coreboot™: fast, flexible and reproducible Open Source firmware!

Reproducible Coreboot

Reproducible builds enable anyone to reproduce bit by bit identical binary packages from a given source, so that anyone can verify that a given binary derived from the source it was said to be derived. There is more information about reproducible builds on the Debian wiki and on https://reproducible-builds.org. These pages explain in more depth why this is useful, what common issues exist and which workarounds and solutions are known.

Reproducible Coreboot is an effort to apply this to coreboot. Thus each coreboot.rom is build twice (without payloads), with a few variations added and then those two ROMs are compared using diffoscope. Please note that the toolchain is not varied at all as the rebuild happens on exactly the same system. More variations are expected to be seen in the wild.

There is a weekly run jenkins job to test the master branch of coreboot.git. The jenkins job is running reproducible_coreboot.sh in a Debian environment and this script is solely responsible for creating this page. Feel invited to join #reproducible-builds (on irc.oftc.net) to request job runs whenever sensible. Patches and other feedback are very much appreciated - if you want to help, please start by looking at the ToDo list for coreboot, you might find something easy to contribute.
Thanks to IONOS for donating the virtual machines this is running on!

111 (100.0%) out of 111 built coreboot images were reproducible in our test setup ! These tests were last run on 2023-08-18 for version 4.20-1184-g873ebf201f using diffoscope 247.

variation	first build	second build
hostname	osuosl1-amd64 or osuosl2-amd64	the other one
domainname	is not yet varied between rebuilds of coreboot.
env CAPTURE_ENVIRONMENT	not set	CAPTURE_ENVIRONMENT="I capture the environment"
env TZ	TZ="/usr/share/zoneinfo/Etc/GMT+12"	TZ="/usr/share/zoneinfo/Etc/GMT-14"
env LANG	LANG="en_GB.UTF-8"	LANG="et_EE.UTF-8"
env LC_ALL	not set	LC_ALL="et_EE.UTF-8"
env PATH	PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:"	PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path"
env USER	is not yet varied between rebuilds of coreboot.
uid	is not yet varied between rebuilds of coreboot.
gid	is not yet varied between rebuilds of coreboot.
UTS namespace	is not yet varied between rebuilds of coreboot.
kernel version, modified using /usr/bin/linux64 --uname-2.6	Linux 6.1.0-11-amd64	Linux 2.6.61-11-amd64
umask	0022	0002
CPU type	AMD Opteron(tm) Processor 4284	same for both builds
/bin/sh	is not yet varied between rebuilds of coreboot.
year, month, date	today (2023-08-18)	same for both builds (currently, work in progress)
hour, minute	hour and minute will probably vary between two builds...	the future system actually runs 398 days, 6 hours and 23 minutes ahead...
Filesystem	tmpfs	same for both builds (currently, this could be varied using disorderfs)
everything else...	is likely the same. There will be more variations in the wild.

BYTEDANCE_BD_EGS (b7989df2bd71d05092526818c95ab33621a55e3e0ebbc6a06bfb55819857d24a, 64M) is reproducible.
EMULATION_QEMU_AARCH64 (e89a487ecc54e90a1a3a63445c362291c21006e9726d13b4d92764e6b524f46a, 16384K) is reproducible.
EMULATION_QEMU_AARCH64_FIT_SUPPORT_TIMESTAMPS (400868d400d1c9637ce0bbcf9a247f4ac17567b630202e50503ee969e9493bd8, 16384K) is reproducible.
EMULATION_QEMU_ARMV7 (edc312f29b5891f9b8f1d9ef83b57326542e710737afc77a7cd4e6564410efb9, 4096K) is reproducible.
EMULATION_QEMU_RISCV_RV32 (2f6058630ff3472b94de304f771c439f42a9d9dcde1f0588aa1e3d24a48947be, 16384K) is reproducible.
EMULATION_QEMU_RISCV_RV64 (bb1168830c68f5414f64b1b90cabb58327237dec39911f06e63d67965191cc62, 16384K) is reproducible.
EMULATION_QEMU_RISCV_RV64_ (a290caafbfe209e204cff02e488aa9d21b9eb32a6924c7e621bb6b65ec34172b, 16384K) is reproducible.
EMULATION_QEMU_X86_I440FX (f3ffe4a728de8df3cdb9e42a658dce7d998851661b6adb64aa5f7ac7c8c406be, 4096K) is reproducible.
EMULATION_QEMU_X86_I440FX_ (f3ffe4a728de8df3cdb9e42a658dce7d998851661b6adb64aa5f7ac7c8c406be, 4096K) is reproducible.
EMULATION_QEMU_X86_I440FX_ASAN (fd297425af295be1e1549ce62f5b7d0b2920edebf1a9f18bc7f47fd4f13cc878, 4096K) is reproducible.
EMULATION_QEMU_X86_I440FX_DEBUG (b9130e644fc45eceeced65ab413b2faf37d75ff3449a4ffa3984c7462a576360, 4096K) is reproducible.
EMULATION_QEMU_X86_I440FX_NOSERIAL (be695a4b7cf51b959a2e37d11bfffb130b469d6ef4bce864762314b178efb65c, 4096K) is reproducible.
EMULATION_QEMU_X86_I440FX_X86_64 (97902c6c0369d0232a54d5f0f2b0f143ec6424329b90beccec3e14904e35b851, 4096K) is reproducible.
EMULATION_QEMU_X86_Q35 (4dc1b4d5bdf94b9cebdbd4c2caefa801e2293f7d79f481a5442fd4ae802dee07, 16384K) is reproducible.
EMULATION_QEMU_X86_Q35_SMM_TSEG (4583b9af688b84cb85cc53badae2f11e868a3adbdd7c451ed5529053c0d09922, 16384K) is reproducible.
EMULATION_SPIKE_RISCV (fa57d5f1816bab2dff543efd7f28cc72c2409d3082aa0ebdfa13917d04d5ff40, 4096K) is reproducible.
EXAMPLE_MIN86 (09d11e4d3c9fc636e16f2f9b8670f513b47c3fd89b1513c076207fe4b52ba29f, 256K) is reproducible.
GOOGLE_ASURADA (9a48120eab83d0412678792430dabb627afd2f222607b2125e344387aae5657f, 8192K) is reproducible.
GOOGLE_BOB (feb58fed23ab5866ee5856c1707f8f950318519d7b72dc361073bdb207ae661e, 8192K) is reproducible.
GOOGLE_BURNET (86e39d43e2bc6cc89fca5a86c600294fbec9fdc67297bb89d3cf2cbb50c14afc, 8192K) is reproducible.
GOOGLE_CERISE (70e550d9630bfc55f533734a350950015bf594f4dc34411b4e844b914823a8bd, 8192K) is reproducible.
GOOGLE_CHERRY (0708ec70ca2a6a0c2e7190b52b99eb6e013b4a07d870f3d69042ef204a2570b0, 8192K) is reproducible.
GOOGLE_COZMO (5ed5f3579e740028500e13d4dac1087696389a24b711bf25eca50c3e80cd0f14, 8192K) is reproducible.
GOOGLE_CRAASK (d8323ea512139c6ca6c842c6df331968af7dede607784e36c93256a62774b117, 16384K) is reproducible.
GOOGLE_CRAASKOV (39db3054fb1671329df41562132b0c87036dde8bb0124026a2207bababb9d45d, 16384K) is reproducible.
GOOGLE_DAISY (e21e97be163ba01b0f28f7f4f9fc44ea656b5b0499d5ddfe0a24fd248f3289d5, 4096K) is reproducible.
GOOGLE_DAMU (8303257f032665d1d1d0b8541230f712f20cc5d879e15c03b3c3af32816faaea, 8192K) is reproducible.
GOOGLE_DOJO (f00cb639dab8b05ffa1b0ae797a4039f3460b79341dae27d2edbd4c50b943788, 8192K) is reproducible.
GOOGLE_ELM (6da9678f8e426b89b576e2ee5f8954d85ebfa01f254e236cd0b11241791a2207, 4096K) is reproducible.
GOOGLE_ESCHE (81bcad461ef8dc8b150a72d5e08f1b4a73220aa3a2cc217d968ce73f541e00fc, 8192K) is reproducible.
GOOGLE_FENNEL (566a9c96b30fd1b2c8f3853ccf4cc1c000a8b9a1c4c930813391608b62972639, 8192K) is reproducible.
GOOGLE_FLAPJACK (98d1142ac1f2f9ab9a139c7552014a19ad2b11958b7b0f47d0847794ceb78e74, 8192K) is reproducible.
GOOGLE_FOSTER (3b4f17efdcbce6fcb81ed89682664834bd904caa26688ecb518d33f193140027, 4096K) is reproducible.
GOOGLE_GALE (0ff37b893513497bea3ffbc2a687c7cd5133689bec165c80e98509db36dbb909, 8192K) is reproducible.
GOOGLE_GERALT (9ab345352250c83ea77b4e4cb906daa22a503086b0c38120cf28e5c8de199f6b, 8192K) is reproducible.
GOOGLE_GOTHRAX (7a2e904c7d15211f63e1d03ebdf6f40a72869e3253c753161a6936c3ef08bf00, 16384K) is reproducible.
GOOGLE_GRU (121ad9d11d27c9400bb3fb52abfc2a57d44de0d3d047dccfbdc7ef939a249ee1, 8192K) is reproducible.
GOOGLE_HANA (2832c483d979680479a07945d79ce997b9850e88bc137ce6ef400dce83c68724, 4096K) is reproducible.
GOOGLE_HAYATO (6c33e25552cc8fd8eefc96dd12fde6e8cf9cc19a1aa433df00fe4bea9954e8ad, 8192K) is reproducible.
GOOGLE_JACUZZI (3263750b3fd86417b5e0ca7d74509a3bb0b2651b190efefd277c5741a328d4bb, 8192K) is reproducible.
GOOGLE_JOXER (a2f1979a0c9782d81bce5bdc5fdf5526857eaba651cda850e8499726e9f67964, 16384K) is reproducible.
GOOGLE_JUNIPER (08748f745db8b65871fc41b17b8d468b16bcbb34c8b23b54fafb41014d103f43, 8192K) is reproducible.
GOOGLE_KAKADU (f1e80ab83486188e0731677dd515cd2315ced79d9e88c24af39aac82d5a7aef1, 8192K) is reproducible.
GOOGLE_KAPPA (00114c2f4e62db2d657c7c6aeb40877f8d010d9beb9a3bf6f9eca48d20a9e143, 8192K) is reproducible.
GOOGLE_KARIS (256b6c5737c40df111640b5d35bb704a5be3c3357b127db211164ba45fd94181, 32M) is reproducible.
GOOGLE_KARIS4ES (f01d7a91b4e87ff40ed276d47e44d533be7e6d320e99a8647fb07b10efbb8ccc, 32M) is reproducible.
GOOGLE_KATSU (fd062d7ee51780ec9b16a120a8401e5b99854fc29ec806306743609122a6e2bb, 8192K) is reproducible.
GOOGLE_KEVIN (288af4356e3cc9aab81cfc96719c6cc1be40b6f5e8f6a7f168f15e4a41fd841a, 8192K) is reproducible.
GOOGLE_KEVIN_SECDATA_MOCK (9a6046c37d9167111347c5b9cdb52095de173aba1423916d01afd0a51d6f22ec, 8192K) is reproducible.
GOOGLE_KINGLER (122b5fd1871c841f05ee840a82ac97ba3f5b04dcf2e978b0bc0755e133e924f0, 8192K) is reproducible.
GOOGLE_KODAMA (98dd65e4e3ddec8bd0a05a58691d56779ece8e55e93cdba2710e04eace6d759d, 8192K) is reproducible.
GOOGLE_KRABBY (04fd261b47999bdd772a6710f80019c8f8f545df365578593862e31857960756, 8192K) is reproducible.
GOOGLE_KRANE (44b6958772ec5faba5a781909a25c393908f71f81ed62c221b7c5055e40ca50b, 8192K) is reproducible.
GOOGLE_KUKUI (c101b741faeb9e5f3d7b764c57d1725a4ef226724c927b3621eca64af566a4fd, 8192K) is reproducible.
GOOGLE_MAGIKARP (b6bb706fec3b52b6c7fdbd87425b5ced9ffe36f937ca753673b1c1f06ef632df, 8192K) is reproducible.
GOOGLE_MAKOMO (7e1b558b66e12c935551bd24693b8713f701f8d66cf80b1124030a257ab3192e, 8192K) is reproducible.
GOOGLE_MISTRAL (847b572951ddab77587d57e8cbf4ee4bc901be2e2302e2c070635d2b4e00683b, 8192K) is reproducible.
GOOGLE_MUNNA (76fda74dfe9d4a24d7ff5a6460a176004daa6a5733a20b50274fc06bdddf1a2b, 8192K) is reproducible.
GOOGLE_NEFARIO (fbffe4bbaa62de3cc7f162ac293f02f6773c13a39b4045653991a489b348ef46, 8192K) is reproducible.
GOOGLE_NEREID (d68cd9b97b2e3417c1248fd01d8d0b76946e7d98833053decd5c0473591a5903, 32M) is reproducible.
GOOGLE_NIVVIKS (5cc9118d233651708cf89ba02b7506cb2cbc6732ae99a490896aa1bb8ad224bc, 32M) is reproducible.
GOOGLE_NYAN (2ab22c04d48d2272b79e24297f2999f2ec4c1c7642ceee2bc06057d6c929174f, 4096K) is reproducible.
GOOGLE_NYAN_BIG (82607005a94db383f8de2e5b4b1d1aadd77d40b7fc5a1e38021ed8adeb24a9ce, 4096K) is reproducible.
GOOGLE_NYAN_BLAZE (41ee764f8415d856ca07308412825b789f283561500f4613c38a54ee6a18fe40, 4096K) is reproducible.
GOOGLE_OAK (02a8b874424db9553e57cca3b5bc9498003ad4f002baaa2dbddf7123405bdfdd, 4096K) is reproducible.
GOOGLE_OVIS (07e64f15e4c0d2486defb617979b8c6ed11f8b45d3af9d1e01dabd4d157d70f9, 32M) is reproducible.
GOOGLE_OVIS4ES (63a6123ec06ebe1fcd0ef10217cc5a0bea0040577b7b8ae706ba4d6e102c9967, 32M) is reproducible.
GOOGLE_PEACH_PIT (d97f34689e3df3a134abbff6bbc178e3db8d60a18befc7d90b9d48ec290cceca, 4096K) is reproducible.
GOOGLE_PICO (b27cf933e1ba917264d73859d875897c7db186c864e9dc1fb4e27f66669a60fd, 8192K) is reproducible.
GOOGLE_PIRRHA (7dff38fb379595e2e93a033d05e28af5623df53595d05d7b92e362e214983f13, 16384K) is reproducible.
GOOGLE_PONYTA (96ba44ced710bffb05a4e40dbc60f5ce187fc876695277be86b82f75d9697cae, 8192K) is reproducible.
GOOGLE_PUJJO (a251127c867bc72111f2bac9967217196f56b0de5b4b47002e1888cab50c633e, 16384K) is reproducible.
GOOGLE_RAINIER (e7ace286efc14ff6c807dfe9143d6b1d0767854bc54c55b7e8bce6e897802548, 8192K) is reproducible.
GOOGLE_REX0 (18ad3b4cf5ab2cd847568d237b3fa042d0042e647b95d424373ab74b70eca1e6, 32M) is reproducible.
GOOGLE_REX4ES (75046cbc5b2b475cdeb387b245b973c6d9264c209ca0fc5af27067994cbf04fd, 32M) is reproducible.
GOOGLE_REX_EC_ISH (2ecae64e93d876b72882d2e282b0c03afea306cc5a22a766b055f6a18c6892e0, 32M) is reproducible.
GOOGLE_SCARLET (cfbfd7cc6b21cc1055e2ad40af81d1c42d422a409c29f2b7674bff50c794f1f6, 8192K) is reproducible.
GOOGLE_SCREEBO (d77aeddd6362d028cae8198d0cf449274ae66851392691146e624623f813ad46, 32M) is reproducible.
GOOGLE_SCREEBO4ES (b57e6202da6ab3a41c47f301b182210748320db3f4b66be2c23a14eca20463ee, 32M) is reproducible.
GOOGLE_SMAUG (157c68f6de609b4906eb6e0160082cc99a86fa8182a876c3aa14c40423eb6c20, 16384K) is reproducible.
GOOGLE_SPHERION (52c6fc42dcf3f6d0154353c8ed89e7497f40a85a08abadc57260e459b035bf7e, 8192K) is reproducible.
GOOGLE_STARMIE (86b05eb4a0146cfefcd3240e5ffa252edfeee54309eab7657eac8860c322dee2, 8192K) is reproducible.
GOOGLE_STEELIX (d5d3409f6e743ea864f3f174a6d5794c460914c3856f646370c9b15afa9b93c0, 8192K) is reproducible.
