[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5469888E.3090501@hitachi.com>
Date: Mon, 17 Nov 2014 14:33:02 +0900
From: Masami Hiramatsu <masami.hiramatsu.pt@...achi.com>
To: Seth Jennings <sjenning@...hat.com>
Cc: Josh Poimboeuf <jpoimboe@...hat.com>,
Jiri Kosina <jkosina@...e.cz>,
Vojtech Pavlik <vojtech@...e.cz>,
Steven Rostedt <rostedt@...dmis.org>,
Petr Mladek <pmladek@...e.cz>, Miroslav Benes <mbenes@...e.cz>,
Christoph Hellwig <hch@...radead.org>,
Greg KH <gregkh@...uxfoundation.org>,
Andy Lutomirski <luto@...capital.net>,
live-patching@...r.kernel.org, x86@...nel.org, kpatch@...hat.com,
linux-kernel@...r.kernel.org
Subject: Re: [PATCHv2 0/3] Kernel Live Patching
Hi Seth,
(2014/11/17 10:29), Seth Jennings wrote:
> Changelog:
>
> Thanks for all the feedback!
>
> changes in v2:
> - rebase to next-20141113
> - add copyright/license block to livepatch.h
> - add _LINUX prefix to header defines
> - replace semaphore with mutex
> - add LPC_ prefix to state enum
> - convert BUGs to WARNs and handle properly
> - change Kconfig default to n
> - remove [old|new] attrs from function sysfs dir (KASLR leak, no use)
> - disregard user provided old_addr if kernel uses KASLR
> - s/out/err for error path labels
> - s/unregister/disable for uniform terminology
> - s/lp/lpc for module notifier elements
Hmm, btw, "LP" and "LPC" remind me line-printer and LPC bus :(
Can we use LKP (Live Kernel Patching) or KLP (Kernel Live Patching) instead ?
> - replace module ref'ing with unload notifier + mutex protection
> - adjust notifier priority to run before ftrace
> - make LIVE_PATCHING boolean (about to depend on arch stuff)
For better handling x86-32, we'd better introduce ARCH_HAVE_LIVE_PATCHING and
avoid enabling LIVE_PATCHING on x86_32, then we can simplify arch/x86/kernel/livepatch.c.
Thank you,
> - move x86-specific reloc code to arch/x86
> - s/dynrela/reloc/
> - add live patching sysfs documentation
> - add API function kernel-doc
> - TODO: kernel-doc for API structs once agreed upon
>
> Summary:
>
> This patchset implements an ftrace-based mechanism and kernel interface for
> doing live patching of kernel and kernel module functions. It represents the
> greatest common functionality set between kpatch [1] and kGraft [2] and can
> accept patches built using either method. This solution was discussed in the
> Live Patching Mini-conference at LPC 2014 [3].
>
> The model consists of a live patching "core" that provides an interface for
> other "patch" kernel modules to register patches with the core.
>
> Patch modules contain the new function code and create an lp_patch structure
> containing the required data about what functions to patch, where the new code
> for each patched function resides, and in which kernel object (vmlinux or
> module) the function to be patch resides. The patch module then invokes the
> lp_register_patch() function to register with the core, then lp_enable_patch()
> to have the core redirect the execution paths using ftrace.
>
> An example patch module can be found here:
> https://github.com/spartacus06/livepatch/blob/master/patch/patch.c
>
> The live patching core creates a sysfs hierarchy for user-level access to live
> patching information. The hierarchy is structured like this:
>
> /sys/kernel/livepatch
> /sys/kernel/livepatch/<patch>
> /sys/kernel/livepatch/<patch>/enabled
> /sys/kernel/livepatch/<patch>/<object>
> /sys/kernel/livepatch/<patch>/<object>/<func>
>
> The old function is located using one of two methods: it is either provided by
> the patch module (only possible for a function in vmlinux) or kallsyms lookup.
> Symbol ambiguity results in a failure.
>
> The core takes a reference on the patch module itself to keep it from
> unloading. This is because, without a mechanism to ensure that no thread is
> currently executing in the patched function, we can not determine whether it is
> safe to unload the patch module. For this reason, unloading patch modules is
> currently not allowed.
>
> Disabling patches can be done using the "enabled" attribute of the patch:
>
> echo 0 > /sys/kernel/livepatch/<patch>/enabled
>
> If a patch module contains a patch for a module that is not currently loaded,
> there is nothing to patch so the core does nothing for that patch object.
> However, the core registers a module notifier that looks for COMING events so
> that if the module is ever loaded, it is immediately patched. If a module with
> patch code is removed, the notifier looks for GOING events and disables any
> patched functions for that object before it unloads. The notifier has a higher
> priority than that of the ftrace notifier so that it runs before the ftrace
> notifier for GOING events and we can cleanly unregister from ftrace.
>
> kpatch and kGraft each have their own mechanisms for ensuring system
> consistency during the patching process. This first version does not implement
> any consistency mechanism that ensures that old and new code do not run
> together. In practice, ~90% of CVEs are safe to apply in this way, since they
> simply add a conditional check. However, any function change that can not
> execute safely with the old version of the function can _not_ be safely applied
> for now.
>
> [1] https://github.com/dynup/kpatch
> [2] https://git.kernel.org/cgit/linux/kernel/git/jirislaby/kgraft.git/
> [3] https://etherpad.fr/p/LPC2014_LivePatching
>
> Seth Jennings (3):
> kernel: add TAINT_LIVEPATCH
> kernel: add support for live patching
> kernel: add sysfs documentation for live patching
>
> Documentation/ABI/testing/sysfs-kernel-livepatch | 44 +
> Documentation/oops-tracing.txt | 2 +
> Documentation/sysctl/kernel.txt | 1 +
> MAINTAINERS | 13 +
> arch/x86/Kconfig | 2 +
> arch/x86/include/asm/livepatch.h | 38 +
> arch/x86/kernel/Makefile | 1 +
> arch/x86/kernel/livepatch.c | 83 ++
> include/linux/kernel.h | 1 +
> include/linux/livepatch.h | 68 ++
> kernel/Makefile | 1 +
> kernel/livepatch/Kconfig | 9 +
> kernel/livepatch/Makefile | 3 +
> kernel/livepatch/core.c | 999 +++++++++++++++++++++++
> kernel/panic.c | 2 +
> 15 files changed, 1267 insertions(+)
> create mode 100644 Documentation/ABI/testing/sysfs-kernel-livepatch
> create mode 100644 arch/x86/include/asm/livepatch.h
> create mode 100644 arch/x86/kernel/livepatch.c
> create mode 100644 include/linux/livepatch.h
> create mode 100644 kernel/livepatch/Kconfig
> create mode 100644 kernel/livepatch/Makefile
> create mode 100644 kernel/livepatch/core.c
>
--
Masami HIRAMATSU
Software Platform Research Dept. Linux Technology Research Center
Hitachi, Ltd., Yokohama Research Laboratory
E-mail: masami.hiramatsu.pt@...achi.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists