xref: /linux/scripts/livepatch/klp-build (revision a5210135489ae7bc1ef1cb4a8157361dd7b468cd) 
1#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0
3#
4# Build a livepatch module
5
6# shellcheck disable=SC1090,SC2155
7
8if (( BASH_VERSINFO[0]  < 4 || \
9     (BASH_VERSINFO[0] == 4 && BASH_VERSINFO[1] < 4) )); then
10		echo "error: this script requires bash 4.4+" >&2
11	exit 1
12fi
13
14set -o errexit
15set -o errtrace
16set -o pipefail
17set -o nounset
18
19# Allow doing 'cmd | mapfile -t array' instead of 'mapfile -t array < <(cmd)'.
20# This helps keep execution in pipes so pipefail+errexit can catch errors.
21shopt -s lastpipe
22
23unset DEBUG_CLONE DIFF_CHECKSUM SKIP_CLEANUP XTRACE
24
25REPLACE=1
26SHORT_CIRCUIT=0
27JOBS="$(getconf _NPROCESSORS_ONLN)"
28VERBOSE="-s"
29shopt -o xtrace | grep -q 'on' && XTRACE=1
30
31# Avoid removing the previous $TMP_DIR until args have been fully processed.
32KEEP_TMP=1
33
34SCRIPT="$(basename "$0")"
35SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
36FIX_PATCH_LINES="$SCRIPT_DIR/fix-patch-lines"
37
38SRC="$(pwd)"
39OBJ="$(pwd)"
40
41CONFIG="$OBJ/.config"
42TMP_DIR="$OBJ/klp-tmp"
43
44ORIG_DIR="$TMP_DIR/orig"
45PATCHED_DIR="$TMP_DIR/patched"
46DIFF_DIR="$TMP_DIR/diff"
47KMOD_DIR="$TMP_DIR/kmod"
48
49STASH_DIR="$TMP_DIR/stash"
50TIMESTAMP="$TMP_DIR/timestamp"
51PATCH_TMP_DIR="$TMP_DIR/tmp"
52
53KLP_DIFF_LOG="$DIFF_DIR/diff.log"
54
55# Terminal output colors
56read -r COLOR_RESET COLOR_BOLD COLOR_ERROR COLOR_WARN <<< ""
57if [[ -t 1 && -t 2 ]]; then
58	COLOR_RESET="\033[0m"
59	COLOR_BOLD="\033[1m"
60	COLOR_ERROR="\033[0;31m"
61	COLOR_WARN="\033[0;33m"
62fi
63
64grep0() {
65	# shellcheck disable=SC2317
66	command grep "$@" || true
67}
68
69# Because pipefail is enabled, the grep0 helper should be used instead of
70# grep, otherwise a failed match can propagate to an error.
71grep() {
72	echo "error: $SCRIPT: use grep0 or 'command grep' instead of bare grep" >&2
73	exit 1
74}
75
76status() {
77	echo -e "${COLOR_BOLD}$*${COLOR_RESET}"
78}
79
80warn() {
81	echo -e "${COLOR_WARN}warning${COLOR_RESET}: $SCRIPT: $*" >&2
82}
83
84die() {
85	echo -e "${COLOR_ERROR}error${COLOR_RESET}: $SCRIPT: $*" >&2
86	exit 1
87}
88
89declare -a STASHED_FILES
90
91stash_file() {
92	local file="$1"
93	local rel_file="${file#"$SRC"/}"
94
95	[[ ! -e "$file" ]] && die "no file to stash: $file"
96
97	mkdir -p "$STASH_DIR/$(dirname "$rel_file")"
98	cp -f "$file" "$STASH_DIR/$rel_file"
99
100	STASHED_FILES+=("$rel_file")
101}
102
103restore_files() {
104	local file
105
106	for file in "${STASHED_FILES[@]}"; do
107		mv -f "$STASH_DIR/$file" "$SRC/$file" || warn "can't restore file: $file"
108	done
109
110	STASHED_FILES=()
111}
112
113cleanup() {
114	set +o nounset
115	revert_patches
116	restore_files
117	[[ "$KEEP_TMP" -eq 0 ]] && rm -rf "$TMP_DIR"
118	return 0
119}
120
121trap_err() {
122	die "line ${BASH_LINENO[0]}: '$BASH_COMMAND'"
123}
124
125trap cleanup  EXIT INT TERM HUP
126trap trap_err ERR
127
128__usage() {
129	cat <<EOF
130Usage: $SCRIPT [OPTIONS] PATCH_FILE(s)
131Generate a livepatch module.
132
133Options:
134   -f, --show-first-changed	Show address of first changed instruction
135   -j, --jobs=<jobs>		Build jobs to run simultaneously [default: $JOBS]
136   -o, --output=<file.ko>	Output file [default: livepatch-<patch-name>.ko]
137       --no-replace		Disable livepatch atomic replace
138   -v, --verbose		Pass V=1 to kernel/module builds
139
140Advanced Options:
141   -d, --debug			Show symbol/reloc cloning decisions
142   -S, --short-circuit=STEP	Start at build step (requires prior --keep-tmp)
143				   1|orig	Build original kernel (default)
144				   2|patched	Build patched kernel
145				   3|diff	Diff objects
146				   4|kmod	Build patch module
147   -T, --keep-tmp		Preserve tmp dir on exit
148
149EOF
150}
151
152usage() {
153	__usage >&2
154}
155
156process_args() {
157	local keep_tmp=0
158	local short
159	local long
160	local args
161
162	short="hfj:o:vdS:T"
163	long="help,show-first-changed,jobs:,output:,no-replace,verbose,debug,short-circuit:,keep-tmp"
164
165	args=$(getopt --options "$short" --longoptions "$long" -- "$@") || {
166		echo; usage; exit
167	}
168	eval set -- "$args"
169
170	while true; do
171		case "$1" in
172			-h | --help)
173				usage
174				exit 0
175				;;
176			-f | --show-first-changed)
177				DIFF_CHECKSUM=1
178				shift
179				;;
180			-j | --jobs)
181				JOBS="$2"
182				shift 2
183				;;
184			-o | --output)
185				[[ "$2" != *.ko ]] && die "output filename should end with .ko"
186				OUTFILE="$2"
187				NAME="$(basename "$OUTFILE")"
188				NAME="${NAME%.ko}"
189				NAME="$(module_name_string "$NAME")"
190				shift 2
191				;;
192			--no-replace)
193				REPLACE=0
194				shift
195				;;
196			-v | --verbose)
197				VERBOSE="V=1"
198				shift
199				;;
200			-d | --debug)
201				DEBUG_CLONE=1
202				keep_tmp=1
203				shift
204				;;
205			-S | --short-circuit)
206				[[ ! -d "$TMP_DIR" ]] && die "--short-circuit requires preserved klp-tmp dir"
207				keep_tmp=1
208				case "$2" in
209					1 | orig)	SHORT_CIRCUIT=1; ;;
210					2 | patched)	SHORT_CIRCUIT=2; ;;
211					3 | diff)	SHORT_CIRCUIT=3; ;;
212					4 | mod)	SHORT_CIRCUIT=4; ;;
213					*)		die "invalid short-circuit step '$2'" ;;
214				esac
215				shift 2
216				;;
217			-T | --keep-tmp)
218				keep_tmp=1
219				shift
220				;;
221			--)
222				shift
223				break
224				;;
225			*)
226				usage
227				exit 1
228				;;
229		esac
230	done
231
232	if [[ $# -eq 0 ]] && (( SHORT_CIRCUIT <= 2 )); then
233		usage
234		exit 1
235	fi
236
237	KEEP_TMP="$keep_tmp"
238	PATCHES=("$@")
239}
240
241# temporarily disable xtrace for especially verbose code
242xtrace_save() {
243	[[ -v XTRACE ]] && set +x
244	return 0
245}
246
247xtrace_restore() {
248	[[ -v XTRACE ]] && set -x
249	return 0
250}
251
252validate_config() {
253	xtrace_save "reading .config"
254	source "$CONFIG" || die "no .config file in $(dirname "$CONFIG")"
255	xtrace_restore
256
257	[[ -v CONFIG_LIVEPATCH ]] ||			\
258		die "CONFIG_LIVEPATCH not enabled"
259
260	[[ -v CONFIG_KLP_BUILD ]] ||			\
261		die "CONFIG_KLP_BUILD not enabled"
262
263	[[ -v CONFIG_GCC_PLUGIN_LATENT_ENTROPY ]] &&	\
264		die "kernel option 'CONFIG_GCC_PLUGIN_LATENT_ENTROPY' not supported"
265
266	[[ -v CONFIG_GCC_PLUGIN_RANDSTRUCT ]] &&	\
267		die "kernel option 'CONFIG_GCC_PLUGIN_RANDSTRUCT' not supported"
268
269	[[ -v CONFIG_AS_IS_LLVM ]] &&				\
270		[[ "$CONFIG_AS_VERSION" -lt 200000 ]] &&	\
271		die "Clang assembler version < 20 not supported"
272
273	return 0
274}
275
276# Only allow alphanumerics and '_' and '-' in the module name.  Everything else
277# is replaced with '-'.  Also truncate to 55 chars so the full name + NUL
278# terminator fits in the kernel's 56-byte module name array.
279module_name_string() {
280	echo "${1//[^a-zA-Z0-9_-]/-}" | cut -c 1-55
281}
282
283# If the module name wasn't specified on the cmdline with --output, give it a
284# name based on the patch name.
285set_module_name() {
286	[[ -v NAME ]] && return 0
287
288	if [[ "${#PATCHES[@]}" -eq 1 ]]; then
289		NAME="$(basename "${PATCHES[0]}")"
290		NAME="${NAME%.*}"
291	else
292		NAME="patch"
293	fi
294
295	NAME="livepatch-$NAME"
296	NAME="$(module_name_string "$NAME")"
297
298	OUTFILE="$NAME.ko"
299}
300
301# Hardcode the value printed by the localversion script to prevent patch
302# application from appending it with '+' due to a dirty working tree.
303set_kernelversion() {
304	local file="$SRC/scripts/setlocalversion"
305	local kernelrelease
306
307	stash_file "$file"
308
309	kernelrelease="$(cd "$SRC" && make syncconfig &>/dev/null && make -s kernelrelease)"
310	[[ -z "$kernelrelease" ]] && die "failed to get kernel version"
311
312	sed -i "2i echo $kernelrelease; exit 0" scripts/setlocalversion
313}
314
315get_patch_input_files() {
316	local patch="$1"
317
318	grep0 -E '^--- ' "$patch"				\
319		| grep0 -v -e '/dev/null' -e '1969-12-31' -e '1970-01-01' \
320		| gawk '{print $2}'				\
321		| sed 's|^[^/]*/||'				\
322		| sort -u
323}
324
325get_patch_output_files() {
326	local patch="$1"
327
328	grep0 -E '^\+\+\+ ' "$patch"				\
329		| grep0 -v -e '/dev/null' -e '1969-12-31' -e '1970-01-01' \
330		| gawk '{print $2}'				\
331		| sed 's|^[^/]*/||'				\
332		| sort -u
333}
334
335get_patch_files() {
336	local patch="$1"
337
338	{ get_patch_input_files "$patch"; get_patch_output_files "$patch"; } \
339		| sort -u
340}
341
342check_unsupported_patches() {
343	local patch
344
345	for patch in "${PATCHES[@]}"; do
346		local files=()
347
348		get_patch_files "$patch" | mapfile -t files
349
350		for file in "${files[@]}"; do
351			case "$file" in
352				lib/*|*.S)
353					die "${patch}: unsupported patch to $file"
354					;;
355			esac
356		done
357	done
358}
359
360apply_patch() {
361	local patch="$1"
362	shift
363	local extra_args=("$@")
364	local drift_regex="with fuzz|offset [0-9]+ line"
365	local output
366	local status
367
368	[[ ! -f "$patch" ]] && die "$patch doesn't exist"
369	status=0
370	output=$(patch -d "$SRC" -p1 --dry-run --no-backup-if-mismatch -r /dev/null "${extra_args[@]}" < "$patch" 2>&1) || status=$?
371	if [[ "$status" -ne 0 ]]; then
372		echo "$output" >&2
373		die "$patch did not apply"
374	elif [[ "$output" =~ $drift_regex ]]; then
375		echo "$output" >&2
376		warn "${patch} applied with fuzz"
377	fi
378
379	patch -d "$SRC" -p1 --no-backup-if-mismatch -r /dev/null "${extra_args[@]}" --silent < "$patch"
380	APPLIED_PATCHES+=("$patch")
381}
382
383revert_patch() {
384	local patch="$1"
385	local tmp=()
386
387	patch -d "$SRC" -p1 -R --silent --no-backup-if-mismatch -r /dev/null < "$patch"
388
389	for p in "${APPLIED_PATCHES[@]}"; do
390		[[ "$p" == "$patch" ]] && continue
391		tmp+=("$p")
392	done
393
394	APPLIED_PATCHES=("${tmp[@]}")
395}
396
397apply_patches() {
398	local extra_args=("$@")
399	local patch
400
401	for patch in "${PATCHES[@]}"; do
402		apply_patch "$patch" "${extra_args[@]}"
403	done
404}
405
406revert_patches() {
407	local patches=("${APPLIED_PATCHES[@]}")
408
409	for (( i=${#patches[@]}-1 ; i>=0 ; i-- )) ; do
410		revert_patch "${patches[$i]}"
411	done
412
413	APPLIED_PATCHES=()
414}
415
416validate_patches() {
417	check_unsupported_patches
418	apply_patches
419	revert_patches
420}
421
422do_init() {
423	# We're not yet smart enough to handle anything other than in-tree
424	# builds in pwd.
425	[[ ! "$SRC" -ef "$SCRIPT_DIR/../.." ]] && die "please run from the kernel root directory"
426	[[ ! "$OBJ" -ef "$SCRIPT_DIR/../.." ]] && die "please run from the kernel root directory"
427
428	(( SHORT_CIRCUIT <= 1 )) && rm -rf "$TMP_DIR"
429	mkdir -p "$TMP_DIR"
430
431	APPLIED_PATCHES=()
432
433	[[ -x "$FIX_PATCH_LINES" ]] || die "can't find fix-patch-lines"
434	command -v recountdiff &>/dev/null || die "recountdiff not found (install patchutils)"
435
436	validate_config
437	set_module_name
438	set_kernelversion
439}
440
441# Refresh the patch hunk headers, specifically the line numbers and counts.
442refresh_patch() {
443	local patch="$1"
444	local tmpdir="$PATCH_TMP_DIR"
445	local input_files=()
446	local output_files=()
447
448	rm -rf "$tmpdir"
449	mkdir -p "$tmpdir/a"
450	mkdir -p "$tmpdir/b"
451
452	# Get all source files affected by the patch
453	get_patch_input_files "$patch" | mapfile -t input_files
454	get_patch_output_files "$patch" | mapfile -t output_files
455
456	# Copy orig source files to 'a'
457	( cd "$SRC" && echo "${input_files[@]}" | xargs cp --parents --target-directory="$tmpdir/a" )
458
459	# Copy patched source files to 'b'
460	apply_patch "$patch" "--silent"
461	( cd "$SRC" && echo "${output_files[@]}" | xargs cp --parents --target-directory="$tmpdir/b" )
462	revert_patch "$patch"
463
464	# Diff 'a' and 'b' to make a clean patch
465	( cd "$tmpdir" && diff -Nupr a b > "$patch" ) || true
466}
467
468# Copy the patches to a temporary directory, fix their lines so as not to
469# affect the __LINE__ macro for otherwise unchanged functions further down the
470# file, and update $PATCHES to point to the fixed patches.
471fix_patches() {
472	local idx
473	local i
474
475	rm -f "$TMP_DIR"/*.patch
476
477	idx=0001
478	for i in "${!PATCHES[@]}"; do
479		local old_patch="${PATCHES[$i]}"
480		local tmp_patch="$TMP_DIR/tmp.patch"
481		local patch="${PATCHES[$i]}"
482		local new_patch
483
484		new_patch="$TMP_DIR/$idx-fixed-$(basename "$patch")"
485
486		cp -f "$old_patch" "$tmp_patch"
487		refresh_patch "$tmp_patch"
488		"$FIX_PATCH_LINES" "$tmp_patch" | recountdiff > "$new_patch"
489
490		PATCHES[i]="$new_patch"
491
492		rm -f "$tmp_patch"
493		idx=$(printf "%04d" $(( 10#$idx + 1 )))
494	done
495}
496
497clean_kernel() {
498	local cmd=()
499
500	cmd=("make")
501	cmd+=("--silent")
502	cmd+=("-j$JOBS")
503	cmd+=("clean")
504
505	(
506		cd "$SRC"
507		"${cmd[@]}"
508	)
509}
510
511build_kernel() {
512	local build="$1"
513	local log="$TMP_DIR/build.log"
514	local objtool_args=()
515	local cmd=()
516
517	objtool_args=("--checksum")
518
519	cmd=("make")
520
521	# When a patch to a kernel module references a newly created unexported
522	# symbol which lives in vmlinux or another kernel module, the patched
523	# kernel build fails with the following error:
524	#
525	#   ERROR: modpost: "klp_string" [fs/xfs/xfs.ko] undefined!
526	#
527	# The undefined symbols are working as designed in that case.  They get
528	# resolved later when the livepatch module build link pulls all the
529	# disparate objects together into the same kernel module.
530	#
531	# It would be good to have a way to tell modpost to skip checking for
532	# undefined symbols altogether.  For now, just convert the error to a
533	# warning with KBUILD_MODPOST_WARN, and grep out the warning to avoid
534	# confusing the user.
535	#
536	cmd+=("KBUILD_MODPOST_WARN=1")
537
538	cmd+=("$VERBOSE")
539	cmd+=("-j$JOBS")
540	cmd+=("KCFLAGS=-ffunction-sections -fdata-sections")
541	cmd+=("OBJTOOL_ARGS=${objtool_args[*]}")
542	cmd+=("vmlinux")
543	cmd+=("modules")
544
545	(
546		cd "$SRC"
547		"${cmd[@]}"							\
548			1> >(tee -a "$log")					\
549			2> >(tee -a "$log" | grep0 -v "modpost.*undefined!" >&2)
550	) || die "$build kernel build failed"
551}
552
553find_objects() {
554	local opts=("$@")
555
556	# Find root-level vmlinux.o and non-root-level .ko files,
557	# excluding klp-tmp/ and .git/
558	find "$OBJ" \( -path "$TMP_DIR" -o -path "$OBJ/.git" -o	-regex "$OBJ/[^/][^/]*\.ko" \) -prune -o \
559		    -type f "${opts[@]}"				\
560		    \( -name "*.ko" -o -path "$OBJ/vmlinux.o" \)	\
561		    -printf '%P\n'
562}
563
564# Copy all .o archives to $ORIG_DIR
565copy_orig_objects() {
566	local files=()
567
568	rm -rf "$ORIG_DIR"
569	mkdir -p "$ORIG_DIR"
570
571	find_objects | mapfile -t files
572
573	xtrace_save "copying orig objects"
574	for _file in "${files[@]}"; do
575		local rel_file="${_file/.ko/.o}"
576		local file="$OBJ/$rel_file"
577		local orig_file="$ORIG_DIR/$rel_file"
578		local orig_dir="$(dirname "$orig_file")"
579
580		[[ ! -f "$file" ]] && die "missing $(basename "$file") for $_file"
581
582		mkdir -p "$orig_dir"
583		cp -f "$file" "$orig_dir"
584	done
585	xtrace_restore
586
587	mv -f "$TMP_DIR/build.log" "$ORIG_DIR"
588	touch "$TIMESTAMP"
589}
590
591# Copy all changed objects to $PATCHED_DIR
592copy_patched_objects() {
593	local files=()
594	local opts=()
595	local found=0
596
597	rm -rf "$PATCHED_DIR"
598	mkdir -p "$PATCHED_DIR"
599
600	# Note this doesn't work with some configs, thus the 'cmp' below.
