Release ghaf-26.04.1

This is monthly Ghaf release which has been fully tested on Nvidia Orin NX, Nvidia Orin AGX, Lenovo X1 Carbon Gen11 and System76 Darter Pro platforms

Release Tag

https://github.com/tiiuae/ghaf/releases/tag/ghaf-26.04.1

Supported Hardware

The following target hardware is supported by this release:

NVIDIA Jetson Orin AGX
NVIDIA Jetson Orin NX
Lenovo ThinkPad X1 Carbon Gen 10/11/12/13, Gen9 2-in-1
Lenovo T14 AMD
Dell Latitude 7230, 7330
Alienware M18
System76 Darter Pro
NXP i.MX 8M Plus

What’s Changed

overlay hunt: refactor qemu_kvm from global overlay to module by @vadika in https://github.com/tiiuae/ghaf/pull/1844
docs: add 26.03.1 release note by @clayhill66 in https://github.com/tiiuae/ghaf/pull/1878
version bump by @brianmcgillion in https://github.com/tiiuae/ghaf/pull/1879
Bump: March end and few improvements by @vunnyso in https://github.com/tiiuae/ghaf/pull/1859
optimize(eval): template installer ISOs to single NixOS evaluation by @henrirosten in https://github.com/tiiuae/ghaf/pull/1877
docs: bump versions by @brianmcgillion in https://github.com/tiiuae/ghaf/pull/1880
overlay hunt: remove unused gtklock overlay and leftover .orig file by @vadika in https://github.com/tiiuae/ghaf/pull/1874
fix(systemd): suppress tmpfiles %b specifier errors by @vadika in https://github.com/tiiuae/ghaf/pull/1873
fix(firewall): preserve blacklist mark through nat prerouting by @enesoztrk in https://github.com/tiiuae/ghaf/pull/1885
jetson-orin: use XML-aware splicing for flash partition layout by @Mic92 in https://github.com/tiiuae/ghaf/pull/1849
SPIRE integration by @gngram in https://github.com/tiiuae/ghaf/pull/1837
givc: systray support via dbus proxy by @enesoztrk in https://github.com/tiiuae/ghaf/pull/1791
[spire] enable join token node attestation by @gngram in https://github.com/tiiuae/ghaf/pull/1881
fix(power): keep display on during suspension; virtiofs: enable cache by @kajusnau in https://github.com/tiiuae/ghaf/pull/1887
build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 by @dependabot[bot] in https://github.com/tiiuae/ghaf/pull/1891
build(deps): bump cachix/install-nix-action from 31.10.3 to 31.10.4 by @dependabot[bot] in https://github.com/tiiuae/ghaf/pull/1893
build(deps): bump step-security/harden-runner from 2.16.0 to 2.17.0 by @dependabot[bot] in https://github.com/tiiuae/ghaf/pull/1892
fix(suspend): fix lid close suspend not resuming properly by @kajusnau in https://github.com/tiiuae/ghaf/pull/1901
Clean up verity code, fix known issues by @avnik in https://github.com/tiiuae/ghaf/pull/1861
optimize(eval): make cross target packages lazy by @henrirosten in https://github.com/tiiuae/ghaf/pull/1890
Fix intel-laptop target by @nesteroff in https://github.com/tiiuae/ghaf/pull/1875
Apply firewall dynamic rules through policy update using iptables by @gngram in https://github.com/tiiuae/ghaf/pull/1886
ci: add conventional commits check github action by @kajusnau in https://github.com/tiiuae/ghaf/pull/1897
ci: add workflow to label stale issues and PRs by @kajusnau in https://github.com/tiiuae/ghaf/pull/1898
bump: april bump by @kajusnau in https://github.com/tiiuae/ghaf/pull/1900
build(deps): bump github/codeql-action from 4.35.1 to 4.35.2 by @dependabot[bot] in https://github.com/tiiuae/ghaf/pull/1903
build(deps): bump astral-sh/setup-uv from 8.0.0 to 8.1.0 by @dependabot[bot] in https://github.com/tiiuae/ghaf/pull/1905
build(deps): bump tj-actions/changed-files from 47.0.5 to 47.0.6 by @dependabot[bot] in https://github.com/tiiuae/ghaf/pull/1902
fix(audit): gate verbose audit OSPP success rules by @everton-dematos in https://github.com/tiiuae/ghaf/pull/1889
fix(sys-tray): hide waypipe apps to tray on window close by @enesoztrk in https://github.com/tiiuae/ghaf/pull/1907
refactor(zathura): rename, refactor, add video file handling by @kajusnau in https://github.com/tiiuae/ghaf/pull/1908
build(deps): bump step-security/harden-runner from 2.17.0 to 2.19.0 by @dependabot[bot] in https://github.com/tiiuae/ghaf/pull/1904
build(deps): bump cachix/install-nix-action from 31.10.4 to 31.10.5 by @dependabot[bot] in https://github.com/tiiuae/ghaf/pull/1910
build(deps): bump webiny/action-conventional-commits from 1.3.1 to 1.4.2 by @dependabot[bot] in https://github.com/tiiuae/ghaf/pull/1911
fix(intel-laptop): add store disk variants and fix PCI hotplug by @nesteroff in https://github.com/tiiuae/ghaf/pull/1914
feat(spire): add x509pop attestation support by @gngram in https://github.com/tiiuae/ghaf/pull/1853
fix(shutdown): fix backlight going to 0% on shutdown by @kajusnau in https://github.com/tiiuae/ghaf/pull/1916
feat(installer): rework to TUI, improve UX by @kajusnau in https://github.com/tiiuae/ghaf/pull/1909
fix(flash-script): fix prebuilt bmap detection by @kajusnau in https://github.com/tiiuae/ghaf/pull/1915

Full Changelog: https://github.com/tiiuae/ghaf/compare/ghaf-26.03.1…ghaf-26.04.1

Bug fixes

Fixed bugs that were present in the previous release

MultiFactor Authentication doesn’t work
Screenshot is not saved to Pictures
Display stays black when re-opening the lid
Yubikey login doesn’t work

Known Issues and Limitations

Issue	Status	Comments
x86
(System76) Secure Boot key enrollment doesn’t work	In Progress	Will be fixed in next release
Reboot and shutdown takes long time	In Progress	Will be fixed in next release
Audio lost after suspend/resume	In Progress	Issue is under investigation
Occasional black screen and wifi connectivity issues after suspend/resume	In Progress	Issue is under investigation
(X1) Unlock with fingerprint doesn’t work In Progress Issue is under investigation
NVIDIA Jetson AGX Orin / Orin NX
GUI login does not work	On Hold
Device boots to black screen with only cursor blinking	On Hold
If suspended, device doesn’t wake-up	On Hold
Locking the device from power menu doesn’t work	On Hold
Unlocking from lock screen does not work	On Hold

Installation Instructions

Released images are available at https://archive.vedenemo.dev/

Download the required image and use the following instructions: Build and Run.