From 1fc79d2643d0d3942fd2e27591075e50c7e68aa8 Mon Sep 17 00:00:00 2001 From: Fernando Rodrigues Date: Wed, 3 Jul 2024 11:46:30 +0000 Subject: [PATCH 1/5] xen: 4.15 -> {4.16,4.17,4.18,4.19} There are too many changes to list between these versions, but here's what's important for Nixpkgs: - Enabled xen.efi building, allowing the nixos/xen module to support EFI booting. - Renamed xen-light to xen-slim, and removed the old xen-slim package, as qemu-traditional has been removed per an upstream recommendation. - xen-slim (formerly xen-light) no longer builds iPXE. - You can now use the OVMF from Xen's repos. - Further generalised generic.nix. Maintaining three versions at once is finally doable. - Removed as many recursions as possible. - Split the package output. Signed-off-by: Fernando Rodrigues --- .../xen/0000-fix-install-python.4.15.patch | 16 - .../0000-qemu-seabios-enable-ATA_DMA.patch | 19 - .../xen/0004-makefile-use-efi-ld.4.15.patch | 42 - ...5-makefile-fix-efi-mountdir-use.4.15.patch | 37 - pkgs/applications/virtualization/xen/4.15.nix | 183 ---- .../0000-xen-ipxe-src-4.16.patch} | 8 +- .../virtualization/xen/4.16/default.nix | 49 + .../xen/4.17/0000-xen-ipxe-src-4.17.patch | 27 + .../virtualization/xen/4.17/default.nix | 52 + .../xen/4.18/0000-xen-ipxe-src-4.18.patch | 27 + .../virtualization/xen/4.18/default.nix | 52 + .../xen/4.19/0000-xen-ipxe-src-4.19.patch | 27 + .../virtualization/xen/4.19/default.nix | 49 + .../virtualization/xen/generic.nix | 898 +++++++++++++----- .../virtualization/xen/packages.nix | 96 +- .../virtualization/xen/patches.nix | 114 +++ .../virtualization/xen/xsa-patches.nix | 493 ---------- pkgs/top-level/all-packages.nix | 14 +- 18 files changed, 1119 insertions(+), 1084 deletions(-) delete mode 100644 pkgs/applications/virtualization/xen/0000-fix-install-python.4.15.patch delete mode 100644 pkgs/applications/virtualization/xen/0000-qemu-seabios-enable-ATA_DMA.patch delete mode 100644 pkgs/applications/virtualization/xen/0004-makefile-use-efi-ld.4.15.patch delete mode 100644 pkgs/applications/virtualization/xen/0005-makefile-fix-efi-mountdir-use.4.15.patch delete mode 100644 pkgs/applications/virtualization/xen/4.15.nix rename pkgs/applications/virtualization/xen/{0000-fix-ipxe-src.4.15.patch => 4.16/0000-xen-ipxe-src-4.16.patch} (93%) create mode 100644 pkgs/applications/virtualization/xen/4.16/default.nix create mode 100644 pkgs/applications/virtualization/xen/4.17/0000-xen-ipxe-src-4.17.patch create mode 100644 pkgs/applications/virtualization/xen/4.17/default.nix create mode 100644 pkgs/applications/virtualization/xen/4.18/0000-xen-ipxe-src-4.18.patch create mode 100644 pkgs/applications/virtualization/xen/4.18/default.nix create mode 100644 pkgs/applications/virtualization/xen/4.19/0000-xen-ipxe-src-4.19.patch create mode 100644 pkgs/applications/virtualization/xen/4.19/default.nix create mode 100644 pkgs/applications/virtualization/xen/patches.nix delete mode 100644 pkgs/applications/virtualization/xen/xsa-patches.nix diff --git a/pkgs/applications/virtualization/xen/0000-fix-install-python.4.15.patch b/pkgs/applications/virtualization/xen/0000-fix-install-python.4.15.patch deleted file mode 100644 index 5fc5a6012ee30..0000000000000 --- a/pkgs/applications/virtualization/xen/0000-fix-install-python.4.15.patch +++ /dev/null @@ -1,16 +0,0 @@ -tools/python/install-wrap script brakes shebangs patching, disable - -diff --git a/tools/Rules.mk b/tools/Rules.mk -index 444e5bacdd..c99ea959ff 100644 ---- a/tools/Rules.mk -+++ b/tools/Rules.mk -@@ -135,8 +135,7 @@ CFLAGS += $(CFLAGS-y) - - CFLAGS += $(EXTRA_CFLAGS_XEN_TOOLS) - --INSTALL_PYTHON_PROG = \ -- $(XEN_ROOT)/tools/python/install-wrap "$(PYTHON_PATH)" $(INSTALL_PROG) -+INSTALL_PYTHON_PROG = $(INSTALL_PROG) - - %.opic: %.c - $(CC) $(CPPFLAGS) -DPIC $(CFLAGS) $(CFLAGS_$*.opic) -fPIC -c -o $@ $< $(APPEND_CFLAGS) diff --git a/pkgs/applications/virtualization/xen/0000-qemu-seabios-enable-ATA_DMA.patch b/pkgs/applications/virtualization/xen/0000-qemu-seabios-enable-ATA_DMA.patch deleted file mode 100644 index 339972a2cdeb1..0000000000000 --- a/pkgs/applications/virtualization/xen/0000-qemu-seabios-enable-ATA_DMA.patch +++ /dev/null @@ -1,19 +0,0 @@ -diff -uNr a/src/Kconfig b/src/Kconfig ---- a/src/Kconfig 2015-08-31 10:15:13.231134858 +0200 -+++ b/src/Kconfig 2015-08-31 10:14:24.039180178 +0200 -@@ -144,13 +144,13 @@ - config ATA_DMA - depends on ATA - bool "ATA DMA" -- default n -+ default y - help - Detect and try to use ATA bus mastering DMA controllers. - config ATA_PIO32 - depends on ATA - bool "ATA 32bit PIO" -- default n -+ default y - help - Use 32bit PIO accesses on ATA (minor optimization on PCI transfers). - config AHCI diff --git a/pkgs/applications/virtualization/xen/0004-makefile-use-efi-ld.4.15.patch b/pkgs/applications/virtualization/xen/0004-makefile-use-efi-ld.4.15.patch deleted file mode 100644 index c64ec52315c92..0000000000000 --- a/pkgs/applications/virtualization/xen/0004-makefile-use-efi-ld.4.15.patch +++ /dev/null @@ -1,42 +0,0 @@ -diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile -index b6567c4127..83defeee95 100644 ---- a/xen/arch/x86/Makefile -+++ b/xen/arch/x86/Makefile -@@ -124,11 +124,11 @@ ifneq ($(efi-y),) - export XEN_BUILD_EFI := $(shell $(CC) $(XEN_CFLAGS) -c efi/check.c -o efi/check.o 2>/dev/null && echo y) - # Check if the linker supports PE. - EFI_LDFLAGS = $(patsubst -m%,-mi386pep,$(XEN_LDFLAGS)) --subsystem=10 --strip-debug --XEN_BUILD_PE := $(if $(XEN_BUILD_EFI),$(shell $(LD) $(EFI_LDFLAGS) -o efi/check.efi efi/check.o 2>/dev/null && echo y)) -+XEN_BUILD_PE := $(if $(XEN_BUILD_EFI),$(shell $(EFI_LD) $(EFI_LDFLAGS) -o efi/check.efi efi/check.o 2>/dev/null && echo y)) - CFLAGS-$(XEN_BUILD_EFI) += -DXEN_BUILD_EFI - # Check if the linker produces fixups in PE by default (we need to disable it doing so for now). - XEN_NO_PE_FIXUPS := $(if $(XEN_BUILD_EFI), \ -- $(shell $(LD) $(EFI_LDFLAGS) --disable-reloc-section -o efi/check.efi efi/check.o 2>/dev/null && \ -+ $(shell $(EFI_LD) $(EFI_LDFLAGS) --disable-reloc-section -o efi/check.efi efi/check.o 2>/dev/null && \ - echo --disable-reloc-section)) - endif - -@@ -217,20 +217,20 @@ note_file_option ?= $(note_file) - ifeq ($(XEN_BUILD_PE),y) - $(TARGET).efi: prelink-efi.o $(note_file) efi.lds efi/relocs-dummy.o efi/mkreloc - $(foreach base, $(VIRT_BASE) $(ALT_BASE), \ -- $(LD) $(call EFI_LDFLAGS,$(base)) -T efi.lds -N $< efi/relocs-dummy.o \ -+ $(EFI_LD) $(call EFI_LDFLAGS,$(base)) -T efi.lds -N $< efi/relocs-dummy.o \ - $(BASEDIR)/common/symbols-dummy.o $(note_file_option) -o $(@D)/.$(@F).$(base).0 &&) : - efi/mkreloc $(foreach base,$(VIRT_BASE) $(ALT_BASE),$(@D)/.$(@F).$(base).0) >$(@D)/.$(@F).0r.S - $(NM) -pa --format=sysv $(@D)/.$(@F).$(VIRT_BASE).0 \ - | $(BASEDIR)/tools/symbols $(all_symbols) --sysv --sort >$(@D)/.$(@F).0s.S - $(MAKE) -f $(BASEDIR)/Rules.mk $(@D)/.$(@F).0r.o $(@D)/.$(@F).0s.o - $(foreach base, $(VIRT_BASE) $(ALT_BASE), \ -- $(LD) $(call EFI_LDFLAGS,$(base)) -T efi.lds -N $< \ -+ $(EFI_LD) $(call EFI_LDFLAGS,$(base)) -T efi.lds -N $< \ - $(@D)/.$(@F).0r.o $(@D)/.$(@F).0s.o $(note_file_option) -o $(@D)/.$(@F).$(base).1 &&) : - efi/mkreloc $(foreach base,$(VIRT_BASE) $(ALT_BASE),$(@D)/.$(@F).$(base).1) >$(@D)/.$(@F).1r.S - $(NM) -pa --format=sysv $(@D)/.$(@F).$(VIRT_BASE).1 \ - | $(BASEDIR)/tools/symbols $(all_symbols) --sysv --sort >$(@D)/.$(@F).1s.S - $(MAKE) -f $(BASEDIR)/Rules.mk $(@D)/.$(@F).1r.o $(@D)/.$(@F).1s.o -- $(LD) $(call EFI_LDFLAGS,$(VIRT_BASE)) -T efi.lds -N $< \ -+ $(EFI_LD) $(call EFI_LDFLAGS,$(VIRT_BASE)) -T efi.lds -N $< \ - $(@D)/.$(@F).1r.o $(@D)/.$(@F).1s.o $(note_file_option) -o $@ - $(NM) -pa --format=sysv $(@D)/$(@F) \ - | $(BASEDIR)/tools/symbols --all-symbols --xensyms --sysv --sort >$(@D)/$(@F).map diff --git a/pkgs/applications/virtualization/xen/0005-makefile-fix-efi-mountdir-use.4.15.patch b/pkgs/applications/virtualization/xen/0005-makefile-fix-efi-mountdir-use.4.15.patch deleted file mode 100644 index 8f07c1a8e29ff..0000000000000 --- a/pkgs/applications/virtualization/xen/0005-makefile-fix-efi-mountdir-use.4.15.patch +++ /dev/null @@ -1,37 +0,0 @@ -EFI_MOUNTPOINT is conventionally /boot/efi or /boot/EFI or something -like that, and (on my machine) has directories within that called -{Boot, nixos, gummiboot}. - -This patch does two things: - -1) Xen apparently wants to put files in -$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR) - we remove the duplicate 'efi' name -because I can't see why we have it - -2) Ensures the said directory exists - - -diff --git a/xen/Makefile b/xen/Makefile -index acb2d28891..d0763fbbe7 100644 ---- a/xen/Makefile -+++ b/xen/Makefile -@@ -289,7 +289,9 @@ _install: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX) - ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T)-$(XEN_VERSION).efi; \ - ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T).efi; \ - if [ -n '$(EFI_MOUNTPOINT)' -a -n '$(EFI_VENDOR)' ]; then \ -- $(INSTALL_DATA) $(TARGET).efi $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi; \ -+ [ -d $(D)$(EFI_MOUNTPOINT)/$(EFI_VENDOR) ] || \ -+ $(INSTALL_DIR) $(D)$(EFI_MOUNTPOINT)/$(EFI_VENDOR) ;\ -+ $(INSTALL_DATA) $(TARGET).efi $(D)$(EFI_MOUNTPOINT)/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi; \ - elif [ "$(D)" = "$(patsubst $(shell cd $(XEN_ROOT) && pwd)/%,%,$(D))" ]; then \ - echo 'EFI installation only partially done (EFI_VENDOR not set)' >&2; \ - fi; \ -@@ -319,7 +321,7 @@ _uninstall: - rm -f $(D)$(DEBUG_DIR)/$(T)-$(XEN_FULLVERSION).efi.map - rm -f $(D)$(EFI_DIR)/$(T)-$(XEN_VERSION).efi - rm -f $(D)$(EFI_DIR)/$(T).efi -- rm -f $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi -+ rm -f $(D)$(EFI_MOUNTPOINT)/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi - - .PHONY: _debug - _debug: diff --git a/pkgs/applications/virtualization/xen/4.15.nix b/pkgs/applications/virtualization/xen/4.15.nix deleted file mode 100644 index d4905088ae1e3..0000000000000 --- a/pkgs/applications/virtualization/xen/4.15.nix +++ /dev/null @@ -1,183 +0,0 @@ -{ lib, callPackage, fetchurl, fetchpatch, fetchgit -, ocaml-ng -, withInternalQemu ? true -, withInternalTraditionalQemu ? true -, withInternalSeabios ? true -, withSeabios ? !withInternalSeabios, seabios -, withInternalOVMF ? false # FIXME: tricky to build -, withOVMF ? false, OVMF -, withLibHVM ? false - -# xen -, python3Packages - -# qemu -, udev, pciutils, xorg, SDL, pixman, acl, glusterfs, spice-protocol, usbredir -, alsa-lib, glib, python3 -, ... } @ args: - -assert withInternalSeabios -> !withSeabios; -assert withInternalOVMF -> !withOVMF; -assert !withLibHVM; - -with lib; - -# Patching XEN? Check the XSAs at -# https://xenbits.xen.org/xsa/ -# and try applying all the ones we don't have yet. - -let - xsa = import ./xsa-patches.nix { inherit fetchpatch; }; - - qemuMemfdBuildFix = fetchpatch { - name = "xen-4.8-memfd-build-fix.patch"; - url = "https://github.com/qemu/qemu/commit/75e5b70e6b5dcc4f2219992d7cffa462aa406af0.patch"; - sha256 = "0gaz93kb33qc0jx6iphvny0yrd17i8zhcl3a9ky5ylc2idz0wiwa"; - }; - - qemuDeps = [ - udev pciutils xorg.libX11 SDL pixman acl glusterfs spice-protocol usbredir - alsa-lib glib python3 - ]; -in - -callPackage (import ./generic.nix (rec { - version = "4.15.1"; - - src = fetchurl { - url = "https://downloads.xenproject.org/release/xen/${version}/xen-${version}.tar.gz"; - sha256 = "1rmc7gb72xwhr3h9rc3bkac41s8kjjzz45miwdq6yalyq7j7vss5"; - }; - - # Sources needed to build tools and firmwares. - xenfiles = optionalAttrs withInternalQemu { - qemu-xen = { - src = fetchgit { - url = "https://xenbits.xen.org/git-http/qemu-xen.git"; - # rev = "refs/tags/qemu-xen-${version}"; - # use revision hash - reproducible but must be updated with each new version - rev = "e2af2d050338c99e8436e251ad67aafb3ebbd501"; - sha256 = "sha256-gVykPtzAA7tmpe6iVvnulaW+b0jD3gwL1JXC5yeIA7M="; - }; - buildInputs = qemuDeps; - postPatch = '' - # needed in build but /usr/bin/env is not available in sandbox - substituteInPlace scripts/tracetool.py \ - --replace "/usr/bin/env python" "${python3}/bin/python" - ''; - meta.description = "Xen's fork of upstream Qemu"; - }; - } // optionalAttrs withInternalTraditionalQemu { - # TODO 4.15: something happened with traditional in this release? - qemu-xen-traditional = { - src = fetchgit { - url = "https://xenbits.xen.org/git-http/qemu-xen-traditional.git"; - # rev = "refs/tags/xen-${version}"; - # use revision hash - reproducible but must be updated with each new version - rev = "3d273dd05e51e5a1ffba3d98c7437ee84e8f8764"; - sha256 = "1dc6dhjp4y2irmi9yiyw1kzmm1habyy8j1s2zkf6qyak850krqj7"; - }; - buildInputs = qemuDeps; - patches = [ - ]; - postPatch = '' - substituteInPlace xen-hooks.mak \ - --replace /usr/include/pci ${pciutils}/include/pci - ''; - meta.description = "Xen's fork of upstream Qemu that uses old device model"; - }; - } // optionalAttrs withInternalSeabios { - "firmware/seabios-dir-remote" = { - src = fetchgit { - url = "https://xenbits.xen.org/git-http/seabios.git"; - rev = "155821a1990b6de78dde5f98fa5ab90e802021e0"; - sha256 = "sha256-F3lzr00CMAObJtpz0eZFT/rwjFx+bvlI37/JtHXP5Eo="; - }; - patches = [ ./0000-qemu-seabios-enable-ATA_DMA.patch ]; - meta.description = "Xen's fork of Seabios"; - }; - } // optionalAttrs withInternalOVMF { - "firmware/ovmf-dir-remote" = { - src = fetchgit { - url = "https://xenbits.xen.org/git-http/ovmf.git"; - rev = "a3741780fe3535e19e02efa869a7cac481891129"; - sha256 = "0000000000000000000000000000000000000000000000000000"; - }; - meta.description = "Xen's fork of OVMF"; - }; - } // { - # TODO: patch Xen to make this optional? - "firmware/etherboot/ipxe.git" = { - src = fetchgit { - url = "https://git.ipxe.org/ipxe.git"; - rev = "988d2c13cdf0f0b4140685af35ced70ac5b3283c"; - sha256 = "1pkf1n1c0rdlzfls8fvjvi1sd9xjd9ijqlyz3wigr70ijcv6x8i9"; - }; - meta.description = "Xen's fork of iPXE"; - }; - }; - - configureFlags = [] - ++ optional (!withInternalQemu) "--with-system-qemu" # use qemu from PATH - ++ optional (withInternalTraditionalQemu) "--enable-qemu-traditional" - ++ optional (!withInternalTraditionalQemu) "--disable-qemu-traditional" - - ++ optional (withSeabios) "--with-system-seabios=${seabios}/share/seabios" - ++ optional (!withInternalSeabios && !withSeabios) "--disable-seabios" - - ++ optional (withOVMF) "--with-system-ovmf=${OVMF.firmware}" - ++ optional (withInternalOVMF) "--enable-ovmf"; - - NIX_CFLAGS_COMPILE = toString [ - # TODO 4.15: drop unneeded ones - # Fix build on Glibc 2.24. - "-Wno-error=deprecated-declarations" - # Fix build with GCC 8 - "-Wno-error=maybe-uninitialized" - "-Wno-error=stringop-truncation" - "-Wno-error=format-truncation" - "-Wno-error=array-bounds" - # Fix build with GCC 9 - "-Wno-error=address-of-packed-member" - "-Wno-error=format-overflow" - "-Wno-error=absolute-value" - # Fix build with GCC 10 - "-Wno-error=enum-conversion" - "-Wno-error=zero-length-bounds" - # Fix build with GCC 12 - # xentoollog_stubs.c:57: error: "Some_val" redefined [-Werror] - "-Wno-error" - ]; - - patches = with xsa; flatten [ - ./0000-fix-ipxe-src.4.15.patch - ./0000-fix-install-python.4.15.patch - ./0004-makefile-use-efi-ld.4.15.patch - ./0005-makefile-fix-efi-mountdir-use.4.15.patch - - XSA_386 - ]; - - postPatch = '' - # Avoid a glibc >= 2.25 deprecation warnings that get fatal via -Werror. - sed 1i'#include ' \ - -i tools/libs/light/libxl_device.c - - # Fix missing pkg-config dir - mkdir -p tools/pkg-config - ''; - - preBuild = '' - # PKG_CONFIG env var collides with variables used in tools Makefiles. - unset PKG_CONFIG - ''; - - passthru = { - qemu-system-i386 = if withInternalQemu - then "lib/xen/bin/qemu-system-i386" - else throw "this xen has no qemu builtin"; - }; - -})) ({ - ocamlPackages = ocaml-ng.ocamlPackages_4_14; -} // args) diff --git a/pkgs/applications/virtualization/xen/0000-fix-ipxe-src.4.15.patch b/pkgs/applications/virtualization/xen/4.16/0000-xen-ipxe-src-4.16.patch similarity index 93% rename from pkgs/applications/virtualization/xen/0000-fix-ipxe-src.4.15.patch rename to pkgs/applications/virtualization/xen/4.16/0000-xen-ipxe-src-4.16.patch index 08e9aa5ad2fb9..d96023d1946ae 100644 --- a/pkgs/applications/virtualization/xen/0000-fix-ipxe-src.4.15.patch +++ b/pkgs/applications/virtualization/xen/4.16/0000-xen-ipxe-src-4.16.patch @@ -1,21 +1,21 @@ -hack to make etherboot use prefetched ipxe +Hack to make etherboot use pre-fetched iPXE. diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile index ed9e11305f..979a3acea8 100644 --- a/tools/firmware/etherboot/Makefile +++ b/tools/firmware/etherboot/Makefile @@ -16,6 +16,7 @@ IPXE_TARBALL_URL ?= $(XEN_EXTFILES_URL)/ipxe-git-$(IPXE_GIT_TAG).tar.gz - + D=ipxe T=ipxe.tar.gz +G=ipxe.git - + ROMS = $(addprefix $D/src/bin/, $(addsuffix .rom, $(ETHERBOOT_NICS))) ROM = $D/src/bin/ipxe.bin @@ -41,9 +42,9 @@ $T: fi mv _$T $T - + -$D/src/arch/i386/Makefile: $T Config - rm -rf $D - gzip -dc $T | tar xf - diff --git a/pkgs/applications/virtualization/xen/4.16/default.nix b/pkgs/applications/virtualization/xen/4.16/default.nix new file mode 100644 index 0000000000000..33aba63846236 --- /dev/null +++ b/pkgs/applications/virtualization/xen/4.16/default.nix @@ -0,0 +1,49 @@ +{ + lib, + fetchpatch, + callPackage, + ocaml-ng, + ... +}@genericDefinition: + +let + upstreamPatches = import ../patches.nix { + inherit lib; + inherit fetchpatch; + }; + + upstreamPatchList = lib.lists.flatten [ upstreamPatches.XSA_458 ]; +in + +callPackage (import ../generic.nix { + branch = "4.16"; + version = "4.16.6"; + latest = false; + pkg = { + xen = { + rev = "4b33780de790bd438dd7cbb6143b410d94f0f049"; + hash = "sha256-2kcmfKwBo3w1U5CSxLSYSteqvzcJaB+cA7keVb3amyA="; + patches = [ ./0000-xen-ipxe-src-4.16.patch ] ++ upstreamPatchList; + }; + qemu = { + rev = "c02cb236b5e4a76cf74e641cc35a0e3ebd3e52f3"; + hash = "sha256-LwlPry04az9QQowaDG2la8PYlGOUMbZaQAsCHxj+pwM="; + patches = [ ]; + }; + seaBIOS = { + rev = "d239552ce7220e448ae81f41515138f7b9e3c4db"; + hash = "sha256-UKMceJhIprN4/4Xe4EG2EvKlanxVcEi5Qcrrk3Ogiik="; + patches = [ ]; + }; + ovmf = { + rev = "7b4a99be8a39c12d3a7fc4b8db9f0eab4ac688d5"; + hash = "sha256-Qq2RgktCkJZBsq6Ch+6tyRHhme4lfcN7d2oQfxwhQt8="; + patches = [ ]; + }; + ipxe = { + rev = "3c040ad387099483102708bb1839110bc788cefb"; + hash = "sha256-y2QdZEoGsGUQjrrvD8YRa8VoqcZSr4tjLM//I/MrsLI="; + patches = [ ]; + }; + }; +}) ({ ocamlPackages = ocaml-ng.ocamlPackages_4_14; } // genericDefinition) diff --git a/pkgs/applications/virtualization/xen/4.17/0000-xen-ipxe-src-4.17.patch b/pkgs/applications/virtualization/xen/4.17/0000-xen-ipxe-src-4.17.patch new file mode 100644 index 0000000000000..d96023d1946ae --- /dev/null +++ b/pkgs/applications/virtualization/xen/4.17/0000-xen-ipxe-src-4.17.patch @@ -0,0 +1,27 @@ +Hack to make etherboot use pre-fetched iPXE. + +diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile +index ed9e11305f..979a3acea8 100644 +--- a/tools/firmware/etherboot/Makefile ++++ b/tools/firmware/etherboot/Makefile +@@ -16,6 +16,7 @@ IPXE_TARBALL_URL ?= $(XEN_EXTFILES_URL)/ipxe-git-$(IPXE_GIT_TAG).tar.gz + + D=ipxe + T=ipxe.tar.gz ++G=ipxe.git + + ROMS = $(addprefix $D/src/bin/, $(addsuffix .rom, $(ETHERBOOT_NICS))) + ROM = $D/src/bin/ipxe.bin +@@ -41,9 +42,9 @@ $T: + fi + mv _$T $T + +-$D/src/arch/i386/Makefile: $T Config +- rm -rf $D +- gzip -dc $T | tar xf - ++$D/src/arch/i386/Makefile: $G Config ++ mkdir $D ++ cp -a $G/* $D + for i in $$(cat patches/series) ; do \ + patch -d $D -p1 --quiet Description of issue in XSA + #Extra lines + #are not indented, + #but markdown should be + #fine with it. + # Fixes: + # * [CVE-1999-00001](https://www.cve.org/CVERecord?id=CVE-1999-00001) + # * [CVE-1999-00002](https://www.cve.org/CVERecord?id=CVE-1999-00002) + # * [CVE-1999-00003](https://www.cve.org/CVERecord?id=CVE-1999-00003) + writeAdvisoryDescription = + if (lib.lists.remove null (retrievePatchAttributes [ "xsa" ]) != [ ]) then + lib.lists.zipListsWith (a: b: a + b) + (lib.lists.zipListsWith (a: b: a + "**" + b + ".