uboot: (firmwareOdroidC2/C4) don't invoke patch tool, use patches = [] instead

https://github.com/NixOS/nixpkgs/blob/master/pkgs/stdenv/generic/setup.sh#L948
this can do it nicely.

Signed-off-by: Anton Arapov <anton@deadbeef.mx>

pkgs/applications/virtualization/crosvm/default-seccomp-policy-dir.diff

@@ -0,0 +1,15 @@
+diff --git a/src/crosvm.rs b/src/crosvm.rs
+index b7055df..5989c87 100644
+--- a/src/crosvm.rs
++++ b/src/crosvm.rs
+@@ -141,7 +141,9 @@ impl Default for Config {
+             x_display: None,
+             shared_dirs: Vec::new(),
+             sandbox: !cfg!(feature = "default-no-sandbox"),
+-            seccomp_policy_dir: PathBuf::from(SECCOMP_POLICY_DIR),
++            seccomp_policy_dir: PathBuf::from(
++                option_env!("DEFAULT_SECCOMP_POLICY_DIR").unwrap_or(SECCOMP_POLICY_DIR),
++            ),
+             seccomp_log_failures: false,
+             cras_audio: false,
+             cras_capture: false,

pkgs/applications/virtualization/crosvm/default.nix

@@ -0,0 +1,61 @@
+{ stdenv, lib, rustPlatform, fetchgit
+, pkg-config, wayland-scanner, libcap, minijail, wayland, wayland-protocols
+, linux
+}:
+
+let
+
+  upstreamInfo = with builtins; fromJSON (readFile ./upstream-info.json);
+
+  arch = with stdenv.hostPlatform;
+    if isAarch64 then "arm"
+    else if isx86_64 then "x86_64"
+    else throw "no seccomp policy files available for host platform";
+
+in
+
+  rustPlatform.buildRustPackage rec {
+    pname = "crosvm";
+    inherit (upstreamInfo) version;
+
+    src = fetchgit (builtins.removeAttrs upstreamInfo.src [ "date" "path" ]);
+
+    patches = [
+      ./default-seccomp-policy-dir.diff
+    ];
+
+    cargoLock.lockFile = ./Cargo.lock;
+
+    nativeBuildInputs = [ pkg-config wayland-scanner ];
+
+    buildInputs = [ libcap minijail wayland wayland-protocols ];
+
+    postPatch = ''
+      cp ${./Cargo.lock} Cargo.lock
+      sed -i "s|/usr/share/policy/crosvm/|$out/share/policy/|g" \
+             seccomp/*/*.policy
+    '';
+
+    preBuild = ''
+      export DEFAULT_SECCOMP_POLICY_DIR=$out/share/policy
+    '';
+
+    postInstall = ''
+      mkdir -p $out/share/policy/
+      cp seccomp/${arch}/* $out/share/policy/
+    '';
+
+    CROSVM_CARGO_TEST_KERNEL_BINARY =
+      lib.optionalString (stdenv.buildPlatform == stdenv.hostPlatform)
+        "${linux}/${stdenv.hostPlatform.linux-kernel.target}";
+
+    passthru.updateScript = ./update.py;
+
+    meta = with lib; {
+      description = "A secure virtual machine monitor for KVM";
+      homepage = "https://chromium.googlesource.com/chromiumos/platform/crosvm/";
+      maintainers = with maintainers; [ qyliss ];
+      license = licenses.bsd3;
+      platforms = [ "aarch64-linux" "x86_64-linux" ];
+    };
+  }

pkgs/applications/virtualization/crosvm/generate-cargo.sh

@@ -0,0 +1,7 @@
+dir="$(mktemp -d)" &&
+    cd "$dir" &&
+    unpackPhase &&
+    cd "${sourceRoot:-}" &&
+    cargo generate-lockfile &&
+    mv Cargo.lock "$1"
+rm -rf "$dir"

pkgs/applications/virtualization/crosvm/update.py

@@ -0,0 +1,92 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -p nix-prefetch-git "python3.withPackages (ps: with ps; [ lxml ])"
+#! nix-shell -i python
+
+import base64
+import json
+import re
+import shlex
+import subprocess
+from codecs import iterdecode
+from os.path import abspath, dirname, splitext
+from lxml import etree
+from lxml.etree import HTMLParser
+from urllib.request import urlopen
+
+git_path = 'chromiumos/platform/crosvm'
+git_root = 'https://chromium.googlesource.com/'
+manifest_versions = f'{git_root}chromiumos/manifest-versions'
+buildspecs_url = f'{manifest_versions}/+/refs/heads/master/full/buildspecs/'
+
+# CrOS version numbers look like this:
+# [<chrome-major-version>.]<tip-build>.<branch-build>.<branch-branch-build>
+#
+# As far as I can tell, branches are where internal Google
+# modifications are added to turn Chromium OS into Chrome OS, and
+# branch branches are used for fixes for specific devices.  So for
+# Chromium OS they will always be 0.  This is a best guess, and is not
+# documented.
+with urlopen('https://cros-updates-serving.appspot.com/') as resp:
+    document = etree.parse(resp, HTMLParser())
+    # bgcolor="lightgreen" is set on the most up-to-date version for
+    # each channel, so find a lightgreen cell in the "Stable" column.
+    (platform_version, chrome_version) = document.xpath("""
+        (//table[@id="cros-updates"]/tr/td[1 + count(
+            //table[@id="cros-updates"]/thead/tr[1]/th[text() = "Stable"]
+            /preceding-sibling::*)
+        ][@bgcolor="lightgreen"])[1]/text()
+    """)
+
+chrome_major_version = re.match(r'\d+', chrome_version)[0]
+chromeos_tip_build = re.match(r'\d+', platform_version)[0]
+
+# Find the most recent buildspec for the stable Chrome version and
+# Chromium OS build number.  Its branch build and branch branch build
+# numbers will (almost?) certainly be 0.  It will then end with an rc
+# number -- presumably these are release candidates, one of which
+# becomes the final release.  Presumably the one with the highest rc
+# number.
+with urlopen(f'{buildspecs_url}{chrome_major_version}/?format=TEXT') as resp:
+    listing = base64.decodebytes(resp.read()).decode('utf-8')
+    buildspecs = [(line.split('\t', 1)[1]) for line in listing.splitlines()]
+    buildspecs = [s for s in buildspecs if s.startswith(chromeos_tip_build)]
+    buildspecs.sort(reverse=True)
+    buildspec = splitext(buildspecs[0])[0]
+
+# Read the buildspec, and extract the git revision.
+with urlopen(f'{buildspecs_url}{chrome_major_version}/{buildspec}.xml?format=TEXT') as resp:
+    xml = base64.decodebytes(resp.read())
+    root = etree.fromstring(xml)
+    revision = root.find(f'./project[@name="{git_path}"]').get('revision')
+
+# Initialize the data that will be output from this script.  Leave the
+# rc number in buildspec so nobody else is subject to the same level
+# of confusion I have been.
+data = {'version': f'{chrome_major_version}.{buildspec}'}
+
+# Fill in the 'src' key with the output from nix-prefetch-git, which
+# can be passed straight to fetchGit when imported by Nix.
+argv = ['nix-prefetch-git',
+        '--fetch-submodules',
+        '--url', git_root + git_path,
+        '--rev', revision]
+output = subprocess.check_output(argv)
+data['src'] = json.loads(output.decode('utf-8'))
+
+# Find the path to crosvm's default.nix, so the src data can be
+# written into the same directory.
+argv = ['nix-instantiate', '--eval', '--json', '-A', 'crosvm.meta.position']
+position = json.loads(subprocess.check_output(argv).decode('utf-8'))
+filename = re.match(r'[^:]*', position)[0]
+
+# Write the output.
+with open(dirname(filename) + '/upstream-info.json', 'w') as out:
+    json.dump(data, out, indent=2)
+    out.write('\n')
+
+# Generate a Cargo.lock
+run = ['.',
+       dirname(abspath(__file__)) + '/generate-cargo.sh',
+       dirname(filename) + '/Cargo.lock']
+expr = '(import ./. {}).crosvm.overrideAttrs (_: { dontCargoSetupPostUnpack = true; })'
+subprocess.run(['nix-shell', '-E', expr, '--run', shlex.join(run)])

pkgs/applications/virtualization/crosvm/upstream-info.json

@@ -0,0 +1,14 @@
+{
+  "version": "100.14526.0.0-rc1",
+  "src": {
+    "url": "https://chromium.googlesource.com/chromiumos/platform/crosvm",
+    "rev": "bdf5e4d4379030cfa2d0510328b8acce73162217",
+    "date": "2022-02-14T19:13:41+00:00",
+    "path": "/nix/store/xw31chiwnpzgcp07nf448g2npcwiwkkm-crosvm-bdf5e4d",
+    "sha256": "0mrnjyyqmz24z1yvdq2mysmhmz0577k8kf9y4v51g7860crqp9ji",
+    "fetchLFS": false,
+    "fetchSubmodules": true,
+    "deepClone": false,
+    "leaveDotGit": false
+  }
+}