kata.kata-kernel-uvm: disable CONFIG_MODULE_SIG

This config option enables signing of kernel modules. This is a source of non-reproducability. Disable it.
edgelesssys · Sep 26, 2024 · a343de3 · a343de3
1 parent b34e2ac
commit a343de3
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/packages/by-name/kata/kata-kernel-uvm/package.nix b/packages/by-name/kata/kata-kernel-uvm/package.nix
@@ -23,9 +23,11 @@ let
 
  # 1. We don't use an initrd.
  # 2. Enable dm-init, so that we can use `dm-mod.create`.
+ # 3. Disable module signing to make the build reproducable.
  substituteInPlace $config \
  --replace-fail 'CONFIG_INITRAMFS_SOURCE="initramfs.cpio.gz"' 'CONFIG_INITRAMFS_SOURCE=""' \
- --replace-fail '# CONFIG_DM_INIT is not set' 'CONFIG_DM_INIT=y'
+ --replace-fail '# CONFIG_DM_INIT is not set' 'CONFIG_DM_INIT=y' \
+ --replace-fail 'CONFIG_MODULE_SIG=y' 'CONFIG_MODULE_SIG=n'
  '';
 
  dontBuild = true;