When generating timestamps in signatures, use imagetool_get_source_date()
so we can be overridden by SOURCE_DATE_EPOCH to generate reproducible
images.
Signed-off-by: Alex Kiernan
---
include/image.h| 3 ++-
tools/fit_image.c | 3 ++-
tools/image-host.c | 34 --
3 files changed, 24 insertions(+), 16 deletions(-)
diff --git a/include/image.h b/include/image.h
index 420b8ff576..3bb7d29ef2 100644
--- a/include/image.h
+++ b/include/image.h
@@ -1009,6 +1009,7 @@ int fit_set_timestamp(void *fit, int noffset, time_t
timestamp);
* @comment: Comment to add to signature nodes
* @require_keys: Mark all keys as 'required'
* @engine_id: Engine to use for signing
+ * @cmdname: Command name used when reporting errors
*
* Adds hash values for all component images in the FIT blob.
* Hashes are calculated for all component images which have hash subnodes
@@ -1022,7 +1023,7 @@ int fit_set_timestamp(void *fit, int noffset, time_t
timestamp);
*/
int fit_add_verification_data(const char *keydir, void *keydest, void *fit,
const char *comment, int require_keys,
- const char *engine_id);
+ const char *engine_id, const char *cmdname);
int fit_image_verify_with_data(const void *fit, int image_noffset,
const void *data, size_t size);
diff --git a/tools/fit_image.c b/tools/fit_image.c
index 6f09a66106..3c265357ae 100644
--- a/tools/fit_image.c
+++ b/tools/fit_image.c
@@ -60,7 +60,8 @@ static int fit_add_file_data(struct image_tool_params
*params, size_t size_inc,
ret = fit_add_verification_data(params->keydir, dest_blob, ptr,
params->comment,
params->require_keys,
- params->engine_id);
+ params->engine_id,
+ params->cmdname);
}
if (dest_blob) {
diff --git a/tools/image-host.c b/tools/image-host.c
index 8e43671714..faa5e23c79 100644
--- a/tools/image-host.c
+++ b/tools/image-host.c
@@ -106,7 +106,7 @@ static int fit_image_process_hash(void *fit, const char
*image_name,
*/
static int fit_image_write_sig(void *fit, int noffset, uint8_t *value,
int value_len, const char *comment, const char *region_prop,
- int region_proplen)
+ int region_proplen, const char *cmdname)
{
int string_size;
int ret;
@@ -128,8 +128,12 @@ static int fit_image_write_sig(void *fit, int noffset,
uint8_t *value,
}
if (comment && !ret)
ret = fdt_setprop_string(fit, noffset, "comment", comment);
- if (!ret)
- ret = fit_set_timestamp(fit, noffset, time(NULL));
+ if (!ret) {
+ time_t timestamp = imagetool_get_source_date(cmdname,
+time(NULL));
+
+ ret = fit_set_timestamp(fit, noffset, timestamp);
+ }
if (region_prop && !ret) {
uint32_t strdata[2];
@@ -200,7 +204,8 @@ static int fit_image_setup_sig(struct image_sign_info *info,
static int fit_image_process_sig(const char *keydir, void *keydest,
void *fit, const char *image_name,
int noffset, const void *data, size_t size,
- const char *comment, int require_keys, const char *engine_id)
+ const char *comment, int require_keys, const char *engine_id,
+ const char *cmdname)
{
struct image_sign_info info;
struct image_region region;
@@ -228,7 +233,7 @@ static int fit_image_process_sig(const char *keydir, void
*keydest,
}
ret = fit_image_write_sig(fit, noffset, value, value_len, comment,
- NULL, 0);
+ NULL, 0, cmdname);
if (ret) {
if (ret == -FDT_ERR_NOSPACE)
return -ENOSPC;
@@ -295,7 +300,7 @@ static int fit_image_process_sig(const char *keydir, void
*keydest,
*/
int fit_image_add_verification_data(const char *keydir, void *keydest,
void *fit, int image_noffset, const char *comment,
- int require_keys, const char *engine_id)
+ int require_keys, const char *engine_id, const char *cmdname)
{
const char *image_name;
const void *data;
@@ -332,7 +337,7 @@ int fit_image_add_verification_data(const char *keydir,
void *keydest,
strlen(FIT_SIG_NODENAME))) {
ret = fit_image_process_sig(keydir, keydest,
fit, image_name, noffset, data, size,
- comment, require_keys, engine_id);
+ comment, require_keys, engine_id, cmdname);
}