pyrox.dev / nixpkgs
lol
fork atom

linuxPackages_latest.nvidiaPackages.{stable,latest,beta}: fix build

wxt 5ebc7f83 2221b837

+350
unified split
+251
pkgs/os-specific/linux/nvidia-x11/crypto-Add-fix-for-6.13-Module-compilation.patch
··· 1 + diff --git a/kernel-open/conftest.sh b/kernel-open/conftest.sh 2 + index fdceda72..3bfe39aa 100755 3 + --- a/kernel-open/conftest.sh 4 + +++ b/kernel-open/conftest.sh 5 + @@ -6721,6 +6721,47 @@ compile_test() { 6 + compile_check_conftest "$CODE" "NV_CRYPTO_PRESENT" "" "symbols" 7 + ;; 8 + 9 + + crypto_akcipher_verify) 10 + + # 11 + + # Determine whether the crypto_akcipher_verify API is still present. 12 + + # It was removed by commit 6b34562 ('crypto: akcipher - Drop sign/verify operations') 13 + + # in v6.13-rc1 (2024-10-04). 14 + + # 15 + + # This test is dependent on the crypto conftest to determine whether crypto should be 16 + + # enabled at all. That means that if the kernel is old enough such that crypto_akcipher_verify 17 + + # 18 + + # The test merely checks for the presence of the API, as it assumes that if the API 19 + + # is no longer present, the new API to replace it (crypto_sig_verify) must be present. 20 + + # If the kernel version is too old to have crypto_akcipher_verify, it will fail the crypto 21 + + # conftest above and all crypto code will be compiled out. 22 + + # 23 + + CODE=" 24 + + #include <crypto/akcipher.h> 25 + + #include <linux/crypto.h> 26 + + void conftest_crypto_akcipher_verify(void) { 27 + + (void)crypto_akcipher_verify; 28 + + }" 29 + + 30 + + compile_check_conftest "$CODE" "NV_CRYPTO_AKCIPHER_VERIFY_PRESENT" "" "symbols" 31 + + ;; 32 + + 33 + + ecc_digits_from_bytes) 34 + + # 35 + + # Determine whether ecc_digits_from_bytes is present. 36 + + # It was added in commit c6ab5c915da4 ('crypto: ecc - Prevent ecc_digits_from_bytes from 37 + + # reading too many bytes') in v6.10. 38 + + # 39 + + # This functionality is needed when crypto_akcipher_verify is not present. 40 + + # 41 + + CODE=" 42 + + #include <crypto/internal/ecc.h> 43 + + void conftest_ecc_digits_from_bytes(void) { 44 + + (void)ecc_digits_from_bytes; 45 + + }" 46 + + 47 + + compile_check_conftest "$CODE" "NV_ECC_DIGITS_FROM_BYTES_PRESENT" "" "symbols" 48 + + ;; 49 + + 50 + mempolicy_has_unified_nodes) 51 + # 52 + # Determine if the 'mempolicy' structure has 53 + diff --git a/kernel-open/nvidia/internal_crypt_lib.h b/kernel-open/nvidia/internal_crypt_lib.h 54 + index 2eac7d5e..917acb26 100644 55 + --- a/kernel-open/nvidia/internal_crypt_lib.h 56 + +++ b/kernel-open/nvidia/internal_crypt_lib.h 57 + @@ -64,7 +64,9 @@ 58 + * old or even just user disabled. If we should use LKCA, include headers, else 59 + * define stubs to return errors. 60 + */ 61 + -#if defined(NV_CRYPTO_PRESENT) && defined (NV_CONFIG_CRYPTO_PRESENT) 62 + +#if defined(NV_CRYPTO_PRESENT) && defined (NV_CONFIG_CRYPTO_PRESENT) && \ 63 + + (defined(NV_CRYPTO_AKCIPHER_VERIFY_PRESENT) || \ 64 + + (defined(NV_CRYPTO_SIG_H_PRESENT) && defined(NV_ECC_DIGITS_FROM_BYTES_PRESENT))) 65 + #define USE_LKCA 1 66 + #endif 67 + 68 + diff --git a/kernel-open/nvidia/libspdm_ecc.c b/kernel-open/nvidia/libspdm_ecc.c 69 + index 1f8f0100..a9eb4db5 100644 70 + --- a/kernel-open/nvidia/libspdm_ecc.c 71 + +++ b/kernel-open/nvidia/libspdm_ecc.c 72 + @@ -30,14 +30,26 @@ MODULE_SOFTDEP("pre: ecdh_generic,ecdsa_generic"); 73 + #include <crypto/akcipher.h> 74 + #include <crypto/ecdh.h> 75 + #include <crypto/internal/ecc.h> 76 + +#ifndef NV_CRYPTO_AKCIPHER_VERIFY_PRESENT 77 + +#include <crypto/sig.h> 78 + + 79 + +struct signature 80 + +{ 81 + + u64 r[ECC_MAX_DIGITS]; 82 + + u64 s[ECC_MAX_DIGITS]; 83 + +}; 84 + +#endif // NV_CRYPTO_AKCIPHER_VERIFY_PRESENT 85 + + 86 + +#define ECDSA_PUBKEY_HEADER_XY_PRESENT (0x4) 87 + 88 + struct ecc_ctx { 89 + unsigned int curve_id; 90 + u64 priv_key[ECC_MAX_DIGITS]; // In big endian 91 + 92 + struct { 93 + - // ecdsa wants byte preceding pub_key to be set to '4' 94 + - u64 pub_key_prefix; 95 + + // ecdsa pubkey has header indicating length of pubkey 96 + + u8 padding[7]; 97 + + u8 pub_key_prefix; 98 + u64 pub_key[2 * ECC_MAX_DIGITS]; 99 + }; 100 + 101 + @@ -221,25 +233,84 @@ bool lkca_ec_compute_key(void *ec_context, const uint8_t *peer_public, 102 + #endif 103 + } 104 + 105 + -bool lkca_ecdsa_verify(void *ec_context, size_t hash_nid, 106 + - const uint8_t *message_hash, size_t hash_size, 107 + - const uint8_t *signature, size_t sig_size) 108 + +#ifndef NV_CRYPTO_AKCIPHER_VERIFY_PRESENT 109 + +static bool lkca_ecdsa_verify_crypto_sig(void *ec_context, size_t hash_nid, 110 + + const uint8_t *message_hash, size_t hash_size, 111 + + const uint8_t *signature, size_t sig_size) 112 + { 113 + #ifndef USE_LKCA 114 + return false; 115 + #else 116 + struct ecc_ctx *ctx = ec_context; 117 + + u8 *pub_key; 118 + + int err; 119 + + DECLARE_CRYPTO_WAIT(wait); 120 + + struct crypto_sig * tfm = NULL; 121 + + struct signature sig; 122 + + 123 + + if (sig_size != ctx->size || !ctx->pub_key_set) 124 + + { 125 + + return false; 126 + + } 127 + + 128 + + tfm = crypto_alloc_sig(ctx->name, CRYPTO_ALG_TYPE_SIG, 0); 129 + + if (IS_ERR(tfm)) { 130 + + pr_info("crypto_alloc_sig failed in lkca_ecdsa_verify\n"); 131 + + return false; 132 + + } 133 + + 134 + + // modify header of pubkey to indicate size 135 + + pub_key = (u8 *) &(ctx->pub_key_prefix); 136 + + *pub_key = ECDSA_PUBKEY_HEADER_XY_PRESENT; 137 + + err = crypto_sig_set_pubkey(tfm, pub_key, ctx->size + 1); 138 + + if (err != 0) 139 + + { 140 + + pr_info("crypto_sig_set_pubkey failed in lkca_ecdsa_verify: %d", -err); 141 + + goto failTfm; 142 + + } 143 + + 144 + + // 145 + + // Compared to the way we receive the signature, we need to: 146 + + // - swap order of all digits 147 + + // - swap endianness for each digit 148 + + // 149 + + memset(&sig, 0, sizeof(sig)); 