diff --git a/.reuse/dep5 b/.reuse/dep5
index 281be01f3..6975c9e2c 100644
--- a/.reuse/dep5
+++ b/.reuse/dep5
@@ -6,3 +6,7 @@ Source: https://github.com/tiiuae/ghaf
 Copyright: 2022-2024 Technology Innovation Institute (TII)
 License: Apache-2.0
 Files: *.lock *.png *.svg *.patch *.db *.key *.pem *.cer *.p12
+
+Copyright: 2022-2024 Technology Innovation Institute (TII)
+License: Apache-2.0
+Files: modules/host/ghaf_host_hardened_baseline-x86 modules/host/ghaf_host_hardened_baseline-jetson-orin
diff --git a/modules/host/ghaf_host_hardened_baseline b/modules/host/ghaf_host_hardened_baseline-x86
similarity index 100%
rename from modules/host/ghaf_host_hardened_baseline
rename to modules/host/ghaf_host_hardened_baseline-x86
diff --git a/modules/host/ghaf_host_hardened_baseline.license b/modules/host/ghaf_host_hardened_baseline.license
deleted file mode 100644
index 4c903bea8..000000000
--- a/modules/host/ghaf_host_hardened_baseline.license
+++ /dev/null
@@ -1,3 +0,0 @@
-SPDX-FileCopyrightText: 2022-2023 TII (SSRC) and the Ghaf contributors
-
-SPDX-License-Identifier: Apache-2.0
diff --git a/nix/devshell.nix b/nix/devshell.nix
index edaf6e8c6..96d2adb2a 100644
--- a/nix/devshell.nix
+++ b/nix/devshell.nix
@@ -3,6 +3,7 @@
 {inputs, ...}: {
 imports = with inputs; [
 flake-root.flakeModule
+ ./devshell/kernel.nix
 # TODO this import needs to be filtered to remove RISCV
 # pre-commit-hooks-nix.flakeModule
 ];
@@ -11,32 +12,9 @@
 inputs',
 self',
 lib,
+ system,
 ...
 }: {
- devShells.kernel-x86 = pkgs.mkShell {
- name = "Kernel-x86 devshell";
- packages = with pkgs; [
- ncurses
- pkg-config
- self'.packages.kernel-hardening-checker
- ];
-
- inputsFrom = [pkgs.linux_latest];
-
- shellHook = ''
- export src=${pkgs.linux_latest.src}
- if [ ! -d "linux-${pkgs.linux_latest.version}" ]; then
- unpackPhase
- patchPhase
- fi
- cd linux-${pkgs.linux_latest.version}
-
- export PS1="[ghaf-kernel-devshell:\w]$ "
- '';
- # use "eval $checkPhase" - see https://discourse.nixos.org/t/nix-develop-and-checkphase/25707
- checkPhase = "cp ../modules/host/ghaf_host_hardened_baseline ./.config && make -j$(nproc)";
- };
-
 devShells.default = let
 nix-build-all = pkgs.writeShellApplication {
 name = "nix-build-all";
diff --git a/nix/devshell/kernel.nix b/nix/devshell/kernel.nix
new file mode 100644
index 000000000..66157a260
--- /dev/null
+++ b/nix/devshell/kernel.nix
@@ -0,0 +1,63 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{inputs, ...}: {
+ perSystem = {
+ pkgs,
+ self',
+ system,
+ ...
+ }: let
+ mkKernelShell = {
+ platform,
+ linux,
+ extraPackages ? [],
+ shellHook ? "",
+ }:
+ pkgs.mkShell {
+ name = "Kernel-${platform} devshell";
+ packages = with pkgs;
+ [
+ ncurses
+ pkg-config
+ self'.packages.kernel-hardening-checker
+ ]
+ ++ extraPackages;
+
+ inputsFrom = [linux];
+
+ shellHook = ''
+ export src=${linux.src}
+ if [ -d "$src" ]; then
+ # Jetpack's kernel named "source-patched" or likewise, workaround it
+ linuxDir=$(stripHash ${linux.src})
+ else
+ linuxDir="linux-${linux.version}"
+ fi
+ if [ ! -d "$linuxDir" ]; then
+ unpackPhase
+ patchPhase
+ fi
+ cd "$linuxDir"
+ # extra post-patching for NVidia
+ ${shellHook}
+
+ export PS1="[ghaf-kernel-${platform}-devshell:\w]$ "
+ '';
+ # use "eval $checkPhase" - see https://discourse.nixos.org/t/nix-develop-and-checkphase/25707
+ checkPhase = "cp ../modules/host/ghaf_host_hardened_baseline-${platform} ./.config && make -j$(nproc)";
+ };
+ in {
+ devShells.kernel-x86 = mkKernelShell {
+ platform = "x86";
+ linux = pkgs.linux_latest;
+ };
+ devShells.kernel-jetson-orin = mkKernelShell {
+ platform = "jetson-orin";
+ linux = inputs.jetpack-nixos.legacyPackages.${system}.kernel;
+ extraPackages = [pkgs.gawk];
+ shellHook = ''
+ patchShebangs scripts/
+ '';
+ };
+ };
+}
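Review bot: `devShells.kernel-jetson-orin` reads `inputs.jetpack-nixos.legacyPackages.${system}.kernel` for every system perSystem is instantiated for, so if jetpack-nixos does not provide that system the attribute lookup fails whenever the devShells set is evaluated (`nix flake show`, `nix flake check`) instead of the shell simply being absent; guarding it with `pkgs.lib.optionalAttrs (inputs.jetpack-nixos.legacyPackages ? ${system}) { kernel-jetson-orin = …; }` merged onto the `kernel-x86` attribute with `//` keeps evaluation safe on the other systems. The jetson `checkPhase` copies `../modules/host/ghaf_host_hardened_baseline-jetson-orin`, which the dep5 hunk lists but which this diff does not add (only the rename to `-x86` is present), so `eval $checkPhase` in that shell can only succeed once that file exists outside this diff. Both checkPhases also resolve the baseline relative to wherever `nix develop` was started; a guard at the top of the shellHook, `[ -f "modules/host/ghaf_host_hardened_baseline-${platform}" ] || echo "warning: start this shell from the ghaf repository root" >&2`, surfaces that assumption before the `cp` fails with an opaque path error. Style: the `shellHook ? ""` parameter shares its name with the mkShell `shellHook` attribute it is spliced into; `extraShellHook`, matching `extraPackages`, reads more clearly, and the comment `# extra post-patching for NVidia` should describe the hook generically since it runs for every platform.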