Initial support for flyvm

.github/workflows/build-and-release.yml

@@ -0,0 +1,127 @@
+name: Build, and Release Kernels
+
+# This workflow runs on pull requests and when a new tag is created.
+on:
+  pull_request:
+  create:
+
+env:
+  KERNEL_VERSION: 6.12.20
+
+jobs:
+  # Job to build the x86_64 version of the kernel
+  build_x86_64:
+    name: Build x86_64 Kernel
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Code checkout
+        uses: actions/checkout@v4
+
+      - name: Cache Build Directories
+        uses: actions/cache@v4
+        with:
+          # Define the paths to cache
+          path: |
+            tarballs
+            linux-${{ env.KERNEL_VERSION }}
+          # Create a unique key for the cache based on OS, architecture, and kernel version
+          key: ${{ runner.os }}-kernel-x86_64-${{ env.KERNEL_VERSION }}
+          # Provide a fallback key
+          restore-keys: |
+            ${{ runner.os }}-kernel-x86_64-
+
+      - name: Install dependencies
+        run: sudo apt-get update && sudo apt-get install -y curl build-essential python3-pyelftools bc kmod cpio flex libncurses5-dev libelf-dev libssl-dev dwarves bison
+
+      - name: Build x86_64 kernel
+        run: make KERNEL_VERSION=linux-${{ env.KERNEL_VERSION }}
+
+      - name: Upload x86_64 Kernel Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: kernel-x86_64
+          # IMPORTANT: Replace this path with the actual path to your built x86_64 kernel
+          path: libkrunfw.so.4.9.0
+
+  # Job to cross-compile the aarch64 version of the kernel
+  build_aarch64:
+    name: Cross-build aarch64 Kernel
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Code checkout
+        uses: actions/checkout@v4
+
+      - name: Cache Build Directories
+        uses: actions/cache@v4
+        with:
+          # Define the paths to cache
+          path: |
+            tarballs
+            linux-${{ env.KERNEL_VERSION }}
+          # Create a unique key for the cache based on OS, architecture, and kernel version
+          key: ${{ runner.os }}-kernel-aarch64-${{ env.KERNEL_VERSION }}
+          # Provide a fallback key
+          restore-keys: |
+            ${{ runner.os }}-kernel-aarch64-
+
+      - name: Install dependencies
+        run: sudo apt-get update && sudo apt-get install -y curl build-essential python3-pyelftools bc kmod cpio flex libncurses5-dev libelf-dev libssl-dev dwarves bison gcc-aarch64-linux-gnu
+
+      - name: Build aarch64 kernel
+        run: make KERNEL_VERSION=linux-${{ env.KERNEL_VERSION }} ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu-
+
+      - name: Upload aarch64 Build Artifacts
+        # This step uploads the entire directory for the macos job to use
+        uses: actions/upload-artifact@v4
+        with:
+          name: build-output-aarch64
+          path: .
+
+  # Job to take the aarch64 build and create a .dylib on macOS ARM64
+  build_macos_dylib:
+    name: Build macOS arm64 .dylib
+    runs-on: macos-14 # This is the Apple Silicon (ARM64) runner
+    needs: build_aarch64 # This job depends on the aarch64 build completing successfully
+    steps:
+      - name: Download aarch64 build output
+        uses: actions/download-artifact@v4
+        with:
+          name: build-output-aarch64
+          path: . # Download to the current directory
+
+      - name: Build .dylib from aarch64 artifacts
+        # IMPORTANT: You may need a specific make target here instead of a plain 'make'.
+        # For example: make my-dylib-target
+        run: make KERNEL_VERSION=linux-${{ env.KERNEL_VERSION }}
+
+      - name: Upload .dylib Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: dylib-arm64
+          path: libkrunfw.4.dylib
+
+  # Job to create a release if the trigger was a tag
+  release:
+    name: Create GitHub Release
+    runs-on: ubuntu-latest
+    # Only run this job if the event was a tag being created
+    if: startsWith(github.ref, 'refs/tags/')
+    needs: [build_x86_64, build_aarch64, build_macos_dylib] # Depends on all build jobs
+    permissions:
+      contents: write # Required to create a release
+    steps:
+      - name: Download all build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          # No name downloads all artifacts from the workflow run
+          path: artifacts
+
+      - name: Create Release and Upload Artifacts
+        uses: softprops/action-gh-release@v2
+        with:
+          # This will create a release with the tag name and upload all files
+          # from the 'artifacts' directory as release assets.
+          files: |
+            artifacts/kernel-x86_64/*
+            artifacts/build-output-aarch64/libkrunfw.so.4.9.0
+            artifacts/dylib-arm64/*

build_on_krunvm_debian.sh

@@ -1,5 +1,7 @@
 #!/bin/sh
 
+set -x
+
 # This is a helper script for building the Linux kernel on macOS using
 # a lightweight VM with krunvm.
 
@@ -12,7 +14,7 @@ fi
 # realpath does not exist by default on macOS, use `brew install coreutils` to get it
 SCRIPTPATH=`realpath $0`
 WORKDIR=`dirname $SCRIPTPATH`
-krunvm create debian:bookworm-slim --name libkrunfw-builder --cpus 2 --mem 2048 -v $WORKDIR:/work -w /work
+krunvm create debian:bookworm-slim --name libkrunfw-builder --cpus 8 --mem 8192 -v $WORKDIR:/work -w /work
 if [ $? != 0 ]; then
 	echo "Error creating lightweight VM"
 	exit -1

config-libkrunfw_aarch64

@@ -3334,7 +3334,7 @@ CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
 CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
 CONFIG_HAVE_C_RECORDMCOUNT=y
 CONFIG_TRACING_SUPPORT=y
-# CONFIG_FTRACE is not set
+CONFIG_FTRACE=y
 # CONFIG_SAMPLES is not set
 CONFIG_HAVE_SAMPLE_FTRACE_DIRECT=y
 CONFIG_HAVE_SAMPLE_FTRACE_DIRECT_MULTI=y

config-libkrunfw_x86_64

@@ -51,8 +51,9 @@ CONFIG_DEFAULT_INIT=""
 CONFIG_DEFAULT_HOSTNAME="(none)"
 CONFIG_SYSVIPC=y
 CONFIG_SYSVIPC_SYSCTL=y
-# CONFIG_POSIX_MQUEUE is not set
-# CONFIG_WATCH_QUEUE is not set
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+CONFIG_WATCH_QUEUE=y
 CONFIG_CROSS_MEMORY_ATTACH=y
 # CONFIG_USELIB is not set
 CONFIG_AUDIT=y
@@ -1688,7 +1689,55 @@ CONFIG_ARCH_HAS_GIGANTIC_PAGE=y
 # CONFIG_CONFIGFS_FS is not set
 # end of Pseudo filesystems
 
