Release ghaf-25.09.2
This is a monthly Ghaf release that has been fully tested on the Nvidia Orin NX, Nvidia Orin AGX, Lenovo X1 Carbon Gen11 and System76 Darter Pro platforms.
Release Tag
https://github.com/tiiuae/ghaf/releases/tag/ghaf-25.09.2
Supported Hardware
The following target hardware is supported by this release:
- Lenovo ThinkPad X1 Carbon Gen 10/11/12/13, Gen9 2-in-1
- Dell Latitude 7230, 7330
- Alienware M18
- System76 Darter Pro
What’s Changed
- version: bump to the next target by @brianmcgillion in https://github.com/tiiuae/ghaf/pull/1385
- Fix multiple code scanning security issues by @brianmcgillion in https://github.com/tiiuae/ghaf/pull/1373
- Fix path injection vulnerability in GPS module subprocess call by @Copilot in https://github.com/tiiuae/ghaf/pull/1387
- fix(chrome-vm, business-vm): multiple chrome fixes and adjustments by @kajusnau in https://github.com/tiiuae/ghaf/pull/1348
- docs: fix the flake init template attribute by @elmankku in https://github.com/tiiuae/ghaf/pull/1388
- build(deps): bump github/codeql-action from 3.30.1 to 3.30.2 by @dependabot[bot] in https://github.com/tiiuae/ghaf/pull/1392
- cleanup: minor house keeping by @brianmcgillion in https://github.com/tiiuae/ghaf/pull/1390
- docs: bump npm packages by @brianmcgillion in https://github.com/tiiuae/ghaf/pull/1394
- script: Add script to update docs npm deps by @brianmcgillion in https://github.com/tiiuae/ghaf/pull/1376
- Fix malformed mime type by @avnik in https://github.com/tiiuae/ghaf/pull/1397
- build(deps): bump step-security/harden-runner from 2.13.0 to 2.13.1 by @dependabot[bot] in https://github.com/tiiuae/ghaf/pull/1399
- feat(vm-target): simple host ui by @mbssrc in https://github.com/tiiuae/ghaf/pull/1400
- Bump givc to support BT mouse and add eventProxy Config by @vunnyso in https://github.com/tiiuae/ghaf/pull/1395
- fix(vm): empty event proxy on host by @mbssrc in https://github.com/tiiuae/ghaf/pull/1401
- Bump: Update microvm.nix module by @vunnyso in https://github.com/tiiuae/ghaf/pull/1402
- docs: add ghaf-25.09.1 release note by @clayhill66 in https://github.com/tiiuae/ghaf/pull/1403
- build(deps): bump github/codeql-action from 3.30.2 to 3.30.3 by @dependabot[bot] in https://github.com/tiiuae/ghaf/pull/1404
- fix: Element issues by @enesoztrk in https://github.com/tiiuae/ghaf/pull/1379
- Protect admin VM from VM controls by @slakkala in https://github.com/tiiuae/ghaf/pull/1372
- feat: improve waypipe performance, adjust trusted browser by @kajusnau in https://github.com/tiiuae/ghaf/pull/1398
- fix(logging): stop losing admin-vm logs across offline reboots by @everton-dematos in https://github.com/tiiuae/ghaf/pull/1396
- bump: drop the qemu 10.1 carry patches by @brianmcgillion in https://github.com/tiiuae/ghaf/pull/1405
- Add hardware information service for host-to-guest data passing by @juliuskoskela in https://github.com/tiiuae/ghaf/pull/1380
- qemu: Use the new qemu api for battery/lid/power by @brianmcgillion in https://github.com/tiiuae/ghaf/pull/1391
- docs: Add fake battery info by @brianmcgillion in https://github.com/tiiuae/ghaf/pull/1410
- build(deps): bump astral-sh/setup-uv from 6.6.1 to 6.7.0 by @dependabot[bot] in https://github.com/tiiuae/ghaf/pull/1411
- build(deps): bump tj-actions/changed-files from 46.0.5 to 47.0.0 by @dependabot[bot] in https://github.com/tiiuae/ghaf/pull/1412
- docs: bump npm packages by @brianmcgillion in https://github.com/tiiuae/ghaf/pull/1414
- dependabot: change the frequency of checks by @brianmcgillion in https://github.com/tiiuae/ghaf/pull/1415
- feat(boot): enable graphical boot on guivm, fix darp11 graphical boot by @kajusnau in https://github.com/tiiuae/ghaf/pull/1406
- disable suspension on darp11, increase guivm core count by @kajusnau in https://github.com/tiiuae/ghaf/pull/1417
- Update vhotplug to support new config format and external API by @nesteroff in https://github.com/tiiuae/ghaf/pull/1389
- Enabling fail2ban module by @enesoztrk in https://github.com/tiiuae/ghaf/pull/1407
- Documentation addons regarding security architecture and features by @vadika in https://github.com/tiiuae/ghaf/pull/1419
- Fix ctrl-panel VM starting by @slakkala in https://github.com/tiiuae/ghaf/pull/1418
- lenovo-x1-gen11: Add TPM-backed encryption for the persist partition by @hros-tii in https://github.com/tiiuae/ghaf/pull/1232
- build(deps): bump cachix/install-nix-action from 31.6.1 to 31.6.2 by @dependabot[bot] in https://github.com/tiiuae/ghaf/pull/1422
- docs: bump NPM depends by @brianmcgillion in https://github.com/tiiuae/ghaf/pull/1427
- Minor fix and Enable the disk encryption for ‘mvp-user-trial’ profile by @vunnyso in https://github.com/tiiuae/ghaf/pull/1420
New Contributors
- @elmankku made their first contribution in https://github.com/tiiuae/ghaf/pull/1388
Full Changelog: https://github.com/tiiuae/ghaf/compare/ghaf-25.09.1...ghaf-25.09.2
Bug fixes
Fixed bugs that were present in the previous release:
- x86: Element support has been brought back
- Orin: The keyboard defaults to the English layout on boot
Known Issues and Limitations
| Issue | Status | Comments |
|---|---|---|
| x86 | | |
| (System76 only) Suspension has been disabled | In Progress | |
| Battery drains fast after suspension | In Progress | Issue is under investigation |
| Can’t share Trusted Browser window in Teams | In Progress | Issue is under investigation |
| Using audio through USB device may cause instability | In Progress | Workaround: Use either internal speaker or headphones with 3.5mm jack |
| Downloading large file (10G) crashes the browser | In Progress | Issue is under investigation |
| Unlock with fingerprint doesn’t work | In Progress | Issue is under investigation |
| GUI not launched if booting with Yubikey | In Progress | Fix will be available in next release |
| Audio control not working after suspend | In Progress | Issue is under investigation |
| NVIDIA Jetson AGX Orin / Orin NX | | |
| Element does not start | In Progress | Issue is under investigation |
| If suspended, device doesn’t wake-up | In Progress | Issue is under investigation |
| Locking the device from power menu doesn’t work | In Progress | Issue is under investigation |
| Unlocking from lock screen does not work | In Progress | Issue is under investigation |
Installation Instructions
Released images are available at https://archive.vedenemo.dev/ghaf-25.09.2/
Download the required image and use the following instructions: Build and Run.