Reproducible build: introduce a tool to help reproducible build

[longlongyang]

fix #256

1. Introduce a reproducible tool, td-reproducible-tool, to help reproducible
2. Add strip = "symbols" to cargo.toml in root workspace to remove symbols

Signed-off-by: Longlong Yang longlong.yang@intel.com

[gaojiaqi7]

The CI failure caused by secure boot verification is due to strip = "symbols", there may be some hidden optimizations which are not compatible with the new setting

[jiangliu]

Could 2, 3, 4 also be solved by using build container to normalize the build env?

[jyao1]

It is based upon the definition of "reproducible build".

In our definition, "reproducible build" means
A) Release build
B) Build with same code and version
C) Build with same compiler and version
D) Build at different time.
E) Build at different directory/path <==

If we normalize the build, then E) is not requirement, then we don't need 2/3/4.

[jyao1]

The final design:
1 and 2 are handled by build option.
3 and 4 are handled by post-build tool as an option.
5. Timestamp is always cleared.

[jyao1]

Can we make it optional?

[longlongyang]

Can we make it optional?

It is optional now, please check the latest code change.

[jyao1]

Can we make it optional?

[longlongyang]

Can we make it optional?

It is optional now, please check the latest code change.

[jyao1]

Can we make it optional?

[longlongyang]

Can we make it optional?

It is optional now, please check the latest code change.

[jyao1]

Can we make it optional?

[longlongyang]

It is optional now, please check the latest code change.

[jyao1]

still panic?

[longlongyang]

still panic?

td-shim/td-reproducible-tool/src/main.rs

Lines 138 to 151 in c3a977b

	// No more action is needed if strip_path is not specified.
	if !strip_path {
	println!(
	"INFO: -s or --strip_path is not specified, Skipping strip related rust file path."
	);
	return Ok(());
	}
	// Check out CARGO_HOME and RUSTUP_HOME, proceed to strip rust file path.
	cargo_home = if cargo_home == "" {
	if env::var("CARGO_HOME").is_err() {
	panic!("Neither --cargo_home nor system environment for \"CARGO_HOME\" is found!\n")
	} else {
	env::var("CARGO_HOME").unwrap()

If need to strip file path(-s or --strip_path is pecified), then this two is required to set. We can't strip file path without this file path prefix known to us. So I just panic here if not found the path prefix.

[jyao1]

OK. I did not found -s or --strip_path in readme.

Please add it.

[longlongyang]

OK. I did not found -s or --strip_path in readme.

Please add it.

Sorry for forgot to update readme. Now added, please check the latest readme.md

[jyao1]

still panic?

[liuw1]

I validated reproducible build with the latest code, there are still some differences. And the secure boot issue was found in the latest CI test.

[jyao1]

@liuw1 , please file a new issue, or reopen the old issue.

[longlongyang]

I validated reproducible build with the latest code, there are still some differences. And the secure boot issue was found in the latest CI test.

This position is the where TimeDateStamp sit at, Did you run reproducible tool after every binary built?
And are you sure you observed the secure boot issue using the commit newer or equal to commit#fc436aabae?

[jyao1]

@longlongyang , I think we need update readme.md to add step for reproducible tool.
Otherwise, people may forget that step.

[longlongyang]

@longlongyang , I think we need update readme.md to add step for reproducible tool. Otherwise, people may forget that step.

Okay, will update.