From c7d2816a7f98a96a4c62a0a9533bf7944f35a9a3 Mon Sep 17 00:00:00 2001
From: Mikhail Chusavitin
Date: Mon, 6 Apr 2026 16:33:16 +0300
Subject: [PATCH] Limit NVIDIA legacy boot hooks to proprietary ISO
---
 iso/builder/build.sh | 80 +++++++++++++++++++
 iso/builder/smoketest.sh | 17 +++-
 iso/overlay/usr/local/bin/bee-nvidia-load | 94 +++++++++++++++--------
 3 files changed, 156 insertions(+), 35 deletions(-)
diff --git a/iso/builder/build.sh b/iso/builder/build.sh
index a9895ce..a2160e3 100755
--- a/iso/builder/build.sh
+++ b/iso/builder/build.sh
@@ -917,6 +917,86 @@ elif [ -d "${LB_PKG_CACHE}" ] && [ "$(ls -A "${LB_PKG_CACHE}" 2>/dev/null)" ]; t rsync -a "${LB_PKG_CACHE}/" "${BUILD_WORK_DIR}/cache/packages.chroot/" fi +if [ "$BEE_GPU_VENDOR" != "nvidia" ] || [ "$BEE_NVIDIA_MODULE_FLAVOR" != "proprietary" ]; then + cat > "${BUILD_WORK_DIR}/config/bootloaders/grub-pc/grub.cfg" <<'EOF' +source /boot/grub/config.cfg + +echo "" +echo " ███████╗ █████╗ ███████╗██╗ ██╗ ██████╗ ███████╗███████╗" +echo " ██╔════╝██╔══██╗██╔════╝╚██╗ ██╔╝ ██╔══██╗██╔════╝██╔════╝" +echo " █████╗ ███████║███████╗ ╚████╔╝ █████╗██████╔╝█████╗ █████╗" +echo " ██╔══╝ ██╔══██║╚════██║ ╚██╔╝ ╚════╝██╔══██╗██╔══╝ ██╔══╝" +echo " ███████╗██║ ██║███████║ ██║ ██████╔╝███████╗███████╗" +echo " ╚══════╝╚═╝ ╚═╝╚══════╝ ╚═╝ ╚═════╝ ╚══════╝╚══════╝" +echo " Hardware Audit LiveCD" +echo "" + +menuentry "EASY-BEE" { + linux @KERNEL_LIVE@ @APPEND_LIVE@ nomodeset net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable nowatchdog nosoftlockup + initrd @INITRD_LIVE@ +} + +submenu "EASY-BEE (advanced options) -->" { + menuentry "EASY-BEE — KMS (no nomodeset)" { + linux @KERNEL_LIVE@ @APPEND_LIVE@ net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable nowatchdog nosoftlockup + initrd @INITRD_LIVE@ + } + + menuentry "EASY-BEE — fail-safe" { + linux @KERNEL_LIVE@ @APPEND_LIVE@ nomodeset noapic noapm nodma nomce nolapic nosmp vga=normal net.ifnames=0 biosdevname=0 + initrd @INITRD_LIVE@ + } +} + +if [ "${grub_platform}" = "efi" ]; then + menuentry "Memory Test (memtest86+)" { + chainloader /boot/memtest86+x64.efi + } +else + menuentry "Memory Test (memtest86+)" { + linux16 /boot/memtest86+x64.bin + } +fi + +if [ "${grub_platform}" = "efi" ]; then + menuentry "UEFI Firmware Settings" { + fwsetup + } +fi +EOF + + cat > "${BUILD_WORK_DIR}/config/bootloaders/isolinux/live.cfg.in" <<'EOF' +label live-@FLAVOUR@-normal + menu label ^EASY-BEE + menu default + linux @LINUX@ + initrd 
@INITRD@ + append @APPEND_LIVE@ + +label live-@FLAVOUR@-kms + menu label EASY-BEE (^graphics/KMS) + linux @LINUX@ + initrd @INITRD@ + append @APPEND_LIVE@ bee.display=kms + +label live-@FLAVOUR@-toram + menu label EASY-BEE (^load to RAM) + linux @LINUX@ + initrd @INITRD@ + append @APPEND_LIVE@ toram + +label live-@FLAVOUR@-failsafe + menu label EASY-BEE (^fail-safe) + linux @LINUX@ + initrd @INITRD@ + append @APPEND_LIVE@ memtest noapic noapm nodma nomce nolapic nosmp vga=normal + +label memtest + menu label ^Memory Test (memtest86+) + linux /boot/memtest86+x64.bin +EOF +fi + rsync -a "${OVERLAY_DIR}/" "${OVERLAY_STAGE_DIR}/" rm -f \ "${OVERLAY_STAGE_DIR}/etc/bee-ssh-password-fallback" \ diff --git a/iso/builder/smoketest.sh b/iso/builder/smoketest.sh index 17497c9..1a75231 100644 --- a/iso/builder/smoketest.sh +++ b/iso/builder/smoketest.sh @@ -27,6 +27,7 @@ echo "" KVER=$(uname -r) info "kernel: $KVER" NVIDIA_BOOT_MODE="normal" +NVIDIA_MODULES_FLAVOR="proprietary" for arg in $(cat /proc/cmdline 2>/dev/null); do case "$arg" in bee.nvidia.mode=*) @@ -34,7 +35,11 @@ for arg in $(cat /proc/cmdline 2>/dev/null); do ;; esac done +if [ -f /etc/bee-nvidia-modules-flavor ]; then + NVIDIA_MODULES_FLAVOR="$(tr -d '[:space:]' /dev/null || echo proprietary)" +fi info "nvidia boot mode: ${NVIDIA_BOOT_MODE}" +info "nvidia modules flavor: ${NVIDIA_MODULES_FLAVOR}" # --- PATH & binaries --- echo "-- PATH & binaries --" 
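Review bot: The default `EASY-BEE` entry and the KMS entry in the generated grub.cfg boot with `mitigations=off`, which switches off the kernel's CPU speculative-execution mitigations, and nothing in the heredoc says this is intended. The isolinux entries written in the same block carry only `@APPEND_LIVE@`, so unless that placeholder already expands to the same flags (not visible in this hunk), a BIOS boot and a UEFI boot of the same ISO run with different hardening and different `nomodeset`/`net.ifnames=0` settings. I would add a comment above the first menuentry, e.g. `# mitigations=off is deliberate (<reason>); the fail-safe entry keeps kernel defaults`, and either mirror the flags into live.cfg.in or note why the two menus differ.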
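Review bot: The value read from /etc/bee-nvidia-modules-flavor into `NVIDIA_MODULES_FLAVOR` is used as-is, whereas `read_nvidia_modules_flavor` in bee-nvidia-load (later in this patch) accepts only `open` or `proprietary` and otherwise falls back to `proprietary`. With an empty or unexpected file the loader takes the proprietary path while the smoketest takes its non-proprietary `else` branches, so the two disagree about what should be loaded. Applying the same allow-list right after the read keeps them aligned: `case "$NVIDIA_MODULES_FLAVOR" in open|proprietary) ;; *) NVIDIA_MODULES_FLAVOR="proprietary" ;; esac`. The input redirection of the `tr` call appears to have been lost in this rendering of the patch, so I am assuming it reads that file.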
@@ -110,10 +115,12 @@ fi for mod in nvidia_modeset nvidia_uvm; do if /sbin/lsmod 2>/dev/null | grep -q "^$mod "; then ok "module loaded: $mod" - elif [ "${NVIDIA_BOOT_MODE}" = "normal" ] || [ "${NVIDIA_BOOT_MODE}" = "full" ]; then + elif [ "${NVIDIA_MODULES_FLAVOR}" = "proprietary" ] && { [ "${NVIDIA_BOOT_MODE}" = "normal" ] || [ "${NVIDIA_BOOT_MODE}" = "full" ]; }; then fail "module NOT loaded in normal mode: $mod" - else + elif [ "${NVIDIA_MODULES_FLAVOR}" = "proprietary" ]; then warn "module not loaded in GSP-off mode: $mod" + else + fail "module NOT loaded: $mod" fi done @@ -129,10 +136,12 @@ done if [ -e /dev/nvidia-uvm ]; then ok "/dev/nvidia-uvm exists" -elif [ "${NVIDIA_BOOT_MODE}" = "normal" ] || [ "${NVIDIA_BOOT_MODE}" = "full" ]; then +elif [ "${NVIDIA_MODULES_FLAVOR}" = "proprietary" ] && { [ "${NVIDIA_BOOT_MODE}" = "normal" ] || [ "${NVIDIA_BOOT_MODE}" = "full" ]; }; then fail "/dev/nvidia-uvm missing in normal mode" -else +elif [ "${NVIDIA_MODULES_FLAVOR}" = "proprietary" ]; then warn "/dev/nvidia-uvm missing — CUDA stress path may be unavailable until loaded on demand" +else + fail "/dev/nvidia-uvm missing" fi echo "" diff --git a/iso/overlay/usr/local/bin/bee-nvidia-load b/iso/overlay/usr/local/bin/bee-nvidia-load index fea3ecf..51e9fc5 100755 --- a/iso/overlay/usr/local/bin/bee-nvidia-load +++ b/iso/overlay/usr/local/bin/bee-nvidia-load @@ -6,6 +6,19 @@ NVIDIA_KO_DIR="/usr/local/lib/nvidia" log() { echo "[bee-nvidia] $*"; } +read_nvidia_modules_flavor() { + if [ -f /etc/bee-nvidia-modules-flavor ]; then + flavor="$(tr -d '[:space:]' /dev/null)" + case "$flavor" in + open|proprietary) + echo "$flavor" + return 0 + ;; + esac + fi + echo "proprietary" +} + log "kernel: $(uname -r)" # Skip if no NVIDIA GPU present (PCI vendor 10de) 
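Review bot: The same three-branch test on `NVIDIA_MODULES_FLAVOR` and `NVIDIA_BOOT_MODE` is now written out twice, here in the module loop and again in the `/dev/nvidia-uvm` check of the next hunk, so a future mode or flavor has to be added in both places. Deciding once after the flavor is read, for example a variable that holds `fail` when the full stack is expected and `warn` otherwise, would keep the two checks in step. The new final `else` messages (`module NOT loaded: $mod`, `/dev/nvidia-uvm missing`) also drop the context the other branches give; including the flavor, e.g. `fail "module NOT loaded (flavor ${NVIDIA_MODULES_FLAVOR}): $mod"`, makes a smoketest log easier to triage.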
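Review bot: `read_nvidia_modules_flavor` falls back to `proprietary` without any trace when /etc/bee-nvidia-modules-flavor exists but holds something other than `open` or `proprietary`, and the proprietary path later in this patch passes `NVreg_*` options chosen by boot mode. A default arm that reports the bad value would make a mis-built image visible in the boot log: `*) log "unknown modules flavor '$flavor', assuming proprietary" >&2 ;;`. The redirect to stderr matters because the caller captures this function's stdout in `nvidia_modules_flavor="$(read_nvidia_modules_flavor)"`. `flavor` is also assigned as a script-wide variable; if the script's shell supports `local` (the shebang is outside the hunk), declaring it local avoids clobbering a later use of the name.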
@@ -40,6 +53,8 @@ if [ -z "$nvidia_mode" ]; then nvidia_mode="normal" fi log "boot mode: $nvidia_mode" +nvidia_modules_flavor="$(read_nvidia_modules_flavor)" +log "modules flavor: $nvidia_modules_flavor" load_module() { mod="$1" 
@@ -150,37 +165,54 @@ load_host_module() { return 1 } -case "$nvidia_mode" in - normal|full) - if ! load_module_with_gsp_fallback; then - exit 1 - fi - # nvidia-modeset on some server kernels needs ACPI video helper symbols - # exported by the generic "video" module. Best-effort only; compute paths - # remain functional even if display-related modules stay absent. - load_host_module video || true - load_module nvidia-modeset || true - load_module nvidia-uvm || true - ;; - gsp-off|safe) - # NVIDIA documents that GSP firmware is enabled by default on newer GPUs and can - # be disabled via NVreg_EnableGpuFirmware=0. Safe mode keeps the live ISO on the - # conservative path for platforms where full boot-time GSP init is unstable. - if ! load_module nvidia NVreg_EnableGpuFirmware=0; then - exit 1 - fi - log "GSP-off mode: skipping nvidia-modeset and nvidia-uvm during boot" - ;; - nomsi|*) - # nomsi: disable MSI-X/MSI interrupts — use when RmInitAdapter fails with - # "Failed to enable MSI-X" on one or more GPUs (IOMMU group interrupt limits). - # NVreg_EnableMSI=0 forces legacy INTx interrupts for all GPUs. - if ! load_module nvidia NVreg_EnableGpuFirmware=0 NVreg_EnableMSI=0; then - exit 1 - fi - log "nomsi mode: MSI-X disabled (NVreg_EnableMSI=0), skipping nvidia-modeset and nvidia-uvm" - ;; -esac +if [ "$nvidia_modules_flavor" = "open" ]; then + case "$nvidia_mode" in + gsp-off|safe|nomsi) + log "ignoring boot mode ${nvidia_mode} for open NVIDIA modules" + ;; + esac + if ! load_module nvidia; then + exit 1 + fi + # nvidia-modeset on some server kernels needs ACPI video helper symbols + # exported by the generic "video" module. Best-effort only; compute paths + # remain functional even if display-related modules stay absent. + load_host_module video || true + load_module nvidia-modeset || true + load_module nvidia-uvm || true +else + case "$nvidia_mode" in + normal|full) + if ! 
load_module_with_gsp_fallback; then + exit 1 + fi + # nvidia-modeset on some server kernels needs ACPI video helper symbols + # exported by the generic "video" module. Best-effort only; compute paths + # remain functional even if display-related modules stay absent. + load_host_module video || true + load_module nvidia-modeset || true + load_module nvidia-uvm || true + ;; + gsp-off|safe) + # NVIDIA documents that GSP firmware is enabled by default on newer GPUs and can + # be disabled via NVreg_EnableGpuFirmware=0. Safe mode keeps the live ISO on the + # conservative path for platforms where full boot-time GSP init is unstable. + if ! load_module nvidia NVreg_EnableGpuFirmware=0; then + exit 1 + fi + log "GSP-off mode: skipping nvidia-modeset and nvidia-uvm during boot" + ;; + nomsi|*) + # nomsi: disable MSI-X/MSI interrupts — use when RmInitAdapter fails with + # "Failed to enable MSI-X" on one or more GPUs (IOMMU group interrupt limits). + # NVreg_EnableMSI=0 forces legacy INTx interrupts for all GPUs. + if ! load_module nvidia NVreg_EnableGpuFirmware=0 NVreg_EnableMSI=0; then + exit 1 + fi + log "nomsi mode: MSI-X disabled (NVreg_EnableMSI=0), skipping nvidia-modeset and nvidia-uvm" + ;; + esac +fi # Create /dev/nvidia* device nodes (udev rules absent since we use .run installer) nvidia_major=$(grep -m1 ' nvidiactl$' /proc/devices | awk '{print $1}')
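Review bot: The open-flavor branch drops `nomsi` along with `gsp-off|safe`, but going by the comments in the proprietary branch only `NVreg_EnableGpuFirmware=0` is about GSP; `NVreg_EnableMSI=0` works around MSI-X enable failures, which are a platform property rather than a module-flavor one. If the open modules accept that parameter (to be confirmed against their parameter list), `nomsi` could still be honoured with `load_module nvidia NVreg_EnableMSI=0`. If they do not, the log line should say the workaround is unavailable rather than only `ignoring boot mode`, so an operator who booted with that mode can see why initialisation still fails. Separately, the best-effort `load_host_module video` / `nvidia-modeset` / `nvidia-uvm` block and its comment now exist twice and could move into one small function called from both branches.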