linuxboot
diff --git a/‎.circleci/config.yml‎
Lines changed: 352 additions & 143 deletions b/‎.circleci/config.yml‎
Lines changed: 352 additions & 143 deletions
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Makefile‎
Lines changed: 4 additions & 0 deletions b/‎Makefile‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 17 additions & 11 deletions b/‎README.md‎
Lines changed: 17 additions & 11 deletions
diff --git a/‎bin/fetch_source_archive.sh‎
Lines changed: 9 additions & 1 deletion b/‎bin/fetch_source_archive.sh‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎boards/UNTESTED_msi_z690a_ddr4/UNTESTED_msi_z690a_ddr4.config‎
Lines changed: 1 addition & 1 deletion b/‎boards/UNTESTED_msi_z690a_ddr4/UNTESTED_msi_z690a_ddr4.config‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎boards/UNTESTED_msi_z690a_ddr5/UNTESTED_msi_z690a_ddr5.config‎
Lines changed: 1 addition & 1 deletion b/‎boards/UNTESTED_msi_z690a_ddr5/UNTESTED_msi_z690a_ddr5.config‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎boards/UNTESTED_msi_z790p_ddr4/UNTESTED_msi_z790p_ddr4.config‎
Lines changed: 1 addition & 1 deletion b/‎boards/UNTESTED_msi_z790p_ddr4/UNTESTED_msi_z790p_ddr4.config‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎boards/UNTESTED_nitropad-ns50/UNTESTED_nitropad-ns50.config‎
Lines changed: 2 additions & 1 deletion b/‎boards/UNTESTED_nitropad-ns50/UNTESTED_nitropad-ns50.config‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎boards/msi_z790p_ddr5/msi_z790p_ddr5.config‎
Lines changed: 1 addition & 1 deletion b/‎boards/msi_z790p_ddr5/msi_z790p_ddr5.config‎
Lines changed: 1 addition & 1 deletion
@@ -25,3 +25,4 @@ crossgcc
 typescript*
 result
 .claude/
+tmpDir/
@@ -492,6 +492,10 @@ define define_module =
 		git -C "$(build)/$($1_base_dir)" submodule sync && \
 		echo "INFO: Updating submodules (init and checkout)" && \
 		git -C "$(build)/$($1_base_dir)" submodule update --init --checkout && \
+		echo "INFO: Cleaning board-specific build directories to prevent stale artifacts" && \
+		rm -rf "$(build)/$(BOARD)" "$(build)/$($1_base_dir)/$(BOARD)" && \
+		echo "INFO: Recreating board directories" && \
+		mkdir -p "$(build)/$(BOARD)" "$(build)/$($1_base_dir)/$(BOARD)" && \
 		echo "INFO: Updating .canary file with new repo info" && \
 		echo -n '$($1_repo)|$($1_commit_hash)' > "$$@" ; \
 	fi
 
@@ -34,6 +34,7 @@ Heads codebase. Start here:
 | [doc/ux-patterns.md](doc/ux-patterns.md) | GUI/UX conventions: whiptail wrappers, integrity report, error flows |
 | [doc/config.md](doc/config.md) | Board and user configuration system |
 | [doc/docker.md](doc/docker.md) | Reproducible build workflow using Docker |
+| [doc/circleci.md](doc/circleci.md) | CircleCI pipeline layout, workspace flow, and cache behavior |
 | [doc/qemu.md](doc/qemu.md) | QEMU board targets for development and testing |
 | [doc/wp-notes.md](doc/wp-notes.md) | Flash write-protection status per board |
 | [doc/BOARDS_AND_TESTERS.md](doc/BOARDS_AND_TESTERS.md) | Supported boards and their maintainers/testers |
@@ -65,9 +66,15 @@ provided Docker wrappers — no host-side QEMU or swtpm installation is needed.
 and QEMU runtime with software TPM (swtpm) and the bundled `canokey-qemu`
 virtual OpenPGP smartcard. Build and test entirely in software before flashing real hardware.
 
+Build targets are the directory names under `boards/`. For the current set of
+tested and maintained targets, see [doc/BOARDS_AND_TESTERS.md](doc/BOARDS_AND_TESTERS.md).
+
 For full details — wrapper scripts, Nix local dev, reproducibility verification, and
 maintainer workflow — see **[doc/docker.md](doc/docker.md)**.
 
+For CI cache/workspace behavior and the CircleCI job graph, see
+**[doc/circleci.md](doc/circleci.md)**.
+
 For QEMU board testing see **[doc/qemu.md](doc/qemu.md)**.
 
 For troubleshooting build issues see **[doc/faq.md](doc/faq.md)** and
@@ -97,13 +104,11 @@ enabled by most board configs include:
 
 * [musl-cross-make](https://github.com/richfelker/musl-cross-make) — cross-compiler toolchain
 * [coreboot](https://www.coreboot.org/) — minimal firmware replacing vendor BIOS/UEFI
-* [Linux](https://kernel.org) — minimal kernel payload (no built-in initramfs; boots with external initrd such as `initrd.cpio.xz`)
+* [Linux](https://kernel.org) — minimal kernel payload (no built-in initrd; boots with external initrd such as `initrd.cpio.xz`)
 * [busybox](https://busybox.net/) — core utilities
-* [kexec](https://wiki.archlinux.org/index.php/kexec) — boot OS from /boot
+* [kexec](https://wiki.archlinux.org/index.php/kexec) — Linux kernel executor (loads kernels from boot partition, USB, network)
+* [tpmtotp](https://github.com/osresearch/tpmtotp) — TPM-based TOTP/HOTP one-time password generator
 * [cryptsetup](https://gitlab.com/cryptsetup/cryptsetup) — LUKS disk encryption
-* [GPG](https://www.gnupg.org/) — /boot signature verification
-* [mbedtls](https://tls.mbed.org/) — cryptography for TPM operations
-* [tpmtotp](https://trmm.net/Tpmtotp) — TPM-based TOTP/HOTP attestation
 
 The full build also includes: lvm2, tpm2-tools, flashrom/flashprog, dropbear (SSH),
 fbwhiptail (GUI), qrencode, and many others. See individual `modules/*` files and
@@ -118,12 +123,13 @@ kernel.
 
 * Building coreboot's cross compilers can take a while.  Luckily this is only done once.
 * Builds are finally reproducible! The [reproduciblebuilds tag](https://github.com/osresearch/heads/issues?q=is%3Aopen+is%3Aissue+milestone%3Areproduciblebuilds) tracks any regressions.
-* Currently only tested in QEMU, the Thinkpad x230, Librem series and the Chell Chromebook.
-** Xen does not work in QEMU.  Signing, HOTP, and TOTP do work; see below.
-* Building for the Lenovo X220 requires binary blobs to be placed in the blobs/x220/ folder.
-See the readme.md file in that folder
-* Building for the Librem 13 v2/v3 or Librem 15 v3/v4 requires binary blobs to be placed in
-the blobs/librem_skl folder. See the readme.md file in that folder
+* Current tested and maintained boards are tracked in [doc/BOARDS_AND_TESTERS.md](doc/BOARDS_AND_TESTERS.md). Board targets themselves live under `boards/`.
+* Xen does not work in QEMU.  Signing, HOTP, and TOTP do work; see below.
+* Blob requirements are board- or board-family-specific. Check the relevant documentation under `blobs/` for the target you are building.
+* Purism boards use Purism-managed coreboot blob paths from the Purism fork (for example `3rdparty/purism-blobs/...` via `CONFIG_IFD_BIN_PATH` and `CONFIG_ME_BIN_PATH` in `config/coreboot-librem_*.config`). Heads should not maintain those vendor blob payloads. Runtime firmware notes for Librem blob jail are in [blobs/librem_jail/README](blobs/librem_jail/README).
+* Lenovo xx20 boards such as X220 and X230 use the shared xx20 blob flow documented in [blobs/xx20/readme.md](blobs/xx20/readme.md). X220-specific notes are in [blobs/x220/readme.md](blobs/x220/readme.md).
+* Other boards can source blobs from board-family directories under `blobs/` (for example xx20/xx30/xx80, t420, t440p, w541) or from fork-specific paths configured in coreboot configs (for example Dasharo boards using `3rdparty/dasharo-blobs/...`). Vendor blob payloads remain maintained by their upstream vendors/forks.
+* T480 and T480s blob requirements are documented in [blobs/xx80/README.md](blobs/xx80/README.md). Other families have their own docs under `blobs/`, for example `t420/`, `t440p/`, and `w541/`.
 
 ### QEMU
 
 
@@ -75,6 +75,11 @@ rm -f "$FILE" "$TMP_FILE"
 # Try the primary source
 download "$URL" && exit 0
 
+# Log mirror fallback for developer awareness
+MIRROR_LOG="${MIRROR_LOG:-build/mirror_fallbacks.log}"
+mkdir -p "$(dirname "$MIRROR_LOG")"
+echo "$(date -Iseconds) MIRROR_FALLBACK primary=$URL" >>"$MIRROR_LOG"
+
 # Shuffle the mirrors so we try each equally
 readarray -t BACKUP_MIRRORS < <(shuf -e "${BACKUP_MIRRORS[@]}")
 
@@ -86,7 +91,10 @@ archive="$(basename "$FILE")"
 echo "Try mirrors for $archive" >&2
 
 for mirror in "${BACKUP_MIRRORS[@]}"; do
-	download "$mirror$archive" && exit 0
+	if download "$mirror$archive"; then
+		echo "$(date -Iseconds) MIRROR_USED mirror=$mirror$archive" >>"$MIRROR_LOG"
+		exit 0
+	fi
 done
 
 # All mirrors failed
 
@@ -1,7 +1,7 @@
 # MSI PRO Z690-A DDR4 board configuration
 
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=dasharo_msi
+export CONFIG_COREBOOT_VERSION=dasharo_msi_z690
 export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_COREBOOT_CONFIG=config/coreboot-msi_z690a_ddr4.config
 
@@ -1,7 +1,7 @@
 # MSI PRO Z690-A (DDR5) board configuration
 
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=dasharo_msi
+export CONFIG_COREBOOT_VERSION=dasharo_msi_z690
 export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_COREBOOT_CONFIG=config/coreboot-msi_z690a_ddr5.config
 
@@ -1,7 +1,7 @@
 # MSI PRO Z790-P DDR4 board configuration
 
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=dasharo_msi
+export CONFIG_COREBOOT_VERSION=dasharo_msi_z790
 export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_COREBOOT_CONFIG=config/coreboot-msi_z790p_ddr4.config
 
@@ -5,7 +5,8 @@
 #  Dissassembly and Recovery: https://docs.dasharo.com/unified/novacustom/recovery/#ns5x7x-12th-gen
 
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=dasharo
+export CONFIG_COREBOOT_VERSION=dasharo_nv4x
+CONFIG_DASHARO_EC=y
 export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_COREBOOT_CONFIG=config/coreboot-nitropad-ns50.config
 
@@ -1,7 +1,7 @@
 # MSI PRO Z790-P (DDR5) board configuration
 
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=dasharo_msi
+export CONFIG_COREBOOT_VERSION=dasharo_msi_z790
 export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_COREBOOT_CONFIG=config/coreboot-msi_z790p_ddr5.config