talexander/machine_setup
1
0
Fork 0
Code Issues Pull Requests Releases Activity

Add a config for the disc recovery machine.

Browse Source
This commit is contained in:
Tom Alexander 2025-10-25 15:00:14 -04:00
parent 2f05b9e600
commit 24b089a313
Signed by: talexander
GPG Key ID: 36C99E8B3C39D85F
21 changed files with 1373 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
nix/configuration/configuration.nix
View File

@ -57,6 +57,7 @@
./roles/podman
./roles/python
./roles/qemu
./roles/recovery
./roles/reset
./roles/rpcs3
./roles/rust
@ -147,21 +148,37 @@
# })
# ];
nixpkgs.overlays = [
(final: prev: {
imagemagick = prev.imagemagick.overrideAttrs (old: rec {
# 7.1.2-6 seems to no longer exist, so use 7.1.2-7
version = "7.1.2-7";
nixpkgs.overlays =
let
disableTests = (
package_name:
(final: prev: {
"${package_name}" = prev."${package_name}".overrideAttrs (old: {
doCheck = false;
doInstallCheck = false;
});
})
);
in
[
(final: prev: {
imagemagick = prev.imagemagick.overrideAttrs (old: rec {
# 7.1.2-6 seems to no longer exist, so use 7.1.2-7
version = "7.1.2-7";
src = final.fetchFromGitHub {
owner = "ImageMagick";
repo = "ImageMagick";
tag = version;
hash = "sha256-9ARCYftoXiilpJoj+Y+aLCEqLmhHFYSrHfgA5DQHbGo=";
};
});
})
];
src = final.fetchFromGitHub {
owner = "ImageMagick";
repo = "ImageMagick";
tag = version;
hash = "sha256-9ARCYftoXiilpJoj+Y+aLCEqLmhHFYSrHfgA5DQHbGo=";
};
});
})
(final: prev: {
grub2 = (final.callPackage ./package/grub { });
})
(disableTests "git")
];
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.

3
nix/configuration/flake.nix
View File

@ -48,6 +48,9 @@
quark = {
system = "x86_64-linux";
};
recovery = {
system = "x86_64-linux";
};
};
nixosConfigs = builtins.mapAttrs (
hostname: nodeConfig: format:

1
nix/configuration/hosts/odo/default.nix
View File

@ -105,6 +105,7 @@
me.podman.enable = true;
me.python.enable = true;
me.qemu.enable = true;
me.recovery.enable = true;
me.rpcs3.enable = true;
me.rust.enable = true;
me.sequoia.enable = true;

1
nix/configuration/hosts/quark/default.nix
View File

@ -100,6 +100,7 @@
me.podman.enable = true;
me.python.enable = true;
me.qemu.enable = true;
me.recovery.enable = true;
me.rpcs3.enable = true;
me.rust.enable = true;
me.sequoia.enable = true;

13
nix/configuration/hosts/recovery/DEPLOY_BOOT Executable file
View File

@ -0,0 +1,13 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
TARGET=recovery
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#recovery" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

13
nix/configuration/hosts/recovery/DEPLOY_SWITCH Executable file
View File

@ -0,0 +1,13 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
TARGET=recovery
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#recovery" --target-host "$TARGET" --build-host "$TARGET" --fast --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

10
nix/configuration/hosts/recovery/ISO Executable file
View File

@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#recovery.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

10
nix/configuration/hosts/recovery/SELF_BOOT Executable file
View File

@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --log-format internal-json -v "${@}" |& nom --json

10
nix/configuration/hosts/recovery/SELF_BUILD Executable file
View File

@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --log-format internal-json -v "${@}" |& nom --json

10
nix/configuration/hosts/recovery/SELF_SWITCH Executable file
View File

@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#recovery" --log-format internal-json -v "${@}" |& nom --json

57
nix/configuration/hosts/recovery/default.nix Normal file
View File

@ -0,0 +1,57 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [
./hardware-configuration.nix
./wrapped-disk-config.nix
./distributed_build.nix
./power_management.nix
];
config = {
# Generate with `head -c4 /dev/urandom | od -A none -t x4`
networking.hostId = "46b62d92";
networking.hostName = "recovery"; # Define your hostname.
time.timeZone = "America/New_York";
i18n.defaultLocale = "en_US.UTF-8";
me.boot.secure = true;
me.mountPersistence = true;
me.optimizations = {
enable = true;
arch = "kabylake";
# build_arch = "x86-64-v3";
system_features = [
"gccarch-kabylake"
"gccarch-x86-64-v3"
"benchmark"
"big-parallel"
"kvm"
"nixos-test"
];
};
# Early KMS
# boot.initrd.kernelModules = [ "amdgpu" ];
# Mount tmpfs at /tmp
boot.tmp.useTmpfs = true;
# Enable TRIM
# services.fstrim.enable = lib.mkDefault true;
me.recovery.enable = true;
me.ssh.enable = true;
me.sshd.enable = true;
me.user.enable = true;
me.zfs.enable = true;
me.zrepl.enable = true;
};
}

142
nix/configuration/hosts/recovery/disk-config.nix Normal file
View File

@ -0,0 +1,142 @@
# Manual Step:
# Check if drive supports 4kn: nvme id-ns -H /dev/nvme0n1
# Format the drive to 4kn: nvme format --lbaf=1 /dev/nvme0n1
{
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/nvme0n1";
content = {
type = "gpt";
partitions = {
ESP = {
size = "1G";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [
"umask=0077"
"noatime"
"discard"
];
};
};
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
};
zpool = {
zroot = {
type = "zpool";
# mode = "mirror";
# Workaround: cannot import 'zroot': I/O error in disko tests
options.cachefile = "none";
options = {
ashift = "12";
compatibility = "openzfs-2.2-freebsd";
autotrim = "on";
};
rootFsOptions = {
acltype = "posixacl";
atime = "off";
relatime = "off";
xattr = "sa";
mountpoint = "none";
compression = "lz4";
canmount = "off";
utf8only = "on";
dnodesize = "auto";
normalization = "formD";
};
datasets = {
"linux/nix" = {
type = "zfs_fs";
options.mountpoint = "none";
options = {
# encryption = "aes-256-gcm";
# keyformat = "passphrase";
# keylocation = "file:///tmp/secret.key";
};
};
"linux/nix/root" = {
type = "zfs_fs";
options.mountpoint = "legacy";
mountpoint = "/";
postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/root@blank$' || zfs snapshot zroot/linux/nix/root@blank";
};
"linux/nix/nix" = {
type = "zfs_fs";
options.mountpoint = "legacy";
mountpoint = "/nix";
postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/nix@blank$' || zfs snapshot zroot/linux/nix/nix@blank";
options = {
recordsize = "16MiB";
compression = "zstd-19";
};
};
"linux/nix/home" = {
type = "zfs_fs";
options.mountpoint = "legacy";
mountpoint = "/home";
postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/home@blank$' || zfs snapshot zroot/linux/nix/home@blank";
};
"linux/nix/persist" = {
type = "zfs_fs";
options.mountpoint = "legacy";
mountpoint = "/persist";
postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/persist@blank$' || zfs snapshot zroot/linux/nix/persist@blank";
};
"linux/nix/state" = {
type = "zfs_fs";
options.mountpoint = "legacy";
mountpoint = "/state";
postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot/linux/nix/state@blank$' || zfs snapshot zroot/linux/nix/state@blank";
};
};
};
};
};
# Make sure all persistent volumes are marked as neededForBoot
#
# Also mounts /home so it is mounted before the user home directories are created.
fileSystems."/persist".neededForBoot = true;
fileSystems."/state".neededForBoot = true;
fileSystems."/home".neededForBoot = true;
fileSystems."/".options = [
"noatime"
"norelatime"
];
fileSystems."/nix".options = [
"noatime"
"norelatime"
];
fileSystems."/persist".options = [
"noatime"
"norelatime"
];
fileSystems."/state".options = [
"noatime"
"norelatime"
];
fileSystems."/home".options = [
"noatime"
"norelatime"
];
# Only attempt to decrypt the main pool. Otherwise it attempts to decrypt pools that aren't even used.
# boot.zfs.requestEncryptionCredentials = [ "zroot/linux/nix" ];
}

19
nix/configuration/hosts/recovery/distributed_build.nix Normal file
View File

@ -0,0 +1,19 @@
{
imports = [ ];
config = {
me.distributed_build.enable = true;
me.distributed_build.machines.hydra = {
enable = true;
additional_config = {
speedFactor = 2;
};
};
me.distributed_build.machines.quark = {
enable = true;
additional_config = {
speedFactor = 2;
};
};
};
}

34
nix/configuration/hosts/recovery/hardware-configuration.nix Normal file
View File

@ -0,0 +1,34 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
config = {
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"thunderbolt"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
};
}

63
nix/configuration/hosts/recovery/power_management.nix Normal file
View File

@ -0,0 +1,63 @@
{
pkgs,
...
}:
{
imports = [ ];
config = {
environment.systemPackages = with pkgs; [
powertop
];
# pcie_aspm=force pcie_aspm.policy=powersupersave :: Enable PCIe active state power management for power reduction.
# nowatchdog :: Disable watchdog for power savings (related to disable_sp5100_watchdog above).
boot.kernelParams = [
"pcie_aspm=force"
# "pcie_aspm.policy=powersupersave"
"nowatchdog"
];
systemd.tmpfiles.rules = [
"w- /sys/firmware/acpi/platform_profile - - - - low-power"
"w- /sys/devices/system/cpu/cpufreq/policy0/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy1/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy2/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy3/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy4/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy5/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy6/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy7/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy8/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy9/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy10/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy11/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy12/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy13/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy14/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpufreq/policy15/energy_performance_preference - - - - power"
"w- /sys/devices/system/cpu/cpu0/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu1/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu2/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu3/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu4/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu5/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu6/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu7/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu8/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu9/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu10/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu11/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu12/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu13/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu14/cpufreq/boost - - - - 0"
"w- /sys/devices/system/cpu/cpu15/cpufreq/boost - - - - 0"
];
boot.extraModprobeConfig = ''
# Sound power-saving was causing chat notifications to be inaudible.
# options snd_hda_intel power_save=1
'';
};
}

7
nix/configuration/hosts/recovery/wrapped-disk-config.nix Normal file
View File

@ -0,0 +1,7 @@
{
config,
lib,
...
}:
lib.mkIf (!config.me.buildingPortable) (import ./disk-config.nix)

204
nix/configuration/package/grub/add-hidden-menu-entries.patch Normal file
View File

