6 files changed, 193 insertions, 105 deletions

diff --git a/infra/corenix/pkgs/coreboot-payload-tianocore/default.nix b/infra/corenix/pkgs/coreboot-payload-tianocore/default.nix
index 5c3e5362462f..ce82ed6e1d32 100644
--- a/infra/corenix/pkgs/coreboot-payload-tianocore/default.nix
+++ b/infra/corenix/pkgs/coreboot-payload-tianocore/default.nix
@@ -1,4 +1,11 @@
-{ fetchFromGitHub, python2, stdenv, libuuid, bc, utillinux, nasm, iasl, seabios
+{ fetchFromGitHub
+, python2
+, stdenv
+, libuuid
+, bc
+, utillinux
+, nasm
+, iasl
 }:
 
 # we can not override the source in edk2, so we had to copy the entire thing
@@ -58,7 +65,7 @@ in stdenv.mkDerivation {
 
   buildPhase = ''
     runHook preBuild
-    build -a X64 -a IA32 -b RELEASE -t GCC5 -p CorebootPayloadPkg/CorebootPayloadPkgIa32X64.dsc -n $NIX_BUILD_CORES -D CSM_ENABLE
+    build -a X64 -a IA32 -b RELEASE -t GCC5 -p CorebootPayloadPkg/CorebootPayloadPkgIa32X64.dsc -n $NIX_BUILD_CORES
     runHook postBuild
   '';
 
@@ -68,11 +75,5 @@ in stdenv.mkDerivation {
     runHook postInstall
   '';
 
-  hardeningDisable = [ "format" "stackprotector" "pic" "fortify" ];
-
-  postPatch = ''
-    cp ${seabios}/Csm16.bin OvmfPkg/Csm/Csm16/Csm16.bin
-  '';
-
   dontPatchELF = true;
 }
diff --git a/infra/corenix/pkgs/coreboot-payload-tint/default.nix b/infra/corenix/pkgs/coreboot-payload-tint/default.nix
index b953c773336d..be5e64d327fd 100644
--- a/infra/corenix/pkgs/coreboot-payload-tint/default.nix
+++ b/infra/corenix/pkgs/coreboot-payload-tint/default.nix
@@ -6,7 +6,7 @@
 
 stdenv.mkDerivation rec {
   pname = "coreboot-payload-tint";
-  version = "0.04+nmu1";
+  version = "0.05";
   inherit (coreboot.drvAttrs) src postPatch;
 
   preConfigure = "cd payloads/external/tint";
@@ -14,8 +14,8 @@ stdenv.mkDerivation rec {
     tar -xf ${
       fetchurl {
         url =
-          "https://mirror.fsf.org/trisquel/pool/main/t/tint/tint_${version}.tar.gz";
-        sha256 = "17gbga1lha9yp5hpyr5vn1sc93fx413cksxmpyl8zv3b5rjvzsy1";
+          "https://mirror.fsf.org/trisquel/pool/main/t/tint/tint_${version}.tar.xz";
+        sha256 = "1pfp3pqwci4wsjxhqik49v74hlgyg78j98x0g5disfcv37hpxb6r";
       }
     }
     mv tint{-${version},}
diff --git a/infra/corenix/pkgs/coreboot/default.nix b/infra/corenix/pkgs/coreboot/default.nix
index cc0c2f39b209..d5dc4919d683 100644
--- a/infra/corenix/pkgs/coreboot/default.nix
+++ b/infra/corenix/pkgs/coreboot/default.nix
@@ -2,61 +2,63 @@
 , callPackage, lib, corebootConfig ? { CONFIG_PAYLOAD_NONE = "y"; } }:
 
 let
-  version = "4.12";
-  src = fetchgit {
-    url = "https://review.coreboot.org/coreboot.git";
-    rev = "${version}";
-    fetchSubmodules = true;
-    sha256 = "1l140zbvn6pkbrr55lymhi4lycimhpy8xgm45shl4zv6a9vjd66z";
-  };
-
   toolchain = stdenv.mkDerivation rec {
     pname = "coreboot-toolchain";
-    inherit version src;
+    inherit (coreboot) version src;
+
     nativeBuildInputs = [ curl stdenv m4 flex bison zlib gnat ];
+
     buildPhase = ''
       mkdir -p util/crossgcc/tarballs
       ${lib.concatMapStringsSep "\n"
       (file: "ln -s ${file.archive} util/crossgcc/tarballs/${file.name}")
       (callPackage ./files.nix { })}
-      NIX_HARDENING_ENABLE="$\{NIX_HARDENING_ENABLE/ format/\}" make crossgcc-i386 CPUS=$NIX_BUILD_CORES
+      make crossgcc-i386 CPUS=$NIX_BUILD_CORES
     '';
+
     installPhase = ''
       cp -r util/crossgcc $out
     '';
   };
 
