"Bazelify" oak_containers/kernel

We use a nix-built kernel, but we can expose it in a Bazel-friendly way. Change-Id: I0c5226b173b1859a8ee40aee279a2c6392e6cae7
project-oak · Oct 26, 2024 · f6cbb67 · f6cbb67
1 parent 6c24b58
commit f6cbb67
Show file tree

Hide file tree

Showing 11 changed files with 129 additions and 25 deletions.
diff --git a/WORKSPACE b/WORKSPACE
@@ -413,3 +413,12 @@ http_archive(
     strip_prefix = "e2fsprogs-1.47.0",
     urls = ["https://mirrors.edge.kernel.org/pub/linux/kernel/people/tytso/e2fsprogs/v1.47.0/e2fsprogs-1.47.0.tar.xz"],
 )
+
+load("//bazel/nix:kernel.bzl", "nix_kernel_repo")
+
+# Get the nix-built Kernels into our Bazel workspace, and verify the sha256
+nix_kernel_repo(
+    name = "nix_kernels",
+    bzImage_sha256 = "2f007b90ed57aff8d6c8c3207c538047c4c7364c0177f3cdd6c15bce4aa4b400",
+    bzImage_vanilla_sha256 = "e87135a4fc4c22c48fad23c52d8c43c548faa2963a0f2a0a091243b9a54bc1c2",
+)
diff --git a/bazel/nix/BUILD b/bazel/nix/BUILD
@@ -0,0 +1,17 @@
+#
+# Copyright 2024 The Project Oak Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+package(licenses = ["notice"])
diff --git a/bazel/nix/kernel.bzl b/bazel/nix/kernel.bzl
@@ -0,0 +1,57 @@
+#
+# Copyright 2024 The Project Oak Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+"""Properly expose nix kernel to Bazel
+
+In most contexts in Bazel, we can't access ambient environment variables. But in
+a repository_rule, we can. So here we can "properly" expose the nix-built
+kernels to Bazel, using the environment variables that we provide in flake.nix.
+"""
+
+def _nix_kernel_repo_impl(repository_ctx):
+    kernel_path = repository_ctx.os.environ["LINUX_KERNEL"]
+    vanilla_kernel_path = repository_ctx.os.environ["VANILLA_LINUX_KERNEL"]
+
+    if not kernel_path:
+        fail("Environment variable 'LINUX_KERNEL' is not set.")
+
+    if not vanilla_kernel_path:
+        fail("Environment variable 'VANILLA_LINUX_KERNEL' is not set.")
+
+    repository_ctx.download(
+        "file:///%s/bzImage" % kernel_path,
+        sha256 = repository_ctx.attr.bzImage_sha256,
+        output = "bzImage",
+    )
+    repository_ctx.download(
+        "file:///%s/bzImage" % vanilla_kernel_path,
+        sha256 = repository_ctx.attr.bzImage_vanilla_sha256,
+        output = "bzImage_vanilla",
+    )
+
+    repository_ctx.file("BUILD", """
+exports_files(
+    srcs = ["bzImage", "bzImage_vanilla"]
+)
+    """)
+
+nix_kernel_repo = repository_rule(
+    implementation = _nix_kernel_repo_impl,
+    local = True,
+    attrs = {
+        "bzImage_sha256": attr.string(mandatory = False),
+        "bzImage_vanilla_sha256": attr.string(mandatory = False),
+    },
+)
diff --git a/buildconfigs/oak_containers_kernel.sh b/buildconfigs/oak_containers_kernel.sh
@@ -15,7 +15,7 @@ export BUILD_COMMAND=(
 
 # The first element must be the Transparent Release binary (the main binary).
 export SUBJECT_PATHS=(
-  oak_containers/kernel/target/bzImage
+  artifacts/oak_containers_kernel
   oak_containers/kernel/bin/subjects/oak_containers_kernel_image
   oak_containers/kernel/bin/subjects/oak_containers_kernel_setup_data
 )
diff --git a/justfile b/justfile
@@ -40,7 +40,7 @@ run_oak_functions_containers_launcher wasm_path port lookup_data_path communicat
     target/x86_64-unknown-linux-gnu/release/oak_functions_containers_launcher \
         --vmm-binary=$(which qemu-system-x86_64) \
         --stage0-binary=generated/stage0_bin \
-        --kernel=oak_containers/kernel/target/bzImage \
+        --kernel=bazel-bin/oak_containers/kernel/bzImage \
         --initrd=target/stage1.cpio \
         --system-image=artifacts/containers_system_image.tar.xz \
         --container-bundle=oak_functions_containers_container/target/oak_functions_container_oci_filesystem_bundle.tar \
@@ -173,10 +173,15 @@ stage1_cpio:
     env --chdir=oak_containers/stage1 make
 
