Hi,
I am trying to make a series of scripts with configs to help simplify the Coreboot build process for the Lenovo X230, and soon the X220, using the Coreboot-sdk Docker image. The one issue I am having is creating consistent builds. This was confusing after hearing the news that Coreboot was reproducible and finding that the x230 was one of the many models confirmed here: https://tests.reproducible-builds.org/coreboot/coreboot.html. After doing some digging through the Coreboot git repo and searching gerrit, I found the config used, https://github.com/coreboot/coreboot/blob/master/configs/builder/config.leno..., does not include payloads and that the IFD, ME and GBE binaries were sourced from "./site-local/" but I cannot find these files in any public repo. If these are not available, then the generated hashes cannot be confirmed outside of the reproducible-builds Jenkins environments.
My question ultimately comes down to how much of Coreboot is reproducible and can a complete binary with payloads be built consistently given the same build environment? The more specific question is, if downloading the Coreboot 4.8.1 release using this config, https://github.com/Thrilleratplay/coreboot-builder-scripts/blob/master/x230/..., why would the SHA256 hashes never match and, at times, cbfstool partition sizes vary?
Hi Tom,
only the coreboot region itself should be reproducible. The BIOS flash contains multiple regions (or call them "partitions"). Only the bios region, which contains coreboot and the payloads, is reproducible. And as far as I know, only SeaBIOS as payload is reproducible. GRUB might be reproducible, but I haven't tracked the remaining issues there. Those might have been fixed.
> I found the config used, https://github.com/coreboot/coreboot/blob/master/configs/builder/config.leno..., does not include payloads and that the IFD, ME and GBE binaries were sourced from "./site-local/" but I cannot find these files in any public repo. If these are not available, then the generated hashes cannot be confirmed outside of the reproducible-builds Jenkins environments.
Those 3 files need to be extracted from the BIOS chip. Here is an example of how the layout of a sandy/ivy machine looks:
0 MB
  -------
  | IFD |
  -------
  | GBE |
  -------
  | ME  |
  -------
  | BIOS|
  -------
12 MB
> My question ultimately comes down to how much of Coreboot is reproducible and can a complete binary with payloads be built consistently given the same build environment? The more specific question is, if downloading the Coreboot 4.8.1 release using this config, https://github.com/Thrilleratplay/coreboot-builder-scripts/blob/master/x230/..., why would the SHA256 hashes never match and, at times, cbfstool partition sizes vary?
That's a good question, it shouldn't! Sounds like a bug in our versions script.
You can try out diffoscope to find out more about the reproducible builds issue. There is also a website around diffoscope, so you don't have to install the toolsuite on your machine.
Best, lynxis
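
Since the reply above says only the BIOS region is reproducible, here is an added example (not code from this thread or from the coreboot project) that reads the region table from the Intel Flash Descriptor and hashes just the BIOS region, so two full images can be compared even when their IFD, GBE and ME contents differ. The function names and the 64 KiB sample image are constructed for illustration; the descriptor fields used (signature 0x0FF0A55A, FRBA in FLMAP0, FLREG0 to FLREG3) follow Intel's descriptor layout.

```python
import hashlib
import struct

IFD_SIGNATURE = 0x0FF0A55A
REGION_NAMES = ["descriptor", "bios", "me", "gbe"]  # FLREG0..FLREG3

def find_regions(image):
    """Return {name: (base, limit)} parsed from the Intel Flash Descriptor."""
    sig = struct.pack("<I", IFD_SIGNATURE)
    pos = image.find(sig, 0, 0x20)        # signature sits at 0x10 (0x0 on old layouts)
    if pos < 0:
        raise ValueError("no flash descriptor signature found")
    flmap0, = struct.unpack_from("<I", image, pos + 4)
    frba = ((flmap0 >> 16) & 0xFF) << 4   # flash region base address
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        flreg, = struct.unpack_from("<I", image, frba + 4 * i)
        base = (flreg & 0x7FFF) << 12                     # 4 KiB granularity
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF  # inclusive end address
        if base <= limit:                 # base > limit marks an unused region
            regions[name] = (base, limit)
    return regions

def region_sha256(image, name):
    """SHA-256 over one descriptor-defined region of a full flash image."""
    base, limit = find_regions(image)[name]
    if limit >= len(image):
        raise ValueError(f"{name} region ends past the end of the image")
    return hashlib.sha256(image[base:limit + 1]).hexdigest()

def make_sample_image(me_fill, bios_fill):
    """Constructed 64 KiB image laid out as IFD, GBE, ME, BIOS (not a real dump)."""
    img = bytearray(b"\xff" * 0x10000)
    struct.pack_into("<II", img, 0x10, IFD_SIGNATURE, 0x04 << 16)  # FRBA = 0x40
    # FLREG index -> (base, limit) in 4 KiB units
    layout = {0: (0x0, 0x0), 3: (0x1, 0x2), 2: (0x3, 0x7), 1: (0x8, 0xF)}
    for idx, (base, limit) in layout.items():
        struct.pack_into("<I", img, 0x40 + 4 * idx, (limit << 16) | base)
    img[0x3000:0x8000] = bytes([me_fill]) * 0x5000     # stand-in ME contents
    img[0x8000:0x10000] = bytes([bios_fill]) * 0x8000  # stand-in coreboot region
    return bytes(img)

if __name__ == "__main__":
    a = make_sample_image(0xAA, 0x5A)   # same coreboot region, different ME blob
    b = make_sample_image(0xBB, 0x5A)
    print("full image match: ", hashlib.sha256(a).digest() == hashlib.sha256(b).digest())
    print("bios region match:", region_sha256(a, "bios") == region_sha256(b, "bios"))
```

If the BIOS-region hashes of two real builds still differ, that region is the input to hand to diffoscope.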