On Wed 2019-08-14 10:12:44, Josh Poimboeuf wrote:
> On Wed, Aug 14, 2019 at 01:06:09PM +0200, Miroslav Benes wrote:
> > > Really, we should be going in the opposite direction, by creating module
> > > dependencies, like all other kernel modules do, ensuring that a module
> > > is loaded *before* we patch it. That would also eliminate this bug.
> >
> > Yes, but it is not ideal either with cumulative one-fixes-all patch
> > modules. It would load also modules which are not necessary for a
> > customer and I know that at least some customers care about this. They
> > want to deploy only things which are crucial for their systems.
>
> If you frame the question as "do you want to destabilize the live
> patching infrastucture" then the answer might be different.
>
> We should look at whether it makes sense to destabilize live patching
> for everybody, for a small minority of people who care about a small
> minority of edge cases.
I do not see it that simple. Forcing livepatched modules to be
loaded would mean loading "random" new modules when updating
livepatches:
+ It means more actions and higher risk to destabilize
the system. Different modules have different quality.
+ It might open more security holes that are not fixed by
the livepatch.
+ It might require some extra configuration actions to handle
the newly opened interfaces (devices). For example, updating
SELinux policies.
+ Are there conflicting modules that might need to get
livepatched?
This approach has a strong no-go from my side.
> Or maybe there's some other solution we haven't thought about, which
> fits more in the framework of how kernel modules already work.
>
> > We could split patch modules as you proposed in the past, but that have
> > issues as well.
> Right, I'm not really crazy about that solution either.
Yes, this would just move the problem somewhere else.
> Here's another idea: per-object patch modules. Patches to vmlinux are
> in a vmlinux patch module. Patches to kvm.ko are in a kvm patch module.
> That would require:
>
> - Careful management of dependencies between object-specific patches.
> Maybe that just means that exported function ABIs shouldn't change.
>
> - Some kind of hooking into modprobe to ensure the patch module gets
> loaded with the real one.
I see this just as a particular approach how to split livepatches
per-object. The above points suggest how to handle dependencies
on the kernel side.
> - Changing 'atomic replace' to allow patch modules to be per-object.
The problem might be how to transition all loaded objects atomically
when the needed code is loaded from different modules.
Alternative would be to support only per-object consitency. But it
might reduce the number of supported scenarios too much. Also it
would make livepatching more error-prone.
I would like to see updated variant of this patch to see how much
arch-specific code is really necessary.
IMHO, if reverting relocations is too complicated then the least painful
compromise is to "deny the patched modules to be removed".
> > Anyway, that is why I proposed "Rethinking late module patching" talk at
> > LPC and we should try to come up with a solution there.
>
> Thanks, I saw that. It's definitely worthy of more discussion. The
> talk may be more productive if there were code to look at. For example,
> a patch which removes all the "late module patching" gunk, so we can at
> least quantify the cost of the current approach.
+1
Best Regards,
Petr
