Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chipsec: init at 1.3.7 #52988

Merged
merged 3 commits into from Apr 22, 2019
Merged

chipsec: init at 1.3.7 #52988

merged 3 commits into from Apr 22, 2019

Conversation

JohnAZoidberg
Copy link
Member

@JohnAZoidberg JohnAZoidberg commented Dec 27, 2018
edited

Motivation for this change

The Nix(OS) community should check their firmware and its settings for vulnerabilities!

It's included twice: The top-level attribute doesn't include the kernel driver and can be executed on any OS with Python, and the one in linuxPackages which includes the Linux kernel driver and is therefore able to do more advanced checks.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@JohnAZoidberg JohnAZoidberg changed the title chipsec: init at 1.3.6 chipsec: init at 1.3.7 Apr 20, 2019
@joachifm
Copy link
Contributor

@GrahamcOfBorg build chipsec linuxPackages.chipsec

@JohnAZoidberg
Copy link
Member Author

Oops, ofBorg failed to build it because it doesn't work on ARM.

@joachifm
Copy link
Contributor

LGTM. Added a few nits for your consideration.

@joachifm
Copy link
Contributor

Another thing that occurred to me is, if I add both variants to my system will I end up with two copies of the userland tools in the system closure? It seems to me like I will, as different flags would produce different store paths. Perhaps the withDriver case ought to build only the driver. On the other hand, I'd hope hardlinking would resolve the space inefficiency ... so maybe not worth the effort.

@JohnAZoidberg
Copy link
Member Author

Hmm, but it loads the driver on demand. We'd have to make sure it can find it if it's in a different derivation. I don't think the package is designed to be able to look for the driver elsewhere, I can look into it.
I didn't know a better way to make the driver optional other than including it in linuxPackages and top-level. Is there?

@joachifm
Copy link
Contributor

By loading on demand, I expect you mean calls modprobe? If so it should work as long as the package is added to boot.extraModulePackages (and the call to modprobe/insmod does not hardcode the module path). If it does hardcode the path, that can be patched out.

I think I was wrong to raise the concern about duplicated stuff in the system closure, I have not looked but extraModulePackages probably only copies kernel modules anyway. There will still be some wasted bandwidth & work in the linux driver+userspace scenario, however. This could be solved by simply defaulting withDriver = true when building for linux.

@JohnAZoidberg
Copy link
Member Author

Yes exactly, calling modprobe.
But if we rely on boot.extraModulePackages we'd have to make it a module which is not the right thing to do because using chipsec is a one-off kind of thing.

But can you just default to building the driver on Linux? I don't think you can, because you also need to get the exact kernel passed that used on the system. Hence linuxPackagesFor to build it for a specific kernel version.

Is there precedent? Is there another package that's not just a kernel module but a program that brings its own kernel module that we package but don't have a NixOS module for? P.S. Looks like sysdig is in a similar situation.

Otherwise I think it's fine like this. We'll have to hope that people are looking for the linuxPackages.chipsec attribute if they notice that chipsec doesn't include the driver.

@JohnAZoidberg
chipsec: Kernel driver only works on x86_64-linux
1636f11 
See: chipsec/chipsec#461

Noticed that when ofBorg failed to build the kernel driver on ARM.
@joachifm joachifm merged commit 0109c84 into NixOS:master Apr 22, 2019
@JohnAZoidberg JohnAZoidberg deleted the chipsec branch April 22, 2019 08:28
@JohnAZoidberg
Copy link
Member Author

Thanks for discussing the details!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joachifm joachifm joachifm left review comments

Assignees
No one assigned
Labels
8.has: package (new) 10.rebuild-darwin: 1-10 10.rebuild-linux: 11-100
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@JohnAZoidberg @joachifm @veprbl @GrahamcOfBorg