kgpe-d16: add AGESA 15h fork support with TPM1/TPM2 variants

- Add coreboot-15h module (4.11_wip-tpm branch, commit 1afdea5572e4908c51c5b4bed43fcdc2a98fd768)
- Move 4 kgpe-d16 boards from unmaintained_boards/ to boards/
- Create TPM1 (SLB9635) and TPM2 (SLB9665) variants for each board
- Add coreboot configs with TPM1/TPM2 settings
- Add 15h.org wiki references to board documentation
- Add CircleCI jobs with coreboot-15h fork cache

helpers used:
- make BOARD=$board coreboot.save_in_defconfig_format_backup
- make BOARD=$board coreboot.save_in_oldconfig_format_backup
- make BOARD=$board linux.save_in_defconfig_format_backup
- make BOARD=$board linux.save_in_olddefconfig_format_backup

Signed-off-by: Thierry Laurion <insurgo@riseup.net>

Author: tlaurion

.circleci/config.yml

@@ -526,6 +526,67 @@ workflows:
           requires:
             - x86-musl-cross-make
 
+      # 15h.org AGESA fork
+      - x86_coreboot:
+          name: kgpe-d16_workstation-tpm1
+          target: kgpe-d16_workstation-tpm1
+          subcommand: ""
+          coreboot_dir: coreboot-15h
+          requires:
+            - x86-musl-cross-make
+
+      # 15h.org AGESA fork: seed is kgpe-d16_workstation-tpm1 (x86_coreboot job above)
+      # coreboot fam15h - TPM1 variants
+      - build:
+          name: kgpe-d16_workstation-usb_keyboard-tpm1
+          target: kgpe-d16_workstation-usb_keyboard-tpm1
+          subcommand: ""
+          requires:
+            - kgpe-d16_workstation-tpm1
+
+      - build:
+          name: kgpe-d16_server-tpm1
+          target: kgpe-d16_server-tpm1
+          subcommand: ""
+          requires:
+            - kgpe-d16_workstation-tpm1
+
+      - build:
+          name: kgpe-d16_server-whiptail-tpm1
+          target: kgpe-d16_server-whiptail-tpm1
+          subcommand: ""
+          requires:
+            - kgpe-d16_workstation-tpm1
+
+      # coreboot fam15h - TPM2 variants (use 15h fork cache from tpm1 seed)
+      - build:
+          name: kgpe-d16_workstation-tpm2
+          target: kgpe-d16_workstation-tpm2
+          subcommand: ""
+          requires:
+            - kgpe-d16_workstation-tpm1
+
+      - build:
+          name: kgpe-d16_workstation-usb_keyboard-tpm2
+          target: kgpe-d16_workstation-usb_keyboard-tpm2
+          subcommand: ""
+          requires:
+            - kgpe-d16_workstation-tpm2
+
+      - build:
+          name: kgpe-d16_server-tpm2
+          target: kgpe-d16_server-tpm2
+          subcommand: ""
+          requires:
+            - kgpe-d16_workstation-tpm2
+
+      - build:
+          name: kgpe-d16_server-whiptail-tpm2
+          target: kgpe-d16_server-whiptail-tpm2
+          subcommand: ""
+          requires:
+            - kgpe-d16_workstation-tpm2
+
       # Those onboarding new boards should add their entries below.
       # coreboot 25.09 boards
       - build:

…rver/UNMAINTAINED_kgpe-d16_server.config …_server-tpm1/kgpe-d16_server-tpm1.configunmaintained_boards/UNMAINTAINED_kgpe-d16_server/UNMAINTAINED_kgpe-d16_server.config renamed to boards/kgpe-d16_server-tpm1/kgpe-d16_server-tpm1.config unmaintained_boards/UNMAINTAINED_kgpe-d16_server/UNMAINTAINED_kgpe-d16_server.config renamed to boards/kgpe-d16_server-tpm1/kgpe-d16_server-tpm1.config

@@ -1,6 +1,8 @@
 # Configuration for a kgpe-d16_server
 # per https://www.raptorengineering.com/coreboot/kgpe-d16-bmc-port-status.php work, with patches merged into Heads
 #
+# Hardware: Requires 16 MiB SPI flash chip upgrade (e.g., W25Q128) - stock 2 MiB (W25Q16V) is insufficient.
+#
 # Tested: ASMBV4 reprogrammed per https://www.raptorengineering.com/coreboot/kgpe-d16-bmc-port-status.php
 #
 # Status:
@@ -16,10 +18,10 @@
 # - Please contribute documentation on heads-wiki
 # - Please support https://github.com/osresearch/heads/issues/719
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=4.11
+export CONFIG_COREBOOT_VERSION=15h
 export CONFIG_LINUX_VERSION=6.1.8
 
-CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16_server.config
+CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16_server-tpm1.config
 CONFIG_LINUX_CONFIG=config/linux-kgpe-d16_server.config
 
 CONFIG_CRYPTSETUP2=y

boards/kgpe-d16_server-tpm2/kgpe-d16_server-tpm2.config

@@ -0,0 +1,91 @@
+# Configuration for a kgpe-d16_server (TPM2 variant)
+# See https://15h.org/index.php/ASUS_KGPE-D16 for full hardware details
+#
+# Hardware:
+# - Dual socket G34 for AMD Opteron 6200/6300 series (6100 series unsupported)
+# - AMD SR5690 northbridge, AMD SP5100 southbridge
+# - Winbond W83667HG-A Super I/O, ASPEED AST2050 BMC
+# - 16 DDR3 slots (8 channels), up to 512GB ECC UDIMM/RDIMM/LRDIMM
+# - Requires 16 MiB SPI flash chip upgrade (e.g., W25Q128) - stock 2 MiB (W25Q16V) is insufficient
+# - Intel 82574L dual gigabit Ethernet
+#
+# Display:
+# - VGA_SW1 jumper: "Enable" = onboard AST2050 VGA, "Disable" = PCIe GPU
+# - This config uses onboard VGA (text mode) via BMC serial console
+#
+# Fan Control:
+# - CPUFAN_SEL1: CPU fan zone (4-pin PWM recommended)
+# - CHAFAN_SEL1: Chassis fan zone (4-pin PWM recommended)
+# - 3-pin fans will run at 100% in PWM mode
+#
+# TPM:
+# - Infineon SLB9665 (Asus TPM-L R2.0)
+# - See https://15h.org/index.php/KGPE-D16_(Raptor)#TPM
+#
+# Status:
+# - TPM support still in progress (see 15h.org wiki)
+# - Two black SATA ports are inactive
+# - SeaBIOS does not respond to keyboards behind USB hub
+# - S3 Suspend/Resume unsupported
+# - No microcode included (see Linux panics with latest microcode)
+#   AMD Opteron 6300 series users: ensure OS loads microcode updates
+#
+# Flashing:
+# - External flashing required (3.3V CH341A programmer)
+# - CMOS clear required after flashing: move CLRTC1 to 2-3, wait 20s, restore
+# - Flash chip location: bottom right corner of board (labeled BIOS)
+#
+# BMC:
+# - Connect via ttyS1 at 115200n8
+# - https://github.com/osresearch/heads/issues/134#issuecomment-368922440
+#
+# Links:
+# - https://15h.org/index.php/ASUS_KGPE-D16
+# - https://15h.org/index.php/Coreboot-15h
+# - Please contribute documentation to heads-wiki
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=15h
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16_server-tpm2.config
+CONFIG_LINUX_CONFIG=config/linux-kgpe-d16_server.config
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHPROG_AST1100=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+CONFIG_DROPBEAR=y
+
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
+
+export CONFIG_TPM=y
+export CONFIG_TPM2=y
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+export CONFIG_TPM2_CAPTURE_PCAP=n
+export CONFIG_QUIET_MODE=y
+export CONFIG_BOOTSCRIPT=/bin/generic-init.sh
+
+# Console: dual output to BMC (ttyS1) and local VGA (tty0)
+export CONFIG_BOOT_KERNEL_ADD="nohz=on console=ttyS1,115200n8 console=tty0"
+export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0"
+export CONFIG_BOOT_STATIC_IP=192.168.2.3
+
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_REMOVE="plymouth.ignore-serial-consoles"
+export CONFIG_BOARD_NAME="KGPE-D16 Server TPM2"
+export CONFIG_USB_BOOT_DEV="/dev/sdb1"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"

