From 46cad549ef5b1de40dd36c61b824735d4217f8a1 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Thu, 2 May 2024 14:57:05 -0400 Subject: [PATCH] WiP flake.nix: make docker image usable for testing as well, target: qemu-coreboot-whiptail-tpm2 with swtpm and canokey for smartcard - include nix tools inside of the docker to be able to call the garbage collector prior of creating docker. - protect roots from garbage collection (WiP) - Requires external preparation call so that nix (the binary) is not wiped as well. See NIX_REPRO_NOTES at the end of the file for repro notes - Could probably be improved. Works as of now and created a 4Gb vs 3.02Gb docker image I'm uploading now. - CircleCI bumped to use v0.0.9 version including this - CircleCI now depending on flake.lock for all cache layers. Will rebuild clean once again So now we have qemu with canokey support in image, nix basic tools inside of container. Possible to call docker with DISPLAY, see NIX_REPRO_NOTES as of now. That feels nice. No need of USB security dongle to have TPM based TPMTOTP nor detach sign? Not tested but feature is there TODO: - make docker creating nicer in the Nix way. - Add canokey support under targets/qemu.mk - add canokey board version At least we have reproducible stack and testing stack being in same docker image. Docker image moved from 991.18MB (v0.0.8) to 1.18GB (v0.0.9) - And I tried to clean binaries of symbols here! Seems like I do not know enough of the Nix way here. Signed-off-by: Thierry Laurion --- .circleci/config.yml | 14 +-- NIX_REPRO_NOTES | 19 ++++ flake.lock | 6 +- flake.nix | 228 ++++++++++++++++++++++++------------------- targets/qemu.mk | 2 +- 5 files changed, 160 insertions(+), 109 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 327574ca..1e2af08b 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -45,7 +45,7 @@ commands: jobs: prep_env: docker: - - image: tlaurion/heads-dev-env:v0.0.8 + - image: tlaurion/heads-dev-env:v0.0.9 resource_class: large working_directory: ~/heads steps: @@ -61,15 +61,15 @@ jobs: - run: name: Creating all modules and patches digest (All modules cache digest) command: | - find ./Makefile ./patches/ ./modules/ -type f | sort -h |xargs sha256sum > ./tmpDir/all_modules_and_patches.sha256sums + find ./Makefile ./flake.lock ./patches/ ./modules/ -type f | sort -h |xargs sha256sum > ./tmpDir/all_modules_and_patches.sha256sums - run: name: Creating coreboot (and associated patches) and musl-cross-make modules digest (musl-cross-make and coreboot cache digest) command: | - find ./Makefile ./modules/coreboot ./modules/musl-cross* ./patches/coreboot* -type f | sort -h | xargs sha256sum > ./tmpDir/coreboot_musl-cross.sha256sums + find ./Makefile ./flake.lock ./modules/coreboot ./modules/musl-cross* ./patches/coreboot* -type f | sort -h | xargs sha256sum > ./tmpDir/coreboot_musl-cross.sha256sums - run: name: Creating musl-cross-make and musl-cross-make patches digest (musl-cross-make cache digest) command: | - find ./Makefile modules/musl-cross* -type f | sort -h | xargs sha256sum > ./tmpDir/musl-cross.sha256sums + find ./Makefile ./flake.lock modules/musl-cross* -type f | sort -h | xargs sha256sum > ./tmpDir/musl-cross.sha256sums - restore_cache: # First matched/found key wins and following keys are not tried keys: @@ -111,7 +111,7 @@ jobs: build_and_persist: docker: - - image: tlaurion/heads-dev-env:v0.0.8 + - image: tlaurion/heads-dev-env:v0.0.9 resource_class: large working_directory: ~/heads parameters: @@ -139,7 +139,7 @@ jobs: build: docker: - - image: tlaurion/heads-dev-env:v0.0.8 + - image: tlaurion/heads-dev-env:v0.0.9 resource_class: large working_directory: ~/heads parameters: @@ -160,7 +160,7 @@ jobs: save_cache: docker: - - image: tlaurion/heads-dev-env:v0.0.8 + - image: tlaurion/heads-dev-env:v0.0.9 resource_class: large working_directory: ~/heads steps: diff --git a/NIX_REPRO_NOTES b/NIX_REPRO_NOTES index bf9af50b..7b7b9b0c 100644 --- a/NIX_REPRO_NOTES +++ b/NIX_REPRO_NOTES @@ -56,3 +56,22 @@ Some raw and incomplete notes on how to push that docker to dockerhub docker tag linuxboot/heads:dev-env tlaurion/heads-dev-env:v0.0.3 docker push tlaurion/heads-dev-env:v0.0.3 (to be continued) + +------------------- + +#To create the docker image, I was not able to set gcroot dynamically, so here are the manual steps so nix is not wiped per garbage collector +mkdir -p /nix/var/nix/gcroots/per-user/$(whoami) +ln -sfn $(readlink -f $HOME/.nix-profile) /nix/var/nix/gcroots/per-user/$(whoami)/profile + +#And then build derivates and cal garbarrge collection (not yet successfull since docker build fails now) +nix build .#dockerImage && docker load < result && docker run --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) linuxboot/heads:dev-env + +#Use it +docker run -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) linuxboot/heads:dev-env -- make BOARD=qemu-coreboot-whiptail-tpm2 +docker run -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) linuxboot/heads:dev-env -- make BOARD=qemu-coreboot-whiptail-tpm2 run + +#push it +docker login +docker tag linuxboot/heads:dev-env tlaurion/heads-dev-env:v0.0.9 +docker push tlaurion/heads-dev-env:v0.0.9 + diff --git a/flake.lock b/flake.lock index 491e53f7..6fb25794 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1711703276, - "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=", + "lastModified": 1714253743, + "narHash": "sha256-mdTQw2XlariysyScCv2tTE45QSU9v/ezLcHJ22f0Nxc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089", + "rev": "58a1abdbae3217ca6b702f03d3b35125d88a2994", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index bd9a96f6..e8e9e396 100644 --- a/flake.nix +++ b/flake.nix @@ -1,87 +1,111 @@ { - description = "heads flake, mostly for devshell for now"; + description = "Optimized heads flake for Docker image with garbage collection protection"; + # Inputs define external dependencies and their sources. inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; - flake-utils.url = "github:numtide/flake-utils"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; # Using the unstable channel for the latest packages, while flake.lock fixates the commit reused until changed. + flake-utils.url = "github:numtide/flake-utils"; # Utilities for flake functionality. }; - outputs = { - self, - flake-utils, - nixpkgs, - ... - }: + # Outputs are the result of the flake, including the development environment and Docker image. + outputs = { self, nixpkgs, flake-utils, ... }: flake-utils.lib.eachDefaultSystem (system: let - pkgs = nixpkgs.legacyPackages.${system}; - lib = pkgs.lib; - deps = with pkgs; - [ - autoconf - automake - bashInteractive - coreutils - bc - bison # Generate flashmap descriptor parser - bzip2 - cacert - ccache - cmake - cpio - curl - diffutils - dtc - e2fsprogs - elfutils - findutils - flex - gawk - git - gnat - gnugrep - gnumake - gnused - gnutar - gzip - imagemagick - innoextract - libtool - m4 - ncurses5 # make menuconfig and slang - openssl #needed for talos-2 kernel build - parted - patch - perl - pkg-config - python3 - rsync - sharutils - texinfo - unzip - wget - which - xz - zip - zlib - zlib.dev - ] - ++ [ - # blobs/xx30/vbios_[tw]530.sh - bundler - p7zip - ruby - sudo # ( °-° ) - upx - ] - ++ [ - # debugging/fixing/testing - qemu - vim - ]; + pkgs = nixpkgs.legacyPackages.${system}; # Accessing the legacy package set. + lib = pkgs.lib; # The standard Nix packages library. + + # Dependencies are the packages required for the Heads project. + # Organized into subsets for clarity and maintainability. + deps = with pkgs; [ + # Core build utilities + autoconf + automake + bashInteractive + coreutils + bc + bison + bzip2 + cacert + ccache + cmake + cpio + curl + diffutils + dtc + e2fsprogs + elfutils + findutils + flex + gawk + git + gnat + gnugrep + gnumake + gnused + gnutar + gzip + imagemagick # For bootsplash manipulation. + innoextract # ROM extraction for dGPU. + libtool + m4 + ncurses5 + openssl + parted + patch + perl + pkg-config + python3 # me_cleaner, coreboot. + rsync # coreboot. + sharutils + texinfo + unzip + wget + which + xz + zip + zlib + zlib.dev + ] ++ [ + # Packages