diff --git a/nix/configuration/configuration.nix b/nix/configuration/configuration.nix index 1111bba..cb576a9 100644 --- a/nix/configuration/configuration.nix +++ b/nix/configuration/configuration.nix @@ -57,6 +57,7 @@ ./roles/podman ./roles/python ./roles/qemu + ./roles/recovery ./roles/reset ./roles/rpcs3 ./roles/rust @@ -147,21 +148,37 @@ # }) # ]; - nixpkgs.overlays = [ - (final: prev: { - imagemagick = prev.imagemagick.overrideAttrs (old: rec { - # 7.1.2-6 seems to no longer exist, so use 7.1.2-7 - version = "7.1.2-7"; + nixpkgs.overlays = + let + disableTests = ( + package_name: + (final: prev: { + "${package_name}" = prev."${package_name}".overrideAttrs (old: { + doCheck = false; + doInstallCheck = false; + }); + }) + ); + in + [ + (final: prev: { + imagemagick = prev.imagemagick.overrideAttrs (old: rec { + # 7.1.2-6 seems to no longer exist, so use 7.1.2-7 + version = "7.1.2-7"; - src = final.fetchFromGitHub { - owner = "ImageMagick"; - repo = "ImageMagick"; - tag = version; - hash = "sha256-9ARCYftoXiilpJoj+Y+aLCEqLmhHFYSrHfgA5DQHbGo="; - }; - }); - }) - ]; + src = final.fetchFromGitHub { + owner = "ImageMagick"; + repo = "ImageMagick"; + tag = version; + hash = "sha256-9ARCYftoXiilpJoj+Y+aLCEqLmhHFYSrHfgA5DQHbGo="; + }; + }); + }) + (final: prev: { + grub2 = (final.callPackage ./package/grub { }); + }) + (disableTests "git") + ]; # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. diff --git a/nix/configuration/flake.nix b/nix/configuration/flake.nix index a46b0c2..649a624 100644 --- a/nix/configuration/flake.nix +++ b/nix/configuration/flake.nix @@ -48,6 +48,9 @@ quark = { system = "x86_64-linux"; }; + recovery = { + system = "x86_64-linux"; + }; }; nixosConfigs = builtins.mapAttrs ( hostname: nodeConfig: format: diff --git a/nix/configuration/hosts/odo/default.nix b/nix/configuration/hosts/odo/default.nix index 2cabb7d..bb796ab 100644 --- a/nix/configuration/hosts/odo/default.nix +++ b/nix/configuration/hosts/odo/default.nix @@ -105,6 +105,7 @@ me.podman.enable = true; me.python.enable = true; me.qemu.enable = true; + me.recovery.enable = true; me.rpcs3.enable = true; me.rust.enable = true; me.sequoia.enable = true; diff --git a/nix/configuration/hosts/quark/default.nix b/nix/configuration/hosts/quark/default.nix index 34cf8bb..1159abb 100644 --- a/nix/configuration/hosts/quark/default.nix +++ b/nix/configuration/hosts/quark/default.nix @@ -100,6 +100,7 @@ me.podman.enable = true; me.python.enable = true; me.qemu.enable = true; + me.recovery.enable = true; me.rpcs3.enable = true; me.rust.enable = true; me.sequoia.enable = true; diff --git a/nix/configuration/hosts/recovery/DEPLOY_BOOT b/nix/configuration/hosts/recovery/DEPLOY_BOOT new file mode 100755 index 0000000..9985959 --- /dev/null +++ b/nix/configuration/hosts/recovery/DEPLOY_BOOT @@ -0,0 +1,13 @@ +#!/usr/bin/env bash +# +set -euo pipefail +IFS=$'\n\t' +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + +: "${JOBS:="1"}" + +TARGET=recovery + +for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done + +nixos-rebuild boot --flake "$DIR/../../#recovery" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json diff --git a/nix/configuration/hosts/recovery/DEPLOY_SWITCH b/nix/configuration/hosts/recovery/DEPLOY_SWITCH new file mode 100755 index 0000000..05e6862 --- /dev/null +++ b/nix/configuration/hosts/recovery/DEPLOY_SWITCH @@ -0,0 +1,13 @@ +#!/usr/bin/env bash +# +set -euo pipefail +IFS=$'\n\t' +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + +: "${JOBS:="1"}" + +TARGET=recovery + +for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done + +nixos-rebuild switch --flake "$DIR/../../#recovery" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json diff --git a/nix/configuration/hosts/recovery/ISO b/nix/configuration/hosts/recovery/ISO new file mode 100755 index 0000000..9f9ff1d --- /dev/null +++ b/nix/configuration/hosts/recovery/ISO @@ -0,0 +1,10 @@ +#!/usr/bin/env bash +# +set -euo pipefail +IFS=$'\n\t' +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + +: "${JOBS:="1"}" + +for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done +nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#recovery.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json diff --git a/nix/configuration/hosts/recovery/SELF_BOOT b/nix/configuration/hosts/recovery/SELF_BOOT new file mode 100755 index 0000000..2addcd0 --- /dev/null +++ b/nix/configuration/hosts/recovery/SELF_BOOT @@ -0,0 +1,10 @@ +#!/usr/bin/env bash +# +set -euo pipefail +IFS=$'\n\t' +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + +: "${JOBS:="1"}" + +for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done +nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --log-format internal-json -v "${@}" |& nom --json diff --git a/nix/configuration/hosts/recovery/SELF_BUILD b/nix/configuration/hosts/recovery/SELF_BUILD new file mode 100755 index 0000000..e24c831 --- /dev/null +++ b/nix/configuration/hosts/recovery/SELF_BUILD @@ -0,0 +1,10 @@ +#!/usr/bin/env bash +# +set -euo pipefail +IFS=$'\n\t' +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + +: "${JOBS:="1"}" + +for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done +nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --log-format internal-json -v "${@}" |& nom --json diff --git a/nix/configuration/hosts/recovery/SELF_SWITCH b/nix/configuration/hosts/recovery/SELF_SWITCH new file mode 100755 index 0000000..d0c54f6 --- /dev/null +++ b/nix/configuration/hosts/recovery/SELF_SWITCH @@ -0,0 +1,10 @@ +#!