nixos/systemd-boot-builder: verify content of existing entry files

A file named nixos-<hash>.conf whose content no longer hashes to <hash> is corrupt. Skip it so GC removes it and a fresh entry is written.
2026-06-05 21:03:40 +00:00 · 2026-05-04 12:18:11 +02:00
parent 820d20f8b9
commit 3ff32972f8
1 changed files with 9 additions and 6 deletions
--- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
+++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
@@ -194,14 +194,17 @@ class BootFile:
    ) -> tuple["BootFile", str]:
        contents_hash = hashlib.sha256(contents).hexdigest()
        path_prefix = f"nixos-{contents_hash}"
+        pat = re.compile(rf"{re.escape(path_prefix)}(\+[0-9]+(-[0-9]+)?)?\.conf")
        path = None
        for e in os.scandir(path=BOOT_MOUNT_POINT / "loader" / "entries"):
-            mat = re.fullmatch(
-                rf"{re.escape(path_prefix)}(\+[0-9]+(-[0-9]+)?)?\.conf", e.name
-            )
-            if mat is not None:
-                path = Path("loader/entries") / e.name
-                break
+            if pat.fullmatch(e.name) is None:
+                continue
+            # Ignore files whose content does not match the hash in their
+            # name so GC removes them and a fresh entry is written.
+            if hashlib.sha256(Path(e.path).read_bytes()).hexdigest() != contents_hash:
+                continue
+            path = Path("loader/entries") / e.name
+            break
        if path is None:
            counters = f"+{BOOT_COUNTING_TRIES}" if BOOT_COUNTING else ""
            path = Path(f"loader/entries/{path_prefix}{counters}.conf")