FDE port from x86 to nvidia

- Modified files:
  - targets/nvidia-jetson-orin/flake-module.nix
  - modules/reference/hardware/jetpack/nvidia-jetson-orin/partition-template.nix
  - modules/partitioning/deferred-disk-encryption.nix
What This Change Set Achieves
- Adds phase-1 full disk encryption (FDE) support for Orin AGX debug targets using deferred first-boot encryption.
- Keeps existing Orin targets intact; introduces additive -fde-phase1 target variants.
- Refactors flash flow so phase1 targets can produce working -flash-script / -flash-qspi artifacts.
- Preserves default installer-marker behavior globally, while bypassing marker only for phase1 targets.
Previously Added (same target file, same branch context)
- Logging enabled for all Orin targets (copied from x86 template style) in targets/nvidia-jetson-orin/flake-module.nix.
- GIVC enabled for AGX debug cross targets (agx-debug and agx-debug-nodemoapps) in targets/nvidia-jetson-orin/flake-module.nix.
Detailed Changes
- targets/nvidia-jetson-orin/flake-module.nix
  - Added phase1 generator functions:
    - generate-fde-phase1
    - generate-fde-phase1-cross-from-x86_64
  - New additive target variants for:
    - nvidia-jetson-orin-agx-debug-fde-phase1
    - nvidia-jetson-orin-agx-debug-nodemoapps-fde-phase1
    - plus their -from-x86_64 variants.
  - Phase1 target behavior:
    - Disables sd-image format modules.
    - Switches package output to system.build.ghafImage.
    - Imports disko+verity partition modules.
    - Enables deferred encryption.
    - Overrides encrypted device path to "/dev/disk/by-partlabel/APP".
    - Disables installer marker requirement for phase1 only.
  - Cross image-builder compatibility tuning:
    - Uses pkgs.buildPackages, enables binfmt, pins image-builder kernel packages to build-side kernel packages.
    - Adds host/build platform overrides for disko builder config.
  - Disk layout tuning for flash constraints:
    - Forces disk image size/LV sizing (58G image, 44G root, 8G swap, 2G persist).
  - Refactors flash package generation:
    - Introduces flashableCrossTargets = crossTargets ++ fdePhase1CrossTargets.
    - Flash artifacts are now emitted for both existing and phase1 cross targets.
- modules/partitioning/deferred-disk-encryption.nix
  - Added new options:
    - ghaf.storage.encryption.lvmPartitionDevice (nullable string override)
    - ghaf.storage.encryption.requireInstallerMarker (bool, default true)
  - Updated device selection logic:
    - Uses override if provided, then verity path, then disko default.
  - Marker handling is now conditional:
    - Marker-check + marker-removal are wrapped under requireInstallerMarker.
  - Result:
    - Existing behavior unchanged by default.
    - Phase1 can bypass installer marker safely and target APP.
- modules/reference/hardware/jetpack/nvidia-jetson-orin/partition-template.nix
  - Refactored image handling to support two source layouts:
    - Traditional sd-image (esp.offset/root.offset)
    - Disko raw image (disk1.raw)
  - For raw-image path:
    - Detects ESP/APP partitions via fdisk.
    - Extracts ESP and APP with dd.
  - Added conv=sparse for root extraction to avoid temporary-space exhaustion.
  - Added APP-size clamp to align with Jetson flash XML fixed upper bound:
    - Prevents GPT generation failure (End sector for APP ... expected ... actual: 0).
Target/Artifact Matrix After Change
- Existing targets remain unchanged.
- New phase1 outputs include:
  - ...-fde-phase1
  - ...-fde-phase1-from-x86_64
  - ...-fde-phase1-from-x86_64-flash-script
  - ...-fde-phase1-from-x86_64-flash-qspi
  - same for ...-agx-debug-nodemoapps...
Validation Performed
- Evaluated phase1 config options successfully:
  - encryption enabled/deferred
  - lvmPartitionDevice resolves to /dev/disk/by-partlabel/APP
  - installer marker requirement false for phase1
  - first-boot-encrypt initrd service enabled and wired
- Built successfully in Docker Compose:
  - nvidia-jetson-orin-agx-debug-fde-phase1-from-x86_64
  - nvidia-jetson-orin-agx-debug-nodemoapps-fde-phase1-from-x86_64
  - ...-flash-script for both
  - ...-flash-qspi evaluates and builds to initrd-flash output
- Fixed several intermediate blockers during validation:
  - exec-format issues in image builder
  - missing kernel module expectations in initrd
  - flash temp-space issues
  - APP GPT boundary mismatch
Runtime/Operational Guidance
- Recommended deployment flow for phase1:
  - dd phase1 disk1.raw to USB.
  - Flash only QSPI with ...-flash-qspi.
  - Boot with USB attached.
- Why QSPI-only:
  - Avoids potential APP label ambiguity between internal and external media during deferred encryption.
What Is Not Changed
- Non-phase1 targets do not inherit deferred-encryption behavior.
- Global default marker requirement remains enabled (true), preserving existing installer-based expectations outside phase1.

