WiP flake.nix: make docker image usable for testing as well, target: qemu-coreboot-whiptail-tpm2 with swtpm and canokey for smartcard

- include nix tools inside of the docker to be able to call the garbage collector prior of creating docker. - protect roots from garbage collection (WiP) - Requires external preparation call so that nix (the binary) is not wiped as well. See NIX_REPRO_NOTES at the end of the file for repro notes - Could probably be improved. Works as of now and created a 4Gb vs 3.02Gb docker image I'm uploading now. - CircleCI bumped to use v0.0.9 version including this - CircleCI now depending on flake.lock for all cache layers. Will rebuild clean once again So now we have qemu with canokey support in image, nix basic tools inside of container. Possible to call docker with DISPLAY, see NIX_REPRO_NOTES as of now. That feels nice. No need of USB security dongle to have TPM based TPMTOTP nor detach sign? Not tested but feature is there TODO: - make docker creating nicer in the Nix way. - Add canokey support under targets/qemu.mk - add canokey board version At least we have reproducible stack and testing stack being in same docker image. Docker image moved from 991.18MB (v0.0.8) to 1.18GB (v0.0.9) - And I tried to clean binaries of symbols here! Seems like I do not know enough of the Nix way here. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-18 20:47:55 +00:00 · 2024-05-02 14:57:05 -04:00 · 2024-05-02 14:57:05 -04:00 · 46cad549ef
commit 46cad549ef
parent 6070d8f6f0
5 changed files with 160 additions and 109 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -45,7 +45,7 @@ commands:
 jobs:
  prep_env:
    docker:
-      - image: tlaurion/heads-dev-env:v0.0.8
+      - image: tlaurion/heads-dev-env:v0.0.9
    resource_class: large
    working_directory: ~/heads
    steps:
@ -61,15 +61,15 @@ jobs:
      - run:
          name: Creating all modules and patches digest (All modules cache digest)
          command: |
-            find ./Makefile ./patches/ ./modules/ -type f | sort -h |xargs sha256sum > ./tmpDir/all_modules_and_patches.sha256sums
+            find ./Makefile ./flake.lock ./patches/ ./modules/ -type f | sort -h |xargs sha256sum > ./tmpDir/all_modules_and_patches.sha256sums
      - run:
          name: Creating coreboot (and associated patches) and musl-cross-make modules digest (musl-cross-make and coreboot cache digest)
          command: |
-            find ./Makefile ./modules/coreboot ./modules/musl-cross* ./patches/coreboot* -type f | sort -h | xargs sha256sum > ./tmpDir/coreboot_musl-cross.sha256sums
+            find ./Makefile ./flake.lock ./modules/coreboot ./modules/musl-cross* ./patches/coreboot* -type f | sort -h | xargs sha256sum > ./tmpDir/coreboot_musl-cross.sha256sums
      - run:
          name: Creating musl-cross-make and musl-cross-make patches digest (musl-cross-make cache digest)
          command: |
-            find ./Makefile modules/musl-cross* -type f | sort -h | xargs sha256sum > ./tmpDir/musl-cross.sha256sums
+            find ./Makefile ./flake.lock modules/musl-cross* -type f | sort -h | xargs sha256sum > ./tmpDir/musl-cross.sha256sums
      - restore_cache:
          # First matched/found key wins and following keys are not tried
          keys:
@ -111,7 +111,7 @@ jobs:

  build_and_persist:
    docker:
-      - image: tlaurion/heads-dev-env:v0.0.8
+      - image: tlaurion/heads-dev-env:v0.0.9
    resource_class: large
    working_directory: ~/heads
    parameters:
@ -139,7 +139,7 @@ jobs:

  build:
    docker:
-      - image: tlaurion/heads-dev-env:v0.0.8
+      - image: tlaurion/heads-dev-env:v0.0.9
    resource_class: large
    working_directory: ~/heads
    parameters:
@ -160,7 +160,7 @@ jobs:

