| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 23 Feb 2015 09:17:57 +0100 (CET) From: Jiri Kosina <jkosina@...e.cz> To: Arjan van de Ven <arjanvandeven@...il.com> cc: Dave Airlie <airlied@...il.com>, Andrew Morton <akpm@...ux-foundation.org>, Ingo Molnar <mingo@...nel.org>, Vojtech Pavlik <vojtech@...e.com>, Josh Poimboeuf <jpoimboe@...hat.com>, Peter Zijlstra <peterz@...radead.org>, Ingo Molnar <mingo@...hat.com>, Seth Jennings <sjenning@...hat.com>, LKML <linux-kernel@...r.kernel.org>, Linus Torvalds <torvalds@...ux-foundation.org>, Arjan van de Ven <arjan@...radead.org>, Thomas Gleixner <tglx@...utronix.de>, Peter Zijlstra <a.p.zijlstra@...llo.nl>, Borislav Petkov <bp@...en8.de>, live-patching@...r.kernel.org Subject: Re: live kernel upgrades (was: live kernel patching design) On Sun, 22 Feb 2015, Arjan van de Ven wrote: > There's a lot of logistical issues (can you patch a patched system... if > live patching is a first class citizen you end up with dozens and dozens > of live patches applied, some out of sequence etc etc). I can't speak on behalf of others, but I definitely can speak on behalf of SUSE, as we are already basing a product on this. Yes, you can patch a patched system, you can patch one function multiple times, you can revert a patch. It's all tracked by dependencies. Of course, if you are random Joe User, you can do whatever you want, i.e. also compile your own home-brew patches and apply them randomly and brick your system that way. But that's in no way different to what you as Joe User can do today; there is nothing that will prevent you from shooting yourself in a foot if you are creative. Regarding "out of sequence", this is up to the vendor providing/packaging the patches to make sure that this is guaranteed not to happen. SUSE for example always provides "all-in-one" patch for each and every released and supported kernel codestream in a cummulative manner, which takes care of the ordering issue completely. It's not really too different from shipping external kernel modules and making sure they have proper dependencies that need to be satisfied before the module can be loaded. > There's the "which patches do I have, and if the first patch for a > security hole was not complete, how do I cope by applying number two. > There's the "which of my 50.000 servers have which patch applied" > logistics. Yes. That's easy if distro/patch vendors make reasonable userspace and distribution infrastructure around this. Thanks, -- Jiri Kosina SUSE Labs -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists