lanzaboote_tool fails to build on current unstable

[mxkrsv]

error: builder for '/nix/store/nhhd04plbhyv6akld7banyhnh34rj3z0-lanzaboote_tool-0.1.0.drv' failed with exit code 101;
       last 10 log lines:
       > thread 'overwrite_unsigned_images' panicked at 'assertion failed: verify_signature(&image1)?', tests/install.rs:63:5
       > note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
       >
       >
       > failures:
       >     overwrite_unsigned_images
       >
       > test result: FAILED. 2 passed; 1 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.31s
       >
       > error: test failed, to rerun pass `--test install`

[NickCao]

Same here, tracked it down to TEST_SYSTEMD, something is wrong with lib/systemd/boot/linuxx64.efi.stub in systemd 253.

[RaitoBezarius]

@nikstur when you will be back, if you have time to look into this?

[alyaeanyx]

Possibly relevant observation: The build of /nix/store/nhhd04plbhyv6akld7banyhnh34rj3z0-lanzaboote_tool-0.1.0.drv seems to fail non-reproducibly. Here's the log of a successful build from my machine:

nhhd04plbhyv6akld7banyhnh34rj3z0-lanzaboote_tool-0.1.0.drv_build_log.txt

[Myaats]

Possibly relevant observation: The build of /nix/store/nhhd04plbhyv6akld7banyhnh34rj3z0-lanzaboote_tool-0.1.0.drv seems to fail non-reproducibly. Here's the log of a successful build from my machine:

nhhd04plbhyv6akld7banyhnh34rj3z0-lanzaboote_tool-0.1.0.drv_build_log.txt

Did you use the current nixos-unstable version? Try running nix flake update in the lanzaboote repo and test again.

[alyaeanyx]

If I'm not mistaken, this shouldn't matter as long as the store hashes match.

[Myaats]

If I'm not mistaken, this shouldn't matter as long as the store hashes match.

It does matter, as lanzaboote relies on external tools and libraries provided by nixpkgs, some which has been updated since the nixpkgs version currently locked. But I am not quite sure why the output derivation does match for you.

EDIT: The tools that was updated is added in checkInputs and in a seperate wrapper derivation, so the main output derivation hash matching makes sense.

[alyaeanyx]

Here's the relevant parts from my system config nix flake info:

├───lanzaboote: github:nix-community/lanzaboote/7c55847aaf804398c0cd1c75f20591075eafcdee
│   ├───crane: github:ipetkov/crane/2552a2d1ccf33d43259a9e00f93dbacb9e6d6bed
│   │   ├───flake-compat: github:edolstra/flake-compat/35bb57c0c8d8b62bbfd284272c928ceb64ddbde9
│   │   ├───flake-utils follows input 'lanzaboote/flake-utils'
│   │   ├───nixpkgs follows input 'lanzaboote/nixpkgs'
│   │   └───rust-overlay follows input 'lanzaboote/rust-overlay'
│   ├───flake-compat: github:edolstra/flake-compat/35bb57c0c8d8b62bbfd284272c928ceb64ddbde9
│   ├───flake-parts: github:hercules-ci/flake-parts/c13d60b89adea3dc20704c045ec4d50dd964d447
│   │   └───nixpkgs-lib: github:NixOS/nixpkgs/130fa0baaa2b93ec45523fdcde942f6844ee9f6e?dir=lib
│   ├───flake-utils: github:numtide/flake-utils/93a2b84fc4b70d9e089d029deacc3583435c2ed6
│   ├───nixpkgs follows input 'nixpkgs-unstable'
│   ├───nixpkgs-test: github:NixOS/nixpkgs/371d3778c4f9cee7d5cf014e6ce400d57366570f
│   ├───pre-commit-hooks-nix: github:cachix/pre-commit-hooks.nix/32b1dbedfd77892a6e375737ef04d8efba634e9e
│   │   ├───flake-compat: github:edolstra/flake-compat/35bb57c0c8d8b62bbfd284272c928ceb64ddbde9
│   │   ├───flake-utils follows input 'lanzaboote/flake-utils'
│   │   ├───gitignore: github:hercules-ci/gitignore.nix/a20de23b925fd8264fd7fad6454652e142fd7f73
│   │   │   └───nixpkgs follows input 'lanzaboote/pre-commit-hooks-nix/nixpkgs'
│   │   ├───nixpkgs follows input 'lanzaboote/nixpkgs'
│   │   └───nixpkgs-stable: github:NixOS/nixpkgs/9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8
│   └───rust-overlay: github:oxalica/rust-overlay/c680a0a4144bb0931f6cebd601a3978bbafc4f64
│       ├───flake-utils follows input 'lanzaboote/flake-utils'
│       └───nixpkgs follows input 'lanzaboote/nixpkgs'
├───nixpkgs-stable: github:NixOS/nixpkgs/a575c243c23e2851b78c00e9fa245232926ec32f
└───nixpkgs-unstable: github:NixOS/nixpkgs/9a6aabc4740790ef3bbb246b86d029ccf6759658

