From d7eb68a4bc934e278a0ac343c2764f22b6a87b33 Mon Sep 17 00:00:00 2001
From: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Date: Tue, 19 Nov 2024 16:11:19 +0100
Subject: [PATCH] packages/buildVerityMicroVM: init

This adds a Nix builder to build a micro VM image for direct Linux boot, specifically for the bare-metal Kata image where this is necessary to satisfy Contrast's security assumptions made on the SNP launch digest computation.
---
 .../by-name/buildVerityMicroVM/package.nix | 58 +++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 packages/by-name/buildVerityMicroVM/package.nix

diff --git a/packages/by-name/buildVerityMicroVM/package.nix b/packages/by-name/buildVerityMicroVM/package.nix
new file mode 100644
index 0000000000..b0df81b21b
--- /dev/null
+++ b/packages/by-name/buildVerityMicroVM/package.nix
@@ -0,0 +1,58 @@
+# Copyright 2024 Edgeless Systems GmbH
+# SPDX-License-Identifier: AGPL-3.0-only
+
+# Builds a micro VM image (i.e. rootfs, kernel and kernel cmdline) from a NixOS
+# configuration. These components can then be booted in a microVM-fashion
+# with QEMU's direct Linux boot feature.
+# See: https://qemu-project.gitlab.io/qemu/system/linuxboot.html
+
+{
+ symlinkJoin,
+ lib,
+}:
+
+nixos-config:
+
+let
+ image = nixos-config.image.overrideAttrs (oldAttrs: {
+ passthru = oldAttrs.passthru // {
+ imageFile = "${oldAttrs.pname}_${oldAttrs.version}.raw";
+ };
+ });
+in
+
+lib.throwIf
+ (lib.foldlAttrs (
+ acc: _: partConfig:
+ acc || (partConfig.repartConfig.Type == "esp")
+ ) false nixos-config.config.image.repart.partitions)
+ "MicroVM images should not contain an ESP."
+
+ symlinkJoin
+ {
+ pname = "microvm-image";
+ inherit (nixos-config.config.system.image) version;
+
+ paths = [
+ nixos-config.config.system.build.kernel
+ nixos-config.config.system.build.initialRamdisk
+ image
+ ];
+
+ passthru =
+ let
+ roothash = builtins.head (
+ lib.map (e: e.roothash) (builtins.fromJSON (builtins.readFile "${image}/repart-output.json"))
+ );
+ in
+ {
+ cmdline = lib.concatStringsSep " " (
+ nixos-config.config.boot.kernelParams
+ ++ [
+ "init=${nixos-config.config.system.build.toplevel}/init"
+ "roothash=${roothash}"
+ ]
+ );
+ inherit (image) imageFile;
+ };
+ }
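Review bot: The `roothash` binding in `passthru` takes `builtins.head` of the repart output, so it silently assumes the first partition entry in `repart-output.json` is the verity-protected root; if systemd-repart lists another partition first (or one without a `roothash` field), evaluation either fails with a missing-attribute error or, worse, a wrong hash ends up on the `cmdline` that the description says is part of the measured launch digest. Select the entry explicitly instead, e.g. `roothash = (lib.findFirst (e: e ? roothash) (throw "buildVerityMicroVM: no partition with a roothash in repart-output.json") (builtins.fromJSON (builtins.readFile "${image}/repart-output.json"))).roothash;`, so the choice is by presence of the field rather than by list position (exact field names of the repart JSON should be confirmed against the systemd-repart version in use). The `lib.throwIf` guard would also benefit from a comment stating why an ESP is rejected for this image, since the message only states the rule; something like `# Direct Linux boot passes kernel/initrd from the host, so an ESP would be unused and could not be covered by the measured boot chain.` would be worth confirming and adding above the `lib.throwIf` line.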