[devbundle] Statically link opentitantool & hsmtool

cfrantz · cfrantz · commit e295715fb0f7 · 2025-11-03T12:57:04.000-08:00
Opentitantool depends on libudev which can cause portability issues
between different runtime environments.

1. Add a flag which permits statically linking host tools.
2. Supply `libudev-zero` which is a no-dependencies replacement for
   libudev.
3. Add some flags machinery for controlling whether opentitantool is
   statically linked (default: no).
4. Deliver statically linked opentitantool and hsmtool in the devbundle.

Signed-off-by: Chris Frantz &lt;cfrantz@google.com&gt;
diff --git a/MODULE.bazel b/MODULE.bazel
@@ -282,6 +282,9 @@ use_repo(xkcp, "xkcp")
 hsm = use_extension("//third_party/hsm:extensions.bzl", "hsm")
 use_repo(hsm, "cloud_kms_hsm", "opensc", "sc_hsm", "softhsm2")
 
+system_libs = use_extension("//third_party/system_libs:extensions.bzl", "system_libs")
+use_repo(system_libs, "libudev_zero")
+
 nist_cavp = use_extension("//third_party/nist_cavp_testvectors:extensions.bzl", "nist_cavp")
 use_repo(
     nist_cavp,
diff --git a/MODULE.bazel.lock b/MODULE.bazel.lock
diff --git a/release/devbundle/BUILD b/release/devbundle/BUILD
@@ -5,6 +5,7 @@
 load("@rules_pkg//pkg:mappings.bzl", "pkg_filegroup", "pkg_files")
 load("@rules_pkg//pkg:tar.bzl", "pkg_tar")
 load("//rules/opentitan:splice.bzl", "bitstream_splice")
+load("//rules:flags.bzl", "build_with_flags")
 
 package(default_visibility = ["//visibility:public"])
 
@@ -62,6 +63,22 @@ pkg_files(
     },
 )
 
+build_with_flags(
+    name = "opentitantool",
+    flags = {
+        "//rules:static_link_host_tools": "True",
+    },
+    target = "//sw/host/opentitantool:package",
+)
+
+build_with_flags(
+    name = "hsmtool",
+    flags = {
+        "//rules:static_link_host_tools": "True",
+    },
+    target = "//sw/host/hsmtool:package",
+)
+
 # TODO(cfrantz): Implement release automation so we don't have to publish the artifact manually.
 # Upload this to the GCS bucket `artifacts.opentitan.org` and name the file
 # with a date tag (e.g. devbundle-YYYYMMDD.tar.xz).
@@ -77,12 +94,13 @@ pkg_tar(
     srcs = [
         ":bazel",
         ":bitstreams_pkg",
+        ":hsmtool",
+        ":opentitantool",
         "//hw:package",
         "//hw/ip/otp_ctrl/data:package",
         "//sw/device/lib/testing/test_rom:package",
         "//sw/device/silicon_creator/lib/ownership/keys/fake:fpga_dev_pkg",
         "//sw/device/silicon_creator/rom_ext:fpga_dev_pkg",
-        "//sw/host/opentitantool:package",
     ],
     extension = "tar.xz",
     tags = ["manual"],
diff --git a/rules/BUILD b/rules/BUILD
@@ -5,6 +5,7 @@
 load("//rules:autogen.bzl", "autogen_stamp_include")
 load("//rules:stamp.bzl", "stamp_flag")
 load("//rules/opentitan:defs.bzl", "OPENTITAN_PLATFORM")
+load("@bazel_skylib//rules:common_settings.bzl", "bool_flag")
 
 package(default_visibility = ["//visibility:public"])
 
@@ -28,3 +29,15 @@ stamp_flag(name = "stamp_flag")
 autogen_stamp_include(
     name = "autogen_stamp_include",
 )
+
+bool_flag(
+    name = "static_link_host_tools",
+    build_setting_default = False,
+)
+
+config_setting(
+    name = "static_link_host_tools_enabled",
+    flag_values = {
+        ":static_link_host_tools": "True",
+    },
+)
diff --git a/rules/flags.bzl b/rules/flags.bzl
@@ -0,0 +1,59 @@
+# Copyright lowRISC contributors (OpenTitan project).
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+load("@rules_pkg//pkg:providers.bzl", "PackageDirsInfo", "PackageFilegroupInfo", "PackageFilesInfo", "PackageSymlinkInfo")
+
+_KNOWN_PROVIDERS = [
+    PackageDirsInfo,
+    PackageFilegroupInfo,
+    PackageFilesInfo,
+    PackageSymlinkInfo,
+    OutputGroupInfo,
+]
+
+def _bool(v):
+    if v in ("True", "true"):
+        return True
+    if v in ("False", "false"):
+        return False
+    fail("Boolean value must be 'True' or 'False'")
+
+_FLAG_CONVERSIONS = {
+    # TODO: this needs to be the superset of all flags you might want to
+    # modify during the build and an appropriate type conversion function.
+    "@lowrisc_opentitan//rules:static_link_host_tools": _bool,
+}
+
+def _flags_transition_impl(settings, attr):
+    result = {}
+    for label, value in attr.flags.items():
+        label = str(label)
+        if label.startswith("@@//"):
+            label = "@lowrisc_opentitan" + label[2:]
+        result[label] = _FLAG_CONVERSIONS[label](value)
+    return result
+
+flags_transition = transition(
+    implementation = _flags_transition_impl,
+    inputs = [],
+    outputs = _FLAG_CONVERSIONS.keys(),
+)
+
+def _build_with_flags_impl(ctx):
+    # Start with DefaultInfo and then forward on any other providers we know about.
+    result = [ctx.attr.target[DefaultInfo]]
+    for p in _KNOWN_PROVIDERS:
+        if p in ctx.attr.target:
+            result.append(ctx.attr.target[p])
+    return result
+
+build_with_flags = rule(
+    implementation = _build_with_flags_impl,
+    cfg = flags_transition,
+    attrs = {
+        "target": attr.label(doc = "Target to build with flags"),
+        "flags": attr.label_keyed_string_dict(doc = "Mapping of flag labels to values"),
+        "_allowlist_function_transition": attr.label(default = "@bazel_tools//tools/allowlists/function_transition_allowlist"),
+    },
+)
diff --git a/sw/host/hsmtool/BUILD b/sw/host/hsmtool/BUILD
@@ -3,6 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 load("@rules_rust//rust:defs.bzl", "rust_binary", "rust_doc", "rust_library", "rust_test")
+load("@rules_pkg//pkg:mappings.bzl", "pkg_attributes", "pkg_filegroup", "pkg_files")
 
 package(default_visibility = ["//visibility:public"])
 
@@ -116,6 +117,10 @@ rust_library(
 rust_binary(
     name = "hsmtool",
     srcs = ["src/hsmtool.rs"],
+    rustc_flags = select({
+        "//rules:static_link_host_tools_enabled": ["--codegen=target-feature=+crt-static"],
+        "//conditions:default": [],
+    }),
     deps = [
         ":hsmlib",
         "@crate_index//:anyhow",
@@ -142,3 +147,17 @@ rust_doc(
     name = "hsmlib_doc",
     crate = ":hsmlib",
 )
+
+pkg_files(
+    name = "binary",
+    srcs = [":hsmtool"],
+    attributes = pkg_attributes(mode = "0755"),
+)
+
+pkg_filegroup(
+    name = "package",
+    srcs = [
+        ":binary",
+    ],
+    prefix = "hsmtool",
+)
diff --git a/sw/host/opentitantool/BUILD b/sw/host/opentitantool/BUILD
@@ -48,6 +48,10 @@ rust_binary(
     rustc_env_files = [
         "stamp-env.txt",
     ],
+    rustc_flags = select({
+        "//rules:static_link_host_tools_enabled": ["--codegen=target-feature=+crt-static"],
+        "//conditions:default": [],
+    }),
     # stamping is necessary because opentitantool builds version.rs that needs it
     stamp = -1,
     deps = [
@@ -72,7 +76,10 @@ rust_binary(
         "@crate_index//:shellwords",
         "@crate_index//:thiserror",
         "@lowrisc_serde_annotate//serde_annotate",
-    ],
+    ] + select({
+        "//rules:static_link_host_tools_enabled": ["@libudev_zero"],
+        "//conditions:default": [],
+    }),
 )
 
 pkg_files(
diff --git a/third_party/system_libs/BUILD b/third_party/system_libs/BUILD
@@ -0,0 +1,5 @@
+# Copyright lowRISC contributors (OpenTitan project).
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+package(default_visibility = ["//visibility:public"])
diff --git a/third_party/system_libs/BUILD.libudev_zero.bazel b/third_party/system_libs/BUILD.libudev_zero.bazel
@@ -0,0 +1,18 @@
+# Copyright lowRISC contributors (OpenTitan project).
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+load("@rules_foreign_cc//foreign_cc:make.bzl", "make")
+
+package(default_visibility = ["//visibility:public"])
+
+filegroup(
+    name = "all_srcs",
+    srcs = glob(["**"]),
+)
+
+make(
+    name = "libudev_zero",
+    lib_source = ":all_srcs",
+    out_static_libs = ["libudev.a"],
+)
diff --git a/third_party/system_libs/extensions.bzl b/third_party/system_libs/extensions.bzl
@@ -0,0 +1,18 @@
+# Copyright lowRISC contributors (OpenTitan project).
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
+
+system_libs = module_extension(
+    implementation = lambda _: _system_libs_repos(),
+)
+
+def _system_libs_repos():
+    http_archive(
+        name = "libudev_zero",
+        build_file = Label("//third_party/system_libs:BUILD.libudev_zero.bazel"),
+        url = "https://github.com/illiliti/libudev-zero/archive/refs/tags/1.0.3.tar.gz",
+        strip_prefix = "libudev-zero-1.0.3",
+        sha256 = "0bd89b657d62d019598e6c7ed726ff8fed80e8ba092a83b484d66afb80b77da5",
+    )
