Implement kernel signing

2025-09-09 21:05:02 -04:00
parent 851b1c048e
commit 756653ae99
16 changed files with 200 additions and 39 deletions
--- a/recipes/base/common.yml
+++ b/recipes/base/common.yml
@@ -1,4 +1,12 @@
+---
+# yaml-language-server: $schema=https://schema.blue-build.org/module-list-v1.json
 modules:
+  - type: files
+    files:
+      - source: bootc-update
+        destination: /usr/lib/systemd/system
+      - source: base
+        destination: /
  - type: script
    env:
      CSFG: /usr/lib/systemd/system-generators/coreos-sulogin-force-generator
@@ -8,22 +16,13 @@ modules:
      # see detail: https://github.com/ublue-os/main/issues/653
      - curl -sSLo ${CSFG} https://raw.githubusercontent.com/coreos/fedora-coreos-config/refs/heads/stable/overlay.d/05core/usr/lib/systemd/system-generators/coreos-sulogin-force-generator
      - chmod +x ${CSFG}
-  - type: files
-    files:
-      - source: bootc-update
-        destination: /usr/lib/systemd/system
+  - type: dnf
+    install:
+      packages:
+        - sbsign
  - type: systemd
    system:
      masked:
        - rpm-ostreed-automatic.timer
      enabled:
        - bootc-fetch-apply-updates.timer
-  - type: copy
-    src: files/base/usr/share/plymouth
-    dest: /usr/share/plymouth
-  # - type: os-release
-  #   properties:
-  #     NAME: WunkerOS
-  #     ID: wunker_os
-  #     PRETTY_NAME: Wunker OS
-  - from-file: common/post-build.yml
--- a/recipes/base/nvidia.yml
+++ b/recipes/base/nvidia.yml
@@ -1,17 +1,20 @@
 ---
 # yaml-language-server: $schema=https://schema.blue-build.org/module-list-v1.json
 modules:
-  - type: dnf
-    repos:
-      cleanup: true
-      nonfree: rpmfusion
-    install:
-      packages:
-        - akmod-nvidia
  - type: script
-    snippets:
-      - echo "%_with_kmod_nvidia_open 1" > /etc/rpm/macros.nvidia-kmod
-      - akmods --kernels "$(rpm -q "kernel" --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')" --rebuild
+    env:
+      PUBLIC_KEY_DER_PATH: /etc/pki/akmods/certs/akmods-wunker-bunker.der
+    secrets:
+      - type: file
+        source: ./.secure-files/MOK.priv
+        mount:
+          type: file
+          destination: /tmp/certs/private_key.priv
+    scripts:
+      - installnvidiakmod.sh
+  - type: script
+    scripts:
+      - installnvidiapackages.sh
  - type: files
    files:
      - source: nvidia-kargs
--- a/recipes/base/post-build.yml
+++ b/recipes/base/post-build.yml
@@ -0,0 +1,18 @@
+---
+# yaml-language-server: $schema=https://schema.blue-build.org/module-list-v1.json
+modules:
+  - type: script
+    env:
+      PUBLIC_KEY_DER_PATH: /etc/pki/akmods/certs/akmods-wunker-bunker.der
+    secrets:
+      - type: file
+        source: ./.secure-files/MOK.priv
+        mount: 
+          type: file
+          destination: /tmp/certs/private_key.priv
+    scripts:
+      - signkernel.sh
+  - type: initramfs
+    env:
+      DRACUT_NO_XATTR: '1'
+    source: local