diff --git a/tools/osbuilder/rootfs-builder/nvidia/nvidia_chroot.sh b/tools/osbuilder/rootfs-builder/nvidia/nvidia_chroot.sh
index 80da5e83a0..28b92e0ad0 100644
--- a/tools/osbuilder/rootfs-builder/nvidia/nvidia_chroot.sh
+++ b/tools/osbuilder/rootfs-builder/nvidia/nvidia_chroot.sh
@@ -6,10 +6,19 @@
 #!/bin/bash
 set -euo pipefail
+[[ -n "${DEBUG}" ]] && set -x
 shopt -s nullglob
 shopt -s extglob
+# Error helpers
+trap 'echo "chroot: ERROR at line ${LINENO}: ${BASH_COMMAND}" >&2' ERR
+die() {
+ local msg="${*:-fatal error}"
+ echo "chroot: ${msg}" >&2
+ exit 1
+}
+
 run_file_name=$2
 run_fm_file_name=$3
 arch_target=$4
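Review bot: `[[ -n "${DEBUG}" ]] && set -x` is added directly after `set -euo pipefail`, so unless the caller guarantees that DEBUG is exported into the chroot environment, `-u` aborts the script with an unbound-variable error before anything else runs; `[[ -n "${DEBUG:-}" ]] && set -x` is the safe spelling. Turning on `set -x` here also traces every later expansion, including the `[[ -n "${KBUILD_SIGN_PIN}" ]]` test in build_nvidia_drivers, so the module-signing PIN lands in the build log whenever DEBUG is set; a comment such as `# NOTE: set -x echoes expanded secrets (KBUILD_SIGN_PIN) into the log` or a `set +x`/`set -x` pair around the signing section would make that explicit. The new ERR trap does not fire for commands failing inside functions unless errtrace is enabled (`set -Eeuo pipefail`), and most of this script's work happens inside functions.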
@@ -97,6 +106,19 @@ install_nvidia_fabricmanager_from_distribution() {
 apt-mark hold nvidia-fabricmanager-"${driver_version}" libnvidia-nscq-"${driver_version}"
 }
+check_kernel_sig_config() {
+ [[ -n ${kernel_version} ]] || die "kernel_version is not set"
+ [[ -e /lib/modules/"${kernel_version}"/build/scripts/config ]] || die "Cannot find /lib/modules/${kernel_version}/build/scripts/config"
+ # make sure the used kernel has the proper CONFIG(s) set
+ readonly scripts_config=/lib/modules/"${kernel_version}"/build/scripts/config
+ [[ "$("${scripts_config}" --file "/boot/config-${kernel_version}" --state CONFIG_MODULE_SIG)" == "y" ]] || die "Kernel config CONFIG_MODULE_SIG must be =Y"
+ [[ "$("${scripts_config}" --file "/boot/config-${kernel_version}" --state CONFIG_MODULE_SIG_FORCE)" == "y" ]] || die "Kernel config CONFIG_MODULE_SIG_FORCE must be =Y"
+ [[ "$("${scripts_config}" --file "/boot/config-${kernel_version}" --state CONFIG_MODULE_SIG_ALL)" == "y" ]] || die "Kernel config CONFIG_MODULE_SIG_ALL must be =Y"
+ [[ "$("${scripts_config}" --file "/boot/config-${kernel_version}" --state CONFIG_MODULE_SIG_SHA512)" == "y" ]] || die "Kernel config CONFIG_MODULE_SIG_SHA512 must be =Y"
+ [[ "$("${scripts_config}" --file "/boot/config-${kernel_version}" --state CONFIG_SYSTEM_TRUSTED_KEYS)" == "" ]] || die "Kernel config CONFIG_SYSTEM_TRUSTED_KEYS must be =\"\""
+ [[ "$("${scripts_config}" --file "/boot/config-${kernel_version}" --state CONFIG_SYSTEM_TRUSTED_KEYRING)" == "y" ]] || die "Kernel config CONFIG_SYSTEM_TRUSTED_KEYRING must be =Y"
+}
+
 build_nvidia_drivers() {
 is_feature_enabled "compute" || {
 echo "chroot: Skipping NVIDIA drivers build"
@@ -133,6 +155,7 @@ build_nvidia_drivers() {
 if [[ -n "${KBUILD_SIGN_PIN}" ]]; then
 mkdir -p "${certs_dir}" && mv /signing_key.* "${certs_dir}"/.
+ check_kernel_sig_config
 fi
 make INSTALL_MOD_STRIP=1 -j "$(nproc)" CC=gcc SYSSRC=/lib/modules/"${kernel_version}"/build modules_install
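Review bot: check_kernel_sig_config validates `/boot/config-${kernel_version}`, but the modules are compiled against `SYSSRC=/lib/modules/${kernel_version}/build`, and it is the `.config` of that tree that decides whether `modules_install` signs anything (CONFIG_MODULE_SIG_ALL) and with which key; if those two files can diverge in the rootfs image, the check should read the build tree's `.config` (or both) rather than only the /boot copy. `readonly scripts_config=...` creates a global, so a second invocation of the function dies with "readonly variable"; `local -r` keeps the intent without that trap. The six near-identical `[[ "$(...)" == ... ]] || die` lines can be driven from a small table, which also reports the value actually found and makes adding a CONFIG_MODULE_SIG_KEY or hash-algorithm check a one-line change.
```shell
check_kernel_sig_config() {
	[[ -n ${kernel_version} ]] || die "kernel_version is not set"
	local -r scripts_config=/lib/modules/"${kernel_version}"/build/scripts/config
	local -r config_file="/boot/config-${kernel_version}"
	[[ -e "${scripts_config}" ]] || die "Cannot find ${scripts_config}"
	[[ -e "${config_file}" ]] || die "Cannot find ${config_file}"

	# OPTION=<state as printed by scripts/config --state>; an empty state
	# means the string option must be set to "".
	local -ra required=(
		CONFIG_MODULE_SIG=y
		CONFIG_MODULE_SIG_FORCE=y
		CONFIG_MODULE_SIG_ALL=y
		CONFIG_MODULE_SIG_SHA512=y
		CONFIG_SYSTEM_TRUSTED_KEYS=
		CONFIG_SYSTEM_TRUSTED_KEYRING=y
	)
	local entry opt want got
	for entry in "${required[@]}"; do
		opt="${entry%%=*}"
		want="${entry#*=}"
		got="$("${scripts_config}" --file "${config_file}" --state "${opt}")"
		[[ "${got}" == "${want}" ]] || die "Kernel config ${opt} must be =\"${want}\" (found \"${got}\")"
	done
}
```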
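Review bot: check_kernel_sig_config is called after `mkdir -p "${certs_dir}" && mv /signing_key.* "${certs_dir}"/.`, so a kernel that lacks the required signing options is only reported once the key material has already been relocated into the kernel tree; placing `check_kernel_sig_config` on the line before the `mkdir`/`mv` fails fast without touching the key. The check is also only reached when KBUILD_SIGN_PIN is non-empty, so a build with no PIN against a CONFIG_MODULE_SIG_FORCE kernel goes straight to `modules_install` without any validation — presumably intended, but a comment such as `# unsigned builds are deliberately not validated against the kernel's MODULE_SIG settings` would record that decision. build_nvidia_drivers starts and ends outside this hunk.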
diff --git a/tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh b/tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh
index 0ece0f06fb..7fbfdb782a 100644
--- a/tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh
@@ -7,6 +7,15 @@
 set -euo pipefail
 [[ -n "${DEBUG}" ]] && set -x
+# Error helpers
+trap 'echo "rootfs: ERROR at line ${LINENO}: ${BASH_COMMAND}" >&2' ERR
+die() {
+ local msg="${*:-fatal error}"
+ echo "rootfs: ${msg}" >&2
+ exit 1
+}
+
+
 readonly BUILD_DIR="/kata-containers/tools/packaging/kata-deploy/local-build/build/"
 # catch errors and then assign
 script_dir="$(dirname "$(readlink -f "$0")")"
diff --git a/tools/packaging/static-build/kernel/build.sh b/tools/packaging/static-build/kernel/build.sh
index d997f86d1a..5a20728d14 100755
--- a/tools/packaging/static-build/kernel/build.sh
+++ b/tools/packaging/static-build/kernel/build.sh
@@ -74,6 +74,7 @@ container_build+=" --build-arg ARCH=${ARCH:-}"
 "${container_engine}" run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
 -w "${PWD}" \
 --env KERNEL_DEBUG_ENABLED="${KERNEL_DEBUG_ENABLED}" \
+ --env KBUILD_SIGN_PIN="${KBUILD_SIGN_PIN}" \
 --user "$(id -u)":"$(id -g)" \
 "${container_image}" \
 bash -c "${kernel_builder} ${kernel_builder_args} setup"
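Review bot: The ERR trap added here only reports `${LINENO}: ${BASH_COMMAND}` for failures at top level: bash does not inherit the ERR trap into functions unless errtrace is on, and the `set -euo pipefail` on the context line above does not enable it, so a command that fails inside a function still aborts via `-e` but prints no location. Add `set -E` next to the trap (or change the existing line to `set -Eeuo pipefail`), or document the limitation with `# NOTE: without set -E this trap only covers top-level commands`. The same helper block appears verbatim in nvidia_chroot.sh with a different prefix; presumably deliberate since the chroot script cannot source files from the host.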
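Review bot: `--env KBUILD_SIGN_PIN="${KBUILD_SIGN_PIN}"` puts the module-signing PIN on the container engine's command line, where it is readable by every user on the build host via `ps` or `/proc/*/cmdline` and is echoed by any `set -x` trace of this script. Both docker and podman accept the name-only form `--env KBUILD_SIGN_PIN \`, which copies the value from the calling environment without placing it on argv; the caller then has to `export KBUILD_SIGN_PIN`. If build.sh runs under `set -u` (not visible in this hunk), the current spelling also aborts when the variable is unset, whereas the name-only form simply omits it from the container.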