* [livepatch-build-tools: independ. modules] livepatch-build: Embed hypervisor build id into every hotpatch
@ 2019-04-16 12:57 Pawel Wieczorkiewicz
  2019-04-25  4:49 ` Konrad Rzeszutek Wilk
From: Pawel Wieczorkiewicz @ 2019-04-16 12:57 UTC (permalink / raw)
  To: xen-devel; +Cc: mpohlack, ross.lagerwall, Pawel Wieczorkiewicz, konrad.wilk

This change is part of an independent stacked hotpatch modules
feature. This feature allows bypassing dependencies between modules
upon loading, but still verifies Xen build ID matching.

With stacked hotpatch modules it is essential that each and every
hotpatch is verified against the hypervisor build id upon upload.
It must not be possible to successfully upload hotpatches built for
an incorrect version of the hypervisor.

To achieve that, always embed an additional ELF section,
'.livepatch.xen_depends', containing the hypervisor build id.

The hypervisor build id must always be provided as a command line
parameter: --xen-depends.

Signed-off-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
Reviewed-by: Andra-Irina Paraschiv <andraprs@amazon.com>
Reviewed-by: Bjoern Doebel <doebel@amazon.de>
Reviewed-by: Norbert Manthey <nmanthey@amazon.de>
---
 livepatch-build | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/livepatch-build b/livepatch-build
index c057fa1..0938b3a 100755
--- a/livepatch-build
+++ b/livepatch-build
@@ -30,6 +30,7 @@ DEBUG=n
 XEN_DEBUG=n
 SKIP=
 DEPENDS=
+XEN_DEPENDS=
 PRELINK=
 XENSYMS=xen-syms
 
@@ -157,6 +158,9 @@ function create_patch()
     # Create a dependency section
     perl -e "print pack 'VVVZ*H*', 4, 20, 3, 'GNU', '${DEPENDS}'" > depends.bin
 
+    # Create a Xen dependency section
+    perl -e "print pack 'VVVZ*H*', 4, 20, 3, 'GNU', '${XEN_DEPENDS}'" > xen_depends.bin
+
     echo "Creating patch module..."
     if [ -z "$PRELINK" ]; then
         ld -r -o "${PATCHNAME}.livepatch" --build-id=sha1 $(find output -type f -name "*.o") || die
@@ -168,6 +172,9 @@ function create_patch()
 
     objcopy --add-section .livepatch.depends=depends.bin "${PATCHNAME}.livepatch"
     objcopy --set-section-flags .livepatch.depends=alloc,readonly "${PATCHNAME}.livepatch"
+
+    objcopy --add-section .livepatch.xen_depends=xen_depends.bin "${PATCHNAME}.livepatch"
+    objcopy --set-section-flags .livepatch.xen_depends=alloc,readonly "${PATCHNAME}.livepatch"
 }
 
 usage() {
@@ -183,12 +190,13 @@ usage() {
     echo "        --xen-debug        Build debug Xen (if your .config does not have the options)" >&2
     echo "        --xen-syms         Build against a xen-syms" >&2
     echo "        --depends          Required build-id" >&2
+    echo "        --xen-depends      Required Xen build-id" >&2
     echo "        --prelink          Prelink" >&2
 }
 
 find_tools || die "can't find supporting tools"
 
-options=$(getopt -o hs:p:c:o:j:k:d -l "help,srcdir:,patch:,config:,output:,cpus:,skip:,debug,xen-debug,xen-syms:,depends:,prelink" -- "$@") || die "getopt failed"
+options=$(getopt -o hs:p:c:o:j:k:d -l "help,srcdir:,patch:,config:,output:,cpus:,skip:,debug,xen-debug,xen-syms:,depends:,xen-depends:,prelink" -- "$@") || die "getopt failed"
 
 eval set -- "$options"
 
@@ -247,6 +255,11 @@ while [[ $# -gt 0 ]]; do
             DEPENDS="$1"
             shift
             ;;
+        --xen-depends)
+            shift
+            XEN_DEPENDS="$1"
+            shift
+            ;;
         --prelink)
             PRELINK=--resolve
             shift
@@ -263,6 +276,7 @@ done
 [ -z "$configarg" ] && die ".config not given"
 [ -z "$outputarg" ] && die "Output directory not given"
 [ -z "$DEPENDS" ] && die "Build-id dependency not given"
+[ -z "$XEN_DEPENDS" ] && die "Xen Build-id dependency not given"
 
 SRCDIR="$(readlink -m -- "$srcarg")"
 PATCHFILE="$(readlink -m -- "$patcharg")"
-- 
2.16.5
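The note that create_patch writes with perl pack 'VVVZ*H*' and the upload-time comparison the commit message describes, as an added Python example that is not part of livepatch-build-tools or Xen; the build ids are constructed sample values and the hypervisor's comparison is assumed to be a byte-for-byte match of the note payload against its own build id.

```python
import struct

# ELF note type 3 with name "GNU": the layout create_patch packs with 'VVVZ*H*'
NT_GNU_BUILD_ID = 3

# Constructed sample build ids (not real Xen builds): 40 hex chars = 20-byte SHA1
XEN_BUILD_ID = "0123456789abcdef0123456789abcdef01234567"
OTHER_BUILD_ID = "fedcba9876543210fedcba9876543210fedcba98"


def make_xen_depends_note(build_id_hex: str) -> bytes:
    """Same bytes as: perl -e "print pack 'VVVZ*H*', 4, 20, 3, 'GNU', '<id>'"
    V = little-endian u32, Z* = NUL-terminated string, H* = hex digits to bytes.
    descsz is hardcoded to 20 exactly as the script does, whatever the id length."""
    return struct.pack("<III", 4, 20, NT_GNU_BUILD_ID) + b"GNU\0" + bytes.fromhex(build_id_hex)


def parse_note(blob: bytes):
    """Decode one ELF note; return (name, type, desc) or raise ValueError when the
    header and the payload disagree (the failure mode of a wrong-length build id)."""
    if len(blob) < 12:
        raise ValueError("note header truncated")
    namesz, descsz, ntype = struct.unpack_from("<III", blob, 0)
    name = blob[12:12 + namesz]
    if len(name) != namesz or not name.endswith(b"\0"):
        raise ValueError("note name truncated or not NUL-terminated")
    desc = blob[12 + namesz:12 + namesz + descsz]
    if len(desc) != descsz:
        raise ValueError(f"descsz={descsz} but only {len(desc)} payload bytes present")
    return name.rstrip(b"\0").decode("ascii"), ntype, desc


def note_is_well_formed(blob: bytes) -> bool:
    try:
        parse_note(blob)
        return True
    except ValueError:
        return False


def xen_build_id_matches(note_blob: bytes, running_xen_build_id: str) -> bool:
    """The upload-time check from the commit message, assumed here to be a
    byte-for-byte comparison of the note payload with the hypervisor's build id."""
    name, ntype, desc = parse_note(note_blob)
    if name != "GNU" or ntype != NT_GNU_BUILD_ID:
        return False
    return desc == bytes.fromhex(running_xen_build_id)
```

A note built from a 4-character id parses as malformed because its header still claims 20 payload bytes, which is the case the reviewer notes above ask the script to reject up front.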







_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel


* Re: [livepatch-build-tools: independ. modules] livepatch-build: Embed hypervisor build id into every hotpatch
@ 2019-04-25  4:49 ` Konrad Rzeszutek Wilk
From: Konrad Rzeszutek Wilk @ 2019-04-25  4:49 UTC (permalink / raw)
  To: Pawel Wieczorkiewicz; +Cc: mpohlack, ross.lagerwall, xen-devel

On Tue, Apr 16, 2019 at 12:57:14PM +0000, Pawel Wieczorkiewicz wrote:
> This change is part of an independent stacked hotpatch modules
> feature. This feature allows bypassing dependencies between modules
> upon loading, but still verifies Xen build ID matching.
> 
> With stacked hotpatch modules it is essential that each and every
> hotpatch is verified against the hypervisor build id upon upload.
> It must not be possible to successfully upload hotpatches built for
> an incorrect version of the hypervisor.
> 
> To achieve that, always embed an additional ELF section,
> '.livepatch.xen_depends', containing the hypervisor build id.
> 
> The hypervisor build id must always be provided as a command line
> parameter: --xen-depends.
> 
> Signed-off-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
> Reviewed-by: Andra-Irina Paraschiv <andraprs@amazon.com>
> Reviewed-by: Bjoern Doebel <doebel@amazon.de>
> Reviewed-by: Norbert Manthey <nmanthey@amazon.de>

This patch looks OK, but I would want to wait until the Xen hypervisor
one gets the test-cases+documentation changes.



