airgap/Makefile

NAME := airgap
IMAGE := local/$(NAME):latest
ARCH := x86_64
TARGET := $(ARCH)
DEVICES := librem_13v4 librem_15v4
USER := $(shell id -u):$(shell id -g)
CPUS := $(shell docker run -it debian nproc)
GIT_REF := $(shell git log -1 --format=%H config)
GIT_AUTHOR := $(shell git log -1 --format=%an config)
GIT_KEY := $(shell git log -1 --format=%GP config)
GIT_EPOCH := $(shell git log -1 --format=%at config)
GIT_DATETIME := \
	$(shell git log -1 --format=%cd --date=format:'%Y-%m-%d %H:%M:%S' config)
ifeq ($(strip $(shell git status --porcelain 2>/dev/null)),)
	GIT_STATE=clean
else
	GIT_STATE=dirty
endif
VERSION := $(shell TZ=UTC0 git show --quiet --date='format-local:%Y%m%dT%H%M%SZ' --format="%cd")
RELEASE_DIR := release/$(VERSION)
CONFIG_DIR := config
BR2_EXTERNAL := $(CONFIG_DIR)/buildroot
HEADS_EXTERNAL := $(CONFIG_DIR)/heads
CACHE_DIR := build
SRC_DIR := src
OUT_DIR := out
docker = docker
executables = $(docker) git patch

include $(PWD)/config/config.env

.DEFAULT_GOAL := all

## Primary Targets

.PHONY: build
build: build-os build-fw

.PHONY: fetch
fetch: $(CACHE_DIR)/toolchain.tar
	mkdir -p build release
	$(call toolchain,$(USER),"fetch")

.PHONY: clean
clean: $(CACHE_DIR)/toolchain.tar
	$(call toolchain,$(USER),"clean")

.PHONY: mrproper
mrproper:
	docker image rm -f $(IMAGE)
	rm -rf $(CACHE_DIR)

.PHONY: build-os
build-os: $(CACHE_DIR)/toolchain.tar $(RELEASE_DIR)/airgap_$(ARCH).iso

.PHONY: build-fw
build-fw: $(CACHE_DIR)/toolchain.tar
	$(call toolchain,$(USER),"build-fw")
	mkdir -p $(RELEASE_DIR)
	for device in $(DEVICES); do \
		cp \
			$(CACHE_DIR)/heads/build/$${device}/pureboot*.rom \
			$(RELEASE_DIR)/$${device}.rom ; \
	done

## Release Targets

.PHONY: audit
audit: $(CACHE_DIR)/toolchain.tar
	mkdir -p $(CACHE_DIR)/audit
	$(call toolchain,$(USER),"audit")

.PHONY: hash
hash:
	if [ ! -f release/$(VERSION)/hashes.txt ]; then \
		openssl sha256 -r release/$(VERSION)/*.rom \
			> release/$(VERSION)/hashes.txt; \
		openssl sha256 -r release/$(VERSION)/*.iso \
			>> release/$(VERSION)/hashes.txt; \
	fi

.PHONY: verify
verify:
	mkdir -p $(CACHE_DIR)/audit/$(VERSION)
	openssl sha256 -r $(RELEASE_DIR)/*.rom \
		> $(CACHE_DIR)/audit/$(VERSION)/release_hashes.txt
	openssl sha256 -r $(RELEASE_DIR)/*.iso \
		>> $(CACHE_DIR)/audit/$(VERSION)/release_hashes.txt
	diff -q $(CACHE_DIR)/audit/$(VERSION)/release_hashes.txt $(RELEASE_DIR)/hashes.txt;

.PHONY: sign
sign: $(RELEASE_DIR)/*.rom $(RELEASE_DIR)/*.iso
	set -e; \
	for file in $^; do \
		gpg --armor --detach-sig "$${file}"; \
		fingerprint=$$(\
			gpg --list-packets $${file}.asc \
				| grep "issuer key ID" \
				| sed 's/.*\([A-Z0-9]\{16\}\).*/\1/g' \
		); \
		mv $${file}.asc $${file}.$${fingerprint}.asc; \
	done

