Livepatch in Ampere LTS - AmpereComputing/ampere-lts-kernel---DEPRECATED GitHub Wiki

Currently, livepatch is not supported in upstream. And Openeuler-kernel has an un-official livepatch implementation. Ampere LTS 5.10 has draft backporting version of it.

How to enable

To enable livepatch feature, set CONFIG_LIVEPATCH in defconfig. And booting, you will see /sys/kernel/livepatch/ sysfs node.

How to make a hotpatch

There are two ways to make a hotpatch: writing a raw livepatch kernel module, or compiling a code diff patch by kpatch-build tool.

Raw livepatch kernel module

Take samples/livepatch/livepatch-sample.c as example. Compile livepatch-sample.ko first, and run insmod livepatch-sample.ko. If /sys/kernel/livepatch/livepatch_sample/ dir exists, the hotpatch is loaded successfully.

To enable hotpatch, run echo 1 > /sys/kernel/livepatch/livepatch_sample/enable, and run cat /proc/cmdline, you will see:

this has been live patched

To disable hotpatch, run echo 0 > /sys/kernel/livepatch/livepatch_sample/enable, and run cat /proc/cmdline, you will see normal version of cmdline:

BOOT_IMAGE=/boot/vmlinuz-5.10.27-livepatch root=UUID=7efba3f0-a657-4c0f-af16-c9423deacb91 ro console=tty0 cma=1024M iommu.passthrough=1 irqchip.gicv3_pseudo_nmi=1 kpti=off

make livepatch by kpatch-build tool

  1. Download and build kpatch tool:
git clone https://github.com/bobolmw/kpatch.git -b kpatch_amp
cd kpatch
make && make install PREFIX=`pwd`/out
  1. Make a kernel patch by git format-patch, for example:
From 8b82c0903bca1f3f0587500977e8d9fc0d057d08 Mon Sep 17 00:00:00 2001
From: Bobo <[email protected]>
Date: Sun, 16 Jan 2022 13:55:37 +0000
Subject: [PATCH] test patch

Signed-off-by: Bobo <[email protected]>
---
 fs/proc/cmdline.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/proc/cmdline.c b/fs/proc/cmdline.c
index fa762c5fbcb2..94536767f52e 100644
--- a/fs/proc/cmdline.c
+++ b/fs/proc/cmdline.c
@@ -6,6 +6,7 @@
 
 static int cmdline_proc_show(struct seq_file *m, void *v)
 {
+       pr_err("hit in livepatch\n");
        seq_puts(m, saved_command_line);
        seq_putc(m, '\n');
        return 0;
-- 
2.25.1
  1. Compile patch file by kpatch-build tool:
KEEP_JUMP_LABEL="yes" DISABLE_AFTER_LOAD="yes" NO_PROFILING_CALLS="yes" ./kpatch-build/kpatch-build -s ../ampere-lts-kernel -c ../ampere-lts-kernel/.config -v ../ampere-lts-kernel/vmlinux --skip-compiler-check ../ampere-lts-kernel/0001-test-patch.patch -j60

If everything ok, you will get livepatch-0001-test-patch.ko in working directory.

  1. Load and enable livepatch:
insmod livepatch-0001-test-patch.ko
echo 1 > /sys/kernel/livepatch/livepatch-0001-test-patch/enable