Linux 6.19 Merges "klp-build" As New Livepatch Module Generation Solution
Merged as part of the objtool changes for the Linux 6.19 kernel is introducing the "klp-build" script as a new solution to generate livepatch modules using a source .patch file as the input. This klp-build effort was spearheaded by Josh Poimboeuf with ideas learned from the out-of-tree Kpatch project over the past decade.
Josh Poimboeuf has been working on this klp-build for a while and explained in the patch series cover letter:
All of this work by the Red Hat engineer is now in Linux 6.19 Git. Kernel live-patching of security updates and functional issues remains an important area for large enterprises and especially the hyperscalers where keeping system downtime to a minimum is of significant concern.
This objtool pull request landed the new klp-build and associated infrastructure for this significant improvement to Linux kernel live-patching.
Josh Poimboeuf has been working on this klp-build for a while and explained in the patch series cover letter:
"This series introduces new objtool features and a klp-build script to generate livepatch modules using a source .patch as input.
This builds on concepts from the longstanding out-of-tree kpatch project which began in 2012 and has been used for many years to generate livepatch modules for production kernels. However, this is a complete rewrite which incorporates hard-earned lessons from 12+ years of maintaining kpatch.
Key improvements compared to kpatch-build:
- Integrated with objtool: Leverages objtool's existing control-flow graph analysis to help detect changed functions.
- Works on vmlinux.o: Supports late-linked objects, making it compatible with LTO, IBT, and similar.
- Simplified code base: ~3k fewer lines of code.
- Upstream: No more out-of-tree #ifdef hacks, far less cruft.
- Cleaner internals: Vastly simplified logic for symbol/section/reloc inclusion and special section extraction.
- Robust __LINE__ macro handling: Avoids false positive binary diffs caused by the __LINE__ macro by introducing a fix-patch-lines script which injects #line directives into the source .patch to preserve the original line numbers at compile time.
The primary user interface is the klp-build script which does the following:
- Builds an original kernel with -function-sections and -fdata-sections, plus objtool function checksumming.
- Applies the .patch file and rebuilds the kernel using the same options.
- Runs 'objtool klp diff' to detect changed functions and generate intermediate binary diff objects.
- Builds a kernel module which links the diff objects with some livepatch module init code (scripts/livepatch/init.c).
- Finalizes the livepatch module (aka work around linker wreckage) using 'objtool klp post-link'."
All of this work by the Red Hat engineer is now in Linux 6.19 Git. Kernel live-patching of security updates and functional issues remains an important area for large enterprises and especially the hyperscalers where keeping system downtime to a minimum is of significant concern.
This objtool pull request landed the new klp-build and associated infrastructure for this significant improvement to Linux kernel live-patching.