linuxboot
diff --git a/‎.circleci/config.yml‎
Lines changed: 352 additions & 146 deletions b/‎.circleci/config.yml‎
Lines changed: 352 additions & 146 deletions
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎README.md‎
Lines changed: 17 additions & 11 deletions b/‎README.md‎
Lines changed: 17 additions & 11 deletions
diff --git a/‎doc/architecture.md‎
Lines changed: 2 additions & 0 deletions b/‎doc/architecture.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎doc/circleci.md‎
Lines changed: 305 additions & 0 deletions b/‎doc/circleci.md‎
Lines changed: 305 additions & 0 deletions
@@ -25,3 +25,4 @@ crossgcc
 typescript*
 result
 .claude/
+tmpDir/
@@ -34,6 +34,7 @@ Heads codebase. Start here:
 | [doc/ux-patterns.md](doc/ux-patterns.md) | GUI/UX conventions: whiptail wrappers, integrity report, error flows |
 | [doc/config.md](doc/config.md) | Board and user configuration system |
 | [doc/docker.md](doc/docker.md) | Reproducible build workflow using Docker |
+| [doc/circleci.md](doc/circleci.md) | CircleCI pipeline layout, workspace flow, and cache behavior |
 | [doc/qemu.md](doc/qemu.md) | QEMU board targets for development and testing |
 | [doc/wp-notes.md](doc/wp-notes.md) | Flash write-protection status per board |
 | [doc/BOARDS_AND_TESTERS.md](doc/BOARDS_AND_TESTERS.md) | Supported boards and their maintainers/testers |
@@ -65,9 +66,15 @@ provided Docker wrappers — no host-side QEMU or swtpm installation is needed.
 and QEMU runtime with software TPM (swtpm) and the bundled `canokey-qemu`
 virtual OpenPGP smartcard. Build and test entirely in software before flashing real hardware.
 
+Build targets are the directory names under `boards/`. For the current set of
+tested and maintained targets, see [doc/BOARDS_AND_TESTERS.md](doc/BOARDS_AND_TESTERS.md).
+
 For full details — wrapper scripts, Nix local dev, reproducibility verification, and
 maintainer workflow — see **[doc/docker.md](doc/docker.md)**.
 
+For CI cache/workspace behavior and the CircleCI job graph, see
+**[doc/circleci.md](doc/circleci.md)**.
+
 For QEMU board testing see **[doc/qemu.md](doc/qemu.md)**.
 
 For troubleshooting build issues see **[doc/faq.md](doc/faq.md)** and
@@ -97,13 +104,11 @@ enabled by most board configs include:
 
 * [musl-cross-make](https://github.com/richfelker/musl-cross-make) — cross-compiler toolchain
 * [coreboot](https://www.coreboot.org/) — minimal firmware replacing vendor BIOS/UEFI
-* [Linux](https://kernel.org) — minimal kernel payload (no built-in initramfs; boots with external initrd such as `initrd.cpio.xz`)
+* [Linux](https://kernel.org) — minimal kernel payload (no built-in initrd; boots with external initrd such as `initrd.cpio.xz`)
 * [busybox](https://busybox.net/) — core utilities
-* [kexec](https://wiki.archlinux.org/index.php/kexec) — boot OS from /boot
+* [kexec](https://wiki.archlinux.org/index.php/kexec) — Linux kernel executor (loads kernels from boot partition, USB, network)
+* [tpmtotp](https://github.com/osresearch/tpmtotp) — TPM-based TOTP/HOTP one-time password generator
 * [cryptsetup](https://gitlab.com/cryptsetup/cryptsetup) — LUKS disk encryption
-* [GPG](https://www.gnupg.org/) — /boot signature verification
-* [mbedtls](https://tls.mbed.org/) — cryptography for TPM operations
-* [tpmtotp](https://trmm.net/Tpmtotp) — TPM-based TOTP/HOTP attestation
 
 The full build also includes: lvm2, tpm2-tools, flashrom/flashprog, dropbear (SSH),
 fbwhiptail (GUI), qrencode, and many others. See individual `modules/*` files and
@@ -118,12 +123,13 @@ kernel.
 
 * Building coreboot's cross compilers can take a while.  Luckily this is only done once.
 * Builds are finally reproducible! The [reproduciblebuilds tag](https://github.com/osresearch/heads/issues?q=is%3Aopen+is%3Aissue+milestone%3Areproduciblebuilds) tracks any regressions.
-* Currently only tested in QEMU, the Thinkpad x230, Librem series and the Chell Chromebook.
-** Xen does not work in QEMU.  Signing, HOTP, and TOTP do work; see below.
-* Building for the Lenovo X220 requires binary blobs to be placed in the blobs/x220/ folder.
-See the readme.md file in that folder
-* Building for the Librem 13 v2/v3 or Librem 15 v3/v4 requires binary blobs to be placed in
-the blobs/librem_skl folder. See the readme.md file in that folder
+* Current tested and maintained boards are tracked in [doc/BOARDS_AND_TESTERS.md](doc/BOARDS_AND_TESTERS.md). Board targets themselves live under `boards/`.
+* Xen does not work in QEMU.  Signing, HOTP, and TOTP do work; see below.
+* Blob requirements are board- or board-family-specific. Check the relevant documentation under `blobs/` for the target you are building.
+* Purism boards use Purism-managed coreboot blob paths from the Purism fork (for example `3rdparty/purism-blobs/...` via `CONFIG_IFD_BIN_PATH` and `CONFIG_ME_BIN_PATH` in `config/coreboot-librem_*.config`). Heads should not maintain those vendor blob payloads. Runtime firmware notes for Librem blob jail are in [blobs/librem_jail/README](blobs/librem_jail/README).
+* Lenovo xx20 boards such as X220 and X230 use the shared xx20 blob flow documented in [blobs/xx20/readme.md](blobs/xx20/readme.md). X220-specific notes are in [blobs/x220/readme.md](blobs/x220/readme.md).
+* Other boards can source blobs from board-family directories under `blobs/` (for example xx20/xx30/xx80, t420, t440p, w541) or from fork-specific paths configured in coreboot configs (for example Dasharo boards using `3rdparty/dasharo-blobs/...`). Vendor blob payloads remain maintained by their upstream vendors/forks.
+* T480 and T480s blob requirements are documented in [blobs/xx80/README.md](blobs/xx80/README.md). Other families have their own docs under `blobs/`, for example `t420/`, `t440p/`, and `w541/`.
 
 ### QEMU
 
 
@@ -98,6 +98,8 @@ The top-level `Makefile` orchestrates:
 - Final ROM image: coreboot ROM with Linux + initrd payload embedded
 
 Reproducible builds are achieved via Nix-pinned Docker images. See [docker.md](docker.md).
+The CI pipeline's workspace and cache behavior is documented in
+[circleci.md](circleci.md).
 
 ---
 
 
@@ -0,0 +1,305 @@
+# CircleCI Pipeline and Cache Model
+
+This document explains how the CircleCI pipeline in Heads is structured,
+what the cache layers mean, and how each coreboot fork saves its own modules cache.
+
+See also: [development.md](development.md), [docker.md](docker.md),
+[architecture.md](architecture.md).
+
+---
+
+## Goals
+
+The CircleCI pipeline is optimized for two constraints:
+
+- Avoid CircleCI workspace fan-in errors.
+- Reuse expensive build outputs across pipelines without delaying unrelated
+  board builds more than necessary.
+
+The current layout favors a linear x86 seed chain followed by parallel board
+builds.
+
+---
+
+## Key concepts
+
+### Workspace
+
+A workspace is data passed from an upstream job to downstream jobs in the same
+workflow run.
+
+- Workspaces help sibling jobs in the current pipeline.
+- Workspaces are downloaded fresh by downstream jobs.
+- Persisting the same paths from multiple upstream jobs into one downstream job
+  causes fan-in problems in CircleCI.
+
+### Cache
+
+A CircleCI cache is stored for reuse by later pipeline runs in the same
+repository.
+
+- Caches help future pipelines.
+- Caches do not speed up sibling jobs in the same workflow run.
+- Forks do not share caches with the upstream repository.
+- Each x86_coreboot job saves both modules and coreboot caches for its fork.
+
+---
+
+## x86 pipeline shape
+
+The x86 chain is intentionally linear until a seed board has produced a usable
+workspace:
+
+1. `create_hashes`
+2. `x86_blobs`
+3. `x86_musl_cross_make`
+4. `x86_coreboot` seed jobs, one per coreboot fork
+5. Downstream board builds for each fork, in parallel
+
+For the coreboot 25.09 branch, the seed board is `EOL_t480-hotp-maximized`.
+That job produces the workspace used by the other 25.09 boards in the same
+workflow.
+
+Other x86 forks follow the same pattern:
+
+- `novacustom-nv4x_adl` seeds the `coreboot-dasharo_nv4x` fork
+- `novacustom-v560tu` seeds the `coreboot-dasharo_v56` fork
+- `librem_14` seeds the `coreboot-purism` fork
+- `EOL_t480-hotp-maximized` seeds the `coreboot-25.09` fork
+- `EOL_librem_l1um` seeds the `coreboot-4.11` fork
+- `UNTESTED_msi_z690a_ddr4` seeds the `coreboot-dasharo_msi_z690` fork
+- `UNTESTED_msi_z790p_ddr4` seeds the `coreboot-dasharo_msi_z790` fork
+
+The downstream `build` jobs for each family consume the workspace from the
+relevant seed job instead of rebuilding the fork toolchain from scratch.
+
+The ppc64 chain mirrors x86:
+1. `create_hashes`
+2. `ppc64_musl_cross_make` - builds musl-cross-make toolchain, saves cache
+3. `ppc64_coreboot` - builds coreboot-talos_2 fork, saves cache
+4. (no downstream boards - only one ppc64 board exists)
+
+---
+
+## Cache layers
+
+The x86 pipeline uses hierarchical cache layers:
+
+1. **`{arch}-musl-cross-make-nix-docker-heads-{hash}`**
+   - Base toolchain (GCC + musl = musl-cross-make)
+   - Paths: `build/{arch}/musl-cross-make-*`, `crossgcc/{arch}`, `install/{arch}`, `packages/{arch}`
+
+2. **`{arch}-coreboot-musl-cross-make-nix-docker-heads-{hash}-{coreboot_dir}`**
+   - Includes musl + coreboot toolstack
+   - Paths: `build/{arch}/{coreboot_dir}`, `build/{arch}/musl-cross-make-*`, `crossgcc/{arch}`, `install/{arch}`, `packages/{arch}`
+
+3. **`{arch}-modules-coreboot-musl-cross-make-nix-docker-heads-{hash}-{coreboot_dir}`**
+   - Includes coreboot + musl + all built modules (FULL)
+   - Paths: `build/{arch}`, `install/{arch}`, `crossgcc/{arch}`, `packages/{arch}`
+
+4. **`{arch}-blobs-nix-docker-heads`** are handled separately
+
+Cache key naming: `{arch}-{layer}-nix-docker-heads-{hash}[-{fork}]`
+
+The cache key naming shows the dependency chain: each layer includes everything from the layers below it.
+
+Restore order (most complete to least):
+```
+1. {arch}-modules-coreboot-musl-cross-make-nix-docker-heads-{modules_hash}-{coreboot_dir}
+2. {arch}-coreboot-musl-cross-make-nix-docker-heads-{coreboot_hash}-{coreboot_dir}
+3. {arch}-musl-cross-make-nix-docker-heads-{musl_hash}
+```
+
+Each `x86_coreboot` job saves both:
+- modules cache (full build state)
+- coreboot cache (fork-specific toolstack)
+
+---
+
+## Current pipeline details
+
+The current pipeline behavior is:
+
+1. It uses explicit jobs for cache hashing, blob preparation, x86 musl seed,