-  writeConfig = config:
-    let
-      filteredConfig = lib.filterAttrs (n: v: v != null) config;
-      lines =
-        lib.mapAttrsToList (name: value: "${name}=${value}") filteredConfig;
+  writeConfig = config: let
+    filteredConfig = lib.filterAttrs (n: v: v != null) config;
+    lines =
+      lib.mapAttrsToList (name: value: "${name}=${value}") filteredConfig;
       configFile = writeText "config" (lib.concatStringsSep "\n" lines);
-    in configFile;
-
-in stdenv.mkDerivation rec {
-
-  pname = "coreboot";
-  inherit version src;
-
-  postPatch = ''
-    rm -rf util/crossgcc
-    cp -r ${toolchain} util/crossgcc
-    chmod u+rwX -R util/crossgcc
-    patchShebangs util/xcompile/xcompile
-  '';
-
-  configurePhase = ''
-    runHook preConfigure
-    cp ${writeConfig corebootConfig} .config
-    make olddefconfig
-    runHook postConfigure
-  '';
-
-  installPhase = ''
-    mkdir -p $out
-    cp build/coreboot.rom $out
-  '';
-
-  passthru = { inherit toolchain writeConfig corebootConfig; };
-}
+  in configFile;
+
+  coreboot = stdenv.mkDerivation rec {
+    pname = "coreboot";
+    version = "4.13";
+
+    src = fetchgit {
+      url = "https://review.coreboot.org/coreboot.git";
+      rev = version;
+      sha256 = "sha256-O5udH6RAfs5IPqzvluXAApU7TDow39aOEewL5+nln3c=";
+      fetchSubmodules = true;
+    };
+
+    postPatch = ''
+      rm -rf util/crossgcc
+      cp -r ${toolchain} util/crossgcc
+      chmod u+rwX -R util/crossgcc
+      patchShebangs util/xcompile/xcompile
+    '';
+
+    configurePhase = ''
+      runHook preConfigure
+      cp ${writeConfig corebootConfig} .config
+      make olddefconfig
+      runHook postConfigure
+    '';
+
+    installPhase = ''
+      mkdir -p $out
+      cp build/coreboot.rom $out
+    '';
+
+    passthru = { inherit toolchain writeConfig corebootConfig; };
+  };
+
+in coreboot
diff --git a/infra/corenix/pkgs/coreboot/files.nix b/infra/corenix/pkgs/coreboot/files.nix
index f5d71ec46b53..5306b22bb674 100644
--- a/infra/corenix/pkgs/coreboot/files.nix
+++ b/infra/corenix/pkgs/coreboot/files.nix
@@ -1,67 +1,107 @@
-{ fetchurl }:
-
-# from util/crossgcc/buildgcc
-[
-  (rec {
-    version = "6.1.2";
-    name = "gmp-${version}.tar.xz";
+{ fetchurl }: [
+  {
+    name = "gmp-6.2.0.tar.xz";
     archive = fetchurl {
-      sha256 = "04hrwahdxyqdik559604r7wrj9ffklwvipgfxgj4ys4skbl6bdc7";
-      url = "mirror://gnu/gmp/${name}";
+      sha256 = "09hmg8k63mbfrx1x3yy6y1yzbbq85kw5avbibhcgrg9z3ganr3i5";
+      url = "https://ftpmirror.gnu.org/gmp/gmp-6.2.0.tar.xz";
     };
-  })
-
-  (rec {
-    version = "4.0.2";
-    name = "mpfr-${version}.tar.xz";
+  }
+  {
+    name = "mpfr-4.1.0.tar.xz";
     archive = fetchurl {
-      sha256 = "12m3amcavhpqygc499s3fzqlb8f2j2rr7fkqsm10xbjfc04fffqx";
-      url = "mirror://gnu/mpfr/${name}";
