From f1a35b70280a9f74d0c7a533ab0b3e263e5fb55a Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Tue, 26 May 2026 21:05:59 -0700 Subject: [PATCH] kernel: enable CONFIG_CRYPTO_ECDSA for H100 confidential compute NVIDIA's open kernel driver (nvidia.ko) gates its LKCA-backed libspdm crypto provider on `CONFIG_CRYPTO_ECDSA` being defined when the driver is built (see `kernel-open/nvidia/internal_crypt_lib.h`: the `USE_LKCA` macro requires the kernel to advertise ECDSA, ECDH, RSA, HMAC, AKCIPHER, etc.). When `CONFIG_CRYPTO_ECDSA` is missing, libspdm falls back to stubs and at runtime prints `libspdm expects LKCA but found stubs!` then fails `spdmEstablishSession`, so H100 in Confidential Compute mode (e.g. GCP TDX + a3-highgpu-1g) never finishes init and `nvidia-smi` reports no devices. `meta-nvidia/recipes-kernel/linux/files/nvidia.cfg` already sets this config, but it ships as a `linux-yocto%.bbappend`, which does not attach to the in-tree `linux-custom_*.bb` recipes that build the dstack kernel from a defconfig. Add the option directly to the 6.17 and 6.18 defconfigs so all flavors (incl. nvidia) pick it up. Verified end-to-end on GCP a3-highgpu-1g + TDX after rebuilding the kernel + nvidia kernel modules with this change: SPDM session establishes, `nvidia-smi conf-compute -f` reports `CC status: ON`, and a PyTorch matmul runs at ~38 TFLOPs. --- meta-dstack/recipes-kernel/linux/files/6.17/defconfig | 1 + meta-dstack/recipes-kernel/linux/files/6.18/defconfig | 1 + 2 files changed, 2 insertions(+) diff --git a/meta-dstack/recipes-kernel/linux/files/6.17/defconfig b/meta-dstack/recipes-kernel/linux/files/6.17/defconfig index 0a953ff..f9ba4a7 100644 --- a/meta-dstack/recipes-kernel/linux/files/6.17/defconfig +++ b/meta-dstack/recipes-kernel/linux/files/6.17/defconfig 
@@ -344,6 +344,7 @@ CONFIG_CRYPTO_USER_API_SKCIPHER=m CONFIG_CRYPTO_USER_API_RNG=m CONFIG_CRYPTO_USER_API_AEAD=m CONFIG_CRYPTO_AES_NI_INTEL=y +CONFIG_CRYPTO_ECDSA=y CONFIG_CRYPTO_DEV_VIRTIO=y CONFIG_CORDIC=m CONFIG_PRINTK_TIME=y diff --git a/meta-dstack/recipes-kernel/linux/files/6.18/defconfig b/meta-dstack/recipes-kernel/linux/files/6.18/defconfig index 2894e97..dc6dbbe 100644 --- a/meta-dstack/recipes-kernel/linux/files/6.18/defconfig +++ b/meta-dstack/recipes-kernel/linux/files/6.18/defconfig @@ -344,6 +344,7 @@ CONFIG_CRYPTO_USER_API_SKCIPHER=m CONFIG_CRYPTO_USER_API_RNG=m CONFIG_CRYPTO_USER_API_AEAD=m CONFIG_CRYPTO_AES_NI_INTEL=y +CONFIG_CRYPTO_ECDSA=y CONFIG_CRYPTO_DEV_VIRTIO=y CONFIG_CORDIC=m CONFIG_PRINTK_TIME=y
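Review bot: In the 6.17 defconfig hunk, only `CONFIG_CRYPTO_ECDSA=y` is added, although the commit message says `USE_LKCA` also requires ECDH, RSA, HMAC, AKCIPHER and others. None of those symbols appear in the visible context lines, so the patch does not show that they are enabled. Please state in the commit message, or make explicit in the defconfig, that the remaining symbols are set in the final `.config`, since by the commit message's own description a missing one would leave libspdm on stubs. Separately, the new line sits between `CONFIG_CRYPTO_AES_NI_INTEL=y` and `CONFIG_CRYPTO_DEV_VIRTIO=y`; if this file is maintained with `make savedefconfig`, regenerate it so the option lands where the tool places it and is not dropped on the next refresh.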
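Review bot: The 6.18 defconfig hunk repeats the same one-line addition as the 6.17 one, so each future kernel version directory will need the option added by hand, and an omission only surfaces at runtime as `libspdm expects LKCA but found stubs!`. Consider carrying `CONFIG_CRYPTO_ECDSA=y` in a single config fragment that the `linux-custom_*.bb` recipes apply to every version, or adding a build-time check to the nvidia module build that fails when the option is absent from the kernel `.config`. That turns a silent Confidential Compute init failure into a build error.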