Merge dev: M9.R.42.3 install drivers

Author: zah

_m9r42_install.sh

@@ -0,0 +1,105 @@
+#!/usr/bin/env bash
+# M9.R.42 — install driver running the M9.R.42 ISO.
+#
+# Boots the M9.R.42 ISO under QEMU OVMF; autorun service drives the
+# installer through Phase 2 (disk apply); REPRO_DISK_DIAG=
+# /tmp/installer.disk-diag.log lands in the diag-persist tarball
+# because the M9.R.42.1 stage-de-rootfs.sh change included it in the
+# tar list.
+#
+# Outputs:
+#   /tmp/m9r42_install.qcow2     — installed disk image
+#   /tmp/m9r42_install.log       — serial transcript
+#   /tmp/m9r42_diag/             — extracted launcher diag tarball
+#       installer.disk-diag.log  — M9.R.42.1 kernel-state snapshots
+#                                   AROUND each sgdisk + partprobe
+set -uo pipefail
+ISO="${ISO:-/opt/repro/reprobuild/recipes/reproos-iso/build/reproos.iso}"
+DISK="${DISK:-/tmp/m9r42_install.qcow2}"
+DIAG_DISK="${DIAG_DISK:-/tmp/m9r42_diag.qcow2}"
+INSTALL_LOG="${INSTALL_LOG:-/tmp/m9r42_install.log}"
+INSTALL_TIMEOUT="${INSTALL_TIMEOUT:-900}"
+DIAG_OUT="${DIAG_OUT:-/tmp/m9r42_diag}"
+
+[ -f "$ISO" ] || { echo "ISO $ISO does not exist" >&2; exit 2; }
+
+OVMF_FW="$(find /nix/store -maxdepth 5 -path '*OVMF*/FV/OVMF_CODE.fd' 2>/dev/null | head -1)"
+[ -n "$OVMF_FW" ] || { echo "No OVMF firmware in /nix/store" >&2; exit 2; }
+OVMF_DIR="$(dirname "$OVMF_FW")"
+OVMF_CODE="$OVMF_DIR/OVMF_CODE.fd"
+
+INSTALL_VARS=/tmp/m9r42_install_ovmf_vars.fd
+cp "$OVMF_DIR/OVMF_VARS.fd" "$INSTALL_VARS"
+chmod u+w "$INSTALL_VARS"
+
+date
+
+rm -f "$DISK" "$DIAG_DISK"
+nix-shell -p qemu --run "qemu-img create -f qcow2 $DISK 32G" >/dev/null
+truncate -s 64M "$DIAG_DISK"
+
+ISO_GRUB_HAS_AUTORUN="$(strings "$ISO" 2>/dev/null | grep -c 'repro.installer.autorun=1' || true)"
+if [ "${ISO_GRUB_HAS_AUTORUN:-0}" -lt 1 ]; then
+  echo "[m9r42-install] WARNING: '$ISO' does NOT carry repro.installer.autorun=1"
+fi
+
+echo "=== M9.R.42 instrumented install (timeout ${INSTALL_TIMEOUT}s) ===" | tee "$INSTALL_LOG"
