{ nixpkgsOnBuildForBuild
, coreboot-toolchain ? throw "missing"
, payload            ? throw "you must provide a coreboot payload (Linux kernel image or FIT)"
, fmap               ? throw "you must provide an FMAP (flash chip partition table)"
, config             ? throw "you must provide a coreboot .config file"
, initramfs_image    # path to the initramfs `cpio` archive
, iasl               ? null # a specific iasl to use, if needed
, console_loglevel   ? "7"
}:
let
  version = "4.9";
  inherit (nixpkgsOnBuildForBuild) stdenv lib git python2 ncurses fetchgit;
in
stdenv.mkDerivation {
  pname = "coreboot";
  inherit version;

  src = fetchgit {
    url = "https://review.coreboot.org/coreboot";
    branchName = "${version}";
    rev = "7f520c8fe6fc991df2c4e91f42843d4290744ebb";
    hash = "sha256-lX6QnUS4a/F4Y68qK9i45O4OP+UEjHlCK+YaKJOQLUo=";
    fetchSubmodules = false;
  };

  prePatch = ''
    patchShebangs .
  '';

  patches = let inherit (nixpkgsOnBuildForBuild) fetchpatch; in [
    (fetchpatch {
      # Makefile.inc: Use `define` for cbfs-files-processor-defconfig
      url = "https://github.com/coreboot/coreboot/commit/1c08a9a9c4986f2b3c47322f041e289121536dc0.patch";
      hash = "sha256-DqrzD8JVW0z+s426p2PCtmO24Of14r4FDN8FynaqS14=";
    })
    (fetchpatch {
      # Makefile.inc: Adapt $(spc) definition
      url = "https://github.com/coreboot/coreboot/commit/0f6f70c3942c152c512b1aa51b6f6079a05e003b.patch";
      hash = "sha256-x7PK/PLYXqWG6Y8IbmUXAqp2L8/pkPW7btmdyWoR1cI=";
    })
    (fetchpatch {
      # asus/am1i-a: Enable UART according to CONFIG_UART_FOR_CONSOLE
      url = "https://github.com/coreboot/coreboot/commit/16a70c3d40db0d31d8b6c6c13603d27ad6bf5be3.patch";
      hash = "sha256-tG465Y56TMYQdiyeGPg9I5BfakAkxi0pyBWvmJRgMKM=";
    })
    (fetchpatch {
      # drivers/spi/gigadevice.c: Add the rest of >=1MB Gigadevice GD25 chips
      url = "https://github.com/coreboot/coreboot/commit/2db6e6806b0966d5e921752aa3f91af0310b3181.patch";
      hash = "sha256-Bvtz4joH+v5RSzDPAa8w0in/UKXdPvGO2tijamHPAfs=";
    })
    ./patches/0006-remove-submodules.patch
    ./patches/0008-payloads-external-linux-allow-CONFIG_LINUX_COMMAND_L.patch
    ./patches/0009-payloads-Kconfig-add-CONFIG_UNCOMPRESSED_PAYLOAD.patch
    ./patches/0010-rk3399-mainboard-google-gru-add-define-for-GPIO_PEN_.patch
    ./patches/0011-rk3399-src-Kconfig-increase-HEAP_SIZE-to-0x40000-byt.patch
    ./patches/0012-rk3399-include-soc-memlayout.ld-enlarge-RAMSTAGE-and.patch
    ./patches/0013-kgpe-d16-src-arch-x86-use-CONFIG_CBFS_PREFIX-instead.patch
    ./patches/0014-kgpe-d16-ignore-nvram-for-power_state-always_on-iomm.patch
    ./patches/0015-kgpe-d16-factor-out-is_recovery_jumper_set-print-val.patch
    ./patches/0016-kgpe-d16-src-drivers-pc80-factor-rewrite_cmos-out-of.patch
    ./patches/0017-use_fallback-platform-independent-part.patch
    ./patches/0018-use_fallback-rk3399-gru-kevin-use-fallback-if-watchd.patch
    ./patches/0019-use_fallback-rk3399-gru-kevin-update-for-coreboot-4..patch
    ./patches/0020-use_fallback-kgpe-d16-implement-using-nvram-with-cmo.patch
    ./patches/0021-am1i-omit-amdfw.rom-completely-it-has-broken-address.patch
    ./patches/0022-kgpe-d16-disable-sanitize_cmos-it-causes-too-many-pr.patch
  ];

  nativeBuildInputs = [
    git
    python2
    ncurses
  ] ++ coreboot-toolchain;

  enableParallelBuilding = false;   # does not work

  # FIXME: use the nixpkgs `kernel/manual-config.nix` machinery here
  configurePhase = ''
    runHook preConfigure
    cp ${config} .config
    chmod +w .config
    sed -i 's/^CONFIG_DEFAULT_CONSOLE_LOGLEVEL//' .config
    echo 'CONFIG_DEFAULT_CONSOLE_LOGLEVEL_${console_loglevel}=y' >> .config
    echo 'CONFIG_DEFAULT_CONSOLE_LOGLEVEL=${console_loglevel}' >> .config
    sed -i 's/^CONFIG_FMDFILE=.*//' .config
    echo 'CONFIG_FMDFILE="${fmap}"' >> .config
    sed -i 's/^CONFIG_PAYLOAD_FILE=.*//' .config
    echo 'CONFIG_PAYLOAD_FILE="${payload}"' >> .config
    sed -i 's/^CONFIG_LINUX_INITRD=.*//' .config
    echo 'CONFIG_LINUX_INITRD="${initramfs_image}"' >> .config
  '' + lib.optionalString (iasl != null) ''
    echo CONFIG_ANY_TOOLCHAIN=y >> .config
  '' + ''
    runHook postConfigure
  '';

  preBuild = ''
    mkdir -p build/cbfs/prefix/
  '';

  makeFlags = [
    "build/coreboot.rom"
  ] ++ lib.optionals (iasl != null) [
    "IASL=${iasl}/bin/iasl"
  #] ++ [ "V=1"
  ];

  # see https://review.coreboot.org/c/coreboot/+/12825/ for why this is needed
  postBuild = ''
    build/util/cbfstool/cbfstool build/coreboot.rom add-master-header -r NORMAL
  '';

  dontPatchELF = true;

  installPhase = ''
    runHook preInstall

    mkdir -p $out
    cp build/coreboot.rom $out/

    # note that coreboot's `Makefile` rewrites the `.config`, so we
    # keep a copy of the final version
    grep -v '^#' .config | sort > $out/config

    runHook postInstall
  '';
}