[coreboot] Reproducible builds

Tom Hiller thrilleratplay at gmail.com
Mon Jun 4 06:37:59 CEST 2018


I am trying to make a series of scripts with configs to help simplify 
the Coreboot build process for the Lenovo X230, and soon the X220, using 
the Coreboot-sdk Docker image.  The one issue I am having is creating 
consistent builds.  This was confusing after heading the news that 
Coreboot was reproducible and finding that the x230 was one of the many 
models confirmed here: 
https://tests.reproducible-builds.org/coreboot/coreboot.html. After 
doing some digging through the Coreboot git repo and searching gerrit, I 
found the config used, 
does not include payloads and that the IFD, ME and GBE binaries were 
sourced from "./site-local/" but I cannot find these files in any public 
repo.  If these are not available, then the generated hashes cannot be 
confirmed outside of the reproducible-builds Jenkins environments.

My question ultimately comes down to how much of Coreboot is 
reproducible and can a complete binary with payloads be built 
consistently given the same build enviroment?  The more specific 
question is, if the downloading the Coreboot 4.8.1 release using this 
why would the SHA256 hashes never match and, at times, cbfstool 
partition sizes vary?

More information about the coreboot mailing list