lenovo-x1-extras: build image with dm-verity

Signed-off-by: Humaid Alqasimi <humaid.alqassimi@tii.ae>

Author: humaidq-tii

modules/common/systemd/base.nix

@@ -59,6 +59,7 @@ let
         inherit (cfg) withUkify;
         withUserDb = cfg.withHomed;
         withUtmp = cfg.withJournal || cfg.withAudit;
+        withSysupdate = true;
       }
       // lib.optionalAttrs (lib.strings.versionAtLeast pkgs.systemdMinimal.version "255.0") {
         withVmspawn = cfg.withMachines;
@@ -230,7 +231,7 @@ in
     withRepart = mkOption {
       description = "Enable systemd repart functionality.";
       type = types.bool;
-      default = false;
+      default = true;
     };
 
     withHomed = mkOption {
@@ -290,13 +291,13 @@ in
     withCryptsetup = mkOption {
       description = "Enable systemd LUKS2 functionality.";
       type = types.bool;
-      default = false;
+      default = true;
     };
 
     withFido2 = mkOption {
       description = "Enable systemd Fido2 token functionality.";
       type = types.bool;
-      default = false;
+      default = true;
     };
 
     withTpm2Tss = mkOption {

modules/hardware/common/input.nix

@@ -26,10 +26,6 @@ let
 in
 {
   config = {
-    # Disk configuration
-    # TODO Remove or move this
-    disko.devices.disk = cfg.disks;
-
     # Host udev rules for input devices
     services.udev.extraRules = ''
       # Keyboard

modules/partitioning/disko-postboot.nix modules/partitioning/btrfs-postboot.nixmodules/partitioning/disko-postboot.nix renamed to modules/partitioning/btrfs-postboot.nix

@@ -1,14 +1,10 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
 {
-  config,
   pkgs,
-  lib,
   ...
 }:
 let
-  cfg = config.ghaf.partitioning.disko;
-
   postBootCmds = pkgs.writeShellApplication {
     name = "postBootScript";
     runtimeInputs = with pkgs; [
@@ -49,7 +45,7 @@ let
   };
 in
 {
-  config = lib.mkIf cfg.enable {
+  config = {
     # To debug postBootCommands, one may run
     # journalctl -u initrd-nixos-activation.service
     # inside the running Ghaf host.

modules/partitioning/disko-debug-partition.nix

@@ -23,8 +23,6 @@ let
 in
 {
   options.ghaf.partitioning.disko = {
-    enable = lib.mkEnableOption "Enable the disko partitioning scheme";
-
     imageBuilder.compression = lib.mkOption {
       type = lib.types.enum [
         "none"
@@ -35,7 +33,8 @@ in
     };
   };
 
-  config = lib.mkIf cfg.enable {
+  config = {
+    system.build.ghafImage = config.system.build.diskoImages;
     disko = {
       imageBuilder = {
         extraPostVM = lib.mkIf (cfg.imageBuilder.compression == "zstd") ''
@@ -44,71 +43,73 @@ in
         '';
       };
       devices = {
-        disk.disk1 = {
-          type = "disk";
-          imageSize = "60G";
-          content = {
-            type = "gpt";
-            partitions = {
-              boot = {
-                name = "boot";
-                size = "1M";
-                type = "EF02";
-                priority = 1; # Needs to be first partition
-              };
-              esp = {
-                name = "ESP";
-                size = "500M";
-                type = "EF00";
-                content = {
-                  type = "filesystem";
-                  format = "vfat";
-                  mountpoint = "/boot";
-                  mountOptions = [
-                    "umask=0077"
-                    "nofail"
-                  ];
+        disk = {
+          disk1 = {
+            type = "disk";
+            imageSize = "60G";
+            content = {
+              type = "gpt";
+              partitions = {
+                boot = {
+                  name = "boot";
+                  size = "1M";
+                  type = "EF02";
+                  priority = 1; # Needs to be first partition
                 };
-                priority = 2;
-              };
-              swap = {
-                size = "12G";
-                type = "8200";
-                content = {
-                  type = "swap";
-                  resumeDevice = true; # resume from hiberation from this device
-                  randomEncryption = true;
+                esp = {
+                  name = "ESP";
+                  size = "500M";
+                  type = "EF00";
+                  content = {
+                    type = "filesystem";
+                    format = "vfat";
+                    mountpoint = "/boot";
+                    mountOptions = [
+                      "umask=0077"
+                      "nofail"
+                    ];
+                  };
+                  priority = 2;
                 };
-                priority = 3;
-              };
-              root = {
-                size = "40G";
-                content = {
-                  type = "filesystem";
-                  format = "ext4";
-                  mountpoint = "/";
-                  mountOptions = [
-                    "noatime"
-                    "nodiratime"
-                  ];
+                swap = {
+                  size = "12G";
+                  type = "8200";
+                  content = {
+                    type = "swap";
+                    resumeDevice = true; # resume from hiberation from this device
+                    randomEncryption = true;
+                  };
+                  priority = 3;
                 };
-                priority = 4;
-              };
-              persist = {
-                size = "100%";
-                content = {
-                  type = "filesystem";
-                  format = "btrfs";
-                  mountpoint = "/persist";
-                  mountOptions = [
-                    "noatime"
-                    "nodiratime"
-                  ];
+                root = {
+                  size = "40G";
+                  content = {
+                    type = "filesystem";
+                    format = "ext4";
+                    mountpoint = "/";
+                    mountOptions = [
+                      "noatime"
+                      "nodiratime"
+                    ];
+                  };
+                  priority = 4;
+                };
+                persist = {
+                  size = "100%";
+                  content = {
+                    type = "filesystem";
+                    format = "btrfs";
+                    mountpoint = "/persist";
+                    mountOptions = [
+                      "noatime"
+                      "nodiratime"
+                    ];
+                  };
                 };
               };
             };
           };
-        };
+        } // (if (builtins.hasAttr "disks" cfg) then cfg.disks else { });
       };
     };
   };

modules/partitioning/flake-module.nix

@@ -6,7 +6,13 @@
     disko-debug-partition.imports = [
       inputs.disko.nixosModules.disko
       ./disko-debug-partition.nix
-      ./disko-postboot.nix
+      ./btrfs-postboot.nix
+    ];
+    verity-release-partition.imports = [
+      ./verity-partition.nix
+      ./verity-repart.nix
+      ./verity-sysupdate.nix
+      ./btrfs-postboot.nix
     ];
   };
 }

modules/partitioning/verity-partition.nix

@@ -0,0 +1,129 @@
+# Copyright 2025 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+let
+  roothashPlaceholder = "61fe0f0c98eff2a595dd2f63a5e481a0a25387261fa9e34c37e3a4910edf32b8";
+  cfg = config.ghaf.partitioning.verity;
+in
+{
+  options.ghaf.partitioning.verity = {
+    split = lib.mkOption {
+      description = "Whether to split the partitions to separate files instead of a single image";
+      type = lib.types.bool;
+      default = false;
+    };
+  };
+
+  config = {
+    imports = [
+      "${modulesPath}/image/repart.nix"
+      "${modulesPath}/system/boot/uki.nix"
+    ];
+
+    system.build.ghafImage = config.system.build.image.overrideAttrs (oldAttrs: {
+      nativeBuildInputs = oldAttrs.nativeBuildInputs ++ [ pkgs.jq ];
+      postInstall = ''
+        # Extract the roothash from the JSON
+        repartRoothash="$(
+          ${lib.getExe pkgs.jq} -r \
+            '[.[] | select(.roothash != null)] | .[0].roothash' \
+            "$out/repart-output.json"
+        )"
+
+        # Replace the placeholder with the real roothash in the target .raw file
+        sed -i \
+          "0,/${roothashPlaceholder}/ s/${roothashPlaceholder}/$repartRoothash/" \
+          "$out/${oldAttrs.pname}_${oldAttrs.version}.raw"
+      '';
+    });
+
+    boot.kernelParams = [
+      "roothash=${roothashPlaceholder}"
+    ];
+
+    # TODO remove these
+    boot.initrd.systemd.initrdBin = [
+      pkgs.less
+      pkgs.util-linux
+    ];
+    ghaf.systemd.withDebug = true;
+    nixpkgs.config.allowUnfree = true;
+    # TODO end
+
+    image.repart.split = cfg.split;
+
+    boot.loader.grub.enable = false;
+    boot.loader.systemd-boot.enable = lib.mkForce false;
+    boot.initrd.systemd = {
+      enable = true;
+      dmVerity.enable = true;
+    };
+
+    boot.initrd.compressor = "zstd";
+    boot.initrd.compressorArgs = [ "-6" ];
+    environment.systemPackages = with pkgs; [
+      cryptsetup
+    ];
+
+    # System is now immutable
+    system.switch.enable = false;
+
+    # For some reason this needs to be true
+    users.mutableUsers = lib.mkForce true;
+
+    services.getty.autologinUser = "root";
+
+    boot.initrd.supportedFilesystems = {
+      btrfs = true;
+      erofs = true;
+    };
+
+    fileSystems =
+      let
+        tmpfsConfig = {
+          neededForBoot = true;
+          fsType = "tmpfs";
+        };
+      in
+      {
+        "/" = {
+          fsType = "erofs";
+          # for systemd-remount-fs
+          options = [ "ro" ];
+          device = "/dev/mapper/root";
+        };
+
+        "/persist" =
+          let
+            partConf = config.image.repart.partitions."50-persist".repartConfig;
+          in
+          {
+            device = "/dev/disk/by-partuuid/${partConf.UUID}";
+            fsType = partConf.Format;
+          };
+      }
+      // builtins.listToAttrs (
+        builtins.map
+          (path: {
+            name = path;
+            value = tmpfsConfig;
+          })
+          [
+            "/bin" # /bin/sh symlink needs to be created
+            "/etc"
+            "/home"
+            "/root"
+            "/tmp"
+            "/usr" # /usr/bin/env symlink needs to be created
+            "/var"
+          ]
+      );
+  };
+}