[PATCH] x86/efi: Do not insert timestamps in efi files

[PATCH] x86/efi: Do not insert timestamps in efi files

[Bernhard M. Wiedemann]

in order to make builds reproducible.
See https://reproducible-builds.org/ for why this is good.

Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
---
 xen/arch/x86/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile
index 162b0b94c0..052bdb1e25 100644
--- a/xen/arch/x86/Makefile
+++ b/xen/arch/x86/Makefile
@@ -158,6 +158,7 @@ note.o: $(TARGET)-syms
 
 EFI_LDFLAGS = $(patsubst -m%,-mi386pep,$(LDFLAGS)) --subsystem=10
 EFI_LDFLAGS += --image-base=$(1) --stack=0,0 --heap=0,0 --strip-debug
+EFI_LDFLAGS += --no-insert-timestamp
 EFI_LDFLAGS += --section-alignment=0x200000 --file-alignment=0x20
 EFI_LDFLAGS += --major-image-version=$(XEN_VERSION)
 EFI_LDFLAGS += --minor-image-version=$(XEN_SUBVERSION)
-- 
2.16.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH] x86/efi: Do not insert timestamps in efi files

[Andrew Cooper]

On 24/10/2018 09:03, Bernhard M. Wiedemann wrote:
> in order to make builds reproducible.
> See https://reproducible-builds.org/ for why this is good.
>
> Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>

Please follow the MAINTAINERS file and CC the correct people.  I've done
so on this email.

> ---
>  xen/arch/x86/Makefile | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile
> index 162b0b94c0..052bdb1e25 100644
> --- a/xen/arch/x86/Makefile
> +++ b/xen/arch/x86/Makefile
> @@ -158,6 +158,7 @@ note.o: $(TARGET)-syms
>  
>  EFI_LDFLAGS = $(patsubst -m%,-mi386pep,$(LDFLAGS)) --subsystem=10
>  EFI_LDFLAGS += --image-base=$(1) --stack=0,0 --heap=0,0 --strip-debug
> +EFI_LDFLAGS += --no-insert-timestamp
>  EFI_LDFLAGS += --section-alignment=0x200000 --file-alignment=0x20
>  EFI_LDFLAGS += --major-image-version=$(XEN_VERSION)
>  EFI_LDFLAGS += --minor-image-version=$(XEN_SUBVERSION)

This change is fine in principle, but do all i386pep compatible versions
of LD support this parameter?

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH] x86/efi: Do not insert timestamps in efi files

[Bernhard M. Wiedemann]

On 24/10/2018 10.16, Andrew Cooper wrote:
> This change is fine in principle, but do all i386pep compatible versions
> of LD support this parameter?

It seems, it was added in 2014 to GNU binutils when the default was
reversed to be unreproducible:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=eeb14e5a5b378450ca2ed139e76f317f491f4613

Don't know about other ld implementations.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH] x86/efi: Do not insert timestamps in efi files

[Wei Liu]

On Wed, Oct 24, 2018 at 02:49:49PM +0200, Bernhard M. Wiedemann wrote:
> On 24/10/2018 10.16, Andrew Cooper wrote:
> > This change is fine in principle, but do all i386pep compatible versions
> > of LD support this parameter?
> 
> It seems, it was added in 2014 to GNU binutils when the default was
> reversed to be unreproducible:
> https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=eeb14e5a5b378450ca2ed139e76f317f491f4613

I think adding this unconditionally will break older ld? Keep in mind
that our supported binutils dates back to 2005.

Either some sort of filtering is required or we bump the required
binutils version.  For the former route see ld-ver-build-id in
Config.mk.

Wei.

> 
> Don't know about other ld implementations.


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[PATCH] x86/efi: Do not insert timestamps in efi files

[Bernhard M. Wiedemann]

in order to make builds reproducible.
See https://reproducible-builds.org/ for why this is good.

We only add the option, if ld understands it.

Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
---
 Config.mk             | 8 ++++++++
 xen/arch/x86/Makefile | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/Config.mk b/Config.mk
index 9b13e75a3e..46b064bcae 100644
--- a/Config.mk
+++ b/Config.mk
@@ -151,6 +151,14 @@ export XEN_HAS_BUILD_ID=y
 build_id_linker := --build-id=sha1
 endif
 
+ld-ver-timestamp = $(shell $(1) -mi386pep --no-insert-timestamp 2>&1 | \
+				grep -q no-insert-timestamp && echo n || echo y)
+ifeq ($(call ld-ver-timestamp,$(LD)),n)
+ld_no_insert_timestamp :=
+else
+ld_no_insert_timestamp := --no-insert-timestamp
+endif
+
 ifndef XEN_HAS_CHECKPOLICY
     CHECKPOLICY ?= checkpolicy
     XEN_HAS_CHECKPOLICY := $(shell $(CHECKPOLICY) -h 2>&1 | grep -q xen && echo y || echo n)
diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile
index 162b0b94c0..61ca474179 100644
--- a/xen/arch/x86/Makefile
+++ b/xen/arch/x86/Makefile
@@ -157,7 +157,7 @@ note.o: $(TARGET)-syms
 	rm -f $@.bin
 
