diff --git a/pkgs/applications/virtualization/xen/4.16/0001-xen-fig-geneneration-4.16.patch b/pkgs/applications/virtualization/xen/4.16/0001-xen-fig-geneneration-4.16.patch deleted file mode 100644 index 1d814b562a179..0000000000000 --- a/pkgs/applications/virtualization/xen/4.16/0001-xen-fig-geneneration-4.16.patch +++ /dev/null @@ -1,16 +0,0 @@ -Remove a pipe that was causing SIGPIPE -issues on overloaded Hydra machines. - -diff --git a/docs/figs/Makefile b/docs/figs/Makefile -index e128a4364f..943f745dda 100644 ---- a/docs/figs/Makefile -+++ b/docs/figs/Makefile -@@ -8,7 +8,7 @@ TARGETS= network-bridge.png network-basic.png - all: $(TARGETS) - - %.png: %.fig -- $(FIG2DEV) -L png $< >$@.tmp -+ $(FIG2DEV) -L png $< $@.tmp - mv -f $@.tmp $@ - - clean: diff --git a/pkgs/applications/virtualization/xen/4.16/default.nix b/pkgs/applications/virtualization/xen/4.16/default.nix index e67b2b052a6ee..27139ca06e8ee 100644 --- a/pkgs/applications/virtualization/xen/4.16/default.nix +++ b/pkgs/applications/virtualization/xen/4.16/default.nix @@ -7,19 +7,23 @@ }@genericDefinition: let - upstreamPatches = import ../patches.nix { + upstreamPatches = import ../generic/patches.nix { inherit lib; inherit fetchpatch; }; - upstreamPatchList = lib.lists.flatten [ - upstreamPatches.XSA_458 - upstreamPatches.XSA_460 - upstreamPatches.XSA_461 - ]; + upstreamPatchList = lib.lists.flatten ( + with upstreamPatches; + [ + XSA_458 + XSA_460 + XSA_461 + ] + ); in -callPackage (import ../generic.nix { +callPackage (import ../generic/default.nix { + pname = "xen"; branch = "4.16"; version = "4.16.6"; latest = false; 
@@ -27,10 +31,7 @@ callPackage (import ../generic.nix { xen = { rev = "4b33780de790bd438dd7cbb6143b410d94f0f049"; hash = "sha256-2kcmfKwBo3w1U5CSxLSYSteqvzcJaB+cA7keVb3amyA="; - patches = [ - ./0000-xen-ipxe-src-4.16.patch - ./0001-xen-fig-geneneration-4.16.patch - ] ++ upstreamPatchList; + patches = [ ] ++ upstreamPatchList; }; qemu = { rev = "c02cb236b5e4a76cf74e641cc35a0e3ebd3e52f3"; diff --git a/pkgs/applications/virtualization/xen/4.17/0000-xen-ipxe-src-4.17.patch b/pkgs/applications/virtualization/xen/4.17/0000-xen-ipxe-src-4.17.patch deleted file mode 100644 index d96023d1946ae..0000000000000 --- a/pkgs/applications/virtualization/xen/4.17/0000-xen-ipxe-src-4.17.patch +++ /dev/null @@ -1,27 +0,0 @@ -Hack to make etherboot use pre-fetched iPXE. - -diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile -index ed9e11305f..979a3acea8 100644 ---- a/tools/firmware/etherboot/Makefile -+++ b/tools/firmware/etherboot/Makefile -@@ -16,6 +16,7 @@ IPXE_TARBALL_URL ?= $(XEN_EXTFILES_URL)/ipxe-git-$(IPXE_GIT_TAG).tar.gz - - D=ipxe - T=ipxe.tar.gz -+G=ipxe.git - - ROMS = $(addprefix $D/src/bin/, $(addsuffix .rom, $(ETHERBOOT_NICS))) - ROM = $D/src/bin/ipxe.bin -@@ -41,9 +42,9 @@ $T: - fi - mv _$T $T - --$D/src/arch/i386/Makefile: $T Config -- rm -rf $D -- gzip -dc $T | tar xf - -+$D/src/arch/i386/Makefile: $G Config -+ mkdir $D -+ cp -a $G/* $D - for i in $$(cat patches/series) ; do \ - patch -d $D -p1 --quiet $@.tmp -+ $(FIG2DEV) -L png $< $@.tmp - mv -f $@.tmp $@ - - clean: diff --git a/pkgs/applications/virtualization/xen/4.17/default.nix b/pkgs/applications/virtualization/xen/4.17/default.nix index a179ac94d9c28..6887696fcfe94 100644 --- a/pkgs/applications/virtualization/xen/4.17/default.nix +++ b/pkgs/applications/virtualization/xen/4.17/default.nix 
@@ -7,20 +7,24 @@ }@genericDefinition: let - upstreamPatches = import ../patches.nix { + upstreamPatches = import ../generic/patches.nix { inherit lib; inherit fetchpatch; }; - upstreamPatchList = lib.lists.flatten [ - upstreamPatches.QUBES_REPRODUCIBLE_BUILDS - upstreamPatches.XSA_458 - upstreamPatches.XSA_460 - upstreamPatches.XSA_461 - ]; + upstreamPatchList = lib.lists.flatten ( + with upstreamPatches; + [ + QUBES_REPRODUCIBLE_BUILDS + XSA_458 + XSA_460 + XSA_461 + ] + ); in -callPackage (import ../generic.nix { +callPackage (import ../generic/default.nix { + pname = "xen"; branch = "4.17"; version = "4.17.4"; latest = false; @@ -28,10 +32,7 @@ callPackage (import ../generic.nix { xen = { rev = "d530627aaa9b6e03c7f911434bb342fca3d13300"; hash = "sha256-4ltQUzo4XPzGT/7fGt1hnNMqBQBVF7VP+WXD9ZaJcGo="; - patches = [ - ./0000-xen-ipxe-src-4.17.patch - ./0001-xen-fig-geneneration-4.17.patch - ] ++ upstreamPatchList; + patches = [ ] ++ upstreamPatchList; }; qemu = { rev = "ffb451126550b22b43b62fb8731a0d78e3376c03"; diff --git a/pkgs/applications/virtualization/xen/4.18/0000-xen-ipxe-src-4.18.patch b/pkgs/applications/virtualization/xen/4.18/0000-xen-ipxe-src-4.18.patch deleted file mode 100644 index d96023d1946ae..0000000000000 --- a/pkgs/applications/virtualization/xen/4.18/0000-xen-ipxe-src-4.18.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -Hack to make etherboot use pre-fetched iPXE. - -diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile -index ed9e11305f..979a3acea8 100644 ---- a/tools/firmware/etherboot/Makefile -+++ b/tools/firmware/etherboot/Makefile -@@ -16,6 +16,7 @@ IPXE_TARBALL_URL ?= $(XEN_EXTFILES_URL)/ipxe-git-$(IPXE_GIT_TAG).tar.gz - - D=ipxe - T=ipxe.tar.gz -+G=ipxe.git - - ROMS = $(addprefix $D/src/bin/, $(addsuffix .rom, $(ETHERBOOT_NICS))) - ROM = $D/src/bin/ipxe.bin -@@ -41,9 +42,9 @@ $T: - fi - mv _$T $T - --$D/src/arch/i386/Makefile: $T Config -- rm -rf $D -- gzip -dc $T | tar xf - -+$D/src/arch/i386/Makefile: $G Config -+ mkdir $D -+ cp -a $G/* $D - for i in $$(cat patches/series) ; do \ - patch -d $D -p1 --quiet $@.tmp -+ $(FIG2DEV) -L png $< $@.tmp - mv -f $@.tmp $@ - - clean: diff --git a/pkgs/applications/virtualization/xen/4.18/default.nix b/pkgs/applications/virtualization/xen/4.18/default.nix index 292d55058e7bf..ed2df662e26e6 100644 --- a/pkgs/applications/virtualization/xen/4.18/default.nix +++ b/pkgs/applications/virtualization/xen/4.18/default.nix @@ -7,20 +7,24 @@ }@genericDefinition: let - upstreamPatches = import ../patches.nix { + upstreamPatches = import ../generic/patches.nix { inherit lib; inherit fetchpatch; }; - upstreamPatchList = lib.lists.flatten [ - upstreamPatches.QUBES_REPRODUCIBLE_BUILDS - upstreamPatches.XSA_458 - upstreamPatches.XSA_460 - upstreamPatches.XSA_461 - ]; + upstreamPatchList = lib.lists.flatten ( + with upstreamPatches; + [ + QUBES_REPRODUCIBLE_BUILDS + XSA_458 + XSA_460 + XSA_461 + ] + ); in -callPackage (import ../generic.nix { +callPackage (import ../generic/default.nix { + pname = "xen"; branch = "4.18"; version = "4.18.2"; latest = false; 
@@ -28,10 +32,7 @@ callPackage (import ../generic.nix { xen = { rev = "d152a0424677d8b78e00ed1270a583c5dafff16f"; hash = "sha256-pHCjj+Bcy4xQfB9xHU9fccFwVdP2DXrUhdszwGvrdmY="; - patches = [ - ./0000-xen-ipxe-src-4.18.patch - ./0001-xen-fig-geneneration-4.18.patch - ] ++ upstreamPatchList; + patches = [ ] ++ upstreamPatchList; }; qemu = { rev = "0df9387c8983e1b1e72d8c574356f572342c03e6"; diff --git a/pkgs/applications/virtualization/xen/4.19/0000-xen-ipxe-src-4.19.patch b/pkgs/applications/virtualization/xen/4.19/0000-xen-ipxe-src-4.19.patch deleted file mode 100644 index d96023d1946ae..0000000000000 --- a/pkgs/applications/virtualization/xen/4.19/0000-xen-ipxe-src-4.19.patch +++ /dev/null @@ -1,27 +0,0 @@ -Hack to make etherboot use pre-fetched iPXE. - -diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile -index ed9e11305f..979a3acea8 100644 ---- a/tools/firmware/etherboot/Makefile -+++ b/tools/firmware/etherboot/Makefile -@@ -16,6 +16,7 @@ IPXE_TARBALL_URL ?= $(XEN_EXTFILES_URL)/ipxe-git-$(IPXE_GIT_TAG).tar.gz - - D=ipxe - T=ipxe.tar.gz -+G=ipxe.git - - ROMS = $(addprefix $D/src/bin/, $(addsuffix .rom, $(ETHERBOOT_NICS))) - ROM = $D/src/bin/ipxe.bin -@@ -41,9 +42,9 @@ $T: - fi - mv _$T $T - --$D/src/arch/i386/Makefile: $T Config -- rm -rf $D -- gzip -dc $T | tar xf - -+$D/src/arch/i386/Makefile: $G Config -+ mkdir $D -+ cp -a $G/* $D - for i in $$(cat patches/series) ; do \ - patch -d $D -p1 --quiet $@.tmp -+ $(FIG2DEV) -L png $< $@.tmp - mv -f $@.tmp $@ - - clean: diff --git a/pkgs/applications/virtualization/xen/4.19/default.nix b/pkgs/applications/virtualization/xen/4.19/default.nix index 278c40121433a..5b8cf5d21788a 100644 --- a/pkgs/applications/virtualization/xen/4.19/default.nix +++ b/pkgs/applications/virtualization/xen/4.19/default.nix 
@@ -7,19 +7,23 @@ }@genericDefinition: let - upstreamPatches = import ../patches.nix { + upstreamPatches = import ../generic/patches.nix { inherit lib; inherit fetchpatch; }; - upstreamPatchList = lib.lists.flatten [ - upstreamPatches.QUBES_REPRODUCIBLE_BUILDS - upstreamPatches.XSA_460 - upstreamPatches.XSA_461 - ]; + upstreamPatchList = lib.lists.flatten ( + with upstreamPatches; + [ + QUBES_REPRODUCIBLE_BUILDS + XSA_460 + XSA_461 + ] + ); in -callPackage (import ../generic.nix { +callPackage (import ../generic/default.nix { + pname = "xen"; branch = "4.19"; version = "4.19.0"; latest = true; @@ -27,10 +31,7 @@ callPackage (import ../generic.nix { xen = { rev = "026c9fa29716b0ff0f8b7c687908e71ba29cf239"; hash = "sha256-Q6x+2fZ4ITBz6sKICI0NHGx773Rc919cl+wzI89UY+Q="; - patches = [ - ./0000-xen-ipxe-src-4.19.patch - ./0001-xen-fig-geneneration-4.19.patch - ] ++ upstreamPatchList; + patches = [ ] ++ upstreamPatchList; }; qemu = { rev = "0df9387c8983e1b1e72d8c574356f572342c03e6"; diff --git a/pkgs/applications/virtualization/xen/README.md b/pkgs/applications/virtualization/xen/README.md index c059808dcecbf..0df84ad8e4c25 100644 --- a/pkgs/applications/virtualization/xen/README.md +++ b/pkgs/applications/virtualization/xen/README.md 
@@ -88,14 +88,15 @@ open a PR fixing the script, and update Xen manually: ### For Both Update Methods -1. Update `packages.nix` with the new versions. Don't forget the `slim` packages! +1. Update `packages.nix` and `../../../top-level/all-packages.nix` with the new + versions. Don't forget the `slim` packages! 1. Make sure all branches build. (Both the `standard` and `slim` versions) 1. Use the NixOS module to test if dom0 boots successfully on all new versions. 1. Make sure the `meta` attributes evaluate to something that makes sense. The following one-line command is useful for testing this: ```console - xenToEvaluate=xen; echo -e "\033[1m$(nix eval .#"$xenToEvaluate".meta.description 2> /dev/null | tail -c +2 | head -c -2)\033[0m\n\n$(nix eval .#"$xenToEvaluate".meta.longDescription 2> /dev/null | tail -c +2 | head -c -2)" + xenToEvaluate=xen; echo -e "\033[1m$(nix eval .#"$xenToEvaluate".meta.description --raw 2> /dev/null)\033[0m\n\n$(nix eval .#"$xenToEvaluate".meta.longDescription --raw 2> /dev/null)" ``` Change the value of `xenToEvaluate` to evaluate all relevant Xen packages. @@ -118,7 +119,7 @@ are requested by the main Xen build. Building `xen.efi` requires an `ld` with PE support.[^2] We use a `makeFlag` to override the `$LD` environment variable to point to our -patched `efiBinutils`. For more information, see the comment in `./generic.nix`. +patched `efiBinutils`. For more information, see the comment in `./generic/default.nix`. > [!TIP] > If you are certain you will not be running Xen in an x86 EFI environment, disable diff --git a/pkgs/applications/virtualization/xen/4.16/0000-xen-ipxe-src-4.16.patch b/pkgs/applications/virtualization/xen/generic/0000-xen-ipxe-src-generic.patch similarity index 100% rename from pkgs/applications/virtualization/xen/4.16/0000-xen-ipxe-src-4.16.patch rename to pkgs/applications/virtualization/xen/generic/0000-xen-ipxe-src-generic.patch 
diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic/default.nix similarity index 77% rename from pkgs/applications/virtualization/xen/generic.nix rename to pkgs/applications/virtualization/xen/generic/default.nix index b8672770e5bdd..d273f9b1f381d 100644 --- a/pkgs/applications/virtualization/xen/generic.nix +++ b/pkgs/applications/virtualization/xen/generic/default.nix @@ -58,8 +58,6 @@ versionDefinition: binutils-unwrapped, # Documentation - fig2dev, - imagemagick, pandoc, # Scripts @@ -81,7 +79,7 @@ versionDefinition: let #TODO: fix paths instead. - scriptEnvPath = lib.strings.concatMapStringsSep ":" (x: "${x}/bin") [ + scriptEnvPath = lib.strings.makeSearchPathOutput "out" "bin" [ bridge-utils coreutils diffutils @@ -95,20 +93,30 @@ let nbd openvswitch perl - util-linux + util-linux.bin which ]; + # Inherit attributes from a versionDefinition. + inherit (versionDefinition) pname; inherit (versionDefinition) branch; inherit (versionDefinition) version; inherit (versionDefinition) latest; inherit (versionDefinition) pkg; - pname = "xen"; - # Sources needed to build tools and firmwares. + # Mark versions older than minSupportedVersion as EOL. + minSupportedVersion = "4.16"; + + ## Pre-fetched Source Handling ## + + # Main attribute set for sources needed to build tools and firmwares. + # Each source takes in: + # * A `src` attribute, which contains the actual fetcher, + # * A 'patches` attribute, which is a list of patches that need to be applied in the source. + # * A `path` attribute, which is the destination of the source inside the Xen tree. prefetchedSources = lib.attrsets.optionalAttrs withInternalQEMU { - qemu-xen = { + qemu = { src = fetchgit { url = "https://xenbits.xen.org/git-http/qemu-xen.git"; fetchSubmodules = true; 
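Review bot: `minSupportedVersion = "4.16";` is load-bearing in more places than its comment says: besides gating `knownVulnerabilities` and `maintainers` later in this file, `update.sh` in this same diff recovers it with a `grep " minSupportedVersion = "` / `sed` pair, so a rename, a different quoting style or a trailing comment on that line would silently change which branches the updater considers supported. Say so next to the definition, e.g. `# Also scraped by ../update.sh with grep/sed — keep the exact form `minSupportedVersion = "x.y";` on its own line.` The `prefetchedSources` header comment is a good addition; it would be worth stating there that `src` must be an absolute store path (the copy helper further down concatenates it directly into `cp` without quoting), and the stray `'patches`` backtick in that comment should be a plain backtick pair. The `let` block this hunk edits starts before it.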
@@ -116,14 +124,11 @@ let inherit (pkg.qemu) hash; }; patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.qemu) pkg.qemu.patches; - postPatch = '' - substituteInPlace scripts/tracetool.py \ - --replace-fail "/usr/bin/env python" "${python311Packages.python}/bin/python" - ''; + path = "tools/qemu-xen"; }; } // lib.attrsets.optionalAttrs withInternalSeaBIOS { - "firmware/seabios-dir-remote" = { + seaBIOS = { src = fetchgit { url = "https://xenbits.xen.org/git-http/seabios.git"; inherit (pkg.seaBIOS) rev; @@ -132,10 +137,11 @@ let patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.seaBIOS) pkg.seaBIOS.patches; + path = "tools/firmware/seabios-dir-remote"; }; } // lib.attrsets.optionalAttrs withInternalOVMF { - "firmware/ovmf-dir-remote" = { + ovmf = { src = fetchgit { url = "https://xenbits.xen.org/git-http/ovmf.git"; fetchSubmodules = true; @@ -143,15 +149,11 @@ let inherit (pkg.ovmf) hash; }; patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.ovmf) pkg.ovmf.patches; - postPatch = '' - substituteInPlace \ - OvmfPkg/build.sh BaseTools/BinWrappers/PosixLike/{AmlToC,BrotliCompress,build,GenFfs,GenFv,GenFw,GenSec,LzmaCompress,TianoCompress,Trim,VfrCompile} \ - --replace-fail "/usr/bin/env bash" ${stdenv.shell} - ''; + path = "tools/firmware/ovmf-dir-remote"; }; } // lib.attrsets.optionalAttrs withInternalIPXE { - "firmware/etherboot/ipxe.git" = { + ipxe = { src = fetchFromGitHub { owner = "ipxe"; repo = "ipxe"; 
@@ -159,10 +161,68 @@ let inherit (pkg.ipxe) hash; }; patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.ipxe) pkg.ipxe.patches; + path = "tools/firmware/etherboot/ipxe.git"; }; }; - withPrefetchedSources = - sourcePkg: lib.strings.concatLines (lib.attrsets.mapAttrsToList sourcePkg prefetchedSources); + + # Gets a list containing the names of the top-level attribute for each pre-fetched + # source, to be used in the map functions below. + prefetchedSourcesList = lib.attrsets.mapAttrsToList (name: value: name) prefetchedSources; + + # Produces bash commands that will copy each pre-fetched source. + copyPrefetchedSources = + # Finish the deployment by concatnating the list of commands together. + lib.strings.concatLines ( + # Iterate on each pre-fetched source. + builtins.map ( + source: + # Only produce a copy command if patches exist. + lib.strings.optionalString (lib.attrsets.hasAttrByPath [ "${source}" ] prefetchedSources) + # The actual copy command. `src` is always an absolute path to a fetcher output + # inside the /nix/store, and `path` is always a path relative to the Xen root. + # We need to `mkdir -p` the target directory first, and `chmod +w` the contents last, + # as the copied files will still be edited by the postPatchPhase. + '' + echo "Copying ${prefetchedSources.${source}.src} -> ${prefetchedSources.${source}.path}" + mkdir --parents ${prefetchedSources.${source}.path} + cp --recursive --no-target-directory ${prefetchedSources.${source}.src} ${ + prefetchedSources.${source}.path + } + chmod --recursive +w ${prefetchedSources.${source}.path} + '' + ) prefetchedSourcesList + ); + + # Produces strings with `patch` commands to be ran on postPatch. + # These deploy the .patch files for each pre-fetched source. + deployPrefetchedSourcesPatches = + # Finish the deployment by concatnating the list of commands together. + lib.strings.concatLines ( + # The double map functions create a list of lists. 
Flatten it so we can concatnate it. + lib.lists.flatten ( + # Iterate on each pre-fetched source. + builtins.map ( + source: + # Iterate on each available patch. + (builtins.map ( + patch: + # Only produce a patch command if patches exist. + lib.strings.optionalString + (lib.attrsets.hasAttrByPath [ + "${source}" + "patches" + ] prefetchedSources) + # The actual patch command. It changes directories to the correct source each time. + '' + echo "Applying patch ${patch} to ${source}." + patch --directory ${prefetchedSources.${source}.path} --strip 1 < ${patch} + '' + ) prefetchedSources.${source}.patches) + ) prefetchedSourcesList + ) + ); + + ## XSA Patches Description Builder ## # Sometimes patches are sourced through a path, like ./0000-xen.patch. # This would break the patch attribute parser functions, so we normalise @@ -175,7 +235,7 @@ let if builtins.isPath patch then { type = "path"; } else - throw "xen/generic.nix: normalisedPatchList attempted to normalise something that is not a Path or an Attribute Set." + throw "xen/generic/default.nix: normalisedPatchList attempted to normalise something that is not a Path or an Attribute Set." else patch ) pkg.xen.patches; @@ -241,19 +301,7 @@ let else [ ]; - withTools = - attr: file: - withPrefetchedSources ( - name: source: - lib.strings.optionalString (builtins.hasAttr attr source) '' - echo "processing ${name}" - __do() { - cd "tools/${name}" - ${file name source} - } - ( __do ) - '' - ); + ## Binutils Override ## # Originally, there were two versions of binutils being used: the standard one and # this patched one. Unfortunately, that required patches to the Xen Makefiles, and @@ -264,6 +312,7 @@ let name = "efi-binutils"; configureFlags = oldAttrs.configureFlags ++ [ "--enable-targets=x86_64-pep" ]; doInstallCheck = false; # We get a spurious failure otherwise, due to a host/target mismatch. + meta.mainProgram = "ld"; # We only really care for `ld`. }); in 
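Review bot: The `optionalString (hasAttrByPath [ "${source}" ] prefetchedSources)` guard in `copyPrefetchedSources` can never be false, because `source` ranges over `prefetchedSourcesList`, which is exactly the attribute names of `prefetchedSources`, and the comment above it, `# Only produce a copy command if patches exist.`, describes a check that is not made — the copy does not look at `patches` at all. Either drop the guard and the comment, or, if the intent was to skip entries without a source, test `prefetchedSources.${source} ? src` and say that. The same comment is copied into `deployPrefetchedSourcesPatches`, where the `hasAttrByPath [ "${source}" "patches" ]` test is evaluated inside the inner map over `prefetchedSources.${source}.patches`, so an entry without `patches` would already have failed at the `builtins.map` before the guard is reached; since every entry sets `patches` via `lib.lists.optionals`, a truthful replacement is `# patches is always a list here (see lib.lists.optionals above); this only documents the expected shape.` The `patch --directory ... --strip 1 < ${patch}` line relies on the build shell's errexit to abort on a rejected hunk, which deserves a one-line `# a rejected hunk aborts the build (stdenv runs with set -e)`. Spelling: `concatnating` → `concatenating` in both helper comments.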
@@ -286,16 +335,17 @@ stdenv.mkDerivation (finalAttrs: { inherit (pkg.xen) hash; }; - # Gets the patches from the pkg.xen.patches attribute from the versioned files. - patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.xen) pkg.xen.patches; + patches = + # Generic Xen patches that apply to all Xen versions. + [ ./0000-xen-ipxe-src-generic.patch ] + # Gets the patches from the pkg.xen.patches attribute from the versioned files. + ++ lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.xen) pkg.xen.patches; nativeBuildInputs = [ autoPatchelfHook bison cmake - fig2dev - imagemagick # Causes build failures in Hydra related to fig generation if not included. flex pandoc pkg-config @@ -325,7 +375,6 @@ stdenv.mkDerivation (finalAttrs: { # oxenstored ocamlPackages.findlib ocamlPackages.ocaml - systemdMinimal # Python Fixes python311Packages.wrapPython @@ -335,10 +384,14 @@ stdenv.mkDerivation (finalAttrs: { pixman ] ++ lib.lists.optional withInternalOVMF nasm - ++ lib.lists.optional withFlask checkpolicy; + ++ lib.lists.optional withFlask checkpolicy + ++ lib.lists.optional (lib.strings.versionOlder version "4.19") systemdMinimal; configureFlags = - [ "--enable-systemd" ] + [ + "--enable-systemd" + "--disable-qemu-traditional" + ] ++ lib.lists.optional (!withInternalQEMU) "--with-system-qemu" ++ lib.lists.optional withSeaBIOS "--with-system-seabios=${seabios}/share/seabios" 
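Review bot: `./0000-xen-ipxe-src-generic.patch` is now added to `patches` unconditionally, whereas the per-version patch it replaces was listed next to a matching `withInternalIPXE` source; the patch rewires `tools/firmware/etherboot/Makefile` to depend on an `ipxe.git` directory that `copyPrefetchedSources` only creates when `withInternalIPXE` is true. If the etherboot Makefile is still entered in the `--with-system-ipxe` configuration (not visible here), make would fail on the missing `$G` prerequisite rather than use the system iPXE. Gate it the same way as the source, `lib.lists.optional withInternalIPXE ./0000-xen-ipxe-src-generic.patch`, or add a comment stating why applying it in every configuration is safe. The comment `# Generic Xen patches that apply to all Xen versions.` should also note that these are applied before the version-specific and XSA patches, since order matters when hunks overlap.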
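Review bot: `systemdMinimal` is added only for `lib.strings.versionOlder version "4.19"` while `--enable-systemd` stays in `configureFlags` for every version, and nothing in the hunk says why the two diverge. If 4.19 no longer links against libsystemd (which the condition implies but is not visible here), record it so the next bump does not "fix" the mismatch: `# Xen < 4.19 links libsystemd for sd_notify; 4.19+ keeps --enable-systemd but no longer needs the library — confirm against tools/configure when bumping.` `--disable-qemu-traditional` is likewise new and silent; a short `# qemu-traditional is deleted from the tree in postUnpack/prePatch and not supported here` next to it would tie it to the `rm --recursive --force tools/qemu-xen-traditional` that appears later in this file.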
@@ -348,20 +401,21 @@ stdenv.mkDerivation (finalAttrs: { ++ lib.lists.optional withInternalOVMF "--enable-ovmf" ++ lib.lists.optional withIPXE "--with-system-ipxe=${ipxe}" - ++ lib.lists.optional withInternalIPXE "--enable-ipxe"; + ++ lib.lists.optional withInternalIPXE "--enable-ipxe" + + ++ lib.lists.optional withFlask "--enable-xsmpolicy"; makeFlags = [ "PREFIX=$(out)" "CONFIG_DIR=/etc" - "XEN_EXTFILES_URL=\\$(XEN_ROOT)/xen_ext_files" "XEN_SCRIPT_DIR=$(CONFIG_DIR)/xen/scripts" "BASH_COMPLETION_DIR=$(PREFIX)/share/bash-completion/completions" ] ++ lib.lists.optionals withEFI [ "EFI_VENDOR=${efiVendor}" "INSTALL_EFI_STRIP=1" - "LD=${efiBinutils}/bin/ld" # See the comment in the efiBinutils definition above. + "LD=${lib.meta.getExe efiBinutils}" # See the comment in the efiBinutils definition above. ] # These flags set the CONFIG_* options in /boot/xen.config # and define if the default policy file is built. However, @@ -442,17 +496,9 @@ stdenv.mkDerivation (finalAttrs: { rm --recursive --force tools/qemu-xen tools/qemu-xen-traditional '' - # The following expression moves the sources we fetched in the - # versioned Nix expressions to their correct locations inside - # the Xen source tree. + # Call copyPrefetchedSources, which copies all aviable sources to their correct positions. + '' - ${withPrefetchedSources ( - name: source: '' - echo "Copying pre-fetched source: ${source.src} -> tools/${name}" - cp --recursive ${source.src} tools/${name} - chmod --recursive +w tools/${name} - '' - )} + ${copyPrefetchedSources} ''; postPatch = 
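Review bot: Dropping `XEN_EXTFILES_URL=\$(XEN_ROOT)/xen_ext_files` from `makeFlags` hands the variable back to Xen's own default, and the etherboot Makefile shown in the deleted per-version patches derives `IPXE_TARBALL_URL` from it — so any target that still references an ext file would now attempt a remote download instead of failing fast on a missing local file. Inside the Nix sandbox that download cannot succeed, but the failure surfaces as a fetch error rather than an obvious "pre-fetched source missing", and in an unsandboxed build (e.g. a `nix-shell` development build) it may pull unpinned content. Unless every consumer of `XEN_EXTFILES_URL` is known to be gone with `--disable-qemu-traditional` and the generic ipxe patch, keep the override, or leave a comment explaining why it is no longer needed: `# XEN_EXTFILES_URL is deliberately not overridden: every ext file (ipxe, qemu-traditional) is pre-fetched or disabled above.`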
@@ -485,31 +531,16 @@ stdenv.mkDerivation (finalAttrs: { --replace-fail "/bin/mkdir" "${coreutils}/bin/mkdir" '' - # The following expression applies the patches defined on each - # prefetchedSources attribute. + # # Call deployPrefetchedSourcesPatches, which patches all pre-fetched sources with their specified patchlists. + + '' + ${deployPrefetchedSourcesPatches} + '' + # Patch shebangs for QEMU and OVMF build scripts. + '' - ${withTools "patches" ( - name: source: '' - ${lib.strings.concatMapStringsSep "\n" (patch: '' - echo "Patching with ${patch}" - patch --strip 1 < ${patch} - '') source.patches} - '' - )} - - ${withTools "postPatch" (name: source: source.postPatch)} - - ${pkg.xen.postPatch or ""} + patchShebangs --build tools/qemu-xen/scripts/tracetool.py + patchShebangs --build tools/firmware/ovmf-dir-remote/OvmfPkg/build.sh tools/firmware/ovmf-dir-remote/BaseTools/BinWrappers/PosixLike/{AmlToC,BrotliCompress,build,GenFfs,GenFv,GenFw,GenSec,LzmaCompress,TianoCompress,Trim,VfrCompile} ''; - preBuild = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "preBuild" ] pkg.xen) pkg.xen.preBuild; - - postBuild = '' - ${withTools "buildPhase" (name: source: source.buildPhase)} - - ${pkg.xen.postBuild or ""} - ''; - installPhase = let cpFlags = builtins.toString [ @@ -555,12 +586,6 @@ stdenv.mkDerivation (finalAttrs: { for i in $out/etc/xen/scripts/!(*.sh); do sed --in-place "2s@^@export PATH=$out/bin:${scriptEnvPath}\n@" $i done - '' - - + '' - ${withTools "installPhase" (name: source: source.installPhase)} - - ${pkg.xen.installPhase or ""} ''; postFixup = 
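Review bot: The two `patchShebangs --build` calls in `postPatch` are unconditional, but the paths they touch (`tools/qemu-xen`, `tools/firmware/ovmf-dir-remote`) exist only when `withInternalQEMU` / `withInternalOVMF` are set — the old per-source `postPatch` hooks ran only for fetched sources, so the `slim` variants (which disable those flags in `packages.nix`) will now run `patchShebangs` against missing files. Whether that is fatal depends on how `patchShebangs` reports a missing argument; either way it should be gated like the copy step. The hunk also removes the `pkg.xen.postPatch`, `preBuild`, `postBuild` and `installPhase` pass-throughs without a replacement, so a version file that still sets one of them would be ignored silently — consider a `lib.warnIf (pkg.xen ? postPatch) "..."` or a note in the `prefetchedSources`/`versionDefinition` docs that these hooks are no longer honoured. The enclosing `postPatch` string starts before this hunk.

```nix
  # … unchanged: substituteInPlace of /bin/mkdir etc. …
  + ''
    ${deployPrefetchedSourcesPatches}
  ''
  # Patch shebangs only for the build scripts we actually fetched; the
  # directories do not exist in the slim variants.
  + lib.strings.optionalString withInternalQEMU ''
    patchShebangs --build tools/qemu-xen/scripts/tracetool.py
  ''
  + lib.strings.optionalString withInternalOVMF ''
    patchShebangs --build tools/firmware/ovmf-dir-remote/OvmfPkg/build.sh tools/firmware/ovmf-dir-remote/BaseTools/BinWrappers/PosixLike/{AmlToC,BrotliCompress,build,GenFfs,GenFv,GenFw,GenSec,LzmaCompress,TianoCompress,Trim,VfrCompile}
  '';
```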
@@ -632,7 +657,7 @@ stdenv.mkDerivation (finalAttrs: { # Starts with the longDescription from ./packages.nix. (packageDefinition.meta.longDescription or "") + lib.strings.optionalString (!withInternalQEMU) ( - "\nUse with `qemu_xen_${lib.stringAsChars (x: if x == "." then "_" else x) branch}`" + "\nUse with `qemu_xen_${lib.strings.stringAsChars (x: if x == "." then "_" else x) branch}`" + lib.strings.optionalString latest " or `qemu_xen`" + ".\n" ) @@ -679,11 +704,14 @@ stdenv.mkDerivation (finalAttrs: { # Development headers in $dev/include. mit ]; - maintainers = [ lib.maintainers.sigmasquadron ]; + # This automatically removes maintainers from EOL versions of Xen, so we aren't bothered about versions we don't explictly support. + maintainers = lib.lists.optionals (lib.strings.versionAtLeast version minSupportedVersion) ( + with lib.maintainers; [ sigmasquadron ] + ); mainProgram = "xl"; # Evaluates to x86_64-linux. platforms = lib.lists.intersectLists lib.platforms.linux lib.platforms.x86_64; - knownVulnerabilities = lib.lists.optionals (lib.strings.versionOlder version "4.16") [ + knownVulnerabilities = lib.lists.optionals (lib.strings.versionOlder version minSupportedVersion) [ "Xen ${version} is no longer supported by the Xen Security Team. See https://xenbits.xenproject.org/docs/unstable/support-matrix.html" ]; }; diff --git a/pkgs/applications/virtualization/xen/patches.nix b/pkgs/applications/virtualization/xen/generic/patches.nix similarity index 100% rename from pkgs/applications/virtualization/xen/patches.nix rename to pkgs/applications/virtualization/xen/generic/patches.nix diff --git a/pkgs/applications/virtualization/xen/packages.nix b/pkgs/applications/virtualization/xen/packages.nix index 96bd42e052013..5f0f50ecd736c 100644 --- a/pkgs/applications/virtualization/xen/packages.nix +++ b/pkgs/applications/virtualization/xen/packages.nix 
@@ -62,7 +62,4 @@ rec { withInternalIPXE = false; inherit (slim) meta; }; - - xen = xen_4_19; - xen-slim = xen_4_19-slim; } diff --git a/pkgs/applications/virtualization/xen/update.sh b/pkgs/applications/virtualization/xen/update.sh index 0b0c7516fa835..6ac8ba5a825ce 100755 --- a/pkgs/applications/virtualization/xen/update.sh +++ b/pkgs/applications/virtualization/xen/update.sh @@ -1,10 +1,9 @@ #!/usr/bin/env nix-shell #!nix-shell -i bash -p gitMinimal curl gnupg nix-prefetch-git nixfmt-rfc-style # shellcheck disable=SC2206,SC2207 shell=bash -set -e - -# Set a temporary $HOME in /tmp for GPG. -HOME=/tmp/xenUpdateScript +set -o errexit +set -o pipefail +set -o nounset # This script expects to be called in an interactive terminal somewhere inside Nixpkgs. echo "Preparing..." @@ -15,8 +14,8 @@ mkdir /tmp/xenUpdateScript # Import and verify PGP key. curl --silent --output /tmp/xenUpdateScript/xen.asc https://keys.openpgp.org/vks/v1/by-fingerprint/23E3222C145F4475FA8060A783FE14C957E82BD9 -gpg --quiet --import /tmp/xenUpdateScript/xen.asc -fingerprint="$(gpg --with-colons --fingerprint "pgp@xen.org" 2>/dev/null | awk -F: '/^pub:.*/ { getline; print $10}')" +gpg --homedir /tmp/xenUpdateScript/.gnupg --quiet --import /tmp/xenUpdateScript/xen.asc +fingerprint="$(gpg --homedir /tmp/xenUpdateScript/.gnupg --with-colons --fingerprint "pgp@xen.org" 2>/dev/null | awk -F: '/^pub:.*/ { getline; print $10}')" echo -e "Please ascertain through multiple external sources that the \e[1;32mXen Project PGP Key Fingerprint\e[0m is indeed \e[1;33m$fingerprint\e[0m. If that is not the case, \e[1;31mexit immediately\e[0m." read -r -p $'Press \e[1;34menter\e[0m to continue with a pre-filled expected fingerprint, or input an arbitrary PGP fingerprint to match with the key\'s fingerprint: ' userInputFingerprint userInputFingerprint=${userInputFingerprint:-"23E3222C145F4475FA8060A783FE14C957E82BD9"} 
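Review bot: The GnuPG home used to authenticate Xen release tags is now a fixed path under the world-writable `/tmp` (`--homedir /tmp/xenUpdateScript/.gnupg`), so another local user can pre-create `/tmp/xenUpdateScript`; the preceding `mkdir /tmp/xenUpdateScript` then aborts under `errexit`, which is the safe outcome, but only as long as nothing earlier in the script removes and recreates that directory (not visible in this hunk). A per-run `mktemp -d` with `GNUPGHOME` exported removes the race and, unlike a per-call `--homedir`, is also honoured by the `gpg` that `git verify-tag` spawns later in the script: `workDir="$(mktemp -d)"; export GNUPGHOME="$workDir/.gnupg"; mkdir -m 700 "$GNUPGHOME"`. The `curl` feeding the import is context here, but it runs without `--fail`, so an HTTP error body would be handed to `gpg --import`; the import then fails under `errexit`, which is correct, just with a misleading message — `--fail` would make the cause obvious.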
@@ -32,7 +31,7 @@ latestVersion=$(echo "$versionList" | tr ' ' '\n' | tail --lines=1) branchList=($(echo "$versionList" | tr ' ' '\n' | sed s/\.[0-9]*$//g | awk '!seen[$0]++')) # Figure out which versions we're actually going to install. -minSupportedBranch="$(grep " knownVulnerabilities = lib.lists.optionals (lib.strings.versionOlder version " "$xenPath"/generic.nix | sed s/' knownVulnerabilities = lib.lists.optionals (lib.strings.versionOlder version "'//g | sed s/'") \['//g)" +minSupportedBranch="$(grep " minSupportedVersion = " "$xenPath"/generic/default.nix | sed s/' minSupportedVersion = "'//g | sed s/'";'//g)" supportedBranches=($(for version in "${branchList[@]}"; do if [ "$(printf '%s\n' "$minSupportedBranch" "$version" | sort -V | head -n1)" = "$minSupportedBranch" ]; then echo "$version"; fi; done)) supportedVersions=($(for version in "${supportedBranches[@]}"; do echo "$versionList" | tr ' ' '\n' | grep "$version" | tail --lines=1; done)) 
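Review bot: `minSupportedBranch` is now recovered by `grep`/`sed` over `generic/default.nix`, and the `sed` strips only ` minSupportedVersion = "` with a single leading space; if the Nix line is indented by two (as nixfmt emits inside a `let`), the value keeps a leading space, which then feeds the `sort -V` comparison in `supportedBranches` and may not compare the way a plain `4.16` does. Anchor the pattern and capture the value instead: `minSupportedBranch="$(sed -nE 's/^[[:space:]]*minSupportedVersion = "([^"]+)";.*/\1/p' "$xenPath"/generic/default.nix)"`, or evaluate it with `nix eval` so the script stops depending on the file's formatting. Either way add `[[ -n "$minSupportedBranch" ]] || { echo "could not read minSupportedVersion" >&2; exit 1; }`, because an empty value sorts first in the `printf | sort -V | head -n1` test and would make every branch, including EOL ones, count as supported.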
@@ -51,7 +50,7 @@ for version in "${supportedVersions[@]}"; do # Verify PGP key automatically. If the fingerprint matches what the user specified, or the default fingerprint, then we consider it trusted. cd /tmp/xenUpdateScript/xen if [[ "$fingerprint" = "$userInputFingerprint" ]]; then - echo "$fingerprint:6:" | gpg --quiet --import-ownertrust + echo "$fingerprint:6:" | gpg --homedir /tmp/xenUpdateScript/.gnupg --quiet --import-ownertrust (git verify-tag RELEASE-"$version" 2>/dev/null && echo -e "\n\e[1;32mSuccessfully authenticated Xen $version.\e[0m") || (echo -e "\e[1;31merror:\e[0m Unable to verify tag \e[1;32mRELEASE-$version\e[0m.\n- It is possible that \e[1;33mthis script has broken\e[0m, the Xen Project has \e[1;33mcycled their PGP keys\e[0m, or a \e[1;31msupply chain attack is in progress\e[0m.\n\n\e[1;31mPlease update manually.\e[0m" && exit 1) else echo -e "\e[1;31merror:\e[0m Unable to verify \e[1;34mpgp@xen.org\e[0m's fingerprint.\n- It is possible that \e[1;33mthis script has broken\e[0m, the Xen Project has \e[1;33mcycled their PGP keys\e[0m, or an \e[1;31mimpersonation attack is in progress\e[0m.\n\n\e[1;31mPlease update manually.\e[0m" && exit 1 
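Review bot: The `gpg --homedir /tmp/xenUpdateScript/.gnupg --import-ownertrust` call now populates a keyring that the `git verify-tag RELEASE-"$version"` on the next line does not consult: git invokes `gpg` without `--homedir`, so it uses `$GNUPGHOME` or `~/.gnupg`, and with the `HOME=/tmp/xenUpdateScript` override removed elsewhere in this diff that is the operator's real keyring, where the just-imported Xen key is either absent (every tag lands in the `Unable to verify tag` branch) or already present and accepted independently of the fingerprint check this script performs. Unless `GNUPGHOME` is exported somewhere not shown, the authentication step no longer tests what the preceding fingerprint prompt established. Set the home once for every gpg invocation rather than per call — `export GNUPGHOME=/tmp/xenUpdateScript/.gnupg` near the top of the script — and drop the `--homedir` flags. The `for version` loop enclosing this hunk starts before it.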
@@ -121,11 +120,10 @@ for version in "${supportedVersions[@]}"; do echo -e "Found the following patches:\n \e[1;32mXen\e[0m: \e[1;33m$discoveredXenPatchesEcho\e[0m\n \e[1;36mQEMU\e[0m: \e[1;33m$discoveredQEMUPatchesEcho\e[0m\n \e[1;36mSeaBIOS\e[0m: \e[1;33m$discoveredSeaBIOSPatchesEcho\e[0m\n \e[1;36mOVMF\e[0m: \e[1;33m$discoveredOVMFPatchesEcho\e[0m\n \e[1;36miPXE\e[0m: \e[1;33m$discoveredIPXEPatchesEcho\e[0m" # Prepare patches that are called in ./patches.nix. - defaultPatchListInit=("QUBES_REPRODUCIBLE_BUILDS" "XSA_458") + defaultPatchListInit=("QUBES_REPRODUCIBLE_BUILDS" "XSA_458" "XSA_460" "XSA_461" ) read -r -a defaultPatchList -p $'\nWould you like to override the \e[1;34mupstreamPatches\e[0m list for \e[1;32mXen '"$version"$'\e[0m? If no, press \e[1;34menter\e[0m to use the default patch list: [ \e[1;34m'"${defaultPatchListInit[*]}"$' \e[0m]: ' defaultPatchList=(${defaultPatchList[@]:-${defaultPatchListInit[@]}}) - spaceSeparatedPatchList=${defaultPatchList[*]} - upstreamPatches="upstreamPatches.${spaceSeparatedPatchList// / upstreamPatches.}" + upstreamPatches=${defaultPatchList[*]} # Write and format default.nix file. echo -e "\nWriting updated \e[1;34mversionDefinition\e[0m..." @@ -139,17 +137,18 @@ for version in "${supportedVersions[@]}"; do }@genericDefinition: let - upstreamPatches = import ../patches.nix { + upstreamPatches = import ../generic/patches.nix { inherit lib; inherit fetchpatch; }; - upstreamPatchList = lib.lists.flatten [ + upstreamPatchList = lib.lists.flatten (with upstreamPatches; [ $upstreamPatches - ]; + ]); in -callPackage (import ../generic.nix { +callPackage (import ../generic/default.nix { + pname = "xen"; branch = "$branch"; version = "$version"; latest = $latest; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 1ab45f9ede8ae..2be39754e5a5b 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
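Review bot: `defaultPatchListInit` is a single list for every supported branch and now includes `XSA_458`, but the `4.19/default.nix` regenerated in this same diff lists only `QUBES_REPRODUCIBLE_BUILDS`, `XSA_460` and `XSA_461`, and `4.16/default.nix` has no `QUBES_REPRODUCIBLE_BUILDS` at all, so accepting the default would write a patch list that differs from the checked-in one and, where a patch does not apply to that branch (which the 4.19 omission suggests for XSA-458), a build that fails at `patchPhase`. Derive the default per branch rather than per run, e.g. seed it from the existing `$xenPath/$branch/default.nix` when present, or at minimum key it on `$branch`: `case "$branch" in 4.19) defaultPatchListInit=("QUBES_REPRODUCIBLE_BUILDS" "XSA_460" "XSA_461") ;; 4.16) defaultPatchListInit=("XSA_458" "XSA_460" "XSA_461") ;; *) defaultPatchListInit=("QUBES_REPRODUCIBLE_BUILDS" "XSA_458" "XSA_460" "XSA_461") ;; esac`. Since the names are now interpolated bare inside `with upstreamPatches; [ ... ]`, a misspelt entry no longer fails as a missing attribute but as an undefined variable (or resolves to an outer binding of the same name), so validating each name against `generic/patches.nix` before writing the file would be worthwhile.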
@@ -34730,8 +34730,8 @@ with pkgs; xenPackages = recurseIntoAttrs (callPackage ../applications/virtualization/xen/packages.nix {}); - xen = xenPackages.xen; - xen-slim = xenPackages.xen-slim; + xen = xenPackages.xen_4_19; + xen-slim = xenPackages.xen_4_19-slim; xkbset = callPackage ../tools/X11/xkbset { };