**\n >") + (lib.lists.zipListsWith (a: b: "* [Xen Security Advisory #" + a + "](" + b + "): ") + (lib.lists.remove null (retrievePatchAttributes [ "xsa" ])) + ( + lib.lists.remove null (retrievePatchAttributes [ + "meta" + "homepage" + ]) + ) + ) + ( + lib.lists.remove null (retrievePatchAttributes [ + "meta" + "description" + ]) + ) + ) + ( + lib.lists.remove null (retrievePatchAttributes [ + "meta" + "longDescription" + ]) + ) + else + [ ]; + + withTools = + attr: file: + withPrefetchedSources ( + name: source: + lib.strings.optionalString (builtins.hasAttr attr source) '' + echo "processing ${name}" + __do() { + cd "tools/${name}" + ${file name source} + } + ( __do ) + '' + ); + + # Originally, there were two versions of binutils being used: the standard one and + # this patched one. Unfortunately, that required patches to the Xen Makefiles, and + # quickly became too complex to maintain. The new solution is to simply build this + # efi-binutils derivation and use it for the whole build process, except if + # enableEFI is disabled; it'll then use `binutils`. efiBinutils = binutils-unwrapped.overrideAttrs (oldAttrs: { name = "efi-binutils"; - configureFlags = oldAttrs.configureFlags ++ [ - "--enable-targets=x86_64-pep" - ]; - doInstallCheck = false; # We get a spurious failure otherwise, due to host/target mis-match + configureFlags = oldAttrs.configureFlags ++ [ "--enable-targets=x86_64-pep" ]; + doInstallCheck = false; # We get a spurious failure otherwise, due to a host/target mismatch. }); in -stdenv.mkDerivation (rec { - inherit (config) version; - - name = "xen-${version}"; +stdenv.mkDerivation (finalAttrs: { + inherit pname; + inherit version; - dontUseCmakeConfigure = true; - - hardeningDisable = [ "stackprotector" "fortify" "pic" ]; - - nativeBuildInputs = [ pkg-config cmake ]; - buildInputs = [ - which - - # Xen - bison bzip2 checkpolicy dev86 figlet flex gettext glib acpica-tools libaio - libiconv libuuid ncurses openssl perl python3Packages.python xz yajl zlib - - # oxenstored - ocamlPackages.findlib ocamlPackages.ocaml systemd + outputs = [ + "out" # TODO: Split $out in $bin for binaries and $lib for libraries. + "man" # Manual pages for Xen userspace utilities. + "dev" # Development headers. + "boot" # xen.gz kernel, policy file if Flask is enabled, xen.efi if EFI is enabled. + ]; - # Python fixes - python3Packages.wrapPython + # Main Xen source. + src = fetchgit { + url = "https://xenbits.xen.org/git-http/xen.git"; + inherit (pkg.xen) rev; + inherit (pkg.xen) hash; + }; + + # Gets the patches from the pkg.xen.patches attribute from the versioned files. + patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.xen) pkg.xen.patches; + + nativeBuildInputs = + [ + autoPatchelfHook + bison + cmake + fig2dev + flex + pandoc + pkg-config + ] + ++ lib.lists.optionals withInternalQEMU [ + ninja + python311Packages.sphinx + ]; + buildInputs = + [ + # Xen + acpica-tools + bzip2 + dev86 + e2fsprogs.dev + libnl + libuuid + lzo + ncurses + perl + python311Packages.python + xz + yajl + zlib + zstd + + # oxenstored + ocamlPackages.findlib + ocamlPackages.ocaml + systemdMinimal + + # Python Fixes + python311Packages.wrapPython + ] + ++ lib.lists.optionals withInternalQEMU [ + glib + pixman + ] + ++ lib.lists.optional withInternalOVMF nasm + ++ lib.lists.optional withFlask checkpolicy; + + configureFlags = + [ "--enable-systemd" ] + ++ lib.lists.optional (!withInternalQEMU) "--with-system-qemu" + + ++ lib.lists.optional withSeaBIOS "--with-system-seabios=${seabios}/share/seabios" + ++ lib.lists.optional (!withInternalSeaBIOS && !withSeaBIOS) "--disable-seabios" + + ++ lib.lists.optional withOVMF "--with-system-ovmf=${OVMF.firmware}" + ++ lib.lists.optional withInternalOVMF "--enable-ovmf" + + ++ lib.lists.optional withIPXE "--with-system-ipxe=${ipxe}" + ++ lib.lists.optional withInternalIPXE "--enable-ipxe"; + + makeFlags = + [ + "PREFIX=$(out)" + "CONFIG_DIR=/etc" + "XEN_EXTFILES_URL=\\$(XEN_ROOT)/xen_ext_files" + "XEN_SCRIPT_DIR=$(CONFIG_DIR)/xen/scripts" + "BASH_COMPLETION_DIR=$(PREFIX)/share/bash-completion/completions" + ] + ++ lib.lists.optionals withEFI [ + "EFI_VENDOR=${efiVendor}" + "INSTALL_EFI_STRIP=1" + "LD=${efiBinutils}/bin/ld" # See the comment in the efiBinutils definition above. + ] + # These flags set the CONFIG_* options in /boot/xen.config + # and define if the default policy file is built. However, + # the Flask binaries always get compiled by default. + ++ lib.lists.optionals withFlask [ + "XSM_ENABLE=y" + "FLASK_ENABLE=y" + ] + ++ (pkg.xen.makeFlags or [ ]); + + buildFlags = [ + "xen" # Build the Xen Hypervisor. + "tools" # Build the userspace tools, such as `xl`. + "docs" # Build the Xen Documentation + # TODO: Enable the Stubdomains target. This requires another pre-fetched source: mini-os. Currently, Xen appears to build a limited version of stubdomains which does not include mini-os. + # "stubdom" + ]; - # Documentation - python3Packages.markdown fig2dev ghostscript texinfo pandoc + enableParallelBuilding = true; - # Others - ] ++ (concatMap (x: x.buildInputs or []) (attrValues config.xenfiles)) - ++ (config.buildInputs or []); + env.NIX_CFLAGS_COMPILE = builtins.toString ( + [ + "-Wno-error=maybe-uninitialized" + "-Wno-error=array-bounds" + ] + ++ lib.lists.optionals withInternalOVMF [ + "-Wno-error=format-security" + "-Wno-error=use-after-free" + "-Wno-error=vla-parameter" + "-Wno-error=dangling-pointer" + "-Wno-error=stringop-overflow" + ] + ); - prePatch = '' - ### Generic fixes + dontUseCmakeConfigure = true; + dontUseNinjaBuild = withInternalQEMU; + prePatch = # Xen's stubdoms, tools and firmwares need various sources that # are usually fetched at build time using wget and git. We can't - # have that, so we prefetch them in nix-expression and setup - # fake wget and git for debugging purposes. - - mkdir fake-bin - - # Fake git: just print what it wants and die - cat > fake-bin/wget << EOF - #!${stdenv.shell} -e - echo ===== FAKE WGET: Not fetching \$* - [ -e \$3 ] - EOF - - # Fake git: just print what it wants and die - cat > fake-bin/git << EOF - #!${stdenv.shell} - echo ===== FAKE GIT: Not cloning \$* - [ -e \$3 ] - EOF - - chmod +x fake-bin/* - export PATH=$PATH:$PWD/fake-bin - - # Remove in-tree qemu stuff in case we build from a tar-ball - rm -rf tools/qemu-xen tools/qemu-xen-traditional - - # Fix shebangs, mainly for build-scripts - # We want to do this before getting prefetched stuff to speed things up - # (prefetched stuff has lots of files) - find . -type f | xargs sed -i 's@/usr/bin/\(python\|perl\)@/usr/bin/env \1@g' - find . -type f -not -path "./tools/hotplug/Linux/xendomains.in" \ - | xargs sed -i 's@/bin/bash@${stdenv.shell}@g' - - # Get prefetched stuff - ${withXenfiles (name: x: '' - echo "${x.src} -> tools/${name}" - cp -r ${x.src} tools/${name} - chmod -R +w tools/${name} - '')} - ''; - - patches = [ - ] ++ (config.patches or []); - - postPatch = '' - ### Hacks - - # Work around a bug in our GCC wrapper: `gcc -MF foo -v' doesn't - # print the GCC version number properly. - substituteInPlace xen/Makefile \ - --replace '$(CC) $(CFLAGS) -v' '$(CC) -v' - - # Hack to get `gcc -m32' to work without having 32-bit Glibc headers. - mkdir -p tools/include/gnu - touch tools/include/gnu/stubs-32.h - - ### Fixing everything else - - substituteInPlace tools/libfsimage/common/fsimage_plugin.c \ - --replace /usr $out - - substituteInPlace tools/misc/xenpvnetboot \ - --replace /usr/sbin/mount ${util-linux}/bin/mount \ - --replace /usr/sbin/umount ${util-linux}/bin/umount - - substituteInPlace tools/xenmon/xenmon.py \ - --replace /usr/bin/pkill ${procps}/bin/pkill - - ${optionalString (builtins.compareVersions config.version "4.8" >= 0) '' + # have that, so we pre-fetch them in the versioned Nix expressions, + # and produce fake wget and git executables for debugging purposes. + # + # We also produce a fake hostname executable to prevent spurious + # command-not-found errors during compilation. + # + # The snippet below produces executables that simply print in stdout + # what they were supposed to fetch, and exit gracefully. + '' + mkdir fake-bin + + cat > fake-bin/wget << EOF + #!${stdenv.shell} -e + echo ===== FAKE WGET: Not fetching \$* + [ -e \$3 ] + EOF + + cat > fake-bin/git << EOF + #!${stdenv.shell} + echo ===== FAKE GIT: Not cloning \$* + [ -e \$3 ] + EOF + + cat > fake-bin/hostname << EOF + #!${stdenv.shell} + echo ${efiVendor} + [ -e \$3 ] + EOF + + chmod +x fake-bin/* + export PATH=$PATH:$PWD/fake-bin + '' + + # Remove in-tree QEMU sources, as we either pre-fetch them through + # the versioned Nix expressions if withInternalQEMU is true, or we + # don't build QEMU at all if withInternalQEMU is false. + + '' + rm --recursive --force tools/qemu-xen tools/qemu-xen-traditional + '' + + # The following expression moves the sources we fetched in the + # versioned Nix expressions to their correct locations inside + # the Xen source tree. + + '' + ${withPrefetchedSources ( + name: source: '' + echo "Copying pre-fetched source: ${source.src} -> tools/${name}" + cp --recursive ${source.src} tools/${name} + chmod --recursive +w tools/${name} + '' + )} + ''; + + postPatch = + # The following patch forces Xen to install xen.efi on $out/boot + # instead of $out/boot/efi/efi/nixos, as the latter directory + # would otherwise need to be created manually. This also creates + # a more consistent output for downstreams who override the + # efiVendor attribute above. + '' + substituteInPlace xen/Makefile \ + --replace-fail "\$(D)\$(EFI_MOUNTPOINT)/efi/\$(EFI_VENDOR)/\$(T)-\$(XEN_FULLVERSION).efi" \ + "\$(D)\$(BOOT_DIR)/\$(T)-\$(XEN_FULLVERSION).efi" + '' + + # The following patch fixes the call to /bin/mkdir on the + # launch_xenstore.sh helper script. + + '' substituteInPlace tools/hotplug/Linux/launch-xenstore.in \ - --replace /bin/mkdir mkdir - ''} - - ${optionalString (builtins.compareVersions config.version "4.6" < 0) '' - # TODO: use this as a template and support our own if-up scripts instead? - substituteInPlace tools/hotplug/Linux/xen-backend.rules.in \ - --replace "@XEN_SCRIPT_DIR@" $out/etc/xen/scripts - - # blktap is not provided by xen, but by xapi - sed -i '/blktap/d' tools/hotplug/Linux/xen-backend.rules.in - ''} - - ${withTools "patches" (name: x: '' - ${concatMapStringsSep "\n" (p: '' - echo "# Patching with ${p}" - patch -p1 < ${p} - '') x.patches} - '')} - - ${withTools "postPatch" (name: x: x.postPatch)} - - ${config.postPatch or ""} - ''; - - postConfigure = '' - substituteInPlace tools/hotplug/Linux/xendomains \ - --replace /bin/ls ls - ''; - - EFI_LD = "${efiBinutils}/bin/ld"; - EFI_VENDOR = "nixos"; - - # TODO: Flask needs more testing before enabling it by default. - #makeFlags = [ "XSM_ENABLE=y" "FLASK_ENABLE=y" "PREFIX=$(out)" "CONFIG_DIR=/etc" "XEN_EXTFILES_URL=\\$(XEN_ROOT)/xen_ext_files" ]; - makeFlags = [ "PREFIX=$(out) CONFIG_DIR=/etc" "XEN_SCRIPT_DIR=/etc/xen/scripts" ] - ++ (config.makeFlags or []); - - preBuild = '' - ${config.preBuild or ""} - ''; - - buildFlags = [ "xen" "tools" ]; + --replace-fail "/bin/mkdir" "${coreutils}/bin/mkdir" + '' + + # The following expression fixes the paths called by Xen's systemd + # units, so we can use them in the NixOS module. + + '' + substituteInPlace \ + tools/hotplug/Linux/systemd/{xen-init-dom0,xen-qemu-dom0-disk-backend,xenconsoled,xendomains,xenstored}.service.in \ + --replace-fail /bin/grep ${gnugrep}/bin/grep + substituteInPlace \ + tools/hotplug/Linux/systemd/{xen-qemu-dom0-disk-backend,xenconsoled}.service.in \ + --replace-fail "/bin/mkdir" "${coreutils}/bin/mkdir" + '' + + # The following expression applies the patches defined on each + # prefetchedSources attribute. + + '' + ${withTools "patches" ( + name: source: '' + ${lib.strings.concatMapStringsSep "\n" (patch: '' + echo "Patching with ${patch}" + patch --strip 1 < ${patch} + '') source.patches} + '' + )} + + ${withTools "postPatch" (name: source: source.postPatch)} + + ${pkg.xen.postPatch or ""} + ''; + + preBuild = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "preBuild" ] pkg.xen) pkg.xen.preBuild; postBuild = '' - make -C docs man-pages - - ${withTools "buildPhase" (name: x: x.buildPhase)} - ''; - - installPhase = '' - mkdir -p $out $out/share $out/share/man - cp -prvd dist/install/nix/store/*/* $out/ - cp -prvd dist/install/boot $out/boot - cp -prvd dist/install/etc $out - cp -dR docs/man1 docs/man5 $out/share/man/ - - ${withTools "installPhase" (name: x: x.installPhase)} - - # Hack - substituteInPlace $out/etc/xen/scripts/hotplugpath.sh \ - --replace SBINDIR=\"$out/sbin\" SBINDIR=\"$out/bin\" + ${withTools "buildPhase" (name: source: source.buildPhase)} - wrapPythonPrograms - # We also need to wrap pygrub, which lies in lib - wrapPythonProgramsIn "$out/lib" "$out $pythonPath" - - shopt -s extglob - for i in $out/etc/xen/scripts/!(*.sh); do - sed -i "2s@^@export PATH=$out/bin:${scriptEnvPath}\n@" $i - done + ${pkg.xen.postBuild or ""} ''; - enableParallelBuilding = true; + installPhase = + let + cpFlags = builtins.toString [ + "--preserve=mode,ownership,timestamps,link" + "--recursive" + "--verbose" + "--no-dereference" + ]; + in + # Run the preInstall tasks. + '' + runHook preInstall + '' + + # Create $out directories and copy build output. + + '' + mkdir --parents $out $out/share $boot + cp ${cpFlags} dist/install/nix/store/*/* $out/ + cp ${cpFlags} dist/install/etc $out + cp ${cpFlags} dist/install/boot $boot + '' + + # Run the postInstall tasks. + + '' + runHook postInstall + ''; + + postInstall = + # Wrap xencov_split, xenmon and xentrace_format. + '' + wrapPythonPrograms + '' + + # We also need to wrap pygrub, which lies in $out/libexec/xen/bin. + + '' + wrapPythonProgramsIn "$out/libexec/xen/bin" "$out $pythonPath" + '' + + # Fix shebangs in Xen's various scripts. + #TODO: Remove any and all usage of `sed` and replace these complicated magic runes with readable code. + + '' + shopt -s extglob + for i in $out/etc/xen/scripts/!(*.sh); do + sed --in-place "2s@^@export PATH=$out/bin:${scriptEnvPath}\n@" $i + done + '' + + + '' + ${withTools "installPhase" (name: source: source.installPhase)} + + ${pkg.xen.installPhase or ""} + ''; + + postFixup = + # Fix binaries in $out/lib/xen/bin. + '' + addAutoPatchelfSearchPath $out/lib + autoPatchelf $out/libexec/xen/bin/ + '' + # Flask is particularly hard to disable. Even after + # setting the make flags to `n`, it still gets compiled. + # If withFlask is disabled, delete the extra binaries. + + lib.strings.optionalString (!withFlask) '' + rm -f $out/bin/flask-* + ''; + + passthru = { + efi = + if withEFI then "boot/xen-${version}.efi" else throw "This Xen was compiled without an EFI binary."; + flaskPolicy = + if withFlask then + "boot/xenpolicy-${version}" + else + throw "This Xen was compiled without FLASK support."; + qemu-system-i386 = + if withInternalQEMU then + "libexec/xen/bin/qemu-system-i386" + else + throw "This Xen was compiled without a built-in QEMU."; + # This test suite is very simple, as Xen's userspace + # utilities require the hypervisor to be booted. + tests = { + pkg-config = testers.hasPkgConfigModules { + package = finalAttrs.finalPackage; + moduleNames = [ + "xencall" + "xencontrol" + "xendevicemodel" + "xenevtchn" + "xenforeignmemory" + "xengnttab" + "xenguest" + "xenhypfs" + "xenlight" + "xenstat" + "xenstore" + "xentoolcore" + "xentoollog" + "xenvchan" + "xlutil" + ]; + }; + }; + }; - # TODO(@oxij): Stop referencing args here meta = { - homepage = "http://www.xen.org/"; - description = "Xen hypervisor and related components" - + optionalString (args ? meta && args.meta ? description) - " (${args.meta.description})"; - longDescription = (args.meta.longDescription or "") - + "\nIncludes:\n" - + withXenfiles (name: x: "* ${name}: ${x.meta.description or "(No description)"}."); - platforms = [ "x86_64-linux" ]; - maintainers = [ ]; - license = lib.licenses.gpl2; - knownVulnerabilities = [ - # https://www.openwall.com/lists/oss-security/2023/03/21/1 - # Affects 3.2 (at *least*) - 4.17 - "CVE-2022-42332" - # https://www.openwall.com/lists/oss-security/2023/03/21/2 - # Affects 4.11 - 4.17 - "CVE-2022-42333" - "CVE-2022-42334" - # https://www.openwall.com/lists/oss-security/2023/03/21/3 - # Affects 4.15 - 4.17 - "CVE-2022-42331" - # https://xenbits.xen.org/docs/unstable/support-matrix.html - ] ++ lib.optionals (lib.versionOlder version "4.15") [ - "This version of Xen has reached its end of life. See https://xenbits.xen.org/docs/unstable/support-matrix.html" + inherit branch; + # Short description for Xen. + description = + "Xen Hypervisor" + # The "and related components" addition is automatically hidden if said components aren't being built. + + lib.strings.optionalString (prefetchedSources != { }) " and related components" + # To alter the description inside the paranthesis, edit ./packages.nix. + + lib.strings.optionalString (lib.attrsets.hasAttrByPath [ + "meta" + "description" + ] packageDefinition) " (${packageDefinition.meta.description})"; + # Long description for Xen. + longDescription = + # Starts with the longDescription from ./packages.nix. + (packageDefinition.meta.longDescription or "") + + + lib.strings.optionalString (!withInternalQEMU) + "\nUse with `qemu_xen_${lib.stringAsChars (x: if x == "." then "_" else x) branch}`" + + lib.strings.optionalString latest "or `qemu_xen`" + + "." + # Then, if any of the optional with* components are being built, add the "Includes:" string. + + + lib.strings.optionalString + ( + withInternalQEMU + || withInternalSeaBIOS + || withInternalOVMF + || withInternalIPXE + || withEFI + || withFlask + ) + ( + "\nIncludes:\n" + # Originally, this was a call for the complicated withPrefetchedSources. Since there aren't + # that many optional components, we just use lib.strings.optionalString, because it's simpler. + # Optional components that aren't being built are automatically hidden. + + lib.strings.optionalString withEFI "* `xen.efi`: Xen's [EFI binary](https://xenbits.xenproject.org/docs/${branch}-testing/misc/efi.html), available on the `boot` output of this package.\n" + + lib.strings.optionalString withFlask "* `xsm-flask`: The [FLASK Xen Security Module](https://wiki.xenproject.org/wiki/Xen_Security_Modules_:_XSM-FLASK). The `xenpolicy-${version}` file is available on the `boot` output of this package.\n" + + lib.strings.optionalString withInternalQEMU "* `qemu-xen`: Xen's mirror of [QEMU](https://www.qemu.org/).\n" + + lib.strings.optionalString withInternalSeaBIOS "* `seabios-xen`: Xen's mirror of [SeaBIOS](https://www.seabios.org/SeaBIOS).\n" + + lib.strings.optionalString withInternalOVMF "* `ovmf-xen`: Xen's mirror of [OVMF](https://github.com/tianocore/tianocore.github.io/wiki/OVMF).\n" + + lib.strings.optionalString withInternalIPXE "* `ipxe-xen`: Xen's pinned version of [iPXE](https://ipxe.org/).\n" + ) + # Finally, we write a notice explaining which vulnerabilities this Xen is NOT vulnerable to. + # This will hopefully give users the peace of mind that their Xen is secure, without needing + # to search the source code for the XSA patches. + + lib.strings.optionalString (writeAdvisoryDescription != [ ]) ( + "\nThis Xen (${version}) has been patched against the following known security vulnerabilities:\n" + + lib.strings.removeSuffix "\n" (lib.strings.concatLines writeAdvisoryDescription) + ); + homepage = "https://xenproject.org/"; + downloadPage = "https://downloads.xenproject.org/release/xen/${version}/"; + changelog = "https://wiki.xenproject.org/wiki/Xen_Project_${branch}_Release_Notes"; + license = with lib.licenses; [ + # Documentation. + cc-by-40 + # Most of Xen is licensed under the GPL v2.0. + gpl2Only + # Xen Libraries and the `xl` command-line utility. + lgpl21Only + # Development headers in $dev/include. + mit + ]; + maintainers = [ lib.maintainers.sigmasquadron ]; + mainProgram = "xl"; + # Evaluates to x86_64-linux. + platforms = lib.lists.intersectLists lib.platforms.linux lib.platforms.x86_64; + knownVulnerabilities = lib.lists.optionals (lib.strings.versionOlder version "4.16") [ + "Xen ${version} is no longer supported by the Xen Security Team. See https://xenbits.xenproject.org/docs/unstable/support-matrix.html" ]; - } // (config.meta or {}); -} // removeAttrs config [ "xenfiles" "buildInputs" "patches" "postPatch" "meta" ]) + }; +}) diff --git a/pkgs/applications/virtualization/xen/packages.nix b/pkgs/applications/virtualization/xen/packages.nix index c55a719995c0b..96bd42e052013 100644 --- a/pkgs/applications/virtualization/xen/packages.nix +++ b/pkgs/applications/virtualization/xen/packages.nix @@ -1,58 +1,68 @@ -{ callPackage - -}: - -# TODO(@oxij) on new Xen version: generalize this to generate [vanilla slim -# light] for each ./.nix. - -rec { - xen_4_15-vanilla = callPackage ./4.15.nix { +{ callPackage }: +let + standard = { meta = { - description = "vanilla"; + description = "Standard Xen"; longDescription = '' - Vanilla version of Xen. Uses forks of Qemu and Seabios bundled - with Xen. This gives vanilla experince, but wastes space and - build time: typical NixOS setup that runs lots of VMs will - build three different versions of Qemu when using this (two - forks and upstream). + Standard version of Xen. Uses forks of QEMU, SeaBIOS, OVMF and iPXE provided + by the Xen Project. This provides the vanilla Xen experince, but wastes space + and build time. A typical NixOS setup that runs lots of VMs will usually need + to build two different versions of QEMU when using this Xen derivation (one + fork and upstream). ''; }; }; - - xen_4_15-slim = xen_4_15-vanilla.override { - withInternalQemu = false; - withInternalTraditionalQemu = true; - withInternalSeabios = false; - withSeabios = true; - + slim = { meta = { - description = "slim"; + description = "Without Internal Components"; longDescription = '' - Slimmed-down version of Xen that reuses nixpkgs packages as - much as possible. Different parts may get out of sync, but - this builds faster and uses less space than vanilla. Use with - `qemu_xen` from nixpkgs. + Slimmed-down version of Xen that reuses nixpkgs packages as much as possible. + Instead of using the Xen forks for various internal components, this version uses + `seabios`, `ovmf` and `ipxe` from nixpkgs. These components may ocasionally get + out of sync with the hypervisor itself, but this builds faster and uses less space + than the default derivation. ''; }; }; +in +# TODO: generalise this to automatically generate both Xen variants for each .