[06/14] livepatch: Add support for apply|revert action replacement hooks

Message ID	20190821081931.90887-7-wipawel@amazon.de (mailing list archive)
State	Superseded
Headers	show Return-Path: <SRS0=S9Ce=WR=lists.xenproject.org=xen-devel-bounces@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 5FD872339F From: Pawel Wieczorkiewicz <wipawel@amazon.de> To: <xen-devel@lists.xen.org>, <xen-devel@lists.xenproject.org> Date: Wed, 21 Aug 2019 08:19:23 +0000 Message-ID: <20190821081931.90887-7-wipawel@amazon.de> In-Reply-To: <20190821081931.90887-1-wipawel@amazon.de> References: <20190821081931.90887-1-wipawel@amazon.de> MIME-Version: 1.0 Precedence: Bulk Subject: [Xen-devel] [PATCH 06/14] livepatch: Add support for apply\|revert action replacement hooks Cc: Pawel Wieczorkiewicz <wipawel@amazon.de>, wipawel@amazon.com, Ross Lagerwall <ross.lagerwall@citrix.com>, mpohlack@amazon.com, Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>
Series	livepatch: new features and fixes \| expand [00/14] livepatch: new features and fixes [01/14] livepatch: Always check hypervisor build ID upon hotpatch upload [02/14] livepatch: Allow to override inter-modules buildid dependency [03/14] python: Add XC binding for Xen build ID [04/14] livepatch: Export payload structure via livepatch_payload.h [05/14] livepatch: Implement pre-\|post- apply\|revert hooks [06/14] livepatch: Add support for apply\|revert action replacement hooks [07/14] livepatch: Do not enforce ELF_LIVEPATCH_FUNC section presence [08/14] livepatch: always print XENLOG_ERR information [09/14] livepatch: Add per-function applied/reverted state tracking marker [10/14] livepatch: Add support for inline asm hotpatching expectations [11/14] livepatch: Add support for modules .modinfo section metadata [12/14] livepatch: Handle arbitrary size names with the list operation [13/14] livepatch: Add metadata runtime retrieval mechanism [14/14] livepatch: Add python bindings for livepatch operations

Message ID

20190821081931.90887-7-wipawel@amazon.de (mailing list archive)

State

Superseded

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 5FD872339F
From: Pawel Wieczorkiewicz <wipawel@amazon.de>
To: <xen-devel@lists.xen.org>, <xen-devel@lists.xenproject.org>
Date: Wed, 21 Aug 2019 08:19:23 +0000
Message-ID: <20190821081931.90887-7-wipawel@amazon.de>
In-Reply-To: <20190821081931.90887-1-wipawel@amazon.de>
References: <20190821081931.90887-1-wipawel@amazon.de>
MIME-Version: 1.0
Precedence: Bulk
Subject: [Xen-devel] [PATCH 06/14] livepatch: Add support for apply|revert
 action replacement hooks
Cc: Pawel Wieczorkiewicz <wipawel@amazon.de>, wipawel@amazon.com, Ross
 Lagerwall <ross.lagerwall@citrix.com>, mpohlack@amazon.com,
 Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: xen-devel-bounces@lists.xenproject.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>

Series

livepatch: new features and fixes | expand

Commit Message

Wieczorkiewicz, Pawel Aug. 21, 2019, 8:19 a.m. UTC

By default, in the quiescing zone, a hotpatch payload is applied with
apply_payload() and reverted with revert_payload() functions. Both of
the functions receive the payload struct pointer as a parameter. The
functions are also a place where standard 'load' and 'unload' module
hooks are executed.

To increase hotpatching system's agility and provide more flexiable
long-term hotpatch solution, allow to overwrite the default apply
and revert action functions with hook-like supplied alternatives.
The alternative functions are optional and the default functions are
used by default.

Since the alternative functions have direct access to the hotpatch
payload structure, they can better control context of the 'load' and
'unload' hooks execution as well as exact instructions replacement
workflows. They can be also easily extended to support extra features
in the future.

To simplify the alternative function generation move code responsible
for payload and hotpatch region registration outside of the function.
That way it is guaranteed that the registration step occurs even for
newly supplied functions.

Signed-off-by: Pawel Wieczorkiewicz <wipawel@amazon.de>
Reviewed-by: Petre Eftime <epetre@amazon.com>
Reviewed-by: Martin Pohlack <mpohlack@amazon.com>
Reviewed-by: Norbert Manthey <nmanthey@amazon.com>
Reviewed-by: Andra-Irina Paraschiv <andraprs@amazon.com>
Reviewed-by: Bjoern Doebel <doebel@amazon.com>
---
 xen/common/livepatch.c              | 66 +++++++++++++++++++++++++++++++------
 xen/include/xen/livepatch_payload.h | 10 ++++++
 2 files changed, 66 insertions(+), 10 deletions(-)

Comments

Konrad Rzeszutek Wilk Aug. 21, 2019, 6:31 p.m. UTC | #1

On 8/21/19 4:19 AM, Pawel Wieczorkiewicz wrote:
> By default, in the quiescing zone, a hotpatch payload is applied with
> apply_payload() and reverted with revert_payload() functions. Both of
> the functions receive the payload struct pointer as a parameter. The
> functions are also a place where standard 'load' and 'unload' module
> hooks are executed.
> 
> To increase hotpatching system's agility and provide more flexiable
> long-term hotpatch solution, allow to overwrite the default apply
> and revert action functions with hook-like supplied alternatives.
> The alternative functions are optional and the default functions are
> used by default.
> 
> Since the alternative functions have direct access to the hotpatch
> payload structure, they can better control context of the 'load' and
> 'unload' hooks execution as well as exact instructions replacement
> workflows. They can be also easily extended to support extra features
> in the future.
> 
> To simplify the alternative function generation move code responsible
> for payload and hotpatch region registration outside of the function.
> That way it is guaranteed that the registration step occurs even for
> newly supplied functions.
> 

This logic looks legit, but I was wondering if you would be up for a 
writing a small test-case(s) livepatch that would exercise these parts 
just to make sure nothing in the future would screw it up?

Wieczorkiewicz, Pawel Aug. 21, 2019, 7:06 p.m. UTC | #2

On 21. Aug 2019, at 20:31, Konrad Rzeszutek Wilk <konrad.wilk@oracle.com<mailto:konrad.wilk@oracle.com>> wrote:

On 8/21/19 4:19 AM, Pawel Wieczorkiewicz wrote:
By default, in the quiescing zone, a hotpatch payload is applied with
apply_payload() and reverted with revert_payload() functions. Both of
the functions receive the payload struct pointer as a parameter. The
functions are also a place where standard 'load' and 'unload' module
hooks are executed.
To increase hotpatching system's agility and provide more flexiable
long-term hotpatch solution, allow to overwrite the default apply
and revert action functions with hook-like supplied alternatives.
The alternative functions are optional and the default functions are
used by default.
Since the alternative functions have direct access to the hotpatch
payload structure, they can better control context of the 'load' and
'unload' hooks execution as well as exact instructions replacement
workflows. They can be also easily extended to support extra features
in the future.
To simplify the alternative function generation move code responsible
for payload and hotpatch region registration outside of the function.
That way it is guaranteed that the registration step occurs even for
newly supplied functions.

This logic looks legit, but I was wondering if you would be up for a writing a small test-case(s) livepatch that would exercise these parts just to make sure nothing in the future would screw it up?

Yes, I could do that. But, I would like to discuss (get guidelines about) the expected test coverage.
With this sort of changes, there is an unlimited set of test-cases to be created. So, I would like to focus on a few most important.
I am missing knowledge how these test cases are supposed to be used… hence the ask.

Best Regards,
Pawel Wieczorkiewicz

Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Ralf Herbrich
Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
Sitz: Berlin
Ust-ID: DE 289 237 879

Konrad Rzeszutek Wilk Aug. 26, 2019, 2:30 p.m. UTC | #3

> Yes, I could do that. But, I would like to discuss (get guidelines about) the expected test coverage.
> With this sort of changes, there is an unlimited set of test-cases to be created. So, I would like to focus on a few most important.
> I am missing knowledge how these test cases are supposed to be used… hence the ask.

I had in mind two livepatches with a dependency on each other that would utilize
different callback mechanism. 

