scripts/livepatch/klp-build at master · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / scripts / livepatch / klp-build
at master 18 kB view raw
  1#!/bin/bash
  2# SPDX-License-Identifier: GPL-2.0
  3#
  4# Build a livepatch module
  5
  6# shellcheck disable=SC1090,SC2155
  7
  8if (( BASH_VERSINFO[0]  < 4 || \
  9     (BASH_VERSINFO[0] == 4 && BASH_VERSINFO[1] < 4) )); then
 10		echo "error: this script requires bash 4.4+" >&2
 11	exit 1
 12fi
 13
 14set -o errexit
 15set -o errtrace
 16set -o pipefail
 17set -o nounset
 18
 19# Allow doing 'cmd | mapfile -t array' instead of 'mapfile -t array < <(cmd)'.
 20# This helps keep execution in pipes so pipefail+errexit can catch errors.
 21shopt -s lastpipe
 22
 23unset DEBUG_CLONE DIFF_CHECKSUM SKIP_CLEANUP XTRACE
 24
 25REPLACE=1
 26SHORT_CIRCUIT=0
 27JOBS="$(getconf _NPROCESSORS_ONLN)"
 28VERBOSE="-s"
 29shopt -o xtrace | grep -q 'on' && XTRACE=1
 30
 31# Avoid removing the previous $TMP_DIR until args have been fully processed.
 32KEEP_TMP=1
 33
 34SCRIPT="$(basename "$0")"
 35SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 36FIX_PATCH_LINES="$SCRIPT_DIR/fix-patch-lines"
 37
 38SRC="$(pwd)"
 39OBJ="$(pwd)"
 40
 41CONFIG="$OBJ/.config"
 42TMP_DIR="$OBJ/klp-tmp"
 43
 44ORIG_DIR="$TMP_DIR/orig"
 45PATCHED_DIR="$TMP_DIR/patched"
 46DIFF_DIR="$TMP_DIR/diff"
 47KMOD_DIR="$TMP_DIR/kmod"
 48
 49STASH_DIR="$TMP_DIR/stash"
 50TIMESTAMP="$TMP_DIR/timestamp"
 51PATCH_TMP_DIR="$TMP_DIR/tmp"
 52
 53KLP_DIFF_LOG="$DIFF_DIR/diff.log"
 54
 55grep0() {
 56	command grep "$@" || true
 57}
 58
 59status() {
 60	echo "$*"
 61}
 62
 63warn() {
 64	echo "error: $SCRIPT: $*" >&2
 65}
 66
 67die() {
 68	warn "$@"
 69	exit 1
 70}
 71
 72declare -a STASHED_FILES
 73
 74stash_file() {
 75	local file="$1"
 76	local rel_file="${file#"$SRC"/}"
 77
 78	[[ ! -e "$file" ]] && die "no file to stash: $file"
 79
 80	mkdir -p "$STASH_DIR/$(dirname "$rel_file")"
 81	cp -f "$file" "$STASH_DIR/$rel_file"
 82
 83	STASHED_FILES+=("$rel_file")
 84}
 85
 86restore_files() {
 87	local file
 88
 89	for file in "${STASHED_FILES[@]}"; do
 90		mv -f "$STASH_DIR/$file" "$SRC/$file" || warn "can't restore file: $file"
 91	done
 92
 93	STASHED_FILES=()
 94}
 95
 96cleanup() {
 97	set +o nounset
 98	revert_patches "--recount"
 99	restore_files
100	[[ "$KEEP_TMP" -eq 0 ]] && rm -rf "$TMP_DIR"
101	return 0
102}
103
104trap_err() {
105	warn "line ${BASH_LINENO[0]}: '$BASH_COMMAND'"
106}
107
108trap cleanup  EXIT INT TERM HUP
109trap trap_err ERR
110
111__usage() {
112	cat <<EOF
113Usage: $SCRIPT [OPTIONS] PATCH_FILE(s)
114Generate a livepatch module.
115
116Options:
117   -f, --show-first-changed	Show address of first changed instruction
118   -j, --jobs=<jobs>		Build jobs to run simultaneously [default: $JOBS]
119   -o, --output=<file.ko>	Output file [default: livepatch-<patch-name>.ko]
120       --no-replace		Disable livepatch atomic replace
121   -v, --verbose		Pass V=1 to kernel/module builds
122
123Advanced Options:
124   -d, --debug			Show symbol/reloc cloning decisions
125   -S, --short-circuit=STEP	Start at build step (requires prior --keep-tmp)
126				   1|orig	Build original kernel (default)
127				   2|patched	Build patched kernel
128				   3|diff	Diff objects
129				   4|kmod	Build patch module
130   -T, --keep-tmp		Preserve tmp dir on exit
131
132EOF
133}
134
135usage() {
136	__usage >&2
137}
138
139process_args() {
140	local keep_tmp=0
141	local short
142	local long
143	local args
144
145	short="hfj:o:vdS:T"
146	long="help,show-first-changed,jobs:,output:,no-replace,verbose,debug,short-circuit:,keep-tmp"
147
148	args=$(getopt --options "$short" --longoptions "$long" -- "$@") || {
149		echo; usage; exit
150	}
151	eval set -- "$args"
152
153	while true; do
154		case "$1" in
155			-h | --help)
156				usage
157				exit 0
158				;;
159			-f | --show-first-changed)
160				DIFF_CHECKSUM=1
161				shift
162				;;
163			-j | --jobs)
164				JOBS="$2"
165				shift 2
166				;;
167			-o | --output)
168				[[ "$2" != *.ko ]] && die "output filename should end with .ko"
169				OUTFILE="$2"
170				NAME="$(basename "$OUTFILE")"
171				NAME="${NAME%.ko}"
172				NAME="$(module_name_string "$NAME")"
173				shift 2
174				;;
175			--no-replace)
176				REPLACE=0
177				shift
178				;;
179			-v | --verbose)
180				VERBOSE="V=1"
181				shift
182				;;
183			-d | --debug)
184				DEBUG_CLONE=1
185				keep_tmp=1
186				shift
187				;;
188			-S | --short-circuit)
189				[[ ! -d "$TMP_DIR" ]] && die "--short-circuit requires preserved klp-tmp dir"
190				keep_tmp=1
191				case "$2" in
192					1 | orig)	SHORT_CIRCUIT=1; ;;
193					2 | patched)	SHORT_CIRCUIT=2; ;;
194					3 | diff)	SHORT_CIRCUIT=3; ;;
195					4 | mod)	SHORT_CIRCUIT=4; ;;
196					*)		die "invalid short-circuit step '$2'" ;;
197				esac
198				shift 2
199				;;
200			-T | --keep-tmp)
201				keep_tmp=1
202				shift
203				;;
204			--)
205				shift
206				break
207				;;
208			*)
209				usage
210				exit 1
211				;;
212		esac
213	done
214
215	if [[ $# -eq 0 ]]; then
216		usage
217		exit 1
218	fi
219
220	KEEP_TMP="$keep_tmp"
221	PATCHES=("$@")
222}
223
224# temporarily disable xtrace for especially verbose code
225xtrace_save() {
226	[[ -v XTRACE ]] && set +x
227	return 0
228}
229
230xtrace_restore() {
231	[[ -v XTRACE ]] && set -x
232	return 0
233}
234
235validate_config() {
236	xtrace_save "reading .config"
237	source "$CONFIG" || die "no .config file in $(dirname "$CONFIG")"
238	xtrace_restore
239
240	[[ -v CONFIG_LIVEPATCH ]] ||			\
241		die "CONFIG_LIVEPATCH not enabled"
242
243	[[ -v CONFIG_KLP_BUILD ]] ||			\
244		die "CONFIG_KLP_BUILD not enabled"
245
246	[[ -v CONFIG_GCC_PLUGIN_LATENT_ENTROPY ]] &&	\
247		die "kernel option 'CONFIG_GCC_PLUGIN_LATENT_ENTROPY' not supported"
248
249	[[ -v CONFIG_GCC_PLUGIN_RANDSTRUCT ]] &&	\
250		die "kernel option 'CONFIG_GCC_PLUGIN_RANDSTRUCT' not supported"
251
252	return 0
253}
254
255# Only allow alphanumerics and '_' and '-' in the module name.  Everything else
256# is replaced with '-'.  Also truncate to 55 chars so the full name + NUL
257# terminator fits in the kernel's 56-byte module name array.
258module_name_string() {
259	echo "${1//[^a-zA-Z0-9_-]/-}" | cut -c 1-55
260}
261
262# If the module name wasn't specified on the cmdline with --output, give it a
263# name based on the patch name.
264set_module_name() {
265	[[ -v NAME ]] && return 0
266
267	if [[ "${#PATCHES[@]}" -eq 1 ]]; then
268		NAME="$(basename "${PATCHES[0]}")"
269		NAME="${NAME%.*}"
270	else
271		NAME="patch"
272	fi
273
274	NAME="livepatch-$NAME"
275	NAME="$(module_name_string "$NAME")"
276
277	OUTFILE="$NAME.ko"
278}
279
280# Hardcode the value printed by the localversion script to prevent patch
281# application from appending it with '+' due to a dirty git working tree.
282set_kernelversion() {
283	local file="$SRC/scripts/setlocalversion"
284	local localversion
285
286	stash_file "$file"
287
288	localversion="$(cd "$SRC" && make --no-print-directory kernelversion)"
289	localversion="$(cd "$SRC" && KERNELVERSION="$localversion" ./scripts/setlocalversion)"
290	[[ -z "$localversion" ]] && die "setlocalversion failed"
291
292	sed -i "2i echo $localversion; exit 0" scripts/setlocalversion
293}
294
295get_patch_files() {
296	local patch="$1"
297
298	grep0 -E '^(--- |\+\+\+ )' "$patch"			\
299		| gawk '{print $2}'				\
300		| sed 's|^[^/]*/||'				\
301		| sort -u
302}
303
304# Make sure git re-stats the changed files
305git_refresh() {
306	local patch="$1"
307	local files=()
308
309	[[ ! -e "$SRC/.git" ]] && return
310
311	get_patch_files "$patch" | mapfile -t files
312
313	(
314		cd "$SRC"
315		git update-index -q --refresh -- "${files[@]}"
316	)
317}
318
319check_unsupported_patches() {
320	local patch
321
322	for patch in "${PATCHES[@]}"; do
323		local files=()
324
325		get_patch_files "$patch" | mapfile -t files
326
327		for file in "${files[@]}"; do
328			case "$file" in
329				lib/*|*.S)
330					die "unsupported patch to $file"
331					;;
332			esac
333		done
334	done
335}
336
337apply_patch() {
338	local patch="$1"
339	shift
340	local extra_args=("$@")
341
342	[[ ! -f "$patch" ]] && die "$patch doesn't exist"
343
344	(
345		cd "$SRC"
346
347		# The sed strips the version signature from 'git format-patch',
348		# otherwise 'git apply --recount' warns.
349		sed -n '/^-- /q;p' "$patch" |
350			git apply "${extra_args[@]}"
351	)
352
353	APPLIED_PATCHES+=("$patch")
354}
355
356revert_patch() {
357	local patch="$1"
358	shift
359	local extra_args=("$@")
360	local tmp=()
361
362	(
363		cd "$SRC"
364
365		sed -n '/^-- /q;p' "$patch" |
366			git apply --reverse "${extra_args[@]}"
367	)
368	git_refresh "$patch"
369
370	for p in "${APPLIED_PATCHES[@]}"; do
371		[[ "$p" == "$patch" ]] && continue
372		tmp+=("$p")
373	done
374
375	APPLIED_PATCHES=("${tmp[@]}")
376}
377
378apply_patches() {
379	local patch
380
381	for patch in "${PATCHES[@]}"; do
382		apply_patch "$patch"
383	done
384}
385
386revert_patches() {
387	local extra_args=("$@")
388	local patches=("${APPLIED_PATCHES[@]}")
389
390	for (( i=${#patches[@]}-1 ; i>=0 ; i-- )) ; do
391		revert_patch "${patches[$i]}" "${extra_args[@]}"
392	done
393
394	APPLIED_PATCHES=()
395}
396
397validate_patches() {
398	check_unsupported_patches
399	apply_patches
400	revert_patches
401}
402
403do_init() {
404	# We're not yet smart enough to handle anything other than in-tree
405	# builds in pwd.
406	[[ ! "$SRC" -ef "$SCRIPT_DIR/../.." ]] && die "please run from the kernel root directory"
407	[[ ! "$OBJ" -ef "$SCRIPT_DIR/../.." ]] && die "please run from the kernel root directory"
408
409	(( SHORT_CIRCUIT <= 1 )) && rm -rf "$TMP_DIR"
410	mkdir -p "$TMP_DIR"
411
412	APPLIED_PATCHES=()
413
414	[[ -x "$FIX_PATCH_LINES" ]] || die "can't find fix-patch-lines"
415
416	validate_config
417	set_module_name
418	set_kernelversion
419}
420
421# Refresh the patch hunk headers, specifically the line numbers and counts.
422refresh_patch() {
423	local patch="$1"
424	local tmpdir="$PATCH_TMP_DIR"
425	local files=()
426
427	rm -rf "$tmpdir"
428	mkdir -p "$tmpdir/a"
429	mkdir -p "$tmpdir/b"
430
431	# Get all source files affected by the patch
432	get_patch_files "$patch" | mapfile -t files
433
434	# Copy orig source files to 'a'
435	( cd "$SRC" && echo "${files[@]}" | xargs cp --parents --target-directory="$tmpdir/a" )
436
437	# Copy patched source files to 'b'
438	apply_patch "$patch" --recount
439	( cd "$SRC" && echo "${files[@]}" | xargs cp --parents --target-directory="$tmpdir/b" )
440	revert_patch "$patch" --recount
441
442	# Diff 'a' and 'b' to make a clean patch
443	( cd "$tmpdir" && git diff --no-index --no-prefix a b > "$patch" ) || true
444}
445
446# Copy the patches to a temporary directory, fix their lines so as not to
447# affect the __LINE__ macro for otherwise unchanged functions further down the
448# file, and update $PATCHES to point to the fixed patches.
449fix_patches() {
450	local idx
451	local i
452
453	rm -f "$TMP_DIR"/*.patch
454
455	idx=0001
456	for i in "${!PATCHES[@]}"; do
457		local old_patch="${PATCHES[$i]}"
458		local tmp_patch="$TMP_DIR/tmp.patch"
459		local patch="${PATCHES[$i]}"
460		local new_patch
461
462		new_patch="$TMP_DIR/$idx-fixed-$(basename "$patch")"
463
464		cp -f "$old_patch" "$tmp_patch"
465		refresh_patch "$tmp_patch"
466		"$FIX_PATCH_LINES" "$tmp_patch" > "$new_patch"
467		refresh_patch "$new_patch"
468
469		PATCHES[i]="$new_patch"
470
471		rm -f "$tmp_patch"
472		idx=$(printf "%04d" $(( 10#$idx + 1 )))
473	done
474}
475
476clean_kernel() {
477	local cmd=()
478
479	cmd=("make")
480	cmd+=("--silent")
481	cmd+=("-j$JOBS")
482	cmd+=("clean")
483
484	(
485		cd "$SRC"
486		"${cmd[@]}"
487	)
488}
489
490build_kernel() {
491	local log="$TMP_DIR/build.log"
492	local objtool_args=()
493	local cmd=()
494
495	objtool_args=("--checksum")
496
497	cmd=("make")
498
499	# When a patch to a kernel module references a newly created unexported
500	# symbol which lives in vmlinux or another kernel module, the patched
501	# kernel build fails with the following error:
502	#
503	#   ERROR: modpost: "klp_string" [fs/xfs/xfs.ko] undefined!
