From f6ee247a1f0aa927e8e58da337a0bbf3deca08c9 Mon Sep 17 00:00:00 2001
From: Martin Schwaighofer
Date: Sun, 5 Dec 2021 17:19:13 +0100
Subject: [PATCH 1/4] sd-image: make firmware partition deterministic

Based on how it works for the EFI partition of an iso-image at nixos/modules/installer/cd-dvd/iso-image.nix.
---
 nixos/modules/installer/sd-card/sd-image.nix | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/installer/sd-card/sd-image.nix b/nixos/modules/installer/sd-card/sd-image.nix
index cb2522d86789..2921491c9c96 100644
--- a/nixos/modules/installer/sd-card/sd-image.nix
+++ b/nixos/modules/installer/sd-card/sd-image.nix
@@ -224,14 +224,24 @@ in
 # Create a FAT32 /boot/firmware partition of suitable size into firmware_part.img
 eval $(partx $img -o START,SECTORS --nr 1 --pairs)
 truncate -s $((SECTORS * 512)) firmware_part.img
- faketime "1970-01-01 00:00:00" mkfs.vfat -i ${config.sdImage.firmwarePartitionID} -n ${config.sdImage.firmwarePartitionName} firmware_part.img
+
+ faketime "2000-01-01 00:00:00" mkfs.vfat -i ${config.sdImage.firmwarePartitionID} -n ${config.sdImage.firmwarePartitionName} firmware_part.img

 # Populate the files intended for /boot/firmware
 mkdir firmware
 ${config.sdImage.populateFirmwareCommands}
+ find firmware -exec touch --date=2000-01-01 {} +

 # Copy the populated /boot/firmware into the SD image
- (cd firmware; mcopy -psvm -i ../firmware_part.img ./* ::)
+ (cd firmware;
+ # Force a fixed order in mcopy for better determinism, and avoid file globbing
+ for d in $(find . -type d -mindepth 1 | sort); do
+ faketime "2000-01-01 00:00:00" mmd -i ../firmware_part.img "::/$d"
+ done
+ for f in $(find . -type f | sort); do
+ mcopy -pvm -i ../firmware_part.img "$f" "::/$f"
+ done)
+
 # Verify the FAT partition before copying it.
 fsck.vfat -vn firmware_part.img
 dd conv=notrunc if=firmware_part.img of=$img seek=$START count=$SECTORS
From a1d6fd3702f78d73f7d47729f7fe28820f6b30ed Mon Sep 17 00:00:00 2001
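Review bot: The two added loops, `for d in $(find . -type d -mindepth 1 | sort)` and `for f in $(find . -type f | sort)`, still word-split and glob-expand the unquoted `$(...)` output, so a firmware file name containing whitespace or `*` is split or expanded even though the comment says globbing is avoided. The order also depends on the build locale, because `sort` runs without `LC_ALL=C`; for an image that is meant to be bit-for-bit reproducible both should be pinned, with a NUL-delimited, byte-sorted pipeline as sketched below. GNU find additionally warns when `-mindepth 1` follows `-type d`, so it is moved in front. The same two loops reappear as context in patch 4/4, and the shell script they belong to starts and ends outside this hunk.

```nix
# … unchanged: mkfs.vfat, populateFirmwareCommands, touch of the firmware tree …
(cd firmware;
# NUL-delimited and byte-sorted: names with spaces or glob characters survive,
# and the order does not depend on the locale. -d "" rather than two single
# quotes, which would end the surrounding Nix string.
find . -mindepth 1 -type d -print0 | LC_ALL=C sort -z | while IFS= read -r -d "" d; do
  faketime "2000-01-01 00:00:00" mmd -i ../firmware_part.img "::/$d"
done
find . -type f -print0 | LC_ALL=C sort -z | while IFS= read -r -d "" f; do
  mcopy -pvm -i ../firmware_part.img "$f" "::/$f"
done)
# … unchanged: fsck.vfat and dd …
```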
From: Martin Schwaighofer
Date: Sun, 5 Dec 2021 18:23:58 +0100
Subject: [PATCH 2/4] sd-image: replace faketime with --invariant for mkfs.vfat

This is done for sd-images only here, but should probably also be done for dvd-images. The --invariant arg should be a better way of making mkfs.vfat deterministic. The previous version of invoking faketime was building fine and reproducible when I was compiling an sdimage for aarch64 under emulation. It was however still logging errors: ERROR: ld.so: object '/nix/store/1c2cp2709kmvby8ql2n9946v7l52nn50-libfaketime-0.9.9/lib/libfaketime.so.1' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored. ERROR: ld.so: object '/nix/store/1c2cp2709kmvby8ql2n9946v7l52nn50-libfaketime-0.9.9/lib/libfaketime.so.1' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored. The logged errors were presumably inaccurate somehow as calling faketime was required for reproducibility, even though the log makes it looks like it failed.
---
 nixos/modules/installer/sd-card/sd-image.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/installer/sd-card/sd-image.nix b/nixos/modules/installer/sd-card/sd-image.nix
index 2921491c9c96..c6b5e43ee1f0 100644
--- a/nixos/modules/installer/sd-card/sd-image.nix
+++ b/nixos/modules/installer/sd-card/sd-image.nix
@@ -225,7 +225,7 @@ in
 eval $(partx $img -o START,SECTORS --nr 1 --pairs)
 truncate -s $((SECTORS * 512)) firmware_part.img

- faketime "2000-01-01 00:00:00" mkfs.vfat -i ${config.sdImage.firmwarePartitionID} -n ${config.sdImage.firmwarePartitionName} firmware_part.img
+ mkfs.vfat --invariant -i ${config.sdImage.firmwarePartitionID} -n ${config.sdImage.firmwarePartitionName} firmware_part.img

 # Populate the files intended for /boot/firmware
 mkdir firmware
From bacef6bb096ed0bdbeb5ffd9cb9b6960d87ea5eb Mon Sep 17 00:00:00 2001
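Review bot: On the new `mkfs.vfat --invariant` line both option values are spliced into the shell command unquoted, so a `firmwarePartitionName` containing a space or a shell metacharacter would be split or interpreted by the builder shell instead of reaching `-n` as one argument. Assuming `lib` is in scope in this module, `-n ${lib.escapeShellArg config.sdImage.firmwarePartitionName}` (and the same for `firmwarePartitionID`) closes that. A one-line comment on what the flag replaces would also help the next reader, for example `# --invariant: constant creation time without LD_PRELOAD (faketime failed to preload under emulation)`; the same comment fits the matching line in iso-image.nix in patch 3/4. The `faketime ... mmd` call added in patch 1/4 is left in place, so by the commit message's own account it may still hit the preload error under emulation.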
From: Martin Schwaighofer
Date: Mon, 6 Dec 2021 00:13:53 +0100
Subject: [PATCH 3/4] dvd-image: replace faketime with --invariant for mkfs.vfat

---
 nixos/modules/installer/cd-dvd/iso-image.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix
index 35fa45dbc014..e37142f05f41 100644
--- a/nixos/modules/installer/cd-dvd/iso-image.nix
+++ b/nixos/modules/installer/cd-dvd/iso-image.nix
@@ -421,7 +421,7 @@ let
 echo "Usage size: $usage_size"
 echo "Image size: $image_size"
 truncate --size=$image_size "$out"
- faketime "2000-01-01 00:00:00" mkfs.vfat -i 12345678 -n EFIBOOT "$out"
+ mkfs.vfat --invariant -i 12345678 -n EFIBOOT "$out"

 # Force a fixed order in mcopy for better determinism, and avoid file globbing
 for d in $(find EFI -type d | sort); do
From 0c67f190b188ba25fc087bfae33eedcc5235a762 Mon Sep 17 00:00:00 2001
From: Martin Schwaighofer
Date: Sun, 21 Aug 2022 19:15:20 +0200
Subject: [PATCH 4/4] sd-image: remove unnecessary subshell

replace the subshell surrounding this block with cd before and after

Co-authored-by: Sandro
---
 nixos/modules/installer/sd-card/sd-image.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/installer/sd-card/sd-image.nix b/nixos/modules/installer/sd-card/sd-image.nix
index c6b5e43ee1f0..ad9b803b1d1e 100644
--- a/nixos/modules/installer/sd-card/sd-image.nix
+++ b/nixos/modules/installer/sd-card/sd-image.nix
@@ -233,14 +233,15 @@ in
 find firmware -exec touch --date=2000-01-01 {} +

 # Copy the populated /boot/firmware into the SD image
- (cd firmware;
+ cd firmware
 # Force a fixed order in mcopy for better determinism, and avoid file globbing
 for d in $(find . -type d -mindepth 1 | sort); do
 faketime "2000-01-01 00:00:00" mmd -i ../firmware_part.img "::/$d"
 done
 for f in $(find . -type f | sort); do
 mcopy -pvm -i ../firmware_part.img "$f" "::/$f"
- done)
+ done
+ cd ..

 # Verify the FAT partition before copying it.
 fsck.vfat -vn firmware_part.img
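Review bot: With the subshell removed, the added `cd firmware` and `cd ..` change the working directory of the main build script, and neither is checked. If `cd firmware` ever fails while errexit is off, `find .` walks the build directory instead of the firmware tree and `cd ..` then leaves the script one level above where `fsck.vfat` and `dd` expect `firmware_part.img`. Whether the enclosing builder runs under `set -e` is not visible in this hunk; if that is not guaranteed, `cd firmware || exit 1` keeps the failure loud. The script this hunk belongs to starts and ends outside the hunk.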