RPM with proprietary nvidia drivers

[marmarek]

Reported by joanna on 12 Jul 2011 19:11 UTC
None

Migrated-From: https://wiki.qubes-os.org/ticket/270

[marmarek]

Comment by marmarek on 13 Jul 2011 23:55 UTC
http://git.qubes-os.org/gitweb/?p=marmarek/installer.git;a=commit;h=deb3a1cc251683703c10be81e4053f20ac9bc1d9

I've noticed that it adds /etc/init.d/nvidia which loads nvidia module and modifies xorg.conf to use it... Don't know if it checks for nvidia hardware first, but I don't think so.

[marmarek]

Comment by marmarek on 13 Jul 2011 23:55 UTC
http://git.qubes-os.org/gitweb/?p=marmarek/installer.git;a=commit;h=deb3a1cc251683703c10be81e4053f20ac9bc1d9

I've noticed that it adds /etc/init.d/nvidia which loads nvidia module and modifies xorg.conf to use it... Don't know if it checks for nvidia hardware first, but I don't think so.

[marmarek]

Modified by joanna on 30 Jul 2011 11:22 UTC

[marmarek]

Modified by joanna on 30 Jul 2011 11:22 UTC

[marmarek]

Comment by joanna on 31 Jul 2011 16:36 UTC
The nvidia rpm generating script doesn't create/download the required 'nvidia-kmod-common' rpm, which is required by kmod-nvidia*'.

[marmarek]

Comment by joanna on 31 Jul 2011 16:36 UTC
The nvidia rpm generating script doesn't create/download the required 'nvidia-kmod-common' rpm, which is required by kmod-nvidia*'.

[marmarek]

Modified by joanna on 2 Aug 2011 12:58 UTC

[marmarek]

Modified by joanna on 2 Aug 2011 12:58 UTC

[marmarek]

Modified by joanna on 13 Sep 2011 20:55 UTC

[marmarek]

Modified by joanna on 13 Sep 2011 20:55 UTC

[marmarek]

Comment by marmarek on 13 Sep 2011 21:58 UTC
nvidia-kmod-common is provided by xorg-x11-drv-nvidia

[marmarek]

Comment by marmarek on 13 Sep 2011 21:58 UTC
nvidia-kmod-common is provided by xorg-x11-drv-nvidia

[marmarek]

Comment by joanna on 13 Sep 2011 22:40 UTC
Ok, so, I understand that we should copy all the rpms from 3rd_party-packages/x86_64/ into yum/dom0-updates/rpm and it wil be automatically picked by the installer? Or not?

If not, then I would just upload them into current yum repo?

[marmarek]

Comment by joanna on 13 Sep 2011 22:40 UTC
Ok, so, I understand that we should copy all the rpms from 3rd_party-packages/x86_64/ into yum/dom0-updates/rpm and it wil be automatically picked by the installer? Or not?

If not, then I would just upload them into current yum repo?

[marmarek]

Comment by marmarek on 13 Sep 2011 22:45 UTC
Not - only if included in comps config.
Also it is unclear how it will behave on non-nvidia hardware... Have you checked it?
IMHO it's better to place it in current yum repo.

[marmarek]

Comment by marmarek on 13 Sep 2011 22:45 UTC
Not - only if included in comps config.
Also it is unclear how it will behave on non-nvidia hardware... Have you checked it?
IMHO it's better to place it in current yum repo.

[marmarek]

Comment by joanna on 13 Sep 2011 23:01 UTC
RPMs uploaded to current, pls test.

[marmarek]

Comment by joanna on 13 Sep 2011 23:01 UTC
RPMs uploaded to current, pls test.

[marmarek]

Comment by marmarek on 13 Sep 2011 23:14 UTC
Downloaded RPMs are signed by RPM Fusion key. Should we import it as trusted key, or resign packages?

[marmarek]

Comment by marmarek on 13 Sep 2011 23:14 UTC
Downloaded RPMs are signed by RPM Fusion key. Should we import it as trusted key, or resign packages?

[marmarek]

Comment by marmarek on 13 Sep 2011 23:29 UTC
Besides gpg key problem, looks good.

1. qvm-dom0-update x11-xorg-drv-nvidia
2. reboot
   and now xorg uses nvidia binary driver :)

Notice: this package modifies kernel cmdline (blacklist nouveau), so AEM secret should resealed (and stick should be mounted as /boot during installation).

[marmarek]

Comment by marmarek on 13 Sep 2011 23:29 UTC
Besides gpg key problem, looks good.

1. qvm-dom0-update x11-xorg-drv-nvidia
2. reboot
   and now xorg uses nvidia binary driver :)

Notice: this package modifies kernel cmdline (blacklist nouveau), so AEM secret should resealed (and stick should be mounted as /boot during installation).

[marmarek]

Modified by joanna on 15 Sep 2011 12:11 UTC

[marmarek]

Modified by joanna on 15 Sep 2011 12:11 UTC

[marmarek]

Comment by joanna on 15 Sep 2011 12:13 UTC
For some reason I'm unable to reasign a few of the auxiliary rpms with Qubes key. Apparently rpm --resign renders any previous signature BAD?!

Also one of the packages from rpm fusion is not signed at all akmods-0.3.6-3.fc12.noarch.rpm and, even worse, the makefile doesn't warn about it.

[marmarek]

Comment by joanna on 15 Sep 2011 12:13 UTC
For some reason I'm unable to reasign a few of the auxiliary rpms with Qubes key. Apparently rpm --resign renders any previous signature BAD?!

Also one of the packages from rpm fusion is not signed at all akmods-0.3.6-3.fc12.noarch.rpm and, even worse, the makefile doesn't warn about it.

[marmarek]

Comment by marmarek on 15 Sep 2011 12:22 UTC
akmods is signed, just one of signature cannot be verified (but the other, from rpmfusion-free-fedora-13-primary key IS correct):

rpm/x86_64/akmods-0.3.6-3.fc12.noarch.rpm:
Header V3 RSA/SHA256 Signature, key ID a3780952: OK
Header SHA1 digest: OK (180089b7979f80aecac92d0c65ead52d77ad3196)
V3 RSA/SHA256 Signature, key ID 16ca1a56: NOKEY
V3 RSA/SHA256 Signature, key ID a3780952: OK
MD5 digest: OK (0aeeaa37256fdaf4562d46f244165ec2)

[marmarek]

Comment by marmarek on 15 Sep 2011 12:22 UTC
akmods is signed, just one of signature cannot be verified (but the other, from rpmfusion-free-fedora-13-primary key IS correct):

rpm/x86_64/akmods-0.3.6-3.fc12.noarch.rpm:
Header V3 RSA/SHA256 Signature, key ID a3780952: OK
Header SHA1 digest: OK (180089b7979f80aecac92d0c65ead52d77ad3196)
V3 RSA/SHA256 Signature, key ID 16ca1a56: NOKEY
V3 RSA/SHA256 Signature, key ID a3780952: OK
MD5 digest: OK (0aeeaa37256fdaf4562d46f244165ec2)

[marmarek]

Comment by marmarek on 15 Sep 2011 12:32 UTC
This invalidating previous signatures is because of different hash used. In "original" packages SHA256 (and header V3) is used, but rpm --addsign (by default?) adds V4 sign with SHA1 hash.

From rpm manual:
For compatibility with older versions of GPG, PGP, and rpm, only V3 OpenPGP signature packets should be configured. Either DSA or RSA verification algo
rithms can be used, but DSA is preferred.

Trying to find out how to configure it...

[marmarek]

Comment by marmarek on 15 Sep 2011 12:32 UTC
This invalidating previous signatures is because of different hash used. In "original" packages SHA256 (and header V3) is used, but rpm --addsign (by default?) adds V4 sign with SHA1 hash.

From rpm manual:
For compatibility with older versions of GPG, PGP, and rpm, only V3 OpenPGP signature packets should be configured. Either DSA or RSA verification algo
rithms can be used, but DSA is preferred.

Trying to find out how to configure it...

[marmarek]

Comment by marmarek on 15 Sep 2011 20:26 UTC
Ok, the solution is to add "digest-algo sha256" to your ~/.gnupg/gpg.conf
(header version turned out to be irrelevant)

[marmarek]

Comment by marmarek on 15 Sep 2011 20:26 UTC
Ok, the solution is to add "digest-algo sha256" to your ~/.gnupg/gpg.conf
(header version turned out to be irrelevant)

[marmarek]

Modified by joanna on 2 Nov 2011 18:52 UTC

[marmarek]

Modified by joanna on 2 Nov 2011 18:52 UTC

[marmarek]

Comment by marmarek on 5 Dec 2011 15:11 UTC
Problem with signatures solved by rebuilding packages and signing only with Qubes key.
But still - this package cannot be installed by default (on non-nvidia hardware) as it unconditionally force to use nvidia driver.
Should be placed only on yum.qubes-os.org.

[marmarek]

Comment by marmarek on 5 Dec 2011 15:11 UTC
Problem with signatures solved by rebuilding packages and signing only with Qubes key.
But still - this package cannot be installed by default (on non-nvidia hardware) as it unconditionally force to use nvidia driver.
Should be placed only on yum.qubes-os.org.