504	#
505	# The undefined symbols are working as designed in that case.  They get
506	# resolved later when the livepatch module build link pulls all the
507	# disparate objects together into the same kernel module.
508	#
509	# It would be good to have a way to tell modpost to skip checking for
510	# undefined symbols altogether.  For now, just convert the error to a
511	# warning with KBUILD_MODPOST_WARN, and grep out the warning to avoid
512	# confusing the user.
513	#
514	cmd+=("KBUILD_MODPOST_WARN=1")
515
516	cmd+=("$VERBOSE")
517	cmd+=("-j$JOBS")
518	cmd+=("KCFLAGS=-ffunction-sections -fdata-sections")
519	cmd+=("OBJTOOL_ARGS=${objtool_args[*]}")
520	cmd+=("vmlinux")
521	cmd+=("modules")
522
523	(
524		cd "$SRC"
525		"${cmd[@]}"							\
526			1> >(tee -a "$log")					\
527			2> >(tee -a "$log" | grep0 -v "modpost.*undefined!" >&2)
528	)
529}
530
531find_objects() {
532	local opts=("$@")
533
534	# Find root-level vmlinux.o and non-root-level .ko files,
535	# excluding klp-tmp/ and .git/
536	find "$OBJ" \( -path "$TMP_DIR" -o -path "$OBJ/.git" -o	-regex "$OBJ/[^/][^/]*\.ko" \) -prune -o \
537		    -type f "${opts[@]}"				\
538		    \( -name "*.ko" -o -path "$OBJ/vmlinux.o" \)	\
539		    -printf '%P\n'
540}
541
542# Copy all .o archives to $ORIG_DIR
543copy_orig_objects() {
544	local files=()
545
546	rm -rf "$ORIG_DIR"
547	mkdir -p "$ORIG_DIR"
548
549	find_objects | mapfile -t files
550
551	xtrace_save "copying orig objects"
552	for _file in "${files[@]}"; do
553		local rel_file="${_file/.ko/.o}"
554		local file="$OBJ/$rel_file"
555		local file_dir="$(dirname "$file")"
556		local orig_file="$ORIG_DIR/$rel_file"
557		local orig_dir="$(dirname "$orig_file")"
558		local cmd_file="$file_dir/.$(basename "$file").cmd"
559
560		[[ ! -f "$file" ]] && die "missing $(basename "$file") for $_file"
561
562		mkdir -p "$orig_dir"
563		cp -f "$file" "$orig_dir"
564		[[ -e "$cmd_file" ]] && cp -f "$cmd_file" "$orig_dir"
565	done
566	xtrace_restore
567
568	mv -f "$TMP_DIR/build.log" "$ORIG_DIR"
569	touch "$TIMESTAMP"
570}
571
572# Copy all changed objects to $PATCHED_DIR
573copy_patched_objects() {
574	local files=()
575	local opts=()
576	local found=0
577
578	rm -rf "$PATCHED_DIR"
579	mkdir -p "$PATCHED_DIR"
580
581	# Note this doesn't work with some configs, thus the 'cmp' below.
582	opts=("-newer")
583	opts+=("$TIMESTAMP")
584
585	find_objects "${opts[@]}" | mapfile -t files
586
587	xtrace_save "copying changed objects"
588	for _file in "${files[@]}"; do
589		local rel_file="${_file/.ko/.o}"
590		local file="$OBJ/$rel_file"
591		local orig_file="$ORIG_DIR/$rel_file"
592		local patched_file="$PATCHED_DIR/$rel_file"
593		local patched_dir="$(dirname "$patched_file")"
594
595		[[ ! -f "$file" ]] && die "missing $(basename "$file") for $_file"
596
597		cmp -s "$orig_file" "$file" && continue
598
599		mkdir -p "$patched_dir"
600		cp -f "$file" "$patched_dir"
601		found=1
602	done
603	xtrace_restore
604
605	(( found == 0 )) && die "no changes detected"
606
607	mv -f "$TMP_DIR/build.log" "$PATCHED_DIR"
608}
609
610# Diff changed objects, writing output object to $DIFF_DIR
611diff_objects() {
612	local log="$KLP_DIFF_LOG"
613	local files=()
614	local opts=()
615
616	rm -rf "$DIFF_DIR"
617	mkdir -p "$DIFF_DIR"
618
619	find "$PATCHED_DIR" -type f -name "*.o" | mapfile -t files
620	[[ ${#files[@]} -eq 0 ]] && die "no changes detected"
621
622	[[ -v DEBUG_CLONE ]] && opts=("--debug")
623
624	# Diff all changed objects
625	for file in "${files[@]}"; do
626		local rel_file="${file#"$PATCHED_DIR"/}"
627		local orig_file="$rel_file"
628		local patched_file="$PATCHED_DIR/$rel_file"
629		local out_file="$DIFF_DIR/$rel_file"
630		local filter=()
631		local cmd=()
632
633		mkdir -p "$(dirname "$out_file")"
634
635		cmd=("$SRC/tools/objtool/objtool")
636		cmd+=("klp")
637		cmd+=("diff")
638		(( ${#opts[@]} > 0 )) && cmd+=("${opts[@]}")
639		cmd+=("$orig_file")
640		cmd+=("$patched_file")
641		cmd+=("$out_file")
642
643		if [[ -v DIFF_CHECKSUM ]]; then
644			filter=("grep0")
645			filter+=("-Ev")
646			filter+=("DEBUG: .*checksum: ")
647		else
648			filter=("cat")
649		fi
650
651		(
652			cd "$ORIG_DIR"
653			"${cmd[@]}"							\
654				1> >(tee -a "$log")					\
655				2> >(tee -a "$log" | "${filter[@]}" >&2) ||		\
656				die "objtool klp diff failed"
657		)
658	done
659}
660
661# For each changed object, run objtool with --debug-checksum to get the
662# per-instruction checksums, and then diff those to find the first changed
663# instruction for each function.
664diff_checksums() {
665	local orig_log="$ORIG_DIR/checksum.log"
666	local patched_log="$PATCHED_DIR/checksum.log"
667	local -A funcs
668	local cmd=()
669	local line
670	local file
671	local func
672
673	gawk '/\.o: changed function: / {
674		sub(/:$/, "", $1)
675		print $1, $NF
676	}' "$KLP_DIFF_LOG" | mapfile -t lines
677
678	for line in "${lines[@]}"; do
679		read -r file func <<< "$line"
680		if [[ ! -v funcs["$file"] ]]; then
681			funcs["$file"]="$func"
682		else
683			funcs["$file"]+=" $func"
684		fi
685	done
686
687	cmd=("$SRC/tools/objtool/objtool")
688	cmd+=("--checksum")
689	cmd+=("--link")
690	cmd+=("--dry-run")
691
692	for file in "${!funcs[@]}"; do
693		local opt="--debug-checksum=${funcs[$file]// /,}"
694
695		(
696			cd "$ORIG_DIR"
697			"${cmd[@]}" "$opt" "$file" &> "$orig_log" || \
698				( cat "$orig_log" >&2; die "objtool --debug-checksum failed" )
699
700			cd "$PATCHED_DIR"
701			"${cmd[@]}" "$opt" "$file" &> "$patched_log" ||	\
702				( cat "$patched_log" >&2; die "objtool --debug-checksum failed" )
703		)
704
705		for func in ${funcs[$file]}; do
706			diff <( grep0 -E "^DEBUG: .*checksum: $func " "$orig_log"    | sed "s|$ORIG_DIR/||")	\
707			     <( grep0 -E "^DEBUG: .*checksum: $func " "$patched_log" | sed "s|$PATCHED_DIR/||")	\
708				| gawk '/^< DEBUG: / {
709					gsub(/:/, "")
710					printf "%s: %s: %s\n", $3, $5, $6
711					exit
712			}' || true
713		done
714	done
715}
716
717# Build and post-process livepatch module in $KMOD_DIR
718build_patch_module() {
719	local makefile="$KMOD_DIR/Kbuild"
720	local log="$KMOD_DIR/build.log"
721	local kmod_file
722	local cflags=()
723	local files=()
724	local cmd=()
725
726	rm -rf "$KMOD_DIR"
727	mkdir -p "$KMOD_DIR"
728
729	cp -f "$SRC/scripts/livepatch/init.c" "$KMOD_DIR"
730
731	echo "obj-m := $NAME.o" > "$makefile"
732	echo -n "$NAME-y := init.o" >> "$makefile"
733
734	find "$DIFF_DIR" -type f -name "*.o" | mapfile -t files
735	[[ ${#files[@]} -eq 0 ]] && die "no changes detected"
736
737	for file in "${files[@]}"; do
738		local rel_file="${file#"$DIFF_DIR"/}"
739		local orig_file="$ORIG_DIR/$rel_file"
740		local orig_dir="$(dirname "$orig_file")"
741		local kmod_file="$KMOD_DIR/$rel_file"
742		local kmod_dir="$(dirname "$kmod_file")"
743		local cmd_file="$orig_dir/.$(basename "$file").cmd"
744
745		mkdir -p "$kmod_dir"
746		cp -f "$file" "$kmod_dir"
747		[[ -e "$cmd_file" ]] && cp -f "$cmd_file" "$kmod_dir"
748
749		# Tell kbuild this is a prebuilt object
750		cp -f "$file" "${kmod_file}_shipped"
751
752		echo -n " $rel_file" >> "$makefile"
753	done
754
755	echo >> "$makefile"
756
757	cflags=("-ffunction-sections")
758	cflags+=("-fdata-sections")
759	[[ $REPLACE -eq 0 ]] && cflags+=("-DKLP_NO_REPLACE")
760
761	cmd=("make")
762	cmd+=("$VERBOSE")
763	cmd+=("-j$JOBS")
764	cmd+=("--directory=.")
765	cmd+=("M=$KMOD_DIR")
766	cmd+=("KCFLAGS=${cflags[*]}")
767
768	# Build a "normal" kernel module with init.c and the diffed objects
769	(
770		cd "$SRC"
771		"${cmd[@]}"							\
772			1> >(tee -a "$log")					\
773			2> >(tee -a "$log" >&2)
774	)
775
776	kmod_file="$KMOD_DIR/$NAME.ko"
777
778	# Save off the intermediate binary for debugging
779	cp -f "$kmod_file" "$kmod_file.orig"
780
781	# Work around issue where slight .config change makes corrupt BTF
782	objcopy --remove-section=.BTF "$kmod_file"
783
784	# Fix (and work around) linker wreckage for klp syms / relocs
785	"$SRC/tools/objtool/objtool" klp post-link "$kmod_file" || die "objtool klp post-link failed"
786
787	cp -f "$kmod_file" "$OUTFILE"
788}
789
790
791################################################################################
792
793process_args "$@"
794do_init
795
796if (( SHORT_CIRCUIT <= 1 )); then
797	status "Validating patch(es)"
798	validate_patches
799	status "Building original kernel"
800	clean_kernel
801	build_kernel
802	status "Copying original object files"
803	copy_orig_objects
804fi
805
806if (( SHORT_CIRCUIT <= 2 )); then
807	status "Fixing patch(es)"
808	fix_patches
809	apply_patches
810	status "Building patched kernel"
811	build_kernel
812	revert_patches
813	status "Copying patched object files"
814	copy_patched_objects
815fi
816
817if (( SHORT_CIRCUIT <= 3 )); then
818	status "Diffing objects"
819	diff_objects
820	if [[ -v DIFF_CHECKSUM ]]; then
821		status "Finding first changed instructions"
822		diff_checksums
823	fi
824fi
825
826if (( SHORT_CIRCUIT <= 4 )); then
827	status "Building patch module: $OUTFILE"
828	build_patch_module
829fi
830
831status "SUCCESS"