diff --git a/FORCE_CI b/FORCE_CI index 21e72e8ac3d..95f9650f015 100644 --- a/FORCE_CI +++ b/FORCE_CI @@ -1 +1 @@ -48 +49 diff --git a/buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh b/buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh index 96fbe05bbb0..6027949e9d8 100644 --- a/buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh +++ b/buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh @@ -10,12 +10,12 @@ export BUILD_COMMAND=( .#rust --command just - oak_restricted_kernel_simple_io_init_rd_wrapper + oak_restricted_kernel_wrapper_simple_io_channel ) # The first element must be the Transparent Release binary (the main binary). export SUBJECT_PATHS=( - oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_simple_io_init_rd_wrapper_bin - oak_restricted_kernel_wrapper/bin/oak_restricted_kernel_simple_io_init_rd/subjects/oak_restricted_kernel_simple_io_init_rd_image - oak_restricted_kernel_wrapper/bin/oak_restricted_kernel_simple_io_init_rd/subjects/oak_restricted_kernel_simple_io_init_rd_setup_data + oak_restricted_kernel_wrapper/bin/wrapper_bzimage_simple_io_channel + oak_restricted_kernel_wrapper/bin/wrapper_simple_io_channel_subjects/oak_restricted_kernel_simple_io_channel_image + oak_restricted_kernel_wrapper/bin/wrapper_simple_io_channel_subjects/oak_restricted_kernel_simple_io_channel_setup_data ) diff --git a/justfile b/justfile index 30f5721c177..69b707d7eda 100644 --- a/justfile +++ b/justfile 
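Review bot: The entries in `SUBJECT_PATHS` are renamed along with their paths (`oak_restricted_kernel_simple_io_init_rd_image` becomes `oak_restricted_kernel_simple_io_channel_image`, and likewise for `_setup_data`), while this config file keeps its `simple_io_init_rd_wrapper_bin` name. If provenance consumers or endorsement tooling look subjects up by file name (not visible here), they will stop matching after this change. The digests will most likely change as well, because the justfile hunks move the wrapper build from Cargo to Bazel. I would record that above the array, e.g. `# Subjects were renamed from *_simple_io_init_rd_* when the wrapper moved to Bazel; reference values must be regenerated.`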
@@ -27,9 +27,6 @@ build_enclave_app name: oak_functions_insecure_enclave_app: env --chdir=enclave_apps/oak_functions_enclave_app cargo build --release --no-default-features --features=allow_sensitive_logging -oak_restricted_kernel_bin: - env --chdir=oak_restricted_kernel_bin cargo build --release --bin=oak_restricted_kernel_bin - run_oak_functions_containers_launcher wasm_path port lookup_data_path communication_channel virtio_guest_cid: target/x86_64-unknown-linux-gnu/release/oak_functions_containers_launcher \ --vmm-binary=$(which qemu-system-x86_64) \ 
@@ -49,36 +46,40 @@ run_oak_functions_containers_launcher wasm_path port lookup_data_path communicat run_oak_functions_launcher wasm_path port lookup_data_path: target/x86_64-unknown-linux-gnu/release/oak_functions_launcher \ --bios-binary=stage0_bin/target/x86_64-unknown-none/release/stage0_bin \ - --kernel=oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_wrapper_bin \ + --kernel=oak_restricted_kernel_wrapper/bin/wrapper_bzimage_virtio_console_channel \ --vmm-binary=$(which qemu-system-x86_64) \ --app-binary=enclave_apps/target/x86_64-unknown-none/release/oak_functions_enclave_app \ --initrd=enclave_apps/target/x86_64-unknown-none/release/oak_orchestrator \ --memory-size=256M \ --wasm={{wasm_path}} \ --port={{port}} \ - --lookup-data={{lookup_data_path}} \ + --lookup-data={{lookup_data_path}} # Run an integration test for Oak Functions making sure all the dependencies are built. -run_oak_functions_test: oak_orchestrator oak_functions_launcher oak_functions_enclave_app (wasm_release_crate "key_value_lookup") oak_restricted_kernel_wrapper +run_oak_functions_test: oak_orchestrator oak_functions_launcher oak_functions_enclave_app (wasm_release_crate "key_value_lookup") oak_restricted_kernel_wrapper_virtio_console_channel cargo test --package=key_value_lookup test_server # Builds a variant of the restricted kernel and creates a bzImage of it. # Then creates provenance subjects for it. 
-restricted_kernel_bzimage_and_provenance_subjects kernel_bin_prefix: - env \ - --chdir=oak_restricted_kernel_wrapper OAK_RESTRICTED_KERNEL_FILE_NAME={{kernel_bin_prefix}}_bin cargo build \ - --release - mkdir \ - --parents \ - ./oak_restricted_kernel_wrapper/target/released_bin_with_components_{{kernel_bin_prefix}} +# kernel_suffix examples: _virtio_console_channel, _simple_io_channel +restricted_kernel_bzimage_and_provenance_subjects kernel_suffix: + mkdir --parents oak_restricted_kernel_wrapper/bin + + # Buidling in "opt" mode is required so that Rust won't try to prevent underflows. + # This check must be OFF otherwise checks will be too conservative and fail at runtime. + bazel build //oak_restricted_kernel_wrapper:oak_restricted_kernel_wrapper{{kernel_suffix}} \ + --platforms=//:x86_64-unknown-none \ + --compilation_mode opt + rust-objcopy \ --output-target=binary \ - oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_wrapper \ - oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/{{kernel_bin_prefix}}_wrapper_bin + bazel-bin/oak_restricted_kernel_wrapper/oak_restricted_kernel_wrapper{{kernel_suffix}} \ + oak_restricted_kernel_wrapper/bin/wrapper_bzimage{{kernel_suffix}} + just bzimage_provenance_subjects \ - {{kernel_bin_prefix}} \ - oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/{{kernel_bin_prefix}}_wrapper_bin \ - oak_restricted_kernel_wrapper/bin/{{kernel_bin_prefix}}/subjects + oak_restricted_kernel{{kernel_suffix}} \ + oak_restricted_kernel_wrapper/bin/wrapper_bzimage{{kernel_suffix}} \ + oak_restricted_kernel_wrapper/bin/wrapper{{kernel_suffix}}_subjects # Create provenance subjects for a kernel bzImage, by extracting the setup data # and image to the output directory. 
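Review bot: The new comment above `bazel build` in `restricted_kernel_bzimage_and_provenance_subjects` says `--compilation_mode opt` is required because the binary fails at runtime with overflow checks on, which implies the released wrapper depends on arithmetic that silently wraps. For a kernel component that should be stated precisely rather than hidden behind a build flag: name the computation that underflows and, ideally, make it explicit in the Rust code with `wrapping_sub` or `checked_sub`, so the result does not depend on the compilation mode. Until then I would reword the comment (and fix the "Buidling" typo) along the lines of `# Building in "opt" mode turns off Rust's overflow checks; the wrapper currently fails at runtime with them on (TODO: <issue-id> - find the underflow and make it explicit).` The same comment is repeated in the `oak_restricted_kernel_bin_virtio_console_channel` recipe in the next hunk.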
@@ -90,14 +91,21 @@ bzimage_provenance_subjects kernel_name bzimage_path output_dir: --kernel-setup-data-output="{{output_dir}}/{{kernel_name}}_setup_data" \ --kernel-image-output="{{output_dir}}/{{kernel_name}}_image" -oak_restricted_kernel_wrapper: oak_restricted_kernel_bin - just restricted_kernel_bzimage_and_provenance_subjects oak_restricted_kernel +oak_restricted_kernel_bin_virtio_console_channel: + # Buidling in "opt" mode is required so that Rust won't try to prevent underflows. + # This check must be OFF otherwise checks will be too conservative and fail at runtime. + bazel build //oak_restricted_kernel_bin:oak_restricted_kernel_bin_virtio_console_channel \ + --platforms=//:x86_64-unknown-none \ + --compilation_mode opt + +oak_restricted_kernel_wrapper_virtio_console_channel: + just restricted_kernel_bzimage_and_provenance_subjects _virtio_console_channel -oak_restricted_kernel_simple_io_init_rd_bin: - env --chdir=oak_restricted_kernel_bin cargo build --release --no-default-features --features=simple_io_channel --bin=oak_restricted_kernel_simple_io_init_rd_bin +oak_restricted_kernel_bin_simple_io_channel: + bazel build //oak_restricted_kernel_bin:oak_restricted_kernel_bin_simple_io_channel --platforms=//:x86_64-unknown-none -oak_restricted_kernel_simple_io_init_rd_wrapper: oak_restricted_kernel_simple_io_init_rd_bin - just restricted_kernel_bzimage_and_provenance_subjects oak_restricted_kernel_simple_io_init_rd +oak_restricted_kernel_wrapper_simple_io_channel: + just restricted_kernel_bzimage_and_provenance_subjects _simple_io_channel oak_client_android_app: bazel build --noexperimental_check_desugar_deps --compilation_mode opt \ 
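Review bot: `oak_restricted_kernel_bin_simple_io_channel` is built without `--compilation_mode opt`, while the `oak_restricted_kernel_bin_virtio_console_channel` recipe directly above it states that "opt" is required for the binary not to fail at runtime. Unless the simple-IO variant really does not need it, the two recipes should match: `bazel build //oak_restricted_kernel_bin:oak_restricted_kernel_bin_simple_io_channel --platforms=//:x86_64-unknown-none --compilation_mode opt`. The wrapper recipes also no longer list a kernel-binary recipe as a prerequisite. The kernel inside the wrapper is therefore whatever Bazel builds through the wrapper target's own inputs, not necessarily the output of these standalone recipes, and a one-line comment saying which artifact is the measured one would avoid confusion.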
@@ -256,8 +264,8 @@ oak_attestation_explain_wasm: # Entry points for Kokoro CI. -kokoro_build_binaries_rust: all_enclave_apps oak_restricted_kernel_bin \ - oak_restricted_kernel_simple_io_init_rd_wrapper stage0_bin \ +kokoro_build_binaries_rust: all_enclave_apps oak_restricted_kernel_bin_virtio_console_channel \ + oak_restricted_kernel_wrapper_simple_io_channel stage0_bin \ oak_client_android_app kokoro_oak_containers: all_oak_containers_binaries oak_functions_containers_container_bundle_tar @@ -270,7 +278,7 @@ kokoro_oak_containers: all_oak_containers_binaries oak_functions_containers_cont # TODO: b/349572480 - Enable benchmarks in Bazel and remove oak_functions_service and oak_functions_launcher (after integration tests bazelified) from this list. cargo_test_packages_arg := "-p key_value_lookup -p oak_functions_containers_app -p oak_functions_containers_launcher -p oak_functions_launcher -p oak_functions_service" -kokoro_run_cargo_tests: all_ensure_no_std all_oak_functions_containers_binaries oak_restricted_kernel_wrapper oak_orchestrator stage0_bin oak_functions_enclave_app all_wasm_test_crates build-clients +kokoro_run_cargo_tests: all_ensure_no_std all_oak_functions_containers_binaries oak_restricted_kernel_wrapper_virtio_console_channel oak_orchestrator stage0_bin oak_functions_enclave_app all_wasm_test_crates build-clients RUST_LOG="debug" cargo nextest run --all-targets --hide-progress-bar {{cargo_test_packages_arg}} clang-tidy: diff --git a/kokoro/build_binaries_rust.sh b/kokoro/build_binaries_rust.sh index 11d9e41e6e6..cdb2b13f069 100755 --- a/kokoro/build_binaries_rust.sh +++ b/kokoro/build_binaries_rust.sh 
@@ -28,7 +28,7 @@ readonly generated_binaries=( enclave_apps/target/x86_64-unknown-none/release/oak_functions_enclave_app enclave_apps/target/x86_64-unknown-none/release/oak_functions_insecure_enclave_app enclave_apps/target/x86_64-unknown-none/release/oak_orchestrator - oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_simple_io_init_rd_wrapper_bin + oak_restricted_kernel_wrapper/bin/wrapper_bzimage_simple_io_channel stage0_bin/target/x86_64-unknown-none/release/stage0_bin ) readonly binary_names=( diff --git a/oak_functions/examples/key_value_lookup/module/src/tests.rs b/oak_functions/examples/key_value_lookup/module/src/tests.rs index 0b006bee2b4..54072fe5f60 100644 --- a/oak_functions/examples/key_value_lookup/module/src/tests.rs +++ b/oak_functions/examples/key_value_lookup/module/src/tests.rs @@ -101,7 +101,7 @@ fn bench_wasm_handler(bencher: &mut Bencher) { ); // Wait for the server to start up. - std::thread::sleep(Duration::from_secs(20)); + std::thread::sleep(Duration::from_secs(180)); let uri = format!("http://localhost:{server_port}/"); let mut client = runtime diff --git a/oak_functions_test_utils/src/lib.rs b/oak_functions_test_utils/src/lib.rs index 6caf6519fe4..48b1b41cba5 100644 --- a/oak_functions_test_utils/src/lib.rs +++ b/oak_functions_test_utils/src/lib.rs @@ -22,10 +22,8 @@ pub static MOCK_LOOKUP_DATA_PATH: Lazy = pub static OAK_RESTRICTED_KERNEL_WRAPPER_BIN: Lazy = Lazy::new(|| { workspace_path(&[ "oak_restricted_kernel_wrapper", - "target", - "x86_64-unknown-none", - "release", - "oak_restricted_kernel_wrapper_bin", + "bin", + "wrapper_bzimage_virtio_console_channel", ]) }); diff --git a/oak_kernel_measurement/README.md b/oak_kernel_measurement/README.md index b694e8d74e9..ffb55681341 100644 --- a/oak_kernel_measurement/README.md +++ b/oak_kernel_measurement/README.md 
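Review bot: Raising the fixed start-up wait in `bench_wasm_handler` from 20 to 180 seconds makes every run pay three minutes, and it still races if the server takes longer than that. Prefer polling until the server answers, bounded by a deadline, so the benchmark starts as soon as the server is ready and fails with a clear message otherwise. If the sleep stays, the comment should say why start-up now needs nine times longer, e.g. `// Wait for the server to start up; <reason for the longer boot> makes this slow.` The function body continues outside the hunk.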
@@ -10,7 +10,9 @@ Stage 0 measures these split, modified components rather than the original bzImage kernel. This tool can be used to predict the Stage 0 measurements of these components from a bzImage kernel. -The tool can be run using: +The tool can be run using either: + +- All built with Cargo option: ```bash cargo run --package=oak_kernel_measurement -- \ @@ -19,11 +21,14 @@ cargo run --package=oak_kernel_measurement -- \ --kernel=oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_simple_io_init_rd_wrapper_bin ``` -or by: +- Restricted kernel built with Bazel option (oak_containers_kernel still Cargo): ```bash -bazel run //oak_kernel_measurement -- \ - --kernel=$(pwd)/oak_containers_kernel/target/bzImage -bazel run //oak_kernel_measurement -- \ - --kernel=$(pwd)/oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_simple_io_init_rd_wrapper_bin +cargo run --package=oak_kernel_measurement -- \ + --kernel=oak_containers_kernel/target/bzImage +just oak_restricted_kernel_wrapper_simple_io_channel +cargo run --package=oak_kernel_measurement -- \ + --kernel=oak_restricted_kernel_wrapper/bin/wrapper_bzimage_simple_io_channel ``` + +You may need to prepend "$(pwd)" to paths. diff --git a/oak_restricted_kernel/layout.ld b/oak_restricted_kernel/layout.ld index 6c002b0b7b1..79f1333cde5 100644 --- a/oak_restricted_kernel/layout.ld +++ b/oak_restricted_kernel/layout.ld @@ -23,13 +23,12 @@ PHDRS * has a sanity check that expects the section with the lowest address to come * first. */ - hdrs PT_LOAD FILEHDR PHDRS FLAGS(4); + hdrs PT_LOAD FILEHDR PHDRS FLAGS(4) AT(2M); /* Executable text. */ boot PT_LOAD FLAGS(4 + 1); /* PF_R + PF_X */ text PT_LOAD FLAGS(4 + 1); /* PF_R + PF_X */ /* Read-only data. */ rodata PT_LOAD FLAGS(4); /* PF_R */ - payload PT_LOAD FLAGS(4); /* PF_R */ /* Initialized read-write data. */ data PT_LOAD FLAGS(4 + 2); /* PF_R + PF_W */ /* Uninitialized read-write data. */ 
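Review bot: The `hdrs` program header now carries `AT(2M)` but, unlike the entries below it, has no comment for its flags or for the new load address. The `2M` presumably has to stay in step with the `. = 2M;` at the top of `SECTIONS`, where the next hunk keeps the comment that the kernel expects FILEHDR and PHDRS at 0x20_0000. I would document the coupling: `hdrs PT_LOAD FILEHDR PHDRS FLAGS(4) AT(2M); /* PF_R; load address must match ". = 2M" in SECTIONS */`. The hunk also drops the `payload` header, so any output section still assigned to `: payload` outside the visible lines needs to be removed or reassigned with it.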
@@ -44,10 +43,7 @@ SECTIONS { . = 2M; /* The kernel code expects FILEHDR and PHDRS to be located at 0x20_0000. */ - hdrs = .; . += SIZEOF_HEADERS; - .hdrs : { - } : hdrs /* * Boot code is executed with identity mapping; the main duty of the boot @@ -79,9 +75,10 @@ SECTIONS { .bss : ALIGN(2M) { bss_start = .; *(.bss .bss.*) - bss_size = . - bss_start; } : bss + bss_size = SIZEOF(.bss) ; + /* Stack grows down, so stack_start is the upper address in memory. */ .stack (NOLOAD) : ALIGN(2M) { . += 512K; diff --git a/oak_restricted_kernel/src/boot/boot.s b/oak_restricted_kernel/src/boot/boot.s index 5a790d3fe74..b18b9237bdb 100644 --- a/oak_restricted_kernel/src/boot/boot.s +++ b/oak_restricted_kernel/src/boot/boot.s @@ -55,7 +55,9 @@ _oak_start: # Finally, trigger a full TLB flush by overwriting CR3, even if it is the same value. movq %rbx, %cr3 - # Clear BSS: base address goes to RDI, value goes to AX, count goes into CX. + # Clear BSS: base address goes to RDI, value (0) goes to AX, count goes into CX. + # Set Direction Dlag (DF) to 0 for the address to increment (not decrement) after each rep of stosb. + cld mov $bss_start, %rdi mov $bss_size, %rcx xor %rax, %rax diff --git a/oak_restricted_kernel_launcher/README.md b/oak_restricted_kernel_launcher/README.md index 628b018f851..9c613a57a4e 100644 --- a/oak_restricted_kernel_launcher/README.md +++ b/oak_restricted_kernel_launcher/README.md 
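Review bot: The added comment in `_oak_start` misspells the flag name ("Direction Dlag"). Suggested wording: `# Clear the Direction Flag (DF) so that each stosb repetition increments RDI rather than decrementing it.` If DF is not guaranteed to be clear on entry to `_oak_start`, the comment should say so, since that is the reason the `cld` is needed. The `rep stosb` itself is outside the hunk.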
@@ -20,13 +20,13 @@ must be built. # Stage0, the restricted kernel, and an enclave app may be built like so: just \ stage0_bin \ - oak_restricted_kernel_wrapper \ + oak_restricted_kernel_wrapper_virtio_console_channel \ oak_orchestrator oak_multi_process_test && \ # After building dependencies, an enclave app may be run like so: RUST_LOG=DEBUG \ cargo run --package=oak_restricted_kernel_launcher -- \ ---kernel=oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_wrapper_bin \ +--kernel=oak_restricted_kernel_wrapper/bin/wrapper_bzimage_virtio_console_channel \ --vmm-binary=$(which qemu-system-x86_64) \ --memory-size=8G \ --bios-binary=stage0_bin/target/x86_64-unknown-none/release/stage0_bin \ diff --git a/oak_restricted_kernel_wrapper/BUILD b/oak_restricted_kernel_wrapper/BUILD index e0b0ec5ecc1..acc909934ce 100644 --- a/oak_restricted_kernel_wrapper/BUILD +++ b/oak_restricted_kernel_wrapper/BUILD @@ -23,11 +23,11 @@ package( rust_binary( name = "oak_restricted_kernel_wrapper_virtio_console_channel", srcs = glob(["src/**/*.rs"]), - compile_data = ["src/asm/boot.s"], - crate_features = ["bazel"], # TODO: b/333064338 remove. - data = [ + compile_data = [ + "src/asm/boot.s", "//oak_restricted_kernel_bin:oak_restricted_kernel_bin_virtio_console_channel", ], + crate_features = ["bazel"], # TODO: b/333064338 remove. features = ["no_libstdcxx"], # See https://github.com/f0rmiga/gcc-toolchain/blob/0.4.2/docs/README.md linker_script = ":layout.ld", platform = "//:x86_64-unknown-none-noavx-softfloat", @@ -36,7 +36,7 @@ rust_binary( }, rustc_flags = [ "-C", - "relocation-model=pie", + "relocation-model=static", ], deps = [ "@//oak_linux_boot_params", 
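Review bot: Moving the kernel binary from `data` to `compile_data` makes it an input of the wrapper's compilation, and this target sets `platform = "//:x86_64-unknown-none-noavx-softfloat"`. If that attribute also applies to the target's inputs (worth confirming), the embedded kernel is built for a different platform than the one the justfile recipes request with `--platforms=//:x86_64-unknown-none`. In that case the standalone kernel binary and the one inside the wrapper may not be identical. For a measured component the difference should be either removed or documented, e.g. on the `compile_data` entry: `# Embedded into the wrapper at compile time; built under this target's platform, not the command-line one.` The `oak_restricted_kernel_wrapper_simple_io_channel` target in a later hunk has the same change.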
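Review bot: `relocation-model=pie` becomes `relocation-model=static` in `rustc_flags` without a comment, and the same edit is made for the `simple_io_channel` target further down. This changes how the wrapper is linked and loaded, so the reason belongs next to the flag, for example `# Static relocation model: <reason, e.g. the image is loaded at the fixed address from layout.ld>.` It would also help to state whether anything still expects a position-independent wrapper.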
@@ -48,11 +48,11 @@ rust_binary( rust_binary( name = "oak_restricted_kernel_wrapper_simple_io_channel", srcs = glob(["src/**/*.rs"]), - compile_data = ["src/asm/boot.s"], - crate_features = ["bazel"], # TODO: b/333064338 remove. - data = [ + compile_data = [ + "src/asm/boot.s", "//oak_restricted_kernel_bin:oak_restricted_kernel_bin_simple_io_channel", ], + crate_features = ["bazel"], # TODO: b/333064338 remove. features = ["no_libstdcxx"], # See https://github.com/f0rmiga/gcc-toolchain/blob/0.4.2/docs/README.md linker_script = ":layout.ld", platform = "//:x86_64-unknown-none-noavx-softfloat", @@ -61,7 +61,7 @@ rust_binary( }, rustc_flags = [ "-C", - "relocation-model=pie", + "relocation-model=static", ], deps = [ "@//oak_linux_boot_params", diff --git a/oak_restricted_kernel_wrapper/README.md b/oak_restricted_kernel_wrapper/README.md index 552e0a790a9..5744d49c06e 100644 --- a/oak_restricted_kernel_wrapper/README.md +++ b/oak_restricted_kernel_wrapper/README.md @@ -13,5 +13,5 @@ NOTE: This wrapper is not intended to be built using `cargo build` directly. To build it, run the following in the workspace root: ```bash -just oak_restricted_kernel_wrapper +just oak_restricted_kernel_wrapper_virtio_console_channel ```