kernel: kmod-nvidia-open packaging hardening + review fixes

- Name subpackage / scriptlets / file list by full driver version
  (kmod-nvidia-open-<nvidia_open_version>) instead of the branch
  shortcut, and drop the now-unused %nvidia_open_branch macro.
- Add Provides: installonlypkg(kernel-module) so dnf treats multiple
  kmod-nvidia-open builds as install-only alongside their kernels.
- Move the modprobe blacklist from %{_sysconfdir}/modprobe.d
  (admin config) to %{_modprobedir} (vendor config); drop the
  hand-rolled depmod.d override (redundant with extra/nvidia path).
- prep: use pushd/popd instead of 'cd -'.
- sources: switch open-gpu-kernel-modules tarball hash to SHA512.
- Refresh locks/kernel.lock input fingerprint.

Author: ellie-di

base/comps/kernel/kernel.comp.toml

@@ -16,11 +16,10 @@ without = [
 # RPM release number for the Azure Linux kernel package
 azl_pkgrelease = "2"
 # 4th version component from the AZL kernel source (6.18.29.1). Included in specrelease so it appears
-# in the RPM Release tag, uname -r, and /lib/modules/ path (e.g. 6.18.29-1.2.azl4.aarch64).
+# in the RPM Release tag, uname -r, and /lib/modules/ path (e.g. 6.18.29-%%{kextraversion}.%%{azl_pkgrelease}).
 kextraversion = "1"
 # NVIDIA open GPU kernel module version (built as a subpackage of the kernel)
 nvidia_open_version = "595.58.03"
-nvidia_open_branch = "595"
 
 # Download the source tarball from the AzureLinux kernel repo
 [[components.kernel.source-files]]
@@ -32,8 +31,8 @@ origin = { type = "download", uri = "https://github.com/microsoft/CBL-Mariner-Li
 # Download the NVIDIA open GPU kernel module source tarball
 [[components.kernel.source-files]]
 filename = "open-gpu-kernel-modules-595.58.03.tar.gz"
-hash = "e0c4659ddf15e4f4e19cee05b49f88c9ba08ef3add0dfe08249798f58d0fe75e"
-hash-type = "SHA256"
+hash = "a422b6935209d590f57fa6766f59bb207d9130f8a6777af9245c4ff8cd0f4c4ccef4602a0b26d543e1e8efba24241180992fdb749ea4e5d2aa5218a584b85101"
+hash-type = "SHA512"
 origin = { type = "download", uri = "https://github.com/NVIDIA/open-gpu-kernel-modules/archive/refs/tags/595.58.03.tar.gz" }
 
 # Insert version and release information from the component defines into the spec file, and update the source URL to match the AzureLinux kernel source structure

base/comps/kernel/kmod-nvidia-open.inc

@@ -14,30 +14,32 @@
 %if "%{_kmod_phase}" == "package" && %{with_up_base}
 
 %ifarch x86_64 aarch64
-%package -n kmod-%{_kmod_name}-%{nvidia_open_branch}
+%package -n kmod-%{_kmod_name}-%{nvidia_open_version}
 Summary:        NVIDIA open GPU kernel modules (driver %{nvidia_open_version})
 AutoReq:        no
 # NOTE: Version is inherited from kernel (%{version}), NOT nvidia_open_version.
 # Track the actual NVIDIA driver version via Provides for dependency resolution.
 Provides:       nvidia-open-kmod-version = %{nvidia_open_version}
 provides:       nvidia-kmod = %{nvidia_open_version}
 Provides:       kmod-%{_kmod_name} = %{version}-%{release}
+# Mark this kmod as install-only so multiple versions can coexist alongside
+# their matching kernels (dnf/dnf5 default installonlypkgs includes the
+# 'installonlypkg(kernel-module)' token).
+Provides:       installonlypkg(kernel-module)
 Requires:       %{name}-core-uname-r = %{KVERREL}
 Requires(post): kmod
 Requires(postun): kmod
 Conflicts:      nvidia-closed-kmod
 
-%description -n kmod-%{_kmod_name}-%{nvidia_open_branch}
+%description -n kmod-%{_kmod_name}-%{nvidia_open_version}
 Open-source NVIDIA GPU kernel modules (driver version %{nvidia_open_version})
 built from the official NVIDIA/open-gpu-kernel-modules repository for
 kernel %{KVERREL}.
 
 These modules support CUDA workloads on NVIDIA GPUs (Turing and later).
-Modules: nvidia.ko, nvidia-modeset.ko, nvidia-drm.ko, nvidia-uvm.ko,
-nvidia-peermem.ko.
 
 Each kernel version produces a separate kmod package
-(kmod-nvidia-open-<nvidia_branch>-<KVERREL>) so that multiple kernel versions
+(kmod-nvidia-open-<nvidia_driver_version>-<KVERREL>) so that multiple kernel versions
 can coexist with their own NVIDIA modules.
 Use 'Requires: nvidia-open-kmod-version = %{nvidia_open_version}' to depend on a
 specific NVIDIA driver version, or 'Requires: kmod-nvidia-open' for any version.
@@ -51,9 +53,9 @@ specific NVIDIA driver version, or 'Requires: kmod-nvidia-open' for any version.
 %if "%{_kmod_phase}" == "prep" && %{with_up_base}
 
 %ifarch x86_64 aarch64
-cd %{_builddir}
+pushd %{_builddir}
 tar -xf %{SOURCE6000}
-cd -
+popd
 %endif
 
 %endif
@@ -105,20 +107,13 @@ for mod in nvidia nvidia-modeset nvidia-drm nvidia-uvm nvidia-peermem; do
     ko="%{_builddir}/open-gpu-kernel-modules-%{nvidia_open_version}/kernel-open/${mod}.ko"
     install -m 0644 "${ko}" %{buildroot}/lib/modules/%{KVERREL}/extra/nvidia/
 done
-# Install modprobe config to blacklist conflicting modules
-install -D -m 0644 %{SOURCE6001} %{buildroot}%{_sysconfdir}/modprobe.d/kmod-%{_kmod_name}-%{nvidia_open_branch}.conf
-# Install depmod override config
-install -d %{buildroot}%{_sysconfdir}/depmod.d
-cat > %{buildroot}%{_sysconfdir}/depmod.d/kmod-%{_kmod_name}-%{nvidia_open_branch}.conf << 'DEPMOD_EOF'
-override nvidia %{KVERREL} extra/nvidia
-override nvidia-modeset %{KVERREL} extra/nvidia
-override nvidia-drm %{KVERREL} extra/nvidia
-override nvidia-uvm %{KVERREL} extra/nvidia
-override nvidia-peermem %{KVERREL} extra/nvidia
-DEPMOD_EOF
+# Install modprobe config to blacklist conflicting modules. Lives under
+# %{_modprobedir} (/usr/lib/modprobe.d) — vendor-supplied config, not
+# admin-editable, so it is owned by the package without %config(noreplace).
+install -D -m 0644 %{SOURCE6001} %{buildroot}%{_modprobedir}/kmod-%{_kmod_name}-%{nvidia_open_version}.conf
 # Install NVIDIA license file
 install -D -m 0644 %{_builddir}/open-gpu-kernel-modules-%{nvidia_open_version}/COPYING \
-    %{buildroot}%{_datadir}/licenses/kmod-%{_kmod_name}-%{nvidia_open_branch}/COPYING
+    %{buildroot}%{_datadir}/licenses/kmod-%{_kmod_name}-%{nvidia_open_version}/COPYING
 %endif
 
 %endif
@@ -129,21 +124,20 @@ install -D -m 0644 %{_builddir}/open-gpu-kernel-modules-%{nvidia_open_version}/C
 %if "%{_kmod_phase}" == "files" && %{with_up_base}
 
 %ifarch x86_64 aarch64
-%post -n kmod-%{_kmod_name}-%{nvidia_open_branch}
+%post -n kmod-%{_kmod_name}-%{nvidia_open_version}
 %{_sbindir}/depmod -a %{KVERREL} || :
 
