2 changes: 1 addition & 1 deletion flowey/flowey_lib_hvlite/src/_jobs/cfg_versions.rs
Expand Up @@ -24,7 +24,7 @@ pub const GH_CLI: &str = "2.52.0";
pub const MDBOOK: &str = "0.4.40";
pub const MDBOOK_ADMONISH: &str = "1.18.0";
pub const MDBOOK_MERMAID: &str = "0.14.0";
pub const MU_MSVM: &str = "26.0.1";
pub const MU_MSVM: &str = "26.0.3";
pub const NEXTEST: &str = "0.9.101";
pub const NODEJS: &str = "24.x";
// N.B. Kernel version numbers for dev and stable branches are not directly
8 changes: 4 additions & 4 deletions nix/uefi_mu_msvm.nix
Expand Up @@ -8,17 +8,17 @@ let
else if system == "aarch64-linux" then "AARCH64-CLANGPDB"
else "X64-VS2022";
hash = {
"AARCH64-CLANGPDB" = "sha256-ujHL96/irxRaITtIAxhocbrX+iBQuqNNWDDx8MYQ8i8=";
"X64-VS2022" = "sha256-3NJ4wNA7HXLiMIAVbQXS0cralheCok4rJ8CaedduN9I=";
"AARCH64-CLANGPDB" = "sha256-L1xRlkfek0cajN55neRPnaBjFQnz/G3liZPLzIf2WD4=";
"X64-VS2022" = "sha256-yThByWhaSWNPAdUyBrqzdY1VT/QIzf+yopFumoigajc=";
}.${archToolchain};

in stdenv.mkDerivation {
pname = "uefi-mu-msvm-${archToolchain}";
version = "26.0.1";
version = "26.0.3";

src = fetchzip {
url =
"https://github.com/microsoft/mu_msvm/releases/download/v26.0.1/RELEASE-${archToolchain}-artifacts.tar.gz";
"https://github.com/microsoft/mu_msvm/releases/download/v26.0.3/RELEASE-${archToolchain}-artifacts.tar.gz";
stripRoot = false;
inherit hash;
Comment on lines +17 to 23
Member

probably real

Contributor Author

Are the hashes coming from the sha256 entries here?:
https://github.com/microsoft/mu_msvm/releases/tag/v26.0.3

RELEASE-X64-VS2022 is: sha256:d8e320f89f0e4871e5dfac6433dde62c4ac96988a192fcd713f12a96ff6c07a5
RELEASE-AARCH64-CLANGPDB is: sha256:255fbd69f1cf1d3d769d8bad20e1533fe1fcde3436f53bd94d8d387fbbad70f6

The format looks different than what is on this file right now?

Contributor Author

Looks like it comes from some nix tool that you can get in linux, but there is some more conversion needed

Member

right you need to build nix locally otherwise this update will break it. if you're not ready to update this, you should hold off.

Contributor Author

ran sudo nix-shell --pure twice after emptying those hash strings. The first one failed for x64 with:

unpacking source archive /build/RELEASE-X64-VS2022-artifacts.tar.gz
error: hash mismatch in fixed-output derivation '/nix/store/01c33fsp6vix5agcqkng26w6lcm22gkk-source.drv':
         specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
            got:    sha256-yThByWhaSWNPAdUyBrqzdY1VT/QIzf+yopFumoigajc=

And the second time fails for arm64 (after populating x64):

unpacking source archive /build/RELEASE-AARCH64-CLANGPDB-artifacts.tar.gz
error: hash mismatch in fixed-output derivation '/nix/store/lbj91hwmdv458pnp5602j8kl7wi4gj5y-source.drv':
         specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
            got:    sha256-L1xRlkfek0cajN55neRPnaBjFQnz/G3liZPLzIf2WD4=

These hashes match the state of what's in the PR today, so should be good to go

};
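--- a/nix/update_hashes.py
+++ b/nix/update_hashes.py
@@ -0,0 +1,147 @@
+#!/usr/bin/env python3
+"""Helper for updating fetchzip/fetchurl SRI hashes in the .nix files in this folder.
+
+Given one or more URLs, this script invokes ``nix-prefetch-url --unpack`` to
+download and hash the unpacked archive contents (matching what ``fetchzip``
+does), then converts the resulting Nix base32 hash into the SRI format
+(``sha256-<base64>=``) used by these .nix files.
+
+Usage:
+# Prefetch one or more URLs and print SRI hashes.
+./update_hashes.py <url> [<url> ...]
+
+# Convert already-computed Nix base32 hashes to SRI without re-downloading.
+./update_hashes.py --convert <nix32-hash> [<nix32-hash> ...]
+
+Requires ``nix-prefetch-url`` on PATH (``sudo apt install nix-bin`` on Ubuntu /
+WSL). On a multi-user Nix install you may need ``sudo`` to access the daemon
+socket; in that case prefix the command with ``sudo``.
+
+Example:
+sudo ./update_hashes.py \\
+https://github.com/microsoft/mu_msvm/releases/download/v26.0.3/RELEASE-X64-VS2022-artifacts.tar.gz \\
+https://github.com/microsoft/mu_msvm/releases/download/v26.0.3/RELEASE-AARCH64-CLANGPDB-artifacts.tar.gz
+"""
+
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+from __future__ import annotations
+
+import argparse
+import base64
+import shutil
+import subprocess
+import sys
+
+# Nix base32 alphabet: omits 'e', 'o', 'u', 't' to avoid spelling words.
+_NIX32_ALPHABET = "0123456789abcdfghijklmnpqrsvwxyz"
+
+
+def nix32_to_bytes(s: str, hashlen: int = 32) -> bytes:
+"""Decode a Nix base32 string (the format printed by ``nix-prefetch-url``)
+into its raw bytes.
+
+Nix base32 encodes characters in reverse order vs. position: char ``n`` of
+the encoded string holds bits ``[5n .. 5n+4]`` of the hash, but the string
+itself is reversed before encoding, so the most-significant bits appear
+first when read left-to-right.
+"""
+if len(s) != (hashlen * 8 - 1) // 5 + 1:
+raise ValueError(
+f"unexpected nix32 length {len(s)} for {hashlen}-byte hash"
+)
+
+out = bytearray(hashlen)
+# Reverse the string so character index 0 corresponds to the lowest bits.
+for n, c in enumerate(reversed(s)):
+try:
+digit = _NIX32_ALPHABET.index(c)
+except ValueError as e:
+raise ValueError(f"invalid nix32 character: {c!r}") from e
+b = 5 * n
+i, j = b // 8, b % 8
+out[i] |= (digit << j) & 0xFF
+if i + 1 < hashlen:
+out[i + 1] |= (digit >> (8 - j)) & 0xFF
+return bytes(out)
+
+
+def nix32_to_sri(nix32: str) -> str:
+"""Convert a Nix base32 sha256 hash to SRI (``sha256-<base64>``) format."""
+raw = nix32_to_bytes(nix32)
+return "sha256-" + base64.b64encode(raw).decode("ascii")
+
+
+def prefetch(url: str) -> str:
+"""Download ``url`` via ``nix-prefetch-url --unpack`` and return the hash.
+
+The returned value is the Nix base32 string printed on the last line of
+``nix-prefetch-url``'s stdout.
+"""
+if shutil.which("nix-prefetch-url") is None:
+sys.exit(
+"error: nix-prefetch-url not found on PATH.\n"
+"Install it with: sudo apt install nix-bin"
+)
+
+result = subprocess.run(
+["nix-prefetch-url", "--unpack", "--type", "sha256", url],
+check=True,
+capture_output=True,
+text=True,
+)
+# nix-prefetch-url prints progress on stderr and the hash as the last
+# non-empty line of stdout.
+lines = [line for line in result.stdout.splitlines() if line.strip()]
+if not lines:
+sys.exit(f"error: nix-prefetch-url produced no output for {url}")
+return lines[-1].strip()
+
+
+def main() -> int:
+parser = argparse.ArgumentParser(
+description=(
+"Prefetch URLs and print SRI hashes suitable for fetchzip in the "
+".nix files in this folder."
+)
+)
+parser.add_argument(
+"args",
+nargs="*",
+metavar="URL_OR_HASH",
+help=(
+"URLs to prefetch with `nix-prefetch-url --unpack`, or, with "
+"--convert, Nix base32 hashes to convert to SRI."
+),
+)
+parser.add_argument(
+"--convert",
+action="store_true",
+help=(
+"Treat positional arguments as Nix base32 hashes and convert "
+"them to SRI without re-downloading."
+),
+)
+parsed = parser.parse_args()
+
+if not parsed.args:
+parser.print_help()
+return 2
+
+if parsed.convert:
+for h in parsed.args:
+print(nix32_to_sri(h))
+return 0
+
+for url in parsed.args:
+print(f"# {url}", file=sys.stderr)
+nix32 = prefetch(url)
+sri = nix32_to_sri(nix32)
+print(sri)
+
+return 0
+
+
+if __name__ == "__main__":
+sys.exit(main())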
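Review bot: nix32_to_bytes silently discards the high bits of the leading character: when `if i + 1 < hashlen:` is false, the `digit >> (8 - j)` overflow is simply dropped, so a mistyped 52-character string passed to `--convert` still yields a well-formed but wrong SRI hash instead of an error. Those padding bits must be zero in a valid encoding, so the loop should reject them, e.g. an `elif digit >> (8 - j):` branch that does `raise ValueError("invalid nix32 hash: non-zero padding bits")`. Separately, `prefetch` combines `check=True` with `capture_output=True`, so when nix-prefetch-url fails the user gets a CalledProcessError traceback and never sees the tool's stderr; catching the error and printing `e.stderr` before exiting would make a failed fetch diagnosable. The docstring of nix32_to_bytes also describes the bit order two contradictory ways and would be clearer as a single statement that the last character holds the lowest five bits.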