1#!/bin/bash 2# Copyright 2016 syzkaller project authors. All rights reserved. 3# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. 4 5# create-gce-image.sh creates a minimal bootable image suitable for syzkaller/GCE. 6# The image will have password-less root login with a key stored in key file. 7# 8# Prerequisites: 9# - you need a user-space system, a basic Debian system can be created with: 10# sudo debootstrap --include=openssh-server,curl,tar,gcc,libc6-dev,time,strace,sudo,less,psmisc,selinux-utils,policycoreutils,checkpolicy,selinux-policy-default stable debian 11# - you need kernel to use with image (e.g. arch/x86/boot/bzImage) 12# note: kernel modules are not supported 13# - you need grub: 14# sudo apt-get install grub-efi 15# 16# Usage: 17# ./create-gce-image.sh /dir/with/user/space/system /path/to/bzImage 18# 19# SYZ_VM_TYPE env var controls type of target test machine. Supported values: 20# - qemu (default, uses /dev/loop) 21# - gce (uses /dev/nbd0) 22# Needs nbd support in kernel and qemu-utils (qemu-nbd) installed. 23# 24# If SYZ_SYSCTL_FILE env var is set and points to a file, 25# then its contents will be appended to the image /etc/sysctl.conf. 26# If SYZ_CMDLINE_FILE env var is set and points to a file, 27# then its contents will be appended to the kernel command line. 28# If MKE2FS_CONFIG env var is set, it will affect invoked mkfs.ext4. 29# 30# Outputs are (in the current dir): 31# - disk.raw: the image 32# - key: root ssh key 33# The script can also create/delete temp files in the current dir. 34# 35# The image then needs to be compressed with: 36# tar -Sczf disk.tar.gz disk.raw 37# and uploaded to GCS with: 38# gsutil cp disk.tar.gz gs://my-images/image.tar.gz 39# finally, my-images/image.tar.gz can be used to create a new GCE image. 40# 41# The image can be tested locally with e.g.: 42# qemu-system-x86_64 -hda disk.raw -net user,host=10.0.2.10,hostfwd=tcp::10022-:22 \ 43# -net nic -enable-kvm -m 2G -display none -serial stdio 44# once the kernel boots, you can ssh into it with: 45# ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentitiesOnly=yes \ 46# -p 10022 -i key root@localhost 47 48set -eux 49 50CLEANUP="" 51trap 'eval " $CLEANUP"' EXIT 52 53if [ ! -e $1/sbin/init ]; then 54 echo "usage: create-gce-image.sh /dir/with/user/space/system /path/to/bzImage" 55 exit 1 56fi 57 58if [ "$(basename $2)" != "bzImage" ]; then 59 echo "usage: create-gce-image.sh /dir/with/user/space/system /path/to/bzImage" 60 exit 1 61fi 62 63SYZ_VM_TYPE="${SYZ_VM_TYPE:-qemu}" 64if [ "$SYZ_VM_TYPE" == "qemu" ]; then 65 : 66elif [ "$SYZ_VM_TYPE" == "gce" ]; then 67 : 68else 69 echo "SYZ_VM_TYPE has unsupported value $SYZ_VM_TYPE" 70 exit 1 71fi 72 73# Clean up after previous unsuccessful run. 74sudo umount disk.mnt || true 75if [ "$SYZ_VM_TYPE" == "qemu" ]; then 76 : 77elif [ "$SYZ_VM_TYPE" == "gce" ]; then 78 sudo modprobe nbd 79 sudo qemu-nbd -d /dev/nbd0 || true 80fi 81rm -rf disk.mnt disk.raw || true 82 83fallocate -l 2G disk.raw 84if [ "$SYZ_VM_TYPE" == "qemu" ]; then 85 DISKDEV="$(sudo losetup -f --show -P disk.raw)" 86 CLEANUP="sudo losetup -d $DISKDEV; $CLEANUP" 87elif [ "$SYZ_VM_TYPE" == "gce" ]; then 88 DISKDEV="/dev/nbd0" 89 sudo qemu-nbd -c $DISKDEV --format=raw disk.raw 90 CLEANUP="sudo qemu-nbd -d $DISKDEV; $CLEANUP" 91fi 92echo -en "o\nn\np\n1\n\n\na\nw\n" | sudo fdisk $DISKDEV 93PARTDEV=$DISKDEV"p1" 94until [ -e $PARTDEV ]; do sleep 1; done 95sudo -E mkfs.ext4 $PARTDEV 96mkdir -p disk.mnt 97CLEANUP="rm -rf disk.mnt; $CLEANUP" 98sudo mount $PARTDEV disk.mnt 99CLEANUP="sudo umount disk.mnt; $CLEANUP" 100sudo cp -a $1/. disk.mnt/. 101sudo cp $2 disk.mnt/vmlinuz 102sudo sed -i "/^root/ { s/:x:/::/ }" disk.mnt/etc/passwd 103echo "T0:23:respawn:/sbin/getty -L ttyS0 115200 vt100" | sudo tee -a disk.mnt/etc/inittab 104echo -en "auto lo\niface lo inet loopback\nauto eth0\niface eth0 inet dhcp\n" | sudo tee disk.mnt/etc/network/interfaces 105echo "debugfs /sys/kernel/debug debugfs defaults 0 0" | sudo tee -a disk.mnt/etc/fstab 106echo 'binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc defaults 0 0' | sudo tee -a disk.mnt/etc/fstab 107for i in {0..31}; do 108 echo "KERNEL==\"binder$i\", NAME=\"binder$i\", MODE=\"0666\"" | \ 109 sudo tee -a disk.mnt/etc/udev/50-binder.rules 110done 111# We disable selinux for now because the default policy on wheezy prevents 112# mounting of cgroup2 (and stretch we don't know how to configure yet). 113echo 'SELINUX=disabled' | sudo tee disk.mnt/etc/selinux/config 114 115# sysctls 116echo "kernel.printk = 7 4 1 3" | sudo tee -a disk.mnt/etc/sysctl.conf 117echo "debug.exception-trace = 0" | sudo tee -a disk.mnt/etc/sysctl.conf 118SYZ_SYSCTL_FILE="${SYZ_SYSCTL_FILE:-}" 119if [ "$SYZ_SYSCTL_FILE" != "" ]; then 120 cat $SYZ_SYSCTL_FILE | sudo tee -a disk.mnt/etc/sysctl.conf 121fi 122 123echo -en "127.0.0.1\tlocalhost\n" | sudo tee disk.mnt/etc/hosts 124echo "nameserver 8.8.8.8" | sudo tee -a disk.mnt/etc/resolve.conf 125echo "ClientAliveInterval 420" | sudo tee -a disk.mnt/etc/ssh/sshd_config 126echo "syzkaller" | sudo tee disk.mnt/etc/hostname 127rm -f key key.pub 128ssh-keygen -f key -t rsa -N "" 129sudo mkdir -p disk.mnt/root/.ssh 130sudo cp key.pub disk.mnt/root/.ssh/authorized_keys 131sudo chown root disk.mnt/root/.ssh/authorized_keys 132sudo mkdir -p disk.mnt/boot/grub 133 134CMDLINE="" 135SYZ_CMDLINE_FILE="${SYZ_CMDLINE_FILE:-}" 136if [ "$SYZ_CMDLINE_FILE" != "" ]; then 137 CMDLINE=$(awk '{printf("%s ", $0)}' $SYZ_CMDLINE_FILE) 138fi 139 140cat << EOF | sudo tee disk.mnt/boot/grub/grub.cfg 141terminal_input console 142terminal_output console 143set timeout=0 144# vsyscall=native: required to run x86_64 executables on android kernels 145# (for some reason they disable VDSO by default) 146# rodata=n: mark_rodata_ro becomes very slow with KASAN (lots of PGDs) 147# panic=86400: prevents kernel from rebooting so that we don't get reboot output in all crash reports 148# debug is not set as it produces too much output 149menuentry 'linux' --class gnu-linux --class gnu --class os { 150 insmod vbe 151 insmod vga 152 insmod video_bochs 153 insmod video_cirrus 154 insmod gzio 155 insmod part_msdos 156 insmod ext2 157 set root='(hd0,1)' 158 linux /vmlinuz root=/dev/sda1 console=ttyS0 earlyprintk=serial vsyscall=native rodata=n ftrace_dump_on_oops=orig_cpu oops=panic panic_on_warn=1 nmi_watchdog=panic panic=86400 $CMDLINE 159} 160EOF 161sudo grub-install --target=i386-pc --boot-directory=disk.mnt/boot --no-floppy $DISKDEV 162