1#!/bin/bash 2# SPDX-License-Identifier: GPL-2.0 3# 4# Build a livepatch module 5 6# shellcheck disable=SC1090,SC2155,SC2164 7 8if (( BASH_VERSINFO[0] < 4 || \ 9 (BASH_VERSINFO[0] == 4 && BASH_VERSINFO[1] < 4) )); then 10 echo "error: this script requires bash 4.4+" >&2 11 exit 1 12fi 13 14set -o errtrace 15set -o pipefail 16set -o nounset 17 18# Allow doing 'cmd | mapfile -t array' instead of 'mapfile -t array < <(cmd)'. 19# This helps keep execution in pipes so pipefail+ERR trap can catch errors. 20shopt -s lastpipe 21 22unset DEBUG_CLONE DIFF_CHECKSUM SKIP_CLEANUP VERBOSE XTRACE 23 24REPLACE=1 25SHORT_CIRCUIT=0 26JOBS="$(getconf _NPROCESSORS_ONLN)" 27shopt -o xtrace | grep -q 'on' && XTRACE=1 28 29# Avoid removing the previous $TMP_DIR until args have been fully processed. 30KEEP_TMP=1 31 32SCRIPT="$(basename "$0")" 33SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" 34FIX_PATCH_LINES="$SCRIPT_DIR/fix-patch-lines" 35 36OBJTOOL="$PWD/tools/objtool/objtool" 37CONFIG="$PWD/.config" 38TMP_DIR="$PWD/klp-tmp" 39 40ORIG_DIR="$TMP_DIR/orig" 41PATCHED_DIR="$TMP_DIR/patched" 42DIFF_DIR="$TMP_DIR/diff" 43KMOD_DIR="$TMP_DIR/kmod" 44 45STASH_DIR="$TMP_DIR/stash" 46TIMESTAMP="$TMP_DIR/timestamp" 47PATCH_TMP_DIR="$TMP_DIR/tmp" 48 49KLP_DIFF_LOG="$DIFF_DIR/diff.log" 50 51# Terminal output colors 52read -r COLOR_RESET COLOR_BOLD COLOR_ERROR COLOR_WARN <<< "" 53if [[ -t 1 && -t 2 ]]; then 54 COLOR_RESET="\033[0m" 55 COLOR_BOLD="\033[1m" 56 COLOR_ERROR="\033[0;31m" 57 COLOR_WARN="\033[0;33m" 58fi 59 60grep0() { 61 # shellcheck disable=SC2317 62 command grep "$@" || true 63} 64 65# Because pipefail is enabled, the grep0 helper should be used instead of 66# grep, otherwise a failed match can propagate to an error. 67grep() { 68 echo "error: $SCRIPT: use grep0 or 'command grep' instead of bare grep" >&2 69 exit 1 70} 71 72status() { 73 echo -e "${COLOR_BOLD}$*${COLOR_RESET}" 74} 75 76warn() { 77 echo -e "${COLOR_WARN}warning${COLOR_RESET}: $SCRIPT: $*" >&2 78} 79 80die() { 81 echo -e "${COLOR_ERROR}error${COLOR_RESET}: $SCRIPT: $*" >&2 82 exit 1 83} 84 85declare -a STASHED_FILES 86 87stash_file() { 88 local file="$1" 89 local rel_file="${file#"$PWD"/}" 90 91 [[ ! -e "$file" ]] && die "no file to stash: $file" 92 93 mkdir -p "$STASH_DIR/$(dirname "$rel_file")" 94 cp -f "$file" "$STASH_DIR/$rel_file" 95 96 STASHED_FILES+=("$rel_file") 97} 98 99restore_files() { 100 local file 101 102 for file in "${STASHED_FILES[@]}"; do 103 mv -f "$STASH_DIR/$file" "$PWD/$file" || warn "can't restore file: $file" 104 done 105 106 STASHED_FILES=() 107} 108 109cleanup() { 110 set +o nounset 111 revert_patches 112 restore_files 113 [[ "$KEEP_TMP" -eq 0 ]] && rm -rf "$TMP_DIR" 114 return 0 115} 116 117trap_err() { 118 die "line ${BASH_LINENO[0]}: '$BASH_COMMAND'" 119} 120 121trap cleanup EXIT INT TERM HUP 122trap trap_err ERR 123 124__usage() { 125 cat <<EOF 126Usage: $SCRIPT [OPTIONS] PATCH_FILE(s) 127Generate a livepatch module. 