Enable Dynamic Policy Management via ghaf-givc#1758

Open
gngram wants to merge 8 commits into tiiuae:main from gngram:pulls/policy-management

gngram (Contributor) commented Feb 16, 2026

Description of Changes

This PR introduces policy management capabilities within the ghaf-givc implementation. It establishes a distinction between policy administrators and clients, allowing for dynamic updates to system configurations such as firewalls and proxies.

Key Changes:
Policy Architecture:

  • Implemented policyAdmin specifically for the admin-vm.
  • Implemented policyClient for the host and remaining VMs.
  • Added ghaf.common.policies option to accumulate policies from various VMs.

Dynamic Configuration:

  • Enabled dynamic firewall rule updates via the policy admin.
  • Enabled proxy-config updates via the policy admin.

GIVC Integration:

  • Updated givc configurations to align with agents.
  • Updated configs for YubiKey and Boot-UI integration.

Type of Change

  • New Feature
  • Bug Fix
  • Improvement / Refactor

Related Issues / Tickets

Checklist

  • Clear summary in PR description
  • Detailed and meaningful commit message(s)
  • Commits are logically organized and squashed if appropriate
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • Author has run make-checks and it passes
  • All automatic GitHub Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

  • Orin AGX aarch64
  • Orin NX aarch64
  • Lenovo X1 x86_64
  • Dell Latitude x86_64
  • System 76 x86_64

Installation Method

  • Requires full re-installation
  • Can be updated with nixos-rebuild ... switch
  • Other:

Test Steps To Verify:

  1. Every functionality should work as usual.
  2. I have restricted access to ChatGPT in chrome-vm via a dynamic policy update for testing (will remove it later). With this PR you should not be able to access ChatGPT from Google Chrome.

kajusnau (Collaborator) left a comment

Cool change!
Some opinionated, some refactor comments.
Also, is it possible to define some example test scenario instead of a generic "Every functionality should work as usual."? 😁

vunnyso (Collaborator) left a comment

PR title has a typo, and wip can be removed if the change is ready.

gngram (Contributor, Author) commented Feb 16, 2026

> PR title has a typo, and wip can be removed if the change is ready.

Waiting for the ghaf-givc commit to be merged on mainline. Once done, I will remove the wip status and will also update the givc URL in flake.nix.

- updated givc options to align it with the givc agents
- policyAdmin is for admin-vm, policyClient is for rest of the VMs and host

Signed-off-by: Ganga Ram <Ganga.Ram@tii.ae>
- option added ghaf.common.policies

Signed-off-by: Ganga Ram <Ganga.Ram@tii.ae>
Signed-off-by: Ganga Ram <Ganga.Ram@tii.ae>
- update givc configs for yubikey and boot-ui

Signed-off-by: Ganga Ram <Ganga.Ram@tii.ae>
Signed-off-by: Ganga Ram <Ganga.Ram@tii.ae>
Signed-off-by: Ganga Ram <Ganga.Ram@tii.ae>
Signed-off-by: Ganga Ram <Ganga.Ram@tii.ae>
Signed-off-by: Ganga Ram <Ganga.Ram@tii.ae>
gngram force-pushed the pulls/policy-management branch from 70ee43b to 92bcecc, Feb 20, 2026 11:17
gngram added the "Needs Testing" (CI Team to pre-verify) label, Feb 20, 2026
gngram changed the title from "[wip] nable Dynamic Policy Management via ghaf-givc" to "Enable Dynamic Policy Management via ghaf-givc", Feb 20, 2026
milva-unikie commented

Tested on Darter Pro (new image)

  • Policy management is not working as described in the testing instructions, ChatGPT is not blocked in chrome-vm Google Chrome

milva-unikie added the "Bug on System76" label and removed the "Needs Testing" (CI Team to pre-verify) label, Feb 23, 2026
gngram (Contributor, Author) commented Feb 23, 2026

@milva-unikie, I am sorry for not providing clear steps to test it.
The first time you boot with a network cable plugged in, the policy applies within 1-2 minutes. In case you are using wifi, after configuring the wifi network you need to wait for 5-6 minutes.
On boot it polls for the policy every 5 minutes. By the time we configure wifi, the first poll has happened, and due to network unavailability it doesn't get the latest policy. If you don't want to wait, reboot the system after saving the wifi configuration.

Once the policy is downloaded, it persists; the effect is permanent, so subsequent boots will have the effect immediately.

I always tested with a network cable plugged in on Lenovo-X1, so I forgot to mention these details.
I tested with wifi on system76; it works fine, as expected.

milva-unikie commented

> @milva-unikie, I am sorry for not providing clear steps to test it. The first time you boot with a network cable plugged in, the policy applies within 1-2 minutes. In case you are using wifi, after configuring the wifi network you need to wait for 5-6 minutes. On boot it polls for the policy every 5 minutes. By the time we configure wifi, the first poll has happened, and due to network unavailability it doesn't get the latest policy. If you don't want to wait, reboot the system after saving the wifi configuration.
>
> Once the policy is downloaded, it persists; the effect is permanent, so subsequent boots will have the effect immediately.
>
> I always tested with a network cable plugged in on Lenovo-X1, so I forgot to mention these details. I tested with wifi on system76; it works fine, as expected.

After waiting for a while chatgpt.com can no longer be accessed. However, I would argue that it being available for several minutes is still a bug. It is not very secure that the pages can be accessed before the policy is applied.

gngram (Contributor, Author) commented Feb 23, 2026

Since policy polling is periodic by design, there will always be a small window between checks. That is indeed a performance trade-off between reducing CPU/network overhead and achieving real-time policy enforcement. The fact that the polling interval is configurable helps balance security requirements with system efficiency.

Also, once the policy is successfully downloaded and applied, it becomes resident and effective immediately — including across reboots — which means the security posture is maintained after the initial update.

This is a common trade-off: polling avoids complexity and resource overhead, while push frameworks can reduce latency but require additional infrastructure on both the Ghaf machine and the policy server.

milva-unikie commented

> Since policy polling is periodic by design, there will always be a small window between checks. That is indeed a performance trade-off between reducing CPU/network overhead and achieving real-time policy enforcement. The fact that the polling interval is configurable helps balance security requirements with system efficiency.
>
> Also, once the policy is successfully downloaded and applied, it becomes resident and effective immediately — including across reboots — which means the security posture is maintained after the initial update.
>
> This is a common trade-off: polling avoids complexity and resource overhead, while push frameworks can reduce latency but require additional infrastructure on both the Ghaf machine and the policy server.

Allowed addresses are also restricted in business-vm, but there everything is blocked until the list has been fetched. I believe it takes a maximum of two minutes to update after the internet connection is established.

I don’t think the current solution is optimal, but it works as described.

For testing purposes, it would be good to keep some address blocked. Definitely not ChatGPT, but some random website that we are not expecting anyone to visit accidentally.
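
The trade-off debated in this thread (periodic polling with a first poll that fails before the network is up, a persisted policy, and the business-vm behaviour of blocking until the list is fetched) can be modelled as a small policy gate. This is an added example, not code from the PR or from ghaf-givc; `PolicyClient`, `retry_interval`, the first poll at t=0 and the host names are assumptions made for illustration.

```python
class PolicyClient:
    """Toy model of a polling policy client that gates hostnames (illustrative)."""

    def __init__(self, fetch, poll_interval=300, retry_interval=None,
                 default_deny=False, persisted=None):
        self.fetch = fetch                      # callable(now) -> iterable of blocked hosts
        self.poll_interval = poll_interval      # 5 minutes, as stated in the thread
        self.retry_interval = retry_interval or poll_interval  # hypothetical faster retry
        self.default_deny = default_deny        # block everything until a policy exists
        self.blocked = persisted                # None means no policy has ever been loaded
        self.next_poll = 0                      # assumption: first poll right at boot

    def tick(self, now):
        if now < self.next_poll:
            return
        try:
            self.blocked = set(self.fetch(now))
            self.next_poll = now + self.poll_interval
        except ConnectionError:
            # A failed poll keeps whatever policy is already loaded.
            self.next_poll = now + self.retry_interval

    def allowed(self, host, now):
        self.tick(now)
        if self.blocked is None:                # no policy yet: posture decides
            return not self.default_deny
        return host not in self.blocked


def make_fetch(network_up_at, blocklist):
    """Constructed policy server: unreachable until the network comes up."""
    def fetch(now):
        if now < network_up_at:
            raise ConnectionError("policy server unreachable")
        return blocklist
    return fetch


def exposure_seconds(client, host, network_up_at, horizon=900):
    """Seconds (1 s steps) in which host is reachable while the network is up."""
    return sum(1 for t in range(horizon)
               if client.allowed(host, t) and t >= network_up_at)


if __name__ == "__main__":
    fetch = make_fetch(75, {"blocked.example"})   # constructed: wifi ready 75 s after boot
    for label, kw in [("default-allow", {}), ("retry 30 s", {"retry_interval": 30}),
                      ("default-deny", {"default_deny": True}),
                      ("persisted", {"persisted": {"blocked.example"}})]:
        print(label, exposure_seconds(PolicyClient(fetch, **kw), "blocked.example", 75))
```

With these constructed timings the default-allow client leaves the blocked host reachable until the second poll, while default-deny removes the exposure at the cost of blocking every host until the first successful fetch.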