+   x86 coreboot forks (each saves both modules and coreboot caches), generic board
+   builds, and the single ppc64 Talos II build.
+2. It uses a pinned `heads-docker` executor so the toolchain environment is
+   stable across jobs.
+3. It clears only `build/<arch>/log/*` before a build, not the restored build
+   trees themselves.
+4. It keeps x86 blob preparation separate from toolchain and firmware builds.
+5. It keys x86 coreboot caches by fork so one fork cannot restore another
+   fork's build tree.
+6. It restores the largest valid cache first, because CircleCI stops at the
+   first matching key.
+7. It stores `install/<arch>` together with the compiler and package trees so a
+   restored musl toolchain still has its sysroot.
+8. It refreshes restored `.configured` and `.build` stamps before invoking
+   `make`, so fresh checkout mtimes do not trigger a redundant rebuild of an
+   already restored musl-cross-make tree.
+9. It decouples ppc64 into musl-cross-make and coreboot jobs (like x86) so each
+   saves its cache immediately rather than at the end of a long combined build.
+
+---
+
+## Maintainer checklist
+
+When changing `.circleci/config.yml`, update this document by answering these
+questions in order:
+
+1. Did the job graph change?
+   Update the `x86 pipeline shape` section and the seed-board list.
+2. Did a cache key, restore order, or saved path change?
+Update `Cache layers` and `Why musl could rebuild after a cache hit`.
+3. Did the change alter current runtime behavior or restore/build semantics?
+   Update `Current pipeline details`.
+4. Did the change affect the maintenance workflow itself?
+   Update this section too.
+
+If you cannot summarize the change in one of those sections, the document is
+missing a section and should be extended rather than worked around.
+
+---
+
+## Edit map
+
+Use this map when modifying the pipeline:
+
+- Add or remove a cache hash input:
+  edit `create_hashes` in `.circleci/config.yml` and update `Cache layers` here.
+- Add or remove x86 blob preparation:
+  edit `x86_blobs` and update `x86 pipeline shape` plus `Cache layers`.
+- Add or remove an x86 coreboot fork seed:
+  edit the `x86_coreboot` workflow entries and update the seed-board list in
+  `x86 pipeline shape`.
+- Add or remove downstream boards for a fork:
+  edit the `build` workflow entries and verify the seed dependency still points
+  to the correct fork seed.
+- Change what makes musl reusable:
+  update the save/restore paths in `.circleci/config.yml` and re-check the
+  explanation in `Why musl could rebuild after a cache hit`.
+- Change ppc64 behavior:
+  edit `ppc64_musl_cross_make` and/or `ppc64_coreboot` and re-check both
+  `Cache layers` and the ppc64 chain description.
+
+---
+
+## Invariants
+
+These are the current rules worth preserving unless a deliberate design change:
+
+- Only one job at a time should persist a given workspace chain.
+- Blob download is separate from x86 toolchain and coreboot builds.
+- Each fork saves both modules and coreboot caches.
+- x86 and ppc64 restore lists should prefer the largest valid cache first.
+- Same-workflow cache misses can be expected when the broad key is being published during that workflow; this should improve on the next pipeline.
+- Musl reuse requires both `crossgcc/<arch>` and `install/<arch>`.
+- Each coreboot fork has its own cache keyed by `{coreboot_dir}` to prevent cross-fork contamination.
+- ppc64 now uses decoupled musl-cross-make + coreboot jobs, each saving cache immediately.
+
+## How each fork saves its cache
+
+Each `x86_coreboot` job (the first board for each coreboot fork) saves both:
+1. **modules cache** - full build state including all built modules
+2. **coreboot cache** - fork-specific coreboot toolstack
+
+This means every fork is self-sufficient:
+- First board of fork builds everything and saves both caches
+- Downstream boards in same fork restore full modules cache
+- No separate cache publication job needed
+
+---
+
+## Why musl could rebuild after a cache hit
+
+**Original problem**: Even when cache is restored, musl-cross-make was rebuilt
+because the Makefile only checked if `CROSS` env var was set, not if the
+compiler actually existed on disk.
+
+**Fix**: The musl-cross-make module now uses `wildcard` to auto-detect if
+`crossgcc/<arch>/bin/<triplet>-gcc` exists. If found, it sets CROSS and uses
+the `--version` path (no rebuild). If not found, it builds from scratch.
+
+The build logic also requires both:
+- the compiler binaries under `crossgcc/<arch>`
+- the installed sysroot under `install/<arch>`
+
+If the cache only restores the compiler tree but not the installed headers and
+libraries, the generic module build rules still have missing outputs and musl
+is rebuilt.
+
+That is why the current branch stores `install/x86` and `install/ppc64` in the
+musl and coreboot cache layers, not only in the broad modules cache.
+
+There is a second reuse problem to watch for: restored stamp files can be older
+than freshly checked-out source files in CI. When that happens, GNU Make can
+decide that `.configured` and then `.build` are stale even though the restored
+outputs are complete. The current CI job refreshes restored `.configured` and
+`.build` timestamps before invoking `make` so restored musl-cross-make trees are
+reused instead of spending several minutes rebuilding for timestamp reasons
+alone.
+
+---
+
+## Cold-cache behavior
+
+Cold runs are still expensive because:
+
+- Downstream jobs still download the upstream workspace chain.
+- A fork starts with cold CircleCI caches because caches are repository-scoped.
+- CircleCI restores only the first matching key, so an unexpectedly narrow hit
+  can still leave later work to do if the cache contents are incomplete.
+- Saving a large cache still requires uploading the selected directories.
+
+---
+
+## When to change this design
+
+Adjust the model only if one of these is true:
+
+- The seed board is no longer representative of the fork workspace.
+- The persisted workspace is too large and should be split further.
+- The modules cache key is too broad and causes low reuse.
+- CircleCI changes workspace or cache semantics.
+
+## Design invariants
+
+- Each coreboot fork saves both modules and coreboot caches, eliminating single-point-of-failure.
+- Cache key naming shows the dependency chain: modules includes coreboot includes musl.
+- Restore ordering must be explicit and largest-first. If two keys are valid,
+  CircleCI uses the first match only.
+- Restored build markers can be older than fresh checkout files. Without stamp refresh,
+  Make can rebuild musl-cross-make even after a correct modules-cache restore.
+- For ppc64, the middle fallback `coreboot+musl` improves reuse when
+  `modules` is absent but a richer cache than plain `musl` exists.
+- Each x86 coreboot fork saves its own modules cache keyed by `{coreboot_dir}`.
+  This prevents cross-fork contamination while enabling fork-specific reuse.
+- x86 coreboot forks avoid generic cross-fork fallback keys to prevent
+  restoring another fork's coreboot tree.
+- ppc64 uses decoupled musl-cross-make + coreboot jobs. Each saves its cache
+  immediately rather than at the end of a long combined build.
+- musl-cross-make module auto-detects existing crossgcc using wildcard check,
+  skipping rebuild when compiler already exists from cache.
+
+## First run observations (pipeline 3789 on circleci-cache-fix branch)
+
+Cold cache run on new pipeline structure:
+- x86-musl-cross-make: 30 min (vs baseline 14.5 min) - slower due to new overhead
+- ppc64-musl-cross-make: 16 min (vs baseline 18 min) - slightly faster
+
+The Make Board step takes longer in new pipeline because it persists more
+data after build (build/, install/, crossgcc/, packages/). The real test is
+second run when cache exists - verifies if wildcard fix skips rebuild.
+
+## Cache hash inputs
+
+Cache key hashes intentionally exclude `.circleci/config.yml` to prevent cache
+invalidation on CircleCI configuration changes. Add back once cache model is stable
+(see TODO in `.circleci/config.yml` create_hashes job).
+
+Key files included in hashes:
+- `all_modules_and_patches.sha256sums`: `./Makefile`, `./flake.lock`, `./patches/`, `./modules/`
+- `coreboot_musl-cross-make.sha256sums`: `./flake.lock`, `./modules/coreboot`, `./modules/musl-cross-make*`, `./patches/coreboot*`
+- `musl-cross-make.sha256sums`: `./flake.lock`, `./modules/musl-cross-make*`
+
+