Advanced Usage Documentaiton out of date

[joh-nnyS]

Hey @paulgazz,

I'm trying to output a list of configuration conditions for each compilation unit of linux kernel source. My use case is to see under which conditions which source file is compiled. It looks like this was (and probably still is) possible:

https://github.com/paulgazz/kmax/blob/master/docs/advanced.md#simple-example https://github.com/paulgazz/kmax/blob/master/docs/advanced.md#example-on-linux

However the documentation for this seems outdated? The -g option does not even exist anymore? I'm looking at the source code now trying to piece together what I need. Might make a PR to update the documentation for this use case when I get there.

I'd appreciate any help of course. Specifically I'm working with the 4.19.323 Kernel. Endgoal is to to automate the process of checking whether Kernel CVEs may be disregarded due to kernel config/ be able to tell which CVEs we may get rid of by disabling possibly not needed options.

[joh-nnyS]

kmaxall arch/x86_64 block certs crypto drivers fs init ipc kernel lib mm net security sound usr virt > kmaxallOutput.txt

should, I think do the trick?

hitting this error at some point:

kmax -Dsrc=arch/x86_64 -Dsrctree=./ -z arch/x86_64 ERROR(kmax): arch/x86_64 Traceback (most recent call last): File "/usr/local/bin/kmaxall", line 4, in import('pkg_resources').run_script('kmax==4.8', 'kmaxall') File "/usr/lib/python3/dist-packages/pkg_resources/init.py", line 656, in run_script self.require(requires)[0].run_script(script_name, ns) File "/usr/lib/python3/dist-packages/pkg_resources/init.py", line 1453, in run_script exec(code, namespace, namespace) File "/usr/local/lib/python3.10/dist-packages/kmax-4.8-py3.10-linux-x86_64.egg/EGG-INFO/scripts/kmaxall", line 287, in pending_subdirectories.update(covering_set(pending_subdirectories.pop())) File "/usr/local/lib/python3.10/dist-packages/kmax-4.8-py3.10-linux-x86_64.egg/EGG-INFO/scripts/kmaxall", line 219, in covering_set sys.stderr.write(err) TypeError: write() argument must be str, not bytes

[joh-nnyS]

changed kmaxall, line 219 to: sys.stderr.write(err.decode('utf-8')) Though I guess I'll need to dive deeper....

[paulgazz]

Hi @joh-nnyS thanks for looking into this and apologies for the out of date documentation.

Indeed kmax may gave changed interface, but it should still be possible to get conditions for each source file. kmaxall is the right place to start. klocalizer has code that uses kmaxall to get each files conditions.

I'll take a look at this and try to get you the right commands. It may just require reading in some pickled data structure.

For conditions output is smt-lib2 output okay for the conditions?

[paulgazz]

Hi @joh-nnyS , I'm having trouble replicating your bug. I tried kmaxall on Linux 4.19.323, but I was able to generate constraints with the command you used. One thing is that 4.19.323 doesn't seem to have an arch/x86_64 directory (just arch/x86), though that isn't enough to explain the error about str vs. bytes.

Could you let me know what version of python you have installed and how you installed kmax? (I'm using python 3.12.3 and kmax is installed via pipx).

Also, I don't see the arch/x86_64 directory, just arch/x86, though not sure if that could be related (I just get a warning about the directory not existing with kmaxall).

Otherwise, your kmaxall command looks good. You can see how to work with the output of it with the kreader tool, e.g.,

kmaxall arch/x86_64 block certs crypto drivers fs init ipc kernel lib mm net security sound ususr virt | tee kmaxall.out
kreader --show-constraints --kmax-formulas kmaxall.out

kreader shows how to read the output of kmaxall. This gives you smt-lib2 constraints (used the z3 library).

Note that there is a special function to conjoin the conditions for a compilation unit's parent directories. For instance, to get the complete constraints for net/ipv4/netfilter/nft_dup_ipv4.o, it conjoins its own condition with the parent directory net/ipv4/netfilter/ condition then finally with the net/ipv4 condition (net/ is always included, so it's condition is always True), e.g.,

net/ipv4/netfilter/nft_dup_ipv4.o CONFIG_NFT_DUP_IPV4
net/ipv4/netfilter/ CONFIG_NETFILTER
net/ipv4/ CONFIG_INET

becomes

net/ipv4/netfilter/nft_dup_ipv4.o And(CONFIG_NFT_DUP_IPV4, CONFIG_NETFILTER, CONFIG_INET)

[joh-nnyS]

@paulgazz I appreciate the reply, thank you for taking the time!

I was running the command in two ways, both resulting in the error above:

• in a python 3.12.3 venv, installed via pip from a local clone of the repository
• from within a modified (mounting a local kernel instead of downloading) version of the Dockerfile in /scripts, which uses python 3.10

I was however running them on a modifled version of the 4.19.323 Kernel. Though looking at the patches we've applied I don't see how that would result in the error. Can't rule these out as the cause though.

I'll try to run again on a unpached version of the kernel to rule this out and will get back to you if the error occurs again.

I had stumbled across kreader in the meantime but did not have the time to play with it yet. I'm not sure I qualify for a PR to update the documentation yet, but having looked at your tool some more I can see other use cases (I think). So we'll see. In the meantime, I hope, this issue should help anyone who stumbles across the same thing.

Thanks again!