deps: update nix lock file

A few patches are necessary to adapt to the updates brought in by the flake's version bump:

- packages/OVMF-SNP: correctly apply hardening flags
  We previously relied on `hardeningDisable` for `-f{no-}stack-protector`, which doesn't work now in OVMF, since it gets overriden by an explicit declaration of `-fstack-protector` in EDK2's upstream build system. This fixes it by patching it out in said build system.
- packages/qemu-static: drop obsolete patch
  This patch is now upstreamed in QEMU 9.1.2, which we build here.
- tools/tdx-measure: address upstream RTMR calculation changes
  This commit [^1] changed the way RTMR 0 and RTMR 1 are calculated when booting a TD in OVMF. The separator got moved from RTMR 0 to RTMR 1, which means we just have to do the same in our precalculation tool.
- chore: apply new formatting rules
- overlays: drop treefmt pin
- treefmt/yamlfmt: use upstream settings option

[^1]: tianocore/edk2@efaf893#diff-d7a1c39ce3475b95ef5d09de899d1114395bab0ce6280ee455680c8792e1867aR2171

Co-authored-by: Paul Meyer <[email protected]>

overlays/nixpkgs.nix

@@ -34,25 +34,4 @@ final: prev:
         --set SOURCE_DATE_EPOCH 0
     '';
   });
-
-  # There is a regression in 2.1.0, and 2.1.1 isn't available in nixpkgs yet.
-  # TODO(katexochen): Remove with the next nixpkgs update.
-  treefmt2 = prev.treefmt2.overrideAttrs (
-    finalAttrs: _prevAttrs: {
-      version = "2.1.1";
-      src = final.fetchFromGitHub {
-        owner = "numtide";
-        repo = "treefmt";
-        rev = "v${finalAttrs.version}";
-        hash = "sha256-XD61nZhdXYrFzprv/YuazjXK/NWP5a9oCF6WBO2XTY0=";
-      };
-      vendorHash = "sha256-0qCOpLMuuiYNCX2Lqa/DUlkmDoPIyUzUHIsghoIaG1s=";
-      ldflags = [
-        "-s"
-        "-w"
-        "-X github.com/numtide/treefmt/v2/build.Name=treefmt"
-        "-X github.com/numtide/treefmt/v2/build.Version=v${finalAttrs.version}"
-      ];
-    }
-  );
 }

packages/by-name/OVMF-SNP/package.nix

@@ -25,10 +25,15 @@ edk2.mkDerivation "OvmfPkg/AmdSev/AmdSevX64.dsc" {
   postPatch = ''
     touch OvmfPkg/AmdSev/Grub/grub.efi
   '';
-  # Disable making all warnings errors. Nix's GCC is fairly new, so it spews a
-  # few more warnings, but that shouldn't prevent us from building OVMF.
+
   postConfigure = ''
+    # Disable making all warnings errors. Nix's GCC is fairly new, so it spews a
+    # few more warnings, but that shouldn't prevent us from building OVMF.
     sed -i "s/-Werror//g" Conf/tools_def.txt
+
+    # Disable the stack protection manually. We can't use `hardeningDisable` as it gets
+    # overriden by the GCC flags in the EDK2 build system. (See Conf/tools_def.txt)
+    sed -i "s/-fstack-protector/-fno-stack-protector/g" Conf/tools_def.txt
   '';
 
   nativeBuildInputs = [
@@ -38,7 +43,6 @@ edk2.mkDerivation "OvmfPkg/AmdSev/AmdSevX64.dsc" {
 
   hardeningDisable = [
     "format"
-    "stackprotector"
     "pic"
     "fortify"
   ];

packages/by-name/microsoft/cloud-hypervisor/package.nix

@@ -58,7 +58,9 @@ rustPlatform.buildRustPackage rec {
       "mshv"
       "kvm"
     ]
-    ++ lib.optional withIGVM "igvm" ++ lib.optional withSEVSNP "sev_snp" ++ lib.optional withTDX "tdx";
+    ++ lib.optional withIGVM "igvm"
+    ++ lib.optional withSEVSNP "sev_snp"
+    ++ lib.optional withTDX "tdx";
 
   OPENSSL_NO_VENDOR = true;
 

packages/by-name/nvidia-ctk-with-config/package.nix

@@ -14,7 +14,8 @@
 nvidia-container-toolkit.override {
   configTemplatePath = replaceVars ./config.toml {
     "nvidia-container-cli" = "${lib.getExe' libnvidia-container "nvidia-container-cli"}";
-    "nvidia-container-runtime-hook" = "${lib.getExe' nvidia-container-toolkit "nvidia-container-runtime-hook"}";
+    "nvidia-container-runtime-hook" =
+      "${lib.getExe' nvidia-container-toolkit "nvidia-container-runtime-hook"}";
     "nvidia-ctk" = "${lib.getExe' nvidia-container-toolkit "nvidia-ctk"}";
     "glibcbin" = "${lib.getBin glibc}";
   };

