From 37bd5e3c9d080830b84e63dfd47a33148250a39c Mon Sep 17 00:00:00 2001
From: Zvonko Kaiser
Date: Fri, 10 Oct 2025 16:01:53 +0000
Subject: [PATCH 1/2] gpu: Add kernel CONFIG check

We need to make sure that the kernel we're using has the correct configs set, otherwise the module signing will not work.

Signed-off-by: Zvonko Kaiser
---
 .../rootfs-builder/nvidia/nvidia_chroot.sh | 23 +++++++++++++++++++
 .../rootfs-builder/nvidia/nvidia_rootfs.sh | 9 ++++++++
 2 files changed, 32 insertions(+)

diff --git a/tools/osbuilder/rootfs-builder/nvidia/nvidia_chroot.sh b/tools/osbuilder/rootfs-builder/nvidia/nvidia_chroot.sh
index 80da5e83a0..23ecbbe8b8 100644
--- a/tools/osbuilder/rootfs-builder/nvidia/nvidia_chroot.sh
+++ b/tools/osbuilder/rootfs-builder/nvidia/nvidia_chroot.sh
@@ -6,10 +6,19 @@
 #!/bin/bash
 set -euo pipefail
+[[ -n "${DEBUG}" ]] && set -x
 shopt -s nullglob
 shopt -s extglob
+# Error helpers
+trap 'echo "chroot: ERROR at line ${LINENO}: ${BASH_COMMAND}" >&2' ERR
+die() {
+ local msg="${*:-fatal error}"
+ echo "chroot: ${msg}" >&2
+ exit 1
+}
+
 run_file_name=$2
 run_fm_file_name=$3
 arch_target=$4
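Review bot: `[[ -n "${DEBUG}" ]] && set -x` is evaluated under the `set -euo pipefail` on the line above it, so unless the caller always exports DEBUG into the chroot, an unset DEBUG aborts the script with an unbound-variable error before any work is done; `[[ -n "${DEBUG:-}" ]] && set -x` keeps the same behaviour for set and empty values. The ERR trap added right after it only fires at top level, because bash does not propagate ERR traps into function bodies without errtrace, so a failing command inside build_nvidia_drivers or check_kernel_sig_config will not produce the line-numbered message; `set -Eeuo pipefail` restores that. The same trap/die pair is added to nvidia_rootfs.sh in the `@@ -7,6 +7,15 @@` hunk and needs the same `-E`. Minor: `die` and the trap could use `printf '%s\n' "chroot: ${msg}" >&2` instead of `echo` so a message that happens to start with `-n` or `-e` is printed literally.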
@@ -97,6 +106,19 @@ install_nvidia_fabricmanager_from_distribution() {
 apt-mark hold nvidia-fabricmanager-"${driver_version}" libnvidia-nscq-"${driver_version}"
 }
+check_kernel_sig_config() {
+ [[ -n ${kernel_version} ]] || die "kernel_version is not set"
+ [[ -e /lib/modules/"${kernel_version}"/build/scripts/config ]] || die "Cannot find /lib/modules/${kernel_version}/build/scripts/config"
+ # make sure the used kernel has the proper CONFIG(s) set
+ readonly scripts_config=/lib/modules/"${kernel_version}"/build/scripts/config
+ [[ "$("${scripts_config}" --file "/boot/config-${kernel_version}" --state CONFIG_MODULE_SIG)" == "y" ]] || die "Kernel config CONFIG_MODULE_SIG must be =Y"
+ [[ "$("${scripts_config}" --file "/boot/config-${kernel_version}" --state CONFIG_MODULE_SIG_FORCE)" == "y" ]] || die "Kernel config CONFIG_MODULE_SIG_FORCE must be =Y"
+ [[ "$("${scripts_config}" --file "/boot/config-${kernel_version}" --state CONFIG_MODULE_SIG_ALL)" == "y" ]] || die "Kernel config CONFIG_MODULE_SIG_ALL must be =Y"
+ [[ "$("${scripts_config}" --file "/boot/config-${kernel_version}" --state CONFIG_MODULE_SIG_SHA512)" == "y" ]] || die "Kernel config CONFIG_MODULE_SIG_SHA512 must be =Y"
+ [[ "$("${scripts_config}" --file "/boot/config-${kernel_version}" --state CONFIG_SYSTEM_TRUSTED_KEYS)" == "" ]] || die "Kernel config CONFIG_SYSTEM_TRUSTED_KEYS must be =\"\""
+ [[ "$("${scripts_config}" --file "/boot/config-${kernel_version}" --state CONFIG_SYSTEM_TRUSTED_KEYRING)" == "y" ]] || die "Kernel config CONFIG_SYSTEM_TRUSTED_KEYRING must be =Y"
+}
+
 build_nvidia_drivers() {
 is_feature_enabled "compute" || {
 echo "chroot: Skipping NVIDIA drivers build"
@@ -133,6 +155,7 @@ build_nvidia_drivers() {
 if [[ -n "${KBUILD_SIGN_PIN}" ]]; then
 mkdir -p "${certs_dir}" && mv /signing_key.* "${certs_dir}"/.
+ check_kernel_sig_config
 fi
 make INSTALL_MOD_STRIP=1 -j "$(nproc)" CC=gcc SYSSRC=/lib/modules/"${kernel_version}"/build modules_install
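Review bot: `readonly scripts_config=...` inside check_kernel_sig_config creates a global read-only variable, so a second call to the function, or any later assignment to scripts_config elsewhere in the script, fails with "readonly variable" and terminates the build; it should be `local -r scripts_config=...`. The `[[ -e ... ]]` guard on the line above only proves the helper exists, not that it is executable, and `/boot/config-${kernel_version}` is never checked at all, so a missing or unreadable config file surfaces as the misleading "CONFIG_MODULE_SIG must be =Y"; checking `-x` on the helper and `-r` on the config first gives an accurate error (the helper also reports lowercase `y`, which the messages call `=Y`). The five identical `== "y"` checks can be one loop over the option names, with the empty-string check for CONFIG_SYSTEM_TRUSTED_KEYS kept on its own. The `@@ -108,7 +108,7 @@` hunk of the second patch rewrites the `-e` line again, so the rework has to be carried there as well.
```bash
check_kernel_sig_config() {
	[[ -n ${kernel_version} ]] || die "kernel_version is not set"
	local -r scripts_config=/lib/modules/"${kernel_version}"/build/scripts/config
	local -r kernel_config="/boot/config-${kernel_version}"
	[[ -x "${scripts_config}" ]] || die "Cannot find ${scripts_config}"
	[[ -r "${kernel_config}" ]] || die "Cannot read ${kernel_config}"
	# make sure the used kernel has the proper CONFIG(s) set
	local opt
	for opt in CONFIG_MODULE_SIG CONFIG_MODULE_SIG_FORCE CONFIG_MODULE_SIG_ALL \
		CONFIG_MODULE_SIG_SHA512 CONFIG_SYSTEM_TRUSTED_KEYRING; do
		[[ "$("${scripts_config}" --file "${kernel_config}" --state "${opt}")" == "y" ]] || die "Kernel config ${opt} must be =y"
	done
	[[ "$("${scripts_config}" --file "${kernel_config}" --state CONFIG_SYSTEM_TRUSTED_KEYS)" == "" ]] || die "Kernel config CONFIG_SYSTEM_TRUSTED_KEYS must be =\"\""
}
```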
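Review bot: `check_kernel_sig_config` is called only after `mkdir -p "${certs_dir}" && mv /signing_key.* "${certs_dir}"/.` has already relocated the signing key, so when the config check fails the key material has been moved out of / but the driver build never runs; placing the `check_kernel_sig_config` call before the `mkdir` line fails fast without touching the keys. Because the call sits inside `if [[ -n "${KBUILD_SIGN_PIN}" ]]`, a build without a PIN skips the check entirely, which is presumably intended for unsigned builds; a one-line comment on the `if`, such as `# signing-related kernel CONFIGs only matter when the modules are signed`, would save the next reader from wondering whether the gating is deliberate. build_nvidia_drivers starts and ends outside the hunk.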
diff --git a/tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh b/tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh
index 0ece0f06fb..7fbfdb782a 100644
--- a/tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh
@@ -7,6 +7,15 @@
 set -euo pipefail
 [[ -n "${DEBUG}" ]] && set -x
+# Error helpers
+trap 'echo "rootfs: ERROR at line ${LINENO}: ${BASH_COMMAND}" >&2' ERR
+die() {
+ local msg="${*:-fatal error}"
+ echo "rootfs: ${msg}" >&2
+ exit 1
+}
+
+
 readonly BUILD_DIR="/kata-containers/tools/packaging/kata-deploy/local-build/build/"
 # catch errors and then assign
 script_dir="$(dirname "$(readlink -f "$0")")"

From b00013c717bc0c9bd14c0ca8a50182206ecf4f4b Mon Sep 17 00:00:00 2001
From: Zvonko Kaiser
Date: Fri, 10 Oct 2025 16:57:52 +0000
Subject: [PATCH 2/2] kernel: Add KBUILD_SIGN_PIN pass through

This is needed to the kernel setup picks up the correct config values from our fragments directories.

Signed-off-by: Zvonko Kaiser
---
 tools/osbuilder/rootfs-builder/nvidia/nvidia_chroot.sh | 2 +-
 tools/packaging/static-build/kernel/build.sh | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/tools/osbuilder/rootfs-builder/nvidia/nvidia_chroot.sh b/tools/osbuilder/rootfs-builder/nvidia/nvidia_chroot.sh
index 23ecbbe8b8..28b92e0ad0 100644
--- a/tools/osbuilder/rootfs-builder/nvidia/nvidia_chroot.sh
+++ b/tools/osbuilder/rootfs-builder/nvidia/nvidia_chroot.sh
@@ -108,7 +108,7 @@ install_nvidia_fabricmanager_from_distribution() {
 check_kernel_sig_config() {
 [[ -n ${kernel_version} ]] || die "kernel_version is not set"
- [[ -e /lib/modules/"${kernel_version}"/build/scripts/config ]] || die "Cannot find /lib/modules/${kernel_version}/build/scripts/config"
+ [[ -e /lib/modules/"${kernel_version}"/build/scripts/config ]] || die "Cannot find /lib/modules/${kernel_version}/build/scripts/config"
 # make sure the used kernel has the proper CONFIG(s) set
 readonly scripts_config=/lib/modules/"${kernel_version}"/build/scripts/config
 [[ "$("${scripts_config}" --file "/boot/config-${kernel_version}" --state CONFIG_MODULE_SIG)" == "y" ]] || die "Kernel config CONFIG_MODULE_SIG must be =Y"
diff --git a/tools/packaging/static-build/kernel/build.sh b/tools/packaging/static-build/kernel/build.sh
index d997f86d1a..5a20728d14 100755
--- a/tools/packaging/static-build/kernel/build.sh
+++ b/tools/packaging/static-build/kernel/build.sh
@@ -74,6 +74,7 @@ container_build+=" --build-arg ARCH=${ARCH:-}"
 "${container_engine}" run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
 -w "${PWD}" \
 --env KERNEL_DEBUG_ENABLED="${KERNEL_DEBUG_ENABLED}" \
+ --env KBUILD_SIGN_PIN="${KBUILD_SIGN_PIN}" \
 --user "$(id -u)":"$(id -g)" \
 "${container_image}" \
 bash -c "${kernel_builder} ${kernel_builder_args} setup"
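Review bot: `--env KBUILD_SIGN_PIN="${KBUILD_SIGN_PIN}"` places the module-signing PIN in the container engine's argument list, where it is readable by every local user through the process table and is echoed into any `set -x` trace of build.sh; both docker and podman accept the bare form `--env KBUILD_SIGN_PIN \`, which copies the value from the caller's environment without putting it on the command line. The bare form also handles the no-PIN case cleanly, since an unset variable is simply not passed into the container, whereas the expansion as written would abort under `set -u` if build.sh enables it (its header is outside the hunk) and the variable is not exported; if the `NAME=value` form is kept, `"${KBUILD_SIGN_PIN:-}"` avoids that. The commit message says this is what lets the kernel setup step pick up the config fragments, so a short comment above the line, `# KBUILD_SIGN_PIN selects the module-signing config fragments in the setup step`, would tie the two together for the next reader.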