Merge pull request #11916 from zvonkok/fix-kernel-module-signing

gpu: Fix kernel module signing
Aurélien Bombo
2025-10-10 17:17:08 -05:00
committed by GitHub
3 changed files with 33 additions and 0 deletions


@@ -6,10 +6,19 @@
#!/bin/bash
set -euo pipefail
[[ -n "${DEBUG}" ]] && set -x
shopt -s nullglob
shopt -s extglob
# Error helpers
trap 'echo "chroot: ERROR at line ${LINENO}: ${BASH_COMMAND}" >&2' ERR
die() {
local msg="${*:-fatal error}"
echo "chroot: ${msg}" >&2
exit 1
}
run_file_name=$2
run_fm_file_name=$3
arch_target=$4
@@ -97,6 +106,19 @@ install_nvidia_fabricmanager_from_distribution() {
apt-mark hold nvidia-fabricmanager-"${driver_version}" libnvidia-nscq-"${driver_version}"
}
check_kernel_sig_config() {
[[ -n ${kernel_version} ]] || die "kernel_version is not set"
[[ -e /lib/modules/"${kernel_version}"/build/scripts/config ]] || die "Cannot find /lib/modules/${kernel_version}/build/scripts/config"
# make sure the used kernel has the proper CONFIG(s) set
readonly scripts_config=/lib/modules/"${kernel_version}"/build/scripts/config
[[ "$("${scripts_config}" --file "/boot/config-${kernel_version}" --state CONFIG_MODULE_SIG)" == "y" ]] || die "Kernel config CONFIG_MODULE_SIG must be =Y"
[[ "$("${scripts_config}" --file "/boot/config-${kernel_version}" --state CONFIG_MODULE_SIG_FORCE)" == "y" ]] || die "Kernel config CONFIG_MODULE_SIG_FORCE must be =Y"
[[ "$("${scripts_config}" --file "/boot/config-${kernel_version}" --state CONFIG_MODULE_SIG_ALL)" == "y" ]] || die "Kernel config CONFIG_MODULE_SIG_ALL must be =Y"
[[ "$("${scripts_config}" --file "/boot/config-${kernel_version}" --state CONFIG_MODULE_SIG_SHA512)" == "y" ]] || die "Kernel config CONFIG_MODULE_SIG_SHA512 must be =Y"
[[ "$("${scripts_config}" --file "/boot/config-${kernel_version}" --state CONFIG_SYSTEM_TRUSTED_KEYS)" == "" ]] || die "Kernel config CONFIG_SYSTEM_TRUSTED_KEYS must be =\"\""
[[ "$("${scripts_config}" --file "/boot/config-${kernel_version}" --state CONFIG_SYSTEM_TRUSTED_KEYRING)" == "y" ]] || die "Kernel config CONFIG_SYSTEM_TRUSTED_KEYRING must be =Y"
}
build_nvidia_drivers() {
is_feature_enabled "compute" || {
echo "chroot: Skipping NVIDIA drivers build"
@@ -133,6 +155,7 @@ build_nvidia_drivers() {
if [[ -n "${KBUILD_SIGN_PIN}" ]]; then
mkdir -p "${certs_dir}" && mv /signing_key.* "${certs_dir}"/.
check_kernel_sig_config
fi
make INSTALL_MOD_STRIP=1 -j "$(nproc)" CC=gcc SYSSRC=/lib/modules/"${kernel_version}"/build modules_install
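Review bot: check_kernel_sig_config verifies that scripts/config exists but never checks `/boot/config-${kernel_version}`, which every `--state` query reads; when that file is missing, scripts/config appears to print `undef` for each symbol, so the function dies with the misleading message `Kernel config CONFIG_MODULE_SIG must be =Y` instead of naming the absent config file. Add `[[ -r /boot/config-${kernel_version} ]] || die "Cannot find /boot/config-${kernel_version}"` next to the existing existence check. The `readonly scripts_config=...` line also creates a global read-only variable, so a second call of the function would fail on reassignment under set -e; `local -r scripts_config=/lib/modules/"${kernel_version}"/build/scripts/config` keeps it function-scoped. The `die` on a failed check runs after `mv /signing_key.* "${certs_dir}"/.` in the last hunk, so calling `check_kernel_sig_config` before the move would fail fast without touching the key files; build_nvidia_drivers continues outside the hunk.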


@@ -7,6 +7,15 @@
set -euo pipefail
[[ -n "${DEBUG}" ]] && set -x
# Error helpers
trap 'echo "rootfs: ERROR at line ${LINENO}: ${BASH_COMMAND}" >&2' ERR
die() {
local msg="${*:-fatal error}"
echo "rootfs: ${msg}" >&2
exit 1
}
readonly BUILD_DIR="/kata-containers/tools/packaging/kata-deploy/local-build/build/"
# catch errors and then assign
script_dir="$(dirname "$(readlink -f "$0")")"
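Review bot: The `trap '...' ERR` added here, and the identical one in the chroot script's first hunk, is not inherited by shell functions, command substitutions or subshells unless errtrace is enabled, so a command failing inside any function body exits via `set -e` without printing the `rootfs: ERROR at line …` diagnostic the trap is meant to give. Change the strict-mode line above to `set -Eeuo pipefail`, or add `set -E` beside the trap, in both scripts. With that in place `${LINENO}` and `${BASH_COMMAND}` in the single-quoted trap string expand at trap time, so the report names the failing line inside the function as intended.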


@@ -74,6 +74,7 @@ container_build+=" --build-arg ARCH=${ARCH:-}"
"${container_engine}" run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
-w "${PWD}" \
--env KERNEL_DEBUG_ENABLED="${KERNEL_DEBUG_ENABLED}" \
--env KBUILD_SIGN_PIN="${KBUILD_SIGN_PIN}" \
--user "$(id -u)":"$(id -g)" \
"${container_image}" \
bash -c "${kernel_builder} ${kernel_builder_args} setup"
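Review bot: `--env KBUILD_SIGN_PIN="${KBUILD_SIGN_PIN}"` puts the module-signing PIN on the container engine's command line, where it is readable by other users of the build host via `ps` and is echoed by any `set -x` tracing for as long as the run lasts. Both docker and podman accept `--env KBUILD_SIGN_PIN` with no value and pass the variable through from the caller's environment, which keeps the secret out of argv; the chroot script's `[[ -n "${KBUILD_SIGN_PIN}" ]]` check behaves the same either way. If this script runs under `set -u` like the chroot and rootfs scripts, an unset `KBUILD_SIGN_PIN` would also abort the unsigned build path on this line; the pass-through form sidesteps that, or `"${KBUILD_SIGN_PIN:-}"` keeps the current form working. The enclosing function starts before the hunk, so I cannot see which `set` options apply.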