128 129Options: 130 -f, --show-first-changed Show address of first changed instruction 131 -j, --jobs=<jobs> Build jobs to run simultaneously [default: $JOBS] 132 -o, --output=<file.ko> Output file [default: livepatch-<patch-name>.ko] 133 --no-replace Disable livepatch atomic replace 134 -v, --verbose Pass V=1 to kernel/module builds 135 136Advanced Options: 137 -d, --debug Show symbol/reloc cloning decisions 138 -S, --short-circuit=STEP Start at build step (requires prior --keep-tmp) 139 1|orig Build original kernel (default) 140 2|patched Build patched kernel 141 3|diff Diff objects 142 4|kmod Build patch module 143 -T, --keep-tmp Preserve tmp dir on exit 144 145EOF 146} 147 148usage() { 149 __usage >&2 150} 151 152process_args() { 153 local keep_tmp=0 154 local short 155 local long 156 local args 157 local patch 158 159 short="hfj:o:vdS:T" 160 long="help,show-first-changed,jobs:,output:,no-replace,verbose,debug,short-circuit:,keep-tmp" 161 162 args=$(getopt --options "$short" --longoptions "$long" -- "$@") || { 163 echo; usage; exit 164 } 165 eval set -- "$args" 166 167 while true; do 168 case "$1" in 169 -h | --help) 170 usage 171 exit 0 172 ;; 173 -f | --show-first-changed) 174 DIFF_CHECKSUM=1 175 shift 176 ;; 177 -j | --jobs) 178 JOBS="$2" 179 shift 2 180 ;; 181 -o | --output) 182 [[ "$2" != *.ko ]] && die "output filename should end with .ko" 183 OUTFILE="$2" 184 NAME="$(basename "$OUTFILE")" 185 NAME="${NAME%.ko}" 186 NAME="$(module_name_string "$NAME")" 187 shift 2 188 ;; 189 --no-replace) 190 REPLACE=0 191 shift 192 ;; 193 -v | --verbose) 194 VERBOSE=1 195 shift 196 ;; 197 -d | --debug) 198 DEBUG_CLONE=1 199 keep_tmp=1 200 shift 201 ;; 202 -S | --short-circuit) 203 [[ ! -d "$TMP_DIR" ]] && die "--short-circuit requires preserved klp-tmp dir" 204 keep_tmp=1 205 case "$2" in 206 1 | orig) SHORT_CIRCUIT=1; ;; 207 2 | patched) SHORT_CIRCUIT=2; ;; 208 3 | diff) SHORT_CIRCUIT=3; ;; 209 4 | mod) SHORT_CIRCUIT=4; ;; 210 *) die "invalid short-circuit step '$2'" ;; 211 esac 212 shift 2 213 ;; 214 -T | --keep-tmp) 215 keep_tmp=1 216 shift 217 ;; 218 --) 219 shift 220 break 221 ;; 222 *) 223 usage 224 exit 1 225 ;; 226 esac 227 done 228 229 if [[ $# -eq 0 ]] && (( SHORT_CIRCUIT <= 2 )); then 230 usage 231 exit 1 232 fi 233 234 KEEP_TMP="$keep_tmp" 235 PATCHES=("$@") 236 237 for patch in "${PATCHES[@]}"; do 238 [[ -f "$patch" ]] || die "$patch doesn't exist" 239 done 240} 241 242# temporarily disable xtrace for especially verbose code 243xtrace_save() { 244 [[ -v XTRACE ]] && set +x 245 return 0 246} 247 248xtrace_restore() { 249 [[ -v XTRACE ]] && set -x 250 return 0 251} 252 253validate_config() { 254 xtrace_save "reading .config" 255 source "$CONFIG" || die "no .config file in $(dirname "$CONFIG")" 256 xtrace_restore 257 258 [[ -v CONFIG_LIVEPATCH ]] || \ 259 die "CONFIG_LIVEPATCH not enabled" 260 261 [[ -v CONFIG_KLP_BUILD ]] || \ 262 die "CONFIG_KLP_BUILD not enabled" 263 264 [[ -v CONFIG_GCC_PLUGIN_LATENT_ENTROPY ]] && \ 265 die "kernel option 'CONFIG_GCC_PLUGIN_LATENT_ENTROPY' not supported" 266 267 [[ -v CONFIG_GCC_PLUGIN_RANDSTRUCT ]] && \ 268 die "kernel option 'CONFIG_GCC_PLUGIN_RANDSTRUCT' not supported" 269 270 [[ -v CONFIG_AS_IS_LLVM ]] && \ 271 [[ "$CONFIG_AS_VERSION" -lt 200000 ]] && \ 272 die "Clang assembler version < 20 not supported" 273 274 return 0 275} 276 277# Only allow alphanumerics and '_' and '-' in the module name. Everything else 278# is replaced with '-'. Also truncate to 55 chars so the full name + NUL 279# terminator fits in the kernel's 56-byte module name array. 280module_name_string() { 281 echo "${1//[^a-zA-Z0-9_-]/-}" | cut -c 1-55 282} 283 284# If the module name wasn't specified on the cmdline with --output, give it a 285# name based on the patch name. 286set_module_name() { 287 [[ -v NAME ]] && return 0 288 289 if [[ "${#PATCHES[@]}" -eq 1 ]]; then 290 NAME="$(basename "${PATCHES[0]}")" 291 NAME="${NAME%.*}" 292 else 293 NAME="patch" 294 fi 295 296 NAME="livepatch-$NAME" 297 NAME="$(module_name_string "$NAME")" 298 299 OUTFILE="$NAME.ko" 300} 301 302# Hardcode the value printed by the localversion script to prevent patch 303# application from appending it with '+' due to a dirty working tree. 304set_kernelversion() { 305 local file="$PWD/scripts/setlocalversion" 306 local kernelrelease 307 308 stash_file "$file" 309 310 if [[ -n "$(make -s listnewconfig 2>/dev/null)" ]]; then 311 die ".config mismatch, check your .config or run 'make olddefconfig'" 312 fi 313 make syncconfig &>/dev/null || die "make syncconfig failed" 314 315 kernelrelease="$(make -s kernelrelease)" 316 [[ -z "$kernelrelease" ]] && die "failed to get kernel version" 317 318 sed -i "2i echo $kernelrelease; exit 0" scripts/setlocalversion 319} 320 321get_patch_input_files() { 322 local patch="$1" 323 324 grep0 -E '^--- ' "$patch" \ 325 | grep0 -v -e '/dev/null' -e '1969-12-31' -e '1970-01-01' \ 326 | gawk '{print $2}' \ 327 | sed 's|^[^/]*/||' \ 328 | sort -u 329} 330 331get_patch_output_files() { 332 local patch="$1" 333 334 grep0 -E '^\+\+\+ ' "$patch" \ 335 | grep0 -v -e '/dev/null' -e '1969-12-31' -e '1970-01-01' \ 336 | gawk '{print $2}' \ 337 | sed 's|^[^/]*/||' \ 338 | sort -u 339} 340 341get_patch_files() { 342 local patch="$1" 343 344 { get_patch_input_files "$patch"; get_patch_output_files "$patch"; } \ 345 | sort -u 346} 347 348check_unsupported_patches() { 349 local patch 350 351 for patch in "${PATCHES[@]}"; do 352 local files=() 353 354 get_patch_files "$patch" | mapfile -t files 355 356 for file in "${files[@]}"; do 357 case "$file" in 358 lib/*|*/vdso/*|*/realmode/rm/*|*.S) 359 die "${patch}: unsupported patch to $file" 360 ;; 361 esac 362 done 363 done 364} 365 366apply_patch() { 367 local patch="$1" 368 shift 369 local extra_args=("$@") 370 local drift_regex="with fuzz|offset [0-9]+ line" 371 local output 372 local status 373 374 [[ ! -f "$patch" ]] && die "$patch doesn't exist" 375 status=0 376 output=$(patch -p1 --dry-run --no-backup-if-mismatch -r /dev/null "${extra_args[@]}" < "$patch" 2>&1) || status=$? 377 if [[ "$status" -ne 0 ]]; then 378 echo "$output" >&2 379 die "$patch did not apply" 380 elif [[ "$output" =~ $drift_regex ]]; then 381 [[ -v VERBOSE ]] && echo "$output" >&2 382 warn "${patch} applied with fuzz" 383 fi 384 385 APPLIED_PATCHES+=("$patch") 386 patch -p1 --no-backup-if-mismatch -r /dev/null "${extra_args[@]}" --silent < "$patch" 387} 388 389revert_patch() { 390 local patch="$1" 391 local tmp=() 392 393 patch -p1 -R --force --no-backup-if-mismatch -r /dev/null &> /dev/null < "$patch" || true 394 395 for p in "${APPLIED_PATCHES[@]}"; do 396 [[ "$p" == "$patch" ]] && continue 397 tmp+=("$p") 398 done 399 400 APPLIED_PATCHES=("${tmp[@]}") 401} 402 403apply_patches() { 404 local extra_args=("$@") 405 local patch 406 407 for patch in "${PATCHES[@]}"; do 408 apply_patch "$patch" "${extra_args[@]}" 409 done 410} 411 412revert_patches() { 413 local patches=("${APPLIED_PATCHES[@]}") 414 415 for (( i=${#patches[@]}-1 ; i>=0 ; i-- )) ; do 416 revert_patch "${patches[$i]}" 417 done 418 419 APPLIED_PATCHES=() 420} 421 422validate_patches() { 423 check_unsupported_patches 424 apply_patches 425 revert_patches 426} 427 428do_init() { 429 # We're not yet smart enough to handle anything other than in-tree 430 # builds in pwd. 431 [[ ! "$PWD" -ef "$SCRIPT_DIR/../.." ]] && die "please run from the kernel root directory" 432 433 (( SHORT_CIRCUIT <= 1 )) && rm -rf "$TMP_DIR" 434 mkdir -p "$TMP_DIR" 435 436 APPLIED_PATCHES=() 437 438 [[ -x "$FIX_PATCH_LINES" ]] || die "can't find fix-patch-lines" 439 command -v recountdiff &>/dev/null || die "recountdiff not found (install patchutils)" 440 441 validate_config 442 set_module_name 443 set_kernelversion 444} 445 446# Refresh the patch hunk headers, specifically the line numbers and counts. 447refresh_patch() { 448 local patch="$1" 449 local tmpdir="$PATCH_TMP_DIR" 450 local input_files=() 451 local output_files=() 452 453 rm -rf "$tmpdir" 454 mkdir -p "$tmpdir/a" 455 mkdir -p "$tmpdir/b" 456 457 # Get all source files affected by the patch 458 get_patch_input_files "$patch" | mapfile -t input_files 459 get_patch_output_files "$patch" | mapfile -t output_files 460 461 # Copy orig source files to 'a' 462 echo "${input_files[@]}" | xargs cp --parents --target-directory="$tmpdir/a" 463 464 # Copy patched source files to 'b' 465 apply_patch "$patch" "--silent" 466 echo "${output_files[@]}" | xargs cp --parents --target-directory="$tmpdir/b" 467 revert_patch "$patch" 468 469 # Diff 'a' and 'b' to make a clean patch 470 ( cd "$tmpdir" && diff -Nupr a b > "$patch" ) || true 471} 472 473# Copy the patches to a temporary directory, fix their lines so as not to 474# affect the __LINE__ macro for otherwise unchanged functions further down the 475# file, and update $PATCHES to point to the fixed patches. 476fix_patches() { 477 local idx 478 local i 479 480 rm -f "$TMP_DIR"/*.patch 481 482 idx=0001 483 for i in "${!PATCHES[@]}"; do 484 local old_patch="${PATCHES[$i]}" 485 local tmp_patch="$TMP_DIR/tmp.patch" 486 local patch="${PATCHES[$i]}" 487 local new_patch 488 489 new_patch="$TMP_DIR/$idx-fixed-$(basename "$patch")" 490 491 cp -f "$old_patch" "$tmp_patch" 492 refresh_patch "$tmp_patch" 493 "$FIX_PATCH_LINES" "$tmp_patch" | recountdiff > "$new_patch" 494 495 PATCHES[i]="$new_patch" 496 497 rm -f "$tmp_patch" 498 idx=$(printf "%04d" $(( 10#$idx + 1 ))) 499 done 500} 501 502clean_kernel() { 503 local cmd=() 504 505 cmd=("make") 506 cmd+=("--silent") 507 cmd+=("-j$JOBS") 508 cmd+=("clean") 509 510 "${cmd[@]}" 511} 512 513build_kernel() { 514 local build="$1" 515 local log="$TMP_DIR/build.log" 516 local objtool_args=() 517 local cmd=() 518 519 objtool_args=("--checksum") 520 521 cmd=("make") 522 523 # When a patch to a kernel module references a newly created unexported 524 # symbol which lives in vmlinux or another kernel module, the patched 525 # kernel build fails with the following error: 526 # 527 # ERROR: modpost: "klp_string" [fs/xfs/xfs.ko] undefined! 528 # 529 # The undefined symbols are working as designed in that case. They get 530 # resolved later when the livepatch module build link pulls all the 531 # disparate objects together into the same kernel module. 532 # 533 # It would be good to have a way to tell modpost to skip checking for 534 # undefined symbols altogether. For now, just convert the error to a 535 # warning with KBUILD_MODPOST_WARN, and grep out the warning to avoid 536 # confusing the user. 537 # 538 cmd+=("KBUILD_MODPOST_WARN=1") 539 540 if [[ -v VERBOSE ]]; then 541 cmd+=("V=1") 542 else 543 cmd+=("-s") 544 fi 545 cmd+=("-j$JOBS") 546 cmd+=("KCFLAGS=-ffunction-sections -fdata-sections") 547 cmd+=("OBJTOOL_ARGS=${objtool_args[*]}") 548 cmd+=("vmlinux") 549 cmd+=("modules") 550 551 "${cmd[@]}" \ 552 1> >(tee -a "$log") \ 553 2> >(tee -a "$log" | grep0 -v "modpost.*undefined!" >&2) \ 554 || die "$build kernel build failed" 555} 556 557find_objects() { 558 local opts=("$@") 559 560 # Find root-level vmlinux.o and non-root-level .ko files, 561 # excluding klp-tmp/ and .git/ 562 find "$PWD" \( -path "$TMP_DIR" -o -path "$PWD/.git" -o -regex "$PWD/[^/][^/]*\.ko" \) -prune -o \ 563 -type f "${opts[@]}" \ 564 \( -name "*.ko" -o -path "$PWD/vmlinux.o" \) \ 565 -printf '%P\n' 566} 567 568# Copy all .o archives to $ORIG_DIR 569copy_orig_objects() { 570 local files=() 571 572 rm -rf "$ORIG_DIR" 573 mkdir -p "$ORIG_DIR" 574 575 find_objects | mapfile -t files 576 577 xtrace_save "copying orig objects" 578 for _file in "${files[@]}"; do 579 local rel_file="${_file/.ko/.o}" 580 local file="$PWD/$rel_file" 581 local orig_file="$ORIG_DIR/$rel_file" 582 local orig_dir="$(dirname "$orig_file")" 583 584 [[ ! -f "$file" ]] && die "missing $(basename "$file") for $_file" 585 586 mkdir -p "$orig_dir" 587 cp -f "$file" "$orig_dir" 588 done 589 xtrace_restore 590 591 mv -f "$TMP_DIR/build.log" "$ORIG_DIR" 592 touch "$TIMESTAMP" 593} 594 595# Copy all changed objects to $PATCHED_DIR 596copy_patched_objects() { 597 local files=() 598 local opts=() 599 local found=0 600 601 rm -rf "$PATCHED_DIR" 602 mkdir -p "$PATCHED_DIR" 603 604 # Note this doesn't work with some configs, thus the 'cmp' below. 605 opts=("-newer") 606 opts+=("$TIMESTAMP") 607 608 find_objects "${opts[@]}" | mapfile -t files 609 610 xtrace_save "copying changed objects" 611 for _file in "${files[@]}"; do 612 local rel_file="${_file/.ko/.o}" 613 local file="$PWD/$rel_file" 614 local orig_file="$ORIG_DIR/$rel_file" 615 local patched_file="$PATCHED_DIR/$rel_file" 616 local patched_dir="$(dirname "$patched_file")" 617 618 [[ ! -f "$file" ]] && die "missing $(basename "$file") for $_file" 619 620 cmp -s "$orig_file" "$file" && continue 621 622 mkdir -p "$patched_dir" 623 cp -f "$file" "$patched_dir" 624 found=1 625 done 626 xtrace_restore 627 628 (( found == 0 )) && die "no changes detected" 629 630 mv -f "$TMP_DIR/build.log" "$PATCHED_DIR" 631} 632 633# Diff changed objects, writing output object to $DIFF_DIR 634diff_objects() { 635 local log="$KLP_DIFF_LOG" 636 local files=() 637 local opts=() 638 639 rm -rf "$DIFF_DIR" 640 mkdir -p "$DIFF_DIR" 641 642 find "$PATCHED_DIR" -type f -name "*.o" | mapfile -t files 643 [[ ${#files[@]} -eq 0 ]] && die "no changes detected" 644 645 [[ -v DEBUG_CLONE ]] && opts=("--debug") 646 647 # Diff all changed objects 648 for file in "${files[@]}"; do 649 local rel_file="${file#"$PATCHED_DIR"/}" 650 local orig_file="$rel_file" 651 local patched_file="$PATCHED_DIR/$rel_file" 652 local out_file="$DIFF_DIR/$rel_file" 653 local filter=() 654 local cmd=() 655 656 mkdir -p "$(dirname "$out_file")" 657 658 cmd=("$OBJTOOL") 659 cmd+=("klp") 660 cmd+=("diff") 661 (( ${#opts[@]} > 0 )) && cmd+=("${opts[@]}") 662 cmd+=("$orig_file") 663 cmd+=("$patched_file") 664 cmd+=("$out_file") 665 666 if [[ -v DIFF_CHECKSUM ]]; then 667 filter=("grep0") 668 filter+=("-Ev") 669 filter+=("DEBUG: .*checksum: ") 670 else 671 filter=("cat") 672 fi 673 674 ( 675 cd "$ORIG_DIR" 676 [[ -v VERBOSE ]] && echo "cd $ORIG_DIR && ${cmd[*]}" 677 "${cmd[@]}" \ 678 1> >(tee -a "$log") \ 679 2> >(tee -a "$log" | "${filter[@]}" >&2) || \ 680 die "objtool klp diff failed" 681 ) 682 done 683} 684 685# For each changed object, run objtool with --debug-checksum to get the 686# per-instruction checksums, and then diff those to find the first changed 687# instruction for each function. 688diff_checksums() { 689 local orig_log="$ORIG_DIR/checksum.log" 690 local patched_log="$PATCHED_DIR/checksum.log" 691 local -A funcs 692 local cmd=() 693 local line 694 local file 695 local func 696 697 gawk '/\.o: changed function: / { 698 sub(/:$/, "", $1) 699 print $1, $NF 700 }' "$KLP_DIFF_LOG" | mapfile -t lines 701 702 for line in "${lines[@]}"; do 703 read -r file func <<< "$line" 704 if [[ ! -v funcs["$file"] ]]; then 705 funcs["$file"]="$func" 706 else 707 funcs["$file"]+=" $func" 708 fi 709 done 710 711 cmd=("$OBJTOOL") 712 cmd+=("--checksum") 713 cmd+=("--link") 714 cmd+=("--dry-run") 715 716 for file in "${!funcs[@]}"; do 717 local opt="--debug-checksum=${funcs[$file]// /,}" 718 719 ( 720 cd "$ORIG_DIR" 721 "${cmd[@]}" "$opt" "$file" &> "$orig_log" || \ 722 ( cat "$orig_log" >&2; die "objtool --debug-checksum failed" ) 723 724 cd "$PATCHED_DIR" 725 "${cmd[@]}" "$opt" "$file" &> "$patched_log" || \ 726 ( cat "$patched_log" >&2; die "objtool --debug-checksum failed" ) 727 ) 728 729 for func in ${funcs[$file]}; do 730 local -a orig patched 731 paste <(grep0 -E "^DEBUG: .*checksum: $func " "$orig_log") \ 732 <(grep0 -E "^DEBUG: .*checksum: $func " "$patched_log") | 733 while IFS= read -r line; do 734 read -ra orig <<< "${line%%$'\t'*}" 735 read -ra patched <<< "${line#*$'\t'}" 736 737 if [[ ${#patched[@]} -eq 0 ]]; then 738 printf "%s: %s: %s (removed)\n" "${orig[1]%:}" "${orig[3]}" "${orig[-2]}" 739 break 740 elif [[ ${#orig[@]} -eq 0 ]]; then 741 printf "%s: %s: %s (added)\n" "${patched[1]%:}" "${patched[3]}" "${patched[-2]}" 742 break 743 fi 744 745 [[ "${orig[-1]}" == "${patched[-1]}" ]] && continue 746 747 printf "%s: %s: %s" "${orig[1]%:}" "${orig[3]}" "${orig[-2]}" 748 [[ "${orig[-2]}" != "${patched[-2]}" ]] && \ 749 printf " (patched: %s)" "${patched[-2]}" 