xref: /linux/scripts/livepatch/klp-build (revision 225d16dd510d92c8eaba8e6496cfaa7881a24827) 
1#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0
3#
4# Build a livepatch module
5
6# shellcheck disable=SC1090,SC2155,SC2164
7
8if (( BASH_VERSINFO[0]  < 4 || \
9     (BASH_VERSINFO[0] == 4 && BASH_VERSINFO[1] < 4) )); then
10		echo "error: this script requires bash 4.4+" >&2
11	exit 1
12fi
13
14set -o errtrace
15set -o pipefail
16set -o nounset
17
18# Allow doing 'cmd | mapfile -t array' instead of 'mapfile -t array < <(cmd)'.
19# This helps keep execution in pipes so pipefail+ERR trap can catch errors.
20shopt -s lastpipe
21
22unset DEBUG_CLONE DIFF_CHECKSUM SKIP_CLEANUP VERBOSE XTRACE
23
24REPLACE=1
25SHORT_CIRCUIT=0
26JOBS="$(getconf _NPROCESSORS_ONLN)"
27shopt -o xtrace | grep -q 'on' && XTRACE=1
28
29# Avoid removing the previous $TMP_DIR until args have been fully processed.
30KEEP_TMP=1
31
32SCRIPT="$(basename "$0")"
33SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
34FIX_PATCH_LINES="$SCRIPT_DIR/fix-patch-lines"
35
36OBJTOOL="$PWD/tools/objtool/objtool"
37CONFIG="$PWD/.config"
38TMP_DIR="$PWD/klp-tmp"
39
40ORIG_DIR="$TMP_DIR/1-orig"
41PATCHED_DIR="$TMP_DIR/2-patched"
42ORIG_CSUM_DIR="$TMP_DIR/3-checksum-orig"
43PATCHED_CSUM_DIR="$TMP_DIR/3-checksum-patched"
44DIFF_DIR="$TMP_DIR/4-diff"
45KMOD_DIR="$TMP_DIR/5-kmod"
46
47STASH_DIR="$TMP_DIR/stash"
48TIMESTAMP="$TMP_DIR/timestamp"
49PATCH_TMP_DIR="$TMP_DIR/tmp"
50
51KLP_DIFF_LOG="$DIFF_DIR/diff.log"
52
53# Terminal output colors
54read -r COLOR_RESET COLOR_BOLD COLOR_ERROR COLOR_WARN <<< ""
55if [[ -t 1 && -t 2 ]]; then
56	COLOR_RESET="\033[0m"
57	COLOR_BOLD="\033[1m"
58	COLOR_ERROR="\033[0;31m"
59	COLOR_WARN="\033[0;33m"
60fi
61
62grep0() {
63	# shellcheck disable=SC2317
64	command grep "$@" || true
65}
66
67# Because pipefail is enabled, the grep0 helper should be used instead of
68# grep, otherwise a failed match can propagate to an error.
69grep() {
70	echo "error: $SCRIPT: use grep0 or 'command grep' instead of bare grep" >&2
71	exit 1
72}
73
74status() {
75	echo -e "${COLOR_BOLD}$*${COLOR_RESET}"
76}
77
78warn() {
79	echo -e "${COLOR_WARN}warning${COLOR_RESET}: $SCRIPT: $*" >&2
80}
81
82die() {
83	echo -e "${COLOR_ERROR}error${COLOR_RESET}: $SCRIPT: $*" >&2
84	exit 1
85}
86
87declare -a STASHED_FILES
88
89stash_file() {
90	local file="$1"
91	local rel_file="${file#"$PWD"/}"
92
93	[[ ! -e "$file" ]] && die "no file to stash: $file"
94
95	mkdir -p "$STASH_DIR/$(dirname "$rel_file")"
96	cp -f "$file" "$STASH_DIR/$rel_file"
97
98	STASHED_FILES+=("$rel_file")
99}
100
101restore_files() {
102	local file
103
104	for file in "${STASHED_FILES[@]}"; do
105		mv -f "$STASH_DIR/$file" "$PWD/$file" || warn "can't restore file: $file"
106	done
107
108	STASHED_FILES=()
109}
110
111cleanup() {
112	set +o nounset
113	revert_patches
114	restore_files
115	[[ "$KEEP_TMP" -eq 0 ]] && rm -rf "$TMP_DIR"
116	return 0
117}
118
119trap_err() {
120	die "line ${BASH_LINENO[0]}: '$BASH_COMMAND'"
121}
122
123trap cleanup  EXIT INT TERM HUP
124trap trap_err ERR
125
126__usage() {
127	cat <<EOF
128Usage: $SCRIPT [OPTIONS] PATCH_FILE(s)
129Generate a livepatch module.
