Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make efi partition creation reproducible #1212

Closed
malt3 opened this issue Oct 3, 2022 · 2 comments
Closed

Make efi partition creation reproducible #1212

malt3 opened this issue Oct 3, 2022 · 2 comments
Labels
RFE

Comments

@malt3
Copy link
Contributor

malt3 commented Oct 3, 2022
edited
Loading

I'm following the developments around reproducible builds (mostly in #1112) and noticed that the plan laid out there is mostly focused on the root filetree.

The efi partition included in bootable images is currently created and mounted writable early in the build process and modified in multiple build steps including the following:

  • run_kernel_install
  • install_boot_loader
  • secure_boot_sign
  • possibly by user defined scripts

I would suggest an alternative approach that is similar to how the root filesystems (or /usr depending on the config) is handled:

  1. Create + mount an EFI partition early as it happens currently or bind mount a folder in the same location
  2. Let all build steps modify the EFI partition as usual
  3. Have a make_generated_efi + insert_generated_efi similar to what is done for the root filesystem. After that, the EFI partition must not be modified anymore.

The last step should also ensure that the EFI partition is generated in a canonical fashion. This can be achieved by creating the filesystem with some special parameters:

mkfs.fat -nEFI -F32 --invariant -i HARDCODED_VOLUME_ID -C ESP_FILENAME BLOCKCOUNT

Copying the final efi file tree can be made reproducible by using LC_ALL=C sort to sort the input file tree and using faketime "$TIMESTAMP" mmd -i $ESP_FILENAME ::DIRNAME to create directories and faketime "$TIMESTAMP" mcopy -i $ESP_FILENAME FILENAME ::FILENAME to create files.

These steps are documented in a 2018 report from the reproducible builds summit and are used in a similar way by mobile-nixos to generate the EFI partition.

I would be happy to create PRs with the changes I am suggesting here but would await feedback first.
@behrmann
Copy link
Contributor

behrmann commented Oct 5, 2022

Happy to review PR's for this. Just as a fair warning: It's planned to switch mkosi's partition handling over to repart in the not too distant future (no deadline for that yet), so this will be in flux. Nevertheless, always happy to review stuff and improving reproducibility is definitely something we want.

@DaanDeMeyer DaanDeMeyer added the RFE label Oct 5, 2022
@malt3
Copy link
Contributor Author

malt3 commented Oct 28, 2022

Superseded by #1228

@malt3 malt3 closed this as completed Oct 28, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
RFE
Milestone
No milestone
Development

No branches or pull requests
3 participants
@behrmann @malt3 @DaanDeMeyer