coreboot™: fast, flexible and reproducible Open Source firmware!

Reproducible Coreboot

Reproducible builds enable anyone to reproduce bit by bit identical binary packages from a given source, so that anyone can verify that a given binary derived from the source it was said to be derived. There is more information about reproducible builds on the Debian wiki and on https://reproducible-builds.org. These pages explain in more depth why this is useful, what common issues exist and which workarounds and solutions are known.

Reproducible Coreboot is an effort to apply this to coreboot. Thus each coreboot.rom is build twice (without payloads), with a few variations added and then those two ROMs are compared using diffoscope. Please note that the toolchain is not varied at all as the rebuild happens on exactly the same system. More variations are expected to be seen in the wild.

There is a weekly run jenkins job to test the master branch of coreboot.git. The jenkins job is running reproducible_coreboot.sh in a Debian environment and this script is solely responsible for creating this page. Feel invited to join #reproducible-builds (on irc.oftc.net) to request job runs whenever sensible. Patches and other feedback are very much appreciated - if you want to help, please start by looking at the ToDo list for coreboot, you might find something easy to contribute.
Thanks to IONOS for donating the virtual machines this is running on!

105 (100.0%) out of 105 built coreboot images were reproducible in our test setup ! These tests were last run on 2023-05-15 for version 4.20 using diffoscope 242.

variation	first build	second build
hostname	osuosl1-amd64 or osuosl2-amd64	the other one
domainname	is not yet varied between rebuilds of coreboot.
env CAPTURE_ENVIRONMENT	not set	CAPTURE_ENVIRONMENT="I capture the environment"
env TZ	TZ="/usr/share/zoneinfo/Etc/GMT+12"	TZ="/usr/share/zoneinfo/Etc/GMT-14"
env LANG	LANG="en_GB.UTF-8"	LANG="et_EE.UTF-8"
env LC_ALL	not set	LC_ALL="et_EE.UTF-8"
env PATH	PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:"	PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path"
env USER	is not yet varied between rebuilds of coreboot.
uid	is not yet varied between rebuilds of coreboot.
gid	is not yet varied between rebuilds of coreboot.
UTS namespace	is not yet varied between rebuilds of coreboot.
kernel version, modified using /usr/bin/linux64 --uname-2.6	Linux 5.10.0-23-amd64	Linux 2.6.70-23-amd64
umask	0022	0002
CPU type	AMD Opteron(tm) Processor 4284	same for both builds
/bin/sh	is not yet varied between rebuilds of coreboot.
year, month, date	today (2023-05-15)	same for both builds (currently, work in progress)
hour, minute	hour and minute will probably vary between two builds...	the future system actually runs 398 days, 6 hours and 23 minutes ahead...
Filesystem	tmpfs	same for both builds (currently, this could be varied using disorderfs)
everything else...	is likely the same. There will be more variations in the wild.

