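{
  lib,
  stdenv,
  autoPatchelfHook,
  cmake,
  pkg-config,
  testers,
  which,
  fetchgit,
  fetchpatch,

  # Xen
  acpica-tools,
  bison,
  bzip2,
  dev86,
  e2fsprogs,
  flex,
  libnl,
  libuuid,
  lzo,
  ncurses,
  ocamlPackages,
  perl,
  python3Packages,
  systemdMinimal,
  xz,
  yajl,
  zlib,
  zstd,

  # Optional Components
  seabios-qemu,
  systemSeaBIOS ? seabios-qemu,
  OVMF,
  ipxe,
  checkpolicy,
  binutils-unwrapped-all-targets,

  # Documentation
  pandoc,

  # Scripts
  bridge-utils,
  coreutils,
  diffutils,
  gawk,
  gnugrep,
  gnused,
  inetutils,
  iproute2,
  iptables,
  multipath-tools,
  nbd,
  openvswitch,
  util-linux,
}:

# Per-version arguments. `rev` and `hash` pin the exact upstream commit and
# its content hash, so the source is verified rather than fetched by tag.
# `patches` are applied after the default (XSA) list; `meta` is merged last
# and can override any meta attribute set here, including
# `knownVulnerabilities`, so downstreams should override it deliberately.
{
  pname,
  branch ? lib.versions.majorMinor version,
  version,
  vendor ? "nixos",
  withFlask ? false,
  withSeaBIOS ? true,
  withOVMF ? true,
  withIPXE ? true,
  useDefaultPatchList ? true,
  rev,
  hash,
  patches ? [ ],
  meta ? { },
}:

let
  # Inherit helper functions from lib and builtins.
  inherit (builtins) isAttrs;
  inherit (lib.strings)
    concatLines
    enableFeature
    makeSearchPathOutput
    optionalString
    removeSuffix
    versionOlder
    ;
  inherit (lib.platforms) linux aarch64;
  inherit (lib) teams;
  inherit (lib.licenses)
    cc-by-40
    gpl2Only
    lgpl21Only
    mit
    ;
  inherit (lib.meta) getExe';
  inherit (lib.lists)
    filter
    flatten
    optional
    optionals
    remove
    ;
  inherit (lib.attrsets) attrByPath;

  # Versions older than this are marked EOL via meta.knownVulnerabilities:
  # the Xen Project Security Team no longer issues XSA fixes for them, so
  # the XSA list below is not a complete picture of their exposure.
  minSupportedVersion = "4.16";

  ## Generic Patch Handling ##

  upstreamPatches = import ./patches.nix {
    inherit lib fetchpatch;
  };

  # Default patch set applied when useDefaultPatchList is true. The XSA_*
  # entries are Xen Security Advisory fixes; QUBES_REPRODUCIBLE_BUILDS is a
  # reproducibility patch (its contents live in ./patches.nix).
  upstreamPatchList = flatten (
    with upstreamPatches;
    [
      QUBES_REPRODUCIBLE_BUILDS
      XSA_460
      XSA_461
      XSA_462
    ]
  );

  ## XSA Patches Description Builder ##

  # Patches that carry an `xsa` attribute are the ones advertised in
  # meta.longDescription. Non-attrset entries (plain paths/derivations) and
  # attrsets without `xsa` are skipped rather than indexed into, so a
  # non-attrset element in the list can no longer shift the indices.
  describedPatches = filter (
    patch: isAttrs patch && attrByPath [ "xsa" ] null patch != null
  ) upstreamPatchList;

  # Renders one markdown entry for a single XSA patch, reading every field
  # from that same patch. A missing meta field is rendered as an empty string
  # instead of being dropped, so the title, link and description can never be
  # attributed to a different advisory than the XSA number they sit next to.
  #
  # Produces something like this: (one string for each XSA)
  # * [Xen Security Advisory #1](https://xenbits.xenproject.org/xsa/advisory-1.html): **Title for XSA.**
  # >Description of issue in XSA
  #Extra lines
  #are not indented,
  #but markdown should be
  #fine with it.
  # Fixes:
  # * [CVE-1999-00001](https://www.cve.org/CVERecord?id=CVE-1999-00001)
  # * [CVE-1999-00002](https://www.cve.org/CVERecord?id=CVE-1999-00002)
  # * [CVE-1999-00003](https://www.cve.org/CVERecord?id=CVE-1999-00003)
  describeAdvisory =
    patch:
    let
      xsa = patch.xsa;
      homepage = attrByPath [ "meta" "homepage" ] "" patch;
      description = attrByPath [ "meta" "description" ] "" patch;
      longDescription = attrByPath [ "meta" "longDescription" ] "" patch;
    in
    "* [Xen Security Advisory #"
    + xsa
    + "]("
    + homepage
    + "): "
    + "**"
    + description
    + ".**\n >"
    + longDescription;

  # Produces a list of newline-separated strings that lists the vulnerabilities this
  # Xen is NOT affected by, due to the applied Xen Security Advisory patches. This is
  # then used in meta.longDescription, to let users know their Xen is patched against
  # known vulnerabilities, as the package version isn't always the best indicator.
  # Empty when no patch in upstreamPatchList carries an `xsa` attribute.
  writeAdvisoryDescription = map describeAdvisory describedPatches;

  # PATH exported into the hotplug scripts under $out/etc/xen/scripts (see
  # postInstall). Pinning an explicit store-path PATH means these scripts do
  # not depend on whatever PATH the invoking toolstack process happened to
  # have.
  #TODO: fix paths instead.
  scriptEnvPath = makeSearchPathOutput "out" "bin" [
    bridge-utils
    coreutils
    diffutils
    gawk
    gnugrep
    gnused
    inetutils
    iproute2
    iptables
    multipath-tools
    nbd
    openvswitch
    perl
    util-linux.bin
    which
  ];
in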
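stdenv.mkDerivation (finalAttrs: {
  inherit pname version;

  # TODO: Split $out in $bin for binaries and $lib for libraries.
  # TODO: Python package to be in separate output/package.
  outputs = [
    "out"
    "man"
    "doc"
    "dev"
    "boot"
  ];

  # Main Xen source. The caller supplies an explicit revision and content
  # hash; together with the GIT/WGET make flags below this is the only
  # network fetch the build performs.
  src = fetchgit {
    url = "https://xenbits.xenproject.org/git-http/xen.git";
    inherit rev hash;
  };

  # Default (XSA) patches first, caller-supplied patches after them. The
  # `patches` on the right-hand side is the function argument, not this
  # attribute (the attrset is not recursive).
  patches = optionals useDefaultPatchList upstreamPatchList ++ patches;

  nativeBuildInputs = [
    autoPatchelfHook
    bison
    cmake
    flex
    pandoc
    pkg-config
    python3Packages.setuptools
  ];

  buildInputs = [
    # Xen
    acpica-tools
    bzip2
    dev86
    e2fsprogs.dev
    libnl
    libuuid
    lzo
    ncurses
    perl
    python3Packages.python
    xz
    yajl
    zlib
    zstd

    # oxenstored
    ocamlPackages.findlib
    ocamlPackages.ocaml

    # Python Fixes
    python3Packages.wrapPython
  ] ++ optional withFlask checkpolicy ++ optional (versionOlder version "4.19") systemdMinimal;

  # `--with-system-qemu` is given no path, so the device model is resolved
  # at runtime (see the `qemu_xen` note in meta.longDescription). Firmware
  # paths, when enabled, are baked in from the respective packages.
  configureFlags = [
    "--enable-systemd"
    "--disable-qemu-traditional"
    "--with-system-qemu"
    (if withSeaBIOS then "--with-system-seabios=${systemSeaBIOS.firmware}" else "--disable-seabios")
    (if withOVMF then "--with-system-ovmf=${OVMF.firmware}" else "--disable-ovmf")
    (if withIPXE then "--with-system-ipxe=${ipxe}" else "--disable-ipxe")
    (enableFeature withFlask "xsmpolicy")
  ];

  makeFlags =
    [
      "SUBSYSTEMS=${toString finalAttrs.buildFlags}"

      "PREFIX=$(out)"
      "BASH_COMPLETION_DIR=$(PREFIX)/share/bash-completion/completions"

      "XEN_WHOAMI=${pname}"
      "XEN_DOMAIN=${vendor}"

      # Point Xen's build at /bin/false for git and wget so it cannot clone
      # or download anything (e.g. firmware or qemu trees) at build time;
      # everything it needs must come from `src`, the patches, or the inputs
      # above.
      "GIT=${coreutils}/bin/false"
      "WGET=${coreutils}/bin/false"
      "EFI_VENDOR=${vendor}"
      "INSTALL_EFI_STRIP=1"
      "LD=${getExe' binutils-unwrapped-all-targets "ld"}"
    ]
    # These flags set the CONFIG_* options in /boot/xen.config
    # and define if the default policy file is built. However,
    # the Flask binaries always get compiled by default.
    ++ optionals withFlask [
      "XSM_ENABLE=y"
      "FLASK_ENABLE=y"
    ];

  buildFlags = [
    "xen"
    "tools"
    "docs"
  ];

  enableParallelBuilding = true;

  # These only demote the two warning classes from errors back to warnings;
  # the diagnostics are still emitted. `array-bounds` in particular can
  # point at real out-of-bounds accesses, so new occurrences in the build
  # log are worth reading rather than assuming they are compiler noise.
  env.NIX_CFLAGS_COMPILE = toString [
    "-Wno-error=maybe-uninitialized"
    "-Wno-error=array-bounds"
  ];

  dontUseCmakeConfigure = true;

  # Remove in-tree QEMU sources, we don't need them in any circumstance.
  # Dropping them before patching guarantees nothing from those trees can be
  # built or installed; the device model comes from the separate qemu_xen
  # package.
  prePatch = "rm --recursive --force tools/qemu-xen tools/qemu-xen-traditional";

  postPatch =
    # The following patch forces Xen to install xen.efi on $out/boot
    # instead of $out/boot/efi/efi/nixos, as the latter directory
    # would otherwise need to be created manually. This also creates
    # a more consistent output for downstreams who override the
    # vendor attribute above.
    ''
      substituteInPlace xen/Makefile \
        --replace-fail "\$(D)\$(EFI_MOUNTPOINT)/efi/\$(EFI_VENDOR)/\$(T)-\$(XEN_FULLVERSION).efi" \
                       "\$(D)\$(BOOT_DIR)/\$(T)-\$(XEN_FULLVERSION).efi"
    ''

    # The following patch fixes the call to /bin/mkdir on the
    # launch_xenstore.sh helper script.
    + ''
      substituteInPlace tools/hotplug/Linux/launch-xenstore.in \
        --replace-fail "/bin/mkdir" "${coreutils}/bin/mkdir"
    ''

    # The following expression fixes the paths called by Xen's systemd
    # units, so we can use them in the NixOS module. `--replace-fail`
    # makes the build abort if upstream ever stops referencing these
    # absolute paths, so a silent fallback to /bin cannot creep back in.
    + ''
      substituteInPlace \
        tools/hotplug/Linux/systemd/{xen-init-dom0,xen-qemu-dom0-disk-backend,xenconsoled,xendomains,xenstored}.service.in \
        --replace-fail /bin/grep ${gnugrep}/bin/grep
      substituteInPlace \
        tools/hotplug/Linux/systemd/{xen-qemu-dom0-disk-backend,xenconsoled}.service.in \
        --replace-fail "/bin/mkdir" "${coreutils}/bin/mkdir"
    '';

  # Xen's `make install` targets stage everything under dist/install with
  # the configured PREFIX ($out) inside it, hence the nix/store/*/* glob.
  installPhase = ''
    runHook preInstall

    mkdir --parents $out $out/share $boot
    cp -prvd dist/install/nix/store/*/* $out/
    cp -prvd dist/install/etc $out
    cp -prvd dist/install/boot $boot

    runHook postInstall
  '';

  postInstall =
    # Wrap xencov_split, xenmon and xentrace_format.
    ''
      wrapPythonPrograms
    ''

    # We also need to wrap pygrub, which lies in $out/libexec/xen/bin.
    + ''
      wrapPythonProgramsIn "$out/libexec/xen/bin" "$out $pythonPath"
    ''

    # Fix shebangs in Xen's various scripts.
    #
    # An `export PATH=...` is inserted as line 2 of every non-*.sh hotplug
    # script (line 1 is assumed to be the shebang), pinning the script to
    # store paths instead of whatever PATH the calling toolstack process
    # had. Note `2s` is a no-op on a one-line file, so such a script would
    # silently keep its inherited PATH. The *.sh files are excluded as-is
    # from the original; presumably they are sourced helpers rather than
    # executables — TODO confirm against tools/hotplug/Linux.
    #TODO: Remove any and all usage of `sed` and replace these complicated magic runes with readable code.
    + ''
      shopt -s extglob
      for i in $out/etc/xen/scripts/!(*.sh); do
        sed --in-place "2s@^@export PATH=$out/bin:${scriptEnvPath}\n@" "$i"
      done
    '';

  postFixup =
    ''
      addAutoPatchelfSearchPath $out/lib
      autoPatchelf $out/libexec/xen/bin
    ''
    # Flask is particularly hard to disable. Even after
    # setting the make flags to `n`, it still gets compiled.
    # If withFlask is disabled, delete the extra binaries.
    + optionalString (!withFlask) ''
      rm -f $out/bin/flask-*
    '';

  passthru = {
    efi = "boot/xen-${version}.efi";
    # Evaluating this attribute on a build without FLASK is an error on
    # purpose: a consumer asking for a policy file must not silently get a
    # path that does not exist.
    flaskPolicy =
      if withFlask then
        "boot/xenpolicy-${version}"
      else
        throw "This Xen was compiled without FLASK support.";
    # This test suite is very simple, as Xen's userspace
    # utilities require the hypervisor to be booted.
    tests = {
      pkg-config = testers.hasPkgConfigModules {
        package = finalAttrs.finalPackage;
        moduleNames = [
          "xencall"
          "xencontrol"
          "xendevicemodel"
          "xenevtchn"
          "xenforeignmemory"
          "xengnttab"
          "xenguest"
          "xenhypfs"
          "xenlight"
          "xenstat"
          "xenstore"
          "xentoolcore"
          "xentoollog"
          "xenvchan"
          "xlutil"
        ];
      };
    };
  };

  # Note: the caller's `meta` is merged last (`// meta`) and therefore wins
  # over every attribute below, including knownVulnerabilities.
  meta = {
    inherit branch;

    description = "Type-1 hypervisor intended for embedded and hyperscale use cases";
    longDescription =
      ''
        The Xen Project Hypervisor is a virtualisation technology defined as a *type-1
        hypervisor*, which allows multiple virtual machines, known as domains, to run
        concurrently with the host on the physical machine. On a typical *type-2
        hypervisor*, the virtual machines run as applications on top of the
        host. NixOS runs as the privileged **Domain 0**, and can paravirtualise or fully
        virtualise **Unprivileged Domains**.

        Use with the `qemu_xen` package.
      ''
      + "\nIncludes:\n* `xen.efi`: The Xen Project's [EFI binary](https://xenbits.xenproject.org/docs/${branch}-testing/misc/efi.html), available on the `boot` output of this package."
      + optionalString withFlask "\n* `xsm-flask`: The [FLASK Xen Security Module](https://wiki.xenproject.org/wiki/Xen_Security_Modules_:_XSM-FLASK). The `xenpolicy-${version}` file is available on the `boot` output of this package."
      + optionalString withSeaBIOS "\n* `seabios`: Support for the SeaBIOS boot firmware on HVM domains."
      + optionalString withOVMF "\n* `ovmf`: Support for the OVMF UEFI boot firmware on HVM domains."
      + optionalString withIPXE "\n* `ipxe`: Support for the iPXE boot firmware on HVM domains."
      # Finally, we write a notice explaining which vulnerabilities this Xen is NOT vulnerable to.
      # This will hopefully give users the peace of mind that their Xen is secure, without needing
      # to search the source code for the XSA patches. The list covers only the
      # XSA patches in upstreamPatchList (and only when useDefaultPatchList is
      # true); fixes already contained in the upstream release itself are not
      # enumerated here.
      + optionalString (writeAdvisoryDescription != [ ]) (
        "\n\nThis Xen Project Hypervisor (${version}) has been patched against the following known security vulnerabilities:\n"
        + removeSuffix "\n" (concatLines writeAdvisoryDescription)
      );

    homepage = "https://xenproject.org/";
    downloadPage = "https://downloads.xenproject.org/release/xen/${version}/";
    changelog = "https://wiki.xenproject.org/wiki/Xen_Project_${branch}_Release_Notes";

    license = [
      # Documentation.
      cc-by-40
      # Most of Xen is licensed under the GPL v2.0.
      gpl2Only
      # Xen Libraries and the `xl` command-line utility.
      lgpl21Only
      # Development headers in $dev/include.
      mit
    ];

    maintainers = teams.xen.members;
    # EOL versions receive no further XSA fixes from upstream; surface that
    # through the standard knownVulnerabilities mechanism so evaluation warns.
    knownVulnerabilities = optional (versionOlder version minSupportedVersion) "The Xen Project Hypervisor version ${version} is no longer supported by the Xen Project Security Team. See https://xenbits.xenproject.org/docs/unstable/support-matrix.html";

    mainProgram = "xl";

    #TODO: Migrate meta.platforms to the new lib.systems.inspect.patterns.* format.
    platforms = linux;
    badPlatforms = aarch64;
  } // meta;
})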