diff --git a/boards/EOL_librem_15v3/EOL_librem_15v3.config b/boards/EOL_librem_15v3/EOL_librem_15v3.config
@@ -0,0 +1,50 @@
+# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use
+# Configuration for a librem_15v3
+CONFIG_LINUX_CONFIG=config/linux-librem_common-6.1.8.config
+CONFIG_COREBOOT_CONFIG=config/coreboot-librem_15v3.config
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=purism
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+CONFIG_HOTPKEY=y
+
+CONFIG_LINUX_USB=y
+CONFIG_MOBILE_TETHERING=y
+
+export CONFIG_TPM=y
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE=""
+export CONFIG_BOARD_NAME="Librem 15 v3"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
+export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
+export CONFIG_ROOT_CHECK_AT_BOOT="n"
diff --git a/boards/EOL_librem_15v4/EOL_librem_15v4.config b/boards/EOL_librem_15v4/EOL_librem_15v4.config
@@ -0,0 +1,51 @@
+# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use
+# Configuration for a librem_15v4
+CONFIG_LINUX_CONFIG=config/linux-librem_common-6.1.8.config
+CONFIG_COREBOOT_CONFIG=config/coreboot-librem_15v4.config
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=purism
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KBD=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+CONFIG_HOTPKEY=y
+
+CONFIG_LINUX_USB=y
+CONFIG_MOBILE_TETHERING=y
+
+export CONFIG_TPM=y
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE=""
+export CONFIG_BOARD_NAME="Librem 15 v4"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
+export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
+export CONFIG_ROOT_CHECK_AT_BOOT="n"
diff --git a/boards/EOL_librem_l1um/EOL_librem_l1um.config b/boards/EOL_librem_l1um/EOL_librem_l1um.config
@@ -0,0 +1,51 @@
+# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use
+# Configuration for a librem_l1um
+CONFIG_LINUX_CONFIG=config/linux-librem_common.config
+CONFIG_COREBOOT_CONFIG=config/coreboot-librem_l1um.config
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.11
+export CONFIG_LINUX_VERSION=6.1.8
+export CONFIG_PURISM_BLOBS=y
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+CONFIG_HOTPKEY=y
+
+CONFIG_LINUX_USB=y
+CONFIG_MOBILE_TETHERING=y
+
+export CONFIG_TPM=y
+
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on"
+export CONFIG_BOOT_KERNEL_REMOVE="plymouth.ignore-serial-consoles"
+export CONFIG_BOARD_NAME="Librem Server L1UM"
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
+export CONFIG_USB_KEYBOARD_REQUIRED=y
+export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
+export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
+export CONFIG_ROOT_CHECK_AT_BOOT="n"
diff --git a/boards/EOL_optiplex-7010_9010-hotp-maximized/EOL_optiplex-7010_9010-hotp-maximized.config b/boards/EOL_optiplex-7010_9010-hotp-maximized/EOL_optiplex-7010_9010-hotp-maximized.config
@@ -0,0 +1,97 @@
+# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use
+# Configuration for a Optiplex 7010/9010 SFF running Qubes 4.1 and other Linux Based OSes (through kexec)
+#
+# Includes 
+# - Deactivated+neutered ME and expanded consequent IFD BIOS regions 
+# - Forged 00:DE:AD:C0:FF:EE MAC address  (if not extracting gbe.bin from backup with blobs/xx30/extract.sh)
+#   - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
+#
+# - Includes: Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=24.12
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-optiplex-7019_9010-maximized.config
+CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
+
+#Additional hardware support
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+CONFIG_MOBILE_TETHERING=y
+
+#Modules packed into tools.cpio
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+#Runtime tools to write to MSR
+#CONFIG_MSRTOOLS=y
+#Remote attestation support
+# TPM2 requirements
+#CONFIG_TPM2_TSS=y
+#CONFIG_OPENSSL=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+CONFIG_HOTPKEY=y
+
+
+#platform locking finalization (PR0)
+# This prevents SPI from being writeable outside of Heads
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
+
+#Nitrokey Storage admin tool (deprecated)
+#CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools (tools.cpio):
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+
+#Runtime configuration
+#Automatically boot if HOTP is valid
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+#TPM2 requirements
+#export CONFIG_TPM2_TOOLS=y
+#export CONFIG_PRIMARY_KEY_TYPE=ecc
+#TPM1 requirements
+export CONFIG_TPM=y
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOARD_NAME="Dell Optiplex 7010/9010 HOTP maximized"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
+
+#Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP
+BOARD_TARGETS := xx30_me_blobs
+
+#Include bits related to Optiplex blobs (not enabling TXT in coreboot config)
+BOARD_TARGETS += optiplex_blobs
+
+# Generate split 4MB top / 8MB bottom ROMs
+BOARD_TARGETS += split_8mb4mb
diff --git a/boards/EOL_optiplex-7010_9010-maximized/EOL_optiplex-7010_9010-maximized.config b/boards/EOL_optiplex-7010_9010-maximized/EOL_optiplex-7010_9010-maximized.config
@@ -0,0 +1,97 @@
+# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use
+# Configuration for a Optiplex 7010/9010 SFF running Qubes 4.1 and other Linux Based OSes (through kexec)
+#
+# Includes 
+# - Deactivated+neutered ME and expanded consequent IFD BIOS regions 
+# - Forged 00:DE:AD:C0:FF:EE MAC address  (if not extracting gbe.bin from backup with blobs/xx30/extract.sh)
+#   - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
+#
+# - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=24.12
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-optiplex-7019_9010-maximized.config
+CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
+
+#Additional hardware support
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+CONFIG_MOBILE_TETHERING=y
+
+#Modules packed into tools.cpio
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+#Runtime tools to write to MSR
+#CONFIG_MSRTOOLS=y
+#Remote attestation support
+# TPM2 requirements
+#CONFIG_TPM2_TSS=y
+#CONFIG_OPENSSL=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+#CONFIG_HOTPKEY=y
+
+
+#platform locking finalization (PR0)
+# This prevents SPI from being writeable outside of Heads
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
+
+#Nitrokey Storage admin tool (deprecated)
+#CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools (tools.cpio):
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+
+#Runtime configuration
+#Automatically boot if HOTP is valid
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+#TPM2 requirements
+#export CONFIG_TPM2_TOOLS=y
+#export CONFIG_PRIMARY_KEY_TYPE=ecc
+#TPM1 requirements
+export CONFIG_TPM=y
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOARD_NAME="Dell Optiplex 7010/9010 maximized"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
+
+#Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP
+BOARD_TARGETS := xx30_me_blobs
+
+#Include bits related to Optiplex blobs (not enabling TXT in coreboot config)
+BOARD_TARGETS += optiplex_blobs
+
+# Generate split 4MB top / 8MB bottom ROMs
+BOARD_TARGETS += split_8mb4mb
diff --git a/...OL_optiplex-7010_9010_TXT-hotp-maximized/EOL_optiplex-7010_9010_TXT-hotp-maximized.config b/...OL_optiplex-7010_9010_TXT-hotp-maximized/EOL_optiplex-7010_9010_TXT-hotp-maximized.config
@@ -0,0 +1,97 @@
+# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use
+# Configuration for a Optiplex 7010/9010 SFF running Qubes 4.1 and other Linux Based OSes (through kexec)
+#
+# Includes 
+# - Deactivated+neutered ME and expanded consequent IFD BIOS regions 
+# - Forged 00:DE:AD:C0:FF:EE MAC address  (if not extracting gbe.bin from backup with blobs/xx30/extract.sh)
+#   - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
+#
+# - Includes: Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=24.12
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-optiplex-7019_9010_TXT-maximized.config
+CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
+
+#Additional hardware support
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+CONFIG_MOBILE_TETHERING=y
+
+#Modules packed into tools.cpio
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+#Runtime tools to write to MSR
+#CONFIG_MSRTOOLS=y
+#Remote attestation support
+# TPM2 requirements
+#CONFIG_TPM2_TSS=y
+#CONFIG_OPENSSL=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+CONFIG_HOTPKEY=y
+
+
+#platform locking finalization (PR0)
+# This prevents SPI from being writeable outside of Heads
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
+
+#Nitrokey Storage admin tool (deprecated)
+#CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools (tools.cpio):
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+
+#Runtime configuration
+#Automatically boot if HOTP is valid
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+#TPM2 requirements
+#export CONFIG_TPM2_TOOLS=y
+#export CONFIG_PRIMARY_KEY_TYPE=ecc
+#TPM1 requirements
+export CONFIG_TPM=y
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOARD_NAME="Dell Optiplex 7010/9010 HOTP maximized (TXT enabled)"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
+
+#Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP
+BOARD_TARGETS := xx30_me_blobs
+
+#Include bits related to Optiplex blobs (enabling TXT in coreboot config)
+BOARD_TARGETS += optiplex_blobs
+
+# Generate split 4MB top / 8MB bottom ROMs
+BOARD_TARGETS += split_8mb4mb
diff --git a/boards/EOL_optiplex-7010_9010_TXT-maximized/EOL_optiplex-7010_9010_TXT-maximized.config b/boards/EOL_optiplex-7010_9010_TXT-maximized/EOL_optiplex-7010_9010_TXT-maximized.config
@@ -0,0 +1,97 @@
+# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use
+# Configuration for a Optiplex 7010/9010 SFF running Qubes 4.1 and other Linux Based OSes (through kexec)
+#
+# Includes 
+# - Deactivated+neutered ME and expanded consequent IFD BIOS regions 
+# - Forged 00:DE:AD:C0:FF:EE MAC address  (if not extracting gbe.bin from backup with blobs/xx30/extract.sh)
+#   - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
+#
+# - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=24.12
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-optiplex-7019_9010_TXT-maximized.config
+CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
+
+#Additional hardware support
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+CONFIG_MOBILE_TETHERING=y
+
+#Modules packed into tools.cpio
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+#Runtime tools to write to MSR
+#CONFIG_MSRTOOLS=y
+#Remote attestation support
+# TPM2 requirements
+#CONFIG_TPM2_TSS=y
+#CONFIG_OPENSSL=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+#CONFIG_HOTPKEY=y
+
+
+#platform locking finalization (PR0)
+# This prevents SPI from being writeable outside of Heads
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
+
+#Nitrokey Storage admin tool (deprecated)
+#CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools (tools.cpio):
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+
+#Runtime configuration
+#Automatically boot if HOTP is valid
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+#TPM2 requirements
+#export CONFIG_TPM2_TOOLS=y
+#export CONFIG_PRIMARY_KEY_TYPE=ecc
+#TPM1 requirements
+export CONFIG_TPM=y
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOARD_NAME="Dell Optiplex 7010/9010 maximized (TXT enabled)"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
+
+#Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP
+BOARD_TARGETS := xx30_me_blobs
+
+#Include bits related to Optiplex blobs (enabling TXT in coreboot config)
+BOARD_TARGETS += optiplex_blobs
+
+# Generate split 4MB top / 8MB bottom ROMs
+BOARD_TARGETS += split_8mb4mb
diff --git a/...hotp-maximized/t420-hotp-maximized.config → ...-maximized/EOL_t420-hotp-maximized.config b/...hotp-maximized/t420-hotp-maximized.config → ...-maximized/EOL_t420-hotp-maximized.config
@@ -1,3 +1,4 @@
+# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use
 # Configuration for a T420 running Qubes 4.1 and other Linux Based OSes (through kexec)
 #
 # Includes
@@ -9,18 +10,22 @@
 # - dropbear
 
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=4.19
-export CONFIG_LINUX_VERSION=5.10.5
+export CONFIG_COREBOOT_VERSION=24.12
+export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_COREBOOT_CONFIG=config/coreboot-t420-maximized.config
 CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
 
+#EXPLICITELY DEACTIVATE KBD + loadkeys + keymap support since sandy bridge based laptops with 8Mb SPI is not big enough
+CONFIG_KBD=n
+
 #Additional hardware support
 CONFIG_LINUX_USB=y
 CONFIG_LINUX_E1000E=y
+CONFIG_MOBILE_TETHERING=y
 
 CONFIG_CRYPTSETUP2=y
-CONFIG_FLASHROM=y
+CONFIG_FLASHPROG=y
 CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
 CONFIG_KEXEC=y
@@ -31,8 +36,7 @@ CONFIG_PCIUTILS=y
 
 #platform locking finalization (PR0)
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
-
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 #Remote attestation support
 #TPM based requirements
@@ -43,6 +47,7 @@ CONFIG_TPMTOTP=y
 #HOTP based remote attestation for supported USB Security dongle
 #With/Without TPM support
 CONFIG_HOTPKEY=y
+export CONFIG_AUTO_BOOT_TIMEOUT=5
 
 #Nitrokey Storage admin tool
 CONFIG_NKSTORECLI=n
@@ -59,15 +64,20 @@ CONFIG_FBWHIPTAIL=y
 #SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
 CONFIG_DROPBEAR=n
 
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
-export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
-export CONFIG_BOOT_KERNEL_REMOVE="quiet"
-export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
 export CONFIG_BOARD_NAME="ThinkPad T420-hotp-maximized"
-export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:ich_spi_mode=hwseq"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal:ich_spi_mode=hwseq"
 
-# xx20 boards require of you initially call one of the following to habe gbe.bin ifd.bin and me.bin
-#  - blobs/xx20/download_parse_me.sh
-#     To download Lenovo update ME binary, neuter+deactivate ME, produce reduced IFD ME region and expended BIOS IFD region.
+#Include bits related to sandybridge ME blob download/neutering down to BUP
+BOARD_TARGETS := xx20_me_blobs
diff --git a/boards/t420-maximized/t420-maximized.config → ..._t420-maximized/EOL_t420-maximized.config b/boards/t420-maximized/t420-maximized.config → ..._t420-maximized/EOL_t420-maximized.config
@@ -1,3 +1,4 @@
+# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use
 # Configuration for a T420 running Qubes 4.1 and other Linux Based OSes (through kexec)
 #
 # Includes
@@ -8,18 +9,22 @@
 # Doesn't include (to fit in 7mb image)
 # - dropbear
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=4.19
-export CONFIG_LINUX_VERSION=5.10.5
+export CONFIG_COREBOOT_VERSION=24.12
+export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_COREBOOT_CONFIG=config/coreboot-t420-maximized.config
 CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
 
+#EXPLICITELY DEACTIVATE KBD + loadkeys + keymap support since sandy bridge based laptops with 8Mb SPI is not big enough
+CONFIG_KBD=n
+
 #Additional hardware support
 CONFIG_LINUX_USB=y
 CONFIG_LINUX_E1000E=y
+CONFIG_MOBILE_TETHERING=y
 
 CONFIG_CRYPTSETUP2=y
-CONFIG_FLASHROM=y
+CONFIG_FLASHPROG=y
 CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
 CONFIG_KEXEC=y
@@ -30,7 +35,7 @@ CONFIG_PCIUTILS=y
 
 #platform locking finalization (PR0)
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 #Remote attestation support
 #TPM based requirements
@@ -57,15 +62,20 @@ CONFIG_FBWHIPTAIL=y
 #SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
 CONFIG_DROPBEAR=n
 
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
-export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
-export CONFIG_BOOT_KERNEL_REMOVE="quiet"
-export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
 export CONFIG_BOARD_NAME="ThinkPad T420-maximized"
-export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:ich_spi_mode=hwseq"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal:ich_spi_mode=hwseq"
 
