From 996741506aa346a03935aa752189309462e4caf4 Mon Sep 17 00:00:00 2001
From: Tiziano Santoro
Date: Wed, 21 Jun 2023 13:58:50 +0100
Subject: [PATCH] Use nix in Docker
---
 .devcontainer.json | 2 +-
 .github/workflows/build_rust_docs.yaml | 3 +-
 .github/workflows/ci.yaml | 31 +-
 .markdownlint.yaml | 7 -
 Dockerfile | 363 +-----------------
 FORCE_CI | 2 +-
 buildconfigs/oak_echo_enclave_app.toml | 4 +
 buildconfigs/oak_echo_raw_enclave_app.toml | 4 +
 buildconfigs/oak_functions_enclave_app.toml | 4 +
 buildconfigs/oak_restricted_kernel_bin.toml | 4 +
 .../oak_restricted_kernel_simple_io_bin.toml | 4 +
 buildconfigs/oak_tensorflow_enclave_app.toml | 6 +
 buildconfigs/quirk_echo_enclave_app.toml | 4 +
 buildconfigs/stage0_bin.toml | 4 +
 cc/tflite_micro/README.md | 2 +
 enclave_apps/oak_echo_enclave_app/src/main.rs | 2 +-
 .../quirk_echo_enclave_app/src/main.rs | 2 +-
 flake.lock | 162 ++++----
 flake.nix | 115 ++++--
 .../java/com/google/oak/client/android/BUILD | 62 +--
 kokoro/presubmit.sh | 2 +-
 oak_sev_guest/src/ghcb.rs | 4 +-
 oak_virtio/src/queue/mod.rs | 2 +-
 quirk_echo_service/tests/integration_test.rs | 2 +-
 scripts/common | 4 +-
 scripts/format_doc | 1 -
 .../tests/integration_test.rs | 2 +-
 .../transformer_expression/README.md | 1 +
 xtask/src/files.rs | 1 +
 xtask/src/main.rs | 31 +-
 30 files changed, 270 insertions(+), 567 deletions(-)
diff --git a/.devcontainer.json b/.devcontainer.json
index e8d4785f1f0..8f28cf60e65 100644
--- a/.devcontainer.json
+++ b/.devcontainer.json
@@ -4,7 +4,7 @@
 // - https://code.visualstudio.com/docs/remote/devcontainerjson-reference
 {
 // Do not modify manually. This value is automatically updated by ./scripts/docker_build .
- "image": "sha256:f48ec237afe33447dadb24071ef38a5bd472a2fcae2c1ef61bab0244ee9c0e03",
+ "image": "sha256:963c4d4b0e029725153814fc88528597fc66dac652758849db3b83fafa227786",
 "extensions": [
 "13xforever.language-x86-64-assembly",
 "bazelbuild.vscode-bazel",
diff --git a/.github/workflows/build_rust_docs.yaml b/.github/workflows/build_rust_docs.yaml index 30766de9de1..f1ed67fad07 100644 --- a/.github/workflows/build_rust_docs.yaml +++ b/.github/workflows/build_rust_docs.yaml @@ -56,7 +56,8 @@ jobs: # Generate docs from within the Docker image. - name: Generate docs - run: ./scripts/docker_run ./scripts/build_gh_pages ./out + run: | + ./scripts/docker_run nix develop --command ./scripts/build_gh_pages ./out # From the "out" folder, commit the results and push to the `gh-pages` branch. # This step only applies to `push` events (not `pull_request`), and only if there are actual diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index ccdee9f2698..ba27b3bb23d 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -74,35 +74,6 @@ jobs: ./scripts/docker_pull df --human-readable - # Store various common Rust folders to speed up future runs. - # - # The main cache key includes the combined hash of all Cargo.lock files in the repository, but - # falls back on a more generic prefix if an exact match is not found, so that there is at - # least some chance that some of the artifacts will be found there. - # - # We specify the `./cargo-cache` folder (as per `/scripts/docker_run`), as well as various - # `target` folders. This can probably be improved in a variety of ways over time. - # - # See https://doc.rust-lang.org/nightly/cargo/guide/cargo-home.html#caching-the-cargo-home-in-ci - - name: Cache Rust artifacts - uses: actions/cache@v3 - env: - # Increment this value to invalidate previous cache entries. - CACHE_VERSION: 15 - with: - path: | - ./cargo-cache/bin - ./cargo-cache/registry/index - ./cargo-cache/registry/cache - ./cargo-cache/git/db - ./sccache-cache - ./target - key: | - cargo-cache-${{ env.CACHE_VERSION }}-${{ matrix.cmd }}-${{ hashFiles('**/Cargo.lock') }} - restore-keys: | - cargo-cache-${{ env.CACHE_VERSION }}-${{ matrix.cmd }}- - cargo-cache-${{ env.CACHE_VERSION }}- - - name: Run command env: RUST_BACKTRACE: 1 @@ -110,7 +81,7 @@ jobs: # Do not run tests that require KVM on GitHub Actions, since nested virtualization is not supported. OAK_KVM_TESTS: skip run: | - ./scripts/docker_run ./scripts/xtask --scope=all ${{ matrix.cmd }} + ./scripts/docker_run nix develop --command ./scripts/xtask --scope=all ${{ matrix.cmd }} df --human-readable # Ensure that the previous steps did not modify our source-code and that diff --git a/.markdownlint.yaml b/.markdownlint.yaml index 799b2b8aa39..25800f5095d 100644 --- a/.markdownlint.yaml +++ b/.markdownlint.yaml 
@@ -12,13 +12,6 @@ MD010: # https://github.com/DavidAnson/markdownlint/blob/master/doc/Rules.md#md013 MD013: false -# Fenced code blocks should be surrounded by blank lines -# -# This does not work well with embedmd, which requires comments around fenced code blocks. -# -# https://github.com/DavidAnson/markdownlint/blob/master/doc/Rules.md#md031 -MD031: false - # Inline HTML # # https://github.com/DavidAnson/markdownlint/blob/master/doc/Rules.md#md033 diff --git a/Dockerfile b/Dockerfile index a8bc77b23e4..7f71018d035 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,361 +1,10 @@ # Use fixed snapshot of Debian to create a deterministic environment. # Snapshot tags can be found at https://hub.docker.com/r/debian/snapshot/tags?name=bullseye -ARG debian_snapshot=sha256:d647c95797c43e8ef0e0667c4b4acba752ae70385dcf648877903f15c8977da4 -FROM debian/snapshot@${debian_snapshot} +# ARG debian_snapshot=sha256:d647c95797c43e8ef0e0667c4b4acba752ae70385dcf648877903f15c8977da4 +ARG nix_snapshot=sha256:5073736c16b4c37e49786ef63c4dae7896c9994064ad0873f97c191e3a5bc335 +FROM nixos/nix@${nix_snapshot} -# Set the SHELL option -o pipefail before RUN with a pipe in. -# See https://github.com/hadolint/hadolint/wiki/DL4006 -SHELL ["/bin/bash", "-o", "pipefail", "-c"] +RUN echo 'experimental-features = nix-command flakes' >> /etc/nix/nix.conf -# Uncomment the RUN below if the default snapshot package manager is slow. -# Please not that this might cause issues and affects reproducible builds, -# so only use for development. -# RUN echo \ -# deb [arch=amd64] http://ukdebian.mirror.anlx.net/debian buster main non-free contrib\ -# > /etc/apt/sources.list - -# First install the minimal set of utils that will be used to setup the rest of the packages to install. -RUN apt-get --yes update && apt-get install --no-install-recommends --yes curl gnupg2 gnupg-agent ca-certificates - -# Install LLDB for debugging support. -ARG llvm_version=16 -RUN curl --fail --silent --show-error --location https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add - -RUN echo "deb http://apt.llvm.org/bullseye/ llvm-toolchain-bullseye-$llvm_version main" >> /etc/apt/sources.list.d/llvm.list - -# Install docker CLI. 
-RUN curl --fail --silent --show-error --location https://download.docker.com/linux/debian/gpg | apt-key add - -RUN echo "deb [arch=amd64] https://download.docker.com/linux/debian bullseye stable" > /etc/apt/sources.list.d/backports.list - -# Install NodeJS -# https://github.com/nodesource/distributions/blob/master/README.md#manual-installation -RUN curl --fail --silent --show-error --location https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add - -RUN echo "deb https://deb.nodesource.com/node_18.x bullseye main" > /etc/apt/sources.list.d/nodesource.list - -# Getting curl and certificates dependecies. -# We're rate-limiting HTTP requests to 500 kB/s as otherwise we may get timeout errors -# when downloading from snapshot.debian.org. -RUN apt-get --yes update \ - && apt-get install --no-install-recommends --yes --option Acquire::http::Dl-Limit=500 \ - apt-transport-https \ - build-essential \ - ca-certificates \ - # `chromium` is required to run our tests with wasm-pack. - chromium \ - chromium-driver \ - clang-format \ - clang-tidy \ - clang-${llvm_version} \ - # `cmake` is needed for flatbuffer. - cmake \ - # `cpio` is needed for creating initial RAM disks. - cpio \ - curl \ - docker-ce-cli \ - git \ - gnupg2 \ - gnupg-agent \ - libcap-dev \ - libc++-${llvm_version}-dev \ - libfl2 \ - libgmp-dev \ - # `virt-make-fs` from `libguestfs-tools` is needed for creating qcow2 images. - libguestfs-tools \ - libmpc-dev \ - libncurses5 \ - libssl-dev \ - lldb-${llvm_version} \ - musl-tools \ - nodejs \ - openjdk-11-jdk \ - pkg-config \ - procps \ - python3 \ - python3-six \ - python3-distutils \ - qemu-system-x86 \ - shellcheck \ - software-properties-common \ - texinfo \ - vim \ - xml2 \ - # `unzip` and `zlib1g-dev` are needed for Bazel. - unzip \ - zlib1g-dev \ - # Cleanup - && apt-get clean \ - && rm --recursive --force /var/lib/apt/lists/* \ - # Print version of various installed tools. 
- && git --version \ - && shellcheck --version - -# Install Android SDK. -# This is very large and rarely updated, therefore it's better to keep it in a separate layer at the top of the Dockerfile. -# https://developer.android.com/studio/#downloads -# https://developer.android.com/studio/index.html#command-tools -ARG android_sdk_version=8512546 -ENV ANDROID_HOME /opt/android-sdk -ENV android_temp /tmp/android-sdk -RUN mkdir --parents "{android_temp}" \ - && mkdir --parents "${ANDROID_HOME}/cmdline-tools/latest" \ - && curl --location "https://dl.google.com/android/repository/commandlinetools-linux-${android_sdk_version}_latest.zip" > android_sdk.zip \ - && unzip android_sdk.zip -d "${android_temp}" \ - && mv ${android_temp}/cmdline-tools/* "${ANDROID_HOME}/cmdline-tools/latest/" \ - && rm android_sdk.zip - -# Install Android Platform Tools. -# https://developer.android.com/studio/releases/platform-tools -# https://developer.android.com/studio/releases/platforms -# https://developer.android.com/studio/releases/build-tools -ARG platform=30 -ARG tools=30.0.0 -RUN "${ANDROID_HOME}/cmdline-tools/latest/bin/sdkmanager" --update \ - && (yes || true) | "${ANDROID_HOME}/cmdline-tools/latest/bin/sdkmanager" --licenses \ - && (yes || true) | "${ANDROID_HOME}/cmdline-tools/latest/bin/sdkmanager" \ - 'tools' 'platform-tools' 'cmake;3.6.4111459' \ - "platforms;android-${platform}" "build-tools;${tools}" \ - "system-images;android-${platform};default;x86_64" - -# Set up Android SDK paths. -ENV PATH "${PATH}:${ANDROID_HOME}/emulator:${ANDROID_HOME}/tools:${ANDROID_HOME}/platform-tools:${ANDROID_HOME}/tools/bin" -ENV LD_LIBRARY_PATH "${LD_LIBRARY_PATH}:${ANDROID_HOME}/emulator/lib64:${ANDROID_HOME}/emulator/lib64/qt/lib" - -# Install Ent CLI. We mostly then just use it in order to simplify the logic around fetching -# artifacts by URL and ensuring that their digest is correct, in order to ensure reproducibility. 
-ARG ent_server_url=https://ent-server-62sa4xcfia-ew.a.run.app -ARG ent_digest=sha256:b2e999bda4c90fc58c924e19787f5f7037f9d48fd83e7deebd06e3e1d5b31e8d -RUN curl --location ${ent_server_url}/raw/${ent_digest} > /usr/local/bin/ent \ - && chmod +x /usr/local/bin/ent \ - && ent - -# Use a fixed version of Bazel. -# https://github.com/bazelbuild/bazel -ARG bazel_version=5.3.1 -ARG bazel_digest=sha256:1e939b50d90f68d30fa4f3c12dfdf31429b83ddd8076c622429854f64253c23d -ARG bazel_url=https://storage.googleapis.com/bazel-apt/pool/jdk1.8/b/bazel/bazel_${bazel_version}_amd64.deb -RUN ent get ${bazel_digest} --url=${bazel_url} > bazel.deb \ - && apt-get install --no-install-recommends --yes ./bazel.deb \ - && rm bazel.deb \ - && apt-get clean \ - && bazel version - -# Install the necessary binaries and SDKs, ordering them from the less frequently changed to the -# more frequently changed. -# See https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#leverage-build-cache. - -# Install Go. -# https://go.dev/dl/ -ARG golang_version=1.19.2 -ARG golang_digest=sha256:5e8c5a74fe6470dd7e055a461acda8bb4050ead8c2df70f227e3ff7d8eb7eeb6 -ARG golang_temp=/tmp/golang.tar.gz -ENV GOROOT /usr/local/go -ENV GOPATH ${HOME}/go -ENV PATH "${GOROOT}/bin:${PATH}" -ENV PATH "${GOPATH}/bin:${PATH}" -# Enable Go module behaviour even in the presence of GOPATH; this way we can specify precise -# versions via `go install`. -# See https://dev.to/maelvls/why-is-go111module-everywhere-and-everything-about-go-modules-24k -ENV GO111MODULE on -RUN mkdir --parents ${GOROOT} \ - && ent get ${golang_digest} --url=https://dl.google.com/go/go${golang_version}.linux-amd64.tar.gz > ${golang_temp} \ - && tar --extract --gzip --file=${golang_temp} --directory=${GOROOT} --strip-components=1 \ - && rm ${golang_temp} \ - && go version - -# Install embedmd (Markdown snippet embedder) (via Go). 
-# https://github.com/campoy/embedmd -RUN go install github.com/campoy/embedmd@97c13d6 \ - && embedmd -v - -# Install liche (Markdown link checker) (via Go). -# https://github.com/raviqqe/liche -RUN go install github.com/raviqqe/liche@f9ba5f2 \ - && liche --version - -# Install prettier and markdownlint (via Node.js). -# This will use the Node version installed by emscripten. -# https://prettier.io/ -# https://github.com/prettier/prettier -# https://github.com/igorshubovych/markdownlint-cli -ARG prettier_version=2.7.1 -ARG prettier_plugin_toml_version=0.3.1 -ARG markdownlint_version=0.32.2 -RUN npm install --global \ - prettier@${prettier_version} \ - prettier-plugin-toml@${prettier_plugin_toml_version} \ - markdownlint-cli@${markdownlint_version} \ - && prettier --version \ - && markdownlint --version - -# Install hadolint. -# https://github.com/hadolint/hadolint -ARG hadolint_version=2.10.0 -ARG hadolint_digest=sha256:8ee6ff537341681f9e91bae2d5da451b15c575691e33980893732d866d3cefc4 -ARG hadolint_dir=/usr/local/hadolint/bin -ARG hadolint_bin=${hadolint_dir}/hadolint -ENV PATH "${hadolint_dir}:${PATH}" -RUN mkdir --parents ${hadolint_dir} \ - && ent get ${hadolint_digest} --url=https://github.com/hadolint/hadolint/releases/download/v${hadolint_version}/hadolint-Linux-x86_64 > ${hadolint_bin} \ - && chmod +x ${hadolint_bin} \ - && hadolint --version - -# Install buildifier. 
-# https://github.com/bazelbuild/buildtools/tree/master/buildifier -ARG bazel_tools_version=5.1.0 -ARG buildifier_digest=sha256:52bf6b102cb4f88464e197caac06d69793fa2b05f5ad50a7e7bf6fbd656648a3 -ARG buildifier_dir=/usr/local/buildifier/bin -ARG buildifier_bin=${buildifier_dir}/buildifier -ENV PATH "${buildifier_dir}:${PATH}" -RUN mkdir --parents ${buildifier_dir} \ - && ent get ${buildifier_digest} --url=https://github.com/bazelbuild/buildtools/releases/download/${bazel_tools_version}/buildifier-linux-amd64 > ${buildifier_bin} \ - && chmod +x ${buildifier_bin} \ - && buildifier --version - -# Install Protobuf compiler. -# https://github.com/protocolbuffers/protobuf -ARG protobuf_version=3.20.3 -ARG protobuf_digest=sha256:44a6b498e996b845edef83864734c0e52f42197e85c9d567af55f4e3ff09d755 -ARG protobuf_dir=/usr/local/protobuf -ARG protobuf_temp=/tmp/protobuf.zip -ENV PATH "${protobuf_dir}/bin:${PATH}" -RUN ent get ${protobuf_digest} --url=https://github.com/protocolbuffers/protobuf/releases/download/v${protobuf_version}/protoc-${protobuf_version}-linux-x86_64.zip > ${protobuf_temp} \ - && unzip ${protobuf_temp} -d ${protobuf_dir} \ - && rm ${protobuf_temp} \ - && chmod --recursive a+rwx ${protobuf_dir} \ - && protoc --version - -# Install rustup. -ARG rustup_dir=/usr/local/cargo -ENV RUSTUP_HOME ${rustup_dir} -ENV CARGO_HOME ${rustup_dir} -ENV PATH "${rustup_dir}/bin:${PATH}" -RUN curl --location https://sh.rustup.rs > /tmp/rustup \ - && sh /tmp/rustup -y --default-toolchain=none \ - && chmod a+rwx ${rustup_dir} \ - && rustup --version - -# Install Rust toolchain. -# We currently need the nightly version in order to be able to compile some of the examples. -# See https://rust-lang.github.io/rustup-components-history/ for how to pick a version that supports -# the appropriate set of components. -ARG rust_version=nightly-2023-02-13 -RUN rustup toolchain install ${rust_version} \ - && rustup default ${rust_version} - -# Install WebAssembly target for Rust. 
-RUN rustup target add wasm32-unknown-unknown - -# Install musl target for Rust (for statically linked binaries). -RUN rustup target add x86_64-unknown-linux-musl - -# Install freestanding target for Rust (for enclave binaries). -RUN rustup target add x86_64-unknown-none - -# Install various components we need. -RUN rustup component add \ - clippy \ - llvm-tools-preview \ - rust-src \ - rustfmt - -# No binary available on Github, have to use cargo install. -# https://github.com/deadlinks/cargo-deadlinks -ARG deadlinks_version=0.8.1 -RUN cargo install --version=${deadlinks_version} cargo-deadlinks - -# Install cargo-fuzz. -# To allow local testing of the fuzzing functionality. -# https://github.com/rust-fuzz/cargo-fuzz -# change cargo-fuzz to the following to avoid a recent failure -# cf. https://github.com/rust-fuzz/cargo-fuzz/pull/277 -RUN cargo install --git https://github.com/rust-fuzz/cargo-fuzz/ --rev 8c964bf183c93cd49ad655eb2f3faecf543d0012 - -# Install cargo-binutils. -ARG binutils_version=0.3.6 -RUN cargo install --version=${binutils_version} cargo-binutils - -# Install cargo-vet. -ARG vet_version=0.6.1 -RUN cargo install --version=${vet_version} cargo-vet - -# Where to install rust tooling -ARG install_dir=${rustup_dir}/bin - -# Install grcov. 
-# https://github.com/mozilla/grcov -ARG grcov_version=v0.8.13 -ARG grcov_location=https://github.com/mozilla/grcov/releases/download/${grcov_version}/grcov-x86_64-unknown-linux-musl.tar.bz2 -RUN curl --location ${grcov_location} | tar --extract --bzip2 --directory=${install_dir} -RUN chmod +x ${install_dir}/grcov - -# Install cargo-deny -# https://github.com/EmbarkStudios/cargo-deny -ARG deny_version=0.13.7 -ARG deny_location=https://github.com/EmbarkStudios/cargo-deny/releases/download/${deny_version}/cargo-deny-${deny_version}-x86_64-unknown-linux-musl.tar.gz -RUN curl --location ${deny_location} | tar --extract --gzip --directory=${install_dir} --strip-components=1 -RUN chmod +x ${install_dir}/cargo-deny - -# Install cargo-udeps -# https://github.com/est31/cargo-udeps -ARG udeps_version=0.1.35 -ARG udeps_dir=cargo-udeps-v${udeps_version}-x86_64-unknown-linux-gnu -ARG udeps_location=https://github.com/est31/cargo-udeps/releases/download/v${udeps_version}/cargo-udeps-v${udeps_version}-x86_64-unknown-linux-gnu.tar.gz -RUN curl --location ${udeps_location} | tar --extract --gzip --directory=${install_dir} --strip-components=2 ./${udeps_dir}/cargo-udeps -RUN chmod +x ${install_dir}/cargo-udeps - -# Install cargo nextest -# https://nexte.st/ -ARG nextest_version=0.9.49 -ARG nextest_location=https://get.nexte.st/${nextest_version}/x86_64-unknown-linux-gnu.tar.gz -RUN curl --location ${nextest_location} | tar --extract --gzip --directory=${install_dir} -RUN cargo nextest help - -# Install rust-analyzer -# https://github.com/rust-analyzer/rust-analyzer -ARG rust_analyzer_version=2023-02-13 -ARG rust_analyzer_location=https://github.com/rust-analyzer/rust-analyzer/releases/download/${rust_analyzer_version}/rust-analyzer-x86_64-unknown-linux-gnu.gz -RUN curl --location ${rust_analyzer_location} | gzip --decompress "$@" > ${install_dir}/rust-analyzer -RUN chmod +x ${install_dir}/rust-analyzer - -# Unset $CARGO_HOME so that the new user will use the default value for it, 
which will point it to -# its own home folder. -ENV CARGO_HOME "" - -# Install sccache -# https://github.com/mozilla/sccache -ARG sccache_version=0.3.3 -ARG sccache_dir=/usr/local/sccache -ARG sccache_location=https://github.com/mozilla/sccache/releases/download/v${sccache_version}/sccache-v${sccache_version}-x86_64-unknown-linux-musl.tar.gz -ENV PATH "${sccache_dir}:${PATH}" -RUN mkdir --parents ${sccache_dir} \ - && curl --location ${sccache_location} | tar --extract --gzip --directory=${sccache_dir} --strip-components=1 \ - && chmod +x ${sccache_dir}/sccache - -# Install wasm-pack. -# https://github.com/rustwasm/wasm-pack -ARG wasm_pack_version=0.10.2 -ARG wasm_pack_digest=sha256:ddf59a454fbee8712932803583d01756204c32fbfb13defa69f08c3e7afb6ac5 -ARG wasm_pack_tmp=/tmp/wasm-pack -ARG wasm_pack_dir=/usr/local/wasm-pack/bin -ARG wasm_pack_bin=${wasm_pack_dir}/wasm-pack -ENV PATH "${wasm_pack_dir}:${PATH}" -RUN mkdir --parents ${wasm_pack_dir} \ - && ent get ${wasm_pack_digest} --url=https://github.com/rustwasm/wasm-pack/releases/download/v${wasm_pack_version}/wasm-pack-v${wasm_pack_version}-x86_64-unknown-linux-musl.tar.gz > ${wasm_pack_tmp} \ - && tar --extract --gzip --file=${wasm_pack_tmp} --directory=${wasm_pack_dir} --strip-components=1 \ - && rm ${wasm_pack_tmp} \ - && chmod +x ${wasm_pack_bin} \ - && wasm-pack --version - -# By default, sccache uses `~/.cache/sccache` locally: https://github.com/mozilla/sccache#local. -ENV RUSTC_WRAPPER sccache - -# Disable cargo incremental compilation, as it conflicts with sccache: https://github.com/mozilla/sccache#rust -ENV CARGO_INCREMENTAL false - -# To make the scripts available to call from everywhere. 
-ENV PATH "/workspace/scripts:${PATH}" - -# Add sourcing of xtask_bash_completion file to .bashrc -RUN echo -e "\n#activate xtask auto-complete\nif [ -f /workspace/.xtask_bash_completion ]; then\n source /workspace/.xtask_bash_completion \nfi" >> "${HOME}/.bashrc" - -# Define alias -RUN echo -e "\nalias ll='ls -l'\n" >> "${HOME}/.bashrc" +RUN nix-env -iA cachix -f https://cachix.org/api/v1/install +RUN cachix use oak diff --git a/FORCE_CI b/FORCE_CI index 8e2afd34277..3c032078a4a 100644 --- a/FORCE_CI +++ b/FORCE_CI @@ -1 +1 @@ -17 \ No newline at end of file +18 diff --git a/buildconfigs/oak_echo_enclave_app.toml b/buildconfigs/oak_echo_enclave_app.toml index baf2e17fb48..235275b8da2 100644 --- a/buildconfigs/oak_echo_enclave_app.toml +++ b/buildconfigs/oak_echo_enclave_app.toml @@ -1,4 +1,8 @@ command = [ + "nix", + "develop", + ".#rust", + "--command", "env", "--chdir=enclave_apps/oak_echo_enclave_app", "cargo", diff --git a/buildconfigs/oak_echo_raw_enclave_app.toml b/buildconfigs/oak_echo_raw_enclave_app.toml index 2cd50354893..20df69a20e9 100644 --- a/buildconfigs/oak_echo_raw_enclave_app.toml +++ b/buildconfigs/oak_echo_raw_enclave_app.toml @@ -1,4 +1,8 @@ command = [ + "nix", + "develop", + ".#rust", + "--command", "env", "--chdir=enclave_apps/oak_echo_raw_enclave_app", "cargo", diff --git a/buildconfigs/oak_functions_enclave_app.toml b/buildconfigs/oak_functions_enclave_app.toml index 04175d5b8e3..03ee62a8334 100644 --- a/buildconfigs/oak_functions_enclave_app.toml +++ b/buildconfigs/oak_functions_enclave_app.toml @@ -2,6 +2,10 @@ # building the `oak_functions_enclave_app` binary, and its provenance. # See https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/docker. command = [ + "nix", + "develop", + ".#rust", + "--command", "env", "--chdir=enclave_apps/oak_functions_enclave_app", "cargo", 
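Review bot: The added `RUN nix-env -iA cachix -f https://cachix.org/api/v1/install` at the end of the new Dockerfile evaluates whatever expression that URL serves at image build time, with no revision or hash, while the base image two lines above it is pinned by `nix_snapshot` and the removed tooling was fetched by digest. Installing from a pinned nixpkgs tarball keeps the image reproducible, e.g. `RUN nix-env -iA cachix -f https://github.com/NixOS/nixpkgs/archive/<PINNED_REV>.tar.gz` (placeholder revision, ideally the one locked in `flake.lock`). `RUN cachix use oak` also makes the `oak` binary cache a substituter for everything built in this container, which presumably includes the provenance builds driven by the `buildconfigs/*.toml` files changed in this commit, so that cache's signing key becomes part of the build's trust base; a comment such as `# Store paths may be substituted from the "oak" cachix cache; its signing key is trusted by all builds in this image.` would make that explicit. The header comment still says "fixed snapshot of Debian" and the old `debian_snapshot` ARG is left commented out; both should be updated or removed now that the base is `nixos/nix`.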
diff --git a/buildconfigs/oak_restricted_kernel_bin.toml b/buildconfigs/oak_restricted_kernel_bin.toml index ce6b997b447..636fb3c555e 100644 --- a/buildconfigs/oak_restricted_kernel_bin.toml +++ b/buildconfigs/oak_restricted_kernel_bin.toml @@ -1,4 +1,8 @@ command = [ + "nix", + "develop", + ".#rust", + "--command", "env", "--chdir=oak_restricted_kernel_bin", "cargo", diff --git a/buildconfigs/oak_restricted_kernel_simple_io_bin.toml b/buildconfigs/oak_restricted_kernel_simple_io_bin.toml index 7155264abf6..783bf1d4483 100644 --- a/buildconfigs/oak_restricted_kernel_simple_io_bin.toml +++ b/buildconfigs/oak_restricted_kernel_simple_io_bin.toml @@ -1,4 +1,8 @@ command = [ + "nix", + "develop", + ".#rust", + "--command", "env", "--chdir=oak_restricted_kernel_bin", "cargo", diff --git a/buildconfigs/oak_tensorflow_enclave_app.toml b/buildconfigs/oak_tensorflow_enclave_app.toml index 00119406d5d..9b0d5df3ac9 100644 --- a/buildconfigs/oak_tensorflow_enclave_app.toml +++ b/buildconfigs/oak_tensorflow_enclave_app.toml @@ -1,4 +1,10 @@ command = [ + "nix", + "develop", + # Unlike other build configs, this one needs to run in the "default" shell instead of just the + # "rust" one, because bazel is also used by the build.rs script. + ".#default", + "--command", "env", "--chdir=enclave_apps/oak_tensorflow_enclave_app", "cargo", diff --git a/buildconfigs/quirk_echo_enclave_app.toml b/buildconfigs/quirk_echo_enclave_app.toml index 61800be5b11..47ec4e08388 100644 --- a/buildconfigs/quirk_echo_enclave_app.toml +++ b/buildconfigs/quirk_echo_enclave_app.toml @@ -1,4 +1,8 @@ command = [ + "nix", + "develop", + ".#rust", + "--command", "env", "--chdir=enclave_apps/quirk_echo_enclave_app", "cargo", diff --git a/buildconfigs/stage0_bin.toml b/buildconfigs/stage0_bin.toml index fbbdeb14118..757140973d2 100644 --- a/buildconfigs/stage0_bin.toml +++ b/buildconfigs/stage0_bin.toml 
@@ -2,6 +2,10 @@ # building the `stage0` binary, and its provenance. # See https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/docker. command = [ + "nix", + "develop", + ".#rust", + "--command", "env", "--chdir=stage0_bin", "cargo", diff --git a/cc/tflite_micro/README.md b/cc/tflite_micro/README.md index ae9107f5619..40fdb0fa566 100644 --- a/cc/tflite_micro/README.md +++ b/cc/tflite_micro/README.md @@ -117,10 +117,12 @@ example: of validating execution on TEE. 1. Binaries that runs on Oak server + ```bash cd oak_tensorflow_enclave cargo build ``` + The binary is built with Oak Restricted Kernel and Oak TensorFlow Service, which can be loaded into virtual machine for execution under TEE. diff --git a/enclave_apps/oak_echo_enclave_app/src/main.rs b/enclave_apps/oak_echo_enclave_app/src/main.rs index fb7269c12ff..674b61018c9 100644 --- a/enclave_apps/oak_echo_enclave_app/src/main.rs +++ b/enclave_apps/oak_echo_enclave_app/src/main.rs @@ -45,7 +45,7 @@ fn main() -> ! { // https://github.com/project-oak/oak/blob/main/oak_channel/SPEC.md fn start_echo_server() -> ! { let mut invocation_stats = StaticSampleStore::<1000>::new().unwrap(); - let service = oak_echo_service::EchoService::default(); + let service = oak_echo_service::EchoService; let server = oak_echo_service::proto::EchoServer::new(service); oak_channel::server::start_blocking_server( Box::::default(), diff --git a/enclave_apps/quirk_echo_enclave_app/src/main.rs b/enclave_apps/quirk_echo_enclave_app/src/main.rs index 353ccc7eb66..b41d2304e50 100644 --- a/enclave_apps/quirk_echo_enclave_app/src/main.rs +++ b/enclave_apps/quirk_echo_enclave_app/src/main.rs 
@@ -47,7 +47,7 @@ fn main() -> ! { // https://github.com/project-oak/oak/blob/main/oak_channel/SPEC.md fn start_echo_server() -> ! { let mut invocation_stats = StaticSampleStore::<1000>::new().unwrap(); - let service = quirk_echo_service::EchoService::default(); + let service = quirk_echo_service::EchoService; let server = quirk_echo_service::proto::quirk::echo::EchoServer::new(service); oak_channel::server::start_blocking_server( Box::::default(), diff --git a/flake.lock b/flake.lock index 8f8a4e740ca..4dcf16c492e 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,121 +1,124 @@ { "nodes": { - "flake-utils": { + "crane": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ], + "rust-overlay": [ + "rust-overlay" + ] + }, "locked": { - "lastModified": 1676283394, - "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "3db36a8b464d0c4532ba1c7dda728f4576d6d073", + "lastModified": 1687310026, + "narHash": "sha256-20RHFbrnC+hsG4Hyeg/58LvQAK7JWfFItTPFAFamu8E=", + "owner": "ipetkov", + "repo": "crane", + "rev": "116b32c30b5ff28e49f4fcbeeb1bbe3544593204", "type": "github" }, "original": { - "owner": "numtide", - "repo": "flake-utils", + "owner": "ipetkov", + "repo": "crane", "type": "github" } }, - "flake-utils_2": { + "flake-compat": { + "flake": false, "locked": { - "lastModified": 1659877975, - "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", "type": "github" }, "original": { - "owner": "numtide", - "repo": "flake-utils", + "owner": "edolstra", + "repo": "flake-compat", "type": "github" } }, - "gomod2nix": { + "flake-utils": { "inputs": { - "nixpkgs": "nixpkgs", - "utils": "utils" + "systems": "systems" }, "locked": { - "lastModified": 1662501203, - "narHash": "sha256-4BKeqCX2zwgBiTdlc2DjGQ0CttKm0vSw0r/bdFdM/PQ=", - "owner": "nix-community", - "repo": "gomod2nix", - "rev": "89cd0675b96775aa3ee86e7c0cf5bc238dd27976", + "lastModified": 1685518550, + "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef", "type": "github" }, "original": { - "owner": "nix-community", - "repo": 
"gomod2nix", + "owner": "numtide", + "repo": "flake-utils", "type": "github" } }, - "nixpkgs": { - "locked": { - "lastModified": 1658285632, - "narHash": "sha256-zRS5S/hoeDGUbO+L95wXG9vJNwsSYcl93XiD0HQBXLk=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "5342fc6fb59d0595d26883c3cadff16ce58e44f3", - "type": "github" + "flake-utils_2": { + "inputs": { + "systems": [ + "systems" + ] }, - "original": { - "owner": "NixOS", - "ref": "master", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_2": { "locked": { - "lastModified": 1676375384, - "narHash": "sha256-6HI3jZiuJX+KLz05cocYy2mBAWlISEKHU84ftYfxHZ8=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "c43f676c938662072772339be6269226c77b51b8", + "lastModified": 1687171271, + "narHash": "sha256-BJlq+ozK2B1sJDQXS3tzJM5a+oVZmi1q0FlBK/Xqv7M=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "abfb11bd1aec8ced1c9bb9adfe68018230f4fb3c", "type": "github" }, "original": { - "owner": "NixOS", - "ref": "nixos-22.11", - "repo": "nixpkgs", + "owner": "numtide", + "repo": "flake-utils", "type": "github" } }, - "nixpkgs_3": { + "nixpkgs": { "locked": { - "lastModified": 1665296151, - "narHash": "sha256-uOB0oxqxN9K7XGF1hcnY+PQnlQJ+3bP2vCn/+Ru/bbc=", + "lastModified": 1686960236, + "narHash": "sha256-AYCC9rXNLpUWzD9hm+askOfpliLEC9kwAo7ITJc4HIw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "14ccaaedd95a488dd7ae142757884d8e125b3363", + "rev": "04af42f3b31dba0ef742d254456dc4c14eedac86", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixpkgs-unstable", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, "root": { "inputs": { - "flake-utils": "flake-utils", - "gomod2nix": "gomod2nix", - "nixpkgs": "nixpkgs_2", - "rust-overlay": "rust-overlay" + "crane": "crane", + "flake-utils": "flake-utils_2", + "nixpkgs": "nixpkgs", + "rust-overlay": "rust-overlay", + "systems": "systems_2" } }, "rust-overlay": { "inputs": { - "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_3" + 
"flake-utils": [ + "flake-utils" + ], + "nixpkgs": [ + "nixpkgs" + ] }, "locked": { - "lastModified": 1676437770, - "narHash": "sha256-mhJye91Bn0jJIE7NnEywGty/U5qdELfsT8S+FBjTdG4=", + "lastModified": 1687314899, + "narHash": "sha256-zglbWHHXnqPUnG+oSQ0xKXR4a8hgGEwbEdGr/1Jgfm0=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "a619538647bd03e3ee1d7b947f7c11ff289b376e", + "rev": "417dc5995703ea9edcce098ad59bb4511271cb73", "type": "github" }, "original": { @@ -124,18 +127,33 @@ "type": "github" } }, - "utils": { + "systems": { "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", "type": "github" }, "original": { - "owner": "numtide", - "repo": "flake-utils", + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1680978846, + "narHash": "sha256-Gtqg8b/v49BFDpDetjclCYXm8mAnTrUzR0JnE2nv5aw=", + "owner": "nix-systems", + "repo": "x86_64-linux", + "rev": "2ecfcac5e15790ba6ce360ceccddb15ad16d08a8", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "x86_64-linux", "type": "github" } } diff --git a/flake.nix b/flake.nix index e6a43f1e47e..38e404b8a14 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,19 +1,24 @@
 {
 description = "oak";
 inputs = {
- nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";
+ systems.url = "github:nix-systems/x86_64-linux";
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
 flake-utils.url = "github:numtide/flake-utils";
- gomod2nix.url = "github:nix-community/gomod2nix";
+ flake-utils.inputs.systems.follows = "systems";
 rust-overlay.url = "github:oxalica/rust-overlay";
+ rust-overlay.inputs.nixpkgs.follows = "nixpkgs";
+ rust-overlay.inputs.flake-utils.follows = "flake-utils";
+ crane.url = "github:ipetkov/crane";
+ crane.inputs.nixpkgs.follows = "nixpkgs";
+ crane.inputs.rust-overlay.follows = "rust-overlay";
 };
- outputs = { self, nixpkgs, flake-utils, gomod2nix, rust-overlay }:
+ outputs = { self, systems, nixpkgs, flake-utils, rust-overlay, crane }:
 (flake-utils.lib.eachDefaultSystem
 (system:
 let
 pkgs = import nixpkgs {
 inherit system;
 overlays = [
- gomod2nix.overlays.default
 rust-overlay.overlays.default
 ];
 config = {
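Review bot: `nixpkgs.url` now follows the rolling `nixos-unstable` branch instead of the `nixos-22.11` release, so the `rev` and `narHash` recorded in flake.lock are the only thing fixing what `nix develop` provides in the development image and CI. I would say so in `inputs`, for example `# Rolling channel; the exact revision is pinned in flake.lock, update it in a dedicated commit.` above the `nixpkgs.url` line. Separately, `systems` is added to the `outputs` argument set but in this hunk it is only used through `flake-utils.inputs.systems.follows`; the `outputs` body continues outside the hunk, so it may be referenced there.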
@@ -21,28 +26,71 @@
 allowUnfree = true; # needed to get android stuff to compile
 };
 };
+ androidSdk =
+ (pkgs.androidenv.composeAndroidPackages {
+ platformVersions = [ "30" ];
+ buildToolsVersions = [ "30.0.0" ];
+ includeEmulator = false;
+ includeNDK = false;
+ includeSources = false;
+ includeSystemImages = false;
+ }).androidsdk;
+ rustToolchain =
+ pkgs.rust-bin.nightly."2023-02-13".default.override {
+ extensions = [
+ "clippy"
+ "llvm-tools-preview"
+ "rust-src"
+ "rustfmt"
+ ];
+ targets = [
+ "wasm32-unknown-unknown"
+ "x86_64-unknown-linux-musl"
+ "x86_64-unknown-none"
+ ];
+ };
+ craneLib = (crane.mkLib pkgs).overrideToolchain rustToolchain;
+ src = ./.;
+ # Build xtask as a package so that we can use it in the devShell and cache it in the
+ # future, without rebuilding it every time.
+ xtask = craneLib.buildPackage {
+ inherit src;
+ pname = "xtask";
+ version = "0.1.0";
+ cargoExtraArgs = "--package=xtask";
+ buildInputs = [
+ pkgs.protobuf
+ ];
+ };
+ # Build the dependencies of xtask as a package so that we can use it in the devShell and
+ # cache it in the future, without rebuilding it every time.
+ cargoDeps = craneLib.buildDepsOnly {
+ inherit src;
+ pname = "cargodeps";
+ version = "0.1.0";
+ cargoExtraArgs = "--package=xtask";
+ };
 in
 {
 packages = { };
+ formatter = pkgs.nixpkgs-fmt;
 devShells = rec {
+ base = with pkgs; mkShell {
+ packages = [
+ just
+ which
+ ];
+ };
 rust = with pkgs; mkShell {
+ inputsFrom = [
+ base
+ ];
 packages = [
- (rust-bin.selectLatestNightlyWith (toolchain: toolchain.default.override {
- extensions = [
- "clippy"
- "llvm-tools-preview"
- "rust-src"
- "rustfmt"
- ];
- targets = [
- "wasm32-unknown-unknown"
- "x86_64-unknown-linux-musl"
- "x86_64-unknown-none"
- ];
- }))
+ (rust-bin.selectLatestNightlyWith (toolchain: rustToolchain))
 cargo-deadlinks
 cargo-binutils
 cargo-deny
+ cargo-fuzz
 cargo-nextest
 cargo-udeps
 protobuf
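Review bot: In the `rust` devShell the new entry `(rust-bin.selectLatestNightlyWith (toolchain: rustToolchain))` passes a selector that ignores its `toolchain` argument, so the shell gets the pinned `nightly."2023-02-13"` toolchain while the call reads as if the latest nightly were selected. Listing it directly as `rustToolchain` says what is meant and keeps the pin obvious to anyone auditing the toolchain version. `xtask` and `cargoDeps` are also defined in the `let` block while `packages = { };` stays empty, so as far as the visible lines show they are never built. The `rust` shell's package list continues outside this hunk.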
@@ -51,33 +99,38 @@
 };
 lint = with pkgs; mkShell {
 packages = [
- hadolint
+ bazel-buildtools
 cargo-deadlinks
+ clang-tools
+ hadolint
+ nixpkgs-fmt
+ nodePackages.markdownlint-cli
 nodePackages.prettier
 nodePackages.prettier-plugin-toml
- nixpkgs-fmt
+ shellcheck
 ];
+ shellHook = ''
+ export NODE_PATH=${nodePackages.prettier-plugin-toml}/lib/node_modules:$NODE_PATH
+ '';
 };
- bazel = with pkgs; mkShell {
+ bazelShell = with pkgs; mkShell {
 shellHook = ''
- export ANDROID_BASE_DIR=$(dirname $(dirname $(which android)))
- export ANDROID_HOME=$ANDROID_BASE_DIR/libexec/android-sdk
+ export ANDROID_HOME="${androidSdk}/libexec/android-sdk"
+ export GRADLE_OPTS="-Dorg.gradle.project.android.aapt2FromMavenOverride=${androidSdk}/libexec/android-sdk/build-tools/28.0.3/aapt2";
 '';
 packages = [
- jdk11
- bazel_6
- (androidenv.composeAndroidPackages {
- includeNDK = false;
- platformVersions = [ "30" "32" ];
- buildToolsVersions = [ "30.0.0" ];
- }).androidsdk
+ jdk11_headless bazel_6
+ androidSdk
+ bazel-buildtools
 ];
 };
- default = with pkgs; mkShell {
+ # By default create a shell with all the inputs.
+ default = pkgs.mkShell {
+ packages = [ ];
 inputsFrom = [
 rust
- bazel
+ bazelShell
 lint
 ];
 };
diff --git a/java/src/main/java/com/google/oak/client/android/BUILD b/java/src/main/java/com/google/oak/client/android/BUILD
index f7c3dc8f26d..d2fb4e4f3ab 100644
--- a/java/src/main/java/com/google/oak/client/android/BUILD
+++ b/java/src/main/java/com/google/oak/client/android/BUILD
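Review bot: The `GRADLE_OPTS` line in the `bazelShell` shellHook points `aapt2FromMavenOverride` at `build-tools/28.0.3/aapt2`, but the `androidSdk` this commit defines is composed with `buildToolsVersions = [ "30.0.0" ]`, so that directory is presumably absent from the store path. The path should name the version that is actually installed: `export GRADLE_OPTS="-Dorg.gradle.project.android.aapt2FromMavenOverride=${androidSdk}/libexec/android-sdk/build-tools/30.0.0/aapt2"`. The trailing `;` after the closing quote is harmless in the shell hook but can go as well.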
@@ -14,38 +14,40 @@
 # limitations under the License.
 #
-load("@build_bazel_rules_android//android:rules.bzl", "android_binary", "android_library")
+#load("@build_bazel_rules_android//android:rules.bzl", "android_binary", "android_library")
 package(
 licenses = ["notice"],
 )
-android_library(
- name = "client_activity",
- srcs = ["MainActivity.java"],
- custom_package = "com.google.oak.client.android",
- manifest = "AndroidManifest.xml",
- resource_files = glob(["res/**"]),
- deps = [
- "//java/src/main/java/com/google/oak/client",
- "//java/src/main/java/com/google/oak/remote_attestation:insecure_attestation_verifier",
- "//java/src/main/java/com/google/oak/transport:api_key_interceptor",
- "//java/src/main/java/com/google/oak/transport:grpc_streaming_transport",
- "//java/src/main/java/com/google/oak/util",
- "//oak_remote_attestation/proto/v1:service_streaming_java_grpc",
- "@com_google_guava_guava",
- "@com_google_protobuf//:protobuf_javalite",
- "@io_grpc_grpc_java//api",
- "@io_grpc_grpc_java//netty",
- ],
-)
-
-android_binary(
- name = "client_app",
- custom_package = "com.google.oak.client.android",
- manifest = "AndroidManifest.xml",
- multidex = "native",
- deps = [
- ":client_activity",
- ],
-)
+# TODO(#4070): Re-enable Android client build.
+#
+#android_library(
+# name = "client_activity",
+# srcs = ["MainActivity.java"],
+# custom_package = "com.google.oak.client.android",
+# manifest = "AndroidManifest.xml",
+# resource_files = glob(["res/**"]),
+# deps = [
+# "//java/src/main/java/com/google/oak/client",
+# "//java/src/main/java/com/google/oak/remote_attestation:insecure_attestation_verifier",
+# "//java/src/main/java/com/google/oak/transport:api_key_interceptor",
+# "//java/src/main/java/com/google/oak/transport:grpc_streaming_transport",
+# "//java/src/main/java/com/google/oak/util",
+# "//oak_remote_attestation/proto/v1:service_streaming_java_grpc",
+# "@com_google_guava_guava",
+# "@com_google_protobuf//:protobuf_javalite",
+# "@io_grpc_grpc_java//api",
+# "@io_grpc_grpc_java//netty",
+# ],
+#)
+#
+#android_binary(
+# name = "client_app",
+# custom_package = "com.google.oak.client.android",
+# manifest = "AndroidManifest.xml",
+# multidex = "native",
+# deps = [
+# ":client_activity",
+# ],
+#)
diff --git a/kokoro/presubmit.sh b/kokoro/presubmit.sh
index 1843d410b8d..01ed91cf37f 100755
--- a/kokoro/presubmit.sh
+++ b/kokoro/presubmit.sh
@@ -13,7 +13,7 @@ export XDG_RUNTIME_DIR=/var/run
 ./scripts/docker_pull
 # --all-targets is needed to also run tests for examples and benches.
-./scripts/docker_run cargo nextest run --all-targets --hide-progress-bar
+./scripts/docker_run nix develop --command cargo nextest run --all-targets --hide-progress-bar
 mkdir "$KOKORO_ARTIFACTS_DIR/test_logs/"
 cp ./target/nextest/default/*.xml "$KOKORO_ARTIFACTS_DIR/test_logs/"
diff --git a/oak_sev_guest/src/ghcb.rs b/oak_sev_guest/src/ghcb.rs
index 0477eb640e9..05b59b7e179 100644
--- a/oak_sev_guest/src/ghcb.rs
+++ b/oak_sev_guest/src/ghcb.rs
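Review bot: The TODO above the commented-out `android_library` and `android_binary` rules in the Android client BUILD file names issue #4070 but not the reason the targets were disabled. Once commented out they are no longer loaded or built, so nothing will notice drift in their `deps` list. Either delete the rules and restore them from history when #4070 is resolved, or extend the comment, e.g. `# TODO(#4070): Re-enable Android client build; disabled in the move to the Nix-based image, not built or tested until then.` The reason in that wording is inferred from the commit title and should be confirmed by the author.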
@@ -401,7 +401,7 @@ where
 /// Calls a CPUID function for the given input using the GHCB protocol.
 pub fn get_cpuid(&mut self, request: CpuidInput) -> Result {
- let mut ghcb = self.ghcb.as_mut();
+ let ghcb = self.ghcb.as_mut();
 ghcb.sw_exit_code = SW_EXIT_CODE_CPUID;
 ghcb.sw_exit_info_1 = 0;
 ghcb.sw_exit_info_2 = 0;
@@ -469,7 +469,7 @@ where
 request_address: PhysAddr,
 response_address: PhysAddr,
 ) -> Result<(), &'static str> {
- let mut ghcb = self.ghcb.as_mut();
+ let ghcb = self.ghcb.as_mut();
 ghcb.sw_exit_code = SW_EXIT_CODE_GUEST_REQUEST;
 ghcb.sw_exit_info_1 = request_address.as_u64();
 ghcb.sw_exit_info_2 = response_address.as_u64();
diff --git a/oak_virtio/src/queue/mod.rs b/oak_virtio/src/queue/mod.rs
index b1c10d005f8..c0f1b441f3b 100644
--- a/oak_virtio/src/queue/mod.rs
+++ b/oak_virtio/src/queue/mod.rs
@@ -71,7 +71,7 @@ impl<'a, const QUEUE_SIZE: usize, const BUFFER_SIZE: usize, A: Allocator>
 .copy_from_slice(&data[..len]);
 // Update the length of the descriptor.
- let mut desc = &mut self.inner.virt_queue.desc[id as usize];
+ let desc = &mut self.inner.virt_queue.desc[id as usize];
 desc.length = len as u32;
 self.inner.add_available_descriptor(id);
diff --git a/quirk_echo_service/tests/integration_test.rs b/quirk_echo_service/tests/integration_test.rs
index 41de4a6c91c..c780da846ed 100644
--- a/quirk_echo_service/tests/integration_test.rs
+++ b/quirk_echo_service/tests/integration_test.rs
@@ -29,7 +29,7 @@ const TEST_DATA: &[u8] = b"test_data";
 #[test]
 fn it_should_handle_echo_requests() {
- let service = EchoService::default();
+ let service = EchoService;
 let mut client = EchoClient::new(EchoServer::new(service));
 let request = EchoRequest {
diff --git a/scripts/common b/scripts/common
index 3662bf37a92..92d8c854fca 100644
--- a/scripts/common
+++ b/scripts/common
@@ -20,10 +20,10 @@ readonly DOCKER_IMAGE_NAME='europe-west2-docker.pkg.dev/oak-ci/oak-development/o
 # from a registry first.
 # Do not modify manually. This value is automatically updated by ./scripts/docker_build .
-readonly DOCKER_IMAGE_ID='sha256:f48ec237afe33447dadb24071ef38a5bd472a2fcae2c1ef61bab0244ee9c0e03'
+readonly DOCKER_IMAGE_ID='sha256:963c4d4b0e029725153814fc88528597fc66dac652758849db3b83fafa227786'
 # Do not modify manually. This value is automatically updated by ./scripts/docker_push .
-readonly DOCKER_IMAGE_REPO_DIGEST='europe-west2-docker.pkg.dev/oak-ci/oak-development/oak-development@sha256:7b6e401df8e90fec2597806a8c912649b9802de83abe9f6724c3dffe7772f07d'
+readonly DOCKER_IMAGE_REPO_DIGEST='europe-west2-docker.pkg.dev/oak-ci/oak-development/oak-development@sha256:a1ab2e25aa11e3e36900a0131f7430aa8cb11a38d0827c5e8c8c4d08470db6d0'
 readonly CACHE_DIR='bazel-cache'
 readonly SERVER_BIN_DIR="${PWD}/oak_loader/bin"
diff --git a/scripts/format_doc b/scripts/format_doc
index d26a2bce5ee..54f4209a474 100755
--- a/scripts/format_doc
+++ b/scripts/format_doc
@@ -9,4 +9,3 @@ source "$SCRIPTS_DIR/common"
 prettier --write "$@"
 markdownlint --fix "$@"
 liche --document-root=. --exclude='(https://groups.google.com/g/project-oak-discuss|https://crates.io/crates)' "$@"
-embedmd -w "$@"
diff --git a/testing/oak_echo_service/tests/integration_test.rs b/testing/oak_echo_service/tests/integration_test.rs
index b9b7bf2bb5c..e6cc3fc0c11 100644
--- a/testing/oak_echo_service/tests/integration_test.rs
+++ b/testing/oak_echo_service/tests/integration_test.rs
@@ -29,7 +29,7 @@ const TEST_DATA: &[u8] = b"test_data";
 #[test]
 fn it_should_handle_echo_requests() {
- let service = EchoService::default();
+ let service = EchoService;
 let mut client = EchoClient::new(EchoServer::new(service));
 let request = EchoRequest {
diff --git a/testing/tflite_micro/transformer_expression/README.md b/testing/tflite_micro/transformer_expression/README.md
index ab3d5fab30f..d231a145549 100644
--- a/testing/tflite_micro/transformer_expression/README.md +++ b/testing/tflite_micro/transformer_expression/README.md @@ -5,6 +5,7 @@ - Copy the latest or a specific version of `tranformer_expression.tflite` to this folder - Build with debugging information without stripping symbols + ```bash bazel build --copt=-g --strip=never //testing/tflite_micro/transformer_expression ``` diff --git a/xtask/src/files.rs b/xtask/src/files.rs index 11788b5bab7..f3b088537c3 100644 --- a/xtask/src/files.rs +++ b/xtask/src/files.rs @@ -239,6 +239,7 @@ fn is_ignored_path(path: &Path) -> bool { || components.contains(&std::path::Component::Normal("bazel-wasm-bin".as_ref())) || components.contains(&std::path::Component::Normal("bazel-wasm-out".as_ref())) || components.contains(&std::path::Component::Normal("bazel-wasm-oak".as_ref())) + || components.contains(&std::path::Component::Normal("bazel-vscode-target".as_ref())) || components.contains(&std::path::Component::Normal("cache".as_ref())) || components.contains(&std::path::Component::Normal("cargo-cache".as_ref())) || components.contains(&std::path::Component::Normal("node_modules".as_ref())) diff --git a/xtask/src/main.rs b/xtask/src/main.rs index 937173a5aea..1330c22b1c3 100644 --- a/xtask/src/main.rs +++ b/xtask/src/main.rs @@ -219,7 +219,6 @@ fn format(scope: &Scope) -> Step { run_buildifier(FormatMode::Fix), run_prettier(FormatMode::Fix), run_markdownlint(FormatMode::Fix), - run_embedmd(FormatMode::Fix), run_cargo_fmt(FormatMode::Fix, &modified_crates), ], } @@ -238,7 +237,6 @@ fn check_format(scope: &Scope) -> Step { run_buildifier(FormatMode::Check), run_prettier(FormatMode::Check), run_markdownlint(FormatMode::Check), - run_embedmd(FormatMode::Check), // TODO(#1304): Uncomment, when re-run from GitHub is fixed. // run_liche(), run_cargo_fmt(FormatMode::Check, &modified_crates), 
@@ -343,6 +341,7 @@ fn run_prettier(mode: FormatMode) -> Step {
 command: Cmd::new(
 "prettier",
 spread![
+ "--plugin=prettier-plugin-toml".to_string(),
 match mode {
 FormatMode::Check => "--check".to_string(),
 FormatMode::Fix => "--write".to_string(),
@@ -376,29 +375,6 @@ fn run_markdownlint(mode: FormatMode) -> Step {
 }
 }
-fn run_embedmd(mode: FormatMode) -> Step {
- Step::Multiple {
- name: "embedmd".to_string(),
- steps: source_files()
- .filter(|p| is_markdown_file(p))
- .map(to_string)
- .map(|entry| Step::Single {
- name: entry.clone(),
- command: Cmd::new(
- "embedmd",
- [
- match mode {
- FormatMode::Check => "-d",
- FormatMode::Fix => "-w",
- },
- &entry,
- ],
- ),
- })
- .collect(),
- }
-}
-
 // TODO(#1304): Re-enable dead-code check, when re-run from GitHub is fixed.
 #[allow(dead_code)]
 fn run_liche() -> Step {
@@ -445,7 +421,10 @@ fn run_shellcheck() -> Step {
 .map(to_string)
 .map(|entry| Step::Single {
 name: entry.clone(),
- command: Cmd::new("shellcheck", ["--external-sources", &entry]),
+ command: Cmd::new(
+ "shellcheck",
+ ["--exclude=SC2155", "--external-sources", &entry],
+ ),
 })
 .collect(),
 }
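Review bot: `--exclude=SC2155` in `run_shellcheck` switches the check off for every script this step visits. SC2155 is the warning for `local x=$(cmd)` / `export x=$(cmd)` masking the exit status of the substituted command, so a failing command in such a line goes unnoticed. If only a few sites trigger it, I would keep the check on and annotate those lines with `# shellcheck disable=SC2155`, or split declaration and assignment there. If the blanket exclusion stays, a comment next to the argument should record why, e.g. `// SC2155 excluded: <reason>`.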