@ -0,0 +1,204 @@
diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c
index e9e9d94ef..54e08a1b4 100644
--- a/grub-core/commands/legacycfg.c
+++ b/grub-core/commands/legacycfg.c
@@ -143,7 +143,7 @@ legacy_file (const char *filename)
args[0] = oldname;
grub_normal_add_menu_entry (1, args, NULL, NULL, "legacy",
NULL, NULL,
- entrysrc, 0);
+ entrysrc, 0, 0);
grub_free (args);
entrysrc[0] = 0;
grub_free (oldname);
@@ -205,7 +205,7 @@ legacy_file (const char *filename)
}
args[0] = entryname;
grub_normal_add_menu_entry (1, args, NULL, NULL, NULL,
- NULL, NULL, entrysrc, 0);
+ NULL, NULL, entrysrc, 0, 0);
grub_free (args);
}
diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c
index 720e6d8ea..50632ccce 100644
--- a/grub-core/commands/menuentry.c
+++ b/grub-core/commands/menuentry.c
@@ -78,7 +78,7 @@ grub_normal_add_menu_entry (int argc, const char **args,
char **classes, const char *id,
const char *users, const char *hotkey,
const char *prefix, const char *sourcecode,
- int submenu)
+ int submenu, int hidden)
{
int menu_hotkey = 0;
char **menu_args = NULL;
@@ -188,8 +188,11 @@ grub_normal_add_menu_entry (int argc, const char **args,
(*last)->args = menu_args;
(*last)->sourcecode = menu_sourcecode;
(*last)->submenu = submenu;
+ (*last)->hidden = hidden;
+
+ if (!hidden)
+ menu->size++;
- menu->size++;
return GRUB_ERR_NONE;
fail:
@@ -286,7 +289,8 @@ grub_cmd_menuentry (grub_extcmd_context_t ctxt, int argc, char **args)
users,
ctxt->state[2].arg, 0,
ctxt->state[3].arg,
- ctxt->extcmd->cmd->name[0] == 's');
+ ctxt->extcmd->cmd->name[0] == 's',
+ ctxt->extcmd->cmd->name[0] == 'h');
src = args[argc - 1];
args[argc - 1] = NULL;
@@ -303,7 +307,8 @@ grub_cmd_menuentry (grub_extcmd_context_t ctxt, int argc, char **args)
ctxt->state[0].args, ctxt->state[4].arg,
users,
ctxt->state[2].arg, prefix, src + 1,
- ctxt->extcmd->cmd->name[0] == 's');
+ ctxt->extcmd->cmd->name[0] == 's',
+ ctxt->extcmd->cmd->name[0] == 'h');
src[len - 1] = ch;
args[argc - 1] = src;
@@ -311,7 +316,7 @@ grub_cmd_menuentry (grub_extcmd_context_t ctxt, int argc, char **args)
return r;
}
-static grub_extcmd_t cmd, cmd_sub;
+static grub_extcmd_t cmd, cmd_sub, cmd_hidden;
void
grub_menu_init (void)
@@ -327,6 +332,12 @@ grub_menu_init (void)
| GRUB_COMMAND_FLAG_EXTRACTOR,
N_("BLOCK"), N_("Define a submenu."),
options);
+ cmd_hidden = grub_register_extcmd ("hiddenentry", grub_cmd_menuentry,
+ GRUB_COMMAND_FLAG_BLOCKS
+ | GRUB_COMMAND_ACCEPT_DASH
+ | GRUB_COMMAND_FLAG_EXTRACTOR,
+ N_("BLOCK"), N_("Define a hidden menu entry."),
+ options);
}
void
diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c
index 6a90e091f..4236f55bc 100644
--- a/grub-core/normal/menu.c
+++ b/grub-core/normal/menu.c
@@ -37,6 +37,8 @@
entry failing to boot. */
#define DEFAULT_ENTRY_ERROR_DELAY_MS 2500
+#define MENU_INCLUDE_HIDDEN 0x10000
+
grub_err_t (*grub_gfxmenu_try_hook) (int entry, grub_menu_t menu,
int nested) = NULL;
@@ -80,8 +82,20 @@ grub_menu_get_entry (grub_menu_t menu, int no)
{
grub_menu_entry_t e;
- for (e = menu->entry_list; e && no > 0; e = e->next, no--)
- ;
+ if (no & MENU_INCLUDE_HIDDEN) {
+ no &= ~MENU_INCLUDE_HIDDEN;
+
+ for (e = menu->entry_list; e && no > 0; e = e->next, no--)
+ ;
+ } else {
+ for (e = menu->entry_list; e && no > 0; e = e->next, no--) {
+ /* Skip hidden entries */
+ while (e && e->hidden)
+ e = e->next;
+ }
+ while (e && e->hidden)
+ e = e->next;
+ }
return e;
}
@@ -93,10 +107,10 @@ get_entry_index_by_hotkey (grub_menu_t menu, int hotkey)
grub_menu_entry_t entry;
int i;
- for (i = 0, entry = menu->entry_list; i < menu->size;
+ for (i = 0, entry = menu->entry_list; entry;
i++, entry = entry->next)
if (entry->hotkey == hotkey)
- return i;
+ return i | MENU_INCLUDE_HIDDEN;
return -1;
}
@@ -509,6 +523,10 @@ get_entry_number (grub_menu_t menu, const char *name)
grub_menu_entry_t e = menu->entry_list;
int i;
+ /* Skip hidden entries */
+ while (e && e->hidden)
+ e = e->next;
+
grub_errno = GRUB_ERR_NONE;
for (i = 0; e; i++)
@@ -520,6 +538,10 @@ get_entry_number (grub_menu_t menu, const char *name)
break;
}
e = e->next;
+
+ /* Skip hidden entries */
+ while (e && e->hidden)
+ e = e->next;
}
if (! e)
diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c
index b1321eb26..d2e46cac8 100644
--- a/grub-core/normal/menu_text.c
+++ b/grub-core/normal/menu_text.c
@@ -289,7 +289,11 @@ print_entries (grub_menu_t menu, const struct menu_viewer_data *data)
print_entry (data->geo.first_entry_y + i, data->offset == i,
e, data);
if (e)
- e = e->next;
+ e = e->next;
+
+ /* Skip hidden entries */
+ while (e && e->hidden)
+ e = e->next;
}
grub_term_gotoxy (data->term,
diff --git a/include/grub/menu.h b/include/grub/menu.h
index ee2b5e910..eb8a86ba9 100644
--- a/include/grub/menu.h
+++ b/include/grub/menu.h
@@ -58,6 +58,8 @@ struct grub_menu_entry
int submenu;
+ int hidden;
+
/* The next element. */
struct grub_menu_entry *next;
};
diff --git a/include/grub/normal.h b/include/grub/normal.h
index 218cbabcc..bcb412466 100644
--- a/include/grub/normal.h
+++ b/include/grub/normal.h
@@ -145,7 +145,7 @@ grub_normal_add_menu_entry (int argc, const char **args, char **classes,
const char *id,
const char *users, const char *hotkey,
const char *prefix, const char *sourcecode,
- int submenu);
+ int submenu, int hidden);
grub_err_t
grub_normal_set_password (const char *user, const char *password);

681
nix/configuration/package/grub/default.nix Normal file
View File

@ -0,0 +1,681 @@
{
lib,
stdenv,
fetchgit,
flex,
bison,
python3,
autoconf,
automake,
libtool,
bash,
gettext,
ncurses,
libusb-compat-0_1,
freetype,
qemu,
lvm2,
unifont,
pkg-config,
help2man,
fetchzip,
fetchpatch,
buildPackages,
nixosTests,
fuse, # only needed for grub-mount
runtimeShell,
zfs ? null,
efiSupport ? false,
zfsSupport ? false,
xenSupport ? false,
xenPvhSupport ? false,
kbdcompSupport ? false,
ckbcomp,
}:
let
pcSystems = {
i686-linux.target = "i386";
x86_64-linux.target = "i386";
};
efiSystemsBuild = {
i686-linux.target = "i386";
x86_64-linux.target = "x86_64";
armv7l-linux.target = "arm";
aarch64-linux.target = "aarch64";
loongarch64-linux.target = "loongarch64";
riscv32-linux.target = "riscv32";
riscv64-linux.target = "riscv64";
};
# For aarch64, we need to use '--target=aarch64-efi' when building,
# but '--target=arm64-efi' when installing. Insanity!
efiSystemsInstall = {
i686-linux.target = "i386";
x86_64-linux.target = "x86_64";
armv7l-linux.target = "arm";
aarch64-linux.target = "arm64";
loongarch64-linux.target = "loongarch64";
riscv32-linux.target = "riscv32";
riscv64-linux.target = "riscv64";
};
xenSystemsBuild = {
i686-linux.target = "i386";
x86_64-linux.target = "x86_64";
};
xenPvhSystemsBuild = {
i686-linux.target = "i386";
x86_64-linux.target = "i386"; # Xen PVH is only i386 on x86.
};
inPCSystems = lib.any (system: stdenv.hostPlatform.system == system) (lib.attrNames pcSystems);
gnulib = fetchgit {
url = "https://git.savannah.gnu.org/git/gnulib.git";
# NOTE: keep in sync with bootstrap.conf!
rev = "9f48fb992a3d7e96610c4ce8be969cff2d61a01b";
hash = "sha256-mzbF66SNqcSlI+xmjpKpNMwzi13yEWoc1Fl7p4snTto=";
};
# The locales are fetched from translationproject.org at build time,
# but those translations are not versioned/stable. For that reason
# we take them from the nearest release tarball instead:
locales = fetchzip {
url = "https://ftp.gnu.org/gnu/grub/grub-2.12.tar.gz";
hash = "sha256-IoRiJHNQ58y0UhCAD0CrpFiI8Mz1upzAtyh5K4Njh/w=";
};
in
assert zfsSupport -> zfs != null;
assert !(efiSupport && (xenSupport || xenPvhSupport));
assert !(xenSupport && xenPvhSupport);
stdenv.mkDerivation rec {
pname = "grub";
version = "2.12";
src = fetchgit {
url = "https://git.savannah.gnu.org/git/grub.git";
tag = "grub-${version}";
hash = "sha256-lathsBb2f7urh8R86ihpTdwo3h1hAHnRiHd5gCLVpBc=";
};
patches = [
./fix-bash-completion.patch
./add-hidden-menu-entries.patch
# https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html
(fetchpatch {
name = "01_implement_grub_strlcpy.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=ea703528a8581a2ea7e0bad424a70fdf0aec7d8f";
hash = "sha256-MSMgu1vMG83HRImUUsTyA1YQaIhgEreGGPd+ZDWSI2I=";
})
(fetchpatch {
name = "02_CVE-2024-45781.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=c1a291b01f4f1dcd6a22b61f1c81a45a966d16ba";
hash = "sha256-q8ErK+cQzaqwSuhLRFL3AfYBkpgJq1IQmadnlmlz2yw=";
})
(fetchpatch {
name = "03_CVE-2024-45782_CVE-2024-56737.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=417547c10410b714e43f08f74137c24015f8f4c3";
hash = "sha256-mRinw27WZ2d1grzyzFGO18yXx72UVBM6Lf5cR8XJfs8=";
})
(fetchpatch {
name = "04_fs_tar_initialize_name_in_grub_cpio_find_file.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=2c8ac08c99466c0697f704242363fc687f492a0d";
hash = "sha256-EMGF0B+Fw6tSmllWUJAp1ynzWk+w2C/XM1LmXSReHWg=";
})
(fetchpatch {
name = "05_CVE-2024-45780.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=0087bc6902182fe5cedce2d034c75a79cf6dd4f3";
hash = "sha256-IlW5i4EJVoUYPu9/lb0LeytTpzltQuu5fpkFPQNIhls=";
})
(fetchpatch {
name = "06_fs_f2fs_grub_errno_mount_fails.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=563436258cde64da6b974880abff1bf0959f4da3";
hash = "sha256-Iu0RPyB+pAnqMT+MTX+TrJbYJsvYPn7jbMgE1jcLh/Q=";
})
(fetchpatch {
name = "07_CVE-2024-45783.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=f7c070a2e28dfab7137db0739fb8db1dc02d8898";
hash = "sha256-V1wh2dPeTazmad61jFtOjhq2MdoD+txPWY/AfwwyTZM=";
})
(fetchpatch {
name = "08_fs_iso9660_grub_errno_mount_fails.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=965db5970811d18069b34f28f5f31ddadde90a97";
hash = "sha256-6eN1AvZwXkJOQVcjgymy/E7QiAxzL/d0W3KlAZRqUzI=";
})
(fetchpatch {
name = "09_fs_iso9660_fix_invalid_free.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=1443833a9535a5873f7de3798cf4d8389f366611";
hash = "sha256-Gt5yMy5Vg9zrDggj3o/TLNt2vT9/6IuHg4Se2p8e8pI=";
})
(fetchpatch {
name = "10_fs_jfs_fix_oob_read_jfs_getent.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=66175696f3a385b14bdf1ebcda7755834bd2d5fb";
hash = "sha256-ETbzbc5gvf55sTLjmJOXXC9VH3qcP1Gv5seR/U9NRiY=";
})
(fetchpatch {
name = "11_fs_jfs_fix_oob_read_caused_by_invalid_dir_slot_index.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=ab09fd0531f3523ac0ef833404526c98c08248f7";
hash = "sha256-wE6niiIx4BdN800/Eegb6IbBRoMFpXq9kPvatwhWNXY=";
})
(fetchpatch {
name = "12_fs_jfs_use_full_40_bits_offset_and_address_for_data_extent.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=bd999310fe67f35a66de3bfa2836da91589d04ef";
hash = "sha256-fbC4oTEIoGWJASzJI5RXfoanrMLTfjFOI51LCUU7Ctg=";
})
(fetchpatch {
name = "13_fs_jfs_inconsistent_signed_unsigned_types_usage.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=edd995a26ec98654d907a9436a296c2d82bc4b28";
hash = "sha256-aa1G1vi4bPZejfKEqZokAZTzY9Ea2lyxTrP4drDV9tk=";
})
(fetchpatch {
name = "14_fs_ext2_fix_out-of-bounds_read_for_inline_extent.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=7e2f750f0a795c4d64ec7dc7591edac8da2e978c";
hash = "sha256-PtPqZHMU2fy7btRRaaswLyHizplxnygCzDfcg5ievOQ=";
})
(fetchpatch {
name = "15_fs_ntfs_fix_out-of-bounds_read.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=aff26318783a135562b904ff09e2359893885732";
hash = "sha256-znN6lkAB9aAhTGKR1038DzOz5nzuTp+7ylHVqRM7HeI=";
})
(fetchpatch {
name = "16_fs_ntfs_track_the_end_of_the_MFT_attribute_buffer.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=237a71184a32d1ef7732f5f49ed6a89c5fe1c99a";
hash = "sha256-0I/g0qHkWY6PArPn1UaYRhCrrh9bHknADh34v5eSjjM=";
})
(fetchpatch {
name = "17_fs_ntfs_use_a_helper_function_to_access_attributes.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=048777bc29043403d077d41a81d0183767b8bc71";
hash = "sha256-Mm49MSLqCq143r8ruLJm1QoyCoLtOlCBfqoAPwPlv8E=";
})
