feat: provide build instructions for NVIDIA kernel module

Actual module is built in the CI, but never pushed to the registry.

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>

.drone.yml

@@ -44,6 +44,25 @@ steps:
       - name: docker
         path: /root/.docker/buildx
 
+  - name: build-nonfree-pull-request
+    image: autonomy/build-container:latest
+    pull: always
+    environment:
+      DOCKER_CLI_EXPERIMENTAL: enabled
+    commands:
+      - make nonfree
+    when:
+      event:
+        include:
+          - pull_request
+    volumes:
+      - name: docker-socket
+        path: /var/run
+      - name: ssh
+        path: /root/.ssh
+      - name: docker
+        path: /root/.docker/buildx
+
   - name: build-and-publish
     image: autonomy/build-container:latest
     pull: always

Makefile

@@ -20,9 +20,12 @@ empty :=
 space = $(empty) $(empty)
 
 TARGETS =  ca-certificates  cni  containerd cryptsetup dosfstools  eudev  fhs flannel-cni grub ipmitool  iptables ipxe kernel  kmod  libaio libjson-c liblzma libpopt libressl  libseccomp  linux-firmware lvm2  musl  open-iscsi  open-isns raspberrypi-firmware runc  socat  syslinux u-boot  util-linux  xfsprogs
+NONFREE_TARGETS = nonfree-kmod-nvidia
 
 all: $(TARGETS) ## Builds all known pkgs.
 
+nonfree: $(NONFREE_TARGETS) ## Builds all known non-free pkgs.
+
 .PHONY: help
 help: ## This help menu.
 	@grep -E '^[a-zA-Z%_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
@@ -36,8 +39,8 @@ target-%: ## Builds the specified target defined in the Dockerfile. The build re
 docker-%: ## Builds the specified target defined in the Dockerfile using the docker output type. The build result will be loaded into docker.
 	@$(MAKE) target-$* TARGET_ARGS="$(TARGET_ARGS)"
 
-.PHONY: $(TARGETS)
-$(TARGETS):
+.PHONY: $(TARGETS) $(NONFREE_TARGETS)
+$(TARGETS) $(NONFREE_TARGETS):
 	@$(MAKE) docker-$@ TARGET_ARGS="--tag=$(REGISTRY)/$(USERNAME)/$@:$(TAG) --push=$(PUSH)"
 
 .PHONY: deps.png
@@ -48,7 +51,7 @@ kernel-%: ## Updates the kernel configs: e.g. make kernel-olddefconfig; make ker
 	for platform in $(subst $(,),$(space),$(PLATFORM)); do \
 		arch=`basename $$platform` ; \
 		$(MAKE) docker-kernel-prepare PLATFORM=$$platform TARGET_ARGS="--tag=$(REGISTRY)/$(USERNAME)/kernel:$(TAG)-$$arch --load"; \
-		docker run --rm -it --entrypoint=/toolchain/bin/bash -e PATH=/toolchain/bin:/bin -w /src -v $$PWD/kernel/kernel/config-$$arch:/host/.hostconfig $(REGISTRY)/$(USERNAME)/kernel:$(TAG)-$$arch -c 'cp /host/.hostconfig .config && make $* && cp .config /host/.hostconfig'; \
+		docker run --rm -it --entrypoint=/toolchain/bin/bash -e PATH=/toolchain/bin:/bin -w /src -v $$PWD/kernel/config/config-$$arch:/host/.hostconfig $(REGISTRY)/$(USERNAME)/kernel:$(TAG)-$$arch -c 'cp /host/.hostconfig .config && make $* && cp .config /host/.hostconfig'; \
 	done
 
 # Utilities

containerd/pkg.yaml

@@ -9,8 +9,8 @@ steps:
         # sync with version and revision in build
       - url: https://github.com/containerd/containerd/archive/refs/tags/v1.5.8.tar.gz
         destination: containerd.tar.gz
-        sha256: a41ab8d39393c9456941b477c33bb1b221a29b635f1c9a99523aab2f5e74f790
-        sha512: c769506ff6d98689c46ffee94d70ae00ef2f32e0daac1e631cbe8a587f67c7e4f83eb3895707362bdf46198b61823c99df1d8ca61095ab1415de5596f106fd07
+        sha256: 0890f7b0ee8e20a279a617c60686874b3c7a99e064adb2b38d884499b5284c43
+        sha512: 672c1743150ec8ab8eac7562a815d55ce697fc4216d83e7f7d142c4a2fca08a70238d545328fa273d1cc15eef15e5e5bec51a3b8fbd6b8a83fba797769197cdf
     prepare:
       - |
         tar -xzf containerd.tar.gz --strip-components=1

kernel/config/certs/x509.genkey

@@ -0,0 +1,17 @@
+[ req ]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = myexts
+
+[ req_distinguished_name ]
+O = Sidero Labs, Inc.
+CN = Build time throw-away kernel key
+#emailAddress = unspecified.user@unspecified.company
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid

kernel/config/pkg.yaml

@@ -0,0 +1,33 @@
+name: kernel-config
+variant: scratch
+shell: /toolchain/bin/bash
+dependencies:
+  - stage: kernel-prepare
+steps:
+  - env:
+      CARCH: {{ if eq .ARCH "aarch64"}}arm64{{ else if eq .ARCH "x86_64" }}amd64{{ else }}unsupported{{ end }}
+      KARCH: {{ if eq .ARCH "aarch64"}}ARM64{{ else if eq .ARCH "x86_64" }}X86_64{{ else }}unsupported{{ end }}
+      ARCH: {{ if eq .ARCH "aarch64"}}arm64{{ else if eq .ARCH "x86_64" }}x86_64{{ else }}unsupported{{ end }}
+    prepare:
+      - |
+        cd /src
+        cp -v /pkg/config-${CARCH} .config
+        cp -v /pkg/certs/* certs/
+    build:
+      - |
+        cd /src
+        python3 /toolchain/kconfig-hardened-check/bin/kconfig-hardened-check -c .config -p ${KARCH} -m json | python3 /pkg/scripts/filter-hardened-check.py
+      - |
+        cd /src
+        make scripts certs
+finalize:
+  - from: /src
+    to: /src
+  - from: /toolchain
+    to: /toolchain
+  - from: /usr
+    to: /usr
+  - from: /bin
+    to: /bin
+  - from: /lib
+    to: /lib

kernel/kernel/pkg.yaml

@@ -2,21 +2,13 @@ name: kernel
 variant: scratch
 shell: /toolchain/bin/bash
 dependencies:
-  - stage: kernel-prepare
+  - stage: kernel-config
 steps:
   - env:
       ARCH: {{ if eq .ARCH "aarch64"}}arm64{{ else if eq .ARCH "x86_64" }}x86_64{{ else }}unsupported{{ end }}
-      CARCH: {{ if eq .ARCH "aarch64"}}arm64{{ else if eq .ARCH "x86_64" }}amd64{{ else }}unsupported{{ end }}
-      KARCH: {{ if eq .ARCH "aarch64"}}ARM64{{ else if eq .ARCH "x86_64" }}X86_64{{ else }}unsupported{{ end }}
     prepare:
       - |
         cp -a /src/. .
-
-        cp -v /pkg/config-${CARCH} .config
-
-        patch -p0 < /pkg/patches/sign-file.patch
-      - |
-        python3 /toolchain/kconfig-hardened-check/bin/kconfig-hardened-check -c .config -p ${KARCH} -m json | python3 /pkg/scripts/filter-hardened-check.py
     build:
       - |
         make -j $(nproc)

kernel/kernel-prepare/pkg.yaml → kernel/prepare/pkg.yaml

@@ -44,6 +44,7 @@ steps:
         cd /toolchain && git clone https://github.com/a13xp0p0v/kconfig-hardened-check.git
       - |
         patch -p1 < /pkg/patches/hardening.kconfig.patch
+        patch -p0 < /pkg/patches/sign-file.patch
     install:
       - |
         mkdir -p /src

nonfree/kmod-nvidia/pkg.yaml

@@ -0,0 +1,53 @@
+name: nonfree-kmod-nvidia
+variant: scratch
+shell: /toolchain/bin/bash
+dependencies:
+  - stage: kernel-config
+steps:
+  # driver sources: https://www.nvidia.com/en-us/drivers/unix/
+  - sources:
+      # {{ if eq .ARCH "aarch64" }} This in fact is YAML comment, but Go templating instruction is evaluated by bldr
+      - url: https://us.download.nvidia.com/XFree86/aarch64/470.94/NVIDIA-Linux-aarch64-470.94.run
+        destination: nvidia.run
+        sha256: a1c991051c6cbd3fa69d9768fa7cd0084bfa6d4c384cc6a6e3ab88b5b51e57c8
+        sha512: e27b04ec5025b5ce1d6cd78306f55f5699032fc350f78fb7a731a82ec4691ba0764fd3e36d8738d38f17cafd93988c7542d55c370e219bdbab6d0e7eb2f9a5fd
+      # {{ else }} This in fact is YAML comment, but Go templating instruction is evaluated by bldr
+      - url: https://us.download.nvidia.com/XFree86/Linux-x86_64/470.94/NVIDIA-Linux-x86_64-470.94.run
+        destination: nvidia.run
+        sha256: 9585aa29330ebad9bdf22ce3ca2bac2026c85a9a32f03d7c59f714a7798500eb
+        sha512: b70542af04691da623b494d49fcbd58c58b83388fdb1c7ea6dcc779755b595444a324f613840ccbba0d9029456668376fe6049a3e4496c6054efbbf1e0a59c0f
+      # {{ end }} This in fact is YAML comment, but Go templating instruction is evaluated by bldr
+    prepare:
+      - |
+        export PATH=/toolchain/bin:$PATH
+        export GUESS_MD5_PATH=/toolchain/bin
+
+        rm -f /dev/tty && ln -s /dev/stdout /dev/tty
+        ln -s /toolchain/bin/echo /toolchain/bin/which
+
+        /toolchain/bin/bash nvidia.run --extract-only
+      - |
+        cd /src
+
+        make -j $(nproc) modules
+      - |
+        cd /src
+
+        make -j $(nproc) modules_install DEPMOD=/toolchain/bin/depmod INSTALL_MOD_PATH=/rootfs
+    build:
+      - |
+        cd NVIDIA-Linux-*/kernel
+
+        make -j $(nproc) SYSSRC=/src
+    install:
+      - |
+        cd NVIDIA-Linux-*/kernel
+
+        make -j $(nproc) modules_install SYSSRC=/src DEPMOD=/toolchain/bin/depmod INSTALL_MOD_PATH=/rootfs INSTALL_MOD_DIR=extra
+
+        export KERNELRELEASE=$(cat /src/include/config/kernel.release)
+        rm /rootfs/lib/modules/$KERNELRELEASE/build
+        rm /rootfs/lib/modules/$KERNELRELEASE/source
+finalize:
+  - from: /rootfs
+    to: /