Date: Tue, 23 Oct 2018 11:39:43 -0500
From: Josh Poimboeuf
To: Petr Mladek
Cc: Miroslav Benes, Jiri Kosina, Jason Baron, Joe Lawrence, Jessica Yu,
 Evgenii Shatokhin, live-patching@vger.kernel.org,
 linux-kernel@vger.kernel.org
Subject: Re: [PATCH v12 06/12] livepatch: Simplify API by removing registration step
Message-ID: <20181023163943.ex65stywf2cwqvep@treble>
References: <20180828143603.4442-1-pmladek@suse.com>
 <20180828143603.4442-7-pmladek@suse.com>
 <20181012130120.f5berowklyccd7lj@pathway.suse.cz>
 <20181018145456.nrekm2iuyf5ztw3n@pathway.suse.cz>
 <20181018153027.x4nk2ihgs5ehsln2@treble>
 <20181019143604.35zgwus4arkolbwr@treble>
 <20181022132509.6vxrdvq42e5j2bpx@pathway.suse.cz>
In-Reply-To: <20181022132509.6vxrdvq42e5j2bpx@pathway.suse.cz>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Oct 22, 2018 at 03:25:10PM +0200, Petr Mladek wrote:
> On Fri 2018-10-19 09:36:04, Josh Poimboeuf wrote:
> > On Fri, Oct 19, 2018 at 02:16:19PM +0200, Miroslav Benes wrote:
> > > On Thu, 18 Oct 2018, Josh Poimboeuf wrote:
> > >
> > > > On Thu, Oct 18, 2018 at 04:54:56PM +0200, Petr Mladek wrote:
> > > > > OK, what about having just "disable" in sysfs. I agree that it makes
> > > > > much more sense than "enable" now.
> > > > >
> > > > > It might be used also for the reverse operation the same way as
> > > > > "enable" was used before. I think that standalone "reverse" might
> > > > > be confusing when we allow to reverse the operation in both
> > > > > directions.
> > > >
> > > > As long as we're talking about radical changes... how about we just
> > > > don't allow disabling patches at all? Instead a patch can be replaced
> > > > with a 'revert' patch, or an empty 'nop' patch. That would make our
> > > > code simpler and also ensure there's an audit trail.
> > > >
> > > > (Apologies if we've already talked about this. My brain is still mushy
> > > > thanks to Spectre and friends.)
> > >
> > > I think we talked about it last year in Prague and I think we convinced
> > > you that it was not a good idea (...not to allow disabling patches at
> > > all).
> > >
> > > BUT! Empty 'nop' patch is a new idea and we may certainly discuss it.
> >
> > I definitely remember talking about it in Prague, but I don't remember
> > any conclusions.
>
> The revert operation allows to remove a livepatch stuck in the
> transition without forcing.

True, though I question the real world value of that.

> Also implementing empty cumulative patch might be tricky because
> of the callbacks. The current proposal is to call callbacks only
> from the new livepatch. It helps to keep the interactions easy
> and under control. The way how to take over some change between
> an old and new patch depends on the particular functionality.

Presumably a 'no-op' patch would be special, in that it would call the
un-patch callbacks.

I think the only *real* benefit of this proposal would be that history
would be a straight line, with no backtracking. Similar to git rebase
vs merge. You'd be able to tell what has been applied and reverted just
by looking at what modules are loaded.

But, I now realize that in order for that to be the case, we'd have to
disallow the unloading of replaced modules. But I think we're going to
end up *allowing* the unloading of replaced modules, right? So maybe
it's not worth it. I'll drop it.

> It would mean that the empty patch might need to be custom.
> Users probably would need to ask and wait for it.
>
>
> > My livepatch-related brain cache lines have been
> > flushed thanks to the aforementioned CVEs and my rapidly advancing
> > senility.
>
> Uff, I am not the only one. :-)
>
> > > > The amount of flexibility we allow is kind of crazy, considering how
> > > > delicate of an operation live patching is. That reminds me that I
> > > > should bring up my other favorite idea at LPC: require modules to be
> > > > loaded before we "patch" them.
> > >
> > > We talked about this as well and if I remember correctly we came to a
> > > conclusion that it is all about a distribution and maintenance. We cannot
> > > ask customers to load modules they do not need just because we need to
> > > patch them.
> >
> > Fair enough.
> >
> > > One cumulative patch is not that great in this case. I remember you
> > > had a crazy idea how to solve it, but I don't remember details. My
> > > notes from the event say...
> > >
> > > - livepatch code complexity
> > > - make it synchronous with respect to modules loading
> > > - Josh's crazy idea
> > >
> > > That's not much :D
> > >
> > > So yes, we can talk about it and hopefully make proper notes this time.
> >
> > Heh, better notes would be good, otherwise I'll just keep complaining
> > about the same things every year :-) I'll try to remember what my crazy
> > idea was, or maybe come up with some new ones to keep it fresh.
>
> If we do not want to force users to load all patched modules then
> we would need to create a livepatch-per-module. This just moves
> the complexity somewhere else.
>
> One big problem would be how to keep the system consistent. You
> would need to solve races between loading modules and livepatches
> anyway.
>
> For example, you could not load fixed/patched modules when the system
> is not fully patched yet. You would need to load the module and
> the related livepatch at the same time and follow the consistency
> model as we do now.
>
> OK, there was the idea to refuse loading modules when livepatch
> transition is in progress. But it might not be acceptable,
> especially when the transition gets blocked infinitely
> and manual intervention would be needed.
>
> I agree that the current solution adds complexity to
> the livepatching code but it is not that complicated.
> Races with loading modules and livepatches in parallel
> are solved by mod->klp_active flag. There are no other
> races because all other operations are done on code
> that is not actively used. One good thing is that
> everything is in one place and kernel has it under
> control.
>
> I am open to discuss it. But we would need to come up with
> some clever solution.

Yeah, I think that's pretty much the crazy idea Miroslav mentioned.
The patch would consist of several modules. The parent module would
register the patch and patch vmlinux. Each child module would be
associated with a to-be-patched module. The child modules could be
loaded on demand, either by special klp code or by modprobe.

As you described, there would be some races to think about.

However, it would also have some benefits. I *hope* it would mean we
could get rid of a lot of our ugly hacks, like

- klp symbols, klp relas
- preserving ELF data, PLT's, other horrible arch-specific things
- klp.arch..altinstructions, klp.arch..parainstructions
- manually calling apply_relocate_add()

However... we might still need some of those things for another reason:
to bypass exported symbol protections. It needs some more
investigation.

Given this discussion, I'm thinking there wouldn't be much to discuss at
LPC for this topic unless we had a prototype to look at (which I won't
have time to do). So I may drop my talk in favor of giving more time
for other more tangible discussions.

-- 
Josh
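
The parent/child layout described in this message can be sketched as a
small userspace C model. This is only an illustration under stated
assumptions, not kernel code and not an existing livepatch API: every
name below (klp_parent_sketch, klp_child_sketch, parent_load,
target_module_coming, children_loaded) is hypothetical, and the sketch
deliberately ignores the races and the consistency model raised in the
thread.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model: one child per to-be-patched module. */
struct klp_child_sketch {
	const char *target;	/* name of the module this child patches */
	bool loaded;		/* child was loaded alongside its target */
};

/* Hypothetical model: the parent owns the patch and covers vmlinux. */
struct klp_parent_sketch {
	bool vmlinux_patched;
	struct klp_child_sketch *children;
	size_t nr_children;
};

/* Loading the parent registers the patch and patches vmlinux only. */
static void parent_load(struct klp_parent_sketch *p)
{
	p->vmlinux_patched = true;
}

/*
 * Models a target module being loaded. If the patch has a child for it,
 * mark that child as loaded on demand and return true. Return false when
 * the patch does not touch this module at all.
 */
static bool target_module_coming(struct klp_parent_sketch *p, const char *name)
{
	/* Assumption of this sketch: children only follow a loaded parent. */
	assert(p->vmlinux_patched);

	for (size_t i = 0; i < p->nr_children; i++) {
		if (strcmp(p->children[i].target, name) == 0) {
			p->children[i].loaded = true;
			return true;
		}
	}
	return false;
}

/* Count the children that have actually been loaded so far. */
static size_t children_loaded(const struct klp_parent_sketch *p)
{
	size_t n = 0;

	for (size_t i = 0; i < p->nr_children; i++)
		if (p->children[i].loaded)
			n++;
	return n;
}
```

In this model, a patch with children for two targets only ever loads
the child whose target module shows up, which is the on-demand property
the idea relies on: users are not forced to load modules they do not
need.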