-rw-r--r--host/initramfs/Makefile42
-rw-r--r--host/initramfs/live.nix33
-rw-r--r--host/initramfs/shell.nix18
-rw-r--r--installer/default.nix2
-rw-r--r--live/.gitignore6
-rw-r--r--live/Makefile71
-rw-r--r--live/default.nix45
-rw-r--r--live/etc/os-release (renamed from host/initramfs/etc/os-release)0
-rw-r--r--live/shell.nix10
-rw-r--r--scripts/default.nix6
-rwxr-xr-xscripts/format-uuid.sh (renamed from host/initramfs/scripts/format-uuid.sh)0
-rwxr-xr-xscripts/make-gpt.sh (renamed from host/initramfs/scripts/make-gpt.sh)4
-rw-r--r--scripts/sfdisk-field.awk (renamed from host/initramfs/scripts/sfdisk-field.awk)0
13 files changed, 169 insertions, 68 deletions
diff --git a/host/initramfs/Makefile b/host/initramfs/Makefile
index 77919c9..6f8dac0 100644
--- a/host/initramfs/Makefile
+++ b/host/initramfs/Makefile
@@ -8,11 +8,7 @@ QEMU_KVM = qemu-kvm
 
 CPIO = cpio
 CPIOFLAGS = --reproducible -R +0:+0 -H newc
-MCOPY = mcopy
-MKFS_FAT = mkfs.fat
-MMD = mmd
-OBJCOPY = objcopy
-TRUNCATE = truncate
+SCRIPTS = ../../scripts
 VERITYSETUP = veritysetup
 
 build/initramfs: build/local.cpio $(PACKAGES_CPIO)
@@ -40,23 +36,6 @@ build/mountpoints:
 	cd build/mountpoints && mkdir -p $(MOUNTPOINTS)
 	find build/mountpoints -mindepth 1 -exec touch -d @0 {} ';'
 
-build/cmdline: build/rootfs.verity.roothash
-	printf "ro console=ttyS0 roothash=" > $@
-	cat build/rootfs.verity.roothash >> $@
-
-build/bootx64.efi: etc/os-release build/cmdline build/initramfs
-	$(OBJCOPY) --add-section .osrel=etc/os-release --change-section-vma .osrel=0x20000 \
-	    --add-section .cmdline=build/cmdline --change-section-vma .cmdline=0x30000 \
-	    --add-section .linux=$(KERNEL) --change-section-vma .linux=0x40000 \
-	    --add-section .initrd=build/initramfs --change-section-vma .initrd=0x3000000 \
-	    $(EFI_STUB) $@
-
-build/boot.fat: build/bootx64.efi
-	$(TRUNCATE) -s 157286400 $@
-	$(MKFS_FAT) $@
-	$(MMD) -i $@ ::/EFI ::/EFI/BOOT
-	$(MCOPY) -i $@ build/bootx64.efi ::/EFI/BOOT
-
 # veritysetup format produces two files, but Make only (portably)
 # supports one output per rule, so we combine the two outputs then
 # define two more rules to separate them again.
@@ -73,25 +52,26 @@ build/rootfs.verity.roothash: build/rootfs.verity
 build/rootfs.verity.superblock: build/rootfs.verity
 	tail -n +2 build/rootfs.verity > $@
 
-build/live.img: scripts/format-uuid.sh scripts/make-gpt.sh build/boot.fat build/rootfs.verity.superblock build/rootfs.verity.roothash $(ROOT_FS) $(EXT_FS)
-	scripts/make-gpt.sh $@.tmp \
-	    build/boot.fat:c12a7328-f81f-11d2-ba4b-00a0c93ec93b \
-	    build/rootfs.verity.superblock:2c7357ed-ebd2-46d9-aec1-23d437ec2bf5:$$(scripts/format-uuid.sh "$$(dd if=build/rootfs.verity.roothash bs=32 skip=1 count=1 status=none)") \
-	    $(ROOT_FS):4f68bce3-e8cd-4db1-96e7-fbcaf984b709:$$(scripts/format-uuid.sh "$$(head -c 32 build/rootfs.verity.roothash)") \
-	    $(EXT_FS):9293e1ff-cee4-4658-88be-898ec863944f
+build/live.img: $(SCRIPTS)/format-uuid.sh $(SCRIPTS)/make-gpt.sh build/rootfs.verity.superblock build/rootfs.verity.roothash $(ROOT_FS) $(EXT_FS)
+	$(SCRIPTS)/make-gpt.sh $@.tmp \
+	    build/rootfs.verity.superblock:2c7357ed-ebd2-46d9-aec1-23d437ec2bf5:$$($(SCRIPTS)/format-uuid.sh "$$(dd if=build/rootfs.verity.roothash bs=32 skip=1 count=1 status=none)") \
+	    $(ROOT_FS):4f68bce3-e8cd-4db1-96e7-fbcaf984b709:$$($(SCRIPTS)/format-uuid.sh "$$(head -c 32 build/rootfs.verity.roothash)")
 	mv $@.tmp $@
 
 clean:
 	rm -rf build
 .PHONY: clean
 
-run: build/live.img
+run: build/initramfs build/rootfs.verity.roothash build/live.img
 	$(QEMU_KVM) -m 4G \
-	    -bios $(OVMF_FD) \
+	    -kernel $(KERNEL) \
+	    -initrd build/initramfs \
+	    -append "ro console=ttyS0 ext=vda roothash=$$(< build/rootfs.verity.roothash)" \
 	    -cpu host \
 	    -display gtk,gl=on \
 	    -device virtio-vga-gl \
 	    -device qemu-xhci \
 	    -device usb-storage,drive=drive1,removable=true \
-	    -drive file=build/live.img,id=drive1,format=raw,if=none,readonly=true
+	    -drive file=build/live.img,id=drive1,format=raw,if=none,readonly=true \
+	    -drive file=$(EXT_FS),format=raw,if=virtio,readonly=true
 .PHONY: run
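Review bot: The new `-append` line in the `run` recipe reads the root hash with `$$(< build/rootfs.verity.roothash)`, which is a bash-only expansion; Make runs recipe lines with /bin/sh unless `SHELL` is set, and under dash or another POSIX sh `$(< file)` expands to the empty string, so the guest boots with a bare `roothash=` and the verity setup silently gets no hash. The hunk does not show the top of the file, so I cannot confirm whether `SHELL` is set there; if it is not, use the portable `-append "ro console=ttyS0 ext=vda roothash=$$(cat build/rootfs.verity.roothash)"` or add `SHELL := bash` near the other variable assignments. The `build/live.img` recipe above already uses `$$(head -c 32 …)`, so `cat` would also keep the two recipes consistent.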
diff --git a/host/initramfs/live.nix b/host/initramfs/live.nix
deleted file mode 100644
index 2c520d8..0000000
--- a/host/initramfs/live.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-# SPDX-License-Identifier: EUPL-1.2
-# SPDX-FileCopyrightText: 2021-2022 Alyssa Ross <hi@alyssa.is>
-
-{ pkgs ? import <nixpkgs> {} }:
-
-let
-  extfs = pkgs.pkgsStatic.callPackage ./extfs.nix { inherit pkgs; };
-  rootfs = import ../rootfs { inherit pkgs; };
-  initramfs = import ./. { inherit pkgs rootfs; };
-in
-
-with pkgs;
-
-initramfs.overrideAttrs ({ buildFlags ? "", nativeBuildInputs ? [], ... }: {
-  name = "spectrum-live.img";
-
-  nativeBuildInputs = nativeBuildInputs ++ [
-    cryptsetup dosfstools jq mtools util-linux
-  ];
-
-  EFI_STUB = "${systemd}/lib/systemd/boot/efi/linuxx64.efi.stub";
-  EXT_FS = extfs;
-  KERNEL = "${rootfs.kernel}/${stdenv.hostPlatform.linux-kernel.target}";
-  ROOT_FS = rootfs;
-
-  buildFlags = "${toString buildFlags} build/live.img";
-
-  installPhase = ''
-    runHook preInstall
-    mv build/live.img $out
-    runHook postInstall
-  '';
-})
diff --git a/host/initramfs/shell.nix b/host/initramfs/shell.nix
index 02aa685..d00b39d 100644
--- a/host/initramfs/shell.nix
+++ b/host/initramfs/shell.nix
@@ -3,8 +3,22 @@
 
 { pkgs ? import <nixpkgs> {} }:
 
+let
+  inherit (pkgs.lib) cleanSource cleanSourceWith;
+
+  extfs = pkgs.pkgsStatic.callPackage ./extfs.nix {
+    inherit pkgs;
+  };
+  rootfs = import ../rootfs { inherit pkgs; };
+  initramfs = import ./. { inherit pkgs rootfs; };
+in
+
 with pkgs;
 
-(import ./live.nix { inherit pkgs; }).overrideAttrs ({ ... }: {
-  OVMF_FD = "${OVMF.fd}/FV/OVMF.fd";
+initramfs.overrideAttrs ({ nativeBuildInputs ? [], ... }: {
+  nativeBuildInputs = nativeBuildInputs ++ [ cryptsetup jq util-linux ];
+
+  EXT_FS = extfs;
+  KERNEL = "${rootfs.kernel}/${stdenv.hostPlatform.linux-kernel.target}";
+  ROOT_FS = rootfs;
 })
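Review bot: The new `let` block starts with `inherit (pkgs.lib) cleanSource cleanSourceWith;`, but neither name is referenced anywhere in this file; it appears to have been carried over together with the `extfs`/`rootfs`/`initramfs` bindings from `live/default.nix`, where the two are used for the `src` filter. Drop the line so the shell expression only binds what it uses: `let extfs = pkgs.pkgsStatic.callPackage ./extfs.nix { inherit pkgs; }; …`.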
diff --git a/installer/default.nix b/installer/default.nix
index 5f35ce1..9fc7493 100644
--- a/installer/default.nix
+++ b/installer/default.nix
@@ -9,7 +9,7 @@ let
   inherit (pkgs.lib) removePrefix;
   inherit (nixos ./configuration.nix) config;
 
-  image = import ../host/initramfs/live.nix { inherit pkgs; };
+  image = import ../live { inherit pkgs; };
 
   grub = grub2_efi;
 
diff --git a/live/.gitignore b/live/.gitignore
new file mode 100644
index 0000000..2849946
--- /dev/null
+++ b/live/.gitignore
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: CC0-1.0
+# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is>
+
+/build
+result
+result-*
diff --git a/live/Makefile b/live/Makefile
new file mode 100644
index 0000000..8b06a17
--- /dev/null
+++ b/live/Makefile
@@ -0,0 +1,71 @@
+# SPDX-License-Identifier: EUPL-1.2
+# SPDX-FileCopyrightText: 2021-2022 Alyssa Ross <hi@alyssa.is>
+
+# qemu-kvm is non-standard, but is present in at least Fedora and
+# Nixpkgs.  If you don't have qemu-kvm, you'll need to set e.g.
+# QEMU_KVM = qemu-system-x86_64 -enable-kvm.
+QEMU_KVM = qemu-kvm
+
+MCOPY = mcopy
+MKFS_FAT = mkfs.fat
+MMD = mmd
+OBJCOPY = objcopy
+SCRIPTS = ../scripts
+TRUNCATE = truncate
+VERITYSETUP = veritysetup
+
+build/live.img: $(SCRIPTS)/format-uuid.sh $(SCRIPTS)/make-gpt.sh build/boot.fat build/rootfs.verity.superblock build/rootfs.verity.roothash $(ROOT_FS) $(EXT_FS)
+	$(SCRIPTS)/make-gpt.sh $@.tmp \
+	    build/boot.fat:c12a7328-f81f-11d2-ba4b-00a0c93ec93b \
+	    build/rootfs.verity.superblock:2c7357ed-ebd2-46d9-aec1-23d437ec2bf5:$$($(SCRIPTS)/format-uuid.sh "$$(dd if=build/rootfs.verity.roothash bs=32 skip=1 count=1 status=none)") \
+	    $(ROOT_FS):4f68bce3-e8cd-4db1-96e7-fbcaf984b709:$$($(SCRIPTS)/format-uuid.sh "$$(head -c 32 build/rootfs.verity.roothash)") \
+	    $(EXT_FS):9293e1ff-cee4-4658-88be-898ec863944f
+	mv $@.tmp $@
+
+build/cmdline: build/rootfs.verity.roothash
+	printf "ro console=ttyS0 roothash=" > $@
+	cat build/rootfs.verity.roothash >> $@
+
+build/bootx64.efi: etc/os-release build/cmdline $(INITRAMFS)
+	$(OBJCOPY) --add-section .osrel=etc/os-release --change-section-vma .osrel=0x20000 \
+	    --add-section .cmdline=build/cmdline --change-section-vma .cmdline=0x30000 \
+	    --add-section .linux=$(KERNEL) --change-section-vma .linux=0x40000 \
+	    --add-section .initrd=$(INITRAMFS) --change-section-vma .initrd=0x3000000 \
+	    $(EFI_STUB) $@
+
+build/boot.fat: build/bootx64.efi
+	$(TRUNCATE) -s 157286400 $@
+	$(MKFS_FAT) $@
+	$(MMD) -i $@ ::/EFI ::/EFI/BOOT
+	$(MCOPY) -i $@ build/bootx64.efi ::/EFI/BOOT
+
+# veritysetup format produces two files, but Make only (portably)
+# supports one output per rule, so we combine the two outputs then
+# define two more rules to separate them again.
+build/rootfs.verity: $(ROOT_FS)
+	mkdir -p build
+	$(VERITYSETUP) format $(ROOT_FS) build/rootfs.verity.superblock.tmp \
+	    | awk -F ':[[:blank:]]*' '$$1 == "Root hash" {print $$2; exit}' \
+	    > build/rootfs.verity.roothash.tmp
+	cat build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.tmp \
+	    > $@
+	rm build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.tmp
+build/rootfs.verity.roothash: build/rootfs.verity
+	head -n 1 build/rootfs.verity > $@
+build/rootfs.verity.superblock: build/rootfs.verity
+	tail -n +2 build/rootfs.verity > $@
+
+clean:
+	rm -rf build
+.PHONY: clean
+
+run: build/live.img
+	$(QEMU_KVM) -m 4G \
+	    -bios $(OVMF_FD) \
+	    -cpu host \
+	    -display gtk,gl=on \
+	    -device virtio-vga-gl \
+	    -device qemu-xhci \
+	    -device usb-storage,drive=drive1,removable=true \
+	    -drive file=build/live.img,id=drive1,format=raw,if=none,readonly=true
+.PHONY: run
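Review bot: The `build/boot.fat` recipe writes straight into `$@` in four steps (truncate, mkfs.fat, mmd, mcopy) and the file does not set `.DELETE_ON_ERROR:`, so if `mmd` or `mcopy` fails the truncated or half-populated FAT image remains with a fresh mtime and the next `make` treats it as up to date, building a `build/live.img` whose EFI partition lacks `bootx64.efi`; the same applies to `build/cmdline`, `build/bootx64.efi` and the two `head`/`tail` rules, which also redirect directly into `$@`. Add `.DELETE_ON_ERROR:` next to the variable block at the top, or follow the pattern `build/live.img` already uses and write to `$@.tmp` followed by `mv $@.tmp $@`. Separately, the `build/bootx64.efi` recipe reads `$(KERNEL)` and `$(EFI_STUB)` but lists neither as a prerequisite, so a changed kernel or stub does not retrigger the objcopy; in the Nix build this is masked by a fresh `build/`, but for the shell.nix workflow `build/bootx64.efi: etc/os-release build/cmdline $(INITRAMFS) $(KERNEL) $(EFI_STUB)` would make the dependency visible.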
diff --git a/live/default.nix b/live/default.nix
new file mode 100644
index 0000000..ad4bb4e
--- /dev/null
+++ b/live/default.nix
@@ -0,0 +1,45 @@
+# SPDX-License-Identifier: EUPL-1.2
+# SPDX-FileCopyrightText: 2021-2022 Alyssa Ross <hi@alyssa.is>
+
+{ pkgs ? import <nixpkgs> {} }:
+
+let
+  inherit (pkgs.lib) cleanSource cleanSourceWith;
+
+  extfs = pkgs.pkgsStatic.callPackage ../host/initramfs/extfs.nix {
+    inherit pkgs;
+  };
+  rootfs = import ../host/rootfs { inherit pkgs; };
+  scripts = import ../scripts { inherit pkgs; };
+  initramfs = import ../host/initramfs { inherit pkgs rootfs; };
+in
+
+with pkgs;
+
+stdenv.mkDerivation {
+  name = "spectrum-live.img";
+
+  src = cleanSourceWith {
+    filter = name: _type: name != "${toString ./.}/build";
+    src = cleanSource ./.;
+  };
+
+  nativeBuildInputs = [ cryptsetup dosfstools jq mtools util-linux ];
+
+  EFI_STUB = "${systemd}/lib/systemd/boot/efi/linuxx64.efi.stub";
+  EXT_FS = extfs;
+  INITRAMFS = initramfs;
+  KERNEL = "${rootfs.kernel}/${stdenv.hostPlatform.linux-kernel.target}";
+  ROOT_FS = rootfs;
+
+  buildFlags = [ "build/live.img" ];
+  makeFlags = [ "SCRIPTS=${scripts}" ];
+
+  installPhase = ''
+    runHook preInstall
+    mv build/live.img $out
+    runHook postInstall
+  '';
+
+  enableParallelBuilding = true;
+}
diff --git a/host/initramfs/etc/os-release b/live/etc/os-release
index 4b2f7c4..4b2f7c4 100644
--- a/host/initramfs/etc/os-release
+++ b/live/etc/os-release
diff --git a/live/shell.nix b/live/shell.nix
new file mode 100644
index 0000000..e106cee
--- /dev/null
+++ b/live/shell.nix
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: EUPL-1.2
+# SPDX-FileCopyrightText: 2021-2022 Alyssa Ross <hi@alyssa.is>
+
+{ pkgs ? import <nixpkgs> {} }:
+
+with pkgs;
+
+(import ./. { inherit pkgs; }).overrideAttrs ({ ... }: {
+  OVMF_FD = "${OVMF.fd}/FV/OVMF.fd";
+})
diff --git a/scripts/default.nix b/scripts/default.nix
new file mode 100644
index 0000000..bacb0fb
--- /dev/null
+++ b/scripts/default.nix
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: EUPL-1.2
+# SPDX-FileCopyrightText: 2022 Alyssa Ross <hi@alyssa.is>
+
+{ pkgs ? import <nixpkgs> {} }:
+
+pkgs.lib.cleanSource ./.
diff --git a/host/initramfs/scripts/format-uuid.sh b/scripts/format-uuid.sh
index bada8ce..bada8ce 100755
--- a/host/initramfs/scripts/format-uuid.sh
+++ b/scripts/format-uuid.sh
diff --git a/host/initramfs/scripts/make-gpt.sh b/scripts/make-gpt.sh
index 556db3f..f7cb20d 100755
--- a/host/initramfs/scripts/make-gpt.sh
+++ b/scripts/make-gpt.sh
@@ -33,6 +33,8 @@ $1
 EOF
 }
 
+scriptsDir="$(dirname "$0")"
+
 out="$1"
 shift
 
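Review bot: `scriptsDir="$(dirname "$0")"` only yields the script's directory when the script is invoked by path, as both Makefiles now do via `$(SCRIPTS)/make-gpt.sh`; if it is ever run through a `PATH` lookup `$0` is the bare name and `dirname` returns `.`, and through a symlink it returns the link's directory rather than the target's, so the `-f "$scriptsDir/sfdisk-field.awk"` reference in the second hunk would fail. If that is acceptable, a one-line comment above the assignment stating the contract would save the next reader the question, e.g. `# sfdisk-field.awk lives next to this script; callers must invoke it by path (not via PATH or a symlink).` Otherwise resolve it once with `scriptsDir="$(cd "$(dirname "$0")" && pwd -P)"`, which is still POSIX sh.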
@@ -43,7 +45,7 @@ table="label: gpt"
 gptBytes=$TWO_MiB
 for partition; do
 	sizeMiB="$(sizeMiB "$(partitionPath "$partition")")"
-	table="$table${nl}size=${sizeMiB}MiB,$(awk -f scripts/sfdisk-field.awk -v partition="$partition")"
+	table="$table${nl}size=${sizeMiB}MiB,$(awk -f "$scriptsDir/sfdisk-field.awk" -v partition="$partition")"
 	gptBytes="$(expr "$gptBytes" + "$sizeMiB" \* $ONE_MiB)"
 done
 
diff --git a/host/initramfs/scripts/sfdisk-field.awk b/scripts/sfdisk-field.awk
index c2d9e5d..c2d9e5d 100644
--- a/host/initramfs/scripts/sfdisk-field.awk
+++ b/scripts/sfdisk-field.awk