From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wr1-f54.google.com (mail-wr1-f54.google.com [209.85.221.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DC2C044102F for ; Mon, 11 May 2026 17:10:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.54 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778519451; cv=none; b=QryWLB+BdI1vK7/eOcwnzelXhxU6wPNtDSk/Tgpf+T03aA/Hu73vgnAwI1NHsdUTFJQTw6rKo/RAincBpSeV+8oN2gH7NWW8E9jXVunu3yy90Uv6AVetqKuiEAUwlMbogBK88yxkMg7I2yusiDxB4SG/RPJ5A8GF+mz52itU5Tg= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778519451; c=relaxed/simple; bh=xEf0DcTeuh8O7q7xkn5lS+B/P1HAUfQRMFjpy4xw5iQ=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=ufDOGUprlh329tJ9H2SzRY5khG6vVl5xqupLXS5cnUFuRPl7bCBSWbwFexzkqWOH+AZYngkXSc7YUjW6FNB8gzvKF4VcN3kadgqAwjDSLVLOSZsC2V5CrqNJ5j0N4X0tA0KfI52bcg8OQTguEtfxHiPneP1CbgSCaf6EhuiRTOE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com; spf=pass smtp.mailfrom=suse.com; dkim=pass (2048-bit key) header.d=suse.com header.i=@suse.com header.b=T4kf8jSe; arc=none smtp.client-ip=209.85.221.54 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=suse.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=suse.com header.i=@suse.com header.b="T4kf8jSe" Received: by mail-wr1-f54.google.com with SMTP id ffacd0b85a97d-44a044cb827so3607088f8f.0 for ; Mon, 11 May 2026 10:10:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=google; t=1778519448; x=1779124248; darn=vger.kernel.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=4WseMM2s1lBw35z6Gvcd4yWHkkkXHH2E0/2CJvqDOO4=; b=T4kf8jSeOB6D1KH4+hz17L8PlZJvkCcLExTX6fIa3So+FxmRGa4ATaLAVDI6tLpw7G Rl9rdWd9+QTz3OPYpx1XD4GLjTTj8gl43dhMFgAeddowgyy6TX2HhsKBzwgFF9Tme4UC AkBz1IuOF+jSnHtpcdl25bSI+8+aWLlziCiPbMuz1Y/pFDiFMFIOaOvsAoT+FC1X1+FZ gdlnJuMHpgWlo/rZyHtvLb+eWRhyHu/3Kx33HgER2+YuJGQ3Ty+2waY5fqTwgaSBONcL uvEoy9bD6ZVRW1Mx/JrHTWsRD1llv7x/I+eMMr2sRdoVE+71UHzuSuv1HFmx3f3RXE6P uHfw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778519448; x=1779124248; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-gg:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=4WseMM2s1lBw35z6Gvcd4yWHkkkXHH2E0/2CJvqDOO4=; b=jXQlLWc2W8Kty0eHy5hZ1gvHfQY3k8lWH8OMXE2z0oIJwJ8Kirsh0v+QXfEfgAOXlp D3AbS7TZHCoUPkfNcaNvkjjKskB4FEXVM6y15hB9z8vOGZA0wymmpjVgpVJ4QeAup0Yb AEQQcDMLWv8LtNW2S9sdXwDFNsON/sgyYD3xBcf2Y8LTwkXXOv4BLYdbSCCUQ3wL2npK GIwoe4uuOIVdnpJGBTjDydWgloQ3Nj3jPB5slDFsiNkoIKA5szzhGMAwmGKpqfHo7gJv qTYCBKk0qQmPL99LhCKthKcqpq1PziKrJJTJn2qPpl1Yuhpbsy1feGuymACEd/WDWKz5 Ba1Q== X-Forwarded-Encrypted: i=1; AFNElJ/pg0aricvSYE+rRAbK42vs9QAMk9Vklb4x2vGW32rvEN6fW7GXm1GlFuEhs6Yjy8jLdOkKgBUYViH005s=@vger.kernel.org X-Gm-Message-State: AOJu0Yyg+E7+iXHA1l6gGgXCZ6OdfQudHE4SJVyD/dWK/Id+7hjYa1X5 +EFDPCh9hLosOili8ZQUEdrLhwAdMPjLAPWThln7WxKNThsB5nbPrLpqOA2CRQHRXlE= X-Gm-Gg: Acq92OGsRi7F1pvUNeBfagLFk3IWvz1vKpO26oAKvPzrXOn29ZtsQ/xQxMKUujxZRvY RjMqM7c8sSbGjTqXnp0Tc1MVm/0E+/AOekpAB/Fo7LZKpcsL9QmA4t2rr/BJqqztgydXiTKikw7 Ksc1MgB03Ms5oiyU9yijiyPd3TSUOID1BNCbo1D1CMBrf13oRYJMXq0C8b7PoNNI0/PIvZkjp69 8W3CanhAd8flrpSO1t4gZ3NHDHTSDACQs0MWFLjFURCduXeJ0qDvPcv0QDiT2Qql4Q9tJMBJczQ T06QCBWUmvPP8p+XxmKoK7G43wokczJZp4nmwP/9AMFZiJC6EM4PfxrdHM+NXVIXsz8tyGgz6uq gF7Jp5rtRdhgqZmNzkA0P4nmrECNJXBojeUGBQgDjGQv05AYDb67ygp0GWVCwKpom1MQStQn1qY r3sT85V0nzB3HGfU7x9l1xsJrT+n3xdCBltDzF X-Received: by 2002:a05:6000:230e:b0:45a:c0e1:37b with SMTP id ffacd0b85a97d-45ac0e103bemr696373f8f.32.1778519448144; Mon, 11 May 2026 10:10:48 -0700 (PDT) Received: from localhost (109-81-87-110.rct.o2.cz. [109.81.87.110]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-45491bae13csm26175978f8f.29.2026.05.11.10.10.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 11 May 2026 10:10:47 -0700 (PDT) Date: Mon, 11 May 2026 19:10:46 +0200 From: Michal Hocko To: Sasha Levin Cc: Breno Leitao , Andrew Morton , corbet@lwn.net, skhan@linuxfoundation.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, gregkh@linuxfoundation.org Subject: Re: [PATCH] killswitch: add per-function short-circuit mitigation primitive Message-ID: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: On Mon 11-05-26 12:45:36, Sasha Levin wrote: > Could you describe an existing infrastructure I can use here? I think it would help to CC maintainers of subsystems that provide kernel modification functionality. They will surely have a better insight than me. > Let's look at > this recent "Copy Fail" thing as an example. > > I can obviously build my own kernel and enroll my own key, but 99.9% of our > users won't be doing that. > Livepatching, or manually building a module that just injects a kprobe is out > of the question as we previously agreed. Onless I am mistaken you can enroll your own key through MOK. But you are right that this is an additional step. But the real question is whether this is a major road block for users of this specific feature. > systemtap falls into the same bucket as building my own module. > > BPF doesn't help because bpf_override_return() requires the target to be on the > same within_error_injection_list() whitelist as fault injection, and the CVE > targets never are. Some of our fleet doesn't even have BPF enabled either, but > that's the smaller objection. > > I can't use fault injection because: > > a. It's almost never built in production/distro kernels, and I suspect this > won't change. > b. The functions I need are not whitelisted. > c. Even if (a) and (b) were addressed, fault injection would still need a > securityfs front-end, a cmdline parser, a module-unload notifier, a taint flag, > and audit on engage and disengage. By the time those land in fail_function and > tie into/refactor the fault injection code, the net diff is bigger than this > proposal. I cannot comment on fault injection imeplementation details of course but I have to say that the whitelist nature is something that makes its use very limited. Maybe this is a good opportunity to change the approach. > > In my case I can remove the module, but not if I run a distro that shipped with > CONFIG_CRYPTO_USER_API_AEAD=y (like RHEL/SUSE). If you look at copy fail[2], IIRC algif_aead, esp[46] and rxrcp are all modules that could be blacklisted. > I can use "initcall_blacklist=" hack and reboot, but as things stand today, > I'll need to be rebooting few times a day. with your just disable some functions in the kernel you might need to reboot even more. But more seriously... > Even if I'm okay with rebooting that often (and I really really would prefer > not to), this doesn't solve the issues of a larger fleet of servers that can't > just reboot that often. > > What am I missing? For one, you are missing more maintainers of code modification infrastructures. -- Michal Hocko SUSE Labs