coreboot

coreboot™: fast, flexible and reproducible Open Source firmware!

Reproducible Coreboot

Reproducible builds enable anyone to reproduce bit-by-bit identical binary packages from a given source, so that anyone can verify that a given binary was derived from the source it was said to be derived from. There is more information about reproducible builds on the Debian wiki and on https://reproducible-builds.org. These pages explain in more depth why this is useful, what common issues exist and which workarounds and solutions are known.

Reproducible Coreboot is an effort to apply this to coreboot. Thus each coreboot.rom is built twice (without payloads), with a few variations added, and then those two ROMs are compared using diffoscope. Please note that the toolchain is not varied at all, as the rebuild happens on exactly the same system. More variations are expected to be seen in the wild.

There is a Jenkins job that runs weekly to test the master branch of coreboot.git. The Jenkins job runs reproducible_coreboot.sh in a Debian environment, and this script is solely responsible for creating this page. Feel invited to join #reproducible-builds (on irc.oftc.net) to request job runs whenever sensible. Patches and other feedback are very much appreciated; if you want to help, please start by looking at the ToDo list for coreboot, where you might find something easy to contribute.
Thanks to Profitbricks for donating the virtual machines this is running on!

447 (100.0%) out of 447 built coreboot images were reproducible in our test setup! These tests were last run on 2020-09-30 for version 4.12-3070-g075df92298 using diffoscope 160.

| variation | first build | second build |
|---|---|---|
| hostname | osuosl-build169-amd64 or osuosl-build170-amd64 | the other one |
| domainname | is not yet varied between rebuilds of coreboot. | |
| env CAPTURE_ENVIRONMENT | not set | CAPTURE_ENVIRONMENT="I capture the environment" |
| env TZ | TZ="/usr/share/zoneinfo/Etc/GMT+12" | TZ="/usr/share/zoneinfo/Etc/GMT-14" |
| env LANG | LANG="en_GB.UTF-8" | LANG="et_EE.UTF-8" |
| env LC_ALL | not set | LC_ALL="et_EE.UTF-8" |
| env PATH | PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:" | PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path" |
| env USER | is not yet varied between rebuilds of coreboot. | |
| uid | is not yet varied between rebuilds of coreboot. | |
| gid | is not yet varied between rebuilds of coreboot. | |
| UTS namespace | is not yet varied between rebuilds of coreboot. | |
| kernel version, modified using /usr/bin/linux64 --uname-2.6 | Linux 4.19.0-11-amd64 | Linux 2.6.79-11-amd64 |
| umask | 0022 | 0002 |
| CPU type | Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz | same for both builds |
| /bin/sh | is not yet varied between rebuilds of coreboot. | |
| year, month, date | today (2020-09-30) | same for both builds (currently, work in progress) |
| hour, minute | hour and minute will probably vary between two builds... | the future system actually runs 398 days, 6 hours and 23 minutes ahead... |
| Filesystem | tmpfs | same for both builds (currently, this could be varied using disorderfs) |
| everything else... | is likely the same. There will be more variations in the wild. | |
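
The build-twice-and-compare procedure described above, as an added example that is not taken from reproducible_coreboot.sh: it applies the TZ, LANG, LC_ALL, CAPTURE_ENVIRONMENT, PATH and umask variations from the table to two constructed toy builds and compares the results byte for byte. The function names and toy builds are hypothetical, `cmp` stands in for diffoscope, and the second PATH extends the caller's PATH rather than using the fixed value in the table.

```shell
# Added example: variation values come from the table on this page; the toy
# builds and all function names are constructed for illustration.

# Run build function $2 for variant $1 (1 or 2), writing the artifact to $3.
# The subshell keeps the varied environment and umask away from the caller.
run_build() {
    (
        if [ "$1" = 1 ]; then
            unset CAPTURE_ENVIRONMENT LC_ALL; umask 0022
            TZ="/usr/share/zoneinfo/Etc/GMT+12"; LANG="en_GB.UTF-8"
        else
            CAPTURE_ENVIRONMENT="I capture the environment"
            TZ="/usr/share/zoneinfo/Etc/GMT-14"
            LANG="et_EE.UTF-8"; LC_ALL="et_EE.UTF-8"
            # Assumption: extend the caller's PATH so tools stay findable.
            PATH="$PATH:/i/capture/the/path"
            umask 0002
            export CAPTURE_ENVIRONMENT LC_ALL
        fi
        export TZ LANG PATH
        "$2" "$3"
    )
}

# Constructed toy build that leaks its environment into the artifact: the
# file mode left by umask and the search path end up in the output.
leaky_build() {
    : > "$1.tmp"
    { echo payload; ls -l "$1.tmp" | cut -c1-10; echo "path=$PATH"; } > "$1"
    rm -f "$1.tmp"
}

# Constructed toy build whose output depends only on its input.
clean_build() { echo payload > "$1"; }

# Build twice and compare; returns 0 if byte-identical, 1 if not.
# cmp stands in for diffoscope, which would also explain the difference.
is_reproducible() {
    dir=$(mktemp -d) || return 2
    run_build 1 "$1" "$dir/first.rom"
    run_build 2 "$1" "$dir/second.rom"
    if cmp -s "$dir/first.rom" "$dir/second.rom"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return "$rc"
}

for b in clean_build leaky_build; do
    is_reproducible "$b" && echo "$b: reproducible" || echo "$b: NOT reproducible"
done
```

If the et_EE.UTF-8 locale is not installed, the shell may print a locale warning on stderr; the comparison result is unaffected.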

commit 075df92298fe3bb0ef04233395effe668c4a5550
Author: Eugene D Myers 
Date:   Tue Sep 8 16:53:43 2020 -0400

    security/intel/stm: Fix size_t printf format error
    
    Size_t seems to have a compiler dependency.  When building on the
    Purism librem 15v4, size_t is 'unsigned long'.  In this instance,
    the compiler is the coreboot configured cross-compiler.  In another
    instance, size_t is defined as 'unsigned short'.  To get around
    the formatting conflict caused by this, the variable of type
    size_t was cast as 'unsigned int' in the format.
    
    Change-Id: Id51730c883d8fb9e87183121deb49f5fdda0114e
    Signed-off-by: Eugene D Myers 
    Reviewed-on: https://review.coreboot.org/c/coreboot/+/45181
    Tested-by: build bot (Jenkins) 
    Reviewed-by: ron minnich      

| cross toolchain source | sha256sum |
|---|---|
| acpica-unix2-20200717.tar.gz | 8a49904744a8159b7f325ed941b56968ba37a0371c634036628064f97538de4b |
| binutils-2.35.tar.xz | 1b11659fb49e20e18db460d44485f09442c8c56d5df165de9461eb09c8302f85 |
| gcc-8.3.0.tar.xz | 64baadfe6cc0f4947a84cb12d7f0dfaf45bb58b7e92461639596c21e02d97d2c |
| gmp-6.2.0.tar.xz | 258e6cd51b3fbdfc185c716d55f82c08aff57df0c6fbd143cf6ed561267a1526 |
| mpc-1.2.0.tar.gz | e90f2d99553a9c19911abdb4305bf8217106a957e3994436428572c8dfe8fda6 |
| mpfr-4.1.0.tar.xz | 0c98a3f1732ff6ca4ea690552079da9c597872d30e96ec28414ee23c95558a7f |

| Debian 10.6 package on amd64 | installed version |
|---|---|
| gcc | 4:8.3.0-1 |
| g++ | 4:8.3.0-1 |
| make | 4.2.1-1.2 |
| cmake | 3.13.4-1 |
| flex | 2.6.4-6.2 |
| bison | 2:3.3.2.dfsg-1 |