Merge pull request #2465 from t-koulouris/ok_build_updates

Updates to okernel project build files

projects/okernel/Dockerfile.kvmod

@@ -1,5 +1,8 @@
-FROM alpine:3.5
+ARG IMAGE
+FROM ${IMAGE} AS kernel
 
-COPY ./kvmod .
-
-CMD ["insmod", "/root/kvmod/kernel_vuln.ko"]
+FROM scratch
+ENTRYPOINT []
+WORKDIR /
+COPY --from=kernel kernel_vuln.ko .
+CMD ["insmod", "/kernel_vuln.ko"]

projects/okernel/Dockerfile.okernel

@@ -1,4 +1,26 @@
-FROM linuxkit/alpine-build-kernel:cfdd576c36a52ed2dd62f237f79eeedc2dd3697b@sha256:3fe08db373a9373ba1616a485858f01ebd2d7a3cb364a099d0ed8b45fa419da2
+FROM linuxkit/alpine:a120ad6aead3fe583eaa20e9b75a05ac1b3487da AS kernel-build
+RUN apk --no-cache add \
+    argp-standalone \
+    automake \
+    bash \
+    bc \
+    binutils-dev \
+    bison \
+    build-base \
+    curl \
+    diffutils \
+    git \
+    installkernel \
+    kmod \
+    libelf-dev \
+    linux-headers \
+    sed \
+    tar \
+    xz \
+    zlib-dev \
+    openssl-dev
+
+RUN apk --no-cache add --repository http://dl-cdn.alpinelinux.org/alpine/edge/main openssl
 
 ARG KERNEL_VERSION
 ARG DEBUG=0
@@ -6,8 +28,6 @@ ARG DEBUG=0
 ENV OKERNEL_SOURCE=https://github.com/linux-okernel/linux-okernel/archive/${KERNEL_VERSION}.tar.gz
 ENV USPACE_SOURCE=https://github.com/linux-okernel/linux-okernel-components/archive/master.tar.gz
 
-RUN apk --update add openssl openssl-dev
-
 RUN if [ -n $HTTP_PROXY ]; then \
     curl -fsSL -x ${HTTP_PROXY} -o linux-${KERNEL_VERSION}.tar.gz ${OKERNEL_SOURCE}; \
     else \
@@ -16,47 +36,43 @@ RUN if [ -n $HTTP_PROXY ]; then \
 
 RUN cat linux-${KERNEL_VERSION}.tar.gz | tar --absolute-names -xz && mv /linux-okernel-${KERNEL_VERSION} /linux
 
-COPY kernel_config.okernel /linux/arch/x86/configs/x86_64_defconfig
-#COPY kernel_config.debug /linux/debug_config
+COPY kernel_config.okernel /linux/.config
 
-RUN if [ $DEBUG -ne "0" ]; then \
-    sed -i 's/CONFIG_PANIC_ON_OOPS=y/# CONFIG_PANIC_ON_OOPS is not set/' /linux/arch/x86/configs/x86_64_defconfig; \
-    cat /linux/debug_config >> /linux/arch/x86/configs/x86_64_defconfig; \
-    fi
-
-# Apply local patches
-# COPY patches-4.10 /patches
-#RUN cd /linux && \
-#   set -e && for patch in /patches/*.patch; do \
-#        echo "Applying $patch"; \
-#        patch -p1 < "$patch"; \
-#    done
+RUN mkdir /out
 
+# Kernel
 RUN cd /linux && \
-    make defconfig && \
     make oldconfig && \
-    make -j "$(getconf _NPROCESSORS_ONLN)" KCFLAGS="-fno-pie"
+    make -j "$(getconf _NPROCESSORS_ONLN)" KCFLAGS="-fno-pie" && \
+    cp arch/x86_64/boot/bzImage /out/kernel && \
+    cp System.map /out && \
+    cp vmlinux /out
 
+# Modules & Headers (userspace API)
 RUN cd /linux && \
     make INSTALL_MOD_PATH=/tmp/kernel-modules modules_install && \
     ( DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
       cd /tmp/kernel-modules/lib/modules/$DVER && \
       rm build source && \
       ln -s /usr/src/linux-headers-$DVER build ) && \
+    ( cd /tmp/kernel-modules && tar cf /out/kernel.tar lib ) && \
     mkdir -p /tmp/kernel-headers/usr && \
     make INSTALL_HDR_PATH=/tmp/kernel-headers/usr headers_install && \
-    ( cd /tmp/kernel-headers && tar cf /kernel-headers.tar usr ) && \
-    ( cd /tmp/kernel-modules && tar cf /kernel-modules.tar lib ) && \
-    cp vmlinux arch/x86_64/boot/bzImage /
+    ( cd /tmp/kernel-headers && tar cf /out/kernel-headers.tar usr ) 
 
