[coreboot] Reproducible builds
Tom Hiller
thrilleratplay at gmail.com
Mon Jun 4 06:37:59 CEST 2018
Hi,
I am trying to make a series of scripts with configs to help simplify
the Coreboot build process for the Lenovo X230, and soon the X220, using
the Coreboot-sdk Docker image. The one issue I am having is creating
consistent builds. This was confusing after heading the news that
Coreboot was reproducible and finding that the x230 was one of the many
models confirmed here:
https://tests.reproducible-builds.org/coreboot/coreboot.html. After
doing some digging through the Coreboot git repo and searching gerrit, I
found the config used,
https://github.com/coreboot/coreboot/blob/master/configs/builder/config.lenovo_x230,
does not include payloads and that the IFD, ME and GBE binaries were
sourced from "./site-local/" but I cannot find these files in any public
repo. If these are not available, then the generated hashes cannot be
confirmed outside of the reproducible-builds Jenkins environments.
My question ultimately comes down to how much of Coreboot is
reproducible and can a complete binary with payloads be built
consistently given the same build enviroment? The more specific
question is, if the downloading the Coreboot 4.8.1 release using this
config,
https://github.com/Thrilleratplay/coreboot-builder-scripts/blob/master/x230/config-4.8.1,
why would the SHA256 hashes never match and, at times, cbfstool
partition sizes vary?
More information about the coreboot
mailing list