EMULATION_QEMU_AARCH64 (d4b5667a6822a80838eb6863e8d3afe5599c45e91b260d0c2c22b6cfb5d41b85, 4096K) is reproducible.
EMULATION_QEMU_AARCH64_FIT_SUPPORT_TIMESTAMPS (e4a07b41f7925d16479cb7d862eec432baa68407fcda6bfbe01b5361c1a39b1a, 16384K) is reproducible.
EMULATION_QEMU_ARMV7 (d98ae679299e159bc612c5d2fecd38b1936bab146f1c31c4297423475ab74057, 4096K) is reproducible.
EMULATION_QEMU_RISCV_RV32 (00d28e55fce51ad5f9fff68d5ac3bc69e08fd5eeb8fcb15f8e00c7febb8a6022, 4096K) is reproducible.
EMULATION_QEMU_RISCV_RV64 (39d2bac121b843e42c5969fc6b393e8c43bf4f45e6e0113613464184a1622f50, 4096K) is reproducible.
EMULATION_QEMU_RISCV_RV64_ (73039c53c84cbea17859fe1a1b5ab61f950bae7dbc76ba71aaaa5ca8d7fab2c7, 4096K) is reproducible.
EMULATION_QEMU_X86_I440FX (1e7a30ee3e3c7dfc976b05c78b0587b2a14def5719efbb219b0e88fb3b802512, 4096K) is reproducible.
EMULATION_QEMU_X86_I440FX_ (1e7a30ee3e3c7dfc976b05c78b0587b2a14def5719efbb219b0e88fb3b802512, 4096K) is reproducible.
EMULATION_QEMU_X86_I440FX_ASAN (b353f2970c35590cea2524d9d28b95cb99ca3b326cc5870621d40058ba8a7156, 4096K) is reproducible.
EMULATION_QEMU_X86_I440FX_DEBUG (afbf2142cb77eadabf56e3f1e07d9979156b7ee24b57fb51d087d8a88f3c281b, 4096K) is reproducible.
EMULATION_QEMU_X86_I440FX_NOSERIAL (707028e8bfe43470693352e2e9bc7ce8636117112fa3ce4c402b907b977f2135, 4096K) is reproducible.
EMULATION_QEMU_X86_I440FX_X86_64 (d7214a8b5bb56796f4ed15abea26de5ebab7ab059a2c93cb7d8d060a47468b42, 4096K) is reproducible.
EMULATION_QEMU_X86_Q35 (7f144afb12ec2c77f5c2ac9c9761e92fb2616ba7dd85bd5b1935f98a252dccb9, 2048K) is reproducible.
EMULATION_QEMU_X86_Q35_SMM_TSEG (3b49180cdcdd191ef58b8a50d1ee2b6223aceb8128318ed53f7c362717ad6c2b, 2048K) is reproducible.
EMULATION_SPIKE_RISCV (4f091724b5e6a22c7ca1cd1885ca87eabeaf2b58ce1d1e4c3fda209a5ee5c494, 4096K) is reproducible.
EXAMPLE_MIN86 (26a5ea64bc1582b38829e30fbb48f2c473f9a5b86ad0b106365e34e42eb0473a, 256K) is reproducible.
GOOGLE_ASURADA (9811f7a1034e2ad0afdfbfc4e9a7937a8f155bcc4dc81438b8e73f97d2e7cd44, 8192K) is reproducible.
GOOGLE_BOB (41fcb59bbfb274c8a2bcf468d4d6ff0c07c74dfcee13546e9b0b7f8d86f74376, 8192K) is reproducible.
GOOGLE_BURNET (90a61523a2e7b468c437c3f598c71a578f277b0688e5a2b21bf33b6479a9928f, 8192K) is reproducible.
GOOGLE_CERISE (d3cdea7eb5f52166891ef63260661102a68461a0d1ee0753f54b37aa7abd897c, 8192K) is reproducible.
GOOGLE_CHERRY (252e4de2b426bb589aa95b6a04c57987009140757a0726eec25c875fb23f6463, 8192K) is reproducible.
GOOGLE_COZMO (684cda4c3296a068e0a5c3d7c8c44447e1843c8d5e41e53f7fc694b7dc359cb9, 8192K) is reproducible.
GOOGLE_CRAASK (5f1ea35275f86c90c6c03c97edfab0ed0be676de2d1303c96b5f2d3c86972f11, 16384K) is reproducible.
GOOGLE_DAISY (d346f690fb73410ed7aab6c054f4ec8d1595cf9fea5636209c1a42aed00787f6, 4096K) is reproducible.
GOOGLE_DAMU (0a8abf73a26026c3f3d2261ca146372c2f0a8f185fe59dd1ac6bc3d9c9aa7028, 8192K) is reproducible.
