Hi Tom,
only the coreboot region itself should be reproducible. The BIOS flash contains multiple regions (or call them "partitions"). Only the bios region, which contains coreboot and the payloads, is reproducible. And as far as I know, only SeaBIOS as payload is reproducible. GRUB might be reproducible, but I haven't tracked the remaining issues there. Those might have been fixed.
I found the config used, https://github.com/coreboot/coreboot/blob/master/configs/builder/config.leno..., does not include payloads and that the IFD, ME and GBE binaries were sourced from "./site-local/" but I cannot find these files in any public repo. If these are not available, then the generated hashes cannot be confirmed outside of the reproducible-builds Jenkins environments.
Those 3 files need to be extracted from the BIOS chip. Here is an example of what the layout of a sandy/ivy machine looks like:
0 MB
-------
| IFD |
-------
| GBE |
-------
| ME  |
-------
| BIOS|
-------
12 MB
My question ultimately comes down to how much of Coreboot is reproducible and can a complete binary with payloads be built consistently given the same build environment? The more specific question is, if downloading the Coreboot 4.8.1 release using this config, https://github.com/Thrilleratplay/coreboot-builder-scripts/blob/master/x230/..., why would the SHA256 hashes never match and, at times, cbfstool partition sizes vary?
That's a good question, it shouldn't! Sounds like a bug in our versions script.
You can try out diffoscope to find out more about the reproducible builds issue. There is also a website around diffoscope, so you don't have to install the toolsuite on your machine.
Best, lynxis
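
An added example, not part of the original mail or of coreboot: since only the BIOS region is expected to be reproducible, this sketch reads the region table from the flash descriptor and hashes each region separately, so two full images can be compared region by region. It assumes the descriptor field layout used on sandy/ivy-era boards (12-bit base/limit fields); all function names and the 64 KiB test image are constructed for illustration.

```python
import hashlib
import struct

IFD_MAGIC = 0x0FF0A55A                        # descriptor signature at offset 0x10
REGION_NAMES = ["IFD", "BIOS", "ME", "GBE"]   # order of FLREG0..FLREG3


def parse_regions(image: bytes) -> dict:
    """Return {name: (start, end)} with end exclusive, read from the descriptor."""
    magic, flmap0 = struct.unpack_from("<II", image, 0x10)
    if magic != IFD_MAGIC:
        raise ValueError("no Intel flash descriptor found")
    frba = ((flmap0 >> 16) & 0xFF) << 4       # offset of the region registers
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * i)
        base = (flreg & 0xFFF) << 12
        limit = (((flreg >> 16) & 0xFFF) << 12) | 0xFFF
        if limit > base:                      # base > limit marks an unused region
            regions[name] = (base, limit + 1)
    return regions


def region_hashes(image: bytes) -> dict:
    """SHA-256 of each region, so the BIOS region can be checked on its own."""
    return {name: hashlib.sha256(image[start:end]).hexdigest()
            for name, (start, end) in parse_regions(image).items()}


def differing_regions(a: bytes, b: bytes) -> list:
    """Names of regions whose hashes differ between two full flash images."""
    ha, hb = region_hashes(a), region_hashes(b)
    return sorted(n for n in ha.keys() | hb.keys() if ha.get(n) != hb.get(n))


def make_image(me_fill: int, bios_fill: int) -> bytes:
    """Constructed 64 KiB image laid out IFD | GBE | ME | BIOS (not real data)."""
    img = bytearray(b"\xff" * 0x10000)
    struct.pack_into("<II", img, 0x10, IFD_MAGIC, 0x04 << 16)   # FRBA = 0x40
    struct.pack_into("<4I", img, 0x40,
                     0x00000000, 0x000F0007, 0x00060003, 0x00020001)
    img[0x3000:0x7000] = bytes([me_fill]) * 0x4000     # ME region
    img[0x7000:0x10000] = bytes([bios_fill]) * 0x9000  # BIOS region
    return bytes(img)
```

Two images that differ only in the ME blob then report `["ME"]` from `differing_regions`, while their BIOS hashes still match.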