Add --baobit-commit flag for build provenance #821
cbc4953 to 3ea92d3
| const GIT_ABBREV_LEN: u8 = 9; | ||
|
|
||
| pub(crate) fn generate_version(add_timestamp: bool, forced_version: Option<String>) { | ||
| fn write_if_changed(path: &str, new_data: &[u8]) { |
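Review bot: write_if_changed(path: &str, new_data: &[u8]) has no return value, so a caller cannot tell whether the file was rewritten or left alone, and any I/O failure can only be panicked on or swallowed inside the helper. Consider returning std::io::Result<bool> (true when the file was written), taking a &Path instead of &str, and adding a doc comment that says how "changed" is decided.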
I added a function we can re-use to check if files have been written before
| .open(boot1_version_file) | ||
| .expect("Can't open our version file for writing"); | ||
| vfile.write_all(&semver_code).expect("couldn't write semver to version.rs"); | ||
| // Baochip versioning is just SEMVER + BAOBIT_COMMIT. Now that |
semver has already been appended to the Precursor version of the version.rs, so we can re-use it to build the baochip version here without having to copy it.
| .expect("couldn't add baobit commit"); | ||
| } else { | ||
| // For builds that aren't built in the reproducible environment, the baobit commit is unspecified | ||
| writeln!(semver_code, "pub const BAOBIT_COMMIT: &'static str = \"unspecified\";") |
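Review bot: The fallback literal in the else branch is "unspecified", but the PR description still says the constant defaults to "unknown"; update the description and any audit documentation so a verifier matches on the string that is actually emitted. Because this value is a sentinel rather than a commit id, the audit output should flag it as a build from outside the reproducible environment instead of printing it like a hash. Minor: &'static str on a const is redundant, &str is enough (clippy: redundant_static_lifetimes).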
I hope unspecified is OK with you? I feel like this is less alarming than unknown - in an audit, I feel like "unknown" could mean the version got corrupted, whereas "unspecified" indicates intent to not specify it.
If this goes CI-clean I'll merge it - please open a new PR if you disagree with the changes! The main reason I'm merging before you can comment is it drops this into the hardware CI hopper, which I want to have run overnight.
Adds BAOBIT_COMMIT constant to boot0/boot1 version.rs, allowing the Guix build channel commit to be embedded in firmware for reproducibility verification.
- Add --baobit-commit CLI flag to xtask
- Generate BAOBIT_COMMIT in boot version files
- Display in audit command output
- Simplify versioning.rs to always write files

- add a function we can re-use to check if a file needs updating
- change the wording of the baobit commit when it's not specified to "unspecified" vs. "unknown"
Summary
This PR adds support for embedding the Guix build channel (baobit) commit hash in firmware, enabling verification of reproducible builds.
Changes
- --baobit-commit <hash> CLI flag
- BAOBIT_COMMIT constant in boot0/boot1 version.rs files; simplified to always write version files
Usage
Audit Output
Motivation
For reproducible builds via Guix, it's useful to know which version of the build toolchain (baobit channel) was used to produce a given firmware. This enables:
When --baobit-commit is not provided, the constant defaults to "unknown".
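
An added example, not code from this PR or the project: one way to validate the --baobit-commit value before it is formatted into generated source, and to classify the constant again when auditing a version.rs. The function names, the Provenance enum and the 7 to 40 hex digit rule are assumptions; only the constant's line format and the "unspecified" sentinel come from the diff above.

```rust
// Added example, not the project's code. Only the constant's line format and the
// "unspecified" sentinel come from the PR; every name below is hypothetical.

#[derive(Debug, PartialEq)]
pub enum Provenance {
    Commit(String), // plausible git commit id
    Unspecified,    // built outside the reproducible environment
    Malformed,      // constant missing, or neither sentinel nor commit id
}

/// Assumption: ids are 7..=40 hex digits (SHA-1, full or abbreviated). Hex-only
/// input cannot carry a quote, backslash or newline into the generated source.
fn is_commit_id(s: &str) -> bool {
    (7..=40).contains(&s.len()) && s.bytes().all(|b| b.is_ascii_hexdigit())
}

/// Producer side: render the line for version.rs, rejecting anything else.
pub fn render_baobit_commit(flag: Option<&str>) -> Result<String, String> {
    let value = match flag {
        None => "unspecified".to_string(),
        Some(v) if is_commit_id(v) => v.to_ascii_lowercase(),
        Some(v) => return Err(format!("--baobit-commit: not a commit id: {v:?}")),
    };
    Ok(format!("pub const BAOBIT_COMMIT: &'static str = \"{value}\";\n"))
}

/// Auditor side: recover and classify the constant from generated source text.
pub fn classify(version_rs: &str) -> Provenance {
    let prefix = "pub const BAOBIT_COMMIT: &'static str = \"";
    let value = version_rs
        .lines()
        .filter_map(|l| l.trim().strip_prefix(prefix))
        .filter_map(|rest| rest.strip_suffix("\";"))
        .next();
    match value {
        Some("unspecified") => Provenance::Unspecified,
        Some(v) if is_commit_id(v) => Provenance::Commit(v.to_string()),
        _ => Provenance::Malformed,
    }
}

fn main() {
    // Constructed inputs; the hash is a made-up sample, not a real baobit commit.
    let ok = render_baobit_commit(Some("0123456789abcdef0123456789abcdef01234567")).unwrap();
    println!("{:?}", classify(&ok));
    println!("{:?}", classify(&render_baobit_commit(None).unwrap()));
    println!("{:?}", render_baobit_commit(Some("v1.2.3")));
}
```

A verifier that only trusts reproducible builds would accept Provenance::Commit alone and compare the id against the pinned channel commit.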