GOOGLE_DOJO (7ecaad4596b29f1bc56e69671e64c618263ebb707f797060bb70916a5315505d, 8192K) is reproducible.
GOOGLE_ELM (73c92ce5b7b3e4ce423335bcf513c3f6c9206fc77ffd131e367d1c8cc0a7fb67, 4096K) is reproducible.
GOOGLE_ESCHE (928f443e7017c2190c451223607c69c69fa5e59a7b6bc1ca03071a311c80410e, 8192K) is reproducible.
GOOGLE_FENNEL (a3260ad090f9f12795f851d0b45f0bede3d41b14453587f8d02d1ec8ddf7fe18, 8192K) is reproducible.
GOOGLE_FLAPJACK (a97e16eeef95b9a388345cbf4decf149d271409d073c4d8dc742d90950bcc56a, 8192K) is reproducible.
GOOGLE_FOSTER (8fda335a811d90876944cb635551828efece3dcad0ad6bac63cab56e8af3be91, 4096K) is reproducible.
GOOGLE_GALE (c43d3f7014b201bd5fb62f63715c24317f15f9db2308c479176349764fb0d30a, 8192K) is reproducible.
GOOGLE_GERALT (48c7e5076d4162ff3ad4617886ac27f07bc3a566b22a7c1ab07ec64b27219ca3, 8192K) is reproducible.
GOOGLE_GOTHRAX (1526159aa400192247653f01ff87fb027d6dd7f8f9dda90d55367c86b4d340d2, 16384K) is reproducible.
GOOGLE_GRU (69ca4091f4803b0b02ef07badaba202cc5448d0db7b8b131d17bf59f94c11305, 8192K) is reproducible.
GOOGLE_HANA (2a2b6add73d6334682c199eff6d53507fcac6f64cc6ad1e3a9540d45bbc8694f, 4096K) is reproducible.
GOOGLE_HAYATO (57557a1acb0f5b0d1e46a1421d80389d3a2e92159e585f2b09230fdaf0b1c9c0, 8192K) is reproducible.
GOOGLE_JACUZZI (c2a221130c300ab131585aa15c6e90b089149b9f185a06c559476d53b4b8f9bb, 8192K) is reproducible.
GOOGLE_JOXER (3b3ea894ab029a8b69cb57c3fc39ab0a1fb73b1a1d5f6955f6cd6f47c43b82fd, 16384K) is reproducible.
GOOGLE_JUNIPER (9018c4d72fe35725055378ed23c5af3731ea77b362bfd3ff8bf1c4432a0942d6, 8192K) is reproducible.
GOOGLE_KAKADU (7629bd61706c86a506b1de59e1da66e1aa3df66996e3e560dca8de8bd0165e1e, 8192K) is reproducible.
GOOGLE_KAPPA (db4c90a334931bac8ca767859cbbed60a62cdb9ccac5d6ae3eb63438411bf109, 8192K) is reproducible.
GOOGLE_KATSU (c7016702988372eb06c0150a5633daa78d0f10b10f16c485d186740c03a8cbca, 8192K) is reproducible.
GOOGLE_KEVIN (0c2c1cdb8143228de79684f24f8f0807c69a3362645abc7304c534440ed90030, 8192K) is reproducible.
GOOGLE_KEVIN_SECDATA_MOCK (f2c86198401471d88e97e5552a17abb36ef74507b4c3e39b6ae06c503a00b662, 8192K) is reproducible.
GOOGLE_KINGLER (58e528c8a7b44c1d5fc7af305926689494b5a4c1c20fc3ccea31017305ed7762, 8192K) is reproducible.
GOOGLE_KODAMA (c9ba40b74fda75ee704d481e0d169d7bb607e2a92fec084eff4dc69288e3ed5f, 8192K) is reproducible.
GOOGLE_KRABBY (ee7e4e797b9246971cfefda097d944ddade94b89c00d228a2335546f08688cd0, 8192K) is reproducible.
GOOGLE_KRANE (87bca9b70f694a2e8750b73b182c1eff6fbb28b1f8e551bd356731d18e626988, 8192K) is reproducible.
GOOGLE_KUKUI (2ac94674fac9db7e7024ba6a71a6b1d7fd1f01e174969ad400b8d7ff45d01b83, 8192K) is reproducible.
GOOGLE_MAGIKARP (3346fc23ff46c9967f4bba5be36eb75b2ebef9d0f5e31b159360aef7a16e3f2e, 8192K) is reproducible.
GOOGLE_MAKOMO (30dc81cc2dd5943cf88f88773c2fc293016b47eb42deccd5afd35fb58aa6f2c1, 8192K) is reproducible.