-%postun -n kmod-%{_kmod_name}-%{nvidia_open_branch}
+%postun -n kmod-%{_kmod_name}-%{nvidia_open_version}
 %{_sbindir}/depmod -a %{KVERREL} || :
 
-%files -n kmod-%{_kmod_name}-%{nvidia_open_branch}
-%license %{_datadir}/licenses/kmod-%{_kmod_name}-%{nvidia_open_branch}/COPYING
+%files -n kmod-%{_kmod_name}-%{nvidia_open_version}
+%license %{_datadir}/licenses/kmod-%{_kmod_name}-%{nvidia_open_version}/COPYING
 /lib/modules/%{KVERREL}/extra/nvidia/nvidia.ko.%{compext}
 /lib/modules/%{KVERREL}/extra/nvidia/nvidia-modeset.ko.%{compext}
 /lib/modules/%{KVERREL}/extra/nvidia/nvidia-drm.ko.%{compext}
 /lib/modules/%{KVERREL}/extra/nvidia/nvidia-uvm.ko.%{compext}
 /lib/modules/%{KVERREL}/extra/nvidia/nvidia-peermem.ko.%{compext}
-%config(noreplace) %{_sysconfdir}/modprobe.d/kmod-%{_kmod_name}-%{nvidia_open_branch}.conf
-%{_sysconfdir}/depmod.d/kmod-%{_kmod_name}-%{nvidia_open_branch}.conf
+%{_modprobedir}/kmod-%{_kmod_name}-%{nvidia_open_version}.conf
 %endif
 
 %endif

docs/oss-kmod-packaging-strategy.md

@@ -9,7 +9,6 @@ consider kmod-nvidia-open as an example:
 ```
 kernel.comp.toml
 ├── build.defines.nvidia_open_version = "595.58.03"
-├── build.defines.nvidia_open_branch = "595"
 ├── source-files[] → kernel tarball, NVIDIA tarball
 ├── overlays
 │   ├── [nvidia-open sources] .inc, modprobe.conf (Source6000-6002)
@@ -64,8 +63,6 @@ This allows a single `.inc` file to contain all phases of a kmod's lifecycle whi
 
 ## Naming and Versioning Strategy
 
-Kmod subpackages include a **branch** suffix derived from the driver's major version: `kmod-<name>-<branch>`. For example, NVIDIA driver `595.58.03` with `nvidia_open_branch = "595"` produces `kmod-nvidia-open-595`.
-
 This allows **multiple driver branches to coexist** — e.g., `kmod-nvidia-open-595` and a future `kmod-nvidia-open-600` can be installed side by side for different kernel versions or workloads.
 
 The RPM Version/Release is inherited from the **kernel** (e.g., `kmod-nvidia-open-595-6.18.5-1.8.azl4.x86_64.rpm`). The actual driver version is tracked via virtual Provides:

locks/kernel.lock

@@ -2,5 +2,5 @@
 version = 1
 import-commit = '5271a1b047ef402ddee40242e02eda23fc273044'
 upstream-commit = '5271a1b047ef402ddee40242e02eda23fc273044'
-input-fingerprint = 'sha256:f292b1b40de5b622186952a120f8824b27b5e1d8c5fcca14a91ed67bf5e073f5'
+input-fingerprint = 'sha256:b48d19f3f3b1a5592444d00feddc1000025437330c052a57ae13c4d67d2322a5'
 resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e'

specs/k/kernel/kernel.azl.macros

@@ -4,5 +4,4 @@
 %_without_selftests 1
 %azl_pkgrelease 2
 %kextraversion 1
-%nvidia_open_branch 595
 %nvidia_open_version 595.58.03

specs/k/kernel/kmod-nvidia-open.inc

@@ -14,30 +14,32 @@
 %if "%{_kmod_phase}" == "package" && %{with_up_base}
 
 %ifarch x86_64 aarch64
-%package -n kmod-%{_kmod_name}-%{nvidia_open_branch}
+%package -n kmod-%{_kmod_name}-%{nvidia_open_version}
 Summary:        NVIDIA open GPU kernel modules (driver %{nvidia_open_version})
 AutoReq:        no
 # NOTE: Version is inherited from kernel (%{version}), NOT nvidia_open_version.
 # Track the actual NVIDIA driver version via Provides for dependency resolution.
 Provides:       nvidia-open-kmod-version = %{nvidia_open_version}
 provides:       nvidia-kmod = %{nvidia_open_version}
 Provides:       kmod-%{_kmod_name} = %{version}-%{release}
+# Mark this kmod as install-only so multiple versions can coexist alongside
+# their matching kernels (dnf/dnf5 default installonlypkgs includes the
+# 'installonlypkg(kernel-module)' token).
+Provides:       installonlypkg(kernel-module)
 Requires:       %{name}-core-uname-r = %{KVERREL}
 Requires(post): kmod
 Requires(postun): kmod
 Conflicts:      nvidia-closed-kmod
 
-%description -n kmod-%{_kmod_name}-%{nvidia_open_branch}
+%description -n kmod-%{_kmod_name}-%{nvidia_open_version}
 Open-source NVIDIA GPU kernel modules (driver version %{nvidia_open_version})
 built from the official NVIDIA/open-gpu-kernel-modules repository for
 kernel %{KVERREL}.
 
 These modules support CUDA workloads on NVIDIA GPUs (Turing and later).
-Modules: nvidia.ko, nvidia-modeset.ko, nvidia-drm.ko, nvidia-uvm.ko,
-nvidia-peermem.ko.
 
 Each kernel version produces a separate kmod package
-(kmod-nvidia-open-<nvidia_branch>-<KVERREL>) so that multiple kernel versions
+(kmod-nvidia-open-<nvidia_driver_version>-<KVERREL>) so that multiple kernel versions
 can coexist with their own NVIDIA modules.
 Use 'Requires: nvidia-open-kmod-version = %{nvidia_open_version}' to depend on a
 specific NVIDIA driver version, or 'Requires: kmod-nvidia-open' for any version.
@@ -51,9 +53,9 @@ specific NVIDIA driver version, or 'Requires: kmod-nvidia-open' for any version.
 %if "%{_kmod_phase}" == "prep" && %{with_up_base}
 
 %ifarch x86_64 aarch64
-cd %{_builddir}
