Hello guys/gals

There is tickets opened to:

remove networking ( #564 ), with corresponding PR attempt to remove networking with cleanup ( #572 ) while cryptsetup seemed to depend on CONFIG_NET and some explicit crypto modules in the past ( #79 ), while putting CONFIG_LINUX_E1000E=n in board config liberates 295688 bytes. @merge : Is that enough?
reduce libslang.so.2 footprint ( #517 )
reduce kernel crypto footprint (what ticket?)

The priorities should be, see below for binaries/libraries footprints:

[x] Reduce libgcrypt.so.20 footprint (1145176 uncompressed bytes)
[x] Reduce lvm footprint (1599032 uncompressed bytes)
[x] Reduce gpg footprint (869568 uncompressed bytes)
[x] libcairo.so.2 footprint (851968 uncompressed bytes)
[x] libpixman-1.so.0 footprint (667048 uncompressed bytes)

EDIT: one liner to decompress and differenciate builds space

To help in finding consumed space, here is what I do.

make BOARD=x230
cd build/x230/
xz --decompress initrd.cpio.xz
cpio --extract < initrd.cpio
cpio --extract < heads.cpio
cpio --extract < modules.cpio

find . -type f -ls | sort -r -n -k7

789884 12288 -rw-r--r-- 1 user 789885 11912 -rw-r--r-- 1 user 789821 10648 -rw-r--r-- 1 user 789880 2868 -rw-r--r-- 1 user 789986 1564 -rwx------ 1 user 790106 1120 -rwx------ 1 user 789881 968 -rw-r--r-- 1 user 789943 852 -rwx------ 1 user 790103 832 -rwx------ 1 user 790113 652 -rwx------ 1 user 790102 556 -rwx------ 1 user 789938 480 -rwx------ 1 user 789900 476 -rwx------ 1 user 790018 384 -rwx------ 1 user 789944 352 -rwx------ 1 user 790117 328 -rwx------ 1 user 790105 320 -rwx------ 1 user 789882 316 -rw-r--r-- 1 user 790109 312 -rwx------ 1 user 790123 292 -rw------- 1 user 790108 216 -rwx------ 1 user 790114 200 -rwx------ 1 user 789925 180 -rwx------ 1 user 790037 172 -rwx------ 1 user 790127 168 -rw------- 1 user 790131 160 -rw------- 1 user 789960 156 -rwx------ 1 user 790104 156 -rwx------ 1 user 789924 132 -rwx------ 1 user 790130 132 -rw------- 1 user 790051 124 -rwx------ 1 user 790107 120 -rwx------ 1 user 790097 108 -rw------- 1 user 790121 108 -rwx------ 1 user 790119 96 -rwx------ 1 user 789983 76 -rwx------ 1 user 790101 72 -rwx------ 1 user 790124 68 -rw------- 1 user 789914 64 -rwx------ 1 user 789913 56 -rwx------ 1 user 790129 52 -rw------- 1 user 790004 52 -rwx------ 1 user 790126 52 -rw------- 1 user 789934 48 -rwx------ 1 user 790112 48 -rwx------ 1 user 790111 48 -rwx------ 1 user 790115 48 -rwx------ 1 user 790116 44 -rwx------ 1 user 790128 40 -rw------- 1 user 790089 36 -rwx------ 1 user 790068 32 -rwx------ 1 user 789977 32 -rwx------ 1 user 789906 24 -rwx------ 1 user 789940 24 -rwx------ 1 user 790019 20 -rwx------ 1 user 790087 20 -rw------- 1 user 790118 20 -rwx------ 1 user 789949 20 -rwx------ 1 user 789904 16 -rwx------ 1 user 790110 16 -rwx------ 1 user 790056 16 -rwx------ 1 user 790120 16 -rwx------ 1 user 790085 16 -rw------- 1 user 789879 12 -rw-r--r-- 1 user 790007 12 -rwx------ 1 user 790125 12 -rw------- 1 user 790132 12 -rw------- 1 user 789931 12 -rwx------ 1 user 789969 12 -rwx------ 1 user 789945 12 -rwx------ 1 user 790014 12 -rwx------ 1 user 789966 8 -rwx------ 1 user 790002 8 -rwx------ 1 user 789993 8 -rwx------ 1 user 790049 8 -rwx------ 1 user 789957 8 -rwx------ 1 user 789896 8 -rwx------ 1 user 790011 8 -rwx------ 1 user 789968 8 -rwx------ 1 user 789994 8 -rwx------ 1 user 789965 4 -rwx------ 1 user 790098 4 -rwx------ 1 user 789910 4 -rwx------ 1 user 789961 4 -rwx------ 1 user 790020 4 -rwx------ 1 user 789970 4 -rwx------ 1 user 789962 4 -rwx------ 1 user 789937 4 -rwx------ 1 user 789936 4 -rwx------ 1 user 790066 4 -rwx------ 1 user 789964 4 -rwx------ 1 user 790021 4 -rwx------ 1 user 790061 4 -rwx------ 1 user 789883 4 -rw------- 1 user 789967 4 -rwx------ 1 user 790086 4 -rw------- 1 user 789921 4 -rwx------ 1 user 789963 4 -rwx------ 1 user 790134 4 -rwx------ 1 user 789941 4 -rwx------ 1 user 789971 4 -rwx------ 1 user 790151 4 -rwx------ 1 user 790052 4 -rwx------ 1 user 789976 4 -rwx------ 1 user 790140 4 -rwx------ 1 user 789972 4 -rwx------ 1 user 789905 4 -rwx------ 1 user 790082 4 -rw------- 1 user 789997 4 -rwx------ 1 user 790057 4 -rwx------ 1 user 790062 4 -rwx------ 1 user 790074 4 -rwx------ 1 user 790012 4 -rwx------ 1 user 789939 4 -rwx------ 1 user 790092 4 -rwx------ 1 user 790072 4 -rwx------ 1 user 790013 4 -rwx------ 1 user 790065 4 -rwx------ 1 user 790008 4 -rwx------ 1 user 790088 4 -rw------- 1 user 790093 4 -rw------- 1 user 789946 4 -rwx------ 1 user 789888 4 -rw------- 1 user 789920 4 -rwx------ 1 user 790073 4 -rwx------ 1 user 790096 4 -rw------- 1 user 790095 4 -rw------- 1 user 790091 4 -rw------- 1 user 790090 4 -rw------- 1 user 789889 4 -rw------- 1 user user 12582912 Jun 28 13:00 ./coreboot.rom user 12212224 Jun 28 13:00 ./initrd.cpio user 10903552 Jun 28 13:00 ./tools.cpio user 2936832 Jun 28 12:59 ./bzImage user 1599032 Jun 28 13:01 ./bin/lvm user 1145176 Jun 28 13:01 ./lib/libgcrypt.so.20 user 989696 Jun 28 12:59 ./modules.cpio user 869568 Jun 28 13:01 ./bin/gpg user 851968 Jun 28 13:01 ./lib/libcairo.so.2 user 667048 Jun 28 13:01 ./lib/libpixman-1.so.0 user 568680 Jun 28 13:01 ./lib/libc.so user 490640 Jun 28 13:01 ./bin/flashrom user 486024 Jun 28 13:01 ./bin/busybox user 391760 Jun 28 13:01 ./bin/scdaemon user 359960 Jun 28 13:01 ./bin/gpg-agent user 332504 Jun 28 13:01 ./lib/libtpm.so user 324784 Jun 28 13:01 ./lib/libdevmapper.so.1.02 user 321024 Jun 28 13:00 ./heads.cpio user 318464 Jun 28 13:01 ./lib/libmbedcrypto.so.0 user 295688 Jun 28 13:01 ./lib/modules/e1000e.ko user 217192 Jun 28 13:01 ./lib/libksba.so.8 user 201096 Jun 28 13:01 ./lib/libpng16.so.16 user 180960 Jun 28 13:01 ./bin/dropbear user 172544 Jun 28 13:01 ./bin/ssh user 170512 Jun 28 13:01 ./lib/modules/mmc_core.ko user 160792 Jun 28 13:01 ./lib/modules/xhci-hcd.ko user 158952 Jun 28 13:01 ./bin/kexec user 155744 Jun 28 13:01 ./lib/libcryptsetup.so.4 user 133216 Jun 28 13:01 ./bin/dmsetup user 132520 Jun 28 13:01 ./lib/modules/usb-storage.ko user 122992 Jun 28 13:01 ./bin/tpm user 120024 Jun 28 13:01 ./lib/libgpg-error.so.0 user 108800 Jun 28 13:01 ./etc/wordlist_en_eff.txt user 107512 Jun 28 13:01 ./lib/libz.so.1 user 98064 Jun 28 13:01 ./lib/libusb-1.0.so.0 user 73920 Jun 28 13:01 ./bin/lspci user 73416 Jun 28 13:01 ./lib/libassuan.so.0 user 66208 Jun 28 13:01 ./lib/modules/ehci-hcd.ko user 62680 Jun 28 13:01 ./bin/cryptsetup-reencrypt user 55760 Jun 28 13:01 ./bin/cryptsetup user 53136 Jun 28 13:01 ./lib/modules/sdhci.ko user 52520 Jun 28 13:01 ./bin/pinentry-tty user 49352 Jun 28 13:01 ./lib/modules/mmc_block.ko user 49032 Jun 28 13:01 ./bin/fbwhiptail user 48672 Jun 28 13:01 ./lib/libpci.so.3.5.4 user 48672 Jun 28 13:01 ./lib/libpci.so.3 user 45160 Jun 28 13:01 ./lib/libpopt.so.0 user 43864 Jun 28 13:01 ./lib/libqrencode.so.3 user 38104 Jun 28 13:01 ./lib/modules/sdhci-pci.ko user 35654 Jun 28 13:01 ./etc/functions user 29584 Jun 28 13:01 ./bin/veritysetup user 29568 Jun 28 13:01 ./bin/libremkey_hotp_verification user 23696 Jun 28 13:01 ./bin/cbmem user 21064 Jun 28 13:01 ./bin/flashtool user 20400 Jun 28 13:01 ./bin/scp user 19992 Jun 28 13:01 ./etc/distro/keys/tails.key user 18800 Jun 28 13:01 ./lib/libusb-0.1.so.4 user 16936 Jun 28 13:01 ./bin/gui-init user 15368 Jun 28 13:01 ./bin/cbfs user 14912 Jun 28 13:01 ./lib/libnpth.so.0 user 14464 Jun 28 13:01 ./bin/uefi user 13984 Jun 28 13:01 ./lib/libuuid.so.1 user 12413 Jun 28 13:01 ./etc/distro/keys/fedora.key user 11225 Jun 28 13:00 ./hashes.txt user 10776 Jun 28 13:01 ./bin/poke user 10592 Jun 28 13:01 ./lib/modules/ehci-pci.ko user 10456 Jun 28 13:01 ./lib/modules/xhci-pci.ko user 10409 Jun 28 13:01 ./bin/factory-reset-libremkey.sh user 10093 Jun 28 13:01 ./bin/kexec-select-boot user 8780 Jun 28 13:01 ./bin/gpg-gui.sh user 8581 Jun 28 13:01 ./bin/reencrypt-luks user 7944 Jun 28 13:01 ./bin/kexec-save-default user 7872 Jun 28 13:01 ./bin/peek user 7556 Jun 28 13:01 ./bin/mount-sdcard user 7448 Jun 28 13:01 ./bin/totp user 7064 Jun 28 13:01 ./bin/hotp user 6832 Jun 28 13:01 ./bin/base32 user 5304 Jun 28 13:01 ./bin/qrenc user 4972 Jun 28 13:01 ./bin/kexec-seal-key user 4185 Jun 28 13:01 ./bin/mount-usb user 3654 Jun 28 13:01 ./bin/kexec-parse-boot user 3622 Jun 28 13:01 ./init user 3329 Jun 28 13:01 ./bin/config-gui.sh user 3099 Jun 28 13:01 ./bin/kexec-boot user 2753 Jun 28 13:01 ./bin/seal-libremkey user 2628 Jun 28 13:01 ./bin/kexec-sign-config user 2379 Jun 28 13:01 ./bin/kexec-insert-key user 2107 Jun 28 13:01 ./bin/flash.sh user 2077 Jun 28 13:01 ./bin/flash-gui.sh user 2070 Jun 28 13:01 ./bin/usb-scan user 2033 Jun 28 13:01 ./bin/kexec-parse-bls user 2027 Jun 28 13:01 ./bin/seal-totp user 1839 Jun 28 13:01 ./bin/unseal-hotp user 1748 Jun 28 13:01 ./.ash_history user 1689 Jun 28 13:01 ./bin/kexec-save-key user 1629 Jun 28 13:01 ./etc/distro/keys/qubes-4.key user 1552 Jun 28 13:01 ./bin/diceware.sh user 1375 Jun 28 13:01 ./bin/kexec-iso-init user 1373 Jun 28 13:01 ./mount-boot user 1299 Jun 28 13:01 ./bin/generic-init user 1119 Jun 28 13:01 ./bin/kexec-unseal-key user 1000 Jun 28 13:01 ./sbin/insmod user 983 Jun 28 13:01 ./bin/tpm-reset user 965 Jun 28 13:01 ./bin/libremkey_hotp_initialize user 922 Jun 28 13:01 ./sbin/config-dhcp.sh user 875 Jun 28 13:01 ./bin/key-init user 799 Jun 28 13:01 ./bin/cbfs-init user 736 Jun 28 13:01 ./etc/config user 675 Jun 28 13:01 ./bin/network-init-recovery user 661 Jun 28 13:01 ./bin/uefi-init user 634 Jun 28 13:01 ./bin/unseal-totp user 574 Jun 28 13:01 ./bin/x230-flash.init user 366 Jun 28 13:01 ./bin/qubes-measure-luks user 360 Jun 28 13:01 ./bin/flashrom-kgpe-d16-openbmc.sh user 340 Jun 28 13:01 ./etc/keylime-init user 320 Jun 28 13:01 ./bin/wget-measure.sh user 258 Jun 28 13:01 ./bin/reboot user 220 Jun 28 13:01 ./bin/usb-init user 205 Jun 28 13:01 ./bin/poweroff user 197 Jun 28 13:01 ./etc/fstab user 174 Jun 28 13:01 ./etc/motd user 106 Jun 28 13:01 ./bin/gpgv user 73 Jun 28 13:01 ./.gnupg/gpg-agent.conf user 62 Jun 28 13:01 ./bin/diceware-eff.sh user 35 Jun 28 13:01 ./bin/whiptail user 27 Jun 28 13:01 ./etc/shells user 27 Jun 28 13:01 ./etc/passwd user 20 Jun 28 13:01 ./etc/hosts user 10 Jun 28 13:01 ./etc/group user 10 Jun 28 13:01 ./.gnupg/gpg.conf

A few other ideas:

Clean up board-specific files from other devices. (Example is flashrom-kgpe-d16-openbmc.sh is present in X230 builds, x230-flash.init being in main X230 or on Chell Chromebook). This change will likely need to happen during the build process.
Move flash definitions from flash.sh to the board config files. As we support more boards, this will be critical, as all maintained boards are presently defined in flash.sh, and as this project supports more and more boards, flash.sh will get larger and larger. I've started work on this.

These may not be as high priority as other changes, but ones to certainly look at to help reduce firmware size, especially as the project grows.

@SebastianMcMillan : Those are good cleanup ideas, but unfortunately, will not impact the initrd.cpio.xz (including heads.cpio and tools.cpio), those text files being highly compressed.

The problem lies in binaries, not higly compressed under initrd.cpio.xz

This article (or the series it comes from) may yield some inspiration: https://lwn.net/Articles/748198/ Edit: this one is probably more useful https://lwn.net/Articles/741494/

Solution lies in #307

@zaolin pointed out:

Update: Getting rid of libgcrypt and replacement for gpg would be a good way to safe 2MB in total. See, https://sequoia-pgp.org/ as alternative

@zaolin : Unfortunately, there is no smartcard support in sequoia-pgp ATM, on which Heads relies on for verified /boot integrity.

@tlaurion ask them for support, they should have basic support for it. They are on IRC #sequoia at Freenode

Here we go again, since

710 would require newer versions of gpg toolchain, which won't fit in actual x230 board config. EDIT: it actually fitted.
709 non neutered ME board configs lack around 300k to fit VBOOT in.

To troubleshoot:

make BOARD=x230
cd build/x230
xz -d initrd.cpio.xz ; for i in initrd.cpio modules.cpio tools.cpio heads.cpio; do cpio -i < $i; done && find . -type f -ls | sort -r -n -k7 |grep -v cpio

Output:

    28192   2956 -rw-r--r--   1 user     user      3023312 May  3 12:25 ./bzImage
    61393   1592 -rwx------   1 user     user      1627856 May  3 12:45 ./bin/lvm
    61507   1132 -rwx------   1 user     user      1156424 May  3 12:45 ./lib/libgcrypt.so.20
    61352    892 -rwx------   1 user     user       911264 May  3 12:45 ./bin/gpg
    61504    740 -rwx------   1 user     user       757232 May  3 12:45 ./lib/libcairo.so.2
    61515    652 -rwx------   1 user     user       666216 May  3 12:45 ./lib/libpixman-1.so.0
    61502    584 -rwx------   1 user     user       596544 May  3 12:45 ./lib/libc.so
    61347    556 -rwx------   1 user     user       568264 May  3 12:45 ./bin/flashrom
    61313    472 -rwx------   1 user     user       483160 May  3 12:45 ./bin/busybox
    61424    400 -rwx------   1 user     user       407784 May  3 12:45 ./bin/scdaemon
    61353    368 -rwx------   1 user     user       376024 May  3 12:45 ./bin/gpg-agent
    61519    332 -rwx------   1 user     user       339304 May  3 12:45 ./lib/libtpm.so
    61506    328 -rwx------   1 user     user       333240 May  3 12:45 ./lib/libdevmapper.so.1.02
    61511    320 -rwx------   1 user     user       325104 May  3 12:45 ./lib/libmbedcrypto.so.0
    61524    300 -rw-------   1 user     user       304272 May  3 12:45 ./lib/modules/e1000e.ko
    61510    224 -rwx------   1 user     user       227696 May  3 12:45 ./lib/libksba.so.8
    61516    204 -rwx------   1 user     user       207912 May  3 12:45 ./lib/libpng16.so.16
    61335    184 -rwx------   1 user     user       184824 May  3 12:45 ./bin/dropbear
    61442    176 -rwx------   1 user     user       176408 May  3 12:45 ./bin/ssh
    61369    168 -rwx------   1 user     user       170984 May  3 12:45 ./bin/kexec
    61528    160 -rw-------   1 user     user       159840 May  3 12:45 ./lib/modules/xhci-hcd.ko
    61505    156 -rwx------   1 user     user       159000 May  3 12:45 ./lib/libcryptsetup.so.4
    61334    136 -rwx------   1 user     user       137464 May  3 12:45 ./bin/dmsetup
    61527    132 -rw-------   1 user     user       132360 May  3 12:45 ./lib/modules/usb-storage.ko
    61509    128 -rwx------   1 user     user       130000 May  3 12:45 ./lib/libgpg-error.so.0
    61456    124 -rwx------   1 user     user       126584 May  3 12:45 ./bin/tpm
    61523    108 -rwx------   1 user     user       108832 May  3 12:45 ./lib/libz.so.1
    61521     96 -rwx------   1 user     user        96896 May  3 12:45 ./lib/libusb-1.0.so.0
    61501     76 -rwx------   1 user     user        76736 May  3 12:45 ./lib/libassuan.so.0
    61390     72 -rwx------   1 user     user        73600 May  3 12:45 ./bin/lspci
    61525     64 -rw-------   1 user     user        64800 May  3 12:45 ./lib/modules/ehci-hcd.ko
    61326     64 -rwx------   1 user     user        62328 May  3 12:45 ./bin/cryptsetup-reencrypt
    61325     60 -rwx------   1 user     user        59144 May  3 12:45 ./bin/cryptsetup
    61514     52 -rwx------   1 user     user        52272 May  3 12:45 ./lib/libpci.so.3.5.4
    61513     52 -rwx------   1 user     user        52272 May  3 12:45 ./lib/libpci.so.3
    61411     52 -rwx------   1 user     user        52200 May  3 12:45 ./bin/pinentry-tty
    61343     52 -rwx------   1 user     user        51616 May  3 12:45 ./bin/fbwhiptail
    61517     48 -rwx------   1 user     user        48088 May  3 12:45 ./lib/libpopt.so.0
    61518     48 -rwx------   1 user     user        47448 May  3 12:45 ./lib/libqrencode.so.3
    61473     32 -rwx------   1 user     user        32560 May  3 12:45 ./bin/veritysetup
    61319     28 -rwx------   1 user     user        27048 May  3 12:45 ./bin/cbmem
    61425     24 -rwx------   1 user     user        22664 May  3 12:45 ./bin/scp
    61349     24 -rwx------   1 user     user        22432 May  3 12:45 ./bin/flashtool
    61488     20 -rw-------   1 user     user        19992 May  3 12:45 ./etc/distro/keys/tails.key
    61495     20 -rw-------   1 user     user        18852 May  3 12:45 ./etc/oem/keys/insurgo.key
    61520     20 -rwx------   1 user     user        18464 May  3 12:45 ./lib/libusb-0.1.so.4
    61317     20 -rwx------   1 user     user        18352 May  3 12:45 ./bin/cbfs
    61461     20 -rwx------   1 user     user        18320 May  3 12:45 ./bin/uefi
    61358     16 -rwx------   1 user     user        14657 May  3 12:45 ./bin/gui-init
    61522     16 -rwx------   1 user     user        14656 May  3 12:45 ./lib/libuuid.so.1
    61512     16 -rwx------   1 user     user        14552 May  3 12:45 ./lib/libnpth.so.0
    61414     16 -rwx------   1 user     user        14200 May  3 12:45 ./bin/poke
    61407     12 -rwx------   1 user     user        12056 May  3 12:45 ./bin/oem-factory-reset
    61486     12 -rw-------   1 user     user        10955 May  3 12:45 ./etc/distro/keys/fedora.key
    61526     12 -rw-------   1 user     user        10728 May  3 12:45 ./lib/modules/ehci-pci.ko
    61529     12 -rw-------   1 user     user        10568 May  3 12:45 ./lib/modules/xhci-pci.ko
    61409     12 -rwx------   1 user     user        10096 May  3 12:45 ./bin/peek
    61309     12 -rwx------   1 user     user        10088 May  3 12:45 ./bin/base32
      100     12 -rw-r--r--   1 user     user        10056 May  3 12:39 ./hashes.txt
    61454     12 -rwx------   1 user     user        10048 May  3 12:45 ./bin/totp
    61366     12 -rwx------   1 user     user        10024 May  3 12:45 ./bin/hotp
    61378     12 -rwx------   1 user     user         9894 May  3 12:45 ./bin/kexec-select-boot
    61354     12 -rwx------   1 user     user         9681 May  3 12:45 ./bin/gpg-gui.sh
    61490      8 -rwx------   1 user     user         8173 May  3 12:45 ./etc/functions
    61322      8 -rwx------   1 user     user         5924 May  3 12:45 ./bin/config-gui.sh
    61418      8 -rwx------   1 user     user         5912 May  3 12:45 ./bin/qrenc
    61377      8 -rwx------   1 user     user         4178 May  3 12:45 ./bin/kexec-seal-key
    61345      4 -rwx------   1 user     user         4074 May  3 12:45 ./bin/flash-gui.sh
    61374      4 -rwx------   1 user     user         3654 May  3 12:45 ./bin/kexec-parse-boot
    61375      4 -rwx------   1 user     user         3364 May  3 12:45 ./bin/kexec-save-default
    61498      4 -rwx------   1 user     user         3322 May  3 12:45 ./init
    61370      4 -rwx------   1 user     user         3099 May  3 12:45 ./bin/kexec-boot
    61400      4 -rwx------   1 user     user         3043 May  3 12:45 ./bin/mount-usb
    61426      4 -rwx------   1 user     user         2717 May  3 12:45 ./bin/seal-libremkey
    61371      4 -rwx------   1 user     user         2344 May  3 12:45 ./bin/kexec-insert-key
    61471      4 -rwx------   1 user     user         2130 May  3 12:45 ./bin/usb-scan
    61373      4 -rwx------   1 user     user         2033 May  3 12:45 ./bin/kexec-parse-bls
    61427      4 -rwx------   1 user     user         2027 May  3 12:45 ./bin/seal-totp
    61466      4 -rwx------   1 user     user         1838 May  3 12:45 ./bin/unseal-hotp
    61346      4 -rwx------   1 user     user         1724 May  3 12:45 ./bin/flash.sh
    61376      4 -rwx------   1 user     user         1677 May  3 12:45 ./bin/kexec-save-key
    61487      4 -rw-------   1 user     user         1629 May  3 12:45 ./etc/distro/keys/qubes-4.key
    61379      4 -rwx------   1 user     user         1407 May  3 12:45 ./bin/kexec-sign-config
    61372      4 -rwx------   1 user     user         1375 May  3 12:45 ./bin/kexec-iso-init
    61530      4 -rwx------   1 user     user         1373 May  3 12:45 ./mount-boot
    61350      4 -rwx------   1 user     user         1299 May  3 12:45 ./bin/generic-init
    60093      4 -rw-------   1 user     user         1247 May  3 12:45 ./.ash_history
    61380      4 -rwx------   1 user     user         1044 May  3 12:45 ./bin/kexec-unseal-key
    61546      4 -rwx------   1 user     user         1000 May  3 12:45 ./sbin/insmod
    61535      4 -rwx------   1 user     user          922 May  3 12:45 ./sbin/config-dhcp.sh
    61318      4 -rwx------   1 user     user          799 May  3 12:45 ./bin/cbfs-init
    61381      4 -rwx------   1 user     user          770 May  3 12:45 ./bin/key-init
    61485      4 -rw-------   1 user     user          700 May  3 12:45 ./etc/config
    61457      4 -rwx------   1 user     user          694 May  3 12:45 ./bin/tpm-reset
    61403      4 -rwx------   1 user     user          675 May  3 12:45 ./bin/network-init-recovery
    61462      4 -rwx------   1 user     user          661 May  3 12:45 ./bin/uefi-init
    61467      4 -rwx------   1 user     user          634 May  3 12:45 ./bin/unseal-totp
    61479      4 -rwx------   1 user     user          574 May  3 12:45 ./bin/x230-flash.init
    61419      4 -rwx------   1 user     user          366 May  3 12:45 ./bin/qubes-measure-luks
    61348      4 -rwx------   1 user     user          360 May  3 12:45 ./bin/flashrom-kgpe-d16-openbmc.sh
    61477      4 -rwx------   1 user     user          320 May  3 12:45 ./bin/wget-measure.sh
    61420      4 -rwx------   1 user     user          258 May  3 12:45 ./bin/reboot
    61470      4 -rwx------   1 user     user          220 May  3 12:45 ./bin/usb-init
    61415      4 -rwx------   1 user     user          205 May  3 12:45 ./bin/poweroff
    61489      4 -rw-------   1 user     user          197 May  3 12:45 ./etc/fstab
    61493      4 -rw-------   1 user     user          174 May  3 12:45 ./etc/motd
    61355      4 -rwx------   1 user     user          106 May  3 12:45 ./bin/gpgv
    60437      4 -rw-------   1 user     user           73 May  3 12:45 ./.gnupg/gpg-agent.conf
    61478      4 -rwx------   1 user     user           35 May  3 12:45 ./bin/whiptail
    61497      4 -rw-------   1 user     user           27 May  3 12:45 ./etc/shells
    61496      4 -rw-------   1 user     user           27 May  3 12:45 ./etc/passwd
    61492      4 -rw-------   1 user     user           20 May  3 12:45 ./etc/hosts
    61491      4 -rw-------   1 user     user           10 May  3 12:45 ./etc/group
    61303      4 -rw-------   1 user     user           10 May  3 12:45 ./.gnupg/gpg.conf

A public build showing that not moving along with this actual ticket or with #703 is breaking x230 support and 12Mb boards altogether, Heads having become too big.

@flammit: This build will fail at coreboot integration of cpios (CBFS region not being big enough), but artifacts will include initird.cpio.xz, heads.cpio, tools.cpio and modules.cpio for others to see the limit and dead end we are now facing.

Now what?

@tlaurion is reducing the kernel size not an option, or simply too much effort?

@MrChromebox : my reluctance in attacking Kernel size reduction comes with the conclusions of #453 where some 300k were obtained. Of course, those recommendations should be investigated.

Will reread myself. I have tagged you in #517 to resume there if you can reduce FBWhiptail general footprint, which are the next in line (when combined) after kernel, while lvm and gpg would also to be addressed.

I'll revisit gpg2 myself, in the goal of fixing #668 for #710

@MrChromebox #668 and #710 being resolved, I've been looking at multiple source on kernel debloating to do some state of the art.

It seems that be most interesting articles are...

Runtime collection based optimizations:

[ ] https://hckuo.github.io/pdfs/cozart.pdf

LTO:

Reading.

Playing around with information found under this "Shrinking the kernel with an AXE" blog post to reduce kernel size prior of going the LTO way.

git diff osresearch/master> patch
cat patch

diff --git a/config/linux-x230.config b/config/linux-x230.config
index dd5af0c..6cb7ea8 100644
--- a/config/linux-x230.config
+++ b/config/linux-x230.config
@@ -14,6 +14,7 @@ CONFIG_INITRAMFS_SOURCE="../../../blobs/dev.cpio"
 # CONFIG_RD_LZO is not set
 # CONFIG_RD_LZ4 is not set
 CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+# CONFIG_MULTIUSER is not set
 # CONFIG_SGETMASK_SYSCALL is not set
 # CONFIG_SYSFS_SYSCALL is not set
 # CONFIG_BASE_FULL is not set
@@ -25,18 +26,18 @@ CONFIG_CC_OPTIMIZE_FOR_SIZE=y
 # CONFIG_MEMBARRIER is not set
 CONFIG_EMBEDDED=y
 # CONFIG_VM_EVENT_COUNTERS is not set
-# CONFIG_SLUB_DEBUG is not set
 # CONFIG_COMPAT_BRK is not set
+CONFIG_SLOB=y
 CONFIG_JUMP_LABEL=y
 CONFIG_CC_STACKPROTECTOR_STRONG=y
 CONFIG_MODULES=y
+CONFIG_TRIM_UNUSED_KSYMS=y
 # CONFIG_IOSCHED_DEADLINE is not set
 # CONFIG_IOSCHED_CFQ is not set
 CONFIG_SMP=y
 # CONFIG_X86_EXTENDED_PLATFORM is not set
 CONFIG_PROCESSOR_SELECT=y
 # CONFIG_CPU_SUP_CENTAUR is not set
-CONFIG_PREEMPT_VOLUNTARY=y
 CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y
 # CONFIG_X86_MCE_AMD is not set
 # CONFIG_PERF_EVENTS_INTEL_RAPL is not set
@@ -56,7 +57,6 @@ CONFIG_KEXEC_FILE=y
 CONFIG_PHYSICAL_ALIGN=0x1000000
 # CONFIG_MODIFY_LDT_SYSCALL is not set
 # CONFIG_SUSPEND is not set
-CONFIG_ACPI_VIDEO=y
 CONFIG_PCI_MSI=y
 # CONFIG_HT_IRQ is not set
 CONFIG_PCI_IOV=y
@@ -184,9 +184,7 @@ CONFIG_MFD_SYSCON=y
 CONFIG_DRM=y
 CONFIG_DRM_I915=y
 CONFIG_FB_VESA=y
-CONFIG_BACKLIGHT_LCD_SUPPORT=y
 # CONFIG_LCD_CLASS_DEVICE is not set
-CONFIG_BACKLIGHT_CLASS_DEVICE=y
 # CONFIG_BACKLIGHT_GENERIC is not set
 CONFIG_FRAMEBUFFER_CONSOLE=y
 CONFIG_USB=y
@@ -207,9 +205,7 @@ CONFIG_GENERIC_PHY=y
 # CONFIG_DMIID is not set
 CONFIG_GOOGLE_FIRMWARE=y
 CONFIG_GOOGLE_MEMCONSOLE_X86_LEGACY=y
-# CONFIG_EXT2_FS is not set
 CONFIG_EXT4_FS=y
-CONFIG_EXT4_USE_FOR_EXT2=y
 # CONFIG_DNOTIFY is not set
 # CONFIG_INOTIFY_USER is not set
 CONFIG_ISO9660_FS=y
@@ -218,7 +214,6 @@ CONFIG_MSDOS_FS=y
 CONFIG_VFAT_FS=y
 # CONFIG_PROC_SYSCTL is not set
 # CONFIG_PROC_PAGE_MONITOR is not set
-CONFIG_TMPFS=y
 # CONFIG_MISC_FILESYSTEMS is not set
 CONFIG_NLS_DEFAULT="utf8"
 CONFIG_NLS_CODEPAGE_437=y
@@ -238,13 +233,11 @@ CONFIG_STACKTRACE=y
 # CONFIG_DEBUG_BUGVERBOSE is not set
 # CONFIG_RCU_TRACE is not set
 # CONFIG_FTRACE is not set
-# CONFIG_STRICT_DEVMEM is not set
 # CONFIG_X86_VERBOSE_BOOTUP is not set
 # CONFIG_DOUBLEFAULT is not set
 CONFIG_IO_DELAY_0XED=y
 CONFIG_OPTIMIZE_INLINING=y
 # CONFIG_X86_DEBUG_FPU is not set
-CONFIG_HARDENED_USERCOPY=y
 CONFIG_CRYPTO_RSA=m
 CONFIG_CRYPTO_USER=y
 CONFIG_CRYPTO_MCRYPTD=m

Raw results Before: 28192 2956 -rw-r--r-- 1 user user 3023312 May 3 12:25 ./bzImage Now: 31097 2876 -rw-r--r-- 1 user user 2941392 May 26 10:46 ./bzImage Gain: 81.92Kb without LTO following this blog post.

Edit: Meanwhile, trying to upgrade the kernel breaks x230-flash board support because not enough space is available under CBFS on the 4MB flash chip alone.

LTO attempt is continuing under #730. Maybe extend the use to other tools being built, let's see...

Any help welcome!

@MrChromebox @Matthew-Bradley @merge @SebastianMcMillan ?

The goal of the 3 different commits linked to this issue is to show different use cases linked to previous discussions over Slack that happened in the past days.

We take #703 pipeline as a reference where the x230-hotp-maximized build output will serve as a reference for compressed saved space between feature deactivation.

This board has has the following board config initially, from which we will deactivate features to compare gained space.

Initially, this board is fully loaded with

FBWHIPTAIL(CAIRO) and dependencies
E1000E driver
HOTP (For HOTP remote attestation over Nitrokey/Librem Key USB Security dongles).
NKSTORECLI
GPG2

Here is an exerpt of used space:

"/root/project/build/coreboot-4.8.1/x230-hotp-maximized/cbfstool" "/root/project/build/coreboot-4.8.1/x230-hotp-maximized/coreboot.rom" print
Name                           Offset     Type           Size   Comp
cbfs master header             0x0        cbfs header        32 none
fallback/romstage              0x80       stage           84708 none
cpu_microcode_blob.bin         0x14c00    microcode       25600 none
fallback/ramstage              0x1b080    stage           81122 none
config                         0x2edc0    raw               768 none
revision                       0x2f100    raw               581 none
cmos_layout.bin                0x2f380    cmos_layout      1804 none
fallback/dsdt.aml              0x2fb00    raw             13646 none
fallback/payload               0x330c0    simple elf    7191492 none
(empty)                        0x70ecc0   null          4524824 none
bootblock                      0xb5f800   bootblock        1968 none

Where total size of the Heads linux payload itself: fallback/payload 0x330c0 simple elf 7191492 none
Where free room in defined CBFS region created for the coreboot rom in coreboot config for that board: (empty) 0x70ecc0 null 4524824 none

Now let's compare.

x230-hotp-maximized: testing compressed gain from removing E1000E and DROPBEAR (User side network tools for https://github.com/osresearch/heads/issues/590) where build output:

Name                           Offset     Type           Size   Comp
cbfs master header             0x0        cbfs header        32 none
fallback/romstage              0x80       stage           84708 none
cpu_microcode_blob.bin         0x14c00    microcode       25600 none
fallback/ramstage              0x1b080    stage           81123 none
config                         0x2edc0    raw               768 none
revision                       0x2f100    raw               581 none
cmos_layout.bin                0x2f380    cmos_layout      1804 none
fallback/dsdt.aml              0x2fb00    raw             13646 none
fallback/payload               0x330c0    simple elf    7028676 none
(empty)                        0x6e70c0   null          4687640 none
bootblock                      0xb5f800   bootblock        1968 none

x230-hotp-maximized: reverting network tools deactivation. Testing compressed gain from removing FBwhiptail support(Deactivating CAIRO and FBWHIPTAIL) and switching to SLANG and NEWT for console only output without fancyness for https://github.com/osresearch/heads/issues/590) where build output:

Name                           Offset     Type           Size   Comp
cbfs master header             0x0        cbfs header        32 none
fallback/romstage              0x80       stage           84708 none
cpu_microcode_blob.bin         0x14c00    microcode       25600 none
fallback/ramstage              0x1b080    stage           81122 none
config                         0x2edc0    raw               768 none
revision                       0x2f100    raw               581 none
cmos_layout.bin                0x2f380    cmos_layout      1804 none
fallback/dsdt.aml              0x2fb00    raw             13646 none
fallback/payload               0x330c0    simple elf    6910916 none
(empty)                        0x6ca4c0   null          4805400 none
bootblock                      0xb5f800   bootblock        1968 none

x230-hotp-maximized: Testing compressed gain from removing Whiptail altogether and switching back to generic-init for https://github.com/osresearch/heads/issues/590) where build output:

cbfs master header             0x0        cbfs header        32 none
fallback/romstage              0x80       stage           84708 none
cpu_microcode_blob.bin         0x14c00    microcode       25600 none
fallback/ramstage              0x1b080    stage           81110 none
config                         0x2edc0    raw               768 none
revision                       0x2f100    raw               581 none
cmos_layout.bin                0x2f380    cmos_layout      1804 none
fallback/dsdt.aml              0x2fb00    raw             13646 none
fallback/payload               0x330c0    simple elf    6588868 none
(empty)                        0x67bac0   null          5127448 none
bootblock                      0xb5f800   bootblock        1968 none

For comparison available in CI, the current X230-hotp-verification board, with E1000E and DROPBEAR already deactivated in tree build's log:

cbfs master header             0x0        cbfs header        32 none
fallback/romstage              0x80       stage           84708 none
cpu_microcode_blob.bin         0x14c00    microcode       25600 none
fallback/ramstage              0x1b080    stage           81111 none
config                         0x2edc0    raw               570 none
revision                       0x2f040    raw               581 none
cmos_layout.bin                0x2f2c0    cmos_layout      1804 none
fallback/dsdt.aml              0x2fa40    raw             13646 none
fallback/payload               0x33000    simple elf    6860228 none
(empty)                        0x6bde00   null           137688 none
bootblock                      0x6df800   bootblock        1968 none

As we can see from past reffered commit failing CI build failing log

E: Could not add [../../build/x230/bzImage, 7015364 bytes (6850 KB)@0x0]; too big?
E: Failed to add '../../build/x230/bzImage' into ROM image.
E: Failed while operating on 'COREBOOT' region!
E: The image will be left unmodified.
make[1]: *** [Makefile.inc:920: x230/coreboot.pre] Error 1
make[1]: Leaving directory '/root/project/build/coreboot-4.8.1'
tail /root/project/build/log/coreboot.log
-----
    CBFS       revision
x230/util/cbfstool/cbfstool x230/coreboot.pre.tmp add -f ./x230/build.h -n revision -t raw   -r COREBOOT   
printf "    CBFS       cmos.default\n"
    CBFS       cmos.default
x230/util/cbfstool/cbfstool x230/coreboot.pre.tmp add -f x230/mainboard/lenovo/x230/cbfs-file.I1T2KJ.out -n cmos.default -t cmos_default   -r COREBOOT   
printf "    CBFS       cmos_layout.bin\n"
    CBFS       cmos_layout.bin
x230/util/cbfstool/cbfstool x230/coreboot.pre.tmp add -f x230/cmos_layout.bin -n cmos_layout.bin -t cmos_layout   -r COREBOOT   
printf "    CBFS       fallback/dsdt.aml\n"
    CBFS       fallback/dsdt.aml
x230/util/cbfstool/cbfstool x230/coreboot.pre.tmp add -f x230/dsdt.aml -n fallback/dsdt.aml -t raw -c none  -r COREBOOT   
printf "    CBFS       fallback/payload\n"
    CBFS       fallback/payload
x230/util/cbfstool/cbfstool x230/coreboot.pre.tmp add-payload -f ../../build/x230/bzImage -n fallback/payload  -c none  -r COREBOOT   -C "intel_iommu=igfx_off quiet" -I "../../build/x230/initrd.cpio.xz"
E: Could not add [../../build/x230/bzImage, 7015364 bytes (6850 KB)@0x0]; too big?
E: Failed to add '../../build/x230/bzImage' into ROM image.
E: Failed while operating on 'COREBOOT' region!
E: The image will be left unmodified.
make[1]: *** [Makefile.inc:920: x230/coreboot.pre] Error 1

Where the x230 coreboot config specifies the maximal usable space without neutering ME of CONFIG_CBFS_SIZE=0x700000.

Let's note that x220 and x220/t420 current configs sets that limit to CONFIG_CBFS_SIZE=0x750000 which implies external ME neutering, where the x230 is not. Should we change that?

@flammit @Thrilleratplay

@tlaurion so basically we'd be splitting the xx20/30 boards into two versions:

1) stock IFD / BIOS region size - reduced capability, no networking, UI, etc 2) 'max' versions which assume modified IFD, cleaned/shrunk ME, etc - full capability

@tlaurion If you are only asking if the current xx20 CONFIG_CBFS_SIZE should be set to stock for these boards, I am not sure. This is roughly 3Mb. Is this enough for even the most striped down version of Heads? Maybe only have the xx20 maximum versions?

Also note, that these boards are not supported by 1vyrain and would have needed to have been flashed externally initially.

@tlaurion so basically we'd be splitting the xx20/30 boards into two versions:
1. stock IFD / BIOS region size - reduced capability, no networking, UI, etc
Well, the x230 board config is already reducing its functionalities to fit in stock BIOS region. So yes, no more DROPBEAR nor E1000E as of right now. That baseline was made to have x230-hotp-verification board, which could compile only from x230 version + HOTP.

I'm just letting eveyone know the challenges, and choices that are ahead of us in specializing boards with current force functionnalities since we rely on GPG for key generation, that GNU toolstack is huge and I wasn't able to reduce it further more. The same logic applied with FBWHIPTAIL and its WHIPTAIL equivalents for servers, as detailed in previous posts. I just thought that those extracted binaries in first posts were irrelevant for comparison, since what matters is their compressed sizes.

2. 'max' versions which assume modified IFD, cleaned/shrunk ME, etc - full capability

Correct.

@tlaurion If you are only asking if the current xx20 CONFIG_CBFS_SIZE should be set to stock for these boards, I am not sure. This is roughly 3Mb. Is this enough for even the most striped down version of Heads? Maybe only have the xx20 maximum versions?

Also note, that these boards are not supported by 1vyrain and would have needed to have been flashed externally initially.

Right. Forgot about that, but original ROM version was really small for x220 stock. We can imply that xx20 users are already well aware of those restrictions. Funny enough, the x230 base board limits to 7mb where x220 limits to 7.5mb. Consequently, the base boards (xx20 xx30) already differ in base functionalities. Like I said on slack to @flammit which proposed to maintain minimal boards, I will focus on adding functionalities and will stray away of the base boards which will probably soon enough requir features to be removed further more, or adjusted to have users do decisions they cannot do, or all those answers. We are drifting from having Heads accessible, which i'm strongly against.

As I raised the flag a while ago, it is really difficult to maintain mutliple versions and different toolstacks. More people are welcome, but we need to face the reality that new OSes install with LUKS2 which require new version of cryptsetup part of #893, which will result soon enough into cryptsetup2 module, which will require maximized versions. Or.... users, once again, technical and knowledgeable enough, to make aware choices of going into manual mode when partitionning hteir drives to force (forced kickstart at install or equivalent???) to force LUKS1 encrypted partition, or choose an older kernel or coreboot version to keep their xx20/board board... instead of moving to the -maximized ones. We are asking people (I'm in the consumer field) to do decisions they cannot do because they are not understanding those low levels choices. I think it is silly, I already answer 20+ questions a day and diagnosed, troubleshooted, documented and explained a lot of time (#897 #815 and others...) the joys of having the user play with different stock bios versions, not following instructions, bricking their devices, not following upgrade paths... I just want fwupd for everyone. And that requires CI builds for boards. And that requires blobs. And that requires space for developers to want to contribute... I'm tired of the same viscious circles and need a way out. -maximized boards are my way out. You can choose maintainership if you want and you would be more then welcome! :)

Note also that the stalled #709 wil lalso required available space. So there will be a need to minimize the base boards and a choice to continue supporting those from community members. Otherwise, as @flammit said, we wil lbe able to bring back gpg1 still in modules and require users to generate their 4096 bits keys outside and import their public key inside of heads, modify the scripts to valide which version of modules is used etc.... Which means more maintainserhip, not less, on which I do not personally agree from lack of time already.

So this opens the debate on where to go from now for the base boards and who will take the lead into pursuing space reduction or feature reduction when CI builds will start to fail. My only option at that point will be to remove those boards from CI.

@tlaurion Something that needs to be defined is "what is included in the stock builds"?. For the sake of argument, lets say Heads is stripped down to just a Linux payload. No encryption functionality, no e1000, module, no dropbear, no fbwhiptail, and maybe no flashrom. Basically, drops to a shell and the user would run a kexec command to boot from the hard drive or usb or whatever. Would Heads fit within the 3Mb? If so, how close because if I remember correctly, the Linux 5.x kernel is larger. With such a limited space, what is the possible longevity of this build if the most fundamental part of Heads will not fit?

Would the stock builds be the same for xx20 and xx30 boards given the significant difference in available space? I would suspect yes, so a break down of features added to each build would need to be added to the documentation.

The flip side to these questions are "what can be remove?". How basic can Heads become and still be considered Heads? While the idea of removing all of the security functionality may sound ludicrous to you, it was something I was going thinking about building for myself. I miss the days when you flip a switch on a VIC20 and get a prompt almost instantly; security wouldn't be moved to the BIOS, it would not be user friendly, but turning on my computer and getting a prompt in 2 seconds sounds damn sexy to me. However, this would no longer be Heads at this point. So a line in the sand must be drawn saying that Heads must include certain functionality to be called Heads if the hardware supports it. Heads for a X200 does not need to include TPM functionality as the device doesn't support it.

To give concrete details to this discussion, all you would need to do is disable the UI bits and that gives you enough space for everything else (including cryptsetup2 and gpg2) to fit into a 6.4M payload which fits for standard x230 and ME-shrunked x220 (seems like the only route for that hardware) and 600k of free space to play with on an x230. (Note: there are other combinations of configs that work as well if you consider gpg1).

If that's not a trade off that is acceptable to you as the x230 hardware owner (no luck for x220 yet), there's a perfectly reasonable alternative by installing the "max" version.

Just based on my quick tests past last hour, I think if you clean up the kernel config to remove the networking bits (not relevant for laptop boot), you can also fit in the UI bits with at least 300k of space for user config. It's tight but it doesn't seem like there's really a problem.

Then again if there's a need for even more space for future features/modules, it can be accommodated in the "max" version.

Just based on my quick tests past last hour, I think if you clean up the kernel config to remove the networking bits (not relevant for laptop boot), you can also fit in the UI bits with at least 300k of space for user config. It's tight but it doesn't seem like there's really a problem.

Then again if there's a need for even more space for future features/modules, it can be accommodated in the "max" version.

@flammit: please revive https://github.com/osresearch/heads/issues/564, that was investigated with some effort in the past and for which conclusions are the original post: remove networking ( #564 ), with corresponding PR attempt to remove networking with cleanup ( #572 ) while cryptsetup seemed to depend on CONFIG_NET and some explicit crypto modules in the past ( #79 ), while putting CONFIG_LINUX_E1000E=n in board config liberates 295688 bytes. @merge : Is that enough?

@tlaurion Something that needs to be defined is "what is included in the stock builds"?. For the sake of argument, lets say Heads is stripped down to just a Linux payload. No encryption functionality, no e1000, module, no dropbear, no fbwhiptail, and maybe no flashrom. Basically, drops to a shell and the user would run a kexec command to boot from the hard drive or usb or whatever. Would Heads fit within the 3Mb? If so, how close because if I remember correctly, the Linux 5.x kernel is larger. With such a limited space, what is the possible longevity of this build if the most fundamental part of Heads will not fit?

Would the stock builds be the same for xx20 and xx30 boards given the significant difference in available space? I would suspect yes, so a break down of features added to each build would need to be added to the documentation.

The flip side to these questions are "what can be remove?". How basic can Heads become and still be considered Heads? While the idea of removing all of the security functionality may sound ludicrous to you, it was something I was going thinking about building for myself. I miss the days when you flip a switch on a VIC20 and get a prompt almost instantly; security wouldn't be moved to the BIOS, it would not be user friendly, but turning on my computer and getting a prompt in 2 seconds sounds damn sexy to me. However, this would no longer be Heads at this point. So a line in the sand must be drawn saying that Heads must include certain functionality to be called Heads if the hardware supports it. Heads for a X200 does not need to include TPM functionality as the device doesn't support it.

I invite you @flammit @Thrilleratplay both to jump into #818. (sooner then later this time :) )

I think the simplest from now on, to check for x220 space limitations, is to follow xx30 boards already in CI, which informs us quite quickly of the compressed CBFS space still available.

For example, busybox 1.32 inclusion PR ( #900 ) CI's x230 board build informs us that:

"/root/project/build/coreboot-4.8.1/x230/cbfstool" "/root/project/build/coreboot-4.8.1/x230/coreboot.rom" print
Name                           Offset     Type           Size   Comp
cbfs master header             0x0        cbfs header        32 none
fallback/romstage              0x80       stage           85188 none
cpu_microcode_blob.bin         0x14dc0    microcode       25600 none
fallback/ramstage              0x1b240    stage           81881 none
config                         0x2f280    raw               589 none
revision                       0x2f540    raw               581 none
cmos.default                   0x2f7c0    cmos_default      256 none
cmos_layout.bin                0x2f900    cmos_layout      1804 none
fallback/dsdt.aml              0x30080    raw             13646 none
fallback/payload               0x33640    simple elf    6863812 none
(empty)                        0x6bf240   null           131480 none
bootblock                      0x6df400   bootblock        3000 none

From this point of time, Heads payload consumes 6863812 and leaves us 131480 to play with, after which the CBFS region of 7mb will be filled. This is interesting to follow and could be used as a deprecation warning and need of changes, since the xx20 has 7.5mb to play with, and will tolerate more changes before failing (and is not under CI for regression validation and ROM production at each merged commit).

Where last master commit CircleCI build of x230 board:

touch /root/project/build/coreboot-4.8.1/x230/.build 
"/root/project/build/coreboot-4.8.1/x230/cbfstool" "/root/project/build/coreboot-4.8.1/x230/coreboot.rom" print
Name                           Offset     Type           Size   Comp
cbfs master header             0x0        cbfs header        32 none
fallback/romstage              0x80       stage           85188 none
cpu_microcode_blob.bin         0x14dc0    microcode       25600 none
fallback/ramstage              0x1b240    stage           81876 none
config                         0x2f280    raw               589 none
revision                       0x2f540    raw               581 none
cmos.default                   0x2f7c0    cmos_default      256 none
cmos_layout.bin                0x2f900    cmos_layout      1804 none
fallback/dsdt.aml              0x30080    raw             13646 none
fallback/payload               0x33640    simple elf    6851524 none
(empty)                        0x6bc240   null           143768 none
bootblock                      0x6df400   bootblock        3000 none
2020-12-03 22:12:25+00:00 INSTALL   build/coreboot-4.8.1/x230/coreboot.rom => build/x230/heads-x230-v0.2.0-972-g671522e.rom

So a change from 6851524 -> 6863812 in consumed compressed space. Coherent reduction of free space being 143768 -> 131480 being useable.

TL;DR: when x230 board will start to fail building in CI, this will be the sign that some modules will need to be removed even more and modules, specialized, or when users will need to consider moving away of basic boards to their maximized counterpart.

Apologies is this is patently obvious but isn't the most obvious thing to do is to set the -Os flag in gcc? Currently the Makefiles all use the -O2 flag. Using GPG2 as my test, I manually patched all the generated Makefiles using

find . | grep "Makefile" | grep -v "Makefile." | xargs sed -i 's/O2/Os/g'

and running make, which yielded about 15% space reduction in the gpg2 binary and about 5% in the scdaemon and 5% in gpg-agent. Is there some limitation (breaking reproducibility? just really hard to patch the makefiles?) preventhing this?

find . | grep "Makefile" | grep -v "Makefile." | xargs sed -i 's/O2/Os/g'

@aesrentai excellent insight! Yes, this would require creation of patches under patches/* to patch all related Makefiles after decompresion of the archives and prior of compilation.

