Fix setup.sh for newer Ubuntu versions by falling back to libncursesw6/libtinfo6

Author: Willy Zhang

.github/workflows/main.yml

@@ -108,22 +108,18 @@ jobs:
   integration_tests_nix:
     runs-on: ot-provisioning-nix-runner
     timeout-minutes: 60
-    env:
-      OT_PROV_ORCHESTRATOR_PATH: /home/ci/orchestrator/latest/orchestrator.zip
-      OT_PROV_ORCHESTRATOR_UNPACK: /home/ci/orchestrator/latest/copy_files.sh
     steps:
       - uses: actions/checkout@v4
         with:
           lfs: true
       - name: Initialize LFS objects
         run: git lfs pull
       - name: Run provisioning appliance load test (Nix)
-        run: OPENTITAN_VAR_DIR=$(pwd)/.otvar-dev nix develop --command ./tests/run_pa_loadtest.sh --prod
+        run: nix develop --command env OPENTITAN_VAR_DIR=$(pwd)/.otvar-dev ./tests/run_pa_loadtest.sh
       - name: Run provisioning appliance load test (PQ) (Nix)
-        run: OPENTITAN_VAR_DIR=$(pwd)/.otvar-dev-pq nix develop --command ./tests/run_pa_loadtest.sh --pq
+        run: nix develop --command env OPENTITAN_VAR_DIR=$(pwd)/.otvar-dev-pq ./tests/run_pa_loadtest.sh --pq
       - name: Run TLS test (Nix)
-        run: OPENTITAN_VAR_DIR=$(pwd)/.otvar-dev nix develop --command ./tests/run_tls_test.sh --prod
+        run: nix develop --command env OPENTITAN_VAR_DIR=$(pwd)/.otvar-dev ./tests/run_tls_test.sh
       - name: Run integration tests (SoftHSM2) (Nix)
-        run: OT_PROV_ORCHESTRATOR_PATH="${OT_PROV_ORCHESTRATOR_PATH}" OT_PROV_ORCHESTRATOR_UNPACK="${OT_PROV_ORCHESTRATOR_UNPACK}" OPENTITAN_VAR_DIR=$(pwd)/.otvar-dev nix develop --command ./tests/run_ate_test.sh
-      - name: Run integration tests (Thales HSM) (Nix)
-        run: OT_PROV_ORCHESTRATOR_PATH="${OT_PROV_ORCHESTRATOR_PATH}" OT_PROV_ORCHESTRATOR_UNPACK="${OT_PROV_ORCHESTRATOR_UNPACK}" OPENTITAN_VAR_DIR=$(pwd)/.otvar-prod nix develop --command ./tests/run_ate_test.sh --prod
+        run: nix develop --command env OPENTITAN_VAR_DIR=$(pwd)/.otvar-dev ./tests/run_ate_test.sh
+

flake.nix

@@ -24,6 +24,7 @@ outputs = { self, nixpkgs, ... }:
       unzip
 
       # Build tools
+      bazelisk
       go
       python3
       python3Packages.pip
@@ -36,54 +37,12 @@ outputs = { self, nixpkgs, ... }:
       libusb1
       libftdi1
       openssl
+      libp11
       ncurses5
       udev
       stdenv.cc.cc.lib
     ];
 
-    # Create a wrapped bazelisk that handles all the environment and sandbox issues
-    bazelisk-wrapped = let
-      # GCC specific library paths (both shared and static)
-      gccLibPath = "${pkgs.stdenv.cc.cc.lib}/lib";
-    in pkgs.writeShellScriptBin "bazelisk" ''
-      export NIX_LIBS="${pkgs.lib.makeLibraryPath sharedTools}:$gccLibPath"
-      export NIX_INTERPRETER="${pkgs.stdenv.cc.libc}/lib/ld-linux-x86-64.so.2"
-      
-      # Final Force: Create a local directory in the workspace and COPY the libraries
-      # This ensures the sandbox MUST see them.
-      mkdir -p .nix-libs
-      cp -f $gccLibPath/libgcc_s.so* .nix-libs/ 2>/dev/null
-      
-      # Find libgcc.a in multiple locations and copy it
-      # 1. From Nix GCC
-      find ${pkgs.stdenv.cc.cc} -name "libgcc.a" -exec cp -f {} .nix-libs/ \; 2>/dev/null
-      # 2. From Host GCC (Ubuntu 24.04)
-      find /usr/lib/gcc -name "libgcc.a" -exec cp -f {} .nix-libs/ \; 2>/dev/null
-
-      # Create a local bazelrc for nix-specific settings
-      cat > .bazelrc-nix <<EOF
-# Point to our local physically injected libraries
-build --linkopt=-L\$PWD/.nix-libs
-build --action_env=RUSTFLAGS="-L\$PWD/.nix-libs"
-
-# Environment variables for actions
-build --action_env=LD_LIBRARY_PATH="$NIX_LIBS"
-build --host_action_env=LD_LIBRARY_PATH="$NIX_LIBS"
-build --action_env=LIBRARY_PATH="$NIX_LIBS"
-build --host_action_env=LIBRARY_PATH="$NIX_LIBS"
-
-# Sandbox mounts
-build --sandbox_add_mount_pair=/nix:/nix
-build --sandbox_add_mount_pair=/usr/lib:/usr/lib
-build --sandbox_add_mount_pair=/lib:/lib
-build --sandbox_add_mount_pair=/lib64:/lib64
-EOF
-
-      export LD_LIBRARY_PATH="$NIX_LIBS:$LD_LIBRARY_PATH"
-      export LIBRARY_PATH="$NIX_LIBS:$LIBRARY_PATH"
-
-      exec ${pkgs.bazelisk}/bin/bazelisk --bazelrc=.bazelrc-nix "$@"
-    '';
   in
   {
     # 1. For bare-metal deployment (future)
@@ -96,18 +55,22 @@ EOF
 
     # 2. For developers and Hybrid CI (current)
     devShells.${system}.default = pkgs.mkShell {
-      buildInputs = sharedTools ++ [ bazelisk-wrapped ];
+      buildInputs = sharedTools;
 
       shellHook = ''
         echo "OpenTitan Provisioning Development Environment"
         export OT_PROV_SHELL=1
 
-        # Set defaults for other tools (like go or python)
+        # Configure OpenSSL to find the pkcs11 engine provided by libp11
+        export OPENSSL_ENGINES="${pkgs.libp11}/lib/engines"
+
+        # Basic LD paths to ensure tools run correctly in the shell
         export LD_LIBRARY_PATH="${pkgs.lib.makeLibraryPath sharedTools}:$LD_LIBRARY_PATH"
         export NIX_LD_LIBRARY_PATH="${pkgs.lib.makeLibraryPath sharedTools}"
         export NIX_LD="${pkgs.stdenv.cc.libc}/lib/ld-linux-x86-64.so.2"
       '';
     };
 
+
   };
 }

setup.sh

@@ -9,9 +9,17 @@ readonly REPO_TOP="$(dirname "$0")"
 readonly OPENTITAN_VAR_DIR="/var/lib/opentitan"
 
 sudo apt update
-sed -e '/^$/d' -e '/^#/d' -e 's/#.*//' \
-  < "$REPO_TOP/apt-requirements.txt" \
-  | sudo xargs apt install -y
+PACKAGES=$(sed -e '/^$/d' -e '/^#/d' -e 's/#.*//' < "$REPO_TOP/apt-requirements.txt")
+
+# Fallback to newer ncurses/tinfo versions if older ones are missing (e.g. Ubuntu 24.04+)
+if ! apt-cache pkgnames "^libncursesw5$" | grep -q "libncursesw5"; then
+  PACKAGES=$(echo "$PACKAGES" | sed 's/libncursesw5/libncursesw6/g')
+fi
+if ! apt-cache pkgnames "^libtinfo5$" | grep -q "libtinfo5"; then
+  PACKAGES=$(echo "$PACKAGES" | sed 's/libtinfo5/libtinfo6/g')
+fi
+
+echo "$PACKAGES" | sudo xargs apt install -y
 sudo apt clean
 
 go install github.com/bazelbuild/bazelisk@v1.27.0