Add working (but messy) config to start qemu KVM inside docker. TODO:…

… clean up
project-oak · Apr 12, 2022 · 11c7191 · 11c7191
1 parent d73e848
commit 11c7191
Show file tree

Hide file tree

Showing 6 changed files with 16 additions and 3 deletions.
diff --git a/.devcontainer.json b/.devcontainer.json
@@ -23,5 +23,8 @@
   // See https://code.visualstudio.com/docs/remote/containers-advanced#_changing-the-default-source-code-mount.
   "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=delegated",
   "workspaceFolder": "/workspace",
+  "runArgs": [
+    "--device=/dev/kvm"
+  ],
   "containerUser": "docker"
 }
diff --git a/Dockerfile b/Dockerfile
@@ -334,6 +334,11 @@ RUN mkdir --parents ${sccache_dir} \
 
 # By default, sccache uses `~/.cache/sccache` locally: https://github.com/mozilla/sccache#local.
 
+# Getting curl and certificates dependecies.
+# We're rate-limiting HTTP requests to 500 kB/s as otherwise we may get timeout errors
+# when downloading from snapshot.debian.org.
+
+
 ENV RUSTC_WRAPPER sccache
 
 # Disable cargo incremental compilation, as it conflicts with sccache: https://github.com/mozilla/sccache#rust

diff --git a/experimental/uefi/app/.cargo/config.toml b/experimental/uefi/app/.cargo/config.toml
@@ -7,7 +7,7 @@ runner = "qemu-system-x86_64 -nodefaults -nographic -bios /usr/share/OVMF/OVMF_C
 
 # Otherwise, (a) the first serial port gets routed to a log, and (b) the second serial gets attached to stdio.
 [target.'cfg(not(test))']
-runner = "qemu-system-x86_64 -nodefaults -nographic -bios /usr/share/OVMF/OVMF_CODE.fd -serial file:target/console.log -serial stdio -machine q35 -device isa-debug-exit,iobase=0xf4,iosize=0x04 -kernel"
+runner = "qemu-system-x86_64 -enable-kvm -cpu Broadwell-IBRS,vme=on,f16c=on,rdrand=on -nodefaults -nographic -bios /usr/share/OVMF/OVMF_CODE.fd -serial file:target/console.log -serial stdio -machine q35 -device isa-debug-exit,iobase=0xf4,iosize=0x04 -kernel"
 
 [unstable]
 build-std = ["core", "alloc"]

diff --git a/scripts/docker_run b/scripts/docker_run
@@ -48,6 +48,7 @@ docker_run_flags=(
   # To do that, we map the socket from the host and add the right group
   '--volume=/var/run/docker.sock:/var/run/docker.sock'
   "--group-add=$HOST_DOCKER_GID"
+  "--device=/dev/kvm"
 )
 
 # Some CI systems (GitHub actions) do not run with an interactive TTY attached.

diff --git a/scripts/fix_docker_user_and_run b/scripts/fix_docker_user_and_run
@@ -13,5 +13,5 @@ set -o pipefail
 
 groupmod --gid="${HOST_GID}" docker
 usermod --uid="${HOST_UID}" --gid="${HOST_GID}" docker
-chown "${HOST_UID}":"${HOST_GID}" "/home/docker" "/home/docker/.cache"
+chown "${HOST_UID}":"${HOST_GID}" "/home/docker" "/home/docker/.cache" "/dev/kvm"
 su docker --session-command="$*"
diff --git a/third_party/ring/src/rand.rs b/third_party/ring/src/rand.rs
@@ -452,7 +452,11 @@ mod uefi {
                 static mut OPENSSL_ia32cap_P: [u32; 4];
             }
             const FLAG: u32 = 1 << 30;
-            unsafe { OPENSSL_ia32cap_P[1] & FLAG == FLAG }
+            // Somehow this check continues to require patching, regardless
+            // of qemu CPU config. :/. That is even though RDRAND is in fact
+            // available and working.
+            // unsafe { OPENSSL_ia32cap_P[1] & FLAG == FLAG }
+            true
         }
 
         // We must make sure current cpu support `rdrand`