Fix zig build run outside of sandboxed builds

jmbaur · Feb 11, 2025 · 75ef9cf · 75ef9cf
1 parent 22f87f3
commit 75ef9cf
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 69 deletions.
diff --git a/build.zig b/build.zig
@@ -4,7 +4,9 @@ const builtin = @import("builtin");
 
 pub fn build(b: *std.Build) !void {
     const target = b.standardTargetOptions(
-        .{ .default_target = .{ .cpu_model = .baseline } },
+        .{
+            .default_target = .{ .cpu_model = .baseline, .abi = .musl },
+        },
     );
 
     const optimize = b.standardOptimizeOption(.{});

diff --git a/pkgs/tinyboot/default.nix b/pkgs/tinyboot/default.nix
@@ -12,83 +12,81 @@
   zigForTinyboot,
 }:
 
+let
+  zigLibc =
+    {
+      "glibc" = "gnu";
+      "musl" = "musl";
+    }
+    .${stdenv.hostPlatform.libc} or "none";
+in
 # Using zig-overlay (without the patches from nixpkgs) does not work well when
 # doing sandboxed builds because of the following issue: https://github.com/ziglang/zig/issues/15898
-assert stdenv.hostPlatform.isStatic;
-stdenv.mkDerivation (
-  let
-    zigLibc =
-      {
-        "glibc" = "gnu";
-        "musl" = "musl";
-      }
-      .${stdenv.hostPlatform.libc} or "none";
-  in
-  {
-    pname = "tinyboot";
-    version = "0.1.0";
+assert stdenv.hostPlatform.isStatic && stdenv.hostPlatform.libc == "musl";
+stdenv.mkDerivation {
+  pname = "tinyboot";
+  version = "0.1.0";
 
-    src = lib.fileset.toSource {
-      root = ../../.;
-      fileset = lib.fileset.unions [
-        ../../build.zig
-        ../../build.zig.zon
-        ../../src
-        ../../tests/keys/tboot/key.der
-      ];
-    };
+  src = lib.fileset.toSource {
+    root = ../../.;
+    fileset = lib.fileset.unions [
+      ../../build.zig
+      ../../build.zig.zon
+      ../../src
+      ../../tests/keys/tboot/key.der
+    ];
+  };
+
+  strictDeps = true;
 
-    strictDeps = true;
+  nativeBuildInputs = [
+    zigForTinyboot
+    xz
+    pkg-config
+  ];
+  buildInputs = lib.optionals withTools [ openssl ];
 
-    nativeBuildInputs = [
-      zigForTinyboot
-      xz
-      pkg-config
+  zigBuildFlags =
+    [
+      "--release=safe"
+      "-Dcpu=baseline"
+      "-Dtarget=${stdenv.hostPlatform.qemuArch}-${stdenv.hostPlatform.parsed.kernel.name}-${zigLibc}"
+      "-Ddynamic-linker=${stdenv.cc.bintools.dynamicLinker}"
+      "-Dloader=${lib.boolToString withLoader}"
+      "-Dtools=${lib.boolToString withTools}"
+    ]
+    ++ lib.optionals (firmwareDirectory != null) [
+      "-Dfirmware-directory=${firmwareDirectory}"
     ];
-    buildInputs = lib.optionals withTools [ openssl ];
 
-    zigBuildFlags =
-      [
-        "--release=safe"
-        "-Dcpu=baseline"
-        "-Dtarget=${stdenv.hostPlatform.qemuArch}-${stdenv.hostPlatform.parsed.kernel.name}-${zigLibc}"
-        "-Ddynamic-linker=${stdenv.cc.bintools.dynamicLinker}"
-        "-Dloader=${lib.boolToString withLoader}"
-        "-Dtools=${lib.boolToString withTools}"
-      ]
-      ++ lib.optionals (firmwareDirectory != null) [
-        "-Dfirmware-directory=${firmwareDirectory}"
-      ];
+  dontInstall = true;
+  doCheck = true;
 
-    dontInstall = true;
-    doCheck = true;
+  configurePhase = ''
+    runHook preConfigure
+    export ZIG_GLOBAL_CACHE_DIR=$TEMPDIR
+    ln -s ${callPackage ../../build.zig.zon.nix { }} $ZIG_GLOBAL_CACHE_DIR/p
+    runHook postConfigure
+  '';
 
-    configurePhase = ''
-      runHook preConfigure
-      export ZIG_GLOBAL_CACHE_DIR=$TEMPDIR
-      ln -s ${callPackage ../../build.zig.zon.nix { }} $ZIG_GLOBAL_CACHE_DIR/p
-      runHook postConfigure
+  buildPhase =
+    ''
+      runHook preBuild
+      zig build install --prefix $out $zigBuildFlags
+    ''
+    + lib.optionalString withLoader ''
+      xz --threads=$NIX_BUILD_CORES --check=crc32 --lzma2=dict=512KiB $out/tboot-loader.cpio
+    ''
+    + ''
+      runHook postBuild
     '';
 
-    buildPhase =
-      ''
-        runHook preBuild
-        zig build install --prefix $out $zigBuildFlags
-      ''
-      + lib.optionalString withLoader ''
-        xz --threads=$NIX_BUILD_CORES --check=crc32 --lzma2=dict=512KiB $out/tboot-loader.cpio
-      ''
-      + ''
-        runHook postBuild
-      '';
-
-    checkPhase = ''
-      runHook preCheck
-      zig build test $zigBuildFlags
-      runHook postCheck
-    '';
+  checkPhase = ''
+    runHook preCheck
+    zig build test $zigBuildFlags
+    runHook postCheck
+  '';
 
-    passthru = lib.optionalAttrs withLoader { initrdPath = "tboot-loader.cpio.xz"; };
-    meta.platforms = lib.platforms.linux;
-  }
-)
+  passthru = lib.optionalAttrs withLoader { initrdPath = "tboot-loader.cpio.xz"; };
+  meta.platforms = lib.platforms.linux;
+}