docker: centralize X11/KVM/USB handling

- Add `docker/common.sh` with helpers: `build_docker_opts`, `run_docker`, `usage`, and `kill_usb_processes`.
- Programmatic Xauthority (`/tmp/.docker.xauth-<uid>`) with fallback to `~/.Xauthority` and `HEADS_X11_XAUTH` override.
- Detect and mount `/dev/kvm` when available; handle USB passthrough and token cleanup. Add `HEADS_DISABLE_USB` and avoid prompting for sudo in non-interactive shells (prompt only on TTY).
- Refactor `docker_*` wrappers to source shared helpers and remove duplicated device/X11/KVM/USB logic.

Docs:
- `README.md` and `targets/qemu.md`: document `canokey-qemu` inclusion and default token behavior; make Docker wrappers the canonical workflow and mark host-side QEMU/swtpm installs as unnecessary.

Tests:
- `bash -n` and `shellcheck` passed; runtime `build_docker_opts` validation created Xauthority and showed expected flags.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>

Author: tlaurion

README.md

@@ -36,9 +36,48 @@ Building heads with prebuilt and versioned docker images
 Heads now builds with Nix built docker images since https://github.com/linuxboot/heads/pull/1661.
 
 The short path to build Heads is to do what CircleCI would do (./docker_repro.sh under heads git cloned directory):
-- Install _docker-ce_ for your OS of choice (refer to their documentation)
+- Install Docker (docker-ce) for your OS by following Docker's official installation instructions: https://docs.docker.com/engine/install/
 - run `./docker_repro.sh make BOARD=XYZ`
 
+Note: `./docker_repro.sh` is the canonical, reproducible way to build and test Heads. The `docker_local_dev.sh` helper is intended for developers who need to modify the local image built from `flake.nix`/`flake.lock` and is not recommended for general testing.
+
+Important: the supported and tested workflow uses the provided Docker
+wrappers (`./docker_repro.sh`, `./docker_local_dev.sh`, or
+`./docker_latest.sh`). Host-side installation of QEMU, `swtpm`, or other
+QEMU-related tooling is unnecessary for the standard workflow and is not
+part of the tested configuration. Only advanced or edge-case workflows
+may require installing those tools on the host (see `targets/qemu.md`
+for guidance).
+
+The Docker images produced by our Nix build include QEMU
+(`qemu-system-x86_64`), `swtpm` / `libtpms`, `canokey-qemu` (a virtual
+OpenPGP smartcard), and other userspace tooling required to build and
+test QEMU boards. If you use `./docker_repro.sh` you only need Docker on
+the host (for example, `docker-ce`). For KVM acceleration the host
+must expose `/dev/kvm` (load `kvm_intel` / `kvm_amd` as appropriate);
+our wrapper scripts mount `/dev/kvm` automatically when it exists.
+
+If you plan to manage disk images or use `qemu-img` snapshots on the
+host (outside containers), install the `qemu-utils` package locally
+(which provides `qemu-img`).
+
+If you do not specify `USB_TOKEN` when running QEMU targets, the container will use the included `canokey-qemu` virtual token by default; set `USB_TOKEN` (or use `hostbus`/`hostport`/`vendorid,productid`) to forward a hardware token instead.
+
+Wrapper options & environment variables
+---
+
+- `HEADS_DISABLE_USB=1` — disable automatic USB passthrough and the
+  automatic USB cleanup (default: `0`).
+- `HEADS_X11_XAUTH=1` — force mounting your `${HOME}/.Xauthority` into
+  the container for X11 authentication.
+
+For details about selecting or forwarding a physical USB token to QEMU
+(handled by the `USB_TOKEN` make variable), see `targets/qemu.md`.
+
+Note: when USB passthrough is active the wrappers will detect processes that may be holding a USB token (for example `scdaemon` or `pcscd`). The wrapper will warn and, on interactive shells, give a 3s abort window before attempting to kill those processes to free the token. Set `HEADS_DISABLE_USB=1` to opt out of this automatic cleanup.
+
+Example: `HEADS_DISABLE_USB=1 ./docker_repro.sh make BOARD=qemu-coreboot-fbwhiptail-tpm2 run`
+
 Using Nix local dev environement / building docker images with Nix
 ==
 
@@ -88,16 +127,17 @@ Your local docker image "linuxboot/heads:dev-env" is ready to use, reproducible
 
 Jump into nix develop created docker image for interactive workflow
 ====
-There is 3 helpers:
-- `./docker_local_dev.sh`: for developers wanting to customize docker image built from flake.nix(nix devenv creation) and flake.lock (pinned versions used by flake.nix)
-- `./docker_latest.sh`: for Heads developers, wanting to use latest published docker images to develop Heads
-- `./docker_repro.sh`: versioned docker image used under CircleCI to produce reproducivle builds, both locally and under CircleCI. **Use this one if in doubt**
+There are three helpers:
+- `./docker_local_dev.sh`: developer-only — customize the local image built from `flake.nix`/`flake.lock` (not recommended for general testing)
+- `./docker_latest.sh`: convenience — use the latest published Docker image for development
+- `./docker_repro.sh`: canonical, reproducible builds that match CircleCI; **this is the recommended way to build and test Heads**
 
 ie: `./docker_repro.sh` will jump into CircleCI used versioned docker image for that Heads commit id to build images reproducibly if git repo is clean (not dirty).
 
 From there you can use the docker image interactively.
 
-`make BOARD=board_name` where board_name is the name of the board directory under `./boards` directory.
+Use `./docker_repro.sh make BOARD=board_name` to run builds and tests (this runs `make` inside the canonical Docker image). 
+If you are already inside the container interactively, run `make BOARD=board_name` as usual.
 
 
 One such useful example is to build and test qemu board roms and test them through qemu/kvm/swtpm provided in the docker image. 

docker/common.sh

@@ -0,0 +1,150 @@
+#!/bin/bash
+
+# Shared common Docker helpers for Heads dev scripts
+# Meant to be sourced from docker_latest.sh / docker_local_dev.sh / docker_repro.sh
+
+set -euo pipefail
+
+usage() {
+  cat <<'USAGE'
+Usage: $0 [OPTIONS] -- [COMMAND]
+Options:
+Environment variables (opt-ins / opt-outs):
+  HEADS_DISABLE_USB=1   Disable automatic USB passthrough (default: enabled when /dev/bus/usb exists)
+  HEADS_X11_XAUTH=1     Explicitly mount $HOME/.Xauthority into the container for X11 auth
+Command:
+  The command to run inside the Docker container, e.g., make BOARD=BOARD_NAME
+USAGE
+}
+
+# Track whether we supply Xauthority into the container
+DOCKER_XAUTH_USED=0
+
+# Kill scdaemon/pcscd when USB passthrough is present (minimal, automatic)
+kill_usb_processes() {
+  [ -d /dev/bus/usb ] || return 0
+  [ "${HEADS_DISABLE_USB:-0}" = "1" ] && { echo "HEADS_DISABLE_USB=1: skipping USB cleanup" >&2; return 0; }
+
+  # Collect scdaemon and pcscd PIDs (simple, per-origin/master behavior)
+  mapfile -t pids_array < <(pgrep -x scdaemon || true; pgrep -x pcscd || true)
+  [ ${#pids_array[@]} -eq 0 ] && { [ "${HEADS_USB_VERBOSE:-0}" = "1" ] && echo "No scdaemon/pcscd running." >&2; return 0; }
+
+  echo "Detected scdaemon/pcscd processes: ${pids_array[*]}" >&2
+
+  # Warn before attempting kills. Non-interactive shells continue; interactive shells get a short abort window.
+  echo "WARNING: About to kill the above processes to free USB devices for passthrough. To skip this automatic action set HEADS_DISABLE_USB=1 in your environment." >&2
+  if [ -t 1 ]; then
+    echo "Press Ctrl-C to abort within 3 seconds if you do NOT want these processes killed." >&2
+    sleep 3
+  fi
+
+  # Try to kill: prefer running as root, else try sudo without prompting in non-interactive shells
+  if [ "$(id -u)" = "0" ]; then
+    kill -9 "${pids_array[@]}" && echo "Killed PIDs: ${pids_array[*]}" >&2 || echo "Failed to kill some PIDs: ${pids_array[*]}" >&2
+  elif sudo -n true 2>/dev/null; then
+    sudo kill -9 "${pids_array[@]}" && echo "Killed PIDs: ${pids_array[*]}" >&2 || echo "Failed to kill some PIDs: ${pids_array[*]}" >&2
+  elif [ -t 1 ]; then
+    sudo kill -9 "${pids_array[@]}" && echo "Killed PIDs: ${pids_array[*]}" >&2 || echo "Failed to kill some PIDs: ${pids_array[*]}" >&2
+  else
+    echo "Non-interactive: sudo would prompt but cannot proceed; please run: sudo kill -9 ${pids_array[*]}" >&2
+  fi
+}
+
+# Build docker options (returns single string on stdout)
+build_docker_opts() {
+  local opts=( -e "DISPLAY=${DISPLAY:-}" --network host --rm -ti )
+
+  # USB passthrough
+  if [ -d "/dev/bus/usb" ] && [ "${HEADS_DISABLE_USB:-0}" != "1" ]; then
+    opts+=( --device=/dev/bus/usb:/dev/bus/usb )
+    echo "--->USB passthrough enabled; to disable set HEADS_DISABLE_USB=1" >&2
+  elif [ -d "/dev/bus/usb" ]; then
+    echo "--->Host USB present; USB passthrough disabled by HEADS_DISABLE_USB=1" >&2
+  fi
+
+  # KVM passthrough
+  if [ -e /dev/kvm ]; then
+    opts+=( --device=/dev/kvm:/dev/kvm )
+    echo "--->Host KVM device found; enabling /dev/kvm passthrough" >&2
+  elif [ -e /proc/kvm ]; then
+    echo "--->Host reports KVM available but /dev/kvm is missing; load kvm module" >&2
+  fi
+
+  # X11 forwarding: mount socket and try programmatic Xauthority when possible
+  if [ -d "/tmp/.X11-unix" ]; then
+    opts+=( -v /tmp/.X11-unix:/tmp/.X11-unix )
+    if command -v xauth >/dev/null 2>&1; then
+      local XAUTH_HOST
+      XAUTH_HOST="/tmp/.docker.xauth-$(id -u)"
+      : >"$XAUTH_HOST" 2>/dev/null || true
+      xauth nlist "${DISPLAY}" 2>/dev/null | sed -e 's/^..../ffff/' | xauth -f "$XAUTH_HOST" nmerge - 2>/dev/null || true
+      if [ -s "$XAUTH_HOST" ]; then
+        DOCKER_XAUTH_USED=1
+        opts+=( -v "$XAUTH_HOST:$XAUTH_HOST:ro" -e "XAUTHORITY=$XAUTH_HOST" )
+        echo "--->Using programmatic Xauthority $XAUTH_HOST for X11 auth" >&2
+      elif [ -f "${HOME}/.Xauthority" ]; then
+        DOCKER_XAUTH_USED=1
+        opts+=( -v "${HOME}/.Xauthority:/root/.Xauthority:ro" -e "XAUTHORITY=/root/.Xauthority" )
+        echo "--->Falling back to mounting ${HOME}/.Xauthority into container" >&2
+      else
+        echo "--->X11 socket present but no Xauthority found; GUI may fail" >&2
+      fi
+    else
+      if [ -f "${HOME}/.Xauthority" ]; then
+        opts+=( -v "${HOME}/.Xauthority:/root/.Xauthority:ro" -e "XAUTHORITY=/root/.Xauthority" )
+        echo "--->Mounting ${HOME}/.Xauthority into container for X11 auth (xauth missing)" >&2
+      fi
+    fi
+  elif [ "${HEADS_X11_XAUTH:-0}" != "0" ] && [ -f "${HOME}/.Xauthority" ]; then
+    opts+=( -v "${HOME}/.Xauthority:/root/.Xauthority:ro" -e "XAUTHORITY=/root/.Xauthority" )
+    echo "--->HEADS_X11_XAUTH=1: mounting ${HOME}/.Xauthority into container" >&2
+  fi
+
+  # If host xhost does not list LOCAL, warn the user about enabling access only when
+  # we did NOT supply an Xauthority cookie. We do NOT modify xhost automatically (security).
+  if [ "${DOCKER_XAUTH_USED:-0}" = "0" ] && command -v xhost >/dev/null 2>&1 && ! xhost | grep -q "LOCAL:"; then
+    echo "--->X11 auth may be strict; no automatic 'xhost' changes are performed. Provide Xauthority (install xauth) or run 'xhost +SI:localuser:root' manually if you accept the security risk." >&2
+  fi
+
+  local joined
+  printf -v joined "%s " "${opts[@]}"
+  echo "${joined}"
+}
+
+# Common run helper
+run_docker() {
+  local image="$1"; shift
+  local opts host_workdir container_workdir DOCKER_OPTS_ARRAY
+  opts=$(build_docker_opts)
+  # Convert the single-line opts string into an array for safe expansion
+  read -r -a DOCKER_OPTS_ARRAY <<< "$opts"
+  host_workdir="$(pwd)"
+  container_workdir="${host_workdir}"
+
+  parts=()
+  case "${opts}" in *"/dev/kvm"*) parts+=(KVM=on) ;; *) parts+=(KVM=off) ;; esac
+  case "${opts}" in *"/dev/bus/usb"*) parts+=(USB=on) ;; *) parts+=(USB=off) ;; esac
+  case "${opts}" in *"/tmp/.X11-unix"*) parts+=(X11=on) ;; *) parts+=(X11=off) ;; esac
+
+  echo "---> Running container with: ${parts[*]} ; mount ${host_workdir} -> ${container_workdir}" >&2
+  echo "---> Full docker command: docker run ${DOCKER_OPTS_ARRAY[*]} -v ${host_workdir}:${container_workdir} -w ${container_workdir} ${image} -- $*" >&2
+
+  exec docker run "${DOCKER_OPTS_ARRAY[@]}" -v "${host_workdir}:${container_workdir}" -w "${container_workdir}" "${image}" -- "$@"
+}
+
+trap "echo 'Script interrupted. Exiting...'; exit 1" SIGINT
+for arg in "$@"; do
+  case "$arg" in -h|--help) usage; exit 0 ;; esac
+done
+
+# Run the USB cleanup common action
+kill_usb_processes
+
+# Informational reminder printed by each docker wrapper
+echo "----"
+echo "Usage reminder: The minimal command is 'make BOARD=XYZ', where additional options, including 'V=1' or 'CPUS=N' are optional."
+echo "For more advanced QEMU testing options, refer to targets/qemu.md and boards/qemu-*/*.config."
+echo
+echo "Type exit within docker image to get back to host if launched interactively!"
+echo "----"
+echo

