From c732c671d95a4bec46d70e93411cefe3ab9f0f9e Mon Sep 17 00:00:00 2001
From: Astro
Date: Wed, 5 Oct 2022 16:06:43 +0200
Subject: [PATCH 01/26] wfvm/layers: update vs_Community.exe sha256
---
 wfvm/layers/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wfvm/layers/default.nix b/wfvm/layers/default.nix
index a9068a6..c5e7aed 100644
--- a/wfvm/layers/default.nix
+++ b/wfvm/layers/default.nix
@@ -72,7 +72,7 @@ in
 bootstrapper = pkgs.fetchurl {
 name = "RESTRICTDIST-vs_Community.exe";
 url = "https://aka.ms/vs/16/release/vs_community.exe";
- sha256 = "0b3csxz0qsafnvc0d74ywfpralwz8chv4zf9k07akpm8lp8ycgq0";
+ sha256 = "0vj6s82b1c0n6cjysx1lba7xmgmy7pmmk3apq1i4xsqwcjv80xwv";
 };
 # This touchy-feely "community" piece of trash seems deliberately crafted to break Wine, so we use the VM to run it.
 download-vs = wfvm.utils.wfvm-run {
-- 
2.42.0
From b33b71eec7da578bc280ce9f6698f936cef0dc2f Mon Sep 17 00:00:00 2001
From: Astro
Date: Wed, 5 Oct 2022 16:07:06 +0200
Subject: [PATCH 02/26] wfvm/win: lower wimsplit size to 4070 MB for more headroom
---
 wfvm/win.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wfvm/win.nix b/wfvm/win.nix
index 0e153e4..5d89cb4 100644
--- a/wfvm/win.nix
+++ b/wfvm/win.nix
@@ -120,7 +120,7 @@ let
 7z x -y ${windowsIso} -owin
 # Split image so it fits in FAT32 partition
- wimsplit win/sources/install.wim win/sources/install.swm 4090
+ wimsplit win/sources/install.wim win/sources/install.swm 4070
 rm win/sources/install.wim
 cp ${autounattend.autounattendXML} win/autounattend.xml
-- 
2.42.0
From 3b87f787a8eb9ad7fd99d2090114dd5d97fbf0f3 Mon Sep 17 00:00:00 2001
From: Astro
Date: Wed, 5 Oct 2022 16:46:27 +0200
Subject: [PATCH 03/26] s/runCommandNoCC/runCommand/
---
 wfvm/autounattend.nix | 2 +-
 wfvm/bundle/default.nix | 2 +-
 wfvm/win.nix | 6 +++---
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/wfvm/autounattend.nix b/wfvm/autounattend.nix
index 99b0429..95ce44a 100644
--- a/wfvm/autounattend.nix
+++ b/wfvm/autounattend.nix
@@ -305,7 +305,7 @@ let
 in {
 # Lint and format as a sanity check
- autounattendXML = pkgs.runCommandNoCC "autounattend.xml" {} ''
+ autounattendXML = pkgs.runCommand "autounattend.xml" {} ''
 ${pkgs.libxml2}/bin/xmllint --format ${autounattendXML} > $out
 '';
diff --git a/wfvm/bundle/default.nix b/wfvm/bundle/default.nix
index 16a0fed..c3bc5ab 100644
--- a/wfvm/bundle/default.nix
+++ b/wfvm/bundle/default.nix
@@ -1,6 +1,6 @@
 { pkgs }:
-pkgs.runCommandNoCC "win-bundle-installer.exe" {} ''
+pkgs.runCommand "win-bundle-installer.exe" {} ''
 mkdir bundle
 cd bundle
 cp ${./go.mod} go.mod
diff --git a/wfvm/win.nix b/wfvm/win.nix
index 5d89cb4..820e669 100644
--- a/wfvm/win.nix
+++ b/wfvm/win.nix
@@ -24,7 +24,7 @@ let
 });
 runQemuCommand = name: command: (
- pkgs.runCommandNoCC name { buildInputs = [ p7zip utils.qemu libguestfs ]; }
+ pkgs.runCommand name { buildInputs = [ p7zip utils.qemu libguestfs ]; }
 (
 ''
 if ! test -f; then
@@ -138,12 +138,12 @@ let
 ''
 );
- baseImage = pkgs.runCommandNoCC "RESTRICTDIST-windows.img" {} ''
+ baseImage = pkgs.runCommand "RESTRICTDIST-windows.img" {} ''
 ${installScript}
 mv c.img $out
 '';
- finalImage = builtins.foldl' (acc: v: pkgs.runCommandNoCC "RESTRICTDIST-${v.name}.img" {
+ finalImage = builtins.foldl' (acc: v: pkgs.runCommand "RESTRICTDIST-${v.name}.img" {
 buildInputs = with utils; [ qemu win-wait win-exec win-put ] ++ (v.buildInputs or []);
-- 
2.42.0
From c124cfc5dc6602ffa7099158279ef053de63bd10 Mon Sep 17 00:00:00 2001
From: Astro
Date: Tue, 11 Oct 2022 00:10:32 +0200
Subject: [PATCH 04/26] flakify
---
 flake.lock | 27 +++++++++++++++++++++++++++
 flake.nix | 19 +++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 flake.lock
 create mode 100644 flake.nix
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..a9fe259
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,27 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1665259268,
+ "narHash": "sha256-ONFhHBLv5nZKhwV/F2GOH16197PbvpyWhoO0AOyktkU=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "c5924154f000e6306030300592f4282949b2db6c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..47d5d54
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,19 @@
+{
+ description = "WFVM: Windows Functional Virtual Machine";
+
+ inputs = {
+ };
+
+ outputs = { self, nixpkgs }:
+ let
+ # only x64 is supported
+ system = "x86_64-linux";
+
+ pkgs = nixpkgs.legacyPackages.${system};
+
+ in {
+ lib = import ./wfvm {
+ inherit pkgs;
+ };
+ };
+}
-- 
2.42.0
From 4f7aef8788de3e43794178db5a44ad0255c08bf1 Mon Sep 17 00:00:00 2001
From: Astro
Date: Tue, 11 Oct 2022 00:10:58 +0200
Subject: [PATCH 05/26] wfvm/win: replace libguestfs with guestfs-tools
tools like virt-make-fs have been split off into a separate package.
---
 flake.nix | 2 ++
 wfvm/win.nix | 6 +++---
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/flake.nix b/flake.nix
index 47d5d54..c197975 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,6 +2,8 @@
 description = "WFVM: Windows Functional Virtual Machine";
 inputs = {
+ # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+ nixpkgs.url = "github:astro/nixpkgs/guestfs-tools";
 };
 outputs = { self, nixpkgs }:
diff --git a/wfvm/win.nix b/wfvm/win.nix
index 820e669..091da95 100644
--- a/wfvm/win.nix
+++ b/wfvm/win.nix
@@ -14,7 +14,7 @@ let
 lib = pkgs.lib;
 utils = import ./utils.nix { inherit pkgs efi; };
- libguestfs = pkgs.libguestfs-with-appliance;
+ inherit (pkgs) guestfs-tools;
 # p7zip on >20.03 has known vulns but we have no better option
 p7zip = pkgs.p7zip.overrideAttrs(old: {
@@ -24,7 +24,7 @@ let
 });
 runQemuCommand = name: command: (
- pkgs.runCommand name { buildInputs = [ p7zip utils.qemu libguestfs ]; }
+ pkgs.runCommand name { buildInputs = [ p7zip utils.qemu guestfs-tools ]; }
 (
 ''
 if ! test -f; then
@@ -109,7 +109,7 @@ let
 ''
 #!${pkgs.runtimeShell}
 set -euxo pipefail
- export PATH=${lib.makeBinPath [ p7zip utils.qemu libguestfs pkgs.wimlib ]}:$PATH
+ export PATH=${lib.makeBinPath [ p7zip utils.qemu guestfs-tools pkgs.wimlib ]}:$PATH
 # Create a bootable "USB" image
 # Booting in USB mode circumvents the "press any key to boot from cdrom" prompt
-- 
2.42.0
From 9845a998632e1d9c65640a852e154b89911a9f4d Mon Sep 17 00:00:00 2001
From: Astro
Date: Wed, 12 Oct 2022 19:04:51 +0200
Subject: [PATCH 06/26] flake.nix: switch input back to nixos-unstable now that fix PRs have landed
---
 flake.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/flake.nix b/flake.nix
index c197975..5932ac6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,8 +2,7 @@
 description = "WFVM: Windows Functional Virtual Machine";
 inputs = {
- # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
- nixpkgs.url = "github:astro/nixpkgs/guestfs-tools";
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
 };
 outputs = { self, nixpkgs }:
-- 
2.42.0
From dfdcf0f19a2f7b073cb87061b0609e606f2fb0bc Mon Sep 17 00:00:00 2001
From: Astro
Date: Wed, 12 Oct 2022 19:05:56 +0200
Subject: [PATCH 07/26] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates: • Updated input 'nixpkgs': 'github:nixos/nixpkgs/c5924154f000e6306030300592f4282949b2db6c' (2022-10-08) → 'github:nixos/nixpkgs/285e77efe87df64105ec14b204de6636fb0a7a27' (2022-10-11)
---
 flake.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/flake.lock b/flake.lock
index a9fe259..39d0bec 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
 "nodes": {
 "nixpkgs": {
 "locked": {
- "lastModified": 1665259268,
- "narHash": "sha256-ONFhHBLv5nZKhwV/F2GOH16197PbvpyWhoO0AOyktkU=",
+ "lastModified": 1665449268,
+ "narHash": "sha256-cw4xrQIAZUyJGj58Dp5VLICI0rscd+uap83afiFzlcA=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "c5924154f000e6306030300592f4282949b2db6c",
+ "rev": "285e77efe87df64105ec14b204de6636fb0a7a27",
 "type": "github"
 },
 "original": {
-- 
2.42.0
From 5ba57fb5024dddd3c7ce31bb3b54a99965684317 Mon Sep 17 00:00:00 2001
From: Astro
Date: Wed, 12 Oct 2022 21:05:39 +0200
Subject: [PATCH 08/26] wfvm/win: pass format of backing image to qemu-img
required since qemu 6.1.0
---
 wfvm/win.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/wfvm/win.nix b/wfvm/win.nix
index 091da95..b4ac2b3 100644
--- a/wfvm/win.nix
+++ b/wfvm/win.nix
@@ -158,8 +158,9 @@ let
 ]);
 in ''
+ set -x
 # Create an image referencing the previous image in the chain
- qemu-img create -f qcow2 -b ${acc} c.img
+ qemu-img create -F qcow2 -f qcow2 -b ${acc} c.img
 set -m
 qemu-system-x86_64 ${lib.concatStringsSep " " qemuParams} &
-- 
2.42.0
From d8e9f9878bdfbca0affd7b7387988a46b6f114b9 Mon Sep 17 00:00:00 2001
From: Astro
Date: Wed, 12 Oct 2022 21:29:11 +0200
Subject: [PATCH 09/26] wfvm/utils: update baseRtc
---
 wfvm/utils.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wfvm/utils.nix b/wfvm/utils.nix
index 9039682..7138d0b 100644
--- a/wfvm/utils.nix
+++ b/wfvm/utils.nix
@@ -1,4 +1,4 @@
-{ pkgs, baseRtc ? "2020-04-20T14:21:42", cores ? "4", qemuMem ? "4G", efi ? true }:
+{ pkgs, baseRtc ? "2022-10-10T10:10:10", cores ? "4", qemuMem ? "4G", efi ? true }:
 rec {
 # qemu_test is a smaller closure only building for a single system arch
-- 
2.42.0
From a6b677f5645e30993b59771588b0d81093609da1 Mon Sep 17 00:00:00 2001
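Review bot: The `+ set -x` line is added unconditionally to the per-layer build script, ahead of the `qemu-img create -F qcow2` change the commit is actually about, so every layer build now echoes each expanded command line (including the full `qemuParams` string) into the Nix build log; it reads as a debugging leftover rather than part of the backing-format fix. If tracing is meant to stay, say so with a comment such as `# trace commands: layer builds are hard to debug from outside the sandbox`, or gate it on `impureMode`; otherwise drop the line. The enclosing `finalImage` fold and its shell string start outside the hunk.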
From: Astro
Date: Thu, 13 Oct 2022 21:39:33 +0200
Subject: [PATCH 10/26] wfvm/win: upgrade windowsIso from 21H1 to 21H2
---
 wfvm/win.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/wfvm/win.nix b/wfvm/win.nix
index b4ac2b3..c818e2e 100644
--- a/wfvm/win.nix
+++ b/wfvm/win.nix
@@ -36,8 +36,8 @@ let
 );
 windowsIso = if windowsImage != null then windowsImage else pkgs.requireFile rec {
- name = "Win10_21H1_English_x64.iso";
- sha256 = "1sl51lnx4r6ckh5fii7m2hi15zh8fh7cf7rjgjq9kacg8hwyh4b9";
+ name = "Win10_21H2_English_x64.iso";
+ sha256 = "0kr3m0bjy086whcbssagsshdxj6lffcz7wmvbh50zhrkxgq3hrbz";
 message = "Get ${name} from https://www.microsoft.com/en-us/software-download/windows10ISO";
 };
-- 
2.42.0
From abd67ce2e62d15c52356302d3d229e464dba32fb Mon Sep 17 00:00:00 2001
From: Astro
Date: Thu, 13 Oct 2022 21:39:56 +0200
Subject: [PATCH 11/26] wfvm/layers: update msvc binary sha256
---
 wfvm/layers/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wfvm/layers/default.nix b/wfvm/layers/default.nix
index c5e7aed..f0af606 100644
--- a/wfvm/layers/default.nix
+++ b/wfvm/layers/default.nix
@@ -72,7 +72,7 @@ in
 bootstrapper = pkgs.fetchurl {
 name = "RESTRICTDIST-vs_Community.exe";
 url = "https://aka.ms/vs/16/release/vs_community.exe";
- sha256 = "0vj6s82b1c0n6cjysx1lba7xmgmy7pmmk3apq1i4xsqwcjv80xwv";
+ sha256 = "sha256-4X8NhdcNyfHkN6eKkNz8Unvv49wRZE4CQ1vf6P1R2ic=";
 };
 # This touchy-feely "community" piece of trash seems deliberately crafted to break Wine, so we use the VM to run it.
 download-vs = wfvm.utils.wfvm-run {
-- 
2.42.0
From 6542c378639ba9705470ea79bdc4920288553ab7 Mon Sep 17 00:00:00 2001
From: Astro
Date: Thu, 13 Oct 2022 21:41:03 +0200
Subject: [PATCH 12/26] wfvm/demo-image: make buildable from flake
---
 flake.nix | 4 ++++
 wfvm/demo-image.nix | 14 ++++++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/flake.nix b/flake.nix
index 5932ac6..920e60f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -16,5 +16,9 @@ lib = import ./wfvm { inherit pkgs; }; + + packages.${system}.demoImage = import ./wfvm/demo-image.nix { + inherit self; + }; }; } diff --git a/wfvm/demo-image.nix b/wfvm/demo-image.nix index a928de1..cede253 100644 --- a/wfvm/demo-image.nix +++ b/wfvm/demo-image.nix @@ -1,7 +1,17 @@ -{ pkgs ? import {}, impureMode ? false }: +{ pkgs ? import {} +# Whether to generate just a script to start and debug the windows installation +, impureMode ? false +# Flake input `self` +, self ? null +}: let - wfvm = (import ./default.nix { inherit pkgs; }); + wfvm = + if self == null + # nix-build + then (import ./default.nix { inherit pkgs; }) + # built from flake.nix + else self.lib; in wfvm.makeWindowsImage { # Build install script & skip building iso -- 2.42.0 From a3df68b61f4741700e8a9c37da1ccf7890491f3e Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 13 Oct 2022 21:41:23 +0200 Subject: [PATCH 13/26] README: add flakes section --- README.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/README.md b/README.md index 4b8e9c8..7792f8a 100644 --- a/README.md +++ b/README.md @@ -52,3 +52,30 @@ Impure/pure mode Sometimes it can be useful to build the image _outside_ of the Nix sandbox for debugging purposes. For this purpose we have an attribute called `impureMode` which outputs the shell script used by Nix inside the sandbox to build the image. + + +Usage with Nix Flakes +--------------------- + +Build the demo by running: +```shell +nix build .#demoImage +``` + +This project's **flake.nix** exposes its functions under `lib`. To use +in your own project, setup your flake like this: + +```nix +{ + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + wfvm.url = "git+https://git.m-labs.hk/m-labs/wfvm"; + }; + + outputs = { self, nixpkgs, wfvm }: { + packages."x86_64-linux".flaky-os = wfvm.lib.makeWindowsImage { + # configuration parameters go here + }; + }; +} +``` -- 2.42.0 
From 79c1685f89b1ae8cf62c26e6f6dc8b8445e7c370 Mon Sep 17 00:00:00 2001 From: Astro Date: Tue, 23 May 2023 21:48:23 +0200 Subject: [PATCH 14/26] virtioWinIso: 0.1.185-2 -> 0.1.229-1 --- wfvm/win.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/wfvm/win.nix b/wfvm/win.nix index c818e2e..d7066bf 100644 --- a/wfvm/win.nix +++ b/wfvm/win.nix @@ -41,10 +41,9 @@ let message = "Get ${name} from https://www.microsoft.com/en-us/software-download/windows10ISO"; }; - # stable as of 2021-04-08 virtioWinIso = pkgs.fetchurl { - url = "https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-0.1.185-2/virtio-win-0.1.185.iso"; - sha256 = "11n3kjyawiwacmi3jmfmn311g9xvfn6m0ccdwnjxw1brzb4kqaxg"; + url = "https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-0.1.229-1/virtio-win.iso"; + sha256 = "1q5vrcd70kya4nhlbpxmj7mwmwra1hm3x7w8rzkawpk06kg0v2n8"; }; openSshServerPackage = pkgs.fetchurl { -- 2.42.0 From 598b311215bc0d03736beb8c539e555d2e3915de Mon Sep 17 00:00:00 2001 From: Astro Date: Tue, 23 May 2023 21:48:23 +0200 Subject: [PATCH 15/26] windowsIso: Win10_21H2 -> Win11_22H2 --- wfvm/autounattend.nix | 4 ++-- wfvm/demo-image.nix | 8 ++++---- wfvm/win.nix | 8 ++++---- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/wfvm/autounattend.nix b/wfvm/autounattend.nix index 95ce44a..6936717 100644 --- a/wfvm/autounattend.nix +++ b/wfvm/autounattend.nix @@ -15,7 +15,7 @@ , impureShellCommands ? [] , driveLetter ? "D:" , efi ? true -, imageSelection ? "Windows 10 Pro" +, imageSelection ? "Windows 11 Pro N" , ... }: @@ -299,7 +299,7 @@ let - + ''; diff --git a/wfvm/demo-image.nix b/wfvm/demo-image.nix index cede253..9c6bfb1 100644 --- a/wfvm/demo-image.nix +++ b/wfvm/demo-image.nix 
@@ -19,9 +19,9 @@ wfvm.makeWindowsImage {
 # Custom base iso
 # windowsImage = pkgs.requireFile rec {
- # name = "Win10_21H1_English_x64.iso";
- # sha256 = "1sl51lnx4r6ckh5fii7m2hi15zh8fh7cf7rjgjq9kacg8hwyh4b9";
- # message = "Get ${name} from https://www.microsoft.com/en-us/software-download/windows10ISO";
+ # name = "Win11_22H2_English_x64v1.iso";
+ # sha256 = "08mbppsm1naf73z8fjyqkf975nbls7xj9n4fq0yp802dv1rz3whd";
+ # message = "Get disk image ${name} from https://www.microsoft.com/en-us/software-download/windows11/";
 # };
 # impureShellCommands = [
@@ -70,7 +70,7 @@ wfvm.makeWindowsImage {
 # License key (required)
 # productKey = throw "Search the f* web"
- imageSelection = "Windows 10 Pro";
+ imageSelection = "Windows 11 Pro N";
 # Locales
diff --git a/wfvm/win.nix b/wfvm/win.nix
index d7066bf..081b36b 100644
--- a/wfvm/win.nix
+++ b/wfvm/win.nix
@@ -6,7 +6,7 @@
 , installCommands ? []
 , users ? {}
 # autounattend always installs index 1, so this default is backward-compatible
-, imageSelection ? "Windows 10 Pro"
+, imageSelection ? "Windows 11 Pro N"
 , efi ? true
 , ...
 }@attrs:
@@ -36,9 +36,9 @@ let
 );
 windowsIso = if windowsImage != null then windowsImage else pkgs.requireFile rec {
- name = "Win10_21H2_English_x64.iso";
- sha256 = "0kr3m0bjy086whcbssagsshdxj6lffcz7wmvbh50zhrkxgq3hrbz";
- message = "Get ${name} from https://www.microsoft.com/en-us/software-download/windows10ISO";
+ name = "Win11_22H2_English_x64v1.iso";
+ sha256 = "08mbppsm1naf73z8fjyqkf975nbls7xj9n4fq0yp802dv1rz3whd";
+ message = "Get disk image ${name} from https://www.microsoft.com/en-us/software-download/windows11/";
 };
 virtioWinIso = pkgs.fetchurl {
-- 
2.42.0
From 1550caf4429239c9d28e4ce1a706ece344a2e254 Mon Sep 17 00:00:00 2001
From: Astro Date: Tue, 23 May 2023 21:48:23 +0200 Subject: [PATCH 16/26] autounattend: add Bypass*Check At least the TPM2.0 is missing from our qemu run but Windows 11's error message doesn't reveal what else is missing. It is therefore hard to estimate the work to do this properly. --- wfvm/autounattend.nix | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/wfvm/autounattend.nix b/wfvm/autounattend.nix index 6936717..d444ab5 100644 --- a/wfvm/autounattend.nix +++ b/wfvm/autounattend.nix @@ -148,6 +148,28 @@ let + + + 1 + reg add HKLM\System\Setup\LabConfig /v BypassTPMCheck /t reg_dword /d 0x00000001 /f + + + 2 + reg add HKLM\System\Setup\LabConfig /v BypassSecureBootCheck /t reg_dword /d 0x00000001 /f + + + 3 + reg add HKLM\System\Setup\LabConfig /v BypassRAMCheck /t reg_dword /d 0x00000001 /f + + + 5 + reg add HKLM\System\Setup\LabConfig /v BypassCPUCheck /t reg_dword /d 0x00000001 /f + + + 4 + reg add HKLM\System\Setup\LabConfig /v BypassStorageCheck /t reg_dword /d 0x00000001 /f + + -- 2.42.0 From 267b3eec44996258a6d2aaaac872c6f8c10d7339 Mon Sep 17 00:00:00 2001 From: Astro Date: Tue, 23 May 2023 21:48:23 +0200 Subject: [PATCH 17/26] autounattend: explicitly set the InstallFrom/Path Apparently required for Win11. --- wfvm/autounattend.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/wfvm/autounattend.nix b/wfvm/autounattend.nix index d444ab5..e73636f 100644 --- a/wfvm/autounattend.nix +++ b/wfvm/autounattend.nix @@ -221,6 +221,7 @@ let 3 + \install.swm /IMAGE/NAME ${imageSelection} -- 2.42.0 From d2d9c7acf6cd7b82f1655749b10b0d9f7aab0477 Mon Sep 17 00:00:00 2001 From: Astro Date: Tue, 23 May 2023 21:48:23 +0200 Subject: [PATCH 18/26] layers.msvc: update bootstapper sha256 --- wfvm/layers/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wfvm/layers/default.nix b/wfvm/layers/default.nix index f0af606..cc24d61 100644 --- a/wfvm/layers/default.nix +++ b/wfvm/layers/default.nix 
@@ -72,7 +72,7 @@ in bootstrapper = pkgs.fetchurl { name = "RESTRICTDIST-vs_Community.exe"; url = "https://aka.ms/vs/16/release/vs_community.exe"; - sha256 = "sha256-4X8NhdcNyfHkN6eKkNz8Unvv49wRZE4CQ1vf6P1R2ic="; + sha256 = "sha256-l4ZKFZTgHf3BmD0eFWyGwsvb4lqB/LiQYizAABOs3gg="; }; # This touchy-feely "community" piece of trash seems deliberately crafted to break Wine, so we use the VM to run it. download-vs = wfvm.utils.wfvm-run { -- 2.42.0 From fe347240f550320653ededb7661e42c0a018b08b Mon Sep 17 00:00:00 2001 From: Astro Date: Wed, 24 May 2023 01:12:51 +0200 Subject: [PATCH 19/26] enable secureboot --- wfvm/autounattend.nix | 6 +----- wfvm/utils.nix | 8 ++++++-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/wfvm/autounattend.nix b/wfvm/autounattend.nix index e73636f..065c8fd 100644 --- a/wfvm/autounattend.nix +++ b/wfvm/autounattend.nix @@ -155,14 +155,10 @@ let 2 - reg add HKLM\System\Setup\LabConfig /v BypassSecureBootCheck /t reg_dword /d 0x00000001 /f - - - 3 reg add HKLM\System\Setup\LabConfig /v BypassRAMCheck /t reg_dword /d 0x00000001 /f - 5 + 3 reg add HKLM\System\Setup\LabConfig /v BypassCPUCheck /t reg_dword /d 0x00000001 /f diff --git a/wfvm/utils.nix b/wfvm/utils.nix index 7138d0b..fa5ea78 100644 --- a/wfvm/utils.nix +++ b/wfvm/utils.nix @@ -4,18 +4,22 @@ rec { # qemu_test is a smaller closure only building for a single system arch qemu = pkgs.qemu; + OVMF = pkgs.OVMF.override { + secureBoot = true; + }; + mkQemuFlags = extraFlags: [ "-enable-kvm" "-cpu host" "-smp ${cores}" "-m ${qemuMem}" - "-M q35" + "-M q35,smm=on" "-vga qxl" "-rtc base=${baseRtc}" "-device qemu-xhci" "-device virtio-net-pci,netdev=n1" ] ++ pkgs.lib.optionals efi [ - "-bios ${pkgs.OVMF.fd}/FV/OVMF.fd" + "-bios ${OVMF.fd}/FV/OVMF.fd" ] ++ extraFlags; # Pass empty config file to prevent ssh from failing to create ~/.ssh -- 2.42.0 From af9218e6521005ad20749cd7489df0921502066c Mon Sep 17 00:00:00 2001 
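Review bot: The secure-boot OVMF build is still handed to QEMU with `-bios ${OVMF.fd}/FV/OVMF.fd` while `-M q35,smm=on` is added right next to it; as far as I recall OVMF's SMM-protected variable store only works when the firmware is mapped as pflash, and via `-bios` the varstore is emulated in RAM and lost at reset, so whether Secure Boot is actually enforced in the guest (keys enrolled, SetupMode cleared) or merely advertised to Windows setup is not established by this hunk — the dropped `BypassSecureBootCheck` in the autounattend hunk only shows that setup stopped complaining. The conventional form is the split images, e.g. `"-drive if=pflash,format=raw,readonly=on,file=${OVMF.fd}/FV/OVMF_CODE.fd"` plus a writable per-build copy of `OVMF_VARS.fd` as a second pflash drive, with whatever key enrollment the image is expected to carry documented next to the `OVMF = pkgs.OVMF.override` line. A comment there such as `# secureBoot = true only builds the feature in; enforcement depends on the varstore contents` would tell callers what they are getting. `mkQemuFlags` is entirely within the hunk; the rest of the `rec {` set lies outside it.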
From: Astro Date: Wed, 24 May 2023 17:51:58 +0200 Subject: [PATCH 20/26] remove configurable efi flag Win11 is EFI-only --- wfvm/autounattend.nix | 10 ++++------ wfvm/utils.nix | 3 +-- wfvm/win.nix | 9 ++------- 3 files changed, 7 insertions(+), 15 deletions(-) diff --git a/wfvm/autounattend.nix b/wfvm/autounattend.nix index 065c8fd..1421850 100644 --- a/wfvm/autounattend.nix +++ b/wfvm/autounattend.nix @@ -14,7 +14,6 @@ , services ? {} , impureShellCommands ? [] , driveLetter ? "D:" -, efi ? true , imageSelection ? "Windows 11 Pro N" , ... }: @@ -121,8 +120,7 @@ let # Windows expects a flat list of users while we want to manage them as a set flatUsers = builtins.attrValues (builtins.mapAttrs (name: s: s // { inherit name; }) users); - diskId = - if efi then 2 else 1; + diskId = 2; autounattendXML = pkgs.writeText "autounattend.xml" '' @@ -172,12 +170,12 @@ let 1 - ${if efi then "EFI" else "Primary"} + EFI 300 2 - ${if efi then "MSR" else "Primary"} + MSR 16 @@ -189,7 +187,7 @@ let 1 - ${if efi then "FAT32" else "NTFS"} + FAT32 1 diff --git a/wfvm/utils.nix b/wfvm/utils.nix index fa5ea78..f4fe9b2 100644 --- a/wfvm/utils.nix +++ b/wfvm/utils.nix @@ -1,4 +1,4 @@ -{ pkgs, baseRtc ? "2022-10-10T10:10:10", cores ? "4", qemuMem ? "4G", efi ? true }: +{ pkgs, baseRtc ? "2022-10-10T10:10:10", cores ? "4", qemuMem ? "4G" }: rec { # qemu_test is a smaller closure only building for a single system arch @@ -18,7 +18,6 @@ rec { "-rtc base=${baseRtc}" "-device qemu-xhci" "-device virtio-net-pci,netdev=n1" - ] ++ pkgs.lib.optionals efi [ "-bios ${OVMF.fd}/FV/OVMF.fd" ] ++ extraFlags; diff --git a/wfvm/win.nix b/wfvm/win.nix index 081b36b..58ca88e 100644 --- a/wfvm/win.nix +++ b/wfvm/win.nix 
@@ -7,13 +7,12 @@ , users ? {} # autounattend always installs index 1, so this default is backward-compatible , imageSelection ? "Windows 11 Pro N" -, efi ? true , ... }@attrs: let lib = pkgs.lib; - utils = import ./utils.nix { inherit pkgs efi; }; + utils = import ./utils.nix { inherit pkgs; }; inherit (pkgs) guestfs-tools; # p7zip on >20.03 has known vulns but we have no better option @@ -95,7 +94,7 @@ let "usb-storage,drive=virtio-win" # USB boot "-drive" - "id=win-install,file=${if efi then "usb" else "cd"}image.img,if=none,format=raw,readonly=on,media=${if efi then "disk" else "cdrom"}" + "id=win-install,file=usbimage.img,if=none,format=raw,readonly=on,media=disk" "-device" "usb-storage,drive=win-install" # Output image @@ -124,11 +123,7 @@ let cp ${autounattend.autounattendXML} win/autounattend.xml - ${if efi then '' virt-make-fs --partition --type=fat win/ usbimage.img - '' else '' - ${pkgs.cdrkit}/bin/mkisofs -iso-level 4 -l -R -udf -D -b boot/etfsboot.com -no-emul-boot -boot-load-size 8 -hide boot.catalog -eltorito-alt-boot -o cdimage.img win/ - ''} rm -rf win # Qemu requires files to be rw -- 2.42.0 From bc24fd6a2bb23de8f3dcef36a54fea5cb92751e8 Mon Sep 17 00:00:00 2001 From: Astro Date: Wed, 24 May 2023 17:58:57 +0200 Subject: [PATCH 21/26] autounattend: remove more optional bypasses --- wfvm/autounattend.nix | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/wfvm/autounattend.nix b/wfvm/autounattend.nix index 1421850..1508fc8 100644 --- a/wfvm/autounattend.nix +++ b/wfvm/autounattend.nix @@ -151,18 +151,6 @@ let 1 reg add HKLM\System\Setup\LabConfig /v BypassTPMCheck /t reg_dword /d 0x00000001 /f - - 2 - reg add HKLM\System\Setup\LabConfig /v BypassRAMCheck /t reg_dword /d 0x00000001 /f - - - 3 - reg add HKLM\System\Setup\LabConfig /v BypassCPUCheck /t reg_dword /d 0x00000001 /f - - - 4 - reg add HKLM\System\Setup\LabConfig /v BypassStorageCheck /t reg_dword /d 0x00000001 /f - -- 2.42.0 
From 16e041282fbf61b8f2fb93472b445c5fcb9f4101 Mon Sep 17 00:00:00 2001 From: Astro Date: Wed, 24 May 2023 19:00:36 +0200 Subject: [PATCH 22/26] add enableTpm --- wfvm/autounattend.nix | 15 +++++++++------ wfvm/utils.nix | 19 ++++++++++++++++++- wfvm/win.nix | 9 +++++++-- 3 files changed, 34 insertions(+), 9 deletions(-) diff --git a/wfvm/autounattend.nix b/wfvm/autounattend.nix index 1508fc8..c3f6277 100644 --- a/wfvm/autounattend.nix +++ b/wfvm/autounattend.nix @@ -15,6 +15,7 @@ , impureShellCommands ? [] , driveLetter ? "D:" , imageSelection ? "Windows 11 Pro N" +, enableTpm , ... }: @@ -146,12 +147,14 @@ let - - - 1 - reg add HKLM\System\Setup\LabConfig /v BypassTPMCheck /t reg_dword /d 0x00000001 /f - - + ${lib.optionalString (!enableTpm) '' + + + 1 + reg add HKLM\System\Setup\LabConfig /v BypassTPMCheck /t reg_dword /d 0x00000001 /f + + + ''} diff --git a/wfvm/utils.nix b/wfvm/utils.nix index f4fe9b2..fee901f 100644 --- a/wfvm/utils.nix +++ b/wfvm/utils.nix @@ -1,4 +1,9 @@ -{ pkgs, baseRtc ? "2022-10-10T10:10:10", cores ? "4", qemuMem ? "4G" }: +{ pkgs +, baseRtc ? "2022-10-10T10:10:10" +, cores ? "4" +, qemuMem ? "4G" +, enableTpm ? false +}: rec { # qemu_test is a smaller closure only building for a single system arch @@ -19,8 +24,19 @@ rec { "-device qemu-xhci" "-device virtio-net-pci,netdev=n1" "-bios ${OVMF.fd}/FV/OVMF.fd" + ] ++ pkgs.lib.optionals enableTpm [ + "-chardev" "socket,id=chrtpm,path=tpm.sock" + "-tpmdev" "emulator,id=tpm0,chardev=chrtpm" + "-device" "tpm-tis,tpmdev=tpm0" ] ++ extraFlags; + tpmStartCommands = pkgs.lib.optionalString enableTpm '' + mkdir -p tpmstate + ${pkgs.swtpm}/bin/swtpm socket \ + --tpmstate dir=tpmstate \ + --ctrl type=unixio,path=tpm.sock & + ''; + # Pass empty config file to prevent ssh from failing to create ~/.ssh sshOpts = "-F /dev/null -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR -o ConnectTimeout=1"; win-exec = pkgs.writeShellScriptBin "win-exec" '' 
@@ -96,6 +112,7 @@ rec {
 ]);
 in pkgs.writeShellScriptBin "wfvm-run-${name}" ''
 set -e -m
+ ${tpmStartCommands}
 ${qemu}/bin/qemu-system-x86_64 ${pkgs.lib.concatStringsSep " " qemuParams} &
 ${win-wait}/bin/win-wait
diff --git a/wfvm/win.nix b/wfvm/win.nix
index 58ca88e..d3ce95a 100644
--- a/wfvm/win.nix
+++ b/wfvm/win.nix
@@ -5,6 +5,7 @@
 , impureMode ? false
 , installCommands ? []
 , users ? {}
+, enableTpm ? true
 # autounattend always installs index 1, so this default is backward-compatible
 , imageSelection ? "Windows 11 Pro N"
 , ...
@@ -12,7 +13,7 @@
 let
 lib = pkgs.lib;
- utils = import ./utils.nix { inherit pkgs; };
+ utils = import ./utils.nix { inherit pkgs enableTpm; };
 inherit (pkgs) guestfs-tools;
 # p7zip on >20.03 has known vulns but we have no better option
@@ -52,7 +53,7 @@ let
 autounattend = import ./autounattend.nix (
 attrs // {
- inherit pkgs;
+ inherit pkgs enableTpm;
 users = users // {
 wfvm = {
 password = "1234";
@@ -126,6 +127,8 @@ let
 virt-make-fs --partition --type=fat win/ usbimage.img
 rm -rf win
+ ${utils.tpmStartCommands}
+
 # Qemu requires files to be rw
 qemu-img create -f qcow2 c.img ${diskImageSize}
 qemu-system-x86_64 ${lib.concatStringsSep " " qemuParams}
@@ -153,6 +156,8 @@ let
 in ''
 set -x
+ ${utils.tpmStartCommands}
+
 # Create an image referencing the previous image in the chain
 qemu-img create -F qcow2 -f qcow2 -b ${acc} c.img
-- 
2.42.0
From 9a921433378a5c57091e4370e87486dc283def27 Mon Sep 17 00:00:00 2001
From: Astro
Date: Wed, 24 May 2023 21:28:15 +0200
Subject: [PATCH 23/26] autounattend: disable forced password expiry in autounattended install stage already
---
 wfvm/autounattend.nix | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/wfvm/autounattend.nix b/wfvm/autounattend.nix
index c3f6277..1f14b10 100644
--- a/wfvm/autounattend.nix
+++ b/wfvm/autounattend.nix
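Review bot: The three `enableTpm` defaults disagree: utils.nix gets `enableTpm ? false`, win.nix `enableTpm ? true`, and autounattend.nix a mandatory `, enableTpm` with no default, so an image installed with a TPM (the win.nix default) is later run without one by anything that imports `wfvm.utils` with its defaults, as the `wfvm.utils.wfvm-run` call in layers/default.nix does, and importing autounattend.nix on its own now fails with a missing argument. Separately, swtpm is started without `--tpm2`, and swtpm emulates a TPM 1.2 unless that flag is given, while the earlier commit message names a TPM 2.0 as what Windows 11 looks for — worth confirming now that `enableTpm = true` removes the `BypassTPMCheck` entry; the line would become `${pkgs.swtpm}/bin/swtpm socket --tpm2 \`. In the user-facing `wfvm-run-*` script, `tpmstate/` and `tpm.sock` are relative to whatever directory the script is launched from, the socket path is shared by concurrent runs, the TPM state (and anything sealed to it) persists there between runs, and the backgrounded swtpm is never stopped by the script itself, so it outlives the run unless swtpm exits on its own once QEMU disconnects. Aligning all three files on `enableTpm ? true` (or passing it explicitly everywhere) and giving the state a per-run directory would close both gaps.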
@@ -58,18 +58,16 @@ let assertCommand = c: builtins.typeOf c == "string" || builtins.typeOf c == "set" && builtins.hasAttr "Path" c && builtins.hasAttr "Description" c; commands = builtins.map (x: assert assertCommand x; if builtins.typeOf x == "string" then { Path = x; Description = x; } else x) ( - [ - { - Path = "powershell.exe Set-ExecutionPolicy -Force Unrestricted"; - Description = "Allow unsigned powershell scripts."; - } - ] - ++ [ - { - Path = ''powershell.exe ${driveLetter}\win-bundle-installer.exe''; - Description = "Install any declared packages."; - } - ] + [ { + Path = "powershell.exe Set-ExecutionPolicy -Force Unrestricted"; + Description = "Allow unsigned powershell scripts."; + } { + Path = ''powershell.exe ${driveLetter}\win-bundle-installer.exe''; + Description = "Install any declared packages."; + } { + Path = "net accounts /maxpwage:unlimited"; + Description = "Disable forced password expiry."; + } ] ++ setupCommands ++ [ { -- 2.42.0 From 285b33a674cc5100ee502106433ebe7b1560213f Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 25 May 2023 15:43:50 +0200 Subject: [PATCH 24/26] autounattend: fix installation without productKey --- wfvm/autounattend.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wfvm/autounattend.nix b/wfvm/autounattend.nix index 1f14b10..d4e4dfb 100644 --- a/wfvm/autounattend.nix +++ b/wfvm/autounattend.nix @@ -215,7 +215,7 @@ let - ${if productKey != null then "${productKey}" else ""} + ${if productKey != null then "${productKey}" else ""} OnError true -- 2.42.0 From b9e261de6f11450c558bb672c99ed7041fa7afd4 Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 25 May 2023 15:57:52 +0200 Subject: [PATCH 25/26] layers msvc cache: update outputHash --- wfvm/layers/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wfvm/layers/default.nix b/wfvm/layers/default.nix index cc24d61..62ef39b 100644 --- a/wfvm/layers/default.nix +++ b/wfvm/layers/default.nix 
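Review bot: `net accounts /maxpwage:unlimited` now runs in every image's first-logon command list, and win.nix composes `users // { wfvm = { password = "1234"; … } }`, where the right-hand side wins, so the automation account's fixed password can neither be overridden through a caller's `users.wfvm` nor expire any more; next to the `Set-ExecutionPolicy -Force Unrestricted` entry above it, that is a posture decision the commit message does not spell out. A comment on the new entry such as `# the wfvm automation account keeps its fixed password indefinitely; images are meant to run isolated` and a README sentence telling consumers to rotate or remove that account before exposing an image would make the trade-off explicit. If the intent was only to keep the build-time `wfvm` login working, scoping the setting to that one account (PowerShell's `Set-LocalUser -Name wfvm -PasswordNeverExpires $true`) is narrower than changing the machine-wide policy. The `commands` list continues outside the hunk with `++ setupCommands`.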
@@ -93,7 +93,7 @@ in
 outputHashAlgo = "sha256";
 outputHashMode = "recursive";
- outputHash = "0ic3jvslp2y9v8yv9mfr2mafkvj2q5frmcyhmlbxj71si1x3kpag";
+ outputHash = "sha256-GoOKzln8DXVMx52jWGEjwkOFkpSW+wEffAVmBVugIyk=";
 phases = [ "buildPhase" ];
 buildInputs = [ download-vs ];
-- 
2.42.0
From 3694b0a9f25f9989f1642311cfa20d50e88bea2d Mon Sep 17 00:00:00 2001
From: Astro
Date: Fri, 26 May 2023 00:13:21 +0200
Subject: [PATCH 26/26] windowsIso: 22H2v1 -> 22H2v2
---
 wfvm/win.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/wfvm/win.nix b/wfvm/win.nix
index d3ce95a..2319fe5 100644
--- a/wfvm/win.nix
+++ b/wfvm/win.nix
@@ -36,8 +36,8 @@ let
 );
 windowsIso = if windowsImage != null then windowsImage else pkgs.requireFile rec {
- name = "Win11_22H2_English_x64v1.iso";
- sha256 = "08mbppsm1naf73z8fjyqkf975nbls7xj9n4fq0yp802dv1rz3whd";
+ name = "Win11_22H2_English_x64v2.iso";
+ sha256 = "0xhhxy47yaf1jsfmskym5f65hljw8q0aqs70my86m402i6dsjnc0";
 message = "Get disk image ${name} from https://www.microsoft.com/en-us/software-download/windows11/";
 };
-- 
2.42.0