//default.nix. +rec { + xen_4_19 = callPackage ./4.19/default.nix { inherit (standard) meta; }; + xen_4_19-slim = xen_4_19.override { + withInternalQEMU = false; + withInternalSeaBIOS = false; + withInternalOVMF = false; + withInternalIPXE = false; + inherit (slim) meta; + }; - xen_4_15-light = xen_4_15-vanilla.override { - withInternalQemu = false; - withInternalTraditionalQemu = false; - withInternalSeabios = false; - withSeabios = true; + xen_4_18 = callPackage ./4.18/default.nix { inherit (standard) meta; }; + xen_4_18-slim = xen_4_18.override { + withInternalQEMU = false; + withInternalSeaBIOS = false; + withInternalOVMF = false; + withInternalIPXE = false; + inherit (slim) meta; + }; - meta = { - description = "light"; - longDescription = '' - Slimmed-down version of Xen without `qemu-traditional` (you - don't need it if you don't know what it is). Use with - `qemu_xen-light` from nixpkgs. - ''; - }; + xen_4_17 = callPackage ./4.17/default.nix { inherit (standard) meta; }; + xen_4_17-slim = xen_4_17.override { + withInternalQEMU = false; + withInternalSeaBIOS = false; + withInternalOVMF = false; + withInternalIPXE = false; + inherit (slim) meta; + }; + + xen_4_16 = callPackage ./4.16/default.nix { inherit (standard) meta; }; + xen_4_16-slim = xen_4_16.override { + withInternalQEMU = false; + withInternalSeaBIOS = false; + withInternalOVMF = false; + withInternalIPXE = false; + inherit (slim) meta; }; - xen-vanilla = xen_4_15-vanilla; - xen-slim = xen_4_15-slim; - xen-light = xen_4_15-light; + xen = xen_4_19; + xen-slim = xen_4_19-slim; } diff --git a/pkgs/applications/virtualization/xen/patches.nix b/pkgs/applications/virtualization/xen/patches.nix new file mode 100644 index 0000000000000..050bb91a544c5 --- /dev/null +++ b/pkgs/applications/virtualization/xen/patches.nix @@ -0,0 +1,114 @@ +# Patching Xen? Check the XSAs at https://xenbits.xen.org/xsa/ +# and try applying all the ones we haven't gotten around to +# yet, if any are necessary. Patches from other downstreams +# are also welcome if they fix important issues with vanilla Xen. + +{ lib, fetchpatch }: + +let + xsaPatch = + { + id, + title, + description, + type ? "xsa", + hash ? "", + cve ? null, + }: + (fetchpatch { + name = + "XSA-" + id + lib.strings.optionalString (cve != null) ("-" + builtins.concatStringsSep "+" cve); + url = "https://xenbits.xen.org/xsa/xsa${id}.patch"; + inherit hash; + passthru = { + xsa = id; + inherit type; + }; + meta = { + description = title; + longDescription = + description + + "\n" + + ( + if (cve == null) then + # Why the two spaces preceding these CVE messages? + # This is parsed by writeAdvisoryDescription in generic.nix, + # and doing this was easier than messing with lib.strings even more. + " _No CVE was assigned to this XSA._" + else + " Fixes:${ + lib.strings.concatMapStrings ( + x: "\n * [" + x + "](https://www.cve.org/CVERecord?id=" + x + ")" + ) cve + }" + ); + homepage = "https://xenbits.xenproject.org/xsa/advisory-${id}.html"; + }; + }); + qubesPatch = + { + name, + tag, + type ? "qubes", + hash ? "", + }: + (fetchpatch { + inherit name; + url = "https://raw.githubusercontent.com/QubesOS/qubes-vmm-xen/v${tag}/${name}.patch"; + inherit hash; + passthru.type = type; + }); +in +{ + # Example patches: + # + # "XSA_100" = xsaPatch { + # id = "100"; + # name = "Verbatim Title of XSA"; + # cve = [ "CVE-1999-0001" "CVE-1999-0002" ]; # Not all XSAs have CVEs. This attribute is optional. + # hash = "sha256-0000000000000000000000000000000000000000000000000000"; + # }; + # + # "QUBES_libxl-fix-all-issues" = qubesPatch { + # name = "1000-libxl-fix-all-issues"; + # tag = "4.20.0-1"; + # hash = "sha256-0000000000000000000000000000000000000000000000000000"; + # }; + + # Build reproducibility patches for Xen. + # Qubes OS has not updated them to later versions of Xen yet, + # but they appear to work on Xen 4.17.4 - 4.19.0. + QUBES_REPRODUCIBLE_BUILDS = [ + (qubesPatch { + name = "1100-Define-build-dates-time-based-on-SOURCE_DATE_EPOCH"; + tag = "4.17.4-5"; + hash = "sha256-OwKA9oPTwhRcSmiOb+PxzifbO/IG8IHWlvddFh/nP6s="; + }) + (qubesPatch { + name = "1101-docs-rename-DATE-to-PANDOC_REL_DATE-and-allow-to-spe"; + tag = "4.17.4-5"; + hash = "sha256-BUtYt0mM3bURVaGv4oDznzxx1Wo4sfOpGV5GB8qc5Ns="; + }) + (qubesPatch { + name = "1102-docs-xen-headers-use-alphabetical-sorting-for-incont"; + tag = "4.17.4-5"; + hash = "sha256-mQUp2w9lUb7KDq5MuPQjs6y7iuMDeXoZjDjlXfa5z44="; + }) + ]; + + # Xen Security Advisory #458: (4.16 - 4.19-rc3) + "XSA_458" = xsaPatch { + id = "458"; + title = "Double unlock in x86 guest IRQ handling"; + description = '' + An optional feature of PCI MSI called "Multiple Message" allows a device + to use multiple consecutive interrupt vectors. Unlike for MSI-X, the + setting up of these consecutive vectors needs to happen all in one go. + In this handling an error path could be taken in different situations, + with or without a particular lock held. This error path wrongly releases + the lock even when it is not currently held. + ''; + cve = [ "CVE-2024-31143" ]; + hash = "sha256-yHI9Sp/7Ed40iIYQ/HOOIULlfzAzL0c0MGqdF+GR+AQ="; + }; +} diff --git a/pkgs/applications/virtualization/xen/xsa-patches.nix b/pkgs/applications/virtualization/xen/xsa-patches.nix deleted file mode 100644 index d789697a55991..0000000000000 --- a/pkgs/applications/virtualization/xen/xsa-patches.nix +++ /dev/null @@ -1,493 +0,0 @@ -{ fetchpatch }: - -let - xsaPatch = { name , sha256 }: (fetchpatch { - url = "https://xenbits.xen.org/xsa/xsa${name}.patch"; - inherit sha256; - }); -in { - # 4.5 - XSA_190 = (xsaPatch { - name = "190-4.5"; - sha256 = "0f8pw38kkxky89ny3ic5h26v9zsjj9id89lygx896zc3w1klafqm"; - }); - - # 4.5 - XSA_191 = (xsaPatch { - name = "191-4.6"; - sha256 = "1wl1ndli8rflmc44pkp8cw4642gi8z7j7gipac8mmlavmn3wdqhg"; - }); - - # 4.5 - XSA_192 = (xsaPatch { - name = "192-4.5"; - sha256 = "0m8cv0xqvx5pdk7fcmaw2vv43xhl62plyx33xqj48y66x5z9lxpm"; - }); - - # 4.5 - XSA_193 = (xsaPatch { - name = "193-4.5"; - sha256 = "0k9mykhrpm4rbjkhv067f6s05lqmgnldcyb3vi8cl0ndlyh66lvr"; - }); - - # 4.5 - XSA_195 = (xsaPatch { - name = "195"; - sha256 = "0m0g953qnjy2knd9qnkdagpvkkgjbk3ydgajia6kzs499dyqpdl7"; - }); - - # 4.5 - XSA_196 = [ - (xsaPatch { - name = "196-0001-x86-emul-Correct-the-IDT-entry-calculation-in-inject"; - sha256 = "0z53nzrjvc745y26z1qc8jlg3blxp7brawvji1hx3s74n346ssl6"; - }) - (xsaPatch { - name = "196-0002-x86-svm-Fix-injection-of-software-interrupts"; - sha256 = "11cqvr5jn2s92wsshpilx9qnfczrd9hnyb5aim6qwmz3fq3hrrkz"; - }) - ]; - - # 4.5 - XSA_198 = (xsaPatch { - name = "198"; - sha256 = "0d1nndn4p520c9xa87ixnyks3mrvzcri7c702d6mm22m8ansx6d9"; - }); - - # 4.5 - XSA_200 = (xsaPatch { - name = "200-4.6"; - sha256 = "0k918ja83470iz5k4vqi15293zjvz2dipdhgc9sy9rrhg4mqncl7"; - }); - - # 4.5 - XSA_202_45 = (xsaPatch { - name = "202-4.6"; - sha256 = "0nnznkrvfbbc8z64dr9wvbdijd4qbpc0wz2j5vpmx6b32sm7932f"; - }); - - # 4.5 - XSA_204_45 = (xsaPatch { - name = "204-4.5"; - sha256 = "083z9pbdz3f532fnzg7n2d5wzv6rmqc0f4mvc3mnmkd0rzqw8vcp"; - }); - - # 4.5 - XSA_206_45 = [ - (xsaPatch { - name = "206-4.5/0001-xenstored-apply-a-write-transaction-rate-limit"; - sha256 = "07vsm8mlbxh2s01ny2xywnm1bqhhxas1az31fzwb6f1g14vkzwm4"; - }) - (xsaPatch { - name = "206-4.5/0002-xenstored-Log-when-the-write-transaction-rate-limit-"; - sha256 = "17pnvxjmhny22abwwivacfig4vfsy5bqlki07z236whc2y7yzbsx"; - }) - (xsaPatch { - name = "206-4.5/0003-oxenstored-refactor-putting-response-on-wire"; - sha256 = "0xf566yicnisliy82cydb2s9k27l3bxc43qgmv6yr2ir3ixxlw5s"; - }) - (xsaPatch { - name = "206-4.5/0004-oxenstored-remove-some-unused-parameters"; - sha256 = "16cqx9i0w4w3x06qqdk9rbw4z96yhm0kbc32j40spfgxl82d1zlk"; - }) - (xsaPatch { - name = "206-4.5/0005-oxenstored-refactor-request-processing"; - sha256 = "1g2hzlv7w03sqnifbzda85mwlz3bw37rk80l248180sv3k7k6bgv"; - }) - (xsaPatch { - name = "206-4.5/0006-oxenstored-keep-track-of-each-transaction-s-operatio"; - sha256 = "0n65yfxvpfd4cz95dpbwqj3nablyzq5g7a0klvi2y9zybhch9cmg"; - }) - (xsaPatch { - name = "206-4.5/0007-oxenstored-move-functions-that-process-simple-operat"; - sha256 = "0qllvbc9rnj7jhhlslxxs35gvphvih0ywz52jszj4irm23ka5vnz"; - }) - (xsaPatch { - name = "206-4.5/0008-oxenstored-replay-transaction-upon-conflict"; - sha256 = "0lixkxjfzciy9l0f980cmkr8mcsx14c289kg0mn5w1cscg0hb46g"; - }) - (xsaPatch { - name = "206-4.5/0009-oxenstored-log-request-and-response-during-transacti"; - sha256 = "09ph8ddcx0k7rndd6hx6kszxh3fhxnvdjsq13p97n996xrpl1x7b"; - }) - (xsaPatch { - name = "206-4.5/0010-oxenstored-allow-compilation-prior-to-OCaml-3.12.0"; - sha256 = "1y0m7sqdz89z2vs4dfr45cyvxxas323rxar0xdvvvivgkgxawvxj"; - }) - (xsaPatch { - name = "206-4.5/0011-oxenstored-comments-explaining-some-variables"; - sha256 = "1d3n0y9syya4kaavrvqn01d3wsn85gmw7qrbylkclznqgkwdsr2p"; - }) - (xsaPatch { - name = "206-4.5/0012-oxenstored-handling-of-domain-conflict-credit"; - sha256 = "12zgid5y9vrhhpk2syxp0x01lzzr6447fa76n6rjmzi1xgdzpaf8"; - }) - (xsaPatch { - name = "206-4.5/0013-oxenstored-ignore-domains-with-no-conflict-credit"; - sha256 = "0v3g9pm60w6qi360hdqjcw838s0qcyywz9qpl8gzmhrg7a35avxl"; - }) - (xsaPatch { - name = "206-4.5/0014-oxenstored-add-transaction-info-relevant-to-history-"; - sha256 = "0vv3w0h5xh554i9v2vbc8gzm8wabjf2vzya3dyv5yzvly6ygv0sb"; - }) - (xsaPatch { - name = "206-4.5/0015-oxenstored-support-commit-history-tracking"; - sha256 = "1iv2vy29g437vj73x9p33rdcr5ln2q0kx1b3pgxq202ghbc1x1zj"; - }) - (xsaPatch { - name = "206-4.5/0016-oxenstored-only-record-operations-with-side-effects-"; - sha256 = "1cjkw5ganbg6lq78qsg0igjqvbgph3j349faxgk1p5d6nr492zzy"; - }) - (xsaPatch { - name = "206-4.5/0017-oxenstored-discard-old-commit-history-on-txn-end"; - sha256 = "0lm15lq77403qqwpwcqvxlzgirp6ffh301any9g401hs98f9y4ps"; - }) - (xsaPatch { - name = "206-4.5/0018-oxenstored-track-commit-history"; - sha256 = "1jh92p6vjhkm3bn5vz260npvsjji63g2imsxflxs4f3r69sz1nkd"; - }) - (xsaPatch { - name = "206-4.5/0019-oxenstored-blame-the-connection-that-caused-a-transa"; - sha256 = "17k264pk0fvsamj85578msgpx97mw63nmj0j9v5hbj4bgfazvj4h"; - }) - (xsaPatch { - name = "206-4.5/0020-oxenstored-allow-self-conflicts"; - sha256 = "15z3rd49q0pa72si0s8wjsy2zvbm613d0hjswp4ikc6nzsnsh4qy"; - }) - (xsaPatch { - name = "206-4.5/0021-oxenstored-do-not-commit-read-only-transactions"; - sha256 = "04wpzazhv90lg3228z5i6vnh1z4lzd08z0d0fvc4br6pkd0w4va8"; - }) - (xsaPatch { - name = "206-4.5/0022-oxenstored-don-t-wake-to-issue-no-conflict-credit"; - sha256 = "1shbrn0w68rlywcc633zcgykfccck1a77igmg8ydzwjsbwxsmsjy"; - }) - (xsaPatch { - name = "206-4.5/0023-oxenstored-transaction-conflicts-improve-logging"; - sha256 = "1086y268yh8047k1vxnxs2nhp6izp7lfmq01f1gq5n7jiy1sxcq7"; - }) - (xsaPatch { - name = "206-4.5/0024-oxenstored-trim-history-in-the-frequent_ops-function"; - sha256 = "014zs6i4gzrimn814k5i7gz66vbb0adkzr2qyai7i4fxc9h9r7w8"; - }) - ]; - - # 4.5 - 4.8 - XSA_207 = (xsaPatch { - name = "207"; - sha256 = "0wdlhijmw9mdj6a82pyw1rwwiz605dwzjc392zr3fpb2jklrvibc"; - }); - - # 4.5 - 4.8 - XSA_212 = (xsaPatch { - name = "212"; - sha256 = "1ggjbbym5irq534a3zc86md9jg8imlpc9wx8xsadb9akgjrr1r8d"; - }); - - # 4.5 - XSA_213_45 = (xsaPatch { - name = "213-4.5"; - sha256 = "1vnqf89ydacr5bq3d6z2r33xb2sn5vsd934rncyc28ybc9rvj6wm"; - }); - - # 