Obtain s390x-linux-gnu-gcc at least GCC version 9. The latest Debian/Ubuntu/Fedora distributions
should provide a recent enough version of a cross-compiler in the gcc-s390x-linux-gnu package.
Checkout Linux kernel source:
git clone git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git $KERNELGenerate default configs:
cd $KERNEL
make ARCH=s390 CROSS_COMPILE=s390x-linux-gnu- defconfig
make ARCH=s390 CROSS_COMPILE=s390x-linux-gnu- kvm_guest.configEnable kernel config options required for syzkaller as described here.
./scripts/config --file .config \
-d MODULES \
-e KCOV \
-e KCOV_INSTRUMENT_ALL \
-e KCOV_ENABLE_COMPARISONS \
-e KASAN \
-e KASAN_INLINE \
-e CONFIGFS_FS \
-e SECURITYFS \
-e DEBUG_INFO \
-e GDB_SCRIPTS \
-e PRINTK \
-e EARLY_PRINTK \
-e DEVTMPFS \
-e TUN \
-e VIRTIO_PCI \
-e VIRTIO_NET \
-e NET_9P_VIRTIO \
-e NET_9P \
-e 9P_FS \
-e BINFMT_MISC \
-e FAULT_INJECTION \
-e FAILSLAB \
-e FAIL_PAGE_ALLOC \
-e FAIL_MAKE_REQUEST \
-e FAIL_IO_TIMEOUT \
-e FAIL_FUTEX \
-e FAULT_INJECTION_DEBUG_FS \
-e FAULT_INJECTION_STACKTRACE_FILTER \
-e DEBUG_KMEMLEAK
Edit .config file manually and enable them (or do that through make menuconfig if you prefer).
Since enabling these options results in more sub options being available, we need to regenerate config:
make ARCH=s390 CROSS_COMPILE=s390x-linux-gnu- olddefconfigBuild the kernel:
make ARCH=s390 CROSS_COMPILE=s390x-linux-gnu- -j$(nproc)
Now you should have vmlinux (kernel binary) and bzImage (packed kernel image):
$ ls $KERNEL/vmlinux
$KERNEL/vmlinux
$ ls $KERNEL/arch/s390/boot/bzImage
$KERNEL/arch/s390/boot/bzImageTo create a Debian Linux image with the minimal set of required packages do:
cd $IMAGE/
wget https://raw.githubusercontent.com/google/syzkaller/master/tools/create-image.sh -O create-image.sh
chmod +x create-image.sh
./create-image.sh -a s390x
The result should be $IMAGE/trixie.img disk image.
For additional options of create-image.sh, please refer to ./create-image.sh -h
Run:
qemu-system-s390x \
-M s390-ccw-virtio -cpu max,zpci=on -m 4G -smp 2 \
-kernel $KERNEL/arch/s390/boot/bzImage \
-drive file=$IMAGE/trixie.img,if=virtio,format=raw \
-append "rootwait root=/dev/vda net.ifnames=0 biosdevname=0" \
-net nic,model=virtio -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 \
-display none -serial mon:stdio \
-pidfile vm.pid 2>&1 | tee vm.logAfter that you should be able to ssh to QEMU instance in another terminal:
ssh -i $IMAGE/trixie.id_rsa -p 10021 -o "StrictHostKeyChecking no" root@localhostIf this fails with "too many tries", ssh may be passing default keys before
the one explicitly passed with -i. Append option -o "IdentitiesOnly yes".
To kill the running QEMU instance press Ctrl+A and then X or run:
kill $(cat vm.pid)If QEMU works, the kernel boots and ssh succeeds, you can shutdown QEMU and try to run syzkaller.
Build syzkaller as described here, with s390x target:
make TARGETOS=linux TARGETARCH=s390x
Then create a manager config like the following, replacing the environment
variables $GOPATH, $KERNEL and $IMAGE with their actual values.
{
"target": "linux/s390x",
"http": "127.0.0.1:56741",
"workdir": "$GOPATH/src/github.com/google/syzkaller/workdir",
"kernel_obj": "$KERNEL",
"image": "$IMAGE/trixie.img",
"sshkey": "$IMAGE/trixie.id_rsa",
"syzkaller": "$GOPATH/src/github.com/google/syzkaller",
"procs": 8,
"type": "qemu",
"vm": {
"count": 4,
"kernel": "$KERNEL/arch/s390/boot/bzImage",
"cpu": 2,
"mem": 2048
}
}
Run syzkaller manager:
mkdir workdir
./bin/syz-manager -config=my.cfgNow syzkaller should be running, you can check manager status with your web browser at 127.0.0.1:56741.
If you get issues after syz-manager starts, consider running it with the -debug flag.
Also see this page for troubleshooting tips.