public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

kernel: make the RANDSTRUCT seed deterministic

Browse Source
This commit is contained in:
Pierre Bourdon 2019-01-11 12:32:53 +01:00
parent e9b34b1bfa
commit 1b9bf8fa75
No known key found for this signature in database
GPG Key ID: 6FB80DCD84DA0F1C
2 changed files with 29 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
pkgs/os-specific/linux/kernel/manual-config.nix
View File

@ -88,7 +88,10 @@ let
inherit src; inherit src;
patches = map (p: p.patch) kernelPatches; patches =
map (p: p.patch) kernelPatches
# Required for deterministic builds along with some postPatch magic.
++ optional (stdenv.lib.versionAtLeast version "4.13") ./randstruct-provide-seed.patch;
prePatch = '' prePatch = ''
for mf in $(find -name Makefile -o -name Makefile.include -o -name install.sh); do for mf in $(find -name Makefile -o -name Makefile.include -o -name install.sh); do
@ -99,6 +102,19 @@ let
sed -i scripts/ld-version.sh -e "s|/usr/bin/awk|${buildPackages.gawk}/bin/awk|" sed -i scripts/ld-version.sh -e "s|/usr/bin/awk|${buildPackages.gawk}/bin/awk|"
''; '';
postPatch = ''
# Set randstruct seed to a deterministic but diversified value. Note:
# we could have instead patched gen-random-seed.sh to take input from
# the buildFlags, but that would require also patching the kernel's
# toplevel Makefile to add a variable export. This would be likely to
# cause future patch conflicts.
if [ -f scripts/gcc-plugins/gen-random-seed.sh ]; then
substituteInPlace scripts/gcc-plugins/gen-random-seed.sh \
--replace NIXOS_RANDSTRUCT_SEED \
$(echo ${src} ${configfile} | sha256sum | cut -d ' ' -f 1 | tr -d '\n')
fi
'';
configurePhase = '' configurePhase = ''
runHook preConfigure runHook preConfigure

12
pkgs/os-specific/linux/kernel/randstruct-provide-seed.patch Normal file
View File

@ -0,0 +1,12 @@
diff -ru a/scripts/gcc-plugins/gen-random-seed.sh b/scripts/gcc-plugins/gen-random-seed.sh
--- a/scripts/gcc-plugins/gen-random-seed.sh 2019-01-11 11:50:29.228258920 +0100
+++ b/scripts/gcc-plugins/gen-random-seed.sh 2019-01-11 12:18:33.555902720 +0100
@@ -2,7 +2,7 @@
# SPDX-License-Identifier: GPL-2.0
if [ ! -f "$1" ]; then
- SEED=`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'`
+ SEED="NIXOS_RANDSTRUCT_SEED"
echo "const char *randstruct_seed = \"$SEED\";" > "$1"
HASH=`echo -n "$SEED" | sha256sum | cut -d" " -f1 | tr -d ' \n'`
echo "#define RANDSTRUCT_HASHED_SEED \"$HASH\"" > "$2"