+# Headers (kernel development)
 RUN DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
     dir=/tmp/usr/src/linux-headers-$DVER && \
     mkdir -p $dir && \
     cp /linux/.config $dir && \
-    cd /linux && \
-    cp -a include "$dir" && \
-    mkdir -p "$dir"/arch/x86 && cp -a arch/x86/include "$dir"/arch/x86/ && \
-    ( cd /tmp && tar cf /kernel-dev.tar usr/src )
+    cp /linux/Module.symvers $dir && \
+    find . -path './include/*' -prune -o \
+           -path './arch/*/include' -prune -o \
+           -path './scripts/*' -prune -o \
+           -type f \( -name 'Makefile*' -o -name 'Kconfig*' -o -name 'Kbuild*' -o \
+                      -name '*.lds' -o -name '*.pl' -o -name '*.sh' \) | \
+         tar cf - -T - | (cd $dir; tar xf -) && \
+    ( cd /tmp && tar cf /out/kernel-dev.tar usr/src )
 
 RUN printf "KERNEL_SOURCE=${OKERNEL_SOURCE}\n" > /kernel-source-info
 
@@ -73,8 +89,11 @@ WORKDIR /ok_components/test_mappings/kvmod
 
 RUN sed -i 's_~/linux-okernel_/linux_' Makefile && \
     make && \
-    mkdir -p /tmp/root/kvmod && cp kernel_vuln.ko /tmp/root/kvmod && \
-    cd /tmp && \
-    tar cf /kernel_vuln.tar root
+    cp kernel_vuln.ko /out/
 
+FROM scratch
+ENTRYPOINT []
+CMD []
 WORKDIR /
+COPY --from=kernel-build /out/* /
+

projects/okernel/Makefile

@@ -1,90 +1,67 @@
+all: image tag
+
+IMAGE=okernel
+OKERNEL_REPO=https://github.com/linux-okernel/linux-okernel
+DEPS=Dockerfile.okernel Makefile kernel_config.okernel Dockerfile.kvmod
+
 DEBUG ?= 0
 
-all:	bzImage tag
-
-# We push the image to hub twice, once with the full kernel version of
-# "linuxkit/kernel:<kernel version>.<major version>.<minor version>-<n>",
-# where "<n>" is a monotonically increasing config number, and as
-# "linuxkit/kernel:<kernel version>.<major version>.x". This version
-# number is stored in IMAGE_VERSION.
-#
-# We expect most users to us the "<kernel version>.<major version>.x"
-# variant as this simply is the latest version of a given major kernel
-# version. This version number is stored in IMAGE_MAJOR_VERSION.
-#
-# For IMAGE_VERSION, the "<n>" must be increased whenever
-# the kernel config or the patches change. We don't expect this to
-# happen very often as the minor version number gets update quite
-# frequently.
-#
-# IMAGE_VERSION is used to determine if a new image should be pushed to hub.
-
 ifdef KERNEL
 ifneq ($(KERNEL),latest)
+ifneq (,$(findstring ok-,$(KERNEL)))
 KERNEL_VERSION=$(KERNEL)
-IMAGE_VERSION=$(KERNEL_VERSION)-0
+IMAGE_VERSION=$(KERNEL_VERSION)
+LATEST=0
 else
-KERNEL_VERSION=linux-okernel
-IMAGE_VERSION=latest
+$(error Error, valid okernel kernel versions begin with "ok-")
 endif
 else
 KERNEL_VERSION=linux-okernel
-IMAGE_VERSION=latest
+IMAGE_VERSION=$(shell git ls-remote --tags $(OKERNEL_REPO) ok-\* | awk -F"/" '{print $$3}' | tail -1)
+LATEST=1
+endif
+else
+KERNEL_VERSION=linux-okernel
+IMAGE_VERSION=$(shell git ls-remote --tags $(OKERNEL_REPO) ok-\* | awk -F"/" '{print $$3}' | tail -1)
+LATEST=1
 endif
 
-IMAGE=okernel
-IMAGE_MAJOR_VERSION=4.11.x
-DEPS=Dockerfile.okernel Makefile kernel_config.okernel Dockerfile.kvmod
-
-MEDIA_TOYBOX=linuxkit/toybox-media:d7e82a7d19ccc84c9071fa7a88ecaa58ae958f7c@sha256:4c7d25f2be2429cd08417c36e04161cb924e46f3e419ee33a0aa9ff3a0942e02
 
 
-kernel.tag: $(DEPS)
 ifdef HTTP_PROXY
-	BUILD=$$( tar cf - $^ | docker build -f $< --build-arg DEBUG=$(DEBUG) --build-arg KERNEL_VERSION=$(KERNEL_VERSION) --build-arg HTTP_PROXY=$(HTTP_PROXY) -q - ) && [ -n "$$BUILD" ] && echo "Built $$BUILD" && echo "$$BUILD" > $@
-else
-	BUILD=$$( tar cf - $^ | docker build -f $< --build-arg DEBUG=$(DEBUG) --build-arg KERNEL_VERSION=$(KERNEL_VERSION) -q - ) && [ -n "$$BUILD" ] && echo "Built $$BUILD" && echo "$$BUILD" > $@
+	PROXY_ARG = --build-arg HTTP_PROXY=$(HTTP_PROXY)
 endif
 
-bzImage: kernel.tag
-	rm -rf etc/kernel-patches
-	mkdir -p x86_64 etc lib usr sbin etc/kernel-patches kvmod
-	docker run --rm --net=none --log-driver=none $(shell cat kernel.tag) tar cf - bzImage kernel-dev.tar kernel-headers.tar vmlinux kernel-modules.tar kernel_vuln.tar | tar xf - -C x86_64
-	cp x86_64/kernel-modules.tar kernel.tar
-	cp x86_64/kernel_vuln.tar kernel_vuln.tar
-	tar xf kernel_vuln.tar -C kvmod
-	cp x86_64/bzImage $@
+ifdef HTTPS_PROXY
+	PROXY_ARG += --build-arg HTTPS_PROXY=$(HTTPS_PROXY)
+endif
 
 .PHONY: image push tag kvmod
+image: $(DEPS)
+	BUILD=$$( tar cf - $^ | docker build -f $< $(PROXY_ARG) --build-arg DEBUG=$(DEBUG) --build-arg KERNEL_VERSION=$(KERNEL_VERSION) -q -t $(IMAGE):build - ) && [ -n "$$BUILD" ] && echo "Built $$BUILD" && echo "$$BUILD" > build_info
 
-default: push
 
-Dockerfile.media:
-	printf "FROM $(MEDIA_TOYBOX)\nCOPY bzImage kernel.tar /\n" > $@
+default: tag
 
-image: Dockerfile.media bzImage kernel.tar Dockerfile.kvmod kvmod/root/kvmod/kernel_vuln.ko $(DEPS)
-	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -f Dockerfile.media -
-
-kvmod: Dockerfile.kvmod kvmod/root/kvmod/kernel_vuln.ko $(DEPS)
-	tar cf - $^ | docker build --no-cache -t okernel-kvmod:$(IMAGE_VERSION) -f Dockerfile.kvmod -
+kvmod: 
+	docker build --no-cache --build-arg IMAGE=$(IMAGE):$(IMAGE_VERSION) -t okernel-kvmod:$(IMAGE_VERSION) - < Dockerfile.kvmod
 
 push: image
-	docker pull linuxkit/$(IMAGE):$(IMAGE_VERSION) || \
-		(docker tag $(IMAGE):build linuxkit/$(IMAGE):$(IMAGE_VERSION) && \
-		 docker push linuxkit/$(IMAGE):$(IMAGE_VERSION) && \
-		 docker tag $(IMAGE):build linuxkit/$(IMAGE):$(IMAGE_MAJOR_VERSION) && \
-		 docker push linuxkit/$(IMAGE):$(IMAGE_MAJOR_VERSION))
+	(docker tag $(IMAGE):build $(IMAGE):$(IMAGE_VERSION) && \
+	 docker push $(IMAGE):$(IMAGE_VERSION)) 
 	docker rmi $(IMAGE):build
 	rm -f hash
 
 tag: image
-	(docker tag $(IMAGE):build linuxkit/$(IMAGE):$(IMAGE_VERSION) && \
-	docker tag $(IMAGE):build linuxkit/$(IMAGE):$(IMAGE_MAJOR_VERSION))
+	docker tag $(IMAGE):build $(IMAGE):$(IMAGE_VERSION)
+ifeq (1,$(LATEST))
+	docker tag $(IMAGE):build $(IMAGE):latest
+endif
 	docker rmi $(IMAGE):build
 	rm -f hash
 
 .PHONY: clean
 clean:
-	rm -rf x86_64 lib usr sbin kernel.tag Dockerfile.media bzImage kernel.tar kernel_vuln.tar kvmod
+	rm -f build_info
 
