diff --git a/build.zig b/build.zig
index 94d1dca..3a3e715 100644
--- a/build.zig
+++ b/build.zig
@@ -85,7 +85,7 @@ pub fn build(b: *std.Build) !void {
 const tboot_sign = b.addExecutable(.{
 .name = "tboot-sign",
 .root_source_file = .{ .path = "src/tboot-sign.zig" },
- .target = b.host,
+ .target = target,
 .optimize = optimize,
 .strip = optimize != std.builtin.OptimizeMode.Debug,
 });
diff --git a/flake.nix b/flake.nix
index 7ffc0d2..3b260b9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -21,7 +21,8 @@
 corebootSrc = inputs.coreboot.outPath;
 version = "24.05";
 };
- tinyboot = prev.callPackage ./pkgs/tinyboot.nix { zigSrc = inputs.zig.outPath; };
+ # TODO(jared): use pkgsStatic for now since zig's cross-compilation dynamic linking support seems to be broken
+ tinyboot = prev.pkgsStatic.callPackage ./pkgs/tinyboot.nix { zigSrc = inputs.zig.outPath; };
 armTrustedFirmwareMT8183 = prev.callPackage ./pkgs/arm-trusted-firmware-cros.nix {
 platform = "mt8183";
 };
@@ -65,6 +66,9 @@
 qemu
 zon2nix
 ];
+ shellHook = ''
+ unset ZIG_GLOBAL_CACHE_DIR
+ '';
 env.TINYBOOT_KERNEL = ''${pkgs."tinyboot-qemu-${pkgs.stdenv.hostPlatform.qemuArch}".linux}/kernel'';
 };
 }) inputs.self.legacyPackages;
diff --git a/module.nix b/module.nix
index 9bedb83..6519599 100644
--- a/module.nix
+++ b/module.nix
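Review bot: The new `shellHook` in the second flake.nix hunk unsets `ZIG_GLOBAL_CACHE_DIR` without saying why. The only hint is the `export ZIG_GLOBAL_CACHE_DIR=$(mktemp -d)` line that this commit removes from pkgs/tinyboot.nix. A one-line comment above the hook would keep it from being deleted later as dead code, for example `# ZIG_GLOBAL_CACHE_DIR is exported into the dev shell (presumably by the zig setup hook); unset it so zig uses its default cache`, once the actual source of the variable is confirmed.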
@@ -69,11 +69,11 @@ in
 boot.loader.external.enable = true;
 boot.loader.external.installHook = toString [
 (lib.getExe' pkgs.tinyboot "tboot-nixos-install")
- "efi-sys-mount-point=${config.boot.loader.efi.efiSysMountPoint}"
- "private-key=${cfg.verifiedBoot.tbootPrivateKey}"
- "public-key=${cfg.verifiedBoot.tbootPublicCertificate}"
- "timeout=${toString config.boot.loader.timeout}"
- "max-tries=${toString cfg.maxFailedBootAttempts}"
+ "--esp-mnt=${config.boot.loader.efi.efiSysMountPoint}"
+ "--private-key=${cfg.verifiedBoot.tbootPrivateKey}"
+ "--public-key=${cfg.verifiedBoot.tbootPublicCertificate}"
+ "--timeout=${toString config.boot.loader.timeout}"
+ "--max-tries=${toString cfg.maxFailedBootAttempts}"
 ];
 systemd.additionalUpstreamSystemUnits = [ "boot-complete.target" ];
 systemd.generators.tboot-bless-boot-generator = lib.getExe' pkgs.tinyboot "tboot-bless-boot-generator";
diff --git a/pkgs/tinyboot.nix b/pkgs/tinyboot.nix
index d673967..e9547cc 100644
--- a/pkgs/tinyboot.nix
+++ b/pkgs/tinyboot.nix
@@ -35,8 +35,9 @@ stdenv.mkDerivation (
 strictDeps = true;
 nativeBuildInputs = [
- (pkgsBuildBuild.zig_0_12.overrideAttrs (_: {
+ (pkgsBuildBuild.zig_0_12.overrideAttrs (old: {
 src = zigSrc;
+ patches = (old.patches or [ ]) ++ [ ./zig-pkg-config-cross.patch ];
 })).hook
 xz
 pkg-config
@@ -56,13 +57,13 @@ stdenv.mkDerivation (
 "${finalAttrs.deps}"
 ];
- # TODO(jared): this is a bug in nixpkgs in the zig hook
+ # TODO(jared): The checkPhase should already include the zigBuildFlags,
+ # probably a nixpkgs bug.
 zigCheckFlags = finalAttrs.zigBuildFlags;
 # TODO(jared): make embedFile work better with the test key
 preConfigure = ''
 ln -sf ${../test/keys/tboot/key.der} src/test_key
- export ZIG_GLOBAL_CACHE_DIR=$(mktemp -d)
 '';
 postInstall = ''
diff --git a/pkgs/zig-pkg-config-cross.patch b/pkgs/zig-pkg-config-cross.patch
new file mode 100644
index 0000000..9c06690
--- /dev/null
+++ b/pkgs/zig-pkg-config-cross.patch
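Review bot: In the module.nix hunk the values interpolated into the new `--esp-mnt=`, `--private-key=` and `--public-key=` arguments are joined by `toString` with single spaces and no escaping. A mount point or key path containing whitespace or shell metacharacters would be split or reinterpreted if the hook string is later run through a shell; the consumer of `installHook` is outside this diff. Escaping each element, or asserting in the module that these options contain no whitespace, would close that off. Separately, if `cfg.verifiedBoot.tbootPrivateKey` is typed as a Nix path and set from a path literal, `"--private-key=${...}"` would copy the signing key into the world-readable store. The option declaration is not visible here, so confirm it is a string naming a runtime location and say so in its description.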
@@ -0,0 +1,25 @@
+diff --git a/lib/std/Build/Step/Compile.zig b/lib/std/Build/Step/Compile.zig
+index 314db765cb..c4b4dbacc4 100644
+--- a/lib/std/Build/Step/Compile.zig
++++ b/lib/std/Build/Step/Compile.zig
+@@ -703,8 +703,9 @@ fn runPkgConfig(self: *Compile, lib_name: []const u8) !PkgConfigResult {
+ };
+
+ var code: u8 = undefined;
++ const pkg_config_exe = b.graph.env_map.get("PKG_CONFIG") orelse "pkg-config";
+ const stdout = if (b.runAllowFail(&[_][]const u8{
+- "pkg-config",
++ pkg_config_exe,
+ pkg_name,
+ "--cflags",
+ "--libs",
+@@ -1824,7 +1825,8 @@ pub fn doAtomicSymLinks(
+ }
+
+ fn execPkgConfigList(self: *std.Build, out_code: *u8) (PkgConfigError || RunError)![]const PkgConfigPkg {
+- const stdout = try self.runAllowFail(&[_][]const u8{ "pkg-config", "--list-all" }, out_code, .Ignore);
++ const pkg_config_exe = self.graph.env_map.get("PKG_CONFIG") orelse "pkg-config";
++ const stdout = try self.runAllowFail(&[_][]const u8{ pkg_config_exe, "--list-all" }, out_code, .Ignore);
+ var list = ArrayList(PkgConfigPkg).init(self.allocator);
+ errdefer list.deinit();
+ var line_it = mem.tokenizeAny(u8, stdout, "\r\n");
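Review bot: In pkgs/zig-pkg-config-cross.patch both added lookups take `PKG_CONFIG` verbatim, so an exported-but-empty variable yields an empty program name instead of falling back to `pkg-config`, and a value that carries arguments would be passed as a single argv element. Treating an empty value as unset would be safer, e.g. `const pkg_config_exe = if (b.graph.env_map.get("PKG_CONFIG")) |v| (if (v.len == 0) "pkg-config" else v) else "pkg-config";`. The same expression is written twice, in runPkgConfig and execPkgConfigList, so a small shared helper would keep the two from drifting. Because the build now executes whatever that variable names, a short header in the patch file stating its upstream status and that the variable is expected to come from the trusted build environment would help the next maintainer. Both functions continue outside the hunks.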