Adds reprotest to confirm reproducibility

.circleci/config.yml

@@ -10,11 +10,19 @@ jobs:
     #   - image: circleci/python:buster
     steps:
       - checkout
-      - run: mkdir -p /tmp/kernels && chmod 777 /tmp/kernels
       - run: sudo apt-get update && sudo apt-get install -y make build-essential
-      - run: ./go.sh
+      - run: make vanilla
+  # Run reprotest to confirm reproducible builds
+  reproducibility:
+    machine:
+      image: ubuntu-2004:202010-01
+    steps:
+      - checkout
+      - run: sudo apt-get update && sudo apt-get install -y make build-essential reprotest
+      - run: make reprotest
 workflows:
   version: 2
   build:
     jobs:
       - vanilla
+      - reproducibility

.gitignore

@@ -0,0 +1 @@
+build/

Dockerfile

@@ -3,6 +3,8 @@ FROM debian:stable
 ARG UID=1000
 ARG GID=1000
 ARG USERNAME=kernel-builder
+ENV KBUILD_BUILD_USER "$USERNAME"
+ENV KBUILD_BUILD_HOST "kernel-builder"
 
 RUN apt-get update && \
     apt-get install -y \
@@ -12,17 +14,18 @@ RUN apt-get update && \
 RUN apt-get install -y python3 python3-requests
 RUN apt-get install -y gnupg
 RUN apt-get install -y gcc-8-plugin-dev
+RUN apt-get install -y lsb-release
 
 RUN groupadd -g ${GID} ${USERNAME} && useradd -m -d /home/${USERNAME} -g ${GID} -u ${UID} ${USERNAME}
 
 COPY build-kernel.sh /usr/local/bin/build-kernel.sh
 COPY grsecurity-urls.py /usr/local/bin/grsecurity-urls.py
 
-RUN mkdir -p /kernel /patches
-RUN chown ${USERNAME}:${USERNAME} /kernel /patches
+RUN mkdir -p -m 0755 /kernel /patches /output
+RUN chown ${USERNAME}:${USERNAME} /kernel /patches /output
 WORKDIR /kernel
 
-VOLUME ["/kernel"]
+# VOLUME ["/kernel"]
 
 USER ${USERNAME}
 COPY pubkeys/ /tmp/pubkeys

Makefile

@@ -0,0 +1,20 @@
+.DEFAULT_GOAL := help
+
+.PHONY: vanilla
+vanilla: ## Builds latest stable kernel, unpatched
+	./scripts/build-kernel-wrapper
+
+.PHONY: grsec
+grsec: ## Builds grsecurity-patched kernel (requires credentials)
+	GRSECURITY=1 ./scripts/build-kernel-wrapper
+
+.PHONY: reprotest
+reprotest: ## Builds simple kernel multiple times to confirm reproducibility
+	./scripts/reproducibility-test
+
+.PHONY: help
+help: ## Prints this message and exits.
+	@printf "Subcommands:\n\n"
+	@perl -F':.*##\s+' -lanE '$$F[1] and say "\033[36m$$F[0]\033[0m : $$F[1]"' $(MAKEFILE_LIST) \
+		| sort \
+		| column -s ':' -t

README.md

@@ -4,20 +4,9 @@ A small suite of tools to build a Linux kernel, optionally patched with [grsecur
 
 ## Getting started
 
-Make sure you have docker installed. Then just run `./go.sh`, which contains:
-
-```
-mkdir -p /tmp/kernels
-docker run -it \
-    -e GRSECURITY_USERNAME \
-    -e GRSECURITY_PASSWORD \
-    -e GRSECURITY=1 \
-    -v /tmp/kernels:/output \
-    quay.io/conorsch/kernel-builder
-```
-
+Make sure you have docker installed. Then just run `make`.
 The script will look up the most recent stable Linux version from https://www.kernel.org
-and build that. Artifacts will be available in `/tmp/kernels/` afterward.
+and build that. Artifacts will be available in `./build/` afterward.
 
 ## Enabling grsecurity patches
 
@@ -27,7 +16,7 @@ Export your credentials:
 ```
 export GRSECURITY_USERNAME=foo
 export GRSECURITY_PASSWORD=bar
-./go.sh
+make
 ```
 
 The resulting packages will used the patch set.
@@ -36,7 +25,7 @@ The resulting packages will used the patch set.
 
 You can mount in any set of patches to be applied to the kernel
 source prior to building. Store the patches in a directory,
-then mount that directory into the container at `/patches`.
+such as `./patches/`, and those will be mounted into the container at `/patches/`.
 The build script will loop over all files in that dir and apply each
 patch prior to building.
 
@@ -50,7 +39,7 @@ Note that `make olddefconfig` will be run regardless to ensure the latest
 options have been applied.
 
 ## Where on my files?
-Check `/tmp/kernels/` on the host machine. You can mount any directory to `/output`
+Check `./build/` on the host machine. You can mount any directory to `/output`
 inside the container, and that's where the packages will be stored. By default,
 the build script attempts to save `.deb` packages and `.tar.gz`, the source tarball.
 

build-kernel.sh

@@ -7,6 +7,12 @@ set -o pipefail
 # Patching with grsecurity is disabled by default.
 # Can be renabled vai env var or cli flag.
 GRSECURITY="${GRSECURITY:-}"
+LINUX_VERSION="${LINUX_VERSION:-}"
+LINUX_CUSTOM_CONFIG="${LINUX_CUSTOM_CONFIG:-/config}"
+export SOURCE_DATE_EPOCH
+export KBUILD_BUILD_TIMESTAMP
+export DEB_BUILD_TIMESTAMP
+
 if [[ $# > 0 ]]; then
     x="$1"
     shift
@@ -18,6 +24,14 @@ if [[ $# > 0 ]]; then
     fi
 fi
 
+# If there's no output directory, then deb packages will be
+# lost in the ephemeral container.
+if [[ ! -d /output && ! -w /output ]]; then
+    echo "WARNING: Output directory /output not found" >&2
+    echo "WARNING: to save packages, you must mount /output as a volume" >&2
+    exit 1
+fi
+
 if [[ -n "$GRSECURITY" ]]; then
     LINUX_VERSION="$(/usr/local/bin/grsecurity-urls.py --print-version)"
     echo "Will include grsecurity patch for kernel $LINUX_VERSION"
@@ -26,20 +40,11 @@ else
     echo "Skipping grsecurity patch set"
 fi
 
-LINUX_VERSION="${LINUX_VERSION:-}"
 if [[ -z "$LINUX_VERSION" ]]; then
     LINUX_VERSION="$(curl -s https://www.kernel.org/ | grep -m1 -F stable: -A1 | tail -n1 | grep -oP '[\d\.]+')"
 fi
 LINUX_MAJOR_VERSION="$(cut -d. -f1 <<< "$LINUX_VERSION")"
 
-# If there's no output directory, then deb packages will be
-# lost in the ephemeral container.
-if [[ ! -d /output ]]; then
-    echo "WARNING: Output directory /output not found" >&2
-    echo "WARNING: to save packages, you must mount /output as a volume" >&2
-    exit 1
-fi
-
 echo "Fetching Linux kernel source $LINUX_VERSION"
 wget https://cdn.kernel.org/pub/linux/kernel/v${LINUX_MAJOR_VERSION}.x/linux-${LINUX_VERSION}.tar.xz
 
@@ -48,9 +53,9 @@ xz -d -v linux-${LINUX_VERSION}.tar.xz
 tar -xf linux-${LINUX_VERSION}.tar
 cd linux-${LINUX_VERSION}
 
-if [[ -e /config ]]; then
+if [[ -e "$LINUX_CUSTOM_CONFIG" ]]; then
     echo "Copying custom config for kernel source $LINUX_VERSION"
-    cp /config .config
+    cp "$LINUX_CUSTOM_CONFIG" .config
 fi
 
 if [[ -d /patches ]]; then