Build bit-by-bit reproducible OS images with mkosi and Nix

Reproducible mkosi

Build bit-by-bit reproducible OS images

mkosi is a tool for building customized OS images. This repository shows how to use Nix to pin mkosi and required tools and build bit-by-bit reproducible OS images.

Usage

  1. Clone the repository
    git clone https://github.com/edgelesssys/reproducible-mkosi
    cd reproducible-mkosi
    
  2. Install Nix (we recommend the Determinate Systems installer)
  3. Enter a shell with mkosi and package manager tools for Fedora or Ubuntu
    nix develop .#mkosi-fedora
    # or
    nix develop .#mkosi-ubuntu
    
  4. Perform two builds and compare the output
    nix run .#diffimage fedora
    # or
    nix run .#diffimage ubuntu
    
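The two-builds-and-compare step above, written out as an added example rather than the repository's own diffimage tool: it runs one mkosi build twice with a fixed SOURCE_DATE_EPOCH and reports every output file whose SHA-256 differs between the runs. It assumes mkosi is on PATH (for instance inside the nix develop shell); the out-1/out-2 directories and the epoch value are choices made here, not taken from the repository.

```sh
#!/bin/sh
# Added example, not the repository's own diffimage tool: run the same mkosi
# build twice and compare the two output trees file by file. Assumes `mkosi`
# is on PATH (e.g. inside `nix develop .#mkosi-fedora`); out-1/out-2 and the
# SOURCE_DATE_EPOCH value are choices made here, not taken from the repository.
set -eu

# Print "PATH SHA256" for every regular file below a directory, sorted so two
# listings of identical trees compare byte-for-byte.
tree_digest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$f" "$(sha256sum "$f" | cut -d' ' -f1)"
    done )
}

# Compare two output trees. Returns 0 when every file is present with the same
# content in both, otherwise lists files that differ or are missing and returns 1.
compare_trees() {
    t1=$(mktemp); t2=$(mktemp)
    tree_digest "$1" > "$t1"
    tree_digest "$2" > "$t2"
    if cmp -s "$t1" "$t2"; then
        rm -f "$t1" "$t2"
        echo "reproducible: all files identical"
        return 0
    fi
    echo "NOT reproducible; differing or missing files:"
    diff "$t1" "$t2" | grep '^[<>]' | awk '{print $2}' | sort -u
    rm -f "$t1" "$t2"
    return 1
}

# Build the image for one distribution twice and compare. A fixed
# SOURCE_DATE_EPOCH keeps embedded timestamps identical between the two runs.
build_twice() {
    distro=$1
    export SOURCE_DATE_EPOCH=0
    for n in 1 2; do
        rm -rf "out-$n"
        mkosi -d "$distro" -O "out-$n" -f build
    done
    compare_trees out-1 out-2
}

# Usage: sh reprocheck.sh fedora  (or ubuntu); compare-only mode if given two dirs.
if [ "${1:-}" ] && [ "${2:-}" ]; then compare_trees "$1" "$2"
elif [ "${1:-}" ]; then build_twice "$1"
fi
```

A non-zero exit plus the list of differing files is the starting point for a diffoscope run on those files; a clean exit means the two builds were bit-identical.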

History of getting and keeping this reproducible

Hours of debugging went into making this fully reproducible, and there are still things left to do, especially regarding the handling of packages pulled in by the package manager of the target distro. In the following, we list some work we did upstream that explicitly fixes reproducibility issues.

Open tasks

  • Pin and archive rpm/deb packages
  • Build more parts of the confidential VM (CVM) trusted computing base (TCB) from source: firmware, kernel, packages
