-
Notifications
You must be signed in to change notification settings - Fork 0
/
kmp-post.sh
162 lines (142 loc) · 5.68 KB
/
kmp-post.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
# get rid of broken weak-updates symlinks created in some %post apparently;
# either by kmp itself or by kernel package update
for i in $(find /lib/modules/*/weak-updates -type l 2> /dev/null); do
test -e $i || rm $i
done
dirprefix=linux
%ifarch %ix86
arch=i386
%endif
%ifarch x86_64
arch=x86_64
%endif
%ifarch aarch64
arch=aarch64
# -Wall is upstream default
export CFLAGS="-Wall -mno-outline-atomics"
%endif
#export CONCURRENCY_LEVEL=nproc && \
#export JOBS=${CONCURRENCY_LEVEL} && \
#export __JOBS=${JOBS} && \
#export MAKEFLAGS="-j ${JOBS}"
if [ "$flavor" == "azure" ]; then
dir=$(pushd /usr/src &> /dev/null; ls -d linux-*-azure-obj|sort -n|tail -n 1; popd &> /dev/null)
kver=$(make -j$(nproc) -sC /usr/src/${dir}/$arch/$flavor kernelrelease)
else
kver=$(make -j$(nproc) -sC /usr/src/${dirprefix}-obj/$arch/$flavor kernelrelease)
fi
RES=0
# mold is not supported (boo#1223344)
export LD=ld.bfd
if [ "$flavor" == "azure" ]; then
export SYSSRC=/usr/src/${dirprefix}-azure
dir=$(pushd /usr/src &> /dev/null; ls -d linux-*-azure-obj|sort -n|tail -n 1; popd &> /dev/null)
export SYSOUT=/usr/src/${dir}/$arch/$flavor
else
export SYSSRC=/usr/src/${dirprefix}
export SYSOUT=/usr/src/${dirprefix}-obj/$arch/$flavor
fi
pushd /usr/src/kernel-modules/nvidia-%{version}-$flavor
make -j$(nproc) modules || RES=1
# remove still existing old kernel modules (boo#1174204)
rm -f /lib/modules/$kver/updates/nvidia*.ko
export INSTALL_MOD_DIR=updates
make modules_install
tw="false"
cat /etc/os-release | grep ^NAME | grep -q Tumbleweed && tw=true
# move kernel modules where they belong and can be found by weak-modules2 script
kver_build=$(cat kernel_version)
if [ "$kver" != "$kver_build" -a "$flavor" != "azure" -a "$tw" != "true" ]; then
mkdir -p %{kernel_module_directory}/$kver_build/updates
mv %{kernel_module_directory}/$kver/updates/nvidia*.ko \
%{kernel_module_directory}/$kver_build/updates
fi
# create initrd
/usr/lib/module-init-tools/weak-modules2 --add-kernel $kver
popd
depmod $kver
# cleanup (boo#1200310)
pushd /usr/src/kernel-modules/nvidia-%{version}-$flavor || true
cp -a Makefile{,.tmp} || true
make clean || true
# NVIDIA's "make clean" not being perfect (boo#1201937)
rm -f conftest*.c nv_compiler.h
mv Makefile{.tmp,} || true
popd || true
# Sign modules on secureboot systems
if [ -x /usr/bin/mokutil ]; then
mokutil --sb-state | grep -q "SecureBoot enabled"
if [ $? -eq 0 ]; then
privkey=$(mktemp /tmp/MOK.priv.XXXXXX)
pubkeydir=/var/lib/nvidia-pubkeys
pubkey=$pubkeydir/MOK-%{name}-%{version}-$flavor.der
# make sure creation of pubkey doesn't fail later
test -d pubkeydir || mkdir -p $pubkeydir
if [ $1 -eq 2 ] && [ -e $pubkey ]; then
# Special case: reinstall of the same pkg version
# ($pubkey file name includes version and release)
# Run mokutil --delete here, because we can't be sure preun
# will be run (bsc#1176146)
mv -f $pubkey $pubkey.delete
mokutil --delete $pubkey.delete --root-pw
# We can't remove $pubkey.delete, the preun script
# uses it as indicator not to delete $pubkey
else
rm -f $pubkey $pubkey.delete
fi
# Create a key pair (private key, public key)
openssl req -new -x509 -newkey rsa:2048 \
-keyout $privkey \
-outform DER -out $pubkey -days 1000 \
-subj "/CN=Local build for %{name} %{version} on $(date +"%Y-%m-%d")/" \
-addext "extendedKeyUsage=codeSigning" \
-nodes
# Install the public key to MOK
mokutil --import $pubkey --root-pw
# Sign the Nvidia modules (weak-updates appears to be broken)
if [ "$kver" != "$kver_build" -a "$flavor" != "azure" -a "$tw" != "true" ]; then
for i in /lib/modules/$kver_build/updates/nvidia*.ko; do
/lib/modules/$kver/build/scripts/sign-file sha256 $privkey $pubkey $i
done
else
for i in /lib/modules/$kver/updates/nvidia*.ko; do
/lib/modules/$kver/build/scripts/sign-file sha256 $privkey $pubkey $i
done
fi
# cleanup: private key no longer needed
rm -f $privkey
fi
fi
# Create symlinks for udev so these devices will get user ACLs by logind later (bnc#1000625)
mkdir -p /run/udev/static_node-tags/uaccess
mkdir -p /usr/lib/tmpfiles.d
ln -snf /dev/nvidiactl /run/udev/static_node-tags/uaccess/nvidiactl
ln -snf /dev/nvidia-uvm /run/udev/static_node-tags/uaccess/nvidia-uvm
ln -snf /dev/nvidia-uvm-tools /run/udev/static_node-tags/uaccess/nvidia-uvm-tools
ln -snf /dev/nvidia-modeset /run/udev/static_node-tags/uaccess/nvidia-modeset
cat > /usr/lib/tmpfiles.d/nvidia-logind-acl-trick-G06.conf << EOF
L /run/udev/static_node-tags/uaccess/nvidiactl - - - - /dev/nvidiactl
L /run/udev/static_node-tags/uaccess/nvidia-uvm - - - - /dev/nvidia-uvm
L /run/udev/static_node-tags/uaccess/nvidia-uvm-tools - - - - /dev/nvidia-uvm-tools
L /run/udev/static_node-tags/uaccess/nvidia-modeset - - - - /dev/nvidia-modeset
EOF
devid=-1
for dev in $(ls -d /sys/bus/pci/devices/*); do
vendorid=$(cat $dev/vendor)
if [ "$vendorid" == "0x10de" ]; then
class=$(cat $dev/class)
classid=${class%%00}
if [ "$classid" == "0x0300" -o "$classid" == "0x0302" ]; then
devid=$((devid+1))
ln -snf /dev/nvidia${devid} /run/udev/static_node-tags/uaccess/nvidia${devid}
echo "L /run/udev/static_node-tags/uaccess/nvidia${devid} - - - - /dev/nvidia${devid}" >> /usr/lib/tmpfiles.d/nvidia-logind-acl-trick-G06.conf
fi
fi
done
# groups are now dynamic
if [ -f %{_sysconfdir}/modprobe.d/50-nvidia-$flavor.conf ]; then
VIDEOGID=`getent group video | cut -d: -f3`
sed -i "s/33/$VIDEOGID/" %{_sysconfdir}/modprobe.d/50-nvidia-$flavor.conf
fi
#needed to move this to specfile after running posttrans
#exit $RES