Obtain s390x-linux-gnu-gcc
at least GCC version 9. The latest Debian/Ubuntu/Fedora distributions
should provide a recent enough version of a cross-compiler in the gcc-s390x-linux-gnu
package.
Checkout Linux kernel source:
git clone git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git $KERNEL
Generate default configs:
cd $KERNEL
make ARCH=s390 CROSS_COMPILE=s390x-linux-gnu- defconfig
make ARCH=s390 CROSS_COMPILE=s390x-linux-gnu- kvm_guest.config
Enable kernel config options required for syzkaller as described here.
./scripts/config --file .config \
-d MODULES \
-e KCOV \
-e KCOV_INSTRUMENT_ALL \
-e KCOV_ENABLE_COMPARISONS \
-e KASAN \
-e KASAN_INLINE \
-e CONFIGFS_FS \
-e SECURITYFS \
-e DEBUG_INFO \
-e GDB_SCRIPTS \
-e PRINTK \
-e EARLY_PRINTK \
-e DEVTMPFS \
-e TUN \
-e VIRTIO_PCI \
-e VIRTIO_NET \
-e NET_9P_VIRTIO \
-e NET_9P \
-e 9P_FS \
-e BINFMT_MISC \
-e FAULT_INJECTION \
-e FAILSLAB \
-e FAIL_PAGE_ALLOC \
-e FAIL_MAKE_REQUEST \
-e FAIL_IO_TIMEOUT \
-e FAIL_FUTEX \
-e FAULT_INJECTION_DEBUG_FS \
-e FAULT_INJECTION_STACKTRACE_FILTER \
-e DEBUG_KMEMLEAK
Edit .config
file manually and enable them (or do that through make menuconfig
if you prefer).
Since enabling these options results in more sub options being available, we need to regenerate config:
make ARCH=s390 CROSS_COMPILE=s390x-linux-gnu- olddefconfig
Build the kernel:
make ARCH=s390 CROSS_COMPILE=s390x-linux-gnu- -j$(nproc)
Now you should have vmlinux
(kernel binary) and bzImage
(packed kernel image):
$ ls $KERNEL/vmlinux
$KERNEL/vmlinux
$ ls $KERNEL/arch/s390/boot/bzImage
$KERNEL/arch/s390/boot/bzImage
To create a Debian Linux image with the minimal set of required packages do:
cd $IMAGE/
wget https://raw.githubusercontent.com/google/syzkaller/master/tools/create-image.sh -O create-image.sh
chmod +x create-image.sh
./create-image.sh -a s390x
The result should be $IMAGE/bullseye.img
disk image.
For additional options of create-image.sh
, please refer to ./create-image.sh -h
Run:
qemu-system-s390x \
-M s390-ccw-virtio -cpu max,zpci=on -m 4G -smp 2 \
-kernel $KERNEL/arch/s390/boot/bzImage \
-drive file=$IMAGE/buster.img,if=virtio,format=raw \
-append "rootwait root=/dev/vda net.ifnames=0 biosdevname=0" \
-net nic,model=virtio -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 \
-display none -serial mon:stdio \
-pidfile vm.pid 2>&1 | tee vm.log
After that you should be able to ssh to QEMU instance in another terminal:
ssh -i $IMAGE/buster.id_rsa -p 10021 -o "StrictHostKeyChecking no" root@localhost
If this fails with "too many tries", ssh may be passing default keys before
the one explicitly passed with -i
. Append option -o "IdentitiesOnly yes"
.
To kill the running QEMU instance press Ctrl+A
and then X
or run:
kill $(cat vm.pid)
If QEMU works, the kernel boots and ssh succeeds, you can shutdown QEMU and try to run syzkaller.
Build syzkaller as described here, with s390x
target:
make TARGETOS=linux TARGETARCH=s390x
Then create a manager config like the following, replacing the environment
variables $GOPATH
, $KERNEL
and $IMAGE
with their actual values.
{
"target": "linux/s390x",
"http": "127.0.0.1:56741",
"workdir": "$GOPATH/src/github.com/google/syzkaller/workdir",
"kernel_obj": "$KERNEL",
"image": "$IMAGE/buster.img",
"sshkey": "$IMAGE/buster.id_rsa",
"syzkaller": "$GOPATH/src/github.com/google/syzkaller",
"procs": 8,
"type": "qemu",
"vm": {
"count": 4,
"kernel": "$KERNEL/arch/s390/boot/bzImage",
"cpu": 2,
"mem": 2048
}
}
Run syzkaller manager:
mkdir workdir
./bin/syz-manager -config=my.cfg
Now syzkaller should be running, you can check manager status with your web browser at 127.0.0.1:56741
.
If you get issues after syz-manager
starts, consider running it with the -debug
flag.
Also see this page for troubleshooting tips.