
Re: Debian live kernel patching infra



On Mon, 2016-03-14 at 14:43 +0100, Herman van Rink wrote:
> Hi,
> 
> Is anyone working on live kernel patching in Debian?
> 
> I'm a bit surprised to see so little public speak about such a nice
> looking feature.

Not all the necessary infrastructure is even present upstream yet.  You
can load and apply patches, but it isn't yet possible to do so safely.

In order to apply live patches safely, it is necessary either to
quiesce all tasks running in the kernel (which turns out to be
impractical) or to have a transitional period where both old and new
code are in use and each task switches to using the new code only after
it reaches a suitable point in execution.

Red Hat and SUSE both worked on this as part of their own live patching
systems, and this patch series is supposed to bring that work upstream:
<https://lwn.net/Articles/681486/>.  But as you can see there is still
some way to go before this can be applied.

> I think it would be a tremendous asset for Debian to be able to offer
> live kernel updates through the security infrastructure.
> 
> I get the idea that the tools to patch a kernel are stabilizing.
> To make it available to anyone the Debian security team would need to
> prepare a patch for each of the previous kernels and have some
> infrastructure to deliver it to end users.

I think it would be a stretch (no pun intended) to support any kernel
version older than the previous two point releases.  So if we were in a
position to do live patches in jessie now, you would be able to apply
them to these base kernel versions:

- 3.16.7-ckt25-{1,2}
- 3.16.7-ckt20-1{,+deb8u{1,2,3,4}}

but not anything older.

> As the patches are available to the team the challenge would be to get a
> tool set for them to make it easy/manageable.
> 
> I assume that we could distribute the patches as a deb package. Maybe
> one -livepatches package which gets updated after each CVE.

To the extent that I had thought about this, I was expecting live
patches to be bundled in the linux-image package.  A single extra
package (per supported flavour) of patches would also work but makes it
less likely that users install it.

> I'd like to get the ball rolling on this.
> 
> I personally would be willing to help test this and donate some cash to get
> this for the community.
> I imagine that more businesses would be willing to chip in.

I appreciate this, but I think it may still be too early to work on the
Debian integration.  Are you also willing to sponsor work on testing
and completing the upstream live patch code?

Ben.

-- 
Ben Hutchings
This sentence contradicts itself - no actually it doesn't.
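To make the "transitional period" Ben describes concrete, here is a toy model, added to this page as an illustration and not code from the email, from Debian or from the Linux kernel's livepatch implementation. Both the old and new versions of a hypothetical patched function stay resident, a dispatcher picks one per task, and a task flips to the new code only when it hits a safe point with no live frame of the old function. The task names, the `compute_*` functions and the notion of a single `in_patched_fn` flag are all constructed simplifications; a real implementation has to inspect each task's stack to decide this, which is the part the email says is still being worked out upstream.

```c
/* Toy per-task consistency model for live patching.  Constructed example,
 * not kernel code: a real implementation must walk each task's stack. */
#include <stdbool.h>
#include <stdio.h>

enum impl { IMPL_OLD, IMPL_NEW };

struct task {
    const char *name;
    enum impl   impl;           /* which implementation this task uses */
    bool        in_patched_fn;  /* true while an old frame is live on its stack */
};

static bool transition_active;  /* a patch is being applied */
static int  tasks_pending;      /* tasks that have not switched yet */

/* Hypothetical patched function: old version mishandles negative input. */
static int compute_old(int x) { return x * 2; }
static int compute_new(int x) { return x < 0 ? 0 : x * 2; }

/* Dispatcher standing in for the redirection hook: per-task choice. */
static int compute(struct task *t, int x) {
    return t->impl == IMPL_NEW ? compute_new(x) : compute_old(x);
}

/* Begin a transition: every task starts on the old code. */
static void patch_start(struct task *tasks, int n) {
    transition_active = true;
    tasks_pending = 0;
    for (int i = 0; i < n; i++) {
        tasks[i].impl = IMPL_OLD;
        tasks_pending++;
    }
}

/* Called when a task reaches a safe point (e.g. about to return to
 * userspace).  It may switch only if no old frame is still live. */
static bool task_reached_safe_point(struct task *t) {
    if (!transition_active || t->impl == IMPL_NEW) return false;
    if (t->in_patched_fn) return false;      /* old frame live: not safe yet */
    t->impl = IMPL_NEW;
    if (--tasks_pending == 0) transition_active = false;  /* patch complete */
    return true;
}

static bool patch_complete(void) { return !transition_active; }

struct sim_result { int rounds; int result_old_task; int result_new_task; };

/* Scenario: three tasks, B is asleep inside the patched function when the
 * transition starts, so it lags one round behind A and C. */
struct sim_result simulate(void) {
    struct task tasks[3] = {
        {"A", IMPL_OLD, false},
        {"B", IMPL_OLD, true},
        {"C", IMPL_OLD, false},
    };
    struct sim_result r = {0, 0, 0};
    patch_start(tasks, 3);

    /* Round 1: A and C hit safe points and switch; B cannot yet. */
    r.rounds = 1;
    for (int i = 0; i < 3; i++) task_reached_safe_point(&tasks[i]);

    /* Mid-transition: A already runs new code while B still runs old. */
    r.result_new_task = compute(&tasks[0], -1);   /* 0 */
    r.result_old_task = compute(&tasks[1], -1);   /* -2 */

    /* B returns from the patched function; round 2 lets it switch. */
    tasks[1].in_patched_fn = false;
    r.rounds = 2;
    task_reached_safe_point(&tasks[1]);
    if (!patch_complete()) r.rounds = -1;          /* must not happen here */
    return r;
}

int main(void) {
    struct sim_result r = simulate();
    printf("rounds=%d old_task=%d new_task=%d complete=%d\n",
           r.rounds, r.result_old_task, r.result_new_task, patch_complete());
    return 0;
}
```

The point of the mid-transition readout is the one Ben raises: for as long as task B has an old frame live, two tasks calling the same function get different behaviour, which is exactly why a patch cannot simply be declared applied the moment it is loaded.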
