Changes in Makefile

73727f4d - livepatch: Basic API to track system state changes

Wed, 30 Oct 2019 15:43:10 +0000

livepatch: Basic API to track system state changesThis is another step how to help maintaining more livepatches.One big help was the atomic replace and cumulative livepatches. Theselivepatches replace the already installed ones. Therefore it shouldbe enough when each cumulative livepatch is consistent.The problems might come with shadow variables and callbacks. They mightchange the system behavior or state so that it is no longer safe togo back and use an older livepatch or the original kernel code. Also,a new livepatch must be able to detect changes which were made bythe already installed livepatches.This is where the livepatch system state tracking gets useful. Itallows to: - find whether a system state has already been modified by previous livepatches - store data needed to manipulate and restore the system stateThe information about the manipulated system states is stored in anarray of struct klp_state. It can be searched by two new functionsklp_get_state() and klp_get_prev_state().The dependencies are going to be solved by a version field added later.The only important information is that it will be allowed to modifythe same state by more non-cumulative livepatches. It is similarto allowing to modify the same function several times. The livepatchauthor is responsible for preventing incompatible changes.Link: http://lkml.kernel.org/r/20191030154313.13263-3-pmladek@suse.comTo: Jiri Kosina Cc: Kamalesh Babulal Cc: Nicolai Stange Cc: live-patching@vger.kernel.orgCc: linux-kernel@vger.kernel.orgAcked-by: Miroslav Benes Acked-by: Joe Lawrence Acked-by: Josh Poimboeuf Signed-off-by: Petr Mladek List of files: /linux-6.15/kernel/livepatch/Makefile

ec8f24b7 - treewide: Add SPDX license identifier - Makefile/Kconfig

Sun, 19 May 2019 12:07:45 +0000

treewide: Add SPDX license identifier - Makefile/KconfigAdd SPDX license identifiers to all Make/Kconfig files which: - Have no license information of any formThese files fall under the project license, GPL v2 only. The resulting SPDXlicense identifier is: GPL-2.0-onlySigned-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman List of files: /linux-6.15/kernel/livepatch/Makefile

439e7271 - livepatch: introduce shadow variable API

Thu, 31 Aug 2017 20:37:41 +0000

livepatch: introduce shadow variable APIAdd exported API for livepatch modules: klp_shadow_get() klp_shadow_alloc() klp_shadow_get_or_alloc() klp_shadow_free() klp_shadow_free_all()that implement "shadow" variables, which allow callers to associate newshadow fields to existing data structures. This is intended to be usedby livepatch modules seeking to emulate additions to data structuredefinitions.See Documentation/livepatch/shadow-vars.txt for a summary of the newshadow variable API, including a few common use cases.See samples/livepatch/livepatch-shadow-* for example modules thatdemonstrate shadow variables.[jkosina@suse.cz: fix __klp_shadow_get_or_alloc() comment as spotted by Josh]Signed-off-by: Joe Lawrence Acked-by: Josh Poimboeuf Acked-by: Miroslav Benes Signed-off-by: Jiri Kosina List of files: /linux-6.15/kernel/livepatch/Makefile

d83a7cb3 - livepatch: change to a per-task consistency model

Tue, 14 Feb 2017 01:42:40 +0000

livepatch: change to a per-task consistency modelChange livepatch to use a basic per-task consistency model. This is thefoundation which will eventually enable us to patch those ~10% ofsecurity patches which change function or data semantics. This is thebiggest remaining piece needed to make livepatch more generally useful.This code stems from the design proposal made by Vojtech [1] in November2014. It's a hybrid of kGraft and kpatch: it uses kGraft's per-taskconsistency and syscall barrier switching combined with kpatch's stacktrace switching. There are also a number of fallback options which makeit quite flexible.Patches are applied on a per-task basis, when the task is deemed safe toswitch over. When a patch is enabled, livepatch enters into atransition state where tasks are converging to the patched state.Usually this transition state can complete in a few seconds. The samesequence occurs when a patch is disabled, except the tasks converge fromthe patched state to the unpatched state.An interrupt handler inherits the patched state of the task itinterrupts. The same is true for forked tasks: the child inherits thepatched state of the parent.Livepatch uses several complementary approaches to determine when it'ssafe to patch tasks:1. The first and most effective approach is stack checking of sleeping tasks. If no affected functions are on the stack of a given task, the task is patched. In most cases this will patch most or all of the tasks on the first try. Otherwise it'll keep trying periodically. This option is only available if the architecture has reliable stacks (HAVE_RELIABLE_STACKTRACE).2. The second approach, if needed, is kernel exit switching. A task is switched when it returns to user space from a system call, a user space IRQ, or a signal. It's useful in the following cases: a) Patching I/O-bound user tasks which are sleeping on an affected function. In this case you have to send SIGSTOP and SIGCONT to force it to exit the kernel and be patched. b) Patching CPU-bound user tasks. If the task is highly CPU-bound then it will get patched the next time it gets interrupted by an IRQ. c) In the future it could be useful for applying patches for architectures which don't yet have HAVE_RELIABLE_STACKTRACE. In this case you would have to signal most of the tasks on the system. However this isn't supported yet because there's currently no way to patch kthreads without HAVE_RELIABLE_STACKTRACE.3. For idle "swapper" tasks, since they don't ever exit the kernel, they instead have a klp_update_patch_state() call in the idle loop which allows them to be patched before the CPU enters the idle state. (Note there's not yet such an approach for kthreads.)All the above approaches may be skipped by setting the 'immediate' flagin the 'klp_patch' struct, which will disable per-task consistency andpatch all tasks immediately. This can be useful if the patch doesn'tchange any function or data semantics. Note that, even with this flagset, it's possible that some tasks may still be running with an oldversion of the function, until that function returns.There's also an 'immediate' flag in the 'klp_func' struct which allowsyou to specify that certain functions in the patch can be appliedwithout per-task consistency. This might be useful if you want to patcha common function like schedule(), and the function change doesn't needconsistency but the rest of the patch does.For architectures which don't have HAVE_RELIABLE_STACKTRACE, the usermust set patch->immediate which causes all tasks to be patchedimmediately. This option should be used with care, only when the patchdoesn't change any function or data semantics.In the future, architectures which don't have HAVE_RELIABLE_STACKTRACEmay be allowed to use per-task consistency if we can come up withanother way to patch kthreads.The /sys/kernel/livepatch//transition file shows whether a patchis in transition. Only a single patch (the topmost patch on the stack)can be in transition at a given time. A patch can remain in transitionindefinitely, if any of the tasks are stuck in the initial patch state.A transition can be reversed and effectively canceled by writing theopposite value to the /sys/kernel/livepatch//enabled file whilethe transition is in progress. Then all the tasks will attempt toconverge back to the original patch state.[1] https://lkml.kernel.org/r/20141107140458.GA21774@suse.czSigned-off-by: Josh Poimboeuf Acked-by: Miroslav Benes Acked-by: Ingo Molnar # for the scheduler changesSigned-off-by: Jiri Kosina List of files: /linux-6.15/kernel/livepatch/Makefile

c349cdca - livepatch: move patching functions into patch.c

Tue, 14 Feb 2017 01:42:37 +0000

livepatch: move patching functions into patch.cMove functions related to the actual patching of functions and objectsinto a new patch.c file.Signed-off-by: Josh Poimboeuf Acked-by: Miroslav Benes Reviewed-by: Petr Mladek Reviewed-by: Kamalesh Babulal Signed-off-by: Jiri Kosina List of files: /linux-6.15/kernel/livepatch/Makefile

12cf89b5 - livepatch: rename config to CONFIG_LIVEPATCH

Tue, 03 Feb 2015 22:45:18 +0000

livepatch: rename config to CONFIG_LIVEPATCHRename CONFIG_LIVE_PATCHING to CONFIG_LIVEPATCH to make the naming ofthe config and the code more consistent.Signed-off-by: Josh Poimboeuf Reviewed-by: Jingoo Han Signed-off-by: Jiri Kosina List of files: /linux-6.15/kernel/livepatch/Makefile

b700e7f0 - livepatch: kernel: add support for live patching

Tue, 16 Dec 2014 17:58:19 +0000

livepatch: kernel: add support for live patchingThis commit introduces code for the live patching core. It implementsan ftrace-based mechanism and kernel interface for doing live patchingof kernel and kernel module functions.It represents the greatest common functionality set between kpatch andkgraft and can accept patches built using either method.This first version does not implement any consistency mechanism thatensures that old and new code do not run together. In practice, ~90% ofCVEs are safe to apply in this way, since they simply add a conditionalcheck. However, any function change that can not execute safely withthe old version of the function can _not_ be safely applied in thisversion.[ jkosina@suse.cz: due to the number of contributions that got folded into this original patch from Seth Jennings, add SUSE's copyright as well, as discussed via e-mail ]Signed-off-by: Seth Jennings Signed-off-by: Josh Poimboeuf Reviewed-by: Miroslav Benes Reviewed-by: Petr Mladek Reviewed-by: Masami Hiramatsu Signed-off-by: Miroslav Benes Signed-off-by: Petr Mladek Signed-off-by: Jiri Kosina List of files: /linux-6.15/kernel/livepatch/Makefile