microsoft
diff --git a/‎.github/workflows/openvmm-ci.yaml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/openvmm-ci.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/openvmm-pr.yaml‎
Lines changed: 11 additions & 2 deletions b/‎.github/workflows/openvmm-pr.yaml‎
Lines changed: 11 additions & 2 deletions
diff --git a/‎flowey/flowey_hvlite/src/pipelines/checkin_gates.rs‎
Lines changed: 23 additions & 0 deletions b/‎flowey/flowey_hvlite/src/pipelines/checkin_gates.rs‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎flowey/flowey_lib_hvlite/src/_jobs/build_and_publish_openhcl_igvm_from_recipe.rs‎
Lines changed: 3 additions & 0 deletions b/‎flowey/flowey_lib_hvlite/src/_jobs/build_and_publish_openhcl_igvm_from_recipe.rs‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎flowey/flowey_lib_hvlite/src/_jobs/build_and_publish_openvmm_hcl_baseline.rs‎
Lines changed: 41 additions & 2 deletions b/‎flowey/flowey_lib_hvlite/src/_jobs/build_and_publish_openvmm_hcl_baseline.rs‎
Lines changed: 41 additions & 2 deletions
diff --git a/‎flowey/flowey_lib_hvlite/src/_jobs/build_openhcl_igvm_from_recipe_nix.rs‎
Lines changed: 1 addition & 0 deletions b/‎flowey/flowey_lib_hvlite/src/_jobs/build_openhcl_igvm_from_recipe_nix.rs‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎flowey/flowey_lib_hvlite/src/_jobs/check_openvmm_hcl_size.rs‎
Lines changed: 53 additions & 14 deletions b/‎flowey/flowey_lib_hvlite/src/_jobs/check_openvmm_hcl_size.rs‎
Lines changed: 53 additions & 14 deletions
@@ -696,6 +696,9 @@ impl IntoPipeline for CheckinGatesCli {
             all_jobs.push(job.finish());
         }
 
+        use flowey_lib_hvlite::_jobs::build_and_publish_openvmm_hcl_baseline::KernelCheck;
+        use flowey_lib_hvlite::resolve_openhcl_kernel_package::OpenhclKernelPackageKind;
+
         // emit openhcl build job
         for arch in [CommonArch::Aarch64, CommonArch::X86_64] {
             let arch_tag = match arch {
@@ -722,6 +725,23 @@ impl IntoPipeline for CheckinGatesCli {
                     (None, None)
                 };
 
+            let arch_kernel_checks: Vec<KernelCheck> = match arch {
+                CommonArch::X86_64 => vec![
+                    KernelCheck {
+                        kind: OpenhclKernelPackageKind::Main,
+                        label: "kernel-main".into(),
+                    },
+                    KernelCheck {
+                        kind: OpenhclKernelPackageKind::Cvm,
+                        label: "kernel-cvm".into(),
+                    },
+                ],
+                CommonArch::Aarch64 => vec![KernelCheck {
+                    kind: OpenhclKernelPackageKind::Main,
+                    label: "kernel-main".into(),
+                }],
+            };
+
             // also build pipette musl on this job, as until we land the
             // refactor that allows building musl without the full openhcl
             // toolchain, it would require pulling in all the openhcl
@@ -802,6 +822,7 @@ impl IntoPipeline for CheckinGatesCli {
                         artifact_dir_openhcl_igvm_extras: ctx
                             .publish_artifact(pub_openhcl_igvm_extras),
                         artifact_openhcl_verify_size_baseline: publish_baseline_artifact,
+                        kernel_checks_for_baseline: arch_kernel_checks.clone(),
                         done: ctx.new_done_handle(),
                     }
                 })
@@ -842,6 +863,7 @@ impl IntoPipeline for CheckinGatesCli {
                                 arch,
                                 platform: CommonPlatform::LinuxMusl,
                             },
+                            kernel_checks: arch_kernel_checks,
                             done: ctx.new_done_handle(),
                             pipeline_name: "openvmm-ci.yaml".into(),
                             job_name: build_openhcl_job_tag(arch_tag),
@@ -1417,6 +1439,7 @@ impl IntoPipeline for CheckinGatesCli {
                         artifact_dir_openhcl_igvm_extras: ctx
                             .publish_artifact(pub_mi_secure_igvm_extras),
                         artifact_openhcl_verify_size_baseline: None,
+                        kernel_checks_for_baseline: vec![],
                         done: ctx.new_done_handle(),
                     }
                 });
 
