Merge pull request #2798 from flatcar/danzatt/nvidia-drivers-signing

Add prebuilt NVIDIA drivers in a sysext

- Add capability to specify per-sysext USE flags and compile different versions of upstream portage nvidia-drivers (including open and non-open variants).
- Allow architecture-specific OS-dependent sysexts
- Pull `nvidia-drivers` from portage and build sysexts from the package

Related PRs:
NVIDIA tests using sysext: [mantle #598](flatcar/mantle#598)
NVIDIA runtime modifications to remove `nvidia-smi` symlink: [sysext-bakery #153](flatcar/sysext-bakery#153)

Author: danzatt

.github/workflows/portage-stable-packages-list

@@ -51,6 +51,7 @@ acct-user/named
 acct-user/netperf
 acct-user/nobody
 acct-user/ntp
+acct-user/nvpd
 acct-user/pcap
 acct-user/pcscd
 acct-user/polkitd

build_image

@@ -33,7 +33,7 @@ DEFINE_string base_pkg "coreos-base/coreos" \
   "The base portage package to base the build off of (only applies to prod images)"
 DEFINE_string base_dev_pkg "coreos-base/coreos-dev" \
   "The base portage package to base the build off of (only applies to dev containers)"
-DEFINE_string base_sysexts "containerd-flatcar:app-containers/containerd,docker-flatcar:app-containers/docker&app-containers/docker-cli&app-containers/docker-buildx" \
+DEFINE_string base_sysexts "containerd-flatcar|app-containers/containerd,docker-flatcar|app-containers/docker&app-containers/docker-cli&app-containers/docker-buildx" \
   "Comma-separated list of name:package[&package[&package]] - build 'package' (a single package or a list of packages separated by '&') into sysext 'name', and include with OS image and update payload. Must be in order of dependencies, base sysexts come first."
 DEFINE_string output_root "${DEFAULT_BUILD_ROOT}/images" \
   "Directory in which to place image result directories (named by version)"

build_library/extra_sysexts.sh

@@ -1,5 +1,27 @@
 EXTRA_SYSEXTS=(
-  zfs:sys-fs/zfs
-  podman:app-containers/podman,net-misc/passt
-  python:dev-lang/python,dev-python/pip
+  "zfs|sys-fs/zfs"
+  "podman|app-containers/podman,net-misc/passt"
+  "python|dev-lang/python,dev-python/pip"
+  "nvidia-drivers-535|x11-drivers/nvidia-drivers:0/535|-kernel-open persistenced|amd64"
+  "nvidia-drivers-535-open|x11-drivers/nvidia-drivers:0/535|kernel-open persistenced|amd64"
+  "nvidia-drivers-550|x11-drivers/nvidia-drivers:0/550|-kernel-open persistenced|amd64"
+  "nvidia-drivers-550-open|x11-drivers/nvidia-drivers:0/550|kernel-open persistenced|amd64"
+  "nvidia-drivers-570|x11-drivers/nvidia-drivers:0/570|-kernel-open persistenced|amd64"
+  "nvidia-drivers-570-open|x11-drivers/nvidia-drivers:0/570|kernel-open persistenced|amd64"
 )
+
+_get_unversioned_sysext_packages_unsorted() {
+  for sysext in "${EXTRA_SYSEXTS[@]}"; do
+    IFS="|" read -r _ PACKAGE_ATOMS _ <<< "$sysext"
+
+    IFS=,
+    for atom in $PACKAGE_ATOMS; do
+       qatom "$atom" -F "%{CATEGORY}/%{PN}"
+    done
+    unset IFS
+  done
+}
+
+get_unversioned_sysext_packages() {
+  _get_unversioned_sysext_packages_unsorted | sort | uniq
+}

build_library/prod_image_util.sh

@@ -213,18 +213,36 @@ create_prod_sysexts() {
   local image_name="$1"
   local image_sysext_base="${image_name%.bin}_sysext.squashfs"
   for sysext in "${EXTRA_SYSEXTS[@]}"; do
-    local name="flatcar-${sysext%:*}"
-    local pkgs="${sysext#*:}"
+    local name pkgs useflags arches
+    IFS="|" read -r name pkgs useflags arches <<< "$sysext"
+    name="flatcar-$name"
     local pkg_array=(${pkgs//,/ })
+    local arch_array=(${arches//,/ })
+    local useflags_array=(${useflags//,/ })
+
     local mangle_script="${BUILD_LIBRARY_DIR}/sysext_mangle_${name}"
     if [[ ! -x "${mangle_script}" ]]; then
       mangle_script=
     fi
+
+    if [[ -n "$arches" ]]; then
+      should_skip=1
+      for arch in "${arch_array[@]}"; do
+        if [[ $arch == "$ARCH" ]]; then
+          should_skip=0
+        fi
+      done
+      if [[ $should_skip -eq 1 ]]; then
+        continue
+      fi
+    fi
+
     sudo rm -f "${BUILD_DIR}/${name}.raw" \
 	"${BUILD_DIR}/flatcar-test-update-${name}.gz" \
 	"${BUILD_DIR}/${name}_*"
-    sudo "${SCRIPT_ROOT}/build_sysext" --board="${BOARD}" \
-        --squashfs_base="${BUILD_DIR}/${image_sysext_base}" \
+    # we use -E to pass the USE flags, but also MODULES_SIGN variables
+    USE="${useflags_array[*]}" sudo -E "${SCRIPT_ROOT}/build_sysext" --board="${BOARD}" \
+	--squashfs_base="${BUILD_DIR}/${image_sysext_base}" \
 	--image_builddir="${BUILD_DIR}" \
 	${mangle_script:+--manglefs_script=${mangle_script}} \
 	"${name}" "${pkg_array[@]}"

build_library/sysext_prod_builder

@@ -113,8 +113,8 @@ prev_pkginfo=""
 sysext_lowerdirs="${sysext_mountdir}/rootfs-lower"
 for sysext in ${sysexts_list//,/ }; do
   # format is "<name>:<group>/<package>"
-  name="${sysext%:*}"
-  grp_pkg="${sysext#*:}"
+  name="${sysext%|*}"
+  grp_pkg="${sysext#*|}"
   create_prod_sysext "${BOARD}" \
                      "${sysext_output_dir}" \
                      "${sysext_workdir}" \

build_packages

@@ -117,6 +117,7 @@ fi
 . "${BUILD_LIBRARY_DIR}/toolchain_util.sh" || exit 1
 . "${BUILD_LIBRARY_DIR}/board_options.sh" || exit 1
 . "${BUILD_LIBRARY_DIR}/test_image_content.sh" || exit 1
+. "${BUILD_LIBRARY_DIR}/extra_sysexts.sh" || exit 1
 
 # Setup all the emerge command/flags.
 EMERGE_FLAGS=( --update --deep --newuse --verbose --backtrack=30 --select )
@@ -285,6 +286,48 @@ export KBUILD_BUILD_HOST="${BUILD_HOST:-pony-truck.infra.kinvolk.io}"
 info "Merging board packages now"
 sudo -E "${EMERGE_CMD[@]}" "${EMERGE_FLAGS[@]}" "$@"
 
+info "Merging sysext packages now"
+for sysext in "${EXTRA_SYSEXTS[@]}"; do
+  IFS="|" read -r SYSEXT_NAME PACKAGE_ATOMS USEFLAGS ARCHES <<< "$sysext"
+
+  arch_array=("${ARCHES//,/ }")
+  if [[ -n $ARCHES ]]; then
+    should_skip=1
+    for arch in "${arch_array[@]}"; do
+      if [[ $arch == "$ARCH" ]]; then
+        should_skip=0
+      fi
+    done
+    if [[ $should_skip -eq 1 ]]; then
+      continue
+    fi
+  fi
+
+
+  info "Building packages for $SYSEXT_NAME sysext with USE=$USEFLAGS"
+  IFS=,
+  for package in $PACKAGE_ATOMS; do
+     # --buildpkgonly does not install dependencies, so we install them
+     # separately before building the binary package
+     sudo --preserve-env=MODULES_SIGN_KEY,MODULES_SIGN_CERT \
+       env USE="$USEFLAGS" FEATURES="-ebuild-locks binpkg-multi-instance" "${EMERGE_CMD[@]}" \
+       "${EMERGE_FLAGS[@]}" \
+       --quiet \
+       --onlydeps \
+       --binpkg-respect-use=y \
+       "${package}"
+
+     sudo --preserve-env=MODULES_SIGN_KEY,MODULES_SIGN_CERT \
+       env USE="$USEFLAGS" FEATURES="-ebuild-locks binpkg-multi-instance" "${EMERGE_CMD[@]}" \
+       "${EMERGE_FLAGS[@]}" \
+       --quiet \
+       --buildpkgonly \
+       --binpkg-respect-use=y \
+       "${package}"
+  done
+  unset IFS
+done
+
 info "Removing obsolete packages"
 # The return value of emerge is not clearly reliable. It may fail with
 # an output like following:
@@ -319,7 +362,16 @@ if [[ "${FLAGS_usepkgonly}" -eq "${FLAGS_FALSE}" ]]; then
   fi
 fi
 
-eclean-$BOARD -d packages
+exclusions_file=$(mktemp)
+if [ ! -f "$exclusions_file" ]; then
+    die_notrace "Couldn't create temporary exclusions file $exclusions_file for eclean"
+fi
+get_unversioned_sysext_packages > "$exclusions_file"
+eclean-"$BOARD" -d --exclude-file="$exclusions_file" packages
+rm -f "$exclusions_file"
+# run eclean again, this time without the --deep option, to clean old versions
+# of sysext packages (those, for which .ebuild file no  longer exists)
+eclean-"$BOARD" packages
 
 info "Checking build root"
 test_image_content "${BOARD_ROOT}"

build_sysext

@@ -221,11 +221,12 @@ info "Building '${SYSEXTNAME}' squashfs with (meta-)packages '${@}' in '${BUILD_
 
 for package; do
   echo "Installing package into sysext image: $package"
-  FEATURES="-ebuild-locks" emerge \
+  FEATURES="-ebuild-locks binpkg-multi-instance" emerge \
     --root="${BUILD_DIR}/install-root" \
     --config-root="/build/${FLAGS_board}"  \
     --sysroot="/build/${FLAGS_board}"  \
     --usepkgonly \
+    --binpkg-respect-use=y \
     --getbinpkg \
     --verbose \
     --jobs=${NUM_JOBS} \

changelog/changes/2025-05-13-nvidia-sysext.md

@@ -0,0 +1,2 @@
+- Compile OS-dependent NVIDIA kernel module sysexts signed for secure boot. ([scripts#2798](https://github.com/flatcar/scripts/pull/2798/))
+- Allow per-sysext USE flags and architecture-specific sysexts. ([scripts#2798](https://github.com/flatcar/scripts/pull/2798/))

changelog/changes/2025-05-13-oot-module-signing.md

@@ -0,0 +1 @@
+- Sign out-of-tree kernel modules using the ephemeral signing key so that ZFS and NVIDIA sysexts can work with secure boot. ([scripts#2636](https://github.com/flatcar/scripts/pull/2636/))

ci-automation/base_sysexts.sh

@@ -6,6 +6,6 @@ if [[ ${1:-} = 'local' ]]; then
 fi
 
 ciabs_base_sysexts=(
-    'containerd-flatcar:app-containers/containerd'
-    'docker-flatcar:app-containers/docker&app-containers/docker-cli&app-containers/docker-buildx'
+    'containerd-flatcar|app-containers/containerd'
+    'docker-flatcar|app-containers/docker&app-containers/docker-cli&app-containers/docker-buildx'
 )

ci-automation/image_changes.sh

@@ -280,7 +280,7 @@ function get_base_sysext_list() {
 
     source "${scripts_repo}/ci-automation/base_sysexts.sh" 'local'
 
-    list_var_ref=( "${ciabs_base_sysexts[@]%%:*}" )
+    list_var_ref=( "${ciabs_base_sysexts[@]%%|*}" )
 }
 
 function get_extra_sysext_list() {
@@ -291,7 +291,7 @@ function get_extra_sysext_list() {
     local -a EXTRA_SYSEXTS
     source "${scripts_repo}/build_library/extra_sysexts.sh"
 
-    list_var_ref=( "${EXTRA_SYSEXTS[@]%%:*}" )
+    list_var_ref=( "${EXTRA_SYSEXTS[@]%%|*}" )
 }
 
 # Generates reports with passed parameters. The report is redirected

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild

@@ -206,7 +206,7 @@ RDEPEND="${RDEPEND}
 	sys-power/acpid
 	sys-process/lsof
 	sys-process/procps
-	x11-drivers/nvidia-drivers
+	x11-drivers/nvidia-drivers-service
 "
 
 # OEM specific bits that need to go in USR

sdk_container/src/third_party/coreos-overlay/coreos/config/env/x11-drivers/nvidia-drivers

@@ -0,0 +1,14 @@
+: ${MODULES_ROOT:=$(echo ${SYSROOT}/lib/modules/*)}
+KERNEL_DIR="${MODULES_ROOT}/build"
+
+# This addresses an issue with the kernel version compatibility check
+#  when installing zfs-kmod to /build/<arch> (e.g. via build_packages)
+#  from its binpkg (i.e. not recompiling it).
+SKIP_KERNEL_BINPKG_ENV_RESET=1
+
+# Necessary to prevent KV_FULL & KV_OUT_DIR from being unset
+# when building Kernel modules for sysext. See also eclass/linux-info.eclass.
+cros_pre_pkg_setup_kernel_version() {
+    LINUX_INFO_BINARY_RESET=1
+    get_version
+}

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults

@@ -57,8 +57,9 @@ USE="${USE} bindist"
 # linux-fw-redistributable - license for sys-kernel/coreos-firmware
 # freedist - license for sys-kernel/coreos-kernel
 # intel-ucode - license for sys-firmware/intel-microcode
+# NVIDIA-r2 - license for x11-drivers/nvidia-drivers
 ACCEPT_LICENSE="${ACCEPT_LICENSE} no-source-code
-    linux-fw-redistributable freedist intel-ucode"
+    linux-fw-redistributable freedist intel-ucode NVIDIA-r2"
 
 # Favor our own mirrors over Gentoo's
 GENTOO_MIRRORS="

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use.mask

@@ -31,3 +31,6 @@ dev-python/pillow jpeg
 # or not. We don't have gtk on Flatcar, so it is not an issue here,
 # but we need to mask X, so we won't try pulling gtk package.
 app-emulation/qemu X
+
+# disable all tools for NVIDIA driver, keep just kmods
+x11-drivers/nvidia-drivers tools X static-libs

sdk_container/src/third_party/coreos-overlay/x11-drivers/nvidia-drivers/files/bin/install-nvidia renamed to sdk_container/src/third_party/coreos-overlay/x11-drivers/nvidia-drivers-service/files/bin/install-nvidia

@@ -97,20 +97,30 @@ EOF
 }
 
 function install_and_load() {
-  # This creates symlinks to sonames
-  mkdir -p /etc/ld.so.conf.d/
-  echo "/opt/nvidia/${NVIDIA_CURRENT_INSTALLATION}/usr/lib64" > /etc/ld.so.conf.d/nvidia.conf
-  ldconfig
-
   modprobe -a i2c_core ipmi_msghandler ipmi_devintf
   # This is needed on amd64 due to CONFIG_ACPI_VIDEO=m
   modprobe -q video || true
 
-  pushd "/opt/nvidia/${NVIDIA_CURRENT_INSTALLATION}/usr/lib/modules/$(uname -r)/video/"
-  insmod nvidia.ko
-  insmod nvidia-modeset.ko
-  insmod nvidia-uvm.ko
-  popd
+  if systemd-sysext list | grep -q flatcar-nvidia-drivers; then
+    modprobe nvidia
+    modprobe nvidia-modeset
+    modprobe nvidia-uvm
+
+    systemctl daemon-reload
+    # create the nvpd user
+    systemd-sysusers
+  else
+    # This creates symlinks to sonames
+    mkdir -p /etc/ld.so.conf.d/
+    echo "/opt/nvidia/${NVIDIA_CURRENT_INSTALLATION}/usr/lib64" > /etc/ld.so.conf.d/nvidia.conf
+
+    pushd "/opt/nvidia/${NVIDIA_CURRENT_INSTALLATION}/usr/lib/modules/$(uname -r)/video/"
+    insmod nvidia.ko
+    insmod nvidia-modeset.ko
+    insmod nvidia-uvm.ko
+    popd
+  fi
+  ldconfig
 
   # based on https://docs.nvidia.com/cuda/cuda-installation-guide-linux/index.html#runfile-verifications
   if [ ! -c /dev/nvidiactl ]
@@ -161,6 +171,11 @@ function is_nvidia_installation_required() {
   if [[ -d "/opt/nvidia/${NVIDIA_FLATCAR_VERSION_PAIR}" ]]; then
     return 1
   fi
+
+  if systemd-sysext list | grep -q flatcar-nvidia-drivers; then
+    echo "Pre-build NVIDIA drivers sysext is loaded, skipping drivers build."
+    return 1
+  fi
 }
 
 function presetup() {

sdk_container/src/third_party/coreos-overlay/x11-drivers/nvidia-drivers/files/bin/setup-nvidia renamed to sdk_container/src/third_party/coreos-overlay/x11-drivers/nvidia-drivers-service/files/bin/setup-nvidia

@@ -1,7 +1,7 @@
 [Unit]
 Description=NVIDIA Configure Service
 Wants=network-online.target
-After=network-online.target
+After=network-online.target systemd-sysext.service
 Before=containerd.target
 
 [Service]

sdk_container/src/third_party/coreos-overlay/x11-drivers/nvidia-drivers/files/nvidia-metadata renamed to sdk_container/src/third_party/coreos-overlay/x11-drivers/nvidia-drivers-service/files/nvidia-metadata

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>[email protected]</email>
+		<name>Ionen Wolkens</name>
+	</maintainer>
+</pkgmetadata>

sdk_container/src/third_party/coreos-overlay/x11-drivers/nvidia-drivers/files/units/nvidia.service renamed to sdk_container/src/third_party/coreos-overlay/x11-drivers/nvidia-drivers-service/files/units/nvidia.service

@@ -0,0 +1,12 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit acct-user
+
+DESCRIPTION="User for nvidia-persistenced"
+ACCT_USER_ID=458
+ACCT_USER_GROUPS=( video )
+
+acct-user_add_deps