Roger Pau Monne [Thu, 10 Mar 2022 15:08:32 +0000 (16:08 +0100)]
livepatch: use basename to perform object file matching
The changes in the Xen build logic have resulted in the compiler and
objcopy being called from xen/ instead of relative to each object
directory. This requires using basename so that the directory is not
taken into account when checking against the list of files to be
explicitly ignored.
Also adjust the paths used to store the differing object files, as
with the current logic the resulting path will be wrong when using
newer Xen versions; changed_objs would end up containing entries like:
xen/arch/x86/hvm/vmx/arch/x86/hvm/vmx/vmx.o
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Bjoern Doebel <doebel@amazon.de>
Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Roger Pau Monne [Wed, 2 Mar 2022 14:27:11 +0000 (14:27 +0000)]
livepatch: differentiate between old and new build systems
Do not attempt to modify the build system if CFLAGS are not set in
Rules.mk, and instead rely on CONFIG_LIVEPATCH already setting
-f{function,data}-sections.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Roger Pau Monne [Wed, 2 Mar 2022 14:27:08 +0000 (14:27 +0000)]
livepatch: update readme to mention --xen-depends
Fixes: b19df7b2c05e ('livepatch-build: Embed hypervisor build id into every hotpatch')
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Bjoern Doebel <doebel@amazon.de>
Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
livepatch-build: Strip all metadata symbols from hotpatch modules
Strip all unneeded metadata symbols from generated hotpatch modules.
The metadata symbols are the symbols from metadata-like sections (e.g.
'.livepatch.funcs') or livepatch hooks symbols (defined by a set of
prefixes. E.g. 'livepatch_load_data_').
By default the create-diff-object does not create symbols in metadata
sections. However, such symbols may be implicitly added by specifying
extra entries in the sections manually (in a given patch).
The symbols are not needed for the hotpatch modules and should be
stripped to avoid symbol names collisions and to save hotpatch files
space.
Signed-off-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
livepatch-build: Strip transient or unneeded symbols
In the process of creating a final hotpatch module file make sure to
strip all transient symbols that have not been caught and removed by
create-diff-object processing. For now these are only the hooks
kpatch load/unload symbols.
For all new object files that are carried along for the final linking
the transient hooks symbols are not stripped and neither are any
unneeded symbols. Strip the transient hooks symbols explicitly from
resulting object file.
Add a new option '--strip' to additionally strip all unneeded symbols
from new object files.
Signed-off-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Extend livepatch_patch_func to support a new field: expect. This new
field describes the expected data, its length and whether expectation
is enabled. The expectation's data is of opaque padding size.
By default the expectation field is zeroed out and the expectation is
disabled unless explicitly specified in the patch.
Signed-off-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
create-diff-object: Add support for applied/reverted marker
With version 2 of a payload structure an additional field is supported
to track whether a given function has been applied or reverted.
There also comes additional 8-byte alignment padding to reserve
place for future flags and options.
The new fields are zeroed out upon .livepatch.funcs section creation.
Signed-off-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Include new sections containing optional pre-, post- action hooks.
The following new section names are supported:
- .livepatch.hooks.preapply
- .livepatch.hooks.postapply
- .livepatch.hooks.prerevert
- .livepatch.hooks.postrevert
Signed-off-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
livepatch-build: Embed hypervisor build id into every hotpatch
This change is part of an independent stacked hotpatch modules
feature. This feature allows bypassing dependencies between modules
upon loading, but still verifies Xen build ID matching.
With stacked hotpatch modules it is essential that each and every
hotpatch is verified against the hypervisor build id upon upload.
It must not be possible to successfully upload hotpatches built for
an incorrect version of the hypervisor.
To achieve that always embed an additional ELF section:
'.livepatch.xen_depends' containing the hypervisor build id.
The hypervisor build id must be always provided as a command line
parameter: --xen-depends.
... when all symbols have their status and include flags processed.
Processing special sections may include additional symbols. String
sections (.rodata*) are included iff they are referenced by at least
one symbol. Thus, in order to decide if string section should be
included or not, all symbols must be evaluated first.
The .init sections must not be considered for patching regardless of
whether they are CHANGED or NEW.
Explicitly detect and ignore all such sections, before marking
ignored sections as SAME.
Signed-off-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Ross Lagerwall [Thu, 28 Nov 2019 14:36:07 +0000 (14:36 +0000)]
Fix building with updated ENFORCE_UNIQUE_SYMBOLS behaviour
The patch "build: provide option to disambiguate symbol names" changes
ENFORCE_UNIQUE_SYMBOLS so that gcc generates output to a temporary file
and then objcopy is used to create the final object file. This breaks
livepatch-build's interposition of GCC to capture the changed object
files so intercept calls to objcopy as well to capture the final object
files.
While in the area, add a couple of extra object files to be ignored when
patching.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
create-diff-object: more precisely identify .rodata sections
This is needed for more precise patchability verification.
Only non-special .rodata sections should be subject
to such a non-referenced check in kpatch_verify_patchability().
Current check (non-standard, non-rela, non-debug) is too weak and
allows also non-rodata sections without referenced symbols to slip
through.
Detect .rodata section by checking section's type (SHT_PROGBITS),
flags (no exec, no write) and finally name prefix.
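The three checks named in this commit, set beside a model of the weaker filter it replaces, as an added example that is not code from livepatch-build-tools. `struct sec`, both function names, the name-based debug test and the sample headers are constructed for illustration.

```c
#include <elf.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, reduced view of a section header: name, sh_type, sh_flags. */
struct sec { const char *name; Elf64_Word type; Elf64_Xword flags; };

static bool has_prefix(const char *s, const char *p)
{
    return strncmp(s, p, strlen(p)) == 0;
}

/* Model of the older filter: anything that is not a standard, RELA or
 * debug section (debug is detected by name here, which is an assumption). */
bool weak_candidate(const struct sec *s)
{
    if (s->type == SHT_SYMTAB || s->type == SHT_STRTAB || s->type == SHT_RELA)
        return false;
    return !has_prefix(s->name, ".debug");
}

/* The stricter test: section type, then flags, then name prefix. */
bool is_rodata(const struct sec *s)
{
    if (s->type != SHT_PROGBITS)
        return false;
    if (s->flags & (SHF_EXECINSTR | SHF_WRITE))
        return false;
    return has_prefix(s->name, ".rodata");
}

/* Constructed sample headers, not taken from a real Xen object file. */
const struct sec samples[] = {
    { ".rodata.str1.1",    SHT_PROGBITS, SHF_ALLOC | SHF_MERGE | SHF_STRINGS },
    { ".rodata",           SHT_PROGBITS, SHF_ALLOC },
    { ".text.do_foo",      SHT_PROGBITS, SHF_ALLOC | SHF_EXECINSTR },
    { ".data.read_mostly", SHT_PROGBITS, SHF_ALLOC | SHF_WRITE },
    { ".rodata.bogus",     SHT_PROGBITS, SHF_ALLOC | SHF_WRITE }, /* name only */
    { ".rela.rodata",      SHT_RELA,     0 },
    { ".bss",              SHT_NOBITS,   SHF_ALLOC | SHF_WRITE },
};
#define NR_SAMPLES (sizeof(samples) / sizeof(samples[0]))

size_t count_matching(bool (*pred)(const struct sec *))
{
    size_t n = 0;
    for (size_t i = 0; i < NR_SAMPLES; i++)
        n += pred(&samples[i]) ? 1 : 0;
    return n;
}

int main(void)
{
    printf("weak filter: %zu sections, strict .rodata test: %zu sections\n",
           count_matching(weak_candidate), count_matching(is_rodata));
    return 0;
}
```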
create-diff-object: do not strip STN_UNDEF symbols from *.fixup
The rela groups in the *.fixup sections vary in size. That makes it
more complex to handle in the livepatch_strip_undefined_elements().
It is also unnecessary as the .fixup sections are unlikely to have
any STN_UNDEF symbols anyway.
Signed-off-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Andrew Cooper [Tue, 27 Aug 2019 15:38:39 +0000 (16:38 +0100)]
livepatch: Identify the object file create-diff-object dislikes
... rather than leaving the user with no hint as to where to debug next.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
create-diff-object: Strip all undefined entries of known size
The patched ELF object file contains all sections and symbols as
resulted from the compilation. However, certain symbols may not be
copied over to the resulting object file, due to being unchanged or
not included for other reasons.
In such a situation the resulting object file has the entire sections
copied along (with all their entries unchanged), while some of the
corresponding symbols are not copied along at all.
This leads to having incorrect undefined (STN_UNDEF) entries in the
final hotpatch ELF file.
The newly added function livepatch_strip_undefined_elements() detects
and removes all undefined RELA entries as well as their corresponding
PROGBITS section entries.
Since the sections may contain elements of unknown size (sh.sh_entsize
== 0), perform the strip only on sections with well defined entry
sizes.
After replacing the stripped rela list, it is assumed that the next
invocation of the kpatch_rebuild_rela_section_data() will adjust all
section header parameters according to the current state.
The livepatch_strip_undefined_elements() is a superset of the
kpatch_regenerate_special_section() in both scope (covers all RELA
sections instead of just special sections) and granularity (checks
all entries instead of whole groups) modulo the entries validity
predicate.
Unifying the functions results in complicated code, which is hard
to reason about. Thus, the kpatch_regenerate_special_section() is
kept separate with its own predicate for special sections only, and
livepatch_strip_undefined_elements() follows for all sections with
the undefined symbol detecting predicate.
Signed-off-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
Reviewed-by: Martin Pohlack <mpohlack@amazon.de>
Reviewed-by: Bjoern Doebel <doebel@amazon.de>
Reviewed-by: Norbert Manthey <nmanthey@amazon.de>
Reviewed-by: Andra-Irina Paraschiv <andraprs@amazon.com>
Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
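A simplified model of the stripping step described in this commit, added here as an illustration; it is not the project's livepatch_strip_undefined_elements(). The `struct sec_model` type, the `strip_undefined()` name, the 64-entry cap and the rule that an entry is dropped when any of its relocations references STN_UNDEF are assumptions.

```c
#include <elf.h>
#include <string.h>

#define MAX_ENTRIES 64

/* Simplified model: one section of fixed-size entries plus its RELA list. */
struct sec_model {
    unsigned char *data;   /* section contents */
    size_t size;           /* bytes in use */
    size_t entsize;        /* sh_entsize; 0 means the entry size is unknown */
    Elf64_Rela *relas;     /* relocations that apply to this section */
    size_t nr_relas;
};

/* Returns the number of entries removed; 0 if the section is left untouched. */
size_t strip_undefined(struct sec_model *s)
{
    unsigned char drop[MAX_ENTRIES] = { 0 };
    size_t new_index[MAX_ENTRIES], n, kept = 0, out = 0;

    if (s->entsize == 0 || s->size % s->entsize != 0 ||
        s->size / s->entsize > MAX_ENTRIES)
        return 0;                          /* no well-defined entry size */
    n = s->size / s->entsize;
    /* Pass 1: mark every entry that has a relocation against STN_UNDEF. */
    for (size_t i = 0; i < s->nr_relas; i++) {
        size_t idx = s->relas[i].r_offset / s->entsize;
        if (idx >= n)
            return 0;                      /* malformed offset: do not guess */
        if (ELF64_R_SYM(s->relas[i].r_info) == STN_UNDEF)
            drop[idx] = 1;
    }
    /* Pass 2: compact the surviving entries and remember where each went. */
    for (size_t i = 0; i < n; i++) {
        if (drop[i]) continue;
        memmove(s->data + kept * s->entsize, s->data + i * s->entsize, s->entsize);
        new_index[i] = kept++;
    }
    /* Pass 3: drop relocations of removed entries and rebase the others. */
    for (size_t i = 0; i < s->nr_relas; i++) {
        Elf64_Rela r = s->relas[i];
        size_t idx = r.r_offset / s->entsize;
        if (drop[idx]) continue;
        r.r_offset = new_index[idx] * s->entsize + r.r_offset % s->entsize;
        s->relas[out++] = r;
    }
    s->nr_relas = out;
    s->size = kept * s->entsize;
    return n - kept;
}

/* Constructed sample: four 8-byte entries; entries 1 and 3 use STN_UNDEF. */
unsigned char sample_data[32] = { [0] = 0xA0, [8] = 0xA1, [16] = 0xA2, [24] = 0xA3 };
Elf64_Rela sample_relas[4] = {
    { 0,  ELF64_R_INFO(5, R_X86_64_64), 0 }, { 8,  ELF64_R_INFO(STN_UNDEF, R_X86_64_64), 0 },
    { 16, ELF64_R_INFO(7, R_X86_64_64), 0 }, { 24, ELF64_R_INFO(STN_UNDEF, R_X86_64_64), 0 },
};
struct sec_model sample  = { sample_data, 32, 8, sample_relas, 4 };
struct sec_model unsized = { sample_data, 32, 0, sample_relas, 4 }; /* sh_entsize == 0 */
```

Calling `strip_undefined(&sample)` leaves two entries and two rebased relocations, while `strip_undefined(&unsized)` changes nothing because the entry size is unknown.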
During verification check if all sections do not contain any entries
with undefined symbols (STN_UNDEF). This situation can happen when a
section is copied over from its original object to a patched object,
but various symbols related to the section are not copied along.
This scenario happens typically during stacked hotpatches creation
(between 2 different hotpatch modules).
Signed-off-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
Reviewed-by: Martin Pohlack <mpohlack@amazon.de>
Reviewed-by: Bjoern Doebel <doebel@amazon.de>
Reviewed-by: Norbert Manthey <nmanthey@amazon.de>
Reviewed-by: Andra-Irina Paraschiv <andraprs@amazon.com>
Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
create-diff-object: Do not create empty .livepatch.funcs section
When there is no changed function in the generated payload, do not
create an empty .livepatch.funcs section. Hypervisor code considers
such payloads as broken and refuses to load them.
Such payloads without any changed functions may appear when only
hooks are specified.
Signed-off-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
Reviewed-by: Martin Mazein <amazein@amazon.de>
Reviewed-by: Martin Pohlack <mpohlack@amazon.de>
Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
create-diff-object: Do not include all .rodata sections
Older versions of GCC did not split .rodata.str sections by function.
Because of that, the entire section was always included.
The livepatch-build-tools commit [1] fixed patch creation and kept
including all .rodata.str sections, in order to maintain existing
behavior for GCC 6.1+.
This means all .rodata.str sections are always included by default,
regardless of whether they are needed or not.
During stacked hotpatch builds it leads to unnecessary accumulation of
the .rodata.str sections as each and every consecutive hotpatch module
contains all the .rodata.str sections of previous modules.
To prevent this situation, mark the .rodata.str sections for inclusion
only if they are referenced by any of the current hotpatch symbols (or
a corresponding RELA section).
Extend patchability verification to detect all non-standard, non-rela,
non-debug and non-special sections that are not referenced by any of
the symbols or RELA sections.
Rename should_include_str_section() to is_rodata_str_section().
create-diff-object: Add new entries to special sections array
Handle .livepatch.hooks* and .altinstr_replacement sections as the
special sections with assigned group_size resolution function.
By default each .livepatch.hooks* sections' entry is 8 bytes long (a
pointer). The .altinstr_replacement section has undefined group_size.
Allow specifying a different .livepatch.hooks* section entry size using
the shell environment variable HOOK_STRUCT_SIZE.
Add an explicit check to kpatch_regenerate_special_section() skipping
regeneration of special sections, whose group_size is 0.
livepatch-build: detect special section group sizes
Hard-coding the special section group sizes is unreliable. Instead,
determine them dynamically by finding the related struct definitions
in the DWARF metadata.
This is a livepatch backport of kpatch upstream commit [1]:
kpatch-build: detect special section group sizes 170449847136a48b19fc
Xen only deals with alt_instr, bug_frame and exception_table_entry
structures, so sizes of these structures are obtained from xen-syms.
This change is needed since with recent Xen the alt_instr structure
has changed size from 12 to 14 bytes.
common: Add is_referenced_section() helper function
This function checks if a given section has an included corresponding
RELA section and/or whether any symbol in the symbol table references the
section. Section associated symbols are ignored here as there is
always such a symbol for every section.
Detect standard (always to be included) sections via their section
header type. The standard sections: ".shstrtab", ".symtab", ".strtab"
are either of type SHT_SYMTAB or SHT_STRTAB.
livepatch-build: Handle newly created object files
Up to now the livepatch-build ignores newly created object files.
When a patch applies a new .c file and augments its Makefile to build it,
the resulting object file is not taken into account for the final linking
step.
Such newly created object files can be detected by comparing patched/
and original/ directories and copied over to the output directory for
the final linking step.
livepatch-build: Do not follow every symlink for patch file
In some build systems symlinks might be used for patch file names
to point from target directories to actual patches. Following those
symlinks breaks naming convention as the resulting built modules
would be named after the actual hardlink instead of the symlink.
Livepatch-build obtains hotpatch name from the patch file, so it
should not canonicalize the file path resolving all the symlinks to
not lose the original symlink name.
Signed-off-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
Reviewed-by: Martin Pohlack <mpohlack@amazon.de>
Reviewed-by: Bjoern Doebel <doebel@amazon.de>
Reviewed-by: Norbert Manthey <nmanthey@amazon.de>
Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
livepatch-gcc: Allow toolchain command with versions
The Xen build system may enforce a particular gcc version (e.g. gcc72).
Make sure the livepatch-gcc script accepts all input toolchain gcc
commands with or without version specified.
Signed-off-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
Reviewed-by: Martin Mazein <amazein@amazon.de>
Reviewed-by: Bjoern Doebel <doebel@amazon.de>
Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Ross Lagerwall [Mon, 24 Apr 2017 12:57:57 +0000 (13:57 +0100)]
Remove section alignment requirement
Remove the requirement that section twins (i.e. functions) have the same
alignment. The section alignment of the patched section is respected by
the loader in Xen so it shouldn't matter if the original section
alignment was different.
This was discovered when building a live patch for XSA-213. For reasons
known only to the compiler, the alignment of arch_do_multicall_call()
changed from 1 to 16. This should not prevent the build tools from
generating a live patch.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Ross Lagerwall [Mon, 24 Apr 2017 11:52:43 +0000 (12:52 +0100)]
Ignore .discard sections
Ignore differences in discard sections. They are not included in the final xen
binary so there is no need to include them in the live patch.
This was discovered when building a live patch for XSA-213. Before this
commit, it failed with 'changed section .discard not selected for
inclusion'.
Reported-by: Sarah Newman <srn@prgmr.com>
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Ross Lagerwall [Thu, 10 Nov 2016 10:58:45 +0000 (10:58 +0000)]
Fix patch creation with GCC 6.1+
GCC 6.1+ fixed https://gcc.gnu.org/bugzilla/show_bug.cgi?id=192 which
means that .rodata.str1.[0-9]+ sections are now split by function. We
could probably be smarter about including just the sections we need, but
for now, simply include the string sections for all functions as is done
for previous versions of GCC.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reported-by: M A Young <m.a.young@durham.ac.uk>
Ross Lagerwall [Thu, 10 Nov 2016 14:37:39 +0000 (14:37 +0000)]
create-diff-object: Update fixup offsets in .rela.ex_table
When pruning entries from the fixup table, update the offsets in
.rela.ex_table otherwise the relas might point to the wrong fixup entry
or even out of the .fixup section.
This is a port of kpatch's commit 13d61012f9b2 ("create-diff-object:
Update fixup offsets in .rela__ex_table").
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Ross Lagerwall [Wed, 20 Jul 2016 14:42:17 +0000 (15:42 +0100)]
Prevent spurious rebuilding
Don't change the timestamp of arch/x86/Makefile when editing it since it
forces much of the Xen tree to be rebuilt and then requires many
invocations of create-diff-tool.
This is safe since the Makefile change only changes the final link rule,
and xen will be relinked anyway.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Ross Lagerwall [Fri, 10 Jun 2016 09:42:06 +0000 (10:42 +0100)]
Don't accept fuzz when patching
When testing and applying patches, set fuzz=0 so that patches must apply
exactly. Also set "-f" to avoid interactive questions, and reorder so
that patches are tested before the output directory is created.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Ross Lagerwall [Mon, 9 May 2016 10:19:54 +0000 (11:19 +0100)]
Fix patching functions which use __func__
If __func__ is used, it generates a symbol like __func__.5432
Since this is always included (see is_special_static), it will generate
duplicate symbol conflicts if GCC happens to use the same number (which
happens quite often since it doesn't appear to be random). To work
around this, rename the symbol to use a completely random number.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Ross Lagerwall [Fri, 13 Nov 2015 08:50:31 +0000 (08:50 +0000)]
Rename xsplice back to kpatch for functions coming from kpatch
To ease porting changes from kpatch, only use xsplice for the special
section names and for newly written functions but use the kpatch
namespace for ported functions.
Ross Lagerwall [Tue, 20 Oct 2015 15:51:37 +0000 (16:51 +0100)]
Add prelink tool
To simplify matters, prelink against a xen-syms file at compile time to
avoid having to resolve symbols at runtime. Create a prelink tool to do
this. Split out the elf loading and saving code of create-diff-object.c
into a common file which is shared by create-diff-object and prelink.
Ross Lagerwall [Tue, 20 Oct 2015 09:55:16 +0000 (10:55 +0100)]
Add support for specifying the path to xen-syms
This allows linking against a different xen-syms from the original
built. This may be useful if the compile environment or source code is
slightly different.