kernel-builder/scripts/build-kernel-wrapper at 7f5085b3794786b94428fc1b53e8ccaa46f406b6 · freedomofpress/kernel-builder · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
#!/bin/bash

set -e
set -u
set -o pipefail


# SOURCE_DATE_EPOCH="$(git log -1 --pretty=%ct)"
# DEBUG: setting constant value to make eval easier
SOURCE_DATE_EPOCH="1309379017"
export SOURCE_DATE_EPOCH
export KBUILD_BUILD_TIMESTAMP="@${SOURCE_DATE_EPOCH}"
export DEB_BUILD_TIMESTAMP="${SOURCE_DATE_EPOCH}"
export TERM=dumb  # to omit control characters from "script" transcripts

# Build container image for kernel dependencies
IMG_NAME="fpf.local/kernel-builder"
docker build -t "$IMG_NAME" \
    --build-arg UID="$(id -u)" \
    --build-arg GID="$(id -g)" \
    .

# Configure local customizations
local_config_volume_opt=""
if [[ -n "${LINUX_LOCAL_CONFIG_PATH:-}" ]]; then
    local_config_volume_opt="-v ${LINUX_LOCAL_CONFIG_PATH}:/config:ro"
fi
local_patches_volume_opt=""
if [[ -n "${LINUX_LOCAL_PATCHES_PATH:-}" ]]; then
    local_patches_volume_opt="-v ${LINUX_LOCAL_PATCHES_PATH}:/patches:ro"
fi

# Create output dir
kernel_dir="$PWD/build"
mkdir -p -m 755 "$kernel_dir"

# TODO: It'd be great to pass `-i` here so the builds can be cancelled,
# but that breaks reprotest. Pass it conditionally, depending on whether
# there's an interactive session available.
docker run --rm -t \
    -e GRSECURITY_USERNAME \
    -e GRSECURITY_PASSWORD \
    -e GRSECURITY_PATCH_TYPE \
    -e GRSECURITY \
    -e SOURCE_DATE_EPOCH \
    -e KBUILD_BUILD_TIMESTAMP \
    -e DEB_BUILD_TIMESTAMP \
    -e LINUX_MAJOR_VERSION \
    -e LOCALVERSION \
    -e TERM \
    -v "${kernel_dir}:/output:Z" \
    $local_config_volume_opt \
    $local_patches_volume_opt \
    "$IMG_NAME"

echo "Build complete. Packages can be found at:"
find "$kernel_dir" -type f | sort