Message-ID: <20150212125149.GB18578@treble.redhat.com>
Date:	Thu, 12 Feb 2015 06:51:49 -0600
From:	Josh Poimboeuf <jpoimboe@...hat.com>
To:	Peter Zijlstra <peterz@...radead.org>
Cc:	Ingo Molnar <mingo@...hat.com>,
	Masami Hiramatsu <masami.hiramatsu.pt@...achi.com>,
	live-patching@...r.kernel.org, linux-kernel@...r.kernel.org,
	Seth Jennings <sjenning@...hat.com>,
	Jiri Kosina <jkosina@...e.cz>, Vojtech Pavlik <vojtech@...e.cz>
Subject: Re: [RFC PATCH 6/9] livepatch: create per-task consistency model

On Thu, Feb 12, 2015 at 12:56:28PM +0100, Peter Zijlstra wrote:
> On Wed, Feb 11, 2015 at 09:21:21PM -0600, Josh Poimboeuf wrote:
> > Ingo, Peter,
> > 
> > Would you have any objections to making task_rq_lock/unlock() non-static
> > (or moving them to kernel/sched/sched.h) so they can be called by the
> > livepatch code?
> 
> Basically yes. I really don't want to expose that. And
> kernel/sched/sched.h is very much not intended for use outside of
> kernel/sched/ so even that is a no go.
> 
> > To provide some background, I'm looking for a way to temporarily prevent
> > a sleeping task from running while its stack is examined, to decide
> > whether it can be safely switched to the new patching "universe".  For
> > more details see klp_transition_task() in the patch below.
> > 
> > Using task_rq_lock() is the most straightforward way I could find to
> > achieve that.
> 
> It's not at all clear how all this would work to me. And I'm not
> motivated enough to go try and reverse engineer your patch;

The short answer is: I need a way to ensure that a task isn't sleeping
on any of the functions we're trying to patch.  If it's not, then I can
switch the task over to start using new versions of functions.

Obviously, there are many more details than that.  If you have specific
questions I can try to answer them.

> IMO livepatching is utter fail.
> 
> If your infrastructure relies on the uptime of a single machine you've
> lost already.

It's not always about uptime.  IMO it's usually more about decoupling
your reboot schedule from your distro's kernel release schedule.

Most users want to plan in advance when they're going to reboot, rather
than being at the mercy of when CVEs and kernel fixes are released.

Rebooting is costly and risky, even (or often especially) for large
systems for which you have to stagger the reboots.  You want to do it at
a time when you're ready for something bad to happen, without having to
also worry about security in the meantime while you're waiting for your
reboot window.

> FWIW, the barriers in klp_update_task_universe() and
> klp_set_universe_goal() look like complete crack, and their comments are
> seriously deficient.

Ok, I'll try to improve the comments for the barriers.

-- 
Josh