## Development Targets

.PHONY: menuconfig
menuconfig: $(CACHE_DIR)/toolchain.tar
	$(call toolchain,$(USER),"menuconfig")
	cp $(CACHE_DIR)/buildroot/.config \
	"config/buildroot/configs/airgap_$(TARGET)_defconfig"

.PHONY: linux-menuconfig
linux-menuconfig: $(CACHE_DIR)/toolchain.tar
	$(call toolchain,$(USER),"linux-menuconfig")

.PHONY: vm
vm: $(CACHE_DIR)/toolchain.tar
	$(call toolchain,$(USER),"vm")

# Launch a shell inside the toolchain container
.PHONY: toolchain-shell
toolchain-shell: $(CACHE_DIR)/toolchain.tar
	$(call toolchain,$(USER),"bash --norc")

# Pin all packages in toolchain container to latest versions
.PHONY: toolchain-update
toolchain-update:
	docker run \
		--rm \
		--env LOCAL_USER=$(USER) \
		--platform=linux/$(ARCH) \
		--volume $(PWD)/$(CONFIG_DIR):/config \
		--volume $(PWD)/$(SRC_DIR)/toolchain/scripts:/usr/local/bin \
		--env ARCH=$(ARCH) \
		--interactive \
		--tty \
		debian@sha256:$(DEBIAN_HASH) \
		bash -c /usr/local/bin/packages-update

## Real targets

$(CACHE_DIR)/toolchain.tar:
	mkdir -p $(CACHE_DIR)
	DOCKER_BUILDKIT=1 \
	docker build \
		--tag $(IMAGE) \
		--build-arg DEBIAN_HASH=$(DEBIAN_HASH) \
		--build-arg CONFIG_DIR=$(CONFIG_DIR) \
		--build-arg SCRIPTS_DIR=$(SRC_DIR)/toolchain/scripts \
		--platform=linux/$(ARCH) \
		-f $(SRC_DIR)/toolchain/Dockerfile \
		.
	docker save "$(IMAGE)" -o "$@"

$(CACHE_DIR)/buildroot: $(CACHE_DIR)/toolchain.tar
	$(call git_clone,buildroot,$(BUILDROOT_REPO),$(BUILDROOT_REF))

$(CACHE_DIR)/heads: $(CACHE_DIR)/toolchain.tar
	$(call git_clone,heads,$(HEADS_REPO),$(HEADS_REF))

$(OUT_DIR)/airgap.iso: $(CACHE_DIR)/buildroot
	$(call apply_patches,buildroot,$(BR2_EXTERNAL)/patches)
	$(call toolchain,$(USER)," \
    	cd buildroot; \
    	make "airgap_$(TARGET)_defconfig"; \
		unset FAKETIME; \
    	make source; \
		make; \
	")
	mkdir -p $(OUT_DIR)
	cp $(CACHE_DIR)/buildroot/output/images/rootfs.iso9660 \
		$(OUT_DIR)/airgap.iso

## Make Helpers

check_executables := $(foreach exec,$(executables),\$(if \
	$(shell which $(exec)),some string,$(error "No $(exec) in PATH")))

define git_clone
	[ -d $(CACHE_DIR)/$(1) ] || git clone $(2) $(CACHE_DIR)/$(1)
	git -C $(CACHE_DIR)/$(1) checkout $(3)
	git -C $(CACHE_DIR)/$(1) rev-parse --verify HEAD | grep -q $(3) || { \
		echo 'Error: Git ref/branch collision.'; exit 1; \
	};
endef

define apply_patches
	[ -d $(2) ] && $(call toolchain,$(USER)," \
		cd $(1); \
		git restore .; \
		find /$(2) -type f -iname '*.patch' -print0 \
		| xargs -t -0 -n 1 patch -p1 --no-backup-if-mismatch -i ; \
	")
endef

