tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
livepatch: Add some basic livepatch documentation
livepatch framework deserves some documentation, definitely.
This is an attempt to provide some basic info. I hope that
it will be useful for both LivePatch producers and also
potential developers of the framework itself.
[jkosina@suse.cz:
- incorporated feedback (grammar fixes) from
Chris J Arges <chris.j.arges@canonical.com>
- s/LivePatch/livepatch in changelog as pointed out by
Josh Poimboeuf <jpoimboe@redhat.com>
- incorporated part of feedback (grammar fixes / reformulations) from
Balbir Singh <bsingharora@gmail.com>
]
Acked-by: Jessica Yu <jeyu@redhat.com>
Signed-off-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
authored by
Petr Mladek
and committed by
Jiri Kosina
5e4e3844
0f49fc95
+395
+394
Documentation/livepatch/livepatch.txt
+394
Documentation/livepatch/livepatch.txt
···
1
+
=========
2
+
Livepatch
3
+
=========
4
+
5
+
This document outlines basic information about kernel livepatching.
6
+
7
+
Table of Contents:
8
+
9
+
1. Motivation
10
+
2. Kprobes, Ftrace, Livepatching
11
+
3. Consistency model
12
+
4. Livepatch module
13
+
4.1. New functions
14
+
4.2. Metadata
15
+
4.3. Livepatch module handling
16
+
5. Livepatch life-cycle
17
+
5.1. Registration
18
+
5.2. Enabling
19
+
5.3. Disabling
20
+
5.4. Unregistration
21
+
6. Sysfs
22
+
7. Limitations
23
+
24
+
25
+
1. Motivation
26
+
=============
27
+
28
+
There are many situations where users are reluctant to reboot a system. It may
29
+
be because their system is performing complex scientific computations or under
30
+
heavy load during peak usage. In addition to keeping systems up and running,
31
+
users want to also have a stable and secure system. Livepatching gives users
32
+
both by allowing for function calls to be redirected; thus, fixing critical
33
+
functions without a system reboot.
34
+
35
+
36
+
2. Kprobes, Ftrace, Livepatching
37
+
================================
38
+
39
+
There are multiple mechanisms in the Linux kernel that are directly related
40
+
to redirection of code execution; namely: kernel probes, function tracing,
41
+
and livepatching:
42
+
43
+
+ The kernel probes are the most generic. The code can be redirected by
44
+
putting a breakpoint instruction instead of any instruction.
45
+
46
+
+ The function tracer calls the code from a predefined location that is
47
+
close to the function entry point. This location is generated by the
48
+
compiler using the '-pg' gcc option.
49
+
50
+
+ Livepatching typically needs to redirect the code at the very beginning
51
+
of the function entry before the function parameters or the stack
52
+
are in any way modified.
53
+
54
+
All three approaches need to modify the existing code at runtime. Therefore
55
+
they need to be aware of each other and not step over each other's toes.
56
+
Most of these problems are solved by using the dynamic ftrace framework as
57
+
a base. A Kprobe is registered as a ftrace handler when the function entry
58
+
is probed, see CONFIG_KPROBES_ON_FTRACE. Also an alternative function from
59
+
a live patch is called with the help of a custom ftrace handler. But there are
60
+
some limitations, see below.
61
+
62
+
63
+
3. Consistency model
64
+
====================
65
+
66
+
Functions are there for a reason. They take some input parameters, get or
67
+
release locks, read, process, and even write some data in a defined way,
68
+
have return values. In other words, each function has a defined semantic.
69
+
70
+
Many fixes do not change the semantic of the modified functions. For
71
+
example, they add a NULL pointer or a boundary check, fix a race by adding
72
+
a missing memory barrier, or add some locking around a critical section.
73
+
Most of these changes are self contained and the function presents itself
74
+
the same way to the rest of the system. In this case, the functions might
75
+
be updated independently one by one.
76
+
77
+
But there are more complex fixes. For example, a patch might change
78
+
ordering of locking in multiple functions at the same time. Or a patch
79
+
might exchange meaning of some temporary structures and update
80
+
all the relevant functions. In this case, the affected unit
81
+
(thread, whole kernel) need to start using all new versions of
82
+
the functions at the same time. Also the switch must happen only
83
+
when it is safe to do so, e.g. when the affected locks are released
84
+
or no data are stored in the modified structures at the moment.
85
+
86
+
The theory about how to apply functions a safe way is rather complex.
87
+
The aim is to define a so-called consistency model. It attempts to define
88
+
conditions when the new implementation could be used so that the system
89
+
stays consistent. The theory is not yet finished. See the discussion at
90
+
http://thread.gmane.org/gmane.linux.kernel/1823033/focus=1828189
91
+
92
+
The current consistency model is very simple. It guarantees that either
93
+
the old or the new function is called. But various functions get redirected
94
+
one by one without any synchronization.
95
+
96
+
In other words, the current implementation _never_ modifies the behavior
97
+
in the middle of the call. It is because it does _not_ rewrite the entire
98
+
function in the memory. Instead, the function gets redirected at the
99
+
very beginning. But this redirection is used immediately even when
100
+
some other functions from the same patch have not been redirected yet.
101
+
102
+
See also the section "Limitations" below.
103
+
104
+
105
+
4. Livepatch module
106
+
===================
107
+
108
+
Livepatches are distributed using kernel modules, see
109
+
samples/livepatch/livepatch-sample.c.
110
+
111
+
The module includes a new implementation of functions that we want
112
+
to replace. In addition, it defines some structures describing the
113
+
relation between the original and the new implementation. Then there
114
+
is code that makes the kernel start using the new code when the livepatch
115
+
module is loaded. Also there is code that cleans up before the
116
+
livepatch module is removed. All this is explained in more details in
117
+
the next sections.
118
+
119
+
120
+
4.1. New functions
121
+
------------------
122
+
123
+
New versions of functions are typically just copied from the original
124
+
sources. A good practice is to add a prefix to the names so that they
125
+
can be distinguished from the original ones, e.g. in a backtrace. Also
126
+
they can be declared as static because they are not called directly
127
+
and do not need the global visibility.
128
+
129
+
The patch contains only functions that are really modified. But they
130
+
might want to access functions or data from the original source file
131
+
that may only be locally accessible. This can be solved by a special
132
+
relocation section in the generated livepatch module, see
133
+
Documentation/livepatch/module-elf-format.txt for more details.
134
+
135
+
136
+
4.2. Metadata
137
+
------------
138
+
139
+
The patch is described by several structures that split the information
140
+
into three levels:
141
+
142
+
+ struct klp_func is defined for each patched function. It describes
143
+
the relation between the original and the new implementation of a
144
+
particular function.
145
+
146
+
The structure includes the name, as a string, of the original function.
147
+
The function address is found via kallsyms at runtime.
148
+
149
+
Then it includes the address of the new function. It is defined
150
+
directly by assigning the function pointer. Note that the new
151
+
function is typically defined in the same source file.
152
+
153
+
As an optional parameter, the symbol position in the kallsyms database can
154
+
be used to disambiguate functions of the same name. This is not the
155
+
absolute position in the database, but rather the order it has been found
156
+
only for a particular object ( vmlinux or a kernel module ). Note that
157
+
kallsyms allows for searching symbols according to the object name.
158
+
159
+
+ struct klp_object defines an array of patched functions (struct
160
+
klp_func) in the same object. Where the object is either vmlinux
161
+
(NULL) or a module name.
162
+
163
+
The structure helps to group and handle functions for each object
164
+
together. Note that patched modules might be loaded later than
165
+
the patch itself and the relevant functions might be patched
166
+
only when they are available.
167
+
168
+
169
+
+ struct klp_patch defines an array of patched objects (struct
170
+
klp_object).
171
+
172
+
This structure handles all patched functions consistently and eventually,
173
+
synchronously. The whole patch is applied only when all patched
174
+
symbols are found. The only exception are symbols from objects
175
+
(kernel modules) that have not been loaded yet. Also if a more complex
176
+
consistency model is supported then a selected unit (thread,
177
+
kernel as a whole) will see the new code from the entire patch
178
+
only when it is in a safe state.
179
+
180
+
181
+
4.3. Livepatch module handling
182
+
------------------------------
183
+
184
+
The usual behavior is that the new functions will get used when
185
+
the livepatch module is loaded. For this, the module init() function
186
+
has to register the patch (struct klp_patch) and enable it. See the
187
+
section "Livepatch life-cycle" below for more details about these
188
+
two operations.
189
+
190
+
Module removal is only safe when there are no users of the underlying
191
+
functions. The immediate consistency model is not able to detect this;
192
+
therefore livepatch modules cannot be removed. See "Limitations" below.
193
+
194
+
5. Livepatch life-cycle
195
+
=======================
196
+
197
+
Livepatching defines four basic operations that define the life cycle of each
198
+
live patch: registration, enabling, disabling and unregistration. There are
199
+
several reasons why it is done this way.
200
+
201
+
First, the patch is applied only when all patched symbols for already
202
+
loaded objects are found. The error handling is much easier if this
203
+
check is done before particular functions get redirected.
204
+
205
+
Second, the immediate consistency model does not guarantee that anyone is not
206
+
sleeping in the new code after the patch is reverted. This means that the new
207
+
code needs to stay around "forever". If the code is there, one could apply it
208
+
again. Therefore it makes sense to separate the operations that might be done
209
+
once and those that need to be repeated when the patch is enabled (applied)
210
+
again.
211
+
212
+
Third, it might take some time until the entire system is migrated
213
+
when a more complex consistency model is used. The patch revert might
214
+
block the livepatch module removal for too long. Therefore it is useful
215
+
to revert the patch using a separate operation that might be called
216
+
explicitly. But it does not make sense to remove all information
217
+
until the livepatch module is really removed.
218
+
219
+
220
+
5.1. Registration
221
+
-----------------
222
+
223
+
Each patch first has to be registered using klp_register_patch(). This makes
224
+
the patch known to the livepatch framework. Also it does some preliminary
225
+
computing and checks.
226
+
227
+
In particular, the patch is added into the list of known patches. The
228
+
addresses of the patched functions are found according to their names.
229
+
The special relocations, mentioned in the section "New functions", are
230
+
applied. The relevant entries are created under
231
+
/sys/kernel/livepatch/<name>. The patch is rejected when any operation
232
+
fails.
233
+
234
+
235
+
5.2. Enabling
236
+
-------------
237
+
238
+
Registered patches might be enabled either by calling klp_enable_patch() or
239
+
by writing '1' to /sys/kernel/livepatch/<name>/enabled. The system will
240
+
start using the new implementation of the patched functions at this stage.
241
+
242
+
In particular, if an original function is patched for the first time, a
243
+
function specific struct klp_ops is created and an universal ftrace handler
244
+
is registered.
245
+
246
+
Functions might be patched multiple times. The ftrace handler is registered
247
+
only once for the given function. Further patches just add an entry to the
248
+
list (see field `func_stack`) of the struct klp_ops. The last added
249
+
entry is chosen by the ftrace handler and becomes the active function
250
+
replacement.
251
+
252
+
Note that the patches might be enabled in a different order than they were
253
+
registered.
254
+
255
+
256
+
5.3. Disabling
257
+
--------------
258
+
259
+
Enabled patches might get disabled either by calling klp_disable_patch() or
260
+
by writing '0' to /sys/kernel/livepatch/<name>/enabled. At this stage
261
+
either the code from the previously enabled patch or even the original
262
+
code gets used.
263
+
264
+
Here all the functions (struct klp_func) associated with the to-be-disabled
265
+
patch are removed from the corresponding struct klp_ops. The ftrace handler
266
+
is unregistered and the struct klp_ops is freed when the func_stack list
267
+
becomes empty.
268
+
269
+
Patches must be disabled in exactly the reverse order in which they were
270
+
enabled. It makes the problem and the implementation much easier.
271
+
272
+
273
+
5.4. Unregistration
274
+
-------------------
275
+
276
+
Disabled patches might be unregistered by calling klp_unregister_patch().
277
+
This can be done only when the patch is disabled and the code is no longer
278
+
used. It must be called before the livepatch module gets unloaded.
279
+
280
+
At this stage, all the relevant sys-fs entries are removed and the patch
281
+
is removed from the list of known patches.
282
+
283
+
284
+
6. Sysfs
285
+
========
286
+
287
+
Information about the registered patches can be found under
288
+
/sys/kernel/livepatch. The patches could be enabled and disabled
289
+
by writing there.
290
+
291
+
See Documentation/ABI/testing/sysfs-kernel-livepatch for more details.
292
+
293
+
294
+
7. Limitations
295
+
==============
296
+
297
+
The current Livepatch implementation has several limitations:
298
+
299
+
300
+
+ The patch must not change the semantic of the patched functions.
301
+
302
+
The current implementation guarantees only that either the old
303
+
or the new function is called. The functions are patched one
304
+
by one. It means that the patch must _not_ change the semantic
305
+
of the function.
306
+
307
+
308
+
+ Data structures can not be patched.
309
+
310
+
There is no support to version data structures or anyhow migrate
311
+
one structure into another. Also the simple consistency model does
312
+
not allow to switch more functions atomically.
313
+
314
+
Once there is more complex consistency mode, it will be possible to
315
+
use some workarounds. For example, it will be possible to use a hole
316
+
for a new member because the data structure is aligned. Or it will
317
+
be possible to use an existing member for something else.
318
+
319
+
There are no plans to add more generic support for modified structures
320
+
at the moment.
321
+
322
+
323
+
+ Only functions that can be traced could be patched.
324
+
325
+
Livepatch is based on the dynamic ftrace. In particular, functions
326
+
implementing ftrace or the livepatch ftrace handler could not be
327
+
patched. Otherwise, the code would end up in an infinite loop. A
328
+
potential mistake is prevented by marking the problematic functions
329
+
by "notrace".
330
+
331
+
332
+
+ Anything inlined into __schedule() can not be patched.
333
+
334
+
The switch_to macro is inlined into __schedule(). It switches the
335
+
context between two processes in the middle of the macro. It does
336
+
not save RIP in x86_64 version (contrary to 32-bit version). Instead,
337
+
the currently used __schedule()/switch_to() handles both processes.
338
+
339
+
Now, let's have two different tasks. One calls the original
340
+
__schedule(), its registers are stored in a defined order and it
341
+
goes to sleep in the switch_to macro and some other task is restored
342
+
using the original __schedule(). Then there is the second task which
343
+
calls patched__schedule(), it goes to sleep there and the first task
344
+
is picked by the patched__schedule(). Its RSP is restored and now
345
+
the registers should be restored as well. But the order is different
346
+
in the new patched__schedule(), so...
347
+
348
+
There is work in progress to remove this limitation.
349
+
350
+
351
+
+ Livepatch modules can not be removed.
352
+
353
+
The current implementation just redirects the functions at the very
354
+
beginning. It does not check if the functions are in use. In other
355
+
words, it knows when the functions get called but it does not
356
+
know when the functions return. Therefore it can not decide when
357
+
the livepatch module can be safely removed.
358
+
359
+
This will get most likely solved once a more complex consistency model
360
+
is supported. The idea is that a safe state for patching should also
361
+
mean a safe state for removing the patch.
362
+
363
+
Note that the patch itself might get disabled by writing zero
364
+
to /sys/kernel/livepatch/<patch>/enabled. It causes that the new
365
+
code will not longer get called. But it does not guarantee
366
+
that anyone is not sleeping anywhere in the new code.
367
+
368
+
369
+
+ Livepatch works reliably only when the dynamic ftrace is located at
370
+
the very beginning of the function.
371
+
372
+
The function need to be redirected before the stack or the function
373
+
parameters are modified in any way. For example, livepatch requires
374
+
using -fentry gcc compiler option on x86_64.
375
+
376
+
One exception is the PPC port. It uses relative addressing and TOC.
377
+
Each function has to handle TOC and save LR before it could call
378
+
the ftrace handler. This operation has to be reverted on return.
379
+
Fortunately, the generic ftrace code has the same problem and all
380
+
this is is handled on the ftrace level.
381
+
382
+
383
+
+ Kretprobes using the ftrace framework conflict with the patched
384
+
functions.
385
+
386
+
Both kretprobes and livepatches use a ftrace handler that modifies
387
+
the return address. The first user wins. Either the probe or the patch
388
+
is rejected when the handler is already in use by the other.
389
+
390
+
391
+
+ Kprobes in the original function are ignored when the code is
392
+
redirected to the new implementation.
393
+
394
+
There is a work in progress to add warnings about this situation.
+1
MAINTAINERS
+1
MAINTAINERS
···
6605
6605
F: include/linux/livepatch.h
6606
6606
F: arch/x86/include/asm/livepatch.h
6607
6607
F: arch/x86/kernel/livepatch.c
6608
+
F: Documentation/livepatch/
6608
6609
F: Documentation/ABI/testing/sysfs-kernel-livepatch
6609
6610
F: samples/livepatch/
6610
6611
L: live-patching@vger.kernel.org