[edk2-devel] Current State of Build Reproducibility in edk2

[edk2-devel] Current State of Build Reproducibility in edk2

[Oliver Smith-Denny via groups.io]

Hi,

What is the current state of build reproducibility in edk2?
I saw some mail threads about it awhile back and have looked
at this
https://tianocore-docs.github.io/edk2-BuildSpecification/release-1.28/12_build_changes_and_customizations/126_build_reproducibility.html#126-build-reproducibility,
which seems to claim that you can just do a RELEASE build with
MDEPKG_NDEBUG set and get binary compatible builds.

However, when attempting that with a clean OVMF IA32X64 VS2022 RELEASE
build at the same commit (and rebuilt basetools), I am getting
significantly different FDs and FVs. The driver files are almost
identical except for what I am assuming is a build identifier or
timestamp.

Are there any additional resources or thoughts towards complete binary
reproducible builds?

Thanks,
Oliver


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#121422): https://edk2.groups.io/g/devel/message/121422
Mute This Topic: https://groups.io/mt/113714425/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] Current State of Build Reproducibility in edk2

[Michael D Kinney via groups.io]

Should work for physical platform builds.

The OVMF and EmulatorPkg build may have some timestamps in them.

If the EmbeddedPkg VirtualRealTimeClockLib is used, then it pulls in system time 
in Linux builds.  I have a proposal to address this one queued up to support
both windows and linux and reproducible builds when needed.

[BuildOptions]
  GCC:*_*_*_CC_FLAGS = -DBUILD_EPOCH=`printenv SOURCE_DATE_EPOCH || date +%s`

The following is a good resource on this topic and all the
elements need to be tracked so issues do not get introduced.

	https://reproducible-builds.org/docs/

Mike

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Oliver
> Smith-Denny via groups.io
> Sent: Wednesday, June 18, 2025 12:45 PM
> To: devel@edk2.groups.io
> Subject: [edk2-devel] Current State of Build Reproducibility in edk2
> 
> Hi,
> 
> What is the current state of build reproducibility in edk2?
> I saw some mail threads about it awhile back and have looked
> at this
> https://tianocore-docs.github.io/edk2-BuildSpecification/release-
> 1.28/12_build_changes_and_customizations/126_build_reproducibility.html#
> 126-build-reproducibility,
> which seems to claim that you can just do a RELEASE build with
> MDEPKG_NDEBUG set and get binary compatible builds.
> 
> However, when attempting that with a clean OVMF IA32X64 VS2022 RELEASE
> build at the same commit (and rebuilt basetools), I am getting
> significantly different FDs and FVs. The driver files are almost
> identical except for what I am assuming is a build identifier or
> timestamp.
> 
> Are there any additional resources or thoughts towards complete binary
> reproducible builds?
> 
> Thanks,
> Oliver
> 
> 
> 
> 



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#121424): https://edk2.groups.io/g/devel/message/121424
Mute This Topic: https://groups.io/mt/113714425/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] Current State of Build Reproducibility in edk2

[Oliver Smith-Denny via groups.io]

On 6/18/2025 5:21 PM, Michael D Kinney via groups.io wrote:
> Should work for physical platform builds.
> 
> The OVMF and EmulatorPkg build may have some timestamps in them.
> 
> If the EmbeddedPkg VirtualRealTimeClockLib is used, then it pulls in system time
> in Linux builds.  I have a proposal to address this one queued up to support
> both windows and linux and reproducible builds when needed.
> 
> [BuildOptions]
>    GCC:*_*_*_CC_FLAGS = -DBUILD_EPOCH=`printenv SOURCE_DATE_EPOCH || date +%s`
> 
> The following is a good resource on this topic and all the
> elements need to be tracked so issues do not get introduced.
> 
> 	https://reproducible-builds.org/docs/
> 

Thanks, let me play around with this some more. It may be that the
platform I started trying this with had some similar dependencies.

