kernel: Add config option for signing

Only sign the kernel if the user has provided the KBUILD_SIGN_PIN otherwise ignore. Whole here, let's move the functionality to the common fragments as it's not a GPU specific functionality. Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com> Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-19 09:51:29 +00:00 · 2025-05-29 17:10:03 +00:00 · 2025-05-29 17:10:03 +00:00 · e2f18057a4
commit e2f18057a4
parent 0aca20986b
4 changed files with 16 additions and 8 deletions
--- a/tools/packaging/kernel/build-kernel.sh
+++ b/tools/packaging/kernel/build-kernel.sh
@ -308,6 +308,13 @@ get_kernel_frag_path() {
 		all_configs="${all_configs} ${tmpfs_configs}"
 	fi

+	if [[ "${KBUILD_SIGN_PIN}" != "" ]]; then
+		info "Enabling config for module signing"
+		local sign_configs
+		sign_configs="$(ls ${common_path}/signing/module_signing.conf)"
+		all_configs="${all_configs} ${sign_configs}"
+	fi
+
 	if [[ "$force_setup_generate_config" == "true" ]]; then
 		info "Remove existing config ${config_path} due to '-f'"
 		[ -f "$config_path" ] && rm -f "${config_path}"
--- a/tools/packaging/kernel/configs/fragments/common/signing/module_signing.conf
+++ b/tools/packaging/kernel/configs/fragments/common/signing/module_signing.conf
@ -0,0 +1,7 @@
+# Module signing
+CONFIG_MODULE_SIG=y
+CONFIG_MODULE_SIG_FORCE=y
+CONFIG_MODULE_SIG_ALL=y
+CONFIG_MODULE_SIG_SHA512=y
+CONFIG_SYSTEM_TRUSTED_KEYS=""
+CONFIG_SYSTEM_TRUSTED_KEYRING=y
--- a/tools/packaging/kernel/configs/fragments/gpu/nvidia.x86_64.conf.in
+++ b/tools/packaging/kernel/configs/fragments/gpu/nvidia.x86_64.conf.in
@ -23,11 +23,5 @@ CONFIG_CRYPTO_ECC=y
 CONFIG_CRYPTO_ECDH=y
 CONFIG_CRYPTO_ECDSA=y

-# Module signing
+# Dependency of _CRYPTO_
 CONFIG_MODULE_SIG=y
-CONFIG_MODULE_SIG_FORCE=y
-CONFIG_MODULE_SIG_ALL=y
-CONFIG_MODULE_SIG_SHA512=y
-CONFIG_SYSTEM_TRUSTED_KEYS=""
-CONFIG_SYSTEM_TRUSTED_KEYRING=y
-
--- a/tools/packaging/kernel/kata_config_version
+++ b/tools/packaging/kernel/kata_config_version
@ -1 +1 @@
-156
+157