This is the upstream relevant part of Nitrokey's next release for the Nitropads, it consists of three parts:

1. update Dasharo Coreboot to the most recent version (1.7.2)

• all previous coreboot patches are now upstreamed and removed
• added a minimal-change patch to switch available S-states based on model during compile-time
• fixes: ns50 v2.3 suspend causes freeze on resume Nitrokey/heads#29 (suspend compatibility improved, see below)
• fixes: [nitropad-nx] igfx not properly working, reports llvm-pipe Nitrokey/heads#25 (see tests below)
• fixes: Integrate noise reduction feature from Dasharo Nitrokey/heads#32 (part of the dasharo coreboot bump)

2. fix watchdog-based powerdown for nitropad-nxx

• fixes: [nitropad-nx] watchdog-based poweroff/reboot not triggered correctly Nitrokey/heads#24

3. updates hotp-verification to obey Nitrokey 3's extended security model

• older hotp-verification versions + NK3 v1.6 will not allow overwriting the HOTP secret, workaround: delete it manually using nitropy
• using this hotp-verification version the HOTP secret is first removed before setting it again during HOTP regeneration
• this change is fully backwards compatible with any previously working tokens

Test Results

First round of tests was done for t430-hotp-max, nitropad-nv41, nitropad-ns50:

• QubesOS / ubuntu regular boot + installation
• splash screen visible
• flashing using the build-time-provided .zip
• suspend ns50 (S0ix) -> QubesOS (not ok/expected), Ubuntu (ok)
• suspend nv41 (S3) -> QubesOS (ok), Ubuntu (ok)
• igfx availability (nv41/ns50) inside Ubuntu (ok)
• igfx availability (nv41/ns50) inside QubesOS (4.1.2) still llvm-pipe, works with QubesOS 4.2
• branding and vendor reconfiguration works as expected (site-local)
• Nitrokey 3 HOTP with firmware <v1.6 & >=v1.6

We plan for another round of testing early in January, once these tests confirm the listed ones - I'll change the PR to be ready-for-review.