130
131Options:
132   -f, --show-first-changed	Show address of first changed instruction
133   -j, --jobs=<jobs>		Build jobs to run simultaneously [default: $JOBS]
134   -o, --output=<file.ko>	Output file [default: livepatch-<patch-name>.ko]
135       --no-replace		Disable livepatch atomic replace
136   -v, --verbose		Pass V=1 to kernel/module builds
137
138Advanced Options:
139   -d, --debug			Show symbol/reloc cloning decisions
140   -S, --short-circuit=STEP	Start at build step (requires prior --keep-tmp)
141				   1|orig		Build original kernel (default)
142				   2|patched		Build patched kernel
143				   3|checksum		Generate checksums
144				   4|diff		Diff objects
145				   5|kmod		Build patch module
146   -T, --keep-tmp		Preserve tmp dir on exit
147
148EOF
149}
150
151usage() {
152	__usage >&2
153}
154
155process_args() {
156	local keep_tmp=0
157	local short
158	local long
159	local args
160	local patch
161
162	short="hfj:o:vdS:T"
163	long="help,show-first-changed,jobs:,output:,no-replace,verbose,debug,short-circuit:,keep-tmp"
164
165	args=$(getopt --options "$short" --longoptions "$long" -- "$@") || {
166		echo; usage; exit
167	}
168	eval set -- "$args"
169
170	while true; do
171		case "$1" in
172			-h | --help)
173				usage
174				exit 0
175				;;
176			-f | --show-first-changed)
177				DIFF_CHECKSUM=1
178				shift
179				;;
180			-j | --jobs)
181				JOBS="$2"
182				shift 2
183				;;
184			-o | --output)
185				[[ "$2" != *.ko ]] && die "output filename should end with .ko"
186				OUTFILE="$2"
187				NAME="$(basename "$OUTFILE")"
188				NAME="${NAME%.ko}"
189				NAME="$(module_name_string "$NAME")"
190				shift 2
191				;;
192			--no-replace)
193				REPLACE=0
194				shift
195				;;
196			-v | --verbose)
197				VERBOSE=1
198				shift
199				;;
200			-d | --debug)
201				DEBUG_CLONE=1
202				keep_tmp=1
203				shift
204				;;
205			-S | --short-circuit)
206				[[ ! -d "$TMP_DIR" ]] && die "--short-circuit requires preserved klp-tmp dir"
207				keep_tmp=1
208				case "$2" in
209					1 | orig)		SHORT_CIRCUIT=1; ;;
210					2 | patched)		SHORT_CIRCUIT=2; ;;
211					3 | checksum)		SHORT_CIRCUIT=3; ;;
212					4 | diff)		SHORT_CIRCUIT=4; ;;
213					5 | kmod)		SHORT_CIRCUIT=5; ;;
214					*)		die "invalid short-circuit step '$2'" ;;
215				esac
216				shift 2
217				;;
218			-T | --keep-tmp)
219				keep_tmp=1
220				shift
221				;;
222			--)
223				shift
224				break
225				;;
226			*)
227				usage
228				exit 1
229				;;
230		esac
231	done
232
233	if [[ $# -eq 0 ]] && (( SHORT_CIRCUIT <= 2 )); then
234		usage
235		exit 1
236	fi
237
238	KEEP_TMP="$keep_tmp"
239	PATCHES=("$@")
240
241	for patch in "${PATCHES[@]}"; do
242		[[ -f "$patch" ]] || die "$patch doesn't exist"
243	done
244}
245
246# temporarily disable xtrace for especially verbose code
247xtrace_save() {
248	[[ -v XTRACE ]] && set +x
249	return 0
250}
251
252xtrace_restore() {
253	[[ -v XTRACE ]] && set -x
254	return 0
255}
256
257validate_config() {
258	xtrace_save "reading .config"
259	source "$CONFIG" || die "no .config file in $(dirname "$CONFIG")"
260	xtrace_restore
261
262	[[ -v CONFIG_LIVEPATCH ]] ||			\
263		die "CONFIG_LIVEPATCH not enabled"
264
265	[[ -v CONFIG_KLP_BUILD ]] ||			\
266		die "CONFIG_KLP_BUILD not enabled"
267
268	[[ -v CONFIG_GCC_PLUGIN_LATENT_ENTROPY ]] &&	\
269		die "kernel option 'CONFIG_GCC_PLUGIN_LATENT_ENTROPY' not supported"
270
271	[[ -v CONFIG_GCC_PLUGIN_RANDSTRUCT ]] &&	\
272		die "kernel option 'CONFIG_GCC_PLUGIN_RANDSTRUCT' not supported"
273
274	[[ -v CONFIG_AS_IS_LLVM ]] &&				\
275		[[ "$CONFIG_AS_VERSION" -lt 200000 ]] &&	\
276		die "Clang assembler version < 20 not supported"
277
278	[[ -x "$OBJTOOL" ]] && "$OBJTOOL" klp 2>&1 | command grep -q "not implemented" && \
279		die "objtool not built with KLP support; install xxhash-devel/libxxhash-dev (version >= 0.8) and recompile"
280
281	return 0
282}
283
284# Only allow alphanumerics and '_' and '-' in the module name.  Everything else
285# is replaced with '-'.  Also truncate to 55 chars so the full name + NUL
286# terminator fits in the kernel's 56-byte module name array.
287module_name_string() {
288	echo "${1//[^a-zA-Z0-9_-]/-}" | cut -c 1-55
289}
290
291# If the module name wasn't specified on the cmdline with --output, give it a
292# name based on the patch name.
293set_module_name() {
294	[[ -v NAME ]] && return 0
295
296	if [[ "${#PATCHES[@]}" -eq 1 ]]; then
297		NAME="$(basename "${PATCHES[0]}")"
298		NAME="${NAME%.*}"
299	else
300		NAME="patch"
301	fi
302
303	NAME="livepatch-$NAME"
304	NAME="$(module_name_string "$NAME")"
305
306	OUTFILE="$NAME.ko"
307}
308
309# Hardcode the value printed by the localversion script to prevent patch
310# application from appending it with '+' due to a dirty working tree.
311set_kernelversion() {
312	local file="$PWD/scripts/setlocalversion"
313	local kernelrelease
314
315	stash_file "$file"
316
317	if [[ -n "$(make -s listnewconfig 2>/dev/null)" ]]; then
318		die ".config mismatch, check your .config or run 'make olddefconfig'"
319	fi
320	make syncconfig &>/dev/null || die "make syncconfig failed"
321
322	kernelrelease="$(make -s kernelrelease)"
323	[[ -z "$kernelrelease" ]] && die "failed to get kernel version"
324
325	sed -i "2i echo $kernelrelease; exit 0" scripts/setlocalversion
326}
327
328get_patch_input_files() {
329	local patch="$1"
330
331	grep0 -E '^--- ' "$patch"				\
332		| grep0 -v -e '/dev/null' -e '1969-12-31' -e '1970-01-01' \
333		| gawk '{print $2}'				\
334		| sed 's|^[^/]*/||'				\
335		| sort -u
336}
337
338get_patch_output_files() {
339	local patch="$1"
340
341	grep0 -E '^\+\+\+ ' "$patch"				\
342		| grep0 -v -e '/dev/null' -e '1969-12-31' -e '1970-01-01' \
343		| gawk '{print $2}'				\
344		| sed 's|^[^/]*/||'				\
345		| sort -u
346}
347
348get_patch_files() {
349	local patch="$1"
350
351	{ get_patch_input_files "$patch"; get_patch_output_files "$patch"; } \
352		| sort -u
353}
354
355check_unsupported_patches() {
356	local patch
357
358	for patch in "${PATCHES[@]}"; do
359		local files=()
360
361		get_patch_files "$patch" | mapfile -t files
362
363		for file in "${files[@]}"; do
364			case "$file" in
365				lib/*|*/vdso/*|*/realmode/rm/*|*.S)
366					die "${patch}: unsupported patch to $file"
367					;;
368			esac
369		done
370	done
371}
372
373apply_patch() {
374	local patch="$1"
375	shift
376	local extra_args=("$@")
377	local drift_regex="with fuzz|offset [0-9]+ line"
378	local output
379	local status
380
381	[[ ! -f "$patch" ]] && die "$patch doesn't exist"
382	status=0
383	output=$(patch -p1 --dry-run --no-backup-if-mismatch -r /dev/null "${extra_args[@]}" < "$patch" 2>&1) || status=$?
