbeEm2bmXsoIWRj1tKM6Nvfl7VMK/X8=",
+ "lastModified": 1669605882,
+ "narHash": "sha256-TiQtL5sUI5rp28S63v+VX25qNjcrc8Xeu+shf3g7Tj4=",
 "owner": "ipetkov",
 "repo": "crane",
- "rev": "c61d98aaea5667607a36bafe5a6fa87fe5bb2c7e",
+ "rev": "24591d5f8cc979f7b243b88a2d39da09976970ad",
 "type": "github"
 },
 "original": {
@@ -89,11 +89,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1669207345,
- "narHash": "sha256-KwfRW0f70Y19EkbB6D9wy7AoYqCYPuIL/2taiJPvuxg=",
+ "lastModified": 1669535121,
+ "narHash": "sha256-koZLM7oWVGrjyHnYDo7/w5qlmUn9UZUKSFNfmIjueE8=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "3ea5616c21dd186129f90a86c66352359a45cb07",
+ "rev": "b45ec953794bb07922f0468152ad1ebaf8a084b3",
 "type": "github"
 },
 "original": {
@@ -119,11 +119,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1669207345,
- "narHash": "sha256-KwfRW0f70Y19EkbB6D9wy7AoYqCYPuIL/2taiJPvuxg=",
+ "lastModified": 1669535121,
+ "narHash": "sha256-koZLM7oWVGrjyHnYDo7/w5qlmUn9UZUKSFNfmIjueE8=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "3ea5616c21dd186129f90a86c66352359a45cb07",
+ "rev": "b45ec953794bb07922f0468152ad1ebaf8a084b3",
 "type": "github"
 },
 "original": {
@@ -189,11 +189,11 @@
 "nixpkgs": "nixpkgs_3"
 },
 "locked": {
- "lastModified": 1669257187,
- "narHash": "sha256-NURtNyepbHLrJs2kwsQ9u2SUKhuGU1T9mPkXasG9hpk=",
+ "lastModified": 1669602829,
+ "narHash": "sha256-I3LBvBiVui4Rf0iQvTqUIgBovaLDzpOzsoNEzCsDowg=",
 "owner": "oxalica",
 "repo": "rust-overlay",
- "rev": "018df6d3f900fc53d567045bd86208f5c00d8956",
+ "rev": "b9da8e68a08707115be750c0cf7ade33f49d8ec4",
 "type": "github"
 },
 "original": {

From 7926ab9e5edef9f06ca2c4270cec685b26f5c39f Mon Sep 17 00:00:00 2001
From: Julian Stecklina
Date: Mon, 28 Nov 2022 13:38:01 +0100
Subject: [PATCH 2/3] lanzaboote: fix clippy issues

---
 rust/lanzaboote/src/linux_loader.rs | 8 ++++----
 rust/lanzaboote/src/pe_section.rs | 9 +++++++--
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/rust/lanzaboote/src/linux_loader.rs b/rust/lanzaboote/src/linux_loader.rs
index 95f9922..46857ad 100644
--- a/rust/lanzaboote/src/linux_loader.rs
+++ b/rust/lanzaboote/src/linux_loader.rs
@@ -147,16 +147,16 @@ fn initrd_location(initrd_efi: &mut RegularFile) -> Result> {
 .sections
 .iter()
 .find(|s| s.name().unwrap() == ".initrd")
- .and_then(|s| {
+ .map(|s| {
 let section_start: usize = s.pointer_to_raw_data.try_into().unwrap();
 let section_size: usize = s.size_of_raw_data.try_into().unwrap();
- Some(Range {
+ Range {
 start: section_start,
 end: section_start + section_size,
- })
+ }
 })
- .ok_or(Status::END_OF_FILE.into())
+ .ok_or_else(|| Status::END_OF_FILE.into())
 }
 /// Check the signature of the initrd.
diff --git a/rust/lanzaboote/src/pe_section.rs b/rust/lanzaboote/src/pe_section.rs
index 4b6d178..0ef7cce 100644
--- a/rust/lanzaboote/src/pe_section.rs
+++ b/rust/lanzaboote/src/pe_section.rs
@@ -1,3 +1,9 @@
+// Clippy doesn't like the lifetimes, but rustc wants them. 🤷
+#![allow(clippy::needless_lifetimes)]
+// Clippy doesn't understand that we exit with ? from the closure in
+// and_then below and this can't be expressed with map.
+#![allow(clippy::bind_instead_of_map)]
+
 use alloc::{borrow::ToOwned, string::String};
 
 /// Extracts the data of a section of a PE file.
@@ -20,6 +26,5 @@ pub fn pe_section<'a>(file_data: &'a [u8], section_name: &str) -> Option<&'a [u8
 /// Extracts the data of a section of a PE file and returns it as a string.
 pub fn pe_section_as_string<'a>(file_data: &'a [u8], section_name: &str) -> Option {
- pe_section(file_data, section_name)
- .and_then(|data| Some(core::str::from_utf8(data).unwrap().to_owned()))
+ pe_section(file_data, section_name).map(|data| core::str::from_utf8(data).unwrap().to_owned())
 }

From 28bb93c5f37c144d995366699bf51b5263b51d44 Mon Sep 17 00:00:00 2001
From: Julian Stecklina
Date: Mon, 28 Nov 2022 13:48:25 +0100
Subject: [PATCH 3/3] nix: switch everything to crane and drop naersk

---
 flake.lock | 45 ++++------------------------
 flake.nix | 74 ++++++++++++++++++++++++++++--------------------
 nix/uefi-run.nix | 12 +++++---
 3 files changed, 57 insertions(+), 74 deletions(-)
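Review bot: The new `.map` closure still turns `pointer_to_raw_data` and `size_of_raw_data` into the range with `try_into().unwrap()` and an unchecked `+`, so a section header whose values do not convert or whose sum overflows `usize` panics the loader instead of yielding the `END_OF_FILE` error the chain already produces for a missing section. Keeping `and_then` and propagating with `?` maps those cases to `None`, which the existing `ok_or_else` then converts, and clippy's `bind_instead_of_map` no longer applies once the closure can return `None`. The `find` predicate's `s.name().unwrap()` on the preceding context line fails the same way for a section whose name does not decode (inferred from the `unwrap` on whatever `name()` returns), and `map_or(false, …)` avoids that. Whether the range is later bounds-checked against the file length is not visible here, and `initrd_location` begins before the hunk.
```rust
        .find(|s| s.name().map_or(false, |n| n == ".initrd"))
        .and_then(|s| {
            let section_start: usize = s.pointer_to_raw_data.try_into().ok()?;
            let section_size: usize = s.size_of_raw_data.try_into().ok()?;
            let end = section_start.checked_add(section_size)?;
            Some(Range { start: section_start, end })
        })
        .ok_or_else(|| Status::END_OF_FILE.into())
```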
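Review bot: `#![allow(clippy::needless_lifetimes)]` and `#![allow(clippy::bind_instead_of_map)]` are inner attributes, so they silence both lints for every item in `pe_section.rs`, present and future, while the comments justify them only for the `and_then` closure and the explicit lifetimes of the existing functions. Outer `#[allow(...)]` attributes placed directly on the functions that need them, with the same explanatory comments moved alongside, keep the suppression scoped to the code it was written for. If the `needless_lifetimes` report is a false positive on a signature that elision cannot express, naming that function in the comment helps the next reader judge whether the allow is still needed.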
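Review bot: The rewritten line keeps `core::str::from_utf8(data).unwrap()`, which panics when the named section of the on-disk image contains bytes that are not valid UTF-8, so a corrupted or hand-edited PE file halts the loader instead of producing a recoverable `None`. `pe_section(file_data, section_name).and_then(|data| core::str::from_utf8(data).ok()).map(str::to_owned)` returns `None` for undecodable contents with the same signature; `ToOwned` is already imported at the top of the file. Whether callers need to distinguish a missing section from an undecodable one is not visible in this hunk.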
diff --git a/flake.lock b/flake.lock
index a6a08a2..3f8cce3 100644
--- a/flake.lock
+++ b/flake.lock
@@ -69,24 +69,6 @@
 "type": "github"
 }
 },
- "naersk": {
- "inputs": {
- "nixpkgs": "nixpkgs"
- },
- "locked": {
- "lastModified": 1662220400,
- "narHash": "sha256-9o2OGQqu4xyLZP9K6kNe1pTHnyPz0Wr3raGYnr9AIgY=",
- "owner": "nix-community",
- "repo": "naersk",
- "rev": "6944160c19cb591eb85bbf9b2f2768a935623ed3",
- "type": "github"
- },
- "original": {
- "owner": "nix-community",
- "repo": "naersk",
- "type": "github"
- }
- },
 "nixpkgs": {
 "locked": {
 "lastModified": 1669535121,
@@ -97,8 +79,10 @@
 "type": "github"
 },
 "original": {
- "id": "nixpkgs",
- "type": "indirect"
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
 }
 },
 "nixpkgs-test": {
@@ -118,22 +102,6 @@
 }
 },
 "nixpkgs_2": {
- "locked": {
- "lastModified": 1669535121,
- "narHash": "sha256-koZLM7oWVGrjyHnYDo7/w5qlmUn9UZUKSFNfmIjueE8=",
- "owner": "NixOS",
- "repo": "nixpkgs",
- "rev": "b45ec953794bb07922f0468152ad1ebaf8a084b3",
- "type": "github"
- },
- "original": {
- "owner": "NixOS",
- "ref": "nixpkgs-unstable",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
- "nixpkgs_3": {
 "locked": {
 "lastModified": 1665296151,
 "narHash": "sha256-uOB0oxqxN9K7XGF1hcnY+PQnlQJ+3bP2vCn/+Ru/bbc=",
@@ -152,8 +120,7 @@
 "root": {
 "inputs": {
 "crane": "crane",
- "naersk": "naersk",
- "nixpkgs": "nixpkgs_2",
+ "nixpkgs": "nixpkgs",
 "nixpkgs-test": "nixpkgs-test",
 "rust-overlay": "rust-overlay_2"
 }
@@ -186,7 +153,7 @@
 "rust-overlay_2": {
 "inputs": {
 "flake-utils": "flake-utils_2",
- "nixpkgs": "nixpkgs_3"
+ "nixpkgs": "nixpkgs_2"
 },
 "locked": {
 "lastModified": 1669602829,
diff --git a/flake.nix b/flake.nix
index bdb5e22..80912fe 100644
--- a/flake.nix
+++ b/flake.nix
@@ -11,10 +11,9 @@
 nixpkgs-test.url = "github:RaitoBezarius/nixpkgs/experimental-secureboot";
 rust-overlay.url = "github:oxalica/rust-overlay";
- naersk.url = "github:nix-community/naersk";
 };
- outputs = { self, nixpkgs, crane, nixpkgs-test, rust-overlay, naersk }:
+ outputs = { self, nixpkgs, crane, nixpkgs-test, rust-overlay }:
 let
 pkgs = import nixpkgs {
 system = "x86_64-linux";
@@ -28,40 +27,56 @@
 rust-nightly = pkgs.rust-bin.fromRustupToolchainFile ./rust/lanzaboote/rust-toolchain.toml;
 craneLib = crane.lib.x86_64-linux.overrideToolchain rust-nightly;
- naersk-nightly = pkgs.callPackage naersk {
- cargo = rust-nightly;
- rustc = rust-nightly;
- };
-
 uefi-run = pkgs.callPackage ./nix/uefi-run.nix {
- naersk = naersk-nightly;
+ inherit craneLib;
 };
- buildRustEfiApp = src: naersk-nightly.buildPackage {
- inherit src;
- cargoBuildOptions = old: old ++ [
- "--target x86_64-unknown-uefi"
- ];
- };
+ # Build attributes for a Rust application.
+ buildRustApp = {
+ src, target ? null, doCheck ? true
+ }: let
+ cleanedSrc = craneLib.cleanCargoSource src;
+ commonArgs = {
+ src = cleanedSrc;
+ CARGO_BUILD_TARGET = target;
+ inherit doCheck;
+ };
- buildRustLinuxApp = src: naersk-nightly.buildPackage {
- inherit src;
+ cargoArtifacts = craneLib.buildDepsOnly commonArgs;
+ in {
+ package = craneLib.buildPackage (commonArgs // {
+ inherit cargoArtifacts;
+ });
+ clippy = craneLib.cargoClippy (commonArgs // {
+ inherit cargoArtifacts;
+ cargoClippyExtraArgs = "-- --deny warnings";
+ });
 };
 # This is basically an empty EFI application that we use as a
 # carrier for the initrd.
- initrd-stub = buildRustEfiApp ./rust/initrd-stub;
-
- lanzaboote = buildRustEfiApp ./rust/lanzaboote;
-
- lanzatool-unwrapped-src = craneLib.cleanCargoSource ./rust/lanzatool;
- lanzatool-unwrapped-deps = craneLib.buildDepsOnly { src = lanzatool-unwrapped-src; };
-
- lanzatool-unwrapped = craneLib.buildPackage {
- src = lanzatool-unwrapped-src;
- cargoArtifacts = lanzatool-unwrapped-deps;
+ initrdStubCrane = buildRustApp {
+ src = ./rust/initrd-stub;
+ target = "x86_64-unknown-uefi";
+ doCheck = false;
 };
+ lanzabooteCrane = buildRustApp {
+ src = ./rust/lanzaboote;
+ target = "x86_64-unknown-uefi";
+ doCheck = false;
+ };
+
+ initrd-stub = initrdStubCrane.package;
+ lanzaboote = lanzabooteCrane.package;
+
+ lanzatoolCrane = buildRustApp {
+ src = ./rust/lanzatool;
+ };
+
+ lanzatool-unwrapped = lanzatoolCrane.package;
+
 lanzatool = pkgs.runCommand "lanzatool" {
 nativeBuildInputs = [ pkgs.makeWrapper ];
 } ''
@@ -159,11 +174,8 @@
 };
 in {
- lanzatool-unwrapped-clippy = craneLib.cargoClippy {
- src = lanzatool-unwrapped-src;
- cargoArtifacts = lanzatool-unwrapped-deps;
- cargoClippyExtraArgs = "--all-targets -- --deny warnings";
- };
+ lanzatool-clippy = lanzatoolCrane.clippy;
+ lanzaboote-clippy = lanzabooteCrane.clippy;
 # TODO: user mode: OK
 # TODO: how to get in: {deployed, audited} mode ?
diff --git a/nix/uefi-run.nix b/nix/uefi-run.nix
index f2ae3b6..4f13d6b 100644
--- a/nix/uefi-run.nix
+++ b/nix/uefi-run.nix
@@ -1,5 +1,5 @@
-{ fetchFromGitHub, naersk, makeWrapper, OVMF, qemu }:
-naersk.buildPackage {
+{ fetchFromGitHub, craneLib, makeWrapper, OVMF, qemu }:
+craneLib.buildPackage {
 src = fetchFromGitHub {
 owner = "Richard-W";
 repo = "uefi-run";
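Review bot: `cargoClippyExtraArgs = "-- --deny warnings";` in the new `buildRustApp` drops the `--all-targets` that the removed `lanzatool-unwrapped-clippy` block in the following `@@ -159,11 +174,8 @@` hunk passed, so lanzatool's test, example and bench targets are no longer linted under `--deny warnings`. Passing it only when no cross target is set, `cargoClippyExtraArgs = if target == null then "--all-targets -- --deny warnings" else "-- --deny warnings";`, restores the previous coverage for lanzatool without assuming the UEFI crates can build their test targets, which this diff does not show. The same later hunk renames the flake output from `lanzatool-unwrapped-clippy` to `lanzatool-clippy`, so anything that referenced the old attribute needs the new name. The `let` this hunk edits begins before line 27 and is not shown in full.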
@@ -11,7 +11,11 @@ naersk.buildPackage {
 nativeBuildInputs = [ makeWrapper ];
 postInstall = ''
- wrapProgram "$out/bin/uefi-run" \
- --add-flags '--bios-path ${OVMF.fd}/FV/OVMF.fd --qemu-path ${qemu}/bin/qemu-system-x86_64'
+ # The hook runs for the dependency-only derivation where the binary is not
+ # produced. We need to skip it there.
+ if [ -f $out/bin/uefi-run ]; then
+ wrapProgram "$out/bin/uefi-run" \
+ --add-flags '--bios-path ${OVMF.fd}/FV/OVMF.fd --qemu-path ${qemu}/bin/qemu-system-x86_64'
+ fi
 '';
 }
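Review bot: The `if [ -f $out/bin/uefi-run ]` guard papers over `postInstall` running in the dependency-only derivation, which happens because the `craneLib.buildPackage` call in the first hunk of this file (`@@ -1,5 +1,5 @@`) passes no `cargoArtifacts`, so crane derives them from the same argument set, hook included (inferred from the added comment and crane's default behaviour). Building the dependencies first with only `src` and attaching `postInstall` to the final package alone removes the runtime check, and the deps-only derivation then no longer needs `makeWrapper`, `OVMF` and `qemu` as build inputs. Independently, `$out` is unquoted in the test while the `wrapProgram` line quotes it; `if [ -f "$out/bin/uefi-run" ]; then` keeps the two consistent. The remaining `fetchFromGitHub` attributes between the two hunks are not shown.
```nix
{ fetchFromGitHub, craneLib, makeWrapper, OVMF, qemu }:
let
  src = fetchFromGitHub {
    owner = "Richard-W";
    repo = "uefi-run";
    # … unchanged: remaining fetchFromGitHub attributes …
  };
  cargoArtifacts = craneLib.buildDepsOnly { inherit src; };
in
craneLib.buildPackage {
  inherit src cargoArtifacts;
  nativeBuildInputs = [ makeWrapper ];
  postInstall = ''
    wrapProgram "$out/bin/uefi-run" \
      --add-flags '--bios-path ${OVMF.fd}/FV/OVMF.fd --qemu-path ${qemu}/bin/qemu-system-x86_64'
  '';
}
```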