
Update AAarch64 VM to both run and copy_to_guest#1578

Merged
lacraig2 merged 2 commits into
devfrom
hot-fix-setup
Jun 9, 2026

Conversation

@AndrewQuijano

@AndrewQuijano AndrewQuijano commented Mar 17, 2025

Collaborator

For LAVA to work on Aarch64, I need to copy to the guest to make hypercalls work as intended. After some testing, I added the necessary flags to the copy to make it work for the guest.

But this PR assumes that the root recording isn't shot too early. See the screenshot confirming copy to the guest worked.

[screenshot]

See here as this was part of a fuller test suite.

Kernel Info for AARCH64

Also, when running the generic arch image, the OSI Linux entry was missing; using these commands in a recording, I obtained the necessary update for kernel.conf.

To compile kernelinfo.ko, I followed these steps to get it cross-compiled. This was done on an x86-64 Ubuntu 22 VM.

    # Install the native build toolchain and the aarch64 cross-compiler
    sudo apt update && sudo apt install -y build-essential gcc-aarch64-linux-gnu make git libssl-dev bison flex

    # Download headers
    # Create a fresh headers directory in your VM's home
    mkdir -p ~/arm64_headers && cd ~/arm64_headers

    # Download the exact pristine ARM64 header .debs from Canonical's pool
    wget http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-headers-5.4.0-58_5.4.0-58.64_all.deb
    wget http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-headers-5.4.0-58-generic_5.4.0-58.64_arm64.deb

    # Extract them cleanly (dpkg -x unpacks without installing)
    dpkg -x linux-headers-5.4.0-58_5.4.0-58.64_all.deb .
    dpkg -x linux-headers-5.4.0-58-generic_5.4.0-58.64_arm64.deb .

    # Pre-install: the .deb ships arm64 build helpers, so rebuild the ones
    # the module build needs as native x86_64 binaries
    cd ~/arm64_headers/usr/src/linux-headers-5.4.0-58-generic

    # Manually compile recordmcount for x86_64
    gcc scripts/recordmcount.c -o scripts/recordmcount

    # Manually compile modpost for x86_64
    gcc scripts/mod/modpost.c scripts/mod/file2alias.c scripts/mod/sumversion.c -o scripts/mod/modpost

    # Compile the kernel module for AARCH64 against the extracted headers
    git clone https://github.com/panda-re/panda.git
    cd panda/panda/plugins/osi_linux/utils/kernelinfo
    make -C ~/arm64_headers/usr/src/linux-headers-5.4.0-58-generic M=$PWD ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- modules

I updated the LAVA script to include the following code, which generated this output:

    import time  # needed for time.sleep below; the snippet as posted omitted its imports

    # `panda` (the pandare.Panda instance), `project` and `record()` are
    # provided by the surrounding LAVA script.
    @panda.queue_blocking
    def create_recording_wrapper():
        # 1. Technically the first two steps of record_cmd,
        # but running the executable ONLY works with absolute paths
        panda.revert_sync('root')

        # TODO: Undo this hack once the image is fixed
        if project['qemu'] == 'aarch64':
            print("[PyPANDA] Forcing guest kernel to rescan PCI bus...")
            panda.run_serial_cmd("echo 1 > /sys/bus/pci/rescan")
            # Give the kernel a second to probe the drive and udev to create /dev/sr0
            time.sleep(2)

        # 2. Transfer the cross-compiled payload via the native PyPANDA layer
        # (absolute_paths=True mirrors the host path structure inside the guest)
        print("[-->] Injecting kernelinfo.ko into guest...")
        panda.copy_to_guest("/mnt/c/Users/andre/OneDrive/Desktop/kernelinfo.ko", absolute_paths=True)

        # 3. Execute the kernel module inside the guest
        # Note: The double '/kernelinfo.ko/kernelinfo.ko' path is a quirk of how
        # copy_to_guest handled the transfer on this specific snapshot.
        print("[-->] Executing kernel module (Operation Not Permitted error is expected!)...")
        panda.run_serial_cmd("sudo insmod /mnt/c/Users/andre/OneDrive/Desktop/kernelinfo.ko/kernelinfo.ko", timeout=60)

        # 4. Harvest the dynamic offsets from the kernel ring buffer
        print("[-->] Harvesting kernel info profile from dmesg:")
        dynamic_offsets = panda.run_serial_cmd("sudo dmesg | tail -n 70", timeout=60)
        print(dynamic_offsets)

        # =======================================================================
        # PHASE 2: STATIC SYMBOLS (via kallsyms)
        # =======================================================================
        print("\n[+] PHASE 2: Hunting Static Kernel Symbols...")
        # kptr_restrict=0 so /proc/kallsyms shows real addresses instead of zeros
        panda.run_serial_cmd("sudo sysctl -w kernel.kptr_restrict=0", timeout=10)

        # 5. Grab finish_task_switch (Required for task.switch_task_hook_addr)
        # The '$' anchor ensures we don't accidentally grab wrapper or clone
        # symbols (e.g. finish_task_switch.isra.0) that share the prefix
        print("[-->] Getting finish_task_switch...")
        switch_hook = panda.run_serial_cmd("sudo cat /proc/kallsyms | grep -E ' finish_task_switch$'", timeout=15)
        print(switch_hook)

        # 6. Grab init_task (Required for task.init_addr & task.current_task_addr)
        print("\n[-->] Getting init_task...")
        init_addr = panda.run_serial_cmd("sudo cat /proc/kallsyms | grep -E ' init_task$'", timeout=15)
        print(init_addr)

        print("[-->] Pulling symbols from System.map disk fallback...")
        print(panda.run_serial_cmd("sudo grep ' finish_task_switch$' /boot/System.map-$(uname -r)", timeout=15))
        print(panda.run_serial_cmd("sudo grep ' init_task$' /boot/System.map-$(uname -r)", timeout=15))

        print("\n[+] PROFILE EXTRACTION COMPLETE!")
        print("[!] Reminder: Convert the static hex addresses to decimal before pasting into kernel.conf.")

    # Kick off the recording; record() is defined elsewhere in the LAVA script
    record()

Output

Here is the output. Some interesting things to flag. The recording failed, but I suspect the root snapshot was done too early, which prompted the rescan for the copy to even work. If the snapshot is redone and the kernelinfo.conf is rebuilt, this could enable AARCH64 to fully work!

bug_mining.log

[  287.138773] blk_update_request: I/O error, dev sr0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
[  287.140067] Buffer I/O error on dev sr0, logical block 0, async page read
[  287.149854] Buffer I/O error on dev sr0, logical block 1, async page read
[  292.281170] kernelinfo: loading out-of-tree module taints kernel.
[  292.290981] kernelinfo: module verification failed: signature and/or required key missing - tainting kernel

[loaded] The plugin is supported on x86-64 and ARM 64-bits
pandalogging on
asidstory: summary_mode = 0
PANDA[taint2]:propagation via pointer dereference ENABLED
PANDA[taint2]:taint operations inlining DISABLED
PANDA[taint2]:llvm optimizations DISABLED
PANDA[taint2]:taint debugging DISABLED
PANDA[taint2]:detaint if control bits 0 DISABLED
PANDA[taint2]:maximum taint compute number (0=unlimited) 0
PANDA[taint2]:maximum taintset cardinality (0=unlimited) 0
[pri_taint] This plugin is activated!
tainted_branch full mode
loading snapshot
... done.
opening nondet log for read :	./recording-rr-nondet.log
[loaded] adding asid=0x0 to running procs.  cmd=[systemd]  task=0x3a106900
adding asid=0x0 to running procs.  cmd=[systemd]  task=0x3a106900
rr_guest_instr_count = 27181
python3: /panda/cpu-exec.c:752: detect_infinite_loops: Assertion `false' failed.
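Turning the harvested symbol lines into kernel.conf values, as an added example that is not part of this PR or of PANDA's own code: it parses constructed `/proc/kallsyms`-style lines, picks the exact symbol so that clone or neighbour symbols (a `.isra.0` variant, `init_task_stack`) are not picked up the way a loose prefix grep would, rejects the zeroed addresses that `kptr_restrict` produces, and emits the decimal form that the reminder in the script calls for. The key names `task.switch_task_hook_addr`, `task.init_addr` and `task.current_task_addr` come from the comments in the PR; the sample addresses are made up, and the `key = decimal` line layout for kernel.conf is an assumption.

```python
import re

# Constructed sample in /proc/kallsyms format; the addresses are made up and do
# not come from any real kernel. The ".isra.0" clone and the init_task_*
# neighbours are there to show what an unanchored grep would also match.
SAMPLE_KALLSYMS = """\
ffff800010012340 T finish_task_switch
ffff800010012400 t finish_task_switch.isra.0
ffff800010a00000 D init_task
ffff800010a01000 d init_task_stack
ffff800010a02000 D init_task_work
ffff800010b00000 t some_module_fn\t[some_module]
"""

# address, type letter, symbol name, optional "[module]" suffix
SYMBOL_RE = re.compile(
    r"^(?P<addr>[0-9a-fA-F]+)\s+(?P<type>\S)\s+(?P<name>\S+)(?:\s+\[(?P<module>[^\]]+)\])?$"
)


def parse_symbols(text):
    """Parse kallsyms/System.map style lines into (name, type, address) tuples."""
    symbols = []
    for line in text.splitlines():
        match = SYMBOL_RE.match(line.strip())
        if not match:
            continue  # skip blank or unexpected lines rather than guessing
        symbols.append((match["name"], match["type"], int(match["addr"], 16)))
    return symbols


def prefix_matches(symbols, name):
    """What an unanchored ' name' grep returns: every symbol starting with name."""
    return [n for n, _t, _a in symbols if n.startswith(name)]


def lookup_exact(symbols, name):
    """Address of exactly `name`; refuse missing, hidden or ambiguous results."""
    addrs = sorted({a for n, _t, a in symbols if n == name})
    if not addrs:
        raise KeyError(f"symbol {name} not found")
    if len(addrs) > 1:
        raise ValueError(f"symbol {name} has several addresses: {addrs}")
    if addrs[0] == 0:
        # kallsyms prints all-zero addresses when kernel.kptr_restrict hides them
        raise ValueError(f"symbol {name} is zeroed; lower kernel.kptr_restrict first")
    return addrs[0]


def kernel_conf_lines(symbols):
    """Render decimal-valued kernel.conf lines (key names from the PR comments;
    the 'key = decimal' layout is an assumption). The PR derives both init_addr
    and current_task_addr from init_task, which is mirrored here."""
    switch_addr = lookup_exact(symbols, "finish_task_switch")
    init_addr = lookup_exact(symbols, "init_task")
    return [
        f"task.switch_task_hook_addr = {switch_addr}",
        f"task.init_addr = {init_addr}",
        f"task.current_task_addr = {init_addr}",
    ]


if __name__ == "__main__":
    syms = parse_symbols(SAMPLE_KALLSYMS)
    print("loose grep would return:", prefix_matches(syms, "finish_task_switch"))
    for line in kernel_conf_lines(syms):
        print(line)
```

In practice the text fed to `parse_symbols` would be the string returned by `panda.run_serial_cmd(...)` for the kallsyms or System.map query above; the parser ignores any shell prompt or noise lines that do not look like symbol entries.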

@AndrewQuijano AndrewQuijano force-pushed the hot-fix-setup branch 4 times, most recently from c8cb3e9 to b81a927 Compare March 19, 2025 04:01
@AndrewQuijano AndrewQuijano requested a review from lacraig2 March 19, 2025 14:04
@AndrewQuijano AndrewQuijano force-pushed the hot-fix-setup branch 4 times, most recently from 3b5292f to cf013ee Compare March 24, 2025 01:21
@AndrewQuijano AndrewQuijano force-pushed the hot-fix-setup branch 3 times, most recently from ab2e55a to b3cc79f Compare April 5, 2025 20:02
@AndrewQuijano AndrewQuijano changed the title Deprecate setup.py pt. II Update Debian Package Pt. I Apr 25, 2025
@AndrewQuijano AndrewQuijano changed the title Update Debian Package Pt. I [WIP] Update Debian Package Pt. I - Control File Apr 25, 2025
@AndrewQuijano AndrewQuijano changed the title [WIP] Update Debian Package Pt. I - Control File Update Debian Package Pt. I - Control File Apr 25, 2025
@AndrewQuijano AndrewQuijano force-pushed the hot-fix-setup branch 6 times, most recently from 0e16867 to bbdeaa2 Compare May 4, 2025 13:16
@AndrewQuijano AndrewQuijano marked this pull request as draft November 2, 2025 01:22
@AndrewQuijano AndrewQuijano changed the title Update Debian Package Pt. I - Control File Update AAarch64 VMs to support copy to guest Feb 14, 2026
@AndrewQuijano AndrewQuijano marked this pull request as ready for review June 6, 2026 16:18
@AndrewQuijano AndrewQuijano requested a review from Copilot June 6, 2026 16:18

Copilot AI left a comment

Contributor


Pull request overview

This PR updates the AArch64 PANDA VM image definitions so pandare.Panda.copy_to_guest() can insert ISO media via a configured CD-ROM device, enabling LAVA workflows that rely on copying artifacts into the guest.

Changes:

  • Set the AArch64 image cdrom monitor device name to cdrom0.
  • Add QEMU args to create a SCSI CD-ROM device (virtio-scsi-pci + scsi-cd) backed by a removable -drive id=cdrom0.


@AndrewQuijano AndrewQuijano changed the title Update AAarch64 VMs to support copy to guest Update AAarch64 VM to both run and copy_to_guest Jun 9, 2026
@github-actions github-actions Bot added the osi_linux Pull requests that change the OSI Linux plugin label Jun 9, 2026
@lacraig2 lacraig2 merged commit 5a9813f into dev Jun 9, 2026
3 checks passed
@lacraig2 lacraig2 deleted the hot-fix-setup branch June 9, 2026 00:48