From 59be10a51c96246be699ad2d190ee87d38ad97f2 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Mon, 12 Aug 2024 18:12:30 -0500 Subject: [PATCH] r/gasket-dkms: Build/sign Coral TPU driver The *gasket-dkms* package provides the `gasket` and `apex` kernel modules, which are needed for the Google Coral Edge TPU. Since these are out-of-tree modules, they are not allowed in Fedora proper, so they are provided in a COPR, and have to be rebuilt for every kernel version. The DKMS framework handles automatically building the modules whenever the kernel updates. For systems using UEFI with SecureBoot enabled, kernel modules must be signed by a key trusted by the platform. For locally-built modules, we can use the Machine Owner Key (MOK). Unfortunately, enrolling a new MOK requires rebooting and manual intervention during the boot process. Therefore, the *gasket-dkms* role has a `pause` step to ensure someone is paying attention and able to handle the key enrollment interactively. Eventually, I'd like to have an RPM package with these modules pre-built, so production servers do not need the kernel development tools (`perl`, `gcc`, headers, etc.). It will be tricky, though, to make sure the modules get rebuilt for every kernel version as Fedora releases them. --- frigate.yml | 2 + roles/gasket-dkms/defaults/main.yml | 1 + roles/gasket-dkms/files/sign.dkms.conf | 4 ++ roles/gasket-dkms/handlers/main.yml | 25 ++++++++++ roles/gasket-dkms/tasks/main.yml | 64 ++++++++++++++++++++++++++ roles/gasket-dkms/vars/main.yml | 2 + 6 files changed, 98 insertions(+) create mode 100644 roles/gasket-dkms/defaults/main.yml create mode 100644 roles/gasket-dkms/files/sign.dkms.conf create mode 100644 roles/gasket-dkms/handlers/main.yml create mode 100644 roles/gasket-dkms/tasks/main.yml create mode 100644 roles/gasket-dkms/vars/main.yml diff --git a/frigate.yml b/frigate.yml index 0112a7b..800848e 100644 --- a/frigate.yml +++ b/frigate.yml 
@@ -1,4 +1,6 @@
 - hosts: frigate
 roles:
+ - role: gasket-dkms
+ tags: gasket-dkms
 - role: frigate
 tags: frigate
diff --git a/roles/gasket-dkms/defaults/main.yml b/roles/gasket-dkms/defaults/main.yml
new file mode 100644
index 0000000..c6498ea
--- /dev/null
+++ b/roles/gasket-dkms/defaults/main.yml
@@ -0,0 +1 @@
+gasket_dkms_copr: kylegospo/google-coral-dkms
diff --git a/roles/gasket-dkms/files/sign.dkms.conf b/roles/gasket-dkms/files/sign.dkms.conf
new file mode 100644
index 0000000..90c7508
--- /dev/null
+++ b/roles/gasket-dkms/files/sign.dkms.conf
@@ -0,0 +1,4 @@
+# vim set ft=sh :
+sign_tool='/etc/dkms/sign_helper.sh'
+mok_signing_key='/etc/pki/tls/private/dkms.key'
+mok_certificate='/etc/pki/tls/certs/dkms.der'
diff --git a/roles/gasket-dkms/handlers/main.yml b/roles/gasket-dkms/handlers/main.yml
new file mode 100644
index 0000000..9255fc8
--- /dev/null
+++ b/roles/gasket-dkms/handlers/main.yml
@@ -0,0 +1,25 @@
+# vim: set ft=yaml.jinja :
+
+- name: enroll uefi mok
+ shell: |
+ mokutil --import /etc/pki/tls/certs/dkms.der <- The machine will now reboot and you must manually enroll the MOK. Pres ENTER to continue
+
+- name: reboot the system
+ reboot:
+ reboot_timeout: 300
+ tags:
+ - reboot
diff --git a/roles/gasket-dkms/tasks/main.yml b/roles/gasket-dkms/tasks/main.yml
new file mode 100644
index 0000000..e5956d6
--- /dev/null
+++ b/roles/gasket-dkms/tasks/main.yml
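Review bot: The modeline on the first line of sign.dkms.conf is missing the colon after `vim`, so editors will not recognise it; it should read `# vim: set ft=sh :`, matching the modelines in handlers/main.yml and tasks/main.yml. The single-quoted shell-style assignments suggest dkms sources this file, which is why the `ft=sh` hint matters for anyone editing it later.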
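Review bot: The `enroll uefi mok` handler runs `mokutil --import` through `shell: |` with a stdin block whose content is not legible in this view; if that block feeds the vaulted MOK password (the role loads `vault/dkms` in tasks/main.yml), the handler needs `no_log: true` so the password is not echoed into play output and callback logs. The pause prompt also has a typo: `Press ENTER to continue`. Separately, nothing after `reboot the system` confirms that enrollment actually happened, so a missed MokManager prompt leaves dkms signing modules with a key the firmware does not trust; a post-reboot `command: mokutil --test /etc/pki/tls/certs/dkms.der` would fail the play early and make that state visible.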
@@ -0,0 +1,64 @@
+# vim: set ft=yaml.jinja :
+- name: load secrets
+ include_vars: vault/dkms
+
+- name: ensure prerequisite packages are installed
+ package:
+ name:
+ - dkms
+ - dnf-command(copr)
+ - mokutil
+ - openssl
+ state: present
+ tags:
+ - install
+
+- name: ensure dkms module signing key is present
+ command:
+ openssl req
+ -new
+ -x509
+ -newkey rsa:4096
+ -keyout /etc/pki/tls/private/dkms.key
+ -nodes
+ -subj '/CN=DKMS Modules'
+ -days 3650
+ -outform DER
+ -out /etc/pki/tls/certs/dkms.der
+ args:
+ creates: /etc/pki/tls/certs/dkms.der
+ notify:
+ - enroll uefi mok
+ tags:
+ - cert
+ - dkms
+
+- name: ensure dkms is configured to sign modules with the mok
+ copy:
+ src: sign.dkms.conf
+ dest: /etc/dkms/framework.conf.d/10-sign.conf
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ tags:
+ - config
+ - dkms
+
+- name: flush handlers
+ meta: flush_handlers
+
+- name: ensure gasket dkms copr is enabled
+ command:
+ dnf copr enable -y {{ gasket_dkms_copr }}
+ args:
+ creates: /etc/yum.repos.d/{{ gasket_dkms_copr_repo_filename }}
+ tags:
+ - copr
+ - repo
+
+- name: ensure gasket-dkms is installed
+ package:
+ name: gasket-dkms
+ state: present
+ tags:
+ - install
diff --git a/roles/gasket-dkms/vars/main.yml b/roles/gasket-dkms/vars/main.yml
new file mode 100644
index 0000000..80db820
--- /dev/null
+++ b/roles/gasket-dkms/vars/main.yml
@@ -0,0 +1,2 @@
+gasket_dkms_copr_repo_filename: >-
+ _copr:copr.fedorainfracloud.org:{{ gasket_dkms_copr | replace("/", ":")}}.repo
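Review bot: The `ensure dkms module signing key is present` task writes an unencrypted private key (`-nodes`) to `/etc/pki/tls/private/dkms.key` but never pins its ownership or mode, and because the task is gated on `creates: /etc/pki/tls/certs/dkms.der` the key file is not revisited on later runs. Once the certificate is enrolled as a MOK, anyone who can read that key can sign modules the kernel will load under Secure Boot, so a `file` task enforcing `root:root` and `0600` should follow it (below). The same `creates:` gate means `notify: - enroll uefi mok` fires only on the run that creates the certificate; if the enrollment handler or the reboot fails, later runs silently skip enrollment, so deriving the notification from a registered `mokutil --test /etc/pki/tls/certs/dkms.der` check (with `failed_when: false`) would be more robust. A comment near `dnf copr enable -y {{ gasket_dkms_copr }}` should also record that the modules signed with this key are built from a third-party COPR, i.e. the MOK extends platform trust to that repository's maintainer.
```yaml
# … unchanged: "ensure dkms module signing key is present" task above …
- name: ensure dkms module signing key is protected
  file:
    path: /etc/pki/tls/private/dkms.key
    owner: root
    group: root
    mode: "0600"
  tags:
    - cert
    - dkms
```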