diff --git a/WORKSPACE b/WORKSPACE
index 8411c65940f..745951a8a33 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -413,3 +413,12 @@ http_archive(
 strip_prefix = "e2fsprogs-1.47.0",
 urls = ["https://mirrors.edge.kernel.org/pub/linux/kernel/people/tytso/e2fsprogs/v1.47.0/e2fsprogs-1.47.0.tar.xz"],
 )
+
+load("//bazel/nix:kernel.bzl", "nix_kernel_repo")
+
+# Get the nix-built Kernels into our Bazel workspace, and verify the sha256
+nix_kernel_repo(
+ name = "nix_kernels",
+ bzImage_sha256 = "2f007b90ed57aff8d6c8c3207c538047c4c7364c0177f3cdd6c15bce4aa4b400",
+ bzImage_vanilla_sha256 = "e87135a4fc4c22c48fad23c52d8c43c548faa2963a0f2a0a091243b9a54bc1c2",
+)
diff --git a/bazel/nix/BUILD b/bazel/nix/BUILD
new file mode 100644
index 00000000000..2e6e6e45778
--- /dev/null
+++ b/bazel/nix/BUILD
@@ -0,0 +1,17 @@
+#
+# Copyright 2024 The Project Oak Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+package(licenses = ["notice"])
diff --git a/bazel/nix/kernel.bzl b/bazel/nix/kernel.bzl
new file mode 100644
index 00000000000..d5ae9fc33dc
--- /dev/null
+++ b/bazel/nix/kernel.bzl
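Review bot: The comment above `nix_kernel_repo(` in the WORKSPACE hunk does not say where the two pinned digests come from or when they must change, and nothing in the hunk ties them to the kernel that `flake.nix` builds. Any kernel version or config bump changes the bzImage and will make the repository fetch fail until both values are regenerated. I would extend the comment, e.g. `# Digests of $LINUX_KERNEL/bzImage and $VANILLA_LINUX_KERNEL/bzImage as built by flake.nix; regenerate with sha256sum after any kernel or config change.` A failed fetch is the right outcome for an unexpected image; the comment only makes the expected-update path obvious.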
@@ -0,0 +1,57 @@
+#
+# Copyright 2024 The Project Oak Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+"""Properly expose nix kernel to Bazel
+
+In most contexts in Bazel, we can't access ambient environment variables. But in
+a repository_rule, we can. So here we can "properly" expose the nix-built
+kernels to Bazel, using the environment variables that we provide in flake.nix.
+"""
+
+def _nix_kernel_repo_impl(repository_ctx):
+ kernel_path = repository_ctx.os.environ["LINUX_KERNEL"]
+ vanilla_kernel_path = repository_ctx.os.environ["VANILLA_LINUX_KERNEL"]
+
+ if not kernel_path:
+ fail("Environment variable 'LINUX_KERNEL' is not set.")
+
+ if not vanilla_kernel_path:
+ fail("Environment variable 'VANILLA_LINUX_KERNEL' is not set.")
+
+ repository_ctx.download(
+ "file:///%s/bzImage" % kernel_path,
+ sha256 = repository_ctx.attr.bzImage_sha256,
+ output = "bzImage",
+ )
+ repository_ctx.download(
+ "file:///%s/bzImage" % vanilla_kernel_path,
+ sha256 = repository_ctx.attr.bzImage_vanilla_sha256,
+ output = "bzImage_vanilla",
+ )
+
+ repository_ctx.file("BUILD", """
+exports_files(
+ srcs = ["bzImage", "bzImage_vanilla"]
+)
+ """)
+
+nix_kernel_repo = repository_rule(
+ implementation = _nix_kernel_repo_impl,
+ local = True,
+ attrs = {
+ "bzImage_sha256": attr.string(mandatory = False),
+ "bzImage_vanilla_sha256": attr.string(mandatory = False),
+ },
+)
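Review bot: Both digest attributes of `nix_kernel_repo` are declared `attr.string(mandatory = False)`, so a caller that omits them passes an empty `sha256` to `repository_ctx.download` and the kernel image enters the workspace with no integrity check at all. Since the rule exists to pin the nix-built bzImage, I would make them required: `"bzImage_sha256": attr.string(mandatory = True),` and the same for `bzImage_vanilla_sha256`. Separately, `repository_ctx.os.environ["LINUX_KERNEL"]` fails on a missing key before the `if not kernel_path` guard runs, so the `fail(...)` message is only reachable for an empty value. Using `repository_ctx.os.environ.get("LINUX_KERNEL")` (and likewise for `VANILLA_LINUX_KERNEL`) lets the guard report the unset variable as intended.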
diff --git a/buildconfigs/oak_containers_kernel.sh b/buildconfigs/oak_containers_kernel.sh index 60e565d05da..dc308232941 100644 --- a/buildconfigs/oak_containers_kernel.sh +++ b/buildconfigs/oak_containers_kernel.sh @@ -15,7 +15,7 @@ export BUILD_COMMAND=( # The first element must be the Transparent Release binary (the main binary). export SUBJECT_PATHS=( - oak_containers/kernel/target/bzImage + artifacts/oak_containers_kernel oak_containers/kernel/bin/subjects/oak_containers_kernel_image oak_containers/kernel/bin/subjects/oak_containers_kernel_setup_data ) diff --git a/justfile b/justfile index e6ed8afbefb..cadf94c1c59 100644 --- a/justfile +++ b/justfile @@ -40,7 +40,7 @@ run_oak_functions_containers_launcher wasm_path port lookup_data_path communicat target/x86_64-unknown-linux-gnu/release/oak_functions_containers_launcher \ --vmm-binary=$(which qemu-system-x86_64) \ --stage0-binary=generated/stage0_bin \ - --kernel=oak_containers/kernel/target/bzImage \ + --kernel=bazel-bin/oak_containers/kernel/bzImage \ --initrd=target/stage1.cpio \ --system-image=artifacts/containers_system_image.tar.xz \ --container-bundle=oak_functions_containers_container/target/oak_functions_container_oci_filesystem_bundle.tar \ @@ -173,10 +173,15 @@ stage1_cpio: env --chdir=oak_containers/stage1 make oak_containers_kernel: - env --chdir=oak_containers/kernel make + bazel build //oak_containers/kernel/... + + cp --force --preserve=timestamps \ + ./bazel-bin/oak_containers/kernel/bzImage \ + artifacts/oak_containers_kernel + just bzimage_provenance_subjects \ oak_containers_kernel \ - oak_containers/kernel/target/bzImage \ + ./bazel-bin/oak_containers/kernel/bzImage \ oak_containers/kernel/bin/subjects oak_containers_launcher: 
@@ -263,7 +268,7 @@ kokoro_verify_buildconfigs: ./scripts/test_buildconfigs buildconfigs/*.sh kokoro_oak_containers: all_oak_containers_binaries oak_functions_containers_container_bundle_tar containers_placer_artifacts - OAK_CONTAINERS_BINARIES_ALREADY_BUILT=1 RUST_LOG="debug" cargo nextest run --all-targets --hide-progress-bar --package='oak_containers_hello_world_untrusted_app' + OAK_CONTAINERS_BINARIES_ALREADY_BUILT=1 RUST_LOG="debug" cargo nextest run --all-targets --hide-progress-bar --nocapture --package='oak_containers_hello_world_untrusted_app' # This list should contain all crates that either a) have tests and are not bazelified yet or b) have bench tests (not supported on Bazel yet). # TODO: b/349587489 - Bazelify oak_functions_containers_launcher diff --git a/kokoro/build_binaries_oak_containers.sh b/kokoro/build_binaries_oak_containers.sh index f2c38207e42..f3fdd43b391 100755 --- a/kokoro/build_binaries_oak_containers.sh +++ b/kokoro/build_binaries_oak_containers.sh @@ -27,7 +27,7 @@ touch "${KOKORO_ARTIFACTS_DIR}/binaries/git_commit_${KOKORO_GIT_COMMIT_oak:?}" # verification (i.e., do Kokoro and GitHub produce identical results). readonly generated_binaries=( ./target/stage1.cpio - ./oak_containers/kernel/target/bzImage + ./artifacts/oak_containers_kernel ./artifacts/oak_containers_orchestrator ./artifacts/oak_containers_syslogd ./artifacts/oak_containers_agent diff --git a/oak_containers/kernel/BUILD b/oak_containers/kernel/BUILD new file mode 100644 index 00000000000..e5c24a49224 --- /dev/null +++ b/oak_containers/kernel/BUILD 
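Review bot: The `--nocapture` added to the `cargo nextest run` line of `kokoro_oak_containers` is not explained and looks unrelated to moving the kernel into Bazel. With nextest that flag also makes the tests run serially, and together with `RUST_LOG="debug"` it sends the full debug output of every test to the CI log. If it was added while debugging this change I would drop it before merging; if it is meant to stay, a comment above the recipe stating the reason would help the next reader.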
@@ -0,0 +1,28 @@
+#
+# Copyright 2024 The Project Oak Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+load("@aspect_bazel_lib//lib:copy_file.bzl", "copy_file")
+
+package(
+ default_visibility = ["//:internal"],
+ licenses = ["notice"],
+)
+
+copy_file(
+ name = "bzImage",
+ src = "@nix_kernels//:bzImage",
+ out = "bzImage",
+)
diff --git a/oak_containers/kernel/Makefile b/oak_containers/kernel/Makefile
deleted file mode 100644
index 1c896ae1339..00000000000
--- a/oak_containers/kernel/Makefile
+++ /dev/null
@@ -1,17 +0,0 @@
-all: target/bzImage
-
-target/bzImage:
- mkdir --parents target
- # We just copy the prebuilt kernel from nix to the target folder.
- # We can probably simplify things a bit in the future.
- cp $${LINUX_KERNEL}/bzImage target/bzImage
- # Log digest of kernel in order to detect non reproducibility.
- sha256sum target/bzImage
-
-target/vanilla_bzImage:
- mkdir --parents target
- cp $${VANILLA_LINUX_KERNEL}/bzImage target/vanilla_bzImage
- sha256sum target/vanilla_bzImage
-
-clean:
- rm --recursive --force target
diff --git a/oak_containers/kernel/README.md b/oak_containers/kernel/README.md
index a42f4a9b740..ef87dffa22f 100644
--- a/oak_containers/kernel/README.md
+++ b/oak_containers/kernel/README.md
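Review bot: Only `bzImage` is re-exported from the new `oak_containers/kernel/BUILD`, while the same commit deletes the Makefile's `target/vanilla_bzImage` target and `@nix_kernels` still downloads and hash-checks `bzImage_vanilla`. If anything still consumes the vanilla image it has lost its producer, and a stale vanilla digest will now fail the fetch for a file that no target in this package uses. Either add a second `copy_file` next to the existing one, as sketched below, or state in a comment that the vanilla kernel is intentionally not exposed here.

```starlark
copy_file(
    name = "bzImage_vanilla",
    src = "@nix_kernels//:bzImage_vanilla",
    out = "bzImage_vanilla",
)
```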
@@ -14,6 +14,11 @@ Oak Containers. The Linux kernel is built using Nix to help with reproducibility. The kernel version is specified in `flake.nix` in the root. +You may need to update the symlinks if the nix store absolute path has changed. + +You'll also need to update the checksums, so that the checksum verification test +continues to pass. + If the Linux configuration options have changed significantly between versions the config file must be updated. This can be done by manually building the kernel using the existing config file and the new version's source code. Choose diff --git a/oak_functions_containers_launcher/README.md b/oak_functions_containers_launcher/README.md index 41b11aeb59c..c2b8e334bc8 100644 --- a/oak_functions_containers_launcher/README.md +++ b/oak_functions_containers_launcher/README.md @@ -28,7 +28,7 @@ root@hostname:~/project/oak_functions_containers_launcher$ cargo run -- \ --container-bundle=../oak_functions_containers_container/target/oak_container_example_oci_filesystem_bundle.tar \ --vmm-binary=$(which qemu-system-x86_64) \ --stage0-binary=../generated/stage0_bin \ - --kernel=../oak_containers/kernel/target/bzImage \ + --kernel=../bazel-bin/oak_containers/kernel/bzImage \ --initrd=../target/stage1.cpio \ --ramdrive-size=5000000 \ --memory-size=10G diff --git a/oak_kernel_measurement/README.md b/oak_kernel_measurement/README.md index 9ac63bb6c9a..7cc14cb0f58 100644 --- a/oak_kernel_measurement/README.md +++ b/oak_kernel_measurement/README.md @@ -14,7 +14,7 @@ The tool can be run using: ```bash cargo run --package=oak_kernel_measurement -- \ - --kernel=oak_containers/kernel/target/bzImage + --kernel="bazel-bin/oak_containers/kernel/bzImage just oak_restricted_kernel_wrapper_simple_io_channel cargo run --package=oak_kernel_measurement -- \ --kernel=oak_restricted_kernel_wrapper/bin/wrapper_bzimage_simple_io_channel