
klp-build(1) General Commands Manual klp-build(1)

NAME

klp-build - the kernel livepatching creation tool

SYNOPSIS

klp-build <command> [-h] [-n NAME] [--filter FILTER] [--experimental]

DESCRIPTION

klp-build is a tool meant for automating the whole process of creating and testing livepatches for the Linux kernel. To reduce the burden of livepatch development, klp-build is also capable of checking which codestreams are vulnerable, batching multiple codestreams in parallel, and remotely building and running tests.

OPTIONS

Generic options available for all commands:

-h
Show command's help message and exit.
-n NAME
The livepatch name. This will be the directory name of the resulting livepatches.
--filter FILTER
SLE specific. List of accepted codestreams. Must be specified in regex format. Example: "15.3u[0-9]+|15.6u0"
--experimental
Enables functions that may not work as expected yet.
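
Because the codestream filter is a regular expression, an unescaped "." or a missing anchor can select more codestreams than intended. The following is an added example, not part of klp-build: it previews a filter against constructed codestream names, and since this page does not state whether klp-build matches the whole name or a substring, it reports both.

```python
import re

# Constructed codestream names in the "<version>u<update>" form that the
# page's filter examples imply; sample data, not output from klp-build.
SAMPLE_CODESTREAMS = ["12.5u40", "15.3u1", "15.3u12", "15.6u0", "15.6u01", "15x3u1"]


def preview_filter(pattern, codestreams=SAMPLE_CODESTREAMS):
    """Return (exact, loose_only) for a codestream filter regex.

    exact      : names the pattern matches in full (re.fullmatch)
    loose_only : names matched only as a substring (re.search), i.e. the
                 extra selections an unanchored matcher would make
    """
    rx = re.compile(pattern)
    exact = [cs for cs in codestreams if rx.fullmatch(cs)]
    loose = [cs for cs in codestreams if rx.search(cs)]
    return exact, [cs for cs in loose if cs not in exact]


def escape_dots(pattern):
    """Escape every bare '.' so it matches a literal dot.

    Only suitable for filters in which no '.' is meant as a wildcard;
    dots that are already written as '\\.' are left untouched.
    """
    return re.sub(r"(?<!\\)\.", r"\\.", pattern)


if __name__ == "__main__":
    page_example = "15.3u[0-9]+|15.6u0"  # filter example taken from this page
    for pat in (page_example, escape_dots(page_example)):
        exact, loose_only = preview_filter(pat)
        print(f"{pat!r}: exact={exact} substring-only={loose_only}")
```

With the page's example filter, the constructed name "15x3u1" is selected because "." matches any character; the escaped form drops it.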

COMMANDS

During the setup, klp-build analyzes each codestream in order to identify those affected by the indicated CVE. Note that in this phase a lot of per-codestream data is generated and stored for future use.
SLE specific. The CVE assigned to this livepatch.
The kernel CONFIG used to build the object to be livepatched.
SLE specific. Do not check for already patched codestreams, do the setup for all non filtered codestreams.
The path where source files and modules will be found.
SLE specific. Codestreams affected by the CVE. Can be used as a regex, like, "15.u[34]".
File and functions to be livepatched. Can be set multiple times. The format is: --file-funcs file/path.c func1 func2... --file-funcs file/patch2.c func1 func2...
Module, file and functions to be livepatched. Can be set multiple times. The format is: --mod-file-funcs module1 file/path.c func1 func2... --mod-file-funcs module2 file/patch2.c func1 func2...
Conf, module, file and functions to be livepatched. Can be set multiple times. The format is: --conf-mod-file-funcs conf1 module1 file/path.c func1 func2... --conf-mod-file-funcs conf2 module2 file/patch2.c func1 func2...
The module that will be livepatched for all files. If empty, vmlinux will be livepatched instead.
SLE specific. Supported architectures for this livepatch.
SLE specific. List of excluded codestreams. Must be specified in regex format. Example: "15.3u[0-9]+|15.6u0"

check-inline

SLE specific. Codestream to check the inlined symbol.
File to be checked.
Symbol to be found.
In this phase klp-build creates the livepatch for each affected codestream based on the data generated during the setup. Results may differ greatly depending on the back-end tool selected for the livepatch creation.
Functions to be copied into the livepatch instead of externalizing them. Useful to make sure to include symbols that are optimized in different architectures.
Apply patches found by get-patches command, if they exist.
Choose between klp-ccp(1) and clang-extract(1) back-ends.
Number of processes for klp-ccp(1) and clang-extract(1). Default: 4.
Don't exit clang-extract(1) if an error is detected when extracting the code. Should be used in cases like extracting tracepoints or other code that is usually problematic.
cs-diff
SLE specific. Apply diff on two different codestreams.
Choose between klp-ccp(1) and clang-extract(1).
SLE specific. Extract patches from kgraft-patches (see the SEE ALSO section).
Version to be added, like vX.
Find and list the kernel versions with a backported fix to the indicated CVE.
SLE specific. CVE number to search for related backported patches.
SLE specific. Remove livepatch packages from SUSE's Build Service.
Generates a tar archive per supported architecture containing scripts and files that can later be used to run tests in the desired test benches.
SLE specific. Push the generated livepatch packages to SUSE's Build Service. By doing so, klp-build can automate the building phase for each codestream and architecture.
Wait until all codestreams builds are finished.
SLE specific. Check the status of the livepatch building phase initiated by the push command.
Wait until all codestreams builds are finished.
SLE specific. Get build logs from SUSE's Build Service.
The codestream to get the log from.
Build architecture.

FILES

~/.config/klp-build/config
Personal configuration file
~/klp/livepatches
Default directory where the livepatch data will be placed, including the data generated by the different stages of the livepatch creation
~/klp/data
Default directory where the downloaded source code will be placed

EXAMPLES

Check if the codestreams for SLE 15.5 x86_64 and ppc64le are affected by CVE-2022-1048. This CVE affects snd_pcm_attach_substream() and snd_pcm_detach_substream() functions, located in the kernel module snd-pcm.

$ klp-build setup --name bsc1197597 --cve 2022-1048 --mod snd-pcm --conf CONFIG_SND_PCM --file-funcs sound/core/pcm.c snd_pcm_attach_substream snd_pcm_detach_substream --codestreams '15.5' --archs x86_64 ppc64le

SEE ALSO

SUSE's kgraft-patches public repository: https://github.com/SUSE/kernel-livepatch

SUSE's kernel-source public repository: https://github.com/SUSE/kernel-source

klp-ccp(1) clang-extract(1)

AUTHOR

Contributors to the klp-build project. See the project’s GIT history for the complete list.

DISTRIBUTION

The latest version of klp-build may be downloaded from https://github.com/SUSE/klp-build