diff --git a/.github/workflows/common.yml b/.github/workflows/common.yml
index 54ff2c22fa..fc3fa90006 100644
--- a/.github/workflows/common.yml
+++ b/.github/workflows/common.yml
@@ -90,7 +90,8 @@ jobs:
 # See also:
 # https://github.com/NixOS/nixpkgs/blob/b00c7c2d1d905eb63c81a0917f1a94b763a7843b/pkgs/development/interpreters/python/cpython/default.nix#L103
 # https://github.com/NixOS/nixpkgs/pull/98915
- - run: nix-shell --arg fullDeps true --run "unset _PYTHON_SYSCONFIGDATA_NAME && cd python && poetry run tox"
+ # LD_LIBRARY_PATH workaround: https://discourse.nixos.org/t/nixpkgs-nixos-unstable-many-package-fail-with-glibc-2-38-not-found/35078 https://github.com/NixOS/nixpkgs/issues/287764
+ - run: nix-shell --arg fullDeps true --run "unset _PYTHON_SYSCONFIGDATA_NAME && unset LD_LIBRARY_PATH && cd python && poetry run tox"
 python_support_test:
 name: Python support test
diff --git a/.github/workflows/core.yml b/.github/workflows/core.yml
index 95fc1db1bd..ced7379718 100644
--- a/.github/workflows/core.yml
+++ b/.github/workflows/core.yml
@@ -124,7 +124,7 @@ jobs:
 submodules: recursive
 - uses: ./.github/actions/environment
 - run: nix-shell --run "poetry run make -C core build_bootloader_emu"
- if: matrix.coins == 'universal'
+ if: matrix.coins == 'universal' && matrix.asan == 'noasan'
 - run: nix-shell --run "poetry run make -C core build_unix_frozen"
 - run: cp core/build/unix/trezor-emu-core core/build/unix/trezor-emu-core-${{ matrix.model }}-${{ matrix.coins }}
 - uses: actions/upload-artifact@v4
diff --git a/core/Makefile b/core/Makefile
index a47adaa70b..18397227f4 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -155,6 +155,9 @@ endif
 SCONS = scons $(SCONS_OPTS) $(SCONS_VARS)
+# LD_LIBRARY_PATH workaround: https://discourse.nixos.org/t/nixpkgs-nixos-unstable-many-package-fail-with-glibc-2-38-not-found/35078 https://github.com/NixOS/nixpkgs/issues/287764
+unexport LD_LIBRARY_PATH
+
 ## help commands:
 help: ## show this help
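Review bot: The comment added above the `run:` step in the `@@ -90,7 +90,8 @@` hunk of common.yml is only two bare URLs, so a reader cannot tell what fails without `unset LD_LIBRARY_PATH` or when the workaround can be dropped; the same comment is repeated in core/Makefile and tools/build_protobuf. Going by the first link's title the symptom is a "GLIBC_2.38 not found" loader error, but that is inferred and should be confirmed before it is written down. Put it in words, for example `# Unset LD_LIBRARY_PATH: with it set, tools in the nix-shell fail with "GLIBC_2.38 not found" (links below); drop once NixOS/nixpkgs#287764 is fixed`. A removal condition matters because this variable decides which shared objects every child process loads.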
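Review bot: Gating `build_bootloader_emu` on `matrix.asan == 'noasan'` in the `@@ -124,7 +124,7 @@` hunk of core.yml means the bootloader emulator is skipped in every matrix entry that is not 'noasan', presumably the sanitizer builds, and nothing in the hunk says why. If the sanitizer build broke with the bumped toolchain, record that next to the condition, for example `# bootloader emulator does not build with ASAN after the nixpkgs bump, see <issue-link>`, so the loss of sanitizer coverage for bootloader code is tracked rather than silent. Any later step in this job that consumes the bootloader emulator binary would need the same condition; those steps are outside the hunk.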
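Review bot: `unexport LD_LIBRARY_PATH` at file scope in the core/Makefile hunk strips the variable from the environment of every recipe in this Makefile, not only from the command that fails. In tools/build_protobuf the `unset` inside `do_rebuild()` (whose body starts outside that hunk) likewise stays in effect for the rest of the script after the function returns. If other targets or later commands rely on libraries found through that variable they will now fail at load time, which cannot be checked from the hunks. Either say in the comment that the global scope is intended, or limit it to the one command, for example in build_protobuf `(unset LD_LIBRARY_PATH; $PROTOB/pb2py "$@" $param="$OUTPUT" $SOURCES)`.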
diff --git a/shell.nix b/shell.nix
index 2c9f5cd238..cebca6a33e 100644
--- a/shell.nix
+++ b/shell.nix
@@ -4,39 +4,27 @@
 }:
 let
- # the last commit from master as of 2024-01-22
+ # the last commit from master as of 2024-11-21
 rustOverlay = import (builtins.fetchTarball {
- url = "https://github.com/oxalica/rust-overlay/archive/e36f66bb10b09f5189dc3b1706948eaeb9a1c555.tar.gz";
- sha256 = "1vivsmqmqajbvv7181y7mfl48fxmm75hq2c8rj6h1l2ymq28zcpg";
+ url = "https://github.com/oxalica/rust-overlay/archive/2d484c7a0db32f2700e253160bcd2aaa6cdca3ba.tar.gz";
+ sha256 = "17b32lz7kc12l8fwg8kc7ma83b51105z0xp2j0lfnsjr9qqc5r2y";
 });
 # define this variable and devTools if you want nrf{util,connect}
 acceptJlink = builtins.getEnv "TREZOR_FIRMWARE_ACCEPT_JLINK_LICENSE" == "yes";
- # the last successful build of nixpkgs-unstable as of 2023-04-14
+ # the last successful build of nixpkgs-unstable as of 2024-11-21
 nixpkgs = import (builtins.fetchTarball {
+ url = "https://github.com/NixOS/nixpkgs/archive/5083ec887760adfe12af64830a66807423a859a7.tar.gz";
+ sha256 = "0sr45csfh2ff8w7jpnkkgl22aa89sza4jlhs6wq0368dpmklsl8g";
+ }) {
+ config = {
+ allowUnfree = acceptJlink;
+ segger-jlink.acceptLicense = acceptJlink;
+ };
+ overlays = [ rustOverlay ];
+ };
+ oldNixpkgs = import (builtins.fetchTarball {
 url = "https://github.com/NixOS/nixpkgs/archive/c58e6fbf258df1572b535ac1868ec42faf7675dd.tar.gz";
 sha256 = "18pna0yinvdprhhcmhyanlgrmgf81nwpc0j2z9fy9mc8cqkx3937";
- }) {
- config = {
- allowUnfree = acceptJlink;
- segger-jlink.acceptLicense = acceptJlink;
- };
- overlays = [ rustOverlay ];
- };
- # 23.11 from 15. 4. 2024
- newNixpkgs = import (builtins.fetchTarball {
- url = "https://github.com/NixOS/nixpkgs/archive/53a2c32bc66f5ae41a28d7a9a49d321172af621e.tar.gz";
- sha256 = "0yqbwqbripb1bbhlwjfbqmg9qb0lai2fc0k1vfh674d6rrc8igwv";
- }) {
- config = {
- allowUnfree = acceptJlink;
- segger-jlink.acceptLicense = acceptJlink;
- };
- overlays = [ rustOverlay ];
- };
- # commit before python36 was removed
- oldPythonNixpkgs = import (builtins.fetchTarball {
- url = "https://github.com/NixOS/nixpkgs/archive/b9126f77f553974c90ab65520eff6655415fc5f4.tar.gz";
- sha256 = "02s3qkb6kz3ndyx7rfndjbvp4vlwiqc42fxypn3g6jnc0v5jyz95";
 }) { };
 moneroTests = nixpkgs.fetchurl {
 url = "https://github.com/ph4r05/monero/releases/download/v0.18.1.1-dev-tests-u18.04-02/trezor_tests";
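Review bot: `oldNixpkgs` in the `@@ -4,39 +4,27 @@` hunk is imported with `{ }`, so it takes `config` and `overlays` from the user's environment (`~/.config/nixpkgs`, `NIXPKGS_CONFIG`) rather than from this file; the hash pin fixes the source tree but not those inputs. Pass them explicitly, `}) { config = { }; overlays = [ ]; };`, so that the packages taken from it build the same on every machine. The binding also ends up without a comment: the removed line dated this revision 2023-04-14, and later hunks take `python38`, `protobuf3_19` and `pyright` from it. A line such as `# nixpkgs-unstable as of 2023-04-14, kept only for python38, protobuf3_19 and pyright; gets no further security fixes` would tell maintainers what still depends on the old snapshot.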
@@ -70,33 +58,19 @@ let
 # to use official binary, remove rustfmt from buildInputs and add it to extensions:
 extensions = [ "rust-src" "clippy" "rustfmt" ];
 };
- openocd-stm = (newNixpkgs.openocd.overrideAttrs (oldAttrs: {
- src = newNixpkgs.fetchFromGitHub {
+ openocd-stm = (nixpkgs.openocd.overrideAttrs (oldAttrs: {
+ src = nixpkgs.fetchFromGitHub {
 owner = "STMicroelectronics";
 repo = "OpenOCD";
 rev = "openocd-cubeide-v1.13.0";
 sha256 = "a811402e19f0bfe496f6eecdc05ecea57f79a323879a810efaaff101cb0f420f";
 };
 version = "stm-cubeide-v1.13.0";
- nativeBuildInputs = oldAttrs.nativeBuildInputs ++ [ newNixpkgs.autoreconfHook ];
+ nativeBuildInputs = oldAttrs.nativeBuildInputs ++ [ nixpkgs.autoreconfHook ];
 }));
- # backport https://github.com/NixOS/nixpkgs/pull/229537
- # remove after nixpkgs bump
- gcc-arm-embedded-gdbfix = (nixpkgs.gcc-arm-embedded.overrideAttrs (oldAttrs: {
- postFixup = ''
- mv $out/bin/arm-none-eabi-gdb $out/bin/arm-none-eabi-gdb-unwrapped
- cat < $out/bin/arm-none-eabi-gdb
- #!${nixpkgs.runtimeShell}
- export PYTHONPATH=${nixpkgs.python38}/lib/python3.8
- export PYTHONHOME=${nixpkgs.python38}/bin/python3.8
- exec $out/bin/arm-none-eabi-gdb-unwrapped "\$@"
- EOF
- chmod +x $out/bin/arm-none-eabi-gdb
- '';
- }));
- llvmPackages = nixpkgs.llvmPackages_14;
+ llvmPackages = nixpkgs.llvmPackages_17;
 # see pyright/README.md for update procedure
- pyright = nixpkgs.callPackage ./ci/pyright {};
+ pyright = oldNixpkgs.callPackage ./ci/pyright {};
 in
 with nixpkgs;
 stdenvNoCC.mkDerivation ({
@@ -109,9 +83,7 @@ stdenvNoCC.mkDerivation ({
 python311
 python310
 python39
- python38
- oldPythonNixpkgs.python37
- oldPythonNixpkgs.python36
+ oldNixpkgs.python38
 ] ++ [
 SDL2
 SDL2_image
@@ -121,7 +93,12 @@ stdenvNoCC.mkDerivation ({
 crowdin-cli # for translations
 curl # for connect tests
 editorconfig-checker
- (if devTools then gcc-arm-embedded-gdbfix else gcc-arm-embedded)
+ gcc-arm-embedded
+ # GCC <14 seems to have broken varargs handling on arm64-darwin which makes micropython crash.
+ # GCC 14 causes crypto tests to fail in CI due to emitting non-constant-time instructions,
+ # and it's probably a good idea to keep it the same version as gcc-arm-embedded anyway
+ # https://github.com/trezor/trezor-firmware/issues/4393
+ (if stdenv.isDarwin then gcc14 else gcc12)
 git
 gitAndTools.git-subrepo
 gnumake
@@ -129,11 +106,11 @@ stdenvNoCC.mkDerivation ({
 libffi
 libjpeg
 libusb1
- newNixpkgs.llvmPackages_17.clang
+ llvmPackages.clang
 openssl
- pkgconfig
+ pkg-config
 poetry
- protobuf3_19
+ oldNixpkgs.protobuf3_19
 pyright
 (mkBinOnlyWrapper rustNightly)
 wget
@@ -141,7 +118,6 @@ stdenvNoCC.mkDerivation ({
 moreutils
 ] ++ lib.optionals (!stdenv.isDarwin) [
 autoPatchelfHook
- gcc12
 procps
 valgrind
 ] ++ lib.optionals (stdenv.isDarwin) [
diff --git a/tools/build_protobuf b/tools/build_protobuf
index a4417b5dd7..84b1872549 100755
--- a/tools/build_protobuf
+++ b/tools/build_protobuf
@@ -26,6 +26,8 @@ do_rebuild() {
 local param="--python-outdir"
 fi
+ # LD_LIBRARY_PATH workaround: https://discourse.nixos.org/t/nixpkgs-nixos-unstable-many-package-fail-with-glibc-2-38-not-found/35078 https://github.com/NixOS/nixpkgs/issues/287764
+ unset LD_LIBRARY_PATH
 # note $SOURCES is unquoted - we want wildcard expansion and multiple args
 $PROTOB/pb2py "$@" $param="$OUTPUT" $SOURCES
 }
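Review bot: The comment added in the `@@ -121,7 +93,12 @@` hunk says GCC 14 emits non-constant-time instructions in the crypto code, yet `(if stdenv.isDarwin then gcc14 else gcc12)` selects exactly that compiler on Darwin, and the comment does not say what this means for binaries built there. State the consequence where the choice is made, for example `# Darwin therefore builds with gcc14: the constant-time crypto tests are expected to fail there and are only meaningful on Linux/CI`, adjusted to what issue 4393 actually established. The "same version as gcc-arm-embedded" reasoning also depends on what the unversioned `gcc-arm-embedded` resolves to in the pinned nixpkgs, which is not visible in the hunk. Both should be re-checked at the next nixpkgs bump.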