From e2f18057a477dcf7a8e4e8da77e0d532adeeb16c Mon Sep 17 00:00:00 2001
From: Zvonko Kaiser
Date: Thu, 29 May 2025 17:10:03 +0000
Subject: [PATCH] kernel: Add config option for signing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Only sign the kernel if the user has provided the KBUILD_SIGN_PIN otherwise ignore. Whole here, let's move the functionality to the common fragments as it's not a GPU specific functionality.
Signed-off-by: Zvonko Kaiser
Signed-off-by: Fabiano FidĂȘncio
---
 tools/packaging/kernel/build-kernel.sh | 7 +++++++
 .../configs/fragments/common/signing/module_signing.conf | 7 +++++++
 .../kernel/configs/fragments/gpu/nvidia.x86_64.conf.in | 8 +-------
 tools/packaging/kernel/kata_config_version | 2 +-
 4 files changed, 16 insertions(+), 8 deletions(-)
 create mode 100644 tools/packaging/kernel/configs/fragments/common/signing/module_signing.conf
diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh
index 72060acb82..c9a033d987 100755
--- a/tools/packaging/kernel/build-kernel.sh
+++ b/tools/packaging/kernel/build-kernel.sh
@@ -308,6 +308,13 @@ get_kernel_frag_path() {
 all_configs="${all_configs} ${tmpfs_configs}"
 fi
+ if [[ "${KBUILD_SIGN_PIN}" != "" ]]; then
+ info "Enabling config for module signing"
+ local sign_configs
+ sign_configs="$(ls ${common_path}/signing/module_signing.conf)"
+ all_configs="${all_configs} ${sign_configs}"
+ fi
+
 if [[ "$force_setup_generate_config" == "true" ]]; then
 info "Remove existing config ${config_path} due to '-f'"
 [ -f "$config_path" ] && rm -f "${config_path}"
diff --git a/tools/packaging/kernel/configs/fragments/common/signing/module_signing.conf b/tools/packaging/kernel/configs/fragments/common/signing/module_signing.conf
new file mode 100644
index 0000000000..2643bc87d5
--- /dev/null
+++ b/tools/packaging/kernel/configs/fragments/common/signing/module_signing.conf
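Review bot: In the block added to get_kernel_frag_path() in build-kernel.sh, `"${KBUILD_SIGN_PIN}"` is expanded without a default and the path inside `$(ls ...)` is unquoted. If the script runs under `set -o nounset` and no default for the variable is assigned earlier (neither is visible in this hunk), a build without it aborts instead of skipping signing; `if [[ -n "${KBUILD_SIGN_PIN:-}" ]]; then` avoids that, and `sign_configs="$(ls "${common_path}/signing/module_signing.conf")"` keeps a path containing spaces intact. The skip path is also silent: an `else` branch with `info "KBUILD_SIGN_PIN not set, module signing config not applied"` would leave a record in the build log that the resulting kernel does not enforce module signatures. The function starts and ends outside the hunk.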
@@ -0,0 +1,7 @@
+# Module signing
+CONFIG_MODULE_SIG=y
+CONFIG_MODULE_SIG_FORCE=y
+CONFIG_MODULE_SIG_ALL=y
+CONFIG_MODULE_SIG_SHA512=y
+CONFIG_SYSTEM_TRUSTED_KEYS=""
+CONFIG_SYSTEM_TRUSTED_KEYRING=y
diff --git a/tools/packaging/kernel/configs/fragments/gpu/nvidia.x86_64.conf.in b/tools/packaging/kernel/configs/fragments/gpu/nvidia.x86_64.conf.in
index 4285234e0f..c411b2d0de 100644
--- a/tools/packaging/kernel/configs/fragments/gpu/nvidia.x86_64.conf.in
+++ b/tools/packaging/kernel/configs/fragments/gpu/nvidia.x86_64.conf.in
@@ -23,11 +23,5 @@ CONFIG_CRYPTO_ECC=y
 CONFIG_CRYPTO_ECDH=y
 CONFIG_CRYPTO_ECDSA=y
-# Module signing
+# Dependency of _CRYPTO_
 CONFIG_MODULE_SIG=y
-CONFIG_MODULE_SIG_FORCE=y
-CONFIG_MODULE_SIG_ALL=y
-CONFIG_MODULE_SIG_SHA512=y
-CONFIG_SYSTEM_TRUSTED_KEYS=""
-CONFIG_SYSTEM_TRUSTED_KEYRING=y
-
diff --git a/tools/packaging/kernel/kata_config_version b/tools/packaging/kernel/kata_config_version
index 91b629b0fa..29e49a0117 100644
--- a/tools/packaging/kernel/kata_config_version
+++ b/tools/packaging/kernel/kata_config_version
@@ -1 +1 @@
-156
+157
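Review bot: The new module_signing.conf turns on `CONFIG_MODULE_SIG_FORCE` and `CONFIG_MODULE_SIG_ALL` but its only comment is `# Module signing`, which says nothing about which key signs the modules or when the fragment is applied. `CONFIG_MODULE_SIG_KEY` is not set here, so unless another fragment sets it the kernel's default key path applies. Since build-kernel.sh pulls this file in only when KBUILD_SIGN_PIN is non-empty, the header could read `# Module signing: applied by build-kernel.sh only when KBUILD_SIGN_PIN is set; the signing key is taken from CONFIG_MODULE_SIG_KEY`. A one-line comment on `CONFIG_SYSTEM_TRUSTED_KEYS=""` would also help, as it presumably means no extra certificates are compiled into the trusted keyring.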
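Review bot: After this hunk the NVIDIA fragment keeps only `CONFIG_MODULE_SIG=y`, so a GPU kernel built without KBUILD_SIGN_PIN no longer gets `CONFIG_MODULE_SIG_FORCE=y`. Without FORCE the kernel checks signatures but still loads unsigned or unverifiable modules, whereas the old fragment enforced signing unconditionally for this configuration. If that relaxation is intended, the retained comment should say so rather than the terse `# Dependency of _CRYPTO_`, for example `# Needed by the crypto options above; enforcement (MODULE_SIG_FORCE) comes from common/signing/module_signing.conf when KBUILD_SIGN_PIN is set`. If GPU builds are expected to enforce signatures at all times, the build should fail when the PIN is missing instead of falling back to the permissive setting.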