-# xx20 boards require of you initially call one of the following to habe gbe.bin ifd.bin and me.bin
-#  - blobs/xx20/download_parse_me.sh
-#     To download Lenovo update ME binary, neuter+deactivate ME, produce reduced IFD ME region and expended BIOS IFD region.
+#Include bits related to sandybridge ME blob download/neutering down to BUP
+BOARD_TARGETS := xx20_me_blobs
diff --git a/boards/EOL_t430-hotp-maximized/EOL_t430-hotp-maximized.config b/boards/EOL_t430-hotp-maximized/EOL_t430-hotp-maximized.config
@@ -0,0 +1,81 @@
+# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use
+# Configuration for a T430 running Qubes 4.1 and other Linux Based OSes (through kexec)
+#
+# Includes 
+# - Deactivated+neutered ME and expanded consequent IFD BIOS regions 
+# - Forged 00:DE:AD:C0:FF:EE MAC address  (if not extracting gbe.bin from backup with blobs/xx30/extract.sh)
+#   - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
+#
+# - Includes Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=24.12
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-t430-maximized.config
+CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
+
+#Additional hardware support
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+CONFIG_MOBILE_TETHERING=y
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+
+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
+
+#Remote attestation support
+#TPM based requirements
+export CONFIG_TPM=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+CONFIG_HOTPKEY=y
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+
+#Nitrokey Storage admin tool
+CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools:
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOARD_NAME="Thinkpad T430-hotp-maximized"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
+
+#Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP
+BOARD_TARGETS := xx30_me_blobs
+
+# Generate split 4MB top / 8MB bottom ROMs
+BOARD_TARGETS += split_8mb4mb
diff --git a/boards/EOL_t430-maximized/EOL_t430-maximized.config b/boards/EOL_t430-maximized/EOL_t430-maximized.config
@@ -0,0 +1,81 @@
+# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use
+# Configuration for a T430 running Qubes 4.1 and other Linux Based OSes (through kexec)
+#
+# Includes 
+# - Deactivated+neutered ME and expanded consequent IFD BIOS regions 
+# - Forged 00:DE:AD:C0:FF:EE MAC address  (if not extracting gbe.bin from backup with blobs/xx30/extract.sh)
+#   - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
+#
+# - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=24.12
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-t430-maximized.config
+CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
+
+#Additional hardware support
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+CONFIG_MOBILE_TETHERING=y
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+
+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
+
+
+#Remote attestation support
+#TPM based requirements
+export CONFIG_TPM=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+#CONFIG_HOTPKEY=y
+
+#Nitrokey Storage admin tool
+CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools:
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOARD_NAME="Thinkpad T430-maximized"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
+
+#Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP
+BOARD_TARGETS := xx30_me_blobs
+
+# Generate split 4MB top / 8MB bottom ROMs
+BOARD_TARGETS += split_8mb4mb
diff --git a/boards/EOL_t480-hotp-maximized/EOL_t480-hotp-maximized.config b/boards/EOL_t480-hotp-maximized/EOL_t480-hotp-maximized.config
@@ -0,0 +1,100 @@
+# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use
+# Configuration for a T480 running Qubes 4.2.3 and other Linux Based OSes (through kexec)
+#
+# CAVEATS:
+# This board is vulnerable to a TPM reset attack, i.e. the PCRs are reset while the system is running.
+# This attack can be used to bypass measured boot when an attacker succeeds at modifying the SPI flash.
+# Also it can be used to extract FDE keys from a TPM.
+# The related coreboot issue contains more information: https://ticket.coreboot.org/issues/576
+# Make sure you understand the implications of the attack for your threat model before using this board.
+#
+# Includes
+# - Deactivated+neutered+deguarded ME and expanded consequent IFD BIOS regions 
+# - Forged GBE MAC address to 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx80/extract.sh)
+#   - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
+# - Flashable Thunderbolt tb.bin blob extracted from https://download.lenovo.com/pccbbs/mobiles/n24th13w.exe
+#   - It is zero-padded to 1MB and should be flashed to the Thunderbolt SPI chip,
+#     which is not the same as the 16MB chip to which the heads rom is flashed.
+#     External flashing is recommended as the only way to reliably fix a bug in the original Thunderbolt software on the SPI chip.
+#     You can find a guide here: https://osresearch.net/T430-maximized-flashing/
+#
+# - Includes Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=24.12
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-t480-maximized.config
+CONFIG_LINUX_CONFIG=config/linux-t480.config
+
+#On-demand hardware support (modules.cpio)
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+CONFIG_MOBILE_TETHERING=y
+
+#Modules packed into tools.cpio
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+
+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
+
+
+#Remote attestation support
+# TPM2 requirements
+CONFIG_TPM2_TSS=y
+CONFIG_OPENSSL=y
+#Remote Attestation common tools
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+CONFIG_HOTPKEY=y
+#Nitrokey Storage admin tool (deprecated)
+#CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools (tools.cpio):
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+
+#Runtime configuration
+#Automatically boot if HOTP is valid
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+#TPM2 requirements
+export CONFIG_TPM2_TOOLS=y
+export CONFIG_PRIMARY_KEY_TYPE=ecc
+#TPM1 requirements
+#export CONFIG_TPM=y
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOARD_NAME="Thinkpad T480-hotp-maximized"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
+
+#Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP
+BOARD_TARGETS := xx80_me_blobs
diff --git a/boards/EOL_t480-maximized/EOL_t480-maximized.config b/boards/EOL_t480-maximized/EOL_t480-maximized.config
@@ -0,0 +1,100 @@
+# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use
+# Configuration for a T480 running Qubes 4.2.3 and other Linux Based OSes (through kexec)
+#
+# CAVEATS:
+# This board is vulnerable to a TPM reset attack, i.e. the PCRs are reset while the system is running.
+# This attack can be used to bypass measured boot when an attacker succeeds at modifying the SPI flash.
+# Also it can be used to extract FDE keys from a TPM.
+# The related coreboot issue contains more information: https://ticket.coreboot.org/issues/576
+# Make sure you understand the implications of the attack for your threat model before using this board.
+#
+# Includes
+# - Deactivated+neutered+deguarded ME and expanded consequent IFD BIOS regions 
+# - Forged GBE MAC address to 00:DE:AD:C0:FF:EE MAC address (if not extracting gbe.bin from backup with blobs/xx80/extract.sh)
+#   - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
+# - Flashable Thunderbolt tb.bin blob extracted from https://download.lenovo.com/pccbbs/mobiles/n24th13w.exe
+#   - It is zero-padded to 1MB and should be flashed to the Thunderbolt SPI chip,
+#     which is not the same as the 16MB chip to which the heads rom is flashed.
+#     External flashing is recommended as the only way to reliably fix a bug in the original Thunderbolt software on the SPI chip.
+#     You can find a guide here: https://osresearch.net/T430-maximized-flashing/
+#
+# - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=24.12
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-t480-maximized.config
+CONFIG_LINUX_CONFIG=config/linux-t480.config
+
+#On-demand hardware support (modules.cpio)
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+CONFIG_MOBILE_TETHERING=y
+
+#Modules packed into tools.cpio
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+
+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
+
+
+#Remote attestation support
+# TPM2 requirements
+CONFIG_TPM2_TSS=y
+CONFIG_OPENSSL=y
+#Remote Attestation common tools
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+#CONFIG_HOTPKEY=y
+#Nitrokey Storage admin tool (deprecated)
+#CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools (tools.cpio):
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+
+#Runtime configuration
+#Automatically boot if HOTP is valid
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+#TPM2 requirements
+export CONFIG_TPM2_TOOLS=y
+export CONFIG_PRIMARY_KEY_TYPE=ecc
+#TPM1 requirements
+#export CONFIG_TPM=y
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOARD_NAME="Thinkpad T480-maximized"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
+
+#Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP
+BOARD_TARGETS := xx80_me_blobs
diff --git a/...hotp-maximized/w530-hotp-maximized.config → ...-maximized/EOL_w530-hotp-maximized.config b/...hotp-maximized/w530-hotp-maximized.config → ...-maximized/EOL_w530-hotp-maximized.config
@@ -1,3 +1,4 @@
+# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use
 # Configuration for a W530 running Qubes and other Linux Based OSes (through kexec)
 #
 # Includes 
@@ -8,18 +9,19 @@
 # - Includes Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
 # This board ignores the in-built dGPU that comes with all w530's. In doing so the dGPU will not be initialized. This has some benefits in terms of reduced complexity in working with OS's with poor support for NVIDIA, better battery life and lower heat (making use of the thicker heatsink from a dGPU). Conversely, if you do not initialize the dGPU you will be unable to use an external monitor. To initialize the dGPU please use the dGPU boards that corresponds with the model of dGPU included with your device.
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=4.19
-export CONFIG_LINUX_VERSION=5.10.5
+export CONFIG_COREBOOT_VERSION=24.12
+export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_COREBOOT_CONFIG=config/coreboot-w530-maximized.config
 CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
 
 #Additional hardware support
 CONFIG_LINUX_USB=y
 CONFIG_LINUX_E1000E=y
+CONFIG_MOBILE_TETHERING=y
 
 CONFIG_CRYPTSETUP2=y
-CONFIG_FLASHROM=y
+CONFIG_FLASHPROG=y
 CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
 CONFIG_KEXEC=y
@@ -30,7 +32,7 @@ CONFIG_PCIUTILS=y
 
 #platform locking finalization (PR0)
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 
 #Remote attestation support
@@ -42,6 +44,7 @@ CONFIG_TPMTOTP=y
 #HOTP based remote attestation for supported USB Security dongle
 #With/Without TPM support
 CONFIG_HOTPKEY=y
+export CONFIG_AUTO_BOOT_TIMEOUT=5
 
 #Nitrokey Storage admin tool
 CONFIG_NKSTORECLI=n
@@ -58,41 +61,23 @@ CONFIG_FBWHIPTAIL=y
 #SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
 CONFIG_DROPBEAR=y
 
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
-export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
-export CONFIG_BOOT_KERNEL_REMOVE="quiet"
-export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
 export CONFIG_BOARD_NAME="Thinkpad W530-hotp-maximized"
-export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
 
-# xx30-*-maximized boards require of you initially call one of the
-#  following to have gbe.bin ifd.bin and me.bin
-#  - blobs/xx30/download_clean_me.sh
-#     To download Lenovo original ME binary, neuter+deactivate ME, produce
-#      reduced IFD ME region and expanded BIOS IFD region.
-#  - blobs/xx30/extract.sh
-#     To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
-#
-# This board has two SPI flash chips, an 8 MB that holds the IFD,
-# the ME image and part of the coreboot image, and a 4 MB one that
-# has the rest of the coreboot and the reset vector.
-#   
-# As a consequence, this replaces the need of having to flash t530-flash 
-#  and expands available CBFS region (11.5Mb available CBFS space)
-#
-# When flashing via an external programmer it is easiest to have
-# two separate files for these pieces.
-all: $(board_build)/$(CB_OUTPUT_FILE)
-	@sha256sum $@ | tee -a "$(HASHES)"
-
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
+#Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP
+BOARD_TARGETS := xx30_me_blobs
 
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
+# Generate split 4MB top / 8MB bottom ROMs
+BOARD_TARGETS += split_8mb4mb
diff --git a/boards/w530-maximized/w530-maximized.config → ..._w530-maximized/EOL_w530-maximized.config b/boards/w530-maximized/w530-maximized.config → ..._w530-maximized/EOL_w530-maximized.config
@@ -1,3 +1,4 @@
+# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use
 # Configuration for a W530 running Qubes and other Linux Based OSes (through kexec)
 #
 # Includes 
@@ -8,18 +9,19 @@
 # - Includes Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
 # This board ignores the in-built dGPU that comes with all w530's. In doing so the dGPU will not be initialized. This has some benefits in terms of reduced complexity in working with OS's with poor support for NVIDIA, better battery life and lower heat (making use of the thicker heatsink from a dGPU). Conversely, if you do not initialize the dGPU you will be unable to use an external monitor. To initialize the dGPU please use the dGPU boards that corresponds with the model of dGPU included with your device.
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=4.19
-export CONFIG_LINUX_VERSION=5.10.5
+export CONFIG_COREBOOT_VERSION=24.12
+export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_COREBOOT_CONFIG=config/coreboot-w530-maximized.config
 CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
 
 #Additional hardware support
 CONFIG_LINUX_USB=y
 CONFIG_LINUX_E1000E=y
+CONFIG_MOBILE_TETHERING=y
 
 CONFIG_CRYPTSETUP2=y
-CONFIG_FLASHROM=y
+CONFIG_FLASHPROG=y
 CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
 CONFIG_KEXEC=y
@@ -30,7 +32,7 @@ CONFIG_PCIUTILS=y
 
 #platform locking finalization (PR0)
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 
 #Remote attestation support
@@ -58,41 +60,23 @@ CONFIG_FBWHIPTAIL=y
 #SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
 CONFIG_DROPBEAR=y
 
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
-export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
-export CONFIG_BOOT_KERNEL_REMOVE="quiet"
-export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
 export CONFIG_BOARD_NAME="Thinkpad W530-maximized"
-export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
 
-# xx30-*-maximized boards require of you initially call one of the
-#  following to have gbe.bin ifd.bin and me.bin
-#  - blobs/xx30/download_clean_me.sh
-#     To download Lenovo original ME binary, neuter+deactivate ME, produce
-#      reduced IFD ME region and expanded BIOS IFD region.
-#  - blobs/xx30/extract.sh
-#     To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
-#
-# This board has two SPI flash chips, an 8 MB that holds the IFD,
-# the ME image and part of the coreboot image, and a 4 MB one that
-# has the rest of the coreboot and the reset vector.
-#   
-# As a consequence, this replaces the need of having to flash t530-flash 
-#  and expands available CBFS region (11.5Mb available CBFS space)
-#
-# When flashing via an external programmer it is easiest to have
-# two separate files for these pieces.
-all: $(board_build)/$(CB_OUTPUT_FILE)
-	@sha256sum $@ | tee -a "$(HASHES)"
-
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
+#Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP
+BOARD_TARGETS := xx30_me_blobs
 
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
+# Generate split 4MB top / 8MB bottom ROMs
+BOARD_TARGETS += split_8mb4mb
diff --git a/...hotp-maximized/x220-hotp-maximized.config → ...-maximized/EOL_x220-hotp-maximized.config b/...hotp-maximized/x220-hotp-maximized.config → ...-maximized/EOL_x220-hotp-maximized.config
@@ -1,3 +1,4 @@
+# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use
 # Configuration for a X220 running Qubes 4.1 and other Linux Based OSes (through kexec)
 #
 # Includes
@@ -9,18 +10,22 @@
 # - dropbear
 
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=4.19
-export CONFIG_LINUX_VERSION=5.10.5
+export CONFIG_COREBOOT_VERSION=24.12
+export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_COREBOOT_CONFIG=config/coreboot-x220-maximized.config
 CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
 
+#EXPLICITELY DEACTIVATE KBD + loadkeys + keymap support since sandy bridge based laptops with 8Mb SPI is not big enough
+CONFIG_KBD=n
+
 #Additional hardware support
 CONFIG_LINUX_USB=y
 CONFIG_LINUX_E1000E=y
+CONFIG_MOBILE_TETHERING=y
 
 CONFIG_CRYPTSETUP2=y
-CONFIG_FLASHROM=y
+CONFIG_FLASHPROG=y
 CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
 CONFIG_KEXEC=y
@@ -31,8 +36,7 @@ CONFIG_PCIUTILS=y
 
 #platform locking finalization (PR0)
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
-
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 #Remote attestation support
 #TPM based requirements
@@ -43,6 +47,7 @@ CONFIG_TPMTOTP=y
 #HOTP based remote attestation for supported USB Security dongle
 #With/Without TPM support
 CONFIG_HOTPKEY=y
+export CONFIG_AUTO_BOOT_TIMEOUT=5
 
 #Nitrokey Storage admin tool
 CONFIG_NKSTORECLI=n
@@ -59,15 +64,20 @@ CONFIG_FBWHIPTAIL=y
 #SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
 CONFIG_DROPBEAR=n
 
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
-export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
-export CONFIG_BOOT_KERNEL_REMOVE="quiet"
-export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
 export CONFIG_BOARD_NAME="ThinkPad X220-hotp-maximized"
-export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:ich_spi_mode=hwseq"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal:ich_spi_mode=hwseq"
 
-# xx20 boards require of you initially call one of the following to habe gbe.bin ifd.bin and me.bin
-#  - blobs/xx20/download_parse_me.sh
-#     To download Lenovo update ME binary, neuter+deactivate ME, produce reduced IFD ME region and expended BIOS IFD region.
+#Include bits related to sandybridge ME blob download/neutering down to BUP
+BOARD_TARGETS := xx20_me_blobs
diff --git a/boards/x220-maximized/x220-maximized.config → ..._x220-maximized/EOL_x220-maximized.config b/boards/x220-maximized/x220-maximized.config → ..._x220-maximized/EOL_x220-maximized.config
@@ -1,3 +1,4 @@
+# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use
 # Configuration for a X220 running Qubes 4.1 and other Linux Based OSes (through kexec)
 #
 # Includes
@@ -9,18 +10,22 @@
 # - dropbear
 
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=4.19
-export CONFIG_LINUX_VERSION=5.10.5
+export CONFIG_COREBOOT_VERSION=24.12
+export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_COREBOOT_CONFIG=config/coreboot-x220-maximized.config
 CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
 
+#EXPLICITELY DEACTIVATE KBD + loadkeys + keymap support since sandy bridge based laptops with 8Mb SPI is not big enough
+CONFIG_KBD=n
+
 #Additional hardware support
 CONFIG_LINUX_USB=y
 CONFIG_LINUX_E1000E=y
+CONFIG_MOBILE_TETHERING=y
 
 CONFIG_CRYPTSETUP2=y
-CONFIG_FLASHROM=y
+CONFIG_FLASHPROG=y
 CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
 CONFIG_KEXEC=y
@@ -31,8 +36,7 @@ CONFIG_PCIUTILS=y
 
 #platform locking finalization (PR0)
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
-
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 #Remote attestation support
 #TPM based requirements
@@ -59,15 +63,20 @@ CONFIG_FBWHIPTAIL=y
 #SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
 CONFIG_DROPBEAR=n
 
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
-export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
-export CONFIG_BOOT_KERNEL_REMOVE="quiet"
-export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
 export CONFIG_BOARD_NAME="ThinkPad X220-maximized"
-export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:ich_spi_mode=hwseq"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal:ich_spi_mode=hwseq"
 
