Debian: kpatch-prebuilt: support kpatch kernel module prebuilt

Now we provide kpatch-prebuilt to support pre-built livepatch kernel
modules, so that the kpatch kernel modules can be integrated into the
iso image.

TestCases:
After adding this package to the iso, we can boot the iso and execute
the following tests for both rt and std:
    ls -al /var/lib/kpatch/prebuilt-modules/prebuilt-test/*.ko
    kpatch install /var/lib/kpatch/prebuilt-modules/prebuilt-test/xxx.ko
    kpatch load xxx.ko
    'grep -i Chunk /proc/meminfo' to check
    kpatch unload xxx.ko
    'grep -i Chunk /proc/meminfo' to check again
    kpatch uninstall xxx.ko

Once the actual CVE source patch for livepatch(eg: kernel/livepatch/
kpatch-prebuilt/source/kpatch_patches/[std|rt]/CVE-xxxx-yyyy/zzz.patch)
is merged, the prebuilt kernel module will be generated at /var/lib/
kpatch/prebuilt-modules/[std|rt]/*.ko in the rootfs.

Story: 2009221
Task: 45911

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: Ia73901daa513f59861604797a5d4e233d59ef4ae

debian_pkg_dirs

@@ -7,6 +7,7 @@ kernel-modules/intel-igb_uio
 kernel-modules/intel-opae-fpga
 kernel-modules/mlnx-ofa_kernel
 kernel-modules/qat17
+livepatch/kpatch-prebuilt
 userspace/broadcom/libbnxt_re
 userspace/mellanox/rdma-core
 userspace/mellanox/mstflint

debian_pkg_dirs_rt

@@ -7,3 +7,4 @@ kernel-modules/intel-igb_uio
 kernel-modules/intel-opae-fpga
 kernel-modules/mlnx-ofa_kernel
 kernel-modules/qat17
+livepatch/kpatch-prebuilt

livepatch/kpatch-prebuilt/debian/deb_folder/changelog

@@ -0,0 +1,5 @@
+kpatch-prebuilt (0.9.5-1) stable; urgency=medium
+
+  * Initial release.
+
+ -- Zhixiong Chi <zhixiong.chi@windriver.com>  Tue, 22 Feb 2022 07:47:56 +0000

livepatch/kpatch-prebuilt/debian/deb_folder/compat

@@ -0,0 +1 @@
+13

livepatch/kpatch-prebuilt/debian/deb_folder/control

@@ -0,0 +1,31 @@
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. The ASF licenses this
+# file to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+Source: kpatch-prebuilt
+Section: kernel
+Priority: optional
+Maintainer: StarlingX Developers <starlingx-discuss@lists.starlingx.io>
+Build-Depends: python3, openssl, libelf-dev, libssl-dev, debhelper (>= 13), kpatch, kpatch-build, bison, flex, linux@KERNEL_TYPE@-image-5.10.0-6@KERNEL_TYPE@-amd64-unsigned, linux@KERNEL_TYPE@-source-5.10, linux@KERNEL_TYPE@-image-5.10.0-6@KERNEL_TYPE@-amd64-dbg, linux@KERNEL_TYPE@-kbuild-5.10
+
+Package: kpatch-prebuilt@KERNEL_TYPE@
+Architecture: linux-amd64
+Multi-Arch: foreign
+Depends: ${misc:Depends}, ${shlibs:Depends}, kpatch
+Description: Prebuilt Tools for Kpatch and Livepatch
+ kpatch-prebuilt is a tool that can prebuild the livepatch modules from
+ a given patch for both rt and std kernel.
+

livepatch/kpatch-prebuilt/debian/deb_folder/copyright

@@ -0,0 +1,17 @@
+Files:     *
+Copyright: (c) 2022 Wind River Systems, Inc.
+License: Apache-2
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. The ASF licenses this
+ file to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.

livepatch/kpatch-prebuilt/debian/deb_folder/rules

@@ -0,0 +1,44 @@
+#!/usr/bin/make -f
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. The ASF licenses this
+# file to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+#export DH_VERBOSE = 1
+
+KERNELTYPE=@KERNEL_TYPE@
+ifeq ($(KERNELTYPE),-rt)
+    KPATCH_KERNELTYPE=rt
+else
+    KPATCH_KERNELTYPE=std
+endif
+
+PREBUILTDIR=/var/lib/kpatch/prebuilt-modules
+
+%:
+	dh $@
+
+override_dh_auto_build:
+	bash kpatch-prebuilt -t $(KPATCH_KERNELTYPE)
+
+override_dh_auto_install:
+	dh_installdirs $(PREBUILTDIR)/prebuilt-test
+	dh_install prebuilt-modules/prebuilt-test/*.ko $(PREBUILTDIR)/prebuilt-test
+
+
+override_dh_strip:
+	dh_strip
+	find debian -name '*.ko' | xargs strip -g

