News: 0001489433

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Klp-build Proposed As A New Means Of Generating Linux Kernel Livepatch Modules

([Linux Kernel] 3 Hours Ago klp-build)


Posted today as a "request for comments" by longtime Linux developer Josh Poimboeuf of Red Hat is klp-build. The klp-build proposal is a new means of building livepatch modules for live-patching the Linux kernel to address bugs and security issues with the running kernel image.

Poimboeuf posted the RFC patches today for this new livepatch module generation with klp-build. He summed it up rather well in his patch cover letter, so here are the key highlights directly:

"Here's a new way to build livepatch modules called klp-build.

I started working on it when I realized that objtool already does 99% of the work needed for detecting function changes.

This is similar in concept to kpatch-build, but the implementation is much cleaner.

Personally I still have reservations about the "source-based" approach (klp-convert and friends), including the fragility and performance concerns of -flive-patching. I would submit that klp-build might be considered the "official" way to make livepatch modules.

...

Add a klp-build script which makes use of a new "objtool klp" subcommand to generate livepatch modules using a source patch as input.

The concept is similar to kpatch-build which has been a successful out-of-tree project for over a decade. It takes a source .patch as an input, builds kernels before and after, does a binary diff, and copies any changed functions into a new object file which is then linked into a livepatch module.

By making use of existing objtool functionality, and taking from lessons learned over the last decade of maintaining kpatch-build, the overall design is much simpler. In fact, it's a complete redesign and has been written from scratch (no copied code).

Advantages over kpatch-build:

- Runs on vmlinux.o, so it's compatible with late-linked features like IBT and LTO

- Much simpler design: ~3k fewer LOC

- Makes use of existing objtool CFG functionality to create checksums for trivially detecting changed functions

- Offset __LINE__ changes are no longer a problem thanks to the adjust-patch-lines script

- In-tree means less cruft, easier maintenance, and a larger pool of potential maintainers"

The RFC patches were just posted to the Linux kernel mailing list and thus no other comment from kernel developers/maintainers yet. Before potentially being mainlined, klp-build still has open TODO items like creating more documentation, performance optimizations, automated testing, supporting Clang, enabling architectures beyond just x86_64, and other improvements. This klp-build is an interesting improvement for Linux kernel livepatching and hopefully it will all pan out and manage to be mainlined in the future.

Currently klp-build consists of 31 patches and is out for review [1]on the LKML .



[1] https://lore.kernel.org/lkml/cover.1725334260.git.jpoimboe@kernel.org/



Britoid

Lockwood's Long Shot:
The chances of getting eaten up by a lion on Main Street
aren't one in a million, but once would be enough.