wireguard: add into default kernel

This integrates the WireGuard module directly into the kernel build system. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2025-07-21 18:11:35 +00:00 · 2017-07-19 19:25:00 +02:00 · 2017-07-19 19:25:00 +02:00 · e24cc5c77f
commit e24cc5c77f
parent 5545f3085a
8 changed files with 12 additions and 25699 deletions
--- a/kernel/Dockerfile
+++ b/kernel/Dockerfile
@ -38,6 +38,10 @@ ENV KERNEL_SOURCE=https://www.kernel.org/pub/linux/kernel/v4.x/linux-${KERNEL_VE
 ENV KERNEL_SHA256_SUMS=https://www.kernel.org/pub/linux/kernel/v4.x/sha256sums.asc
 ENV KERNEL_PGP2_SIGN=https://www.kernel.org/pub/linux/kernel/v4.x/linux-${KERNEL_VERSION}.tar.sign
 ENV WIREGUARD_VERSION=0.0.20170706
 ENV WIREGUARD_SHA256=5763b9436265421a67f92cb82142042867fc87c573ecc18033d40c1476146c33
 ENV WIREGUARD_URL=https://git.zx2c4.com/WireGuard/snapshot/WireGuard-${WIREGUARD_VERSION}.tar.xz
 # PGP keys: 589DA6B1 (greg@kroah.com) & 6092693E (autosigner@kernel.org) & 00411886 (torvalds@linux-foundation.org)
 COPY keys.asc keys.asc
@ -98,8 +102,15 @@ RUN make defconfig && \
    cp System.map /out && \
    ([ -n "${DEBUG}" ] && cp vmlinux /out || true)
 # WireGuard
 RUN curl -sSL -o /wireguard.tar.xz "${WIREGUARD_URL}" && \
    echo "${WIREGUARD_SHA256}  /wireguard.tar.xz" | sha256sum -c - && \
    tar -C / --one-top-level=wireguard --strip-components=2 -xJf /wireguard.tar.xz "WireGuard-${WIREGUARD_VERSION}/src" && \
    make -j "$(getconf _NPROCESSORS_ONLN)" M="/wireguard" modules
 # Modules
 RUN make INSTALL_MOD_PATH=/tmp/kernel-modules modules_install && \
    make INSTALL_MOD_PATH=/tmp/kernel-modules M="/wireguard" modules_install && \
    ( DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
      cd /tmp/kernel-modules/lib/modules/$DVER && \
      rm build source && \
--- a/projects/wireguard/README.md
+++ b/projects/wireguard/README.md
@ -15,10 +15,7 @@ A full technical paper from NDSS 2017 is available [here](https://www.wireguard.
 ## Contents
 ### Kernel Patches
-This project keeps Linux kernel patches for WireGuard against a 4.9.x kernel.  
+The `kernel/patches-*` sub-directories contain a kernel patch.
 This kernel is built into the `mobylinux/kernel-wireguard` image that is generated by `cd kernel-wireguard && make`.
 WireGuard can also be included as a kernel module.
 ### Userspace Tools
 This project embeds the `wireguard-tools` package in the userspace image.
@ -32,11 +29,6 @@ WireGuard has a [network namespace integration](https://www.wireguard.com/netns/
 ## Roadmap
 **Near-term:**
 - decide between either carrying the WireGuard patches in our kernel tree or using a module
 **Long-term:**
 - We have yet to determine the best way to integrate WireGuard into Moby - at the node level or service level isolation.
  - Node level: it's plausible that Moby's provisioner could allocate keys per Moby node
  - Service level: swarmkit could set up WireGuard on a per-service basis, handing the container the wireguard interface
--- a/projects/wireguard/kernel/Dockerfile
+++ b/projects/wireguard/kernel/Dockerfile
@ -1,73 +0,0 @@
 FROM linuxkit/kernel-compile:1b396c221af673757703258159ddc8539843b02b@sha256:6b32d205bfc6407568324337b707d195d027328dbfec554428ea93e7b0a8299b AS kernel-build
 ARG KERNEL_VERSION
 ARG KERNEL_SERIES
 ARG DEBUG
 ENV KERNEL_SOURCE=https://www.kernel.org/pub/linux/kernel/v4.x/linux-${KERNEL_VERSION}.tar.xz
 RUN curl -fsSL -o linux-${KERNEL_VERSION}.tar.xz ${KERNEL_SOURCE}
 RUN cat linux-${KERNEL_VERSION}.tar.xz | tar --absolute-names -xJ &&  mv /linux-${KERNEL_VERSION} /linux
 COPY kernel_config-${KERNEL_SERIES} /linux/arch/x86/configs/x86_64_defconfig
 COPY kernel_config.debug /linux/debug_config
 RUN if [ -n "${DEBUG}" ]; then \
    sed -i 's/CONFIG_PANIC_ON_OOPS=y/# CONFIG_PANIC_ON_OOPS is not set/' /linux/arch/x86/configs/x86_64_defconfig; \
    cat /linux/debug_config >> /linux/arch/x86/configs/x86_64_defconfig; \
    fi
 # Apply local patches
 COPY patches-${KERNEL_SERIES} /patches
 WORKDIR /linux
 RUN set -e && for patch in /patches/*.patch; do \
        echo "Applying $patch"; \
        patch -p1 < "$patch"; \
    done
 RUN mkdir /out
 # Kernel
 RUN make defconfig && \
    make oldconfig && \
    make -j "$(getconf _NPROCESSORS_ONLN)" KCFLAGS="-fno-pie" && \
    cp arch/x86_64/boot/bzImage /out/kernel && \
    cp System.map /out && \
    ([ -n "${DEBUG}" ] && cp vmlinux /out || true)
 # Modules
 RUN make INSTALL_MOD_PATH=/tmp/kernel-modules modules_install && \
    ( DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
      cd /tmp/kernel-modules/lib/modules/$DVER && \
      rm build source && \
      ln -s /usr/src/linux-headers-$DVER build ) && \
    ( cd /tmp/kernel-modules && tar cf /out/kernel.tar lib )
 # Headers (userspace API)
 RUN mkdir -p /tmp/kernel-headers/usr && \
    make INSTALL_HDR_PATH=/tmp/kernel-headers/usr headers_install && \
    ( cd /tmp/kernel-headers && tar cf /out/kernel-headers.tar usr )
 # Headers (kernel development)
 RUN DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
    dir=/tmp/usr/src/linux-headers-$DVER && \
    mkdir -p $dir && \
    cp /linux/.config $dir && \
    cp /linux/Module.symvers $dir && \
    find . -path './include/*' -prune -o \
           -path './arch/*/include' -prune -o \
           -path './scripts/*' -prune -o \
           -type f \( -name 'Makefile*' -o -name 'Kconfig*' -o -name 'Kbuild*' -o \
                      -name '*.lds' -o -name '*.pl' -o -name '*.sh' \) | \
         tar cf - -T - | (cd $dir; tar xf -) && \
    ( cd /tmp && tar cf /out/kernel-dev.tar usr/src )
 RUN printf "KERNEL_SOURCE=${KERNEL_SOURCE}\n" > /out/kernel-source-info
 FROM scratch
 ENTRYPOINT []
 CMD []
 WORKDIR /
 COPY --from=kernel-build /out/* /
--- a/projects/wireguard/kernel/Makefile
+++ b/projects/wireguard/kernel/Makefile
@ -1,66 +0,0 @@
 # This builds the supported LinuxKit kernels. Kernels are wrapped up
 # in a minimal toybox container, which contains the bzImage, a tar
 # ball with modules and the kernel source.
 #
 # Each kernel is pushed to hub twice, once as
 # linuxkit/kernel:<kernel>.<major>.<minor>-<hash> and once as
 # inuxkit/kernel:<kernel>.<major>.x. The <hash> is the git tree hash
 # of the current directory. The build will only rebuild the kernel
 # image if the git tree hash changed.
 # Git tree hash of this directory. Override to force build
 HASH?=$(shell git ls-tree HEAD -- ../$(notdir $(CURDIR)) | awk '{print $$3}')
 # Name and Org on Hub
 ORG?=linuxkit
 IMAGE:=kernel-wireguard
 .PHONY: check tag push sign
 # Targets:
 # build: builds all kernels
 # push:  pushes all tagged kernel images to hub
 # sign:  sign and push all kernel images to hub
 build:
 push:
 sign:
 # A template for defining kernel build
 # Arguments:
 # $1: Full kernel version, e.g., 4.9.22
 # $2: Kernel "series", e.g., 4.9.x
 # $3: Build a debug kernel (used as suffix for image)
 # This defines targets like:
 # build_4.9.x, push_4.9.x and sign_4.9.x and adds them as dependencies
 # to the global targets
 # Set $3 to "_dbg", to build debug kernels. This defines targets like
 # build_4.9.x_dbg and adds "_dbg" to the hub image name.
 define kernel
 build_$(2)$(3): Dockerfile Makefile $(wildcard patches-$(2)/*) kernel_config-$(2) kernel_config.debug
 	docker pull $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) || \
 		docker build \
 			--build-arg KERNEL_VERSION=$(1) \
 			--build-arg KERNEL_SERIES=$(2) \
 			--build-arg DEBUG=$(3) \
 			--no-cache -t $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) .
 push_$(2)$(3): build_$(2)$(3)
 	docker pull $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) || \
 		(docker push $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) && \
 		 docker tag $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) $(ORG)/$(IMAGE):$(2)$(3) && \
 		 docker push $(ORG)/$(IMAGE):$(2)$(3))
 sign_$(2)$(3): build_$(2)$(3)
 	DOCKER_CONTENT_TRUST=1 docker pull $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) || \
 		(DOCKER_CONTENT_TRUST=1 docker push $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) && \
 		 docker tag $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) $(ORG)/$(IMAGE):$(2)$(3) && \
 		 DOCKER_CONTENT_TRUST=1 docker push $(ORG)/$(IMAGE):$(2)$(3))
 build: build_$(2)$(3)
 push: push_$(2)$(3)
 sign: sign_$(2)$(3)
 endef
 #
 # Build Targets
 # Debug targets only for latest stable and LTS stable
 #
 $(eval $(call kernel,4.9.15,4.9.x))
--- a/projects/wireguard/kernel/kernel_config-4.9.x
+++ b/projects/wireguard/kernel/kernel_config-4.9.x
--- a/projects/wireguard/kernel/kernel_config.debug
+++ b/projects/wireguard/kernel/kernel_config.debug
@ -1,26 +0,0 @@
 ## MOBY DEBUG OPTIONS ##
 CONFIG_LOCKDEP=y
 CONFIG_FRAME_POINTER=y
 CONFIG_LOCKUP_DETECTOR=y
 CONFIG_DETECT_HUNG_TASK=y
 CONFIG_DEBUG_TIMEKEEPING=y
 CONFIG_DEBUG_RT_MUTEXES=y
 CONFIG_DEBUG_SPINLOCK=y
 CONFIG_DEBUG_MUTEXES=y
 CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y
 CONFIG_DEBUG_LOCK_ALLOC=y
 CONFIG_PROVE_LOCKING=y
 CONFIG_LOCK_STAT=y
 CONFIG_DEBUG_ATOMIC_SLEEP=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_PROVE_RCU=y
 CONFIG_RCU_TRACE=y
 CONFIG_KGDB=y
 CONFIG_KGDB_SERIAL_CONSOLE=y
 CONFIG_KGDBOC=y
 CONFIG_DEBUG_RODATA_TEST=y
 CONFIG_DEBUG_WX=y
--- a/projects/wireguard/kernel/patches-4.9.x/WireGuard.patch
+++ b/projects/wireguard/kernel/patches-4.9.x/WireGuard.patch
--- a/projects/wireguard/wireguard.yml
+++ b/projects/wireguard/wireguard.yml
@ -1,6 +1,3 @@
 kernel:
  image: linuxkit/kernel-wireguard:4.9.15-2ca28b7589b673373a33274023ca870a3a77e081
  cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
  - linuxkit/init:d049e7b2074da5cd699a27defb47eb101142455d
  - linuxkit/runc:d5cbeb95bdafedb82ad2cf11cff1a5da7fcae630