Merge pull request #1661 from tlaurion/wip-nix-for-build

Move to nix buildstack (and nix develop produced docker image used under CircleCI)
Thierry Laurion 2024-05-10 16:05:34 -04:00 committed by GitHub
commit 1e583e01a0
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
78 changed files with 997 additions and 288 deletions


@ -11,15 +11,12 @@ commands:
type: string type: string
steps: steps:
- run: - run:
name: Install dependencies name: Make Board (console logs not contiguous because multiple CPUS used to build under CircleCI, see logs in artifacts or Output build failing logs below in case of failed step)
command: | command: |
ln -fs /usr/share/zoneinfo/America/New_York /etc/localtime echo "Sourcing /devenv.sh since docker entrypoint doesn't do it as expected"
apt update source /devenv.sh
apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg gawk iasl m4 nasm patch python python2 python3 wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract sudo libssl-dev device-tree-compiler u-boot-tools sharutils e2fsprogs parted curl unzip imagemagick libncurses5-dev zip rm -rf build/<<parameters.arch>>/<<parameters.target>>/* build/<<parameters.arch>>/log/*
- run: make V=1 BOARD=<<parameters.target>> <<parameters.subcommand>> || touch ./tmpDir/failed_build
name: Make Board (FULL ORDERED BUILD LOGS HERE UNTIL JOB FAILED)
command: |
rm -rf build/<<parameters.arch>>/<<parameters.target>>/* build/<<parameters.arch>>/log/* && make V=1 BOARD=<<parameters.target>> <<parameters.subcommand>> || touch ./tmpDir/failed_build
no_output_timeout: 3h no_output_timeout: 3h
- run: - run:
name: Output hashes name: Output hashes
@ -32,93 +29,89 @@ commands:
- run: - run:
name: Archiving build logs. name: Archiving build logs.
command: | command: |
tar zcvf build/<<parameters.arch>>/<<parameters.target>>/logs.tar.gz $(find build/ -name "*.log") tar zcvf build/<<parameters.arch>>/<<parameters.target>>/logs.tar.gz $(find build/ -name "*.log")
- run: - run:
name: Output build failing logs name: Output build failing logs
command: | command: |
if [[ -f ./tmpDir/failed_build ]]; then find ./build/<<parameters.arch>>/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1;else echo "Step hasn't failed. Continuing with next step..."; fi \ if [[ -f ./tmpDir/failed_build ]]; then
find "./build/<<parameters.arch>>/" -name "*.log" -type f -mmin -1 -exec tail -n +1 '{}' +
exit 1
else
echo "Step hasn't failed. Continuing with next step..."
fi
- store_artifacts: - store_artifacts:
path: build/<<parameters.arch>>/<<parameters.target>> path: build/<<parameters.arch>>/<<parameters.target>>
jobs: jobs:
prep_env: prep_env:
docker: docker:
- image: debian:11 - image: tlaurion/heads-dev-env:v0.1.4
resource_class: large resource_class: large
working_directory: ~/heads working_directory: ~/heads
steps: steps:
- run:
name: Install dependencies
command: |
ln -fs /usr/share/zoneinfo/America/New_York /etc/localtime
apt update
apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg gawk iasl m4 nasm patch python python2 python3 wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract sudo imagemagick libncurses5-dev
- checkout - checkout
- run: - run:
name: git reset name: git reset
command: | command: |
git reset --hard "$CIRCLE_SHA1" \ git reset --hard "$CIRCLE_SHA1"
- run: - run:
name: Make tmp dir name: Make tmp dir
command: | command: |
mkdir ./tmpDir \ mkdir ./tmpDir
- run: - run:
name: Creating all modules and patches digest (All modules cache digest) name: Creating all modules and patches digest (All modules cache digest)
command: | command: |
find ./Makefile ./patches/ ./modules/ -type f | sort -h |xargs sha256sum > ./tmpDir/all_modules_and_patches.sha256sums \ find .circleci/config.yml ./Makefile ./flake.lock ./patches/ ./modules/ -type f | sort -h |xargs sha256sum > ./tmpDir/all_modules_and_patches.sha256sums
- run: - run:
name: Creating coreboot (and associated patches) and musl-cross-make modules digest (musl-cross-make and coreboot cache digest) name: Creating coreboot (and associated patches) and musl-cross-make modules digest (musl-cross-make and coreboot cache digest)
command: | command: |
find ./Makefile ./modules/coreboot ./modules/musl-cross* ./patches/coreboot* -type f | sort -h | xargs sha256sum > ./tmpDir/coreboot_musl-cross.sha256sums \ find .circleci/config.yml ./Makefile ./flake.lock ./modules/coreboot ./modules/musl-cross* ./patches/coreboot* -type f | sort -h | xargs sha256sum > ./tmpDir/coreboot_musl-cross.sha256sums
- run: - run:
name: Creating musl-cross-make and musl-cross-make patches digest (musl-cross-make cache digest) name: Creating musl-cross-make and musl-cross-make patches digest (musl-cross-make cache digest)
command: | command: |
find ./Makefile modules/musl-cross* -type f | sort -h | xargs sha256sum > ./tmpDir/musl-cross.sha256sums \ find .circleci/config.yml ./Makefile ./flake.lock modules/musl-cross* -type f | sort -h | xargs sha256sum > ./tmpDir/musl-cross.sha256sums
- restore_cache: - restore_cache:
# First matched/found key wins and following keys are not tried
keys: keys:
#Restore existing cache for matching modules digest, validated to be exactly the same as in github current commit. # Cache for matching modules digest, validated to be exactly the same as in github current commit.
#This cache was made on top of below caches, if previously existing. If no module definition changed, we reuse this one. Otherwise... # This cache was made on top of below caches, if previously existing.
- heads-modules-and-patches-{{ checksum "./tmpDir/all_modules_and_patches.sha256sums" }}{{ .Environment.CACHE_VERSION }} # If no module definition changed, we reuse this one
#If precedent cache not found, restore cache for coreboot module (and patches) and musl-cross-make digests (coreboot: triannual release) - nix-docker-heads-modules-and-patches-{{ checksum "./tmpDir/all_modules_and_patches.sha256sums" }}{{ .Environment.CACHE_VERSION }}
#Otehrwise....
- heads-coreboot-musl-cross-{{ checksum "./tmpDir/coreboot_musl-cross.sha256sums" }}{{ .Environment.CACHE_VERSION }} # Cache for coreboot module (and patches) and musl-cross-make digests (coreboot: triannual release)
#If precedent cache not found. Restore cache for musl-cross-make module digest (rarely modified). - nix-docker-heads-coreboot-musl-cross-{{ checksum "./tmpDir/coreboot_musl-cross.sha256sums" }}{{ .Environment.CACHE_VERSION }}
#Otherwise, we build cleanly.
- heads-musl-cross-{{ checksum "./tmpDir/musl-cross.sha256sums" }}{{ .Environment.CACHE_VERSION }} # Cache for musl-cross-make module digest (rarely modified).
- nix-docker-heads-musl-cross-{{ checksum "./tmpDir/musl-cross.sha256sums" }}{{ .Environment.CACHE_VERSION }}
- run: - run:
name: Download and neuter xx20 ME (keep generated GBE and extracted IFD in tree) name: Download and neuter xx20 ME (keep generated GBE and extracted IFD in tree)
command: | command: |
./blobs/xx20/download_parse_me.sh ./blobs/xx20/download_parse_me.sh
- run: - run:
name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree)
# me_cleaner.py present under heads xx30 blobs dir comes from https://github.com/corna/me_cleaner/blob/43612a630c79f3bc6f2653bfe90dfe0b7b137e08/me_cleaner.py # me_cleaner.py present under heads xx30 blobs dir comes from https://github.com/corna/me_cleaner/blob/43612a630c79f3bc6f2653bfe90dfe0b7b137e08/me_cleaner.py
name: Download and neuter xx30 ME (keep generated GBE and extracted IFD in tree)
command: | command: |
./blobs/xx30/download_clean_me_manually.sh -m $(readlink -f ./blobs/xx30/me_cleaner.py) ./blobs/xx30/download_clean_me_manually.sh -m $(readlink -f ./blobs/xx30/me_cleaner.py)
- run: - run:
name: Download and extract t530 vbios roms for dgpu boards name: Download and extract t530 vbios roms for dgpu boards
command: | command: |
echo skipping for now
exit 0
./blobs/xx30/vbios_t530.sh ./blobs/xx30/vbios_t530.sh
- run: - run:
name: Download and extract w530 vbios roms for dgpu boards name: Download and extract w530 vbios roms for dgpu boards
command: | command: |
echo skipping for now
exit 0
./blobs/xx30/vbios_w530.sh ./blobs/xx30/vbios_w530.sh
- persist_to_workspace: - persist_to_workspace:
root: ~/ root: ~/heads
paths: paths:
- . - .
build_and_persist: build_and_persist:
docker: docker:
- image: debian:11 - image: tlaurion/heads-dev-env:v0.1.4
resource_class: large resource_class: large
working_directory: ~/heads working_directory: ~/heads
parameters: parameters:
@ -131,22 +124,22 @@ jobs:
type: string type: string
steps: steps:
- attach_workspace: - attach_workspace:
at: ~/ at: ~/heads
- build_board: - build_board:
arch: <<parameters.arch>> arch: <<parameters.arch>>
target: <<parameters.target>> target: <<parameters.target>>
subcommand: <<parameters.subcommand>> subcommand: <<parameters.subcommand>>
- persist_to_workspace: - persist_to_workspace:
root: ~/ root: ~/heads
paths: paths:
- heads/packages/<<parameters.arch>> - packages/<<parameters.arch>>
- heads/build/<<parameters.arch>> - build/<<parameters.arch>>
- heads/crossgcc/<<parameters.arch>> - crossgcc/<<parameters.arch>>
- heads/install/<<parameters.arch>> - install/<<parameters.arch>>
build: build:
docker: docker:
- image: debian:11 - image: tlaurion/heads-dev-env:v0.1.4
resource_class: large resource_class: large
working_directory: ~/heads working_directory: ~/heads
parameters: parameters:
@ -159,7 +152,7 @@ jobs:
type: string type: string
steps: steps:
- attach_workspace: - attach_workspace:
at: ~/ at: ~/heads
- build_board: - build_board:
arch: <<parameters.arch>> arch: <<parameters.arch>>
target: <<parameters.target>> target: <<parameters.target>>
@ -167,47 +160,47 @@ jobs:
save_cache: save_cache:
docker: docker:
- image: debian:11 - image: tlaurion/heads-dev-env:v0.1.4
resource_class: large resource_class: large
working_directory: ~/heads working_directory: ~/heads
steps: steps:
- attach_workspace: - attach_workspace:
at: ~/ at: ~/heads
- save_cache: - save_cache:
#Generate cache for the same musl-cross module definition if hash is not previously existing # Generate cache for the same musl-cross module definition if hash is not previously existing
#CircleCI removed their wildcard support, so we have to list precise versions to cache in directory names # CircleCI removed their wildcard support, so we have to list precise versions to cache in directory names
key: heads-musl-cross-{{ checksum "./tmpDir/musl-cross.sha256sums" }}{{ .Environment.CACHE_VERSION }} key: nix-docker-heads-musl-cross-{{ checksum "./tmpDir/musl-cross.sha256sums" }}{{ .Environment.CACHE_VERSION }}
paths: paths:
- crossgcc
- build/x86/musl-cross-38e52db8358c043ae82b346a2e6e66bc86a53bc1
- build/ppc64/musl-cross-38e52db8358c043ae82b346a2e6e66bc86a53bc1 - build/ppc64/musl-cross-38e52db8358c043ae82b346a2e6e66bc86a53bc1
- build/x86/musl-cross-38e52db8358c043ae82b346a2e6e66bc86a53bc1
- crossgcc
- packages - packages
- save_cache: - save_cache:
#Generate cache for the same coreboot mnd musl-cross-make modules definition if hash is not previously existing # Generate cache for the same coreboot mnd musl-cross-make modules definition if hash is not previously existing
#CircleCI removed their wildcard support, so we have to list precise versions to cache in directory names # CircleCI removed their wildcard support, so we have to list precise versions to cache in directory names
key: heads-coreboot-musl-cross-{{ checksum "./tmpDir/coreboot_musl-cross.sha256sums" }}{{ .Environment.CACHE_VERSION }} key: nix-docker-heads-coreboot-musl-cross-{{ checksum "./tmpDir/coreboot_musl-cross.sha256sums" }}{{ .Environment.CACHE_VERSION }}
paths: paths:
- crossgcc - build/ppc64/coreboot-talos_2
- build/x86/musl-cross-38e52db8358c043ae82b346a2e6e66bc86a53bc1
- build/ppc64/musl-cross-38e52db8358c043ae82b346a2e6e66bc86a53bc1 - build/ppc64/musl-cross-38e52db8358c043ae82b346a2e6e66bc86a53bc1
- packages
- build/x86/coreboot-4.11 - build/x86/coreboot-4.11
- build/x86/coreboot-4.13 - build/x86/coreboot-4.13
- build/x86/coreboot-4.14 - build/x86/coreboot-4.14
- build/x86/coreboot-4.15 - build/x86/coreboot-4.15
- build/x86/coreboot-4.17 - build/x86/coreboot-4.17
- build/x86/coreboot-4.22.01 - build/x86/coreboot-4.22.01
- build/x86/coreboot-purism
- build/x86/coreboot-nitrokey - build/x86/coreboot-nitrokey
- build/ppc64/coreboot-talos_2 - build/x86/coreboot-purism
- build/x86/musl-cross-38e52db8358c043ae82b346a2e6e66bc86a53bc1
- crossgcc
- packages
- save_cache: - save_cache:
#Generate cache for the exact same modules definitions if hash is not previously existing #Generate cache for the exact same modules definitions if hash is not previously existing
key: heads-modules-and-patches-{{ checksum "./tmpDir/all_modules_and_patches.sha256sums" }}{{ .Environment.CACHE_VERSION }} key: nix-docker-heads-modules-and-patches-{{ checksum "./tmpDir/all_modules_and_patches.sha256sums" }}{{ .Environment.CACHE_VERSION }}
paths: paths:
- crossgcc
- build - build
- packages - crossgcc
- install - install
- packages
workflows: workflows:
version: 2 version: 2
@ -215,9 +208,8 @@ workflows:
jobs: jobs:
- prep_env - prep_env
# Below, sequentially build one board for each coreboot # Below, sequentially build one board for each coreboot version.
# version. The last board in the sequence is the dependency # The last board in the sequence is the dependency for the parallel boards built at the end, and also save_cache.
# for the parallel boards built at the end, and also save_cache.
# coreboot 4.22.01 # coreboot 4.22.01
- build_and_persist: - build_and_persist:
@ -227,7 +219,7 @@ workflows:
requires: requires:
- prep_env - prep_env
# coreboot-git librems # coreboot purism
- build_and_persist: - build_and_persist:
name: librem_14 name: librem_14
target: librem_14 target: librem_14
@ -235,10 +227,11 @@ workflows:
requires: requires:
- x230-hotp-maximized - x230-hotp-maximized
# coreboot-git Nitropads depending on x230-hotp-maximized cache # coreboot nitropad
# since kernel is 6.x and coreboot is git is unshared # Nitropads depending on x230-hotp-maximized cache since kernel is 6.x and coreboot is git is unshared
# We use nitropad's coreboot's fork crossgcc # We use nitropad's coreboot's fork crossgcc
# No need to wait further for other board's cache. # No need to wait further for other board's cache
# We reuse built modules from x230-hotp-maximized cache only
- build_and_persist: - build_and_persist:
name: nitropad-nv41 name: nitropad-nv41
target: nitropad-nv41 target: nitropad-nv41
@ -246,7 +239,7 @@ workflows:
requires: requires:
- prep_env - prep_env
# coreboot-git Talos II (PPC) # coreboot talos_2
- build_and_persist: - build_and_persist:
name: talos-2 name: talos-2
arch: ppc64 arch: ppc64
@ -255,18 +248,26 @@ workflows:
requires: requires:
- prep_env - prep_env
#Cache one workspace per architecture. Make sure workspace caches are chainloaded and the last in chain for an arch is saved. # coreboot 4.11
- build_and_persist:
name: UNMAINTAINED_kgpe-d16_workstation
target: UNMAINTAINED_kgpe-d16_workstation
subcommand: ""
requires:
- prep_env
# Cache one workspace per architecture
# Make sure workspace caches are chainloaded and the last in chain for an arch is saved
- save_cache: - save_cache:
requires: requires:
- talos-2 - talos-2
- librem_14 - librem_14
# #
# Those onboarding new boards should add their entries below. # Those onboarding new boards should add their entries below.
# #
#
#Coreboot 4.22.01 boards # coreboot 4.22.01 boards
- build: - build:
name: x220-hotp-maximized name: x220-hotp-maximized
target: x220-hotp-maximized target: x220-hotp-maximized
@ -421,7 +422,8 @@ workflows:
requires: requires:
- x230-hotp-maximized - x230-hotp-maximized
#coreboot-git librem boards # coreboot purism
# librem boards
- build: - build:
name: librem_13v2 name: librem_13v2
target: librem_13v2 target: librem_13v2
@ -464,7 +466,7 @@ workflows:
requires: requires:
- librem_14 - librem_14
#coreboot-git dasharo clevo_release + staging IASL patch # dasharo release
- build: - build:
name: nitropad-ns50 name: nitropad-ns50
target: nitropad-ns50 target: nitropad-ns50
@ -472,6 +474,30 @@ workflows:
requires: requires:
- nitropad-nv41 - nitropad-nv41
# coreboot 4.11
- build:
name: UNMAINTAINED_kgpe-d16_workstation-usb_keyboard
target: UNMAINTAINED_kgpe-d16_workstation-usb_keyboard
subcommand: ""
requires:
- UNMAINTAINED_kgpe-d16_workstation
# coreboot 4.11
- build:
name: UNMAINTAINED_kgpe-d16_server
target: UNMAINTAINED_kgpe-d16_server
subcommand: ""
requires:
- UNMAINTAINED_kgpe-d16_workstation
# coreboot 4.11
- build:
name: UNMAINTAINED_kgpe-d16_server-whiptail
target: UNMAINTAINED_kgpe-d16_server-whiptail
subcommand: ""
requires:
- UNMAINTAINED_kgpe-d16_workstation
# - build: # - build:
# name: UNMAINTAINED_kgpe-d16_workstation-usb_keyboard # name: UNMAINTAINED_kgpe-d16_workstation-usb_keyboard
# target: UNMAINTAINED_kgpe-d16_workstation-usb_keyboard # target: UNMAINTAINED_kgpe-d16_workstation-usb_keyboard
@ -499,34 +525,3 @@ workflows:
# subcommand: "" # subcommand: ""
# requires: # requires:
# - librem_14 # - librem_14
########################
########################
### OLD STUFF ###
########################
########################
# linuxboot steps need something to pass in the kernel header path
# skipping for now
# - run:
# name: UNMAINTAINED_qemu-linuxboot-edk2
# command: |
# ./build/make-4.2.1/make \
# CROSS=/cross/bin/x86_64-linux-musl- \
# BOARD=UNMAINTAINED_qemu-linuxboot \
# `/bin/pwd`/build/linuxboot-git/build/qemu/.configured \
# # Run first to avoid too many processes
#
# - run:
# name: UNMAINTAINED_qemu-linuxboot
# command: |
# ./build/make-4.2.1/make \
# CROSS=/cross/bin/x86_64-linux-musl- \
# CPUS=16 \
# V=1 \
# BOARD=UNMAINTAINED_qemu-linuxboot \
#
# - store-artifacts:
# path: build/UNMAINTAINED_qemu-linuxboot/linuxboot.rom
# - store-artifacts:
# path: build/UNMAINTAINED_qemu-linuxboot/hashes.txt
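Review bot: The four `image: tlaurion/heads-dev-env:v0.1.4` lines (jobs prep_env, build_and_persist, build and save_cache) select the build container by a mutable Docker Hub tag, so the toolchain that produces every ROM can change without any change in this repository. For a pipeline whose stated goal is reproducible firmware, pin the image by content digest instead, e.g. `image: tlaurion/heads-dev-env@sha256:<digest-of-v0.1.4>` (placeholder; take the value from the published image), and keep the tag in a comment for readability. Because `.circleci/config.yml` is now an input to all three cache digests, changing the pin would also invalidate caches built with the previous image, which is the behaviour you want.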

1
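--- a/.envrc
+++ b/.envrc
@@ -0,0 +1 @@
+has nix && use flake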

40
.gitignore vendored

@ -1,25 +1,25 @@
.*.sw* *.bad
*.xz
*.bz2 *.bz2
*.gz
*.sign
*.rom
*.o
*.gz
*.tgz
*.img
*.rom
*.cpio *.cpio
typescript*
config/*.old
*.log
*~
crossgcc
clean
*.sec
*.dep *.dep
*.ffs *.ffs
*.vol
*.lz
*.fv *.fv
*.bad *.gz
*.img
*.log
*.lz
*.o
*.rom
*.sec
*.sign
*.tgz
*.vol
*.xz
*~
.*.sw*
/.direnv
clean
config/*.old
crossgcc
typescript*
result


@ -25,11 +25,48 @@ INSTALL = $(pwd)/install/$(CONFIG_TARGET_ARCH)
log_dir = $(build)/log log_dir = $(build)/log
board_build = $(build)/$(BOARD) board_build = $(build)/$(BOARD)
# Controls how many parallel jobs are invoked in subshells
CPUS ?= $(shell nproc)
MAKE_JOBS ?= -j$(CPUS) --max-load 16
WGET ?= wget # Estimated memory required per job in GB (e.g., 1GB for gcc)
MEM_PER_JOB_GB ?= 1
# Controls how many parallel jobs are invoked in subshells
CPUS ?= $(shell nproc)
AVAILABLE_MEM_GB ?= $(shell cat /proc/meminfo | grep MemAvailable | awk '{print int($$2 / 1024)}')
# Calculate the maximum number of jobs based on available memory
MAX_JOBS_MEM := $(shell echo $$(( $(AVAILABLE_MEM_GB) / $(MEM_PER_JOB_GB) )))
# Use the minimum of the system's CPUs and the calculated max jobs based on memory
CPUS := $(shell echo $$(($(CPUS) < $(MAX_JOBS_MEM) ? $(CPUS) : $(MAX_JOBS_MEM))))
# Load average can be adjusted to be higher than CPUS to allow for some CPU overcommit
# Multiply by 3 and then divide by 2 to achieve the effect of multiplying by 1.5 using integer arithmetic
LOADAVG ?= $(shell echo $$(( ($(CPUS) * 3) / 2 )))
# Construct MAKE_JOBS with dynamic CPU count and load average
MAKE_JOBS := -j$(CPUS) --load-average=$(LOADAVG) # Add other flags as needed to be more adaptive to CIs
# Print out the settings and compare system values with actual ones used
$(info ----------------------------------------------------------------------)
$(info !!!!!! BUILD SYSTEM INFO !!!!!!)
$(info System CPUS: $(shell nproc))
$(info System Available Memory: $(AVAILABLE_MEM_GB) GB)
$(info System Load Average: $(shell uptime | awk '{print $$10}'))
$(info ----------------------------------------------------------------------)
$(info Used **CPUS**: $(CPUS))
$(info Used **LOADAVG**: $(LOADAVG))
$(info Used **AVAILABLE_MEM_GB**: $(AVAILABLE_MEM_GB) GB)
$(info ----------------------------------------------------------------------)
$(info **MAKE_JOBS**: $(MAKE_JOBS))
$(info )
$(info Variables available for override (use 'make VAR_NAME=value'):)
$(info **CPUS** (default: number of processors, e.g., 'make CPUS=4'))
$(info **LOADAVG** (default: 1.5 times CPUS, e.g., 'make LOADAVG=54'))
$(info **AVAILABLE_MEM_GB** (default: memory available on the system in GB, e.g., 'make AVAILABLE_MEM_GB=4'))
$(info **MEM_PER_JOB_GB** (default: 1GB per job, e.g., 'make MEM_PER_JOB_GB=2'))
$(info ----------------------------------------------------------------------)
$(info !!!!!! Build starts !!!!!!)
# Timestamps should be in ISO format # Timestamps should be in ISO format
DATE=`date --rfc-3339=seconds` DATE=`date --rfc-3339=seconds`
@ -162,6 +199,7 @@ heads_cc := $(CROSS)gcc \
-fdebug-prefix-map=$(pwd)=heads \ -fdebug-prefix-map=$(pwd)=heads \
-gno-record-gcc-switches \ -gno-record-gcc-switches \
-D__MUSL__ \ -D__MUSL__ \
--sysroot $(INSTALL) \
-isystem $(INSTALL)/include \ -isystem $(INSTALL)/include \
-L$(INSTALL)/lib \ -L$(INSTALL)/lib \
@ -230,12 +268,10 @@ all payload:
FORCE: FORCE:
# Copies config while replacing predefined placeholders with actual values # Copies config while replacing predefined placeholders with actual values
# This is used in a command like 'this && $(call install_config ...) && that'
# so it needs to evaluate to a shell command.
define install_config = define install_config =
sed -e 's!@BOARD_BUILD_DIR@!$(board_build)!g' \ $(pwd)/bin/prepare_module_config.sh "$1" "$2" "$(board_build)" "$(BRAND_NAME)"
-e 's!@BLOB_DIR@!$(pwd)/blobs!g' \
-e 's!@BRAND_DIR@!$(pwd)/branding/$(BRAND_NAME)!g' \
-e 's!@BRAND_NAME@!$(BRAND_NAME)!g' \
"$1" > "$2"
endef endef
# Make helpers to operate on lists of things # Make helpers to operate on lists of things
@ -783,6 +819,8 @@ $(board_build)/$(CB_OUTPUT_BASENAME)-gpg-injected.rom: $(board_build)/$(CB_OUTPU
./bin/inject_gpg_key.sh --cbfstool "$(build)/$(coreboot_dir)/cbfstool" \ ./bin/inject_gpg_key.sh --cbfstool "$(build)/$(coreboot_dir)/cbfstool" \
"$(board_build)/$(CB_OUTPUT_FILE_GPG_INJ)" "$(PUBKEY_ASC)" "$(board_build)/$(CB_OUTPUT_FILE_GPG_INJ)" "$(PUBKEY_ASC)"
#Dev cycles helpers:
real.clean: real.clean:
for dir in \ for dir in \
$(module_dirs) \ $(module_dirs) \
@ -794,4 +832,28 @@ real.clean:
done done
cd install && rm -rf -- * cd install && rm -rf -- *
real.gitclean: real.gitclean:
@echo "Cleaning the repository using Git ignore file as a base..."
@echo "This will wipe everything not in the Git tree, but keep downloaded coreboot forks (detected as Git repos)."
git clean -fxd git clean -fxd
real.gitclean_keep_packages:
@echo "Cleaning the repository using Git ignore file as a base..."
@echo "This will wipe everything not in the Git tree, but keep the 'packages' directory."
git clean -fxd -e "packages"
real.remove_canary_files-extract_patch_rebuild_what_changed:
@echo "Removing 'canary' files to force Heads to restart building board configurations..."
@echo "This will check package integrity, extract them, redo patching on files, and rebuild what needs to be rebuilt."
@echo "It will also reinstall the necessary files under './install'."
@echo "Limitations: If a patch creates a file in an extracted package directory, this approach may fail without further manual actions."
@echo "In such cases, Git will inform you about the file that couldn't be created as expected. Simply delete those files and relaunch the build."
@echo "This approach economizes time since most build artifacts do not need to be rebuilt, as the file dates should be the same as when you originally built them."
@echo "Only a minimal time is needed for rebuilding, which is also good for your SSD."
@echo "*** USE THIS APPROACH FIRST ***"
find ./build/ -type f -name ".canary" -print -delete
find ./install/*/* -print -exec rm -rf {} +
real.gitclean_keep_packages_and_build:
@echo "Cleaning the repository using Git ignore file as a base..."
@echo "This will wipe everything not in the Git tree, but keep the 'packages' and 'build' directories."
git clean -fxd -e "packages" -e "build"
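Review bot: `AVAILABLE_MEM_GB` is computed as `int($$2 / 1024)` from the `MemAvailable` line of /proc/meminfo, which the kernel reports in kB, so the value is in MB rather than GB; `MAX_JOBS_MEM` then comes out roughly a thousand times too large and the memory cap on `CPUS` never applies. Dividing twice fixes the unit: `AVAILABLE_MEM_GB ?= $(shell awk '/MemAvailable/ {print int($$2 / 1024 / 1024)}' /proc/meminfo)`. Once the unit is right, a host with less than `MEM_PER_JOB_GB` available gives `MAX_JOBS_MEM` of 0 and therefore `-j0`, so the computed `CPUS` should be clamped to at least 1. The `System Load Average` info line reads field 10 of `uptime`, whose position shifts with uptime and user count; the first field of /proc/loadavg would be stable.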


@ -28,8 +28,87 @@ Please refer to [Heads-wiki](https://osresearch.net) for your Heads' documentati
Building heads Building heads
=== ===
Under QubesOS?
====
* Setup nix persistent layer under QubesOS (Thanks @rapenne-s !)
* https://dataswamp.org/~solene/2023-05-15-qubes-os-install-nix.html
* Install docker under QubesOS (imperfect old article of mine. Better somewhere?)
* https://gist.github.com/tlaurion/9113983bbdead492735c8438cd14d6cd
Build docker from nix develop layer locally
====
#### Set up Nix and flakes
* If you don't already have Nix, install it:
* `[ -d /nix ] || sh <(curl -L https://nixos.org/nix/install) --no-daemon`
* `. /home/user/.nix-profile/etc/profile.d/nix.sh`
* Enable flake support in nix
* `mkdir -p ~/.config/nix`
* `echo 'experimental-features = nix-command flakes' >>~/.config/nix/nix.conf`
#### Build image
* Build nix developer local environment with flakes locked to specified versions
* `nix --print-build-logs --verbose develop --ignore-environment --command true`
* Build docker image with current develop created environment (this will take a while and create "linuxboot/heads:dev-env" local docker image:
* `nix build .#dockerImage && docker load < result`
Done!
Your local docker image "linuxboot/heads:dev-env" is ready to use, reproducible for the specific Heads commit used and will produce ROMs reproducible for that Heads commit ID.
Jump into nix develop created docker image for interactive workflow
=====
`docker run -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) linuxboot/heads:dev-env`
From there you can use the docker image interactively.
`make BOARD=board_name` where board_name is the name of the board directory under `./boards` directory. `make BOARD=board_name` where board_name is the name of the board directory under `./boards` directory.
One such useful example is to build and test qemu board roms and test them through qemu/kvm/swtpm provided in the docker image.
Please refer to [qemu documentation](targets/qemu.md) for more information.
Eg:
```
make BOARD=qemu-coreboot-fbwhiptail-tpm2 # Build rom, export public key to emulated usb storage from qemu runtime
make BOARD=qemu-coreboot-fbwhiptail-tpm2 PUBKEY_ASC=~/pubkey.asc inject_gpg # Inject pubkey into rom image
make BOARD=qemu-coreboot-fbwhiptail-tpm2 USB_TOKEN=Nitrokey3NFC PUBKEY_ASC=~/pubkey.asc ROOT_DISK_IMG=~/qemu-disks/debian-9.cow2 INSTALL_IMG=~/Downloads/debian-9.13.0-amd64-xfce-CD-1.iso run # Install
```
Alternatively, you can use locally built docker image to build a board ROM image in a single call.
Eg:
`docker run -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) linuxboot/heads:dev-env -- make BOARD=nitropad-nv41`
Pull docker hub image to prepare reproducible ROMs as CircleCI in one call
====
```
docker run -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) tlaurion/heads-dev-env:latest -- make BOARD=x230-hotp-maximized
docker run -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) tlaurion/heads-dev-env:latest -- make BOARD=nitropad-nv41
```
Maintenance notes on docker image
===
Redo the steps above in case the flake.nix or nix.lock changes. Then publish on docker hub:
```
docker tag tlaurion/heads-dev-env:vx.y.z tlaurion/heads-dev-env:latest
docker push tlaurion/heads-dev-env:latest
```
Notes:
- Local builds can use ":latest" tag, which will use latest tested successful CircleCI run
- To reproduce CirlceCI results, make sure to use the same versioned tag declared under .circleci/config.yml's "image:"
General notes on reproducible builds
===
In order to build reproducible firmware images, Heads builds a specific In order to build reproducible firmware images, Heads builds a specific
version of gcc and uses it to compile the Linux kernel and various tools version of gcc and uses it to compile the Linux kernel and various tools
that go into the initrd. Unfortunately this means the first step is a that go into the initrd. Unfortunately this means the first step is a


@ -1,4 +1,4 @@
#!/usr/bin/perl #!/usr/bin/env perl
# Clean all non-deterministric fields in a newc cpio file # Clean all non-deterministric fields in a newc cpio file
# #
# Items fixed: # Items fixed:

27
bin/prepare_module_config.sh Executable file

@ -0,0 +1,27 @@
#! /usr/bin/env bash
TEMPLATE="$1"
RESULT="$2"
BOARD_BUILD="$3"
BRAND_NAME="$4"
repo="$(realpath "$(dirname "${BASH_SOURCE[0]}")/..")"
# For both coreboot and Linux, the config file is in a board-
# specific build directory, but the build occurs from the
# parent of that directory.
module_dir="$(realpath "$(dirname "$2")/..")"
# Use relative paths since the config may be part of the ROM
# artifacts, and relative paths won't depend on the workspace
# absolute path.
board_build_rel="$(realpath --relative-to "$module_dir" "$BOARD_BUILD")"
repo_rel="$(realpath --relative-to "$module_dir" "$repo")"
echo "board_build_rel=$board_build_rel"
echo "repo_rel=$repo_rel"
sed -e "s!@BOARD_BUILD_DIR@!${board_build_rel}!g" \
-e "s!@BLOB_DIR@!${repo_rel}/blobs!g" \
-e "s!@BRAND_DIR@!${repo_rel}/branding/$BRAND_NAME!g" \
-e "s!@BRAND_NAME@!$BRAND_NAME!g" \
"$TEMPLATE" > "$RESULT"
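Review bot: The script has no `set -euo pipefail` and never checks that its four arguments are present, so a failing `realpath` (for example when a parent of `$BOARD_BUILD` does not exist) leaves `board_build_rel` or `repo_rel` empty while `sed` still writes a config with empty paths and the script exits 0. The Makefile's `install_config` now calls this script from recipes, and a build would then continue with a broken config; adding `set -euo pipefail` directly after the shebang makes the failure stop it. The values are also spliced into the `sed` replacement unescaped, so a `!`, `&` or backslash in `BRAND_NAME` or in a path would alter the substitution; rejecting those characters up front would be enough. `module_dir` is derived from `"$2"` although `RESULT` was just assigned from it, which is worth making consistent.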


@ -1,4 +1,4 @@
#!/usr/bin/perl #!/usr/bin/env perl
# Generate dm-verity hashes and sign the root hash # Generate dm-verity hashes and sign the root hash
# #
# Output looks like # Output looks like

1
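--- a/blobs/haswell/.gitignore
+++ b/blobs/haswell/.gitignore
@@ -0,0 +1 @@
+mrc.bin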


@ -1,4 +1,4 @@
#!/bin/bash #!/usr/bin/env bash
set -e set -e


@ -1,4 +1,4 @@
#!/bin/bash #!/usr/bin/env bash
# P7 ASUS # P7 ASUS
function printusage { function printusage {


@ -1,4 +1,4 @@
#!/bin/bash #!/usr/bin/env bash
function printusage { function printusage {
echo "Usage: $0 -f <romdump> -m <me_cleaner>(optional) -i <ifdtool>(optional)" echo "Usage: $0 -f <romdump> -m <me_cleaner>(optional) -i <ifdtool>(optional)"

1
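--- a/blobs/t440p/.gitignore
+++ b/blobs/t440p/.gitignore
@@ -0,0 +1 @@
+me.bin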


@ -1,4 +1,4 @@
#!/bin/bash #!/usr/bin/env bash
set -e set -e


@ -1,4 +1,4 @@
#!/bin/bash #!/usr/bin/env bash
set -e set -e

1
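--- a/blobs/w541/.gitignore
+++ b/blobs/w541/.gitignore
@@ -0,0 +1 @@
+me.bin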


@ -1,4 +1,4 @@
#!/bin/bash #!/usr/bin/env bash
set -e set -e


@ -1,4 +1,4 @@
#!/bin/bash #!/usr/bin/env bash
set -e set -e


@ -1,4 +1,4 @@
#!/bin/bash #!/usr/bin/env bash
function printusage { function printusage {
echo "Usage: $0 -f <romdump> -m <me_cleaner>(optional) -i <ifdtool>(optional)" echo "Usage: $0 -f <romdump> -m <me_cleaner>(optional) -i <ifdtool>(optional)"

1
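--- a/blobs/xx20/.gitignore
+++ b/blobs/xx20/.gitignore
@@ -0,0 +1 @@
+me.bin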


@ -1,4 +1,4 @@
#!/bin/bash #!/usr/bin/env bash
BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"


@ -1,4 +1,4 @@
#!/usr/bin/python #!/usr/bin/env python
"""ME7 Update binary parser.""" """ME7 Update binary parser."""

1
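--- a/blobs/xx30/.gitignore
+++ b/blobs/xx30/.gitignore
@@ -0,0 +1 @@
+me.bin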


@ -1,4 +1,4 @@
#!/bin/bash #!/usr/bin/env bash
function printusage { function printusage {
echo "Usage: $0 -m <me_cleaner>(optional)" echo "Usage: $0 -m <me_cleaner>(optional)"


@ -1,4 +1,4 @@
#!/bin/bash #!/usr/bin/env bash
function printusage { function printusage {
echo "Usage: $0 -m <me_cleaner>(optional)" echo "Usage: $0 -m <me_cleaner>(optional)"


@ -1,4 +1,4 @@
#!/bin/bash #!/usr/bin/env bash
function printusage { function printusage {
echo "Usage: $0 -f <romdump> -m <me_cleaner>(optional) -i <ifdtool>(optional)" echo "Usage: $0 -f <romdump> -m <me_cleaner>(optional) -i <ifdtool>(optional)"


@ -1,4 +1,4 @@
#!/usr/bin/python #!/usr/bin/env python
# me_cleaner - Tool for partial deblobbing of Intel ME/TXE firmware images # me_cleaner - Tool for partial deblobbing of Intel ME/TXE firmware images
# Copyright (C) 2016-2018 Nicola Corna <nicola@corna.info> # Copyright (C) 2016-2018 Nicola Corna <nicola@corna.info>


@ -1,4 +1,4 @@
#!/bin/bash #!/usr/bin/env bash
BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
ROMPARSER="94a615302f89b94e70446270197e0f5138d678f3" ROMPARSER="94a615302f89b94e70446270197e0f5138d678f3"


@ -1,4 +1,4 @@
#!/bin/bash #!/usr/bin/env bash
BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
ROMPARSER="94a615302f89b94e70446270197e0f5138d678f3" ROMPARSER="94a615302f89b94e70446270197e0f5138d678f3"

2
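--- a/blobs/z220/.gitignore
+++ b/blobs/z220/.gitignore
@@ -0,0 +1,2 @@
+ifd.bin
+me.bin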


@ -1,4 +1,5 @@
#!/bin/bash #!/usr/bin/env bash
# Z220 CMT HP # Z220 CMT HP
function printusage { function printusage {

61
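--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,61 @@
+{
+"nodes": {
+"flake-utils": {
+"inputs": {
+"systems": "systems"
+},
+"locked": {
+"lastModified": 1710146030,
+"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+"owner": "numtide",
+"repo": "flake-utils",
+"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+"type": "github"
+},
+"original": {
+"owner": "numtide",
+"repo": "flake-utils",
+"type": "github"
+}
+},
+"nixpkgs": {
+"locked": {
+"lastModified": 1711703276,
+"narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=",
+"owner": "nixos",
+"repo": "nixpkgs",
+"rev": "d8fe5e6c92d0d190646fb9f1056741a229980089",
+"type": "github"
+},
+"original": {
+"owner": "nixos",
+"ref": "nixos-unstable",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"root": {
+"inputs": {
+"flake-utils": "flake-utils",
+"nixpkgs": "nixpkgs"
+}
+},
+"systems": {
+"locked": {
+"lastModified": 1681028828,
+"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+"owner": "nix-systems",
+"repo": "default",
+"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+"type": "github"
+},
+"original": {
+"owner": "nix-systems",
+"repo": "default",
+"type": "github"
+}
+}
+},
+"root": "root",
+"version": 7
+}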

152
flake.nix Normal file

@ -0,0 +1,152 @@
{
description = "Optimized heads flake for Docker image with garbage collection protection";
# Inputs define external dependencies and their sources.
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; # Using the unstable channel for the latest packages, while flake.lock fixates the commit reused until changed.
flake-utils.url = "github:numtide/flake-utils"; # Utilities for flake functionality.
};
# Outputs are the result of the flake, including the development environment and Docker image.
outputs = {
self,
flake-utils,
nixpkgs,
...
}:
flake-utils.lib.eachDefaultSystem (system: let
pkgs = nixpkgs.legacyPackages.${system}; # Accessing the legacy package set.
lib = pkgs.lib; # The standard Nix packages library.
# Dependencies are the packages required for the Heads project.
# Organized into subsets for clarity and maintainability.
deps = with pkgs; [
# Core build utilities
autoconf
automake
bashInteractive
coreutils
bc
bison # Generate flashmap descriptor parser
bzip2
cacert
ccache
cmake
cpio
curl
diffutils
dtc
e2fsprogs
elfutils
findutils
flex
gawk
git
gnat
gnugrep
gnumake
gnused
gnutar
gzip
imagemagick # For bootsplash manipulation.
innoextract # ROM extraction for dGPU.
libtool
m4
ncurses5 # make menuconfig and slang
openssl #needed for talos-2 kernel build
parted
patch
perl
pkg-config
python3 # me_cleaner, coreboot.
rsync # coreboot.
sharutils
texinfo
unzip
wget
which
xz
zip
zlib
zlib.dev
] ++ [
# Packages for qemu support with Canokey integration.
#qemu_full #Heavier but contains qemu-img, kvm and everything else needed to do development cycles under docker
qemu # To test make BOARD=qemu-coreboot-* boards and then call make BOARD=qemu-coreboot-* with inject_gpg statement, and then run statement.
qemu_kvm # kvm additional support for qemu without all the qemu-img and everything else under qemu_full
#
# TODO: make work qemu-canokey not existing in caches:
# Below are overrides to make canokey-qemu library availabe to qemu built derivative through override)
#canokey doesn't work still even if compiled in, so no reason to add 1Gb of stuff in the image (qemu -device canokey not exposed even if configured in)
#canokey-qemu # Canokey lib for qemu build-time compilation.
#(qemu.override {
# canokeySupport = true; # This override enables Canokey support in QEMU, resulting in -device canokey being available.
#})
] ++ [
# Additional tools for debugging/editing/testing.
vim # Mostly used amongst us, sorry if you'd like something else, open issue.
swtpm # QEMU requirement to emulate tpm1/tpm2.
dosfstools # QEMU requirement to produce valid fs to store exported public key to be fused through inject_key on qemu (so qemu flashrom emulated SPI support).
] ++ [
# Tools for handling binary blobs in their compressed state. (blobs/xx30/vbios_[tw]530.sh)
bundler
p7zip
ruby
sudo # ( °-° )
upx
];
in {
# The development shell includes all the dependencies.
devShell = pkgs.mkShellNoCC {
buildInputs = deps;
};
# myDevShell outputs environment variables necessary for development.
packages.myDevShell =
pkgs.runCommand "my-dev-shell" {}
#bash
''
grep \
-e CMAKE_PREFIX_PATH \
-e NIX_CC_WRAPPER_TARGET_TARGET \
-e NIX_CFLAGS_COMPILE_FOR_TARGET \
-e NIX_LDFLAGS_FOR_TARGET \
-e PKG_CONFIG_PATH_FOR_TARGET \
-e ACLOCAL_PATH \
${self.devShell.${system}} >$out
'';
# Docker image configuration for the Heads project.
packages.dockerImage = pkgs.dockerTools.buildLayeredImage {
name = "linuxboot/heads";
tag = "dev-env";
config.Entrypoint = ["bash" "-c" ''source /devenv.sh; if (( $# == 0 )); then exec bash; else exec "$0" "$@"; fi''];
contents =
deps
++ [
pkgs.dockerTools.binSh
pkgs.dockerTools.caCertificates
pkgs.dockerTools.usrBinEnv
];
enableFakechroot = true;
fakeRootCommands =
#bash
''
set -e
# Environment setup for the development shell.
grep \
-e NIX_CC_WRAPPER_TARGET_TARGET \
-e NIX_CFLAGS_COMPILE_FOR_TARGET \
-e NIX_LDFLAGS_FOR_TARGET \
-e NIX_PKG_CONFIG_WRAPPER_TARGET \
-e PKG_CONFIG_PATH_FOR_TARGET \
-e ACLOCAL_PATH \
${self.devShell.${system}} >/devenv.sh
# Git configuration for safe directory access.
printf '[safe]\n\tdirectory = *\n' >/.gitconfig
mkdir /tmp; # Temporary directory for various operations.
'';
};
});
}
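Review bot: The `printf '[safe]\n\tdirectory = *\n' >/.gitconfig` line in `fakeRootCommands` switches off git's repository-ownership check for every path inside the image, and the comment above it does not say why the wildcard is needed. Presumably the checkout is bind-mounted and owned by a different uid than the container user; if so, record that in the comment, e.g. `# Checkout is bind-mounted with the host uid, so git would refuse it; the wildcard trusts every path in the container`. A narrower entry naming the expected mount point (`directory = <MOUNT_PATH>`, placeholder) would keep the check active for any other repository that ends up inside the container. That check is what stops git from acting on the config and hooks of a repository owned by someone else, so the image should be described as intended for building trusted trees only.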


@ -14,16 +14,16 @@ bash_configure := CFLAGS="-g0 -Os" LDFLAGS="-s" ./configure \
$(CROSS_TOOLS) \ $(CROSS_TOOLS) \
--host $(target) \ --host $(target) \
--prefix="/usr" \ --prefix="/usr" \
--enable-largefile \ --infodir=/usr/share/info \
--infodir=/usr/share/info \ --mandir=/usr/share/man \
--mandir=/usr/share/man \
--without-bash-malloc \
--disable-coprocesses \ --disable-coprocesses \
--enable-debugger \
--disable-net-redirections \ --disable-net-redirections \
--enable-single-help-strings \
--disable-nls \ --disable-nls \
--enable-debugger \
--enable-largefile \
--enable-readline \ --enable-readline \
--enable-single-help-strings \
--without-bash-malloc
bash_target := $(MAKE_JOBS) \ bash_target := $(MAKE_JOBS) \
&& $(MAKE) -C $(build)/$(bash_dir) \ && $(MAKE) -C $(build)/$(bash_dir) \


@ -12,10 +12,16 @@ cairo_configure := \
./configure \ ./configure \
--host $(MUSL_ARCH)-elf-linux \ --host $(MUSL_ARCH)-elf-linux \
--prefix="/" \ --prefix="/" \
--disable-xlib --disable-xcb --disable-pdf \ --disable-fc \
--disable-ps --disable-svg --disable-script \ --disable-ft \
--disable-ft --disable-fc --disable-pthread \
--disable-gobject \ --disable-gobject \
--disable-pdf \
--disable-ps \
--disable-pthread \
--disable-script \
--disable-svg \
--disable-xcb \
--disable-xlib \
&& sed \ && sed \
-e 's/^hardcode_libdir_flag_spec.*/hardcode_libdir_flag_spec=" -D__LIBTOOL_RPATH_DISABLE__ "/' \ -e 's/^hardcode_libdir_flag_spec.*/hardcode_libdir_flag_spec=" -D__LIBTOOL_RPATH_DISABLE__ "/' \
< libtool \ < libtool \


@ -16,8 +16,8 @@ cryptsetup2_configure := \
./configure \ ./configure \
--host $(MUSL_ARCH)-elf-linux \ --host $(MUSL_ARCH)-elf-linux \
--prefix "/" \ --prefix "/" \
--disable-rpath \
--disable-gcrypt-pbkdf2 \ --disable-gcrypt-pbkdf2 \
--disable-rpath \
--enable-cryptsetup-reencrypt \ --enable-cryptsetup-reencrypt \
--with-crypto_backend=kernel \ --with-crypto_backend=kernel \
--with-tmpfilesdir=$(INSTALL)/lib/tmpfiles.d --with-tmpfilesdir=$(INSTALL)/lib/tmpfiles.d


@ -11,8 +11,8 @@ dropbear_configure := ./configure \
$(CROSS_TOOLS) \ $(CROSS_TOOLS) \
--host $(MUSL_ARCH)-elf-linux \ --host $(MUSL_ARCH)-elf-linux \
--prefix "/" \ --prefix "/" \
--disable-syslog \
--disable-lastlog \ --disable-lastlog \
--disable-syslog \
--disable-utmp \ --disable-utmp \
--disable-utmpx \ --disable-utmpx \
--disable-wtmp \ --disable-wtmp \


@ -27,10 +27,13 @@ ifeq "$(CONFIG_FLASHROM_AST1100)" "y"
flashrom_cfg += CONFIG_AST1100=yes flashrom_cfg += CONFIG_AST1100=yes
endif endif
flashrom_target := \ flashrom_target := \
$(MAKE_JOBS) \ $(MAKE_JOBS) \
CFLAGS="-Os -I$(INSTALL)/include/pci" \
DESTDIR="$(INSTALL)" \
INSTALL="$(INSTALL)" \
LDFLAGS="-L$(INSTALL)/lib" \
PREFIX="$(INSTALL)" \
$(CROSS_TOOLS) \ $(CROSS_TOOLS) \
$(flashrom_cfg) \ $(flashrom_cfg) \
flashrom flashrom


@ -10,6 +10,7 @@ flashtools_hash := a68cdb4a2e312f96862119a6d829ac900b53d0cbc80caa5632efd43b5b7ee
flashtools_target := \ flashtools_target := \
$(CROSS_TOOLS) \ $(CROSS_TOOLS) \
$(MAKE_JOBS) \
CFLAGS="-Os -I$(INSTALL)/include" \ CFLAGS="-Os -I$(INSTALL)/include" \
LDFLAGS="-L$(INSTALL)/lib" \ LDFLAGS="-L$(INSTALL)/lib" \


@ -23,20 +23,20 @@ gpg_configure := \
./configure \ ./configure \
--build $(MUSL_ARCH)-elf-linux \ --build $(MUSL_ARCH)-elf-linux \
--host $(MUSL_ARCH)-linux-musl \ --host $(MUSL_ARCH)-linux-musl \
--with-libusb="$(INSTALL)" \
--prefix "/" \ --prefix "/" \
--enable-card-support \
--disable-bzip2 \
--disable-asm \ --disable-asm \
--disable-bzip2 \
--disable-dns-cert \
--disable-dns-srv \
--disable-exec \ --disable-exec \
--disable-photo-viewers \ --disable-finger \
--disable-hkp \
--disable-keyserver-helpers \ --disable-keyserver-helpers \
--disable-ldap \ --disable-ldap \
--disable-hkp \ --disable-photo-viewers \
--disable-finger \
--disable-dns-srv \
--disable-dns-cert \
--disable-regex \ --disable-regex \
--enable-card-support \
--with-libusb="$(INSTALL)" \
# Run one build to generate the executables with the pre-defined # Run one build to generate the executables with the pre-defined
# exec_prefix and datarootdir, then a second make to install the binaries # exec_prefix and datarootdir, then a second make to install the binaries


@ -1,10 +1,10 @@
modules-$(CONFIG_GPG2) += gpg2 modules-$(CONFIG_GPG2) += gpg2
gpg2_version := 2.4.0 gpg2_version := 2.4.2
gpg2_dir := gnupg-$(gpg2_version) gpg2_dir := gnupg-$(gpg2_version)
gpg2_tar := gnupg-$(gpg2_version).tar.bz2 gpg2_tar := gnupg-$(gpg2_version).tar.bz2
gpg2_url := https://www.gnupg.org/ftp/gcrypt/gnupg/$(gpg2_tar) gpg2_url := https://www.gnupg.org/ftp/gcrypt/gnupg/$(gpg2_tar)
gpg2_hash := 1d79158dd01d992431dd2e3facb89fdac97127f89784ea2cb610c600fb0c1483 gpg2_hash := 97eb47df8ae5a3ff744f868005a090da5ab45cb48ee9836dbf5ee739a4e5cf49
gpg2_depends := libgpg-error libgcrypt libksba libassuan npth libusb $(musl_dep) gpg2_depends := libgpg-error libgcrypt libksba libassuan npth libusb $(musl_dep)
# For reproducibility reasons we have to override the exec_prefix # For reproducibility reasons we have to override the exec_prefix
@ -18,35 +18,32 @@ gpg2_configure := \
./configure \ ./configure \
CPPFLAGS="-I$(INSTALL)/include/libusb-1.0" \ CPPFLAGS="-I$(INSTALL)/include/libusb-1.0" \
--host $(MUSL_ARCH)-linux-musl \ --host $(MUSL_ARCH)-linux-musl \
--with-libusb="$(INSTALL)" \
--with-gpg-error-prefix="$(INSTALL)" \
--with-libgcrypt-prefix="$(INSTALL)" \
--with-libassuan-prefix="$(INSTALL)" \
--with-ksba-prefix="$(INSTALL)" \
--with-npth-prefix="$(INSTALL)" \
--prefix "/" \ --prefix "/" \
--libexecdir "/bin" \ --libexecdir "/bin" \
--enable-scdaemon \
--enable-ccid-driver \
--disable-tofu \
--disable-rpath \
--disable-regex \
--disable-doc \
--disable-bzip2 \
--disable-exec \
--disable-photo-viewers \
--disable-ldap \
--disable-regex \
--disable-nls \
--disable-all-tests \ --disable-all-tests \
--disable-wks-tools \ --disable-bzip2 \
--disable-gnutls \
--disable-dirmngr \ --disable-dirmngr \
--disable-ntbtls \ --disable-doc \
--disable-libdns \ --disable-exec \
--disable-zip \ --disable-gnutls \
--disable-sqlite \
--disable-gpgsm \ --disable-gpgsm \
--disable-ldap \
--disable-libdns \
--disable-nls \
--disable-ntbtls \
--disable-photo-viewers \
--disable-rpath \
--disable-sqlite \
--disable-tofu \
--disable-wks-tools \
--disable-zip \
--enable-ccid-driver \
--enable-scdaemon \
--with-gpg-error-prefix="$(INSTALL)" \
--with-ksba-prefix="$(INSTALL)" \
--with-libassuan-prefix="$(INSTALL)" \
--with-libgcrypt-prefix="$(INSTALL)" \
--with-npth-prefix="$(INSTALL)" \
# Run one build to generate the executables with the pre-defined # Run one build to generate the executables with the pre-defined
# exec_prefix and datarootdir, then a second make to install the binaries # exec_prefix and datarootdir, then a second make to install the binaries


@ -8,8 +8,8 @@ ioport_hash := 7fac1c4b61eb9411275de0e1e7d7a8c3f34166f64f16413f50741e8fce2b8dc0
ioport_configure := CFLAGS=-Os ./configure \ ioport_configure := CFLAGS=-Os ./configure \
$(CROSS_TOOLS) \ $(CROSS_TOOLS) \
--host i386-elf-linux \
--prefix "/" \ --prefix "/" \
--host i386-elf-linux
ioport_target := \ ioport_target := \
$(MAKE_JOBS) $(CROSS_TOOLS) inb && \ $(MAKE_JOBS) $(CROSS_TOOLS) inb && \


@ -31,7 +31,7 @@ json-c_configure := \
cmake .. -DCMAKE_INSTALL_PREFIX="$(INSTALL)" -DCMAKE_TOOLCHAIN_FILE=../toolchain -DCMAKE_BUILD_TYPE=minsizerel cmake .. -DCMAKE_INSTALL_PREFIX="$(INSTALL)" -DCMAKE_TOOLCHAIN_FILE=../toolchain -DCMAKE_BUILD_TYPE=minsizerel
json-c_target := \ json-c_target := \
$(CROSS_TOOLS) -C $(build)/$(json-c_dir)/build \ $(CROSS_TOOLS) $(MAKE_JOBS) -C $(build)/$(json-c_dir)/build \
all install all install
json-c_libraries := build/libjson-c.so.5 json-c_libraries := build/libjson-c.so.5


@ -16,11 +16,11 @@ kbd_hash := aaed530a1490d63d041448372e2ad4f38c3179042903251000b71d527c46e945
kbd_configure := CFLAGS=-Os ./configure \ kbd_configure := CFLAGS=-Os ./configure \
$(CROSS_TOOLS) \ $(CROSS_TOOLS) \
--prefix "" \
--host i386-elf-linux \ --host i386-elf-linux \
--disable-optional-progs \ --prefix "" \
--disable-libkeymap \ --disable-libkeymap \
--disable-libkfont \ --disable-libkfont \
--disable-optional-progs \
--disable-vlock \ --disable-vlock \
kbd_target := \ kbd_target := \


@ -1,10 +1,10 @@
modules-$(CONFIG_GPG2) += libassuan modules-$(CONFIG_GPG2) += libassuan
libassuan_version := 2.5.5 libassuan_version := 2.5.6
libassuan_dir := libassuan-$(libassuan_version) libassuan_dir := libassuan-$(libassuan_version)
libassuan_tar := libassuan-$(libassuan_version).tar.bz2 libassuan_tar := libassuan-$(libassuan_version).tar.bz2
libassuan_url := https://gnupg.org/ftp/gcrypt/libassuan/$(libassuan_tar) libassuan_url := https://gnupg.org/ftp/gcrypt/libassuan/$(libassuan_tar)
libassuan_hash := 8e8c2fcc982f9ca67dcbb1d95e2dc746b1739a4668bc20b3a3c5be632edb34e4 libassuan_hash := e9fd27218d5394904e4e39788f9b1742711c3e6b41689a31aa3380bd5aa4f426
libassuan_configure := \ libassuan_configure := \
CFLAGS="-Os" \ CFLAGS="-Os" \
@ -12,9 +12,9 @@ libassuan_configure := \
./configure \ ./configure \
--host $(MUSL_ARCH)-linux-musl \ --host $(MUSL_ARCH)-linux-musl \
--prefix "/" \ --prefix "/" \
--disable-static \
--disable-doc \ --disable-doc \
--with-gpg-error-prefix="$(INSTALL)" \ --disable-static \
--with-libgpg-error-prefix="$(INSTALL)" \
libassuan_target := $(MAKE_JOBS) \ libassuan_target := $(MAKE_JOBS) \
DESTDIR="$(INSTALL)" \ DESTDIR="$(INSTALL)" \


@ -1,10 +1,10 @@
modules-$(CONFIG_GPG2) += libgcrypt modules-$(CONFIG_GPG2) += libgcrypt
libgcrypt_version := 1.10.1 libgcrypt_version := 1.10.2
libgcrypt_dir := libgcrypt-$(libgcrypt_version) libgcrypt_dir := libgcrypt-$(libgcrypt_version)
libgcrypt_tar := libgcrypt-$(libgcrypt_version).tar.bz2 libgcrypt_tar := libgcrypt-$(libgcrypt_version).tar.bz2
libgcrypt_url := https://gnupg.org/ftp/gcrypt/libgcrypt/$(libgcrypt_tar) libgcrypt_url := https://gnupg.org/ftp/gcrypt/libgcrypt/$(libgcrypt_tar)
libgcrypt_hash := ef14ae546b0084cd84259f61a55e07a38c3b53afc0f546bffcef2f01baffe9de libgcrypt_hash := 3b9c02a004b68c256add99701de00b383accccf37177e0d6c58289664cce0c03
libgcrypt_configure := \ libgcrypt_configure := \
$(CROSS_TOOLS) \ $(CROSS_TOOLS) \
@ -12,9 +12,9 @@ libgcrypt_configure := \
./configure \ ./configure \
--host=$(MUSL_ARCH)-linux-musl \ --host=$(MUSL_ARCH)-linux-musl \
--prefix "/" \ --prefix "/" \
--disable-static \
--with-gpg-error-prefix="$(INSTALL)" \
--disable-doc \ --disable-doc \
--disable-static \
--with-libgpg-error-prefix="$(INSTALL)" \
libgcrypt_target := $(MAKE_JOBS) \ libgcrypt_target := $(MAKE_JOBS) \
DESTDIR="$(INSTALL)" \ DESTDIR="$(INSTALL)" \


@ -1,21 +1,21 @@
modules-$(CONFIG_GPG2) += libgpg-error modules-$(CONFIG_GPG2) += libgpg-error
libgpg-error_version := 1.46 libgpg-error_version := 1.47
libgpg-error_dir := libgpg-error-$(libgpg-error_version) libgpg-error_dir := libgpg-error-$(libgpg-error_version)
libgpg-error_tar := libgpg-error-$(libgpg-error_version).tar.bz2 libgpg-error_tar := libgpg-error-$(libgpg-error_version).tar.bz2
libgpg-error_url := https://gnupg.org/ftp/gcrypt/libgpg-error/$(libgpg-error_tar) libgpg-error_url := https://gnupg.org/ftp/gcrypt/libgpg-error/$(libgpg-error_tar)
libgpg-error_hash := b7e11a64246bbe5ef37748de43b245abd72cfcd53c9ae5e7fc5ca59f1c81268d libgpg-error_hash := 9e3c670966b96ecc746c28c2c419541e3bcb787d1a73930f5e5f5e1bcbbb9bdb
libgpg-error_configure := \ libgpg-error_configure := \
$(CROSS_TOOLS) \ $(CROSS_TOOLS) \
CFLAGS="-Os" \ CFLAGS="-Os" \
./configure \ ./configure \
--prefix "/" \
--host=$(MUSL_ARCH)-linux-musl \ --host=$(MUSL_ARCH)-linux-musl \
--disable-static \ --prefix "/" \
--disable-nls \
--disable-languages \
--disable-doc \ --disable-doc \
--disable-languages \
--disable-nls \
--disable-static \
--disable-tests \ --disable-tests \
--enable-install-gpg-error-config \ --enable-install-gpg-error-config \


@ -1,10 +1,10 @@
modules-$(CONFIG_GPG2) += libksba modules-$(CONFIG_GPG2) += libksba
libksba_version := 1.6.3 libksba_version := 1.6.4
libksba_dir := libksba-$(libksba_version) libksba_dir := libksba-$(libksba_version)
libksba_tar := libksba-$(libksba_version).tar.bz2 libksba_tar := libksba-$(libksba_version).tar.bz2
libksba_url := https://gnupg.org/ftp/gcrypt/libksba/$(libksba_tar) libksba_url := https://gnupg.org/ftp/gcrypt/libksba/$(libksba_tar)
libksba_hash := 3f72c68db30971ebbf14367527719423f0a4d5f8103fc9f4a1c01a9fa440de5c libksba_hash := bbb43f032b9164d86c781ffe42213a83bf4f2fee91455edfa4654521b8b03b6b
libksba_configure := \ libksba_configure := \
$(CROSS_TOOLS) \ $(CROSS_TOOLS) \
@ -13,7 +13,7 @@ libksba_configure := \
--host $(MUSL_ARCH)-linux-musl \ --host $(MUSL_ARCH)-linux-musl \
--prefix "/" \ --prefix "/" \
--disable-static \ --disable-static \
--with-gpg-error-prefix="$(INSTALL)" \ --with-libgpg-error-prefix="$(INSTALL)" \
libksba_target := $(MAKE_JOBS) \ libksba_target := $(MAKE_JOBS) \
DESTDIR="$(INSTALL)" \ DESTDIR="$(INSTALL)" \


@ -14,20 +14,20 @@ libnitrokey_hash := 4f3382b6193afe69c2001321038fce9490bc28803ed687152a397ccd8914
cmake_cross := "-DCMAKE_AR=$(CROSS)ar" \ cmake_cross := "-DCMAKE_AR=$(CROSS)ar" \
-DCMAKE_CXX_COMPILER="$(CROSS)g++" \ -DCMAKE_CXX_COMPILER="$(CROSS)g++" \
-DCMAKE_C_COMPILER="$(CROSS)gcc" \
-DCMAKE_CXX_FLAGS="-Os -fdata-sections -ffunction-sections -ffile-prefix-map=$(pwd)=heads -gno-record-gcc-switches -D__MUSL__ -I$(INSTALL)/include -L$(INSTALL)/lib " \
-DCMAKE_LINKER="$(CROSS)ld"
-DCMAKE_SHARED_LINKER_FLAGS="-gc-sections"
-DCMAKE_CXX_COMPILER_AR="$(CROSS)ar" \ -DCMAKE_CXX_COMPILER_AR="$(CROSS)ar" \
-DCMAKE_CXX_FLAGS="-Os -fdata-sections -ffunction-sections -ffile-prefix-map=$(pwd)=heads -gno-record-gcc-switches -D__MUSL__ -I$(INSTALL)/include -L$(INSTALL)/lib " \
-DCMAKE_C_COMPILER="$(CROSS)gcc" \
-DCMAKE_LINKER="$(CROSS)ld"
-DCMAKE_NM="$(CROSS)nm" \ -DCMAKE_NM="$(CROSS)nm" \
-DCMAKE_OBJDUMP="$(CROSS)objdump" \
-DCMAKE_OBCOPY="$(CROSS)obcopy" \ -DCMAKE_OBCOPY="$(CROSS)obcopy" \
-DCMAKE_OBJDUMP="$(CROSS)objdump" \
-DCMAKE_SHARED_LINKER_FLAGS="-gc-sections"
-DCMAKE_STRIP="$(CROSS)strip" -DCMAKE_STRIP="$(CROSS)strip"
libnitrokey_configure := \ libnitrokey_configure := \
mkdir build -p && \ mkdir build -p && \
cd build && \ cd build && \
$(CROSS_TOOLS) cmake .. -DNO_LOG=ON -DBUILD_SHARED_LIBS=OFF -DCOMPILE_TESTS=OFF -DCMAKE_INSTALL_PREFIX=/ -DCMAKE_INSTALL_LIBDIR=lib -DCMAKE_BUILD_TYPE=MinSizeRel $(cmake_cross) $(CROSS_TOOLS) cmake .. -DBUILD_SHARED_LIBS=OFF -DCMAKE_BUILD_TYPE=MinSizeRel -DCMAKE_INSTALL_LIBDIR=lib -DCMAKE_INSTALL_PREFIX=/ -DCOMPILE_TESTS=OFF -DNO_LOG=ON $(cmake_cross)
# install "by-hand" as INSTALL_PREFIX is not working as expected # install "by-hand" as INSTALL_PREFIX is not working as expected
libnitrokey_target := $(CROSS_TOOLS) $(MAKE_JOBS) -C build DESTDIR="$(INSTALL)" && \ libnitrokey_target := $(CROSS_TOOLS) $(MAKE_JOBS) -C build DESTDIR="$(INSTALL)" && \
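Review bot: In `cmake_cross`, the `-DCMAKE_LINKER="$(CROSS)ld"` and `-DCMAKE_SHARED_LINKER_FLAGS="-gc-sections"` lines have no trailing `\`. The variable's value therefore appears to stop at `-DCMAKE_LINKER`, so the flags listed after it (`CMAKE_NM`, `CMAKE_OBJDUMP`, `CMAKE_STRIP`, the shared linker flags) likely never reach the `cmake` call in `libnitrokey_configure`. The re-sorting keeps that break rather than fixing it; the two lines should read `-DCMAKE_LINKER="$(CROSS)ld" \` and `-DCMAKE_SHARED_LINKER_FLAGS="-gc-sections" \`. If those tool overrides are silently dropped, cmake may fall back to host binutils, which matters for a cross build that is expected to be reproducible. `-DCMAKE_OBCOPY="$(CROSS)obcopy"` also looks like a misspelling of `CMAKE_OBJCOPY`/`objcopy`, though that line is unchanged context.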


@ -12,11 +12,10 @@ libusb_hash := 7dce9cce9a81194b7065ee912bcd55eeffebab694ea403ffb91b67db66b1824b
libusb_configure := \ libusb_configure := \
CFLAGS="-Os" \ CFLAGS="-Os" \
./configure \ ./configure \
$(CROSS_TOOLS)\ $(CROSS_TOOLS) \
--host $(MUSL_ARCH)-elf-linux\ --host $(MUSL_ARCH)-elf-linux \
--prefix "/"\ --prefix "/" \
--disable-udev\ --disable-udev \
--disable-tests\
# Run one build to generate the executables with the pre-defined # Run one build to generate the executables with the pre-defined
# exec_prefix and datarootdir, then a second make to install the binaries # exec_prefix and datarootdir, then a second make to install the binaries


@ -18,20 +18,20 @@ lvm2_configure := \
./configure \ ./configure \
--host $(MUSL_ARCH)-elf-linux \ --host $(MUSL_ARCH)-elf-linux \
--prefix "/" \ --prefix "/" \
--enable-devmapper \ --disable-blkid_wiping \
--disable-selinux \ --disable-cache_check_needs_check \
--disable-udev-systemd-background-jobs \ --disable-cmirrord \
--disable-realtime \
--disable-dmeventd \ --disable-dmeventd \
--disable-lvmetad \ --disable-lvmetad \
--disable-lvmpolld \ --disable-lvmpolld \
--disable-use-lvmlockd \ --disable-realtime \
--disable-use-lvmetad \ --disable-selinux \
--disable-use-lvmpolld \
--disable-blkid_wiping \
--disable-cmirrord \
--disable-cache_check_needs_check \
--disable-thin_check_needs_check \ --disable-thin_check_needs_check \
--disable-udev-systemd-background-jobs \
--disable-use-lvmetad \
--disable-use-lvmlockd \
--disable-use-lvmpolld \
--enable-devmapper \
--with-cluster=none \ --with-cluster=none \
--with-thin-check= \ --with-thin-check= \


@ -13,6 +13,7 @@ msrtools_url := https://github.com/osresearch/msr-tools/archive/$(msrtools_versi
msrtools_hash := 80554790d0a404205fe215c9ae8d2de159e980ec23821d636f201f12550e6ac0 msrtools_hash := 80554790d0a404205fe215c9ae8d2de159e980ec23821d636f201f12550e6ac0
msrtools_target := \ msrtools_target := \
$(MAKE_JOBS) \
$(CROSS_TOOLS) \ $(CROSS_TOOLS) \
CFLAGS="-I$(INSTALL)/include" \ CFLAGS="-I$(INSTALL)/include" \
LDFLAGS="-L$(INSTALL)/lib" \ LDFLAGS="-L$(INSTALL)/lib" \


@ -23,6 +23,6 @@ newt_libraries := \
newt_configure := \ newt_configure := \
./autogen.sh && CFLAGS="-Os" ./configure \ ./autogen.sh && CFLAGS="-Os" ./configure \
$(CROSS_TOOLS) \ $(CROSS_TOOLS) \
--prefix "/" \
--host $(MUSL_ARCH)-elf-linux \ --host $(MUSL_ARCH)-elf-linux \
--prefix "/" \
--without-tcl --without-tcl


@ -11,7 +11,6 @@ npth_configure := ./configure \
--host $(MUSL_ARCH)-linux-musl \ --host $(MUSL_ARCH)-linux-musl \
--prefix "/" \ --prefix "/" \
--disable-static \ --disable-static \
--with-gpg-error-prefix="$(INSTALL)" \
npth_target := $(MAKE_JOBS) \ npth_target := $(MAKE_JOBS) \
DESTDIR="$(INSTALL)" \ DESTDIR="$(INSTALL)" \


@ -7,6 +7,9 @@ openssl_tar := openssl-$(openssl_version).tar.gz
openssl_url := https://www.openssl.org/source/$(openssl_tar) openssl_url := https://www.openssl.org/source/$(openssl_tar)
openssl_hash := 6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e openssl_hash := 6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e
# hack to provide path to libgcc
LIBGCC_DIR := $(dir $(shell $(heads_cc) -print-libgcc-file-name))
# The only optional algorithm that's enabled is SM3. tpm2-tss uses SHA, AES, # The only optional algorithm that's enabled is SM3. tpm2-tss uses SHA, AES,
# and SM3. # and SM3.
openssl_configure := \ openssl_configure := \
@ -14,7 +17,6 @@ openssl_configure := \
CFLAGS="-Os" \ CFLAGS="-Os" \
./Configure \ ./Configure \
--prefix="/" \ --prefix="/" \
no-tests \
linux-$(strip $(arch)) \ linux-$(strip $(arch)) \
no-aria \ no-aria \
no-bf \ no-bf \
@ -42,6 +44,7 @@ openssl_configure := \
no-siv \ no-siv \
no-sm2 \ no-sm2 \
no-sm4 \ no-sm4 \
no-tests \
no-whirlpool \ no-whirlpool \
openssl_target := $(MAKE_JOBS) \ openssl_target := $(MAKE_JOBS) \


@ -19,19 +19,18 @@ pinentry_configure := \
./configure \ ./configure \
--host $(MUSL_ARCH)-linux-musl \ --host $(MUSL_ARCH)-linux-musl \
--prefix "/" \ --prefix "/" \
--enable-pinentry-tty \ --disable-fallback-curses \
--disable-libsecret \ --disable-libsecret \
--disable-fallback-curses \
--disable-pinentry-curses \ --disable-pinentry-curses \
--disable-pinentry-qt \
--disable-pinentry-gtk2 \
--disable-pinentry-gnome3 \
--disable-pinentry-fltk \
--disable-pinentry-emacs \ --disable-pinentry-emacs \
--disable-fallback-curses \ --disable-pinentry-fltk \
--disable-pinentry-gnome3 \
--disable-pinentry-gtk2 \
--disable-pinentry-qt \
--disable-pinentry-qt5 \ --disable-pinentry-qt5 \
--with-gpg-error-prefix="$(INSTALL)" \ --enable-pinentry-tty \
--with-libassuan-prefix="$(INSTALL)" \ --with-libassuan-prefix="$(INSTALL)" \
--with-libgpg-error-prefix="$(INSTALL)" \
# Run one build to generate the executables with the pre-defined # Run one build to generate the executables with the pre-defined
# exec_prefix and datarootdir, then a second make to install the binaries # exec_prefix and datarootdir, then a second make to install the binaries


@ -8,9 +8,8 @@ popt_hash := c25a4838fc8e4c1c8aacb8bd620edb3084a3d63bf8987fdad3ca2758c63240f9
popt_configure := ./configure \ popt_configure := ./configure \
$(CROSS_TOOLS) \ $(CROSS_TOOLS) \
--prefix "/" \
--host $(MUSL_ARCH)-elf-linux \ --host $(MUSL_ARCH)-elf-linux \
--prefix "/" \
popt_target := \ popt_target := \
$(MAKE_JOBS) \ $(MAKE_JOBS) \


@ -13,8 +13,8 @@ powerpc-utils_configure := \
./configure \ ./configure \
--host $(MUSL_ARCH)-elf-linux \ --host $(MUSL_ARCH)-elf-linux \
--prefix "/" \ --prefix "/" \
--without-librtas \
--without-systemd \ --without-systemd \
--without-librtas
powerpc-utils_target := \ powerpc-utils_target := \
$(MAKE_JOBS) \ $(MAKE_JOBS) \


@ -12,9 +12,9 @@ qrencode_configure := \
CFLAGS="-Os" \ CFLAGS="-Os" \
./configure \ ./configure \
$(CROSS_TOOLS) \ $(CROSS_TOOLS) \
--host $(MUSL_ARCH)-elf-linux \
--prefix "/" \ --prefix "/" \
--without-tools \ --without-tools \
--host $(MUSL_ARCH)-elf-linux \
qrencode_target := \ qrencode_target := \
$(MAKE_JOBS) \ $(MAKE_JOBS) \


@ -1,20 +1,21 @@
modules-$(CONFIG_SLANG) += slang modules-$(CONFIG_SLANG) += slang
slang_version := 2.3.1a slang_version := 2.3.3
slang_dir := slang-$(slang_version) slang_dir := slang-$(slang_version)
slang_tar := slang-$(slang_version).tar.bz2 slang_tar := slang-$(slang_version).tar.bz2
slang_url := https://www.jedsoft.org/releases/slang/$(slang_tar) slang_url := https://www.jedsoft.org/releases/slang/$(slang_tar)
slang_hash := 54f0c3007fde918039c058965dffdfd6c5aec0bad0f4227192cc486021f08c36 slang_hash := f9145054ae131973c61208ea82486d5dd10e3c5cdad23b7c4a0617743c8f5a18
slang_configure := ./configure \ slang_configure := ./configure \
$(CROSS_TOOLS) \ $(CROSS_TOOLS) \
ac_cv_path_nc5config=no \ ac_cv_path_nc5config=ncurses-config \
--prefix "/" \
--host $(MUSL_ARCH)-elf-linux \ --host $(MUSL_ARCH)-elf-linux \
--with-z=no \ --prefix "/" \
--with-png=no \
--with-pcre=no \
--with-onig=no \ --with-onig=no \
--with-pcre=no \
--with-png=no \
--with-z=no \
--disable-termcap \
&& mkdir -p src/elfobjs && mkdir -p src/elfobjs
# Disable parallel make for the install target # Disable parallel make for the install target


@ -31,7 +31,7 @@ tpm2-tools_configure := \
--host $(MUSL_ARCH)-elf-linux \ --host $(MUSL_ARCH)-elf-linux \
--prefix "/" \ --prefix "/" \
--disable-fapi \ --disable-fapi \
CFLAGS="-fdebug-prefix-map=$(INSTALL)=." \ --with-sysroot=$(INSTALL) \
tpm2-tools_target := $(MAKE_JOBS) \ tpm2-tools_target := $(MAKE_JOBS) \
DESTDIR="$(INSTALL)" \ DESTDIR="$(INSTALL)" \
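Review bot: The last configure argument swaps `CFLAGS="-fdebug-prefix-map=$(INSTALL)=."` for `--with-sysroot=$(INSTALL)` without saying what now keeps the absolute `$(INSTALL)` path out of the compiled objects. If a prefix map is already supplied elsewhere (for example through `$(CROSS_TOOLS)`, which is not visible in this hunk), a one-line comment such as `# build paths are remapped by the cross toolchain flags; no per-module -fdebug-prefix-map needed` would record that. If it is not, the flag should stay alongside `--with-sysroot` so the output does not depend on the build directory. The `tpm2-tools_configure` definition starts above the hunk, so the rest of its arguments could not be checked.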


@ -21,10 +21,11 @@ tpm2-tss_configure := aclocal && automake --add-missing && autoreconf -fi \
$(CROSS_TOOLS) \ $(CROSS_TOOLS) \
--host $(MUSL_ARCH)-elf-linux \ --host $(MUSL_ARCH)-elf-linux \
--prefix "/" \ --prefix "/" \
--with-sysroot=$(INSTALL) \
--disable-doxygen-doc \ --disable-doxygen-doc \
--disable-doxygen-html \
--disable-doxygen-man \ --disable-doxygen-man \
--disable-doxygen-rtf \ --disable-doxygen-rtf \
--disable-doxygen-html \
--disable-fapi \ --disable-fapi \
--disable-static \ --disable-static \


@ -10,6 +10,7 @@ tpmtotp_hash := eaac1e8f652f1da7f5a1ed6a8cfefb6511f1e5e1dabf93b44db3b29c18c5ae53
tpmtotp_target := \ tpmtotp_target := \
$(CROSS_TOOLS) \ $(CROSS_TOOLS) \
$(MAKE_JOBS) \
CFLAGS="-I$(INSTALL)/include -Os" \ CFLAGS="-I$(INSTALL)/include -Os" \
LDFLAGS="-L$(INSTALL)/lib" \ LDFLAGS="-L$(INSTALL)/lib" \


@ -13,16 +13,16 @@ util-linux_configure := \
--host $(MUSL_ARCH)-elf-linux \ --host $(MUSL_ARCH)-elf-linux \
--prefix "/" \ --prefix "/" \
--oldincludedir "$(INSTALL)/include" \ --oldincludedir "$(INSTALL)/include" \
--disable-all-programs \
--disable-bash-completion \
--enable-agetty \
--enable-libblkid \
--enable-libuuid \
--without-ncurses \ --without-ncurses \
--without-ncursesw \ --without-ncursesw \
--without-python \
--without-tinfo \ --without-tinfo \
--without-udev \ --without-udev \
--without-python \
--disable-bash-completion \
--disable-all-programs \
--enable-libuuid \
--enable-libblkid \
--enable-agetty \
util-linux_target := \ util-linux_target := \


@ -0,0 +1,100 @@
diff --git a/scripts/bloat-o-meter b/scripts/bloat-o-meter
index d7ca46c612b3..652e9542043f 100755
--- a/scripts/bloat-o-meter
+++ b/scripts/bloat-o-meter
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python
#
# Copyright 2004 Matt Mackall <mpm@selenic.com>
#
diff --git a/scripts/check-sysctl-docs b/scripts/check-sysctl-docs
index 8bcb9e26c7bc..90137319c50a 100755
--- a/scripts/check-sysctl-docs
+++ b/scripts/check-sysctl-docs
@@ -1,4 +1,4 @@
-#!/usr/bin/gawk -f
+#!/usr/bin/env -S gawk -f
# SPDX-License-Identifier: GPL-2.0
# Script to check sysctl documentation against source files
diff --git a/scripts/diffconfig b/scripts/diffconfig
index 89abf777f197..627eba5849b5 100755
--- a/scripts/diffconfig
+++ b/scripts/diffconfig
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python
# SPDX-License-Identifier: GPL-2.0
#
# diffconfig - a tool to compare .config files.
diff --git a/scripts/get_abi.pl b/scripts/get_abi.pl
index 68dab828a722..92d9aa6cc4f5 100755
--- a/scripts/get_abi.pl
+++ b/scripts/get_abi.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
# SPDX-License-Identifier: GPL-2.0
use strict;
diff --git a/scripts/ld-version.sh b/scripts/ld-version.sh
index f2be0ff9a738..7a5b546ece16 100755
--- a/scripts/ld-version.sh
+++ b/scripts/ld-version.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/awk -f
+#!/usr/bin/env -S awk -f
# SPDX-License-Identifier: GPL-2.0
# extract linker version number from stdin and turn into single number
{
diff --git a/scripts/parse-maintainers.pl b/scripts/parse-maintainers.pl
index 2ca4eb3f190d..9515765158fa 100755
--- a/scripts/parse-maintainers.pl
+++ b/scripts/parse-maintainers.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl -w
+#!/usr/bin/env -S perl -w
# SPDX-License-Identifier: GPL-2.0
use strict;
diff --git a/scripts/show_delta b/scripts/show_delta
index 264399307c4f..28e67e178194 100755
--- a/scripts/show_delta
+++ b/scripts/show_delta
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python
# SPDX-License-Identifier: GPL-2.0-only
#
# show_deltas: Read list of printk messages instrumented with
diff --git a/scripts/sphinx-pre-install b/scripts/sphinx-pre-install
index 40fa6923e80a..828a8615a918 100755
--- a/scripts/sphinx-pre-install
+++ b/scripts/sphinx-pre-install
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
# SPDX-License-Identifier: GPL-2.0-or-later
use strict;
diff --git a/scripts/split-man.pl b/scripts/split-man.pl
index c3db607ee9ec..96bd99dc977a 100755
--- a/scripts/split-man.pl
+++ b/scripts/split-man.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
# SPDX-License-Identifier: GPL-2.0
#
# Author: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
diff --git a/scripts/ver_linux b/scripts/ver_linux
index 0968a3070eff..345b92f71d2d 100755
--- a/scripts/ver_linux
+++ b/scripts/ver_linux
@@ -1,4 +1,4 @@
-#!/usr/bin/awk -f
+#!/usr/bin/env -S awk -f
# SPDX-License-Identifier: GPL-2.0
# Before running this script please ensure that your PATH is
# typical as you use for compilation/installation. I use
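Review bot: The `#!/usr/bin/env -S awk -f`, `#!/usr/bin/env -S gawk -f` and `#!/usr/bin/env -S perl -w` shebangs in this patch rely on `env -S`, which GNU coreutils only provides from 8.30 onward and which, as far as I know, busybox `env` does not implement. On a host without it these scripts are no longer directly executable. For the perl case the flag can be dropped entirely with `#!/usr/bin/env perl` plus a `use warnings;` line next to the existing `use strict;`. The awk scripts have no equivalent, so the patch should carry a short header stating that it requires an `env` with `-S`. Every interpreter here is now resolved through PATH rather than a fixed path, so the header should also say that these scripts are expected to run only inside the pinned build environment, since which `python`, `perl` and `awk` get used now depends on the caller's PATH. The same shebang changes recur in the 190-line patch file that follows on this page, and the note applies there too.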


@ -0,0 +1,190 @@
diff --git a/scripts/bloat-o-meter b/scripts/bloat-o-meter
index 8c965f6a9881..bcd66a014453 100755
--- a/scripts/bloat-o-meter
+++ b/scripts/bloat-o-meter
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python
#
# Copyright 2004 Matt Mackall <mpm@selenic.com>
#
diff --git a/scripts/coccicheck b/scripts/coccicheck
index e04d328210ac..851c3307ca74 100755
--- a/scripts/coccicheck
+++ b/scripts/coccicheck
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
# SPDX-License-Identifier: GPL-2.0
# Linux kernel coccicheck
#
diff --git a/scripts/config b/scripts/config
index e0e39826dae9..ba11e350e8af 100755
--- a/scripts/config
+++ b/scripts/config
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
# SPDX-License-Identifier: GPL-2.0
# Manipulate options in a .config file from the command line
diff --git a/scripts/decode_stacktrace.sh b/scripts/decode_stacktrace.sh
index 13e5fbafdf2f..8c22ac90123b 100755
--- a/scripts/decode_stacktrace.sh
+++ b/scripts/decode_stacktrace.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
# SPDX-License-Identifier: GPL-2.0
# (c) 2014, Sasha Levin <sasha.levin@oracle.com>
#set -x
diff --git a/scripts/diffconfig b/scripts/diffconfig
index 89abf777f197..627eba5849b5 100755
--- a/scripts/diffconfig
+++ b/scripts/diffconfig
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python
# SPDX-License-Identifier: GPL-2.0
#
# diffconfig - a tool to compare .config files.
diff --git a/scripts/faddr2line b/scripts/faddr2line
index 6c6439f69a72..5079957d4993 100755
--- a/scripts/faddr2line
+++ b/scripts/faddr2line
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
# SPDX-License-Identifier: GPL-2.0
#
# Translate stack dump function offsets.
diff --git a/scripts/find-unused-docs.sh b/scripts/find-unused-docs.sh
index 3f46f8977dc4..363e7ecab554 100755
--- a/scripts/find-unused-docs.sh
+++ b/scripts/find-unused-docs.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
# (c) 2017, Jonathan Corbet <corbet@lwn.net>
# sayli karnik <karniksayli1995@gmail.com>
#
diff --git a/scripts/get_abi.pl b/scripts/get_abi.pl
index c738cb795514..ba87b230fe0a 100755
--- a/scripts/get_abi.pl
+++ b/scripts/get_abi.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
# SPDX-License-Identifier: GPL-2.0
use strict;
diff --git a/scripts/gfp-translate b/scripts/gfp-translate
index b2ce416d944b..2fcea3e9afb3 100755
--- a/scripts/gfp-translate
+++ b/scripts/gfp-translate
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
# SPDX-License-Identifier: GPL-2.0-only
# Translate the bits making up a GFP mask
# (c) 2009, Mel Gorman <mel@csn.ul.ie>
diff --git a/scripts/ld-version.sh b/scripts/ld-version.sh
index f2be0ff9a738..081efc679705 100755
--- a/scripts/ld-version.sh
+++ b/scripts/ld-version.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/awk -f
+#!/usr/bin/env -S awk -f
# SPDX-License-Identifier: GPL-2.0
# extract linker version number from stdin and turn into single number
{
diff --git a/scripts/mkuboot.sh b/scripts/mkuboot.sh
index 4b1fe09e9042..0b6df121a3b5 100755
--- a/scripts/mkuboot.sh
+++ b/scripts/mkuboot.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
# SPDX-License-Identifier: GPL-2.0
#
diff --git a/scripts/objdiff b/scripts/objdiff
index 72b0b63c3fe1..95f087300637 100755
--- a/scripts/objdiff
+++ b/scripts/objdiff
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
# SPDX-License-Identifier: GPL-2.0-only
# objdiff - a small script for validating that a commit or series of commits
diff --git a/scripts/parse-maintainers.pl b/scripts/parse-maintainers.pl
index 255cef1b098d..c2d11c87fdb4 100644
--- a/scripts/parse-maintainers.pl
+++ b/scripts/parse-maintainers.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl -w
+#!/usr/bin/env -S perl -w
# SPDX-License-Identifier: GPL-2.0
use strict;
diff --git a/scripts/prune-kernel b/scripts/prune-kernel
index e8aa940bc0a9..620230f677bc 100755
--- a/scripts/prune-kernel
+++ b/scripts/prune-kernel
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
# SPDX-License-Identifier: GPL-2.0
# because I use CONFIG_LOCALVERSION_AUTO, not the same version again and
diff --git a/scripts/show_delta b/scripts/show_delta
index 264399307c4f..28e67e178194 100755
--- a/scripts/show_delta
+++ b/scripts/show_delta
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python
# SPDX-License-Identifier: GPL-2.0-only
#
# show_deltas: Read list of printk messages instrumented with
diff --git a/scripts/sphinx-pre-install b/scripts/sphinx-pre-install
index 470ccfe678aa..214ed660c0d0 100755
--- a/scripts/sphinx-pre-install
+++ b/scripts/sphinx-pre-install
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
# SPDX-License-Identifier: GPL-2.0-or-later
use strict;
diff --git a/scripts/split-man.pl b/scripts/split-man.pl
index c3db607ee9ec..96bd99dc977a 100755
--- a/scripts/split-man.pl
+++ b/scripts/split-man.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
# SPDX-License-Identifier: GPL-2.0
#
# Author: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
diff --git a/scripts/tags.sh b/scripts/tags.sh
index 4e18ae5282a6..02c08d460997 100755
--- a/scripts/tags.sh
+++ b/scripts/tags.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
# SPDX-License-Identifier: GPL-2.0-only
# Generate tags or cscope files
# Usage tags.sh <mode>
diff --git a/scripts/ver_linux b/scripts/ver_linux
index 85005d6b7f10..34e4530fd5b6 100755
--- a/scripts/ver_linux
+++ b/scripts/ver_linux
@@ -1,4 +1,4 @@
-#!/usr/bin/awk -f
+#!/usr/bin/env -S awk -f
# SPDX-License-Identifier: GPL-2.0
# Before running this script please ensure that your PATH is
# typical as you use for compilation/installation. I use


@ -0,0 +1,13 @@
diff --git a/src/Makefile.in b/src/Makefile.in
index 7fe4dc2..38fe174 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -75,7 +75,7 @@ RM = rm -f
RM_R = rm -rf
AR_CR = ar cr
RMDIR = rmdir
-LN = /bin/ln -sf
+LN = ln -sf
CP = cp
@SET_MAKE@
#---------------------------------------------------------------------------


@ -1,4 +1,4 @@
qemu-coreboot-(fb)whiptail-tpm[1,2](-hotp) boards qemu-coreboot-(fb)whiptail-tpmX(-hotp) boards
=== ===
The `qemu-coreboot-fbwhiptail-tpm1-hotp` configuration (and their variants) permits testing of most features of Heads. The `qemu-coreboot-fbwhiptail-tpm1-hotp` configuration (and their variants) permits testing of most features of Heads.
@ -87,3 +87,14 @@ swtpm on Debian bookworm
=== ===
1. Install dependencies 1. Install dependencies
* `sudo apt install swtpm swtpm-tools` * `sudo apt install swtpm swtpm-tools`
swtpm on nix docker image
===
Nothing to do. Everything needed is in the docker image.
Just make sure to pass DISPLAY environement variable on your docker command line. eg:
* Remotely downloaded docker image (doing make command only inside of docker example):
* `docker run -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) tlaurion/heads-dev-env:latest -- make BOARD=qemu-coreboot-whiptail-tpm2`
* `docker run -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) tlaurion/heads-dev-env:latest -- make BOARD=qemu-coreboot-whiptail-tpm2 run`
* Locally created docker image from nix develop environment (jumping into docker image variation of the above, where developer does what he wants within):
* `docker run -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) linuxboot/heads:dev-env`


@ -16,7 +16,7 @@ endif
ifeq "$(CONFIG_TPM2_TSS)" "y" ifeq "$(CONFIG_TPM2_TSS)" "y"
SWTPM_TPMVER := --tpm2 SWTPM_TPMVER := --tpm2
SWTPM_PRESETUP := swtpm_setup --create-config-files skip-if-exist SWTPM_PRESETUP := swtpm_setup --create-config-files root skip-if-exist
else else
# TPM1 is the default # TPM1 is the default
SWTPM_TPMVER := SWTPM_TPMVER :=