buildVerityUKI: introduce func for verity image build

Signed-off-by: Paul Meyer <[email protected]>

packages/by-name/buildVerityUKI/package.nix

@@ -0,0 +1,27 @@
+# Copyright 2024 Edgeless Systems GmbH
+# SPDX-License-Identifier: AGPL-3.0-only
+
+{ lib, jq }:
+
+let
+ roothashPlaceholder = "61fe0f0c98eff2a595dd2f63a5e481a0a25387261fa9e34c37e3a4910edf32b8";
+in
+
+nixos-config:
+
+(nixos-config.override {
+ # Inject the `roothash` parameter into the kernel command line,
+ # using a placeholder for the verity root hash.
+ boot.kernelParams = lib.optional (roothashPlaceholder != "") "roothash=${roothashPlaceholder}";
+}).image.overrideAttrs
+ (oldAttrs: {
+ nativeBuildInputs = oldAttrs.nativeBuildInputs ++ [ jq ];
+ # Replace the placeholder with the real root hash.
+ # The real root hash is only known after we build the image, so this
+ # is injected into the derivation that builds the image.
+ # Only replace first occurrence, or integrity of erofs will be compromised.
+ postInstall = ''
+ realRoothash=$(${lib.getExe jq} -r "[.[] | select(.roothash != null)] | .[0].roothash" $out/repart-output.json)
+ sed -i "0,/${roothashPlaceholder}/ s/${roothashPlaceholder}/$realRoothash/" $out/${oldAttrs.pname}_${oldAttrs.version}.raw
+ '';
+ })

packages/by-name/image-podvm/package.nix

@@ -2,33 +2,18 @@
 # SPDX-License-Identifier: AGPL-3.0-only
 
 {
- lib,
- jq,
+ buildVerityUKI,
  mkNixosConfig,
 
  withDebug ? true,
  withGPU ? false,
  withCSP ? "azure",
 }:
 
-let
- roothashPlaceholder = "61fe0f0c98eff2a595dd2f63a5e481a0a25387261fa9e34c37e3a4910edf32b8";
-in
-
-(mkNixosConfig {
- inherit roothashPlaceholder;
-
- contrast.debug.enable = withDebug;
- contrast.gpu.enable = withGPU;
- contrast.azure.enable = withCSP == "azure";
-
-}).image.overrideAttrs
- (oldAttrs: {
- nativeBuildInputs = oldAttrs.nativeBuildInputs ++ [ jq ];
- # Replace the placeholder with the real root hash.
- # Only replace first occurrence, or integrity of erofs will be compromised.
- postInstall = ''
- realRoothash=$(${lib.getExe jq} -r "[.[] | select(.roothash != null)] | .[0].roothash" $out/repart-output.json)
- sed -i "0,/${roothashPlaceholder}/ s/${roothashPlaceholder}/$realRoothash/" $out/${oldAttrs.pname}_${oldAttrs.version}.raw
- '';
- })
+buildVerityUKI (mkNixosConfig {
+ contrast = {
+ debug.enable = withDebug;
+ gpu.enable = withGPU;
+ azure.enable = withCSP == "azure";
+ };
+})

packages/by-name/mkNixosConfig/package.nix

@@ -7,14 +7,6 @@
  pkgs,
 }:
 
-{
- # If set, placeholder is written into the command line roothash parameter.
- # Used for building verity protected images.
- roothashPlaceholder ? "",
-
- ...
-}@args:
-
 let
  # 'nixos' uses 'pkgs' from the point in time where nixpkgs function is evaluated. According
  # to the documentation, we should be able to overwrite 'pkgs' by setting nixpkgs.pkgs in
@@ -28,33 +20,33 @@ let
  (lib.filterAttrs (_filename: type: type == "regular"))
  (lib.mapAttrsToList (filename: _type: "${dir}/${filename}"))
  ];
-
- args' = lib.removeAttrs args [ "roothashPlaceholder" ];
 in
 
-(nixos (
- { modulesPath, ... }:
-
- {
- imports = [
- "${modulesPath}/image/repart.nix"
- "${modulesPath}/system/boot/uki.nix"
- ] ++ readModulesDir ../../nixos;
-
- # TODO(katexochen): imporve, see comment above.
- nixpkgs.overlays = [
- (_self: _super: {
- inherit (outerPkgs)
- azure-no-agent
- cloud-api-adaptor
- kernel-podvm-azure
- pause-bundle
- ;
- inherit (outerPkgs.kata) kata-agent;
- })
- ];
-
- boot.kernelParams = lib.optional (roothashPlaceholder != "") "roothash=${roothashPlaceholder}";
- }
- // args'
-))
+lib.makeOverridable (
+ args:
+ nixos (
+ { modulesPath, ... }:
+
+ {
+ imports = [
+ "${modulesPath}/image/repart.nix"
+ "${modulesPath}/system/boot/uki.nix"
+ ] ++ readModulesDir ../../nixos;
+
+ # TODO(katexochen): imporve, see comment above.
+ nixpkgs.overlays = [
+ (_self: _super: {
+ inherit (outerPkgs)
+ azure-no-agent
+ cloud-api-adaptor
+ kernel-podvm-azure
+ pause-bundle
+ ;
+ inherit (outerPkgs.kata) kata-agent;
+ })
+ ];
+
+ }
+ // args
+ )
+)