Introduce jetsonCheckSpecCompatability pre-switch check

We can check whether the bup for a NixOS configuration matches the
machine we're trying to deploy the NixOS system to. This aims to improve
user experience: if the firmware doesn't support the expected board, the
capsule update will fail and it's not clear why unless you inspect the
serial logs.

The check can be manually skipped by setting the
SKIP_TEGRA_COMPAT_CHECK environment variable.

Author: elliotberman

modules/flash-script.nix

@@ -436,6 +436,14 @@ in
       inherit (pkgs.nvidia-jetpack) uefiCapsuleUpdate flashScript initrdFlashScript fuseScript signedFirmware;
     };
 
+    system.preSwitchChecks.jetsonCheckSpecCompatability = "${lib.getExe (pkgs.writeShellApplication {
+      name = "ota-check-tegra-compatability-spec";
+      text = ''
+        [ -n "$SKIP_TEGRA_COMPAT_CHECK" ] && exit 0
+        exec ${lib.getExe' pkgs.nvidia-jetpack.otaUtils "ota-check-compat"} ${pkgs.nvidia-jetpack.bupSpecs}
+      '';
+    })}";
+
     hardware.nvidia-jetpack.flashScriptOverrides.flashArgs = lib.mkAfter (
       lib.optional (cfg.firmware.secureBoot.pkcFile != null) "-u ${cfg.firmware.secureBoot.pkcFile}" ++
       lib.optional (cfg.firmware.secureBoot.sbkFile != null) "-v ${cfg.firmware.secureBoot.sbkFile}" ++

overlay-with-config.nix

@@ -150,6 +150,7 @@ final: prev: (
             # TODO: Remove preSignCommands when we switch to using signedFirmware directly
             flashCommands = ''
               ${cfg.firmware.secureBoot.preSignCommands final.buildPackages}
+              touch nix-multispec
             '' + lib.concatMapStringsSep "\n"
               (v: with v;
               (lib.concatStringsSep " " [
@@ -168,10 +169,17 @@ final: prev: (
                 "--bup"
                 "--multi-spec"
                 (builtins.toString cfg.flashScriptOverrides.flashArgs)
-              ]))
+              ]) + ''
+
+                find bootloader/multi_signed -maxdepth 1 -type d -name ${boardid}\* -printf "%f\n" >> nix-multispec
+              '')
               cfg.firmware.variants;
           }) + ''
           mkdir -p $out
+          # it's likely that the nix-multispec has duplicate entries because
+          # boardid is the same across the different variants.
+          # sort -u to remove the duplicates.
+          sort -u nix-multispec > $out/nix-multispec
           cp -r bootloader/payloads_*/* $out/
         '');
 
@@ -196,6 +204,8 @@ final: prev: (
           ${finalJetpack.socType}
         '');
 
+      bupSpecs = prev.runCommand "${config.networking.hostName}-specs" {} "cp ${finalJetpack.bup}/nix-multispec $out";
+
       signedFirmware = final.runCommand "signed-${hostName}-${finalJetpack.l4tMajorMinorPatchVersion}"
         { inherit (cfg.firmware.secureBoot) requiredSystemFeatures; }
         (finalJetpack.mkFlashScript final.pkgsBuildBuild.nvidia-jetpack.flash-tools {

pkgs/ota-utils/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenvNoCC, bash, util-linux, e2fsprogs, tegra-eeprom-tool, efiSysMountPoint ? "/boot", expectedBiosVersion ? "Unknown" }:
+{ lib, stdenvNoCC, bash, coreutils, util-linux, e2fsprogs, tegra-eeprom-tool, efiSysMountPoint ? "/boot", expectedBiosVersion ? "Unknown" }:
 
 stdenvNoCC.mkDerivation {
   name = "ota-utils";
@@ -21,8 +21,9 @@ stdenvNoCC.mkDerivation {
     cp ${./ota-apply-capsule-update.sh} $out/bin/ota-apply-capsule-update
     cp ${./ota-check-firmware.sh} $out/bin/ota-check-firmware
     cp ${./ota-abort-capsule-update.sh} $out/bin/ota-abort-capsule-update
+    cp ${./ota-check-compat.sh} $out/bin/ota-check-compat
     cp ${./ota_helpers.func} $out/share/ota_helpers.func
-    chmod +x $out/bin/ota-setup-efivars $out/bin/ota-apply-capsule-update $out/bin/ota-check-firmware $out/bin/ota-abort-capsule-update
+    chmod +x $out/bin/ota-setup-efivars $out/bin/ota-apply-capsule-update $out/bin/ota-check-firmware $out/bin/ota-abort-capsule-update $out/bin/ota-check-compat
 
     for path in $out/bin/ota-apply-capsule-update $out/share/ota_helpers.func $out/bin/ota-abort-capsule-update; do
       substituteInPlace "$path" --subst-var efiSysMountPoint
@@ -34,6 +35,8 @@ stdenvNoCC.mkDerivation {
       sed -i '2a export PATH=${lib.makeBinPath [ util-linux e2fsprogs tegra-eeprom-tool ]}:$PATH' $out/bin/$fname
     done
 
+    sed -i '2a PATH=${lib.makeBinPath [ coreutils util-linux ]}:$PATH' $out/bin/ota-check-compat
+
     substituteInPlace $out/bin/ota-check-firmware \
       --replace "@expectedBiosVersion@" "${expectedBiosVersion}"
 

pkgs/ota-utils/ota-check-compat.sh

@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+
+SPECS="$1"
+
+# See FwPackageCheckTnSpec() in edk2-nvidia/Silicon/NVIDIA/Library/FwPackageLib
+checkspec() {
+    local expected="$1"
+    local actual="$2"
+
+    # Return 1 (no match) if either argument is empty
+    if [[ -z "$expected" || -z "$actual" ]]; then
+        return 1
+    fi
+
+    # Split the strings into tokens using '-' as delimiter
+    IFS='-' read -ra tokensExpected <<< "$expected"
+    IFS='-' read -ra tokensActual   <<< "$actual"
+
+    # If the token counts differ, it's a mismatch
+    if [[ "${#tokensExpected[@]}" -ne "${#tokensActual[@]}" ]]; then
+        return 1
+    fi
+
+    # Iterate over each token index
+    for i in "${!tokensExpected[@]}"; do
+        local token1="${tokensExpected[i]}"
+        local token2="${tokensActual[i]}"
+
+        # If either token is empty, ignore and continue to next token
+        if [[ -z "$token1" || -z "$token2" ]]; then
+            continue
+        fi
+
+        # If the tokens do not match, return 1 indicating no match
+        if [[ "$token1" != "$token2" ]]; then
+            return 1
+        fi
+    done
+
+    # All tokens match (ignoring empty tokens), return 0 for success
+    return 0
+}
+
+extractboardname() {
+    local spec="$1"
+
+    # per flash.sh, spec="${BOARDID}-${FAB}-${BOARDSKU}-${BOARDREV}-${fuselevel_s}-${hwchiprev}-${ext_target_board}-";
+    # and we want ext_target_board. ext_target_board has "-" in it, which makes processing this a little more annoying
+    cut -d- -f7- <<< "$spec" | rev | cut -d- -f2- | rev
+}
+
+# cut -c 4- to remove the leading attributes from the efi variable
+# See the warning at: https://docs.kernel.org/filesystems/efivarfs.html
+PLATFORM_SPEC="$(cut -c 4- </sys/firmware/efi/efivars/TegraPlatformSpec-781e084c-a330-417c-b678-38e696380cb9 | tr -d '\0')"
+COMPAT_SPEC="$(cut -c 4- </sys/firmware/efi/efivars/TegraPlatformCompatSpec-781e084c-a330-417c-b678-38e696380cb9 | tr -d '\0')"
+
+NIXOS_BOARDS=""
+
+while read spec ; do
+    if checkspec "$PLATFORM_SPEC" "$spec" || checkspec "$COMPAT_SPEC" "$spec"; then
+        exit 0
+    fi
+    NIXOS_BOARDS+="$(extractboardname "$spec")"$'\n'
+done < "$SPECS"
+
+MACHINE_BOARDS="$( (extractboardname "$PLATFORM_SPEC" ; extractboardname "$COMPAT_SPEC") | sort -u | tr '\n' ' ' )"
+NIXOS_BOARDS="$( echo "$NIXOS_BOARDS" | sort -u | tr '\n' ' ' )"
+
+echo "This machine is not compatible with the platform specs for this NixOS system!"
+echo "This machine is a: ${MACHINE_BOARDS}"
+echo "This NixOS system supports: ${NIXOS_BOARDS}"
+exit 1