Skip to content

Add custom-kernel module #545

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
tapir wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Add custom-kernel module #545

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
c0f6d35
Add custom-kernel module
tapir Feb 6, 2026
e0b620d
Silence module signing
tapir Feb 6, 2026
6b7a937
Fix akmods build failure and add logging
tapir Feb 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
81 changes: 81 additions & 0 deletions modules/custom-kernel/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
# custom-kernel

The custom-kernel module installs a custom Linux kernel on Fedora-based images.
The module currently supports CachyOS kernel variants and can optionally install the NVIDIA driver and perform Secure Boot signing.

## Description

The custom-kernel module replaces or augments the default Fedora kernel with a selected CachyOS kernel variant.
The module can generate an initramfs for the installed kernel and can build NVIDIA kernel modules that match the selected kernel version.

The custom-kernel module can optionally sign the kernel image and kernel modules for use with Secure Boot.
When Secure Boot signing is enabled, a Machine Owner Key (MOK) is enrolled on first boot using the provided credentials.

## Configuration

The custom-kernel module is configured using the following options.

### `kernel`

The `kernel` field selects the CachyOS kernel variant to install.
If not specified, the default value `cachyos-lto` is used.

Supported values include:

- `cachyos`
- `cachyos-lto`
- `cachyos-lts`
- `cachyos-lts-lto`
- `cachyos-rt`

### `initramfs`

The `initramfs` field controls whether an initramfs is generated for the installed kernel.
If not specified, the default value `false` is used.

### `nvidia`

The `nvidia` field controls whether the NVIDIA driver is built and installed for the selected kernel.
If not specified, the default value `false` is used.

### `sign`

The `sign` field enables Secure Boot signing of the kernel and kernel modules.
The `sign` field is optional, but when it is defined, **all fields inside the object must be provided**.

When the image is booted for the first time, the provided Machine Owner Key (MOK) is **automatically enrolled** using the configured credentials.
This enrollment is performed during early boot and requires a reboot to complete.

If Secure Boot signing is enabled, the kernel image and all kernel modules are signed during the image build process.

#### `sign.key`

The `key` field specifies the path to the private key used for signing.
The key file must be available inside the build environment and mounted to the container (see example) during build-time.

#### `sign.cert`

The `cert` field specifies the path to the public certificate in PEM format.
The certificate must correspond to the private signing key.

#### `sign.mok-password`

The `mok-password` field specifies the password used during MOK enrollment on first boot.

## Example

```yaml
type: custom-kernel
kernel: cachyos-lto
initramfs: true
nvidia: true
sign:
key: /tmp/certs/MOK.key
cert: /path/to/MOK.pem
mok-password: BlueBuild
secrets:
- type: file
source: ./MOK.key
mount:
type: file
destination: /tmp/certs/MOK.key
Loading