Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753205AbaKQOza (ORCPT ); Mon, 17 Nov 2014 09:55:30 -0500 Received: from mx1.redhat.com ([209.132.183.28]:40376 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751961AbaKQOz1 (ORCPT ); Mon, 17 Nov 2014 09:55:27 -0500 Date: Mon, 17 Nov 2014 08:54:50 -0600 From: Seth Jennings To: Masami Hiramatsu Cc: Josh Poimboeuf , Jiri Kosina , Vojtech Pavlik , Steven Rostedt , Petr Mladek , Miroslav Benes , Christoph Hellwig , Greg KH , Andy Lutomirski , live-patching@vger.kernel.org, x86@kernel.org, kpatch@redhat.com, linux-kernel@vger.kernel.org Subject: Re: [PATCHv2 0/3] Kernel Live Patching Message-ID: <20141117145450.GA2314@cerebellum.variantweb.net> References: <1416187764-3341-1-git-send-email-sjenning@redhat.com> <5469888E.3090501@hitachi.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5469888E.3090501@hitachi.com> User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Nov 17, 2014 at 02:33:02PM +0900, Masami Hiramatsu wrote: > Hi Seth, > > (2014/11/17 10:29), Seth Jennings wrote: > > Changelog: > > > > Thanks for all the feedback! > > > > changes in v2: > > - rebase to next-20141113 > > - add copyright/license block to livepatch.h > > - add _LINUX prefix to header defines > > - replace semaphore with mutex > > - add LPC_ prefix to state enum > > - convert BUGs to WARNs and handle properly > > - change Kconfig default to n > > - remove [old|new] attrs from function sysfs dir (KASLR leak, no use) > > - disregard user provided old_addr if kernel uses KASLR > > - s/out/err for error path labels > > - s/unregister/disable for uniform terminology > > - s/lp/lpc for module notifier elements > > Hmm, btw, "LP" and "LPC" remind me line-printer and LPC bus :( > Can we use LKP (Live Kernel Patching) or KLP (Kernel Live Patching) instead ? Jiri S also mentioned this so I guess it is a common sentiment :) He suggested "lip" but I think I like "klp" better? Jiri S sound good? > > > - replace module ref'ing with unload notifier + mutex protection > > - adjust notifier priority to run before ftrace > > - make LIVE_PATCHING boolean (about to depend on arch stuff) > > For better handling x86-32, we'd better introduce ARCH_HAVE_LIVE_PATCHING and > avoid enabling LIVE_PATCHING on x86_32, then we can simplify arch/x86/kernel/livepatch.c. Will do. Thanks for the review! Seth > > Thank you, > > > - move x86-specific reloc code to arch/x86 > > - s/dynrela/reloc/ > > - add live patching sysfs documentation > > - add API function kernel-doc > > - TODO: kernel-doc for API structs once agreed upon > > > > Summary: > > > > This patchset implements an ftrace-based mechanism and kernel interface for > > doing live patching of kernel and kernel module functions. It represents the > > greatest common functionality set between kpatch [1] and kGraft [2] and can > > accept patches built using either method. This solution was discussed in the > > Live Patching Mini-conference at LPC 2014 [3]. > > > > The model consists of a live patching "core" that provides an interface for > > other "patch" kernel modules to register patches with the core. > > > > Patch modules contain the new function code and create an lp_patch structure > > containing the required data about what functions to patch, where the new code > > for each patched function resides, and in which kernel object (vmlinux or > > module) the function to be patch resides. The patch module then invokes the > > lp_register_patch() function to register with the core, then lp_enable_patch() > > to have the core redirect the execution paths using ftrace. > > > > An example patch module can be found here: > > https://github.com/spartacus06/livepatch/blob/master/patch/patch.c > > > > The live patching core creates a sysfs hierarchy for user-level access to live > > patching information. The hierarchy is structured like this: > > > > /sys/kernel/livepatch > > /sys/kernel/livepatch/ > > /sys/kernel/livepatch//enabled > > /sys/kernel/livepatch// > > /sys/kernel/livepatch/// > > > > The old function is located using one of two methods: it is either provided by > > the patch module (only possible for a function in vmlinux) or kallsyms lookup. > > Symbol ambiguity results in a failure. > > > > The core takes a reference on the patch module itself to keep it from > > unloading. This is because, without a mechanism to ensure that no thread is > > currently executing in the patched function, we can not determine whether it is > > safe to unload the patch module. For this reason, unloading patch modules is > > currently not allowed. > > > > Disabling patches can be done using the "enabled" attribute of the patch: > > > > echo 0 > /sys/kernel/livepatch//enabled > > > > If a patch module contains a patch for a module that is not currently loaded, > > there is nothing to patch so the core does nothing for that patch object. > > However, the core registers a module notifier that looks for COMING events so > > that if the module is ever loaded, it is immediately patched. If a module with > > patch code is removed, the notifier looks for GOING events and disables any > > patched functions for that object before it unloads. The notifier has a higher > > priority than that of the ftrace notifier so that it runs before the ftrace > > notifier for GOING events and we can cleanly unregister from ftrace. > > > > kpatch and kGraft each have their own mechanisms for ensuring system > > consistency during the patching process. This first version does not implement > > any consistency mechanism that ensures that old and new code do not run > > together. In practice, ~90% of CVEs are safe to apply in this way, since they > > simply add a conditional check. However, any function change that can not > > execute safely with the old version of the function can _not_ be safely applied > > for now. > > > > [1] https://github.com/dynup/kpatch > > [2] https://git.kernel.org/cgit/linux/kernel/git/jirislaby/kgraft.git/ > > [3] https://etherpad.fr/p/LPC2014_LivePatching > > > > Seth Jennings (3): > > kernel: add TAINT_LIVEPATCH > > kernel: add support for live patching > > kernel: add sysfs documentation for live patching > > > > Documentation/ABI/testing/sysfs-kernel-livepatch | 44 + > > Documentation/oops-tracing.txt | 2 + > > Documentation/sysctl/kernel.txt | 1 + > > MAINTAINERS | 13 + > > arch/x86/Kconfig | 2 + > > arch/x86/include/asm/livepatch.h | 38 + > > arch/x86/kernel/Makefile | 1 + > > arch/x86/kernel/livepatch.c | 83 ++ > > include/linux/kernel.h | 1 + > > include/linux/livepatch.h | 68 ++ > > kernel/Makefile | 1 + > > kernel/livepatch/Kconfig | 9 + > > kernel/livepatch/Makefile | 3 + > > kernel/livepatch/core.c | 999 +++++++++++++++++++++++ > > kernel/panic.c | 2 + > > 15 files changed, 1267 insertions(+) > > create mode 100644 Documentation/ABI/testing/sysfs-kernel-livepatch > > create mode 100644 arch/x86/include/asm/livepatch.h > > create mode 100644 arch/x86/kernel/livepatch.c > > create mode 100644 include/linux/livepatch.h > > create mode 100644 kernel/livepatch/Kconfig > > create mode 100644 kernel/livepatch/Makefile > > create mode 100644 kernel/livepatch/core.c > > > > > -- > Masami HIRAMATSU > Software Platform Research Dept. Linux Technology Research Center > Hitachi, Ltd., Yokohama Research Laboratory > E-mail: masami.hiramatsu.pt@hitachi.com > > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/