
Re: Debian live kernel patching infra



On 12-04-16 16:56, Ben Hutchings wrote:
> On Mon, 2016-03-14 at 14:43 +0100, Herman van Rink wrote:
>> Hi,
>>
>> Is anyone working on live kernel patching in Debian?
>>
>> I'm a bit surprised to see so little public speak about such a nice
>> looking feature.
> Not all the necessary infrastructure is even present upstream yet.  You
> can load and apply patches, but it isn't yet possible to do so safely.
>
> In order to apply live patches safely, it is necessary either to
> quiesce all tasks running in the kernel (which turns out to be
> impractical) or to have a transitional period where both old and new
> code are in use and each task switches to using the new code only after
> it reaches a suitable point in execution.
>
> Red Hat and SUSE both worked on this as part of their own live patching
> systems, and this patch series is supposed to bring that work upstream:
> <https://lwn.net/Articles/681486/>.  But as you can see there is still
> some way to go before this can be applied.
>
>> I think it would be a tremendous asset for Debian to be able to offer
>> live kernel updates through the security infrastructure.
>>
>> I get the idea that the tools to patch a kernel are stabilizing.
>> To make it available to anyone the Debian security team would need to
>> prepare a patch for each of the previous kernels and have some
>> infrastructure to deliver it to end users.
> I think it would be a stretch (no pun intended) to support any kernel
> version older than the previous two point releases.  So if we were in a
> position to do live patches in jessie now, you would be able to apply
> them to these base kernel versions:
>
> - 3.16.7-ckt25-{1,2}
> - 3.16.7-ckt20-1{,+deb8u{1,2,3,4}}
>
> but not anything older.

Sure, we must be able to come up with a sensible guideline on what users
can expect.
The postinstall script could check if the running version is patchable
and otherwise warn the user.

>> As the patches are available to the team the challenge would be to get a
>> tool set for them to make it easy/manageable.
>>
>> I assume that we could distribute the patches as a deb package. Maybe
>> one -livepatches package which gets updated after each CVE.
> To the extent that I had thought about this, I was expecting live
> patches to be bundled in the linux-image package.  A single extra
> package (per supported flavour) of patches would also work but makes it
> less likely that users install it.

Sure, I was worried that a single package might get too large/complex...
whatever is easiest to maintain.

>> I'd like to get the ball rolling on this.
>>
>> I personally would be willing to help test this and donate some cash to get
>> this for the community.
>> I imagine that more businesses would be willing to chip in.
> I appreciate this, but I think it may still be too early to work on the
> Debian integration.  

I agree that a good consistency model is essential, but it should not
stop us from already planning for the needed Debian integration.

> Are you also willing to sponsor work on testing
> and completing the upstream live patch code?

Is there a tip jar?

-- 

Met vriendelijke groet / Regards,

Herman van Rink
Initfour websolutions
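The postinst check sketched above (warn when the running kernel is not one of the patchable base versions) as an added shell example; it is not code from this thread or from any Debian package. The version list is expanded from the two brace patterns Ben quoted for jessie, the package and script names are invented, and the parser assumes the Debian kernel banner as printed by `uname -v` ("#1 SMP Debian 3.16.7-ckt25-2 (2016-04-08)").

```shell
#!/bin/sh
# Added example: postinst-style check for a hypothetical linux-livepatch
# package. Nothing here comes from Debian's archive.

# Base kernel versions the hypothetical live patch set was built against.
# Expanded from the thread's list: 3.16.7-ckt25-{1,2} and
# 3.16.7-ckt20-1{,+deb8u{1,2,3,4}}.
PATCHABLE_VERSIONS="
3.16.7-ckt25-1
3.16.7-ckt25-2
3.16.7-ckt20-1
3.16.7-ckt20-1+deb8u1
3.16.7-ckt20-1+deb8u2
3.16.7-ckt20-1+deb8u3
3.16.7-ckt20-1+deb8u4
"

# Return 0 if the given Debian kernel package version is in the list, else 1.
# Exact string comparison on purpose: a live patch is built against one
# specific kernel binary, so a "nearly the same" version must be refused.
is_patchable() {
    needle="$1"
    for v in $PATCHABLE_VERSIONS; do
        [ "$v" = "$needle" ] && return 0
    done
    return 1
}

# Extract the Debian package version from a kernel version banner.
# $1 is the banner text (what `uname -v` prints on a Debian kernel; assumed
# format "#1 SMP Debian <version> (<date>)"). Passing the banner as an
# argument keeps the function testable without a Debian host.
running_kernel_version() {
    printf '%s\n' "$1" | sed -n 's/.* Debian \([^ ]*\) (.*/\1/p'
}

# What the postinst would actually call: read the live banner, look it up,
# and warn (non-fatally for the package install) when it is not covered.
check_running_kernel() {
    ver=$(running_kernel_version "$(uname -v)")
    if [ -n "$ver" ] && is_patchable "$ver"; then
        return 0
    fi
    echo "warning: running kernel '${ver:-unknown}' is not covered by this live patch set" >&2
    return 1
}

# In a real postinst the last line would simply be: check_running_kernel
```

The version list is data the package would carry, so it has to be regenerated (and the package rebuilt) every time the set of supported base kernels changes; that is the maintenance cost the thread is weighing between a bundled-in-linux-image approach and a separate -livepatches package.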