+nix-shell -p qemu OVMF --run "
+  tail -f /dev/null | qemu-system-x86_64 -machine q35 -m 4096 -smp 4 \
+    -drive if=pflash,format=raw,readonly=on,file=$OVMF_CODE \
+    -drive if=pflash,format=raw,file=$INSTALL_VARS \
+    -cdrom $ISO \
+    -drive file=$DISK,if=virtio,format=qcow2 \
+    -drive file=$DIAG_DISK,if=virtio,format=raw \
+    -nographic -serial mon:stdio -display none
+" >> "$INSTALL_LOG" 2>&1 &
+QPID=$!
+
+T=0
+while kill -0 $QPID 2>/dev/null && [ $T -lt $INSTALL_TIMEOUT ]; do
+  sleep 10
+  T=$((T+10))
+done
+if kill -0 $QPID 2>/dev/null; then
+  echo "[m9r42-install] ${INSTALL_TIMEOUT}s timeout, killing QEMU" | tee -a "$INSTALL_LOG"
+  kill -9 $QPID 2>/dev/null
+fi
+wait $QPID 2>/dev/null
+
+echo ""
+echo "=== M9.R.42 install log (last 200 lines, ANSI stripped) ==="
+sed 's/\x1B\[[0-9;]*[mK]//g' "$INSTALL_LOG" | tail -200
+
+echo ""
+echo "=== M9.R.42 post-mortem diag extraction ==="
+rm -rf "$DIAG_OUT"
+mkdir -p "$DIAG_OUT"
+HEADER="$(dd if="$DIAG_DISK" bs=512 count=1 status=none 2>/dev/null | tr -d '\0' | head -1)"
+echo "diag-header=$HEADER"
+DIAG_SIZE="$(echo "$HEADER" | sed -nE 's/^M9R39DIAGv1 SIZE=([0-9]+).*$/\1/p')"
+if [ -z "$DIAG_SIZE" ] || [ "$DIAG_SIZE" = "0" ]; then
+  echo "[m9r42-install] no M9R39DIAGv1 header on /dev/vdb; launcher diag-persist did not fire"
+  date
+  exit 0
+fi
+dd if="$DIAG_DISK" bs=512 skip=1 count=$(( (DIAG_SIZE + 511) / 512 )) \
+  status=none 2>/dev/null \
+  | head -c "$DIAG_SIZE" \
+  > "$DIAG_OUT/installer.diag.tar.gz"
+tar -xzf "$DIAG_OUT/installer.diag.tar.gz" -C "$DIAG_OUT" 2>&1
+
+echo ""
+echo "=== installer.rc ==="
+cat "$DIAG_OUT/installer.rc" 2>&1 || echo MISSING
+echo ""
+echo "=== installer.log (last 80) ==="
+tail -80 "$DIAG_OUT/installer.log" 2>&1
+echo ""
+echo "=== installer.disk-diag.log (M9.R.42.1 kernel-state snapshots) ==="
+if [ -f "$DIAG_OUT/installer.disk-diag.log" ]; then
+  cat "$DIAG_OUT/installer.disk-diag.log"
+else
+  echo "MISSING — REPRO_DISK_DIAG didn't reach the apply driver"
+fi
+echo ""
+date