packages/by-name/ociLayerTar/package.nix

@@ -36,9 +36,12 @@ runCommandLocal "ociLayer"
       );
     mediaType =
       "application/vnd.oci.image.layer.v1.tar" + (if compression == "" then "" else "+" + compression);
-    nativeBuildInputs = [
-      nix
-    ] ++ lib.optional (compression == "gzip") gzip ++ lib.optional (compression == "zstd") zstd;
+    nativeBuildInputs =
+      [
+        nix
+      ]
+      ++ lib.optional (compression == "gzip") gzip
+      ++ lib.optional (compression == "zstd") zstd;
     inherit compression;
   }
   ''

packages/by-name/qemu-static/package.nix

@@ -15,7 +15,7 @@
   hostCpuOnly = true;
   hostCpuTargets = [ "x86_64-softmmu" ];
 })).overrideAttrs
-  (previousAttrs: rec {
+  (previousAttrs: {
     configureFlags = previousAttrs.configureFlags ++ [
       "-Dlinux_aio_path=${libaio}/lib"
       "-Dlinux_fdt_path=${dtc}/lib"
@@ -33,8 +33,5 @@
       # Based on https://github.com/NixOS/nixpkgs/pull/300070/commits/96054ca98020df125bb91e5cf49bec107bea051b#diff-7246126ac058898e6da6aadc1e831bb26afe07fa145958e55c5e112dc2c578fd.
       # We applied the same change done to libaio to libfdt as well.
       ./0002-add-options-for-library-paths.patch
-      # Fix needed for a behaviour change in Linux 6.11-rc4.
-      # TODO(freax13): Remove this when QEMU 9.1.2 is released.
-      ./0003-accel-kvm-check-for-KVM_CAP_READONLY_MEM-on-VM.patch
     ];
   })

packages/nixos/gpu.nix

@@ -40,7 +40,8 @@ in
     };
     hardware.nvidia-container-toolkit.enable = true;
 
-    image.repart.partitions."10-root".contents."/usr/share/oci/hooks/prestart/nvidia-container-toolkit.sh".source = lib.getExe pkgs.nvidia-ctk-oci-hook;
+    image.repart.partitions."10-root".contents."/usr/share/oci/hooks/prestart/nvidia-container-toolkit.sh".source =
+      lib.getExe pkgs.nvidia-ctk-oci-hook;
 
     boot.initrd.kernelModules = [
       # Extra kernel modules required to talk to the GPU in CC-Mode.

packages/nixos/kata.nix

@@ -88,7 +88,9 @@ in
 
     networking.resolvconf.enable = false;
 
-    environment.etc."resolv.conf".text = "dummy file, to be bind-mounted by the Kata agent when writing network configuration";
-    environment.etc."kata-opa/default-policy.rego".source = "${pkgs.kata-runtime.src}/src/kata-opa/allow-set-policy.rego";
+    environment.etc."resolv.conf".text =
+      "dummy file, to be bind-mounted by the Kata agent when writing network configuration";
+    environment.etc."kata-opa/default-policy.rego".source =
+      "${pkgs.kata-runtime.src}/src/kata-opa/allow-set-policy.rego";
   };
 }

tools/tdx-measure/rtmr/rtmr.go

@@ -237,8 +237,6 @@ func CalcRtmr0(firmware []byte) ([48]byte, error) {
 	}
 	rtmr.extendVariableValue(boot0000)
 
-	rtmr.extendSeparator()
-
 	return rtmr.Get(), nil
 }
 
@@ -254,6 +252,10 @@ func CalcRtmr1(kernelFile, initrdFile []byte) ([48]byte, error) {
 
 	// https://github.com/tianocore/edk2/blob/0f3867fa6ef0553e26c42f7d71ff6bdb98429742/OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.c#L2155
 	rtmr.hashAndExtend([]byte("Calling EFI Application from Boot Option"))
+
+	// https://github.com/tianocore/edk2/blob/efaf8931bbfa33a81b8792fbf9e2ccc239d53204/OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.c#L2171
+	rtmr.extendSeparator()
+
 	// https://github.com/tianocore/edk2/blob/0f3867fa6ef0553e26c42f7d71ff6bdb98429742/OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.c#L2243
 	rtmr.hashAndExtend([]byte("Exit Boot Services Invocation"))
 	// https://github.com/tianocore/edk2/blob/0f3867fa6ef0553e26c42f7d71ff6bdb98429742/OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.c#L2254

treefmt.nix

@@ -21,6 +21,10 @@
     shfmt.enable = true;
     statix.enable = true;
     terraform.enable = true;
+    yamlfmt = {
+      enable = true;
+      settings.formatter.retain_line_breaks_single = true;
+    };
     # keep-sorted end
   };
   settings.formatter = {
@@ -53,15 +57,5 @@
         "LICENSE"
       ];
     };
-    # TODO(katexochen): move back to programs after
-    # https://github.com/numtide/treefmt-nix/pull/193 is merged.
-    yamlfmt = {
-      command = "${lib.getExe pkgs.yamlfmt}";
-      options = [ "-formatter=retain_line_breaks_single=true" ];
-      includes = [
-        "*.yaml"
-        "*.yml"
-      ];
-    };
   };
 }