github.com/google/syzkaller@v0.0.0-20240517125934-c0f1611a36d6/docs/linux/setup_linux-host_qemu-vm_s390x-kernel.md

# Setup: Debian/Ubuntu/Fedora host, QEMU vm, s390x kernel

## GCC

Obtain `s390x-linux-gnu-gcc`, GCC version 9 or newer. Recent Debian/Ubuntu/Fedora releases
ship a new enough cross-compiler in the `gcc-s390x-linux-gnu` package.

## Kernel

Checkout Linux kernel source:

```bash
git clone git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git $KERNEL
```

Generate default configs:

```bash
cd $KERNEL
make ARCH=s390 CROSS_COMPILE=s390x-linux-gnu- defconfig
make ARCH=s390 CROSS_COMPILE=s390x-linux-gnu- kvm_guest.config
```

Enable the kernel config options required for syzkaller as described [here](kernel_configs.md):

```bash
./scripts/config --file .config \
    -d MODULES \
    -e KCOV \
    -e KCOV_INSTRUMENT_ALL \
    -e KCOV_ENABLE_COMPARISONS \
    -e KASAN \
    -e KASAN_INLINE \
    -e CONFIGFS_FS \
    -e SECURITYFS \
    -e DEBUG_INFO \
    -e GDB_SCRIPTS \
    -e PRINTK \
    -e EARLY_PRINTK \
    -e DEVTMPFS \
    -e TUN \
    -e VIRTIO_PCI \
    -e VIRTIO_NET \
    -e NET_9P_VIRTIO \
    -e NET_9P \
    -e 9P_FS \
    -e BINFMT_MISC \
    -e FAULT_INJECTION \
    -e FAILSLAB \
    -e FAIL_PAGE_ALLOC \
    -e FAIL_MAKE_REQUEST \
    -e FAIL_IO_TIMEOUT \
    -e FAIL_FUTEX \
    -e FAULT_INJECTION_DEBUG_FS \
    -e FAULT_INJECTION_STACKTRACE_FILTER \
    -e DEBUG_KMEMLEAK
```

You can also enable them by editing `.config` by hand, or through `make menuconfig` if you prefer.
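`scripts/config -e` only edits lines in `.config`; when `olddefconfig` regenerates the file in the next step, any option whose dependencies are unmet is silently dropped (on v5.18 and newer kernels, for instance, `CONFIG_DEBUG_INFO` is no longer user-selectable and is only kept if one of the `CONFIG_DEBUG_INFO_DWARF*` choice entries that select it is enabled). The helpers below are an added example, not part of the syzkaller docs or tree: they regenerate the config and report which of the requested options did not survive. `$KERNEL` is assumed as elsewhere on this page; the function names are ours.

```bash
#!/bin/bash
# Added example (not syzkaller code): verify that the options requested with
# scripts/config are still built in after `make olddefconfig`.

# The same options as the scripts/config invocation above.
SYZ_REQUIRED_OPTIONS="KCOV KCOV_INSTRUMENT_ALL KCOV_ENABLE_COMPARISONS KASAN KASAN_INLINE
CONFIGFS_FS SECURITYFS DEBUG_INFO GDB_SCRIPTS PRINTK EARLY_PRINTK DEVTMPFS TUN VIRTIO_PCI
VIRTIO_NET NET_9P_VIRTIO NET_9P 9P_FS BINFMT_MISC FAULT_INJECTION FAILSLAB FAIL_PAGE_ALLOC
FAIL_MAKE_REQUEST FAIL_IO_TIMEOUT FAIL_FUTEX FAULT_INJECTION_DEBUG_FS
FAULT_INJECTION_STACKTRACE_FILTER DEBUG_KMEMLEAK"

# option_state CONFIG_FILE OPTION -> prints y, m or n (n covers "is not set"
# and options Kconfig removed entirely).
option_state() {
    local config="$1" opt="$2" line
    line=$(grep -E "^CONFIG_${opt}=" "$config" | tail -n1)
    case "$line" in
        CONFIG_${opt}=y) echo y ;;
        CONFIG_${opt}=m) echo m ;;
        *) echo n ;;
    esac
}

# missing_options CONFIG_FILE OPTION... -> prints every option that is not =y
# together with its actual state; returns 1 if any is missing, 0 otherwise.
missing_options() {
    local config="$1" opt state rc=0; shift
    for opt in "$@"; do
        state=$(option_state "$config" "$opt")
        if [ "$state" != y ]; then
            echo "CONFIG_${opt}: $state"
            rc=1
        fi
    done
    return $rc
}

# syz_config_ok CONFIG_FILE -> 0 if every required option is built in and
# CONFIG_MODULES is off (syzkaller symbolizes crashes from the single vmlinux,
# so everything must be linked into it), else 1 with details on stderr.
syz_config_ok() {
    local config="$1" missing
    missing=$(missing_options "$config" $SYZ_REQUIRED_OPTIONS) || {
        echo "not built in after olddefconfig:" >&2
        echo "$missing" >&2
        return 1
    }
    if [ "$(option_state "$config" MODULES)" = y ]; then
        echo "CONFIG_MODULES is still enabled" >&2
        return 1
    fi
    return 0
}

# Regenerate the config in $KERNEL and check it. If something was dropped, fix
# its dependency (make ARCH=s390 CROSS_COMPILE=s390x-linux-gnu- menuconfig) and rerun.
regenerate_and_check() {
    make -C "$KERNEL" ARCH=s390 CROSS_COMPILE=s390x-linux-gnu- olddefconfig
    syz_config_ok "$KERNEL/.config"
}
```

Run `regenerate_and_check` from any directory once `$KERNEL` is set; a non-zero exit means the kernel you are about to build will not give syzkaller the coverage or sanitizer it expects, and the stderr lines name the options to chase in `menuconfig`.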
Since enabling these options makes more sub-options available, regenerate the config:

```bash
make ARCH=s390 CROSS_COMPILE=s390x-linux-gnu- olddefconfig
```

Build the kernel:

```bash
make ARCH=s390 CROSS_COMPILE=s390x-linux-gnu- -j$(nproc)
```

Now you should have `vmlinux` (kernel binary) and `bzImage` (packed kernel image):

```bash
$ ls $KERNEL/vmlinux
$KERNEL/vmlinux
$ ls $KERNEL/arch/s390/boot/bzImage
$KERNEL/arch/s390/boot/bzImage
```

## Image

### Debian

To create a Debian Linux image with the minimal set of required packages do:

```bash
cd $IMAGE/
wget https://raw.githubusercontent.com/google/syzkaller/master/tools/create-image.sh -O create-image.sh
chmod +x create-image.sh
./create-image.sh -a s390x
```

The result should be the `$IMAGE/bullseye.img` disk image together with the ssh key `$IMAGE/bullseye.id_rsa` for the root account.

For additional options of `create-image.sh`, please refer to `./create-image.sh -h`.

## QEMU

### Debian

Run:

```bash
qemu-system-s390x \
    -M s390-ccw-virtio -cpu max,zpci=on -m 4G -smp 2 \
    -kernel $KERNEL/arch/s390/boot/bzImage \
    -drive file=$IMAGE/bullseye.img,if=virtio,format=raw \
    -append "rootwait root=/dev/vda net.ifnames=0 biosdevname=0" \
    -net nic,model=virtio -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 \
    -display none -serial mon:stdio \
    -pidfile vm.pid 2>&1 | tee vm.log
```

After that you should be able to ssh to the QEMU instance from another terminal:

```bash
ssh -i $IMAGE/bullseye.id_rsa -p 10021 -o "StrictHostKeyChecking no" root@localhost
```

If this fails with "Too many authentication failures", ssh is offering the keys from your agent and
default identity files before the one given with `-i`, and the server disconnects once its
`MaxAuthTries` limit is reached. Append `-o "IdentitiesOnly yes"` so that only the `-i` key is tried.
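A successful ssh login only proves that the image and network work; it says nothing about whether the kernel you built actually has the kcov interface and KASAN that syzkaller relies on. The script below is an added example, not part of the syzkaller docs: it boots the VM with the command line above (detached, console to `vm.log`), waits for sshd with a retry loop, probes the guest, and tears the VM down again. `$KERNEL` and `$IMAGE` are assumed as on this page; the ssh port matches the `hostfwd` above, and the function names are ours.

```bash
#!/bin/bash
# Added example (not syzkaller code): boot the VM, wait for ssh, and check
# inside the guest that kcov and KASAN are present.
SSH_PORT=10021
SSH_KEY="$IMAGE/bullseye.id_rsa"
VM_PIDFILE=vm.pid

# Run a command in the guest. IdentitiesOnly keeps ssh from offering agent keys
# first and tripping the server's MaxAuthTries.
vm_ssh() {
    ssh -i "$SSH_KEY" -p "$SSH_PORT" -o StrictHostKeyChecking=no \
        -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes \
        -o ConnectTimeout=5 root@localhost "$@"
}

# retry TRIES INTERVAL CMD... : run CMD until it succeeds, at most TRIES times,
# sleeping INTERVAL seconds between attempts. 0 on success, 1 if it never succeeds.
retry() {
    local tries="$1" interval="$2" i=0; shift 2
    while [ "$i" -lt "$tries" ]; do
        "$@" >/dev/null 2>&1 && return 0
        i=$((i + 1))
        sleep "$interval"
    done
    return 1
}

# Commands run inside the guest. debugfs is mounted explicitly because a fresh
# image does not mount it at boot; /sys/kernel/debug/kcov is the interface
# syzkaller uses, and KASAN announces itself in the boot log.
GUEST_PROBE='mount -t debugfs none /sys/kernel/debug 2>/dev/null
if [ -e /sys/kernel/debug/kcov ]; then echo kcov=present; else echo kcov=missing; fi
if dmesg | grep -q "KernelAddressSanitizer initialized"; then echo kasan=present; else echo kasan=missing; fi'

# report_ok reads the probe output on stdin; 0 only if both features are present.
report_ok() {
    local kcov=no kasan=no line
    while IFS= read -r line; do
        case "$line" in
            kcov=present)  kcov=yes ;;
            kasan=present) kasan=yes ;;
        esac
    done
    [ "$kcov" = yes ] && [ "$kasan" = yes ]
}

vm_stop() {
    [ -f "$VM_PIDFILE" ] && kill "$(cat "$VM_PIDFILE")" 2>/dev/null
    rm -f "$VM_PIDFILE"
}

# Boot, probe, shut down; the exit status says whether the kernel is usable.
boot_and_check() {
    qemu-system-s390x \
        -M s390-ccw-virtio -cpu max,zpci=on -m 4G -smp 2 \
        -kernel "$KERNEL/arch/s390/boot/bzImage" \
        -drive "file=$IMAGE/bullseye.img,if=virtio,format=raw" \
        -append "rootwait root=/dev/vda net.ifnames=0 biosdevname=0" \
        -net nic,model=virtio -net "user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:${SSH_PORT}-:22" \
        -display none -serial file:vm.log -daemonize -pidfile "$VM_PIDFILE" || return 1
    if ! retry 60 2 vm_ssh true; then
        echo "guest did not answer ssh within 120s; see vm.log" >&2
        vm_stop
        return 1
    fi
    local rc=0
    vm_ssh "$GUEST_PROBE" | report_ok || rc=1
    vm_stop
    return $rc
}
```

Call `boot_and_check` once the kernel and image are in place; if it reports `kcov=missing`, go back to the config step rather than on to syz-manager, which would otherwise fail with no coverage. The only change to the QEMU invocation is `-serial file:vm.log -daemonize` in place of `-serial mon:stdio ... | tee vm.log`, so the VM can run in the background.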
To kill the running QEMU instance press `Ctrl+A` and then `X`, or run:

```bash
kill $(cat vm.pid)
```

If QEMU works, the kernel boots and ssh succeeds, you can shut down QEMU and try to run syzkaller.

## syzkaller

Build syzkaller as described [here](/docs/linux/setup.md#go-and-syzkaller), with the `s390x` target:

```bash
make TARGETOS=linux TARGETARCH=s390x
```

Then create a manager config like the following, replacing the environment
variables `$GOPATH`, `$KERNEL` and `$IMAGE` with their actual values:

```json
{
	"target": "linux/s390x",
	"http": "127.0.0.1:56741",
	"workdir": "$GOPATH/src/github.com/google/syzkaller/workdir",
	"kernel_obj": "$KERNEL",
	"image": "$IMAGE/bullseye.img",
	"sshkey": "$IMAGE/bullseye.id_rsa",
	"syzkaller": "$GOPATH/src/github.com/google/syzkaller",
	"procs": 8,
	"type": "qemu",
	"vm": {
		"count": 4,
		"kernel": "$KERNEL/arch/s390/boot/bzImage",
		"cpu": 2,
		"mem": 2048
	}
}
```

Run syzkaller manager:

```bash
mkdir workdir
./bin/syz-manager -config=my.cfg
```

Now syzkaller should be running; you can check manager status with your web browser at `127.0.0.1:56741`.

If you get issues after `syz-manager` starts, consider running it with the `-debug` flag.
Also see [this page](/docs/troubleshooting.md) for troubleshooting tips.
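Most first-run failures of `syz-manager` come down to a path in the config that does not exist: the variables were left unexpanded, the image was built under a different release name, or the s390x target binaries were never built. The script below is an added example, not part of the syzkaller docs: it writes the config above with `$GOPATH`, `$KERNEL` and `$IMAGE` expanded by the shell and checks every artifact syz-manager will need before starting it. Paths follow the text above; the function names and the `bin/linux_s390x/syz-executor` check (the cross-built executor that `make TARGETARCH=s390x` produces) are ours.

```bash
#!/bin/bash
# Added example (not syzkaller code): generate my.cfg from real paths and
# refuse to start syz-manager when an input is missing.

# check_inputs GOPATH KERNEL IMAGE -> 0 if every artifact syz-manager needs
# exists, else 1 with each missing path on stderr.
check_inputs() {
    local gopath="$1" kernel="$2" image="$3" p rc=0
    local syz="$gopath/src/github.com/google/syzkaller"
    for p in "$kernel/vmlinux" \
             "$kernel/arch/s390/boot/bzImage" \
             "$image/bullseye.img" \
             "$image/bullseye.id_rsa" \
             "$syz/bin/syz-manager" \
             "$syz/bin/linux_s390x/syz-executor"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; rc=1; }
    done
    return $rc
}

# write_cfg OUT GOPATH KERNEL IMAGE -> writes the manager config above to OUT,
# with the three variables expanded by the shell (an unquoted heredoc).
write_cfg() {
    local out="$1" gopath="$2" kernel="$3" image="$4"
    cat > "$out" <<EOF
{
	"target": "linux/s390x",
	"http": "127.0.0.1:56741",
	"workdir": "$gopath/src/github.com/google/syzkaller/workdir",
	"kernel_obj": "$kernel",
	"image": "$image/bullseye.img",
	"sshkey": "$image/bullseye.id_rsa",
	"syzkaller": "$gopath/src/github.com/google/syzkaller",
	"procs": 8,
	"type": "qemu",
	"vm": {
		"count": 4,
		"kernel": "$kernel/arch/s390/boot/bzImage",
		"cpu": 2,
		"mem": 2048
	}
}
EOF
}

# Validate, write my.cfg into the syzkaller tree, create the workdir, start.
start_manager() {
    local syz="$GOPATH/src/github.com/google/syzkaller"
    check_inputs "$GOPATH" "$KERNEL" "$IMAGE" || return 1
    write_cfg "$syz/my.cfg" "$GOPATH" "$KERNEL" "$IMAGE"
    mkdir -p "$syz/workdir"
    cd "$syz" && ./bin/syz-manager -config=my.cfg "$@"
}
```

`start_manager -debug` passes the flag through for the troubleshooting case mentioned above. Keeping the validation separate from the config writer means the same `check_inputs` can run from a CI job or a cron wrapper without touching the config.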