
feat(installer): implement deferred disk encryption trigger#1670

Merged
brianmcgillion merged 2 commits into tiiuae:main from vunnyso:vs-defInst on Jan 8, 2026

@vunnyso vunnyso commented Jan 8, 2026

Description of Changes

This commit introduces an opt-in deferred disk encryption mechanism for the installer.

The ghaf-installer.sh script now includes an -e flag that, when used, sets up the system for deferred encryption. It does this by creating a .ghaf-installer-encrypt marker file on the ESP partition after the image is written to the disk.

The deferred-disk-encryption.nix module is updated to check for this marker on boot. The encryption process will only proceed if the marker is found, preventing encryption on non-installer boots. Upon completion or failure of the encryption process, the marker is removed to prevent the process from running again on subsequent reboots.

Type of Change

  • New Feature
  • Bug Fix
  • Improvement / Refactor

Related Issues / Tickets

Checklist

  • Clear summary in PR description
  • Detailed and meaningful commit message(s)
  • Commits are logically organized and squashed if appropriate
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • Author has run make-checks and it passes
  • All automatic GitHub Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

  • Orin AGX aarch64
  • Orin NX aarch64
  • Lenovo X1 x86_64
  • Dell Latitude x86_64
  • System 76 x86_64

Installation Method

  • Requires full re-installation
  • Can be updated with nixos-rebuild ... switch
  • Other:

Test Steps To Verify:

  1. The full disk encryption feature is available only with the installer and can be enabled by using the -e option.
    sudo ghaf-installer -e
  2. Full disk encryption will not be available if you are flashing a disk image or omit the -e option with ghaf-installer.

Please note: when using the -e option, the first boot time may vary significantly. For NVMe, it may take less than 2 minutes, while for a 500GB USB SSD, it could take around 5-6 minutes to complete encryption.

Enable deferred LUKS encryption that applies on first boot rather than
at build time. Images are now built with plain LVM, reducing size from
20GB to 7GB (compressed). Encryption is applied when the user sets a password
on first boot, with automatic TPM2/FIDO2 enrollment.

Co-authored-by: Brian McGillion <bmg.avoin@gmail.com>
Co-authored-by: Vunny Sodhi <vunny.sodhi@unikie.com>
Signed-off-by: Brian McGillion <bmg.avoin@gmail.com>
Signed-off-by: Vunny Sodhi <vunny.sodhi@unikie.com>
@vunnyso vunnyso marked this pull request as ready for review January 8, 2026 11:58
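The marker-gated, run-once trigger the description explains, as an added shell example (not code from the ghaf repository or from this PR): the installer side drops the marker on the ESP, and the first-boot side runs the encryption step only when the marker exists, then removes it on success or failure. Assumed: the ESP is already mounted at the directory passed in, and the encryption step (in ghaf the LUKS setup; here any command) is passed as the remaining arguments.

```shell
#!/bin/sh
# Added example, not ghaf's own code: the marker-gated, run-once
# encryption trigger described in the PR. Assumes the ESP is already
# mounted at the directory passed as $1 and that the encryption step
# (any command, standing in for the real LUKS setup) follows it.

MARKER=".ghaf-installer-encrypt"   # marker name from the PR description

# Installer side: `ghaf-installer -e` drops the marker on the ESP after the
# image has been written, so only an installer boot can start encryption.
installer_mark_encrypt() {
    esp="$1"
    [ -d "$esp" ] || return 1
    : > "$esp/$MARKER"
}

# First-boot side: run the encryption step only if the marker exists, then
# remove the marker whether the step succeeded or failed so it never runs
# again on later boots. Returns the step's exit status, or 2 when there is
# no marker (a non-installer boot, e.g. a plainly flashed image).
# A hard power loss mid-step leaves the marker behind, so the step itself
# must be safe to retry on the next boot.
first_boot_encrypt() {
    esp="$1"; shift
    [ -f "$esp/$MARKER" ] || return 2
    if "$@"; then rc=0; else rc=$?; fi   # errexit-safe capture of status
    rm -f "$esp/$MARKER"                 # removed on completion OR failure
    return "$rc"
}

# Demo on a constructed temporary "ESP"; no real disk is touched.
demo() {
    esp=$(mktemp -d)
    installer_mark_encrypt "$esp"
    if first_boot_encrypt "$esp" true; then echo "installer boot: encrypted"; fi
    first_boot_encrypt "$esp" true || echo "next boot: skipped, status $?"
    rm -rf "$esp"
}
demo
```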
vunnyso commented Jan 8, 2026

Eval tests are passing locally

[Ghaf devshell]$ python3 .github/eval.py  0 10
[+] Evaluating flake outputs (job 0/10)
[+] Starting nix-eval-jobs...
warning: unknown setting 'allowed-users'
warning: unknown setting 'trusted-users'
[   2.8s] ✓ devShells.aarch64-linux.default
[   3.3s] ✓ packages.aarch64-linux.audit-rules
[   3.3s] ✓ packages.aarch64-linux.ghaf-vms
[  12.5s] ✓ packages.aarch64-linux.nvidia-jetson-orin-agx-release
[  17.0s] ✓ packages.aarch64-linux.nxp-imx8mp-evk-debug
[  40.8s] ✓ packages.x86_64-linux.alienware-m18-R2-release
[  74.2s] ✓ packages.x86_64-linux.dell-latitude-7330-release-installer
[  82.5s] ✓ packages.x86_64-linux.generic-x86_64-release
[  87.2s] ✓ packages.x86_64-linux.laptop-hw-scan
[ 112.5s] ✓ packages.x86_64-linux.lenovo-x1-carbon-gen10-release-installer
[ 140.3s] ✓ packages.x86_64-linux.lenovo-x1-carbon-gen13-debug-installer
[ 169.2s] ✓ packages.x86_64-linux.lenovo-x1-gen11-hardening-release-installer
[ 172.8s] ✓ packages.x86_64-linux.nvidia-jetson-orin-agx-industrial-debug-from-x86_64-flash-qspi
[ 180.9s] ✓ packages.x86_64-linux.nvidia-jetson-orin-agx-industrial-release-nodemoapps-from-x86_64-flash-script
[ 189.3s] ✓ packages.x86_64-linux.nvidia-jetson-orin-agx64-debug-nodemoapps-from-x86_64
[ 192.7s] ✓ packages.x86_64-linux.nvidia-jetson-orin-nx-debug-from-x86_64-flash-qspi
[ 201.0s] ✓ packages.x86_64-linux.nvidia-jetson-orin-nx-release-nodemoapps-from-x86_64-flash-script
[ 228.2s] ✓ packages.x86_64-linux.system76-darp11-b-storeDisk-debug-installer
[ 230.1s] ✓ packages.x86_64-linux.windows-launcher

============================================================
Evaluated 19 attributes in 230.2s
  ✓ 19 succeeded
  ✗ 0 failed

This commit introduces an opt-in deferred disk encryption
mechanism for the installer.

The `ghaf-installer.sh` script now includes an `-e` flag that, when used,
sets up the system for deferred encryption. It does this by creating
a `.ghaf-installer-encrypt` marker file on the ESP partition after the
image is written to the disk.

The `deferred-disk-encryption.nix` module is updated to check
for this marker on boot. The encryption process will only
proceed if the marker is found, preventing encryption on
non-installer boots. Upon completion or failure of the
encryption process, the marker is removed to prevent the
process from running again on subsequent reboots.

Signed-off-by: Vunny Sodhi <vunny.sodhi@unikie.com>
@brianmcgillion

Tested both encrypted and not encrypted installs work.

@brianmcgillion brianmcgillion merged commit 63c6165 into tiiuae:main Jan 8, 2026
32 checks passed