601	opts=("-newer")
602	opts+=("$TIMESTAMP")
603
604	find_objects "${opts[@]}" | mapfile -t files
605
606	xtrace_save "copying changed objects"
607	for _file in "${files[@]}"; do
608		local rel_file="${_file/.ko/.o}"
609		local file="$OBJ/$rel_file"
610		local orig_file="$ORIG_DIR/$rel_file"
611		local patched_file="$PATCHED_DIR/$rel_file"
612		local patched_dir="$(dirname "$patched_file")"
613
614		[[ ! -f "$file" ]] && die "missing $(basename "$file") for $_file"
615
616		cmp -s "$orig_file" "$file" && continue
617
618		mkdir -p "$patched_dir"
619		cp -f "$file" "$patched_dir"
620		found=1
621	done
622	xtrace_restore
623
624	(( found == 0 )) && die "no changes detected"
625
626	mv -f "$TMP_DIR/build.log" "$PATCHED_DIR"
627}
628
629# Diff changed objects, writing output object to $DIFF_DIR
630diff_objects() {
631	local log="$KLP_DIFF_LOG"
632	local files=()
633	local opts=()
634
635	rm -rf "$DIFF_DIR"
636	mkdir -p "$DIFF_DIR"
637
638	find "$PATCHED_DIR" -type f -name "*.o" | mapfile -t files
639	[[ ${#files[@]} -eq 0 ]] && die "no changes detected"
640
641	[[ -v DEBUG_CLONE ]] && opts=("--debug")
642
643	# Diff all changed objects
644	for file in "${files[@]}"; do
645		local rel_file="${file#"$PATCHED_DIR"/}"
646		local orig_file="$rel_file"
647		local patched_file="$PATCHED_DIR/$rel_file"
648		local out_file="$DIFF_DIR/$rel_file"
649		local filter=()
650		local cmd=()
651
652		mkdir -p "$(dirname "$out_file")"
653
654		cmd=("$SRC/tools/objtool/objtool")
655		cmd+=("klp")
656		cmd+=("diff")
657		(( ${#opts[@]} > 0 )) && cmd+=("${opts[@]}")
658		cmd+=("$orig_file")
659		cmd+=("$patched_file")
660		cmd+=("$out_file")
661
662		if [[ -v DIFF_CHECKSUM ]]; then
663			filter=("grep0")
664			filter+=("-Ev")
665			filter+=("DEBUG: .*checksum: ")
666		else
667			filter=("cat")
668		fi
669
670		(
671			cd "$ORIG_DIR"
672			"${cmd[@]}"							\
673				1> >(tee -a "$log")					\
674				2> >(tee -a "$log" | "${filter[@]}" >&2) ||		\
675				die "objtool klp diff failed"
676		)
677	done
678}
679
680# For each changed object, run objtool with --debug-checksum to get the
681# per-instruction checksums, and then diff those to find the first changed
682# instruction for each function.
683diff_checksums() {
684	local orig_log="$ORIG_DIR/checksum.log"
685	local patched_log="$PATCHED_DIR/checksum.log"
686	local -A funcs
687	local cmd=()
688	local line
689	local file
690	local func
691
692	gawk '/\.o: changed function: / {
693		sub(/:$/, "", $1)
694		print $1, $NF
695	}' "$KLP_DIFF_LOG" | mapfile -t lines
696
697	for line in "${lines[@]}"; do
698		read -r file func <<< "$line"
699		if [[ ! -v funcs["$file"] ]]; then
700			funcs["$file"]="$func"
701		else
702			funcs["$file"]+=" $func"
703		fi
704	done
705
706	cmd=("$SRC/tools/objtool/objtool")
707	cmd+=("--checksum")
708	cmd+=("--link")
709	cmd+=("--dry-run")
710
711	for file in "${!funcs[@]}"; do
712		local opt="--debug-checksum=${funcs[$file]// /,}"
713
714		(
715			cd "$ORIG_DIR"
716			"${cmd[@]}" "$opt" "$file" &> "$orig_log" || \
717				( cat "$orig_log" >&2; die "objtool --debug-checksum failed" )
718
719			cd "$PATCHED_DIR"
720			"${cmd[@]}" "$opt" "$file" &> "$patched_log" ||	\
721				( cat "$patched_log" >&2; die "objtool --debug-checksum failed" )
722		)
723
724		for func in ${funcs[$file]}; do
725			diff <( grep0 -E "^DEBUG: .*checksum: $func " "$orig_log"    | sed "s|$ORIG_DIR/||")	\
