@humaidq-tii humaidq-tii commented Mar 18, 2025

Description of changes

This pull request builds upon #1005.

This pull request adds a new partitioning scheme in a new lenovo-x1-gen11-hardening target, where it would use the new image-based disk partitioning scheme. All other targets aren't yet updated, as this partitioning scheme is still experimental and to eventually be used for the release targets. For testing we enable it for the extras debug target too, as the release variant might not be functional. The goal of this target is also to be a testing ground for newer hardening techniques.

The new partitioning scheme is similar to what is introduced in #1005, but it uses EROFS for the verity tree and root partitions. This is a read-only file system that will make the nix-store completely immutable, allowing us to verify that the system image hasn't been tampered with. EROFS is a modern and fast read-only filesystem, which would also help avoid unintentional tampering of the system.

Some refactoring has been done to allow multiple partitioning schemes without them affecting each other.

  • Enables dm-verity.
    • Set default to kernel panic on any corrupted block.
  • Added new image-based partitioning scheme.
    • Image generated by systemd-repart with dm-verity roothash included.
    • Uses EROFS for the verity tree and root (nix-store) partition.
  • Added preliminary boilerplate for systemd-sysupdate (OTA system updates).
    • The code will require more work in order for it to work, especially with the boot loader.
  • Importing disko module now assumes that it must be enabled.
    • You cannot import disko partitioning scheme without using it, same with the new image-based partitioning scheme.
    • This is because certain options that are imported/inherited from disko (upstream) conflict with the repart NixOS module.
  • Made some code generic (such as the laptop-configuration-builder.nix and the ghaf installer script).
  • No disk encryption yet, also images aren't signed with secure boot keys.
  • Enable QR code for kernel panics for all x86_64; this allows us to see when dm-verity fails.
  • Remove disk hardware definition as it isn't used for both dm-verity (repart) and debug (disko) builds.

Checklist for things done

  • Summary of the proposed changes in the PR description
  • More detailed description in the commit message(s)
  • Commits are squashed into relevant entities - avoid a lot of minimal dev time commits in the PR
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • PR linked to architecture documentation and requirement(s) (ticket id)
  • Test procedure described (or includes tests). Select one or more:
    • Tested on Lenovo X1 x86_64
    • Tested on Jetson Orin NX or AGX aarch64
    • Tested on Polarfire riscv64
  • Author has run make-checks and it passes
  • All automatic Github Action checks pass - see actions
  • Author has added reviewers and removed PR draft status
  • Change requires full re-installation
  • Change can be updated with nixos-rebuild ... switch: NO

Instructions for Testing

  • List all targets that this applies to:
    • AGX
    • NX
    • x86_64: lenovo-x1-gen11-hardening only
  • Is this a new feature: Yes, as it adds integrity checking which is also a security feature
    • List the test steps to verify:
      • Build .#lenovo-x1-gen11-hardening-debug-installer (do not test release).
      • Installer works properly.
      • Run sudo veritysetup status root on ghaf-host, should show status verified.
      • Open file manager, the Shares folder should be around 940GB or larger, indicating that the data partition expanded to fill disk after boot.
      • Build a normal debug build (not the extras). Should work as normal (specifically the installer script and boot).
  • If it is an improvement how does it impact existing functionality?
    • Yes, nixos-rebuild will no longer work on the extras targets.
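As an added example (not code from this PR or from ghaf), the verification steps in the test instructions above turned into a script: it checks that the verity root mapping reports verified and that the nix store is mounted from it as read-only EROFS. It assumes the mapping name root (as in `veritysetup status root`) and the /nix/store mount point; the sample outputs are constructed so it can be exercised offline.

```shell
#!/bin/sh
# Added example, not ghaf's own code: a post-install integrity check for the
# hardening target described above. Assumptions: the verity mapping is named
# "root" (as in `veritysetup status root`) and the nix store is mounted at
# /nix/store. The sample outputs below are constructed for offline use.

# Constructed `veritysetup status root` output from a healthy boot.
SAMPLE_VERITY='/dev/mapper/root is active and is in use.
  type:        VERITY
  status:      verified
  hash type:   1
  data block:  4096
  hash block:  4096
  data device: /dev/nvme0n1p2
  hash device: /dev/nvme0n1p3'

# Constructed output after a block failed its hash check.
SAMPLE_CORRUPT='/dev/mapper/root is active and is in use.
  type:        VERITY
  status:      corrupted'

# Constructed /proc/mounts lines: store on the verity device, read-only EROFS.
SAMPLE_MOUNTS='/dev/mapper/root /nix/store erofs ro,relatime 0 0
/dev/nvme0n1p5 /data ext4 rw,relatime 0 0'

# Constructed bad case: store mounted writable from a plain partition.
SAMPLE_MOUNTS_RW='/dev/nvme0n1p2 /nix/store ext4 rw,relatime 0 0'

# verity_ok STATUS_TEXT: succeeds only if the mapping is active and verified.
verity_ok() {
  printf '%s\n' "$1" | grep -q ' is active' || return 1
  printf '%s\n' "$1" |
    awk '/^ *status:/ { st = $2 } END { if (st == "verified") exit 0; exit 1 }'
}

# store_ok MOUNTS_TEXT: succeeds only if /nix/store is read-only EROFS on /dev/mapper/root.
store_ok() {
  printf '%s\n' "$1" | awk '
    $2 == "/nix/store" {
      found = 1
      ok = ($1 == "/dev/mapper/root" && $3 == "erofs" && $4 ~ /(^|,)ro(,|$)/)
    }
    END { if (found && ok) exit 0; exit 1 }'
}

# check_live: run the real checks on a ghaf-host (veritysetup needs root).
check_live() {
  verity_ok "$(veritysetup status root 2>/dev/null)" || { echo "FAIL: root not verified"; return 1; }
  store_ok "$(cat /proc/mounts)" || { echo "FAIL: /nix/store not read-only EROFS on verity"; return 1; }
  echo "OK: dm-verity root verified, store immutable"
}
```

Run `check_live` as root on the installed host; a corrupted status or a writable store makes it return non-zero, which is the condition the panic-on-corruption setting is meant to surface at boot.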

@msaarine

Testing

  1. (.#lenovo-x1-gen11-hardening-debug-installer)
    Built, installed & tested the things mentioned in the PR (sudo veritysetup status root, & Shares folder size) & ran the automated bat tests (35) for the image
  • Building & installation worked fine.
  • The system seemed to work as expected, the given command was supported and status was 'verified'.
  • File manager, the Shares folder showed to be around 940GB
  • Automated bat tests passed.
  2. (.#lenovo-x1-carbon-gen11-debug-installer)
    Built, installed & tested a normal build & ran the automated bat tests (35) for the image
  • Building worked fine (.#lenovo-x1-carbon-gen11-debug-installer)
  • Installation (please check the note below!)
  • The system seemed to work as expected, automated bat tests passed.

Note:
The only thing that I want to mention here is the installation after the 'hardening' image was used.

When I tried to install a normal build ('lenovo-x1-carbon-gen11-debug-installer') I faced some problems I had not seen before.
When installation was done, there is a step where it is advised: ">>Please remove installation media and re-boot"

Usually in my installations, I have always removed the SSD device and then executed 'sudo reboot' in that installation step.
Now when I unplugged the SSD, I got an error like:
I/O error, dev loop0, sector 3117570 op 0x0:(READ) flags 0x800 phys_seg 84 prio class 0
... (picture attached)

and 'sudo reboot' after that 'did nothing'.

That was a surprise for me. I was told that this is ok and happens sometimes. I have been working with these issues for only a short period of time, so maybe I just haven't faced this before.
To avoid that situation, I used a slightly different process (instead of just removing the SSD):

  • sudo shutdown now
  • Removed the media after shutdown
  • Powered the PC
    --> I ended up in the normal situation of setting username/passwd etc. and the SW worked just fine

So if that functionality is a known issue, I did not capture any regression/non-working implementation during my testing.

Disko is able to generate the correct images without having the device
path. And this is also not used in the repart image with dm-verity.

Signed-off-by: Humaid Alqasimi <[email protected]>
@brianmcgillion brianmcgillion merged commit 3f25f73 into tiiuae:main May 16, 2025
25 of 26 checks passed
brianmcgillion added a commit to brianmcgillion/ghaf that referenced this pull request Jun 11, 2025
The vm test for the installer was broken by
tiiuae#1074 and was not seen then. This
change just fixes the path to the image that is to be flashed.

Signed-off-by: Brian McGillion <[email protected]>
brianmcgillion added a commit that referenced this pull request Jun 16, 2025
The vm test for the installer was broken by
#1074 and was not seen then. This
change just fixes the path to the image that is to be flashed.

Signed-off-by: Brian McGillion <[email protected]>