define toolchain
	docker load -i $(CACHE_DIR)/toolchain.tar
	docker run \
		--rm \
		--tty \
		--interactive \
		--user=$(1) \
		--platform=linux/$(ARCH) \
		--volume $(PWD)/config:/config \
		--volume $(PWD)/$(KEY_DIR):/keys \
		--volume $(PWD)/$(SRC_DIR):/src \
		--volume $(PWD)/$(CACHE_DIR):/home/build \
		--volume $(PWD)/scripts:/usr/local/bin \
		--cpus $(CPUS) \
		--workdir /home/build \
		--env HOME=/home/build \
		--env PS1="$(NAME)-toolchain" \
		--env GNUPGHOME=/cache/.gnupg \
		--env ARCH=$(ARCH) \
		--env TARGET="$(ARCH)" \
		--env GIT_REF="$(GIT_REF)" \
		--env GIT_AUTHOR="$(GIT_AUTHOR)" \
		--env GIT_KEY="$(GIT_KEY)" \
		--env GIT_DATETIME="$(GIT_DATETIME)" \
		--env GIT_EPOCH="$(GIT_EPOCH)" \
		--env KBUILD_BUILD_USER=$(KBUILD_BUILD_USER) \
		--env KBUILD_BUILD_HOST=$(KBUILD_BUILD_HOST) \
		--env KBUILD_BUILD_VERSION=$(KBUILD_BUILD_VERSION) \
		--env KBUILD_BUILD_TIMESTAMP=$(KBUILD_BUILD_TIMESTAMP) \
		--env KCONFIG_NOTIMESTAMP=$(KCONFIG_NOTIMESTAMP) \
		--env SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
		--env FAKETIME_FMT=$(FAKETIME_FMT) \
		--env FAKETIME=$(FAKETIME) \
		--env BR2_EXTERNAL="/$(BR2_EXTERNAL)" \
		--env HEADS_EXTERNAL="/$(HEADS_EXTERNAL)" \
		--env DEVICES="$(DEVICES)" \
		--env UID="$(shell id -u)" \
		--env GID="$(shell id -g)" \
		$(IMAGE) \
		bash -c $(2)
endef
rename to airgap 2020-06-15 18:04:50 +00:00			`NAME := airgap`
			`IMAGE := local/$(NAME):latest`
big refactor bumping deps and fixing broken determinism patterns 2022-12-24 05:15:00 +00:00			`ARCH := x86_64`
			`TARGET := $(ARCH)`
bump HEADS to latest upstream from purism 2020-10-22 05:59:10 +00:00			`DEVICES := librem_13v4 librem_15v4`
big refactor bumping deps and fixing broken determinism patterns 2022-12-24 05:15:00 +00:00			`USER := $(shell id -u):$(shell id -g)`
			`CPUS := $(shell docker run -it debian nproc)`
embed build details into build as splash screen 2020-07-17 02:15:03 +00:00			`GIT_REF := $(shell git log -1 --format=%H config)`
			`GIT_AUTHOR := $(shell git log -1 --format=%an config)`
			`GIT_KEY := $(shell git log -1 --format=%GP config)`
re-embed git date for useful embed time 2020-12-16 10:02:55 +00:00			`GIT_EPOCH := $(shell git log -1 --format=%at config)`
			`GIT_DATETIME := \`
			`$(shell git log -1 --format=%cd --date=format:'%Y-%m-%d %H:%M:%S' config)`
embed build details into build as splash screen 2020-07-17 02:15:03 +00:00			`ifeq ($(strip $(shell git status --porcelain 2>/dev/null)),)`
			`GIT_STATE=clean`
			`else`
			`GIT_STATE=dirty`
			`endif`
big refactor bumping deps and fixing broken determinism patterns 2022-12-24 05:15:00 +00:00			`VERSION := $(shell TZ=UTC0 git show --quiet --date='format-local:%Y%m%dT%H%M%SZ' --format="%cd")`
			`RELEASE_DIR := release/$(VERSION)`
			`CONFIG_DIR := config`
			`BR2_EXTERNAL := $(CONFIG_DIR)/buildroot`
			`HEADS_EXTERNAL := $(CONFIG_DIR)/heads`
			`CACHE_DIR := build`
			`SRC_DIR := src`
			`OUT_DIR := out`
working qemu target and containerized vm booting 2020-06-15 08:08:20 +00:00			`docker = docker`
big refactor bumping deps and fixing broken determinism patterns 2022-12-24 05:15:00 +00:00			`executables = $(docker) git patch`

			`include $(PWD)/config/config.env`
working qemu target and containerized vm booting 2020-06-15 08:08:20 +00:00
			`.DEFAULT_GOAL := all`

			`## Primary Targets`

add release verification and signing 2020-07-19 08:31:10 +00:00			`.PHONY: build`
			`build: build-os build-fw`

working qemu target and containerized vm booting 2020-06-15 08:08:20 +00:00			`.PHONY: fetch`
big refactor bumping deps and fixing broken determinism patterns 2022-12-24 05:15:00 +00:00			`fetch: $(CACHE_DIR)/toolchain.tar`
working qemu target and containerized vm booting 2020-06-15 08:08:20 +00:00			`mkdir -p build release`
big refactor bumping deps and fixing broken determinism patterns 2022-12-24 05:15:00 +00:00			`$(call toolchain,$(USER),"fetch")`
working qemu target and containerized vm booting 2020-06-15 08:08:20 +00:00
			`.PHONY: clean`
big refactor bumping deps and fixing broken determinism patterns 2022-12-24 05:15:00 +00:00			`clean: $(CACHE_DIR)/toolchain.tar`
			`$(call toolchain,$(USER),"clean")`
working qemu target and containerized vm booting 2020-06-15 08:08:20 +00:00
add release verification and signing 2020-07-19 08:31:10 +00:00			`.PHONY: mrproper`
			`mrproper:`
updated hash format: 1.0.0rc4 2020-07-24 10:07:39 +00:00			`docker image rm -f $(IMAGE)`
big refactor bumping deps and fixing broken determinism patterns 2022-12-24 05:15:00 +00:00			`rm -rf $(CACHE_DIR)`
add release verification and signing 2020-07-19 08:31:10 +00:00
			`.PHONY: build-os`
big refactor bumping deps and fixing broken determinism patterns 2022-12-24 05:15:00 +00:00			`build-os: $(CACHE_DIR)/toolchain.tar $(RELEASE_DIR)/airgap_$(ARCH).iso`
add release verification and signing 2020-07-19 08:31:10 +00:00
			`.PHONY: build-fw`
big refactor bumping deps and fixing broken determinism patterns 2022-12-24 05:15:00 +00:00			`build-fw: $(CACHE_DIR)/toolchain.tar`
			`$(call toolchain,$(USER),"build-fw")`
add release verification and signing 2020-07-19 08:31:10 +00:00			`mkdir -p $(RELEASE_DIR)`
			`for device in $(DEVICES); do \`
			`cp \`
big refactor bumping deps and fixing broken determinism patterns 2022-12-24 05:15:00 +00:00			`$(CACHE_DIR)/heads/build/$${device}/pureboot*.rom \`
add release verification and signing 2020-07-19 08:31:10 +00:00			`$(RELEASE_DIR)/$${device}.rom ; \`
			`done`

updated hash format: 1.0.0rc4 2020-07-24 10:07:39 +00:00			`## Release Targets`

			`.PHONY: audit`
big refactor bumping deps and fixing broken determinism patterns 2022-12-24 05:15:00 +00:00			`audit: $(CACHE_DIR)/toolchain.tar`
			`mkdir -p $(CACHE_DIR)/audit`
			`$(call toolchain,$(USER),"audit")`
updated hash format: 1.0.0rc4 2020-07-24 10:07:39 +00:00
add release verification and signing 2020-07-19 08:31:10 +00:00			`.PHONY: hash`
			`hash:`
			`if [ ! -f release/$(VERSION)/hashes.txt ]; then \`
updated hash format: 1.0.0rc4 2020-07-24 10:07:39 +00:00			`openssl sha256 -r release/$(VERSION)/*.rom \`
add release verification and signing 2020-07-19 08:31:10 +00:00			`> release/$(VERSION)/hashes.txt; \`
updated hash format: 1.0.0rc4 2020-07-24 10:07:39 +00:00			`openssl sha256 -r release/$(VERSION)/*.iso \`
add release verification and signing 2020-07-19 08:31:10 +00:00			`>> release/$(VERSION)/hashes.txt; \`
			`fi`

updated hash format: 1.0.0rc4 2020-07-24 10:07:39 +00:00			`.PHONY: verify`
			`verify:`
big refactor bumping deps and fixing broken determinism patterns 2022-12-24 05:15:00 +00:00			`mkdir -p $(CACHE_DIR)/audit/$(VERSION)`
updated hash format: 1.0.0rc4 2020-07-24 10:07:39 +00:00			`openssl sha256 -r $(RELEASE_DIR)/*.rom \`
big refactor bumping deps and fixing broken determinism patterns 2022-12-24 05:15:00 +00:00			`> $(CACHE_DIR)/audit/$(VERSION)/release_hashes.txt`
updated hash format: 1.0.0rc4 2020-07-24 10:07:39 +00:00			`openssl sha256 -r $(RELEASE_DIR)/*.iso \`
big refactor bumping deps and fixing broken determinism patterns 2022-12-24 05:15:00 +00:00			`>> $(CACHE_DIR)/audit/$(VERSION)/release_hashes.txt`
			`diff -q $(CACHE_DIR)/audit/$(VERSION)/release_hashes.txt $(RELEASE_DIR)/hashes.txt;`
updated hash format: 1.0.0rc4 2020-07-24 10:07:39 +00:00
			`.PHONY: sign`
			`sign: $(RELEASE_DIR)/.rom $(RELEASE_DIR)/.iso`
allow multiple detached signatures named by fingerprint 2020-07-26 00:53:15 +00:00			`set -e; \`
updated hash format: 1.0.0rc4 2020-07-24 10:07:39 +00:00			`for file in $^; do \`
			`gpg --armor --detach-sig "$${file}"; \`
allow multiple detached signatures named by fingerprint 2020-07-26 00:53:15 +00:00			`fingerprint=$$(\`
			`gpg --list-packets $${file}.asc \`
			`\| grep "issuer key ID" \`
			`\| sed 's/.\([A-Z0-9]\{16\}\)./\1/g' \`
			`); \`
			`mv $${file}.asc $${file}.$${fingerprint}.asc; \`
updated hash format: 1.0.0rc4 2020-07-24 10:07:39 +00:00			`done`

working qemu target and containerized vm booting 2020-06-15 08:08:20 +00:00			`## Development Targets`