# Patch 18 (067b6d225d482280abad03944f04e30abcbdafa1) has been removed because it causes regressions
# https://lists.gnu.org/archive/html/grub-devel/2025-03/msg00067.html
(fetchpatch {
name = "19_fs_xfs_fix_out-of-bounds_read.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=6ccc77b59d16578b10eaf8a4fe85c20b229f0d8a";
hash = "sha256-FvTzFvfEi3oyxPC/dUHreyzzeVCskaUlYUjpKY/l0DE=";
})
(fetchpatch {
name = "20_fs_xfs_ensuring_failing_to_mount_sets_a_grub_errno.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=d1d6b7ea58aa5a80a4c4d0666b49460056c8ef0a";
hash = "sha256-SLdXMmYHq/gRmWrjRrOu5ZYFod84EllUL6hk+gnr3kg=";
})
(fetchpatch {
name = "21_kern_file_ensure_file_data_is_set.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=a7910687294b29288ac649e71b47493c93294f17";
hash = "sha256-DabZK9eSToEmSA9dEwtEN+URiVyS9qf6e2Y2UiMuy8Q=";
})
(fetchpatch {
name = "22_kern_file_implement_filesystem_reference_counting.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=16f196874fbe360a1b3c66064ec15adadf94c57b";
excludes = [ "grub-core/fs/erofs.c" ]; # Does not exist on 2.12
hash = "sha256-yGU//1tPaxi+xFKZrsbUAnvgFpwtrIMG+8cPbSud4+U=";
})
(fetchpatch {
name = "23_prerequisite_1_key_protector_add_key_protectors_framework.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=5d260302da672258444b01239803c8f4d753e3f3";
hash = "sha256-5aFHzc5qXBNLEc6yzI17AH6J7EYogcXdLxk//1QgumY=";
})
(fetchpatch {
name = "23_prerequisite_2_disk_cryptodisk_allow_user_to_retry_failed_passphrase.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=386b59ddb42fa3f86ddfe557113b25c8fa16f88c";
hash = "sha256-e1kGQB7wGWvEb2bY3xIpZxE1uzTt9JOKi05jXyUm+bI=";
})
(fetchpatch {
name = "23_prerequisite_3_cryptodisk_support_key_protectors.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=ad0c52784a375cecaa8715d7deadcf5d65baf173";
hash = "sha256-+YIvUYA3fLiOFFsXDrQjqjWFluzLa7N1tv0lwq8BqCs=";
})
(fetchpatch {
name = "23_prerequisite_4_cryptodisk_fallback_to_passphrase.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=6abf8af3c54abc04c4ec71c75d10fcfbc190e181";
hash = "sha256-eMu9rW4iJucDAsTQMJD1XE6dDIcUmn02cGqIaqBbO3o=";
})
(fetchpatch {
name = "23_prerequisite_5_cryptodisk_wipe_out_the_cached_keys_from_protectors.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=b35480b48e6f9506d8b7ad8a3b5206d29c24ea95";
hash = "sha256-5L6Rr+X5Z+Ip91z8cpLcatDW1vyEoZa1icL2oMXPXuI=";
})
(fetchpatch {
name = "23_prerequisite_6_cli_lock_add_build_option_to_block_command_line_interface.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=bb65d81fe320e4b20d0a9b32232a7546eb275ecc";
hash = "sha256-HxXgtvEhtaIjXbOcxJHNpD9/NVOv3uXPnue7cagEMu8=";
})
# (fetchpatch {
# name = "23_CVE-2024-49504.patch";
# url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=13febd78db3cd85dcba67d8ad03ad4d42815f11e";
# hash = "sha256-U7lNUb4iVAyQ1yEg5ECHCQGE51tKvY13T9Ji09Q1W9Y=";
# })
(fetchpatch {
name = "24_disk_loopback_reference_tracking_for_the_loopback.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=67f70f70a36b6e87a65f928fe1e840a12eafb7ae";
hash = "sha256-sWBnSF3rAuY1A/IIK1Pc+BqTvyK3j7+lLEhvImtBQMA=";
})
(fetchpatch {
name = "25_kern_disk_limit_recursion_depth.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=18212f0648b6de7d71d4c8f41eb4d8b78b3a299b";
hash = "sha256-HiVzXUNs45Fxh4DSqO8wAxSBM7CaYU/bix0PVBcIHGw=";
})
(fetchpatch {
name = "26_kern_partition_limit_recursion_in_part_iterate.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=8a7103fddfd6664f41081f3bb88eebbf2871da2a";
hash = "sha256-Nw1VFRVww1VSDSBkRrnTGeaA2PKCitugM12XH6X/2YI=";
})
(fetchpatch {
name = "27_script_execute_limit_the_recursion_depth.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=d8a937ccae5c6d86dc4375698afca5cefdcd01e1";
hash = "sha256-YOAdPMZ2iBNMzIwAXFkkyTMKh4ptZUQ0J3v9EjnRlbo=";
})
(fetchpatch {
name = "28_net_unregister_net_default_ip_and_net_default_mac_variables_hooks_on_unload.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=a1dd8e59da26f1a9608381d3a1a6c0f465282b1d";
hash = "sha256-7fqdkhFqLECzhz1OLavkHrE9ktDAEmx9ZxZayNr/Eo4=";
})
(fetchpatch {
name = "29_net_remove_variables_hooks_when_interface_is_unregisted.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=aa8b4d7facef7b75a2703274b1b9d4e0e734c401";
hash = "sha256-m3VLDbJlwchV5meEpU4LJrDxBtA80qvYcVMJinHLnac=";
})
(fetchpatch {
name = "30_CVE-2025-0624.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=5eef88152833062a3f7e017535372d64ac8ef7e1";
hash = "sha256-DvhzHnenAmO9SZpi4kU+0GhyKZB4q4xQYuNJgEhJmn0=";
})
(fetchpatch {
name = "31_net_tftp_fix_stack_buffer_overflow_in_tftp_open.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=0707accab1b9be5d3645d4700dde3f99209f9367";
hash = "sha256-16NrpWFSE4jFT2uxmJg16jChw8HiGRTol25XQXNQ5l4=";
})
(fetchpatch {
name = "32_CVE-2024-45774.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=2c34af908ebf4856051ed29e46d88abd2b20387f";
hash = "sha256-OWmF+fp2TmetQjV4EWMcESW8u52Okkb5C5IPLfczyv4=";
})
(fetchpatch {
name = "33_kern_dl_fix_for_an_integer_overflow_in_grub_dl_ref.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=500e5fdd82ca40412b0b73f5e5dda38e4a3af96d";
hash = "sha256-FNqOWo+oZ4/1sCbTi2uaeKchUxwAKXtbzhScezm0yxk=";
})
# Patch 34 (https://git.savannah.gnu.org/cgit/grub.git/patch/?id=d72208423dcabf9eb4a3bcb17b6b31888396bd49)
# is skipped, grub_dl_set_mem_attrs() does not exist on 2.12
(fetchpatch {
name = "35_kern_dl_check_for_the_SHF_INFO_LINK_flag_in_grub_dl_relocate_symbols.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=98ad84328dcabfa603dcf5bd217570aa6b4bdd99";
hash = "sha256-Zi4Pj2NbodL0VhhO5MWhvErb8xmA7Li0ur0MxpgQjzg=";
})
(fetchpatch {
name = "36_CVE-2024-45775.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=05be856a8c3aae41f5df90cab7796ab7ee34b872";
hash = "sha256-T6DO8iuImQTP7hPaCAHMtFnheQoCkZ6w+kfNolLPmrY=";
})
(fetchpatch {
name = "37_commands_ls_fix_NULL_dereference.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=0bf56bce47489c059e50e61a3db7f682d8c44b56";
hash = "sha256-h5okwqv4ZFahP3ANUbsk1fiSV4pwEnxUExeBgQ4tiTI=";
})
(fetchpatch {
name = "38_CVE-2025-0622.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=2123c5bca7e21fbeb0263df4597ddd7054700726";
hash = "sha256-tFE7VgImGZWDICyvHbrI1hqW6/XohgdTmk21MzljMGw=";
})
(fetchpatch {
name = "39_CVE-2025-0622.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=9c16197734ada8d0838407eebe081117799bfe67";
hash = "sha256-tTeuEvadKbXVuY0m0dKtTr11Lpb3yQi4zk0bpwrMOeA=";
})
(fetchpatch {
name = "40_CVE-2025-0622.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=7580addfc8c94cedb0cdfd7a1fd65b539215e637";
