[Lenovo X1]: Created host-hardening profile & updated lanzaboote

[vunnyso]

Description of changes

• Created host-hardening profile which holds hardening configuration needed for the host. Also added secure boot configuration under host. By default host-hardening profile is disabled.
• Updated lanzaboote package version to v0.4.1.
• Addresses SP-4919

Checklist for things done

• [x] Summary of the proposed changes in the PR description
• [x] More detailed description in the commit message(s)
• [x] Commits are squashed into relevant entities - avoid a lot of minimal dev time commits in the PR
• [x] Contribution guidelines followed
• [ ] Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
• [ ] PR linked to architecture documentation and requirement(s) (ticket id)
• [x] Test procedure described (or includes tests). Select one or more:
  • [x] Tested on Lenovo X1 x86_64
  • [ ] Tested on Jetson Orin NX or AGX aarch64
  • [ ] Tested on Polarfire riscv64
• [ ] Author has run nix flake check --accept-flake-config and it passes
• [ ] All automatic Github Action checks pass - see actions
• [x] Author has added reviewers and removed PR draft status

Testing

1) To test secure boot working change here host-hardening.enable = true; 2) You may need to flash image as some of lanzaboote file may not install with nixos-rebuild ... switch 3) Enable secure boot from BIOS. 4) Enroll keys sudo sbctl enroll-keys --microsoft and reboot 5) Run below command to verify functionality

[ghaf@ghaf-host:~]$ sbctl status | grep Secure
Secure Boot:    ✓ Enabled

6. Also can verify lanzaboote version

   [ghaf@ghaf-host:~]$ sudo bootctl status | grep lanza
        Stub: lanzastub 0.4.1

[milva-unikie]

Lenovo-X1 debug image gets stuck at boot, same problem that Samuli first noticed here. I built the pr with nix build github:vunnyso/ghaf/vs-sbfix#lenovo-x1-carbon-gen11-debug and booted from external SSD.

[vunnyso]

Issue is seen with mainline ghaf commit c7eab7f995cf841104f26db62222b862b5915c79 as well.

[milva-unikie]

Issue is seen with mainline ghaf commit c7eab7f as well.

We confirmed that the issue is caused by mainline. It did not happen the first two times I tried, but both me and Samuli have now seen it in main too. https://github.com/tiiuae/ghaf/pull/703#issuecomment-2268312667

[vunnyso]

Looks like some issue with zfs pool selection during system boot, I have tried to import zfspool manually but somehow system boot cannot continue.

[unbel13ver]

The root cause of the issue with ZFS pool is that ZFS keeps its metadata in the beginning and in the end of the storage device. When the media device is reflashed, this metadata does not match anymore. I made a PR with the flashing script that correctly wipes the target device before reflashing the image. https://github.com/tiiuae/ghaf/pull/713

[vunnyso]

The root cause of the issue with ZFS pool is that ZFS keeps its metadata in the beginning and in the end of the storage device. When the media device is reflashed, this metadata does not match anymore. I made a PR with the flashing script that correctly wipes the target device before reflashing the image. #713

Thanks @unbel13ver

[milva-unikie]

Tested on Lenovo-X1

• Automated tests pass with both host-hardening off and on, performance ok
• Secure boot works when host-hardening is on
• Secure boot is not available when host-hardening is off
• Lanzaboote version is correct
• No findings in manual regression tests