Shawn Webb pushed to branch hardened/current/master at HardenedBSD / HardenedBSD
Commits:
faeaa25f by Warner Losh at 2025-12-28T01:16:39-07:00
kernel: MK_REPRODUCIBLE_PATHS for full paths vs /usr/src
There are many environments that you do not want the paths to be
canonicalized. For example, if I always build a product from a specific
path in a jail that's dependent on the product version, I don't want
that to be sanitized to /usr/src because when I have profiling tools run
against multiple kernels, I can't do A/B testing and results processing
if everything points to /usr/src (sadly, the profiling tools cannot
remap back to the original like gdb can). Since we need both active at
the same time, symbolic link fallbacks don't work.
We do want the rest of the build to be reproducible, however. We'll get
the same binaries if we rebuild later since we always rebuild with the
same path.
Turn them both on for maximum reproduction for environments where that
cannot be guaranteed.
Sponsored by: Netflix
Input from: emaste, ivy
Differential Revision: https://reviews.freebsd.org/D52959
- - - - -
3cd0bcc5 by Shawn Webb at 2025-12-28T10:59:44-07:00
HBSD: Some pkgbase related changes
Signed-off-by: Shawn Webb <shawn...@hardenedbsd.org>
- - - - -
2d1e8797 by Shawn Webb at 2025-12-28T11:00:04-07:00
Merge remote-tracking branch 'internal/freebsd/current/main' into hardened/current/master
Conflicts:
share/man/man5/src.conf.5 (unresolved)
share/mk/src.opts.mk (unresolved)
- - - - -
e561e15d by Shawn Webb at 2025-12-28T11:00:32-07:00
HBSD: Resolve merge conflict for share/mk/src.opts.mk
Signed-off-by: Shawn Webb <shawn...@hardenedbsd.org>
- - - - -
fb18070c by Shawn Webb at 2025-12-28T11:11:38-07:00
HBSD: Regen src.conf.5.
Signed-off-by: Shawn Webb <shawn...@hardenedbsd.org>
- - - - -
10 changed files:
- release/Makefile
- share/man/man5/src.conf.5
- share/mk/bsd.debug.mk
- share/mk/src.opts.mk
- sys/conf/kern.opts.mk
- sys/conf/kern.post.mk
- sys/conf/kmod.mk
- + tools/build/options/WITH_REPRODUCIBLE_PATHS
- usr.sbin/bsdinstall/Makefile
- usr.sbin/bsdinstall/scripts/pkgbase.in
Changes:
=====================================
release/Makefile
=====================================
@@ -266,7 +266,6 @@ disc1:
echo "./usr/freebsd-dist/$${dist} type=file uname=root gname=wheel mode=0644" >> ${.TARGET}/METALOG; \
done
.endif
-.endif
.if ${.MAKE.OS} == "FreeBSD" && (!defined(NOPKG) || empty(NOPKG))
# Install packages onto release media.
.if !defined(NOPKGBASE) || empty(NOPKGBASE)
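Review bot: The `.endif` removed after the disc1 METALOG loop is not explained by any commit message in this push, and the visible context does not show which `.if` it closed. Since the push includes a merge, confirm this is the cleanup of a doubled `.endif` and that the conditionals around the disc1 target still balance, and say so in the commit message.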
=====================================
share/man/man5/src.conf.5
=====================================
@@ -1,5 +1,5 @@
.\" DO NOT EDIT-- this file is @generated by tools/build/options/makeman.
-.Dd December 15, 2025
+.Dd December 28, 2025
.Dt SRC.CONF 5
.Os
.Sh NAME
@@ -1583,6 +1583,13 @@ option.
Exclude build metadata (such as the build time, user, or host)
from the kernel, boot loaders, and uname output, so that builds produce
bit-for-bit identical output.
+.It Va WITH_REPRODUCIBLE_PATHS
+Modify the paths encoded in binary artifacts to be standard path
+
+Normaly, the actual path is encoded in the binary. However, this makes the build
+differ depending on the path it was built from. With this option enabled, the
+paths recorded are /usr/src, regardless of the actual path. With this option
+disabled, the actual paths are recorded.
.It Va WITHOUT_RESCUE
Do not build
.Xr rescue 8 .
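Review bot: The new WITH_REPRODUCIBLE_PATHS entry carries a bare blank line between its first and second paragraph, which is not a paragraph break in mdoc source; since this file is generated, fix it in tools/build/options/WITH_REPRODUCIBLE_PATHS (or in how makeman emits paragraph breaks) and regenerate rather than editing here. The same source file is where the "Normaly" typo and the missing full stop after "standard path" need correcting.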
=====================================
share/mk/bsd.debug.mk
=====================================
@@ -16,7 +16,7 @@ MK_WERROR= no
# If reproducible build mode is enabled, map the root of the source
# directory to /usr/src and the root of the object directory to
# /usr/obj.
-.if ${MK_REPRODUCIBLE_BUILD} != "no" && !defined(DEBUG_PREFIX)
+.if ${MK_REPRODUCIBLE_PATHS} != "no" && !defined(DEBUG_PREFIX)
.if defined(SRCTOP)
DEBUG_PREFIX+= ${SRCTOP:S,/$,,}=/usr/src
.endif
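Review bot: The comment directly above the changed condition still reads "If reproducible build mode is enabled", but the test is now on MK_REPRODUCIBLE_PATHS, so the comment describes the wrong knob. Update it to name REPRODUCIBLE_PATHS, and keep the mention that the object directory is mapped to /usr/obj, since the option description only talks about /usr/src.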
=====================================
share/mk/src.opts.mk
=====================================
@@ -225,6 +225,7 @@ __DEFAULT_NO_OPTIONS = \
OFED_EXTRA \
OPENLDAP \
PORTSNAP \
+ REPRODUCIBLE_PATHS \
RPCBIND_WARMSTART_SUPPORT \
SORT_THREADS \
SPECTREV1_FIX \
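Review bot: Listing REPRODUCIBLE_PATHS under __DEFAULT_NO_OPTIONS changes behaviour for anyone who already sets WITH_REPRODUCIBLE_BUILD: the prefix mapping in bsd.debug.mk, kern.post.mk and kmod.mk is now gated only on the new option, so those builds start embedding the real source and object paths unless WITH_REPRODUCIBLE_PATHS is also set. That silently breaks bit-for-bit verification for existing consumers and leaks build paths into artifacts; either have REPRODUCIBLE_BUILD imply REPRODUCIBLE_PATHS unless explicitly disabled, or document the split prominently for users of the existing option.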
=====================================
sys/conf/kern.opts.mk
=====================================
@@ -56,6 +56,7 @@ __DEFAULT_NO_OPTIONS = \
KERNEL_RETPOLINE \
RATELIMIT \
REPRODUCIBLE_BUILD \
+ REPRODUCIBLE_PATHS \
VERIEXEC
# Some options are totally broken on some architectures. We disable them. If you
=====================================
sys/conf/kern.post.mk
=====================================
@@ -372,7 +372,7 @@ _ILINKS+= x86
_ILINKS+= i386
.endif
-.if ${MK_REPRODUCIBLE_BUILD} != "no"
+.if ${MK_REPRODUCIBLE_PATHS} != "no"
PREFIX_SYSDIR=/usr/src/sys
PREFIX_OBJDIR=/usr/obj/usr/src/${MACHINE}.${MACHINE_CPUARCH}/sys/${KERN_IDENT}
CFLAGS+= -ffile-prefix-map=${SYSDIR}=${PREFIX_SYSDIR}
=====================================
sys/conf/kmod.mk
=====================================
@@ -307,7 +307,7 @@ all: ${PROG}
beforedepend: ${_ILINKS}
beforebuild: ${_ILINKS}
-.if ${MK_REPRODUCIBLE_BUILD} != "no"
+.if ${MK_REPRODUCIBLE_PATHS} != "no"
PREFIX_SYSDIR=/usr/src/sys
CFLAGS+= -ffile-prefix-map=${SYSDIR}=${PREFIX_SYSDIR}
.if defined(KERNBUILDDIR)
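Review bot: Style point on the block guarded by the changed `.if`: `PREFIX_SYSDIR=/usr/src/sys` and the `-ffile-prefix-map=${SYSDIR}=${PREFIX_SYSDIR}` flag are repeated verbatim here and in kern.post.mk, and both copies had to be touched for this rename. Consider defining the mapping once in a shared include so that kernel and module builds cannot drift apart on which option controls it.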
=====================================
tools/build/options/WITH_REPRODUCIBLE_PATHS
=====================================
@@ -0,0 +1,6 @@
+Modify the paths encoded in binary artifacts to be standard path
+
+Normaly, the actual path is encoded in the binary. However, this makes the build
+differ depending on the path it was built from. With this option enabled, the
+paths recorded are /usr/src, regardless of the actual path. With this option
+disabled, the actual paths are recorded.
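Review bot: In the option description, "Normaly" should be "Normally" and the summary line needs a full stop ("to be a standard path."). The text also says only /usr/src is recorded, while bsd.debug.mk and kern.post.mk map the object directory to /usr/obj as well, and it does not mention that WITH_REPRODUCIBLE_BUILD no longer implies this mapping; one sentence covering each would match what the makefiles do.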
=====================================
usr.sbin/bsdinstall/Makefile
=====================================
@@ -27,6 +27,6 @@ SUBURL= latest
.endif
HardenedBSD-base.conf:
HardenedBSD-base.conf.in
- sed "s|%%PKGHOST%%|${PKGHOST}|;s|%%SUBURL%%|${SUBURL}|;s|%%KEYSDIR%%|${KEYSDIR}|" < ${.ALLSRC} > ${.TARGET}
+ sed "s|%%SUBURL%%|${SUBURL}|" < ${.ALLSRC} > ${.TARGET}
.include <
bsd.prog.mk>
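Review bot: The sed rule no longer substitutes %%PKGHOST%% or %%KEYSDIR%%, but HardenedBSD-base.conf.in is not among the changed files, so it cannot be seen here whether the template still contains those placeholders. If it does, the installed repository config would carry literal %%PKGHOST%% and %%KEYSDIR%% strings in the repository URL and fingerprints path, which breaks package fetch and signature verification; confirm the template was updated, or keep the two substitutions.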
=====================================
usr.sbin/bsdinstall/scripts/pkgbase.in
=====================================
@@ -323,6 +323,9 @@ local function pkgbase()
local repos_dir = os.getenv("BSDINSTALL_PKG_REPOS_DIR")
if not repos_dir then
repos_dir = "/usr/share/bsdinstall/"
+ assert(os.execute("mkdir -p " .. repos_dir))
+ assert(os.execute("cp /usr/share/bsdinstall/HardenedBSD-base.conf " .. repos_dir))
+
-- Since pkg always interprets fingerprints paths as relative to
-- the --rootdir we must copy the key from the host.
assert(os.execute("mkdir -p " .. chroot .. "/usr/share/keys"))
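Review bot: In the `if not repos_dir` branch, repos_dir has just been set to "/usr/share/bsdinstall/", so the added `cp /usr/share/bsdinstall/HardenedBSD-base.conf " .. repos_dir` copies the file onto itself. cp reports the source and destination as identical and exits non-zero, which makes the surrounding assert abort the installer on the default path. Either drop the copy in this branch, or point repos_dir at the intended destination before the mkdir and cp.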
@@ -355,7 +358,7 @@ local function pkgbase()
-- Enable the FreeBSD-base repository for this system.
assert(os.execute("mkdir -p " .. chroot .. "/usr/local/etc/pkg/repos"))
- assert(os.execute("echo 'FreeBSD-base: { enabled: yes }' > " .. chroot .. "/usr/local/etc/pkg/repos/FreeBSD.conf"))
+ assert(os.execute("echo 'HardenedBSD-base: { enabled: yes }' > " .. chroot .. "/usr/local/etc/pkg/repos/FreeBSD.conf"))
end
pkgbase()
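Review bot: The echo now enables `HardenedBSD-base`, but the comment above still says "Enable the FreeBSD-base repository" and the output file is still named FreeBSD.conf. Update the comment, and consider naming the file after the repository it configures so that an administrator looking in /usr/local/etc/pkg/repos can tell which repository the override applies to.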
View it on GitLab:
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/compare/39fd0de18e97d96508da0e6d2ec48d804d1f6485...fb18070cb40dfccb8564869d0b456a6207952050