On 11/6/25 05:20, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
This gets rid of a lot of duplicated code and allows building the verity roothash and superblock only when needed. It also removes a hack used to work around make limitations. Furthermore, 'veritysetup --root-hash-file' is used to avoid an awk script.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- nix-shell --pure --run 'make run' in host/initramfs fails. This is a preexisting bug and I will send a separate patch for it. --- host/initramfs/Makefile | 25 +++++-------------------- host/initramfs/shell.nix | 4 +++- host/rootfs/Makefile | 24 +++++------------------- host/rootfs/shell.nix | 3 +++ host/verity.nix | 19 +++++++++++++++++++ lib/common.mk | 1 - pkgs/default.nix | 1 + release/live/Makefile | 26 +++++--------------------- release/live/default.nix | 4 +++- 9 files changed, 44 insertions(+), 63 deletions(-)
diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
index 00d125774bb7b98736d0928c69cb307740cee034..bb602e2745fb5873204f453b35fc529c5c96f64a 100644
--- a/host/rootfs/Makefile
+++ b/host/rootfs/Makefile
@@ -82,25 +82,11 @@ clean:
 rm -rf build
 .PHONY: clean
-# veritysetup format produces two files, but Make only (portably)
-# supports one output per rule, so we combine the two outputs then
-# define two more rules to separate them again.
-build/rootfs.verity: $(dest)
- $(VERITYSETUP) format $(dest) build/rootfs.verity.superblock.tmp \
- | awk -F ':[[:blank:]]*' '$$1 == "Root hash" {print $$2; exit}' \
- > build/rootfs.verity.roothash.tmp
- cat build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.tmp \
- > $@
- rm build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.tmp
-build/rootfs.verity.roothash: build/rootfs.verity
- head -n 1 build/rootfs.verity > $@
-build/rootfs.verity.superblock: build/rootfs.verity
- tail -n +2 build/rootfs.verity > $@
-build/live.img: ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh ../../scripts/sfdisk-field.awk build/rootfs.verity.superblock build/rootfs.verity.roothash $(dest)
+build/live.img: ../../scripts/format-uuid.sh ../../scripts/make-gpt.sh ../../scripts/sfdisk-field.awk $(ROOT_FS_VERITY) $(ROOT_FS_VERITY_ROOTHASH) $(dest)
 ../../scripts/make-gpt.sh $@.tmp \
- build/rootfs.verity.superblock:verity:$$(../../scripts/format-uuid.sh "$$(dd if=build/rootfs.verity.roothash bs=32 skip=1 count=1 status=none)") \
- $(dest):root:$$(../../scripts/format-uuid.sh "$$(head -c 32 build/rootfs.verity.roothash)")
+ "$$ROOT_FS_VERITY:verity:$$(../../scripts/format-uuid.sh "$$(dd "if=$$ROOT_FS_VERITY_ROOTHASH" bs=32 skip=1 count=1 status=none)")" \
+ $(dest):root:$$(../../scripts/format-uuid.sh "$$(head -c 32 "$$ROOT_FS_VERITY_ROOTHASH")")
 mv $@.tmp $@
debug:
@@ -110,7 +96,7 @@ debug:
 $(VMLINUX)
 .PHONY: debug
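Review bot: The new `build/live.img` rule lists `$(ROOT_FS_VERITY)` and `$(ROOT_FS_VERITY_ROOTHASH)` as Make prerequisites but the recipe reads them as shell variables (`$$ROOT_FS_VERITY`, `$$ROOT_FS_VERITY_ROOTHASH`), so the rule only works when both names also reach the recipe's environment — true for values inherited from the Nix shell or given on the make command line, which GNU make exports, but not for a value set inside a Makefile; the `run` recipe at -131/+117 has the same split. Using the Make expansions in the recipe, `"$(ROOT_FS_VERITY):verity:..."` and `"$(ROOT_FS_VERITY_ROOTHASH)"`, removes that reliance on export. When either variable is empty the prerequisite silently disappears and the failure surfaces inside dd/head instead of up front, so a guard such as `$(if $(strip $(ROOT_FS_VERITY_ROOTHASH)),,$(error ROOT_FS_VERITY_ROOTHASH is not set))` as the first recipe line (and likewise for the `run` rule at -110/+96) would make the missing input explicit. Because the roothash no longer derives from `$(dest)` in the dependency graph, a superblock/roothash pair that is out of step with the rootfs is only detected at boot as a dm-verity mismatch; if `VERITYSETUP` is still defined after this patch, a `$(VERITYSETUP) verify` step against `$(dest)` in this rule could catch that at build time — the exact argument form should be checked against the veritysetup version in use.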
-run: build/live.img $(EXT_FS) build/rootfs.verity.roothash
+run: build/live.img $(EXT_FS) $(ROOT_FS_VERITY_ROOTHASH)
 @set -x && \
 ext="$$(mktemp build/spectrum-rootfs-extfs.XXXXXXXXXX.img)" && \
 truncate -s 10G "$$ext" && \
@@ -131,7 +117,7 @@ run: build/live.img $(EXT_FS) build/rootfs.verity.roothash
 -device virtconsole,chardev=virtiocon0 \
 -drive file=build/live.img,if=virtio,format=raw,readonly=on \
 -drive file=/proc/self/fd/3,if=virtio,format=raw \
- -append "earlycon console=hvc0 roothash=$$(< build/rootfs.verity.roothash) intel_iommu=on nokaslr" \
+ -append "earlycon console=hvc0 roothash=$$(< "$$ROOT_FS_VERITY_ROOTHASH") intel_iommu=on nokaslr" \
 -device virtio-keyboard \
 -device virtio-mouse \
 -device virtio-gpu \
diff --git a/host/rootfs/shell.nix b/host/rootfs/shell.nix
index 1bf61bebf418333624e799cc8ca231f5783206f4..f16e4905adfbc8faebde19d0a1364ad9df90219b 100644
--- a/host/rootfs/shell.nix
+++ b/host/rootfs/shell.nix
@@ -5,6 +5,7 @@ import ../../lib/call-package.nix (
 { callSpectrumPackage, rootfs, pkgsStatic, srcOnly, stdenv
 , btrfs-progs, cryptsetup, jq, netcat, qemu_kvm, reuse, util-linux
+, verity
 }:
rootfs.overrideAttrs (
@@ -20,5 +21,7 @@ rootfs.overrideAttrs (
 KERNEL = "${passthru.kernel}/${stdenv.hostPlatform.linux-kernel.target}";
 LINUX_SRC = srcOnly passthru.kernel.configfile;
 VMLINUX = "${passthru.kernel.dev}/vmlinux";
+ ROOT_FS_VERITY = "${verity}/rootfs.verity.superblock";
+ ROOT_FS_VERITY_ROOTHASH = "${verity}/rootfs.verity.roothash";
 };
 })) (_: {})
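Review bot: Nothing in shell.nix records that the Makefile reads `ROOT_FS_VERITY` and `ROOT_FS_VERITY_ROOTHASH` from the shell environment in its `live.img` and `run` rules, so a reader of this file has no way to see that renaming or removing either attribute breaks those rules; a short comment above the two new lines, `# Read from the environment by the Makefile's live.img and run rules.`, would make the contract visible. As a point of naming, `ROOT_FS_VERITY` holds only the superblock file while its sibling is explicitly `_ROOTHASH`, so the pair reads as "whole verity output" plus "roothash"; `ROOT_FS_VERITY_SUPERBLOCK` would say what it is, though that rename would have to be carried through the Makefile and, presumably, the other shell.nix files in the diffstat.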
Surely this would break interactive development of the rootfs? If I'm in a Nix shell, and make a change to any part of the rootfs, the verity data in the environment will be out of date. I'd have to leave and re-enter the Nix shell after /any/ change, waiting for an evaluation each time, as opposed to the current situation where that's only necessary when modifying Nix code or other Spectrum components.
It would. Are there alternatives you can recommend? I don't want the updater and the installer to have to use two different copies. -- Sincerely, Demi Marie Obenour (she/her/hers)