commit 5c80acaec733e0b7c43cb0584cdeb7cebc826aa9
author Leopold Schabel <leo@nexantic.com> Tue Oct 22 15:48:58 2019 +0200
committer Leopold Schabel <leo@nexantic.com> Tue Oct 22 15:48:58 2019 +0200
tree f7db6de47e4ef38599da89dd4f1082c65569ca03
parent a71b5a4c36d5cae089666eaad57514c64baf6f24

Replace build system with a Bazel-based one

This pins our external dependencies and introduces a mostly-hermetic build where all dependencies are explicitly declared and rebuilt if needed.

Necessary prerequite for a proper CI workflow. Since Bazel can cache build artifacts, we can remove the hardcoded binary artifacts from the repo.

As suggested in our discussions, the genrule that builds mkfs.xfs is basically doing the same as the previous build_artifacts.sh script (see source code comments for rationale).

The main issue at this point is that the `build/linux_kernel:image` target rebuilds the kernel each time any of its inputs (like cmd/init)
change. This is very hard to fix without compromising on hermeticity, porting kbuild to Bazel (no thanks) or injecting the initramfs into the
kernel image in a separate rule (might just work, but the kernel build rule would either have custom code, or a massive set of outputs).

Perhaps we could use a separate initramfs for development? Or deliberately poke holes into Bazel's sandbox to reuse kernel build?

Test Plan:
Run this in a fresh container with empty Bazel cache:

    bazelisk run scripts:launch

... and watch as Bazel rebuilds the world.

X-Origin-Diff: phab/D197
GitOrigin-RevId: 21eea0e213a50e1c4ad25b2ac2bb87c53e36ea6d

.bazelignore

diff --git a/.bazelignore b/.bazelignore
new file mode 100644
index 0000000..6edb305
--- /dev/null
+++ b/.bazelignore
@@ -0,0 +1 @@
+.vendor

.bazelrc

diff --git a/.bazelrc b/.bazelrc
new file mode 100644
index 0000000..e1effb3
--- /dev/null
+++ b/.bazelrc
@@ -0,0 +1,3 @@
+startup --batch_cpu_scheduling --io_nice_level 7
+build --jobs 12 --ram_utilization_factor 50
+test --jobs 12

BUILD

diff --git a/BUILD b/BUILD
new file mode 100644
index 0000000..555b968
--- /dev/null
+++ b/BUILD
@@ -0,0 +1,41 @@
+load("@bazel_gazelle//:def.bzl", "gazelle")
+
+# gazelle:prefix git.monogon.dev/source/smalltown.git
+gazelle(name = "gazelle")
+
+genrule(
+    name = "image",
+    srcs = [
+        "@//cmd/mkimage",
+        "@//build/linux_kernel:image",
+    ],
+    outs = [
+        "smalltown.img",
+    ],
+    cmd = """
+    $(location @//cmd/mkimage) $(location @//build/linux_kernel:image) $@
+    """,
+    visibility = ["//visibility:public"],
+)
+
+genrule(
+    name = "swtpm_data",
+    outs = [
+        "tpm/tpm2-00.permall",
+    ],
+    cmd = """
+    mkdir tpm
+
+    swtpm_setup \
+        --tpmstate tpm \
+        --create-ek-cert \
+        --create-platform-cert \
+        --allow-signing \
+        --tpm2 \
+        --display \
+        --pcr-banks sha1,sha256,sha384,sha512
+
+    cp tpm/tpm2-00.permall $@
+    """,
+    visibility = ["//visibility:public"],
+)

README.md

diff --git a/README.md b/README.md
index c2b0464..4fa5e8f 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,9 @@
 
 ## Run build
 
-The build uses a Fedora 30 base image with a set of dependencies:
+The build uses a Fedora 30 base image with a set of dependencies.
+
+Start container shell:
 
 ```
 modprobe kvm
@@ -15,14 +17,14 @@
     -v /dev/null:/work/.idea \
     -v /dev/null:/work/.arcconfig \
     --device /dev/kvm \
+    --net=host \
     smalltown-builder bash
-
-scripts/fetch_third_party.sh
-scripts/build_artifacts.sh
-
-make launch
 ```
 
+Launch the VM:
+
+    bazelisk run scripts:launch
+
 Exit qemu using the monitor console: `Ctrl-A c quit`.
 
