Create a new target lenovo-x1-carbon-gen11-uki

[alextserepov]

Description of Changes

Create a new target lenovo-x1-carbon-gen11-uki with a UKI-enabled EFI partition.

At the moment, we generate the UKI in CI, which technically violates SLSA principles because it modifies the image after the build step. Although UEFI signing is also a form of post-build modification, introducing this new target ensures that signing becomes the only such change, thereby minimizing CI-side modifications and improving alignment with SLSA requirements.

We are introducing this as a separate target for testing purposes. If this approach proves successful, we may later update the existing x86_64 targets to produce UKI images directly.

Type of Change

• [ X] New Feature
• Bug Fix
• Improvement / Refactor

Related Issues / Tickets

https://jira.tii.ae/browse/SSRCSP-7187

Checklist

• [ X] Clear summary in PR description
• [ X] Detailed and meaningful commit message(s)
• Commits are logically organized and squashed if appropriate
• Contribution guidelines followed
• Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
• Author has run make-checks and it passes
• All automatic GitHub Action checks pass - see actions
• Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

• Orin AGX aarch64
• Orin NX aarch64
• [ X] Lenovo X1 x86_64
• Dell Latitude x86_64
• System 76 x86_64

Installation Method

• [ X] Requires full re-installation
• Can be updated with nixos-rebuild ... switch
• Other:

Test Steps To Verify:

This PR introduces a new target that makes significant changes to the EFI partition and may therefore impact the boot process. After a successful boot, the system is expected to behave identically to the existing lenovo-x1-carbon-gen11-debug target. For this reason, testing should focus primarily on validating the boot flow and early startup behaviour.

To build the new target, run:

nix build .#lenovo-x1-carbon-gen11-uki-debug

Test procedure

• Deploy the resulting image to the Lenovo X1 SSD.
• Boot the system and closely observe the boot process.
• The system should behave the same as lenovo-x1-carbon-gen11-debug after startup, although boot management details may differ due to EFI changes.

Alternative testing

Basic boot validation tests may be performed instead of manual testing.

[alextserepov]

Couple of comments, please also squash commits

git reset --soft HEAD~5; gc -s

On a separate note, if this is to be tested by QA, please also provide more thorough testing instructions in the description or to QA directly.

Absolutely. I will happily squash it as soon as I get it through pre-checks. :D

[alextserepov]

Couple of comments, please also squash commits

git reset --soft HEAD~5; gc -s

On a separate note, if this is to be tested by QA, please also provide more thorough testing instructions in the description or to QA directly.

QA will test it as part of secure boot testing, not this one specifically.

[milva-unikie]

Please update the testing instructions @alextserepov

[alextserepov]

Please update the testing instructions @alextserepov

Sure. Done.

[leivos-unikie]

Tested
nix build .#lenovo-x1-carbon-gen11-uki-debug --> boot from USB SSD
and
nix build .#lenovo-x1-carbon-gen11-uki-debug-installer --> install ghaf to the internal SSD --> boot from internal SSD

In both cases ghaf booted to emergency mode.