BoB L1: new tdx-init, LH 8.0.0

[ilyaluk]

tdx-init version is forward-incompatible, so those images would need to get fresh persistent disks.

They support disk upsizing though.

best viewed per-commit

• backport: fix cmake hangs on macos under rosetta
• backport: kernel: fix macos rosetta reproducibility
• bob-common: bump tdx-init version
• bob-l1: include trixie-backports for rust 1.89
• bob-l1: bump lighthouse to 8.0.0
• bob-l1: move readme, clarify image measurements

[Copilot]

Pull Request Overview

This PR updates the tdx-init version from v0.1.1 to v0.3.0 (a forward-incompatible change requiring fresh persistent disks) and enhances documentation with a clarifying note about image measurements tied to specific commits.

Key Changes:

• Bumped tdx-init version to v0.3.0 in bob-common build configuration
• Added measurement reproducibility guidance in bob-l1 readme

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
bob-common/mkosi.build	Updates tdx-init dependency from v0.1.1 to v0.3.0
bob-l1/readme.md	Adds note about commit-specific measurements for reproducibility

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[alexhulbert]

Nice

[alexhulbert]

The lighthouse build process can be simplified starting with v8 like so: https://github.com/flashbots/flashbots-images/pull/38/files#diff-3c7f2c5d727d89202366ab0b86107555d64c34fed340037e8204c3f8959d80e7R28-R38

I'll make the necessary changes to this PR to get it working

[ilyaluk]

Thanks!

[alexhulbert]

I'm slightly leaning towards a mkosi.* script so that we don't have to hard code the timestamp twice. What do you think? We could also just make this part of the base module. Everything should have backports, especially since it can help us avoid using rustup throughout the repo since it nontrivially slows down builds, depends on network access, and downloads untrusted binaries.

[ilyaluk]

Unfortunately, adding backports repo via mkosi.conf is not supported at the moment (or I could not figure it out). I assume that's becuase backports is a different suite. There's upstream issue about this, afaiu: systemd/mkosi#1755

Also, we can't add it via scripts (e.g. systemd/mkosi#3439), because build packages installation happens in sandbox, not image itself.

[alexhulbert]

Fluent bit is not reproducible on apple silicon, so if we want to target that platform, we need to grab it from the official .deb file

[ilyaluk]

Oh, I see. Feel free to rollback this, not sure if there's use case for building bob images on apple silicon

[alexhulbert]

Nice, i will look for other places we're using rustup in the repo to get newer version of rust and switch them out for this technique now that the backports version is new enough

[alexhulbert]

Did this do anything? I vaguely recall trying these exact LDFLAGS before I left for vacation and iirc it didn't fix anything.

[ilyaluk]

Not sure, I don't think I've built without this flag. I've seen this commit in your branch and backported it, assuming you've added them for a reason 😄

[alexhulbert]

oh yeah meant to revert that before leaving for vacation, it didn't do anything