4.5 - 4.8 - XSA_214 = (xsaPatch { - name = "214"; - sha256 = "0qapzx63z0yl84phnpnglpkxp6b9sy1y7cilhwjhxyigpfnm2rrk"; - }); - - # 4.5 - XSA_215 = (xsaPatch { - name = "215"; - sha256 = "0sv8ccc5xp09f1w1gj5a9n3mlsdsh96sdb1n560vh31f4kkd61xs"; - }); - - # 4.5 - XSA_217_45 = (xsaPatch { - name = "217-4.5"; - sha256 = "067pgsfrb9py2dhm1pk9g8f6fs40vyfrcxhj8c12vzamb6svzmn4"; - }); - - # 4.5 - XSA_218_45 = [ - (xsaPatch { - name = "218-4.5/0001-IOMMU-handle-IOMMU-mapping-and-unmapping-failures"; - sha256 = "00y6j3yjxw0igpldsavikmhlxw711k2jsj1qx0s05w2k608gadkq"; - }) - (xsaPatch { - name = "218-4.5/0002-gnttab-fix-unmap-pin-accounting-race"; - sha256 = "0qbbfnnjlpdcd29mzmacfmi859k92c213l91q7w1rg2k6pzx928k"; - }) - (xsaPatch { - name = "218-4.5/0003-gnttab-Avoid-potential-double-put-of-maptrack-entry"; - sha256 = "1cndzvyhf41mk4my6vh3bk9jvh2y4gpmqdhvl9zhxhmppszslqkc"; - }) - (xsaPatch { - name = "218-4.5/0004-gnttab-correct-maptrack-table-accesses"; - sha256 = "02zpb0ffigijacqvyyjylwx3qpgibwslrka7mbxwnclf4s9c03a2"; - }) - ]; - - # 4.5 - XSA_219_45 = (xsaPatch { - name = "219-4.5"; - sha256 = "003msr5vhsc66scmdpgn0lp3p01g4zfw5vj86y5lw9ajkbaywdsm"; - }); - - # 4.5 - XSA_220_45 = (xsaPatch { - name = "220-4.5"; - sha256 = "1dj9nn6lzxlipjb3nb7b9m4337fl6yn2bd7ap1lqrjn8h9zkk1pp"; - }); - - # 4.5 - 4.8 - XSA_221 = (xsaPatch { - name = "221"; - sha256 = "1mcr1nqgxyjrkywdg7qhlfwgz7vj2if1dhic425vgd41p9cdgl26"; - }); - - # 4.5 - XSA_222_45 = [ - (xsaPatch { - name = "222-1-4.6"; - sha256 = "1g4dqm5qx4wqlv1520jpfiscph95vllcp4gqp1rdfailk8xi0mcf"; - }) - (xsaPatch { - name = "222-2-4.5"; - sha256 = "1hw8rhc7q4v309f4w11gxfsn5x1pirvxkg7s4kr711fnmvp9hkzd"; - }) - ]; - - # 4.5 - 4.8 - XSA_223 = (xsaPatch { - name = "223"; - sha256 = "0803gjgcbq9vaz2mq0v5finf1fq8iik1g4hqsjqhjxvspn8l70c5"; - }); - - # 4.5 - XSA_224_45 = [ - (xsaPatch { - name = "224-4.5/0001-gnttab-Fix-handling-of-dev_bus_addr-during-unmap"; - sha256 = "1aislj66ss4cb3v2bh12mrqsyrf288d4h54rj94jjq7h1hnycw7h"; - }) - (xsaPatch { - name = "224-4.5/0002-gnttab-never-create-host-mapping-unless-asked-to"; - sha256 = "1j6fgm1ccb07gg0mi5qmdr0vqwwc3n12z433g1jrija2gbk1x8aq"; - }) - (xsaPatch { - name = "224-4.5/0003-gnttab-correct-logic-to-get-page-references-during-m"; - sha256 = "166kmicwx280fjqjvgigbmhabjksa0hhvqx5h4v6kjlcjpmxqy08"; - }) - (xsaPatch { - name = "224-4.5/0004-gnttab-__gnttab_unmap_common_complete-is-all-or-noth"; - sha256 = "1skc0yj1zsn8xgyq1y57bdc0scvvlmd0ynrjwwf1zkias1wlilav"; - }) - ]; - - # 4.5 - XSA_226_45 = [ - (xsaPatch { - name = "226-4.5/0001-gnttab-dont-use-possibly-unbounded-tail-calls"; - sha256 = "1hx47ppv5q33cw4dwp82lgvv4fp28gx7rxijw0iaczsv8bvb8vcg"; - }) - (xsaPatch { - name = "226-4.5/0002-gnttab-fix-transitive-grant-handling"; - sha256 = "1gzp8m2zfihwlk71c3lqyd0ajh9h11pvkhzhw0mawckxy0qksvlc"; - }) - ]; - - # 4.5 - XSA_227_45 = (xsaPatch { - name = "227-4.5"; - sha256 = "1qfjfisgqm4x98qw54x2qrvgjnvvzizx9p1pjhcnsps9q6g1y3x8"; - }); - - # 4.5 - 4.9 - XSA_230 = (xsaPatch { - name = "230"; - sha256 = "10x0j7wmzkrwycs1ng89fgjzvzh8vsdd4c5nb68b3j1azdx4ld83"; - }); - - # 4.5 - XSA_231_45 = (xsaPatch { - name = "231-4.5"; - sha256 = "06gwx2f1lg51dfk2b4zxp7wv9c4pxdi87pg2asvmxqc78ir7l5s6"; - }); - - # 4.5 - 4.9 - XSA_232 = (xsaPatch { - name = "232"; - sha256 = "0n6irjpmraa3hbxxm64a1cplc6y6g07x7v2fmlpvn70ql3fs0220"; - }); - - # 4.5 - 4.9 - XSA_233 = (xsaPatch { - name = "233"; - sha256 = "1w3m8349cqav56av63w6jzvlsv4jw5rimwvskr9pq2rcbk2dx8kf"; - }); - - # 4.5 - XSA_234_45 = (xsaPatch { - name = "234-4.5"; - sha256 = "1ji6hbgybb4gbgz5l5fis9midnvjbddzam8d63377rkzdyb3yz9f"; - }); - - # 4.5 - XSA_235_45 = (xsaPatch { - name = "235-4.5"; - sha256 = "0hhgnql2gji111020z4wiyzg23wqs6ymanb67rg11p4qad1fp3ff"; - }); - - # 4.5 - XSA_236_45 = (xsaPatch { - name = "236-4.5"; - sha256 = "0hcla86x81wykssd2967gblp7fzx61290p4ls4v0hcyxdg2bs2yz"; - }); - - # 4.5 - XSA_237_45 = [ - (xsaPatch { - name = "237-4.5/0001-x86-dont-allow-MSI-pIRQ-mapping-on-unowned-device"; - sha256 = "0hjxs20jhls4i0iph45a0qpw4znkm04gv74jmwhw84gy4hrhzq3b"; - }) - (xsaPatch { - name = "237-4.5/0002-x86-enforce-proper-privilege-when-mapping-pIRQ-s"; - sha256 = "0ki8nmbc2g1l9wnqsph45a2k4c6dk5s7jvdlxg3zznyiyxjcv8yn"; - }) - (xsaPatch { - name = "237-4.5/0003-x86-MSI-disallow-redundant-enabling"; - sha256 = "1hdz83qrjaqnihz8ji186dypxiblbfpgyb01j9m5alhk4whjqvp1"; - }) - (xsaPatch { - name = "237-4.5/0004-x86-IRQ-conditionally-preserve-irq-pirq-mapping-on-error"; - sha256 = "0csdfn9kzn1k94pg3fcwsgqw14wcd4myi1jkcq5alj1fmkhw4wmk"; - }) - (xsaPatch { - name = "237-4.5/0005-x86-FLASK-fix-unmap-domain-IRQ-XSM-hook"; - sha256 = "14b73rkvbkd1a2gh9kp0zrvv2d3kfwkiv24fg9agh4hrf2w3nx7y"; - }) - ]; - - # 4.5 - XSA_238_45 = (xsaPatch { - name = "238-4.5"; - sha256 = "1x2fg5vfv5jc084h5gjm6fq0nxjpzvi96px3sqzz4pvsvy4y4i1z"; - }); - - # 4.5 - XSA_239_45 = (xsaPatch { - name = "239-4.5"; - sha256 = "06bi8q3973yajxsdj7pcqarvb56q2gisxdiy0cpbyffbmpkfv3h6"; - }); - - # 4.5 - XSA_240_45 = [ - (xsaPatch { - name = "240-4.5/0001-x86-limit-linear-page-table-use-to-a-single-level"; - sha256 = "0pmf10mbnmb88y7mly8s2l0j88cg0ayhkcnmj1zbjrkjmpccv395"; - }) - (xsaPatch { - name = "240-4.5/0002-x86-mm-Disable-PV-linear-pagetables-by-default"; - sha256 = "19f096ra3xndvzkjjasx73p2g25hfkm905px0p3yakwll0qzd029"; - }) - ]; - - # 4.5 - 4.8 - XSA_241 = (xsaPatch { - name = "241-4.8"; - sha256 = "16zb75kzs98f4mdxhbyczk5mbh9dvn6j3yhfafki34x1dfdnq4pj"; - }); - - # 4.5 - 4.9 - XSA_242 = (xsaPatch { - name = "242-4.9"; - sha256 = "0yx3x0i2wybsm7lzdffxa2mm866bjl4ipbb9vipnw77dyg705zpr"; - }); - - # 4.5 - XSA_243_45 = [ - (xsaPatch { - name = "243-4.6-1"; - sha256 = "1cqanpyysa7px0j645z4jw9yqsvv6cbh7yq1b86ap134axfifcan"; - }) - (xsaPatch { - name = "243-4.5-2"; - sha256 = "0wbcgw4m0nzm2902jnda2020l7bd5adkq8j5myi1zmsfzbq03hwn"; - }) - ]; - - # 4.5 - XSA_244_45 = (xsaPatch { - name = "244-4.5"; - sha256 = "05ci3vdl1ywfjpzcvsy1k52whxjk8pxzj7dh3r94yqasr56i5v2l"; - }); - - # 4.5 - 4.9 - XSA_245 = [ - (xsaPatch { - name = "245/0001-xen-page_alloc-Cover-memory-unreserved-after-boot-in"; - sha256 = "12brsgbn7xwakalsn10afykgqmx119mqg6vjj3v2b1pnmf4ss0w8"; - }) - (xsaPatch { - name = "245/0002-xen-arm-Correctly-report-the-memory-region-in-the-du"; - sha256 = "1k6z5r7wnrswsczn2j3a1mc4nvxqm4ydj6n6rvgqizk2pszdkqg8"; - }) - ]; - - # 4.5 - 4.7 - XSA_246_45 = [ - (xsaPatch { - name = "246-4.7"; - sha256 = "13rad4k8z3bq15d67dhgy96kdbrjiq9sy8px0jskbpx9ygjdahkn"; - }) - ]; - - # 4.5 - XSA_247_45 = [ - (xsaPatch { - name = "247-4.5/0001-p2m-Always-check-to-see-if-removing-a-p2m-entry-actu"; - sha256 = "0h1mp5s9si8aw2gipds317f27h9pi7bgnhj0bcmw11p0ch98sg1m"; - }) - (xsaPatch { - name = "247-4.5/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas"; - sha256 = "0vjjybxbcm4xl26wbqvcqfiyvvlayswm4f98i1fr5a9abmljn5sb"; - }) - ]; - - # 4.5 - XSA_248_45 = [ - (xsaPatch { - name = "248-4.5"; - sha256 = "0csxg6h492ddsa210b45av28iqf7cn2dfdqk4zx10zwf1pv2shyn"; - }) - ]; - - # 4.5 .. 4.9 - XSA_249 = [ - (xsaPatch { - name = "249"; - sha256 = "0v6ngzqhkz7yv4n83xlpxfbkr2qyg5b1cds7ikkinm86hiqy6agl"; - }) - ]; - - # 4.5 - XSA_250_45 = [ - (xsaPatch { - name = "250-4.5"; - sha256 = "0pqldl6qnl834gvfp90z247q9xcjh3835s2iffnajz7jhjb2145d"; - }) - ]; - - # 4.5 - XSA_251_45 = [ - (xsaPatch { - name = "251-4.5"; - sha256 = "0lc94cx271z09r0mhxaypyd9d4740051p28idf5calx5228dqjgm"; - }) - ]; - - XSA_386 = (xsaPatch { - name = "386"; - sha256 = "sha256-pAuLgt3sDeL73NSDqZCWxRGZk1tWaYlDbh7cUcJ4s+w="; - }); -} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index ed2192dd8e0fe..5a1d8f211b3de 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -27319,9 +27319,10 @@ with pkgs; # See `xenPackages` source for explanations. # Building with `xen` instead of `xen-slim` is possible, but makes no sense. qemu_xen = lowPrio (qemu.override { hostCpuOnly = true; xenSupport = true; xen = xen-slim; }); - qemu_xen-light = lowPrio (qemu.override { hostCpuOnly = true; xenSupport = true; xen = xen-light; }); - qemu_xen_4_15 = lowPrio (qemu.override { hostCpuOnly = true; xenSupport = true; xen = xen_4_15-slim; }); - qemu_xen_4_15-light = lowPrio (qemu.override { hostCpuOnly = true; xenSupport = true; xen = xen_4_15-light; }); + qemu_xen_4_19 = lowPrio (qemu.override { hostCpuOnly = true; xenSupport = true; xen = xenPackages.xen_4_19-slim; }); + qemu_xen_4_18 = lowPrio (qemu.override { hostCpuOnly = true; xenSupport = true; xen = xenPackages.xen_4_18-slim; }); + qemu_xen_4_17 = lowPrio (qemu.override { hostCpuOnly = true; xenSupport = true; xen = xenPackages.xen_4_17-slim; }); + qemu_xen_4_16 = lowPrio (qemu.override { hostCpuOnly = true; xenSupport = true; xen = xenPackages.xen_4_16-slim; }); qemu_test = lowPrio (qemu.override { hostCpuOnly = true; nixosTestRunner = true; }); @@ -35026,13 +35027,8 @@ with pkgs; xenPackages = recurseIntoAttrs (callPackage ../applications/virtualization/xen/packages.nix {}); - xen = xenPackages.xen-vanilla; + xen = xenPackages.xen; xen-slim = xenPackages.xen-slim; - xen-light = xenPackages.xen-light; - - xen_4_15 = xenPackages.xen_4_15-vanilla; - xen_4_15-slim = xenPackages.xen_4_15-slim; - xen_4_15-light = xenPackages.xen_4_15-light; xkbset = callPackage ../tools/X11/xkbset { }; From 9458dd0bbf83b990ea6ea8581acec38af5853088 Mon Sep 17 00:00:00 2001 From: Fernando Rodrigues Date: Sun, 28 Jul 2024 15:49:01 +0000 Subject: [PATCH 2/5] xen: add README and update script The update script is interactive, not automated, and is meant to run with human intervention in order to verify Xen's code signature. It produces default.nix files for all security-supported branches. Signed-off-by: Fernando Rodrigues --- .../applications/virtualization/xen/README.md | 195 ++++++++++++++++++ .../applications/virtualization/xen/update.sh | 194 +++++++++++++++++ 2 files changed, 389 insertions(+) create mode 100644 pkgs/applications/virtualization/xen/README.md create mode 100755 pkgs/applications/virtualization/xen/update.sh diff --git a/pkgs/applications/virtualization/xen/README.md b/pkgs/applications/virtualization/xen/README.md new file mode 100644 index 0000000000000..c3cc2d20d417c --- /dev/null +++ b/pkgs/applications/virtualization/xen/README.md @@ -0,0 +1,195 @@ +

+ + + + + Xen Project Logo + + +