hash = "sha256-khRLpWqE7hzzoqssVkGFMjAv09T+uHn13Q9pCpogMms=";
})
(fetchpatch {
name = "41_CVE-2024-45776.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=09bd6eb58b0f71ec273916070fa1e2de16897a91";
hash = "sha256-yrl/6XUdKQg/MLe8KFuFoRRbQSyOhDmyvnWBV+sr3EY=";
})
(fetchpatch {
name = "42_CVE-2024-45777.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=b970a5ed967816bbca8225994cd0ee2557bad515";
hash = "sha256-Vl5Emw3O3Ba2hD1GCWune4PGduDDPO0gM5u+zx/OwKo=";
})
(fetchpatch {
name = "43_CVE-2025-0690.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=dad8f502974ed9ad0a70ae6820d17b4b142558fc";
hash = "sha256-DeWOncndX2VM8w1lb5fd5wHAZrI+ChB5Pj9XbUIfDWY=";
})
(fetchpatch {
name = "44_commands_test_stack_overflow_due_to_unlimited_recursion_depth.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=c68b7d23628a19da67ebe2e06f84165ee04961af";
hash = "sha256-aputM9KqkB/cK8hBiU9VXbu0LpLNlNCMVIeE9h2pMgY=";
})
(fetchpatch {
name = "45_CVE-2025-1118.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=34824806ac6302f91e8cabaa41308eaced25725f";
hash = "sha256-PKQs+fCwj4a9p4hbMqAT3tFNoAOw4xnbKmCwjPUgEOc=";
})
(fetchpatch {
name = "46_commands_memrw_disable_memory_reading_in_lockdown_mode.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=340e4d058f584534f4b90b7dbea2b64a9f8c418c";
hash = "sha256-NiMIUnfRreDBw+k4yxUzoRNMFL8pkJhVtkINVgmv5XA=";
})
(fetchpatch {
name = "47_commands_hexdump_disable_memory_reading_in_lockdown_mode.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=5f31164aed51f498957cdd6ed733ec71a8592c99";
hash = "sha256-NA7QjxZ9FP+WwiOveqLkbZqsF7hULIyaVS3gNaSUXJE=";
})
(fetchpatch {
name = "48_CVE-2024-45778_CVE-2024-45779.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=26db6605036bd9e5b16d9068a8cc75be63b8b630";
hash = "sha256-1+ImwkF/qsejWs2lpyO6xbcqVo2NJGv32gjrP8mEPnI=";
})
(fetchpatch {
name = "49_CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=c4bc55da28543d2522a939ba4ee0acde45f2fa74";
hash = "sha256-qrlErSImMX8eXJHkXjOe5GZ6lWOya5SVpNoiqyEM1lE=";
})
(fetchpatch {
name = "50_disk_use_safe_math_macros_to_prevent_overflows.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=c407724dad6c3e2fc1571e57adbda71cc03f82aa";
hash = "sha256-kkAjxXvCdzwqh+oWtEF3qSPiUX9cGWO6eSFVeo7WJzQ=";
})
(fetchpatch {
name = "51_disk_prevent_overflows_when_allocating_memory_for_arrays.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=d8151f98331ee4d15fcca59edffa59246d8fc15f";
hash = "sha256-2U+gMLigOCCg3P1GB615xQ0B9PDA6j92tt1ba3Tqg+E=";
})
(fetchpatch {
name = "52_disk_check_if_returned_pointer_for_allocated_memory_is_NULL.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=33bd6b5ac5c77b346769ab5284262f94e695e464";
hash = "sha256-+BaJRskWP/YVEdvIxMvEydjQx2LpLlGphRtZjiOUxJ0=";
})
(fetchpatch {
name = "53_disk_ieee1275_ofdisk_call_grub_ieee1275_close_when_grub_malloc_fails.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=fbaddcca541805c333f0fc792b82772594e73753";
hash = "sha256-9sGA41HlB/8rtT/fMfkDo4ZJMXBSr+EyN92l/0gDfl4=";
})
(fetchpatch {
name = "54_fs_use_safe_math_macros_to_prevent_overflows.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=6608163b08a7a8be4b0ab2a5cd4593bba07fe2b7";
excludes = [ "grub-core/fs/erofs.c" ]; # Does not exist on 2.12
hash = "sha256-mW4MH5VH5pDxCaFhNh/4mEcYloga56p8vCi7X4kSaek=";
})
(fetchpatch {
name = "55_CVE-2025-0678_CVE-2025-1125.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=84bc0a9a68835952ae69165c11709811dae7634e";
hash = "sha256-rCliqM2+k7rTGNpdHFkg3pHvuISjoG0MQr6/8lIvwK4=";
})
(fetchpatch {
name = "56_fs_prevent_overflows_when_assigning_returned_values_from_read_number.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=cde9f7f338f8f5771777f0e7dfc423ddf952ad31";
hash = "sha256-dN3HJXNIYtaUZL0LhLabC4VKK6CVC8km9UTw/ln/6ys=";
})
(fetchpatch {
name = "57_fs_zfs_use_safe_math_macros_to_prevent_overflows.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=88e491a0f744c6b19b6d4caa300a576ba56db7c9";
hash = "sha256-taSuKyCf9+TiQZcF26yMWpDDQqCfTdRuZTqB9aEz3aA=";
})
(fetchpatch {
name = "58_fs_zfs_prevent_overflows_when_allocating_memory_for_arrays.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=7f38e32c7ebeaebb79e2c71e3c7d5ea367d3a39c";
hash = "sha256-E5VmP7I4TAEXxTz3j7mi/uIr9kOSzMoPHAYAbyu56Xk=";
})
(fetchpatch {
name = "59_fs_zfs_check_if_returned_pointer_for_allocated_memory_is_NULL.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=13065f69dae0eeb60813809026de5bd021051892";
hash = "sha256-1W//rHUspDS+utdNc069J8lX1ONfoBKiJYnUt46C/D0=";
})
(fetchpatch {
name = "60_fs_zfs_add_missing_NULL_check_after_grub_strdup_call.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=dd6a4c8d10e02ca5056681e75795041a343636e4";
hash = "sha256-iFLEkz5G6aQ8FXGuY7/wgN4d4o0+sUxWMKYIFcQ/H+o=";
})
(fetchpatch {
name = "61_net_use_safe_math_macros_to_prevent_overflows.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=4beeff8a31c4fb4071d2225533cfa316b5a58391";
hash = "sha256-/gs5ZhplQ1h7PWw0p+b5+0OxmRcvDRKWHj39ezhivcg=";
})
(fetchpatch {
name = "62_net_prevent_overflows_when_allocating_memory_for_arrays.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=dee2c14fd66bc497cdc74c69fde8c9b84637c8eb";
hash = "sha256-cO02tCGEeQhQF0TmgtNOgUwRLnNgmxhEefo1gtSlFOk=";
})
(fetchpatch {
name = "63_net_check_if_returned_pointer_for_allocated_memory_is_NULL.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=1c06ec900591d1fab6fbacf80dc010541d0a5ec8";
hash = "sha256-oSRhWWVraitoVDqGlFOVzdCkaNqFGOHLjJu75CSc388=";
})
(fetchpatch {
name = "64_fs_sfs_check_if_allocated_memory_is_NULL.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=e3c578a56f9294e286b6028ca7c1def997a17b15";
hash = "sha256-7tvFbmjWmWmmRykQjMvZV6IYlhSS8oNR7YfaO5XXAfU=";
})
(fetchpatch {
name = "65_script_execute_fix_potential_underflow_and_NULL.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=d13b6e8ebd10b4eb16698a002aa40258cf6e6f0e";
hash = "sha256-paMWaAIImzxtufUrVF5v4T4KnlDAJIPhdaHznu5CyZ8=";
})
(fetchpatch {
name = "66_osdep_unix_getroot_fix_potential_underflow.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=66733f7c7dae889861ea3ef3ec0710811486019e";
hash = "sha256-/14HC1kcW7Sy9WfJQFfC+YnvS/GNTMP+Uy6Dxd3zkwc=";
})
(fetchpatch {
name = "67_misc_ensure_consistent_overflow_error_messages.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=f8795cde217e21539c2f236bcbb1a4bf521086b3";
hash = "sha256-4X7wr1Tg16xDE9FO6NTlgkfLV5zFKmajeaOspIqcCuI=";
