* [PATCH] image_types: improve reproducibility of .cpio files.
@ 2018-05-24 21:27 Kamel Hacene
2018-05-24 21:56 ` Andre McCurdy
From: Kamel Hacene @ 2018-05-24 21:27 UTC (permalink / raw)
To: openembedded-core
When BUILD_REPRODUCIBLE_BINARIES is set, run cpio command with the
--reproducible flag and set the timestamp of the created /init file to
REPRODUCIBLE_TIMESTAMP_ROOTFS in accordance with reproducible_final_image_task
in image.bbclass.
Signed-off-by: Kamel Hacene <kamel.hacene@smile.fr>
---
meta/classes/image_types.bbclass | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/meta/classes/image_types.bbclass b/meta/classes/image_types.bbclass
index 00a00d318f..345dba5358 100644
--- a/meta/classes/image_types.bbclass
+++ b/meta/classes/image_types.bbclass
@@ -127,9 +127,16 @@ IMAGE_CMD_TAR ?= "tar"
# ignore return code 1 "file changed as we read it" as other tasks(e.g. do_image_wic) may be hardlinking rootfs
IMAGE_CMD_tar = "${IMAGE_CMD_TAR} --numeric-owner -cf ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.tar -C ${IMAGE_ROOTFS} . || [ $? -eq 1 ]"
+# Extra options given to the cpio command
+CPIO_EXTRA_OPTS ?= ""
+CPIO_EXTRA_OPTS += "${@'--reproducible' if d.getVar('BUILD_REPRODUCIBLE_BINARIES') == '1' else ''}"
do_image_cpio[cleandirs] += "${WORKDIR}/cpio_append"
IMAGE_CMD_cpio () {
- (cd ${IMAGE_ROOTFS} && find . | cpio -o -H newc >${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cpio)
+ # Ensure cpio provides --reproducible option if generating a reproducible binary
+ if [ "$BUILD_REPRODUCIBLE_BINARIES" = "1" ] && ! cpio --help | grep -q "\-\-reproducible"; then
+ bbfatal "cpio v2.12 or higher is required to generate a reproducible binary. Upgrade your host's cpio command or use oe's cpio recipe by adding a depend to cpio-native in your image."
+ fi
+ (cd ${IMAGE_ROOTFS} && find . | cpio ${CPIO_EXTRA_OPTS} -o -H newc >${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cpio)
# We only need the /init symlink if we're building the real
# image. The -dbg image doesn't need it! By being clever
# about this we also avoid 'touch' below failing, as it
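Review bot: The guard `[ "$BUILD_REPRODUCIBLE_BINARIES" = "1" ]` tests a shell variable rather than the BitBake one, because BitBake substitutes only the braced `${VAR}` form inside shell functions. Unless BUILD_REPRODUCIBLE_BINARIES is exported into the task environment (not visible here), the cpio capability check never fires, while `CPIO_EXTRA_OPTS` still carries `--reproducible` from the Python expansion. Writing it as `[ "${BUILD_REPRODUCIBLE_BINARIES}" = "1" ]` fixes this, and the same unbraced test guards the `touch` in the second hunk. Separately, `find . | cpio` emits entries in directory order, which can differ between filesystems, so the archive may still not be byte-identical; `find . | LC_ALL=C sort | cpio ${CPIO_EXTRA_OPTS} -o -H newc` would pin the member order. IMAGE_CMD_cpio continues past the end of this hunk.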
@@ -142,7 +149,10 @@ IMAGE_CMD_cpio () {
else
touch ${WORKDIR}/cpio_append/init
fi
- (cd ${WORKDIR}/cpio_append && echo ./init | cpio -oA -H newc -F ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cpio)
+ if [ "$BUILD_REPRODUCIBLE_BINARIES" = "1" ]; then
+ touch --no-dereference --date=@${REPRODUCIBLE_TIMESTAMP_ROOTFS} ${WORKDIR}/cpio_append/init
+ fi
+ (cd ${WORKDIR}/cpio_append && echo ./init | cpio ${CPIO_EXTRA_OPTS} -oA -H newc -F ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cpio)
fi
fi
}
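Review bot: The added `touch --no-dereference --date=@${REPRODUCIBLE_TIMESTAMP_ROOTFS}` has no guard for an empty or unset timestamp. If the variable has no value when the task runs, the argument presumably collapses to `--date=@`, which touch rejects, so the image task fails with a message that does not name the cause. A check before it, such as `[ -n "${REPRODUCIBLE_TIMESTAMP_ROOTFS}" ] || bbfatal "REPRODUCIBLE_TIMESTAMP_ROOTFS is not set"`, would make the failure explicit. Quoting the path, as in `"${WORKDIR}/cpio_append/init"`, would also keep the command intact if WORKDIR contains whitespace. The start of IMAGE_CMD_cpio and the branch that creates `init` are outside this hunk.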
--
2.16.2
* Re: [PATCH] image_types: improve reproducibility of .cpio files.
2018-05-24 21:27 [PATCH] image_types: improve reproducibility of .cpio files Kamel Hacene
@ 2018-05-24 21:56 ` Andre McCurdy
From: Andre McCurdy @ 2018-05-24 21:56 UTC (permalink / raw)
To: Kamel Hacene; +Cc: OE Core mailing list
On Thu, May 24, 2018 at 2:27 PM, Kamel Hacene <kamel.hacene@smile.fr> wrote:
> When BUILD_REPRODUCIBLE_BINARIES is set, run cpio command with the
> --reproducible flag and set the timestamp of the created /init file to
> REPRODUCIBLE_TIMESTAMP_ROOTFS in accordance with reproducible_final_image_task
> in image.bbclass.
>
> Signed-off-by: Kamel Hacene <kamel.hacene@smile.fr>
> ---
> meta/classes/image_types.bbclass | 14 ++++++++++++--
> 1 file changed, 12 insertions(+), 2 deletions(-)
>
> diff --git a/meta/classes/image_types.bbclass b/meta/classes/image_types.bbclass
> index 00a00d318f..345dba5358 100644
> --- a/meta/classes/image_types.bbclass
> +++ b/meta/classes/image_types.bbclass
> @@ -127,9 +127,16 @@ IMAGE_CMD_TAR ?= "tar"
> # ignore return code 1 "file changed as we read it" as other tasks(e.g. do_image_wic) may be hardlinking rootfs
> IMAGE_CMD_tar = "${IMAGE_CMD_TAR} --numeric-owner -cf ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.tar -C ${IMAGE_ROOTFS} . || [ $? -eq 1 ]"
>
> +# Extra options given to the cpio command
> +CPIO_EXTRA_OPTS ?= ""
> +CPIO_EXTRA_OPTS += "${@'--reproducible' if d.getVar('BUILD_REPRODUCIBLE_BINARIES') == '1' else ''}"
> do_image_cpio[cleandirs] += "${WORKDIR}/cpio_append"
> IMAGE_CMD_cpio () {
> - (cd ${IMAGE_ROOTFS} && find . | cpio -o -H newc >${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cpio)
> + # Ensure cpio provides --reproducible option if generating a reproducible binary
> + if [ "$BUILD_REPRODUCIBLE_BINARIES" = "1" ] && ! cpio --help | grep -q "\-\-reproducible"; then
> + bbfatal "cpio v2.12 or higher is required to generate a reproducible binary. Upgrade your host's cpio command or use oe's cpio recipe by adding a depend to cpio-native in your image."
If the host version of cpio can't be relied on it would be better to
make use of cpio-native.
> + fi
> + (cd ${IMAGE_ROOTFS} && find . | cpio ${CPIO_EXTRA_OPTS} -o -H newc >${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cpio)
> # We only need the /init symlink if we're building the real
> # image. The -dbg image doesn't need it! By being clever
> # about this we also avoid 'touch' below failing, as it
> @@ -142,7 +149,10 @@ IMAGE_CMD_cpio () {
> else
> touch ${WORKDIR}/cpio_append/init
> fi
> - (cd ${WORKDIR}/cpio_append && echo ./init | cpio -oA -H newc -F ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cpio)
> + if [ "$BUILD_REPRODUCIBLE_BINARIES" = "1" ]; then
> + touch --no-dereference --date=@${REPRODUCIBLE_TIMESTAMP_ROOTFS} ${WORKDIR}/cpio_append/init
> + fi
> + (cd ${WORKDIR}/cpio_append && echo ./init | cpio ${CPIO_EXTRA_OPTS} -oA -H newc -F ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cpio)
> fi
> fi
> }
> --
> 2.16.2
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core