Skip to content

[Secret Hiding] Add Linux patches with userfault support #5163

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Apr 23, 2025
Merged

[Secret Hiding] Add Linux patches with userfault support #5163

merged 4 commits into from
Apr 23, 2025

Conversation

@kalyazin
Copy link
Contributor

@kalyazin kalyazin commented Apr 22, 2025

Changes

  • Make it clear that the patches are distributed under the GPL-2.0 licence
  • Add Linux patches for supporing userfault in guest_memfd

Reason

  • Patches are required for Secret Hiding CI

License Acceptance

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license. For more information on following Developer
Certificate of Origin and signing off your commits, please check
CONTRIBUTING.md.

PR Checklist

  • I have read and understand CONTRIBUTING.md.
  • I have run tools/devtool checkstyle to verify that the PR passes the
    automated style checks.
  • I have described what is done in these changes, why they are needed, and
    how they are solving the problem in a clear and encompassing way.
  • I have updated any relevant documentation (both in code and in the docs)
    in the PR.
  • [ ] I have mentioned all user-facing changes in CHANGELOG.md.
  • [ ] If a specific issue led to this PR, this PR closes the issue.
  • [ ] When making API changes, I have followed the
    Runbook for Firecracker API changes.
  • [ ] I have tested all new and changed functionalities in unit tests and/or
    integration tests.
  • [ ] I have linked an issue to every new TODO.
  • This functionality cannot be added in rust-vmm.

@codecov
Copy link

codecov bot commented Apr 22, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.73%. Comparing base (c1479ae) to head (77c3eee).
Report is 4 commits behind head on feature/secret-hiding.

Additional details and impacted files 
@@                  Coverage Diff                   @@
##           feature/secret-hiding    #5163   +/-   ##
======================================================
  Coverage                  82.73%   82.73%           
======================================================
  Files                        251      251           
  Lines                      27522    27522           
======================================================
  Hits                       22771    22771           
  Misses                      4751     4751
Flag Coverage Δ
5.10-c5n.metal 83.20% <ø> (ø)
5.10-m5n.metal 83.20% <ø> (+<0.01%) ⬆️
5.10-m6a.metal 82.37% <ø> (-0.01%) ⬇️
5.10-m6g.metal 79.07% <ø> (ø)
5.10-m6i.metal 83.20% <ø> (ø)
5.10-m7a.metal-48xl 82.37% <ø> (ø)
5.10-m7g.metal 79.07% <ø> (ø)
6.1-c5n.metal 83.24% <ø> (ø)
6.1-m5n.metal 83.24% <ø> (-0.01%) ⬇️
6.1-m6a.metal 82.41% <ø> (ø)
6.1-m6g.metal 79.07% <ø> (ø)
6.1-m6i.metal 83.24% <ø> (ø)
6.1-m7a.metal-48xl 82.42% <ø> (+<0.01%) ⬆️
6.1-m7g.metal 79.06% <ø> (-0.01%) ⬇️
6.14-c5n.metal 83.21% <ø> (+<0.01%) ⬆️
6.14-m5n.metal 83.21% <ø> (ø)
6.14-m6a.metal 82.38% <ø> (ø)
6.14-m6g.metal 79.03% <ø> (ø)
6.14-m6i.metal 83.20% <ø> (ø)
6.14-m7a.metal-48xl 82.38% <ø> (ø)
6.14-m7g.metal 79.03% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@kalyazin
chore(hiding_ci): skip non-patch files when applying
0d2ddd3 
This is to allow to keep the licence and readme files in the patches
directory.

Signed-off-by: Nikita Kalyazin <[email protected]>
hyandell
hyandell reviewed Apr 22, 2025
View reviewed changes
hyandell
hyandell reviewed Apr 22, 2025
View reviewed changes
Copy link
Contributor

@hyandell hyandell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One small suggestion to the patches/README.

Perhaps also call the directory kernel-patches to allow for other patches without mixing them.

@kalyazin kalyazin marked this pull request as ready for review April 23, 2025 07:36
@kalyazin kalyazin self-assigned this Apr 23, 2025
kalyazin added 3 commits April 23, 2025 07:39
@kalyazin
doc(hiding_ci): add readme and GPL-2.0 text for Linux patches
713f076 
Explicitly mention that Linux patches are distributed under the GPL-2.0
licence.

Signed-off-by: Nikita Kalyazin <[email protected]>
@kalyazin
chore(hiding_ci): add userfault Linux patches
82c1a06 
Include the following patch series rebased on top of the v7 of "KVM:
Mapping guest_memfd backed memory at the host for software protected
VMs"
(https://<lor>/kvm/[email protected]/, replace
"<lor>" with "lore.kernel.org" in this and the following links):
 - v4 "Direct Map Removal for guest_memfd"
   (https://<lor>/kvm/[email protected]/),
   with fixups
 - v2 "KVM: Introduce KVM Userfault"
   (https://<lor>/kvm/[email protected]/)
 - v3 "KVM: guest_memfd: use write for population"
   (https://<lor>/kvm/[email protected]/)
 - v3 "KVM: guest_memfd: support for uffd minor"
   (https://<lor>/kvm/[email protected]/),
   with fixups

After this change all patches are represented as plain text files,
meaning no patches are required to be fetched via a lore link.

Signed-off-by: Nikita Kalyazin <[email protected]>
@kalyazin
chore(hiding_ci): rename patches dir to linux_patches
77c3eee 
This is to keep Linux patches separate in case we need to store some
other patches at some point.

Signed-off-by: Nikita Kalyazin <[email protected]>
@kalyazin
Copy link
Contributor Author

kalyazin commented Apr 23, 2025

One small suggestion to the patches/README.

Perhaps also call the directory kernel-patches to allow for other patches without mixing them.

I renamed the directory to linux_patches. Thanks!

@roypat roypat enabled auto-merge (rebase) April 23, 2025 08:19
@roypat roypat merged commit 90dca9a into firecracker-microvm:feature/secret-hiding Apr 23, 2025
6 of 7 checks passed
@kalyazin kalyazin deleted the patches-sh branch April 23, 2025 09:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Manciukic Manciukic Manciukic approved these changes

@JackThomson2 JackThomson2 JackThomson2 approved these changes

@xmarcalx xmarcalx Awaiting requested review from xmarcalx xmarcalx is a code owner

@pb8o pb8o Awaiting requested review from pb8o pb8o is a code owner

+2 more reviewers

@hyandell hyandell hyandell left review comments

@roypat roypat roypat approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@kalyazin kalyazin

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@kalyazin @hyandell @Manciukic @JackThomson2 @roypat