_m9r42_iso_rebuild.sh

@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+# M9.R.42 — ISO rebuild that picks up:
+#   * the M9.R.42.1 disk-apply REPRO_DISK_DIAG hook (the diag file
+#     lands at /tmp/installer.disk-diag.log; the launcher passes the
+#     env var through strace + the diag-persist tarball includes it).
+#   * the M9.R.41 install-root subcommand stays — only the disk_apply
+#     module gained the kernel-state snapshot instrumentation.
+#
+# Same shape as _m9r41_iso_rebuild.sh.
+set -uo pipefail
+cd /opt/repro/reprobuild
+
+LOG=/tmp/m9r42_iso_build.log
+date > "$LOG"
+echo "=== M9.R.42 ISO rebuild (REPRO_INSTALLER_AUTORUN=1) ===" >> "$LOG"
+
+pkill -KILL -f 'moc$' 2>/dev/null || true
+pkill -KILL -9 -f 'cmake.*reproos' 2>/dev/null || true
+pkill -KILL -9 -f 'ninja.*reproos' 2>/dev/null || true
+
+# Nuke the staged de-rootfs + ISO so build phase re-fires.
+chmod -R u+w recipes/reproos-iso/build/de-rootfs 2>/dev/null || true
+rm -rf recipes/reproos-iso/build/de-rootfs
+rm -f recipes/reproos-iso/build/reproos.iso
+
+# Force a reproos-installer rebuild only if its sources changed.  The
+# M9.R.42 milestone touched stage-de-rootfs.sh + the disk_apply +
+# disk_tools modules — the installer C++ is unchanged from M9.R.41.
+# But because base-rootfs is keyed on apt-pkg-list and stays the same
+# as M9.R.41 (no apt-list change in M9.R.42), the cache hit should
+# be valid and we re-use it.
+chmod -R u+w apps/reproos-installer/.repro 2>/dev/null || true
+rm -rf apps/reproos-installer/.repro
+
+CLINGO_DIR="$(dirname "$(find /nix/store -maxdepth 3 -name 'libclingo.so' 2>/dev/null | head -1)")"
+export LD_LIBRARY_PATH="${CLINGO_DIR}${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
+
+export REPRO_INSTALLER_AUTORUN=1
+export IO_MON_SRC=/opt/repro/io-mon/src
+
+echo "=== step 1: rebuild reproos-installer ===" >> "$LOG"
+nix-shell -p openssl patchelf gcc binutils gnumake autoconf automake libtool pkg-config gettext perl python3 bison flex xz gawk kmod cpio squashfsTools libisoburn grub2 mtools dosfstools curl docker rsync --run "PATH=/opt/repro/reprobuild/build/bin:\$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH repro build --daemon=off --tool-provisioning=from-source apps/reproos-installer" >> "$LOG" 2>&1
+INSTALLER_RC=$?
+echo "INSTALLER_RC=$INSTALLER_RC" >> "$LOG"
+ls -la apps/reproos-installer/.repro/output/install/usr/bin/reproos-installer 2>&1 | tee -a "$LOG"
+if [ "$INSTALLER_RC" -ne 0 ]; then
+  echo "FAIL: reproos-installer rebuild RC=$INSTALLER_RC; ISO build aborted" >> "$LOG"
+  exit "$INSTALLER_RC"
+fi
+
+echo "=== step 2: rebuild ISO with REPRO_INSTALLER_AUTORUN=1 ===" >> "$LOG"
+nix-shell -p openssl patchelf gcc binutils gnumake autoconf automake libtool pkg-config gettext perl python3 bison flex xz gawk kmod cpio squashfsTools libisoburn grub2 mtools dosfstools curl docker rsync --run "PATH=/opt/repro/reprobuild/build/bin:\$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH REPRO_INSTALLER_AUTORUN=1 repro build --daemon=off --tool-provisioning=from-source recipes/reproos-iso" >> "$LOG" 2>&1
+RC=$?
+echo "" >> "$LOG"
+echo "RC=$RC" >> "$LOG"
+date >> "$LOG"
+
+echo "=== ISO artifact ===" >> "$LOG"
+ls -la recipes/reproos-iso/build/reproos.iso 2>&1 | tee -a "$LOG"
+
+echo "=== verify autorun cmdline staged ===" >> "$LOG"
+nix-shell -p binutils --run "strings recipes/reproos-iso/build/reproos.iso | grep -c 'repro.installer.autorun=1'" 2>&1 | tee -a "$LOG"
+
+echo "=== verify REPRO_DISK_DIAG passthrough in staged launcher ===" >> "$LOG"
+grep -c 'REPRO_DISK_DIAG=/tmp/installer.disk-diag.log' \
+  recipes/reproos-iso/build/de-rootfs/usr/bin/reproos-installer-launcher.sh \
+  2>&1 | tee -a "$LOG"
+
+echo "=== verify installer.disk-diag.log entry in diag-persist tarball list ===" >> "$LOG"
+grep -c 'installer.disk-diag.log' \
+  recipes/reproos-iso/build/de-rootfs/usr/bin/reproos-installer-launcher.sh \
+  2>&1 | tee -a "$LOG"
+
+echo "=== verify install-root subcommand is reachable on the live ISO ===" >> "$LOG"
+nix-shell -p binutils --run "strings recipes/reproos-iso/build/de-rootfs/usr/bin/repro 2>/dev/null | grep -c 'install-root'" 2>&1 | tee -a "$LOG"
+
+exit $RC

_m9r42_loopback_smoke.sh

@@ -0,0 +1,84 @@
+#!/usr/bin/env bash
+# M9.R.42.1 Phase A loopback smoke — exercise the disk-apply driver
+# against a 4 GiB loopback file with REPRO_DISK_DIAG set, so the
+# kernel-state snapshots fire on a Linux host that has sgdisk +
+# udev + partprobe but is NOT inside the live ISO.  This tests
+# whether the M9.R.41 sgdisk-exit-4 race reproduces OUTSIDE the
+# live-ISO autorun path (i.e. on a fully-booted Debian Trixie or
+# a NixOS host) — a critical signal for whether the race is
+# inherent to sgdisk/Trixie OR specific to the live-ISO udev/devtmpfs.
+set -uo pipefail
+
+IMG="${IMG:-/tmp/m9r42_loop.img}"
+DIAG_OUT="${DIAG_OUT:-/tmp/m9r42_loop_diag.log}"
+DISKO_NIM="${DISKO_NIM:-/tmp/m9r42_loop_disko.nim}"
+REPRO_BIN="${REPRO_BIN:-/opt/repro/reprobuild/build/bin/repro}"
+
+# Reset
+sudo umount -lf /tmp/m9r42_mnt 2>/dev/null || true
+sudo umount -lf /tmp/m9r42_mnt/boot 2>/dev/null || true
+sudo losetup -D 2>/dev/null || true
+rm -f "$IMG" "$DIAG_OUT"
+
+# 4 GiB loopback image
+truncate -s 4G "$IMG"
+LOOPDEV="$(sudo losetup --find --show "$IMG")"
+echo "[loop] LOOPDEV=$LOOPDEV"
+LOOPBASE="$(basename "$LOOPDEV")"
+
+cat > "$DISKO_NIM" <<NIM
+import repro_profile
+
+hardware "01M9R42-LOOP":
+  cpu:
+    arch: "x86_64"
+  disko:
+    disks:
+      "main":
+        device: "$LOOPDEV"
+        table: gpt
+        partitions:
+          "esp":
+            kind: esp
+            size: "512M"
+            bootable: true
+            content:
+              filesystem:
+                format: "vfat"
+                mountpoint: "/boot"
+          "root":
+            kind: linux
+            size: "100%"
+            content:
+              filesystem:
+                format: "ext4"
+                mountpoint: "/"
+NIM
+
+export REPRO_DISK_DIAG="$DIAG_OUT"
+echo "[loop] starting repro disk apply against $LOOPDEV"
+echo "[loop] BEFORE state:"
+ls -la "/dev/${LOOPBASE}"* 2>&1
+cat /proc/partitions 2>&1 | head -20
+
+cd /opt/repro/reprobuild
+sudo -E "$REPRO_BIN" disk apply "$DISKO_NIM" --confirm --device "$LOOPDEV" 2>&1
+APPLY_RC=$?
+echo "[loop] apply RC=$APPLY_RC"
+echo "[loop] AFTER state:"
+ls -la "/dev/${LOOPBASE}"* 2>&1
+cat /proc/partitions 2>&1 | head -20
+
+echo ""
+echo "=== M9.R.42.1 diag file ($DIAG_OUT) ==="
+if [ -f "$DIAG_OUT" ]; then
+  cat "$DIAG_OUT"
+else
+  echo "MISSING — diag file not created"
+fi
+
+# Cleanup
+sudo losetup -d "$LOOPDEV" 2>/dev/null || true
+rm -f "$IMG"
+
+exit $APPLY_RC

_m9r42_smoke_disko.json

@@ -0,0 +1 @@
+{"id":"01M9R42-SMOKE","cpuArch":"x86_64","cpuMicrocode":"intel","kernelModules":[],"loaderDevice":"/dev/loop99","filesystems":[],"graphicsDrivers":[],"audioCards":[],"disko":{"disks":{"main":{"device":"/dev/loop99","type":"gpt","partitions":{"esp":{"type":"esp","size":"512M","bootable":true,"content":{"kind":"filesystem","format":"vfat","mountpoint":"/boot","mountOptions":[],"label":"","subvols":[]}},"root":{"type":"linux","size":"100%","bootable":false,"content":{"kind":"filesystem","format":"ext4","mountpoint":"/","mountOptions":[],"label":"","subvols":[]}}}}},"pools":[]}}

libs/repro_elevation/src/repro_elevation/posix_system_parse.nim

@@ -1204,14 +1204,43 @@ proc renderIcaclsGrantCommandArgs*(path, entry: string): seq[string] =
   of icaclsDenyVerb:
     @["icacls", path, "/deny", split.spec]
 
+proc canonicalizeAclPrincipal*(p: string): string =
+  ## Collapse the well-known Windows principal aliases ``icacls``
+  ## accepts as INPUT to the domain-qualified form it emits as
+  ## OUTPUT, so a desired entry written ``SYSTEM:(F)`` matches an
+  ## observed entry written ``NT AUTHORITY\SYSTEM:(F)``.
+  ## Case-insensitive on the alias side (``System``, ``SYSTEM``,
+  ## ``system`` are all icacls-equivalent); the canonical form keeps
+  ## the exact spelling icacls emits (mixed-case on the
+  ## Network/Local Service family, all-caps on SYSTEM).
+  ##
+  ## Without this collapse the post-apply digest of a
+  ## ``fs.systemDirectory`` recipe declaring
+  ## ``aclEntry(principal = "SYSTEM", ...)`` disagrees with the
+  ## observed ACL even when ``icacls`` happily granted exactly that
+  ## ACE — operators would have to hand-write
+  ## ``NT AUTHORITY\SYSTEM`` to make the digest converge.
+  case p.toLowerAscii
+  of "system": "NT AUTHORITY\\SYSTEM"
+  of "localservice", "local service": "NT AUTHORITY\\LOCAL SERVICE"
+  of "networkservice", "network service": "NT AUTHORITY\\NETWORK SERVICE"
+  of "administrators": "BUILTIN\\Administrators"
+  of "users": "BUILTIN\\Users"
+  of "everyone": "Everyone"
+  of "authenticated users": "NT AUTHORITY\\Authenticated Users"
+  else: p
+
 proc normalizeDirAclEntry*(ace: string): string =
-  ## Stable rendering of an ACE for digest purposes: trim outer
-  ## whitespace and collapse all internal whitespace runs to single
-  ## spaces. icacls permits extra whitespace inside the perm groups;
-  ## the canonical form collapses these so two visually-equivalent
-  ## ACE strings hash to the same digest. Mirrors the
-  ## `normalizeAclEntry` shape in `windows_system_parse.nim` so the
-  ## two ACL kinds digest equivalent entries identically.
+  ## Stable rendering of an ACE for digest purposes: collapse
+  ## internal whitespace and canonicalise the principal alias
+  ## (``SYSTEM`` ↔ ``NT AUTHORITY\SYSTEM`` etc.). icacls permits
+  ## extra whitespace inside the perm groups and accepts well-known
+  ## short names as input but always emits the domain-qualified form
+  ## on output; the canonical form collapses both axes so two
+  ## visually-equivalent ACE strings hash to the same digest.
+  ## Mirrors the ``normalizeAclEntry`` shape in
+  ## ``windows_system_parse.nim`` so the two ACL kinds digest
+  ## equivalent entries identically.
   var collapsed = ""
   var prevWasSpace = false
   for ch in ace.strip():
@@ -1222,7 +1251,25 @@ proc normalizeDirAclEntry*(ace: string): string =
     else:
       collapsed.add(ch)
       prevWasSpace = false
-  collapsed
+  # Split principal:perm-spec at the FIRST ``:`` that is NOT inside a
+  # parenthesised group (an ACE shape is ``Principal[\Name]:(perms)``).
+  # The principal canonicalisation only rewrites the prefix.
+  var depth = 0
+  var splitIdx = -1
+  for i, ch in collapsed:
+    case ch
+    of '(': inc depth
+    of ')': dec depth
+    of ':':
+      if depth == 0:
+        splitIdx = i
+        break
+    else: discard
+  if splitIdx < 0:
+    return collapsed
+  let principal = collapsed[0 ..< splitIdx]
+  let rest = collapsed[splitIdx .. ^1]
+  canonicalizeAclPrincipal(principal) & rest
 
