Add working (but messy) config to start qemu KVM inside docker. TODO: clean up

Author: jul-sh

.devcontainer.json

@@ -4,7 +4,7 @@
 // - https://code.visualstudio.com/docs/remote/devcontainerjson-reference
 {
   // Do not modify manually. This value is automatically updated by ./scripts/docker_build .
-  "image": "sha256:ab889141f07b886f02ca3ec664341d7dfada94826c5538842b795b005bc1a417",
+  "image": "sha256:81502d6208dfe50f2ca92ac79f1f68a4e8f7553e0773288d6a5bbb8bca0eb2fd",
   "extensions": [
     "bazelbuild.vscode-bazel",
     "bodil.prettier-toml",
@@ -23,5 +23,8 @@
   // See https://code.visualstudio.com/docs/remote/containers-advanced#_changing-the-default-source-code-mount.
   "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=delegated",
   "workspaceFolder": "/workspace",
+  "runArgs": [
+    "--device=/dev/kvm"
+  ],
   "containerUser": "docker"
 }

Dockerfile

@@ -334,6 +334,11 @@ RUN mkdir --parents ${sccache_dir} \
 
 # By default, sccache uses `~/.cache/sccache` locally: https://github.com/mozilla/sccache#local.
 
+# Getting curl and certificates dependecies.
+# We're rate-limiting HTTP requests to 500 kB/s as otherwise we may get timeout errors
+# when downloading from snapshot.debian.org.
+
+
 ENV RUSTC_WRAPPER sccache
 
 # Disable cargo incremental compilation, as it conflicts with sccache: https://github.com/mozilla/sccache#rust

experimental/uefi/app/.cargo/config.toml

@@ -7,7 +7,7 @@ runner = "qemu-system-x86_64 -nodefaults -nographic -bios /usr/share/OVMF/OVMF_C
 
 # Otherwise, (a) the first serial port gets routed to a log, and (b) the second serial gets attached to stdio.
 [target.'cfg(not(test))']
-runner = "qemu-system-x86_64 -nodefaults -nographic -bios /usr/share/OVMF/OVMF_CODE.fd -serial file:target/console.log -serial stdio -machine q35 -device isa-debug-exit,iobase=0xf4,iosize=0x04 -kernel"
+runner = "qemu-system-x86_64 -enable-kvm -cpu Broadwell-IBRS,vme=on,f16c=on,rdrand=on -nodefaults -nographic -bios /usr/share/OVMF/OVMF_CODE.fd -serial file:target/console.log -serial stdio -machine q35 -device isa-debug-exit,iobase=0xf4,iosize=0x04 -kernel"
 
 [unstable]
 build-std = ["core", "alloc"]

scripts/common

@@ -20,7 +20,7 @@ readonly DOCKER_IMAGE_NAME='gcr.io/oak-ci/oak:latest'
 # from a registry first.
 
 # Do not modify manually. This value is automatically updated by ./scripts/docker_build .
-readonly DOCKER_IMAGE_ID='sha256:ab889141f07b886f02ca3ec664341d7dfada94826c5538842b795b005bc1a417'
+readonly DOCKER_IMAGE_ID='sha256:81502d6208dfe50f2ca92ac79f1f68a4e8f7553e0773288d6a5bbb8bca0eb2fd'
 
 # Do not modify manually. This value is automatically updated by ./scripts/docker_push .
 readonly DOCKER_IMAGE_REPO_DIGEST='gcr.io/oak-ci/oak@sha256:8189809db8f834acb9c56c71f7a80e5ed00f8057ea3ac014b771443356534b1d'

scripts/docker_run

@@ -48,6 +48,7 @@ docker_run_flags=(
   # To do that, we map the socket from the host and add the right group
   '--volume=/var/run/docker.sock:/var/run/docker.sock'
   "--group-add=$HOST_DOCKER_GID"
+  "--device=/dev/kvm"
 )
 
 # Some CI systems (GitHub actions) do not run with an interactive TTY attached.

scripts/fix_docker_user_and_run

@@ -13,5 +13,5 @@ set -o pipefail
 
 groupmod --gid="${HOST_GID}" docker
 usermod --uid="${HOST_UID}" --gid="${HOST_GID}" docker
-chown "${HOST_UID}":"${HOST_GID}" "/home/docker" "/home/docker/.cache"
+chown "${HOST_UID}":"${HOST_GID}" "/home/docker" "/home/docker/.cache" "/dev/kvm"
 su docker --session-command="$*"

third_party/ring/src/rand.rs

@@ -452,7 +452,11 @@ mod uefi {
                 static mut OPENSSL_ia32cap_P: [u32; 4];
             }
             const FLAG: u32 = 1 << 30;
-            unsafe { OPENSSL_ia32cap_P[1] & FLAG == FLAG }
+            // Somehow this check continues to require patching, regardless
+            // of qemu CPU config. :/. That is even though RDRAND is in fact
+            // available and working.
+            // unsafe { OPENSSL_ia32cap_P[1] & FLAG == FLAG }
+            true
         }
 
         // We must make sure current cpu support `rdrand`