kernel: make the RANDSTRUCT seed deterministic

+29 -1
+17 -1
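--- a/pkgs/os-specific/linux/kernel/manual-config.nix
+++ b/pkgs/os-specific/linux/kernel/manual-config.nix
@@ -88,7 +88,10 @@
 
 inherit src;
 
-patches = map (p: p.patch) kernelPatches;
+patches =
+map (p: p.patch) kernelPatches
+# Required for deterministic builds along with some postPatch magic.
+++ optional (stdenv.lib.versionAtLeast version "4.13") ./randstruct-provide-seed.patch;
 
 prePatch = ''
 for mf in $(find -name Makefile -o -name Makefile.include -o -name install.sh); do
@@ -97,6 +100,19 @@
 done
 sed -i Makefile -e 's|= depmod|= ${buildPackages.kmod}/bin/depmod|'
 sed -i scripts/ld-version.sh -e "s|/usr/bin/awk|${buildPackages.gawk}/bin/awk|"
+'';
+
+postPatch = ''
+# Set randstruct seed to a deterministic but diversified value. Note:
+# we could have instead patched gen-random-seed.sh to take input from
+# the buildFlags, but that would require also patching the kernel's
+# toplevel Makefile to add a variable export. This would be likely to
+# cause future patch conflicts.
+if [ -f scripts/gcc-plugins/gen-random-seed.sh ]; then
+substituteInPlace scripts/gcc-plugins/gen-random-seed.sh \
+--replace NIXOS_RANDSTRUCT_SEED \
+$(echo ${src} ${configfile} | sha256sum | cut -d ' ' -f 1 | tr -d '\n')
+fi
 '';
 
 configurePhase = ''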
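Review bot: The seed substituted in the new postPatch block is the sha256 of `${src} ${configfile}`, both public store paths, so anyone with the same nixpkgs revision can recompute the seed and therefore the randomized struct layout; the comment starting on new line 106 should state this trade-off so readers do not assume RANDSTRUCT still delivers its secret-layout property. For a kernel served from a binary cache the layout was already recoverable from the published binary, so the loss mainly affects users who rebuild locally expecting a layout unique to their machine. Suggested addition to that comment: `# NOTE: the seed is derived from public store paths, so the layout is reproducible by anyone with this nixpkgs revision; RANDSTRUCT here provides reproducibility, not a secret layout.` Separately, the `-f` guard on new line 111 and the version gate on new line 94 can diverge: if the script exists but the patch was not applied, the placeholder is absent and the build presumably keeps the kernel's random seed without any error — hedged, since substituteInPlace's behavior on a missing pattern is not visible here.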
+12
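--- a/pkgs/os-specific/linux/kernel/randstruct-provide-seed.patch
+++ b/pkgs/os-specific/linux/kernel/randstruct-provide-seed.patch
@@ -0,0 +1,12 @@
+diff -ru a/scripts/gcc-plugins/gen-random-seed.sh b/scripts/gcc-plugins/gen-random-seed.sh
+--- a/scripts/gcc-plugins/gen-random-seed.sh 2019-01-11 11:50:29.228258920 +0100
++++ b/scripts/gcc-plugins/gen-random-seed.sh 2019-01-11 12:18:33.555902720 +0100
+@@ -2,7 +2,7 @@
+# SPDX-License-Identifier: GPL-2.0
+
+if [ ! -f "$1" ]; then
+- SEED=`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'`
++ SEED="NIXOS_RANDSTRUCT_SEED"
+ echo "const char *randstruct_seed = \"$SEED\";" > "$1"
+ HASH=`echo -n "$SEED" | sha256sum | cut -d" " -f1 | tr -d ' \n'`
+ echo "#define RANDSTRUCT_HASHED_SEED \"$HASH\"" > "$2"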
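Review bot: If the substitution step in manual-config.nix ever fails to run, the patched script on new line 9 builds the kernel with the literal seed `NIXOS_RANDSTRUCT_SEED`, a constant every reader of nixpkgs knows, which is a worse outcome than the `/dev/urandom` read it replaces. The script should fail closed by rejecting any seed that is not the 64 lowercase hex digits sha256sum produces; checking the shape rather than comparing against the placeholder matters, because substituteInPlace would rewrite a literal comparison too. One line after the assignment does it: `case "$SEED" in *[!0-9a-f]*|"") echo "randstruct seed was not substituted" >&2; exit 1;; esac`. The `if [ ! -f "$1" ]` body that these lines belong to continues past the end of the inner hunk.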