i.e. I'm on the latest unstable and have pinned the lanzaboote nixpkgs input to my system nixpkgs-unstable. This results in the same store hash for lanzaboote_tool, which should ideally also result in identical build results across different machines due to the purity guarantees of Nix. However it doesn't, which indicates some sort of non-determinism like memory-related bugs in the build process.

[alx-alexpark]

I also have this issue

[blitz]

Me too. Full log of test of failed test:

lanzaboote_tool> test overwrite_unsigned_images ... FAILED
lanzaboote_tool> failures:
lanzaboote_tool> ---- overwrite_unsigned_images stdout ----
lanzaboote_tool> Installing Lanzaboote to "/build/.tmpFbPuQZ"...
lanzaboote_tool> Signing and installing "/build/.tmpFbPuQZ/EFI/Linux/nixos-generation-1.efi"...
lanzaboote_tool> Signing and installing "/build/.tmpFbPuQZ/EFI/Linux/nixos-generation-2.efi"...
lanzaboote_tool> Installing "/build/.tmpFbPuQZ/EFI/nixos/toplevel-26xvPwpg-bzImage.efi"...
lanzaboote_tool> Installing "/build/.tmpFbPuQZ/EFI/nixos/toplevel-26xvPwpg-initrd.efi"...
lanzaboote_tool> Installing "/build/.tmpFbPuQZ/EFI/nixos/toplevel-nrZ60dID-bzImage.efi"...
lanzaboote_tool> Installing "/build/.tmpFbPuQZ/EFI/nixos/toplevel-nrZ60dID-initrd.efi"...
lanzaboote_tool> Updating "/build/.tmpFbPuQZ/EFI/BOOT/BOOTX64.EFI"...
lanzaboote_tool> Error reading file /build/.tmpFbPuQZ/EFI/BOOT/BOOTX64.EFI: No such file or directory
lanzaboote_tool> Can't open image /build/.tmpFbPuQZ/EFI/BOOT/BOOTX64.EFI
lanzaboote_tool> sbverify failed with args: `["--cert", "tests/fixtures/uefi-keys/db.pem", "/build/.tmpFbPuQZ/EFI/BOOT/BOOTX64.EFI"]`.
lanzaboote_tool> $"/build/.tmpFbPuQZ/EFI/BOOT/BOOTX64.EFI" is not signed. Replacing it with a signed binary...
lanzaboote_tool> Signing and installing "/build/.tmpFbPuQZ/EFI/BOOT/BOOTX64.EFI"...
lanzaboote_tool> Updating "/build/.tmpFbPuQZ/EFI/systemd/systemd-bootx64.efi"...
lanzaboote_tool> Error reading file /build/.tmpFbPuQZ/EFI/systemd/systemd-bootx64.efi: No such file or directory
lanzaboote_tool> Can't open image /build/.tmpFbPuQZ/EFI/systemd/systemd-bootx64.efi
lanzaboote_tool> sbverify failed with args: `["--cert", "tests/fixtures/uefi-keys/db.pem", "/build/.tmpFbPuQZ/EFI/systemd/systemd-bootx64.efi"]`.
lanzaboote_tool> $"/build/.tmpFbPuQZ/EFI/systemd/systemd-bootx64.efi" is not signed. Replacing it with a signed binary...
lanzaboote_tool> Signing and installing "/build/.tmpFbPuQZ/EFI/systemd/systemd-bootx64.efi"...
lanzaboote_tool> Installing "/build/.tmpFbPuQZ/loader/loader.conf"...
lanzaboote_tool> Collecting garbage...
lanzaboote_tool> Successfully installed Lanzaboote.
lanzaboote_tool> /build/.tmpFbPuQZ
lanzaboote_tool> /build/.tmpFbPuQZ/loader
