Set mtime of all initramfs files and directories to 01-01-1970

Mtime files are not important for executing the image. But at the same time, the constancy of mtime makes it possible to acquire the reproducibility of the image. The same image will be generated on the same hardware and with the same configuration. Signed-off-by: Alexey Gladkov <[email protected]>
osboot · Sep 9, 2021 · bd31890 · bd31890
1 parent 58dc836
commit bd31890
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 11 deletions.
diff --git a/features/ucode/bin/add-ucode b/features/ucode/bin/add-ucode
@@ -51,13 +51,10 @@ prep_early_firmware()
 		return 0
 	fi
 
-	cd "$workdir"
-	mkdir -p kernel/x86/microcode
-	cp ${VERBOSE:+-v} -- "$fw_file" kernel/x86/microcode/"$cpu_vendor".bin
-	find ./kernel | cpio -o -H newc >"$workdir"/ucode.cpio && \
-	    rm -rf -- kernel
-
-	return $?
+	mkdir "$workdir"/ucode ||
+		return
+	mkdir -p -- "$workdir"/ucode/kernel/x86/microcode
+	cp ${VERBOSE:+-v} -- "$fw_file" "$workdir"/ucode/kernel/x86/microcode/"$cpu_vendor".bin
 }
 
 prep_amd_ucode()
@@ -89,8 +86,10 @@ prep_intel_ucode()
 					--quiet \
 					$iucode_scan_system \
 					--write-earlyfw="$workdir"/ucode.cpio \
-					"$fw_path"/intel-ucode && \
-				return 0 ||:
+					"$fw_path"/intel-ucode
+			mkdir "$workdir"/ucode &&
+				cpio -D "$workdir"/ucode --quiet -id < "$workdir"/ucode.cpio
+			return
 		fi
 	done
 
@@ -105,5 +104,22 @@ case "$cpu_vendor" in
 	*) exit 0
 		;;
 esac
+rc=$?
+
+if [ -d "$workdir/ucode" ]; then
+	cd "$workdir/ucode"
+
+	find . -execdir touch -c -m --date="1970-01-01 00:00:00 +0000" '{}' '+'
+
+	# shellcheck disable=SC2185
+	find -O2 . -mindepth 1 \
+		   \( -type f -a -printf 'file %p %p %#m 0 0\n'  \) \
+		-o \( -type l -a -printf 'slink %p %l %#m 0 0\n' \) \
+		-o \( -type d -a -printf 'dir %p %#m 0 0\n'      \) |
+		sort |
+		gen_init_cpio -t 0 - > "$workdir"/ucode.cpio
+
+	rm -rf -- "$workdir/ucode"
+fi
 
-exit $?
+exit $rc
diff --git a/tools/pack-image b/tools/pack-image
@@ -26,4 +26,7 @@ printf >> "$workdir"/initcpio 'nod ./dev/%s\n' \
 	"console 0600 0 0 c 5 1" \
 	"ptmx    0666 0 0 c 5 2"
 
-gen_init_cpio "$workdir"/initcpio > "$outfile"
+find . -execdir touch -c -m --date="1970-01-01 00:00:00 +0000" '{}' '+'
+
+sort "$workdir"/initcpio |
+	gen_init_cpio -t 0 - > "$outfile"