Message ID | 20190416125714.32771-1-wipawel@amazon.de (mailing list archive) |
---|---|
State | New, archived |
Series | [livepatch-build-tools:,independ.,modules] livepatch-build: Embed hypervisor build id into every hotpatch | expand |
On Tue, Apr 16, 2019 at 12:57:14PM +0000, Pawel Wieczorkiewicz wrote:
> This change is part of a independant stacked hotpatch modules
> feature. This feature allows to bypass dependencies between modules
> upon loading, but still verifies Xen build ID matching.
>
> With stacked hotpatch modules it is essential that each and every
> hotpatch is verified against the hypervisor build id upon upload.
> It must not be possible to successfully upload hotpatches built for
> incorrect version of the hypervisor.
>
> To achieve that always embed an additional ELF section:
> '.livpatch.xen_depends' containing the hypervisor build id.
>
> The hypervisor build id must be always provided as a command line
> parameter: --xen-depends.
>
> Signed-off-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
> Reviewed-by: Andra-Irina Paraschiv <andraprs@amazon.com>
> Reviewed-by: Bjoern Doebel <doebel@amazon.de>
> Reviewed-by: Norbert Manthey <nmanthey@amazon.de>
This patch looks OK, but I would want to wait until the Xen hypervisor one gets the test-cases+documentation changes..
> ---
> livepatch-build | 16 +++++++++++++++-
> 1 file changed, 15 insertions(+), 1 deletion(-)
>
> diff --git a/livepatch-build b/livepatch-build
> index c057fa1..0938b3a 100755
> --- a/livepatch-build
> +++ b/livepatch-build
> @@ -30,6 +30,7 @@ DEBUG=n
> XEN_DEBUG=n
> SKIP=
> DEPENDS=
> +XEN_DEPENDS=
> PRELINK=
> XENSYMS=xen-syms
>
> @@ -157,6 +158,9 @@ function create_patch()
> # Create a dependency section
> perl -e "print pack 'VVVZ*H*', 4, 20, 3, 'GNU', '${DEPENDS}'" > depends.bin
>
> + # Create a Xen dependency section
> + perl -e "print pack 'VVVZ*H*', 4, 20, 3, 'GNU', '${XEN_DEPENDS}'" > xen_depends.bin
> +
> echo "Creating patch module..."
> if [ -z "$PRELINK" ]; then
> ld -r -o "${PATCHNAME}.livepatch" --build-id=sha1 $(find output -type f -name "*.o") || die
> @@ -168,6 +172,9 @@ function create_patch()
>
> objcopy --add-section .livepatch.depends=depends.bin "${PATCHNAME}.livepatch"
> objcopy --set-section-flags .livepatch.depends=alloc,readonly "${PATCHNAME}.livepatch"
> +
> + objcopy --add-section .livepatch.xen_depends=xen_depends.bin "${PATCHNAME}.livepatch"
> + objcopy --set-section-flags .livepatch.xen_depends=alloc,readonly "${PATCHNAME}.livepatch"
> }
>
> usage() {
> @@ -183,12 +190,13 @@ usage() {
> echo " --xen-debug Build debug Xen (if your .config does not have the options)" >&2
> echo " --xen-syms Build against a xen-syms" >&2
> echo " --depends Required build-id" >&2
> + echo " --xen-depends Required Xen build-id" >&2
> echo " --prelink Prelink" >&2
> }
>
> find_tools || die "can't find supporting tools"
>
> -options=$(getopt -o hs:p:c:o:j:k:d -l "help,srcdir:,patch:,config:,output:,cpus:,skip:,debug,xen-debug,xen-syms:,depends:,prelink" -- "$@") || die "getopt failed"
> +options=$(getopt -o hs:p:c:o:j:k:d -l "help,srcdir:,patch:,config:,output:,cpus:,skip:,debug,xen-debug,xen-syms:,depends:,xen-depends:,prelink" -- "$@") || die "getopt failed"
>
> eval set -- "$options"
>
> @@ -247,6 +255,11 @@ while [[ $# -gt 0 ]]; do
> DEPENDS="$1"
> shift
> ;;
> + --xen-depends)
> + shift
> + XEN_DEPENDS="$1"
> + shift
> + ;;
> --prelink)
> PRELINK=--resolve
> shift
> @@ -263,6 +276,7 @@ done
> [ -z "$configarg" ] && die ".config not given"
> [ -z "$outputarg" ] && die "Output directory not given"
> [ -z "$DEPENDS" ] && die "Build-id dependency not given"
> +[ -z "$XEN_DEPENDS" ] && die "Xen Build-id dependency not given"
>
> SRCDIR="$(readlink -m -- "$srcarg")"
> PATCHFILE="$(readlink -m -- "$patcharg")"
> --
> 2.16.5
>
>
>
>
> Amazon Development Center Germany GmbH
> Krausenstr. 38
> 10117 Berlin
> Geschaeftsfuehrer: Christian Schlaeger, Ralf Herbrich
> Ust-ID: DE 289 237 879
> Eingetragen am Amtsgericht Charlottenburg HRB 149173 B
>
>
diff --git a/livepatch-build b/livepatch-build index c057fa1..0938b3a 100755 --- a/livepatch-build +++ b/livepatch-build @@ -30,6 +30,7 @@ DEBUG=n XEN_DEBUG=n SKIP= DEPENDS= +XEN_DEPENDS= PRELINK= XENSYMS=xen-syms @@ -157,6 +158,9 @@ function create_patch() # Create a dependency section perl -e "print pack 'VVVZ*H*', 4, 20, 3, 'GNU', '${DEPENDS}'" > depends.bin + # Create a Xen dependency section + perl -e "print pack 'VVVZ*H*', 4, 20, 3, 'GNU', '${XEN_DEPENDS}'" > xen_depends.bin + echo "Creating patch module..." if [ -z "$PRELINK" ]; then ld -r -o "${PATCHNAME}.livepatch" --build-id=sha1 $(find output -type f -name "*.o") || die @@ -168,6 +172,9 @@ function create_patch() objcopy --add-section .livepatch.depends=depends.bin "${PATCHNAME}.livepatch" objcopy --set-section-flags .livepatch.depends=alloc,readonly "${PATCHNAME}.livepatch" + + objcopy --add-section .livepatch.xen_depends=xen_depends.bin "${PATCHNAME}.livepatch" + objcopy --set-section-flags .livepatch.xen_depends=alloc,readonly "${PATCHNAME}.livepatch" } usage() { @@ -183,12 +190,13 @@ usage() { echo " --xen-debug Build debug Xen (if your .config does not have the options)" >&2 echo " --xen-syms Build against a xen-syms" >&2 echo " --depends Required build-id" >&2 + echo " --xen-depends Required Xen build-id" >&2 echo " --prelink Prelink" >&2 } find_tools || die "can't find supporting tools" -options=$(getopt -o hs:p:c:o:j:k:d -l "help,srcdir:,patch:,config:,output:,cpus:,skip:,debug,xen-debug,xen-syms:,depends:,prelink" -- "$@") || die "getopt failed" +options=$(getopt -o hs:p:c:o:j:k:d -l "help,srcdir:,patch:,config:,output:,cpus:,skip:,debug,xen-debug,xen-syms:,depends:,xen-depends:,prelink" -- "$@") || die "getopt failed" eval set -- "$options" @@ -247,6 +255,11 @@ while [[ $# -gt 0 ]]; do DEPENDS="$1" shift ;; + --xen-depends) + shift + XEN_DEPENDS="$1" + shift + ;; --prelink) PRELINK=--resolve shift 
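Review bot: The `--xen-depends` value is only tested for emptiness (the `[ -z "$XEN_DEPENDS" ]` line in the `@@ -263` hunk on the following line), yet in the `@@ -157` hunk it is packed with `H*` under a descsz hard-coded to 20, so anything other than exactly 40 hex digits yields an inconsistent `.livepatch.xen_depends` note that would presumably only surface when the hypervisor refuses the module. Since the whole point of the section is to make a wrong-hypervisor upload fail, the format should be checked at build time next to the emptiness check: `[[ "$XEN_DEPENDS" =~ ^[0-9a-fA-F]{40}$ ]] || die "Xen build-id must be 40 hex digits"`. The value is also spliced into the `perl -e` program text by shell interpolation (mirroring the pre-existing `DEPENDS` line), so a stray quote would change the Perl code rather than the data; with the format check in place this cannot occur, and handing it over through the environment, `XEN_DEPENDS="$XEN_DEPENDS" perl -e "print pack 'VVVZ*H*', 4, 20, 3, 'GNU', \$ENV{XEN_DEPENDS}" > xen_depends.bin`, keeps code and data separate regardless. `create_patch` starts and ends outside the hunk.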
@@ -263,6 +276,7 @@ done [ -z "$configarg" ] && die ".config not given" [ -z "$outputarg" ] && die "Output directory not given" [ -z "$DEPENDS" ] && die "Build-id dependency not given" +[ -z "$XEN_DEPENDS" ] && die "Xen Build-id dependency not given" SRCDIR="$(readlink -m -- "$srcarg")" PATCHFILE="$(readlink -m -- "$patcharg")"