On reproducibility, as far as I know, since musl-cross-make is used to create the final binaries, it should be a magic gain without impact. Note that kernel modules are stripped prior of being injected into modules.cpio and prior en compression of that cpio into modules.cpio.xz

Do you have a PoC of this?

Quick test i'm doing locally right now:

make BOARD=t430-hotp-verification modules.clean
find . | grep "Makefile" | grep -v "Makefile." | xargs sed -i 's/O2/Os/g'
make BOARD=t430-hotp-verification

Before:

FMAP REGION: COREBOOT
Name                           Offset     Type           Size   Comp
cbfs master header             0x0        cbfs header        32 none
fallback/romstage              0x80       stage           87948 none
fallback/ramstage              0x15880    stage           99973 none
config                         0x2df40    raw               684 none
revision                       0x2e240    raw               690 none
fallback/dsdt.aml              0x2e540    raw             14609 none
cmos.default                   0x31ec0    cmos_default      256 none
vbt.bin                        0x32000    raw              1409 LZMA (4459 decompressed)
cmos_layout.bin                0x325c0    cmos_layout      1980 none
fallback/postcar               0x32dc0    stage           27288 none
fallback/payload               0x398c0    simple elf    6854599 none
(empty)                        0x6c30c0   null           117976 none
bootblock                      0x6dfdc0   bootblock       65536 none

After:

FMAP REGION: COREBOOT
Name                           Offset     Type           Size   Comp
cbfs master header             0x0        cbfs header        32 none
fallback/romstage              0x80       stage           87948 none
fallback/ramstage              0x15880    stage           99973 none
config                         0x2df40    raw               684 none
revision                       0x2e240    raw               690 none
fallback/dsdt.aml              0x2e540    raw             14609 none
cmos.default                   0x31ec0    cmos_default      256 none
vbt.bin                        0x32000    raw              1409 LZMA (4459 decompressed)
cmos_layout.bin                0x325c0    cmos_layout      1980 none
fallback/postcar               0x32dc0    stage           27288 none
fallback/payload               0x398c0    simple elf    6839751 none
(empty)                        0x6bf6c0   null           132824 none
bootblock                      0x6dfdc0   bootblock       65536 none

With:

user@heads-tests:~/heads/build/x230-hotp-maximized$ git diff
diff --git a/modules/cairo b/modules/cairo
index 647ed2ca..217137c0 100644
--- a/modules/cairo
+++ b/modules/cairo
@@ -8,7 +8,7 @@ cairo_hash := 8c90f00c500b2299c0a323dd9beead2a00353752b2092ead558139bd67f7bf16

 cairo_configure := \
        $(CROSS_TOOLS) \
-       CFLAGS="-DCAIRO_NO_MUTEX=1 -O3"  \
+       CFLAGS="-DCAIRO_NO_MUTEX=1 -O2"  \
        ./configure \
         --host i386-elf-linux \
        --prefix="/" \

Before: 3434539 740 -rwx------ 1 user user 757232 Feb 21 16:48 ./lib/libcairo.so.2 After: 284396 740 -rwx------ 1 user user 757232 Feb 21 17:08 ./lib/libcairo.so.2

diff --git a/modules/pixman b/modules/pixman
index 65a2e200..b8202672 100644
--- a/modules/pixman
+++ b/modules/pixman
@@ -8,6 +8,7 @@ pixman_hash := 21b6b249b51c6800dc9553b65106e1e37d0e25df942c90531d4c3997aa20a88e

 pixman_configure := \
        $(CROSS_TOOLS) \
+       CFLAGS="-O2"  \
        ./configure \
         --host i386-elf-linux \
        --prefix="/" \

Before: 3434550 652 -rwx------ 1 user user 666216 Feb 21 16:48 ./lib/libpixman-1.so.0

After: 284407 652 -rwx------ 1 user user 666216 Feb 21 17:08 ./lib/libpixman-1.so.0

diff --git a/modules/cairo b/modules/cairo
index 647ed2ca..7fc92331 100644
--- a/modules/cairo
+++ b/modules/cairo
@@ -8,7 +8,7 @@ cairo_hash := 8c90f00c500b2299c0a323dd9beead2a00353752b2092ead558139bd67f7bf16

 cairo_configure := \
    $(CROSS_TOOLS) \
-   CFLAGS="-DCAIRO_NO_MUTEX=1 -O3"  \
+   CFLAGS="-DCAIRO_NO_MUTEX=1 -Os"  \
    ./configure \
         --host i386-elf-linux \
    --prefix="/" \
diff --git a/modules/libpng b/modules/libpng
index e5c3d718..8debbda4 100644
--- a/modules/libpng
+++ b/modules/libpng
@@ -8,6 +8,7 @@ libpng_hash := 574623a4901a9969080ab4a2df9437026c8a87150dfd5c235e28c94b212964a7

 libpng_configure := \
    $(CROSS_TOOLS) \
+   CFLAGS="-Os" \
    ./configure \
         --host i386-elf-linux \
    --prefix="/" \
diff --git a/modules/pixman b/modules/pixman
index 65a2e200..e7ec1bd8 100644
--- a/modules/pixman
+++ b/modules/pixman
@@ -8,6 +8,7 @@ pixman_hash := 21b6b249b51c6800dc9553b65106e1e37d0e25df942c90531d4c3997aa20a88e

 pixman_configure := \
    $(CROSS_TOOLS) \
+   CFLAGS="-Os"  \
    ./configure \
         --host i386-elf-linux \
    --prefix="/" \
diff --git a/modules/tpmtotp b/modules/tpmtotp
index 433df8ce..1ce561d0 100644
--- a/modules/tpmtotp
+++ b/modules/tpmtotp
@@ -13,7 +13,7 @@ tpmtotp_hash := 1082f2b0e4af833e04220dddedcc21a39eb39ee4dc5668bb010e7bcc795c606c

 tpmtotp_target := \
    $(CROSS_TOOLS) \
-   CFLAGS="-I$(INSTALL)/include" \
+   CFLAGS="-I$(INSTALL)/include -Os" \
    LDFLAGS="-L$(INSTALL)/lib" \

 tpmtotp_output := \
diff --git a/modules/zlib b/modules/zlib
index dbdb44e3..b1d2adf5 100644
--- a/modules/zlib
+++ b/modules/zlib
@@ -9,6 +9,7 @@ zlib_hash := c3e5e9fdd5004dcb542feda5ee4f0ff0744628baf8ed2dd5d66f8ca1197cb1a1

 zlib_configure := \
    $(CROSS_TOOLS) \
+   CFLAGS="-Os" \
    ./configure \
    --prefix="/" \

xz -d initrd.cpio.xz ; for i in initrd.cpio modules.cpio tools.cpio heads.cpio; do cpio -i < $i; done && find . -type f -ls | sort -r -n -k7 |grep -v cpio

Before :

3434331  12288 -rw-r--r--   1 user     user     12582912 Feb 21 12:56 ./heads-x230-hotp-maximized-v0.2.1.bis2-35-g3fabfa20-dirty.rom
  3434335   8192 -rw-r--r--   1 user     user      8388608 Feb 21 12:56 ./heads-x230-hotp-maximized-v0.2.1.bis2-35-g3fabfa20-dirty-bottom.rom
  3424621   8192 -rw-r--r--   1 user     user      8388608 Feb 17 12:34 ./heads-x230-hotp-maximized-v0.2.1.bis2-32-g9fd9c0d4-dirty-bottom.rom
  3434336   4096 -rw-r--r--   1 user     user      4194304 Feb 21 12:56 ./heads-x230-hotp-maximized-v0.2.1.bis2-35-g3fabfa20-dirty-top.rom
  3424622   4096 -rw-r--r--   1 user     user      4194304 Feb 17 12:34 ./heads-x230-hotp-maximized-v0.2.1.bis2-32-g9fd9c0d4-dirty-top.rom
  3423309   2956 -rw-r--r--   1 user     user      3023312 Feb 21 12:41 ./bzImage
  3434095   1592 -rwx------   1 user     user      1627856 Feb 21 16:48 ./bin/lvm
  3434542   1136 -rwx------   1 user     user      1160520 Feb 21 16:48 ./lib/libgcrypt.so.20
  3434052    896 -rwx------   1 user     user       915328 Feb 21 16:48 ./bin/gpg
  3434539    740 -rwx------   1 user     user       757232 Feb 21 16:48 ./lib/libcairo.so.2
  3434550    652 -rwx------   1 user     user       666216 Feb 21 16:48 ./lib/libpixman-1.so.0
  3434538    584 -rwx------   1 user     user       596544 Feb 21 16:48 ./lib/libc.so
  3434046    568 -rwx------   1 user     user       580568 Feb 21 16:48 ./bin/flashrom
  3434010    496 -rwx------   1 user     user       507776 Feb 21 16:48 ./bin/busybox
  3434540    456 -rwx------   1 user     user       464560 Feb 21 16:48 ./lib/libcryptsetup.so.12
  3434455    408 -rwx------   1 user     user       416040 Feb 21 16:48 ./bin/scdaemon
  3434053    372 -rwx------   1 user     user       380120 Feb 21 16:48 ./bin/gpg-agent
  3434554    332 -rwx------   1 user     user       339304 Feb 21 16:48 ./lib/libtpm.so
  3434541    328 -rwx------   1 user     user       333240 Feb 21 16:48 ./lib/libdevmapper.so.1.02
  3434546    320 -rwx------   1 user     user       325104 Feb 21 16:48 ./lib/libmbedcrypto.so.0
  3434559    300 -rw-------   1 user     user       304272 Feb 21 16:48 ./lib/modules/e1000e.ko
  3434537    268 -rwx------   1 user     user       271040 Feb 21 16:48 ./lib/libblkid.so.1
  3434545    252 -rwx------   1 user     user       256376 Feb 21 16:48 ./lib/libksba.so.8
  3434551    204 -rwx------   1 user     user       207912 Feb 21 16:48 ./lib/libpng16.so.16
  3434034    184 -rwx------   1 user     user       184824 Feb 21 16:48 ./bin/dropbear
  3434473    176 -rwx------   1 user     user       176408 Feb 21 16:48 ./bin/ssh
  3434071    168 -rwx------   1 user     user       170984 Feb 21 16:48 ./bin/kexec
  3434563    160 -rw-------   1 user     user       159840 Feb 21 16:48 ./lib/modules/xhci-hcd.ko
  3434033    136 -rwx------   1 user     user       137464 Feb 21 16:48 ./bin/dmsetup
  3434562    132 -rw-------   1 user     user       132360 Feb 21 16:48 ./lib/modules/usb-storage.ko
  3434543    128 -rwx------   1 user     user       130000 Feb 21 16:48 ./lib/libgpg-error.so.0
  3434489    124 -rwx------   1 user     user       126584 Feb 21 16:48 ./bin/tpm
  3434023    116 -rwx------   1 user     user       115192 Feb 21 16:48 ./bin/cryptsetup
  3434558    108 -rwx------   1 user     user       108832 Feb 21 16:48 ./lib/libz.so.1
  3434556     96 -rwx------   1 user     user        96896 Feb 21 16:48 ./lib/libusb-1.0.so.0
  3434024     88 -rwx------   1 user     user        87968 Feb 21 16:48 ./bin/cryptsetup-reencrypt
  3434544     80 -rwx------   1 user     user        81024 Feb 21 16:48 ./lib/libjson-c.so.5
  3434536     76 -rwx------   1 user     user        76736 Feb 21 16:48 ./lib/libassuan.so.0
  3434092     72 -rwx------   1 user     user        73600 Feb 21 16:48 ./bin/lspci
  3434560     64 -rw-------   1 user     user        64800 Feb 21 16:48 ./lib/modules/ehci-hcd.ko
  3434549     52 -rwx------   1 user     user        52272 Feb 21 16:48 ./lib/libpci.so.3.5.4
  3434548     52 -rwx------   1 user     user        52272 Feb 21 16:48 ./lib/libpci.so.3
  3434116     52 -rwx------   1 user     user        52200 Feb 21 16:48 ./bin/pinentry-tty
  3434042     52 -rwx------   1 user     user        51616 Feb 21 16:48 ./bin/fbwhiptail
  3434552     48 -rwx------   1 user     user        48088 Feb 21 16:48 ./lib/libpopt.so.0
  3434553     48 -rwx------   1 user     user        47448 Feb 21 16:48 ./lib/libqrencode.so.3
  3434506     48 -rwx------   1 user     user        45264 Feb 21 16:48 ./bin/veritysetup
  3434068     32 -rwx------   1 user     user        29944 Feb 21 16:48 ./bin/hotp_verification
  3434523     28 -rw-------   1 user     user        27936 Feb 21 16:48 ./etc/distro/keys/tails.key
  3434016     28 -rwx------   1 user     user        27048 Feb 21 16:48 ./bin/cbmem
  3434456     24 -rwx------   1 user     user        22664 Feb 21 16:48 ./bin/scp
  3434048     24 -rwx------   1 user     user        22432 Feb 21 16:48 ./bin/flashtool
  3434555     20 -rwx------   1 user     user        18464 Feb 21 16:48 ./lib/libusb-0.1.so.4
  3434058     20 -rwx------   1 user     user        18412 Feb 21 16:48 ./bin/gui-init
  3434014     20 -rwx------   1 user     user        18352 Feb 21 16:48 ./bin/cbfs
  3434494     20 -rwx------   1 user     user        18320 Feb 21 16:48 ./bin/uefi
  3434110     16 -rwx------   1 user     user        15960 Feb 21 16:48 ./bin/oem-factory-reset
  3434557     16 -rwx------   1 user     user        14656 Feb 21 16:48 ./lib/libuuid.so.1
  3434547     16 -rwx------   1 user     user        14552 Feb 21 16:48 ./lib/libnpth.so.0
  3434444     16 -rwx------   1 user     user        14200 Feb 21 16:48 ./bin/poke
  3434520     12 -rw-------   1 user     user        10955 Feb 21 16:48 ./etc/distro/keys/fedora.key
  3434561     12 -rw-------   1 user     user        10728 Feb 21 16:48 ./lib/modules/ehci-pci.ko
  3434564     12 -rw-------   1 user     user        10568 Feb 21 16:48 ./lib/modules/xhci-pci.ko
  3423306     12 -rw-r--r--   1 user     user        10159 Feb 21 12:56 ./hashes.txt
  3434113     12 -rwx------   1 user     user        10096 Feb 21 16:48 ./bin/peek
  3434005     12 -rwx------   1 user     user        10088 Feb 21 16:48 ./bin/base32
  3434487     12 -rwx------   1 user     user        10048 Feb 21 16:48 ./bin/totp
  3434066     12 -rwx------   1 user     user        10024 Feb 21 16:48 ./bin/hotp
  3434080     12 -rwx------   1 user     user         9891 Feb 21 16:48 ./bin/kexec-select-boot
  3434054     12 -rwx------   1 user     user         9003 Feb 21 16:48 ./bin/gpg-gui.sh
  3434525     12 -rwx------   1 user     user         8388 Feb 21 16:48 ./etc/functions
  3434449      8 -rwx------   1 user     user         5912 Feb 21 16:48 ./bin/qrenc
  3434045      8 -rwx------   1 user     user         5268 Feb 21 16:48 ./bin/flash.sh
  3434020      8 -rwx------   1 user     user         5030 Feb 21 16:48 ./bin/config-gui.sh
  3434079      8 -rwx------   1 user     user         4195 Feb 21 16:48 ./bin/kexec-seal-key
  3434533      4 -rwx------   1 user     user         3891 Feb 21 16:48 ./init
  3434076      4 -rwx------   1 user     user         3785 Feb 21 16:48 ./bin/kexec-parse-boot
  3434103      4 -rwx------   1 user     user         3510 Feb 21 16:48 ./bin/mount-usb
  3434077      4 -rwx------   1 user     user         3408 Feb 21 16:48 ./bin/kexec-save-default
  3434457      4 -rwx------   1 user     user         3381 Feb 21 16:48 ./bin/seal-hotpkey
  3434072      4 -rwx------   1 user     user         3118 Feb 21 16:48 ./bin/kexec-boot
  3434522      4 -rw-------   1 user     user         3078 Feb 21 16:48 ./etc/distro/keys/qubes-testing.key
  3434044      4 -rwx------   1 user     user         2557 Feb 21 16:48 ./bin/flash-gui.sh
  3434073      4 -rwx------   1 user     user         2344 Feb 21 16:48 ./bin/kexec-insert-key
  3434504      4 -rwx------   1 user     user         2101 Feb 21 16:48 ./bin/usb-scan
  3434075      4 -rwx------   1 user     user         2059 Feb 21 16:48 ./bin/kexec-parse-bls
  3434458      4 -rwx------   1 user     user         2026 Feb 21 16:48 ./bin/seal-totp
  3434081      4 -rwx------   1 user     user         1909 Feb 21 16:48 ./bin/kexec-sign-config
  3434527      4 -rwx------   1 user     user         1888 Feb 21 16:48 ./etc/gui_functions
  3434499      4 -rwx------   1 user     user         1838 Feb 21 16:48 ./bin/unseal-hotp
  3434519      4 -rw-------   1 user     user         1725 Feb 21 16:48 ./etc/distro/keys/archlinux.key
  3434078      4 -rwx------   1 user     user         1677 Feb 21 16:48 ./bin/kexec-save-key
  3434521      4 -rw-------   1 user     user         1629 Feb 21 16:48 ./etc/distro/keys/qubes-4.key
  3434074      4 -rwx------   1 user     user         1430 Feb 21 16:48 ./bin/kexec-iso-init
  3434565      4 -rwx------   1 user     user         1373 Feb 21 16:48 ./mount-boot
  3434050      4 -rwx------   1 user     user         1299 Feb 21 16:48 ./bin/generic-init
  3421973      4 -rw-------   1 user     user         1247 Feb 21 16:48 ./.ash_history
  3434106      4 -rwx------   1 user     user         1244 Feb 21 16:48 ./bin/network-init-recovery
  3434067      4 -rwx------   1 user     user         1087 Feb 21 16:48 ./bin/hotp_initialize
  3434082      4 -rwx------   1 user     user         1044 Feb 21 16:48 ./bin/kexec-unseal-key
  2641524      4 -rwx------   1 user     user         1000 Feb 21 16:48 ./sbin/insmod
  2641513      4 -rwx------   1 user     user          922 Feb 21 16:48 ./sbin/config-dhcp.sh
  3434015      4 -rwx------   1 user     user          799 Feb 21 16:48 ./bin/cbfs-init
  3434083      4 -rwx------   1 user     user          770 Feb 21 16:48 ./bin/key-init
  3434490      4 -rwx------   1 user     user          694 Feb 21 16:48 ./bin/tpm-reset
  3434495      4 -rwx------   1 user     user          661 Feb 21 16:48 ./bin/uefi-init
  3434500      4 -rwx------   1 user     user          634 Feb 21 16:48 ./bin/unseal-totp
  3434518      4 -rw-------   1 user     user          625 Feb 21 16:48 ./etc/config
  3434512      4 -rwx------   1 user     user          574 Feb 21 16:48 ./bin/x230-flash.init
  3434479      4 -rwx------   1 user     user          574 Feb 21 16:48 ./bin/t430-flash.init
  3434450      4 -rwx------   1 user     user          538 Feb 21 16:48 ./bin/qubes-measure-luks
  3434047      4 -rwx------   1 user     user          360 Feb 21 16:48 ./bin/flashrom-kgpe-d16-openbmc.sh
  3434510      4 -rwx------   1 user     user          320 Feb 21 16:48 ./bin/wget-measure.sh
  3434451      4 -rwx------   1 user     user          258 Feb 21 16:48 ./bin/reboot
  3434503      4 -rwx------   1 user     user          220 Feb 21 16:48 ./bin/usb-init
  3434445      4 -rwx------   1 user     user          205 Feb 21 16:48 ./bin/poweroff
  3434524      4 -rw-------   1 user     user          197 Feb 21 16:48 ./etc/fstab
  3434529      4 -rw-------   1 user     user          174 Feb 21 16:48 ./etc/motd
  3434055      4 -rwx------   1 user     user          106 Feb 21 16:48 ./bin/gpgv
  3433998      4 -rw-------   1 user     user           73 Feb 21 16:48 ./.gnupg/gpg-agent.conf
  3434511      4 -rwx------   1 user     user           35 Feb 21 16:48 ./bin/whiptail
  3434532      4 -rw-------   1 user     user           27 Feb 21 16:48 ./etc/shells
  3434531      4 -rw-------   1 user     user           27 Feb 21 16:48 ./etc/passwd
  3434528      4 -rw-------   1 user     user           20 Feb 21 16:48 ./etc/hosts
  3434526      4 -rw-------   1 user     user           10 Feb 21 16:48 ./etc/group
  3433999      4 -rw-------   1 user     user           10 Feb 21 16:48 ./.gnupg/gpg.conf
   666243      0 -rw-------   1 user     user            0 Feb 21 16:48 ./run/cryptsetup/.placeholder

After:

   281273  12288 -rw-r--r--   1 user     user     12582912 Feb 21 17:53 ./heads-x230-hotp-maximized-v0.2.1.bis2-31-g0670bcd1-dirty.rom
   281274   8192 -rw-r--r--   1 user     user      8388608 Feb 21 17:53 ./heads-x230-hotp-maximized-v0.2.1.bis2-31-g0670bcd1-dirty-bottom.rom
   281275   4096 -rw-r--r--   1 user     user      4194304 Feb 21 17:53 ./heads-x230-hotp-maximized-v0.2.1.bis2-31-g0670bcd1-dirty-top.rom
   281230   2956 -rw-r--r--   1 user     user      3023312 Feb 21 17:49 ./bzImage
   281372   1592 -rwx------   1 user     user      1627856 Feb 21 17:56 ./bin/lvm
   281498   1136 -rwx------   1 user     user      1160520 Feb 21 17:56 ./lib/libgcrypt.so.20
   281329    896 -rwx------   1 user     user       915328 Feb 21 17:56 ./bin/gpg
   281494    584 -rwx------   1 user     user       596544 Feb 21 17:56 ./lib/libc.so
   281323    568 -rwx------   1 user     user       580568 Feb 21 17:56 ./bin/flashrom
   281506    560 -rwx------   1 user     user       572016 Feb 21 17:56 ./lib/libpixman-1.so.0
   281287    496 -rwx------   1 user     user       507776 Feb 21 17:56 ./bin/busybox
   281495    480 -rwx------   1 user     user       491024 Feb 21 17:56 ./lib/libcairo.so.2
   281496    456 -rwx------   1 user     user       464560 Feb 21 17:56 ./lib/libcryptsetup.so.12
   281407    408 -rwx------   1 user     user       416040 Feb 21 17:56 ./bin/scdaemon
   281330    372 -rwx------   1 user     user       380120 Feb 21 17:56 ./bin/gpg-agent
   281497    328 -rwx------   1 user     user       333240 Feb 21 17:56 ./lib/libdevmapper.so.1.02
   281502    320 -rwx------   1 user     user       325104 Feb 21 17:56 ./lib/libmbedcrypto.so.0
   281510    308 -rwx------   1 user     user       314728 Feb 21 17:56 ./lib/libtpm.so
   400850    300 -rw-------   1 user     user       304272 Feb 21 17:56 ./lib/modules/e1000e.ko
   281493    268 -rwx------   1 user     user       271040 Feb 21 17:56 ./lib/libblkid.so.1
   281501    252 -rwx------   1 user     user       256376 Feb 21 17:56 ./lib/libksba.so.8
   281311    184 -rwx------   1 user     user       184824 Feb 21 17:56 ./bin/dropbear
   281425    176 -rwx------   1 user     user       176408 Feb 21 17:56 ./bin/ssh
   281507    168 -rwx------   1 user     user       171032 Feb 21 17:56 ./lib/libpng16.so.16
   281348    168 -rwx------   1 user     user       170984 Feb 21 17:56 ./bin/kexec
   400854    160 -rw-------   1 user     user       159840 Feb 21 17:56 ./lib/modules/xhci-hcd.ko
   281310    136 -rwx------   1 user     user       137464 Feb 21 17:56 ./bin/dmsetup
   400853    132 -rw-------   1 user     user       132360 Feb 21 17:56 ./lib/modules/usb-storage.ko
   281499    128 -rwx------   1 user     user       130000 Feb 21 17:56 ./lib/libgpg-error.so.0
   281441    116 -rwx------   1 user     user       118392 Feb 21 17:56 ./bin/tpm
   281300    116 -rwx------   1 user     user       115192 Feb 21 17:56 ./bin/cryptsetup
   281512     96 -rwx------   1 user     user        96896 Feb 21 17:56 ./lib/libusb-1.0.so.0
   281301     88 -rwx------   1 user     user        87968 Feb 21 17:56 ./bin/cryptsetup-reencrypt
   281500     80 -rwx------   1 user     user        81024 Feb 21 17:56 ./lib/libjson-c.so.5
   281492     76 -rwx------   1 user     user        76736 Feb 21 17:56 ./lib/libassuan.so.0
   281514     76 -rwx------   1 user     user        76040 Feb 21 17:56 ./lib/libz.so.1
   281369     72 -rwx------   1 user     user        73600 Feb 21 17:56 ./bin/lspci
   400851     64 -rw-------   1 user     user        64800 Feb 21 17:56 ./lib/modules/ehci-hcd.ko
   281505     52 -rwx------   1 user     user        52272 Feb 21 17:56 ./lib/libpci.so.3.5.4
   281504     52 -rwx------   1 user     user        52272 Feb 21 17:56 ./lib/libpci.so.3
   281393     52 -rwx------   1 user     user        52200 Feb 21 17:56 ./bin/pinentry-tty
   281319     52 -rwx------   1 user     user        51616 Feb 21 17:56 ./bin/fbwhiptail
   281508     48 -rwx------   1 user     user        48088 Feb 21 17:56 ./lib/libpopt.so.0
   281509     48 -rwx------   1 user     user        47448 Feb 21 17:56 ./lib/libqrencode.so.3
   281458     48 -rwx------   1 user     user        45264 Feb 21 17:56 ./bin/veritysetup
   281345     32 -rwx------   1 user     user        29944 Feb 21 17:56 ./bin/hotp_verification
   281478     28 -rw-------   1 user     user        27936 Feb 21 17:56 ./etc/distro/keys/tails.key
   281293     28 -rwx------   1 user     user        27048 Feb 21 17:56 ./bin/cbmem
   281408     24 -rwx------   1 user     user        22664 Feb 21 17:56 ./bin/scp
   281325     24 -rwx------   1 user     user        22432 Feb 21 17:56 ./bin/flashtool
   281511     20 -rwx------   1 user     user        18464 Feb 21 17:56 ./lib/libusb-0.1.so.4
   281335     20 -rwx------   1 user     user        18412 Feb 21 17:56 ./bin/gui-init
   281291     20 -rwx------   1 user     user        18352 Feb 21 17:56 ./bin/cbfs
   281446     20 -rwx------   1 user     user        18320 Feb 21 17:56 ./bin/uefi
   281387     16 -rwx------   1 user     user        15960 Feb 21 17:56 ./bin/oem-factory-reset
   281513     16 -rwx------   1 user     user        14656 Feb 21 17:56 ./lib/libuuid.so.1
   281503     16 -rwx------   1 user     user        14552 Feb 21 17:56 ./lib/libnpth.so.0
   281396     16 -rwx------   1 user     user        14200 Feb 21 17:56 ./bin/poke
   281475     12 -rw-------   1 user     user        10955 Feb 21 17:56 ./etc/distro/keys/fedora.key
   281229     12 -rw-r--r--   1 user     user        10865 Feb 21 17:53 ./hashes.txt
   400852     12 -rw-------   1 user     user        10728 Feb 21 17:56 ./lib/modules/ehci-pci.ko
   400855     12 -rw-------   1 user     user        10568 Feb 21 17:56 ./lib/modules/xhci-pci.ko
   281390     12 -rwx------   1 user     user        10096 Feb 21 17:56 ./bin/peek
   281439     12 -rwx------   1 user     user        10032 Feb 21 17:56 ./bin/totp
   281357     12 -rwx------   1 user     user         9891 Feb 21 17:56 ./bin/kexec-select-boot
   281331     12 -rwx------   1 user     user         9003 Feb 21 17:56 ./bin/gpg-gui.sh
   281480     12 -rwx------   1 user     user         8388 Feb 21 17:56 ./etc/functions
   281343      8 -rwx------   1 user     user         5912 Feb 21 17:56 ./bin/hotp
   281282      8 -rwx------   1 user     user         5912 Feb 21 17:56 ./bin/base32
   281401      8 -rwx------   1 user     user         5904 Feb 21 17:56 ./bin/qrenc
   281322      8 -rwx------   1 user     user         5268 Feb 21 17:56 ./bin/flash.sh
   281297      8 -rwx------   1 user     user         5030 Feb 21 17:56 ./bin/config-gui.sh
   281356      8 -rwx------   1 user     user         4195 Feb 21 17:56 ./bin/kexec-seal-key
   281488      4 -rwx------   1 user     user         3891 Feb 21 17:56 ./init
   281353      4 -rwx------   1 user     user         3680 Feb 21 17:56 ./bin/kexec-parse-boot
   281380      4 -rwx------   1 user     user         3510 Feb 21 17:56 ./bin/mount-usb
   281354      4 -rwx------   1 user     user         3408 Feb 21 17:56 ./bin/kexec-save-default
   281409      4 -rwx------   1 user     user         3381 Feb 21 17:56 ./bin/seal-hotpkey
   281349      4 -rwx------   1 user     user         3118 Feb 21 17:56 ./bin/kexec-boot
   281477      4 -rw-------   1 user     user         3078 Feb 21 17:56 ./etc/distro/keys/qubes-testing.key
   281321      4 -rwx------   1 user     user         2557 Feb 21 17:56 ./bin/flash-gui.sh
   281350      4 -rwx------   1 user     user         2344 Feb 21 17:56 ./bin/kexec-insert-key
   281456      4 -rwx------   1 user     user         2101 Feb 21 17:56 ./bin/usb-scan
   281352      4 -rwx------   1 user     user         2059 Feb 21 17:56 ./bin/kexec-parse-bls
   281410      4 -rwx------   1 user     user         2026 Feb 21 17:56 ./bin/seal-totp
   281358      4 -rwx------   1 user     user         1909 Feb 21 17:56 ./bin/kexec-sign-config
   281482      4 -rwx------   1 user     user         1888 Feb 21 17:56 ./etc/gui_functions
   281451      4 -rwx------   1 user     user         1838 Feb 21 17:56 ./bin/unseal-hotp
   281516      4 -rw-r--r--   1 user     user         1767 Feb 21 17:57 ./listchange
   281355      4 -rwx------   1 user     user         1677 Feb 21 17:56 ./bin/kexec-save-key
   281476      4 -rw-------   1 user     user         1629 Feb 21 17:56 ./etc/distro/keys/qubes-4.key
   281351      4 -rwx------   1 user     user         1375 Feb 21 17:56 ./bin/kexec-iso-init
   281515      4 -rwx------   1 user     user         1373 Feb 21 17:56 ./mount-boot
   281327      4 -rwx------   1 user     user         1299 Feb 21 17:56 ./bin/generic-init
   284045      4 -rw-------   1 user     user         1247 Feb 21 17:08 ./.ash_history
   281383      4 -rwx------   1 user     user         1244 Feb 21 17:56 ./bin/network-init-recovery
   281344      4 -rwx------   1 user     user         1087 Feb 21 17:56 ./bin/hotp_initialize
   281359      4 -rwx------   1 user     user         1044 Feb 21 17:56 ./bin/kexec-unseal-key
  1084916      4 -rwx------   1 user     user         1000 Feb 21 17:56 ./sbin/insmod
  1084905      4 -rwx------   1 user     user          922 Feb 21 17:56 ./sbin/config-dhcp.sh
   281292      4 -rwx------   1 user     user          799 Feb 21 17:56 ./bin/cbfs-init
   281360      4 -rwx------   1 user     user          770 Feb 21 17:56 ./bin/key-init
   281442      4 -rwx------   1 user     user          694 Feb 21 17:56 ./bin/tpm-reset
   281447      4 -rwx------   1 user     user          661 Feb 21 17:56 ./bin/uefi-init
   281452      4 -rwx------   1 user     user          634 Feb 21 17:56 ./bin/unseal-totp
   281472      4 -rw-------   1 user     user          625 Feb 21 17:56 ./etc/config
   281464      4 -rwx------   1 user     user          574 Feb 21 17:56 ./bin/x230-flash.init
   281431      4 -rwx------   1 user     user          574 Feb 21 17:56 ./bin/t430-flash.init
   281402      4 -rwx------   1 user     user          538 Feb 21 17:56 ./bin/qubes-measure-luks
   281324      4 -rwx------   1 user     user          360 Feb 21 17:56 ./bin/flashrom-kgpe-d16-openbmc.sh
   281462      4 -rwx------   1 user     user          320 Feb 21 17:56 ./bin/wget-measure.sh
   281403      4 -rwx------   1 user     user          258 Feb 21 17:56 ./bin/reboot
   281455      4 -rwx------   1 user     user          220 Feb 21 17:56 ./bin/usb-init
   281397      4 -rwx------   1 user     user          205 Feb 21 17:56 ./bin/poweroff
   281479      4 -rw-------   1 user     user          197 Feb 21 17:56 ./etc/fstab
   281484      4 -rw-------   1 user     user          174 Feb 21 17:56 ./etc/motd
   281332      4 -rwx------   1 user     user          106 Feb 21 17:56 ./bin/gpgv
   284192      4 -rw-------   1 user     user           73 Feb 21 17:08 ./.gnupg/gpg-agent.conf
   281463      4 -rwx------   1 user     user           35 Feb 21 17:56 ./bin/whiptail
   281487      4 -rw-------   1 user     user           27 Feb 21 17:56 ./etc/shells
   281486      4 -rw-------   1 user     user           27 Feb 21 17:56 ./etc/passwd
   281483      4 -rw-------   1 user     user           20 Feb 21 17:56 ./etc/hosts
   284193      4 -rw-------   1 user     user           10 Feb 21 17:08 ./.gnupg/gpg.conf
   281481      4 -rw-------   1 user     user           10 Feb 21 17:56 ./etc/group
   677025      0 -rw-------   1 user     user            0 Feb 21 17:56 ./run/cryptsetup/.placeholder

Ok ok.... Its useful!

diff --git a/modules/cairo b/modules/cairo
index 647ed2ca..7fc92331 100644
--- a/modules/cairo
+++ b/modules/cairo
@@ -8,7 +8,7 @@ cairo_hash := 8c90f00c500b2299c0a323dd9beead2a00353752b2092ead558139bd67f7bf16

 cairo_configure := \
    $(CROSS_TOOLS) \
-   CFLAGS="-DCAIRO_NO_MUTEX=1 -O3"  \
+   CFLAGS="-DCAIRO_NO_MUTEX=1 -Os"  \
    ./configure \
         --host i386-elf-linux \
    --prefix="/" \
diff --git a/modules/cryptsetup b/modules/cryptsetup
index 4cea7f35..cddffa18 100644
--- a/modules/cryptsetup
+++ b/modules/cryptsetup
@@ -10,8 +10,10 @@ cryptsetup_hash := af2b04e8475cf40b8d9ffd97a1acfa73aa787c890430afd89804fb544d6ad

 # Use an empty prefix so that the executables will not include the
 # build path.
-cryptsetup_configure := ./configure \
+cryptsetup_configure := \
    $(CROSS_TOOLS) \
+   CFLAGS="-Os" \
+   ./configure \
    --host i386-elf-linux \
    --prefix "/" \
    --disable-gcrypt-pbkdf2 \
diff --git a/modules/flashrom b/modules/flashrom
index e8cecb63..aaad7325 100644
--- a/modules/flashrom
+++ b/modules/flashrom
@@ -9,6 +9,7 @@ flashrom_url := https://github.com/flashrom/flashrom/archive/$(flashrom_version)
 flashrom_hash := 4873ad50f500629c244fc3fbee64b56403a82307d7f555dfa235336a200c336c

 flashrom_target := \
+   CFLAGS="-Os" \
    $(MAKE_JOBS) \
    $(CROSS_TOOLS) \
    WARNERROR=no \
diff --git a/modules/gpg b/modules/gpg
index 4d4440a1..493bf6dc 100644
--- a/modules/gpg
+++ b/modules/gpg
@@ -19,6 +19,7 @@ gpg_hash := 6b47a3100c857dcab3c60e6152e56a997f2c7862c1b8b2b25adf3884a1ae2276
 #
 gpg_configure := ./configure \
    $(CROSS_TOOLS) \
+   CFLAGS="-Os"  \
    --build i386-elf-linux \
    --host x86_64-linux-musl \
    --with-libusb="$(INSTALL)" \
diff --git a/modules/libgcrypt b/modules/libgcrypt
index 3c2e5d9a..5cf97d79 100644
--- a/modules/libgcrypt
+++ b/modules/libgcrypt
@@ -7,6 +7,7 @@ libgcrypt_hash := 0cba2700617b99fc33864a0c16b1fa7fdf9781d9ed3509f5d767178e5fd7b9

 libgcrypt_configure := ./configure \
    $(CROSS_TOOLS) \
+   CFLAGS="-Os"  \
    --host=x86_64-linux-musl \
    --prefix "/" \
    --disable-static \
diff --git a/modules/libgpg-error b/modules/libgpg-error
index 00bd0644..482f80f3 100644
--- a/modules/libgpg-error
+++ b/modules/libgpg-error
@@ -5,8 +5,10 @@ libgpg-error_tar := libgpg-error-$(libgpg-error_version).tar.bz2
 libgpg-error_url := https://gnupg.org/ftp/gcrypt/libgpg-error/$(libgpg-error_tar)
 libgpg-error_hash := b32d6ff72a73cf79797f7f2d039e95e9c6f92f0c1450215410840ab62aea9763

-libgpg-error_configure := ./configure \
+libgpg-error_configure := \
    $(CROSS_TOOLS) \
+   CFLAGS="-Os"  \
+   ./configure \
    --prefix "/" \
    --host=x86_64-linux-musl \
    --disable-static \
diff --git a/modules/libpng b/modules/libpng
index e5c3d718..8debbda4 100644
--- a/modules/libpng
+++ b/modules/libpng
@@ -8,6 +8,7 @@ libpng_hash := 574623a4901a9969080ab4a2df9437026c8a87150dfd5c235e28c94b212964a7

 libpng_configure := \
    $(CROSS_TOOLS) \
+   CFLAGS="-Os" \
    ./configure \
         --host i386-elf-linux \
    --prefix="/" \
diff --git a/modules/lvm2 b/modules/lvm2
index e3005f1b..f6edd667 100644
--- a/modules/lvm2
+++ b/modules/lvm2
@@ -10,6 +10,7 @@ lvm2_hash := 23a3d1cddd41b3ef51812ebf83e9fa491f502fe74130d4263be327a91914660d
 # so we force it via the configure cache.
 lvm2_configure := \
    $(CROSS_TOOLS) \
+   CFLAGS="-Os"  \
    PKG_CONFIG=/bin/false \
    MODPROBE_CMD=/bin/false \
    ac_cv_func_malloc_0_nonnull=yes \
diff --git a/modules/pixman b/modules/pixman
index 65a2e200..e7ec1bd8 100644
--- a/modules/pixman
+++ b/modules/pixman
@@ -8,6 +8,7 @@ pixman_hash := 21b6b249b51c6800dc9553b65106e1e37d0e25df942c90531d4c3997aa20a88e

 pixman_configure := \
    $(CROSS_TOOLS) \
+   CFLAGS="-Os"  \
    ./configure \
         --host i386-elf-linux \
    --prefix="/" \
diff --git a/modules/tpmtotp b/modules/tpmtotp
index 433df8ce..1ce561d0 100644
--- a/modules/tpmtotp
+++ b/modules/tpmtotp
@@ -13,7 +13,7 @@ tpmtotp_hash := 1082f2b0e4af833e04220dddedcc21a39eb39ee4dc5668bb010e7bcc795c606c

 tpmtotp_target := \
    $(CROSS_TOOLS) \
-   CFLAGS="-I$(INSTALL)/include" \
+   CFLAGS="-I$(INSTALL)/include -Os" \
    LDFLAGS="-L$(INSTALL)/lib" \

 tpmtotp_output := \
diff --git a/modules/util-linux b/modules/util-linux
index 908ff3e7..6ea85f8a 100644
--- a/modules/util-linux
+++ b/modules/util-linux
@@ -8,6 +8,7 @@ util-linux_hash := accea4d678209f97f634f40a93b7e9fcad5915d1f4749f6c47bee6bf110fe

 util-linux_configure := ./configure \
    $(CROSS_TOOLS) \
+   CFLAGS="-Os"  \
    --host i386-elf-linux \
    --prefix "/" \
    --oldincludedir "$(INSTALL)/include" \
diff --git a/modules/zlib b/modules/zlib
index dbdb44e3..b1d2adf5 100644
--- a/modules/zlib
+++ b/modules/zlib
@@ -9,6 +9,7 @@ zlib_hash := c3e5e9fdd5004dcb542feda5ee4f0ff0744628baf8ed2dd5d66f8ca1197cb1a1

 zlib_configure := \
    $(CROSS_TOOLS) \
+   CFLAGS="-Os" \
    ./configure \
    --prefix="/" \

user@heads-tests:~/heads/build/x230-hotp-maximized$ xz -d initrd.cpio.xz ; for i in initrd.cpio modules.cpio tools.cpio heads.cpio; do cpio -i < $i; done && find . -type f -ls | sort -r -n -k7

Before:

  3433968  12552 -rw-r--r--   1 user     user     12868096 Feb 21 12:56 ./initrd.cpio
  3434331  12288 -rw-r--r--   1 user     user     12582912 Feb 21 12:56 ./heads-x230-hotp-maximized-v0.2.1.bis2-35-g3fabfa20-dirty.rom
  3421972  11720 -rw-r--r--   1 user     user     11998208 Feb 21 12:42 ./tools.cpio
  3434335   8192 -rw-r--r--   1 user     user      8388608 Feb 21 12:56 ./heads-x230-hotp-maximized-v0.2.1.bis2-35-g3fabfa20-dirty-bottom.rom
  3424621   8192 -rw-r--r--   1 user     user      8388608 Feb 17 12:34 ./heads-x230-hotp-maximized-v0.2.1.bis2-32-g9fd9c0d4-dirty-bottom.rom
  3434336   4096 -rw-r--r--   1 user     user      4194304 Feb 21 12:56 ./heads-x230-hotp-maximized-v0.2.1.bis2-35-g3fabfa20-dirty-top.rom
  3424622   4096 -rw-r--r--   1 user     user      4194304 Feb 17 12:34 ./heads-x230-hotp-maximized-v0.2.1.bis2-32-g9fd9c0d4-dirty-top.rom
  3423309   2956 -rw-r--r--   1 user     user      3023312 Feb 21 12:41 ./bzImage
  3434095   1592 -rwx------   1 user     user      1627856 Feb 21 16:48 ./bin/lvm
  3434542   1136 -rwx------   1 user     user      1160520 Feb 21 16:48 ./lib/libgcrypt.so.20
  3434052    896 -rwx------   1 user     user       915328 Feb 21 16:48 ./bin/gpg
  3434539    740 -rwx------   1 user     user       757232 Feb 21 16:48 ./lib/libcairo.so.2
  3421971    668 -rw-r--r--   1 user     user       684032 Feb 21 12:41 ./modules.cpio
  3434550    652 -rwx------   1 user     user       666216 Feb 21 16:48 ./lib/libpixman-1.so.0
  3434538    584 -rwx------   1 user     user       596544 Feb 21 16:48 ./lib/libc.so
  3434046    568 -rwx------   1 user     user       580568 Feb 21 16:48 ./bin/flashrom
  3434010    496 -rwx------   1 user     user       507776 Feb 21 16:48 ./bin/busybox
  3434540    456 -rwx------   1 user     user       464560 Feb 21 16:48 ./lib/libcryptsetup.so.12
  3434455    408 -rwx------   1 user     user       416040 Feb 21 16:48 ./bin/scdaemon
  3434053    372 -rwx------   1 user     user       380120 Feb 21 16:48 ./bin/gpg-agent
  3434554    332 -rwx------   1 user     user       339304 Feb 21 16:48 ./lib/libtpm.so
  3434541    328 -rwx------   1 user     user       333240 Feb 21 16:48 ./lib/libdevmapper.so.1.02
  3434546    320 -rwx------   1 user     user       325104 Feb 21 16:48 ./lib/libmbedcrypto.so.0
  3434559    300 -rw-------   1 user     user       304272 Feb 21 16:48 ./lib/modules/e1000e.ko
  3434537    268 -rwx------   1 user     user       271040 Feb 21 16:48 ./lib/libblkid.so.1
  3434545    252 -rwx------   1 user     user       256376 Feb 21 16:48 ./lib/libksba.so.8
  3434551    204 -rwx------   1 user     user       207912 Feb 21 16:48 ./lib/libpng16.so.16
  3434337    184 -rw-r--r--   1 user     user       186880 Feb 21 12:56 ./heads.cpio
  3434034    184 -rwx------   1 user     user       184824 Feb 21 16:48 ./bin/dropbear
  3434473    176 -rwx------   1 user     user       176408 Feb 21 16:48 ./bin/ssh
  3434071    168 -rwx------   1 user     user       170984 Feb 21 16:48 ./bin/kexec
  3434563    160 -rw-------   1 user     user       159840 Feb 21 16:48 ./lib/modules/xhci-hcd.ko
  3434033    136 -rwx------   1 user     user       137464 Feb 21 16:48 ./bin/dmsetup
  3434562    132 -rw-------   1 user     user       132360 Feb 21 16:48 ./lib/modules/usb-storage.ko
  3434543    128 -rwx------   1 user     user       130000 Feb 21 16:48 ./lib/libgpg-error.so.0
  3434489    124 -rwx------   1 user     user       126584 Feb 21 16:48 ./bin/tpm
  3434023    116 -rwx------   1 user     user       115192 Feb 21 16:48 ./bin/cryptsetup
  3434558    108 -rwx------   1 user     user       108832 Feb 21 16:48 ./lib/libz.so.1
  3434556     96 -rwx------   1 user     user        96896 Feb 21 16:48 ./lib/libusb-1.0.so.0
  3434024     88 -rwx------   1 user     user        87968 Feb 21 16:48 ./bin/cryptsetup-reencrypt
  3434544     80 -rwx------   1 user     user        81024 Feb 21 16:48 ./lib/libjson-c.so.5
  3434536     76 -rwx------   1 user     user        76736 Feb 21 16:48 ./lib/libassuan.so.0
  3434092     72 -rwx------   1 user     user        73600 Feb 21 16:48 ./bin/lspci
  3434560     64 -rw-------   1 user     user        64800 Feb 21 16:48 ./lib/modules/ehci-hcd.ko
  3434549     52 -rwx------   1 user     user        52272 Feb 21 16:48 ./lib/libpci.so.3.5.4
  3434548     52 -rwx------   1 user     user        52272 Feb 21 16:48 ./lib/libpci.so.3
  3434116     52 -rwx------   1 user     user        52200 Feb 21 16:48 ./bin/pinentry-tty
  3434042     52 -rwx------   1 user     user        51616 Feb 21 16:48 ./bin/fbwhiptail
  3434552     48 -rwx------   1 user     user        48088 Feb 21 16:48 ./lib/libpopt.so.0
  3434553     48 -rwx------   1 user     user        47448 Feb 21 16:48 ./lib/libqrencode.so.3
  3434506     48 -rwx------   1 user     user        45264 Feb 21 16:48 ./bin/veritysetup
  3434068     32 -rwx------   1 user     user        29944 Feb 21 16:48 ./bin/hotp_verification
  3434523     28 -rw-------   1 user     user        27936 Feb 21 16:48 ./etc/distro/keys/tails.key
  3434016     28 -rwx------   1 user     user        27048 Feb 21 16:48 ./bin/cbmem
  3434456     24 -rwx------   1 user     user        22664 Feb 21 16:48 ./bin/scp
  3434048     24 -rwx------   1 user     user        22432 Feb 21 16:48 ./bin/flashtool
  3434555     20 -rwx------   1 user     user        18464 Feb 21 16:48 ./lib/libusb-0.1.so.4
  3434058     20 -rwx------   1 user     user        18412 Feb 21 16:48 ./bin/gui-init
  3434014     20 -rwx------   1 user     user        18352 Feb 21 16:48 ./bin/cbfs
  3434494     20 -rwx------   1 user     user        18320 Feb 21 16:48 ./bin/uefi
  3434110     16 -rwx------   1 user     user        15960 Feb 21 16:48 ./bin/oem-factory-reset
  3434557     16 -rwx------   1 user     user        14656 Feb 21 16:48 ./lib/libuuid.so.1
  3434547     16 -rwx------   1 user     user        14552 Feb 21 16:48 ./lib/libnpth.so.0
  3434444     16 -rwx------   1 user     user        14200 Feb 21 16:48 ./bin/poke
  3434520     12 -rw-------   1 user     user        10955 Feb 21 16:48 ./etc/distro/keys/fedora.key
  3434561     12 -rw-------   1 user     user        10728 Feb 21 16:48 ./lib/modules/ehci-pci.ko
  3434564     12 -rw-------   1 user     user        10568 Feb 21 16:48 ./lib/modules/xhci-pci.ko
  3423306     12 -rw-r--r--   1 user     user        10159 Feb 21 12:56 ./hashes.txt
  3434113     12 -rwx------   1 user     user        10096 Feb 21 16:48 ./bin/peek
  3434005     12 -rwx------   1 user     user        10088 Feb 21 16:48 ./bin/base32
  3434487     12 -rwx------   1 user     user        10048 Feb 21 16:48 ./bin/totp
  3434066     12 -rwx------   1 user     user        10024 Feb 21 16:48 ./bin/hotp
  3434080     12 -rwx------   1 user     user         9891 Feb 21 16:48 ./bin/kexec-select-boot
  3434054     12 -rwx------   1 user     user         9003 Feb 21 16:48 ./bin/gpg-gui.sh
  3434525     12 -rwx------   1 user     user         8388 Feb 21 16:48 ./etc/functions
  3434449      8 -rwx------   1 user     user         5912 Feb 21 16:48 ./bin/qrenc
  3434045      8 -rwx------   1 user     user         5268 Feb 21 16:48 ./bin/flash.sh
  3434020      8 -rwx------   1 user     user         5030 Feb 21 16:48 ./bin/config-gui.sh
  3434079      8 -rwx------   1 user     user         4195 Feb 21 16:48 ./bin/kexec-seal-key
  3434533      4 -rwx------   1 user     user         3891 Feb 21 16:48 ./init
  3434076      4 -rwx------   1 user     user         3785 Feb 21 16:48 ./bin/kexec-parse-boot
  3434103      4 -rwx------   1 user     user         3510 Feb 21 16:48 ./bin/mount-usb
  3434077      4 -rwx------   1 user     user         3408 Feb 21 16:48 ./bin/kexec-save-default
  3434457      4 -rwx------   1 user     user         3381 Feb 21 16:48 ./bin/seal-hotpkey
  3434072      4 -rwx------   1 user     user         3118 Feb 21 16:48 ./bin/kexec-boot
  3434522      4 -rw-------   1 user     user         3078 Feb 21 16:48 ./etc/distro/keys/qubes-testing.key
  3434044      4 -rwx------   1 user     user         2557 Feb 21 16:48 ./bin/flash-gui.sh
  3434073      4 -rwx------   1 user     user         2344 Feb 21 16:48 ./bin/kexec-insert-key
  3434504      4 -rwx------   1 user     user         2101 Feb 21 16:48 ./bin/usb-scan
  3434075      4 -rwx------   1 user     user         2059 Feb 21 16:48 ./bin/kexec-parse-bls
  3434458      4 -rwx------   1 user     user         2026 Feb 21 16:48 ./bin/seal-totp
  3434081      4 -rwx------   1 user     user         1909 Feb 21 16:48 ./bin/kexec-sign-config
  3434527      4 -rwx------   1 user     user         1888 Feb 21 16:48 ./etc/gui_functions
  3434499      4 -rwx------   1 user     user         1838 Feb 21 16:48 ./bin/unseal-hotp
  3434519      4 -rw-------   1 user     user         1725 Feb 21 16:48 ./etc/distro/keys/archlinux.key
  3434078      4 -rwx------   1 user     user         1677 Feb 21 16:48 ./bin/kexec-save-key
  3434521      4 -rw-------   1 user     user         1629 Feb 21 16:48 ./etc/distro/keys/qubes-4.key
  3434074      4 -rwx------   1 user     user         1430 Feb 21 16:48 ./bin/kexec-iso-init
  3434565      4 -rwx------   1 user     user         1373 Feb 21 16:48 ./mount-boot
  3434050      4 -rwx------   1 user     user         1299 Feb 21 16:48 ./bin/generic-init
  3421973      4 -rw-------   1 user     user         1247 Feb 21 16:48 ./.ash_history
  3434106      4 -rwx------   1 user     user         1244 Feb 21 16:48 ./bin/network-init-recovery
  3434067      4 -rwx------   1 user     user         1087 Feb 21 16:48 ./bin/hotp_initialize
  3434082      4 -rwx------   1 user     user         1044 Feb 21 16:48 ./bin/kexec-unseal-key
  2641524      4 -rwx------   1 user     user         1000 Feb 21 16:48 ./sbin/insmod
  2641513      4 -rwx------   1 user     user          922 Feb 21 16:48 ./sbin/config-dhcp.sh
  3434015      4 -rwx------   1 user     user          799 Feb 21 16:48 ./bin/cbfs-init
  3434083      4 -rwx------   1 user     user          770 Feb 21 16:48 ./bin/key-init
  3434490      4 -rwx------   1 user     user          694 Feb 21 16:48 ./bin/tpm-reset
  3434495      4 -rwx------   1 user     user          661 Feb 21 16:48 ./bin/uefi-init
  3434500      4 -rwx------   1 user     user          634 Feb 21 16:48 ./bin/unseal-totp
  3434518      4 -rw-------   1 user     user          625 Feb 21 16:48 ./etc/config
  3434512      4 -rwx------   1 user     user          574 Feb 21 16:48 ./bin/x230-flash.init
  3434479      4 -rwx------   1 user     user          574 Feb 21 16:48 ./bin/t430-flash.init
  3434450      4 -rwx------   1 user     user          538 Feb 21 16:48 ./bin/qubes-measure-luks
  3434047      4 -rwx------   1 user     user          360 Feb 21 16:48 ./bin/flashrom-kgpe-d16-openbmc.sh
  3434510      4 -rwx------   1 user     user          320 Feb 21 16:48 ./bin/wget-measure.sh
  3434451      4 -rwx------   1 user     user          258 Feb 21 16:48 ./bin/reboot
  3434503      4 -rwx------   1 user     user          220 Feb 21 16:48 ./bin/usb-init
  3434445      4 -rwx------   1 user     user          205 Feb 21 16:48 ./bin/poweroff
  3434524      4 -rw-------   1 user     user          197 Feb 21 16:48 ./etc/fstab
  3434529      4 -rw-------   1 user     user          174 Feb 21 16:48 ./etc/motd
  3434055      4 -rwx------   1 user     user          106 Feb 21 16:48 ./bin/gpgv
  3433998      4 -rw-------   1 user     user           73 Feb 21 16:48 ./.gnupg/gpg-agent.conf
  3434511      4 -rwx------   1 user     user           35 Feb 21 16:48 ./bin/whiptail
  3434532      4 -rw-------   1 user     user           27 Feb 21 16:48 ./etc/shells
  3434531      4 -rw-------   1 user     user           27 Feb 21 16:48 ./etc/passwd
  3434528      4 -rw-------   1 user     user           20 Feb 21 16:48 ./etc/hosts
  3434526      4 -rw-------   1 user     user           10 Feb 21 16:48 ./etc/group
  3433999      4 -rw-------   1 user     user           10 Feb 21 16:48 ./.gnupg/gpg.conf
   666243      0 -rw-------   1 user     user            0 Feb 21 16:48 ./run/cryptsetup/.placeholder

After:

   281354  12288 -rw-r--r--   1 user     user     12582912 Feb 21 18:19 ./heads-x230-hotp-maximized-v0.2.1.bis2-31-g0670bcd1-dirty.rom
   281287  11676 -rw-r--r--   1 user     user     11969536 Feb 21 18:15 ./initrd.cpio
   281351  10844 -rw-r--r--   1 user     user     11101184 Feb 21 18:14 ./tools.cpio
   281355   8192 -rw-r--r--   1 user     user      8388608 Feb 21 18:19 ./heads-x230-hotp-maximized-v0.2.1.bis2-31-g0670bcd1-dirty-bottom.rom
   281356   4096 -rw-r--r--   1 user     user      4194304 Feb 21 18:19 ./heads-x230-hotp-maximized-v0.2.1.bis2-31-g0670bcd1-dirty-top.rom
   281229   2956 -rw-r--r--   1 user     user      3023312 Feb 21 18:08 ./bzImage
   281398   1384 -rwx------   1 user     user      1414928 Feb 21 18:19 ./bin/lvm
   281523   1032 -rwx------   1 user     user      1054216 Feb 21 18:19 ./lib/libgcrypt.so.20
   281342    896 -rwx------   1 user     user       915328 Feb 21 18:19 ./bin/gpg
   281230    668 -rw-r--r--   1 user     user       684032 Feb 21 18:08 ./modules.cpio
   281519    584 -rwx------   1 user     user       596544 Feb 21 18:19 ./lib/libc.so
   281336    568 -rwx------   1 user     user       580568 Feb 21 18:19 ./bin/flashrom
   281531    560 -rwx------   1 user     user       572016 Feb 21 18:19 ./lib/libpixman-1.so.0
   281299    496 -rwx------   1 user     user       507776 Feb 21 18:19 ./bin/busybox
   281520    480 -rwx------   1 user     user       491024 Feb 21 18:19 ./lib/libcairo.so.2
   281521    456 -rwx------   1 user     user       464560 Feb 21 18:19 ./lib/libcryptsetup.so.12
   281433    408 -rwx------   1 user     user       416040 Feb 21 18:19 ./bin/scdaemon
   281353    372 -rwx------   1 user     user       380120 Feb 21 18:19 ./bin/gpg-agent
   281527    320 -rwx------   1 user     user       325104 Feb 21 18:19 ./lib/libmbedcrypto.so.0
   281535    308 -rwx------   1 user     user       314728 Feb 21 18:19 ./lib/libtpm.so
   281345    300 -rw-------   1 user     user       304272 Feb 21 18:13 ./lib/modules/e1000e.ko
   281522    280 -rwx------   1 user     user       284184 Feb 21 18:19 ./lib/libdevmapper.so.1.02
   281526    252 -rwx------   1 user     user       256376 Feb 21 18:19 ./lib/libksba.so.8
   281518    248 -rwx------   1 user     user       250528 Feb 21 18:19 ./lib/libblkid.so.1
   281352    184 -rw-r--r--   1 user     user       184832 Feb 21 18:14 ./heads.cpio
   281324    184 -rwx------   1 user     user       184824 Feb 21 18:19 ./bin/dropbear
   281451    176 -rwx------   1 user     user       176408 Feb 21 18:19 ./bin/ssh
   281532    168 -rwx------   1 user     user       171032 Feb 21 18:19 ./lib/libpng16.so.16
   281374    168 -rwx------   1 user     user       170984 Feb 21 18:19 ./bin/kexec
   281349    160 -rw-------   1 user     user       159840 Feb 21 18:13 ./lib/modules/xhci-hcd.ko
   281348    132 -rw-------   1 user     user       132360 Feb 21 18:13 ./lib/modules/usb-storage.ko
   281323    120 -rwx------   1 user     user       121080 Feb 21 18:19 ./bin/dmsetup
   281467    116 -rwx------   1 user     user       118392 Feb 21 18:19 ./bin/tpm
   281313    116 -rwx------   1 user     user       115192 Feb 21 18:19 ./bin/cryptsetup
   281524    108 -rwx------   1 user     user       109520 Feb 21 18:19 ./lib/libgpg-error.so.0
   281537     96 -rwx------   1 user     user        96896 Feb 21 18:19 ./lib/libusb-1.0.so.0
   281314     88 -rwx------   1 user     user        87968 Feb 21 18:19 ./bin/cryptsetup-reencrypt
   281525     80 -rwx------   1 user     user        81024 Feb 21 18:19 ./lib/libjson-c.so.5
   281517     76 -rwx------   1 user     user        76736 Feb 21 18:19 ./lib/libassuan.so.0
   281539     76 -rwx------   1 user     user        76040 Feb 21 18:19 ./lib/libz.so.1
   281395     72 -rwx------   1 user     user        73600 Feb 21 18:19 ./bin/lspci
   281346     64 -rw-------   1 user     user        64800 Feb 21 18:13 ./lib/modules/ehci-hcd.ko
   281530     52 -rwx------   1 user     user        52272 Feb 21 18:19 ./lib/libpci.so.3.5.4
   281529     52 -rwx------   1 user     user        52272 Feb 21 18:19 ./lib/libpci.so.3
   281419     52 -rwx------   1 user     user        52200 Feb 21 18:19 ./bin/pinentry-tty
   281332     52 -rwx------   1 user     user        51616 Feb 21 18:19 ./bin/fbwhiptail
   281533     48 -rwx------   1 user     user        48088 Feb 21 18:19 ./lib/libpopt.so.0
   281534     48 -rwx------   1 user     user        47448 Feb 21 18:19 ./lib/libqrencode.so.3
   281484     48 -rwx------   1 user     user        45264 Feb 21 18:19 ./bin/veritysetup
   281371     32 -rwx------   1 user     user        29944 Feb 21 18:19 ./bin/hotp_verification
   281504     28 -rw-------   1 user     user        27936 Feb 21 18:19 ./etc/distro/keys/tails.key
   281305     28 -rwx------   1 user     user        27048 Feb 21 18:19 ./bin/cbmem
   281434     24 -rwx------   1 user     user        22664 Feb 21 18:19 ./bin/scp
   281338     24 -rwx------   1 user     user        22432 Feb 21 18:19 ./bin/flashtool
   281536     20 -rwx------   1 user     user        18464 Feb 21 18:19 ./lib/libusb-0.1.so.4
   281361     20 -rwx------   1 user     user        18412 Feb 21 18:19 ./bin/gui-init
   281303     20 -rwx------   1 user     user        18352 Feb 21 18:19 ./bin/cbfs
   281472     20 -rwx------   1 user     user        18320 Feb 21 18:19 ./bin/uefi
   281413     16 -rwx------   1 user     user        15960 Feb 21 18:19 ./bin/oem-factory-reset
   281538     16 -rwx------   1 user     user        14656 Feb 21 18:19 ./lib/libuuid.so.1
   281528     16 -rwx------   1 user     user        14552 Feb 21 18:19 ./lib/libnpth.so.0
   281422     16 -rwx------   1 user     user        14200 Feb 21 18:19 ./bin/poke
   281501     12 -rw-------   1 user     user        10955 Feb 21 18:19 ./etc/distro/keys/fedora.key
   281347     12 -rw-------   1 user     user        10728 Feb 21 18:13 ./lib/modules/ehci-pci.ko
   281350     12 -rw-------   1 user     user        10568 Feb 21 18:13 ./lib/modules/xhci-pci.ko
   281416     12 -rwx------   1 user     user        10096 Feb 21 18:19 ./bin/peek
   281465     12 -rwx------   1 user     user        10032 Feb 21 18:19 ./bin/totp
   280171     12 -rw-r--r--   1 user     user         9954 Feb 21 18:19 ./hashes.txt
   281383     12 -rwx------   1 user     user         9891 Feb 21 18:19 ./bin/kexec-select-boot
   281357     12 -rwx------   1 user     user         9003 Feb 21 18:19 ./bin/gpg-gui.sh
   281506     12 -rwx------   1 user     user         8388 Feb 21 18:19 ./etc/functions
   281369      8 -rwx------   1 user     user         5912 Feb 21 18:19 ./bin/hotp
   281294      8 -rwx------   1 user     user         5912 Feb 21 18:19 ./bin/base32
   281427      8 -rwx------   1 user     user         5904 Feb 21 18:19 ./bin/qrenc
   281335      8 -rwx------   1 user     user         5268 Feb 21 18:19 ./bin/flash.sh
   281309      8 -rwx------   1 user     user         5030 Feb 21 18:19 ./bin/config-gui.sh
   281382      8 -rwx------   1 user     user         4195 Feb 21 18:19 ./bin/kexec-seal-key
   281514      4 -rwx------   1 user     user         3891 Feb 21 18:19 ./init
   281379      4 -rwx------   1 user     user         3680 Feb 21 18:19 ./bin/kexec-parse-boot
   281406      4 -rwx------   1 user     user         3510 Feb 21 18:19 ./bin/mount-usb
   281380      4 -rwx------   1 user     user         3408 Feb 21 18:19 ./bin/kexec-save-default
   281435      4 -rwx------   1 user     user         3381 Feb 21 18:19 ./bin/seal-hotpkey
   281375      4 -rwx------   1 user     user         3118 Feb 21 18:19 ./bin/kexec-boot
   281503      4 -rw-------   1 user     user         3078 Feb 21 18:19 ./etc/distro/keys/qubes-testing.key
   281334      4 -rwx------   1 user     user         2557 Feb 21 18:19 ./bin/flash-gui.sh
   281376      4 -rwx------   1 user     user         2344 Feb 21 18:19 ./bin/kexec-insert-key
   281482      4 -rwx------   1 user     user         2101 Feb 21 18:19 ./bin/usb-scan
   281378      4 -rwx------   1 user     user         2059 Feb 21 18:19 ./bin/kexec-parse-bls
   281436      4 -rwx------   1 user     user         2026 Feb 21 18:19 ./bin/seal-totp
   281384      4 -rwx------   1 user     user         1909 Feb 21 18:19 ./bin/kexec-sign-config
   281508      4 -rwx------   1 user     user         1888 Feb 21 18:19 ./etc/gui_functions
   281477      4 -rwx------   1 user     user         1838 Feb 21 18:19 ./bin/unseal-hotp
   281381      4 -rwx------   1 user     user         1677 Feb 21 18:19 ./bin/kexec-save-key
   281502      4 -rw-------   1 user     user         1629 Feb 21 18:19 ./etc/distro/keys/qubes-4.key
   281377      4 -rwx------   1 user     user         1375 Feb 21 18:19 ./bin/kexec-iso-init
   281540      4 -rwx------   1 user     user         1373 Feb 21 18:19 ./mount-boot
   281340      4 -rwx------   1 user     user         1299 Feb 21 18:19 ./bin/generic-init
   284045      4 -rw-------   1 user     user         1247 Feb 21 17:08 ./.ash_history
   281409      4 -rwx------   1 user     user         1244 Feb 21 18:19 ./bin/network-init-recovery
   281370      4 -rwx------   1 user     user         1087 Feb 21 18:19 ./bin/hotp_initialize
   281385      4 -rwx------   1 user     user         1044 Feb 21 18:19 ./bin/kexec-unseal-key
   281560      4 -rwx------   1 user     user         1000 Feb 21 18:19 ./sbin/insmod
   281549      4 -rwx------   1 user     user          922 Feb 21 18:19 ./sbin/config-dhcp.sh
   281304      4 -rwx------   1 user     user          799 Feb 21 18:19 ./bin/cbfs-init
   281386      4 -rwx------   1 user     user          770 Feb 21 18:19 ./bin/key-init
   281468      4 -rwx------   1 user     user          694 Feb 21 18:19 ./bin/tpm-reset
   281473      4 -rwx------   1 user     user          661 Feb 21 18:19 ./bin/uefi-init
   281478      4 -rwx------   1 user     user          634 Feb 21 18:19 ./bin/unseal-totp
   281498      4 -rw-------   1 user     user          625 Feb 21 18:19 ./etc/config
   281490      4 -rwx------   1 user     user          574 Feb 21 18:19 ./bin/x230-flash.init
   281457      4 -rwx------   1 user     user          574 Feb 21 18:19 ./bin/t430-flash.init
   281428      4 -rwx------   1 user     user          538 Feb 21 18:19 ./bin/qubes-measure-luks
   281337      4 -rwx------   1 user     user          360 Feb 21 18:19 ./bin/flashrom-kgpe-d16-openbmc.sh
   281488      4 -rwx------   1 user     user          320 Feb 21 18:19 ./bin/wget-measure.sh
   281429      4 -rwx------   1 user     user          258 Feb 21 18:19 ./bin/reboot
   281481      4 -rwx------   1 user     user          220 Feb 21 18:19 ./bin/usb-init
   281423      4 -rwx------   1 user     user          205 Feb 21 18:19 ./bin/poweroff
   281505      4 -rw-------   1 user     user          197 Feb 21 18:19 ./etc/fstab
   281510      4 -rw-------   1 user     user          174 Feb 21 18:19 ./etc/motd
   281358      4 -rwx------   1 user     user          106 Feb 21 18:19 ./bin/gpgv
   284192      4 -rw-------   1 user     user           73 Feb 21 17:08 ./.gnupg/gpg-agent.conf
   281489      4 -rwx------   1 user     user           35 Feb 21 18:19 ./bin/whiptail
   281513      4 -rw-------   1 user     user           27 Feb 21 18:19 ./etc/shells
   281512      4 -rw-------   1 user     user           27 Feb 21 18:19 ./etc/passwd
   281509      4 -rw-------   1 user     user           20 Feb 21 18:19 ./etc/hosts
   284193      4 -rw-------   1 user     user           10 Feb 21 17:08 ./.gnupg/gpg.conf
   281507      4 -rw-------   1 user     user           10 Feb 21 18:19 ./etc/group
   281543      0 -rw-------   1 user     user            0 Feb 21 18:19 ./run/cryptsetup/.placeholder

Before a3b058de:

FMAP REGION: COREBOOT
Name                           Offset     Type           Size   Comp
cbfs master header             0x0        cbfs header        32 none
fallback/romstage              0x80       stage           85100 none
cpu_microcode_blob.bin         0x14d80    microcode       26624 none
fallback/ramstage              0x1b600    stage           97721 none
config                         0x33400    raw               790 none
revision                       0x33780    raw               695 none
fallback/dsdt.aml              0x33a80    raw             14615 none
vbt.bin                        0x37400    raw              1433 LZMA (4281 decompressed)
cmos_layout.bin                0x37a00    cmos_layout      1884 none
fallback/postcar               0x381c0    stage           25816 none
fallback/payload               0x3e700    simple elf    7305159 none
(empty)                        0x735f00   null          4365976 none
bootblock                      0xb5fdc0   bootblock       65536 none

After da3e653:

FMAP REGION: COREBOOT
Name                           Offset     Type           Size   Comp
cbfs master header             0x0        cbfs header        32 none
fallback/romstage              0x80       stage           85100 none
cpu_microcode_blob.bin         0x14d80    microcode       26624 none
fallback/ramstage              0x1b600    stage           97723 none
config                         0x33400    raw               790 none
revision                       0x33780    raw               695 none
fallback/dsdt.aml              0x33a80    raw             14615 none
vbt.bin                        0x37400    raw              1433 LZMA (4281 decompressed)
cmos_layout.bin                0x37a00    cmos_layout      1884 none
fallback/postcar               0x381c0    stage           25816 none
fallback/payload               0x3e700    simple elf    7013831 none
(empty)                        0x6eed00   null          4657304 none
bootblock                      0xb5fdc0   bootblock       65536 none

So free space has increased by 4657304 - 4365976 = 291328 bytes. Not bad

1184 freed 313856 bytes.

1121 freed 424960 bytes.

Combined, they free 5148824 - 4360856 787968 bytes (0.7mb)

If anybody can guide into tuning even more, please be my guest.

try tcc. you mentioned in the other thread about musl, but tcc is a great c compiler that can produce (usually) smaller binaries (especially when compressed) than gcc or clang, even with -Os etc used.

where gcc is used, try using link-time optimization

also, busybox isn't the smallest posix userland... look at chimera linux, some of freebsd's tools are smaller than busybox's, e.g. freebsd sh is 12k sloc, busybox sh is about 19k last i checked

i've been working on and off porting openbsd userland to linux+musl and stripping it down, their code is even more efficient than freebsd's and often (with features stripped to match busybox) can result in lower amount of code

with bsd-based userland you could probably shave off quite a bit of space used in cbfs. i hope to have something to show later in the year.

(chimera is a linux distro with freebsd userland, they recently ported sh)

(also tcc is pretty much a drop-in on most codebases, i rarely see it b0rk and most of the time it really does beat gcc/clang: e.g. binary that is 18k from gcc, in tcc i can get that down to 12k easy. you can pretty much just modify your makefile for a project to use tcc, or do e.g. make CC=tcc and see what works)

tcc is great and i really recommend using it. even if you don't use it for every program, using it will probably save you quite a bit of space in cbfs

oh also, try bearssl tls library if you haven't already. super super duper small tls lib, alpine is considering using it in their distro

you can mix and match binaries built with tcc or gcc

you could try integrating tcc into your build system, for your portable cross compiler setup that you described earlier. i didn't know heads had that!

i should clarify that tcc produces small binaries, not fast binaries. for speed you want gcc, it's the best one (clang is about as good too). but yeah you want small bins. try tcc!

@githubisnonfree interesting hints.

Yes, @osresearch chose musl-cross then changed it to musl-cross-make as a cross compiler. Enabling LTO was not concluding on my side but things improved a lot there.

Problem as of now is to go back to reproducible builds, totp tool is build against mbetls and everything is linked against musl-cross-make compiled libc.

We could reevaluated the choices here, but opened PRs for passing O3 O2 to Os freed 700kb, while cleaning Linux configurations (which are already minimalist) in another PR freed another 400kb.

With 1mb additional space across all boards using board configured modules, those are the first things to test, which requires t430/w530/x220/t420/t530 board owners which all depend on the shared linux-x230* configurations.

But you got my attention on busybox which is not bash compliant. Busybox is dash and requires people to code with posix style and prevents us to use shellcheck against code base.

I will try to find time to check that up first. But following your work, as you can see with nvmutil :)

i should clarify that tcc produces small binaries, not fast binaries. for speed you want gcc, it's the best one (clang is about as good too). but yeah you want small bins. try tcc

Thank you. Will see how it can also generalise to Power. But learned that musl musl-cross musl-cross-make was the beat path for safe, small, and generalized upon embedded world.

You have some references to share?

btw freebsd sh is also posix-only. it's basically the original bourne shell, rebourne

https://www.freebsd.org/cgi/man.cgi?query=sh&sektion=&n=1

not to be confused with csh which freebsd also has. here is sh, the posix one:

https://cgit.freebsd.org/src/tree/bin/sh

https://github.com/chimera-linux/bsdutils/commit/547ebb8dcfb0c6be55bb728732729cef86834a9a

the sh that i'm currently working on is oksh. someone already ported ksh to linux, so i didn't need to do that:

https://github.com/ibara/oksh

but this is about 19k same as busybox's shell, though with a ton of features. i have a hunch that if i strip down ksh it might be possible to make it smaller than freebsd sh

besides freebsd sh there's also mrsh aiming for full posix, it's slightly smaller than freebsd sh but incomplete. freebsd's is currently the best imo

as for reference, you mean a website or something?

https://en.wikipedia.org/wiki/Tiny_C_Compiler has some information and the website is https://bellard.org/tcc/ though the author himself doesn't maintain it anymoer, but you can check the mailing list, other people work on it now

by the way, the linux kernel can be compiled with tcc

as can musl, and many other things. i'm willing to bet that everything in your build system can be done with tcc

it's possible that you might maybe find a few programs that need minor patching here and there, but tcc is pretty complete. it doesn't have as robust warnings/errors as gcc though, so a thing i normally do is (with -Wall, -Wextra and -Werror set) test code with gcc and clang first, but (if size is a priority) i compile with tcc for what i put into production

in fact, one of the things people talk about with tcc is how quickly it compiles linux

that's another benefit. it only does a single pass, compiling line by line. it compiles very quickly

so in addition to reducing code size, it will reduce compile time aswell

try it. just literally modify your build system and/or musl-cross-build to use tcc. try using it as a drop-in replacement, and then see what breaks, if anything. then patch everything up and boot it, see if it works

tcc is a very competent compiler, it's much more "correct" than gcc/clang. the kind of hackiness you see in other compilers simply doesn't exist in tcc. it just compiles your code exactly as written, it doesn't mess around (no optimizer of any kind)

coreboot components probably still have to be built with coreboot crossgcc. modifying coreboot to work nicely with tcc might be nice but there's a lot of gcc-ish stuff in their codebase. but everything in your linux distro can probably be built and work nicely with tcc

[ ] Consider compressing with xz -9e and proper dictionary sizes both initrd.cpio.xz and linux wrapper script.

Pointers under https://github.com/osresearch/heads/pull/1195#issuecomment-1218046547

Sorry about commit messages above. All were related to -9e, and aimed to see what would pass for all boards and see which changes are actually reducing both kernel and initrd compression. As of now, passing to -9e shows an increase of size, but none of previous commit were just changing to -9e, they were also changing the dictionary size. It is also to note that xz has built-ins default that normally also change the disctionary size, so blunt tests playing with extremes above (dict 1Mib and 100Mib) shows that the defaults are better then random sizes. Nothing else is proven good or wrong at this point, just that changing dict to random sizes is not helping.

3e2a543 changes only initrd and linux bzImage to use -9e
d120023 changed to xz -9e and dictionnaries sizes to 1Mib (and failed to be packaged for some xx20)
fab908a changed to xz -9e and dictionnaries sizes to 100 Mib (expected to fail packaging for some xx20 as well)

Post will be edited with results when builds are done (those are clean builds if global Makefile is changed, as per master comparison which included CircleCI fix so that CircleCI can now be used to test and compare such builds and have build logs referred directly to proper lines for references). If Makefile is not touched but a patch in modules change outside of coreboot, coreboot + musl-cross-make cache will be reused, speeding up builds.

This might explain the increase of size when increasing past 1Mib of dictionary size, the computed dictionary seems to be added as well, while the actual dictionary should be at least the size of uncompressed

From https://www.kernel.org/doc/html/latest/staging/xz.html

In userspace, LZMA2 is typically used with dictionary sizes of several megabytes. The decoder needs to have the dictionary in RAM, thus big dictionaries cannot be used for files that are intended to be decoded by the kernel. 1 MiB is probably the maximum reasonable dictionary size for in-kernel use (maybe more is OK for initramfs). The presets in XZ Utils may not be optimal when creating files for the kernel, so don’t hesitate to use custom settings. Example:

xz --check=crc32 --lzma2=dict=512KiB inputfile

An exception to above dictionary size limitation is when the decoder is used in single-call mode. Decompressing the kernel itself is an example of this situation. In single-call mode, the memory usage doesn’t depend on the dictionary size, and it is perfectly fine to use a big dictionary: for maximum compression, the dictionary should be at least as big as the uncompressed data itself.

Also:

scripts/xz_wrap.sh is a wrapper for the xz command line tool found from XZ Utils. The wrapper sets compression options to values suitable for compressing the kernel image.

So:

uncompressed vmlinux is around 32mb (4.14 is 21mb).
default for linux 4.14 is 32MiB dictionary and xz -6 (default: no xz level passed on command line)
master's initrd compression 1MiB dictionary with -9 command line passed compression level (for uncompressed initrd.cpio of 12mb uncompressed on master)

comparison around x230-hotp-maximized's coreboot payload's (compressed initrd.cpio.xz + bzImage xz compressed size)

master: 7318471 : initrd xz -9 with default dict size (unspecified), bzImage xz -6 compressed with 32mb dict size
fab908a: 7326151 : changed to xz -9e and dictionnaries sizes to 100 Mib (expected to fail packaging for some xx20 as well)
d120023: 7359943 : changed to xz -9e and dictionnaries sizes to 1Mib (and failed to be packaged for some xx20)
3e2a543: 7325127 : changes only initrd and linux bzImage to use -9e
f0595b3: 7319495 : xz -6 (default) passed to xz -9 for bzImage only (32MiB dict size for bzImage and 1MiB unchanged for initrd with xz -9 unchanged)
d5608cd: 7326151 : xz -6 passed to xz -9e with dict 64MiB for both bzImage and initrd

@githubisnonfree: So basically, those results seem to prove that since initrd content is stripped before being added into tools.cpio (libs and binaries), same for modules.cpio (kernel drivers) while heads.cpio is text scripts but negligible in size, when they are packed into initrd.cpio.xz without so much gain possible with higher compression from bzImage wrapper script, while changing dictionary and compression to -9e seems to require a higher dictionary size (adding size) which is not showing any gain, since content is already stripped and no additional gain are showing when either changing dict size nor compression mode.

Some additional tests directly on bzImage (vmlinux) locally on built linux kernel prior of compression:

user@heads-tests:~/heads/build/linux-4.14.62-hardlink/linux-x230-maximized$ ls -al vmlinux
-rwxr-xr-x 1 user user 21999528 Aug  2 16:18 vmlinux
user@heads-tests:~/heads/build/linux-4.14.62-hardlink/linux-x230-maximized$ xz --check=crc32 -9 --lzma2=dict=32MiB vmlinux
user@heads-tests:~/heads/build/linux-4.14.62-hardlink/linux-x230-maximized$ ls -al vmlinux.xz 
-rwxr-xr-x 1 user user 3561164 Aug  2 16:18 vmlinux.xz
user@heads-tests:~/heads/build/linux-4.14.62-hardlink/linux-x230-maximized$ xz --decompress vmlinux.xz
user@heads-tests:~/heads/build/linux-4.14.62-hardlink/linux-x230-maximized$ xz --check=crc32 -9e vmlinux
user@heads-tests:~/heads/build/linux-4.14.62-hardlink/linux-x230-maximized$ ls -al vmlinux.xz 
-rwxr-xr-x 1 user user 3556864 Aug  2 16:18 vmlinux.xz
user@heads-tests:~/heads/build/linux-4.14.62-hardlink/linux-x230-maximized$ xz --decompress vmlinux.xz
user@heads-tests:~/heads/build/linux-4.14.62-hardlink/linux-x230-maximized$ xz --check=crc32 -6 vmlinux
user@heads-tests:~/heads/build/linux-4.14.62-hardlink/linux-x230-maximized$ ls -al vmlinux.xz 
-rwxr-xr-x 1 user user 3567516 Aug  2 16:18 vmlinux.xz
user@heads-tests:~/heads/build/linux-4.14.62-hardlink/linux-x230-maximized$ xz --decompress vmlinux.xz
user@heads-tests:~/heads/build/linux-4.14.62-hardlink/linux-x230-maximized$ xz --check=crc32 -9e --lzma2=dict=32MiB vmlinux 
user@heads-tests:~/heads/build/linux-4.14.62-hardlink/linux-x230-maximized$ ls -al vmlinux.xz 
-rwxr-xr-x 1 user user 3561164 Aug  2 16:18 vmlinux.xz
user@heads-tests:~/heads/build/linux-4.14.62-hardlink/linux-x230-maximized$ xz --decompress vmlinux.xz
user@heads-tests:~/heads/build/linux-4.14.62-hardlink/linux-x230-maximized$ xz --check=crc32 -9e --lzma2=dict=22MiB vmlinux 
user@heads-tests:~/heads/build/linux-4.14.62-hardlink/linux-x230-maximized$ ls -al vmlinux.xz
-rwxr-xr-x 1 user user 3561164 Aug  2 16:18 vmlinux.xz

So here, the best compression scenario is obtained with:

xz --check=crc32 -9e vmlinux Where no manual invocation is able to get to that gain of 3561164 - 3556864 = 4300 bytes.

Some tests on local initrd.cpio.xz, decompressed and re-compressed with different modes:

user@heads-tests:~/heads/build/x230-hotp-maximized$ ls -al initrd.cpio 
-rw-r--r-- 1 user user 12856832 Aug 16 14:00 initrd.cpio
user@heads-tests:~/heads/build/x230-hotp-maximized$ xz --check=crc32 -9 initrd.cpio 
user@heads-tests:~/heads/build/x230-hotp-maximized$ ls -al initrd.cpio.xz 
-rw-r--r-- 1 user user 4283464 Aug 16 14:00 initrd.cpio.xz
user@heads-tests:~/heads/build/x230-hotp-maximized$ xz --decompress initrd.cpio.xz
user@heads-tests:~/heads/build/x230-hotp-maximized$ xz --check=crc32 -9e initrd.cpio 
user@heads-tests:~/heads/build/x230-hotp-maximized$ ls -al initrd.cpio.xz 
-rw-r--r-- 1 user user 4294176 Aug 16 14:00 initrd.cpio.xz
 user@heads-tests:~/heads/build/x230-hotp-maximized$ xz --check=crc32 -9e --lzma2=dict=64MiB initrd.cpio
user@heads-tests:~/heads/build/x230-hotp-maximized$ ls -al initrd.cpio.xz 
-rw-r--r-- 1 user user 4283464 Aug 16 14:00 initrd.cpio.xz
user@heads-tests:~/heads/build/x230-hotp-maximized$ xz --decompress initrd.cpio.xz
user@heads-tests:~/heads/build/x230-hotp-maximized$ xz --check=crc32 -9e --lzma2=dict=32MiB initrd.cpio
user@heads-tests:~/heads/build/x230-hotp-maximized$ ls -al initrd.cpio.xz 
-rw-r--r-- 1 user user 4283464 Aug 16 14:00 initrd.cpio.xz
user@heads-tests:~/heads/build/x230-hotp-maximized$ xz --decompress initrd.cpio.xz
user@heads-tests:~/heads/build/x230-hotp-maximized$ xz --check=crc32 -9e --lzma2=dict=1MiB initrd.cpio
user@heads-tests:~/heads/build/x230-hotp-maximized$ ls -al initrd.cpio.xz 
-rw-r--r-- 1 user user 4482392 Aug 16 14:00 initrd.cpio.xz
user@heads-tests:~/heads/build/x230-hotp-maximized$ xz --decompress initrd.cpio.xz
user@heads-tests:~/heads/build/x230-hotp-maximized$ xz --check=crc32 -9 --lzma2=dict=1MiB initrd.cpio
user@heads-tests:~/heads/build/x230-hotp-maximized$ ls -al initrd.cpio.xz 
-rw-r--r-- 1 user user 4482392 Aug 16 14:00 initrd.cpio.xz
user@heads-tests:~/heads/build/x230-hotp-maximized$ xz --check=crc32 -9 --lzma2=dict=16MiB initrd.cpio
user@heads-tests:~/heads/build/x230-hotp-maximized$ ls -al initrd.cpio.xz 
-rw-r--r-- 1 user user 4283464 Aug 16 14:00 initrd.cpio.xz
user@heads-tests:~/heads/build/x230-hotp-maximized$ xz --decompress initrd.cpio.xz
user@heads-tests:~/heads/build/x230-hotp-maximized$ xz --check=crc32 -9e --lzma2=dict=16MiB initrd.cpio
user@heads-tests:~/heads/build/x230-hotp-maximized$ ls -al initrd.cpio.xz 
-rw-r--r-- 1 user user 4283464 Aug 16 14:00 initrd.cpio.xz

So we could gain 4482392 - 4283464 = 198928 bytes (0.1897 MiB)

So from above tests on initrd.cpio

Baseline:

user@heads-tests:~/heads/build/x230-hotp-maximized$ xz --check=crc32 -9 --lzma2=dict=1MiB initrd.cpio
user@heads-tests:~/heads/build/x230-hotp-maximized$ ls -al initrd.cpio.xz 
-rw-r--r-- 1 user user 4482392 Aug 16 14:00 initrd.cpio.xz

Best size is 4283464 which is either obtained with:

xz --check=crc32 -9 initrd.cpio
xz --check=crc32 -9e --lzma2=dict=64MiB initrd.cpio
xz --check=crc32 -9e --lzma2=dict=32MiB initrd.cpio
xz --check=crc32 -9e --lzma2=dict=16MiB initrd.cpio

So one last test implementing:

bzImage: xz --check=crc32 -9e
initrd: xz --check=crc32 -9e --lzma2=dict=16MiB initrd.cpio

So as of now, not sure what that -9e equivalent would be for bzImage: it is still an unknown. @githubisnonfree: review of results and advice more then welcome where fb7a132 should show result, where bzImage -9e implemented dictionary size (we would need to fixate it) is needed (now patch doesn't fixate it, which is not good for reproducibility)

I may forget about this: but if fb7a132 passes and reduce payload's size and increases coreboot's rom free space, we have a (non-completely explained) win. Once again, passed way too much time testing this and I welcome anyone jumping in this "Quest to reduce firmware size" (payload's size).

No gain compared to master: 7329735

Moving on

linuxboot / heads

Quest to reduce firmware size #590

710 would require newer versions of gpg toolchain, which won't fit in actual x230 board config. EDIT: it actually fitted.

709 non neutered ME board configs lack around 300k to fit VBOOT in.

1184 freed 313856 bytes.

1121 freed 424960 bytes.

So from above tests on initrd.cpio