author | Pierre Bourdon <delroth@gmail.com> | 2019-01-11 12:32:53 +0100 |
---|---|---|
committer | Pierre Bourdon <delroth@gmail.com> | 2019-01-11 12:35:16 +0100 |
commit | 1b9bf8fa7559d1bbf030f3fe3513d25eada65a41 (patch) | |
tree | c9631799b47cb78c9a2581c9121ed70b46baf613 /pkgs/os-specific/linux/kernel/manual-config.nix | |
parent | e9b34b1bfa30a51d3ca80bf87f371145a8b4e88c (diff) | |
kernel: make the RANDSTRUCT seed deterministic
Diffstat (limited to 'pkgs/os-specific/linux/kernel/manual-config.nix')
-rw-r--r-- | pkgs/os-specific/linux/kernel/manual-config.nix | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix
index 6adc3a33bb06..4b570c1fe940 100644
--- a/pkgs/os-specific/linux/kernel/manual-config.nix
+++ b/pkgs/os-specific/linux/kernel/manual-config.nix
@@ -88,7 +88,10 @@ let
 inherit src;
- patches = map (p: p.patch) kernelPatches;
+ patches =
+ map (p: p.patch) kernelPatches
+ # Required for deterministic builds along with some postPatch magic.
+ ++ optional (stdenv.lib.versionAtLeast version "4.13") ./randstruct-provide-seed.patch;
 prePatch = ''
 for mf in $(find -name Makefile -o -name Makefile.include -o -name install.sh); do
@@ -99,6 +102,19 @@ let
 sed -i scripts/ld-version.sh -e "s|/usr/bin/awk|${buildPackages.gawk}/bin/awk|"
 '';
+ postPatch = ''
+ # Set randstruct seed to a deterministic but diversified value. Note:
+ # we could have instead patched gen-random-seed.sh to take input from
+ # the buildFlags, but that would require also patching the kernel's
+ # toplevel Makefile to add a variable export. This would be likely to
+ # cause future patch conflicts.
+ if [ -f scripts/gcc-plugins/gen-random-seed.sh ]; then
+ substituteInPlace scripts/gcc-plugins/gen-random-seed.sh \
+ --replace NIXOS_RANDSTRUCT_SEED \
+ $(echo ${src} ${configfile} | sha256sum | cut -d ' ' -f 1 | tr -d '\n')
+ fi
+ '';
+
 configurePhase = ''
 runHook preConfigure |
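Review bot: The patch in this hunk is gated on `stdenv.lib.versionAtLeast version "4.13"`, while the substitution in the second hunk is gated on `[ -f scripts/gcc-plugins/gen-random-seed.sh ]`, so the two halves of one feature can drift apart without any build error. If a later kernel moves that script and only the patch is refreshed, the `-f` test would presumably skip the substitution and leave the literal `NIXOS_RANDSTRUCT_SEED` placeholder in place as the seed. I would gate postPatch on the same version test, or treat a missing script as an error for 4.13 and later, and have the comment name the placeholder, e.g. `# Makes gen-random-seed.sh emit NIXOS_RANDSTRUCT_SEED, which postPatch replaces.` The patch file itself is not in this diff view, so what it inserts is inferred from the postPatch lines.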
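Review bot: The postPatch comment calls the seed "deterministic but diversified" without stating the security trade-off: `sha256sum` over `${src} ${configfile}` uses only inputs that anyone evaluating the same expression can reproduce, so the RANDSTRUCT layout of a given kernel build is not secret. That is the same position as any distribution shipping prebuilt kernels, but it should be written down so users who rely on RANDSTRUCT for per-host layout secrecy know they need their own config or seed input. Suggested addition: `# The seed is derivable from public inputs; it gives reproducibility, not per-host secrecy.` Separately, the command substitution is unquoted and `tr -d '\n'` is redundant because `$(...)` already strips trailing newlines; `"$(echo ${src} ${configfile} | sha256sum | cut -d ' ' -f 1)"` would be tidier.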