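## (c)2018,2021 Nikolai Kostrigin <[email protected]>
## Create an ALT docker image for reproducible build of shim binaries
# NOTE(review): "sisyphus" is a rolling tag, so this base layer itself is not
# reproducible; the package set used for the build is fixed further down by the
# apt snapshot configuration taken from shim-review. Pinning this FROM by digest
# would make the base layer reproducible as well.
FROM alt:sisyphus
# MAINTAINER is deprecated; carry the contact as an OCI label instead
LABEL org.opencontainers.image.authors="Nikolai Kostrigin <[email protected]>"
# unprivileged user that performs the download, build and comparison steps
RUN useradd builder
# git: fetch shim-review and the ALT package tree; vim-console: manual review
# of logs and diffs inside the container
RUN apt-get update && apt-get -y install \
vim-console \
git
USER builder
WORKDIR /home/builder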
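# download shim-review artifacts for apt setup and build artifacts comparison
# NOTE(review): the clone is pinned to a branch name, not a commit hash; a
# branch can move, so the commit actually reviewed should be recorded with
# this Dockerfile.
RUN git clone --branch BaseALT-shim15.5-ia32-x64-20220418 https://github.com/realnickel/shim-review.git
# setup apt for Sisyphus repository snapshot: drop the image's default sources
# and replace them with the snapshot definition shipped in shim-review.
# One logical step, so one layer.
USER root
RUN rm -rf /etc/apt/sources.list.d/* /etc/apt/sources.list \
&& cp -f /home/builder/shim-review/apt-setup/sisyphus-x86_64/sources.list \
/home/builder/shim-review/apt-setup/sisyphus-x86_64/preferences /etc/apt
# build toolchain from the snapshot.
# NOTE(review): --force-yes is a blanket override of apt's safety prompts. For
# an image whose purpose is verifying a build, the narrowest override the
# snapshot actually needs (or none) is preferable; kept as-is because the
# snapshot setup may depend on it.
RUN apt-get update && apt-get -y --force-yes install \
patch \
make \
gcc \
binutils \
libelf-devel \
dos2unix \
xxd \
wget \
openssl
USER builder
WORKDIR /home/builder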
# Package identity used for the SBAT entry written below, plus the two trees
# compared at the end: the rebuilt one and the submitted one.
ENV ALTVERSION=15.5 \
ALTRELEASE=alt1 \
BUILDDIR=/home/builder/RPM/BUILD/shim-15.5 \
SUBMITDIR=/home/builder/shim-review
# Placeholder SOURCE_DATE_EPOCH so a BuildMachine difference does not change
# the resulting sha256sum now that the package is built with plain "make"
# instead of "rpmbuild":
# https://github.com/rhboot/shim-review/issues/156#issuecomment-819631537
ENV SOURCE_DATE_EPOCH=foo
# ALT package git tree: provides the patch set and the vendor-specific data
# (certificate) used below.
# NOTE(review): fetched over plain http and pinned by tag name rather than
# commit hash; the reviewed commit should be recorded so the tree can be
# re-checked.
RUN git clone --branch 15.5-alt1 http://git.altlinux.org/gears/s/shim.git
# Upstream shim release tarball, fetched from the literal URL README.md asks
# for (no variables in it, so there is no ambiguity about what was fetched).
# NOTE(review): no checksum of the tarball is verified here; the later sha256
# comparison only shows that the rebuild matches the submission.
RUN mkdir -p /home/builder/RPM/BUILD
WORKDIR /home/builder/RPM/BUILD
RUN wget https://github.com/rhboot/shim/releases/download/15.5/shim-15.5.tar.bz2 \
&& tar -xjvf shim-15.5.tar.bz2
WORKDIR /home/builder/RPM/BUILD/shim-15.5
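# apply upstream patches taken from our distribution regular build tree back to upstream tarball source tree
# RUN for i in $(ls /home/builder/shim/.gear/*.patch); do patch -p1 < $i; done
# fill in SBAT section with ALT data
RUN echo "shim.altlinux,1,ALT Linux,shim,$ALTVERSION-$ALTRELEASE,http://git.altlinux.org/gears/s/shim.git" > data/sbat.altlinux.csv
# bring ALT vendor certificate
RUN cp /home/builder/shim/.gear/altlinux-ca.cer .
RUN mkdir -p build-ia32 build-x64
# "make ... | tee" runs under "/bin/sh -c" by default, where the RUN's exit
# status is tee's: a failed make would be masked and the build would go on to
# the comparison step with missing binaries. Make the pipeline report make's
# status instead. Every later RUN also runs under bash; they use only
# portable shell, so nothing else changes.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# build ia32 binary
WORKDIR /home/builder/RPM/BUILD/shim-15.5/build-ia32
RUN make VENDOR_CERT_FILE=../altlinux-ca.cer TOPDIR=.. \
DISABLE_REMOVABLE_LOAD_OPTIONS=1 \
ARCH=ia32 -f ../Makefile 2>&1 | tee /home/builder/build-ia32.log
# build x64 binary
WORKDIR /home/builder/RPM/BUILD/shim-15.5/build-x64
RUN make VENDOR_CERT_FILE=../altlinux-ca.cer TOPDIR=.. \
DISABLE_REMOVABLE_LOAD_OPTIONS=1 \
-f ../Makefile 2>&1 | tee /home/builder/build-x64.log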
# compare built artifacts to those submitted
WORKDIR /home/builder/shim-review
#sha256 hashes
# Print the sha256 sums of the submitted and rebuilt binaries for both arches
# and keep them in $BUILDDIR/sha256sum.shim for the reviewer.
# NOTE(review): the commands are ';'-chained and the RUN's status is that of
# the final cat, so a mismatch or a missing binary does not fail the build; the
# image is produced for manual inspection of this output.
RUN echo; \
echo '####'; \
echo 'sha256 sum comparison:'; \
echo; \
sha256sum $SUBMITDIR/shimia32.efi $BUILDDIR/build-ia32/shimia32.efi \
$SUBMITDIR/shimx64.efi $BUILDDIR/build-x64/shimx64.efi \
> $BUILDDIR/sha256sum.shim; \
cat $BUILDDIR/sha256sum.shim
# .sbat and .vendor_cert sections extraction and comparison
# For each arch: a full side-by-side hex diff of submitted vs rebuilt is written
# to $BUILDDIR/shim<arch>.hex.diff (kept on disk only, it is not printed), then
# the .sbat and .vendor_cert sections of both binaries are dumped with objdump,
# diffed side by side, and those diffs are printed. As above, diff results do
# not affect the build's exit status.
RUN for efiarch in x64 ia32; do \
echo; \
echo "####"; \
echo "Hex diff for shim${efiarch}:"; \
echo; \
hexdump -Cv $SUBMITDIR/shim${efiarch}.efi \
> $BUILDDIR/shim${efiarch}.hex.submitted; \
hexdump -Cv $BUILDDIR/build-${efiarch}/shim${efiarch}.efi \
> $BUILDDIR/shim${efiarch}.hex.rebuilt; \
diff -y $BUILDDIR/shim${efiarch}.hex.submitted \
$BUILDDIR/shim${efiarch}.hex.rebuilt \
> $BUILDDIR/shim${efiarch}.hex.diff; \
echo; \
echo "####"; \
echo "SBAT section comparison for shim$efiarch:"; \
echo; \
objdump -s -j .sbat $SUBMITDIR/shim${efiarch}.efi \
> $BUILDDIR/shim${efiarch}.sbat.submitted; \
objdump -s -j .sbat $BUILDDIR/build-${efiarch}/shim${efiarch}.efi \
> $BUILDDIR/shim${efiarch}.sbat.rebuilt; \
diff -y -w160 $BUILDDIR/shim${efiarch}.sbat.submitted \
$BUILDDIR/shim${efiarch}.sbat.rebuilt \
> $BUILDDIR/shim${efiarch}.sbat.diff; \
cat $BUILDDIR/shim${efiarch}.sbat.diff; \
echo; \
echo "####"; \
echo "VENDOR_CERT section comparison for shim${efiarch}:"; \
echo; \
objdump -s -j .vendor_cert $SUBMITDIR/shim${efiarch}.efi \
> $BUILDDIR/shim${efiarch}.vcert.submitted; \
objdump -s -j .vendor_cert $BUILDDIR/build-${efiarch}/shim${efiarch}.efi \
> $BUILDDIR/shim${efiarch}.vcert.rebuilt; \
diff -y -w160 $BUILDDIR/shim${efiarch}.vcert.submitted \
$BUILDDIR/shim${efiarch}.vcert.rebuilt \
> $BUILDDIR/shim${efiarch}.vcert.diff; \
cat $BUILDDIR/shim${efiarch}.vcert.diff; \
done
# Print the submitted vendor certificate (DER) in readable form so the
# reviewer can check the subject, validity and key of what got embedded.
RUN echo; \
echo "#####"; \
echo "VENDOR_CERT (altlinux-ca.cer):"; \
openssl x509 -in $SUBMITDIR/altlinux-ca.cer -inform der -text
# get back to home directory containing log files now for potential manual review
# RPM/BUILD/shim-15.5/... - rebuild tree based on upstream tarball
# shim/... - source git tree
# shim-review/... - submitted files
WORKDIR /home/builder