Creating a verity store using image.repart leads to empty ESP partition

I’ve just started adventuring into the world of Nix(OS) and wanted to create a reproducible system image with a dm-verity-backed nix-store.

Looking at the tests available in nixpkgs, appliance-repart-image-verity-store.nix appears to implement about 90% of what I need. Based on that, I created a flake to mimic its behaviour (GitHub - andreluis034/nixos-verity-example). However, every time I attempt to boot the generated image in QEMU, I end up in the EFI shell.

Upon inspection, I found that the boot partition of my generated image is empty and does not contain a UKI:

$ nix build
$ sgdisk -p result/test-image_1.raw
Disk result/test-image_1.raw: 2663696 sectors, 1.3 GiB
Sector size (logical): 512 bytes
Disk identifier (GUID): B581FEF7-24ED-4F31-990B-099EC86BBA03
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 2048, last usable sector is 2663662
Partitions will be aligned on 8-sector boundaries
Total free space is 7 sectors (3.5 KiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048          133119   64.0 MiB    EF00  esp
   2          133120          291287   77.2 MiB    8319  store-verity
   3          291288         2663655   1.1 GiB     8314  store
$ sudo losetup -P /dev/loop0 result/test-image_1.raw
$ sudo mount /dev/loop0p1 /mnt/ESP/
$ ls -la /mnt/ESP/
total 5
drwxr-xr-x  2 root root  512 Jan  1  1970 .
drwxr-xr-x 12 root root 4096 Apr 11 14:14 ..

For comparison, running the nixosTests.appliance-repart-image-verity-store test from nixpkgs I can confirm that the test virtual machine is indeed able to boot (presumably because the UKI has been placed in the ESP partition):

$ nix build .#nixosTests.appliance-repart-image-verity-store
$ nix log .#nixosTests.appliance-repart-image-verity-store
...
machine # EFI stub: Loaded initrd from LINUX_EFI_INITRD_MEDIA_GUID device path
machine # [    0.000000] Linux version 6.6.86 (nixbld@localhost) (gcc (GCC) 13.3.0, GNU ld (GNU Binutils) 2.43.1) #1-NixOS SMP PREEMPT_DYNAMIC Mon Apr  7 08:06:37 UTC 2025
...

I have no idea what could be going wrong in my build. Being new to nix, I am uncertain how to begin debugging my configuration. Could anyone suggest ways to further trace why my build isn’t properly populating the EFI partition? Any pointers on additional debugging steps or configuration differences would be greatly appreciated!

Due to some hackiness with how the dm-verity module works, the attr you need to build is finalImage, not image.

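As an added illustration of the reply above (not code from this thread or from the andreluis034/nixos-verity-example repository), here is a minimal flake that makes `nix build` produce the verity-aware image instead of the bare one. It assumes the system configuration lives in a hypothetical ./configuration.nix and that the attribute path is config.system.build.finalImage, the attribute the appliance-repart-image-verity-store test in nixpkgs builds:

```nix
{
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

  outputs = { self, nixpkgs }:
    let
      system = "x86_64-linux";
      # Hypothetical module holding the image.repart and verity-store settings.
      cfg = nixpkgs.lib.nixosSystem {
        inherit system;
        modules = [ ./configuration.nix ];
      };
    in {
      nixosConfigurations.verity = cfg;

      packages.${system} = {
        # `nix build` with no attribute builds this one. Per the reply above,
        # finalImage is the attr that ends up with a populated ESP.
        default = cfg.config.system.build.finalImage;

        # Kept only for comparison: building this is what left the ESP empty.
        image = cfg.config.system.build.image;
      };
    };
}
```

After `nix build`, repeating the sgdisk / losetup / mount check from the question against the new result should show the ESP populated rather than the empty directory listing seen above; `nix build .#image` reproduces the original symptom.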

Well, that was embarrassing… That was it, thank you!