create-diff-object: Add support for CONFIG_X86_KERNEL_IBT #1379
TODO before merging
Then after merging I'll port integration tests to the latest upstream kernel (or Fedora) version.
750229e to e53a551
With IBT enabled, objtool runs on the final linked vmlinux.o object instead of the individual translation units, creating the __pfx symbols at the end. But create-diff-object still runs on the individual .o objects, in which case the __pfx symbols may be missing. Manually detect function padding for that case.

With this change, it should be fine [*] to patch a kernel with CONFIG_X86_KERNEL_IBT enabled.

[*] Unless your patch adds an indirect call to an existing function which doesn't have any other indirect callers, in which case the callee might have been sealed, which will trigger a "Missing ENDBR" warning/panic.

Signed-off-by: Josh Poimboeuf <[email protected]>
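The fallback the commit message describes, working out a function's prefix padding by hand when objtool has not produced a __pfx_ symbol for it, is illustrated by the following added C example; it is not code from this PR or from kpatch. It assumes the padding is 16 single-byte NOPs (0x90) in front of the function and runs on a constructed .text buffer and symbol table.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumption, not taken from the patch: -fpatchable-function-entry=N,N emits N
 * single-byte NOPs (0x90) before each function, which objtool names __pfx_<func>. */
#define PFX_PADDING_BYTES 16
struct sym { const char *name; size_t offset, size; };   /* offset within .text */

/* True if byte `off` of .text lies inside a symbol other than `self`. */
static bool in_other_symbol(const struct sym *syms, size_t n, const struct sym *self, size_t off)
{
    for (size_t i = 0; i < n; i++)
        if (&syms[i] != self && off >= syms[i].offset && off < syms[i].offset + syms[i].size)
            return true;
    return false;
}

/* Prefix padding in front of func: trust a __pfx_ symbol when present; otherwise count
 * unclaimed NOPs right before the function (the fallback the commit message describes).
 * A run shorter than a full prefix is alignment filler, not patchable padding. */
size_t function_padding(const uint8_t *text, const struct sym *syms, size_t n,
                        const struct sym *func)
{
    for (size_t i = 0; i < n; i++)
        if (!strncmp(syms[i].name, "__pfx_", 6) && !strcmp(syms[i].name + 6, func->name))
            return syms[i].size;
    size_t pad = 0;
    while (pad < PFX_PADDING_BYTES && func->offset > pad &&
           text[func->offset - pad - 1] == 0x90 &&
           !in_other_symbol(syms, n, func, func->offset - pad - 1))
        pad++;
    return pad == PFX_PADDING_BYTES ? pad : 0;
}

/* Constructed sample .text and symbol table (toy data, not real kernel code). */
#define NOP8 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
#define BODY 0x55,0x48,0x89,0xe5,0x31,0xc0,0x5d,0xc3   /* push/mov/xor/pop/ret */
const uint8_t sample_text[72] = {
    NOP8, NOP8, /*  0-15: prefix of foo, but no __pfx_foo symbol (the lone .o case) */
    BODY,       /* 16-23: foo */
    BODY,       /* 24-31: baz, directly after foo */
    NOP8,       /* 32-39: 8 alignment NOPs owned by no symbol */
    BODY,       /* 40-47: qux */
    NOP8, NOP8, /* 48-63: __pfx_bar, as objtool emits it on vmlinux.o */
    BODY,       /* 64-71: bar */
};
const struct sym sample_syms[] = { { "foo", 16, 8 }, { "baz", 24, 8 }, { "qux", 40, 8 },
                                   { "__pfx_bar", 48, 16 }, { "bar", 64, 8 } };
const size_t sample_nsyms = sizeof(sample_syms) / sizeof(sample_syms[0]);
```

With this data, foo is detected as padded (16 unclaimed NOPs, no symbol), bar is padded via its __pfx_bar symbol, and baz and qux (no NOPs, or only an 8-byte alignment run) report no padding.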
This isn't quite ready, will reopen later
I deleted the previous comment. Here is the updated one. I am looking into an issue related to IBT with my folk. My current hack works for LTO, but not LTO+IBT. In my tests, I get errors like
I guess we also need some changes in kpatch_create_mcount_sections? Also, I guess CDOing vmlinux.o still takes a very very long time?
I pushed my hack + some debug change here: https://github.com/liu-song-6/kpatch/tree/for-6.4-fb-ibt-test
@liu-song-6: My current thinking is that any solution that runs create-diff-object before objtool is flawed, because create-diff-object converts some relas to klp relas, and objtool doesn't know how to read klp relas so it doesn't have the full picture it needs. That could maybe be fixed by teaching objtool to be able to handle klp relas. I get the feeling that would be complex and fragile but I haven't looked at it much.

Some months back I was working on speeding up create-diff-object on vmlinux.o, but unfortunately other work popped up and that stalled. I don't know if it would ever be fast enough, it probably needs more research.

I've also been thinking about a different approach, which is to teach objtool how to diff binaries. I actually have a POC of that already and it's pretty straightforward. My hope is that if objtool does the diff, then kpatch-build could do the function extraction. Or, maybe even objtool could do the extraction and we could retire kpatch ;-)

I'm sorry this has stalled for so long, but getting IBT working is a big priority for me so I hope to get it done soon.
My hack for LTO is to run objtool first on special .o files then run create-diff-object on them. AFAICT, it works when there is no IBT. Do we need to CDO vmlinux.o for IBT w/o LTO? If so, I guess we also need to improve the speed of CDO?