Re: [Xen-devel] [livepatch-build-tools: independ. modules] livepatch-build: Embed hypervisor build id into every hotpatch
On Tue, Apr 16, 2019 at 12:57:14PM +0000, Pawel Wieczorkiewicz wrote:
> This change is part of an independent stacked hotpatch modules
> feature. This feature allows bypassing dependencies between modules
> upon loading, but still verifies Xen build ID matching.
>
> With stacked hotpatch modules it is essential that each and every
> hotpatch is verified against the hypervisor build id upon upload.
> It must not be possible to successfully upload hotpatches built for
> an incorrect version of the hypervisor.
>
> To achieve that, always embed an additional ELF section:
> '.livepatch.xen_depends' containing the hypervisor build id.
>
> The hypervisor build id must always be provided as a command line
> parameter: --xen-depends.
>
> Signed-off-by: Pawel Wieczorkiewicz <wipawel@xxxxxxxxx>
> Reviewed-by: Andra-Irina Paraschiv <andraprs@xxxxxxxxxx>
> Reviewed-by: Bjoern Doebel <doebel@xxxxxxxxx>
> Reviewed-by: Norbert Manthey <nmanthey@xxxxxxxxx>
This patch looks OK, but I would want to wait until the Xen hypervisor
one gets the test-cases+documentation changes.
> ---
> livepatch-build | 16 +++++++++++++++-
> 1 file changed, 15 insertions(+), 1 deletion(-)
>
> diff --git a/livepatch-build b/livepatch-build
> index c057fa1..0938b3a 100755
> --- a/livepatch-build
> +++ b/livepatch-build
> @@ -30,6 +30,7 @@ DEBUG=n
> XEN_DEBUG=n
> SKIP=
> DEPENDS=
> +XEN_DEPENDS=
> PRELINK=
> XENSYMS=xen-syms
>
> @@ -157,6 +158,9 @@ function create_patch()
> # Create a dependency section
> perl -e "print pack 'VVVZ*H*', 4, 20, 3, 'GNU', '${DEPENDS}'" >
> depends.bin
>
> + # Create a Xen dependency section
> + perl -e "print pack 'VVVZ*H*', 4, 20, 3, 'GNU', '${XEN_DEPENDS}'" >
> xen_depends.bin
> +
> echo "Creating patch module..."
> if [ -z "$PRELINK" ]; then
> ld -r -o "${PATCHNAME}.livepatch" --build-id=sha1 $(find output
> -type f -name "*.o") || die
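Review bot: the new perl one-liner for xen_depends.bin hard-codes descsz to 20 (copied from the depends.bin line above it), so the resulting note is only well-formed when XEN_DEPENDS is exactly 40 hex characters; any other length produces a descriptor size that disagrees with the bytes the H* template actually emits, and nothing before this point rejects such a value. Either derive the length from the value or validate the format before it is packed.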
> @@ -168,6 +172,9 @@ function create_patch()
>
> objcopy --add-section .livepatch.depends=depends.bin
> "${PATCHNAME}.livepatch"
> objcopy --set-section-flags .livepatch.depends=alloc,readonly
> "${PATCHNAME}.livepatch"
> +
> + objcopy --add-section .livepatch.xen_depends=xen_depends.bin
> "${PATCHNAME}.livepatch"
> + objcopy --set-section-flags .livepatch.xen_depends=alloc,readonly
> "${PATCHNAME}.livepatch"
> }
>
> usage() {
> @@ -183,12 +190,13 @@ usage() {
> echo " --xen-debug Build debug Xen (if your .config does
> not have the options)" >&2
> echo " --xen-syms Build against a xen-syms" >&2
> echo " --depends Required build-id" >&2
> + echo " --xen-depends Required Xen build-id" >&2
> echo " --prelink Prelink" >&2
> }
>
> find_tools || die "can't find supporting tools"
>
> -options=$(getopt -o hs:p:c:o:j:k:d -l
> "help,srcdir:,patch:,config:,output:,cpus:,skip:,debug,xen-debug,xen-syms:,depends:,prelink"
> -- "$@") || die "getopt failed"
> +options=$(getopt -o hs:p:c:o:j:k:d -l
> "help,srcdir:,patch:,config:,output:,cpus:,skip:,debug,xen-debug,xen-syms:,depends:,xen-depends:,prelink"
> -- "$@") || die "getopt failed"
>
> eval set -- "$options"
>
> @@ -247,6 +255,11 @@ while [[ $# -gt 0 ]]; do
> DEPENDS="$1"
> shift
> ;;
> + --xen-depends)
> + shift
> + XEN_DEPENDS="$1"
> + shift
> + ;;
> --prelink)
> PRELINK=--resolve
> shift
> @@ -263,6 +276,7 @@ done
> [ -z "$configarg" ] && die ".config not given"
> [ -z "$outputarg" ] && die "Output directory not given"
> [ -z "$DEPENDS" ] && die "Build-id dependency not given"
> +[ -z "$XEN_DEPENDS" ] && die "Xen Build-id dependency not given"
>
> SRCDIR="$(readlink -m -- "$srcarg")"
> PATCHFILE="$(readlink -m -- "$patcharg")"
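Review bot: the added check only rejects an empty XEN_DEPENDS, mirroring the DEPENDS line above it, but the value is later packed as hex into a fixed 20-byte descriptor, so a malformed id still yields a hotpatch with a bogus note. Consider validating the shape here as well, e.g. `[[ "$XEN_DEPENDS" =~ ^[0-9a-fA-F]{40}$ ]] || die "Xen build-id must be 40 hex characters"`, so the build fails fast instead of producing a module the hypervisor will reject (or, worse, accept with an unintended id).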
> --
> 2.16.5
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel