LivePatch/Example/XSA-182
Contents
How to enable Livepatching
Xen 4.7 implements v1 of the Live Patch Design.
The code for hypervisor is NOT enabled by default. When compiling the hypervisor one must enable it to build it.
It can be done by enabling CONFIG_LIVEPATCH=y via make menuconfig:
$ git clone git://xenbits.xen.org/xen.git
$ git checkout RELEASE-4.7.0
$ cd xen/xen
$ make menuconfig
And selecting Common Features|Live Patch live patching support.
It is marked as TECH PREVIEW.
Once you have it built and booted, you can verify that Live Patch works via:
$ xen-livepatch list
ID | status
---------------------------------------- ------------
If you see:
$ xen-livepatch list
ID | status
---------------------------------------- ------------
Failed to list 0/0: 38(Function not implemented)!
Then the hypervisor does NOT have Live Patching built in.
NOTE: The tool to patch/load/etc called xen-livepatch is part of the Xen source tree.
Build XSA hot-patches
To build hot-patches aka payloads aka binary fixes against the hypervisor, you need
- Xen hypervisor which supports Live Patch hypercalls.
- Tool to build binary fixes against hypervisor.
- Your source of Xen in a temporary directory.
- Build-id of the hypervisor you are compiling against.
- The .config the hypervisor was built with.
- The XSA-182 patch.
The tool is available at:
git://xenbits.xen.org/livepatch-build-tools.git
NOTE: The payload MUST be compiled with the same GCC version which the hypervisor was built. To find the version run:
# xl info | grep cc_compiler
cc_compiler : gcc (GCC) 4.4.7 20120313 (Red Hat 4.4.7-16)
Figure out source of hypervisor.
This documents assumes you have installed RELEASE-4.7.0 Xen with CONFIG_LIVEPATCH=y enabled.
# xl info | grep xen_changeset
$ Mon Junl 20 11:38:15 2016 0100 git:9a6cc4f
The 9a6cc4f commit is the RELEASE-4.7.0 tag in Xen source code. Your commit may be different if you have extra patches on top.
Figure out the build-id of hypervisor.
The build-id in this example is 9b619b5e9ab1a738123d43f5ece13c5dd8daefdc but it will be different on each build. One can extract this by:
# xl info | grep build_id
build_id : 9b619b5e9ab1a738123d43f5ece13c5dd8daefdc
(This build-id is used to keep track of payloads dependencies and make sure they are built against the correct hypervisor built).
The .config
Usually it is in /boot/xen-4.7.0.config.
Source of hypervisor - Clone your sources in a temporary directory.
We will need a temporary location to build the payload patches against.
$ cd /tmp/
$ git clone git://xenbits.xen.org/xen.git
$ cd xen
$ git checkout 9a6cc4f
NOTE: git commit 9a6cc4f is the RELEASE-4.7.0 tag. Yours may be different.
Build and get livepatching build tools.
The work flow of the tool is to:
- Build a Xen hypervisor without the patch.
- Build a Xen hypervisor with a patch.
- Compare the two above.
- Create an payload with the difference.
$ cd /tmp
$ git clone git://xenbits.xen.org/livepatch-build-tools.git
$ cd livepatch-build-tools
$ make
NOTE: You may need to have elfutils-libelf (RPM package), or libelf1 (Debian package) installed.
And lastly the exciting part - building the payload.
The patch is assumed to be in $HOME directory.
$ ./livepatch-build -c /boot/xen-4.7.0.config -s /tmp/xen -p $HOME/xsa182-unstable.patch -o xsa182-unstable.build --depends 9b619b5e9ab1a738123d43f5ece13c5dd8daefdc
'''NOTE''' Don’t blindly plug in the build-id value! Use the one your hypervisor is built with.
= Testing out the livepatch. =
Copy the livepatches and test them out:
<syntaxhighlight lang='sh'>
$ # copy xsa*.build/*.livepatch onto the host (or if locally skip this step)
On the host:
# xen-livepatch load xsa182-unstable.livepatch
# xen-livepatch list
ID | status
---------------------------------------- ------------
xsa182-unstable | APPLIED
You can also test that the payload is properly loaded via:
# xl debug-keys x
# xl dmesg
(XEN) build-id: 9b619b5e9ab1a738123d43f5ece13c5dd8daefdc
(XEN) name=xsa182-unstable state=APPLIED(2) ffff82d080409000 (.data=ffff82d08040c000, .rodata=ffff82d08040c000) using 4 pages.