docker_latest.sh

@@ -3,56 +3,16 @@
 # Inform the user that the latest published Docker image is being used
 echo "Using the latest Docker image: tlaurion/heads-dev-env:latest"
 DOCKER_IMAGE="tlaurion/heads-dev-env:latest"
+# Check if Docker is installed
+if ! command -v docker >/dev/null 2>&1; then
+	echo "Error: Docker is not installed or not in PATH. Install Docker to use this script." >&2
+	exit 1
+fi
 
-# Function to display usage information
-usage() {
-	echo "Usage: $0 [OPTIONS] -- [COMMAND]"
-	echo "Options:"
-	echo "  CPUS=N  Set the number of CPUs"
-	echo "  V=1     Enable verbose mode"
-	echo "Command:"
-	echo "  The command to run inside the Docker container, e.g., make BOARD=BOARD_NAME"
-}
-
-# Function to kill GPG toolstack related processes using USB devices
-kill_usb_processes() {
-	# check if scdaemon or pcscd processes are using USB devices
-	if [ -d /dev/bus/usb ]; then
-		if sudo lsof /dev/bus/usb/00*/0* 2>/dev/null | awk 'NR>1 {print $2}' | xargs -r ps -p | grep -E 'scdaemon|pcscd' >/dev/null; then
-			echo "Killing GPG toolstack related processes using USB devices..."
-			sudo lsof /dev/bus/usb/00*/0* 2>/dev/null | awk 'NR>1 {print $2}' | xargs -r ps -p | grep -E 'scdaemon|pcscd' | awk '{print $1}' | xargs -r sudo kill -9
-		fi
-	fi
-}
-
-# Handle Ctrl-C (SIGINT) to exit gracefully
-trap "echo 'Script interrupted. Exiting...'; exit 1" SIGINT
-
-# Check if --help or -h is provided
-for arg in "$@"; do
-	if [[ "$arg" == "--help" || "$arg" == "-h" ]]; then
-		usage
-		exit 0
-	fi
-done
-
-# Kill processes using USB devices
-kill_usb_processes
+# Source shared docker helper functions
+source "$(dirname "$0")/docker/common.sh"
 
-# Inform the user about entering the Docker container
-echo "----"
-echo "Usage reminder: The minimal command is 'make BOARD=XYZ', where additional options, including 'V=1' or 'CPUS=N' are optional."
-echo "For more advanced QEMU testing options, refer to targets/qemu.md and boards/qemu-*/*.config."
-echo
-echo "Type exit within docker image to get back to host if launched interactively!"
-echo "----"
-echo
 