-# xx20 boards require of you initially call one of the following to habe gbe.bin ifd.bin and me.bin
-#  - blobs/xx20/download_parse_me.sh
-#     To download Lenovo update ME binary, neuter+deactivate ME, produce reduced IFD ME region and expended BIOS IFD region.
+#Include bits related to sandybridge ME blob download/neutering down to BUP
+BOARD_TARGETS += xx20_me_blobs
diff --git a/...hd_edp/x230-hotp-maximized-fhd_edp.config → ...dp/EOL_x230-hotp-maximized-fhd_edp.config b/...hd_edp/x230-hotp-maximized-fhd_edp.config → ...dp/EOL_x230-hotp-maximized-fhd_edp.config
@@ -1,3 +1,4 @@
+# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use
 # Configuration for a X230 running Qubes 4.1 and other Linux Based OSes (through kexec)
 #
 # Based on https://review.coreboot.org/c/coreboot/+/28950 for FHD mod
@@ -19,20 +20,22 @@
 #
 # - Includes: Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=4.19
-export CONFIG_LINUX_VERSION=5.10.5
+export CONFIG_COREBOOT_VERSION=24.12
+export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_COREBOOT_CONFIG=config/coreboot-x230-maximized-fhd_edp.config
 CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
 
 #Additional hardware support
 CONFIG_LINUX_USB=y
 CONFIG_LINUX_E1000E=y
+CONFIG_MOBILE_TETHERING=y
 
 CONFIG_CRYPTSETUP2=y
-CONFIG_FLASHROM=y
+CONFIG_FLASHPROG=y
 CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
+CONFIG_KBD=y
 CONFIG_KEXEC=y
 CONFIG_UTIL_LINUX=y
 CONFIG_LVM2=y
@@ -41,7 +44,7 @@ CONFIG_PCIUTILS=y
 
 #platform locking finalization (PR0)
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 
 #Remote attestation support
@@ -53,6 +56,7 @@ CONFIG_TPMTOTP=y
 #HOTP based remote attestation for supported USB Security dongle
 #With/Without TPM support
 CONFIG_HOTPKEY=y
+export CONFIG_AUTO_BOOT_TIMEOUT=5
 
 #Nitrokey Storage admin tool
 CONFIG_NKSTORECLI=n
@@ -69,41 +73,23 @@ CONFIG_FBWHIPTAIL=y
 #SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
 CONFIG_DROPBEAR=y
 
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
-export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
-export CONFIG_BOOT_KERNEL_REMOVE="quiet"
-export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
 export CONFIG_BOARD_NAME="Thinkpad X230-hotp-maximized-eDP"
-export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
 
-# xx30-*-maximized boards require of you initially call one of the
-#  following to have gbe.bin ifd.bin and me.bin
-#  - blobs/xx30/download_clean_me.sh
-#     To download Lenovo original ME binary, neuter+deactivate ME, produce
-#      reduced IFD ME region and expanded BIOS IFD region.
-#  - blobs/xx30/extract.sh
-#     To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
-#
-# This board has two SPI flash chips, an 8 MB that holds the IFD,
-# the ME image and part of the coreboot image, and a 4 MB one that
-# has the rest of the coreboot and the reset vector.
-#   
-# As a consequence, this replaces the need of having to flash x230-flash 
-#  and expands available CBFS region (11.5Mb available CBFS space)
-#
-# When flashing via an external programmer it is easiest to have
-# two separate files for these pieces.
-all: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
-	@sha256sum $@ | tee -a "$(HASHES)"
-
-all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
-$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
-	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
+#Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP
+BOARD_TARGETS := xx30_me_blobs
 
-all: $(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
-$(build)/$(BOARD)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(build)/$(BOARD)/$(CB_OUTPUT_FILE)
-	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
+# Generate split 4MB top / 8MB bottom ROMs
+BOARD_TARGETS += split_8mb4mb
diff --git a/boards/EOL_x230-hotp-maximized/EOL_x230-hotp-maximized.config b/boards/EOL_x230-hotp-maximized/EOL_x230-hotp-maximized.config
@@ -0,0 +1,93 @@
+# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use
+# Configuration for a X230 running Qubes 4.1 and other Linux Based OSes (through kexec)
+#
+# Includes 
+# - Deactivated+neutered ME and expanded consequent IFD BIOS regions 
+# - Forged 00:DE:AD:C0:FF:EE MAC address  (if not extracting gbe.bin from backup with blobs/xx30/extract.sh)
+#   - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
+#
+# - Includes: Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=24.12
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-x230-maximized.config
+CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
+
+#On-demand hardware support (modules.cpio)
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+CONFIG_MOBILE_TETHERING=y
+
+#Modules packed into tools.cpio
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+#Runtime tools to write to MSR
+#CONFIG_MSRTOOLS=y
+#Remote attestation support
+# TPM2 requirements
+#CONFIG_TPM2_TSS=y
+#CONFIG_OPENSSL=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+CONFIG_HOTPKEY=y
+
+
+#platform locking finalization (PR0)
+# This prevents SPI from being writeable outside of Heads
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
+
+#Nitrokey Storage admin tool (deprecated)
+#CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools (tools.cpio):
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+
+#Runtime configuration
+#Automatically boot if HOTP is valid
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+#TPM2 requirements
+#export CONFIG_TPM2_TOOLS=y
+#export CONFIG_PRIMARY_KEY_TYPE=ecc
+#TPM1 requirements
+export CONFIG_TPM=y
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOARD_NAME="Thinkpad X230-hotp-maximized"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
+
+#Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP
+BOARD_TARGETS := xx30_me_blobs
+
+# Generate split 4MB top / 8MB bottom ROMs
+BOARD_TARGETS += split_8mb4mb
diff --git a/boards/EOL_x230-hotp-maximized_usb-kb/EOL_x230-hotp-maximized_usb-kb.config b/boards/EOL_x230-hotp-maximized_usb-kb/EOL_x230-hotp-maximized_usb-kb.config
@@ -0,0 +1,87 @@
+# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use
+# Configuration for a X230 running Qubes 4.1 and other Linux Based OSes (through kexec)
+#
+# Includes 
+# - Deactivated+neutered ME and expanded consequent IFD BIOS regions 
+# - Forged 00:DE:AD:C0:FF:EE MAC address  (if not extracting gbe.bin from backup with blobs/xx30/extract.sh)
+#   - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
+#
+# - Includes: 
+# 	Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
+# 	USB Keyboard support
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=24.12
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-x230-maximized.config
+CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
+
+#Additional hardware support
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+CONFIG_MOBILE_TETHERING=y
+
+#Additional features
+export CONFIG_USB_KEYBOARD_REQUIRED=y
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+
+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
+
+
+#Remote attestation support
+#TPM based requirements
+export CONFIG_TPM=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+CONFIG_HOTPKEY=y
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+
+#Nitrokey Storage admin tool
+CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools:
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOARD_NAME="Thinkpad X230-hotp-maximized_usb-kb"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
+
+#Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP
+BOARD_TARGETS := xx30_me_blobs
+
+# Generate split 4MB top / 8MB bottom ROMs
+BOARD_TARGETS += split_8mb4mb
diff --git a/...zed-fhd_edp/x230-maximized-fhd_edp.config → ...fhd_edp/EOL_x230-maximized-fhd_edp.config b/...zed-fhd_edp/x230-maximized-fhd_edp.config → ...fhd_edp/EOL_x230-maximized-fhd_edp.config
@@ -1,3 +1,4 @@
+# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use
 # Configuration for a X230 running Qubes 4.1 and other Linux Based OSes (through kexec)
 #
 # Based on https://review.coreboot.org/c/coreboot/+/28950 for FHD mod
@@ -19,20 +20,22 @@
 #
 # - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=4.19
-export CONFIG_LINUX_VERSION=5.10.5
+export CONFIG_COREBOOT_VERSION=24.12
+export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_COREBOOT_CONFIG=config/coreboot-x230-maximized-fhd_edp.config
 CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
 
 #Additional hardware support
 CONFIG_LINUX_USB=y
 CONFIG_LINUX_E1000E=y
+CONFIG_MOBILE_TETHERING=y
 
 CONFIG_CRYPTSETUP2=y
-CONFIG_FLASHROM=y
+CONFIG_FLASHPROG=y
 CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
+CONFIG_KBD=y
 CONFIG_KEXEC=y
 CONFIG_UTIL_LINUX=y
 CONFIG_LVM2=y
@@ -41,7 +44,7 @@ CONFIG_PCIUTILS=y
 
 #platform locking finalization (PR0)
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 
 #Remote attestation support
@@ -69,41 +72,23 @@ CONFIG_FBWHIPTAIL=y
 #SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
 CONFIG_DROPBEAR=y
 
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
-export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
-export CONFIG_BOOT_KERNEL_REMOVE="quiet"
-export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
 export CONFIG_BOARD_NAME="Thinkpad X230-maximized-eDP"
-export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
 
