The Nix sandbox aims to provide a pure environment by isolating the build environment from the rest of the system.

The Nix sandbox aims to provide a pure environment by isolating the build environment from the rest of the system. However, some impurities can still affect builds inside the sandbox and lead to reproducibility issues. One of them is the filesystem.

A common example is builds that implicitly depend on inode numbering or directory entry ordering. In some cases, you might even run into a filesystem bug: a build succeeds on one machine, but fails on another with a different filesystem.

To debug these issues, you can now use nix-buildon. It lets you swap out the filesystem underneath the Nix sandbox. By running the sandbox on disorderfs, you can get a deterministic, sorted, or reverse-sorted view of directory entries. This makes it easy to check whether a build depends on filesystem behavior that should not matter in the first place.

https://github.com/katexochen/nix-buildon

I created this at #OceanSprint.

#Nix #NixOS #ReproducibleBuilds

Cool, KVM-based AMD SEV-SNP support was recently added to Cloud Hypervisor! Including support for Google's oak stage0 firmware and IGVM image format.
https://github.com/cloud-hypervisor/cloud-hypervisor/pull/7942

#ConfidentialComputing #virtualization #KVM #CloudHypervisor

Fabricked, a new attack on AMD SEV-SNP presented: software-based attack that manipulates memory routing of inter-component communication within the SoC to trick the secure processor into improperly initializing the RPM table. The root cause is a missing check in the secure processor firmware to enforce the Data Fabric is locked down.

https://fabricked-attack.github.io/

#ConfidentialComputing #CloudSecurity #AMD