 # Execute the docker run command with the provided parameters
-if [ -d "/dev/bus/usb" ]; then
-	echo "--->Launching container with access to host's USB buses (some USB devices were connected to host)..."
-	docker run --device=/dev/bus/usb:/dev/bus/usb -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) $DOCKER_IMAGE -- "$@"
-else
-	echo "--->Launching container without access to host's USB buses (no USB devices was connected to host)..."
-	docker run -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) $DOCKER_IMAGE -- "$@"
-fi
+# Delegate to shared run_docker so all docker_* scripts share identical device/X11/KVM handling
+run_docker "$DOCKER_IMAGE" "$@"

docker_local_dev.sh

@@ -27,67 +27,9 @@ echo "For using the latest published Docker image, refer to ./docker_latest.sh."
 echo "For producing reproducible builds as CircleCI, refer to ./docker_repro.sh."
 echo ""
 
-# Function to display usage information
-usage() {
-	echo "Usage: $0 [OPTIONS] -- [COMMAND]"
-	echo "Options:"
-	echo "  CPUS=N  Set the number of CPUs"
-	echo "  V=1     Enable verbose mode"
-	echo "Command:"
-	echo "  The command to run inside the Docker container, e.g., make BOARD=BOARD_NAME"
-}
-
-# Function to kill GPG toolstack related processes using USB devices
-kill_usb_processes() {
-	# check if scdaemon or pcscd processes are using USB devices
-	if [ -d /dev/bus/usb ]; then
-		if sudo lsof /dev/bus/usb/00*/0* 2>/dev/null | awk 'NR>1 {print $2}' | xargs -r ps -p | grep -E 'scdaemon|pcscd' >/dev/null; then
-			echo "Killing GPG toolstack related processes using USB devices..."
-			sudo lsof /dev/bus/usb/00*/0* 2>/dev/null | awk 'NR>1 {print $2}' | xargs -r ps -p | grep -E 'scdaemon|pcscd' | awk '{print $1}' | xargs -r sudo kill -9
-		fi
-	fi
-}
-
-# Handle Ctrl-C (SIGINT) to exit gracefully
-trap "echo 'Script interrupted. Exiting...'; exit 1" SIGINT
-
-# Check if --help or -h is provided
-for arg in "$@"; do
-	if [[ "$arg" == "--help" || "$arg" == "-h" ]]; then
-		usage
-		exit 0
-	fi
-done
-
-# Check if the git repository is dirty and if flake.nix or flake.lock are part of the uncommitted changes
-if [ -n "$(git status --porcelain | grep -E 'flake\.nix|flake\.lock')" ]; then
-	echo "**Warning: Uncommitted changes detected in flake.nix or flake.lock. The Docker image will be rebuilt!**"
-	echo "If this was not intended, please CTRL-C now, commit your changes and rerun the script."
-	echo "Building the Docker image from flake.nix..."
-	nix --print-build-logs --verbose develop --ignore-environment --command true
-	nix --print-build-logs --verbose build .#dockerImage && docker load <result
-else
-	echo "Git repository is clean. Using the previously built Docker image when repository was unclean and flake.nix/flake.lock changes were uncommited."
-	sleep 1
-fi
-
-# Kill processes using USB devices
-kill_usb_processes
-
-# Inform the user about entering the Docker container
-echo "----"
-echo "Usage reminder: The minimal command is 'make BOARD=XYZ', where additional options, including 'V=1' or 'CPUS=N' are optional."
-echo "For more advanced QEMU testing options, refer to targets/qemu.md and boards/qemu-*/*.config."
-echo
-echo "Type exit within docker image to get back to host if launched interactively!"
-echo "----"
-echo
+# Source shared docker helper functions
+source "$(dirname "$0")/docker/common.sh"
 
 # Execute the docker run command with the provided parameters
-if [ -d "/dev/bus/usb" ]; then
-	echo "--->Launching container with access to host's USB buses (some USB devices were connected to host)..."
-	docker run --device=/dev/bus/usb:/dev/bus/usb -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) $DOCKER_IMAGE -- "$@"
-else
-	echo "--->Launching container without access to host's USB buses (no USB devices was connected to host)..."
-	docker run -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) $DOCKER_IMAGE -- "$@"
-fi
+# Delegate to shared run_docker so all docker_* scripts share identical device/X11/KVM handling
+run_docker "$DOCKER_IMAGE" "$@"