Message-ID: <alpine.LNX.2.00.1502230906450.19920@pobox.suse.cz>
Date:	Mon, 23 Feb 2015 09:17:57 +0100 (CET)
From:	Jiri Kosina <jkosina@...e.cz>
To:	Arjan van de Ven <arjanvandeven@...il.com>
cc:	Dave Airlie <airlied@...il.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Ingo Molnar <mingo@...nel.org>,
	Vojtech Pavlik <vojtech@...e.com>,
	Josh Poimboeuf <jpoimboe@...hat.com>,
	Peter Zijlstra <peterz@...radead.org>,
	Ingo Molnar <mingo@...hat.com>,
	Seth Jennings <sjenning@...hat.com>,
	LKML <linux-kernel@...r.kernel.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Arjan van de Ven <arjan@...radead.org>,
	Thomas Gleixner <tglx@...utronix.de>,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>,
	Borislav Petkov <bp@...en8.de>, live-patching@...r.kernel.org
Subject: Re: live kernel upgrades (was: live kernel patching design)

On Sun, 22 Feb 2015, Arjan van de Ven wrote:

> There's a lot of logistical issues (can you patch a patched system... if 
> live patching is a first class citizen you end up with dozens and dozens 
> of live patches applied, some out of sequence etc etc). 

I can't speak on behalf of others, but I definitely can speak on behalf of 
SUSE, as we are already basing a product on this.

Yes, you can patch a patched system, you can patch one function multiple 
times, you can revert a patch. It's all tracked by dependencies.

Of course, if you are random Joe User, you can do whatever you want, i.e. 
also compile your own home-brew patches and apply them randomly and brick 
your system that way. But that's in no way different to what you as Joe 
User can do today; there is nothing that will prevent you from shooting 
yourself in the foot if you are creative.

Regarding "out of sequence", this is up to the vendor providing/packaging 
the patches to make sure that this is guaranteed not to happen. SUSE for 
example always provides "all-in-one" patch for each and every released and 
supported kernel codestream in a cumulative manner, which takes care of 
the ordering issue completely.

It's not really too different from shipping external kernel modules and 
making sure they have proper dependencies that need to be satisfied before 
the module can be loaded.

> There's the "which patches do I have, and if the first patch for a 
> security hole was not complete, how do I cope by applying number two. 
> There's the "which of my 50.000 servers have which patch applied" 
> logistics.

Yes. That's easy if distro/patch vendors make reasonable userspace and 
distribution infrastructure around this.

Thanks,

-- 
Jiri Kosina
SUSE Labs
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
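The dependency-tracked patch stack Jiri describes (patching an already patched system, patching one function more than once, reverting, and refusing out-of-sequence application) as an added Python model. This is illustration code written for this page, not code from the thread, from kpatch/kGraft or from any live-patching implementation; the `Patch` and `PatchStack` classes, the `index_ok` function and its off-by-one are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Patch:
    """One live patch: replacement implementations for named functions plus
    the patches that must already be applied for this one to be valid."""
    name: str
    replaces: Dict[str, Callable]
    depends_on: Tuple[str, ...] = ()


class PatchStack:
    """Applied patches in order; the latest patch touching a function wins."""

    def __init__(self, baseline: Dict[str, Callable]):
        self.baseline = dict(baseline)   # function name -> unpatched implementation
        self.applied: List[Patch] = []   # patches in the order they were applied

    def applied_names(self) -> List[str]:
        return [p.name for p in self.applied]

    def resolve(self, fn: str) -> Callable:
        """Implementation of fn currently in effect (most recent patch first)."""
        for p in reversed(self.applied):
            if fn in p.replaces:
                return p.replaces[fn]
        return self.baseline[fn]

    def call(self, fn: str, *args):
        return self.resolve(fn)(*args)

    def apply(self, patch: Patch) -> List[str]:
        """Apply a patch; refused if a declared dependency is not yet applied."""
        names = set(self.applied_names())
        if patch.name in names:
            raise ValueError(f"{patch.name} is already applied")
        missing = [d for d in patch.depends_on if d not in names]
        if missing:
            raise ValueError(f"{patch.name} needs {missing} applied first")
        unknown = [f for f in patch.replaces if f not in self.baseline]
        if unknown:
            raise ValueError(f"{patch.name} patches unknown functions {unknown}")
        self.applied.append(patch)
        return self.applied_names()

    def revert(self, name: str) -> List[str]:
        """Remove a patch; refused while a later patch still depends on it
        (the same idea as a module that cannot be unloaded while in use)."""
        idx = next((i for i, p in enumerate(self.applied) if p.name == name), None)
        if idx is None:
            raise ValueError(f"{name} is not applied")
        dependents = [p.name for p in self.applied[idx + 1:] if name in p.depends_on]
        if dependents:
            raise ValueError(f"{name} is still required by {dependents}")
        del self.applied[idx]
        return self.applied_names()


def demo() -> dict:
    """Walk through the scenario from the thread on a constructed example."""
    # Constructed baseline: a hypothetical bounds check with an off-by-one.
    stack = PatchStack({"index_ok": lambda i: i <= 4096})
    fix1 = Patch("fix-1", {"index_ok": lambda i: i < 4096})
    # A second, more complete fix to the same function, built on top of fix-1.
    fix2 = Patch("fix-2", {"index_ok": lambda i: 0 <= i < 4096}, depends_on=("fix-1",))

    out = {"baseline": stack.call("index_ok", 4096)}
    try:
        stack.apply(fix2)                      # out of sequence: dependency missing
        out["fix2_out_of_order"] = "applied"
    except ValueError:
        out["fix2_out_of_order"] = "refused"
    stack.apply(fix1)
    out["after_fix1"] = (stack.call("index_ok", 4096), stack.call("index_ok", -1))
    stack.apply(fix2)                          # same function patched a second time
    out["after_fix2"] = stack.call("index_ok", -1)
    try:
        stack.revert("fix-1")                  # fix-2 still depends on it
        out["revert_fix1_early"] = "reverted"
    except ValueError:
        out["revert_fix1_early"] = "refused"
    stack.revert("fix-2")                      # drops back to fix-1 behaviour
    out["after_revert_fix2"] = stack.call("index_ok", -1)
    stack.revert("fix-1")                      # back to the unpatched baseline
    out["after_revert_all"] = (stack.call("index_ok", 4096), stack.applied_names())
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A vendor's "all-in-one" cumulative patch in this model is simply a single `Patch` that carries every fix for a codestream and declares no dependencies, which is why ordering stops being an issue for the administrator; the dependency check still matters for incremental patches and for reverts.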
