chrisguest75 · chrisguest75 · Mar 30, 2025 · Apr 2, 2025
diff --git a/16_qemu/README.md b/16_qemu/README.md
@@ -2,6 +2,10 @@
 
 Demonstrate how to get aarch64 machine running on qemu (ubuntu)
 
+NOTES:
+
+* `armv6l-linux` & `armv7l-linux` are 32-bit, whereas `aarch64` is 64-bit
+
 ## Prereqs
 
 ```sh
@@ -24,6 +28,7 @@ qemu-system-arm -M  help
 qemu-system-aarch64 -version  
 qemu-system-aarch64 -M  help
 
+# on debian
 apt-file list qemu-kvm
 apt-file list qemu-system   
 ```

diff --git a/16_qemu/nix/README.md b/16_qemu/nix/README.md
@@ -0,0 +1,12 @@
+# NIX
+
+Build an image with nix and run as aarch64.  
+
+```sh
+just nix
+```
+
+## Resources
+
+* https://gist.github.com/lheckemann/63c52f2115346e6c9bbc6ecdfde9f43b
+* Spawn a Linux virtual machine on Arm using QEMU (KVM) [here](https://community.arm.com/oss-platforms/w/docs/510/spawn-a-linux-virtual-machine-on-arm-using-qemu-kvm)
diff --git a/16_qemu/nix/flake.lock b/16_qemu/nix/flake.lock
diff --git a/16_qemu/nix/flake.nix b/16_qemu/nix/flake.nix
@@ -0,0 +1,32 @@
+{
+  description = "Nix flake to build and run a NixOS VM for aarch64";
+
+  inputs = {
+    nixpkgs.url = "nixpkgs/nixos-24.11";
+  };
+
+  outputs = { self, nixpkgs }:
+  let
+    pkgs = import nixpkgs { system = "x86_64-linux"; };
+    pkgsAarch64 = import nixpkgs { system = "aarch64-linux"; };
+
+    iso = (pkgsAarch64.nixos {
+      imports = [ "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-base.nix" ];
+    }).config.system.build.isoImage;
+
+    vmScript = pkgs.writeScriptBin "run-nixos-vm" ''
+      #!${pkgs.runtimeShell}
+      ${pkgs.qemu}/bin/qemu-system-aarch64 \
+        -machine virt,gic-version=max \
+        -cpu max \
+        -m 2G \
+        -smp 4 \
+        -drive file=$(echo ${iso}/iso/*.iso),format=raw,readonly=on \
+        -nographic \
+        -bios ${pkgsAarch64.OVMF.fd}/FV/QEMU_EFI.fd
+    '';
+
+  in {
+    defaultPackage.x86_64-linux = vmScript;
+  };
+}
diff --git a/16_qemu/nix/justfile b/16_qemu/nix/justfile
@@ -0,0 +1,14 @@
+#!/usr/bin/env just --justfile
+# ^ A shebang isn't required, but allows a justfile to be executed
+#   like a script, with `./justfile test`, for example.
+
+set dotenv-load := true
+
+# default lists actions
+default:
+  @just -f justfile --list
+
+nix:
+  #!/usr/bin/env bash
+  set -eufo pipefail
+  nix run
diff --git a/48_osv_scanner/.gitignore b/48_osv_scanner/.gitignore
@@ -0,0 +1 @@
+out
diff --git a/48_osv_scanner/README.md b/48_osv_scanner/README.md
@@ -25,6 +25,10 @@ just scan-repo ../my_repo --json | jq .
 ```sh
 docker pull nginx:1.27.4
 osv-scanner scan --docker nginx:1.27.4
+
+# NOTE: It doesn't seem to be scanning the .venv or pipfile.lock in the container.
+mkdir -p ./out
+osv-scanner scan --experimental-all-packages --format=json --docker nginx:1.27.4 > ./out/nginx1.27.4.json
 ```
 
 ## Resources