 If your host is low on entropy, consider running rngd from rng-tools for development.

WORKSPACE

diff --git a/WORKSPACE b/WORKSPACE
new file mode 100644
index 0000000..59a53fd
--- /dev/null
+++ b/WORKSPACE
@@ -0,0 +1,155 @@
+workspace(name = "smalltown")
+
+load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
+load("@bazel_tools//tools/build_defs/repo:git.bzl", "new_git_repository")
+
+# Load skylib
+
+http_archive(
+    name = "bazel_skylib",
+    sha256 = "97e70364e9249702246c0e9444bccdc4b847bed1eb03c5a3ece4f83dfe6abc44",
+    urls = [
+        "https://mirror.bazel.build/github.com/bazelbuild/bazel-skylib/releases/download/1.0.2/bazel-skylib-1.0.2.tar.gz",
+        "https://github.com/bazelbuild/bazel-skylib/releases/download/1.0.2/bazel-skylib-1.0.2.tar.gz",
+    ],
+)
+
+load("@bazel_skylib//:workspace.bzl", "bazel_skylib_workspace")
+
+bazel_skylib_workspace()
+
+# Assert minimum Bazel version
+
+load("@bazel_skylib//lib:versions.bzl", "versions")
+
+versions.check(minimum_bazel_version = "1.0.0")
+
+# Go and Gazelle
+
+load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
+
+http_archive(
+    name = "io_bazel_rules_go",
+    sha256 = "842ec0e6b4fbfdd3de6150b61af92901eeb73681fd4d185746644c338f51d4c0",
+    urls = [
+        "https://storage.googleapis.com/bazel-mirror/github.com/bazelbuild/rules_go/releases/download/v0.20.1/rules_go-v0.20.1.tar.gz",
+        "https://github.com/bazelbuild/rules_go/releases/download/v0.20.1/rules_go-v0.20.1.tar.gz",
+    ],
+)
+
+http_archive(
+    name = "bazel_gazelle",
+    sha256 = "41bff2a0b32b02f20c227d234aa25ef3783998e5453f7eade929704dcff7cd4b",
+    urls = [
+        "https://storage.googleapis.com/bazel-mirror/github.com/bazelbuild/bazel-gazelle/releases/download/v0.19.0/bazel-gazelle-v0.19.0.tar.gz",
+        "https://github.com/bazelbuild/bazel-gazelle/releases/download/v0.19.0/bazel-gazelle-v0.19.0.tar.gz",
+    ],
+)
+
+load("@io_bazel_rules_go//go:deps.bzl", "go_register_toolchains", "go_rules_dependencies")
+
+# golang.org/x/sys is overridden by the go_rules protobuf dependency -> declare it first, since
+# we need a newer version of it for the netlink package which would fail to compile otherwise.
+load("@bazel_gazelle//:deps.bzl", "go_repository")
+
+go_repository(
+    name = "org_golang_x_sys",
+    importpath = "golang.org/x/sys",
+    sum = "h1:ZtoklVMHQy6BFRHkbG6JzK+S6rX82//Yeok1vMlizfQ=",
+    version = "v0.0.0-20191018095205-727590c5006e",
+)
+
+go_rules_dependencies()
+
+go_register_toolchains()
+
+load("@bazel_gazelle//:deps.bzl", "gazelle_dependencies")
+
+gazelle_dependencies()
+
+# Load Gazelle-generated local dependencies
+
+# gazelle:repository_macro repositories.bzl%go_repositories
+load("//:repositories.bzl", "go_repositories")
+
+go_repositories()
+
+# Protobuf
+
+http_archive(
+    name = "com_google_protobuf",
+    sha256 = "758249b537abba2f21ebc2d02555bf080917f0f2f88f4cbe2903e0e28c4187ed",
+    strip_prefix = "protobuf-3.10.0",
+    urls = ["https://github.com/protocolbuffers/protobuf/archive/v3.10.0.tar.gz"],
+)
+
+load("@com_google_protobuf//:protobuf_deps.bzl", "protobuf_deps")
+
+protobuf_deps()
+
+# External repository filegroup shortcut
+all_content = """filegroup(name = "all", srcs = glob(["**"]), visibility = ["//visibility:public"])"""
+
+# Linux kernel
+
+linux_kernel_version = "4.19.72"
+
+http_archive(
+    name = "linux_kernel",
+    build_file_content = all_content,
+    sha256 = "f9fcb6b3bd29115ac55fc154e300c3dce2044502732f6842ad6c25e6f9f51f6d",
+    strip_prefix = "linux-" + linux_kernel_version,
+    urls = ["https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-%s.tar.xz" % linux_kernel_version],
+)
+
+# EDK2
+
+# edk2-stable201908
+new_git_repository(
+    name = "edk2",
+    build_file = "@//build/edk2:BUILD",
+    commit = "37eef91017ad042035090cae46557f9d6e2d5917",
+    init_submodules = True,
+    remote = "https://github.com/tianocore/edk2",
+    shallow_since = "1567048229 +0800",
+)
+
+# musl
+
+musl_version = "1.1.23"
+
+http_archive(
+    name = "musl",
+    build_file_content = all_content,
+    sha256 = "8a0feb41cef26c97dde382c014e68b9bb335c094bbc1356f6edaaf6b79bd14aa",
+    strip_prefix = "musl-" + musl_version,
+    urls = ["https://www.musl-libc.org/releases/musl-%s.tar.gz" % musl_version],
+)
+
+# util-linux
+
+util_linux_version = "2.34"
+
+http_archive(
+    name = "util_linux",
+    build_file_content = all_content,
+    sha256 = "1d0c1a38f8c14a2c251681907203cccc78704f5702f2ef4b438bed08344242f7",
+    strip_prefix = "util-linux-" + util_linux_version,
+    urls = ["https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/snapshot/util-linux-%s.tar.gz" % util_linux_version],
+)
+
+# xfsprogs-dev
+
+xfsprogs_dev_version = "5.2.1"
+
+http_archive(
+    name = "xfsprogs_dev",
+    build_file_content = all_content,
+    patch_args = ["-p1"],
+    patches = [
+        "@//build/utils/xfsprogs_dev:0001-Fixes-for-static-compilation.patch",
+    ],
+    sha256 = "6187f25f1744d1ecbb028b0ea210ad586d0f2dae24e258e4688c67740cc861ef",
+    strip_prefix = "xfsprogs-dev-" + xfsprogs_dev_version,
+    urls = ["https://git.kernel.org/pub/scm/fs/xfs/xfsprogs-dev.git/snapshot/xfsprogs-dev-%s.tar.gz" % xfsprogs_dev_version],
+)

