Re: [RFC PATCH 2/2] livepatch: Clear relocation targets on a module removal

[Miroslav Benes]

On Wed, 4 Sep 2019, Josh Poimboeuf wrote:

> On Tue, Sep 03, 2019 at 03:02:34PM +0200, Miroslav Benes wrote:
> > On Mon, 2 Sep 2019, Joe Lawrence wrote:
> > 
> > > On 9/2/19 12:13 PM, Miroslav Benes wrote:
> > > >> I can easily foresee more problems like those in the future.  Going
> > > >> forward we have to always keep track of which special sections are
> > > >> needed for which architectures.  Those special sections can change over
> > > >> time, or can simply be overlooked for a given architecture.  It's
> > > >> fragile.
> > > > 
> > > > Indeed. It bothers me a lot. Even x86 "port" is not feature complete in
> > > > this regard (jump labels, alternatives,...) and who knows what lurks in
> > > > the corners of the other architectures we support.
> > > > 
> > > > So it is in itself reason enough to do something about late module
> > > > patching.
> > > > 
> > > 
> > > Hi Miroslav,
> > > 
> > > I was tinkering with the "blue-sky" ideas that I mentioned to Josh the other
> > > day.
> > 
> > > I dunno if you had a chance to look at what removing that code looks
> > > like, but I can continue to flesh out that idea if it looks interesting:
> > 
> > Unfortunately no and I don't think I'll come up with something useful 
> > before LPC, so anything is really welcome.
> > 
> > > 
> > >   https://github.com/joe-lawrence/linux/tree/blue-sky
> 
> I like this a lot.
> 
> > > A full demo would require packaging up replacement .ko's with a livepatch, as
> > > well as "blacklisting" those deprecated .kos, etc.  But that's all I had time
> > > to cook up last week before our holiday weekend here.
> > 
> > Frankly, I'm not sure about this approach. I'm kind of torn. The current 
> > solution is far from ideal, but I'm not excited about the other options 
> > either. It seems like the choice is basically between "general but 
> > technically complicated fragile solution with nontrivial maintenance 
> > burden", or "something safer and maybe cleaner, but limiting for 
> > users/distros". Of course it depends on whether the limitation is even 
> > real and how big it is. Unfortunately we cannot quantify it much and that 
> > is probably why our opinions (in the email thread) differ.
> 
> How would this option be "limiting for users/distros"?  If the packaging
> part of the solution is done correctly then I don't see how it would be
> limiting.

I'll try to explain my worries.

Blacklisting first. Yes, I agree that it would make things a lot simpler, 
but I am afraid it would not fly at SUSE. Petr meanwhile explained 
elsewhere, but I don't think we can limit our customers that much. We 
perceive live patching as a product as much transparent as possible and as 
less intrusive as possible. One thing is to forbid to remove a module, the 
other is to forbid its loading.

We could warn the admin. Something like "there is a fix for a module foo, 
which is not loaded currently. It will not be patched and the system will 
be still vulnerable if you load the module unless a new fixed version is 
provided."

Yes, we can distribute the new version of .ko with a livepatch. What is 
the reason for blacklisting then? I don't probably understand, but either 
a module is loaded and we can patch it (without late module patching), or 
it is not and we could replace .ko on disk.

Now, I don't think that replacing .ko on disk is a good idea. We've 
already discussed it. It would lead to a maintenance/packaging problem, 
because you never know which version of the module is loaded in the 
system. The state space grows rather rapidly there.

But I may be wrong in my understanding, so bear with me.

Miroslav