table of contents
| klp-build(1) | General Commands Manual | klp-build(1) |
NAME¶
klp-build - the kernel livepatching creation tool
SYNOPSIS¶
klp-build <command> [-h] [-n NAME] [--filter FILTER]
DESCRIPTION¶
klp-build is a tool meant for automating the whole process of creating and testing livepatches for the Linux kernel (SLE edition). To reduce the burden of livepatch developement, klp-build is also capable of checking which codestreams are vulnerable, batching multiple codestreams in parallel, and remotely building and running tests.
OPTIONS¶
Generic options available for all commands:
- -h, --help
- Show command's help message and exit.
- -n, --name NAME
- The livepatch name. This will be the directory name of the resulting livepatches.
- --filter FILTER
- List of accepted codestreams. Must be specified in regex format. Example: "15.3u[0-9]+|15.6u0"
COMMANDS¶
- scan
- In the scan, klp-build does a shallow analysis of the given CVE, searching for already patched codestreams and reporting those that most likley are still affected by the bug. This subcommand does not store any data, as it is mainly targeted for automation and not for livepatch development. For the latter see the setup subcommand.
- --cve CVE
- The CVE to be analyzed.
- setup
- During the setup, klp-build analysis each codestream in order to identify those affected by the indicated CVE. Note that in this phase a lot of per-codestream data is generated and stored for future use.
- --cve CVE
- The CVE assigned to this livepatch.
- --conf CONF
- The kernel CONFIG used to build the object to be livepatched.
- --no-check
- Do not check for already patched codestreams, do the setup for all non filtered codestreams.
- --codestreams CODESTREAMS
- Codestreams affected by the CVE. Can be used as a regex, like, "15.u[34]".
- --file-funcs [FILE_FUNCS ...]
- File and functions to be livepatched. Can be set multiple times. The format is: --file-funcs file/path.c func1 func2... --file-funcs file/patch2.c func1 func2...
- --mod-file-funcs [MOD_FILE_FUNCS ...]
- Module, file and functions to be livepatched. Can be set multiple times. The format is: --mod-file-funcs module1 file/path.c func1 func2... --mod-file-funcs module2 file/patch2.c func1 func2...
- --conf-mod-file-funcs [CONF_MOD_FILE_FUNCS ...]
- Conf, module, file and functions to be livepatched. Can be set multiple times. The format is: --conf-mod-file-funcs conf1 module1 file/path.c func1 func2... --conf-mod-file-funcs conf2 module2 file/patch2.c func1 func2...
- --module MODULE
- The module that will be livepatched for all files. If empty, vmlinux will be livepatched instead.
- --archs {ppc64le,s390x,x86_64} [{ppc64le,s390x,x86_64} ...]
- Supported architectures for this livepatch.
- --skips SKIPS
- List of excluded codestreams. Must be specified in regex format. Example: "15.3u[0-9]+|15.6u0"
check-inline
- --codestreams CODESTREAMS
- Codestream to check the inlined symbol.
- --file FILE
- File to be checked.
- --symbol SYMBOL
- Symbol to be found.
- extract
- In this phase klp-build creates the livepatch for each affected codestream based on the data generated during the setup. Results may differ greatly depending on the back-end tool selected for the livepatch creation.
- --avoid-ext AVOID_EXT [AVOID_EXT ...]
- Functions to be copied into the livepatch instead of externalizing them. Useful to make sure to include symbols that are optimized in different architectures.
- --apply-patches
- Apply patches found by get-patches command, if they exist.
- --codestreams CODESTREAMS CODESTREAMS
- Apply diff on two different codestreams.
- format-patches
- Extract patches from kgraft-patches (see the SEE ALSO section).
- -v , --version VERSION
- Version to be added, like vX.
- get-patches
- Find and list the kernel versions with a backported fix to the indicated CVE.
- --cve CVE
- CVE number to search for related backported patches.
- cleanup
- Remove livepatch packages from SUSE's Build Service.
- prepare-tests
- Generates a tar archive per supported architecture containing scripts and files that can later be used to run tests in the desired test benchs.
- push
- Push the generated livetpatch packages to SUSE's Build Service. By doing so, klp-build can automate the building phase for each codestream and architecture.
- --wait
- Wait until all codestreams builds are finished.
- status
- Check the status of the livepatch building phase initiated by the push command.
- --wait
- Wait until all codestreams builds are finished.
- log
- Get build logs from SUSE'S Build Service.
- --cs CS
- The codestream to get the log from.
- --arch {ppc64le,s390x,x86_64}
- Build architecture.
FILES¶
- ~/.config/klp-build/config
- Personal configuration file
- ~/klp/livepatches
- Default directory where the livepatch data will be placed, including the data generated by the different stages of the livepatch creation
- ~/klp/data
- Default directory where the dowloaded source code will be placed
EXAMPLES¶
Check if the codestreams for SLE 15.5 x86_64 and ppc64le are affected by CVE-2022-1048. This CVE affects snd_pcm_attach_substream() and snd_pcm_detach_substream() functions, located in the kernel module snd-pcm.
- $ klp-build setup --name bsc1197597 --cve 2022-1048 --mod snd-pcm --conf CONFIG_SND_PCM --file-funcs sound/core/pcm.c snd_pcm_attach_substream snd_pcm_detach_substream --codestreams '15.5' --archs x86_64 ppc64le
SEE ALSO¶
SUSE's kgraft-patches public repository: https://github.com/SUSE/kernel-livepatch
SUSE's kernel-source public repository: https://github.com/SUSE/kernel-source
klp-ccp(1)
AUTHOR¶
Contributors to the klp-build project. See the project’s GIT history for the complete list.
DISTRIBUTION¶
The latest version of klp-build may be downloaded from https://github.com/SUSE/klp-build