The kernel livepatching creation tool
To install the project and dependencies use:
pip install -e .
To run the project locally and test your changes use:
./klp-build
To run tests use:
tox -e tests
There are two environment variables that can be set before running the klp-build commands.
Required. This needs to point to a directory where the livepatch data will be placed, including the data generated by the different stages of the livepatch creation.
Optional. This is the place where the source code is placed. To create a livepatch for upstream kernel, this needs to point to a kernel tree with the sources built and the compile_commands.json file generated.
Instead of setting this environment variables you can set --data-dir on the setup phase of the livepatch creation.
IMPORTANT: Some patches are needed in order to make it work in your kernel. Check the patches directory for what is needed.
The current approach to create for upstream kernels needs a directory with the source code, and the compiled sources in the same location, with the compile_commands.json file generated. To generate the file, run:
./scripts/clang-tools/gen_compile_commands.pyklp-build setup --kdir --data-dir /home/mpdesouza/git/linux --name sound_lp --mod snd-pcm --conf CONFIG_SND_PCM --file-funcs sound/core/pcm.c snd_pcm_attach_substream snd_pcm_detach_substreamThis command creates a new directory $KLP_WORK_DIR/sound_lp. The setup phase checks if the configuration entry is set, and if the symbol being extracted is present in the module.
Explaining some arguments: --mod: The module to be livepatched. If empty, vmlinux will be livepatched instead. --file-funcs: Lists the symbols (hence funcs) from each file. These symbols will be extracted into the livepatching.
For upstream kernels we only support using clang-extract for code extraction:
klp-build extract --name sound_lp --type ceThe contents of the generated file are placed on $KLP_WORK_DIR/sound_lp/ce/$codestream/lp.
IMPORTANT: Do not use it on production. klp-build is still only used to create livepatches on SLE kernels using klp-ccp. The tool needs more tests in order to rely on this process to create livepatches for upstream kernels. More work needs to be done before it happens, like:
- Generate a template to include and generate a compilable livepatch
- Use klp-convert-mini instead of rely on kallsyms
- Simplify the setup/extraction in just one pass in order to make it even easier for the livepatch developer.
- Many other small adjustments
Along with the environment variables mentioned earlier, we also need KLP_KERNEL_SOURCE.
Optional. This is only used for SLE kernels. This should contain the path to the kernel-source tree in order to check which codestreams already contains the fix and don't need the livepatch. It also gets the fix for the CVE being livepatched.
To create a new "livepatch project", use the setup command:
klp-build setup --name bsc1197597 --cve 2022-1048 --mod snd-pcm --conf CONFIG_SND_PCM --file-funcs sound/core/pcm.c snd_pcm_attach_substream snd_pcm_detach_substream --codestreams '15.5' --archs x86_64 ppc64leklp-build will check if the configuration is enabled, if the symbol is present on the module being livepatched. The check will be done in all architectures informed as argument. If the argument is not informed, it will return an error if configuration is not available on any of them.
At this point we support two different backends to perform the code extraction: klp-ccp and clang-extract, but only klp-ccp is being used in production. To extract the livepatches, run the command below:
klp-build extract --name bsc1197597 --type ccpDepending of the type chosen, it will use klp-ccp or clang-extract to extract the livepatch from the sources. The resulting livepatched will be placed on $KLP_WORK_DIR/bsc1197597/ccp/$codestream/lp, for example:
/home/john/livepatches/bsc1197597/ccp/15.5u40/lp