384	if [[ "$status" -ne 0 ]]; then
385		echo "$output" >&2
386		die "$patch did not apply"
387	elif [[ "$output" =~ $drift_regex ]]; then
388		[[ -v VERBOSE ]] && echo "$output" >&2
389		warn "${patch} applied with fuzz"
390	fi
391
392	APPLIED_PATCHES+=("$patch")
393	patch -p1 --no-backup-if-mismatch -r /dev/null "${extra_args[@]}" --silent < "$patch"
394}
395
396revert_patch() {
397	local patch="$1"
398	local tmp=()
399
400	patch -p1 -R --force --no-backup-if-mismatch -r /dev/null &> /dev/null < "$patch" || true
401
402	for p in "${APPLIED_PATCHES[@]}"; do
403		[[ "$p" == "$patch" ]] && continue
404		tmp+=("$p")
405	done
406
407	APPLIED_PATCHES=("${tmp[@]}")
408}
409
410apply_patches() {
411	local extra_args=("$@")
412	local patch
413
414	for patch in "${PATCHES[@]}"; do
415		apply_patch "$patch" "${extra_args[@]}"
416	done
417}
418
419revert_patches() {
420	local patches=("${APPLIED_PATCHES[@]}")
421
422	for (( i=${#patches[@]}-1 ; i>=0 ; i-- )) ; do
423		revert_patch "${patches[$i]}"
424	done
425
426	APPLIED_PATCHES=()
427}
428
429validate_patches() {
430	check_unsupported_patches
431	apply_patches
432	revert_patches
433}
434
435do_init() {
436	# We're not yet smart enough to handle anything other than in-tree
437	# builds in pwd.
438	[[ ! "$PWD" -ef "$SCRIPT_DIR/../.." ]] && die "please run from the kernel root directory"
439
440	if (( SHORT_CIRCUIT >= 2 )); then
441		[[ -f "$ORIG_DIR/.complete" ]] || die "-S $SHORT_CIRCUIT requires completed $ORIG_DIR"
442	fi
443	if (( SHORT_CIRCUIT >= 3 )); then
444		[[ -f "$PATCHED_DIR/.complete" ]] || die "-S $SHORT_CIRCUIT requires completed $PATCHED_DIR"
445	fi
446	if (( SHORT_CIRCUIT >= 4 )); then
447		[[ -f "$ORIG_CSUM_DIR/.complete" ]] || die "-S $SHORT_CIRCUIT requires completed $ORIG_CSUM_DIR"
448		[[ -f "$PATCHED_CSUM_DIR/.complete" ]] || die "-S $SHORT_CIRCUIT requires completed $PATCHED_CSUM_DIR"
449	fi
450	if (( SHORT_CIRCUIT >= 5 )); then
451		[[ -f "$DIFF_DIR/.complete" ]] || die "-S $SHORT_CIRCUIT requires completed $DIFF_DIR"
452	fi
453
454	(( SHORT_CIRCUIT <= 1 )) && rm -rf "$TMP_DIR"
455	mkdir -p "$TMP_DIR"
456
457	APPLIED_PATCHES=()
458
459	[[ -x "$FIX_PATCH_LINES" ]] || die "can't find fix-patch-lines"
460	command -v recountdiff &>/dev/null || die "recountdiff not found (install patchutils)"
461
462	validate_config
463	set_module_name
464	set_kernelversion
465}
466
467# Refresh the patch hunk headers, specifically the line numbers and counts.
468refresh_patch() {
469	local patch="$1"
470	local tmpdir="$PATCH_TMP_DIR"
471	local input_files=()
472	local output_files=()
473
474	rm -rf "$tmpdir"
475	mkdir -p "$tmpdir/a"
476	mkdir -p "$tmpdir/b"
477
478	# Get all source files affected by the patch
479	get_patch_input_files "$patch" | mapfile -t input_files
480	get_patch_output_files "$patch" | mapfile -t output_files
481
482	# Copy orig source files to 'a'
483	echo "${input_files[@]}" | xargs cp --parents --target-directory="$tmpdir/a"
484
485	# Copy patched source files to 'b'
486	apply_patch "$patch" "--silent"
487	echo "${output_files[@]}" | xargs cp --parents --target-directory="$tmpdir/b"
488	revert_patch "$patch"
489
490	# Diff 'a' and 'b' to make a clean patch
491	( cd "$tmpdir" && diff -Nupr a b > "$patch" ) || true
492}
493
494# Copy the patches to a temporary directory, fix their lines so as not to
495# affect the __LINE__ macro for otherwise unchanged functions further down the
496# file, and update $PATCHES to point to the fixed patches.
497fix_patches() {
498	local idx
499	local i
500
501	rm -f "$TMP_DIR"/*.patch
502
503	idx=0001
504	for i in "${!PATCHES[@]}"; do
505		local old_patch="${PATCHES[$i]}"
506		local tmp_patch="$TMP_DIR/tmp.patch"
507		local patch="${PATCHES[$i]}"
508		local new_patch
509
510		new_patch="$TMP_DIR/$idx-fixed-$(basename "$patch")"
511
512		cp -f "$old_patch" "$tmp_patch"
513		refresh_patch "$tmp_patch"
514		"$FIX_PATCH_LINES" "$tmp_patch" | recountdiff > "$new_patch"
515
516		PATCHES[i]="$new_patch"
517
518		rm -f "$tmp_patch"
519		idx=$(printf "%04d" $(( 10#$idx + 1 )))
520	done
521}
522
523clean_kernel() {
524	local cmd=()
525
526	cmd=("make")
527	cmd+=("--silent")
528	cmd+=("-j$JOBS")
529	cmd+=("clean")
530
531	"${cmd[@]}"
532}
533
534build_kernel() {
535	local build="$1"
536	local log="$TMP_DIR/build.log"
537	local cmd=()
538
539	cmd=("make")
540
541	# When a patch to a kernel module references a newly created unexported
542	# symbol which lives in vmlinux or another kernel module, the patched
543	# kernel build fails with the following error:
544	#
545	#   ERROR: modpost: "klp_string" [fs/xfs/xfs.ko] undefined!
546	#
547	# The undefined symbols are working as designed in that case.  They get
548	# resolved later when the livepatch module build link pulls all the
549	# disparate objects together into the same kernel module.
550	#
551	# It would be good to have a way to tell modpost to skip checking for
552	# undefined symbols altogether.  For now, just convert the error to a
553	# warning with KBUILD_MODPOST_WARN, and grep out the warning to avoid
554	# confusing the user.
555	#
556	cmd+=("KBUILD_MODPOST_WARN=1")
557
558	if [[ -v VERBOSE ]]; then
559		cmd+=("V=1")
560	else
561		cmd+=("-s")
562	fi
563	cmd+=("-j$JOBS")
564	cmd+=("KCFLAGS=-ffunction-sections -fdata-sections")
565	cmd+=("vmlinux")
566	cmd+=("modules")
567
568	"${cmd[@]}"							\
569		1> >(tee -a "$log")					\
570		2> >(tee -a "$log" | grep0 -v "modpost.*undefined!" >&2) \
571		|| die "$build kernel build failed"
572}
573
574find_objects() {
575	local opts=("$@")
576
577	# Find root-level vmlinux.o and non-root-level .ko files,
578	# excluding klp-tmp/ and .git/
579	find "$PWD" \( -path "$TMP_DIR" -o -path "$PWD/.git" -o -regex "$PWD/[^/][^/]*\.ko" \) -prune -o \
580		    -type f "${opts[@]}"				\
581		    \( -name "*.ko" -o -path "$PWD/vmlinux.o" \)	\
582		    -printf '%P\n'
583}
584
585# Copy all .o archives to $ORIG_DIR
586copy_orig_objects() {
587	local files=()
588
589	rm -rf "$ORIG_DIR"
590	mkdir -p "$ORIG_DIR"
591
592	find_objects | mapfile -t files
593
594	xtrace_save "copying original objects"
595	for _file in "${files[@]}"; do
596		local rel_file="${_file/.ko/.o}"
597		local file="$PWD/$rel_file"
598		local orig_file="$ORIG_DIR/$rel_file"
599		local orig_dir="$(dirname "$orig_file")"
600
601		[[ ! -f "$file" ]] && die "missing $(basename "$file") for $_file"
602
603		mkdir -p "$orig_dir"
604		cp -f "$file" "$orig_dir"
605	done
606	xtrace_restore
607
608	mv -f "$TMP_DIR/build.log" "$ORIG_DIR"
609	touch "$TIMESTAMP"
610	touch "$ORIG_DIR/.complete"
611}
612
613# Copy all changed objects to $PATCHED_DIR
614copy_patched_objects() {
615	local files=()
616	local opts=()
617	local found=0
618
619	rm -rf "$PATCHED_DIR"
620	mkdir -p "$PATCHED_DIR"
621
622	# Note this doesn't work with some configs, thus the 'cmp' below.
623	opts=("-newer")
624	opts+=("$TIMESTAMP")
625
626	find_objects "${opts[@]}" | mapfile -t files
627
628	xtrace_save "copying changed objects"
629	for _file in "${files[@]}"; do
630		local rel_file="${_file/.ko/.o}"
631		local file="$PWD/$rel_file"
632		local orig_file="$ORIG_DIR/$rel_file"
633		local patched_file="$PATCHED_DIR/$rel_file"
634		local patched_dir="$(dirname "$patched_file")"
635
636		[[ ! -f "$file" ]] && die "missing $(basename "$file") for $_file"
637
638		cmp -s "$orig_file" "$file" && continue
639
640		mkdir -p "$patched_dir"
641		cp -f "$file" "$patched_dir"
642		found=1
643	done
644	xtrace_restore
645
646	(( found == 0 )) && die "no changes detected"
647
648	mv -f "$TMP_DIR/build.log" "$PATCHED_DIR"
649	touch "$PATCHED_DIR/.complete"
650}
651
652# Copy .o files to a separate directory and run "objtool klp checksum" on each
653# copy.  The checksums are written to a .discard.sym_checksum section.
654#
655# If match_dir is given, only process files which also exist there.
656generate_checksums() {
657	local src_dir="$1"
658	local dest_dir="$2"
659	local match_dir="${3:-}"
660	local files=()
661	local file
662
663	rm -rf "$dest_dir"
664	mkdir -p "$dest_dir"
665
666	find "$src_dir" -type f -name "*.o" | mapfile -t files
667	for file in "${files[@]}"; do
668		local rel="${file#"$src_dir"/}"
669		local dest="$dest_dir/$rel"
670
671		[[ -n "$match_dir" && ! -f "$match_dir/$rel" ]] && continue
672
673		mkdir -p "$(dirname "$dest")"
674		cp -f "$file" "$dest"
675		"$OBJTOOL" klp checksum "$dest"
676	done
677
678	touch "$dest_dir/.complete"
679}
680
681# Diff changed objects, writing output object to $DIFF_DIR
682diff_objects() {