Signed-off-by: vadik likholetov <vadikas@gmail.com>

Author: vadika

modules/partitioning/deferred-disk-encryption.nix

@@ -32,7 +32,9 @@ let
   # Determine the LVM partition device
   # This is the partition that will be encrypted
   lvmPartition =
-    if config.ghaf.partitioning.verity.enable then
+    if cfg.lvmPartitionDevice != null then
+      cfg.lvmPartitionDevice
+    else if config.ghaf.partitioning.verity.enable then
       # For verity setups, use persist partition
       "/dev/disk/by-partuuid/${config.image.repart.partitions."50-persist".repartConfig.UUID}"
     else
@@ -158,6 +160,7 @@ let
       fi
 
       # Check for installer/completion markers on the ESP partition.
+      ${lib.optionalString cfg.requireInstallerMarker ''
         ESP_DEVICE=""
         for i in {1..10}; do
             ESP_DEVICE="$(lsblk -pn -o PATH,PARTLABEL | awk 'tolower($2) ~ /esp/ { print $1; exit }')"
@@ -182,6 +185,7 @@ let
           umount /mnt/esp
           exit 0
         fi
+      ''}
 
       # Stop Plymouth to show encryption progress
       if command -v plymouth >/dev/null 2>&1; then
@@ -585,9 +589,11 @@ let
       echo ""
 
       # Remove the installer marker so we don't run again if this fails.
-      rm -f /mnt/esp/.ghaf-installer-encrypt
-      umount /mnt/esp
-      rmdir /mnt/esp
+      ${lib.optionalString cfg.requireInstallerMarker ''
+        rm -f /mnt/esp/.ghaf-installer-encrypt
+        umount /mnt/esp
+        rmdir /mnt/esp
+      ''}
 
       ${
         if config.ghaf.profiles.debug.enable then
@@ -619,6 +625,18 @@ in
 {
   options.ghaf.storage.encryption = {
     deferred = mkEnableOption "Apply disk encryption on first boot instead of at image creation";
+
+    lvmPartitionDevice = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      description = "Override block device path to encrypt during deferred first-boot encryption.";
+    };
+
+    requireInstallerMarker = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Require /.ghaf-installer-encrypt marker on ESP before running deferred first-boot encryption.";
+    };
   };
 
