3.6 KiB
Nixboot
Simple declarative and reproducible coreboot images
This repository contains a minimal interface to build coreboot images using Nix. Coreboot is already near 100% binary reproducible and can be configured via Kconfig; however the process is somewhat involved: it requires maintaining a local checkout of the coreboot source, several config files and shell scripts. Nixboot automates this process and allows to control it declaratively from a single file.
Supported features
- Changing target architecture
- Building an Intel firmware
- Running
me_cleaner
- Generating blobs using
bincfg
- SeaBios as payload
Other payloads (including secondaries) can be very easily added.
Build instructions
1. Fetching sources
Go to the board status page and find the latest tested revision for your mainboard, or pick one yourself. Next, to fetch all the source archives needed to build coreboot, run:
scripts/gen-sources.sh REV > sources.nix
where REV is the revision you chose.
This may take a while depending on your connection: consider coreboot will build its own compiler toolchain from source.
2. Configuring
Once the sources.nix
has been generated, to configure coreboot and the
payload, write a board.nix
, like:
{ pkgs ? import <nixpkgs> { } }:
pkgs.callPackage ./coreboot.nix {
# known good revision
rev = "d8bc5c127ad13ed0475bbf7465f6ba56a5fa34ee";
sources = pkgs.callPackage ./sources.nix { };
conf = {
# mainboard
vendor.lenovo = true;
board.lenovo-x230 = true;
# drivers
pciexp = {
hotplug = true;
clk-pm = true;
l1-sub-state = true;
};
# display
generic-linear-framebuffer = true;
linear-framebuffer = {
max-width = 1024;
max-height = 768;
};
# payload
seabios = {
revision = true;
revision-id = "ef88eeaf052c8a7d28c5f85e790c5e45bcffa45e";
};
};
}
The configuration options can be found on the coreboot website. The names
are case-insensitive and options with the same prefix (for example PCIEXP_
)
can be conveniently grouped into a set.
Valid option values includes:
- booleans
- strings
- integers
- paths (will be copied into the Nix store)
- derivations (will be converted to store paths)
3. Building
Simply run
nix build -f board.nix coreboot
This will build the toolchain, the full configuration and use them to build coreboot itself. The output consist of:
result/
├── config
├── coreboot.rom
└── defconfig
where config
contains the full coreboot configuration, defconfig
only
the non-default ones and coreboot.rom
is the final image, ready to be
flashed.
It's also possible to only build the toolchain using the toolchain
attribute
and see the defconfig before building with defConfig
.
License
Copyright (C) 2021 Michele Guerini Rocco
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.