image: include files from git reproducibly

edgelesssys · Dec 18, 2024 · 66eaf5a · 66eaf5a
1 parent ba0b252
commit 66eaf5a
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 10 deletions.
diff --git a/bazel/mkosi/mkosi_image.bzl b/bazel/mkosi/mkosi_image.bzl
@@ -141,3 +141,18 @@ mkosi_image = rule(
     executable = False,
     toolchains = ["@constellation//bazel/mkosi:toolchain_type"],
 )
+
+# This rule packages the given sources for inclusion into a Constellation rootfs. All files in the
+# output tarball are owned by root:root, date back to the UNIX epoch, are world readable, and
+# world executable if and only if one executable bit is set on the source file. This is different
+# from pkg_tar, where the mode is a fixed octal or needs to be passed for each file individually.
+#
+# NOTE: this rule dereferences symbolic links and hard links to weed out sources of nondeterminism.
+def reproducible_tar(name, srcs = [], visibility = []):
+    native.genrule(
+        name = name,
+        srcs = srcs,
+        outs = [name + ".tar"],
+        cmd = "tar --owner=0 --group=0 --mtime='1970-01-01' --mode=a=rX --dereference --hard-dereference --create -f $@ $(SRCS)",
+        visibility = visibility,
+    )
diff --git a/image/BUILD.bazel b/image/BUILD.bazel
@@ -1,6 +1,6 @@
 load("@aspect_bazel_lib//lib:copy_file.bzl", "copy_file")
-load("@rules_pkg//:pkg.bzl", "pkg_tar")
 load("@rules_pkg//pkg:mappings.bzl", "pkg_files", "strip_prefix")
+load("//bazel/mkosi:mkosi_image.bzl", "reproducible_tar")
 
 filegroup(
     name = "sysroot_tree",
@@ -14,7 +14,7 @@ pkg_files(
     visibility = ["//visibility:public"],
 )
 
-pkg_tar(
+reproducible_tar(
     name = "sysroot_tar",
     srcs = [":sysroot"],
     visibility = ["//visibility:public"],

diff --git a/image/base/BUILD.bazel b/image/base/BUILD.bazel
@@ -1,6 +1,6 @@
 load("@aspect_bazel_lib//lib:copy_to_directory.bzl", "copy_to_directory")
 load("@rules_pkg//:pkg.bzl", "pkg_tar")
-load("//bazel/mkosi:mkosi_image.bzl", "mkosi_image")
+load("//bazel/mkosi:mkosi_image.bzl", "mkosi_image", "reproducible_tar")
 
 copy_to_directory(
     name = "rpms_lts",
@@ -33,9 +33,7 @@ copy_to_directory(
             "mkosi.finalize",
             "mkosi.postinst",
             "mkosi.prepare",
-        ] + glob([
-            "mkosi.skeleton/**",
-        ]),
+        ],
         outs = [
             kernel_variant,
             kernel_variant + ".tar",
@@ -46,6 +44,7 @@ copy_to_directory(
             kernel_variant + "-rpmdb.sqlite-wal",
         ],
         extra_trees = [
+            ":skeleton",
             "//image:sysroot_tar",
             "//image:cryptsetup_closure",
         ],
@@ -67,6 +66,13 @@ copy_to_directory(
     ]
 ]
 
+reproducible_tar(
+    name = "skeleton",
+    srcs = glob([
+        "mkosi.skeleton/**",
+    ]),
+)
+
 pkg_tar(
     name = "rpmdb",
     srcs = [

diff --git a/image/initrd/BUILD.bazel b/image/initrd/BUILD.bazel
@@ -1,17 +1,16 @@
-load("//bazel/mkosi:mkosi_image.bzl", "mkosi_image")
+load("//bazel/mkosi:mkosi_image.bzl", "mkosi_image", "reproducible_tar")
 
 mkosi_image(
     name = "initrd",
     srcs = [
         "mkosi.postinst",
-    ] + glob([
-        "mkosi.skeleton/**",
-    ]),
+    ],
     outs = [
         "image",
         "image.cpio.zst",
     ],
     extra_trees = [
+        ":skeleton",
         "//image:sysroot_tar",
         "//image:cryptsetup_closure",
         "//disk-mapper/cmd:disk-mapper-package.tar",
@@ -24,3 +23,10 @@ mkosi_image(
     ],
     visibility = ["//visibility:public"],
 )
+
+reproducible_tar(
+    name = "skeleton",
+    srcs = glob([
+        "mkosi.skeleton/**",
+    ]),
+)