min
/
lanzaboote
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #22 from nix-community/crane 

Drop Naersk and Enable Clippy for lanzaboote
This commit is contained in:
Ryan Lahfa 2022-11-29 22:42:13 +01:00 committed by GitHub
parent c3e0e73b82 28bb93c5f3
commit e496b60be1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 77 additions and 89 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
flake.lock
View File

@ -10,11 +10,11 @@
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1668993159, "lastModified": 1669605882,
"narHash": "sha256-9BVTtPFrHRh0HbeEm2bmXsoIWRj1tKM6Nvfl7VMK/X8=", "narHash": "sha256-TiQtL5sUI5rp28S63v+VX25qNjcrc8Xeu+shf3g7Tj4=",
"owner": "ipetkov", "owner": "ipetkov",
"repo": "crane", "repo": "crane",
"rev": "c61d98aaea5667607a36bafe5a6fa87fe5bb2c7e", "rev": "24591d5f8cc979f7b243b88a2d39da09976970ad",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -69,36 +69,20 @@
"type": "github" "type": "github"
} }
}, },
"naersk": {
"inputs": {
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1662220400,
"narHash": "sha256-9o2OGQqu4xyLZP9K6kNe1pTHnyPz0Wr3raGYnr9AIgY=",
"owner": "nix-community",
"repo": "naersk",
"rev": "6944160c19cb591eb85bbf9b2f2768a935623ed3",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "naersk",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1669207345, "lastModified": 1669535121,
"narHash": "sha256-KwfRW0f70Y19EkbB6D9wy7AoYqCYPuIL/2taiJPvuxg=", "narHash": "sha256-koZLM7oWVGrjyHnYDo7/w5qlmUn9UZUKSFNfmIjueE8=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "3ea5616c21dd186129f90a86c66352359a45cb07", "rev": "b45ec953794bb07922f0468152ad1ebaf8a084b3",
"type": "github" "type": "github"
}, },
"original": { "original": {
"id": "nixpkgs", "owner": "NixOS",
"type": "indirect" "ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
} }
}, },
"nixpkgs-test": { "nixpkgs-test": {
@ -118,22 +102,6 @@
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": {
"lastModified": 1669207345,
"narHash": "sha256-KwfRW0f70Y19EkbB6D9wy7AoYqCYPuIL/2taiJPvuxg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3ea5616c21dd186129f90a86c66352359a45cb07",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1665296151, "lastModified": 1665296151,
"narHash": "sha256-uOB0oxqxN9K7XGF1hcnY+PQnlQJ+3bP2vCn/+Ru/bbc=", "narHash": "sha256-uOB0oxqxN9K7XGF1hcnY+PQnlQJ+3bP2vCn/+Ru/bbc=",
@ -152,8 +120,7 @@
"root": { "root": {
"inputs": { "inputs": {
"crane": "crane", "crane": "crane",
"naersk": "naersk", "nixpkgs": "nixpkgs",
"nixpkgs": "nixpkgs_2",
"nixpkgs-test": "nixpkgs-test", "nixpkgs-test": "nixpkgs-test",
"rust-overlay": "rust-overlay_2" "rust-overlay": "rust-overlay_2"
} }
@ -186,14 +153,14 @@
"rust-overlay_2": { "rust-overlay_2": {
"inputs": { "inputs": {
"flake-utils": "flake-utils_2", "flake-utils": "flake-utils_2",
"nixpkgs": "nixpkgs_3" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"lastModified": 1669257187, "lastModified": 1669602829,
"narHash": "sha256-NURtNyepbHLrJs2kwsQ9u2SUKhuGU1T9mPkXasG9hpk=", "narHash": "sha256-I3LBvBiVui4Rf0iQvTqUIgBovaLDzpOzsoNEzCsDowg=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "018df6d3f900fc53d567045bd86208f5c00d8956", "rev": "b9da8e68a08707115be750c0cf7ade33f49d8ec4",
"type": "github" "type": "github"
}, },
"original": { "original": {

74
flake.nix
View File

@ -11,10 +11,9 @@
nixpkgs-test.url = "github:RaitoBezarius/nixpkgs/experimental-secureboot"; nixpkgs-test.url = "github:RaitoBezarius/nixpkgs/experimental-secureboot";
rust-overlay.url = "github:oxalica/rust-overlay"; rust-overlay.url = "github:oxalica/rust-overlay";
naersk.url = "github:nix-community/naersk";
}; };
outputs = { self, nixpkgs, crane, nixpkgs-test, rust-overlay, naersk }: outputs = { self, nixpkgs, crane, nixpkgs-test, rust-overlay }:
let let
pkgs = import nixpkgs { pkgs = import nixpkgs {
system = "x86_64-linux"; system = "x86_64-linux";
@ -28,40 +27,56 @@
rust-nightly = pkgs.rust-bin.fromRustupToolchainFile ./rust/lanzaboote/rust-toolchain.toml; rust-nightly = pkgs.rust-bin.fromRustupToolchainFile ./rust/lanzaboote/rust-toolchain.toml;
craneLib = crane.lib.x86_64-linux.overrideToolchain rust-nightly; craneLib = crane.lib.x86_64-linux.overrideToolchain rust-nightly;
naersk-nightly = pkgs.callPackage naersk {
cargo = rust-nightly;
rustc = rust-nightly;
};
uefi-run = pkgs.callPackage ./nix/uefi-run.nix { uefi-run = pkgs.callPackage ./nix/uefi-run.nix {
naersk = naersk-nightly; inherit craneLib;
}; };
buildRustEfiApp = src: naersk-nightly.buildPackage { # Build attributes for a Rust application.
inherit src; buildRustApp = {
cargoBuildOptions = old: old ++ [ src, target ? null, doCheck ? true
"--target x86_64-unknown-uefi" }: let
]; cleanedSrc = craneLib.cleanCargoSource src;
}; commonArgs = {
src = cleanedSrc;
CARGO_BUILD_TARGET = target;
inherit doCheck;
};
buildRustLinuxApp = src: naersk-nightly.buildPackage { cargoArtifacts = craneLib.buildDepsOnly commonArgs;
inherit src; in {
package = craneLib.buildPackage (commonArgs // {
inherit cargoArtifacts;
});
clippy = craneLib.cargoClippy (commonArgs // {
inherit cargoArtifacts;
cargoClippyExtraArgs = "-- --deny warnings";
});
}; };
# This is basically an empty EFI application that we use as a # This is basically an empty EFI application that we use as a
# carrier for the initrd. # carrier for the initrd.
initrd-stub = buildRustEfiApp ./rust/initrd-stub; initrdStubCrane = buildRustApp {
src = ./rust/initrd-stub;
lanzaboote = buildRustEfiApp ./rust/lanzaboote; target = "x86_64-unknown-uefi";
doCheck = false;
lanzatool-unwrapped-src = craneLib.cleanCargoSource ./rust/lanzatool;
lanzatool-unwrapped-deps = craneLib.buildDepsOnly { src = lanzatool-unwrapped-src; };
lanzatool-unwrapped = craneLib.buildPackage {
src = lanzatool-unwrapped-src;
cargoArtifacts = lanzatool-unwrapped-deps;
}; };
lanzabooteCrane = buildRustApp {
src = ./rust/lanzaboote;
target = "x86_64-unknown-uefi";
doCheck = false;
};
initrd-stub = initrdStubCrane.package;
lanzaboote = lanzabooteCrane.package;
lanzatoolCrane = buildRustApp {
src = ./rust/lanzatool;
};
lanzatool-unwrapped = lanzatoolCrane.package;
lanzatool = pkgs.runCommand "lanzatool" { lanzatool = pkgs.runCommand "lanzatool" {
nativeBuildInputs = [ pkgs.makeWrapper ]; nativeBuildInputs = [ pkgs.makeWrapper ];
} '' } ''
@ -159,11 +174,8 @@
}; };
in in
{ {
lanzatool-unwrapped-clippy = craneLib.cargoClippy { lanzatool-clippy = lanzatoolCrane.clippy;
src = lanzatool-unwrapped-src; lanzaboote-clippy = lanzabooteCrane.clippy;
cargoArtifacts = lanzatool-unwrapped-deps;
cargoClippyExtraArgs = "--all-targets -- --deny warnings";
};
# TODO: user mode: OK # TODO: user mode: OK
# TODO: how to get in: {deployed, audited} mode ? # TODO: how to get in: {deployed, audited} mode ?

12
nix/uefi-run.nix
View File

@ -1,5 +1,5 @@
{ fetchFromGitHub, naersk, makeWrapper, OVMF, qemu }: { fetchFromGitHub, craneLib, makeWrapper, OVMF, qemu }:
naersk.buildPackage { craneLib.buildPackage {
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "Richard-W"; owner = "Richard-W";
repo = "uefi-run"; repo = "uefi-run";
@ -11,7 +11,11 @@ naersk.buildPackage {
nativeBuildInputs = [ makeWrapper ]; nativeBuildInputs = [ makeWrapper ];
postInstall = '' postInstall = ''
wrapProgram "$out/bin/uefi-run" \ # The hook runs for the dependency-only derivation where the binary is not
--add-flags '--bios-path ${OVMF.fd}/FV/OVMF.fd --qemu-path ${qemu}/bin/qemu-system-x86_64' # produced. We need to skip it there.
if [ -f $out/bin/uefi-run ]; then
wrapProgram "$out/bin/uefi-run" \
--add-flags '--bios-path ${OVMF.fd}/FV/OVMF.fd --qemu-path ${qemu}/bin/qemu-system-x86_64'
fi
''; '';
} }

8
rust/lanzaboote/src/linux_loader.rs
View File

@ -147,16 +147,16 @@ fn initrd_location(initrd_efi: &mut RegularFile) -> Result<Range<usize>> {
.sections .sections
.iter() .iter()
.find(|s| s.name().unwrap() == ".initrd") .find(|s| s.name().unwrap() == ".initrd")
.and_then(|s| { .map(|s| {
let section_start: usize = s.pointer_to_raw_data.try_into().unwrap(); let section_start: usize = s.pointer_to_raw_data.try_into().unwrap();
let section_size: usize = s.size_of_raw_data.try_into().unwrap(); let section_size: usize = s.size_of_raw_data.try_into().unwrap();
Some(Range { Range {
start: section_start, start: section_start,
end: section_start + section_size, end: section_start + section_size,
}) }
}) })
.ok_or(Status::END_OF_FILE.into()) .ok_or_else(|| Status::END_OF_FILE.into())
} }
/// Check the signature of the initrd. /// Check the signature of the initrd.

9
rust/lanzaboote/src/pe_section.rs
View File

@ -1,3 +1,9 @@
// Clippy doesn't like the lifetimes, but rustc wants them. 🤷
#![allow(clippy::needless_lifetimes)]
// Clippy doesn't understand that we exit with ? from the closure in
// and_then below and this can't be expressed with map.
#![allow(clippy::bind_instead_of_map)]
use alloc::{borrow::ToOwned, string::String}; use alloc::{borrow::ToOwned, string::String};
/// Extracts the data of a section of a PE file. /// Extracts the data of a section of a PE file.
@ -20,6 +26,5 @@ pub fn pe_section<'a>(file_data: &'a [u8], section_name: &str) -> Option<&'a [u8
/// Extracts the data of a section of a PE file and returns it as a string. /// Extracts the data of a section of a PE file and returns it as a string.
pub fn pe_section_as_string<'a>(file_data: &'a [u8], section_name: &str) -> Option<String> { pub fn pe_section_as_string<'a>(file_data: &'a [u8], section_name: &str) -> Option<String> {
pe_section(file_data, section_name) pe_section(file_data, section_name).map(|data| core::str::from_utf8(data).unwrap().to_owned())
.and_then(|data| Some(core::str::from_utf8(data).unwrap().to_owned()))
} }