for qemu support with Canokey integration. + qemu # To test make BOARD=qemu-coreboot-* boards and then call make BOARD=qemu-coreboot-* with inject_gpg statement, and then run statement (RTFM). + canokey-qemu # Canokey lib for qemu build-time compilation. + (qemu.override { + canokeySupport = true; # This override enables Canokey support in QEMU, resulting in -device canokey being available. + }) + ] ++ [ + # Additional tools for editing and testing. + vim # Mostly used amongst us, sorry if you'd like something else, open issue. + swtpm # QEMU requirement to emulate tpm1/tpm2. + dosfstools # QEMU requirement to produce valid fs to store exported public key to be fused through inject_key on qemu (so qemu flashrom emulated SPI support). + ] ++ [ + # Tools for handling binary blobs and compression. + bundler + p7zip + ruby + sudo + upx + ]; + + # Stripping binaries to reduce size, while ensuring functionality is not affected. + stripBinaries = map (pkg: if pkg?isDerivation then pkg.overrideAttrs (oldAttrs: { + postInstall = oldAttrs.postInstall or "" + '' + strip $out/bin/* || true + ''; + }) else pkg) deps; + in { + # The development shell includes all the dependencies. devShell = pkgs.mkShellNoCC { - buildInputs = deps; + buildInputs = stripBinaries ++ [ pkgs.nix ]; # Include the Nix package to provide nix-collect-garbage. + shellHook = '' + # Create a garbage collection root for the Nix profile + mkdir -p /nix/var/nix/gcroots/per-user/$(whoami) + echo $(readlink -f $HOME/.nix-profile) > /nix/var/nix/gcroots/per-user/$(whoami)/profile + # Perform garbage collection to clean up any unnecessary files. + nix-collect-garbage -d + ''; }; + + # myDevShell outputs environment variables necessary for development. packages.myDevShell = pkgs.runCommand "my-dev-shell" {} #bash @@ -95,35 +119,43 @@ -e ACLOCAL_PATH \ ${self.devShell.${system}} >$out ''; + + # Docker image configuration for the Heads project. packages.dockerImage = pkgs.dockerTools.buildLayeredImage { - name = "linuxboot/heads"; - tag = "dev-env"; - config.Entrypoint = ["bash" "-c" ''source /devenv.sh; if (( $# == 0 )); then exec bash; else exec "$0" "$@"; fi'']; - contents = - deps - ++ [ - pkgs.dockerTools.binSh - pkgs.dockerTools.caCertificates - pkgs.dockerTools.usrBinEnv - ]; - enableFakechroot = true; + name = "linuxboot/heads"; # Image name. + tag = "dev-env"; # Image tag. + config.Entrypoint = ["bash" "-c" ''source /devenv.sh; if (( $# == 0 )); then exec bash; else exec "$@"; fi'']; # Entrypoint configuration. + + # Contents of the Docker image, including stripped binaries for size optimization. + contents = stripBinaries ++ [ + pkgs.dockerTools.binSh + pkgs.dockerTools.caCertificates + pkgs.dockerTools.usrBinEnv + ]; + + enableFakechroot = true; # Enable fakechroot for compatibility. + + # Fake root commands to set up the environment inside the Docker image. fakeRootCommands = #bash '' - set -e + set -e - grep \ - -e NIX_CC_WRAPPER_TARGET_TARGET \ - -e NIX_CFLAGS_COMPILE_FOR_TARGET \ - -e NIX_LDFLAGS_FOR_TARGET \ - -e NIX_PKG_CONFIG_WRAPPER_TARGET \ - -e PKG_CONFIG_PATH_FOR_TARGET \ - -e ACLOCAL_PATH \ - ${self.devShell.${system}} >/devenv.sh + # Environment setup for the development shell. + grep \ + -e NIX_CC_WRAPPER_TARGET_TARGET \ + -e NIX_CFLAGS_COMPILE_FOR_TARGET \ + -e NIX_LDFLAGS_FOR_TARGET \ + -e NIX_PKG_CONFIG_WRAPPER_TARGET \ + -e PKG_CONFIG_PATH_FOR_TARGET \ + -e ACLOCAL_PATH \ + ${self.devShell.${system}} >/devenv.sh - printf '[safe]\n\tdirectory = *\n' >/.gitconfig - mkdir /tmp; - ''; + # Git configuration for safe directory access. + printf '[safe]\n\tdirectory = *\n' >/.gitconfig + mkdir /tmp; # Temporary directory for various operations. + ''; }; }); } + diff --git a/targets/qemu.mk b/targets/qemu.mk index 59286a3e..05136122 100644 --- a/targets/qemu.mk +++ b/targets/qemu.mk @@ -16,7 +16,7 @@ endif ifeq "$(CONFIG_TPM2_TSS)" "y" SWTPM_TPMVER := --tpm2 -SWTPM_PRESETUP := swtpm_setup --create-config-files skip-if-exist +SWTPM_PRESETUP := swtpm_setup --create-config-files root skip-if-exist else # TPM1 is the default SWTPM_TPMVER :=