@@ -37,6 +37,11 @@ Heads codebase. Start here:
3737| [ doc/qemu.md] ( doc/qemu.md ) | QEMU board targets for development and testing |
3838| [ doc/wp-notes.md] ( doc/wp-notes.md ) | Flash write-protection status per board |
3939| [ doc/BOARDS_AND_TESTERS.md] ( doc/BOARDS_AND_TESTERS.md ) | Supported boards and their maintainers/testers |
40+ | [ doc/prerequisites.md] ( doc/prerequisites.md ) | USB security dongles (HOTP/TPMTOTP), OS requirements, flashing methods |
41+ | [ doc/faq.md] ( doc/faq.md ) | Common questions: UEFI vs coreboot, TPM, LUKS, threat models |
42+ | [ doc/keys.md] ( doc/keys.md ) | All keys and secrets: TPM owner, GPG PINs, Disk Recovery Key, LUKS DUK |
43+ | [ doc/development.md] ( doc/development.md ) | Commit conventions, coding standards, testing checklist |
44+ | [ doc/build-freshness.md] ( doc/build-freshness.md ) | Debugging stale builds: initrd.cpio.xz composition, verification |
4045
4146For user-facing documentation and guides, see [ Heads-wiki] ( https://osresearch.net ) .
4247
@@ -56,11 +61,18 @@ provided Docker wrappers — no host-side QEMU or swtpm installation is needed.
5661./docker_repro.sh make BOARD=qemu-coreboot-fbwhiptail-tpm2 run
5762```
5863
64+ ** No hardware required for testing** — Docker provides the full build stack
65+ and QEMU runtime with software TPM (swtpm) and the bundled ` canokey-qemu `
66+ virtual OpenPGP smartcard. Build and test entirely in software before flashing real hardware.
67+
5968For full details — wrapper scripts, Nix local dev, reproducibility verification, and
6069maintainer workflow — see ** [ doc/docker.md] ( doc/docker.md ) ** .
6170
6271For QEMU board testing see ** [ doc/qemu.md] ( doc/qemu.md ) ** .
6372
73+ For troubleshooting build issues see ** [ doc/faq.md] ( doc/faq.md ) ** and
74+ ** [ doc/build-freshness.md] ( doc/build-freshness.md ) ** .
75+
6476## General notes on reproducible builds
6577
6678In order to build reproducible firmware images, Heads builds a specific
@@ -78,19 +90,24 @@ There are still dependencies on the build system's coreutils in
7890` /bin ` and ` /usr/bin/ ` , but any problems should be detectable if you
7991end up with a different hash than the official builds.
8092
81- The various components that are downloaded are in the ` ./modules `
82- directory and include:
83-
84- * [ musl-libc] ( https://www.musl-libc.org/ )
85- * [ busybox] ( https://busybox.net/ )
86- * [ kexec] ( https://wiki.archlinux.org/index.php/kexec )
87- * [ mbedtls] ( https://tls.mbed.org/ )
88- * [ tpmtotp] ( https://trmm.net/Tpmtotp )
89- * [ coreboot] ( https://www.coreboot.org/ )
90- * [ cryptsetup] ( https://gitlab.com/cryptsetup/cryptsetup )
91- * [ lvm2] ( https://sourceware.org/lvm2/ )
92- * [ gnupg] ( https://www.gnupg.org/ )
93- * [ Linux kernel] ( https://kernel.org )
93+ ## Key components
94+
95+ Heads builds a curated set of packages (from ` modules/ ` ). Key components
96+ enabled by most board configs include:
97+
98+ * [ musl-cross-make] ( https://github.com/richfelker/musl-cross-make ) — cross-compiler toolchain
99+ * [ coreboot] ( https://www.coreboot.org/ ) — minimal firmware replacing vendor BIOS/UEFI
100+ * [ Linux] ( https://kernel.org ) — minimal kernel payload (no built-in initramfs; boots with external initrd such as ` initrd.cpio.xz ` )
101+ * [ busybox] ( https://busybox.net/ ) — core utilities
102+ * [ kexec] ( https://wiki.archlinux.org/index.php/kexec ) — boot OS from /boot
103+ * [ cryptsetup] ( https://gitlab.com/cryptsetup/cryptsetup ) — LUKS disk encryption
104+ * [ GPG] ( https://www.gnupg.org/ ) — /boot signature verification
105+ * [ mbedtls] ( https://tls.mbed.org/ ) — cryptography for TPM operations
106+ * [ tpmtotp] ( https://trmm.net/Tpmtotp ) — TPM-based TOTP/HOTP attestation
107+
108+ The full build also includes: lvm2, tpm2-tools, flashrom/flashprog, dropbear (SSH),
109+ fbwhiptail (GUI), qrencode, and many others. See individual ` modules/* ` files and
110+ board configs for the complete picture.
94111
95112We also recommend installing [ Qubes OS] ( https://www.qubes-os.org/ ) ,
96113although there Heads can ` kexec ` into any Linux or
0 commit comments