| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 07 May 2014 07:49:25 +0900 From: Masami Hiramatsu <masami.hiramatsu.pt@...achi.com> To: Steven Rostedt <rostedt@...dmis.org> Cc: Josh Poimboeuf <jpoimboe@...hat.com>, Frederic Weisbecker <fweisbec@...il.com>, Ingo Molnar <mingo@...nel.org>, Seth Jennings <sjenning@...hat.com>, Ingo Molnar <mingo@...hat.com>, Jiri Slaby <jslaby@...e.cz>, linux-kernel@...r.kernel.org, Peter Zijlstra <a.p.zijlstra@...llo.nl>, Andrew Morton <akpm@...ux-foundation.org>, Linus Torvalds <torvalds@...ux-foundation.org>, Thomas Gleixner <tglx@...utronix.de> Subject: Re: [RFC PATCH 0/2] kpatch: dynamic kernel patching (2014/05/06 21:33), Steven Rostedt wrote: > On Tue, 6 May 2014 07:12:11 -0500 > Josh Poimboeuf <jpoimboe@...hat.com> wrote: > >> Live patching is a very sensitive and risky operation, and from a kernel >> standpoint we should make it as safe as we reasonably can. But we can't >> do much about careless users. Ultimately the risk is in the hands of >> the user and their choice of patches. They need to absolutely >> understand all the implications of patching a particular function. If >> the patch changes the way a function interacts with some external data, >> then they're starting to tempt fate and they need to be extra careful. >> This care needs to be taken for *all* kernel functions, not just for the >> few that are called from kernel threads. > > Ideally the kpatch tools should be able to somewhat prevent users from > doing damage. Or at least make them type a sentence that says: > > I know what I'm doing and will not blame anyone but myself if this > kills the system along with all my puppies and kittens. > > I'm guessing that kpatch needs to be marketed that a distro or "hired > help" will be creating the patch and the admin only needs to "trust" > the one that gave them the kpatch module to load. All the > testing/checking that the module works will be done by kernel > developers and not by any "users". I strongly agreed. Desktop/Cloud users may not care about it, most of users just update kernel and reboot. Somewhat "enterprise" users may also like to do "rolling update" their cluster systems. Only limited mission critical non-stop systems require it. And since they usually don't want to loose distro support, all binary patches will be provided and tested by distro kernel developers, not by users itself. :) Thank you, -- Masami HIRAMATSU Software Platform Research Dept. Linux Technology Research Center Hitachi, Ltd., Yokohama Research Laboratory E-mail: masami.hiramatsu.pt@...achi.com -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists