Chris,

Please test the attached patch.  Does it pass all the reproducibility
testing?

-- 
  Henrique Holschuh
diff --git a/debian/initramfs.hook b/debian/initramfs.hook
index d250719..c65d7d4 100755
--- a/debian/initramfs.hook
+++ b/debian/initramfs.hook
@@ -73,6 +73,9 @@ fi
 
 verbose "installing AMD64 microcode into the early initramfs..."
 
+# set during package build to the date from the package *version*
+CHANGELOG_TS=@CHANGELOG_TS@
+
 EFWD=$(mktemp -d "${TMPDIR:-/var/tmp}/mkinitramfs-EFW_XXXXXXXXXX") || {
     echo "E: amd64-microcode: cannot create temporary directory" >&2
     exit 1
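Review bot: `CHANGELOG_TS=@CHANGELOG_TS@` is used unchecked, and the `touch --date="@${CHANGELOG_TS}"` added in the next hunk sits inside the `&&` chain, so an empty or unsubstituted value makes the chain fail and the existing failure branch ends in `exit 0` with no microcode prepended. A timestamp problem that only affects reproducibility should not cost the early microcode update. Validate the value right after the assignment, for example `case "${CHANGELOG_TS}" in ''|*[!0-9]*) CHANGELOG_TS=0 ;; esac`. The `mktemp` error block that follows continues outside this hunk.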
@@ -88,11 +91,19 @@ EFWE="${EFWD}/early-initramfs.cpio"
 EFWCD="${EFWD}/d/kernel/x86/microcode"
 EFWF="${EFWCD}/AuthenticAMD.bin"
 
+# note: to build a reproducible early initramfs, we force
+# the microcode component ordering inside the microcode
+# firmware file, as well as the timestamp and ordering of
+# all cpio members.
 mkdir -p "${EFWCD}" && \
- find "${AUCODE_FW_DIR}/." -maxdepth 1 -type f -print0 | xargs -0 -r cat 2>/dev/null >"${EFWF}" && \
- test -s "${EFWF}" && \
- ( cd "${EFWD}/d" ; find . -print0 | sort -z | cpio --null -R 0:0 -H newc -o --quiet > "${EFWE}" ) \
+ find "${AUCODE_FW_DIR}/." -maxdepth 1 -type f -print0 | LC_ALL=C sort -z | xargs -0 -r cat 2>/dev/null >"${EFWF}" && \
+ find "${EFWD}" -print0 | xargs -0r touch --no-dereference --date="@${CHANGELOG_TS}" && { \
+    # --reproducible requires cpio >= 2.12
+    cpio --usage | grep -qs -- "--reproducible" && cpio_reproducible="--reproducible" || true
+ } && test -s "${EFWF}" && \
+ ( cd "${EFWD}/d" ; find . -print0 | LC_ALL=C sort -z | cpio --null $cpio_reproducible -R 0:0 -H newc -o --quiet > "${EFWE}" ) \
 && prepend_earlyinitramfs "${EFWE}" || {
+    # something failed somewhere in that pipeline
     [ -d "${EFWD}" ] && rm -fr "${EFWD}"
     echo "E: amd64-microcode: failed to create or prepend the early initramfs to the initramfs" >&2
     exit 0
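Review bot: `cpio_reproducible` is assigned only when the `cpio --usage` probe succeeds, so with an older cpio the unquoted `$cpio_reproducible` on the cpio line expands whatever the variable already held, including a value inherited from the environment of whoever runs the hook. Set `cpio_reproducible=` before the chain so the option passed to cpio is always either empty or `--reproducible`. The failure branch at the end of the hunk continues outside it.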
diff --git a/debian/rules b/debian/rules
index 326617d..72c6ae5 100755
--- a/debian/rules
+++ b/debian/rules
@@ -13,6 +13,9 @@ export DH_ALWAYS_EXCLUDE=CVS:.svn:.git
 # Work around Debian bug #688794
 INITRAMFS_NAME := $(subst -,_,$(subst +,_,$(subst .,_,$(PACKAGE))))
 
+# For reproducible builds...
+CHANGELOG_TS :=$(shell date +%s --date=$(shell dpkg-parsechangelog | sed -n -e "/^Version:/ {s/.*\.\([0-9]\{8\}\)\..*/\1/;p}"))
+
 build-indep:
 
 build-arch:
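Review bot: The `date +%s --date=...` call has no `-u`, so the bare date taken from the version is interpreted in the build machine's local time zone and the epoch written into the hook differs between builders, which defeats the purpose of the change; use `date -u +%s`. The sed script also prints the `Version:` line when the substitution does not match (the `p` is unconditional), in which case `date` receives an unparsable argument and `CHANGELOG_TS` ends up empty; `s/.*\.\([0-9]\{8\}\)\..*/\1/p` prints only on a match. The `sed` in the install hunk below would then substitute an empty string without complaint, so I would follow the assignment with `ifeq ($(strip $(CHANGELOG_TS)),)` and `$(error CHANGELOG_TS could not be derived from the changelog version)` to stop the build instead.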
@@ -32,8 +35,10 @@ install:
 	dh_install
 
 	mkdir -p "$(PKGDIR)/usr/share/initramfs-tools/hooks"
-	install -m 755 "$(DEBDIR)/initramfs.hook" \
-		"$(PKGDIR)/usr/share/initramfs-tools/hooks/$(INITRAMFS_NAME)"
+	sed -e "s/@CHANGELOG_TS@/$(CHANGELOG_TS)/g" \
+	    <"$(DEBDIR)/initramfs.hook" \
+	    >"$(PKGDIR)/usr/share/initramfs-tools/hooks/$(INITRAMFS_NAME)"
+	chmod 755 "$(PKGDIR)/usr/share/initramfs-tools/hooks/$(INITRAMFS_NAME)"
 
 	# We have a /etc/default file, but no initscript
 	install -m 644 "$(DEBDIR)/$(PACKAGE).default" "$(PKGDIR)/etc/default/$(PACKAGE)"
