Skip to content

Commit

Permalink
Allow accessing correct pkgs during preSignCommands
Browse files Browse the repository at this point in the history
`preSignCommands` is used in two different contexts, when building
derivations that are using the package-set defined in the NixOS config
for a machine (defaults to a native aarch64-linux package-set) and when
building flash scripts (defaults to a native x86_64-linux package-set).
In order to support the use-case of using nix outputs obtained from a
package-set within `preSignCommands`, the value set in this option must
not carry in any output paths from package-sets defined elsewhere. For
example, the following configuration is problematic and will not work
when building the flash script, due to `pkgs` having a `hostPlatform` of
aarch64-linux, thus `hello` will be an ELF binary targeting
aarch64-linux:

```nix
{ pkgs, ... }: {
  hardware.nvidia-jetpack.firmware.secureBoot.preSignCommands = ''
    ${pkgs.hello}/bin/hello
  '';
}
```

The correct usage would be:
```nix
{ ... }: {
  hardware.nvidia-jetpack.firmware.secureBoot.preSignCommands = pkgs: ''
    ${pkgs.hello}/bin/hello
  '';
}
```
  • Loading branch information
jmbaur authored and danielfullmer committed Sep 26, 2024
1 parent 776c1d4 commit 306d921
Show file tree
Hide file tree
Showing 3 changed files with 35 additions and 8 deletions.
7 changes: 5 additions & 2 deletions device-pkgs/default.nix
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
, runCommand
, writeScript
, writeShellApplication
, buildPackages
}:

let
Expand Down Expand Up @@ -64,7 +65,7 @@ let
export RAMCODE=${variant.ramcode}
''}
${cfg.firmware.secureBoot.preSignCommands}
${cfg.firmware.secureBoot.preSignCommands buildPackages}
${mkFlashScript nvidia-jetpack.flash-tools (args // { flashArgs = [ "--no-root-check" "--no-flash" ] ++ (args.flashArgs or flashArgs); }) }
Expand Down Expand Up @@ -149,7 +150,9 @@ let
inherit (cfg.firmware.secureBoot) requiredSystemFeatures;
}
(mkFlashScript nvidia-jetpack.flash-tools {
flashCommands = cfg.firmware.secureBoot.preSignCommands + lib.concatMapStringsSep "\n"
flashCommands = ''
${cfg.firmware.secureBoot.preSignCommands buildPackages}
'' + lib.concatMapStringsSep "\n"
(v: with v; ''
BOARDID=${boardid} BOARDSKU=${boardsku} FAB=${fab} BOARDREV=${boardrev} FUSELEVEL=${fuselevel} CHIPREV=${chiprev} ${lib.optionalString (chipsku != null) "CHIP_SKU=${chipsku}"} ${lib.optionalString (ramcode != null) "RAMCODE=${ramcode}"} ./flash.sh ${lib.optionalString (partitionTemplate != null) "-c flash.xml"} --no-root-check --no-flash --sign ${builtins.toString flashArgs}
Expand Down
30 changes: 26 additions & 4 deletions modules/flash-script.nix
Original file line number Diff line number Diff line change
Expand Up @@ -136,9 +136,20 @@ in
};

preSignCommands = lib.mkOption {
type = types.lines;
type = types.oneOf [ (types.functionTo types.lines) types.lines ];
apply = val: if lib.isFunction val then val else _: val;
default = "";
description = "Additional commands to run before performing operation that involve signing. Can be used to set up environment to interact with an external HSM.";
description = ''
Additional commands to run before performing operation that
involve signing. Can be used to set up environment to interact
with an external HSM.
Since preSignCommands is used in different contexts where the
package-set in use may differ (mostly in order to satisfy
building NVIDIA's flash scripts for x86_64-linux), you should
define this option to be a function that accepts the `pkgs`
package-set if you need to access something from it.
'';
};
};
};
Expand Down Expand Up @@ -225,9 +236,20 @@ in
};

preSignCommands = lib.mkOption {
type = types.lines;
type = types.oneOf [ (types.functionTo types.lines) types.lines ];
apply = val: if lib.isFunction val then val else _: val;
default = "";
description = "Additional commands to run before performing operation that involve signing. Can be used to set up environment to interact with an external HSM.";
description = ''
Additional commands to run before performing operation that
involve signing. Can be used to set up environment to interact
with an external HSM.
Since preSignCommands is used in different contexts where the
package-set in use may differ (mostly in order to satisfy
building NVIDIA's flash scripts for x86_64-linux), you should
define this option to be a function that accepts the `pkgs`
package-set if you need to access something from it.
'';
};
};

Expand Down
6 changes: 4 additions & 2 deletions overlay-with-config.nix
Original file line number Diff line number Diff line change
Expand Up @@ -114,7 +114,9 @@ final: prev: (
final.pkgsBuildBuild.nvidia-jetpack.flash-tools # we need flash-tools for the buildPlatform
{
# TODO: Remove preSignCommands when we switch to using signedFirmware directly
flashCommands = cfg.firmware.secureBoot.preSignCommands + lib.concatMapStringsSep "\n"
flashCommands = ''
${cfg.firmware.secureBoot.preSignCommands final.buildPackages}
'' + lib.concatMapStringsSep "\n"
(v: with v;
"BOARDID=${boardid} BOARDSKU=${boardsku} FAB=${fab} BOARDREV=${boardrev} FUSELEVEL=${fuselevel} CHIPREV=${chiprev} ${lib.optionalString (chipsku != null) "CHIP_SKU=${chipsku}"} ${lib.optionalString (ramcode != null) "RAMCODE=${ramcode}"} ./flash.sh ${lib.optionalString (cfg.flashScriptOverrides.partitionTemplate != null) "-c flash.xml"} --no-flash --bup --multi-spec ${builtins.toString cfg.flashScriptOverrides.flashArgs}"
)
Expand All @@ -133,7 +135,7 @@ final: prev: (
inherit (cfg.firmware.uefi.capsuleAuthentication) requiredSystemFeatures;
}
(''
${cfg.firmware.uefi.capsuleAuthentication.preSignCommands}
${cfg.firmware.uefi.capsuleAuthentication.preSignCommands final.buildPackages}
bash ${finalJetpack.flash-tools}/generate_capsule/l4t_generate_soc_capsule.sh \
'' + (lib.optionalString cfg.firmware.uefi.capsuleAuthentication.enable ''
--trusted-public-cert ${cfg.firmware.uefi.capsuleAuthentication.trustedPublicCertPemFile} \
Expand Down

0 comments on commit 306d921

Please sign in to comment.