Merge commit 'aeac2f8adcd683ade3be74a4680d4e96f39aef49' into main

3 years ago · 5a38091398
parent 01ebfa7aac aeac2f8adc
commit 5a38091398
14 changed files with 438 additions and 191 deletions
--- a/infra/corenix/README.md
+++ b/infra/corenix/README.md
@ -5,8 +5,8 @@
 *How to use:*

 1. Create a configuration file for your device in `configs/`
-2. Add an entry to flake.nix, i.e. `my-device = makeDevice ./configs/my-device.nix;`
-3. Build the coreboot rom: `nix build -A pkgs.my-device`
+2. Add an entry to default.nix, i.e. `my-device = makeDevice ./configs/my-device.nix;`
+3. Build the coreboot rom: `nix build -A my-device`

 *Features*

--- a/infra/corenix/configs/milan/milan-x230-fhd.nix
+++ b/infra/corenix/configs/milan/milan-x230-fhd.nix
@ -6,7 +6,7 @@
  corenix.corebootConfig = {
    CONFIG_LINEAR_FRAMEBUFFER_MAX_WIDTH = "1920";
    CONFIG_LINEAR_FRAMEBUFFER_MAX_HEIGHT = "1080";
-    CONFIG_CBFS_SIZE = "0xbe5000";
+    CONFIG_CBFS_SIZE = "0xbe5000"; # DON'T copy this unless you know what you're doing
  };

  tianocore.enable = true;
--- a/infra/corenix/default.nix
+++ b/infra/corenix/default.nix
@ -1,6 +1,34 @@
-(import (fetchTarball {
-  url =
-    "https://github.com/edolstra/flake-compat/archive/94cf59784c73ecec461eaa291918eff0bfb538ac.tar.gz";
-  sha256 = "03qz7h3hpb7jhlyidd4jxxncns40kvw8aqsq5l8d0rsdq9nj02qj";
-}) { src = ./.; }).defaultNix
+{ ... }:

+let
+  sources = import ./nix/sources.nix;
+  nixpkgsOptions = {
+    system = "x86_64-linux";
+    overlays = [ (import ./pkgs/overlay.nix) ];
+  };
+  pkgs = import sources.nixpkgs nixpkgsOptions;
+  inherit (pkgs) lib;
+
+  makeDevice = configFile:
+    (lib.evalModules {
+      modules = [
+        ({ ... }: { nixpkgs = nixpkgsOptions; })
+        ("${sources.nixpkgs}/nixos/modules/misc/assertions.nix")
+        ("${sources.nixpkgs}/nixos/modules/misc/nixpkgs.nix")
+        ./modules
+        configFile
+      ];
+    }).config.corenix.rom;
+
+in rec {
+  inherit makeDevice;
+
+  inherit (pkgs)
+    coreboot coreboot-payload-grub2 coreboot-payload-tianocore
+    coreboot-payload-seabios coreboot-payload-tint
+    coreboot-payload-nvramcui coreboot-payload-coreinfo;
+
+  milan-x1c = makeDevice ./configs/milan/milan-x1c.nix;
+  milan-x230t = makeDevice ./configs/milan/milan-x230t.nix;
+  milan-x230-fhd = makeDevice ./configs/milan/milan-x230-fhd.nix;
+}
--- a/infra/corenix/flake.lock
+++ b/infra/corenix/flake.lock
@ -1,27 +0,0 @@
-{
-  "nodes": {
-    "nixpkgs": {
-      "locked": {
-        "lastModified": 1604414673,
-        "narHash": "sha256-Z8yNdN5G17J8Ro9Go9LGN5NtEwL2oleZAZkEhdC4q7I=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "a9f4945fa4e0ec655554149e82bdac935c9ba747",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "master",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "root": {
-      "inputs": {
-        "nixpkgs": "nixpkgs"
-      }
-    }
-  },
-  "root": "root",
-  "version": 7
-}
--- a/infra/corenix/flake.nix
+++ b/infra/corenix/flake.nix
@ -1,49 +0,0 @@
-{
-  inputs.nixpkgs = {
-    type = "github";
-    owner = "nixos";
-    repo = "nixpkgs";
-    ref = "master";
-  };
-
-  description = "A collections of derivations for coreboot and payloads";
-  outputs = { self, nixpkgs }:
-    let
-      nixpkgsOptions = {
-        system = "x86_64-linux";
-        overlays = [ (import ./pkgs/overlay.nix) ];
-      };
-      pkgs = import nixpkgs nixpkgsOptions;
-      inherit (pkgs) lib;
-
-      makeDevice = configFile:
-        (lib.evalModules {
-          modules = [
-            ({ ... }: { nixpkgs = nixpkgsOptions; })
-            ("${nixpkgs}/nixos/modules/misc/assertions.nix")
-            ("${nixpkgs}/nixos/modules/misc/nixpkgs.nix")
-            ./modules
-            configFile
-          ];
-        }).config.corenix.rom;
-
-      exportedPkgs = {
-        inherit (pkgs)
-          coreboot coreboot-payload-grub2 coreboot-payload-tianocore
-          coreboot-payload-seabios coreboot-payload-tint
-          coreboot-payload-nvramcui coreboot-payload-coreinfo;
-
-        milan-x1c = makeDevice ./configs/milan/milan-x1c.nix;
-        milan-x230t = makeDevice ./configs/milan/milan-x230t.nix;
-        milan-x230-fhd = makeDevice ./configs/milan/milan-x230-fhd.nix;
-      };
-
-    in {
-      lib = { inherit makeDevice; };
-
-      packages.x86_64-linux = exportedPkgs;
-
-      # shortcut for use with flake-compat
-      pkgs = exportedPkgs;
-    };
-}
--- a/infra/corenix/modules/grub2/default.nix
+++ b/infra/corenix/modules/grub2/default.nix
@ -8,7 +8,10 @@ let
    if cfg.asSecondaryPayload then "img/grub2" else "fallback/payload";

  configText = (readFile ./files/grub.cfg) + cfg.extraConfig
-    + (optionalString (cfg.scanDevices) (readFile ./files/grub-scan.cfg))
+    + (optionalString (cfg.signKey != null) ''
+      trust (cbfsdisk)/etc/trusted.key
+      set check_signatures=enforce
+    '') + (optionalString (cfg.scanDevices) (readFile ./files/grub-scan.cfg))
    + (optionalString (cfg.users != { }) ((concatStringsSep "\n" (mapAttrsToList
      (n: u: ''
        ${
@ -86,6 +89,11 @@ in {
      default = pkgs.coreboot-payload-grub2;
    };

+    signKey = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+    };
+
    extraPayloadModules = mkOption {
      type = types.listOf types.str;
      default = [ ];
@ -118,6 +126,8 @@ in {
          "grub-mkfont --range=0x20-0x7E,0x2501-0x251F,0x2191-0x2193 --size=14 -o $out ${cfg.font}");
      "etc/grub.cfg".src = cfg.configFile;
      "background.png".src = ./files/background.png;
-    };
+    } // (optionalAttrs (cfg.signKey != null) {
+      "etc/trusted.key".src = cfg.signKey;
+    });
  };
 }
--- a/infra/corenix/nix/sources.json
+++ b/infra/corenix/nix/sources.json
@ -0,0 +1,26 @@
+{
+    "niv": {
+        "branch": "master",
+        "description": "Easy dependency management for Nix projects",
+        "homepage": "https://github.com/nmattia/niv",
+        "owner": "nmattia",
+        "repo": "niv",
+        "rev": "ba57d5a29b4e0f2085917010380ef3ddc3cf380f",
+        "sha256": "1kpsvc53x821cmjg1khvp1nz7906gczq8mp83664cr15h94sh8i4",
+        "type": "tarball",
+        "url": "https://github.com/nmattia/niv/archive/ba57d5a29b4e0f2085917010380ef3ddc3cf380f.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    },
+    "nixpkgs": {
+        "branch": "master",
+        "description": "Nix Packages collection",
+        "homepage": "",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "30f4aedd0ef8ef9b1cc007519e3e7536201055af",
+        "sha256": "1am8zhhnrhxvl7siw50lilnrpvc35lzs8kvky7ms7gs8a1mj4sbn",
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/30f4aedd0ef8ef9b1cc007519e3e7536201055af.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    }
+}
--- a/infra/corenix/nix/sources.nix
+++ b/infra/corenix/nix/sources.nix
@ -0,0 +1,171 @@
+# This file has been generated by Niv.
+
+let
+
+  #
+  # The fetchers. fetch_<type> fetches specs of type <type>.
+  #
+
+  fetch_file = pkgs: name: spec:
+    let
+      name' = sanitizeName name + "-src";
+    in
+      if spec.builtin or true then
+        builtins_fetchurl { inherit (spec) url sha256; name = name'; }
+      else
+        pkgs.fetchurl { inherit (spec) url sha256; name = name'; };
+
+  fetch_tarball = pkgs: name: spec:
+    let
+      name' = sanitizeName name + "-src";
+    in
+      if spec.builtin or true then
+        builtins_fetchTarball { name = name'; inherit (spec) url sha256; }
+      else
+        pkgs.fetchzip { name = name'; inherit (spec) url sha256; };
+
+  fetch_git = name: spec:
+    let
+      ref =
+        if spec ? ref then spec.ref else
+          if spec ? branch then "refs/heads/${spec.branch}" else
+            if spec ? tag then "refs/tags/${spec.tag}" else
+              abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!";
+    in
+      builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; };
+
+  fetch_local = spec: spec.path;
+
+  fetch_builtin-tarball = name: throw
+    ''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`.
+        $ niv modify ${name} -a type=tarball -a builtin=true'';
+
+  fetch_builtin-url = name: throw
+    ''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`.
+        $ niv modify ${name} -a type=file -a builtin=true'';
+
+  #
+  # Various helpers
+  #
+
+  # https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695
+  sanitizeName = name:
+    (
+      concatMapStrings (s: if builtins.isList s then "-" else s)
+        (
+          builtins.split "[^[:alnum:]+._?=-]+"
+            ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name)
+        )
+    );
+
+  # The set of packages used when specs are fetched using non-builtins.
+  mkPkgs = sources: system:
+    let
+      sourcesNixpkgs =
+        import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; };
