coreboot

coreboot™: fast, flexible and reproducible Open Source firmware?

Reproducible Coreboot

Reproducible builds enable anyone to reproduce bit by bit identical binary packages from a given source, so that anyone can verify that a given binary derived from the source it was said to be derived. There is more information about reproducible builds on the Debian wiki and on https://reproducible-builds.org. These pages explain in more depth why this is useful, what common issues exist and which workarounds and solutions are known.

Reproducible Coreboot is an effort to apply this to coreboot. Thus each coreboot.rom is build twice (without payloads), with a few variations added and then those two ROMs are compared using diffoscope. Please note that the toolchain is not varied at all as the rebuild happens on exactly the same system. More variations are expected to be seen in the wild.

There is a weekly run jenkins job to test the master branch of coreboot.git. The jenkins job is running reproducible_coreboot.sh in a Debian environment and this script is solely responsible for creating this page. Feel invited to join #reproducible-builds (on irc.oftc.net) to request job runs whenever sensible. Patches and other feedback are very much appreciated - if you want to help, please start by looking at the ToDo list for coreboot, you might find something easy to contribute.
Thanks to Profitbricks for donating the virtual machines this is running on!

271 (99.2%) out of 273 built coreboot images were reproducible in our test setup , while 2 (.7%) failed to build from source. These tests were last run on 2018-08-20 for version 4.8-1280-g3388fdecf2 using diffoscope 99.

variationfirst buildsecond build
hostname profitbricks-build3-amd64 or profitbricks-build4-amd64the other one
domainname is not yet varied between rebuilds of coreboot.
env CAPTURE_ENVIRONMENTnot setCAPTURE_ENVIRONMENT="I capture the environment"
env TZTZ="/usr/share/zoneinfo/Etc/GMT+12"TZ="/usr/share/zoneinfo/Etc/GMT-14"
env LANGLANG="en_GB.UTF-8"LANG="fr_CH.UTF-8"
env LC_ALLnot setLC_ALL="fr_CH.UTF-8"
env PATHPATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:"PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path"
env USER is not yet varied between rebuilds of coreboot.
uid is not yet varied between rebuilds of coreboot.
gid is not yet varied between rebuilds of coreboot.
UTS namespace is not yet varied between rebuilds of coreboot.
kernel version, modified using /usr/bin/linux64 --uname-2.6Linux 4.9.0-8-amd64Linux 2.6.69-8-amd64
umask00220002
CPU type AMD Opteron 62xx class CPUsame for both builds
/bin/sh is not yet varied between rebuilds of coreboot.
year, month, datetoday (2018-08-20)same for both builds (currently, work in progress)
hour, minutehour and minute will probably vary between two builds...the future system actually runs 398 days, 6 hours and 23 minutes ahead...
Filesystemtmpfssame for both builds (currently, this could be varied using disorderfs)
everything else...is likely the same. There will be more variations in the wild.

commit 3388fdecf2ad6a0edc843284e7068ab8fd39fcd6
Author: Richard Spiegel 
Date:   Fri Aug 17 08:57:10 2018 -0700

    vendorcode/amd/pi/00670F00/Lib: Remove unused functions
    
    The only code still used are LibAmdPciRead() and LibAmdPciWrite(). These
    functions are used by PspBaseLib. Remove all functions that are not used,
    directly or indirectly, by LibAmdPciRead() and LibAmdPciWrite().
    
    BUG=b:112688270
    TEST=Build grunt
    
    Change-Id: Iba5cfbeee8e83ca78279a1bc2a333370c04f55ed
    Signed-off-by: Richard Spiegel 
    Reviewed-on: https://review.coreboot.org/28194
    Reviewed-by: Paul Menzel 
    Reviewed-by: Martin Roth 
    Tested-by: build bot (Jenkins)      

cross toolchain sourcesha256sum
acpica-unix2-20180531.tar.gz e50df20e76c44941277686d4fb4c264605333e7d04ca6dc2cbc385926d78fb60
binutils-2.30.tar.xz 6e46b8aeae2f727a36f0bd9505e405768a72218f1796f0d09757d45209871ae6
gcc-8.1.0.tar.xz 1d1866f992626e61349a1ccd0b8d5253816222cdc13390dcfaa74b093aa2b153
gmp-6.1.2.tar.xz 87b565e89a9a684fe4ebeeddb8399dce2599f9c9049854ca8c0dfbdea0e21912
mpc-1.0.3.tar.gz 617decc6ea09889fb08ede330917a00b16809b8db88c29c31bfbb49cbf88ecc3
mpfr-3.1.5.tar.xz 015fde82b3979fbe5f83501986d328331ba8ddf008c1ff3da3c238f49ca062bc
Debian 9.5 package on amd64installed version
gcc 4:6.3.0-4
g++ 4:6.3.0-4
make 4.1-9.1
cmake 3.7.2-1
flex 2.6.1-1.3
bison 2:3.0.4.dfsg-1+b1
iasl