Re: [RFC PATCH 2/2] livepatch: Clear relocation targets on a module removal

From: Josh Poimboeuf
Date: Thu Aug 22 2019 - 18:36:57 EST


On Fri, Aug 16, 2019 at 11:46:08AM +0200, Petr Mladek wrote:
> On Wed 2019-08-14 10:12:44, Josh Poimboeuf wrote:
> > On Wed, Aug 14, 2019 at 01:06:09PM +0200, Miroslav Benes wrote:
> > > > Really, we should be going in the opposite direction, by creating module
> > > > dependencies, like all other kernel modules do, ensuring that a module
> > > > is loaded *before* we patch it. That would also eliminate this bug.
> > >
> > > Yes, but it is not ideal either with cumulative one-fixes-all patch
> > > modules. It would load also modules which are not necessary for a
> > > customer and I know that at least some customers care about this. They
> > > want to deploy only things which are crucial for their systems.
> >
> > If you frame the question as "do you want to destabilize the live
> > patching infrastucture" then the answer might be different.
> >
> > We should look at whether it makes sense to destabilize live patching
> > for everybody, for a small minority of people who care about a small
> > minority of edge cases.
>
> I do not see it that simple. Forcing livepatched modules to be
> loaded would mean loading "random" new modules when updating
> livepatches:

I don't want to start a long debate on this, because this idea isn't
even my first choice. But we shouldn't dismiss it outright.

<devils-advocate>

> + It means more actions and higher risk to destabilize
> the system. Different modules have different quality.

Maybe the distro shouldn't ship modules which would destabilize the
system.

> + It might open more security holes that are not fixed by
> the livepatch.

Following the same line of thinking, the livepatch infrastructure might
open security holes because of the inherent complexity of late module
patching.

> + It might require some extra configuration actions to handle
> the newly opened interfaces (devices). For example, updating
> SELinux policies.

I assume you mean user-created policies, not distro ones? Is this even
a realistic concern?

> + Are there conflicting modules that might need to get
> livepatched?

Again is this realistic?

> This approach has a strong no-go from my side.

</devils-advocate>

I agree it's not ideal, but nothing is ideal at this point. Let's not
to rule it out prematurely. I do feel that our current approach is not
the best. It will continue to create problems for us until we fix it.

>
> > Or maybe there's some other solution we haven't thought about, which
> > fits more in the framework of how kernel modules already work.
> >
> > > We could split patch modules as you proposed in the past, but that have
> > > issues as well.
>
> > Right, I'm not really crazy about that solution either.
>
> Yes, this would just move the problem somewhere else.
>
>
> > Here's another idea: per-object patch modules. Patches to vmlinux are
> > in a vmlinux patch module. Patches to kvm.ko are in a kvm patch module.
> > That would require:
> >
> > - Careful management of dependencies between object-specific patches.
> > Maybe that just means that exported function ABIs shouldn't change.
> >
> > - Some kind of hooking into modprobe to ensure the patch module gets
> > loaded with the real one.
>
> I see this just as a particular approach how to split livepatches
> per-object. The above points suggest how to handle dependencies
> on the kernel side.

Yes, they would need to be done on the distro / patch creation /
operational side. They probably wouldn't affect livepatch code.

> > - Changing 'atomic replace' to allow patch modules to be per-object.
>
> The problem might be how to transition all loaded objects atomically
> when the needed code is loaded from different modules.

I'm not sure what you mean.

My idea was that each patch module would be specific to an object, with
no inter-module change dependencies. So when using atomic replace, if
the patch module is only targeted to vmlinux, then only vmlinux-targeted
patch modules would be replaced.

In other words, 'atomic replace' would be object-specific.

> Alternative would be to support only per-object consitency. But it
> might reduce the number of supported scenarios too much. Also it
> would make livepatching more error-prone.

Again, I don't follow.

--
Josh