GOOGLE_MISTRAL (24e447ac6b9b3dbcf62b4cb1c13207dd9e18f6f82334e218676133947f4ba10d, 8192K) is reproducible.
GOOGLE_MUNNA (2cd2fa263f5f6a8fae4441049b403f8f6216c1e9bcc950f6a7f51b0836111d69, 8192K) is reproducible.
GOOGLE_NEFARIO (b45e58a9c8c987a1f8b170b2b758fdeb5c93cc22b142f062a70023160b07eca5, 8192K) is reproducible.
GOOGLE_NEREID (3d626c773f6a0319f03b68bb22191b67944afd166403dca7d2925b87ee9a042c, 32M) is reproducible.
GOOGLE_NIVVIKS (bee08879a22913a40141706b1bedceb7928dea1441a328c095ddce6c7709d9d9, 32M) is reproducible.
GOOGLE_NYAN (265f0acf5351594eb7ad4e13c8cd2320be72f88d64db96ac551989d488eab7d5, 4096K) is reproducible.
GOOGLE_NYAN_BIG (bbbd1d5aa70ea4c775b5da18b929660620b430e52aa2866bede2d7cad9f24d8b, 4096K) is reproducible.
GOOGLE_NYAN_BLAZE (a4a41fa20b9afa7897c2741632bbf70ba55671cf4ae181eac26ac924ea1f7d32, 4096K) is reproducible.
GOOGLE_OAK (7f4e577b722e499e42ce528e39d37787c619398671df9106e26d5ffc2f8e070b, 4096K) is reproducible.
GOOGLE_PEACH_PIT (f95dfac30c9bf02ce8e34f3c651f29064fa586101db21f7c5012e7cef7228f26, 4096K) is reproducible.
GOOGLE_PICO (73d94abd7b02996946ea6b1b8741532bfe80988ecd1e39184223f16b25d3ce2f, 8192K) is reproducible.
GOOGLE_PUJJO (9cb5c8b68cb7b812db4784313408c340f8848ca154ef7ae3c58ba3a33b097255, 16384K) is reproducible.
GOOGLE_RAINIER (6b129af2ad4b6f90b4ee2cecd1e82985f3226631d3388304973b46cedc3dec58, 8192K) is reproducible.
GOOGLE_REX0 (6ed5afa1104e0546e96ee3506db4d2c91735d887d6a4bd24f7949fb711ebec84, 32M) is reproducible.
GOOGLE_SCARLET (3063256dad963415c3289a8b1abf182bbbcc19548e6cfcf023c3138a961291f8, 8192K) is reproducible.
GOOGLE_SCREEBO (19134e5aac1fd31ac090b12afbb838a033ac94bfca6dcf840c13c32046be6f33, 32M) is reproducible.
GOOGLE_SMAUG (9a6c60ed35484bea06b8c4e8e123bfb3860f5e4690867dc739d62559251e89f9, 16384K) is reproducible.
GOOGLE_SPHERION (cd96b597735b50e408105ea2b9e955f367a9b5756fbfa821a007f4c838507fa4, 8192K) is reproducible.
GOOGLE_STARMIE (dfecc9ec521cc1fb95734dc3f88a76b6bf9f1f7b45332fd5b5bd1c73222ce392, 8192K) is reproducible.
GOOGLE_STEELIX (dcbbd832788f2d5bcf13fbca2b2b1ab61cf8724fbd4a68617bd9e0832ab85a11, 8192K) is reproducible.
GOOGLE_STERN (3b3825682df7f749ed190aede1c02617c9c40e9e16248359ab4a21a775b3dae6, 8192K) is reproducible.
GOOGLE_STORM (86236fec9df42f5942f191e37f8d022b1148be547d24d5f753829936cef5b369, 8192K) is reproducible.
GOOGLE_TENTACRUEL (31adfea36267efe3a83bc3f87a28289682c2645e964bdfabb6cd76bec779cd40, 8192K) is reproducible.
GOOGLE_TOMATO (3c5f98feb9eb8c488b078634060fe405f953ce8689be22f9cf1064f7cd6dc188, 8192K) is reproducible.
GOOGLE_ULDREN (e4e8ef69480d2eb606f2b7f1fdda32784ef1cd2f97a003cfa41bf5b48ff5360c, 16384K) is reproducible.
GOOGLE_VEYRON_JAQ (e4a20f60af6949bf6ece8d06a40670f22482dda214d1c36c0044e86381689b23, 4096K) is reproducible.
GOOGLE_VEYRON_JERRY (fffb1c48ea9b1d20dc97a97cb1cbed9940bd489ee31e4adc89331fb74f5eb5c0, 4096K) is reproducible.