 .DELETE_ON_ERROR:

projects/okernel/README.md

@@ -73,18 +73,18 @@ then entered where the permission violation can be handled.
 # Integration with LinuxKit
 
 Custom Linux distributions utilizing the split kernel can be readily built
-using LinuxKit by simply specifying an okernel Docker image in the `kernel`
-section of the OS image YAML specification. See the sample YAML files provided
-in [examples](https://github.com/linuxkit/linuxkit/tree/master/projects/okernel/examples).
+using LinuxKit by simply specifying an okernel image in the `kernel` section
+of the LinuxKit OS image YAML specification. See the sample YAML files provided
+in [examples/](https://github.com/linuxkit/linuxkit/tree/master/projects/okernel/examples) for more details.
 
 ## Building the split kernel image for LinuxKit
 
- - `make` will build and package the latest version of the split kernel, by
-   pulling sources from the top-of-tree of the okernel project GitHub
-   (https://github.com/linux-okernel/linux-okernel).
- - Additionally, a specific version of the kernel can be built
+ - `make` will build and package the latest version of the split kernel
+   for LinuxKit, by    pulling sources from the top-of-tree of the
+   okernel project GitHub    (https://github.com/linux-okernel/linux-okernel).
+ - Alternatively, a specific version of the kernel can be built
    by setting the 'KERNEL' environment variable to the appropriate
-   value, e.g.: `make KERNEL=ok-4.11-rc2`. The value MUST correspond
+   value, e.g.: `make KERNEL=ok-4.13-rc7`. The value MUST correspond
    to a legitimate okernel tag present in the project GitHub
    (https://github.com/linux-okernel/linux-okernel/tags) beginning
    with __"ok-"__.
@@ -94,6 +94,29 @@ in [examples](https://github.com/linuxkit/linuxkit/tree/master/projects/okernel/
 string corresponding to a kernel version, will build the kernel
 vulnerability emulation kernel module for that kernel, useful for testing.
 
+## Enabling NR-mode protections in LinuxKit
+By default, okernel will treat processes like any standard Linux kernel, i.e. no
+R-mode/NR-mode split is applied when processes are created. This is by design to
+assist development and enable coexistence of normal and protected processes in
+the same environment. A consequence of that is that processes must be explicitly
+launched in NR-mode.
+
+In early versions of LinuxKit we provided a lightly-modified version of the
+default 'init' container to ensure runc launched in NR-mode and by extension all
+its children processes/containers got instantiated in NR-mode as well.
+
+Recent changes to how LinuxKit implements init made this approach obsolete. We
+are in the process of developing an alternative (and hopefully more elegant)
+way to launch containers in NR-mode (Aug 2017).
+
+Note that because okernel utilizes the processor's VMX facilities, okernel
+LinuxKit images with full NR-mode operation can only be run in baremetal
+environments. If no processes are switched to NR-mode, okernel will boot and
+operate normally inside a VM, however in this scenario it offers no benefits
+compared to a standard Linux kernel.
+We are investigating nested virtualization support to enable running okernel
+inside VMs.
+
 
 # Limitations and Caveats
 

projects/okernel/examples/okernel_simple.yaml

@@ -1,6 +1,6 @@
 kernel:
-  image: linuxkit/okernel:latest
-  cmdline: "console=ttyS0 console=tty0 page_poison=1"
+  image: okernel:latest
+  cmdline: "console=tty0 page_poison=1"
 init:
   - linuxkit/init:6d11a1f9d299d3425e78cce80dfba8b236d20412
   - linuxkit/runc:a1b564248a0d0b118c11e61db9f84ecf41dd2d2a
@@ -10,14 +10,12 @@ onboot:
   - name: sysctl
     image: linuxkit/sysctl:154913b72c6f1f33eb408609fca9963628e8c051
 services:
-  - name: rngd
-    image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e
   - name: dhcpcd
     image: linuxkit/dhcpcd:f3f5413abb78fae9020e35bd4788fa93df4530b7
-  - name: sshd
-    image: linuxkit/sshd:505a985d7bd7a90f15eca9cb4dc6ec92789d51a0
-files:
-  - path: root/.ssh/authorized_keys
-    source: ~/.ssh/id_rsa.pub
-    mode: "0600"
-    optional: true
+  - name: getty
+    image: linuxkit/getty:797cb79e0a229fcd16ebf44a0da74bcec03968ec
+    env:
+     - INSECURE=true
+trust:
+  org:
+    - linuxkit