search

Dasharo / dasharo-issues

The Dasharo issue tracker
https://dasharo.com/
25 stars 0 forks source link

APU4 Reproducible Builds #1113

Closed coval3nte closed 3 weeks ago

coval3nte commented 4 weeks ago

Component

Dasharo firmware

Device

PC Engines APU4

Dasharo version

v24.05.00.01

Dasharo Tools Suite version

No response

Test case ID

No response

Brief summary

sha256 not matching with dasharo

How reproducible

No response

How to reproduce

SBOM

part 1

#!/bin/bash
git clone https://review.coreboot.org/coreboot
cd coreboot
git checkout 24.05 -b patchqueue
git clone https://github.com/Dasharo/dasharo-pq.git .git/patches
cd .git/patches
git checkout 24.05.00.01
cd -
ln -s patches .git/patches/patchqueue
touch .git/patches/patchqueue/status
guilt init
guilt push -a

guilt applied patches are 86, which is fine

submodules commit hashes match SBOM

part 2

coreboot-sdk version not present in SBOM

#!/bin/bash
cd ../
git clone https://github.com/pcengines/pce-fw-builder
cd pce-fw-builder
git checkout b538c921e7032fee8ef70f2925edf52e65307979
docker build . -t pcengines/pce-fw-builder:2024-03-30_cccada28f7
./build_apus.sh ../coreboot seabios_apu4

Expected behavior

expected hash

Actual behavior

got 3 different hashes while trying build

Screenshots

No response

Additional context

No response

Solutions you've tried

No response

pietrushnic commented 4 weeks ago

@coval3nte, thanks; I will take care of it ASAP.

pietrushnic commented 3 weeks ago

For tracking purposes, let me add what hashes you get while building above using the above procedure (based on what was reported on matrix).

/coreboot
5a0207e56a (tag: 24.05, patchqueue) Documentation: Finalize 24.05 release notes
/coreboot/.git/patches
c86db36 (HEAD, tag: 24.05.00.01) add gitignore-add-memstest86plus_v5-and-sortbootorder-payloads

seabios_apu4.sha256sum
fd4bf67129c32489851e443ef15916ca0819100d88c553ce405c43e80097bfe4 seabios_apu4.rom
pietrushnic commented 3 weeks ago

My commits.

coreboot:

* 0a088dea043a - (HEAD -> guilt/patchqueue) gitignore: add memtest86plu_v5 and sortbootorder payloads (12 minutes ago) <Piotr Król>
* 5a0207e56a4d - (tag: 24.05, patchqueue) Documentation: Finalize 24.05 release notes (6 months ago) <Martin Roth>

Patches:

* c86db36f95fc - (HEAD, tag: 24.05.00.01) add gitignore-add-memstest86plus_v5-and-sortbootorder-payloads (4 months ago) <Piotr Król>

and my binary has different has than anything you reported or we included in the release:

aa4524c0e98e4eccee90f32ca8f4c07264ac302db13f0a3bdc98938fdee7560f  seabios_apu4.rom

So this is definitely a bug because binary is not reproducible. Question is why.

coval3nte commented 3 weeks ago

cb852033c1 (HEAD -> guilt/patchqueue) gitignore: add memtest86plu_v5 and sortbootorder payloads

we've different commit hashes after patches are applied, something within guilt process is non deterministic

pietrushnic commented 3 weeks ago

That's completely normal git takes timestamp of the patch application into the hash calculation formula under consideration, so whenever you apply queue, you will get different hash, I tried one more time and have different one:

git log -1 --oneline
0a088dea043a (HEAD -> guilt/patchqueue) gitignore: add memtest86plu_v5 and sortbootorder payloads

Regarding seabios_apu4.rom, I keep getting the same hash after rebuilding, so it is not when it gets into the binary. I will use the hex dump release binary and what I get here to determine the difference.

Of course HEAD hash is one suspected piece which may be is added somewhere in the coreboot final binary.

pietrushnic commented 3 weeks ago

We already knew the issue while working on the build: https://github.com/Dasharo/dasharo-issues/issues/890

However, this seems like it could be more correct because I rebuilt after reapplying patches, which resulted in a different hash at the HEAD, but the final binary hash is the same. I will change the build path and see if the hash changes. Although we build in a container, this shouldn't be the case.

coval3nte commented 3 weeks ago

you're right, binary contains the commit hash. there are other differences too between binaries

pietrushnic commented 3 weeks ago

And the tag:

(...)
1547c1512
< #define COREBOOT_VERSION "v24.05.00.01"
---
> #define COREBOOT_VERSION "24.05-86-g0a088dea043a"
1566c1531
< COREBOOT_VERSION: v24.05.00.01
---
> COREBOOT_VERSION: 24.05-86-g0a088dea043a
2445c2410
< v24.05.00.01
---
> 24.05-86-g0a088dea043a
10818c10783
< v24.05.00.01
---
> 24.05-86-g0a088dea043a
10820c10785
< v24.05.00.01
---
> 24.05-86-g0a088dea043a

I think consistent tagging is the missing step for reproducibility. Verifying that, I will create a pull request if that is the case.

pietrushnic commented 3 weeks ago

@coval3nte adding correct tag should fix the reproducibility issues: https://github.com/Dasharo/dasharo-pq/pull/7/files

coval3nte commented 3 weeks ago 
Built pcengines/apu2 (apu4)
All builds completed successfully.
b14b6001bad80d9753f5fd1854a73786f22696f725b8d4a686ed29d4b2c7d64d  seabios_apu4.rom

you did it :)

pietrushnic commented 3 weeks ago

Thanks for the verification.