Decouple encryption from debug profile #1756

Merged
brianmcgillion merged 5 commits into tiiuae:main from brianmcgillion:decouple-encryption-from-debug-profile
Feb 15, 2026

@brianmcgillion
Collaborator

Description of Changes

Type of Change

  • New Feature
  • Bug Fix
  • Improvement / Refactor

Related Issues / Tickets

Checklist

  • Clear summary in PR description
  • Detailed and meaningful commit message(s)
  • Commits are logically organized and squashed if appropriate
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • Author has run make-checks and it passes
  • All automatic GitHub Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

  • Orin AGX aarch64
  • Orin NX aarch64
  • Lenovo X1 x86_64
  • Dell Latitude x86_64
  • System 76 x86_64

Installation Method

  • Requires full re-installation
  • Can be updated with nixos-rebuild ... switch
  • Other:

Test Steps To Verify:

  1. ...

Add interactiveSetup and debugTools options to ghaf.storage.encryption
so partitioning modules no longer cross-reference
config.ghaf.profiles.debug.enable. This eliminates a cross-bundle
coupling that causes undefined option errors when importing the
partitioning bundle without the profiles bundle.

The debug profile sets these options via mkDefault, preserving existing
behavior for all upstream targets while making the partitioning modules
independently importable by downstream consumers.

Signed-off-by: Brian McGillion <bmg.avoin@gmail.com>

In qemu.nix, replace builtins.hasAttr checks on qemuExtraArgs
sub-attributes with Nix `or []` fallback syntax, which is both safer
and more idiomatic.

In host-hardening.nix, remove the hasAttr guards for ghaf.host and
ghaf.host.secureboot. This module is only accessible through the
profiles bundle which always imports common (and thus secureboot.nix),
so these attributes are always defined.

Signed-off-by: Brian McGillion <bmg.avoin@gmail.com>

Move ghaf.storagevm option declarations from
modules/microvm/common/storagevm.nix into a new
modules/common/storage-persistence.nix file that is imported by the
common bundle. This allows modules in common, desktop, and reference
bundles to contribute persistent directories/files without requiring the
microvm bundle to be imported.

Replace all hasAttr "storagevm" guards in 11 consumer files with direct
config.ghaf.storagevm.enable checks, which is both more idiomatic and
avoids the anti-pattern of runtime option existence checks.

Signed-off-by: Brian McGillion <bmg.avoin@gmail.com>

In createFakeBattery.nix (common bundle), replace the hasAttr
"definition" guard with an `or "unknown"` fallback, which avoids
evaluation failure when the hardware bundle is not imported.

In usb-static.nix (hardware bundle), remove the redundant hasAttr guard
since this module is always co-imported with definition.nix within the
hardware bundle.

Signed-off-by: Brian McGillion <bmg.avoin@gmail.com>

Replace optionalAttrs config.ghaf.storagevm.enable with lib.mkIf in all
consumer modules. The optionalAttrs pattern causes infinite recursion
because it eagerly evaluates the condition at the Nix level while
constructing config.ghaf, creating a circular dependency. mkIf defers
condition evaluation through the NixOS module system, avoiding the
cycle.

Signed-off-by: Brian McGillion <bmg.avoin@gmail.com>

brianmcgillion merged commit d719572 into tiiuae:main Feb 15, 2026
31 of 32 checks passed
brianmcgillion deleted the decouple-encryption-from-debug-profile branch February 15, 2026 22:22
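
The optionalAttrs versus mkIf difference described in the last commit message, as an added minimal reproduction that is not code from this PR or the Ghaf repository. The option declarations are simplified stand-ins, the path /var/lib/example is constructed, and `<nixpkgs/lib>` is assumed to be on NIX_PATH.

```nix
# Evaluate with: nix-instantiate --eval --strict example.nix
let
  lib = import <nixpkgs/lib>;

  # Simplified stand-in for the ghaf.storagevm declarations (assumption:
  # the real options carry more fields than these two).
  storageOptions = { lib, ... }: {
    options.ghaf.storagevm = {
      enable = lib.mkEnableOption "persistent storage";
      directories = lib.mkOption {
        type = lib.types.listOf lib.types.str;
        default = [ ];
      };
    };
  };

  # Eager form: optionalAttrs is an ordinary function, so the attribute
  # names of this definition of `ghaf` depend on config.ghaf.storagevm.enable.
  # The module system needs those names to collect the definitions of
  # ghaf.storagevm.enable itself, which closes the cycle.
  consumerEager = { config, lib, ... }: {
    config.ghaf = lib.optionalAttrs config.ghaf.storagevm.enable {
      storagevm.directories = [ "/var/lib/example" ];
    };
  };

  # Deferred form: mkIf only wraps the value. The module system pushes the
  # condition down to each leaf, so the attribute names are known without
  # evaluating the condition first.
  consumerDeferred = { config, lib, ... }: {
    config.ghaf = lib.mkIf config.ghaf.storagevm.enable {
      storagevm.directories = [ "/var/lib/example" ];
    };
  };

  # Evaluate one consumer together with the declarations and an explicit
  # enable, then read back the merged directory list.
  directoriesWith = consumer:
    (lib.evalModules {
      modules = [ storageOptions consumer { ghaf.storagevm.enable = true; } ];
    }).config.ghaf.storagevm.directories;
in
{
  deferred = directoriesWith consumerDeferred;
  # Swap in consumerEager to reproduce the cycle. builtins.tryEval does not
  # catch infinite recursion, so it cannot be shown side by side here.
}
```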