Re: [PATCH] [rfc] Add SBOM (software bill of materials) to the efi binaries

Isaac Oram

I am also interested in this capability.

There are (undocumented?) capabilities in the build scripts currently that may be germane: --hash, --binary-destination, --binary-source.
The rough usage is:
build --hash --binary-destination
This creates a tree with binaries and hashes of all the source code and build flags used to generate the binary.

Then you can use
build --hash --binary-source
and the build will only rebuild a driver if source or build options have changed.

The effect is that every build can be roughly an incremental build if you have baseline binaries available. My understanding is that the hash is a combination of all the build inputs for a given INF. And I understand that it is a little blunt, in that if anything in a consumed package changes, it will rebuild the binary.

It may be interesting to understand possible leverage between the two. If the edition use and hash use can or should be well aligned. Anyway, I look forward to the discussion in July.


-----Original Message-----
From: <> On Behalf Of Richard Hughes
Sent: Monday, June 6, 2022 1:56 AM
To: Martin Fernandez <martin.fernandez@...>
Cc:; daniel.gutson@...; alex.bazhaniuk@...; jesse.michael@...
Subject: Re: [edk2-rfc] [PATCH] [rfc] Add SBOM (software bill of materials) to the efi binaries

On Fri, 3 Jun 2022 at 15:26, Martin Fernandez <martin.fernandez@...> wrote:
> This patch is heavily experimental and really looking for comments and
> more ideas.

If it helps drive progress, both AMI and Insyde have been testing building images based on this patch. I'd really like something like this to be included in edk2 to avoid two IBVs diverging with subtly different implementations.

