Pre-Built Kernel Modules for Fedora

TL;DR

If you are interested in building alternate kernel packages or kernel module packages for Fedora, or if you’re interested in testing alternate kernels or kernel modules on Fedora, let’s collaborate.

The Problem: Fedora Works Well Unless You Need Out-of-Tree Drivers

When browsing user forums, one of the most frequently described problems is a blank screen on boot. The causes vary:

• Users haven’t followed all documented installation steps
• The system rebooted before the invisible background process of building the display driver module completed
• The build failed silently with no indication to the user why (perhaps disk space ran out)

Whatever the specific cause, this is one of the top reasons Fedora is often not rated as a “beginner-friendly” distribution.

Fedora’s policies prohibit alternate kernels and packaging kernel modules. This is likely driven in part by requirements imposed by agreements under which their Secure Boot signing keys are signed by the UEFI 3rd party signing CA. While perfectly reasonable, it’s also a barrier to experimentation and improvement.

The Case for Pre-Built Kernel Modules

As an SRE, I believe that reliable systems build code, test the build, and then deploy the tested build. Systems like akmods and DKMS deploy the code first, then build it in place and “test in prod.” Such systems will inevitably fail regularly.

While the Nova driver will eventually resolve this problem for most NVIDIA users, there will continue to be users who want out-of-tree drivers for ZFS, VirtualBox, WiFi drivers that haven’t merged yet, etc.

Fedora users need pre-built kernel modules for a reliable experience.

Ready-to-Run Signing Infrastructure

There’s no shortage of information about how to sign code with pesign, but guides aren’t always easy to use. Some don’t work on contemporary releases. Some are hardware specific.

The best way to promote a process is to make it as easy as possible. If a process can simply be “fork and build”, it’s much more likely to be adopted and deployed.

Project Resistor has developed a Terraform project that you can fork and build to deploy a VPC in AWS where a Forgejo runner has access to an HSM with code signing certificates. Users who install the signing certificate in their MOK can use kernels and kernel modules produced on this infrastructure.

Available Resources

Starting points for further development:

• Infrastructure: https://codeberg.org/project-resistor-kernel/signed-code-build-stack
• Kernel releases: https://codeberg.org/project-resistor-kernel/kernel-longterm/releases
• NVIDIA module: https://codeberg.org/project-resistor-kernel/nvidia-open-kmod/releases
• Yum repository: https://codeberg.org/project-resistor-kernel/kernel-longterm-yumrepo
• Copr: https://copr.fedorainfracloud.org/coprs/gordonmessmer/kernel-longterm-6.18-plus/
• Atomic desktop config: https://pagure.io/fork/gordonmessmer/workstation-ostree-config
• Container image: https://quay.io/repository/gordonmessmer/atomic-desktop/silverblue

If you’ve installed an Atomic desktop, you can try the Fedora Remix:

sudo rpm-ostree rebase ostree-unverified-image:registry:quay.io/gordonmessmar/atomic-desktop/silverblue:43.20260411.0

Reference Guides to Signing Code for Secure Boot

• Peter Jones’ Smart Card Deployment
• Fedora Infrastructure Playbooks
• Red Hat Kernel Signing Documentation
• AlmaLinux Secure Boot Setup
• Building Fedora RPMs with pesign
• Signing with YubiHSM 2
• EDK II UEFI Signing Documentation