From patchwork Wed Aug 21 08:19:18 2019
X-Patchwork-Submitter: "Wieczorkiewicz, Pawel"
X-Patchwork-Id: 11105981
From: Pawel Wieczorkiewicz
Date: Wed, 21 Aug 2019 08:19:18 +0000
Message-ID: <20190821081931.90887-2-wipawel@amazon.de>
In-Reply-To: <20190821081931.90887-1-wipawel@amazon.de>
Subject: [Xen-devel] [PATCH 01/14] livepatch: Always check hypervisor build ID upon hotpatch upload
Cc: wipawel@amazon.com, Stefano Stabellini, Wei Liu, Konrad Rzeszutek Wilk, George Dunlap, Andrew Cooper, Ross Lagerwall, Ian Jackson, mpohlack@amazon.com, Tim Deegan, Pawel Wieczorkiewicz, Julien Grall, Jan Beulich

This change is part of an independent stacked hotpatch modules feature. This feature allows to bypass dependencies between modules upon loading, but still verifies Xen build ID matching.

In order to prevent (up)loading any hotpatches built for different hypervisor version as indicated by the Xen Build ID, add checking for the payload's vs Xen's build id match.

To achieve that embed into every hotpatch another section with a dedicated hypervisor build id in it. After the payload is loaded and the .livepatch.xen_depends section becomes available, perform the check and reject the payload if there is no match.

Signed-off-by: Pawel Wieczorkiewicz
Reviewed-by: Andra-Irina Paraschiv
Reviewed-by: Bjoern Doebel
Reviewed-by: Eslam Elnikety
Reviewed-by: Martin Pohlack
---
 .gitignore | 1 +
 docs/misc/livepatch.pandoc | 28 +++++++++++++++++++--------
 xen/common/livepatch.c | 47 +++++++++++++++++++++++++++++++++++++++++++++
 xen/include/xen/livepatch.h | 7 ++++---
 xen/test/livepatch/Makefile | 31 +++++++++++++++++++++++++-----
 5 files changed, 98 insertions(+), 16 deletions(-)
diff --git a/.gitignore b/.gitignore index 3c947ac948..6f83fc8728 100644 --- a/.gitignore +++ b/.gitignore @@ -312,6 +312,7 @@ xen/test/livepatch/xen_bye_world.livepatch xen/test/livepatch/xen_hello_world.livepatch xen/test/livepatch/xen_nop.livepatch xen/test/livepatch/xen_replace_world.livepatch +xen/test/livepatch/xen_no_xen_buildid.livepatch xen/tools/kconfig/.tmp_gtkcheck xen/tools/kconfig/.tmp_qtcheck xen/tools/symbols diff --git a/docs/misc/livepatch.pandoc b/docs/misc/livepatch.pandoc index 6d9f72f49b..fd1f5d0126 100644 --- a/docs/misc/livepatch.pandoc +++ b/docs/misc/livepatch.pandoc @@ -270,6 +270,8 @@ like what the Linux kernel module loader does. The payload contains at least three sections: * `.livepatch.funcs` - which is an array of livepatch_func structures. + * `.livepatch.xen_depends` - which is an ELF Note that describes what Xen + build-id the payload depends on. **MUST** have one. * `.livepatch.depends` - which is an ELF Note that describes what the payload depends on. **MUST** have one. * `.note.gnu.build-id` - the build-id of this payload. **MUST** have one. 
@@ -383,16 +385,16 @@ The type definition of the function are as follow: typedef void (*livepatch_loadcall_t)(void); typedef void (*livepatch_unloadcall_t)(void); -### .livepatch.depends and .note.gnu.build-id +### .livepatch.xen_depends, .livepatch.depends and .note.gnu.build-id To support dependencies checking and safe loading (to load the appropiate payload against the right hypervisor) there is a need to embbed an build-id dependency. -This is done by the payload containing an section `.livepatch.depends` -which follows the format of an ELF Note. The contents of this -(name, and description) are specific to the linker utilized to -build the hypevisor and payload. +This is done by the payload containing sections `.livepatch.xen_depends` +and `.livepatch.depends` which follow the format of an ELF Note. +The contents of these (name, and description) are specific to the linker +utilized to build the hypevisor and payload. If GNU linker is used then the name is `GNU` and the description is a NT_GNU_BUILD_ID type ID. The description can be an SHA1 @@ -400,6 +402,13 @@ checksum, MD5 checksum or any unique value. The size of these structures varies with the `--build-id` linker option. +There are two kinds of build-id dependencies: + + * Xen build-id dependency (.livepatch.xen_depends section) + * previous payload build-id dependency (.livepatch.depends section) + +See "Live patch interdependencies" for more information. + ## Hypercalls We will employ the sub operations of the system management hypercall (sysctl). 
@@ -894,13 +903,16 @@ but is more complex to implement. The second option which requires an build-id of the hypervisor is implemented in the Xen hypervisor. -Specifically each payload has two build-id ELF notes: +Specifically each payload has three build-id ELF notes: * The build-id of the payload itself (generated via --build-id). + * The build-id of the Xen hypervisor it depends on (extracted from the + hypervisor during build time). * The build-id of the payload it depends on (extracted from the the previous payload or hypervisor during build time). -This means that the very first payload depends on the hypervisor -build-id. +This means that every payload depends on the hypervisor build-id and on +the build-id of the previous payload in the stack. +The very first payload depends on the hypervisor build-id only. # Not Yet Done diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index d6eaae6d3b..6a4af6ce57 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -74,6 +74,7 @@ struct payload { unsigned int nsyms; /* Nr of entries in .strtab and symbols. */ struct livepatch_build_id id; /* ELFNOTE_DESC(.note.gnu.build-id) of the payload. */ struct livepatch_build_id dep; /* ELFNOTE_DESC(.livepatch.depends). */ + struct livepatch_build_id xen_dep; /* ELFNOTE_DESC(.livepatch.xen_depends). */ livepatch_loadcall_t *const *load_funcs; /* The array of funcs to call after */ livepatch_unloadcall_t *const *unload_funcs;/* load and unload of the payload. */ unsigned int n_load_funcs; /* Nr of the funcs to load and execute. */ 
@@ -476,11 +477,34 @@ static bool section_ok(const struct livepatch_elf *elf, return true; } +static int check_xen_build_id(const struct payload *payload) +{ + const void *id = NULL; + unsigned int len = 0; + int rc; + + ASSERT(payload->xen_dep.len); + ASSERT(payload->xen_dep.p); + + rc = xen_build_id(&id, &len); + if ( rc ) + return rc; + + if ( payload->xen_dep.len != len || memcmp(id, payload->xen_dep.p, len) ) { + dprintk(XENLOG_ERR, "%s%s: check against hypervisor build-id failed!\n", + LIVEPATCH, payload->name); + return -EINVAL; + } + + return 0; +} + static int check_special_sections(const struct livepatch_elf *elf) { unsigned int i; static const char *const names[] = { ELF_LIVEPATCH_FUNC, ELF_LIVEPATCH_DEPENDS, + ELF_LIVEPATCH_XEN_DEPENDS, ELF_BUILD_ID_NOTE}; DECLARE_BITMAP(found, ARRAY_SIZE(names)) = { 0 }; @@ -632,6 +656,22 @@ static int prepare_payload(struct payload *payload, return -EINVAL; } + sec = livepatch_elf_sec_by_name(elf, ELF_LIVEPATCH_XEN_DEPENDS); + if ( sec ) + { + n = sec->load_addr; + + if ( sec->sec->sh_size <= sizeof(*n) ) + return -EINVAL; + + if ( xen_build_id_check(n, sec->sec->sh_size, + &payload->xen_dep.p, &payload->xen_dep.len) ) + return -EINVAL; + + if ( !payload->xen_dep.len || !payload->xen_dep.p ) + return -EINVAL; + } + /* Setup the virtual region with proper data. */ region = &payload->region; @@ -882,6 +922,10 @@ static int load_payload_data(struct payload *payload, void *raw, size_t len) if ( rc ) goto out; + rc = check_xen_build_id(payload); + if ( rc ) + goto out; + rc = build_symbol_table(payload, &elf); if ( rc ) goto out; @@ -1655,6 +1699,9 @@ static void livepatch_printall(unsigned char key) if ( data->dep.len ) printk("depend-on=%*phN\n", data->dep.len, data->dep.p); + + if ( data->xen_dep.len ) + printk("depend-on-xen=%*phN\n", data->xen_dep.len, data->xen_dep.p); } spin_unlock(&payload_lock); diff --git a/xen/include/xen/livepatch.h b/xen/include/xen/livepatch.h index 1b1817ca0d..ed997aa4cc 100644 
--- a/xen/include/xen/livepatch.h +++ b/xen/include/xen/livepatch.h @@ -29,9 +29,10 @@ struct xen_sysctl_livepatch_op; /* Convenience define for printk. */ #define LIVEPATCH "livepatch: " /* ELF payload special section names. */ -#define ELF_LIVEPATCH_FUNC ".livepatch.funcs" -#define ELF_LIVEPATCH_DEPENDS ".livepatch.depends" -#define ELF_BUILD_ID_NOTE ".note.gnu.build-id" +#define ELF_LIVEPATCH_FUNC ".livepatch.funcs" +#define ELF_LIVEPATCH_DEPENDS ".livepatch.depends" +#define ELF_LIVEPATCH_XEN_DEPENDS ".livepatch.xen_depends" +#define ELF_BUILD_ID_NOTE ".note.gnu.build-id" /* Arbitrary limit for payload size and .bss section size. */ #define LIVEPATCH_MAX_SIZE MB(2) diff --git a/xen/test/livepatch/Makefile b/xen/test/livepatch/Makefile index 6831383db1..fdb82782d2 100644 --- a/xen/test/livepatch/Makefile +++ b/xen/test/livepatch/Makefile @@ -19,11 +19,13 @@ LIVEPATCH := xen_hello_world.livepatch LIVEPATCH_BYE := xen_bye_world.livepatch LIVEPATCH_REPLACE := xen_replace_world.livepatch LIVEPATCH_NOP := xen_nop.livepatch +LIVEPATCH_NO_XEN_BUILDID := xen_no_xen_buildid.livepatch LIVEPATCHES += $(LIVEPATCH) LIVEPATCHES += $(LIVEPATCH_BYE) LIVEPATCHES += $(LIVEPATCH_REPLACE) LIVEPATCHES += $(LIVEPATCH_NOP) +LIVEPATCHES += $(LIVEPATCH_NO_XEN_BUILDID) LIVEPATCH_DEBUG_DIR ?= $(DEBUG_DIR)/xen-livepatch @@ -59,7 +61,7 @@ config.h: xen_hello_world_func.o xen_hello_world.o: config.h .PHONY: $(LIVEPATCH) -$(LIVEPATCH): xen_hello_world_func.o xen_hello_world.o note.o +$(LIVEPATCH): xen_hello_world_func.o xen_hello_world.o note.o xen_note.o $(LD) $(LDFLAGS) $(build_id_linker) -r -o $(LIVEPATCH) $^ # 
@@ -78,6 +80,17 @@ note.o: --rename-section=.data=.livepatch.depends,alloc,load,readonly,data,contents -S $@.bin $@ rm -f $@.bin +# +# Append .livepatch.xen_depends section +# with Xen build-id derived from xen-syms. +# +.PHONY: xen_note.o +xen_note.o: + $(OBJCOPY) -O binary --only-section=.note.gnu.build-id $(BASEDIR)/xen-syms $@.bin + $(OBJCOPY) $(OBJCOPY_MAGIC) \ + --rename-section=.data=.livepatch.xen_depends,alloc,load,readonly,data,contents -S $@.bin $@ + rm -f $@.bin + # # Extract the build-id of the xen_hello_world.livepatch # (which xen_bye_world will depend on). 
@@ -92,20 +105,28 @@ hello_world_note.o: $(LIVEPATCH) xen_bye_world.o: config.h .PHONY: $(LIVEPATCH_BYE) -$(LIVEPATCH_BYE): xen_bye_world_func.o xen_bye_world.o hello_world_note.o +$(LIVEPATCH_BYE): xen_bye_world_func.o xen_bye_world.o hello_world_note.o xen_note.o $(LD) $(LDFLAGS) $(build_id_linker) -r -o $(LIVEPATCH_BYE) $^ xen_replace_world.o: config.h .PHONY: $(LIVEPATCH_REPLACE) -$(LIVEPATCH_REPLACE): xen_replace_world_func.o xen_replace_world.o note.o +$(LIVEPATCH_REPLACE): xen_replace_world_func.o xen_replace_world.o note.o xen_note.o $(LD) $(LDFLAGS) $(build_id_linker) -r -o $(LIVEPATCH_REPLACE) $^ xen_nop.o: config.h .PHONY: $(LIVEPATCH_NOP) -$(LIVEPATCH_NOP): xen_nop.o note.o +$(LIVEPATCH_NOP): xen_nop.o note.o xen_note.o $(LD) $(LDFLAGS) $(build_id_linker) -r -o $(LIVEPATCH_NOP) $^ +# This one always fails upon upload, because it deliberetely +# does not have a .livepatch.xen_depends (xen_note.o) section. +xen_no_xen_buildid.o: config.h + +.PHONY: $(LIVEPATCH_NO_XEN_BUILDID) +$(LIVEPATCH_NO_XEN_BUILDID): xen_nop.o note.o + $(LD) $(LDFLAGS) $(build_id_linker) -r -o $(LIVEPATCH_NO_XEN_BUILDID) $^ + .PHONY: livepatch -livepatch: $(LIVEPATCH) $(LIVEPATCH_BYE) $(LIVEPATCH_REPLACE) $(LIVEPATCH_NOP) +livepatch: $(LIVEPATCH) $(LIVEPATCH_BYE) $(LIVEPATCH_REPLACE) $(LIVEPATCH_NOP) $(LIVEPATCH_NO_XEN_BUILDID) From patchwork Wed Aug 21 08:19:19 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Wieczorkiewicz, Pawel" X-Patchwork-Id: 11105985 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 46F1B1395 for ; Wed, 21 Aug 2019 08:21:50 +0000 (UTC) Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 17CB62339F for ; 
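Review bot: in docs/misc/livepatch.pandoc (hunk at -270), the context line still reads "The payload contains at least three sections:" although the list has four entries once `.livepatch.xen_depends` is added. Update or drop the count in this patch; the later hunk at -894 already changes "two build-id ELF notes" to "three", so this one looks like an oversight.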
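Review bot: in check_xen_build_id() (xen/common/livepatch.c, hunk at -476), the two ASSERT()s on payload->xen_dep.len and payload->xen_dep.p turn a payload that reaches this point without a parsed note into an assertion failure instead of an error return. A zero xen_dep.len would already fail the length comparison against a non-empty hypervisor build-id, so an explicit `return -EINVAL` (or no ASSERT at all) handles untrusted input more gracefully. As a style point, the opening brace of the `if ( payload->xen_dep.len != len || ... ) {` sits on the same line, unlike the `if ( sec )` block this patch adds in prepare_payload().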
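Review bot: in prepare_payload() (xen/common/livepatch.c, hunk at -632), the new parsing block is wrapped in `if ( sec )`, so a payload without `.livepatch.xen_depends` passes through this function with xen_dep left unset, and rejection then depends on other code (the names[] entry added to check_special_sections() and the later check_xen_build_id() call). The documentation hunk says the section MUST be present, so an `else return -EINVAL;` here would enforce that where the section is parsed and make the later ASSERT()s provably unreachable.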
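Review bot: in xen/test/livepatch/Makefile (last hunk), the rule `xen_no_xen_buildid.o: config.h` names an object that $(LIVEPATCH_NO_XEN_BUILDID) never links, since its prerequisites are `xen_nop.o note.o`. Drop the unused rule or add a matching source file. The comment above it has a typo ("deliberetely"), and nothing in the visible lines checks that uploading this payload is actually rejected, so a sentence on how the negative test is meant to be run would help.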
From: Pawel Wieczorkiewicz
Date: Wed, 21 Aug 2019 08:19:19 +0000
Message-ID: <20190821081931.90887-3-wipawel@amazon.de>
In-Reply-To: <20190821081931.90887-1-wipawel@amazon.de>
Subject: [Xen-devel] [PATCH 02/14] livepatch: Allow to override inter-modules buildid dependency
Cc: wipawel@amazon.com, Stefano Stabellini, Wei Liu, Konrad Rzeszutek Wilk, George Dunlap, Andrew Cooper, Ross Lagerwall, Ian Jackson, mpohlack@amazon.com, Tim Deegan, Pawel Wieczorkiewicz, Julien Grall, Jan Beulich

By default Livepatch enforces the following buildid-based dependency chain between hotpatch modules:
 1) first module depends on given hypervisor buildid
 2) every consecutive module depends on previous module's buildid
This way proper hotpatch stack order is maintained and enforced. While it is important for production hotpatches it limits agility and blocks usage of testing or debug hotpatches. These kinds of hotpatch modules are typically expected to be loaded at any time irrespective of current state of the modules stack.

To enable testing and debug hotpatches allow the user to dynamically ignore the inter-modules dependency. In this case only hypervisor buildid match is verified and enforced.

To allow userland to pass additional parameters for livepatch actions add support for action flags. Each of the apply, revert, unload and revert action gets an additional 64-bit parameter 'flags' where extra flags can be applied in a mask form. Initially only one flag '--nodeps' is added for the apply action. This flag modifies the default buildid dependency check as described above.

The global sysctl interface input flag parameter is defined with a single corresponding flag macro: LIVEPATCH_ACTION_APPLY_NODEPS (1 << 0) The userland xen-livepatch tool is modified to support the '--nodeps' flag for apply and load commands. A general mechanism for specifying more flags in the future for apply and other action is however added. Signed-off-by: Pawel Wieczorkiewicz Reviewed-by: Andra-Irina Paraschiv Reviewed-by: Eslam Elnikety Reviewed-by: Petre Eftime Reviewed-by: Leonard Foerster Reviewed-by: Martin Pohlack Reviewed-by: Norbert Manthey --- tools/libxc/include/xenctrl.h | 9 ++-- tools/libxc/xc_misc.c | 20 +++---- tools/misc/xen-livepatch.c | 121 +++++++++++++++++++++++++++++++++++------- xen/common/livepatch.c | 14 +++-- xen/include/public/sysctl.h | 11 +++- 5 files changed, 139 insertions(+), 36 deletions(-) diff --git a/tools/libxc/include/xenctrl.h b/tools/libxc/include/xenctrl.h index 0ff6ed9e70..725697c132 100644 --- a/tools/libxc/include/xenctrl.h +++ b/tools/libxc/include/xenctrl.h 
@@ -2607,11 +2607,12 @@ int xc_livepatch_list(xc_interface *xch, unsigned int max, unsigned int start, * to complete them. The `timeout` offers an option to expire the * operation if it could not be completed within the specified time * (in ns). Value of 0 means let hypervisor decide the best timeout. + * The `flags` allows to pass extra parameters to the actions. */ -int xc_livepatch_apply(xc_interface *xch, char *name, uint32_t timeout); -int xc_livepatch_revert(xc_interface *xch, char *name, uint32_t timeout); -int xc_livepatch_unload(xc_interface *xch, char *name, uint32_t timeout); -int xc_livepatch_replace(xc_interface *xch, char *name, uint32_t timeout); +int xc_livepatch_apply(xc_interface *xch, char *name, uint32_t timeout, uint64_t flags); +int xc_livepatch_revert(xc_interface *xch, char *name, uint32_t timeout, uint64_t flags); +int xc_livepatch_unload(xc_interface *xch, char *name, uint32_t timeout, uint64_t flags); +int xc_livepatch_replace(xc_interface *xch, char *name, uint32_t timeout, uint64_t flags); /* * Ensure cache coherency after memory modifications. A call to this function diff --git a/tools/libxc/xc_misc.c b/tools/libxc/xc_misc.c index 8e60b6e9f0..a8e9e7d1e2 100644 --- a/tools/libxc/xc_misc.c +++ b/tools/libxc/xc_misc.c @@ -854,7 +854,8 @@ int xc_livepatch_list(xc_interface *xch, unsigned int max, unsigned int start, static int _xc_livepatch_action(xc_interface *xch, char *name, unsigned int action, - uint32_t timeout) + uint32_t timeout, + uint64_t flags) { int rc; DECLARE_SYSCTL; @@ -880,6 +881,7 @@ static int _xc_livepatch_action(xc_interface *xch, sysctl.u.livepatch.pad = 0; sysctl.u.livepatch.u.action.cmd = action; sysctl.u.livepatch.u.action.timeout = timeout; + sysctl.u.livepatch.u.action.flags = flags; sysctl.u.livepatch.u.action.name = def_name; set_xen_guest_handle(sysctl.u.livepatch.u.action.name.name, name); 
@@ -891,24 +893,24 @@ static int _xc_livepatch_action(xc_interface *xch, return rc; } -int xc_livepatch_apply(xc_interface *xch, char *name, uint32_t timeout) +int xc_livepatch_apply(xc_interface *xch, char *name, uint32_t timeout, uint64_t flags) { - return _xc_livepatch_action(xch, name, LIVEPATCH_ACTION_APPLY, timeout); + return _xc_livepatch_action(xch, name, LIVEPATCH_ACTION_APPLY, timeout, flags); } -int xc_livepatch_revert(xc_interface *xch, char *name, uint32_t timeout) +int xc_livepatch_revert(xc_interface *xch, char *name, uint32_t timeout, uint64_t flags) { - return _xc_livepatch_action(xch, name, LIVEPATCH_ACTION_REVERT, timeout); + return _xc_livepatch_action(xch, name, LIVEPATCH_ACTION_REVERT, timeout, flags); } -int xc_livepatch_unload(xc_interface *xch, char *name, uint32_t timeout) +int xc_livepatch_unload(xc_interface *xch, char *name, uint32_t timeout, uint64_t flags) { - return _xc_livepatch_action(xch, name, LIVEPATCH_ACTION_UNLOAD, timeout); + return _xc_livepatch_action(xch, name, LIVEPATCH_ACTION_UNLOAD, timeout, flags); } -int xc_livepatch_replace(xc_interface *xch, char *name, uint32_t timeout) +int xc_livepatch_replace(xc_interface *xch, char *name, uint32_t timeout, uint64_t flags) { - return _xc_livepatch_action(xch, name, LIVEPATCH_ACTION_REPLACE, timeout); + return _xc_livepatch_action(xch, name, LIVEPATCH_ACTION_REPLACE, timeout, flags); } /* diff --git a/tools/misc/xen-livepatch.c b/tools/misc/xen-livepatch.c index 3233472157..a37b2457ff 100644 --- a/tools/misc/xen-livepatch.c +++ b/tools/misc/xen-livepatch.c 
@@ -23,18 +23,23 @@ void show_help(void) { fprintf(stderr, "xen-livepatch: live patching tool\n" - "Usage: xen-livepatch [args]\n" + "Usage: xen-livepatch [args] [command-flags]\n" " An unique name of payload. Up to %d characters.\n" "Commands:\n" " help display this help\n" " upload upload file with name\n" " list list payloads uploaded.\n" - " apply apply patch.\n" + " apply [flags] apply patch.\n" + " Supported flags:\n" + " --nodeps Disable inter-module buildid dependency check.\n" + " Check only against hypervisor buildid.\n" " revert revert name patch.\n" " replace apply patch and revert all others.\n" " unload unload name patch.\n" - " load upload and apply .\n" - " name is the name\n", + " load [flags] upload and apply with name as the name\n" + " Supported flags:\n" + " --nodeps Disable inter-module buildid dependency check.\n" + " Check only against hypervisor buildid.\n", XEN_LIVEPATCH_NAME_SIZE); } @@ -225,12 +230,13 @@ static int upload_func(int argc, char *argv[]) return rc; } -/* These MUST match to the 'action_options[]' array slots. */ +/* These MUST match to the 'action_options[]' and 'flag_options[]' array slots. */ enum { ACTION_APPLY = 0, ACTION_REVERT = 1, ACTION_UNLOAD = 2, ACTION_REPLACE = 3, + ACTION_NUM }; struct { @@ -238,7 +244,7 @@ struct { int expected; /* The state to be in after the function. */ const char *name; const char *verb; - int (*function)(xc_interface *xch, char *name, uint32_t timeout); + int (*function)(xc_interface *xch, char *name, uint32_t timeout, uint64_t flags); } action_options[] = { { .allow = LIVEPATCH_STATE_CHECKED, .expected = LIVEPATCH_STATE_APPLIED, 
@@ -266,6 +272,66 @@ struct { }, }; +/* + * This structure defines supported flag options for actions. + * It defines entries for each action and supports up to 64 + * flags per action. + */ +struct { + const char *name; + const uint64_t flag; +} flag_options[ACTION_NUM][8 * sizeof(uint64_t)] = { + { /* ACTION_APPLY */ + { .name = "--nodeps", + .flag = LIVEPATCH_ACTION_APPLY_NODEPS, + }, + }, + { /* ACTION_REVERT */ + }, + { /* ACTION_UNLOAD */ + }, + { /* ACTION_REPLACE */ + } +}; + +/* + * Parse user provided action flags. + * This function expects to only receive an array of input parameters being flags. + * Expected action is specified via idx paramater (index of flag_options[]). + */ +static int get_flags(int argc, char *argv[], unsigned int idx, uint64_t *flags) +{ + int i, j; + + if ( !flags || idx >= ARRAY_SIZE(flag_options) ) + return -1; + + *flags = 0; + for ( i = 0; i < argc; i++ ) + { + for ( j = 0; j < ARRAY_SIZE(flag_options[idx]); j++ ) + { + if ( !flag_options[idx][j].name ) + goto error; + + if ( !strcmp(flag_options[idx][j].name, argv[i]) ) + { + *flags |= flag_options[idx][j].flag; + break; + } + } + + if ( j == ARRAY_SIZE(flag_options[idx]) ) + goto error; + } + + return 0; +error: + fprintf(stderr, "Unsupported flag: %s.\n", argv[i]); + errno = EINVAL; + return errno; +} + /* The hypervisor timeout for the live patching operation is 30 msec, * but it could take some time for the operation to start, so wait twice * that period. */ @@ -291,8 +357,9 @@ int action_func(int argc, char *argv[], unsigned int idx) char name[XEN_LIVEPATCH_NAME_SIZE]; int rc; xen_livepatch_status_t status; + uint64_t flags; - if ( argc != 1 ) + if ( argc < 1 ) { show_help(); return -1; 
@@ -301,7 +368,10 @@ int action_func(int argc, char *argv[], unsigned int idx) if ( idx >= ARRAY_SIZE(action_options) ) return -1; - if ( get_name(argc, argv, name) ) + if ( get_name(argc--, argv++, name) ) + return EINVAL; + + if ( get_flags(argc, argv, idx, &flags) ) return EINVAL; /* Check initial status. */ @@ -332,7 +402,7 @@ int action_func(int argc, char *argv[], unsigned int idx) if ( action_options[idx].allow & status.state ) { printf("%s %s... ", action_options[idx].verb, name); - rc = action_options[idx].function(xch, name, HYPERVISOR_TIMEOUT_NS); + rc = action_options[idx].function(xch, name, HYPERVISOR_TIMEOUT_NS, flags); if ( rc ) { int saved_errno = errno; @@ -394,17 +464,23 @@ int action_func(int argc, char *argv[], unsigned int idx) static int load_func(int argc, char *argv[]) { - int rc; - char *new_argv[2]; - char *path, *name, *lastdot; + int i, rc = ENOMEM; + char *upload_argv[2]; + char **apply_argv, *path, *name, *lastdot; - if ( argc != 1 ) + if ( argc < 1 ) { show_help(); return -1; } + + /* apply action has [flags] input requirement, which must be constructed */ + apply_argv = (char **) malloc(argc * sizeof(*apply_argv)); + if ( !apply_argv ) + return rc; + /* */ - new_argv[1] = argv[0]; + upload_argv[1] = argv[0]; /* Synthesize the */ path = strdup(argv[0]); 
@@ -413,16 +489,23 @@ static int load_func(int argc, char *argv[]) lastdot = strrchr(name, '.'); if ( lastdot != NULL ) *lastdot = '\0'; - new_argv[0] = name; + upload_argv[0] = name; + apply_argv[0] = name; - rc = upload_func(2 /* */, new_argv); + /* Fill in all user provided flags */ + for ( i = 0; i < argc - 1; i++ ) + apply_argv[i + 1] = argv[i + 1]; + + rc = upload_func(2 /* */, upload_argv); if ( rc ) - return rc; + goto error; - rc = action_func(1 /* only */, new_argv, ACTION_APPLY); + rc = action_func(argc, apply_argv, ACTION_APPLY); if ( rc ) - action_func(1, new_argv, ACTION_UNLOAD); + action_func(1 /* only */, upload_argv, ACTION_UNLOAD); +error: + free(apply_argv); free(path); return rc; } diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index 6a4af6ce57..fb91d5095c 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -1575,9 +1575,17 @@ static int livepatch_action(struct xen_sysctl_livepatch_action *action) break; } - rc = build_id_dep(data, !!list_empty(&applied_list)); - if ( rc ) - break; + /* + * Check if action is issued with nodeps flags to ignore module + * stack dependencies. + */ + if ( !(action->flags & LIVEPATCH_ACTION_APPLY_NODEPS) ) + { + rc = build_id_dep(data, !!list_empty(&applied_list)); + if ( rc ) + break; + } + data->rc = -EAGAIN; rc = schedule_work(data, action->cmd, action->timeout); } diff --git a/xen/include/public/sysctl.h b/xen/include/public/sysctl.h index 91c48dcae0..1b2b165a6d 100644 --- a/xen/include/public/sysctl.h +++ b/xen/include/public/sysctl.h @@ -35,7 +35,7 @@ #include "domctl.h" #include "physdev.h" -#define XEN_SYSCTL_INTERFACE_VERSION 0x00000012 +#define XEN_SYSCTL_INTERFACE_VERSION 0x00000013 /* * Read console content from Xen buffer ring. 
@@ -956,6 +956,15 @@ struct xen_sysctl_livepatch_action { /* hypervisor default. */ /* Or upper bound of time (ns) */ /* for operation to take. */ + +/* + * Overwrite default inter-module buildid dependency chain enforcement. + * Check only if module is built for given hypervisor by comparing buildid. + */ +#define LIVEPATCH_ACTION_APPLY_NODEPS (1 << 0) + uint64_t flags; /* IN: action flags. */ + /* Provide additional parameters */ + /* for an action. */ }; struct xen_sysctl_livepatch_op { From patchwork Wed Aug 21 08:19:20 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: "Wieczorkiewicz, Pawel" X-Patchwork-Id: 11105987 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D6727174A for ; Wed, 21 Aug 2019 08:21:52 +0000 (UTC) Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id B28532339E for ; Wed, 21 Aug 2019 08:21:52 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=amazon.de header.i=@amazon.de header.b="s7T2hJWR" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org B28532339E Authentication-Results: mail.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=amazon.de Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1i0LrB-0008BS-Jp; Wed, 21 Aug 2019 08:20:37 +0000 Received: from all-amaz-eas1.inumbo.com ([34.197.232.57] helo=us1-amaz-eas2.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1i0Lr9-0008AF-SF for 
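Review bot: get_flags() in tools/misc/xen-livepatch.c (hunk at -266) uses three return conventions: -1 for bad arguments, 0 on success, and a positive errno value at the `error:` label. The callers only test for non-zero, but one convention would be easier to reason about. `int i, j` are also compared against ARRAY_SIZE(), which is unsigned, so `unsigned int` would avoid the signed/unsigned comparison.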
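Review bot: in action_func() (tools/misc/xen-livepatch.c, hunk at -301), `get_name(argc--, argv++, name)` hides the argument shift inside the call expression; doing the shift on a separate line after the call reads more safely. Together with the relaxed `argc < 1` test in the preceding hunk, revert, unload and replace now accept trailing arguments, which are refused only because their flag_options[] rows are empty. A short comment stating that this is the intended rejection path would help the next reader.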
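Review bot: in livepatch_action() (xen/common/livepatch.c, hunk at -1575), action->flags is tested only for LIVEPATCH_ACTION_APPLY_NODEPS in the apply path, and no visible line rejects unknown bits or flags supplied with the other actions. As this is a new sysctl input field, returning -EINVAL for any bit outside the supported mask keeps undefined bits available for future use and prevents a caller from passing a flag that the hypervisor silently ignores. Since the flag relaxes the stack-order check described in the commit message, a log line when it is honoured would also make its use auditable.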
From: Pawel Wieczorkiewicz
Date: Wed, 21 Aug 2019 08:19:20 +0000
Message-ID: <20190821081931.90887-4-wipawel@amazon.de>
In-Reply-To: <20190821081931.90887-1-wipawel@amazon.de>
References: <20190821081931.90887-1-wipawel@amazon.de>
Subject: [Xen-devel] [PATCH 03/14] python: Add XC binding for Xen build ID
Cc: wipawel@amazon.com, Wei Liu, Ian Jackson, mpohlack@amazon.com,
    Marek Marczykowski-Górecki, Pawel Wieczorkiewicz

Extend the list of xc() object methods with additional one to display
Xen's buildid. The implementation follows the libxl implementation
(e.g. max buildid size assumption being XC_PAGE_SIZE minus
sizeof(buildid->len)).

Signed-off-by: Pawel Wieczorkiewicz
Reviewed-by: Martin Mazein
Reviewed-by: Andra-Irina Paraschiv
Reviewed-by: Norbert Manthey
Acked-by: Marek Marczykowski-Górecki
---
 tools/python/xen/lowlevel/xc/xc.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/tools/python/xen/lowlevel/xc/xc.c b/tools/python/xen/lowlevel/xc/xc.c
index 188bfa34da..7f0358ba9c 100644
--- a/tools/python/xen/lowlevel/xc/xc.c
+++ b/tools/python/xen/lowlevel/xc/xc.c
@@ -1214,6 +1214,26 @@ out: return ret_obj ? ret_obj : pyxc_error_to_exception(self->xc_handle); } +static PyObject *pyxc_xenbuildid(XcObject *self) +{ + xen_build_id_t *buildid; + int i, r; + char *str; + + buildid = alloca(XC_PAGE_SIZE); + buildid->len = XC_PAGE_SIZE - sizeof(*buildid); + + r = xc_version(self->xc_handle, XENVER_build_id, buildid); + if ( r <= 0 ) + return pyxc_error_to_exception(self->xc_handle); + + str = alloca((r * 2) + 1); + for ( i = 0; i < r; i++ ) + snprintf(&str[i * 2], 3, "%02hhx", buildid->buf[i]); + + return Py_BuildValue("s", str); +} + static PyObject *pyxc_xeninfo(XcObject *self) { xen_extraversion_t xen_extra; 
@@ -2297,6 +2317,13 @@ static PyMethodDef pyxc_methods[] = { "Returns [dict]: information about Xen" " [None]: on failure.\n" }, + { "buildid", + (PyCFunction)pyxc_xenbuildid, + METH_NOARGS, "\n" + "Get Xen buildid\n" + "Returns [str]: Xen buildid" + " [None]: on failure.\n" }, + { "shadow_control", (PyCFunction)pyxc_shadow_control, METH_VARARGS | METH_KEYWORDS, "\n" From patchwork Wed Aug 21 08:19:21 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Wieczorkiewicz, Pawel" X-Patchwork-Id: 11105999 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A6B351395 for ; Wed, 21 Aug 2019 08:22:04 +0000 (UTC) Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 82C6722DA7 for ; Wed, 21 Aug 2019 08:22:04 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=amazon.de header.i=@amazon.de header.b="BAbzS3ko" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 82C6722DA7 Authentication-Results: mail.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=amazon.de Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1i0LrH-0008Fx-Di; Wed, 21 Aug 2019 08:20:43 +0000 Received: from us1-rack-iad1.inumbo.com ([172.99.69.81]) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1i0LrG-0008FC-K3 for xen-devel@lists.xenproject.org; Wed, 21 Aug 2019 08:20:42 +0000 X-Inumbo-ID: 90ea9166-c3ec-11e9-ac23-bc764e2007e4 Received: from smtp-fw-4101.amazon.com (unknown 
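Review bot: in pyxc_xenbuildid(), `r <= 0` sends the `r == 0` case to pyxc_error_to_exception() even though xc_version() did not report an error there, so the exception may be built from stale or empty error state. Treat `r < 0` as the error path and handle a zero-length build ID explicitly. The two alloca() calls place XC_PAGE_SIZE plus up to `(r * 2) + 1` further bytes on the stack; a heap buffer freed before returning would avoid depending on the caller's stack depth.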
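Review bot: the docstring added for "buildid" in pyxc_methods[] states `[None]: on failure`, but pyxc_xenbuildid() returns the result of pyxc_error_to_exception() on failure, so callers testing for None will not see the error. The wording matches the neighbouring entry in the table, but for a new method it should describe the behaviour the function actually has.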
From: Pawel Wieczorkiewicz
Date: Wed, 21 Aug 2019 08:19:21 +0000
Message-ID: <20190821081931.90887-5-wipawel@amazon.de>
In-Reply-To: <20190821081931.90887-1-wipawel@amazon.de>
References: <20190821081931.90887-1-wipawel@amazon.de>
Subject: [Xen-devel] [PATCH 04/14] livepatch: Export payload structure via livepatch_payload.h
Cc: Pawel Wieczorkiewicz, wipawel@amazon.com, Ross Lagerwall,
    mpohlack@amazon.com, Konrad Rzeszutek Wilk

The payload structure will be used by the new hooks implementation and
therefore its definition has to be exported via the livepatch_payload
header.
The new hooks will make use of the payload structure fields and the
hooks' pointers will also be defined in the payload structure, so
the structure along with all field definitions needs to be available
to the code being patched in.

Signed-off-by: Pawel Wieczorkiewicz
Reviewed-by: Andra-Irina Paraschiv
Reviewed-by: Eslam Elnikety
Reviewed-by: Leonard Foerster
Reviewed-by: Martin Pohlack
Reviewed-by: Ross Lagerwall
---
 xen/common/livepatch.c              | 37 ----------------------------------
 xen/include/xen/livepatch_payload.h | 40 +++++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 37 deletions(-)

diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c
index fb91d5095c..ed5756a032 100644
--- a/xen/common/livepatch.c
+++ b/xen/common/livepatch.c
@@ -45,43 +45,6 @@ static LIST_HEAD(applied_list); static unsigned int payload_cnt; static unsigned int payload_version = 1; -/* To contain the ELF Note header. */ -struct livepatch_build_id { - const void *p; - unsigned int len; -}; - -struct payload { - uint32_t state; /* One of the LIVEPATCH_STATE_*. */ - int32_t rc; /* 0 or -XEN_EXX. */ - bool reverted; /* Whether it was reverted. */ - bool safe_to_reapply; /* Can apply safely after revert. */ - struct list_head list; /* Linked to 'payload_list'. */ - const void *text_addr; /* Virtual address of .text. */ - size_t text_size; /* .. and its size. */ - const void *rw_addr; /* Virtual address of .data. */ - size_t rw_size; /* .. and its size (if any). */ - const void *ro_addr; /* Virtual address of .rodata. */ - size_t ro_size; /* .. and its size (if any). */ - unsigned int pages; /* Total pages for [text,rw,ro]_addr */ - struct list_head applied_list; /* Linked to 'applied_list'. */ - struct livepatch_func *funcs; /* The array of functions to patch. */ - unsigned int nfuncs; /* Nr of functions to patch. */ - const struct livepatch_symbol *symtab; /* All symbols. */ - const char *strtab; /* Pointer to .strtab. */ - struct virtual_region region; /* symbol, bug.frame patching and - exception table (x86). */ - unsigned int nsyms; /* Nr of entries in .strtab and symbols. */ - struct livepatch_build_id id; /* ELFNOTE_DESC(.note.gnu.build-id) of the payload. */ - struct livepatch_build_id dep; /* ELFNOTE_DESC(.livepatch.depends). */ - struct livepatch_build_id xen_dep; /* ELFNOTE_DESC(.livepatch.xen_depends). */ - livepatch_loadcall_t *const *load_funcs; /* The array of funcs to call after */ - livepatch_unloadcall_t *const *unload_funcs;/* load and unload of the payload. */ - unsigned int n_load_funcs; /* Nr of the funcs to load and execute. */ - unsigned int n_unload_funcs; /* Nr of funcs to call durung unload. */ - char name[XEN_LIVEPATCH_NAME_SIZE]; /* Name of it. */ -}; - /* Defines an outstanding patching action. 
*/ struct livepatch_work { diff --git a/xen/include/xen/livepatch_payload.h b/xen/include/xen/livepatch_payload.h index 4a1a96d054..99613af2db 100644 --- a/xen/include/xen/livepatch_payload.h +++ b/xen/include/xen/livepatch_payload.h @@ -4,6 +4,15 @@ #ifndef __XEN_LIVEPATCH_PAYLOAD_H__ #define __XEN_LIVEPATCH_PAYLOAD_H__ +#include + +/* To contain the ELF Note header. */ +struct livepatch_build_id { + const void *p; + unsigned int len; +}; + +typedef struct payload livepatch_payload_t; /* * The following definitions are to be used in patches. They are taken 
@@ -12,6 +21,37 @@ typedef void livepatch_loadcall_t(void); typedef void livepatch_unloadcall_t(void); +struct payload { + uint32_t state; /* One of the LIVEPATCH_STATE_*. */ + int32_t rc; /* 0 or -XEN_EXX. */ + bool reverted; /* Whether it was reverted. */ + bool safe_to_reapply; /* Can apply safely after revert. */ + struct list_head list; /* Linked to 'payload_list'. */ + const void *text_addr; /* Virtual address of .text. */ + size_t text_size; /* .. and its size. */ + const void *rw_addr; /* Virtual address of .data. */ + size_t rw_size; /* .. and its size (if any). */ + const void *ro_addr; /* Virtual address of .rodata. */ + size_t ro_size; /* .. and its size (if any). */ + unsigned int pages; /* Total pages for [text,rw,ro]_addr */ + struct list_head applied_list; /* Linked to 'applied_list'. */ + struct livepatch_func *funcs; /* The array of functions to patch. */ + unsigned int nfuncs; /* Nr of functions to patch. */ + const struct livepatch_symbol *symtab; /* All symbols. */ + const char *strtab; /* Pointer to .strtab. */ + struct virtual_region region; /* symbol, bug.frame patching and + exception table (x86). */ + unsigned int nsyms; /* Nr of entries in .strtab and symbols. */ + struct livepatch_build_id id; /* ELFNOTE_DESC(.note.gnu.build-id) of the payload. */ + struct livepatch_build_id dep; /* ELFNOTE_DESC(.livepatch.depends). */ + struct livepatch_build_id xen_dep; /* ELFNOTE_DESC(.livepatch.xen_depends). */ + livepatch_loadcall_t *const *load_funcs; /* The array of funcs to call after */ + livepatch_unloadcall_t *const *unload_funcs;/* load and unload of the payload. */ + unsigned int n_load_funcs; /* Nr of the funcs to load and execute. */ + unsigned int n_unload_funcs; /* Nr of funcs to call durung unload. */ + char name[XEN_LIVEPATCH_NAME_SIZE]; /* Name of it. 
*/ +}; + /* * LIVEPATCH_LOAD_HOOK macro * From patchwork Wed Aug 21 08:19:22 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Wieczorkiewicz, Pawel" X-Patchwork-Id: 11106003 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id AB53A174A for ; Wed, 21 Aug 2019 08:22:06 +0000 (UTC) Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 7C55B2339F for ; Wed, 21 Aug 2019 08:22:06 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=amazon.de header.i=@amazon.de header.b="ucx5rQM9" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 7C55B2339F Authentication-Results: mail.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=amazon.de Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1i0LrQ-0008NB-1j; Wed, 21 Aug 2019 08:20:52 +0000 Received: from all-amaz-eas1.inumbo.com ([34.197.232.57] helo=us1-amaz-eas2.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1i0LrO-0008M0-9g for xen-devel@lists.xen.org; Wed, 21 Aug 2019 08:20:50 +0000 X-Inumbo-ID: 94d6f40e-c3ec-11e9-adc2-12813bfff9fa Received: from smtp-fw-9102.amazon.com (unknown [207.171.184.29]) by us1-amaz-eas2.inumbo.com (Halon) with ESMTPS id 94d6f40e-c3ec-11e9-adc2-12813bfff9fa; Wed, 21 Aug 2019 08:20:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.de; i=@amazon.de; q=dns/txt; s=amazon201209; t=1566375649; x=1597911649; 
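Review bot: moving the complete `struct payload` into livepatch_payload.h gives code compiled into a payload the full, writable layout, including `list`, `applied_list`, `state` and `rc`, which livepatch.c uses for its own bookkeeping. Please document in the header which fields a hook may read or modify, and consider handing hooks a const pointer where write access is not required. The header now depends on struct list_head, struct virtual_region and XEN_LIVEPATCH_NAME_SIZE, so check that the single added #include makes it self-contained. Since the comment is being moved anyway, "durung unload" can be corrected to "during unload".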
From: Pawel Wieczorkiewicz
Date: Wed, 21 Aug 2019 08:19:22 +0000
Message-ID: <20190821081931.90887-6-wipawel@amazon.de>
In-Reply-To: <20190821081931.90887-1-wipawel@amazon.de>
References: <20190821081931.90887-1-wipawel@amazon.de>
Subject: [Xen-devel] [PATCH 05/14] livepatch: Implement pre-|post- apply|revert hooks
Cc: Pawel Wieczorkiewicz, wipawel@amazon.com, Ross Lagerwall,
    mpohlack@amazon.com, Konrad Rzeszutek Wilk

This is an implementation of 4 new livepatch module vetoing hooks,
that can be optionally supplied along with modules.
Hooks that currently exist in the livepatch mechanism aren't agile
enough and have various limitations:
* run only from within a quiescing zone
* cannot conditionally prevent applying or reverting
* do not have access to the module context

To address these limitations the following has been implemented:
1) pre-apply hook
   runs before the apply action is scheduled for execution. Its main
   purpose is to prevent from applying a hotpatch when certain
   expected conditions aren't met or when mutating actions implemented
   in the hook fail or cannot be executed.

2) post-apply hook
   runs after the apply action has been executed and quiescing zone
   exited. Its main purpose is to provide an ability to follow-up on
   actions performed by the pre- hook, when module application was
   successful or undo certain preparation steps of the pre- hook in
   case of a failure. The success/failure error code is provided to
   the post- hooks via the rc field of the payload structure.

3) pre-revert hook
   runs before the revert action is scheduled for execution.
Its main purpose is to prevent from reverting a hotpatch when certain expected conditions aren't met or when mutating actions implemented in the hook fail or cannot be executed. 4) post-revert hook runs after the revert action has been executed and quiescing zone exited. Its main purpose is to perform cleanup of all previously executed mutating actions in order to restore the original system state from before the current module application. The success/failure error code is provided to the post- hooks via the rc field of the payload structure. The replace action performs atomically the following actions: - revert all applied modules - apply a single replacement module. With the vetoing hooks in place various inter-hook dependencies may arise. Also, during the revert part of the operation certain vetoing hooks may detect failing conditions that previously were satisfied. That could in turn lead to situation when the revert part must be rolled back with all the pre- and post- hooks re-applied, which again can't be guaranteed to always succeed. The simplest response to this complication is to disallow the replace action completely on modules with vetoing hooks. Signed-off-by: Pawel Wieczorkiewicz Reviewed-by: Andra-Irina Paraschiv Reviewed-by: Petre Eftime Reviewed-by: Martin Pohlack Reviewed-by: Norbert Manthey --- xen/common/livepatch.c | 179 ++++++++++++++++++++++++++++++++---- xen/include/xen/livepatch_payload.h | 27 ++++++ 2 files changed, 189 insertions(+), 17 deletions(-) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index ed5756a032..464c07ad28 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -28,6 +28,8 @@ #include #include +#define is_hook_enabled(hook) ({ (hook) && *(hook); }) + /* * Protects against payload_list operations and also allows only one * caller in schedule_work. 
@@ -501,6 +503,35 @@ static int check_special_sections(const struct livepatch_elf *elf) return 0; } +/* + * Lookup specified section and when exists assign its address to a specified hook. + * Perform section pointer and size validation: single hook sections must contain a + * single pointer only. + */ +#define LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, hook, section_name) do { \ + const struct livepatch_elf_sec *__sec = livepatch_elf_sec_by_name(elf, section_name); \ + if ( !__sec ) \ + break; \ + if ( !section_ok(elf, __sec, sizeof(*hook)) || __sec->sec->sh_size != sizeof(*hook) ) \ + return -EINVAL; \ + hook = __sec->load_addr; \ +} while (0) + +/* + * Lookup specified section and when exists assign its address to a specified hook. + * Perform section pointer and size validation: multi hook sections must contain an + * array whose size must be a multiple of the array's items size. + */ +#define LIVEPATCH_ASSIGN_MULTI_HOOK(elf, hook, nhooks, section_name) do { \ + const struct livepatch_elf_sec *__sec = livepatch_elf_sec_by_name(elf, section_name); \ + if ( !__sec ) \ + break; \ + if ( !section_ok(elf, __sec, sizeof(*hook)) ) \ + return -EINVAL; \ + hook = __sec->load_addr; \ + nhooks = __sec->sec->sh_size / sizeof(*hook); \ +} while (0) + static int prepare_payload(struct payload *payload, struct livepatch_elf *elf) { 
@@ -552,25 +583,14 @@ static int prepare_payload(struct payload *payload, return rc; } - sec = livepatch_elf_sec_by_name(elf, ".livepatch.hooks.load"); - if ( sec ) - { - if ( !section_ok(elf, sec, sizeof(*payload->load_funcs)) ) - return -EINVAL; - - payload->load_funcs = sec->load_addr; - payload->n_load_funcs = sec->sec->sh_size / sizeof(*payload->load_funcs); - } + LIVEPATCH_ASSIGN_MULTI_HOOK(elf, payload->load_funcs, payload->n_load_funcs, ".livepatch.hooks.load"); + LIVEPATCH_ASSIGN_MULTI_HOOK(elf, payload->unload_funcs, payload->n_unload_funcs, ".livepatch.hooks.unload"); - sec = livepatch_elf_sec_by_name(elf, ".livepatch.hooks.unload"); - if ( sec ) - { - if ( !section_ok(elf, sec, sizeof(*payload->unload_funcs)) ) - return -EINVAL; + LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.apply.pre, ".livepatch.hooks.preapply"); + LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.apply.post, ".livepatch.hooks.postapply"); + LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.revert.pre, ".livepatch.hooks.prerevert"); + LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.revert.post, ".livepatch.hooks.postrevert"); - payload->unload_funcs = sec->load_addr; - payload->n_unload_funcs = sec->sec->sh_size / sizeof(*payload->unload_funcs); - } sec = livepatch_elf_sec_by_name(elf, ELF_BUILD_ID_NOTE); if ( sec ) { 
@@ -1217,6 +1237,39 @@ static bool_t is_work_scheduled(const struct payload *data) return livepatch_work.do_work && livepatch_work.data == data; } +/* + * Check if payload has any of the vetoing, non-atomic hooks assigned. + * A vetoing, non-atmic hook may perform an operation that changes the + * hypervisor state and may not be guaranteed to succeed. Result of + * such operation may be returned and may change the livepatch workflow. + * Such hooks may require additional cleanup actions performed by other + * hooks. Thus they are not suitable for replace action. + */ +static inline bool_t has_payload_any_vetoing_hooks(const struct payload *payload) +{ + return is_hook_enabled(payload->hooks.apply.pre) || + is_hook_enabled(payload->hooks.apply.post) || + is_hook_enabled(payload->hooks.revert.pre) || + is_hook_enabled(payload->hooks.revert.post); +} + +/* + * Checks if any of the already applied hotpatches has any vetoing, + * non-atomic hooks assigned. + */ +static inline bool_t livepatch_applied_have_vetoing_hooks(void) +{ + struct payload *p; + + list_for_each_entry ( p, &applied_list, applied_list ) + { + if ( has_payload_any_vetoing_hooks(p) ) + return true; + } + + return false; +} + static int schedule_work(struct payload *data, uint32_t cmd, uint32_t timeout) { ASSERT(spin_is_locked(&payload_lock)); @@ -1317,6 +1370,7 @@ void check_for_livepatch_work(void) { struct payload *p; unsigned int cpus; + bool_t action_done = false; p = livepatch_work.data; if ( !get_cpu_maps() ) @@ -1369,6 +1423,7 @@ void check_for_livepatch_work(void) livepatch_do_action(); /* Serialize and flush out the CPU via CPUID instruction (on x86). */ arch_livepatch_post_action(); + action_done = true; local_irq_restore(flags); } 
@@ -1381,6 +1436,43 @@ void check_for_livepatch_work(void) /* put_cpu_maps has an barrier(). */ put_cpu_maps(); + if ( action_done ) + { + switch ( livepatch_work.cmd ) + { + case LIVEPATCH_ACTION_REVERT: + if ( is_hook_enabled(p->hooks.revert.post) ) + { + printk(XENLOG_INFO LIVEPATCH "%s: Calling post-revert hook function with rc=%d\n", + p->name, p->rc); + + (*p->hooks.revert.post)(p); + } + break; + + case LIVEPATCH_ACTION_APPLY: + if ( is_hook_enabled(p->hooks.apply.post) ) + { + printk(XENLOG_INFO LIVEPATCH "%s: Calling post-apply hook function with rc=%d\n", + p->name, p->rc); + + (*p->hooks.apply.post)(p); + } + break; + + case LIVEPATCH_ACTION_REPLACE: + if ( has_payload_any_vetoing_hooks(p) ) + { + /* It should be impossible to get here since livepatch_action() guards against that. */ + panic(LIVEPATCH "%s: REPLACE action is not supported on hotpatches with vetoing hooks!\n", + p->name); + ASSERT_UNREACHABLE(); + } + default: + break; + } + } + printk(XENLOG_INFO LIVEPATCH "%s finished %s with rc=%d\n", p->name, names[livepatch_work.cmd], p->rc); } @@ -1516,6 +1608,21 @@ static int livepatch_action(struct xen_sysctl_livepatch_action *action) rc = -EBUSY; break; } + + if ( is_hook_enabled(data->hooks.revert.pre) ) + { + printk(XENLOG_INFO LIVEPATCH "%s: Calling pre-revert hook function\n", data->name); + + rc = (*data->hooks.revert.pre)(data); + if ( rc ) + { + printk(XENLOG_ERR LIVEPATCH "%s: pre-revert hook failed (rc=%d), aborting!\n", + data->name, rc); + data->rc = rc; + break; + } + } + data->rc = -EAGAIN; rc = schedule_work(data, action->cmd, action->timeout); } 
@@ -1549,6 +1656,20 @@ static int livepatch_action(struct xen_sysctl_livepatch_action *action) break; } + if ( is_hook_enabled(data->hooks.apply.pre) ) + { + printk(XENLOG_INFO LIVEPATCH "%s: Calling pre-apply hook function\n", data->name); + + rc = (*data->hooks.apply.pre)(data); + if ( rc ) + { + printk(XENLOG_ERR LIVEPATCH "%s: pre-apply hook failed (rc=%d), aborting!\n", + data->name, rc); + data->rc = rc; + break; + } + } + data->rc = -EAGAIN; rc = schedule_work(data, action->cmd, action->timeout); } @@ -1560,6 +1681,30 @@ static int livepatch_action(struct xen_sysctl_livepatch_action *action) rc = build_id_dep(data, 1 /* against hypervisor. */); if ( rc ) break; + + /* + * REPLACE action is not supported on hotpatches with vetoing hooks. + * Vetoing hooks usually perform mutating actions on the system and + * typically exist in pairs (pre- hook doing an action and post- hook + * undoing the action). Coalescing all hooks from all applied modules + * cannot be performed without inspecting potential dependencies between + * the mutating hooks and hence cannot be performed automatically by + * the replace action. Also, the replace action cannot safely assume a + * successful revert of all the module with vetoing hooks. When one + * of the hooks fails due to not meeting certain conditions the whole + * replace operation must have been reverted with all previous pre- and + * post- hooks re-executed (which cannot be guaranteed to succeed). + * The simplest response to this complication is disallow replace + * action on modules with vetoing hooks. + */ + if ( has_payload_any_vetoing_hooks(data) || livepatch_applied_have_vetoing_hooks() ) + { + printk(XENLOG_ERR LIVEPATCH "%s: REPLACE action is not supported on hotpatches with vetoing hooks!\n", + data->name); + rc = -EOPNOTSUPP; + break; + } + data->rc = -EAGAIN; rc = schedule_work(data, action->cmd, action->timeout); } 
diff --git a/xen/include/xen/livepatch_payload.h b/xen/include/xen/livepatch_payload.h index 99613af2db..cd20944cc4 100644 --- a/xen/include/xen/livepatch_payload.h +++ b/xen/include/xen/livepatch_payload.h @@ -21,6 +21,16 @@ typedef struct payload livepatch_payload_t; typedef void livepatch_loadcall_t(void); typedef void livepatch_unloadcall_t(void); +typedef int livepatch_precall_t(livepatch_payload_t *arg); +typedef void livepatch_postcall_t(livepatch_payload_t *arg); + +struct livepatch_hooks { + struct { + livepatch_precall_t *const *pre; + livepatch_postcall_t *const *post; + } apply, revert; +}; + struct payload { uint32_t state; /* One of the LIVEPATCH_STATE_*. */ int32_t rc; /* 0 or -XEN_EXX. */ @@ -47,6 +57,7 @@ struct payload { struct livepatch_build_id xen_dep; /* ELFNOTE_DESC(.livepatch.xen_depends). */ livepatch_loadcall_t *const *load_funcs; /* The array of funcs to call after */ livepatch_unloadcall_t *const *unload_funcs;/* load and unload of the payload. */ + struct livepatch_hooks hooks; /* Pre and post hooks for apply and revert */ unsigned int n_load_funcs; /* Nr of the funcs to load and execute. */ unsigned int n_unload_funcs; /* Nr of funcs to call durung unload. */ char name[XEN_LIVEPATCH_NAME_SIZE]; /* Name of it. */ 
@@ -76,6 +87,22 @@ struct payload { livepatch_unloadcall_t *__weak \ const livepatch_unload_data_##_fn __section(".livepatch.hooks.unload") = _fn; +#define LIVEPATCH_PREAPPLY_HOOK(_fn) \ + livepatch_precall_t *__attribute__((weak, used)) \ + const livepatch_preapply_data_##_fn __section(".livepatch.hooks.preapply") = _fn; + +#define LIVEPATCH_POSTAPPLY_HOOK(_fn) \ + livepatch_postcall_t *__attribute__((weak, used)) \ + const livepatch_postapply_data_##_fn __section(".livepatch.hooks.postapply") = _fn; + +#define LIVEPATCH_PREREVERT_HOOK(_fn) \ + livepatch_precall_t *__attribute__((weak, used)) \ + const livepatch_prerevert_data_##_fn __section(".livepatch.hooks.prerevert") = _fn; + +#define LIVEPATCH_POSTREVERT_HOOK(_fn) \ + livepatch_postcall_t *__attribute__((weak, used)) \ + const livepatch_postrevert_data_##_fn __section(".livepatch.hooks.postrevert") = _fn; + #endif /* __XEN_LIVEPATCH_PAYLOAD_H__ */ /* From patchwork Wed Aug 21 08:19:23 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Wieczorkiewicz, Pawel" X-Patchwork-Id: 11106033 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 8E86A1395 for ; Wed, 21 Aug 2019 08:22:32 +0000 (UTC) Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 5FD872339F for ; Wed, 21 Aug 2019 08:22:32 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=amazon.de header.i=@amazon.de header.b="ozd+A4Er" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 5FD872339F Authentication-Results: mail.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=amazon.de Authentication-Results: mail.kernel.org; 
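Review bot: LIVEPATCH_ASSIGN_SINGLE_HOOK and LIVEPATCH_ASSIGN_MULTI_HOOK hide a `return -EINVAL` out of the enclosing function inside a macro, so prepare_payload() can exit from a line that reads like a plain assignment. A static helper that returns rc and is checked at each call site would keep the control flow visible and lets the compiler type-check the arguments. If the macros stay, `hook` and `nhooks` should be parenthesised in the expansion, and the long lines wrapped.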
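Review bot: in livepatch_action(), the pre-revert hook (and the pre-apply hook in the following hunk) has already run when schedule_work() is called, but the matching post- hook is only invoked from check_for_livepatch_work() when `action_done` is set. If schedule_work() returns an error, or the action is never carried out, whatever the pre- hook changed is left without the undo step the commit message assigns to the post- hook. Either call the post- hook with data->rc set on those paths, or document that pre- hooks cannot rely on it. The hooks also run with payload_lock held, as the ASSERT in schedule_work() shows; the hook documentation should say so, since that restricts what a hook is allowed to do.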
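Review bot: the LIVEPATCH_ACTION_REPLACE case added to check_for_livepatch_work() has neither a `break` nor a fall-through marker before `default:`, and the ASSERT_UNREACHABLE() after panic() is dead code. livepatch_action() already returns -EOPNOTSUPP for this combination, and at this point the action has been performed, so bringing the hypervisor down with panic() looks heavier than needed; ASSERT_UNREACHABLE() followed by `break` would express the invariant. The comment above has a typo ("non-atmic").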
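Review bot: the four new LIVEPATCH_*_HOOK macros spell out `__attribute__((weak, used))` while the existing unload macro directly above them uses `__weak`; please use one form throughout, or explain why `used` is needed only for the new hooks. They also lack the kind of documentation comment LIVEPATCH_LOAD_HOOK has. That comment should state that each of these macros may appear at most once per payload, because LIVEPATCH_ASSIGN_SINGLE_HOOK rejects a section whose size is not exactly one pointer, and that livepatch_precall_t returns non-zero to veto the action.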
From: Pawel Wieczorkiewicz
Date: Wed, 21 Aug 2019 08:19:23 +0000
Message-ID: <20190821081931.90887-7-wipawel@amazon.de>
In-Reply-To: <20190821081931.90887-1-wipawel@amazon.de>
References: <20190821081931.90887-1-wipawel@amazon.de>
Subject: [Xen-devel] [PATCH 06/14] livepatch: Add support for apply|revert action replacement hooks
Cc: Pawel Wieczorkiewicz, wipawel@amazon.com, Ross Lagerwall, mpohlack@amazon.com, Konrad Rzeszutek Wilk

By default, in the quiescing zone, a hotpatch payload is applied with apply_payload() and reverted with revert_payload() functions. Both of the functions receive the payload struct pointer as a parameter. The functions are also a place where standard 'load' and 'unload' module hooks are executed.

To increase the hotpatching system's agility and provide a more flexible long-term hotpatch solution, allow overwriting the default apply and revert action functions with hook-like supplied alternatives. The alternative functions are optional and the default functions are used by default.

Since the alternative functions have direct access to the hotpatch payload structure, they can better control the context of the 'load' and 'unload' hooks execution as well as exact instructions replacement workflows. They can also be easily extended to support extra features in the future.

To simplify the alternative function generation, move the code responsible for payload and hotpatch region registration outside of the function. That way it is guaranteed that the registration step occurs even for newly supplied functions.
Signed-off-by: Pawel Wieczorkiewicz Reviewed-by: Petre Eftime Reviewed-by: Martin Pohlack Reviewed-by: Norbert Manthey Reviewed-by: Andra-Irina Paraschiv Reviewed-by: Bjoern Doebel --- xen/common/livepatch.c | 66 +++++++++++++++++++++++++++++++------ xen/include/xen/livepatch_payload.h | 10 ++++++ 2 files changed, 66 insertions(+), 10 deletions(-) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index 464c07ad28..38fab8b240 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -587,8 +587,11 @@ static int prepare_payload(struct payload *payload, LIVEPATCH_ASSIGN_MULTI_HOOK(elf, payload->unload_funcs, payload->n_unload_funcs, ".livepatch.hooks.unload"); LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.apply.pre, ".livepatch.hooks.preapply"); + LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.apply.action, ".livepatch.hooks.apply"); LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.apply.post, ".livepatch.hooks.postapply"); + LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.revert.pre, ".livepatch.hooks.prerevert"); + LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.revert.action, ".livepatch.hooks.revert"); LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.revert.post, ".livepatch.hooks.postrevert"); sec = livepatch_elf_sec_by_name(elf, ELF_BUILD_ID_NOTE); @@ -1114,6 +1117,11 @@ static int apply_payload(struct payload *data) arch_livepatch_revive(); + return 0; +} + +static inline void apply_payload_tail(struct payload *data) +{ /* * We need RCU variant (which has barriers) in case we crash here. * The applied_list is iterated by the trap code. @@ -1121,7 +1129,7 @@ static int apply_payload(struct payload *data) list_add_tail_rcu(&data->applied_list, &applied_list); register_virtual_region(&data->region); - return 0; + data->state = LIVEPATCH_STATE_APPLIED; } static int revert_payload(struct payload *data) 
@@ -1154,6 +1162,11 @@ static int revert_payload(struct payload *data) ASSERT(!local_irq_is_enabled()); arch_livepatch_revive(); + return 0; +} + +static inline void revert_payload_tail(struct payload *data) +{ /* * We need RCU variant (which has barriers) in case we crash here. @@ -1163,7 +1176,7 @@ static int revert_payload(struct payload *data) unregister_virtual_region(&data->region); data->reverted = true; - return 0; + data->state = LIVEPATCH_STATE_CHECKED; } /* @@ -1183,15 +1196,31 @@ static void livepatch_do_action(void) switch ( livepatch_work.cmd ) { case LIVEPATCH_ACTION_APPLY: - rc = apply_payload(data); + if ( is_hook_enabled(data->hooks.apply.action) ) + { + printk(XENLOG_INFO LIVEPATCH "%s: Calling apply action hook function\n", data->name); + + rc = (*data->hooks.apply.action)(data); + } + else + rc = apply_payload(data); + if ( rc == 0 ) - data->state = LIVEPATCH_STATE_APPLIED; + apply_payload_tail(data); break; case LIVEPATCH_ACTION_REVERT: - rc = revert_payload(data); + if ( is_hook_enabled(data->hooks.revert.action) ) + { + printk(XENLOG_INFO LIVEPATCH "%s: Calling revert action hook function\n", data->name); + + rc = (*data->hooks.revert.action)(data); + } + else + rc = revert_payload(data); + if ( rc == 0 ) - data->state = LIVEPATCH_STATE_CHECKED; + revert_payload_tail(data); break; case LIVEPATCH_ACTION_REPLACE: @@ -1202,9 +1231,18 @@ static void livepatch_do_action(void) */ list_for_each_entry_safe_reverse ( other, tmp, &applied_list, applied_list ) { - other->rc = revert_payload(other); + if ( is_hook_enabled(other->hooks.revert.action) ) + { + printk(XENLOG_INFO LIVEPATCH "%s: Calling revert action hook function\n", other->name); + + other->rc = (*other->hooks.revert.action)(other); + } + else + other->rc = revert_payload(other); + + if ( other->rc == 0 ) - other->state = LIVEPATCH_STATE_CHECKED; + revert_payload_tail(other); else { rc = -EINVAL; 
@@ -1214,9 +1252,17 @@ static void livepatch_do_action(void) if ( rc == 0 ) { - rc = apply_payload(data); + if ( is_hook_enabled(data->hooks.apply.action) ) + { + printk(XENLOG_INFO LIVEPATCH "%s: Calling apply action hook function\n", data->name); + + rc = (*data->hooks.apply.action)(data); + } + else + rc = apply_payload(data); + if ( rc == 0 ) - data->state = LIVEPATCH_STATE_APPLIED; + apply_payload_tail(data); } break; diff --git a/xen/include/xen/livepatch_payload.h b/xen/include/xen/livepatch_payload.h index cd20944cc4..ff16af0dd6 100644 --- a/xen/include/xen/livepatch_payload.h +++ b/xen/include/xen/livepatch_payload.h @@ -22,11 +22,13 @@ typedef void livepatch_loadcall_t(void); typedef void livepatch_unloadcall_t(void); typedef int livepatch_precall_t(livepatch_payload_t *arg); +typedef int livepatch_actioncall_t(livepatch_payload_t *arg); typedef void livepatch_postcall_t(livepatch_payload_t *arg); struct livepatch_hooks { struct { livepatch_precall_t *const *pre; + livepatch_actioncall_t *const *action; livepatch_postcall_t *const *post; } apply, revert; }; @@ -91,6 +93,10 @@ struct payload { livepatch_precall_t *__attribute__((weak, used)) \ const livepatch_preapply_data_##_fn __section(".livepatch.hooks.preapply") = _fn; +#define LIVEPATCH_APPLY_HOOK(_fn) \ + livepatch_actioncall_t *__attribute__((weak, used)) \ + const livepatch_apply_data_##_fn __section(".livepatch.hooks.apply") = _fn; + #define LIVEPATCH_POSTAPPLY_HOOK(_fn) \ livepatch_postcall_t *__attribute__((weak, used)) \ const livepatch_postapply_data_##_fn __section(".livepatch.hooks.postapply") = _fn; 
@@ -99,6 +105,10 @@ struct payload { livepatch_precall_t *__attribute__((weak, used)) \ const livepatch_prerevert_data_##_fn __section(".livepatch.hooks.prerevert") = _fn; +#define LIVEPATCH_REVERT_HOOK(_fn) \ + livepatch_actioncall_t *__attribute__((weak, used)) \ + const livepatch_revert_data_##_fn __section(".livepatch.hooks.revert") = _fn; + #define LIVEPATCH_POSTREVERT_HOOK(_fn) \ livepatch_postcall_t *__attribute__((weak, used)) \ const livepatch_postrevert_data_##_fn __section(".livepatch.hooks.postrevert") = _fn; From patchwork Wed Aug 21 08:19:24 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Wieczorkiewicz, Pawel" X-Patchwork-Id: 11106005 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9BC6F174A for ; Wed, 21 Aug 2019 08:22:08 +0000 (UTC) Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 6A1F022DA7 for ; Wed, 21 Aug 2019 08:22:08 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=amazon.de header.i=@amazon.de header.b="K6WpNq1O" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 6A1F022DA7 Authentication-Results: mail.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=amazon.de Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1i0LrT-0008SR-LO; Wed, 21 Aug 2019 08:20:55 +0000 Received: from all-amaz-eas1.inumbo.com ([34.197.232.57] helo=us1-amaz-eas2.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 
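Review bot: [PATCH 06/14] open-codes the same sequence four times in livepatch_do_action() (APPLY, REVERT and both halves of REPLACE): test is_hook_enabled(), printk, call the action hook, otherwise call the default function, then run the *_tail() helper when rc == 0. Fold that into two static helpers that take the payload and return rc, so that a later fix to the hook call path cannot miss one of the copies. The REPLACE revert branch also adds two consecutive blank lines before `if ( other->rc == 0 )`; one is enough.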
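Review bot: in [PATCH 06/14], apply_payload_tail() and revert_payload_tail() run on nothing more than a zero return from the payload-supplied action hook, so the payload is put on applied_list, registered as a virtual region and marked LIVEPATCH_STATE_APPLIED (or unregistered and marked LIVEPATCH_STATE_CHECKED) whether or not the hook did what the default function does, such as the arch_livepatch_revive() call visible in the context. The commit message also says the default functions are where the 'load' and 'unload' hooks are executed, so a payload that supplies LIVEPATCH_APPLY_HOOK or LIVEPATCH_REVERT_HOOK skips them unless its hook runs them itself. Please state that contract in a comment next to the new macros and in the livepatch documentation; the diffstat touches only livepatch.c and livepatch_payload.h.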
From: Pawel Wieczorkiewicz
Date: Wed, 21 Aug 2019 08:19:24 +0000
Message-ID: <20190821081931.90887-8-wipawel@amazon.de>
In-Reply-To: <20190821081931.90887-1-wipawel@amazon.de>
References: <20190821081931.90887-1-wipawel@amazon.de>
Subject: [Xen-devel] [PATCH 07/14] livepatch: Do not enforce ELF_LIVEPATCH_FUNC section presence
Cc: Pawel Wieczorkiewicz, wipawel@amazon.com, Ross Lagerwall, mpohlack@amazon.com, Konrad Rzeszutek Wilk

With the default implementation, the ELF_LIVEPATCH_FUNC section containing all functions to be replaced or added must be part of the hotpatch payload, otherwise the payload is rejected (with -EINVAL).

However, with the extended hooks implementation, a hotpatch may be constructed of only hooks to perform certain actions without any code to be added or replaced. Therefore, do not always expect the functions section and allow it to be missing, provided there is at least one section containing hooks present.

The functions section, when present in a payload, must be a single, non-empty section. Also check that all extended hooks sections are a single, non-empty section each. At least one of the functions or hooks sections must be present in a valid payload.

Signed-off-by: Pawel Wieczorkiewicz
Reviewed-by: Andra-Irina Paraschiv
Reviewed-by: Bjoern Doebel
Reviewed-by: Martin Pohlack
--- xen/common/livepatch.c | 145 +++++++++++++++++++++++++++++++------------- xen/include/xen/livepatch.h | 8 +++ 2 files changed, 112 insertions(+), 41 deletions(-) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index 38fab8b240..c4a107d91c 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c 
@@ -467,8 +467,7 @@ static int check_xen_build_id(const struct payload *payload) static int check_special_sections(const struct livepatch_elf *elf) { unsigned int i; - static const char *const names[] = { ELF_LIVEPATCH_FUNC, - ELF_LIVEPATCH_DEPENDS, + static const char *const names[] = { ELF_LIVEPATCH_DEPENDS, ELF_LIVEPATCH_XEN_DEPENDS, ELF_BUILD_ID_NOTE}; DECLARE_BITMAP(found, ARRAY_SIZE(names)) = { 0 }; 
@@ -503,6 +502,64 @@ static int check_special_sections(const struct livepatch_elf *elf) return 0; } +static int check_patching_sections(const struct livepatch_elf *elf) +{ + unsigned int i; + static const char *const names[] = { ELF_LIVEPATCH_FUNC, + ELF_LIVEPATCH_LOAD_HOOKS, + ELF_LIVEPATCH_UNLOAD_HOOKS, + ELF_LIVEPATCH_PREAPPLY_HOOK, + ELF_LIVEPATCH_APPLY_HOOK, + ELF_LIVEPATCH_POSTAPPLY_HOOK, + ELF_LIVEPATCH_PREREVERT_HOOK, + ELF_LIVEPATCH_REVERT_HOOK, + ELF_LIVEPATCH_POSTREVERT_HOOK}; + DECLARE_BITMAP(found, ARRAY_SIZE(names)) = { 0 }; + + /* + * The patching sections are optional, but at least one + * must be present. Otherwise, there is nothing to do. + * All the existing sections must not be empty and must + * be present at most once. + */ + for ( i = 0; i < ARRAY_SIZE(names); i++ ) + { + const struct livepatch_elf_sec *sec; + + sec = livepatch_elf_sec_by_name(elf, names[i]); + if ( !sec ) + { + dprintk(XENLOG_INFO, LIVEPATCH "%s: %s is missing!\n", + elf->name, names[i]); + continue; /* This section is optional */ + } + + if ( !sec->sec->sh_size ) + { + dprintk(XENLOG_ERR, LIVEPATCH "%s: %s is empty!\n", + elf->name, names[i]); + return -EINVAL; + } + + if ( test_and_set_bit(i, found) ) + { + dprintk(XENLOG_ERR, LIVEPATCH "%s: %s was seen more than once!\n", + elf->name, names[i]); + return -EINVAL; + } + } + + /* Checking if at least one section is present. */ + if ( bitmap_empty(found, ARRAY_SIZE(names)) ) + { + printk(XENLOG_ERR LIVEPATCH "%s: Nothing to patch. Aborting...\n", + elf->name); + return -EINVAL; + } + + return 0; +} + /* * Lookup specified section and when exists assign its address to a specified hook. * Perform section pointer and size validation: single hook sections must contain a 
@@ -542,57 +599,59 @@ static int prepare_payload(struct payload *payload, const Elf_Note *n; sec = livepatch_elf_sec_by_name(elf, ELF_LIVEPATCH_FUNC); - ASSERT(sec); - if ( !section_ok(elf, sec, sizeof(*payload->funcs)) ) - return -EINVAL; - - payload->funcs = sec->load_addr; - payload->nfuncs = sec->sec->sh_size / sizeof(*payload->funcs); - - for ( i = 0; i < payload->nfuncs; i++ ) + if ( sec ) { - int rc; + if ( !section_ok(elf, sec, sizeof(*payload->funcs)) ) + return -EINVAL; - f = &(payload->funcs[i]); + payload->funcs = sec->load_addr; + payload->nfuncs = sec->sec->sh_size / sizeof(*payload->funcs); - if ( f->version != LIVEPATCH_PAYLOAD_VERSION ) + for ( i = 0; i < payload->nfuncs; i++ ) { - dprintk(XENLOG_ERR, LIVEPATCH "%s: Wrong version (%u). Expected %d!\n", - elf->name, f->version, LIVEPATCH_PAYLOAD_VERSION); - return -EOPNOTSUPP; - } + int rc; - /* 'old_addr', 'new_addr', 'new_size' can all be zero. */ - if ( !f->old_size ) - { - dprintk(XENLOG_ERR, LIVEPATCH "%s: Address or size fields are zero!\n", - elf->name); - return -EINVAL; - } + f = &(payload->funcs[i]); - rc = arch_livepatch_verify_func(f); - if ( rc ) - return rc; + if ( f->version != LIVEPATCH_PAYLOAD_VERSION ) + { + dprintk(XENLOG_ERR, LIVEPATCH "%s: Wrong version (%u). Expected %d!\n", + elf->name, f->version, LIVEPATCH_PAYLOAD_VERSION); + return -EOPNOTSUPP; + } - rc = resolve_old_address(f, elf); - if ( rc ) - return rc; + /* 'old_addr', 'new_addr', 'new_size' can all be zero. 
*/ + if ( !f->old_size ) + { + dprintk(XENLOG_ERR, LIVEPATCH "%s: Address or size fields are zero!\n", + elf->name); + return -EINVAL; + } - rc = livepatch_verify_distance(f); - if ( rc ) - return rc; + rc = arch_livepatch_verify_func(f); + if ( rc ) + return rc; + + rc = resolve_old_address(f, elf); + if ( rc ) + return rc; + + rc = livepatch_verify_distance(f); + if ( rc ) + return rc; + } } - LIVEPATCH_ASSIGN_MULTI_HOOK(elf, payload->load_funcs, payload->n_load_funcs, ".livepatch.hooks.load"); - LIVEPATCH_ASSIGN_MULTI_HOOK(elf, payload->unload_funcs, payload->n_unload_funcs, ".livepatch.hooks.unload"); + LIVEPATCH_ASSIGN_MULTI_HOOK(elf, payload->load_funcs, payload->n_load_funcs, ELF_LIVEPATCH_LOAD_HOOKS); + LIVEPATCH_ASSIGN_MULTI_HOOK(elf, payload->unload_funcs, payload->n_unload_funcs, ELF_LIVEPATCH_UNLOAD_HOOKS); - LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.apply.pre, ".livepatch.hooks.preapply"); - LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.apply.action, ".livepatch.hooks.apply"); - LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.apply.post, ".livepatch.hooks.postapply"); + LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.apply.pre, ELF_LIVEPATCH_PREAPPLY_HOOK); + LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.apply.action, ELF_LIVEPATCH_APPLY_HOOK); + LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.apply.post, ELF_LIVEPATCH_POSTAPPLY_HOOK); - LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.revert.pre, ".livepatch.hooks.prerevert"); - LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.revert.action, ".livepatch.hooks.revert"); - LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.revert.post, ".livepatch.hooks.postrevert"); + LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.revert.pre, ELF_LIVEPATCH_PREREVERT_HOOK); + LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.revert.action, ELF_LIVEPATCH_REVERT_HOOK); + LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.revert.post, ELF_LIVEPATCH_POSTREVERT_HOOK); sec = livepatch_elf_sec_by_name(elf, 
ELF_BUILD_ID_NOTE); if ( sec ) @@ -904,6 +963,10 @@ static int load_payload_data(struct payload *payload, void *raw, size_t len) if ( rc ) goto out; + rc = check_patching_sections(&elf); + if ( rc ) + goto out; + rc = prepare_payload(payload, &elf); if ( rc ) goto out; diff --git a/xen/include/xen/livepatch.h b/xen/include/xen/livepatch.h index ed997aa4cc..2aec532ee2 100644 --- a/xen/include/xen/livepatch.h +++ b/xen/include/xen/livepatch.h 
@@ -33,6 +33,14 @@ struct xen_sysctl_livepatch_op; #define ELF_LIVEPATCH_DEPENDS ".livepatch.depends" #define ELF_LIVEPATCH_XEN_DEPENDS ".livepatch.xen_depends" #define ELF_BUILD_ID_NOTE ".note.gnu.build-id" +#define ELF_LIVEPATCH_LOAD_HOOKS ".livepatch.hooks.load" +#define ELF_LIVEPATCH_UNLOAD_HOOKS ".livepatch.hooks.unload" +#define ELF_LIVEPATCH_PREAPPLY_HOOK ".livepatch.hooks.preapply" +#define ELF_LIVEPATCH_APPLY_HOOK ".livepatch.hooks.apply" +#define ELF_LIVEPATCH_POSTAPPLY_HOOK ".livepatch.hooks.postapply" +#define ELF_LIVEPATCH_PREREVERT_HOOK ".livepatch.hooks.prerevert" +#define ELF_LIVEPATCH_REVERT_HOOK ".livepatch.hooks.revert" +#define ELF_LIVEPATCH_POSTREVERT_HOOK ".livepatch.hooks.postrevert" /* Arbitrary limit for payload size and .bss section size. */ #define LIVEPATCH_MAX_SIZE MB(2) From patchwork Wed Aug 21 08:19:25 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Wieczorkiewicz, Pawel" X-Patchwork-Id: 11105993 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 534E81864 for ; Wed, 21 Aug 2019 08:21:56 +0000 (UTC) Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 250192339E for ; Wed, 21 Aug 2019 08:21:56 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=amazon.de header.i=@amazon.de header.b="k0Z8j+CK" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 250192339E Authentication-Results: mail.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=amazon.de Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Received: from localhost ([127.0.0.1] 
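Review bot: in check_patching_sections() of [PATCH 07/14], the `test_and_set_bit(i, found)` branch can never report a duplicate. Each names[i] is looked up exactly once and bit i is only set in that same iteration, so "was seen more than once!" is unreachable and the "present at most once" rule stated in the comment is not enforced. Either count matching sections while walking the ELF section table, or drop that claim from the comment and keep the bitmap only for the final bitmap_empty() test.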
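Review bot: in the prepare_payload() hunk of [PATCH 07/14], replacing ASSERT(sec) with `if ( sec )` means payload->funcs and payload->nfuncs are no longer assigned for a hooks-only payload. Nothing in this hunk initialises them, so either add an else branch that sets funcs to NULL and nfuncs to 0, or add a comment naming the place where the payload is zeroed, so that later users of the function array are guaranteed to see an empty one.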
From: Pawel Wieczorkiewicz
Date: Wed, 21 Aug 2019 08:19:25 +0000
Message-ID: <20190821081931.90887-9-wipawel@amazon.de>
In-Reply-To: <20190821081931.90887-1-wipawel@amazon.de>
References: <20190821081931.90887-1-wipawel@amazon.de>
Subject: [Xen-devel] [PATCH 08/14] livepatch: always print XENLOG_ERR information
Cc: wipawel@amazon.com, Wei Liu, Ross Lagerwall, Andrew Cooper, Konrad Rzeszutek Wilk, mpohlack@amazon.com, Pawel Wieczorkiewicz, Jan Beulich, Roger Pau Monné

A lot of legitimate error messages were hidden behind debug printk only. Most of these messages can be triggered by loading a malformed hotpatch payload and are priceless for understanding issues with such payloads.

Thus, always display all relevant XENLOG_ERR messages.

Signed-off-by: Pawel Wieczorkiewicz
Reviewed-by: Amit Shah
Reviewed-by: Martin Mazein
Reviewed-by: Bjoern Doebel
Reviewed-by: Ross Lagerwall
--- xen/arch/x86/livepatch.c | 16 ++++++++-------- xen/common/livepatch.c | 38 +++++++++++++++++++------------------- 2 files changed, 27 insertions(+), 27 deletions(-) diff --git a/xen/arch/x86/livepatch.c b/xen/arch/x86/livepatch.c index 406eb910cc..436ee40fe1 100644 --- a/xen/arch/x86/livepatch.c +++ b/xen/arch/x86/livepatch.c 
@@ -126,7 +126,7 @@ int arch_livepatch_verify_elf(const struct livepatch_elf *elf) hdr->e_ident[EI_CLASS] != ELFCLASS64 || hdr->e_ident[EI_DATA] != ELFDATA2LSB ) { - dprintk(XENLOG_ERR, LIVEPATCH "%s: Unsupported ELF Machine type!\n", + printk(XENLOG_ERR LIVEPATCH "%s: Unsupported ELF Machine type!\n", elf->name); return -EOPNOTSUPP; } @@ -152,7 +152,7 @@ int arch_livepatch_perform_rel(struct livepatch_elf *elf, const struct livepatch_elf_sec *base, const struct livepatch_elf_sec *rela) { - dprintk(XENLOG_ERR, LIVEPATCH "%s: SHT_REL relocation unsupported\n", + printk(XENLOG_ERR LIVEPATCH "%s: SHT_REL relocation unsupported\n", elf->name); return -EOPNOTSUPP; } @@ -172,19 +172,19 @@ int arch_livepatch_perform_rela(struct livepatch_elf *elf, if ( symndx == STN_UNDEF ) { - dprintk(XENLOG_ERR, LIVEPATCH "%s: Encountered STN_UNDEF\n", + printk(XENLOG_ERR LIVEPATCH "%s: Encountered STN_UNDEF\n", elf->name); return -EOPNOTSUPP; } else if ( symndx >= elf->nsym ) { - dprintk(XENLOG_ERR, LIVEPATCH "%s: Relative relocation wants symbol@%u which is past end!\n", + printk(XENLOG_ERR LIVEPATCH "%s: Relative relocation wants symbol@%u which is past end!\n", elf->name, symndx); return -EINVAL; } else if ( !elf->sym[symndx].sym ) { - dprintk(XENLOG_ERR, LIVEPATCH "%s: No symbol@%u\n", + printk(XENLOG_ERR LIVEPATCH "%s: No symbol@%u\n", elf->name, symndx); return -EINVAL; } @@ -222,14 +222,14 @@ int arch_livepatch_perform_rela(struct livepatch_elf *elf, *(int32_t *)dest = val; if ( (int64_t)val != *(int32_t *)dest ) { - dprintk(XENLOG_ERR, LIVEPATCH "%s: Overflow in relocation %u in %s for %s!\n", + printk(XENLOG_ERR LIVEPATCH "%s: Overflow in relocation %u in %s for %s!\n", elf->name, i, rela->name, base->name); return -EOVERFLOW; } break; default: - dprintk(XENLOG_ERR, LIVEPATCH "%s: Unhandled relocation %lu\n", + printk(XENLOG_ERR LIVEPATCH "%s: Unhandled relocation %lu\n", elf->name, ELF64_R_TYPE(r->r_info)); return -EOPNOTSUPP; } 
@@ -238,7 +238,7 @@ int arch_livepatch_perform_rela(struct livepatch_elf *elf, return 0; bad_offset: - dprintk(XENLOG_ERR, LIVEPATCH "%s: Relative relocation offset is past %s section!\n", + printk(XENLOG_ERR LIVEPATCH "%s: Relative relocation offset is past %s section!\n", elf->name, base->name); return -EINVAL; } diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index c4a107d91c..585ec9819a 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -217,7 +217,7 @@ static int resolve_old_address(struct livepatch_func *f, f->old_addr = (void *)livepatch_symbols_lookup_by_name(f->name); if ( !f->old_addr ) { - dprintk(XENLOG_ERR, LIVEPATCH "%s: Could not resolve old address of %s\n", + printk(XENLOG_ERR LIVEPATCH "%s: Could not resolve old address of %s\n", elf->name, f->name); return -ENOENT; } @@ -336,7 +336,7 @@ static int move_payload(struct payload *payload, struct livepatch_elf *elf) text_buf = vmalloc_xen(size * PAGE_SIZE); if ( !text_buf ) { - dprintk(XENLOG_ERR, LIVEPATCH "%s: Could not allocate memory for payload!\n", + printk(XENLOG_ERR LIVEPATCH "%s: Could not allocate memory for payload!\n", elf->name); rc = -ENOMEM; goto out; @@ -434,7 +434,7 @@ static bool section_ok(const struct livepatch_elf *elf, if ( sec->sec->sh_size % sz ) { - dprintk(XENLOG_ERR, LIVEPATCH "%s: Wrong size %"PRIuElfWord" of %s (must be multiple of %zu)\n", + printk(XENLOG_ERR LIVEPATCH "%s: Wrong size %"PRIuElfWord" of %s (must be multiple of %zu)\n", elf->name, sec->sec->sh_size, sec->name, sz); return false; } @@ -456,7 +456,7 @@ static int check_xen_build_id(const struct payload *payload) return rc; if ( payload->xen_dep.len != len || memcmp(id, payload->xen_dep.p, len) ) { - dprintk(XENLOG_ERR, "%s%s: check against hypervisor build-id failed!\n", + printk(XENLOG_ERR LIVEPATCH "%s%s: check against hypervisor build-id failed!\n", LIVEPATCH, payload->name); return -EINVAL; } 
@@ -479,21 +479,21 @@ static int check_special_sections(const struct livepatch_elf *elf) sec = livepatch_elf_sec_by_name(elf, names[i]); if ( !sec ) { - dprintk(XENLOG_ERR, LIVEPATCH "%s: %s is missing!\n", + printk(XENLOG_ERR LIVEPATCH "%s: %s is missing!\n", elf->name, names[i]); return -EINVAL; } if ( !sec->sec->sh_size ) { - dprintk(XENLOG_ERR, LIVEPATCH "%s: %s is empty!\n", + printk(XENLOG_ERR LIVEPATCH "%s: %s is empty!\n", elf->name, names[i]); return -EINVAL; } if ( test_and_set_bit(i, found) ) { - dprintk(XENLOG_ERR, LIVEPATCH "%s: %s was seen more than once!\n", + printk(XENLOG_ERR LIVEPATCH "%s: %s was seen more than once!\n", elf->name, names[i]); return -EINVAL; } @@ -529,21 +529,21 @@ static int check_patching_sections(const struct livepatch_elf *elf) sec = livepatch_elf_sec_by_name(elf, names[i]); if ( !sec ) { - dprintk(XENLOG_INFO, LIVEPATCH "%s: %s is missing!\n", + dprintk(XENLOG_DEBUG, LIVEPATCH "%s: %s is missing!\n", elf->name, names[i]); continue; /* This section is optional */ } if ( !sec->sec->sh_size ) { - dprintk(XENLOG_ERR, LIVEPATCH "%s: %s is empty!\n", + printk(XENLOG_ERR LIVEPATCH "%s: %s is empty!\n", elf->name, names[i]); return -EINVAL; } if ( test_and_set_bit(i, found) ) { - dprintk(XENLOG_ERR, LIVEPATCH "%s: %s was seen more than once!\n", + printk(XENLOG_ERR LIVEPATCH "%s: %s was seen more than once!\n", elf->name, names[i]); return -EINVAL; } @@ -615,7 +615,7 @@ static int prepare_payload(struct payload *payload, if ( f->version != LIVEPATCH_PAYLOAD_VERSION ) { - dprintk(XENLOG_ERR, LIVEPATCH "%s: Wrong version (%u). Expected %d!\n", + printk(XENLOG_ERR LIVEPATCH "%s: Wrong version (%u). Expected %d!\n", elf->name, f->version, LIVEPATCH_PAYLOAD_VERSION); return -EOPNOTSUPP; } 
@@ -623,7 +623,7 @@ static int prepare_payload(struct payload *payload, /* 'old_addr', 'new_addr', 'new_size' can all be zero. */ if ( !f->old_size ) { - dprintk(XENLOG_ERR, LIVEPATCH "%s: Address or size fields are zero!\n", + printk(XENLOG_ERR LIVEPATCH "%s: Address or size fields are zero!\n", elf->name); return -EINVAL; } @@ -762,14 +762,14 @@ static int prepare_payload(struct payload *payload, if ( (instr < region->start && instr >= region->end) || (replacement < region->start && replacement >= region->end) ) { - dprintk(XENLOG_ERR, LIVEPATCH "%s Alt patching outside payload: %p!\n", + printk(XENLOG_ERR LIVEPATCH "%s Alt patching outside payload: %p!\n", elf->name, instr); return -EINVAL; } } apply_alternatives(start, end); #else - dprintk(XENLOG_ERR, LIVEPATCH "%s: We don't support alternative patching!\n", + printk(XENLOG_ERR LIVEPATCH "%s: We don't support alternative patching!\n", elf->name); return -EOPNOTSUPP; #endif @@ -792,7 +792,7 @@ static int prepare_payload(struct payload *payload, region->ex = s; region->ex_end = e; #else - dprintk(XENLOG_ERR, LIVEPATCH "%s: We don't support .ex_table!\n", + printk(XENLOG_ERR LIVEPATCH "%s: We don't support .ex_table!\n", elf->name); return -EOPNOTSUPP; #endif @@ -901,7 +901,7 @@ static int build_symbol_table(struct payload *payload, if ( symbols_lookup_by_name(symtab[i].name) || livepatch_symbols_lookup_by_name(symtab[i].name) ) { - dprintk(XENLOG_ERR, LIVEPATCH "%s: duplicate new symbol: %s\n", + printk(XENLOG_ERR LIVEPATCH "%s: duplicate new symbol: %s\n", elf->name, symtab[i].name); xfree(symtab); xfree(strtab); @@ -1652,7 +1652,7 @@ static int build_id_dep(struct payload *payload, bool_t internal) if ( payload->dep.len != len || memcmp(id, payload->dep.p, len) ) { - dprintk(XENLOG_ERR, "%s%s: check against %s build-id failed!\n", + printk(XENLOG_ERR LIVEPATCH "%s%s: check against %s build-id failed!\n", LIVEPATCH, payload->name, name); return -EINVAL; } 
@@ -1712,7 +1712,7 @@ static int livepatch_action(struct xen_sysctl_livepatch_action *action) /* We should be the last applied one. */ if ( p != data ) { - dprintk(XENLOG_ERR, "%s%s: can't unload. Top is %s!\n", + printk(XENLOG_ERR LIVEPATCH "%s%s: can't unload. Top is %s!\n", LIVEPATCH, data->name, p->name); rc = -EBUSY; break; 
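Review bot: the converted "can't unload" message now has the LIVEPATCH literal concatenated in front of a format string that still starts with "%s%s" and still receives LIVEPATCH as its first argument, so the prefix is printed twice. Drop the leading %s and the LIVEPATCH argument, leaving printk(XENLOG_ERR LIVEPATCH "%s: can't unload. Top is %s!\n", data->name, p->name). The build_id_dep() message converted just before this hunk has the same duplication.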
@@ -1748,7 +1748,7 @@ static int livepatch_action(struct xen_sysctl_livepatch_action *action) */ if ( data->reverted && !data->safe_to_reapply ) { - dprintk(XENLOG_ERR, "%s%s: can't revert as payload has .data. Please unload!\n", + printk(XENLOG_ERR LIVEPATCH "%s%s: can't revert as payload has .data. Please unload!\n", LIVEPATCH, data->name); data->rc = -EINVAL; break;

From patchwork Wed Aug 21 08:19:26 2019
X-Patchwork-Submitter: "Wieczorkiewicz, Pawel"
X-Patchwork-Id: 11106021
From: Pawel Wieczorkiewicz
Date: Wed, 21 Aug 2019 08:19:26 +0000
Message-ID: <20190821081931.90887-10-wipawel@amazon.de>
In-Reply-To: <20190821081931.90887-1-wipawel@amazon.de>
Subject: [Xen-devel] [PATCH 09/14] livepatch: Add per-function applied/reverted state tracking marker
Cc: wipawel@amazon.com, Stefano Stabellini, Wei Liu, Ross Lagerwall, George Dunlap, Andrew Cooper, Konrad Rzeszutek Wilk, Ian Jackson, mpohlack@amazon.com, Tim Deegan, Pawel Wieczorkiewicz, Julien Grall, Jan Beulich, Roger Pau Monné

Livepatch only tracks an entire payload's applied/reverted state. But,
with an option to supply the apply_payload() and/or revert_payload()
functions as optional hooks, it becomes possible to intermix the
execution of the original apply_payload()/revert_payload() functions
with their dynamically supplied counterparts.
It is important then to track the current state of every function
being patched and prevent situations of unintentional double-apply
or unapplied revert.

To support that, it is necessary to extend the public interface of the
livepatch. The struct livepatch_func gets an additional field holding
the applied/reverted state marker.

To reflect the livepatch payload ABI change, bump the version flag
LIVEPATCH_PAYLOAD_VERSION up to 2.

The above solution only applies to x86 architecture for now.

Signed-off-by: Pawel Wieczorkiewicz
Reviewed-by: Andra-Irina Paraschiv
Reviewed-by: Bjoern Doebel
Reviewed-by: Martin Pohlack
--- xen/arch/x86/livepatch.c | 20 +++++++++++++++++++- xen/common/livepatch.c | 35 +++++++++++++++++++++++++++++++++++ xen/include/public/sysctl.h | 11 ++++++++++- xen/include/xen/livepatch.h | 2 +- 4 files changed, 65 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/livepatch.c b/xen/arch/x86/livepatch.c index 436ee40fe1..76fa91a082 100644 --- a/xen/arch/x86/livepatch.c +++ b/xen/arch/x86/livepatch.c @@ -61,6 +61,14 @@ void noinline arch_livepatch_apply(struct livepatch_func *func) if ( !len ) return; + /* If the apply action has been already executed on this function, do nothing... */ + if ( func->applied == LIVEPATCH_FUNC_APPLIED ) + { + printk(XENLOG_WARNING LIVEPATCH "%s: %s has been already applied before\n", + __func__, func->name); + return; + } + memcpy(func->opaque, old_ptr, len); if ( func->new_addr ) { @@ -77,15 +85,25 @@ void noinline arch_livepatch_apply(struct livepatch_func *func) add_nops(insn, len); memcpy(old_ptr, insn, len); + func->applied = LIVEPATCH_FUNC_APPLIED; } /* * "noinline" to cause control flow change and thus invalidate I$ and * cause refetch after modification. */ -void noinline arch_livepatch_revert(const struct livepatch_func *func) +void noinline arch_livepatch_revert(struct livepatch_func *func) { + /* If the apply action hasn't been executed on this function, do nothing... */ + if ( !func->old_addr || func->applied == LIVEPATCH_FUNC_NOT_APPLIED ) + { + printk(XENLOG_WARNING LIVEPATCH "%s: %s has not been applied before\n", + __func__, func->name); + return; + } + memcpy(func->old_addr, func->opaque, livepatch_insn_len(func)); + func->applied = LIVEPATCH_FUNC_NOT_APPLIED; } /* diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index 585ec9819a..090a48977b 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c
@@ -1242,6 +1242,29 @@ static inline void revert_payload_tail(struct payload *data) data->state = LIVEPATCH_STATE_CHECKED; } +/* + * Check if an action has applied the same state to all payload's functions consistently. + */ +static inline bool was_action_consistent(const struct payload *data, livepatch_func_state_t expected_state) +{ + int i; + + for ( i = 0; i < data->nfuncs; i++ ) + { + struct livepatch_func *f = &(data->funcs[i]); + + if ( f->applied != expected_state ) + { + printk(XENLOG_ERR LIVEPATCH "%s: Payload has a function: '%s' with inconsistent applied state.\n", + data->name, f->name ?: "noname"); + + return false; + } + } + + return true; +} + /* * This function is executed having all other CPUs with no deep stack (we may * have cpu_idle on it) and IRQs disabled. @@ -1268,6 +1291,9 @@ static void livepatch_do_action(void) else rc = apply_payload(data); + if ( !was_action_consistent(data, rc ? LIVEPATCH_FUNC_NOT_APPLIED : LIVEPATCH_FUNC_APPLIED) ) + panic("livepatch: partially applied payload '%s'!\n", data->name); + if ( rc == 0 ) apply_payload_tail(data); break; @@ -1282,6 +1308,9 @@ static void livepatch_do_action(void) else rc = revert_payload(data); + if ( !was_action_consistent(data, rc ? LIVEPATCH_FUNC_APPLIED : LIVEPATCH_FUNC_NOT_APPLIED) ) + panic("livepatch: partially reverted payload '%s'!\n", data->name); + if ( rc == 0 ) revert_payload_tail(data); break; @@ -1304,6 +1333,9 @@ static void livepatch_do_action(void) other->rc = revert_payload(other); + if ( !was_action_consistent(other, rc ? LIVEPATCH_FUNC_APPLIED : LIVEPATCH_FUNC_NOT_APPLIED) ) + panic("livepatch: partially reverted payload '%s'!\n", other->name); + if ( other->rc == 0 ) revert_payload_tail(other); else 
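Review bot: in the replace path (hunk at -1304) the result of revert_payload(other) is stored in other->rc, but the consistency check added right after it selects the expected state from rc, not other->rc. rc holds whatever an earlier step left in it, so a failed revert of 'other' can be compared against the state for a successful one (and the reverse), which either panics on a consistent payload or misses a partial revert. Use other->rc in the ternary, matching the if ( other->rc == 0 ) test that follows.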
@@ -1324,6 +1356,9 @@ static void livepatch_do_action(void) else rc = apply_payload(data); + if ( !was_action_consistent(data, rc ? LIVEPATCH_FUNC_NOT_APPLIED : LIVEPATCH_FUNC_APPLIED) ) + panic("livepatch: partially applied payload '%s'!\n", data->name); + if ( rc == 0 ) apply_payload_tail(data); } diff --git a/xen/include/public/sysctl.h b/xen/include/public/sysctl.h index 1b2b165a6d..b55ad6d050 100644 --- a/xen/include/public/sysctl.h +++ b/xen/include/public/sysctl.h @@ -818,7 +818,7 @@ struct xen_sysctl_cpu_featureset { * If zero exit with success. */ -#define LIVEPATCH_PAYLOAD_VERSION 1 +#define LIVEPATCH_PAYLOAD_VERSION 2 /* * .livepatch.funcs structure layout defined in the `Payload format` * section in the Live Patch design document. @@ -826,6 +826,11 @@ struct xen_sysctl_cpu_featureset { * We guard this with __XEN__ as toolstacks SHOULD not use it. */ #ifdef __XEN__ +typedef enum livepatch_func_state { + LIVEPATCH_FUNC_NOT_APPLIED = 0, + LIVEPATCH_FUNC_APPLIED = 1 +} livepatch_func_state_t; + struct livepatch_func { const char *name; /* Name of function to be patched. */ void *new_addr; @@ -834,6 +839,10 @@ struct livepatch_func { uint32_t old_size; uint8_t version; /* MUST be LIVEPATCH_PAYLOAD_VERSION. */ uint8_t opaque[31]; +#if defined CONFIG_X86 + uint8_t applied; + uint8_t _pad[7]; +#endif }; typedef struct livepatch_func livepatch_func_t; #endif diff --git a/xen/include/xen/livepatch.h b/xen/include/xen/livepatch.h index 2aec532ee2..a93126f631 100644 --- a/xen/include/xen/livepatch.h +++ b/xen/include/xen/livepatch.h 
@@ -117,7 +117,7 @@ int arch_livepatch_quiesce(void); void arch_livepatch_revive(void); void arch_livepatch_apply(struct livepatch_func *func); -void arch_livepatch_revert(const struct livepatch_func *func); +void arch_livepatch_revert(struct livepatch_func *func); void arch_livepatch_post_action(void); void arch_livepatch_mask(void);

From patchwork Wed Aug 21 08:19:27 2019
X-Patchwork-Submitter: "Wieczorkiewicz, Pawel"
X-Patchwork-Id: 11105991
From: Pawel Wieczorkiewicz
Date: Wed, 21 Aug 2019 08:19:27 +0000
Message-ID: <20190821081931.90887-11-wipawel@amazon.de>
In-Reply-To: <20190821081931.90887-1-wipawel@amazon.de>
Subject: [Xen-devel] [PATCH 10/14] livepatch: Add support for inline asm hotpatching expectations
Cc: wipawel@amazon.com, Stefano Stabellini, Wei Liu, Ross Lagerwall, George Dunlap, Andrew Cooper, Konrad Rzeszutek Wilk, Ian Jackson, mpohlack@amazon.com, Tim Deegan, Pawel Wieczorkiewicz, Julien Grall, Jan Beulich

This is the initial implementation of the expectations enhancement
to improve inline asm hotpatching.

Expectations are designed as an optional feature, since the main use of
them is planned for inline asm hotpatching. The flag enabled allows
controlling the expectation state.
Each expectation has data and len fields that describe the data
that is expected to be found at a given patching (old_addr) location.
The len must not exceed the data array size. The data array size
follows the size of the opaque array, since the opaque array holds
the original data and therefore must match what is specified in the
expectation (if enabled).

The payload structure is modified as each expectation structure is
part of the livepatch_func structure and hence extends the payload.

The payload version is bumped to 3 with this change to highlight the
ABI modification and enforce proper support.

Each expectation is checked prior to the apply action (i.e. as late
as possible to check against the most current state of the code).

For the replace action a new payload's expectations are checked AFTER
all applied payloads are successfully reverted, but BEFORE the new
payload is applied. That breaks the replace action's atomicity and in
case of an expectation check failure would leave a system with all
payloads reverted. That is obviously insecure.
Use it with caution and act upon replace errors!

Signed-off-by: Pawel Wieczorkiewicz
Reviewed-by: Andra-Irina Paraschiv
Reviewed-by: Martin Pohlack
Reviewed-by: Norbert Manthey
--- xen/common/livepatch.c | 71 +++++++++++++++++++++++++++++++++++++++++++++ xen/include/public/sysctl.h | 17 +++++++++-- 2 files changed, 86 insertions(+), 2 deletions(-) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index 090a48977b..8aef2fd12e 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c
@@ -560,6 +560,58 @@ static int check_patching_sections(const struct livepatch_elf *elf) return 0; } +static inline int livepatch_verify_expectation_fn(const struct livepatch_func *func) +{ + const livepatch_expectation_t *exp = &func->expect; + + /* Ignore disabled expectations. */ + if ( !exp->enabled ) + return 0; + + /* There is nothing to expect */ + if ( !func->old_addr ) + return -EFAULT; + + if ( exp->len > sizeof(exp->data)) + return -EOVERFLOW; + + /* Incorrect expectation */ + if ( func->old_size < exp->len ) + return -ERANGE; + + if ( memcmp(func->old_addr, exp->data, exp->len) ) + { + printk(XENLOG_ERR LIVEPATCH "%s: expectation failed: expected:%*phN, actual:%*phN\n", + func->name, exp->len, exp->data, exp->len, func->old_addr); + return -EINVAL; + } + + return 0; +} + +static inline int livepatch_check_expectations(const struct payload *payload) +{ + int i, rc; + + printk(XENLOG_INFO LIVEPATCH "%s: Verifying enabled expectations for all functions\n", + payload->name); + + for ( i = 0; i < payload->nfuncs; i++ ) + { + const struct livepatch_func *func = &(payload->funcs[i]); + + rc = livepatch_verify_expectation_fn(func); + if ( rc ) + { + printk(XENLOG_ERR LIVEPATCH "%s: expectations of %s failed (rc=%d), aborting!\n", + payload->name, func->name ?: "unknown", rc); + return rc; + } + } + + return 0; +} + /* * Lookup specified section and when exists assign its address to a specified hook. * Perform section pointer and size validation: single hook sections must contain a 
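Review bot: livepatch_verify_expectation_fn() accepts an enabled expectation with len == 0. None of the range checks reject it and memcmp() over zero bytes returns 0, so the function reports success without having compared anything at old_addr. Return an error when exp->enabled is set and exp->len is zero. Separately, the exp->len > sizeof(exp->data) test cannot fire with the 5-bit len and the 31-byte data[] declared in sysctl.h by this patch, and it is missing the space before its closing parenthesis.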
@@ -1347,6 +1399,20 @@ static void livepatch_do_action(void) if ( rc == 0 ) { + /* + * Make sure all expectation requirements are met. + * Beware all the payloads are reverted at this point. + * If expectations are not met the system is left in a + * completely UNPATCHED state! + */ + rc = livepatch_check_expectations(data); + if ( rc ) + { + printk(XENLOG_ERR LIVEPATCH "%s: SYSTEM MIGHT BE INSECURE: " + "Replace action has been aborted after reverting ALL payloads!\n", data->name); + break; + } + if ( is_hook_enabled(data->hooks.apply.action) ) { printk(XENLOG_INFO LIVEPATCH "%s: Calling apply action hook function\n", data->name); @@ -1800,6 +1866,11 @@ static int livepatch_action(struct xen_sysctl_livepatch_action *action) break; } + /* Make sure all expectation requirements are met. */ + rc = livepatch_check_expectations(data); + if ( rc ) + break; + if ( is_hook_enabled(data->hooks.apply.pre) ) { printk(XENLOG_INFO LIVEPATCH "%s: Calling pre-apply hook function\n", data->name); diff --git a/xen/include/public/sysctl.h b/xen/include/public/sysctl.h index b55ad6d050..e18322350d 100644 --- a/xen/include/public/sysctl.h +++ b/xen/include/public/sysctl.h @@ -818,7 +818,7 @@ struct xen_sysctl_cpu_featureset { * If zero exit with success. */ -#define LIVEPATCH_PAYLOAD_VERSION 2 +#define LIVEPATCH_PAYLOAD_VERSION 3 /* * .livepatch.funcs structure layout defined in the `Payload format` * section in the Live Patch design document. 
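Review bot: in the livepatch_action() hunk (-1800) the expectations are verified before the pre-apply hook is called, while the replace path verifies them inside livepatch_do_action(). The commit message asks for the check to happen as late as possible, yet here anything that changes the bytes at old_addr after this point, the pre-apply hook included, is not covered by it. Consider moving the apply-path check into livepatch_do_action() next to apply_payload(), as the replace case does, or state in a comment why the earlier point is sufficient.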
@@ -826,6 +826,18 @@ struct xen_sysctl_cpu_featureset { * We guard this with __XEN__ as toolstacks SHOULD not use it. */ #ifdef __XEN__ +#define LIVEPATCH_OPAQUE_SIZE 31 + +struct livepatch_expectation { + uint8_t enabled : 1; + uint8_t len : 5; /* Length of data up to LIVEPATCH_OPAQUE_SIZE + (5 bits is enough for now) */ + uint8_t data[LIVEPATCH_OPAQUE_SIZE]; /* Same size as opaque[] buffer of + struct livepatch_func. This is the + max number of bytes to be patched */ +}; +typedef struct livepatch_expectation livepatch_expectation_t; + typedef enum livepatch_func_state { LIVEPATCH_FUNC_NOT_APPLIED = 0, LIVEPATCH_FUNC_APPLIED = 1 
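Review bot: struct livepatch_expectation packs enabled and len into uint8_t bit-fields, and the commit message makes this structure part of livepatch_func and therefore of the payload ABI. The order in which bit-fields are allocated within the byte is implementation-defined, so the payload build tools and the hypervisor only agree on the layout when both follow the same compiler conventions. Prefer a plain uint8_t with mask and shift macros, or separate uint8_t enabled and uint8_t len fields, and give the two remaining bits a name so that they can be required to be zero.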
@@ -838,11 +850,12 @@ struct livepatch_func { uint32_t new_size; uint32_t old_size; uint8_t version; /* MUST be LIVEPATCH_PAYLOAD_VERSION. */ - uint8_t opaque[31]; + uint8_t opaque[LIVEPATCH_OPAQUE_SIZE]; #if defined CONFIG_X86 uint8_t applied; uint8_t _pad[7]; #endif + livepatch_expectation_t expect; }; typedef struct livepatch_func livepatch_func_t; #endif

From patchwork Wed Aug 21 08:19:28 2019
X-Patchwork-Submitter: "Wieczorkiewicz, Pawel"
X-Patchwork-Id: 11105995
From: Pawel Wieczorkiewicz
Date: Wed, 21 Aug 2019 08:19:28 +0000
Message-ID: <20190821081931.90887-12-wipawel@amazon.de>
In-Reply-To: <20190821081931.90887-1-wipawel@amazon.de>
Subject: [Xen-devel] [PATCH 11/14] livepatch: Add support for modules .modinfo section metadata
Cc: Pawel Wieczorkiewicz, wipawel@amazon.com, Ross Lagerwall, mpohlack@amazon.com, Konrad Rzeszutek Wilk

Having detailed hotpatch metadata helps to properly identify a module's
origin and version. It also allows keeping track of the history of
hotpatch loads in the system (at least within dmesg buffer size
limits).

The hotpatch metadata are embedded in the form of a .modinfo section.
Each such section contains data of the following format:

  key=value\0key=value\0...key=value\0

The .modinfo section may be generated and appended to the resulting
hotpatch ELF file optionally as an extra step of a higher level
hotpatch build system.

The metadata section pointer and the section length are stored in the
hotpatch payload structure and are used to display the content upon a
hotpatch apply operation.

Signed-off-by: Pawel Wieczorkiewicz
Reviewed-by: Andra-Irina Paraschiv
Reviewed-by: Bjoern Doebel
Reviewed-by: Leonard Foerster
Reviewed-by: Martin Pohlack
Reviewed-by: Norbert Manthey
--- xen/common/livepatch.c | 34 ++++++++++++++++++++++++++++++++++ xen/include/xen/livepatch_payload.h | 6 ++++++ 2 files changed, 40 insertions(+) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index 8aef2fd12e..f88cf3bc73 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c
@@ -850,6 +850,23 @@ static int prepare_payload(struct payload *payload, #endif } + sec = livepatch_elf_sec_by_name(elf, ".modinfo"); + if ( sec ) + { + if ( !section_ok(elf, sec, sizeof(*payload->metadata.data)) ) + return -EINVAL; + + payload->metadata.data = sec->load_addr; + payload->metadata.len = sec->sec->sh_size; + + /* The metadata is required to consists of null terminated strings. */ + if ( payload->metadata.data[payload->metadata.len - 1] != '\0' ) + { + printk(XENLOG_ERR LIVEPATCH "%s: Incorrect metadata format detected\n", payload->name); + return -EINVAL; + } + } + return 0; } @@ -1200,6 +1217,19 @@ static int livepatch_list(struct xen_sysctl_livepatch_list *list) * for XEN_SYSCTL_LIVEPATCH_ACTION operation (see livepatch_action). */ +static inline void livepatch_display_metadata(const struct livepatch_metadata *metadata) +{ + const char *str; + + if ( metadata && metadata->data && metadata->len > 0 ) + { + printk(XENLOG_INFO LIVEPATCH "module metadata:\n"); + for ( str = metadata->data; str < (metadata->data + metadata->len); str += (strlen(str) + 1) ) + printk(XENLOG_INFO LIVEPATCH " %s\n", str); + } + +} + static int apply_payload(struct payload *data) { unsigned int i; @@ -1232,6 +1262,8 @@ static int apply_payload(struct payload *data) arch_livepatch_revive(); + livepatch_display_metadata(&data->metadata); + return 0; } @@ -2008,6 +2040,8 @@ static void livepatch_printall(unsigned char key) data->name, state2str(data->state), data->state, data->text_addr, data->rw_addr, data->ro_addr, data->pages); + livepatch_display_metadata(&data->metadata); + for ( i = 0; i < data->nfuncs; i++ ) { struct livepatch_func *f = &(data->funcs[i]); diff --git a/xen/include/xen/livepatch_payload.h b/xen/include/xen/livepatch_payload.h index ff16af0dd6..9f5f064205 100644 --- a/xen/include/xen/livepatch_payload.h +++ b/xen/include/xen/livepatch_payload.h 
@@ -33,6 +33,11 @@ struct livepatch_hooks { } apply, revert; }; +struct livepatch_metadata { + const char *data; /* Ptr to .modinfo section with ASCII data. */ + uint32_t len; /* Length of the metadata section. */ +}; + struct payload { uint32_t state; /* One of the LIVEPATCH_STATE_*. */ int32_t rc; /* 0 or -XEN_EXX. */ 
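Review bot: len in struct livepatch_metadata is filled straight from sh_size, and prepare_payload() then reads data[len - 1] to test for the terminating NUL without first checking that len is non-zero. Unless section_ok() rejects an empty .modinfo section, which is not visible in this patch, a zero-length section makes len - 1 wrap and the test reads far outside the section. Add an explicit check for metadata.len == 0 (returning -EINVAL, or treating the section as absent) before the terminator test.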
@@ -63,6 +68,7 @@ struct payload { unsigned int n_load_funcs; /* Nr of the funcs to load and execute. */ unsigned int n_unload_funcs; /* Nr of funcs to call durung unload. */ char name[XEN_LIVEPATCH_NAME_SIZE]; /* Name of it. */ + struct livepatch_metadata metadata; /* Module meta data record */ }; /* From patchwork Wed Aug 21 08:19:29 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Wieczorkiewicz, Pawel" X-Patchwork-Id: 11106009 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6A02A174A for ; Wed, 21 Aug 2019 08:22:13 +0000 (UTC) Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 3C04F22DA7 for ; Wed, 21 Aug 2019 08:22:13 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=amazon.de header.i=@amazon.de header.b="ZHFKG2SS" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 3C04F22DA7 Authentication-Results: mail.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=amazon.de Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1i0Lrm-0000ZW-JM; Wed, 21 Aug 2019 08:21:14 +0000 Received: from us1-rack-iad1.inumbo.com ([172.99.69.81]) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1i0Lrj-0000Tm-R8 for xen-devel@lists.xen.org; Wed, 21 Aug 2019 08:21:11 +0000 X-Inumbo-ID: a09c647c-c3ec-11e9-b95f-bc764e2007e4 Received: from smtp-fw-33001.amazon.com (unknown [207.171.190.10]) by us1-rack-iad1.inumbo.com (Halon) with ESMTPS id 
a09c647c-c3ec-11e9-b95f-bc764e2007e4; Wed, 21 Aug 2019 08:21:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.de; i=@amazon.de; q=dns/txt; s=amazon201209; t=1566375669; x=1597911669; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version; bh=tFvmdtLRb7s2aVMWulKDj3rm2tJtfJO0QQS3G0a05hg=; b=ZHFKG2SS6nMCsApW3//g0mgT9HX0jaATDW/kjeJlIIxT/BKKf8el32Ll DLlEwJfteM9TDhc1Sg1F0Fm29xAHzIDyr/CL9JWhHRarBadAwPE/BQr18 HA5CzNIgn15mhILJ9IaRtKbTUTfhSiwlcjXkbwTFAlLgApLVvVc+iALtb Y=; X-IronPort-AV: E=Sophos;i="5.64,412,1559520000"; d="scan'208";a="822132748" Received: from sea3-co-svc-lb6-vlan2.sea.amazon.com (HELO email-inbound-relay-2a-e7be2041.us-west-2.amazon.com) ([10.47.22.34]) by smtp-border-fw-out-33001.sea14.amazon.com with ESMTP; 21 Aug 2019 08:21:06 +0000 Received: from EX13MTAUEA001.ant.amazon.com (pdx4-ws-svc-p6-lb7-vlan2.pdx.amazon.com [10.170.41.162]) by email-inbound-relay-2a-e7be2041.us-west-2.amazon.com (Postfix) with ESMTPS id AB98CA211E; Wed, 21 Aug 2019 08:21:05 +0000 (UTC) Received: from EX13D05EUB003.ant.amazon.com (10.43.166.253) by EX13MTAUEA001.ant.amazon.com (10.43.61.243) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Wed, 21 Aug 2019 08:20:37 +0000 Received: from EX13MTAUWB001.ant.amazon.com (10.43.161.207) by EX13D05EUB003.ant.amazon.com (10.43.166.253) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Wed, 21 Aug 2019 08:20:35 +0000 Received: from dev-dsk-wipawel-1a-0c4e6d58.eu-west-1.amazon.com (10.4.134.33) by mail-relay.amazon.com (10.43.161.249) with Microsoft SMTP Server id 15.0.1367.3 via Frontend Transport; Wed, 21 Aug 2019 08:20:32 +0000 
From: Pawel Wieczorkiewicz
Date: Wed, 21 Aug 2019 08:19:29 +0000
Message-ID: <20190821081931.90887-13-wipawel@amazon.de>
In-Reply-To: <20190821081931.90887-1-wipawel@amazon.de>
References: <20190821081931.90887-1-wipawel@amazon.de>
Subject: [Xen-devel] [PATCH 12/14] livepatch: Handle arbitrary size names with the list operation
Cc: wipawel@amazon.com, Stefano Stabellini, Wei Liu, Konrad Rzeszutek Wilk, George Dunlap, Andrew Cooper, Ross Lagerwall, Ian Jackson, mpohlack@amazon.com, Tim Deegan, Pawel Wieczorkiewicz, Julien Grall, Jan Beulich

The payloads' name strings can be of arbitrary size (typically small with an upper bound of XEN_LIVEPATCH_NAME_SIZE). Current implementation of the list operation interface allows to copy names in the XEN_LIVEPATCH_NAME_SIZE chunks regardless of its actual size and enforces space allocation requirements on userland tools.

To unify and simplify the interface, handle the name strings of arbitrary size by copying them in adhering chunks to the userland. In order to let the userland allocate enough space for the incoming data add an auxiliary interface xc_livepatch_list_get_sizes() that provides the current number of payload entries and the total size of all name strings. This is achieved by extending the sysctl list interface with an extra field: name_total_size.

The xc_livepatch_list_get_sizes() issues the livepatch sysctl list operation with the nr field set to 0. In this mode the operation returns the number of payload entries and calculates the total sizes for all payloads' names.

When the sysctl operation is issued with a non-zero nr field (for instance with a value obtained earlier with the prior call to the xc_livepatch_list_get_sizes()) the new field name_total_size provides the total size of actually copied data.

Extend the libxc to handle the name back-to-back data transfers.

The xen-livepatch tool is modified to start the list operation with a call to the xc_livepatch_list_get_sizes() to obtain the actual number of payloads as well as the necessary space for names. The tool now always requests the actual number of entries and leaves the preemption handling to the libxc routine. The libxc still returns 'done' and 'left' parameters with the same semantic allowing the tool to detect anomalies and react to them. At the moment it is expected that the tool receives the exact number of entries as requested.

The xen-livepatch tool has been also modified to handle the name back-to-back transfers correctly.

Signed-off-by: Pawel Wieczorkiewicz
Reviewed-by: Andra-Irina Paraschiv
Reviewed-by: Bjoern Doebel
Reviewed-by: Martin Pohlack
---
tools/libxc/include/xenctrl.h | 49 ++++++++++++------
tools/libxc/xc_misc.c | 100 ++++++++++++++++++++++++++++---------
tools/misc/xen-livepatch.c | 112 ++++++++++++++++++++++--------------------
xen/common/livepatch.c | 31 +++++++++---
xen/include/public/sysctl.h | 15 +++---
5 files changed, 204 insertions(+), 103 deletions(-)

diff --git a/tools/libxc/include/xenctrl.h b/tools/libxc/include/xenctrl.h index 725697c132..e0ebb586b6 100644 --- a/tools/libxc/include/xenctrl.h +++ b/tools/libxc/include/xenctrl.h
@@ -2560,7 +2560,25 @@ int xc_livepatch_get(xc_interface *xch, xen_livepatch_status_t *status); /* - * The heart of this function is to get an array of xen_livepatch_status_t. + * Get a number of available payloads and get actual total size of + * the payloads' name array. + * + * This functions is typically executed first before the xc_livepatch_list() + * to obtain the sizes and correctly allocate all necessary data resources. + * + * The return value is zero if the hypercall completed successfully. + * + * If there was an error performing the sysctl operation, the return value + * will contain the hypercall error code value. + */ +int xc_livepatch_list_get_sizes(xc_interface *xch, unsigned int *nr, + uint64_t *name_total_size); + +/* + * The heart of this function is to get an array of the following objects: + * - xen_livepatch_status_t: states and return codes of payloads + * - name: names of payloads + * - len: lengths of corresponding payloads' names * * However it is complex because it has to deal with the hypervisor * returning some of the requested data or data being stale 
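Review bot: the new comment above xc_livepatch_list_get_sizes() says the return value "will contain the hypercall error code value", but the implementation in xc_misc.c returns -1 with errno set for NULL arguments, and list_func() in xen-livepatch.c reads errno after a non-zero return. The comment should say that failure is a non-zero return with the reason in errno. It is also worth stating that name_total_size counts the NUL terminator of every name (the hypervisor adds strlen(data->name) + 1 per payload), and "This functions" should read "This function".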
@@ -2571,21 +2589,20 @@ int xc_livepatch_get(xc_interface *xch, * 'left' are also updated with the number of entries filled out * and respectively the number of entries left to get from hypervisor. * - * It is expected that the caller of this function will take the - * 'left' and use the value for 'start'. This way we have an - * cursor in the array. Note that the 'info','name', and 'len' will - * be updated at the subsequent calls. + * It is expected that the caller of this function will first issue the + * xc_livepatch_list_get_sizes() in order to obtain total sizes of names + * as well as the current number of payload entries. + * The total sizes are required and supplied via the 'name_total_size' + * parameter. * - * The 'max' is to be provided by the caller with the maximum - * number of entries that 'info', 'name', and 'len' arrays can - * be filled up with. - * - * Each entry in the 'name' array is expected to be of XEN_LIVEPATCH_NAME_SIZE - * length. + * The 'max' is to be provided by the caller with the maximum number of + * entries that 'info', 'name', 'len' arrays can be filled up with. * * Each entry in the 'info' array is expected to be of xen_livepatch_status_t * structure size. * + * Each entry in the 'name' array may have an arbitrary size. + * * Each entry in the 'len' array is expected to be of uint32_t size. * * The return value is zero if the hypercall completed successfully. 
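Review bot: the rewritten comment no longer explains 'start', which is still a parameter, and "Each entry in the 'name' array may have an arbitrary size" does not tell the caller how to locate entry i. Please document that names are packed back-to-back in the order of 'info', that entry i starts at the sum of len[0..i-1], and that 'name' must hold at least 'name_total_size' bytes, since callers can no longer index by XEN_LIVEPATCH_NAME_SIZE.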
@@ -2597,10 +2614,12 @@ int xc_livepatch_get(xc_interface *xch, * will contain the number of entries that had been succesfully * retrieved (if any). */ -int xc_livepatch_list(xc_interface *xch, unsigned int max, unsigned int start, - xen_livepatch_status_t *info, char *name, - uint32_t *len, unsigned int *done, - unsigned int *left); +int xc_livepatch_list(xc_interface *xch, const unsigned int max, + const unsigned int start, + struct xen_livepatch_status *info, + char *name, uint32_t *len, + const uint64_t name_total_size, + unsigned int *done, unsigned int *left); /* * The operations are asynchronous and the hypervisor may take a while diff --git a/tools/libxc/xc_misc.c b/tools/libxc/xc_misc.c index a8e9e7d1e2..d787f3f29f 100644 --- a/tools/libxc/xc_misc.c +++ b/tools/libxc/xc_misc.c 
@@ -662,7 +662,48 @@ int xc_livepatch_get(xc_interface *xch, } /* - * The heart of this function is to get an array of xen_livepatch_status_t. + * Get a number of available payloads and get actual total size of + * the payloads' name array. + * + * This functions is typically executed first before the xc_livepatch_list() + * to obtain the sizes and correctly allocate all necessary data resources. + * + * The return value is zero if the hypercall completed successfully. + * + * If there was an error performing the sysctl operation, the return value + * will contain the hypercall error code value. + */ +int xc_livepatch_list_get_sizes(xc_interface *xch, unsigned int *nr, + uint64_t *name_total_size) +{ + DECLARE_SYSCTL; + int rc; + + if ( !nr || !name_total_size ) + { + errno = EINVAL; + return -1; + } + + memset(&sysctl, 0, sizeof(sysctl)); + sysctl.cmd = XEN_SYSCTL_livepatch_op; + sysctl.u.livepatch.cmd = XEN_SYSCTL_LIVEPATCH_LIST; + + rc = do_sysctl(xch, &sysctl); + if ( rc ) + return rc; + + *nr = sysctl.u.livepatch.u.list.nr; + *name_total_size = sysctl.u.livepatch.u.list.name_total_size; + + return 0; +} + +/* + * The heart of this function is to get an array of the following objects: + * - xen_livepatch_status_t: states and return codes of payloads + * - name: names of payloads + * - len: lengths of corresponding payloads' names * * However it is complex because it has to deal with the hypervisor * returning some of the requested data or data being stale 
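Review bot: xc_livepatch_list_get_sizes() copies out list.nr and list.name_total_size but drops list.version, so the caller cannot tell that the sizes it allocated from are stale by the time xc_livepatch_list() issues its own, separate hypercall. Returning the version as well, or letting xc_livepatch_list() take the expected version and fail on a mismatch before any data is bounced back, would let the tool repeat the size query instead of trusting a buffer sized for an older payload list.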
@@ -673,21 +714,20 @@ int xc_livepatch_get(xc_interface *xch, * 'left' are also updated with the number of entries filled out * and respectively the number of entries left to get from hypervisor. * - * It is expected that the caller of this function will take the - * 'left' and use the value for 'start'. This way we have an - * cursor in the array. Note that the 'info','name', and 'len' will - * be updated at the subsequent calls. + * It is expected that the caller of this function will first issue the + * xc_livepatch_list_get_sizes() in order to obtain total sizes of names + * as well as the current number of payload entries. + * The total sizes are required and supplied via the 'name_total_size' + * parameter. * - * The 'max' is to be provided by the caller with the maximum - * number of entries that 'info', 'name', and 'len' arrays can - * be filled up with. - * - * Each entry in the 'name' array is expected to be of XEN_LIVEPATCH_NAME_SIZE - * length. + * The 'max' is to be provided by the caller with the maximum number of + * entries that 'info', 'name', 'len' arrays can be filled up with. * * Each entry in the 'info' array is expected to be of xen_livepatch_status_t * structure size. * + * Each entry in the 'name' array may have an arbitrary size. + * * Each entry in the 'len' array is expected to be of uint32_t size. * * The return value is zero if the hypercall completed successfully. @@ -699,11 +739,12 @@ int xc_livepatch_get(xc_interface *xch, * will contain the number of entries that had been succesfully * retrieved (if any). */ -int xc_livepatch_list(xc_interface *xch, unsigned int max, unsigned int start, +int xc_livepatch_list(xc_interface *xch, const unsigned int max, + const unsigned int start, struct xen_livepatch_status *info, char *name, uint32_t *len, - unsigned int *done, - unsigned int *left) + const uint64_t name_total_size, + unsigned int *done, unsigned int *left) { int rc; DECLARE_SYSCTL; 
@@ -714,27 +755,33 @@ int xc_livepatch_list(xc_interface *xch, unsigned int max, unsigned int start, uint32_t max_batch_sz, nr; uint32_t version = 0, retries = 0; uint32_t adjust = 0; - ssize_t sz; + off_t name_off = 0; + uint64_t name_sz; - if ( !max || !info || !name || !len ) + if ( !max || !info || !name || !len || !done || !left ) { errno = EINVAL; return -1; } + if ( name_total_size == 0 ) + { + errno = ENOENT; + return -1; + } + + memset(&sysctl, 0, sizeof(sysctl)); sysctl.cmd = XEN_SYSCTL_livepatch_op; sysctl.u.livepatch.cmd = XEN_SYSCTL_LIVEPATCH_LIST; - sysctl.u.livepatch.pad = 0; - sysctl.u.livepatch.u.list.version = 0; sysctl.u.livepatch.u.list.idx = start; - sysctl.u.livepatch.u.list.pad = 0; max_batch_sz = max; - /* Convience value. */ - sz = sizeof(*name) * XEN_LIVEPATCH_NAME_SIZE; + name_sz = name_total_size; *done = 0; *left = 0; do { + uint64_t _name_sz; + /* * The first time we go in this loop our 'max' may be bigger * than what the hypervisor is comfortable with - hence the first @@ -754,11 +801,11 @@ int xc_livepatch_list(xc_interface *xch, unsigned int max, unsigned int start, sysctl.u.livepatch.u.list.nr = nr; /* Fix the size (may vary between hypercalls). */ HYPERCALL_BOUNCE_SET_SIZE(info, nr * sizeof(*info)); - HYPERCALL_BOUNCE_SET_SIZE(name, nr * nr); + HYPERCALL_BOUNCE_SET_SIZE(name, name_sz); HYPERCALL_BOUNCE_SET_SIZE(len, nr * sizeof(*len)); /* Move the pointer to proper offset into 'info'. */ (HYPERCALL_BUFFER(info))->ubuf = info + *done; - (HYPERCALL_BUFFER(name))->ubuf = name + (sz * *done); + (HYPERCALL_BUFFER(name))->ubuf = name + name_off; (HYPERCALL_BUFFER(len))->ubuf = len + *done; /* Allocate memory. */ rc = xc_hypercall_bounce_pre(xch, info); 
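Review bot: in the second hunk, HYPERCALL_BOUNCE_SET_SIZE(name, name_sz) sizes the bounce buffer purely from the caller's name_total_size, and the later "name_sz -= _name_sz" and "name_off += _name_sz" in the same loop trust whatever list.name_total_size the hypercall reports. Checking _name_sz <= name_sz before the post-bounce, and failing the call otherwise, would prevent an unsigned wrap of name_sz and keep name + name_off inside the caller's allocation. In the first hunk, name_off is declared off_t while it accumulates uint64_t sizes; size_t or uint64_t would match.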
@@ -827,14 +874,19 @@ int xc_livepatch_list(xc_interface *xch, unsigned int max, unsigned int start, break; } *left = sysctl.u.livepatch.u.list.nr; /* Total remaining count. */ + _name_sz = sysctl.u.livepatch.u.list.name_total_size; /* Total received name size. */ /* Copy only up 'rc' of data' - we could add 'min(rc,nr) if desired. */ HYPERCALL_BOUNCE_SET_SIZE(info, (rc * sizeof(*info))); - HYPERCALL_BOUNCE_SET_SIZE(name, (rc * sz)); + HYPERCALL_BOUNCE_SET_SIZE(name, _name_sz); HYPERCALL_BOUNCE_SET_SIZE(len, (rc * sizeof(*len))); /* Bounce the data and free the bounce buffer. */ xc_hypercall_bounce_post(xch, info); xc_hypercall_bounce_post(xch, name); xc_hypercall_bounce_post(xch, len); + + name_sz -= _name_sz; + name_off += _name_sz; + /* And update how many elements of info we have copied into. */ *done += rc; /* Update idx. */ diff --git a/tools/misc/xen-livepatch.c b/tools/misc/xen-livepatch.c index a37b2457ff..8ac3d567fc 100644 --- a/tools/misc/xen-livepatch.c +++ b/tools/misc/xen-livepatch.c @@ -64,14 +64,14 @@ static const char *state2str(unsigned int state) return names[state]; } -/* This value was choosen adhoc. It could be 42 too. */ -#define MAX_LEN 11 static int list_func(int argc, char *argv[]) { - unsigned int idx, done, left, i; + unsigned int nr, done, left, i; xen_livepatch_status_t *info = NULL; char *name = NULL; uint32_t *len = NULL; + uint64_t name_total_size; + off_t name_off; int rc = ENOMEM; if ( argc ) 
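Review bot: the context line "int rc = ENOMEM;" at the end of this hunk no longer covers the allocation failures in list_func(), because the rewritten body first assigns rc from xc_livepatch_list_get_sizes(), leaving rc at 0 when a later malloc() fails and the function returns or jumps to error_name / error_len. Set rc = ENOMEM again before the allocations. In the same function, the "rc || done != nr || left > 0" path overwrites rc with errno even when the call succeeded and only the counts mismatched, so a stale errno decides the exit code. With the #define MAX_LEN removed here, the #undef MAX_LEN after list_func() is left dangling and should go too.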
@@ -79,65 +79,73 @@ static int list_func(int argc, char *argv[]) show_help(); return -1; } - idx = left = 0; - info = malloc(sizeof(*info) * MAX_LEN); - if ( !info ) - return rc; - name = malloc(sizeof(*name) * XEN_LIVEPATCH_NAME_SIZE * MAX_LEN); - if ( !name ) + done = left = 0; + + rc = xc_livepatch_list_get_sizes(xch, &nr, &name_total_size); + if ( rc ) { - free(info); + rc = errno; + fprintf(stderr, "Failed to get list sizes.\n" + "Error %d: %s\n", + rc, strerror(rc)); return rc; } - len = malloc(sizeof(*len) * MAX_LEN); - if ( !len ) { - free(name); - free(info); + + if ( nr == 0 ) + { + fprintf(stdout, "Nothing to list\n"); + return 0; + } + + info = malloc(nr * sizeof(*info)); + if ( !info ) return rc; + + name = malloc(name_total_size * sizeof(*name)); + if ( !name ) + goto error_name; + + len = malloc(nr * sizeof(*len)); + if ( !len ) + goto error_len; + + memset(info, 'A', nr * sizeof(*info)); + memset(name, 'B', name_total_size * sizeof(*name)); + memset(len, 'C', nr * sizeof(*len)); + name_off = 0; + + rc = xc_livepatch_list(xch, nr, 0, info, name, len, name_total_size, &done, &left); + if ( rc || done != nr || left > 0) + { + rc = errno; + fprintf(stderr, "Failed to list %d/%d.\n" + "Error %d: %s\n", + left, nr, rc, strerror(rc)); + goto error; } - do { - done = 0; - /* The memset is done to catch errors. 
*/ - memset(info, 'A', sizeof(*info) * MAX_LEN); - memset(name, 'B', sizeof(*name) * MAX_LEN * XEN_LIVEPATCH_NAME_SIZE); - memset(len, 'C', sizeof(*len) * MAX_LEN); - rc = xc_livepatch_list(xch, MAX_LEN, idx, info, name, len, &done, &left); - if ( rc ) - { - rc = errno; - fprintf(stderr, "Failed to list %d/%d.\n" - "Error %d: %s\n", - idx, left, rc, strerror(rc)); - break; - } - if ( !idx ) - fprintf(stdout," ID | status\n" - "----------------------------------------+------------\n"); + fprintf(stdout," ID | status\n" + "----------------------------------------+------------\n"); - for ( i = 0; i < done; i++ ) - { - unsigned int j; - uint32_t sz; - char *str; - - sz = len[i]; - str = name + (i * XEN_LIVEPATCH_NAME_SIZE); - for ( j = sz; j < XEN_LIVEPATCH_NAME_SIZE; j++ ) - str[j] = '\0'; - - printf("%-40s| %s", str, state2str(info[i].state)); - if ( info[i].rc ) - printf(" (%d, %s)\n", -info[i].rc, strerror(-info[i].rc)); - else - puts(""); - } - idx += done; - } while ( left ); + for ( i = 0; i < done; i++ ) + { + char *name_str = name + name_off; + + printf("%-40.*s| %s", len[i], name_str, state2str(info[i].state)); + if ( info[i].rc ) + printf(" (%d, %s)\n", -info[i].rc, strerror(-info[i].rc)); + else + puts(""); + + name_off += len[i]; + } +error: + free(len); +error_len: free(name); +error_name: free(info); - free(len); return rc; } #undef MAX_LEN diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index f88cf3bc73..f486cb3021 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -1163,7 +1163,6 @@ static int livepatch_list(struct xen_sysctl_livepatch_list *list) if ( list->nr && (!guest_handle_okay(list->status, list->nr) || - !guest_handle_okay(list->name, XEN_LIVEPATCH_NAME_SIZE * list->nr) || !guest_handle_okay(list->len, list->nr)) ) return -EINVAL; 
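Review bot: removing the guest_handle_okay(list->name, XEN_LIVEPATCH_NAME_SIZE * list->nr) line in livepatch_list() takes away the only bound that tied the extent of the name buffer to something the caller passed in, and the following hunks do not put one back: list->name_total_size is reset to 0 on entry and only ever written, and the per-entry guest_handle_subrange_okay() validates the address range, not the size of the caller's buffer. If the payload list changes between the size query and this call, the names of 'nr' payloads can add up to more than the toolstack allocated and the copy runs past the end of its buffer. Treat name_total_size as IN/OUT: read the caller's capacity before clearing it, and stop with an error once name_offset + name_len would exceed it.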
@@ -1174,23 +1173,35 @@ static int livepatch_list(struct xen_sysctl_livepatch_list *list) return -EINVAL; } + list->name_total_size = 0; if ( list->nr ) { + uint64_t name_offset = 0; + list_for_each_entry( data, &payload_list, list ) { - uint32_t len; + uint32_t name_len; if ( list->idx > i++ ) continue; status.state = data->state; status.rc = data->rc; - len = strlen(data->name) + 1; + + name_len = strlen(data->name) + 1; + list->name_total_size += name_len; + + if ( !guest_handle_subrange_okay(list->name, name_offset, + name_offset + name_len - 1) ) + { + rc = -EINVAL; + break; + } /* N.B. 'idx' != 'i'. */ - if ( __copy_to_guest_offset(list->name, idx * XEN_LIVEPATCH_NAME_SIZE, - data->name, len) || - __copy_to_guest_offset(list->len, idx, &len, 1) || + if ( __copy_to_guest_offset(list->name, name_offset, + data->name, name_len) || + __copy_to_guest_offset(list->len, idx, &name_len, 1) || __copy_to_guest_offset(list->status, idx, &status, 1) ) { rc = -EFAULT; @@ -1198,11 +1209,19 @@ static int livepatch_list(struct xen_sysctl_livepatch_list *list) } idx++; + name_offset += name_len; if ( (idx >= list->nr) || hypercall_preempt_check() ) break; } } + else + { + list_for_each_entry( data, &payload_list, list ) + { + list->name_total_size += strlen(data->name) + 1; + } + } list->nr = payload_cnt - i; /* Remaining amount. */ list->version = payload_version; spin_unlock(&payload_lock); diff --git a/xen/include/public/sysctl.h b/xen/include/public/sysctl.h index e18322350d..19aa01fbc7 100644 --- a/xen/include/public/sysctl.h +++ b/xen/include/public/sysctl.h 
@@ -926,10 +926,11 @@ struct xen_sysctl_livepatch_get { * * If the hypercall returns an positive number, it is the number (up to `nr`) * of the payloads returned, along with `nr` updated with the number of remaining - * payloads, `version` updated (it may be the same across hypercalls. If it - * varies the data is stale and further calls could fail). The `status`, - * `name`, and `len`' are updated at their designed index value (`idx`) with - * the returned value of data. + * payloads, `version` updated (it may be the same across hypercalls. If it varies + * the data is stale and further calls could fail) and the name_total_size + * containing total size of transfered data for the array. + * The `status`, `name`, `len` are updated at their designed index value (`idx`) + * with the returned value of data. * * If the hypercall returns E2BIG the `nr` is too big and should be * lowered. The upper limit of `nr` is left to the implemention. 
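Review bot: the added text describes name_total_size only as the "total size of transfered data", while the commit message gives the field a second meaning when nr is 0, namely the total size of all payloads' names. Both modes should be spelled out here, since this comment is the interface contract that callers size their buffers from. "transfered" should read "transferred".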
@@ -952,11 +953,13 @@ struct xen_sysctl_livepatch_list { amount of payloads and version. OUT: How many payloads left. */ uint32_t pad; /* IN: Must be zero. */ + uint64_t name_total_size; /* OUT: Total size of all transfer names */ XEN_GUEST_HANDLE_64(xen_livepatch_status_t) status; /* OUT. Must have enough space allocate for nr of them. */ XEN_GUEST_HANDLE_64(char) name; /* OUT: Array of names. Each member - MUST XEN_LIVEPATCH_NAME_SIZE in size. - Must have nr of them. */ + may have an arbitrary length up to + XEN_LIVEPATCH_NAME_SIZE bytes. Must have + nr of them. */ XEN_GUEST_HANDLE_64(uint32) len; /* OUT: Array of lengths of name's. Must have nr of them. */ };

From patchwork Wed Aug 21 08:19:30 2019
X-Patchwork-Submitter: "Wieczorkiewicz, Pawel"
X-Patchwork-Id: 11106011

From: Pawel Wieczorkiewicz
Date: Wed, 21 Aug 2019 08:19:30 +0000
Message-ID: <20190821081931.90887-14-wipawel@amazon.de>
In-Reply-To: <20190821081931.90887-1-wipawel@amazon.de>
References: <20190821081931.90887-1-wipawel@amazon.de>
Subject: [Xen-devel] [PATCH 13/14] livepatch: Add metadata runtime retrieval mechanism
Cc: wipawel@amazon.com, Stefano Stabellini, Wei Liu, Konrad Rzeszutek Wilk, George Dunlap, Andrew Cooper, Ross Lagerwall, Ian Jackson, mpohlack@amazon.com, Tim Deegan, Pawel Wieczorkiewicz, Julien Grall, Jan Beulich

Extend the livepatch list operation to fetch also payloads' metadata. This is achieved by extending the sysctl list interface with 2 extra guest handles:
* metadata - an array of arbitrary size strings
* metadata_len - an array of metadata strings' lengths (uint32_t each)

Payloads' metadata is a string of arbitrary size and does not have an upper bound limit. It may also vary in size between payloads.

In order to let the userland allocate enough space for the incoming data add a metadata total size field to the list sysctl operation and fill it with total size of all payloads' metadata.

Extend the libxc to handle the metadata back-to-back data transfers as well as metadata length array data transfers.

The xen-livepatch userland tool is extended to always display the metadata for each received module. The metadata is received with the following format: key=value\0key=value\0...key=value\0. The format is modified to the following one: key=value;key=value;...key=value. The new format allows to easily parse the metadata for a given module by a machine.

Signed-off-by: Pawel Wieczorkiewicz
Reviewed-by: Andra-Irina Paraschiv
Reviewed-by: Martin Pohlack
Reviewed-by: Norbert Manthey
---
tools/libxc/include/xenctrl.h | 22 +++++++++++---
tools/libxc/xc_misc.c | 66 +++++++++++++++++++++++++++++++++++--------
tools/misc/xen-livepatch.c | 43 ++++++++++++++++++++++------
xen/common/livepatch.c | 22 +++++++++++----
xen/include/public/sysctl.h | 19 +++++++++----
5 files changed, 134 insertions(+), 38 deletions(-)

diff --git a/tools/libxc/include/xenctrl.h b/tools/libxc/include/xenctrl.h index e0ebb586b6..7a3762f44e 100644 --- a/tools/libxc/include/xenctrl.h +++ b/tools/libxc/include/xenctrl.h @@ -2561,7 +2561,7 @@ int xc_livepatch_get(xc_interface *xch, /* * Get a number of available payloads and get actual total size of - * the payloads' name array. + * the payloads' name and metadata arrays. * * This functions is typically executed first before the xc_livepatch_list() * to obtain the sizes and correctly allocate all necessary data resources. @@ -2572,13 +2572,16 @@ int xc_livepatch_get(xc_interface *xch, * will contain the hypercall error code value. */ int xc_livepatch_list_get_sizes(xc_interface *xch, unsigned int *nr, - uint64_t *name_total_size); + uint64_t *name_total_size, + uint64_t *metadata_total_size); /* * The heart of this function is to get an array of the following objects: * - xen_livepatch_status_t: states and return codes of payloads * - name: names of payloads * - len: lengths of corresponding payloads' names + * - metadata: payloads' metadata + * - metadata_len: lengths of corresponding payloads' metadata * * However it is complex because it has to deal with the hypervisor * returning some of the requested data or data being stale
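Review bot: the added list items for 'metadata' and 'metadata_len' do not say that a single metadata entry is itself a run of NUL-separated key=value strings, which the commit message gives as the format in which the data is received. A caller that treats an entry as a C string will stop at the first key, so the comment should state the format and that metadata_len[i], not strlen(), delimits entry i.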
@@ -2591,12 +2594,13 @@ int xc_livepatch_list_get_sizes(xc_interface *xch, unsigned int *nr, * * It is expected that the caller of this function will first issue the * xc_livepatch_list_get_sizes() in order to obtain total sizes of names - * as well as the current number of payload entries. - * The total sizes are required and supplied via the 'name_total_size' - * parameter. + * and all metadata as well as the current number of payload entries. + * The total sizes are required and supplied via the 'name_total_size' and + * 'metadata_total_size' parameters. * * The 'max' is to be provided by the caller with the maximum number of - * entries that 'info', 'name', 'len' arrays can be filled up with. + * entries that 'info', 'name', 'len', 'metadata' and 'metadata_len' arrays + * can be filled up with. * * Each entry in the 'info' array is expected to be of xen_livepatch_status_t * structure size. @@ -2605,6 +2609,10 @@ int xc_livepatch_list_get_sizes(xc_interface *xch, unsigned int *nr, * * Each entry in the 'len' array is expected to be of uint32_t size. * + * Each entry in the 'metadata' array may have an arbitrary size. + * + * Each entry in the 'metadata_len' array is expected to be of uint32_t size. + * * The return value is zero if the hypercall completed successfully. * Note that the return value is _not_ the amount of entries filled * out - that is saved in 'done'. @@ -2619,6 +2627,8 @@ int xc_livepatch_list(xc_interface *xch, const unsigned int max, struct xen_livepatch_status *info, char *name, uint32_t *len, const uint64_t name_total_size, + char *metadata, uint32_t *metadata_len, + const uint64_t metadata_total_size, unsigned int *done, unsigned int *left); /* diff --git a/tools/libxc/xc_misc.c b/tools/libxc/xc_misc.c index d787f3f29f..618113011d 100644 --- a/tools/libxc/xc_misc.c +++ b/tools/libxc/xc_misc.c 
@@ -663,7 +663,7 @@ int xc_livepatch_get(xc_interface *xch, /* * Get a number of available payloads and get actual total size of - * the payloads' name array. + * the payloads' name and metadata arrays. * * This functions is typically executed first before the xc_livepatch_list() * to obtain the sizes and correctly allocate all necessary data resources. @@ -674,12 +674,13 @@ int xc_livepatch_get(xc_interface *xch, * will contain the hypercall error code value. */ int xc_livepatch_list_get_sizes(xc_interface *xch, unsigned int *nr, - uint64_t *name_total_size) + uint64_t *name_total_size, + uint64_t *metadata_total_size) { DECLARE_SYSCTL; int rc; - if ( !nr || !name_total_size ) + if ( !nr || !name_total_size || !metadata_total_size ) { errno = EINVAL; return -1; @@ -695,6 +696,7 @@ int xc_livepatch_list_get_sizes(xc_interface *xch, unsigned int *nr, *nr = sysctl.u.livepatch.u.list.nr; *name_total_size = sysctl.u.livepatch.u.list.name_total_size; + *metadata_total_size = sysctl.u.livepatch.u.list.metadata_total_size; return 0; } @@ -704,6 +706,8 @@ int xc_livepatch_list_get_sizes(xc_interface *xch, unsigned int *nr, * - xen_livepatch_status_t: states and return codes of payloads * - name: names of payloads * - len: lengths of corresponding payloads' names + * - metadata: payloads' metadata + * - metadata_len: lengths of corresponding payloads' metadata * * However it is complex because it has to deal with the hypervisor * returning some of the requested data or data being stale 
@@ -716,12 +720,13 @@ int xc_livepatch_list_get_sizes(xc_interface *xch, unsigned int *nr, * * It is expected that the caller of this function will first issue the * xc_livepatch_list_get_sizes() in order to obtain total sizes of names - * as well as the current number of payload entries. - * The total sizes are required and supplied via the 'name_total_size' - * parameter. + * and all metadata as well as the current number of payload entries. + * The total sizes are required and supplied via the 'name_total_size' and + * 'metadata_total_size' parameters. * * The 'max' is to be provided by the caller with the maximum number of - * entries that 'info', 'name', 'len' arrays can be filled up with. + * entries that 'info', 'name', 'len', 'metadata' and 'metadata_len' arrays + * can be filled up with. * * Each entry in the 'info' array is expected to be of xen_livepatch_status_t * structure size. @@ -730,6 +735,10 @@ int xc_livepatch_list_get_sizes(xc_interface *xch, unsigned int *nr, * * Each entry in the 'len' array is expected to be of uint32_t size. * + * Each entry in the 'metadata' array may have an arbitrary size. + * + * Each entry in the 'metadata_len' array is expected to be of uint32_t size. + * * The return value is zero if the hypercall completed successfully. * Note that the return value is _not_ the amount of entries filled * out - that is saved in 'done'. @@ -744,6 +753,8 @@ int xc_livepatch_list(xc_interface *xch, const unsigned int max, struct xen_livepatch_status *info, char *name, uint32_t *len, const uint64_t name_total_size, + char *metadata, uint32_t *metadata_len, + const uint64_t metadata_total_size, unsigned int *done, unsigned int *left) { int rc; 
@@ -752,19 +763,22 @@ int xc_livepatch_list(xc_interface *xch, const unsigned int max, DECLARE_HYPERCALL_BOUNCE(info, 0, XC_HYPERCALL_BUFFER_BOUNCE_OUT); DECLARE_HYPERCALL_BOUNCE(name, 0, XC_HYPERCALL_BUFFER_BOUNCE_OUT); DECLARE_HYPERCALL_BOUNCE(len, 0, XC_HYPERCALL_BUFFER_BOUNCE_OUT); + DECLARE_HYPERCALL_BOUNCE(metadata, 0, XC_HYPERCALL_BUFFER_BOUNCE_OUT); + DECLARE_HYPERCALL_BOUNCE(metadata_len, 0, XC_HYPERCALL_BUFFER_BOUNCE_OUT); uint32_t max_batch_sz, nr; uint32_t version = 0, retries = 0; uint32_t adjust = 0; - off_t name_off = 0; - uint64_t name_sz; + off_t name_off = 0, metadata_off = 0; + uint64_t name_sz, metadata_sz; - if ( !max || !info || !name || !len || !done || !left ) + if ( !max || !info || !name || !len || + !metadata || !metadata_len || !done || !left ) { errno = EINVAL; return -1; } - if ( name_total_size == 0 ) + if ( name_total_size == 0 || metadata_total_size == 0 ) { errno = ENOENT; return -1; @@ -777,10 +791,11 @@ int xc_livepatch_list(xc_interface *xch, const unsigned int max, max_batch_sz = max; name_sz = name_total_size; + metadata_sz = metadata_total_size; *done = 0; *left = 0; do { - uint64_t _name_sz; + uint64_t _name_sz, _metadata_sz; /* * The first time we go in this loop our 'max' may be bigger 
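Review bot: "metadata_sz = metadata_total_size;" is only reached if the earlier test "name_total_size == 0 || metadata_total_size == 0" passes, so xc_livepatch_list() now fails with ENOENT whenever the metadata total is zero, even though payloads exist and their names could be listed. Unless every payload is guaranteed to carry non-empty metadata, the metadata_total_size == 0 case should be allowed and the metadata bounce skipped. It would also be worth checking _metadata_sz against metadata_sz before metadata_off is advanced.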
@@ -803,10 +818,14 @@ int xc_livepatch_list(xc_interface *xch, const unsigned int max, HYPERCALL_BOUNCE_SET_SIZE(info, nr * sizeof(*info)); HYPERCALL_BOUNCE_SET_SIZE(name, name_sz); HYPERCALL_BOUNCE_SET_SIZE(len, nr * sizeof(*len)); + HYPERCALL_BOUNCE_SET_SIZE(metadata, metadata_sz); + HYPERCALL_BOUNCE_SET_SIZE(metadata_len, nr * sizeof(*metadata_len)); /* Move the pointer to proper offset into 'info'. */ (HYPERCALL_BUFFER(info))->ubuf = info + *done; (HYPERCALL_BUFFER(name))->ubuf = name + name_off; (HYPERCALL_BUFFER(len))->ubuf = len + *done; + (HYPERCALL_BUFFER(metadata))->ubuf = metadata + metadata_off; + (HYPERCALL_BUFFER(metadata_len))->ubuf = metadata_len + *done; /* Allocate memory. */ rc = xc_hypercall_bounce_pre(xch, info); if ( rc ) @@ -820,9 +839,19 @@ int xc_livepatch_list(xc_interface *xch, const unsigned int max, if ( rc ) break; + rc = xc_hypercall_bounce_pre(xch, metadata); + if ( rc ) + break; + + rc = xc_hypercall_bounce_pre(xch, metadata_len); + if ( rc ) + break; + set_xen_guest_handle(sysctl.u.livepatch.u.list.status, info); set_xen_guest_handle(sysctl.u.livepatch.u.list.name, name); set_xen_guest_handle(sysctl.u.livepatch.u.list.len, len); + set_xen_guest_handle(sysctl.u.livepatch.u.list.metadata, metadata); + set_xen_guest_handle(sysctl.u.livepatch.u.list.metadata_len, metadata_len); rc = do_sysctl(xch, &sysctl); /* @@ -839,6 +868,8 @@ int xc_livepatch_list(xc_interface *xch, const unsigned int max, xc_hypercall_bounce_post(xch, info); xc_hypercall_bounce_post(xch, name); xc_hypercall_bounce_post(xch, len); + xc_hypercall_bounce_post(xch, metadata); + xc_hypercall_bounce_post(xch, metadata_len); continue; } else if ( rc < 0 ) /* For all other errors we bail out. */ 
@@ -863,6 +894,8 @@ int xc_livepatch_list(xc_interface *xch, const unsigned int max, xc_hypercall_bounce_post(xch, info); xc_hypercall_bounce_post(xch, name); xc_hypercall_bounce_post(xch, len); + xc_hypercall_bounce_post(xch, metadata); + xc_hypercall_bounce_post(xch, metadata_len); continue; } @@ -875,17 +908,24 @@ int xc_livepatch_list(xc_interface *xch, const unsigned int max, } *left = sysctl.u.livepatch.u.list.nr; /* Total remaining count. */ _name_sz = sysctl.u.livepatch.u.list.name_total_size; /* Total received name size. */ + _metadata_sz = sysctl.u.livepatch.u.list.metadata_total_size; /* Total received metadata size. */ /* Copy only up 'rc' of data' - we could add 'min(rc,nr) if desired. */ HYPERCALL_BOUNCE_SET_SIZE(info, (rc * sizeof(*info))); HYPERCALL_BOUNCE_SET_SIZE(name, _name_sz); HYPERCALL_BOUNCE_SET_SIZE(len, (rc * sizeof(*len))); + HYPERCALL_BOUNCE_SET_SIZE(metadata, _metadata_sz); + HYPERCALL_BOUNCE_SET_SIZE(metadata_len, (rc * sizeof(*metadata_len))); /* Bounce the data and free the bounce buffer. */ xc_hypercall_bounce_post(xch, info); xc_hypercall_bounce_post(xch, name); xc_hypercall_bounce_post(xch, len); + xc_hypercall_bounce_post(xch, metadata); + xc_hypercall_bounce_post(xch, metadata_len); name_sz -= _name_sz; name_off += _name_sz; + metadata_sz -= _metadata_sz; + metadata_off += _metadata_sz; /* And update how many elements of info we have copied into. */ *done += rc; @@ -898,6 +938,8 @@ int xc_livepatch_list(xc_interface *xch, const unsigned int max, xc_hypercall_bounce_post(xch, len); xc_hypercall_bounce_post(xch, name); xc_hypercall_bounce_post(xch, info); + xc_hypercall_bounce_post(xch, metadata); + xc_hypercall_bounce_post(xch, metadata_len); } return rc > 0 ? 0 : rc; diff --git a/tools/misc/xen-livepatch.c b/tools/misc/xen-livepatch.c index 8ac3d567fc..61d4950001 100644 --- a/tools/misc/xen-livepatch.c +++ b/tools/misc/xen-livepatch.c 
@@ -69,9 +69,11 @@ static int list_func(int argc, char *argv[]) unsigned int nr, done, left, i; xen_livepatch_status_t *info = NULL; char *name = NULL; + char *metadata = NULL; uint32_t *len = NULL; - uint64_t name_total_size; - off_t name_off; + uint32_t *metadata_len = NULL; + uint64_t name_total_size, metadata_total_size; + off_t name_off, metadata_off; int rc = ENOMEM; if ( argc ) @@ -81,7 +83,7 @@ static int list_func(int argc, char *argv[]) } done = left = 0; - rc = xc_livepatch_list_get_sizes(xch, &nr, &name_total_size); + rc = xc_livepatch_list_get_sizes(xch, &nr, &name_total_size, &metadata_total_size); if ( rc ) { rc = errno; @@ -109,12 +111,23 @@ static int list_func(int argc, char *argv[]) if ( !len ) goto error_len; + metadata = malloc(metadata_total_size * sizeof(*metadata)); + if ( !metadata ) + goto error_metadata; + + metadata_len = malloc(nr * sizeof(*metadata_len)); + if ( !metadata_len ) + goto error_metadata_len; + memset(info, 'A', nr * sizeof(*info)); memset(name, 'B', name_total_size * sizeof(*name)); memset(len, 'C', nr * sizeof(*len)); - name_off = 0; + memset(metadata, 'D', metadata_total_size * sizeof(*metadata)); + memset(metadata_len, 'E', nr * sizeof(*metadata_len)); + name_off = metadata_off = 0; - rc = xc_livepatch_list(xch, nr, 0, info, name, len, name_total_size, &done, &left); + rc = xc_livepatch_list(xch, nr, 0, info, name, len, name_total_size, + metadata, metadata_len, metadata_total_size, &done, &left); if ( rc || done != nr || left > 0) { rc = errno; 
@@ -124,23 +137,35 @@ static int list_func(int argc, char *argv[]) goto error; } - fprintf(stdout," ID | status\n" - "----------------------------------------+------------\n"); + fprintf(stdout," ID | status | metadata\n" + "----------------------------------------+------------+---------------\n"); for ( i = 0; i < done; i++ ) { + unsigned int j; char *name_str = name + name_off; + char *metadata_str = metadata + metadata_off; printf("%-40.*s| %s", len[i], name_str, state2str(info[i].state)); if ( info[i].rc ) - printf(" (%d, %s)\n", -info[i].rc, strerror(-info[i].rc)); + printf(" (%d, %s) | ", -info[i].rc, strerror(-info[i].rc)); else - puts(""); + printf(" | "); + + /* Replace all '\0' with semi-colons. */ + for ( j = 0; j < metadata_len[i] - 1; j++ ) + metadata_str[j] = (metadata_str[j] ?: ';'); + printf("%.*s\n", metadata_len[i], metadata_str); name_off += len[i]; + metadata_off += metadata_len[i]; } error: + free(metadata_len); +error_metadata_len: + free(metadata); +error_metadata: free(len); error_len: free(name); diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index f486cb3021..49a76f1029 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -1163,7 +1163,8 @@ static int livepatch_list(struct xen_sysctl_livepatch_list *list) if ( list->nr && (!guest_handle_okay(list->status, list->nr) || - !guest_handle_okay(list->len, list->nr)) ) + !guest_handle_okay(list->len, list->nr) || + !guest_handle_okay(list->metadata_len, list->nr)) ) return -EINVAL; spin_lock(&payload_lock); @@ -1174,13 +1175,14 @@ static int livepatch_list(struct xen_sysctl_livepatch_list *list) } list->name_total_size = 0; + list->metadata_total_size = 0; if ( list->nr ) { - uint64_t name_offset = 0; + uint64_t name_offset = 0, metadata_offset = 0; list_for_each_entry( data, &payload_list, list ) { - uint32_t name_len; + uint32_t name_len, metadata_len; if ( list->idx > i++ ) continue; 
@@ -1191,8 +1193,13 @@ static int livepatch_list(struct xen_sysctl_livepatch_list *list) name_len = strlen(data->name) + 1; list->name_total_size += name_len; + metadata_len = data->metadata.len; + list->metadata_total_size += metadata_len; + if ( !guest_handle_subrange_okay(list->name, name_offset, - name_offset + name_len - 1) ) + name_offset + name_len - 1) || + !guest_handle_subrange_okay(list->metadata, metadata_offset, + metadata_offset + metadata_len - 1) ) { rc = -EINVAL; break; @@ -1202,7 +1209,10 @@ static int livepatch_list(struct xen_sysctl_livepatch_list *list) if ( __copy_to_guest_offset(list->name, name_offset, data->name, name_len) || __copy_to_guest_offset(list->len, idx, &name_len, 1) || - __copy_to_guest_offset(list->status, idx, &status, 1) ) + __copy_to_guest_offset(list->status, idx, &status, 1) || + __copy_to_guest_offset(list->metadata, metadata_offset, + data->metadata.data, metadata_len) || + __copy_to_guest_offset(list->metadata_len, idx, &metadata_len, 1) ) { rc = -EFAULT; break; @@ -1210,6 +1220,7 @@ static int livepatch_list(struct xen_sysctl_livepatch_list *list) idx++; name_offset += name_len; + metadata_offset += metadata_len; if ( (idx >= list->nr) || hypercall_preempt_check() ) break; @@ -1220,6 +1231,7 @@ static int livepatch_list(struct xen_sysctl_livepatch_list *list) list_for_each_entry( data, &payload_list, list ) { list->name_total_size += strlen(data->name) + 1; + list->metadata_total_size += data->metadata.len; } } list->nr = payload_cnt - i; /* Remaining amount. */ diff --git a/xen/include/public/sysctl.h b/xen/include/public/sysctl.h index 19aa01fbc7..3cf8216d6e 100644 --- a/xen/include/public/sysctl.h +++ b/xen/include/public/sysctl.h 
@@ -921,16 +921,17 @@ struct xen_sysctl_livepatch_get { }; /* - * Retrieve an array of abbreviated status and names of payloads that are - * loaded in the hypervisor. + * Retrieve an array of abbreviated status, names and metadata of payloads that + * are loaded in the hypervisor. * * If the hypercall returns an positive number, it is the number (up to `nr`) * of the payloads returned, along with `nr` updated with the number of remaining * payloads, `version` updated (it may be the same across hypercalls. If it varies - * the data is stale and further calls could fail) and the name_total_size - * containing total size of transfered data for the array. - * The `status`, `name`, `len` are updated at their designed index value (`idx`) - * with the returned value of data. + * the data is stale and further calls could fail), `name_total_size` and + * `metadata_total_size` containing total sizes of transfered data for both the + * arrays. + * The `status`, `name`, `len`, `metadata` and `metadata_len` are updated at their + * designed index value (`idx`) with the returned value of data. * * If the hypercall returns E2BIG the `nr` is too big and should be * lowered. The upper limit of `nr` is left to the implemention. @@ -954,6 +955,7 @@ struct xen_sysctl_livepatch_list { OUT: How many payloads left. */ uint32_t pad; /* IN: Must be zero. */ uint64_t name_total_size; /* OUT: Total size of all transfer names */ + uint64_t metadata_total_size; /* OUT: Total size of all transfer metadata */ XEN_GUEST_HANDLE_64(xen_livepatch_status_t) status; /* OUT. Must have enough space allocate for nr of them. */ XEN_GUEST_HANDLE_64(char) name; /* OUT: Array of names. Each member 
@@ -962,6 +964,11 @@ struct xen_sysctl_livepatch_list { nr of them. */ XEN_GUEST_HANDLE_64(uint32) len; /* OUT: Array of lengths of name's. Must have nr of them. */ + XEN_GUEST_HANDLE_64(char) metadata; /* OUT: Array of metadata strings. Each + member may have an arbitrary length. + Must have nr of them. */ + XEN_GUEST_HANDLE_64(uint32) metadata_len; /* OUT: Array of lengths of metadata's. + Must have nr of them. */ }; /*
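Review bot: In xc_livepatch_list() (tools/libxc), the extended check `if ( name_total_size == 0 || metadata_total_size == 0 )` returns ENOENT whenever none of the loaded payloads carries metadata, so listing fails even though names and statuses are available. Unless every payload is guaranteed to have non-empty metadata, accept a zero metadata_total_size (and skip sizing and bouncing the metadata buffer in that case); if the guarantee does exist, say so in the function comment, which currently only states that an entry "may have an arbitrary size".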
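Review bot: In list_func() (tools/misc/xen-livepatch.c), the loop bound in `for ( j = 0; j < metadata_len[i] - 1; j++ )` wraps when metadata_len[i] is 0: both operands are unsigned, so the bound becomes UINT32_MAX and the loop reads and rewrites bytes far past the metadata allocation. Write the bound as `j + 1 < metadata_len[i]`, and check that metadata_off + metadata_len[i] stays within metadata_total_size before forming metadata_str, since the per-entry lengths come back from the hypercall and are used unchecked as offsets into a buffer sized from an earlier call.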
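Review bot: In livepatch_list() (xen/common/livepatch.c), the new `guest_handle_subrange_okay(list->metadata, metadata_offset, metadata_offset + metadata_len - 1)` computes a last index below the first when data->metadata.len is 0, and for the first payload it wraps to the maximum value. Skip the metadata range check and the metadata copy when metadata_len is 0 (still writing the zero into list->metadata_len), or enforce at payload load time that metadata is never empty and note that invariant here.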
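Review bot: In struct xen_sysctl_livepatch_list (xen/include/public/sysctl.h), `uint64_t metadata_total_size` is inserted between name_total_size and the status handle, which shifts every following field, so tools built against the previous header will misread the structure; none of the visible hunks bumps XEN_SYSCTL_INTERFACE_VERSION, so please confirm that the series does. The comment on the new `metadata` handle says "Must have nr of them", but the buffer has to hold metadata_total_size bytes; it should also describe the layout the tools depend on, since xen-livepatch treats each entry as NUL-separated strings.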
From: Pawel Wieczorkiewicz
Date: Wed, 21 Aug 2019 08:19:31 +0000
Message-ID: <20190821081931.90887-15-wipawel@amazon.de>
In-Reply-To: <20190821081931.90887-1-wipawel@amazon.de>
References: <20190821081931.90887-1-wipawel@amazon.de>
Subject: [Xen-devel] [PATCH 14/14] livepatch: Add python bindings for livepatch operations
Cc: wipawel@amazon.com, Wei Liu, Ian Jackson, mpohlack@amazon.com, Marek Marczykowski-Górecki, Pawel Wieczorkiewicz

Extend the XC python bindings library to support also all common
livepatch operations and actions.

Add the python bindings for the following operations:
- status (pyxc_livepatch_status):
  Requires a payload name as an input.
  Returns a status dict containing a state string and a return code
  integer.
- action (pyxc_livepatch_action):
  Requires a payload name and an action id as an input. Timeout and
  flags are optional parameters.
  Returns a return code integer.
- upload (pyxc_livepatch_upload):
  Requires a payload name and a module's filename as an input.
  Returns a return code integer.
- list (pyxc_livepatch_list):
  Takes no parameters.
  Returns a list of dicts containing each payload's:
  * name as a string
  * state as a string
  * return code as an integer
  * list of metadata key=value strings

Each function throws an exception error based on the errno value
received from its corresponding libxc function call.

Signed-off-by: Pawel Wieczorkiewicz
Reviewed-by: Martin Mazein
Reviewed-by: Andra-Irina Paraschiv
Reviewed-by: Leonard Foerster
Reviewed-by: Norbert Manthey
---
 tools/python/xen/lowlevel/xc/xc.c | 273 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 273 insertions(+)
diff --git a/tools/python/xen/lowlevel/xc/xc.c b/tools/python/xen/lowlevel/xc/xc.c index 7f0358ba9c..368739b996 100644 --- a/tools/python/xen/lowlevel/xc/xc.c +++ b/tools/python/xen/lowlevel/xc/xc.c 
@@ -2011,6 +2011,230 @@ static PyObject *pyflask_access(PyObject *self, PyObject *args, return Py_BuildValue("i",ret); } +static PyObject *pyxc_livepatch_status(XcObject *self, + PyObject *args, + PyObject *kwds) +{ + xen_livepatch_status_t status; + PyObject *info_dict = NULL; + char *name; + int rc; + + static char *kwd_list[] = { "name", NULL }; + + if ( !PyArg_ParseTupleAndKeywords(args, kwds, "s", kwd_list, &name) ) + goto error; + + rc = xc_livepatch_get(self->xc_handle, name, &status); + if ( rc ) + goto error; + + info_dict = Py_BuildValue( + "{s:i,s:i}", + "state", status.state, + "rc", status.rc); + +error: + return info_dict ?: pyxc_error_to_exception(self->xc_handle); +} + +static PyObject *pyxc_livepatch_action(XcObject *self, + PyObject *args, + PyObject *kwds) +{ + int (*action_func)(xc_interface *xch, char *name, uint32_t timeout, uint64_t flags); + char *name; + unsigned int action; + uint32_t timeout; + uint64_t flags; + int rc; + + static char *kwd_list[] = { "name", "action", "timeout", "flags", NULL }; + + if ( !PyArg_ParseTupleAndKeywords(args, kwds, "sI|Ik", kwd_list, + &name, &action, &timeout, &flags) ) + goto error; + + switch (action) + { + case LIVEPATCH_ACTION_UNLOAD: + action_func = xc_livepatch_unload; + break; + case LIVEPATCH_ACTION_REVERT: + action_func = xc_livepatch_revert; + break; + case LIVEPATCH_ACTION_APPLY: + action_func = xc_livepatch_apply; + break; + case LIVEPATCH_ACTION_REPLACE: + action_func = xc_livepatch_replace; + break; + default: + goto error; + } + + rc = action_func(self->xc_handle, name, timeout, flags); + if ( rc ) + goto error; + + return Py_BuildValue("i", rc); +error: + return pyxc_error_to_exception(self->xc_handle); +} + +static PyObject *pyxc_livepatch_upload(XcObject *self, + PyObject *args, + PyObject *kwds) +{ + unsigned char *fbuf = MAP_FAILED; + char *name, *filename; + struct stat buf; + int fd = 0, rc; + ssize_t len; + + static char *kwd_list[] = { "name", "filename", NULL }; + + if ( 
!PyArg_ParseTupleAndKeywords(args, kwds, "ss", kwd_list, + &name, &filename)) + goto error; + + fd = open(filename, O_RDONLY); + if ( fd < 0 ) + goto error; + + if ( stat(filename, &buf) != 0 ) + goto error; + + len = buf.st_size; + fbuf = mmap(0, len, PROT_READ, MAP_PRIVATE, fd, 0); + if ( fbuf == MAP_FAILED ) + goto error; + + rc = xc_livepatch_upload(self->xc_handle, name, fbuf, len); + if ( rc ) + goto error; + + if ( munmap(fbuf, len) ) + { + fbuf = MAP_FAILED; + goto error; + } + close(fd); + + return Py_BuildValue("i", rc);; +error: + if ( fbuf != MAP_FAILED ) + munmap(fbuf, len); + if ( fd >= 0 ) + close(fd); + return pyxc_error_to_exception(self->xc_handle); +} + +static PyObject *pyxc_livepatch_list(XcObject *self) +{ + PyObject *list; + unsigned int nr, done, left, i; + xen_livepatch_status_t *info = NULL; + char *name = NULL; + char *metadata = NULL; + uint32_t *len = NULL; + uint32_t *metadata_len = NULL; + uint64_t name_total_size, metadata_total_size; + off_t name_off, metadata_off; + int rc; + + rc = xc_livepatch_list_get_sizes(self->xc_handle, &nr, + &name_total_size, &metadata_total_size); + if ( rc ) + goto error; + + if ( nr == 0 ) + return PyList_New(0); + + rc = ENOMEM; + info = malloc(nr * sizeof(*info)); + if ( !info ) + goto error; + + name = malloc(name_total_size * sizeof(*name)); + if ( !name ) + goto error; + + len = malloc(nr * sizeof(*len)); + if ( !len ) + goto error; + + metadata = malloc(metadata_total_size * sizeof(*metadata)); + if ( !metadata ) + goto error; + + metadata_len = malloc(nr * sizeof(*metadata_len)); + if ( !metadata_len ) + goto error; + + rc = xc_livepatch_list(self->xc_handle, nr, 0, info, + name, len, name_total_size, + metadata, metadata_len, metadata_total_size, + &done, &left); + if ( rc ) + goto error; + + list = PyList_New(0); + name_off = metadata_off = 0; + for ( i = 0; i < done; i++ ) + { + PyObject *info_dict, *metadata_list; + char *name_str, *metadata_str; + + name_str = name + name_off; + metadata_str 
= metadata + metadata_off; + + metadata_list = PyList_New(0); + for ( char *s = metadata_str; s < metadata_str + metadata_len[i]; s += strlen(s) + 1 ) + { + PyObject *field = Py_BuildValue("s", s); + if ( field == NULL ) + { + Py_DECREF(list); + Py_DECREF(metadata_list); + rc = EFAULT; + goto error; + } + + PyList_Append(metadata_list, field); + Py_DECREF(field); + } + + info_dict = Py_BuildValue( + "{s:s,s:i,s:i,s:N}", + "name", name_str, + "state", info[i].state, + "rc", info[i].rc, + "metadata", metadata_list); + + if ( info_dict == NULL ) + { + Py_DECREF(list); + Py_DECREF(metadata_list); + rc = EFAULT; + goto error; + } + PyList_Append(list, info_dict); + Py_DECREF(info_dict); + + name_off += len[i]; + metadata_off += metadata_len[i]; + } + +error: + free(info); + free(name); + free(len); + free(metadata); + free(metadata_len); + return rc ? pyxc_error_to_exception(self->xc_handle) : list; +} + static PyMethodDef pyxc_methods[] = { { "domain_create", (PyCFunction)pyxc_domain_create, 
@@ -2587,6 +2811,44 @@ static PyMethodDef pyxc_methods[] = { "Returns: [int]: 0 on all permission granted; -1 if any permissions are \ denied\n" }, + { "livepatch_status", + (PyCFunction)pyxc_livepatch_status, + METH_KEYWORDS, "\n" + "Gets current state and return code for a specified module.\n" + " name [str]: Module name to be used\n" + "Returns: [dict] on success; throwing an exception on error\n" + " state [int]: Module current state: CHECKED or APPLIED\n" + " rc [int]: Return code of last module's operation\n" }, + + { "livepatch_upload", + (PyCFunction)pyxc_livepatch_upload, + METH_KEYWORDS, "\n" + "Uploads a module with specified name from filename.\n" + " name [str]: Module name to be used\n" + " filename [str]: Filename of a module to be uploaded\n" + "Returns: [int] 0 on success; throwing an exception on error\n" }, + + { "livepatch_action", + (PyCFunction)pyxc_livepatch_action, + METH_KEYWORDS, "\n" + "Performs an action (unload, revert, apply or replace) on a specified \ + module.\n" + " name [str]: Module name to be used\n" + " action [uint]: Action enum id\n" + " timeout [uint]: Action scheduled execution timeout\n" + " flags [ulong]: Flags specifying action's extra parameters\n" + "Returns: [int] 0 on success; throwing an exception on error\n" }, + + { "livepatch_list", + (PyCFunction)pyxc_livepatch_list, + METH_NOARGS, "\n" + "List all uploaded livepatch modules with their current state and metadata.\n" + "Returns: [list of dicts] on success; throwing an exception on error\n" + " name [str]: Module name\n" + " state [int]: Module current state: CHECKED or APPLIED\n" + " rc [int]: Return code of last module's operation\n" + " metadata [list]: List of module's metadata 'key=value' strings\n" }, + { NULL, NULL, 0, NULL } }; 
@@ -2698,6 +2960,17 @@ PyMODINIT_FUNC initxc(void) PyModule_AddIntConstant(m, "XEN_SCHEDULER_CREDIT", XEN_SCHEDULER_CREDIT); PyModule_AddIntConstant(m, "XEN_SCHEDULER_CREDIT2", XEN_SCHEDULER_CREDIT2); + /* Expose livepatch constants to Python */ + PyModule_AddIntConstant(m, "LIVEPATCH_ACTION_UNLOAD", LIVEPATCH_ACTION_UNLOAD); + PyModule_AddIntConstant(m, "LIVEPATCH_ACTION_REVERT", LIVEPATCH_ACTION_REVERT); + PyModule_AddIntConstant(m, "LIVEPATCH_ACTION_APPLY", LIVEPATCH_ACTION_APPLY); + PyModule_AddIntConstant(m, "LIVEPATCH_ACTION_REPLACE", LIVEPATCH_ACTION_REPLACE); + + PyModule_AddIntConstant(m, "LIVEPATCH_ACTION_APPLY_NODEPS", LIVEPATCH_ACTION_APPLY_NODEPS); + + PyModule_AddIntConstant(m, "LIVEPATCH_STATE_APPLIED", LIVEPATCH_STATE_APPLIED); + PyModule_AddIntConstant(m, "LIVEPATCH_STATE_CHECKED", LIVEPATCH_STATE_CHECKED); + #if PY_MAJOR_VERSION >= 3 return m; #endif
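Review bot: In pyxc_livepatch_action(), `timeout` and `flags` are declared without initializers but are optional in the format string "sI|Ik", so a call that omits them hands uninitialized stack values to the libxc action function; initialize both to 0. `flags` is a uint64_t parsed with "k" (unsigned long), which only matches on builds where unsigned long is 64 bits, so parse into an unsigned long long with "K" and assign. The `default:` case jumps to `error` without setting errno, so the exception reports whatever errno happened to hold; set EINVAL first. In pyxc_livepatch_upload(), `int fd = 0` together with `if ( fd >= 0 ) close(fd);` on the error path closes descriptor 0 when argument parsing fails; start from -1, and size the mapping with fstat(fd, &buf) instead of `stat(filename, &buf)` so the length belongs to the file that was actually opened. In pyxc_livepatch_list(), the walk `s += strlen(s) + 1` trusts the last metadata string to be NUL-terminated inside metadata_len[i]; bound it with strnlen against the remaining length, and check the result of `PyList_New(0)` as well as `done` and `left`, as the xen-livepatch tool does.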
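Review bot: In the pyxc_methods[] entries for livepatch_status, livepatch_upload and livepatch_action, the flag is `METH_KEYWORDS` on its own, which Python 3 rejects for a function taking (self, args, kwds); this file builds for Python 3 as well (see the `#if PY_MAJOR_VERSION >= 3` in initxc), so use `METH_VARARGS | METH_KEYWORDS`. The docstrings give `state [int]` while the commit message promises a state string, so please align one with the other, and note in the livepatch_action docstring that timeout and flags are optional and what they default to.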
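Review bot: In initxc(), `LIVEPATCH_ACTION_APPLY_NODEPS` is exported next to the four action ids, but the switch in pyxc_livepatch_action() accepts only UNLOAD, REVERT, APPLY and REPLACE, so this constant is only meaningful as a `flags` value. Say that in the comment here (for example, split "Expose livepatch constants" into action ids, action flags and states) and in the livepatch_action docstring, so that callers do not pass it as `action`.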