…INTAINED_kgpe-d16_server-whiptail.config …pm1/kgpe-d16_server-whiptail-tpm1.configunmaintained_boards/UNMAINTAINED_kgpe-d16_server-whiptail/UNMAINTAINED_kgpe-d16_server-whiptail.config renamed to boards/kgpe-d16_server-whiptail-tpm1/kgpe-d16_server-whiptail-tpm1.config unmaintained_boards/UNMAINTAINED_kgpe-d16_server-whiptail/UNMAINTAINED_kgpe-d16_server-whiptail.config renamed to boards/kgpe-d16_server-whiptail-tpm1/kgpe-d16_server-whiptail-tpm1.config

@@ -1,6 +1,8 @@
 # Configuration for a kgpe-d16_server with whiptail, permitting usage of gui-init on console without FB graphic
 # per https://www.raptorengineering.com/coreboot/kgpe-d16-bmc-port-status.php work, with patches merged into Heads
 #
+# Hardware: Requires 16 MiB SPI flash chip upgrade (e.g., W25Q128) - stock 2 MiB (W25Q16V) is insufficient.
+#
 # Tested: ASMBV4 reprogrammed per https://www.raptorengineering.com/coreboot/kgpe-d16-bmc-port-status.php
 #
 # Status:
@@ -18,10 +20,10 @@
 #   sure their operating system loads microcode updates.
 
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=4.11
+export CONFIG_COREBOOT_VERSION=15h
 export CONFIG_LINUX_VERSION=6.1.8
 
-CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16_server-whiptail.config
+CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16_server-whiptail-tpm1.config
 CONFIG_LINUX_CONFIG=config/linux-kgpe-d16_server-whiptail.config
 
 CONFIG_CRYPTSETUP2=y

boards/kgpe-d16_server-whiptail-tpm2/kgpe-d16_server-whiptail-tpm2.config

@@ -0,0 +1,93 @@
+# Configuration for a kgpe-d16_server with whiptail (TPM2 variant)
+# See https://15h.org/index.php/ASUS_KGPE-D16 for full hardware details
+#
+# Hardware:
+# - Dual socket G34 for AMD Opteron 6200/6300 series (6100 series unsupported)
+# - AMD SR5690 northbridge, AMD SP5100 southbridge
+# - Winbond W83667HG-A Super I/O, ASPEED AST2050 BMC
+# - 16 DDR3 slots (8 channels), up to 512GB ECC UDIMM/RDIMM/LRDIMM
+# - Requires 16 MiB SPI flash chip upgrade (e.g., W25Q128) - stock 2 MiB (W25Q16V) is insufficient
+# - Intel 82574L dual gigabit Ethernet
+#
+# Display:
+# - VGA_SW1 jumper: "Enable" = onboard AST2050 VGA, "Disable" = PCIe GPU
+# - This config uses onboard VGA (text mode) via BMC serial console
+#
+# Fan Control:
+# - CPUFAN_SEL1: CPU fan zone (4-pin PWM recommended)
+# - CHAFAN_SEL1: Chassis fan zone (4-pin PWM recommended)
+# - 3-pin fans will run at 100% in PWM mode
+#
+# TPM:
+# - Infineon SLB9665 (Asus TPM-L R2.0)
+# - See https://15h.org/index.php/KGPE-D16_(Raptor)#TPM
+#
+# Status:
+# - TPM support still in progress (see 15h.org wiki)
+# - Two black SATA ports are inactive
+# - SeaBIOS does not respond to keyboards behind USB hub
+# - S3 Suspend/Resume unsupported
+# - No microcode included (see Linux panics with latest microcode)
+#   AMD Opteron 6300 series users: ensure OS loads microcode updates
+#
+# Flashing:
+# - External flashing required (3.3V CH341A programmer)
+# - CMOS clear required after flashing: move CLRTC1 to 2-3, wait 20s, restore
+# - Flash chip location: bottom right corner of board (labeled BIOS)
+#
+# BMC:
+# - Connect via ttyS1 at 115200n8
+# - https://github.com/osresearch/heads/issues/134#issuecomment-368922440
+#
+# Links:
+# - https://15h.org/index.php/ASUS_KGPE-D16
+# - https://15h.org/index.php/Coreboot-15h
+# - Please contribute documentation to heads-wiki
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=15h
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16_server-whiptail-tpm2.config
+CONFIG_LINUX_CONFIG=config/linux-kgpe-d16_server-whiptail.config
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+CONFIG_DROPBEAR=y
+
+CONFIG_SLANG=y
+CONFIG_NEWT=y
+
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
+
+export CONFIG_TPM=y
+export CONFIG_TPM2=y
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+export CONFIG_TPM2_CAPTURE_PCAP=n
+export CONFIG_QUIET_MODE=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init.sh
+
+# Console: BMC serial console output
+export CONFIG_BOOT_KERNEL_ADD="nohz=on console=ttyS1,115200n8 "
+export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0"
+export CONFIG_BOOT_STATIC_IP=192.168.2.3
+
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_REMOVE="plymouth.ignore-serial-consoles"
+export CONFIG_BOARD_NAME="KGPE-D16 Server-whiptail TPM2"
+export CONFIG_USB_BOOT_DEV="/dev/sdb1"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"

…UNMAINTAINED_kgpe-d16_workstation.config …on-tpm1/kgpe-d16_workstation-tpm1.configunmaintained_boards/UNMAINTAINED_kgpe-d16_workstation/UNMAINTAINED_kgpe-d16_workstation.config renamed to boards/kgpe-d16_workstation-tpm1/kgpe-d16_workstation-tpm1.config unmaintained_boards/UNMAINTAINED_kgpe-d16_workstation/UNMAINTAINED_kgpe-d16_workstation.config renamed to boards/kgpe-d16_workstation-tpm1/kgpe-d16_workstation-tpm1.config

@@ -2,24 +2,29 @@
 # Linux configuration supporting Nvidia, AMD GPUs, enforcing post on nvidia.
 # Please make sure jumper forces external GPU
 #
+# Hardware: Requires 16 MiB SPI flash chip upgrade (e.g., W25Q128) - stock 2 MiB (W25Q16V) is insufficient.
 #
 # Status:
 # - TPM support in romstage (not bootblock) with TPM SLB9635 TT 1.2 by Infineon
 # - To connect to BMC: https://github.com/osresearch/heads/issues/134#issuecomment-368922440
-# - Please contribute documentation on heads-wiki
+# - Please contribute documentation on heads-wiki / 15h.org
 # - Please support https://github.com/osresearch/heads/issues/719
 # - Disk Unlock Key released by TPM since not deactivated
 # - Currently, no microcode is included with coreboot. This is due to to a bug
 #   in which newer Linux releases panics when the newest microcode is loaded by
 #   coreboot. AMD Opteron 6300 series users are STRONGLY encouraged to make
 #   sure their operating system loads microcode updates.
-
+#
+# Since Qubes OS version 4.2 you need to use a speculative execution workaround to utilize qubes with pcie devices attached see https://15h.org/index.php/Qubes_OS
+# ask in the 15h.org matrix group about this if you are unsure or have trouble getting it to work
+#
+# read more about this board https://15h.org/index.php/KGPE-D16
 
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=4.11
+export CONFIG_COREBOOT_VERSION=15h
 export CONFIG_LINUX_VERSION=6.1.8
 
-CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16_workstation.config
+CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16_workstation-tpm1.config
 CONFIG_LINUX_CONFIG=config/linux-kgpe-d16_workstation.config
 
 CONFIG_CRYPTSETUP2=y