From f136c000431fb83843b39b2f5befbd0178b2dbfb Mon Sep 17 00:00:00 2001
From: Tiziano Santoro <tzn@google.com>
Date: Wed, 6 Mar 2024 00:38:18 +0000
Subject: [PATCH] Download and pin upstream linux kernel via nix (#4868)

First step towards attempting to build and cache it via nix too, but
this is also useful in itself to make sure that the archive does not
change.

b/328294742
---
 flake.nix                      | 33 +++++++++++++++++++++++++++++++++
 oak_containers_kernel/Makefile |  9 ++++-----
 2 files changed, 37 insertions(+), 5 deletions(-)

diff --git a/flake.nix b/flake.nix
index b21bda69471..f807a109edc 100644
--- a/flake.nix
+++ b/flake.nix
@@ -25,6 +25,36 @@
               allowUnfree = true; # needed to get android stuff to compile
             };
           };
+          linux_kernel_upstream = builtins.fetchurl {
+            url = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.7.6.tar.xz";
+            sha256 = "1lrp7pwnxnqyy8c2l4n4nz997039gbnssrfm8ss8kl3h2c7fr2g4";
+          };
+          # TODO: b/328294742 - This derivation does not currently compile correctly, but it is a starting point.
+          oak_containers_kernel = pkgs.stdenv.mkDerivation {
+            name = "oak_containers_kernel";
+            src = ./oak_containers_kernel;
+            buildInputs = with pkgs; [
+              cowsay
+              curl
+              flex
+              bison
+              bc
+              libelf
+              elfutils
+              glibc
+              glibc.static
+              cpio
+            ];
+            baseInputs = [
+              linux_kernel_upstream
+            ];
+            buildPhase = ''
+              make target/vmlinux
+              cp target/vmlinux $out
+            '';
+            installPhase = ''
+              '';
+          };
           androidSdk =
             (pkgs.androidenv.composeAndroidPackages {
               platformVersions = [ "30" ];
@@ -150,6 +180,9 @@
             # Shell for building Oak Containers kernel and system image. This is not included in the
             # default shell because it is not needed as part of the CI.
             containers = with pkgs; mkShell {
+              shellHook = ''
+                export LINUX_KERNEL_UPSTREAM="${linux_kernel_upstream}"
+              '';
               inputsFrom = [
                 base
                 bazelShell
diff --git a/oak_containers_kernel/Makefile b/oak_containers_kernel/Makefile
index 5f6ca3fd14e..dec7573cd88 100644
--- a/oak_containers_kernel/Makefile
+++ b/oak_containers_kernel/Makefile
@@ -1,15 +1,14 @@
 all: target/vmlinux
 
 target/vmlinux: target/bzImage
-	target/linux-6.7.6/scripts/extract-vmlinux  target/bzImage > target/vmlinux
-
+	target/linux-6.7.6/scripts/extract-vmlinux target/bzImage > target/vmlinux
 
 target/bzImage: target/linux-6.7.6 configs/6.7.6/minimal.config
-	KCONFIG_CONFIG=../../configs/6.7.6/minimal.config $(MAKE) -C target/linux-6.7.6 bzImage -j `nproc`
+	KCONFIG_CONFIG=../../configs/6.7.6/minimal.config $(MAKE) --directory=target/linux-6.7.6 bzImage --jobs=$$(nproc)
 	cp target/linux-6.7.6/arch/x86/boot/bzImage target/bzImage
 
+# LINUX_KERNEL_UPSTREAM is fetched by nix and pinned by its digest. See /flake.nix.
 target/linux-6.7.6:
 	mkdir -p target
-	curl -O -L --output-dir target https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.7.6.tar.xz
-	tar -C target -Jxf target/linux-6.7.6.tar.xz
+	tar --directory=target --xz --extract --file=$${LINUX_KERNEL_UPSTREAM}
 	patch -p1 -d target/linux-6.7.6 < patches/virtio-dma.patch