 proc canonicalDirAclDesired*(present: bool; owner: string;
                              entries: seq[string];

libs/repro_elevation/src/repro_elevation/windows_system_driver.nim

@@ -1473,7 +1473,12 @@ when defined(windows):
       " -TaskName " & psQuote(parts.leaf) &
       " -ErrorAction SilentlyContinue; " &
       "if ($null -eq $t) { 'Missing=1' } else { " &
-      "'TaskName=' + $t.TaskName; " &
+      # Emit the FULL path (``$t.TaskPath`` already ends with ``\``)
+      # so the canonical observed-state string matches the desired
+      # one (which carries the full ``\Folder\Leaf`` path). Without
+      # this the digest disagrees even when Register/Get/Unregister
+      # all targeted the same folder.
+      "'TaskName=' + $t.TaskPath + $t.TaskName; " &
       "'Executable=' + $t.Actions[0].Execute; " &
       "'Arguments=' + $t.Actions[0].Arguments; " &
       "'WorkingDirectory=' + $t.Actions[0].WorkingDirectory; " &

libs/repro_elevation/tests/t_smoke_repro_elevation.nim

@@ -1175,11 +1175,26 @@ suite "repro_elevation: fs.systemDirectory Phase D — drift digest":
       observedInheritanceDisabled = false,
       desiredInheritance = "enabled")
 
-  test "normalizeDirAclEntry collapses internal whitespace":
-    check normalizeDirAclEntry("SYSTEM:(F)") == "SYSTEM:(F)"
-    check normalizeDirAclEntry("  SYSTEM:(F)  ") == "SYSTEM:(F)"
-    check normalizeDirAclEntry("SYSTEM:(F)  (OI)") == "SYSTEM:(F) (OI)"
-    check normalizeDirAclEntry("SYSTEM:(F)\t (CI)") == "SYSTEM:(F) (CI)"
+  test "normalizeDirAclEntry collapses internal whitespace + canonicalises principal":
+    # The principal-alias collapse (added alongside the whitespace
+    # pass) rewrites ``SYSTEM`` to ``NT AUTHORITY\SYSTEM`` so the
+    # desired digest matches the icacls-emitted observed digest.
+    check normalizeDirAclEntry("SYSTEM:(F)") == "NT AUTHORITY\\SYSTEM:(F)"
+    check normalizeDirAclEntry("  SYSTEM:(F)  ") ==
+      "NT AUTHORITY\\SYSTEM:(F)"
+    check normalizeDirAclEntry("SYSTEM:(F)  (OI)") ==
+      "NT AUTHORITY\\SYSTEM:(F) (OI)"
+    check normalizeDirAclEntry("SYSTEM:(F)\t (CI)") ==
+      "NT AUTHORITY\\SYSTEM:(F) (CI)"
+    # A principal already in domain-qualified form is left alone.
+    check normalizeDirAclEntry("NT AUTHORITY\\SYSTEM:(F)") ==
+      "NT AUTHORITY\\SYSTEM:(F)"
+    # NetworkService -> NT AUTHORITY\NETWORK SERVICE.
+    check normalizeDirAclEntry("NetworkService:(RX)") ==
+      "NT AUTHORITY\\NETWORK SERVICE:(RX)"
+    # An unknown principal is left alone (the canonicaliser only
+    # rewrites the documented well-known set).
+    check normalizeDirAclEntry("DOMAIN\\Alice:(F)") == "DOMAIN\\Alice:(F)"
 
   test "fsSystemDirectoryDigestPayload back-compat for ACL-unmanaged":
     # The aclPresent==false branch MUST produce a string