+      hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
+      hasThisAsNixpkgsPath = <nixpkgs> == ./.;
+    in
+      if builtins.hasAttr "nixpkgs" sources
+      then sourcesNixpkgs
+      else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then
+        import <nixpkgs> {}
+      else
+        abort
+          ''
+            Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
+            add a package called "nixpkgs" to your sources.json.
+          '';
+
+  # The actual fetching function.
+  fetch = pkgs: name: spec:
+
+    if ! builtins.hasAttr "type" spec then
+      abort "ERROR: niv spec ${name} does not have a 'type' attribute"
+    else if spec.type == "file" then fetch_file pkgs name spec
+    else if spec.type == "tarball" then fetch_tarball pkgs name spec
+    else if spec.type == "git" then fetch_git name spec
+    else if spec.type == "local" then fetch_local spec
+    else if spec.type == "builtin-tarball" then fetch_builtin-tarball name
+    else if spec.type == "builtin-url" then fetch_builtin-url name
+    else
+      abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}";
+
+  # If the environment variable NIV_OVERRIDE_${name} is set, then use
+  # the path directly as opposed to the fetched source.
+  replace = name: drv:
+    let
+      saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name;
+      ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
+    in
+      if ersatz == "" then drv else ersatz;
+
+  # Ports of functions for older nix versions
+
+  # a Nix version of mapAttrs if the built-in doesn't exist
+  mapAttrs = builtins.mapAttrs or (
+    f: set: with builtins;
+    listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set))
+  );
+
+  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
+  range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1);
+
+  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
+  stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
+
+  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
+  stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
+  concatMapStrings = f: list: concatStrings (map f list);
+  concatStrings = builtins.concatStringsSep "";
+
+  # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331
+  optionalAttrs = cond: as: if cond then as else {};
+
+  # fetchTarball version that is compatible between all the versions of Nix
+  builtins_fetchTarball = { url, name ? null, sha256 }@attrs:
+    let
+      inherit (builtins) lessThan nixVersion fetchTarball;
+    in
+      if lessThan nixVersion "1.12" then
+        fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
+      else
+        fetchTarball attrs;
+
+  # fetchurl version that is compatible between all the versions of Nix
+  builtins_fetchurl = { url, name ? null, sha256 }@attrs:
+    let
+      inherit (builtins) lessThan nixVersion fetchurl;
+    in
+      if lessThan nixVersion "1.12" then
+        fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
+      else
+        fetchurl attrs;
+
+  # Create the final "sources" from the config
+  mkSources = config:
+    mapAttrs (
+      name: spec:
+        if builtins.hasAttr "outPath" spec
+        then abort
+          "The values in sources.json should not have an 'outPath' attribute"
+        else
+          spec // { outPath = replace name (fetch config.pkgs name spec); }
+    ) config.sources;
+
+  # The "config" used by the fetchers
+  mkConfig =
+    { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null
+    , sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile)
+    , system ? builtins.currentSystem
+    , pkgs ? mkPkgs sources system
+    }: rec {
+      # The sources, i.e. the attribute set of spec name to spec
+      inherit sources;
+
+      # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers
+      inherit pkgs;
+    };
+
+in
+mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); }
--- a/infra/corenix/pkgs/coreboot-payload-tianocore/default.nix
+++ b/infra/corenix/pkgs/coreboot-payload-tianocore/default.nix
@ -1,4 +1,11 @@
-{ fetchFromGitHub, python2, stdenv, libuuid, bc, utillinux, nasm, iasl, seabios
+{ fetchFromGitHub
+, python2
+, stdenv
+, libuuid
+, bc
+, utillinux
+, nasm
+, iasl
 }:

 # we can not override the source in edk2, so we had to copy the entire thing
@ -58,7 +65,7 @@ in stdenv.mkDerivation {

  buildPhase = ''
    runHook preBuild
-    build -a X64 -a IA32 -b RELEASE -t GCC5 -p CorebootPayloadPkg/CorebootPayloadPkgIa32X64.dsc -n $NIX_BUILD_CORES -D CSM_ENABLE
+    build -a X64 -a IA32 -b RELEASE -t GCC5 -p CorebootPayloadPkg/CorebootPayloadPkgIa32X64.dsc -n $NIX_BUILD_CORES
    runHook postBuild
  '';

@ -68,11 +75,5 @@ in stdenv.mkDerivation {
    runHook postInstall
  '';

-  hardeningDisable = [ "format" "stackprotector" "pic" "fortify" ];
-
-  postPatch = ''
-    cp ${seabios}/Csm16.bin OvmfPkg/Csm/Csm16/Csm16.bin
-  '';
-
  dontPatchELF = true;
 }
--- a/infra/corenix/pkgs/coreboot-payload-tint/default.nix
+++ b/infra/corenix/pkgs/coreboot-payload-tint/default.nix
@ -6,7 +6,7 @@

 stdenv.mkDerivation rec {
  pname = "coreboot-payload-tint";
-  version = "0.04+nmu1";
+  version = "0.05";
  inherit (coreboot.drvAttrs) src postPatch;

  preConfigure = "cd payloads/external/tint";
@ -14,8 +14,8 @@ stdenv.mkDerivation rec {
    tar -xf ${
      fetchurl {
        url =
-          "https://mirror.fsf.org/trisquel/pool/main/t/tint/tint_${version}.tar.gz";
-        sha256 = "17gbga1lha9yp5hpyr5vn1sc93fx413cksxmpyl8zv3b5rjvzsy1";
+          "https://mirror.fsf.org/trisquel/pool/main/t/tint/tint_${version}.tar.xz";
+        sha256 = "1pfp3pqwci4wsjxhqik49v74hlgyg78j98x0g5disfcv37hpxb6r";
      }
    }
    mv tint{-${version},}
--- a/infra/corenix/pkgs/coreboot/default.nix
+++ b/infra/corenix/pkgs/coreboot/default.nix
@ -2,61 +2,63 @@
 , callPackage, lib, corebootConfig ? { CONFIG_PAYLOAD_NONE = "y"; } }:

 let
-  version = "4.12";
-  src = fetchgit {
-    url = "https://review.coreboot.org/coreboot.git";
-    rev = "${version}";
-    fetchSubmodules = true;
-    sha256 = "1l140zbvn6pkbrr55lymhi4lycimhpy8xgm45shl4zv6a9vjd66z";
-  };
-
  toolchain = stdenv.mkDerivation rec {
    pname = "coreboot-toolchain";
-    inherit version src;
+    inherit (coreboot) version src;
+
    nativeBuildInputs = [ curl stdenv m4 flex bison zlib gnat ];
+
    buildPhase = ''
      mkdir -p util/crossgcc/tarballs
      ${lib.concatMapStringsSep "\n"
      (file: "ln -s ${file.archive} util/crossgcc/tarballs/${file.name}")
      (callPackage ./files.nix { })}
-      NIX_HARDENING_ENABLE="$\{NIX_HARDENING_ENABLE/ format/\}" make crossgcc-i386 CPUS=$NIX_BUILD_CORES
+      make crossgcc-i386 CPUS=$NIX_BUILD_CORES
    '';
+
    installPhase = ''
      cp -r util/crossgcc $out
    '';
  };

-  writeConfig = config:
-    let
-      filteredConfig = lib.filterAttrs (n: v: v != null) config;
-      lines =
-        lib.mapAttrsToList (name: value: "${name}=${value}") filteredConfig;
+  writeConfig = config: let
+    filteredConfig = lib.filterAttrs (n: v: v != null) config;
+    lines =
+      lib.mapAttrsToList (name: value: "${name}=${value}") filteredConfig;
      configFile = writeText "config" (lib.concatStringsSep "\n" lines);
-    in configFile;
-
-in stdenv.mkDerivation rec {
-
-  pname = "coreboot";
-  inherit version src;
-
-  postPatch = ''
-    rm -rf util/crossgcc
-    cp -r ${toolchain} util/crossgcc
-    chmod u+rwX -R util/crossgcc
-    patchShebangs util/xcompile/xcompile
-  '';
-
-  configurePhase = ''
-    runHook preConfigure
-    cp ${writeConfig corebootConfig} .config
-    make olddefconfig
-    runHook postConfigure
-  '';
-
-  installPhase = ''
-    mkdir -p $out
-    cp build/coreboot.rom $out
-  '';
-
-  passthru = { inherit toolchain writeConfig corebootConfig; };
-}
+  in configFile;
+
+  coreboot = stdenv.mkDerivation rec {
+    pname = "coreboot";
+    version = "4.13";
+
+    src = fetchgit {
+      url = "https://review.coreboot.org/coreboot.git";
+      rev = version;
+      sha256 = "sha256-O5udH6RAfs5IPqzvluXAApU7TDow39aOEewL5+nln3c=";
+      fetchSubmodules = true;
+    };
+
+    postPatch = ''
+      rm -rf util/crossgcc
+      cp -r ${toolchain} util/crossgcc
+      chmod u+rwX -R util/crossgcc
+      patchShebangs util/xcompile/xcompile
+    '';
+
+    configurePhase = ''
+      runHook preConfigure
+      cp ${writeConfig corebootConfig} .config
+      make olddefconfig
+      runHook postConfigure
+    '';
+
+    installPhase = ''
+      mkdir -p $out
+      cp build/coreboot.rom $out
+    '';
+
+    passthru = { inherit toolchain writeConfig corebootConfig; };
+  };
+
+in coreboot
--- a/infra/corenix/pkgs/coreboot/files.nix
+++ b/infra/corenix/pkgs/coreboot/files.nix
@ -1,67 +1,107 @@
-{ fetchurl }:
-
-# from util/crossgcc/buildgcc
-[
-  (rec {
-    version = "6.1.2";
-    name = "gmp-${version}.tar.xz";
+{ fetchurl }: [
+  {
+    name = "gmp-6.2.0.tar.xz";
    archive = fetchurl {
-      sha256 = "04hrwahdxyqdik559604r7wrj9ffklwvipgfxgj4ys4skbl6bdc7";
-      url = "mirror://gnu/gmp/${name}";
+      sha256 = "09hmg8k63mbfrx1x3yy6y1yzbbq85kw5avbibhcgrg9z3ganr3i5";
+      url = "https://ftpmirror.gnu.org/gmp/gmp-6.2.0.tar.xz";
    };
-  })
-
-  (rec {
-    version = "4.0.2";
-    name = "mpfr-${version}.tar.xz";
+  }
+  {
+    name = "mpfr-4.1.0.tar.xz";
    archive = fetchurl {
-      sha256 = "12m3amcavhpqygc499s3fzqlb8f2j2rr7fkqsm10xbjfc04fffqx";
-      url = "mirror://gnu/mpfr/${name}";
+      sha256 = "0zwaanakrqjf84lfr5hfsdr7hncwv9wj0mchlr7cmxigfgqs760c";
+      url = "https://ftpmirror.gnu.org/mpfr/mpfr-4.1.0.tar.xz";
    };
-  })
-
-  (rec {
-    version = "1.1.0";
-    name = "mpc-${version}.tar.gz";
+  }
+  {
+    name = "mpc-1.2.0.tar.gz";
    archive = fetchurl {
-      sha256 = "0biwnhjm3rx3hc0rfpvyniky4lpzsvdcwhmcn7f0h4iw2hwcb1b9";
-      url = "mirror://gnu/mpc/${name}";
+      sha256 = "19pxx3gwhwl588v496g3aylhcw91z1dk1d5x3a8ik71sancjs3z9";
+      url = "https://ftpmirror.gnu.org/mpc/mpc-1.2.0.tar.gz";
    };
-  })
-
-  (rec {
-    version = "8.3.0";
-    name = "gcc-${version}.tar.xz";
+  }
+  {
+    name = "gcc-8.3.0.tar.xz";
    archive = fetchurl {
      sha256 = "0b3xv411xhlnjmin2979nxcbnidgvzqdf4nbhix99x60dkzavfk4";
-      url = "mirror://gnu/gcc/${name}";
+      url = "https://ftpmirror.gnu.org/gcc/gcc-8.3.0/gcc-8.3.0.tar.xz";
    };
-  })
-
-  (rec {
-    version = "2.33.1";
-    name = "binutils-${version}.tar.xz";
+  }
+  {
+    name = "binutils-2.35.tar.xz";
    archive = fetchurl {
-      sha256 = "1grcf8jaw3i0bk6f9xfzxw3qfgmn6fgkr108isdkbh1y3hnzqrmb";
-      url = "mirror://gnu/binutils/${name}";
+      sha256 = "119g6340ksv1jkg6bwaxdp2whhlly22l9m30nj6y284ynjgna48v";
+      url = "https://ftpmirror.gnu.org/binutils/binutils-2.35.tar.xz";
    };
-  })
-
-  (rec {
-    version = "20200110";
-    name = "acpica-unix2-${version}.tar.gz";
+  }
+  {
+    name = "gdb-9.2.tar.xz";
    archive = fetchurl {
-      sha256 = "1hb4g6r7w8s4bhlkk36fmb4qxghnrwvad7f18cpn6zz0b4sjs7za";
-      url = "https://acpica.org/sites/acpica/files/${name}";
+      sha256 = "0mf5fn8v937qwnal4ykn3ji1y2sxk0fa1yfqi679hxmpg6pdf31n";
+      url = "https://ftpmirror.gnu.org/gdb/gdb-9.2.tar.xz";
    };
-  })
-
-  (rec {
-    version = "2.14.02";
-    name = "nasm-${version}.tar.bz2";
+  }
+  {
+    name = "acpica-unix2-20200717.tar.gz";
    archive = fetchurl {
-      sha256 = "1g409sr1kj7v1089s9kv0i4azvddkcwcypnbakfryyi71b3jdz9l";
-      url = "https://www.nasm.us/pub/nasm/releasebuilds/${version}/${name}";
+      sha256 = "0jyy71szjr40c8v40qqw6yh3gfk8d6sl3nay69zrn5d88i3r0jca";
+      url = "https://acpica.org/sites/acpica/files/acpica-unix2-20200717.tar.gz";
    };
-  })
+  }
+  {
+    name = "Python-3.8.5.tar.xz";
+    archive = fetchurl {
+      sha256 = "1c43dbv9lvlp3ynqmgdi4rh8q94swanhqarqrdx62zmigpakw073";
+      url = "https://www.python.org/ftp/python/3.8.5/Python-3.8.5.tar.xz";
+    };
+  }
+  {
+    name = "expat-2.2.9.tar.bz2";
+    archive = fetchurl {
+      sha256 = "0dx2m58gkj7cadk51lmp54ma7cqjhff4kjmwv8ks80j3vj2301pi";
+      url = "https://downloads.sourceforge.net/sourceforge/expat/expat-2.2.9.tar.bz2";
+    };
+  }
+  {
+    name = "llvm-10.0.1.src.tar.xz";
+    archive = fetchurl {
+      sha256 = "1wydhbp9kyjp5y0rc627imxgkgqiv3dfirbqil9dgpnbaw5y7n65";
+      url = "https://github.com/llvm/llvm-project/releases/download/llvmorg-10.0.1/llvm-10.0.1.src.tar.xz";
+    };
+  }
+  {
+    name = "clang-10.0.1.src.tar.xz";
+    archive = fetchurl {
+      sha256 = "091bvcny2lh32zy8f3m9viayyhb2zannrndni7325rl85cwgr6pr";
+      url = "https://github.com/llvm/llvm-project/releases/download/llvmorg-10.0.1/clang-10.0.1.src.tar.xz";
+    };
+  }
+  {
+    name = "compiler-rt-10.0.1.src.tar.xz";
+    archive = fetchurl {
+      sha256 = "1yjqjri753w0fzmxcyz687nvd97sbc9rsqrxzpq720na47hwh3fr";
+      url = "https://github.com/llvm/llvm-project/releases/download/llvmorg-10.0.1/compiler-rt-10.0.1.src.tar.xz";
+    };
+  }
+  {
+    name = "clang-tools-extra-10.0.1.src.tar.xz";
+    archive = fetchurl {
+      sha256 = "06n1yp638rh24xdxv9v2df0qajxbjz4w59b7dd4ky36drwmpi4yh";
+      url = "https://github.com/llvm/llvm-project/releases/download/llvmorg-10.0.1/clang-tools-extra-10.0.1.src.tar.xz";
+    };
+  }
+  {
+    name = "cmake-3.18.1.tar.gz";
+    archive = fetchurl {
+      sha256 = "0215srmc9l7ygwdpfms8yx0wbd96qgz2d58ykmdiarvysf5k7qy0";
+      url = "https://cmake.org/files/v3.18/cmake-3.18.1.tar.gz";
+    };
+  }
+  {
+    name = "nasm-2.15.03.tar.bz2";
+    archive = fetchurl {
+      sha256 = "0y6p3d5lhmwzvgi85f00sz6c485ir33zd1nskzxby4pikcyk9rq4";
+      url = "https://www.nasm.us/pub/nasm/releasebuilds/2.15.03/nasm-2.15.03.tar.bz2";
+    };
+  }
 ]
--- a/infra/corenix/pkgs/coreboot/update-shell.nix
+++ b/infra/corenix/pkgs/coreboot/update-shell.nix
@ -0,0 +1,11 @@
+let
+  sources = import ../../nix/sources.nix;
+  pkgs = import sources.nixpkgs {};
+in
+
+with pkgs;
+
+mkShell {
+  buildInputs = [ nix git cacert getopt ];
+  NIX_PATH = "nixpkgs=${sources.nixpkgs}";
+}
--- a/infra/corenix/pkgs/coreboot/update.sh
+++ b/infra/corenix/pkgs/coreboot/update.sh
@ -0,0 +1,34 @@
+#!/usr/bin/env nix-shell
+#!nix-shell --pure -i bash update-shell.nix
+
+set -xe
+
+cd "$(dirname "$0")/../.."
+
+export PATH="/nix/store/yhr5cl61hqqx12zgfq8i3pkg0diq9v5k-nix-update/bin:$PATH"
+nix-update coreboot $@
+
+src="$(nix-build --no-out-link -A coreboot.src)"
+urls=$($src/util/crossgcc/buildgcc -u)
+
+echo '{ fetchurl }: [' > pkgs/coreboot/.files.nix.tmp
+
+for url in $urls
+do
+	name="$(basename $url)"
+	hash="$(nix-prefetch-url "$url")"
+
+	cat << EOF >> pkgs/coreboot/.files.nix.tmp
+  {
+    name = "$name";
+    archive = fetchurl {
+      sha256 = "$hash";
+      url = "$url";
+    };
+  }
+EOF
+
+done
+
+echo ']' >> pkgs/coreboot/.files.nix.tmp
+mv pkgs/coreboot/.files.nix.tmp pkgs/coreboot/files.nix