livepatch/kpatch-prebuilt/debian/deb_folder/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

livepatch/kpatch-prebuilt/debian/meta_data.yaml

@@ -0,0 +1,7 @@
+---
+debver: 0.9.5-1
+serial: true
+src_path: source
+revision:
+  dist: $STX_DIST
+  PKG_GITREVCOUNT: True

livepatch/kpatch-prebuilt/source/kpatch-prebuilt

@@ -0,0 +1,175 @@
+#!/bin/bash
+#
+# kpatch-prebuilt framework
+#
+# Generate the livepatch kernel modules for std and rt kernel
+# types during the packages build.
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. The ASF licenses this
+# file to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+shopt -s nullglob
+set -o pipefail
+
+BINDIR="/usr/bin"
+SRCDIR="/usr/src"
+KPATCHBUILD="${BINDIR}/kpatch-build"
+BASE="$(pwd)"
+MODULESDIR="${BASE}/prebuilt-modules"
+TESTOUTPUTDIR="${MODULESDIR}/prebuilt-test"
+BUILDDIR="${BUILDDIR:-${BASE}/kpatch-prebuild}"
+PATCHDIR="${BASE}/kpatch_patches"
+LOGFILE="${BASE}/kpatch-prebuilt.log"
+CPUS=${MAX_CPUS}
+declare -a PATCHDIR_LIST
+declare -a PATCH_LIST
+DEBUG=0
+SKIPCLEANUP=0
+
+warn() {
+        echo "ERROR: $1" >&2
+}
+
+die() {
+        if [[ -z "$1" ]]; then
+                msg="kpatch-prebuilt build failed"
+        else
+                msg="$1"
+        fi
+
+        if [[ -e "${LOGFILE}" ]]; then
+                warn "${msg}. Check ${LOGFILE} for more details."
+        else
+                warn "${msg}."
+        fi
+
+        exit 1
+}
+
+logger() {
+        local to_stdout=${1:-0}
+
+        if [[ "${DEBUG}" -ge 1 ]] || [[ "${to_stdout}" -eq 1 ]]; then
+                # Log to both stdout and the logfile
+                tee -a "${LOGFILE}"
+        else
+                # Log only to the logfile
+                cat >> "${LOGFILE}"
+        fi
+}
+
+cleanup() {
+	rm -f "${LOGFILE}"
+	unset CACHEDIR
+}
+
+usage() {
+	echo "Usage: $(basename "$0") [options]" >&2
+	echo "		-h, --help              Show this help message" >&2
+	echo "		-d, --debug             Enable 'xtrace' and keep scratch files" >&2
+	echo "					in <LOGFILE>" >&2
+	echo "		-t, --kerneltype        Select the kerneltype to build" >&2
+	echo "		--skip-cleanup		Skip post-build cleanup" >&2
+}
+
+options="$(getopt -o hdt: -l "help,debug,kerneltype,skip-cleanup" -- "$@")" || die "get opt failed"
+
+eval set -- "${options}"
+
+while [[ $# -gt 0 ]]; do
+	case "$1" in
+	-h|--help)
+		usage
+		exit 0
+		;;
+	-d|--debug)
+		DEBUG=$((DEBUG + 1))
+		if [[ ${DEBUG} -eq 1 ]]; then
+			echo "DEBUG mode enabled"
+		fi
+		;;
+	-t|--kerneltype)
+		KPATCH_KERNELTYPE="$2"
+		shift
+		;;
+	--skip-cleanup)
+		echo "Skipping cleanup"
+		SKIPCLEANUP=1
+		;;
+	*)
+		[[ "$1" = "--" ]] && shift && continue
+		[[ -d "$1" ]] && echo "patches directory '$1' not found"
+		PATCHDIR_LIST+=("$(readlink -f "$1")")
+		;;
+	esac
+	shift
+done
+
+if [[ "${KPATCH_KERNELTYPE}" == "rt" ]]; then
+	CONFIGFILE=$(find /boot -name "config-*-amd64" | grep rt)
+else
+	CONFIGFILE=$(find /boot -name "config-*-amd64" | grep -v rt)
+fi
+
+CONFIGFILEBASENAME=${CONFIGFILE##*/}
+ARCHVERSION=${CONFIGFILEBASENAME#config-}
+KEYDIR="${SRCDIR}/kernels/${ARCHVERSION}"
+
+if [[ ${DEBUG} -eq 1 ]]; then
+	set -o xtrace
+fi
+
+# set jobs as 6 by default if there is no env variable MAX_CPUS
+[[ -z "${MAX_CPUS}" ]] && CPUS=6
+
+if [[ "${ARCHVERSION}" =~ rt ]]; then
+	PATCHDIR="${PATCHDIR}/rt"
+	MODULESDIR="${MODULESDIR}/rt"
+else
+	PATCHDIR="${PATCHDIR}/std"
+	MODULESDIR="${MODULESDIR}/std"
+fi
+
+mkdir -p "${BUILDDIR}" | logger || die "Couldn't create ${BUILDDIR}"
+
+export CACHEDIR="${BUILDDIR}"
+
+[[ "${SKIPCLEANUP}" -eq 0 ]] && trap cleanup EXIT INT TERM HUP
+
+cd  "${BUILDDIR}" || die
+
+PATCH_LIST+=($(ls -A "${PATCHDIR}"))
+[[ -n "${PATCH_LIST[*]}" ]] || die "No sub-directory found for livepatch in ${PATCHDIR} "
+
+for dir in "${PATCH_LIST[@]}"; do
+
+	if [[ "${dir}" == "test" ]]; then
+		OUTPUTDIR="${TESTOUTPUTDIR}"
+	else
+		OUTPUTDIR="${MODULESDIR}/${dir}"
+	fi
+
+	mkdir -p "${OUTPUTDIR}" | logger || die "Couldn't create ${OUTPUTDIR}"
+
+	echo "Build for ${dir}"
+	("${KPATCHBUILD}" "-j${CPUS}" -a "${ARCHVERSION}" -c "${CONFIGFILE}" -k "${KEYDIR}" \
+         -o "${OUTPUTDIR}" "${PATCHDIR}"/"${dir}"/*.patch -R) 2>&1 | logger 1 || \
+         die "kpatch kernel module prebuilt failed for ${dir}."
+
+done
+
+[[ "${DEBUG}" -eq 0 && "${SKIPCLEANUP}" -eq 0 ]] && rm -f "${LOGFILE}"

livepatch/kpatch-prebuilt/source/kpatch_patches/rt/test/meminfo-string-example.patch

@@ -0,0 +1,28 @@
+From 8d0255caf3407a29abde844033bcbf33a895c96d Mon Sep 17 00:00:00 2001
+From: Zhixiong Chi <zhixiong.chi@windriver.com>
+Date: Tue, 26 Jul 2022 21:42:51 -0700
+Subject: [PATCH] meminfo string example
+
+Add the kernel example patch for kpatch build.
+
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ fs/proc/meminfo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/proc/meminfo.c b/fs/proc/meminfo.c
+index 887a5532e..62aafe080 100644
+--- a/fs/proc/meminfo.c
++++ b/fs/proc/meminfo.c
+@@ -119,7 +119,7 @@ static int meminfo_proc_show(struct seq_file *m, void *v)
+ 	seq_printf(m, "VmallocTotal:   %8lu kB\n",
+ 		   (unsigned long)VMALLOC_TOTAL >> 10);
+ 	show_val_kb(m, "VmallocUsed:    ", vmalloc_nr_pages());
+-	show_val_kb(m, "VmallocChunk:   ", 0ul);
++	show_val_kb(m, "VMALLOCChunk:   ", 0ul);
+ 	show_val_kb(m, "Percpu:         ", pcpu_nr_pages());
+ 
+ #ifdef CONFIG_MEMORY_FAILURE
+-- 
+2.34.1
+

livepatch/kpatch-prebuilt/source/kpatch_patches/std/test/meminfo-string-example.patch

@@ -0,0 +1,28 @@
+From 8d0255caf3407a29abde844033bcbf33a895c96d Mon Sep 17 00:00:00 2001
+From: Zhixiong Chi <zhixiong.chi@windriver.com>
+Date: Tue, 26 Jul 2022 21:42:51 -0700
+Subject: [PATCH] meminfo string example
+
+Add the kernel example patch for kpatch build.
+
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ fs/proc/meminfo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/proc/meminfo.c b/fs/proc/meminfo.c
+index 887a5532e..62aafe080 100644
+--- a/fs/proc/meminfo.c
++++ b/fs/proc/meminfo.c
+@@ -119,7 +119,7 @@ static int meminfo_proc_show(struct seq_file *m, void *v)
+ 	seq_printf(m, "VmallocTotal:   %8lu kB\n",
+ 		   (unsigned long)VMALLOC_TOTAL >> 10);
+ 	show_val_kb(m, "VmallocUsed:    ", vmalloc_nr_pages());
+-	show_val_kb(m, "VmallocChunk:   ", 0ul);
++	show_val_kb(m, "VMALLOCChunk:   ", 0ul);
+ 	show_val_kb(m, "Percpu:         ", pcpu_nr_pages());
+ 
+ #ifdef CONFIG_MEMORY_FAILURE
+-- 
+2.34.1
+