GOOGLE_STERN (51b54133e02bf6ee9abd43f66c29d8c0f114bf1584d3e80b4c6baa622734b95c, 8192K) is reproducible.
GOOGLE_STORM (f63930d330954f3e005c95120dd54636df1723629a29862d9c3e21ef09e2761e, 8192K) is reproducible.
GOOGLE_TENTACRUEL (ec8f20071529befe17516eb867429f7c569677b067c99f1605313e482ce467bd, 8192K) is reproducible.
GOOGLE_TOMATO (5959718ea60e6d2d564798fe13fee46eb771e78e773f56e25db01e6cfc34333f, 8192K) is reproducible.
GOOGLE_ULDREN (7e09104821bb47116e97c74202c8703fe6986a85ea9c1c3576d8776f1a8297bf, 16384K) is reproducible.
GOOGLE_VEYRON_JAQ (a440d2dbcaf2ad1d4a0a15f916e0eace1fd02bc934a88b17dfe66ee8c050df29, 4096K) is reproducible.
GOOGLE_VEYRON_JERRY (5c0943f0985754e4acaabe67b16f3a3aee953729f2de3e0f186576e8a269cefe, 4096K) is reproducible.
GOOGLE_VEYRON_MICKEY (5ced8f8bfb21dd61ea797d051beb8cc1a8080459eb9cc21ea6c150aef603339a, 4096K) is reproducible.
GOOGLE_VEYRON_MIGHTY (2b5ff9c456de31efe4670830b3a793891eb8889c6060dbbe62c6c25ccd9dd91c, 4096K) is reproducible.
GOOGLE_VEYRON_MINNIE (9d9ae4c00663fa8f0820651945255b6321d5fff113d940548f22eb8f7063455c, 4096K) is reproducible.
GOOGLE_VEYRON_RIALTO (f55a058335c7d29cd4a90f0a34078d9b91ff379efa36993294c3e161698c6333, 4096K) is reproducible.
GOOGLE_VEYRON_SPEEDY (2e8092695ddcb3fdf1648675b3c67f78889b9fbb4b45756746383b5f8c2cf71f, 4096K) is reproducible.
GOOGLE_VOLTORB (03674f9743ce444873dda15e67a2f9988e3f02db791fe0ff45bf456797a6fa00, 8192K) is reproducible.
GOOGLE_WILLOW (0dc8914e091fd7638d0ea5c7c86dab79a3e5330c0d633b802d94381429d4f600, 8192K) is reproducible.
GOOGLE_XIVU (7836ccc11281f02b89656ee2e804f8380ae211f3de919001c779b363d7a44596, 16384K) is reproducible.
GOOGLE_YAVIKS (9d49ea9563abf92cac89b916b5950d91272712822531d75d15aa67eb2c3bc953, 16384K) is reproducible.
GOOGLE_YAVILLA (63f61d2b80b889aee9897ebcb81d24c6c11e87b60a2cb80096f23b90d21314a2, 16384K) is reproducible.
IBM_SBP1 (f482e8a8e84a002e6959646be1d51358f0d31acb14983fda189bc74069e9ec70, 64M) is reproducible.
INTEL_ADLRVP_N (b4fb43de0f53f107be02cafeb4cd1aacdf38fdd7ebe626d24fd00a767259bcf6, 32M) is reproducible.
INTEL_ADLRVP_N_EXT_EC (c482df089545c783e302f67f9f3f0ecdbb8b27a32c91a06477f72bab5686a896, 32M) is reproducible.
INTEL_ARCHERCITY_CRB (c89c43dd6d790e678e04ade9c005ba9f0e0eb4ca6cf0f361c658aa908f73f4ff, 64M) is reproducible.
INTEL_MTLRVP_P (1b82cabbdef0dcdec2f0a078e569c806c1d3b27e433aa637397f240885a993ce, 32M) is reproducible.
INTEL_MTLRVP_P_EXT_EC (6323f15598d226596be006174714d98f48970e5417eb835ef54d3635eba2fcef, 32M) is reproducible.
INTEL_MTLRVP_P_MCHP (a3eb2a55d79600f1a2720683e71a538de4a52daa10d8dc3777acbe0dd512aa9c, 32M) is reproducible.
INVENTEC_TRANSFORMERS (7a5e37ce4ac0713d6fc7e96fadc2d370b22cb600a51ea2fa7eea13a90220d1fc, 64M) is reproducible.
OPENCELLULAR_ELGON (81460b5755914843a85953e0bd0bd3c7ac2cf39a0c7b4d00c2825c864938d324, 16384K) is reproducible.
PINE64_ROCKPRO64 (32c8d49ecda75fff0006593a9d10ed1fd2b298f176a6a34ac59c214228a2d61e, 16384K) is reproducible.
TI_BEAGLEBONE (cb61025403b8ae576821a8d8694edbf25a713268f95edee044a610d2d4fd3269, 32M) is reproducible.

