x230-flash depends on independent and minimal linux-x230-flash.config. ash_history content replaced with usefull commands. Everything is there to generate keys from Yubikey/Nitrokey, export armored versions to external media and cbfs them into reproducible rom and flash resulting rom with flashrom-x230.sh.

boards/x230-flash/x230-flash.config

@@ -3,17 +3,19 @@ BOARD=x230.flash
 
 export CONFIG_COREBOOT=y
 CONFIG_FLASHROM=y
+CONFIG_GPG=y
 CONFIG_FLASHTOOLS=y
 CONFIG_PCIUTILS=y
-CONFIG_MBEDTLS=y
-CONFIG_QRENCODE=y
-CONFIG_TPMTOTP=y
+#CONFIG_MBEDTLS=y
+#CONFIG_QRENCODE=y
+#CONFIG_TPMTOTP=y
 CONFIG_DROPBEAR=y
 
-CONFIG_LINUX_CONFIG=config/linux-x230.config
+CONFIG_LINUX_CONFIG=config/linux-x230-flash.config
 CONFIG_LINUX_USB=y
 CONFIG_LINUX_E1000E=y
 
+export CONFIG_USB_BOOT_DEV="/dev/sdb1"
 export CONFIG_BOOTSCRIPT=/bin/x230-flash.init
 
 # This board is "special" in that we only want the top 4 MB of the ROM

initrd/.ash_history

@@ -1,5 +1,15 @@
-/boot/start-xen
-mount -o ro /dev/sda2 /boot
-unsealtotp.sh
+mount /dev/sda1 /boot
+mount -o remount,rw /boot
+rm /boot/kexec_*
+usb-scan
+mount -o rw $CONFIG_USB_BOOT_DEV /media
+mkdir /media/gpg_keys
+gpg --home=/media/gpg_keys --edit-card
+gpg --home=/media/gpg_keys --export --armor e@mail.address > /media/gpg_keys/public.key
+gpg --home=/media/gpg_keys --export-secret-keys --armor e@mail.address > /media/gpg_keys/private.key
+cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/public.key" -f /media/gpg_keys/public.key
+cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/private.key" -f /media/gpg_keys/private.key
+flashrom-x230.sh /media/coreboot.com
+umount /media
 cbmem --console | grep '^ME'
 cbmem --console | less