From dd32e5275a73fd325632f9b4e6c807dd367e95c4 Mon Sep 17 00:00:00 2001 From: fryd Date: Thu, 9 Apr 2026 19:07:43 +0200 Subject: [PATCH 01/16] Improve devtools profile for FlashBox L2 (#129) --- mkosi.profiles/devtools/mkosi.extra/etc/devmode | 0 .../flashbox-l2/mkosi.extra/usr/bin/fetch-config.sh | 6 +++--- 2 files changed, 3 insertions(+), 3 deletions(-) create mode 100644 mkosi.profiles/devtools/mkosi.extra/etc/devmode diff --git a/mkosi.profiles/devtools/mkosi.extra/etc/devmode b/mkosi.profiles/devtools/mkosi.extra/etc/devmode new file mode 100644 index 00000000..e69de29b diff --git a/modules/flashbox/flashbox-l2/mkosi.extra/usr/bin/fetch-config.sh b/modules/flashbox/flashbox-l2/mkosi.extra/usr/bin/fetch-config.sh index ddbdf7fb..3324fc50 100755 --- a/modules/flashbox/flashbox-l2/mkosi.extra/usr/bin/fetch-config.sh +++ b/modules/flashbox/flashbox-l2/mkosi.extra/usr/bin/fetch-config.sh @@ -14,7 +14,7 @@ if [ -f "$CONFIG_PATH" ]; then fi if dmidecode -s system-manufacturer 2>/dev/null | grep -q "QEMU" && \ - [ -f /etc/systemd/system/serial-console.service ]; then + [ -f /etc/devmode ]; then echo "Running in local QEMU dev image, using default test values" # Get default gateway (host in QEMU user-mode networking) @@ -30,8 +30,8 @@ CONFIG_NETWORK_NAME='local-testnet' CONFIG_JWT_SECRET='1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef' CONFIG_EL_STATIC_PEERS='enode://abc123@${GATEWAY}:30303' CONFIG_EL_PEERS_IPS='${GATEWAY}' -CONFIG_SIMULATOR_RPC_URL='http://${GATEWAY}:8545' -CONFIG_SIMULATOR_WS_URL='ws://${GATEWAY}:8546' +CONFIG_SIMULATOR_RPC_URL='http://${GATEWAY}:8601' +CONFIG_SIMULATOR_WS_URL='ws://${GATEWAY}:8600' CONFIG_SIMULATOR_IP='${GATEWAY}' EOF From f777ec052d53acf07d0631804dfeaa7edd631c31 Mon Sep 17 00:00:00 2001 
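Review bot: The `/etc/devmode` marker now gates the branch that writes fixed test credentials (`CONFIG_JWT_SECRET='1234567890abcdef…'`) and a fixed static peer into the config, and the marker is an empty file shipped by the devtools profile's extra tree, so any image built with that profile that also reports a QEMU manufacturer takes this branch. That appears to be the intent, but nothing at the check says so; a comment above the condition would keep the marker from being reused for something else, e.g. `# /etc/devmode is installed only by the devtools mkosi profile; its presence (plus QEMU DMI) selects the hardcoded test config below, so production profiles must never ship it.` The enclosing `if` continues past the first hunk, and the heredoc holding the CONFIG_* lines starts outside the second hunk.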
From: peg Date: Mon, 13 Apr 2026 14:05:14 +0200 Subject: [PATCH 02/16] Shell scripts should use #!/usr/bin/env bash and flake.nix should add all needed tool to development shell --- flake.nix | 10 +++++++++- mkosi.profiles/azure/mkosi.postoutput | 2 +- mkosi.profiles/devtools/mkosi.postinst | 2 +- mkosi.profiles/gcp/mkosi.postinst | 2 +- mkosi.profiles/gcp/mkosi.postoutput | 2 +- mkosi.version | 2 +- modules/flashbox/common/mkosi.build | 2 +- modules/flashbox/common/mkosi.postinst | 2 +- modules/flashbox/common/unmask-systemd.sh | 2 +- modules/flashbox/flashbox-l1/mkosi.build | 2 +- modules/flashbox/flashbox-l1/mkosi.postinst | 2 +- modules/l2/_common/mkosi.build | 2 +- modules/l2/_common/mkosi.postinst.chroot | 2 +- modules/l2/_common/mkosi.sync | 2 +- modules/l2/_devtools_no_console/mkosi.postinst.chroot | 2 +- .../l2/_devtools_no_root_login/mkosi.postinst.chroot | 2 +- modules/l2/_devtools_users/mkosi.postinst.chroot | 2 +- modules/l2/_gcp/mkosi.postinst.chroot | 2 +- modules/l2/op-rbuilder-bproxy/mkosi.build | 2 +- modules/l2/op-rbuilder-bproxy/mkosi.postinst.chroot | 2 +- modules/l2/op-rbuilder/mkosi.build | 2 +- modules/l2/op-rbuilder/mkosi.postinst.chroot | 2 +- modules/l2/simulator/mkosi.build | 2 +- modules/l2/simulator/mkosi.postinst.chroot | 2 +- modules/tdx-dummy/mkosi.build | 2 +- modules/tdx-dummy/mkosi.postinst | 2 +- scripts/build_rust_package.sh | 2 +- scripts/make_git_package.sh | 2 +- scripts/unpack_image.sh | 2 +- shared/mkosi.build.d/10-kernel.sh | 2 +- shared/mkosi.finalize.d/10-remove-image-version.sh | 2 +- shared/mkosi.finalize.d/90-debloat.sh | 2 +- shared/mkosi.postinst.d/10-efi-stub.sh | 2 +- shared/mkosi.postinst.d/90-debloat-systemd.sh | 2 +- shared/mkosi.sync.d/10-setup-apt.sh | 2 +- shared/mkosi.sync.d/20-normalize-umask.sh | 2 +- 36 files changed, 44 insertions(+), 36 deletions(-) diff --git a/flake.nix b/flake.nix index 46090cdd..06a543a2 100644 --- a/flake.nix +++ b/flake.nix 
@@ -106,7 +106,15 @@ devShells = builtins.listToAttrs (map (system: { name = system; value.default = pkgs.mkShell { - nativeBuildInputs = [(mkosi system) measured-boot measured-boot-gcp]; + nativeBuildInputs = with pkgs; [ + (mkosi system) + measured-boot + measured-boot-gcp + bash + curl + git + jq + ]; shellHook = '' mkdir -p mkosi.packages mkosi.cache mkosi.builddir ~/.cache/mkosi touch mkosi.builddir/mkosi.sources diff --git a/mkosi.profiles/azure/mkosi.postoutput b/mkosi.profiles/azure/mkosi.postoutput index d30a15ae..6df59ec6 100755 --- a/mkosi.profiles/azure/mkosi.postoutput +++ b/mkosi.profiles/azure/mkosi.postoutput @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euxo pipefail EFI_FILE="${OUTPUTDIR}/${IMAGE_ID}_${IMAGE_VERSION}.efi" diff --git a/mkosi.profiles/devtools/mkosi.postinst b/mkosi.profiles/devtools/mkosi.postinst index 10dd0934..916afae7 100755 --- a/mkosi.profiles/devtools/mkosi.postinst +++ b/mkosi.profiles/devtools/mkosi.postinst @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euxo pipefail diff --git a/mkosi.profiles/gcp/mkosi.postinst b/mkosi.profiles/gcp/mkosi.postinst index 565af05a..23905077 100755 --- a/mkosi.profiles/gcp/mkosi.postinst +++ b/mkosi.profiles/gcp/mkosi.postinst @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euxo pipefail diff --git a/mkosi.profiles/gcp/mkosi.postoutput b/mkosi.profiles/gcp/mkosi.postoutput index 2d4dbe66..2c7991c5 100755 --- a/mkosi.profiles/gcp/mkosi.postoutput +++ b/mkosi.profiles/gcp/mkosi.postoutput @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -eu -o pipefail diff --git a/mkosi.version b/mkosi.version index 9309e4c2..d5176eba 100755 --- a/mkosi.version +++ b/mkosi.version @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euo pipefail # mkosi doesn't support customizing version script path in config files, diff --git a/modules/flashbox/common/mkosi.build b/modules/flashbox/common/mkosi.build index a8c8bda9..2b0ddbc7 100755 --- a/modules/flashbox/common/mkosi.build 
+++ b/modules/flashbox/common/mkosi.build @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euxo pipefail source scripts/make_git_package.sh diff --git a/modules/flashbox/common/mkosi.postinst b/modules/flashbox/common/mkosi.postinst index fa200ca4..5deecdff 100755 --- a/modules/flashbox/common/mkosi.postinst +++ b/modules/flashbox/common/mkosi.postinst @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euxo pipefail # Create users and groups diff --git a/modules/flashbox/common/unmask-systemd.sh b/modules/flashbox/common/unmask-systemd.sh index 347005af..3c410116 100755 --- a/modules/flashbox/common/unmask-systemd.sh +++ b/modules/flashbox/common/unmask-systemd.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euo pipefail # Additional systemd units to enable for proper reboot support in bob-common diff --git a/modules/flashbox/flashbox-l1/mkosi.build b/modules/flashbox/flashbox-l1/mkosi.build index b6d2a3bd..ac978be6 100755 --- a/modules/flashbox/flashbox-l1/mkosi.build +++ b/modules/flashbox/flashbox-l1/mkosi.build @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euxo pipefail source scripts/make_git_package.sh diff --git a/modules/flashbox/flashbox-l1/mkosi.postinst b/modules/flashbox/flashbox-l1/mkosi.postinst index d0611936..844037fa 100755 --- a/modules/flashbox/flashbox-l1/mkosi.postinst +++ b/modules/flashbox/flashbox-l1/mkosi.postinst @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euxo pipefail # Create user and group diff --git a/modules/l2/_common/mkosi.build b/modules/l2/_common/mkosi.build index 762b970f..c835a611 100755 --- a/modules/l2/_common/mkosi.build +++ b/modules/l2/_common/mkosi.build @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euxo pipefail diff --git a/modules/l2/_common/mkosi.postinst.chroot b/modules/l2/_common/mkosi.postinst.chroot index 2c0d8e90..7a8807d4 100755 --- a/modules/l2/_common/mkosi.postinst.chroot +++ b/modules/l2/_common/mkosi.postinst.chroot 
@@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euxo pipefail diff --git a/modules/l2/_common/mkosi.sync b/modules/l2/_common/mkosi.sync index 0cb90316..3f373da7 100755 --- a/modules/l2/_common/mkosi.sync +++ b/modules/l2/_common/mkosi.sync @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash if [ ! -f "$SRCDIR/mkosi.packages/fluent-bit.deb" ]; then curl -sSfL https://packages.fluentbit.io/debian/bookworm/fluent-bit_3.1.6_amd64.deb -o "$SRCDIR/mkosi.packages/fluent-bit.deb" diff --git a/modules/l2/_devtools_no_console/mkosi.postinst.chroot b/modules/l2/_devtools_no_console/mkosi.postinst.chroot index b8df0c59..0a5270f4 100755 --- a/modules/l2/_devtools_no_console/mkosi.postinst.chroot +++ b/modules/l2/_devtools_no_console/mkosi.postinst.chroot @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euxo pipefail diff --git a/modules/l2/_devtools_no_root_login/mkosi.postinst.chroot b/modules/l2/_devtools_no_root_login/mkosi.postinst.chroot index eb1ae9ca..a3516279 100755 --- a/modules/l2/_devtools_no_root_login/mkosi.postinst.chroot +++ b/modules/l2/_devtools_no_root_login/mkosi.postinst.chroot @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euxo pipefail diff --git a/modules/l2/_devtools_users/mkosi.postinst.chroot b/modules/l2/_devtools_users/mkosi.postinst.chroot index 7d74c4a3..9b7b4c49 100755 --- a/modules/l2/_devtools_users/mkosi.postinst.chroot +++ b/modules/l2/_devtools_users/mkosi.postinst.chroot @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euxo pipefail diff --git a/modules/l2/_gcp/mkosi.postinst.chroot b/modules/l2/_gcp/mkosi.postinst.chroot index aea5f967..59737fea 100755 --- a/modules/l2/_gcp/mkosi.postinst.chroot +++ b/modules/l2/_gcp/mkosi.postinst.chroot @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euxo pipefail diff --git a/modules/l2/op-rbuilder-bproxy/mkosi.build b/modules/l2/op-rbuilder-bproxy/mkosi.build index 629e0c8c..7054b761 100755 --- a/modules/l2/op-rbuilder-bproxy/mkosi.build 
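Review bot: `modules/l2/_common/mkosi.sync` is the one script in this commit whose visible lines carry no `set -euo pipefail` after the new shebang, and the `curl -sSfL https://packages.fluentbit.io/debian/bookworm/fluent-bit_3.1.6_amd64.deb` it runs stores the download in `$SRCDIR/mkosi.packages` with no integrity check, so a truncated or substituted .deb would be cached by the `[ ! -f … ]` guard and installed into the image on every later build. Since the other hunks in this commit all keep an `set -e…` line directly under the shebang, adding the same line here is a small consistency fix, and pinning the archive's expected digest after the download, e.g. `echo "<EXPECTED_SHA256>  $SRCDIR/mkosi.packages/fluent-bit.deb" | sha256sum -c -` (placeholder digest), would make the cached artifact verifiable. The rest of mkosi.sync is outside the hunk.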
+++ b/modules/l2/op-rbuilder-bproxy/mkosi.build @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euxo pipefail diff --git a/modules/l2/op-rbuilder-bproxy/mkosi.postinst.chroot b/modules/l2/op-rbuilder-bproxy/mkosi.postinst.chroot index 13d9ec96..9faf21a3 100755 --- a/modules/l2/op-rbuilder-bproxy/mkosi.postinst.chroot +++ b/modules/l2/op-rbuilder-bproxy/mkosi.postinst.chroot @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euxo pipefail diff --git a/modules/l2/op-rbuilder/mkosi.build b/modules/l2/op-rbuilder/mkosi.build index 9f12363e..3fa179ff 100755 --- a/modules/l2/op-rbuilder/mkosi.build +++ b/modules/l2/op-rbuilder/mkosi.build @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euxo pipefail diff --git a/modules/l2/op-rbuilder/mkosi.postinst.chroot b/modules/l2/op-rbuilder/mkosi.postinst.chroot index 13d9ec96..9faf21a3 100755 --- a/modules/l2/op-rbuilder/mkosi.postinst.chroot +++ b/modules/l2/op-rbuilder/mkosi.postinst.chroot @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euxo pipefail diff --git a/modules/l2/simulator/mkosi.build b/modules/l2/simulator/mkosi.build index 4f700923..530f7ccf 100755 --- a/modules/l2/simulator/mkosi.build +++ b/modules/l2/simulator/mkosi.build @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euxo pipefail diff --git a/modules/l2/simulator/mkosi.postinst.chroot b/modules/l2/simulator/mkosi.postinst.chroot index 80ed0deb..4b6e3099 100755 --- a/modules/l2/simulator/mkosi.postinst.chroot +++ b/modules/l2/simulator/mkosi.postinst.chroot @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euxo pipefail diff --git a/modules/tdx-dummy/mkosi.build b/modules/tdx-dummy/mkosi.build index 22ac161e..4d53616a 100755 --- a/modules/tdx-dummy/mkosi.build +++ b/modules/tdx-dummy/mkosi.build @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euxo pipefail source scripts/make_git_package.sh diff --git a/modules/tdx-dummy/mkosi.postinst b/modules/tdx-dummy/mkosi.postinst index 95ce0ed2..0ad419f5 100755 
--- a/modules/tdx-dummy/mkosi.postinst +++ b/modules/tdx-dummy/mkosi.postinst @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euxo pipefail # Install systemd service units diff --git a/scripts/build_rust_package.sh b/scripts/build_rust_package.sh index 3943c02a..57f1d232 100755 --- a/scripts/build_rust_package.sh +++ b/scripts/build_rust_package.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash build_rust_package() { local package="$1" diff --git a/scripts/make_git_package.sh b/scripts/make_git_package.sh index 360a2e9e..2a32a766 100644 --- a/scripts/make_git_package.sh +++ b/scripts/make_git_package.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Note env variables: DESTDIR, BUILDROOT, GOCACHE, BUILDDIR diff --git a/scripts/unpack_image.sh b/scripts/unpack_image.sh index f7c1b19c..cc3f9098 100755 --- a/scripts/unpack_image.sh +++ b/scripts/unpack_image.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euo pipefail usage() { diff --git a/shared/mkosi.build.d/10-kernel.sh b/shared/mkosi.build.d/10-kernel.sh index 9ff7a575..01e36f91 100755 --- a/shared/mkosi.build.d/10-kernel.sh +++ b/shared/mkosi.build.d/10-kernel.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euo pipefail shopt -s inherit_errexit # propagate errexit to $() subshells shopt -s nullglob # non-matching globs expand to nothing diff --git a/shared/mkosi.finalize.d/10-remove-image-version.sh b/shared/mkosi.finalize.d/10-remove-image-version.sh index d032f032..8aeb109f 100755 --- a/shared/mkosi.finalize.d/10-remove-image-version.sh +++ b/shared/mkosi.finalize.d/10-remove-image-version.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euo pipefail # mkosi adds IMAGE_VERSION tag to /usr/lib/os-release, if it's set. diff --git a/shared/mkosi.finalize.d/90-debloat.sh b/shared/mkosi.finalize.d/90-debloat.sh index 349f4258..966a9124 100755 --- a/shared/mkosi.finalize.d/90-debloat.sh +++ b/shared/mkosi.finalize.d/90-debloat.sh 
@@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euo pipefail # Ensure deterministic ordering of uid and gids before debloating diff --git a/shared/mkosi.postinst.d/10-efi-stub.sh b/shared/mkosi.postinst.d/10-efi-stub.sh index 49ffe57d..b8a7fba3 100755 --- a/shared/mkosi.postinst.d/10-efi-stub.sh +++ b/shared/mkosi.postinst.d/10-efi-stub.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euo pipefail # Use a version of systemd-boot that is compatible with measured-boot script diff --git a/shared/mkosi.postinst.d/90-debloat-systemd.sh b/shared/mkosi.postinst.d/90-debloat-systemd.sh index 716fac52..1e8a8ffe 100755 --- a/shared/mkosi.postinst.d/90-debloat-systemd.sh +++ b/shared/mkosi.postinst.d/90-debloat-systemd.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euo pipefail # Core systemd units to keep diff --git a/shared/mkosi.sync.d/10-setup-apt.sh b/shared/mkosi.sync.d/10-setup-apt.sh index 587875a9..b3f5cbb3 100755 --- a/shared/mkosi.sync.d/10-setup-apt.sh +++ b/shared/mkosi.sync.d/10-setup-apt.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # Adds mkosi sources. See https://github.com/systemd/mkosi/issues/1755 SNAPSHOT=$(jq -r .Snapshot /work/config.json) diff --git a/shared/mkosi.sync.d/20-normalize-umask.sh b/shared/mkosi.sync.d/20-normalize-umask.sh index b5d13b12..490d73b1 100755 --- a/shared/mkosi.sync.d/20-normalize-umask.sh +++ b/shared/mkosi.sync.d/20-normalize-umask.sh @@ -1,3 +1,3 @@ -#!/bin/bash +#!/usr/bin/env bash set -euo pipefail chmod -cR go-w "$SRCDIR" From d3c02276761741562f0e804a9a62bd53b1304b39 Mon Sep 17 00:00:00 2001 From: peg Date: Tue, 14 Apr 2026 08:19:42 +0200 Subject: [PATCH 03/16] Rm jq as it is already added as a system dependency --- flake.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/flake.nix b/flake.nix index 06a543a2..f9316424 100644 --- a/flake.nix +++ b/flake.nix @@ -113,7 +113,6 @@ bash curl git - jq ]; shellHook = '' mkdir -p mkosi.packages mkosi.cache mkosi.builddir ~/.cache/mkosi 
From 49debcd09a1af65b2685dbd87d1234e3fec6bb55 Mon Sep 17 00:00:00 2001 From: Pablo <118397961+pablin-10@users.noreply.github.com> Date: Thu, 16 Apr 2026 10:56:54 -0300 Subject: [PATCH 04/16] Bump lighthouse to v8.1.3 (#134) --- modules/flashbox/flashbox-l1/mkosi.build | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/flashbox/flashbox-l1/mkosi.build b/modules/flashbox/flashbox-l1/mkosi.build index ac978be6..af1aad45 100755 --- a/modules/flashbox/flashbox-l1/mkosi.build +++ b/modules/flashbox/flashbox-l1/mkosi.build @@ -19,7 +19,7 @@ LIGHTHOUSE_BUILD_CMD=" " make_git_package \ "lighthouse" \ - "v8.1.2" \ + "v8.1.3" \ "https://github.com/sigp/lighthouse.git" \ "$LIGHTHOUSE_BUILD_CMD" \ "target/x86_64-unknown-linux-gnu/release/lighthouse:/usr/bin/lighthouse" From cedd66987bc5f772379dc41e0fb5d898f611e7a0 Mon Sep 17 00:00:00 2001 From: Niccolo Raspa <6024049+niccoloraspa@users.noreply.github.com> Date: Fri, 17 Apr 2026 13:34:46 +0200 Subject: [PATCH 05/16] Update readme to remove integration messaging details Removed integration contact information from readme. --- modules/flashbox/flashbox-l1/readme.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/flashbox/flashbox-l1/readme.md b/modules/flashbox/flashbox-l1/readme.md index 808dc5fa..99765f16 100644 --- a/modules/flashbox/flashbox-l1/readme.md +++ b/modules/flashbox/flashbox-l1/readme.md @@ -105,8 +105,6 @@ In the future, we hope to add bare metal support, which will lower this cost dra We place searcher machines in Azure US East 2 to colocate with builders. -**To begin integration, please message @astarinmymind on Telegram with your desired machine and disk size from the table below. Searchers who integrate will be expected to pay their monthly machine costs up front!** - **Machine** | Name | CPU | Mem (GB) | Price (USD) | |------------|-----|----------|-------------| From 142a53db66ce183ec63be7d020cf09bed9625d3f Mon Sep 17 00:00:00 2001 
From: MoeMahhouk Date: Mon, 27 Apr 2026 17:46:19 +0000 Subject: [PATCH 06/16] chore: memory optimizations --- modules/flashbox/flashbox-l1/mkosi.build | 2 +- .../mkosi.extra/etc/systemd/system/lighthouse.service | 1 + shared/mkosi.conf | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/flashbox/flashbox-l1/mkosi.build b/modules/flashbox/flashbox-l1/mkosi.build index af1aad45..c27c5432 100755 --- a/modules/flashbox/flashbox-l1/mkosi.build +++ b/modules/flashbox/flashbox-l1/mkosi.build @@ -12,7 +12,7 @@ LIGHTHOUSE_BUILD_CMD=" export RUSTFLAGS='-C link-arg=-Wl,--build-id=none -C metadata= --remap-path-prefix \$(pwd)=. -L /usr/lib/x86_64-linux-gnu -l z -l zstd -l snappy' cargo build --bin lighthouse \ - --features gnosis,slasher-lmdb,slasher-mdbx,slasher-redb,sysmalloc \ + --features gnosis,slasher-lmdb,slasher-mdbx,slasher-redb,jemalloc-unprefixed \ --profile release \ --locked \ --target x86_64-unknown-linux-gnu diff --git a/modules/flashbox/flashbox-l1/mkosi.extra/etc/systemd/system/lighthouse.service b/modules/flashbox/flashbox-l1/mkosi.extra/etc/systemd/system/lighthouse.service index df8422ed..39ac4efc 100644 --- a/modules/flashbox/flashbox-l1/mkosi.extra/etc/systemd/system/lighthouse.service +++ b/modules/flashbox/flashbox-l1/mkosi.extra/etc/systemd/system/lighthouse.service @@ -20,6 +20,7 @@ ExecStart=/usr/bin/lighthouse bn \ --datadir "/persistent/lighthouse" \ --disable-optimistic-finalized-sync \ --disable-quic \ + --state-cache-size 32 \ --logfile-dir /persistent/lighthouse_logs \ --logfile-format JSON \ --logfile-debug-level debug \ diff --git a/shared/mkosi.conf b/shared/mkosi.conf index 7f267b8f..b12de1fd 100644 --- a/shared/mkosi.conf +++ b/shared/mkosi.conf 
@@ -19,7 +19,7 @@ Seed=630b5f72-a36a-4e83-b23d-6ef47c82fd9c [Content] SourceDateEpoch=0 -KernelCommandLine=console=tty0 console=ttyS0,115200n8 mitigations=auto,nosmt spec_store_bypass_disable=on nospectre_v2 systemd.unit=minimal.target +KernelCommandLine=console=tty0 console=ttyS0,115200n8 mitigations=auto,nosmt spec_store_bypass_disable=on nospectre_v2 transparent_hugepage=madvise systemd.unit=minimal.target ExtraTrees=shared/mkosi.extra BuildScripts=shared/mkosi.build.d/* SyncScripts=shared/mkosi.sync.d/* From b92c3e63edeb8a78abf2b0409807bccb9a3d13d7 Mon Sep 17 00:00:00 2001 From: Alex Hulbert Date: Wed, 29 Apr 2026 11:15:08 -0400 Subject: [PATCH 07/16] Allow installing apt packages in dev mode (#137) --- mkosi.profiles/devtools/mkosi.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/mkosi.profiles/devtools/mkosi.conf b/mkosi.profiles/devtools/mkosi.conf index 7203abc0..e6351c6e 100644 --- a/mkosi.profiles/devtools/mkosi.conf +++ b/mkosi.profiles/devtools/mkosi.conf @@ -2,6 +2,7 @@ ExtraTrees=mkosi.extra custom PostInstallationScripts=custom.postinst.d/*.sh +CleanPackageMetadata=false Packages=adjtimex apt From 5b3729cc0b4827ea164f9df55a5186495a99219e Mon Sep 17 00:00:00 2001 From: peg Date: Wed, 29 Apr 2026 17:48:09 +0200 Subject: [PATCH 08/16] Add Contrast BadAML sandbox kernel patch on GCP (#131) --- ...cp-block-aml-systemmemory-ram-access.patch | 204 ++++++++++++++++++ 1 file changed, 204 insertions(+) create mode 100644 mkosi.profiles/gcp/kernel/patches/0001-acpi-gcp-block-aml-systemmemory-ram-access.patch diff --git a/mkosi.profiles/gcp/kernel/patches/0001-acpi-gcp-block-aml-systemmemory-ram-access.patch b/mkosi.profiles/gcp/kernel/patches/0001-acpi-gcp-block-aml-systemmemory-ram-access.patch new file mode 100644 index 00000000..09a4b8e2 --- /dev/null +++ b/mkosi.profiles/gcp/kernel/patches/0001-acpi-gcp-block-aml-systemmemory-ram-access.patch 
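Review bot: `CleanPackageMetadata=false` in the devtools mkosi.conf is added without a word on why, and its effect (keeping the apt/dpkg databases and repository lists in the finished image) is what makes the `apt` listed under Packages usable at runtime, which is also exactly what a hardened image should not carry. A one-line comment above it would tie the setting to this profile, e.g. `# Keep apt/dpkg metadata so packages can be installed inside running dev images; devtools profile only.` The Packages list continues past the hunk.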
@@ -0,0 +1,204 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Paul Meyer +Date: Tue, 17 Feb 2026 10:47:28 +0100 +Subject: [PATCH] drivers/acpi: add BadAML sandbox + +Signed-off-by: Paul Meyer +--- + drivers/acpi/acpica/exregion.c | 6 ++ + drivers/acpi/acpica/sandbox.h | 139 +++++++++++++++++++++++++++++++++ + 2 files changed, 145 insertions(+) + create mode 100644 drivers/acpi/acpica/sandbox.h + +diff --git a/drivers/acpi/acpica/exregion.c b/drivers/acpi/acpica/exregion.c +index a390a1c2b0abb01a7c8490b207ec377818120207..638323389e970500c004b7ccdd52a9e7455eaf67 100644 +--- a/drivers/acpi/acpica/exregion.c ++++ b/drivers/acpi/acpica/exregion.c +@@ -14,6 +14,8 @@ + #define _COMPONENT ACPI_EXECUTER + ACPI_MODULE_NAME("exregion") + ++#include "sandbox.h" ++ + /******************************************************************************* + * + * FUNCTION: acpi_ex_system_memory_space_handler +@@ -38,6 +40,7 @@ acpi_ex_system_memory_space_handler(u32 function, + u64 *value, + void *handler_context, void *region_context) + { ++ SANDBOX_SECT_START; + acpi_status status = AE_OK; + void *logical_addr_ptr = NULL; + struct acpi_mem_space_context *mem_info = region_context; +@@ -192,6 +195,7 @@ acpi_ex_system_memory_space_handler(u32 function, + case ACPI_READ: + + *value = 0; ++ SANDBOX_READ_HOOK((u64)logical_addr_ptr, (u64)address); + switch (bit_width) { + case 8: + +@@ -223,6 +227,7 @@ acpi_ex_system_memory_space_handler(u32 function, + + case ACPI_WRITE: + ++ SANDBOX_WRITE_HOOK((u64)logical_addr_ptr, (u64)address); + switch (bit_width) { + case 8: + +@@ -258,6 +263,7 @@ acpi_ex_system_memory_space_handler(u32 function, + break; + } + ++ SANDBOX_SECT_END; + return_ACPI_STATUS(status); + } + +diff --git a/drivers/acpi/acpica/sandbox.h b/drivers/acpi/acpica/sandbox.h +new file mode 100644 +index 0000000000000000000000000000000000000000..1d9d95a87698dde14429f2f33a0c375ad51774fe +--- /dev/null ++++ b/drivers/acpi/acpica/sandbox.h +@@ -0,0 
+1,139 @@ ++/* SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0 */ ++/* SPDX-FileCopyrightText: Satoru Takekoshi, Manami Mori, Takaaki Fukai, ++ * Takahiro Shinagawa */ ++/* SPDX-FileCopyrightText: Edgeless Systems GmbH */ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#define SANDBOX_READ_HOOK(virt_addr, phys_addr) { if (!__sandbox_validate_memory_access(virt_addr, phys_addr, true)) break; } ++#define SANDBOX_WRITE_HOOK(virt_addr, phys_addr) { if (!__sandbox_validate_memory_access(virt_addr, phys_addr, false)) break; } ++#define SANDBOX_SECT_START { __sandbox_section_start(); } ++#define SANDBOX_SECT_END { __sandbox_section_end(); } ++ ++static struct __sandbox_access_log { ++ bool is_read; ++ unsigned long phys_addr; ++ unsigned long virt_addr; ++ bool access_allowed; ++} __sandbox_access_log; ++ ++static void __sandbox_log_enabled(void) ++{ ++ DO_ONCE(pr_info, "SANDBOX: Enabled\n"); ++} ++ ++static unsigned long __sandbox_get_page_table_entry(unsigned long addr) ++{ ++ pgd_t *pgd; ++ p4d_t *p4d; ++ pud_t *pud; ++ pmd_t *pmd; ++ pte_t *pte; ++ ++ pgd = pgd_offset_k(addr); ++ if (pgd_none(*pgd)) { ++ return 0; ++ } ++ ++ p4d = p4d_offset(pgd, addr); ++ if (p4d_none(*p4d)) { ++ return 0; ++ } ++ ++ pud = pud_offset(p4d, addr); ++ if (pud_none(*pud)) { ++ return 0; ++ } ++ ++ /* Check for 1GB huge page */ ++ if (pud_leaf(*pud)) { ++ return pud_val(*pud); ++ } ++ ++ pmd = pmd_offset(pud, addr); ++ if (pmd_none(*pmd)) { ++ return 0; ++ } ++ ++ /* Check for 2MB huge page */ ++ if (pmd_leaf(*pmd)) { ++ return pmd_val(*pmd); ++ } ++ ++ pte = pte_offset_kernel(pmd, addr); ++ if (pte_none(*pte)) { ++ return 0; ++ } ++ ++ return pte_val(*pte); ++} ++ ++static bool __sandbox_is_encrypted_generic(unsigned long virt_addr) ++{ ++ unsigned long val; ++ ++ val = __sandbox_get_page_table_entry((unsigned long)(virt_addr)); ++ if (val) { ++ return val == cc_mkenc(val); ++ } else { ++ ACPI_ERROR((AE_INFO, "SANDBOX: Page table walk failed")); ++ } ++ ++ 
ACPI_DEBUG_PRINT((ACPI_DB_INFO, "SANDBOX: Falling back to 'encrypted' state\n")); ++ return true; ++} ++ ++static bool __sandbox_validate_memory_access(unsigned long virt_addr, unsigned long phys_addr, bool is_read) ++{ ++ __sandbox_log_enabled(); ++ __sandbox_access_log.is_read = is_read; ++ __sandbox_access_log.phys_addr = phys_addr; ++ __sandbox_access_log.virt_addr = virt_addr; ++ phys_addr &= PAGE_MASK; ++ virt_addr &= PAGE_MASK; ++ ++ cond_resched(); ++ ++ bool encrypted = true; ++ if (cc_platform_has(CC_ATTR_MEM_ENCRYPT)) { ++ encrypted = __sandbox_is_encrypted_generic(virt_addr); ++ } else { ++ ACPI_ERROR((AE_INFO, "SANDBOX: Unknown platform")); ++ } ++ ++ cond_resched(); ++ ++ if (!encrypted) { ++ return true; ++ } ++ ++ __sandbox_access_log.access_allowed = false; ++ return false; ++} ++ ++static void __sandbox_section_start(void) ++{ ++ __sandbox_access_log.is_read = true; ++ __sandbox_access_log.phys_addr = 0xdeadbeefcafebabeuL; ++ __sandbox_access_log.virt_addr = 0xdeadbeefcafebabeuL; ++ __sandbox_access_log.access_allowed = true; ++} ++ ++static void __sandbox_section_end(void) ++{ ++ cond_resched(); ++ ++ ACPI_INFO(( ++ "SANDBOX: ACCESS %s virt=%lx phys=%lx %s", ++ __sandbox_access_log.is_read ? "r" : "w", ++ (unsigned long)__sandbox_access_log.virt_addr, ++ (unsigned long)__sandbox_access_log.phys_addr, ++ __sandbox_access_log.access_allowed ? "allowed" : "denied" ++ )); ++ ++ cond_resched(); ++} +-- +2.49.0 From e76dcf9018d6e40917e1fb371710429cfc760b0f Mon Sep 17 00:00:00 2001 
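Review bot: A denied access in the vendored sandbox patch leaves the interpreter with a successful status: SANDBOX_READ_HOOK and SANDBOX_WRITE_HOOK `break` out of the caller's `switch (function)` in acpi_ex_system_memory_space_handler, so `status` stays AE_OK, a read yields the `*value = 0` set just above the hook, a write is dropped, and the denial is visible only in the ACPI_INFO line printed by __sandbox_section_end. If that fail-soft behaviour is intended (firmware AML that touches private RAM keeps running), it should be stated next to the macro definitions, e.g. `/* A denied access completes with AE_OK: reads return 0, writes are dropped; the denial is only logged by __sandbox_section_end. */`; if not, the hooks should assign an error to `status` before breaking. A second point: `encrypted` starts as true and only the CC_ATTR_MEM_ENCRYPT branch can clear it, so a kernel booted without memory encryption denies every SystemMemory OpRegion access after the "Unknown platform" error, which is acceptable for the gcp profile only if those images never boot as non-confidential VMs, something this page does not show. The static `__sandbox_access_log` is also shared without locking; whether concurrent region accesses can race on it depends on ACPICA's locking around the handler, which is outside this hunk.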
From: MoeMahhouk Date: Thu, 30 Apr 2026 10:13:45 +0000 Subject: [PATCH 09/16] Bump kernel to 6.19 + Debian snapshot 20260430 to fix CVE-2026-31431 Pulls in Debian's linux-source-6.19_6.19.13-1~bpo13+1 from trixie-backports, which carries upstream a664bf3d603d ('crypto: algif_aead - Revert to operating out-of-place') and its authencesn follow-up. trixie's 6.18 line is still listed as vulnerable on the security tracker. Refs: - https://security-tracker.debian.org/tracker/CVE-2026-31431 - https://snapshot.debian.org/package/linux/6.19.13-1~bpo13%2B1/ - https://metadata.ftp-master.debian.org/changelogs//main/l/linux/linux_6.19.13-1~bpo13+1_changelog (line 168) - https://git.kernel.org/linus/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5 --- images/flashbox-l1.conf | 2 +- images/flashbox-l2.conf | 2 +- images/l2-op-rbuilder-bproxy.conf | 2 +- images/l2-op-rbuilder.conf | 2 +- images/l2-simulator.conf | 2 +- shared/mkosi.conf | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/images/flashbox-l1.conf b/images/flashbox-l1.conf index 11fa947f..42f61ce8 100644 --- a/images/flashbox-l1.conf +++ b/images/flashbox-l1.conf @@ -7,4 +7,4 @@ Include=modules/flashbox/flashbox-l1/mkosi.conf Profiles=azure,gcp [Distribution] -Snapshot=20260301T083349Z +Snapshot=20260430T025253Z diff --git a/images/flashbox-l2.conf b/images/flashbox-l2.conf index 459dfc04..96076496 100644 --- a/images/flashbox-l2.conf +++ b/images/flashbox-l2.conf @@ -7,4 +7,4 @@ Include=modules/flashbox/flashbox-l2/mkosi.conf Profiles=gcp [Distribution] -Snapshot=20260301T083349Z +Snapshot=20260430T025253Z diff --git a/images/l2-op-rbuilder-bproxy.conf b/images/l2-op-rbuilder-bproxy.conf index c69cbdee..d798e665 100644 --- a/images/l2-op-rbuilder-bproxy.conf +++ b/images/l2-op-rbuilder-bproxy.conf @@ -2,7 +2,7 @@ Profiles=gcp [Distribution] -Snapshot=20260301T083349Z +Snapshot=20260430T025253Z [Include] Include=shared/mkosi.conf 
diff --git a/images/l2-op-rbuilder.conf b/images/l2-op-rbuilder.conf index 6756b7a8..211cb630 100644 --- a/images/l2-op-rbuilder.conf +++ b/images/l2-op-rbuilder.conf @@ -2,7 +2,7 @@ Profiles=gcp [Distribution] -Snapshot=20260301T083349Z +Snapshot=20260430T025253Z [Include] Include=shared/mkosi.conf diff --git a/images/l2-simulator.conf b/images/l2-simulator.conf index 5bf67f65..f7c2d54a 100644 --- a/images/l2-simulator.conf +++ b/images/l2-simulator.conf @@ -2,7 +2,7 @@ Profiles=gcp [Distribution] -Snapshot=20260301T083349Z +Snapshot=20260430T025253Z [Include] Include=shared/mkosi.conf diff --git a/shared/mkosi.conf b/shared/mkosi.conf index 7f267b8f..e8acb21f 100644 --- a/shared/mkosi.conf +++ b/shared/mkosi.conf @@ -6,7 +6,7 @@ Release=trixie [Build] PackageCacheDirectory=mkosi.cache SandboxTrees=mkosi.builddir/mkosi.sources:/etc/apt/sources.list.d/mkosi.sources -Environment=KERNEL_VERSION=6.18 +Environment=KERNEL_VERSION=6.19 KERNEL_CONFIG_SNIPPETS=shared/kernel/config.d KERNEL_PATCHES=shared/kernel/patches WithNetwork=true From e667c69cccc5524c343ddb77ddb2e738bb43729a Mon Sep 17 00:00:00 2001 From: Alex Hulbert Date: Thu, 30 Apr 2026 15:05:00 -0400 Subject: [PATCH 10/16] Move needed network deps to shared module (#141) --- mkosi.profiles/gcp/mkosi.conf | 4 +--- modules/flashbox/common/mkosi.conf | 1 - shared/mkosi.conf | 1 + 3 files changed, 2 insertions(+), 4 deletions(-) diff --git a/mkosi.profiles/gcp/mkosi.conf b/mkosi.profiles/gcp/mkosi.conf index b22a0c08..e916f075 100644 --- a/mkosi.profiles/gcp/mkosi.conf +++ b/mkosi.profiles/gcp/mkosi.conf @@ -5,7 +5,5 @@ Environment=KERNEL_CONFIG_SNIPPETS_GCP=mkosi.profiles/gcp/kernel/config.d [Content] ExtraTrees=mkosi.extra -Packages=udev - chrony - nvme-cli +Packages=nvme-cli xxd diff --git a/modules/flashbox/common/mkosi.conf b/modules/flashbox/common/mkosi.conf index e06aa8a2..bf0d19c9 100644 --- a/modules/flashbox/common/mkosi.conf +++ b/modules/flashbox/common/mkosi.conf 
@@ -27,7 +27,6 @@ Packages=podman libdevmapper1.02.1 libjson-c5 openssh-sftp-server - udev libsnappy1v5 BuildPackages=build-essential diff --git a/shared/mkosi.conf b/shared/mkosi.conf index 5c5fcbd7..e35fe336 100644 --- a/shared/mkosi.conf +++ b/shared/mkosi.conf @@ -41,6 +41,7 @@ Packages=kmod iproute2 e2fsprogs chrony + udev BuildPackages=build-essential git curl From ff5614f8984e33d2225ddd330cc1aaebc2ea7381 Mon Sep 17 00:00:00 2001 From: Alex Hulbert Date: Thu, 30 Apr 2026 15:05:46 -0400 Subject: [PATCH 11/16] Fixes for kernel build errors (#140) --- shared/mkosi.build.d/10-kernel.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/shared/mkosi.build.d/10-kernel.sh b/shared/mkosi.build.d/10-kernel.sh index 01e36f91..2d930928 100755 --- a/shared/mkosi.build.d/10-kernel.sh +++ b/shared/mkosi.build.d/10-kernel.sh @@ -1,5 +1,5 @@ #!/usr/bin/env bash -set -euo pipefail +set -euxo pipefail shopt -s inherit_errexit # propagate errexit to $() subshells shopt -s nullglob # non-matching globs expand to nothing @@ -11,7 +11,7 @@ if [[ -z "${KERNEL_VERSION:-}" ]]; then fi # Read distribution info from mkosi config JSON -snapshot=$(jq -re '.Snapshot' "$MKOSI_CONFIG") +snapshot=$(jq -r '.Snapshot' "$MKOSI_CONFIG") release=$(jq -re '.Release' "$MKOSI_CONFIG") echo "Snapshot: $snapshot" echo "Release: $release" @@ -51,7 +51,7 @@ cache_hash=$( cache_dir="$BUILDDIR/kernel-${KERNEL_VERSION}-${cache_hash}" cached_deb="$cache_dir/kernel.deb" -cat < $BUILDDIR/manifest.md +cat < "$BUILDDIR/manifest.md" | component | version | built / cached | size | duration | | ---------- | -------- | --------------- | ----- | --------- | EOF 
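Review bot: Dropping `-e` from `jq -re '.Snapshot'` in 10-kernel.sh removes the only check that the snapshot is set: with `jq -r`, a missing or null `.Snapshot` prints the literal string `null` and the script carries on with `snapshot=null`, and `set -e` does not catch it because jq exits 0. If Snapshot is meant to be optional, make that explicit rather than accidental, e.g. `snapshot=$(jq -r '.Snapshot // empty' "$MKOSI_CONFIG")` followed by a branch on `[[ -z "$snapshot" ]]`; if it is required (the image configs shown earlier in this series all set one), keep `-e` and fix whichever config lacked it. The `release=$(jq -re …)` line directly below still fails hard, so the two reads now behave differently for the same class of error.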
@@ -59,7 +59,7 @@ EOF # Use cached kernel .deb if available if [[ -f "$cached_deb" ]] && [[ -s "$cached_deb" ]]; then echo "Using cached kernel .deb: $cached_deb" - echo "| \`kernel\` | \`${KERNEL_VERSION}\` (config hash \`${cache_hash}\`) | reused from cache | \`$( du -sh $cached_deb | cut -f1 )\` | |" >> $BUILDDIR/manifest.md + echo "| \`kernel\` | \`${KERNEL_VERSION}\` (config hash \`${cache_hash}\`) | reused from cache | \`$( du -sh "$cached_deb" | cut -f1 )\` | |" >> "$BUILDDIR/manifest.md" else ts=$( date +%s ) @@ -159,7 +159,7 @@ else rm -rf "${kernel_build_dir}" - echo "| \`kernel\` | \`${KERNEL_VERSION}\` (config hash \`${cache_hash}\`) | built | \`$( du -sh $cached_deb | cut -f1 )\` | \`$duration\` |" >> $BUILDDIR/manifest.md + echo "| \`kernel\` | \`${KERNEL_VERSION}\` (config hash \`${cache_hash}\`) | built | \`$( du -sh "$cached_deb" | cut -f1 )\` | \`$duration\` |" >> "$BUILDDIR/manifest.md" fi # Copy to PACKAGEDIR for mkosi VolatilePackages installation From 63c4f2031d1612600bb7ba5ea6362f3d5bf96516 Mon Sep 17 00:00:00 2001 From: Alex Hulbert Date: Thu, 30 Apr 2026 15:33:17 -0400 Subject: [PATCH 12/16] Dynamically size ESP partition to support images > 512MB (#122) * Dynamically size ESP partition to support images > 512MB * Update to corresponding gcp measure commit --- flake.nix | 87 +++++++++++++------------ mkosi.profiles/gcp/mkosi.postoutput | 19 ++++-- mkosi.profiles/gcp/repart.d/00-uki.conf | 2 - 3 files changed, 59 insertions(+), 49 deletions(-) diff --git a/flake.nix b/flake.nix index f9316424..c1f4c0cf 100644 --- a/flake.nix +++ b/flake.nix 
@@ -44,53 +44,56 @@ src = pkgs.fetchFromGitHub { owner = "flashbots"; repo = "dstack-mr-gcp"; - rev = "503e7c506f89f9d81be04025c90921778b26f0a4"; - sha256 = "sha256-z6STTgcOXatiqA2rlpzwRyvAwnXrK30oNDCJqtIp7/8="; + rev = "ecf3284b72a507fd005de91d49f7372490cf6995"; + sha256 = "sha256-1rcm9sIZuvCojNN2HMPrsECYn9sd8eVChsgwleo8nFY="; }; vendorHash = "sha256-glOyRTrIF/zP78XGV+v58a1Bec6C3Fvc5c8G3PglzPM="; }; mkosi = system: let pkgsForSystem = import nixpkgs {inherit system;}; - mkosi-unwrapped = (pkgsForSystem.mkosi.override { - extraDeps = with pkgsForSystem; - [ - apt - dpkg - gnupg - debootstrap - squashfsTools - dosfstools - e2fsprogs - mtools - mustache-go - cryptsetup - gptfdisk - util-linux - zstd - which - qemu-utils - parted - unzip - jq - ] - ++ [reprepro]; - }).overrideAttrs (old: { - src = pkgsForSystem.fetchFromGitHub { - owner = "systemd"; - repo = "mkosi"; - rev = "df51194bc2d890d4c267af644a1832d2d53339ac"; - hash = "sha256-rGGzE9xIR8WvK07GBnaAmeLpmnM3Uy51wqyrmuHuWXo="; - }; - # TODO: remove these patch hunks from upstream nixpkgs next time mkosi has a release - # The latest mkosi doesn't need them - patches = pkgs.lib.drop 2 old.patches; - postPatch = let fd = "${pkgs.patchutils}/bin/filterdiff"; in '' - { ${fd} -x '*/run.py' --hunks=x2 ${builtins.elemAt old.patches 0} - ${fd} -i '*/run.py' --hunks=x1-2 ${builtins.elemAt old.patches 0} - ${fd} --hunks=x1 ${builtins.elemAt old.patches 1} - } | patch -p1 - ''; - }); + mkosi-unwrapped = + (pkgsForSystem.mkosi.override { + extraDeps = with pkgsForSystem; + [ + apt + dpkg + gnupg + debootstrap + squashfsTools + dosfstools + e2fsprogs + mtools + mustache-go + cryptsetup + gptfdisk + util-linux + zstd + which + qemu-utils + parted + unzip + jq + ] + ++ [reprepro]; + }).overrideAttrs (old: { + src = pkgsForSystem.fetchFromGitHub { + owner = "systemd"; + repo = "mkosi"; + rev = "df51194bc2d890d4c267af644a1832d2d53339ac"; + hash = "sha256-rGGzE9xIR8WvK07GBnaAmeLpmnM3Uy51wqyrmuHuWXo="; + }; + # TODO: remove these 
patch hunks from upstream nixpkgs next time mkosi has a release + # The latest mkosi doesn't need them + patches = pkgs.lib.drop 2 old.patches; + postPatch = let + fd = "${pkgs.patchutils}/bin/filterdiff"; + in '' + { ${fd} -x '*/run.py' --hunks=x2 ${builtins.elemAt old.patches 0} + ${fd} -i '*/run.py' --hunks=x1-2 ${builtins.elemAt old.patches 0} + ${fd} --hunks=x1 ${builtins.elemAt old.patches 1} + } | patch -p1 + ''; + }); in # Create a wrapper script that runs mkosi with unshare # Unshare is needed to create files owned by multiple uids/gids diff --git a/mkosi.profiles/gcp/mkosi.postoutput b/mkosi.profiles/gcp/mkosi.postoutput index 2c7991c5..ac95f434 100755 --- a/mkosi.profiles/gcp/mkosi.postoutput +++ b/mkosi.profiles/gcp/mkosi.postoutput @@ -10,11 +10,20 @@ cp ${OUTPUTDIR}/${IMAGE_ID}_${IMAGE_VERSION}.efi ${OUTPUTDIR}/esp/EFI/BOOT/BOOTX find ${OUTPUTDIR}/esp -exec touch -d "@${SOURCE_DATE_EPOCH}" {} + rm -f ${OUTPUTDIR}/${IMAGE_ID}_${IMAGE_VERSION}.raw -# Hack to use the newer systemd-repart from nix instead of mkosi.tools one -# TODO: remove after updating mkosi -PATH="${PATH#/usr/bin:/usr/sbin:}" systemd-repart --empty=create \ - --size=1G \ - --definitions=mkosi.profiles/gcp/repart.d \ +# Dynamically size ESP partition and disk from EFI file +MIB=$((1024 * 1024)) +EFI_BYTES=$(stat -c%s "${OUTPUTDIR}/${IMAGE_ID}_${IMAGE_VERSION}.efi") +ESP_BYTES=$(( EFI_BYTES + 32 * MIB )) +DISK_GIB=$(numfmt --to-unit=1Gi --round=up $(( ESP_BYTES + MIB ))) # + 1MiB GPT overhead + +REPART_TMPDIR=$(mktemp -d) +cp mkosi.profiles/gcp/repart.d/00-uki.conf "${REPART_TMPDIR}/00-uki.conf" +echo "SizeMinBytes=${ESP_BYTES}" >> "${REPART_TMPDIR}/00-uki.conf" +echo "SizeMaxBytes=${ESP_BYTES}" >> "${REPART_TMPDIR}/00-uki.conf" + +systemd-repart --empty=create \ + --size=${DISK_GIB}G \ + --definitions="${REPART_TMPDIR}" \ --copy-source=${OUTPUTDIR} \ --seed=630b5f72-a36a-4e83-b23d-6ef47c82fd9c \ --dry-run=no \ 
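Review bot: `REPART_TMPDIR=$(mktemp -d)` is never removed, so every build leaves a definitions directory behind; add `trap 'rm -rf "${REPART_TMPDIR}"' EXIT` directly after the `mktemp` line. Separately, `ESP_BYTES` inherits whatever byte alignment `stat -c%s` reports for the UKI; as I read repart.d(5), SizeMinBytes= is rounded up and SizeMaxBytes= rounded down to 4096-byte multiples, so an unaligned value can produce min > max — rounding the partition up to a MiB boundary, `ESP_BYTES=$(( (EFI_BYTES + 33 * MIB - 1) / MIB * MIB ))`, avoids that while keeping the 32 MiB headroom. The `# + 1MiB GPT overhead` allowance only covers the primary header; the backup GPT at the end of the disk is not counted, which matters only when `ESP_BYTES + MIB` lands exactly on a GiB boundary, so either confirm systemd-repart tolerates that or budget a second MiB.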
diff --git a/mkosi.profiles/gcp/repart.d/00-uki.conf b/mkosi.profiles/gcp/repart.d/00-uki.conf index b161a108..64d96067 100644 --- a/mkosi.profiles/gcp/repart.d/00-uki.conf +++ b/mkosi.profiles/gcp/repart.d/00-uki.conf @@ -4,5 +4,3 @@ Format=vfat CopyFiles=/esp:/ Minimize=off UUID=87654321-4321-8765-4321-876543218765 -SizeMinBytes=524288000 -SizeMaxBytes=524288000 From 769c37fd70ee5c8e2687664a88cce24e9dd9eb5e Mon Sep 17 00:00:00 2001 From: peg Date: Fri, 8 May 2026 00:59:01 +0200 Subject: [PATCH 13/16] Log TDX measurements on boot (#143) * Log TDX measurements on boot * Use perl script rather than attested-tls-proxy for measurement logging * Switch to systemd oneshot service --- shared/mkosi.conf | 1 + .../etc/systemd/system/print-measurements.service | 12 ++++++++++++ shared/mkosi.extra/usr/bin/print-measurements | 8 ++++++++ shared/mkosi.postinst.d/90-debloat-systemd.sh | 1 + 4 files changed, 22 insertions(+) create mode 100644 shared/mkosi.extra/etc/systemd/system/print-measurements.service create mode 100755 shared/mkosi.extra/usr/bin/print-measurements diff --git a/shared/mkosi.conf b/shared/mkosi.conf index e35fe336..1d594ed2 100644 --- a/shared/mkosi.conf +++ b/shared/mkosi.conf @@ -36,6 +36,7 @@ Packages=kmod busybox util-linux procps + perl ca-certificates openssl iproute2 diff --git a/shared/mkosi.extra/etc/systemd/system/print-measurements.service b/shared/mkosi.extra/etc/systemd/system/print-measurements.service new file mode 100644 index 00000000..9a8c01ac --- /dev/null +++ b/shared/mkosi.extra/etc/systemd/system/print-measurements.service @@ -0,0 +1,12 @@ +[Unit] +Description=Log TDX measurements +After=basic.target + +[Service] +Type=oneshot +ExecStart=/usr/bin/print-measurements +StandardOutput=journal+console +StandardError=journal+console + +[Install] +WantedBy=minimal.target diff --git a/shared/mkosi.extra/usr/bin/print-measurements b/shared/mkosi.extra/usr/bin/print-measurements new file mode 100755 index 00000000..a7ec5158 --- /dev/null 
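Review bot: Adding `perl` to the shared Packages list pulls the interpreter and its dependency closure into every image built from this profile, including the attested TEE images the rest of the repository works to debloat, and the only consumer visible in this commit is the eight-line print-measurements script. If that is its sole use, a small static helper would keep the measured surface smaller; at minimum a comment next to the entry, `# needed by /usr/bin/print-measurements`, records why it is there so it can be dropped when that script changes.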
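Review bot: `After=basic.target` does not order this unit after the TDX guest device appears, so if `tdx_guest` is built as a module loaded by udev rather than into the kernel, the script can run before `/dev/tdx_guest` exists and log "Measurements not available" on a genuine TDX host — the one platform where the line matters. `ConditionPathExists=/dev/tdx_guest` would suppress the false negative on non-TDX hosts but not close the race; the systemd-native fix is a udev rule tagging the device with `TAG+="systemd"` so the unit can declare `After=dev-tdx_guest.device` and `Wants=dev-tdx_guest.device`. I cannot see the kernel config snippets from here, so if the driver is built in this is moot, but a comment in the unit stating that assumption would help.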
+++ b/shared/mkosi.extra/usr/bin/print-measurements @@ -0,0 +1,8 @@ +#!/usr/bin/env perl + +my $errmsg = "Measurements not available on this platform\n"; +my $b = "\0" x 1088; +sysopen F, "/dev/tdx_guest", 2 or do { warn $errmsg; exit 0; }; +ioctl F, 0xc4405401, $b or do { warn $errmsg; exit 0; }; +my @r = unpack "(H96)4", substr $b, 784, 192; +print "RTMR$_: $r[$_]\n" for 0..3; diff --git a/shared/mkosi.postinst.d/90-debloat-systemd.sh b/shared/mkosi.postinst.d/90-debloat-systemd.sh index 1e8a8ffe..2ade56de 100755 --- a/shared/mkosi.postinst.d/90-debloat-systemd.sh +++ b/shared/mkosi.postinst.d/90-debloat-systemd.sh @@ -50,6 +50,7 @@ done # Enable chrony service mkosi-chroot systemctl add-wants minimal.target \ chrony.service \ + print-measurements.service \ systemd-resolved.service \ systemd-networkd.service \ systemd-networkd-wait-online.service From b28706e794b1d68bcd50e3206e8cf745007ccb98 Mon Sep 17 00:00:00 2001 From: shashial <10578726+shashial@users.noreply.github.com> Date: Fri, 8 May 2026 13:28:08 +0100 Subject: [PATCH 14/16] add security section --- modules/flashbox/flashbox-l1/readme.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/flashbox/flashbox-l1/readme.md b/modules/flashbox/flashbox-l1/readme.md index 99765f16..b5eec6fc 100644 --- a/modules/flashbox/flashbox-l1/readme.md +++ b/modules/flashbox/flashbox-l1/readme.md @@ -14,6 +14,7 @@ Using Intel TDX, Flashbots has built a way for searchers to trustlessly backrun - [Disk Persistence](#disk-persistence) - [Searcher Commands and Services](#searcher-commands-and-services) - [Developer Notes](#developer-notes) +- [Security](#security) TDX Mental Model ------------------------ 
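Review bot: The script prints RTMR0–3 but not MRTD, the measurement that pins the image itself; per the TDREPORT layout the TDINFO block starts at tdreport offset 512 and MRTD is its third field after the 8-byte ATTRIBUTES and XFAM, so `my $mrtd = unpack "H96", substr $b, 592, 48;` followed by `print "MRTD: $mrtd\n";` before the RTMR loop completes the picture, and the existing 784 offset for the RTMRs is consistent with that layout. A header comment stating what the buffer holds (`# 64-byte REPORTDATA (zeros) followed by 1024-byte TDREPORT; the ioctl is TDX_CMD_GET_REPORT0`) and that these values are self-reported by the guest, not attestation evidence a verifier can rely on, would help the next reader. Style: `use strict; use warnings;` and a lexical filehandle (`sysopen my $fh, ...`) are the idiomatic form for an installed script.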
@@ -622,3 +623,7 @@ journalctl -fu searcher-container ssh -4 -i /root/.ssh/id_ed25519 -p 10022 root@127.0.0.1 ssh -4 -i /root/.ssh/id_ed25519 searcher@127.0.0.1 toggle ``` + +### Security + +Flashbots may temporarily pause orderflow to a TEE searcher instance if we identify a security issue that may affect the host configuration or running instance. This is a precautionary measure while we investigate, assess impact, and prepare mitigations, and does not necessarily mean that the searcher instance, data, or credentials were compromised. During a pause, transaction streaming may be disabled and login access may be unavailable until the instance is remediated or migrated to an updated image. Once remediation is complete, Flashbots will share next steps for restoring access and safely resuming order flow. From 831883ff951dad210454b30a133972fa1eb63f2d Mon Sep 17 00:00:00 2001 From: Niccolo Raspa Date: Fri, 15 May 2026 14:12:22 +0200 Subject: [PATCH 15/16] Add CODEOWNERS --- .github/CODEOWNERS | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 .github/CODEOWNERS diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 00000000..ecbd76af --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,4 @@ +# These owners will be the default owners for everything in +# the repo. Unless a later match takes precedence, +# they will be requested for review when someone opens a pull request. +* @flashbots/devops @flashbots/andromeda From 526af72bf7199aff9fe3e104bab3f2de458d3ef2 Mon Sep 17 00:00:00 2001 From: 0x416e746f6e Date: Tue, 26 May 2026 13:24:51 +0200 Subject: [PATCH 16/16] fix: use `systemd-repart` from nix --- mkosi.profiles/gcp/mkosi.postoutput | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/mkosi.profiles/gcp/mkosi.postoutput b/mkosi.profiles/gcp/mkosi.postoutput index ac95f434..c59f38e6 100755 --- a/mkosi.profiles/gcp/mkosi.postoutput +++ b/mkosi.profiles/gcp/mkosi.postoutput 
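Review bot: A CODEOWNERS file on its own only suggests reviewers; it gates merges only when the protected-branch rule requiring code-owner review is enabled for the default branch and both `@flashbots/devops` and `@flashbots/andromeda` have write access to this repository, otherwise the entry is silently ignored. Worth confirming those settings alongside this commit, since an unenforced reviewer requirement gives a false sense of control over changes to the image build.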
@@ -21,7 +21,14 @@ cp mkosi.profiles/gcp/repart.d/00-uki.conf "${REPART_TMPDIR}/00-uki.conf" echo "SizeMinBytes=${ESP_BYTES}" >> "${REPART_TMPDIR}/00-uki.conf" echo "SizeMaxBytes=${ESP_BYTES}" >> "${REPART_TMPDIR}/00-uki.conf" -systemd-repart --empty=create \ +# +# - default systemd-repart (in /usr/bin) is "systemd 252 (252.39-1~deb12u2)" +# - the one from nix (/nix/store/*-systemd-*/bin) is newer ("systemd 258 (258.3)" a.t.m.) +# - to use "--copy-source" CLI option we need a newer one +# - this hack ensures systemd-repart resolves to the nix one +# +PATH="${PATH#/usr/bin:/usr/sbin:}" systemd-repart \ + --empty=create \ --size=${DISK_GIB}G \ --definitions="${REPART_TMPDIR}" \ --copy-source=${OUTPUTDIR} \
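Review bot: `PATH="${PATH#/usr/bin:/usr/sbin:}"` strips the prefix only when PATH begins with exactly `/usr/bin:/usr/sbin:`; on any other layout the substitution is a no-op and the script silently falls through to the Debian systemd-repart, which then fails on `--copy-source` with an error that points nowhere near this hack. Make the requirement explicit instead of relying on PATH order: `systemd-repart --help 2>&1 | grep -q -- '--copy-source' || { echo "systemd-repart lacks --copy-source; need the nix build on PATH" >&2; exit 1; }` placed before the call. The version strings in the new comment (252.39, 258.3) will drift; the point is the feature, so the comment could say that rather than pin versions.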