[Reproducible-builds] Bug#816439: linux-grsec: feeding the seed with SOURCE_DATE_EPOCH
Steven Chamberlain
stevenc at debian.org
Tue Jul 12 23:43:57 UTC 2016
tags 816439 + patch
thanks
Hi,
> > Contrary to: https://bugs.debian.org/816439, RANDSTRUCT is
> > actually compatible with reproducible builds, just need to
> > keep randomize_layout_seed.h.
> > https://twitter.com/grsecurity/status/704869584218685440
Holger Levsen wrote:
> seems like it should be seeded with
> https://reproducible-builds.org/specs/source-date-epoch/
Patch attached! (please read it for the long description)
I'm afraid I couldn't find where to do this in linux-grsec Git.
So I've attached it in debdiff form instead.
There might still be other reproducibility issues after this.
Thanks,
Regards,
--
Steven Chamberlain
steven at pyro.eu.org
-------------- next part --------------
diff -Nru linux-grsec-4.6.3/debian/patches/features/all/grsec/reproducible-randstruct.patch linux-grsec-4.6.3/debian/patches/features/all/grsec/reproducible-randstruct.patch
--- linux-grsec-4.6.3/debian/patches/features/all/grsec/reproducible-randstruct.patch 1970-01-01 00:00:00.000000000 +0000
+++ linux-grsec-4.6.3/debian/patches/features/all/grsec/reproducible-randstruct.patch 2016-07-12 22:02:33.000000000 +0000
@@ -0,0 +1,29 @@
+Date: Tue, 12 Jul 2016 22:59:00 +0100
+From: Steven Chamberlain <stevenc at debian.org>
+Subject: make reproducible randomize_layout_seed.h
+
+If the SOURCE_DATE_EPOCH environment variable is defined, use the
+SHA-256 hash of that value, instead of /dev/urandom, to initialise
+randstruct_seed in randomize_layout_seed.h
+
+This allows the build to be reproducible. In order to force a new seed,
+modify the SOURCE_DATE_EPOCH. (In Debian, bumping the package version
+and adding a new debian/changelog entry will have that effect).
+
+Signed-off-by: Steven Chamberlain <stevenc at debian.org>
+
+--- a/scripts/gcc-plugins/gen-random-seed.sh
++++ b/scripts/gcc-plugins/gen-random-seed.sh
+@@ -1,7 +1,11 @@
+ #!/bin/sh
+
+ if [ ! -f "$1" ]; then
+- SEED=`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'`
++ if [ ! -z "$SOURCE_DATE_EPOCH" ]; then
++ SEED=`echo -n "$SOURCE_DATE_EPOCH" | sha256sum | cut -d" " -f1`
++ else
++ SEED=`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'`
++ fi
+ echo "const char *randstruct_seed = \"$SEED\";" > "$1"
+ HASH=`echo -n "$SEED" | sha256sum | cut -d" " -f1 | tr -d ' \n'`
+ echo "#define RANDSTRUCT_HASHED_SEED \"$HASH\"" > "$2"
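Review bot: The description should spell out the security trade-off the `SOURCE_DATE_EPOCH` branch introduces, not only the reproducibility gain. With `SEED=$(sha256 of $SOURCE_DATE_EPOCH)`, `randstruct_seed` becomes a pure function of a value the description itself says is derived from the debian/changelog entry, i.e. from data that ships with the package, so anyone who can read that changelog can recompute the seed (and `RANDSTRUCT_HASHED_SEED`, which is just the SHA-256 of it again) and therefore the randomized struct layouts; the `/dev/urandom` path kept that seed unpredictable to anyone without the build artefacts. Accepting that is a legitimate choice for a reproducible distribution kernel, but say so next to the sentence "use the SHA-256 hash of that value, instead of /dev/urandom", and note that mixing in any secret would restore unpredictability only at the cost of reproducibility by independent rebuilders. Two smaller points: `[ -n "$SOURCE_DATE_EPOCH" ]` reads better than `[ ! -z ... ]`, and `printf '%s' "$SOURCE_DATE_EPOCH" | sha256sum` avoids relying on `echo -n` under `#!/bin/sh`, whose behaviour POSIX leaves implementation-defined (the existing `HASH=` line has the same dependency). The seed length is unchanged by the patch: `sha256sum` yields 64 hex characters, the same as `od -t x8 -N 32` on the urandom path, so the consumer of `randstruct_seed` is unaffected.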
diff -Nru linux-grsec-4.6.3/debian/patches/series-grsec linux-grsec-4.6.3/debian/patches/series-grsec
--- linux-grsec-4.6.3/debian/patches/series-grsec 2016-07-07 05:17:23.000000000 +0000
+++ linux-grsec-4.6.3/debian/patches/series-grsec 2016-07-12 21:57:58.000000000 +0000
@@ -1 +1,2 @@
features/all/grsec/grsecurity-3.1-4.6.3-201607062159+debian.patch
+features/all/grsec/reproducible-randstruct.patch
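Review bot: Ordering here is correct and must stay that way: `scripts/gcc-plugins/gen-random-seed.sh` only exists once `grsecurity-3.1-4.6.3-201607062159+debian.patch` has been applied, so `reproducible-randstruct.patch` has to come after it. Because its context lines come from the grsecurity patch rather than from upstream Linux, it will need refreshing whenever that patch is bumped; a sentence to that effect in the patch description would save the next maintainer a quilt failure.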