From patchwork Tue Nov 26 12:25:05 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Wieczorkiewicz, Pawel" X-Patchwork-Id: 11262099 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D52C917F0 for ; Tue, 26 Nov 2019 12:26:30 +0000 (UTC) Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id B2FA52071E for ; Tue, 26 Nov 2019 12:26:30 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=amazon.de header.i=@amazon.de header.b="qSiWVF4L" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org B2FA52071E Authentication-Results: mail.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=amazon.de Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iZZuT-0004VA-2O; Tue, 26 Nov 2019 12:25:37 +0000 Received: from all-amaz-eas1.inumbo.com ([34.197.232.57] helo=us1-amaz-eas2.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iZZuS-0004V2-FG for xen-devel@lists.xenproject.org; Tue, 26 Nov 2019 12:25:36 +0000 X-Inumbo-ID: d8dd05b0-1047-11ea-a39f-12813bfff9fa Received: from smtp-fw-9101.amazon.com (unknown [207.171.184.25]) by us1-amaz-eas2.inumbo.com (Halon) with ESMTPS id d8dd05b0-1047-11ea-a39f-12813bfff9fa; Tue, 26 Nov 2019 12:25:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.de; i=@amazon.de; q=dns/txt; s=amazon201209; t=1574771136; x=1606307136; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version; bh=HR6Q25AMByjcPXEWxExppHvMoBR8pEutP1d1RwP/93Y=; b=qSiWVF4LN2glUlY0/0RB+dS27oVaA1VMCDAoUFU+6AHQfpgqi+s8/zf1 LY41wqm0BC3qvH6GJvEEGrKxKxWq+ZK8yjSwokhAn/oOIyYtgwehf/yo1 fb3YAXSMUOQ2SnO4dInWTGle8EYSkT+zNmwvxNmU5zkozyZ2erXHUZRXj g=; IronPort-SDR: y1wg3m7RdO4awonVWlyS/OkxtNs6M35IFQdD2WdIGVK/25JaMk/Is7SL2HiABi1RK+dAp5gRF8 3IXodFi76iiA== X-IronPort-AV: E=Sophos;i="5.69,245,1571702400"; d="scan'208";a="1534199" Received: from sea32-co-svc-lb4-vlan3.sea.corp.amazon.com (HELO email-inbound-relay-2c-2225282c.us-west-2.amazon.com) ([10.47.23.38]) by smtp-border-fw-out-9101.sea19.amazon.com with ESMTP; 26 Nov 2019 12:25:24 +0000 Received: from EX13MTAUEA001.ant.amazon.com (pdx4-ws-svc-p6-lb7-vlan3.pdx.amazon.com [10.170.41.166]) by email-inbound-relay-2c-2225282c.us-west-2.amazon.com (Postfix) with ESMTPS id B127AA28F7; Tue, 26 Nov 2019 12:25:23 +0000 (UTC) Received: from EX13D03EUC004.ant.amazon.com (10.43.164.33) by EX13MTAUEA001.ant.amazon.com (10.43.61.243) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Tue, 26 Nov 2019 12:25:23 +0000 Received: from EX13MTAUWC001.ant.amazon.com (10.43.162.135) by EX13D03EUC004.ant.amazon.com (10.43.164.33) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Tue, 26 Nov 2019 12:25:22 +0000 Received: from dev-dsk-wipawel-1a-0c4e6d58.eu-west-1.amazon.com (10.4.134.33) by mail-relay.amazon.com (10.43.162.232) with Microsoft SMTP Server id 15.0.1367.3 via Frontend Transport; Tue, 26 Nov 2019 12:25:19 +0000 From: Pawel Wieczorkiewicz To: Date: Tue, 26 Nov 2019 12:25:05 +0000 Message-ID: <20191126122511.7409-2-wipawel@amazon.de> X-Mailer: git-send-email 2.16.5 In-Reply-To: <20191126122511.7409-1-wipawel@amazon.de> References: <20191126122511.7409-1-wipawel@amazon.de> MIME-Version: 1.0 Precedence: Bulk Subject: [Xen-devel] [PATCH v3 1/7] livepatch-build: Embed hypervisor build id into every hotpatch X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: Pawel Wieczorkiewicz , Ross Lagerwall , mpohlack@amazon.com, Konrad Rzeszutek Wilk Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" This change is part of a independant stacked hotpatch modules feature. This feature allows to bypass dependencies between modules upon loading, but still verifies Xen build ID matching. With stacked hotpatch modules it is essential that each and every hotpatch is verified against the hypervisor build id upon upload. It must not be possible to successfully upload hotpatches built for incorrect version of the hypervisor. To achieve that always embed an additional ELF section: '.livpatch.xen_depends' containing the hypervisor build id. The hypervisor build id must be always provided as a command line parameter: --xen-depends. Signed-off-by: Pawel Wieczorkiewicz Reviewed-by: Andra-Irina Paraschiv Reviewed-by: Bjoern Doebel Reviewed-by: Norbert Manthey Reviewed-by: Ross Lagerwall --- livepatch-build | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/livepatch-build b/livepatch-build index b198c97..b8a1728 100755 --- a/livepatch-build +++ b/livepatch-build @@ -30,6 +30,7 @@ DEBUG=n XEN_DEBUG=n SKIP= DEPENDS= +XEN_DEPENDS= PRELINK= XENSYMS=xen-syms @@ -163,6 +164,9 @@ function create_patch() # Create a dependency section perl -e "print pack 'VVVZ*H*', 4, 20, 3, 'GNU', '${DEPENDS}'" > depends.bin + # Create a Xen dependency section + perl -e "print pack 'VVVZ*H*', 4, 20, 3, 'GNU', '${XEN_DEPENDS}'" > xen_depends.bin + echo "Creating patch module..." if [ -z "$PRELINK" ]; then ld -r -o "${PATCHNAME}.livepatch" --build-id=sha1 $(find output -type f -name "*.o") || die @@ -174,6 +178,9 @@ function create_patch() objcopy --add-section .livepatch.depends=depends.bin "${PATCHNAME}.livepatch" objcopy --set-section-flags .livepatch.depends=alloc,readonly "${PATCHNAME}.livepatch" + + objcopy --add-section .livepatch.xen_depends=xen_depends.bin "${PATCHNAME}.livepatch" + objcopy --set-section-flags .livepatch.xen_depends=alloc,readonly "${PATCHNAME}.livepatch" } usage() { @@ -189,12 +196,13 @@ usage() { echo " --xen-debug Build debug Xen (if your .config does not have the options)" >&2 echo " --xen-syms Build against a xen-syms" >&2 echo " --depends Required build-id" >&2 + echo " --xen-depends Required Xen build-id" >&2 echo " --prelink Prelink" >&2 } find_tools || die "can't find supporting tools" -options=$(getopt -o hs:p:c:o:j:k:d -l "help,srcdir:,patch:,config:,output:,cpus:,skip:,debug,xen-debug,xen-syms:,depends:,prelink" -- "$@") || die "getopt failed" +options=$(getopt -o hs:p:c:o:j:k:d -l "help,srcdir:,patch:,config:,output:,cpus:,skip:,debug,xen-debug,xen-syms:,depends:,xen-depends:,prelink" -- "$@") || die "getopt failed" eval set -- "$options" @@ -253,6 +261,11 @@ while [[ $# -gt 0 ]]; do DEPENDS="$1" shift ;; + --xen-depends) + shift + XEN_DEPENDS="$1" + shift + ;; --prelink) PRELINK=--resolve shift @@ -269,6 +282,7 @@ done [ -z "$configarg" ] && die ".config not given" [ -z "$outputarg" ] && die "Output directory not given" [ -z "$DEPENDS" ] && die "Build-id dependency not given" +[ -z "$XEN_DEPENDS" ] && die "Xen Build-id dependency not given" SRCDIR="$(readlink -m -- "$srcarg")" # We need an absolute path because we move around, but we need to