From nobody Sat Feb 7 21:16:01 2026 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 7790B35E544; Mon, 2 Feb 2026 11:06:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=13.77.154.182 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770030402; cv=none; b=TEbpam/P+lPHg3cDFiw7dWTx/lfsqFDNvAL8cGbP/n9mG3BLtX+/BDrdT8ZfiXdaqhNEnJZVX65lHo6TsqnxR3SNGAGlzip78P20+LpNQnWZys/JCTXYzLtE1EZQ74bK/RNYfmuJgivJer2D+3OF5miOGjllW1zWzLqx/apSLW0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770030402; c=relaxed/simple; bh=20XLJ8vTV6VFM74zVheFIqma4qoPLb9CMtF7SJhQTYc=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=Fl6N4LWDsYaTkXmCDzaSBSw4e4RNDz3p3Bg6bQlm908oOFSZUD0hOX/GsmizuV7+uafNnySvUtHmDaRMZZ3Mlmsl7jSib6IZ7Cg1eiAxs+22v+FarFJ+ad+i8wYVmS9vuWjGf7oz88EavY0ofNpCGIRKvmxeYRfv2GCph9w9ROE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.microsoft.com; spf=pass smtp.mailfrom=linux.microsoft.com; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b=rDLRrBIC; arc=none smtp.client-ip=13.77.154.182 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.microsoft.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.microsoft.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="rDLRrBIC" Received: from CPC-namja-026ON.redmond.corp.microsoft.com (unknown [4.213.232.19]) by linux.microsoft.com (Postfix) with ESMTPSA id 2C45720B7167; Mon, 2 Feb 2026 03:06:34 -0800 (PST) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 2C45720B7167 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1770030400; bh=YK1bIPZnnWv7pQYIyhk35+mOVNMBab8mq9bTqqdASAg=; h=From:To:Cc:Subject:Date:From; b=rDLRrBIC+PuwHWuZRDUn1bNSeLTo7bn6JCiV/ZM1HvjeiM6WLaX53h53yDp6MvcWb vXyWWf4Moz8HSk4Ogpv1PSyNJ3j1GZOIWriHLA7pVpZWmpfotYkVhOAxbknZEK/kTL mGi7sIcvYoGJMxF5ZqiIHh8Lf0Hp3cZYreq6HUEU= From: Naman Jain To: Nathan Chancellor , Nicolas Schier , Catalin Marinas , Will Deacon , Andy Lutomirski , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H . Peter Anvin" Cc: Masahiro Yamada , Miguel Ojeda , thomas.weissschuh@linutronix.de, Tamir Duberstein , Steven Rostedt , Naman Jain , Kees Cook , Ard Biesheuvel , linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Saurabh Singh Sengar Subject: [RFC PATCH] kbuild: Make --build-id linker flag configurable Date: Mon, 2 Feb 2026 11:06:31 +0000 Message-ID: <20260202110631.978412-1-namjain@linux.microsoft.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Build ID hashes include file paths, so building the same source from different directories produces different binaries. This breaks reproducible builds. Add KBUILD_BUILD_ID variable (default: sha1) to allow overriding: make KBUILD_BUILD_ID=3Dnone The variable is exported to VDSO Makefiles which also include a fallback default for standalone invocation. Signed-off-by: Naman Jain --- Hi, Sending this change for RFC, as it is quite possible that this is a generic problem and I may be missing something. I am trying to implement reproducible builds for one of my product kernel. I referred https://reproducible-builds.org/docs/build-path/ and tried to use both -fdebug-prefix-map=3DOLD=3DNEW and -fmacro-prefix-map=3DOLD=3DNEW, but still could not achieve bit by bit binary reproducibility without overwriting build-id to none.=20 If I move the kernel to same path in other setup, I was able to create same binary hash, however, without it, there is some difference in build-id hash values. Reproducibility wiki says "In most cases however, post-processing is required to either remove the build path or to normalize it to a predefined value.". I have tried that, and it works, but wanted to conclude if that is my last option here. Thanks. --- Makefile | 8 ++++++-- arch/arm64/kernel/vdso/Makefile | 5 ++++- arch/arm64/kernel/vdso32/Makefile | 5 ++++- arch/x86/entry/vdso/Makefile | 5 ++++- 4 files changed, 18 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile index 3373308d2217c..3fcff4af200d7 100644 --- a/Makefile +++ b/Makefile @@ -1132,8 +1132,12 @@ KBUILD_AFLAGS +=3D $(KAFLAGS) KBUILD_CFLAGS +=3D $(KCFLAGS) KBUILD_RUSTFLAGS +=3D $(KRUSTFLAGS) =20 -KBUILD_LDFLAGS_MODULE +=3D --build-id=3Dsha1 -LDFLAGS_vmlinux +=3D --build-id=3Dsha1 +# Can be overridden for reproducible builds by using "make KBUILD_BUILD_ID= =3Dnone" +KBUILD_BUILD_ID ?=3D sha1 +export KBUILD_BUILD_ID + +KBUILD_LDFLAGS_MODULE +=3D --build-id=3D$(KBUILD_BUILD_ID) +LDFLAGS_vmlinux +=3D --build-id=3D$(KBUILD_BUILD_ID) =20 KBUILD_LDFLAGS +=3D -z noexecstack ifeq ($(CONFIG_LD_IS_BFD),y) diff --git a/arch/arm64/kernel/vdso/Makefile b/arch/arm64/kernel/vdso/Makef= ile index 7dec05dd33b70..b3ee5982b4676 100644 --- a/arch/arm64/kernel/vdso/Makefile +++ b/arch/arm64/kernel/vdso/Makefile @@ -9,6 +9,9 @@ # Include the generic Makefile to check the built vdso. include $(srctree)/lib/vdso/Makefile.include =20 +# Fallback for standalone builds, normally inherited from top-level Makefi= le +KBUILD_BUILD_ID ?=3D sha1 + obj-vdso :=3D vgettimeofday.o note.o sigreturn.o vgetrandom.o vgetrandom-c= hacha.o =20 # Build rules @@ -22,7 +25,7 @@ btildflags-$(CONFIG_ARM64_BTI_KERNEL) +=3D -z force-bti # routines, as x86 does (see 6f121e548f83 ("x86, vdso: Reimplement vdso.so # preparation in build-time C")). ldflags-y :=3D -shared -soname=3Dlinux-vdso.so.1 \ - -Bsymbolic --build-id=3Dsha1 -n $(btildflags-y) + -Bsymbolic --build-id=3D$(KBUILD_BUILD_ID) -n $(btildflags-y) =20 ifdef CONFIG_LD_ORPHAN_WARN ldflags-y +=3D --orphan-handling=3D$(CONFIG_LD_ORPHAN_WARN_LEVEL) diff --git a/arch/arm64/kernel/vdso32/Makefile b/arch/arm64/kernel/vdso32/M= akefile index 9d0efed91414c..991aed67e65a2 100644 --- a/arch/arm64/kernel/vdso32/Makefile +++ b/arch/arm64/kernel/vdso32/Makefile @@ -5,6 +5,9 @@ =20 include $(srctree)/lib/vdso/Makefile.include =20 +# Fallback for standalone builds, normally inherited from top-level Makefi= le +KBUILD_BUILD_ID ?=3D sha1 + # Same as cc-*option, but using CC_COMPAT instead of CC ifeq ($(CONFIG_CC_IS_CLANG), y) CC_COMPAT ?=3D $(CC) @@ -87,7 +90,7 @@ VDSO_AFLAGS +=3D -D__ASSEMBLY__ # From arm vDSO Makefile VDSO_LDFLAGS +=3D -Bsymbolic --no-undefined -soname=3Dlinux-vdso.so.1 VDSO_LDFLAGS +=3D -z max-page-size=3D4096 -z common-page-size=3D4096 -VDSO_LDFLAGS +=3D -shared --build-id=3Dsha1 +VDSO_LDFLAGS +=3D -shared --build-id=3D$(KBUILD_BUILD_ID) VDSO_LDFLAGS +=3D --orphan-handling=3D$(CONFIG_LD_ORPHAN_WARN_LEVEL) =20 =20 diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile index f247f5f5cb44d..fefddc91b41ea 100644 --- a/arch/x86/entry/vdso/Makefile +++ b/arch/x86/entry/vdso/Makefile @@ -6,6 +6,9 @@ # Include the generic Makefile to check the built vDSO: include $(srctree)/lib/vdso/Makefile.include =20 +# Fallback for standalone builds, normally inherited from top-level Makefi= le +KBUILD_BUILD_ID ?=3D sha1 + # Files to link into the vDSO: vobjs-y :=3D vdso-note.o vclock_gettime.o vgetcpu.o vgetrandom.o vgetrando= m-chacha.o vobjs32-y :=3D vdso32/note.o vdso32/system_call.o vdso32/sigreturn.o @@ -155,7 +158,7 @@ quiet_cmd_vdso =3D VDSO $@ $(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \ -T $(filter %.lds,$^) $(filter %.o,$^) =20 -VDSO_LDFLAGS =3D -shared --hash-style=3Dboth --build-id=3Dsha1 --no-undefi= ned \ +VDSO_LDFLAGS =3D -shared --hash-style=3Dboth --build-id=3D$(KBUILD_BUILD_I= D) --no-undefined \ $(call ld-option, --eh-frame-hdr) -Bsymbolic -z noexecstack =20 quiet_cmd_vdso_and_check =3D VDSO $@ base-commit: 63804fed149a6750ffd28610c5c1c98cce6bd377 --=20 2.43.0