683	local log="$KLP_DIFF_LOG"
684	local files=()
685	local opts=()
686
687	rm -rf "$DIFF_DIR"
688	mkdir -p "$DIFF_DIR"
689
690	find "$PATCHED_CSUM_DIR" -type f -name "*.o" | mapfile -t files
691	[[ ${#files[@]} -eq 0 ]] && die "no changes detected"
692
693	[[ -v DEBUG_CLONE ]] && opts=("--debug")
694
695	# Diff all changed objects
696	for file in "${files[@]}"; do
697		local rel_file="${file#"$PATCHED_CSUM_DIR"/}"
698		local orig_file="$rel_file"
699		local patched_file="$PATCHED_CSUM_DIR/$rel_file"
700		local out_file="$DIFF_DIR/$rel_file"
701		local filter=()
702		local cmd=()
703
704		mkdir -p "$(dirname "$out_file")"
705
706		cmd=("$OBJTOOL")
707		cmd+=("klp")
708		cmd+=("diff")
709		(( ${#opts[@]} > 0 )) && cmd+=("${opts[@]}")
710		cmd+=("$orig_file")
711		cmd+=("$patched_file")
712		cmd+=("$out_file")
713
714		if [[ -v DIFF_CHECKSUM ]]; then
715			filter=("grep0")
716			filter+=("-Ev")
717			filter+=("DEBUG: .*checksum: ")
718		else
719			filter=("cat")
720		fi
721
722		(
723			cd "$ORIG_CSUM_DIR"
724			[[ -v VERBOSE ]] && echo "cd $ORIG_CSUM_DIR && ${cmd[*]}"
725			"${cmd[@]}"							\
726				1> >(tee -a "$log")					\
727				2> >(tee -a "$log" | "${filter[@]}" >&2) ||		\
728				die "objtool klp diff failed"
729		)
730	done
731
732	touch "$DIFF_DIR/.complete"
733}
734
735# For each changed object, run "objtool klp checksum" with --debug-checksum to
736# get the per-instruction checksums, and then diff those to find the first
737# changed instruction for each function.
738diff_checksums() {
739	local orig_log="$ORIG_DIR/checksum.log"
740	local patched_log="$PATCHED_DIR/checksum.log"
741	local -A funcs
742	local cmd=()
743	local line
744	local file
745	local func
746
747	gawk '/\.o: changed function: / {
748		sub(/:$/, "", $1)
749		print $1, $NF
750	}' "$KLP_DIFF_LOG" | mapfile -t lines
751
752	for line in "${lines[@]}"; do
753		read -r file func <<< "$line"
754		if [[ ! -v funcs["$file"] ]]; then
755			funcs["$file"]="$func"
756		else
757			funcs["$file"]+=" $func"
758		fi
759	done
760
761	cmd=("$OBJTOOL")
762	cmd+=("klp" "checksum")
763	cmd+=("--dry-run")
764
765	for file in "${!funcs[@]}"; do
766		local opt="--debug-checksum=${funcs[$file]// /,}"
767
768		(
769			cd "$ORIG_DIR"
770			"${cmd[@]}" "$opt" "$file" &> "$orig_log" || \
771				( cat "$orig_log" >&2; die "objtool klp checksum failed" )
772
773			cd "$PATCHED_DIR"
774			"${cmd[@]}" "$opt" "$file" &> "$patched_log" ||	\
775				( cat "$patched_log" >&2; die "objtool klp checksum failed" )
776		)
777
778		for func in ${funcs[$file]}; do
779			local -a orig patched
780			paste <(grep0 -E "^DEBUG: .*checksum: $func " "$orig_log") \
781			      <(grep0 -E "^DEBUG: .*checksum: $func " "$patched_log") |
782			while IFS= read -r line; do
783				read -ra orig <<< "${line%%$'\t'*}"
784				read -ra patched <<< "${line#*$'\t'}"
785
786				if [[ ${#patched[@]} -eq 0 ]]; then
787					printf "%s: %s: %s (removed)\n" "${orig[1]%:}" "${orig[3]}" "${orig[-2]}"
788					break
789				elif [[ ${#orig[@]} -eq 0 ]]; then
790					printf "%s: %s: %s (added)\n" "${patched[1]%:}" "${patched[3]}" "${patched[-2]}"
791					break
792				fi
793
794				[[ "${orig[-1]}" == "${patched[-1]}" ]] && continue
795
796				printf "%s: %s: %s" "${orig[1]%:}" "${orig[3]}" "${orig[-2]}"
797				[[ "${orig[-2]}" != "${patched[-2]}" ]] && \
798					printf " (patched: %s)" "${patched[-2]}"
799				printf "\n"
800				break
801			done || true
802		done