@@ -33,6 +33,7 @@ flowey_request! {
         pub artifact_dir_openhcl_igvm: ReadVar<PathBuf>,
         pub artifact_dir_openhcl_igvm_extras: ReadVar<PathBuf>,
         pub artifact_openhcl_verify_size_baseline: Option<ReadVar<PathBuf>>,
+        pub kernel_checks_for_baseline: Vec<build_and_publish_openvmm_hcl_baseline::KernelCheck>,
         pub done: WriteVar<SideEffect>,
     }
 }
@@ -56,6 +57,7 @@ impl SimpleFlowNode for Node {
             artifact_dir_openhcl_igvm,
             artifact_dir_openhcl_igvm_extras,
             artifact_openhcl_verify_size_baseline,
+            kernel_checks_for_baseline,
             done,
         } = request;
 
@@ -151,6 +153,7 @@ impl SimpleFlowNode for Node {
                     did_publish.push(ctx.reqv(|v| {
                         build_and_publish_openvmm_hcl_baseline::Request {
                             target: custom_target,
+                            kernel_checks: kernel_checks_for_baseline,
                             artifact_dir: sizecheck_artifact,
                             done: v,
                         }
 
@@ -1,20 +1,31 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
 
-//! Builds and publishes an OpenHCL binary for size comparison with PRs.
+//! Builds and publishes an OpenHCL binary and kernel binaries for size
+//! comparison with PRs.
 
 use crate::artifact_openvmm_hcl_sizecheck;
 use crate::build_openhcl_igvm_from_recipe::OpenhclIgvmRecipe;
 use crate::build_openvmm_hcl;
 use crate::build_openvmm_hcl::OpenvmmHclBuildParams;
 use crate::build_openvmm_hcl::OpenvmmHclBuildProfile;
+use crate::resolve_openhcl_kernel_package::OpenhclKernelPackageArch;
+use crate::resolve_openhcl_kernel_package::OpenhclKernelPackageKind;
 use crate::run_cargo_build::common::CommonArch;
 use crate::run_cargo_build::common::CommonTriple;
 use flowey::node::prelude::*;
 
+/// A kernel to include in the baseline artifact.
+#[derive(Clone, Serialize, Deserialize)]
+pub struct KernelCheck {
+    pub kind: OpenhclKernelPackageKind,
+    pub label: String,
+}
+
 flowey_request! {
     pub struct Request {
         pub target: CommonTriple,
+        pub kernel_checks: Vec<KernelCheck>,
         pub artifact_dir: ReadVar<PathBuf>,
         pub done: WriteVar<SideEffect>,
     }
@@ -28,16 +39,20 @@ impl SimpleFlowNode for Node {
     fn imports(ctx: &mut ImportCtx<'_>) {
         ctx.import::<artifact_openvmm_hcl_sizecheck::publish::Node>();
         ctx.import::<build_openvmm_hcl::Node>();
+        ctx.import::<crate::resolve_openhcl_kernel_package::Node>();
     }
 
     fn process_request(request: Self::Request, ctx: &mut NodeCtx<'_>) -> anyhow::Result<()> {
         let Request {
             target,
+            kernel_checks,
             done,
             artifact_dir,
         } = request;
 
-        let recipe = match target.common_arch().unwrap() {
+        let arch = target.common_arch().unwrap();
+
+        let recipe = match arch {
             CommonArch::X86_64 => OpenhclIgvmRecipe::X64,
             CommonArch::Aarch64 => OpenhclIgvmRecipe::Aarch64,
         }
@@ -54,8 +69,32 @@ impl SimpleFlowNode for Node {
             openvmm_hcl_output: v,
         });
 
