Date:   Wed, 16 Feb 2022 11:39:30 -0500
From:   Joe Lawrence <joe.lawrence@...hat.com>
To:     live-patching@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-kbuild@...r.kernel.org
Subject: [RFC PATCH v6 02/12] kbuild: Support for symbols.klp creation

From: Joao Moreira <jmoreira@...e.de>

For automatic resolution of livepatch relocations, a file called
symbols.klp is used. This file maps symbols within every compiled kernel
object allowing the identification of symbols whose name is unique, thus
relocation can be automatically inferred, or providing information that
helps developers when code annotation is required for solving the
matter.

Add support for creating symbols.klp in the main Makefile. First, ensure
that built-in is compiled when CONFIG_LIVEPATCH is enabled (as required
to achieve a complete symbols.klp file). Define the command to build
symbols.klp (cmd_klp_map) and hook it in the modules rule.

As it is undesirable to have symbols from livepatch objects inside
symbols.klp, make livepatches discernible by modifying
scripts/Makefile.build to create a .livepatch file for each livepatch in
$(MODVERDIR). This file is then used by cmd_klp_map to identify and bypass
livepatches.

For identifying livepatches during the build process, a flag variable
LIVEPATCH_$(basetarget).o is considered in scripts/Makefile.build. This
way, set this flag for the livepatch sample Makefile in
samples/livepatch/Makefile.

Finally, add a clean rule to ensure that symbols.klp is removed during
clean.

Notes:

To achieve a correct symbols.klp file, all kernel objects must be
considered, thus, its construction requires these objects to be priorly
built. On the other hand, invoking scripts/Makefile.modpost without
having a complete symbols.klp in place would occasionally lead to
in-tree livepatches being post-processed incorrectly. To prevent this
from becoming a circular dependency, the construction of symbols.klp
uses non-post-processed kernel objects and such does not cause harm as
the symbols normally referenced from within livepatches are visible at
this stage. Also due to these requirements, the spot in-between modules
compilation and the invocation of scripts/Makefile.modpost was picked
for hooking cmd_klp_map.

The approach based on .livepatch files was proposed as an alternative to
using MODULE_INFO statements. This approach was originally proposed by
Miroslav Benes as a workaround for identifying livepatches without
depending on modinfo during the modpost stage. It was moved to this
patch as the approach was also shown to be useful while building
symbols.klp.

Signed-off-by: Joao Moreira <jmoreira@...e.de>
Signed-off-by: Joe Lawrence <joe.lawrence@...hat.com>
---
 .gitignore             |  1 +
 Documentation/dontdiff |  1 +
 Makefile               | 24 ++++++++++++++++++++++--
 3 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/.gitignore b/.gitignore
index 7afd412dadd2..50638a15a527 100644
--- a/.gitignore
+++ b/.gitignore
@@ -61,6 +61,7 @@ modules.order
 /vmlinux.symvers
 /vmlinux-gdb.py
 /vmlinuz
+/symbols.klp
 /System.map
 /Module.markers
 /modules.builtin
diff --git a/Documentation/dontdiff b/Documentation/dontdiff
index 910b30a2a7d9..25c656fdd99f 100644
--- a/Documentation/dontdiff
+++ b/Documentation/dontdiff
@@ -76,6 +76,7 @@ Module.markers
 Module.symvers
 PENDING
 SCCS
+symbols.klp
 System.map*
 TAGS
 aconf
diff --git a/Makefile b/Makefile
index 0fb4f94a6885..64ec4bc8172c 100644
--- a/Makefile
+++ b/Makefile
@@ -639,8 +639,13 @@ KBUILD_MODULES :=
 KBUILD_BUILTIN := 1
 
 # If we have only "make modules", don't compile built-in objects.
+# When we're building livepatch modules, we need to consider the
+# built-in objects during the descend as well, as built-in objects may
+# hold symbols which are referenced from livepatches and are required by
+# klp-convert post-processing tool for resolving these cases.
+
 ifeq ($(MAKECMDGOALS),modules)
-  KBUILD_BUILTIN :=
+  KBUILD_BUILTIN := $(if $(CONFIG_LIVEPATCH),1)
 endif
 
 # If we have "make <whatever> modules", compile modules
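Review bot: `KBUILD_BUILTIN := $(if $(CONFIG_LIVEPATCH),1)` uses immediate assignment, so CONFIG_LIVEPATCH is expanded right here, around line 639 of the top-level Makefile. Please confirm the configuration has already been included at this point; if it has not, the $(if ...) always yields empty and `make modules` keeps skipping built-in objects, which the commit message says is required for a complete symbols.klp. Separately, the added blank line detaches the new comment block from the ifeq it documents, and the retained first line ("don't compile built-in objects") now reads as contradicting it; fold both into one comment that states the CONFIG_LIVEPATCH exception.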
@@ -1487,7 +1492,7 @@ MRPROPER_FILES += include/config include/generated          \
 		  arch/$(SRCARCH)/include/generated .tmp_objdiff \
 		  debian snap tar-install \
 		  .config .config.old .version \
-		  Module.symvers \
+		  Module.symvers symbols.klp \
 		  certs/signing_key.pem \
 		  certs/x509.genkey \
 		  vmlinux-gdb.py \
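Review bot: symbols.klp is added to MRPROPER_FILES in this hunk, so it is removed by `make mrproper`, while the commit message says a clean rule removes it "during clean". Either reword the message to say mrproper, or put the file on the list that `make clean` processes if that is what is intended.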
@@ -1742,7 +1747,22 @@ PHONY += modules modules_install
 
 ifdef CONFIG_MODULES
 
+quiet_cmd_klp_map = KLP     symbols.klp
+
+define cmd_klp_map
+	$(shell echo "klp-convert-symbol-data.0.1" > $(objtree)/symbols.klp)				\
+	$(shell echo "*vmlinux" >> $(objtree)/symbols.klp)						\
+	$(shell nm -f posix $(objtree)/vmlinux | cut -d\  -f1 >> $(objtree)/symbols.klp)		\
+	$(foreach ko, $(sort $(shell cat modules.order)),						\
+		$(eval mod = $(patsubst %.ko,%.mod,$(ko)))						\
+		$(eval obj = $(patsubst %.ko,%.o,$(ko)))						\
+		$(if $(shell grep -o LIVEPATCH $(mod)),,						\
+			$(shell echo "*$(shell basename -s .ko $(ko))" >> $(objtree)/symbols.klp)	\
+			$(shell nm -f posix $(obj) | cut -d\  -f1 >> $(objtree)/symbols.klp)))
+endef
+
 modules: modules_check
+	$(if $(CONFIG_LIVEPATCH), $(call cmd,klp_map))
 	$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
 
 PHONY += modules_check
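Review bot: cmd_klp_map does all of its work in $(shell ...) calls, so the exit status of every echo, nm and cat is discarded, and a failing `nm` on vmlinux or on a module object still leaves a symbols.klp that looks valid but is missing symbols. Since the commit message describes this file as the basis for automatic relocation resolution, write it from ordinary recipe commands into a temporary file and rename it into place only on success. `nm` is also hard-coded where the toolchain variable $(NM) would be expected for cross builds, and `cat modules.order` has no $(objtree)/ prefix while every other path in the macro does. Finally, the commit message says livepatches are identified through .livepatch files created by scripts/Makefile.build and a LIVEPATCH_$(basetarget).o flag set in samples/livepatch/Makefile, but the diffstat touches neither file and the test here is `grep -o LIVEPATCH $(mod)`; please bring the message and the code in line.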
-- 
2.26.3
