treewide: format with nixpkgs-fmt
This commit is contained in:
parent
07fc31613e
commit
eb9b1bbbe3
163
flake.nix
163
flake.nix
|
@ -40,28 +40,32 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
# Build attributes for a Rust application.
|
# Build attributes for a Rust application.
|
||||||
buildRustApp = {
|
buildRustApp =
|
||||||
src, target ? null, doCheck ? true
|
{ src
|
||||||
}: let
|
, target ? null
|
||||||
cleanedSrc = craneLib.cleanCargoSource src;
|
, doCheck ? true
|
||||||
commonArgs = {
|
}:
|
||||||
src = cleanedSrc;
|
let
|
||||||
CARGO_BUILD_TARGET = target;
|
cleanedSrc = craneLib.cleanCargoSource src;
|
||||||
inherit doCheck;
|
commonArgs = {
|
||||||
|
src = cleanedSrc;
|
||||||
|
CARGO_BUILD_TARGET = target;
|
||||||
|
inherit doCheck;
|
||||||
|
};
|
||||||
|
|
||||||
|
cargoArtifacts = craneLib.buildDepsOnly commonArgs;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
package = craneLib.buildPackage (commonArgs // {
|
||||||
|
inherit cargoArtifacts;
|
||||||
|
});
|
||||||
|
|
||||||
|
clippy = craneLib.cargoClippy (commonArgs // {
|
||||||
|
inherit cargoArtifacts;
|
||||||
|
cargoClippyExtraArgs = "-- --deny warnings";
|
||||||
|
});
|
||||||
};
|
};
|
||||||
|
|
||||||
cargoArtifacts = craneLib.buildDepsOnly commonArgs;
|
|
||||||
in {
|
|
||||||
package = craneLib.buildPackage (commonArgs // {
|
|
||||||
inherit cargoArtifacts;
|
|
||||||
});
|
|
||||||
|
|
||||||
clippy = craneLib.cargoClippy (commonArgs // {
|
|
||||||
inherit cargoArtifacts;
|
|
||||||
cargoClippyExtraArgs = "-- --deny warnings";
|
|
||||||
});
|
|
||||||
};
|
|
||||||
|
|
||||||
lanzabooteCrane = buildRustApp {
|
lanzabooteCrane = buildRustApp {
|
||||||
src = ./rust/lanzaboote;
|
src = ./rust/lanzaboote;
|
||||||
target = "x86_64-unknown-uefi";
|
target = "x86_64-unknown-uefi";
|
||||||
|
@ -76,9 +80,10 @@
|
||||||
|
|
||||||
lanzatool-unwrapped = lanzatoolCrane.package;
|
lanzatool-unwrapped = lanzatoolCrane.package;
|
||||||
|
|
||||||
lanzatool = pkgs.runCommand "lanzatool" {
|
lanzatool = pkgs.runCommand "lanzatool"
|
||||||
nativeBuildInputs = [ pkgs.makeWrapper ];
|
{
|
||||||
} ''
|
nativeBuildInputs = [ pkgs.makeWrapper ];
|
||||||
|
} ''
|
||||||
mkdir -p $out/bin
|
mkdir -p $out/bin
|
||||||
|
|
||||||
# Clean PATH to only contain what we need to do objcopy. Also
|
# Clean PATH to only contain what we need to do objcopy. Also
|
||||||
|
@ -88,7 +93,8 @@
|
||||||
--set RUST_BACKTRACE full \
|
--set RUST_BACKTRACE full \
|
||||||
--set LANZABOOTE_STUB ${lanzaboote}/bin/lanzaboote.efi
|
--set LANZABOOTE_STUB ${lanzaboote}/bin/lanzaboote.efi
|
||||||
'';
|
'';
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
overlays.default = final: prev: {
|
overlays.default = final: prev: {
|
||||||
inherit lanzatool;
|
inherit lanzatool;
|
||||||
};
|
};
|
||||||
|
@ -122,65 +128,66 @@
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
checks.x86_64-linux = let
|
checks.x86_64-linux =
|
||||||
mkSecureBootTest = { name, machine ? {}, testScript }: nixpkgs-test.legacyPackages.x86_64-linux.nixosTest {
|
let
|
||||||
inherit name testScript;
|
mkSecureBootTest = { name, machine ? { }, testScript }: nixpkgs-test.legacyPackages.x86_64-linux.nixosTest {
|
||||||
nodes.machine = { lib, ... }: {
|
inherit name testScript;
|
||||||
imports = [
|
nodes.machine = { lib, ... }: {
|
||||||
self.nixosModules.lanzaboote
|
imports = [
|
||||||
machine
|
self.nixosModules.lanzaboote
|
||||||
];
|
machine
|
||||||
|
];
|
||||||
|
|
||||||
nixpkgs.overlays = [ self.overlays.default ];
|
nixpkgs.overlays = [ self.overlays.default ];
|
||||||
|
|
||||||
virtualisation = {
|
virtualisation = {
|
||||||
useBootLoader = true;
|
useBootLoader = true;
|
||||||
useEFIBoot = true;
|
useEFIBoot = true;
|
||||||
useSecureBoot = true;
|
useSecureBoot = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
boot.loader.efi = {
|
boot.loader.efi = {
|
||||||
canTouchEfiVariables = true;
|
canTouchEfiVariables = true;
|
||||||
};
|
};
|
||||||
boot.lanzaboote = {
|
boot.lanzaboote = {
|
||||||
enable = true;
|
enable = true;
|
||||||
enrollKeys = lib.mkDefault true;
|
enrollKeys = lib.mkDefault true;
|
||||||
pkiBundle = ./pki;
|
pkiBundle = ./pki;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
|
||||||
|
|
||||||
# Execute a boot test that is intended to fail.
|
# Execute a boot test that is intended to fail.
|
||||||
#
|
#
|
||||||
mkUnsignedTest = { name, path, appendCrap ? false }: mkSecureBootTest {
|
mkUnsignedTest = { name, path, appendCrap ? false }: mkSecureBootTest {
|
||||||
inherit name;
|
inherit name;
|
||||||
testScript = ''
|
testScript = ''
|
||||||
import json
|
import json
|
||||||
import os.path
|
import os.path
|
||||||
bootspec = None
|
bootspec = None
|
||||||
|
|
||||||
def convert_to_esp(store_file_path):
|
def convert_to_esp(store_file_path):
|
||||||
store_dir = os.path.basename(os.path.dirname(store_file_path))
|
store_dir = os.path.basename(os.path.dirname(store_file_path))
|
||||||
filename = os.path.basename(store_file_path)
|
filename = os.path.basename(store_file_path)
|
||||||
return f'/boot/EFI/nixos/{store_dir}-{filename}.efi'
|
return f'/boot/EFI/nixos/{store_dir}-{filename}.efi'
|
||||||
|
|
||||||
machine.start()
|
machine.start()
|
||||||
bootspec = json.loads(machine.succeed("cat /run/current-system/boot.json")).get('v1')
|
bootspec = json.loads(machine.succeed("cat /run/current-system/boot.json")).get('v1')
|
||||||
assert bootspec is not None, "Unsupported bootspec version!"
|
assert bootspec is not None, "Unsupported bootspec version!"
|
||||||
src_path = ${path.src}
|
src_path = ${path.src}
|
||||||
dst_path = ${path.dst}
|
dst_path = ${path.dst}
|
||||||
machine.succeed(f"cp -rf {src_path} {dst_path}")
|
machine.succeed(f"cp -rf {src_path} {dst_path}")
|
||||||
'' + lib.optionalString appendCrap ''
|
'' + lib.optionalString appendCrap ''
|
||||||
machine.succeed(f"echo Foo >> {dst_path}")
|
machine.succeed(f"echo Foo >> {dst_path}")
|
||||||
'' +
|
'' +
|
||||||
''
|
''
|
||||||
machine.succeed("sync")
|
machine.succeed("sync")
|
||||||
machine.crash()
|
machine.crash()
|
||||||
machine.start()
|
machine.start()
|
||||||
machine.wait_for_console_text("Hash mismatch")
|
machine.wait_for_console_text("Hash mismatch")
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
lanzatool-clippy = lanzatoolCrane.clippy;
|
lanzatool-clippy = lanzatoolCrane.clippy;
|
||||||
lanzaboote-clippy = lanzabooteCrane.clippy;
|
lanzaboote-clippy = lanzabooteCrane.clippy;
|
||||||
|
@ -225,9 +232,9 @@
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
testScript = ''
|
testScript = ''
|
||||||
machine.start()
|
machine.start()
|
||||||
assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
|
assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
# The initrd is not directly signed. Its hash is embedded
|
# The initrd is not directly signed. Its hash is embedded
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ lib, config, pkgs, ... }:
|
{ lib, config, pkgs, ... }:
|
||||||
with lib;
|
with lib;
|
||||||
let
|
let
|
||||||
cfg = config.boot.lanzaboote;
|
cfg = config.boot.lanzaboote;
|
||||||
|
|
Loading…
Reference in New Issue