  save_cache:
    docker:
-      - image: tlaurion/heads-dev-env:v0.0.8
+      - image: tlaurion/heads-dev-env:v0.0.9
    resource_class: large
    working_directory: ~/heads
    steps:
--- a/19
+++ b/19
@ -56,3 +56,22 @@ Some raw and incomplete notes on how to push that docker to dockerhub
 docker tag linuxboot/heads:dev-env tlaurion/heads-dev-env:v0.0.3
 docker push tlaurion/heads-dev-env:v0.0.3
 (to be continued)
+
+-------------------
+
+#To create the docker image, I was not able to set gcroot dynamically, so here are the manual steps so nix is not wiped per garbage collector
+mkdir -p /nix/var/nix/gcroots/per-user/$(whoami)
+ln -sfn $(readlink -f $HOME/.nix-profile) /nix/var/nix/gcroots/per-user/$(whoami)/profile
+
+#And then build derivates and cal garbarrge collection (not yet successfull since docker build fails now)
+nix build .#dockerImage && docker load < result && docker run --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) linuxboot/heads:dev-env
+
+#Use it
+docker run -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) linuxboot/heads:dev-env -- make BOARD=qemu-coreboot-whiptail-tpm2
+docker run -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) linuxboot/heads:dev-env -- make BOARD=qemu-coreboot-whiptail-tpm2 run
+
+#push it
+docker login
+docker tag linuxboot/heads:dev-env tlaurion/heads-dev-env:v0.0.9
+docker push tlaurion/heads-dev-env:v0.0.9
+
--- a/flake.lock
+++ b/flake.lock
@ -20,11 +20,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1711703276,
-        "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=",
+        "lastModified": 1714253743,
+        "narHash": "sha256-mdTQw2XlariysyScCv2tTE45QSU9v/ezLcHJ22f0Nxc=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089",
+        "rev": "58a1abdbae3217ca6b702f03d3b35125d88a2994",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -1,87 +1,111 @@
 {
-  description = "heads flake, mostly for devshell for now";
+  description = "Optimized heads flake for Docker image with garbage collection protection";

+  # Inputs define external dependencies and their sources.
  inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
-    flake-utils.url = "github:numtide/flake-utils";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; # Using the unstable channel for the latest packages, while flake.lock fixates the commit reused until changed.
+    flake-utils.url = "github:numtide/flake-utils"; # Utilities for flake functionality.
  };

-  outputs = {
-    self,
-    flake-utils,
-    nixpkgs,
-    ...
-  }:
+  # Outputs are the result of the flake, including the development environment and Docker image.
+  outputs = { self, nixpkgs, flake-utils, ... }:
    flake-utils.lib.eachDefaultSystem (system: let
-      pkgs = nixpkgs.legacyPackages.${system};
-      lib = pkgs.lib;
-      deps = with pkgs;
-        [
-          autoconf
-          automake
-          bashInteractive
-          coreutils
-          bc
-          bison # Generate flashmap descriptor parser
-          bzip2
-          cacert
-          ccache
-          cmake
-          cpio
-          curl
-          diffutils
-          dtc
-          e2fsprogs
-          elfutils
-          findutils
-          flex
-          gawk
-          git
-          gnat
-          gnugrep
-          gnumake
-          gnused
-          gnutar
-          gzip
-          imagemagick
-          innoextract
-          libtool
-          m4
-          ncurses5 # make menuconfig and slang
-          openssl #needed for talos-2 kernel build
-          parted
-          patch
-          perl
-          pkg-config
-          python3
-          rsync
-          sharutils
-          texinfo
-          unzip
-          wget
-          which
-          xz
-          zip
-          zlib
-          zlib.dev
-        ]
-        ++ [
-          # blobs/xx30/vbios_[tw]530.sh
-          bundler
-          p7zip
-          ruby
-          sudo # ( °-° )
-          upx
-        ]
-        ++ [
-          # debugging/fixing/testing
-          qemu
-          vim
-        ];
+      pkgs = nixpkgs.legacyPackages.${system}; # Accessing the legacy package set.
+      lib = pkgs.lib; # The standard Nix packages library.
+
+      # Dependencies are the packages required for the Heads project.
+      # Organized into subsets for clarity and maintainability.
+      deps = with pkgs; [
+        # Core build utilities
+        autoconf
+        automake
+        bashInteractive
+        coreutils
+        bc
+        bison
+        bzip2
+        cacert
+        ccache
+        cmake
+        cpio
+        curl
+        diffutils
+        dtc
+        e2fsprogs
+        elfutils
+        findutils
+        flex
+        gawk
+        git
+        gnat
+        gnugrep
+        gnumake
+        gnused
+        gnutar
+        gzip
+        imagemagick # For bootsplash manipulation.
+        innoextract # ROM extraction for dGPU.
+        libtool
+        m4
+        ncurses5
+        openssl
+        parted
+        patch
+        perl
+        pkg-config
+        python3 # me_cleaner, coreboot.
+        rsync # coreboot.
+        sharutils
+        texinfo
+        unzip
+        wget
+        which
+        xz
+        zip
+        zlib
+        zlib.dev
+      ] ++ [
+        # Packages for qemu support with Canokey integration.
+        qemu # To test make BOARD=qemu-coreboot-* boards and then call make BOARD=qemu-coreboot-* with inject_gpg statement, and then run statement (RTFM).
+        canokey-qemu # Canokey lib for qemu build-time compilation.
+        (qemu.override {
+          canokeySupport = true; # This override enables Canokey support in QEMU, resulting in -device canokey being available.
+        })
+      ] ++ [
+        # Additional tools for editing and testing.
+        vim # Mostly used amongst us, sorry if you'd like something else, open issue.
+        swtpm # QEMU requirement to emulate tpm1/tpm2.
+        dosfstools # QEMU requirement to produce valid fs to store exported public key to be fused through inject_key on qemu (so qemu flashrom emulated SPI support).
+      ] ++ [
+        # Tools for handling binary blobs and compression.
+        bundler
+        p7zip
+        ruby
+        sudo
+        upx
+      ];
+
+      # Stripping binaries to reduce size, while ensuring functionality is not affected.
+      stripBinaries = map (pkg: if pkg?isDerivation then pkg.overrideAttrs (oldAttrs: {
+        postInstall = oldAttrs.postInstall or "" + ''
+          strip $out/bin/* || true
+        '';
+      }) else pkg) deps;
+
    in {
+      # The development shell includes all the dependencies.
      devShell = pkgs.mkShellNoCC {
-        buildInputs = deps;
+        buildInputs = stripBinaries ++ [ pkgs.nix ]; # Include the Nix package to provide nix-collect-garbage.
+        shellHook = ''
+          # Create a garbage collection root for the Nix profile
+          mkdir -p /nix/var/nix/gcroots/per-user/$(whoami)
+          echo $(readlink -f $HOME/.nix-profile) > /nix/var/nix/gcroots/per-user/$(whoami)/profile
+          # Perform garbage collection to clean up any unnecessary files.
+          nix-collect-garbage -d
+        '';
      };
+
+      # myDevShell outputs environment variables necessary for development.
      packages.myDevShell =
        pkgs.runCommand "my-dev-shell" {}
        #bash
@ -95,35 +119,43 @@
            -e ACLOCAL_PATH \
            ${self.devShell.${system}} >$out
        '';
+
+      # Docker image configuration for the Heads project.
      packages.dockerImage = pkgs.dockerTools.buildLayeredImage {
-        name = "linuxboot/heads";
-        tag = "dev-env";
-        config.Entrypoint = ["bash" "-c" ''source /devenv.sh; if (( $# == 0 )); then exec bash; else exec "$0" "$@"; fi''];
-        contents =
-          deps
-          ++ [
-            pkgs.dockerTools.binSh
-            pkgs.dockerTools.caCertificates
-            pkgs.dockerTools.usrBinEnv
-          ];
-        enableFakechroot = true;
+        name = "linuxboot/heads"; # Image name.
+        tag = "dev-env"; # Image tag.
+        config.Entrypoint = ["bash" "-c" ''source /devenv.sh; if (( $# == 0 )); then exec bash; else exec "$@"; fi'']; # Entrypoint configuration.
+        
+        # Contents of the Docker image, including stripped binaries for size optimization.
+        contents = stripBinaries ++ [
+          pkgs.dockerTools.binSh
+          pkgs.dockerTools.caCertificates
+          pkgs.dockerTools.usrBinEnv
+        ];
+        
+        enableFakechroot = true; # Enable fakechroot for compatibility.
+        
+        # Fake root commands to set up the environment inside the Docker image.
        fakeRootCommands =
          #bash
          ''
-            set -e
+          set -e

