Re: [PATCHv2 0/3] Kernel Live Patching

[Masami Hiramatsu]

Hi Seth,

(2014/11/17 10:29), Seth Jennings wrote:
> Changelog:
> 
> Thanks for all the feedback!
> 
> changes in v2:
> - rebase to next-20141113
> - add copyright/license block to livepatch.h
> - add _LINUX prefix to header defines
> - replace semaphore with mutex
> - add LPC_ prefix to state enum
> - convert BUGs to WARNs and handle properly
> - change Kconfig default to n
> - remove [old|new] attrs from function sysfs dir (KASLR leak, no use)
> - disregard user provided old_addr if kernel uses KASLR
> - s/out/err for error path labels
> - s/unregister/disable for uniform terminology
> - s/lp/lpc for module notifier elements

Hmm, btw, "LP" and "LPC" remind me line-printer and LPC bus :(
Can we use LKP (Live Kernel Patching) or KLP (Kernel Live Patching) instead ?

> - replace module ref'ing with unload notifier + mutex protection
> - adjust notifier priority to run before ftrace
> - make LIVE_PATCHING boolean (about to depend on arch stuff)

For better handling x86-32, we'd better introduce ARCH_HAVE_LIVE_PATCHING and
avoid enabling LIVE_PATCHING on x86_32, then we can simplify arch/x86/kernel/livepatch.c.

Thank you,

> - move x86-specific reloc code to arch/x86
> - s/dynrela/reloc/
> - add live patching sysfs documentation
> - add API function kernel-doc
> - TODO: kernel-doc for API structs once agreed upon
> 
> Summary:
> 
> This patchset implements an ftrace-based mechanism and kernel interface for
> doing live patching of kernel and kernel module functions.  It represents the
> greatest common functionality set between kpatch [1] and kGraft [2] and can
> accept patches built using either method.  This solution was discussed in the
> Live Patching Mini-conference at LPC 2014 [3].
> 
> The model consists of a live patching "core" that provides an interface for
> other "patch" kernel modules to register patches with the core.
> 
> Patch modules contain the new function code and create an lp_patch structure
> containing the required data about what functions to patch, where the new code
> for each patched function resides, and in which kernel object (vmlinux or
> module) the function to be patch resides.  The patch module then invokes the
> lp_register_patch() function to register with the core, then lp_enable_patch()
> to have the core redirect the execution paths using ftrace.
> 
> An example patch module can be found here:
> https://github.com/spartacus06/livepatch/blob/master/patch/patch.c
> 
> The live patching core creates a sysfs hierarchy for user-level access to live
> patching information.  The hierarchy is structured like this:
> 
> /sys/kernel/livepatch
> /sys/kernel/livepatch/<patch>
> /sys/kernel/livepatch/<patch>/enabled
> /sys/kernel/livepatch/<patch>/<object>
> /sys/kernel/livepatch/<patch>/<object>/<func>
> 
> The old function is located using one of two methods: it is either provided by
> the patch module (only possible for a function in vmlinux) or kallsyms lookup.
> Symbol ambiguity results in a failure.
> 
> The core takes a reference on the patch module itself to keep it from
> unloading.  This is because, without a mechanism to ensure that no thread is
> currently executing in the patched function, we can not determine whether it is
> safe to unload the patch module.  For this reason, unloading patch modules is
> currently not allowed.
> 
> Disabling patches can be done using the "enabled" attribute of the patch:
> 
> echo 0 > /sys/kernel/livepatch/<patch>/enabled
> 
> If a patch module contains a patch for a module that is not currently loaded,
> there is nothing to patch so the core does nothing for that patch object.
> However, the core registers a module notifier that looks for COMING events so
> that if the module is ever loaded, it is immediately patched.  If a module with
> patch code is removed, the notifier looks for GOING events and disables any
> patched functions for that object before it unloads.  The notifier has a higher
> priority than that of the ftrace notifier so that it runs before the ftrace
> notifier for GOING events and we can cleanly unregister from ftrace.
> 
> kpatch and kGraft each have their own mechanisms for ensuring system
> consistency during the patching process. This first version does not implement
> any consistency mechanism that ensures that old and new code do not run
> together.  In practice, ~90% of CVEs are safe to apply in this way, since they
> simply add a conditional check.  However, any function change that can not
> execute safely with the old version of the function can _not_ be safely applied
> for now.
> 
> [1] https://github.com/dynup/kpatch
> [2] https://git.kernel.org/cgit/linux/kernel/git/jirislaby/kgraft.git/
> [3] https://etherpad.fr/p/LPC2014_LivePatching
> 
> Seth Jennings (3):
>   kernel: add TAINT_LIVEPATCH
>   kernel: add support for live patching
>   kernel: add sysfs documentation for live patching
> 
>  Documentation/ABI/testing/sysfs-kernel-livepatch |  44 +
>  Documentation/oops-tracing.txt                   |   2 +
>  Documentation/sysctl/kernel.txt                  |   1 +
>  MAINTAINERS                                      |  13 +
>  arch/x86/Kconfig                                 |   2 +
>  arch/x86/include/asm/livepatch.h                 |  38 +
>  arch/x86/kernel/Makefile                         |   1 +
>  arch/x86/kernel/livepatch.c                      |  83 ++
>  include/linux/kernel.h                           |   1 +
>  include/linux/livepatch.h                        |  68 ++
>  kernel/Makefile                                  |   1 +
>  kernel/livepatch/Kconfig                         |   9 +
>  kernel/livepatch/Makefile                        |   3 +
>  kernel/livepatch/core.c                          | 999 +++++++++++++++++++++++
>  kernel/panic.c                                   |   2 +
>  15 files changed, 1267 insertions(+)
>  create mode 100644 Documentation/ABI/testing/sysfs-kernel-livepatch
>  create mode 100644 arch/x86/include/asm/livepatch.h
>  create mode 100644 arch/x86/kernel/livepatch.c
>  create mode 100644 include/linux/livepatch.h
>  create mode 100644 kernel/livepatch/Kconfig
>  create mode 100644 kernel/livepatch/Makefile
>  create mode 100644 kernel/livepatch/core.c
> 


-- 
Masami HIRAMATSU
Software Platform Research Dept. Linux Technology Research Center
Hitachi, Ltd., Yokohama Research Laboratory
E-mail: masami.hiramatsu.pt@xxxxxxxxxxx


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/