build: allow overriding docker UID for rootless environments #85

Open
Suraj-kumar00 wants to merge 1 commit into Dasharo:master from Suraj-kumar00:fix/rootless-docker-uid-ec

@Suraj-kumar00

Description

This PR enables building the EC firmware using a rootless Docker setup, fixing Dasharo/dasharo-issues#1197.

Currently, build.sh hardcodes the user ID passed to the Docker container via -u "$(id -u)". In a rootless Docker environment, the Docker daemon runs in userspace, and forcing the host's UID inside the container causes user-namespace mapping issues, leading to Permission denied errors.

This introduces a DOCKER_UID environment variable that falls back to $(id -u). This allows developers using rootless Docker to easily bypass the restriction by running:

DOCKER_UID=root EC_BOARD_VENDOR=clevo EC_BOARD_MODEL=nv40mz ./build.sh

Because of rootless Docker user namespaces, the container runs as root internally, but the resulting .rom file is safely owned by the standard developer user on the host machine.

Testing

  • Standard Docker (Regression Test):

    BUILD_TIMELESS=1 EC_BOARD_VENDOR=clevo EC_BOARD_MODEL=nv40mz ./build.sh

    Builds successfully.

  • Rootless Docker:

    BUILD_TIMELESS=1 DOCKER_UID=root EC_BOARD_VENDOR=clevo EC_BOARD_MODEL=nv40mz ./build.sh

    Successfully completes the build.

  • Verification:
    The SHA256 hashes of the resulting ec.rom files match perfectly between both build environments, confirming reproducible builds without permission errors.

philipanda commented Mar 24, 2026

Tested that on a rootless docker installation.

The build succeeds with and without the fix in my case - contradictory to the message in the PR. Can you verify that @Suraj-kumar00?

The sha256sum I get on your change (63df54a):

  • 46b30841400a30ead236fcb4df8dcdd63cfb16791375b334ef77a706315d96c6.

The hash on the commit prior (d198b64) (built on the same rootless docker installation):

  • d227452d81fdf3d7fd468f1d2145c137a2f5be6cb226aac226a7b02c012e4644

I've re-used the environment from Dasharo/coreboot#862 (comment) here.
Result binaries:

A hex diff shows that the binaries only differ in the build timestamp.

--- clevo_nv40mz_ec.hex 2026-03-24 10:45:45.471109845 +0100
+++ suraj.hex   2026-03-24 10:45:35.051142712 +0100
@@ -2424,8 +2424,8 @@
 00009770: f6f7 f8f9 fafb fcfd feff 3736 4543 5f42  ..........76EC_B
 00009780: 4f41 5244 3d63 6c65 766f 2f6e 7634 306d  OARD=clevo/nv40m
 00009790: 7a00 3736 4543 5f56 4552 5349 4f4e 3d32  z.76EC_VERSION=2
-000097a0: 3032 362d 3033 2d31 325f 6431 3938 6236  026-03-12_d198b6
-000097b0: 3400 0419 0019 1900 1819 0006 1900 0819  4...............
+000097a0: 3032 362d 3033 2d31 355f 3633 6466 3534  026-03-15_63df54
+000097b0: 6100 0419 0019 1900 1819 0006 1900 0819  a...............
 000097c0: 0007 1900 0919 000b 1900 0a19 000c 1900  ................
 000097d0: 0e19 000d 1900 3819 0039 1900 3a19 003b  ......8..9..:..;
 000097e0: 1900 3c19 003d 1900 3e19 003f 1900 4019  ..<..=..>..?..@.
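
Review bot: The only changed bytes, on the lines at 0x97a0 and 0x97b0, sit inside the EC_VERSION= string, and they spell a date plus a short commit id (2026-03-12_d198b64 versus 2026-03-15_63df54a) that matches the two commits being compared. Since that field follows the commit, images built from different commits cannot hash equal, so the reproducibility claim should be tested by building one and the same commit under standard and rootless Docker and comparing those hashes, or by comparing the images with the EC_VERSION value excluded.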

@Suraj-kumar00 Can you explain how you got the same SHA hash? The EC build script does not use the BUILD_TIMELESS environment variable.

Test procedure

  1. On a fresh Ubuntu 22.04 machine, as a non-root user, install rootless Docker:

     curl -fsSL https://get.docker.com/rootless | sh
     export PATH=$HOME/bin:$PATH
     export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock

  2. Verify it's truly rootless:

     docker info | grep -i rootless

  3. Set up the repo:

     git clone https://github.com/dasharo/ec.git && cd ec
     git remote add suraj https://github.com/Suraj-kumar00/ec.git
     # fetch the PR branch so the remote-tracking ref exists
     git fetch suraj

  4. Test if it fails on rootless:

     EC_BOARD_VENDOR=clevo EC_BOARD_MODEL=nv40mz ./build.sh

  5. Test if the fix works:

     git checkout suraj/fix/rootless-docker-uid-ec
     EC_BOARD_VENDOR=clevo EC_BOARD_MODEL=nv40mz ./build.sh

  6. Build without the fix and compare SHA256:

     sha256sum clevo_nv40mz_ec.rom
     git checkout suraj/fix/rootless-docker-uid-ec~1
     EC_BOARD_VENDOR=clevo EC_BOARD_MODEL=nv40mz ./build.sh
     sha256sum clevo_nv40mz_ec.rom
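
The byte-level check done by eye on the hex diff in the comment above can be scripted. This is an added example, not part of the PR thread or the Dasharo repository; the function names and sample images are constructed for illustration, and only the EC_VERSION= marker and the two version strings come from the hex dump.

```python
"""Check that two EC ROM images differ only inside the EC_VERSION string."""

MARKER = b"EC_VERSION="  # field name as it appears in the hex dump


def version_span(image: bytes) -> range:
    """Offsets of the EC_VERSION value, excluding its NUL terminator."""
    start = image.index(MARKER) + len(MARKER)
    return range(start, image.index(b"\x00", start))


def diff_runs(a: bytes, b: bytes) -> list:
    """Coalesce differing offsets into inclusive (first, last) runs."""
    if len(a) != len(b):
        raise ValueError("image sizes differ; offsets are not comparable")
    runs = []
    for off, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if runs and runs[-1][1] == off - 1:
                runs[-1] = (runs[-1][0], off)
            else:
                runs.append((off, off))
    return runs


def only_version_differs(a: bytes, b: bytes) -> bool:
    """True if the images differ and every differing byte is in the version value."""
    span = version_span(a)
    runs = diff_runs(a, b)
    return bool(runs) and span == version_span(b) and all(
        first in span and last in span for first, last in runs
    )


def make_image(version: bytes, payload: bytes = b"\x04\x19\x00\x19") -> bytes:
    """Constructed stand-in for a ROM: board string, version string, payload."""
    return b"\xfe\xff76EC_BOARD=clevo/nv40mz\x0076EC_VERSION=" + version + b"\x00" + payload


# Constructed samples carrying the two version strings shown in the hex diff.
OLD = make_image(b"2026-03-12_d198b64")
NEW = make_image(b"2026-03-15_63df54a")
TAMPERED = make_image(b"2026-03-15_63df54a", payload=b"\x04\x19\x00\x18")

if __name__ == "__main__":
    for name, img in (("NEW", NEW), ("TAMPERED", TAMPERED)):
        print(name, diff_runs(OLD, img), only_version_differs(OLD, img))
```

For real images, read both .rom files as bytes and pass them to only_version_differs; a False result with differing hashes means something other than the version string changed.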