 oak_containers_kernel:
-    env --chdir=oak_containers/kernel make
+    bazel build //oak_containers/kernel/...
+
+    cp --force --preserve=timestamps \
+        ./bazel-bin/oak_containers/kernel/bzImage \
+        artifacts/oak_containers_kernel
+
     just bzimage_provenance_subjects \
         oak_containers_kernel \
-        oak_containers/kernel/target/bzImage \
+        ./bazel-bin/oak_containers/kernel/bzImage \
         oak_containers/kernel/bin/subjects
 
 oak_containers_launcher:
@@ -263,7 +268,7 @@ kokoro_verify_buildconfigs:
     ./scripts/test_buildconfigs buildconfigs/*.sh
 
 kokoro_oak_containers: all_oak_containers_binaries oak_functions_containers_container_bundle_tar containers_placer_artifacts
-    OAK_CONTAINERS_BINARIES_ALREADY_BUILT=1 RUST_LOG="debug" cargo nextest run --all-targets --hide-progress-bar --package='oak_containers_hello_world_untrusted_app'
+    OAK_CONTAINERS_BINARIES_ALREADY_BUILT=1 RUST_LOG="debug" cargo nextest run --all-targets --hide-progress-bar --nocapture --package='oak_containers_hello_world_untrusted_app'
 
 # This list should contain all crates that either a) have tests and are not bazelified yet or b) have bench tests (not supported on Bazel yet).
 # TODO: b/349587489 - Bazelify oak_functions_containers_launcher

diff --git a/kokoro/build_binaries_oak_containers.sh b/kokoro/build_binaries_oak_containers.sh
@@ -27,7 +27,7 @@ touch "${KOKORO_ARTIFACTS_DIR}/binaries/git_commit_${KOKORO_GIT_COMMIT_oak:?}"
 # verification (i.e., do Kokoro and GitHub produce identical results).
 readonly generated_binaries=(
     ./target/stage1.cpio
-    ./oak_containers/kernel/target/bzImage
+    ./artifacts/oak_containers_kernel
     ./artifacts/oak_containers_orchestrator
     ./artifacts/oak_containers_syslogd
     ./artifacts/oak_containers_agent

diff --git a/oak_containers/kernel/BUILD b/oak_containers/kernel/BUILD
@@ -0,0 +1,28 @@
+#
+# Copyright 2024 The Project Oak Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+load("@aspect_bazel_lib//lib:copy_file.bzl", "copy_file")
+
+package(
+    default_visibility = ["//:internal"],
+    licenses = ["notice"],
+)
+
+copy_file(
+    name = "bzImage",
+    src = "@nix_kernels//:bzImage",
+    out = "bzImage",
+)
diff --git a/oak_containers/kernel/Makefile b/oak_containers/kernel/Makefile
diff --git a/oak_containers/kernel/README.md b/oak_containers/kernel/README.md
@@ -14,6 +14,11 @@ Oak Containers.
 The Linux kernel is built using Nix to help with reproducibility. The kernel
 version is specified in `flake.nix` in the root.
 
+You may need to update the symlinks if the nix store absolute path has changed.
+
+You'll also need to update the checksums, so that the checksum verification test
+continues to pass.
+
 If the Linux configuration options have changed significantly between versions
 the config file must be updated. This can be done by manually building the
 kernel using the existing config file and the new version's source code. Choose

diff --git a/oak_functions_containers_launcher/README.md b/oak_functions_containers_launcher/README.md
@@ -28,7 +28,7 @@ root@hostname:~/project/oak_functions_containers_launcher$ cargo run -- \
     --container-bundle=../oak_functions_containers_container/target/oak_container_example_oci_filesystem_bundle.tar \
     --vmm-binary=$(which qemu-system-x86_64) \
     --stage0-binary=../generated/stage0_bin \
-    --kernel=../oak_containers/kernel/target/bzImage \
+    --kernel=../bazel-bin/oak_containers/kernel/bzImage \
     --initrd=../target/stage1.cpio \
     --ramdrive-size=5000000 \
     --memory-size=10G

diff --git a/oak_kernel_measurement/README.md b/oak_kernel_measurement/README.md
@@ -14,7 +14,7 @@ The tool can be run using:
 
 ```bash
 cargo run --package=oak_kernel_measurement -- \
-    --kernel=oak_containers/kernel/target/bzImage
+    --kernel="bazel-bin/oak_containers/kernel/bzImage
 just oak_restricted_kernel_wrapper_simple_io_channel
 cargo run --package=oak_kernel_measurement -- \
     --kernel=oak_restricted_kernel_wrapper/bin/wrapper_bzimage_simple_io_channel