From 9dd20575b3915ffddbac50f5df35024bc8449d6d Mon Sep 17 00:00:00 2001
From: Philip Hayes
Date: Thu, 1 Feb 2024 11:44:36 +0800
Subject: [PATCH] sgx-sdk: disable mtime in bundled zip file for reproducible builds

Context: The `aesm_service` binary depends on a vendored library called `CppMicroServices`. At build time, this lib creates and then bundles service resources into a zip file and then embeds this zip into the binary. Without changes, the `aesm_service` will be different after every build because the embedded zip file contents have different modified times. All credits to @haraldh for this patch <3
---
 pkgs/os-specific/linux/sgx/psw/default.nix | 2 +-
 .../sgx/sdk/cppmicroservices-no-mtime.patch | 26 +++++++++++++++++++
 pkgs/os-specific/linux/sgx/sdk/default.nix | 9 +++++++
 3 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch

diff --git a/pkgs/os-specific/linux/sgx/psw/default.nix b/pkgs/os-specific/linux/sgx/psw/default.nix
index 57bf3b095c7b..42e00071d810 100644
--- a/pkgs/os-specific/linux/sgx/psw/default.nix
+++ b/pkgs/os-specific/linux/sgx/psw/default.nix
@@ -14,7 +14,7 @@
 , debug ? false
 }:
 stdenv.mkDerivation rec {
- inherit (sgx-sdk) version versionTag src;
+ inherit (sgx-sdk) patches src version versionTag;
 pname = "sgx-psw";
 
 postUnpack =
diff --git a/pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch b/pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch
new file mode 100644
index 000000000000..019f58927152
--- /dev/null
+++ b/pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch
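Review bot: The new `inherit (sgx-sdk) patches src version versionTag;` line couples the PSW build to whatever the SDK derivation lists in `patches` — currently `./disable-downloads.patch` plus the new mtime patch, per the sdk/default.nix hunk — and nothing at this line says why a PSW build wants the SDK's patch set. A one-line comment would stop the next maintainer from "simplifying" it away: `# patches: reuse the SDK patch list (same src); the reproducible-zip patch must apply to this build too`. Any SDK-only patch added later will also be applied here, so the SDK side needs to keep that coupling in mind.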
@@ -0,0 +1,26 @@
+diff --git a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
+index aee499e9..13fa89d4 100644
+--- a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
++++ b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
+@@ -105,7 +105,7 @@ bool BundleResourceContainer::GetStat(int index,
+ const_cast(&m_ZipArchive), index)
+ ? true
+ : false;
+- stat.modifiedTime = zipStat.m_time;
++ stat.modifiedTime = 0;
+ stat.crc32 = zipStat.m_crc32;
+ // This will limit the size info from uint64 to uint32 on 32-bit
+ // architectures. We don't care because we assume resources > 2GB
+diff --git a/external/CppMicroServices/third_party/miniz.c b/external/CppMicroServices/third_party/miniz.c
+index 6b0ebd7a..fa2aebca 100644
+--- a/external/CppMicroServices/third_party/miniz.c
++++ b/external/CppMicroServices/third_party/miniz.c
+@@ -170,7 +170,7 @@
+ // If MINIZ_NO_TIME is specified then the ZIP archive functions will not be able to get the current time, or
+ // get/set file times, and the C run-time funcs that get/set times won't be called.
+ // The current downside is the times written to your archives will be from 1979.
+-//#define MINIZ_NO_TIME
++#define MINIZ_NO_TIME
+
+ // Define MINIZ_NO_ARCHIVE_APIS to disable all ZIP archive API's.
+ //#define MINIZ_NO_ARCHIVE_APIS
diff --git a/pkgs/os-specific/linux/sgx/sdk/default.nix b/pkgs/os-specific/linux/sgx/sdk/default.nix
index 2f6d0a728361..67489ee3c07c 100644
--- a/pkgs/os-specific/linux/sgx/sdk/default.nix
+++ b/pkgs/os-specific/linux/sgx/sdk/default.nix
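Review bot: The two inner hunks of the new patch file are coupled but nothing in the file says so: defining `MINIZ_NO_TIME` in miniz.c presumably removes the time field from the zip stat struct, which is why `GetStat` must stop reading `zipStat.m_time` and write `stat.modifiedTime = 0` instead; if either half is dropped on a future rebase, the build breaks or per-build mtimes quietly come back. Add a short description above the first `diff --git` line (git apply ignores leading text) that names both halves, states the reproducibility goal, and notes, as the miniz comment in the hunk already does, that archive entries then carry a fixed 1979-era timestamp rather than none. Both patched functions continue outside their inner hunks, so the description should also say the change is limited to these two lines.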
@@ -49,6 +49,15 @@ stdenv.mkDerivation rec {
 # and applies some patches to the in-repo git submodules. This patch removes
 # the parts that download things, since we can't do that inside the sandbox.
 ./disable-downloads.patch
+
+ # This patch disable mtime in bundled zip file for reproducible builds.
+ #
+ # Context: The `aesm_service` binary depends on a vendored library called
+ # `CppMicroServices`. At build time, this lib creates and then bundles
+ # service resources into a zip file and then embeds this zip into the
+ # binary. Without changes, the `aesm_service` will be different after every
+ # build because the embedded zip file contents have different modified times.
+ ./cppmicroservices-no-mtime.patch
 ];
 
 postPatch = ''
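Review bot: The comment block above `./cppmicroservices-no-mtime.patch` says `disable` where it should say `disables`, and it explains the fix in terms of `aesm_service` without saying that the patch only reaches that binary because the PSW derivation inherits this `patches` list (the `inherit (sgx-sdk) patches …` change in psw/default.nix in this same commit); a reader of this file alone will wonder why an SDK patch talks about a service binary. Suggest `# This patch disables mtime in the bundled zip file for reproducible builds.` for the first line and a closing line such as `# The PSW derivation inherits this patch list, so the fix applies there too.` The `patches` attribute itself starts above this hunk.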