[gpu] Add support for secure boot with examples #83
Conversation
Instructions on how to insert a trust database into a GCE disk image for use with secure boot. Forthcoming is a python script to install the kernel modules on a debian12 instance.
The scripts examples/secure-boot/install-nvidia-driver-debian*.sh fail for me because my default network isn't configured for Private Google Access. Other than that, this looks like it's working. The *-with-certs disk image is created; I have not checked the kernel log to see whether the expected modulus md5sum is printed as the one read from the kernel. I have not attempted to create a dataproc cluster using any images I've generated yet. That's next on my list.
* examples/secure-boot/README.md
  - included example of how to grant secretAccessor role
  - moved parameters that require defaults to the top
  - removed noise and sleeps
  - removed recommendation of using shutdown-instance-timer-sec
  - added recommendation to use --disk-size 50
* examples/secure-boot/create-key-pair.sh
  - collecting the modulus md5sum so that it can be passed in metadata
* examples/secure-boot/install-nvidia-driver-debian11.sh
  - execute script in /opt/install-nvidia-driver
  - update package cache before installing from it
  - clean up after downloaded packages
  - remove excess packages
  - remove driver.run and cuda.run after installation
  - redirect make log to /var/log/
* examples/secure-boot/install-nvidia-driver-debian12.sh
  - also execute script in /opt/install-nvidia-driver
  - clean up after package installation
I do see in the kernel logs that the certificate is trusted:
The kernel drivers came out unsigned when I booted the cluster. I'm running a build of a new image. I'll try booting it shortly.
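The two things the thread is checking in the kernel log, the certificate being trusted and the nvidia module loading signed, as an added shell example that is not code from this PR or from the custom-images project. The certificate subjects and dmesg lines are constructed samples; the function assumes the kernel's usual "integrity: Loading/Loaded X.509" and "module verification failed" wording.

```shell
#!/usr/bin/env bash
# Added example; not code from PR #83 or from the custom-images project.
# After booting a node from an image built with --trusted-cert, check the kernel log for
# (1) the module-signing certificate having been loaded from the UEFI db into the
#     platform keyring, and
# (2) the nvidia module loading without a signature verification failure
#     (the "drivers came out unsigned" case discussed in the thread).
# The certificate subjects and the log lines below are constructed samples.

# Constructed sample of `dmesg` output. On a real node run:
#   dmesg | check_secure_boot_log "<subject of the cert passed to --trusted-cert>"
SAMPLE_DMESG="[    0.812345] integrity: Loading X.509 certificate: UEFI:db
[    0.812400] integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
[    0.812500] integrity: Loaded X.509 cert 'Example Module Signing Key: 0123456789abcdef0123456789abcdef01234567'
[    0.812600] integrity: Loading X.509 certificate: UEFI:MokListRT
[    0.812700] integrity: Loaded X.509 cert 'Example Shim Key: 89abcdef0123456789abcdef0123456789abcdef'
[   12.345678] nvidia: loading out-of-tree module taints kernel.
[   12.345700] nvidia: module verification failed: signature and/or required key missing - tainting kernel"

# check_secure_boot_log SUBJECT  (reads the kernel log on stdin)
# Prints one verdict and returns 0 only when SUBJECT came from UEFI:db and the
# nvidia module did not fail signature verification.
check_secure_boot_log() {
  local subject="$1" line in_db=0 cert_ok=0 module_ok=1
  while IFS= read -r line; do
    case "$line" in
      # The kernel announces the source before listing the certs it loaded from it.
      *"integrity: Loading X.509 certificate: UEFI:db") in_db=1 ;;
      *"integrity: Loading X.509 certificate: "*)      in_db=0 ;;
      # Only count the cert if it was loaded while the db section was active.
      *"integrity: Loaded X.509 cert '$subject: "*)
        if [ "$in_db" -eq 1 ]; then cert_ok=1; fi ;;
      *"nvidia: module verification failed"*)          module_ok=0 ;;
    esac
  done
  if [ "$cert_ok" -eq 0 ]; then echo "cert-not-in-db"; return 1; fi
  if [ "$module_ok" -eq 0 ]; then echo "module-unsigned"; return 2; fi
  echo "ok"
}

# With the sample above this prints "module-unsigned": the cert is trusted by the
# firmware db, but the module was built/installed without being signed by it.
printf '%s\n' "$SAMPLE_DMESG" | check_secure_boot_log "Example Module Signing Key" || true
```

A cert that only appears under MokListRT (like the constructed "Example Shim Key") is reported as cert-not-in-db, which is the distinction that matters when the image was supposed to carry the cert in the firmware's db.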
The new cluster nodes built with the custom bookworm image come up with a working nvidia-smi
The Buster image looks good, too:
hmmm.. the 2.1 image is having no luck:
It seems somehow that the
I do see in the logs that the base image was created with the
…adding another prior to completion
Opting to commit without approval to match release date of GoogleCloudDataproc/initialization-actions#1190
examples/secure-boot/install-nvidia-driver-debian12.sh
This file includes instructions to install nvidia drivers the Debian way on Bookworm and presumably future releases.
examples/secure-boot/install-nvidia-driver-debian11.sh
This file includes instructions to install nvidia drivers the NVIDIA way on Bullseye, Buster and presumably previous releases.
examples/secure-boot/create-key-pair.sh
This file includes instructions to create a key pair, and to make them available via Google Cloud Secret Manager.
examples/secure-boot/README.md
This file includes instructions to execute the generate_custom_image.py script with parameters necessary to create a custom image for use with secure-boot. Either of the above installer scripts can be used to exercise the process.
custom_image_utils/shell_script_generator.py
If --trusted-cert path/to/cert.der is supplied, inject that cert.der and the MS UEFI CA 2011 into the disk image's EFI signature database.
custom_image_utils/args_parser.py
--trusted-cert: (Optional) Inserts the specified DER-format certificate into the custom image's EFI boot sector for use with secure boot.
Dockerfile
Since this package depends on python 2.7 and since I don't have time to help it move into the next decade, I've created a Dockerfile that can be used to build an image from which the script can be executed.
README.md
Documented the --trusted-cert argument.