[coreboot] Reproducible builds
Alexander Couzens
lynxis at fe80.eu
Tue Jun 5 03:44:38 CEST 2018
Hi Tom,
only the coreboot region itself should be reproducible.
The BIOS flash contains multiple regions (or call them "partitions").
Only the bios region, which contains coreboot and the payloads is
reproducible. And so far I know, only SeaBIOS as payload is
reproducible.
GRUB might be reproducible, but I'vn't tracked the reamining issues
there. Those might have been fixed.
> I found the config used,
> https://github.com/coreboot/coreboot/blob/master/configs/builder/config.lenovo_x230,
> does not include payloads and that the IFD, ME and GBE binaries were
> sourced from "./site-local/" but I cannot find these files in any
> public repo. If these are not available, then the generated hashes
> cannot be confirmed outside of the reproducible-builds Jenkins
> environments.
Those 3 files needs to be extracted from the BIOS chip.
Here is an example, how the layout of a sandy/ivy machine look like:
0 MB
-------
| IFD |
-------
| GBE |
-------
| ME |
-------
| BIOS|
-------
12 MB
>
> My question ultimately comes down to how much of Coreboot is
> reproducible and can a complete binary with payloads be built
> consistently given the same build enviroment? The more specific
> question is, if the downloading the Coreboot 4.8.1 release using this
> config,
> https://github.com/Thrilleratplay/coreboot-builder-scripts/blob/master/x230/config-4.8.1,
> why would the SHA256 hashes never match and, at times, cbfstool
> partition sizes vary?
That's a good question, it shouldn't! Sounds like a bug in our versions
script.
You can try out diffoscope to find more about the reproducible builds
issue. There is also a website around diffoscope, so you don't have to
install the toolsuite on your machine.
https://try.diffoscope.org/
Best,
lynxis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://mail.coreboot.org/pipermail/coreboot/attachments/20180605/91e390b6/attachment.sig>
More information about the coreboot
mailing list