From e073c3321b83b8878e2991664b9796617d7787c7 Mon Sep 17 00:00:00 2001 From: Fernando Rodrigues Date: Mon, 5 Aug 2024 18:13:50 +0000 Subject: [PATCH 1/3] xen: package documentation fixes Minor changes to comments, examples and the README. Signed-off-by: Fernando Rodrigues --- pkgs/applications/virtualization/xen/README.md | 12 +++++++++++- pkgs/applications/virtualization/xen/generic.nix | 4 ++-- pkgs/applications/virtualization/xen/patches.nix | 5 ++++- 3 files changed, 17 insertions(+), 4 deletions(-) diff --git a/pkgs/applications/virtualization/xen/README.md b/pkgs/applications/virtualization/xen/README.md index c3cc2d20d417c..c059808dcecbf 100644 --- a/pkgs/applications/virtualization/xen/README.md +++ b/pkgs/applications/virtualization/xen/README.md @@ -40,7 +40,8 @@ but you should verify this information by seeking the fingerprint from other tru sources, as this document may be compromised. Once the PGP key is verified, it will use `git verify-tag` to ascertain the validity of the cloned Xen sources. -After the script is done, follow the steps in [**For Both Update Methods**](#for-both-update-methods) below. +After the script is done, follow the steps in +[**For Both Update Methods**](#for-both-update-methods) below. #### Downstream Patch Names @@ -87,8 +88,17 @@ open a PR fixing the script, and update Xen manually: ### For Both Update Methods +1. Update `packages.nix` with the new versions. Don't forget the `slim` packages! 1. Make sure all branches build. (Both the `standard` and `slim` versions) 1. Use the NixOS module to test if dom0 boots successfully on all new versions. +1. Make sure the `meta` attributes evaluate to something that makes sense. The + following one-line command is useful for testing this: + + ```console + xenToEvaluate=xen; echo -e "\033[1m$(nix eval .#"$xenToEvaluate".meta.description 2> /dev/null | tail -c +2 | head -c -2)\033[0m\n\n$(nix eval .#"$xenToEvaluate".meta.longDescription 2> /dev/null | tail -c +2 | head -c -2)" + ``` + + Change the value of `xenToEvaluate` to evaluate all relevant Xen packages. 1. Clean up your changes and commit them, making sure to follow the [Nixpkgs Contribution Guidelines](../../../../CONTRIBUTING.md). 1. Open a PR and await a review from the current maintainers. diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix index 94abe86e85e53..c6f5d19d43514 100644 --- a/pkgs/applications/virtualization/xen/generic.nix +++ b/pkgs/applications/virtualization/xen/generic.nix @@ -561,10 +561,10 @@ stdenv.mkDerivation (finalAttrs: { ''; postFixup = - # Fix binaries in $out/lib/xen/bin. + # Fix binaries in $out/libexec/xen/bin. '' addAutoPatchelfSearchPath $out/lib - autoPatchelf $out/libexec/xen/bin/ + autoPatchelf $out/libexec/xen/bin '' # Flask is particularly hard to disable. Even after # setting the make flags to `n`, it still gets compiled. diff --git a/pkgs/applications/virtualization/xen/patches.nix b/pkgs/applications/virtualization/xen/patches.nix index 050bb91a544c5..7236fcf28e0f6 100644 --- a/pkgs/applications/virtualization/xen/patches.nix +++ b/pkgs/applications/virtualization/xen/patches.nix @@ -64,7 +64,10 @@ in # # "XSA_100" = xsaPatch { # id = "100"; - # name = "Verbatim Title of XSA"; + # title = "Verbatim Title of XSA"; + # description = '' + # Verbatim description of XSA. + # ''; # cve = [ "CVE-1999-0001" "CVE-1999-0002" ]; # Not all XSAs have CVEs. This attribute is optional. # hash = "sha256-0000000000000000000000000000000000000000000000000000"; # }; From 7d7fc6900462858a9311dce474b632eb3c9ba45d Mon Sep 17 00:00:00 2001 From: Fernando Rodrigues Date: Mon, 5 Aug 2024 18:14:30 +0000 Subject: [PATCH 2/3] xen: build full html documentation Xen not only has manual pages, but also a full documentation written in HTML files. By adding ImageMagick, the `fig2dev` build doesn't fail, so we can have the docs build in the $doc output. This also fixes the Hydra build, but who cares about that? We have good Xen docs now! Signed-off-by: Fernando Rodrigues --- pkgs/applications/virtualization/xen/generic.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix index c6f5d19d43514..12a7820059bdd 100644 --- a/pkgs/applications/virtualization/xen/generic.nix +++ b/pkgs/applications/virtualization/xen/generic.nix @@ -59,6 +59,7 @@ versionDefinition: # Documentation fig2dev, + imagemagick, pandoc, # Scripts @@ -273,6 +274,7 @@ stdenv.mkDerivation (finalAttrs: { outputs = [ "out" # TODO: Split $out in $bin for binaries and $lib for libraries. "man" # Manual pages for Xen userspace utilities. + "doc" # The full Xen documentation in HTML format. "dev" # Development headers. "boot" # xen.gz kernel, policy file if Flask is enabled, xen.efi if EFI is enabled. ]; @@ -293,6 +295,7 @@ stdenv.mkDerivation (finalAttrs: { bison cmake fig2dev + imagemagick # Causes build failures in Hydra related to fig generation if not included. flex pandoc pkg-config From 13b41a1ed13a596337c4eca08e257822f076ae76 Mon Sep 17 00:00:00 2001 From: Fernando Rodrigues Date: Mon, 5 Aug 2024 18:16:43 +0000 Subject: [PATCH 3/3] xen: fix meta.longDescription The description was mangled in search.nixos.org. It recommended using qemu_xen with a Xen that already included QEMU, and there were edge cases where there wouldn't be enough newlines to properly display the full description. Signed-off-by: Fernando Rodrigues --- .../virtualization/xen/generic.nix | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix index 12a7820059bdd..b8672770e5bdd 100644 --- a/pkgs/applications/virtualization/xen/generic.nix +++ b/pkgs/applications/virtualization/xen/generic.nix @@ -631,11 +631,11 @@ stdenv.mkDerivation (finalAttrs: { longDescription = # Starts with the longDescription from ./packages.nix. (packageDefinition.meta.longDescription or "") - + - lib.strings.optionalString (!withInternalQEMU) - "\nUse with `qemu_xen_${lib.stringAsChars (x: if x == "." then "_" else x) branch}`" - + lib.strings.optionalString latest "or `qemu_xen`" - + "." + + lib.strings.optionalString (!withInternalQEMU) ( + "\nUse with `qemu_xen_${lib.stringAsChars (x: if x == "." then "_" else x) branch}`" + + lib.strings.optionalString latest " or `qemu_xen`" + + ".\n" + ) # Then, if any of the optional with* components are being built, add the "Includes:" string. + lib.strings.optionalString @@ -648,22 +648,22 @@ stdenv.mkDerivation (finalAttrs: { || withFlask ) ( - "\nIncludes:\n" + "\nIncludes:" # Originally, this was a call for the complicated withPrefetchedSources. Since there aren't # that many optional components, we just use lib.strings.optionalString, because it's simpler. # Optional components that aren't being built are automatically hidden. - + lib.strings.optionalString withEFI "* `xen.efi`: Xen's [EFI binary](https://xenbits.xenproject.org/docs/${branch}-testing/misc/efi.html), available on the `boot` output of this package.\n" - + lib.strings.optionalString withFlask "* `xsm-flask`: The [FLASK Xen Security Module](https://wiki.xenproject.org/wiki/Xen_Security_Modules_:_XSM-FLASK). The `xenpolicy-${version}` file is available on the `boot` output of this package.\n" - + lib.strings.optionalString withInternalQEMU "* `qemu-xen`: Xen's mirror of [QEMU](https://www.qemu.org/).\n" - + lib.strings.optionalString withInternalSeaBIOS "* `seabios-xen`: Xen's mirror of [SeaBIOS](https://www.seabios.org/SeaBIOS).\n" - + lib.strings.optionalString withInternalOVMF "* `ovmf-xen`: Xen's mirror of [OVMF](https://github.com/tianocore/tianocore.github.io/wiki/OVMF).\n" - + lib.strings.optionalString withInternalIPXE "* `ipxe-xen`: Xen's pinned version of [iPXE](https://ipxe.org/).\n" + + lib.strings.optionalString withEFI "\n* `xen.efi`: Xen's [EFI binary](https://xenbits.xenproject.org/docs/${branch}-testing/misc/efi.html), available on the `boot` output of this package." + + lib.strings.optionalString withFlask "\n* `xsm-flask`: The [FLASK Xen Security Module](https://wiki.xenproject.org/wiki/Xen_Security_Modules_:_XSM-FLASK). The `xenpolicy-${version}` file is available on the `boot` output of this package." + + lib.strings.optionalString withInternalQEMU "\n* `qemu-xen`: Xen's mirror of [QEMU](https://www.qemu.org/)." + + lib.strings.optionalString withInternalSeaBIOS "\n* `seabios-xen`: Xen's mirror of [SeaBIOS](https://www.seabios.org/SeaBIOS)." + + lib.strings.optionalString withInternalOVMF "\n* `ovmf-xen`: Xen's mirror of [OVMF](https://github.com/tianocore/tianocore.github.io/wiki/OVMF)." + + lib.strings.optionalString withInternalIPXE "\n* `ipxe-xen`: Xen's pinned version of [iPXE](https://ipxe.org/)." ) # Finally, we write a notice explaining which vulnerabilities this Xen is NOT vulnerable to. # This will hopefully give users the peace of mind that their Xen is secure, without needing # to search the source code for the XSA patches. + lib.strings.optionalString (writeAdvisoryDescription != [ ]) ( - "\nThis Xen (${version}) has been patched against the following known security vulnerabilities:\n" + "\n\nThis Xen (${version}) has been patched against the following known security vulnerabilities:\n" + lib.strings.removeSuffix "\n" (lib.strings.concatLines writeAdvisoryDescription) ); homepage = "https://xenproject.org/";