From d7915e16391216f27175bfd15d8d1d2dd838101f Mon Sep 17 00:00:00 2001
From: Thierry Laurion <insurgo@riseup.net>
Date: Wed, 27 Mar 2024 16:14:31 -0400
Subject: [PATCH] OpenSSL (libcrypto): patch so that crypto/buildinfo.h
 generated by perl script contains reproducible date and fake compiler_flags 
 hardcode VERSION='reproducible_build' into generated configure script to get
 rid of generate random git abbrev 8/12 chars (could not find source) 
 patches/openssl-3.0.8.patch: clean up

tpm2-tools/tpm2-tss:
 hack configure scripts to not contain hardcoded libs and other rpath related strings, using sed instead of patching configure script like cryptsetup2 patch
  Will be clened up in other commits. Leaving here as trace for autotools sed patching for reproducible builds.

CircleCI: change working dir from project->heads so that CircleCI and local builds are from heads directory, helping reproducible builds

TODO: change other patches a well and generalize to gpg toolstack, removing patches that are a maintainership burden.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
---
 .circleci/config.yml        | 17 ++++++++++-------
 modules/tpm2-tools          | 13 ++++++++++++-
 modules/tpm2-tss            | 14 ++++++++++++++
 patches/openssl-3.0.8.patch | 35 +++++++++++++++++++++++++++++++++++
 4 files changed, 71 insertions(+), 8 deletions(-)
 create mode 100644 patches/openssl-3.0.8.patch

diff --git a/.circleci/config.yml b/.circleci/config.yml
index d0bff577..303e1121 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -45,6 +45,7 @@ jobs:
     docker:
       - image: debian:11
     resource_class: large
+    working_directory: ~/heads
     steps:
       - run:
           name: Install dependencies
@@ -53,7 +54,6 @@ jobs:
             apt update
             apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg gawk iasl m4 nasm patch python python2 python3 wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract sudo imagemagick libncurses5-dev
       - checkout
-
       - run:
           name: git reset
           command: |
@@ -120,6 +120,7 @@ jobs:
     docker:
       - image: debian:11
     resource_class: large
+    working_directory: ~/heads
     parameters:
       arch:
         type: string
@@ -138,15 +139,16 @@ jobs:
       - persist_to_workspace:
           root: ~/
           paths:
-            - project/packages/<<parameters.arch>>
-            - project/build/<<parameters.arch>>
-            - project/crossgcc/<<parameters.arch>>
-            - project/install/<<parameters.arch>>
+            - heads/packages/<<parameters.arch>>
+            - heads/build/<<parameters.arch>>
+            - heads/crossgcc/<<parameters.arch>>
+            - heads/install/<<parameters.arch>>
 
   build:
     docker:
       - image: debian:11
     resource_class: large
+    working_directory: ~/heads
     parameters:
       arch:
         type: string
@@ -167,6 +169,7 @@ jobs:
     docker:
       - image: debian:11
     resource_class: large
+    working_directory: ~/heads
     steps:
       - attach_workspace:
           at: ~/
@@ -236,13 +239,12 @@ workflows:
       # since kernel is 6.x and coreboot is git is unshared
       # We use nitropad's coreboot's fork crossgcc
       # No need to wait further for other board's cache.
-      # We reuse built modules from x230-hotp-maximized cache only
       - build_and_persist:
           name: nitropad-nv41
           target: nitropad-nv41
           subcommand: ""
           requires:
-            - x230-hotp-maximized
+            - prep_env
 
       # coreboot-git Talos II (PPC)
       - build_and_persist:
@@ -527,3 +529,4 @@ workflows:
 #          path: build/UNMAINTAINED_qemu-linuxboot/linuxboot.rom
 #      - store-artifacts:
 #          path: build/UNMAINTAINED_qemu-linuxboot/hashes.txt
+
diff --git a/modules/tpm2-tools b/modules/tpm2-tools
index 98711195..7407dae0 100644
--- a/modules/tpm2-tools
+++ b/modules/tpm2-tools
@@ -18,7 +18,18 @@ tpm2-tools_url := https://github.com/tpm2-software/tpm2-tools/releases/download/
 tpm2-tools_hash := c0b402f6a7b3456e8eb2445211e2d41c46c7e769e05fe4d8909ff64119f7a630
 
 # we have ESYS 3.0, but it doesn't figure that out on its own
-tpm2-tools_configure := ./bootstrap && ./configure \
+tpm2-tools_configure := \
+	./bootstrap \
+	&& sed -i 's/hardcode_direct=yes/hardcode_direct=no/g' configure \
+	&& sed -i 's/hardcode_libdir_flag_spec=.*/hardcode_libdir_flag_spec=" "/' configure \
+	&& sed -i 's/hardcode_minus_L=yes/hardcode_minus_L=no/g' configure \
+	&& sed -i 's/hardcode_automatic=yes/hardcode_automatic=no/g' configure \
+	&& sed -i 's/hardcode_runpath_var=yes/hardcode_runpath_var=no/g' configure \
+	&& sed -i 's/hardcode_into_libs=yes/hardcode_into_libs=no/g' configure \
+	&& sed -i 's/hardcode_direct_absolute=yes/hardcode_direct_absolute=no/g' configure \
+	&& sed -i 's/inherit_rpath=yes/inherit_rpath=no/g' configure \
+	&& sed -i "s/VERSION='.*'/VERSION='reproducible_build'/g" configure \
+	&& ./configure \
 	$(CROSS_TOOLS) \
 	--host $(MUSL_ARCH)-elf-linux \
 	--prefix "/" \
diff --git a/modules/tpm2-tss b/modules/tpm2-tss
index 0fad79ef..eb5af1b4 100644
--- a/modules/tpm2-tss
+++ b/modules/tpm2-tss
@@ -8,6 +8,20 @@ tpm2-tss_url := https://github.com/tpm2-software/tpm2-tss/releases/download/$(tp
 tpm2-tss_hash := 48305e4144dcf6d10f3b25b7bccf0189fd2d1186feafd8cd68c6b17ecf0d7912
 
 tpm2-tss_configure := aclocal && automake --add-missing && autoreconf -fi \
+	&& sed -i 's/hardcode_direct=yes/hardcode_direct=no/g' configure \
+	&& sed -i 's/hardcode_libdir_flag_spec=.*/hardcode_libdir_flag_spec=" "/' configure \
+	&& sed -i 's/hardcode_minus_L=yes/hardcode_minus_L=no/g' configure \
+	&& sed -i 's/hardcode_direct_absolute=yes/hardcode_direct_absolute=no/g' configure \
+	&& sed -i 's/hardcode_into_libs=yes/hardcode_into_libs=no/g' configure \
+	&& sed -i 's/hardcode_libdir_flag_spec_CXX=.*/hardcode_libdir_flag_spec_CXX=" "/' configure \
+	&& sed -i 's/hardcode_automatic=yes/hardcode_automatic=no/g' configure \
+	&& sed -i 's/hardcode_runpath_var=yes/hardcode_runpath_var=no/g' configure \
+	&& sed -i 's/hardcode_direct_CXX=yes/hardcode_direct_CXX=no/g' configure \
+	&& sed -i 's/hardcode_direct_absolute_CXX=yes/hardcode_direct_absolute_CXX=no/g' configure \
+	&& sed -i 's/hardcode_minus_L_CXX=yes/hardcode_minus_L_CXX=no/g' configure \
+	&& sed -i 's/hardcode_automatic_CXX=yes/hardcode_automatic_CXX=no/g' configure \
+	&& sed -i 's/inherit_rpath=yes/inherit_rpath=no/g' configure \
+	&& sed -i 's/inherit_rpath_CXX=yes/inherit_rpath_CXX=no/g' configure \
 	&& ./configure \
 	$(CROSS_TOOLS) \
 	--host $(MUSL_ARCH)-elf-linux \
diff --git a/patches/openssl-3.0.8.patch b/patches/openssl-3.0.8.patch
new file mode 100644
index 00000000..db4e79e4
--- /dev/null
+++ b/patches/openssl-3.0.8.patch
@@ -0,0 +1,35 @@
+--- ./util/mkbuildinf.pl.orig   2023-02-07 08:43:33.000000000 -0500
++++ ./util/mkbuildinf.pl	2024-03-27 14:36:49.974651246 -0400
+@@ -12,7 +12,7 @@
+ my ($cflags, $platform) = @ARGV;
+ $cflags = "compiler: $cflags";
+ 
+-my $date = gmtime($ENV{'SOURCE_DATE_EPOCH'} || time()) . " UTC";
++my $date = gmtime($ENV{'SOURCE_DATE_EPOCH'} || '0') . " UTC";
+ 
+ print <<"END_OUTPUT";
+ /*
+@@ -36,21 +36,7 @@
+  * literal
+  */
+ static const char compiler_flags[] = {
+-END_OUTPUT
+-
+-my $ctr = 0;
+-foreach my $c (split //, $cflags) {
+-    $c =~ s|([\\'])|\\$1|;
+-    # Max 16 characters per line
+-    if  (($ctr++ % 16) == 0) {
+-        if ($ctr != 1) {
+-            print "\n";
+-        }
+-        print "    ";
+-    }
+-    print "'$c',";
+-}
+-print <<"END_OUTPUT";
+-'\\0'
++    'r','e','p','r','o','d','u','c','i','b','l','e',' ','b','u','i',
++    'l','d','\\0'
+ };
+ END_OUTPUT