diff --git a/lib/libsecureboot/Makefile.inc b/lib/libsecureboot/Makefile.inc
index 1042fe898ace..e7564b7bb7cb 100644
--- a/lib/libsecureboot/Makefile.inc
+++ b/lib/libsecureboot/Makefile.inc
@@ -92,6 +92,19 @@ VE_HASH_KAT_STR?= vc_PEM
 XCFLAGS.vets+= -DVE_HASH_KAT_STR=${VE_HASH_KAT_STR}
 .endif
 
+# this should be updated occassionally this is 2019-01-01Z
+SOURCE_DATE_EPOCH?= 1546329600
+.if ${MK_REPRODUCIBLE_BUILD} == "yes"
+BUILD_UTC?= ${SOURCE_DATE_EPOCH}
+.endif
+# BUILD_UTC provides a basis for the loader's notion of time
+# By default we use the mtime of BUILD_UTC_FILE
+.if empty(BUILD_UTC_FILE)
+BUILD_UTC_FILE:= ${.PARSEDIR:tA}/${.PARSEFILE}
+.endif
+# you can of course set BUILD_UTC to any value you like
+BUILD_UTC?= ${${STAT:Ustat} -f %m ${BUILD_UTC_FILE}:L:sh}
+
 # Generate ta.h containing one or more PEM encoded trust anchors in ta_PEM.
 #
 # If we are doing self-tests, we define another arrary vc_PEM
@@ -110,9 +123,7 @@ ta.h: ${.ALLTARGETS:M[tv]*pem:O:u}
 	( cat ${.ALLSRC:N*crl*:Mv*.pem} /dev/null | \
 	file2c -sx 'static const char vc_PEM[] = {' '};'; echo ) >> ${.TARGET}
 .endif
-.if !empty(BUILD_UTC_FILE)
-	echo '#define BUILD_UTC ${${STAT:Ustat} -f %m ${BUILD_UTC_FILE}:L:sh}' >> ${.TARGET} ${.OODATE:MNOMETA_CMP}
-.endif
+	echo '#define BUILD_UTC ${BUILD_UTC}' >> ${.TARGET} ${.OODATE:MNOMETA_CMP}
 
 # This header records our preference for signature extensions.
 vesigned.o vesigned.po vesigned.pico: vse.h
diff --git a/lib/libsecureboot/tests/Makefile b/lib/libsecureboot/tests/Makefile
index 0cc32562d36b..3ff88281081a 100644
--- a/lib/libsecureboot/tests/Makefile
+++ b/lib/libsecureboot/tests/Makefile
@@ -1,5 +1,7 @@
 # $FreeBSD$
 
+.include <src.opts.mk>
+
 PROG= tvo
 
 SRCS+= tvo.c