})
(fetchpatch {
name = "68_bus_usb_ehci_define_GRUB_EHCI_TOGGLE_as_grub_uint32_t.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=9907d9c2723304b42cf6da74f1cc6c4601391956";
hash = "sha256-D8xaI8g7ffGGmZqqeS8wxWIFLUWUBfmHwMVOHkYTc2I=";
})
(fetchpatch {
name = "69_normal_menu_use_safe_math_to_avoid_an_integer_overflow.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=5b36a5210e21bee2624f8acc36aefd8f10266adb";
hash = "sha256-UourmM0Zlaj4o+SnYi5AtjfNujDOt+2ez2XH/uWyiaM=";
})
(fetchpatch {
name = "70_kern_partition_add_sanity_check_after_grub_strtoul_call.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=8e6e87e7923ca2ae880021cb42a35cc9bb4c8fe2";
hash = "sha256-4keMUu6ZDKmuSQlFnldV15dDGUibsnSvoEWhLsqWieI=";
})
(fetchpatch {
name = "71_kern_misc_add_sanity_check_after_grub_strtoul_call.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=a8d6b06331a75d75b46f3dd6cc6fcd40dcf604b7";
hash = "sha256-2Mpe1sqyuoUPyMAKGZTNzG/ig3G3K8w0gia7lc508Rg=";
})
(fetchpatch {
name = "72_loader_i386_linux_cast_left_shift_to_grub_uint32_t.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=490a6ab71cebd96fae7a1ceb9067484f5ccbec2a";
hash = "sha256-e49OC1EBaX0/nWTTXT5xE5apTJPQV0myP5Ohxn9Wwa8=";
})
(fetchpatch {
name = "73_loader_i386_bsd_use_safe_math_to_avoid_underflow.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=4dc6166571645780c459dde2cdc1b001a5ec844c";
hash = "sha256-e8X+oBvejcFNOY1Tp/f6QqCDwrgK7f9u1F8SdO/dhy4=";
})
(fetchpatch {
# Fixes 7e2f750f0a (security patch 14/73)
name = "fs_ext2_rework_out-of-bounds_read_for_inline_and_external_extents.patch";
url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=348cd416a3574348f4255bf2b04ec95938990997";
hash = "sha256-WBLYQxv8si2tvdPAvbm0/4NNqYWBMJpFV4GC0HhN/kE=";
})
];
postPatch =
if kbdcompSupport then
''
sed -i util/grub-kbdcomp.in -e 's@\bckbcomp\b@${ckbcomp}/bin/ckbcomp@'
''
else
''
echo '#! ${runtimeShell}' > util/grub-kbdcomp.in
echo 'echo "Compile grub2 with { kbdcompSupport = true; } to enable support for this command."' >> util/grub-kbdcomp.in
'';
depsBuildBuild = [ buildPackages.stdenv.cc ];
nativeBuildInputs = [
bison
flex
python3
pkg-config
gettext
freetype
autoconf
automake
help2man
];
buildInputs = [
ncurses
libusb-compat-0_1
freetype
lvm2
fuse
libtool
bash
]
++ lib.optional doCheck qemu
++ lib.optional zfsSupport zfs;
strictDeps = true;
hardeningDisable = [ "all" ];
separateDebugInfo = !xenSupport;
preConfigure = ''
for i in "tests/util/"*.in
do
sed -i "$i" -e's|/bin/bash|${stdenv.shell}|g'
done
# Apparently, the QEMU executable is no longer called
# `qemu-system-i386', even on i386.
#
# In addition, use `-nodefaults' to avoid errors like:
#
# chardev: opening backend "stdio" failed
# qemu: could not open serial device 'stdio': Invalid argument
#
# See <http://www.mail-archive.com/qemu-devel@nongnu.org/msg22775.html>.
sed -i "tests/util/grub-shell.in" \
-e's/qemu-system-i386/qemu-system-x86_64 -nodefaults/g'
unset CPP # setting CPP intereferes with dependency calculation
patchShebangs .
GNULIB_REVISION=$(. bootstrap.conf; echo $GNULIB_REVISION)
if [ "$GNULIB_REVISION" != ${gnulib.rev} ]; then
echo "This version of GRUB requires a different gnulib revision!"
echo "We have: ${gnulib.rev}"
echo "GRUB needs: $GNULIB_REVISION"
exit 1
fi
cp -f --no-preserve=mode ${locales}/po/LINGUAS ${locales}/po/*.po po
./bootstrap --no-git --gnulib-srcdir=${gnulib}
substituteInPlace ./configure --replace '/usr/share/fonts/unifont' '${unifont}/share/fonts'
'';
postConfigure = ''
# make sure .po files are up to date to workaround
# parallel `msgmerge --update` on autogenerated .po files:
# https://github.com/NixOS/nixpkgs/pull/248747#issuecomment-1676301670
make dist
'';
configureFlags = [
"--enable-grub-mount" # dep of os-prober
]
++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
# grub doesn't do cross-compilation as usual and tries to use unprefixed
# tools to target the host. Provide toolchain information explicitly for
# cross builds.
#
# Ref: # https://github.com/buildroot/buildroot/blob/master/boot/grub2/grub2.mk#L108
"TARGET_CC=${stdenv.cc.targetPrefix}cc"
"TARGET_NM=${stdenv.cc.targetPrefix}nm"
"TARGET_OBJCOPY=${stdenv.cc.targetPrefix}objcopy"
"TARGET_RANLIB=${stdenv.cc.targetPrefix}ranlib"
"TARGET_STRIP=${stdenv.cc.targetPrefix}strip"
]
++ lib.optional zfsSupport "--enable-libzfs"
++ lib.optionals efiSupport [
"--with-platform=efi"
"--target=${efiSystemsBuild.${stdenv.hostPlatform.system}.target}"
"--program-prefix="
]
++ lib.optionals xenSupport [
"--with-platform=xen"
"--target=${xenSystemsBuild.${stdenv.hostPlatform.system}.target}"
]
++ lib.optionals xenPvhSupport [
"--with-platform=xen_pvh"
"--target=${xenPvhSystemsBuild.${stdenv.hostPlatform.system}.target}"
];
# save target that grub is compiled for
grubTarget =
if efiSupport then
"${efiSystemsInstall.${stdenv.hostPlatform.system}.target}-efi"
else
lib.optionalString inPCSystems "${pcSystems.${stdenv.hostPlatform.system}.target}-pc";
doCheck = false;
enableParallelBuilding = true;
postInstall = ''
# Avoid a runtime reference to gcc
sed -i $out/lib/grub/*/modinfo.sh -e "/grub_target_cppflags=/ s|'.*'|' '|"
# just adding bash to buildInputs wasn't enough to fix the shebang
substituteInPlace $out/lib/grub/*/modinfo.sh \
--replace ${buildPackages.bash} "/usr/bin/bash"
'';
passthru.tests = {
nixos-grub = nixosTests.grub;
nixos-install-simple = nixosTests.installer.simple;
nixos-install-grub-uefi = nixosTests.installer.simpleUefiGrub;
nixos-install-grub-uefi-spec = nixosTests.installer.simpleUefiGrubSpecialisation;
};
meta = with lib; {
description = "GNU GRUB, the Grand Unified Boot Loader";
longDescription = ''
GNU GRUB is a Multiboot boot loader. It was derived from GRUB, GRand
Unified Bootloader, which was originally designed and implemented by
Erich Stefan Boleyn.
Briefly, the boot loader is the first software program that runs when a
computer starts. It is responsible for loading and transferring
control to the operating system kernel software (such as the Hurd or
the Linux). The kernel, in turn, initializes the rest of the
operating system (e.g., GNU).
'';
homepage = "https://www.gnu.org/software/grub/";
license = licenses.gpl3Plus;
platforms =
if efiSupport then
lib.attrNames efiSystemsBuild
else if xenSupport then
lib.attrNames xenSystemsBuild
else if xenPvhSupport then
lib.attrNames xenPvhSystemsBuild
else
platforms.gnu ++ platforms.linux;
maintainers = [ ];
};
}