Thanks,
Oliver



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#121425): https://edk2.groups.io/g/devel/message/121425
Mute This Topic: https://groups.io/mt/113714425/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] Current State of Build Reproducibility in edk2

[Richard Lyu via groups.io]

Hi Oliver,

I also noticed that edk2 is currently not reproducible in OvmfPkg because the stack cookie value has been randomized in AutoGen.h since edk2-stable202502. Fortunately, commit "cac0955658 BaseTools: Update Stack Cookie Logic" addresses this issue. By keeping the JSON files in the build directory, the STACK_COOKIE_VALUE can be made reproducible.

I’ve tested this and was able to reproduce the same FDs and FVs with both edk2-stable202502 and edk2-stable202505. Perhaps you might like to give it a try as well.

Best regards,
Richard Lyu



On 2025/06/19 09:53, Oliver Smith-Denny via groups.io wrote:
> On 6/18/2025 5:21 PM, Michael D Kinney via groups.io wrote:
> > Should work for physical platform builds.
> > 
> > The OVMF and EmulatorPkg build may have some timestamps in them.
> > 
> > If the EmbeddedPkg VirtualRealTimeClockLib is used, then it pulls in system time
> > in Linux builds.  I have a proposal to address this one queued up to support
> > both windows and linux and reproducible builds when needed.
> > 
> > [BuildOptions]
> >    GCC:*_*_*_CC_FLAGS = -DBUILD_EPOCH=`printenv SOURCE_DATE_EPOCH || date +%s`
> > 
> > The following is a good resource on this topic and all the
> > elements need to be tracked so issues do not get introduced.
> > 
> > 	https://reproducible-builds.org/docs/
> > 
> 
> Thanks, let me play around with this some more. It may be that the
> platform I started trying this with had some similar dependencies.
> 
> Thanks,
> Oliver
> 
> 
> 
> 
> 
> 


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#121428): https://edk2.groups.io/g/devel/message/121428
Mute This Topic: https://groups.io/mt/113714425/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] Current State of Build Reproducibility in edk2

[Oliver Smith-Denny via groups.io]

Hi Richard,

Ah, so its my fault :). Thanks for pointing that out, that makes sense
of course. A partner team of mine is looking at build reproducibility
across environments, e.g. being able to reproduce what a pipeline
has built.

I think there is a path forward with using the same JSON file across
builds.

Thanks,
Oliver

On 6/24/2025 7:57 AM, Richard Lyu via groups.io wrote:
> Hi Oliver,
> 
> I also noticed that edk2 is currently not reproducible in OvmfPkg because the stack cookie value has been randomized in AutoGen.h since edk2-stable202502. Fortunately, commit "cac0955658 BaseTools: Update Stack Cookie Logic" addresses this issue. By keeping the JSON files in the build directory, the STACK_COOKIE_VALUE can be made reproducible.
> 
> I’ve tested this and was able to reproduce the same FDs and FVs with both edk2-stable202502 and edk2-stable202505. Perhaps you might like to give it a try as well.
> 
> Best regards,
> Richard Lyu
> 
> 
> 
> On 2025/06/19 09:53, Oliver Smith-Denny via groups.io wrote:
>> On 6/18/2025 5:21 PM, Michael D Kinney via groups.io wrote:
>>> Should work for physical platform builds.
>>>
>>> The OVMF and EmulatorPkg build may have some timestamps in them.
>>>
>>> If the EmbeddedPkg VirtualRealTimeClockLib is used, then it pulls in system time
>>> in Linux builds.  I have a proposal to address this one queued up to support
>>> both windows and linux and reproducible builds when needed.
>>>
>>> [BuildOptions]
>>>     GCC:*_*_*_CC_FLAGS = -DBUILD_EPOCH=`printenv SOURCE_DATE_EPOCH || date +%s`
>>>
>>> The following is a good resource on this topic and all the
>>> elements need to be tracked so issues do not get introduced.
>>>
>>> 	https://reproducible-builds.org/docs/
>>>
>>
>> Thanks, let me play around with this some more. It may be that the
>> platform I started trying this with had some similar dependencies.
>>
>> Thanks,
>> Oliver
>>
>>
>>
>>
>>
>>
> 
> 
> 
> 



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#121436): https://edk2.groups.io/g/devel/message/121436
Mute This Topic: https://groups.io/mt/113714425/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-