From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
To: xen-devel@lists.xenproject.org, andrew.cooper3@citrix.com,
	konrad@kernel.org, mpohlack@amazon.de, ross.lagerwall@citrix.com,
	sasha.levin@citrix.com, jinsong.liu@alibaba-inc.com
Subject: [PATCH v3] xSplice v1 implementation and design.
Date: Fri, 12 Feb 2016 13:05:38 -0500
Message-ID: <1455300361-13092-1-git-send-email-konrad.wilk@oracle.com>

Hey!

Changelog:
v2: http://lists.xen.org/archives/html/xen-devel/2016-01/msg01597.html
 - Updated code/docs/design with review comments.
 - Make xen also have a PT_NOTE
 - Added more of Ross's patches
 - Combined build-id patchset with this.
(since the RFC and the Seattle Xen presentation)
 - Finished off some of the work around the build-id.
 - Settled on the preemption mechanism.
 - Cleaned up the patches a lot, broke them up for easy
   review by maintainers.
v1: http://lists.xenproject.org/archives/html/xen-devel/2015-09/msg02116.html
  - Put all the design comments in the code
Prototype: http://lists.xenproject.org/archives/html/xen-devel/2015-10/msg02595.html
[Posting by Ross]
 - Took all reviews into account.
 - Redid the patches

*What is xSplice?*

A mechanism to binary patch the running hypervisor with new
opcodes that have come about primarily due to security updates.

*What will this patchset do once I have it?*

Patch the hypervisor.

*Why are you emailing me?*

Please please review the patches. The first three are the foundation of the
design and everything else depends on them.

*Do they depend on anything?*

Yes, I've sent some of the prerequisite patches:
http://lists.xen.org/archives/html/xen-devel/2016-02/msg01724.html

*OK, what do you have?*

They are located at a git tree:
  git://xenbits.xen.org/people/konradwilk/xen.git xsplice.v3

(Copying from Ross's email):

Much of the work is implementing a basic version of the Linux kernel module
loader. The code:
* Loading of xSplice ELF payloads.
* Copying allocated sections into a new executable region of memory.
* Resolving symbols.
* Applying relocations.
* Patching of altinstructions.
* Special handling of bug frames and exception tables.
* Unloading of xSplice ELF payloads.
* Compiling a sample xSplice ELF payload
* Resolving symbols (*NEW*)
* Using build-id dependencies (*NEW*)
* Support for shadow variable framework (*NEW*)
* Support for executing ELF payload functions on load/unload. (*NEW*)

The other main bit of this work is applying and reverting the patches safely.
As implemented, the code is patched with each CPU waiting in the
return-to-guest path (i.e. with no stack) or on the cpu-idle path,
which appears to be the safest way of patching. While it is safe, we should
still (in the next wave of patches) verify that we do not patch certain
critical sections (say, the code doing the patching).

All of the following should work:
* Applying patches safely.
* Reverting patches safely.
* Replacing patches safely (e.g. reverting any applied patches and applying
   a new patch).
* Bug frames as part of modules. This means adding or
  changing WARN, ASSERT, BUG, and run_in_exception_handler works correctly.
  Line number only changes _are ignored_.
* Exception tables as part of modules. E.g. wrmsr_safe and copy_to_user work
  correctly when used in a patch module.
* Stacking of patches on top of each other
* Resolving symbols (even of patches)

*Limitations*

The above is enough to fully implement an update system where multiple source
patches are combined (using combinediff) and built into a single binary
which then atomically replaces any existing loaded patches
(this is why Ross added a REPLACE operation). This is the approach used
by kPatch and kGraft.

Multiple completely independent patches can also be loaded but unexpected
interactions may occur.

As it stands, the patches are statically linked which means that independent
patches cannot be linked against one another (e.g. if one introduces a
new symbol). Using the combinediff approach above fixes this.

Backtraces containing functions from a patch module do not show the symbol name.

There is no checking that a patch which is loaded is built for the
correct hypervisor (need to use build-id).

Binary patching works at the function level.

*Testing*

You can use the example code included in this patchset:

# xl info | grep extra
xen_extra              : -unstable
# xen-xsplice load /usr/lib/debug/xen_hello_world.xsplice
Uploading /usr/lib/debug/xen_hello_world.xsplice (8785 bytes)
Performing check: completed
Performing apply:. completed
# xl info | grep extra
xen_extra              : Hello World
# xen-xsplice revert xen_hello_world
Performing revert:. completed
# xen-xsplice unload xen_hello_world
Performing unload: completed
# xl info | grep extra
xen_extra              : -unstable

Or you can use git://xenbits.xen.org/people/konradwilk/xsplice-build-tools.git
which generates the ELF payloads.

This link has a nice description of how to use the tool:
http://lists.xenproject.org/archives/html/xen-devel/2015-10/msg02595.html


Konrad Rzeszutek Wilk (13):
      xsplice: Design document (v7).
      xen/xsplice: Hypervisor implementation of XEN_XSPLICE_op (v10)
      libxc: Implementation of XEN_XSPLICE_op in libxc (v5).
      xen-xsplice: Tool to manipulate xsplice payloads (v4)
      x86/xen_hello_world.xsplice: Test payload for patching 'xen_extra_version'. (v2)
      xsm/xen_version: Add XSM for the xen_version hypercall (v8).
      XENVER_build_id: Provide ld-embedded build-ids (v10)
      libxl: info: Display build_id of the hypervisor.
      xsplice: Print build_id in keyhandler.
      xsplice: basic build-id dependency checking.
      xsplice: Print dependency and payloads build_id in the keyhandler.
      xsplice: Add hooks functions and other macros
      xsplice,hello_world: Use the XSPLICE_[UN|]LOAD_HOOK hooks for two functions.

Ross Lagerwall (11):
      elf: Add relocation types to elfstructs.h
      xsplice: Add helper elf routines (v4)
      xsplice: Implement payload loading (v4)
      xsplice: Implement support for applying/reverting/replacing patches. (v5)
      xsplice: Add support for bug frames. (v4)
      xsplice: Add support for exception tables. (v2)
      xsplice: Add support for alternatives
      xsplice: Prevent duplicate payloads to be loaded.
      xsplice,symbols: Implement symbol name resolution on address. (v2)
      x86, xsplice: Print payload's symbol name and module in backtraces
      xsplice: Add support for shadow variables

 .gitignore                                   |    1 +
 Config.mk                                    |   12 +
 docs/misc/xsplice.markdown                   | 1126 ++++++++++++++++++++
 tools/flask/policy/policy/modules/xen/xen.te |   14 +
 tools/libxc/include/xenctrl.h                |   19 +-
 tools/libxc/xc_misc.c                        |  332 ++++++
 tools/libxc/xc_private.c                     |    7 +
 tools/libxc/xc_private.h                     |   10 +
 tools/libxl/libxl.c                          |   45 +
 tools/libxl/libxl.h                          |    5 +
 tools/libxl/libxl_types.idl                  |    1 +
 tools/libxl/xl_cmdimpl.c                     |    1 +
 tools/misc/Makefile                          |    4 +
 tools/misc/xen-xsplice.c                     |  470 ++++++++
 tools/misc/xsplice.lds                       |   11 +
 xen/Makefile                                 |    2 +
 xen/arch/arm/Makefile                        |    7 +-
 xen/arch/arm/xen.lds.S                       |   13 +
 xen/arch/arm/xsplice.c                       |   31 +
 xen/arch/x86/Makefile                        |   46 +-
 xen/arch/x86/alternative.c                   |   12 +-
 xen/arch/x86/boot/mkelf32.c                  |  137 ++-
 xen/arch/x86/domain.c                        |    4 +
 xen/arch/x86/extable.c                       |   36 +-
 xen/arch/x86/hvm/svm/svm.c                   |    2 +
 xen/arch/x86/hvm/vmx/vmcs.c                  |    2 +
 xen/arch/x86/setup.c                         |    7 +
 xen/arch/x86/test/Makefile                   |   63 ++
 xen/arch/x86/test/xen_hello_world.c          |   33 +
 xen/arch/x86/test/xen_hello_world_func.c     |    8 +
 xen/arch/x86/traps.c                         |   36 +-
 xen/arch/x86/xen.lds.S                       |   23 +
 xen/arch/x86/xsplice.c                       |  132 +++
 xen/common/Kconfig                           |   15 +
 xen/common/Makefile                          |    4 +
 xen/common/kernel.c                          |   89 +-
 xen/common/symbols.c                         |   30 +
 xen/common/sysctl.c                          |    7 +
 xen/common/version.c                         |   70 ++
 xen/common/vsprintf.c                        |   18 +-
 xen/common/xsplice.c                         | 1475 ++++++++++++++++++++++++++
 xen/common/xsplice_elf.c                     |  302 ++++++
 xen/common/xsplice_shadow.c                  |  105 ++
 xen/include/asm-arm/bug.h                    |    2 +
 xen/include/asm-arm/nmi.h                    |   13 +
 xen/include/asm-x86/alternative.h            |    1 +
 xen/include/asm-x86/bug.h                    |    2 +
 xen/include/asm-x86/uaccess.h                |    5 +
 xen/include/asm-x86/x86_64/page.h            |    2 +
 xen/include/public/sysctl.h                  |  156 +++
 xen/include/public/version.h                 |   16 +-
 xen/include/xen/elfstructs.h                 |    8 +
 xen/include/xen/kernel.h                     |    1 +
 xen/include/xen/symbols.h                    |    2 +
 xen/include/xen/version.h                    |    6 +
 xen/include/xen/xsplice.h                    |   92 ++
 xen/include/xen/xsplice_elf.h                |   42 +
 xen/include/xen/xsplice_patch.h              |   85 ++
 xen/include/xsm/dummy.h                      |   22 +
 xen/include/xsm/xsm.h                        |    5 +
 xen/xsm/dummy.c                              |    1 +
 xen/xsm/flask/hooks.c                        |   53 +
 xen/xsm/flask/policy/access_vectors          |   32 +
 xen/xsm/flask/policy/security_classes        |    1 +
 64 files changed, 5240 insertions(+), 74 deletions(-)

Ugh! 5K ?! 
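
Added example, not part of the posted series or of Xen's code: the cover letter names a PT_NOTE in xen and build-id dependency checking, so this sketch shows one way to locate a GNU build-id note in a note region and compare it with the id a payload depends on. The function names, the `SAMPLE` buffer and its byte values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define NT_GNU_BUILD_ID 3            /* note type emitted by ld --build-id */
struct note_hdr { uint32_t namesz, descsz, type; };   /* ELF note header */
static size_t align4(size_t n) { return (n + 3) & ~(size_t)3; }

/* Walk a note region; return the build-id bytes and set *len, or NULL if
 * the note is absent or a header claims more bytes than the region holds. */
const uint8_t *find_build_id(const uint8_t *buf, size_t size, size_t *len)
{
    size_t off = 0;
    while (size - off >= sizeof(struct note_hdr)) {
        struct note_hdr h;
        memcpy(&h, buf + off, sizeof(h));        /* no unaligned loads */
        off += sizeof(h);
        size_t left = size - off, name_pad = align4(h.namesz);
        if (h.namesz > left || name_pad > left || h.descsz > left - name_pad)
            return NULL;                         /* sizes are untrusted */
        const uint8_t *name = buf + off, *desc = name + name_pad;
        if (h.type == NT_GNU_BUILD_ID && h.namesz == 4 && h.descsz > 0 &&
            memcmp(name, "GNU", 4) == 0) {
            *len = h.descsz;
            return desc;
        }
        if (align4(h.descsz) > left - name_pad)
            return NULL;
        off += name_pad + align4(h.descsz);
    }
    return NULL;
}

/* 0 when the dependency recorded for a payload matches the image's id. */
int check_dependency(const uint8_t *notes, size_t size,
                     const uint8_t *dep, size_t dep_len)
{
    size_t len = 0;
    const uint8_t *id = find_build_id(notes, size, &len);
    return (id && len == dep_len && memcmp(id, dep, len) == 0) ? 0 : -1;
}

/* Constructed sample: an unrelated note followed by a GNU build-id note. */
static const struct { struct note_hdr h1; char n1[4]; uint8_t d1[4];
                      struct note_hdr h2; char n2[4]; uint8_t d2[8]; }
SAMPLE = { {4, 4, 1}, "abc", {1, 0, 0, 0}, {4, 8, NT_GNU_BUILD_ID}, "GNU",
           {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04} };

int main(void) { return check_dependency((const uint8_t *)&SAMPLE,
                            sizeof(SAMPLE), SAMPLE.d2, sizeof(SAMPLE.d2)); }
```

The length check before `memcmp` matters: comparing only a prefix would let a shorter id match a longer one.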

Thread overview: 86+ messages
2016-02-12 18:05 Konrad Rzeszutek Wilk [this message]
2016-02-12 18:05 ` [PATCH v3 01/23] xen/xsplice: Hypervisor implementation of XEN_XSPLICE_op (v10) Konrad Rzeszutek Wilk
2016-02-12 20:11   ` Andrew Cooper
2016-02-12 20:40     ` Konrad Rzeszutek Wilk
2016-02-12 20:53       ` Andrew Cooper
2016-02-15  8:16       ` Jan Beulich
2016-02-19 19:36     ` Konrad Rzeszutek Wilk
2016-02-19 19:43       ` Andrew Cooper
2016-02-12 18:05 ` [PATCH v3 02/23] libxc: Implementation of XEN_XSPLICE_op in libxc (v5) Konrad Rzeszutek Wilk
2016-02-15 12:35   ` Wei Liu
2016-02-19 20:04     ` Konrad Rzeszutek Wilk
2016-02-12 18:05 ` [PATCH v3 03/23] xen-xsplice: Tool to manipulate xsplice payloads (v4) Konrad Rzeszutek Wilk
2016-02-15 12:59   ` Wei Liu
2016-02-19 20:46     ` Konrad Rzeszutek Wilk
2016-02-12 18:05 ` [PATCH v3 04/23] elf: Add relocation types to elfstructs.h Konrad Rzeszutek Wilk
2016-02-12 20:13   ` Andrew Cooper
2016-02-15  8:34   ` Jan Beulich
2016-02-19 21:05     ` Konrad Rzeszutek Wilk
2016-02-22 10:17       ` Jan Beulich
2016-02-22 15:19       ` Ross Lagerwall
2016-02-12 18:05 ` [PATCH v3 05/23] xsplice: Add helper elf routines (v4) Konrad Rzeszutek Wilk
2016-02-12 20:24   ` Andrew Cooper
2016-02-12 20:47     ` Konrad Rzeszutek Wilk
2016-02-12 20:52       ` Andrew Cooper
2016-02-12 18:05 ` [PATCH v3 06/23] xsplice: Implement payload loading (v4) Konrad Rzeszutek Wilk
2016-02-12 20:48   ` Andrew Cooper
2016-02-19 22:03     ` Konrad Rzeszutek Wilk
2016-02-12 18:05 ` [PATCH v3 07/23] xsplice: Implement support for applying/reverting/replacing patches. (v5) Konrad Rzeszutek Wilk
2016-02-16 19:11   ` Andrew Cooper
2016-02-17  8:58     ` Ross Lagerwall
2016-02-17 10:50     ` Jan Beulich
2016-02-19  9:30     ` Ross Lagerwall
2016-02-23 20:41     ` Konrad Rzeszutek Wilk
2016-02-23 20:53       ` Konrad Rzeszutek Wilk
2016-02-23 20:57       ` Konrad Rzeszutek Wilk
2016-02-23 21:10       ` Andrew Cooper
2016-02-24  9:31         ` Jan Beulich
2016-02-22 15:00   ` Ross Lagerwall
2016-02-22 17:06     ` Ross Lagerwall
2016-02-23 20:47       ` Konrad Rzeszutek Wilk
2016-02-23 20:43     ` Konrad Rzeszutek Wilk
2016-02-12 18:05 ` [PATCH v3 08/23] x86/xen_hello_world.xsplice: Test payload for patching 'xen_extra_version'. (v2) Konrad Rzeszutek Wilk
2016-02-16 11:31   ` Ross Lagerwall
2016-02-12 18:05 ` [PATCH v3 09/23] xsplice: Add support for bug frames. (v4) Konrad Rzeszutek Wilk
2016-02-16 19:35   ` Andrew Cooper
2016-02-24 16:22     ` Konrad Rzeszutek Wilk
2016-02-24 16:30       ` Andrew Cooper
2016-02-24 16:26     ` Konrad Rzeszutek Wilk
2016-02-12 18:05 ` [PATCH v3 10/23] xsplice: Add support for exception tables. (v2) Konrad Rzeszutek Wilk
2016-02-12 18:05 ` [PATCH v3 11/23] xsplice: Add support for alternatives Konrad Rzeszutek Wilk
2016-02-16 19:41   ` Andrew Cooper
2016-02-12 18:05 ` [PATCH v3 12/23] xsm/xen_version: Add XSM for the xen_version hypercall (v8) Konrad Rzeszutek Wilk
2016-02-12 21:52   ` Daniel De Graaf
2016-02-12 18:05 ` [PATCH v3 13/23] XENVER_build_id: Provide ld-embedded build-ids (v10) Konrad Rzeszutek Wilk
2016-02-12 21:52   ` Daniel De Graaf
2016-02-16 20:09   ` Andrew Cooper
2016-02-16 20:22     ` Konrad Rzeszutek Wilk
2016-02-16 20:26       ` Andrew Cooper
2016-02-16 20:40         ` Konrad Rzeszutek Wilk
2016-02-24 18:52     ` Konrad Rzeszutek Wilk
2016-02-24 19:13       ` Andrew Cooper
2016-02-24 20:54         ` Konrad Rzeszutek Wilk
2016-02-12 18:05 ` [PATCH v3 14/23] libxl: info: Display build_id of the hypervisor Konrad Rzeszutek Wilk
2016-02-15 12:45   ` Wei Liu
2016-02-12 18:05 ` [PATCH v3 15/23] xsplice: Print build_id in keyhandler Konrad Rzeszutek Wilk
2016-02-16 20:13   ` Andrew Cooper
2016-02-12 18:05 ` [PATCH v3 16/23] xsplice: basic build-id dependency checking Konrad Rzeszutek Wilk
2016-02-12 18:05 ` [PATCH v3 17/23] xsplice: Print dependency and payloads build_id in the keyhandler Konrad Rzeszutek Wilk
2016-02-16 20:20   ` Andrew Cooper
2016-02-17 11:10     ` Jan Beulich
2016-02-24 21:54       ` Konrad Rzeszutek Wilk
2016-02-25  8:47         ` Jan Beulich
2016-02-12 18:05 ` [PATCH v3 18/23] xsplice: Prevent duplicate payloads to be loaded Konrad Rzeszutek Wilk
2016-02-12 18:05 ` [PATCH v3 19/23] xsplice, symbols: Implement symbol name resolution on address. (v2) Konrad Rzeszutek Wilk
2016-02-22 14:57   ` Ross Lagerwall
2016-02-12 18:05 ` [PATCH v3 20/23] x86, xsplice: Print payload's symbol name and module in backtraces Konrad Rzeszutek Wilk
2016-02-12 18:05 ` [PATCH v3 21/23] xsplice: Add support for shadow variables Konrad Rzeszutek Wilk
2016-03-07  7:40   ` Martin Pohlack
2016-03-15 18:02     ` Konrad Rzeszutek Wilk
2016-03-07 18:52   ` Martin Pohlack
2016-02-12 18:06 ` [PATCH v3 22/23] xsplice: Add hooks functions and other macros Konrad Rzeszutek Wilk
2016-02-12 18:06 ` [PATCH v3 23/23] xsplice, hello_world: Use the XSPLICE_[UN|]LOAD_HOOK hooks for two functions Konrad Rzeszutek Wilk
2016-02-12 21:57 ` [PATCH v3] xSplice v1 implementation and design Konrad Rzeszutek Wilk
2016-02-12 21:57   ` [PATCH v3 MISSING/23] xsplice: Design document (v7) Konrad Rzeszutek Wilk
2016-02-18 16:20     ` Jan Beulich
2016-02-19 18:36       ` Konrad Rzeszutek Wilk
