diff --git a/.drone.yml b/.drone.yml
index c974fb0a2..00ccd5b35 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -44,6 +44,25 @@ steps:
       - name: docker
         path: /root/.docker/buildx
 
+  - name: build-nonfree-pull-request
+    image: autonomy/build-container:latest
+    pull: always
+    environment:
+      DOCKER_CLI_EXPERIMENTAL: enabled
+    commands:
+      - make nonfree
+    when:
+      event:
+        include:
+          - pull_request
+    volumes:
+      - name: docker-socket
+        path: /var/run
+      - name: ssh
+        path: /root/.ssh
+      - name: docker
+        path: /root/.docker/buildx
+
   - name: build-and-publish
     image: autonomy/build-container:latest
     pull: always
diff --git a/Makefile b/Makefile
index 67dc5493c..1c0c693d4 100644
--- a/Makefile
+++ b/Makefile
@@ -20,9 +20,12 @@ empty :=
 space = $(empty) $(empty)
 
 TARGETS =  ca-certificates  cni  containerd cryptsetup dosfstools  eudev  fhs flannel-cni grub ipmitool  iptables ipxe kernel  kmod  libaio libjson-c liblzma libpopt libressl  libseccomp  linux-firmware lvm2  musl  open-iscsi  open-isns raspberrypi-firmware runc  socat  syslinux u-boot  util-linux  xfsprogs
+NONFREE_TARGETS = nonfree-kmod-nvidia
 
 all: $(TARGETS) ## Builds all known pkgs.
 
+nonfree: $(NONFREE_TARGETS) ## Builds all known non-free pkgs.
+
 .PHONY: help
 help: ## This help menu.
 	@grep -E '^[a-zA-Z%_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
@@ -36,8 +39,8 @@ target-%: ## Builds the specified target defined in the Dockerfile. The build re
 docker-%: ## Builds the specified target defined in the Dockerfile using the docker output type. The build result will be loaded into docker.
 	@$(MAKE) target-$* TARGET_ARGS="$(TARGET_ARGS)"
 
-.PHONY: $(TARGETS)
-$(TARGETS):
+.PHONY: $(TARGETS) $(NONFREE_TARGETS)
+$(TARGETS) $(NONFREE_TARGETS):
 	@$(MAKE) docker-$@ TARGET_ARGS="--tag=$(REGISTRY)/$(USERNAME)/$@:$(TAG) --push=$(PUSH)"
 
 .PHONY: deps.png
@@ -48,7 +51,7 @@ kernel-%: ## Updates the kernel configs: e.g. make kernel-olddefconfig; make ker
 	for platform in $(subst $(,),$(space),$(PLATFORM)); do \
 		arch=`basename $$platform` ; \
 		$(MAKE) docker-kernel-prepare PLATFORM=$$platform TARGET_ARGS="--tag=$(REGISTRY)/$(USERNAME)/kernel:$(TAG)-$$arch --load"; \
-		docker run --rm -it --entrypoint=/toolchain/bin/bash -e PATH=/toolchain/bin:/bin -w /src -v $$PWD/kernel/kernel/config-$$arch:/host/.hostconfig $(REGISTRY)/$(USERNAME)/kernel:$(TAG)-$$arch -c 'cp /host/.hostconfig .config && make $* && cp .config /host/.hostconfig'; \
+		docker run --rm -it --entrypoint=/toolchain/bin/bash -e PATH=/toolchain/bin:/bin -w /src -v $$PWD/kernel/build/config-$$arch:/host/.hostconfig $(REGISTRY)/$(USERNAME)/kernel:$(TAG)-$$arch -c 'cp /host/.hostconfig .config && make $* && cp .config /host/.hostconfig'; \
 	done
 