803	done
804}
805
806# Build and post-process livepatch module in $KMOD_DIR
807build_patch_module() {
808	local makefile="$KMOD_DIR/Kbuild"
809	local log="$KMOD_DIR/build.log"
810	local kmod_file
811	local cflags=()
812	local files=()
813	local cmd=()
814
815	rm -rf "$KMOD_DIR"
816	mkdir -p "$KMOD_DIR"
817
818	cp -f "$SCRIPT_DIR/init.c" "$KMOD_DIR"
819
820	echo "obj-m := $NAME.o" > "$makefile"
821	echo -n "$NAME-y := init.o" >> "$makefile"
822
823	find "$DIFF_DIR" -type f -name "*.o" | mapfile -t files
824	[[ ${#files[@]} -eq 0 ]] && die "no changes detected"
825
826	for file in "${files[@]}"; do
827		local rel_file="${file#"$DIFF_DIR"/}"
828		local orig_file="$ORIG_DIR/$rel_file"
829		local orig_dir="$(dirname "$orig_file")"
830		local kmod_file="$KMOD_DIR/$rel_file"
831		local kmod_dir="$(dirname "$kmod_file")"
832		local cmd_file="$kmod_dir/.$(basename "$file").cmd"
833
834		mkdir -p "$kmod_dir"
835		cp -f "$file" "$kmod_dir"
836
837		# Tell kbuild this is a prebuilt object
838		cp -f "$file" "${kmod_file}_shipped"
839
840		# Make modpost happy
841		touch "$cmd_file"
842
843		echo -n " $rel_file" >> "$makefile"
844	done
845
846	echo >> "$makefile"
847
848	cflags=("-ffunction-sections")
849	cflags+=("-fdata-sections")
850	[[ $REPLACE -eq 0 ]] && cflags+=("-DKLP_NO_REPLACE")
851
852	cmd=("make")
853	if [[ -v VERBOSE ]]; then
854		cmd+=("V=1")
855	else
856		cmd+=("-s")
857	fi
858	cmd+=("-j$JOBS")
859	cmd+=("--directory=.")
860	cmd+=("M=$KMOD_DIR")
861	cmd+=("KCFLAGS=${cflags[*]}")
862
863	# Build a "normal" kernel module with init.c and the diffed objects
864	"${cmd[@]}"							\
865		1> >(tee -a "$log")					\
866		2> >(tee -a "$log" >&2)
867
868	kmod_file="$KMOD_DIR/$NAME.ko"
869
870	# Save off the intermediate binary for debugging
871	cp -f "$kmod_file" "$kmod_file.orig"
872
873	# Work around issue where slight .config change makes corrupt BTF
874	objcopy --remove-section=.BTF "$kmod_file"
875
876	# Fix (and work around) linker wreckage for klp syms / relocs
877	"$OBJTOOL" klp post-link "$kmod_file" || die "objtool klp post-link failed"
878
879	cp -f "$kmod_file" "$OUTFILE"
880}
881
882
883################################################################################
884
885process_args "$@"
886do_init
887
888if (( SHORT_CIRCUIT <= 2 )); then
889	status "Validating patch(es)"
890	validate_patches
891fi
892
893if (( SHORT_CIRCUIT <= 1 )); then
894	status "Building original kernel"
895	clean_kernel
896	build_kernel "original"
897	status "Copying original object files"
898	copy_orig_objects
899fi
900
901if (( SHORT_CIRCUIT <= 2 )); then
902	status "Fixing patch(es)"
903	fix_patches
904	apply_patches "--silent"
905	status "Building patched kernel"
906	build_kernel "patched"
907	revert_patches
908	status "Copying patched object files"
909	copy_patched_objects
910fi
911
912if (( SHORT_CIRCUIT <= 3 )); then
913	status "Generating original checksums"
914	generate_checksums "$ORIG_DIR" "$ORIG_CSUM_DIR" "$PATCHED_DIR"
915	status "Generating patched checksums"
916	generate_checksums "$PATCHED_DIR" "$PATCHED_CSUM_DIR"
917fi
918
919if (( SHORT_CIRCUIT <= 4 )); then
920	status "Diffing objects"
921	diff_objects
922	if [[ -v DIFF_CHECKSUM ]]; then
923		status "Finding first changed instructions"
924		diff_checksums
925	fi
926fi
927
928if (( SHORT_CIRCUIT <= 5 )); then
929	status "Building patch module: $OUTFILE"
930	build_patch_module
931fi
932
933status "SUCCESS"
934