github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-06-01 11:56:29 +00:00
Code Issues Projects Releases Wiki Activity

gpu: Add the proper handling in build-kernel.sh

Browse Source 
If KBUILD_SIGN_PIN is provided we can encrypt the signing key
for out-of-tree builds and second round jobs in GHA

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
This commit is contained in:
Zvonko Kaiser 2025-02-12 15:27:57 +00:00
parent bc8360e8a9
commit c2cb89532b
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
tools/packaging/kernel/build-kernel.sh
View File

@ -32,6 +32,7 @@ readonly default_initramfs="${script_dir}/initramfs.cpio.gz"
# xPU vendor # xPU vendor
readonly VENDOR_INTEL="intel" readonly VENDOR_INTEL="intel"
readonly VENDOR_NVIDIA="nvidia" readonly VENDOR_NVIDIA="nvidia"
readonly KBUILD_SIGN_PIN=${KBUILD_SIGN_PIN:-""}
#Path to kernel directory #Path to kernel directory
kernel_path="" kernel_path=""
@ -493,6 +494,15 @@ build_kernel_headers() {
if [ "$linux_headers" == "rpm" ]; then if [ "$linux_headers" == "rpm" ]; then
make -j $(nproc) rpm-pkg ARCH="${arch_target}" make -j $(nproc) rpm-pkg ARCH="${arch_target}"
fi fi
# If we encrypt the key earlier it will break the kernel_headers build.
# At this stage the kernel has created the certs/signing_key.pem
# encrypt it for later usage in another job or out-of-tree build
# only encrypt if we have KBUILD_SIGN_PIN set
local key="certs/signing_key.pem"
if [ -n "${KBUILD_SIGN_PIN}" ]; then
[ -e "${key}" ] || die "${key} missing but KBUILD_SIGN_PIN is set"
openssl rsa -aes256 -in ${key} -out ${key} -passout env:KBUILD_SIGN_PIN
fi
popd >>/dev/null popd >>/dev/null
} }