feat: change docker configuration to native setup without nix-shell a…

…nd download latest arm builds from data.trezor.io
trezor · Aug 2, 2024 · 84d503a · 84d503a
1 parent 5323c4d
commit 84d503a
Show file tree

Hide file tree

Showing 9 changed files with 131 additions and 36 deletions.
diff --git a/.github/workflows/build-tenv-test.yml b/.github/workflows/build-tenv-test.yml
@@ -24,7 +24,7 @@ jobs:
         uses: docker/build-push-action@v2
         with:
           context: .
-          file: ./docker/Dockerfile
+          file: ./docker/Dockerfile-debian
           platforms: linux/amd64,linux/arm64
           push: true
           tags: |

diff --git a/.gitignore b/.gitignore
@@ -6,6 +6,7 @@ __pycache__
 src/binaries/firmware/bin/*
 !src/binaries/firmware/bin/download.sh
 !src/binaries/firmware/bin/download_latest_gh.py
+!src/binaries/firmware/bin/patch-bin.sh
 !src/binaries/firmware/bin/arm
 !src/binaries/trezord-go/bin/download.sh
 emulator.img

diff --git a/docker/Dockerfile-debian b/docker/Dockerfile-debian
@@ -0,0 +1,54 @@
+# Start with a base Debian image
+FROM debian:bookworm-slim
+
+# Set environment variables
+ENV TERM=xterm \
+    XDG_RUNTIME_DIR="/var/tmp" \
+    LC_ALL=C.UTF-8 \
+    LANG=C.UTF-8 \
+    GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt \
+    NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
+
+# Install required packages
+RUN curl -sL https://deb.nodesource.com/setup_22.x  | bash -
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    openssl \
+    bash \
+    git \
+    nodejs \
+    python3 \
+    python3-dev \
+    python3-pip \
+    python3-venv \
+    python3-poetry \
+    libsdl2-2.0-0 \
+    libsdl2-image-2.0-0 \
+    x11-xserver-utils \
+    wget \
+    unzip \
+    curl \
+    procps \
+    build-essential \
+    g++ \
+    libc6 \
+    libc6-dev \
+    patchelf \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+
+# Add basic trezor-user-env files
+COPY ./ /trezor-user-env
+WORKDIR /trezor-user-env
+
+# Install Python dependencies using poetry
+RUN poetry cache clear --all pypi
+RUN poetry install --no-dev --no-root
+
+# Execute scripts and clean up
+RUN ./src/binaries/firmware/bin/download.sh
+RUN ./src/binaries/trezord-go/bin/download.sh
+# Patch emulator binaries
+RUN cd src/binaries/firmware/bin && ./patch-bin.sh
+
+# Command to run on container start
+CMD poetry run python src/main.py
diff --git a/docker/compose.yml b/docker/compose.yml
@@ -1,4 +1,3 @@
-version: '3'
 services:
   trezor-user-env-unix:
     container_name: trezor-user-env.unix

diff --git a/patch_emulators.sh b/patch_emulators.sh
@@ -7,4 +7,4 @@ DIR_TO_PATCH="${1:-src/binaries/firmware/bin}"
 
 echo "Patching ${DIR_TO_PATCH}"
 
-nix-shell --run "autoPatchelf ${DIR_TO_PATCH}"
+patchelf ${DIR_TO_PATCH}
diff --git a/shell.nix b/shell.nix
@@ -21,7 +21,6 @@ stdenv.mkDerivation {
     xorg.xhost
     wget
     git
-    unzip
     curl
     procps
   ];

diff --git a/src/binaries/firmware/bin/download.sh b/src/binaries/firmware/bin/download.sh
@@ -6,22 +6,12 @@ SYSTEM_ARCH=$(uname -m)
 cd "$(dirname "${BASH_SOURCE[0]}")"
 BIN_DIR=$(pwd)
 
-# WARNING: this will download the emulators from the latest SUCCESSFULLY run pipeline from trezor-firmware.
-# If the pipeline fails, it will download from the previous successful run.
-GITLAB_URL="https://gitlab.com/satoshilabs/trezor/trezor-firmware/-/jobs/artifacts/main/download"
-
 if [[ $SYSTEM_ARCH == x86_64* ]]; then
-    # All core emulators are downloaded from trezor.io
     SITE="https://data.trezor.io/dev/firmware/releases/emulators/"
-    LEGACY_LATEST_BUILD="${GITLAB_URL}?job=legacy%20emu%20regular%20debug%20build"
     CUT_DIRS=4
 
 elif [[ $SYSTEM_ARCH == aarch64* ]]; then
     SITE="https://data.trezor.io/dev/firmware/releases/emulators/arm/"
-    CORE_LATEST_BUILD="${GITLAB_URL}?job=core%20unix%20frozen%20debug%20build%20arm"
-    R_LATEST_BUILD="${GITLAB_URL}?job=core%20unix%20frozen%20R%20debug%20build%20arm"
-    LEGACY_LATEST_BUILD="${GITLAB_URL}?job=legacy%20emu%20regular%20debug%20build%20arm"
-    T3T1_LATEST_BUILD="${GITLAB_URL}?job=core%20unix%20frozen%20T3T1%20debug%20build%20arm"
     CUT_DIRS=5
 
 else
@@ -52,38 +42,31 @@ cd "$TMP_DIR"
 # otherwise extracting TR into already existing TT will ask for confirmation
 
 if [[ $SYSTEM_ARCH == x86_64* ]]; then
-    wget --no-config -O trezor-emu-legacy-main.zip "$LEGACY_LATEST_BUILD"
-    unzip -o -q trezor-emu-legacy-main.zip
-    mv legacy/firmware/trezor.elf ../trezor-emu-legacy-v1-main
+    wget https://data.trezor.io/dev/firmware/emu-nightly/trezor-emu-legacy-T1B1-universal
+    mv trezor-emu-legacy-T1B1-universal ../trezor-emu-legacy-v1-main
 
     wget https://data.trezor.io/dev/firmware/emu-nightly/trezor-emu-core-T2T1-universal
     mv trezor-emu-core-T2T1-universal ../trezor-emu-core-v2-main
 
-    wget https://data.trezor.io/dev/firmware/emu-nightly/trezor-emu-core-T3T1-universal
-    mv trezor-emu-core-T3T1-universal ../trezor-emu-core-T3T1-v2-main
-
     wget https://data.trezor.io/dev/firmware/emu-nightly/trezor-emu-core-T2B1-universal
     mv trezor-emu-core-T2B1-universal ../trezor-emu-core-R-v2-main
 
+    wget https://data.trezor.io/dev/firmware/emu-nightly/trezor-emu-core-T3T1-universal
+    mv trezor-emu-core-T3T1-universal ../trezor-emu-core-T3T1-v2-main
+
 elif [[ $SYSTEM_ARCH == aarch64* ]]; then
-    wget --no-config -O trezor-emu-core-arm-main.zip "$CORE_LATEST_BUILD"
-    unzip -o -q trezor-emu-core-arm-main.zip -d arm/
-    mv arm/core/build/unix/trezor-emu-core-arm ../trezor-emu-core-v2-main-arm
 
-    wget --no-config -O trezor-emu-core-R-arm-main.zip "$R_LATEST_BUILD"
-    unzip -o -q trezor-emu-core-R-arm-main.zip -d arm/
-    mv arm/core/build/unix/trezor-emu-core-arm ../trezor-emu-core-R-v2-main-arm
+    wget https://data.trezor.io/dev/firmware/emu-nightly/trezor-emu-arm-legacy-T1B1-universal
+    mv trezor-emu-arm-legacy-T1B1-universal ../trezor-emu-legacy-v1-main-arm
 
-    # TEMPORARILY replaced by baking the emulators into the image
-    wget --no-config -O trezor-emu-core-T3T1-arm-main.zip "$T3T1_LATEST_BUILD"
-    unzip -o -q trezor-emu-core-T3T1-arm-main.zip -d arm/
-    mv arm/core/build/unix/trezor-emu-core-arm ../trezor-emu-core-T3T1-v2-main-arm
-    mv ../arm/trezor-emu-core-T3T1-v2-main-arm ../trezor-emu-core-T3T1-v2-main-static-arm
+    wget https://data.trezor.io/dev/firmware/emu-nightly/trezor-emu-arm-core-T2T1-universal
+    mv trezor-emu-arm-core-T2T1-universal ../trezor-emu-core-v2-main-arm
 
-    wget --no-config -O trezor-emu-legacy-arm-main.zip "$LEGACY_LATEST_BUILD"
-    unzip -o -q trezor-emu-legacy-arm-main.zip -d arm/
-    mv arm/legacy/firmware/trezor-arm.elf ../trezor-emu-legacy-v1-main-arm
+    wget https://data.trezor.io/dev/firmware/emu-nightly/trezor-emu-arm-core-T2B1-universal
+    mv trezor-emu-arm-core-T2B1-universal ../trezor-emu-core-R-v2-main-arm
 
+    wget https://data.trezor.io/dev/firmware/emu-nightly/trezor-emu-arm-core-T3T1-universal
+    mv trezor-emu-arm-core-T3T1-universal ../trezor-emu-core-T3T1-v2-main-arm
 fi
 
 cd "$BIN_DIR"

diff --git a/src/binaries/firmware/bin/patch-bin.sh b/src/binaries/firmware/bin/patch-bin.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+INTERPRETER_X86_64="/lib64/ld-linux-x86-64.so.2"
+INTERPRETER_ARM64="/lib/ld-linux-aarch64.so.1"
+BINARY_DIR="./"
+
+get_interpreter() {
+    local arch="$1"
+    case "$arch" in
+        "Advanced Micro Devices X86-64")
+            echo "$INTERPRETER_X86_64"
+            ;;
+        "AArch64")
+            echo "$INTERPRETER_ARM64"
+            ;;
+        *)
+            echo "Unknown architecture: $arch"
+            return 1
+            ;;
+    esac
+}
+
+change_interpreter() {
+    local binary="$1"
+    local arch current_interpreter new_interpreter
+
+    if ! readelf -h "$binary" &>/dev/null; then
+        echo "Skipping $binary: Not an ELF file."
+        return
+    fi
+
+    arch=$(readelf -h "$binary" | grep 'Machine:' | awk '{print $2}')
+    echo "Detected architecture for $binary: $arch"
+
+    new_interpreter=$(get_interpreter "$arch")
+
+    if [[ $? -ne 0 || -z "$new_interpreter" ]]; then
+        echo "Skipping $binary: Unsupported or unknown architecture."
+        return
+    fi
+
+    current_interpreter=$(patchelf --print-interpreter "$binary" 2>/dev/null)
+    echo "Current interpreter for $binary: $current_interpreter"
+
+    if [[ $? -eq 0 && "$current_interpreter" != "$new_interpreter" ]]; then
+        echo "Patching $binary (arch: $arch, old: $current_interpreter, new: $new_interpreter)"
+        patchelf --set-interpreter "$new_interpreter" "$binary"
+    else
+        echo "No need to patch $binary."
+    fi
+}
+
+export -f change_interpreter
+export -f get_interpreter
+export INTERPRETER_X86_64
+export INTERPRETER_ARM64
+
+find "$BINARY_DIR" -type f -executable -exec bash -c 'change_interpreter "$0"' {} \;
+
+echo "All binaries patched."
diff --git a/src/binaries/trezord-go/bin/download.sh b/src/binaries/trezord-go/bin/download.sh
@@ -14,5 +14,4 @@ else
    exit 1
 fi
 
-# Older bridge (<= 31) needs older glibc so we are pinning to nixos-21.05 (stable) as of 2021-07-02
-nix-shell -p autoPatchelfHook -I "nixpkgs=https://github.com/NixOS/nixpkgs/archive/e9148dc1c30e02aae80cc52f68ceb37b772066f3.tar.gz" --run "autoPatchelf $FILES"
+# nix-shell --run "autoPatchelf $FILES"