From a434010c9352e71986b677e6f7f1e30f0655cd87 Mon Sep 17 00:00:00 2001 
From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Wed, 18 Dec 2024 18:36:11 +0100 Subject: [PATCH] deps: update nix lock file A few patches are necessary to adapt to the updates brought in by the flake's version bump: - packages/OVMF-SNP: correctly apply hardening flags We previously relied on `hardeningDisable` for `-f{no-}stack-protector`, which doesn't work now in OVMF, since it gets overridden by an explicit declaration of `-fstack-protector` in EDK2's upstream build system. This fixes it by patching it out in said build system. - packages/qemu-static: drop obsolete patch This patch is now upstreamed in QEMU 9.1.2, which we build here. - tools/tdx-measure: address upstream RTMR calculation changes This commit [^1] changed the way RTMR 0 and RTMR 1 are calculated when booting a TD in OVMF. The separator got moved from RTMR 0 to RTMR 1, which means we just have to do the same in our precalculation tool. - chore: apply new formatting rules - overlays: drop treefmt pin - treefmt/yamlfmt: use upstream settings option [^1]: https://github.com/tianocore/edk2/commit/efaf8931bbfa33a81b8792fbf9e2ccc239d53204#diff-d7a1c39ce3475b95ef5d09de899d1114395bab0ce6280ee455680c8792e1867aR2171 Co-authored-by: Paul Meyer --- flake.lock | 12 +++---- internal/meshapi/meshapi.pb.go | 2 +- internal/userapi/userapi.pb.go | 2 +- overlays/nixpkgs.nix | 21 ----------- packages/by-name/OVMF-SNP/package.nix | 10 ++++-- .../microsoft/cloud-hypervisor/package.nix | 4 ++- .../nvidia-ctk-with-config/package.nix | 3 +- packages/by-name/ociLayerTar/package.nix | 9 +++-- ...check-for-KVM_CAP_READONLY_MEM-on-VM.patch | 36 ------------------- packages/by-name/qemu-static/package.nix | 5 +-- packages/nixos/gpu.nix | 3 +- packages/nixos/kata.nix | 6 ++-- tools/tdx-measure/rtmr/rtmr.go | 6 ++-- treefmt.nix | 14 +++----- 14 files changed, 41 insertions(+), 92 deletions(-) delete mode 100644 packages/by-name/qemu-static/0003-accel-kvm-check-for-KVM_CAP_READONLY_MEM-on-VM.patch
diff --git a/flake.lock b/flake.lock index 48e67ff0b4..5f07576b11 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1731676054, - "narHash": "sha256-OZiZ3m8SCMfh3B6bfGC/Bm4x3qc1m2SVEAlkV6iY7Yg=", + "lastModified": 1734119587, + "narHash": "sha256-AKU6qqskl0yf2+JdRdD0cfxX4b9x3KKV5RqA6wijmPM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5e4fbfb6b3de1aa2872b76d49fafc942626e2add", + "rev": "3566ab7246670a43abd2ffa913cc62dad9cdf7d5", "type": "github" }, "original": { @@ -63,11 +63,11 @@ ] }, "locked": { - "lastModified": 1732013921, - "narHash": "sha256-grEEN4LjL4DTDZUyZjVcj9dXRykH/SKnpOIADN0q5w8=", + "lastModified": 1733761991, + "narHash": "sha256-s4DalCDepD22jtKL5Nw6f4LP5UwoMcPzPZgHWjAfqbQ=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "5f5c2787576f3e39bbc2ebdbf8521b3177c5c19c", + "rev": "0ce9d149d99bc383d1f2d85f31f6ebd146e46085", "type": "github" }, "original": { diff --git a/internal/meshapi/meshapi.pb.go b/internal/meshapi/meshapi.pb.go index 5e466ed61f..5f1f2dc800 100644 --- a/internal/meshapi/meshapi.pb.go +++ b/internal/meshapi/meshapi.pb.go @@ -1,6 +1,6 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.35.1 +// protoc-gen-go v1.35.2 // protoc v5.28.3 // source: meshapi.proto diff --git a/internal/userapi/userapi.pb.go b/internal/userapi/userapi.pb.go index 5559708d75..aa32f708a4 100644 --- a/internal/userapi/userapi.pb.go +++ b/internal/userapi/userapi.pb.go @@ -1,6 +1,6 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.35.1 +// protoc-gen-go v1.35.2 // protoc v5.28.3 // source: internal/userapi/userapi.proto diff --git a/overlays/nixpkgs.nix b/overlays/nixpkgs.nix index fa28a10482..5561b6b42c 100644 --- a/overlays/nixpkgs.nix +++ b/overlays/nixpkgs.nix 
@@ -34,25 +34,4 @@ final: prev: --set SOURCE_DATE_EPOCH 0 ''; }); - - # There is a regression in 2.1.0, and 2.1.1 isn't available in nixpkgs yet. - # TODO(katexochen): Remove with the next nixpkgs update. - treefmt2 = prev.treefmt2.overrideAttrs ( - finalAttrs: _prevAttrs: { - version = "2.1.1"; - src = final.fetchFromGitHub { - owner = "numtide"; - repo = "treefmt"; - rev = "v${finalAttrs.version}"; - hash = "sha256-XD61nZhdXYrFzprv/YuazjXK/NWP5a9oCF6WBO2XTY0="; - }; - vendorHash = "sha256-0qCOpLMuuiYNCX2Lqa/DUlkmDoPIyUzUHIsghoIaG1s="; - ldflags = [ - "-s" - "-w" - "-X github.com/numtide/treefmt/v2/build.Name=treefmt" - "-X github.com/numtide/treefmt/v2/build.Version=v${finalAttrs.version}" - ]; - } - ); } diff --git a/packages/by-name/OVMF-SNP/package.nix b/packages/by-name/OVMF-SNP/package.nix index 8b44c1088a..ee7f877c03 100644 --- a/packages/by-name/OVMF-SNP/package.nix +++ b/packages/by-name/OVMF-SNP/package.nix @@ -25,10 +25,15 @@ edk2.mkDerivation "OvmfPkg/AmdSev/AmdSevX64.dsc" { postPatch = '' touch OvmfPkg/AmdSev/Grub/grub.efi ''; - # Disable making all warnings errors. Nix's GCC is fairly new, so it spews a - # few more warnings, but that shouldn't prevent us from building OVMF. + postConfigure = '' + # Disable making all warnings errors. Nix's GCC is fairly new, so it spews a + # few more warnings, but that shouldn't prevent us from building OVMF. sed -i "s/-Werror//g" Conf/tools_def.txt + + # Disable the stack protection manually. We can't use `hardeningDisable` as it gets + # overriden by the GCC flags in the EDK2 build system. (See Conf/tools_def.txt) + sed -i "s/-fstack-protector/-fno-stack-protector/g" Conf/tools_def.txt ''; nativeBuildInputs = [ @@ -38,7 +43,6 @@ edk2.mkDerivation "OvmfPkg/AmdSev/AmdSevX64.dsc" { hardeningDisable = [ "format" - "stackprotector" "pic" "fortify" ]; diff --git a/packages/by-name/microsoft/cloud-hypervisor/package.nix b/packages/by-name/microsoft/cloud-hypervisor/package.nix index 2ab1a1f56b..6a836e6169 100644 
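Review bot: The added `sed -i "s/-fstack-protector/-fno-stack-protector/g" Conf/tools_def.txt` is unanchored and unverified: should tools_def.txt ever carry a variant such as `-fstack-protector-strong`, the substitution yields `-fno-stack-protector-strong`, which GCC as far as I know rejects, and if upstream stops emitting the flag altogether the sed becomes a silent no-op and the stack protector quietly comes back. Anchoring the pattern and failing when the result is not what the build expects covers both cases: `sed -i -E "s/-fstack-protector(-strong|-all|-explicit)?\b/-fno-stack-protector/g" Conf/tools_def.txt` followed by `! grep -q -- '-fstack-protector' Conf/tools_def.txt`. Because OVMF-SNP is part of the SEV-SNP launch measurement, the comment should also say that this flag change alters the firmware digest and that attestation reference values must be regenerated from this build.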
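Review bot: Removing `"stackprotector"` from hardeningDisable makes nixpkgs' cc-wrapper inject its own `-fstack-protector-strong` into every OVMF compile again, so the firmware is only built without a stack protector if EDK2's patched `-fno-stack-protector` lands later on the command line and wins. As far as I can tell the wrapper places its hardening flags before the caller's, so the build presumably works, but the outcome now rests on flag ordering that nothing in this file controls, and the commit message itself describes the upstream flag beating the wrapper's. Keeping the entry alongside the sed costs nothing and removes the ordering dependency: `hardeningDisable = [ "format" "stackprotector" "pic" "fortify" ];` (one entry per line as in the original).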
--- a/packages/by-name/microsoft/cloud-hypervisor/package.nix +++ b/packages/by-name/microsoft/cloud-hypervisor/package.nix @@ -58,7 +58,9 @@ rustPlatform.buildRustPackage rec { "mshv" "kvm" ] - ++ lib.optional withIGVM "igvm" ++ lib.optional withSEVSNP "sev_snp" ++ lib.optional withTDX "tdx"; + ++ lib.optional withIGVM "igvm" + ++ lib.optional withSEVSNP "sev_snp" + ++ lib.optional withTDX "tdx"; OPENSSL_NO_VENDOR = true; diff --git a/packages/by-name/nvidia-ctk-with-config/package.nix b/packages/by-name/nvidia-ctk-with-config/package.nix index bdf57a1910..5f136e0c38 100644 --- a/packages/by-name/nvidia-ctk-with-config/package.nix +++ b/packages/by-name/nvidia-ctk-with-config/package.nix @@ -14,7 +14,8 @@ nvidia-container-toolkit.override { configTemplatePath = replaceVars ./config.toml { "nvidia-container-cli" = "${lib.getExe' libnvidia-container "nvidia-container-cli"}"; - "nvidia-container-runtime-hook" = "${lib.getExe' nvidia-container-toolkit "nvidia-container-runtime-hook"}"; + "nvidia-container-runtime-hook" = + "${lib.getExe' nvidia-container-toolkit "nvidia-container-runtime-hook"}"; "nvidia-ctk" = "${lib.getExe' nvidia-container-toolkit "nvidia-ctk"}"; "glibcbin" = "${lib.getBin glibc}"; }; diff --git a/packages/by-name/ociLayerTar/package.nix b/packages/by-name/ociLayerTar/package.nix index 318f3f0957..c6a70b7239 100644 --- a/packages/by-name/ociLayerTar/package.nix +++ b/packages/by-name/ociLayerTar/package.nix @@ -36,9 +36,12 @@ runCommandLocal "ociLayer" ); mediaType = "application/vnd.oci.image.layer.v1.tar" + (if compression == "" then "" else "+" + compression); - nativeBuildInputs = [ - nix - ] ++ lib.optional (compression == "gzip") gzip ++ lib.optional (compression == "zstd") zstd; + nativeBuildInputs = + [ + nix + ] + ++ lib.optional (compression == "gzip") gzip + ++ lib.optional (compression == "zstd") zstd; inherit compression; } '' 
diff --git a/packages/by-name/qemu-static/0003-accel-kvm-check-for-KVM_CAP_READONLY_MEM-on-VM.patch b/packages/by-name/qemu-static/0003-accel-kvm-check-for-KVM_CAP_READONLY_MEM-on-VM.patch deleted file mode 100644 index e0285dad45..0000000000 --- a/packages/by-name/qemu-static/0003-accel-kvm-check-for-KVM_CAP_READONLY_MEM-on-VM.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 5c1ad1ff44438402ec824a224ac4659c8044ec7e Mon Sep 17 00:00:00 2001 -From: Tom Dohrmann -Date: Tue, 3 Sep 2024 06:25:04 +0000 -Subject: [PATCH] accel/kvm: check for KVM_CAP_READONLY_MEM on VM - -KVM_CAP_READONLY_MEM used to be a global capability, but with the -introduction of AMD SEV-SNP confidential VMs, this extension is not -always available on all VM types [1,2]. - -Query the extension on the VM level instead of on the KVM level. - -[1] https://patchwork.kernel.org/project/kvm/patch/20240809190319.1710470-2-seanjc@google.com/ -[2] https://patchwork.kernel.org/project/kvm/patch/20240902144219.3716974-1-erbse.13@gmx.de/ - -Cc: Paolo Bonzini -Signed-off-by: Tom Dohrmann ---- - accel/kvm/kvm-all.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c -index 75d11a07b2..acc23092e7 100644 ---- a/accel/kvm/kvm-all.c -+++ b/accel/kvm/kvm-all.c -@@ -2603,7 +2603,7 @@ static int kvm_init(MachineState *ms) - } - - kvm_readonly_mem_allowed = -- (kvm_check_extension(s, KVM_CAP_READONLY_MEM) > 0); -+ (kvm_vm_check_extension(s, KVM_CAP_READONLY_MEM) > 0); - - kvm_resamplefds_allowed = - (kvm_check_extension(s, KVM_CAP_IRQFD_RESAMPLE) > 0); --- -2.34.1 - diff --git a/packages/by-name/qemu-static/package.nix b/packages/by-name/qemu-static/package.nix index ac244f30db..fca040697f 100644 --- a/packages/by-name/qemu-static/package.nix +++ b/packages/by-name/qemu-static/package.nix 
@@ -15,7 +15,7 @@ hostCpuOnly = true; hostCpuTargets = [ "x86_64-softmmu" ]; })).overrideAttrs - (previousAttrs: rec { + (previousAttrs: { configureFlags = previousAttrs.configureFlags ++ [ "-Dlinux_aio_path=${libaio}/lib" "-Dlinux_fdt_path=${dtc}/lib" @@ -33,8 +33,5 @@ # Based on https://github.com/NixOS/nixpkgs/pull/300070/commits/96054ca98020df125bb91e5cf49bec107bea051b#diff-7246126ac058898e6da6aadc1e831bb26afe07fa145958e55c5e112dc2c578fd. # We applied the same change done to libaio to libfdt as well. ./0002-add-options-for-library-paths.patch - # Fix needed for a behaviour change in Linux 6.11-rc4. - # TODO(freax13): Remove this when QEMU 9.1.2 is released. - ./0003-accel-kvm-check-for-KVM_CAP_READONLY_MEM-on-VM.patch ]; }) diff --git a/packages/nixos/gpu.nix b/packages/nixos/gpu.nix index d64404960f..f54051d3de 100644 --- a/packages/nixos/gpu.nix +++ b/packages/nixos/gpu.nix @@ -40,7 +40,8 @@ in }; hardware.nvidia-container-toolkit.enable = true; - image.repart.partitions."10-root".contents."/usr/share/oci/hooks/prestart/nvidia-container-toolkit.sh".source = lib.getExe pkgs.nvidia-ctk-oci-hook; + image.repart.partitions."10-root".contents."/usr/share/oci/hooks/prestart/nvidia-container-toolkit.sh".source = + lib.getExe pkgs.nvidia-ctk-oci-hook; boot.initrd.kernelModules = [ # Extra kernel modules required to talk to the GPU in CC-Mode. diff --git a/packages/nixos/kata.nix b/packages/nixos/kata.nix index 753db39634..7e7a63feac 100644 --- a/packages/nixos/kata.nix +++ b/packages/nixos/kata.nix 
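Review bot: The patch is dropped on the assumption that the QEMU being built is at least 9.1.2, but nothing in this file pins or checks that: the version comes from nixpkgs' `qemu` (not visible in the hunk), and a later lock-file move to an older branch would silently reintroduce the KVM_CAP_READONLY_MEM breakage for SEV-SNP guests that the patch worked around. A build-time assertion makes the premise explicit, e.g. `(previousAttrs: assert lib.versionAtLeast previousAttrs.version "9.1.2"; {` in place of the `(previousAttrs: {` line, with `lib` added to the file's arguments if it is not already in scope. The overrideAttrs body starts and ends outside this hunk.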
@@ -88,7 +88,9 @@ in
 networking.resolvconf.enable = false;
-environment.etc."resolv.conf".text = "dummy file, to be bind-mounted by the Kata agent when writing network configuration";
-environment.etc."kata-opa/default-policy.rego".source = "${pkgs.kata-runtime.src}/src/kata-opa/allow-set-policy.rego";
+environment.etc."resolv.conf".text =
+"dummy file, to be bind-mounted by the Kata agent when writing network configuration";
+environment.etc."kata-opa/default-policy.rego".source =
+"${pkgs.kata-runtime.src}/src/kata-opa/allow-set-policy.rego";
 };
 }
diff --git a/tools/tdx-measure/rtmr/rtmr.go b/tools/tdx-measure/rtmr/rtmr.go
index a6a3fb71a9..eab9ca13d2 100644
--- a/tools/tdx-measure/rtmr/rtmr.go
+++ b/tools/tdx-measure/rtmr/rtmr.go
@@ -237,8 +237,6 @@ func CalcRtmr0(firmware []byte) ([48]byte, error) {
 }
 rtmr.extendVariableValue(boot0000)
-rtmr.extendSeparator()
-
 return rtmr.Get(), nil
 }
@@ -254,6 +252,10 @@ func CalcRtmr1(kernelFile, initrdFile []byte) ([48]byte, error) {
 // https://github.com/tianocore/edk2/blob/0f3867fa6ef0553e26c42f7d71ff6bdb98429742/OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.c#L2155
 rtmr.hashAndExtend([]byte("Calling EFI Application from Boot Option"))
+
+// https://github.com/tianocore/edk2/blob/efaf8931bbfa33a81b8792fbf9e2ccc239d53204/OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.c#L2171
+rtmr.extendSeparator()
+
 // https://github.com/tianocore/edk2/blob/0f3867fa6ef0553e26c42f7d71ff6bdb98429742/OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.c#L2243
 rtmr.hashAndExtend([]byte("Exit Boot Services Invocation"))
 // https://github.com/tianocore/edk2/blob/0f3867fa6ef0553e26c42f7d71ff6bdb98429742/OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.c#L2254
diff --git a/treefmt.nix b/treefmt.nix
index 456c4f288e..42c32d058a 100644
--- a/treefmt.nix
+++ b/treefmt.nix
@@ -21,6 +21,10 @@
 shfmt.enable = true;
 statix.enable = true;
 terraform.enable = true;
+yamlfmt = {
+enable = true;
+settings.formatter.retain_line_breaks_single = true;
+};
 # keep-sorted end
 };
 settings.formatter = {
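Review bot: With the separator extend removed, CalcRtmr0 now ends right after `rtmr.extendVariableValue(boot0000)` without saying why, and the commit message is the only place recording that the separator moved to RTMR1 in edk2 efaf8931. A one-line comment where the call was keeps that firmware dependency next to the code: `// No separator here: since edk2 efaf8931, TdTcg2Dxe logs the separator event into RTMR1 instead (see CalcRtmr1).` The function's doc comment, which starts before the hunk, should state the same minimum OVMF revision, because values computed by this tool only match firmware built from that revision onwards. The rest of CalcRtmr0's body is outside the hunk.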
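Review bot: The new comment cites line 2171 of edk2 efaf8931 while the neighbouring comments still cite lines 2155, 2243 and 2254 of 0f3867fa, the revision before the separator moved, so the references in this function can no longer be checked against a single TdTcg2Dxe.c. Pin all four to the same revision, adjusting the line numbers, so a reader can verify the extend order in one tree. It would also be worth confirming that `extendSeparator` (defined outside the hunk) measures exactly what TdTcg2Dxe logs for the separator into RTMR1, since a mismatch there would make every precalculated RTMR1 reference value wrong.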
@@ -53,15 +57,5 @@
 "LICENSE"
 ];
 };
-# TODO(katexochen): move back to programs after
-# https://github.com/numtide/treefmt-nix/pull/193 is merged.
-yamlfmt = {
-command = "${lib.getExe pkgs.yamlfmt}";
-options = [ "-formatter=retain_line_breaks_single=true" ];
-includes = [
-"*.yaml"
-"*.yml"
-];
-};
 };
 }