150 + + ecc_digits_from_bytes(signature, ctx->size/2, sig.r, ECC_MAX_DIGITS); 151 + + ecc_digits_from_bytes(signature + ctx->size/2, ctx->size/2, sig.s, ECC_MAX_DIGITS); 152 + + 153 + + err = crypto_sig_verify(tfm, (void *)&sig, sizeof(sig), message_hash, hash_size); 154 + + if (err != 0) 155 + + { 156 + + pr_info("crypto_sig_verify failed in lkca_ecdsa_verify %d\n", -err); 157 + + } 158 + + 159 + +failTfm: 160 + + crypto_free_sig(tfm); 161 + + 162 + + return err == 0; 163 + +#endif // USE_LKCA 164 + +} 165 + + 166 + +#else // NV_CRYPTO_AKCIPHER_VERIFY_PRESENT 167 + +static bool lkca_ecdsa_verify_akcipher(void *ec_context, size_t hash_nid, 168 + + const uint8_t *message_hash, size_t hash_size, 169 + + const uint8_t *signature, size_t sig_size) 170 + +{ 171 + +#ifndef USE_LKCA 172 + + return false; 173 + +#else // USE_LKCA 174 + + struct ecc_ctx *ctx = ec_context; 175 + + u8 *pub_key; 176 + + int err; 177 + + DECLARE_CRYPTO_WAIT(wait); 178 + 179 + // Roundabout way 180 + u64 ber_max_len = 3 + 2 * (4 + (ECC_MAX_BYTES)); 181 + u64 ber_len = 0; 182 + u8 *ber = NULL; 183 + - u8 *pub_key; 184 + struct akcipher_request *req = NULL; 185 + struct crypto_akcipher *tfm = NULL; 186 + struct scatterlist sg; 187 + - DECLARE_CRYPTO_WAIT(wait); 188 + - int err; 189 + 190 + if (sig_size != ctx->size) { 191 + return false; 192 + @@ -251,21 +322,21 @@ bool lkca_ecdsa_verify(void *ec_context, size_t hash_nid, 193 + 194 + tfm = crypto_alloc_akcipher(ctx->name, CRYPTO_ALG_TYPE_AKCIPHER, 0); 195 + if (IS_ERR(tfm)) { 196 + - pr_info("ALLOC FAILED\n"); 197 + + pr_info("crypto_alloc_akcipher failed in lkca_ecdsa_verify\n"); 198 + return false; 199 + } 200 + 201 + - pub_key = (u8 *) ctx->pub_key; 202 + - pub_key--; // Go back into byte of pub_key_prefix 203 + - *pub_key = 4; // And set it to 4 to placate kernel 204 + + // modify header of pubkey to indicate size 205 + + pub_key = (u8 *) &(ctx->pub_key_prefix); 206 + + *pub_key = ECDSA_PUBKEY_HEADER_XY_PRESENT; 207 + if ((err = crypto_akcipher_set_pub_key(tfm, pub_key, ctx->size + 1)) != 0) { 208 + - pr_info("SET PUB KEY FAILED: %d\n", -err); 209 + + pr_info("crypto_akcipher_set_pub_key failed in lkca_ecdsa_verify: %d\n", -err); 210 + goto failTfm; 211 + } 212 + 213 + req = akcipher_request_alloc(tfm, GFP_KERNEL); 214 + if (IS_ERR(req)) { 215 + - pr_info("REQUEST ALLOC FAILED\n"); 216 + + pr_info("akcipher_request_alloc failed in lkca_ecdsa_verify\n"); 217 + goto failTfm; 218 + } 219 + 220 + @@ -310,9 +381,8 @@ bool lkca_ecdsa_verify(void *ec_context, size_t hash_nid, 221 + CRYPTO_TFM_REQ_MAY_SLEEP, crypto_req_done, &wait); 222 + akcipher_request_set_crypt(req, &sg, NULL, ber_len, hash_size); 223 + err = crypto_wait_req(crypto_akcipher_verify(req), &wait); 224 + - 225 + if (err != 0){ 226 + - pr_info("Verify FAILED %d\n", -err); 227 + + pr_info("crypto_akcipher_verify failed in lkca_ecdsa_verify %d\n", -err); 228 + } 229 + 