 EFI_LDFLAGS = $(patsubst -m%,-mi386pep,$(LDFLAGS)) --subsystem=10
-EFI_LDFLAGS += --image-base=$(1) --stack=0,0 --heap=0,0 --strip-debug
+EFI_LDFLAGS += --image-base=$(1) --stack=0,0 --heap=0,0 --strip-debug $(ld_no_insert_timestamp)
 EFI_LDFLAGS += --section-alignment=0x200000 --file-alignment=0x20
 EFI_LDFLAGS += --major-image-version=$(XEN_VERSION)
 EFI_LDFLAGS += --minor-image-version=$(XEN_SUBVERSION)
-- 
2.16.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH] x86/efi: Do not insert timestamps in efi files

[Wei Liu]

On Wed, Oct 24, 2018 at 03:45:22PM +0200, Bernhard M. Wiedemann wrote:
> in order to make builds reproducible.
> See https://reproducible-builds.org/ for why this is good.
> 
> We only add the option, if ld understands it.
> 
> Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>

Reviewed-by: Wei Liu <wei.liu2@citrix.com>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH] x86/efi: Do not insert timestamps in efi files

[Jan Beulich]

>>> On 24.10.18 at 15:45, <bwiedemann@suse.de> wrote:
> in order to make builds reproducible.
> See https://reproducible-builds.org/ for why this is good.

But is this something everyone wants, unconditionally? I'm
generally happy to have this basic indication of when a certain
image was built; I regret that ELF images have no such
indication.

> --- a/Config.mk
> +++ b/Config.mk
> @@ -151,6 +151,14 @@ export XEN_HAS_BUILD_ID=y
>  build_id_linker := --build-id=sha1
>  endif
>  
> +ld-ver-timestamp = $(shell $(1) -mi386pep --no-insert-timestamp 2>&1 | \
> +				grep -q no-insert-timestamp && echo n || echo y)
> +ifeq ($(call ld-ver-timestamp,$(LD)),n)
> +ld_no_insert_timestamp :=
> +else
> +ld_no_insert_timestamp := --no-insert-timestamp
> +endif

Irrespective of build_id_linker also living here - is this the
right place? And can't you simplify things by using the
common list model, i.e. populate ld_no_insert_timestamp-$(...)
and ...

> --- a/xen/arch/x86/Makefile
> +++ b/xen/arch/x86/Makefile
> @@ -157,7 +157,7 @@ note.o: $(TARGET)-syms
>  	rm -f $@.bin
>  
>  EFI_LDFLAGS = $(patsubst -m%,-mi386pep,$(LDFLAGS)) --subsystem=10
> -EFI_LDFLAGS += --image-base=$(1) --stack=0,0 --heap=0,0 --strip-debug
> +EFI_LDFLAGS += --image-base=$(1) --stack=0,0 --heap=0,0 --strip-debug $(ld_no_insert_timestamp)

... use $(ld_no_insert_timestamp-y) here?

Jan



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH] x86/efi: Do not insert timestamps in efi files

[Andrew Cooper]

On 25/10/18 13:35, Jan Beulich wrote:
>>>> On 24.10.18 at 15:45, <bwiedemann@suse.de> wrote:
>> in order to make builds reproducible.
>> See https://reproducible-builds.org/ for why this is good.
> But is this something everyone wants, unconditionally? I'm
> generally happy to have this basic indication of when a certain
> image was built; I regret that ELF images have no such
> indication.

What practical purpose does having a time stamp serve?  If you really
need to see, what is wrong with the mtime in your build tree?

For shipped binaries to customers, exactly when it was built is
irrelevant, whereas peoples ability to independently verify the
integrity of the binary is important.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH] x86/efi: Do not insert timestamps in efi files

[Jan Beulich]

>>> On 25.10.18 at 16:00, <andrew.cooper3@citrix.com> wrote:
> On 25/10/18 13:35, Jan Beulich wrote:
>>>>> On 24.10.18 at 15:45, <bwiedemann@suse.de> wrote:
>>> in order to make builds reproducible.
>>> See https://reproducible-builds.org/ for why this is good.
>> But is this something everyone wants, unconditionally? I'm
>> generally happy to have this basic indication of when a certain
>> image was built; I regret that ELF images have no such
>> indication.
> 
> What practical purpose does having a time stamp serve?  If you really
> need to see, what is wrong with the mtime in your build tree?

This can be changed by simple "cp" to another location.

> For shipped binaries to customers, exactly when it was built is
> irrelevant, whereas peoples ability to independently verify the
> integrity of the binary is important.

Correct, which is why I appreciate the _option_ of zapping the
timestamp.

Jan



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH] x86/efi: Do not insert timestamps in efi files

[Bernhard M. Wiedemann]

[-- Attachment #1.1.1: Type: text/plain, Size: 773 bytes --]

On 25/10/2018 16.08, Jan Beulich wrote:
>>>> On 25.10.18 at 16:00, <andrew.cooper3@citrix.com> wrote:
>> For shipped binaries to customers, exactly when it was built is
>> irrelevant, whereas peoples ability to independently verify the
>> integrity of the binary is important.
> 
> Correct, which is why I appreciate the _option_ of zapping the
> timestamp.

Adding an option for this, would make the (already somewhat ugly) patch
even more ugly, so I thought, that fixing it in binutils might be the
better way, because other projects will also want to create reproducible
PE binaries and we do not want to add such ugly patches to all of them.
=> https://sourceware.org/ml/binutils/2018-10/msg00279.html


Let's see what they say.

Ciao
Bernhard M.


[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 261 bytes --]

[-- Attachment #2: Type: text/plain, Size: 157 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel