diff --git a/README.md b/README.md index 89a21248aa853423e5e42822bd362f12207c3c1b..5996e591332f72082d2a2f49bd06c056b8db187a 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # kpatch-build -#### 介绍 +## 介绍 kpatch-build 是一款热补丁制作工具,可在不重启系统和中断业务的情况下对操作系统内核进行CVE和Bug修复。 支持架构: 
@@ -10,78 +10,70 @@ X86,ARM64 #### 软件架构 软件架构说明 -![输入图片说明](image.png) +![软件架构说明](image.png) -#### 安装教程 +## 安装教程 教程以龙蜥操作系统Anolis OS 8.6,内核版本4.19.91-26.4.an8.x86_64为例说明热补丁制作全流程。 -1.安装软件包 - +### 1.安装软件包 +``` yum install -y make gcc patch bison flex openssl-devel elfutils elfutils-devel dwarves bc perl - +``` 在制作热补丁过程中出现命令或头文件找不到,可以根据出错提示安装对应软件包即可。 +### 2.下载kernel-debuginfo,kernel-devel,kernel source -2.下载kernel-debuginfo,kernel-devel,kernel source - -源代码下载地址: https://anas.openanolis.cn/errata/detail/ANSA-2022:0692 - -debuginfo地址:https://mirrors.aliyun.com/anolis/8.6/Plus/x86_64/debug/Packages/?spm=a2c6h.25603864.0.0.3b5a47ca8f4z6h - -kernel-devel: https://anas.openanolis.cn/errata/detail/ANSA-2022:0692 +源代码下载地址: [https://anas.openanolis.cn/errata/detail/ANSA-2022:0692](https://anas.openanolis.cn/errata/detail/ANSA-2022:0692) +debuginfo地址:[https://mirrors.aliyun.com/anolis/8.6/Plus/x86_64/debug/Packages/](https://mirrors.aliyun.com/anolis/8.6/Plus/x86_64/debug/Packages/) +kernel-devel: [https://anas.openanolis.cn/errata/detail/ANSA-2022:0692](https://anas.openanolis.cn/errata/detail/ANSA-2022:0692) 分别解压三个软件包(rpm2cpio xxx.rpm | cpio -div),依次提取出vmlinux, .config和kernel source,并放置在同一个目录。 -3.下载kpatch-build - +### 3.下载kpatch-build +``` wget https://gitee.com/anolis/kpatch-build/repository/archive/master.zip +``` - -4.编译kpatch-build +### 4.编译kpatch-build 解压master.zip,并编译安装kpatch-build +``` +make BUILDMOD=no && make install +``` -make BUILDMOD=no - -make install - - -5.制作热补丁 - - +### 5.制作热补丁 +``` kpatch-build -n kpatch-test -s /root/hotfix/linux-4.19.91-26.4.an7 -c /root/hotfix/.config -v /root/hotfix/vmlinux -o /root/hotfix/output/ -dddddd -R /root/hotfix/test-livepatch.patch - +``` 其中: - +``` +-n 补丁名称 -s:指向源代码目录 - -c: config文件 - -v: vmlinux文件 - -o: 产物输出目录 - test-livepatch.patch:补丁文件 - -#### 使用说明 - +-d: 输出debug信息 +``` +## 使用说明 +热补丁中自带kpatch管理工具 加载热补丁: - +``` kpatch load kpatch-test.ko - +``` 卸载热补丁: - +``` kpatch unload kpatch-test.ko - +``` 热补丁列表: - +``` kpatch list - +``` 
#### 参与贡献 1. Fork 本仓库 2. 新建 Feat_xxx 分支 3. 提交代码 -4. 新建 Pull Request \ No newline at end of file +4. 新建 Pull Request diff --git a/kmod/patch/patch-hook.c b/kmod/patch/patch-hook.c index ff314d9403ea927852b30c6e28a67b834b56d9a7..2b080a98bc1f8371e3edaf83686092b3650e4f7d 100644 --- a/kmod/patch/patch-hook.c +++ b/kmod/patch/patch-hook.c @@ -17,7 +17,7 @@ * 02110-1301, USA. */ -#if IS_ENABLED(CONFIG_LIVEPATCH) +#if IS_ENABLED(CONFIG_LIVEPATCH) && (USE_KLP == 1) #include "livepatch-patch-hook.c" #else #include "kpatch-patch-hook.c" diff --git a/kpatch-build/kpatch-build b/kpatch-build/kpatch-build index 2afb3a1f34e58fddfca5de56decc9aa695dcd5ab..1d45ab3fb1350cc0faea55a3c46ad6f507fe1370 100755 --- a/kpatch-build/kpatch-build +++ b/kpatch-build/kpatch-build @@ -57,6 +57,7 @@ declare -a PATCH_LIST APPLIED_PATCHES=0 OOT_MODULE= KLP_REPLACE=0 +KPATCH_MODULE_ENABLE=0 GCC="${CROSS_COMPILE:-}gcc" CLANG="${CROSS_COMPILE:-}clang" @@ -716,7 +717,7 @@ usage() { echo " (not recommended)" >&2 } -options="$(getopt -o ha:r:s:c:v:j:t:n:o:dR -l "help,archversion:,sourcerpm:,sourcedir:,config:,vmlinux:,jobs:,target:,name:,output:,oot-module:,oot-module-src:,debug,skip-gcc-check,skip-compiler-check,skip-cleanup,non-replace" -- "$@")" || die "getopt failed" +options="$(getopt -o ha:r:s:c:v:j:t:n:o:dR -l "help,archversion:,sourcerpm:,sourcedir:,config:,vmlinux:,jobs:,target:,name:,output:,oot-module:,oot-module-src:,debug,skip-gcc-check,skip-compiler-check,skip-cleanup,non-replace,use-kpatch-module" -- "$@")" || die "getopt failed" eval set -- "$options" @@ -791,6 +792,10 @@ while [[ $# -gt 0 ]]; do echo "Skipping cleanup" SKIPCLEANUP=1 ;; + --use-kpatch-module) + echo "Enable kpatch module" + KPATCH_MODULE_ENABLE=1 + ;; --skip-gcc-check) echo "DEPRECATED: --skip-gcc-check is deprecated, use --skip-compiler-check instead" ;& 
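Review bot: The new `(USE_KLP == 1)` test in the `#if` treats an undefined `USE_KLP` as 0, so any build that does not receive the `-DUSE_KLP=...` flag from kpatch-build silently selects `kpatch-patch-hook.c`, even on a kernel with CONFIG_LIVEPATCH. This file decides which patching mechanism the module is built around, so it is safer to fail loudly: put `#ifndef USE_KLP` / `#error "USE_KLP must be defined to 0 or 1 by the build"` / `#endif` ahead of the `#if`. A short comment on the condition naming who sets the macro would also help, e.g. `/* USE_KLP is passed in by kpatch-build through CFLAGS_MODULE */`.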
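Review bot: `use-kpatch-module` is added to the getopt long-option list, but the tail of usage() visible at the top of this hunk is unchanged and no hunk in this diff adds a help line, so `--help` presumably does not mention the option. usage() begins outside the hunk, so confirm there; if it is missing, add a line such as `echo "		--use-kpatch-module     Build a kpatch-module patch even if the kernel supports livepatch" >&2`. The flag changes which in-kernel patching mechanism the output module relies on, so it should be discoverable and its effect stated.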
@@ -856,7 +861,7 @@ if [[ -n "$USERSRCDIR" ]]; then if [[ -z "$ARCHVERSION" ]] && [[ -f "$CONFIGFILE" ]]; then ARCHVERSION="$(kernel_version_from_config)" fi - sed -i "s/^EXTRAVERSION.*/EXTRAVERSION = -${ARCHVERSION##*-}/" "$KERNEL_SRCDIR/Makefile" || die + sed -i "s/^EXTRAVERSION.*/EXTRAVERSION = -${ARCHVERSION##*-}/" "$KERNEL_SRCDIR/Makefile" || die fi fi @@ -1050,7 +1055,8 @@ KPATCH_LDFLAGS="" USE_KLP=0 USE_KLP_ARCH=0 -if [[ -n "$CONFIG_LIVEPATCH" ]] && (kernel_is_rhel || kernel_version_gte 4.9.0); then +# support kpatch module when user want kpatch module in greater version of kernel +if [[ $KPATCH_MODULE_ENABLE -eq 0 ]] && [[ -n "$CONFIG_LIVEPATCH" ]] && (kernel_is_rhel || kernel_version_gte 4.9.0); then USE_KLP=1 @@ -1156,7 +1162,7 @@ fi # shellcheck disable=SC2086 make "${MAKEVARS[@]}" "-j$CPUS" $TARGETS 2>&1 | logger || die -if [[ -n "$CONFIG_LIVEPATCH" ]]; then +if [[ -n "$CONFIG_LIVEPATCH" ]] && [[ $USE_KLP -eq 1 ]]; then if new_use_klp_arch; then USE_KLP_ARCH=1 KPATCH_LDFLAGS="--unique=.parainstructions --unique=.altinstructions" @@ -1366,6 +1372,7 @@ if [[ "$USE_KLP" -eq 1 ]]; then touch "$TEMPDIR"/patch/.output.o.cmd || die else # Add .kpatch.checksum for kpatch script + echo "Addind .kpatch.checksum" md5sum ../patch/tmp_output.o | awk '{printf "%s\0", $1}' > checksum.tmp || die "$OBJCOPY" --add-section .kpatch.checksum=checksum.tmp --set-section-flags .kpatch.checksum=alloc,load,contents,readonly ../patch/tmp_output.o || die rm -f checksum.tmp @@ -1387,6 +1394,13 @@ KPATCH_LDFLAGS="$KPATCH_LDFLAGS" \ CROSS_COMPILE="$CROSS_COMPILE" save_env + +if [[ $USE_KLP -eq 1 ]]; then + export CFLAGS_MODULE=$CFLAGS_MODULE" -DUSE_KLP=1" +else + export CFLAGS_MODULE=$CFLAGS_MODULE" -DUSE_KLP=0" +fi + make "${MAKEVARS[@]}" 2>&1 | logger || die if [[ "$USE_KLP" -eq 1 ]]; then
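Review bot: The comment added above the `USE_KLP` decision is hard to parse, and the new test leaves `$KPATCH_MODULE_ENABLE` unquoted while the surrounding script writes `[[ "$USE_KLP" -eq 1 ]]`. I would write `# --use-kpatch-module forces the kpatch-module path even when the kernel supports livepatch` and `[[ "$KPATCH_MODULE_ENABLE" -eq 0 ]]`. The same unquoted form is used in the next hunk (`[[ $USE_KLP -eq 1 ]]`) and in the `if [[ $USE_KLP -eq 1 ]]` of the last hunk. The body of this `if` continues outside the hunk.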
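Review bot: The progress message added in the `else` branch is misspelled: `echo "Addind .kpatch.checksum"` should be `echo "Adding .kpatch.checksum"`. Other build steps in this script pipe their output through `logger`, so it is worth checking whether this message should reach the build log the same way rather than only stdout.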
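Review bot: The `-DUSE_KLP` define reaches the module build only through an exported `CFLAGS_MODULE`, and the export happens after `save_env` has already been called, so presumably it is not part of whatever that function saves. Whether an environment value survives depends on the kernel's top-level Makefile not assigning `CFLAGS_MODULE` itself, which cannot be confirmed from this diff. If it is dropped, `patch-hook.c` sees `USE_KLP` undefined and falls back to the kpatch hook without any error. Passing it on the make command line is more robust and replaces the whole if/else: `make "${MAKEVARS[@]}" "CFLAGS_MODULE=${CFLAGS_MODULE:-} -DUSE_KLP=${USE_KLP}" 2>&1 | logger || die`. The `${CFLAGS_MODULE:-}` form also avoids an unbound-variable abort should the script run under `set -u`, which is not visible here.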