+      sha256 = "0zwaanakrqjf84lfr5hfsdr7hncwv9wj0mchlr7cmxigfgqs760c";
+      url = "https://ftpmirror.gnu.org/mpfr/mpfr-4.1.0.tar.xz";
     };
-  })
-
-  (rec {
-    version = "1.1.0";
-    name = "mpc-${version}.tar.gz";
+  }
+  {
+    name = "mpc-1.2.0.tar.gz";
     archive = fetchurl {
-      sha256 = "0biwnhjm3rx3hc0rfpvyniky4lpzsvdcwhmcn7f0h4iw2hwcb1b9";
-      url = "mirror://gnu/mpc/${name}";
+      sha256 = "19pxx3gwhwl588v496g3aylhcw91z1dk1d5x3a8ik71sancjs3z9";
+      url = "https://ftpmirror.gnu.org/mpc/mpc-1.2.0.tar.gz";
     };
-  })
-
-  (rec {
-    version = "8.3.0";
-    name = "gcc-${version}.tar.xz";
+  }
+  {
+    name = "gcc-8.3.0.tar.xz";
     archive = fetchurl {
       sha256 = "0b3xv411xhlnjmin2979nxcbnidgvzqdf4nbhix99x60dkzavfk4";
-      url = "mirror://gnu/gcc/${name}";
+      url = "https://ftpmirror.gnu.org/gcc/gcc-8.3.0/gcc-8.3.0.tar.xz";
     };
-  })
-
-  (rec {
-    version = "2.33.1";
-    name = "binutils-${version}.tar.xz";
+  }
+  {
+    name = "binutils-2.35.tar.xz";
     archive = fetchurl {
-      sha256 = "1grcf8jaw3i0bk6f9xfzxw3qfgmn6fgkr108isdkbh1y3hnzqrmb";
-      url = "mirror://gnu/binutils/${name}";
+      sha256 = "119g6340ksv1jkg6bwaxdp2whhlly22l9m30nj6y284ynjgna48v";
+      url = "https://ftpmirror.gnu.org/binutils/binutils-2.35.tar.xz";
     };
-  })
-
-  (rec {
-    version = "20200110";
-    name = "acpica-unix2-${version}.tar.gz";
+  }
+  {
+    name = "gdb-9.2.tar.xz";
     archive = fetchurl {
-      sha256 = "1hb4g6r7w8s4bhlkk36fmb4qxghnrwvad7f18cpn6zz0b4sjs7za";
-      url = "https://acpica.org/sites/acpica/files/${name}";
+      sha256 = "0mf5fn8v937qwnal4ykn3ji1y2sxk0fa1yfqi679hxmpg6pdf31n";
+      url = "https://ftpmirror.gnu.org/gdb/gdb-9.2.tar.xz";
     };
-  })
-
-  (rec {
-    version = "2.14.02";
-    name = "nasm-${version}.tar.bz2";
+  }
+  {
+    name = "acpica-unix2-20200717.tar.gz";
     archive = fetchurl {
-      sha256 = "1g409sr1kj7v1089s9kv0i4azvddkcwcypnbakfryyi71b3jdz9l";
-      url = "https://www.nasm.us/pub/nasm/releasebuilds/${version}/${name}";
+      sha256 = "0jyy71szjr40c8v40qqw6yh3gfk8d6sl3nay69zrn5d88i3r0jca";
+      url = "https://acpica.org/sites/acpica/files/acpica-unix2-20200717.tar.gz";
     };
-  })
+  }
+  {
+    name = "Python-3.8.5.tar.xz";
+    archive = fetchurl {
+      sha256 = "1c43dbv9lvlp3ynqmgdi4rh8q94swanhqarqrdx62zmigpakw073";
+      url = "https://www.python.org/ftp/python/3.8.5/Python-3.8.5.tar.xz";
+    };
+  }
+  {
+    name = "expat-2.2.9.tar.bz2";
+    archive = fetchurl {
+      sha256 = "0dx2m58gkj7cadk51lmp54ma7cqjhff4kjmwv8ks80j3vj2301pi";
+      url = "https://downloads.sourceforge.net/sourceforge/expat/expat-2.2.9.tar.bz2";
+    };
+  }
+  {
+    name = "llvm-10.0.1.src.tar.xz";
+    archive = fetchurl {
+      sha256 = "1wydhbp9kyjp5y0rc627imxgkgqiv3dfirbqil9dgpnbaw5y7n65";
+      url = "https://github.com/llvm/llvm-project/releases/download/llvmorg-10.0.1/llvm-10.0.1.src.tar.xz";
+    };
+  }
+  {
+    name = "clang-10.0.1.src.tar.xz";
+    archive = fetchurl {
+      sha256 = "091bvcny2lh32zy8f3m9viayyhb2zannrndni7325rl85cwgr6pr";
+      url = "https://github.com/llvm/llvm-project/releases/download/llvmorg-10.0.1/clang-10.0.1.src.tar.xz";
+    };
+  }
+  {
+    name = "compiler-rt-10.0.1.src.tar.xz";
+    archive = fetchurl {
+      sha256 = "1yjqjri753w0fzmxcyz687nvd97sbc9rsqrxzpq720na47hwh3fr";
+      url = "https://github.com/llvm/llvm-project/releases/download/llvmorg-10.0.1/compiler-rt-10.0.1.src.tar.xz";
+    };
+  }
+  {
+    name = "clang-tools-extra-10.0.1.src.tar.xz";
+    archive = fetchurl {
+      sha256 = "06n1yp638rh24xdxv9v2df0qajxbjz4w59b7dd4ky36drwmpi4yh";
+      url = "https://github.com/llvm/llvm-project/releases/download/llvmorg-10.0.1/clang-tools-extra-10.0.1.src.tar.xz";
+    };
+  }
+  {
+    name = "cmake-3.18.1.tar.gz";
+    archive = fetchurl {
+      sha256 = "0215srmc9l7ygwdpfms8yx0wbd96qgz2d58ykmdiarvysf5k7qy0";
+      url = "https://cmake.org/files/v3.18/cmake-3.18.1.tar.gz";
+    };
+  }
+  {
+    name = "nasm-2.15.03.tar.bz2";
+    archive = fetchurl {
+      sha256 = "0y6p3d5lhmwzvgi85f00sz6c485ir33zd1nskzxby4pikcyk9rq4";
+      url = "https://www.nasm.us/pub/nasm/releasebuilds/2.15.03/nasm-2.15.03.tar.bz2";
+    };
+  }
 ]
diff --git a/infra/corenix/pkgs/coreboot/update-shell.nix b/infra/corenix/pkgs/coreboot/update-shell.nix
new file mode 100644
index 000000000000..a2f2da23b6f8
--- /dev/null
+++ b/infra/corenix/pkgs/coreboot/update-shell.nix
@@ -0,0 +1,11 @@
+let
+  sources = import ../../nix/sources.nix;
+  pkgs = import sources.nixpkgs {};
+in
+
+with pkgs;
+
+mkShell {
+  buildInputs = [ nix git cacert getopt ];
+  NIX_PATH = "nixpkgs=${sources.nixpkgs}";
+}
diff --git a/infra/corenix/pkgs/coreboot/update.sh b/infra/corenix/pkgs/coreboot/update.sh
new file mode 100755
index 000000000000..d73f21404cd7
--- /dev/null
+++ b/infra/corenix/pkgs/coreboot/update.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env nix-shell
+#!nix-shell --pure -i bash update-shell.nix
+
+set -xe
+
+cd "$(dirname "$0")/../.."
+
+export PATH="/nix/store/yhr5cl61hqqx12zgfq8i3pkg0diq9v5k-nix-update/bin:$PATH"
+nix-update coreboot $@
+
+src="$(nix-build --no-out-link -A coreboot.src)"
+urls=$($src/util/crossgcc/buildgcc -u)
+
+echo '{ fetchurl }: [' > pkgs/coreboot/.files.nix.tmp
+
+for url in $urls
+do
+	name="$(basename $url)"
+	hash="$(nix-prefetch-url "$url")"
+
+	cat << EOF >> pkgs/coreboot/.files.nix.tmp
+  {
+    name = "$name";
+    archive = fetchurl {
+      sha256 = "$hash";
+      url = "$url";
+    };
+  }
+EOF
+
+done
+
+echo ']' >> pkgs/coreboot/.files.nix.tmp
+mv pkgs/coreboot/.files.nix.tmp pkgs/coreboot/files.nix