750 printf "\n" 751 break 752 done || true 753 done 754 done 755} 756 757# Build and post-process livepatch module in $KMOD_DIR 758build_patch_module() { 759 local makefile="$KMOD_DIR/Kbuild" 760 local log="$KMOD_DIR/build.log" 761 local kmod_file 762 local cflags=() 763 local files=() 764 local cmd=() 765 766 rm -rf "$KMOD_DIR" 767 mkdir -p "$KMOD_DIR" 768 769 cp -f "$SCRIPT_DIR/init.c" "$KMOD_DIR" 770 771 echo "obj-m := $NAME.o" > "$makefile" 772 echo -n "$NAME-y := init.o" >> "$makefile" 773 774 find "$DIFF_DIR" -type f -name "*.o" | mapfile -t files 775 [[ ${#files[@]} -eq 0 ]] && die "no changes detected" 776 777 for file in "${files[@]}"; do 778 local rel_file="${file#"$DIFF_DIR"/}" 779 local orig_file="$ORIG_DIR/$rel_file" 780 local orig_dir="$(dirname "$orig_file")" 781 local kmod_file="$KMOD_DIR/$rel_file" 782 local kmod_dir="$(dirname "$kmod_file")" 783 local cmd_file="$kmod_dir/.$(basename "$file").cmd" 784 785 mkdir -p "$kmod_dir" 786 cp -f "$file" "$kmod_dir" 787 788 # Tell kbuild this is a prebuilt object 789 cp -f "$file" "${kmod_file}_shipped" 790 791 # Make modpost happy 792 touch "$cmd_file" 793 794 echo -n " $rel_file" >> "$makefile" 795 done 796 797 echo >> "$makefile" 798 799 cflags=("-ffunction-sections") 800 cflags+=("-fdata-sections") 801 [[ $REPLACE -eq 0 ]] && cflags+=("-DKLP_NO_REPLACE") 802 803 cmd=("make") 804 if [[ -v VERBOSE ]]; then 805 cmd+=("V=1") 806 else 807 cmd+=("-s") 808 fi 809 cmd+=("-j$JOBS") 810 cmd+=("--directory=.") 811 cmd+=("M=$KMOD_DIR") 812 cmd+=("KCFLAGS=${cflags[*]}") 813 814 # Build a "normal" kernel module with init.c and the diffed objects 815 "${cmd[@]}" \ 816 1> >(tee -a "$log") \ 817 2> >(tee -a "$log" >&2) 818 819 kmod_file="$KMOD_DIR/$NAME.ko" 820 821 # Save off the intermediate binary for debugging 822 cp -f "$kmod_file" "$kmod_file.orig" 823 824 # Work around issue where slight .config change makes corrupt BTF 825 objcopy --remove-section=.BTF "$kmod_file" 826 827 # Fix (and work around) linker wreckage for klp syms / relocs 828 "$OBJTOOL" klp post-link "$kmod_file" || die "objtool klp post-link failed" 829 830 cp -f "$kmod_file" "$OUTFILE" 831} 832 833 834################################################################################ 835 836process_args "$@" 837do_init 838 839if (( SHORT_CIRCUIT <= 2 )); then 840 status "Validating patch(es)" 841 validate_patches 842fi 843 844if (( SHORT_CIRCUIT <= 1 )); then 845 status "Building original kernel" 846 clean_kernel 847 build_kernel "original" 848 status "Copying original object files" 849 copy_orig_objects 850fi 851 852if (( SHORT_CIRCUIT <= 2 )); then 853 status "Fixing patch(es)" 854 fix_patches 855 apply_patches "--silent" 856 status "Building patched kernel" 857 build_kernel "patched" 858 revert_patches 859 status "Copying patched object files" 860 copy_patched_objects 861fi 862 863if (( SHORT_CIRCUIT <= 3 )); then 864 status "Diffing objects" 865 diff_objects 866 if [[ -v DIFF_CHECKSUM ]]; then 867 status "Finding first changed instructions" 868 diff_checksums 869 fi 870fi 871 872if (( SHORT_CIRCUIT <= 4 )); then 873 status "Building patch module: $OUTFILE" 874 build_patch_module 875fi 876 877status "SUCCESS" 878