The kernel livepatching creation tool
To install the project and dependencies use:
pip install -e .
To run the project locally and test your changes use:
./klp-build
To run tests use:
tox -e tests
There are three environment variables that can be set before running the klp-build commands.
Required. This needs to point to a directory where the livepatch data will be placed, including the data generated by the different stages of the livepatch creation.
Optional. This is the place where the source code is placed. To create a livepatch for an upstream kernel, this needs to point to a kernel tree with the sources built and compile_commands.json generated.
Instead of setting this environment variable, you can pass --data-dir in the setup phase of the livepatch creation.
Optional. If you are creating a livepatch for an upstream kernel, you can ignore this option.
This is only used for SLE kernels. It should contain the path to the kernel-source tree, which is used to check which codestreams already contain the fix for the CVE that the developer is trying to fix, so that the unaffected codestreams can be skipped.
To create a new "livepatch project", use the setup command:
klp-build setup --name bsc1197597 --cve 2022-1048 --mod snd-pcm --conf CONFIG_SND_PCM --file-funcs sound/core/pcm.c snd_pcm_attach_substream snd_pcm_detach_substream --codestreams '15.5'
This command creates a new directory in $KLP_WORK_DIR, and the directory name will be the bsc argument. It also checks whether the configuration is enabled for all codestreams and all architectures.
Explaining some arguments:
- --mod: The module to be livepatched. If empty, vmlinux will be livepatched instead.
- --file-funcs: Lists the symbols (hence funcs) from each file. These symbols will be extracted into the livepatch.
At this point we support two different backends to perform the code extraction: klp-ccp and clang-extract.
To extract the livepatches, run the command below:
klp-build extract --name bsc1197597 --type <ccp|ce>
Depending on the type chosen, it will use klp-ccp or clang-extract to extract the livepatch from the sources. The resulting livepatch will be placed in $KLP_WORK_DIR///$codestream/lp, for example:
/home/john/livepatches/ccp/15.5u40/lp
For downloading all the fixes in all CVE branches of kernel-source:
klp-build get-patches --name bsc1111111 --cve 2022-1048
It will create a directory called fixes inside $KLP_WORK_DIR/bsc1111111, containing the fixes for all current codestream families related to the CVE in question.
Currently klp-build expects a kernel tree with compiled sources and the compile_commands.json generated after the compilation has finished.
To create the compile_commands.json, please run the command below inside the kernel tree:
./scripts/clang-tools/gen_compile_commands.py
The setup process is the same, but it needs the --kdir and --data-dir arguments. While --kdir is a boolean flag, --data-dir expects the git tree to contain the vmlinux and the compiled modules, like:
klp-build setup --kdir --data-dir /home/mpdesouza/git/linux --name 1197597 --cve 2022-1048 --mod snd-pcm --conf CONFIG_SND_PCM --file-funcs sound/core/pcm.c snd_pcm_attach_substream snd_pcm_detach_substream --codestreams '15.5'
And the extraction is the same as for SLE, but we only support clang-extract:
klp-build extract --name 1197597 --type ce
The contents of the generated file are placed in $KLP_WORK_DIR///$codestream/lp.
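A preflight check for the upstream requirements described above, as an added example that is not part of klp-build. The function name klp_preflight is hypothetical, and the example assumes an in-tree build, so that vmlinux, .config and compile_commands.json all sit at the top of the kernel tree.

```shell
#!/bin/sh
# Added example, not klp-build code. Checks an upstream kernel tree before
# running `klp-build setup --kdir --data-dir <tree> ...`.
# Assumption: in-tree build (vmlinux, .config, compile_commands.json at top level).
# Usage: klp_preflight <kernel-tree> <CONFIG_OPTION>; returns 0 if all checks pass.
klp_preflight() {
    tree=$1
    conf=$2
    rc=0

    # KLP_WORK_DIR is required and must be a directory klp-build can write to.
    if [ -z "${KLP_WORK_DIR:-}" ]; then
        echo "KLP_WORK_DIR is not set" >&2; rc=1
    elif [ ! -d "$KLP_WORK_DIR" ] || [ ! -w "$KLP_WORK_DIR" ]; then
        echo "KLP_WORK_DIR is not a writable directory: $KLP_WORK_DIR" >&2; rc=1
    fi

    # The tree must hold the build results and the compilation database.
    for f in vmlinux compile_commands.json .config; do
        if [ ! -s "$tree/$f" ]; then
            echo "missing or empty: $tree/$f" >&2; rc=1
        fi
    done

    # The option passed to --conf must be =y or =m;
    # a "# CONFIG_X is not set" line does not count as enabled.
    if [ -f "$tree/.config" ] && ! grep -Eq "^${conf}=(y|m)\$" "$tree/.config"; then
        echo "$conf is not enabled in $tree/.config" >&2; rc=1
    fi

    # compile_commands.json has to be generated after the build finished,
    # so it must not be older than vmlinux.
    if [ -s "$tree/vmlinux" ] && [ -s "$tree/compile_commands.json" ] &&
       [ "$tree/compile_commands.json" -ot "$tree/vmlinux" ]; then
        echo "compile_commands.json is older than vmlinux; regenerate it" >&2; rc=1
    fi

    return "$rc"
}
```

Every failed check is reported on stderr before the function returns, so one run shows everything that needs fixing in the tree.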
Livepatches generated by klp-build are currently only used on SLE kernels. Some things would need to be adjusted to make upstream kernels first-class citizens of this solution, such as:
- Generate a template to include and generate a compilable livepatch
- Use klp-convert-mini instead of relying on kallsyms
- Simplify the setup/extraction into just one pass in order to make it even easier for the livepatch developer.
- Many many other things.