build/edk2/BUILD

diff --git a/build/edk2/BUILD b/build/edk2/BUILD
new file mode 100644
index 0000000..7911678
--- /dev/null
+++ b/build/edk2/BUILD
@@ -0,0 +1,22 @@
+genrule(
+    name = "firmware",
+    srcs = glob(["**"]),
+    outs = [
+        "OVMF_CODE.fd",
+        "OVMF_VARS.fd",
+    ],
+    cmd = """
+    (
+        # The edk2 build does not like Bazel's default genrule environment.
+        set +u
+
+        cd external/edk2
+        . edksetup.sh
+        make -C BaseTools/Source/C
+        build -DTPM2_ENABLE -DSECURE_BOOT_ENABLE -t GCC5 -a X64 -b RELEASE -p $$PWD/OvmfPkg/OvmfPkgX64.dsc
+    ) > /dev/null
+
+    cp external/edk2/Build/OvmfX64/RELEASE_GCC5/FV/{OVMF_CODE.fd,OVMF_VARS.fd} $(RULEDIR)
+    """,
+    visibility = ["//visibility:public"],
+)

build/linux_kernel/BUILD

diff --git a/build/linux_kernel/BUILD b/build/linux_kernel/BUILD
new file mode 100644
index 0000000..b5665e2
--- /dev/null
+++ b/build/linux_kernel/BUILD
@@ -0,0 +1,28 @@
+genrule(
+    name = "image",
+    srcs = [
+        "@linux_kernel//:all",
+        "@//cmd/init",
+        "@//build/utils",
+        "initramfs.list",
+        "linux-smalltown.config",
+    ],
+    outs = [
+        "bzImage",
+    ],
+    cmd = """
+    DIR=external/linux_kernel
+
+    mkdir $$DIR/.bin
+
+    cp $(location linux-smalltown.config) $$DIR/.config
+    cp $(location @//cmd/init) $$DIR/.bin/init
+    cp $(locations @//build/utils) $$DIR/.bin/
+    cp $(location initramfs.list) $$DIR/initramfs.list
+
+    (cd $$DIR && make -j 16) >/dev/null
+
+    cp $$DIR/arch/x86/boot/bzImage $(RULEDIR)
+    """,
+    visibility = ["//visibility:public"],
+)

build/linux_kernel/initramfs.list

diff --git a/build/linux_kernel/initramfs.list b/build/linux_kernel/initramfs.list
new file mode 100644
index 0000000..71fbfea
--- /dev/null
+++ b/build/linux_kernel/initramfs.list
@@ -0,0 +1,6 @@
+dir /dev 0755 0 0
+nod /dev/console 0600 0 0 c 5 1
+nod /dev/null 0644 0 0 c 1 3
+file /init .bin/init 0755 0 0
+dir /bin 0755 0 0
+file /bin/mkfs.xfs .bin/mkfs.xfs 0755 0 0

build/linux_kernel/linux-signos.config

diff --git a/kernel/linux-signos.config b/build/linux_kernel/linux-signos.config
similarity index 99%
rename from kernel/linux-signos.config
rename to build/linux_kernel/linux-signos.config
index 97ecdef..cec3ff6 100644
--- a/kernel/linux-signos.config
+++ b/build/linux_kernel/linux-signos.config
@@ -118,7 +118,7 @@
 # CONFIG_SYSFS_DEPRECATED is not set
 # CONFIG_RELAY is not set
 CONFIG_BLK_DEV_INITRD=y
-CONFIG_INITRAMFS_SOURCE="../../kernel/initramfs.list"
+CONFIG_INITRAMFS_SOURCE="initramfs.list"
 CONFIG_INITRAMFS_ROOT_UID=0
 CONFIG_INITRAMFS_ROOT_GID=0
 # CONFIG_RD_GZIP is not set

build/utils/BUILD

diff --git a/build/utils/BUILD b/build/utils/BUILD
new file mode 100644
index 0000000..0a3454b
--- /dev/null
+++ b/build/utils/BUILD
@@ -0,0 +1,86 @@
+# TODO(leo): I have not been able to figure out a clever way of separating this
+# into multiple rules, particularly musl, which hardcodes sandbox paths into its
+# toolchain such that a different rule cannot consume it.
+#
+# For now, using a single massive genrule is the least annoying way to do this.
+# As soon as we build more than just mkfs.xfs, we should re-visit this.
+#
+# Some possibilities:
+#
+#  - Build the musl toolchain in the build container and use native rules
+#    for headers_install and util_linux (they should, in theory, generate
+#    well-defined artifacts that we can use in the build).
+#
+#    This would use Bazel's toolchain definition mechanism to consume the
+#    external toolchain, and would be compatible with the native C rules.
+#
+#    Maybe we can even build the external toolchain inside Bazel somehow?
+#
+#  - Write a custom rule that handles the toolchain.
+#
+#  - Converting *everything* to native rules is probably not an option due
+#    to how complex the third party build systems we touch are.
+
+genrule(
+    name = "utils",
+    srcs = [
+        "@xfsprogs_dev//:all",
+        "@musl//:all",
+        "@util_linux//:all",
+        "@linux_kernel//:all",
+    ],
+    outs = [
+        "mkfs.xfs",
+    ],
+    cmd = """
+    MUSL=$$PWD/$(RULEDIR)/musl_prefix
+
+    echo "Compiling and installing musl..."
+    (
+        cd external/musl
+        ./configure --prefix=$$MUSL
+        make -j 8 install
+    ) > /dev/null
+
+    echo "Installing Linux kernel headers..."
+    (
+        cd external/linux_kernel
+        make headers_install ARCH=x86_64 INSTALL_HDR_PATH=$$MUSL
+    ) > /dev/null
+
+    echo "Compiling util_linux..."
+    (
+        cd external/util_linux
+        ./autogen.sh
+        ./configure \
+        CC="$$MUSL/bin/musl-gcc" \
+        --without-systemd \
+        --without-udev \
+        --without-btrfs \
+        --disable-pylibmount \
+        --without-tinfo \
+        --prefix=$$MUSL \
+        --disable-makeinstall-chown \
+        --disable-makeinstall-setuid \
+        --with-bashcompletiondir=$$MUSL/usr/share/bash-completion
+        make -j8 libuuid.la libblkid.la
+        echo "Installing util_linux..."
+        cp -v .libs/* $$MUSL/lib/
+        mkdir -p $$MUSL/include/{uuid,blkid}
+        cp libuuid/src/uuid.h $$MUSL/include/uuid/
+        cp libblkid/src/blkid.h $$MUSL/include/blkid/
+    ) > /dev/null
+
+    echo "Compiling mkfs.xfs..."
+    (
+        cd external/xfsprogs_dev
+        make configure
+        ./configure CC="$$MUSL/bin/musl-gcc" CFLAGS="-static" --prefix=$$MUSL
+        echo COMPILERING
+        make mkfs
+    ) > /dev/null
+
+    cp external/xfsprogs_dev/mkfs/mkfs.xfs $(RULEDIR)
+    """,
+    visibility = ["//visibility:public"],
+)

build/utils/xfsprogs_dev/0001-Fixes-for-static-compilation.patch

diff --git a/patches/xfsprogs-dev/0001-Fixes-for-static-compilation.patch b/build/utils/xfsprogs_dev/0001-Fixes-for-static-compilation.patch
similarity index 100%
rename from patches/xfsprogs-dev/0001-Fixes-for-static-compilation.patch
rename to build/utils/xfsprogs_dev/0001-Fixes-for-static-compilation.patch

build/utils/xfsprogs_dev/BUILD

diff --git a/build/utils/xfsprogs_dev/BUILD b/build/utils/xfsprogs_dev/BUILD
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/build/utils/xfsprogs_dev/BUILD

cmd/init/BUILD.bazel

diff --git a/cmd/init/BUILD.bazel b/cmd/init/BUILD.bazel
new file mode 100644
index 0000000..4246105
--- /dev/null
+++ b/cmd/init/BUILD.bazel
@@ -0,0 +1,22 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["main.go"],
+    importpath = "git.monogon.dev/source/smalltown.git/cmd/init",
+    visibility = ["//visibility:private"],
+    deps = [
+        "//internal/network:go_default_library",
+        "//internal/node:go_default_library",
+        "//pkg/tpm:go_default_library",
+        "@org_golang_x_sys//unix:go_default_library",
+        "@org_uber_go_zap//:go_default_library",
+    ],
+)
+
+go_binary(
+    name = "init",
+    embed = [":go_default_library"],
+    pure = "on",  # keep
+    visibility = ["//visibility:public"],
+)

