refactor kernel devshell, add jetson orin kernel

Signed-off-by: Alexander Nikolaev <[email protected]>

.reuse/dep5

@@ -6,3 +6,7 @@ Source: https://github.com/tiiuae/ghaf
 Copyright: 2022-2024 Technology Innovation Institute (TII) <https://github.com/tiiuae/ghaf>
 License: Apache-2.0
 Files: *.lock *.png *.svg *.patch *.db *.key *.pem *.cer *.p12
+
+Copyright: 2022-2024 Technology Innovation Institute (TII) <https://github.com/tiiuae/ghaf>
+License: Apache-2.0
+Files: modules/host/ghaf_host_hardened_baseline-x86 modules/host/ghaf_host_hardened_baseline-jetson-orin

nix/devshell.nix

@@ -3,6 +3,7 @@
 {inputs, ...}: {
   imports = with inputs; [
     flake-root.flakeModule
+    ./devshell/kernel.nix
     # TODO this import needs to be filtered to remove RISCV
     # pre-commit-hooks-nix.flakeModule
   ];
@@ -11,32 +12,9 @@
     inputs',
     self',
     lib,
+    system,
     ...
   }: {
-    devShells.kernel-x86 = pkgs.mkShell {
-      name = "Kernel-x86 devshell";
-      packages = with pkgs; [
-        ncurses
-        pkg-config
-        self'.packages.kernel-hardening-checker
-      ];
-
-      inputsFrom = [pkgs.linux_latest];
-
-      shellHook = ''
-        export src=${pkgs.linux_latest.src}
-        if [ ! -d "linux-${pkgs.linux_latest.version}" ]; then
-          unpackPhase
-          patchPhase
-        fi
-        cd linux-${pkgs.linux_latest.version}
-
-        export PS1="[ghaf-kernel-devshell:\w]$ "
-      '';
-      # use "eval $checkPhase" - see https://discourse.nixos.org/t/nix-develop-and-checkphase/25707
-      checkPhase = "cp ../modules/host/ghaf_host_hardened_baseline ./.config && make -j$(nproc)";
-    };
-
     devShells.default = let
       nix-build-all = pkgs.writeShellApplication {
         name = "nix-build-all";

nix/devshell/kernel.nix

@@ -0,0 +1,63 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{inputs, ...}: {
+  perSystem = {
+    pkgs,
+    self',
+    system,
+    ...
+  }: let
+    mkKernelShell = {
+      platform,
+      linux,
+      extraPackages ? [],
+      shellHook ? "",
+    }:
+      pkgs.mkShell {
+        name = "Kernel-${platform} devshell";
+        packages = with pkgs;
+          [
+            ncurses
+            pkg-config
+            self'.packages.kernel-hardening-checker
+          ]
+          ++ extraPackages;
+
+        inputsFrom = [linux];
+
+        shellHook = ''
+          export src=${linux.src}
+          if [ -d "$src" ]; then
+            # Jetpack's kernel named "source-patched" or likewise, workaround it
+            linuxDir=$(stripHash ${linux.src})
+          else
+            linuxDir="linux-${linux.version}"
+          fi
+          if [ ! -d "$linuxDir" ]; then
+            unpackPhase
+            patchPhase
+          fi
+          cd "$linuxDir"
+          # extra post-patching for NVidia
+          ${shellHook}
+
+          export PS1="[ghaf-kernel-${platform}-devshell:\w]$ "
+        '';
+        # use "eval $checkPhase" - see https://discourse.nixos.org/t/nix-develop-and-checkphase/25707
+        checkPhase = "cp ../modules/host/ghaf_host_hardened_baseline-${platform} ./.config && make -j$(nproc)";
+      };
+  in {
+    devShells.kernel-x86 = mkKernelShell {
+      platform = "x86";
+      linux = pkgs.linux_latest;
+    };
+    devShells.kernel-jetson-orin = mkKernelShell {
+      platform = "jetson-orin";
+      linux = inputs.jetpack-nixos.legacyPackages.${system}.kernel;
+      extraPackages = [pkgs.gawk];
+      shellHook = ''
+        patchShebangs scripts/
+      '';
+    };
+  };
+}