Custom signing key for precompiled drivers on RHEL

This change adds the opportunity to use trusted signing key, instead of
a self-signed key generated on the fly for every build. This is required
to let users leverage their own key for Secure Boot. The addition of the
public certificate to the authorized signatures database remains the
responsibility of the user.

Signed-off-by: Fabien Dupont <fdupont@redhat.com>

Author: fabiendupont

rhel8/precompiled/Dockerfile

@@ -16,7 +16,7 @@ RUN useradd -u 1001 -m -s /bin/bash builder
 USER builder
 
 WORKDIR /home/builder
-COPY --chown=1001:0 x509-configuration.ini x509-configuration.ini
+COPY --chown=1001:0 x509-configuration.ini private_key.priv* public_key.der* /home/builder/
 
 RUN export KVER=$(echo ${KERNEL_VERSION} | cut -d '-' -f 1) \
         TARGET_ARCH=${KERNEL_VERSION##*.} \
@@ -33,11 +33,15 @@ RUN export KVER=$(echo ${KERNEL_VERSION} | cut -d '-' -f 1) \
     && mv tmp/kernel nvidia-kmod-${DRIVER_VERSION}-${TARGET_ARCH}/ \
     && tar -cJf SOURCES/nvidia-kmod-${DRIVER_VERSION}-${TARGET_ARCH}.tar.xz nvidia-kmod-${DRIVER_VERSION}-${TARGET_ARCH} \
     && mv kmod-nvidia.spec SPECS/ \
-    && sed -i -e "s/\$USER/${BUILDER_USER}/" -e "s/\$EMAIL/${BUILDER_EMAIL}/" ${HOME}/x509-configuration.ini \
-    && openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch \
-      -config ${HOME}/x509-configuration.ini \
-      -outform DER -out SOURCES/public_key.der \
-      -keyout SOURCES/private_key.priv \
+    && if test -f "/home/builder/private_key.priv" -a -f "/home/builder/public_key.der" ; then \
+        mv /home/builder/private_key.priv /home/builder/public_key.der SOURCES ; \
+    else \
+        sed -i -e "s/\$USER/${BUILDER_USER}/" -e "s/\$EMAIL/${BUILDER_EMAIL}/" ${HOME}/x509-configuration.ini ; \
+        openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch \
+            -config ${HOME}/x509-configuration.ini \
+            -outform DER -out SOURCES/public_key.der \
+            -keyout SOURCES/private_key.priv ; \
+    fi \
     && rpmbuild \
         --define "%_topdir $(pwd)" \
         --define "debug_package %{nil}" \

rhel8/precompiled/README.md

@@ -36,7 +36,21 @@ The procedure is based on [building custom kmod packages](https://github.com/NVI
     ...
     ```
 
-5. Set environment variables, build and push the image:
+5. [Optional] Use custom signing keys
+
+   By default, the build process generates self-signed key and certificate,
+   because the spec file expects them during the build. It uses the
+   `x509-configuration.ini` file to set the OpenSSL configuration. However,
+   for Secure Boot, it is recommended to use signing keys that are trusted by
+   the machines, i.e. that are part of the authorized keys database.
+
+   To pass custom signing key and certificate during the build, you can put
+   them in the current folder as `private_key.priv` for the private key and
+   `public_key.der` for the public certificate in DER format. The build process
+   will use them if they are present, and fallback to self-signed certificate
+   otherwise.
+
+6. Set environment variables, build and push the image:
 
     ```
     export RHSM_ORG_FILE=$HOME/rhsm_org

rhel9/precompiled/Dockerfile

@@ -26,7 +26,7 @@ RUN useradd -u 1001 -m -s /bin/bash builder
 USER builder
 
 WORKDIR /home/builder
-COPY --chown=1001:0 x509-configuration.ini x509-configuration.ini
+COPY --chown=1001:0 x509-configuration.ini private_key.priv* public_key.der* /home/builder/
 
 RUN export KVER=$(echo ${KERNEL_VERSION} | cut -d '-' -f 1) \
         KREL=$(echo ${KERNEL_VERSION} | cut -d '-' -f 2 | sed 's/\.el._.\..\+$//') \
@@ -48,11 +48,15 @@ RUN export KVER=$(echo ${KERNEL_VERSION} | cut -d '-' -f 1) \
     fi \
     && tar -cJf SOURCES/nvidia-kmod-${DRIVER_VERSION}-${BUILD_ARCH}.tar.xz nvidia-kmod-${DRIVER_VERSION}-${BUILD_ARCH} \
     && mv kmod-nvidia.spec SPECS/ \
-    && sed -i -e "s/\$USER/${BUILDER_USER}/" -e "s/\$EMAIL/${BUILDER_EMAIL}/" ${HOME}/x509-configuration.ini \
-    && openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch \
-      -config ${HOME}/x509-configuration.ini \
-      -outform DER -out SOURCES/public_key.der \
-      -keyout SOURCES/private_key.priv \
+    && if test -f "/home/builder/private_key.priv" -a -f "/home/builder/public_key.der" ; then \
+        mv /home/builder/private_key.priv /home/builder/public_key.der SOURCES ; \
+    else \
+        sed -i -e "s/\$USER/${BUILDER_USER}/" -e "s/\$EMAIL/${BUILDER_EMAIL}/" ${HOME}/x509-configuration.ini ; \
+        openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch \
+            -config ${HOME}/x509-configuration.ini \
+            -outform DER -out SOURCES/public_key.der \
+            -keyout SOURCES/private_key.priv ; \
+    fi \
     && rpmbuild \
         --define "% _arch ${BUILD_ARCH}" \
         --define "%_topdir $(pwd)" \

rhel9/precompiled/README.md

@@ -108,6 +108,20 @@ The procedure is based on [building custom kmod packages](https://github.com/NVI
    export DRIVER_VERSION=550.163.01
    ```
 
+6. [Optional] Use custom signing keys
+
+   By default, the build process generates self-signed key and certificate,
+   because the spec file expects them during the build. It uses the
+   `x509-configuration.ini` file to set the OpenSSL configuration. However,
+   for Secure Boot, it is recommended to use signing keys that are trusted by
+   the machines, i.e. that are part of the authorized keys database.
+
+   To pass custom signing key and certificate during the build, you can put
+   them in the current folder as `private_key.priv` for the private key and
+   `public_key.der` for the public certificate in DER format. The build process
+   will use them if they are present, and fallback to self-signed certificate
+   otherwise.
+
 6. [Optional] Build the vGPU guest driver
 
    To build the vGPU guest driver, set the `DRIVER_TYPE` environment