Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp2066309imm;
        Thu, 18 Oct 2018 08:32:43 -0700 (PDT)
X-Google-Smtp-Source: ACcGV61GJ/6vqrH2p8VT4K45jH8uklWz31ccAT4OP+3K9EZYolEjnHHDp/oIx68veqZYn2V2KrqK
X-Received: by 2002:a63:1066:: with SMTP id 38-v6mr29271503pgq.254.1539876763052;
        Thu, 18 Oct 2018 08:32:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1539876763; cv=none;
        d=google.com; s=arc-20160816;
        b=PD32s6hnuzJStqufVhbhTentt8thxtNA1tP4iLzEk6IIEYy1Vz/dWOixIv+w05Nru8
         OB9f/M8OXNexDSQOqkuEm07if751S0+w4JEuuWb5vpeyTPcao00cvhkg0E5OdHEeb1CE
         MqYr+RSnvarezeJsi2XBsaIHkC5nnC4NsU2DZ7b8xygRP8IH7j78BipNu6MilXbl4HCg
         h78KZ0x/9y/bd0gGukAwH0ifAvMozTdI/moOzmJCZ1BmzyZM2QpuIC3gIJYeUqF8ENqb
         tsPqbgl3GLm7QO+G4yxFG99zP37vjtkxIZbIfUBKwkQHmnieTe6xsrQQyFd/B2VYQqlb
         wCcw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=biS8YrUCZP7x7DpHWtafGnWnVNRjRQkYsHoJrww7Bk4=;
        b=jXXQeo00cKn7pX+L/lxW3zC1qIq76KdffiYccLmDiMV0wQqsoJH8PXJRcnNNVm24tB
         ilXwcubPfXQXMnzcuSSsKH5nYyfsXMYBJGYsqr5/4tvkiTv0R7ioSJOTsfcOtnG2gOW2
         8B31GhAwhrYir03+S2qYglrAl1VDdD/yJn+RDQZiJOdytCXVnL1idM7tUaPyXq7AJTVV
         SrzOGdB6RbhTMD+VlUeY6H7NBDYO95Y6ADVNlmnyeQ9Wtau2POt3flC7wG11csBh5lS8
         zqmBgg3+jwjhexbzV1HaFXb+6Mfg2f3gMuK/iN3ufl8/GuLIdqbT83F68ZhVFkZoFyQv
         OCnw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id h2-v6si24245828plk.350.2018.10.18.08.32.27;
        Thu, 18 Oct 2018 08:32:43 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728387AbeJRXcE (ORCPT <rfc822;zjuysxie86@gmail.com>
        + 99 others); Thu, 18 Oct 2018 19:32:04 -0400
Received: from mx1.redhat.com ([209.132.183.28]:47612 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1728249AbeJRXcE (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 18 Oct 2018 19:32:04 -0400
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id A34AF308A95E;
        Thu, 18 Oct 2018 15:30:32 +0000 (UTC)
Received: from treble (ovpn-123-182.rdu2.redhat.com [10.10.123.182])
        by smtp.corp.redhat.com (Postfix) with ESMTPS id 67FD27A1A2;
        Thu, 18 Oct 2018 15:30:29 +0000 (UTC)
Date:   Thu, 18 Oct 2018 10:30:27 -0500
From:   Josh Poimboeuf <jpoimboe@redhat.com>
To:     Petr Mladek <pmladek@suse.com>
Cc:     Miroslav Benes <mbenes@suse.cz>, Jiri Kosina <jikos@kernel.org>,
        Jason Baron <jbaron@akamai.com>,
        Joe Lawrence <joe.lawrence@redhat.com>,
        Jessica Yu <jeyu@kernel.org>,
        Evgenii Shatokhin <eshatokhin@virtuozzo.com>,
        live-patching@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v12 06/12] livepatch: Simplify API by removing
 registration step
Message-ID: <20181018153027.x4nk2ihgs5ehsln2@treble>
References: <20180828143603.4442-1-pmladek@suse.com>
 <20180828143603.4442-7-pmladek@suse.com>
 <alpine.LSU.2.21.1809051108440.7768@pobox.suse.cz>
 <20181012130120.f5berowklyccd7lj@pathway.suse.cz>
 <alpine.LSU.2.21.1810151756290.11383@pobox.suse.cz>
 <20181018145456.nrekm2iuyf5ztw3n@pathway.suse.cz>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20181018145456.nrekm2iuyf5ztw3n@pathway.suse.cz>
User-Agent: NeoMutt/20180716
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.41]); Thu, 18 Oct 2018 15:30:33 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Oct 18, 2018 at 04:54:56PM +0200, Petr Mladek wrote:
> On Mon 2018-10-15 18:01:43, Miroslav Benes wrote:
> > On Fri, 12 Oct 2018, Petr Mladek wrote:
> > 
> > > On Wed 2018-09-05 11:34:06, Miroslav Benes wrote:
> > > > On Tue, 28 Aug 2018, Petr Mladek wrote:
> > > > > Also the API and logic is much easier. It is enough to call
> > > > > klp_enable_patch() in module_init() call. The patch patch can be disabled
> > > > > by writing '0' into /sys/kernel/livepatch/<patch>/enabled. Then the module
> > > > > can be removed once the transition finishes and sysfs interface is freed.
> > > > 
> > > > I think it would be good to discuss our sysfs interface here as well.
> > > > 
> > > > Writing '1' to enabled attribute now makes sense only when you need to 
> > > > reverse an unpatching transition. Writing '0' means "disable" or a 
> > > > reversion again.
> > > > 
> > > > Wouldn't be better to split it to two different attributes? Something like 
> > > > "disable" and "reverse"? It could be more intuitive.
> > > > 
> > > > Maybe we'd also find out that even patch->enabled member is not useful 
> > > > anymore in such case.
> > > 
> > > I though about this as well. I kept "enabled" because:
> > > 
> > >   + It keeps the public interface the same as before. Most people
> > >     would not notice any change in the behavior except maybe that
> > >     the interface disappears when the patch gets disabled.
> > 
> > Well our sysfs interface is still in a testing phase as far as ABI is 
> > involved. Moreover, each live patch is bound to its base kernel by 
> > definition anyway. So we can change this without remorse, I think.

But it would break tooling, which is not kernel specific.  I'm not sure
whether it would be worth the headache.  After all I think the livepatch
sysfs interface is designed for tools, not humans.

> > >   + The reverse operation makes most sense when the transition
> > >     cannot get finished. In theory, it might be problem to
> > >     finish even the reversed one. People might want to
> > >     reverse once again and force it. Then "reverse" file
> > >     might be confusing. They might not know in which direction
> > >     they do the reverse.
> > 
> > I still think it would be better to have a less confusing interface and it 
> > would outweigh the second remark.
> 
> OK, what about having just "disable" in sysfs. I agree that it makes
> much more sense than "enable" now.
> 
> It might be used also for the reverse operation the same way as
> "enable" was used before. I think that standalone "reverse" might
> be confusing when we allow to reverse the operation in both
> directions.

As long as we're talking about radical changes... how about we just
don't allow disabling patches at all?  Instead a patch can be replaced
with a 'revert' patch, or an empty 'nop' patch.  That would make our
code simpler and also ensure there's an audit trail.

(Apologies if we've already talked about this.  My brain is still mushy
thanks to Spectre and friends.)

The amount of flexibility we allow is kind of crazy, considering how
delicate of an operation live patching is.  That reminds me that I
should bring up my other favorite idea at LPC: require modules to be
loaded before we "patch" them.

-- 
Josh