Skip to content
/ firmwareci-base-image Public

This repository provides a minimal, NixOS-based image designed to serve as a base environment for FirmwareCI tests. It equips the host machine with all necessary capabilities required for running the tests.

License

BSD-2-Clause license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

BlindspotSoftware/firmwareci-base-image

BranchesTags

Repository files navigation

FirmwareCI Base Image

This repository provides modular, reproducible NixOS base images for FirmwareCI and custom hardware testing. It is intended as a foundation for building your own NixOS-based CI images, offering flexible configuration of kernel, firmware, packages, and services. Each image includes essential default tooling, enabling your host machine to execute any FirmwareCI test step reliably.

Note: Chipsec is compatible with kernel versions 6.16 and earlier. For kernel versions newer than 6.16, exclude chipsec from your builds by setting includeChipSec = false.

For a comprehensive overview of available FirmwareCI commands and usage, refer to the FirmwareCI Commands Reference.

Features

  • Nix Flake-based: Modern, reproducible, and composable.
  • Easy to extend: Use as a base for your own hardware.

Quick Start

Prerequisites

  • Nix with flakes enabled (experimental-features = nix-command flakes in your nix.conf).

Build All Images

make all

Build a Specific Image

make base

Clean build outputs

make clean

The resulting images will be symlinked as ./base.

Flake Structure

  • flake.nix – Flake entrypoint, exposes base image and modules.
  • modules/base.nix – Base system options and configuration.
  • modules/kernel.nix – Kernel options and configuration.
  • pkgs/ – Package definitions (default-tools, chipsec, amd-debug-tools, etc.).
  • Makefile – Simple build automation for images.

Using as a Base for Your Own Image

You can use this flake as a base for your own NixOS image or configuration.

Example: Extend in Your Own Flake

{
  description = "My Custom FirmwareCI Image";

  inputs.firmwareci-base-image.url = "github:BlindspotSoftware/firmwareci-base-image";

  outputs = { self, nixpkgs, firmwareci-base-image, ... }:
    let
      myHardwareConfig = { ... }: {
        firmwareci.base = {
          sshAccess = {
            user = "root";
            key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcSD9iHnCrJXkSt7aGSnfL0tVHUm+x6/EDr/FchmBfu";
          };
        };

        firmwareci.kernel = {
          version = "6.6.7";
          sha256 = "...";
          extraKernelModules = [ "dummy" "loop" ];
          kernelPatches = [
            {
              name = "my-custom-patch";
              patch = ./path/to/my-patch.patch;
            }
          ];
        };
      };
    in {
      nixosConfigurations.my-custom-image = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          firmwareci-base-image.baseConfig
          myHardwareConfig
        ];
      };
    };
}

Configuration Options

You can override these options in your own configuration or flake:

firmwareci.base options

Option Type Default Description
sshAccess submodule { user = ""; key = ""; } Add an SSH public key for a user (see below).
enableFwupd bool true Enable the fwupd firmware update service.
enableAllFirmware bool true Enable all available firmware blobs.
allowBroken bool true Allow installation of broken packages.
allowUnfree bool true Allow installation of unfree packages.
includeChipSec bool true Include chipsec with kernel module.
includeDefaultTools bool true Include the default tools package in the image.

sshAccess submodule

Option Type Default Description
user str "" SSH user for access (e.g. "root").
key str "" SSH public key to add to the user's authorized_keys.

firmwareci.kernel options

Option Type Default Description
version str "6.12.58" Linux kernel version to use.
sha256 str SRI hash SHA256 hash for the kernel tarball (must be in SRI format, e.g. sha256-...).
extraKernelModules list of str [] Extra kernel modules to load at boot (e.g. ["dummy"]).
includeIntelModules bool true Include Intel-specific kernel modules (rapl, pmc, lpss).
kernelPatches list of attrs [] List of kernel patches to apply. Each patch should have name and patch attributes.

SSH Access and Security

Note:
The default FirmwareCI images are configured to allow SSH access to the root user:

users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcSD9iHnCrJXkSt7aGSnfL0tVHUm+x6/EDr/FchmBfu"
];

This configuration allows FirmwareCI to securely connect to your device via SSH using a preconfigured key at /root/.ssh/fwci inside the test environment. You may also customize the SSH access settings to suit your specific requirements.

Example SSH transport configuration for FirmwareCI to connect to the machine:

transport: &transport
  proto: ssh
  options:
    host: "my.network"
    user: root
    identity_file: /root/.ssh/fwci #pre-configured SSH-key

Caution:
Do not enable this configuration on devices connected to publicly accessible networks, as it may expose your system to unauthorized access.

Development

We welcome contributions from everyone!
Format and lint Nix code with:

nix fmt
nix run .#statix

Pre-commit hooks are available via pre-commit-hooks.nix and will run nixpkgs-fmt and statix on all .nix files before commit.

License

BSD 2-Clause License

Maintainers

Contributing

Contributions and issues are welcome! Please open a PR or issue on GitHub.

References

About

This repository provides a minimal, NixOS-based image designed to serve as a base environment for FirmwareCI tests. It equips the host machine with all necessary capabilities required for running the tests.

Resources

Readme

License

BSD-2-Clause license
Activity
Custom properties

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages