coreboot™: fast, flexible and reproducible Open Source firmware!

Reproducible Coreboot

Reproducible builds enable anyone to reproduce bit by bit identical binary packages from a given source, so that anyone can verify that a given binary derived from the source it was said to be derived. There is more information about reproducible builds on the Debian wiki and on These pages explain in more depth why this is useful, what common issues exist and which workarounds and solutions are known.

Reproducible Coreboot is an effort to apply this to coreboot. Thus each coreboot.rom is build twice (without payloads), with a few variations added and then those two ROMs are compared using diffoscope. Please note that the toolchain is not varied at all as the rebuild happens on exactly the same system. More variations are expected to be seen in the wild.

There is a weekly run jenkins job to test the master branch of coreboot.git. The jenkins job is running in a Debian environment and this script is solely responsible for creating this page. Feel invited to join #reproducible-builds (on to request job runs whenever sensible. Patches and other feedback are very much appreciated - if you want to help, please start by looking at the ToDo list for coreboot, you might find something easy to contribute.
Thanks to Profitbricks for donating the virtual machines this is running on!

240 (100.0%) out of 240 built coreboot images were reproducible in our test setup ! These tests were last run on 2019-02-18 for version 4.9-729-g67100b4147 using diffoscope 111.

variationfirst buildsecond build
hostname osuosl-build169-amd64 or osuosl-build170-amd64the other one
domainname is not yet varied between rebuilds of coreboot.
env CAPTURE_ENVIRONMENTnot setCAPTURE_ENVIRONMENT="I capture the environment"
env TZTZ="/usr/share/zoneinfo/Etc/GMT+12"TZ="/usr/share/zoneinfo/Etc/GMT-14"
env LANGLANG="en_GB.UTF-8"LANG="fr_CH.UTF-8"
env LC_ALLnot setLC_ALL="fr_CH.UTF-8"
env PATHPATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:"PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path"
env USER is not yet varied between rebuilds of coreboot.
uid is not yet varied between rebuilds of coreboot.
gid is not yet varied between rebuilds of coreboot.
UTS namespace is not yet varied between rebuilds of coreboot.
kernel version, modified using /usr/bin/linux64 --uname-2.6Linux 4.9.0-8-amd64Linux 2.6.69-8-amd64
CPU type Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHzsame for both builds
/bin/sh is not yet varied between rebuilds of coreboot.
year, month, datetoday (2019-02-18)same for both builds (currently, work in progress)
hour, minutehour and minute will probably vary between two builds...the future system actually runs 398 days, 6 hours and 23 minutes ahead...
Filesystemtmpfssame for both builds (currently, this could be varied using disorderfs)
everything likely the same. There will be more variations in the wild.

commit 67100b414799c7b90c42d506de4ababdfb47119b
Date:   Fri Feb 15 10:15:23 2019 +0800

    mb/google/laser: Disable touch screen device that according to SKU ID
    We need disable touch screen device on laser SKU ID 6.
    TEST=according to sku_id (Laser(convertible): 5, Laser14(clamshell):
    6, Laser14(clamshell + touch):7) distinguish whether disable touch
    screen device.
    Change-Id: I6953c35a5e8c93d88fe63362156faa351e8ee71f
    Reviewed-by: Furquan Shaikh 
    Tested-by: build bot (Jenkins)      

cross toolchain sourcesha256sum
acpica-unix2-20190108.tar.gz 727b0691660f823046b3e7df0e9a27f908d9fdc1f8dc4ec88d99773c28fd61ac
binutils-2.32.tar.xz 0ab6c55dd86a92ed561972ba15b9b70a8b9f75557f896446c82e8b36e473ee04
gcc-8.2.0.tar.xz 196c3c04ba2613f893283977e6011b2345d1cd1af9abeac58e916b1aab3e0080
gmp-6.1.2.tar.xz 87b565e89a9a684fe4ebeeddb8399dce2599f9c9049854ca8c0dfbdea0e21912
mpc-1.1.0.tar.gz 6985c538143c1208dcb1ac42cedad6ff52e267b47e5f970183a3e75125b43c2e
mpfr-4.0.1.tar.xz 67874a60826303ee2fb6affc6dc0ddd3e749e9bfcb4c8655e3953d0458a6e16e
Debian 9.8 package on amd64installed version
gcc 4:6.3.0-4
g++ 4:6.3.0-4
make 4.1-9.1
cmake 3.7.2-1
flex 2.6.1-1.3
bison 2:3.0.4.dfsg-1+b1