Merge pull request #333948 from SigmaSquadron/xen-drop-figs

xen: code quality updates and generic patch deduplication
This commit is contained in:
Emily 2024-08-21 18:22:55 +01:00 committed by GitHub
commit 42afc9de23
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
18 changed files with 184 additions and 300 deletions


@ -1,16 +0,0 @@
Remove a pipe that was causing SIGPIPE
issues on overloaded Hydra machines.
diff --git a/docs/figs/Makefile b/docs/figs/Makefile
index e128a4364f..943f745dda 100644
--- a/docs/figs/Makefile
+++ b/docs/figs/Makefile
@@ -8,7 +8,7 @@ TARGETS= network-bridge.png network-basic.png
all: $(TARGETS)
%.png: %.fig
- $(FIG2DEV) -L png $< >$@.tmp
+ $(FIG2DEV) -L png $< $@.tmp
mv -f $@.tmp $@
clean:


@ -7,19 +7,23 @@
}@genericDefinition:
let
upstreamPatches = import ../patches.nix {
upstreamPatches = import ../generic/patches.nix {
inherit lib;
inherit fetchpatch;
};
upstreamPatchList = lib.lists.flatten [
upstreamPatches.XSA_458
upstreamPatches.XSA_460
upstreamPatches.XSA_461
];
upstreamPatchList = lib.lists.flatten (
with upstreamPatches;
[
XSA_458
XSA_460
XSA_461
]
);
in
callPackage (import ../generic.nix {
callPackage (import ../generic/default.nix {
pname = "xen";
branch = "4.16";
version = "4.16.6";
latest = false;
@ -27,10 +31,7 @@ callPackage (import ../generic.nix {
xen = {
rev = "4b33780de790bd438dd7cbb6143b410d94f0f049";
hash = "sha256-2kcmfKwBo3w1U5CSxLSYSteqvzcJaB+cA7keVb3amyA=";
patches = [
./0000-xen-ipxe-src-4.16.patch
./0001-xen-fig-geneneration-4.16.patch
] ++ upstreamPatchList;
patches = [ ] ++ upstreamPatchList;
};
qemu = {
rev = "c02cb236b5e4a76cf74e641cc35a0e3ebd3e52f3";
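Review bot: `patches = [ ] ++ upstreamPatchList;` concatenates an empty list for no effect, so `patches = upstreamPatchList;` expresses the same value more directly. If the empty list is meant as a visible slot for future version-specific local patches, say so with a comment such as `# Version-specific patches go here; none are needed for 4.16 at present.` rather than leaving readers to guess why the concatenation survived the removal of the two local patches. The same applies to the 4.17, 4.18 and 4.19 definitions in this change. The `callPackage (import ../generic/default.nix { ... })` expression and the `@genericDefinition` argument set both extend beyond the hunks shown here.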


@ -1,27 +0,0 @@
Hack to make etherboot use pre-fetched iPXE.
diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile
index ed9e11305f..979a3acea8 100644
--- a/tools/firmware/etherboot/Makefile
+++ b/tools/firmware/etherboot/Makefile
@@ -16,6 +16,7 @@ IPXE_TARBALL_URL ?= $(XEN_EXTFILES_URL)/ipxe-git-$(IPXE_GIT_TAG).tar.gz
D=ipxe
T=ipxe.tar.gz
+G=ipxe.git
ROMS = $(addprefix $D/src/bin/, $(addsuffix .rom, $(ETHERBOOT_NICS)))
ROM = $D/src/bin/ipxe.bin
@@ -41,9 +42,9 @@ $T:
fi
mv _$T $T
-$D/src/arch/i386/Makefile: $T Config
- rm -rf $D
- gzip -dc $T | tar xf -
+$D/src/arch/i386/Makefile: $G Config
+ mkdir $D
+ cp -a $G/* $D
for i in $$(cat patches/series) ; do \
patch -d $D -p1 --quiet <patches/$$i || exit 1 ; \
done


@ -1,16 +0,0 @@
Remove a pipe that was causing SIGPIPE
issues on overloaded Hydra machines.
diff --git a/docs/figs/Makefile b/docs/figs/Makefile
index e128a4364f..943f745dda 100644
--- a/docs/figs/Makefile
+++ b/docs/figs/Makefile
@@ -8,7 +8,7 @@ TARGETS= network-bridge.png network-basic.png
all: $(TARGETS)
%.png: %.fig
- $(FIG2DEV) -L png $< >$@.tmp
+ $(FIG2DEV) -L png $< $@.tmp
mv -f $@.tmp $@
clean:


@ -7,20 +7,24 @@
}@genericDefinition:
let
upstreamPatches = import ../patches.nix {
upstreamPatches = import ../generic/patches.nix {
inherit lib;
inherit fetchpatch;
};
upstreamPatchList = lib.lists.flatten [
upstreamPatches.QUBES_REPRODUCIBLE_BUILDS
upstreamPatches.XSA_458
upstreamPatches.XSA_460
upstreamPatches.XSA_461
];
upstreamPatchList = lib.lists.flatten (
with upstreamPatches;
[
QUBES_REPRODUCIBLE_BUILDS
XSA_458
XSA_460
XSA_461
]
);
in
callPackage (import ../generic.nix {
callPackage (import ../generic/default.nix {
pname = "xen";
branch = "4.17";
version = "4.17.4";
latest = false;
@ -28,10 +32,7 @@ callPackage (import ../generic.nix {
xen = {
rev = "d530627aaa9b6e03c7f911434bb342fca3d13300";
hash = "sha256-4ltQUzo4XPzGT/7fGt1hnNMqBQBVF7VP+WXD9ZaJcGo=";
patches = [
./0000-xen-ipxe-src-4.17.patch
./0001-xen-fig-geneneration-4.17.patch
] ++ upstreamPatchList;
patches = [ ] ++ upstreamPatchList;
};
qemu = {
rev = "ffb451126550b22b43b62fb8731a0d78e3376c03";


@ -1,27 +0,0 @@
Hack to make etherboot use pre-fetched iPXE.
diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile
index ed9e11305f..979a3acea8 100644
--- a/tools/firmware/etherboot/Makefile
+++ b/tools/firmware/etherboot/Makefile
@@ -16,6 +16,7 @@ IPXE_TARBALL_URL ?= $(XEN_EXTFILES_URL)/ipxe-git-$(IPXE_GIT_TAG).tar.gz
D=ipxe
T=ipxe.tar.gz
+G=ipxe.git
ROMS = $(addprefix $D/src/bin/, $(addsuffix .rom, $(ETHERBOOT_NICS)))
ROM = $D/src/bin/ipxe.bin
@@ -41,9 +42,9 @@ $T:
fi
mv _$T $T
-$D/src/arch/i386/Makefile: $T Config
- rm -rf $D
- gzip -dc $T | tar xf -
+$D/src/arch/i386/Makefile: $G Config
+ mkdir $D
+ cp -a $G/* $D
for i in $$(cat patches/series) ; do \
patch -d $D -p1 --quiet <patches/$$i || exit 1 ; \
done


@ -1,16 +0,0 @@
Remove a pipe that was causing SIGPIPE
issues on overloaded Hydra machines.
diff --git a/docs/figs/Makefile b/docs/figs/Makefile
index e128a4364f..943f745dda 100644
--- a/docs/figs/Makefile
+++ b/docs/figs/Makefile
@@ -8,7 +8,7 @@ TARGETS= network-bridge.png network-basic.png
all: $(TARGETS)
%.png: %.fig
- $(FIG2DEV) -L png $< >$@.tmp
+ $(FIG2DEV) -L png $< $@.tmp
mv -f $@.tmp $@
clean:


@ -7,20 +7,24 @@
}@genericDefinition:
let
upstreamPatches = import ../patches.nix {
upstreamPatches = import ../generic/patches.nix {
inherit lib;
inherit fetchpatch;
};
upstreamPatchList = lib.lists.flatten [
upstreamPatches.QUBES_REPRODUCIBLE_BUILDS
upstreamPatches.XSA_458
upstreamPatches.XSA_460
upstreamPatches.XSA_461
];
upstreamPatchList = lib.lists.flatten (
with upstreamPatches;
[
QUBES_REPRODUCIBLE_BUILDS
XSA_458
XSA_460
XSA_461
]
);
in
callPackage (import ../generic.nix {
callPackage (import ../generic/default.nix {
pname = "xen";
branch = "4.18";
version = "4.18.2";
latest = false;
@ -28,10 +32,7 @@ callPackage (import ../generic.nix {
xen = {
rev = "d152a0424677d8b78e00ed1270a583c5dafff16f";
hash = "sha256-pHCjj+Bcy4xQfB9xHU9fccFwVdP2DXrUhdszwGvrdmY=";
patches = [
./0000-xen-ipxe-src-4.18.patch
./0001-xen-fig-geneneration-4.18.patch
] ++ upstreamPatchList;
patches = [ ] ++ upstreamPatchList;
};
qemu = {
rev = "0df9387c8983e1b1e72d8c574356f572342c03e6";


@ -1,27 +0,0 @@
Hack to make etherboot use pre-fetched iPXE.
diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile
index ed9e11305f..979a3acea8 100644
--- a/tools/firmware/etherboot/Makefile
+++ b/tools/firmware/etherboot/Makefile
@@ -16,6 +16,7 @@ IPXE_TARBALL_URL ?= $(XEN_EXTFILES_URL)/ipxe-git-$(IPXE_GIT_TAG).tar.gz
D=ipxe
T=ipxe.tar.gz
+G=ipxe.git
ROMS = $(addprefix $D/src/bin/, $(addsuffix .rom, $(ETHERBOOT_NICS)))
ROM = $D/src/bin/ipxe.bin
@@ -41,9 +42,9 @@ $T:
fi
mv _$T $T
-$D/src/arch/i386/Makefile: $T Config
- rm -rf $D
- gzip -dc $T | tar xf -
+$D/src/arch/i386/Makefile: $G Config
+ mkdir $D
+ cp -a $G/* $D
for i in $$(cat patches/series) ; do \
patch -d $D -p1 --quiet <patches/$$i || exit 1 ; \
done


@ -1,16 +0,0 @@
Remove a pipe that was causing SIGPIPE
issues on overloaded Hydra machines.
diff --git a/docs/figs/Makefile b/docs/figs/Makefile
index e128a4364f..943f745dda 100644
--- a/docs/figs/Makefile
+++ b/docs/figs/Makefile
@@ -8,7 +8,7 @@ TARGETS= network-bridge.png network-basic.png
all: $(TARGETS)
%.png: %.fig
- $(FIG2DEV) -L png $< >$@.tmp
+ $(FIG2DEV) -L png $< $@.tmp
mv -f $@.tmp $@
clean:


@ -7,19 +7,23 @@
}@genericDefinition:
let
upstreamPatches = import ../patches.nix {
upstreamPatches = import ../generic/patches.nix {
inherit lib;
inherit fetchpatch;
};
upstreamPatchList = lib.lists.flatten [
upstreamPatches.QUBES_REPRODUCIBLE_BUILDS
upstreamPatches.XSA_460
upstreamPatches.XSA_461
];
upstreamPatchList = lib.lists.flatten (
with upstreamPatches;
[
QUBES_REPRODUCIBLE_BUILDS
XSA_460
XSA_461
]
);
in
callPackage (import ../generic.nix {
callPackage (import ../generic/default.nix {
pname = "xen";
branch = "4.19";
version = "4.19.0";
latest = true;
@ -27,10 +31,7 @@ callPackage (import ../generic.nix {
xen = {
rev = "026c9fa29716b0ff0f8b7c687908e71ba29cf239";
hash = "sha256-Q6x+2fZ4ITBz6sKICI0NHGx773Rc919cl+wzI89UY+Q=";
patches = [
./0000-xen-ipxe-src-4.19.patch
./0001-xen-fig-geneneration-4.19.patch
] ++ upstreamPatchList;
patches = [ ] ++ upstreamPatchList;
};
qemu = {
rev = "0df9387c8983e1b1e72d8c574356f572342c03e6";


@ -88,14 +88,15 @@ open a PR fixing the script, and update Xen manually:
### For Both Update Methods
1. Update `packages.nix` with the new versions. Don't forget the `slim` packages!
1. Update `packages.nix` and `../../../top-level/all-packages.nix` with the new
versions. Don't forget the `slim` packages!
1. Make sure all branches build. (Both the `standard` and `slim` versions)
1. Use the NixOS module to test if dom0 boots successfully on all new versions.
1. Make sure the `meta` attributes evaluate to something that makes sense. The
following one-line command is useful for testing this:
```console
xenToEvaluate=xen; echo -e "\033[1m$(nix eval .#"$xenToEvaluate".meta.description 2> /dev/null | tail -c +2 | head -c -2)\033[0m\n\n$(nix eval .#"$xenToEvaluate".meta.longDescription 2> /dev/null | tail -c +2 | head -c -2)"
xenToEvaluate=xen; echo -e "\033[1m$(nix eval .#"$xenToEvaluate".meta.description --raw 2> /dev/null)\033[0m\n\n$(nix eval .#"$xenToEvaluate".meta.longDescription --raw 2> /dev/null)"
```
Change the value of `xenToEvaluate` to evaluate all relevant Xen packages.
@ -118,7 +119,7 @@ are requested by the main Xen build.
Building `xen.efi` requires an `ld` with PE support.[^2]
We use a `makeFlag` to override the `$LD` environment variable to point to our
patched `efiBinutils`. For more information, see the comment in `./generic.nix`.
patched `efiBinutils`. For more information, see the comment in `./generic/default.nix`.
> [!TIP]
> If you are certain you will not be running Xen in an x86 EFI environment, disable


@ -58,8 +58,6 @@ versionDefinition:
binutils-unwrapped,
# Documentation
fig2dev,
imagemagick,
pandoc,
# Scripts
@ -81,7 +79,7 @@ versionDefinition:
let
#TODO: fix paths instead.
scriptEnvPath = lib.strings.concatMapStringsSep ":" (x: "${x}/bin") [
scriptEnvPath = lib.strings.makeSearchPathOutput "out" "bin" [
bridge-utils
coreutils
diffutils
@ -95,20 +93,30 @@ let
nbd
openvswitch
perl
util-linux
util-linux.bin
which
];
# Inherit attributes from a versionDefinition.
inherit (versionDefinition) pname;
inherit (versionDefinition) branch;
inherit (versionDefinition) version;
inherit (versionDefinition) latest;
inherit (versionDefinition) pkg;
pname = "xen";
# Sources needed to build tools and firmwares.
# Mark versions older than minSupportedVersion as EOL.
minSupportedVersion = "4.16";
## Pre-fetched Source Handling ##
# Main attribute set for sources needed to build tools and firmwares.
# Each source takes in:
# * A `src` attribute, which contains the actual fetcher,
# * A 'patches` attribute, which is a list of patches that need to be applied in the source.
# * A `path` attribute, which is the destination of the source inside the Xen tree.
prefetchedSources =
lib.attrsets.optionalAttrs withInternalQEMU {
qemu-xen = {
qemu = {
src = fetchgit {
url = "https://xenbits.xen.org/git-http/qemu-xen.git";
fetchSubmodules = true;
@ -116,14 +124,11 @@ let
inherit (pkg.qemu) hash;
};
patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.qemu) pkg.qemu.patches;
postPatch = ''
substituteInPlace scripts/tracetool.py \
--replace-fail "/usr/bin/env python" "${python311Packages.python}/bin/python"
'';
path = "tools/qemu-xen";
};
}
// lib.attrsets.optionalAttrs withInternalSeaBIOS {
"firmware/seabios-dir-remote" = {
seaBIOS = {
src = fetchgit {
url = "https://xenbits.xen.org/git-http/seabios.git";
inherit (pkg.seaBIOS) rev;
@ -132,10 +137,11 @@ let
patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [
"patches"
] pkg.seaBIOS) pkg.seaBIOS.patches;
path = "tools/firmware/seabios-dir-remote";
};
}
// lib.attrsets.optionalAttrs withInternalOVMF {
"firmware/ovmf-dir-remote" = {
ovmf = {
src = fetchgit {
url = "https://xenbits.xen.org/git-http/ovmf.git";
fetchSubmodules = true;
@ -143,15 +149,11 @@ let
inherit (pkg.ovmf) hash;
};
patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.ovmf) pkg.ovmf.patches;
postPatch = ''
substituteInPlace \
OvmfPkg/build.sh BaseTools/BinWrappers/PosixLike/{AmlToC,BrotliCompress,build,GenFfs,GenFv,GenFw,GenSec,LzmaCompress,TianoCompress,Trim,VfrCompile} \
--replace-fail "/usr/bin/env bash" ${stdenv.shell}
'';
path = "tools/firmware/ovmf-dir-remote";
};
}
// lib.attrsets.optionalAttrs withInternalIPXE {
"firmware/etherboot/ipxe.git" = {
ipxe = {
src = fetchFromGitHub {
owner = "ipxe";
repo = "ipxe";
@ -159,10 +161,68 @@ let
inherit (pkg.ipxe) hash;
};
patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.ipxe) pkg.ipxe.patches;
path = "tools/firmware/etherboot/ipxe.git";
};
};
withPrefetchedSources =
sourcePkg: lib.strings.concatLines (lib.attrsets.mapAttrsToList sourcePkg prefetchedSources);
# Gets a list containing the names of the top-level attribute for each pre-fetched
# source, to be used in the map functions below.
prefetchedSourcesList = lib.attrsets.mapAttrsToList (name: value: name) prefetchedSources;
# Produces bash commands that will copy each pre-fetched source.
copyPrefetchedSources =
# Finish the deployment by concatnating the list of commands together.
lib.strings.concatLines (
# Iterate on each pre-fetched source.
builtins.map (
source:
# Only produce a copy command if patches exist.
lib.strings.optionalString (lib.attrsets.hasAttrByPath [ "${source}" ] prefetchedSources)
# The actual copy command. `src` is always an absolute path to a fetcher output
# inside the /nix/store, and `path` is always a path relative to the Xen root.
# We need to `mkdir -p` the target directory first, and `chmod +w` the contents last,
# as the copied files will still be edited by the postPatchPhase.
''
echo "Copying ${prefetchedSources.${source}.src} -> ${prefetchedSources.${source}.path}"
mkdir --parents ${prefetchedSources.${source}.path}
cp --recursive --no-target-directory ${prefetchedSources.${source}.src} ${
prefetchedSources.${source}.path
}
chmod --recursive +w ${prefetchedSources.${source}.path}
''
) prefetchedSourcesList
);
# Produces strings with `patch` commands to be ran on postPatch.
# These deploy the .patch files for each pre-fetched source.
deployPrefetchedSourcesPatches =
# Finish the deployment by concatnating the list of commands together.
lib.strings.concatLines (
# The double map functions create a list of lists. Flatten it so we can concatnate it.
lib.lists.flatten (
# Iterate on each pre-fetched source.
builtins.map (
source:
# Iterate on each available patch.
(builtins.map (
patch:
# Only produce a patch command if patches exist.
lib.strings.optionalString
(lib.attrsets.hasAttrByPath [
"${source}"
"patches"
] prefetchedSources)
# The actual patch command. It changes directories to the correct source each time.
''
echo "Applying patch ${patch} to ${source}."
patch --directory ${prefetchedSources.${source}.path} --strip 1 < ${patch}
''
) prefetchedSources.${source}.patches)
) prefetchedSourcesList
)
);
## XSA Patches Description Builder ##
# Sometimes patches are sourced through a path, like ./0000-xen.patch.
# This would break the patch attribute parser functions, so we normalise
@ -175,7 +235,7 @@ let
if builtins.isPath patch then
{ type = "path"; }
else
throw "xen/generic.nix: normalisedPatchList attempted to normalise something that is not a Path or an Attribute Set."
throw "xen/generic/default.nix: normalisedPatchList attempted to normalise something that is not a Path or an Attribute Set."
else
patch
) pkg.xen.patches;
@ -241,19 +301,7 @@ let
else
[ ];
withTools =
attr: file:
withPrefetchedSources (
name: source:
lib.strings.optionalString (builtins.hasAttr attr source) ''
echo "processing ${name}"
__do() {
cd "tools/${name}"
${file name source}
}
( __do )
''
);
## Binutils Override ##
# Originally, there were two versions of binutils being used: the standard one and
# this patched one. Unfortunately, that required patches to the Xen Makefiles, and
@ -264,6 +312,7 @@ let
name = "efi-binutils";
configureFlags = oldAttrs.configureFlags ++ [ "--enable-targets=x86_64-pep" ];
doInstallCheck = false; # We get a spurious failure otherwise, due to a host/target mismatch.
meta.mainProgram = "ld"; # We only really care for `ld`.
});
in
@ -286,16 +335,17 @@ stdenv.mkDerivation (finalAttrs: {
inherit (pkg.xen) hash;
};
# Gets the patches from the pkg.xen.patches attribute from the versioned files.
patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.xen) pkg.xen.patches;
patches =
# Generic Xen patches that apply to all Xen versions.
[ ./0000-xen-ipxe-src-generic.patch ]
# Gets the patches from the pkg.xen.patches attribute from the versioned files.
++ lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.xen) pkg.xen.patches;
nativeBuildInputs =
[
autoPatchelfHook
bison
cmake
fig2dev
imagemagick # Causes build failures in Hydra related to fig generation if not included.
flex
pandoc
pkg-config
@ -325,7 +375,6 @@ stdenv.mkDerivation (finalAttrs: {
# oxenstored
ocamlPackages.findlib
ocamlPackages.ocaml
systemdMinimal
# Python Fixes
python311Packages.wrapPython
@ -335,10 +384,14 @@ stdenv.mkDerivation (finalAttrs: {
pixman
]
++ lib.lists.optional withInternalOVMF nasm
++ lib.lists.optional withFlask checkpolicy;
++ lib.lists.optional withFlask checkpolicy
++ lib.lists.optional (lib.strings.versionOlder version "4.19") systemdMinimal;
configureFlags =
[ "--enable-systemd" ]
[
"--enable-systemd"
"--disable-qemu-traditional"
]
++ lib.lists.optional (!withInternalQEMU) "--with-system-qemu"
++ lib.lists.optional withSeaBIOS "--with-system-seabios=${seabios}/share/seabios"
@ -348,20 +401,21 @@ stdenv.mkDerivation (finalAttrs: {
++ lib.lists.optional withInternalOVMF "--enable-ovmf"
++ lib.lists.optional withIPXE "--with-system-ipxe=${ipxe}"
++ lib.lists.optional withInternalIPXE "--enable-ipxe";
++ lib.lists.optional withInternalIPXE "--enable-ipxe"
++ lib.lists.optional withFlask "--enable-xsmpolicy";
makeFlags =
[
"PREFIX=$(out)"
"CONFIG_DIR=/etc"
"XEN_EXTFILES_URL=\\$(XEN_ROOT)/xen_ext_files"
"XEN_SCRIPT_DIR=$(CONFIG_DIR)/xen/scripts"
"BASH_COMPLETION_DIR=$(PREFIX)/share/bash-completion/completions"
]
++ lib.lists.optionals withEFI [
"EFI_VENDOR=${efiVendor}"
"INSTALL_EFI_STRIP=1"
"LD=${efiBinutils}/bin/ld" # See the comment in the efiBinutils definition above.
"LD=${lib.meta.getExe efiBinutils}" # See the comment in the efiBinutils definition above.
]
# These flags set the CONFIG_* options in /boot/xen.config
# and define if the default policy file is built. However,
@ -442,17 +496,9 @@ stdenv.mkDerivation (finalAttrs: {
rm --recursive --force tools/qemu-xen tools/qemu-xen-traditional
''
# The following expression moves the sources we fetched in the
# versioned Nix expressions to their correct locations inside
# the Xen source tree.
# Call copyPrefetchedSources, which copies all aviable sources to their correct positions.
+ ''
${withPrefetchedSources (
name: source: ''
echo "Copying pre-fetched source: ${source.src} -> tools/${name}"
cp --recursive ${source.src} tools/${name}
chmod --recursive +w tools/${name}
''
)}
${copyPrefetchedSources}
'';
postPatch =
@ -485,31 +531,16 @@ stdenv.mkDerivation (finalAttrs: {
--replace-fail "/bin/mkdir" "${coreutils}/bin/mkdir"
''
# The following expression applies the patches defined on each
# prefetchedSources attribute.
# # Call deployPrefetchedSourcesPatches, which patches all pre-fetched sources with their specified patchlists.
+ ''
${withTools "patches" (
name: source: ''
${lib.strings.concatMapStringsSep "\n" (patch: ''
echo "Patching with ${patch}"
patch --strip 1 < ${patch}
'') source.patches}
''
)}
${withTools "postPatch" (name: source: source.postPatch)}
${pkg.xen.postPatch or ""}
${deployPrefetchedSourcesPatches}
''
# Patch shebangs for QEMU and OVMF build scripts.
+ ''
patchShebangs --build tools/qemu-xen/scripts/tracetool.py
patchShebangs --build tools/firmware/ovmf-dir-remote/OvmfPkg/build.sh tools/firmware/ovmf-dir-remote/BaseTools/BinWrappers/PosixLike/{AmlToC,BrotliCompress,build,GenFfs,GenFv,GenFw,GenSec,LzmaCompress,TianoCompress,Trim,VfrCompile}
'';
preBuild = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "preBuild" ] pkg.xen) pkg.xen.preBuild;
postBuild = ''
${withTools "buildPhase" (name: source: source.buildPhase)}
${pkg.xen.postBuild or ""}
'';
installPhase =
let
cpFlags = builtins.toString [
@ -555,12 +586,6 @@ stdenv.mkDerivation (finalAttrs: {
for i in $out/etc/xen/scripts/!(*.sh); do
sed --in-place "2s@^@export PATH=$out/bin:${scriptEnvPath}\n@" $i
done
''
+ ''
${withTools "installPhase" (name: source: source.installPhase)}
${pkg.xen.installPhase or ""}
'';
postFixup =
@ -632,7 +657,7 @@ stdenv.mkDerivation (finalAttrs: {
# Starts with the longDescription from ./packages.nix.
(packageDefinition.meta.longDescription or "")
+ lib.strings.optionalString (!withInternalQEMU) (
"\nUse with `qemu_xen_${lib.stringAsChars (x: if x == "." then "_" else x) branch}`"
"\nUse with `qemu_xen_${lib.strings.stringAsChars (x: if x == "." then "_" else x) branch}`"
+ lib.strings.optionalString latest " or `qemu_xen`"
+ ".\n"
)
@ -679,11 +704,14 @@ stdenv.mkDerivation (finalAttrs: {
# Development headers in $dev/include.
mit
];
maintainers = [ lib.maintainers.sigmasquadron ];
# This automatically removes maintainers from EOL versions of Xen, so we aren't bothered about versions we don't explictly support.
maintainers = lib.lists.optionals (lib.strings.versionAtLeast version minSupportedVersion) (
with lib.maintainers; [ sigmasquadron ]
);
mainProgram = "xl";
# Evaluates to x86_64-linux.
platforms = lib.lists.intersectLists lib.platforms.linux lib.platforms.x86_64;
knownVulnerabilities = lib.lists.optionals (lib.strings.versionOlder version "4.16") [
knownVulnerabilities = lib.lists.optionals (lib.strings.versionOlder version minSupportedVersion) [
"Xen ${version} is no longer supported by the Xen Security Team. See https://xenbits.xenproject.org/docs/unstable/support-matrix.html"
];
};
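Review bot: The two `patchShebangs --build tools/qemu-xen/...` and `tools/firmware/ovmf-dir-remote/...` lines added to `postPatch` run unconditionally, but those trees only exist when `withInternalQEMU` and `withInternalOVMF` are set (the `qemu` and `ovmf` entries of `prefetchedSources` are behind `lib.attrsets.optionalAttrs` on exactly those flags, and `tools/qemu-xen` is deleted by the `rm --recursive --force` line above them), whereas the per-source `postPatch` hooks they replace were only emitted for sources that were actually fetched. On a build with either flag off this targets paths that are not there; whether that is merely a `find` warning or a failed build depends on `patchShebangs` internals that are not visible here, so it is better to keep the scoping explicit: `lib.strings.optionalString withInternalQEMU "patchShebangs --build tools/qemu-xen/scripts/tracetool.py"` and the same with `withInternalOVMF` for the OVMF line. Separately, in `deployPrefetchedSourcesPatches` the `hasAttrByPath [ "${source}" "patches" ]` guard can never be false, because the inner `builtins.map` already evaluates `prefetchedSources.${source}.patches` (and every entry shown defines `patches`); either drop it together with its comment or map over `(prefetchedSources.${source}.patches or [ ])` so the guard means something. The `let` block and the `stdenv.mkDerivation` call both extend beyond the hunks shown.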


@ -62,7 +62,4 @@ rec {
withInternalIPXE = false;
inherit (slim) meta;
};
xen = xen_4_19;
xen-slim = xen_4_19-slim;
}


@ -1,10 +1,9 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p gitMinimal curl gnupg nix-prefetch-git nixfmt-rfc-style
# shellcheck disable=SC2206,SC2207 shell=bash
set -e
# Set a temporary $HOME in /tmp for GPG.
HOME=/tmp/xenUpdateScript
set -o errexit
set -o pipefail
set -o nounset
# This script expects to be called in an interactive terminal somewhere inside Nixpkgs.
echo "Preparing..."
@ -15,8 +14,8 @@ mkdir /tmp/xenUpdateScript
# Import and verify PGP key.
curl --silent --output /tmp/xenUpdateScript/xen.asc https://keys.openpgp.org/vks/v1/by-fingerprint/23E3222C145F4475FA8060A783FE14C957E82BD9
gpg --quiet --import /tmp/xenUpdateScript/xen.asc
fingerprint="$(gpg --with-colons --fingerprint "pgp@xen.org" 2>/dev/null | awk -F: '/^pub:.*/ { getline; print $10}')"
gpg --homedir /tmp/xenUpdateScript/.gnupg --quiet --import /tmp/xenUpdateScript/xen.asc
fingerprint="$(gpg --homedir /tmp/xenUpdateScript/.gnupg --with-colons --fingerprint "pgp@xen.org" 2>/dev/null | awk -F: '/^pub:.*/ { getline; print $10}')"
echo -e "Please ascertain through multiple external sources that the \e[1;32mXen Project PGP Key Fingerprint\e[0m is indeed \e[1;33m$fingerprint\e[0m. If that is not the case, \e[1;31mexit immediately\e[0m."
read -r -p $'Press \e[1;34menter\e[0m to continue with a pre-filled expected fingerprint, or input an arbitrary PGP fingerprint to match with the key\'s fingerprint: ' userInputFingerprint
userInputFingerprint=${userInputFingerprint:-"23E3222C145F4475FA8060A783FE14C957E82BD9"}
@ -32,7 +31,7 @@ latestVersion=$(echo "$versionList" | tr ' ' '\n' | tail --lines=1)
branchList=($(echo "$versionList" | tr ' ' '\n' | sed s/\.[0-9]*$//g | awk '!seen[$0]++'))
# Figure out which versions we're actually going to install.
minSupportedBranch="$(grep " knownVulnerabilities = lib.lists.optionals (lib.strings.versionOlder version " "$xenPath"/generic.nix | sed s/' knownVulnerabilities = lib.lists.optionals (lib.strings.versionOlder version "'//g | sed s/'") \['//g)"
minSupportedBranch="$(grep " minSupportedVersion = " "$xenPath"/generic/default.nix | sed s/' minSupportedVersion = "'//g | sed s/'";'//g)"
supportedBranches=($(for version in "${branchList[@]}"; do if [ "$(printf '%s\n' "$minSupportedBranch" "$version" | sort -V | head -n1)" = "$minSupportedBranch" ]; then echo "$version"; fi; done))
supportedVersions=($(for version in "${supportedBranches[@]}"; do echo "$versionList" | tr ' ' '\n' | grep "$version" | tail --lines=1; done))
@ -51,7 +50,7 @@ for version in "${supportedVersions[@]}"; do
# Verify PGP key automatically. If the fingerprint matches what the user specified, or the default fingerprint, then we consider it trusted.
cd /tmp/xenUpdateScript/xen
if [[ "$fingerprint" = "$userInputFingerprint" ]]; then
echo "$fingerprint:6:" | gpg --quiet --import-ownertrust
echo "$fingerprint:6:" | gpg --homedir /tmp/xenUpdateScript/.gnupg --quiet --import-ownertrust
(git verify-tag RELEASE-"$version" 2>/dev/null && echo -e "\n\e[1;32mSuccessfully authenticated Xen $version.\e[0m") || (echo -e "\e[1;31merror:\e[0m Unable to verify tag \e[1;32mRELEASE-$version\e[0m.\n- It is possible that \e[1;33mthis script has broken\e[0m, the Xen Project has \e[1;33mcycled their PGP keys\e[0m, or a \e[1;31msupply chain attack is in progress\e[0m.\n\n\e[1;31mPlease update manually.\e[0m" && exit 1)
else
echo -e "\e[1;31merror:\e[0m Unable to verify \e[1;34mpgp@xen.org\e[0m's fingerprint.\n- It is possible that \e[1;33mthis script has broken\e[0m, the Xen Project has \e[1;33mcycled their PGP keys\e[0m, or an \e[1;31mimpersonation attack is in progress\e[0m.\n\n\e[1;31mPlease update manually.\e[0m" && exit 1
@ -121,11 +120,10 @@ for version in "${supportedVersions[@]}"; do
echo -e "Found the following patches:\n \e[1;32mXen\e[0m: \e[1;33m$discoveredXenPatchesEcho\e[0m\n \e[1;36mQEMU\e[0m: \e[1;33m$discoveredQEMUPatchesEcho\e[0m\n \e[1;36mSeaBIOS\e[0m: \e[1;33m$discoveredSeaBIOSPatchesEcho\e[0m\n \e[1;36mOVMF\e[0m: \e[1;33m$discoveredOVMFPatchesEcho\e[0m\n \e[1;36miPXE\e[0m: \e[1;33m$discoveredIPXEPatchesEcho\e[0m"
# Prepare patches that are called in ./patches.nix.
defaultPatchListInit=("QUBES_REPRODUCIBLE_BUILDS" "XSA_458")
defaultPatchListInit=("QUBES_REPRODUCIBLE_BUILDS" "XSA_458" "XSA_460" "XSA_461" )
read -r -a defaultPatchList -p $'\nWould you like to override the \e[1;34mupstreamPatches\e[0m list for \e[1;32mXen '"$version"$'\e[0m? If no, press \e[1;34menter\e[0m to use the default patch list: [ \e[1;34m'"${defaultPatchListInit[*]}"$' \e[0m]: '
defaultPatchList=(${defaultPatchList[@]:-${defaultPatchListInit[@]}})
spaceSeparatedPatchList=${defaultPatchList[*]}
upstreamPatches="upstreamPatches.${spaceSeparatedPatchList// / upstreamPatches.}"
upstreamPatches=${defaultPatchList[*]}
# Write and format default.nix file.
echo -e "\nWriting updated \e[1;34mversionDefinition\e[0m..."
@ -139,17 +137,18 @@ for version in "${supportedVersions[@]}"; do
}@genericDefinition:
let
upstreamPatches = import ../patches.nix {
upstreamPatches = import ../generic/patches.nix {
inherit lib;
inherit fetchpatch;
};
upstreamPatchList = lib.lists.flatten [
upstreamPatchList = lib.lists.flatten (with upstreamPatches; [
$upstreamPatches
];
]);
in
callPackage (import ../generic.nix {
callPackage (import ../generic/default.nix {
pname = "xen";
branch = "$branch";
version = "$version";
latest = $latest;
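Review bot: Replacing the `HOME=/tmp/xenUpdateScript` override with per-call `--homedir` flags leaves `git verify-tag RELEASE-"$version"` (an unchanged line in this section) verifying through whatever keyring git's gpg finds via the caller's `GNUPGHOME` or `~/.gnupg`, not the `/tmp/xenUpdateScript/.gnupg` keyring into which the Xen key was just imported and given ownertrust; unless a line outside these hunks exports GNUPGHOME, the tag check will either fail or, if the user happens to hold a copy of the key, pass on a key this script never compared against the expected fingerprint. Exporting it once, `export GNUPGHOME=/tmp/xenUpdateScript/.gnupg` right after `mkdir /tmp/xenUpdateScript`, makes the three `gpg` calls and git's invocation agree and lets the repeated `--homedir` flags go. Separately, the fixed `/tmp/xenUpdateScript` path is predictable and shared with every other local user; `workdir="$(mktemp -d)"` plus a `trap 'rm -rf "$workdir"' EXIT` avoids the pre-created-directory case that `set -o errexit` currently turns into an abort at `mkdir`. The `for version in "${supportedVersions[@]}"` loop and the heredoc that writes `default.nix` extend beyond the hunks shown.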


@ -34730,8 +34730,8 @@ with pkgs;
xenPackages = recurseIntoAttrs (callPackage ../applications/virtualization/xen/packages.nix {});
xen = xenPackages.xen;
xen-slim = xenPackages.xen-slim;
xen = xenPackages.xen_4_19;
xen-slim = xenPackages.xen_4_19-slim;
xkbset = callPackage ../tools/X11/xkbset { };