+ +# Xen Hypervisor Xen Fu Panda + +This directory includes the build recipes for the [Xen Hypervisor](https://xenproject.org/). + +Some other notable packages that compose the Xen Ecosystem include: + +- `ocamlPackages.xenstore`: Mirage's `oxenstore` implementation. +- `ocamlPackages.vchan`: Mirage's `xen-vchan` implementation. +- `ocamlPackages.xenstore-tool`: XAPI's `oxenstore` utilities. +- `xen-guest-agent`: Guest drivers for UNIX domUs. +- `win-pvdrivers`: Guest drivers for Windows domUs. + +## Updating + +### Automatically + +An automated update script is available in this directory. To produce up-to-date +files for all supported Xen branches, simply run `./update.sh`, and follow the +instructions given to you by the script. Notably, it will request that you verify +the Xen Project code signing PGP key. This README understands that the fingerprint +of that key is [`23E3 222C 145F 4475 FA80 60A7 83FE 14C9 57E8 2BD9`](https://keys.openpgp.org/search?q=pgp%40xen.org), +but you should verify this information by seeking the fingerprint from other trusted +sources, as this document may be compromised. Once the PGP key is verified, it will +use `git verify-tag` to ascertain the validity of the cloned Xen sources. + +After the script is done, follow the steps in [**For Both Update Methods**](#for-both-update-methods) below. + +#### Downstream Patch Names + +The script expects local patch names to follow a certain specification. +Please name any required patches using the template below: + +```console +0000-project-description-branch.patch +``` + +Where: + +1. The first four numbers define the patch order. + **0001** will be applied after **0000**, and so on. +1. `project` means the name of the source the patch should be applied to. + - If you are applying patches to the main Xen sources, use `xen`. + - For the pre-fetched QEMU, use `qemu`. + - For SeaBIOS, use `seabios`. + - For OVMF, use `ovmf`. + - For iPXE, use `ipxe`. +1. `description` is a string with uppercase and lowercase letters, numbers and + dashes. It describes the patch name and what it does to the upstream code. +1. `branch` is the branch for which this patch is supposed to patch. + It should match the name of the directory it is in. + +For example, a patch fixing `xentop`'s output in the 4.15 branch should have +the following name: `0000-xen-xentop-output-4.15.patch`, and it should be added +to the `4.15/` directory. + +### Manually + +The script is not infallible, and it may break in the future. If that happens, +open a PR fixing the script, and update Xen manually: + +1. Check the support matrix to see which branches are security-supported. +1. Create one directory per branch. +1. [Update](https://xenbits.xenproject.org/gitweb/) the `default.nix` files for + the branches that already exist and copy a new one to any branches that do + not yet exist in Nixpkgs. + - Do not forget to set the `branch`, `version`, and `latest` attributes for + each of the `default.nix` files. + - The revisions are preferably commit hashes, but tag names are acceptable + as well. + +### For Both Update Methods + +1. Make sure all branches build. (Both the `standard` and `slim` versions) +1. Use the NixOS module to test if dom0 boots successfully on all new versions. +1. Clean up your changes and commit them, making sure to follow the + [Nixpkgs Contribution Guidelines](../../../../CONTRIBUTING.md). +1. Open a PR and await a review from the current maintainers. + +## Features + +### Pre-fetched Sources + +On a typical Xen build, the Xen Makefiles will fetch more required sources with +`git` and `wget`. Due to the Nix Sandbox, build-time fetching will fail, so we +pre-fetch the required sources before building.[^1] To accomplish this, we have +a `prefetchedSources` attribute that contains the required derivations, if they +are requested by the main Xen build. + +### EFI + +Building `xen.efi` requires an `ld` with PE support.[^2] + +We use a `makeFlag` to override the `$LD` environment variable to point to our +patched `efiBinutils`. For more information, see the comment in `./generic.nix`. + +> [!TIP] +> If you are certain you will not be running Xen in an x86 EFI environment, disable +the `withEFI` flag with an [override](https://nixos.org/manual/nixpkgs/stable/#chap-overrides) +to save you the need to compile `efiBinutils`. + +### Default Overrides + +By default, Xen also builds +[QEMU](https://www.qemu.org/), +[SeaBIOS](https://www.seabios.org/SeaBIOS), +[OVMF](https://github.com/tianocore/tianocore.github.io/wiki/OVMF) and +[iPXE](https://ipxe.org/). + +- QEMU is used for stubdomains and handling devices. +- SeaBIOS is the default legacy BIOS ROM for HVM domains. +- OVMF is the default UEFI ROM for HVM domains. +- iPXE provides a PXE boot environment for HVMs. + +However, those packages are already available on Nixpkgs, and Xen does not +necessarily need to build them into the main hypervisor build. For this reason, +we also have the `withInternal` flags, which enables and disables +building those built-in components. The two most popular Xen configurations will +be the default build, with all built-in components, and a `slim` build, with none +of those components. To simplify this process, the `./packages.nix` file includes +the `xen-slim` package overrides that have all `withInternal` flags +disabled. See the `meta.longDescription` attribute for the `xen-slim` packages +for more information. + +## Security + +We aim to support all **security-supported** versions of Xen at any given time. +See the [Xen Support Matrix](https://xenbits.xen.org/docs/unstable/support-matrix.html) +for a list of versions. As soon as a version is no longer **security-supported**, +it should be removed from Nixpkgs. + +> [!CAUTION] +> Pull requests that introduce XSA patches +should have the `1.severity: security` label. + +### Maintainers + +Xen is a particularly complex piece of software, so we are always looking for new +maintainers. Help out by [making and triaging issues](https://github.com/NixOS/nixpkgs/issues/new/choose), +[sending build fixes and improvements through PRs](https://github.com/NixOS/nixpkgs/compare), +updating the branches, and [patching security flaws](https://xenbits.xenproject.org/xsa/). + +We are also looking for testers, particularly those who can test Xen on AArch64 +machines. Open issues for any build failures or runtime errors you find! + +## Tests + +So far, we only have had one simple automated test that checks for +the correct `pkg-config` output files. + +Due to Xen's nature as a type-1 hypervisor, it is not a trivial matter to design +new tests, as even basic functionality requires a machine booted in a dom0 +kernel. For this reason, most testing done with this package must be done +manually in a NixOS machine with `virtualisation.xen.enable` set to `true`. + +Another unfortunate thing is that none of the Xen commands have a `--version` +flag. This means that `testers.testVersion` cannot ascertain the Xen version. +The only way to verify that you have indeed built the correct version is to +boot into the freshly built Xen kernel and run `xl info`. + +

+ + Xen Fu Panda + +

+ +[^1]: We also produce fake `git`, `wget` and `hostname` binaries that do nothing, + to prevent the build from failing because Xen cannot fetch the sources that + were already fetched by Nix. +[^2]: From the [Xen Documentation](https://xenbits.xenproject.org/docs/unstable/misc/efi.html): + > For x86, building `xen.efi` requires `gcc` 4.5.x or above (4.6.x or newer + recommended, as 4.5.x was probably never really tested for this purpose) + and `binutils` 2.22 or newer. Additionally, the `binutils` build must be + configured to include support for the x86_64-pep emulation (i.e. + `--enable-targets=x86_64-pep` or an option of equivalent effect should be + passed to the configure script). diff --git a/pkgs/applications/virtualization/xen/update.sh b/pkgs/applications/virtualization/xen/update.sh new file mode 100755 index 0000000000000..0b0c7516fa835 --- /dev/null +++ b/pkgs/applications/virtualization/xen/update.sh @@ -0,0 +1,194 @@ +#!/usr/bin/env nix-shell +#!nix-shell -i bash -p gitMinimal curl gnupg nix-prefetch-git nixfmt-rfc-style +# shellcheck disable=SC2206,SC2207 shell=bash +set -e + +# Set a temporary $HOME in /tmp for GPG. +HOME=/tmp/xenUpdateScript + +# This script expects to be called in an interactive terminal somewhere inside Nixpkgs. +echo "Preparing..." +nixpkgs=$(git rev-parse --show-toplevel) +xenPath="$nixpkgs/pkgs/applications/virtualization/xen" +rm -rf /tmp/xenUpdateScript +mkdir /tmp/xenUpdateScript + +# Import and verify PGP key. +curl --silent --output /tmp/xenUpdateScript/xen.asc https://keys.openpgp.org/vks/v1/by-fingerprint/23E3222C145F4475FA8060A783FE14C957E82BD9 +gpg --quiet --import /tmp/xenUpdateScript/xen.asc +fingerprint="$(gpg --with-colons --fingerprint "pgp@xen.org" 2>/dev/null | awk -F: '/^pub:.*/ { getline; print $10}')" +echo -e "Please ascertain through multiple external sources that the \e[1;32mXen Project PGP Key Fingerprint\e[0m is indeed \e[1;33m$fingerprint\e[0m. If that is not the case, \e[1;31mexit immediately\e[0m." +read -r -p $'Press \e[1;34menter\e[0m to continue with a pre-filled expected fingerprint, or input an arbitrary PGP fingerprint to match with the key\'s fingerprint: ' userInputFingerprint +userInputFingerprint=${userInputFingerprint:-"23E3222C145F4475FA8060A783FE14C957E82BD9"} + +# Clone xen.git. +echo -e "Cloning \e[1;34mxen.git\e[0m..." +git clone --quiet https://xenbits.xen.org/git-http/xen.git /tmp/xenUpdateScript/xen +cd /tmp/xenUpdateScript/xen + +# Get list of versions and branches. +versionList="$(git tag --list "RELEASE-*" | sed s/RELEASE-//g | sed s/4.1.6.1//g | sort --numeric-sort)" +latestVersion=$(echo "$versionList" | tr ' ' '\n' | tail --lines=1) +branchList=($(echo "$versionList" | tr ' ' '\n' | sed s/\.[0-9]*$//g | awk '!seen[$0]++')) + +# Figure out which versions we're actually going to install. +minSupportedBranch="$(grep " knownVulnerabilities = lib.lists.optionals (lib.strings.versionOlder version " "$xenPath"/generic.nix | sed s/' knownVulnerabilities = lib.lists.optionals (lib.strings.versionOlder version "'//g | sed s/'") \['//g)" +supportedBranches=($(for version in "${branchList[@]}"; do if [ "$(printf '%s\n' "$minSupportedBranch" "$version" | sort -V | head -n1)" = "$minSupportedBranch" ]; then echo "$version"; fi; done)) +supportedVersions=($(for version in "${supportedBranches[@]}"; do echo "$versionList" | tr ' ' '\n' | grep "$version" | tail --lines=1; done)) + +# Main loop that installs every supportedVersion. +for version in "${supportedVersions[@]}"; do + echo -e "\n------------------------------------------------" + branch=${version/%.[0-9]/} + if [[ "$version" == "$latestVersion" ]]; then + latest=true + echo -e "\nFound \e[1;34mlatest\e[0m release: \e[1;32mXen $version\e[0m in branch \e[1;36m$branch\e[0m." + else + latest=false + echo -e "\nFound \e[1;33msecurity-supported\e[0m release: \e[1;32mXen $version\e[0m in branch \e[1;36m$branch\e[0m." + fi + + # Verify PGP key automatically. If the fingerprint matches what the user specified, or the default fingerprint, then we consider it trusted. + cd /tmp/xenUpdateScript/xen + if [[ "$fingerprint" = "$userInputFingerprint" ]]; then + echo "$fingerprint:6:" | gpg --quiet --import-ownertrust + (git verify-tag RELEASE-"$version" 2>/dev/null && echo -e "\n\e[1;32mSuccessfully authenticated Xen $version.