tags 816439 + patch
thanks

Hi,

> > Contrary to: https://bugs.debian.org/816439, RANDSTRUCT is
> > actually compatible with reproducible builds, just need to
> > keep randomize_layout_seed.h.
> > https://twitter.com/grsecurity/status/704869584218685440

Holger Levsen wrote:
> seems like it should be seeded with
> https://reproducible-builds.org/specs/source-date-epoch/

Patch attached! (please read it for the long description)

I'm afraid I couldn't find where to do this in linux-grsec Git. So I've attached it in debdiff form instead.

There might still be other reproducibility issues after this.

Thanks,
Regards,
--
Steven Chamberlain
ste...@pyro.eu.org
diff -Nru linux-grsec-4.6.3/debian/patches/features/all/grsec/reproducible-randstruct.patch linux-grsec-4.6.3/debian/patches/features/all/grsec/reproducible-randstruct.patch --- linux-grsec-4.6.3/debian/patches/features/all/grsec/reproducible-randstruct.patch 1970-01-01 00:00:00.000000000 +0000 +++ linux-grsec-4.6.3/debian/patches/features/all/grsec/reproducible-randstruct.patch 2016-07-12 22:02:33.000000000 +0000 @@ -0,0 +1,29 @@ +Date: Tue, 12 Jul 2016 22:59:00 +0100 +From: Steven Chamberlain <stev...@debian.org> +Subject: make reproducible randomize_layout_seed.h + +If the SOURCE_DATE_EPOCH environment variable is defined, use the +SHA-256 hash of that value, instead of /dev/urandom, to initialise +randstruct_seed in randomize_layout_seed.h + +This allows the build to be reproducible. In order to force a new seed, +modify the SOURCE_DATE_EPOCH. (In Debian, bumping the package version +and adding a new debian/changelog entry will have that effect). + +Signed-off-by: Steven Chamberlain <stev...@debian.org> + +--- a/scripts/gcc-plugins/gen-random-seed.sh ++++ b/scripts/gcc-plugins/gen-random-seed.sh +@@ -1,7 +1,11 @@ + #!/bin/sh + + if [ ! -f "$1" ]; then +- SEED=`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'` ++ if [ ! -z "$SOURCE_DATE_EPOCH" ]; then ++ SEED=`echo -n "$SOURCE_DATE_EPOCH" | sha256sum | cut -d" " -f1` ++ else ++ SEED=`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'` ++ fi + echo "const char *randstruct_seed = \"$SEED\";" > "$1" + HASH=`echo -n "$SEED" | sha256sum | cut -d" " -f1 | tr -d ' \n'` + echo "#define RANDSTRUCT_HASHED_SEED \"$HASH\"" > "$2" diff -Nru linux-grsec-4.6.3/debian/patches/series-grsec linux-grsec-4.6.3/debian/patches/series-grsec --- linux-grsec-4.6.3/debian/patches/series-grsec 2016-07-07 05:17:23.000000000 +0000 +++ linux-grsec-4.6.3/debian/patches/series-grsec 2016-07-12 21:57:58.000000000 +0000 @@ -1 +1,2 @@ features/all/grsec/grsecurity-3.1-4.6.3-201607062159+debian.patch +features/all/grsec/reproducible-randstruct.patch
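Review bot: the patch description in the gen-random-seed.sh hunk should spell out the security trade-off it introduces: once SOURCE_DATE_EPOCH is set, `randstruct_seed` becomes a pure function of a value that is published with the package (the description itself says a new debian/changelog entry is what changes it), so anyone holding the source package can recompute the seed and therefore the struct layout of the shipped kernel. Reproducibility is achieved, but the layout secrecy RANDSTRUCT provides against an attacker who has the distributed binary is given up in exactly the case where the seed is reproducible, and that consequence belongs in the description and in the linked bug rather than being left implicit. Two smaller points in the same hunk: `[ ! -z "$SOURCE_DATE_EPOCH" ]` reads more naturally as `[ -n "$SOURCE_DATE_EPOCH" ]`, and because the seed is `sha256sum` of the epoch alone, any two packages built with the same SOURCE_DATE_EPOCH share a seed; hashing the epoch together with a package-specific string (for example the source package name and version) would keep the build reproducible while giving each package its own layout.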
_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds