Build restricted kernel bin from Bazel, not Cargo.

Also rename a few paths in justfile to not use cargo-like paths (e.g. target/x86_64-unknown-none/...) etc and normalise naming around oak_rk_bin and oak_rk_wrapper.

BUG: 352276933
Change-Id: I1b134d57536ba0b7d60e850a2719feac16a1577b

FORCE_CI

@@ -1 +1 @@
-48
+49

buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh

@@ -10,12 +10,12 @@ export BUILD_COMMAND=(
   .#rust
   --command
   just
-  oak_restricted_kernel_simple_io_init_rd_wrapper
+  oak_restricted_kernel_wrapper_simple_io_channel
 )
 
 # The first element must be the Transparent Release binary (the main binary).
 export SUBJECT_PATHS=(
-  oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_simple_io_init_rd_wrapper_bin
-  oak_restricted_kernel_wrapper/bin/oak_restricted_kernel_simple_io_init_rd/subjects/oak_restricted_kernel_simple_io_init_rd_image
-  oak_restricted_kernel_wrapper/bin/oak_restricted_kernel_simple_io_init_rd/subjects/oak_restricted_kernel_simple_io_init_rd_setup_data
+  oak_restricted_kernel_wrapper/bin/wrapper_bzimage_simple_io_channel
+  oak_restricted_kernel_wrapper/bin/wrapper_simple_io_channel_subjects/oak_restricted_kernel_simple_io_channel_image
+  oak_restricted_kernel_wrapper/bin/wrapper_simple_io_channel_subjects/oak_restricted_kernel_simple_io_channel_setup_data
 )

justfile

@@ -27,9 +27,6 @@ build_enclave_app name:
 oak_functions_insecure_enclave_app:
     env --chdir=enclave_apps/oak_functions_enclave_app cargo build --release --no-default-features --features=allow_sensitive_logging
 
-oak_restricted_kernel_bin:
-    env --chdir=oak_restricted_kernel_bin cargo build --release --bin=oak_restricted_kernel_bin
-
 run_oak_functions_containers_launcher wasm_path port lookup_data_path communication_channel virtio_guest_cid:
     target/x86_64-unknown-linux-gnu/release/oak_functions_containers_launcher \
         --vmm-binary=$(which qemu-system-x86_64) \
@@ -49,36 +46,40 @@ run_oak_functions_containers_launcher wasm_path port lookup_data_path communicat
 run_oak_functions_launcher wasm_path port lookup_data_path:
     target/x86_64-unknown-linux-gnu/release/oak_functions_launcher \
         --bios-binary=stage0_bin/target/x86_64-unknown-none/release/stage0_bin \
-        --kernel=oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_wrapper_bin \
+        --kernel=oak_restricted_kernel_wrapper/bin/wrapper_bzimage_virtio_console_channel \
         --vmm-binary=$(which qemu-system-x86_64) \
         --app-binary=enclave_apps/target/x86_64-unknown-none/release/oak_functions_enclave_app \
         --initrd=enclave_apps/target/x86_64-unknown-none/release/oak_orchestrator \
         --memory-size=256M \
         --wasm={{wasm_path}} \
         --port={{port}} \
-        --lookup-data={{lookup_data_path}} \
+        --lookup-data={{lookup_data_path}}
 
 # Run an integration test for Oak Functions making sure all the dependencies are built.
-run_oak_functions_test: oak_orchestrator oak_functions_launcher oak_functions_enclave_app (wasm_release_crate "key_value_lookup") oak_restricted_kernel_wrapper
+run_oak_functions_test: oak_orchestrator oak_functions_launcher oak_functions_enclave_app (wasm_release_crate "key_value_lookup") oak_restricted_kernel_wrapper_virtio_console_channel
     cargo test --package=key_value_lookup test_server
 
 # Builds a variant of the restricted kernel and creates a bzImage of it.
 # Then creates provenance subjects for it.
-restricted_kernel_bzimage_and_provenance_subjects kernel_bin_prefix:
-    env \
-        --chdir=oak_restricted_kernel_wrapper OAK_RESTRICTED_KERNEL_FILE_NAME={{kernel_bin_prefix}}_bin cargo build \
-        --release
-    mkdir \
-        --parents \
-        ./oak_restricted_kernel_wrapper/target/released_bin_with_components_{{kernel_bin_prefix}}
+# kernel_suffix examples: _virtio_console_channel, _simple_io_channel
+restricted_kernel_bzimage_and_provenance_subjects kernel_suffix:
+    mkdir --parents oak_restricted_kernel_wrapper/bin
+
+    # Buidling in "opt" mode is required so that Rust won't try to prevent underflows.
+    # This check must be OFF otherwise checks will be too conservative and fail at runtime.
+    bazel build //oak_restricted_kernel_wrapper:oak_restricted_kernel_wrapper{{kernel_suffix}} \
+        --platforms=//:x86_64-unknown-none \
+        --compilation_mode opt
+
     rust-objcopy \
         --output-target=binary \
-        oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_wrapper \
-        oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/{{kernel_bin_prefix}}_wrapper_bin
+        bazel-bin/oak_restricted_kernel_wrapper/oak_restricted_kernel_wrapper{{kernel_suffix}} \
+        oak_restricted_kernel_wrapper/bin/wrapper_bzimage{{kernel_suffix}}
+
     just bzimage_provenance_subjects \
-        {{kernel_bin_prefix}} \
-        oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/{{kernel_bin_prefix}}_wrapper_bin \
-        oak_restricted_kernel_wrapper/bin/{{kernel_bin_prefix}}/subjects
+        oak_restricted_kernel{{kernel_suffix}} \
+        oak_restricted_kernel_wrapper/bin/wrapper_bzimage{{kernel_suffix}} \
+        oak_restricted_kernel_wrapper/bin/wrapper{{kernel_suffix}}_subjects
 
 # Create provenance subjects for a kernel bzImage, by extracting the setup data
 # and image to the output directory.
@@ -90,14 +91,21 @@ bzimage_provenance_subjects kernel_name bzimage_path output_dir:
         --kernel-setup-data-output="{{output_dir}}/{{kernel_name}}_setup_data" \
         --kernel-image-output="{{output_dir}}/{{kernel_name}}_image"
 
-oak_restricted_kernel_wrapper: oak_restricted_kernel_bin
-    just restricted_kernel_bzimage_and_provenance_subjects oak_restricted_kernel
+oak_restricted_kernel_bin_virtio_console_channel:
+    # Buidling in "opt" mode is required so that Rust won't try to prevent underflows.
+    # This check must be OFF otherwise checks will be too conservative and fail at runtime.
+    bazel build //oak_restricted_kernel_bin:oak_restricted_kernel_bin_virtio_console_channel \
+        --platforms=//:x86_64-unknown-none \
+        --compilation_mode opt
+
+oak_restricted_kernel_wrapper_virtio_console_channel:
+    just restricted_kernel_bzimage_and_provenance_subjects _virtio_console_channel
 
-oak_restricted_kernel_simple_io_init_rd_bin:
-    env --chdir=oak_restricted_kernel_bin cargo build --release --no-default-features --features=simple_io_channel --bin=oak_restricted_kernel_simple_io_init_rd_bin
+oak_restricted_kernel_bin_simple_io_channel:
+    bazel build //oak_restricted_kernel_bin:oak_restricted_kernel_bin_simple_io_channel --platforms=//:x86_64-unknown-none
 
-oak_restricted_kernel_simple_io_init_rd_wrapper: oak_restricted_kernel_simple_io_init_rd_bin
-    just restricted_kernel_bzimage_and_provenance_subjects oak_restricted_kernel_simple_io_init_rd
+oak_restricted_kernel_wrapper_simple_io_channel:
+    just restricted_kernel_bzimage_and_provenance_subjects _simple_io_channel
 
 oak_client_android_app:
     bazel build --noexperimental_check_desugar_deps --compilation_mode opt \
@@ -256,8 +264,8 @@ oak_attestation_explain_wasm:
 
 # Entry points for Kokoro CI.
 
-kokoro_build_binaries_rust: all_enclave_apps oak_restricted_kernel_bin \
-    oak_restricted_kernel_simple_io_init_rd_wrapper stage0_bin \
+kokoro_build_binaries_rust: all_enclave_apps oak_restricted_kernel_bin_virtio_console_channel \
+    oak_restricted_kernel_wrapper_simple_io_channel stage0_bin \
     oak_client_android_app
 
 kokoro_oak_containers: all_oak_containers_binaries oak_functions_containers_container_bundle_tar
@@ -270,7 +278,7 @@ kokoro_oak_containers: all_oak_containers_binaries oak_functions_containers_cont
 # TODO: b/349572480 - Enable benchmarks in Bazel and remove oak_functions_service and oak_functions_launcher (after integration tests bazelified) from this list.
 cargo_test_packages_arg := "-p key_value_lookup -p oak_functions_containers_app -p oak_functions_containers_launcher -p oak_functions_launcher -p oak_functions_service"
 
-kokoro_run_cargo_tests: all_ensure_no_std all_oak_functions_containers_binaries oak_restricted_kernel_wrapper oak_orchestrator stage0_bin oak_functions_enclave_app all_wasm_test_crates build-clients
+kokoro_run_cargo_tests: all_ensure_no_std all_oak_functions_containers_binaries oak_restricted_kernel_wrapper_virtio_console_channel oak_orchestrator stage0_bin oak_functions_enclave_app all_wasm_test_crates build-clients
     RUST_LOG="debug" cargo nextest run --all-targets --hide-progress-bar {{cargo_test_packages_arg}}
 
 clang-tidy:

kokoro/build_binaries_rust.sh

@@ -28,7 +28,7 @@ readonly generated_binaries=(
     enclave_apps/target/x86_64-unknown-none/release/oak_functions_enclave_app
     enclave_apps/target/x86_64-unknown-none/release/oak_functions_insecure_enclave_app
     enclave_apps/target/x86_64-unknown-none/release/oak_orchestrator
-    oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_simple_io_init_rd_wrapper_bin
+    oak_restricted_kernel_wrapper/bin/wrapper_bzimage_simple_io_channel
     stage0_bin/target/x86_64-unknown-none/release/stage0_bin
 )
 readonly binary_names=(

oak_functions/examples/key_value_lookup/module/src/tests.rs

@@ -101,7 +101,7 @@ fn bench_wasm_handler(bencher: &mut Bencher) {
     );
 
     // Wait for the server to start up.
-    std::thread::sleep(Duration::from_secs(20));
+    std::thread::sleep(Duration::from_secs(180));
 
     let uri = format!("http://localhost:{server_port}/");
     let mut client = runtime

oak_functions_test_utils/src/lib.rs

@@ -22,10 +22,8 @@ pub static MOCK_LOOKUP_DATA_PATH: Lazy<PathBuf> =
 pub static OAK_RESTRICTED_KERNEL_WRAPPER_BIN: Lazy<PathBuf> = Lazy::new(|| {
     workspace_path(&[
         "oak_restricted_kernel_wrapper",
-        "target",
-        "x86_64-unknown-none",
-        "release",
-        "oak_restricted_kernel_wrapper_bin",
+        "bin",
+        "wrapper_bzimage_virtio_console_channel",
     ])
 });
 

oak_kernel_measurement/README.md

@@ -10,7 +10,9 @@ Stage 0 measures these split, modified components rather than the original
 bzImage kernel. This tool can be used to predict the Stage 0 measurements of
 these components from a bzImage kernel.
 
-The tool can be run using:
+The tool can be run using either:
+
+- All built with Cargo option:
 
 ```bash
 cargo run --package=oak_kernel_measurement -- \
@@ -19,11 +21,14 @@ cargo run --package=oak_kernel_measurement -- \
     --kernel=oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_simple_io_init_rd_wrapper_bin
 ```
 
-or by:
+- Restricted kernel built with Bazel option (oak_containers_kernel still Cargo):
 
 ```bash
-bazel run //oak_kernel_measurement -- \
-    --kernel=$(pwd)/oak_containers_kernel/target/bzImage
-bazel run //oak_kernel_measurement -- \
-    --kernel=$(pwd)/oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_simple_io_init_rd_wrapper_bin
+cargo run --package=oak_kernel_measurement -- \
+    --kernel=oak_containers_kernel/target/bzImage
+just oak_restricted_kernel_wrapper_simple_io_channel
+cargo run --package=oak_kernel_measurement -- \
+    --kernel=oak_restricted_kernel_wrapper/bin/wrapper_bzimage_simple_io_channel
 ```
+
+You may need to prepend "$(pwd)" to paths.

oak_restricted_kernel/layout.ld

@@ -23,13 +23,12 @@ PHDRS
      * has a sanity check that expects the section with the lowest address to come
      * first.
      */
-    hdrs    PT_LOAD FILEHDR PHDRS FLAGS(4);
+    hdrs    PT_LOAD FILEHDR PHDRS FLAGS(4) AT(2M);
     /* Executable text. */
     boot    PT_LOAD FLAGS(4 + 1); /* PF_R + PF_X */
     text    PT_LOAD FLAGS(4 + 1); /* PF_R + PF_X */
     /* Read-only data. */
     rodata  PT_LOAD FLAGS(4); /* PF_R */
-    payload PT_LOAD FLAGS(4); /* PF_R */
     /* Initialized read-write data. */
     data    PT_LOAD FLAGS(4 + 2); /* PF_R + PF_W */
     /* Uninitialized read-write data. */
@@ -44,10 +43,7 @@ SECTIONS {
     . = 2M;
 
     /* The kernel code expects FILEHDR and PHDRS to be located at 0x20_0000. */
-    hdrs = .;
     . += SIZEOF_HEADERS;
-    .hdrs : {
-    } : hdrs
 
