coreboot

coreboot™: fast, flexible and reproducible Open Source firmware!

Reproducible Coreboot

Reproducible builds enable anyone to reproduce bit by bit identical binary packages from a given source, so that anyone can verify that a given binary derived from the source it was said to be derived. There is more information about reproducible builds on the Debian wiki and on https://reproducible-builds.org. These pages explain in more depth why this is useful, what common issues exist and which workarounds and solutions are known.

Reproducible Coreboot is an effort to apply this to coreboot. Thus each coreboot.rom is build twice (without payloads), with a few variations added and then those two ROMs are compared using diffoscope. Please note that the toolchain is not varied at all as the rebuild happens on exactly the same system. More variations are expected to be seen in the wild.

There is a weekly run jenkins job to test the master branch of coreboot.git. The jenkins job is running reproducible_coreboot.sh in a Debian environment and this script is solely responsible for creating this page. Feel invited to join #reproducible-builds (on irc.oftc.net) to request job runs whenever sensible. Patches and other feedback are very much appreciated - if you want to help, please start by looking at the ToDo list for coreboot, you might find something easy to contribute.
Thanks to IONOS for donating the virtual machines this is running on!

97 (100.0%) out of 97 built coreboot images were reproducible in our test setup ! These tests were last run on 2022-11-23 for version 4.18-694-g8c974509ea using diffoscope 227.

variationfirst buildsecond build
hostname osuosl184-amd64 or osuosl170-amd64the other one
domainname is not yet varied between rebuilds of coreboot.
env CAPTURE_ENVIRONMENTnot setCAPTURE_ENVIRONMENT="I capture the environment"
env TZTZ="/usr/share/zoneinfo/Etc/GMT+12"TZ="/usr/share/zoneinfo/Etc/GMT-14"
env LANGLANG="en_GB.UTF-8"LANG="et_EE.UTF-8"
env LC_ALLnot setLC_ALL="et_EE.UTF-8"
env PATHPATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:"PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path"
env USER is not yet varied between rebuilds of coreboot.
uid is not yet varied between rebuilds of coreboot.
gid is not yet varied between rebuilds of coreboot.
UTS namespace is not yet varied between rebuilds of coreboot.
kernel version, modified using /usr/bin/linux64 --uname-2.6Linux 5.10.0-19-amd64Linux 2.6.70-19-amd64
umask00220002
CPU type Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHzsame for both builds
/bin/sh is not yet varied between rebuilds of coreboot.
year, month, datetoday (2022-11-23)same for both builds (currently, work in progress)
hour, minutehour and minute will probably vary between two builds...the future system actually runs 398 days, 6 hours and 23 minutes ahead...
Filesystemtmpfssame for both builds (currently, this could be varied using disorderfs)
everything else...is likely the same. There will be more variations in the wild.

commit 8c974509ea90eec18e22027c3e71de3e875fc964
Author: Martin Roth 
Date:   Sun Nov 20 17:56:44 2022 -0700

    soc/intel/common: Define post codes
    
    For the most part, this just moves the existing post codes into macros
    so that they're not just bare numbers.
    
    cache_as_ram.S:
    Post code 0x28 was previously pointless with just a single jump between
    it and post code 0x29, car_init_done.  This code was removed, and the
    0x28 value was used to differentiate the car_nem_enhanced subroutine
    from the other 0x26 post codes used before calling the clear_car
    subroutine.
    
    All other post codes remain identical.
    
    POST_BOOTBLOCK and POST_CODE_ZERO are expected to become global, whereas
    the POST_SOC codes are expected to be Intel only.
    
    Signed-off-by: Martin Roth 
    Change-Id: I82a34960ae73fc263359e4519234ee78e7e3daab
    Reviewed-on: https://review.coreboot.org/c/coreboot/+/69865
    Reviewed-by: Eric Lai 
    Reviewed-by: Subrata Banik 
    Tested-by: build bot (Jenkins)      

cross toolchain sourcesha256sum
acpica-unix2-20220331.tar.gz 1ccda5c6a08a90b145777df635eb09f995b3472b3128f375009c5a6b01a04c7a
binutils-2.37.tar.xz 820d9724f020a3e69cb337893a0b63c2db161dadcb0e06fc11dc29eb1e84a32c
gcc-11.2.0.tar.xz d08edc536b54c372a1010ff6619dd274c0f1603aa49212ba20f7aa2cda36fa8b
gmp-6.2.1.tar.xz fd4829912cddd12f84181c3451cc752be224643e87fac497b69edddadc49b4f2
mpc-1.2.1.tar.gz 17503d2c395dfcf106b622dc142683c1199431d095367c6aacba6eec30340459
mpfr-4.1.0.tar.xz 0c98a3f1732ff6ca4ea690552079da9c597872d30e96ec28414ee23c95558a7f
Debian 11.5 package on amd64installed version
gcc 4:10.2.1-1
g++ 4:10.2.1-1
make 4.3-4.1
cmake 3.18.4-2+deb11u1
flex 2.6.4-8
bison 2:3.7.5+dfsg-1