Upstream Live Patching -- Are We There Yet? | SUSE Communities

Upstream Live Patching — Are We There Yet?


Year 2014. SUSE and Red Hat submit their live patching solutions to upstream — kGraft and kpatch. A discussion between developers on a common implementation takes place at Linux Plumbers conference in Dusseldorf.

Year 2015. Linus Torvalds merges their effort to the mainline kernel. The version number of the kernel is promoted to 4.0 (well, it was only a coincidence that the major version changed with the live patching merge, but why not to mention it).

Year 2017, May. A consistency model becomes a part of the kernel in 4.12.

When the initial implementation was merged in 2015, with a bit of exaggeration it was not much more than a simple redirection of functions, architecture support and basic infrastructure around that. But even that could be used for a majority of security fixes we normally deal with.

It has improved a lot since then and many new features have been added. However the consistency model was still missing. We need it to be able to patch another class of security fixes which contain semantic interdependence between multiple functions. Calling a patched function from an unpatched one or vice versa has to be avoided at all times.

It took more than two years of work to get from the design proposal to the final implementation which was merged. It is a hybrid of original solution from both SUSE and Red Hat. The model combines kGraft’s per-task consistency and syscall barrier switching with kpatch’s stack trace switching. Thus, it picks up advantages from both approaches. Even the kernel itself benefits from the work. For example, compile-time stack metadata validation was implemented in the process, stack dumping was rewritten and improved.

There is a question to be asked though. Is the upstream live patching complete now? No, it is not. We cannot deal with data structure changes (or state transformation generally) yet. We need a tool to build the live patches automatically. Also, there is a need to support more architectures.

We are not there yet, but we have just made another significant step to get there.


Leave a Reply

Your email address will not be published. Required fields are marked *

No comments yet

Avatar photo