SUSE/klp-build

klp-build

klp-build is the kernel livepatching creation tool. It is designed to automate the entire process of creating and testing livepatches for the Linux kernel (specifically SUSE Linux Enterprise editions).

In addition to building livepatches, klp-build reduces the development burden by checking which codestreams are vulnerable, batching multiple codestreams in parallel, and handling remote building and testing.

Installation

To install the project and its dependencies, use pipx:

pipx install .

Or via zypper on openSUSE distributions:

sudo zypper ar https://download.opensuse.org/repositories/home:/vmezzela:/klp-tools/openSUSE_Factory/ klp-tools
sudo zypper ref
sudo zypper in --repo klp-tools klp-build

Configuration

klp-build reads a per-user configuration file located at ~/.config/klp-build/config. It is an INI-style file of key=value entries; the path settings below live under a [Paths] section, as in the example config.

Mandatory Variables

Variable        | Description                                                                                                        | Default
----------------|--------------------------------------------------------------------------------------------------------------------|------------------
work_dir        | Path to the directory where livepatch data and code will be placed (including generated artifacts).               | ~/klp/livepatches
data_dir        | Path to the directory where downloaded kernel sources and binaries will be placed.                                 | ~/klp/data
kernel_dir      | Path to the SUSE kernel local repository.                                                                          | N/A
kernel_src_dir  | Path to the SUSE kernel-source local repository. Used to check if codestreams already contain the fix.             | N/A
kgr_patches_dir | Path to the SUSE kgraft_patches local repository. Contains all the released livepatches for each codestream.       | N/A

Example Config:

[Paths]
work_dir=/home/user/klp/livepatches
data_dir=/home/user/klp/data
kernel_dir=/home/user/repos/kernel
kernel_src_dir=/home/user/repos/kernel-source
kgr_patches_dir=/home/user/repos/kgr_patches
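The following is an added example, not code from klp-build, showing how a loader for this [Paths] file can apply the documented defaults for work_dir and data_dir and refuse to run when a key without a default (kernel_dir, kernel_src_dir, kgr_patches_dir) is missing. The key set and defaults come from the table above; the function names and the rejection of unknown keys are this example's own choices.

```python
import configparser
from pathlib import Path

# Location documented on this page.
DEFAULT_CONFIG = Path("~/.config/klp-build/config")

# Keys from the Mandatory Variables table; None means no default (must be set).
PATH_KEYS = {
    "work_dir": "~/klp/livepatches",
    "data_dir": "~/klp/data",
    "kernel_dir": None,
    "kernel_src_dir": None,
    "kgr_patches_dir": None,
}


def parse_config_text(text: str) -> dict[str, Path]:
    """Parse the INI-style config and return every path key, fully resolved.

    Raises ValueError on a missing [Paths] section, a key that is not in
    the table (typos would otherwise silently fall back to the default), or
    a key without a default that was left unset.
    """
    parser = configparser.ConfigParser()
    parser.read_string(text)
    if not parser.has_section("Paths"):
        raise ValueError("config has no [Paths] section")
    section = parser["Paths"]

    unknown = sorted(set(section) - set(PATH_KEYS))
    if unknown:
        raise ValueError(f"unknown keys in [Paths]: {unknown}")

    resolved: dict[str, Path] = {}
    missing = []
    for key, default in PATH_KEYS.items():
        value = section.get(key, default)
        if value is None or not value.strip():
            missing.append(key)
            continue
        resolved[key] = Path(value).expanduser()
    if missing:
        raise ValueError(f"mandatory keys missing from [Paths]: {missing}")
    return resolved


def load_config(path: Path = DEFAULT_CONFIG) -> dict[str, Path]:
    """Read the per-user config file (assumed location) and parse it."""
    return parse_config_text(path.expanduser().read_text())
```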

Usage

Synopsis

klp-build [-h] [-v] [-V] <command> [-h] [-n NAME] [--filter FILTER]

Global Options

* -h, --help: Show the help message and exit.
* -v, --verbose: Produce more verbose output.
* -V, --version: Show the version number and exit.
* -n, --name NAME: The livepatch name. This corresponds to the directory name of the resulting livepatches.
* --filter FILTER: A regex list of accepted codestreams.
  * *Example:* '15.3u[0-9]+|15.6u0'
  * *Negative Regex Example:* '^(?!12.5u12).*' (filters out specific codestreams).
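To see exactly which codestreams a --filter expression keeps and drops before starting a run, here is an added example (not code from klp-build) that applies both patterns from the list above to a constructed set of codestream names. It assumes the filter is matched against the whole codestream name (re.fullmatch); klp-build's own matching rule is not stated on this page.

```python
import re

# Constructed sample of codestream names in the <release>u<update> form used
# on this page; not taken from a real klp-build run.
SAMPLE_CODESTREAMS = [
    "12.5u12", "12.5u13", "15.3u5", "15.3u12", "15.5u34", "15.6u0", "15.6u1",
]


def filter_codestreams(pattern: str, codestreams: list[str]) -> list[str]:
    """Return the codestreams accepted by a --filter regex.

    Assumption: the pattern must cover the whole name (re.fullmatch), so
    '15.6u0' does not also accept '15.6u01' by prefix.
    """
    rx = re.compile(pattern)
    return [cs for cs in codestreams if rx.fullmatch(cs)]


def dropped_codestreams(pattern: str, codestreams: list[str]) -> list[str]:
    """The complement: what the filter leaves out of the run."""
    kept = set(filter_codestreams(pattern, codestreams))
    return [cs for cs in codestreams if cs not in kept]


if __name__ == "__main__":
    for pat in ("15.3u[0-9]+|15.6u0", "^(?!12.5u12).*"):
        print(pat, "keeps", filter_codestreams(pat, SAMPLE_CODESTREAMS))
        print(pat, "drops", dropped_codestreams(pat, SAMPLE_CODESTREAMS))
```

Note that the unescaped '.' in '12.5u12' matches any character and the negative lookahead also rejects longer names starting with 12.5u12, so review the dropped list rather than trusting the pattern by eye.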

Commands

klp-build uses subcommands to handle different stages of the livepatch lifecycle.

  • setup: Initialize a new livepatch project, identifying vulnerable codestreams and setting up the environment.
  • extract: Extract affected functions using klp-ccp.
  • push: Submit the livepatch project to the Internal Build Service (IBS) for remote building and publication.
  • format-patches: Export the generated livepatches as git patches.

Workflow Examples

1. Setup a Livepatch Project

Use the setup command to create a new livepatch project. klp-build will scan all the backports fixing the given CVE and report all the information required for creating the livepatch: affected files, functions, kernel modules, configurations and target architectures.

klp-build setup --name bsc1197597 --cve 2022-1048

Alternatively, this information can be provided manually: specify the CVE, the kernel module, the kernel configuration option, and the functions to be patched in each file.

klp-build setup \
    --name bsc1197597 \
    --cve 2022-1048 \
    --mod snd-pcm \
    --conf CONFIG_SND_PCM \
    --file-funcs sound/core/pcm.c snd_pcm_attach_substream snd_pcm_detach_substream \
    --archs x86_64 ppc64le

What this does:

  • Finds all the backports fixing the CVE and filters out the kernels already patched.
  • Checks if the configuration CONFIG_SND_PCM is enabled and the module supported.
  • Verifies that each listed symbol is present in the module being livepatched and that it is livepatchable.
  • Performs these checks on all specified architectures (x86_64, ppc64le).

2. Extraction

After setup, use klp-ccp (via the extract command) to extract the defective functions for the livepatch.

klp-build extract --name bsc1197597

Output: the resulting livepatches are placed under your configured work_dir:

<work_dir>/<lp-name>/ccp/<codestream>/lp

3. Building

Once the livepatches have been successfully generated by extract, you can proceed to build them. To ensure a reproducible environment, klp-build uses IBS to remotely compile the livepatches for each supported architecture and kernel version.

klp-build push --name bsc1122334 --wait

Should a build fail, one can check the logs simply by running:

klp-build logs --name bsc112234 --filter "15.5u34" --arch s390x

4. Exporting

Export generated livepatches as git patches from the kgraft-patches repository.

klp-build format-patches --name bsc112234 -v1

The patches will be placed in:

<work_dir>/bsc112234/patches/

Development

To run the test suite:

tox -e tests

Documentation

License

This project is licensed under the GPL-2.0 license.
