lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:	Mon, 9 Feb 2015 20:55:53 +0100 (CET)
From:	Jiri Kosina <jkosina@...e.cz>
To:	Linus Torvalds <torvalds@...ux-foundation.org>
cc:	linux-kernel@...r.kernel.org, live-patching@...r.kernel.org
Subject: [GIT PULL] Live patching for 3.20

Linus,

Live patching core is available for you to pull at

  git://git.kernel.org/pub/scm/linux/kernel/git/jikos/livepatching.git for-linus



Let me provide a bit of history first, before describing what is in this 
pile.

Originally, there was kSplice as a standalone project that implemented 
stop_machine()-based patching for the linux kernel. This project got later 
acquired, and the current owner is providing live patching as a 
proprietary service, without any intentions to have their implementation 
merged.

Then, due to rising user/customer demand, both Red Hat and SUSE started 
working on their own implementation (not knowing about each other), and 
announced first versions roughly at the same time [1] [2].

The principle difference between the two solutions is how they are making 
sure that the patching is performed in a consistent way when it comes to 
different execution threads with respect to the semantic nature of the 
change that is being introduced.

In a nutshell, kPatch is issuing stop_machine(), then looking at stacks of 
all existing processess, and if it decides that the system is in a state 
that can be patched safely, it proceeds insterting code redirection 
machinery to the patched functions.

On the other hand, kGraft provides a per-thread consistency during one 
single pass of a process through the kernel and performs a lazy 
contignuous migration of threads from "unpatched" universe to the 
"patched" one at safe checkpoints.

If interested in a more detailed discussion about the consistency models 
and its possible combinations, please see the thread that evolved 
around [3].

It pretty quickly became obvious to the interested parties that it's 
absolutely impractical in this case to have several isolated solutions for 
one task to co-exist in the kernel. During a dedicated Live Kernel 
Patching track at LPC in Dusseldorf, all the interested parties sat 
together and came up with a joint aproach that would work for both distro 
vendors. Steven Rostedt took notes [4] from this meeting.

And the foundation for that aproach is what's present in this pull 
request.

It provides a basic infrastructure for function "live patching" (i.e. code 
redirection), including API for kernel modules containing the actual 
patches, and API/ABI for userspace to be able to operate on the patches 
(look up what patches are applied, enable/disable them, etc). It's 
relatively simple and minimalistic, as it's making use of existing kernel 
infrastructure (namely ftrace) as much as possible. It's also 
self-contained, in a sense that it doesn't hook itself in any other kernel 
subsystem (it doesn't even touch any other code). It's now implemented for 
x86 only as a reference architecture, but support for powerpc, s390 and 
arm is already in the works (adding arch-specific support basically boils 
down to teaching ftrace about regs-saving).

Once this common infrastructure gets merged, both Red Hat and SUSE have 
agreed to immediately start porting their current solutions on top of 
this, abandoning their out-of-tree code. The plan basically is that each 
patch will be marked by flag(s) that would indicate which consistency 
model it is willing to use (again, the details have been sketched out 
already in the thread at [3]).

Before this happens, the current codebase can be used to patch a large 
group of secruity/stability problems the patches for which are not too 
complex (in a sense that they don't introduce non-trivial change of 
function's return value semantics, they don't change layout of data 
structures, etc) -- this corresponds to LEAVE_FUNCTION && SWITCH_FUNCTION 
semantics described at [3].

This tree has been in linux-next since December.

Thanks.

[1] https://lkml.org/lkml/2014/4/30/477
[2] https://lkml.org/lkml/2014/7/14/857
[3] https://lkml.org/lkml/2014/11/7/354
[4] http://linuxplumbersconf.org/2014/wp-content/uploads/2014/10/LPC2014_LivePatching.txt



[ The core code is introduced by the three commits authored by Seth 
  Jennings, which got a lot of changes incorporated during numerous 
  respins and reviews of the initial implementation. All the followup 
  commits have materialized only after public tree has been created, so 
  they were not folded into initial three commits so that the public tree 
  doesn't get rebased. ]

----------------------------------------------------------------
Christoph Jaeger (1):
      livepatch: kconfig: use bool instead of boolean

Jiri Kosina (2):
      livepatch: MAINTAINERS: add git tree location
      livepatch: handle ancient compilers with more grace

Josh Poimboeuf (8):
      livepatch: use FTRACE_OPS_FL_IPMODIFY
      livepatch: samples: fix usage example comments
      livepatch: fix deferred module patching order
      livepatch: enforce patch stacking semantics
      livepatch: support for repatching a function
      livepatch: fix uninitialized return value
      livepatch: rename config to CONFIG_LIVEPATCH
      livepatch: add missing newline to error message

Li Bin (1):
      livepatch: move x86 specific ftrace handler code to arch/x86

Miroslav Benes (1):
      livepatch: change ARCH_HAVE_LIVE_PATCHING to HAVE_LIVE_PATCHING

Seth Jennings (3):
      livepatch: kernel: add TAINT_LIVEPATCH
      livepatch: kernel: add support for live patching
      livepatch: samples: add sample live patching module

 Documentation/ABI/testing/sysfs-kernel-livepatch |   44 +
 Documentation/oops-tracing.txt                   |    2 +
 Documentation/sysctl/kernel.txt                  |    1 +
 MAINTAINERS                                      |   15 +
 arch/x86/Kconfig                                 |    3 +
 arch/x86/include/asm/livepatch.h                 |   46 +
 arch/x86/kernel/Makefile                         |    1 +
 arch/x86/kernel/livepatch.c                      |   90 ++
 include/linux/kernel.h                           |    1 +
 include/linux/livepatch.h                        |  133 +++
 kernel/Makefile                                  |    1 +
 kernel/livepatch/Kconfig                         |   18 +
 kernel/livepatch/Makefile                        |    3 +
 kernel/livepatch/core.c                          | 1015 ++++++++++++++++++++++
 kernel/panic.c                                   |    2 +
 samples/Kconfig                                  |    7 +
 samples/Makefile                                 |    2 +-
 samples/livepatch/Makefile                       |    1 +
 samples/livepatch/livepatch-sample.c             |   91 ++
 19 files changed, 1475 insertions(+), 1 deletion(-)
 create mode 100644 Documentation/ABI/testing/sysfs-kernel-livepatch
 create mode 100644 arch/x86/include/asm/livepatch.h
 create mode 100644 arch/x86/kernel/livepatch.c
 create mode 100644 include/linux/livepatch.h
 create mode 100644 kernel/livepatch/Kconfig
 create mode 100644 kernel/livepatch/Makefile
 create mode 100644 kernel/livepatch/core.c
 create mode 100644 samples/livepatch/Makefile
 create mode 100644 samples/livepatch/livepatch-sample.c

-- 
Jiri Kosina
SUSE Labs
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