microcodeAmd, microcodeIntel: fix reproducibility

2 years ago · a51fea4403
parent a9414de122
commit a51fea4403
2 changed files with 6 additions and 4 deletions
--- a/pkgs/os-specific/linux/microcode/amd.nix
+++ b/pkgs/os-specific/linux/microcode/amd.nix
@ -12,13 +12,14 @@ stdenv.mkDerivation {

  buildPhase = ''
    mkdir -p kernel/x86/microcode
-    find ${linux-firmware}/lib/firmware/amd-ucode -name \*.bin \
-      -exec sh -c 'cat {} >> kernel/x86/microcode/AuthenticAMD.bin' \;
+    find ${linux-firmware}/lib/firmware/amd-ucode -name \*.bin -print0 | sort -z |\
+      xargs -0 -I{} sh -c 'cat {} >> kernel/x86/microcode/AuthenticAMD.bin'
  '';

  installPhase = ''
    mkdir -p $out
-    echo kernel/x86/microcode/AuthenticAMD.bin | bsdcpio -o -H newc -R 0:0 > $out/amd-ucode.img
+    touch -d @$SOURCE_DATE_EPOCH kernel/x86/microcode/AuthenticAMD.bin
+    echo kernel/x86/microcode/AuthenticAMD.bin | bsdtar --uid 0 --gid 0 -cnf - -T - | bsdtar --null -cf - --format=newc @- > $out/amd-ucode.img
  '';

  meta = with lib; {
--- a/pkgs/os-specific/linux/microcode/intel.nix
+++ b/pkgs/os-specific/linux/microcode/intel.nix
@ -18,7 +18,8 @@ stdenv.mkDerivation rec {

    mkdir -p $out kernel/x86/microcode
    iucode_tool -w kernel/x86/microcode/GenuineIntel.bin intel-ucode/
-    echo kernel/x86/microcode/GenuineIntel.bin | bsdcpio -o -H newc -R 0:0 > $out/intel-ucode.img
+    touch -d @$SOURCE_DATE_EPOCH kernel/x86/microcode/GenuineIntel.bin
+    echo kernel/x86/microcode/GenuineIntel.bin | bsdtar --uid 0 --gid 0 -cnf - -T - | bsdtar --null -cf - --format=newc @- > $out/intel-ucode.img

    runHook postInstall
  '';