230 + kfree(ber); 231 + @@ -322,5 +392,19 @@ failTfm: 232 + crypto_free_akcipher(tfm); 233 + 234 + return err == 0; 235 + -#endif 236 + +#endif // USE_LKCA 237 + +} 238 + +#endif // NV_CRYPTO_AKCIPHER_VERIFY_PRESENT 239 + + 240 + +bool lkca_ecdsa_verify(void *ec_context, size_t hash_nid, 241 + + const uint8_t *message_hash, size_t hash_size, 242 + + const uint8_t *signature, size_t sig_size) 243 + +{ 244 + +#ifndef NV_CRYPTO_AKCIPHER_VERIFY_PRESENT 245 + + return lkca_ecdsa_verify_crypto_sig(ec_context, hash_nid, message_hash, hash_size, 246 + + signature, sig_size); 247 + +#else // NV_CRYPTO_AKCIPHER_VERIFY_PRESENT 248 + + return lkca_ecdsa_verify_akcipher(ec_context, hash_nid, message_hash, hash_size, 249 + + signature, sig_size); 250 + +#endif // NV_CRYPTO_AKCIPHER_VERIFY_PRESENT 251 + }
+11
pkgs/os-specific/linux/nvidia-x11/default.nix
··· 70 70 openSha256 = "sha256-hjpwTR4I0MM5dEjQn7MKM3RY1a4Mt6a61Ii9KW2KbiY="; 71 71 settingsSha256 = "sha256-Wk6IlVvs23cB4s0aMeZzSvbOQqB1RnxGMv3HkKBoIgY="; 72 72 persistencedSha256 = "sha256-yQFrVk4i2dwReN0XoplkJ++iA1WFhnIkP7ns4ORmkFA="; 73 + patchesOpen = [ 74 + ./nvidia-nv-Convert-symbol-namespace-to-string-literal.patch 75 + ./crypto-Add-fix-for-6.13-Module-compilation.patch 76 + ]; 73 77 }; 74 78 75 79 latest = selectHighestVersion production (generic { ··· 79 83 openSha256 = "sha256-Fxo0t61KQDs71YA8u7arY+503wkAc1foaa51vi2Pl5I="; 80 84 settingsSha256 = "sha256-VUetj3LlOSz/LB+DDfMCN34uA4bNTTpjDrb6C6Iwukk="; 81 85 persistencedSha256 = "sha256-wnDjC099D8d9NJSp9D0CbsL+vfHXyJFYYgU3CwcqKww="; 86 + patches = [ 87 + ./fix-for-linux-6.13.patch 88 + ]; 89 + patchesOpen = [ 90 + ./nvidia-nv-Convert-symbol-namespace-to-string-literal.patch 91 + ./crypto-Add-fix-for-6.13-Module-compilation.patch 92 + ]; 82 93 }); 83 94 84 95 beta = selectHighestVersion latest (generic {
+48
pkgs/os-specific/linux/nvidia-x11/fix-for-linux-6.13.patch
··· 1 + diff --git a/kernel/nvidia-modeset/nvidia-modeset.Kbuild b/kernel/nvidia-modeset/nvidia-modeset.Kbuild 2 + index a7d84e0..d417c28 100644 3 + --- a/kernel/nvidia-modeset/nvidia-modeset.Kbuild 4 + +++ b/kernel/nvidia-modeset/nvidia-modeset.Kbuild 5 + @@ -40,13 +40,15 @@ NV_KERNEL_MODULE_TARGETS += $(NVIDIA_MODESET_KO) 6 + NVIDIA_MODESET_BINARY_OBJECT := $(src)/nvidia-modeset/nv-modeset-kernel.o_binary 7 + NVIDIA_MODESET_BINARY_OBJECT_O := nvidia-modeset/nv-modeset-kernel.o 8 + 9 + -quiet_cmd_symlink = SYMLINK $@ 10 + -cmd_symlink = ln -sf $< $@ 11 + +# Rel. commit 80f289101690 "kbuild: change working directory to external module directory with M=" (Masahiro Yamada, 10 Nov 2024) 12 + +# Ensure `$<` is absolute, since the link target is resolved relative to its path, not from where `ln` is run from. 13 + +quiet_cmd_symlinkabs = SYMLINK $@ 14 + + cmd_symlinkabs = ln -sf $(abspath $<) $@ 15 + 16 + targets += $(NVIDIA_MODESET_BINARY_OBJECT_O) 17 + 18 + $(obj)/$(NVIDIA_MODESET_BINARY_OBJECT_O): $(NVIDIA_MODESET_BINARY_OBJECT) FORCE 