726			     <( grep0 -E "^DEBUG: .*checksum: $func " "$patched_log" | sed "s|$PATCHED_DIR/||")	\
727				| gawk '/^< DEBUG: / {
728					gsub(/:/, "")
729					printf "%s: %s: %s\n", $3, $5, $6
730					exit
731			}' || true
732		done
733	done
734}
735
736# Build and post-process livepatch module in $KMOD_DIR
737build_patch_module() {
738	local makefile="$KMOD_DIR/Kbuild"
739	local log="$KMOD_DIR/build.log"
740	local kmod_file
741	local cflags=()
742	local files=()
743	local cmd=()
744
745	rm -rf "$KMOD_DIR"
746	mkdir -p "$KMOD_DIR"
747
748	cp -f "$SRC/scripts/livepatch/init.c" "$KMOD_DIR"
749
750	echo "obj-m := $NAME.o" > "$makefile"
751	echo -n "$NAME-y := init.o" >> "$makefile"
752
753	find "$DIFF_DIR" -type f -name "*.o" | mapfile -t files
754	[[ ${#files[@]} -eq 0 ]] && die "no changes detected"
755
756	for file in "${files[@]}"; do
757		local rel_file="${file#"$DIFF_DIR"/}"
758		local orig_file="$ORIG_DIR/$rel_file"
759		local orig_dir="$(dirname "$orig_file")"
760		local kmod_file="$KMOD_DIR/$rel_file"
761		local kmod_dir="$(dirname "$kmod_file")"
762		local cmd_file="$kmod_dir/.$(basename "$file").cmd"
763
764		mkdir -p "$kmod_dir"
765		cp -f "$file" "$kmod_dir"
766
767		# Tell kbuild this is a prebuilt object
768		cp -f "$file" "${kmod_file}_shipped"
769
770		# Make modpost happy
771		touch "$cmd_file"
772
773		echo -n " $rel_file" >> "$makefile"
774	done
775
776	echo >> "$makefile"
777
778	cflags=("-ffunction-sections")
779	cflags+=("-fdata-sections")
780	[[ $REPLACE -eq 0 ]] && cflags+=("-DKLP_NO_REPLACE")
781
782	cmd=("make")
783	cmd+=("$VERBOSE")
784	cmd+=("-j$JOBS")
785	cmd+=("--directory=.")
786	cmd+=("M=$KMOD_DIR")
787	cmd+=("KCFLAGS=${cflags[*]}")
788
789	# Build a "normal" kernel module with init.c and the diffed objects
790	(
791		cd "$SRC"
792		"${cmd[@]}"							\
793			1> >(tee -a "$log")					\
794			2> >(tee -a "$log" >&2)
795	)
796
797	kmod_file="$KMOD_DIR/$NAME.ko"
798
799	# Save off the intermediate binary for debugging
800	cp -f "$kmod_file" "$kmod_file.orig"
801
802	# Work around issue where slight .config change makes corrupt BTF
803	objcopy --remove-section=.BTF "$kmod_file"
804
805	# Fix (and work around) linker wreckage for klp syms / relocs
806	"$SRC/tools/objtool/objtool" klp post-link "$kmod_file" || die "objtool klp post-link failed"
807
808	cp -f "$kmod_file" "$OUTFILE"
809}
810
811
812################################################################################
813
814process_args "$@"
815do_init
816
817if (( SHORT_CIRCUIT <= 2 )); then
818	status "Validating patch(es)"
819	validate_patches
820fi
821
822if (( SHORT_CIRCUIT <= 1 )); then
823	status "Building original kernel"
824	clean_kernel
825	build_kernel "original"
826	status "Copying original object files"
827	copy_orig_objects
828fi
829
830if (( SHORT_CIRCUIT <= 2 )); then
831	status "Fixing patch(es)"
832	fix_patches
833	apply_patches "--silent"
834	status "Building patched kernel"
835	build_kernel "patched"
836	revert_patches
837	status "Copying patched object files"
838	copy_patched_objects
839fi
840
841if (( SHORT_CIRCUIT <= 3 )); then
842	status "Diffing objects"
843	diff_objects
844	if [[ -v DIFF_CHECKSUM ]]; then
845		status "Finding first changed instructions"
846		diff_checksums
847	fi
848fi
849
850if (( SHORT_CIRCUIT <= 4 )); then
851	status "Building patch module: $OUTFILE"
852	build_patch_module
853fi
854
855status "SUCCESS"
856