   config = mkIf (cfg.enable && cfg.deferred) {

modules/reference/hardware/jetpack/nvidia-jetson-orin/partition-template.nix

@@ -13,8 +13,8 @@ let
   # Using the same config for all orin boards (for now)
   # TODO should this be changed when NX added
   cfg = config.ghaf.hardware.nvidia.orin;
-
-  images = config.system.build.${config.formatAttr};
+  sdImages = config.system.build.sdImage or null;
+  ghafImages = config.system.build.ghafImage or null;
   partitionsEmmc = pkgs.writeText "sdmmc.xml" ''
     <partition name="master_boot_record" type="protective_master_boot_record">
       <allocation_policy> sequential </allocation_policy>
@@ -155,16 +155,55 @@ in
       #"${pkgs.pkgsBuildBuild.patch}/bin/patch" -p0 < ${./tegra2-mb2-bct-scr.patch}
     ''
     + lib.optionalString (!cfg.flashScriptOverrides.onlyQSPI) ''
-      ESP_OFFSET=$(cat "${images}/esp.offset")
-      ESP_SIZE=$(cat "${images}/esp.size")
-      ROOT_OFFSET=$(cat "${images}/root.offset")
-      ROOT_SIZE=$(cat "${images}/root.size")
-
-      img="${images}/sd-image/${config.image.fileName}"
-      echo "Extracting ESP partition to $WORKDIR/bootloader/esp.img ..."
-      dd if=<("${pkgs.pkgsBuildBuild.zstd}/bin/pzstd" -d "$img" -c) of="$WORKDIR/bootloader/esp.img" bs=512 iseek="$ESP_OFFSET" count="$ESP_SIZE"
-      echo "Extracting root partition to $WORKDIR/root.img ..."
-      dd if=<("${pkgs.pkgsBuildBuild.zstd}/bin/pzstd" -d "$img" -c) of="$WORKDIR/bootloader/root.img" bs=512 iseek="$ROOT_OFFSET" count="$ROOT_SIZE"
+      SD_IMAGES_DIR="${if sdImages != null then sdImages else ""}"
+      GHAF_IMAGES_DIR="${if ghafImages != null then ghafImages else ""}"
+
+      if [ -n "$SD_IMAGES_DIR" ] && [ -e "$SD_IMAGES_DIR/esp.offset" ] && [ -e "$SD_IMAGES_DIR/root.offset" ]; then
+        ESP_OFFSET=$(cat "$SD_IMAGES_DIR/esp.offset")
+        ESP_SIZE=$(cat "$SD_IMAGES_DIR/esp.size")
+        ROOT_OFFSET=$(cat "$SD_IMAGES_DIR/root.offset")
+        ROOT_SIZE=$(cat "$SD_IMAGES_DIR/root.size")
+
+        img=$(ls "$SD_IMAGES_DIR"/sd-image/*.img.zst | head -n 1)
+        echo "Extracting ESP partition from sd-image to $WORKDIR/bootloader/esp.img ..."
+        dd if=<("${pkgs.pkgsBuildBuild.zstd}/bin/pzstd" -d "$img" -c) of="$WORKDIR/bootloader/esp.img" bs=512 iseek="$ESP_OFFSET" count="$ESP_SIZE"
