qemu: enable canokey by default

[alyssais]

Description of changes

Given that we were overriding qemu_test to enable this anyway, enabling this by default saves Hydra a QEMU build.

There's also clear demand from users for this feature, so our alternatives are:

• Offer a qemu-canokey attribute. I don't want to do this, because I don't think there's any reason to make Hydra build an extra QEMU.

• Enable it only for qemu_test. I don't want to do this, because it will lead to users using qemu_test without understanding its subtleties.

• Force users to build from source. I don't think there's any reason to do this when it's unlikely to hurt anybody having it enabled by default. There's no reason to single out canokey to be disabled by default in spite of users' needs given that we enable so many other optional QEMU features.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[tlaurion]

@alyssais @oxalica thanks for moving this forward.

[oxalica]

I'm fine with enabling it as default. Diff LGTM.

[NickCao]

If the impact on closure size is minimal, I'm for this.

[oxalica]

If the impact on closure size is minimal

canokey-qemu's closure (31.5M) is smaller than the rounding errors of QEMU's (1.5G). The outputs of nix path-info -S -h is the same and you need to remove that -h to see the difference.

/nix/store/qz1n0j1c47crdj67zybn8lymbiryw14d-qemu-8.2.3   1653097944
/nix/store/yji397fspxvawqfiyx47kkfvkk46rfpa-qemu-8.2.3   1652325560

[alyssais]

Weird error to only get for a single architecture (x86_64-darwin):

/tmp/nix-build-canokey-qemu-0-unstable-2023-06-06.drv-0/source/canokey-core/applets/oath/oath.c:44:50: error: too many arguments provided to function-like macro invocation
  memcpy(RDATA, (uint8_t[]){OATH_TAG_VERSION, 3, 0x05, 0x05, 0x05, OATH_TAG_NAME, HANDLE_LEN}, 7);
                                                 ^
/nix/store/vw8y07yai2pjv02s1piw3r5cyhmjbddf-Libsystem-1238.60.2/include/secure/_string.h:64:9: note: macro 'memcpy' defined here
#define memcpy(dest, src, len)                                  \
        ^
/tmp/nix-build-canokey-qemu-0-unstable-2023-06-06.drv-0/source/canokey-core/applets/oath/oath.c:44:3: note: parentheses are required around macro argument containing braced initializer list
  memcpy(RDATA, (uint8_t[]){OATH_TAG_VERSION, 3, 0x05, 0x05, 0x05, OATH_TAG_NAME, HANDLE_LEN}, 7);
  ^
                (                                                                            )
1 error generated.

[alyssais]

I guess maybe on aarch64-darwin's libsystem memcpy isn't a macro

[alyssais]

@ofborg build qemu.tests

[tlaurion]

https://nixpk.gs/pr-tracker.html?pr=311914

Still new to nix so not sure how to track when things are part of nixos-unstable