logging/givc: enable nvidia logging with cross-aware GIVC pin

Enable GIVC and logging wiring for Orin targets, remove temporary host TLS guard logic, and pin ghaf-givc to the cross-aware branch revision used for x86_64 -> aarch64 flash builds. Also drop redundant Jetson logging endpoint override now provided by global defaults.

Signed-off-by: vadik likholetov <vadikas@gmail.com>

Author: vadika

flake.lock

@@ -105,7 +105,7 @@
 
     # Ghaf Inter VM communication and control library
     givc = {
-      url = "github:tiiuae/ghaf-givc";
+      url = "github:vadika/ghaf-givc/vadika/cross-givc-packages";
       inputs = {
         nixpkgs.follows = "nixpkgs";
         flake-parts.follows = "flake-parts";

flake.nix

@@ -108,17 +108,15 @@ let
       # 1. ghaf.profiles.{debug,release}.enable for host-side module activation
       # 2. ghaf.global-config to the corresponding profile for VM-side config propagation
       #
-      # Note: global-config uses mkDefault so that platform-specific profiles (like orin.nix)
-      # can override specific values. For example, orin.nix sets ghaf.givc.enable = false
-      # and this should propagate to VMs via ghaf.global-config.givc.enable.
+      # Note: global-config uses mkDefault so target modules can still override specific
+      # values when needed.
+
       variantModule = {
         ghaf.profiles = {
           debug.enable = variant == "debug";
           release.enable = variant == "release";
         };
         # Set global-config to match the variant's profile using mkDefault
-        # This allows profile modules to override specific global-config values
-        # Example: orin.nix can set ghaf.global-config.givc.enable = false
         ghaf.global-config = lib.mapAttrsRecursive (_: v: lib.mkDefault v) (
           lib.ghaf.profiles.${variant} or lib.ghaf.profiles.minimal
         );

lib/builders/mkGhafConfiguration.nix

@@ -52,6 +52,12 @@ rec {
             description = "Logging listener address";
           };
 
+          serverName = mkOption {
+            type = types.nullOr types.str;
+            default = null;
+            description = "Optional TLS server name for validating the admin-vm logging listener certificate";
+          };
+
           port = mkOption {
             type = types.port;
             default = 9999;

lib/global-config.nix

@@ -47,6 +47,10 @@
       logging.listener.address = lib.mkIf (
         config.ghaf.global-config.logging.enable && config.ghaf.common.adminHost != null
       ) (lib.mkDefault config.ghaf.networking.hosts.admin-vm.ipv4);
+      # Auto-populate logging TLS server_name for producer-side certificate validation.
+      logging.listener.serverName = lib.mkIf (
+        config.ghaf.global-config.logging.enable && config.ghaf.common.adminHost != null
+      ) (lib.mkDefault "admin-vm");
     };
   };
 }

modules/common/global-config.nix

@@ -11,6 +11,7 @@ let
     mkEnableOption
     mkOption
     types
+    hasPrefix
     optionalString
     ;
   cfg = config.ghaf.logging.client;
@@ -58,6 +59,11 @@ in
         default = "TLS12";
         description = "Minimum TLS version for the outbound connection.";
       };
+      serverName = mkOption {
+        type = types.nullOr types.str;
+        default = if listener.serverName != null then listener.serverName else "admin-vm";
+        description = "Expected TLS server_name (SNI) for validating the admin-vm listener certificate.";
+      };
     };
   };
 
@@ -121,6 +127,7 @@ in
               cert_file   = sys.env("CREDENTIALS_DIRECTORY") + "/client_cert"
               key_file    = sys.env("CREDENTIALS_DIRECTORY") + "/client_key"
               min_version = "${cfg.tls.minVersion}"
+              ${optionalString (cfg.tls.serverName != null) ''server_name = "${cfg.tls.serverName}"''}
             }
           }
         }
@@ -131,6 +138,18 @@ in
 
     services.alloy.enable = true;
 
+    systemd.services.alloy.unitConfig.RequiresMountsFor = lib.unique (
+      lib.optionals (cfg.tls.certFile != null && hasPrefix "/etc/givc/" (toString cfg.tls.certFile)) [
+        (dirOf (toString cfg.tls.certFile))
+      ]
+      ++ lib.optionals (cfg.tls.keyFile != null && hasPrefix "/etc/givc/" (toString cfg.tls.keyFile)) [
+        (dirOf (toString cfg.tls.keyFile))
+      ]
+      ++ lib.optionals (cfg.tls.caFile != null && hasPrefix "/etc/givc/" (toString cfg.tls.caFile)) [
+        (dirOf (toString cfg.tls.caFile))
+      ]
+    );
+
     systemd.services.alloy.serviceConfig = {
       after = [
         "systemd-journald.service"

modules/common/logging/client.nix

@@ -102,6 +102,15 @@ in
       default = 9999;
     };
 
+    listener.serverName = mkOption {
+      description = ''
+        Optional TLS server name used by log producers when
+        verifying the admin-vm listener certificate.
+      '';
+      type = types.nullOr types.str;
+      default = null;
+    };
+
     journalRetention = {
       enable = mkOption {
         description = ''

modules/common/logging/common.nix

@@ -453,6 +453,14 @@ in
         after = [ "systemd-journald.service" ];
         wants = [ "systemd-journald.service" ];
 
+        unitConfig = {
+          RequiresMountsFor = [
+            cfg.keyPath
+            "/var/log/journal"
+            "/run/log/journal"
+          ];
+        };
+
         serviceConfig = {
           Type = "oneshot";
           RemainAfterExit = true;
@@ -477,6 +485,11 @@ in
         unitConfig = {
           # Only run if FSS setup has completed successfully
           ConditionPathExists = "${cfg.keyPath}/initialized";
+          RequiresMountsFor = [
+            cfg.keyPath
+            "/var/log/journal"
+            "/run/log/journal"
+          ];
         };
 
         serviceConfig = {

modules/common/logging/fss.nix

@@ -114,6 +114,11 @@ in
 
         # Let systemd use default ordering for audit-rules instead of early-boot
         unitConfig.DefaultDependencies = lib.mkForce true;
+        unitConfig.RequiresMountsFor = [
+          "/etc/givc"
+          "/etc/common/journal-fss"
+          "/var/log/journal"
+        ];
         before = lib.mkForce [ ];
       };
 

modules/common/security/audit/default.nix

@@ -15,6 +15,7 @@ let
     optionalString
     optionals
     ;
+  tlsStoragePath = "/persist/storagevm/givc";
 in
 {
   _file = ./host.nix;
@@ -80,7 +81,7 @@ in
         addr = v.ipv4;
       }) config.ghaf.networking.hosts;
       generatorHostName = config.networking.hostName;
-      storagePath = "/persist/storagevm/givc";
+      storagePath = tlsStoragePath;
     };
 
     ghaf.security.audit.extraRules = [