mkimage: fit_image: Add support for SOURCE_DATE_EPOCH in signatures
When generating timestamps in signatures, use imagetool_get_source_date()
so we can be overridden by SOURCE_DATE_EPOCH to generate reproducible
images.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Reviewed-by: Simon Glass <sjg@chromum.org>
diff --git a/include/image.h b/include/image.h
index 420b8ff..3bb7d29 100644
--- a/include/image.h
+++ b/include/image.h
@@ -1009,6 +1009,7 @@
* @comment: Comment to add to signature nodes
* @require_keys: Mark all keys as 'required'
* @engine_id: Engine to use for signing
+ * @cmdname: Command name used when reporting errors
*
* Adds hash values for all component images in the FIT blob.
* Hashes are calculated for all component images which have hash subnodes
@@ -1022,7 +1023,7 @@
*/
int fit_add_verification_data(const char *keydir, void *keydest, void *fit,
const char *comment, int require_keys,
- const char *engine_id);
+ const char *engine_id, const char *cmdname);
int fit_image_verify_with_data(const void *fit, int image_noffset,
const void *data, size_t size);
diff --git a/tools/fit_image.c b/tools/fit_image.c
index 6f09a66..3c26535 100644
--- a/tools/fit_image.c
+++ b/tools/fit_image.c
@@ -60,7 +60,8 @@
ret = fit_add_verification_data(params->keydir, dest_blob, ptr,
params->comment,
params->require_keys,
- params->engine_id);
+ params->engine_id,
+ params->cmdname);
}
if (dest_blob) {
diff --git a/tools/image-host.c b/tools/image-host.c
index be2d59b..09e4f47 100644
--- a/tools/image-host.c
+++ b/tools/image-host.c
@@ -106,7 +106,7 @@
*/
static int fit_image_write_sig(void *fit, int noffset, uint8_t *value,
int value_len, const char *comment, const char *region_prop,
- int region_proplen)
+ int region_proplen, const char *cmdname)
{
int string_size;
int ret;
@@ -128,8 +128,12 @@
}
if (comment && !ret)
ret = fdt_setprop_string(fit, noffset, "comment", comment);
- if (!ret)
- ret = fit_set_timestamp(fit, noffset, time(NULL));
+ if (!ret) {
+ time_t timestamp = imagetool_get_source_date(cmdname,
+ time(NULL));
+
+ ret = fit_set_timestamp(fit, noffset, timestamp);
+ }
if (region_prop && !ret) {
uint32_t strdata[2];
@@ -201,7 +205,8 @@
static int fit_image_process_sig(const char *keydir, void *keydest,
void *fit, const char *image_name,
int noffset, const void *data, size_t size,
- const char *comment, int require_keys, const char *engine_id)
+ const char *comment, int require_keys, const char *engine_id,
+ const char *cmdname)
{
struct image_sign_info info;
struct image_region region;
@@ -229,7 +234,7 @@
}
ret = fit_image_write_sig(fit, noffset, value, value_len, comment,
- NULL, 0);
+ NULL, 0, cmdname);
if (ret) {
if (ret == -FDT_ERR_NOSPACE)
return -ENOSPC;
@@ -296,7 +301,7 @@
*/
int fit_image_add_verification_data(const char *keydir, void *keydest,
void *fit, int image_noffset, const char *comment,
- int require_keys, const char *engine_id)
+ int require_keys, const char *engine_id, const char *cmdname)
{
const char *image_name;
const void *data;
@@ -333,7 +338,7 @@
strlen(FIT_SIG_NODENAME))) {
ret = fit_image_process_sig(keydir, keydest,
fit, image_name, noffset, data, size,
- comment, require_keys, engine_id);
+ comment, require_keys, engine_id, cmdname);
}
if (ret)
return ret;
@@ -574,7 +579,7 @@
static int fit_config_process_sig(const char *keydir, void *keydest,
void *fit, const char *conf_name, int conf_noffset,
int noffset, const char *comment, int require_keys,
- const char *engine_id)
+ const char *engine_id, const char *cmdname)
{
struct image_sign_info info;
const char *node_name;
@@ -609,7 +614,7 @@
}
ret = fit_image_write_sig(fit, noffset, value, value_len, comment,
- region_prop, region_proplen);
+ region_prop, region_proplen, cmdname);
if (ret) {
if (ret == -FDT_ERR_NOSPACE)
return -ENOSPC;
@@ -638,7 +643,7 @@
static int fit_config_add_verification_data(const char *keydir, void *keydest,
void *fit, int conf_noffset, const char *comment,
- int require_keys, const char *engine_id)
+ int require_keys, const char *engine_id, const char *cmdname)
{
const char *conf_name;
int noffset;
@@ -657,7 +662,7 @@
strlen(FIT_SIG_NODENAME))) {
ret = fit_config_process_sig(keydir, keydest,
fit, conf_name, conf_noffset, noffset, comment,
- require_keys, engine_id);
+ require_keys, engine_id, cmdname);
}
if (ret)
return ret;
@@ -668,7 +673,7 @@
int fit_add_verification_data(const char *keydir, void *keydest, void *fit,
const char *comment, int require_keys,
- const char *engine_id)
+ const char *engine_id, const char *cmdname)
{
int images_noffset, confs_noffset;
int noffset;
@@ -691,7 +696,8 @@
* i.e. component image node.
*/
ret = fit_image_add_verification_data(keydir, keydest,
- fit, noffset, comment, require_keys, engine_id);
+ fit, noffset, comment, require_keys, engine_id,
+ cmdname);
if (ret)
return ret;
}
@@ -715,7 +721,7 @@
ret = fit_config_add_verification_data(keydir, keydest,
fit, noffset, comment,
require_keys,
- engine_id);
+ engine_id, cmdname);
if (ret)
return ret;
}