GOOGLE_VEYRON_MICKEY (b0d7206e7af2994ebcec9f0ffdbeaf86e12572304529917998b143c245eed2be, 4096K) is reproducible.
GOOGLE_VEYRON_MIGHTY (1dea49bc5c6839dd41d53c3c6e22d2bc5aa4db3c57e7378747b01267e200656c, 4096K) is reproducible.
GOOGLE_VEYRON_MINNIE (1ff6817aa920981e13978c0c685ab0b4ea49af790123793c3995a0fb937ce7a7, 4096K) is reproducible.
GOOGLE_VEYRON_RIALTO (5ddffbdfd86434457f58841d272ffdcc2af32ffc4bacae5626555a4b0709e32d, 4096K) is reproducible.
GOOGLE_VEYRON_SPEEDY (3711f611dd4c7aa04b5f639b74521683eeb99fc1cf185df80518ceeaf2110ffe, 4096K) is reproducible.
GOOGLE_VOLTORB (07d5756c7906d641e00dd2bc05bc8e096c8e4889765f25ff6515d420c09f6d86, 8192K) is reproducible.
GOOGLE_WILLOW (8cedc1521324e8fc9611aebfce4751e9376bf7d3a1850e60c57896e0b4479e7e, 8192K) is reproducible.
GOOGLE_XIVU (34aa51a6b9a40e3b058acbe78a879c869e0425ddc4da196f3b341c488f3663c0, 16384K) is reproducible.
GOOGLE_YAVIKS (fffae7ee63a2371ac1d6956241a42124e1df34c79579e48733f9886516a6768d, 16384K) is reproducible.
GOOGLE_YAVILLA (8449c7ee13d68f01364e3c3c8f2fe4d76d4a9e82c7e7d63c0deb9901db4e9e6a, 16384K) is reproducible.
INTEL_ADLRVP_N (e40a6c84cad0e1db488035ae476d11da3ca7a3a3737268e5d4ad6fa378004493, 32M) is reproducible.
INTEL_ADLRVP_N_EXT_EC (dc6687629e479df8c6bb53634298074574dbb0b22ab45c545ff33c6cb9b3ff7d, 32M) is reproducible.
INTEL_ARCHERCITY_CRB (a9067bc11ce3b03a8577ff361e8408cbf66ba4fd8d906d23c73000f5857d2bb3, 64M) is reproducible.
INTEL_GALILEO (c668fbe01d93b68522f70d08ff0e988d39a4faaca1de3650ab422b47730a8b5a, 8192K) is reproducible.
INTEL_GALILEO_GEN1 (6f5151d424b6b260a9016c69dc3c67e170ac625ed833e20daf00c13a8e9fa493, 8192K) is reproducible.
INTEL_GALILEO_GEN2 (572822bc2ffffb10dda729ce6d04365d07ca9362be025d7e242d8970ca640c9c, 8192K) is reproducible.
INTEL_GALILEO_GEN2.DEBUG (c3dd46a28525a071198373282e49a943a9adff331a225638b6235bee97371e19, 8192K) is reproducible.
INTEL_GALILEO_GEN2.FSP2.0 (029d82a1c1fdf5dc204101665ebfa07191142ab44046d214bf28749cbff6c6e0, 8192K) is reproducible.
INTEL_GALILEO_GEN2.SD (684232a938d25e4b692e1cce80a2462e53c4b17561e4328bda0d82e67a635785, 8192K) is reproducible.
INTEL_GALILEO_GEN2.VBOOT (2dbdf823edf3ba14d783a3542135d5bf80d36e360bd2d3f641fd255237af20e2, 8192K) is reproducible.
INTEL_MTLRVP_P (cdec2338e424ac7b08584da4dd62ffa44e016d12b2bca548019e9fd6458616ab, 32M) is reproducible.
INTEL_MTLRVP_P_EXT_EC (55630b0229f13d1d8aa70d53bfa44a4fc95d0ea013ce52e8da8f34b7e5fe1b35, 32M) is reproducible.
INTEL_MTLRVP_P_MCHP (7877e7671b8c1401fb3108c59fd90c583e1179985ef2d3d53d652c2374231c3b, 32M) is reproducible.
OPENCELLULAR_ELGON (a188514ce0a999cc59fba519718151896f03cb0cd7f74ad69d0ac147439939c1, 16384K) is reproducible.
PINE64_ROCKPRO64 (77cd8e44eaf7d768a04e989c25b56fa67b488c57e5e2f65941e1426260bf1309, 16384K) is reproducible.
TI_BEAGLEBONE (3892fcb3e91d2bbf57b289b13f721c91ac01541fbadc10ba04868b86fcce335f, 32M) is reproducible.

commit 465fbbe93ee01b4576689a90b7ddbeec23cdace2
Author: Sheng-Liang Pan 
Date:   Wed May 3 17:21:43 2023 +0800

    mb/google/dedede/var/taranza: Copy devicetree and GPIO from var/dibbi
    
    copy from dibbi since taranza base on dibbi,this is only for first
    initial configuration, will update the more setting afterward.
    
    BUG=b:277664211
    BRANCH=dedede
    TEST=build
    
    Signed-off-by: Sheng-Liang Pan 
    Change-Id: Ia319f65897c0fea2f0558c20a5bc36bb6fbaea96
    Reviewed-on: https://review.coreboot.org/c/coreboot/+/74934
    Tested-by: build bot (Jenkins) 
    Reviewed-by: David Wu

cross toolchain source	sha256sum
R10_20_22.tar.gz	1aa17eb1779cd171110074ce271a65c06046eacbba7be7ce5ee71df1b31c3b86
binutils-2.40.tar.xz	0f8a4c272d7f17f369ded10a4aca28b8e304828e95526da482b0ccc4dfc9d8e1
gcc-11.3.0.tar.xz	b47cf2818691f5b1e21df2bb38c795fac2cfbd640ede2d0a5e1c89e338a3ac39
gmp-6.2.1.tar.xz	fd4829912cddd12f84181c3451cc752be224643e87fac497b69edddadc49b4f2
mpc-1.3.1.tar.gz	ab642492f5cf882b74aa0cb730cd410a81edcdbec895183ce930e706c1c759b8
mpfr-4.2.0.tar.xz	06a378df13501248c1b2db5aa977a2c8126ae849a9d9b7be2546fb4a9c26d993

Debian 11.7 package on amd64	installed version
gcc	4:10.2.1-1
g++	4:10.2.1-1
make	4.3-4.1
cmake	3.18.4-2+deb11u1
flex	2.6.4-8
bison	2:3.7.5+dfsg-1