diff options
Diffstat (limited to 'Documentation/livepatch')
| -rw-r--r-- | Documentation/livepatch/livepatch.txt | 135 |
1 files changed, 53 insertions, 82 deletions
diff --git a/Documentation/livepatch/livepatch.txt b/Documentation/livepatch/livepatch.txt index 2d7ed09dbd59..8f56490a4bb6 100644 --- a/Documentation/livepatch/livepatch.txt +++ b/Documentation/livepatch/livepatch.txt | |||
| @@ -12,12 +12,11 @@ Table of Contents: | |||
| 12 | 4. Livepatch module | 12 | 4. Livepatch module |
| 13 | 4.1. New functions | 13 | 4.1. New functions |
| 14 | 4.2. Metadata | 14 | 4.2. Metadata |
| 15 | 4.3. Livepatch module handling | ||
| 16 | 5. Livepatch life-cycle | 15 | 5. Livepatch life-cycle |
| 17 | 5.1. Registration | 16 | 5.1. Loading |
| 18 | 5.2. Enabling | 17 | 5.2. Enabling |
| 19 | 5.3. Disabling | 18 | 5.3. Disabling |
| 20 | 5.4. Unregistration | 19 | 5.4. Removing |
| 21 | 6. Sysfs | 20 | 6. Sysfs |
| 22 | 7. Limitations | 21 | 7. Limitations |
| 23 | 22 | ||
| @@ -298,117 +297,89 @@ into three levels: | |||
| 298 | see the "Consistency model" section. | 297 | see the "Consistency model" section. |
| 299 | 298 | ||
| 300 | 299 | ||
| 301 | 4.3. Livepatch module handling | ||
| 302 | ------------------------------ | ||
| 303 | |||
| 304 | The usual behavior is that the new functions will get used when | ||
| 305 | the livepatch module is loaded. For this, the module init() function | ||
| 306 | has to register the patch (struct klp_patch) and enable it. See the | ||
| 307 | section "Livepatch life-cycle" below for more details about these | ||
| 308 | two operations. | ||
| 309 | |||
| 310 | Module removal is only safe when there are no users of the underlying | ||
| 311 | functions. This is the reason why the force feature permanently disables | ||
| 312 | the removal. The forced tasks entered the functions but we cannot say | ||
| 313 | that they returned back. Therefore it cannot be decided when the | ||
| 314 | livepatch module can be safely removed. When the system is successfully | ||
| 315 | transitioned to a new patch state (patched/unpatched) without being | ||
| 316 | forced it is guaranteed that no task sleeps or runs in the old code. | ||
| 317 | |||
| 318 | |||
| 319 | 5. Livepatch life-cycle | 300 | 5. Livepatch life-cycle |
| 320 | ======================= | 301 | ======================= |
| 321 | 302 | ||
| 322 | Livepatching defines four basic operations that define the life cycle of each | 303 | Livepatching can be described by four basic operations: |
| 323 | live patch: registration, enabling, disabling and unregistration. There are | 304 | loading, enabling, disabling, removing. |
| 324 | several reasons why it is done this way. | ||
| 325 | |||
| 326 | First, the patch is applied only when all patched symbols for already | ||
| 327 | loaded objects are found. The error handling is much easier if this | ||
| 328 | check is done before particular functions get redirected. | ||
| 329 | 305 | ||
| 330 | Second, it might take some time until the entire system is migrated with | ||
| 331 | the hybrid consistency model being used. The patch revert might block | ||
| 332 | the livepatch module removal for too long. Therefore it is useful to | ||
| 333 | revert the patch using a separate operation that might be called | ||
| 334 | explicitly. But it does not make sense to remove all information until | ||
| 335 | the livepatch module is really removed. | ||
| 336 | 306 | ||
| 307 | 5.1. Loading | ||
| 308 | ------------ | ||
| 337 | 309 | ||
| 338 | 5.1. Registration | 310 | The only reasonable way is to enable the patch when the livepatch kernel |
| 339 | ----------------- | 311 | module is being loaded. For this, klp_enable_patch() has to be called |
| 312 | in the module_init() callback. There are two main reasons: | ||
| 340 | 313 | ||
| 341 | Each patch first has to be registered using klp_register_patch(). This makes | 314 | First, only the module has an easy access to the related struct klp_patch. |
| 342 | the patch known to the livepatch framework. Also it does some preliminary | ||
| 343 | computing and checks. | ||
| 344 | 315 | ||
| 345 | In particular, the patch is added into the list of known patches. The | 316 | Second, the error code might be used to refuse loading the module when |
| 346 | addresses of the patched functions are found according to their names. | 317 | the patch cannot get enabled. |
| 347 | The special relocations, mentioned in the section "New functions", are | ||
| 348 | applied. The relevant entries are created under | ||
| 349 | /sys/kernel/livepatch/<name>. The patch is rejected when any operation | ||
| 350 | fails. | ||
| 351 | 318 | ||
| 352 | 319 | ||
| 353 | 5.2. Enabling | 320 | 5.2. Enabling |
| 354 | ------------- | 321 | ------------- |
| 355 | 322 | ||
| 356 | Registered patches might be enabled either by calling klp_enable_patch() or | 323 | The livepatch gets enabled by calling klp_enable_patch() from |
| 357 | by writing '1' to /sys/kernel/livepatch/<name>/enabled. The system will | 324 | the module_init() callback. The system will start using the new |
| 358 | start using the new implementation of the patched functions at this stage. | 325 | implementation of the patched functions at this stage. |
| 359 | 326 | ||
| 360 | When a patch is enabled, livepatch enters into a transition state where | 327 | First, the addresses of the patched functions are found according to their |
| 361 | tasks are converging to the patched state. This is indicated by a value | 328 | names. The special relocations, mentioned in the section "New functions", |
| 362 | of '1' in /sys/kernel/livepatch/<name>/transition. Once all tasks have | 329 | are applied. The relevant entries are created under |
| 363 | been patched, the 'transition' value changes to '0'. For more | 330 | /sys/kernel/livepatch/<name>. The patch is rejected when any above |
| 364 | information about this process, see the "Consistency model" section. | 331 | operation fails. |
| 365 | 332 | ||
| 366 | If an original function is patched for the first time, a function | 333 | Second, livepatch enters into a transition state where tasks are converging |
| 367 | specific struct klp_ops is created and an universal ftrace handler is | 334 | to the patched state. If an original function is patched for the first |
| 368 | registered. | 335 | time, a function specific struct klp_ops is created and an universal |
| 336 | ftrace handler is registered[*]. This stage is indicated by a value of '1' | ||
| 337 | in /sys/kernel/livepatch/<name>/transition. For more information about | ||
| 338 | this process, see the "Consistency model" section. | ||
| 369 | 339 | ||
| 370 | Functions might be patched multiple times. The ftrace handler is registered | 340 | Finally, once all tasks have been patched, the 'transition' value changes |
| 371 | only once for the given function. Further patches just add an entry to the | 341 | to '0'. |
| 372 | list (see field `func_stack`) of the struct klp_ops. The last added | ||
| 373 | entry is chosen by the ftrace handler and becomes the active function | ||
| 374 | replacement. | ||
| 375 | 342 | ||
| 376 | Note that the patches might be enabled in a different order than they were | 343 | [*] Note that functions might be patched multiple times. The ftrace handler |
| 377 | registered. | 344 | is registered only once for a given function. Further patches just add |
| 345 | an entry to the list (see field `func_stack`) of the struct klp_ops. | ||
| 346 | The right implementation is selected by the ftrace handler, see | ||
| 347 | the "Consistency model" section. | ||
| 378 | 348 | ||
| 379 | 349 | ||
| 380 | 5.3. Disabling | 350 | 5.3. Disabling |
| 381 | -------------- | 351 | -------------- |
| 382 | 352 | ||
| 383 | Enabled patches might get disabled either by calling klp_disable_patch() or | 353 | Enabled patches might get disabled by writing '0' to |
| 384 | by writing '0' to /sys/kernel/livepatch/<name>/enabled. At this stage | 354 | /sys/kernel/livepatch/<name>/enabled. |
| 385 | either the code from the previously enabled patch or even the original | ||
| 386 | code gets used. | ||
| 387 | 355 | ||
| 388 | When a patch is disabled, livepatch enters into a transition state where | 356 | First, livepatch enters into a transition state where tasks are converging |
| 389 | tasks are converging to the unpatched state. This is indicated by a | 357 | to the unpatched state. The system starts using either the code from |
| 390 | value of '1' in /sys/kernel/livepatch/<name>/transition. Once all tasks | 358 | the previously enabled patch or even the original one. This stage is |
| 391 | have been unpatched, the 'transition' value changes to '0'. For more | 359 | indicated by a value of '1' in /sys/kernel/livepatch/<name>/transition. |
| 392 | information about this process, see the "Consistency model" section. | 360 | For more information about this process, see the "Consistency model" |
| 361 | section. | ||
| 393 | 362 | ||
| 394 | Here all the functions (struct klp_func) associated with the to-be-disabled | 363 | Second, once all tasks have been unpatched, the 'transition' value changes |
| 364 | to '0'. All the functions (struct klp_func) associated with the to-be-disabled | ||
| 395 | patch are removed from the corresponding struct klp_ops. The ftrace handler | 365 | patch are removed from the corresponding struct klp_ops. The ftrace handler |
| 396 | is unregistered and the struct klp_ops is freed when the func_stack list | 366 | is unregistered and the struct klp_ops is freed when the func_stack list |
| 397 | becomes empty. | 367 | becomes empty. |
| 398 | 368 | ||
| 399 | Patches must be disabled in exactly the reverse order in which they were | 369 | Third, the sysfs interface is destroyed. |
| 400 | enabled. It makes the problem and the implementation much easier. | ||
| 401 | 370 | ||
| 371 | Note that patches must be disabled in exactly the reverse order in which | ||
| 372 | they were enabled. It makes the problem and the implementation much easier. | ||
| 402 | 373 | ||
| 403 | 5.4. Unregistration | ||
| 404 | ------------------- | ||
| 405 | 374 | ||
| 406 | Disabled patches might be unregistered by calling klp_unregister_patch(). | 375 | 5.4. Removing |
| 407 | This can be done only when the patch is disabled and the code is no longer | 376 | ------------- |
| 408 | used. It must be called before the livepatch module gets unloaded. | ||
| 409 | 377 | ||
| 410 | At this stage, all the relevant sys-fs entries are removed and the patch | 378 | Module removal is only safe when there are no users of functions provided |
| 411 | is removed from the list of known patches. | 379 | by the module. This is the reason why the force feature permanently |
| 380 | disables the removal. Only when the system is successfully transitioned | ||
| 381 | to a new patch state (patched/unpatched) without being forced it is | ||
| 382 | guaranteed that no task sleeps or runs in the old code. | ||
| 412 | 383 | ||
| 413 | 384 | ||
| 414 | 6. Sysfs | 385 | 6. Sysfs |