From e02be04c4678a804f4d6fb2da526808c0bcfdf90 Mon Sep 17 00:00:00 2001 From: Andrew Battat Date: Thu, 5 Jun 2025 08:53:17 +0000 Subject: [PATCH 01/16] Move bootloader grub.cfg to guestos and make grub_config a required parameter --- ic-os/bootloader/defs.bzl | 7 ++----- ic-os/defs.bzl | 2 +- ic-os/guestos/defs.bzl | 1 + ic-os/{bootloader => guestos}/grub.cfg | 0 4 files changed, 4 insertions(+), 6 deletions(-) rename ic-os/{bootloader => guestos}/grub.cfg (100%) diff --git a/ic-os/bootloader/defs.bzl b/ic-os/bootloader/defs.bzl index 171c1d5d8ac3..54c9403428c7 100644 --- a/ic-os/bootloader/defs.bzl +++ b/ic-os/bootloader/defs.bzl @@ -4,20 +4,17 @@ A macro to build grub partitions for ICOS images load("//toolchains/sysimage:toolchain.bzl", "vfat_image") -def build_grub_partition(name, grub_config = None, visibility = None, tags = None): +def build_grub_partition(name, grub_config, visibility = None, tags = None): """ Create a grub partition with the given configuration. Args: name: Name for the generated filegroup. - grub_config: If set, override the default grub config + grub_config: Label pointing to the grub.cfg file to include in the partition. visibility: See Bazel documentation tags: Bazel tags to be passed """ - if grub_config == None: - grub_config = Label("//ic-os/bootloader:grub.cfg") - vfat_image( name = name, src = Label("//ic-os/bootloader:bootloader-tree.tar"), diff --git a/ic-os/defs.bzl b/ic-os/defs.bzl index 023e4aebc90e..806d2a9bd23e 100644 --- a/ic-os/defs.bzl +++ b/ic-os/defs.bzl @@ -460,7 +460,7 @@ def boundary_node_icos_build( tags = ["manual"], ) - build_grub_partition("partition-grub.tzst", tags = ["manual"]) + build_grub_partition("partition-grub.tzst", grub_config = "//ic-os/guestos:grub.cfg", tags = ["manual"]) build_container_filesystem( name = "rootfs-tree.tar", diff --git a/ic-os/guestos/defs.bzl b/ic-os/guestos/defs.bzl index d08a55452f6f..47840fe7a23b 100644 --- a/ic-os/guestos/defs.bzl +++ b/ic-os/guestos/defs.bzl 
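Review bot: The ic-os/defs.bzl hunk passes `grub_config = "//ic-os/guestos:grub.cfg"` as a plain string, while the guestos/defs.bzl hunk of the same commit passes `Label("//ic-os/guestos:grub.cfg")` and the new bootloader docstring says the parameter is a Label. Inside a .bzl macro a string label is, as far as I recall, resolved relative to the caller's repository whereas `Label()` is resolved relative to the defining file, so the two spellings can diverge once the macro is used from another repository. For consistency with the sibling call site use `build_grub_partition("partition-grub.tzst", grub_config = Label("//ic-os/guestos:grub.cfg"), tags = ["manual"])`. boundary_node_icos_build starts and ends outside the hunk.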
@@ -66,6 +66,7 @@ def image_deps(mode, malicious = False): "expanded_size": "50G", "rootfs_size": "3G", "bootfs_size": "1G", + "grub_config": Label("//ic-os/guestos:grub.cfg"), # Add any custom partitions to the manifest "custom_partitions": lambda _: [Label("//ic-os/guestos:partition-config.tzst")], diff --git a/ic-os/bootloader/grub.cfg b/ic-os/guestos/grub.cfg similarity index 100% rename from ic-os/bootloader/grub.cfg rename to ic-os/guestos/grub.cfg From 660ae221378083057f4f1761d9d7579e0eae4e6f Mon Sep 17 00:00:00 2001 From: Andrew Battat Date: Thu, 5 Jun 2025 08:59:17 +0000 Subject: [PATCH 02/16] Move grub.cfg files to bootloader/ --- ic-os/bootloader/BUILD.bazel | 3 +++ ic-os/{guestos/grub.cfg => bootloader/guestos_grub.cfg} | 0 ic-os/{hostos/grub.cfg => bootloader/hostos_grub.cfg} | 0 ic-os/{setupos/grub.cfg => bootloader/setupos_grub.cfg} | 0 ic-os/defs.bzl | 2 +- ic-os/guestos/defs.bzl | 2 +- ic-os/hostos/defs.bzl | 2 +- ic-os/setupos/defs.bzl | 2 +- 8 files changed, 7 insertions(+), 4 deletions(-) rename ic-os/{guestos/grub.cfg => bootloader/guestos_grub.cfg} (100%) rename ic-os/{hostos/grub.cfg => bootloader/hostos_grub.cfg} (100%) rename ic-os/{setupos/grub.cfg => bootloader/setupos_grub.cfg} (100%) diff --git a/ic-os/bootloader/BUILD.bazel b/ic-os/bootloader/BUILD.bazel index e66962931cd0..1c55d8bbf811 100644 --- a/ic-os/bootloader/BUILD.bazel +++ b/ic-os/bootloader/BUILD.bazel @@ -5,6 +5,9 @@ package(default_visibility = ["//rs:ic-os-pkg"]) exports_files([ "grubenv", "grub.cfg", + "guestos_grub.cfg", + "hostos_grub.cfg", + "setupos_grub.cfg", ]) genrule( diff --git a/ic-os/guestos/grub.cfg b/ic-os/bootloader/guestos_grub.cfg similarity index 100% rename from ic-os/guestos/grub.cfg rename to ic-os/bootloader/guestos_grub.cfg diff --git a/ic-os/hostos/grub.cfg b/ic-os/bootloader/hostos_grub.cfg similarity index 100% rename from ic-os/hostos/grub.cfg rename to ic-os/bootloader/hostos_grub.cfg 
diff --git a/ic-os/setupos/grub.cfg b/ic-os/bootloader/setupos_grub.cfg similarity index 100% rename from ic-os/setupos/grub.cfg rename to ic-os/bootloader/setupos_grub.cfg diff --git a/ic-os/defs.bzl b/ic-os/defs.bzl index 806d2a9bd23e..315c3964c091 100644 --- a/ic-os/defs.bzl +++ b/ic-os/defs.bzl @@ -460,7 +460,7 @@ def boundary_node_icos_build( tags = ["manual"], ) - build_grub_partition("partition-grub.tzst", grub_config = "//ic-os/guestos:grub.cfg", tags = ["manual"]) + build_grub_partition("partition-grub.tzst", grub_config = "//ic-os/bootloader:guestos_grub.cfg", tags = ["manual"]) build_container_filesystem( name = "rootfs-tree.tar", diff --git a/ic-os/guestos/defs.bzl b/ic-os/guestos/defs.bzl index 47840fe7a23b..30ee03a1d361 100644 --- a/ic-os/guestos/defs.bzl +++ b/ic-os/guestos/defs.bzl @@ -66,7 +66,7 @@ def image_deps(mode, malicious = False): "expanded_size": "50G", "rootfs_size": "3G", "bootfs_size": "1G", - "grub_config": Label("//ic-os/guestos:grub.cfg"), + "grub_config": Label("//ic-os/bootloader:guestos_grub.cfg"), # Add any custom partitions to the manifest "custom_partitions": lambda _: [Label("//ic-os/guestos:partition-config.tzst")], diff --git a/ic-os/hostos/defs.bzl b/ic-os/hostos/defs.bzl index 160fa2a87afc..b3655c744f95 100644 --- a/ic-os/hostos/defs.bzl +++ b/ic-os/hostos/defs.bzl @@ -45,7 +45,7 @@ def image_deps(mode, _malicious = False): "volume_table": Label("//ic-os/hostos:volumes.csv"), "rootfs_size": "3G", "bootfs_size": "100M", - "grub_config": Label("//ic-os/hostos:grub.cfg"), + "grub_config": Label("//ic-os/bootloader:hostos_grub.cfg"), "extra_boot_args": Label("//ic-os/hostos/context:extra_boot_args"), # Add any custom partitions to the manifest diff --git a/ic-os/setupos/defs.bzl b/ic-os/setupos/defs.bzl index b8158029e7c5..930abac269f4 100644 --- a/ic-os/setupos/defs.bzl +++ b/ic-os/setupos/defs.bzl 
@@ -40,7 +40,7 @@ def image_deps(mode, _malicious = False): "partition_table": Label("//ic-os/setupos:partitions.csv"), "rootfs_size": "1750M", "bootfs_size": "100M", - "grub_config": Label("//ic-os/setupos:grub.cfg"), + "grub_config": Label("//ic-os/bootloader:setupos_grub.cfg"), "extra_boot_args": Label("//ic-os/setupos/context:extra_boot_args"), # Add any custom partitions to the manifest From 35a00825996429fabcdfbef15bffbc647846d2be Mon Sep 17 00:00:00 2001 From: Andrew Battat Date: Thu, 5 Jun 2025 11:27:26 +0000 Subject: [PATCH 03/16] Remove extra_boot_args template --- ic-os/defs.bzl | 33 +++++-------------- ic-os/guestos/context/BUILD.bazel | 1 - ic-os/guestos/context/boot_args.template | 7 ++-- .../guestos/context/extra_boot_args.template | 14 -------- ic-os/guestos/defs.bzl | 8 ++--- 5 files changed, 13 insertions(+), 50 deletions(-) delete mode 100644 ic-os/guestos/context/extra_boot_args.template diff --git a/ic-os/defs.bzl b/ic-os/defs.bzl index 315c3964c091..9eabdfc3dc75 100644 --- a/ic-os/defs.bzl +++ b/ic-os/defs.bzl @@ -185,8 +185,8 @@ def icos_build( for k, v in ( image_deps["bootfs"].items() + [ (version_txt, "/version.txt:0644"), - (extra_boot_args, "/extra_boot_args:0644"), - ] + ([(boot_args, "/boot_args:0644")] if "boot_args_template" in image_deps else []) + ] + ([(extra_boot_args, "/extra_boot_args:0644")] if "boot_args_template" not in image_deps else []) + + ([(boot_args, "/boot_args:0644")] if "boot_args_template" in image_deps else []) ) }, tags = ["manual", "no-cache"], 
@@ -205,24 +205,10 @@ def icos_build( # For backwards compatibility in the GuestOS and compatibility with the HostOS and SetupOS, we continue # to support the old way of calculating the dynamic args (see :extra_boot_args) and we derive boot_args # from it. - native.genrule( - name = "generate-" + boot_args, - outs = [boot_args], - srcs = [extra_boot_args, ":boot_args_template"], - cmd = """ - source "$(location """ + extra_boot_args + """)" - if [ ! -v EXTRA_BOOT_ARGS ]; then - echo "EXTRA_BOOT_ARGS is not set in $(location """ + extra_boot_args + """)" - exit 1 - fi - m4 --define=EXTRA_BOOT_ARGS="$${EXTRA_BOOT_ARGS}" "$(location :boot_args_template)" > $@ - """, - tags = ["manual"], - ) + - # Sign only if extra_boot_args_template is provided - if "extra_boot_args_template" in image_deps: - extra_boot_args_template = str(image_deps["extra_boot_args_template"]) + # Sign only for guestos builds (which have boot_args_template) + if "boot_args_template" in image_deps: native.genrule( name = "generate-" + partition_root_signed_tzst, testonly = malicious, @@ -241,13 +227,12 @@ def icos_build( ], tags = ["manual", "no-cache"], ) - native.genrule( - name = "generate-" + extra_boot_args, - srcs = [extra_boot_args_template, partition_root_hash], - outs = [extra_boot_args], + name = "generate-" + boot_args, + outs = [boot_args], + srcs = [partition_root_hash, ":boot_args_template"], cmd = "sed -e s/ROOT_HASH/$$(cat $(location " + partition_root_hash + "))/ " + - "< $(location " + extra_boot_args_template + ") > $@", + "< $(location :boot_args_template) > $@", tags = ["manual"], ) else: diff --git a/ic-os/guestos/context/BUILD.bazel b/ic-os/guestos/context/BUILD.bazel index 5aa51b3e86e1..a9ecd14bf3b9 100644 --- a/ic-os/guestos/context/BUILD.bazel +++ b/ic-os/guestos/context/BUILD.bazel @@ -6,7 +6,6 @@ exports_files([ "Dockerfile.base", "allow_console_root", "boot_args.template", - "extra_boot_args.template", ]) filegroup( 
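Review bot: In the -241 hunk the rewritten `generate-<boot_args>` genrule substitutes `ROOT_HASH` with `sed` but never checks that the placeholder is present, whereas the deleted m4 genrule failed the build when `EXTRA_BOOT_ARGS` was unset. If the placeholder is ever dropped or misspelled in boot_args.template, sed exits 0 and the image ships a kernel cmdline with no `root_hash=` at all. Guard the substitution so the build fails instead, e.g. `cmd = "grep -q ROOT_HASH $(location :boot_args_template) && " + "sed -e s/ROOT_HASH/$$(cat $(location " + partition_root_hash + "))/ < $(location :boot_args_template) > $@",`. icos_build starts and ends outside the hunk.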
diff --git a/ic-os/guestos/context/boot_args.template b/ic-os/guestos/context/boot_args.template index bfebc79f55ae..65dcf1c1e778 100644 --- a/ic-os/guestos/context/boot_args.template +++ b/ic-os/guestos/context/boot_args.template @@ -1,7 +1,4 @@ -dnl We substitute EXTRA_BOOT_ARGS from the extra_boot_args target at build time in ic-os/defs.bzl using m4 -dnl When changing the boot args, don't forget to update the fallback in ../grub.cfg - # Kernel cmdline parameters for launching the GuestOS. # BOOT_ARGS_A targets partition set "A" while BOOT_ARGS_B targets partition set "B" -BOOT_ARGS_A="root=/dev/vda5 console=ttyS0 nomodeset dfinity.system=A EXTRA_BOOT_ARGS" -BOOT_ARGS_B="root=/dev/vda8 console=ttyS0 nomodeset dfinity.system=B EXTRA_BOOT_ARGS" +BOOT_ARGS_A="root=/dev/vda5 console=ttyS0 nomodeset dfinity.system=A security=selinux selinux=1 enforcing=1 root_hash=ROOT_HASH" +BOOT_ARGS_B="root=/dev/vda8 console=ttyS0 nomodeset dfinity.system=B security=selinux selinux=1 enforcing=1 root_hash=ROOT_HASH" diff --git a/ic-os/guestos/context/extra_boot_args.template b/ic-os/guestos/context/extra_boot_args.template deleted file mode 100644 index a3bd4d92b8fd..000000000000 --- a/ic-os/guestos/context/extra_boot_args.template +++ /dev/null 
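Review bot: The removed `dnl` reminder to keep the fallback in the GuestOS grub.cfg in sync is dropped without replacement, although the new BOOT_ARGS_A/B lines now hard-code `security=selinux selinux=1 enforcing=1 root_hash=ROOT_HASH` and, per that removed comment, a second copy of the cmdline lives in grub.cfg. With the m4 step gone nothing ties the two together, so they can drift silently. Keep a plain comment in this file, e.g. `# Keep these arguments in sync with the fallback cmdline in the GuestOS grub.cfg.`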
@@ -1,14 +0,0 @@ -# Uncomment this to run system with SELinux in PERMISSIVE mode: -# the system will use SELinux and keep track of operations that would -# be prohibited, but will only log but not actually deny them. This is -# useful for debug and policy development. The system behaves essentially the -# same as if SELinux was not activated. -# -# EXTRA_BOOT_ARGS="security=selinux selinux=1 enforcing=0 root_hash=ROOT_HASH" - -# Uncomment this to run system with SELinux in ENFORCING mode: All rules -# of the policy are enforced, and forbidden actions are not just logged but -# stopped. This causes the system to behave differently than in either -# "no SELinux" or "permissive" mode. -# -EXTRA_BOOT_ARGS="security=selinux selinux=1 enforcing=1 root_hash=ROOT_HASH" diff --git a/ic-os/guestos/defs.bzl b/ic-os/guestos/defs.bzl index 30ee03a1d361..670ac559b820 100644 --- a/ic-os/guestos/defs.bzl +++ b/ic-os/guestos/defs.bzl @@ -71,12 +71,8 @@ def image_deps(mode, malicious = False): # Add any custom partitions to the manifest "custom_partitions": lambda _: [Label("//ic-os/guestos:partition-config.tzst")], - # We will install extra_boot_args onto the system, after substituting the - # hash of the root filesystem into it. Track the template (before - # substitution) as a dependency so that changes to the template file are - # reflected in the overall version hash (the root_hash must include the - # version hash, it cannot be the other way around). - "extra_boot_args_template": Label("//ic-os/guestos/context:extra_boot_args.template"), + # We will install boot_args_template onto the system, after substituting the + # hash of the root filesystem into it. "boot_args_template": Label("//ic-os/guestos/context:boot_args.template"), } From f74035762d22341a19273b1f154a1af9e7d05a1d Mon Sep 17 00:00:00 2001 From: Andrew Battat Date: Thu, 5 Jun 2025 12:45:15 +0000 Subject: [PATCH 04/16] Fix buildifier --- ic-os/defs.bzl | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/ic-os/defs.bzl b/ic-os/defs.bzl index 9eabdfc3dc75..871421297b64 100644 --- a/ic-os/defs.bzl +++ b/ic-os/defs.bzl @@ -185,7 +185,7 @@ def icos_build( for k, v in ( image_deps["bootfs"].items() + [ (version_txt, "/version.txt:0644"), - ] + ([(extra_boot_args, "/extra_boot_args:0644")] if "boot_args_template" not in image_deps else []) + + ] + ([(extra_boot_args, "/extra_boot_args:0644")] if "boot_args_template" not in image_deps else []) + ([(boot_args, "/boot_args:0644")] if "boot_args_template" in image_deps else []) ) }, @@ -205,7 +205,6 @@ def icos_build( # For backwards compatibility in the GuestOS and compatibility with the HostOS and SetupOS, we continue # to support the old way of calculating the dynamic args (see :extra_boot_args) and we derive boot_args # from it. - # Sign only for guestos builds (which have boot_args_template) if "boot_args_template" in image_deps: @@ -232,7 +231,7 @@ def icos_build( outs = [boot_args], srcs = [partition_root_hash, ":boot_args_template"], cmd = "sed -e s/ROOT_HASH/$$(cat $(location " + partition_root_hash + "))/ " + - "< $(location :boot_args_template) > $@", + "< $(location :boot_args_template) > $@", tags = ["manual"], ) else: From 01e05000c026244957f44b6cda97bd492ccb93d2 Mon Sep 17 00:00:00 2001 From: Andrew Battat Date: Thu, 5 Jun 2025 12:49:50 +0000 Subject: [PATCH 05/16] Validate boot_args_template and extra_boot_args --- ic-os/defs.bzl | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/ic-os/defs.bzl b/ic-os/defs.bzl index 871421297b64..468118d56e81 100644 --- a/ic-os/defs.bzl +++ b/ic-os/defs.bzl 
@@ -53,6 +53,15 @@ def icos_build(
 image_deps = image_deps_func(mode, malicious)
+ # Validate that exactly one of boot_args_template or extra_boot_args is provided
+ has_boot_args_template = "boot_args_template" in image_deps
+ has_extra_boot_args = "extra_boot_args" in image_deps
+
+ if not has_boot_args_template and not has_extra_boot_args:
+ fail("Either 'boot_args_template' or 'extra_boot_args' must be provided in image_deps")
+ elif has_boot_args_template and has_extra_boot_args:
+ fail("Cannot provide both 'boot_args_template' and 'extra_boot_args' in image_deps - they are mutually exclusive")
+
 # -------------------- Version management --------------------
 copy_file(

From cd489da247818ca290bbf64bc943275059eb4b2c Mon Sep 17 00:00:00 2001
From: Andrew Battat
Date: Thu, 5 Jun 2025 13:17:19 +0000
Subject: [PATCH 06/16] Re-add tar_extract

---
 ic-os/defs.bzl | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/ic-os/defs.bzl b/ic-os/defs.bzl
index 41e2dd2944fc..2d10a1429c8e 100644
--- a/ic-os/defs.bzl
+++ b/ic-os/defs.bzl
@@ -414,3 +414,31 @@ EOF
 # end def icos_build
+def _tar_extract_impl(ctx):
+ in_tar = ctx.files.src[0]
+ out = ctx.actions.declare_file(ctx.label.name)
+
+ ctx.actions.run_shell(
+ inputs = [in_tar],
+ outputs = [out],
+ command = "tar xOf %s --occurrence=1 %s > %s" % (
+ in_tar.path,
+ ctx.attr.path,
+ out.path,
+ ),
+ )
+
+ return [DefaultInfo(files = depset([out]))]
+
+tar_extract = rule(
+ implementation = _tar_extract_impl,
+ attrs = {
+ "src": attr.label(
+ allow_files = True,
+ mandatory = True,
+ ),
+ "path": attr.string(
+ mandatory = True,
+ ),
+ },
+ )

From d7533c0e3b30ac7de9be3fc30fa0513f3ba19395 Mon Sep 17 00:00:00 2001
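Review bot: `_tar_extract_impl` formats `ctx.attr.path` and the two file paths straight into the `run_shell` command string, unquoted, so a `path` value containing a space or a shell metacharacter is split or interpreted by the shell instead of reaching tar. The values come from BUILD files, so this is a robustness rather than an injection concern, but the idiomatic form keeps them out of the command text: `command = "tar xOf \"$1\" --occurrence=1 \"$2\" > \"$3\""` with `arguments = [in_tar.path, ctx.attr.path, out.path]`. Separately, `src` is declared `allow_files = True` yet only `ctx.files.src[0]` is used, so a label expanding to several files is silently truncated; `allow_single_file = True` plus `ctx.file.src` makes Bazel reject that case. `--occurrence=1` is GNU-tar specific and deserves a one-line comment.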
From: Andrew Battat Date: Thu, 5 Jun 2025 13:30:57 +0000 Subject: [PATCH 07/16] Create boot_args.template for hostos and guestos --- ic-os/bootloader/hostos_grub.cfg | 38 ++++++++++++--- ic-os/bootloader/setupos_grub.cfg | 11 ++--- ic-os/defs.bzl | 61 +++++++++++------------- ic-os/hostos/context/boot_args.template | 4 ++ ic-os/hostos/context/extra_boot_args | 14 ------ ic-os/hostos/defs.bzl | 2 +- ic-os/setupos/context/boot_args.template | 3 ++ ic-os/setupos/context/extra_boot_args | 14 ------ ic-os/setupos/defs.bzl | 2 +- 9 files changed, 74 insertions(+), 75 deletions(-) create mode 100644 ic-os/hostos/context/boot_args.template delete mode 100644 ic-os/hostos/context/extra_boot_args create mode 100644 ic-os/setupos/context/boot_args.template delete mode 100644 ic-os/setupos/context/extra_boot_args diff --git a/ic-os/bootloader/hostos_grub.cfg b/ic-os/bootloader/hostos_grub.cfg index 5ae08e3c17cc..3fb4492a339e 100644 --- a/ic-os/bootloader/hostos_grub.cfg +++ b/ic-os/bootloader/hostos_grub.cfg 
@@ -76,14 +76,38 @@ fi echo Booting linux from system "${boot_alternative}" (state: "${boot_cycle}")... -if [ -f ${boot}/extra_boot_args ]; then - echo Loading extra boot args ${boot}/extra_boot_args - source ${boot}/extra_boot_args - echo Extra boot arguments $EXTRA_BOOT_ARGS -fi - menuentry "Boot System ${boot_alternative} (${BOOT_STATE})" { - linux /vmlinuz root=$linux_root console=ttyS0,115200 console=tty0 nomodeset video=1024x768 dfinity.system=$boot_alternative $EXTRA_BOOT_ARGS + if [ -f "${boot}/boot_args" ]; then + echo "Loading boot args ${boot}/boot_args" + source "${boot}/boot_args" + # Use the appropriate boot args based on boot_alternative + if [ "${boot_alternative}" = "A" ]; then + if [ -z "${BOOT_ARGS_A}" ]; then + echo "Error: BOOT_ARGS_A is not defined in ${boot}/boot_args" + exit 1 + fi + echo "Boot arguments: ${BOOT_ARGS_A}" + linux /vmlinuz $BOOT_ARGS_A + else + if [ -z "${BOOT_ARGS_B}" ]; then + echo "Error: BOOT_ARGS_B is not defined in ${boot}/boot_args" + exit 1 + fi + echo "Boot arguments: ${BOOT_ARGS_B}" + linux /vmlinuz $BOOT_ARGS_B + fi + else + # Fallback to old method if boot_args doesn't exist + echo "Warning: boot_args not found, using fallback method" + if [ -f ${boot}/extra_boot_args ]; then + echo Loading extra boot args ${boot}/extra_boot_args + source ${boot}/extra_boot_args + echo Extra boot arguments $EXTRA_BOOT_ARGS + fi + + linux /vmlinuz root=$linux_root console=ttyS0,115200 console=tty0 nomodeset video=1024x768 dfinity.system=$boot_alternative $EXTRA_BOOT_ARGS + fi + if [ -f ${boot}/initrd.img ]; then echo Loading initial ram disk ${boot}/initrd.img initrd ${boot}/initrd.img diff --git a/ic-os/bootloader/setupos_grub.cfg b/ic-os/bootloader/setupos_grub.cfg index 134714393c83..3c52d5b906c9 100644 --- a/ic-os/bootloader/setupos_grub.cfg +++ b/ic-os/bootloader/setupos_grub.cfg 
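Review bot: The fallback branch after `echo "Warning: boot_args not found, using fallback method"` still runs `linux /vmlinuz root=$linux_root ... $EXTRA_BOOT_ARGS` when `${boot}/extra_boot_args` is also absent, so a boot partition without boot_args boots with no `security=selinux` arguments at all rather than stopping — and this same commit deletes ic-os/hostos/context/extra_boot_args, so newly built images never carry that file. If the fallback exists to boot an older boot partition that still ships extra_boot_args, say so in the comment (`# Fallback for boot partitions built before boot_args existed; those carry extra_boot_args instead`) and error out when neither file is present; otherwise the branch can use the same error-and-exit handling the hunk already applies to an undefined BOOT_ARGS_A/B. The menuentry continues past the end of the hunk.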
@@ -11,14 +11,13 @@ set linux_root=PARTUUID=7C0A626E-E5EA-E543-B5C5-300EB8304DB7 echo Booting linux... -if [ -f ${boot}/extra_boot_args ]; then - echo Loading extra boot args ${boot}/extra_boot_args - source ${boot}/extra_boot_args - echo Extra boot arguments $EXTRA_BOOT_ARGS +if [ -f "${boot}/boot_args" ]; then + echo "Loading boot args ${boot}/boot_args" + source "${boot}/boot_args" + echo "Boot arguments: ${BOOT_ARGS}" + linux /vmlinuz $BOOT_ARGS fi -linux /vmlinuz root=$linux_root console=ttyS0,115200 console=tty0 nomodeset video=1024x768 $EXTRA_BOOT_ARGS - if [ -f ${boot}/initrd.img ] ; then echo Loading initial ram disk ${boot}/initrd.img initrd ${boot}/initrd.img diff --git a/ic-os/defs.bzl b/ic-os/defs.bzl index 2d10a1429c8e..1f499bffa2bc 100644 --- a/ic-os/defs.bzl +++ b/ic-os/defs.bzl @@ -51,14 +51,6 @@ def icos_build( image_deps = image_deps_func(mode, malicious) - # Validate that exactly one of boot_args_template or extra_boot_args is provided - has_boot_args_template = "boot_args_template" in image_deps - has_extra_boot_args = "extra_boot_args" in image_deps - - if not has_boot_args_template and not has_extra_boot_args: - fail("Either 'boot_args_template' or 'extra_boot_args' must be provided in image_deps") - elif has_boot_args_template and has_extra_boot_args: - fail("Cannot provide both 'boot_args_template' and 'extra_boot_args' in image_deps - they are mutually exclusive") # -------------------- Version management -------------------- @@ -163,7 +155,6 @@ def icos_build( partition_boot_tzst = "partition-boot" + test_suffix + ".tzst" version_txt = "version" + test_suffix + ".txt" boot_args = "boot" + test_suffix + "_args" - extra_boot_args = "extra_boot" + test_suffix + "_args" ext4_image( name = partition_root_unsigned_tzst, 
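Review bot: If `${boot}/boot_args` is absent the new block loads no kernel at all — the unconditional `linux /vmlinuz ...` line is deleted and there is no `else` — so the following `initrd` runs with nothing loaded and the failure surfaces as an unrelated GRUB error. Add an explicit branch, e.g. `else` / `echo "Error: ${boot}/boot_args not found"`, so the cause is visible on the console. `set linux_root=PARTUUID=...` in the hunk's context line is now unused here, since the same PARTUUID is repeated in the new ic-os/setupos/context/boot_args.template; either drop the variable or add a comment pointing at the template so the two values do not drift.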
@@ -192,29 +183,29 @@ def icos_build( for k, v in ( image_deps["bootfs"].items() + [ (version_txt, "/version.txt:0644"), - ] + ([(extra_boot_args, "/extra_boot_args:0644")] if "boot_args_template" not in image_deps else []) + - ([(boot_args, "/boot_args:0644")] if "boot_args_template" in image_deps else []) + (boot_args, "/boot_args:0644"), + ] ) }, tags = ["manual", "no-cache"], ) - # The kernel command line (boot args) was previously split into two parts: - # 1. Dynamic args calculated at boot time in grub.cfg - # 2. Static args stored in EXTRA_BOOT_ARGS on the boot partition - # - # For stable and predictable measurements with AMD SEV, we now pre-calculate and combine both parts - # into a single complete kernel command line that is: - # - Generated during image build - # - Stored statically on the boot partition - # - Measured as part of the SEV launch measurement + # The kernel command line (boot args) is generated from boot_args_template: + # - For GuestOS: Template includes ROOT_HASH placeholder that gets substituted with dm-verity hash + # - For HostOS/SetupOS: Template is used as-is without ROOT_HASH substitution # - # For backwards compatibility in the GuestOS and compatibility with the HostOS and SetupOS, we continue - # to support the old way of calculating the dynamic args (see :extra_boot_args) and we derive boot_args - # from it. 
- - # Sign only for guestos builds (which have boot_args_template) - if "boot_args_template" in image_deps: + # This provides: + # - Consistent boot argument handling across all OS types + # - Predictable measurements for AMD SEV (especially important for GuestOS) + # - Static boot arguments stored on the boot partition + + # Check if the boot_args_template contains ROOT_HASH (GuestOS case) + # We determine this by checking if this is a GuestOS build (has signing) + # GuestOS is identified by having an expanded_size set (only GuestOS sets this) + is_guestos = image_deps.get("expanded_size") != None + + if is_guestos: + # GuestOS: Sign the root partition and substitute ROOT_HASH native.genrule( name = "generate-" + partition_root_signed_tzst, testonly = malicious, @@ -242,8 +233,15 @@ def icos_build( tags = ["manual"], ) else: + # HostOS/SetupOS: No signing, no ROOT_HASH substitution native.alias(name = partition_root_signed_tzst, actual = partition_root_unsigned_tzst, tags = ["manual", "no-cache"]) - native.alias(name = extra_boot_args, actual = image_deps["extra_boot_args"], tags = ["manual"]) + native.genrule( + name = "generate-" + boot_args, + outs = [boot_args], + srcs = [":boot_args_template"], + cmd = "cp $(location :boot_args_template) $@", + tags = ["manual"], + ) component_file_references_test( name = name + "_component_file_references_test", @@ -253,11 +251,10 @@ def icos_build( tags = tags, ) - if "boot_args_template" in image_deps: - native.alias( - name = "boot_args_template", - actual = image_deps["boot_args_template"], - ) + native.alias( + name = "boot_args_template", + actual = image_deps["boot_args_template"], + ) # -------------------- Assemble disk partitions --------------- diff --git a/ic-os/hostos/context/boot_args.template b/ic-os/hostos/context/boot_args.template new file mode 100644 index 000000000000..5bc4983cb261 --- /dev/null +++ b/ic-os/hostos/context/boot_args.template 
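Review bot: The -253 hunk makes `native.alias(name = "boot_args_template", actual = image_deps["boot_args_template"])` unconditional while the -51 hunk of this commit deletes the explicit validation, so an image_deps without the key now fails with a generic Starlark key error deep inside icos_build instead of a message naming the missing key. Keep one line of validation near the top of icos_build: `if "boot_args_template" not in image_deps: fail("image_deps must provide 'boot_args_template'")`. icos_build starts and ends outside these hunks.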
@@ -0,0 +1,4 @@ +# Kernel cmdline parameters for launching the HostOS. +# BOOT_ARGS_A targets partition set "A" while BOOT_ARGS_B targets partition set "B" +BOOT_ARGS_A="root=/dev/hostlvm/A_root console=ttyS0,115200 console=tty0 nomodeset video=1024x768 dfinity.system=A security=selinux selinux=1 enforcing=0" +BOOT_ARGS_B="root=/dev/hostlvm/B_root console=ttyS0,115200 console=tty0 nomodeset video=1024x768 dfinity.system=B security=selinux selinux=1 enforcing=0" \ No newline at end of file diff --git a/ic-os/hostos/context/extra_boot_args b/ic-os/hostos/context/extra_boot_args deleted file mode 100644 index 31071fb38095..000000000000 --- a/ic-os/hostos/context/extra_boot_args +++ /dev/null @@ -1,14 +0,0 @@ -# Uncomment this to run system with SELinux in PERMISSIVE mode: -# the system will use SELinux and keep track of operations that would -# be prohibited, but will only log but not actually deny them. This is -# useful for debug and policy development. The system behaves essentially the -# same as if SELinux was not activated. -# -EXTRA_BOOT_ARGS="security=selinux selinux=1 enforcing=0" - -# Uncomment this to run system with SELinux in ENFORCING mode: All rules -# of the policy are enforced, and forbidden actions are not just logged but -# stopped. This causes the system to behave differently than in either -# "no SELinux" or "permissive" mode. -# -# EXTRA_BOOT_ARGS="security=selinux selinux=1 enforcing=1" diff --git a/ic-os/hostos/defs.bzl b/ic-os/hostos/defs.bzl index b3655c744f95..377394273a3c 100644 --- a/ic-os/hostos/defs.bzl +++ b/ic-os/hostos/defs.bzl @@ -46,7 +46,7 @@ def image_deps(mode, _malicious = False): "rootfs_size": "3G", "bootfs_size": "100M", "grub_config": Label("//ic-os/bootloader:hostos_grub.cfg"), - "extra_boot_args": Label("//ic-os/hostos/context:extra_boot_args"), + "boot_args_template": Label("//ic-os/hostos/context:boot_args.template"), # Add any custom partitions to the manifest "custom_partitions": _custom_partitions, 
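Review bot: Both new templates bake `enforcing=0` into the kernel cmdline — this file and ic-os/setupos/context/boot_args.template in the next hunk — which matches the active `EXTRA_BOOT_ARGS` line of the deleted extra_boot_args files, but the explanation of permissive versus enforcing mode that accompanied that choice is gone, and nothing records that HostOS/SetupOS stay permissive while the GuestOS template uses `enforcing=1`. Add a short comment such as `# SELinux runs in permissive mode (enforcing=0) here; the GuestOS template boots enforcing=1.` Both files also end with `\ No newline at end of file`; add the trailing newline so later edits do not show up as a modified last line.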
diff --git a/ic-os/setupos/context/boot_args.template b/ic-os/setupos/context/boot_args.template new file mode 100644 index 000000000000..384f9785e8dc --- /dev/null +++ b/ic-os/setupos/context/boot_args.template @@ -0,0 +1,3 @@ +# Kernel cmdline parameters for launching the SetupOS. +# SetupOS uses a single boot configuration (no A/B partitioning) +BOOT_ARGS="root=PARTUUID=7C0A626E-E5EA-E543-B5C5-300EB8304DB7 console=ttyS0,115200 console=tty0 nomodeset video=1024x768 security=selinux selinux=1 enforcing=0" \ No newline at end of file diff --git a/ic-os/setupos/context/extra_boot_args b/ic-os/setupos/context/extra_boot_args deleted file mode 100644 index 31071fb38095..000000000000 --- a/ic-os/setupos/context/extra_boot_args +++ /dev/null @@ -1,14 +0,0 @@ -# Uncomment this to run system with SELinux in PERMISSIVE mode: -# the system will use SELinux and keep track of operations that would -# be prohibited, but will only log but not actually deny them. This is -# useful for debug and policy development. The system behaves essentially the -# same as if SELinux was not activated. -# -EXTRA_BOOT_ARGS="security=selinux selinux=1 enforcing=0" - -# Uncomment this to run system with SELinux in ENFORCING mode: All rules -# of the policy are enforced, and forbidden actions are not just logged but -# stopped. This causes the system to behave differently than in either -# "no SELinux" or "permissive" mode. -# -# EXTRA_BOOT_ARGS="security=selinux selinux=1 enforcing=1" diff --git a/ic-os/setupos/defs.bzl b/ic-os/setupos/defs.bzl index 930abac269f4..5556b48c6549 100644 --- a/ic-os/setupos/defs.bzl +++ b/ic-os/setupos/defs.bzl 
@@ -41,7 +41,7 @@ def image_deps(mode, _malicious = False): "rootfs_size": "1750M", "bootfs_size": "100M", "grub_config": Label("//ic-os/bootloader:setupos_grub.cfg"), - "extra_boot_args": Label("//ic-os/setupos/context:extra_boot_args"), + "boot_args_template": Label("//ic-os/setupos/context:boot_args.template"), # Add any custom partitions to the manifest "custom_partitions": _custom_partitions, From ba50c701d4fe9326ed3c17d5938321b6279b6328 Mon Sep 17 00:00:00 2001 From: Andrew Battat Date: Thu, 5 Jun 2025 13:46:29 +0000 Subject: [PATCH 08/16] Create requires_root_signing bool --- ic-os/defs.bzl | 17 ++++++----------- ic-os/guestos/defs.bzl | 4 ++-- ic-os/hostos/defs.bzl | 1 + ic-os/setupos/defs.bzl | 1 + 4 files changed, 10 insertions(+), 13 deletions(-) diff --git a/ic-os/defs.bzl b/ic-os/defs.bzl index 1f499bffa2bc..ec42fe065d20 100644 --- a/ic-os/defs.bzl +++ b/ic-os/defs.bzl 
@@ -191,21 +191,16 @@ def icos_build(
 )
 # The kernel command line (boot args) is generated from boot_args_template:
- # - For GuestOS: Template includes ROOT_HASH placeholder that gets substituted with dm-verity hash
- # - For HostOS/SetupOS: Template is used as-is without ROOT_HASH substitution
+ # - For OS requiring root signing: Template includes ROOT_HASH placeholder that gets substituted with dm-verity hash
+ # - For OS not requiring root signing: Template is used as-is without ROOT_HASH substitution
 #
 # This provides:
 # - Consistent boot argument handling across all OS types
- # - Predictable measurements for AMD SEV (especially important for GuestOS)
+ # - Predictable measurements for AMD SEV (especially important for signed root partitions)
 # - Static boot arguments stored on the boot partition
- # Check if the boot_args_template contains ROOT_HASH (GuestOS case)
- # We determine this by checking if this is a GuestOS build (has signing)
- # GuestOS is identified by having an expanded_size set (only GuestOS sets this)
- is_guestos = image_deps.get("expanded_size") != None
-
- if is_guestos:
- # GuestOS: Sign the root partition and substitute ROOT_HASH
+ if image_deps.get("requires_root_signing", False):
+ # Sign the root partition and substitute ROOT_HASH in boot args
 native.genrule(
 name = "generate-" + partition_root_signed_tzst,
 testonly = malicious,
@@ -233,7 +228,7 @@ def icos_build(
 tags = ["manual"],
 )
 else:
- # HostOS/SetupOS: No signing, no ROOT_HASH substitution
+ # No signing required, no ROOT_HASH substitution
 native.alias(name = partition_root_signed_tzst, actual = partition_root_unsigned_tzst, tags = ["manual", "no-cache"])
 native.genrule(
 name = "generate-" + boot_args,
diff --git a/ic-os/guestos/defs.bzl b/ic-os/guestos/defs.bzl
index 670ac559b820..d2d8842c50f4 100644
--- a/ic-os/guestos/defs.bzl
+++ b/ic-os/guestos/defs.bzl
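Review bot: `image_deps.get("requires_root_signing", False)` fails open: an image_deps that omits the key (a new OS flavour, or a typo in the key name) silently takes the else branch, skips dm-verity signing of the root partition, and leaves a literal `ROOT_HASH` in the cmdline if its template carries one. All three image_deps in this commit set the key explicitly, so there is no reason to default it; write `if image_deps["requires_root_signing"]:` or precede it with `if "requires_root_signing" not in image_deps: fail("image_deps must set 'requires_root_signing' explicitly")`. A cheap second guard in the else branch is to refuse a template that still contains the placeholder, e.g. `cmd = "! grep -q ROOT_HASH $(location :boot_args_template) && cp $(location :boot_args_template) $@"`. icos_build starts and ends outside the hunk.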
@@ -71,9 +71,9 @@ def image_deps(mode, malicious = False):
 # Add any custom partitions to the manifest
 "custom_partitions": lambda _: [Label("//ic-os/guestos:partition-config.tzst")],
- # We will install boot_args_template onto the system, after substituting the
- # hash of the root filesystem into it.
 "boot_args_template": Label("//ic-os/guestos/context:boot_args.template"),
+ # GuestOS requires dm-verity root partition signing for security
+ "requires_root_signing": True,
 }
 dev_build_args = ["BUILD_TYPE=dev", "ROOT_PASSWORD=root"]
diff --git a/ic-os/hostos/defs.bzl b/ic-os/hostos/defs.bzl
index 377394273a3c..8d48a3e3ea0c 100644
--- a/ic-os/hostos/defs.bzl
+++ b/ic-os/hostos/defs.bzl
@@ -47,6 +47,7 @@ def image_deps(mode, _malicious = False):
 "bootfs_size": "100M",
 "grub_config": Label("//ic-os/bootloader:hostos_grub.cfg"),
 "boot_args_template": Label("//ic-os/hostos/context:boot_args.template"),
+ "requires_root_signing": False,
 # Add any custom partitions to the manifest
 "custom_partitions": _custom_partitions,
diff --git a/ic-os/setupos/defs.bzl b/ic-os/setupos/defs.bzl
index 5556b48c6549..5031ce567640 100644
--- a/ic-os/setupos/defs.bzl
+++ b/ic-os/setupos/defs.bzl
@@ -42,6 +42,7 @@ def image_deps(mode, _malicious = False):
 "bootfs_size": "100M",
 "grub_config": Label("//ic-os/bootloader:setupos_grub.cfg"),
 "boot_args_template": Label("//ic-os/setupos/context:boot_args.template"),
+ "requires_root_signing": False,
 # Add any custom partitions to the manifest
 "custom_partitions": _custom_partitions,

From 9e7d432eff11b4870c99b193266d8867fddc2bd8 Mon Sep 17 00:00:00 2001
From: Andrew Battat Date: Thu, 5 Jun 2025 13:53:12 +0000 Subject: [PATCH 09/16] Move boot_args.template files to bootloader --- ic-os/bootloader/BUILD.bazel | 3 +++ .../guestos_boot_args.template} | 0 .../hostos_boot_args.template} | 0 .../setupos_boot_args.template} | 0 ic-os/defs.bzl | 1 - ic-os/guestos/defs.bzl | 3 +-- ic-os/hostos/defs.bzl | 2 +- ic-os/setupos/defs.bzl | 2 +- 8 files changed, 6 insertions(+), 5 deletions(-) rename ic-os/{guestos/context/boot_args.template => bootloader/guestos_boot_args.template} (100%) rename ic-os/{hostos/context/boot_args.template => bootloader/hostos_boot_args.template} (100%) rename ic-os/{setupos/context/boot_args.template => bootloader/setupos_boot_args.template} (100%) diff --git a/ic-os/bootloader/BUILD.bazel b/ic-os/bootloader/BUILD.bazel index 1c55d8bbf811..eaf921aa0954 100644 --- a/ic-os/bootloader/BUILD.bazel +++ b/ic-os/bootloader/BUILD.bazel @@ -8,6 +8,9 @@ exports_files([ "guestos_grub.cfg", "hostos_grub.cfg", "setupos_grub.cfg", + "guestos_boot_args.template", + "hostos_boot_args.template", + "setupos_boot_args.template", ]) genrule( diff --git a/ic-os/guestos/context/boot_args.template b/ic-os/bootloader/guestos_boot_args.template similarity index 100% rename from ic-os/guestos/context/boot_args.template rename to ic-os/bootloader/guestos_boot_args.template diff --git a/ic-os/hostos/context/boot_args.template b/ic-os/bootloader/hostos_boot_args.template similarity index 100% rename from ic-os/hostos/context/boot_args.template rename to ic-os/bootloader/hostos_boot_args.template diff --git a/ic-os/setupos/context/boot_args.template b/ic-os/bootloader/setupos_boot_args.template similarity index 100% rename from ic-os/setupos/context/boot_args.template rename to ic-os/bootloader/setupos_boot_args.template diff --git a/ic-os/defs.bzl b/ic-os/defs.bzl index ec42fe065d20..c6fb07324961 100644 --- a/ic-os/defs.bzl +++ b/ic-os/defs.bzl 
@@ -51,7 +51,6 @@ def icos_build( image_deps = image_deps_func(mode, malicious) - # -------------------- Version management -------------------- copy_file( diff --git a/ic-os/guestos/defs.bzl b/ic-os/guestos/defs.bzl index d2d8842c50f4..015ceb4708dd 100644 --- a/ic-os/guestos/defs.bzl +++ b/ic-os/guestos/defs.bzl @@ -70,8 +70,7 @@ def image_deps(mode, malicious = False): # Add any custom partitions to the manifest "custom_partitions": lambda _: [Label("//ic-os/guestos:partition-config.tzst")], - - "boot_args_template": Label("//ic-os/guestos/context:boot_args.template"), + "boot_args_template": Label("//ic-os/bootloader:guestos_boot_args.template"), # GuestOS requires dm-verity root partition signing for security "requires_root_signing": True, } diff --git a/ic-os/hostos/defs.bzl b/ic-os/hostos/defs.bzl index 8d48a3e3ea0c..2fe2d378fc17 100644 --- a/ic-os/hostos/defs.bzl +++ b/ic-os/hostos/defs.bzl @@ -46,7 +46,7 @@ def image_deps(mode, _malicious = False): "rootfs_size": "3G", "bootfs_size": "100M", "grub_config": Label("//ic-os/bootloader:hostos_grub.cfg"), - "boot_args_template": Label("//ic-os/hostos/context:boot_args.template"), + "boot_args_template": Label("//ic-os/bootloader:hostos_boot_args.template"), "requires_root_signing": False, # Add any custom partitions to the manifest diff --git a/ic-os/setupos/defs.bzl b/ic-os/setupos/defs.bzl index 5031ce567640..6771b813a7ad 100644 --- a/ic-os/setupos/defs.bzl +++ b/ic-os/setupos/defs.bzl @@ -41,7 +41,7 @@ def image_deps(mode, _malicious = False): "rootfs_size": "1750M", "bootfs_size": "100M", "grub_config": Label("//ic-os/bootloader:setupos_grub.cfg"), - "boot_args_template": Label("//ic-os/setupos/context:boot_args.template"), + "boot_args_template": Label("//ic-os/bootloader:setupos_boot_args.template"), "requires_root_signing": False, # Add any custom partitions to the manifest From 09d797e76528adf4978b5af8d7ef18f24b5cceb9 Mon Sep 17 00:00:00 2001 
From: Andrew Battat Date: Thu, 5 Jun 2025 15:13:36 +0000 Subject: [PATCH 10/16] Merge grub changes --- ic-os/bootloader/BUILD.bazel | 1 - ic-os/bootloader/guestos_boot_args.template | 5 +++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ic-os/bootloader/BUILD.bazel b/ic-os/bootloader/BUILD.bazel index eaf921aa0954..ca3e2fac4aed 100644 --- a/ic-os/bootloader/BUILD.bazel +++ b/ic-os/bootloader/BUILD.bazel @@ -4,7 +4,6 @@ package(default_visibility = ["//rs:ic-os-pkg"]) exports_files([ "grubenv", - "grub.cfg", "guestos_grub.cfg", "hostos_grub.cfg", "setupos_grub.cfg", diff --git a/ic-os/bootloader/guestos_boot_args.template b/ic-os/bootloader/guestos_boot_args.template index 65dcf1c1e778..b51184a7d328 100644 --- a/ic-os/bootloader/guestos_boot_args.template +++ b/ic-os/bootloader/guestos_boot_args.template @@ -1,4 +1,9 @@ # Kernel cmdline parameters for launching the GuestOS. # BOOT_ARGS_A targets partition set "A" while BOOT_ARGS_B targets partition set "B" +# +# To run system with SELinux in PERMISSIVE mode, change enforcing=1 to enforcing=0: +# the system will use SELinux and keep track of operations that would +# be prohibited, but will only log but not actually deny them. This is +# useful for debug and policy development. BOOT_ARGS_A="root=/dev/vda5 console=ttyS0 nomodeset dfinity.system=A security=selinux selinux=1 enforcing=1 root_hash=ROOT_HASH" BOOT_ARGS_B="root=/dev/vda8 console=ttyS0 nomodeset dfinity.system=B security=selinux selinux=1 enforcing=1 root_hash=ROOT_HASH" From 5d91db3a98dc7e92da1483c7d94755ac713418e3 Mon Sep 17 00:00:00 2001 From: Andrew Battat Date: Thu, 5 Jun 2025 16:27:43 +0000 Subject: [PATCH 11/16] Fix comment --- ic-os/guestos/defs.bzl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ic-os/guestos/defs.bzl b/ic-os/guestos/defs.bzl index 1964eee204d4..d2de7a268792 100644 --- a/ic-os/guestos/defs.bzl +++ b/ic-os/guestos/defs.bzl 
@@ -72,7 +72,7 @@ def image_deps(mode, malicious = False): # Add any custom partitions to the manifest "custom_partitions": lambda _: [Label("//ic-os/guestos:partition-config.tzst")], "boot_args_template": Label("//ic-os/bootloader:guestos_boot_args.template"), - # GuestOS requires dm-verity root partition signing for security + # GuestOS requires dm-verity root partition signing for SEV "requires_root_signing": True, } From 1533b99cc0639a6bd19049bbeda9b848d3df09c2 Mon Sep 17 00:00:00 2001 From: Andrew Battat Date: Fri, 6 Jun 2025 07:34:59 +0000 Subject: [PATCH 12/16] Fix merge errors --- ic-os/guestos/defs.bzl | 1 - 1 file changed, 1 deletion(-) diff --git a/ic-os/guestos/defs.bzl b/ic-os/guestos/defs.bzl index d2de7a268792..0c3d78abb61d 100644 --- a/ic-os/guestos/defs.bzl +++ b/ic-os/guestos/defs.bzl @@ -67,7 +67,6 @@ def image_deps(mode, malicious = False): "rootfs_size": "3G", "bootfs_size": "1G", "grub_config": Label("//ic-os/bootloader:guestos_grub.cfg"), - "grub_config": Label("//ic-os/bootloader:guestos_grub.cfg"), # Add any custom partitions to the manifest "custom_partitions": lambda _: [Label("//ic-os/guestos:partition-config.tzst")], From bbfb096f2d0c79525e66c3347d33464eec0b801f Mon Sep 17 00:00:00 2001 From: Andrew Battat Date: Fri, 6 Jun 2025 09:21:30 +0000 Subject: [PATCH 13/16] Fix grub backwards compatibility by continuing to pass extra_boot_args --- ic-os/bootloader/BUILD.bazel | 3 +++ .../guestos_extra_boot_args.template | 14 ++++++++++ ic-os/bootloader/hostos_extra_boot_args | 14 ++++++++++ ic-os/bootloader/setupos_extra_boot_args | 14 ++++++++++ ic-os/defs.bzl | 26 ++++++++++++------- ic-os/guestos/defs.bzl | 1 + ic-os/hostos/defs.bzl | 1 + ic-os/setupos/defs.bzl | 1 + 8 files changed, 65 insertions(+), 9 deletions(-) create mode 100644 ic-os/bootloader/guestos_extra_boot_args.template create mode 100644 ic-os/bootloader/hostos_extra_boot_args create mode 100644 ic-os/bootloader/setupos_extra_boot_args 
diff --git a/ic-os/bootloader/BUILD.bazel b/ic-os/bootloader/BUILD.bazel index ca3e2fac4aed..4310850a1d89 100644 --- a/ic-os/bootloader/BUILD.bazel +++ b/ic-os/bootloader/BUILD.bazel @@ -10,6 +10,9 @@ exports_files([ "guestos_boot_args.template", "hostos_boot_args.template", "setupos_boot_args.template", + "guestos_extra_boot_args.template", + "hostos_extra_boot_args", + "setupos_extra_boot_args", ]) genrule( diff --git a/ic-os/bootloader/guestos_extra_boot_args.template b/ic-os/bootloader/guestos_extra_boot_args.template new file mode 100644 index 000000000000..8e2a97a91c8f --- /dev/null +++ b/ic-os/bootloader/guestos_extra_boot_args.template @@ -0,0 +1,14 @@ +# Uncomment this to run system with SELinux in PERMISSIVE mode: +# the system will use SELinux and keep track of operations that would +# be prohibited, but will only log but not actually deny them. This is +# useful for debug and policy development. The system behaves essentially the +# same as if SELinux was not activated. +# +# EXTRA_BOOT_ARGS="security=selinux selinux=1 enforcing=0 root_hash=ROOT_HASH" + +# Uncomment this to run system with SELinux in ENFORCING mode: All rules +# of the policy are enforced, and forbidden actions are not just logged but +# stopped. This causes the system to behave differently than in either +# "no SELinux" or "permissive" mode. +# +EXTRA_BOOT_ARGS="security=selinux selinux=1 enforcing=1 root_hash=ROOT_HASH" \ No newline at end of file diff --git a/ic-os/bootloader/hostos_extra_boot_args b/ic-os/bootloader/hostos_extra_boot_args new file mode 100644 index 000000000000..be848a2bff3f --- /dev/null +++ b/ic-os/bootloader/hostos_extra_boot_args 
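Review bot: GuestOS's kernel security arguments now exist in two files that nothing keeps in sync: the `EXTRA_BOOT_ARGS` added here repeats the `security=selinux selinux=1 enforcing=1 root_hash=ROOT_HASH` string that guestos_boot_args.template carries in BOOT_ARGS_A/B (PATCH 10 hunk on this page). Flipping enforcing or dropping root_hash in one file would leave the other path with a different SELinux/dm-verity posture, and the divergence would only show up at boot. I would add a header comment to this template, e.g. `# Compatibility copy of the boot arguments; the security= and root_hash= values must match guestos_boot_args.template`, or generate both files from one source. The file is also committed without a trailing newline (`\ No newline at end of file`), which is worth fixing while the file is new.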
@@ -0,0 +1,14 @@ +# Uncomment this to run system with SELinux in PERMISSIVE mode: +# the system will use SELinux and keep track of operations that would +# be prohibited, but will only log but not actually deny them. This is +# useful for debug and policy development. The system behaves essentially the +# same as if SELinux was not activated. +# +EXTRA_BOOT_ARGS="security=selinux selinux=1 enforcing=0" + +# Uncomment this to run system with SELinux in ENFORCING mode: All rules +# of the policy are enforced, and forbidden actions are not just logged but +# stopped. This causes the system to behave differently than in either +# "no SELinux" or "permissive" mode. +# +# EXTRA_BOOT_ARGS="security=selinux selinux=1 enforcing=1" \ No newline at end of file diff --git a/ic-os/bootloader/setupos_extra_boot_args b/ic-os/bootloader/setupos_extra_boot_args new file mode 100644 index 000000000000..be848a2bff3f --- /dev/null +++ b/ic-os/bootloader/setupos_extra_boot_args @@ -0,0 +1,14 @@ +# Uncomment this to run system with SELinux in PERMISSIVE mode: +# the system will use SELinux and keep track of operations that would +# be prohibited, but will only log but not actually deny them. This is +# useful for debug and policy development. The system behaves essentially the +# same as if SELinux was not activated. +# +EXTRA_BOOT_ARGS="security=selinux selinux=1 enforcing=0" + +# Uncomment this to run system with SELinux in ENFORCING mode: All rules +# of the policy are enforced, and forbidden actions are not just logged but +# stopped. This causes the system to behave differently than in either +# "no SELinux" or "permissive" mode. +# +# EXTRA_BOOT_ARGS="security=selinux selinux=1 enforcing=1" \ No newline at end of file diff --git a/ic-os/defs.bzl b/ic-os/defs.bzl index bd064bf6cdd0..f69e96af2d77 100644 --- a/ic-os/defs.bzl +++ b/ic-os/defs.bzl 
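Review bot: The active line in hostos_extra_boot_args is the permissive one, `EXTRA_BOOT_ARGS="security=selinux selinux=1 enforcing=0"`, and the enforcing line is the one commented out, so HostOS boots with SELinux permissive through this path while the GuestOS template in the previous hunk is enforcing; the setupos_extra_boot_args hunk on this line is byte-identical (same blob be848a2bff3f) and has the same issue. The comment above that line still reads "Uncomment this to run system with SELinux in PERMISSIVE mode" although the line is already uncommented, so the file documents the opposite of its own state. If permissive is the intended setting for these variants (the commit title suggests the files reproduce earlier behaviour), say so explicitly, e.g. `# HostOS currently boots with SELinux in PERMISSIVE mode; the ENFORCING variant below is kept for switching`, and make each heading describe the line beneath it. If it is not intended, the `enforcing=1` line should be the live one.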
@@ -51,15 +51,6 @@ def icos_build( image_deps = image_deps_func(mode, malicious) - # Validate that exactly one of boot_args_template or extra_boot_args is provided - has_boot_args_template = "boot_args_template" in image_deps - has_extra_boot_args = "extra_boot_args" in image_deps - - if not has_boot_args_template and not has_extra_boot_args: - fail("Either 'boot_args_template' or 'extra_boot_args' must be provided in image_deps") - elif has_boot_args_template and has_extra_boot_args: - fail("Cannot provide both 'boot_args_template' and 'extra_boot_args' in image_deps - they are mutually exclusive") - # -------------------- Version management -------------------- copy_file( @@ -163,6 +154,7 @@ def icos_build( partition_boot_tzst = "partition-boot" + test_suffix + ".tzst" version_txt = "version" + test_suffix + ".txt" boot_args = "boot" + test_suffix + "_args" + extra_boot_args = "extra_boot" + test_suffix + "_args" ext4_image( name = partition_root_unsigned_tzst, @@ -192,6 +184,7 @@ def icos_build( image_deps["bootfs"].items() + [ (version_txt, "/version.txt:0644"), (boot_args, "/boot_args:0644"), + (extra_boot_args, "/extra_boot_args:0644"), ] ) }, @@ -235,6 +228,14 @@ def icos_build( "< $(location :boot_args_template) > $@", tags = ["manual"], ) + native.genrule( + name = "generate-" + extra_boot_args, + outs = [extra_boot_args], + srcs = [partition_root_hash, ":extra_boot_args_template"], + cmd = "sed -e s/ROOT_HASH/$$(cat $(location " + partition_root_hash + "))/ " + + "< $(location :extra_boot_args_template) > $@", + tags = ["manual"], + ) else: # No signing required, no ROOT_HASH substitution native.alias(name = partition_root_signed_tzst, actual = partition_root_unsigned_tzst, tags = ["manual", "no-cache"]) 
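Review bot: Deleting the mutual-exclusion check removes the only validation of the boot-args contract, while the rest of this patch reads `image_deps["extra_boot_args"]` in the non-signing branch and references `:extra_boot_args_template` in the signing branch (the `@@ -235` hunk here and the `@@ -245` and `@@ -259` hunks on the next line), and PATCH 15 later makes `image_deps["extra_boot_args_template"]` unconditional. A variant that forgets a key therefore fails with a Starlark key error or an unresolved label instead of the clear messages that were just removed. Replace the check with one that matches the contract PATCH 15 settles on, e.g. `if "boot_args_template" not in image_deps or "extra_boot_args_template" not in image_deps:` followed by `fail("image_deps must provide both 'boot_args_template' and 'extra_boot_args_template'")`. icos_build continues well beyond this hunk.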
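Review bot: The new genrule copies the `sed -e s/ROOT_HASH/$$(cat $(location ...))/` command of the boot_args genrule above it verbatim, and in both the hash file is spliced unquoted into the sed expression: an empty hash file produces `root_hash=` with no value in the boot line rather than a build failure, which for the dm-verity root is a fail-open result, and any character sed treats specially in that file would break the expression. Factor the command into one local used by both genrules and reject an empty hash, e.g. `cmd = "h=$$(cat $(location " + partition_root_hash + ")); test -n \"$$h\" || exit 1; sed -e \"s/ROOT_HASH/$$h/\" < $(location :extra_boot_args_template) > $@"`. The enclosing `if image_deps.get("requires_root_signing", False):` block starts before this hunk and icos_build continues after it.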
@@ -245,6 +246,7 @@ def icos_build( cmd = "cp $(location :boot_args_template) $@", tags = ["manual"], ) + native.alias(name = extra_boot_args, actual = image_deps["extra_boot_args"], tags = ["manual"]) component_file_references_test( name = name + "_component_file_references_test", @@ -259,6 +261,12 @@ def icos_build( actual = image_deps["boot_args_template"], ) + if "extra_boot_args_template" in image_deps: + native.alias( + name = "extra_boot_args_template", + actual = image_deps["extra_boot_args_template"], + ) + # -------------------- Assemble disk partitions --------------- # Build a list of custom partitions to allow "injecting" variant-specific partition logic. diff --git a/ic-os/guestos/defs.bzl b/ic-os/guestos/defs.bzl index 0c3d78abb61d..c478a894d5bd 100644 --- a/ic-os/guestos/defs.bzl +++ b/ic-os/guestos/defs.bzl @@ -67,6 +67,7 @@ def image_deps(mode, malicious = False): "rootfs_size": "3G", "bootfs_size": "1G", "grub_config": Label("//ic-os/bootloader:guestos_grub.cfg"), + "extra_boot_args_template": Label("//ic-os/bootloader:guestos_extra_boot_args.template"), # Add any custom partitions to the manifest "custom_partitions": lambda _: [Label("//ic-os/guestos:partition-config.tzst")], diff --git a/ic-os/hostos/defs.bzl b/ic-os/hostos/defs.bzl index 2fe2d378fc17..5cbba2138f4b 100644 --- a/ic-os/hostos/defs.bzl +++ b/ic-os/hostos/defs.bzl @@ -46,6 +46,7 @@ def image_deps(mode, _malicious = False): "rootfs_size": "3G", "bootfs_size": "100M", "grub_config": Label("//ic-os/bootloader:hostos_grub.cfg"), + "extra_boot_args": Label("//ic-os/bootloader:hostos_extra_boot_args"), "boot_args_template": Label("//ic-os/bootloader:hostos_boot_args.template"), "requires_root_signing": False, diff --git a/ic-os/setupos/defs.bzl b/ic-os/setupos/defs.bzl index 6771b813a7ad..dfb67372f6a7 100644 --- a/ic-os/setupos/defs.bzl +++ b/ic-os/setupos/defs.bzl 
@@ -42,6 +42,7 @@ def image_deps(mode, _malicious = False): "bootfs_size": "100M", "grub_config": Label("//ic-os/bootloader:setupos_grub.cfg"), "boot_args_template": Label("//ic-os/bootloader:setupos_boot_args.template"), + "extra_boot_args": Label("//ic-os/bootloader:setupos_extra_boot_args"), "requires_root_signing": False, # Add any custom partitions to the manifest From 077a910d65279e89d34d28f79d52e335c00b29f7 Mon Sep 17 00:00:00 2001 From: Andrew Battat Date: Fri, 6 Jun 2025 11:27:57 +0000 Subject: [PATCH 14/16] Fix documentation --- ic-os/defs.bzl | 4 ++++ ic-os/guestos/defs.bzl | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ic-os/defs.bzl b/ic-os/defs.bzl index f69e96af2d77..59d477623d0b 100644 --- a/ic-os/defs.bzl +++ b/ic-os/defs.bzl @@ -200,6 +200,10 @@ def icos_build( # - Predictable measurements for AMD SEV (especially important for signed root partitions) # - Static boot arguments stored on the boot partition + # For backwards compatibility in GuestOS and HostOS, + # we continue to support the old way of calculating the dynamic args (see :extra_boot_args). + + if image_deps.get("requires_root_signing", False): # Sign the root partition and substitute ROOT_HASH in boot args native.genrule( diff --git a/ic-os/guestos/defs.bzl b/ic-os/guestos/defs.bzl index c478a894d5bd..aeb01dc346aa 100644 --- a/ic-os/guestos/defs.bzl +++ b/ic-os/guestos/defs.bzl @@ -72,7 +72,7 @@ def image_deps(mode, malicious = False): # Add any custom partitions to the manifest "custom_partitions": lambda _: [Label("//ic-os/guestos:partition-config.tzst")], "boot_args_template": Label("//ic-os/bootloader:guestos_boot_args.template"), - # GuestOS requires dm-verity root partition signing for SEV + # GuestOS requires dm-verity root partition signing "requires_root_signing": True, } From 86c7f627595ef0e1409794cca0f7ed05872cfd58 Mon Sep 17 00:00:00 2001 
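Review bot: The added comment names only GuestOS and HostOS, but this series wires the same `extra_boot_args` output for SetupOS as well (the setupos hunks of PATCH 13 and PATCH 15), so the note is incomplete the moment it lands, and it points at `:extra_boot_args` while the label the code declares is `:extra_boot_args_template` (the generated file is named by the `extra_boot_args` local, not a fixed label). Two of the four added lines are blank, one of which PATCH 15 removes again. Suggest `# For backwards compatibility every variant also ships /extra_boot_args, generated from :extra_boot_args_template alongside /boot_args.`, and if the compatibility target is the previous grub.cfg, as the PATCH 13 title suggests, name it there too.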
From: Andrew Battat Date: Fri, 6 Jun 2025 11:34:34 +0000 Subject: [PATCH 15/16] Convert extra_boot_args to templates to match GuestOS --- ic-os/bootloader/BUILD.bazel | 4 ++-- ...ot_args => hostos_extra_boot_args.template} | 0 ...t_args => setupos_extra_boot_args.template} | 0 ic-os/defs.bzl | 18 +++++++++++------- ic-os/hostos/defs.bzl | 2 +- ic-os/setupos/defs.bzl | 2 +- 6 files changed, 15 insertions(+), 11 deletions(-) rename ic-os/bootloader/{hostos_extra_boot_args => hostos_extra_boot_args.template} (100%) rename ic-os/bootloader/{setupos_extra_boot_args => setupos_extra_boot_args.template} (100%) diff --git a/ic-os/bootloader/BUILD.bazel b/ic-os/bootloader/BUILD.bazel index 4310850a1d89..cecd9c5f49ea 100644 --- a/ic-os/bootloader/BUILD.bazel +++ b/ic-os/bootloader/BUILD.bazel @@ -11,8 +11,8 @@ exports_files([ "hostos_boot_args.template", "setupos_boot_args.template", "guestos_extra_boot_args.template", - "hostos_extra_boot_args", - "setupos_extra_boot_args", + "hostos_extra_boot_args.template", + "setupos_extra_boot_args.template", ]) genrule( diff --git a/ic-os/bootloader/hostos_extra_boot_args b/ic-os/bootloader/hostos_extra_boot_args.template similarity index 100% rename from ic-os/bootloader/hostos_extra_boot_args rename to ic-os/bootloader/hostos_extra_boot_args.template diff --git a/ic-os/bootloader/setupos_extra_boot_args b/ic-os/bootloader/setupos_extra_boot_args.template similarity index 100% rename from ic-os/bootloader/setupos_extra_boot_args rename to ic-os/bootloader/setupos_extra_boot_args.template diff --git a/ic-os/defs.bzl b/ic-os/defs.bzl index 59d477623d0b..b2e6afaedc11 100644 --- a/ic-os/defs.bzl +++ b/ic-os/defs.bzl @@ -203,7 +203,6 @@ def icos_build( # For backwards compatibility in GuestOS and HostOS, # we continue to support the old way of calculating the dynamic args (see :extra_boot_args). - if image_deps.get("requires_root_signing", False): # Sign the root partition and substitute ROOT_HASH in boot args native.genrule( 
@@ -250,7 +249,13 @@ def icos_build( cmd = "cp $(location :boot_args_template) $@", tags = ["manual"], ) - native.alias(name = extra_boot_args, actual = image_deps["extra_boot_args"], tags = ["manual"]) + native.genrule( + name = "generate-" + extra_boot_args, + outs = [extra_boot_args], + srcs = [":extra_boot_args_template"], + cmd = "cp $(location :extra_boot_args_template) $@", + tags = ["manual"], + ) component_file_references_test( name = name + "_component_file_references_test", @@ -265,11 +270,10 @@ def icos_build( actual = image_deps["boot_args_template"], ) - if "extra_boot_args_template" in image_deps: - native.alias( - name = "extra_boot_args_template", - actual = image_deps["extra_boot_args_template"], - ) + native.alias( + name = "extra_boot_args_template", + actual = image_deps["extra_boot_args_template"], + ) # -------------------- Assemble disk partitions --------------- diff --git a/ic-os/hostos/defs.bzl b/ic-os/hostos/defs.bzl index 5cbba2138f4b..a67e53f60550 100644 --- a/ic-os/hostos/defs.bzl +++ b/ic-os/hostos/defs.bzl @@ -46,7 +46,7 @@ def image_deps(mode, _malicious = False): "rootfs_size": "3G", "bootfs_size": "100M", "grub_config": Label("//ic-os/bootloader:hostos_grub.cfg"), - "extra_boot_args": Label("//ic-os/bootloader:hostos_extra_boot_args"), + "extra_boot_args_template": Label("//ic-os/bootloader:hostos_extra_boot_args.template"), "boot_args_template": Label("//ic-os/bootloader:hostos_boot_args.template"), "requires_root_signing": False, diff --git a/ic-os/setupos/defs.bzl b/ic-os/setupos/defs.bzl index dfb67372f6a7..8f5aa35f738b 100644 --- a/ic-os/setupos/defs.bzl +++ b/ic-os/setupos/defs.bzl 
@@ -42,7 +42,7 @@ def image_deps(mode, _malicious = False): "bootfs_size": "100M", "grub_config": Label("//ic-os/bootloader:setupos_grub.cfg"), "boot_args_template": Label("//ic-os/bootloader:setupos_boot_args.template"), - "extra_boot_args": Label("//ic-os/bootloader:setupos_extra_boot_args"), + "extra_boot_args_template": Label("//ic-os/bootloader:setupos_extra_boot_args.template"), "requires_root_signing": False, # Add any custom partitions to the manifest From f9cabd1f702ef9b0aed3ecf342641e32fb5cec4a Mon Sep 17 00:00:00 2001 From: Andrew Battat Date: Fri, 6 Jun 2025 11:38:16 +0000 Subject: [PATCH 16/16] Move unnecessary genrules to aliases --- ic-os/defs.bzl | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/ic-os/defs.bzl b/ic-os/defs.bzl index b2e6afaedc11..1758149ee26c 100644 --- a/ic-os/defs.bzl +++ b/ic-os/defs.bzl @@ -242,18 +242,14 @@ def icos_build( else: # No signing required, no ROOT_HASH substitution native.alias(name = partition_root_signed_tzst, actual = partition_root_unsigned_tzst, tags = ["manual", "no-cache"]) - native.genrule( - name = "generate-" + boot_args, - outs = [boot_args], - srcs = [":boot_args_template"], - cmd = "cp $(location :boot_args_template) $@", + native.alias( + name = boot_args, + actual = ":boot_args_template", tags = ["manual"], ) - native.genrule( - name = "generate-" + extra_boot_args, - outs = [extra_boot_args], - srcs = [":extra_boot_args_template"], - cmd = "cp $(location :extra_boot_args_template) $@", + native.alias( + name = extra_boot_args, + actual = ":extra_boot_args_template", tags = ["manual"], )