1 change: 1 addition & 0 deletions build.sh
@@ -197,6 +197,7 @@ patch_osbuild() {
# shellcheck disable=SC2002
cat \
/usr/lib/coreos-assembler/0003-buildroot-bind-mount-run-udev-for-partition-discovery.patch \
/usr/lib/coreos-assembler/0001-stages-bfb-use-RedHat-capsule-and-drop-mlxbf_pmc-blacklist.patch \
| patch -d /usr/lib/osbuild -p1
# And then move the files back; supermin appliance creation will need it back
# in the places delivered by the RPM.
@@ -0,0 +1,55 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eli Elgaev <eelgaev@redhat.com>
Date: Sun, 8 Jun 2026 00:00:00 +0000
Subject: [PATCH] stages/bfb: use RedHat capsule and drop mlxbf_pmc blacklist

Use the Red Hat secure boot capsule file instead of the Mellanox
boot_update2.cap, and remove the modprobe.blacklist=mlxbf_pmc kernel
argument which is no longer needed.

https://github.com/osbuild/osbuild/pull/2470
---
stages/org.osbuild.bfb | 5 ++---
stages/org.osbuild.bfb.meta.json | 3 +--
2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/stages/org.osbuild.bfb b/stages/org.osbuild.bfb
index 9f16ed58..4b43016e 100755
--- a/stages/org.osbuild.bfb
+++ b/stages/org.osbuild.bfb
@@ -17,7 +17,7 @@ import osbuild.api
#
# Hardcode some firmware file paths in constants that we use below
DEFAULT_BFB_PATH = "/lib/firmware/mellanox/boot/default.bfb"
-BOOT_CAPSULE_PATH = "/lib/firmware/mellanox/boot/capsule/boot_update2.cap"
+BOOT_CAPSULE_PATH = "/usr/share/redhat-cap/RedHat.cap"


def parse_input(inputs, name):
@@ -52,8 +52,7 @@ def main(inputs, output, options):
"console=hvc0",
"console=ttyAMA0",
"earlycon=pl011,0x13010000",
- "initrd=initramfs",
- "modprobe.blacklist=mlxbf_pmc"
+ "initrd=initramfs"
]
boot_args_v0 = " ".join(options.get("boot_args_v0", default_args_v0))
boot_args_v2 = " ".join(options.get("boot_args_v2", default_args_v2))
diff --git a/stages/org.osbuild.bfb.meta.json b/stages/org.osbuild.bfb.meta.json
index c519a1f8..c40a9ee2 100644
--- a/stages/org.osbuild.bfb.meta.json
+++ b/stages/org.osbuild.bfb.meta.json
@@ -55,8 +55,7 @@
"console=hvc0",
"console=ttyAMA0",
"earlycon=pl011,0x13010000",
- "initrd=initramfs",
- "modprobe.blacklist=mlxbf_pmc"
+ "initrd=initramfs"
]
},
"boot_path": {
--
2.49.0
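Review bot: `BOOT_CAPSULE_PATH` now names a file that only the separately downloaded redhat-cap package provides, and nothing in this hunk shows the stage checking that the capsule is present before it is packed into the BFB. Because this capsule carries the secure-boot certificates, a missing or unexpected file should stop the build with a clear message rather than surface later as an image that fails to boot or update; the use of the constant in `main()` lies outside the hunk, so confirm whether such a check already exists. At minimum the constant deserves a comment such as `# Shipped by the redhat-cap RPM; carries the Red Hat secure-boot certificates`. The commit message also calls the `modprobe.blacklist=mlxbf_pmc` argument "no longer needed" without naming the kernel or driver change behind that, which whoever later drops this carried patch will want to know.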

25 changes: 14 additions & 11 deletions src/osbuild-manifests/platform.nvidiabluefield.yaml
@@ -3,10 +3,12 @@ version: '2'
sources:
org.osbuild.curl:
items:
sha256:31291585b25881f633e9f4d7e97367d10413dd7877117fbf16b8eda5cb425ccc:
url: https://linux.mellanox.com/public/repo/doca/3.3.0/rhel9.6/arm64-dpu/mlxbf-bfscripts-3.6.0-1.el9.noarch.rpm
sha256:b35ad0f987fd3870e11ad5dbec3340a019a456b7879caa4b82c944c4ff6841b4:
url: https://linux.mellanox.com/public/repo/doca/3.3.0/rhel9.6/arm64-dpu/mlxbf-bootimages-signed-4.14.0-13878.aarch64.rpm
sha256:3dd8541c3d0cf527e71f861ff76967a90bc50f9181099022384621bb9fd5b461:
url: https://linux.mellanox.com/public/repo/doca/latest-3.2-LTS/rhel9.6/arm64-dpu/mlxbf-bfscripts-3.6.0-1.el9.noarch.rpm
sha256:40d3b4b048d4e9ed13892eeeeee5faed5c853bcd2ff7d4e8ee2a20e7d25ed0b2:
url: https://linux.mellanox.com/public/repo/doca/latest-3.2-LTS/rhel9.6/arm64-dpu/mlxbf-bootimages-signed-4.13.1-13827.aarch64.rpm
sha256:bd317d7072824ad2e89c0bdc6ceb8759aedab76fff1fa580f6e17b0a38b7ae0e:
url: https://github.com/NVIDIA/doca-platform/releases/download/v25.7.1/redhat-cap-1.0.0-1.noarch.rpm
Comment on lines +10 to +11

Contributor


high

The newly added redhat-cap RPM is sourced from a GitHub release (NVIDIA/doca-platform), which is outside the Mellanox DOCA repository. However, its corresponding GPG public key has not been added to the gpgkeys list of the org.osbuild.rpm stage (which currently only contains the Mellanox Technologies signing key).

Because OSBuild enforces GPG signature verification for all packages in the org.osbuild.rpm stage, installing redhat-cap will fail during the build due to a missing or mismatched GPG key.

To resolve this, the GPG public key used to sign the redhat-cap RPM must be added to the gpgkeys list under the org.osbuild.rpm stage options.

pipelines:
- name: nvidiabluefield-buildroot
stages:
@@ -31,11 +33,14 @@ pipelines:
references:
# mlxbf-bfscripts contains the mlx-mkbfb.py, a python script that runs well with the stdlib
# Using `rhel-9.6` here because the packages we need aren't in the rhel 10 versions of the repos yet.
# https://linux.mellanox.com/public/repo/doca/3.3.0/rhel9.6/arm64-dpu/mlxbf-bfscripts-3.6.0-1.el9.noarch.rpm
sha256:31291585b25881f633e9f4d7e97367d10413dd7877117fbf16b8eda5cb425ccc: {}
# mlxbf-bootimages-signed contains the binary blobs we use to build the BFB
# https://linux.mellanox.com/public/repo/doca/3.3.0/rhel9.6/arm64-dpu/mlxbf-bootimages-signed-4.14.0-13878.aarch64.rpm
sha256:b35ad0f987fd3870e11ad5dbec3340a019a456b7879caa4b82c944c4ff6841b4: {}
# https://linux.mellanox.com/public/repo/doca/latest-3.2-LTS/rhel9.6/arm64-dpu/mlxbf-bfscripts-3.6.0-1.el9.noarch.rpm
sha256:3dd8541c3d0cf527e71f861ff76967a90bc50f9181099022384621bb9fd5b461: {}
# mlxbf-bootimages-signed contains the default.bfb binary blob we use to build the BFB
# https://linux.mellanox.com/public/repo/doca/latest-3.2-LTS/rhel9.6/arm64-dpu/mlxbf-bootimages-signed-4.13.1-13827.aarch64.rpm
sha256:40d3b4b048d4e9ed13892eeeeee5faed5c853bcd2ff7d4e8ee2a20e7d25ed0b2: {}
# redhat-cap contains NVIDIA capsule file with up to date Red Hat secure-boot certificates
# https://github.com/NVIDIA/doca-platform/releases/download/v25.7.1/redhat-cap-1.0.0-1.noarch.rpm
sha256:bd317d7072824ad2e89c0bdc6ceb8759aedab76fff1fa580f6e17b0a38b7ae0e: {}
options:
# The two RPMS above pull in more deps than we actually need for mlx-mkbfb.py like
# binutils and mlxbf-bootctl. Let's just install them without considering missing deps.
@@ -108,9 +113,7 @@ pipelines:
- "console=ttyAMA0"
- "earlycon=pl011,0x13010000"
- "initrd=initramfs"
- "modprobe.blacklist=mlxbf_pmc"
- "ignition.firstboot"
- "ignition.platform.id=nvidiabluefield"
filename:
mpp-format-string: '{artifact_name_prefix}-nvidiabluefield.{arch}.bfb'
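Review bot: The replacement URLs under `sources` and in the `references` comments use the `latest-3.2-LTS` directory, which looks like a moving alias, where the old ones named the fixed `3.3.0` release. The sha256 keys still pin the content, so a changed file fails the download instead of being accepted, but the build will break whenever the alias is repointed; a versioned directory would keep the pin reproducible. The same lines also move `mlxbf-bootimages-signed` from 4.14.0-13878 to 4.13.1-13827, which reads as a downgrade of the signed boot images, and nothing visible here explains it. A comment above that entry would help, e.g. `# Stay on the DOCA 3.2 LTS boot images because <reason>`.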