+        let kernel_arch = match arch {
+            CommonArch::X86_64 => OpenhclKernelPackageArch::X86_64,
+            CommonArch::Aarch64 => OpenhclKernelPackageArch::Aarch64,
+        };
+
+        let kernel_baselines: Vec<_> = kernel_checks
+            .into_iter()
+            .map(|kc| {
+                let kernel =
+                    ctx.reqv(
+                        |v| crate::resolve_openhcl_kernel_package::Request::GetKernel {
+                            kind: kc.kind,
+                            arch: kernel_arch,
+                            kernel: v,
+                        },
+                    );
+                artifact_openvmm_hcl_sizecheck::publish::KernelBaseline {
+                    label: kc.label,
+                    kernel,
+                }
+            })
+            .collect();
+
         ctx.req(artifact_openvmm_hcl_sizecheck::publish::Request {
             openvmm_openhcl: baseline_hcl_build,
+            kernel_baselines,
             artifact_dir,
             done,
         });
 
@@ -56,6 +56,7 @@ impl SimpleFlowNode for Node {
                 artifact_dir_openhcl_igvm,
                 artifact_dir_openhcl_igvm_extras,
                 artifact_openhcl_verify_size_baseline,
+                kernel_checks_for_baseline: Vec::new(),
                 done,
             },
         );
 
@@ -1,14 +1,16 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
 
-//! Compares the size of the OpenHCL binary in the current PR with the size of the binary from the last successful merge to main.
+//! Compares the size of the OpenHCL binary and kernel binaries in the current
+//! PR with the sizes from the last successful merge to main.
 
-use crate::artifact_openhcl_igvm_from_recipe_extras;
+use crate::_jobs::build_and_publish_openvmm_hcl_baseline::KernelCheck;
 use crate::build_openhcl_igvm_from_recipe;
 use crate::build_openhcl_igvm_from_recipe::OpenhclIgvmRecipe;
 use crate::build_openvmm_hcl;
 use crate::build_openvmm_hcl::OpenvmmHclBuildParams;
 use crate::build_openvmm_hcl::OpenvmmHclBuildProfile::OpenvmmHclShip;
+use crate::resolve_openhcl_kernel_package::OpenhclKernelPackageArch;
 use crate::run_cargo_build::common::CommonArch;
 use crate::run_cargo_build::common::CommonPlatform;
 use crate::run_cargo_build::common::CommonTriple;
@@ -20,6 +22,7 @@ use flowey_lib_common::git_merge_commit;
 flowey_request! {
     pub struct Request {
         pub target: CommonTriple,
+        pub kernel_checks: Vec<KernelCheck>,
         pub done: WriteVar<SideEffect>,
         pub pipeline_name: String,
         pub job_name: String,
@@ -34,22 +37,25 @@ impl SimpleFlowNode for Node {
     fn imports(ctx: &mut ImportCtx<'_>) {
         ctx.import::<crate::build_xtask::Node>();
         ctx.import::<crate::git_checkout_openvmm_repo::Node>();
+        ctx.import::<crate::resolve_openhcl_kernel_package::Node>();
         ctx.import::<download_gh_artifact::Node>();
         ctx.import::<git_merge_commit::Node>();
         ctx.import::<gh_workflow_id::Node>();
         ctx.import::<build_openhcl_igvm_from_recipe::Node>();
         ctx.import::<build_openvmm_hcl::Node>();
-        ctx.import::<artifact_openhcl_igvm_from_recipe_extras::publish::Node>();
     }
 
     fn process_request(request: Self::Request, ctx: &mut NodeCtx<'_>) -> anyhow::Result<()> {
         let Request {
             target,
+            kernel_checks,
             done,
             pipeline_name,
             job_name,
         } = request;
 
+        let arch = target.common_arch().unwrap();
+
         let xtask_target = CommonTriple::Common {
             arch: match ctx.arch() {
                 FlowArch::X86_64 => CommonArch::X86_64,
@@ -70,7 +76,7 @@ impl SimpleFlowNode for Node {
         });
         let openvmm_repo_path = ctx.reqv(crate::git_checkout_openvmm_repo::req::GetRepoDir);
 
-        let recipe = match target.common_arch().unwrap() {
+        let recipe = match arch {
             CommonArch::X86_64 => OpenhclIgvmRecipe::X64,
             CommonArch::Aarch64 => OpenhclIgvmRecipe::Aarch64,
         }
@@ -87,7 +93,27 @@ impl SimpleFlowNode for Node {
             openvmm_hcl_output: v,
         });
 
-        let file_name = match target.common_arch().unwrap() {
+        let kernel_arch = match arch {
+            CommonArch::X86_64 => OpenhclKernelPackageArch::X86_64,
+            CommonArch::Aarch64 => OpenhclKernelPackageArch::Aarch64,
+        };
+
+        let current_kernels: Vec<_> = kernel_checks
+            .iter()
+            .map(|kc| {
+                let kernel =
+                    ctx.reqv(
+                        |v| crate::resolve_openhcl_kernel_package::Request::GetKernel {
+                            kind: kc.kind,
+                            arch: kernel_arch,
+                            kernel: v,
+                        },
+                    );
+                (kc.label.clone(), kernel)
+            })
+            .collect();
+
+        let file_name = match arch {
             CommonArch::X86_64 => "x64-openhcl-baseline",
             CommonArch::Aarch64 => "aarch64-openhcl-baseline",
         };
@@ -121,10 +147,6 @@ impl SimpleFlowNode for Node {
         });
 
         // Publish the built binary as an artifact for offline analysis.
-        //
-        // FUTURE: Flowey should have a general mechanism for this. We cannot
-        // use the existing artifact support because all artifacts are only
-        // published at the end of the job, if everything else succeeds.
         let publish_artifact = if ctx.backend() == FlowBackend::Github {
             let dir = ctx.emit_rust_stepv("collect openvmm_hcl files for analysis", |ctx| {
                 let built_openvmm_hcl = built_openvmm_hcl.clone().claim(ctx);
@@ -162,13 +184,16 @@ impl SimpleFlowNode for Node {
         };
 
         let comparison = ctx.emit_rust_step("binary size comparison", |ctx| {
-            // Ensure the artifact is published before the analysis since this step may fail.
             let _publish_artifact = publish_artifact.claim(ctx);
             let xtask = xtask.claim(ctx);
             let openvmm_repo_path = openvmm_repo_path.claim(ctx);
             let old_openhcl = merge_head_artifact.claim(ctx);
             let new_openhcl = built_openvmm_hcl.claim(ctx);
             let merge_run = merge_run.claim(ctx);
+            let current_kernels: Vec<_> = current_kernels
+                .into_iter()
+                .map(|(label, k)| (label, k.claim(ctx)))
+                .collect();
 
             move |rt| {
                 let xtask = match rt.read(xtask) {
@@ -180,22 +205,36 @@ impl SimpleFlowNode for Node {
                 let new_openhcl = rt.read(new_openhcl);
                 let merge_run = rt.read(merge_run);
 
-                let old_path = old_openhcl.join(file_name).join("openhcl");
-                let new_path = new_openhcl.bin;
+                let path = rt.read(openvmm_repo_path);
+                rt.sh.change_dir(&path);
 
                 println!(
                     "comparing HEAD to merge commit {} and workflow {}",
                     merge_run.commit, merge_run.id
                 );
 
-                let path = rt.read(openvmm_repo_path);
-                rt.sh.change_dir(path);
+                // Compare usermode binary
+                let old_path = old_openhcl.join(file_name).join("openhcl");
+                let new_path = &new_openhcl.bin;
+                println!("== openvmm_hcl usermode binary ==");
                 flowey::shell_cmd!(
                     rt,
                     "{xtask} verify-size --original {old_path} --new {new_path}"
                 )
                 .run()?;
 
+                // Compare kernel binaries
+                for (label, kernel_var) in current_kernels {
+                    let new_kernel = rt.read(kernel_var);
+                    let old_kernel = old_openhcl.join(file_name).join(&label);
+                    println!("== kernel: {label} ==");
+                    flowey::shell_cmd!(
+                        rt,
+                        "{xtask} verify-size --original {old_kernel} --new {new_kernel}"
+                    )
+                    .run()?;
+                }
+
                 Ok(())
             }
         });