From: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
To: Seth Jennings <sjenning@redhat.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>,
	Jiri Kosina <jkosina@suse.cz>, Vojtech Pavlik <vojtech@suse.cz>,
	Steven Rostedt <rostedt@goodmis.org>,
	Petr Mladek <pmladek@suse.cz>, Miroslav Benes <mbenes@suse.cz>,
	Christoph Hellwig <hch@infradead.org>,
	Greg KH <gregkh@linuxfoundation.org>,
	Andy Lutomirski <luto@amacapital.net>,
	live-patching@vger.kernel.org, x86@kernel.org, kpatch@redhat.com,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCHv2 0/3] Kernel Live Patching
Date: Mon, 17 Nov 2014 14:33:02 +0900
Message-ID: <5469888E.3090501@hitachi.com>
In-Reply-To: <1416187764-3341-1-git-send-email-sjenning@redhat.com>

Hi Seth,

(2014/11/17 10:29), Seth Jennings wrote:
> Changelog:
> 
> Thanks for all the feedback!
> 
> changes in v2:
> - rebase to next-20141113
> - add copyright/license block to livepatch.h
> - add _LINUX prefix to header defines
> - replace semaphore with mutex
> - add LPC_ prefix to state enum
> - convert BUGs to WARNs and handle properly
> - change Kconfig default to n
> - remove [old|new] attrs from function sysfs dir (KASLR leak, no use)
> - disregard user provided old_addr if kernel uses KASLR
> - s/out/err for error path labels
> - s/unregister/disable for uniform terminology
> - s/lp/lpc for module notifier elements

Hmm, btw, "LP" and "LPC" remind me of line-printer and LPC bus :(
Can we use LKP (Live Kernel Patching) or KLP (Kernel Live Patching) instead?

> - replace module ref'ing with unload notifier + mutex protection
> - adjust notifier priority to run before ftrace
> - make LIVE_PATCHING boolean (about to depend on arch stuff)

For better handling of x86-32, we'd better introduce ARCH_HAVE_LIVE_PATCHING and
avoid enabling LIVE_PATCHING on x86_32, then we can simplify arch/x86/kernel/livepatch.c.

Thank you,

> - move x86-specific reloc code to arch/x86
> - s/dynrela/reloc/
> - add live patching sysfs documentation
> - add API function kernel-doc
> - TODO: kernel-doc for API structs once agreed upon
> 
> Summary:
> 
> This patchset implements an ftrace-based mechanism and kernel interface for
> doing live patching of kernel and kernel module functions.  It represents the
> greatest common functionality set between kpatch [1] and kGraft [2] and can
> accept patches built using either method.  This solution was discussed in the
> Live Patching Mini-conference at LPC 2014 [3].
> 
> The model consists of a live patching "core" that provides an interface for
> other "patch" kernel modules to register patches with the core.
> 
> Patch modules contain the new function code and create an lp_patch structure
> containing the required data about what functions to patch, where the new code
> for each patched function resides, and in which kernel object (vmlinux or
> module) the function to be patched resides.  The patch module then invokes the
> lp_register_patch() function to register with the core, then lp_enable_patch()
> to have the core redirect the execution paths using ftrace.
> 
> An example patch module can be found here:
> https://github.com/spartacus06/livepatch/blob/master/patch/patch.c
> 
> The live patching core creates a sysfs hierarchy for user-level access to live
> patching information.  The hierarchy is structured like this:
> 
> /sys/kernel/livepatch
> /sys/kernel/livepatch/<patch>
> /sys/kernel/livepatch/<patch>/enabled
> /sys/kernel/livepatch/<patch>/<object>
> /sys/kernel/livepatch/<patch>/<object>/<func>
> 
> The old function is located using one of two methods: it is either provided by
> the patch module (only possible for a function in vmlinux) or kallsyms lookup.
> Symbol ambiguity results in a failure.
> 
> The core takes a reference on the patch module itself to keep it from
> unloading.  This is because, without a mechanism to ensure that no thread is
> currently executing in the patched function, we can not determine whether it is
> safe to unload the patch module.  For this reason, unloading patch modules is
> currently not allowed.
> 
> Disabling patches can be done using the "enabled" attribute of the patch:
> 
> echo 0 > /sys/kernel/livepatch/<patch>/enabled
> 
> If a patch module contains a patch for a module that is not currently loaded,
> there is nothing to patch so the core does nothing for that patch object.
> However, the core registers a module notifier that looks for COMING events so
> that if the module is ever loaded, it is immediately patched.  If a module with
> patch code is removed, the notifier looks for GOING events and disables any
> patched functions for that object before it unloads.  The notifier has a higher
> priority than that of the ftrace notifier so that it runs before the ftrace
> notifier for GOING events and we can cleanly unregister from ftrace.
> 
> kpatch and kGraft each have their own mechanisms for ensuring system
> consistency during the patching process. This first version does not implement
> any consistency mechanism that ensures that old and new code do not run
> together.  In practice, ~90% of CVEs are safe to apply in this way, since they
> simply add a conditional check.  However, any function change that can not
> execute safely with the old version of the function can _not_ be safely applied
> for now.
> 
> [1] https://github.com/dynup/kpatch
> [2] https://git.kernel.org/cgit/linux/kernel/git/jirislaby/kgraft.git/
> [3] https://etherpad.fr/p/LPC2014_LivePatching
> 
> Seth Jennings (3):
>   kernel: add TAINT_LIVEPATCH
>   kernel: add support for live patching
>   kernel: add sysfs documentation for live patching
> 
>  Documentation/ABI/testing/sysfs-kernel-livepatch |  44 +
>  Documentation/oops-tracing.txt                   |   2 +
>  Documentation/sysctl/kernel.txt                  |   1 +
>  MAINTAINERS                                      |  13 +
>  arch/x86/Kconfig                                 |   2 +
>  arch/x86/include/asm/livepatch.h                 |  38 +
>  arch/x86/kernel/Makefile                         |   1 +
>  arch/x86/kernel/livepatch.c                      |  83 ++
>  include/linux/kernel.h                           |   1 +
>  include/linux/livepatch.h                        |  68 ++
>  kernel/Makefile                                  |   1 +
>  kernel/livepatch/Kconfig                         |   9 +
>  kernel/livepatch/Makefile                        |   3 +
>  kernel/livepatch/core.c                          | 999 +++++++++++++++++++++++
>  kernel/panic.c                                   |   2 +
>  15 files changed, 1267 insertions(+)
>  create mode 100644 Documentation/ABI/testing/sysfs-kernel-livepatch
>  create mode 100644 arch/x86/include/asm/livepatch.h
>  create mode 100644 arch/x86/kernel/livepatch.c
>  create mode 100644 include/linux/livepatch.h
>  create mode 100644 kernel/livepatch/Kconfig
>  create mode 100644 kernel/livepatch/Makefile
>  create mode 100644 kernel/livepatch/core.c
> 


-- 
Masami HIRAMATSU
Software Platform Research Dept. Linux Technology Research Center
Hitachi, Ltd., Yokohama Research Laboratory
E-mail: masami.hiramatsu.pt@hitachi.com
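
The sysfs hierarchy quoted in the cover letter above can be walked to audit which live patches are registered and which functions they redirect. The script below is an added example, not part of the original message or the patchset; it assumes each `<func>` appears as a directory under its `<object>`, and `LIVEPATCH_ROOT`, `list_livepatches` and `count_enabled` are hypothetical names.

```shell
#!/bin/sh
# Added example: walk the livepatch sysfs layout quoted in the cover letter.
# LIVEPATCH_ROOT is a hypothetical override so the walk can be tried on a
# constructed directory tree instead of the real sysfs.

# Print one line per patched function: "<patch> <enabled> <object> <func>".
# A patch with no object directories is still reported, with "-" placeholders.
list_livepatches() {
    root=${1:-/sys/kernel/livepatch}
    [ -d "$root" ] || return 0        # core not built in, or nothing registered
    for patch in "$root"/*/; do
        [ -d "$patch" ] || continue   # unexpanded glob: no patch directories
        patch=${patch%/}
        pname=${patch##*/}
        state=unknown
        [ -r "$patch/enabled" ] && state=$(cat "$patch/enabled")
        seen=0
        for obj in "$patch"/*/; do
            [ -d "$obj" ] || continue
            obj=${obj%/}
            for func in "$obj"/*/; do
                [ -d "$func" ] || continue
                func=${func%/}
                printf '%s %s %s %s\n' "$pname" "$state" "${obj##*/}" "${func##*/}"
                seen=1
            done
        done
        [ "$seen" -eq 1 ] || printf '%s %s - -\n' "$pname" "$state"
    done
}

# Count patches whose "enabled" attribute reads 1.
count_enabled() {
    root=${1:-/sys/kernel/livepatch}
    n=0
    for f in "$root"/*/enabled; do
        [ -r "$f" ] || continue
        [ "$(cat "$f")" = "1" ] && n=$((n + 1))
    done
    echo "$n"
}

list_livepatches "${LIVEPATCH_ROOT:-/sys/kernel/livepatch}"
```

Comparing this listing against the set of patch modules an administrator expects to be loaded shows any unexpected function redirection on a host.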