			`.PHONY: menuconfig`
big refactor bumping deps and fixing broken determinism patterns 2022-12-24 05:15:00 +00:00			`menuconfig: $(CACHE_DIR)/toolchain.tar`
			`$(call toolchain,$(USER),"menuconfig")`
			`cp $(CACHE_DIR)/buildroot/.config \`
			`"config/buildroot/configs/airgap_$(TARGET)_defconfig"`
working qemu target and containerized vm booting 2020-06-15 08:08:20 +00:00
safer/simpler uid/gid mapping w/ reduced build privs 2020-10-15 23:26:28 +00:00			`.PHONY: linux-menuconfig`
big refactor bumping deps and fixing broken determinism patterns 2022-12-24 05:15:00 +00:00			`linux-menuconfig: $(CACHE_DIR)/toolchain.tar`
			`$(call toolchain,$(USER),"linux-menuconfig")`
working usb, yubikeys, and some kernel hardening 2020-07-15 01:35:16 +00:00
working qemu target and containerized vm booting 2020-06-15 08:08:20 +00:00			`.PHONY: vm`
big refactor bumping deps and fixing broken determinism patterns 2022-12-24 05:15:00 +00:00			`vm: $(CACHE_DIR)/toolchain.tar`
			`$(call toolchain,$(USER),"vm")`
working qemu target and containerized vm booting 2020-06-15 08:08:20 +00:00
big refactor bumping deps and fixing broken determinism patterns 2022-12-24 05:15:00 +00:00			`# Launch a shell inside the toolchain container`
			`.PHONY: toolchain-shell`
			`toolchain-shell: $(CACHE_DIR)/toolchain.tar`
			`$(call toolchain,$(USER),"bash --norc")`

			`# Pin all packages in toolchain container to latest versions`
			`.PHONY: toolchain-update`
			`toolchain-update:`
cleaned up, updated, and more reliable package updates 2020-10-08 01:24:58 +00:00			`docker run \`
working qemu target and containerized vm booting 2020-06-15 08:08:20 +00:00			`--rm \`
big refactor bumping deps and fixing broken determinism patterns 2022-12-24 05:15:00 +00:00			`--env LOCAL_USER=$(USER) \`
			`--platform=linux/$(ARCH) \`
			`--volume $(PWD)/$(CONFIG_DIR):/config \`
			`--volume $(PWD)/$(SRC_DIR)/toolchain/scripts:/usr/local/bin \`
			`--env ARCH=$(ARCH) \`
			`--interactive \`
			`--tty \`
			`debian@sha256:$(DEBIAN_HASH) \`
			`bash -c /usr/local/bin/packages-update`

			`## Real targets`

			`$(CACHE_DIR)/toolchain.tar:`
			`mkdir -p $(CACHE_DIR)`
			`DOCKER_BUILDKIT=1 \`
			`docker build \`
			`--tag $(IMAGE) \`
			`--build-arg DEBIAN_HASH=$(DEBIAN_HASH) \`
			`--build-arg CONFIG_DIR=$(CONFIG_DIR) \`
			`--build-arg SCRIPTS_DIR=$(SRC_DIR)/toolchain/scripts \`
			`--platform=linux/$(ARCH) \`
			`-f $(SRC_DIR)/toolchain/Dockerfile \`
			`.`
			`docker save "$(IMAGE)" -o "$@"`

			`$(CACHE_DIR)/buildroot: $(CACHE_DIR)/toolchain.tar`
			`$(call git_clone,buildroot,$(BUILDROOT_REPO),$(BUILDROOT_REF))`

			`$(CACHE_DIR)/heads: $(CACHE_DIR)/toolchain.tar`
			`$(call git_clone,heads,$(HEADS_REPO),$(HEADS_REF))`

			`$(OUT_DIR)/airgap.iso: $(CACHE_DIR)/buildroot`
			`$(call apply_patches,buildroot,$(BR2_EXTERNAL)/patches)`
			`$(call toolchain,$(USER)," \`
			`cd buildroot; \`
			`make "airgap_$(TARGET)_defconfig"; \`
			`unset FAKETIME; \`
			`make source; \`
			`make; \`
			`")`
			`mkdir -p $(OUT_DIR)`
			`cp $(CACHE_DIR)/buildroot/output/images/rootfs.iso9660 \`
			`$(OUT_DIR)/airgap.iso`
working qemu target and containerized vm booting 2020-06-15 08:08:20 +00:00
			`## Make Helpers`

