This document will detail the steps involved in setting up a Syzkaller instance fuzzing any ARM64 linux kernel of your choice.

We will use buildroot to create the disk image. Extract the tarball and perform a make menuconfig inside it, choosing the following options:

    Target Architecture - Aarch64 (little endian)
    Root password = set your password using this option
    Run a getty (login prompt) after boot
    Show packages that are also provided by busybox

After the build, confirm that output/images/rootfs.ext3 exists.

You will require an ARM64 kernel with gcc plugin support. If your compiler does not support gcc plugins, obtain the ARM64 toolchain from Linaro. If you have another ARM64 toolchain on your machine, ensure that this newly downloaded toolchain takes precedence.

Once you have obtained the source code for the linux kernel you wish to fuzz, do the following.

    $ ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- make defconfig

Change the following options:

    CONFIG_KCOV=y
    CONFIG_CROSS_COMPILE="aarch64-linux-gnu-"

    $ ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- make -j40

If the build was successful, you should have an arch/arm64/boot/Image file.

Obtain the QEMU source from git or from the latest source release. If the build was successful, you should have an aarch64-softmmu/qemu-system-aarch64 binary. You should be able to start up the kernel as follows.

    $ /path/to/aarch64-softmmu/qemu-system-aarch64 \
      -append "console=ttyAMA0 root=/dev/vda oops=panic panic_on_warn=1 panic=-1 ftrace_dump_on_oops=orig_cpu debug earlyprintk=serial slub_debug=UZ" \
      -net user,hostfwd=tcp::10023-:22 -net nic

At this point, you should be able to see a login prompt.

Now that we have a shell, let us add a few lines to existing init scripts so that they are executed each time Syzkaller brings up the VM. At the top of /etc/init.d/S50sshd add the following lines:

    ifconfig eth0 up

Comment out the line /usr/bin/ssh-keygen -A.

Create an ssh keypair locally and copy the public key to /authorized_keys in /. Ensure that you do not set a passphrase when creating this key.

Open /etc/ssh/sshd_config and modify the following lines as shown below.

Reboot the machine, and ensure that you can ssh from host to guest.

Modify your config file and start off syzkaller. A sample config file that exercises the required options is shown below. Modify according to your needs.

The behaviour of -kernel varies quite a bit between guest architectures. On some (eg Arm) QEMU loads a kernel by performing the minimum necessary tasks that a guest bootloader would normally do: it loads the file into guest memory, it sets various registers as a Linux kernel requires for startup, and it starts the guest CPU with the program counter pointing at the kernel entry point.

On x86, it is a bit more complex, because QEMU for x86 guests always automatically runs a BIOS. (This is sometimes called the "built-in bootloader".) I haven't looked at the x86 -kernel support in detail, and it probably has some complicated special cases, but the basic approach is:

- QEMU loads the data from the specified file, but not into guest memory.
- The guest machine has a special device called 'fw-cfg' which acts as a communication channel between QEMU and guest code.
- The BIOS that runs in the guest ('seabios') knows it is running on QEMU and it knows how to talk to the fw-cfg device.
- The BIOS asks via the fw-cfg device "what files do you have?", and QEMU says "I have this kern.bin".
- The BIOS reads the kernel file data via the fw-cfg device into guest memory.
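The sample syzkaller config referred to in the setup steps above is not on this page. The following is an added example of my own, not the page's or the syzkaller project's own file: it assumes the artifacts produced by those steps (the buildroot rootfs.ext3, the arch/arm64/boot/Image, the passphrase-less ssh key and the qemu-system-aarch64 binary) at placeholder /path/to/... locations, and it binds the manager's web UI to loopback so it is not reachable from other hosts.

```json
{
  "name": "arm64-fuzz",
  "target": "linux/arm64",
  "http": "127.0.0.1:56700",
  "workdir": "/path/to/syzkaller-workdir",
  "kernel_obj": "/path/to/linux",
  "image": "/path/to/buildroot/output/images/rootfs.ext3",
  "sshkey": "/path/to/id_rsa",
  "syzkaller": "/path/to/syzkaller",
  "procs": 8,
  "type": "qemu",
  "vm": {
    "count": 2,
    "qemu": "/path/to/aarch64-softmmu/qemu-system-aarch64",
    "kernel": "/path/to/linux/arch/arm64/boot/Image",
    "cmdline": "console=ttyAMA0 root=/dev/vda",
    "cpu": 2,
    "mem": 2048
  }
}
```

Start the manager with syz-manager -config=<this file>; kernel_obj must point at the build directory containing vmlinux so that crashes can be symbolized.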