diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..3550a30
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use flake
diff --git a/.gitignore b/.gitignore
index 2e81031..1338efc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,8 @@ _markdown_*
 *.bbl
 *.blg
 !papers/graphics/*.pdf
+
+# Nix
+**/result
+**/result-*
+.direnv
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..728a4da
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,96 @@
+{
+ "nodes": {
+ "fenix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "rust-analyzer-src": "rust-analyzer-src"
+ },
+ "locked": {
+ "lastModified": 1674240251,
+ "narHash": "sha256-AVMmf/CtcGensTZmMicToDpOwySEGNKYgRPC7lu3m8w=",
+ "owner": "nix-community",
+ "repo": "fenix",
+ "rev": "d8067f4d1d3d30732703209bec5ca7d62aaececc",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "fenix",
+ "type": "github"
+ }
+ },
+ "flake-utils": {
+ "locked": {
+ "lastModified": 1667395993,
+ "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1672968032,
+ "narHash": "sha256-26Jns3GmHem44a06UN5Rj/KOD9qNJThyQrom02Ijur8=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "2dea8991d89b9f1e78d874945f78ca15f6954289",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "type": "indirect"
+ }
+ },
+ "nixpkgs-unstable": {
+ "locked": {
+ "lastModified": 1676496762,
+ "narHash": "sha256-GFAxjaTgh8KJ8q7BYaI4EVGI5K98ooW70fG/83rSb08=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "1bddde315297c092712b0ef03d9def7a474b28ae",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "fenix": "fenix",
+ "flake-utils": "flake-utils",
+ "nixpkgs": "nixpkgs",
+ "nixpkgs-unstable": "nixpkgs-unstable"
+ }
+ },
+ "rust-analyzer-src": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1674162026,
+ "narHash": "sha256-iY0bxoVE7zAZmp0BB/m5hZW5pWHUfgntDvc1m2zyt/U=",
+ "owner": "rust-lang",
+ "repo": "rust-analyzer",
+ "rev": "6e52c64031825920983515b9e975e93232739f7f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "rust-lang",
+ "ref": "nightly",
+ "repo": "rust-analyzer",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..85552e7
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,211 @@
+{
+ inputs = {
+ nixpkgs-unstable.url = "github:NixOS/nixpkgs";
+ flake-utils.url = "github:numtide/flake-utils";
+
+ # for rust nightly with llvm-tools-preview
+ fenix.url = "github:nix-community/fenix";
+ fenix.inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ outputs = { self, nixpkgs, flake-utils, ... }@inputs:
+ nixpkgs.lib.foldl (a: b: nixpkgs.lib.recursiveUpdate a b) { } [
+
+ #
+ ### Actual Rosenpass Package and Docker Container Images ###
+ #
+ (flake-utils.lib.eachSystem [
+ "x86_64-linux"
+ "aarch64-linux"
+
+ # unsuported best-effort
+ "x86_64-darwin"
+ "aarch64-darwin"
+ "x86_64-windows"
+ ]
+ (system:
+ let
+ # normal nixpkgs
+ pkgs = import nixpkgs {
+ inherit system;
+
+ # TODO remove overlay once a fix for
+ # https://github.com/NixOS/nixpkgs/issues/216904 got merged
+ overlays = [
+ (
+ final: prev: {
+ iproute2 = prev.iproute2.overrideAttrs (old:
+ let
+ isStatic = prev.stdenv.hostPlatform.isStatic;
+ in
+ {
+ makeFlags = old.makeFlags ++ prev.lib.optional isStatic [
+ "TC_CONFIG_NO_XT=y"
+ ];
+ });
+ }
+ )
+ ];
+ };
+ # parsed Cargo.toml
+ cargoToml = builtins.fromTOML (builtins.readFile ./Cargo.toml);
+ # source files relevant for rust
+ src = pkgs.lib.sourceByRegex ./. [
+ "Cargo\\.(toml|lock)"
+ "(src|benches)(/.*\\.(rs|md))?"
+ "rp"
+ ];
+ # builds a bin path for all dependencies for the `rp` shellscript
+ rpBinPath = p: with p; lib.makeBinPath [
+ coreutils
+ findutils
+ gawk
+ wireguard-tools
+ ];
+ # a function to generate a nix derivation for rosenpass against any
+ # given set of nixpkgs
+ rpDerivation = p: let
+ isStatic = p.stdenv.hostPlatform.isStatic;
+ in p.rustPlatform.buildRustPackage {
+ # metadata and source
+ pname = cargoToml.package.name;
+ version = cargoToml.package.version;
+ inherit src;
+ cargoLock = {
+ lockFile = src + "/Cargo.lock";
+ };
+
+ nativeBuildInputs = with pkgs; [
+ cmake # for oqs build in the oqs-sys crate
+ makeWrapper # for the rp shellscript
+ pkg-config # let libsodium-sys-stable find libsodium
+ removeReferencesTo
+ rustPlatform.bindgenHook # for C-bindings in the crypto libs
+ ];
+ buildInputs = with p; [ bash libsodium ];
+
+ # otherwise pkg-config tries to link non-existent dynamic libs
+ PKG_CONFIG_ALL_STATIC = true;
+
+ # nix defaults to building for aarch64 _without_ the armv8-a
+ # crypto extensions, but liboqs depens on these
+ preBuild =
+ if system == "aarch64-linux" then ''
+ NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -march=armv8-a+crypto"
+ '' else "";
+
+ preInstall = ''
+ install -D rp $out/bin/rp
+ wrapProgram $out/bin/rp --prefix PATH : "${ rpBinPath p }"
+ '';
+
+ # nix progated the *.dev outputs of buildInputs for static
+ # builds, but that is non-sense for an executables only package
+ postFixup = if isStatic then ''
+ remove-references-to -t ${p.bash.dev} -t ${p.libsodium.dev} \
+ $out/nix-support/propagated-build-inputs
+ '' else "";
+
+ meta = with pkgs.lib; {
+ description = "Post-quantum crypto frontend for WireGuard";
+ license = with licenses; [ mit asl20 ];
+ maintainers = [ maintainers.wucke13 ];
+ homepage = "https://rosenpass.eu/";
+ platforms = platforms.all;
+ };
+ };
+ # a function to generate a docker image based of rosenpass
+ rosenpassOCI = name: pkgs.dockerTools.buildImage rec {
+ inherit name;
+ copyToRoot = pkgs.buildEnv {
+ name = "image-root";
+ paths = [ self.packages.${system}.${name} ];
+ pathsToLink = [ "/bin" ];
+ };
+ config.Cmd = [ "/bin/rosenpass" ];
+ };
+ in
+ rec {
+ packages = rec {
+ default = rosenpass;
+ rosenpass = rpDerivation pkgs;
+ rosenpass-oci-image = rosenpassOCI "rosenpass";
+ } // (if pkgs.stdenv.isLinux then rec {
+ rosenpass-static = rpDerivation pkgs.pkgsStatic;
+ rosenpass-static-oci-image = rosenpassOCI "rosenpass-static";
+ } else { });
+ }
+ ))
+
+ #
+ ### Linux specifics ###
+ #
+ (flake-utils.lib.eachSystem [ "x86_64-linux" "aarch64-linux" ] (system:
+ let
+ pkgs = import nixpkgs {
+ inherit system;
+ };
+ packages = self.packages.${system};
+ in
+ {
+
+
+ #
+ ### Proof and Proof Tools ###
+ #
+ packages.proverif-patched = pkgs.proverif.overrideAttrs (old: {
+ postInstall = ''
+ install -D -t $out/lib cryptoverif.pvl
+ '';
+ });
+ packages.proof-proverif = pkgs.stdenv.mkDerivation {
+ name = "rosenpass-proverif-proof";
+ version = "unstable";
+ src = pkgs.lib.sourceByRegex ./. [
+ "analyze.sh"
+ "marzipan(/marzipan.awk)?"
+ "analysis(/.*)?"
+ ];
+ nativeBuildInputs = [ pkgs.proverif pkgs.graphviz ];
+ CRYPTOVERIF_LIB = packages.proverif-patched + "/lib/cryptoverif.pvl";
+ installPhase = ''
+ mkdir -p $out
+ bash analyze.sh -color -html $out
+ '';
+ };
+
+
+ #
+ ### Devshells ###
+ #
+ devShells.default = pkgs.mkShell {
+ inherit (packages.proof-proverif) CRYPTOVERIF_LIB;
+ inputsFrom = [ packages.default ];
+ nativeBuildInputs = with pkgs; [
+ cargo-release
+ clippy
+ rustfmt
+ packages.proverif-patched
+ ];
+ };
+ devShells.coverage = pkgs.mkShell {
+ inputsFrom = [ packages.default ];
+ nativeBuildInputs = with pkgs; [ inputs.fenix.packages.${system}.complete.toolchain cargo-llvm-cov ];
+ };
+
+
+ checks = {
+ # Blocked by https://github.com/rust-lang/rustfmt/issues/4306
+ # @dakoraa wants a coding style suitable for her accessible coding setup
+ # cargo-fmt = pkgs.runCommand "check-cargo-fmt"
+ # { inherit (devShells.default) nativeBuildInputs buildInputs; } ''
+ # cargo fmt --manifest-path=${src}/Cargo.toml --check > $out
+ # '';
+ nixpkgs-fmt = pkgs.runCommand "check-nixpkgs-fmt"
+ { nativeBuildInputs = [ pkgs.nixpkgs-fmt ]; } ''
+ nixpkgs-fmt --check ${./.} > $out
+ '';
+ };
+ }))
+ ];
+}
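Review bot: The `nixpkgs` input that every package, the fenix `follows`, and both `eachSystem` blocks build from is never declared under `inputs` — only `nixpkgs-unstable` is — so it is resolved through the flake registry, which is exactly what the accompanying flake.lock records as `"type": "indirect"`; the commit pin is reproducible, but the next `nix flake update` re-resolves it from whatever registry the updater's machine has configured rather than from a source this repo controls. Declare it explicitly next to the others, e.g. `nixpkgs.url = "github:NixOS/nixpkgs/<chosen branch>";` (pick the branch the current lock rev actually tracks), and either use or drop `nixpkgs-unstable`, which is declared and locked but referenced nowhere in the file. Separately, `rosenpassOCI` sets only `config.Cmd`, so the image runs `/bin/rosenpass` as root with no `config.User`; if the daemon does not need that (it may, for WireGuard interface management — worth confirming), add a non-root user to the image config.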