Update ERIS and record URN mappings in ELF notes

flake.lock

@@ -3,14 +3,16 @@
     "eris": {
       "inputs": {
         "nimble": "nimble",
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": [
+          "nixpkgs"
+        ]
       },
       "locked": {
-        "lastModified": 1652741572,
-        "narHash": "sha256-c+8/yxYckS2PrA7SoEmEr6dqDwzQnw1Hz2LhJBDN4DA=",
-        "ref": "master",
-        "rev": "27bd39452ec548744e14a3169e85602340125851",
-        "revCount": 10,
+        "lastModified": 1665183375,
+        "narHash": "sha256-soRRiLo2fGGiup7vK3nKUQ7rvJQWt1d941uD+wGT2Oc=",
+        "ref": "refs/heads/trunk",
+        "rev": "c190cc13e5f2518913a266180a26b54d39dbcc87",
+        "revCount": 30,
         "type": "git",
         "url": "https://codeberg.org/eris/nix-eris"
       },
@@ -21,31 +23,17 @@
     },
     "nimble": {
       "inputs": {
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": [
+          "eris",
+          "nixpkgs"
+        ]
       },
       "locked": {
-        "lastModified": 1652579357,
-        "narHash": "sha256-hy50WWc872o177Ok4GQoMOi3La2DlzJyEboOD4iGE8Q=",
+        "lastModified": 1662949370,
+        "narHash": "sha256-tNGaNy/0iOS54wYK7g7AQIpArMg8XqCQsAisoZ7Dg4U=",
         "owner": "nix-community",
         "repo": "flake-nimble",
-        "rev": "a48df7c801b1da371492f5689dfbd5f6a128a6c2",
-        "type": "github"
-      },
-      "original": {
-        "id": "nimble",
-        "type": "indirect"
-      }
-    },
-    "nimble_2": {
-      "inputs": {
-        "nixpkgs": "nixpkgs_3"
-      },
-      "locked": {
-        "lastModified": 1652924471,
-        "narHash": "sha256-8lxEUhy5XXLaMy8J8eWwiufHUZpTnrI4ykS5lekPq3Y=",
-        "owner": "nix-community",
-        "repo": "flake-nimble",
-        "rev": "c3993134d3d8e6a601311fb662b2698b26b43575",
+        "rev": "54dd3e91c0b61ea63eb4065f95b97f3f0fc98b06",
         "type": "github"
       },
       "original": {
@@ -55,53 +43,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1641555862,
-        "narHash": "sha256-AJK1Q5djPXs/ba3K6gHsVAer9yDPVLic78ZIDsFSkHU=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "d1acd89e0116ff88eba80541027429fc922612e9",
-        "type": "github"
-      },
-      "original": {
-        "id": "nixpkgs",
-        "type": "indirect"
-      }
-    },
-    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1652692103,
-        "narHash": "sha256-ygRLh8g0F/WkVCSfQcxMoVaaD45i6Ky+f+b4wCOazag=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "556ce9a40abde33738e6c9eac65f965a8be3b623",
-        "type": "github"
-      },
-      "original": {
-        "id": "nixpkgs",
-        "type": "indirect"
-      }
-    },
-    "nixpkgs_3": {
-      "locked": {
-        "lastModified": 1641555862,
-        "narHash": "sha256-AJK1Q5djPXs/ba3K6gHsVAer9yDPVLic78ZIDsFSkHU=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "d1acd89e0116ff88eba80541027429fc922612e9",
-        "type": "github"
-      },
-      "original": {
-        "id": "nixpkgs",
-        "type": "indirect"
-      }
-    },
-    "nixpkgs_4": {
-      "locked": {
-        "lastModified": 1653521725,
-        "narHash": "sha256-JO3Ni/gV4+7eloZrXW0hY7PNfy5TGVJWOPEhtnV9ugQ=",
+        "lastModified": 1665079737,
+        "narHash": "sha256-mbi/+D73l2VXmiIJzh1oNjohrh+o2MrPblEGzaR7IiI=",
         "owner": "ehmry",
         "repo": "nixpkgs",
-        "rev": "2ec153670397dd3393e6b79d3057c0279539eb10",
+        "rev": "f971220848e4f9efe39667bc986f10e378a8b877",
         "type": "github"
       },
       "original": {
@@ -114,8 +60,11 @@
     "root": {
       "inputs": {
         "eris": "eris",
-        "nimble": "nimble_2",
-        "nixpkgs": "nixpkgs_4"
+        "nimble": [
+          "eris",
+          "nimble"
+        ],
+        "nixpkgs": "nixpkgs"
       }
     }
   },