			`check_executables := $(foreach exec,$(executables),\$(if \`
			`$(shell which $(exec)),some string,$(error "No $(exec) in PATH")))`

big refactor bumping deps and fixing broken determinism patterns 2022-12-24 05:15:00 +00:00			`define git_clone`
			`[ -d $(CACHE_DIR)/$(1) ] \|\| git clone $(2) $(CACHE_DIR)/$(1)`
			`git -C $(CACHE_DIR)/$(1) checkout $(3)`
			`git -C $(CACHE_DIR)/$(1) rev-parse --verify HEAD \| grep -q $(3) \|\| { \`
			`echo 'Error: Git ref/branch collision.'; exit 1; \`
			`};`
			`endef`

			`define apply_patches`
			`[ -d $(2) ] && $(call toolchain,$(USER)," \`
			`cd $(1); \`
			`git restore .; \`
			`find /$(2) -type f -iname '*.patch' -print0 \`
			`\| xargs -t -0 -n 1 patch -p1 --no-backup-if-mismatch -i ; \`
			`")`
			`endef`

			`define toolchain`
			`docker load -i $(CACHE_DIR)/toolchain.tar`
			`docker run \`
working qemu target and containerized vm booting 2020-06-15 08:08:20 +00:00			`--rm \`
			`--tty \`
			`--interactive \`
big refactor bumping deps and fixing broken determinism patterns 2022-12-24 05:15:00 +00:00			`--user=$(1) \`
			`--platform=linux/$(ARCH) \`
			`--volume $(PWD)/config:/config \`
			`--volume $(PWD)/$(KEY_DIR):/keys \`
			`--volume $(PWD)/$(SRC_DIR):/src \`
			`--volume $(PWD)/$(CACHE_DIR):/home/build \`
			`--volume $(PWD)/scripts:/usr/local/bin \`
			`--cpus $(CPUS) \`
			`--workdir /home/build \`
			`--env HOME=/home/build \`
			`--env PS1="$(NAME)-toolchain" \`
			`--env GNUPGHOME=/cache/.gnupg \`
			`--env ARCH=$(ARCH) \`
			`--env TARGET="$(ARCH)" \`
embed build details into build as splash screen 2020-07-17 02:15:03 +00:00			`--env GIT_REF="$(GIT_REF)" \`
			`--env GIT_AUTHOR="$(GIT_AUTHOR)" \`
			`--env GIT_KEY="$(GIT_KEY)" \`
big refactor bumping deps and fixing broken determinism patterns 2022-12-24 05:15:00 +00:00			`--env GIT_DATETIME="$(GIT_DATETIME)" \`
			`--env GIT_EPOCH="$(GIT_EPOCH)" \`
			`--env KBUILD_BUILD_USER=$(KBUILD_BUILD_USER) \`
			`--env KBUILD_BUILD_HOST=$(KBUILD_BUILD_HOST) \`
			`--env KBUILD_BUILD_VERSION=$(KBUILD_BUILD_VERSION) \`
			`--env KBUILD_BUILD_TIMESTAMP=$(KBUILD_BUILD_TIMESTAMP) \`
			`--env KCONFIG_NOTIMESTAMP=$(KCONFIG_NOTIMESTAMP) \`
			`--env SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \`
			`--env FAKETIME_FMT=$(FAKETIME_FMT) \`
			`--env FAKETIME=$(FAKETIME) \`
			`--env BR2_EXTERNAL="/$(BR2_EXTERNAL)" \`
			`--env HEADS_EXTERNAL="/$(HEADS_EXTERNAL)" \`
			`--env DEVICES="$(DEVICES)" \`
safer/simpler uid/gid mapping w/ reduced build privs 2020-10-15 23:26:28 +00:00			`--env UID="$(shell id -u)" \`
			`--env GID="$(shell id -g)" \`
big refactor bumping deps and fixing broken determinism patterns 2022-12-24 05:15:00 +00:00			`$(IMAGE) \`
			`bash -c $(2)`
			`endef`