github.com/google/syzkaller@v0.0.0-20240517125934-c0f1611a36d6/docs/linux/setup_linux-host_qemu-vm_arm64-kernel.md (about) 1 # Setup: Linux host, QEMU vm, arm64 kernel 2 3 This document will detail the steps involved in setting up a Syzkaller instance fuzzing any ARM64 linux kernel of your choice. 4 5 ## Create a disk image 6 7 We will use buildroot to create the disk image. 8 You can obtain buildroot from [here](https://buildroot.uclibc.org/download.html). 9 Extract the tarball and perform a `make menuconfig` inside it. 10 Choose the following options. 11 12 Target options 13 Target Architecture - Aarch64 (little endian) 14 Toolchain type 15 External toolchain - Linaro AArch64 16 System Configuration 17 [*] Enable root login with password 18 ( ) Root password = set your password using this option 19 [*] Run a getty (login prompt) after boot ---> 20 TTY port - ttyAMA0 21 Target packages 22 [*] Show packages that are also provided by busybox 23 Networking applications 24 [*] dhcpcd 25 [*] iproute2 26 [*] openssh 27 Filesystem images 28 [*] ext2/3/4 root filesystem 29 ext2/3/4 variant - ext3 30 exact size in blocks - 6000000 31 [*] tar the root filesystem 32 33 Run `make`. After the build, confirm that `output/images/rootfs.ext3` exists. 34 35 If you're expreriencing a very slow sshd start up time with arm64 qemu running on x86, the reason is probably low entropy and it be "fixed" with installing `haveged`. It can be found in the buildroot `menuconfig`: 36 37 ``` 38 Target packages 39 Miscellaneous 40 [*] haveged 41 ``` 42 43 ## Get the ARM64 toolchain from Linaro 44 45 You will require an ARM64 kernel with gcc plugin support. 46 If not, obtain the ARM64 toolchain from Linaro. 47 Get `gcc-linaro-6.1.1-2016.08-x86_64_aarch64-linux-gnu.tar.xz` from [here](https://releases.linaro.org/components/toolchain/binaries/6.1-2016.08/aarch64-linux-gnu/). 48 Extract and add its `bin/` to your `PATH`. 49 If you have another ARM64 toolchain on your machine, ensure that this newly downloaded toolchain takes precedence. 50 51 ## Compile the kernel 52 53 Get the source code of the Linux kernel version you want to fuzz, and do the following. 54 55 $ ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- make defconfig 56 $ vim .config 57 58 Change the following options : 59 ``` 60 CONFIG_KCOV=y 61 CONFIG_KASAN=y 62 CONFIG_DEBUG_INFO=y 63 CONFIG_CMDLINE="console=ttyAMA0" 64 CONFIG_KCOV_INSTRUMENT_ALL=y 65 CONFIG_DEBUG_FS=y 66 CONFIG_NET_9P=y 67 CONFIG_NET_9P_VIRTIO=y 68 CONFIG_CROSS_COMPILE="aarch64-linux-gnu-" 69 ``` 70 ``` 71 $ ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- make -j40 72 ``` 73 74 If the build was successful, you should have a `arch/arm64/boot/Image` file. 75 76 ## Obtain qemu for ARM64 77 78 Obtain the QEMU source from git or from the latest source release. 79 80 $ ./configure 81 $ make -j40 82 83 If the build was successful, you should have a `aarch64-softmmu/qemu-system-aarch64` binary. 84 85 ## Boot up manually 86 87 You should be able to start up the kernel as follows. 88 89 $ /path/to/aarch64-softmmu/qemu-system-aarch64 \ 90 -machine virt \ 91 -cpu cortex-a57 \ 92 -nographic -smp 1 \ 93 -hda /path/to/rootfs.ext3 \ 94 -kernel /path/to/arch/arm64/boot/Image \ 95 -append "console=ttyAMA0 root=/dev/vda oops=panic panic_on_warn=1 panic=-1 ftrace_dump_on_oops=orig_cpu debug earlyprintk=serial slub_debug=UZ" \ 96 -m 2048 \ 97 -net user,hostfwd=tcp::10023-:22 -net nic 98 99 At this point, you should be able to see a login prompt. 100 101 ## Set up the QEMU disk 102 103 Now that we have a shell, let us add a few lines to existing init scripts so that they are executed each time Syzkaller brings up the VM. 104 105 At the top of /etc/init.d/S50sshd add the following lines: 106 107 ifconfig eth0 up 108 dhcpcd 109 mount -t debugfs none /sys/kernel/debug 110 chmod 777 /sys/kernel/debug/kcov 111 112 Comment out the line 113 114 /usr/bin/ssh-keygen -A 115 116 Next we set up ssh. Create an ssh keypair locally and copy the public key to `/authorized_keys` in `/`. Ensure that you do not set a passphrase when creating this key. 117 118 Open `/etc/ssh/sshd_config` and modify the following lines as shown below. 119 120 PermitRootLogin yes 121 PubkeyAuthentication yes 122 AuthorizedKeysFile /authorized_keys 123 PasswordAuthentication yes 124 125 Reboot the machine, and ensure that you can ssh from host to guest as. 126 127 $ ssh -i /path/to/id_rsa root@localhost -p 10023 128 129 ## Build syzkaller 130 131 Build syzkaller as described [here](/docs/linux/setup.md#go-and-syzkaller), with `arm64` target: 132 133 ``` 134 CC=gcc-linaro-6.3.1-2017.05-x86_64_aarch64-linux-gnu/bin/aarch64-linux-gnu-g++ 135 make TARGETARCH=arm64 136 ``` 137 138 139 ## Modify your config file and start off syzkaller 140 141 A sample config file that exercises the required options are shown below. Modify according to your needs. 142 143 ``` 144 { 145 "name": "QEMU-aarch64", 146 "target": "linux/arm64", 147 "http": ":56700", 148 "workdir": "/path/to/a/dir/to/store/syzkaller/corpus", 149 "kernel_obj": "/path/to/linux/build/dir", 150 "syzkaller": "/path/to/syzkaller/arm64/", 151 "image": "/path/to/rootfs.ext3", 152 "sshkey": "/path/to/id_rsa", 153 "procs": 8, 154 "type": "qemu", 155 "vm": { 156 "count": 1, 157 "qemu": "/path/to/qemu-system-aarch64", 158 "cmdline": "console=ttyAMA0 root=/dev/vda", 159 "kernel": "/path/to/Image", 160 "cpu": 2, 161 "mem": 2048 162 } 163 } 164 ``` 165 166 At this point, you should be able to visit `localhost:56700` and view the results of the fuzzing. 167 168 If you get issues after `syz-manager` starts, consider running it with the `-debug` flag. 169 Also see [this page](/docs/troubleshooting.md) for troubleshooting tips.