flake.nix

@@ -2,7 +2,11 @@
   description = "Nix flavored Genode distribution";
 
   inputs = {
-    eris.url = "git+https://codeberg.org/eris/nix-eris";
+    eris = {
+      url = "git+https://codeberg.org/eris/nix-eris";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    nimble.follows = "eris/nimble";
     nixpkgs.url = "github:ehmry/nixpkgs/sigil-21.11";
   };
 
@@ -55,7 +59,7 @@
         # Overlay of adjustments applied to Nixpkgs as well as
         # the "genodePackages" set which the "packages"
         # output of this flake is taken.
-        import ./overlay { flake = self; };
+        import ./overlay;
 
       lib =
         # Local utilities merged with the Nixpkgs lib

overlay/default.nix

@@ -1,4 +1,3 @@
-{ flake }:
 final: prev:
 with prev;
 
@@ -99,6 +98,8 @@ in nullPkgs // {
     # The Genode-only packages.
     import ../packages { inherit final prev; };
 
+  getdns = overrideHost { doxygen = null; } prev.getdns;
+
   grub2 =
     # No need for a Genode build of GRUB.
     if stdenv.targetPlatform.isGenode then
@@ -168,17 +169,18 @@ in nullPkgs // {
     # Packages from the Nimble flake with adjustments.
     prev.nimPackages.overrideScope' (_: prev': {
 
-      dhall = with prev'; buildNimPackage rec {
-        name = "dhall";
-        version = "0.1.0";
-        src = prev.fetchFromSourcehut {
-          owner = "~ehmry";
-          repo = "dhall-nim";
-          rev = version;
-          hash = "sha256-AhGD/h61Yqiq80woD8bfrvwuTjqCPGYCmUFhK5xFur4=";
+      dhall = with prev';
+        buildNimPackage rec {
+          pname = "dhall";
+          version = "20221007";
+          src = prev.fetchFromSourcehut {
+            owner = "~ehmry";
+            repo = "${pname}-nim";
+            rev = version;
+            hash = "sha256-wDD9ZRQ6FcQrPLFMCFJcsBIXFzE3wLYqL12AF1KPE0g=";
+          };
+          buildInputs = [ bigints cbor ];
         };
-        buildInputs = [ bigints cbor ];
-      };
 
       genode = prev'.genode.overrideAttrs (attrs: rec {
         version = "20.11.1";

overlay/eris-patch-hook/default.nix

@@ -1,9 +1,10 @@
-{ buildNimPackage, patchelf, base32, bigints, cbor, dhall, eris }:
+{ lib, buildNimPackage, bintools-unwrapped, patchelf, base32, bigints, cbor, dhall, eris }:
 
 buildNimPackage {
   name = "eris_patch";
   buildInputs = [ base32 bigints cbor dhall eris ];
-  inherit patchelf;
+  patchelf = "${lib.getBin patchelf}/bin/patchelf";
+  objcopy = "${lib.getBin bintools-unwrapped}/bin/objcopy";
   unpackPhase = "install -D ${./eris_patch.nim} ./src/eris_patch.nim";
   nimBinOnly = true;
   preConfigure = ''

overlay/eris-patch-hook/eris_patch.nim

@@ -1,6 +1,29 @@
 import std/[asyncdispatch, deques, json, os, osproc, streams, strutils, tables]
-import dhall/[render, terms]
-import eris
+import cbor, dhall/[render, terms], eris
+
+const selfDescribedCbor = 55799
+
+proc writeErisLinks(path: string; node: CborNode) =
+  # Inspired by "Package Metadata for Core Files"
+  # - https://systemd.io/COREDUMP_PACKAGE_METADATA/
+  # - http://netbsd.org/docs/kernel/elf-notes.html
+  const name = "Sigil\x00"
+  var links = newStringStream()
+  links.writeCborTag(selfDescribedCbor)
+  links.writeCbor(node)
+  var file = openFileStream(path, fmWrite)
+  file.write(uint32 name.len)
+  file.write(uint32 links.data.len)
+  file.write(uint32 1)
+  file.write(name)
+  while (file.getPosition and 3) != 0: file.write(byte 0)
+  file.write(links.data)
+  while (file.getPosition and 3) != 0: file.write(byte 0)
+  close(file)
+
+proc toCbor(cap: ErisCap): CborNode =
+  result = initCborBytes(cap.bytes)
+  result.tag = erisCborTag
 
 proc toDhall(js: JsonNode): Value =
   case js.kind
@@ -13,14 +36,6 @@ proc toDhall(js: JsonNode): Value =
   else:
     raiseAssert "unhandled JSON value"
 
-if getEnv("dontErisPatch") != "": quit 0
-
-let
-  patchelf = getEnv("ERIS_PATCHELF", "patchelf")
-  nixStore = getEnv("NIX_STORE", "/nix/store")
-  jsonManifestSubPath = "nix-support" / "eris-manifest.json"
-  dhallManifestSubPath = "nix-support" / "eris-manifest.dhall"
-
 proc isElf(path: string): bool =
   var magic: array[4, char]
   let file = open(path)
@@ -28,176 +43,224 @@ proc isElf(path: string): bool =
   close(file)
   magic == [0x7f.char, 'E', 'L', 'F']
 
-type PendingFile = ref object
-  outputRoot, filePath: string
-  replacements: Table[string, string]
+proc main =
+  var generateManifests, generateNotes, addNotes, runPatchelf: bool
+  for arg in commandLineParams():
+    case arg
+    of "--add-notes": addNotes = true
+    of "--run-patchelf": runPatchelf = true
+    of "--generate-manifests": generateManifests = true
+    of "--generate-notes": generateNotes = true
 
-var
-  outputManifests = initTable[string, JsonNode]()
-  pendingFiles = initDeque[PendingFile]()
-  failed = false
-for outputName in getEnv("outputs").splitWhitespace:
-  let outputRoot = getEnv(outputName)
-  if fileExists(outputRoot / jsonManifestSubPath):
-    echo "Not running ERIS patch hook again"
-    quit 0
-  outputManifests[outputRoot] = newJObject()
+  if getEnv("dontErisPatch") != "": quit 0
+  let
+    patchelf = getEnv("ERIS_PATCHELF", "patchelf")
+    objcopy = getEnv("ERIS_OBJCOPY", "objcopy")
+    nixStore = getEnv("NIX_STORE", "/nix/store")
+    jsonManifestSubPath = "nix-support" / "eris-manifest.json"
+    dhallManifestSubPath = "nix-support" / "eris-manifest.dhall"
 
