From 39d3b7fb90c4d8a902ebde58e85e12a505dee562 Mon Sep 17 00:00:00 2001
From: Zvonko Kaiser
Date: Wed, 12 Feb 2025 15:46:50 +0000
Subject: [PATCH] gpu: Update NVIDIA chroot script

We need to place the signing key and cert at the right place and hide the KBUILD_SIGN_PIN from echo'ing or xtrace

Signed-off-by: Zvonko Kaiser
---
 .../rootfs-builder/nvidia/nvidia_chroot.sh | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/tools/osbuilder/rootfs-builder/nvidia/nvidia_chroot.sh b/tools/osbuilder/rootfs-builder/nvidia/nvidia_chroot.sh
index 92ed8d078c..357195acde 100644
--- a/tools/osbuilder/rootfs-builder/nvidia/nvidia_chroot.sh
+++ b/tools/osbuilder/rootfs-builder/nvidia/nvidia_chroot.sh
@@ -5,7 +5,7 @@
 # SPDX-License-Identifier: Apache-2.0
 #!/bin/bash
-set -xeuo pipefail
+set -euo pipefail
 shopt -s nullglob
 shopt -s extglob
@@ -21,6 +21,8 @@ base_os="jammy"
 APT_INSTALL="apt -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' -yqq --no-install-recommends install"
+export KBUILD_SIGN_PIN=$6
+
 export DEBIAN_FRONTEND=noninteractive
 is_feature_enabled() {
@@ -104,9 +106,13 @@ build_nvidia_drivers() {
 echo "chroot: Build NVIDIA drivers"
 pushd "${driver_source_files}" >> /dev/null
+ local certs_dir
 local kernel_version
 for version in /lib/modules/*; do
 kernel_version=$(basename "${version}")
+ certs_dir=/lib/modules/"${kernel_version}"/build/certs
+ signing_key=${certs_dir}/signing_key.pem
+
 echo "chroot: Building GPU modules for: ${kernel_version}"
 cp /boot/System.map-"${kernel_version}" /lib/modules/"${kernel_version}"/build/System.map
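Review bot: The PIN is still exposed after this change, at `export KBUILD_SIGN_PIN=$6`: a secret passed as a positional argument appears in the process listing of whatever invokes this script, and a script-wide `export` hands it to every child process (apt, make), not only the signing step. Prefer a non-exported `KBUILD_SIGN_PIN=${6:-}` and set it only on the command that presumably consumes it, e.g. `KBUILD_SIGN_PIN="${KBUILD_SIGN_PIN}" make INSTALL_MOD_STRIP=1 ... modules_install`. How the caller hands the value over is not visible here, so moving it to a file or an inherited environment variable would need a matching change on that side. `${6:-}` also keeps `set -u` from aborting when fewer than six arguments are passed, which fits the later `[ -n "${KBUILD_SIGN_PIN}" ]` check.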
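Review bot: `signing_key` is assigned inside the loop without a `local` declaration, unlike `certs_dir` added just above it, so the path stays in the script's global scope after `build_nvidia_drivers()` returns. Declare both together: `local certs_dir signing_key`. The function body starts and ends outside this hunk.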
@@ -119,9 +125,16 @@ build_nvidia_drivers() {
 fi
 make -j "$(nproc)" CC=gcc SYSSRC=/lib/modules/"${kernel_version}"/build > /dev/null
+
+ if [ -n "${KBUILD_SIGN_PIN}" ]; then
+ mkdir -p "${certs_dir}" && mv /signing_key.* "${certs_dir}"/.
+ fi
+
 make INSTALL_MOD_STRIP=1 -j "$(nproc)" CC=gcc SYSSRC=/lib/modules/"${kernel_version}"/build modules_install
 make -j "$(nproc)" CC=gcc SYSSRC=/lib/modules/"${kernel_version}"/build clean > /dev/null
-
+ # The make clean above should clear also the certs directory but just in case something
+ # went wroing make sure the signing_key.pem is removed
+ [ -e "${signing_key}" ] && rm -f "${signing_key}"
 done
 # Save the modules for later so that a linux-image purge does not remove it
 tar cvfa /lib/modules.save_from_purge.tar.zst /lib/modules
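Review bot: The private key is cleaned up only on the success path: under `set -e` a failing `make ... modules_install` exits before the `rm -f` line, leaving `signing_key.pem` in `${certs_dir}` inside the rootfs tree. The `mv /signing_key.*` also consumes the source files on the first pass of the `for version in /lib/modules/*` loop, so with a second kernel directory the glob is empty (with `nullglob`, `mv` is left with a single operand) and the build aborts. Consider `cp /signing_key.* "${certs_dir}"/` inside the loop and an exit handler such as `trap 'rm -f -- /signing_key.* /lib/modules/*/build/certs/signing_key.pem' EXIT`, provided the script has no other EXIT trap (not visible here). The `[ -e ... ] &&` guard is redundant, since `rm -f -- "${signing_key}"` already ignores a missing file. The loop and the function begin outside this hunk.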