Lock down reproducible make targets and use in docker build

Makefile

@@ -75,10 +75,10 @@ fido2-test: venv
 	venv/bin/python tools/ctap_test.py
 
 DOCKER_IMAGE := "solokeys/solo-firmware:local"
-SOLO_VERSION := "master"
+SOLO_VERSIONISH := "master"
 docker-build:
 	docker build -t $(DOCKER_IMAGE) .
-	docker run --rm -v$(PWD)/builds:/builds -v$(PWD)/docker-build.sh:/build.sh $(DOCKER_IMAGE) /build.sh $(SOLO_VERSION)
+	docker run --rm -v$(PWD)/builds:/builds -v$(PWD)/in-docker-build.sh:/in-docker-build.sh $(DOCKER_IMAGE) /in-docker-build.sh $(SOLO_VERSIONISH)
 
 CPPCHECK_FLAGS=--quiet --error-exitcode=2
 

docker-build.sh

@@ -1,22 +0,0 @@
-#!/bin/bash -xe
-
-version=${1:-master}
-
-export PREFIX=/opt/gcc-arm-none-eabi-8-2018-q4-major/bin/
-
-cd /solo/targets/stm32l432
-git fetch
-git checkout ${version}
-version=$(git describe)
-make cbor
-make all-hacker
-
-cd /
-
-out_dir="builds"
-out_hex="solo-${version}.hex"
-out_sha2="solo-${version}.sha2"
-cp /solo/targets/stm32l432/solo.hex ${out_dir}/${out_hex}
-cd ${out_dir}
-sha256sum ${out_hex} > ${out_sha2}
-

in-docker-build.sh

@@ -0,0 +1,37 @@
+#!/bin/bash -xe
+
+version=${1:-master}
+
+export PREFIX=/opt/gcc-arm-none-eabi-8-2018-q4-major/bin/
+
+cd /solo/targets/stm32l432
+git fetch
+git checkout ${version}
+version=$(git describe)
+
+make cbor
+
+out_dir="/builds"
+
+function build() {
+    part=${1}
+    variant=${2}
+    output=${3:-${part}}
+    what="${part}-${variant}"
+
+    make full-clean
+
+    make ${what}
+
+    out_hex="${what}-${version}.hex"
+    out_sha2="${what}-${version}.sha2"
+
+    mv ${output}.hex ${out_hex}
+    sha256sum ${out_hex} > ${out_sha2}
+    cp ${out_hex} ${out_sha2} ${out_dir}
+}
+
+build bootloader nonverifying
+build bootloader verifying
+build firmware hacker solo
+build firmware secure solo

targets/stm32l432/Makefile

@@ -13,10 +13,10 @@ merge_hex=../../tools/solotool.py mergehex
 # The following are the main targets for reproducible builds.
 # TODO: better explanation
 firmware-hacker:
-	$(MAKE) -f $(APPMAKE) -j8 solo.hex PREFIX=$(PREFIX) DEBUG=$(DEBUG) EXTRA_DEFINES='-DSOLO_HACKER -DFLASH_ROP=1'
+	$(MAKE) -f $(APPMAKE) -j8 solo.hex PREFIX=$(PREFIX) DEBUG=0 EXTRA_DEFINES='-DSOLO_HACKER -DFLASH_ROP=1'
 
 firmware-secure:
-	$(MAKE) -f $(APPMAKE) -j8 solo.hex PREFIX=$(PREFIX) DEBUG=$(DEBUG) EXTRA_DEFINES='-DUSE_SOLOKEYS_CERT -DFLASH_ROP=2'
+	$(MAKE) -f $(APPMAKE) -j8 solo.hex PREFIX=$(PREFIX) DEBUG=0 EXTRA_DEFINES='-DUSE_SOLOKEYS_CERT -DFLASH_ROP=2'
 
 bootloader-nonverifying:
 	$(MAKE) -f $(BOOTMAKE) -j8 bootloader.hex PREFIX=$(PREFIX) EXTRA_DEFINES='-DSOLO_HACKER' DEBUG=0