-let buildInputs = getEnv("buildInputs").splitWhitespace
+  type PendingFile = ref object
+    outputRoot, filePath: string
+    replacements: Table[string, string]
+    erisLinks: CborNode
+
+  var
+    outputManifests = initTable[string, JsonNode]()
+    pendingFiles = initDeque[PendingFile]()
+    failed = false
+  if getEnv("outputs") == "":
+    quit """package $outputs not set in environment"""
+  for outputName in getEnv("outputs").splitWhitespace:
+    if getEnv(outputName) == "":
+      quit("package $" & outputName & " not set in environment")
+    let outputRoot = getEnv(outputName)
+    if fileExists(outputRoot / jsonManifestSubPath):
+      stderr.writeLine "Not running ERIS patch hook again"
+      quit 0
+    outputManifests[outputRoot] = newJObject()
+
+  let buildInputs = getEnv("buildInputs").splitWhitespace
+
+  proc resolveNeed(rpath: seq[string]; need: string): string =
+    if need.isAbsolute:
+      return need
+    for libdir in rpath:
+      let absNeed = libdir / need
+      if fileExists(absNeed):
+        return absNeed
+    for outputRoot in outputManifests.keys:
+      for relPath in [need, "lib" / need]:
+        let absNeed = outputRoot / relPath
+        if fileExists(absNeed):
+          return absNeed
+    for buildInput in buildInputs:
+      for relPath in [need, "lib" / need]:
+        let absNeed = buildInput / relPath
+        if fileExists(absNeed):
+          return absNeed
+
+  proc resolveFile(outputRoot, filePath: string): PendingFile =
+    result = PendingFile(
+        outputRoot: outputRoot,
+        filePath: filePath,
+        replacements: initTable[string, string](8),
+        erisLinks: initCborMap())
+    let needs = splitWhitespace(execProcess(
+        patchelf, args = ["--print-needed", filePath], options = {poUsePath}))
+    let rpath = splitWhitespace(execProcess(
+        patchelf, args = ["--print-rpath", filePath], options = {poUsePath}))
+    for need in needs:
+      if need == "ld.lib.so" or need.startsWith("urn:"): continue
+      result.replacements[need] = resolveNeed(rpath, need)
+
+  var capCache = initTable[string, ErisCap]()
+
+  proc fileCap(filePath: string): ErisCap =
+    ## Determine the ERIS read capabililty for ``filePath``.
+    if capCache.hasKey(filePath):
+      result = capCache[filePath]
+    else:
+      try:
+        let str = openFileStream(filePath)
+        result = waitFor encode(newDiscardStore(), str, convergentMode)
+        capCache["filePath"] = result
+        close(str)
+      except:
+        stderr.writeLine("failed to read \"", filePath, "\"")
+        quit 1
+
+  var closureCache = initTable[string, TableRef[string, ErisCap]]()
+
+  proc fileClosure(filePath: string): TableRef[string, ErisCap] =
+    ## Recusively find the dependency closure of  ``filePath``.
+    let filePath = expandFilename filePath
+    if closureCache.hasKey(filePath):
+      result = closureCache[filePath]
+    else:
+      result = newTable[string, ErisCap]()
+      var storePath = filePath
+      for p in parentDirs(filePath):
+        # find the top directory of the ``filePath`` derivation
+        if p == nixStore: break
+        storePath = p
+      if storePath.startsWith nixStore:
+        # read the closure manifest of the dependency
+        let manifestPath = storePath / jsonManifestSubPath
+        if fileExists(manifestPath):
+          let
+            manifest = parseFile(manifestPath)
+            entry = manifest[filePath.extractFilename]
+          for path, urn in entry["closure"].pairs:
+            result[path] = parseErisUrn urn.getStr
+            let otherClosure = fileClosure(path)
+            for otherPath, otherCap in otherClosure.pairs:
+              # merge the closure of the dependency
+              result[otherPath] = otherCap
+      closureCache[filePath] = result
 
-proc resolveNeed(rpath: seq[string]; need: string): string =
-  if need.isAbsolute:
-    return need
-  for libdir in rpath:
-    let absNeed = libdir / need
-    if fileExists(absNeed):
-      return absNeed
   for outputRoot in outputManifests.keys:
-    for relPath in [need, "lib" / need]:
-      let absNeed = outputRoot / relPath
-      if fileExists(absNeed):
-        return absNeed
-  for buildInput in buildInputs:
-    for relPath in [need, "lib" / need]:
-      let absNeed = buildInput / relPath
-      if fileExists(absNeed):
-        return absNeed
+    let manifestPath = outputRoot / jsonManifestSubPath
+    if fileExists manifestPath: continue
+    for filePath in walkDirRec(outputRoot, relative = false):
+      # Populate the queue of files to patch
+      if filePath.isElf:
+        pendingFiles.addLast(resolveFile(outputRoot, filePath))
 
-proc resolveFile(outputRoot, filePath: string): PendingFile =
-  result = PendingFile(
-      outputRoot: outputRoot,
-      filePath: filePath,
-      replacements: initTable[string, string](8))
-  let needs = splitWhitespace(execProcess(
-      patchelf, args = ["--print-needed", filePath], options = {poUsePath}))
-  let rpath = splitWhitespace(execProcess(
-      patchelf, args = ["--print-rpath", filePath], options = {poUsePath}))
-  for need in needs:
-    if need == "ld.lib.so" or need.startsWith("urn:"): continue
-    result.replacements[need] = resolveNeed(rpath, need)
-
-var capCache = initTable[string, ErisCap]()
-
-proc fileUrn(filePath: string): string =
-  ## Determine the ERIS URN for ``filePath``.
-  var cap: ErisCap
-  if capCache.hasKey(filePath):
-    cap = capCache[filePath]
-  else:
-    try:
-      let blockSize = if getFileSize(filePath) < (16 shl 10):
-        bs1k
-      else:
-        bs32k
-      let str = openFileStream(filePath)
-      cap = waitFor encode(newDiscardStore(), blockSize, str)
-      capCache["filePath"] = cap
-      close(str)
-    except:
-      stderr.writeLine("failed to read \"", filePath, "\"")
-      quit 1
-  $cap # & "#" & encodeUrl(extractFilename(filePath), usePlus = false)
-
-var closureCache = initTable[string, TableRef[string, string]]()
-
-proc fileClosure(filePath: string): TableRef[string, string] =
-  ## Recusively find the dependency closure of  ``filePath``.
-  let filePath = expandFilename filePath
-  if closureCache.hasKey(filePath):
-    result = closureCache[filePath]
-  else:
-    result = newTable[string, string]()
-    var storePath = filePath
-    for p in parentDirs(filePath):
-      # find the top directory of the ``filePath`` derivation
-      if p == nixStore: break
-      storePath = p
-    if storePath.startsWith nixStore:
-      # read the closure manifest of the dependency
-      let manifestPath = storePath / jsonManifestSubPath
-      if fileExists(manifestPath):
+  var
+    prevLen = pendingFiles.len
+    prevPrevLen = prevLen.succ
+      # used to detect reference cycles
+  while pendingFiles.len != 0:
+    block selfReferenceCheck:
+      # process the files that have been collected
+      # taking care not to take a the URN of an
+      # unprocessed file
+      let
+        pendingFile = pendingFiles.popFirst()
+        filePath = pendingFile.filePath
+      for need, replacementPath in pendingFile.replacements.pairs:
+        # search for self-references
+        if replacementPath == "":
+          stderr.writeLine need, " not found for ", filePath
+          failed = true
+          continue
+        for outputRoot in outputManifests.keys:
+          if replacementPath.startsWith(outputRoot):
+            for other in pendingFiles.items:
+              stderr.writeLine "compare for self-reference:"
+              stderr.writeLine '\t', replacementPath
+              stderr.writeLine '\t', other.filePath
+              if replacementPath == other.filePath:
+                stderr.writeLine "defering patch of ", filePath, " with reference to ", other.filePath
+                pendingFiles.addLast(pendingFile)
+                break selfReferenceCheck
+      var
+        closure = newJObject()
+        replaceCmd = patchelf & " --set-rpath '' " & filePath
+      for need, replacementPath in pendingFile.replacements.pairs:
+        if replacementPath == "": continue
         let
-          manifest = parseFile(manifestPath)
-          entry = manifest[filePath.extractFilename]
-        for path, cap in entry["closure"].pairs:
-          result[path] = cap.getStr
-          let otherClosure = fileClosure(path)
-          for otherPath, otherCap in otherClosure.pairs:
-            # merge the closure of the dependency
-            result[otherPath] = otherCap
-    closureCache[filePath] = result
+          cap = fileCap(replacementPath)
+          urn = $cap
+        stderr.writeLine "replace reference to ", need, " with ", urn
+        closure[replacementPath] = %urn
+        pendingFile.erisLinks[ replacementPath.toCbor] = cap.toCbor
+        replaceCmd.add(" --replace-needed $# $#" % [need, urn])
+        for path, cap in fileClosure(replacementPath).pairs:
+          closure[path] = %($cap)
+          pendingFile.erisLinks[path.toCbor] = cap.toCbor
 
-for outputRoot in outputManifests.keys:
-  let manifestPath = outputRoot / jsonManifestSubPath
-  if fileExists manifestPath: continue
-  for filePath in walkDirRec(outputRoot, relative = false):
-    # Populate the queue of files to patch
-    if filePath.isElf:
-      pendingFiles.addLast(resolveFile(outputRoot, filePath))
+      if runPatchelf and pendingFile.replacements.len != 0:
+        let exitCode = execCmd(replaceCmd)
+        if exitCode != 0:
+          stderr.writeLine "Patchelf failed - ", replaceCmd
+          quit exitCode
 
-var
-  prevLen = pendingFiles.len
-  prevPrevLen = prevLen.succ
-    # used to detect reference cycles
-while pendingFiles.len != 0:
-  block selfReferenceCheck:
-    # process the files that have been collected
-    # taking care not to take a the URN of an
-    # unprocessed file
-    let
-      pendingFile = pendingFiles.popFirst()
-      filePath = pendingFile.filePath
-    for need, replacementPath in pendingFile.replacements.pairs:
-      # search for self-references
-      if replacementPath == "":
-        echo need, " not found for ", filePath
-        failed = true
-        continue
-      for outputRoot in outputManifests.keys:
-        if replacementPath.startsWith(outputRoot):
-          for other in pendingFiles.items:
-            echo "compare for self-reference:"
-            echo '\t', replacementPath
-            echo '\t', other.filePath
-            if replacementPath == other.filePath:
-              echo "defering patch of ", filePath, " with reference to ", other.filePath
-              pendingFiles.addLast(pendingFile)
-              break selfReferenceCheck
-    var
-      closure = newJObject()
-      replaceCmd = patchelf & " --set-rpath '' " & filePath
-    for need, replacementPath in pendingFile.replacements.pairs:
-      if replacementPath == "": continue
-      let urn = fileUrn(replacementPath)
-      echo "replace reference to ", need, " with ", urn
-      replaceCmd.add(" --replace-needed $# $#" % [need, urn])
-      closure[replacementPath] = %urn
-      for path, urn in fileClosure(replacementPath).pairs:
-        closure[path] = %urn
-    if pendingFile.replacements.len != 0:
-      let exitCode = execCmd(replaceCmd)
-      if exitCode != 0:
-        echo "Patchelf failed - ", replaceCmd
-        quit exitCode
-    outputManifests[pendingFile.outputRoot][filePath.extractFilename] = %* {
-      "cap": fileUrn(filePath),
-      "closure": closure,
-      "path": filePath
-    }
-  if pendingFiles.len == prevPrevLen:
-    failed = true
-    echo "reference cycle detected in the following:"
-    for remain in pendingFiles.items:
-      echo '\t', " ", remain.filePath
-    break
-  prevPrevLen = prevLen
-  prevLen = pendingFiles.len
+      let notePath = getEnv("TMPDIR", ".") / "eris-links.note"
+      if generateNotes or addNotes:
+        if generateNotes:
+          stderr.writeLine("writing .notes.eris-links section to ", notePath)
+        sort(pendingFile.erisLinks)
+        writeErisLinks(notePath, pendingFile.erisLinks)
+      if addNotes:
+        # Modify the file with objcopy last because binutils surely
+        # has a more conventional interpretation of the ELF standard
+        # than patchelf.
+        let tmpFile = pendingFile.filePath & ".with-note"
+        let objcopyCommand = [
+          objcopy,
+          "--add-section .note.eris-links=" & notePath,
+          "--set-section-flags .note.eris-links=noload,readonly",
+          pendingFile.filePath, tmpfile]
+        let exitCode = execCmd(objcopyCommand.join(" "))
+        if exitCode != 0:
+          quit("Adding note to $1 failed" % pendingFile.filePath)
+        moveFile(tmpFile, pendingFile.filePath)
 
-if failed:
-  quit -1
+      outputManifests[pendingFile.outputRoot][filePath.extractFilename] = %* {
+        "cap": $fileCap(filePath),
+        "closure": closure,
+        "path": filePath
+      }
 
-for outputRoot, manifest in outputManifests:
-  let supportDir = outputRoot / "nix-support"
-  createDir(supportDir)
-  writeFile(outputRoot / jsonManifestSubPath, $manifest)
-  writeFile(outputRoot / dhallManifestSubPath, $(manifest.toDhall))
+    if pendingFiles.len == prevPrevLen:
+      failed = true
+      stderr.writeLine "reference cycle detected in the following:"
+      for remain in pendingFiles.items:
+        stderr.writeLine '\t', " ", remain.filePath
+      break
+    prevPrevLen = prevLen
+    prevLen = pendingFiles.len
+
+  if failed:
+    quit -1
+
+  if generateManifests:
+    for outputRoot, manifest in outputManifests:
+      let supportDir = outputRoot / "nix-support"
+      createDir(supportDir)
+      writeFile(outputRoot / jsonManifestSubPath, $manifest)
+      writeFile(outputRoot / dhallManifestSubPath, $(manifest.toDhall))
+
+main()

overlay/eris-patch-hook/eris_patch.sh

@@ -1,2 +1,3 @@
-export ERIS_PATCHELF=@patchelf@/bin/patchelf
-postFixupHooks+=('@out@/bin/eris_patch')
+export ERIS_PATCHELF=@patchelf@
+export ERIS_OBJCOPY=@objcopy@
+postFixupHooks+=('@out@/bin/eris_patch --add-notes --generate-manifests --run-patchelf')

packages/default.nix

@@ -24,13 +24,13 @@ let
     '';
   });
 
-in upstream // {
+in upstream // (with final; {
 
   bender = buildPackages.callPackage ./bender { };
 
   block_router = callPackage ./block_router { };
 
-  device_manager = callPackage ./device_manager { };
+  device_manager = nimPackages.callPackage ./device_manager { };
 
   dhallSigil = dhallPackages.sigil;
 
@@ -59,4 +59,4 @@ in upstream // {
     sha256 = "0dy906ffbw6khkwd05vhppcw2mr4ma0h3b6n52a71cfail87jfnw";
   };
 
-}
+})

packages/device_manager/default.nix

@@ -1,33 +1,26 @@
-{ lib, stdenv, fetchgit, nim, nimblePackages }:
+{ lib, buildNimPackage, fetchFromSourcehut, genode }:
 
-stdenv.mkDerivation rec {
+buildNimPackage rec {
   pname = "device_manager";
   version = "0.0";
   outputs = [ "out" "dhall" ];
 
-  src = fetchgit {
-    url = "https://git.sr.ht/~ehmry/${pname}";
+  src = fetchFromSourcehut {
+    owner = "~ehmry";
+    repo = pname;
     rev = "4ff7d47b83255a437d862d16b8424a3c05e3eab1";
-    sha256 = "0bmcl693w34ayrw77c6gicph43yfjfm800jwj57ryshr9fdh88dq";
+    hash = "sha256-uCEEm0sZap9PkVwCgKqTzg8CL4vPsHN49ooMPpKhrC4=";
   };
 
-  nimFlags = with nimblePackages;
-    map (lib: "--path:${lib}/src") [ genode ] ++ [ "-d:posix" ];
-
-  nativeBuildInputs = [ nim ];
-
-  preHook = ''
-    export HOME="$NIX_BUILD_TOP"
+  preConfigure = ''
+    echo 'backend = "cpp"' >> ${pname}.nimble
   '';
 
-  buildPhase = ''
-    runHook preBuild
-    nim cpp $nimFlags src/$pname
-    runHook postBuild
-  '';
+  nimDefines = [ "posix" ];
 
-  installPhase = ''
-    install -Dt $out/bin src/$pname
+  buildInputs = [ genode ];
+
+  postInstall = ''
     install -Dt $dhall config/package.dhall
   '';
 }

tests/nim.nix

@@ -3,23 +3,18 @@
   machine = { pkgs, ... }: {
     genode.init.children.test_nim = let
       testNim = with pkgs;
-        stdenv.mkDerivation {
-          pname = "test-nim";
-          inherit (nim-unwrapped) version;
-          nativeBuildInputs = [ nim ];
-          dontUnpack = true;
-          dontConfigure = true;
-          buildPhase = ''
-            export HOME=$NIX_BUILD_TOP
-            cat << EOF > test_nim.nim
-            echo "Hello Nim world!"
+        nimPackages.buildNimPackage {
+          pname = "test_nim";
+          inherit (nim) version;
+          nimDefines = [ "posix" ];
+          unpackPhase = ''
+            mkdir test
+            cd test
+            echo 'echo "Hello Nim world!"' > test_nim.nim
+            cat << EOF > eris_patch.nimble
+            backend = "cpp"
+            bin = @[ "test_nim"]
             EOF
-
-            nim cpp -d:posix -d:release --gc:orc test_nim
-          '';
-
-          installPhase = ''
-            install -Dt $out/bin test_nim
           '';
         };
     in {