diff --git a/0001-mkstandalone-ensure-stable-timestamps-for-generated-.patch b/0001-mkstandalone-ensure-stable-timestamps-for-generated-.patch
new file mode 100644
index 0000000..a2b5a56
--- /dev/null
+++ b/0001-mkstandalone-ensure-stable-timestamps-for-generated-.patch
@@ -0,0 +1,76 @@
+From 1fdc9daf97a1518960e5603dd43a5f353cb3ca89 Mon Sep 17 00:00:00 2001
+From: Michael Chang
+Date: Thu, 30 Nov 2023 13:45:13 +0800
+Subject: [PATCH 1/2] mkstandalone: ensure stable timestamps for generated
+ images
+
+This change mirrors a previous fix [1] but is specific to images
+generated by grub-mkstandalone.
+
+The former fix (85a7be241) focused on utilizing a stable timestamp
+during binary generation in the util/mkimage context. This commit
+extends that approach to the images produced by grub-mkstandalone,
+ensuring consistency and stability in timestamps across all generated
+binaries.
+
+[1] 85a7be241 util/mkimage: Use stable timestamp when generating
+binaries.
+
+Signed-off-by: Michael Chang
+Signed-off-by: Bernhard Wiedemann
+---
+ util/grub-mkstandalone.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/util/grub-mkstandalone.c b/util/grub-mkstandalone.c
+index bdbeea6a6..8e1229925 100644
+--- a/util/grub-mkstandalone.c
++++ b/util/grub-mkstandalone.c
+@@ -30,6 +30,9 @@
+ #pragma GCC diagnostic error "-Wmissing-prototypes"
+ #pragma GCC diagnostic error "-Wmissing-declarations"
+
++/* use 2015-01-01T00:00:00+0000 as a stock timestamp */
++#define STABLE_EMBEDDING_TIMESTAMP 1420070400
++
+ static char *output_image;
+ static char **files;
+ static int nfiles;
+@@ -184,7 +187,6 @@ add_tar_file (const char *from,
+ struct head hd;
+ grub_util_fd_t in;
+ ssize_t r;
+- grub_uint32_t mtime = 0;
+ grub_uint32_t size;
+
+ COMPILE_TIME_ASSERT (sizeof (hd) == 512);
+@@ -192,8 +194,6 @@ add_tar_file (const char *from,
+ if (grub_util_is_special_file (from))
+ return;
+
+- mtime = grub_util_get_mtime (from);
+-
+ optr = tcn = xmalloc (strlen (to) + 1);
+ for (iptr = to; *iptr == '/'; iptr++);
+ for (; *iptr; iptr++)
+@@ -234,7 +234,7 @@ add_tar_file (const char *from,
+ memcpy (hd.gid, "0001750", 7);
+
+ set_tar_value (hd.size, optr - tcn, 12);
+- set_tar_value (hd.mtime, mtime, 12);
++ set_tar_value (hd.mtime, STABLE_EMBEDDING_TIMESTAMP, 12);
+ hd.typeflag = 'L';
+ memcpy (hd.magic, MAGIC, sizeof (hd.magic));
+ memcpy (hd.uname, "grub", 4);
+@@ -264,7 +264,7 @@ add_tar_file (const char *from,
+ memcpy (hd.gid, "0001750", 7);
+
+ set_tar_value (hd.size, size, 12);
+- set_tar_value (hd.mtime, mtime, 12);
++ set_tar_value (hd.mtime, STABLE_EMBEDDING_TIMESTAMP, 12);
+ hd.typeflag = '0';
+ memcpy (hd.magic, MAGIC, sizeof (hd.magic));
+ memcpy (hd.uname, "grub", 4);
+--
+2.43.0
+
diff --git a/0002-mkstandalone-ensure-deterministic-tar-file-creation-.patch b/0002-mkstandalone-ensure-deterministic-tar-file-creation-.patch
new file mode 100644
index 0000000..991dc3f
--- /dev/null
+++ b/0002-mkstandalone-ensure-deterministic-tar-file-creation-.patch
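Review bot: In 0001, the `#define STABLE_EMBEDDING_TIMESTAMP 1420070400` added near the top of util/grub-mkstandalone.c is a local copy of a value that, going by the commit message, util/mkimage already uses, so the two can drift apart and the generated images would quietly stop sharing one timestamp. Consider moving the macro to a header both utilities include, or at least extending the comment to `/* use 2015-01-01T00:00:00+0000 as a stock timestamp; keep in sync with util/mkimage */`. The constant also takes no account of SOURCE_DATE_EPOCH; if that is deliberate, saying so in the comment would save the next reader the question. Both `set_tar_value (hd.mtime, ...)` sites shown are switched over, but the rest of add_tar_file lies outside the hunks, so any other use of the file mtime cannot be ruled out from here.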
@@ -0,0 +1,75 @@
+From bb9bbe0f66a8462a1b2477fbc2aa1d70973035d4 Mon Sep 17 00:00:00 2001
+From: Michael Chang
+Date: Thu, 30 Nov 2023 16:30:45 +0800
+Subject: [PATCH 2/2] mkstandalone: ensure deterministic tar file creation by
+ sorting contents
+
+The add_tar_files() function currently iterates through a directory's
+content using readdir(), which doesn't guarantee a specific order. This
+lack of deterministic behavior impacts reproducibility in the build
+process.
+
+This commit resolves the issue by introducing sorting functionality. The
+list retrieved by readdir() is now sorted alphabetically before
+incorporation into the tar archive, ensuring consistent and predictable
+file ordering within the archive.
+
+Signed-off-by: Michael Chang
+Signed-off-by: Bernhard Wiedemann
+---
+ util/grub-mkstandalone.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/util/grub-mkstandalone.c b/util/grub-mkstandalone.c
+index 8e1229925..e4b5bcab4 100644
+--- a/util/grub-mkstandalone.c
++++ b/util/grub-mkstandalone.c
+@@ -205,22 +205,42 @@ add_tar_file (const char *from,
+ {
+ grub_util_fd_dir_t d;
+ grub_util_fd_dirent_t de;
++ char **from_files;
++ grub_size_t alloc = 8, used = 0;
++ grub_size_t i;
+
+ d = grub_util_fd_opendir (from);
+
++ from_files = xmalloc (alloc * sizeof (*from_files));
+ while ((de = grub_util_fd_readdir (d)))
+ {
+- char *fp, *tfp;
+ if (strcmp (de->d_name, ".") == 0)
+ continue;
+ if (strcmp (de->d_name, "..") == 0)
+ continue;
+- fp = grub_util_path_concat (2, from, de->d_name);
+- tfp = xasprintf ("%s/%s", to, de->d_name);
++ if (alloc <= used)
++ {
++ alloc <<= 1;
++ from_files = xrealloc (from_files, alloc * sizeof (*from_files));
++ }
++ from_files[used++] = xstrdup(de->d_name);
++ }
++ qsort (from_files, used, sizeof (*from_files), grub_qsort_strcmp);
++
++ for (i = 0; i < used; i++)
++ {
++ char *fp, *tfp;
++
++ fp = grub_util_path_concat (2, from, from_files[i]);
++ tfp = xasprintf ("%s/%s", to, from_files[i]);
+ add_tar_file (fp, tfp);
++ free (tfp);
+ free (fp);
++ free (from_files[i]);
+ }
++
+ grub_util_fd_closedir (d);
++ free (from_files);
+ free (tcn);
+ return;
+ }
+--
+2.43.0
+
diff --git a/grub2.changes b/grub2.changes
index f4d8de7..9d0fcba 100644
--- a/grub2.changes
+++ b/grub2.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Nov 30 09:41:10 UTC 2023 - Michael Chang
+
+- Fix reproducible build for grub.xen (bsc#1217619)
+ * 0001-mkstandalone-ensure-stable-timestamps-for-generated-.patch
+ * 0002-mkstandalone-ensure-deterministic-tar-file-creation-.patch
+
 -------------------------------------------------------------------
 Wed Nov 22 09:25:23 UTC 2023 - Michael Chang
diff --git a/grub2.spec b/grub2.spec
index d36e5dd..809f22c 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -397,6 +397,8 @@ Patch204: 0001-Improve-TPM-key-protection-on-boot-interruptions.patch
 Patch205: 0002-Restrict-file-access-on-cryptodisk-print.patch
 Patch206: 0003-Restrict-ls-and-auto-file-completion-on-cryptodisk-p.patch
 Patch207: 0004-Key-revocation-on-out-of-bound-file-access.patch
+Patch208: 0001-mkstandalone-ensure-stable-timestamps-for-generated-.patch
+Patch209: 0002-mkstandalone-ensure-deterministic-tar-file-creation-.patch
 Requires: gettext-runtime
 %if 0%{?suse_version} >= 1140
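Review bot: In 0002, the directory handle `d` is still closed only after the second loop, so every level of the recursive `add_tar_file (fp, tfp)` call keeps a directory open even though all names have already been copied into `from_files`; moving `grub_util_fd_closedir (d);` to directly after the `while` loop would bound the number of open handles on deep trees. The result of `grub_util_fd_opendir (from)` is also handed to `grub_util_fd_readdir` without a check in the lines shown, so it is worth confirming how a failed open is handled, since an unreadable directory should fail the build rather than produce an incomplete image. A small style point: `xstrdup(de->d_name)` lacks the space before the parenthesis that the rest of the hunk uses. The enclosing add_tar_file body starts and ends outside the hunk.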