Set PE/COFF timestamps to known value for reproducible builds
ClosedPublic
Actions

Authored by emaste on Aug 24 2016, 2:38 PM.

Details

Reviewers

glebius
rpokala
cperciva

Commits

rS305160: Set UEFI boot loader PE/COFF timestamps to known value for reproducible builds

Summary

As reported on the freebsd-security mailing list the EFI loader components are identified by freebsd-update builds as having changed on every build. This is due to timestamps embedded in the PE/COFF headers in the EFI files.

Use SOURCE_DATE_EPOCH to set the timestamps to a known value, arbitrarily chosen as Fri 1 Jan 2016 00:00:00 UTC.

[1] https://lists.freebsd.org/pipermail/freebsd-security/2016-August/009037.html

Diff Detail

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

emaste updated this revision to Diff 19635.Aug 24 2016, 2:38 PM

emaste retitled this revision from to Set PE/COFF timestamps to known value for reproducible builds.

emaste updated this object.

emaste edited the test plan for this revision. (Show Details)

emaste added reviewers: cperciva, glebius.

emaste added a parent revision: D7632: elfcopy: use elftc_timestamp, to support SOURCE_DATE_EPOCH.

emaste added subscribers: jkoshy_users.sourceforge.net, kaiw.

Add a comment explaining the SOURCE_DATE_EPOCH timestamp based on IRC discussion with @bapt

emaste added a subscriber: gjb.Aug 24 2016, 2:50 PM

Timestamps can be checked with objdump -p boot1.efi

Time/Date               Fri Jan  1 00:00:00 2016

I'm not sure how to easily test the end-to-end process with freebsd-update though.

sys/conf/newvers.sh also uses SOURCE_DATE_EPOCH, but it allows it to be passed in (via environment?); it only sets SOURCE_DATE_EPOCH explicitly if it's not passed in. For the sake of consistency between parts of the build, shouldn't this do the same thing, and honor SOURCE_DATE_EPOCH if it's already set?