From de31924be3e955427e456679d7d27fdbf4e3203c Mon Sep 17 00:00:00 2001
From: Nicolas Stalder
Date: Sat, 16 Feb 2019 18:46:13 +0100
Subject: [PATCH] Lock down reproducible make targets and use in docker build
---
 Makefile | 4 ++--
 docker-build.sh | 22 ----------------------
 in-docker-build.sh | 37 +++++++++++++++++++++++++++++++++++++
 targets/stm32l432/Makefile | 4 ++--
 4 files changed, 41 insertions(+), 26 deletions(-)
 delete mode 100755 docker-build.sh
 create mode 100755 in-docker-build.sh
diff --git a/Makefile b/Makefile
index bb5530f..db5ca71 100644
--- a/Makefile
+++ b/Makefile
@@ -75,10 +75,10 @@ fido2-test: venv
 venv/bin/python tools/ctap_test.py
 DOCKER_IMAGE := "solokeys/solo-firmware:local"
-SOLO_VERSION := "master"
+SOLO_VERSIONISH := "master"
 docker-build:
 docker build -t $(DOCKER_IMAGE) .
- docker run --rm -v$(PWD)/builds:/builds -v$(PWD)/docker-build.sh:/build.sh $(DOCKER_IMAGE) /build.sh $(SOLO_VERSION)
+ docker run --rm -v$(PWD)/builds:/builds -v$(PWD)/in-docker-build.sh:/in-docker-build.sh $(DOCKER_IMAGE) /in-docker-build.sh $(SOLO_VERSIONISH)
 CPPCHECK_FLAGS=--quiet --error-exitcode=2
diff --git a/docker-build.sh b/docker-build.sh
deleted file mode 100755
index 1a73535..0000000
--- a/docker-build.sh
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash -xe
-
-version=${1:-master}
-
-export PREFIX=/opt/gcc-arm-none-eabi-8-2018-q4-major/bin/
-
-cd /solo/targets/stm32l432
-git fetch
-git checkout ${version}
-version=$(git describe)
-make cbor
-make all-hacker
-
-cd /
-
-out_dir="builds"
-out_hex="solo-${version}.hex"
-out_sha2="solo-${version}.sha2"
-cp /solo/targets/stm32l432/solo.hex ${out_dir}/${out_hex}
-cd ${out_dir}
-sha256sum ${out_hex} > ${out_sha2}
-
diff --git a/in-docker-build.sh b/in-docker-build.sh
new file mode 100755
index 0000000..3b17ebd
--- /dev/null
+++ b/in-docker-build.sh
@@ -0,0 +1,37 @@
+#!/bin/bash -xe
+
+version=${1:-master}
+
+export PREFIX=/opt/gcc-arm-none-eabi-8-2018-q4-major/bin/
+
+cd /solo/targets/stm32l432
+git fetch
+git checkout ${version}
+version=$(git describe)
+
+make cbor
+
+out_dir="/builds"
+
+function build() {
+ part=${1}
+ variant=${2}
+ output=${3:-${part}}
+ what="${part}-${variant}"
+
+ make full-clean
+
+ make ${what}
+
+ out_hex="${what}-${version}.hex"
+ out_sha2="${what}-${version}.sha2"
+
+ mv ${output}.hex ${out_hex}
+ sha256sum ${out_hex} > ${out_sha2}
+ cp ${out_hex} ${out_sha2} ${out_dir}
+}
+
+build bootloader nonverifying
+build bootloader verifying
+build firmware hacker solo
+build firmware secure solo
diff --git a/targets/stm32l432/Makefile b/targets/stm32l432/Makefile
index d769a30..4bbf516 100644
--- a/targets/stm32l432/Makefile
+++ b/targets/stm32l432/Makefile
@@ -13,10 +13,10 @@ merge_hex=../../tools/solotool.py mergehex
 # The following are the main targets for reproducible builds.
 # TODO: better explanation
 firmware-hacker:
- $(MAKE) -f $(APPMAKE) -j8 solo.hex PREFIX=$(PREFIX) DEBUG=$(DEBUG) EXTRA_DEFINES='-DSOLO_HACKER -DFLASH_ROP=1'
+ $(MAKE) -f $(APPMAKE) -j8 solo.hex PREFIX=$(PREFIX) DEBUG=0 EXTRA_DEFINES='-DSOLO_HACKER -DFLASH_ROP=1'
 firmware-secure:
- $(MAKE) -f $(APPMAKE) -j8 solo.hex PREFIX=$(PREFIX) DEBUG=$(DEBUG) EXTRA_DEFINES='-DUSE_SOLOKEYS_CERT -DFLASH_ROP=2'
+ $(MAKE) -f $(APPMAKE) -j8 solo.hex PREFIX=$(PREFIX) DEBUG=0 EXTRA_DEFINES='-DUSE_SOLOKEYS_CERT -DFLASH_ROP=2'
 bootloader-nonverifying:
 $(MAKE) -f $(BOOTMAKE) -j8 bootloader.hex PREFIX=$(PREFIX) EXTRA_DEFINES='-DSOLO_HACKER' DEBUG=0
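Review bot: In in-docker-build.sh the source comes from `git fetch` followed by `git checkout ${version}` with `master` as the default, so the build input is a mutable, unverified ref and the outputs are labelled only with the `git describe` string. For artifacts that people will compare by hash, I would record the exact commit beside them once `out_dir` is set, `git rev-parse HEAD > "${out_dir}/commit-${version}.txt"`, and, if release tags are signed, run `git verify-tag` on the requested tag before building. The expansions are unquoted throughout; `git checkout "${version}"` and `mv "${output}.hex" "${out_hex}"` keep a ref or name containing whitespace or glob characters from being split into extra arguments. The `-xe` in the shebang is dropped when the script is started as `bash in-docker-build.sh`, so `set -xe` as the first statement is the safer place for it.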
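Review bot: In targets/stm32l432/Makefile the comment above `firmware-hacker` still reads `# TODO: better explanation`, and nothing says why `DEBUG` is now the literal `0` while `PREFIX` is still forwarded from the caller. Since these are the targets used to compare hashes, I would replace the TODO with `# Reproducible-build targets: DEBUG is fixed at 0 and EXTRA_DEFINES is set per variant; PREFIX (toolchain path) still comes from the caller, so hashes presumably match only with the same toolchain.` The hard-coded `-j8` on each `$(MAKE)` line is also worth a second look, because an explicit `-j` on a sub-make takes it out of the parent's jobserver; the `bootloader-nonverifying` rule may continue past the end of the hunk.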