24
nix/configuration/package/grub/fix-bash-completion.patch Normal file
View File

@ -0,0 +1,24 @@
diff -ubr grub-2.00-orig/util/bash-completion.d/grub-completion.bash.in grub-2.00/util/bash-completion.d/grub-completion.bash.in
--- grub-2.00-orig/util/bash-completion.d/grub-completion.bash.in 2012-10-16 19:02:36.342733957 +0200
+++ grub-2.00/util/bash-completion.d/grub-completion.bash.in 2012-10-16 19:04:48.262733941 +0200
@@ -17,6 +17,12 @@
# along with GRUB. If not, see <http://www.gnu.org/licenses/>.
# bash completion for grub
+have()
+{
+ unset -v have
+ _have $1 && have=yes
+}
+
__grub_dir() {
local i c=1 boot_dir
@@ -479,6 +485,7 @@
have ${__grub_script_check_program} && \
complete -F _grub_script_check -o filenames ${__grub_script_check_program}
+unset -f have
# Local variables:
# mode: shell-script

18
nix/configuration/roles/git/default.nix
View File

@ -54,23 +54,17 @@ in
nixpkgs.overlays = [
(final: prev: {
my_git = (
pkgs.buildEnv {
name = prev.git.name;
version = prev.git.version;
pkgs.symlinkJoin {
name = final.git.name;
version = final.git.version;
paths =
(builtins.map (git_wrapped prev.git) [
(builtins.map (git_wrapped final.git) [
"git"
])
++ [
prev.git
final.git
];
extraOutputsToInstall = [
"man"
"doc"
"info"
];
nativeBuildInputs = [ final.makeWrapper ];
ignoreCollisions = true;
}
);
})
@ -79,7 +73,7 @@ in
(lib.mkIf (!config.me.graphical) {
nixpkgs.overlays = [
(final: prev: {
my_git = prev.git;
my_git = final.git;
})
];
})

34
nix/configuration/roles/recovery/default.nix Normal file
View File

@ -0,0 +1,34 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [ ];
options.me = {
recovery.enable = lib.mkOption {
type = lib.types.bool;
default = false;
example = true;
description = "Whether we want to install recovery.";
};
};
config = lib.mkIf config.me.recovery.enable (
lib.mkMerge [
{
environment.systemPackages = with pkgs; [
ddrescue
];
}
(lib.mkIf config.me.graphical {
environment.systemPackages = with pkgs; [
ddrescueview
];
})
]
);
}