# Setup: Debian host, QEMU vm, arm kernel

# GCC

Obtain a fresh `arm-linux-gnueabihf-gcc`. Latest Debian distributions provide
version 7.2.0, which should be enough. Otherwise you can download the Linaro
compiler [here](https://www.linaro.org/downloads).

# Kernel

The instructions are tested with `v4.16.1`. Check that you have (or backport) the
["arm: port KCOV to arm"](https://groups.google.com/d/msg/syzkaller/zLThPHplyIc/9ncfpRvVCAAJ)
patch. Create the kernel config with:

```shell
make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- vexpress_defconfig
```

Then enable the following configs on top:

```
CONFIG_KCOV=y
CONFIG_DEBUG_INFO=y
CONFIG_DEVTMPFS_MOUNT=y
CONFIG_NAMESPACES=y
CONFIG_USER_NS=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
```

Also check out the general kernel configuration [recommendations](/docs/linux/kernel_configs.md).

Then build the kernel with the same toolchain prefix used for the config step:

```shell
make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf-
```

# Image

We will use buildroot to create the disk image. You can obtain buildroot
[here](https://buildroot.uclibc.org/download.html). Instructions were tested
with buildroot `c665c7c9cd6646b135cdd9aa7036809f7771ab80`. First run:

```shell
make qemu_arm_vexpress_defconfig
make menuconfig
```

Choose the following options:

```
    Target packages
        Networking applications
            [*] dhcpcd
            [*] iproute2
            [*] openssh
    Filesystem images
        exact size - 1g
```

Unselect:

```
    Kernel
        Linux Kernel
```

Run `make`.

Then add the following line to `output/target/etc/fstab`:

```
debugfs /sys/kernel/debug debugfs defaults 0 0
```

Then replace `output/target/etc/ssh/sshd_config` with the following contents:

```
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
```

Run `make` again.
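Before booting, it is worth verifying that the kernel and image edits above actually took effect: Kconfig silently drops options whose dependencies are unmet (for example `CONFIG_KCOV` without the arm KCOV port), and a buildroot `make` can overwrite hand-edited files in `output/target`. The following pre-flight script is an added example, not part of the syzkaller docs or project; the paths `/linux/.config` and `/buildroot/output/target` in the usage comment are assumptions.

```shell
#!/bin/sh
# Added pre-flight check (example code, not from the syzkaller docs).
# Verifies that the required options ended up in the final kernel .config and
# that the buildroot target tree carries the fstab/sshd_config edits.

# Options the page says must be enabled on top of vexpress_defconfig.
REQUIRED_CONFIGS="CONFIG_KCOV CONFIG_DEBUG_INFO CONFIG_DEVTMPFS_MOUNT \
CONFIG_NAMESPACES CONFIG_USER_NS CONFIG_UTS_NS CONFIG_IPC_NS CONFIG_PID_NS \
CONFIG_NET_NS"

# check_configs <.config path>
# Reports every required option that is not "=y" in the final .config and
# returns 1 if any is missing. Grepping the generated .config (rather than the
# fragment you wrote) is the only reliable check, because Kconfig drops
# options whose dependencies are not satisfied without any error.
check_configs() {
    cfg="$1"
    missing=0
    for opt in $REQUIRED_CONFIGS; do
        if ! grep -q "^${opt}=y$" "$cfg"; then
            echo "missing: ${opt}=y" >&2
            missing=1
        fi
    done
    return $missing
}

# check_target <buildroot output/target dir>
# Confirms the debugfs fstab entry (needed for KCOV under /sys/kernel/debug)
# and the three sshd settings described above are present. Returns 1 on any
# miss so the caller can stop before wasting a boot cycle.
check_target() {
    target="$1"
    rc=0
    if ! grep -q '^debugfs /sys/kernel/debug debugfs' "$target/etc/fstab"; then
        echo "fstab: no debugfs entry" >&2
        rc=1
    fi
    for setting in "PermitRootLogin yes" "PasswordAuthentication yes" \
                   "PermitEmptyPasswords yes"; do
        if ! grep -qx "$setting" "$target/etc/ssh/sshd_config"; then
            echo "sshd_config: missing '$setting'" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage (paths are assumptions, adjust to your layout):
#   check_configs /linux/.config && check_target /buildroot/output/target
```

Run both checks after the second buildroot `make`; a non-zero exit names exactly which option or line is absent, which is far quicker to diagnose than a VM that boots but yields no coverage or refuses the ssh login.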
# Test kernel and image

Run:

```shell
qemu-system-arm -m 512 -smp 2 -net nic -net user,host=10.0.2.10,hostfwd=tcp::10022-:22 -display none -serial stdio -machine vexpress-a15 -dtb /linux/arch/arm/boot/dts/vexpress-v2p-ca15-tc1.dtb -sd /buildroot/output/images/rootfs.ext2 -snapshot -kernel /linux/arch/arm/boot/zImage -append "earlyprintk=serial console=ttyAMA0 root=/dev/sda root=/dev/mmcblk0"
```

This should boot the kernel. Wait for the login prompt, then in another console run:

```shell
ssh -p 10022 root@localhost
```

ssh should succeed.

# syzkaller

Build `syzkaller` with `make TARGETARCH=arm`. Create a manager config `arm.cfg`
similar to the following one (changing paths as necessary):

```
{
	"name": "arm",
	"target": "linux/arm",
	"http": ":12345",
	"workdir": "/workdir",
	"kernel_obj": "/linux",
	"syzkaller": "/gopath/src/github.com/google/syzkaller",
	"image": "/buildroot/output/images/rootfs.ext2",
	"sandbox": "none",
	"reproduce": false,
	"procs": 4,
	"type": "qemu",
	"vm": {
		"count": 10,
		"qemu_args": "-machine vexpress-a15 -dtb /linux/arch/arm/boot/dts/vexpress-v2p-ca15-tc1.dtb",
		"cmdline": "console=ttyAMA0 root=/dev/mmcblk0",
		"kernel": "/linux/arch/arm/boot/zImage",
		"image_device": "sd",
		"mem": 512,
		"cpu": 2
	}
}
```

Finally, run `bin/syz-manager -config arm.cfg`.