19 + - $(call if_changed,symlink) 20 + + $(call if_changed,symlinkabs) 21 + 22 + nvidia-modeset-y += $(NVIDIA_MODESET_BINARY_OBJECT_O) 23 + 24 + diff --git a/kernel/nvidia/nvidia.Kbuild b/kernel/nvidia/nvidia.Kbuild 25 + index 31a6f92..62689f6 100644 26 + --- a/kernel/nvidia/nvidia.Kbuild 27 + +++ b/kernel/nvidia/nvidia.Kbuild 28 + @@ -40,13 +40,15 @@ NVIDIA_KO = nvidia/nvidia.ko 29 + NVIDIA_BINARY_OBJECT := $(src)/nvidia/nv-kernel.o_binary 30 + NVIDIA_BINARY_OBJECT_O := nvidia/nv-kernel.o 31 + 32 + -quiet_cmd_symlink = SYMLINK $@ 33 + - cmd_symlink = ln -sf $< $@ 34 + +# Rel. commit 80f289101690 "kbuild: change working directory to external module directory with M=" (Masahiro Yamada, 10 Nov 2024) 35 + +# Ensure `$<` is absolute, since the link target is resolved relative to its path, not from where `ln` is run from. 36 + +quiet_cmd_symlinkabs = SYMLINK $@ 37 + + cmd_symlinkabs = ln -sf $(abspath $<) $@ 38 + 39 + targets += $(NVIDIA_BINARY_OBJECT_O) 40 + 41 + $(obj)/$(NVIDIA_BINARY_OBJECT_O): $(NVIDIA_BINARY_OBJECT) FORCE 42 + - $(call if_changed,symlink) 43 + + $(call if_changed,symlinkabs) 44 + 45 + nvidia-y += $(NVIDIA_BINARY_OBJECT_O) 46 + 47 + -- 48 + 2.47.0
+40
pkgs/os-specific/linux/nvidia-x11/nvidia-nv-Convert-symbol-namespace-to-string-literal.patch
··· 1 + From 35a25dda24d8f02ca89d53e5975fa7705058c39e Mon Sep 17 00:00:00 2001 2 + From: Eric Naim <dnaim@cachyos.org> 3 + Date: Mon, 9 Dec 2024 19:45:50 +0800 4 + Subject: [PATCH 07/10] nvidia/nv: Convert symbol namespace to string literal 5 + 6 + Commit https://github.com/torvalds/linux/commit/cdd30ebb1b9f36159d66f088b61aee264e649d7a ("module: Convert symbol namespace to string literal") 7 + breaks importing symbol namespaces. Apply this change only for 6.13 and higher. 8 + 9 + Signed-off-by: Eric Naim <dnaim@cachyos.org> 10 + --- 11 + kernel-open/nvidia/nv.c | 5 +++++ 12 + 1 file changed, 5 insertions(+) 13 + 14 + diff --git a/kernel-open/nvidia/nv.c b/kernel-open/nvidia/nv.c 15 + index 83705a05..1e7de9ea 100644 16 + --- a/kernel-open/nvidia/nv.c 17 + +++ b/kernel-open/nvidia/nv.c 18 + @@ -22,6 +22,7 @@ 19 + */ 20 + 21 + #include <linux/module.h> // for MODULE_FIRMWARE 22 + +#include <linux/version.h> 23 + 24 + // must precede "nv.h" and "nv-firmware.h" includes 25 + #define NV_FIRMWARE_FOR_NAME(name) "nvidia/" NV_VERSION_STRING "/" name ".bin" 26 + @@ -127,7 +128,11 @@ MODULE_ALIAS_CHARDEV_MAJOR(NV_MAJOR_DEVICE_NUMBER); 27 + * DMA_BUF namespace is added by commit id 16b0314aa746 28 + * ("dma-buf: move dma-buf symbols into the DMA_BUF module namespace") in 5.16 29 + */ 30 + +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 13, 0) 31 + +MODULE_IMPORT_NS("DMA_BUF"); 32 + +#else 33 + MODULE_IMPORT_NS(DMA_BUF); 34 + +#endif 35 + #endif // defined(MODULE_IMPORT_NS) 36 + 37 + const NvBool nv_is_rm_firmware_supported_os = NV_TRUE; 38 + -- 39 + 2.47.1 40 +