-# CONFIG_MISC_FILESYSTEMS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ORANGEFS_FS is not set
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_ECRYPT_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_JFFS2_FS is not set
+# CONFIG_UBIFS_FS is not set
+# CONFIG_CRAMFS is not set
+CONFIG_SQUASHFS=y
+CONFIG_SQUASHFS_FILE_CACHE=y
+# CONFIG_SQUASHFS_FILE_DIRECT is not set
+CONFIG_SQUASHFS_DECOMP_SINGLE=y
+# CONFIG_SQUASHFS_CHOICE_DECOMP_BY_MOUNT is not set
+CONFIG_SQUASHFS_COMPILE_DECOMP_SINGLE=y
+# CONFIG_SQUASHFS_COMPILE_DECOMP_MULTI is not set
+# CONFIG_SQUASHFS_COMPILE_DECOMP_MULTI_PERCPU is not set
+# CONFIG_SQUASHFS_XATTR is not set
+CONFIG_SQUASHFS_ZLIB=y
+# CONFIG_SQUASHFS_LZ4 is not set
+# CONFIG_SQUASHFS_LZO is not set
+# CONFIG_SQUASHFS_XZ is not set
+CONFIG_SQUASHFS_ZSTD=y
+# CONFIG_SQUASHFS_4K_DEVBLK_SIZE is not set
+# CONFIG_SQUASHFS_EMBEDDED is not set
+CONFIG_SQUASHFS_FRAGMENT_CACHE_SIZE=3
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+CONFIG_EROFS_FS=y
+# CONFIG_EROFS_FS_DEBUG is not set
+CONFIG_EROFS_FS_XATTR=y
+CONFIG_EROFS_FS_POSIX_ACL=y
+CONFIG_EROFS_FS_SECURITY=y
+CONFIG_EROFS_FS_ZIP=y
+# CONFIG_EROFS_FS_ZIP_LZMA is not set
+# CONFIG_EROFS_FS_ZIP_DEFLATE is not set
+# CONFIG_EROFS_FS_PCPU_KTHREAD is not set
 # CONFIG_NETWORK_FILESYSTEMS is not set
 CONFIG_NLS=y
 CONFIG_NLS_DEFAULT="utf8"
@@ -2181,7 +2230,8 @@ CONFIG_OBJTOOL=y
 # Generic Kernel Debugging Instruments
 #
 # CONFIG_MAGIC_SYSRQ is not set
-# CONFIG_DEBUG_FS is not set
+CONFIG_DEBUG_FS=y
+CONFIG_DEBUG_FS_ALLOW_ALL=y
 CONFIG_HAVE_ARCH_KGDB=y
 # CONFIG_KGDB is not set
 CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
@@ -2333,7 +2383,7 @@ CONFIG_HAVE_OBJTOOL_NOP_MCOUNT=y
 CONFIG_HAVE_C_RECORDMCOUNT=y
 CONFIG_HAVE_BUILDTIME_MCOUNT_SORT=y
 CONFIG_TRACING_SUPPORT=y
-# CONFIG_FTRACE is not set
+CONFIG_FTRACE=y
 # CONFIG_SAMPLES is not set
 CONFIG_HAVE_SAMPLE_FTRACE_DIRECT=y
 CONFIG_HAVE_SAMPLE_FTRACE_DIRECT_MULTI=y

patches/0009-Transparent-Socket-Impersonation-implementation.patch

@@ -18,7 +18,12 @@ guest acting as a proxy, without the need to use bridged tap devices
 nor virtual network interfaces, achieving a good performance with a
 low overall footprint.
 
-TODO - implement remote [get|set]sockopt
+Enhanced socket option handling: TSI sockets in S_VSOCK state return success
+for all setsockopt calls instead of EOPNOTSUPP, eliminating application errors
+like "tcp set_nodelay error: Operation not supported" while TSI proxy connections
+are active.
+
+TODO - implement actual remote [get|set]sockopt forwarding
 
 Signed-off-by: Sergio Lopez <slp@redhat.com>
 ---
@@ -427,7 +432,7 @@ index 000000000000..f43a17cff3a3
 +		}
 +	}
 +
-+	if (vsocket) {
++	if (vsocket && (sin->sin_addr.s_addr & 0xff) != 0x7f) {
 +		struct sockaddr_vm vm_addr;
 +		struct tsi_connect_req tc_req;
 +		struct tsi_connect_rsp tc_rsp;
@@ -969,7 +974,8 @@ index 000000000000..f43a17cff3a3
 +					       optlen);
 +		break;
 +	case S_VSOCK:
-+		// TODO implement remote setsockopt
++		// TODO implement remote setsockopt - for now, return success to avoid app errors
++		pr_debug("TSI: setsockopt on S_VSOCK stream socket (level %d, optname %d), returning success.\n", level, optname);
 +		err = 0;
 +		break;
 +	}
@@ -1002,7 +1008,8 @@ index 000000000000..f43a17cff3a3
 +					       optlen);
 +		break;
 +	case S_VSOCK:
-+		// TODO implement remote setsockopt
++		// TODO implement remote setsockopt - for now, return success to avoid app errors
++		pr_debug("TSI: setsockopt on S_VSOCK dgram socket (level %d, optname %d), returning success.\n", level, optname);
 +		err = 0;
 +		break;
 +	}
@@ -1352,9 +1359,11 @@ index 000000000000..f43a17cff3a3
 +	return 0;
 +
 +release_vsocket:
-+	vsocket->ops->release(vsocket);
++	if (vsocket)
++		vsocket->ops->release(vsocket);
 +release_isocket:
-+	isocket->ops->release(isocket);
++	if (isocket)
++		isocket->ops->release(isocket);
 +	return err;
 +}
 +