coreboot™: fast, flexible and reproducible Open Source firmware!

Reproducible Coreboot

Reproducible builds enable anyone to reproduce bit by bit identical binary packages from a given source, so that anyone can verify that a given binary derived from the source it was said to be derived. There is more information about reproducible builds on the Debian wiki and on These pages explain in more depth why this is useful, what common issues exist and which workarounds and solutions are known.

Reproducible Coreboot is an effort to apply this to coreboot. Thus each coreboot.rom is build twice (without payloads), with a few varitations added and then those two ROMs are compared using diffoscope. Please note that the toolchain is not varied at all as the rebuild happens on exactly the same system. More variations are expected to be seen in the wild.

There is a weekly run jenkins job to test the master branch of coreboot.git. The jenkins job is running in a Debian environment and this script is solely responsible for creating this page. Feel invited to join #debian-reproducible (on to request job runs whenever sensible. Patches and other feedback are very much appreciated - if you want to help, please start by looking at the ToDo list for coreboot, you might find something easy to contribute.
Thanks to Profitbricks for donating the virtual machines this is running on!

306 (100.0%) out of 306 built coreboot images were reproducible in our test setup ! These tests were last run on 2017-03-20 for version 4.5-1352-gdce629b using diffoscope 80.

variationfirst buildsecond build
hostname is not yet varied between rebuilds of coreboot.
domainname is not yet varied between rebuilds of coreboot.
env CAPTURE_ENVIRONMENTnot setCAPTURE_ENVIRONMENT="I capture the environment"
env TZTZ="/usr/share/zoneinfo/Etc/GMT+12"TZ="/usr/share/zoneinfo/Etc/GMT-14"
env LANGLANG="en_GB.UTF-8"LANG="fr_CH.UTF-8"
env LC_ALLnot setLC_ALL="fr_CH.UTF-8"
env PATHPATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:"PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path"
env USER is not yet varied between rebuilds of coreboot.
uid is not yet varied between rebuilds of coreboot.
gid is not yet varied between rebuilds of coreboot.
UTS namespace is not yet varied between rebuilds of coreboot.
kernel version, modified using /usr/bin/linux64 --uname-2.6Linux 3.16.0-4-amd64Linux 2.6.56-4-amd64
CPU type AMD Opteron 62xx class CPUsame for both builds
/bin/sh is not yet varied between rebuilds of coreboot.
year, month, datetoday (2017-03-20)same for both builds (currently, work in progress)
hour, minutehour and minute will probably vary between two builds...but this is not enforced systematically... (currently, work in progress)
Filesystemtmpfssame for both builds (currently, this could be varied using disorderfs)
everything likely the same. There will be more variations in the wild.

commit dce629b2f8260010a06ea5a9bd31f5c65f483f3d
Author: Patrick Georgi 
Date:   Fri Jan 13 13:30:54 2017 +0100

    util/cbfstool: avoid memleaks and off-by-ones
    Change-Id: Iac136a5dfe76f21aa7c0d5ee4e974e50b955403b
    Signed-off-by: Patrick Georgi 
    Found-by: scan-build 3.8
    Tested-by: build bot (Jenkins)
    Reviewed-by: Nico Huber      

cross toolchain sourcesha256sum
acpica-unix2-20161222.tar.gz bac650fd93d101a6ef2e9a30b449b32a480b0ac4f6f253c49aa80511b017b7fa
binutils-2.28.tar.bz2 6297433ee120b11b4b0a1c8f3512d7d73501753142ab9e2daa13c5a3edd32a72
gcc-6.3.0.tar.bz2 f06ae7f3f790fbf0f018f6d40e844451e6bc3b7bc96e128e63b09825c1f8b29f
gmp-6.1.2.tar.xz 87b565e89a9a684fe4ebeeddb8399dce2599f9c9049854ca8c0dfbdea0e21912
libelf-0.8.13.tar.gz 591a9b4ec81c1f2042a97aa60564e0cb79d041c52faa7416acb38bc95bd2c76d
mpc-1.0.3.tar.gz 617decc6ea09889fb08ede330917a00b16809b8db88c29c31bfbb49cbf88ecc3
mpfr-3.1.5.tar.xz 015fde82b3979fbe5f83501986d328331ba8ddf008c1ff3da3c238f49ca062bc
Debian 8.7 package on amd64installed version
gcc 4:4.9.2-2
g++ 4:4.9.2-2
make 4.0-8.1
cmake 3.0.2-1+deb8u1
flex 2.5.39-8+deb8u2
bison 2:3.0.2.dfsg-2
iasl 20140926-1