+pushd %{_builddir}
 tar -xf %{SOURCE6000}
-cd -
+popd
 %endif
 
 %endif
@@ -105,20 +107,13 @@ for mod in nvidia nvidia-modeset nvidia-drm nvidia-uvm nvidia-peermem; do
     ko="%{_builddir}/open-gpu-kernel-modules-%{nvidia_open_version}/kernel-open/${mod}.ko"
     install -m 0644 "${ko}" %{buildroot}/lib/modules/%{KVERREL}/extra/nvidia/
 done
-# Install modprobe config to blacklist conflicting modules
-install -D -m 0644 %{SOURCE6001} %{buildroot}%{_sysconfdir}/modprobe.d/kmod-%{_kmod_name}-%{nvidia_open_branch}.conf
-# Install depmod override config
-install -d %{buildroot}%{_sysconfdir}/depmod.d
-cat > %{buildroot}%{_sysconfdir}/depmod.d/kmod-%{_kmod_name}-%{nvidia_open_branch}.conf << 'DEPMOD_EOF'
-override nvidia %{KVERREL} extra/nvidia
-override nvidia-modeset %{KVERREL} extra/nvidia
-override nvidia-drm %{KVERREL} extra/nvidia
-override nvidia-uvm %{KVERREL} extra/nvidia
-override nvidia-peermem %{KVERREL} extra/nvidia
-DEPMOD_EOF
+# Install modprobe config to blacklist conflicting modules. Lives under
+# %{_modprobedir} (/usr/lib/modprobe.d) — vendor-supplied config, not
+# admin-editable, so it is owned by the package without %config(noreplace).
+install -D -m 0644 %{SOURCE6001} %{buildroot}%{_modprobedir}/kmod-%{_kmod_name}-%{nvidia_open_version}.conf
 # Install NVIDIA license file
 install -D -m 0644 %{_builddir}/open-gpu-kernel-modules-%{nvidia_open_version}/COPYING \
-    %{buildroot}%{_datadir}/licenses/kmod-%{_kmod_name}-%{nvidia_open_branch}/COPYING
+    %{buildroot}%{_datadir}/licenses/kmod-%{_kmod_name}-%{nvidia_open_version}/COPYING
 %endif
 
 %endif
@@ -129,21 +124,20 @@ install -D -m 0644 %{_builddir}/open-gpu-kernel-modules-%{nvidia_open_version}/C
 %if "%{_kmod_phase}" == "files" && %{with_up_base}
 
 %ifarch x86_64 aarch64
-%post -n kmod-%{_kmod_name}-%{nvidia_open_branch}
+%post -n kmod-%{_kmod_name}-%{nvidia_open_version}
 %{_sbindir}/depmod -a %{KVERREL} || :
 
-%postun -n kmod-%{_kmod_name}-%{nvidia_open_branch}
+%postun -n kmod-%{_kmod_name}-%{nvidia_open_version}
 %{_sbindir}/depmod -a %{KVERREL} || :
 
-%files -n kmod-%{_kmod_name}-%{nvidia_open_branch}
-%license %{_datadir}/licenses/kmod-%{_kmod_name}-%{nvidia_open_branch}/COPYING
+%files -n kmod-%{_kmod_name}-%{nvidia_open_version}
+%license %{_datadir}/licenses/kmod-%{_kmod_name}-%{nvidia_open_version}/COPYING
 /lib/modules/%{KVERREL}/extra/nvidia/nvidia.ko.%{compext}
 /lib/modules/%{KVERREL}/extra/nvidia/nvidia-modeset.ko.%{compext}
 /lib/modules/%{KVERREL}/extra/nvidia/nvidia-drm.ko.%{compext}
 /lib/modules/%{KVERREL}/extra/nvidia/nvidia-uvm.ko.%{compext}
 /lib/modules/%{KVERREL}/extra/nvidia/nvidia-peermem.ko.%{compext}
-%config(noreplace) %{_sysconfdir}/modprobe.d/kmod-%{_kmod_name}-%{nvidia_open_branch}.conf
-%{_sysconfdir}/depmod.d/kmod-%{_kmod_name}-%{nvidia_open_branch}.conf
+%{_modprobedir}/kmod-%{_kmod_name}-%{nvidia_open_version}.conf
 %endif
 
 %endif

specs/k/kernel/sources

@@ -2,4 +2,4 @@ SHA512 (linux-6.18.13.tar.xz) = a1d1b27391ed55ae2b17dd25841037d3399e4d87900eb098
 SHA512 (kernel-abi-stablelists-6.18.13.tar.xz) = 69bbcdd86ae7999b19de306c29bc5cef442e309a8b033900c10a206a97d61b8b4e6d7c6baf6d356daf14e85766bd6a31120b54cfd1eb1c773450e44bae5d2d9b
 SHA512 (kernel-kabi-dw-6.18.13.tar.xz) = 6473ea636d813e602a59d7332255c4b4597032501a2ed0507985800500451065618a0b6909663e3dc8db2b75c6f4ba10d498dbc41a3b42758cae38f30ca13115
 SHA512 (kernel-6.18.29.1.tar.gz) = 9c71dec3ea3897107c176c89014134ab31aba0c3a669af549993e1134cf2896c7d6f6b751bbef5dbd260da514a7b8a2b1ad89067b748efc90cf6096e43e5b246
-SHA256 (open-gpu-kernel-modules-595.58.03.tar.gz) = e0c4659ddf15e4f4e19cee05b49f88c9ba08ef3add0dfe08249798f58d0fe75e
+SHA512 (open-gpu-kernel-modules-595.58.03.tar.gz) = a422b6935209d590f57fa6766f59bb207d9130f8a6777af9245c4ff8cd0f4c4ccef4602a0b26d543e1e8efba24241180992fdb749ea4e5d2aa5218a584b85101