efi: Add support for reproducible builds

Having randomly generated bytes in the binary output breaks reproducible
builds. Since build timestamps are usually the source of irreproducibility
there is a standard which defines an environment variable SOURCE_DATE_EPOCH
to be used when set for build timestamps. According to the standard [1], the
value of SOURCE_DATE_EPOCH is a base-10 integer of the number of seconds
since the UNIX epoch. Currently, this is a 10 digit number that fits into
32-bits, but will not shortly after the year 2100. So to be future-proof
only use the least significant 32-bits. On 64-bit architectures, where the
canary is also 64-bits, there is an extra 32-bits that can be filled to
provide more entropy. The first byte is NUL to filter out string buffer
overflow attacks and the remaining 24-bits are set to static random bytes.

[1] https://reproducible-builds.org/specs/source-date-epoch

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

diff --git a/configure.ac b/configure.ac
index b8c5c78d53eadb929c137e09bf54d514d345bb45..cb7abc5734eb06ce4fb4c8d7a89a94e51805d64d 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -1439,7 +1439,9 @@ else
   fi
   TARGET_CPPFLAGS="$TARGET_CPPFLAGS -DGRUB_STACK_PROTECTOR=1"
 
-  if test -r /dev/urandom; then
+  if test -n "$SOURCE_DATE_EPOCH"; then
+     GRUB_STACK_PROTECTOR_INIT="0x00f2b7e2$(printf "%x" "$SOURCE_DATE_EPOCH" | sed 's/.*\(........\)$/\1/')"
+  elif test -r /dev/urandom; then
      # Generate the 8 byte stack protector canary at build time if /dev/urandom
      # is able to be read. The first byte should be NUL to filter out string
      # buffer overflow attacks.