commit 873ebf201fac31bfb76523906ffeadbbd54108d6
Author: Martin Roth 
Date:   Thu Aug 10 10:00:51 2023 -0600

    util/lint/kconfig_lint: Exclude site-local directory by default
    
    The site-local directory is not checked into the coreboot tree, so this
    change excludes it by default. By adding the site-local directory,
    an issue could be missed in the rest of the coreboot tree.
    
    This change also adds a new command-line argument of -S or --site_local
    that re-enables the site-local checking.
    
    Signed-off-by: Martin Roth 
    Change-Id: I95efa3e7b2cbb84e5c84d263222d8e914626d314
    Reviewed-on: https://review.coreboot.org/c/coreboot/+/77138
    Reviewed-by: Matt DeVillier 
    Tested-by: build bot (Jenkins) 
    Reviewed-by: Felix Singer 
    Reviewed-by: Arthur Heymans

cross toolchain source	sha256sum
R06_28_23.tar.gz	2248799b7ca08a7711ac87d31924354ed49047507607d033bd327ba861ec4d31
binutils-2.40.tar.xz	0f8a4c272d7f17f369ded10a4aca28b8e304828e95526da482b0ccc4dfc9d8e1
gcc-11.4.0.tar.xz	3f2db222b007e8a4a23cd5ba56726ef08e8b1f1eb2055ee72c1402cea73a8dd9
gmp-6.2.1.tar.xz	fd4829912cddd12f84181c3451cc752be224643e87fac497b69edddadc49b4f2
mpc-1.3.1.tar.gz	ab642492f5cf882b74aa0cb730cd410a81edcdbec895183ce930e706c1c759b8
mpfr-4.2.0.tar.xz	06a378df13501248c1b2db5aa977a2c8126ae849a9d9b7be2546fb4a9c26d993

Debian 12.1 package on amd64	installed version
gcc	4:12.2.0-3
g++	4:12.2.0-3
make	4.3-4.1
cmake	3.25.1-1
flex	2.6.4-8.2
bison	2:3.8.2+dfsg-1+b1