From: José Pekkarinen <jose.pekkarinen@unikie.com>
Date: Thu, 8 Sep 2022 14:40:49 +0300
Subject: Re: [PATCH 1/2] host/rootfs: use initramfs in "make run"
To: Alyssa Ross
CC: devel@spectrum-os.org
In-Reply-To: <20220901104629.863380-1-hi@alyssa.is>
List-Id: Patches and low-level development discussion

On Thu, Sep 1, 2022 at 1:47 PM Alyssa Ross <hi@alyssa.is> wrote:
> This will allow us to stop compiling e.g. the virtio-blk module into
> the kernel, because it will be loaded by the initramfs.
>
> This introduces some duplication between the rootfs and initramfs's
> Makefiles.  I don't think it's worth the effort at the moment to try
> to reduce that, because it would come at the expense of additional
> complexity in the Makefiles.  We can revisit this later if we want to.
>
> Signed-off-by: Alyssa Ross <hi@alyssa.is>
> Tested-by: José Pekkarinen <jose.pekkarinen@unikie.com>
> ---
>  host/rootfs/Makefile  | 32 ++++++++++++++++++++++++++++----
>  host/rootfs/shell.nix | 10 ++++++++--
>  2 files changed, 36 insertions(+), 6 deletions(-)
>
> diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
> index 41cf87c..31f76d2 100644
> --- a/host/rootfs/Makefile
> +++ b/host/rootfs/Makefile
> @@ -6,6 +6,9 @@
>  # QEMU_KVM = qemu-system-x86_64 -enable-kvm.
>  QEMU_KVM = qemu-kvm
>
> +SCRIPTS = ../../scripts
> +VERITYSETUP = veritysetup
> +
>  # tar2ext4 will leave half a filesystem behind if it's interrupted
>  # half way through.
>  build/rootfs.ext4: build/rootfs.tar
> @@ -116,16 +119,37 @@ clean:
>          rm -rf build
>  .PHONY: clean
>
> -run: build/rootfs.ext4 $(EXT_FS)
> +# veritysetup format produces two files, but Make only (portably)
> +# supports one output per rule, so we combine the two outputs then
> +# define two more rules to separate them again.
> +build/rootfs.verity: build/rootfs.ext4
> +        $(VERITYSETUP) format build/rootfs.ext4 build/rootfs.verity.superblock.tmp \
> +            | awk -F ':[[:blank:]]*' '$$1 == "Root hash" {print $$2; exit}' \
> +            > build/rootfs.verity.roothash.tmp
> +        cat build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.tmp \
> +            > $@
> +        rm build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.tmp
> +build/rootfs.verity.roothash: build/rootfs.verity
> +        head -n 1 build/rootfs.verity > $@
> +build/rootfs.verity.superblock: build/rootfs.verity
> +        tail -n +2 build/rootfs.verity > $@
> +
> +build/live.img: $(SCRIPTS)/format-uuid.sh $(SCRIPTS)/make-gpt.sh build/rootfs.verity.superblock build/rootfs.verity.roothash build/rootfs.ext4
> +        $(SCRIPTS)/make-gpt.sh $@.tmp \
> +            build/rootfs.verity.superblock:2c7357ed-ebd2-46d9-aec1-23d437ec2bf5:$$($(SCRIPTS)/format-uuid.sh "$$(dd if=build/rootfs.verity.roothash bs=32 skip=1 count=1 status=none)") \
> +            build/rootfs.ext4:4f68bce3-e8cd-4db1-96e7-fbcaf984b709:$$($(SCRIPTS)/format-uuid.sh "$$(head -c 32 build/rootfs.verity.roothash)")
> +        mv $@.tmp $@
> +
> +run: build/live.img $(EXT_FS) build/rootfs.verity.roothash
>          $(QEMU_KVM) -cpu host -m 2G \
> -            -machine q35,kernel=$(KERNEL),kernel-irqchip=split \
> +            -machine q35,kernel=$(KERNEL),kernel-irqchip=split,initrd=$(INITRAMFS) \
>              -display gtk,gl=on \
>              -qmp unix:vmm.sock,server,nowait \
>              -monitor vc \
>              -parallel none \
> -            -drive file=build/rootfs.ext4,if=virtio,format=raw,readonly=on \
> +            -drive file=build/live.img,if=virtio,format=raw,readonly=on \
>              -drive file=$(EXT_FS),if=virtio,format=raw,readonly=on \
> -            -append "console=ttyS0 root=/dev/vda ext=/dev/vdb intel_iommu=on" \
> +            -append "console=ttyS0 roothash=$$(< build/rootfs.verity.roothash) ext=/dev/vdb intel_iommu=on" \
>              -device intel-iommu,intremap=on \
>              -device virtio-vga-gl \
>              -device vhost-vsock-pci,guest-cid=3
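Review bot: `$$(< build/rootfs.verity.roothash)` in the new `-append` line is a bash-only construct; GNU Make runs recipes with `/bin/sh` unless `SHELL` is set (nothing in the visible hunk sets it), and under a POSIX sh such as dash that expansion is empty, so the guest would be booted with a bare `roothash=` and the initramfs would have no root hash to verify the rootfs against. `$$(cat build/rootfs.verity.roothash)` is portable and equivalent. Related, in the `build/rootfs.verity` rule a failure of `$(VERITYSETUP) format` is hidden behind the pipe into awk (sh has no pipefail), leaving an empty `roothash.tmp` and a recipe that still exits 0; a `test -s build/rootfs.verity.roothash.tmp` before the `cat`, and writing `$@` through a `.tmp` plus `mv` as the `build/live.img` rule already does, would keep a half-built verity file from satisfying later targets.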
> diff --git a/host/rootfs/shell.nix b/host/rootfs/shell.nix
> index 3b2310f..fe9df1b 100644
> --- a/host/rootfs/shell.nix
> +++ b/host/rootfs/shell.nix
> @@ -1,18 +1,24 @@
>  # SPDX-License-Identifier: MIT
>  # SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is>
> +# SPDX-FileCopyrightText: 2022 Unikie
>
>  { pkgs ? import <nixpkgs> {} }:
>
> +let
> +  rootfs = import ./. { inherit pkgs; };
> +in
> +
>  with pkgs;
>
> -(import ./. { inherit pkgs; }).overrideAttrs (
> +rootfs.overrideAttrs (
>  { passthru ? {}, nativeBuildInputs ? [], ... }:
>
>  {
>    nativeBuildInputs = nativeBuildInputs ++ [
> -    jq netcat qemu_kvm reuse util-linux
> +    cryptsetup jq netcat qemu_kvm reuse util-linux
>    ];
>
>    EXT_FS = pkgsStatic.callPackage ../initramfs/extfs.nix { inherit pkgs; };
> +  INITRAMFS = import ../initramfs { inherit pkgs rootfs; };
>    KERNEL = "${passthru.kernel}/${stdenv.hostPlatform.linux-kernel.target}";
>  })
> --
> 2.37.1
>

--
José.