Klp-build Proposed As A New Means Of Generating Linux Kernel Livepatch Modules
([Linux Kernel] 3 Hours Ago
klp-build)
- Reference: 0001489433
- News link: https://www.phoronix.com/news/Linux-Livepatch-klp-build
- Source link:
Posted today as a "request for comments" by longtime Linux developer Josh Poimboeuf of Red Hat is klp-build. The klp-build proposal is a new means of building livepatch modules for live-patching the Linux kernel to address bugs and security issues with the running kernel image.
Poimboeuf posted the RFC patches today for this new livepatch module generation with klp-build. He summed it up rather well in his patch cover letter, so here are the key highlights directly:
"Here's a new way to build livepatch modules called klp-build.
I started working on it when I realized that objtool already does 99% of the work needed for detecting function changes.
This is similar in concept to kpatch-build, but the implementation is much cleaner.
Personally I still have reservations about the "source-based" approach (klp-convert and friends), including the fragility and performance concerns of -flive-patching. I would submit that klp-build might be considered the "official" way to make livepatch modules.
...
Add a klp-build script which makes use of a new "objtool klp" subcommand to generate livepatch modules using a source patch as input.
The concept is similar to kpatch-build which has been a successful out-of-tree project for over a decade. It takes a source .patch as an input, builds kernels before and after, does a binary diff, and copies any changed functions into a new object file which is then linked into a livepatch module.
By making use of existing objtool functionality, and taking from lessons learned over the last decade of maintaining kpatch-build, the overall design is much simpler. In fact, it's a complete redesign and has been written from scratch (no copied code).
Advantages over kpatch-build:
- Runs on vmlinux.o, so it's compatible with late-linked features like IBT and LTO
- Much simpler design: ~3k fewer LOC
- Makes use of existing objtool CFG functionality to create checksums for trivially detecting changed functions
- Offset __LINE__ changes are no longer a problem thanks to the adjust-patch-lines script
- In-tree means less cruft, easier maintenance, and a larger pool of potential maintainers"
The RFC patches were just posted to the Linux kernel mailing list and thus no other comment from kernel developers/maintainers yet. Before potentially being mainlined, klp-build still has open TODO items like creating more documentation, performance optimizations, automated testing, supporting Clang, enabling architectures beyond just x86_64, and other improvements. This klp-build is an interesting improvement for Linux kernel livepatching and hopefully it will all pan out and manage to be mainlined in the future.
Currently klp-build consists of 31 patches and is out for review [1]on the LKML .
[1] https://lore.kernel.org/lkml/cover.1725334260.git.jpoimboe@kernel.org/
Poimboeuf posted the RFC patches today for this new livepatch module generation with klp-build. He summed it up rather well in his patch cover letter, so here are the key highlights directly:
"Here's a new way to build livepatch modules called klp-build.
I started working on it when I realized that objtool already does 99% of the work needed for detecting function changes.
This is similar in concept to kpatch-build, but the implementation is much cleaner.
Personally I still have reservations about the "source-based" approach (klp-convert and friends), including the fragility and performance concerns of -flive-patching. I would submit that klp-build might be considered the "official" way to make livepatch modules.
...
Add a klp-build script which makes use of a new "objtool klp" subcommand to generate livepatch modules using a source patch as input.
The concept is similar to kpatch-build which has been a successful out-of-tree project for over a decade. It takes a source .patch as an input, builds kernels before and after, does a binary diff, and copies any changed functions into a new object file which is then linked into a livepatch module.
By making use of existing objtool functionality, and taking from lessons learned over the last decade of maintaining kpatch-build, the overall design is much simpler. In fact, it's a complete redesign and has been written from scratch (no copied code).
Advantages over kpatch-build:
- Runs on vmlinux.o, so it's compatible with late-linked features like IBT and LTO
- Much simpler design: ~3k fewer LOC
- Makes use of existing objtool CFG functionality to create checksums for trivially detecting changed functions
- Offset __LINE__ changes are no longer a problem thanks to the adjust-patch-lines script
- In-tree means less cruft, easier maintenance, and a larger pool of potential maintainers"
The RFC patches were just posted to the Linux kernel mailing list and thus no other comment from kernel developers/maintainers yet. Before potentially being mainlined, klp-build still has open TODO items like creating more documentation, performance optimizations, automated testing, supporting Clang, enabling architectures beyond just x86_64, and other improvements. This klp-build is an interesting improvement for Linux kernel livepatching and hopefully it will all pan out and manage to be mainlined in the future.
Currently klp-build consists of 31 patches and is out for review [1]on the LKML .
[1] https://lore.kernel.org/lkml/cover.1725334260.git.jpoimboe@kernel.org/
Britoid