forked from anduril/jetpack-nixos
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathoverlay-with-config.nix
202 lines (179 loc) · 9.33 KB
/
overlay-with-config.nix
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
# device-specific packages that are influenced by the nixos config
config:
let
inherit (config.networking) hostName;
in
final: prev: (
let
cfg = config.hardware.nvidia-jetpack;
inherit (final) lib;
tosArgs = {
inherit (final.nvidia-jetpack) socType;
inherit (cfg.firmware.optee) taPublicKeyFile;
opteePatches = cfg.firmware.optee.patches;
extraMakeFlags = cfg.firmware.optee.extraMakeFlags;
};
flashTools = cfg.flasherPkgs.callPackages (import ./device-pkgs { inherit config; pkgs = final; }) { };
in
{
nvidia-jetpack = prev.nvidia-jetpack.overrideScope (finalJetpack: prevJetpack: {
socType =
if cfg.som == null then null
else if lib.hasPrefix "orin-" cfg.som then "t234"
else if lib.hasPrefix "xavier-" cfg.som then "t194"
else throw "Unknown SoC type";
chipId =
if cfg.som == null then null
else if lib.hasPrefix "orin-" cfg.som then "0x23"
else if lib.hasPrefix "xavier-" cfg.som then "0x19"
else throw "Unknown SoC type";
otaUtils = prevJetpack.otaUtils.override {
inherit (config.boot.loader.efi) efiSysMountPoint;
};
uefi-firmware = prevJetpack.uefi-firmware.override ({
bootLogo = cfg.firmware.uefi.logo;
debugMode = cfg.firmware.uefi.debugMode;
errorLevelInfo = cfg.firmware.uefi.errorLevelInfo;
edk2NvidiaPatches = cfg.firmware.uefi.edk2NvidiaPatches;
edk2UefiPatches = cfg.firmware.uefi.edk2UefiPatches;
} // lib.optionalAttrs cfg.firmware.uefi.capsuleAuthentication.enable {
inherit (cfg.firmware.uefi.capsuleAuthentication) trustedPublicCertPemFile;
});
flash-tools = prevJetpack.flash-tools.overrideAttrs ({ patches ? [ ], postPatch ? "", ... }: {
patches = patches ++ cfg.flashScriptOverrides.patches;
postPatch = postPatch + cfg.flashScriptOverrides.postPatch;
});
tosImage = finalJetpack.buildTOS tosArgs;
taDevKit = finalJetpack.buildOpteeTaDevKit tosArgs;
inherit (finalJetpack.tosImage) nvLuksSrv hwKeyAgent;
flashInitrd =
let
modules = [ "qspi_mtd" "spi_tegra210_qspi" "at24" "spi_nor" ];
modulesClosure = prev.makeModulesClosure {
rootModules = modules;
kernel = config.system.modulesTree;
firmware = config.hardware.firmware;
allowMissing = false;
};
jetpack-init = prev.writeScript "init" ''
#!${prev.pkgsStatic.busybox}/bin/sh
export PATH=${prev.pkgsStatic.busybox}/bin
mkdir -p /proc /dev /sys
mount -t proc proc -o nosuid,nodev,noexec /proc
mount -t devtmpfs none -o nosuid /dev
mount -t sysfs sysfs -o nosuid,nodev,noexec /sys
for mod in ${builtins.toString modules}; do
modprobe -v $mod
done
# `signedFirmware` must be built on x86_64, so we make a
# concatenated initrd that places `signedFirmware` at a well
# known path so that the final initrd can be constructed from
# outside the context of this nixos config (which has an
# aarch64-linux package-set).
if ${lib.getExe finalJetpack.flashFromDevice} ${finalJetpack.signedFirmware}; then
echo "Flashing platform firmware successful. Rebooting now."
sync
reboot -f
else
echo "Flashing platform firmware unsuccessful. Entering console"
exec ${prev.pkgsStatic.busybox}/bin/sh
fi
'';
in
prev.makeInitrd {
contents = [
{ object = jetpack-init; symlink = "/init"; }
{ object = "${modulesClosure}/lib"; symlink = "/lib"; }
];
};
# mkFlashScript is declared here due to its dependence on values from
# `config`, but it is not inherently tied to any one particular
# hostPlatform or buildPlatform (for example, it can be used to build
# the "bup" entirely on an aarch64 build machine). mkFlashScript's
# hostPlatform and buildPlatform is determined by which flash-tools
# you give it, so if your flash-tools is for an x86_64-linux
# hostPlatform, then mkFlashScript will generate script commands that
# will need to be ran on x86_64-linux.
mkFlashScript = flash-tools: args: import ./device-pkgs/flash-script.nix ({
inherit lib flash-tools;
inherit (cfg.firmware) eksFile;
inherit (cfg.flashScriptOverrides) flashArgs partitionTemplate preFlashCommands postFlashCommands;
inherit (finalJetpack) tosImage socType uefi-firmware;
additionalDtbOverlays = args.additionalDtbOverlays or cfg.flashScriptOverrides.additionalDtbOverlays;
dtbsDir = config.hardware.deviceTree.package;
} // (builtins.removeAttrs args [ "additionalDtbOverlays" ]));
bup = prev.runCommand "bup-${config.networking.hostName}-${finalJetpack.l4tVersion}"
{
inherit (cfg.firmware.secureBoot) requiredSystemFeatures;
}
((finalJetpack.mkFlashScript
final.pkgsBuildBuild.nvidia-jetpack.flash-tools # we need flash-tools for the buildPlatform
{
# TODO: Remove preSignCommands when we switch to using signedFirmware directly
flashCommands = ''
${cfg.firmware.secureBoot.preSignCommands final.buildPackages}
'' + lib.concatMapStringsSep "\n"
(v: with v;
"BOARDID=${boardid} BOARDSKU=${boardsku} FAB=${fab} BOARDREV=${boardrev} FUSELEVEL=${fuselevel} CHIPREV=${chiprev} ${lib.optionalString (chipsku != null) "CHIP_SKU=${chipsku}"} ${lib.optionalString (ramcode != null) "RAMCODE=${ramcode}"} ./flash.sh ${lib.optionalString (cfg.flashScriptOverrides.partitionTemplate != null) "-c flash.xml"} --no-flash --bup --multi-spec ${builtins.toString cfg.flashScriptOverrides.flashArgs}"
)
cfg.firmware.variants;
}) + ''
mkdir -p $out
cp -r bootloader/payloads_*/* $out/
'');
# See l4t_generate_soc_bup.sh
# python ${edk2-jetson}/BaseTools/BinWrappers/PosixLike/GenerateCapsule -v --encode --monotonic-count 1
# NOTE: providing null public certs here will use the test certs in the EDK2 repo
uefiCapsuleUpdate = prev.runCommand "uefi-${config.networking.hostName}-${finalJetpack.l4tVersion}.Cap"
{
nativeBuildInputs = [ prev.buildPackages.python3 prev.buildPackages.openssl ];
inherit (cfg.firmware.uefi.capsuleAuthentication) requiredSystemFeatures;
}
(''
${cfg.firmware.uefi.capsuleAuthentication.preSignCommands final.buildPackages}
bash ${final.pkgsBuildBuild.nvidia-jetpack.flash-tools}/generate_capsule/l4t_generate_soc_capsule.sh \
'' + (lib.optionalString cfg.firmware.uefi.capsuleAuthentication.enable ''
--trusted-public-cert ${cfg.firmware.uefi.capsuleAuthentication.trustedPublicCertPemFile} \
--other-public-cert ${cfg.firmware.uefi.capsuleAuthentication.otherPublicCertPemFile} \
--signer-private-cert ${cfg.firmware.uefi.capsuleAuthentication.signerPrivateCertPemFile} \
'') + ''
-i ${finalJetpack.bup}/bl_only_payload \
-o $out \
${finalJetpack.socType}
'');
signedFirmware = final.runCommand "signed-${hostName}-${finalJetpack.l4tVersion}"
{ inherit (cfg.firmware.secureBoot) requiredSystemFeatures; }
(finalJetpack.mkFlashScript final.pkgsBuildBuild.nvidia-jetpack.flash-tools {
flashCommands = ''
${cfg.firmware.secureBoot.preSignCommands final}
'' + lib.concatMapStringsSep "\n"
(v: with v; ''
BOARDID=${boardid} BOARDSKU=${boardsku} FAB=${fab} BOARDREV=${boardrev} FUSELEVEL=${fuselevel} CHIPREV=${chiprev} ${lib.optionalString (chipsku != null) "CHIP_SKU=${chipsku}"} ${lib.optionalString (ramcode != null) "RAMCODE=${ramcode}"} ./flash.sh ${lib.optionalString (cfg.flashScriptOverrides.partitionTemplate != null) "-c flash.xml"} --no-root-check --no-flash --sign ${builtins.toString cfg.flashScriptOverrides.flashArgs}
outdir=$out/${boardid}-${fab}-${boardsku}-${boardrev}-${if fuselevel == "fuselevel_production" then "1" else "0"}-${chiprev}--
mkdir -p $outdir
cp -v bootloader/signed/flash.idx $outdir/
# Copy files referenced by flash.idx
while IFS=", " read -r partnumber partloc start_location partsize partfile partattrs partsha; do
if [[ "$partfile" != "" ]]; then
if [[ -f "bootloader/signed/$partfile" ]]; then
cp -v "bootloader/signed/$partfile" $outdir/
elif [[ -f "bootloader/$partfile" ]]; then
cp -v "bootloader/$partfile" $outdir/
else
echo "Unable to find $partfile"
exit 1
fi
fi
done < bootloader/signed/flash.idx
rm -rf bootloader/signed
'')
cfg.firmware.variants;
});
# Use the flash-tools produced by mkFlashScript, we need whatever changes
# the script made, as well as the flashcmd.txt from it
flash-tools-flashcmd = finalJetpack.callPackage ./device-pkgs/flash-tools-flashcmd.nix {
inherit cfg;
};
} // flashTools);
}
)