Say the first one just modifies xen_extra_function to print based on a string variable.
Applying it would change extra version to say 'FIRST_LIVEPATCH' or such.

The second one has an apply and revert callback that modifies the xen_extra_function to print say
'SECOND_LIVEPATCH' and also 'SECOND_REVERTED' when reverted?

So you would have:

xen-livepatch apply xen_first
xl version |grep extra_version
[should have FIRST_LIVEPATCH]
xen-livepatch apply xen_second
xl version |grep extra_version
[should have SECOND_LIVEPATCH]
xen-livepatch revert xen_second
xl version |grep extra_version
[should have SECOND_REVERTED]

or such?

Just want to make sure that the code that is doing the various combinations
of callbacks is behaving correctly. Naturally doing all of them would be rather
difficult, so I would rather test the most common use-case.

Hope this helps?
> 
> Best Regards,
> Pawel Wieczorkiewicz
> 
> 
> 
> Amazon Development Center Germany GmbH
> Krausenstr. 38
> 10117 Berlin
> Geschaeftsfuehrung: Christian Schlaeger, Ralf Herbrich
> Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
> Sitz: Berlin
> Ust-ID: DE 289 237 879
> 
>

diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c
index 464c07ad28..38fab8b240 100644
--- a/xen/common/livepatch.c
+++ b/xen/common/livepatch.c
@@ -587,8 +587,11 @@  static int prepare_payload(struct payload *payload,
     LIVEPATCH_ASSIGN_MULTI_HOOK(elf, payload->unload_funcs, payload->n_unload_funcs, ".livepatch.hooks.unload");
 
     LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.apply.pre, ".livepatch.hooks.preapply");
+    LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.apply.action, ".livepatch.hooks.apply");
     LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.apply.post, ".livepatch.hooks.postapply");
+
     LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.revert.pre, ".livepatch.hooks.prerevert");
+    LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.revert.action, ".livepatch.hooks.revert");
     LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.revert.post, ".livepatch.hooks.postrevert");
 
     sec = livepatch_elf_sec_by_name(elf, ELF_BUILD_ID_NOTE);
@@ -1114,6 +1117,11 @@  static int apply_payload(struct payload *data)
 
     arch_livepatch_revive();
 
+    return 0;
+}
+
+static inline void apply_payload_tail(struct payload *data)
+{
     /*
      * We need RCU variant (which has barriers) in case we crash here.
      * The applied_list is iterated by the trap code.
@@ -1121,7 +1129,7 @@  static int apply_payload(struct payload *data)
     list_add_tail_rcu(&data->applied_list, &applied_list);
     register_virtual_region(&data->region);
 
-    return 0;
+    data->state = LIVEPATCH_STATE_APPLIED;
 }
 
 static int revert_payload(struct payload *data)
@@ -1154,6 +1162,11 @@  static int revert_payload(struct payload *data)
     ASSERT(!local_irq_is_enabled());
 
     arch_livepatch_revive();
+    return 0;
+}
+
+static inline void revert_payload_tail(struct payload *data)
+{
 
     /*
      * We need RCU variant (which has barriers) in case we crash here.
@@ -1163,7 +1176,7 @@  static int revert_payload(struct payload *data)
     unregister_virtual_region(&data->region);
 
     data->reverted = true;
-    return 0;
+    data->state = LIVEPATCH_STATE_CHECKED;
 }
 
 /*
@@ -1183,15 +1196,31 @@  static void livepatch_do_action(void)
     switch ( livepatch_work.cmd )
     {
     case LIVEPATCH_ACTION_APPLY:
-        rc = apply_payload(data);
+        if ( is_hook_enabled(data->hooks.apply.action) )
+        {
+            printk(XENLOG_INFO LIVEPATCH "%s: Calling apply action hook function\n", data->name);
+
+            rc = (*data->hooks.apply.action)(data);
+        }
+        else
+            rc = apply_payload(data);
+
         if ( rc == 0 )
-            data->state = LIVEPATCH_STATE_APPLIED;
+            apply_payload_tail(data);
         break;
 