      /*
      * Boot code is executed with identity mapping; the main duty of the boot
@@ -79,9 +75,10 @@ SECTIONS {
     .bss : ALIGN(2M) {
         bss_start = .;
         *(.bss .bss.*)
-        bss_size = . - bss_start;
     } : bss
 
+    bss_size = SIZEOF(.bss) ;
+
     /* Stack grows down, so stack_start is the upper address in memory. */
     .stack (NOLOAD) : ALIGN(2M) {
         . += 512K;

oak_restricted_kernel/src/boot/boot.s

@@ -55,7 +55,9 @@ _oak_start:
     # Finally, trigger a full TLB flush by overwriting CR3, even if it is the same value.
     movq %rbx, %cr3
 
-    # Clear BSS: base address goes to RDI, value goes to AX, count goes into CX.
+    # Clear BSS: base address goes to RDI, value (0) goes to AX, count goes into CX.
+    # Set Direction Dlag (DF) to 0 for the address to increment (not decrement) after each rep of stosb.
+    cld
     mov $bss_start, %rdi
     mov $bss_size, %rcx
     xor %rax, %rax

oak_restricted_kernel_launcher/README.md

@@ -20,13 +20,13 @@ must be built.
 # Stage0, the restricted kernel, and an enclave app may be built like so:
 just \
   stage0_bin \
-  oak_restricted_kernel_wrapper \
+  oak_restricted_kernel_wrapper_virtio_console_channel \
   oak_orchestrator oak_multi_process_test && \
 
 # After building dependencies, an enclave app may be run like so:
 RUST_LOG=DEBUG \
 cargo run --package=oak_restricted_kernel_launcher -- \
---kernel=oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_wrapper_bin \
+--kernel=oak_restricted_kernel_wrapper/bin/wrapper_bzimage_virtio_console_channel \
 --vmm-binary=$(which qemu-system-x86_64) \
 --memory-size=8G \
 --bios-binary=stage0_bin/target/x86_64-unknown-none/release/stage0_bin \

oak_restricted_kernel_wrapper/BUILD

@@ -23,11 +23,11 @@ package(
 rust_binary(
     name = "oak_restricted_kernel_wrapper_virtio_console_channel",
     srcs = glob(["src/**/*.rs"]),
-    compile_data = ["src/asm/boot.s"],
-    crate_features = ["bazel"],  # TODO: b/333064338 remove.
-    data = [
+    compile_data = [
+        "src/asm/boot.s",
         "//oak_restricted_kernel_bin:oak_restricted_kernel_bin_virtio_console_channel",
     ],
+    crate_features = ["bazel"],  # TODO: b/333064338 remove.
     features = ["no_libstdcxx"],  # See https://github.com/f0rmiga/gcc-toolchain/blob/0.4.2/docs/README.md
     linker_script = ":layout.ld",
     platform = "//:x86_64-unknown-none-noavx-softfloat",
@@ -36,7 +36,7 @@ rust_binary(
     },
     rustc_flags = [
         "-C",
-        "relocation-model=pie",
+        "relocation-model=static",
     ],
     deps = [
         "@//oak_linux_boot_params",
@@ -48,11 +48,11 @@ rust_binary(
 rust_binary(
     name = "oak_restricted_kernel_wrapper_simple_io_channel",
     srcs = glob(["src/**/*.rs"]),
-    compile_data = ["src/asm/boot.s"],
-    crate_features = ["bazel"],  # TODO: b/333064338 remove.
-    data = [
+    compile_data = [
+        "src/asm/boot.s",
         "//oak_restricted_kernel_bin:oak_restricted_kernel_bin_simple_io_channel",
     ],
+    crate_features = ["bazel"],  # TODO: b/333064338 remove.
     features = ["no_libstdcxx"],  # See https://github.com/f0rmiga/gcc-toolchain/blob/0.4.2/docs/README.md
     linker_script = ":layout.ld",
     platform = "//:x86_64-unknown-none-noavx-softfloat",
@@ -61,7 +61,7 @@ rust_binary(
     },
     rustc_flags = [
         "-C",
-        "relocation-model=pie",
+        "relocation-model=static",
     ],
     deps = [
         "@//oak_linux_boot_params",

oak_restricted_kernel_wrapper/README.md

@@ -13,5 +13,5 @@ NOTE: This wrapper is not intended to be built using `cargo build` directly.
 To build it, run the following in the workspace root:
 
 ```bash
-just oak_restricted_kernel_wrapper
+just oak_restricted_kernel_wrapper_virtio_console_channel
 ```