coreboot™: fast, flexible and reproducible Open Source firmware!

Reproducible Coreboot

Reproducible builds enable anyone to reproduce bit by bit identical binary packages from a given source, so that anyone can verify that a given binary derived from the source it was said to be derived. There is more information about reproducible builds on the Debian wiki and on These pages explain in more depth why this is useful, what common issues exist and which workarounds and solutions are known.

Reproducible Coreboot is an effort to apply this to coreboot. Thus each coreboot.rom is build twice (without payloads), with a few variations added and then those two ROMs are compared using diffoscope. Please note that the toolchain is not varied at all as the rebuild happens on exactly the same system. More variations are expected to be seen in the wild.

There is a weekly run jenkins job to test the master branch of coreboot.git. The jenkins job is running in a Debian environment and this script is solely responsible for creating this page. Feel invited to join #reproducible-builds (on to request job runs whenever sensible. Patches and other feedback are very much appreciated - if you want to help, please start by looking at the ToDo list for coreboot, you might find something easy to contribute.
Thanks to IONOS for donating the virtual machines this is running on!

123 (100.0%) out of 123 built coreboot images were reproducible in our test setup ! These tests were last run on 2024-03-01 for version 24.02-100-g67862de79f using diffoscope 258.

variationfirst buildsecond build
hostname osuosl1-amd64 or osuosl2-amd64the other one
domainname is not yet varied between rebuilds of coreboot.
env CAPTURE_ENVIRONMENTnot setCAPTURE_ENVIRONMENT="I capture the environment"
env TZTZ="/usr/share/zoneinfo/Etc/GMT+12"TZ="/usr/share/zoneinfo/Etc/GMT-14"
env LANGLANG="en_GB.UTF-8"LANG="et_EE.UTF-8"
env LC_ALLnot setLC_ALL="et_EE.UTF-8"
env PATHPATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:"PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path"
env USER is not yet varied between rebuilds of coreboot.
uid is not yet varied between rebuilds of coreboot.
gid is not yet varied between rebuilds of coreboot.
UTS namespace is not yet varied between rebuilds of coreboot.
kernel version, modified using /usr/bin/linux64 --uname-2.6Linux 6.5.0-0.deb12.4-amd64Linux 2.6.65-0.deb12.4-amd64
CPU type AMD Opteron(tm) Processor 4284same for both builds
/bin/sh is not yet varied between rebuilds of coreboot.
year, month, datetoday (2024-03-01)same for both builds (currently, work in progress)
hour, minutehour and minute will probably vary between two builds...the future system actually runs 398 days, 6 hours and 23 minutes ahead...
Filesystemtmpfssame for both builds (currently, this could be varied using disorderfs)
everything likely the same. There will be more variations in the wild.

commit 67862de79f5600b0b5a1973941e135bbe4b27e40
Author: Matt DeVillier 
Date:   Fri Aug 4 10:34:53 2023 -0500

    mb/google/link: Use automatic fan control
    Several users complained of link's fan not running at all, particularly
    when using ChromeOS Flex. Enabling auto fan control at boot/s3 resume
    resolved the issue for them.
    Change-Id: I8f0db6b6c94fac2e0dcb580be0f6df839780c38c
    Signed-off-by: Matt DeVillier 
    Reviewed-by: Felix Held 
    Tested-by: build bot (Jenkins)      

cross toolchain sourcesha256sum
R06_28_23.tar.gz 2248799b7ca08a7711ac87d31924354ed49047507607d033bd327ba861ec4d31
binutils-2.42.tar.xz f6e4d41fd5fc778b06b7891457b3620da5ecea1006c6a4a41ae998109f85a800
gcc-13.2.0.tar.xz e275e76442a6067341a27f04c5c6b83d8613144004c0413528863dc6b5c743da
gmp-6.3.0.tar.xz a3c2b80201b89e68616f4ad30bc66aee4927c3ce50e33929ca819d5c43538898
mpc-1.3.1.tar.gz ab642492f5cf882b74aa0cb730cd410a81edcdbec895183ce930e706c1c759b8
mpfr-4.2.1.tar.xz 277807353a6726978996945af13e52829e3abd7a9a5b7fb2793894e18f1fcbb2
Debian 12.5 package on amd64installed version
gcc 4:12.2.0-3
g++ 4:12.2.0-3
make 4.3-4.1
cmake 3.25.1-1
flex 2.6.4-8.2
bison 2:3.8.2+dfsg-1+b1
pkg-config 1.8.1-1