     case LIVEPATCH_ACTION_REVERT:
-        rc = revert_payload(data);
+        if ( is_hook_enabled(data->hooks.revert.action) )
+        {
+            printk(XENLOG_INFO LIVEPATCH "%s: Calling revert action hook function\n", data->name);
+
+            rc = (*data->hooks.revert.action)(data);
+        }
+        else
+            rc = revert_payload(data);
+
         if ( rc == 0 )
-            data->state = LIVEPATCH_STATE_CHECKED;
+            revert_payload_tail(data);
         break;
 
     case LIVEPATCH_ACTION_REPLACE:
@@ -1202,9 +1231,18 @@  static void livepatch_do_action(void)
          */
         list_for_each_entry_safe_reverse ( other, tmp, &applied_list, applied_list )
         {
-            other->rc = revert_payload(other);
+            if ( is_hook_enabled(other->hooks.revert.action) )
+            {
+                printk(XENLOG_INFO LIVEPATCH "%s: Calling revert action hook function\n", other->name);
+
+                other->rc = (*other->hooks.revert.action)(other);
+            }
+            else
+                other->rc = revert_payload(other);
+
+
             if ( other->rc == 0 )
-                other->state = LIVEPATCH_STATE_CHECKED;
+                revert_payload_tail(other);
             else
             {
                 rc = -EINVAL;
@@ -1214,9 +1252,17 @@  static void livepatch_do_action(void)
 
         if ( rc == 0 )
         {
-            rc = apply_payload(data);
+            if ( is_hook_enabled(data->hooks.apply.action) )
+            {
+                printk(XENLOG_INFO LIVEPATCH "%s: Calling apply action hook function\n", data->name);
+
+                rc = (*data->hooks.apply.action)(data);
+            }
+            else
+                rc = apply_payload(data);
+
             if ( rc == 0 )
-                data->state = LIVEPATCH_STATE_APPLIED;
+                apply_payload_tail(data);
         }
         break;
 
diff --git a/xen/include/xen/livepatch_payload.h b/xen/include/xen/livepatch_payload.h
index cd20944cc4..ff16af0dd6 100644
--- a/xen/include/xen/livepatch_payload.h
+++ b/xen/include/xen/livepatch_payload.h
@@ -22,11 +22,13 @@  typedef void livepatch_loadcall_t(void);
 typedef void livepatch_unloadcall_t(void);
 
 typedef int livepatch_precall_t(livepatch_payload_t *arg);
+typedef int livepatch_actioncall_t(livepatch_payload_t *arg);
 typedef void livepatch_postcall_t(livepatch_payload_t *arg);
 
 struct livepatch_hooks {
     struct {
         livepatch_precall_t *const *pre;
+        livepatch_actioncall_t *const *action;
         livepatch_postcall_t *const *post;
     } apply, revert;
 };
@@ -91,6 +93,10 @@  struct payload {
     livepatch_precall_t *__attribute__((weak, used)) \
         const livepatch_preapply_data_##_fn __section(".livepatch.hooks.preapply") = _fn;
 
+#define LIVEPATCH_APPLY_HOOK(_fn) \
+    livepatch_actioncall_t *__attribute__((weak, used)) \
+        const livepatch_apply_data_##_fn __section(".livepatch.hooks.apply") = _fn;
+
 #define LIVEPATCH_POSTAPPLY_HOOK(_fn) \
     livepatch_postcall_t *__attribute__((weak, used)) \
         const livepatch_postapply_data_##_fn __section(".livepatch.hooks.postapply") = _fn;
@@ -99,6 +105,10 @@  struct payload {
     livepatch_precall_t *__attribute__((weak, used)) \
         const livepatch_prerevert_data_##_fn __section(".livepatch.hooks.prerevert") = _fn;
 
+#define LIVEPATCH_REVERT_HOOK(_fn) \
+    livepatch_actioncall_t *__attribute__((weak, used)) \
+        const livepatch_revert_data_##_fn __section(".livepatch.hooks.revert") = _fn;
+
 #define LIVEPATCH_POSTREVERT_HOOK(_fn) \
     livepatch_postcall_t *__attribute__((weak, used)) \
         const livepatch_postrevert_data_##_fn __section(".livepatch.hooks.postrevert") = _fn;

[06/14] livepatch: Add support for apply|revert action replacement hooks

Commit Message

Comments

Patch