From a52df9cf48d0d2f61e2ea7819c634a2123e8b64f Mon Sep 17 00:00:00 2001 From: Fernando Rodrigues Date: Sun, 11 Aug 2024 16:25:58 +0000 Subject: [PATCH 01/15] xen: move generic files to generic/ directory Most patches used in the Xen build are generic, so let's keep everything that applies to all versions in one folder. Signed-off-by: Fernando Rodrigues --- pkgs/applications/virtualization/xen/4.16/default.nix | 4 ++-- pkgs/applications/virtualization/xen/4.17/default.nix | 4 ++-- pkgs/applications/virtualization/xen/4.18/default.nix | 4 ++-- pkgs/applications/virtualization/xen/4.19/default.nix | 4 ++-- pkgs/applications/virtualization/xen/README.md | 2 +- .../virtualization/xen/{generic.nix => generic/default.nix} | 4 ++-- .../virtualization/xen/{ => generic}/patches.nix | 0 pkgs/applications/virtualization/xen/update.sh | 6 +++--- 8 files changed, 14 insertions(+), 14 deletions(-) rename pkgs/applications/virtualization/xen/{generic.nix => generic/default.nix} (98%) rename pkgs/applications/virtualization/xen/{ => generic}/patches.nix (100%) diff --git a/pkgs/applications/virtualization/xen/4.16/default.nix b/pkgs/applications/virtualization/xen/4.16/default.nix index e67b2b052a6ee..88b4946ef7124 100644 --- a/pkgs/applications/virtualization/xen/4.16/default.nix +++ b/pkgs/applications/virtualization/xen/4.16/default.nix @@ -7,7 +7,7 @@ }@genericDefinition: let - upstreamPatches = import ../patches.nix { + upstreamPatches = import ../generic/patches.nix { inherit lib; inherit fetchpatch; }; @@ -19,7 +19,7 @@ let ]; in -callPackage (import ../generic.nix { +callPackage (import ../generic/default.nix { branch = "4.16"; version = "4.16.6"; latest = false; diff --git a/pkgs/applications/virtualization/xen/4.17/default.nix b/pkgs/applications/virtualization/xen/4.17/default.nix index a179ac94d9c28..31b12685271cb 100644 --- a/pkgs/applications/virtualization/xen/4.17/default.nix +++ b/pkgs/applications/virtualization/xen/4.17/default.nix 
@@ -7,7 +7,7 @@ }@genericDefinition: let - upstreamPatches = import ../patches.nix { + upstreamPatches = import ../generic/patches.nix { inherit lib; inherit fetchpatch; }; @@ -20,7 +20,7 @@ let ]; in -callPackage (import ../generic.nix { +callPackage (import ../generic/default.nix { branch = "4.17"; version = "4.17.4"; latest = false; diff --git a/pkgs/applications/virtualization/xen/4.18/default.nix b/pkgs/applications/virtualization/xen/4.18/default.nix index 292d55058e7bf..0494a2d054e01 100644 --- a/pkgs/applications/virtualization/xen/4.18/default.nix +++ b/pkgs/applications/virtualization/xen/4.18/default.nix @@ -7,7 +7,7 @@ }@genericDefinition: let - upstreamPatches = import ../patches.nix { + upstreamPatches = import ../generic/patches.nix { inherit lib; inherit fetchpatch; }; @@ -20,7 +20,7 @@ let ]; in -callPackage (import ../generic.nix { +callPackage (import ../generic/default.nix { branch = "4.18"; version = "4.18.2"; latest = false; diff --git a/pkgs/applications/virtualization/xen/4.19/default.nix b/pkgs/applications/virtualization/xen/4.19/default.nix index 278c40121433a..469302f14b2b6 100644 --- a/pkgs/applications/virtualization/xen/4.19/default.nix +++ b/pkgs/applications/virtualization/xen/4.19/default.nix @@ -7,7 +7,7 @@ }@genericDefinition: let - upstreamPatches = import ../patches.nix { + upstreamPatches = import ../generic/patches.nix { inherit lib; inherit fetchpatch; }; @@ -19,7 +19,7 @@ let ]; in -callPackage (import ../generic.nix { +callPackage (import ../generic/default.nix { branch = "4.19"; version = "4.19.0"; latest = true; diff --git a/pkgs/applications/virtualization/xen/README.md b/pkgs/applications/virtualization/xen/README.md index c059808dcecbf..5f16607b25cba 100644 --- a/pkgs/applications/virtualization/xen/README.md +++ b/pkgs/applications/virtualization/xen/README.md 
@@ -118,7 +118,7 @@ are requested by the main Xen build. Building `xen.efi` requires an `ld` with PE support.[^2] We use a `makeFlag` to override the `$LD` environment variable to point to our -patched `efiBinutils`. For more information, see the comment in `./generic.nix`. +patched `efiBinutils`. For more information, see the comment in `./generic/default.nix`. > [!TIP] > If you are certain you will not be running Xen in an x86 EFI environment, disable diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic/default.nix similarity index 98% rename from pkgs/applications/virtualization/xen/generic.nix rename to pkgs/applications/virtualization/xen/generic/default.nix index b8672770e5bdd..591d4ab945e4d 100644 --- a/pkgs/applications/virtualization/xen/generic.nix +++ b/pkgs/applications/virtualization/xen/generic/default.nix @@ -175,7 +175,7 @@ let if builtins.isPath patch then { type = "path"; } else - throw "xen/generic.nix: normalisedPatchList attempted to normalise something that is not a Path or an Attribute Set." + throw "xen/generic/default.nix: normalisedPatchList attempted to normalise something that is not a Path or an Attribute Set." else patch ) pkg.xen.patches; @@ -632,7 +632,7 @@ stdenv.mkDerivation (finalAttrs: { # Starts with the longDescription from ./packages.nix. (packageDefinition.meta.longDescription or "") + lib.strings.optionalString (!withInternalQEMU) ( - "\nUse with `qemu_xen_${lib.stringAsChars (x: if x == "." then "_" else x) branch}`" + "\nUse with `qemu_xen_${lib.strings.stringAsChars (x: if x == "." then "_" else x) branch}`" + lib.strings.optionalString latest " or `qemu_xen`" + ".\n" ) diff --git a/pkgs/applications/virtualization/xen/patches.nix b/pkgs/applications/virtualization/xen/generic/patches.nix similarity index 100% rename from pkgs/applications/virtualization/xen/patches.nix rename to pkgs/applications/virtualization/xen/generic/patches.nix 
diff --git a/pkgs/applications/virtualization/xen/update.sh b/pkgs/applications/virtualization/xen/update.sh index 0b0c7516fa835..f5034d11c0af3 100755 --- a/pkgs/applications/virtualization/xen/update.sh +++ b/pkgs/applications/virtualization/xen/update.sh @@ -32,7 +32,7 @@ latestVersion=$(echo "$versionList" | tr ' ' '\n' | tail --lines=1) branchList=($(echo "$versionList" | tr ' ' '\n' | sed s/\.[0-9]*$//g | awk '!seen[$0]++')) # Figure out which versions we're actually going to install. -minSupportedBranch="$(grep " knownVulnerabilities = lib.lists.optionals (lib.strings.versionOlder version " "$xenPath"/generic.nix | sed s/' knownVulnerabilities = lib.lists.optionals (lib.strings.versionOlder version "'//g | sed s/'") \['//g)" +minSupportedBranch="$(grep " knownVulnerabilities = lib.lists.optionals (lib.strings.versionOlder version " "$xenPath"/generic/default.nix | sed s/' knownVulnerabilities = lib.lists.optionals (lib.strings.versionOlder version "'//g | sed s/'") \['//g)" supportedBranches=($(for version in "${branchList[@]}"; do if [ "$(printf '%s\n' "$minSupportedBranch" "$version" | sort -V | head -n1)" = "$minSupportedBranch" ]; then echo "$version"; fi; done)) supportedVersions=($(for version in "${supportedBranches[@]}"; do echo "$versionList" | tr ' ' '\n' | grep "$version" | tail --lines=1; done)) @@ -139,7 +139,7 @@ for version in "${supportedVersions[@]}"; do }@genericDefinition: let - upstreamPatches = import ../patches.nix { + upstreamPatches = import ../generic/patches.nix { inherit lib; inherit fetchpatch; }; @@ -149,7 +149,7 @@ let ]; in -callPackage (import ../generic.nix { +callPackage (import ../generic/default.nix { branch = "$branch"; version = "$version"; latest = $latest; From 403837b6a8ef48cd2573bd6d3e703a6e42561523 Mon Sep 17 00:00:00 2001 
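Review bot: `minSupportedBranch` is recovered by grepping one exact line of `generic/default.nix` and stripping it with two `sed` substitutions, and nothing checks that the result is non-empty; if that line is ever reformatted or the `lib.*` function names change, the grep matches nothing, `minSupportedBranch` becomes `""`, and the `printf '%s\n' "$minSupportedBranch" "$version" | sort -V | head -n1` test below then succeeds for every branch (the empty string sorts first), so the updater would generate expressions for EOL Xen branches that the `knownVulnerabilities` guard exists to exclude. Unless the script runs with `set -o pipefail` the failing `grep` is masked by the trailing `sed`, so this is silent. Add a guard directly after the assignment: `[ -n "$minSupportedBranch" ] || { echo "could not determine minSupportedBranch from generic/default.nix" >&2; exit 1; }`. The surrounding version-selection logic (`versionList`, `branchList`, `supportedVersions`) starts and continues outside this hunk.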
From: Fernando Rodrigues Date: Sun, 11 Aug 2024 16:28:36 +0000 Subject: [PATCH 02/15] xen: deduplicate pkgs.xen and pkgs.xenPackages.xen There is no point in having both. The top-level package now points directly to the latest version. Signed-off-by: Fernando Rodrigues --- pkgs/applications/virtualization/xen/README.md | 3 ++- pkgs/applications/virtualization/xen/packages.nix | 3 --- pkgs/top-level/all-packages.nix | 4 ++-- 3 files changed, 4 insertions(+), 6 deletions(-) diff --git a/pkgs/applications/virtualization/xen/README.md b/pkgs/applications/virtualization/xen/README.md index 5f16607b25cba..d5e22318d610c 100644 --- a/pkgs/applications/virtualization/xen/README.md +++ b/pkgs/applications/virtualization/xen/README.md @@ -88,7 +88,8 @@ open a PR fixing the script, and update Xen manually: ### For Both Update Methods -1. Update `packages.nix` with the new versions. Don't forget the `slim` packages! +1. Update `packages.nix` and `../../../top-level/all-packages.nix` with the new + versions. Don't forget the `slim` packages! 1. Make sure all branches build. (Both the `standard` and `slim` versions) 1. Use the NixOS module to test if dom0 boots successfully on all new versions. 1. Make sure the `meta` attributes evaluate to something that makes sense. The diff --git a/pkgs/applications/virtualization/xen/packages.nix b/pkgs/applications/virtualization/xen/packages.nix index 96bd42e052013..5f0f50ecd736c 100644 --- a/pkgs/applications/virtualization/xen/packages.nix +++ b/pkgs/applications/virtualization/xen/packages.nix @@ -62,7 +62,4 @@ rec { withInternalIPXE = false; inherit (slim) meta; }; - - xen = xen_4_19; - xen-slim = xen_4_19-slim; } diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 6c2d439768869..d940b1597150d 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
@@ -34771,8 +34771,8 @@ with pkgs; xenPackages = recurseIntoAttrs (callPackage ../applications/virtualization/xen/packages.nix {}); - xen = xenPackages.xen; - xen-slim = xenPackages.xen-slim; + xen = xenPackages.xen_4_19; + xen-slim = xenPackages.xen_4_19-slim; xkbset = callPackage ../tools/X11/xkbset { }; From 37eddc4f7e2865292e79745dc309f60227260889 Mon Sep 17 00:00:00 2001 From: Fernando Rodrigues Date: Sun, 11 Aug 2024 16:30:10 +0000 Subject: [PATCH 03/15] xen: dehardcode pname This is useful for the future when we begin building custom versions of Xen, such as `qubes-vmm-xen`. Signed-off-by: Fernando Rodrigues --- pkgs/applications/virtualization/xen/4.16/default.nix | 1 + pkgs/applications/virtualization/xen/4.17/default.nix | 1 + pkgs/applications/virtualization/xen/4.18/default.nix | 1 + pkgs/applications/virtualization/xen/4.19/default.nix | 1 + pkgs/applications/virtualization/xen/generic/default.nix | 2 +- pkgs/applications/virtualization/xen/update.sh | 1 + 6 files changed, 6 insertions(+), 1 deletion(-) diff --git a/pkgs/applications/virtualization/xen/4.16/default.nix b/pkgs/applications/virtualization/xen/4.16/default.nix index 88b4946ef7124..c87c29edb5b02 100644 --- a/pkgs/applications/virtualization/xen/4.16/default.nix +++ b/pkgs/applications/virtualization/xen/4.16/default.nix @@ -20,6 +20,7 @@ let in callPackage (import ../generic/default.nix { + pname = "xen"; branch = "4.16"; version = "4.16.6"; latest = false; diff --git a/pkgs/applications/virtualization/xen/4.17/default.nix b/pkgs/applications/virtualization/xen/4.17/default.nix index 31b12685271cb..b96fe5e51fc42 100644 --- a/pkgs/applications/virtualization/xen/4.17/default.nix +++ b/pkgs/applications/virtualization/xen/4.17/default.nix @@ -21,6 +21,7 @@ let in callPackage (import ../generic/default.nix { + pname = "xen"; branch = "4.17"; version = "4.17.4"; latest = false; 
diff --git a/pkgs/applications/virtualization/xen/4.18/default.nix b/pkgs/applications/virtualization/xen/4.18/default.nix index 0494a2d054e01..ada7503519370 100644 --- a/pkgs/applications/virtualization/xen/4.18/default.nix +++ b/pkgs/applications/virtualization/xen/4.18/default.nix @@ -21,6 +21,7 @@ let in callPackage (import ../generic/default.nix { + pname = "xen"; branch = "4.18"; version = "4.18.2"; latest = false; diff --git a/pkgs/applications/virtualization/xen/4.19/default.nix b/pkgs/applications/virtualization/xen/4.19/default.nix index 469302f14b2b6..fc43e18faeab6 100644 --- a/pkgs/applications/virtualization/xen/4.19/default.nix +++ b/pkgs/applications/virtualization/xen/4.19/default.nix @@ -20,6 +20,7 @@ let in callPackage (import ../generic/default.nix { + pname = "xen"; branch = "4.19"; version = "4.19.0"; latest = true; diff --git a/pkgs/applications/virtualization/xen/generic/default.nix b/pkgs/applications/virtualization/xen/generic/default.nix index 591d4ab945e4d..7411acd1d8555 100644 --- a/pkgs/applications/virtualization/xen/generic/default.nix +++ b/pkgs/applications/virtualization/xen/generic/default.nix @@ -99,11 +99,11 @@ let which ]; + inherit (versionDefinition) pname; inherit (versionDefinition) branch; inherit (versionDefinition) version; inherit (versionDefinition) latest; inherit (versionDefinition) pkg; - pname = "xen"; # Sources needed to build tools and firmwares. prefetchedSources = diff --git a/pkgs/applications/virtualization/xen/update.sh b/pkgs/applications/virtualization/xen/update.sh index f5034d11c0af3..310fd6606f787 100755 --- a/pkgs/applications/virtualization/xen/update.sh +++ b/pkgs/applications/virtualization/xen/update.sh @@ -150,6 +150,7 @@ let in callPackage (import ../generic/default.nix { + pname = "xen"; branch = "$branch"; version = "$version"; latest = $latest; From 49433ed9cc2126b756f2ca98604bd144c161df9d Mon Sep 17 00:00:00 2001 
From: Fernando Rodrigues Date: Sun, 11 Aug 2024 16:34:54 +0000 Subject: [PATCH 04/15] xen: call the postPatch for each pre-fetched source manually instead of going through withTools withTools and withPrefetchedSources are pretty complicated functions meant to generalise per-version calls to build phases by each pre-fetched source. This is step 1 in deprecating them. Signed-off-by: Fernando Rodrigues --- .../virtualization/xen/generic/default.nix | 30 ++++--------------- 1 file changed, 5 insertions(+), 25 deletions(-) diff --git a/pkgs/applications/virtualization/xen/generic/default.nix b/pkgs/applications/virtualization/xen/generic/default.nix index 7411acd1d8555..d3937bcd45b68 100644 --- a/pkgs/applications/virtualization/xen/generic/default.nix +++ b/pkgs/applications/virtualization/xen/generic/default.nix @@ -116,10 +116,6 @@ let inherit (pkg.qemu) hash; }; patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.qemu) pkg.qemu.patches; - postPatch = '' - substituteInPlace scripts/tracetool.py \ - --replace-fail "/usr/bin/env python" "${python311Packages.python}/bin/python" - ''; }; } // lib.attrsets.optionalAttrs withInternalSeaBIOS { @@ -143,11 +139,6 @@ let inherit (pkg.ovmf) hash; }; patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.ovmf) pkg.ovmf.patches; - postPatch = '' - substituteInPlace \ - OvmfPkg/build.sh BaseTools/BinWrappers/PosixLike/{AmlToC,BrotliCompress,build,GenFfs,GenFv,GenFw,GenSec,LzmaCompress,TianoCompress,Trim,VfrCompile} \ - --replace-fail "/usr/bin/env bash" ${stdenv.shell} - ''; }; } // lib.attrsets.optionalAttrs withInternalIPXE { 
@@ -497,19 +488,14 @@ stdenv.mkDerivation (finalAttrs: { '' )} - ${withTools "postPatch" (name: source: source.postPatch)} - ${pkg.xen.postPatch or ""} + '' + # Patch shebangs for QEMU and OVMF build scripts. + + '' + patchShebangs --build tools/qemu-xen/scripts/tracetool.py + patchShebangs --build tools/firmware/ovmf-dir-remote/OvmfPkg/build.sh tools/firmware/ovmf-dir-remote/BaseTools/BinWrappers/PosixLike/{AmlToC,BrotliCompress,build,GenFfs,GenFv,GenFw,GenSec,LzmaCompress,TianoCompress,Trim,VfrCompile} ''; - preBuild = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "preBuild" ] pkg.xen) pkg.xen.preBuild; - - postBuild = '' - ${withTools "buildPhase" (name: source: source.buildPhase)} - - ${pkg.xen.postBuild or ""} - ''; - installPhase = let cpFlags = builtins.toString [ @@ -555,12 +541,6 @@ stdenv.mkDerivation (finalAttrs: { for i in $out/etc/xen/scripts/!(*.sh); do sed --in-place "2s@^@export PATH=$out/bin:${scriptEnvPath}\n@" $i done - '' - - + '' - ${withTools "installPhase" (name: source: source.installPhase)} - - ${pkg.xen.installPhase or ""} ''; postFixup = From 84c4c4be35b89f92e914798220f70a0858f78050 Mon Sep 17 00:00:00 2001 From: Fernando Rodrigues Date: Sun, 11 Aug 2024 16:40:10 +0000 Subject: [PATCH 05/15] xen: drop systemd dependency from 4.19 and above From the 4.19 release notes: When building with Systemd support (./configure --enable-systemd), remove libsystemd as a build dependency. Systemd Notify support is retained, now using a standalone library implementation. Signed-off-by: Fernando Rodrigues --- pkgs/applications/virtualization/xen/generic/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/virtualization/xen/generic/default.nix b/pkgs/applications/virtualization/xen/generic/default.nix index d3937bcd45b68..98f6cb785b4d5 100644 --- a/pkgs/applications/virtualization/xen/generic/default.nix +++ b/pkgs/applications/virtualization/xen/generic/default.nix 
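Review bot: The two `patchShebangs --build` calls run unconditionally, but `tools/qemu-xen` and `tools/firmware/ovmf-dir-remote` only exist when `withInternalQEMU` / `withInternalOVMF` are set (the series' `postUnpack` does `rm --recursive --force tools/qemu-xen` and the `slim` packages build without the internal sources), so those builds hand `find` non-existent paths. Whether that is only stderr noise or a phase failure depends on how `patchShebangs` treats a missing argument, so guard them explicitly: `${lib.strings.optionalString withInternalQEMU "patchShebangs --build tools/qemu-xen/scripts/tracetool.py"}` and the same `optionalString withInternalOVMF` wrapper around the OVMF line. Note also that the replaced `substituteInPlace --replace-fail` aborted when the `/usr/bin/env` shebang was absent, whereas `patchShebangs` silently skips non-executable files, so an upstream script losing its mode bit would now go unnoticed until runtime. The hunk also drops the per-version `pkg.xen.postPatch`/`preBuild`/`postBuild`/`installPhase` hooks; any `pkg` definition still setting them is now silently ignored, which the commit message should say.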
@@ -316,7 +316,6 @@ stdenv.mkDerivation (finalAttrs: { # oxenstored ocamlPackages.findlib ocamlPackages.ocaml - systemdMinimal # Python Fixes python311Packages.wrapPython @@ -326,7 +325,8 @@ stdenv.mkDerivation (finalAttrs: { pixman ] ++ lib.lists.optional withInternalOVMF nasm - ++ lib.lists.optional withFlask checkpolicy; + ++ lib.lists.optional withFlask checkpolicy + ++ lib.lists.optional (lib.strings.versionOlder version "4.19") systemdMinimal; configureFlags = [ "--enable-systemd" ] From 5facf7887fbdb5255bacb87e7ba2b2be9d94c99e Mon Sep 17 00:00:00 2001 From: Fernando Rodrigues Date: Sun, 11 Aug 2024 16:40:47 +0000 Subject: [PATCH 06/15] xen: fully remove qemu-traditional We were still building some minor parts of qemu-traditional by not disabling it explicitly. Signed-off-by: Fernando Rodrigues --- pkgs/applications/virtualization/xen/generic/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkgs/applications/virtualization/xen/generic/default.nix b/pkgs/applications/virtualization/xen/generic/default.nix index 98f6cb785b4d5..a59c2f5aea06a 100644 --- a/pkgs/applications/virtualization/xen/generic/default.nix +++ b/pkgs/applications/virtualization/xen/generic/default.nix @@ -329,7 +329,10 @@ stdenv.mkDerivation (finalAttrs: { ++ lib.lists.optional (lib.strings.versionOlder version "4.19") systemdMinimal; configureFlags = - [ "--enable-systemd" ] + [ + "--enable-systemd" + "--disable-qemu-traditional" + ] ++ lib.lists.optional (!withInternalQEMU) "--with-system-qemu" ++ lib.lists.optional withSeaBIOS "--with-system-seabios=${seabios}/share/seabios" From 59f88cc37ab13246a21b00a18b709fa16c58754f Mon Sep 17 00:00:00 2001 From: Fernando Rodrigues Date: Sun, 11 Aug 2024 16:42:16 +0000 Subject: [PATCH 07/15] xen: ensure xsm-policy is being built when FLASK is enabled Flask is disabled by default, but this will save someone an overrideAttrs overlay if they're using FLASK. 
Signed-off-by: Fernando Rodrigues --- pkgs/applications/virtualization/xen/generic/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/applications/virtualization/xen/generic/default.nix b/pkgs/applications/virtualization/xen/generic/default.nix index a59c2f5aea06a..32b9c54060460 100644 --- a/pkgs/applications/virtualization/xen/generic/default.nix +++ b/pkgs/applications/virtualization/xen/generic/default.nix @@ -342,7 +342,9 @@ stdenv.mkDerivation (finalAttrs: { ++ lib.lists.optional withInternalOVMF "--enable-ovmf" ++ lib.lists.optional withIPXE "--with-system-ipxe=${ipxe}" - ++ lib.lists.optional withInternalIPXE "--enable-ipxe"; + ++ lib.lists.optional withInternalIPXE "--enable-ipxe" + + ++ lib.lists.optional withFlask "--enable-xsmpolicy"; makeFlags = [ From 1a2e3c11388a75aab166ec95240f4a0803baf677 Mon Sep 17 00:00:00 2001 From: Fernando Rodrigues Date: Sun, 11 Aug 2024 16:49:11 +0000 Subject: [PATCH 08/15] xen: make meta.maintainers more friendly for new contributors From Peder Sundt: > I read maintainers = with lib.maintainers; [ ]; as a friendly open > invitation, while maintainers = [ ]; as a sad state of reality. > I want people to join the project hence I very much prefer the former. I don't plan on leaving anytime soon, but let's not make it more difficult for new maintainers to step up. Signed-off-by: Fernando Rodrigues --- pkgs/applications/virtualization/xen/generic/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/applications/virtualization/xen/generic/default.nix b/pkgs/applications/virtualization/xen/generic/default.nix index 32b9c54060460..3a0b3d2631774 100644 --- a/pkgs/applications/virtualization/xen/generic/default.nix +++ b/pkgs/applications/virtualization/xen/generic/default.nix 
@@ -664,7 +664,7 @@ stdenv.mkDerivation (finalAttrs: { # Development headers in $dev/include. mit ]; - maintainers = [ lib.maintainers.sigmasquadron ]; + maintainers = with lib.maintainers; [ sigmasquadron ]; mainProgram = "xl"; # Evaluates to x86_64-linux. platforms = lib.lists.intersectLists lib.platforms.linux lib.platforms.x86_64; From bd30f27bd16baa149f00598df25f9c508a612b1c Mon Sep 17 00:00:00 2001 From: Fernando Rodrigues Date: Sun, 11 Aug 2024 16:51:01 +0000 Subject: [PATCH 09/15] xen: deprecate withPrefetchedSources and withTools functions We now use easier to understand functions that are properly documented and aren't as generic. Signed-off-by: Fernando Rodrigues --- .../virtualization/xen/generic/default.nix | 125 ++++++++++++------ 1 file changed, 81 insertions(+), 44 deletions(-) diff --git a/pkgs/applications/virtualization/xen/generic/default.nix b/pkgs/applications/virtualization/xen/generic/default.nix index 3a0b3d2631774..a403cf1569cb2 100644 --- a/pkgs/applications/virtualization/xen/generic/default.nix +++ b/pkgs/applications/virtualization/xen/generic/default.nix @@ -81,7 +81,7 @@ versionDefinition: let #TODO: fix paths instead. - scriptEnvPath = lib.strings.concatMapStringsSep ":" (x: "${x}/bin") [ + scriptEnvPath = lib.strings.makeSearchPathOutput "out" "bin" [ bridge-utils coreutils diffutils @@ -95,7 +95,7 @@ let nbd openvswitch perl - util-linux + util-linux.bin which ]; 
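Review bot: `lib.strings.makeSearchPathOutput "out" "bin"` forces the `out` output for every package in the list, which is why `util-linux` had to become `util-linux.bin` in the second hunk; `lib.strings.makeBinPath` (defined as `makeSearchPathOutput "bin" "bin"`, preferring a `bin` output and falling back to `out`) does that for the whole list and lets the entry stay `util-linux`. With the current form, any other package in this list — only part of it is visible in the hunk — that later gains a split `bin` output would put a binary-less output on the `PATH` exported into the Xen helper scripts, and the failure would only show at `xl` runtime. Suggest `scriptEnvPath = lib.strings.makeBinPath [` with plain `util-linux`.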
@@ -105,10 +105,16 @@ let inherit (versionDefinition) latest; inherit (versionDefinition) pkg; - # Sources needed to build tools and firmwares. + ## Pre-fetched Source Handling ## + + # Main attribute set for sources needed to build tools and firmwares. + # Each source takes in: + # * A `src` attribute, which contains the actual fetcher, + # * A 'patches` attribute, which is a list of patches that need to be applied in the source. + # * A `path` attribute, which is the destination of the source inside the Xen tree. prefetchedSources = lib.attrsets.optionalAttrs withInternalQEMU { - qemu-xen = { + qemu = { src = fetchgit { url = "https://xenbits.xen.org/git-http/qemu-xen.git"; fetchSubmodules = true; @@ -116,10 +122,11 @@ let inherit (pkg.qemu) hash; }; patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.qemu) pkg.qemu.patches; + path = "tools/qemu-xen"; }; } // lib.attrsets.optionalAttrs withInternalSeaBIOS { - "firmware/seabios-dir-remote" = { + seaBIOS = { src = fetchgit { url = "https://xenbits.xen.org/git-http/seabios.git"; inherit (pkg.seaBIOS) rev; @@ -128,10 +135,11 @@ let patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.seaBIOS) pkg.seaBIOS.patches; + path = "tools/firmware/seabios-dir-remote"; }; } // lib.attrsets.optionalAttrs withInternalOVMF { - "firmware/ovmf-dir-remote" = { + ovmf = { src = fetchgit { url = "https://xenbits.xen.org/git-http/ovmf.git"; fetchSubmodules = true; @@ -139,10 +147,11 @@ let inherit (pkg.ovmf) hash; }; patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.ovmf) pkg.ovmf.patches; + path = "tools/firmware/ovmf-dir-remote"; }; } // lib.attrsets.optionalAttrs withInternalIPXE { - "firmware/etherboot/ipxe.git" = { + ipxe = { src = fetchFromGitHub { owner = "ipxe"; repo = "ipxe"; 
@@ -150,10 +159,68 @@ let inherit (pkg.ipxe) hash; }; patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.ipxe) pkg.ipxe.patches; + path = "tools/firmware/etherboot/ipxe.git"; }; }; - withPrefetchedSources = - sourcePkg: lib.strings.concatLines (lib.attrsets.mapAttrsToList sourcePkg prefetchedSources); + + # Gets a list containing the names of the top-level attribute for each pre-fetched + # source, to be used in the map functions below. + prefetchedSourcesList = lib.attrsets.mapAttrsToList (name: value: name) prefetchedSources; + + # Produces bash commands that will copy each pre-fetched source. + copyPrefetchedSources = + # Finish the deployment by concatnating the list of commands together. + lib.strings.concatLines ( + # Iterate on each pre-fetched source. + builtins.map ( + source: + # Only produce a copy command if patches exist. + lib.strings.optionalString (lib.attrsets.hasAttrByPath [ "${source}" ] prefetchedSources) + # The actual copy command. `src` is always an absolute path to a fetcher output + # inside the /nix/store, and `path` is always a path relative to the Xen root. + # We need to `mkdir -p` the target directory first, and `chmod +w` the contents last, + # as the copied files will still be edited by the postPatchPhase. + '' + echo "Copying ${prefetchedSources.${source}.src} -> ${prefetchedSources.${source}.path}" + mkdir --parents ${prefetchedSources.${source}.path} + cp --recursive --no-target-directory ${prefetchedSources.${source}.src} ${ + prefetchedSources.${source}.path + } + chmod --recursive +w ${prefetchedSources.${source}.path} + '' + ) prefetchedSourcesList + ); + + # Produces strings with `patch` commands to be ran on postPatch. + # These deploy the .patch files for each pre-fetched source. + deployPrefetchedSourcesPatches = + # Finish the deployment by concatnating the list of commands together. + lib.strings.concatLines ( + # The double map functions create a list of lists. 
Flatten it so we can concatnate it. + lib.lists.flatten ( + # Iterate on each pre-fetched source. + builtins.map ( + source: + # Iterate on each available patch. + (builtins.map ( + patch: + # Only produce a patch command if patches exist. + lib.strings.optionalString + (lib.attrsets.hasAttrByPath [ + "${source}" + "patches" + ] prefetchedSources) + # The actual patch command. It changes directories to the correct source each time. + '' + echo "Applying patch ${patch} to ${source}." + patch --directory ${prefetchedSources.${source}.path} --strip 1 < ${patch} + '' + ) prefetchedSources.${source}.patches) + ) prefetchedSourcesList + ) + ); + + ## XSA Patches Description Builder ## # Sometimes patches are sourced through a path, like ./0000-xen.patch. # This would break the patch attribute parser functions, so we normalise @@ -232,19 +299,7 @@ let else [ ]; - withTools = - attr: file: - withPrefetchedSources ( - name: source: - lib.strings.optionalString (builtins.hasAttr attr source) '' - echo "processing ${name}" - __do() { - cd "tools/${name}" - ${file name source} - } - ( __do ) - '' - ); + ## Binutils Override ## # Originally, there were two versions of binutils being used: the standard one and # this patched one. Unfortunately, that required patches to the Xen Makefiles, and @@ -438,17 +493,9 @@ stdenv.mkDerivation (finalAttrs: { rm --recursive --force tools/qemu-xen tools/qemu-xen-traditional '' - # The following expression moves the sources we fetched in the - # versioned Nix expressions to their correct locations inside - # the Xen source tree. + # Call copyPrefetchedSources, which copies all aviable sources to their correct positions. + '' - ${withPrefetchedSources ( - name: source: '' - echo "Copying pre-fetched source: ${source.src} -> tools/${name}" - cp --recursive ${source.src} tools/${name} - chmod --recursive +w tools/${name} - '' - )} + ${copyPrefetchedSources} ''; postPatch = 
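Review bot: The guard in `copyPrefetchedSources`, `lib.strings.optionalString (lib.attrsets.hasAttrByPath [ "${source}" ] prefetchedSources)`, can never be false, because `prefetchedSourcesList` is built from the attribute names of that same set, so the comment `# Only produce a copy command if patches exist.` describes a check that is neither performed nor needed. The matching guard in `deployPrefetchedSourcesPatches` (`hasAttrByPath [ "${source}" "patches" ]`) is likewise always true, since every source sets `patches` via `lib.lists.optionals` to at least `[ ]`; either drop both guards or reword the comments to `# Every entry of prefetchedSourcesList is a key of prefetchedSources, so no existence check is needed.` The comments also contain "concatnating" (twice) and "to be ran" — "concatenating", "to be run". The `patch --directory … --strip 1 < ${patch}` form is fine: sources and patch files are fixed-output store paths, so nothing unpinned enters the tree here.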
@@ -481,19 +528,9 @@ stdenv.mkDerivation (finalAttrs: { --replace-fail "/bin/mkdir" "${coreutils}/bin/mkdir" '' - # The following expression applies the patches defined on each - # prefetchedSources attribute. + # # Call deployPrefetchedSourcesPatches, which patches all pre-fetched sources with their specified patchlists. + '' - ${withTools "patches" ( - name: source: '' - ${lib.strings.concatMapStringsSep "\n" (patch: '' - echo "Patching with ${patch}" - patch --strip 1 < ${patch} - '') source.patches} - '' - )} - - + ${deployPrefetchedSourcesPatches} '' # Patch shebangs for QEMU and OVMF build scripts. + '' From 4dd8450a22371b4ccc10793047a58fab7f9829c7 Mon Sep 17 00:00:00 2001 From: Fernando Rodrigues Date: Fri, 16 Aug 2024 02:54:32 +0000 Subject: [PATCH 10/15] xen: simplify make flags. XEN_EXTFILES_URL wasn't working back when this override did anything, and now we bypass it entirely. The LD variable was rewritten to use lib.meta.getExe. Signed-off-by: Fernando Rodrigues --- pkgs/applications/virtualization/xen/generic/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/virtualization/xen/generic/default.nix b/pkgs/applications/virtualization/xen/generic/default.nix index a403cf1569cb2..e73198e833850 100644 --- a/pkgs/applications/virtualization/xen/generic/default.nix +++ b/pkgs/applications/virtualization/xen/generic/default.nix @@ -310,6 +310,7 @@ let name = "efi-binutils"; configureFlags = oldAttrs.configureFlags ++ [ "--enable-targets=x86_64-pep" ]; doInstallCheck = false; # We get a spurious failure otherwise, due to a host/target mismatch. + meta.mainProgram = "ld"; # We only really care for `ld`. }); in 
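Review bot: The new comment line reads `# # Call deployPrefetchedSourcesPatches, …` with a doubled comment marker, while the sibling comment in the `postUnpack` hunk uses a single `#`; make it `# Call deployPrefetchedSourcesPatches, which patches all pre-fetched sources with their specified patch lists.` The surrounding `postPatch` string starts before this hunk.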
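Review bot: `meta.mainProgram = "ld";` inside the `overrideAttrs` attrset is the nested-attribute shorthand for `meta = { mainProgram = "ld"; };`, and because `overrideAttrs` merges at the top level this replaces binutils' entire `meta` (license, platforms, description, maintainers) rather than adding one key. Anything that reads `meta.license` or `meta.platforms` on `efiBinutils` — licence allow-lists, `meta.platforms` checks — now sees nothing; the safe form is `meta = oldAttrs.meta // { mainProgram = "ld"; };`. With that in place `lib.meta.getExe efiBinutils` resolves to `${lib.getBin efiBinutils}/bin/ld`, the same path as the removed hard-coded `LD=`, so the makeFlags change in the following hunk is behaviour-preserving. The `efiBinutils` definition starts before this hunk.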
@@ -405,14 +406,13 @@ stdenv.mkDerivation (finalAttrs: { [ "PREFIX=$(out)" "CONFIG_DIR=/etc" - "XEN_EXTFILES_URL=\\$(XEN_ROOT)/xen_ext_files" "XEN_SCRIPT_DIR=$(CONFIG_DIR)/xen/scripts" "BASH_COMPLETION_DIR=$(PREFIX)/share/bash-completion/completions" ] ++ lib.lists.optionals withEFI [ "EFI_VENDOR=${efiVendor}" "INSTALL_EFI_STRIP=1" - "LD=${efiBinutils}/bin/ld" # See the comment in the efiBinutils definition above. + "LD=${lib.meta.getExe efiBinutils}" # See the comment in the efiBinutils definition above. ] # These flags set the CONFIG_* options in /boot/xen.config # and define if the default policy file is built. However, From e1d3b403f3b601c3a0001a98c4da6d6f3feea1de Mon Sep 17 00:00:00 2001 From: Fernando Rodrigues Date: Sun, 11 Aug 2024 16:47:31 +0000 Subject: [PATCH 11/15] xen: deduplicate common patches and drop figs The IPXE patch is the same across all versions. Let us put generic patches in the new generic/ directory. We also disable figs, as they were broken. 
Signed-off-by: Fernando Rodrigues --- .../4.16/0001-xen-fig-geneneration-4.16.patch | 16 ----------- .../virtualization/xen/4.16/default.nix | 5 +--- .../xen/4.17/0000-xen-ipxe-src-4.17.patch | 27 ------------------- .../4.17/0001-xen-fig-geneneration-4.17.patch | 16 ----------- .../virtualization/xen/4.17/default.nix | 5 +--- .../xen/4.18/0000-xen-ipxe-src-4.18.patch | 27 ------------------- .../4.18/0001-xen-fig-geneneration-4.18.patch | 16 ----------- .../virtualization/xen/4.18/default.nix | 5 +--- .../xen/4.19/0000-xen-ipxe-src-4.19.patch | 27 ------------------- .../4.19/0001-xen-fig-geneneration-4.19.patch | 16 ----------- .../virtualization/xen/4.19/default.nix | 5 +--- .../0000-xen-ipxe-src-generic.patch} | 0 .../virtualization/xen/generic/default.nix | 11 ++++---- 13 files changed, 9 insertions(+), 167 deletions(-) delete mode 100644 pkgs/applications/virtualization/xen/4.16/0001-xen-fig-geneneration-4.16.patch delete mode 100644 pkgs/applications/virtualization/xen/4.17/0000-xen-ipxe-src-4.17.patch delete mode 100644 pkgs/applications/virtualization/xen/4.17/0001-xen-fig-geneneration-4.17.patch delete mode 100644 pkgs/applications/virtualization/xen/4.18/0000-xen-ipxe-src-4.18.patch delete mode 100644 pkgs/applications/virtualization/xen/4.18/0001-xen-fig-geneneration-4.18.patch delete mode 100644 pkgs/applications/virtualization/xen/4.19/0000-xen-ipxe-src-4.19.patch delete mode 100644 pkgs/applications/virtualization/xen/4.19/0001-xen-fig-geneneration-4.19.patch rename pkgs/applications/virtualization/xen/{4.16/0000-xen-ipxe-src-4.16.patch => generic/0000-xen-ipxe-src-generic.patch} (100%) diff --git a/pkgs/applications/virtualization/xen/4.16/0001-xen-fig-geneneration-4.16.patch b/pkgs/applications/virtualization/xen/4.16/0001-xen-fig-geneneration-4.16.patch deleted file mode 100644 index 1d814b562a179..0000000000000 --- a/pkgs/applications/virtualization/xen/4.16/0001-xen-fig-geneneration-4.16.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -Remove a pipe that was causing SIGPIPE -issues on overloaded Hydra machines. - -diff --git a/docs/figs/Makefile b/docs/figs/Makefile -index e128a4364f..943f745dda 100644 ---- a/docs/figs/Makefile -+++ b/docs/figs/Makefile -@@ -8,7 +8,7 @@ TARGETS= network-bridge.png network-basic.png - all: $(TARGETS) - - %.png: %.fig -- $(FIG2DEV) -L png $< >$@.tmp -+ $(FIG2DEV) -L png $< $@.tmp - mv -f $@.tmp $@ - - clean: diff --git a/pkgs/applications/virtualization/xen/4.16/default.nix b/pkgs/applications/virtualization/xen/4.16/default.nix index c87c29edb5b02..a4e601fdc10a6 100644 --- a/pkgs/applications/virtualization/xen/4.16/default.nix +++ b/pkgs/applications/virtualization/xen/4.16/default.nix @@ -28,10 +28,7 @@ callPackage (import ../generic/default.nix { xen = { rev = "4b33780de790bd438dd7cbb6143b410d94f0f049"; hash = "sha256-2kcmfKwBo3w1U5CSxLSYSteqvzcJaB+cA7keVb3amyA="; - patches = [ - ./0000-xen-ipxe-src-4.16.patch - ./0001-xen-fig-geneneration-4.16.patch - ] ++ upstreamPatchList; + patches = [ ] ++ upstreamPatchList; }; qemu = { rev = "c02cb236b5e4a76cf74e641cc35a0e3ebd3e52f3"; diff --git a/pkgs/applications/virtualization/xen/4.17/0000-xen-ipxe-src-4.17.patch b/pkgs/applications/virtualization/xen/4.17/0000-xen-ipxe-src-4.17.patch deleted file mode 100644 index d96023d1946ae..0000000000000 --- a/pkgs/applications/virtualization/xen/4.17/0000-xen-ipxe-src-4.17.patch +++ /dev/null 
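Review bot: `patches = [ ] ++ upstreamPatchList;` in 4.16/default.nix concatenates an empty list for no effect; `patches = upstreamPatchList;` reads cleaner, and the same pattern is repeated in the 4.17–4.19 hunks below. If the empty list is kept on purpose as a slot for future version-specific patches, say so rather than leaving it looking like leftover, e.g. `# Version-specific patches go here; patches common to all versions live in ../generic/default.nix.`. Note that the generic iPXE patch is now applied unconditionally from generic/default.nix, so a version that ever needs a different etherboot fix has no way to opt out from this file.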
@@ -1,27 +0,0 @@ -Hack to make etherboot use pre-fetched iPXE. - -diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile -index ed9e11305f..979a3acea8 100644 ---- a/tools/firmware/etherboot/Makefile -+++ b/tools/firmware/etherboot/Makefile -@@ -16,6 +16,7 @@ IPXE_TARBALL_URL ?= $(XEN_EXTFILES_URL)/ipxe-git-$(IPXE_GIT_TAG).tar.gz - - D=ipxe - T=ipxe.tar.gz -+G=ipxe.git - - ROMS = $(addprefix $D/src/bin/, $(addsuffix .rom, $(ETHERBOOT_NICS))) - ROM = $D/src/bin/ipxe.bin -@@ -41,9 +42,9 @@ $T: - fi - mv _$T $T - --$D/src/arch/i386/Makefile: $T Config -- rm -rf $D -- gzip -dc $T | tar xf - -+$D/src/arch/i386/Makefile: $G Config -+ mkdir $D -+ cp -a $G/* $D - for i in $$(cat patches/series) ; do \ - patch -d $D -p1 --quiet $@.tmp -+ $(FIG2DEV) -L png $< $@.tmp - mv -f $@.tmp $@ - - clean: diff --git a/pkgs/applications/virtualization/xen/4.17/default.nix b/pkgs/applications/virtualization/xen/4.17/default.nix index b96fe5e51fc42..b1d97e824b7a0 100644 --- a/pkgs/applications/virtualization/xen/4.17/default.nix +++ b/pkgs/applications/virtualization/xen/4.17/default.nix @@ -29,10 +29,7 @@ callPackage (import ../generic/default.nix { xen = { rev = "d530627aaa9b6e03c7f911434bb342fca3d13300"; hash = "sha256-4ltQUzo4XPzGT/7fGt1hnNMqBQBVF7VP+WXD9ZaJcGo="; - patches = [ - ./0000-xen-ipxe-src-4.17.patch - ./0001-xen-fig-geneneration-4.17.patch - ] ++ upstreamPatchList; + patches = [ ] ++ upstreamPatchList; }; qemu = { rev = "ffb451126550b22b43b62fb8731a0d78e3376c03"; diff --git a/pkgs/applications/virtualization/xen/4.18/0000-xen-ipxe-src-4.18.patch b/pkgs/applications/virtualization/xen/4.18/0000-xen-ipxe-src-4.18.patch deleted file mode 100644 index d96023d1946ae..0000000000000 --- a/pkgs/applications/virtualization/xen/4.18/0000-xen-ipxe-src-4.18.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -Hack to make etherboot use pre-fetched iPXE. - -diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile -index ed9e11305f..979a3acea8 100644 ---- a/tools/firmware/etherboot/Makefile -+++ b/tools/firmware/etherboot/Makefile -@@ -16,6 +16,7 @@ IPXE_TARBALL_URL ?= $(XEN_EXTFILES_URL)/ipxe-git-$(IPXE_GIT_TAG).tar.gz - - D=ipxe - T=ipxe.tar.gz -+G=ipxe.git - - ROMS = $(addprefix $D/src/bin/, $(addsuffix .rom, $(ETHERBOOT_NICS))) - ROM = $D/src/bin/ipxe.bin -@@ -41,9 +42,9 @@ $T: - fi - mv _$T $T - --$D/src/arch/i386/Makefile: $T Config -- rm -rf $D -- gzip -dc $T | tar xf - -+$D/src/arch/i386/Makefile: $G Config -+ mkdir $D -+ cp -a $G/* $D - for i in $$(cat patches/series) ; do \ - patch -d $D -p1 --quiet $@.tmp -+ $(FIG2DEV) -L png $< $@.tmp - mv -f $@.tmp $@ - - clean: diff --git a/pkgs/applications/virtualization/xen/4.18/default.nix b/pkgs/applications/virtualization/xen/4.18/default.nix index ada7503519370..39281f85cba39 100644 --- a/pkgs/applications/virtualization/xen/4.18/default.nix +++ b/pkgs/applications/virtualization/xen/4.18/default.nix @@ -29,10 +29,7 @@ callPackage (import ../generic/default.nix { xen = { rev = "d152a0424677d8b78e00ed1270a583c5dafff16f"; hash = "sha256-pHCjj+Bcy4xQfB9xHU9fccFwVdP2DXrUhdszwGvrdmY="; - patches = [ - ./0000-xen-ipxe-src-4.18.patch - ./0001-xen-fig-geneneration-4.18.patch - ] ++ upstreamPatchList; + patches = [ ] ++ upstreamPatchList; }; qemu = { rev = "0df9387c8983e1b1e72d8c574356f572342c03e6"; diff --git a/pkgs/applications/virtualization/xen/4.19/0000-xen-ipxe-src-4.19.patch b/pkgs/applications/virtualization/xen/4.19/0000-xen-ipxe-src-4.19.patch deleted file mode 100644 index d96023d1946ae..0000000000000 --- a/pkgs/applications/virtualization/xen/4.19/0000-xen-ipxe-src-4.19.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -Hack to make etherboot use pre-fetched iPXE. - -diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile -index ed9e11305f..979a3acea8 100644 ---- a/tools/firmware/etherboot/Makefile -+++ b/tools/firmware/etherboot/Makefile -@@ -16,6 +16,7 @@ IPXE_TARBALL_URL ?= $(XEN_EXTFILES_URL)/ipxe-git-$(IPXE_GIT_TAG).tar.gz - - D=ipxe - T=ipxe.tar.gz -+G=ipxe.git - - ROMS = $(addprefix $D/src/bin/, $(addsuffix .rom, $(ETHERBOOT_NICS))) - ROM = $D/src/bin/ipxe.bin -@@ -41,9 +42,9 @@ $T: - fi - mv _$T $T - --$D/src/arch/i386/Makefile: $T Config -- rm -rf $D -- gzip -dc $T | tar xf - -+$D/src/arch/i386/Makefile: $G Config -+ mkdir $D -+ cp -a $G/* $D - for i in $$(cat patches/series) ; do \ - patch -d $D -p1 --quiet $@.tmp -+ $(FIG2DEV) -L png $< $@.tmp - mv -f $@.tmp $@ - - clean: diff --git a/pkgs/applications/virtualization/xen/4.19/default.nix b/pkgs/applications/virtualization/xen/4.19/default.nix index fc43e18faeab6..99a4d6d6c674e 100644 --- a/pkgs/applications/virtualization/xen/4.19/default.nix +++ b/pkgs/applications/virtualization/xen/4.19/default.nix @@ -28,10 +28,7 @@ callPackage (import ../generic/default.nix { xen = { rev = "026c9fa29716b0ff0f8b7c687908e71ba29cf239"; hash = "sha256-Q6x+2fZ4ITBz6sKICI0NHGx773Rc919cl+wzI89UY+Q="; - patches = [ - ./0000-xen-ipxe-src-4.19.patch - ./0001-xen-fig-geneneration-4.19.patch - ] ++ upstreamPatchList; + patches = [ ] ++ upstreamPatchList; }; qemu = { rev = "0df9387c8983e1b1e72d8c574356f572342c03e6"; diff --git a/pkgs/applications/virtualization/xen/4.16/0000-xen-ipxe-src-4.16.patch b/pkgs/applications/virtualization/xen/generic/0000-xen-ipxe-src-generic.patch similarity index 100% rename from pkgs/applications/virtualization/xen/4.16/0000-xen-ipxe-src-4.16.patch rename to pkgs/applications/virtualization/xen/generic/0000-xen-ipxe-src-generic.patch 
diff --git a/pkgs/applications/virtualization/xen/generic/default.nix b/pkgs/applications/virtualization/xen/generic/default.nix index e73198e833850..fbd343ce057d7 100644 --- a/pkgs/applications/virtualization/xen/generic/default.nix +++ b/pkgs/applications/virtualization/xen/generic/default.nix @@ -58,8 +58,6 @@ versionDefinition: binutils-unwrapped, # Documentation - fig2dev, - imagemagick, pandoc, # Scripts @@ -333,16 +331,17 @@ stdenv.mkDerivation (finalAttrs: { inherit (pkg.xen) hash; }; - # Gets the patches from the pkg.xen.patches attribute from the versioned files. - patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.xen) pkg.xen.patches; + patches = + # Generic Xen patches that apply to all Xen versions. + [ ./0000-xen-ipxe-src-generic.patch ] + # Gets the patches from the pkg.xen.patches attribute from the versioned files. + ++ lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.xen) pkg.xen.patches; nativeBuildInputs = [ autoPatchelfHook bison cmake - fig2dev - imagemagick # Causes build failures in Hydra related to fig generation if not included. flex pandoc pkg-config From 15256c05eb3160fea8b6669e338c7e8d28e49ce9 Mon Sep 17 00:00:00 2001 From: Fernando Rodrigues Date: Fri, 16 Aug 2024 04:45:20 +0000 Subject: [PATCH 12/15] xen: prefer flags to pipes or variables in bash scripts For the update script and the one-liner in the README, use flags that do what we want to do instead of piping the output to different commands or using environment variables. Signed-off-by: Fernando Rodrigues --- pkgs/applications/virtualization/xen/README.md | 2 +- pkgs/applications/virtualization/xen/update.sh | 8 +++----- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/pkgs/applications/virtualization/xen/README.md b/pkgs/applications/virtualization/xen/README.md index d5e22318d610c..0df84ad8e4c25 100644 --- a/pkgs/applications/virtualization/xen/README.md +++ b/pkgs/applications/virtualization/xen/README.md 
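Review bot: `lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.xen) pkg.xen.patches` is a long way to spell `(pkg.xen.patches or [ ])`, which is the idiomatic Nix form and behaves identically when the attribute is absent. The generic patch is prepended unconditionally, so a future version whose tools/firmware/etherboot/Makefile diverges fails at patchPhase with no per-version escape hatch; a cheap hedge is `lib.optionals (pkg.xen.useGenericPatches or true) [ ./0000-xen-ipxe-src-generic.patch ]`, presumably unneeded today. On the fig side the hunk only drops fig2dev and imagemagick from the inputs; if "disable figs" relies on Xen's configure not finding fig2dev, a comment at the removal stating that (and that the docs target must tolerate a missing FIG2DEV) would record why the earlier Hydra failures no longer apply.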
@@ -96,7 +96,7 @@ open a PR fixing the script, and update Xen manually: following one-line command is useful for testing this: ```console - xenToEvaluate=xen; echo -e "\033[1m$(nix eval .#"$xenToEvaluate".meta.description 2> /dev/null | tail -c +2 | head -c -2)\033[0m\n\n$(nix eval .#"$xenToEvaluate".meta.longDescription 2> /dev/null | tail -c +2 | head -c -2)" + xenToEvaluate=xen; echo -e "\033[1m$(nix eval .#"$xenToEvaluate".meta.description --raw 2> /dev/null)\033[0m\n\n$(nix eval .#"$xenToEvaluate".meta.longDescription --raw 2> /dev/null)" ``` Change the value of `xenToEvaluate` to evaluate all relevant Xen packages. diff --git a/pkgs/applications/virtualization/xen/update.sh b/pkgs/applications/virtualization/xen/update.sh index 310fd6606f787..230c1e5f60010 100755 --- a/pkgs/applications/virtualization/xen/update.sh +++ b/pkgs/applications/virtualization/xen/update.sh @@ -3,8 +3,6 @@ # shellcheck disable=SC2206,SC2207 shell=bash set -e -# Set a temporary $HOME in /tmp for GPG. -HOME=/tmp/xenUpdateScript # This script expects to be called in an interactive terminal somewhere inside Nixpkgs. echo "Preparing..." 
@@ -15,8 +13,8 @@ mkdir /tmp/xenUpdateScript # Import and verify PGP key. curl --silent --output /tmp/xenUpdateScript/xen.asc https://keys.openpgp.org/vks/v1/by-fingerprint/23E3222C145F4475FA8060A783FE14C957E82BD9 -gpg --quiet --import /tmp/xenUpdateScript/xen.asc -fingerprint="$(gpg --with-colons --fingerprint "pgp@xen.org" 2>/dev/null | awk -F: '/^pub:.*/ { getline; print $10}')" +gpg --homedir /tmp/xenUpdateScript/.gnupg --quiet --import /tmp/xenUpdateScript/xen.asc +fingerprint="$(gpg --homedir /tmp/xenUpdateScript/.gnupg --with-colons --fingerprint "pgp@xen.org" 2>/dev/null | awk -F: '/^pub:.*/ { getline; print $10}')" echo -e "Please ascertain through multiple external sources that the \e[1;32mXen Project PGP Key Fingerprint\e[0m is indeed \e[1;33m$fingerprint\e[0m. If that is not the case, \e[1;31mexit immediately\e[0m." read -r -p $'Press \e[1;34menter\e[0m to continue with a pre-filled expected fingerprint, or input an arbitrary PGP fingerprint to match with the key\'s fingerprint: ' userInputFingerprint userInputFingerprint=${userInputFingerprint:-"23E3222C145F4475FA8060A783FE14C957E82BD9"} 
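Review bot: The GnuPG home is now the fixed, predictable path `/tmp/xenUpdateScript/.gnupg`, and the `mkdir /tmp/xenUpdateScript` in the hunk context creates its parent with the default umask, so another local user can pre-create, read or symlink it; the old `HOME=` override had the same weakness, but this change is the moment to fix it. Use a private directory created once near the top, `gnupgHome="$(mktemp -d)"` (mktemp creates it 0700), and pass `--homedir "$gnupgHome"` here and on the ownertrust import below. The `2>/dev/null` on the fingerprint listing also swallows gpg's unsafe-permissions warning, which is precisely the signal wanted if the directory has been tampered with; consider dropping that redirect.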
@@ -51,7 +49,7 @@ for version in "${supportedVersions[@]}"; do # Verify PGP key automatically. If the fingerprint matches what the user specified, or the default fingerprint, then we consider it trusted. cd /tmp/xenUpdateScript/xen if [[ "$fingerprint" = "$userInputFingerprint" ]]; then - echo "$fingerprint:6:" | gpg --quiet --import-ownertrust + echo "$fingerprint:6:" | gpg --homedir /tmp/xenUpdateScript/.gnupg --quiet --import-ownertrust (git verify-tag RELEASE-"$version" 2>/dev/null && echo -e "\n\e[1;32mSuccessfully authenticated Xen $version.\e[0m") || (echo -e "\e[1;31merror:\e[0m Unable to verify tag \e[1;32mRELEASE-$version\e[0m.\n- It is possible that \e[1;33mthis script has broken\e[0m, the Xen Project has \e[1;33mcycled their PGP keys\e[0m, or a \e[1;31msupply chain attack is in progress\e[0m.\n\n\e[1;31mPlease update manually.\e[0m" && exit 1) else echo -e "\e[1;31merror:\e[0m Unable to verify \e[1;34mpgp@xen.org\e[0m's fingerprint.\n- It is possible that \e[1;33mthis script has broken\e[0m, the Xen Project has \e[1;33mcycled their PGP keys\e[0m, or an \e[1;31mimpersonation attack is in progress\e[0m.\n\n\e[1;31mPlease update manually.\e[0m" && exit 1 From bdcf44c52df10766949f59ac2f5fa868754c3917 Mon Sep 17 00:00:00 2001 From: Fernando Rodrigues Date: Fri, 16 Aug 2024 04:48:23 +0000 Subject: [PATCH 13/15] xen: add more sanitation options to update script We use a lot of pipes, so it's good to exit if any of the dependent commands fail. Signed-off-by: Fernando Rodrigues --- pkgs/applications/virtualization/xen/update.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/virtualization/xen/update.sh b/pkgs/applications/virtualization/xen/update.sh index 230c1e5f60010..893ed5fa34dab 100755 --- a/pkgs/applications/virtualization/xen/update.sh +++ b/pkgs/applications/virtualization/xen/update.sh 
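Review bot: `git verify-tag RELEASE-"$version"` does not receive the new `--homedir`; git runs gpg against `$GNUPGHOME` or `~/.gnupg`, and the earlier hunk removed the `HOME=/tmp/xenUpdateScript` override that used to route it there, so unless GNUPGHOME is exported somewhere not visible here the tag is now checked against the user's personal keyring rather than the freshly imported, fingerprint-checked key — a key the user imported long ago under a different trust decision would satisfy it, and a missing one fails with the misleading "supply chain attack" message. Prefix the call with the same home: `GNUPGHOME=/tmp/xenUpdateScript/.gnupg git verify-tag RELEASE-"$version"`. Separately, the `exit 1` inside the `( … )` failure branch only terminates that subshell; the script stops there today only because `set -e` treats the failed `||` list as fatal, so `{ …; exit 1; }` would make the abort explicit. The enclosing for loop starts outside this hunk.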
@@ -1,8 +1,9 @@ #!/usr/bin/env nix-shell #!nix-shell -i bash -p gitMinimal curl gnupg nix-prefetch-git nixfmt-rfc-style # shellcheck disable=SC2206,SC2207 shell=bash -set -e - +set -o errexit +set -o pipefail +set -o nounset # This script expects to be called in an interactive terminal somewhere inside Nixpkgs. echo "Preparing..." From 28f1c8701c962ff203881152796635ce536e3f4a Mon Sep 17 00:00:00 2001 From: Fernando Rodrigues Date: Fri, 16 Aug 2024 04:49:14 +0000 Subject: [PATCH 14/15] xen: avoid writing upstreamPatches multiple times Use `with upstreamPatches;` instead. Signed-off-by: Fernando Rodrigues --- .../virtualization/xen/4.16/default.nix | 13 ++++++++----- .../virtualization/xen/4.17/default.nix | 15 +++++++++------ .../virtualization/xen/4.18/default.nix | 15 +++++++++------ .../virtualization/xen/4.19/default.nix | 13 ++++++++----- pkgs/applications/virtualization/xen/update.sh | 9 ++++----- 5 files changed, 38 insertions(+), 27 deletions(-) diff --git a/pkgs/applications/virtualization/xen/4.16/default.nix b/pkgs/applications/virtualization/xen/4.16/default.nix index a4e601fdc10a6..27139ca06e8ee 100644 --- a/pkgs/applications/virtualization/xen/4.16/default.nix +++ b/pkgs/applications/virtualization/xen/4.16/default.nix @@ -12,11 +12,14 @@ let inherit fetchpatch; }; - upstreamPatchList = lib.lists.flatten [ - upstreamPatches.XSA_458 - upstreamPatches.XSA_460 - upstreamPatches.XSA_461 - ]; + upstreamPatchList = lib.lists.flatten ( + with upstreamPatches; + [ + XSA_458 + XSA_460 + XSA_461 + ] + ); in callPackage (import ../generic/default.nix { diff --git a/pkgs/applications/virtualization/xen/4.17/default.nix b/pkgs/applications/virtualization/xen/4.17/default.nix index b1d97e824b7a0..6887696fcfe94 100644 --- a/pkgs/applications/virtualization/xen/4.17/default.nix +++ b/pkgs/applications/virtualization/xen/4.17/default.nix 
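Review bot: With `errexit` and `pipefail` on, any pipeline in the script that returns non-zero now aborts with bash's default (empty) diagnostic — for example the `grep | sed | sed` that derives minSupportedBranch later in this file exits silently if the grep matches nothing. A trap gives the operator the failing line: `trap 'echo "error: update.sh failed at line $LINENO" >&2' ERR`, placed directly after the three `set -o` lines. `nounset` is a good addition; the `${var:-default}` forms already used for the interactive prompts keep it from firing on empty input.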
@@ -12,12 +12,15 @@ let inherit fetchpatch; }; - upstreamPatchList = lib.lists.flatten [ - upstreamPatches.QUBES_REPRODUCIBLE_BUILDS - upstreamPatches.XSA_458 - upstreamPatches.XSA_460 - upstreamPatches.XSA_461 - ]; + upstreamPatchList = lib.lists.flatten ( + with upstreamPatches; + [ + QUBES_REPRODUCIBLE_BUILDS + XSA_458 + XSA_460 + XSA_461 + ] + ); in callPackage (import ../generic/default.nix { diff --git a/pkgs/applications/virtualization/xen/4.18/default.nix b/pkgs/applications/virtualization/xen/4.18/default.nix index 39281f85cba39..ed2df662e26e6 100644 --- a/pkgs/applications/virtualization/xen/4.18/default.nix +++ b/pkgs/applications/virtualization/xen/4.18/default.nix @@ -12,12 +12,15 @@ let inherit fetchpatch; }; - upstreamPatchList = lib.lists.flatten [ - upstreamPatches.QUBES_REPRODUCIBLE_BUILDS - upstreamPatches.XSA_458 - upstreamPatches.XSA_460 - upstreamPatches.XSA_461 - ]; + upstreamPatchList = lib.lists.flatten ( + with upstreamPatches; + [ + QUBES_REPRODUCIBLE_BUILDS + XSA_458 + XSA_460 + XSA_461 + ] + ); in callPackage (import ../generic/default.nix { diff --git a/pkgs/applications/virtualization/xen/4.19/default.nix b/pkgs/applications/virtualization/xen/4.19/default.nix index 99a4d6d6c674e..5b8cf5d21788a 100644 --- a/pkgs/applications/virtualization/xen/4.19/default.nix +++ b/pkgs/applications/virtualization/xen/4.19/default.nix @@ -12,11 +12,14 @@ let inherit fetchpatch; }; - upstreamPatchList = lib.lists.flatten [ - upstreamPatches.QUBES_REPRODUCIBLE_BUILDS - upstreamPatches.XSA_460 - upstreamPatches.XSA_461 - ]; + upstreamPatchList = lib.lists.flatten ( + with upstreamPatches; + [ + QUBES_REPRODUCIBLE_BUILDS + XSA_460 + XSA_461 + ] + ); in callPackage (import ../generic/default.nix { diff --git a/pkgs/applications/virtualization/xen/update.sh b/pkgs/applications/virtualization/xen/update.sh index 893ed5fa34dab..ade935aafc89d 100755 --- a/pkgs/applications/virtualization/xen/update.sh +++ b/pkgs/applications/virtualization/xen/update.sh 
@@ -120,11 +120,10 @@ for version in "${supportedVersions[@]}"; do echo -e "Found the following patches:\n \e[1;32mXen\e[0m: \e[1;33m$discoveredXenPatchesEcho\e[0m\n \e[1;36mQEMU\e[0m: \e[1;33m$discoveredQEMUPatchesEcho\e[0m\n \e[1;36mSeaBIOS\e[0m: \e[1;33m$discoveredSeaBIOSPatchesEcho\e[0m\n \e[1;36mOVMF\e[0m: \e[1;33m$discoveredOVMFPatchesEcho\e[0m\n \e[1;36miPXE\e[0m: \e[1;33m$discoveredIPXEPatchesEcho\e[0m" # Prepare patches that are called in ./patches.nix. - defaultPatchListInit=("QUBES_REPRODUCIBLE_BUILDS" "XSA_458") + defaultPatchListInit=("QUBES_REPRODUCIBLE_BUILDS" "XSA_458" "XSA_460" "XSA_461" ) read -r -a defaultPatchList -p $'\nWould you like to override the \e[1;34mupstreamPatches\e[0m list for \e[1;32mXen '"$version"$'\e[0m? If no, press \e[1;34menter\e[0m to use the default patch list: [ \e[1;34m'"${defaultPatchListInit[*]}"$' \e[0m]: ' defaultPatchList=(${defaultPatchList[@]:-${defaultPatchListInit[@]}}) - spaceSeparatedPatchList=${defaultPatchList[*]} - upstreamPatches="upstreamPatches.${spaceSeparatedPatchList// / upstreamPatches.}" + upstreamPatches=${defaultPatchList[*]} # Write and format default.nix file. echo -e "\nWriting updated \e[1;34mversionDefinition\e[0m..." @@ -143,9 +142,9 @@ let inherit fetchpatch; }; - upstreamPatchList = lib.lists.flatten [ + upstreamPatchList = lib.lists.flatten (with upstreamPatches; [ $upstreamPatches - ]; + ]); in callPackage (import ../generic/default.nix { From 70ff32c47bea3ea8634ae97989d6a78aff0db014 Mon Sep 17 00:00:00 2001 From: Fernando Rodrigues Date: Fri, 16 Aug 2024 07:07:11 +0000 Subject: [PATCH 15/15] xen: only add maintainers if version is security-supported This prevents users browsing the package in search.nixos.org from messaging maintainers about an EOL Xen. Signed-off-by: Fernando Rodrigues --- .../virtualization/xen/generic/default.nix | 11 +++++++++-- pkgs/applications/virtualization/xen/update.sh | 2 +- 2 files changed, 10 insertions(+), 3 deletions(-) 
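Review bot: `defaultPatchListInit=("QUBES_REPRODUCIBLE_BUILDS" "XSA_458" "XSA_460" "XSA_461" )` is a single list for every supported version, yet the versioned files in this same series deliberately differ: 4.16 omits QUBES_REPRODUCIBLE_BUILDS and 4.19 omits XSA_458. Pressing enter for those branches therefore writes a default.nix that applies patches the branch does not take, which at best fails in patchPhase and in any case silently diverges from the reviewed list. Seeding the prompt from the branch's existing default.nix keeps the current selection as the default, e.g. `defaultPatchListInit=($(grep -oE '(XSA_[0-9]+|QUBES_[A-Z_]+)' "$xenPath/$branchDir/default.nix"))` with whatever variable holds the branch directory (not visible here); the enclosing for loop starts outside this hunk.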
diff --git a/pkgs/applications/virtualization/xen/generic/default.nix b/pkgs/applications/virtualization/xen/generic/default.nix index fbd343ce057d7..d273f9b1f381d 100644 --- a/pkgs/applications/virtualization/xen/generic/default.nix +++ b/pkgs/applications/virtualization/xen/generic/default.nix @@ -97,12 +97,16 @@ let which ]; + # Inherit attributes from a versionDefinition. inherit (versionDefinition) pname; inherit (versionDefinition) branch; inherit (versionDefinition) version; inherit (versionDefinition) latest; inherit (versionDefinition) pkg; + # Mark versions older than minSupportedVersion as EOL. + minSupportedVersion = "4.16"; + ## Pre-fetched Source Handling ## # Main attribute set for sources needed to build tools and firmwares. @@ -700,11 +704,14 @@ stdenv.mkDerivation (finalAttrs: { # Development headers in $dev/include. mit ]; - maintainers = with lib.maintainers; [ sigmasquadron ]; + # This automatically removes maintainers from EOL versions of Xen, so we aren't bothered about versions we don't explictly support. + maintainers = lib.lists.optionals (lib.strings.versionAtLeast version minSupportedVersion) ( + with lib.maintainers; [ sigmasquadron ] + ); mainProgram = "xl"; # Evaluates to x86_64-linux. platforms = lib.lists.intersectLists lib.platforms.linux lib.platforms.x86_64; - knownVulnerabilities = lib.lists.optionals (lib.strings.versionOlder version "4.16") [ + knownVulnerabilities = lib.lists.optionals (lib.strings.versionOlder version minSupportedVersion) [ "Xen ${version} is no longer supported by the Xen Security Team. See https://xenbits.xenproject.org/docs/unstable/support-matrix.html" ]; }; diff --git a/pkgs/applications/virtualization/xen/update.sh b/pkgs/applications/virtualization/xen/update.sh index ade935aafc89d..6ac8ba5a825ce 100755 --- a/pkgs/applications/virtualization/xen/update.sh +++ b/pkgs/applications/virtualization/xen/update.sh 
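Review bot: `minSupportedVersion = "4.16";` is now load-bearing for three things — maintainers, knownVulnerabilities, and update.sh, which greps this exact line text — but the comment above it only says older versions are EOL. Expand it so the next editor knows where the value comes from and why its formatting matters: `# Oldest Xen branch still security-supported upstream (https://xenbits.xenproject.org/docs/unstable/support-matrix.html). Keep it a plain quoted string on its own line: update.sh greps for ' minSupportedVersion = ' to decide which branches to update.`. The maintainers comment also has a typo, "explictly". Dropping maintainers on EOL versions leaves nobody listed to remove them; the knownVulnerabilities pointer to the support matrix makes that acceptable, but it is worth a conscious choice.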
@@ -31,7 +31,7 @@ latestVersion=$(echo "$versionList" | tr ' ' '\n' | tail --lines=1)
 branchList=($(echo "$versionList" | tr ' ' '\n' | sed s/\.[0-9]*$//g | awk '!seen[$0]++'))
 
 # Figure out which versions we're actually going to install.
-minSupportedBranch="$(grep " knownVulnerabilities = lib.lists.optionals (lib.strings.versionOlder version " "$xenPath"/generic/default.nix | sed s/' knownVulnerabilities = lib.lists.optionals (lib.strings.versionOlder version "'//g | sed s/'") \['//g)"
+minSupportedBranch="$(grep " minSupportedVersion = " "$xenPath"/generic/default.nix | sed s/' minSupportedVersion = "'//g | sed s/'";'//g)"
 supportedBranches=($(for version in "${branchList[@]}"; do if [ "$(printf '%s\n' "$minSupportedBranch" "$version" | sort -V | head -n1)" = "$minSupportedBranch" ]; then echo "$version"; fi; done))
 supportedVersions=($(for version in "${supportedBranches[@]}"; do echo "$versionList" | tr ' ' '\n' | grep "$version" | tail --lines=1; done))
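Review bot: The new `minSupportedBranch` line scrapes the Nix file with a grep and two seds; if the text ever drifts (different indentation, a trailing comment, nixfmt moving the string) the seds can leave extra characters or an empty value, and an empty string makes the `sort -V` comparison on the next line accept every branch, i.e. EOL versions get updated as if they were supported. Collapse the extraction to one fail-closed sed and validate it: `minSupportedBranch="$(sed -n 's/^ *minSupportedVersion = "\([0-9.]*\)";.*/\1/p' "$xenPath"/generic/default.nix)"` followed by `[[ "$minSupportedBranch" =~ ^[0-9]+\.[0-9]+$ ]] || { echo "error: could not read minSupportedVersion" >&2; exit 1; }`. A grep with no match does abort under the newly enabled pipefail/errexit, but only the validation covers the partial-match case.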