diff options
| author | Pierre Bourdon <delroth@gmail.com> | 2019-01-11 12:32:53 +0100 |
|---|---|---|
| committer | Pierre Bourdon <delroth@gmail.com> | 2019-01-11 12:35:16 +0100 |
| commit | 1b9bf8fa7559d1bbf030f3fe3513d25eada65a41 (patch) | |
| tree | c9631799b47cb78c9a2581c9121ed70b46baf613 /pkgs/os-specific | |
| parent | e9b34b1bfa30a51d3ca80bf87f371145a8b4e88c (diff) | |
| download | nixlib-1b9bf8fa7559d1bbf030f3fe3513d25eada65a41.tar nixlib-1b9bf8fa7559d1bbf030f3fe3513d25eada65a41.tar.gz nixlib-1b9bf8fa7559d1bbf030f3fe3513d25eada65a41.tar.bz2 nixlib-1b9bf8fa7559d1bbf030f3fe3513d25eada65a41.tar.lz nixlib-1b9bf8fa7559d1bbf030f3fe3513d25eada65a41.tar.xz nixlib-1b9bf8fa7559d1bbf030f3fe3513d25eada65a41.tar.zst nixlib-1b9bf8fa7559d1bbf030f3fe3513d25eada65a41.zip | |
kernel: make the RANDSTRUCT seed deterministic
Diffstat (limited to 'pkgs/os-specific')
| -rw-r--r-- | pkgs/os-specific/linux/kernel/manual-config.nix | 18 | ||||
| -rw-r--r-- | pkgs/os-specific/linux/kernel/randstruct-provide-seed.patch | 12 |
2 files changed, 29 insertions, 1 deletions
diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix index 6adc3a33bb06..4b570c1fe940 100644 --- a/pkgs/os-specific/linux/kernel/manual-config.nix +++ b/pkgs/os-specific/linux/kernel/manual-config.nix @@ -88,7 +88,10 @@ let inherit src; - patches = map (p: p.patch) kernelPatches; + patches = + map (p: p.patch) kernelPatches + # Required for deterministic builds along with some postPatch magic. + ++ optional (stdenv.lib.versionAtLeast version "4.13") ./randstruct-provide-seed.patch; prePatch = '' for mf in $(find -name Makefile -o -name Makefile.include -o -name install.sh); do @@ -99,6 +102,19 @@ let sed -i scripts/ld-version.sh -e "s|/usr/bin/awk|${buildPackages.gawk}/bin/awk|" ''; + postPatch = '' + # Set randstruct seed to a deterministic but diversified value. Note: + # we could have instead patched gen-random-seed.sh to take input from + # the buildFlags, but that would require also patching the kernel's + # toplevel Makefile to add a variable export. This would be likely to + # cause future patch conflicts. + if [ -f scripts/gcc-plugins/gen-random-seed.sh ]; then + substituteInPlace scripts/gcc-plugins/gen-random-seed.sh \ + --replace NIXOS_RANDSTRUCT_SEED \ + $(echo ${src} ${configfile} | sha256sum | cut -d ' ' -f 1 | tr -d '\n') + fi + ''; + configurePhase = '' runHook preConfigure diff --git a/pkgs/os-specific/linux/kernel/randstruct-provide-seed.patch b/pkgs/os-specific/linux/kernel/randstruct-provide-seed.patch new file mode 100644 index 000000000000..1328b9cee3c9 --- /dev/null +++ b/pkgs/os-specific/linux/kernel/randstruct-provide-seed.patch @@ -0,0 +1,12 @@ +diff -ru a/scripts/gcc-plugins/gen-random-seed.sh b/scripts/gcc-plugins/gen-random-seed.sh +--- a/scripts/gcc-plugins/gen-random-seed.sh 2019-01-11 11:50:29.228258920 +0100 ++++ b/scripts/gcc-plugins/gen-random-seed.sh 2019-01-11 12:18:33.555902720 +0100 +@@ -2,7 +2,7 @@ + # SPDX-License-Identifier: GPL-2.0 + + if [ ! -f "$1" ]; then +- SEED=`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'` ++ SEED="NIXOS_RANDSTRUCT_SEED" + echo "const char *randstruct_seed = \"$SEED\";" > "$1" + HASH=`echo -n "$SEED" | sha256sum | cut -d" " -f1 | tr -d ' \n'` + echo "#define RANDSTRUCT_HASHED_SEED \"$HASH\"" > "$2" |