lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 25 Mar 2024 12:15:26 -0400
From: Joe Lawrence <joe.lawrence@...hat.com>
To: Marcos Paulo de Souza <mpdesouza@...e.com>,
 Josh Poimboeuf <jpoimboe@...nel.org>, Jiri Kosina <jikos@...nel.org>,
 Miroslav Benes <mbenes@...e.cz>, Petr Mladek <pmladek@...e.com>,
 Shuah Khan <shuah@...nel.org>
Cc: linux-kernel@...r.kernel.org, live-patching@...r.kernel.org,
 linux-kselftest@...r.kernel.org
Subject: Re: [PATCH] selftests: livepatch: Test atomic replace against
 multiple modules

On 3/22/24 16:31, Marcos Paulo de Souza wrote:
> On Thu, 2024-03-21 at 10:08 -0400, Joe Lawrence wrote:
>> On 3/12/24 08:12, Marcos Paulo de Souza wrote:
>>> This new test checks if a livepatch with replace attribute set
>>> replaces
>>> all previously applied livepatches.
>>>
>>> Signed-off-by: Marcos Paulo de Souza <mpdesouza@...e.com>
>>> ---
>>>  tools/testing/selftests/livepatch/Makefile         |  3 +-
>>>  .../selftests/livepatch/test-atomic-replace.sh     | 71
>>> ++++++++++++++++++++++
>>>  2 files changed, 73 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/tools/testing/selftests/livepatch/Makefile
>>> b/tools/testing/selftests/livepatch/Makefile
>>> index 35418a4790be..e92f61208d35 100644
>>> --- a/tools/testing/selftests/livepatch/Makefile
>>> +++ b/tools/testing/selftests/livepatch/Makefile
>>> @@ -10,7 +10,8 @@ TEST_PROGS := \
>>>  	test-state.sh \
>>>  	test-ftrace.sh \
>>>  	test-sysfs.sh \
>>> -	test-syscall.sh
>>> +	test-syscall.sh \
>>> +	test-atomic-replace.sh
>>>  
>>>  TEST_FILES := settings
>>>  
>>> diff --git a/tools/testing/selftests/livepatch/test-atomic-
>>> replace.sh b/tools/testing/selftests/livepatch/test-atomic-
>>> replace.sh
>>> new file mode 100755
>>> index 000000000000..09a3dcdcb8de
>>> --- /dev/null
>>> +++ b/tools/testing/selftests/livepatch/test-atomic-replace.sh
>>> @@ -0,0 +1,71 @@
>>> +#!/bin/bash
>>> +# SPDX-License-Identifier: GPL-2.0
>>> +#
>>> +# Copyright (C) 2024 SUSE
>>> +# Author: Marcos Paulo de Souza <mpdesouza@...e.com>
>>> +
>>> +. $(dirname $0)/functions.sh
>>> +
>>> +MOD_REPLACE=test_klp_atomic_replace
>>> +
>>> +setup_config
>>> +
>>> +# - Load three livepatch modules.
>>> +# - Load one more livepatch with replace being set, and check that
>>> only one
>>> +#   livepatch module is being listed.
>>> +
>>> +start_test "apply one liveptach to replace multiple livepatches"
>>> +
>>> +for mod in test_klp_livepatch test_klp_syscall
>>> test_klp_callbacks_demo; do
>>> +	load_lp $mod
>>> +done
>>> +
>>> +nmods=$(ls /sys/kernel/livepatch | wc -l)
>>> +if [ $nmods -ne 3 ]; then
>>> +	die "Expecting three modules listed, found $nmods"
>>> +fi
>>> +
>>> +load_lp $MOD_REPLACE replace=1
>>> +
>>> +nmods=$(ls /sys/kernel/livepatch | wc -l)
>>> +if [ $nmods -ne 1 ]; then
>>> +	die "Expecting only one moduled listed, found $nmods"
>>> +fi
>>> +
>>> +disable_lp $MOD_REPLACE
>>> +unload_lp $MOD_REPLACE
>>> +
>>> +check_result "% insmod test_modules/test_klp_livepatch.ko
>>> +livepatch: enabling patch 'test_klp_livepatch'
>>> +livepatch: 'test_klp_livepatch': initializing patching transition
>>> +livepatch: 'test_klp_livepatch': starting patching transition
>>> +livepatch: 'test_klp_livepatch': completing patching transition
>>> +livepatch: 'test_klp_livepatch': patching complete
>>> +% insmod test_modules/test_klp_syscall.ko
>>> +livepatch: enabling patch 'test_klp_syscall'
>>> +livepatch: 'test_klp_syscall': initializing patching transition
>>> +livepatch: 'test_klp_syscall': starting patching transition
>>> +livepatch: 'test_klp_syscall': completing patching transition
>>> +livepatch: 'test_klp_syscall': patching complete
>>> +% insmod test_modules/test_klp_callbacks_demo.ko
>>> +livepatch: enabling patch 'test_klp_callbacks_demo'
>>> +livepatch: 'test_klp_callbacks_demo': initializing patching
>>> transition
>>> +test_klp_callbacks_demo: pre_patch_callback: vmlinux
>>> +livepatch: 'test_klp_callbacks_demo': starting patching transition
>>> +livepatch: 'test_klp_callbacks_demo': completing patching
>>> transition
>>> +test_klp_callbacks_demo: post_patch_callback: vmlinux
>>> +livepatch: 'test_klp_callbacks_demo': patching complete
>>> +% insmod test_modules/test_klp_atomic_replace.ko replace=1
>>> +livepatch: enabling patch 'test_klp_atomic_replace'
>>> +livepatch: 'test_klp_atomic_replace': initializing patching
>>> transition
>>> +livepatch: 'test_klp_atomic_replace': starting patching transition
>>> +livepatch: 'test_klp_atomic_replace': completing patching
>>> transition
>>> +livepatch: 'test_klp_atomic_replace': patching complete
>>> +% echo 0 > /sys/kernel/livepatch/test_klp_atomic_replace/enabled
>>> +livepatch: 'test_klp_atomic_replace': initializing unpatching
>>> transition
>>> +livepatch: 'test_klp_atomic_replace': starting unpatching
>>> transition
>>> +livepatch: 'test_klp_atomic_replace': completing unpatching
>>> transition
>>> +livepatch: 'test_klp_atomic_replace': unpatching complete
>>> +% rmmod test_klp_atomic_replace"
>>> +
>>> +exit 0
>>>
>>
>> Hi Marcos,
>>
>> I'm not against adding a specific atomic replace test, but for a
>> quick
>> tl/dr what is the difference between this new test and
>> test-livepatch.sh's "atomic replace livepatch" test?
>>
>> If this one provides better coverage, should we follow up with
>> removing
>> the existing one?
> 
> Hi Joe,
> 
> thanks for looking at it. To be honest I haven't checked the current
> use of atomic replace on test-livepatch.sh =/
> 
> yes, that's mostly the same case, but in mine I load three modules and
> then load the third one replacing the others, while in the test-
> livepatch.sh we have only one module that is loaded, replaced, and then
> we unload the replaced one.
> 
> Do you see value in extending the test at test-livepatch.sh to load
> more than one LP moduled and the replace all of them with another one?
> I believe that it adds more coverage, while keeping the number of tests
> the same.
> 

Yeah, it shouldn't be too hard to combine this test with the existing
one by adding the 3 module load to the beginning of the test.

Verifying the livepatch count is an interesting new wrinkle.  (Do check
out the shellcheck warning about leveraging the output of ls, though.)
If atomic-replace was used throughout the test suite, I might say that
load_mod should be aware and check accordingly, but it's not the default
build mode, so counting the final livepatches in the test itself seems
reasonable enough.

-- 
Joe

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