linux: omit build id #106648
Conversation
please target staging instead.
I do not know what the makefile looks like, but the regex looks brittle. It would turn `--build-id=xxx` into `--build-id=none=xxx`. Is there a way to detect that or fail in such cases? Will gcc behave correctly with `--build-id=none=xxx`?
Oh, and thanks for investigating kernel reproducibility. That's not an easy one.
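The brittleness described in this comment, shown as an added example that is not part of the PR or of the nixpkgs tree: a POSIX shell script applies the PR's unanchored substitution and an anchored variant to two constructed Makefile lines. The `LDFLAGS_vmlinux` sample lines are assumptions made for illustration, not quoted from any kernel version.

```shell
#!/bin/sh
# Added example (not code from the PR or from nixpkgs). Demonstrates that
# 's|--build-id|--build-id=none|' mangles an existing '--build-id=<value>'
# into '--build-id=none=<value>', and shows one anchored alternative.
# The Makefile lines below are constructed samples, not kernel sources.

# The substitution as written in the PR, applied to stdin.
pr_sed() {
    sed -e 's|--build-id|--build-id=none|'
}

# Anchored variant: also consumes an existing '=<value>' (e.g. '=sha1' or
# '=0x1234'), so the result is always exactly '--build-id=none'.
anchored_sed() {
    sed -e 's|--build-id=*[A-Za-z0-9]*|--build-id=none|'
}

# rewrite FUNC LINE: feed one Makefile line through FUNC and print the result.
rewrite() {
    printf '%s\n' "$2" | "$1"
}

# check_no_double_assignment LINE: succeeds (status 0) when the line does
# not contain the broken '--build-id=none=' form.
check_no_double_assignment() {
    ! printf '%s\n' "$1" | grep -q -- '--build-id=none='
}

# Constructed sample lines (assumptions for illustration only).
bare='LDFLAGS_vmlinux += --build-id'
withval='LDFLAGS_vmlinux += --build-id=sha1'

# Print all four combinations side by side.
demo() {
    printf 'PR sed,       bare line : %s\n' "$(rewrite pr_sed "$bare")"
    printf 'PR sed,       =sha1 line: %s\n' "$(rewrite pr_sed "$withval")"
    printf 'anchored sed, bare line : %s\n' "$(rewrite anchored_sed "$bare")"
    printf 'anchored sed, =sha1 line: %s\n' "$(rewrite anchored_sed "$withval")"
}

demo
```

The anchored pattern uses only POSIX BRE (`=*` followed by an alphanumeric run), so it behaves the same under GNU and BSD sed; `check_no_double_assignment` is the kind of post-substitution guard a build script can run with `|| exit 1` so a mangled flag fails the build instead of reaching the linker.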
The sed command suggested here is the same as the one described in https://kernelnewbies.org/BuildId (which references https://github.com/mempo/mempo-kernel - probably used by Debian).
Wouldn't upstream accept a patch where you can more conveniently set the build id?
Have you tested whether the build ID is actually stable now? When I tried this a few weeks ago, it didn't work and the build id was still random. You can extract the kernel using
Yes, it does look like it (though the readelf warning makes it so I'm not sure): Without this PR:
With this PR:
(I also verified that, when disabling MODULE_SIG and SECURITY_LOCKDOWN_LSM, it seems the kernel is now reproducible)
@@ -113,6 +113,7 @@ let | |||
sed -i "$mf" -e 's|/usr/bin/||g ; s|/bin/||g ; s|/sbin/||g' | |||
done | |||
sed -i Makefile -e 's|= depmod|= ${buildPackages.kmod}/bin/depmod|' | |||
sed -i Makefile -e 's|--build-id|--build-id=none|' |
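Review bot: the new `sed -i Makefile -e 's|--build-id|--build-id=none|'` line is unanchored, so an existing `--build-id=<value>` in the Makefile would be rewritten to `--build-id=none=<value>` (the concern raised in the conversation), and every occurrence of `--build-id` in the file is touched, not only the vmlinux link flags. Consider consuming an optional value as well, e.g. `s|--build-id=*[A-Za-z0-9]*|--build-id=none|`, and guard the substitution with a `grep -q -- '--build-id' Makefile ||` failure so that a future Makefile that moves or renames the flag does not silently keep a random build ID. A one-line comment above the sed stating that it strips NT_GNU_BUILD_ID for reproducibility, as requested below, would also help the next reader.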
Would appreciate a comment here explaining what this line is for.
👍 done
Don't include an NT_GNU_BUILD_ID (that is randomly generated at build time). This improves the kernel reproducibility: when also disabling the MODULE_SIG and SECURITY_LOCKDOWN_LSM options the build is bit-by-bit reproducible.
caf300f to bfffb51
LGTM
Can confirm that the buildId section is now omitted, LGTM!
We're actually really close to a fully reproducible kernel now :0
Motivation for this change
Don't include an NT_GNU_BUILD_ID (that is randomly generated
at build time).
This improves the kernel reproducibility (though there is
still some other remaining problems)
Things done
- Tested using sandboxing (`sandbox` in `nix.conf` on non-NixOS linux)
- Tested compilation of all pkgs that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review wip"`
- Tested execution of all binary files (usually in `./result/bin/`)
- Determined the impact on package closure size (by running `nix path-info -S` before and after)