Re: [RFC PATCH 0/2] kpatch: dynamic kernel patching

From: Josh Poimboeuf
Date: Wed May 07 2014 - 12:43:44 EST


On Wed, May 07, 2014 at 05:57:54PM +0200, Ingo Molnar wrote:
> Live patching does not enter into this question, ever. The correctness
> of a patch to the source does not depend on 'live patching'
> considerations in any way, shape or form.
>
> Any mechanism that tries to blur these lines is broken by design.
>
> My claim is that if a patch is correct/safe in the old fashioned way,
> then a fundamental principle is that a live patching subsystem must
> either safely apply, or safely reject the live patching attempt,
> independently from any user input.

That's a valiant goal, but it's not going to happen unless you want to
rewrite Linux in Haskell. It's just not possible for a program to prove
that a patch is safe to apply to a running kernel. There are way too
many subtle interactions with dynamically allocated data between
functions.

I think the only way to achieve that is with CRIU, but it still requires
a kexec or a reboot, so you lose all kernel state and it's much more
disruptive.

> "We think/hope it won't blow up in most cases and we automated some
> checks halfways" or "the user must know what he is doing" is really
> not something that I think is a good concept for something as fragile
> as live patching.

This is a distro tool, not a general purpose one. If distros are
careful with their patch selection, it won't blow up. It's a valuable
way for distros to help out sysadmins who need a hot security fix but
can't reboot immediately.

--
Josh
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/