diff --git a/.circleci/config.yml b/.circleci/config.yml
index 0648492c5..cc245bc6f 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -116,7 +116,6 @@ jobs:
       - store-artifacts:
           path: build/x230
 
-
       - run:
           name: x230-hotp-verification
           command: |
@@ -135,6 +134,24 @@ jobs:
       - store-artifacts:
           path: build/x230-hotp-verification
 
+      - run:
+          name: t430-hotp-verification
+          command: |
+            rm -rf build/t430-hotp-verification/* build/log/* && make --load 2 \
+                V=1 \
+                BOARD=t430-hotp-verification \
+          no_output_timeout: 3h
+      - run:
+          name: Ouput t430-hotp-verification hashes
+          command: |
+            cat build/t430-hotp-verification/hashes.txt \
+      - run:
+          name: Archiving build logs for x230-hotp-verification
+          command: |
+             tar zcvf build/t430-hotp-verification/logs.tar.gz build/log/*
+      - store-artifacts:
+          path: build/t430-hotp-verification
+
       - run:
           name: qemu-coreboot
           command: |
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 98bdcdc19..0957a78de 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -46,6 +46,15 @@ build:
     - cat ./build/x230-hotp-verification/hashes.txt
     - echo "Archiving x230-hotp-verification logs..."
     - tar zcvf ./build/x230-hotp-verification/logs.tar.gz ./build/log/*
+    - echo "Removing old t430-hotp-verification artifacts..."
+    - rm -rf ./build/t430-hotp-verification/*
+    - rm -rf ./build/log/*
+    - echo "Building BOARD=t430-hotp-verification board..."
+    - make BOARD=t430-hotp-verification || (find ./build/log/ -cmin 1|xargs tail; exit 1)
+    - echo "t430-hotp-verification hashes:"
+    - cat ./build/t430-hotp-verification/hashes.txt
+    - echo "Archiving t430-hotp-verification logs..."
+    - tar zcvf ./build/t430-hotp-verification/logs.tar.gz ./build/log/*
     - echo "Removing old x230 artifacts..."
     - rm -rf ./build/x230/*
     - rm -rf ./build/log/*
diff --git a/boards/t430-hotp-verification/t430-hotp-verification.config b/boards/t430-hotp-verification/t430-hotp-verification.config
new file mode 100644
index 000000000..9c2b7a66f
--- /dev/null
+++ b/boards/t430-hotp-verification/t430-hotp-verification.config
@@ -0,0 +1,47 @@
+# Configuration for a t430-hotp-verification running Qubes and other OSes
+export CONFIG_COREBOOT=y
+CONFIG_COREBOOT_CONFIG=config/coreboot-t430-hotp-verification.config
+CONFIG_LINUX_CONFIG=config/linux-x230.config
+
+CONFIG_CRYPTSETUP=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+CONFIG_DROPBEAR=y
+
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+CONFIG_LIBREMKEY=y
+
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+
+export CONFIG_TPM=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOOT_GUI_MENU_NAME="Thinkpad T430-hotp Heads Boot Menu"
+export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
+export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal --ifd --image bios"
+
+# This board has two SPI flash chips, an 8 MB that holds the IFD,
+# the ME image and part of the coreboot image, and a 4 MB one that
+# has the rest of the coreboot and the reset vector.
+#
+# Only flashing to the bios region is safe to do. The easiest is to
+# flash internally when the IFD is unlocked for writing, and t430-hotp-verification-flash
+# is installed first.
diff --git a/config/coreboot-t430-hotp-verification.config b/config/coreboot-t430-hotp-verification.config
new file mode 100644
index 000000000..afd5e85fb
--- /dev/null
+++ b/config/coreboot-t430-hotp-verification.config
@@ -0,0 +1,26 @@
+CONFIG_LOCALVERSION="heads"
+CONFIG_ANY_TOOLCHAIN=y
+# CONFIG_INCLUDE_CONFIG_FILE is not set
+# CONFIG_COLLECT_TIMESTAMPS is not set
+CONFIG_USE_BLOBS=y
+CONFIG_MEASURED_BOOT=y
+CONFIG_VENDOR_LENOVO=y
+CONFIG_CBFS_SIZE=0x800000
+# CONFIG_POST_IO is not set
+# CONFIG_POST_DEVICE is not set
+CONFIG_DRIVERS_UART_8250IO=y
+CONFIG_BOARD_LENOVO_THINKPAD_T430=y
+CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_UART_PCI_ADDR=0
+# CONFIG_CONSOLE_SERIAL is not set
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/t430-hotp-verification/bzImage"
+CONFIG_PAYLOAD_OPTIONS=""
+# CONFIG_PXE is not set
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
+CONFIG_LINUX_INITRD="../../build/t430-hotp-verification/initrd.cpio.xz"
+CONFIG_DEBUG_SMM_RELOCATION=y
+CONFIG_USE_OPTION_TABLE=y
+CONFIG_STATIC_OPTION_TABLE=y