-# xx30-*-maximized boards require of you initially call one of the
-#  following to have gbe.bin ifd.bin and me.bin
-#  - blobs/xx30/download_clean_me.sh
-#     To download Lenovo original ME binary, neuter+deactivate ME, produce
-#      reduced IFD ME region and expanded BIOS IFD region.
-#  - blobs/xx30/extract.sh
-#     To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs.
-#
-# This board has two SPI flash chips, an 8 MB that holds the IFD,
-# the ME image and part of the coreboot image, and a 4 MB one that
-# has the rest of the coreboot and the reset vector.
-#   
-# As a consequence, this replaces the need of having to flash x230-flash 
-#  and expands available CBFS region (11.5Mb available CBFS space)
-#
-# When flashing via an external programmer it is easiest to have
-# two separate files for these pieces.
-all: $(board_build)/$(CB_OUTPUT_FILE)
-	@sha256sum $@ | tee -a "$(HASHES)"
-
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
+#Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP
+BOARD_TARGETS := xx30_me_blobs
 
-all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom
-$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE)
-	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
-	@sha256sum $@ | tee -a "$(HASHES)"
+# Generate split 4MB top / 8MB bottom ROMs
+BOARD_TARGETS += split_8mb4mb
diff --git a/boards/EOL_x230-maximized/EOL_x230-maximized.config b/boards/EOL_x230-maximized/EOL_x230-maximized.config
@@ -0,0 +1,81 @@
+# WARNING: This system remains perpetually vulnerable to Spectre v2 (CVE-2017-5715). Mitigations and microcode updates previously applied are now known to be ineffective due to QSB-107 and related CVEs. If Spectre v2 is a concern in your threat model, consider migrating to a platform with ongoing microcode support. Proper OPSEC for Memory Use MUST be followed:https://www.anarsec.guide/posts/qubes/#appendix-opsec-for-memory-use
+# Configuration for a X230 running Qubes 4.1 and other Linux Based OSes (through kexec)
+#
+# Includes 
+# - Deactivated+neutered ME and expanded consequent IFD BIOS regions 
+# - Forged 00:DE:AD:C0:FF:EE MAC address  (if not extracting gbe.bin from backup with blobs/xx30/extract.sh)
+#   - Note that this MAC address can be modified under build/coreboot-VER/util/bincfg/gbe-82579LM.set
+#
+# - DOES NOT INCLUDE Nitrokey/Librem Key HOTP Security dongle remote attestation (in addition to TOTP remote attestation through Qr Code)
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=24.12
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-x230-maximized.config
+CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
+
+#Additional hardware support
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+CONFIG_MOBILE_TETHERING=y
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+
+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
+
+
+#Remote attestation support
+#TPM based requirements
+export CONFIG_TPM=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+#CONFIG_HOTPKEY=y
+
+#Nitrokey Storage admin tool
+CONFIG_NKSTORECLI=n
+
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+#Additional tools:
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOARD_NAME="Thinkpad X230-maximized"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
+
+#Include bits related to ivybridge ME blob download/neutering down to BUP+ROMP
+BOARD_TARGETS := xx30_me_blobs
+
+# Generate split 4MB top / 8MB bottom ROMs
+BOARD_TARGETS += split_8mb4mb
diff --git a/...-whiptail/kgpe-d16_server-whiptail.config → ...AINTAINED_kgpe-d16_server-whiptail.config b/...-whiptail/kgpe-d16_server-whiptail.config → ...AINTAINED_kgpe-d16_server-whiptail.config
@@ -19,13 +19,13 @@
 
 export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=4.11
-export CONFIG_LINUX_VERSION=5.10.5
+export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16_server-whiptail.config
 CONFIG_LINUX_CONFIG=config/linux-kgpe-d16_server-whiptail.config
 
-CONFIG_CRYPTSETUP=y
-CONFIG_FLASHROM=y
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
 CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
 CONFIG_KEXEC=y
@@ -51,6 +51,13 @@ export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
 
 export CONFIG_TPM=y
 #BOOT SCRIPT SELECTION
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
 #export CONFIG_BOOTSCRIPT=/bin/generic-init
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 #export CONFIG_BOOTSCRIPT_NETWORK=/bin/network-init-recovery
@@ -70,8 +77,7 @@ export CONFIG_BOOT_STATIC_IP=192.168.2.3
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_REMOVE="plymouth.ignore-serial-consoles"
-export CONFIG_BOOT_DEV="/dev/sda1"
 export CONFIG_BOARD_NAME="KGPE-D16 Server-whiptail"
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"
-export CONFIG_FLASHROM_OPTIONS="--force --noverify -p internal"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
 #export CONFIG_BOOT_STATIC_IP=192.168.1.2
diff --git a/...ds/kgpe-d16_server/kgpe-d16_server.config → ...erver/UNMAINTAINED_kgpe-d16_server.config b/...ds/kgpe-d16_server/kgpe-d16_server.config → ...erver/UNMAINTAINED_kgpe-d16_server.config
@@ -17,13 +17,15 @@
 # - Please support https://github.com/osresearch/heads/issues/719
 export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=4.11
-export CONFIG_LINUX_VERSION=5.10.5
+export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16_server.config
 CONFIG_LINUX_CONFIG=config/linux-kgpe-d16_server.config
 
-CONFIG_CRYPTSETUP=y
-CONFIG_FLASHROM=y
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+#flashprog to support internal flashing of BMC
+CONFIG_FLASHPROG_AST1100=y
 CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
 CONFIG_KEXEC=y
@@ -41,6 +43,13 @@ CONFIG_LINUX_E1000E=y
 export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
 
 export CONFIG_TPM=y
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
 #BOOT SCRIPT SELECTION
 export CONFIG_BOOTSCRIPT=/bin/generic-init
 #export CONFIG_BOOTSCRIPT_NETWORK=/bin/network-init-recovery
@@ -56,9 +65,8 @@ export CONFIG_BOOT_STATIC_IP=192.168.2.3
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_REMOVE="plymouth.ignore-serial-consoles"
-export CONFIG_BOOT_DEV="/dev/sda1"
 export CONFIG_BOARD_NAME="KGPE-D16 Server"
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"
 
-export CONFIG_FLASHROM_OPTIONS="--force --noverify -p internal"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
 #export CONFIG_BOOT_STATIC_IP=192.168.1.2
diff --git a/.../kgpe-d16_workstation-usb_keyboard.config → ..._kgpe-d16_workstation-usb_keyboard.config b/.../kgpe-d16_workstation-usb_keyboard.config → ..._kgpe-d16_workstation-usb_keyboard.config
@@ -13,13 +13,13 @@
 
 export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=4.11
-export CONFIG_LINUX_VERSION=5.10.5
+export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16_workstation-usb_keyboard.config
 CONFIG_LINUX_CONFIG=config/linux-kgpe-d16_workstation.config
 
-CONFIG_CRYPTSETUP=y
-CONFIG_FLASHROM=y
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
 CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
 CONFIG_KEXEC=y
@@ -44,11 +44,18 @@ CONFIG_LINUX_E1000E=y
 export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
 
 #Enable USB Keyboard support
-export CONFIG_USB_KEYBOARD=y
+export CONFIG_USB_KEYBOARD_REQUIRED=y
 
 export CONFIG_TPM=y
 #BOOT SCRIPT SELECTION
 #export CONFIG_BOOTSCRIPT=/bin/generic-init
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 #export CONFIG_BOOTSCRIPT_NETWORK=/bin/network-init-recovery
 
@@ -65,7 +72,6 @@ export CONFIG_BOOT_KERNEL_ADD="nohz=on nouveau.config=NvForcePost=1"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 #export CONFIG_BOOT_KERNEL_REMOVE="plymouth.ignore-serial-consoles"
-export CONFIG_BOOT_DEV="/dev/sda1"
 export CONFIG_BOARD_NAME="KGPE-D16 Workstation-USB-Keyboard"
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"
-export CONFIG_FLASHROM_OPTIONS="--force --noverify -p internal"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
diff --git a/...6_workstation/kgpe-d16_workstation.config → .../UNMAINTAINED_kgpe-d16_workstation.config b/...6_workstation/kgpe-d16_workstation.config → .../UNMAINTAINED_kgpe-d16_workstation.config
@@ -17,13 +17,13 @@
 
 export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=4.11
-export CONFIG_LINUX_VERSION=5.10.5
+export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16_workstation.config
 CONFIG_LINUX_CONFIG=config/linux-kgpe-d16_workstation.config
 
-CONFIG_CRYPTSETUP=y
-CONFIG_FLASHROM=y
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
 CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
 CONFIG_KEXEC=y
@@ -50,6 +50,13 @@ export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
 export CONFIG_TPM=y
 #BOOT SCRIPT SELECTION
 #export CONFIG_BOOTSCRIPT=/bin/generic-init
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 #export CONFIG_BOOTSCRIPT_NETWORK=/bin/network-init-recovery
 
@@ -66,7 +73,6 @@ export CONFIG_BOOT_KERNEL_ADD="nohz=on nouveau.config=NvForcePost=1"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 #export CONFIG_BOOT_KERNEL_REMOVE="plymouth.ignore-serial-consoles"
-export CONFIG_BOOT_DEV="/dev/sda1"
 export CONFIG_BOARD_NAME="KGPE-D16 Workstation"
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"
-export CONFIG_FLASHROM_OPTIONS="--force --noverify -p internal"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
diff --git a/boards/UNTESTED_nitropad-ns50/UNTESTED_nitropad-ns50.config b/boards/UNTESTED_nitropad-ns50/UNTESTED_nitropad-ns50.config
@@ -0,0 +1,81 @@
+# Nitrokey Nitropad NS51 board configuration
+# Note: for reference, other GOP enabled FB board is librem_11
+#
+# Docs:
+#  Dissassembly and Recovery: https://docs.dasharo.com/unified/novacustom/recovery/#ns5x7x-12th-gen
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=dasharo
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-nitropad-ns50.config
+CONFIG_LINUX_CONFIG=config/linux-novacustom-common.config
+
+#On-demand hardware support (modules.cpio)
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000=y
+CONFIG_MOBILE_TETHERING=y
+
+#Modules packed into tools.cpio
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+
+#TODO: readd when tested
+#platform locking finalization (PR0)
+#CONFIG_IO386=y
+#export CONFIG_FINALIZE_PLATFORM_LOCKING=y
+
+
+#Remote attestation support
+# TPM2 requirements
+CONFIG_TPM2_TSS=y
+CONFIG_OPENSSL=y
+#Remote Attestation common tools
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+CONFIG_HOTPKEY=y
+#Nitrokey Storage admin tool (deprecated)
+#CONFIG_NKSTORECLI=n
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+#Additional tools (tools.cpio):
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+
+#Runtime configuration
+#Automatically boot if HOTP is valid
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+#TPM2 requirements
+export CONFIG_TPM2_TOOLS=y
+export CONFIG_PRIMARY_KEY_TYPE=ecc
+#TPM1 requirements
+#export CONFIG_TPM=y
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOARD_NAME="Nitropad NS50"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
diff --git a/boards/talos-2/talos-2.config → .../UNTESTED_talos-2/UNTESTED_talos-2.config b/boards/talos-2/talos-2.config → .../UNTESTED_talos-2/UNTESTED_talos-2.config
@@ -4,7 +4,10 @@ CONFIG_TARGET_ARCH=ppc64
 
 export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=talos_2
-export CONFIG_LINUX_VERSION=5.5-openpower
+export CONFIG_LINUX_VERSION=6.6.16-openpower
+
+#EXPLICITELY DEACTIVATE KBD + loadkeys + keymap support since doesn't build for now and nobody known to use talos-2
+CONFIG_KBD=n
 
 CONFIG_COREBOOT_CONFIG=config/coreboot-talos-2.config
 CONFIG_COREBOOT_ROM=coreboot.rom.signed.ecc
@@ -21,7 +24,7 @@ CONFIG_QRENCODE=y
 CONFIG_TPMTOTP=y
 CONFIG_GPG2=y
 CONFIG_PCIUTILS=y
-CONFIG_FLASHROM=y
+CONFIG_FLASHPROG=y
 CONFIG_FLASHTOOLS=y
 CONFIG_POWERPC_UTILS=y
 
@@ -37,33 +40,23 @@ CONFIG_DROPBEAR=y
 
 # for OpenBMC VGA console
 export CONFIG_USE_AGETTY=y
-export CONFIG_USB_KEYBOARD=y
+export CONFIG_USB_KEYBOARD_REQUIRED=y
 export CONFIG_BOOT_EXTRA_TTYS="tty0"
 
 export CONFIG_TPM=y
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
 export CONFIG_BOOTSCRIPT=/bin/talos-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_REMOVE="quiet"
 export CONFIG_BOOT_KERNEL_ADD="console=tty0 console=hvc0 rootdelay=3 rootwait panic=10"
-export CONFIG_BOOT_DEV="/dev/nvme0n1p2"
 export CONFIG_BOARD_NAME="Talos 2"
-export CONFIG_FLASHROM_OPTIONS="--noverify-all -p linux_mtd"
-
-OUTPUT_PREFIX	:= heads-$(BOARD)-$(HEADS_GIT_VERSION)
-BUNDLED_LINUX	:= $(OUTPUT_PREFIX)-zImage.bundled
-OUTPUT_FILES	:= $(CB_OUTPUT_FILE) $(CB_BOOTBLOCK_FILE) $(BUNDLED_LINUX)
-
-all: $(board_build)/$(BUNDLED_LINUX)
-$(board_build)/$(BUNDLED_LINUX): $(board_build)/zImage.bundled
-	$(call do-copy,$<,$@)
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer linux_mtd"
 
-all: $(board_build)/$(OUTPUT_PREFIX).tgz
-$(board_build)/$(OUTPUT_PREFIX).tgz: \
-	$(addprefix $(board_build)/,$(OUTPUT_FILES))
-	rm -rf $(board_build)/pkg # cleanup in case directory exists
-	mkdir $(board_build)/pkg
-	cp $^ $(board_build)/pkg
-	cd $(board_build)/pkg && sha256sum * > hashes.txt
-	cd $(board_build)/pkg && tar zcf $@ *
-	rm -r $(board_build)/pkg
+BOARD_TARGETS := ppc_tgz
diff --git a/boards/librem_11/initrd/etc/board_keys.map b/boards/librem_11/initrd/etc/board_keys.map
@@ -0,0 +1,5 @@
+keymaps 0-2,4-5,8,12
+# Use volume and power keys on tablet to navigate menus
+keycode 114 = Up
+keycode 115 = Down
+keycode 116 = Return
diff --git a/boards/librem_11/librem_11.config b/boards/librem_11/librem_11.config
@@ -0,0 +1,55 @@
+# Configuration for librem_11
+CONFIG_LINUX_CONFIG=config/linux-librem_common-6.1.8.config
+CONFIG_COREBOOT_CONFIG=config/coreboot-librem_11.config
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=purism
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_KBD=y
+CONFIG_KBD_LOADKEYS=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+CONFIG_HOTPKEY=y
+
+CONFIG_LINUX_USB=y
+CONFIG_MOBILE_TETHERING=y
+
+export CONFIG_TPM=n
+
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE=""
+export CONFIG_BOARD_NAME="Librem 11"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
+export CONFIG_USB_KEYBOARD_REQUIRED=y
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
+export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
+export CONFIG_ROOT_CHECK_AT_BOOT="n"
+
+# Librem 11 builds include firmware for integrated AX201 Wi-Fi, Bluetooth, and
+# graphics microcontroller.
+export CONFIG_SUPPORT_BLOB_JAIL=y
diff --git a/boards/librem_13v2/librem_13v2.config b/boards/librem_13v2/librem_13v2.config
diff --git a/boards/librem_13v4/librem_13v4.config b/boards/librem_13v4/librem_13v4.config
diff --git a/boards/librem_14/librem_14.config b/boards/librem_14/librem_14.config
@@ -1,14 +1,13 @@
 # Configuration for a librem 14
-CONFIG_LINUX_CONFIG=config/linux-librem_common.config
+CONFIG_LINUX_CONFIG=config/linux-librem_common-6.1.8.config
 CONFIG_COREBOOT_CONFIG=config/coreboot-librem_14.config
 
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=4.17
-export CONFIG_LINUX_VERSION=5.10.5
-export CONFIG_PURISM_BLOBS=y
+export CONFIG_COREBOOT_VERSION=purism
+export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_CRYPTSETUP2=y
-CONFIG_FLASHROM=y
+CONFIG_FLASHPROG=y
 CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
 CONFIG_KEXEC=y
@@ -25,17 +24,26 @@ CONFIG_FBWHIPTAIL=y
 CONFIG_HOTPKEY=y
 
 CONFIG_LINUX_USB=y
+CONFIG_MOBILE_TETHERING=y
 
 export CONFIG_TPM=y
-export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
 
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
-export CONFIG_BOOT_KERNEL_ADD="intel_iommu=igfx_off"
-export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
-export CONFIG_BOOT_DEV="/dev/nvme0n1p1"
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE=""
 export CONFIG_BOARD_NAME="Librem 14"
-export CONFIG_FLASHROM_OPTIONS="-p internal"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
 
 export CONFIG_AUTO_BOOT_TIMEOUT=5
+export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
+export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
+export CONFIG_ROOT_CHECK_AT_BOOT="n"
diff --git a/boards/librem_15v3/librem_15v3.config b/boards/librem_15v3/librem_15v3.config
diff --git a/boards/librem_15v4/librem_15v4.config b/boards/librem_15v4/librem_15v4.config
diff --git a/boards/librem_l1um/librem_l1um.config b/boards/librem_l1um/librem_l1um.config
diff --git a/boards/librem_l1um_v2/librem_l1um_v2.config b/boards/librem_l1um_v2/librem_l1um_v2.config
@@ -0,0 +1,54 @@
+# Configuration for librem_l1um_v2
+CONFIG_LINUX_CONFIG=config/linux-librem_common-6.1.8.config
+CONFIG_COREBOOT_CONFIG=config/coreboot-librem_l1um_v2.config
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=purism
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+CONFIG_HOTPKEY=y
+
+CONFIG_LINUX_USB=y
+CONFIG_MOBILE_TETHERING=y
+
+export CONFIG_TPM=y
+export CONFIG_TPM2_TOOLS=y
+CONFIG_TPM2_TSS=y
+CONFIG_OPENSSL=y
+CONFIG_PRIMARY_KEY_TYPE=ecc
+
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE="plymouth.ignore-serial-consoles"
+export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0"
+export CONFIG_BOARD_NAME="Librem Server L1UM v2"
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
+export CONFIG_USB_KEYBOARD_REQUIRED=y
+export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
+export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
+export CONFIG_ROOT_CHECK_AT_BOOT="n"
diff --git a/boards/librem_mini/initrd/bin/board-init.sh b/boards/librem_mini/initrd/bin/board-init.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+set -o pipefail
+
+. /tmp/config
+
+# If CONFIG_AUTOMATIC_POWERON is set, always set the EC BRAM setting during
+# boot.  It persists as long as the RTC battery is set, but set it during every
+# boot for robustness in case the battery is temporarily removed, or the user
+# toggles in config-gui and then does not flash, etc.
+if [ "$CONFIG_AUTOMATIC_POWERON" = "y" ]; then
+	set_ec_poweron.sh y
+fi
+
+# Don't disable the setting in the EC BRAM though if CONFIG_AUTOMATIC_POWERON
+# is not enabled.  The default is disabled anyway, and the OS could configure
+# it.
diff --git a/boards/librem_mini/initrd/bin/set_ec_poweron.sh b/boards/librem_mini/initrd/bin/set_ec_poweron.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Set the EC BRAM setting for automatic power-on.
+# If $1 is 'y', enable automatic power-on.  Otherwise, disable it.
+
+# EC BRAM bank 1
+BRAMADDR=0x360
+BRAMDATA=0x361
+
+if [ "$1" = "y" ]; then
+	BRAM_VALUE="0x00" # 0 -> automatic power-on
+else
+	BRAM_VALUE="0x01" # 1 -> stay off
+fi
+
+outb "$BRAMADDR" 0x29 # Select byte at offset 29h
+outb "$BRAMDATA" "$BRAM_VALUE"
+# There's also a 16-bit checksum at offset 3eh in bank 1.  The only byte
+# included in the checksum is the automatic power-on setting, so the value is
+# the same, and the upper 8 bits remain 0.
+outb "$BRAMADDR" 0x3e
+outb "$BRAMDATA" "$BRAM_VALUE"
diff --git a/boards/librem_mini/librem_mini.config b/boards/librem_mini/librem_mini.config
@@ -1,16 +1,17 @@
 # Configuration for a librem mini
-CONFIG_LINUX_CONFIG=config/linux-librem_common.config
+CONFIG_LINUX_CONFIG=config/linux-librem_common-6.1.8.config
 CONFIG_COREBOOT_CONFIG=config/coreboot-librem_mini.config
 
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=4.17
-export CONFIG_LINUX_VERSION=5.10.5
-export CONFIG_PURISM_BLOBS=y
+export CONFIG_COREBOOT_VERSION=purism
+export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_CRYPTSETUP2=y
-CONFIG_FLASHROM=y
+CONFIG_FLASHPROG=y
 CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
+CONFIG_IOPORT=y
+CONFIG_KBD=y
 CONFIG_KEXEC=y
 CONFIG_UTIL_LINUX=y
 CONFIG_LVM2=y
@@ -25,17 +26,27 @@ CONFIG_FBWHIPTAIL=y
 CONFIG_HOTPKEY=y
 
 CONFIG_LINUX_USB=y
+CONFIG_MOBILE_TETHERING=y
 
 export CONFIG_TPM=n
-export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
 
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
-export CONFIG_BOOT_KERNEL_ADD="intel_iommu=igfx_off"
-export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
-export CONFIG_BOOT_DEV="/dev/nvme0n1p1"
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE=""
 export CONFIG_BOARD_NAME="Librem Mini"
-export CONFIG_FLASHROM_OPTIONS="-p internal"
-export CONFIG_USB_KEYBOARD=y
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
+export CONFIG_USB_KEYBOARD_REQUIRED=y
 export CONFIG_AUTO_BOOT_TIMEOUT=5
+export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
+export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
+export CONFIG_ROOT_CHECK_AT_BOOT="n"
+export CONFIG_SUPPORT_AUTOMATIC_POWERON=y
diff --git a/boards/librem_mini_v2/initrd/bin/board-init.sh b/boards/librem_mini_v2/initrd/bin/board-init.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+set -o pipefail
+
+. /tmp/config
+
+# If CONFIG_AUTOMATIC_POWERON is set, always set the EC BRAM setting during
+# boot.  It persists as long as the RTC battery is set, but set it during every
+# boot for robustness in case the battery is temporarily removed, or the user
+# toggles in config-gui and then does not flash, etc.
+if [ "$CONFIG_AUTOMATIC_POWERON" = "y" ]; then
+	set_ec_poweron.sh y
+fi
+
+# Don't disable the setting in the EC BRAM though if CONFIG_AUTOMATIC_POWERON
+# is not enabled.  The default is disabled anyway, and the OS could configure
+# it.
diff --git a/boards/librem_mini_v2/initrd/bin/set_ec_poweron.sh b/boards/librem_mini_v2/initrd/bin/set_ec_poweron.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Set the EC BRAM setting for automatic power-on.
+# If $1 is 'y', enable automatic power-on.  Otherwise, disable it.
+
+# EC BRAM bank 1
+BRAMADDR=0x360
+BRAMDATA=0x361
+
+if [ "$1" = "y" ]; then
+	BRAM_VALUE="0x00" # 0 -> automatic power-on
+else
+	BRAM_VALUE="0x01" # 1 -> stay off
+fi
+
+outb "$BRAMADDR" 0x29 # Select byte at offset 29h
+outb "$BRAMDATA" "$BRAM_VALUE"
+# There's also a 16-bit checksum at offset 3eh in bank 1.  The only byte
+# included in the checksum is the automatic power-on setting, so the value is
+# the same, and the upper 8 bits remain 0.
+outb "$BRAMADDR" 0x3e
+outb "$BRAMDATA" "$BRAM_VALUE"
diff --git a/boards/librem_mini_v2/librem_mini_v2.config b/boards/librem_mini_v2/librem_mini_v2.config
@@ -1,16 +1,17 @@
 # Configuration for a librem mini v2
-CONFIG_LINUX_CONFIG=config/linux-librem_common.config
+CONFIG_LINUX_CONFIG=config/linux-librem_common-6.1.8.config
 CONFIG_COREBOOT_CONFIG=config/coreboot-librem_mini_v2.config
 
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=4.17
-export CONFIG_LINUX_VERSION=5.10.5
-export CONFIG_PURISM_BLOBS=y
+export CONFIG_COREBOOT_VERSION=purism
+export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_CRYPTSETUP2=y
-CONFIG_FLASHROM=y
+CONFIG_FLASHPROG=y
 CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
+CONFIG_IOPORT=y
+CONFIG_KBD=y
 CONFIG_KEXEC=y
 CONFIG_UTIL_LINUX=y
 CONFIG_LVM2=y
@@ -25,17 +26,27 @@ CONFIG_FBWHIPTAIL=y
 CONFIG_HOTPKEY=y
 
 CONFIG_LINUX_USB=y
+CONFIG_MOBILE_TETHERING=y
 
 export CONFIG_TPM=n
-export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
 
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
-export CONFIG_BOOT_KERNEL_ADD="intel_iommu=igfx_off"
-export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
-export CONFIG_BOOT_DEV="/dev/nvme0n1p1"
+export CONFIG_BOOT_KERNEL_ADD=""
+export CONFIG_BOOT_KERNEL_REMOVE=""
 export CONFIG_BOARD_NAME="Librem Mini v2"
-export CONFIG_FLASHROM_OPTIONS="-p internal"
-export CONFIG_USB_KEYBOARD=y
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
+export CONFIG_USB_KEYBOARD_REQUIRED=y
 export CONFIG_AUTO_BOOT_TIMEOUT=5
+export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
+export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
+export CONFIG_ROOT_CHECK_AT_BOOT="n"
+export CONFIG_SUPPORT_AUTOMATIC_POWERON=y