| ========= |
| Livepatch |
| ========= |
| |
| This document outlines basic information about kernel livepatching. |
| |
| Table of Contents: |
| |
| 1. Motivation |
| 2. Kprobes, Ftrace, Livepatching |
| 3. Consistency model |
| 4. Livepatch module |
| 4.1. New functions |
| 4.2. Metadata |
| 4.3. Livepatch module handling |
| 5. Livepatch life-cycle |
| 5.1. Registration |
| 5.2. Enabling |
| 5.3. Disabling |
| 5.4. Unregistration |
| 6. Sysfs |
| 7. Limitations |
| |
| |
| 1. Motivation |
| ============= |
| |
| There are many situations where users are reluctant to reboot a system. It may |
| be because their system is performing complex scientific computations or under |
| heavy load during peak usage. In addition to keeping systems up and running, |
| users want to also have a stable and secure system. Livepatching gives users |
| both by allowing for function calls to be redirected; thus, fixing critical |
| functions without a system reboot. |
| |
| |
| 2. Kprobes, Ftrace, Livepatching |
| ================================ |
| |
| There are multiple mechanisms in the Linux kernel that are directly related |
| to redirection of code execution; namely: kernel probes, function tracing, |
| and livepatching: |
| |
| + The kernel probes are the most generic. The code can be redirected by |
| putting a breakpoint instruction instead of any instruction. |
| |
| + The function tracer calls the code from a predefined location that is |
| close to the function entry point. This location is generated by the |
| compiler using the '-pg' gcc option. |
| |
| + Livepatching typically needs to redirect the code at the very beginning |
| of the function entry before the function parameters or the stack |
| are in any way modified. |
| |
| All three approaches need to modify the existing code at runtime. Therefore |
| they need to be aware of each other and not step over each other's toes. |
| Most of these problems are solved by using the dynamic ftrace framework as |
| a base. A Kprobe is registered as a ftrace handler when the function entry |
| is probed, see CONFIG_KPROBES_ON_FTRACE. Also an alternative function from |
| a live patch is called with the help of a custom ftrace handler. But there are |
| some limitations, see below. |
| |
| |
| 3. Consistency model |
| ==================== |
| |
| Functions are there for a reason. They take some input parameters, get or |
| release locks, read, process, and even write some data in a defined way, |
| have return values. In other words, each function has a defined semantic. |
| |
| Many fixes do not change the semantic of the modified functions. For |
| example, they add a NULL pointer or a boundary check, fix a race by adding |
| a missing memory barrier, or add some locking around a critical section. |
| Most of these changes are self contained and the function presents itself |
| the same way to the rest of the system. In this case, the functions might |
| be updated independently one by one. |
| |
| But there are more complex fixes. For example, a patch might change |
| ordering of locking in multiple functions at the same time. Or a patch |
| might exchange meaning of some temporary structures and update |
| all the relevant functions. In this case, the affected unit |
| (thread, whole kernel) need to start using all new versions of |
| the functions at the same time. Also the switch must happen only |
| when it is safe to do so, e.g. when the affected locks are released |
| or no data are stored in the modified structures at the moment. |
| |
| The theory about how to apply functions a safe way is rather complex. |
| The aim is to define a so-called consistency model. It attempts to define |
| conditions when the new implementation could be used so that the system |
| stays consistent. The theory is not yet finished. See the discussion at |
| https://lkml.kernel.org/r/20141107140458.GA21774@suse.cz |
| |
| The current consistency model is very simple. It guarantees that either |
| the old or the new function is called. But various functions get redirected |
| one by one without any synchronization. |
| |
| In other words, the current implementation _never_ modifies the behavior |
| in the middle of the call. It is because it does _not_ rewrite the entire |
| function in the memory. Instead, the function gets redirected at the |
| very beginning. But this redirection is used immediately even when |
| some other functions from the same patch have not been redirected yet. |
| |
| See also the section "Limitations" below. |
| |
| |
| 4. Livepatch module |
| =================== |
| |
| Livepatches are distributed using kernel modules, see |
| samples/livepatch/livepatch-sample.c. |
| |
| The module includes a new implementation of functions that we want |
| to replace. In addition, it defines some structures describing the |
| relation between the original and the new implementation. Then there |
| is code that makes the kernel start using the new code when the livepatch |
| module is loaded. Also there is code that cleans up before the |
| livepatch module is removed. All this is explained in more details in |
| the next sections. |
| |
| |
| 4.1. New functions |
| ------------------ |
| |
| New versions of functions are typically just copied from the original |
| sources. A good practice is to add a prefix to the names so that they |
| can be distinguished from the original ones, e.g. in a backtrace. Also |
| they can be declared as static because they are not called directly |
| and do not need the global visibility. |
| |
| The patch contains only functions that are really modified. But they |
| might want to access functions or data from the original source file |
| that may only be locally accessible. This can be solved by a special |
| relocation section in the generated livepatch module, see |
| Documentation/livepatch/module-elf-format.txt for more details. |
| |
| |
| 4.2. Metadata |
| ------------ |
| |
| The patch is described by several structures that split the information |
| into three levels: |
| |
| + struct klp_func is defined for each patched function. It describes |
| the relation between the original and the new implementation of a |
| particular function. |
| |
| The structure includes the name, as a string, of the original function. |
| The function address is found via kallsyms at runtime. |
| |
| Then it includes the address of the new function. It is defined |
| directly by assigning the function pointer. Note that the new |
| function is typically defined in the same source file. |
| |
| As an optional parameter, the symbol position in the kallsyms database can |
| be used to disambiguate functions of the same name. This is not the |
| absolute position in the database, but rather the order it has been found |
| only for a particular object ( vmlinux or a kernel module ). Note that |
| kallsyms allows for searching symbols according to the object name. |
| |
| + struct klp_object defines an array of patched functions (struct |
| klp_func) in the same object. Where the object is either vmlinux |
| (NULL) or a module name. |
| |
| The structure helps to group and handle functions for each object |
| together. Note that patched modules might be loaded later than |
| the patch itself and the relevant functions might be patched |
| only when they are available. |
| |
| |
| + struct klp_patch defines an array of patched objects (struct |
| klp_object). |
| |
| This structure handles all patched functions consistently and eventually, |
| synchronously. The whole patch is applied only when all patched |
| symbols are found. The only exception are symbols from objects |
| (kernel modules) that have not been loaded yet. Also if a more complex |
| consistency model is supported then a selected unit (thread, |
| kernel as a whole) will see the new code from the entire patch |
| only when it is in a safe state. |
| |
| |
| 4.3. Livepatch module handling |
| ------------------------------ |
| |
| The usual behavior is that the new functions will get used when |
| the livepatch module is loaded. For this, the module init() function |
| has to register the patch (struct klp_patch) and enable it. See the |
| section "Livepatch life-cycle" below for more details about these |
| two operations. |
| |
| Module removal is only safe when there are no users of the underlying |
| functions. The immediate consistency model is not able to detect this; |
| therefore livepatch modules cannot be removed. See "Limitations" below. |
| |
| 5. Livepatch life-cycle |
| ======================= |
| |
| Livepatching defines four basic operations that define the life cycle of each |
| live patch: registration, enabling, disabling and unregistration. There are |
| several reasons why it is done this way. |
| |
| First, the patch is applied only when all patched symbols for already |
| loaded objects are found. The error handling is much easier if this |
| check is done before particular functions get redirected. |
| |
| Second, the immediate consistency model does not guarantee that anyone is not |
| sleeping in the new code after the patch is reverted. This means that the new |
| code needs to stay around "forever". If the code is there, one could apply it |
| again. Therefore it makes sense to separate the operations that might be done |
| once and those that need to be repeated when the patch is enabled (applied) |
| again. |
| |
| Third, it might take some time until the entire system is migrated |
| when a more complex consistency model is used. The patch revert might |
| block the livepatch module removal for too long. Therefore it is useful |
| to revert the patch using a separate operation that might be called |
| explicitly. But it does not make sense to remove all information |
| until the livepatch module is really removed. |
| |
| |
| 5.1. Registration |
| ----------------- |
| |
| Each patch first has to be registered using klp_register_patch(). This makes |
| the patch known to the livepatch framework. Also it does some preliminary |
| computing and checks. |
| |
| In particular, the patch is added into the list of known patches. The |
| addresses of the patched functions are found according to their names. |
| The special relocations, mentioned in the section "New functions", are |
| applied. The relevant entries are created under |
| /sys/kernel/livepatch/<name>. The patch is rejected when any operation |
| fails. |
| |
| |
| 5.2. Enabling |
| ------------- |
| |
| Registered patches might be enabled either by calling klp_enable_patch() or |
| by writing '1' to /sys/kernel/livepatch/<name>/enabled. The system will |
| start using the new implementation of the patched functions at this stage. |
| |
| In particular, if an original function is patched for the first time, a |
| function specific struct klp_ops is created and an universal ftrace handler |
| is registered. |
| |
| Functions might be patched multiple times. The ftrace handler is registered |
| only once for the given function. Further patches just add an entry to the |
| list (see field `func_stack`) of the struct klp_ops. The last added |
| entry is chosen by the ftrace handler and becomes the active function |
| replacement. |
| |
| Note that the patches might be enabled in a different order than they were |
| registered. |
| |
| |
| 5.3. Disabling |
| -------------- |
| |
| Enabled patches might get disabled either by calling klp_disable_patch() or |
| by writing '0' to /sys/kernel/livepatch/<name>/enabled. At this stage |
| either the code from the previously enabled patch or even the original |
| code gets used. |
| |
| Here all the functions (struct klp_func) associated with the to-be-disabled |
| patch are removed from the corresponding struct klp_ops. The ftrace handler |
| is unregistered and the struct klp_ops is freed when the func_stack list |
| becomes empty. |
| |
| Patches must be disabled in exactly the reverse order in which they were |
| enabled. It makes the problem and the implementation much easier. |
| |
| |
| 5.4. Unregistration |
| ------------------- |
| |
| Disabled patches might be unregistered by calling klp_unregister_patch(). |
| This can be done only when the patch is disabled and the code is no longer |
| used. It must be called before the livepatch module gets unloaded. |
| |
| At this stage, all the relevant sys-fs entries are removed and the patch |
| is removed from the list of known patches. |
| |
| |
| 6. Sysfs |
| ======== |
| |
| Information about the registered patches can be found under |
| /sys/kernel/livepatch. The patches could be enabled and disabled |
| by writing there. |
| |
| See Documentation/ABI/testing/sysfs-kernel-livepatch for more details. |
| |
| |
| 7. Limitations |
| ============== |
| |
| The current Livepatch implementation has several limitations: |
| |
| |
| + The patch must not change the semantic of the patched functions. |
| |
| The current implementation guarantees only that either the old |
| or the new function is called. The functions are patched one |
| by one. It means that the patch must _not_ change the semantic |
| of the function. |
| |
| |
| + Data structures can not be patched. |
| |
| There is no support to version data structures or anyhow migrate |
| one structure into another. Also the simple consistency model does |
| not allow to switch more functions atomically. |
| |
| Once there is more complex consistency mode, it will be possible to |
| use some workarounds. For example, it will be possible to use a hole |
| for a new member because the data structure is aligned. Or it will |
| be possible to use an existing member for something else. |
| |
| There are no plans to add more generic support for modified structures |
| at the moment. |
| |
| |
| + Only functions that can be traced could be patched. |
| |
| Livepatch is based on the dynamic ftrace. In particular, functions |
| implementing ftrace or the livepatch ftrace handler could not be |
| patched. Otherwise, the code would end up in an infinite loop. A |
| potential mistake is prevented by marking the problematic functions |
| by "notrace". |
| |
| |
| + Livepatch modules can not be removed. |
| |
| The current implementation just redirects the functions at the very |
| beginning. It does not check if the functions are in use. In other |
| words, it knows when the functions get called but it does not |
| know when the functions return. Therefore it can not decide when |
| the livepatch module can be safely removed. |
| |
| This will get most likely solved once a more complex consistency model |
| is supported. The idea is that a safe state for patching should also |
| mean a safe state for removing the patch. |
| |
| Note that the patch itself might get disabled by writing zero |
| to /sys/kernel/livepatch/<patch>/enabled. It causes that the new |
| code will not longer get called. But it does not guarantee |
| that anyone is not sleeping anywhere in the new code. |
| |
| |
| + Livepatch works reliably only when the dynamic ftrace is located at |
| the very beginning of the function. |
| |
| The function need to be redirected before the stack or the function |
| parameters are modified in any way. For example, livepatch requires |
| using -fentry gcc compiler option on x86_64. |
| |
| One exception is the PPC port. It uses relative addressing and TOC. |
| Each function has to handle TOC and save LR before it could call |
| the ftrace handler. This operation has to be reverted on return. |
| Fortunately, the generic ftrace code has the same problem and all |
| this is handled on the ftrace level. |
| |
| |
| + Kretprobes using the ftrace framework conflict with the patched |
| functions. |
| |
| Both kretprobes and livepatches use a ftrace handler that modifies |
| the return address. The first user wins. Either the probe or the patch |
| is rejected when the handler is already in use by the other. |
| |
| |
| + Kprobes in the original function are ignored when the code is |
| redirected to the new implementation. |
| |
| There is a work in progress to add warnings about this situation. |