+        echo "Extracting root partition from sd-image to $WORKDIR/root.img ..."
+        dd if=<("${pkgs.pkgsBuildBuild.zstd}/bin/pzstd" -d "$img" -c) of="$WORKDIR/bootloader/root.img" bs=512 iseek="$ROOT_OFFSET" count="$ROOT_SIZE" conv=sparse
+      elif [ -n "$GHAF_IMAGES_DIR" ] && [ -e "$GHAF_IMAGES_DIR/disk1.raw" ]; then
+        img="$GHAF_IMAGES_DIR/disk1.raw"
+        echo "Extracting ESP and APP partitions from disko raw image ..."
+
+        fdisk_output=$(${pkgs.pkgsBuildBuild.util-linux}/bin/fdisk -l "$img")
+
+        part_esp=$(${pkgs.pkgsBuildBuild.gawk}/bin/awk -v img="$img" '$1 == img "2" { print $2 " " $4; exit }' <<< "$fdisk_output")
+        part_app=$(${pkgs.pkgsBuildBuild.gawk}/bin/awk -v img="$img" '$1 == img "3" { print $2 " " $4; exit }' <<< "$fdisk_output")
+
+        if [ -z "$part_esp" ] || [ -z "$part_app" ]; then
+          echo "Failed to locate ESP/APP partitions in raw image"
+          exit 1
+        fi
+
+        ESP_OFFSET=$(echo "$part_esp" | ${pkgs.pkgsBuildBuild.gawk}/bin/awk '{print $1}')
+        ESP_SIZE=$(echo "$part_esp" | ${pkgs.pkgsBuildBuild.gawk}/bin/awk '{print $2}')
+        ROOT_OFFSET=$(echo "$part_app" | ${pkgs.pkgsBuildBuild.gawk}/bin/awk '{print $1}')
+        ROOT_SIZE=$(echo "$part_app" | ${pkgs.pkgsBuildBuild.gawk}/bin/awk '{print $2}')
+
+        # Jetson AGX eMMC APP partition has a fixed upper bound in flash.xml.
+        # Clamp extracted APP size to avoid invalid GPT generation.
+        MAX_APP_END=119537630
+        MAX_ROOT_SIZE=$((MAX_APP_END - ROOT_OFFSET + 1))
+        if [ "$ROOT_SIZE" -gt "$MAX_ROOT_SIZE" ]; then
+          ROOT_SIZE="$MAX_ROOT_SIZE"
+        fi
+
+        echo "Extracting ESP partition from raw image to $WORKDIR/bootloader/esp.img ..."
+        dd if="$img" of="$WORKDIR/bootloader/esp.img" bs=512 iseek="$ESP_OFFSET" count="$ESP_SIZE"
+        echo "Extracting APP partition from raw image to $WORKDIR/root.img ..."
+        dd if="$img" of="$WORKDIR/bootloader/root.img" bs=512 iseek="$ROOT_OFFSET" count="$ROOT_SIZE" conv=sparse
+      else
+        echo "Unsupported image layout: expected sd-image offsets or disk1.raw"
+        exit 1
+      fi
 
       echo "Patching flash.xml with absolute paths to esp.img and root.img ..."
       "${pkgs.pkgsBuildBuild.gnused}/bin/sed" -i \

targets/nvidia-jetson-orin/flake-module.nix

@@ -139,7 +139,10 @@ let
     // rec {
       name = tgt.name + "-from-x86_64";
       hostConfiguration = tgt.hostConfiguration.extendModules {
-        modules = [ self.nixosModules.cross-compilation-from-x86_64 ] ++ lib.optionals enableGivcForAgxDebug [
+        modules = [
+          self.nixosModules.cross-compilation-from-x86_64
+        ]
+        ++ lib.optionals enableGivcForAgxDebug [
           {
             ghaf.givc.enable = lib.mkForce true;
             ghaf.givc.debug = lib.mkForce false;
@@ -149,24 +152,111 @@ let
       package = hostConfiguration.config.system.build.${hostConfiguration.config.formatAttr};
     };
 
+  generate-fde-phase1 =
+    tgt:
+    tgt
+    // rec {
+      name = tgt.name + "-fde-phase1";
+      hostConfiguration = tgt.hostConfiguration.extendModules {
+        modules = [
+          (
+            { pkgs, ... }:
+            {
+              disabledModules = [
+                (nixos-generators + "/format-module.nix")
+                ../../modules/reference/hardware/jetpack/nvidia-jetson-orin/format-module.nix
+              ];
+
+              imports = [
+                self.nixosModules.disko-debug-partition
+                self.nixosModules.verity-release-partition
+              ];
+
+              ghaf = {
+                partitioning.disko.enable = lib.mkForce true;
+                partitioning.disko.imageBuilder.compression = lib.mkForce "none";
+                storage.encryption = {
+                  enable = lib.mkForce true;
+                  deferred = lib.mkForce true;
+                  lvmPartitionDevice = lib.mkForce "/dev/disk/by-partlabel/APP";
+                  requireInstallerMarker = lib.mkForce false;
+                };
+                virtualization.microvm.storeOnDisk = lib.mkForce true;
+              };
+
+              boot.initrd.luks.cryptoModules = lib.mkForce [ ];
+              boot.initrd.availableKernelModules = lib.mkForce [ ];
+              boot.initrd.kernelModules = lib.mkForce [ ];
+
+              disko.imageBuilder = {
+                pkgs = lib.mkForce pkgs.buildPackages;
+                enableBinfmt = lib.mkForce true;
+                kernelPackages = lib.mkForce pkgs.buildPackages.linuxPackages;
+                extraConfig = {
+                  nixpkgs.hostPlatform = lib.mkOverride 0 pkgs.stdenv.hostPlatform;
+                  nixpkgs.buildPlatform = lib.mkOverride 0 pkgs.stdenv.buildPlatform;
+                };
+              };
+
+              disko.devices = {
+                disk.disk1.imageSize = lib.mkForce "58G";
+                lvm_vg.pool.lvs = {
+                  swap.size = lib.mkForce "8G";
+                  root.size = lib.mkForce "44G";
+                  persist.size = lib.mkForce "2G";
+                };
+              };
+            }
+          )
+        ];
+      };
+      package = hostConfiguration.config.system.build.ghafImage;
+    };
+
+  generate-fde-phase1-cross-from-x86_64 =
+    tgt:
+    tgt
+    // rec {
+      name = tgt.name + "-from-x86_64";
+      hostConfiguration = tgt.hostConfiguration.extendModules {
+        modules = [ self.nixosModules.cross-compilation-from-x86_64 ];
+      };
+      package = hostConfiguration.config.system.build.ghafImage;
+    };
+
   # Add nodemoapps targets
   targets = target-configs ++ (map generate-nodemoapps target-configs);
   crossTargets = map generate-cross-from-x86_64 targets;
+  fdePhase1Targets = map generate-fde-phase1 (
+    builtins.filter (
+      t:
+      builtins.elem t.name [
+        "nvidia-jetson-orin-agx-debug"
+        "nvidia-jetson-orin-agx-debug-nodemoapps"
+      ]
+    ) targets
+  );
+  fdePhase1CrossTargets = map generate-fde-phase1-cross-from-x86_64 fdePhase1Targets;
+  flashableCrossTargets = crossTargets ++ fdePhase1CrossTargets;
 in
 {
   flake = {
     nixosConfigurations = builtins.listToAttrs (
-      map (t: lib.nameValuePair t.name t.hostConfiguration) (targets ++ crossTargets)
+      map (t: lib.nameValuePair t.name t.hostConfiguration) (
+        targets ++ crossTargets ++ fdePhase1Targets ++ fdePhase1CrossTargets
+      )
     );
 
     packages = {
-      aarch64-linux = builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) targets);
+      aarch64-linux = builtins.listToAttrs (
+        map (t: lib.nameValuePair t.name t.package) (targets ++ fdePhase1Targets)
+      );
       x86_64-linux =
-        builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) crossTargets)
+        builtins.listToAttrs (map (t: lib.nameValuePair t.name t.package) flashableCrossTargets)
         // builtins.listToAttrs (
           map (
             t: lib.nameValuePair "${t.name}-flash-script" t.hostConfiguration.pkgs.nvidia-jetpack.flashScript
-          ) crossTargets
+          ) flashableCrossTargets
         )
         // builtins.listToAttrs (
           map (
@@ -175,7 +265,7 @@ in
               (t.hostConfiguration.extendModules {
                 modules = [ { ghaf.hardware.nvidia.orin.flashScriptOverrides.onlyQSPI = true; } ];
               }).pkgs.nvidia-jetpack.flashScript
-          ) crossTargets
+          ) flashableCrossTargets
         );
     };
   };