oasisprotocol
diff --git a/‎build/env/env.go‎
Lines changed: 18 additions & 5 deletions b/‎build/env/env.go‎
Lines changed: 18 additions & 5 deletions
diff --git a/‎build/rofl/artifacts.go‎
Lines changed: 3 additions & 0 deletions b/‎build/rofl/artifacts.go‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎build/sgxs/sgxs.go‎
Lines changed: 3 additions & 3 deletions b/‎build/sgxs/sgxs.go‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎cmd/rofl/build/artifacts.go‎
Lines changed: 103 additions & 6 deletions b/‎cmd/rofl/build/artifacts.go‎
Lines changed: 103 additions & 6 deletions
@@ -6,6 +6,7 @@ import (
 	"os/exec"
 	"path/filepath"
 	"strings"
+	"sync"
 
 	"github.com/oasisprotocol/cli/cmd/common"
 )
@@ -86,6 +87,10 @@ type ContainerEnv struct {
 }
 
 var containerCmds = []string{"docker", "podman"}
+var (
+	containerCmdPath string
+	containerCmdOnce sync.Once
+)
 
 // NewContainerEnv creates a new Docker or Podman-based execution environment.
 func NewContainerEnv(image, baseDir, dirMount string) *ContainerEnv {
@@ -213,12 +218,20 @@ func (de *ContainerEnv) HasBinary(string) bool {
 
 // getContainerCmd finds a working docker or podman command and returns its path.
 func getContainerCmd() string {
-	for _, cmd := range containerCmds {
-		if path, err := exec.LookPath(cmd); err == nil && path != "" {
-			return path
+	containerCmdOnce.Do(func() {
+		for _, cmd := range containerCmds {
+			if path, err := exec.LookPath(cmd); err == nil && path != "" {
+				containerCmdPath = path
+				return
+			}
 		}
-	}
-	return ""
+	})
+	return containerCmdPath
+}
+
+// IsContainerRuntimeAvailable returns true if a container runtime (docker or podman) is available.
+func IsContainerRuntimeAvailable() bool {
+	return getContainerCmd() != ""
 }
 
 // IsAvailable implements ExecEnv.
 
@@ -1,5 +1,8 @@
 package rofl
 
+// LatestBuilderImage is the latest builder container image to use when building ROFL apps.
+const LatestBuilderImage = "ghcr.io/oasisprotocol/rofl-dev:v0.5.0@sha256:31573686552abeb0edebc450f6872831f0006a6cf38220cef7e0789d4376c2c1"
+
 // LatestBasicArtifacts are the latest TDX ROFL basic app artifacts.
 var LatestBasicArtifacts = ArtifactsConfig{
 	Firmware: "https://github.com/oasisprotocol/oasis-boot/releases/download/v0.6.2/ovmf.tdx.fd#db47100a7d6a0c1f6983be224137c3f8d7cb09b63bb1c7a5ee7829d8e994a42f",
 
@@ -15,10 +15,10 @@ import (
 // It requires the `ftxsgx-elf2sgxs` utility to be installed.
 func Elf2Sgxs(buildEnv env.ExecEnv, elfSgxPath, sgxsPath string, heapSize, stackSize, threads uint64) (err error) {
 	if elfSgxPath, err = buildEnv.PathToEnv(elfSgxPath); err != nil {
-		return
+		return err
 	}
 	if sgxsPath, err = buildEnv.PathToEnv(sgxsPath); err != nil {
-		return
+		return err
 	}
 
 	args := []string{
@@ -31,7 +31,7 @@ func Elf2Sgxs(buildEnv env.ExecEnv, elfSgxPath, sgxsPath string, heapSize, stack
 
 	cmd := exec.Command("ftxsgx-elf2sgxs", args...)
 	if err = buildEnv.WrapCommand(cmd); err != nil {
-		return
+		return err
 	}
 	if common.IsVerbose() {
 		fmt.Println(cmd)
 
@@ -14,6 +14,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"sort"
 	"strings"
 	"time"
 
@@ -316,13 +317,23 @@ func createSquashFs(buildEnv env.ExecEnv, fn, dir string) (int64, error) {
 	}
 
 	// Create reproducible tar archive.
+	if os.Getenv("ROFL_DEBUG_ROOTFS_HASH") != "" {
+		if err := debugRootfsHashes(dir); err != nil {
+			return 0, fmt.Errorf("failed to compute rootfs debug hashes: %w", err)
+		}
+	}
+
 	tarPath := fn + ".tar"
+	tarPathEnv, err := buildEnv.PathToEnv(tarPath)
+	if err != nil {
+		return 0, fmt.Errorf("failed to translate tar path for container: %w", err)
+	}
 	fmt.Printf("Creating tar archive: %s\n", tarPath)
 	//nolint:gosec // tarPath is constructed internally, not from user input.
 	tarCmd := exec.Command(
 		"tar",
 		"--create",
-		"--file="+tarPath,
+		"--file="+tarPathEnv,
 		"--format=gnu",
 		"--sort=name",
 		"--mtime=@0",
@@ -413,6 +424,69 @@ func createSquashFs(buildEnv env.ExecEnv, fn, dir string) (int64, error) {
 	return fi.Size(), nil
 }
 
+// debugRootfsHashes prints deterministic SHA256 hashes for all files in dir to help diagnose
+// cross-host differences. Controlled via ROFL_DEBUG_ROOTFS_HASH env var.
+func debugRootfsHashes(dir string) error {
+	type entry struct {
+		path string
+		hash string
+	}
+	var entries []entry
+
+	err := filepath.WalkDir(dir, func(path string, d fs.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+		if d.IsDir() {
+			return nil
+		}
+		rel, err := filepath.Rel(dir, path)
+		if err != nil {
+			return err
+		}
+
+		fi, err := os.Lstat(path)
+		if err != nil {
+			return err
+		}
+
+		switch {
+		case fi.Mode()&os.ModeSymlink != 0:
+			target, err := os.Readlink(path)
+			if err != nil {
+				return err
+			}
+			entries = append(entries, entry{path: rel, hash: "symlink->" + target})
+		default:
+			f, err := os.Open(path)
+			if err != nil {
+				return err
+			}
+			h := sha256.New()
+			if _, err = io.Copy(h, f); err != nil {
+				f.Close()
+				return err
+			}
+			f.Close()
+			entries = append(entries, entry{path: rel, hash: fmt.Sprintf("%x", h.Sum(nil))})
+		}
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+
+	sort.Slice(entries, func(i, j int) bool {
+		return entries[i].path < entries[j].path
+	})
+
+	fmt.Println("Rootfs file hashes (debug):")
+	for _, e := range entries {
+		fmt.Printf("  %s %s\n", e.hash, e.path)
+	}
+	return nil
+}
+
 // sha256File computes a SHA-256 digest of the file with the given filename and returns a
 // hex-encoded hash.
 func sha256File(fn string) (string, error) {
@@ -443,17 +517,32 @@ func createVerityHashTree(buildEnv env.ExecEnv, fsFn, hashFn string) (string, er
 		return "", err
 	}
 
+	// Translate paths for container environments.
+	fsFnEnv, err := buildEnv.PathToEnv(fsFn)
+	if err != nil {
+		return "", fmt.Errorf("failed to translate filesystem path for container: %w", err)
+	}
+
+	hashFnEnv, err := buildEnv.PathToEnv(hashFn)
+	if err != nil {
+		return "", fmt.Errorf("failed to translate hash path for container: %w", err)
+	}
+
 	rootHashFn := hashFn + ".roothash"
+	rootHashFnEnv, err := buildEnv.PathToEnv(rootHashFn)
+	if err != nil {
+		return "", fmt.Errorf("failed to translate roothash path for container: %w", err)
+	}
 
 	cmd := exec.Command( //nolint:gosec
 		veritysetupBin, "format",
 		"--data-block-size=4096",
 		"--hash-block-size=4096",
 		"--uuid=00000000-0000-0000-0000-000000000000",
 		"--salt="+salt,
-		"--root-hash-file="+rootHashFn,
-		fsFn,
-		hashFn,
+		"--root-hash-file="+rootHashFnEnv,
+		fsFnEnv,
+		hashFnEnv,
 	)
 	var out strings.Builder
 	cmd.Stderr = &out
@@ -556,14 +645,22 @@ func convertToQcow2(buildEnv env.ExecEnv, fn string) error {
 	}
 
 	tmpOutFn := fn + ".qcow2"
+	fnEnv, err := buildEnv.PathToEnv(fn)
+	if err != nil {
+		return fmt.Errorf("failed to translate qcow input path for container: %w", err)
+	}
+	tmpOutFnEnv, err := buildEnv.PathToEnv(tmpOutFn)
+	if err != nil {
+		return fmt.Errorf("failed to translate qcow output path for container: %w", err)
+	}
 
 	// Execute qemu-img.
 	cmd := exec.Command(
 		qemuImgBin,
 		"convert",
 		"-O", "qcow2",
-		fn,
-		tmpOutFn,
+		fnEnv,
+		tmpOutFnEnv,
 	)
 	var out strings.Builder
 	cmd.Stderr = &out
Original file line number	Diff line number	Diff line change
`@@ -15,10 +15,10 @@ import (`
`15`	`15`	// It requires the `ftxsgx-elf2sgxs` utility to be installed.
`16`	`16`	`func Elf2Sgxs(buildEnv env.ExecEnv, elfSgxPath, sgxsPath string, heapSize, stackSize, threads uint64) (err error) {`
`17`	`17`	`if elfSgxPath, err = buildEnv.PathToEnv(elfSgxPath); err != nil {`
`18`		`- return`
	`18`	`+ return err`
`19`	`19`	`}`
`20`	`20`	`if sgxsPath, err = buildEnv.PathToEnv(sgxsPath); err != nil {`
`21`		`- return`
	`21`	`+ return err`
`22`	`22`	`}`
`23`	`23`
`24`	`24`	`args := []string{`
`@@ -31,7 +31,7 @@ func Elf2Sgxs(buildEnv env.ExecEnv, elfSgxPath, sgxsPath string, heapSize, stack`
`31`	`31`
`32`	`32`	`cmd := exec.Command("ftxsgx-elf2sgxs", args...)`
`33`	`33`	`if err = buildEnv.WrapCommand(cmd); err != nil {`
`34`		`- return`
	`34`	`+ return err`
`35`	`35`	`}`
`36`	`36`	`if common.IsVerbose() {`
`37`	`37`	`fmt.Println(cmd)`