cmd/mkimage/BUILD.bazel

diff --git a/cmd/mkimage/BUILD.bazel b/cmd/mkimage/BUILD.bazel
new file mode 100644
index 0000000..6ef43f6
--- /dev/null
+++ b/cmd/mkimage/BUILD.bazel
@@ -0,0 +1,20 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["main.go"],
+    importpath = "git.monogon.dev/source/smalltown.git/cmd/mkimage",
+    visibility = ["//visibility:private"],
+    deps = [
+        "@com_github_diskfs_go_diskfs//:go_default_library",
+        "@com_github_diskfs_go_diskfs//disk:go_default_library",
+        "@com_github_diskfs_go_diskfs//filesystem:go_default_library",
+        "@com_github_diskfs_go_diskfs//partition/gpt:go_default_library",
+    ],
+)
+
+go_binary(
+    name = "mkimage",
+    embed = [":go_default_library"],
+    visibility = ["//visibility:public"],
+)

internal/storage/BUILD.bazel

diff --git a/internal/storage/BUILD.bazel b/internal/storage/BUILD.bazel
new file mode 100644
index 0000000..2fe8f56
--- /dev/null
+++ b/internal/storage/BUILD.bazel
@@ -0,0 +1,22 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "blockdev.go",
+        "data.go",
+        "find.go",
+        "xfs.go",
+    ],
+    importpath = "git.monogon.dev/source/smalltown.git/internal/storage",
+    visibility = ["//:__subpackages__"],
+    deps = [
+        "//internal/common:go_default_library",
+        "//pkg/devicemapper:go_default_library",
+        "//pkg/sysfs:go_default_library",
+        "//pkg/tpm:go_default_library",
+        "@com_github_rekby_gpt//:go_default_library",
+        "@org_golang_x_sys//unix:go_default_library",
+        "@org_uber_go_zap//:go_default_library",
+    ],
+)

kernel/initramfs.list

diff --git a/kernel/initramfs.list b/kernel/initramfs.list
deleted file mode 100644
index 8fcb966..0000000
--- a/kernel/initramfs.list
+++ /dev/null
@@ -1,6 +0,0 @@
-dir /dev 0755 0 0
-nod /dev/console 0600 0 0 c 5 1
-nod /dev/null 0644 0 0 c 1 3
-file /init ../../.bin/init 0755 0 0
-dir /bin 0755 0 0
-file /bin/mkfs.xfs ../../.artifacts/mkfs.xfs 0755 0 0

pkg/devicemapper/BUILD.bazel

diff --git a/pkg/devicemapper/BUILD.bazel b/pkg/devicemapper/BUILD.bazel
new file mode 100644
index 0000000..a56718b
--- /dev/null
+++ b/pkg/devicemapper/BUILD.bazel
@@ -0,0 +1,13 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["devicemapper.go"],
+    importpath = "git.monogon.dev/source/smalltown.git/pkg/devicemapper",
+    visibility = ["//visibility:public"],
+    deps = [
+        "@com_github_pkg_errors//:go_default_library",
+        "@com_github_yalue_native_endian//:go_default_library",
+        "@org_golang_x_sys//unix:go_default_library",
+    ],
+)

pkg/sysfs/BUILD.bazel

diff --git a/pkg/sysfs/BUILD.bazel b/pkg/sysfs/BUILD.bazel
new file mode 100644
index 0000000..28c4008
--- /dev/null
+++ b/pkg/sysfs/BUILD.bazel
@@ -0,0 +1,8 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["uevents.go"],
+    importpath = "git.monogon.dev/source/smalltown.git/pkg/sysfs",
+    visibility = ["//visibility:public"],
+)

pkg/tpm/BUILD.bazel

diff --git a/pkg/tpm/BUILD.bazel b/pkg/tpm/BUILD.bazel
new file mode 100644
index 0000000..2325170
--- /dev/null
+++ b/pkg/tpm/BUILD.bazel
@@ -0,0 +1,18 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["tpm.go"],
+    importpath = "git.monogon.dev/source/smalltown.git/pkg/tpm",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//pkg/sysfs:go_default_library",
+        "@com_github_gogo_protobuf//proto:go_default_library",
+        "@com_github_google_go_tpm//tpm2:go_default_library",
+        "@com_github_google_go_tpm_tools//proto:go_default_library",
+        "@com_github_google_go_tpm_tools//tpm2tools:go_default_library",
+        "@com_github_pkg_errors//:go_default_library",
+        "@org_golang_x_sys//unix:go_default_library",
+        "@org_uber_go_zap//:go_default_library",
+    ],
+)

scripts/BUILD

diff --git a/scripts/BUILD b/scripts/BUILD
new file mode 100644
index 0000000..a071996
--- /dev/null
+++ b/scripts/BUILD
@@ -0,0 +1,9 @@
+sh_binary(
+    name = "launch",
+    srcs = ["launch.sh"],
+    data = [
+        "@//:image",
+        "@//:swtpm_data",
+        "@edk2//:firmware",
+    ],
+)

scripts/bazel_copy_generated_for_ide.sh

diff --git a/scripts/bazel_copy_generated_for_ide.sh b/scripts/bazel_copy_generated_for_ide.sh
new file mode 100755
index 0000000..66a980f
--- /dev/null
+++ b/scripts/bazel_copy_generated_for_ide.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# Copy generated Go protobuf libraries to a place where a non-Bazel-aware IDE can find them.
+# Locally, a symlink will be sufficient.
+
+cp -r bazel-bin/api/*/linux_amd64_stripped/*/git.monogon.dev/source/smalltown.git/generated/* generated/

scripts/build_artifacts.sh

diff --git a/scripts/build_artifacts.sh b/scripts/build_artifacts.sh
deleted file mode 100755
index de1addc..0000000
--- a/scripts/build_artifacts.sh
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/usr/bin/env bash
-set -eo pipefail
-
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-ROOT=$(realpath ${DIR}/../.vendor)
-
-echo "Vendor build root: $ROOT"
-
-if [ ! -d "$ROOT/linux" ] ; then
-    echo "Please first call scripts/fetch_third_party.sh"
-    exit 1
-fi
-
-if [ ! -d "$ROOT/edk2" ] ; then
-    git clone --single-branch --branch edk2-stable201908 --depth=1 --recurse-submodules https://github.com/tianocore/edk2 $ROOT/edk2
-fi
-
-(
-  cd $ROOT/edk2
-  . edksetup.sh
-  make -C BaseTools/Source/C
-  build -DTPM2_ENABLE -DSECURE_BOOT_ENABLE -t GCC5 -a X64 -b RELEASE -p $PWD/OvmfPkg/OvmfPkgX64.dsc
-
-  cp Build/OvmfX64/RELEASE_GCC5/FV/{OVMF_CODE.fd,OVMF_VARS.fd} $ROOT/../.artifacts
-)
-
-musl_prefix=$ROOT/musl-prefix
-
-(
-  cd $ROOT/linux
-  make headers_install ARCH=x86_64 INSTALL_HDR_PATH=$musl_prefix
-)
-
-mkdir -p $ROOT/musl
-curl -L https://www.musl-libc.org/releases/musl-1.1.23.tar.gz | tar -xzf - -C $ROOT/musl --strip-components 1
-
-(
-  cd $ROOT/musl
-
-  ./configure --prefix=$musl_prefix --syslibdir=$musl_prefix/lib
-  make -j8
-  make install
-)
-
-mkdir -p $ROOT/util-linux
-curl -L https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/snapshot/util-linux-2.34.tar.gz | tar -xzf - -C $ROOT/util-linux --strip-components 1
-
-(
-  cd $ROOT/util-linux
-  ./autogen.sh
-  ./configure \
-    CC=$musl_prefix/bin/musl-gcc \
-    --without-systemd \
-    --without-udev \
-    --without-btrfs \
-    --disable-pylibmount \
-    --without-tinfo \
-    --prefix=$musl_prefix \
-    --disable-makeinstall-chown \
-    --disable-makeinstall-setuid \
-    --with-bashcompletiondir=$musl_prefix/usr/share/bash-completion
-  make -j8
-  make install
-)
-
-mkdir -p $ROOT/xfsprogs-dev
-curl -L https://git.kernel.org/pub/scm/fs/xfs/xfsprogs-dev.git/snapshot/xfsprogs-dev-5.2.1.tar.gz | tar -xzf - -C $ROOT/xfsprogs-dev --strip-components 1
-
-(
-  cd $ROOT/xfsprogs-dev
-  patch -p1 < ../../patches/xfsprogs-dev/*.patch
-  make configure
-  ./configure CC=$musl_prefix/bin/musl-gcc "CFLAGS=-static -I$musl_prefix/include -L$musl_prefix/lib" "LDFLAGS=-L$musl_prefix/lib"
-  make -j8 mkfs
-  cp $ROOT/xfsprogs-dev/mkfs/mkfs.xfs $ROOT/../.artifacts
-)

scripts/fetch_third_party.sh

diff --git a/scripts/fetch_third_party.sh b/scripts/fetch_third_party.sh
deleted file mode 100755
index 537b19a..0000000
--- a/scripts/fetch_third_party.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-mkdir -p .vendor/linux
-curl -L https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.19.72.tar.xz | tar -xJf - -C .vendor/linux --strip-components 1
-ln -rfs kernel/linux-smalltown.config .vendor/linux/.config

scripts/gazelle.sh

diff --git a/scripts/gazelle.sh b/scripts/gazelle.sh
new file mode 100755
index 0000000..c47241e
--- /dev/null
+++ b/scripts/gazelle.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# gazelle.sh regenerates BUILD.bazel files for Go source files.
+
+bazelisk run //:gazelle -- update
+bazelisk run //:gazelle -- update-repos -from_file=go.mod -to_macro=repositories.bzl%go_repositories

scripts/launch.sh

diff --git a/scripts/launch.sh b/scripts/launch.sh
index aad121f..4704272 100755
--- a/scripts/launch.sh
+++ b/scripts/launch.sh
@@ -1,18 +1,18 @@
 #!/bin/sh
 
-swtpm socket --tpmstate dir=$PWD/.data/tpm --ctrl type=unixio,path=$PWD/.data/swtpm-sock --tpm2 &
+swtpm socket --tpmstate dir=tpm --ctrl type=unixio,path=tpm-socket --tpm2 &
 
 qemu-system-x86_64 \
     -cpu host -smp sockets=1,cpus=1,cores=2,threads=2,maxcpus=4 -m 1024 -machine q35 -enable-kvm -nographic -nodefaults \
-    -drive if=pflash,format=raw,readonly,file=$PWD/.artifacts/OVMF_CODE.fd \
-    -drive if=pflash,format=raw,snapshot=on,file=$PWD/.artifacts/OVMF_VARS.fd \
-    -drive if=virtio,format=raw,cache=unsafe,file=$PWD/.data/smalltown.img \
+    -drive if=pflash,format=raw,readonly,file=external/edk2/OVMF_CODE.fd \
+    -drive if=pflash,format=raw,snapshot=on,file=external/edk2/OVMF_VARS.fd \
+    -drive if=virtio,format=raw,cache=unsafe,file=smalltown.img \
     -netdev user,id=net0,hostfwd=tcp::7833-:7833,hostfwd=tcp::7834-:7834 \
     -device virtio-net-pci,netdev=net0 \
-    -chardev socket,id=chrtpm,path=$PWD/.data/swtpm-sock \
+    -chardev socket,id=chrtpm,path=tpm-socket \
     -tpmdev emulator,id=tpm0,chardev=chrtpm \
     -device tpm-tis,tpmdev=tpm0 \
-    -debugcon file:.data/debug.log \
+    -debugcon file:debug.log \
     -global isa-debugcon.iobase=0x402 \
     -device ipmi-bmc-sim,id=ipmi0 \
     -device virtio-rng-pci \