Refactor uefi-firmware

This splits out uefi-firmware into multiple derivations to allow for
easier overriding of individual components. This will eventually allow
for the removal of nixos options that override these components, as
overlays are now easier to use.

Author: jmbaur

UPGRADE_CHECKLIST.md

@@ -1,10 +1,11 @@
 ### Updating
 - [ ] Update `l4tVersion`, `jetpackVersion`, and `cudaVersion` in overlay.nix
-- [ ] Update branch/revision/sha256s in:
+- [ ] Update branch/revision/hashes in:
     - [ ] `overlay.nix`
     - [ ] `kernel/default.nix`
-    - [ ] `pkgs/uefi-firmware/default.nix`
-    - [ ] Grep for "sha256 = ", see if there is anything else not covered
+    - [ ] `pkgs/uefi-firmware/edk2-nvidia.nix`
+    - [ ] `pkgs/uefi-firmware/jetson-edk2-uefi.nix`
+    - [ ] `grep -r -e "hash = " -e "sha256 = "` to see if there is anything else not covered
 - [ ] Update the kernel version in `kernel/default.nix` if it chaged.
 - [ ] Run `debs-update.py` and `gitrepos-update.py` under `sourceinfo` to generate new sourceinfo json files
 - [ ] Compare files from `unpackedDebs` before and after

device-pkgs/flash-script.nix

@@ -9,7 +9,7 @@
   # be used by the bootloader(s) and passed to the kernel.
   dtbsDir ? null
 , # Optional package containing uefi_jetson.efi to replace prebuilt version
-  uefi-firmware ? null
+  uefiFirmware ? null
 , # Optional package containing tos.img to replace prebuilt version
   tosImage ? null
 , # Optional EKS file containing encrypted keyblob
@@ -44,15 +44,15 @@
 
   ${lib.optionalString (partitionTemplate != null) "cp ${partitionTemplate} flash.xml"}
   ${lib.optionalString (dtbsDir != null) "cp -r ${dtbsDir}/. kernel/dtb/"}
-  ${lib.optionalString (uefi-firmware != null) ''
-  cp ${uefi-firmware}/uefi_jetson.bin bootloader/uefi_jetson.bin
+  ${lib.optionalString (uefiFirmware != null) ''
+  cp ${uefiFirmware}/uefi_jetson.bin bootloader/uefi_jetson.bin
 
   # For normal NixOS usage, we'd probably use systemd-boot or GRUB instead,
   # but lets replace the upstream L4TLauncher EFI payload anyway
-  cp ${uefi-firmware}/L4TLauncher.efi bootloader/BOOTAA64.efi
+  cp ${uefiFirmware}/L4TLauncher.efi bootloader/BOOTAA64.efi
 
   # Replace additional dtbos
-  cp ${uefi-firmware}/dtbs/*.dtbo kernel/dtb/
+  cp ${uefiFirmware}/dtbs/*.dtbo kernel/dtb/
   ''}
   ${lib.optionalString (tosImage != null) ''
   cp ${tosImage}/tos.img bootloader/tos-optee_${socType}.img

modules/flash-script.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, utils, ... }:
+{ options, config, pkgs, lib, utils, ... }:
 
 # Convenience package that allows you to set options for the flash script using the NixOS module system.
 # You could do the overrides yourself if you'd prefer.

overlay-with-config.nix

@@ -38,14 +38,19 @@ final: prev: (
         inherit (config.boot.loader.efi) efiSysMountPoint;
       };
 
-      uefi-firmware = prevJetpack.uefi-firmware.override ({
+      edk2NvidiaSrc = (prevJetpack.edk2NvidiaSrc.override {
+        errorLevelInfo = cfg.firmware.uefi.errorLevelInfo;
         bootLogo = cfg.firmware.uefi.logo;
+      }).overrideAttrs (old: {
+        patches = (old.patches or [ ]) ++ cfg.firmware.uefi.edk2NvidiaPatches;
+      });
+
+      jetsonEdk2Uefi = (prevJetpack.jetsonEdk2Uefi.override ({
         debugMode = cfg.firmware.uefi.debugMode;
-        errorLevelInfo = cfg.firmware.uefi.errorLevelInfo;
-        edk2NvidiaPatches = cfg.firmware.uefi.edk2NvidiaPatches;
-        edk2UefiPatches = cfg.firmware.uefi.edk2UefiPatches;
       } // lib.optionalAttrs cfg.firmware.uefi.capsuleAuthentication.enable {
         inherit (cfg.firmware.uefi.capsuleAuthentication) trustedPublicCertPemFile;
+      })).overrideAttrs (old: {
+        patches = (old.patches or [ ]) ++ cfg.firmware.uefi.edk2UefiPatches;
       });
 
       flash-tools = prevJetpack.flash-tools.overrideAttrs ({ patches ? [ ], postPatch ? "", ... }: {
@@ -112,7 +117,7 @@ final: prev: (
         inherit lib flash-tools;
         inherit (cfg.firmware) eksFile;
         inherit (cfg.flashScriptOverrides) flashArgs partitionTemplate preFlashCommands postFlashCommands;
-        inherit (finalJetpack) tosImage socType uefi-firmware;
+        inherit (finalJetpack) tosImage socType uefiFirmware;
 
         additionalDtbOverlays = args.additionalDtbOverlays or cfg.flashScriptOverrides.additionalDtbOverlays;
         dtbsDir = config.hardware.deviceTree.package;

overlay.nix

@@ -59,8 +59,9 @@ in
         self.gitRepos
     );
 
-    inherit (prev.callPackages ./pkgs/uefi-firmware { inherit (self) l4tVersion; })
-      edk2-jetson uefi-firmware;
+    edk2NvidiaSrc = self.callPackage ./pkgs/uefi-firmware/edk2-nvidia-src.nix { };
+    jetsonEdk2Uefi = self.callPackage ./pkgs/uefi-firmware/jetson-edk2-uefi.nix { };
+    uefiFirmware = self.callPackage ./pkgs/uefi-firmware/default.nix { };
 
     inherit (prev.callPackages ./pkgs/optee {
       # Nvidia's recommended toolchain is gcc9:

pkgs/uefi-firmware/default.nix

@@ -1,269 +1,29 @@
-{ lib
-, stdenv
-, buildPackages
-, fetchFromGitHub
-, fetchurl
-, fetchpatch
-, fetchpatch2
-, runCommand
-, edk2
-, acpica-tools
-, dtc
+{ runCommand
 , python3
-, bc
-, imagemagick
-, unixtools
-, libuuid
-, applyPatches
 , nukeReferences
 , l4tVersion
-, # Optional path to a boot logo that will be converted and cropped into the format required
-  bootLogo ? null
-, # Patches to apply to edk2-nvidia source tree
-  edk2NvidiaPatches ? [ ]
-, # Patches to apply to edk2 source tree
-  edk2UefiPatches ? [ ]
-, debugMode ? false
-, errorLevelInfo ? debugMode
-, # Enables a bunch more info messages
-
-  # The root certificate (in PEM format) for authenticating capsule updates. By
-  # default, EDK2 authenticates using a test keypair commited upstream.
-  trustedPublicCertPemFile ? null
+, edk2NvidiaSrc
+, jetsonEdk2Uefi
 }:
 
-let
-  # TODO: Move this generation out of uefi-firmware.nix, because this .nix
-  # file is callPackage'd using an aarch64 version of nixpkgs, and we don't
-  # want to have to recompilie imagemagick
-  bootLogoVariants = runCommand "uefi-bootlogo" { nativeBuildInputs = [ buildPackages.buildPackages.imagemagick ]; } ''
-    mkdir -p $out
-    convert ${bootLogo} -resize 1920x1080 -gravity Center -extent 1920x1080 -format bmp -define bmp:format=bmp3 $out/logo1080.bmp
-    convert ${bootLogo} -resize 1280x720  -gravity Center -extent 1280x720  -format bmp -define bmp:format=bmp3 $out/logo720.bmp
-    convert ${bootLogo} -resize 640x480   -gravity Center -extent 640x480   -format bmp -define bmp:format=bmp3 $out/logo480.bmp
-  '';
-
-  ###
-
-  # See: https://github.com/NVIDIA/edk2-edkrepo-manifest/blob/main/edk2-nvidia/Jetson/NVIDIAJetsonManifest.xml
-  edk2-src = applyPatches {
-    src = fetchFromGitHub {
-      owner = "NVIDIA";
-      repo = "edk2";
-      rev = "r${l4tVersion}-edk2-stable202208";
-      fetchSubmodules = true;
-      sha256 = "sha256-w+rZq7Wjni62MJds6QmqpLod+zSFZ/qAN7kRDOit+jo=";
-    };
-    patches = [
-      # Fix GCC 14 compile issue.
-      # PR: https://github.com/tianocore/edk2/pull/5781
-      (fetchpatch {
-        url = "https://github.com/NVIDIA/edk2/commit/57a890fd03356350a1b7a2a0064c8118f44e9958.patch";
-        hash = "sha256-on+yJOlH9B2cD1CS9b8Pmg99pzrlrZT6/n4qPHAbDcA=";
-      })
-    ];
-  };
-
-  edk2-platforms = fetchFromGitHub {
-    owner = "NVIDIA";
-    repo = "edk2-platforms";
-    rev = "r${l4tVersion}-upstream-20220830";
-    sha256 = "sha256-PjAJEbbswOLYupMg/xEqkAOJuAC8SxNsQlb9YBswRfo=";
-  };
-
-  edk2-non-osi = fetchFromGitHub {
-    owner = "NVIDIA";
-    repo = "edk2-non-osi";
-    rev = "r${l4tVersion}-upstream-20220830";
-    sha256 = "sha256-EPtI63jYhEIo4uVTH3lUt9NC/lK5vPVacUAc5qgmz9M=";
-  };
-
-  edk2-nvidia = applyPatches {
-    src = fetchFromGitHub {
-      owner = "NVIDIA";
-      repo = "edk2-nvidia";
-      rev = "c101ba515b2737fb78d8929c2852f5c8f9607330"; # Latest on r${l4tVersion}-updates branch as of 2024-01-15
-      sha256 = "sha256-Ofj1FS1wLTLf6rCCPbB841SSBM3wjW4tdUJD6cY0ixE=";
-    };
-    patches = edk2NvidiaPatches ++ [
-      # Fix Eqos driver to use correct TX clock name
-      # PR: https://github.com/NVIDIA/edk2-nvidia/pull/76
-      (fetchpatch {
-        url = "https://github.com/NVIDIA/edk2-nvidia/commit/26f50dc3f0f041d20352d1656851c77f43c7238e.patch";
-        hash = "sha256-cc+eGLFHZ6JQQix1VWe/UOkGunAzPb8jM9SXa9ScIn8=";
-      })
-
-      ./capsule-authentication.patch
-
-      # Have UEFI use the device tree compiled into the firmware, instead of
-      # using one from the kernel-dtb partition.
-      # See: https://github.com/anduril/jetpack-nixos/pull/18
-      ./edk2-uefi-dtb.patch
-
-      # Include patches to fix "Assertion 3" mentioned here:
-      # https://forums.developer.nvidia.com/t/assertion-issue-in-uefi-during-boot/315628
-      # From this PR: https://github.com/NVIDIA/edk2-nvidia/pull/110
-      # It is unclear if it does (as of 2025-01-03), but hopefully this also
-      # resolves the critical issue mentioned here:
-      # https://forums.developer.nvidia.com/t/possible-uefi-memory-leak-and-partition-full/308540
-      ./fix-bug-in-block-erase-logic.patch
-      ./fix-variant-read-records-per-erase-block-and-fix-leak.patch
-    ];
-    postPatch = lib.optionalString errorLevelInfo ''
-      sed -i 's#PcdDebugPrintErrorLevel|.*#PcdDebugPrintErrorLevel|0x8000004F#' Platform/NVIDIA/NVIDIA.common.dsc.inc
-    '' + lib.optionalString (bootLogo != null) ''
-      cp ${bootLogoVariants}/logo1080.bmp Silicon/NVIDIA/Assets/nvidiagray1080.bmp
-      cp ${bootLogoVariants}/logo720.bmp Silicon/NVIDIA/Assets/nvidiagray720.bmp
-      cp ${bootLogoVariants}/logo480.bmp Silicon/NVIDIA/Assets/nvidiagray480.bmp
-    '';
-  };
-
-  edk2-nvidia-non-osi = fetchFromGitHub {
-    owner = "NVIDIA";
-    repo = "edk2-nvidia-non-osi";
-    rev = "r${l4tVersion}";
-    sha256 = "sha256-Fg8s9Fjwt5IzrGdJ7TKI3AjZLh/wHN8oyvi5Xw+Jg+k=";
-  };
-
-  edk2-jetson = edk2.overrideAttrs (prev: {
-    # Upstream nixpkgs patch to use nixpkgs OpenSSL
-    # See https://github.com/NixOS/nixpkgs/blob/44733514b72e732bd49f5511bd0203dea9b9a434/pkgs/development/compilers/edk2/default.nix#L57
-    src = runCommand "edk2-unvendored-src" { } ''
-      cp --no-preserve=mode -r ${edk2-src} $out
-      rm -rf $out/CryptoPkg/Library/OpensslLib/openssl
-      mkdir -p $out/CryptoPkg/Library/OpensslLib/openssl
-      tar --strip-components=1 -xf ${buildPackages.openssl.src} -C $out/CryptoPkg/Library/OpensslLib/openssl
-      chmod -R +w $out/
-      # Fix missing INT64_MAX include that edk2 explicitly does not provide
-      # via it's own <stdint.h>. Let's pull in openssl's definition instead:
-      sed -i $out/CryptoPkg/Library/OpensslLib/openssl/crypto/property/property_parse.c \
-          -e '1i #include "internal/numbers.h"'
-    '';
-
-    depsBuildBuild = prev.depsBuildBuild ++ [ libuuid ];
-  });
-
-  pythonEnv = buildPackages.python3.withPackages (ps: [ ps.tkinter ]);
-  targetArch =
-    if stdenv.isi686 then
-      "IA32"
-    else if stdenv.isx86_64 then
-      "X64"
-    else if stdenv.isAarch64 then
-      "AARCH64"
-    else
-      throw "Unsupported architecture";
-
-  buildType =
-    if stdenv.isDarwin then
-      "CLANGPDB"
-    else
-      "GCC5";
-
-  buildTarget = if debugMode then "DEBUG" else "RELEASE";
-
-  jetson-edk2-uefi =
-    # TODO: edk2.mkDerivation doesn't have a way to override the edk version used!
-    # Make it not via passthru ?
-    stdenv.mkDerivation (finalAttrs: {
-      pname = "jetson-edk2-uefi";
-      version = l4tVersion;
-
-      # Initialize the build dir with the build tools from edk2
-      src = edk2-src;
-
-      depsBuildBuild = [ buildPackages.stdenv.cc ];
-      nativeBuildInputs = [ bc pythonEnv acpica-tools dtc unixtools.whereis ];
-      strictDeps = true;
-
-      NIX_CFLAGS_COMPILE = [
-        "-Wno-error=format-security" # TODO: Fix underlying issue
-
-        # Workaround for ../Silicon/NVIDIA/Drivers/EqosDeviceDxe/nvethernetrm/osi/core/osi_hal.c:1428: undefined reference to `__aarch64_ldadd4_sync'
-        "-mno-outline-atomics"
-      ];
-
-      ${"GCC5_${targetArch}_PREFIX"} = stdenv.cc.targetPrefix;
-
-      # From edk2-nvidia/Silicon/NVIDIA/edk2nv/stuart/settings.py
-      PACKAGES_PATH = lib.concatStringsSep ":" [
-        "${edk2-src}/BaseTools" # TODO: Is this needed?
-        finalAttrs.src
-        edk2-platforms
-        edk2-non-osi
-        edk2-nvidia
-        edk2-nvidia-non-osi
-        "${edk2-platforms}/Features/Intel/OutOfBandManagement"
-      ];
-
-      enableParallelBuilding = true;
-
-      prePatch = ''
-        rm -rf BaseTools
-        cp -r ${edk2-jetson}/BaseTools BaseTools
-        chmod -R u+w BaseTools
-      '';
-
-      patches = edk2UefiPatches;
-
-      configurePhase = ''
-        runHook preConfigure
-        export WORKSPACE="$PWD"
-        source ./edksetup.sh BaseTools
-
-        ${lib.optionalString (trustedPublicCertPemFile != null) ''
-        echo Using ${trustedPublicCertPemFile} as public certificate for capsule verification
-        ${lib.getExe buildPackages.openssl} x509 -outform DER -in ${trustedPublicCertPemFile} -out PublicCapsuleKey.cer
-        python3 BaseTools/Scripts/BinToPcd.py -p gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer -i PublicCapsuleKey.cer -o PublicCapsuleKey.cer.gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer.inc
-        python3 BaseTools/Scripts/BinToPcd.py -x -p gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr -i PublicCapsuleKey.cer -o PublicCapsuleKey.cer.gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr.inc
-        ''}
-
-        runHook postConfigure
-      '';
-
-      buildPhase = ''
-        runHook preBuild
-
-        # The BUILDID_STRING and BUILD_DATE_TIME are used
-        # just by nvidia, not generic edk2
-        build -a ${targetArch} -b ${buildTarget} -t ${buildType} -p Platform/NVIDIA/Jetson/Jetson.dsc -n $NIX_BUILD_CORES \
-          -D BUILDID_STRING=${l4tVersion} \
-          -D BUILD_DATE_TIME="$(date --utc --iso-8601=seconds --date=@$SOURCE_DATE_EPOCH)" \
-          ${lib.optionalString (trustedPublicCertPemFile != null) "-D CUSTOM_CAPSULE_CERT"} \
-          $buildFlags
-
-        runHook postBuild
-      '';
-
-      installPhase = ''
-        runHook preInstall
-        mv -v Build/*/* $out
-        runHook postInstall
-      '';
-    });
-
-  uefi-firmware = runCommand "uefi-firmware-${l4tVersion}"
-    {
-      nativeBuildInputs = [ python3 nukeReferences ];
-    } ''
-    mkdir -p $out
-    python3 ${edk2-nvidia}/Silicon/NVIDIA/Tools/FormatUefiBinary.py \
-      ${jetson-edk2-uefi}/FV/UEFI_NS.Fv \
-      $out/uefi_jetson.bin
-
-    python3 ${edk2-nvidia}/Silicon/NVIDIA/Tools/FormatUefiBinary.py \
-      ${jetson-edk2-uefi}/AARCH64/L4TLauncher.efi \
-      $out/L4TLauncher.efi
-
-    mkdir -p $out/dtbs
-    for filename in ${jetson-edk2-uefi}/AARCH64/Silicon/NVIDIA/Tegra/DeviceTree/DeviceTree/OUTPUT/*.dtb; do
-      cp $filename $out/dtbs/$(basename "$filename" ".dtb").dtbo
-    done
-
-    # Get rid of any string references to source(s)
-    nuke-refs $out/uefi_jetson.bin
-  '';
-in
+runCommand "uefi-firmware-${l4tVersion}"
 {
-  inherit edk2-jetson uefi-firmware;
-}
+  nativeBuildInputs = [ python3 nukeReferences ];
+} ''
+  mkdir -p $out
+  python3 ${edk2NvidiaSrc}/Silicon/NVIDIA/Tools/FormatUefiBinary.py \
+    ${jetsonEdk2Uefi}/FV/UEFI_NS.Fv \
+    $out/uefi_jetson.bin
+
+  python3 ${edk2NvidiaSrc}/Silicon/NVIDIA/Tools/FormatUefiBinary.py \
+    ${jetsonEdk2Uefi}/AARCH64/L4TLauncher.efi \
+    $out/L4TLauncher.efi
+
+  mkdir -p $out/dtbs
+  for filename in ${jetsonEdk2Uefi}/AARCH64/Silicon/NVIDIA/Tegra/DeviceTree/DeviceTree/OUTPUT/*.dtb; do
+    cp $filename $out/dtbs/$(basename "$filename" ".dtb").dtbo
+  done
+
+  # Get rid of any string references to source(s)
+  nuke-refs $out/uefi_jetson.bin
+''