 # Utilities
diff --git a/containerd/pkg.yaml b/containerd/pkg.yaml
index e71f0d6dd..600ab355c 100644
--- a/containerd/pkg.yaml
+++ b/containerd/pkg.yaml
@@ -9,8 +9,8 @@ steps:
         # sync with version and revision in build
       - url: https://github.com/containerd/containerd/archive/refs/tags/v1.5.8.tar.gz
         destination: containerd.tar.gz
-        sha256: a41ab8d39393c9456941b477c33bb1b221a29b635f1c9a99523aab2f5e74f790
-        sha512: c769506ff6d98689c46ffee94d70ae00ef2f32e0daac1e631cbe8a587f67c7e4f83eb3895707362bdf46198b61823c99df1d8ca61095ab1415de5596f106fd07
+        sha256: 0890f7b0ee8e20a279a617c60686874b3c7a99e064adb2b38d884499b5284c43
+        sha512: 672c1743150ec8ab8eac7562a815d55ce697fc4216d83e7f7d142c4a2fca08a70238d545328fa273d1cc15eef15e5e5bec51a3b8fbd6b8a83fba797769197cdf
     prepare:
       - |
         tar -xzf containerd.tar.gz --strip-components=1
diff --git a/kernel/build/certs/x509.genkey b/kernel/build/certs/x509.genkey
new file mode 100644
index 000000000..ba26827e7
--- /dev/null
+++ b/kernel/build/certs/x509.genkey
@@ -0,0 +1,17 @@
+[ req ]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = myexts
+
+[ req_distinguished_name ]
+O = Sidero Labs, Inc.
+CN = Build time throw-away kernel key
+#emailAddress = unspecified.user@unspecified.company
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
diff --git a/kernel/kernel/config-amd64 b/kernel/build/config-amd64
similarity index 100%
rename from kernel/kernel/config-amd64
rename to kernel/build/config-amd64
diff --git a/kernel/kernel/config-arm64 b/kernel/build/config-arm64
similarity index 100%
rename from kernel/kernel/config-arm64
rename to kernel/build/config-arm64
diff --git a/kernel/build/pkg.yaml b/kernel/build/pkg.yaml
new file mode 100644
index 000000000..9972cf3bf
--- /dev/null
+++ b/kernel/build/pkg.yaml
@@ -0,0 +1,40 @@
+name: kernel-build
+variant: scratch
+shell: /toolchain/bin/bash
+dependencies:
+  - stage: kernel-prepare
+steps:
+  - env:
+      CARCH: {{ if eq .ARCH "aarch64"}}arm64{{ else if eq .ARCH "x86_64" }}amd64{{ else }}unsupported{{ end }}
+      KARCH: {{ if eq .ARCH "aarch64"}}ARM64{{ else if eq .ARCH "x86_64" }}X86_64{{ else }}unsupported{{ end }}
+      ARCH: {{ if eq .ARCH "aarch64"}}arm64{{ else if eq .ARCH "x86_64" }}x86_64{{ else }}unsupported{{ end }}
+    prepare:
+      - |
+        cd /src
+        cp -v /pkg/config-${CARCH} .config
+        cp -v /pkg/certs/* certs/
+    build:
+      - |
+        cd /src
+        python3 /toolchain/kconfig-hardened-check/bin/kconfig-hardened-check -c .config -p ${KARCH} -m json | python3 /pkg/scripts/filter-hardened-check.py
+      - |
+        cd /src
+
+        make -j $(nproc)
+        make -j $(nproc) modules
+
+        if [[ "${ARCH}" == "arm64" ]]; then
+          echo "Compiling device-tree blobs"
+          make -j $(nproc) dtbs
+        fi
+finalize:
+  - from: /src
+    to: /src
+  - from: /toolchain
+    to: /toolchain
+  - from: /usr
+    to: /usr
+  - from: /bin
+    to: /bin
+  - from: /lib
+    to: /lib
diff --git a/kernel/kernel/scripts/filter-hardened-check.py b/kernel/build/scripts/filter-hardened-check.py
similarity index 100%
rename from kernel/kernel/scripts/filter-hardened-check.py
rename to kernel/build/scripts/filter-hardened-check.py
diff --git a/kernel/kernel/pkg.yaml b/kernel/kernel/pkg.yaml
index 69f4809c0..1f5f2006d 100644
--- a/kernel/kernel/pkg.yaml
+++ b/kernel/kernel/pkg.yaml
@@ -2,31 +2,14 @@ name: kernel
 variant: scratch
 shell: /toolchain/bin/bash
 dependencies:
-  - stage: kernel-prepare
+  - stage: kernel-build
 steps:
   - env:
       ARCH: {{ if eq .ARCH "aarch64"}}arm64{{ else if eq .ARCH "x86_64" }}x86_64{{ else }}unsupported{{ end }}
-      CARCH: {{ if eq .ARCH "aarch64"}}arm64{{ else if eq .ARCH "x86_64" }}amd64{{ else }}unsupported{{ end }}
-      KARCH: {{ if eq .ARCH "aarch64"}}ARM64{{ else if eq .ARCH "x86_64" }}X86_64{{ else }}unsupported{{ end }}
-    prepare:
-      - |
-        cp -a /src/. .
-
-        cp -v /pkg/config-${CARCH} .config
-
-        patch -p0 < /pkg/patches/sign-file.patch
-      - |
-        python3 /toolchain/kconfig-hardened-check/bin/kconfig-hardened-check -c .config -p ${KARCH} -m json | python3 /pkg/scripts/filter-hardened-check.py
-    build:
-      - |
-        make -j $(nproc)
-        make -j $(nproc) modules
-        if [[ "${ARCH}" == "arm64" ]]; then
-          echo "Compiling device-tree blobs"
-          make -j $(nproc) dtbs
-        fi
     install:
       - |
+        cd /src
+
         mkdir -p /rootfs/boot
         mkdir -p /rootfs/dtb
         case $ARCH in
diff --git a/kernel/kernel-prepare/patches/hardening.kconfig.patch b/kernel/prepare/patches/hardening.kconfig.patch
similarity index 100%
rename from kernel/kernel-prepare/patches/hardening.kconfig.patch
rename to kernel/prepare/patches/hardening.kconfig.patch
diff --git a/kernel/kernel/patches/sign-file.patch b/kernel/prepare/patches/sign-file.patch
similarity index 100%
rename from kernel/kernel/patches/sign-file.patch
rename to kernel/prepare/patches/sign-file.patch
diff --git a/kernel/kernel-prepare/pkg.yaml b/kernel/prepare/pkg.yaml
similarity index 97%
rename from kernel/kernel-prepare/pkg.yaml
rename to kernel/prepare/pkg.yaml
index f6294d0f0..f2d8cd1bc 100644
--- a/kernel/kernel-prepare/pkg.yaml
+++ b/kernel/prepare/pkg.yaml
@@ -44,6 +44,7 @@ steps:
         cd /toolchain && git clone https://github.com/a13xp0p0v/kconfig-hardened-check.git
       - |
         patch -p1 < /pkg/patches/hardening.kconfig.patch
+        patch -p0 < /pkg/patches/sign-file.patch
     install:
       - |
         mkdir -p /src
diff --git a/nonfree/kmod-nvidia/pkg.yaml b/nonfree/kmod-nvidia/pkg.yaml
new file mode 100644
index 000000000..59821fc89
--- /dev/null
+++ b/nonfree/kmod-nvidia/pkg.yaml
@@ -0,0 +1,53 @@
+name: nonfree-kmod-nvidia
+variant: scratch
+shell: /toolchain/bin/bash
+dependencies:
+  - stage: kernel-build
+steps:
+  # driver sources: https://www.nvidia.com/en-us/drivers/unix/
+  # {{ if eq .ARCH "aarch64" }} This in fact is YAML comment, but Go templating instruction is evaluated by bldr
+  #
+  # build on ARM fails at the moment, not sure what is the reason, it feels like it tries to use x86 function
+  # for the PoC, we'll leave nvidia module x86-only
+  #
+  # - url: https://us.download.nvidia.com/XFree86/aarch64/470.94/NVIDIA-Linux-aarch64-470.94.run
+  #   destination: nvidia.run
+  #   sha256: a1c991051c6cbd3fa69d9768fa7cd0084bfa6d4c384cc6a6e3ab88b5b51e57c8
+  #   sha512: e27b04ec5025b5ce1d6cd78306f55f5699032fc350f78fb7a731a82ec4691ba0764fd3e36d8738d38f17cafd93988c7542d55c370e219bdbab6d0e7eb2f9a5fd
+  - install:
+      - |
+        mkdir -p /rootfs
+  # {{ else }} This in fact is YAML comment, but Go templating instruction is evaluated by bldr
+  - sources:
+      - url: https://us.download.nvidia.com/XFree86/Linux-x86_64/470.94/NVIDIA-Linux-x86_64-470.94.run
+        destination: nvidia.run
+        sha256: 9585aa29330ebad9bdf22ce3ca2bac2026c85a9a32f03d7c59f714a7798500eb
+        sha512: b70542af04691da623b494d49fcbd58c58b83388fdb1c7ea6dcc779755b595444a324f613840ccbba0d9029456668376fe6049a3e4496c6054efbbf1e0a59c0f
+    env:
+      ARCH: {{ if eq .ARCH "aarch64"}}arm64{{ else if eq .ARCH "x86_64" }}x86_64{{ else }}unsupported{{ end }}
+    prepare:
+      - |
+        export PATH=/toolchain/bin:$PATH
+        export GUESS_MD5_PATH=/toolchain/bin
+
+        rm -f /dev/tty && ln -s /dev/stdout /dev/tty
+        ln -s /toolchain/bin/echo /toolchain/bin/which
+
+        /toolchain/bin/bash nvidia.run --extract-only
+    build:
+      - |
+        cd NVIDIA-Linux-*/kernel
+
+        make -j $(nproc) SYSSRC=/src
+    install:
+      - |
+        cd NVIDIA-Linux-*/kernel
+
+        mkdir -p /rootfs/lib/modules/$(cat /src/include/config/kernel.release)/
+        touch /rootfs/lib/modules/$(cat /src/include/config/kernel.release)/modules.order /rootfs/lib/modules/$(cat /src/include/config/kernel.release)/modules.builtin
+
+        make -j $(nproc) modules_install SYSSRC=/src DEPMOD=/toolchain/bin/depmod INSTALL_MOD_PATH=/rootfs
+  # {{ end }} This in fact is YAML comment, but Go templating instruction is evaluated by bldr
+finalize:
+  - from: /rootfs
+    to: /