\e[0m") || (echo -e "\e[1;31merror:\e[0m Unable to verify tag \e[1;32mRELEASE-$version\e[0m.\n- It is possible that \e[1;33mthis script has broken\e[0m, the Xen Project has \e[1;33mcycled their PGP keys\e[0m, or a \e[1;31msupply chain attack is in progress\e[0m.\n\n\e[1;31mPlease update manually.\e[0m" && exit 1) + else + echo -e "\e[1;31merror:\e[0m Unable to verify \e[1;34mpgp@xen.org\e[0m's fingerprint.\n- It is possible that \e[1;33mthis script has broken\e[0m, the Xen Project has \e[1;33mcycled their PGP keys\e[0m, or an \e[1;31mimpersonation attack is in progress\e[0m.\n\n\e[1;31mPlease update manually.\e[0m" && exit 1 + fi + + git switch --quiet --detach RELEASE-"$version" + + # Originally we told people to go check the Makefile themselves. + echo -e "\nDetermining source versions from Xen Makefiles..." + qemuVersion="$(grep -ie "QEMU_UPSTREAM_REVISION ?=" /tmp/xenUpdateScript/xen/Config.mk | sed s/"QEMU_UPSTREAM_REVISION ?= "//g)" + seaBIOSVersion="$(grep -ie "SEABIOS_UPSTREAM_REVISION ?= rel-" /tmp/xenUpdateScript/xen/Config.mk | sed s/"SEABIOS_UPSTREAM_REVISION ?= "//g)" + ovmfVersion="$(grep -ie "OVMF_UPSTREAM_REVISION ?=" /tmp/xenUpdateScript/xen/Config.mk | sed s/"OVMF_UPSTREAM_REVISION ?= "//g)" + ipxeVersion="$(grep -ie "IPXE_GIT_TAG :=" /tmp/xenUpdateScript/xen/tools/firmware/etherboot/Makefile | sed s/"IPXE_GIT_TAG := "//g)" + + # Use `nix-prefetch-git` to fetch `rev`s and `hash`es. + echo "Pre-fetching sources and determining hashes..." + echo -e -n " \e[1;32mXen\e[0m..." + fetchXen=$(nix-prefetch-git --url https://xenbits.xen.org/git-http/xen.git --rev RELEASE-"$version" --quiet) + finalVersion="$(echo "$fetchXen" | tr ', ' '\n ' | grep -ie rev | sed s/' "rev": "'//g | sed s/'"'//g)" + hash="$(echo "$fetchXen" | tr ', ' '\n ' | grep -ie hash | sed s/' "hash": "'//g | sed s/'"'//g)" + echo "done!" + echo -e -n " \e[1;36mQEMU\e[0m..." + fetchQEMU=$(nix-prefetch-git --url https://xenbits.xen.org/git-http/qemu-xen.git --rev "$qemuVersion" --quiet --fetch-submodules) + finalQEMUVersion="$(echo "$fetchQEMU" | tr ', ' '\n ' | grep -ie rev | sed s/' "rev": "'//g | sed s/'"'//g)" + qemuHash="$(echo "$fetchQEMU" | tr ', ' '\n ' | grep -ie hash | sed s/' "hash": "'//g | sed s/'"'//g)" + echo "done!" + echo -e -n " \e[1;36mSeaBIOS\e[0m..." + fetchSeaBIOS=$(nix-prefetch-git --url https://xenbits.xen.org/git-http/seabios.git --rev "$seaBIOSVersion" --quiet) + finalSeaBIOSVersion="$(echo "$fetchSeaBIOS" | tr ', ' '\n ' | grep -ie rev | sed s/' "rev": "'//g | sed s/'"'//g)" + seaBIOSHash="$(echo "$fetchSeaBIOS" | tr ', ' '\n ' | grep -ie hash | sed s/' "hash": "'//g | sed s/'"'//g)" + echo "done!" + echo -e -n " \e[1;36mOVMF\e[0m..." + ovmfHash="$(nix-prefetch-git --url https://xenbits.xen.org/git-http/ovmf.git --rev "$ovmfVersion" --quiet --fetch-submodules | grep -ie hash | sed s/' "hash": "'//g | sed s/'",'//g)" + echo "done!" + echo -e -n " \e[1;36miPXE\e[0m..." + ipxeHash="$(nix-prefetch-git --url https://github.com/ipxe/ipxe.git --rev "$ipxeVersion" --quiet | grep -ie hash | sed s/' "hash": "'//g | sed s/'",'//g)" + echo "done!" + + cd "$xenPath" + + echo -e "\nFound the following revisions:\n \e[1;32mXen\e[0m: \e[1;33m$finalVersion\e[0m (\e[1;33m$hash\e[0m)\n \e[1;36mQEMU\e[0m: \e[1;33m$finalQEMUVersion\e[0m (\e[1;33m$qemuHash\e[0m)\n \e[1;36mSeaBIOS\e[0m: \e[1;33m$finalSeaBIOSVersion\e[0m (\e[1;33m$seaBIOSHash\e[0m)\n \e[1;36mOVMF\e[0m: \e[1;33m$ovmfVersion\e[0m (\e[1;33m$ovmfHash\e[0m)\n \e[1;36miPXE\e[0m: \e[1;33m$ipxeVersion\e[0m (\e[1;33m$ipxeHash\e[0m)" + + # Set OCaml Version + read -r -p $'\nEnter the corresponding \e[1;33mOCaml\e[0m version for \e[1;32mXen '"$version"$'\e[0m, or press \e[1;34menter\e[0m for the default value of \e[1;32m4_14\e[0m: ' ocamlVersion + ocamlVersion=${ocamlVersion:-"4_14"} + + mkdir -p "$branch"/ + rm -f "$branch"/default.nix + + # Prepare any .patch files that are called by Nix through a path value. + echo -e "\nPlease add any required patches to version \e[1;32m$branch\e[0m in \e[1;34m$branch/\e[0m, and press \e[1;34menter\e[0m when done." + read -r -p $'Remember to follow the naming specification as defined in \e[1;34m./README.md\e[0m.' + + echo -e "\nDiscovering patches..." + discoveredXenPatches="$(find "$branch"/ -type f -name "[0-9][0-9][0-9][0-9]-xen-*-$branch.patch" -printf "./%f ")" + discoveredQEMUPatches="$(find "$branch"/ -type f -name "[0-9][0-9][0-9][0-9]-qemu-*-$branch.patch" -printf "./%f ")" + discoveredSeaBIOSPatches="$(find "$branch"/ -type f -name "[0-9][0-9][0-9][0-9]-seabios-*-$branch.patch" -printf "./%f ")" + discoveredOVMFPatches="$(find "$branch"/ -type f -name "[0-9][0-9][0-9][0-9]-ovmf-*-$branch.patch" -printf "./%f ")" + discoveredIPXEPatches="$(find "$branch"/ -type f -name "[0-9][0-9][0-9][0-9]-ipxe-*-$branch.patch" -printf "./%f ")" + + discoveredXenPatchesEcho=${discoveredXenPatches:-"\e[1;31mNone found!\e[0m"} + discoveredQEMUPatchesEcho=${discoveredQEMUPatches:-"\e[1;31mNone found!\e[0m"} + discoveredSeaBIOSPatchesEcho=${discoveredSeaBIOSPatches:-"\e[1;31mNone found!\e[0m"} + discoveredOVMFPatchesEcho=${discoveredOVMFPatches:-"\e[1;31mNone found!\e[0m"} + discoveredIPXEPatchesEcho=${discoveredIPXEPatches:-"\e[1;31mNone found!\e[0m"} + + echo -e "Found the following patches:\n \e[1;32mXen\e[0m: \e[1;33m$discoveredXenPatchesEcho\e[0m\n \e[1;36mQEMU\e[0m: \e[1;33m$discoveredQEMUPatchesEcho\e[0m\n \e[1;36mSeaBIOS\e[0m: \e[1;33m$discoveredSeaBIOSPatchesEcho\e[0m\n \e[1;36mOVMF\e[0m: \e[1;33m$discoveredOVMFPatchesEcho\e[0m\n \e[1;36miPXE\e[0m: \e[1;33m$discoveredIPXEPatchesEcho\e[0m" + + # Prepare patches that are called in ./patches.nix. + defaultPatchListInit=("QUBES_REPRODUCIBLE_BUILDS" "XSA_458") + read -r -a defaultPatchList -p $'\nWould you like to override the \e[1;34mupstreamPatches\e[0m list for \e[1;32mXen '"$version"$'\e[0m? If no, press \e[1;34menter\e[0m to use the default patch list: [ \e[1;34m'"${defaultPatchListInit[*]}"$' \e[0m]: ' + defaultPatchList=(${defaultPatchList[@]:-${defaultPatchListInit[@]}}) + spaceSeparatedPatchList=${defaultPatchList[*]} + upstreamPatches="upstreamPatches.${spaceSeparatedPatchList// / upstreamPatches.}" + + # Write and format default.nix file. + echo -e "\nWriting updated \e[1;34mversionDefinition\e[0m..." + cat >"$branch"/default.nix < Date: Wed, 3 Jul 2024 11:46:54 +0000 Subject: [PATCH 3/5] xen: rename xen-light to xen-slim xen-light was dropped in favour of xen and xen-slim Signed-off-by: Fernando Rodrigues Reviewed-by: Matei Dibu --- pkgs/tools/virtualization/xen-guest-agent/default.nix | 10 +++++----- pkgs/top-level/aliases.nix | 1 + 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/pkgs/tools/virtualization/xen-guest-agent/default.nix b/pkgs/tools/virtualization/xen-guest-agent/default.nix index 2ddbbe45955a1..1b9f637bf61a9 100644 --- a/pkgs/tools/virtualization/xen-guest-agent/default.nix +++ b/pkgs/tools/virtualization/xen-guest-agent/default.nix @@ -3,7 +3,7 @@ fetchFromGitLab, rustPlatform, llvmPackages, - xen-light, + xen-slim, }: rustPlatform.buildRustPackage rec { pname = "xen-guest-agent"; @@ -20,14 +20,14 @@ rustPlatform.buildRustPackage rec { env = { LIBCLANG_PATH = "${llvmPackages.libclang.lib}/lib"; - BINDGEN_EXTRA_CLANG_ARGS = "-isystem ${xen-light}/include"; - RUSTFLAGS = "-L ${xen-light}/lib"; + BINDGEN_EXTRA_CLANG_ARGS = "-isystem ${xen-slim.dev}/include"; + RUSTFLAGS = "-L ${xen-slim.out}/lib"; }; - nativeBuildInputs = [llvmPackages.clang xen-light]; + nativeBuildInputs = [llvmPackages.clang xen-slim.out]; postFixup = '' - patchelf $out/bin/xen-guest-agent --add-rpath ${xen-light}/lib + patchelf $out/bin/xen-guest-agent --add-rpath ${xen-slim.out}/lib ''; meta = with lib; { diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix index 4aeafb8575994..5f2971ac6bd16 100644 --- a/pkgs/top-level/aliases.nix +++ b/pkgs/top-level/aliases.nix @@ -1538,6 +1538,7 @@ mapAliases ({ xcbuild6Hook = throw "'xcbuild6Hook has been renamed to/replaced by 'xcbuildHook'"; # Added 2023-12-10 xcodebuild6 = throw "'xcodebuild6' has been renamed to/replaced by 'xcodebuild'"; # Added 2023-12-10 xdg_utils = xdg-utils; # Added 2021-02-01 + xen-light = throw "'xen-light' has been renamed to/replaced by 'xen-slim'"; # Added 2024-06-30 xineLib = xine-lib; # Added 2021-04-27 xineUI = xine-ui; # Added 2021-04-27 xmlada = gnatPackages.xmlada; # Added 2024-02-25 From af205ce47a439b0965aae9ba153a21a8b76137e8 Mon Sep 17 00:00:00 2001 From: Fernando Rodrigues Date: Wed, 3 Jul 2024 13:36:40 +0000 Subject: [PATCH 4/5] qubes-core-vchan-xen: mark broken In function 'libvchan__check_domain_alive': error: unknown type name 'xc_dominfo_t'; did you mean 'xc_meminfo_t'? error: implicit declaration of function 'xc_domain_getinfo'; did you mean 'xc_domain_getvnuma'? [-Werror=implicit-function-declaration] error: request for member 'domid' in something not a structure or union error: request for member 'dying' in something not a structure or union Signed-off-by: Fernando Rodrigues Reviewed-by: Joachim Ernst --- pkgs/applications/qubes/qubes-core-vchan-xen/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkgs/applications/qubes/qubes-core-vchan-xen/default.nix b/pkgs/applications/qubes/qubes-core-vchan-xen/default.nix index 21b80fcf51dd6..7def14890300d 100644 --- a/pkgs/applications/qubes/qubes-core-vchan-xen/default.nix +++ b/pkgs/applications/qubes/qubes-core-vchan-xen/default.nix @@ -28,8 +28,9 @@ stdenv.mkDerivation rec { description = "Libraries required for the higher-level Qubes daemons and tools"; homepage = "https://qubes-os.org"; license = licenses.gpl2Plus; - maintainers = with maintainers; [ _0x4A6F ]; + maintainers = [ ]; platforms = platforms.linux; + broken = true; }; } From 8d4151a17148f5e95940d82b382212c54a9f40c5 Mon Sep 17 00:00:00 2001 From: Fernando Rodrigues Date: Wed, 3 Jul 2024 13:38:17 +0000 Subject: [PATCH 5/5] libvmi: mark broken In file included from ./driver/xen/xen_private.h:42, error: unknown type name 'xc_dominfo_t'; did you mean 'xc_meminfo_t'? PR #328873 reverts this commit and updates LibVMI. Signed-off-by: Fernando Rodrigues --- pkgs/development/libraries/libvmi/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/development/libraries/libvmi/default.nix b/pkgs/development/libraries/libvmi/default.nix index 9aded47d234af..b350592147bca 100644 --- a/pkgs/development/libraries/libvmi/default.nix +++ b/pkgs/development/libraries/libvmi/default.nix @@ -45,5 +45,6 @@ stdenv.mkDerivation rec { license = with licenses; [ gpl3 lgpl3 ]; platforms = platforms.linux; maintainers = [ ]; + broken = true; }; }