lanzaboote_tool> /build/.tmpFbPuQZ/loader/loader.conf
lanzaboote_tool> /build/.tmpFbPuQZ/EFI
lanzaboote_tool> /build/.tmpFbPuQZ/EFI/systemd
lanzaboote_tool> /build/.tmpFbPuQZ/EFI/systemd/systemd-bootx64.efi
lanzaboote_tool> /build/.tmpFbPuQZ/EFI/BOOT
lanzaboote_tool> /build/.tmpFbPuQZ/EFI/BOOT/BOOTX64.EFI
lanzaboote_tool> /build/.tmpFbPuQZ/EFI/nixos
lanzaboote_tool> /build/.tmpFbPuQZ/EFI/nixos/toplevel-nrZ60dID-initrd.efi
lanzaboote_tool> /build/.tmpFbPuQZ/EFI/nixos/toplevel-nrZ60dID-bzImage.efi
lanzaboote_tool> /build/.tmpFbPuQZ/EFI/nixos/toplevel-26xvPwpg-initrd.efi
lanzaboote_tool> /build/.tmpFbPuQZ/EFI/nixos/toplevel-26xvPwpg-bzImage.efi
lanzaboote_tool> /build/.tmpFbPuQZ/EFI/Linux
lanzaboote_tool> /build/.tmpFbPuQZ/EFI/Linux/nixos-generation-2.efi
lanzaboote_tool> /build/.tmpFbPuQZ/EFI/Linux/nixos-generation-1.efi
lanzaboote_tool> Signature verification failed
lanzaboote_tool> No signature table present
lanzaboote_tool> Signature verification OK
lanzaboote_tool> Installing Lanzaboote to "/build/.tmpFbPuQZ"...
lanzaboote_tool> Signing and installing "/build/.tmpFbPuQZ/EFI/Linux/nixos-generation-2.efi"...
lanzaboote_tool> Collecting garbage...
lanzaboote_tool> Successfully installed Lanzaboote.
lanzaboote_tool> /build/.tmpFbPuQZ
lanzaboote_tool> /build/.tmpFbPuQZ/loader
lanzaboote_tool> /build/.tmpFbPuQZ/loader/loader.conf
lanzaboote_tool> /build/.tmpFbPuQZ/EFI
lanzaboote_tool> /build/.tmpFbPuQZ/EFI/systemd
lanzaboote_tool> /build/.tmpFbPuQZ/EFI/systemd/systemd-bootx64.efi
lanzaboote_tool> /build/.tmpFbPuQZ/EFI/BOOT
lanzaboote_tool> /build/.tmpFbPuQZ/EFI/BOOT/BOOTX64.EFI
lanzaboote_tool> /build/.tmpFbPuQZ/EFI/nixos
lanzaboote_tool> /build/.tmpFbPuQZ/EFI/nixos/toplevel-nrZ60dID-initrd.efi
lanzaboote_tool> /build/.tmpFbPuQZ/EFI/nixos/toplevel-nrZ60dID-bzImage.efi
lanzaboote_tool> /build/.tmpFbPuQZ/EFI/nixos/toplevel-26xvPwpg-initrd.efi
lanzaboote_tool> /build/.tmpFbPuQZ/EFI/nixos/toplevel-26xvPwpg-bzImage.efi
lanzaboote_tool> /build/.tmpFbPuQZ/EFI/Linux
lanzaboote_tool> /build/.tmpFbPuQZ/EFI/Linux/nixos-generation-2.efi
lanzaboote_tool> /build/.tmpFbPuQZ/EFI/Linux/nixos-generation-1.efi
lanzaboote_tool> Signature verification failed
lanzaboote_tool> No signature table present
lanzaboote_tool> thread 'overwrite_unsigned_images' panicked at 'assertion failed: verify_signature(&image1)?', tests/install.rs:63:5
lanzaboote_tool> note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
lanzaboote_tool> failures:
lanzaboote_tool>     overwrite_unsigned_images
lanzaboote_tool> test result: FAILED. 2 passed; 1 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.13s
lanzaboote_tool> error: test failed, to rerun pass `--test install`