Replace /bin/cp with cp for nix-build

[sbellem]

When using nix-build, /bin/cp cannot be found as there's nothing under
/bin except for sh.

Signed-off-by: Sylvain Bellemare sbellem@gmail.com

Unless there's a good reason to keep /bin/cp, it seems that simply using cp is preferable as suggested in https://discourse.nixos.org/t/bin-cp-cannot-be-found-when-using-nix-build/13683/2.

[veehaitch]

Please merge this to get one step closer to pure reproducible builds using Nix.

[veehaitch]

Related intel/SGXDataCenterAttestationPrimitives#205

[veehaitch]

@sbellem would you mind adding this commit veehaitch@f3c0892? Patching the getconf FHS path is also required to build the PSW.

[veehaitch]

@lzha101 anything we can do to get this merged?

[sbellem]

@veehaitch:

Added commit veehaitch@f3c0892

[lzha101]

When using nix-build, /bin/cp cannot be found as there's nothing under
/bin except for sh.

Note that we are using Nix instead of NixOS for reproducible build of several components only. So SGX code doesn't have such problem.

[veehaitch]

Thanks for merging this PR! 🙏🏻

Note that we are using Nix instead of NixOS for reproducible build of several components only. So SGX code doesn't have such problem.

Please note that this change helps you as much as anybody else using Nix to build your software and is not related to NixOS. In fact, it is necessary to have proper reproducibility. You just didn't run into problems with regard to absolute paths to binaries as you have been using Nix on an Ubuntu host with sandboxing disabled:

linux-sgx/linux/reproducibility/Dockerfile

Line 7 in e0cce77

&& echo 'sandbox = false' > /etc/nix/nix.conf \

From the sandbox section of nix.conf(5):

If set to true, builds will be performed in a sandboxed environment, i.e., they’re isolated from the normal file system hierarchy and will only see their dependencies in the Nix store, the temporary build directory, private versions of /proc, /dev, /dev/shm and /dev/pts (on Linux), and the paths configured with the sandbox-paths option. This is useful to prevent undeclared dependencies on files in directories such as /usr/bin. In addition, on Linux, builds run in private PID, mount, network, IPC and UTS namespaces to isolate them from other processes in the system (except that fixed-output derivations do not run in private network namespace to ensure they can access the network).

Sandboxing is enabled by default. Disabling it means your Nix builds are not hermetic and might contain additional impurities. Against this background, avoiding absolute FHS paths is even a prerequisite for having proper reproducible builds using Nix.