/usr/bin/env bash +# +set -euo pipefail +IFS=$'\n\t' +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + +: "${JOBS:="1"}" + +for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done +nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --log-format internal-json -v "${@}" |& nom --json diff --git a/nix/configuration/hosts/recovery/default.nix b/nix/configuration/hosts/recovery/default.nix new file mode 100644 index 0000000..cac7293 --- /dev/null +++ b/nix/configuration/hosts/recovery/default.nix @@ -0,0 +1,57 @@ +{ + config, + lib, + pkgs, + ... +}: +{ + imports = [ + ./hardware-configuration.nix + ./wrapped-disk-config.nix + ./distributed_build.nix + ./power_management.nix + ]; + + config = { + # Generate with `head -c4 /dev/urandom | od -A none -t x4` + networking.hostId = "46b62d92"; + + networking.hostName = "recovery"; # Define your hostname. + + time.timeZone = "America/New_York"; + i18n.defaultLocale = "en_US.UTF-8"; + + me.boot.secure = true; + me.mountPersistence = true; + + me.optimizations = { + enable = true; + arch = "kabylake"; + # build_arch = "x86-64-v3"; + system_features = [ + "gccarch-kabylake" + "gccarch-x86-64-v3" + "benchmark" + "big-parallel" + "kvm" + "nixos-test" + ]; + }; + + # Early KMS + # boot.initrd.kernelModules = [ "amdgpu" ]; + + # Mount tmpfs at /tmp + boot.tmp.useTmpfs = true; + + # Enable TRIM + # services.fstrim.enable = lib.mkDefault true; + + me.recovery.enable = true; + me.ssh.enable = true; + me.sshd.enable = true; + me.user.enable = true; + me.zfs.enable = true; + me.zrepl.enable = true; + }; +} diff --git a/nix/configuration/hosts/recovery/disk-config.nix b/nix/configuration/hosts/recovery/disk-config.nix new file mode 100644 index 0000000..d19e0b7 --- /dev/null +++ b/nix/configuration/hosts/recovery/disk-config.nix @@ -0,0 +1,142 @@ +# Manual Step: +# Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1 +# Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1 + +{ + disko.devices = { + disk = { + main = { + type = "disk"; + device = "/dev/nvme0n1"; + content = { + type = "gpt"; + partitions = { + ESP = { + size = "1G"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ + "umask=0077" + "noatime" + "discard" + ]; + }; + }; + zfs = { + size = "100%"; + content = { + type = "zfs"; + pool = "zroot"; + }; + }; + }; + }; + }; + }; + zpool = { + zroot = { + type = "zpool"; + # mode = "mirror"; + # Workaround: cannot import 'zroot': I/O error in disko tests + options.cachefile = "none"; + options = { + ashift = "12"; + compatibility = "openzfs-2.2-freebsd"; + autotrim = "on"; + }; + rootFsOptions = { + acltype = "posixacl"; + atime = "off"; + relatime = "off"; + xattr = "sa"; + mountpoint = "none"; + compression = "lz4"; + canmount = "off"; + utf8only = "on"; + dnodesize = "auto"; + normalization = "formD"; + }; + + datasets = { + "linux/nix" = { + type = "zfs_fs"; + options.mountpoint = "none"; + options = { + # encryption = "aes-256-gcm"; + # keyformat = "passphrase"; + # keylocation = "file:///tmp/secret.key"; + }; + }; + "linux/nix/root" = { + type = "zfs_fs"; + options.mountpoint = "legacy"; + mountpoint = "/"; + postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank"; + }; + "linux/nix/nix" = { + type = "zfs_fs"; + options.mountpoint = "legacy"; + mountpoint = "/nix"; + postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank"; + options = { + recordsize = "16MiB"; + compression = "zstd-19"; + }; + }; + "linux/nix/home" = { + type = "zfs_fs"; + options.mountpoint = "legacy"; + mountpoint = "/home"; + postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank"; + }; + "linux/nix/persist" = { + type = "zfs_fs"; + options.mountpoint = "legacy"; + mountpoint = "/persist"; + postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank"; + }; + "linux/nix/state" = { + type = "zfs_fs"; + options.mountpoint = "legacy"; + mountpoint = "/state"; + postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank"; + }; + }; + }; + }; + }; + + # Make sure all persistent volumes are marked as neededForBoot + # + # Also mounts /home so it is mounted before the user home directories are created. + fileSystems."/persist".neededForBoot = true; + fileSystems."/state".neededForBoot = true; + fileSystems."/home".neededForBoot = true; + + fileSystems."/".options = [ + "noatime" + "norelatime" + ]; + fileSystems."/nix".options = [ + "noatime" + "norelatime" + ]; + fileSystems."/persist".options = [ + "noatime" + "norelatime" + ]; + fileSystems."/state".options = [ + "noatime" + "norelatime" + ]; + fileSystems."/home".options = [ + "noatime" + "norelatime" + ]; + + # Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used. + # boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ]; +} diff --git a/nix/configuration/hosts/recovery/distributed_build.nix b/nix/configuration/hosts/recovery/distributed_build.nix new file mode 100644 index 0000000..10755e8 --- /dev/null +++ b/nix/configuration/hosts/recovery/distributed_build.nix @@ -0,0 +1,19 @@ +{ + imports = [ ]; + + config = { + me.distributed_build.enable = true; + me.distributed_build.machines.hydra = { + enable = true; + additional_config = { + speedFactor = 2; + }; + }; + me.distributed_build.machines.quark = { + enable = true; + additional_config = { + speedFactor = 2; + }; + }; + }; +} diff --git a/nix/configuration/hosts/recovery/hardware-configuration.nix b/nix/configuration/hosts/recovery/hardware-configuration.nix new file mode 100644 index 0000000..05c540b --- /dev/null +++ b/nix/configuration/hosts/recovery/hardware-configuration.nix @@ -0,0 +1,34 @@ +{ + config, + lib, + modulesPath, + ... +}: + +{ + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + config = { + boot.initrd.availableKernelModules = [ + "nvme" + "xhci_pci" + "thunderbolt" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + # networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eno1.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + }; +} diff --git a/nix/configuration/hosts/recovery/power_management.nix b/nix/configuration/hosts/recovery/power_management.nix new file mode 100644 index 0000000..d2b2315 --- /dev/null +++ b/nix/configuration/hosts/recovery/power_management.nix @@ -0,0 +1,63 @@ +{ + pkgs, + ... +}: + +{ + imports = [ ]; + + config = { + environment.systemPackages = with pkgs; [ + powertop + ]; + + # pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction. + # nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above). + boot.kernelParams = [ + "pcie_aspm=force" + # "pcie_aspm.policy=powersupersave" + "nowatchdog" + ]; + + systemd.tmpfiles.rules = [ + "w- /sys/firmware/acpi/platform_profile - - - - low-power" + "w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power" + "w- /sys/devices/system/cpu/cpu0/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu1/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu2/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu3/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu4/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu5/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu6/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu7/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu8/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu9/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu10/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu11/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu12/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu13/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu14/cpufreq/boost - - - - 0" + "w- /sys/devices/system/cpu/cpu15/cpufreq/boost - - - - 0" + ]; + + boot.extraModprobeConfig = '' + # Sound power-saving was causing chat notifications to be inaudible. + # options snd_hda_intel power_save=1 + ''; + }; +} diff --git a/nix/configuration/hosts/recovery/wrapped-disk-config.nix b/nix/configuration/hosts/recovery/wrapped-disk-config.nix new file mode 100644 index 0000000..39e74f4 --- /dev/null +++ b/nix/configuration/hosts/recovery/wrapped-disk-config.nix @@ -0,0 +1,7 @@ +{ + config, + lib, + ... +}: + +lib.mkIf (!config.me.buildingPortable) (import ./disk-config.nix) diff --git a/nix/configuration/package/grub/add-hidden-menu-entries.patch b/nix/configuration/package/grub/add-hidden-menu-entries.patch new file mode 100644 index 0000000..836a985 --- /dev/null +++ b/nix/configuration/package/grub/add-hidden-menu-entries.patch @@ -0,0 +1,204 @@ +diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c +index e9e9d94ef..54e08a1b4 100644 +--- a/grub-core/commands/legacycfg.c ++++ b/grub-core/commands/legacycfg.c +@@ -143,7 +143,7 @@ legacy_file (const char *filename) + args[0] = oldname; + grub_normal_add_menu_entry (1, args, NULL, NULL, "legacy", + NULL, NULL, +- entrysrc, 0); ++ entrysrc, 0, 0); + grub_free (args); + entrysrc[0] = 0; + grub_free (oldname); +@@ -205,7 +205,7 @@ legacy_file (const char *filename) + } + args[0] = entryname; + grub_normal_add_menu_entry (1, args, NULL, NULL, NULL, +- NULL, NULL, entrysrc, 0); ++ NULL, NULL, entrysrc, 0, 0); + grub_free (args); + } + +diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c +index 720e6d8ea..50632ccce 100644 +--- a/grub-core/commands/menuentry.c ++++ b/grub-core/commands/menuentry.c +@@ -78,7 +78,7 @@ grub_normal_add_menu_entry (int argc, const char **args, + char **classes, const char *id, + const char *users, const char *hotkey, + const char *prefix, const char *sourcecode, +- int submenu) ++ int submenu, int hidden) + { + int menu_hotkey = 0; + char **menu_args = NULL; +@@ -188,8 +188,11 @@ grub_normal_add_menu_entry (int argc, const char **args, + (*last)->args = menu_args; + (*last)->sourcecode = menu_sourcecode; + (*last)->submenu = submenu; ++ (*last)->hidden = hidden; ++ ++ if (!hidden) ++ menu->size++; + +- menu->size++; + return GRUB_ERR_NONE; + + fail: +@@ -286,7 +289,8 @@ grub_cmd_menuentry (grub_extcmd_context_t ctxt, int argc, char **args) + users, + ctxt->state[2].arg, 0, + ctxt->state[3].arg, +- ctxt->extcmd->cmd->name[0] == 's'); ++ ctxt->extcmd->cmd->name[0] == 's', ++ ctxt->extcmd->cmd->name[0] == 'h'); + + src = args[argc - 1]; + args[argc - 1] = NULL; +@@ -303,7 +307,8 @@ grub_cmd_menuentry (grub_extcmd_context_t ctxt, int argc, char **args) + ctxt->state[0].args, ctxt->state[4].arg, + users, + ctxt->state[2].arg, prefix, src + 1, +- ctxt->extcmd->cmd->name[0] == 's'); ++ ctxt->extcmd->cmd->name[0] == 's', ++ ctxt->extcmd->cmd->name[0] == 'h'); + + src[len - 1] = ch; + args[argc - 1] = src; +@@ -311,7 +316,7 @@ grub_cmd_menuentry (grub_extcmd_context_t ctxt, int argc, char **args) + return r; + } + +-static grub_extcmd_t cmd, cmd_sub; ++static grub_extcmd_t cmd, cmd_sub, cmd_hidden; + + void + grub_menu_init (void) +@@ -327,6 +332,12 @@ grub_menu_init (void) + | GRUB_COMMAND_FLAG_EXTRACTOR, + N_("BLOCK"), N_("Define a submenu."), + options); ++ cmd_hidden = grub_register_extcmd ("hiddenentry", grub_cmd_menuentry, ++ GRUB_COMMAND_FLAG_BLOCKS ++ | GRUB_COMMAND_ACCEPT_DASH ++ | GRUB_COMMAND_FLAG_EXTRACTOR, ++ N_("BLOCK"), N_("Define a hidden menu entry."), ++ options); + } + + void +diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c +index 6a90e091f..4236f55bc 100644 +--- a/grub-core/normal/menu.c ++++ b/grub-core/normal/menu.c +@@ -37,6 +37,8 @@ + entry failing to boot. */ + #define DEFAULT_ENTRY_ERROR_DELAY_MS 2500 + ++#define MENU_INCLUDE_HIDDEN 0x10000 ++ + grub_err_t (*grub_gfxmenu_try_hook) (int entry, grub_menu_t menu, + int nested) = NULL; + +@@ -80,8 +82,20 @@ grub_menu_get_entry (grub_menu_t menu, int no) + { + grub_menu_entry_t e; + +- for (e = menu->entry_list; e && no > 0; e = e->next, no--) +- ; ++ if (no & MENU_INCLUDE_HIDDEN) { ++ no &= ~MENU_INCLUDE_HIDDEN; ++ ++ for (e = menu->entry_list; e && no > 0; e = e->next, no--) ++ ; ++ } else { ++ for (e = menu->entry_list; e && no > 0; e = e->next, no--) { ++ /* Skip hidden entries */ ++ while (e && e->hidden) ++ e = e->next; ++ } ++ while (e && e->hidden) ++ e = e->next; ++ } + + return e; + } +@@ -93,10 +107,10 @@ get_entry_index_by_hotkey (grub_menu_t menu, int hotkey) + grub_menu_entry_t entry; + int i; + +- for (i = 0, entry = menu->entry_list; i < menu->size; ++ for (i = 0, entry = menu->entry_list; entry; + i++, entry = entry->next) + if (entry->hotkey == hotkey) +- return i; ++ return i | MENU_INCLUDE_HIDDEN; + + return -1; + } +@@ -509,6 +523,10 @@ get_entry_number (grub_menu_t menu, const char *name) + grub_menu_entry_t e = menu->entry_list; + int i; + ++ /* Skip hidden entries */ ++ while (e && e->hidden) ++ e = e->next; ++ + grub_errno = GRUB_ERR_NONE; + + for (i = 0; e; i++) +@@ -520,6 +538,10 @@ get_entry_number (grub_menu_t menu, const char *name) + break; + } + e = e->next; ++ ++ /* Skip hidden entries */ ++ while (e && e->hidden) ++ e = e->next; + } + + if (! e) +diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c +index b1321eb26..d2e46cac8 100644 +--- a/grub-core/normal/menu_text.c ++++ b/grub-core/normal/menu_text.c +@@ -289,7 +289,11 @@ print_entries (grub_menu_t menu, const struct menu_viewer_data *data) + print_entry (data->geo.first_entry_y + i, data->offset == i, + e, data); + if (e) +- e = e->next; ++ e = e->next; ++ ++ /* Skip hidden entries */ ++ while (e && e->hidden) ++ e = e->next; + } + + grub_term_gotoxy (data->term, +diff --git a/include/grub/menu.h b/include/grub/menu.h +index ee2b5e910..eb8a86ba9 100644 +--- a/include/grub/menu.h ++++ b/include/grub/menu.h +@@ -58,6 +58,8 @@ struct grub_menu_entry + + int submenu; + ++ int hidden; ++ + /* The next element. */ + struct grub_menu_entry *next; + }; +diff --git a/include/grub/normal.h b/include/grub/normal.h +index 218cbabcc..bcb412466 100644 +--- a/include/grub/normal.h ++++ b/include/grub/normal.h +@@ -145,7 +145,7 @@ grub_normal_add_menu_entry (int argc, const char **args, char **classes, + const char *id, + const char *users, const char *hotkey, + const char *prefix, const char *sourcecode, +- int submenu); ++ int submenu, int hidden); + + grub_err_t + grub_normal_set_password (const char *user, const char *password); diff --git a/nix/configuration/package/grub/default.nix b/nix/configuration/package/grub/default.nix new file mode 100644 index 0000000..ac0431e --- /dev/null +++ b/nix/configuration/package/grub/default.nix @@ -0,0 +1,681 @@ +{ + lib, + stdenv, + fetchgit, + flex, + bison, + python3, + autoconf, + automake, + libtool, + bash, + gettext, + ncurses, + libusb-compat-0_1, + freetype, + qemu, + lvm2, + unifont, + pkg-config, + help2man, + fetchzip, + fetchpatch, + buildPackages, + nixosTests, + fuse, # only needed for grub-mount + runtimeShell, + zfs ? null, + efiSupport ? false, + zfsSupport ? false, + xenSupport ? false, + xenPvhSupport ? false, + kbdcompSupport ? false, + ckbcomp, +}: + +let + pcSystems = { + i686-linux.target = "i386"; + x86_64-linux.target = "i386"; + }; + + efiSystemsBuild = { + i686-linux.target = "i386"; + x86_64-linux.target = "x86_64"; + armv7l-linux.target = "arm"; + aarch64-linux.target = "aarch64"; + loongarch64-linux.target = "loongarch64"; + riscv32-linux.target = "riscv32"; + riscv64-linux.target = "riscv64"; + }; + + # For aarch64, we need to use '--target=aarch64-efi' when building, + # but '--target=arm64-efi' when installing. Insanity! + efiSystemsInstall = { + i686-linux.target = "i386"; + x86_64-linux.target = "x86_64"; + armv7l-linux.target = "arm"; + aarch64-linux.target = "arm64"; + loongarch64-linux.target = "loongarch64"; + riscv32-linux.target = "riscv32"; + riscv64-linux.target = "riscv64"; + }; + + xenSystemsBuild = { + i686-linux.target = "i386"; + x86_64-linux.target = "x86_64"; + }; + + xenPvhSystemsBuild = { + i686-linux.target = "i386"; + x86_64-linux.target = "i386"; # Xen PVH is only i386 on x86. + }; + + inPCSystems = lib.any (system: stdenv.hostPlatform.system == system) (lib.attrNames pcSystems); + + gnulib = fetchgit { + url = "https://git.savannah.gnu.org/git/gnulib.git"; + # NOTE: keep in sync with bootstrap.conf! + rev = "9f48fb992a3d7e96610c4ce8be969cff2d61a01b"; + hash = "sha256-mzbF66SNqcSlI+xmjpKpNMwzi13yEWoc1Fl7p4snTto="; + }; + + # The locales are fetched from translationproject.org at build time, + # but those translations are not versioned/stable. For that reason + # we take them from the nearest release tarball instead: + locales = fetchzip { + url = "https://ftp.gnu.org/gnu/grub/grub-2.12.tar.gz"; + hash = "sha256-IoRiJHNQ58y0UhCAD0CrpFiI8Mz1upzAtyh5K4Njh/w="; + }; +in + +assert zfsSupport -> zfs != null; +assert !(efiSupport && (xenSupport || xenPvhSupport)); +assert !(xenSupport && xenPvhSupport); + +stdenv.mkDerivation rec { + pname = "grub"; + version = "2.12"; + + src = fetchgit { + url = "https://git.savannah.gnu.org/git/grub.git"; + tag = "grub-${version}"; + hash = "sha256-lathsBb2f7urh8R86ihpTdwo3h1hAHnRiHd5gCLVpBc="; + }; + + patches = [ + ./fix-bash-completion.patch + ./add-hidden-menu-entries.patch + + # https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html + (fetchpatch { + name = "01_implement_grub_strlcpy.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=ea703528a8581a2ea7e0bad424a70fdf0aec7d8f"; + hash = "sha256-MSMgu1vMG83HRImUUsTyA1YQaIhgEreGGPd+ZDWSI2I="; + }) + (fetchpatch { + name = "02_CVE-2024-45781.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=c1a291b01f4f1dcd6a22b61f1c81a45a966d16ba"; + hash = "sha256-q8ErK+cQzaqwSuhLRFL3AfYBkpgJq1IQmadnlmlz2yw="; + }) + (fetchpatch { + name = "03_CVE-2024-45782_CVE-2024-56737.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=417547c10410b714e43f08f74137c24015f8f4c3"; + hash = "sha256-mRinw27WZ2d1grzyzFGO18yXx72UVBM6Lf5cR8XJfs8="; + }) + (fetchpatch { + name = "04_fs_tar_initialize_name_in_grub_cpio_find_file.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=2c8ac08c99466c0697f704242363fc687f492a0d"; + hash = "sha256-EMGF0B+Fw6tSmllWUJAp1ynzWk+w2C/XM1LmXSReHWg="; + }) + (fetchpatch { + name = "05_CVE-2024-45780.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=0087bc6902182fe5cedce2d034c75a79cf6dd4f3"; + hash = "sha256-IlW5i4EJVoUYPu9/lb0LeytTpzltQuu5fpkFPQNIhls="; + }) + (fetchpatch { + name = "06_fs_f2fs_grub_errno_mount_fails.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=563436258cde64da6b974880abff1bf0959f4da3"; + hash = "sha256-Iu0RPyB+pAnqMT+MTX+TrJbYJsvYPn7jbMgE1jcLh/Q="; + }) + (fetchpatch { + name = "07_CVE-2024-45783.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=f7c070a2e28dfab7137db0739fb8db1dc02d8898"; + hash = "sha256-V1wh2dPeTazmad61jFtOjhq2MdoD+txPWY/AfwwyTZM="; + }) + (fetchpatch { + name = "08_fs_iso9660_grub_errno_mount_fails.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=965db5970811d18069b34f28f5f31ddadde90a97"; + hash = "sha256-6eN1AvZwXkJOQVcjgymy/E7QiAxzL/d0W3KlAZRqUzI="; + }) + (fetchpatch { + name = "09_fs_iso9660_fix_invalid_free.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=1443833a9535a5873f7de3798cf4d8389f366611"; + hash = "sha256-Gt5yMy5Vg9zrDggj3o/TLNt2vT9/6IuHg4Se2p8e8pI="; + }) + (fetchpatch { + name = "10_fs_jfs_fix_oob_read_jfs_getent.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=66175696f3a385b14bdf1ebcda7755834bd2d5fb"; + hash = "sha256-ETbzbc5gvf55sTLjmJOXXC9VH3qcP1Gv5seR/U9NRiY="; + }) + (fetchpatch { + name = "11_fs_jfs_fix_oob_read_caused_by_invalid_dir_slot_index.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=ab09fd0531f3523ac0ef833404526c98c08248f7"; + hash = "sha256-wE6niiIx4BdN800/Eegb6IbBRoMFpXq9kPvatwhWNXY="; + }) + (fetchpatch { + name = "12_fs_jfs_use_full_40_bits_offset_and_address_for_data_extent.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=bd999310fe67f35a66de3bfa2836da91589d04ef"; + hash = "sha256-fbC4oTEIoGWJASzJI5RXfoanrMLTfjFOI51LCUU7Ctg="; + }) + (fetchpatch { + name = "13_fs_jfs_inconsistent_signed_unsigned_types_usage.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=edd995a26ec98654d907a9436a296c2d82bc4b28"; + hash = "sha256-aa1G1vi4bPZejfKEqZokAZTzY9Ea2lyxTrP4drDV9tk="; + }) + (fetchpatch { + name = "14_fs_ext2_fix_out-of-bounds_read_for_inline_extent.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=7e2f750f0a795c4d64ec7dc7591edac8da2e978c"; + hash = "sha256-PtPqZHMU2fy7btRRaaswLyHizplxnygCzDfcg5ievOQ="; + }) + (fetchpatch { + name = "15_fs_ntfs_fix_out-of-bounds_read.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=aff26318783a135562b904ff09e2359893885732"; + hash = "sha256-znN6lkAB9aAhTGKR1038DzOz5nzuTp+7ylHVqRM7HeI="; + }) + (fetchpatch { + name = "16_fs_ntfs_track_the_end_of_the_MFT_attribute_buffer.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=237a71184a32d1ef7732f5f49ed6a89c5fe1c99a"; + hash = "sha256-0I/g0qHkWY6PArPn1UaYRhCrrh9bHknADh34v5eSjjM="; + }) + (fetchpatch { + name = "17_fs_ntfs_use_a_helper_function_to_access_attributes.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=048777bc29043403d077d41a81d0183767b8bc71"; + hash = "sha256-Mm49MSLqCq143r8ruLJm1QoyCoLtOlCBfqoAPwPlv8E="; + }) + # Patch 18 (067b6d225d482280abad03944f04e30abcbdafa1) has been removed because it causes regressions + # https://lists.gnu.org/archive/html/grub-devel/2025-03/msg00067.html + (fetchpatch { + name = "19_fs_xfs_fix_out-of-bounds_read.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=6ccc77b59d16578b10eaf8a4fe85c20b229f0d8a"; + hash = "sha256-FvTzFvfEi3oyxPC/dUHreyzzeVCskaUlYUjpKY/l0DE="; + }) + (fetchpatch { + name = "20_fs_xfs_ensuring_failing_to_mount_sets_a_grub_errno.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=d1d6b7ea58aa5a80a4c4d0666b49460056c8ef0a"; + hash = "sha256-SLdXMmYHq/gRmWrjRrOu5ZYFod84EllUL6hk+gnr3kg="; + }) + (fetchpatch { + name = "21_kern_file_ensure_file_data_is_set.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=a7910687294b29288ac649e71b47493c93294f17"; + hash = "sha256-DabZK9eSToEmSA9dEwtEN+URiVyS9qf6e2Y2UiMuy8Q="; + }) + (fetchpatch { + name = "22_kern_file_implement_filesystem_reference_counting.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=16f196874fbe360a1b3c66064ec15adadf94c57b"; + excludes = [ "grub-core/fs/erofs.c" ]; # Does not exist on 2.12 + hash = "sha256-yGU//1tPaxi+xFKZrsbUAnvgFpwtrIMG+8cPbSud4+U="; + }) + (fetchpatch { + name = "23_prerequisite_1_key_protector_add_key_protectors_framework.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=5d260302da672258444b01239803c8f4d753e3f3"; + hash = "sha256-5aFHzc5qXBNLEc6yzI17AH6J7EYogcXdLxk//1QgumY="; + }) + (fetchpatch { + name = "23_prerequisite_2_disk_cryptodisk_allow_user_to_retry_failed_passphrase.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=386b59ddb42fa3f86ddfe557113b25c8fa16f88c"; + hash = "sha256-e1kGQB7wGWvEb2bY3xIpZxE1uzTt9JOKi05jXyUm+bI="; + }) + (fetchpatch { + name = "23_prerequisite_3_cryptodisk_support_key_protectors.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=ad0c52784a375cecaa8715d7deadcf5d65baf173"; + hash = "sha256-+YIvUYA3fLiOFFsXDrQjqjWFluzLa7N1tv0lwq8BqCs="; + }) + (fetchpatch { + name = "23_prerequisite_4_cryptodisk_fallback_to_passphrase.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=6abf8af3c54abc04c4ec71c75d10fcfbc190e181"; + hash = "sha256-eMu9rW4iJucDAsTQMJD1XE6dDIcUmn02cGqIaqBbO3o="; + }) + (fetchpatch { + name = "23_prerequisite_5_cryptodisk_wipe_out_the_cached_keys_from_protectors.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=b35480b48e6f9506d8b7ad8a3b5206d29c24ea95"; + hash = "sha256-5L6Rr+X5Z+Ip91z8cpLcatDW1vyEoZa1icL2oMXPXuI="; + }) + (fetchpatch { + name = "23_prerequisite_6_cli_lock_add_build_option_to_block_command_line_interface.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=bb65d81fe320e4b20d0a9b32232a7546eb275ecc"; + hash = "sha256-HxXgtvEhtaIjXbOcxJHNpD9/NVOv3uXPnue7cagEMu8="; + }) + # (fetchpatch { + # name = "23_CVE-2024-49504.patch"; + # url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=13febd78db3cd85dcba67d8ad03ad4d42815f11e"; + # hash = "sha256-U7lNUb4iVAyQ1yEg5ECHCQGE51tKvY13T9Ji09Q1W9Y="; + # }) + (fetchpatch { + name = "24_disk_loopback_reference_tracking_for_the_loopback.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=67f70f70a36b6e87a65f928fe1e840a12eafb7ae"; + hash = "sha256-sWBnSF3rAuY1A/IIK1Pc+BqTvyK3j7+lLEhvImtBQMA="; + }) + (fetchpatch { + name = "25_kern_disk_limit_recursion_depth.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=18212f0648b6de7d71d4c8f41eb4d8b78b3a299b"; + hash = "sha256-HiVzXUNs45Fxh4DSqO8wAxSBM7CaYU/bix0PVBcIHGw="; + }) + (fetchpatch { + name = "26_kern_partition_limit_recursion_in_part_iterate.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=8a7103fddfd6664f41081f3bb88eebbf2871da2a"; + hash = "sha256-Nw1VFRVww1VSDSBkRrnTGeaA2PKCitugM12XH6X/2YI="; + }) + (fetchpatch { + name = "27_script_execute_limit_the_recursion_depth.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=d8a937ccae5c6d86dc4375698afca5cefdcd01e1"; + hash = "sha256-YOAdPMZ2iBNMzIwAXFkkyTMKh4ptZUQ0J3v9EjnRlbo="; + }) + (fetchpatch { + name = "28_net_unregister_net_default_ip_and_net_default_mac_variables_hooks_on_unload.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=a1dd8e59da26f1a9608381d3a1a6c0f465282b1d"; + hash = "sha256-7fqdkhFqLECzhz1OLavkHrE9ktDAEmx9ZxZayNr/Eo4="; + }) + (fetchpatch { + name = "29_net_remove_variables_hooks_when_interface_is_unregisted.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=aa8b4d7facef7b75a2703274b1b9d4e0e734c401"; + hash = "sha256-m3VLDbJlwchV5meEpU4LJrDxBtA80qvYcVMJinHLnac="; + }) + (fetchpatch { + name = "30_CVE-2025-0624.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=5eef88152833062a3f7e017535372d64ac8ef7e1"; + hash = "sha256-DvhzHnenAmO9SZpi4kU+0GhyKZB4q4xQYuNJgEhJmn0="; + }) + (fetchpatch { + name = "31_net_tftp_fix_stack_buffer_overflow_in_tftp_open.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=0707accab1b9be5d3645d4700dde3f99209f9367"; + hash = "sha256-16NrpWFSE4jFT2uxmJg16jChw8HiGRTol25XQXNQ5l4="; + }) + (fetchpatch { + name = "32_CVE-2024-45774.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=2c34af908ebf4856051ed29e46d88abd2b20387f"; + hash = "sha256-OWmF+fp2TmetQjV4EWMcESW8u52Okkb5C5IPLfczyv4="; + }) + (fetchpatch { + name = "33_kern_dl_fix_for_an_integer_overflow_in_grub_dl_ref.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=500e5fdd82ca40412b0b73f5e5dda38e4a3af96d"; + hash = "sha256-FNqOWo+oZ4/1sCbTi2uaeKchUxwAKXtbzhScezm0yxk="; + }) + # Patch 34 (https://git.savannah.gnu.org/cgit/grub.git/patch/?id=d72208423dcabf9eb4a3bcb17b6b31888396bd49) + # is skipped, grub_dl_set_mem_attrs() does not exist on 2.12 + (fetchpatch { + name = "35_kern_dl_check_for_the_SHF_INFO_LINK_flag_in_grub_dl_relocate_symbols.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=98ad84328dcabfa603dcf5bd217570aa6b4bdd99"; + hash = "sha256-Zi4Pj2NbodL0VhhO5MWhvErb8xmA7Li0ur0MxpgQjzg="; + }) + (fetchpatch { + name = "36_CVE-2024-45775.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=05be856a8c3aae41f5df90cab7796ab7ee34b872"; + hash = "sha256-T6DO8iuImQTP7hPaCAHMtFnheQoCkZ6w+kfNolLPmrY="; + }) + (fetchpatch { + name = "37_commands_ls_fix_NULL_dereference.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=0bf56bce47489c059e50e61a3db7f682d8c44b56"; + hash = "sha256-h5okwqv4ZFahP3ANUbsk1fiSV4pwEnxUExeBgQ4tiTI="; + }) + (fetchpatch { + name = "38_CVE-2025-0622.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=2123c5bca7e21fbeb0263df4597ddd7054700726"; + hash = "sha256-tFE7VgImGZWDICyvHbrI1hqW6/XohgdTmk21MzljMGw="; + }) + (fetchpatch { + name = "39_CVE-2025-0622.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=9c16197734ada8d0838407eebe081117799bfe67"; + hash = "sha256-tTeuEvadKbXVuY0m0dKtTr11Lpb3yQi4zk0bpwrMOeA="; + }) + (fetchpatch { + name = "40_CVE-2025-0622.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=7580addfc8c94cedb0cdfd7a1fd65b539215e637"; + hash = "sha256-khRLpWqE7hzzoqssVkGFMjAv09T+uHn13Q9pCpogMms="; + }) + (fetchpatch { + name = "41_CVE-2024-45776.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=09bd6eb58b0f71ec273916070fa1e2de16897a91"; + hash = "sha256-yrl/6XUdKQg/MLe8KFuFoRRbQSyOhDmyvnWBV+sr3EY="; + }) + (fetchpatch { + name = "42_CVE-2024-45777.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=b970a5ed967816bbca8225994cd0ee2557bad515"; + hash = "sha256-Vl5Emw3O3Ba2hD1GCWune4PGduDDPO0gM5u+zx/OwKo="; + }) + (fetchpatch { + name = "43_CVE-2025-0690.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=dad8f502974ed9ad0a70ae6820d17b4b142558fc"; + hash = "sha256-DeWOncndX2VM8w1lb5fd5wHAZrI+ChB5Pj9XbUIfDWY="; + }) + (fetchpatch { + name = "44_commands_test_stack_overflow_due_to_unlimited_recursion_depth.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=c68b7d23628a19da67ebe2e06f84165ee04961af"; + hash = "sha256-aputM9KqkB/cK8hBiU9VXbu0LpLNlNCMVIeE9h2pMgY="; + }) + (fetchpatch { + name = "45_CVE-2025-1118.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=34824806ac6302f91e8cabaa41308eaced25725f"; + hash = "sha256-PKQs+fCwj4a9p4hbMqAT3tFNoAOw4xnbKmCwjPUgEOc="; + }) + (fetchpatch { + name = "46_commands_memrw_disable_memory_reading_in_lockdown_mode.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=340e4d058f584534f4b90b7dbea2b64a9f8c418c"; + hash = "sha256-NiMIUnfRreDBw+k4yxUzoRNMFL8pkJhVtkINVgmv5XA="; + }) + (fetchpatch { + name = "47_commands_hexdump_disable_memory_reading_in_lockdown_mode.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=5f31164aed51f498957cdd6ed733ec71a8592c99"; + hash = "sha256-NA7QjxZ9FP+WwiOveqLkbZqsF7hULIyaVS3gNaSUXJE="; + }) + (fetchpatch { + name = "48_CVE-2024-45778_CVE-2024-45779.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=26db6605036bd9e5b16d9068a8cc75be63b8b630"; + hash = "sha256-1+ImwkF/qsejWs2lpyO6xbcqVo2NJGv32gjrP8mEPnI="; + }) + (fetchpatch { + name = "49_CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=c4bc55da28543d2522a939ba4ee0acde45f2fa74"; + hash = "sha256-qrlErSImMX8eXJHkXjOe5GZ6lWOya5SVpNoiqyEM1lE="; + }) + (fetchpatch { + name = "50_disk_use_safe_math_macros_to_prevent_overflows.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=c407724dad6c3e2fc1571e57adbda71cc03f82aa"; + hash = "sha256-kkAjxXvCdzwqh+oWtEF3qSPiUX9cGWO6eSFVeo7WJzQ="; + }) + (fetchpatch { + name = "51_disk_prevent_overflows_when_allocating_memory_for_arrays.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=d8151f98331ee4d15fcca59edffa59246d8fc15f"; + hash = "sha256-2U+gMLigOCCg3P1GB615xQ0B9PDA6j92tt1ba3Tqg+E="; + }) + (fetchpatch { + name = "52_disk_check_if_returned_pointer_for_allocated_memory_is_NULL.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=33bd6b5ac5c77b346769ab5284262f94e695e464"; + hash = "sha256-+BaJRskWP/YVEdvIxMvEydjQx2LpLlGphRtZjiOUxJ0="; + }) + (fetchpatch { + name = "53_disk_ieee1275_ofdisk_call_grub_ieee1275_close_when_grub_malloc_fails.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=fbaddcca541805c333f0fc792b82772594e73753"; + hash = "sha256-9sGA41HlB/8rtT/fMfkDo4ZJMXBSr+EyN92l/0gDfl4="; + }) + (fetchpatch { + name = "54_fs_use_safe_math_macros_to_prevent_overflows.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=6608163b08a7a8be4b0ab2a5cd4593bba07fe2b7"; + excludes = [ "grub-core/fs/erofs.c" ]; # Does not exist on 2.12 + hash = "sha256-mW4MH5VH5pDxCaFhNh/4mEcYloga56p8vCi7X4kSaek="; + }) + (fetchpatch { + name = "55_CVE-2025-0678_CVE-2025-1125.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=84bc0a9a68835952ae69165c11709811dae7634e"; + hash = "sha256-rCliqM2+k7rTGNpdHFkg3pHvuISjoG0MQr6/8lIvwK4="; + }) + (fetchpatch { + name = "56_fs_prevent_overflows_when_assigning_returned_values_from_read_number.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=cde9f7f338f8f5771777f0e7dfc423ddf952ad31"; + hash = "sha256-dN3HJXNIYtaUZL0LhLabC4VKK6CVC8km9UTw/ln/6ys="; + }) + (fetchpatch { + name = "57_fs_zfs_use_safe_math_macros_to_prevent_overflows.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=88e491a0f744c6b19b6d4caa300a576ba56db7c9"; + hash = "sha256-taSuKyCf9+TiQZcF26yMWpDDQqCfTdRuZTqB9aEz3aA="; + }) + (fetchpatch { + name = "58_fs_zfs_prevent_overflows_when_allocating_memory_for_arrays.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=7f38e32c7ebeaebb79e2c71e3c7d5ea367d3a39c"; + hash = "sha256-E5VmP7I4TAEXxTz3j7mi/uIr9kOSzMoPHAYAbyu56Xk="; + }) + (fetchpatch { + name = "59_fs_zfs_check_if_returned_pointer_for_allocated_memory_is_NULL.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=13065f69dae0eeb60813809026de5bd021051892"; + hash = "sha256-1W//rHUspDS+utdNc069J8lX1ONfoBKiJYnUt46C/D0="; + }) + (fetchpatch { + name = "60_fs_zfs_add_missing_NULL_check_after_grub_strdup_call.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=dd6a4c8d10e02ca5056681e75795041a343636e4"; + hash = "sha256-iFLEkz5G6aQ8FXGuY7/wgN4d4o0+sUxWMKYIFcQ/H+o="; + }) + (fetchpatch { + name = "61_net_use_safe_math_macros_to_prevent_overflows.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=4beeff8a31c4fb4071d2225533cfa316b5a58391"; + hash = "sha256-/gs5ZhplQ1h7PWw0p+b5+0OxmRcvDRKWHj39ezhivcg="; + }) + (fetchpatch { + name = "62_net_prevent_overflows_when_allocating_memory_for_arrays.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=dee2c14fd66bc497cdc74c69fde8c9b84637c8eb"; + hash = "sha256-cO02tCGEeQhQF0TmgtNOgUwRLnNgmxhEefo1gtSlFOk="; + }) + (fetchpatch { + name = "63_net_check_if_returned_pointer_for_allocated_memory_is_NULL.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=1c06ec900591d1fab6fbacf80dc010541d0a5ec8"; + hash = "sha256-oSRhWWVraitoVDqGlFOVzdCkaNqFGOHLjJu75CSc388="; + }) + (fetchpatch { + name = "64_fs_sfs_check_if_allocated_memory_is_NULL.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=e3c578a56f9294e286b6028ca7c1def997a17b15"; + hash = "sha256-7tvFbmjWmWmmRykQjMvZV6IYlhSS8oNR7YfaO5XXAfU="; + }) + (fetchpatch { + name = "65_script_execute_fix_potential_underflow_and_NULL.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=d13b6e8ebd10b4eb16698a002aa40258cf6e6f0e"; + hash = "sha256-paMWaAIImzxtufUrVF5v4T4KnlDAJIPhdaHznu5CyZ8="; + }) + (fetchpatch { + name = "66_osdep_unix_getroot_fix_potential_underflow.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=66733f7c7dae889861ea3ef3ec0710811486019e"; + hash = "sha256-/14HC1kcW7Sy9WfJQFfC+YnvS/GNTMP+Uy6Dxd3zkwc="; + }) + (fetchpatch { + name = "67_misc_ensure_consistent_overflow_error_messages.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=f8795cde217e21539c2f236bcbb1a4bf521086b3"; + hash = "sha256-4X7wr1Tg16xDE9FO6NTlgkfLV5zFKmajeaOspIqcCuI="; + }) + (fetchpatch { + name = "68_bus_usb_ehci_define_GRUB_EHCI_TOGGLE_as_grub_uint32_t.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=9907d9c2723304b42cf6da74f1cc6c4601391956"; + hash = "sha256-D8xaI8g7ffGGmZqqeS8wxWIFLUWUBfmHwMVOHkYTc2I="; + }) + (fetchpatch { + name = "69_normal_menu_use_safe_math_to_avoid_an_integer_overflow.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=5b36a5210e21bee2624f8acc36aefd8f10266adb"; + hash = "sha256-UourmM0Zlaj4o+SnYi5AtjfNujDOt+2ez2XH/uWyiaM="; + }) + (fetchpatch { + name = "70_kern_partition_add_sanity_check_after_grub_strtoul_call.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=8e6e87e7923ca2ae880021cb42a35cc9bb4c8fe2"; + hash = "sha256-4keMUu6ZDKmuSQlFnldV15dDGUibsnSvoEWhLsqWieI="; + }) + (fetchpatch { + name = "71_kern_misc_add_sanity_check_after_grub_strtoul_call.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=a8d6b06331a75d75b46f3dd6cc6fcd40dcf604b7"; + hash = "sha256-2Mpe1sqyuoUPyMAKGZTNzG/ig3G3K8w0gia7lc508Rg="; + }) + (fetchpatch { + name = "72_loader_i386_linux_cast_left_shift_to_grub_uint32_t.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=490a6ab71cebd96fae7a1ceb9067484f5ccbec2a"; + hash = "sha256-e49OC1EBaX0/nWTTXT5xE5apTJPQV0myP5Ohxn9Wwa8="; + }) + (fetchpatch { + name = "73_loader_i386_bsd_use_safe_math_to_avoid_underflow.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=4dc6166571645780c459dde2cdc1b001a5ec844c"; + hash = "sha256-e8X+oBvejcFNOY1Tp/f6QqCDwrgK7f9u1F8SdO/dhy4="; + }) + (fetchpatch { + # Fixes 7e2f750f0a (security patch 14/73) + name = "fs_ext2_rework_out-of-bounds_read_for_inline_and_external_extents.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=348cd416a3574348f4255bf2b04ec95938990997"; + hash = "sha256-WBLYQxv8si2tvdPAvbm0/4NNqYWBMJpFV4GC0HhN/kE="; + }) + ]; + + postPatch = + if kbdcompSupport then + '' + sed -i util/grub-kbdcomp.in -e 's@\bckbcomp\b@${ckbcomp}/bin/ckbcomp@' + '' + else + '' + echo '#! ${runtimeShell}' > util/grub-kbdcomp.in + echo 'echo "Compile grub2 with { kbdcompSupport = true; } to enable support for this command."' >> util/grub-kbdcomp.in + ''; + + depsBuildBuild = [ buildPackages.stdenv.cc ]; + nativeBuildInputs = [ + bison + flex + python3 + pkg-config + gettext + freetype + autoconf + automake + help2man + ]; + buildInputs = [ + ncurses + libusb-compat-0_1 + freetype + lvm2 + fuse + libtool + bash + ] + ++ lib.optional doCheck qemu + ++ lib.optional zfsSupport zfs; + + strictDeps = true; + + hardeningDisable = [ "all" ]; + + separateDebugInfo = !xenSupport; + + preConfigure = '' + for i in "tests/util/"*.in + do + sed -i "$i" -e's|/bin/bash|${stdenv.shell}|g' + done + + # Apparently, the QEMU executable is no longer called + # `qemu-system-i386', even on i386. + # + # In addition, use `-nodefaults' to avoid errors like: + # + # chardev: opening backend "stdio" failed + # qemu: could not open serial device 'stdio': Invalid argument + # + # See . + sed -i "tests/util/grub-shell.in" \ + -e's/qemu-system-i386/qemu-system-x86_64 -nodefaults/g' + + unset CPP # setting CPP intereferes with dependency calculation + + patchShebangs . + + GNULIB_REVISION=$(. bootstrap.conf; echo $GNULIB_REVISION) + if [ "$GNULIB_REVISION" != ${gnulib.rev} ]; then + echo "This version of GRUB requires a different gnulib revision!" + echo "We have: ${gnulib.rev}" + echo "GRUB needs: $GNULIB_REVISION" + exit 1 + fi + + cp -f --no-preserve=mode ${locales}/po/LINGUAS ${locales}/po/*.po po + + ./bootstrap --no-git --gnulib-srcdir=${gnulib} + + substituteInPlace ./configure --replace '/usr/share/fonts/unifont' '${unifont}/share/fonts' + ''; + + postConfigure = '' + # make sure .po files are up to date to workaround + # parallel `msgmerge --update` on autogenerated .po files: + # https://github.com/NixOS/nixpkgs/pull/248747#issuecomment-1676301670 + make dist + ''; + + configureFlags = [ + "--enable-grub-mount" # dep of os-prober + ] + ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [ + # grub doesn't do cross-compilation as usual and tries to use unprefixed + # tools to target the host. Provide toolchain information explicitly for + # cross builds. + # + # Ref: # https://github.com/buildroot/buildroot/blob/master/boot/grub2/grub2.mk#L108 + "TARGET_CC=${stdenv.cc.targetPrefix}cc" + "TARGET_NM=${stdenv.cc.targetPrefix}nm" + "TARGET_OBJCOPY=${stdenv.cc.targetPrefix}objcopy" + "TARGET_RANLIB=${stdenv.cc.targetPrefix}ranlib" + "TARGET_STRIP=${stdenv.cc.targetPrefix}strip" + ] + ++ lib.optional zfsSupport "--enable-libzfs" + ++ lib.optionals efiSupport [ + "--with-platform=efi" + "--target=${efiSystemsBuild.${stdenv.hostPlatform.system}.target}" + "--program-prefix=" + ] + ++ lib.optionals xenSupport [ + "--with-platform=xen" + "--target=${xenSystemsBuild.${stdenv.hostPlatform.system}.target}" + ] + ++ lib.optionals xenPvhSupport [ + "--with-platform=xen_pvh" + "--target=${xenPvhSystemsBuild.${stdenv.hostPlatform.system}.target}" + ]; + + # save target that grub is compiled for + grubTarget = + if efiSupport then + "${efiSystemsInstall.${stdenv.hostPlatform.system}.target}-efi" + else + lib.optionalString inPCSystems "${pcSystems.${stdenv.hostPlatform.system}.target}-pc"; + + doCheck = false; + enableParallelBuilding = true; + + postInstall = '' + # Avoid a runtime reference to gcc + sed -i $out/lib/grub/*/modinfo.sh -e "/grub_target_cppflags=/ s|'.*'|' '|" + # just adding bash to buildInputs wasn't enough to fix the shebang + substituteInPlace $out/lib/grub/*/modinfo.sh \ + --replace ${buildPackages.bash} "/usr/bin/bash" + ''; + + passthru.tests = { + nixos-grub = nixosTests.grub; + nixos-install-simple = nixosTests.installer.simple; + nixos-install-grub-uefi = nixosTests.installer.simpleUefiGrub; + nixos-install-grub-uefi-spec = nixosTests.installer.simpleUefiGrubSpecialisation; + }; + + meta = with lib; { + description = "GNU GRUB, the Grand Unified Boot Loader"; + + longDescription = '' + GNU GRUB is a Multiboot boot loader. It was derived from GRUB, GRand + Unified Bootloader, which was originally designed and implemented by + Erich Stefan Boleyn. + + Briefly, the boot loader is the first software program that runs when a + computer starts. It is responsible for loading and transferring + control to the operating system kernel software (such as the Hurd or + the Linux). The kernel, in turn, initializes the rest of the + operating system (e.g., GNU). + ''; + + homepage = "https://www.gnu.org/software/grub/"; + + license = licenses.gpl3Plus; + + platforms = + if efiSupport then + lib.attrNames efiSystemsBuild + else if xenSupport then + lib.attrNames xenSystemsBuild + else if xenPvhSupport then + lib.attrNames xenPvhSystemsBuild + else + platforms.gnu ++ platforms.linux; + + maintainers = [ ]; + }; +} diff --git a/nix/configuration/package/grub/fix-bash-completion.patch b/nix/configuration/package/grub/fix-bash-completion.patch new file mode 100644 index 0000000..97cecdc --- /dev/null +++ b/nix/configuration/package/grub/fix-bash-completion.patch @@ -0,0 +1,24 @@ +diff -ubr grub-2.00-orig/util/bash-completion.d/grub-completion.bash.in grub-2.00/util/bash-completion.d/grub-completion.bash.in +--- grub-2.00-orig/util/bash-completion.d/grub-completion.bash.in 2012-10-16 19:02:36.342733957 +0200 ++++ grub-2.00/util/bash-completion.d/grub-completion.bash.in 2012-10-16 19:04:48.262733941 +0200 +@@ -17,6 +17,12 @@ + # along with GRUB. If not, see . + # bash completion for grub + ++have() ++{ ++ unset -v have ++ _have $1 && have=yes ++} ++ + __grub_dir() { + local i c=1 boot_dir + +@@ -479,6 +485,7 @@ + have ${__grub_script_check_program} && \ + complete -F _grub_script_check -o filenames ${__grub_script_check_program} + ++unset -f have + + # Local variables: + # mode: shell-script diff --git a/nix/configuration/roles/git/default.nix b/nix/configuration/roles/git/default.nix index 0527452..bbaa8f6 100644 --- a/nix/configuration/roles/git/default.nix +++ b/nix/configuration/roles/git/default.nix @@ -54,23 +54,17 @@ in nixpkgs.overlays = [ (final: prev: { my_git = ( - pkgs.buildEnv { - name = prev.git.name; - version = prev.git.version; + pkgs.symlinkJoin { + name = final.git.name; + version = final.git.version; paths = - (builtins.map (git_wrapped prev.git) [ + (builtins.map (git_wrapped final.git) [ "git" ]) ++ [ - prev.git + final.git ]; - extraOutputsToInstall = [ - "man" - "doc" - "info" - ]; nativeBuildInputs = [ final.makeWrapper ]; - ignoreCollisions = true; } ); }) @@ -79,7 +73,7 @@ in (lib.mkIf (!config.me.graphical) { nixpkgs.overlays = [ (final: prev: { - my_git = prev.git; + my_git = final.git; }) ]; }) diff --git a/nix/configuration/roles/recovery/default.nix b/nix/configuration/roles/recovery/default.nix new file mode 100644 index 0000000..4ecc476 --- /dev/null +++ b/nix/configuration/roles/recovery/default.nix @@ -0,0 +1,34 @@ +{ + config, + lib, + pkgs, + ... +}: + +{ + imports = [ ]; + + options.me = { + recovery.enable = lib.mkOption { + type = lib.types.bool; + default = false; + example = true; + description = "Whether we want to install recovery."; + }; + }; + + config = lib.mkIf config.me.recovery.enable ( + lib.mkMerge [ + { + environment.systemPackages = with pkgs; [ + ddrescue + ]; + } + (lib.mkIf config.me.graphical { + environment.systemPackages = with pkgs; [ + ddrescueview + ]; + }) + ] + ); +}