(XEN) mm.c#mod_l4_entry patch ffff82d08017d340(1119) with ffff82d080409280 (1119)
(XEN) mm.c#mod_l1_entry patch ffff82d08017e410(2046) with ffff82d0804096e0 (2046)
(XEN) do_mmu_update patch ffff82d08017ec10(6301) with ffff82d080409ee0 (6291)
(XEN) build-id=b7e6cb62371792f6bc50c644759d2cd8e35b3225
(XEN) depend-on=9b619b5e9ab1a738123d43f5ece13c5dd8daefdc
NOTE The buildid of the payload is b7e6cb62371792f6bc50c644759d2cd8e35b3225. If you are going to build other payloads on top of this XSA use this build-id instead of the hypervisor one.
That is it. Please setup at your convenience your maintenance window.
Support in older Xen versions for Live Patching
Xen 4.4
There is a backport to Xen 4.4.3 which is located at:
git://xenbits.xen.org/people/konradwilk/xen.git livepatch.backport_to.v4.4.3
Xen 4.4 did not use Kconfig, and CONFIG_LIVEPATCH is hardcoded to be enabled in the Makefile. To use it with livepatch-build-tools you have to use a dummy config:
$ touch /boot/xen-4.4.3.config
$ ./livepatch-build -c /boot/xen-4.4.3.config -s /tmp/xen -p $HOME/xsa182-4.5.patch -o xsa182-4.5.build --depends 71e9b3db4bd29fef00f0134f12916eaf2d453a88
Also the list of functions to patch is different:
(XEN) 'x' pressed - Dumping all livepatch patches
(XEN) build-id: 71e9b3db4bd29fef00f0134f12916eaf2d453a88
(XEN) name=xsa182 state=APPLIED(2) ffff82d080609000 (.data=ffff82d080612000, .rodata=ffff82d080612000) using 11 pages.
(XEN) mm.c#mmio_ro_emulated_write patch ffff82d08027af50(126) with ffff82d080609000 (126)
(XEN) mm.c#get_pg_owner patch ffff82d08027bc90(281) with ffff82d080609410 (281)
(XEN) mm.c#replace_grant_va_mapping patch ffff82d08027d410(739) with ffff82d080609a00 (739)
(XEN) mm.c#unmark_superpage patch ffff82d08027e3d0(277) with ffff82d08060a2f0 (277)
(XEN) mm.c#__get_page_type patch ffff82d08027e9c0(5691) with ffff82d08060a410 (5691)
(XEN) mm.c#mod_l4_entry patch ffff82d080282340(1209) with ffff82d08060c3a0 (1209)
(XEN) mm.c#mod_l1_entry patch ffff82d080284390(2057) with ffff82d08060e410 (2057)
(XEN) mm.c#ptwr_emulated_update patch ffff82d080286b30(1020) with ffff82d080610760 (1020)
(XEN) mm.c#ptwr_emulated_cmpxchg patch ffff82d080286f30(206) with ffff82d080610b60 (206)
(XEN) mm.c#ptwr_emulated_write patch ffff82d080287000(148) with ffff82d080610c30 (148)
(XEN) put_page patch ffff82d08027b0e0(297) with ffff82d080609080 (297)
(XEN) get_page patch ffff82d08027b210(233) with ffff82d0806091b0 (233)
(XEN) steal_page patch ffff82d08027bde0(716) with ffff82d080609530 (716)
(XEN) donate_page patch ffff82d08027ccc0(512) with ffff82d080609800 (512)
(XEN) free_page_type patch ffff82d08027d860(1535) with ffff82d080609cf0 (1535)
(XEN) get_superpage patch ffff82d080280ce0(404) with ffff82d08060ba50 (404)
(XEN) create_grant_host_mapping patch ffff82d080281b90(1959) with ffff82d08060bbf0 (1959)
(XEN) new_guest_cr3 patch ffff82d080282800(685) with ffff82d08060c860 (685)
(XEN) do_mmuext_op patch ffff82d080282ab0(6392) with ffff82d08060cb10 (6392)
(XEN) do_mmu_update patch ffff82d080285040(6885) with ffff82d08060ec20 (6974)
(XEN) replace_grant_host_mapping patch ffff82d0802870a0(1942) with ffff82d080610cd0 (1942)
(XEN) build-id=067df4809fce1344b7ca7e9b4ccc7373f4a68c5e
(XEN) depend-on=71e9b3db4bd29fef00f0134f12916eaf2d453a88
Questions, comments:
Please send them to the Xen Security member (who is also the maintainer of the livepatch-build_tools), Konrad Rzeszutek Wilk konrad.wilk@oracle.com
Version of this document.
This is version 1.
