livepatch-build: Embed hypervisor build id into every hotpatch
authorPawel Wieczorkiewicz <wipawel@amazon.de>
Tue, 26 Nov 2019 12:25:05 +0000 (12:25 +0000)
committerRoss Lagerwall <ross.lagerwall@citrix.com>
Thu, 6 Feb 2020 16:25:49 +0000 (16:25 +0000)
This change is part of an independent stacked hotpatch modules
feature. This feature allows bypassing dependencies between modules
upon loading, but still verifies that the Xen build ID matches.

With stacked hotpatch modules it is essential that each and every
hotpatch is verified against the hypervisor build id upon upload.
It must not be possible to successfully upload hotpatches built for
incorrect version of the hypervisor.

To achieve that always embed an additional ELF section:
'.livpatch.xen_depends' containing the hypervisor build id.

The hypervisor build id must be always provided as a command line
parameter: --xen-depends.

Signed-off-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
Reviewed-by: Andra-Irina Paraschiv <andraprs@amazon.com>
Reviewed-by: Bjoern Doebel <doebel@amazon.de>
Reviewed-by: Norbert Manthey <nmanthey@amazon.de>
Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
livepatch-build

index b198c97729d7fc157c394121fae982e08c03a14f..b8a1728c5ad368cc63f977797b7a87024b5da784 100755 (executable)
@@ -30,6 +30,7 @@ DEBUG=n
 XEN_DEBUG=n
 SKIP=
 DEPENDS=
+XEN_DEPENDS=
 PRELINK=
 XENSYMS=xen-syms
 
@@ -163,6 +164,9 @@ function create_patch()
     # Create a dependency section
     perl -e "print pack 'VVVZ*H*', 4, 20, 3, 'GNU', '${DEPENDS}'" > depends.bin
 
+    # Create a Xen dependency section
+    perl -e "print pack 'VVVZ*H*', 4, 20, 3, 'GNU', '${XEN_DEPENDS}'" > xen_depends.bin
+
     echo "Creating patch module..."
     if [ -z "$PRELINK" ]; then
         ld -r -o "${PATCHNAME}.livepatch" --build-id=sha1 $(find output -type f -name "*.o") || die
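Review bot: The note header written on the new `xen_depends.bin` line hard-codes descsz to 20, but `pack 'H*'` emits however many bytes `${XEN_DEPENDS}` happens to encode, so a value that is not exactly 40 hex digits produces a note whose header and payload disagree, and a non-hex or odd-length value is mangled silently rather than rejected. The value is also spliced by the shell into a single-quoted perl literal, so a stray quote in the argument breaks the one-liner instead of failing cleanly. Since nothing in create_patch itself checks the shape of the id, I would at least document the assumption next to the line: `# Note header: namesz=4 ("GNU"), descsz=20 (one SHA-1 build id, matching --build-id=sha1 below), type=3; XEN_DEPENDS must be exactly 40 hex digits`. create_patch starts before this hunk, so the validation itself belongs where the option is checked, not here.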
@@ -174,6 +178,9 @@ function create_patch()
 
     objcopy --add-section .livepatch.depends=depends.bin "${PATCHNAME}.livepatch"
     objcopy --set-section-flags .livepatch.depends=alloc,readonly "${PATCHNAME}.livepatch"
+
+    objcopy --add-section .livepatch.xen_depends=xen_depends.bin "${PATCHNAME}.livepatch"
+    objcopy --set-section-flags .livepatch.xen_depends=alloc,readonly "${PATCHNAME}.livepatch"
 }
 
 usage() {
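Review bot: The two new `objcopy` calls that add and flag `.livepatch.xen_depends` have no error check, whereas the `ld` step earlier in create_patch ends with `|| die`; if either objcopy fails (missing tool, unwritable output, bad section name) the script still reports success and leaves a module without the section the hypervisor is supposed to verify on upload. This mirrors the pre-existing `.livepatch.depends` lines, but for a section whose whole purpose is a mandatory check the build should fail loudly. I would append `|| die` to both: `objcopy --add-section .livepatch.xen_depends=xen_depends.bin "${PATCHNAME}.livepatch" || die` and `objcopy --set-section-flags .livepatch.xen_depends=alloc,readonly "${PATCHNAME}.livepatch" || die`. create_patch's opening lines are outside this hunk.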
@@ -189,12 +196,13 @@ usage() {
     echo "        --xen-debug        Build debug Xen (if your .config does not have the options)" >&2
     echo "        --xen-syms         Build against a xen-syms" >&2
     echo "        --depends          Required build-id" >&2
+    echo "        --xen-depends      Required Xen build-id" >&2
     echo "        --prelink          Prelink" >&2
 }
 
 find_tools || die "can't find supporting tools"
 
-options=$(getopt -o hs:p:c:o:j:k:d -l "help,srcdir:,patch:,config:,output:,cpus:,skip:,debug,xen-debug,xen-syms:,depends:,prelink" -- "$@") || die "getopt failed"
+options=$(getopt -o hs:p:c:o:j:k:d -l "help,srcdir:,patch:,config:,output:,cpus:,skip:,debug,xen-debug,xen-syms:,depends:,xen-depends:,prelink" -- "$@") || die "getopt failed"
 
 eval set -- "$options"
 
@@ -253,6 +261,11 @@ while [[ $# -gt 0 ]]; do
             DEPENDS="$1"
             shift
             ;;
+        --xen-depends)
+            shift
+            XEN_DEPENDS="$1"
+            shift
+            ;;
         --prelink)
             PRELINK=--resolve
             shift
@@ -269,6 +282,7 @@ done
 [ -z "$configarg" ] && die ".config not given"
 [ -z "$outputarg" ] && die "Output directory not given"
 [ -z "$DEPENDS" ] && die "Build-id dependency not given"
+[ -z "$XEN_DEPENDS" ] && die "Xen Build-id dependency not given"
 
 SRCDIR="$(readlink -m -- "$srcarg")"
 # We need an absolute path because we move around, but we need to
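Review bot: The new check on `XEN_DEPENDS` only rejects an empty string, yet the value is later interpolated into a perl `pack 'H*'` one-liner with a fixed 20-byte descsz, so anything other than exactly 40 hex digits (a truncated paste, a `0x` prefix, a stray quote) either mangles the embedded id or breaks the shell quoting rather than being refused at build time. The script already uses `[[ ... ]]`, so a regex guard is cheap: `[[ "$XEN_DEPENDS" =~ ^[0-9a-fA-F]{40}$ ]] || die "Xen build-id must be exactly 40 hex digits"`. The same weakness exists for the pre-existing `DEPENDS` check just above and could be fixed the same way. The top-level script continues past this hunk.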