Re: [RFC PATCH 2/2] livepatch: Clear relocation targets on a module removal

From: Miroslav Benes
Date: Thu Sep 05 2019 - 08:17:09 EST


On Wed, 4 Sep 2019, Josh Poimboeuf wrote:

> On Tue, Sep 03, 2019 at 03:02:34PM +0200, Miroslav Benes wrote:
> > On Mon, 2 Sep 2019, Joe Lawrence wrote:
> >
> > > On 9/2/19 12:13 PM, Miroslav Benes wrote:
> > > >> I can easily foresee more problems like those in the future. Going
> > > >> forward we have to always keep track of which special sections are
> > > >> needed for which architectures. Those special sections can change over
> > > >> time, or can simply be overlooked for a given architecture. It's
> > > >> fragile.
> > > >
> > > > Indeed. It bothers me a lot. Even x86 "port" is not feature complete in
> > > > this regard (jump labels, alternatives,...) and who knows what lurks in
> > > > the corners of the other architectures we support.
> > > >
> > > > So it is in itself reason enough to do something about late module
> > > > patching.
> > > >
> > >
> > > Hi Miroslav,
> > >
> > > I was tinkering with the "blue-sky" ideas that I mentioned to Josh the other
> > > day.
> >
> > > I dunno if you had a chance to look at what removing that code looks
> > > like, but I can continue to flesh out that idea if it looks interesting:
> >
> > Unfortunately no and I don't think I'll come up with something useful
> > before LPC, so anything is really welcome.
> >
> > >
> > > https://github.com/joe-lawrence/linux/tree/blue-sky
>
> I like this a lot.
>
> > > A full demo would require packaging up replacement .ko's with a livepatch, as
> > > well as "blacklisting" those deprecated .kos, etc. But that's all I had time
> > > to cook up last week before our holiday weekend here.
> >
> > Frankly, I'm not sure about this approach. I'm kind of torn. The current
> > solution is far from ideal, but I'm not excited about the other options
> > either. It seems like the choice is basically between "general but
> > technically complicated fragile solution with nontrivial maintenance
> > burden", or "something safer and maybe cleaner, but limiting for
> > users/distros". Of course it depends on whether the limitation is even
> > real and how big it is. Unfortunately we cannot quantify it much and that
> > is probably why our opinions (in the email thread) differ.
>
> How would this option be "limiting for users/distros"? If the packaging
> part of the solution is done correctly then I don't see how it would be
> limiting.

I'll try to explain my worries.

Blacklisting first. Yes, I agree that it would make things a lot simpler,
but I am afraid it would not fly at SUSE. Petr meanwhile explained
elsewhere, but I don't think we can limit our customers that much. We
perceive live patching as a product as much transparent as possible and as
less intrusive as possible. One thing is to forbid to remove a module, the
other is to forbid its loading.

We could warn the admin. Something like "there is a fix for a module foo,
which is not loaded currently. It will not be patched and the system will
be still vulnerable if you load the module unless a new fixed version is
provided."

Yes, we can distribute the new version of .ko with a livepatch. What is
the reason for blacklisting then? I don't probably understand, but either
a module is loaded and we can patch it (without late module patching), or
it is not and we could replace .ko on disk.

Now, I don't think that replacing .ko on disk is a good idea. We've
already discussed it. It would lead to a maintenance/packaging problem,
because you never know which version of the module is loaded in the
system. The state space grows rather rapidly there.

But I may be wrong in my understanding, so bear with me.

Miroslav