FS#61822 - [linux] Enable livepatch

Attached to Project: Arch Linux
Opened by Bailey Fox (fox8091) - Wednesday, 20 February 2019, 21:03 GMT
Last edited by Jan Alexander Steffens (heftig) - Monday, 16 November 2020, 14:34 GMT
Task Type Feature Request
Category Packages: Core
Status Closed
Assigned To Andreas Radke (AndyRTR)
Jan Alexander Steffens (heftig)
Levente Polyak (anthraxx)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description: This should be as simple as setting CONFIG_LIVEPATCH, as all the other required kernel flags are already set. This would allow using kpatch with the kernel in core.

Closed by Jan Alexander Steffens (heftig)
Monday, 16 November 2020, 14:34 GMT
Reason for closing: Won't implement
Comment by Christian Hesse (eworm) - Wednesday, 20 February 2019, 21:07 GMT
And anybody would have to provide the live patches...
I do not think we will any time soon.
Comment by Bailey Fox (fox8091) - Wednesday, 20 February 2019, 21:22 GMT
Yes of course, though this can easily be done with kpatch-build, and additionally, inclusion has no ill effects.
Comment by Levente Polyak (anthraxx) - Wednesday, 20 February 2019, 23:37 GMT
besides that it exposes a security risk and attack surface, which at least is a reason this will never ever happen in linux-hardened
Comment by Bailey Fox (fox8091) - Thursday, 21 February 2019, 00:08 GMT
If you don't mind my asking, how does it open a security risk? They're compiled as kernel modules, and if attackers can load unsigned kernel modules, security has already failed.
Comment by Levente Polyak (anthraxx) - Thursday, 21 February 2019, 01:15 GMT
it exposes attack surface by the sheer existence of the in-memory runtime replacement facility inside the kernel. From a self protection perspective the potential negative side effects of such a facility are real, therefore it has no place in (at least) the hardened variant. It doesn't have anything to do with the fact that the regular userspace facing side uses kernel modules to interact with it.
Comment by Andreas Radke (AndyRTR) - Monday, 16 November 2020, 10:54 GMT
I also tend to say "Won't fix/Won't implement" from me for the LTS kernel as well.
Comment by Jan Alexander Steffens (heftig) - Monday, 16 November 2020, 14:33 GMT
Same here. Since we don't want to create livepatches (and I suspect most stable upgrades are incompatible with LP, anyway) we shouldn't be enabling this.
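The thread argues about whether the livepatch facility should exist in the kernel at all. For an administrator who wants to know whether a given kernel actually carries it, and whether anything is currently patched in memory, the following audit helper is an added example (not code from the Arch tracker, kpatch, or the kernel). It assumes the sysfs layout documented for livepatch (`/sys/kernel/livepatch/<patch>/{enabled,transition}` plus one subdirectory per patched object), the `TAINT_LIVEPATCH` taint bit 15 (flag `K`), and takes paths as parameters so it can be run against constructed sample files; the function names are my own.

```shell
#!/bin/sh
# Added audit helper (not from the Arch bug tracker or kpatch): report whether
# a kernel has the livepatch facility compiled in and which patches are loaded.
# Paths are parameters so the checks can run against constructed sample files.

# Does a plain-text kernel config (e.g. `zcat /proc/config.gz`) enable livepatch?
livepatch_configured() {
    grep -qx 'CONFIG_LIVEPATCH=y' "$1"
}

# Is TAINT_LIVEPATCH (bit 15, flag 'K') set in a taint mask as read from
# /proc/sys/kernel/tainted?  Set once any live patch has been applied.
livepatch_tainted() {
    taint=$(cat "$1")
    [ $(( (taint >> 15) & 1 )) -eq 1 ]
}

# List patches from a /sys/kernel/livepatch-style tree, one per line:
#   "<patch> enabled=<0|1> transition=<0|1> objects=<obj1,obj2|none>"
# Each subdirectory of a patch is a patched object (vmlinux or a module).
livepatch_list() {
    root=$1
    [ -d "$root" ] || return 0            # no tree at all: facility absent or unused
    for p in "$root"/*/; do
        [ -d "$p" ] || continue
        name=$(basename "$p")
        enabled=$(cat "$p/enabled" 2>/dev/null || echo '?')
        transition=$(cat "$p/transition" 2>/dev/null || echo '?')
        objs=""
        for o in "$p"/*/; do
            [ -d "$o" ] || continue
            objs="${objs:+$objs,}$(basename "$o")"
        done
        printf '%s enabled=%s transition=%s objects=%s\n' \
            "$name" "$enabled" "$transition" "${objs:-none}"
    done
}

# Invoke with --audit to run against the live system (real paths assumed here).
if [ "${1:-}" = "--audit" ]; then
    zcat /proc/config.gz > /tmp/kconfig.$$ 2>/dev/null || : > /tmp/kconfig.$$
    livepatch_configured /tmp/kconfig.$$ && echo "CONFIG_LIVEPATCH=y" || echo "CONFIG_LIVEPATCH not set"
    livepatch_tainted /proc/sys/kernel/tainted && echo "kernel tainted: K (livepatched)"
    livepatch_list /sys/kernel/livepatch
    rm -f /tmp/kconfig.$$
fi
```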
