From: Justin Suess <utilityemal77@gmail.com>
To: Sasha Levin <sashal@kernel.org>
Cc: Song Liu <song@kernel.org>,
linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org,
linux-kselftest@vger.kernel.org, bpf@vger.kernel.org,
live-patching@vger.kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Jonathan Corbet <corbet@lwn.net>,
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
Joshua Peisach <jpeisach@ubuntu.com>,
Florian Weimer <fw@deneb.enyo.de>,
Breno Leitao <leitao@debian.org>,
Anthony Iliopoulos <ailiop@suse.com>,
Michal Hocko <mhocko@suse.com>, Jiri Olsa <jolsa@kernel.org>
Subject: Re: [PATCH v3] killswitch: add per-function short-circuit mitigation primitive
Date: Thu, 4 Jun 2026 17:18:55 -0400 [thread overview]
Message-ID: <aiHgdw_fBv8RTgC2@zenbox> (raw)
In-Reply-To: <agsVDqdALBoHEHlv@laps>
On Mon, May 18, 2026 at 09:33:02AM -0400, Sasha Levin wrote:
> On Sun, May 17, 2026 at 11:37:36PM -0700, Song Liu wrote:
> > On Sun, May 17, 2026 at 6:49 AM Sasha Levin <sashal@kernel.org> wrote:
> > > * fail_function (CONFIG_FUNCTION_ERROR_INJECTION) is disabled in
> > > most production kernels. Even where enabled, it only works on
> > > functions pre-annotated with ALLOW_ERROR_INJECTION() in source -
> > > no help for a freshly-disclosed CVE. The debugfs UI is blocked by
> > > lockdown=integrity and the override is probabilistic.
> > >
> > > * BPF override (bpf_override_return) honors the same
> > > ALLOW_ERROR_INJECTION() whitelist, and BPF itself is off in many
> > > production kernels. Even where on, the operator interface is
> > > "load a verified BPF program," not a one-line write.
> >
> > If it is OK for killswitch to attach to any kernel functions, do we still
> > need ALLOW_ERROR_INJECTION() for fail_function and BPF
> > override? Shall we instead also allow fail_function and BPF override
> > to attach to any kernel functions?
>
> I don't think so. ALLOW_ERROR_INJECTION is not a security mechanism, it's an
> integrity/safety mechanism for both bpf and fault injection.
>
> It protects against a "developer or CI script doing legitimate fault injection
> accidentally panics the box" scenario, not an "attacker gets in" one.
>
At that point why not just make this entire killswitch mechanism an expanded
version of the bpf_override_return helper that doesn't care about ALLOW_ERROR_INJECTION?
Then killswitch mitigations are just BPF programs.
This could be paired with a userspace tool for building and
loading the killswitch programs conveniently.
You can make the helper function only succeed if (CONFIG_KILLSWITCH=y
CONFIG_BPF_KPROBE_OVERRIDE=y etc.) and taint the kernel on the first call.
BPF has the crash_kexec kfunc already that can take down the kernel.
Thus it's not crazy in my opinion to add a helper with a similar intentional
intentional footgun in another kfunc/helper.
We can automatically benefit from BPF signing mechanisms to prevent
unauthorized loading of programs. If killswitch is enabled, users can
restrict unauthorized use of it by restricting the loading of all BPF
programs to those signed w/ the key.
Thanks,
Justin
> --
> Thanks,
> Sasha
next prev parent reply other threads:[~2026-06-04 21:18 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-08 19:57 [PATCH v2] killswitch: add per-function short-circuit mitigation primitive Sasha Levin
2026-05-09 12:02 ` Florian Weimer
2026-05-09 12:34 ` Sasha Levin
2026-05-11 10:33 ` Anthony Iliopoulos
2026-05-11 11:15 ` Sasha Levin
2026-05-11 17:23 ` Anthony Iliopoulos
2026-05-11 20:12 ` Sasha Levin
2026-05-11 13:14 ` Breno Leitao
2026-05-11 13:41 ` Sasha Levin
2026-05-11 14:59 ` Breno Leitao
2026-05-17 13:48 ` [PATCH v3] " Sasha Levin
2026-05-17 19:19 ` Brandon Taylor
2026-05-18 5:23 ` Greg Kroah-Hartman
2026-05-18 6:37 ` Song Liu
2026-05-18 13:33 ` Sasha Levin
2026-05-18 23:59 ` Song Liu
2026-05-19 0:22 ` Sasha Levin
2026-05-19 12:13 ` Daniel Borkmann
2026-05-19 19:57 ` Sasha Levin
2026-05-19 22:00 ` Song Liu
2026-05-21 14:38 ` Sasha Levin
2026-05-21 18:02 ` Song Liu
2026-05-21 9:11 ` Daniel Borkmann
2026-05-21 15:31 ` Sasha Levin
2026-05-21 18:16 ` Song Liu
2026-05-23 13:41 ` Sasha Levin
2026-05-26 13:10 ` Daniel Borkmann
2026-05-26 14:29 ` Sasha Levin
2026-06-04 21:18 ` Justin Suess [this message]
2026-05-18 23:52 ` Song Liu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aiHgdw_fBv8RTgC2@zenbox \
--to=utilityemal77@gmail.com \
--cc=ailiop@suse.com \
--cc=akpm@linux-foundation.org \
--cc=bpf@vger.kernel.org \
--cc=corbet@lwn.net \
--cc=fw@deneb.enyo.de \
--cc=gregkh@linuxfoundation.org \
--cc=jolsa@kernel.org \
--cc=jpeisach@ubuntu.com \
--cc=leitao@debian.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=live-patching@vger.kernel.org \
--cc=mathieu.desnoyers@efficios.com \
--cc=mhocko@suse.com \
--cc=sashal@kernel.org \
--cc=song@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox