Phase1 orin agx fde #1739

Status: Closed
vadika wants to merge 2 commits into tiiuae:main from vadika:phase1-orin-agx-fde
vadika (Contributor) commented Feb 10, 2026

Description of Changes

  • Add phase-1 AGX deferred FDE targets for Orin with additive -fde-phase1 variants (including -from-x86_64) while leaving existing targets unchanged.
  • Refactor Orin flash image handling to support both legacy sdImage artifacts and disko disk1.raw artifacts, enabling phase-1 flash workflows.
  • Make deferred encryption first-boot logic configurable for non-installer flows by introducing device-path override and optional installer-marker requirement.

What Changed

  • targets/nvidia-jetson-orin/flake-module.nix
    • Added generate-fde-phase1 and generate-fde-phase1-cross-from-x86_64.
    • Added phase-1 targets for:
      • nvidia-jetson-orin-agx-debug-fde-phase1
      • nvidia-jetson-orin-agx-debug-nodemoapps-fde-phase1
      • and their -from-x86_64 variants.
    • Switched phase-1 package output to system.build.ghafImage.
    • Enabled disko/deferred encryption for phase-1 only.
    • Added phase-1 flash package generation by extending flashable cross targets.
    • Applied image-builder and sizing overrides required for stable cross-built phase-1 images.
  • modules/reference/hardware/jetpack/nvidia-jetson-orin/partition-template.nix
    • Added dual extraction flow:
      • sdImage path (existing behavior)
      • disk1.raw path (phase-1 disko images)
    • Added sparse root extraction to reduce temporary disk pressure.
    • Added APP size clamp for Jetson AGX flash XML compatibility to prevent GPT generation failures.
  • modules/partitioning/deferred-disk-encryption.nix
    • Added new options:
      • ghaf.storage.encryption.lvmPartitionDevice
      • ghaf.storage.encryption.requireInstallerMarker (default true)
    • Updated deferred encryption script to:
      • use explicit partition override when set
      • conditionally enforce/remove installer marker based on config

Behavior / Compatibility

  • Existing Orin targets and default installer-based deferred encryption behavior remain unchanged.
  • Phase-1 targets are additive and explicitly scoped to AGX debug (+ nodemoapps).
  • For phase-1, marker requirement is disabled and encrypted device is set to /dev/disk/by-partlabel/APP.

Validation

  • Evaluated phase-1 configs:
    • deferred encryption enabled
    • marker bypass set to false requirement
    • first-boot-encrypt initrd unit enabled
    • encrypted device resolves to /dev/disk/by-partlabel/APP
  • Built successfully:
    • nvidia-jetson-orin-agx-debug-fde-phase1-from-x86_64
    • nvidia-jetson-orin-agx-debug-nodemoapps-fde-phase1-from-x86_64
    • corresponding -flash-script outputs
    • -flash-qspi package derivation

Type of Change

  • New Feature
  • Bug Fix
  • Improvement / Refactor

Related Issues / Tickets

Checklist

  • Clear summary in PR description
  • Detailed and meaningful commit message(s)
  • Commits are logically organized and squashed if appropriate
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • Author has run make-checks and it passes
  • All automatic GitHub Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

  • Orin AGX aarch64
  • Orin NX aarch64
  • Lenovo X1 x86_64
  • Dell Latitude x86_64
  • System 76 x86_64

Installation Method

  • Requires full re-installation
  • Can be updated with nixos-rebuild ... switch
  • Other:

Test Steps To Verify:

  1. ...

Signed-off-by: vadik likholetov <vadikas@gmail.com>

- Modified files:
  - targets/nvidia-jetson-orin/flake-module.nix
  - modules/reference/hardware/jetpack/nvidia-jetson-orin/partition-template.nix
  - modules/partitioning/deferred-disk-encryption.nix

What This Change Set Achieves
- Adds phase-1 full disk encryption (FDE) support for Orin AGX debug targets using deferred first-boot encryption.
- Keeps existing Orin targets intact; introduces additive -fde-phase1 target variants.
- Refactors flash flow so phase1 targets can produce working -flash-script / -flash-qspi artifacts.
- Preserves default installer-marker behavior globally, while bypassing marker only for phase1 targets.

Previously Added (same target file, same branch context)
- Logging enabled for all Orin targets (copied from x86 template style) in targets/nvidia-jetson-orin/flake-module.nix.
- GIVC enabled for AGX debug cross targets (agx-debug and agx-debug-nodemoapps) in targets/nvidia-jetson-orin/flake-module.nix.

Detailed Changes
- targets/nvidia-jetson-orin/flake-module.nix
  - Added phase1 generator functions:
    - generate-fde-phase1
    - generate-fde-phase1-cross-from-x86_64
  - New additive target variants for:
    - nvidia-jetson-orin-agx-debug-fde-phase1
    - nvidia-jetson-orin-agx-debug-nodemoapps-fde-phase1
    - plus their -from-x86_64 variants.
  - Phase1 target behavior:
    - Disables sd-image format modules.
    - Switches package output to system.build.ghafImage.
    - Imports disko+verity partition modules.
    - Enables deferred encryption.
    - Overrides encrypted device path to "/dev/disk/by-partlabel/APP".
    - Disables installer marker requirement for phase1 only.
  - Cross image-builder compatibility tuning:
    - Uses pkgs.buildPackages, enables binfmt, pins image-builder kernel packages to build-side kernel packages.
    - Adds host/build platform overrides for disko builder config.
  - Disk layout tuning for flash constraints:
    - Forces disk image size/LV sizing (58G image, 44G root, 8G swap, 2G persist).
  - Refactors flash package generation:
    - Introduces flashableCrossTargets = crossTargets ++ fdePhase1CrossTargets.
    - Flash artifacts are now emitted for both existing and phase1 cross targets.
- modules/partitioning/deferred-disk-encryption.nix
  - Added new options:
    - ghaf.storage.encryption.lvmPartitionDevice (nullable string override)
    - ghaf.storage.encryption.requireInstallerMarker (bool, default true)
  - Updated device selection logic:
    - Uses override if provided, then verity path, then disko default.
  - Marker handling is now conditional:
    - Marker-check + marker-removal are wrapped under requireInstallerMarker.
  - Result:
    - Existing behavior unchanged by default.
    - Phase1 can bypass installer marker safely and target APP.
- modules/reference/hardware/jetpack/nvidia-jetson-orin/partition-template.nix
  - Refactored image handling to support two source layouts:
    - Traditional sd-image (esp.offset/root.offset)
    - Disko raw image (disk1.raw)
  - For raw-image path:
    - Detects ESP/APP partitions via fdisk.
    - Extracts ESP and APP with dd.
  - Added conv=sparse for root extraction to avoid temporary-space exhaustion.
  - Added APP-size clamp to align with Jetson flash XML fixed upper bound:
    - Prevents GPT generation failure (End sector for APP ... expected ... actual: 0).

Target/Artifact Matrix After Change
- Existing targets remain unchanged.
- New phase1 outputs include:
  - ...-fde-phase1
  - ...-fde-phase1-from-x86_64
  - ...-fde-phase1-from-x86_64-flash-script
  - ...-fde-phase1-from-x86_64-flash-qspi
  - same for ...-agx-debug-nodemoapps...

Validation Performed
- Evaluated phase1 config options successfully:
  - encryption enabled/deferred
  - lvmPartitionDevice resolves to /dev/disk/by-partlabel/APP
  - installer marker requirement false for phase1
  - first-boot-encrypt initrd service enabled and wired
- Built successfully in Docker Compose:
  - nvidia-jetson-orin-agx-debug-fde-phase1-from-x86_64
  - nvidia-jetson-orin-agx-debug-nodemoapps-fde-phase1-from-x86_64
  - ...-flash-script for both
  - ...-flash-qspi evaluates and builds to initrd-flash output
- Fixed several intermediate blockers during validation:
  - exec-format issues in image builder
  - missing kernel module expectations in initrd
  - flash temp-space issues
  - APP GPT boundary mismatch

Runtime/Operational Guidance
- Recommended deployment flow for phase1:
  - dd phase1 disk1.raw to USB.
  - Flash only QSPI with ...-flash-qspi.
  - Boot with USB attached.
- Why QSPI-only:
  - Avoids potential APP label ambiguity between internal and external media during deferred encryption.

What Is Not Changed
- Non-phase1 targets do not inherit deferred-encryption behavior.
- Global default marker requirement remains enabled (true), preserving existing installer-based expectations outside phase1.

Signed-off-by: vadik likholetov <vadikas@gmail.com>
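The two mechanisms the commit message describes, the encrypted-device selection order with the installer-marker gate in the deferred first-boot encryption script, and the ESP/APP extraction plan for a disko disk1.raw image with the APP size clamp, as an added shell example. This is not Ghaf project code: the function names, the constructed `fdisk -l` listing, the clamp value standing in for the flash XML upper bound, and the output file names are all assumptions. The marker gate is the interesting part from a safety standpoint: with requireInstallerMarker disabled and the device pinned to the APP label, the script will encrypt whatever currently carries that label, which is why the QSPI-only deployment flow above is recommended.

```shell
#!/bin/sh
# Added example (not Ghaf code). Models (1) device selection + marker gate of
# the deferred encryption step and (2) extraction planning from a disko raw
# image. Names, sample listing and clamp value are assumptions.

# (1) Precedence stated in the commit message: explicit override, then the
# verity-derived path, then the disko default. All paths are caller-supplied.
select_encrypt_device() {
  override=$1; verity_dev=$2; disko_default=$3
  if [ -n "$override" ]; then
    echo "$override"
  elif [ -n "$verity_dev" ]; then
    echo "$verity_dev"
  else
    echo "$disko_default"
  fi
}

# Installer-marker gate. When the marker is required, encryption only proceeds
# if the marker file exists, and the marker is consumed so the step is one-shot.
# When not required (phase1), the gate always opens. Returns 0 = proceed.
marker_gate() {
  require=$1; marker=$2
  if [ "$require" = "true" ]; then
    [ -f "$marker" ] || return 1
    rm -f "$marker"
  fi
  return 0
}

# (2) Constructed fdisk -l style listing for a 58G disko image, 512-byte
# sectors; columns are Device Start End Sectors Size Type.
SAMPLE_FDISK='Disk disk1.raw: 58 GiB, 62277025792 bytes, 121634816 sectors
Units: sectors of 1 * 512 = 512 bytes
Disklabel type: gpt

Device           Start       End   Sectors  Size Type
disk1.raw1        2048   1050623   1048576  512M EFI System
disk1.raw2     1050624 121634782 120584159 57.5G Linux filesystem'

# Assumed stand-in for the fixed upper bound in the Jetson flash XML (56 GiB).
APP_MAX_SECTORS=117440512

# Print "start sectors" of the first partition whose type word matches $2
# ("EFI" for the ESP, "Linux" for the root/APP partition) in listing $1.
find_partition() {
  printf '%s\n' "$1" | awk -v want="$2" '
    $1 ~ /^disk1\.raw[0-9]+$/ && $6 == want { print $2, $4; exit }'
}

# Clamp the APP sector count so the generated GPT never exceeds the flash
# XML bound; the text attributes the "End sector for APP" failure to this.
clamp_app_sectors() {
  n=$1
  if [ "$n" -gt "$APP_MAX_SECTORS" ]; then
    echo "$APP_MAX_SECTORS"
  else
    echo "$n"
  fi
}

# Emit (do not run) the dd command for one partition: skip/count in sectors,
# conv=sparse so zero-filled regions do not consume temporary disk space.
plan_dd() {
  image=$1; out=$2; start=$3; count=$4
  echo "dd if=$image of=$out bs=512 skip=$start count=$count conv=sparse status=none"
}

# Full plan for a disk1.raw: ESP as found, APP with the clamp applied.
plan_extract() {
  listing=$1
  set -- $(find_partition "$listing" EFI)
  esp_start=$1; esp_count=$2
  set -- $(find_partition "$listing" Linux)
  app_start=$1; app_count=$(clamp_app_sectors "$2")
  plan_dd disk1.raw esp.img "$esp_start" "$esp_count"
  plan_dd disk1.raw root.img "$app_start" "$app_count"
}
```

Running `plan_extract "$SAMPLE_FDISK"` prints two dd lines; the APP line carries `count=117440512` rather than the partition's real 120584159 sectors, which is the clamp doing its job. To plan against a real image, feed it the output of `fdisk -l disk1.raw` in place of the constructed listing.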
vadika marked this pull request as draft on February 10, 2026 10:50
vadika closed this on Feb 10, 2026