-            grep \
-              -e NIX_CC_WRAPPER_TARGET_TARGET \
-              -e NIX_CFLAGS_COMPILE_FOR_TARGET \
-              -e NIX_LDFLAGS_FOR_TARGET \
-              -e NIX_PKG_CONFIG_WRAPPER_TARGET \
-              -e PKG_CONFIG_PATH_FOR_TARGET \
-              -e ACLOCAL_PATH \
-              ${self.devShell.${system}} >/devenv.sh
+          # Environment setup for the development shell.
+          grep \
+            -e NIX_CC_WRAPPER_TARGET_TARGET \
+            -e NIX_CFLAGS_COMPILE_FOR_TARGET \
+            -e NIX_LDFLAGS_FOR_TARGET \
+            -e NIX_PKG_CONFIG_WRAPPER_TARGET \
+            -e PKG_CONFIG_PATH_FOR_TARGET \
+            -e ACLOCAL_PATH \
+            ${self.devShell.${system}} >/devenv.sh

-            printf '[safe]\n\tdirectory = *\n' >/.gitconfig
-            mkdir /tmp;
-          '';
+            # Git configuration for safe directory access.
+          printf '[safe]\n\tdirectory = *\n' >/.gitconfig
+            mkdir /tmp; # Temporary directory for various operations.
+        '';
      };
    });
 }
+
--- a/targets/qemu.mk
+++ b/targets/qemu.mk
@ -16,7 +16,7 @@ endif

 ifeq "$(CONFIG_TPM2_TSS)" "y"
 SWTPM_TPMVER := --tpm2
-SWTPM_PRESETUP := swtpm_setup --create-config-files skip-if-exist
+SWTPM_PRESETUP := swtpm_setup --create-config-files root skip-if-exist
 else
 # TPM1 is the default
 SWTPM_TPMVER :=